Breaking '128-bit Secure' Supersingular Binary Curves: (Or How to Solve Discrete Logarithms in F_(2~(4.1223)) and F_(2~(12.367)))

摘要

In late 2012 and early 2013 the discrete logarithm problem (DLP) in finite fields of small characteristic underwent a dramatic series of breakthroughs, culminating in a heuristic quasi-polynomial time algorithm, due to Barbulescu, Gaudry, Joux and Thome. Using these developments, Adj, Menezes, Oliveira and Rodriguez-Henriquez analysed the concrete security of the DLP, as it arises from pairings on (the Jacobians of) various genus one and two supersingular curves in the literature, which were originally thought to be 128-bit secure. In particular, they suggested that the new algorithms have no impact on the security of a genus one curve over F_(2~(1223)), and reduce the security of a genus two curve over F_(2~(367)) to 94.6 bits. In this paper we propose a new field representation and efficient general descent principles which together make the new techniques far more practical. Indeed, at the '128-bit security level' our analysis shows that the aforementioned genus one curve has approximately 59 bits of security, and we report a total break of the genus two curve.