Keywords

1 Introduction

1.1 Cryptographic Interest

Given a cyclic group \((G, \cdot )\) and a generator g of G, the discrete logarithm (DL) of \(x \in G\) is the element \(1 \le a \le \# G\) such that \(x = g^a\). In well-chosen groups, the exponentiation \((g,a) \mapsto g^a\) is very fast but computing a from (gx) is conjectured to be very difficult: this is the Discrete Logarithm Problem (DLP), at the heart of many asymmetric cryptosystems. The first group proposed for DLP was the multiplicative group of a prime finite field. Nowadays, the group of points of elliptic curves defined over prime fields are replacing the prime fields for DLP-based cryptosystems. In pairing-based cryptography, the finite fields are still used, because they are a piece in the pairing mechanism. It is important in cryptography to know precisely the difficulty of DL computation in the considered groups, to estimate the security of the cryptosystems using them. Finite fields have a particularity: there exists a subexponential-time algorithm to compute DL in finite fields of medium to large characteristic: the Number Field Sieve (NFS). In small characteristic, this is even better: a quasi-polynomial-time algorithm was proposed very recently [7].

In May 2015, an international team of academic researchers revealed a surprisingly efficient attack against a Diffie-Hellman key exchange in TLS, the Logjam attack [2]. After a seven-day-precomputation stage (for relation collection and linear algebra of NFS-DL algorithm), it was made possible to compute any given individual DL in about one minute, for each of the two targeted 512-bit prime finite fields. This was fast enough for a man-in-the-middle attack. This experience shows how critical it can be to be able to compute individual logarithms very fast.

Another interesting application for fast individual DL is batch-DLP, and delayed-target DLP: in these contexts, an attacker aims to compute several DL in the same finite field. Since the costly phases of relation collection and linear algebra are only done one time for any fixed finite field, only the time for one individual DL is multiplied by the number of targets. This context usually arises in pairing-based cryptography and in particular in broadcast protocols and traitor tracing schemes, where a large number of DLP-based public/private key pairs are generated. The time to compute one individual DL is important in this context, even if parallelization is available.

1.2 The Number Field Sieve Algorithm for DL in Finite Fields

We recall that the NFS algorithm is made of four steps: polynomial selection, relation collection, linear algebra and finally, individual logarithm computation. This last step is mandatory to break any given instance of a discrete logarithm problem. The polynomial selection outputs two irreducible polynomials f and g defining two number fields \(K_f\) and \(K_g\). One considers the rings \(R_f = {\mathbb Z}[x]/(f(x))\) and \(R_g = {\mathbb Z}[x]/(g(x))\). There exist two maps \(\rho _f, \rho _g\) to \({\mathbb F}_{p^n}\), as shown in the following diagram. Moreover, the monic polynomial defining the finite field is \(\psi = \gcd (f,g)\)   mod  p, of degree n.

figure a

In the remaining of this paper, we will only use \(\rho = \rho _f\), \(K = K_f\) and \(R_f\). After the relation collection and linear algebra phases, the (virtual) logarithm of a subset of elements in each ring \(R_f, R_g\) is known. The individual DL step computes a preimage in one of the rings \(R_f, R_g\) of the target element in \({\mathbb F}_{p^n}\). If one can write the target preimage as a product of elements of known (virtual) logarithm, then one can deduce the individual DL of the target. The key point of individual DL computation is finding a smooth decomposition in small enough factors of the target preimage.

1.3 Previous Work on Individual Discrete Logarithm

The asymptotic running time of NFS algorithm steps are estimated with the L-function:

$$\begin{aligned} L_Q[\alpha , c] = \exp \Bigl ( \bigl (c+o(1)\bigr ) (\log Q)^\alpha (\log \log Q)^{1-\alpha } \Bigr ) \quad \text{ with } \alpha \in [0,1] \text{ and } c > 0. \end{aligned}$$

The \(\alpha \) parameter measures the gap between polynomial time (\(L_Q[\alpha =0, c]=\log ^c Q\)) and exponential time (\(L_Q[\alpha =1,c] = Q^c\)). When c is implicit, or obvious from the context, we simply write \(L_Q[\alpha ]\). When the complexity relates to an algorithm for a prime field \({\mathbb F}_p\), we write \(L_p[\alpha , c]\).

Large Prime Fields. Many improvements for computing discrete logarithms first concerned prime fields. The first subexponential DL algorithm in prime fields was due to Adleman [1] and had a complexity of \(L_p[1/2,2]\). In 1986, Coppersmith, Odlyzko and Schroeppel [13] introduced a new algorithm (COS), of complexity \(L_p[1/2, 1]\). They computed individual DL [13, Sect. 6] in \(L_p[1/2, 1/2]\) in two steps (finding a boot of medium-sized primes, then finding relations of logarithms in the database for each medium prime). In these two algorithms, the factor basis was quite large (the smoothness bound was \(L_p[1/2, 1/2]\) in both cases), providing a much faster individual DL compared to relation collection and linear algebra. This is where the common belief that individual logarithms are easy to find (and have a negligible cost compared with the prior relation collection and linear algebra phases) comes from.

In 1993, Gordon [15] proposed the first version of NFS–DL algorithm for prime fields \({\mathbb F}_p\) with asymptotic complexity \(L_p[1/3, 9^{1/3}\simeq 2.08]\). However, with the \(L_p[1/3]\) algorithm there are new difficulties, among them the individual DL phase. In this \(L_p[1/3]\) algorithm, many fewer logarithms of small elements are known, because of a smaller smoothness bound (in \(L_p[1/3]\) instead of \(L_p[1/2]\)). The relation collection is shortened, explaining the \(L_p[1/3]\) running time. But in the individual DL phase, since some non-small elements in the decomposition of the target have an unknown logarithm, a dedicated sieving and linear algebra phase is done for each of them. Gordon estimated the running-time of individual DL computation to be \(L_p[1/3, 9^{1/3} \simeq 2.08]\), i.e. the same as the first two phases. In 1998, Weber [24, Sect. 6] compared the NFS–DL algorithm to the COS algorithm for a 85 decimal digit prime and made the same observation about individual DL cost.

In 2003, ten years after Gordon’s algorithm, Joux and Lercier [17] were the first to dissociate in NFS relation collection plus linear algebra on one side and individual DL on the other side. They used the special-q technique to find the logarithm of medium-sized elements in the target decomposition. In 2006, Commeine and Semaev [11] analyzed the Joux–Lercier method. They obtained an asymptotic complexity of \(L_p[1/3, 3^{1/3} \simeq 1.44]\) for computing individual logarithms, independent of the relation collection and linear algebra phases. In 2013, Barbulescu [4, Sects. 4 and 7.3] gave a tight analysis of the individual DL computation for prime fields, decomposed in three steps: booting (also called smoothing), descent, and final combination of logarithms. The booting step has an asymptotic complexity of \(L_p[1/3, 1.23]\) and the descent step of \(L_p[1/3, 1.21]\). The final computation has a negligible cost.

Non-prime Fields of Medium to Large Characteristic. In 2006, Joux, Lercier, Smart and Vercauteren [19] computed a discrete logarithm in a cubic extension of a prime field. They used the special-q descent technique again. They proposed for large characteristic fields an equivalent of the rational reconstruction technique for prime fields and the Waterloo algorithm [8] for small characteristic fields, to improve the initializing step preceding the descent. For DLs in prime fields, the target is an integer modulo p. The rational reconstruction method outputs two integers of half size compared to p, such that their quotient is equal to the target element modulo p. Finding a smooth decomposition of the target modulo p becomes equivalent to finding a (simultaneous) smooth decomposition of two elements, each of half the size. We explain their method (that we call the JLSV fraction method in the following) for extension fields in Sect. 2.3.

