Breaking '128-bit Secure' Supersingular Binary Curves
The discrete logarithm problem (DLP) in finite fields of small characteristic recently enjoyed a dramatic series of breakthrough results and computational records, with its (heuristic) complexity dropping from subexponential to quasi-polynomial. While these results asymptotically render any cryptosystem relying on the hardness of such DLPs unusable, a question remained over whether the new techniques can weaken or indeed break any of the parameters proposed in the literature for pairing-based cryptographic protocols at the industry-standard 128-bit security level. In this talk I will first describe the ideas underlying the recent developments and then introduce some techniques which allow one to answer this question affirmatively. This is joint work with Thorsten Kleinjung and Jens Zumbrägel.