{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T18:43:01Z","timestamp":1772044981426,"version":"3.50.1"},"reference-count":103,"publisher":"Springer Science and Business Media LLC","issue":"4","license":[{"start":{"date-parts":[[2018,1,29]],"date-time":"2018-01-29T00:00:00Z","timestamp":1517184000000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Cryptol"],"published-print":{"date-parts":[[2019,10]]},"DOI":"10.1007\/s00145-018-9280-5","type":"journal-article","created":{"date-parts":[[2018,1,29]],"date-time":"2018-01-29T20:03:52Z","timestamp":1517256232000},"page":"1298-1336","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":129,"title":["Updating Key Size Estimations for Pairings"],"prefix":"10.1007","volume":"32","author":[{"given":"Razvan","family":"Barbulescu","sequence":"first","affiliation":[]},{"given":"Sylvain","family":"Duquesne","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2018,1,29]]},"reference":[{"key":"9280_CR1","unstructured":"G. Adj, I.\u00a0Canales-Mart\u00ednez, N.\u00a0C. Cort\u00e9s, A.\u00a0Menezes, T.\u00a0Oliveira, L.\u00a0Rivera-Zamarripa, F.\u00a0Rodr\u00edguez-Henr\u00edquez, Computing discrete logarithms in cryptographically-interesting characteristic-three finite fields. Cryptology ePrint Archive, Report 2016\/914 (2016)"},{"key":"9280_CR2","first-page":"108","volume-title":"Lecture Notes in Computer Science","author":"Leonard M. Adleman","year":"1994","unstructured":"L.M. Adleman, The function field sieve, in Algorithmic Number Theory Symposium\u2014ANTS I. Lecture Notes in Computer Science, vol. 877 (1994), pp. 
108\u2013121"},{"key":"9280_CR3","doi-asserted-by":"publisher","first-page":"177","DOI":"10.1007\/978-3-642-36334-4_11","volume-title":"Pairing-Based Cryptography \u2013 Pairing 2012","author":"Diego F. Aranha","year":"2013","unstructured":"D.F. Aranha, L.\u00a0Fuentes-Casta\u00f1eda, E.\u00a0Knapp, A.\u00a0Menezes, F.\u00a0Rodr\u00edguez-Henr\u00edquez, Implementing pairings at the 192-bit security level, in Pairing-based cryptography\u2014PAIRING 2012. Lecture Notes in Computer Science, vol. 7708 (2013)"},{"key":"9280_CR4","first-page":"1","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2007","author":"Kazumaro Aoki","year":"2007","unstructured":"K.\u00a0Aoki, J.\u00a0Franke, T.\u00a0Kleinjung, A.\u00a0Lenstra, D.A. Osvik, A kilobit special number field sieve factorization. in Advances in Cryptology\u2014ASIACRYPT 2007. Lecture notes in computer science, vol. 4833 (2007), pp. 1\u201312"},{"issue":"1","key":"9280_CR5","doi-asserted-by":"publisher","first-page":"5","DOI":"10.1006\/inco.1998.2761","volume":"151","author":"LM Adleman","year":"1999","unstructured":"L.M. Adleman, M.D.A. Huang, Function field sieve method for discrete logarithms over finite fields. Inf. Comput.\u00a0151(1), 5\u201316 (1999)","journal-title":"Inf. Comput."},{"key":"9280_CR6","doi-asserted-by":"publisher","first-page":"48","DOI":"10.1007\/978-3-642-20465-4_5","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2011","author":"Diego F. Aranha","year":"2011","unstructured":"D.\u00a0Aranha, K.\u00a0Karabina, P.\u00a0Longa, C.\u00a0H. Gebotys, J.\u00a0L\u00f3pez, Faster explicit formulas for computing pairings over ordinary curves, in Advances in Cryptology EUROCRYPT 2011. Lecture Notes in Computer Science, vol. 6632 (2011), pp. 
48\u201368"},{"key":"9280_CR7","doi-asserted-by":"crossref","first-page":"148","DOI":"10.1016\/j.ffa.2014.10.009","volume":"32","author":"G Adj","year":"2015","unstructured":"G.\u00a0Adj, A.\u00a0Menezes, T.\u00a0Oliveira, F.\u00a0Rodriguez-Henriquez, Weakness of $${\\mathbb{F}} _{3^{6\\cdot 1429}}$$ and $${\\mathbb{F}} _{2^{4\\cdot 3041}}$$ for discrete logarithm cryptography. Finite Fields Their Appl.\u00a032, 148\u2013170 (2015)","journal-title":"Finite Fields Their Appl."},{"key":"9280_CR8","doi-asserted-by":"publisher","first-page":"245","DOI":"10.1007\/978-3-319-22174-8_14","volume-title":"Progress in Cryptology -- LATINCRYPT 2015","author":"Paulo S. L. M. Barreto","year":"2015","unstructured":"P.S.L.M. Barreto, C. Costello, R. Misoczki, M. Naehrig, G.C.C.F. Pereira, G. Zanon, Subgroup security in pairing-based cryptography, in K. Lauter, F. 