Link with Polynomial Selection. The running-time for finding a smooth decomposition depends on the norm of the target preimage. The norm preimage depends on the polynomial defining the number field. In particular, the smaller the coefficients and degree of the polynomial, the smaller the preimage norm. Some polynomial selection methods output polynomials that produce much smaller norm. That may be one of the reasons why the record computation of Joux et al. [19] used another polynomial selection method, whose first polynomial has very small coefficients, and the second one has coefficients of size O(p). Thanks to the very small coefficients of the first polynomial, their fraction technique was very useful. Their polynomial selection technique is now superseded by their JLSV\(_{1}\) method [19, Sect. 2.3] for larger values of p. As noted in [19, Sect. 3.2], the fraction technique is useful in practice for small n. But for the JLSV\(_{1}\) method and \(n \ge 3\), this is already too slow (compared to not using it). In 2008, Zajac [25] implemented the NFS-DL algorithm for computing DLs in \({\mathbb F}_{p^6}\) with p of 40 bits (12 decimal digits (dd), i.e. \({\mathbb F}_{p^6}\) of 240 bits or 74 dd). He used the methods described in [19], with a first polynomial with very small coefficients and a second one with coefficients in O(p). In this case, individual DL computation was possible (see the well-documented [25, Sect. 8.4.5]). In 2013, Hayasaka, Aoki, Kobayashi and Takagi [16] computed a DL in \({\mathbb F}_{p^{12}}\) with \(p = 122663\) (\(p^n\) of 203 bits or 62 dd). We noted that all these records used the same polynomial selection method, so that one of the polynomials has very small coefficients (e.g. \(f = x^3 +x^2 - 2 x -1\)) whereas the second one has coefficients in O(p).

In 2009, Joux, Lercier, Naccache and Thomé  [18] proposed an attack of DLP in a protocol context. The relation collection is sped up with queries to an oracle. They wrote in [18, Sect. B] an extended analysis of individual DL computation. In their case, the individual logarithm phase of the NFS-DL algorithm has a running-time of \(L_Q[1/3, c]\) where \(c = 1.44\) in the large characteristic case, and \(c = 1.62\) in the medium characteristic case. In 2014, Barbulescu and Pierrot [3] presented a multiple number field sieve variant (MNFS) for extension fields, based on Coppersmith’s ideas [12]. The individual logarithm is studied in [3, Sect. A]. They also used a descent technique, for a global estimated running time in \(L_Q[1/3, (9/2)^{1/3}]\), with a constant \(c \approx 1.65\). Recently in 2014, Barbulescu, Gaudry, Guillevic and Morain [5, 6] announced 160 and 180 decimal digit discrete logarithm records in quadratic fields. They also used a technique derived from the JLSV fraction method and a special-q descent technique, but did not give an asymptotic running-time. It appears that this technique becomes inefficient as soon as n = 3 or 4.

Overview of NFS-DL Asymptotic Complexities. The running-time of the relation collection step and the individual DL step rely on the smoothness probability of integers. An integer is said to be B-smooth if all its prime divisors are less than B. An ideal in a number field is said to be B-smooth if it factors into prime ideals whose norms are bounded by B. Usually, the relation collection and the linear algebra are balanced, so that they have both the same dominating asymptotic complexity. The NFS algorithm for DL in prime and large characteristic fields has a dominating complexity of \(L_Q[1/3, (\frac{64}{9})^{1/3}\simeq 1.923]\). For the individual DL in a prime field \({\mathbb F}_p\), the norm of the target preimage in the number field is bounded by p. This bound gives the running time of this fourth step (much smaller than relation collection and linear algebra). Finding a smooth decomposition of the preimage and computing the individual logarithm (see [11]) has complexity \(L_p[1/3, c]\) with \(c= 1.44\), and \(c=1.23\) with the improvements of [4]. The booting step is dominating. In large characteristic fields, the individual DL has a complexity of \(L_Q[1/3,1.44]\), dominated by the booting step again ([18, Sect. B] for JLSV\(_{2}\), Table 3 for gJL).

In generic medium characteristic fields, the complexity of the NFS algorithm is \(L_Q[1/3, (\frac{128}{9})^{1/3} = 2.42]\) with the JLSV\(_{1}\) method proposed in [19, Sect. 2.3], \(L_Q[1/3, (\frac{32}{3})^{1/3} = 2.20]\) with the Conjugation method [6], and \(L_Q[1/3, 2.156]\) with the MNFS version [23]. We focus on the individual DL step with the JLSV\(_{1}\) and Conjugation methods. In these cases, the preimage norm bound is in fact much higher than in prime fields. Without any improvements, the dominating booting step has a complexity of \(L_Q[1/3, c]\) with \(c = 1.62\) [18, Sect. C] or \(c=1.65\) [3, Sect. A]. However, this requires to sieve over ideals of degree \(1 < t < n\). For the Conjugation method, this is worse: the booting step has a running-time of \(L_Q[1/3, 6^{1/3}\simeq 1.82]\) (see our computations in Table 3). Applying the JLSV fraction method lowers the norm bound to O(Q) for the Conjugation method. The individual logarithm in this case has complexity \(L_Q[1/3, 3^{1/3}]\) as for prime fields (without the improvements of [4, Sect. 4]). However, this method is not suited for number fields generated with the JLSV\(_{1}\) method, for \(n \ge 3\).

1.4 Our Contributions

In practice, we realized that the JLSV fraction method which seems interesting and sufficient because of the O(Q) bound, is in fact not convenient for the gJL and Conjugation methods for n greater than 3. The preimage norm is much too large, so finding a smooth factorization is too slow by an order of magnitude. We propose a way to lift the target from the finite field to the number field, such that the norm is strictly smaller than O(Q) for the gJL and Conjugation methods:

Theorem 1

Let \(n > 1\) and \(s \in {\mathbb F}_{p^n}^{*}\) a random element (not in a proper subfield of \({\mathbb F}_{p^n}\)). We want to compute its discrete logarithm modulo \(\ell \), where \(\ell \mid \varPhi _n(p)\), with \(\varPhi _n\) the n-th cyclotomic polynomial. Let \(K_f\) be the number field given by a polynomial selection method, whose defining polynomial has the smallest coefficient size, and \(R_f = {\mathbb Z}[x]/(f(x))\).

Then there exists a preimage \(\varvec{r}\) in \(R_f\) of some \(r \in {\mathbb F}_{p^n}^*\), such that \(\log \rho (\varvec{r}) \equiv \log s \,\,{\text {(mod)}}\, \ell \) and such that the norm of \(\varvec{r}\) in \(K_f\) is bounded by \(O(Q^e)\), where e is equal to

  1. 1.

    \(1-\frac{1}{n}\) for the gJL and Conjugation methods;

  2. 2.

    \(\frac{3}{2} - \frac{3}{2n}\) for the JLSV\(_{1}\) method;

  3. 3.

    \(1 - \frac{2}{n}\) for the Conjugation method, if \(K_f\) has a well-chosen quadratic subfield satisfying the conditions of Lemma 3;

  4. 4.

    \(\frac{3}{2} -\frac{5}{2n}\) for the JLSV\(_{1}\) method, if \(K_f\) has a well-chosen quadratic subfield satisfying the conditions of Lemma 3.

Our method reaches the optimal bound of \(Q^{\varphi (n)/n}\), with \(\varphi (n)\) the Euler totient function, for \(n=2,3,4,5\) combined with the gJL or the Conjugation method. We show that our method provides a dramatic improvement for individual logarithm computation for small n: the running-time of the booting step (finding boots) is \(L_Q[1/3, c]\) with \(c = 1.14\) for \(n=2,4\), \(c = 1.26\) for \(n=3,6\) and \(c = 1.34\) for \(n=5\). It generalizes to any n, so that the norm is always smaller than O(Q) (the prime field case), hence the booting step running-time in \(L_Q[1/3, c]\) always satisfies \(c < 1.44\) for the two state-of-the-art variants of NFS for extension fields (we have \(c=1.44\) for prime fields). For the JLSV\(_{1}\) method, this bound is satisfied for \(n=4\), where we have \(c=1.38\) (see Table 3).

