### Abstract

The security of pairing-based cryptography is based on the hardness of the discrete logarithm problem (DLP) over finite field GF(pn). For example, the security of the optimal Ate pairing using BN curves, which is one of the most efficient algorithms for computing paring, is based on the hardness of DLP over GF(p12). Joux et al. proposed the number field sieve over GF(pn) as an extension of the number field sieve that can efficiently solve the DLP over prime field GF(p). Two implementations of the number field sieve over GF(p3) and GF(p6) have been proposed, but there is no report on that over GF(p12) of extension degree 12. In the sieving step of the number field sieve over GF(p) we perform the sieving of two dimensions, but we have to deal with more than two dimensions in the case of number field sieves over GF(p12). In this paper we construct a lattice sieve of more than two dimensions, and discuss its parameter sizes such as the dimension of sieving and the size of sieving region from some experiments of the multi-dimensional sieving. Using the parameters suitable for efficient implementation of the number field sieve, we have solved the DLP over GF(p12) of 203 bits in about 43 hours using a PC of 16 CPU cores.

Original language | English |
---|---|

Title of host publication | Number Theory and Cryptography |

Subtitle of host publication | Papers in Honor of Johannes Buchmann on the Ocasion of His 60th Birthday |

Editors | Marc Fischlin, Stefan Katzenbeisser |

Pages | 108-120 |

Number of pages | 13 |

DOIs | |

Publication status | Published - Dec 1 2013 |

### Publication series

Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
---|---|

Volume | 8260 LNCS |

ISSN (Print) | 0302-9743 |

ISSN (Electronic) | 1611-3349 |

### All Science Journal Classification (ASJC) codes

- Theoretical Computer Science
- Computer Science(all)

## Fingerprint Dive into the research topics of 'An experiment of number field sieve for discrete logarithm problem over GF(p12)'. Together they form a unique fingerprint.

## Cite this

*Number Theory and Cryptography: Papers in Honor of Johannes Buchmann on the Ocasion of His 60th Birthday*(pp. 108-120). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8260 LNCS). https://doi.org/10.1007/978-3-642-42001-6_8