Discrete Logarithm Problem

Download as pdf or txt
Download as pdf or txt
You are on page 1of 43

Discrete Logarithms

Aurore Guillevic, François Morain

To cite this version:


Aurore Guillevic, François Morain. Discrete Logarithms. Nadia El Mrabet; Marc Joye. Guide to
pairing-based cryptography, �CRC Press - Taylor and Francis Group�, pp.42, 2016, 9781498729505.
�hal-01420485v2�

HAL Id: hal-01420485


https://hal.inria.fr/hal-01420485v2
Submitted on 13 Dec 2017

HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est


archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents
entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non,
lished or not. The documents may come from émanant des établissements d’enseignement et de
teaching and research institutions in France or recherche français ou étrangers, des laboratoires
abroad, or from public or private research centers. publics ou privés.
Chapter 9

Discrete Logarithms 1

Aurore Guillevic
INRIA-Saclay and École Polytechnique/LIX
François Morain
École Polytechnique/LIX and CNRS and INRIA-Saclay

Contents
9.1 Setting and First Properties . . . . . . . . . . . . . . . . . . . . 3
9.1.1 General Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
9.1.2 The Pohlig-Hellman Reduction . . . . . . . . . . . . . . . . . . 3
9.1.3 A Tour of Possible Groups . . . . . . . . . . . . . . . . . . . . . 4
9.2 Generic Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . 5
9.2.1 Shanks’s Baby-Steps Giant-Steps Algorithm . . . . . . . . . . . 5
9.2.2 The RHO Method . . . . . . . . . . . . . . . . . . . . . . . . . 9
9.2.3 The Kangaroo Method . . . . . . . . . . . . . . . . . . . . . . . 15
9.2.4 Solving Batch-DLP . . . . . . . . . . . . . . . . . . . . . . . . . 16
9.3 Finite Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
9.3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
9.3.2 Index-Calculus Methods . . . . . . . . . . . . . . . . . . . . . . 20
9.3.3 Linear Algebra . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
9.3.4 The Number Field Sieve (NFS) . . . . . . . . . . . . . . . . . . 25
9.3.5 Number Field Sieve: Refinements . . . . . . . . . . . . . . . . . 28
9.3.6 Large Characteristic Non-Prime Fields . . . . . . . . . . . . . . 29
9.3.7 Medium Characteristic Fields . . . . . . . . . . . . . . . . . . . 30
9.3.8 Small Characteristic: From the Function Field Sieve (FFS) to
the Quasi-Polynomial-Time Algorithm (QPA) . . . . . . . . . 32
9.3.9 How to Choose Real-Size Finite Field Parameters . . . . . . . . 36
9.3.10 Discrete logarithm algorithms in pairing-friendly target finite
fields Fpn : August 2016 state-of-the-art . . . . . . . . . . . . . 38

The Discrete Logarithm Problem (DLP) is one of the most used mathematical problems
in asymmetric cryptography design, the other one being the integer factorization. It is
intrinsically related to the Diffie-Hellman problem (DHP). DLP can be stated in various
1 This chapter is the 9-th chapter of the book Guide to Pairing-Based Cryptography, edited by Nadia

El Mrabet and Marc Joye, and published by CRC Press, ISBN 9781498729505. This document is the
authors’ version archived on HAL (hal.inria.fr) on December 20, 2016. The publisher’s official webpage
of the book is: https://www.crcpress.com/Guide-to-Pairing-Based-Cryptography/El-Mrabet-Joye/p/
book/9781498729505

1
CHAPTER 9. DISCRETE LOGARITHMS 2

groups. It must be hard in well-chosen groups, so that secure-enough cryptosystems can


be built. In this chapter, we present the DLP, the various cryptographic problems based
on it, the commonly used groups, and the major algorithms available at the moment to
compute discrete logarithms in such groups. We also list the groups that must be avoided
for security reasons.
Our computational model will be that of classical computers. It is to be noted that in
the quantum model, DLP can be solved in polynomial time for cyclic groups [108].

9.1 Setting and First Properties


9.1.1 General Setting
Let G be a finite cyclic group of order N generated by g. The group law on G is defined
multiplicatively and noted ◦, the neutral element is noted 1G , and the inverse of an element
a will be noted 1/a = a−1 . The discrete logarithm problem is the following:
DLP: given h ∈ G, find an integer n, 0 ≤ n < N such that h = g n .
Along the years, and motivated by precise algorithms or cryptographic implementations,
variants of this basic problem appeared. For instance:
Interval-DLP (IDLP): given h ∈ G, find an integer n, a ≤ n < b such that h = g n .
We may also need to compute multiple instances of the DLP:
Batch-DLP (BDLP): given {h1 , . . . , hk } ⊂ G, find integers ni ’s, 0 ≤ ni < N such that
hi = g ni .
A variant of this is Delayed target DLP where we can precompute many logs before
receiving the actual target. This was used in the logjam attack where logarithms could be
computed in real time during an SSL connection [9].
We may relate them to Diffie-Hellman problems, such as
Computational DH problem (DHPor CDH): given (g, g a , g b ), compute g ab .
Decisional DH problem (DDHP): given (g, g a , g b , g c ), do we have c = ab mod N ?
We use A ≤ B to indicate that A is easier than B (i.e., there is polynomial time reduction
from B to A). The first easy result is the following:
Proposition 9.1. DDHP ≤ DHP ≤ DLP.