1.5 Outline

We select three polynomial selection methods involved for NFS-DL in generic extension fields and recall their properties in Sect. 2.1. We recall a commonly used bound on the norm of an element in a number field (Sect. 2.2). We present in Sect. 2.3 a generalization of the JLSV fraction method of [19]. In Sect. 3.1 we give a proof of the booting step complexity stated in Lemma 1. We sketch in Sect. 3.2 the special-q descent technique and list the asymptotic complexities found in the literature according to the polynomial selection methods. We present in Sect. 4 our main idea to reduce the norm of the preimage in the number field, by reducing the preimage coefficient size with the LLL algorithm. We improve our technique in Sect. 5 by using a quadratic subfield when available, to finally complete the proof of Theorem 1. We provide practical examples in Sect. 6, for 180 dd finite fields in Sect. 6.1 and we give our running-time experiments for a 120 dd finite field \({\mathbb F}_{p^4}\) in Sect. 6.2.

2 Preliminaries

We recall the three polynomial selection methods we will study along this paper in Sect. 2.1. We give a common simple upper bound on the norm of an element in an number field in Sect. 2.2. We will need this formula to estimate a bound on the target preimage norm and the corresponding asymptotic running-time of the booting step of the individual logarithm computation.

We recall now an important property of the LLL algorithm [21] that we will widely use in this paper. Given a lattice \(\mathcal {L}\) of \({\mathbb Z}^n\) defined by a basis given in an \(n \times n\) matrix L, and parameters \(\frac{1}{4} < \delta <1\), \(\frac{1}{2} < \eta < \sqrt{\delta }\), the LLL algorithm outputs a \((\eta , \delta )\)-reduced basis of the lattice. the coefficients of the first (shortest) vector are bounded by

$$\begin{aligned} (\delta - \eta ^2)^{\frac{n-1}{4}} \det (L)^{1/n}. \end{aligned}$$

With \((\eta , \delta )\) close to (0.5, 0.999) (as in NTL or magma), the approximation factor \(C = (\delta - \eta ^2)^{\frac{n-1}{4}}\) is bounded by \(1.075^{n-1}\) (see [10, Sect. 2.4.2])). Gama and Nguyen experiments [14] on numerous random lattices showed that on average, \(C \approx 1.021^n\). In the remaining of this paper, we will simply denote by C this LLL approximation factor.

2.1 Polynomial Selection Methods

We will study the booting step of the NFS algorithm with these three polynomial selection methods:

  1. 1.

    the Joux–Lercier–Smart–Vercauteren (JLSV\(_{1}\)) method [19, Sect. 2.3];

  2. 2.

    the generalized Joux–Lercier (gJL) method [22, Sect. 2], [6, Sect. 3.2];

  3. 3.

    the Conjugation method [6, Sect. 3.3].

In a non-multiple NFS version, the JLSV\(_{2}\) [19, Sect. 2.3] and gJL methods have the best asymptotic running-time in the large characteristic case, while the Conjugation method holds the best one in the medium characteristic case. However for a record computation in \({\mathbb F}_{p^2}\), the Conjugation method was used [6]. For medium characteristic fields of record size (between 150 and 200 dd), is seems also that the JLSV\(_{1}\) method could be chosen [6, Sect. 4.5]. Since the use of each method is not fixed in practice, we study and compare the three above methods for the individual logarithm step of NFS. We recall now the construction and properties of these three methods.

Joux–Lercier–Smart–Vercauteren (JLSV \(_{1}\) ) Method. This method was introduced in 2006. We describe it in Algorithm 1. The two polynomials fg have degree n and coefficient size \(O(p^{1/2})\). We set \(\psi = \gcd (f,g)\)   mod  p monic of degree n. We will use \(\psi \) to represent the finite field extension \({\mathbb F}_{p^n} = {\mathbb F}_p[x]/(\psi (x))\).

figure b

Generalized Joux–Lercier (gJL) Method. This method was independently proposed in [22, Sect. 2] and [4, Sect. 8.3] (see also [6, Sect. 3.2]). This is a generalization of the Joux–Lercier method [17] for prime fields. We sketch this method in Algorithm 2. The coefficients of g have size \(O(Q^{1/(d+1)})\) and those of f have size \(O(\log p)\), with \(\deg g = d \ge n\) and \(\deg f = d+1\).

figure c

Conjugation Method. This method was published in [6] and used for the discrete logarithm record in \({\mathbb F}_{p^2}\), with \(f= x^4+1\). The coefficient size of f is in \(O(\log p)\) and the coefficient size of g is in \(O(p^{1/2})\). We describe it in Algorithm 3 (Table 1).

figure d
Table 1. Properties: degree and coefficient size of the three polynomial selection methods for NFS-DL in \({\mathbb F}_{p^n}\). The coefficient sizes are in O(X). To lighten the notations, we simply write the X term.
Full size table

2.2 Norm Upper Bound in a Number Field

In Sect. 4 we will compute the norm of an element s in a number field \(K_f\). We will need an upper bound of this norm. For all the polynomial selection methods chosen, f is monic, whereas g is not. We remove the leading coefficient of f from any formula involved with a monic f. So let f be a monic irreducible polynomial over \({\mathbb {Q}}\) and let \(K_f = {\mathbb {Q}}[x]/(f(x))\) a number field. Write \(s \in K_f\) as a polynomial in x, i.e. \(s = \sum _{i=0}^{\deg f-1} s_i x^i\). The norm is defined by a resultant computation:

$$\begin{aligned} {{\mathrm{Norm}}}_{K_f/{\mathbb {Q}}}(s) = {{\mathrm{Res}}}(f, s) . \end{aligned}$$

We use Kalkbrener’s bound [20, Corollary 2] for an upper bound:

$$\begin{aligned} |{{\mathrm{Res}}}(f,s)|\le \kappa (\deg f,\deg s) \cdot {||f||}_\infty ^{\deg s} {||s||}_\infty ^{\deg f}, \end{aligned}$$

where \(\kappa (n,m)=\left( {\begin{array}{c}n+m\\ n\end{array}}\right) \left( {\begin{array}{c}n+m-1\\ n\end{array}}\right) \), and \({||f||}_\infty = \max _{0 \le i \le \deg f} |f_i|\) the absolute value of the greatest coefficient. An upper bound for \(\kappa (n,m)\) is \((n+m)!\). We will use the following bound in Sect. 4:

$$\begin{aligned} |{{\mathrm{Norm}}}_{K_f/{\mathbb {Q}}}(s)| \le (\deg f + \deg s)! {||f||}_\infty ^{\deg s} {||s||}_\infty ^{\deg f} . \end{aligned}$$
(1)

2.3 Joux–Lercier–Smart–Vercauteren Fraction Method

Notation 1

Row and column indices. In the following, we will define matrices of size \(d \times d\), with \(d \ge n\). For ease of notation, we will index the rows and columns from 0 to \(d-1\) instead of 1 to d, so that the \((i+1)\)-th row at index i, \(L_i = [L_{ij}]_{0 \le j \le d-1}\), can be written in polynomial form \(\sum _{j=0}^{d-1} L_{ij} x^j\), and the column index j coincides with the degree j of \(x^j\).

In 2006 was proposed in [19] a method to generalize to non-prime fields the rational reconstruction method used for prime fields. In the prime field setting, the target is an integer modulo p. The rational reconstruction method outputs two integers of half size compared to p and such that their quotient is equal to the target element modulo p. Finding a smooth decomposition of the target modulo p becomes equivalent to finding at the same time a smooth decomposition of two integers of half size each.

To generalize to extension fields, one writes the target preimage as a quotient of two number field elements, each with a smaller norm compared to the original preimage. We denote by s the target in the finite field \({\mathbb F}_{p^n}\) and by \(\varvec{s}\) a preimage (or lift) in K. Here is a first very simple preimage choice. Let \({\mathbb F}_{p^n} = {\mathbb F}_p[x]/(\psi (x))\) and \(s = \sum _{i=0}^{\deg s} s_i x^i \in {\mathbb F}_{p^n}\), with \(\deg s < n\). We lift the coefficients \(s_i \in {\mathbb F}_p\) to \(\varvec{s}_i \in {\mathbb Z}\) then we set a preimage of s in the number field K to be

$$\begin{aligned} \varvec{s} = \sum _{i=0}^{\deg s} \varvec{s}_i X^i , \end{aligned}$$

with X such that \(K = {\mathbb {Q}}[X]/(f(X))\). (We can also write \(\varvec{s} = \sum _{i=0}^{\deg s} \varvec{s}_i \alpha ^i\), with \(\alpha \) a root of f in the number field: \(K = {\mathbb {Q}}[\alpha ]\)). We have \(\rho (\varvec{s}) = s\).

