An experiment of number field sieve for discrete logarithm problem over GF(p12)

Kenichiro Hayasaka; Kazumaro Aoki; Tetsutaro Kobayashi; Tsuyoshi Takagi

doi:10.1007/978-3-642-42001-6_8

An experiment of number field sieve for discrete logarithm problem over GF(p12)

Kenichiro Hayasaka, Kazumaro Aoki, Tetsutaro Kobayashi, Tsuyoshi Takagi

Laboratory of Mathematical Design for Advanced Cryptography

Research output: Chapter in Book/Report/Conference proceeding › Chapter

3 Citations (Scopus)

Abstract

The security of pairing-based cryptography is based on the hardness of the discrete logarithm problem (DLP) over finite field GF(pn). For example, the security of the optimal Ate pairing using BN curves, which is one of the most efficient algorithms for computing paring, is based on the hardness of DLP over GF(p12). Joux et al. proposed the number field sieve over GF(pn) as an extension of the number field sieve that can efficiently solve the DLP over prime field GF(p). Two implementations of the number field sieve over GF(p3) and GF(p6) have been proposed, but there is no report on that over GF(p12) of extension degree 12. In the sieving step of the number field sieve over GF(p) we perform the sieving of two dimensions, but we have to deal with more than two dimensions in the case of number field sieves over GF(p12). In this paper we construct a lattice sieve of more than two dimensions, and discuss its parameter sizes such as the dimension of sieving and the size of sieving region from some experiments of the multi-dimensional sieving. Using the parameters suitable for efficient implementation of the number field sieve, we have solved the DLP over GF(p12) of 203 bits in about 43 hours using a PC of 16 CPU cores.

Original language	English
Title of host publication	Number Theory and Cryptography
Subtitle of host publication	Papers in Honor of Johannes Buchmann on the Ocasion of His 60th Birthday
Editors	Marc Fischlin, Stefan Katzenbeisser
Pages	108-120
Number of pages	13
DOIs	https://doi.org/10.1007/978-3-642-42001-6_8
Publication status	Published - 2013

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	8260 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-642-42001-6_8

Cite this

Hayasaka, K., Aoki, K., Kobayashi, T., & Takagi, T. (2013). An experiment of number field sieve for discrete logarithm problem over GF(p12). In M. Fischlin, & S. Katzenbeisser (Eds.), Number Theory and Cryptography: Papers in Honor of Johannes Buchmann on the Ocasion of His 60th Birthday (pp. 108-120). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8260 LNCS). https://doi.org/10.1007/978-3-642-42001-6_8

An experiment of number field sieve for discrete logarithm problem over GF(p12). / Hayasaka, Kenichiro; Aoki, Kazumaro; Kobayashi, Tetsutaro; Takagi, Tsuyoshi.

Number Theory and Cryptography: Papers in Honor of Johannes Buchmann on the Ocasion of His 60th Birthday. ed. / Marc Fischlin; Stefan Katzenbeisser. 2013. p. 108-120 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8260 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Chapter

Hayasaka, K, Aoki, K, Kobayashi, T & Takagi, T 2013, An experiment of number field sieve for discrete logarithm problem over GF(p12). in M Fischlin & S Katzenbeisser (eds), Number Theory and Cryptography: Papers in Honor of Johannes Buchmann on the Ocasion of His 60th Birthday. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 8260 LNCS, pp. 108-120. https://doi.org/10.1007/978-3-642-42001-6_8

Hayasaka K, Aoki K, Kobayashi T, Takagi T. An experiment of number field sieve for discrete logarithm problem over GF(p12). In Fischlin M, Katzenbeisser S, editors, Number Theory and Cryptography: Papers in Honor of Johannes Buchmann on the Ocasion of His 60th Birthday. 2013. p. 108-120. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-642-42001-6_8