In some cases, partial or heuristic reciprocals have been given, most notably in [86, 87].
With more and more applications and implementations available of different DH bases
protocols, more problems arose, notably related to static variants. We refer to [77] for a
survey.

9.1.2 The Pohlig-Hellman Reduction


In this section, we reduce the cost of DLP in a group of size N to several DLPswhose overall
cost is dominated by that of the DLP for the largest p | N .
Proposition 9.2. Let G be a finite cyclic group of order N whose factorization into primes
is known,
Yr
N= pαi
i

i=1

where the pi ’s are all distinct. Then DLP in G can be solved using the DLPson all subgroups
of order pα
i .
i

Proof. Solving g x = a is equivalent to finding x mod N , i.e., x mod pα


i for all i, using the
i

Chinese remaindering theorem.


CHAPTER 9. DISCRETE LOGARITHMS 3

Suppose pα || N (which means pα | N but pα+1 - N ) and m = N/pα . Then b = am


is in the cyclic group of order pα generated by h = g m . We can find the log of b in this
group, which yields x mod pα . From this, we have reduced DLP to r DLPs in smaller cyclic
groups.
α−1 α−1
How do we proceed? First compute c1 = bp and h1 = hp . Both elements
belong to the cyclic subgroup of order p of G, generated by h1 . Writing y = x mod pα =
y0 + y1 p + · · · + yα−1 pα−1 with 0 ≤ yi < p, we see that y = logh (b) mod pα . We compute

hy1 = hy10

so that y0 is the discrete logarithm of c in base h1 . Write


α−2 (y0 +y1 p)pα−2
c2 = bp = h1

or α−2
c2 h−y
1
0p
= hy11 .
In this way, we recover y1 by computing the discrete logarithm of the left hand side w.r.t.
h1 again.

We have shown that DLP in a cyclic group of order pα can be replaced by α solutions of
DLP in a cyclic group of order p and some group operations. If p is small, all these steps
will be easily solved by table lookup. Otherwise, the methods presented in the next section
will apply and give a good complexity.
A direct cryptographic consequence is that for cryptographic use, N must have at least
one large prime factor.

9.1.3 A Tour of Possible Groups


Easy Groups
Let us say a group is easy for DL if DLP can be solved in polynomial time for this group. DLP
is easy in (Z/N Z, +), since h = ng mod N is solvable in polynomial time (Euclid). This list
was recently enlarged to cases where the discrete log can be computed in quasi-polynomial
time [17].
As for algebraic curves, supersingular elliptic curves were shown to be somewhat weaker
in [89]; the same is true for hyperelliptic curves [49, 37]. Elliptic curves of trace 1 (also
called anomalous curves) were shown to be easy in [109, 104]; the result was extended to
hyperelliptic anomalous curves in [99].

Not-so-easy groups
Relatively easy groups are those for which subexponential methods exist: finite fields (of
medium or large characteristic), algebraic curves of very large genus, class groups of number
fields.
Probably difficult groups, for which we know of nothing but exponential methods,
include elliptic curves (see [50] for a recent survey) and curves of genus 2.

9.2 Generic Algorithms


We start with algorithms solving DLP in a generic way, which amounts to saying that we use
group operations only. We concentrate on generic groups. For particular cases, as elliptic
curves, we refer to [53] for optimized algorithms. We emphasize that generic methods are
the only known methods for solving the DLP over ordinary elliptic curves.
CHAPTER 9. DISCRETE LOGARITHMS 4

The chosen setting is that of a group G = hgi of prime order N , following the use of
the Pohlig-Hellman reduction. Enumerating all possible powers of g is an O(N ) process,
and this is enough
√ when N is small. Other methods include Shanks’s and Pollard’s, each
achieving a O( N ) time complexity, but different properties as determinism or space. We
summarize this in Table 9.1. The baby-steps giant-steps (BSGS) method and its variants
are deterministic, whereas the other methods are probabilistic. It is interesting to note that
Nechaev and Shoup have proven that √ a lower bound on generic DLP (algorithms that use
group operations only) is precisely O( N ) (see for instance [111]).
Due to the large time complexity, it is desirable to design distributed versions with a
gain of p in time when p processors are used. This will be described method by method.

Table 9.1: Properties of generic DL algorithms.


Algorithm group interval time
√ space

BSGS X X O(√N ) O( N )
RHO X – O(√N ) O(log N )
Kangaroo X X O( N ) O(log N )

9.2.1 Shanks’s Baby-Steps Giant-Steps Algorithm


Shanks’s idea, presented in the context of class groups [107], became a fundamental tool for
operating in generic groups,√for order or discrete logarithm √
computations. All variants of it
have a time complexity O( N ) group operations for an O( N ) storage of group elements.
They all differ by the corresponding constants and scenarii in which they are used. From
[53], we extract Table 9.2.


Table 9.2: Table of constants C such that the complexity is C N .
Algorithm Average-case time Worst-case time
BSGS 1.5 2.0
BSGS optimized for av. case 1.414 2.121
IBSGS 1.333 2.0
Grumpy giants 1.25? ≤3
RHO with dist. pts 1.253(1 + o(1)) ∞

The goal of this subsection is to present the original algorithm together with some of its
more recent variants. We refer to the literature for more material and analyses.

Original algorithm and analysis


The standard algorithm runs as follows. Write the unknown n in base u for some integer u
that will be precised later on:

n = cu + d, 0 ≤ d < u, 0 ≤ c < N/u.