Now LLL is used to obtain a quotient whose numerator and denominator have smaller coefficients. We present here the lattice used with the JLSV\(_{1}\) polynomial selection method. The number field K is of degree n. We define a lattice of dimension 2n. For the corresponding matrix, each column of the left half corresponds to a power of X in the numerator; each column of the right half corresponds to a power of X in the denominator. The matrix is

The first n coefficients of the output vector, \(u_0, u_1, \ldots , u_{n-1}\) give a numerator u and the last n coefficients give a denominator v, so that \(\varvec{s} = a \frac{u(X)}{v(X)}\) with a a scalar in \({\mathbb {Q}}\). The coefficients \(u_i, v_i\) are bounded by \( ||u||_\infty , ~ ||v||_\infty \le C p^{1/2} \) since the matrix determinant is \(\det L = p^n\) and the matrix is of size \(2n \times 2n\). However the product of the norms of each uv in the number field K will be much larger than the norm of the single element \(\varvec{s}\) because of the large coefficients of f in the norm formula. We use formula (1) to estimate this bound:

$$\begin{aligned} {{\mathrm{Norm}}}_{K/{\mathbb {Q}}}(u) \le ||u||_{\infty }^{\deg f} ||f||_\infty ^{\deg u} = O(p^{\frac{n}{2}} p^{\frac{n-1}{2}} ) = O(p^{n-\frac{1}{2}}) = O(Q^{1- \frac{1}{2n}}) \end{aligned}$$

and the same for \({{\mathrm{Norm}}}_{K/{\mathbb {Q}}}(v)\), hence the product of the two norms is bounded by \(O(Q^{2 - \frac{1}{n}})\). The norm of \(\varvec{s}\) is bounded by \({{\mathrm{Norm}}}_{K/{\mathbb {Q}}}(\varvec{s}) \le p^n p^{\frac{n-1}{2}} = Q^{\frac{3}{2} - \frac{1}{2n}}\) which is much smaller whenever \(n \ge 3\). Finding a smooth decomposition of u and v at the same time will be much slower than finding one for \(\varvec{s}\) directly, for large p and \(n \ge 3\). This is mainly because of the large coefficients of f (in \(O(p^{1/2})\)).

Application to gJL and Conjugation Method. The method of [19] to improve the smoothness of the target norm in the number field \(K_f\) has an advantage for the gJL and Conjugation methods. First we note that the number field degree is larger than n: this is \(d+1 \ge n+1\) for the gJL method and 2n for the Conjugation method. For ease of notation, we denote by \(d_f\) the degree of f. We define a lattice of dimension \(2 d_f\). Hence there is more place to reduce the coefficient size of the target \(\varvec{s}\).

We put p on the diagonal of the first \(n-1\) rows, then \(x^i\psi (x)\) coefficients from row n to \(d_f -1\), where \(0 \leqslant i < d_f-1\) (\(\psi \) is of degree n and has \(n+1\) coefficients). The rows from index \(d_f\) to \(2 d_f\) are filled with \(X^i \varvec{s}\)   mod  f (these elements have \(d_f\) coefficients). We obtain a triangular matrix L.

Since the determinant is \( \det L = p^n\) and the matrix of dimension \(2d_f\times 2 d_f\), the coefficients obtained with LLL will be bounded by \( C p^{\frac{n}{2 d_f}}\). The norm of the numerator or the denominator (with \(\varvec{s} = u(X)/v(X) \in K_f\)) is bounded by

$$\begin{aligned} {{\mathrm{Norm}}}_{K_f/{\mathbb {Q}}}(u) \le ||u||_\infty ^{\deg f} ||f||_\infty ^{\deg u} = O(p^{n/2}) = O(Q^{1/2}). \end{aligned}$$

The product of the two norms will be bounded by O(Q) hence we will have the same asymptotic running time as for prime fields, for finding a smooth decomposition of the target in a number field obtained with the gJL or Conjugation method. We will show in Sect. 4 that we can do even better.

3 Asymptotic Complexity of Individual DL Computation

3.1 Asymptotic Complexity of Initialization or Booting Step

In this section, we prove the following lemma on the booting step running-time to find a smooth decomposition of the norm preimage. This was already proven especially for an initial norm bound of O(Q). We state it in the general case of a norm bound of \(Q^e\). The smoothness bound \(B=L_Q[2/3,\gamma ]\) used here is not the same as for the relation collection step, where the smoothness bound was \(B_0 = L_Q[1/3, \beta _0]\). Consequently, the special-q output in the booting step will be bounded by B.

Lemma 1

(Running-time of B-smooth decomposition). Let \(s \in {\mathbb F}_Q\) of order \(\ell \). Take at random \(t \in [1, \ell -1]\) and assume that the norm \(S_t\) of a preimage of \(s^t \in {\mathbb F}_Q\), in the number field \(K_f\), is bounded by \(Q^e = L_Q[1, e]\). Write \({B} = L_Q[\alpha _{B}, \gamma ]\) the smoothness bound for \(S_t\). Then the lower bound of the expected running time for finding t s.t. the norm \(S_t\) of \(s^t\) is B-smooth is \(L_Q[1/3, (3e)^{1/3}]\), obtained with \(\alpha _{B} = 2/3\) and \(\gamma = (e^2/3)^{1/3}\).

First, we need a result on smoothness probability. We recall the definition of B-smoothness already stated in Sect. 1.4: an integer S is B-smooth if and only if all its prime divisors are less than or equal to B. We also recall the L-notation widely used for sub-exponential asymptotic complexities:

$$\begin{aligned} L_Q[\alpha , c] = \exp \Bigl ( \bigl (c+o(1)\bigr ) (\log Q)^\alpha (\log \log Q)^{1-\alpha } \Bigr ) \quad \text{ with } \alpha \in [0,1] \text{ and } c > 0. \end{aligned}$$

The Canfield–Erdős–Pomerance [9] theorem provides a useful result to measure smoothness probability:

Theorem 2

( B -smoothness probability). Suppose \(0 < \alpha _B < \alpha _S \le 1\), \(\sigma >0\), and \(\beta > 0\) are fixed. For a random integer S bounded by \(L_Q[\alpha _S, \sigma ]\) and a smoothness bound \(B = L_Q[\alpha _B, \beta ]\), the probability that S is B-smooth is

$$\begin{aligned} {{\mathrm{Pr}}}(S \text{ is } B\text{-smooth }) = L_Q\Bigl [\alpha _S - \alpha _B, -(\alpha _S -\alpha _B) \frac{\sigma }{\beta } \Bigr ] \end{aligned}$$
(2)

for \(Q \rightarrow \infty \).

We prove now the Lemma 1 that states the running-time of individual logarithm when the norm of the target in a number field is bounded by \(O(Q^{e})\).

