Solving discrete logarithms on a 170-bit MNT curve by pairing reduction

Aurore Guillevic (PIMS); Fran\c{c}ois Morain (GRACE; LIX); Emmanuel; Thom\'e (CARAMBA)

arXiv:1605.07746·cs.CR·November 28, 2016

Solving discrete logarithms on a 170-bit MNT curve by pairing reduction

Aurore Guillevic (PIMS), Fran\c{c}ois Morain (GRACE, LIX), Emmanuel, Thom\'e (CARAMBA)

PDF

TL;DR

This paper demonstrates that pairing-based cryptography on a 170-bit MNT curve can be broken by reducing the discrete logarithm problem to a 508-bit extension field, challenging assumptions about security in such settings.

Contribution

It provides a practical attack on a 170-bit MNT curve using pairing reduction, questioning the security of small characteristic finite fields in cryptography.

Findings

01

Successfully solved DLP on a 170-bit MNT curve

02

Exploited pairing embedding to a degree-3 extension field

03

Challenged security assumptions of small characteristic fields

Abstract

Pairing based cryptography is in a dangerous position following the breakthroughs on discrete logarithms computations in finite fields of small characteristic. Remaining instances are built over finite fields of large characteristic and their security relies on the fact that the embedding field of the underlying curve is relatively large. How large is debatable. The aim of our work is to sustain the claim that the combination of degree 3 embedding and too small finite fields obviously does not provide enough security. As a computational example, we solve the DLP on a 170-bit MNT curve, by exploiting the pairing embedding to a 508-bit, degree-3 extension of the base field.

Peer Reviews

No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.

Videos

No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.