We rewrite our equation as


g n = h ⇔ h ◦ (g −u )c = g d .
The algorithm is given in Figure 9.1. It consists of evaluating the right-hand side for
all possible d by increment of 1 (baby steps), and then computing all left-hand sides by
increment of u (giant steps), until a match is found.
CHAPTER 9. DISCRETE LOGARITHMS 5

Algorithm 9.1: Baby-steps giant-steps.


Function BSGS(G, g, N , h)
Input : G ⊃ hgi, g of order N ; h ∈ hgi
n
l√ : 0m ≤ n < N , g = h
Output
u← N ;
// Step 1 (baby steps)
initialize a table B for storing u pairs (element of G, integer < N );
store(B, (1G , 0));
H ← g; store(B, (H, 1));
for d := 2 to u − 1 do
H ← H ◦ g;
store(B, (H, d));
end
// Step 2 (giant steps)
H ← H ◦ g;
f ← 1/H = g −u ;
H ← h;
for c := 0 to N/u do
// H = h ◦ f c
if ∃(H 0 , d) ∈ B such that H = H 0 then
// H = h ◦ f c = g d hence n = cu + d
return cu + d;
end
H ← H ◦ f;
end

The number of group


√ operations is easily seen to be Co = u + N/u
√ in the worst case,
minimized for u = N , leading to a deterministic complexity of 2 N group operations.
On average, c will be of order N/(2u), so that the average cost is (1 + 1/2)u, which gives
us the first entry in Table 9.2.
Step 1 requires u insertions in the set B and Step 2 requires N/u membership tests in
the worst case. This explains why we should find a convenient data structure for B that has
the smallest time for both operations. This calls for B to be represented by a hash table
of some
√ sort. The cost of these set operations will be (u + N/u)O(1), again minimized by
u = N.
Remarks.
Variants exist when inversion has a small cost compared to multiplication, leading √to
writing n = cu + d where −c/2 ≤ d < c/2, thereby gaining in the constant in front of N
(see [53] for a synthetic view). Cases where the distribution of parameters is non-uniform
are studied in [26].
All kinds of trade-offs are possible if low memory is available. Moreover, different
variants of BSGS exist when one wants to run through the possible steps in various orders
(see [110]). If no bound is known on N , there are slower incremental algorithms that will
find the answer; see [113] and [110].
As a final comment, BSGS is easy to distribute among processors with a shared memory.
Solving IDLP
BSGS works if we have a bound on N only. It also works when x is known to belong to
some interval [a, b[⊂ [0, N [. The process amounts
√ to a translation of x to [0, b − a[ of length
b − a and therefore BSGS will require time O( b − a).
CHAPTER 9. DISCRETE LOGARITHMS 6

Optimizing BSGS on average


On average, we could anticipate c to be around N/2, so that we may want to optimize
p
the mean number
√ of operations of BSGS, or Cm = u + (N/2)/u, leading to u = N/2
and Cm = 2N , decreasing the memory used by the same quantity. The number of set
operations also decreases. This gives us the line for BSGS optimized for average-case.
Algorithm 9.1 is usable mutatis mutandis.

Interleaving baby steps and giant steps


Pollard [98] proposed a variant of the BSGS algorithm interleaving baby steps and giant
steps, in order to decrease the average cost of BSGS. The idea is the following: If x = cu + d,
we may find c and d after max(c, d) steps using the following algorithm. The rationale for
the choice of u will be explained next.

Algorithm 9.2: Interleaved Baby steps-giant steps.


Function IBSGS(G, g, N , h)
Input : G ⊃ hgi, g of order N ; h ∈ hgi
n
l√ : 0m ≤ n < N , g = h
Output
u← N ;
initialize two tables B and G for storing u pairs (element of G, integer < N );
H ← 1G ; store(B, (1G , 0)); store(G, (1G , 0));
F ← h;
f ← g −u = 1/g u ;
for i := 1 to u do
H ← H ◦ g;
if ∃(H 0 , c) ∈ G such that H = H 0 then
// H = g i = H 0 = h ◦ g −uc hence n = cu + i
return cu + i;
end
store(B, (H, i));
F ← F ◦ f;
if ∃(H 0 , d) ∈ B such that F = H 0 then
// F = h ◦ g −ui = H 0 = g d hence n = iu + d
return iu + d;
end
store(G, (F , i));
end

First of all, remark that any integer n in [0, N [ may be written as cu + d where
0 ≤ c, d < u. Algorithm 9.2 performs 2 max(c, d) group operations. We need to evaluate the
average value of this quantity over the domain [0, u[×[0, u[, which is equivalent to computing
Z 1 Z 1
max(x, y) d x d y.
x=0 y=0

Fixing x, we see that max(x, y) = x for y ≤ x and y otherwise. Therefore the double
integral is Z 1 Z x Z 1 
2
xd y + yd y d x = .
x=0 y=0 y=x 3

We have proven
√ that the mean time for this algorithm is 4/3 N , hence a constant that is
smaller than 2 for the original algorithm.
CHAPTER 9. DISCRETE LOGARITHMS 7

