# A New Index Calculus Algorithm with Complexity \(L(1/4+o(1))\) in Small Characteristic

- 38 Citations
- 1.7k Downloads

## Abstract

In this paper, we describe a new algorithm for discrete logarithms in small characteristic. This algorithm is based on index calculus and includes two new contributions. The first is a new method for generating multiplicative relations among elements of a small smoothness basis. The second is a new descent strategy that allows us to express the logarithm of an arbitrary finite field element in terms of the logarithm of elements from the smoothness basis. For a small characteristic finite field of size \(Q=p^n\), this algorithm achieves heuristic complexity \(L_Q(1/4+o(1)).\) For technical reasons, unless \(n\) is already a composite with factors of the right size, this is done by embedding \({\mathbb F}_{Q}\) in a small extension \({\mathbb F}_{Q^e}\) with \(e\le 2\lceil \log _p n \rceil \).

## Keywords

Index Calculus Algorithm Basic Smoothness Function Field Sieve Classical Descent Kummer Extension## 1 Introduction

The discrete logarithm problem is one of the major hard problems used in cryptography. In this paper, we show that for finite fields of small characteristic, this problem can be solved with heuristic complexity \(L(1/4+o(1)).\) Moreover, the algorithm yields very practical improvements compared to the previous state-of-the-art.

One of the two main ideas used for our algorithm is a generalization of the pinpointing technique proposed in [10]. Another independent algorithm for characteristic 2 was proposed in [5], yielding an algorithm with complexity \(L_Q(1/3),\) with a better constant than the Function Field Sieve.

## 2 A Reminder of Discrete Logarithm Algorithms in Small Characteristic

When considering the computation of discrete logarithms, in fields of the form \({\mathbb F}_{Q}\), where \(p\) is relatively small compared to \(Q\), the state of the art choice is to use one of the numerous variation of the function field sieve. For larger values of \(p\), it becomes preferable to use a variation of the number field sieve. The choice between the two family of algorithms is made by comparing \(p\) and \(L_{Q}(\frac{1}{3})\) (see [12]).

**random**polynomial of degree \(n\) decomposes into factors of degree \(m\) over a finite field is close to:

When using function field sieve algorithms, a standard *heuristic assumption* is to assume that all polynomials that arise in the algorithm also follow this smoothness probability. In the new algorithm presented here, this is false by construction, because we consider polynomials than decompose more frequently than usual. However, we still use the heuristic assumption on some polynomials: those for which there is no known reason to expect that they would deviate from the normal behavior.

Despite the new ingredients we are using, there are deep similarities between our algorithm and its predecessors. In particular, some features are reminiscent of Coppersmith’s algorithm [3], while others are inspired from [11]. In the present section, we recall these two algorithms.

### 2.1 Coppersmith’s Algorithm

Coppersmith’s Algorithm was published in 1984 in [3]. Historically, it was the first discrete logarithm algorithm to achieve complexity \(L(1/3)\). In its original presentation, this algorithm is dedicated to characteristic 2, but it can easily be generalized to any fixed characteristic [14].

Consider as usual a finite field of size \(Q=p^n\). Coppersmith assumes that \({\mathbb F}_{Q}\) is constructed using a polynomial \(P(x)=x^n-P_0(x)\), where \(P_0(x)\) is a polynomial of low degree. He then chooses \(k\) a power of \(p\) close to \(\sqrt{n}\) and writes \(n=hk-n_0\), with \(0\le n_0<k\).

The complexity of Coppersmith’s index calculus algorithm is \(L(1/3,c)\) with a value of \(c\) that depends on the extension degree \(n\). This constant is minimized when \(n\) is close to a power of \(p^2\).

### 2.2 Function Field Sieve

The general function field sieve algorithm was proposed in 1999 by Adleman and Huang in [1]. It improves on Coppermith’s algorithm when the extension degree \(n\) is not close to a power of \(p^2\). In its general form, it uses multiplicative relations between ideals in function fields and technicalities arise due to this. A simplified version was proposed in [11]. This simplified version only involves polynomial rings (instead of function fields), which has the merit of removing most of these technicalities.

The algorithm from [11] is particularly well suited to the computation of discrete logarithms in fields that contain a medium-sized subfield (not necessarily prime). To emphasize this, we write the finite field as \({\mathbb F}_{q^n}\), a degree \(n\) extension of the medium-sized field \({\mathbb F}_{q}\). In the optimal case where \(q=L_{q^n}(1/3)\), the constant in the complexity can even be reduced compared to usual function field sieve.