Rodr\u00edguez-Henr\u00edquez, editors, Progress in Cryptology \u2013 LATINCRYPT 2015: 4th International Conference on Cryptology and Information Security in Latin America, Guadalajara, Mexico, August 23\u201326, 2015, Proceedings (Springer International Publishing, Cham, 2015), pp. 245\u2013265"},{"key":"9280_CR9","unstructured":"R.\u00a0Barbulescu, S.\u00a0Duquesne, Online supplement for \u201cupdating keysizes of pairings\u201d (2017). Downloadable from https:\/\/webusers.imj-prg.fr\/~razvan.barbaud\/Pairings\/Pairings.html."},{"key":"9280_CR10","doi-asserted-by":"publisher","first-page":"213","DOI":"10.1007\/3-540-44647-8_13","volume-title":"Advances in Cryptology \u2014 CRYPTO 2001","author":"Dan Boneh","year":"2001","unstructured":"D. Boneh, M.\u00a0Franklin, Identity-based encryption from the Weil pairing, in Advances in Cryptology\u2014CRYPTO 2001. Lecture notes in computer science, vol. 2139 (2001), pp. 213\u2013229"},{"key":"9280_CR11","unstructured":"R.\u00a0Barbulescu, P.\u00a0Gaudry, A.\u00a0Guillevic, F.\u00a0Morain, Discrete logarithms in GF($$p^2$$)\u2014160 digits (2014). Announcement available at the NMBRTHRY archives, item 004706"},{"key":"9280_CR12","doi-asserted-by":"publisher","first-page":"129","DOI":"10.1007\/978-3-662-46800-5_6","volume-title":"Advances in Cryptology -- EUROCRYPT 2015","author":"Razvan Barbulescu","year":"2015","unstructured":"R.\u00a0Barbulescu, P.\u00a0Gaudry, A.\u00a0Guillevic, F.\u00a0Morain, Improving NFS for the discrete logarithm problem in non-prime finite fields, in Advances in Cryptology\u2014EUROCRYPT 2015. 
Lecture Notes in Computer Science, vol. 9056 (2015), pp. 129\u2013155"},{"key":"9280_CR13","unstructured":"R.\u00a0Barbulescu, P.\u00a0Gaudry, A.\u00a0Guillevic, F.\u00a0Morain, New record in $${\\mathbb{F}}_{p^3}$$, (2015). Available online at https:\/\/webusers.imj-prg.fr\/~razvan.barbaud\/p3dd52.pdf"},{"key":"9280_CR14","unstructured":"C.\u00a0Bouvier, P.\u00a0Gaudry, L.\u00a0Imbert, H.\u00a0Jeljeli, E.\u00a0Thom\u00e9, Discrete logarithms in GF(p)\u2014180 digits, (2014). Announcement available at the NMBRTHRY archives, item 004703"},{"key":"9280_CR15","first-page":"1","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2014","author":"Razvan Barbulescu","year":"2014","unstructured":"R.\u00a0Barbulescu, P.\u00a0Gaudry, A.\u00a0Joux, E.\u00a0Thom\u00e9, A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic, in Advances in Cryptology\u2014EUROCRYPT 2014. Lecture Notes in Computer Science, vol. 8441 (2014), pp. 1\u201316"},{"key":"9280_CR16","doi-asserted-by":"publisher","first-page":"31","DOI":"10.1007\/978-3-662-48800-3_2","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2015","author":"Razvan Barbulescu","year":"2015","unstructured":"R.\u00a0Barbulescu, P.\u00a0Gaudry, T.\u00a0Kleinjung, The tower number field sieve, in Advances in Cryptology\u2014ASIACRYPT 2015. Lecture Notes in Computer Science, vol. 9453 (2015), pp. 
31\u201355"},{"key":"9280_CR17","doi-asserted-by":"publisher","first-page":"258","DOI":"10.1007\/11535218_16","volume-title":"Advances in Cryptology \u2013 CRYPTO 2005","author":"Dan Boneh","year":"2005","unstructured":"D.\u00a0Boneh, C.\u00a0Gentry, B.\u00a0Waters, Collusion resistant broadcast encryption with short ciphertexts and private keys, in Advances in Cryptology\u2014CRYPTO 2005. Lecture Notes in Computer Science, vol. 3621 (2005), pp. 258\u2013275"},{"key":"9280_CR18","unstructured":"J.\u00a0Bos, M.\u00a0Kaihara, T.\u00a0Kleinjung, A.\u00a0Lenstra, P.\u00a0Montgomery, On the security of 1024-bit RSA and 160-bit elliptic curve cryptography. Cryptology ePrint Archive, Report 2009\/389"},{"issue":"303","key":"9280_CR19","doi-asserted-by":"publisher","first-page":"397","DOI":"10.1090\/mcom\/3112","volume":"86","author":"R Barbulescu","year":"2017","unstructured":"R.\u00a0Barbulescu, A.\u00a0Lachand, Some mathematical remarks on the polynomial selection in NFS. Math. Comput.\u00a086(303), 397\u2013418 (2017)","journal-title":"Math. Comput."},{"key":"9280_CR20","doi-asserted-by":"crossref","unstructured":"J.\u00a0P. Buhler, H.\u00a0Lenstra\u00a0Jr., C.\u00a0Pomerance, Factoring integers with the number field sieve, in The Development of the Number Field Sieve. Lecture Notes in Mathematics, vol. 1554 (Springer, 1993), pp. 50\u201394","DOI":"10.1007\/BFb0091539"},{"key":"9280_CR21","doi-asserted-by":"publisher","first-page":"257","DOI":"10.1007\/3-540-36413-7_19","volume-title":"Security in Communication Networks","author":"Paulo S. L. M. Barreto","year":"2003","unstructured":"P. Barreto, B.\u00a0Lynn, M.\u00a0Scott, Constructing elliptic curves with prescribed embedding degrees, in Security in Communication Networks. Lecture Notes in Computer Science, vol. 2576 (2003), pp. 