Grumpy giants
In [23], the authors designed a new variant of BSGS to decrease the average case running
time again. They gave a heuristic analysis of it. This was precised and generalized to
other √variants (such as using negation) in [53]. We follow the presentation therein. For
u = d N /2e, the algorithm computes the three sets of cardinality L that will be found
later:
B = {g i for 0 ≤ i < L},
G1 = {h ◦ (g ju ) for 0 ≤ j < L},
G2 = {: h2 ◦ g −k(u+1) for 0 ≤ k < L},
and waits for a collision between any of the two sets, in an interleaved manner. The
algorithm succeeds when one of the following sets contains the discrete logarithm we are
looking for:
LL = {i − ju (mod N ), 0 ≤ i, j < L}
−1
∪ {2 (i + k(u + 1)) (mod N ), 0 ≤ i, k < L}
∪ {ju + k(u + 1) (mod N ), 0 ≤ j, k < L}.
For ease of exposition of Algorithm 9.3, we define Expo(u, j) to be the exponent of g in
case of Gj for j = 1..2. Precisely, a member of Gj is
hj ◦ fj = hj ◦ g Expo(u,j) ,
with Expo(u, j) = (−1)j−1 (u + j − 1). √
It is conjectured that u is optimal and that L can be taken as O( N ). Experiments
were carried out to support√this claim in [23, 53]. Moreover [53] contains an analysis of the
algorithm, leading to 1.25 N as total group operations.

9.2.2 The RHO Method


The idea of Pollard was to design an algorithm solving DLP for which the memory require-
ment would be smaller than that of BSGS. Extending his RHO method of factoring, he
came up with the idea of RHO for computing discrete logarithms [97].

A basic model
Let E be a finite set of cardinality m and suppose we draw uniformly n elements from E
with replacement. The probability that all n elements are distinct is
Theorem 9.3.
n−1  
1 Y k
Proba = 1− .
m m
k=1
Taking logarithms, and assuming n  m, we get
n(n − 1)
log Proba ≈ log(n/m) − .
2m

This means that taking n = O( m) will give a somewhat large value for this probability.
We can derive from this a very simple algorithm for computing
√ discrete logarithms,
presented as Algorithm
√ 9.4. Its time complexity would be O( m log m) on average, together
with a space O( m), which is no better than BSGS.
If we assume that N is prime, the only case where v − v 0 is non-invertible is that of
v = v 0 . In that case, we hit a useless relation between g and h that is discarded.
Our basic model is highly distributable. Unfortunately, the memory problem is still
there. It does not solve the space problem, so that we have to replace this by deterministic
random walks, as explained now.
CHAPTER 9. DISCRETE LOGARITHMS 8

Algorithm 9.3: Two grumpy giants and a baby.


Function Grumpy(G, g, N , h)
Input : G ⊃ hgi, g of order N ; h ∈ hgi
n
l√ : 0m ≤ n < N , g = h
Output
u← N ;
initialize three tables B, G1 and G2 for storing u pairs (element of G, integer
< N );
H ← 1G ; store(B, (H, 0));
F1 ← h; store(G1 , (F1 , 0));
F2 ← h2 ; store(G2 , (F2 , 0));
f1 ← g u ;
f2 ← 1/(f1 ◦ g) = 1/g u+1 ;
for i := 1 to L do
H ← H ◦ g;
for j := 1 to 2 do
if ∃(H 0 , c) ∈ Gj such that H = H 0 then
// H = g i = H 0 = hj ◦ fjc
return (− Expo(u, j)c + i)/j (mod N );
end
end
store(B, (H, i));
for j := 1 to 2 do
Fj ← Fj ◦ fj ;
if ∃(H 0 , d) ∈ B such that Fj = H 0 then
// Fj = hj ◦ g ui = H 0 = g d
return (− Expo(u, j)i + d)/j (mod N );
end
j 0 ← 3 − j;
if ∃(H 0 , c) ∈ Gj 0 such that Fj = H 0 then
0
// Fj = hj ◦ fji = H 0 = hj ◦ fjc0
return (Expo(u, j 0 )c − Expo(u, j)i + d)/(j − j 0 ) (mod N );
end
store(Gj , (Fj , i));
end
end
CHAPTER 9. DISCRETE LOGARITHMS 9

Algorithm 9.4: Naive DLP algorithm.


Function NaiveDL(G, g, N , h)
Input : G ⊃ hgi, g of order N ; h ∈ hgi
Output : 0 ≤ n < N , g n = h
initialize a table L for storing u triplets (element of G, two integers < N );
repeat
draw u and v at random modulo N ;
H ← g u ◦ hv ;
if ∃(H 0 , u0 , v 0 ) ∈ L such that H = H 0 then
0 0
// H = g u ◦ hv = g u ◦ hv hence n(v − v 0 ) = u0 − u
if v − v 0 is invertible modulo N then
return (u0 − u)/(v − v 0 ) mod N ;
end
end
else
store(L, (H, u, v));
end
until a collision is found ;

Functional digraphs
Consider E of cardinality m as above and let f : E → E be a function on E. Consider the
sequence Xn+1 = f (Xn ) for some starting point X0 ∈ E. The functional digraph of X is
built with vertices Xi ’s; an edge is put between Xi and Xj if f (Xi ) = Xj . Since E is finite,
the graph has two parts, as indicated in Figure 9.1.
Xµ+1
'$


• • • • • •
X0 X1 X2 Xµ−1 &%

Xµ+λ−1

Figure 9.1: Functional digraph.