Proof

(of Lemma 1 ). From Theorem 2, the probability that S bounded by \(Q^e = L_Q[1, e]\) is B-smooth with \({B} = L_Q[\alpha _{B}, \gamma ]\) is \({{\mathrm{Pr}}}(S \text{ is } {B}\text{-smooth }) = L_Q \bigl [1-\alpha _{B}, -(1-\alpha _{B})\frac{e}{\gamma }\bigr ]\). We assume that a B-smoothness test with ECM takes time \(L_{B}[1/2, 2^{1/2}] = L_Q [\frac{\alpha _{B}}{2}, (2 \gamma \alpha _{B})^{1/2}]\). The running-time for finding a B-smooth decomposition of S is the ratio of the time per test (ECM cost) to the B-smoothness probability of S:

$$\begin{aligned} L_Q\Bigl [ \frac{\alpha _{B}}{2}, (2 \gamma \alpha _{B})^{1/2} \Bigr ] L_Q \Bigl [ 1-\alpha _{B}, (1-\alpha _{B})\frac{e}{\gamma } \Bigr ] . \end{aligned}$$

We optimize first the \(\alpha \) value, so that \(\alpha \le 1/3\) (that is, not exceeding the \(\alpha \) of the two previous steps of the NFS algorithm): \( \max (\alpha _{B}/2, 1 - \alpha _{B}) \le \frac{1}{3} . \) This gives the system \(\left\{ \begin{array}{l} \alpha _{B} \le 2/3 \\ \alpha _{B} \ge 2/3 \\ \end{array} \right. \) So we conclude that \(\alpha _{B} = \frac{2}{3}\). The running-time for finding a B-smooth decomposition of S is therefore

$$\begin{aligned} L_Q\Bigl [1/3, \Bigl (\frac{4}{3}\gamma \Bigr )^{1/2} + \frac{e}{3\gamma }\Bigr ]. \end{aligned}$$

The minimumFootnote 1 of the function \(\gamma \mapsto (\frac{4}{3}\gamma )^{1/2} + \frac{e}{3\gamma }\) is \((3e)^{1/3}\), corresponding to \(\gamma = (e^2/3)^{1/3}\), which yields our optimal running time, together with the special-q bound B:

$$\begin{aligned} L_Q\Bigl [1/3, (3e)^{1/3}\Bigr ]\quad \text{ with } q \le B = L_Q\Bigl [2/3, (e^2/3)^{1/3}\Bigr ]. \end{aligned}$$

\(\quad \square \)

3.2 Running-Time of Special-q Descent

The second step of the individual logarithm computation is the special-q descent. This consists in computing the logarithms of the medium-sized elements in the factorization of the target in the number field. The first special-q is of order \(L_Q[2/3, \gamma ]\) (this is the boot obtained in the initialization step) and is the norm of a degree one prime ideal in the number field where the booting step was done (usually \(K_f\)). The idea is to sieve over linear combinations of degree one ideals, in \(K_f\) and \(K_g\) at the same time, whose norms for one side will be multiples of q by construction, in order to obtain a relation involving a degree one prime ideal of norm q and other degree one prime ideals of norm strictly smaller than q.

Here is the common way to obtain such a relation. Let \(\mathfrak q\) be a degree one prime ideal of \(K_f\), whose norm is q. We can write \(\mathfrak q= \langle q, r_q\rangle \), with \(r_q\) a root of f modulo q (hence \(|r_q| < q\)). We need to compute two ideals \(\mathfrak q_1, \mathfrak q_2 \in K_f\) whose respective norm is a multiple of q, and sieve over \(a \mathfrak q_1 + b \mathfrak q_2\). The classical way to construct these two ideals is to reduce the two-dimensional lattice generated by q and \(r_q - \alpha _f\), i.e. to compute \(\text{ LLL }\left( \begin{bmatrix} q&0 \\ -r&1 \\ \end{bmatrix}\right) = \) \(\begin{bmatrix} u_1&v_1 \\ u_2&v_2 \\ \end{bmatrix} \) to obtain two degree-one ideals \( u_1 + v_1 \alpha _f, u_2 + v_2 \alpha _f\) with shorter coefficients. One sieves over \(\mathfrak r_f = (a u_1 + b u_2) + (a v_1 + b v_2) \alpha _f \) and \(\mathfrak r_g = (a u_1 + b u_2) + (a v_1 + b v_2) \alpha _g \). The new ideals obtained in the relations will be treated as new special-qs until a relation of ideals of norm bounded by \(B_0\) is found, where \(B_0\) is the bound on the factor basis, so that the individual logarithms are finally known. The sieving is done in three stages, for the three ranges of parameters.

  1. 1.

    For \(q = L_Q[2/3, \beta _1]\): large special-q;

  2. 2.

    For \(q = L_Q[\lambda , \beta _2]\) with \(1/3 < \lambda < 2/3\): medium special-q;

  3. 3.

    For \(q = L_Q[1/3, \beta _3]\): small special-q.

The proof of the complexity is not trivial at all, and since this step is allegedly cheaper than the two main phases of sieving and linear algebra, whose complexity is \(L_Q[1/3, (\frac{64}{9})^{1/3}]\), the proofs are not always expanded.

There is a detailed proof in [11, Sect. 4.3] and [4, Sect. 7.3] for prime fields \({\mathbb F}_p\). We found another detailed proof in [18, Sect.  B] for large characteristic fields \({\mathbb F}_{p^n}\), however this was done for the polynomial selection of [19, Sect. 3.2] (which has the same main asymptotic complexity \(L_Q[1/3, (\frac{64}{9})^{1/3}]\)). In [22, Sect. 4, pp. 144–150] the NFS-DL algorithm is not proposed in the same order: the booting and descent steps (step (5) of the algorithm in [22, Sect. 2]) are done as a first sieving, then the relations are added to the matrix that is solved in the linear algebra phase. What corresponds to a booting step is proved to have a complexity bounded by \(L_Q[1/3, 3^{1/3}]\) and there is a proof that the descent phase has a smaller complexity than the booting step. There is a proof for the JLSV\(_{1}\) polynomial selection in [18, Sect. C] and [3, Sect. A] for a MNFS variant. We summarize in Table 2 the asymptotic complexity formulas for the booting step and the descent step that we found in the available papers.

Table 2. Complexity of the booting step and the descent step for computing one individual DL, in \({\mathbb F}_p\) and \({\mathbb F}_{p^n}\), in medium and large characteristic. The complexity is given by the formula \(L_Q[1/3, c]\), only the constant c is given in the table for ease of notation. The descent of a medium special-q, bounded by \(L_Q[\lambda , c]\) with \(1/3 < \lambda < 2/3\), is proven to be negligible compared to the large and small special-q descents. In [18, Sects. B and C], the authors used a sieving technique over ideals of degree \(t > 1\) for large and medium special-q descent.
Full size table

Usually, the norm of the target is assumed to be bounded by Q (this is clearly the case for prime fields \({\mathbb F}_p\)). The resulting initialization step (finding a boot for the descent) has complexity \(L_Q[1/3, 3^{1/3} \approx 1.44]\). Since the large special-q descent complexity depends on the size of the largest special-q of the boot, lowering the norm, hence the booting step complexity and the largest special-q of the boot also decrease the large special-q descent step complexity. It would be a considerable project to rewrite new proofs for each polynomial selection method, according to the new booting step complexities. However, its seems to us that by construction, the large special-q descent step in these cases has a (from much to slightly) smaller complexity than the booting step. The medium special-q descent step has a negligible cost in the cases considered above. Finally, the small special-q descent step does not depend on the size of the boot but on the polynomial properties (degree, and coefficient size). We note that for the JLSV\(_{2}\) polynomial selection, the constant of the complexity is 1.27. It would be interesting to know the constant for the gJL and Conjugation methods.

The third and final step of individual logarithm computation is very fast. It combines all of the logarithms computed before, to get the final discrete logarithm of the target.

4 Computing a Preimage in the Number Field

Our main idea is to compute a preimage in the number field with smaller degree (less than \(\deg s\)) and/or of coefficients of reduced size, by using the subfield structure of \({\mathbb F}_{p^n}\). We at least have one non-trivial subfield: \({\mathbb F}_p\). In this section, we reduce the size of the coefficients of the preimage. This reduces its norm and give the first part of the proof of Theorem 1. In the following section, we will reduce the degree of the preimage when n is even, completing the proof.

Lemma 2

Let \(s \in {\mathbb F}_{p^n}^{*} = \sum _{i=0}^{\deg s} s_i x^i\), with \(\deg s < n\). Let \(\ell \) be a non-trivial divisor of \(\varPhi _n(p)\). Let \(s' = u \cdot s\) with u in a proper subfield of \({\mathbb F}_{p^n}\). Then

$$\begin{aligned} \log s' \equiv \log s \,\,{\text {mod}}\, \ell . \end{aligned}$$
(3)

Proof

We start with \(\log s' = \log s + \log u \) and since u is in a proper subfield, we have \(u^{(p^n-1)/\varPhi _n(p)} = 1\), then \(u^{(p^n-1)/\ell } = 1\). Hence the logarithm of u modulo \(\ell \) is zero, and \(\log s' \equiv \log s \,\,{\text {mod}}\, \ell \). \(\quad \square \)

Example 1

(Monic preimage). Let \(s'\) be equal to s divided by its leading term, \(s' = \frac{1}{s_{\deg s}} s\in {\mathbb F}_{p^n}\). We have \(\log s' \equiv \log s \,\,{\text {mod}}\, \ell \).