257\u2013267"},{"issue":"4","key":"9280_CR22","doi-asserted-by":"publisher","first-page":"297","DOI":"10.1007\/s00145-004-0314-9","volume":"17","author":"D Boneh","year":"2004","unstructured":"D.\u00a0Boneh, B.\u00a0Lynn, H.\u00a0Shacham, Short signatures from the Weil pairing. J. Cryptol.\u00a017(4), 297\u2013319 (2004)","journal-title":"J. Cryptol."},{"key":"9280_CR23","doi-asserted-by":"publisher","first-page":"319","DOI":"10.1007\/11693383_22","volume-title":"Selected Areas in Cryptography","author":"Paulo S. L. M. Barreto","year":"2006","unstructured":"P.\u00a0Barreto, M.\u00a0Naehrig, Pairing-friendly elliptic curves of prime order. in Selected Areas in Cryptography\u2013SAC 2005. Lecture Notes in Computer Science, vol. 3006 (2005), pp. 319\u2013331"},{"issue":"A","key":"9280_CR24","doi-asserted-by":"publisher","first-page":"230","DOI":"10.1112\/S1461157014000369","volume":"17","author":"Razvan Barbulescu","year":"2014","unstructured":"R.\u00a0Barbulescu, C.\u00a0Pierrot, The multiple number field sieve for medium- and high-characteristic finite fields. LMS J. Comput. Math.\u00a017, 230\u2013246 (2014). The published version contains an error which is corrected in version 2 available at https:\/\/hal.inria.fr\/hal-00952610.","journal-title":"LMS Journal of Computation and Mathematics"},{"issue":"1","key":"9280_CR25","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/0022-314X(83)90002-1","volume":"17","author":"ER Canfield","year":"1983","unstructured":"E. R. Canfield, P.\u00a0Erd\u00f6s, C.\u00a0Pomerance, On a problem of Oppenheim concerning factorisatio numerorum. J. Number Theory\u00a017(1), 1\u201328 (1983)","journal-title":"J. Number Theory"},{"key":"9280_CR26","unstructured":"S.\u00a0Cavallar\u00a0Hedwig, On the number field sieve integer factorisation algorithm. 
PhD thesis, Universiteit Leiden (2002)"},{"issue":"4","key":"9280_CR27","doi-asserted-by":"publisher","first-page":"587","DOI":"10.1109\/TIT.1984.1056941","volume":"30","author":"D Coppersmith","year":"1984","unstructured":"D.\u00a0Coppersmith, Fast evaluation of logarithms in fields of characteristic two. IEEE Trans. Inf. Theory\u00a030(4), 587\u2013594 (1984)","journal-title":"IEEE Trans. Inf. Theory"},{"key":"9280_CR28","doi-asserted-by":"publisher","first-page":"33","DOI":"10.1016\/0024-3795(93)90235-G","volume":"192","author":"D Coppersmith","year":"1993","unstructured":"D.\u00a0Coppersmith, Solving linear equations over GF(2): block Lanczos algorithm. Linear Algebra Appl.\u00a0192, 33\u201360 (1993)","journal-title":"Linear Algebra Appl."},{"issue":"205","key":"9280_CR29","first-page":"333","volume":"62","author":"D Coppersmith","year":"1994","unstructured":"D.\u00a0Coppersmith, Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm. Math. Comput.\u00a062(205), 333\u2013350 (1994)","journal-title":"Math. Comput."},{"key":"9280_CR30","doi-asserted-by":"publisher","first-page":"174","DOI":"10.1007\/11745853_12","volume-title":"Public Key Cryptography - PKC 2006","author":"An Commeine","year":"2006","unstructured":"A.\u00a0Commeine, I.\u00a0Semaev, An algorithm to solve the discrete logarithm problem with the number field sieve, in Public Key Cryptography\u2014PKC 2006. Lecture Notes in Computer Science, vol. 3958 (2006), pp. 174\u2013190"},{"key":"9280_CR31","doi-asserted-by":"publisher","first-page":"421","DOI":"10.1007\/978-3-642-23951-9_28","volume-title":"Cryptographic Hardware and Embedded Systems \u2013 CHES 2011","author":"Ray C. C. Cheung","year":"2011","unstructured":"R.\u00a0Cheung, S.Duquesne, J.\u00a0Fan, N.\u00a0Guillermin, I.\u00a0Verbauwhede, G.\u00a0X. Yao, FPGA implementation of pairings using residue number system and lazy reduction, in Cryptographic Hardware and Embedded Systems\u2014CHES 2011. 
Lecture Notes in Computer Science, vol. 6917 (2011), pp. 421\u2013441"},{"key":"9280_CR32","unstructured":"J.\u00a0Detrey, FFS factory: Adapting Coppersmith\u2019s \u201cfactorization factory\u201d to the function field sieve. Cryptology ePrint Archive, Report 2014\/419 (2014)"},{"key":"9280_CR33","unstructured":"S.\u00a0Duquesne, N.\u00a0El Mrabet, S.\u00a0Haloui, F.\u00a0Rondepierre, Choosing and generating parameters for low level pairing implementation on BN curves. Cryptology ePrint Archive, Report 2015\/1212 (2015)"},{"key":"9280_CR34","unstructured":"A.\u00a0J. Devegili, M.\u00a0Scott, R.\u00a0Dahab, Implementing cryptographic pairings over Barreto\u2013Naehrig curve, in Pairing-Based Cryptography\u2014Pairing 2007. Lecture Notes in Computer Science, vol. 4575 (2007), pp. 197\u2013207"},{"key":"9280_CR35","doi-asserted-by":"crossref","unstructured":"N.\u00a0El\u00a0Mrabet, M.\u00a0Joye, Guide to Pairing-Based Cryptography. Chapman & Hall\/CRC Cryptography and Network Security Series (CRC Press, 2017)","DOI":"10.1201\/9781315370170"},{"key":"9280_CR36","first-page":"202","volume-title":"Lecture Notes in Computer Science","author":"Joshua Fried","year":"2017","unstructured":"J.\u00a0Fried, P.\u00a0Gaudry, N.\u00a0Heninger, E.\u00a0Thom\u00e9, A kilobit hidden SNFS discrete logarithm computation, in Annual International Conference on the Theory and Applications of Cryptographic Techniques. Lecture Notes in Computer Science, vol. 10210 (2017), pp. 
