Accessibility setting

Section: New Results

Discrete Logarithm computations in finite fields with the NFS algorithm

The best discrete logarithm record computations in prime fields and large characteristic finite fields are obtained with Number Field Sieve algorithm (NFS) at the moment. This algorithm is made of four steps:

1. polynomial selection;

2. relation collection (with a sieving technique);

3. linear algebra (computing the kernel of a huge matrix, of millions of rows and columns);

4. individual discrete logarithm computation.

The two more time consuming steps are the relation collection step and the linear algebra step. The polynomial selection is quite fast but is very important since it determines the complexity of the algorithm. Selecting better polynomials is a key to improve the overall running-time of the NFS algorithm.

A. Guillevic and F. Morain have written a chapter [18] on discrete logarithm computations for a book on pairings.

Breaking a MNT curve using DL computations

There is a reduction between an elliptic curve $E$ defined over ${𝐅}_p$ and a finite extension of degree $k$ (aka embedding degree) of the base field, using pairing computations. In brief, one can transport the discrete logarithm problem from $E$ to ${𝐅}_{p^k}$. If $k$ is relatively small, this yields a DLP much easier to solve than directly on $E$. To give some highlight on current easyness, A. Guillevic, F. Morain and E. Thomé (from CARAMBA EPC in LORIA) computed a discrete log on a curve of embedding degree 3 and cryptographic size. This clearly showed that curves with small embedding degrees are indeed weak. The article [14] was presented by A. Guillevic during the SAC 2016 conference in New Foundland.