Hayasaka, Kenichiro ; Aoki, Kazumaro ; Kobayashi, Tetsutaro ; Takagi, Tsuyoshi. / An experiment of number field sieve for discrete logarithm problem over GF(p12). Number Theory and Cryptography: Papers in Honor of Johannes Buchmann on the Ocasion of His 60th Birthday. editor / Marc Fischlin ; Stefan Katzenbeisser. 2013. pp. 108-120 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inbook{1e7e0f9b0fd449b58dd37bf9e7c3892b,

title = "An experiment of number field sieve for discrete logarithm problem over GF(p12)",

abstract = "The security of pairing-based cryptography is based on the hardness of the discrete logarithm problem (DLP) over finite field GF(pn). For example, the security of the optimal Ate pairing using BN curves, which is one of the most efficient algorithms for computing paring, is based on the hardness of DLP over GF(p12). Joux et al. proposed the number field sieve over GF(pn) as an extension of the number field sieve that can efficiently solve the DLP over prime field GF(p). Two implementations of the number field sieve over GF(p3) and GF(p6) have been proposed, but there is no report on that over GF(p12) of extension degree 12. In the sieving step of the number field sieve over GF(p) we perform the sieving of two dimensions, but we have to deal with more than two dimensions in the case of number field sieves over GF(p12). In this paper we construct a lattice sieve of more than two dimensions, and discuss its parameter sizes such as the dimension of sieving and the size of sieving region from some experiments of the multi-dimensional sieving. Using the parameters suitable for efficient implementation of the number field sieve, we have solved the DLP over GF(p12) of 203 bits in about 43 hours using a PC of 16 CPU cores.",

author = "Kenichiro Hayasaka and Kazumaro Aoki and Tetsutaro Kobayashi and Tsuyoshi Takagi",

year = "2013",

doi = "10.1007/978-3-642-42001-6_8",

language = "English",

isbn = "9783642420009",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "108--120",

editor = "Marc Fischlin and Stefan Katzenbeisser",

booktitle = "Number Theory and Cryptography",

}

TY - CHAP

T1 - An experiment of number field sieve for discrete logarithm problem over GF(p12)

AU - Hayasaka, Kenichiro

AU - Aoki, Kazumaro

AU - Kobayashi, Tetsutaro

AU - Takagi, Tsuyoshi

PY - 2013

Y1 - 2013

N2 - The security of pairing-based cryptography is based on the hardness of the discrete logarithm problem (DLP) over finite field GF(pn). For example, the security of the optimal Ate pairing using BN curves, which is one of the most efficient algorithms for computing paring, is based on the hardness of DLP over GF(p12). Joux et al. proposed the number field sieve over GF(pn) as an extension of the number field sieve that can efficiently solve the DLP over prime field GF(p). Two implementations of the number field sieve over GF(p3) and GF(p6) have been proposed, but there is no report on that over GF(p12) of extension degree 12. In the sieving step of the number field sieve over GF(p) we perform the sieving of two dimensions, but we have to deal with more than two dimensions in the case of number field sieves over GF(p12). In this paper we construct a lattice sieve of more than two dimensions, and discuss its parameter sizes such as the dimension of sieving and the size of sieving region from some experiments of the multi-dimensional sieving. Using the parameters suitable for efficient implementation of the number field sieve, we have solved the DLP over GF(p12) of 203 bits in about 43 hours using a PC of 16 CPU cores.

AB - The security of pairing-based cryptography is based on the hardness of the discrete logarithm problem (DLP) over finite field GF(pn). For example, the security of the optimal Ate pairing using BN curves, which is one of the most efficient algorithms for computing paring, is based on the hardness of DLP over GF(p12). Joux et al. proposed the number field sieve over GF(pn) as an extension of the number field sieve that can efficiently solve the DLP over prime field GF(p). Two implementations of the number field sieve over GF(p3) and GF(p6) have been proposed, but there is no report on that over GF(p12) of extension degree 12. In the sieving step of the number field sieve over GF(p) we perform the sieving of two dimensions, but we have to deal with more than two dimensions in the case of number field sieves over GF(p12). In this paper we construct a lattice sieve of more than two dimensions, and discuss its parameter sizes such as the dimension of sieving and the size of sieving region from some experiments of the multi-dimensional sieving. Using the parameters suitable for efficient implementation of the number field sieve, we have solved the DLP over GF(p12) of 203 bits in about 43 hours using a PC of 16 CPU cores.

UR - http://www.scopus.com/inward/record.url?scp=84893372104&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84893372104&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-42001-6_8

DO - 10.1007/978-3-642-42001-6_8

M3 - Chapter

AN - SCOPUS:84893372104

SN - 9783642420009

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 108

EP - 120

BT - Number Theory and Cryptography

A2 - Fischlin, Marc

A2 - Katzenbeisser, Stefan

ER -

An experiment of number field sieve for discrete logarithm problem over GF(p12)

Abstract

Publication series

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this