202\u2013231"},{"key":"9280_CR37","unstructured":"L.\u00a0Fuentes-Casta\u00f1eda, E.\u00a0Knapp, F.\u00a0Rodr\u00edguez-Henr\u00edquez, Faster hashing to $${\\mathbb{G}}_{2}$$, in Selected Areas in Cryptography\u2014SAC 2011. Lecture Notes in Computer Science, vol. 7118 (2011), pp. 412\u2013430"},{"issue":"2","key":"9280_CR38","doi-asserted-by":"publisher","first-page":"224","DOI":"10.1007\/s00145-009-9048-z","volume":"23","author":"D Freeman","year":"2010","unstructured":"D.\u00a0Freeman, M.\u00a0Scott, E.\u00a0Teske, A taxonomy of pairing-friendly elliptic curves. J. Cryptol.\u00a023(2), 224\u2013280 (2010)","journal-title":"J. Cryptol."},{"key":"9280_CR39","doi-asserted-by":"publisher","first-page":"149","DOI":"10.1007\/978-3-642-35999-6_11","volume-title":"Selected Areas in Cryptography","author":"Gurleen Grewal","year":"2013","unstructured":"G.\u00a0Grewal, R.\u00a0Azarderakhsh, P.\u00a0Longa, S.\u00a0Hu, D.\u00a0Jao, Efficient implementation of bilinear pairings on ARM processors, in Selected Areas in Cryptography. Lecture Notes in Computer Science, vol. 7707 (2013), pp. 149\u2013165"},{"key":"9280_CR40","doi-asserted-by":"publisher","first-page":"36","DOI":"10.1007\/978-3-319-55227-9_3","volume-title":"Arithmetic of Finite Fields","author":"Loubna Ghammam","year":"2016","unstructured":"L.\u00a0Ghammam, E.\u00a0Fouotsa, Adequate elliptic curves for computing the product of n pairings, in Arithmetic of Finite Fields\u2014WAIFI 2016. Lecture Notes in Computer Science, vol. 10064 (2016), pp. 
36\u2013352"},{"key":"9280_CR41","unstructured":"L.\u00a0Gr\u00e9my, A.\u00a0Guillevic, F.\u00a0Morain, E.\u00a0Thom\u00e9, Computing discrete logarithms in GF($$p^6$$), in Selected Areas in Cryptography\u2014SAC 2017. Lecture notes in computer science (2017)"},{"key":"9280_CR42","doi-asserted-by":"crossref","unstructured":"F.\u00a0G\u00f6lo\u011flu, R.\u00a0Granger, G.\u00a0McGuire, J.\u00a0Zumbr\u00e4gel, On the function field sieve and the impact of higher splitting probabilities: application to discrete logarithms in $${\\mathbb{F}}_{2^{1971}}$$ (2013), Cryptology ePrint Archive, Report 2013\/074","DOI":"10.1007\/978-3-642-40084-1_7"},{"key":"9280_CR43","unstructured":"F.\u00a0G\u00f6lo\u011flu, R.\u00a0Granger, G.\u00a0McGuire, J.\u00a0Zumbr\u00e4gel, Solving a 6120-bit DLP on a desktop computer, in Selected Areas in Cryptography\u2014SAC. Lecture Notes in Computer Science, vol. 8282 (2013), pp. 
136\u2013152"},{"issue":"A","key":"9280_CR44","doi-asserted-by":"publisher","first-page":"332","DOI":"10.1112\/S1461157016000164","volume":"19","author":"Pierrick Gaudry","year":"2016","unstructured":"P.\u00a0Gaudry, L.\u00a0Gr\u00e9my, M.\u00a0Videau, Collecting relations in the number field sieve in GF($$p^6$$). LMS J. Comput. Math.\u00a019(A), 332\u2013350 (2016)","journal-title":"LMS Journal of Computation and Mathematics"},{"key":"9280_CR45","doi-asserted-by":"publisher","first-page":"126","DOI":"10.1007\/978-3-662-44381-1_8","volume-title":"Advances in Cryptology \u2013 CRYPTO 2014","author":"Robert Granger","year":"2014","unstructured":"R.\u00a0Granger, T.\u00a0Kleinjung, J.\u00a0Zumbr\u00e4gel, Breaking 128-bit secure supersingular binary curves, in Advances in Cryptology\u2014CRYPTO 2014. Lecture Notes in Computer Science, vol. 8617 (2014), pp. 126\u2013145"},{"key":"9280_CR46","unstructured":"R.\u00a0Granger, T.\u00a0Kleinjung, J.\u00a0Zumbr\u00e4gel, On the powers of 2. Cryptology ePrint Archive, Report 2014\/300 (2014)"},{"key":"9280_CR47","doi-asserted-by":"crossref","unstructured":"R.\u00a0Granger, T.\u00a0Kleinjung, and J.\u00a0Zumbr\u00e4gel, On the discrete logarithm problem in finite fields of fixed characteristic. Trans. Am. Math. Soc. (2017)","DOI":"10.1090\/tran\/7027"},{"key":"9280_CR48","doi-asserted-by":"crossref","unstructured":"A.\u00a0Guillevic, F.\u00a0Morain, E.\u00a0Thom\u00e9, Solving discrete logarithms on a 170-bit MNT curve by pairing reduction, in Selected Areas in Cryptography\u2014SAC 2016. Lecture Notes in Computer Science, vol. 
