Computing Individual Discrete Logarithms Faster in GF(p~n) with the NFS-DL Algorithm

摘要

The Number Field Sieve (NFS) algorithm is the best known method to compute discrete logarithms (DL) in finite fields F_(p~n), with p medium to large and n ≥ 1 small. This algorithm comprises four steps: polynomial selection, relation collection, linear algebra and finally, individual logarithm computation. The first step outputs two polynomials defining two number fields, and a map from the polynomial ring over the integers modulo each of these polynomials to F_(p~n). After the relation collection and linear algebra phases, the (virtual) logarithm of a subset of elements in each number field is known. Given the target element in F_(p~n), the fourth step computes a preimage in one number field. If one can write the target preimage as a product of elements of known (virtual) logarithm, then one can deduce the discrete logarithm of the target. As recently shown by the Logjam attack, this final step can be critical when it can be computed very quickly. But we realized that computing an individual DL is much slower in medium- and large-characteristic non-prime fields F_(p~n) with n ≥ 3, compared to prime fields and quadratic fields F_(p~2). We optimize the first part of individual DL: the booting step, by reducing dramatically the size of the preimage norm. Its smoothness probability is higher, hence the running-time of the booting step is much improved. Our method is very efficient for small extension fields with 2 ≤ n ≤ 6 and applies to any n > 1, in medium and large characteristic.