Individual discrete logarithm with sublattice reduction

Abstract

The Number Field Sieve and its numerous variants is the best algorithm to compute discrete logarithms in medium and large characteristic finite fields. When the extension degree n is composite and the characteristic p is of medium size, the Tower variant (TNFS) is asymptotically the most efficient one. Our work deals with the last main step, namely the individual logarithm step, that computes a smooth decomposition of a given target T in the finite field thanks to two distinct phases: an initial splitting step, and a descent tree. In this article, we improve on the current state-of-the-art Guillevic’s algorithm dedicated to the initial splitting step for composite n. While still exploiting the proper subfields of the target finite field, we modify the lattice reduction subroutine that creates a lift in a number field of the target T. Our algorithm returns lifted elements with lower degrees and coefficients, resulting in lower norms in the number field. The lifted elements are not only much likely to be smooth because they have smaller norms, but it permits to set a smaller smoothness bound for the descent tree. Asymptotically, our algorithm is faster and works for a larger area of finite fields than Guillevic’s algorithm, being now relevant even when the medium characteristic p is such that \(L_{p^n}(1/3) \le p< L_{p^n}(1/2)\). In practice, we conduct experiments on 500-bit to 2048-bit composite finite fields: Our method becomes more efficient as the largest non trivial divisor of n grows, being thus particularly adapted to even extension degrees.

Appendices

Appendix A: Example

We give a concrete example to better understand Algorithm 1 and to see how decreasing the degree while allowing larger coefficients can result is smaller norms. Take the finite field \({\mathbb F}_{p^{28}}\) of size 476 bits where \(p = 131101\).

Construction of finite field and number fields: After running JLSV\(_1\) polynomial selection to find 100 pairs of suitable polynomials. We choose the pair with the highest score for a notion of score based on the alpha value [17] and the coefficient sizes. The code to select the pair of polynomials can be found at [1].

\(f_1(X) = X^{28} + 349X^{27} + 348X^{26} + 1040X^{25} + 349X^{24} + 348X^{23} + 1040X^{22} + 1040X^{21} + 695X^{20} + 1041X^{19} + 695X^{18} + 347X^{17} + 349X^{16} + 347X^{15} + 348X^{14} + 694X^{13} + 1039X^{12} + 348X^{11} + 347X^{10} + 348X^9 + 1039X^8 + 347X^7 + 695X^6 + 1041X^5 + 349X^4 + 1039X^3 + 347X^2 + 1041X + 349\).

\(f_2(X) = -379X^{28} - 1170X^{27} - 791X^{26} - 857X^{25} - 1170X^{24} - 791X^{23} - 857X^{22} - 857X^{21} - 1203X^{20} - 1236X^{19} - 1203X^{18} - 412X^{17} - 1170X^{16} - 412X^{15} - 791X^{14} - 824X^{13} - 478X^{12} - 791X^{11} - 412X^{10} - 791X^9 - 478X^8 - 412X^7 - 1203X^6 - 1236X^5 - 1170X^4 - 478X^3 - 412X^2 - 1236X - 1170\).

Moreover, \(f_1\) is also irreducible in \({\mathbb F}_p[X]\), thus \({\mathbb F}_{p^{28}}\) is represented as:

$$\begin{aligned} {\mathbb F}_p[X]/(f_1) := {\mathbb F}_p(\alpha ). \end{aligned}$$

Since \(f_1\) has smaller coefficients than \(f_2\), it is natural to perform the smoothing step in \(\mathcal {K}= {\mathbb Q}[X]/(f_1) := {\mathbb Q}(x)\). Denote by \(\mathcal {N}\) the norm defined in \(\mathcal {K}\) and for any element Y in \({\mathbb F}_p(\alpha )\), \(\bar{Y}\) denotes its natural preimage in \(\mathcal {K}\).