The relative degrees of \(d_1\) and \(d_2\) in the construction are controlled by an extra parameter \(D\), whose choice is determined by the size of \(q\) compared to \(q^n\). More precisely, we have \(d_1\approx \sqrt{Dn}\) and \(d_2\approx \sqrt{n/D}\). The simplest and most efficient case occurs when we can choose \(D=1\), i.e. \(d_1\approx d_2\approx \sqrt{n}.\)

Following [11] , we only keep the relations, where \(\mathcal {A}(Y)\,g_1(Y)+\mathcal {B}(Y)\) and \(\mathcal {A}(g_2(X))\,X+\mathcal {B}(g_2(X))\) both factor into unitary polynomials of degree at most \(D\) in \(X\) or \(Y\). This yields multiplicative relations between the images in \({\mathbb F}_{q^n}\) of these low-degree polynomials, which form the smoothness basis. Classically the good pairs \((\mathcal {A},\mathcal {B})\) are found using a sieving approach^{1}.

*Complexity.*To express the complexity, [11] let \(Q=q^n\) and assumes that there exists a parameter \(\alpha \) such that:

**Individual Logarithms Phase.** Another very important phase that appears in index calculus algorithms is the individual discrete logarithms phase which allows to compute the logarithm of an arbitrary finite field element by finding a multiplicative relation which relates this element to the elements of the smoothness basis whose logarithms have already been computed.

We now detail this phase in the case of [11]. The ultimate goal of expressing a given element as a product of elements from the smoothness basis is not achieved in a single pass. Instead, it is done by first expressing the desired element in \({\mathbb F}_{q^n}\) as a product of univariate polynomials in either \(x\) or \(y\) and with degree smaller than that of the desired element. These polynomials can in turn be related to polynomials of a lower degree and so on, until hitting degree \(\le D\), i.e. elements of the smoothness basis. For this reason, the individual logarithm phase is also called the descent phase.

In order to create relations between a polynomial in either \(X\) or \(Y\) (i.e. coming either from the left or right side of a previous equation) and polynomials of lower degree, [11] proceeds as follows: Let \(\mathcal {Q}(X)\) (resp. \(\mathcal {Q}(Y)\)) denote the polynomial that represent the desired element. One considers a set of monomials \(S_\mathcal {Q}=\{X^iY^j | i \in [0\cdots D_x(\mathcal {Q})], j \in [0\cdots D_y(\mathcal {Q})]\}\), where \(D_x(\mathcal {Q})\) and \(D_y(\mathcal {Q})\) are parameters that we determine later on. Each monomial in \(S_Q\) can be expressed as a univariate polynomial in \(X\) (resp. \(Y\)), after replacing \(Y\) by \(g_2(X)\) (or \(X\) by \(g_1(Y)\)). For a monomial \(m\) we denote by \(V_\mathcal {Q}(m)\) the value modulo \(\mathcal {Q}\) of the univariate polynomial corresponding to \(m\). Clearly, \(V_\mathcal {Q}(m)\) can be represented by a vector of \(\deg {\mathcal {Q}}\) finite field elements. We now build a matrix \(M_\mathcal {Q}\) by assembling all the vectors \(V_\mathcal {Q}(m)\) for \(m \in S_\mathcal {Q}\). Any vector in the kernel of \(M_\mathcal {Q}\) can then be interpreted as a polynomial whose univariate representation is divisible by \(\mathcal {Q}\). If both the quotient after dividing by \(\mathcal {Q}\) and the univariate representation in the other unknown decompose into products of polynomials of low enough degree, we obtain the desired relation.

## 3 New Algorithm: Basic Ideas

The new index calculus algorithms proposed in this paper hinges on a few basic ideas, which can be arranged into a functional discrete logarithm algorithm.

*Basic idea 1: Homographies.* In [10], it was remarked that a single polynomial \(f\) that nicely factors can be transformed into several such polynomials, simply by a linear change of variable: \( f(X) \longrightarrow f(aX)\), for any non-zero constant \(a\).

### **Theorem 1**

### *Proof*

It is also clear that the transformed factors have no reason to be irreducible in the extension field \({\mathbb F}_{q^k}\).

Remark that when \(c\ne 0\) the coefficient of \(X^{\deg {F_i}}\) in the factor coming from \(F_i\) is \(c^{\deg {F_i}}F_i(a/c)\). Since this is not necessarily \(1\) and can even be \(0\), we see that the transformed polynomials are not necessarily monic and may have degree strictly smaller than the corresponding \(F_i\). \(\square \)

Thanks to this, it is now possible to amplify a single polynomial to a much larger extend than previously. More precisely, with a linear change of variables, the number of amplified copies of a single polynomial is close to the size of the finite field in which \(a\) is picked. With homographies, the number of copies becomes larger (see Sect. 4.2 for a detailed analysis).