10532 (2016)","DOI":"10.1007\/978-3-319-69453-5_30"},{"issue":"1","key":"9280_CR49","doi-asserted-by":"crossref","first-page":"124","DOI":"10.1137\/0406010","volume":"6","author":"D Gordon","year":"1993","unstructured":"D.\u00a0Gordon, Discrete logarithms in GF($$p$$) using the number field sieve. SIAM J. Discret. Math.\u00a06(1), 124\u2013138 (1993)","journal-title":"SIAM J. Discret. Math."},{"key":"9280_CR50","doi-asserted-by":"publisher","first-page":"209","DOI":"10.1007\/978-3-642-13013-7_13","volume-title":"Public Key Cryptography \u2013 PKC 2010","author":"Robert Granger","year":"2010","unstructured":"R.\u00a0Granger, M.\u00a0Scott, Faster squaring in the cyclotomic subgroup of sixth degree extensions. in Public Key Cryptography\u2014PKC 2010. Lecture Notes in Computer Science, vol. 6056 (2010), pp. 209\u2013223"},{"issue":"8","key":"9280_CR51","doi-asserted-by":"publisher","first-page":"1319","DOI":"10.1016\/j.jss.2011.03.083","volume":"84","author":"Geovandro C.C.F. Pereira","year":"2011","unstructured":"C.C.F.\u00a0Pereira Geovandro, M.A. Simpl\u00edcio Jr., M.\u00a0Naehrig, P.\u00a0Barreto, A family of implementation-friendly BN elliptic curves. J. Syst. 
Softw.\u00a084(8), 1319\u20131326 (2011)","journal-title":"Journal of Systems and Software"},{"key":"9280_CR52","unstructured":"K.\u00a0Hayasaka, K.\u00a0Aoki, T.\u00a0Kobayashi, T.\u00a0Takagi, A construction of 3-dimensional lattice sieve for number field sieve over GF($$p^n$$). Cryptology ePrint Archive, Report 2015\/1179 (2015) http:\/\/eprint.iacr.org\/2014\/300"},{"key":"9280_CR53","unstructured":"T.\u00a0Hayashi, T.\u00a0Shimoyama, N.\u00a0Shinohara, T.\u00a0Takagi, Breaking pairing-based cryptosystems using $$\\eta _t$$ pairing over GF($$3^{97}$$), in Advances in cryptology\u2014ASIACRYPT 2012. Lecture Notes in Computer Science, vol. 7658 (2012), pp. 43\u201360"},{"issue":"10","key":"9280_CR54","doi-asserted-by":"publisher","first-page":"4595","DOI":"10.1109\/TIT.2006.881709","volume":"52","author":"F Hess","year":"2006","unstructured":"F.\u00a0Hess, N.\u00a0Smart, F.\u00a0Vercauteren, The Eta pairing revisited. IEEE Trans. Inf. Theory\u00a052(10), 4595\u20134602 (2006)","journal-title":"IEEE Trans. Inf. 
Theory"},{"key":"9280_CR55","unstructured":"T.\u00a0Hayashi, N.\u00a0Shinohara, L.\u00a0Wang, S.\u00a0Matsuo, M.\u00a0Shirase, T.\u00a0Takagi, Solving a 676-bit discrete logarithm problem in GF($$3^{6n}$$), in Public Key Cryptography\u2014PKC 2010. Lecture Notes in Computer Science, vol. 6056 (2010), pp. 351\u2013367"},{"key":"9280_CR56","unstructured":"IEEE, 1363.3-2013\u2014IEEE standard for identity-based cryptographic techniques using pairings (2017). Can be purchased online at http:\/\/ieeexplore.ieee.org\/document\/6662370\/"},{"key":"9280_CR57","unstructured":"ISO, ISO\/IEC 18033-5:2015 (2015). Can be purchased online at https:\/\/www.iso.org\/obp\/ui\/#iso:std:59948:en"},{"key":"9280_CR58","unstructured":"J.\u00a0Jeong, T.\u00a0Kim, Extended tower number field sieve with application to finite fields of arbitrary composite extension degree. Cryptology ePrint Archive, Report 2016\/526 (2016). http:\/\/eprint.iacr.org\/2016\/526"},{"key":"9280_CR59","first-page":"431","volume-title":"Lecture Notes in Computer Science","author":"Antoine Joux","year":"2002","unstructured":"A.\u00a0Joux, R.\u00a0Lercier, The function field sieve is quite special, in Algorithmic Number Theory Symposium\u2014ANTS V. Lecture notes in computer science, vol. 2369 (2002), pp. 
431\u2013445"},{"issue":"242","key":"9280_CR60","doi-asserted-by":"publisher","first-page":"953","DOI":"10.1090\/S0025-5718-02-01482-5","volume":"72","author":"A Joux","year":"2003","unstructured":"A.\u00a0Joux, R.\u00a0Lercier, Improvements to the general number field for discrete logarithms in prime fields. Math. Comput.\u00a072(242), 953\u2013967 (2003)","journal-title":"Math. Comput."},{"key":"9280_CR61","doi-asserted-by":"publisher","first-page":"254","DOI":"10.1007\/11761679_16","volume-title":"Advances in Cryptology - EUROCRYPT 2006","author":"Antoine Joux","year":"2006","unstructured":"A.\u00a0Joux, R.\u00a0Lercier, The function field sieve in the medium prime case, in Advances in Cryptology\u2014EUROCRYPT 2006. Lecture Notes in Computer Science, vol. 4005 (2006), pp. 254\u2013270"},{"key":"9280_CR62","first-page":"326","volume-title":"Lecture Notes in Computer Science","author":"Antoine Joux","year":"2006","unstructured":"A.\u00a0Joux, R.\u00a0Lercier, N.\u00a0Smart, F.\u00a0Vercauteren, The number field sieve in the medium prime case, in Advances in Cryptology\u2014CRYPTO 2006. Lecture Notes in Computer Science, vol. 4117 (2006), pp. 326\u2013344"},{"key":"9280_CR63","doi-asserted-by":"publisher","first-page":"177","DOI":"10.1007\/978-3-642-38348-9_11","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2013","author":"Antoine Joux","year":"2013","unstructured":"A.\u00a0Joux, Faster index calculus for the medium prime case application to 1175-bit and 1425-bit finite fields, in Advances in cryptology\u2014EUROCRYPT 2013. Lecture Notes in Computer Science, vol. 7881 (2013), pp. 