Generator selection: Finding a generator of \({\mathbb F}_{p^n}^*\) requires factoring \(p^n -1\) which is out of reach. Instead one chooses a random element \(g \in {\mathbb F}_{p^n}^*\) and tests if \(g^{(p^n - 1)/m} \not = 1\) for all m running over small divisors of \(p^n - 1\) (say all divisors smaller than \(10^9\)). Such an element has a very high probability of being a generator of \({\mathbb F}_{p^n}^*\), and is called a pseudo generator. Running our code that is available at [1], we find the following pseudo generator of \({\mathbb F}_{p^{28}}^*\): \(g = 44501\alpha ^{27} + 17288\alpha ^{26} + 79714\alpha ^{25} + 15355\alpha ^{24} + 100146\alpha ^{23} + 87012\alpha ^{22} + 18126\alpha ^{21} + 125995\alpha ^{20} + 12941\alpha ^{19} + 86746\alpha ^{18} + 22260\alpha ^{17} + 8816\alpha ^{16} + 41799\alpha ^{15} + 19116\alpha ^{14} + 45121\alpha ^{13} + 116926\alpha ^{12} + 11767\alpha ^{11} + 64435\alpha ^{10} + 16296\alpha ^9 + 33812\alpha ^8 + 96819\alpha ^7 + 40474\alpha ^6 + 105343\alpha ^5 + 71563\alpha ^4 + 48599\alpha ^3 + 102954\alpha ^2 + 36712\alpha + 3594\).

Target selection: We choose a target constructed from the decimal digits of \(\pi \).

\(T = 1415926\alpha ^{27} + 5358979\alpha ^{26} + 3238462\alpha ^{25} + 6433832\alpha ^{24} + 7950288\alpha ^{23} + 4197169\alpha ^{22} + 3993751\alpha ^{21} + 582097\alpha ^{20} + 4944592\alpha ^{19} + 3078164\alpha ^{18} + 628620\alpha ^{17} + 8998628\alpha ^{16} + 348253\alpha ^{15} + 4211706\alpha ^{14} + 7982148\alpha ^{13} + 865132\alpha ^{12} + 8230664\alpha ^{11} + 7093844\alpha ^{10} + 6095505\alpha ^9 + 8223172\alpha ^8 + 5359408\alpha ^7 + 1284811\alpha ^6 + 1745028\alpha ^5 + 4102701\alpha ^4 + 9385211\alpha ^3 + 555964\alpha ^2 + 4622948\alpha + 9549303\).

After reducing each coefficient modulo p, the target T becomes: \(T = 104916\alpha ^{27} + 114939\alpha ^{26} + 92038\alpha ^{25} + 9883\alpha ^{24} + 84228\alpha ^{23} + 1937\alpha ^{22} + 60721\alpha ^{21} + 57693\alpha ^{20} + 93855\alpha ^{19} + 62841\alpha ^{18} + 104216\alpha ^{17} + 83760\alpha ^{16} + 86051\alpha ^{15} + 16474\alpha ^{14} + 116088\alpha ^{13} + 78526\alpha ^{12} + 102402\alpha ^{11} + 14390\alpha ^{10} + 64859\alpha ^9 + 94910\alpha ^8 + 115368\alpha ^7 + 104902\alpha ^6 + 40715\alpha ^5 + 38570\alpha ^4 + 77040\alpha ^3 + 31560\alpha ^2 + 34413\alpha + 110031\).

Outputs: To run our code [1], one starts by creating an instance from smoothness.sage: diag = Smoothness(p, n, f1, f1, g), and then one calls the method smoothness_lattice_n: \(R_1\), \(R_2\), \(s_{best}\) = diag.smoothness_lattice_n(T). We get \(\overline{R_1}\) the output of the algorithm of [19] (i.e: Algorithm 1 with \(s=0\)) and \(\overline{R_2}\) the output of Algorithm 1 for the best choice of s, that is \(s_{practical}\). We recall that \(s_{practical}\) is the number of columns erased from the lattice that results in the output of the smallest element, that is \(\overline{R_2}\). We get:

\(\overline{R_1} = -13x^{27} - 51x^{26} - 10x^{25} + 100x^{24} + 219x^{23} + 80x^{22} + 98x^{21} + 54x^{20} - 5x^{19} + 113x^{18} - 195x^{17} + 92x^{16} - 46x^{15} - 99x^{14} + 9x^{13} + 77x^{12} - 173x^{11} + 77x^{10} + 57x^9 + 213x^8 - 82x^7 - 107x^6 - 76x^5 - 58x^4 - 8x^3 + 34x^2 - 64x - 28\).

