Challenges with Assessing the Impact of NFS Advances on the Security of Pairing-Based Cryptography

Abstract

In the past two years there have been several advances in Number Field Sieve (NFS) algorithms for computing discrete logarithms in finite fields \({\mathbb F}_{p^n}\) where p is prime and \(n > 1\) is a small integer. This article presents a concise overview of these algorithms and discusses some of the challenges with assessing their impact on keylengths for pairing-based cryptosystems.

A Calculations of Bounds on Resultants

Consider the setting of the TNFS with \(Q=p^n\), \(n=\eta \kappa \), h a degree-\(\eta \) irreducible polynomial in \(\mathbb {Z}[z]\), \(R=\mathbb {Z}[z]/(h(z))\), and \(f,\phi \in R[x]\). Note that \(\deg _z f = \deg _z\phi = \eta -1\).

Let \(\mathfrak {f}(z,x)\) be a bivariate polynomial with integer coefficients where \(\mathfrak {f}_{i,j}\) is the coefficient of \(x^iz^j\). Then \(||\mathfrak {f}||_{\infty }=\max |\mathfrak {f}_{i,j}|\). Bounds on resultants of univariate and bivariate polynomials have been given in [9]. We summarize these below.

Let a(u) and b(u) be polynomials with integer coefficients. From [9], we have

$$\begin{aligned} \begin{aligned} |\mathrm{Res}_u&(a(u),b(u))| \\&\le (\mathrm{deg}(a)+1)^{\mathrm{deg}(b)/2} \cdot (\mathrm{deg}(b)+1)^{\mathrm{deg}(a)/2} \cdot ||a||_{\infty }^{\mathrm{deg}(b)} \cdot ||b||_{\infty }^{\mathrm{deg}(a)}. \end{aligned} \end{aligned}$$

(13)

Let a(u, v) and b(u, v) be polynomials with integer coefficients. Let \(c(u)=\mathrm{Res}_v(a(u,v),b(u,v))\). Then

$$\begin{aligned} \begin{aligned} ||c||_{\infty } \le&(\mathrm{deg}_v(a)+\mathrm{deg}_v(b))!\\&\cdot (\max (\mathrm{deg}_u(a),\mathrm{deg}_u(b))+1)^{\mathrm{deg}_v a+\mathrm{deg}_v b-1} \cdot ||a||_{\infty }^{\mathrm{deg}_v b}\cdot ||b||_{\infty }^{\mathrm{deg}_v a}. \end{aligned} \end{aligned}$$

(14)

Bounds on \(\mathrm{Res}_z(\mathrm{Res}_x(\phi (x),\mathfrak {f}(x)),h(z))\) can be derived by combining the bounds given by (13) and (14). Let \(\mathfrak {c}(z)=\mathrm{Res}_x(\phi (x),\mathfrak {f}(x))\). The degree of \(\mathfrak {c}(z)\) is given in [9] and from (14) we obtain \(||\mathfrak {c}||_{\infty }\). These quantities are as follows:

$$\begin{aligned} \deg \mathfrak {c}(z)= & {} (\deg _x\phi + \deg _x f) \cdot \max (\deg _z\phi +\deg _z f) = (\eta -1)(\deg _x\phi + \deg _x f), \\ ||\mathfrak {c}||_{\infty }\le & {} (\deg _x\phi + \deg _x \mathfrak {f})! \cdot (\max (\deg _z\phi ,\deg _z \mathfrak {f}) + 1)^{\deg _x\phi + \deg _x \mathfrak {f} - 1}\\&\;\;\; \cdot \; ||\phi ||_{\infty }^{\deg _x \mathfrak {f}} \cdot ||\mathfrak {f}||_{\infty }^{\deg _x\phi } \\= & {} (\deg _x\phi + \deg _x \mathfrak {f})! \cdot \eta ^{\deg _x\phi + \deg _x \mathfrak {f} - 1} \cdot ||\phi ||_{\infty }^{\deg _x \mathfrak {f}} \cdot ||\mathfrak {f}||_{\infty }^{\deg _x\phi }. \end{aligned}$$

Using these values we obtain

(15)

(16)