Paper 2015/513

Computing Individual Discrete Logarithms Faster in $GF(p^n)$

Aurore Guillevic

Abstract

The Number Field Sieve (NFS) algorithm is the best known method to compute discrete logarithms (DL) in finite fields ${\mathbb{F}}_{p^n}$, with $p$ medium to large and $n\ge 1$ small. This algorithm comprises four steps: polynomial selection, relation collection, linear algebra and finally, individual logarithm computation. The first step outputs two polynomials defining two number fields, and a map from the polynomial ring over the integers modulo each of these polynomials to $$. After the relation collection and linear algebra phases, the (virtual) logarithm of a subset of elements in each number field is known. Given the target element in $$, the fourth step computes a preimage in one number field. If one can write the target preimage as a product of elements of known (virtual) logarithm, then one can deduce the discrete logarithm of the target. As recently shown by the Logjam attack, this final step can be critical when it can be computed very quickly. But we realized that computing an individual DL is much slower in medium- and large-characteristic non-prime fields $$ with $$, compared to prime fields and quadratic fields $$. We optimize the first part of individual DL: the \emph{booting step}, by reducing dramatically the size of the preimage norm. Its smoothness probability is higher, hence the running-time of the booting step is much improved. Our method is very efficient for small extension fields with $$ and applies to any $$, in medium and large characteristic.

Note: Minor modification of ASIACRYPT 2015 version (typo in Table 3 corrected).