177\u2013193"},{"key":"9280_CR64","unstructured":"A.\u00a0Joux, C.\u00a0Pierrot, The special number field sieve in $${\\mathbb{F}}_{p^n}$$\u2014application to pairing-friendly constructions, in Pairing-Based Cryptography\u2014Pairing 2013. Lecture Notes in Computer Science, vol. 8365 (2013), pp. 45\u201361"},{"key":"9280_CR65","first-page":"378","volume-title":"Lecture Notes in Computer Science","author":"Antoine Joux","year":"2014","unstructured":"A. Joux, C. Pierrot, Improving the polynomial time precomputation of Frobenius representation discrete logarithm algorithms, in Advances in Cryptology\u2014ASIACRYPT 2014. Lecture Notes in Computer Science, vol. 8873 (2014), pp. 378\u2013397"},{"issue":"281","key":"9280_CR66","doi-asserted-by":"publisher","first-page":"555","DOI":"10.1090\/S0025-5718-2012-02625-1","volume":"82","author":"Koray Karabina","year":"2012","unstructured":"K.\u00a0Karabina, Squaring in cyclotomic subgroups. Math. Comput.\u00a082(281) (2013)","journal-title":"Mathematics of Computation"},{"key":"9280_CR67","doi-asserted-by":"publisher","first-page":"543","DOI":"10.1007\/978-3-662-53018-4_20","volume-title":"Advances in Cryptology \u2013 CRYPTO 2016","author":"Taechan Kim","year":"2016","unstructured":"T.\u00a0Kim, R.\u00a0Barbulescu, The extended tower number field sieve: A new complexity for the medium prime case, in Advances in Cryptology\u2014CRYPTO 2016. Lecture Notes in Computer Science, vol. 9814 (2016), pp. 
543\u2013571"},{"key":"9280_CR68","first-page":"358","volume-title":"Lecture Notes in Computer Science","author":"Thorsten Kleinjung","year":"2014","unstructured":"T.\u00a0Kleinjung, J.\u00a0Bos, A.\u00a0Lenstra, Mersenne factorization factory, in International Conference on the Theory and Application of Cryptology and Information Security. Lecture Notes in Computer Science, vol. 8873 (2014), pp. 358\u2013377"},{"key":"9280_CR69","unstructured":"T.\u00a0Kleinjung, C.\u00a0Diem, A.\u00a0Lenstra, C.\u00a0Priplata, C.\u00a0Stahlke, Discrete logarithms in GF(p)\u2014768 bits (2016). Announcement available at the NMBRTHRY archives, item 004917"},{"key":"9280_CR70","unstructured":"E.J. Kachisa, E.F. Schaefer, M.\u00a0Scott, Constructing Brezing-Weng pairing-friendly elliptic curves using elements in the cyclotomic field, in Pairing-Based Cryptography\u2014Pairing 2008. Lecture Notes in Computer Science, vol. 5209 (2008), pp. 126\u2013135"},{"issue":"1","key":"9280_CR71","doi-asserted-by":"publisher","first-page":"33","DOI":"10.6028\/jres.049.006","volume":"49","author":"C Lanczos","year":"1952","unstructured":"C.\u00a0Lanczos, Solution of systems of linear equations by minimized iterations. J. Res. Nat. Bur. Standards\u00a049(1), 33\u201353 (1952)","journal-title":"J. Res. Nat. Bur. Standards"},{"key":"9280_CR72","doi-asserted-by":"publisher","first-page":"67","DOI":"10.1007\/3-540-45682-1_5","volume-title":"Advances in Cryptology \u2014 ASIACRYPT 2001","author":"Arjen K. Lenstra","year":"2001","unstructured":"A.\u00a0Lenstra, Unbelievable security matching AES security using public key systems, in International Conference on the Theory and Application of Cryptology and Information Security. Lecture Notes in Computer Science, vol. 2188 (2001), pp. 67\u201386"},{"key":"9280_CR73","doi-asserted-by":"publisher","first-page":"67","DOI":"10.1007\/3-540-45682-1_5","volume-title":"Advances in Cryptology \u2014 ASIACRYPT 2001","author":"Arjen K. 
Lenstra","year":"2001","unstructured":"A.\u00a0Lenstra, Unbelievable security: Matching AES security using public key systems, in Advances in cryptology\u2014ASIACRYPT 2001. Lecture Notes in Computer Science, vol. 2248 (2001), pp. 67\u201386"},{"key":"9280_CR74","doi-asserted-by":"publisher","first-page":"249","DOI":"10.1007\/BFb0052240","volume-title":"Advances in Cryptology \u2014 CRYPTO '97","author":"Chae Hoon Lim","year":"1997","unstructured":"C.H. Lim, P.J. Lee, A key recovery attack on discrete log-based schemes using a prime order subgroup, in Advances in Cryptology\u2014CRYPTO \u201997. Lecture Notes in Computer Science, vol. 1294 (1997), pp. 249\u2013263"},{"key":"9280_CR75","unstructured":"A.\u00a0Lenstra, H.\u00a0Lenstra\u00a0Jr., M.\u00a0Manasse, J.\u00a0Pollard, The number field sieve, in Proceedings of the Twenty-Second Annual ACM Symposium on Theory of Computing. ACM (1990), pp. 564\u2013572"},{"key":"9280_CR76","doi-asserted-by":"crossref","unstructured":"R.\u00a0Lidl, H.\u00a0Niederreiter, Finite Fields. (Cambridge University Press, 1997)","DOI":"10.1017\/CBO9780511525926"},{"key":"9280_CR77","unstructured":"B.\u00a0LaMacchia, A.\u00a0Odlyzko, Solving large sparse linear systems over finite fields, in Advances in Cryptology\u2014CRYPTO 1990. Lecture Notes in Computer Science, vol. 537 (1990), pp. 