*Basic idea 2: Systematic polynomial splitting.*The second idea directly stems from this fact. Since it is possible to make so many copies of one polynomial, it suffices to start from a single polynomial \(f\). Thus, instead of considering many polynomials until we find some candidate, we are going to choose a polynomial with factors by design. Over a small finite field \({\mathbb F}_{q}\), an extremely natural candidate to consider is:

Geometrically, using the homogeneous evaluation of \(f\) (with multiplication by \((cX+d)^{q+1}\)) at an homography \(h\) is equivalent to considering the image of the projective line (including its point at infinity) \({\mathbb P}_1({\mathbb F}_{q})\) by \(h\).

*Basic idea 3: Field definition* The image of \(X^q-X\) by an homography is a polynomial which only contains the monomials \(X^{q+1}\), \(X^q\), \(X\) and \(1\). To obtain a multiplicative relation, it is thus desirable to find a finite field representation that transforms such a polynomial into a low degree polynomial. This can be achieved by choosing the finite field representation in a way that is reminiscent both of Coppersmith’s algorithm and of [11].

This construction is similar to Coppersmith’s Algorithm, since we require a simple expression of the Frobenius map \(x \rightarrow x^q\). It is similar to [11], because we do not ask for the relation to directly give an irreducible polynomial but only require a factor of the proper degree.

The rest of the paper gives the details of how to put together these basic ideas into a working discrete logarithm algorithm. Another application of the same ideas has been described in [7], where a new deterministic algorithm (based on similar heuristics to ours) is proposed to find a provable multiplicative generator of a finite field.

## 4 Description of the New Algorithm

In this section, we present the new discrete logarithm algorithm for small characteristic fields that arises when putting together the basic ideas from the previous section. We first describe the general setting of our algorithm, before considering its relation collection phase. We skip the description of the linear algebra phase that takes as input the relations and outputs logarithms of the elements of our factor basis, since it is left unchanged compared to previous algorithms. Finally, we study the computation of individual discrete logarithms, for arbitrary field elements. This phase relies on a descent method which contains two main strategies. For elements with representations of high degree, one proceeds as in [11], while for lower degrees we introduce a new strategy based on the resolution of multivariate systems of bilinear equations.

### 4.1 Choosing the Parameters

Given a small characteristic finite field \({\mathbb F}_{p^n}\), we start be embedding it into a field of the form \({\mathbb F}_{q^{2k}}\), with \(k\le q\). This can be achieved by taking a degree \(e\) extension of \({\mathbb F}_{p^n}\), with \(e \le 2\lceil \log _p{n} \rceil \).

After this initial embedding, the finite field \({\mathbb F}_{q^{2k}}\) is constructed has a degree \(k\) extension of \({\mathbb F}_{q^2}\). This degree \(k\) extension is obtained by using a irreducible factor of a low degree bivariate polynomial, evaluated at \((X,X^p)\). More precisely, we follow the third idea of Sect. 3 and choose two low degree polynomials \(h_0(X)\) and \(h_1(X)\) with coefficients in \({\mathbb F}_{q^2}\) such that \(h_1(X)X^q-h_0(X)\) has an irreducible factor \(\mathcal {I}(X)\) of degree \(k\). This field representation leads to the commutative diagram in Fig. 2. *Heuristically,* we expect arbitrary extension degrees to appear with this form of definition polynomials. Indeed, we expect that a fraction close to \(1/k\) of random polynomials has a factor of degree \(k\). Thus considering polynomials \(h_0\) and \(h_1\) of degree \(2\), we have a very large number of degrees of freedom and expect to get a good representation. However, this argument is not a proof. This is emphasized by the fact that with linear polynomials \(h_0\) and \(h_1\) we can only reach a fraction of the possible extension degrees (see the simple cases below).

Moreover, since we have also the option of raising the degree of \(h_0\) and \(h_1\) to an arbitrary constant, it should be easy to achieve any extension degree \(k\) (up to \(q+\deg (h_1)\).)

**Illustration of Some Simple Cases.** Some kind of extensions are especially well-suited to this form of representation. To illustrate our construction, we now describe these simple cases.

