The Tower Number Field Sieve
Abstract
The security of pairing-based cryptosystems relies on the difficulty of computing discrete logarithms in finite fields \({\mathbb F}_{p^n}\) where n is a small integer larger than 1. The state-of-the-art algorithm is the number field sieve (NFS) together with its many variants. When p has a special form (SNFS), as in many pairing constructions, NFS has a faster variant due to Joux and Pierrot. We present a new NFS variant for SNFS computations, which is better for some cryptographically relevant cases, according to a precise comparison of norm sizes. The new algorithm is an adaptation of Schirokauer's variant of NFS based on tower extensions, for which we give a middlebrow presentation.
Keywords: Discrete logarithm, Number field sieve, Pairings
1 Introduction
In 2006 Joux, Lercier, Smart and Vercauteren [21] presented a new variant of NFS which applies to all finite fields \({\mathbb F}_{p^n}\) with \(p=L_Q(\alpha ,c)\) for some \(\alpha \ge 1/3\) and \(c>0\), the JLSV algorithm. When \(\alpha >2/3\), their variant has complexity \(L_Q(1/3,\root 3 \of {{64}/{9}})\). The question of extending TNFS to arbitrary finite fields became obsolete, because, in case of a positive answer, it would have the same complexity as the JLSV algorithm.
In 2013 Joux and Pierrot [22] designed another variant of NFS which applies to non-prime fields \({\mathbb F}_{p^n}\) where p is an SNFS prime. Their algorithm has complexity \(L_Q(1/3,\root 3 \of {{32}/{9}})\), which is the same as that of Semaev's SNFS algorithm for prime fields [35]. It shows that the pairing-based cryptosystems which use primes of a special form are more vulnerable to NFS attacks than the general ones. With this SNFS algorithm, the second question of Schirokauer lost its appeal as well, because this is the complexity that one can expect if Schirokauer's algorithm can be adapted when p is an SNFS prime.
In 2014 Barbulescu, Gaudry, Guillevic and Morain improved the algorithm in [21] and set a record computation in a field \({\mathbb F}_{p^2}\) of 180 decimal digits. However, since their improvements do not apply to SNFS fields and since the algorithm of Joux and Pierrot was never implemented, it is important to find a practical algorithm for this case.
In this work, we wish to rehabilitate Schirokauer’s TNFS algorithm. First, we show that indeed, the heuristic complexity carries over to the expected range of finite fields. In order to make this analysis, we restate the original TNFS with less technicalities than in the original presentation, taking advantage of tools that were invented later (virtual logarithms).
We also show that for extension fields based on SNFS primes, the complexity of TNFS drops as expected to \(L_Q(1/3,\root 3 \of {{32}/{9}})\).
Finally, going beyond the asymptotic formulae, we compute estimates that strongly suggest that TNFS is currently the most efficient algorithm for solving discrete logarithms in small degree extensions of SNFS prime fields, like the ones arising naturally in several pairing constructions.
Outline. After a brief description of Schirokauer's TNFS algorithm in Sect. 2, we present it with sufficiently many details to get a proper asymptotic analysis in Sect. 3. In Sect. 4, several variants are described and analyzed, in particular the SNFS variant. This is followed, in Sect. 5, by more precise estimates for cryptographically relevant sizes and comparisons with other methods. Further technicalities about TNFS are given in an appendix; these are mostly details that could be useful for an implementation but which do not change the complexities.
2 Overview of TNFS
To fix ideas, we consider the case of “large” characteristic, so that we target fields \({\mathbb F}_Q\) with \(Q=p^n\) so that \(p=L_Q(\alpha ,c)\) for some constants \(\alpha >2/3\) and \(c>0\).
Pohlig and Hellman explained how to retrieve the discrete logarithm modulo the group order N from the values of the discrete logarithms modulo each prime factor \(\ell \) of N. Furthermore, Pollard's rho algorithm allows one to compute discrete logarithms modulo small primes. Hence it is enough to explain how to use NFS to compute discrete logarithms modulo prime factors \(\ell \) of \(\#{\mathbb F}_{p^n}^*\) larger than \(L_{p^n}(1/3,c)\) for some \(c>0\).
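The reduction just described, as an added example that is not code from the paper: the logarithm modulo \(N=p-1\) is assembled by the Chinese remainder theorem from logarithms in the subgroups of prime-power order, each of which is solved digit by digit. Brute force stands in for Pollard's rho in the small subgroups; the prime \(p=181\) (so \(N=2^2\cdot 3^2\cdot 5\)) and the generator 2 are constructed toy values, and all function names are the example's own.

```python
# Added example: Pohlig-Hellman reduction of a discrete logarithm in F_p^*
# to logarithms modulo the prime powers dividing the group order N = p - 1.
# Toy parameters only; a real NFS computation handles the large prime factor ell.

def factor_trial(n):
    """Prime factorization {ell: k} by trial division (fine for toy sizes)."""
    fac, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            fac[d] = fac.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        fac[n] = fac.get(n, 0) + 1
    return fac

def is_generator(g, p):
    """g generates F_p^* iff g^(N/ell) != 1 for every prime ell | N."""
    N = p - 1
    return all(pow(g, N // ell, p) != 1 for ell in factor_trial(N))

def dlog_bruteforce(g, h, p, order):
    """Smallest x in [0, order) with g^x = h mod p; stands in for Pollard's rho."""
    x, cur = 0, 1
    while x < order:
        if cur == h % p:
            return x
        cur = cur * g % p
        x += 1
    raise ValueError("no logarithm in the subgroup")

def dlog_mod_prime_power(g, h, p, N, ell, k):
    """Logarithm of h base g modulo ell^k (g of order N, h a power of g)."""
    q = ell ** k
    g_q = pow(g, N // q, p)              # projection: element of order ell^k
    h_q = pow(h, N // q, p)
    gamma = pow(g_q, ell ** (k - 1), p)  # element of order exactly ell
    x = 0
    for j in range(k):
        # strip the digits already known, then push the next digit down to <gamma>
        target = pow(h_q * pow(g_q, -x, p) % p, ell ** (k - 1 - j), p)
        x += dlog_bruteforce(gamma, target, p, ell) * ell ** j
    return x

def crt(residues):
    """Combine (x_i mod m_i) pairs with pairwise coprime moduli m_i."""
    x, m = 0, 1
    for r, mi in residues:
        t = ((r - x) * pow(m, -1, mi)) % mi
        x += m * t
        m *= mi
    return x % m

def pohlig_hellman(g, h, p):
    """log_g(h) in F_p^* for a generator g, recombined from prime-power parts."""
    if not is_generator(g, p):
        raise ValueError("g must generate F_p^*")
    N = p - 1
    parts = [(dlog_mod_prime_power(g, h, p, N, ell, k), ell ** k)
             for ell, k in factor_trial(N).items()]
    return crt(parts)

if __name__ == "__main__":
    p, g = 181, 2                       # constructed toy field, 180 = 2^2 * 3^2 * 5
    h = pow(g, 123, p)
    print(pohlig_hellman(g, h, p))      # recovers 123
```

In the setting of the paper, every factor \(\ell\) of N below \(L_{p^n}(1/3,c)\) is handled this way, and only the contribution modulo the large \(\ell\) requires the sieve.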
A classical variant of the NFS algorithm, e.g. one of the variants used for factoring and DLP in prime fields, would involve two irreducible polynomials f and g in \({\mathbb Z}[x]\) which have a common irreducible factor of degree n modulo p. Here, in TNFS, we consider two polynomials f and g defined over a ring R which is of the form \(R = {\mathbb Z}[t]/(h(t))\) for a monic irreducible polynomial h of degree n. We ask furthermore that h remains irreducible modulo p, so that there is a unique ideal \(\mathfrak p\) above p in R. Finally, we require that f and g are irreducible over \({\mathbb Q}[t]/(h(t))\) and have a common root modulo \(\mathfrak p\) in R.
In the rest of the article, we denote by \(K_f\) the number field defined by f, and by \(K_g\) the one defined by g. Also we write \({\mathbb Q}(\iota )\) for the number field defined by h, so that \(K_f\) and \(K_g\) are as in the figure aside.
Among the constructions that we tried, the best one uses polynomials f and g with coefficients in \({\mathbb Z}\), so that \(K_f\) and \(K_g\) can also be seen as a compositum of two fields. If one could find a construction where f and g have coefficients in R one might find a faster algorithm. In any case, it is interesting to consider f and g as polynomials in R[x], since this makes it easier to follow the analogy with the classical NFS.
Once this setting is done, the TNFS algorithm proceeds as usual. For many polynomials \(a(\iota )-b(\iota )x\) in R[x], we consider their two images in R[x] / f(x) and R[x] / g(x), and test them for smoothness as ideals. Each time the images are simultaneously smooth, we can write a relation: modulo the usual complications with principality defects and units that can be handled with the help of Schirokauer maps, it is possible to convert a relation into a linear relation between virtual logarithms of the factor base elements. Then follows a sparse linear algebra step to deduce the values of these virtual logarithms. And finally, the logarithm of an individual element of \({\mathbb F}_{p^n}\) can be computed using a descent step.
In the next section, we will enter into details, define more precisely the factor base elements and the associated smoothness notion, and estimate the size of the objects involved in the computation.
3 Detailed Description and Analysis
3.1 Polynomial Selection
In the overview of the previous section, nothing is said about the respective degrees of f and g. In fact, there is some freedom here, and we could in principle have balanced degrees and use for instance the algorithm of [20] or we can use a linear polynomial g, both methods leading to the same asymptotic complexity. The only difference comes in the individual logarithm stage. In order to keep the exposition short, we will only present this stage in the case where g is linear, but in practice one must take the one which minimizes the overall time.
In practice, instead of a naïve base-m approach, one can use any of the methods known for the polynomial selection of NFS, when tackling prime fields or integer factorization [3, 4, 13, 23, 24].
What is left is to select a polynomial h of degree n with small coefficients which is irreducible modulo p. This is done by testing polynomials with small coefficients and, heuristically, we succeed after n trials, on average, because the proportion of irreducible polynomials modulo p is \(\approx 1/n\). As we will explain later, rather than having the polynomial h with the smallest coefficients, we might prefer some polynomial with slightly larger coefficients but with the additional property that the Galois group of h is cyclic of order n. For this, we test polynomials in families with a cyclic Galois group; for example Foster [17] gives a list of such families when \(\deg h=2,3,4,5\) or 6.
If one is interested in rigorous results and not in the most efficient polynomials, then one can give a proof of existence based on Corollary 10 given in the Appendix. Indeed, using cyclotomic fields one provably finds h with coefficients upper bounded by \((An^B\log (pn)^C)^n\) for some effective constants A, B and C.
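The search for h described above, as an added example that is not the paper's code: monic polynomials of degree n with coefficients in \([-\text{bound},\text{bound}]\) are drawn at random and tested for irreducibility modulo p with Rabin's criterion (h is irreducible over \({\mathbb F}_p\) iff \(x^{p^n}\equiv x \bmod h\) and \(\gcd(x^{p^{n/r}}-x,h)=1\) for every prime \(r\mid n\)). The polynomial arithmetic is written out in plain Python so that the example runs offline; the toy prime 1000003 and all function names are the example's own choices, and the cyclic Galois group condition mentioned in the text is not checked here.

```python
# Added example: selecting h of degree n, small coefficients, irreducible mod p.
# Polynomials are coefficient lists, lowest degree first, reduced mod p.
from random import Random

def poly_trim(a):
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def poly_sub(a, b, p):
    m = max(len(a), len(b))
    a, b = a + [0] * (m - len(a)), b + [0] * (m - len(b))
    return poly_trim([(x - y) % p for x, y in zip(a, b)])

def poly_mod(a, b, p):
    """Remainder of a modulo b over F_p (b need not be monic)."""
    a, db, inv = a[:], len(b) - 1, pow(b[-1], -1, p)
    while len(a) - 1 >= db and a != [0]:
        c, shift = a[-1] * inv % p, len(a) - 1 - db
        for t in range(db + 1):
            a[shift + t] = (a[shift + t] - c * b[t]) % p
        poly_trim(a)
    return a

def poly_mulmod(a, b, f, p):
    """a*b modulo the monic polynomial f and modulo p."""
    n = len(f) - 1
    prod = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                prod[i + j] = (prod[i + j] + ai * bj) % p
    for k in range(len(prod) - 1, n - 1, -1):   # cancel x^k for k >= n
        c = prod[k]
        if c:
            for t in range(n + 1):
                prod[k - n + t] = (prod[k - n + t] - c * f[t]) % p
    return poly_trim(prod[:n])

def poly_powmod(a, e, f, p):
    result, base = [1], a
    while e:
        if e & 1:
            result = poly_mulmod(result, base, f, p)
        base = poly_mulmod(base, base, f, p)
        e >>= 1
    return result

def poly_gcd(a, b, p):
    a, b = poly_trim(a[:]), poly_trim(b[:])
    while b != [0]:
        a, b = b, poly_mod(a, b, p)
    return a

def prime_factors(n):
    fs, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            fs.add(d)
            n //= d
        d += 1
    if n > 1:
        fs.add(n)
    return fs

def is_irreducible_mod_p(h, p):
    """Rabin's irreducibility test for a monic h over F_p."""
    h = [c % p for c in h]
    n = len(h) - 1
    assert h[-1] == 1, "h must be monic"
    if n == 1:
        return True
    x = [0, 1]
    for r in prime_factors(n):
        # a common factor with x^(p^(n/r)) - x means a factor of degree dividing n/r
        g = poly_gcd(h, poly_sub(poly_powmod(x, p ** (n // r), h, p), x, p), p)
        if len(g) > 1:
            return False
    return poly_powmod(x, p ** n, h, p) == x

def find_h(p, n, bound=1, seed=0):
    """Random monic degree-n h with coefficients in [-bound, bound] irreducible mod p.
    Returns (h, trials); about n trials are expected on average."""
    rng, trials = Random(seed), 0
    while True:
        trials += 1
        h = [rng.randint(-bound, bound) for _ in range(n)] + [1]
        if is_irreducible_mod_p(h, p):
            return h, trials

if __name__ == "__main__":
    h, trials = find_h(1000003, 4, bound=2)      # constructed toy prime
    print(h, "found after", trials, "trials")
```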
3.2 Relation Collection
At the top of the diagram of Fig. 1 one usually takes \(a-bx\) with \(a,b\in R\). However, in the most general version of NFS one considers polynomials in R[x] of arbitrary degrees; this is in particular necessary for the medium characteristic case [21]. In our study, we did not find any case where it was advantageous to consider polynomials of degree more than 1. Therefore we stick to the traditional (a, b)-pairs terminology for designating a linear polynomial \(a(\iota ) - b(\iota )x\) in R[x] that we consider as a candidate for producing a relation.
Ideals of Degree 1. In our case, just like in the classical NFS, only ideals of degree 1 can occur in the factorizations of the elements in the number rings (except maybe for a finite number of ideals dividing the discriminants). This is, of course, only true when thinking in terms of the relative extensions; we formalize this in the following proposition that holds for f, but is also true for g if it happens to be non-linear.
Proposition 1
Let \({\mathbb Q}(\iota )\) be a number field and let \({\mathcal O}_\iota \) be its ring of integers. Let f be a monic irreducible polynomial in \({\mathcal O}_\iota [x]\), and denote by \(\alpha \) one of its roots. We denote by \(K_f={\mathbb Q}(\iota ,\alpha )\) the corresponding extension field, and \({\mathcal O}_f\) its ring of integers.
If \(\mathfrak q\) is a prime ideal of \({\mathcal O}_\iota \) not dividing the index-ideal \([{\mathcal O}_f:{\mathcal O}_\iota [\alpha ]]\), then the following statements hold.
(i) The prime ideals of \({\mathcal O}_f\) above \(\mathfrak q\) are all the ideals of the form $$\begin{aligned} \mathfrak Q=\langle \mathfrak q, T(\alpha ) \rangle , \end{aligned}$$ where T(x) are the lifts to \({\mathcal O}_\iota [x]\) of the irreducible factors of f in \(({\mathcal O}_\iota /\mathfrak q)[x]\). Moreover \(\deg \mathfrak Q= \deg T\).
(ii) If a(t), \(b(t)\in {\mathbb Z}[t]\) are such that \(\mathfrak q\) divides \({{\mathrm{N}}}_{K_f/{\mathbb Q}(\iota )}(a(\iota )-b(\iota )\alpha )\) and \(a(\iota ){\mathcal O}_\iota +b(\iota ){\mathcal O}_\iota ={\mathcal O}_\iota \), then the unique ideal of \({\mathcal O}_f\) above \(\mathfrak q\) which divides \(a(\iota )-b(\iota )\alpha \) is \(\mathfrak Q=\langle \mathfrak q, \alpha - r(\iota )\rangle \) with \(r \equiv a(\iota )/b(\iota ) \pmod{\mathfrak q}\).
Proof
(i) This is Proposition 2.3.9 of [14].
Finding Doubly-smooth (a, b)-pairs. Among various choices for the shape of the a(t) and b(t) polynomials that we tried, the one giving the smallest norms is that where a and b are of maximal degree, \(n-1\), and for which their coefficients are all of more or less the same size.
Let us denote by A a bound on these coefficients of a(t) and b(t). In the end, it will be chosen to be just large enough so that we get enough relations to get a full-rank system by browsing through all the possible coprime (a, b)-pairs of degree at most \(n-1\) fitting this bound.
In order to estimate the probability that an (a, b)-pair gives a relation, the first step is to bound the size of the absolute norms on the f-side and the g-side. The main tool is the following bound on the resultant.
Theorem 2
We can now give the formula for the bound on the norm. We write it with the notations of the f-side, but it applies also to the g-side, after replacing the degree d by 1.
Theorem 3
Let h and f be monic irreducible polynomials over \({\mathbb Z}\) of respective degrees n and d. Let K be the compositum of the number fields defined by h and f, and let \(\iota \) and \(\alpha _f\) be roots in K of h and f, respectively.
Proof
If the polynomials f, g or h are not monic, the theorem does not apply, since the element \(a(\iota )-b(\iota )\alpha _f\) is not an algebraic integer anymore. However, the denominators, which are powers of the primes dividing the leading coefficients, are under control in terms of smoothness (it suffices to add a few prime ideals to the factor bases). And in fact, the quantity based on resultants computed in the proof of the theorem is the one that is really used for smoothness testing. Therefore, the monic hypothesis is not a restriction, and is just there to avoid technicalities.
3.3 Writing and Solving Linear Equations
Mapping a factorization of ideals to a linear combination of logarithms is not immediate unless the ring is principal and there are no units other than \(\pm 1\); both things are highly unlikely since the fields \(K_f\) and \(K_g\) have large degrees over \({\mathbb Q}\). Therefore, we have to resort to the notion of virtual logarithms, just like in the classical case.
For this, it is easier to work with absolute extensions. Then, we can use the same strategy as in Sect. 4.3 of [21], that we summarize in the following theorem which can be applied to \(K_f\) and \(K_g\).
Theorem 4
([21, Section 4.3]). Let \(K={\mathbb Q}(\theta )\) be a number field and \(\mathfrak P\) an unramified ideal of its ring of integers \({\mathcal O}_K\), with residue field isomorphic to \({\mathbb F}_{p^n}\) in which we fix a generator t. Let \(\ell \) be a prime factor of \(p^n-1\) and let \(U=\{ x\in K \mid \forall \mathfrak L\text { above }\ell , {{\mathrm{val}}}_\mathfrak L(x)=0 \}\).
We assume that there exists a Schirokauer function, i.e. an injective group homomorphism \(\lambda =(\lambda _1,\ldots ,\lambda _r):(U/U^\ell ,\cdot )\rightarrow ({\mathbb Z}/\ell {\mathbb Z},+)^r\), where r is the unit rank of \({\mathcal O}_K\).
Assuming furthermore that \(\ell \) neither divides the class number of K nor its discriminant, the following holds.
In [33], Schirokauer explained how to construct an explicitly and efficiently computable map \(\lambda \) as in the theorem and brought heuristics to support the assumptions. These heuristics, and the fact that the other hypotheses of the theorem are expected to be true, rely on the condition that \(\ell \) is not too small. These are the main reasons why we asked in the beginning that \(\ell \) grows at least like \(L_Q(1/3)\).
For each (a, b)-pair that gives two smooth ideals in \(K_f\) and \(K_g\), the element \(a(\iota )-b(\iota )\alpha _f\) can be expressed in the absolute representation of \(K_f={\mathbb Q}(\theta _f)\) by a polynomial form \(\phi _f(\theta _f)\), and similarly \(a(\iota )-b(\iota )\alpha _g\) can be written \(\phi _g(\theta _g)\) in \(K_g={\mathbb Q}(\theta _g)\). We refer for instance to [14] for algorithms to manipulate relative extensions as absolute extensions. Then, applying Theorem 4 to \(\phi _f\) in \(K_f\) and \(\phi _g\) in \(K_g\), we obtain two linear expressions that must be equal, since they both correspond to the logarithm of the same element in \({\mathbb F}_{p^n}\).
As a consequence, each relation is rewritten as a linear equation between the virtual logarithms of the elements of the factor base and the \(\chi _j\) for each field. We make the now classical heuristic that, collecting roughly the same number of relations as the size of the factor base (say, a polynomial factor times more), the linear system obtained in such a manner has a kernel of dimension one. A vector of this kernel is computed using Wiedemann's algorithm [36] in a quasi-quadratic time \(B^{2+o(1)}\). This gives the logarithms of all the ideals in the factor base.
3.4 Overall Complexity of the Main Phase
From the previous sections, we can now conclude about the complexity of the main steps of the algorithm. In fact, with our choice for the polynomial selection, and the kind of (a, b)-pairs that we test for smoothness, we have obtained exactly the same expressions for the sizes of the norms as in the usual NFS complexity analysis for prime fields, and in particular the same probability \(\text {Prob}\) that the product of the norms is smooth. Since the linear algebra step is also similar, the final complexity is the same: we then have to minimize \(B^2+E^2\) subject to the condition \(E^2\cdot \text {Prob}\ge B^{1+o(1)}\), and we refer for example to Conjecture 11.2 of [13]. Hence, the optimal values of the parameters are \(E=B=L_Q(1/3,\root 3 \of {\frac{8}{9}})\) and \(d=\root 3 \of {3} (\frac{\log Q}{\log \log Q})^{1/3}\), and the heuristic complexity of the main phase of TNFS is \(L_Q(1/3,\root 3 \of {\frac{64}{9}})\).
3.5 Individual Logarithms
Let s be an element of \({\mathbb F}_{p^n}^*\) for which we want to compute the discrete logarithm. If s is very small, then it factors into ideals of the factor base, and its logarithm is easily retrieved. However, in general, this requires a two-phase process that is not so trivial, although negligible compared to the other steps.
First, in what we call a smoothing phase, the element s is randomized and tested for \(B_1\)-smoothness with the ECM algorithm. The bound \(B_1\) will be of the form \(L_Q(2/3)\), so that the cost of the smoothing test is in \(L_Q(1/3)\).
Thereafter, each prime ideal \(\mathfrak Q\) which is not in the factor base is considered as a special-q and we search for a relation involving \(\mathfrak Q\) and other smaller ideals. Continuing recursively, we get a special-q descent tree, from which the logarithm of s can be deduced.
Smoothing. The randomization is simple: we compute \(z=s^e\) in \({\mathbb F}_{p^n}\) for random values e, and test z for smoothness. The logarithm of s is just the logarithm of z divided by e modulo \(\ell \).
To be more precise, the smoothness is not tested for the element z as an element of the finite field, but as the corresponding element in \(K_g\). Indeed, in our construction, \(z\in {\mathbb F}_{p^n}\) is represented by a polynomial of degree less than n with coefficients modulo p. Lifting these coefficients to integers, we obtain a polynomial which makes sense modulo h(t), therefore an element of \({\mathbb Q}(\iota )=K_g\) (this is where we use that g is linear). As usual, to test the smoothness of z as an element of \({\mathbb Q}(\iota )\), we test the smoothness of its norm as an integer. Using again the estimate of Theorem 3, the size S of this norm is \(Q^{1+o(1)}\).
The bound \(B_1\) can then be optimized with respect to this step only, like in the classical NFS: if it is too small, the probability of being smooth is too small, while if it is too large, the cost of testing the smoothness by ECM is prohibitive. The analysis is the same as in [15] and gives a value \(B_1= L_Q(2/3,(\frac{1}{3})^{1/3})\); the corresponding cost for the smoothing phase is \(L_Q(1/3, 3^{1/3})\).
After the smoothing phase, the logarithm of s has been rewritten in terms of the logarithms of small prime ideals of \(K_g\) for which the logarithm is already known, and some largish prime ideals of \(K_g\), of norm bounded by \(B_1\). The next step is to compute the logarithms of these largish ideals.
Descent by Special-q. As in NFS, the algorithm is recursive: if \(\mathfrak Q\) is a prime ideal of degree one in \(K_f\) (respectively \(K_g\)), then we write \(\log \mathfrak Q\) as a formal sum of virtual logs of ideals \(\mathfrak Q'\) of \(K_f\) and \(K_g\) with norm less than \({{\mathrm{N}}}(\mathfrak Q)^c\), for a positive parameter \(c<1\). For this, we consider the lattice of (a, b)-pairs for which \(\mathfrak Q\) divides the element \(a-b\alpha _f\) (resp. \(a-b\alpha _g\)). A basis for this lattice can be constructed and LLL-reduced. Small combinations of these basis vectors are then formed and the norms of the corresponding (a, b)-pairs are tested for \({{\mathrm{N}}}(\mathfrak Q)^c\)-smoothness. We refer to Appendix 7.1 for the description of this special-q lattice technique, that is also used in practice during the collection of relations in the main stage. When a relation is found, this gives a new node in the descent tree, the children of it being the ideals of the relation that are still too large to be in the factor base. The total number of nodes is quasi-polynomial.
4 Variants
Note on the Boundary Case. TNFS can be applied to the boundary case \(p=L_Q(2/3,c_p)\), \(c_p>0\), where one obtains a complexity \(L_Q(1/3,c)\). The constant c is strictly larger than \(\root 3 \of {64/9}\) as the factor C(n, d) in Eq. (1) is not negligible any more. Yet, for some values of \(c_p\), TNFS overcomes the method of [21], which was state-of-the-art until recently. Using the generalized Joux-Lercier method, the authors of [6, 7] reduced the constant c to \((64/9)^{1/3}\approx 1.92\) and Pierrot [31] showed that a multiple fields variant allows to further reduce c to \(\approx 1.90\). Therefore, we do not reproduce here the tedious computations of the complexity in the boundary case.
The Case of Primes of Special Form (SNFS). Given a positive integer d, an integer p, not necessarily prime, is said to be a d-SNFS integer if it can be written as \(p=P(u)\) for some integer \(u\approx p^{1/d}\) and a polynomial \(P\in {\mathbb Z}[x]\) such that \({\Vert }{P}{\Vert }_\infty \) is small (say, bounded by a constant). We remark that when a number is SNFS, there can be several valid choices for d and P. This is typically the case for integers of the form \(2^k+\varepsilon \), for tiny \(\varepsilon \).
When solving DLP in fields \({\mathbb F}_{p^n}\) for d-SNFS primes p, we can follow the classical SNFS construction [27] and set \(f(x)=P(x)\) and \(g(x)=x-u\), which is possible since f and g share the root u modulo p.
We choose the parameter E so that the number of collected pairs exceeds 2B, which is an upper bound on \(\#\mathcal {F}\). The same considerations as in [16] allow us to find the optimal parameters: \(V=L_Q(1/3, 1-(\frac{\sqrt{13}-1}{3})^{1/3} )\), \(E=B=L_Q(1/3,(\frac{46+13\sqrt{13}}{108})^{1/3})\) and \(d=\delta (\log Q/\log \log Q)^{1/3}\) where \(\delta =(\frac{32-2\sqrt{13}}{9})^{1/3}\); the complexity of the multiple field variant of TNFS is \(L_Q(1/3,(\frac{92+26\sqrt{13}}{27})^{1/3})\).
Automorphisms. Joux, Lercier, Smart and Vercauteren [21] proposed an improvement based on the field automorphisms of the number fields occurring in NFS. A recent preprint proves (a reformulation of) the following result:
Theorem 5
In Sect. 3.1 we noted that one might find \(\iota \) so that \({\mathbb Q}(\iota )/{\mathbb Q}\) has n automorphisms over \({\mathbb Q}\). All these automorphisms can be used to speed up computations, using the following result.
Corollary 6
Proof
According to [7], automorphisms allow us to sieve n times faster and to speed up the linear algebra stage by a factor \(n^2\). Note that, contrary to the classical variant of NFS where automorphisms were available only for certain values of n, TNFS has no restrictions.
5 Comparison for Cryptographically Relevant Sizes
The complexity of NFS and its many variants is written in the form \(C^{1+o(1)}\), which can hide large factors, and therefore we cannot decide which variant to implement based only on asymptotic complexity. We follow the methodology of [7, Section 4.4] and do a more precise comparison by evaluating the upper bound on the size of the integers which are tested for smoothness: the product of the norms with respect to the two sides. In particular, we make explicit the negligible terms of Eqs. (2) and (3) using Theorem 3.
5.1 The Case of General Primes
Since the JLSV algorithm comes with a variety of methods of polynomial selection, we cannot give a unified formula for the size of the norms' product, so we use the minimum of the formulae in [7]. Therefore, in the following, when we say JLSV, this covers both variants explained in [21] as well as the Conjugation and Generalized Joux-Lercier methods. The choice of the parameter E depends on the size of the norms, but for a first comparison we can use the default values of CADO-NFS [7, Table 2].
5.2 The Case of Primes of Special Shape (SNFS)
The Importance of the d Parameter. If we want to compute discrete logarithms in a field \({\mathbb F}_{p^n}\) such that p is d-SNFS for a parameter d, then the first question to ask is whether to use a general algorithm like TNFS and JLSV or a specialized variant of these two, namely the SNFS variant of TNFS that we denote STNFS or the Joux-Pierrot algorithm.
When \(d=6\) we can rely on a real-life example: Aoki et al. [2] factored a 1039-bit integer with SNFS, using sextic polynomials, i.e. \(d=6\). The current record, held by Kleinjung et al. [26], was obtained with a MNFS variant and targeted d-SNFS integers for \(d=8\). Their computations were much faster than the estimated time to factor a 1024-bit RSA modulus, so it is safe to say that SNFS is the best option when \(\log _2Q\approx 1024\) and \(d=6\), or when \(d=8\) for slightly larger targets. However, the value of d is fixed in most cases and can take very different values among curves used in pairing-based cryptosystems, going from \(d=2\) for MNT curves [29] to \(d=56\) in other constructions [18, Table 6.1], [30].
If the polynomial P such that \(p=P(u)\) has a special shape, one can try to reduce the value of d using techniques from the Cunningham project records. On the one hand, if \(P=T(x^a)\) with \(T\in {\mathbb Z}[x]\) and \(a\in {\mathbb N}\), we can also write \(p=T(v)\) with \(v=u^a\), so p is \((\deg T)\)-SNFS. This technique can be used for example in the construction of Brezing-Weng [12, Section 3, item 3(b)] where \(P(x)=\mu a^2+\nu b^2\) for some small constants \(\mu \) and \(\nu \) and where \(a,b\in {\mathbb Z}[x^5]\) have degree 5 and 15 respectively; we replace P of degree 30 by a polynomial of degree 6.
On the other hand, a construction of Freeman, Scott and Teske [18, Construction 6.4] allows one to divide the degree by 2. Indeed, in that case the polynomial P is almost a palindrome, in the sense that it can be written as \(P(x)=\frac{1}{4} x^{(\deg P)/2}T(x-\frac{1}{x})\) with \(T\in {\mathbb Z}[x]\). Then we select \(f=T(x)\) and \(g=ux-(u^2-1)\), which share the root \(u-\frac{1}{u}\) modulo p and are such that \({\Vert }{f}{\Vert }_\infty =O(1)\) and \({\Vert }{g}{\Vert }_\infty =p^{1/\deg f}\).
A First Example. We target a 1024-bit field \({\mathbb F}_{p^2}\) for a 6-SNFS prime p and we set the parameters equal to their value in the computation of Aoki et al. If one chooses to forget that p has a special shape and uses JLSV with the conjugation method, then the product of the norms has bit-size \(\approx 439\). If instead one uses the special shape of p, the product of the norms for STNFS has bit-size \(C_\mathrm {STNFS}(n=2,d=6)\approx 386\), while the best parameters for the Joux-Pierrot algorithm yield \(C_\mathrm {JP}(n=2,d=6,t=3)\approx 457\). A probabilistic experiment suggests that our model is quite precise, as the negligible factors do not add more than 6 bits.
Barreto-Naehrig. The elliptic curves proposed by Barreto and Naehrig [9] correspond to finite fields of parameters \(n=12\) and \(d=4\). We tackle a field of 1024-bit cardinality and we will use a value of E close to the one in the factorization record, i.e. \(\log _2E=30.4\). If we forget that p is SNFS, then we can choose the value of d in TNFS and we find \(C_\mathrm {TNFS}(n=12,d=7)=500\). If instead we use the special shape of p we obtain \(C_\mathrm {STNFS}(n=12,d=4)=408\) and \(C_\mathrm {JP}(n=12,d=4,t=12)=539\).
In that case, the extension degree n (a.k.a. the embedding degree in the pairing context) is already pretty large, so that we are not at all in the nominal range of applicability of TNFS. As a consequence, our estimate for \(C_\mathrm {TNFS}\) is way too optimistic, since the so-called negligible factors are no longer small. But in fact, it is not that bad: computing explicitly the norms for a sample of typical (a, b)'s of the appropriate size shows that the product of the norms for STNFS is 60 to 80 bits larger than the ideal model when \(f=36x^4+12x^3+16x^2+2x+1\) and \(h=x^{12}-x-1\). Therefore, it might still be better than Joux-Pierrot.
There are however examples when the specialized algorithms do not apply.
Fact 7
To see this, note first that the Joux-Pierrot algorithm keeps the stages of JLSV unchanged once the polynomial selection is finished. In the Joux-Pierrot algorithm one constructs polynomials f and g such that \(\deg (f)=nd\), \(\deg (g)=n\), \({\Vert }{f}{\Vert }_\infty =O(1)\) and \({\Vert }{g}{\Vert }_\infty =Q^{1/(nd)}\). However, when \(n=2\), they have the same characteristics as the polynomials constructed by the Conjugation method, which applies to arbitrary primes.
Plots. Let us plot the modelled bit-size of the norms product for STNFS and Joux-Pierrot in the range which is currently feasible or might become feasible in the near future: \(400\le \log _2Q\le 1000\). Together with \(C_\mathrm {STNFS}\) and \(C_\mathrm {JP}\) (Joux-Pierrot), we also plot \(C_\mathrm {NFS}\) which represents the bit-size of the product of the norms in NFS when factoring RSA numbers. We make separate graphs for each pair (n, d) where n is the degree of the target field and d is the parameter such that p is d-SNFS, as those parameters are unique (in general) for each finite field: Fig. 3 (n = 2), Fig. 4 (n = 3), Fig. 5 (n = 4) and Fig. 6 (n = 5). Although the value of E depends on the size of the norms, in a first approximation we can use the formula \(E=c\cdot L_Q(1/3,(4/9)^{1/3})\) where c is a constant chosen such that the formula fits the value of E in the example of Aoki et al.
- when \(d\ge 3\), the two algorithms specialized in fields of SNFS characteristic have smaller norms than those of NFS when factoring RSA numbers;
- when \(d\ge 4\), STNFS is an important challenger for the Joux-Pierrot algorithm.
6 Cryptographic Consequences
The number field sieve algorithm is still far from being fully understood, in particular for extension fields that are so important for pairing-based cryptography. In the past few years, several improvements have been made in the asymptotic complexities in various scenarios, leading in particular to an \(L(1/3,\root 3 \of {32/9})\) complexity for small degree extensions of SNFS-prime fields, that are common in pairing-friendly constructions.
We have shown that, in this setting, an old NFS variant due to Schirokauer could compete with and probably overcome the algorithm by Joux-Pierrot. We acknowledge that the comparison is not perfect since it is based on a model where the efficiency is directly linked to the size of the product of the norms of the elements that have to be tested for smoothness. Still, in some cases, the difference is large enough (a few dozen bits) that we are confident that this should translate into a significant practical difference.
Of course, only a careful implementation of both algorithms could confirm this. Unfortunately, this goes way beyond the scope of this paper. As far as we know, Joux-Pierrot's algorithm has not been used so far for a record-setting computation, and Schirokauer's TNFS would require even more implementation work to handle the sieve in higher dimension. And since doing experiments with non-optimized implementations and small field sizes could lead to highly misleading conclusions, we preferred to keep this for future work.
7 Appendix: Technicalities
7.1 Special-q Sieving
In practice, for prime fields, the relation collection phase is split into subtasks following the so-called special-q sieving strategy. It is expected, but not so obvious, that this technique can be adapted to the case of TNFS.
- \(a-b\alpha _f \equiv 0 \bmod \mathfrak Q\);
- \({{\mathrm{N}}}_{K_f/{\mathbb Q}}(a-b\alpha _f)/{{\mathrm{N}}}_{K_f/{\mathbb Q}}(\mathfrak Q)\) and \({{\mathrm{N}}}_{K_g/{\mathbb Q}}(a-b\alpha _g)\) are B-smooth,
The critical part of Algorithm 1 is Step 4, where we need to solve a problem that Pollard [32] asked in the case \(m=2\).
Problem 1
Compute the intersection of a sublattice of \({\mathbb Z}^m\) with an interval product \(\prod _{k=0}^{m1}I_k\).
Since the dimension is fixed or small enough, we can use a generic lattice enumeration algorithm like the KannanFinckePohst algorithm. In the case \(m=2\), Franke and Kleinjung [25, Appendix A] gave an elegant algorithm that proved very efficient in practice. Extending this algorithm to higher dimension is still an open problem.
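As an added worked example (not code from the paper): the Python below solves Problem 1 for \(m=2\) in the setting where it is simplest, the special-q lattice of classical NFS over \({\mathbb Z}\), i.e. \(L_q=\{(a,b)\in {\mathbb Z}^2 \mid a - br \equiv 0 \bmod q\}\). It reduces the obvious basis \((q,0),(r,1)\) by Gauss (Lagrange) reduction and then enumerates exactly the lattice points inside a sieve rectangle by bounding the second lattice coordinate from the corners of the box and solving an interval for the first one. This is a direct computation, not the Franke-Kleinjung algorithm; the values of \(q\), \(r\) and the box are constructed, and the function names are my own.

```python
from fractions import Fraction
from math import ceil, floor


def special_q_basis(q, r):
    """Gauss-reduced basis of L_q = {(a, b) in Z^2 : a - b*r = 0 (mod q)}.

    Start from the obvious basis (q, 0), (r, 1); Lagrange/Gauss reduction
    turns it into two vectors of length about sqrt(q) (determinant +-q)."""
    u, v = (q, 0), (r % q, 1)
    while True:
        if u[0] * u[0] + u[1] * u[1] > v[0] * v[0] + v[1] * v[1]:
            u, v = v, u
        dot, nu = u[0] * v[0] + u[1] * v[1], u[0] * u[0] + u[1] * u[1]
        k = (2 * dot + nu) // (2 * nu)          # round(<u,v> / <u,u>), exact
        if k == 0:
            return u, v
        v = (v[0] - k * u[0], v[1] - k * u[1])


def _int_range(c, d, lo, hi):
    """Integers i with lo <= c*i + d <= hi: (imin, imax); None if empty;
    (None, None) if unconstrained (c == 0 and d already inside [lo, hi])."""
    if c == 0:
        return (None, None) if lo <= d <= hi else None
    if c < 0:                                    # flip signs so that c > 0
        c, d, lo, hi = -c, -d, -hi, -lo
    imin, imax = -((d - lo) // c), (hi - d) // c   # ceil((lo-d)/c), floor((hi-d)/c)
    return (imin, imax) if imin <= imax else None


def lattice_points_in_box(basis, amin, amax, bmin, bmax):
    """Problem 1 for m = 2: every point i*u + j*v of the lattice spanned by
    (u, v) that lies in [amin, amax] x [bmin, bmax], as tuples (i, j, a, b).
    The box is a parallelogram in (i, j)-coordinates, so j is bounded by its
    four corners, and for each j the admissible i form one interval."""
    (ua, ub), (va, vb) = basis
    det = ua * vb - ub * va                      # +-q for a special-q lattice
    corners = [(a, b) for a in (amin, amax) for b in (bmin, bmax)]
    js = [Fraction(b * ua - a * ub, det) for a, b in corners]   # j-coordinate of (a, b)
    points = []
    for j in range(ceil(min(js)), floor(max(js)) + 1):
        ra = _int_range(ua, j * va, amin, amax)  # constraint on a = i*ua + j*va
        rb = _int_range(ub, j * vb, bmin, bmax)  # constraint on b = i*ub + j*vb
        if ra is None or rb is None:
            continue
        imin = max(x for x in (ra[0], rb[0]) if x is not None)
        imax = min(x for x in (ra[1], rb[1]) if x is not None)
        for i in range(imin, imax + 1):
            points.append((i, j, i * ua + j * va, i * ub + j * vb))
    return points


def special_q_region(q, r, A, B):
    """All (a, b) with a = b*r (mod q), -A <= a < A and 0 <= b < B, obtained by
    walking the reduced lattice instead of testing every (a, b) of the box."""
    u, v = special_q_basis(q, r)
    return sorted((a, b) for _, _, a, b in lattice_points_in_box((u, v), -A, A - 1, 0, B - 1))


def brute_force_region(q, r, A, B):
    """Reference: the same set by trial over the whole box (what the sieve avoids)."""
    return sorted((a, b) for b in range(B) for a in range(-A, A) if (a - b * r) % q == 0)
```

The number of points returned is about \(2AB/q\), which is the point of special-q sieving: the work is proportional to the lattice points, not to the area of the box. Any \((i,j)\) point corresponds to exactly one \((a,b)\), so no duplicates arise.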
The Particular Case of Gaussian Integers. When \(h=x^2+1\), \(\iota =i\), and we have a series of advantages. First of all, \(\deg (h)=n=2\), so the combinatorial overhead C(n, d) in Theorem 3 is small. Secondly, the ring \({\mathbb Z}[i]\) is Euclidean, so that we can speed up Step 1 of Algorithm 1.
Lemma 8
Proof
Note first that if two elements \(e_1,e_2\) form a basis for a \({\mathbb Z}[i]\)-module M, then the set \(\{e_1,ie_1,e_2,ie_2\}\) is a basis of M seen as a \({\mathbb Z}\)-module. We apply this fact to \(M=\{(a,b)\in {\mathbb Z}[i]\times {\mathbb Z}[i] \mid a-br\equiv 0 \mod q\}\), so it is sufficient to show that \((d_j,v_j)\) and \((d_{j+1},v_{j+1})\) form a basis of M when seen as a \({\mathbb Z}[i]\)-module.
We interrupt the execution of the EEA at its middle point, i.e. at the least index j where \({{\mathrm{N}}}_{{\mathbb Q}(i)/{\mathbb Q}}(d_j) < \sqrt{{{\mathrm{N}}}_{{\mathbb Q}(i)/{\mathbb Q}}(q)}\). As in the classical variant of NFS, we make the heuristic assumption that for all \(k\in [1,4]\) we have \({\Vert }{(a^{(k)},b^{(k)})}{\Vert }_\infty \approx \sqrt{q}\). Hence we replace Step 1 of Algorithm 1 by the EEA in \({\mathbb Z}[i]\).
Another advantage of \({\mathbb Z}[i]\) is that we can easily deal with the roots of unity. Indeed, the roots of unity have a bad effect on the sieve since, for any pair (a, b) found during the sieve, one will also find (ua, ub) for all roots of unity u. For a practical implementation one might prefer to choose h so that there are no roots of unity other than \(\pm 1\).
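As an added example (my own code, not the paper's implementation) covering the two remarks above: exact Gaussian-integer arithmetic, the extended Euclidean algorithm on \((q,r)\) in \({\mathbb Z}[i]\) stopped at the first index j with \({\mathrm N}(d_j)<\sqrt{{\mathrm N}(q)}\) to obtain the \({\mathbb Z}[i]\)-basis \((d_j,v_j),(d_{j+1},v_{j+1})\) of M, its expansion to the \({\mathbb Z}\)-basis \(\{e_1,ie_1,e_2,ie_2\}\), and a canonical representative of the orbit \(\{(ua,ub)\}\) under the roots of unity \(u\in\{\pm 1,\pm i\}\). The modulus \(q=1019\) (inert in \({\mathbb Z}[i]\) since \(1019\equiv 3 \bmod 4\)) and the residue \(r\) are constructed values.

```python
# Gaussian integers as pairs (x, y) standing for x + y*i; everything is exact.

def gnorm(a):
    return a[0] * a[0] + a[1] * a[1]


def gmul(a, b):
    return (a[0] * b[0] - a[1] * b[1], a[0] * b[1] + a[1] * b[0])


def gsub(a, b):
    return (a[0] - b[0], a[1] - b[1])


def _round_div(x, n):
    # nearest integer to x/n for n > 0 (ties rounded up), computed exactly
    return (2 * x + n) // (2 * n)


def gdivmod(a, b):
    """Euclidean division in Z[i]: a = k*b + rem with N(rem) <= N(b)/2.
    a/b = a*conj(b)/N(b); rounding both coordinates to the nearest integer
    leaves |a/b - k|^2 <= 1/2, which is exactly why Z[i] is Euclidean."""
    n = gnorm(b)
    t = gmul(a, (b[0], -b[1]))
    k = (_round_div(t[0], n), _round_div(t[1], n))
    return k, gsub(a, gmul(k, b))


def divisible(q, a):
    return gdivmod(a, q)[1] == (0, 0)


def half_eea_basis(q, r):
    """Z[i]-basis of M = {(a, b) in Z[i]^2 : a - b*r = 0 mod q}.
    Runs the extended Euclidean algorithm on (q, r), keeping d_k = u_k*q + v_k*r
    (so d_k - v_k*r is a multiple of q), stops at the first index j with
    N(d_j) < sqrt(N(q)) and returns (d_j, v_j), (d_{j+1}, v_{j+1}).
    Every step is unimodular, so the determinant of the pair is a unit times q."""
    d_prev, v_prev = q, (0, 0)            # d_0 = 1*q + 0*r
    d_cur, v_cur = r, (1, 0)              # d_1 = 0*q + 1*r
    while gnorm(d_cur) ** 2 >= gnorm(q):  # N(d_cur) >= sqrt(N(q)), compared exactly
        k, rem = gdivmod(d_prev, d_cur)
        d_prev, v_prev, d_cur, v_cur = d_cur, v_cur, rem, gsub(v_prev, gmul(k, v_cur))
    assert d_cur != (0, 0), "q must not divide r (e.g. q prime in Z[i], r a root mod q)"
    k, rem = gdivmod(d_prev, d_cur)       # one more step for (d_{j+1}, v_{j+1})
    return (d_cur, v_cur), (rem, gsub(v_prev, gmul(k, v_cur)))


def z_basis(e1, e2):
    """{e1, i*e1, e2, i*e2} as a Z-basis of the Z[i]-module spanned by e1, e2,
    each vector flattened to (Re a, Im a, Re b, Im b) in Z^4, the sieve space."""
    I = (0, 1)
    vecs = [e1, (gmul(I, e1[0]), gmul(I, e1[1])), e2, (gmul(I, e2[0]), gmul(I, e2[1]))]
    return [(a[0], a[1], b[0], b[1]) for a, b in vecs]


UNITS = ((1, 0), (0, 1), (-1, 0), (0, -1))   # the roots of unity 1, i, -1, -i of Z[i]


def unit_orbit(a, b):
    return [(gmul(u, a), gmul(u, b)) for u in UNITS]


def canonical(a, b):
    """Representative of {(u*a, u*b)}: (a, b) and (u*a, u*b) yield the same
    relation, so the sieve should report only one of the four."""
    return min(unit_orbit(a, b))
```

Keying found relations by `canonical(a, b)` is the cheap way to discard the three duplicates that the roots of unity produce; with a field \({\mathbb Q}(\iota)\) whose only roots of unity are \(\pm 1\) the orbit has size two and the same idea applies.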
7.2 Using a Cyclotomic Field for \({\mathbb Q}(\iota )\)
Although we found no practical advantage for cyclotomic fields other than \({\mathbb Q}(i)\), they allow us to give a proof of existence for the polynomial h, as required in the TNFS construction of Sect. 3.1.
Theorem 9
([1], Prop. 3). Assuming the Extended Riemann Hypothesis (ERH), there is a constant \(c>0\), such that for all \(p,n\in {\mathbb N}\), p prime and \(\gcd (n,p)=1\), there exists a prime q such that \(q\equiv 1 \pmod n\), \(q< c n^4\log (pn)^2\) and p is inert in the unique subfield K of \({\mathbb Q}(\zeta _q)\) with \([K:{\mathbb Q}]=n\).
Corollary 10
h is irreducible modulo p;
\({\Vert }{h}{\Vert }_\infty < (2cn^4\log (np)^2)^n\).
Proof
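As an added worked example (my own code, not from the paper): for a prime q with \(q\equiv 1 \pmod n\), the script below computes the defining polynomial h of the unique degree-n subfield K of \({\mathbb Q}(\zeta _q)\) as the minimal polynomial of a Gaussian period, and then checks both sides of the equivalence that Theorem 9 and Corollary 10 rely on, namely that p is inert in K exactly when h is irreducible modulo p. Inertness is read off the Frobenius in \(({\mathbb Z}/q{\mathbb Z})^*/H\), irreducibility is decided by Ben-Or's test over \({\mathbb F}_p\). The two checks agree for primes p not dividing the index of \({\mathbb Z}[\eta]\) in the ring of integers of K (that index is 1 for the small cases used below); the values of q, n and p are constructed and the function names are mine.

```python
from itertools import zip_longest

# Z[zeta_q] = Z[x]/(Phi_q): an element is a list of q integers, the coefficients of
# 1, zeta, ..., zeta^(q-1).  Because 1 + zeta + ... + zeta^(q-1) = 0, the representative
# whose last coefficient is 0 is unique; cyc_normal() enforces it.

def cyc_normal(v):
    c = v[-1]
    return [x - c for x in v]


def cyc_mul(u, v):
    q, w = len(u), [0] * len(u)
    for i, x in enumerate(u):
        for j, y in enumerate(v):
            w[(i + j) % q] += x * y
    return cyc_normal(w)


def primitive_root(q):
    # brute force is fine for the small q used here
    return next(g for g in range(2, q) if len({pow(g, k, q) for k in range(q - 1)}) == q - 1)


def gauss_periods(q, n):
    # eta_k = sum_{t < (q-1)/n} zeta^(g^(k + n t)), k = 0..n-1: the n conjugates of a
    # generator of the unique degree-n subfield K of Q(zeta_q)
    assert (q - 1) % n == 0
    g, f, periods = primitive_root(q), (q - 1) // n, []
    for k in range(n):
        v = [0] * q
        for t in range(f):
            v[pow(g, k + n * t, q)] += 1
        periods.append(cyc_normal(v))
    return periods


def period_polynomial(q, n):
    # h = prod_k (x - eta_k), multiplied out in Z[zeta][x]; monic with coefficients
    # in Z, returned low degree first
    poly = [[1] + [0] * (q - 1)]
    for eta in gauss_periods(q, n):
        neg = cyc_normal([-x for x in eta])
        new = [[0] * q for _ in range(len(poly) + 1)]
        for d, c in enumerate(poly):
            new[d + 1] = cyc_normal([a + b for a, b in zip(new[d + 1], c)])
            new[d] = cyc_normal([a + b for a, b in zip(new[d], cyc_mul(c, neg))])
        poly = new
    assert all(all(x == 0 for x in c[1:]) for c in poly), "coefficients must be rational"
    return [c[0] for c in poly]


# F_p[x]: lists low degree first, without trailing zeros.

def reduce_mod_p(a, p):
    a = [x % p for x in a]
    while a and a[-1] == 0:
        a.pop()
    return a


def pmod(a, m, p):
    # remainder of a modulo the monic polynomial m, over F_p
    a, dm = [x % p for x in a], len(m) - 1
    for d in range(len(a) - 1, dm - 1, -1):
        if a[d]:
            c = a[d]
            for i in range(dm + 1):
                a[d - dm + i] = (a[d - dm + i] - c * m[i]) % p
    return reduce_mod_p(a[:dm], p)


def pmulmod(a, b, m, p):
    w = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            w[i + j] += x * y
    return pmod(w, m, p)


def ppowmod(a, e, m, p):
    result = [1]
    while e:
        if e & 1:
            result = pmulmod(result, a, m, p)
        a, e = pmulmod(a, a, m, p), e >> 1
    return result


def gcd_is_trivial(a, b, p):
    # True iff gcd(a, b) over F_p is a nonzero constant
    a, b = reduce_mod_p(a, p), reduce_mod_p(b, p)
    while b:
        inv = pow(b[-1], -1, p)
        a, b = b, pmod(a, [x * inv % p for x in b], p)
    return len(a) == 1


def is_irreducible_mod_p(h, p):
    # Ben-Or's test: a monic h of degree n is irreducible over F_p iff
    # gcd(x^(p^k) - x, h) = 1 for k = 1, ..., floor(n/2)
    n, x, t = len(h) - 1, [0, 1], [0, 1]
    for _ in range(n // 2):
        t = ppowmod(t, p, h, p)                                    # x^(p^k) mod h
        diff = [(u - v) % p for u, v in zip_longest(t, x, fillvalue=0)]
        if not gcd_is_trivial(diff, h, p):
            return False
    return True


def p_is_inert(p, q, n):
    # Gal(K/Q) = (Z/qZ)^*/H, H the subgroup of n-th powers, is cyclic of order n;
    # p is inert in K iff the Frobenius p*H generates it, i.e. p^(k (q-1)/n) != 1 (mod q)
    # for every proper divisor k of n
    assert p != q
    f = (q - 1) // n
    return all(pow(p, k * f, q) != 1 for k in range(1, n) if n % k == 0)
```

For q = 7 and n = 3 this yields \(h = x^3 + x^2 - 2x - 1\), the minimal polynomial of \(2\cos(2\pi/7)\); the bound of Corollary 10 on \({\Vert }{h}{\Vert }_\infty\) follows from the fact that each coefficient is a symmetric function of sums of at most \((q-1)/n\) roots of unity, which is what makes such an h usable in the TNFS construction.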
7.3 The Waterloo Improvement
References
1. Adleman, L.M., Lenstra, H.W.: Finding irreducible polynomials over finite fields. In: Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing, pp. 350–355. ACM (1986)
2. Aoki, K., Franke, J., Kleinjung, T., Lenstra, A.K., Osvik, D.A.: A kilobit special number field sieve factorization. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 1–12. Springer, Heidelberg (2007)
3. Bai, S.: Polynomial selection for the number field sieve. Ph.D. thesis, Australian National University (2011)
4. Bai, S., Bouvier, C., Kruppa, A., Zimmermann, P.: Better polynomials for GNFS. Preprint (2014)
5. Barbulescu, R.: Algorithmes de logarithmes discrets dans les corps finis. Ph.D. thesis, Université de Lorraine (2013)
6. Barbulescu, R., Gaudry, P., Guillevic, A., Morain, F.: (Algebraic) improvements to the number field sieve for non-prime finite fields. Preprint, http://hal.inria.fr/hal-01052449
7. Barbulescu, R., Gaudry, P., Guillevic, A., Morain, F.: Improving NFS for the discrete logarithm problem in non-prime finite fields. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 129–155. Springer, Heidelberg (2015)
8. Barbulescu, R., Pierrot, C.: The multiple number field sieve for medium- and high-characteristic finite fields. LMS J. Comput. Math. 17, 230–246 (2014)
9. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)
10. Bistritz, Y., Lifshitz, A.: Bounds for resultants of univariate and bivariate polynomials. Linear Algebra Appl. 432(8), 1995–2005 (2010)
11. Blake, I.F., Fuji-Hara, R., Mullin, R.C., Vanstone, S.A.: Computing logarithms in finite fields of characteristic two. SIAM J. Algebraic Discrete Methods 5(2), 276–285 (1984)
12. Brezing, F., Weng, A.: Elliptic curves suitable for pairing based cryptography. Des. Codes Crypt. 37(1), 133–141 (2005)
13. Buhler, J.P., Lenstra Jr., H.W., Pomerance, C.: Factoring integers with the number field sieve. In: Lenstra, A.K., Lenstra Jr., H.W. (eds.) The Development of the Number Field Sieve. Lecture Notes in Mathematics, vol. 1554, pp. 50–94. Springer, Heidelberg (1993)
14. Cohen, H.: Advanced Topics in Computational Number Theory. Graduate Texts in Mathematics, vol. 193. Springer, New York (2000)
15. Commeine, A., Semaev, I.A.: An algorithm to solve the discrete logarithm problem with the number field sieve. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 174–190. Springer, Heidelberg (2006)
16. Coppersmith, D.: Modifications to the number field sieve. J. Cryptol. 6(3), 169–180 (1993)
17. Foster, K.: HT90 and "simplest" number fields. Illinois J. Math. 55(4), 1621–1655 (2011)
18. Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. J. Cryptol. 23(2), 224–280 (2010)
19. Gordon, D.M.: Discrete logarithms in GF(p) using the number field sieve. SIAM J. Discrete Math. 6(1), 124–138 (1993)
20. Joux, A., Lercier, R.: The function field sieve is quite special. In: Fieker, C., Kohel, D.R. (eds.) ANTS 2002. LNCS, vol. 2369, pp. 431–445. Springer, Heidelberg (2002)
21. Joux, A., Lercier, R., Smart, N.P., Vercauteren, F.: The number field sieve in the medium prime case. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 326–344. Springer, Heidelberg (2006)
22. Joux, A., Pierrot, C.: The special number field sieve in \(\mathbb{F}_{p^{n}}\). In: Cao, Z., Zhang, F. (eds.) Pairing 2013. LNCS, vol. 8365, pp. 45–61. Springer, Heidelberg (2014)
23. Kleinjung, T.: On polynomial selection for the general number field sieve. Math. Comput. 75(256), 2037–2047 (2006)
24. Kleinjung, T.: Polynomial selection. Slides at the CADO workshop (2008). http://cado.gforge.inria.fr/workshop/slides/kleinjung.pdf
25. Kleinjung, T., Aoki, K., Franke, J., Lenstra, A.K., Thomé, E., Bos, J.W., Gaudry, P., Kruppa, A., Montgomery, P.L., Osvik, D.A., te Riele, H., Timofeev, A., Zimmermann, P.: Factorization of a 768-bit RSA modulus. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 333–350. Springer, Heidelberg (2010)
26. Kleinjung, T., Bos, J.W., Lenstra, A.K.: Mersenne factorization factory. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 358–377. Springer, Heidelberg (2014)
27. Lenstra, A.K., Lenstra Jr., H.W., Manasse, M., Pollard, J.: The number field sieve. In: Lenstra, A.K., Lenstra Jr., H.W. (eds.) The Development of the Number Field Sieve. Lecture Notes in Mathematics, vol. 1554, pp. 11–42. Springer, Heidelberg (1993)
28. Matyukhin, D.V.: On asymptotic complexity of computing discrete logarithms over GF(p). Discrete Math. Appl. 13(1), 27–50 (2003)
29. Miyaji, A., Nakabayashi, M., Takano, S.: New explicit conditions of elliptic curve traces for FR-reduction. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 84(5), 1234–1243 (2001)
30. Murphy, A., Fitzpatrick, N.: Elliptic curves for pairing applications. Cryptology ePrint Archive, Report 2005/302 (2005). http://eprint.iacr.org/
31. Pierrot, C.: The multiple number field sieve with conjugation and generalized Joux-Lercier methods. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 156–170. Springer, Heidelberg (2015)
32. Pollard, J.M.: The lattice sieve. In: Lenstra, A.K., Lenstra Jr., H.W. (eds.) The Development of the Number Field Sieve. Lecture Notes in Mathematics, vol. 1554, pp. 43–49. Springer, Heidelberg (1993)
33. Schirokauer, O.: Discrete logarithms and local units. Philos. Trans. Roy. Soc. London Ser. A 345(1676), 409–423 (1993)
34. Schirokauer, O.: Using number fields to compute logarithms in finite fields. Math. Comp. 69(231), 1267–1283 (2000)
35. Semaev, I.: Special prime numbers and discrete logs in finite prime fields. Math. Comp. 71(237), 363–377 (2002)
36. Wiedemann, D.H.: Solving sparse linear equations over finite fields. IEEE Trans. Inform. Theory 32(1), 54–62 (1986)