Section: New Results
Solving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction
Participants : Aurore Guillevic [contact] , Emmanuel Thomé [contact] .
The project of computing discrete logarithms in finite fields of the form for small comes from the need to estimate precisely the security level of pairing-based cryptography. After the two record computations of 2014 and 2015 in GF of 160 and 180 decimal digits (532 and 597 bits) we investigated GF and took a real-life elliptic curve proposed in 2001 by Miyaji, Nakabayashi and Takano (MNT-3 curve). Thanks to a pairing computation (in few milliseconds), a discrete logarithm computation in the 170-bit MNT-3 curve, which is hard, can be done instead by a discrete logarithm computation in GF of 508 bits, which is much faster. This computation involved Aurore Guillevic (post-doctoral fellow in 2016 at the University of Calgary, Canada), Emmanuel Thomé, and François Morain (LIX/École Polytechnique/Inria Saclay, GRACE team). The computation took 2.97 years in total: 1.81 years for the relation collection, 1.16 years for the linear algebra and 2 days for the individual discrete logarithm computation. The work was presented at the Selected Areas in Cryptography conference in Newfoundland, Canada, and published in the proceedings [11].
The next step will be to adapt the new NFS variant called Extended-Tower-NFS to attack MNT-4 and MNT-6 curves, which means computing discrete logarithms in GF and GF. This new challenge will require the higher dimension sieve developed by Laurent Grémy.