A first example concerns extensions of degree \(k=q-1\). They can be represented as Kummer extensions by an irreducible polynomial \(\mathcal {I}(X)=X^{q-1}-g,\) where \(g\) is a generator of the multiplicative group \({\mathbb F}_{q}^{*}\). This can be achieved easily in our setting by letting \(h_0(X)=gX\) and \(h_1(X)=1.\)

Similarly extensions of degree \(k=q+1\) can be represented by a Kummer extension by an irreducible polynomial \(\mathcal {I}(X)=X^{q+1}+G^{q-1},\) where \(G\) is a generator of the multiplicative group \({\mathbb F}_{q^2}^{*}\). This can be achieved easily in our setting by letting \(h_0(X)=-G^{q-1}\) and \(h_1(X)=X.\)

Alternatively, extensions of degree \(q+1\) can also be represented using a “twisted Kummer” form, i.e. using an irreducible polynomial of the form \(X^{q+1}-AX-B\), with coefficients \(A\) and \(B\) in \({\mathbb F}_{q}\). This twisted Kummer form is used for the record computation presented in Sect. 8.

Another special case is \(k=p\), which can be represented by an Artin-Schreier extension with \(\mathcal {I}(X)=X^{p}-X-1.\) This can be achieved by choosing \(h_0(X)=-(X+1)\) and \(h_1(X)=1.\) However, since our algorithm is dedicated to small characteristic, this only leads to low degree extensions.

*Action of Frobenius.*When using Kummer, twisted Kummer or Artin-Schreier extensions, the fact that the Frobenius maps \(X\) to an homography in \(X\) allows to reduce the size of the factor basis by a factor close to the extension degree. Indeed, we can remark that:

- 1.In the Kummer case:$$ (x+\theta )^q=x^q+\theta ^q=g(x+\theta ^q/g). $$
- 2.In the twisted Kummer case:$$ (x+\theta )^q=x^q+\theta ^q=\frac{1}{x}((\theta +A)x+B). $$
- 3.In the Artin-Schreier case:$$ (x+\theta )^p=x^p+\theta ^p+1. $$

### 4.2 Logarithms of Linear Polynomials

The first step in the algorithm is to generate the logarithms of all linear polynomials in the finite field. As usual in index calculus, we construct multiplicative relations between these elements. These equations can be viewed as linear equations on the values of their logarithms which are then obtained by linear algebra.

**Counting the Relation Candidates.** The above description that generates a candidate relation from a quadruple \((a,b,c,d)\) disregards some important structure in the set of candidates. In particular, the reader should be aware that the same relation may be encountered several times (with different quadruples \((a,b,c,d)\)). Typically, when \((a,b,c,d)\in {\mathbb F}_{q}^4\), we obtain a trivial equation. Indeed, in this case, for each \(v\) in \(\{a,b,c,d\}\), we have \(v^q=v\). As a consequence, after evaluation, we obtain the polynomial \((ad-bc)(X^q-X)\). Since this a just a multiple of the basic polynomial \(X^q-X\), this cannot form a new relation.

This is the reason why we need to take coefficients^{2} \((a,b,c,d)\) in \({\mathbb F}_{q^2}\) and to consider a smoothness basis with coefficients in \({\mathbb F}_{q^2}\).

*Cost of relation finding.*We now would like to estimate the probability of finding a relation for a random quadruple. Under the usual heuristic that the right-hand side’s numerator factors into linear with a probability close to a random polynomial of the same degree, we need to perform \(D !\) trials, where \(D\) denotes the degree of the right-hand numerator. We note that \(D\le 1+\max (\deg {h_0},\deg {h_1}).\)

As a consequence, since \(D\) can heuristically be chosen as a constant, we expect to find enough relations by considering \(O(q^2)\) quadruples. To avoid duplicates, we can either use the structure of the orbits of \(\mathrm{{PGL}}_2({\mathbb F}_{q^2})\) under the action of \(\mathrm{{PGL}}_2({\mathbb F}_{q})\) or simply keep hash values of the relations to remove collisions. Since we only need \(O(q^2)\) distinct elements in a set of size close to \(q^3\), the number of expected collisions between relations for randomly chosen quadruples \((a,b,c,d)\) is \(O(q)\). As a consequence, dealing with these collisions does not induce any noticeable slow-down.

### 4.3 Extending the Basis to Degree \(2\) Polynomials

The above process together with linear algebra can thus give us the logarithms of linear polynomials. Unfortunately, this is not enough. Indeed, we do not know, in general, how to compute arbitrary logarithms using a smoothness basis that only contains linear polynomials. Instead, we extend our basis of known logarithms to include polynomials of degree \(2\).