109\u2013133"},{"key":"9280_CR78","first-page":"121","volume":"9","author":"D Matyukhin","year":"2006","unstructured":"D.\u00a0Matyukhin, Effective version of the number field sieve for discrete logarithms in the field GF$$(p^k)$$ (in Russian). Trudy po Discretnoi Matematike\u00a09, 121\u2013151 (2006)","journal-title":"Trudy po Discretnoi Matematike"},{"issue":"4","key":"9280_CR79","doi-asserted-by":"publisher","first-page":"235","DOI":"10.1007\/s00145-004-0315-8","volume":"17","author":"V Miller","year":"2004","unstructured":"V.\u00a0Miller, The Weil pairing and its efficient calculation. J. Cryptol.\u00a017(4), 235\u2013261 (2004)","journal-title":"J. Cryptol."},{"key":"9280_CR80","doi-asserted-by":"crossref","unstructured":"P.\u00a0Montgomery, A block Lanczos algorithm for finding dependencies over GF(2), in Advances in Cryptology\u2014EUROCRYPT 1995. vol. 921 (Springer, 1995), pp. 106\u2013120","DOI":"10.1007\/3-540-49264-X_9"},{"key":"9280_CR81","doi-asserted-by":"crossref","unstructured":"D. Moody, R.C. Peralta, R.A. Perlner, A.R. Regenscheid, A.L. Roginsky, L. Chen, Report on pairing-based cryptography-2015. Can be freely downloaded from \n                    http:\/\/nvlpubs.nist.gov\/nistpubs\/jres\/120\/jres.120.002.pdf","DOI":"10.6028\/jres.120.002"},{"key":"9280_CR82","doi-asserted-by":"crossref","unstructured":"A.\u00a0Menezes, P.\u00a0Sarkar, S.\u00a0Singh, Challenges with assessing the impact of NFS advances on the security of pairing-based cryptography, in Paradigms in Cryptology\u2014Mycrypt 2016. 
Lecture Notes in Computer Science, vol. 10311 (2016)","DOI":"10.1007\/978-3-319-61273-7_5"},{"key":"9280_CR83","first-page":"137","volume-title":"Lecture Notes in Computer Science","author":"Brian Murphy","year":"1998","unstructured":"B.\u00a0Murphy, Modelling the yield of number field sieve polynomials, in Algorithmic Number Theory Symposium\u2014ANTS III. Lecture Notes in Computer Science, vol. 1423 (1998), pp. 137\u2013150"},{"key":"9280_CR84","unstructured":"European Network and Information\u00a0Security Agency, Algorithms, key sizes and parameters report\u20142013 (2013)"},{"key":"9280_CR85","first-page":"109","volume-title":"Lecture Notes in Computer Science","author":"Michael Naehrig","year":"2010","unstructured":"M.\u00a0Naehrig, R.\u00a0Niederhagen, P.\u00a0Schwabe, New software speed records for cryptographic pairings, in Progress in Cryptology\u2014LATINCRYPT 2010. Lecture Notes in Computer Science, vol. 6212 (2010), pp. 109\u2013123"},{"key":"9280_CR86","unstructured":"National\u00a0Institute of\u00a0Standards and Technology (NIST), NIST special publication 800-57 part 1 (revised): recommendation for key management, part 1: General (revised), (July 2012). Publication available online at \n                    http:\/\/csrc.nist.gov\/publications\/nistpubs\/800-57\/sp800-57-Part1-revised2_Mar08-2007.pdf"},{"key":"9280_CR87","doi-asserted-by":"publisher","first-page":"156","DOI":"10.1007\/978-3-662-46800-5_7","volume-title":"Advances in Cryptology -- EUROCRYPT 2015","author":"C\u00e9cile Pierrot","year":"2015","unstructured":"C.\u00a0Pierrot, The multiple number field sieve with conjugation and generalized Joux-Lercier methods, in Advances in Cryptology\u2014EUROCRYPT 2015. Lecture Notes in Computer Science, vol. 9056 (2015), pp. 
156\u2013170"},{"key":"9280_CR88","doi-asserted-by":"publisher","first-page":"78","DOI":"10.1007\/978-3-642-03298-1_6","volume-title":"Pairing-Based Cryptography \u2013 Pairing 2009","author":"Michael Scott","year":"2009","unstructured":"M.\u00a0Scott, N.\u00a0Benger, M.\u00a0Charlemagne, L.J.\u00a0Dominguez Perez, E.J. Kachisa, On the final exponentiation for calculating pairings on ordinary elliptic curves, in Pairing-Based Cryptography\u2014PAIRING 2009. Lecture Notes in Computer Science, vol. 5671 (2009), pp. 78\u201388"},{"issue":"1676","key":"9280_CR89","doi-asserted-by":"publisher","first-page":"409","DOI":"10.1098\/rsta.1993.0139","volume":"345","author":"O Schirokauer","year":"1993","unstructured":"O.\u00a0Schirokauer, Discrete logarithms and local units. Philos. Trans. R. Soc. Lond. A Math. Phys. Eng. Sci.\u00a0345(1676), 409\u2013423 (1993)","journal-title":"Philos. Trans. R. Soc. Lond. A Math. Phys. Eng. Sci."},{"issue":"231","key":"9280_CR90","doi-asserted-by":"publisher","first-page":"1267","DOI":"10.1090\/S0025-5718-99-01137-0","volume":"69","author":"O Schirokauer","year":"2000","unstructured":"O.\u00a0Schirokauer, Using number fields to compute logarithms in finite fields. Math. Comput.\u00a069(231), 1267\u20131283 (2000)","journal-title":"Math. Comput."},{"issue":"269","key":"9280_CR91","doi-asserted-by":"publisher","first-page":"583","DOI":"10.1090\/S0025-5718-09-02198-X","volume":"79","author":"O Schirokauer","year":"2010","unstructured":"O.\u00a0Schirokauer, The number field sieve for integers of low weight. Math. Comput.\u00a079(269), 583\u2013602 (2010)","journal-title":"Math. Comput."},{"issue":"237","key":"9280_CR92","doi-asserted-by":"publisher","first-page":"363","DOI":"10.1090\/S0025-5718-00-01308-9","volume":"71","author":"I Semaev","year":"2002","unstructured":"I.\u00a0Semaev, Special prime numbers and discrete logs in finite prime fields. Math. Comput.\u00a071(237), 363\u2013377 (2002)","journal-title":"Math. 