Since E is finite, the sequence X must end up looping. The first part of the sequence is
the set of Xi ’s that are reached only once and there are µ of them; the second part forms a
loop containing λ distinct elements.
Examples. 1) E = G is a finite group, we use f (x) = ax, and x0 = a, (xn ) purely is
periodic, i.e., µ = 0, and λ = ordG (a).
2) Take Em = Z/11Z and f : x 7→ x2 + 1 mod 11: We give the complete graph for all
possible starting points in Figure 9.2. The shape of it is quite typical: a cycle and trees
plugged on the structure.
By Theorem 9.3, λ and µ cannot be too large on average, since n = λ + µ. A convenient
source for all asymptotic complexities of various parameters of the graph can be found in
[46]. In particular:
Theorem 9.4. When m → ∞

r
πm
λ∼µ∼ ≈ 0.627 m.
8
Finding λ and µ is more easily done using the notion of epact.
CHAPTER 9. DISCRETE LOGARITHMS 10

9
?
0 -1 -2 -5 -4 -6 7


6 6 ?
3 - 10  8

Figure 9.2: The functional digraph of f : x 7→ x2 + 1 mod 11.

Proposition 9.5. There exists a unique e > 0 (epact) s.t. µ ≤ e < λ + µ and X2e = Xe . It
is the smallest non-zero multiple of λ that is ≥ µ: If µ = 0, e = λ and if µ > 0, e = d µλ eλ.
Proof. The equation Xi = Xj with i < j only if i and j are larger than or equal to µ.
Moreover, λ must divide j − i. If we put i = e and j = 2e, then µ ≤ e and λ | e. There
exists a single multiple of λ in any interval of length λ, which gives unicity for e. When
µ = 0, it is clear that the smallest e > 0 must be λ. When µ > 0, the given candidate
satisfies all the properties.
From [46], we extract
q
5m √
Theorem 9.6. e ∼ π288 ≈ 1.03 m.

which means that finding the epact costs O( m) with a constant not too large compared
to the actual values of µ and λ. Note that in most cryptographic applications, the collision
x2e = xe will be enough to solve our problem.
From a practical point of view, a nice and short algorithm by Floyd can be used to recover
the epact and is given as Algorithm 9.5. We need 3e evaluations of f and e comparisons.
Ideas for decreasing the number of evaluations are given in [31] (see also [91] when applied
to integer factorization).

Algorithm 9.5: Floyd’s algorithm.


Function epact(f , x0 )
Input : A function f , a starting point x0
Output : The epact of (xn ) defined by xn+1 = f (xn )
x ← x0 ; y ← x0 ; e ← 0;
repeat
e ← e + 1;
x ← f (x);
y ← f (f (y));
until x = y;
return e.

More parameters can be studied and their asymptotic values computed. Again, we refer
to [46], from which we extract the following complements.
Theorem 9.7. The expected values of some of the parameters related to the functional
graph G are
1
• the number of components is 2 log m;
• the component size containing a node ν ∈ G is 2m/3;
• the tree size containing ν is m/3 (maximal tree rooted on a circle containing ν);
CHAPTER 9. DISCRETE LOGARITHMS 11
p
• the number of cyclic nodes is πm/2 (a node is cyclic if it belongs to a cycle).

A way to understand these results is to imagine that there is a giant component that
contains almost all nodes.

Discrete logarithms
The idea of Pollard is to build a√function f from G to G appearing to be random, in
the sense that the epact of f is c N for some small constant c. This can be realized via
multiplications by random points and/or perhaps squarings in G.
Building on [105], Teske [114] has suggested the following: precompute r random
elements zi = g γi ◦ hδi for 1 ≤ i ≤ r for some random exponents. Then use some hash
function H : G → {1, . . . , r}. Finally, define f (y) = y ◦ zH(y) . The advantage of this choice
is that we can represent any iterate xi of f as

xi = g ci ◦ hdi ,

where (ci ) and (di ) are two integer sequences. When e is found:

g c2e ◦ hd2e = g ce ◦ hde

or
g c2e −ce = hde −d2e ,
i.e.,
n(c2e − ce ) ≡ (de − d2e ) mod N.
With high probability, c2e − ce is invertible modulo N and we get the logarithm of h. When
we hit a collision and it is trivial, it is no use continuing the algorithm.
Experimentally, r = 20 √ is enough to have a large mixing of points. Under a plausible
model, this leads to a O( N ) method (see [114]). We give the algorithm in Algorithm 9.6.
As an example, if G contains integers, we may simply use H(x) = 1 + (x mod r).

Parallel RHO
How would one program a parallel version of RHO? We have to modify the algorithm. First
of all, we cannot use the notion of epact any more. If we start p processors on finding the
epact of their own sequence, we would not gain anything, since all epacts are of the same
(asymptotic) size. We need to share computations.
The idea is to launch p processors on the same graph with the same iteration function and
wait for a collision. Since we cannot store all points, we content ourselves with distinguished
elements, i.e., elements having a special form, uniformly with some probability θ over G.
(For integers, one can simply decide that a distinguished integer is 0 modulo a prescribed
power of 2.) Each processor starts its own path from a random value in hgi and each time
it encounters a distinguished element, it compares it with shared distinguished elements
already found and when a useful collision is found, the program stops. The idea is that two
paths colliding at some point will eventually lead to the same distinguished element, that
will be found a little while later (see Figure 9.3). Typically, if θ < 1 is the proportion of
distinguished elements, the time to reach one of these will be 1/θ.
√ Remembering properties
of functional digraphs, this probability should satisfy 1/θ < c N for some constant c > 0.
In view of Theorem 9.7, the method succeeds since there is a giant component in which
the processors have a large probability to run in. At worst, we would need O(log m) of
these to be sure to have at least two processors in the same component.
There are many fine points that must be dealt with in an actual implementation. For
ease of reading, we first introduce a function that computes a distinguished path, starting
CHAPTER 9. DISCRETE LOGARITHMS 12

Algorithm 9.6: RHO algorithm.