We first describe a natural approach that does not work, before proposing a successful approach that requires some additional linear algebra steps.

**A Natural Strategy that Fails.** The idea of this strategy is to reconsider the relations produced for finding the linear polynomials. But, instead of keeping the relations with a right-hand side that splits into linear factors, it also keeps relations with a single degree 2 factor and some linear factors. This clearly allows us to compute the logarithm of the degree 2 polynomial.

A simple counting argument shows that in general, this approach must fail. Indeed, on the one-hand, the number of quadratic polynomials with coefficients in \({\mathbb F}_{q^2}\) is \(O(q^4)\), while on the other hand, the number of relations that can be obtained from homographies with coefficients in \({\mathbb F}_{q^2}\) is close to \(q^3\) when removing the duplicates arising from homographies with coefficients in \({\mathbb F}_{q}\). As a consequence, it is not possible to derive the logarithms of all quadratic polynomials in this way.

It is interesting to note that if we replace the field \({\mathbb F}_{q^2}\) by a larger field for the coefficients of the homographies, the natural approach becomes workable. However, we can see that the same counting argument shows that, in general, using \({\mathbb F}_{q^3}\) is not good enough since a fraction of the equation are lost due to the right-hand side splitting probability. Thus, to be able to recover the degree 2 polynomials with the simple strategy we need to, at least, use \({\mathbb F}_{q^4}\) as our basefield. Since the number of linear polynomials in this case is \(q^4\), it is clearly preferable to stay with \({\mathbb F}_{q^2}\) and pay the price of constructing quadratic polynomials with the strategy below.

**A Working Strategy.**For this second strategy, we produce some extra equations, using the same approach as for linear polynomials together with a slightly more general change of variable. More precisely, we consider changes of the form:

However, this linear algebra step is much bigger than the first one. In fact, it is almost as expensive as initially building all linear polynomials over the larger basefield \({\mathbb F}_{q^4}\). Thankfully, it is often possible to improve this, by separating the degree 2 polynomials into several subsets which can be addressed independently.

Depending on the exact parameters of the finite field and the number of logarithms that need to be computed, it might also be useful to further extend the smoothness basis and include polynomials of higher degree (3 or more).

## 5 New Algorithm: Descent Phase

Once the logarithms of smoothness basis elements are known, we want to be able to compute the logarithm of an arbitrary element of the finite field. We wish to proceed using a descent approach similar to [11]. The basic idea is to first obtain a good representation of the desired element into a product of polynomials whose degrees are not too high. Then, proceeding recursively, we express the logarithms of those polynomials as sums of logarithms of polynomials of decreasing degree. Once we reach the polynomials of the smoothness basis, we are done.

In our context, we cannot, in general, use the preexisting method for this descent step. Yet, we first recall this method, discuss when it can be used and explain why we cannot use it generally. Then, we propose an alternative method that is more suited to the field representations we are using. This new method involves the resolution of bilinear multivariate systems of equations over \({\mathbb F}_{q^2}\). The resolution of such systems has been analyzed carefully in Spaenlehauer’s PhD thesis [15] and in [4].

### 5.1 Practical Preliminary Step

Before going into the descent itself, it is useful to start by finding a good representation of the element \(Z\) whose logarithm is desired. Initially, \(Z\) is expressed as a polynomial of degree up to \(k-1\) over \({\mathbb F}_{q^2}\). Assuming that \(g\) denotes a generator of \({\mathbb F}_{q^{2k}}\), we consider the decomposition of the polynomials that represent \(g^i Z\), until we find one which decomposes into elements of reasonably low degree. These lower degree elements are then processed by the descent step.

A classical improvement on this is to use a continued fraction algorithm to first express \(g^i Z\) as a quotient of two polynomials of degree at most \(k/2\).

This preliminary step gives no improvement on the asymptotic complexity of the descent phase.

### 5.2 Classical Descent Method

The classical descent technique as described in [11] and recalled in Sect. 2.2 is based on Special-Q sieving. More precisely, it creates relations in a linear subspace where by construction one side of the equation is divisible by the desired polynomial.

In the description of this method, we have two related variables \(X\) and \(Y\). The relations are constructed by considering bivariate polynomials \(h(X,Y)\), which can lead to relations of the form \(h(X,f_1(X))=h(f_2(Y),Y)\). To create a relation that involves a fixed polynomial \(\mathcal {Q}(X)\), we want to enforce the condition \(h(X,f_1(X))\equiv 0~(\mathrm{mod~ } \mathcal {Q}(X))\). This condition is equivalent to \(\deg (\mathcal {Q})\) linear equations on the coefficients of \(h\). When the basefield is not too small, to get enough equations, it suffices to build the polynomials \(h\) as linear combination of \(\deg (\mathcal {Q})+2\) monomials.