We assume in the following that the target s is monic since dividing by its leading term does not change its logarithm modulo \(\ell \).

4.1 Preimage Computation in the JLSV\(_{1}\) Case

Let \(s = \sum _{i=0}^{n-1} s_i x^i \in {\mathbb F}_{p^n}\) with \(s_{n-1} = 1\). We define a lattice of dimension n by the \(n \times n\) matrix

with p on the diagonal for the first \(n-1\) rows (from 0 to \(n-2\)), and the coefficients of the monic element \(\varvec{s}\) on row \(n-1\). Applying the LLL algorithm to M, we obtain a reduced element \(\varvec{r} = \sum _{i=0}^{n-1} \varvec{r}_i X^i \in K_f\) such that

$$\begin{aligned} \varvec{r} = \sum _{i=0}^{n-1} a_i L_i \end{aligned}$$

with \(L_i\) the vector defined by the i-th row of the matrix and \(a_i\) a scalar in \({\mathbb Z}\). We map this equality in \({\mathbb F}_{p^n}\) with \(\rho \). All the terms cancel out modulo p except the line with \(\varvec{s}\):

$$\begin{aligned} \rho (\varvec{r}) \equiv \rho (a_{n-1}) \cdot \rho (\varvec{s}) = u \cdot s\,\, {\text {mod}}\, (p, \psi ) \end{aligned}$$

with \(u = \rho (a_{n-1}) \in {\mathbb F}_p\). Hence, by Lemma 2,

$$\begin{aligned} \log \rho (\varvec{r}) \equiv \log s \,\,{\text {mod}}\, \ell . \end{aligned}$$
(4)

Moreover,

$$\begin{aligned} ||\varvec{r}||_\infty \le C p^{(n-1)/n} . \end{aligned}$$

It is straightforward, using Inequality (1), to deduce that

$$\begin{aligned} {{\mathrm{Norm}}}_{K_f/{\mathbb {Q}}}(\varvec{r}) = O\bigl (p^{\frac{3}{2}(n-1)}\bigr ) = O\bigl (Q^{\frac{3}{2} - \frac{3}{2n}}\bigr ). \end{aligned}$$

We note that this first simple improvement applied to the JLSV\(_{1}\) construction is already better than doing nothing: in that case, \({{\mathrm{Norm}}}_{K_f/{\mathbb {Q}}}(s) = O(Q^{\frac{3}{2} - \frac{1}{2n}})\). The norm of \(\varvec{r}\) is smaller by a factor of size \(Q^{\frac{1}{n}}\). For \(n=2\) we have \({{\mathrm{Norm}}}_{K_f/{\mathbb {Q}}}(\varvec{r}) = O(Q^{\frac{3}{4}})\) but for \(n=3\), the bound is \({{\mathrm{Norm}}}_{K_f/{\mathbb {Q}}}(\varvec{r}) = O(Q)\), and for \(n=4\), \(O(Q^{11/8})\). This is already too large. We would like to obtain such a bound, strictly smaller than O(Q), for any n.

4.2 Preimage Computation in the gJL and Conjugation Cases

Let \(s = \sum _{i=0}^{n-1} s_i x^i \in {\mathbb F}_{p^n}\) with \(s_{n-1} = 1\). In order to present a generic method for both the gJL and the Conjugation methods, we denote by \(d_f\) the degree of f. In the gJL case we have \(d_f = d+1 \ge n+1\), while in the Conjugation case, \(d_f = 2n\). We define the \(d_f \times d_f\) matrix with p on the diagonal for the first \(n-1\) rows, and the coefficients of the monic element \(\varvec{s}\) on row \(n-1\). The rows n to \(d_f\) are filled with the coefficients of the monic polynomial \(x^j\psi \), with \(0 \le j \le d_f-n\).

Applying the LLL algorithm to L, we obtain a reduced element \(\varvec{r} = \sum _{i=0}^{d_f-1} \varvec{r}_i X^i \in K_f\) such that \( \varvec{r} = \sum _{i=0}^{d_f-1} a_i L_i\) where \(L_i\) is the i-th row vector of L and \(a_i\) is a scalar in \({\mathbb Z}\). We map this equality into \({\mathbb F}_{p^n}\) with \(\rho \). All the terms cancel out modulo \((p, \psi )\) except the one with \(\varvec{s}\) coefficients:

$$\begin{aligned} \rho (\varvec{r}) \equiv \rho (a_{n-1}) \cdot \rho (\varvec{s}) = u \cdot s\,\, {\text {mod}}\, (p, \psi ) \end{aligned}$$

with \(u = \rho (a_{n-1}) \in {\mathbb F}_p\). Hence, by Lemma 2,

$$\begin{aligned} \log \rho (\varvec{r}) \equiv \log s \,\,{\text {mod}}\, \ell . \end{aligned}$$
(5)

Moreover,

$$\begin{aligned} ||\varvec{r}||_\infty \le C p^{(n-1)/d_f}. \end{aligned}$$

It is straightforward, using Inequality (1), to deduce that

$$\begin{aligned} {{\mathrm{Norm}}}_{K_f/{\mathbb {Q}}}(\varvec{r}) = O\bigl (p^{n-1}\bigr ) = O\bigl (Q^{1 - 1/n}\bigr ). \end{aligned}$$

Here we obtain a bound that is always strictly smaller than Q for any n. In the next section we show how to improve this bound to \(O\bigl (Q^{1 - 2/n}\bigr )\) when n is even and the number field defined by \(\psi \) has a well-suited quadratic subfield.

5 Preimages of Smaller Norm with Quadratic Subfields

Reducing the degree of s can reduce the norm size in the number field for the JLSV\(_{1}\) polynomial construction. We present a way to compute \(r\in {\mathbb F}_{p^n}\) of degree \(n-2\) from \(s \in {\mathbb F}_{p^n}\) of degree n in the given representation of \({\mathbb F}_{p^n}\), and rs satisfying Lemma 2. We need n to be even and the finite field \({\mathbb F}_{p^n}\) to be expressed as a degree-n / 2 extension of a quadratic extension defined by a polynomial of a certain form. We can define another lattice with r and get a preimage of degree \(n-2\) instead of \(n-1\) in the number field. This can be interesting with the JLSV\(_{1}\) method. Combining this method with the previous one of Sect. 4 leads to our proof of Theorem 1.

5.1 Smaller Preimage Degree

In this section, we prove that when n is even and \({\mathbb F}_{p^n} = {\mathbb F}_p[X]/(\psi (X))\) has a quadratic base field \({\mathbb F}_{p^2}\) of a certain form, from a random element \(s \in {\mathbb F}_{p^n}\) with \(s_{n-1} \ne 0\), we can compute an element \(r \in {\mathbb F}_{p^n}\) with \(r_{n-1} = 0\), and \(s = u \cdot r\) with \(u \in {\mathbb F}_{p^2}\). Then, using Lemma 2, we will conclude that \(\log r \equiv \log s \,\,{\text {mod}}\, \ell \).

Lemma 3

Let \(\psi (X)\) be a monic irreducible polynomial of \({\mathbb F}_p[X]\) of even degree n with a quadratic subfield defined by the polynomial \(P_y = Y^2 + y_1 Y + y_0\). Moreover, assume that \(\psi \) splits over \({\mathbb F}_{p^2} = {\mathbb F}_p[Y]/(P_y(Y))\) as

$$\begin{aligned} \begin{array}{l l} &{} \psi (X) = (P_z(X) - Y)(P_z(X) - Y^p) \\ \text{ or } &{} \psi (X) = (P_z(X) - Y X)(P_z(X) - Y^p X) \\ \end{array} \end{aligned}$$

with \(P_z\) monic, of degree n / 2 and coefficients in \({\mathbb F}_p\). Let \(s \in {\mathbb F}_p[X]/(\psi (X))\) a random element, \(s = \sum _{i=0}^{n-1} s_i X^i\).

