Section: New Results

Solving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction

Participants : Aurore Guillevic [contact] , Emmanuel Thomé [contact] .

The project of computing discrete logarithms in finite fields of the form $GF\left(p^n\right)$ for small $n$ comes from the need to estimate precisely the security level of pairing-based cryptography. After the two record computations of 2014 and 2015 in GF$\left(p^2\right)$ of 160 and 180 decimal digits (532 and 597 bits) we investigated GF$\left(p^3\right)$ and took a real-life elliptic curve proposed in 2001 by Miyaji, Nakabayashi and Takano (MNT-3 curve). Thanks to a pairing computation (in few milliseconds), a discrete logarithm computation in the 170-bit MNT-3 curve, which is hard, can be done instead by a discrete logarithm computation in GF$\left(p^3\right)$ of 508 bits, which is much faster. This computation involved Aurore Guillevic (post-doctoral fellow in 2016 at the University of Calgary, Canada), Emmanuel Thomé, and François Morain (LIX/École Polytechnique/Inria Saclay, GRACE team). The computation took 2.97 years in total: 1.81 years for the relation collection, 1.16 years for the linear algebra and 2 days for the individual discrete logarithm computation. The work was presented at the Selected Areas in Cryptography conference in Newfoundland, Canada, and published in the proceedings [11].

The next step will be to adapt the new NFS variant called Extended-Tower-NFS to attack MNT-4 and MNT-6 curves, which means computing discrete logarithms in GF$\left(p^4\right)$ and GF$\left(p^6\right)$. This new challenge will require the higher dimension sieve developed by Laurent Grémy.