Function RHO(G, g, N , h, H, (zi , γi , δi ))
Input : H : G → {1, . . . , r}; (zi )1≤i≤r random powers zi = g γi ◦ hδi of G
Output : 0 ≤ n < N , g n = h
if h = 1G then
return 0
end
// invariant: x = g ux ◦ hvx
x ← h; ux ← 0; vx ← 1;
y ← x; uy ← ux ; vy ← vx ;
repeat
(x, ux , vx ) ← Iterate(G, N , H, (zi , γi , δi ), x, ux , vx );
(y, uy , vy ) ← Iterate(G, N , H, (zi , γi , δi ), y, uy , vy );
(y, uy , vy ) ← Iterate(G, N , H, (zi , γi , δi ), y, uy , vy );
until x = y;
// g ux ◦ hvx = g uy ◦ hvy
if vx − vy is invertible modulo N then
return (uy − ux )/(vx − vy ) (mod N );
end
else
return Failure.
end

Algorithm 9.7: RHO iteration algorithm.


Function Iterate(G, N , H, (zi , γi , δi ), x, ux , vx )
Input : H : G → {1, . . . , r}; (zi )1≤i≤r random powers zi = g γi ◦ hδi of G;
x = g ux ◦ hvx
Output : f (x, ux , vx ) = (w, uw , vw ) such that w = g uw ◦ hvw
i ← H(x);
return (x ◦ zi , ux + γi (mod N ), vx + δi (mod N )).

from a point and iterating until a distinguished element is reached, at which point is it
returned.
At this point, the master can decide to continue from this distinguished element, or start
a new path. One of the main problems we can encounter is that a processor be trapped in
a (small)
√ cycle. By the properties of random digraph, a typical path should be of length
O( N ); if θ is small enough, the probability to enter a cycle will be small. However, in
some applications, small cycles exist. Therefore, we need some cycle detection algorithm,
best implemented using a bound on the number of elements found. Modifying Algorithm
9.8 can be done easily, for instance, giving
p up on paths with length > 20/θ as suggested in
[118]. The expected running time is πN/2/p + 1/θ group operations.
Note that in many circumstances, we can use an automorphism in G, and we take this
into account for speeding up the parallel RHO process, despite some technical problems
that arise (short cycles). See [44], and more recently [72, 24].
Other improvements are discussed in [36] for prime fields, with the aim of reducing the
cost of the evaluation of the iteration function.

9.2.3 The Kangaroo Method


This method was designed to solve Interval-DLP with a space complexity as small as that of
RHO, assuming the discrete logarithm we are looking for belongs to [0, `] with ` ≤ N . We
CHAPTER 9. DISCRETE LOGARITHMS 13

• •
@R•
@
• -• @ R•. . .
@
- - . . .• -◦ •?

•?
Figure 9.3: Paths.

Algorithm 9.8: Finding a distinguished path.


Function DistinguishedPath(f , x0 )
Input : A function f , a starting point x0
Output : The first distinguished element found starting at x0 ,
x ← x0 ; repeat
x ← f (x);
until x is distinguished ;
return x.

√ √
would like to obtain an algorithm whose running time is O( `) instead of O( N ).
The idea is to have two processes, traditionally called tame kangaroo and wild kangaroo.
The tame kangaroo follows a random path starting from g `/2 and adding random integers to
the exponent, while the wild kangaroo starts from h = g n and uses the same deterministic
random function. We use a sequence of integer increments (δi )1≤i≤r whose mean size is
m. Then, we iterate: f (x) = x ◦ g δH(x) . Both kangaroos can be written T = g dT and
W = h ◦ g dW for two integer sequences dT and dW that are updated when computing f .
When hitting a distinguished element, it is stored in a list depending on its character
(tame or wild). When a collision occurs, the discrete logarithm is found. The analysis is
heuristic along the following way. The original positions of KT and KW can be either

0 n `/2 ` 0 `/2 n `
• • • • or • • • •

In either case, we have a back kangaroo (B) and a front kangaroo (F ) heading right. They
are at mean mutual distance `/4 at the beginning. Since the average distance between two
points is m, B needs `/(4m) jumps to reach the initial position of F . After that, B needs
m jumps to reach a point already reached by√F . The total number √ of jumps is therefore
2(`/(4m) + m), which is minimized for m = `/2, leading to a 2 ` cost. A more precise
analysis is given in [118]. The reader can find details as Algorithm 9.9.
A close algorithm that uses another model of analysis (though still heuristic) is that of
Gaudry-Schost [54], improving on work by Gaudry and Harley. This algorithm is generalized
to any dimension (e.g., solving g x = g a1 n1 +a2 n2 +···+ad nd for given (ai )’s) and improved in
[51] (see also [52] for the use of equivalence classes).

