# Solving a \(6120\)-bit DLP on a Desktop Computer

## Abstract

In this paper we show how some recent ideas regarding the discrete logarithm problem (DLP) in finite fields of small characteristic may be applied to compute logarithms in some very large fields extremely efficiently. By combining the polynomial time relation generation from the authors’ CRYPTO 2013 paper, an improved degree two elimination technique, and an analogue of Joux’s recent small-degree elimination method, we solved a DLP in the record-sized finite field of \(2^{6120}\) elements, using just a single core-month. Relative to the previous record set by Joux in the field of \(2^{4080}\) elements, this represents a \(50\,\%\) increase in the bitlength, using just \(5\,\%\) of the core-hours. We also show that for the fields considered, the parameters for Joux’s \(L_Q(1/4 + o(1))\) algorithm may be optimised to produce an \(L_Q(1/4)\) algorithm.

### Keywords

Discrete logarithm problem; binary finite fields

## 1 Introduction

^{1}, where

Soon afterwards the present authors showed that in the context of binary fields (and more generally small characteristic fields), finding relations for the factor base can be *polynomial time* in the size of the field [6]. By extending the basic idea to eliminate degree two elements during the descent phase, for medium-sized base fields a heuristic complexity as low as \(L_Q(1/3,(4/9)^{1/3}) \approx L_Q(1/3,0.763)\) was achieved; this approach was demonstrated via the solution of a DLP in the field \(\mathbb F_{2^{1971}}\) [7], and in the field \(\mathbb F_{2^{3164}}\).

After the initial publication of [6], Joux released a preprint [12] detailing an algorithm for solving the discrete logarithm problem for fields of the form \(\mathbb F_{q^{2n}}\), with \(q = p^{\ell }\) and \(n \approx q\), which was used in the solving of a DLP in \(\mathbb F_{2^{1778}}\) [14], and later in \(\mathbb F_{2^{4080}}\) [15]. This algorithm has heuristic complexity \(L_Q(1/4 + o(1))\), and also has a heuristic polynomial time relation generation method, similar in principle to that in [6]. While the degree two element elimination in [6] is arguably superior, for other small degrees, Joux’s elimination method is faster, resulting in the stated complexity. Joux’s discrete logarithm computation in \(\mathbb F_{2^{4080}}\) [15] required about \(14,\!100\) core-hours: \(9,\!300\) core-hours for the computation of the logarithms of all degree one and two elements; and \(4,\!800\) core-hours for the descent step, i.e., for computing the logarithm of an arbitrary element. For this computation, the field \(\mathbb F_{2^{4080}}\) was represented as a degree \(255\) Kummer extension of \(\mathbb F_{2^{16}}\), i.e., \(\mathbb F_{(q^2)^{q-1}}\) with \(q = 2^8\), as per [12]. The use of Kummer extensions (with extension degree either \(q-1\) or \(q+1\)) gives a reduction in the size of the degree one and two factor base [11, 12, 17]; they are therefore preferable when it comes to setting record DLP computations.

The relation generation method in [6, Sect. 3.3] applies to larger base fields of the form \(\mathbb F_{q^{k}}\) with \(k \ge 3\) (rather than \(k = 2\)) and extension degrees up to \(n \approx q \delta _1\) with \(\delta _1 \ge 1\) a small integer. Hence the methods in this paper naturally apply to any extension degree. Note that this representation offers greater flexibility than Joux’s (which can represent extension degrees up to \(q + \delta '_{1}\)) for essentially the same algorithmic cost, and may therefore provide a more practical DLP break when small base fields need to be embedded into larger ones in order to apply the attacks. However, here we choose to focus on Kummer extensions of degree \(q \pm 1\), as these optimise the relation generation efficiency [6, Sect. 3.4] and the linear algebra step. While the two DLP breaks in the fields \(\mathbb F_{2^{1971}}\) and \(\mathbb F_{2^{3164}}\) contained therein did not fully exploit the above ‘extreme’ fields in which the extension degree is polynomially related to the size of the base field, thanks to Joux’s fast small-degree elimination method one can now do this more efficiently. Hence, with a view to solving the DLP in larger fields than before and in as short a time as possible, in this work we identify a family of fields for which the DLP is very easily solved, relative to other fields of a similar size. While this does not mean that other fields of a similar size are infeasible to break, finding the logarithms of the factor base elements requires more time in practice, with the complexities remaining the same.

One benefit of using base fields with \(k \ge 3\) is that there is an efficient probabilistic elimination technique for degree two elements [6, Sect. 4.1]. For any fixed \(k \ge 4\) the elimination probability very quickly tends to \(1\) for increasing \(q\). In this paper we present an improved technique which allows one to find the logarithm of degree two elements extremely fast, once the logarithms of all degree one elements are known. However, for \(k = 3\) the elimination probability is \(1/(2(\delta _1-1)!)\), or exactly \(1/2\) for \(\mathbb F_{2^{6120}} = \mathbb F_{(q^3)^{q-1}}\) with \(q=2^8\). Therefore the natural next choice is to set \(k = 4\) and solve a DLP in \(\mathbb F_{2^{8160}} = \mathbb F_{(q^4)^{q-1}}\). This would require solving a sparse linear system in \({\approx }\,4.2 \cdot 10^6\) variables, and a slightly more costly descent step. Instead of carrying out this computation, we devised a technique for the \(6120\)-bit case for which the elimination of each degree two element took only 0.03 s, and which required solving a much smaller linear system in \(21,\!932\) variables. This culminated in the resolution of a DLP in \(\mathbb F_{2^{6120}}\) in under \(750\) core-hours [8], which represents a \(50\,\%\) increase in bitlength over the previous record, whilst requiring just \(5\,\%\) of the computation time.

We note that the solving of DLPs in \(\mathbb F_{2^{6120}} = \mathbb F_{2^{24 \cdot 255}}\) renders insecure all pairing-based protocols based on supersingular curves of genus one and two over \(\mathbb F_{2^{255}}\), since the corresponding embedding degrees are \(4\) and \(12\) (in the best cases), respectively [1]. However, since \(255\) is not prime, such curves would not be recommended due to possible Weil descent attacks [5]. In any case, the Jacobians of the curves do not have prime or nearly prime order and so are not cryptographically interesting. As stated above, we could just as easily have solved the corresponding DLP with extension degree \(q + 1\) rather than \(q-1\), i.e., with extension degree \(257\) rather than \(255\). However, since the full factorisation of \(2^{6120}-1\) is known, we were able to use a proven generator and so for completeness we chose to solve this case^{2}.

Since our break of the DLP in \(\mathbb F_{2^{6120}}\) may be considered as a proof-of-concept implementation for our approach, at the time we were not overly concerned with the issue of complexity. Indeed, although the elimination times are reasonable and, as just noted, comparable to Joux’s elimination timings, further experimentation is needed to ascertain whether the performance is comparable for larger systems. However, one basic difference between the two approaches is that the quadratic systems which arise when using our analogue of Joux’s small-degree elimination method are not bilinear, and hence are not guaranteed to enjoy the same resolution complexity, as given in Spaenlehauer’s thesis [25, Corollary 6.30]. Therefore, we cannot currently argue that the heuristic complexity is the same. Nevertheless, we show that with a better choice of parameter and a tighter analysis, the final part of the descent in Joux’s \(L_Q(1/4 + o(1))\) algorithm may be improved to an \(L_Q(1/4)\) algorithm, for the fields we consider, i.e., those for which the extension degree is polynomially related to the size of the base field. Since the other phases of the algorithm have complexity \(L_Q(1/4)\), or lower, the overall complexity for solving the DLP is \(L_Q(1/4)\) as well.

The remainder of the paper is organised as follows. Section 2 explains our field setup and algorithm in detail. Section 3 covers the other essential algorithms and issues regarding the computation. Section 4 gives the details of a discrete logarithm computation in \(\mathbb F_{2^{6120}}\), while finally in Sect. 5 we briefly address the issue of complexity.

## 2 The Algorithm

The following describes the field setup and index calculus method that we use for our discrete logarithm computation.

### 2.1 Setup

We consider here Kummer extensions, which are our focus for efficiency reasons; the general case can be found in [6, Sect. 3.3] and is recalled in Sect. 5.

Let \(\ell ,k\) be positive integers, \(q := 2^{\ell }\), and \(n := q - 1\). We construct the finite field \(\mathbb F_{(q^k)^n}\) of bit length \(\ell k n = \ell k (q-1)\) in which we solve the DLP, as follows^{3}. As stated in the introduction, the case \(n := q + 1\) follows *mutatis mutandis*.

| \(k \setminus \ell \) | 6 | 7 | 8 | 9 |
|---|---|---|---|---|
| 3 | 1134 | 2667 | 6120 | 13797 |
| 4 | 1512 | 3556 | 8160 | 18396 |
| 5 | 1890 | 4445 | 10200 | 22995 |
| 6 | 2268 | 5334 | 12240 | 27594 |

In Sect. 4, we will give the details of the discrete logarithm computation when \(\ell k n = 6120\). The algorithm we explain in this section may be successfully applied to any of the above parameters with \(k \ge 4\), whereas for \(k = 3\) one would normally be required to precompute the logarithms of all degree two elements using a method analogous to Joux’s [12]. However, for \(k = 3\) and \(\ell = 8\), precomputation can be avoided entirely; see Sect. 4.4.

### 2.2 Factor Base and Automorphisms

The automorphism \(\sigma \) generates a group of order \(kn\), which acts on the set of \(q^k\) factor base elements, thus dividing the factor base into about \(N\) orbits, where \(N\approx \frac{q^k}{kn}\approx \frac{1}{k} q^{k - 1}\) is the number of variables to consider.

### 2.3 Relation Generation

**Theorem 1**

### 2.4 Individual Logarithms

After the logarithms of the factor base elements have been found, a general individual discrete logarithm can be computed, as is common, by a descent strategy. The basic idea of this method is to write an element, given by its polynomial representation over \(\mathbb F_{q^k}\), as a product in \(\mathbb F_{(q^k)^n}\) of factors represented by lower degree polynomials. By applying this principle recursively a descent tree is constructed, and one can eventually express a given target element as a product of factor base elements, thus solving the DLP.

While for large degree polynomials it is relatively easy to find an expression involving lower degree polynomials by a standard approach, this method becomes increasingly less efficient as the degree becomes smaller. In addition, the number of small degree polynomials in the descent tree grows significantly with lower degree. We therefore propose new methods for degree 2 elimination and small degree descent, which are inspired by the recent works [6] and [12] respectively.

**Degree 2 Elimination.** Given a polynomial \(Q(X) := X^2 + q_1 X + q_0 \in \mathbb F_{q^k}[X]\) we aim at expressing the corresponding finite field element \(Q(x) \in \mathbb F_{(q^k)^n}\) as a product of factor base elements. In essence, what we do is just the reverse of the degree one relation generation, with the polynomial \(g(X)\) set to be \(Q(X)\).

In particular, we compute – when possible – \(a, b, c \in \mathbb F_{q^k}\) such that, up to a multiplicative constant in \(\mathbb F_{q^k}^{\times }\), \(Q(x) = x^2 + q_1 x + q_0\) equals \(x^{q+1} + ax^{q} + bx + c\) where the polynomial \(X^{q+1} + aX^{q} + bX + c\) splits into linear factors (cf.[6, Sect. 4.1]).

Heuristically, for each of the above \(B\)’s the probability of success of this method, i.e., when an \(a\in \mathbb F_{q^k}\) as above exists, is \(1/2\). Note that if \(k = 3\) there is just one single \(B\) in the context of Theorem 1, and so this direct method fails in half of the cases. However, as noted earlier, this issue can be resolved under certain circumstances, e.g., for \(\ell = 8\); see Sect. 4.4.

**Small Degree Descent.** The following describes the Gröbner basis descent of Joux [12] applied in the context of the polynomials \(F_B(X) = X^{q+1} + BX + B\) of Theorem 1. Let \(f(X)\) and \(g(X)\) be polynomials over \(\mathbb F_{q^k}\) of degree \(\delta _f\) and \(\delta _g\) respectively. We substitute \(X\) by the rational function \(\frac{f(X)}{g(X)}\) and thus find that the polynomial

Now given a monic polynomial \(Q(X) \in \mathbb F_{q^k}[X]\) of degree \(2\delta \) (resp. \(2\delta -1\)) to be eliminated we consider the equation \(P(x) = Q(x)\) (resp. \(P(x) = (x+a) Q(x)\) with some random fixed \(a\in \mathbb F_{q^k}\)). It results as above in a quadratic system of \(\mathbb F_q\)-variables representing the coefficients of \(f(X)\) and \(g(X)\) in \(\mathbb F_{q^k}\), and can be solved by a Gröbner basis algorithm. In order to minimise the number of variables involved we set \(f(X)\) to be monic of degree \(\delta _f = \delta \) and \(g(X)\) of degree \(\delta _g = \delta -1\), resulting in \(k\delta + k\delta = 2k\delta \) variables in \(\mathbb F_q\). Since the number of equations to be satisfied equals \(2k\delta \) as well, we find a solution of this system with good probability.

**Large Degree Descent.** This part of the descent is somewhat classical (see [17] for example), but includes the degree balancing technique described in [6, Sect. 4], which makes the descent far more rapid when the base field \(\mathbb F_{q^k}\) is a degree \(k\) extension of a non-prime field. In the finite field \(\mathbb F_{(q^k)^n}\) we let \(y := x^q\) and \(\bar{x} := x^{2^{\ell -a}}\) for some suitably chosen integer \(1 < a < k\). Then \(y = \bar{x}^{2^a}\) and \(\bar{x} = (\frac{y}{\gamma })^{2^{\ell -a}}\) holds. Now for given \(Q(X)\in \mathbb F_{q^k}[X]\) of degree \(d\) representing \(Q(y)\) we consider the lattice

## 3 Other Essentials

In this section we give an explicit account of further basics required for a discrete logarithm computation.

### 3.1 Factorisation of the Group Order

### 3.2 Pohlig-Hellman and Pollard’s Rho Method

In order to compute a discrete logarithm in a group \(G\) of order \(m\) we can use any factorisation \(m = m_1 \cdot \ldots \cdot m_r\) into pairwise coprime factors \(m_i\) and compute the discrete log modulo each factor. Indeed, if we are to compute \(z = \log _\alpha \beta \) it suffices to compute \(\log _{\alpha ^{c_i}}\beta ^{c_i}\) with \(c_i = m/m_i\), which determines \(z \bmod m_i\). From \(z \bmod m_i\) for all \(i\) one easily determines \(z \pmod m\) by the Chinese Remainder Theorem.

For the small prime (power) factors of \(m\) we use Pollard’s rho method to compute the discrete logarithm modulo each factor. Regarding the large factors of \(m\) we find it most efficient to combine them into a single product \(m_*\), so that in the linear algebra step of the index calculus method we work over the ring \(\mathbb Z_{m_*}\). Note that each iteration of the Lanczos method that we use for the linear algebra problem requires the inversion of a random element in \(\mathbb Z_{m_*}\); this is the reason why we separate the small factors of the group order from the large ones.
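The following added example (our own illustration, not the authors' code) carries out the reduction just described in a toy group: the logarithm is computed modulo each of several pairwise coprime factors of the group order and the results are recombined by the Chinese Remainder Theorem. The group \(\mathbb Z_{1009}^{\times}\), the factorisation \(1008 = 16 \cdot 9 \cdot 7\), and the target \(777\) are constructed parameters chosen for this example; the per-factor logarithms are found by baby-step giant-step rather than by Pollard's rho, and any factor may itself be composite, in the same way that the paper combines the large factors into a single product \(m_*\).

```python
# Added example (not the authors' code): Pohlig-Hellman in a cyclic group of
# order m = m_1 * ... * m_r with pairwise coprime m_i, recombined by the
# Chinese Remainder Theorem, as described in Sect. 3.2.  The toy group is
# Z_p^* for a small prime p with smooth p - 1; each per-factor logarithm is
# found by baby-step giant-step (the paper uses Pollard's rho for the small
# factors and sparse linear algebra for the product m_* of the large ones, but
# the reduction and the CRT recombination are the same).
from math import gcd, isqrt


def bsgs(alpha, beta, order, p):
    """The z in [0, order) with alpha^z = beta (mod p), or None.
    alpha is assumed to have the given order in Z_p^*."""
    m = isqrt(order) + 1                # m^2 > order, so i*m + j covers [0, order)
    baby = {}
    g = 1
    for j in range(m):                  # baby steps: alpha^j -> j
        baby.setdefault(g, j)
        g = g * alpha % p
    stride = pow(alpha, -m, p)          # giant step multiplies by alpha^(-m)
    gamma = beta % p
    for i in range(m):
        if gamma in baby:               # beta * alpha^(-i*m) = alpha^j
            return (i * m + baby[gamma]) % order
        gamma = gamma * stride % p
    return None


def crt(residues, moduli):
    """Combine z = r_i (mod m_i), m_i pairwise coprime, into z mod prod(m_i)."""
    z, mod = 0, 1
    for r, mi in zip(residues, moduli):
        k = (r - z) * pow(mod, -1, mi) % mi   # z + mod*k = r (mod mi)
        z += mod * k
        mod *= mi
    return z % mod


def pohlig_hellman(alpha, beta, factors, p):
    """log_alpha(beta) in Z_p^*, where alpha generates a group of order
    m = prod(factors) and the factors are pairwise coprime.  A factor may be
    composite, like the paper's m_*; only coprimality is required."""
    m = 1
    for f in factors:
        m *= f
    for i, a in enumerate(factors):
        for b in factors[i + 1:]:
            if gcd(a, b) != 1:
                raise ValueError("factors must be pairwise coprime")
    residues = []
    for mi in factors:
        ci = m // mi
        # alpha^ci has order mi; log_{alpha^ci}(beta^ci) is z mod mi
        zi = bsgs(pow(alpha, ci, p), pow(beta, ci, p), mi, p)
        if zi is None:
            raise ValueError("beta is not a power of alpha")
        residues.append(zi)
    return crt(residues, factors)


P = 1009                 # constructed toy prime: p - 1 = 1008 = 2^4 * 3^2 * 7
FACTORS = [16, 9, 7]     # a pairwise coprime factorisation of the group order


def primitive_root(p, prime_divisors):
    """Smallest generator of Z_p^*, given the distinct primes dividing p - 1."""
    for g in range(2, p):
        if all(pow(g, (p - 1) // r, p) != 1 for r in prime_divisors):
            return g


def demo(target=777):
    """Return (generator, z) with generator^z = target in Z_P^*."""
    g = primitive_root(P, [2, 3, 7])
    return g, pohlig_hellman(g, target, FACTORS, P)


if __name__ == "__main__":
    g, z = demo()
    print(f"log_{g}(777) mod {P - 1} = {z}; check: {pow(g, z, P)}")
```

Passing `[16, 63]` instead of `[16, 9, 7]` gives the same answer, which is the situation in the paper: the small prime powers are handled separately while the remaining factors are lumped into one modulus, because the linear algebra needs to invert random elements modulo that product.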

### 3.3 Linear Algebra

The relation generation phase of the index calculus method produces linear relations among the logarithms of the factor base elements. As the factor base logs are also related by the automorphism group as explained in Sect. 2.2, the number \(N\) of variables is reduced and the linear relations have coefficients which are powers of \(2\). Once \(M > N\) relations have been generated we have to find a nonzero solution vector for the linear system. To ensure that the matrix is of maximal rank \(N-1\) we generate \(M \approx N + 100\) relations. As noted earlier the number of variables \(N\) is expected to be about \(\frac{q^k}{kn}\approx \frac{1}{k} q^{k - 1}\).

We let \(B\) be the \(M\times N\) matrix of the relations’ coefficients, which is a matrix of constant row-weight \(q + 3\). We have to find a nonzero vector \(v\) of length \(N\) such that \(Bv = 0\) modulo \(m_*\), the product of the large prime factors of the group order \(m\). A common approach in index calculus algorithms is to reduce the matrix size at this stage by using a structured Gaussian elimination (SGE) method. In our case, however, the matrix is not extremely sparse while its size is quite moderate, hence the expected benefit from SGE would be minimal and we refrained from this step.

### 3.4 Target Element

## 4 Discrete Logarithms in \(\mathbb F_{2^{6120}}\)

The relation generation for degree one elements took 15 s^{4}. The corresponding linear algebra took 60.5 core-hours.

In contrast to [12, 15], we computed the logarithm of degree 2 irreducibles on the fly; each took on average 0.03 s.

The descent was designed so as to significantly reduce the number of bottleneck (degree 6) eliminations. As a result, the individual logarithm phase took just under 689 core-hours.

### 4.1 Setup

We first defined \(\mathbb F_{2^8}\) using the irreducible polynomial \(T^8 + T^4 + T^3 +T + 1\). Letting \(t\) be a root of this polynomial, we defined \(\mathbb F_{2^{24}} / \mathbb F_{2^8}\) using the irreducible polynomial \(W^3 + t\). Letting \(w\) be a root of this polynomial, we finally defined \(\mathbb F_{2^{6120}} / \mathbb F_{2^{24}}\) using the irreducible polynomial \(X^{255} + w + 1\), where we denote a root of this polynomial by \(x\).

We chose as a generator \(g = x + w\), which has order \(2^{6120} - 1\); this was proven via the prime factorisation of \(2^{6120}-1\), which is provided in [8]. As usual, the target element was set to be \(\beta _\pi \) as explained in Sect. 3.4.

### 4.2 Relation Generation

Our factor base is simply the set of degree one elements of \(\mathbb F_{2^{6120}} / \mathbb F_{2^{24}}\). As detailed in Sect. 2.2, quotienting out by the action of the \(8\)-th power of Frobenius produces \(21,\!932\) distinct orbits. To obtain relations, as explained in Sect. 2.3, we make essential use of the single polynomial \(X^{257} + X + 1\), which splits completely over \(\mathbb F_{2^{24}}\). In particular, letting \(y := x^{256}\) so that \(x = \frac{y}{w+1}\), the \(\mathbb F_{2^{6120}}\) element \(xy + ay + bx + c\) corresponds to \(X^{257} + aX^{256} + bX + c\) on the one hand, and \(\frac{X^2}{w+1} + aX + \frac{bX}{w+1} + c\) on the other. The first of these transforms to \(X^{257} + X + 1\) if and only if \((a^{256} + b)^{257} = (a b + c)^{256}\). So for randomly chosen \((a,b)\) we compute \(c\) and check whether the corresponding quadratic splits. If it does – which occurs with probability \(1/2\) – we obtain a relation. Thanks to the simplicity of this approach, we collected \(22,\!932\) relations and wrote these to a matrix in \(15\) s using C++/NTL [24].
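The following added example (our own illustration, not the authors' NTL code) builds the field tower of Sect. 4.1 in pure Python and runs the relation test of Sect. 4.2: it checks that \(W^3 + t\) is irreducible over \(\mathbb F_{2^8}\), computes for random \((a,b)\) the \(c\) with \((a^{256}+b)^{257} = (ab+c)^{256}\), and tests whether the quadratic \(y^2 + (a(w+1)+b)\,y + c(w+1)\) splits over \(\mathbb F_{2^{24}}\). The splitting test used here (checking \(X^{2^{24}} \equiv X\) modulo the quadratic by repeated squaring) and the fixed random seed are this example's own choices; the random \((a,b)\) pairs are constructed inputs.

```python
# Added example (not the authors' code): the field tower of Sect. 4.1 and the
# degree-one relation test of Sect. 4.2 in pure Python.
#   F_{2^8}  = F_2[T]/(T^8+T^4+T^3+T+1): ints 0..255, t = 0x02
#   F_{2^24} = F_{2^8}[W]/(W^3+t): triples (c0, c1, c2) = c0 + c1*w + c2*w^2
# In F_{2^6120} = F_{2^24}[X]/(X^255+w+1) we have x^255 = w+1, so y := x^256
# equals (w+1)x.  For a, b in F_{2^24} and the c with (a^256+b)^257 = (ab+c)^256,
# the element x^257 + a x^256 + b x + c is a product of 257 degree-one elements
# (its polynomial is X^257+X+1 up to scaling, which splits over F_{2^24}); it
# also equals (y^2 + (a(w+1)+b) y + c(w+1)) / (w+1), so whenever this quadratic
# in y splits, both sides are products of factor base elements: a relation.
import random

MOD8 = 0x11B           # T^8 + T^4 + T^3 + T + 1 (the Rijndael polynomial)
T = 0x02               # t, a root of that polynomial


def mul8(a, b):
    """Multiplication in F_{2^8}: carry-less product reduced modulo MOD8."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MOD8
        b >>= 1
    return r


def pow8(a, e):
    r = 1
    while e:
        if e & 1:
            r = mul8(r, a)
        a = mul8(a, a)
        e >>= 1
    return r


def w3_plus_t_is_irreducible():
    """W^3 + t is irreducible over F_{2^8} iff t has no cube root there,
    i.e. iff t^((2^8-1)/3) = t^85 != 1 (the cubes form the index-3 subgroup)."""
    return pow8(T, 85) != 1


# --- F_{2^24} as F_{2^8}[W]/(W^3 + t); elements are tuples (c0, c1, c2) ---
ZERO, ONE = (0, 0, 0), (1, 0, 0)
W = (0, 1, 0)
W_PLUS_1 = (1, 1, 0)


def add24(x, y):
    return (x[0] ^ y[0], x[1] ^ y[1], x[2] ^ y[2])


def mul24(x, y):
    a0, a1, a2 = x
    b0, b1, b2 = y
    # w^3 = t and w^4 = t*w (characteristic 2, so no signs to track)
    c0 = mul8(a0, b0) ^ mul8(T, mul8(a1, b2) ^ mul8(a2, b1))
    c1 = mul8(a0, b1) ^ mul8(a1, b0) ^ mul8(T, mul8(a2, b2))
    c2 = mul8(a0, b2) ^ mul8(a1, b1) ^ mul8(a2, b0)
    return (c0, c1, c2)


def pow24(x, e):
    r = ONE
    while e:
        if e & 1:
            r = mul24(r, x)
        x = mul24(x, x)
        e >>= 1
    return r


def quadratic_splits(u, v):
    """Does X^2 + uX + v split over F_{2^24}?  If u = 0 it is (X + sqrt(v))^2.
    Otherwise it is squarefree and splits iff X^(2^24) == X modulo it, which
    we get by squaring X 24 times in F_{2^24}[X]/(X^2+uX+v), using
    (p0 + p1 X)^2 = p0^2 + p1^2 X^2 = (p0^2 + p1^2 v) + (p1^2 u) X."""
    if u == ZERO:
        return True
    p0, p1 = ZERO, ONE
    for _ in range(24):
        s0, s1 = mul24(p0, p0), mul24(p1, p1)
        p0, p1 = add24(s0, mul24(s1, v)), mul24(s1, u)
    return (p0, p1) == (ZERO, ONE)


def c_from_ab(a, b):
    """The unique c with (a^256 + b)^257 = (ab + c)^256: take the 256-th root
    by raising to 2^16, since x^(2^24) = x in F_{2^24}."""
    rhs = pow24(pow24(add24(pow24(a, 256), b), 257), 1 << 16)
    return add24(rhs, mul24(a, b))


def relation_exists(a, b):
    """True iff (a, b, c) yields a relation, i.e. the quadratic in y splits."""
    c = c_from_ab(a, b)
    u = add24(mul24(a, W_PLUS_1), b)
    v = mul24(c, W_PLUS_1)
    return quadratic_splits(u, v)


def count_relations(trials, seed=1):
    """Number of relations found from `trials` constructed random (a, b) pairs."""
    rng = random.Random(seed)
    rand = lambda: (rng.randrange(256), rng.randrange(256), rng.randrange(256))
    return sum(relation_exists(rand(), rand()) for _ in range(trials))


if __name__ == "__main__":
    print("W^3 + t irreducible:", w3_plus_t_is_irreducible())
    print("relations from 200 trials:", count_relations(200))
```

Roughly half of the trials yield a relation, matching the probability stated above. This example stops at the splitting test; it does not factor the degree-257 side (all of whose roots lie in \(\mathbb F_{2^{24}}\)) or reduce the \(2^{24}\) degree-one elements to the \(21,\!932\) Frobenius orbits that the authors use as unknowns.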

### 4.3 Linear Algebra

We took as our modulus the product of the largest \(35\) factors of \(2^{6120}-1\) listed in [8], which has bitlength \(5121\). We ran a parallelised C/GMP [9] implementation of Lanczos’ algorithm on four of the Intel (Westmere) Xeon E5650 hex-core processors of ICHEC’s SGI Altix ICE 8200EX Stokes cluster. This took 60.5 core-hours (just over 2.5 h wall time).

### 4.4 Individual Logarithm

**Degree 2 Elimination.** For computing the discrete logarithm of a degree two element \(Q(x) = x^2 + q_1 x + q_0\) we try to equate \(Q(x)\) with \(x^{257} + a x^{256} + b x + c\), where \((a^{256} + b)^{257} = (a b + c)^{256}\). If this fails we apply the following strategy, making use of the fact that \(\mathbb F_{2^{24}}\) can also be viewed as a field extension of \(\mathbb F_{2^6}\). We consider \(y = x^{256}\) and \(\bar{x} = x^4\), so that \(y = \bar{x}^{64}\) and \(\bar{x} = (\frac{y}{\gamma })^4\) holds, and apply the large degree descent method to \(\bar{Q}(X) := Q(\frac{X}{\gamma })\) (note that \(\bar{Q}(y) = Q(x)\)). Considering the lattice \(L\) (see Sect. 2.4) we construct a basis of the form \((X+u_0, u_1)\), \((v_0, X+v_1)\), where \(u_0, u_1, v_0, v_1\in \mathbb F_{2^{24}}\). Then for \(s \in \mathbb F_{2^{24}}\) we have lattice elements \((X + u_0 + sv_0, sX + u_1 + sv_1)\in L\). Now for each \(B\in \mathbb F_{2^{24}}\) such that \(X^{65} + B X + B\) splits, we solve for \(s\in \mathbb F_{2^{24}}\) satisfying

The polynomial \(X^5 + bX^4 + a\gamma ^4X + c\gamma ^4 = \bar{Q}(X) R(X)\) has the property that \(R(X)\) always factors into a linear and an irreducible quadratic polynomial over \(\mathbb F_{q^k}\). Indeed, by a result of Bluher [2, Theorem 4.3], for any \(B\in \mathbb F_{2^{24}}\) and any \(d\ge 1\), the number of roots in \(\mathbb F_{2^{24d}}\) of the polynomial \(F_B(X) = X^5 + BX + B\) equals either \(0\), \(1\), \(2\), or \(5\). Since \(X^5 + bX^4 + a\gamma ^4X + c\gamma ^4\) can be rewritten as \(X^5 + BX + B\) via a linear transformation (except when \(a \gamma ^4 = b^4\)), the same holds also regarding the \(\mathbb F_{2^{24d}}\)-roots of this polynomial. Now applying Bluher’s result for \(d=1\) we see that \(R(X)\) cannot split into linear factors, and by Bluher’s result for \(d=3\) we conclude that \(R(X)\) cannot be irreducible. Hence, \(R(X)\) is the product of a linear and a quadratic polynomial, which we call \(Q'(X)\).

Now if \(Q'(X)\) is resolvable by the direct method, we have successfully eliminated the original polynomial \(Q(X)\). The number of \(B\) such that \(X^{65} + B X + B\) splits over \(\mathbb F_q\) equals \(64\), according to Theorem 1, and by experiment, for each one the success probability to find a resolvable polynomial \(Q'(X)\) is about \(0.4\).

**Performing the Descent.** Using C++/NTL we first used continued fractions to express the target element \(\beta _\pi \) as a ratio of two 27-smooth polynomials, which took 10 core-hours, and then we applied the three different descent strategies as explained in Sect. 2.4.

We used the large degree descent strategy to express all of the featured polynomials using polynomials of degree 6 or less. This took a further 495 core-hours. While we could have performed this part of the descent more efficiently, as noted above we opted to find expressions which resulted in a relatively small number of degree 6 polynomials – which are the bottleneck eliminations for the subsequent descent – namely 326.

For degrees 6 down to 3 we used the analogue of Joux’s small degree elimination method, based on the same polynomial that we used for relation generation, i.e., \(X^{257} + X + 1\), rather than the polynomial \(X^{256} + X\) that was used in [15], since the resulting performance was slightly better. Finally, we performed the degree 2 elimination as outlined above.

For convenience we coded the eliminations of polynomials of degrees 6 down to 2 in Magma [3] V2.16-12, using Faugère’s F4 algorithm [4]. The total time for this part was just over 183.5 core-hours on a 2 GHz AMD Opteron computer.

For the logarithm modulo the cofactor of our modulus we used either linear search or Pollard’s rho method, which took 20 min in total in C++/NTL. Thus the total time for the descent was just under 689 h.

^{5}that \(\beta _\pi = g^\mathrm{log}\), with \(\mathrm{log} =\)

### 4.5 Total Running Time

The total running time is \(689 + 60.5 = 749.5\) core-hours. Note that most of the computation (all except the linear algebra part) was performed on a personal computer. On a modern quad-core PC, the total running time would be around a week.

## 5 Complexity Considerations

In this section we prove a tighter complexity result than that given in [12] for the new small-degree stage of the descent. As stated in Sect. 1, the systems arising from the small-degree elimination in Sect. 2.4 are quadratic, but not bilinear. As such, they do not necessarily enjoy the same resolution complexity as bilinear quadratic systems, as given by a theorem due to Spaenlehauer [25, Corollary 6.30]. However, if one instead reverts to using the polynomial \(X^q - X\), then one can argue as follows.

Let the fields under consideration be \(\mathbb F_{(q^k)^n}\), with \(k \ge 3\) fixed, \(n \approx q \delta _1\) and \(\delta _1 \ge 1\) a small integer, as per the field representation described in [6, Sect. 3.3], and \(q \rightarrow \infty \). This is achieved by finding a polynomial \(p_1\) of degree \(\delta _1\) such that \(p_1(X^q) - X \equiv 0 \pmod {I(X)}\), with \(I(X)\) irreducible of degree \(n\). By letting \(x\in \mathbb F_{(q^k)^n}\) be a root of \(I(X)\) and \(y := x^q\), one also has \(x = p_1(y)\), and therefore two related representations of \(\mathbb F_{(q^k)^n}\).

The degree of the RHS of Eq. (2) depends on the representation of the field \(\mathbb F_{(q^k)^n}\). Recall that in Joux’s field representation, one has \(h_0(X)\), \(h_1(X)\) of very low degree \(\delta _{h_0}\), \(\delta _{h_1}\) such that \(h_1(X)X^q - h_0(X) \equiv 0 \pmod {I(X)}\), with \(I(X)\) irreducible of degree \(n\) and \(n \approx q\). Now on the RHS of Eq. (2) one replaces each occurrence of \(x^q\) by \(h_0(x)/h_1(x)\), and thus the cofactor of \(Q(x)\) on the RHS has degree \((D-d) (\max \{\delta _{h_0}, \delta _{h_1}\}-1)\). For each solution to the bilinear quadratic system, it is tested for \((D-d)\)-smoothness, and when it is, one has successfully represented \(Q(x)\) as a product of at most \(q\) field elements of degree at most \(D-d\) (ignoring the negligible number of factors from the cofactor).

By repeating the above elimination technique recursively for each element occurring in the product until only degree one or degree two elements remain, the logarithm of \(Q(x)\) is computed. So what is the optimal \(d\)? Joux’s analysis [12] indicates that \(d = O(q^{1/4} (\log q)^{1/2})\) should be used, giving an overall complexity of \(\exp \big ((c' + o(1)) \, q^{1/4} (\log q)^{3/2}\big )\) for some \(c'\), which is \(L_{q^{kq}}(1/4 + o(1),c')\), due to the presence of the extra \((\log q)^{1/2}\) factor, relative to Eq. (1).

**Lemma 1**

Moreover, exactly the same argument shows that \(C(\alpha _j q^{1/2^j}, \alpha _{j+1} q^{1/2^{j+1}}) = L_{q^{kq}}(1/2^{j+1})\), and so the cost of expressing each of the \(L_{q^{kq}}(1/4)\) degree \(\alpha _2 q^{1/4}\) elements in terms of elements of degree \(\alpha _3 q^{1/8}\) is \(L_{q^{kq}}(1/8)\), and therefore for any \(j > 1\) the total cost down to degree \(\alpha _j q^{1/2^j}\) never exceeds \(L_{q^{kq}}(1/4)\). After \(j = \lceil \log _2 \log _2 q \rceil \) of the above sequence of steps we have \(\lfloor q^{1/2^j} \rfloor = 1\), and the total cost is precisely that given in Eq. (3).

As the complexity of the initial splitting of a target element into a product of elements of degree at most \(\alpha _0 q^{3/4}\) is \(L_{q^{kq}}(1/4)\), as is the complexity of classical descent from degree \(\alpha _0 q^{3/4}\) to degree \(\alpha _1 q^{1/2}\), the above tighter analysis demonstrates that for the fields considered, Joux’s algorithm has complexity \(L_{q^{kq}}(1/4)\) as well, for both his and our field representations. We have omitted the determination of the optimal parameters \(\alpha _0\) and \(\alpha _1\), since this is beyond our focus on proving that the full algorithm is \(L(1/4)\).

## Footnotes

- 1.
Following recent communications [13], the complexity may in fact be \(L_Q(1/3, 2^{1/3})\).

- 2.
Forty days after the announcement of our full DLP break in \(\mathbb F_{2^{6120}} = \mathbb F_{2^{24 \cdot 255}}\) [8] – and after the submission of this paper – Joux announced a break of the DLP in a \(1843\)-bit subgroup of \(\mathbb F_{2^{6168}}^{\times } = \mathbb F_{2^{24 \cdot 257}}^{\times }\), using a nearly identical degree two elimination technique and the same descent parameters, in under \(550\) core-hours [16]. Noting that the logarithms were not computed in the full multiplicative group and that this computation was performed on faster processors, it is clear that the number of our core-hours and Joux’s are comparable. In this case too the corresponding Jacobians do not have prime or nearly prime order.

- 3.
Our choice of representation of the finite field \(\mathbb F_{(q^k)^n}\) will be advantageous for our method to solve the DLP. Note that it is a computationally easy problem to switch between two different representations of a finite field [22].

- 4.
In our initial announcement [8] we stated a running time of 60 s for the relation generation. The reason for this higher running time was an unnecessary step of ordering the matrix entries, which we have discounted here.

- 5.
Magma verification code for this solution is available from [8].

### References

- 1. Barreto, P.S.L.M., Galbraith, S.D., Ó hÉigeartaigh, C., Scott, M.: Efficient pairing computation on supersingular abelian varieties. Des. Codes Cryptogr. **42**(3), 239–271 (2007)
- 2. Bluher, A.W.: On \(x^{q+1}+ax+b\). Finite Fields Appl. **10**(3), 285–305 (2004)
- 3. Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system. I. The user language. J. Symbolic Comput. **24**(3–4), 235–265 (1997)
- 4. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases \((F_4)\). J. Pure Appl. Algebra **139**(1–3), 61–88 (1999)
- 5. Gaudry, P., Hess, F., Smart, N.P.: Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptol. **15**(1), 19–46 (2002)
- 6. Göloğlu, F., Granger, R., McGuire, G., Zumbrägel, J.: On the function field sieve and the impact of higher splitting probabilities: application to discrete logarithms in \({\mathbb{F}}_{2^{1971}}\) and \({\mathbb{F}}_{2^{3164}}\). In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 109–128. Springer, Heidelberg (2013)
- 7. Göloğlu, F., Granger, R., McGuire, G., Zumbrägel, J.: Discrete Logarithms in \(GF(2^{1971})\). NMBRTHRY list, 19 Feb 2013
- 8. Göloğlu, F., Granger, R., McGuire, G., Zumbrägel, J.: Discrete Logarithms in \(GF(2^{6120})\). NMBRTHRY list, 11 Apr 2013
- 9. Granlund, T., The GMP development team: GNU MP: The GNU Multiple Precision Arithmetic Library, 5.0.5 edn. http://gmplib.org/ (2012)
- 10. Helleseth, T., Kholosha, A.: \(x^{2^l+1}+x+a\) and related affine polynomials over \(GF(2^k)\). Cryptogr. Commun. **2**(1), 85–109 (2010)
- 11. Joux, A.: Faster index calculus for the medium prime case. Application to 1175-bit and 1425-bit finite fields. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 177–193. Springer, Heidelberg (2013)
- 12. Joux, A.: A new index calculus algorithm with complexity \(L(1/4+o(1))\) in very small characteristic. Cryptology ePrint Archive, Report 2013/095. http://eprint.iacr.org/ (2013)
- 13. Joux, A.: Personal communication (2013)
- 14. Joux, A.: Discrete Logarithms in \(GF(2^{1778})\). NMBRTHRY list, 11 Feb 2013
- 15. Joux, A.: Discrete Logarithms in \(GF(2^{4080})\). NMBRTHRY list, 22 Mar 2013
- 16. Joux, A.: Discrete Logarithms in \(GF(2^{6168})\). NMBRTHRY list, 21 May 2013
- 17. Joux, A., Lercier, R.: The function field sieve in the medium prime case. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 254–270. Springer, Heidelberg (2006)
- 18. LaMacchia, B.A., Odlyzko, A.M.: Solving large sparse linear systems over finite fields. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 109–133. Springer, Heidelberg (1991)
- 19. Lanczos, C.: An iteration method for the solution of the eigenvalue problem of linear differential and integral operators. J. Res. Nat. Bur. Stan. **45**, 255–282 (1950)
- 20. Lenstra, A.K., Lenstra Jr., H.W. (eds.): The Development of the Number Field Sieve. LNM, vol. 1554. Springer, Heidelberg (1993)
- 21. Lenstra Jr., H.W.: Factoring integers with elliptic curves. Ann. Math. (2) **126**(3), 649–673 (1987)
- 22. Lenstra Jr., H.W.: Finding isomorphisms between finite fields. Math. Comp. **56**(193), 329–347 (1991)
- 23. Popovyan, I.: Efficient parallelization of Lanczos type algorithms. Cryptology ePrint Archive, Report 2011/416. http://eprint.iacr.org/ (2011)
- 24. Shoup, V.: NTL: A library for doing number theory, 5.5.2 edn. http://www.shoup.net/ntl/ (2009)
- 25. Spaenlehauer, P.J.: Solving multihomogeneous and determinantal systems: algorithms, complexity, applications. Ph.D. thesis, Université Pierre et Marie Curie (UPMC) (2012)