As seen in Sect. 2.2, this becomes less and less efficient as the degree of \(\mathcal {Q}\) decreases and the complexity is dominated by the lowest degree of \(\mathcal {Q}\) that we consider.

However, by itself, this method cannot descend to very low degrees which is a problem when we want to keep a small smoothness basis. As a consequence, we combine it with a newer method described below, which works better on low degree polynomials.

### 5.3 Bilinear System Based Descent

The question is thus to construct such polynomials \(k_1\) and \(k_2\). We remark that the condition that \((k_1(X)^qk_2(X)-k_1(X)k_2(X)^q)\mathrm{~mod~ }{\mathcal {I}(X)}\) vanishes modulo \(\mathcal {Q}\) can be rewritten as a quadratic system of multivariate equations over \({\mathbb F}_{q}\). In fact, this system is even bilinear, since each monomial that appear in it contains at most one unknown for each of \(k_1\) and \(k_2\). As a consequence, this system can be quite efficiently solved using a Gröbner basis algorithm. More precisely, consider each coefficient of \(k_1\) and \(k_2\) as a formal unknown belonging to the field of coefficients \({\mathbb F}_{q^2}\). If \(x\) is one of these unknowns, we express \(x\) as \(x_0+zx_1\), where \((1,z)\) is a polynomial basis for \({\mathbb F}_{q^2}\) over \({\mathbb F}_{q}\), \(x_0\) and \(x_1\) are unknowns belonging to \({\mathbb F}_{q}\). With this convention, we have \(x^q=x_0+z^qx_1\) and we can check that our polynomial system of equations is indeed bilinear over \({\mathbb F}_{q}\). This system contains \(\deg {\mathcal {Q}}\) equations over \({\mathbb F}_{q^2}\) which are rewritten as \(2\deg {\mathcal {Q}}\) equations over \({\mathbb F}_{q}\). Assuming \(k_1\) to be unitary, the maximal number of unknowns that can fit in \(k_1\) and \(k_2\) is \(2(\deg {k_1}+\deg {k_2}+1)\). However, due to the action of \(\mathrm{{PGL}}_2({\mathbb F}_{q})\), several distinct pairs \(k_1\), \(k_2\) yield the same polynomial for \((k_1(X)^qk_2(X)-k_1(X)k_2(X)^q).\) To avoid this issue, we need to fix at least one of the unknowns over \({\mathbb F}_{q^2}\) to an element of \({\mathbb F}_{q^2}-{\mathbb F}_{q}\). After this, the number of remaining unknowns over \({\mathbb F}_{q}\) is \(2(\deg {k_1}+\deg {k_2})\).

At this point, we need a new heuristic argument concerning the resulting system of equations. Namely, we require two important properties of the system that arise after fixing any additional unknowns to values. The resulting system is bilinear and its number of unknowns \(N\) is equal to its number of equations. We ask that with good probability this system should be zero-dimensional with at least one solution with values in the finite field \({\mathbb F}_{q}\). In order to apply this heuristic, we need at least one extra unknown over \({\mathbb F}_{q^2}\) that can be set to a random value. As a consequence, we require \(\deg {k_1}+\deg {k_2}\ge \deg {\mathcal {Q}}+1\).

Under this heuristic, we can analyze the cost of the bilinear descent by studying the complexity of solving one such system. The main result from [4, 15] is that this complexity is exponential in \(\min (\deg {k_1},\deg {k_2})\). For this reason, we do not use our descent strategy with balanced degrees \(\deg {k_1}\approx \deg {k_2})\), instead we let \(d=\deg {k_2}\) parametrize the smallest of the two degrees and fix \(\deg {k_1}=\deg {\mathcal {Q}}+1-d\).

We recall the complexity analysis given in [4, 15]:

### **Theorem 2** \([\)Corollary 3 from [4]\(]\)

## 6 Complexity Analysis

According to the heuristic argument of Sect. 4.1, the creation of the finite field representation runs in randomized polynomial time, just by trying random polynomials \(h_0\) and \(h_1\) of degree 2 (or higher constant degree). Similarly, the creation of the logarithms of linear and quadratic elements can be done in polynomial time. The dominating part of this initial creation of logarithms is dominated by the linear algebra required for the quadratic elements. Since we are solving \(q^2\) linear systems of dimension \(O(q^2)\) with \(O(q)\) entries per line, the total cost of this polynomial part is \(O(q^7)\) arithmetic operations. Note that for Kummer extensions, the number of linear systems is reduced to \(O(q)\), which lowers the cost to \(O(q^6)\).

