Section: New Results

Discrete Logarithm computations in finite fields with the NFS algorithm

The best discrete logarithm record computations in prime fields and large characteristic finite fields are obtained with Number Field Sieve algorithm (NFS) at the moment. This algorithm is made of four steps:

1. polynomial selection;

2. relation collection (with a sieving technique);

3. linear algebra (computing the kernel of a huge matrix, of millions of rows and columns);

4. individual discrete logarithm computation.

The two more time consuming steps are the relation collection step and the linear algebra step. The polynomial selection is quite fast but is very important since it determines the complexity of the algorithm. Selecting better polynomials is a key to improve the overall running-time of the NFS algorithm. The final step: individual discrete logarithm, was though to be quite fast but F. Morain and A. Guillevic showed that it has an increasing complexity with respect to the extension degree of the finite field. A. Guillevic proposed a new method to reduce considerably the complexity, with at most a factor two speed-up in the exponent [22] .

In 2015, F. Morain and A. Guillevic released with P. Gaudry and R. Barbulescu a major discrete logarithm record in a quadratic finite field GF$\left(p^2\right)$ of 180 decimal digits (dd), corresponding to 595 bits. This was presented at the international conference Eurocrypt [19] .

DL Record computation in a quadratic finite field GF$\left(p^2\right)$

In order to compare the practical running time of discrete logarithm computation in prime fields and quadratic finite fields, F. Morain and A. Guillevic with P. Gaudry and R. Barbulescu launched a DL record in a 180dd finite field. The last DL record in a prime field was held by the CARAMEL team of Nancy, in 2014, in a 180 dd prime field. The parameters chosen for the quadratic finite field are the following.

The discrete logarithm computation was made modulo $\ell$, the largest prime factor of the multiplicative subgroup $GF{\left(p^2\right)}^{*}$, so that a DL computation with generic methods of complexity $O\left(\sqrt{\ell }\right)$ was impracticable.

The two polynomials used in the NFS algorithm were chosen to be the following:

We indeed designed a new polynomial selection method, that we called the Conjugation method. It is very well suited for quadratic and cubic finite fields GF$\left(p^2\right)$ and GF$\left(p^3\right)$ for the size range of the records.

We finally computed the discrete logarithm in basis $G=T+2$ of the target $s=\lfloor (\pi \left(2^{298}\right)/8)\rfloor t+\lfloor (\gamma ·2^{298})\rfloor$

The running time was very surprising: our record was much faster than the concurrent DL computation in a prime field of the same global size of 180dd, and even faster than the RSA modulus factorization of the same size.

Individual discrete logarithm computation

A big difference between prime fields and finite fields of small extension such as GF$\left(p^3\right)$, GF$\left(p^4\right)$ and GF$\left(p^6\right)$ is the complexity of the final step of the NFS algorithm: computing the individual discrete logarithm of the target, given the large table of discrete logarithm of small elements. This table was obtained at the end of the linear algebra step. The target needs to be decomposed into small enough elements whose discrete logarithm is in the table, so that one can recompose the discrete logarithm of the target. This decomposition is quite fast for prime fields but we realized that is becomes more and more time consuming when the extension degree increase. A. Guillevic developed a new technique to improve considerably this step. The main idea is to use the structure of the finite field: the subfields. These improvements were presented at the Asiacrypt 2015 conference in Auckland, New Zealand and published in the proceedings [22] .