Parallel kangaroos
The idea, as for parallel RHO, is to start p kangaroos that will discover and store distinguished
elements. Following [98], we assume p = 4p0 , and select u = 2p0 + 1, v = 2p0 − 1, so that
p = u + v. Increments
p of the jumps will be (uvs1 , . . . , uvsk ) for small si ’s, insisting on the
mean to be ≈ `/(uv). The i-th tame kangaroo will start at g `/2+iv for 0 ≤ i < u; wild
kangaroo Wi will start from h ◦ g iu , 0 ≤ i < v. A collision will be `/2 + iv = n + ju mod (uv)
and the solution is unique. This prevents kangaroos of the same herd from colliding. The
final running time is effectively divided by p.
CHAPTER 9. DISCRETE LOGARITHMS 14

Algorithm 9.9: Sequential kangaroos.


Function Kangaroo(G, g, N , h, `)
Input : G ⊃ hgi, g of order N ; h ∈ hgi
n
l√ : 0 ≤
Output m n < `, g = h
m← `/2 ;
compute positive increments (δi )1≤i≤r of mean m;
initialize two tables T and W for storing pairs (element of G, integer < N );
T ← g `/2 ; dT ← `/2;
W ← h; dW ← 0;
while true do
(T, dT ) ← f ((δi ), T, dT );
if ∃(W 0 , d0 ) ∈ W such that W 0 = T then
0
// T = g dT , W 0 = h ◦ g d
return (dT − d0 ) (mod N );
end
(W, dW ) ← f ((δi ), W, dW );
if ∃(T 0 , d0 ) ∈ T such that T 0 = W then
0
// T 0 = g d , W = h ◦ g dW
0
return (d − dW ) (mod N );
end
end

9.2.4 Solving Batch-DLP


Using BSGS
If we know in advance that we have to solve the DLP for k instances, then Step 1 of BSGS is
unchanged (but with another u) and Step 2 is performed at √most kN/u times.√ This implies
that we can minimize the total cost u + kN/u using u = kN , a gain of k compared to
applying the algorithm k times. Mixing this with other tricks already mentioned is easy.

Parallel methods
The work of [45] was analyzed in [80]: A batch of k discrete logarithms in a group of order
N reduces to an average Θ(k −1/2 N 1/2 ) group operations for k  N 1/4 ; each DL costs
Θ(N 3/8 ). [80] also defines some problems related to DLP. The method was further studied
in [60].
A more systematic way to consider the problem is the following; see [23] and its follow-up
[22], where interval-batch-DLP is also considered and solved with the same ideas. We
consider again a table of random steps not involving any target in its definition. The idea
is to build a table T of distinguished elements found by random walks starting at random
elements g x . If T is the table size and W the length of the walk, then T W elements will be
encountered. When given a target h, a random walk of length W will encounter one of the
elements in T , solving DLP for h. The probability that none of the points in the new walk
encounters any of the first is
 T W 2
1
1− .
N
Taking plogarithms, this is close to T W 2 /N , so that a reasonable chance of success is for
W ≈ α N/T for some constant α. Using this, the probability can be written exp(−α2 ),
favoring rather large αs, therefore enabling (and favoring) parallel work too.
CHAPTER 9. DISCRETE LOGARITHMS 15

Extending this algorithm to the finding of k targets leads to a total cost of


√ p
O(T W ) + kO(W ) = O((T + k)W ) = O( T N + k N/T ),

and this is dominated by kW for k > T . If we want to optimize the cost as a function
of k, we see that T = k is minimal. For T = N 1/3 , we get W = N 1/3 for each walk and
T W = N 2/3 for the precomputation phase.
For a real implementation, we can choose t = dlog2 N/3e. If G contains integers, define
x to be distinguished if x ≡ 0 mod 2t . With this choice, we need to store 2t elements; 22t
operations are needed for the precomputation phase and 2t for each of the 2t target.

9.3 Finite Fields


9.3.1 Introduction
There exist dedicated algorithms to compute DL in finite fields that exploit the structure
of the finite field. These algorithms are sub-exponential in the size of the field (but not in
the involved subgroup order). Moreover, in 2014 two variants of a quasi-polynomial-time
algorithm were proposed, for a class of finite fields such as F2n and F3n , where n is composite.
As a consequence, any pairing-friendly curve defined over a finite field of small characteristic
should definitely be avoided. We explain in the following the main idea of these algorithms
known as index calculus methods. Three main variants apply to three different types of
finite fields (small, medium, and large characteristic, as explained below). We give the
specializations of each variant and the range of finite fields to which they apply. Moreover
when the prime defining the finite field is of special form (e.g., given by a polynomial),
special variants provide an even lower complexity to compute DL.

Interest for pairing-based cryptography


Studying the complexity of DL computations in finite fields is essential for pairing-based
cryptosystem designers. The pairing target group for any algebraic curve defined over a
finite field is a subgroup in an extension of that finite field. Here are the most common
finite fields that arise with pairing-friendly curves, in increasing order of hardness of DL
computation:
1. F24n and F36m for supersingular curves defined over F2n , F3m , resp.
2. Small extension Fpn of prime field with p of special form, given by a polynomial. This
is the case for curves in families such as MNT [90], BLS [20], BN [21] curves, and any
family obtained with the Brezing-Weng method [32].
3. Small extension of prime field Fp , where p does not have any special form, e.g., Fp2 , Fp6
for supersingular curves in large characteristic, and any curves generated with the
Cocks-Pinch or Dupont-Enge-Morain methods.
The first class: Supersingular curves defined over a small characteristic finite field also
correspond to a variant of the index calculus method where computing a DL is much easier.
The two other classes are each parted in medium and large characteristic. This is explained
in the next section.