A similar polynomial time behavior for computing the logarithms of the smoothness basis is also given in [5].

The rest of this section analyzes the descent phases which dominates the asymptotic cost of our algorithm.

### 6.1 Individual Logarithms

Of course stopping at polynomials of degree \(O(q^{1/2})\) is not enough to finish the computation. To continue the descent, we use the newer approach, starting from polynomials of degree \(\deg {\mathcal {Q}}= c_c\sqrt{q/\log {q}}\). We need to determine the value of the parameter \(d=\deg {k_2}\) introduced in Sect. 5.3. The left-hand side in the bilinear descent contains \(q+1\) polynomials of degree at most \(\deg {k_1}=\deg {\mathcal {Q}}+1-d\). The degree of the right-hand side is bounded by \(\deg {k_1}(\max (\deg {h_0},\deg {h_1})+1)\), i.e., by a small multiple of \(\deg {\mathcal {Q}}\), a solution of the system yields with heuristic constant probability a new equation relating the desired polynomial to polynomials of degree at most \(\deg {k_1}\). The total number of polynomials of degree between \(\deg {k_1}-d\) and \(\deg {k_1}\) after decomposing each side into irreducible polynomial is at most \(q+O(1)\). Note that the contribution of lower degree polynomials to the complexity is negligible, since the computation of their logarithms is deferred to a lower level of the computation tree, where they represent a tiny fraction of the polynomials to be addressed.

*Impact of more efficient algorithms to solve the bilinear systems.* It is important to remark that given an oracle (or efficient algorithm) to solve the bilinear systems, we could use a much faster descent from degree \(\deg {\mathcal {Q}}\) to \(\lceil (\deg {\mathcal {Q}}+1)/2\rceil \) at each step. In this case, the complexity would be dominated by the number of nodes in the descent tree, i.e. \(q^{\log {D}}\). Starting directly from \(\deg {\mathcal {Q}}=k-1\) would then give a **quasi-polynomial** complexity \(\exp (O(\log ^2{q})). \)

Moreover, this would get rid of the use of classical descent, together with the constraint of having \(q=p^\ell \), with \(\ell \ge 2\).

## 7 Remarks on the Special Case of \({\mathbb F}_{p^k}\), \(p\) and \(k\) Prime

## 8 A Couple of Experiments on Kummer Extensions in Characteristic \(2\)

For practical experiments, it is very convenient to use finite fields containing a subfield of adequate size and to chose an extension that can be represented with polynomials \(h_0\) and \(h_1\) of degree \(1\). In practice, this means choosing a Kummer or twisted Kummer extension, which also a reduction of the size of the smoothness basis by a nice factor. We recently announce two computation records that illustrate the algorithm described here in this context. For numerical details about these records, we refer the reader to [8, 9].

### 8.1 A Kummer Extension \({\mathbb F}_{256^{2\cdot 255}}\)

Our first example is representative of our algorithm in the special case of Kummer extension. More precisely, we let \(q=256\) and consider the finite field \({\mathbb F}_{q^{2k}}\), with \(k=q-1\).

In this computation, the most costly part is the linear algebra step for computing the discrete logarithms of approximately \(2^{22}\) quadratic polynomials. This is decomposed into \(129\) independent linear systems, one containing \(2^{14}\) elements and \(128\) with \(2^{15}\) elements. On average, these system contain 128 non-zero coefficients per line.

An initial phase of continued fractions reduced the problem to computed logarithms of polynomials of degree at most \(29\). The classical descent step was used to reduce this down to degree \(12\). The bilinear system approach permitted to conclude the computation.

The total cost of the individual logarithm was approximately one half of the cost of linear algebra. However, by using improved parameter choices (as in the next computation), it would be possible to reduce this by a large factor.

### 8.2 A Twisted Kummer Extension \({\mathbb F}_{256^{3\cdot 257}}\)

This second example is interesting because it shows that pairing-based cryptography over \({\mathbb F}_{2^{257}}\) cannot be secure. However, it is too specific to be representative, indeed, it crucially relies on the fact that \({\mathbb F}_{256^3}={\mathbb F}_{64^4}\).