Comput."},{"key":"9280_CR93","unstructured":"N.\u00a0Smart, ECRYPT II yearly report on algorithms and key sizes (2011-2012). (2012)"},{"issue":"4","key":"9280_CR94","doi-asserted-by":"publisher","first-page":"2233","DOI":"10.1109\/TIT.2016.2528996","volume":"62","author":"P Sarkar","year":"2016","unstructured":"P.\u00a0Sarkar, S.\u00a0Singh, Fine tuning the function field sieve algorithm for the medium prime case. IEEE Trans. Inf. Theory\u00a062(4), 2233\u20132253 (2016)","journal-title":"IEEE Trans. Inf. Theory"},{"key":"9280_CR95","unstructured":"P.\u00a0Sarkar, S.\u00a0Singh, A generalisation of the conjugation method for polynomial selection for the extended tower number field sieve algorithm. Cryptology ePrint Archive, Report 2016\/537 (2016)"},{"key":"9280_CR96","unstructured":"P.\u00a0Sarkar, S.\u00a0Singh, New complexity trade-offs for the (multiple) number field sieve algorithm in non-prime fields, in Annual International Conference on the Theory and Applications of Cryptographic Techniques (2016), pp. 429\u2013458"},{"key":"9280_CR97","unstructured":"P.\u00a0Sarkar, S.\u00a0Singh, Tower number field sieve variant of a recent polynomial selection method. Cryptology ePrint Archive, Report 2016\/401 (2016)"},{"key":"9280_CR98","doi-asserted-by":"publisher","first-page":"298","DOI":"10.1007\/978-3-662-44709-3_17","volume-title":"Advanced Information Systems Engineering","author":"Thomas Unterluggauer","year":"2014","unstructured":"T.\u00a0Unterluggauer, E.\u00a0Wenger, Efficient pairings and ECC for embedded systems, in Cryptographic Hardware and Embedded Systems\u2014CHES 2014. Lecture Notes in Computer Science, vol. 8731 (2014), pp. 298\u2013315"},{"key":"9280_CR99","doi-asserted-by":"publisher","first-page":"455","DOI":"10.1109\/TIT.2009.2034881","volume":"56","author":"F Vercauteren","year":"2009","unstructured":"F.\u00a0Vercauteren, Optimal pairings. IEEE Trans. Inf. Theory\u00a056, 455\u2013461 (2009)","journal-title":"IEEE Trans. Inf. 
Theory"},{"key":"9280_CR100","unstructured":"F.\u00a0Valette, R.\u00a0Lercier, P.-A. Fouque, D.\u00a0R\u00e9al, Fault attack on elliptic curve Montgomery ladder implementation, in 5th Workshop on Fault Diagnosis and Tolerance in Cryptography. IEEE (2008), pp. 92\u201398"},{"issue":"1","key":"9280_CR101","doi-asserted-by":"publisher","first-page":"54","DOI":"10.1109\/TIT.1986.1057137","volume":"32","author":"D Wiedemann","year":"1986","unstructured":"D.\u00a0Wiedemann, Solving sparse linear equations over finite fields. IEEE Trans. Inf. Theory\u00a032(1), 54\u201362 (1986)","journal-title":"IEEE Trans. Inf. Theory"},{"issue":"1","key":"9280_CR102","doi-asserted-by":"publisher","first-page":"161","DOI":"10.2478\/v10127-010-0012-y","volume":"45","author":"Pavol Zajac","year":"2010","unstructured":"P. Zajac, On the use of the lattice sieve in the 3D NFS. Tatra Mountains Mathematical Publications\u00a045(1), 161\u2013172 (2010)","journal-title":"Tatra Mountains Mathematical Publications"},{"key":"9280_CR103","first-page":"412","volume-title":"Lecture Notes in Computer Science","author":"Xusheng Zhang","year":"2012","unstructured":"X.\u00a0Zhang, D.\u00a0Lin, Analysis of optimum pairing products at high security levels, in Progress in Cryptology\u2014INDOCRYPT 2012. Lecture Notes in Computer Science, vol. 7668 (2012), pp. 
412\u2013430"}],"container-title":["Journal of Cryptology"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s00145-018-9280-5\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-018-9280-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-018-9280-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,4,8]],"date-time":"2020-04-08T08:16:32Z","timestamp":1586333792000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s00145-018-9280-5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,1,29]]},"references-count":103,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2019,10]]}},"alternative-id":["9280"],"URL":"https:\/\/doi.org\/10.1007\/s00145-018-9280-5","relation":{},"ISSN":["0933-2790","1432-1378"],"issn-type":[{"value":"0933-2790","type":"print"},{"value":"1432-1378","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,1,29]]},"assertion":[{"value":"2 May 2017","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"11 January 2018","order":2,"name":"revised","label":"Revised","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"29 January 2018","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"This content has been made available to all.","name":"free","label":"Free to read"}]}}