This talk will focus on the last step of the number field sive algorithm used to compute discrete logarithms in finite fields. We consider here non-prime finite fields of very small extension degree: $1 \le n \le 6$. These cases are interesting in pairing-based cryptography: the pairing output is an element in such a finite field. The discrete logarithm in that finite field must be hard enough to prevent from attacks in a given time (e.g. $10$ years). Within the CATREL project we aim to compute DL records in finite fields of moderate size (e.g. in $GF(p^n$) of global size from $600$ to $800$ bits) to estimate more tightly the hardness of DL in fields of cryptographic size ($2048$ bits at the moment). The best algorithm known to compute discrete logarithms in large finite fields (with small $n$) is the number field sieve (NFS):
(1) polynomial selection: select two distinct polynomials $f,g$ defining two number fields, such that they share modulo $p$ an irreducible degree $n$ factor, and have additional properties to improve the next two steps.
(2) sieving: sieve over elements that satisfy relations, to build the factor basis made of prime ideals of small norm.
(3) linear algebra: compute the kernel of a large matrix computed the step before. Then the logarithm of each element in the factor basis is known.
(4) individual logarithm: for a given element $s \in GF(p^n)$, decompose it over the factor basis to finally compute its discrete logarithm.
The most time consuming steps are the second and third: sieving and linear algerbra. After the sieve and the linear algebra, the logarithms of the prime ideals of small norm are known. To finally compute the discrete logarithm of the given element $s$, we lift $s$ in one of the number fields and factor it in prime ideals as with “small” elements in the sieve step. However here, $s$ does not have a small norm (bounded by $B \ll Q$). Its norm is very large, in particular, larger than $Q$. The usual way is to test for many $s' = s \cdot g^e$ with $g$ the given generator of $GF(p^n)$ until the norm of $s'$ is smooth enough. The time spent to find a good $e$ is asymptotically less than the sieving time. In practice, another modification of $s'$ is computed to reduce its norm. In [?], the authors write $s' = a(x) / b(x)$ with $a, b$ of coefficients of size $\sim p^{1/2}$ instead of $p$. With $n = 4$ the norm of $s$ is $O(p^{11/2})$. Their method compute $a,b$ of norm $O(p^{7/2})$. One need to factor into small prime ideals two elements $a,b$ instead of one $s'$.
for our record computations of discrete logarithms in $\mathbb{F}_pn$ with $2 \leqslant n \leqslant 6$, we improve the preparation of $s$, so that its norm in the number field is less than $Q$. This improves its smoothness property. Assume that we want to compute the discrete logarithm of $s$ in the larger subgroup of prime order $\ell$ of $GF(p^n)$, with $\ell$ $|$ $\Phi_np$. We decompose $s$ in $\epsilon \cdot s'$ with $\epsilon$ in a subfield or in a subgroup of order prime to $\ell$ and $s?$ with reduced coefficient size. We still have $log_g s = log_g s'$ mod $\ell$. We use a tower representation of $GF(p^n)$ with subfields for our purpose. We reduce the norm of $s \in \mathbb{F}_{p4}$ from $O(p^{11/2})$ to $O(p^{7/2}), s \in GF(p^3)$ from $O(p^6)$ to $O(p^2)$ and $s \in \mathbb{F}_{p2}$ from $O(p^4)$ to $O(p)$. This does not change the asymptotic complexity of this last step but this improves a lot its running time for small $n$.
[-]
English