Then there exists \(r \in {\mathbb F}_{p^n}\) monic and of degree \(n-2\) in X, and \(u \in {\mathbb F}_{p^{2}}\), such that \(s = u \cdot r\) in \({\mathbb F}_{p^n}\).

We first give an example for \(s \in {\mathbb F}_{p^4}\) then present a constructive proof.

Example 2

Let \(P_y = Y^2 + y_1 Y + y_0\) be a monic irreducible polynomial over \({\mathbb F}_{p}\) and set \({\mathbb F}_{p^2} = {\mathbb F}_p[Y]/(P_y(Y))\). Assume that \(Z^2 - YZ + 1\) is irreducible over \({\mathbb F}_{p^2}\) and set \({\mathbb F}_{p^4} = {\mathbb F}_{p^2}[Z] /(Z^2 - YZ + 1)\). Let \(\psi = X^4 + y_1 X^3 + (y_0 + 2) X^2 + y_1 X + 1\) be a monic reciprocal polynomial. By construction, \(\psi \) factors over \({\mathbb F}_{p^2}\) into \((X^2 - YX + 1)(X^2 - Y^p X + 1)\) and \({\mathbb F}_p[X]/(\psi (X))\) defines a quartic extension \({\mathbb F}_{p^4}\) of \({\mathbb F}_p\). We have these two representations for \({\mathbb F}_{p^4}\):

$$\begin{aligned} \begin{array}{cc l} {\mathbb F}_{p^4} &{}=&{} {\mathbb F}_{p^2}[Z]/(Z^2 - YZ + 1)\quad \text{ and } \\ \mid &{} &{} \\ {\mathbb F}_{p^2} &{}=&{} {\mathbb F}_p[Y]/(Y^2 + y_1 Y + y_0) \\ \mid &{} &{} \\ {\mathbb F}_p &{} &{} \end{array} \begin{array}{c} \\ \\ \\ \\ \\ \end{array} \begin{array}{cc l} {\mathbb F}_{p^4} &{}=&{} {\mathbb F}_p[X]/(X^4+y_1X^3+(y_0+2)X^2+y_1X+1) \\ \mid &{} &{} \\ \mid &{} &{} \\ \mid &{} &{} \\ {\mathbb F}_p &{} &{} \\ \end{array}\end{aligned}$$

Proof

(of Lemma 3 ). Two possible extension field towers are:

$$\begin{aligned} \begin{array} {c c c } \begin{array}{l} {\mathbb F}_{p^n} = {\mathbb F}_{p^2}[Z]/(P_z(Z) - Y) \\ \mid \\ {\mathbb F}_{p^2} = {\mathbb F}_p[Y]/(P_y(Y)) \\ \mid \\ {\mathbb F}_p \\ \end{array} &{} \text{ and } &{} \begin{array}{l} {\mathbb F}_{p^n} = {\mathbb F}_{p^2}[Z]/(P_z(Z) - YZ) \\ \mid \\ {\mathbb F}_{p^2} = {\mathbb F}_p[Y]/(P_y(Y)) \\ \mid \\ {\mathbb F}_p \\ \end{array}\\ \end{array} \end{aligned}$$

We write s in the following representation to emphasize the subfield structure:

$$\begin{aligned} s = \sum _{i=0}^{n/2-1} (a_{i0} + a_{i1} Y) Z^i \text{ with } a_{ij} \in {\mathbb F}_p. \end{aligned}$$
  1. 1.

    If \(\psi = P_z(Z) - Y\) then we can divide s by \(u_{LT} = a_{n/2,0} + a_{n/2,1} Y \in {\mathbb F}_{p^2}\) (the leading term in Z, i.e. the coefficient of \(Z^{n/2}\)) to make s monic in Z up to a subfield cofactor \(u_{LT}\):

    $$\begin{aligned} \frac{s}{u_{LT}} = \sum _{i=0}^{n/2 - 2} (b_{i0} + b_{i1} Y) Z^i ~~~ + Z^{n/2-1}, \end{aligned}$$

    with the coefficients \(b_{ij}\) in the base field \({\mathbb F}_p\), and \(b_{i0} + b_{i1} Y = (a_{i0} + a_{i1} Y) / u_{LT}\). Since \(P_z(Z) = Y\) and \(Z = X\) in \({\mathbb F}_{p^n}\) by construction, we replace Y by \(P_z(Z)\) and Z by X to get an expression for s in X:

    $$\begin{aligned} \frac{s}{u_{LT}} = \sum _{i=0}^{n/2 - 2} (b_{i0} + b_{i1} P_z(X)) X^i + X^{n/2-1} = r(X). \end{aligned}$$

    The degree in X of r is \(\deg r = \deg P_z(X) X^{n/2-2} = n-2 \) instead of \(\deg s = n-1\). We set \(u = 1/u_{LT}\). By construction, \(u \in {\mathbb F}_{p^2}\). We conclude that \(s = u r \in {\mathbb F}_{p^n}\), with \(\deg r = n-2\) and \(u \in {\mathbb F}_{p^2}\).

  2. 2.

    If \(\psi = P_z(Z) - YZ\) then we can divide s by \(u_{CT} = a_{00} + a_{01} Y \in {\mathbb F}_{p^2}\) (the constant term in Z) to make the constant coefficient of s to be 1:

    $$\begin{aligned} \frac{s}{u_{CT}} = 1 + \sum _{i=1}^{n/2-1} (b_{i0} + b_{i1} Y) Z^i \end{aligned}$$

    with \(b_{ij} \in {\mathbb F}_p\). Since \(P_z(Z) = YZ\) and \(Z = X\) in \({\mathbb F}_{p^n}\) by construction, we replace YZ by \(P_z(Z)\) and Z by X to get

    $$\begin{aligned} \frac{s}{u_{CT}} = 1 + \sum _{i=1}^{n/2 - 1} (b_{i0} X^i + b_{i1} P_z(X) X^{i-1}) = r(X). \end{aligned}$$

    The degree in X of r is \(\deg r = \deg P_z(X) X^{n/2-1-1} = n-2 \) instead of \(\deg s = n-1\). We set \(u = 1/u_{CT} \). By construction, \(u \in {\mathbb F}_{p^2}\). We conclude that \(s = u r \in {\mathbb F}_{p^n}\), with \(\deg r = n-2\) and \(u \in {\mathbb F}_{p^2}\). \(\quad \square \)

Now we apply the technique described in Sect. 4.1 to reduce the coefficient size of r in the JLSV\(_{1}\) construction. We have \(r_{n-1} = 0\) and we assume that \(r_{n-2} = 1\). We define the lattice by the \((n-1)\times (n-1)\) matrix

After reducing the lattice with LLL, we obtain an element \(\varvec{r}'\) whose coefficients are bounded by \(C p^{\frac{n-2}{n-1}}\). The norm of \(\varvec{r}'\) in the number field \(K_f\) constructed with the JLSV\(_{1}\) method is

$$\begin{aligned} {{\mathrm{Norm}}}_{K_f/{\mathbb {Q}}}(\varvec{r}') = O(p^{\frac{3}{2} n - 2 - \frac{1}{n-1}} ) = O(Q^{\frac{3}{2} - \frac{2}{n} - \frac{1}{n(n-1)}}) . \end{aligned}$$

This is better than the previous \(O\bigl (Q^{\frac{3}{2} - \frac{3}{2n}}\bigr )\) case: the norm is smaller by a factor of size \(O\bigl (Q^{\frac{1}{2}n + \frac{1}{n(n-1)}}\bigr )\). For \(n = 4\), we obtain \({{\mathrm{Norm}}}_{K_f/{\mathbb {Q}}}(\varvec{r}') = O\bigl (Q^{\frac{11}{12}}\bigr )\), which is strictly less than O(Q).

We can do even better by re-using the element \(\varvec{r}\) of degree \(n-2\) and the given one s of degree \(n-1\), and combining them.