\(\overline{R_2} = 175x^{23} - 87x^{22} - 10x^{21} + 305x^{20} + 233x^{19} - 37x^{18} - 151x^{17} - 123x^{16} - 30x^{15} + 105x^{14} + 145x^{13} - 214x^{12} + 143x^{11} + 432x^{10} + 63x^9 - 222x^8 - 17x^7 - 303x^6 - 309x^5 - 239x^4 + 25x^3 - 373x^2 - 330x - 174\), where \(s_{practical} = 4\).

Norms of the target and the outputs: The norm of the target is \(\mathcal {N}\left( \bar{T} \right) \approx 2^{769}\), the norm of \(\overline{R_1}\) is \(\mathcal {N}\left( \overline{R_1} \right) \approx 2^{507}\), and the norm of \(R_2\) is \(\mathcal {N}\left( \overline{R_2} \right) \approx 2^{492}\). Our algorithm outputs here an element of norm 15 bits smaller than the one output by [19]. We emphasize that \(\overline{R_1}\) is of degree maximal 27 whereas \(\overline{R_2}\) is of degree \(27-4 = 23\) and has slightly larger coefficients.

Probability of smoothness: Fix a smoothness bound \(B = 2^{35}\). Then using the dickman_rho function implemented is sage, the probability of \(\mathcal {N}\left( \overline{R_1}\right) \) being B-smooth is about \(6.45 \times 10^{-19}\) and the probability of \(\mathcal {N}\left( \overline{R_2}\right) \) being B-smooth is about \(3.77 \times 10^{-18}\). Our output is 5.8 more likely to be smooth.

Larger example: As shown in Sect. 6, our algorithm performs the best as the degree extension n grows. For instance let us look at the 2050-bits finite field \({\mathbb F}_{p^n} = {\mathbb F}_{2199023255579^{50}}\). All the parameters for this setting, such as the polynomials selected and the generator, can be found in the GitLab repository [1]. Similarly as above, applying Algorithm 1 leads to the following:

1. 1.

   The norm of the target chosen with the decimals of \(\pi \) is \(\mathcal {N}\left( \overline{T}\right) \approx 2^{3152}\)

2. 2.

   The norm of the output \(\overline{R_1}\) of [19]’s algorithm is \(\mathcal {N}\left( \overline{R_1} \right) \approx 2^{2138}\)

3. 3.

   The norm of the output \(\overline{R_2}\) of Algorithm 1 with the best s is \(\mathcal {N}\left( \overline{R_2} \right) \approx 2^{2121}\), where the best s is \(s_{practical} = 4\).

In this example our output is \(2^{17}\) times smaller. If the smoothness bound is set to \(B=2^{70}\), then our output is about 3.5 times more likely to be B-smooth. Since the smoothness probability is higher, one can set a lower smoothness bound in order to get a smaller descent tree.

Appendix B: Data

The next two tables present the results of our experiments: n is the extension degree, d is the largest divisor of n, p in bits is the number of bits of the characteristic p, Bitsize of the field is the size of the finite field \({\mathbb F}_{p^n}\) in bits, Input norms in bits is the mean in bits of the norms in the number field of the 1000 targets, Output norms with [Guil19] in bits is the mean in bits of the norms output by [Guil19], Our norms in bits is the mean in bits of the norms output by Algorithm 1, \(s_{practical}\) is the mean of the best choice of s in Algorithm 1 in practice rounded to one decimal place, and \(s_{theoretical}\) is the optimal s given from the asymptotic formula rounded to the integer below. Each given norm in a given finite field is a mean of the norms of 1000 elements. The data is sorted in respect to n the extension degree. Moreover, the polynomials selected for the experiments, the pseudo generators of the multiplicative group in each finite field, and the implementation that produced this data are available at [1].

Table 3 Experiments are run on 460 to 500-bit finite fields

Table 4 Experiments are run on 2050 to 2080-bit finite fields