The main specificity of this computation is a descent strategy, similar to the one presented in [6], that allows a descent from polynomials of degree \(2\) to polynomials of degree \(1\). This requires 3 conditions, the use of a Kummer or twisted Kummer extension, the replacement of the field of coefficients \({\mathbb F}_{q^2}\) by \({\mathbb F}_{q^3}\) and the use of two different polynomials to generate the systematic side of relations. Namely, we used both \(X^{256}+X\) and \((X^{64}+X)^4\).

As a direct consequence, the costly phase of generating quadratic polynomials as a whole is removed. Thus, the computation becomes dominated by the descent phase. Compared to the previous computation, this was largely optimized. Indeed, the cost of the descent in this computation is about \(1/10\) of the descent in the previous example.

## Footnotes

- 1.
Asymptotically, exhaustive search of good pairs is as efficient. However, using sieving improves things by a large constant factor.

- 2.
At this point, there is nothing really special with \({\mathbb F}_{q^2}\), it is just the smallest superfield of \({\mathbb F}_{q}\). A larger superfield would also work.

## Notes

### Acknowledgements

We acknowledge that the results in this paper have been achieved using the PRACE Research Infrastructure resource Curie based in France at TGCC, Bruyères-le-Chatel (project number 2011050868) and the PRACE Research Infrastructure resource Jugene/Juqueen based in Germany at the Jülich Supercomputing Centre (project number 2011050868).

## References

- 1.Adleman, L.M., Huang, M.-D.A.: Function field sieve method for discrete logarithms over finite fields. Inf. Comput.
**151**, 5–16 (1999). (Academic Press)CrossRefzbMATHMathSciNetGoogle Scholar - 2.Barbulescu, R., Bouvier, C., Detrey, J., Gaudry, P., Jeljeli, H., Thomé, E., Videau, M., Zimmermann, P.: Discrete logarithm in GF(\(2^{809}\)) with FFS. IACR Cryptol. ePrint Arch.
**2013**, 197 (2013)Google Scholar - 3.Coppersmith, D.: Fast evaluation of logarithms in fields of characteristic two. IEEE Trans. Inf. Theor.
**IT-30**(4), 587–594 (1984)Google Scholar - 4.Faugère, J.-C., Din, M.S.E., Spaenlehauer, P.-J.: Gröbner bases of bihomogeneous ideals generated by polynomials of bidegree (1,1): algorithms and complexity. J. Symbolic Comput.
**46**(4), 406–437 (2011)CrossRefzbMATHMathSciNetGoogle Scholar - 5.Göloglu, F., Granger, R., McGuire, G., Zumbrägel, J.: On the function field sieve and the impact of higher splitting probabilities: application to discrete logarithms in \({2^{1971}}\). IACR Cryptol. ePrint Arch.
**2013**, 74 (2013)Google Scholar - 6.Göloglu, F., Granger, R., McGuire, G., Zumbrägel, J.: Solving a 6120-bit DLP on a desktop computer. IACR Cryptol. ePrint Arch.
**2013**, 306 (2013)Google Scholar - 7.Huang, M.-D., Narayanan, A.K.: Finding primitive elements in finite fields of small characteristic. CoRR abs/1304.1206 (2013)Google Scholar
- 8.Joux, A.: Discrete logarithms in GF(\(2^{4080}\)). NMBRTHRY list, March 2013Google Scholar
- 9.Joux, A.: Discrete logarithms in GF(\(2^{6168}\)) = GF(\((2^{257})^{24}\)). NMBRTHRY list, May 2013Google Scholar
- 10.Joux, A.: Faster index calculus for the medium prime case application to 1175-bit and 1425-bit finite fields. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 177–193. Springer, Heidelberg (2013) CrossRefGoogle Scholar
- 11.Joux, A., Lercier, R.: The function field sieve in the medium prime case. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 254–270. Springer, Heidelberg (2006) CrossRefGoogle Scholar
- 12.Joux, A., Lercier, R., Smart, N.P., Vercauteren, F.: The number field sieve in the medium prime case. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 326–344. Springer, Heidelberg (2006) CrossRefGoogle Scholar
- 13.Panario, D., Gourdon, X., Flajolet, P.: An analytic approach to smooth polynomials over finite fields. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 226–236. Springer, Heidelberg (1998) Google Scholar
- 14.Semaev, I.: An algorithm for evaluation of discrete logarithms in some nonprime finite fields. Math. Comput.
**67**, 1679–1689 (1998)CrossRefzbMATHMathSciNetGoogle Scholar - 15.Spaenlehauer, P.-J.: Solving multi-homogeneous and determinantal systems Algorithms - Complexity - Applications. Ph.D. thesis, Université Pierre et Marie Curie (UPMC) (2012)Google Scholar