In the last week, the discrete logarithm problem was broken for the binary fields $\mathbb{F}_{2^{(14 \times 127)}}$ and $\mathbb{F}_{2^{(27 \times 73)}}$.

Pairing-based cryptography using binary fields currently relies on fields such as $\mathbb{F}_{2^{4\times353}}$ (80-bit level of security) and $\mathbb{F}_{2^{4\times1223}}$ (128-bit level of security).

Do these new attacks apply to these fields? How much security loss is expected for them? (It seems to me that they are not heavily impacted since there is a "large" prime factor in the exponent, but I don't know how much safer they are.)


While I believe the issue is not yet settled, here are some comments about the issue:

"This should signal the death knell for pairing based cryptography on Type-1 curves in small characteristic." - Nigel Smart

"it is not clear how well Joux's method applies for quasi prime extensions $2^{2\cdot r}$" - Francisco Rodríguez Henríquez

"one consequence of the new algorithms may be that characteristic 2 and 3 fields are not appropriate for pairing-based cryptography." - Steven Galbraith

CodesInChaos
Conrado
  • 4
    This might answer some questions http://bristolcrypto.blogspot.com/2013/02/discrete-logarithms.html – mikeazo Feb 22 '13 at 14:13
  • 1
    @Conrado The important thing about this post, no matter that it is quite old, is that it brings attention to how suddenly an idea in cryptography can hit the waste bin. – Patriot Aug 04 '19 at 01:24

1 Answer

Antoine Joux announced the computation of a discrete logarithm over $\mathbb{F}_{2^{257 \times 24}}$, which is now pretty close to what was being used in pairing-based cryptography.

According to Joux, "a direct consequence of this record is that supersingular curves (of genus 1 or 2) defined over GF(2^257) cannot be used securely for pairing-based cryptography."

It seems now that pairing-based cryptography over binary fields is dead.

Conrado