Breaking '128-bit Secure' Supersingular Binary Curves (or how to solve discrete logarithms in ${\mathbb F}_{2^{4 \cdot 1223}}$ and ${\mathbb F}_{2^{12 \cdot 367}}$)

Authors

  • Robert Granger
  • Thorsten Kleinjung
  • Jens Zumbrägel
Abstract

In late 2012 and early 2013 the discrete logarithm problem (DLP) in finite fields of small characteristic underwent a dramatic series of breakthroughs, culminating in a heuristic quasipolynomial time algorithm, due to Barbulescu, Gaudry, Joux and Thomé. Using these developments, Adj, Menezes, Oliveira and Rodríguez-Henríquez analysed the concrete security of the DLP, as it arises from pairings on (the Jacobians of) various genus one and two supersingular curves in the literature. At the 128-bit security level, they suggested that the new algorithms have no impact on the security of a genus one curve over ${\mathbb F}_{2^{1223}}$, and reduce the security of a genus two curve over ${\mathbb F}_{2^{367}}$ to 94.6 bits. In this paper we propose a new field representation and efficient descent principles, which together demonstrate that the new techniques can be made practical at the 128-bit security level. In particular, we show that the aforementioned genus one curve offers only 59 bits of security, and we report a total break of the genus two curve. Since these techniques are widely applicable, we conclude that small characteristic pairings should henceforth be considered completely insecure.


Similar sources

New Subexponential Fewnomial Hypersurface Bounds

Suppose $c_1,\ldots,c_{n+k}$ are real numbers, $\{a_1,\ldots,a_{n+k}\}\!\subset\!\mathbb{R}^n$ is a set of points not all lying in the same affine hyperplane, $y\!\in\!\mathbb{R}^n$, $a_j\cdot y$ denotes the standard real inner product of $a_j$ and $y$, and we set $g(y)\!:=\!\sum^{n+k}_{j=1} c_j e^{a_j\cdot y}$. We prove that, for generic $c_j$, the number of connected components of the real ze...


Towards Faster and Greener Cryptoprocessor for Eta Pairing on Supersingular Elliptic Curve over $\mathbb{F}_{2^{1223}}$

For the first time ever, the FPGA based cryptoprocessor presented in [12] makes it possible to compute an eta pairing at the 128-bit security level in less than one millisecond. The high performance of their cryptoprocessor comes largely from the use of the Karatsuba method for field multiplication. In this article, for the same type of pairing we propose hybrid sequential/parallel multipliers ...


MAGMA-JOINED-MAGMAS: A CLASS OF NEW ALGEBRAIC STRUCTURES

By left magma-$e$-magma, I mean a set containing the fixed element $e$, and equipped by two binary operations "$\cdot$", $\odot$ with the property $e\odot (x\cdot y)=e\odot(x\odot y)$, namely left $e$-join law. So, $(X,\cdot,e,\odot)$ is a left magma-$e$-magma if and only if $(X,\cdot)$, $(X,\odot)$ are magmas (groupoids), $e\in X$ and the left $e$-join law holds. Right (and two-sided) magma-$e$-magmas are de...


$(1-2u^k)$-constacyclic codes over $\mathbb{F}_p+u\mathbb{F}_p+u^2\mathbb{F}_p+u^{3}\mathbb{F}_{p}+\dots+u^{k}\mathbb{F}_{p}$

Let $\mathbb{F}_p$ be a finite field and $u$ be an indeterminate. This article studies $(1-2u^k)$-constacyclic codes over the ring $\mathcal{R}=\mathbb{F}_p+u\mathbb{F}_p+u^2\mathbb{F}_p+u^{3}\mathbb{F}_{p}+\cdots+u^{k}\mathbb{F}_{p}$ where $u^{k+1}=u$. We illustrate the generator polynomials and investigate the structural properties of these codes via decomposition theorem.


Journal:
  • CoRR

Volume: abs/1402.3668  Issue:

Pages: -

Publication date: 2014