7.5
Concluding Remarks
The purpose of this chapter was to gain an idea of how different parameter choices affect the performance of a basic probabilistic FFS model. The model we devel- oped permits the easy computation of optimal parameter estimates that should be used in implementations, for any finite field where the FFS applies. This model may be developed or specialised to a particular implementation as needed.
Furthermore the question of whether finite fields with a composite extension degree are potentially weaker than others due to the multiple representations avail- able was shown, with some heuristic evidence, to warrant further research. We present some research in this direction in the next chapter.
Chapter 8
Function Field Sieve in
Characteristic Three
In this chapter we investigate the practical efficiency of the Function Field Sieve to compute discrete logarithms in finite fields of the formF36m, which arise from, and
are essential to the security of, supersingular elliptic curves used in identity-based cryptography.
This chapter represents joint work with Andrew Holt, Dan Page, Nigel Smart and Fr´ederik Vercauteren, and appeared in [55].
8.1
Introduction
In light of the speculative results of Chapter 7, and motivated by attacks on identity based cryptosystems that use supersingular elliptic curves in characteristic three, in this chapter we report on the first implementation of the Function Field Sieve in this characteristic. Since the curves of interest have embedding degree six [43], we pay special attention to the fieldsF36m. A key observation is that this allows
one to represent the function field over different base fields, which from the results presented in Chapter 7, leads one to expect differing performances for computing discrete logarithms.
8.2 The Function Field Sieve
the best results, which is perhaps not too surprising. We show also that the exact analysis of Chapter 7 is more able to predict the behaviour, and thereby parameter choices, than the naive simple analysis. Finally, the results of this chapter give confidence that the key sizes one would use in a simple pairing-based system are likely to be secure against current algorithms and computing power.
8.2
The Function Field Sieve
The finite fields of interest to pairing based cryptography in characteristic three are given byK = F3n wheren = 6 · m. In what follows we set q = 3m. In practice,
we limit ourselves to finite fields which could arise as the MOV embedding of a supersingular elliptic curve over the fieldFq whose group order is divisible by a
primel of size comparable to that of q. Such elliptic curves have group orders
given by
q ±p3q + 1.
We wish to investigate not only the practicality of the function field sieve for the field extensionF3n/F3, but also the effect of taking different base fields, i.e.,
looking at the extensionF3n/F3e wheree = 1, 2, 3 or 6. To this end we let k =
F3e,N = n/e and p = 3e.
We assume we are givenα, β ∈ K, both of order l, such that
β = αx
for some unknownx ∈ {1, . . . , l − 1}. The discrete logarithm problem then is to computex given α and β.
We will use a function field F = k(X)[Y ]/(H) defined by the polynomial H(X, Y ) ∈ k[X, Y ] over the rational function field k(X). Note, we shall abuse
notation slightly and refer to the polynomialH(X, Y ) as the curve H, by which
we mean the curve defined byH(X, Y ) = 0. For practical reasons [96], one usu-
ally selects aCab-curve forH. However, in our examples we used a superelliptic
Function Field Sieve in Characteristic Three
curve of the form
H(X, Y ) = Yd + R(X)
where R(X) is a polynomial in k[X] of degree b. This enables more efficient
calculation of the functions on the algebraic side, at the expense of a little less generality of our implementation. The class number of the function field F de-
fined byH, or equivalently the number of points on the Jacobian of the curve JH
defined byH over k, we shall denote by h = #JH(k).
We assume that the field K is defined by a polynomial basis with respect to
the polynomialf ∈ k[X] of degree N, i.e.,
K ∼= k[X]/(f ).
To define the function field sieve algorithm we need to specify two polynomials
u1, u2 ∈ k[X] such that the norm of the function u1+ u2Y , given by the resultant
ud2H(X, −u1/u2) = (−u1)d+ ud2R
is divisible byf . In such a situation we have a surjective homomorphism
φ : (
k[X, Y ]/(H) −→ K ∼= k[X]/(f ) Y 7→ −u1/u2.
We select a rational factor base R of small degree irreducible polynomials in
k[X] and an algebraic factor base A of small prime divisors in the divisor group Div(F ). Hence, R and A are therefore defined by
R = {p : deg p ≤ B, p irreducible } ,
A = {hp, Y − ri : deg p ≤ B, p irreducible , r ≡ −u1/u2 (mod p)} ,
for some smoothness boundB.
The goal of the Function Field Sieve is to find relatively prime pairs of poly- nomials(r, s), with deg r, deg s ≤ l, such that the polynomial (su2− ru1) and the
8.2 The Function Field Sieve
divisorhs + rY i simultaneously factor over the respective factor bases, i.e.,
su2− ru1 = Y pi∈R paii hs + rY i = X hpj,rji∈A bjhpj, Y − rji.
Determining the factorization ofhs + rY i over A is easily done by examining the factorization of the norm
N (hs + rY i) = (−s)d+ rdR.
Sinceh hpj, Y − rji is a principal divisor, for each hpj, Y − rji ∈ A there exists
a functionλj ∈ F× withh hpj, Y − rji = hλji and such a function is unique up
to multiplication by an element ink×. We then have that our algebraic relation is
given by
(s + rY )h = µY
λj
λbj
j ,
withµ an element in k×. We then apply the homomorphismφ above to obtain
(s − ruu1
2
)h ≡Y
λj
φ(λj)bj,
where≡ denotes equality modulo a possible factor in k×. Assumingh is coprime
to(pN − 1)/(p − 1), we can take h-th roots of both sides of this equation and if
we writeκj = φ(λj)1/hwe obtain (s − ruu1 2) ≡ Y λj κbj j .
Combining the relation on the rational side with the above equation we find
1 u2 Y pi∈R paii ≡Y λj κbj j . 124
Function Field Sieve in Characteristic Three
Hence, we obtain the relation between discrete logarithms given by
X pi ailoggpi− logg(u2) = X γj bjloggκj, (8.1)
whereg is a multiplicative generator of the field K. Note that we do not need at
any point to compute the values of theκj, or for that matter the values of theλj,
all that we require is that they exist, so that whilst we do compute the logarthims of the κj in the linear algebra elimination, the only logarithms we need are of
those elements in the rational factor base. This is guaranteed by the condition that
h should be coprime to (pN − 1)/(p − 1).
If sufficiently many independent relations of the form (8.1) have been ob- tained, we can solve for the discrete logarithms themselves using structured Gaus- sian elimination combined with the Lanczos method. Determining the discrete logarithm of β with respect to α is then performed using a standard recursive
sieving strategy as explained in [131].