Generalization to Subfields of Higher Degrees. It was pointed out to us by an anonymous reviewer that more generally, by standard linear algebra arguments, for \(m \mid n\) and \(s \in {\mathbb F}_{p^n}\), there exists a non-zero \(u \in {\mathbb F}_{p^m}\) such that \(s \cdot u\) is a polynomial of degree at most \(n-m\).

5.2 Smaller Preimage Norm

First, suppose that the target element \(s = \sum _{i=0}^{n-1} s_i x^i\) satisfies \(s_{n-1} = 0\) and \(s_{n-2} = 1\). We can define a lattice whose vectors, once mapped to \({\mathbb F}_{p^n}\), are either 0 (so vectors are sums of multiples of p and \(\psi \)) or are multiples of the initial target s, satisfying Lemma 2. The above r of degree \(n-2\) is a good candidate. The initial s also. If there is no initial s of degree \(n-1\), then simply take at random any u in a proper subfield of \({\mathbb F}_{p^n}\) which is not \({\mathbb F}_p\) itself and set \(s = u \cdot r\). Then s will have \(s_{n-1} \ne 0\). Then define the lattice

and use it in place of the lattices of Sect. 4.1 or 4.2.

5.3 Summary of Results

We give in Table 3 the previous and new upper bounds for the norm of s in a number field \(K_f\) for three polynomial selection methods: the JLSV\(_{1}\) method, the generalized Joux–Lercier method and the Conjugation method, and the complexity of the booting step to find a B-smooth decomposition of \({{\mathrm{Norm}}}_{K_f/{\mathbb {Q}}}(s)\). We give our practical results for small n, where there are the most dramatic improvements. We obtain the optimal norm size of \(Q^{\varphi (n)/n}\) for \(n=2,3,5\) with the gJL method and also for \(n=4\) with the Conjugation method.

Table 3. Norm bound of the preimage with our method, and booting step complexity.
Full size table

6 Practical Examples

We present an example for each of the three polynomial selection methods we decided to study. The Conjugation method provides the best timings for \({\mathbb F}_{p^2}\) at 180 dd [6]. We apply the gJL method to \({\mathbb F}_{p^3}\) according to [6, Fig. 3]. We decided to use the JLSV\(_{1}\) method for \({\mathbb F}_{p^4}\) [6, Fig. 4].

6.1 Examples for Small n and \(p^n\) of 180 Decimal Digits (dd)

Example for n = 2, Conjugation Method. We take the parameters of the record in [6]: p is a 90 decimal digit (300 bit) prime number, and \(f, \psi \) are computed with the Conjugation method. We choose a target s from the decimal digits of \(\exp (1)\).

We first compute \(s' = \frac{1}{s_0}s\) then reduce

$$\begin{aligned} L = \begin{bmatrix} p&0&0&0 \\ s_0'&1&0&0 \\ 1&\psi _1&1&0 \\ 0&1&\psi _1&1 \\ \end{bmatrix} \end{aligned}$$

then \({{\mathrm{LLL}}}(L)\) produces \(\varvec{r}\) of degree 3 and coefficient size \(O(p^{1/4})\). Actually LLL outputs four short vectors, hence we get four small candidates for \(\varvec{r}\), each of norm \({{\mathrm{Norm}}}_{K_f/{\mathbb {Q}}}(\varvec{r}) = O(p) = O(Q^{1/2}) = O(Q^{\varphi (n)/n})\), i.e. 90 dd. To slightly improve the smoothness search time, we can compute linear combinations of these four reduced preimages.

The norm of the first element is

of 90 decimal digits, as expected. For a close to optimal running-time of \(L_Q[1/3, 1.14] \sim 2^{40}\) to find a boot, the special-q bound would be around 64 bits.

Example for n = 3, gJL Method. We take p of 60 dd (200 bits) so that \({\mathbb F}_{p^3}\) has size 180 dd (600 bits) as above. We took p a prime made of the 60 first decimal digits of \(\pi \). We constructed \(f, \psi , g\) with the gJL method described in [6].

We set \(s' = \frac{1}{s_2}s\). The lattice to be reduced is

$$\begin{aligned} L = \left[ \begin{array}{cccc} p &{} 0 &{} 0 &{} 0 \\ 0 &{} p &{} 0 &{} 0 \\ s_0' &{} s_1' &{} 1 &{} 0 \\ \psi _0 &{} \psi _1 &{} \psi _2 &{} 1 \\ \end{array} \right] \end{aligned}$$

then \({{\mathrm{LLL}}}(L)\) computes four short vectors \(\varvec{r}\) of degree 3, of coefficient size \(O(p^{1/2})\), and of norm size \({{\mathrm{Norm}}}_{K_f/{\mathbb {Q}}}(\varvec{r}) = O(p^2) = O(Q^{2/3}) = O(Q^{\varphi (n)/n})\).

The norm of the first element is

of 117 decimal digits (with \(\frac{2}{3} 180 = 120\) dd). For a close to optimal running-time of \(L_Q[1/3, 1.26] \sim 2^{45}\) to find a boot, the special-q bound would be around 77 bits.

Example for n = 4, JLSV \(_{1}\) Method.

We set \(s' = \frac{1}{s_3}s\). The subfield simplification for s gives

We reduce the lattice defined by

$$\begin{aligned} L = \left[ \begin{array}{ccccc} p &{} 0 &{} 0 &{} 0 \\ 0 &{} p &{} 0 &{} 0 \\ r_0 &{} r_1 &{} 1 &{} 0 \\ s_0' &{} s_1' &{} s_2' &{} 1 \\ \end{array} \right] \end{aligned}$$

then \({{\mathrm{LLL}}}(L)\) produces these four short vectors of degree 3, coefficient size \(O(p^{1/2})\), and norm \({{\mathrm{Norm}}}_{K_f/{\mathbb {Q}}}(\varvec{r}') = O(p^{\frac{7}{2}}) = O(Q^{7/8})\) (smaller than O(Q)).

The norm of the first element is

of 155 decimal digits (with \(\frac{7}{8} 180 = 157.5\)). For a close to optimal running-time of \(L_Q[1/3, 1.34] \sim 2^{49}\) to find a boot, the special-q bound would be approximately of 92 bits. This is very large however.

6.2 Experiments: Finding Boots for \({\mathbb F}_{p^4}\) of 120 dd

We experimented our booting step method for \({\mathbb F}_{p^4}\) of 120 dd (400 bits). Without the quadratic subfield simplification, the randomized target norm is bounded by \(Q^{9/8}\) of 135 dd (450 bits). The largest special-q in the boot has size \(L_Q[2/3, 3/4]\) (25 dd, 82 bits) according to Lemma 1 with \(e = 9/8\). The running-time to find one boot would be \(L_Q[1/3, 1.5] \sim 2^{44}\).

We apply the quadratic subfield simplification. The norm of the randomized target is \(Q^{7/8}\) of 105 dd (\(\simeq \) 350 bits). We apply Theorem 1 with \(e = 7/8\). The size of the largest special-q in the boot will be approximately \(L_Q[2/3, 0.634]\) which is 21 dd (69 bits). The running-time needed to find one boot with the special-q of no more than 21 dd is \(L_Q[1/3, 1.38] \sim 2^{40}\) (to be compared with the dominating part of NFS-DL of \(L_Q[1/3, 1.923] \sim 2^{57}\)). We wrote a magma program to find boots, using GMP-ECM for q-smooth tests. We first set a special-q bound of 70 bits and obtained boots in about two CPU hours. We then reduced the special-q bound to a machine word size (64 bits) and also found boots in around two CPU hours. We used an Intel Xeon E5-2609 0 at 2.40 GHz with 8 cores.

7 Conclusion

We have presented a method to improve the booting step of individual logarithm computation, the final phase of the NFS algorithm. Our method is very efficient for small n, combined with the gJL or Conjugation methods; it is also usefull for the JLSV\(_{1}\) method, but with a slower running-time. For the moment, the booting step remains the dominating part of the final individual discrete logarithm. If our method is improved, then special-q descent might become the new bottleneck in some cases. A lot of work remains to be done on final individual logarithm computations in order to be able to compute one individual logarithm as fast as was done in the Logjam [2] attack, especially for \(n \ge 3\).