Small, medium, and large characteristic


The finite fields are commonly divided into three cases, depending on the size of the prime p
(the finite field characteristic) compared to the extension degree n, with Q = pn . Each case
has its own index calculus variant, and the most appropriate variant that applies qualifies
the characteristic (as small, large, or medium):
CHAPTER 9. DISCRETE LOGARITHMS 16

• small characteristic: One uses the function field sieve algorithm, and the quasi-
polynomial-time algorithm when the extension degree is suitable for that (i.e., smooth
enough);
• Medium characteristic: one uses the NFS-HD algorithm. This is the High Degree
variant of the Number Field Sieve (NFS) algorithm. The elements involved in the
relation collection are of higher degree compared to the regular NFS algorithm.
• Large characteristic: one uses the Number Field Sieve algorithm.
Each variant (QPA, FFS, NFS-HD, and NFS) has a different asymptotic complexity. The
asymptotic complexities are stated with the L-notation. This comes from the smoothness
probability of integers. The explanation will be provided in Section 9.3.2. The L-notation
is defined as follows.
Definition 9.8. Let Q be a positive integer. The L-notation is defined by
 
LQ [α, c] = exp c + o(1) (log Q)α (log log Q)1−α

with α ∈ [0, 1] and c > 0 .

The α parameter measures the gap between polynomial time: LQ [α = 0, c] = (log Q)c ,
and exponential time: LQ [α = 1, c] = Qc . When c is implicit, or obvious from the context,
one simply writes LQ [α]. When the complexity relates to an algorithm for a prime field Fp ,
one writes Lp [α, c].

Main historical steps


Here is a brief history of DL computations in finite fields. The DLP for cryptographic use
was first stated in prime fields, without pairing context [43]. Binary fields were used for
efficiency reasons (they provide a better arithmetic). Finite fields are not generic groups and
there exist subexponential time algorithms to compute discrete logarithms in finite fields.
About a century ago Kraitchik [78, pp. 119–123], [79, pp. 69–70, 216–267] introduced the
index calculus method (from the French calcul d’indice) to compute discrete logarithms. His
work was rediscovered in the cryptographic community in the 1970s. The first algorithms to
compute discrete logarithms in prime fields are attributed to Adleman and Western–Miller
[6, 119]. These algorithms had a complexity of Lp [1/2, c]. However Coppersmith showed
as early as 1984 [40] that the DLP is much easier in binary fields than in prime fields of
the same size. He obtained an LQ [1/3, c] running-time complexity for his algorithm. He
also showed how fast his algorithm can compute discrete logarithms in F2127 (his algorithm
was better for fields whose extension degree is very close to a power of 2, in his record
127 = 27 − 1). Later, Adleman and Huang generalized the Coppersmith’s method to other
small characteristic finite fields and named it the Function Field Sieve (FFS) algorithm [7, 8].
The asymptotic complexity was LQ [1/3, ( 32 9 )
1/3
≈ 1.526]. In 1986, the state-of-the-art
for computing DL in prime fields was the Coppersmith, Odlyzko, and Schroeppel (COS)
algorithm [42], in time Lp [1/2, 1]. Then in 1993, Gordon designed the Number Field Sieve
algorithm for prime fields [55] and reached the same class of sub-exponential asymptotic
complexity as the FFS algorithm: L[1/3, c] but with a larger constant c = 91/3 ≈ 2.080.
Between the two extremes (F2n and Fp ) is the medium characteristic case. In 2006, a huge
work was done by Joux, Lercier, Smart, and Vercauteren [67] to propose algorithms to
compute the DLP in LQ [1/3, c] for any finite field. Until 2013, the complexity formulas
were frozen at this point:
• a complexity of LQ [1/3, ( 32
9 )
1/3
≈ 1.526] for small characteristic finite fields with the
Function Field Sieve algorithm [8];
• a complexity of LQ [1/3, ( 128
9 )
1/3
≈ 2.423] for medium characteristic finite fields with
the Number Field Sieve–High Degree algorithm [67];
CHAPTER 9. DISCRETE LOGARITHMS 17

• a complexity of LQ [1/3, ( 64
9 )
1/3
≈ 1.923] for large characteristic finite fields with the
Number Field Sieve algorithm [106, 67, 85].

It was not known until recently whether small characteristic fields could be a gap
weaker than prime fields. However, computing power was regularly increasing and in 2012,
Hayashi, Shimoyama, Shinohara, and Takagi were able to compute a discrete logarithm
record in F36·97 , corresponding to a 923-bit field [58], with the Function Field Sieve. Then
in December 2012 and January 2013, Joux released two preprints later published in [63]
with a LQ [1/4] algorithm, together with record-breaking discrete logarithms in F24080 and
F26168 . This was improved by various researchers. In 2014, Barbulescu, Gaudry, Joux, and
Thomé [17] on one side and Granger, Kleinjung, and Zumbrägel [56] on the other side
proposed two versions of a quasi polynomial-time algorithm (QPA) to solve the DLP in
small characteristic finite fields. All the techniques that allowed this breakdown are not
applicable to medium and large characteristic so far.

9.3.2 Index-Calculus Methods


We saw in Section 9.2 that the best complexity is obtained by balancing parameters in
the algorithms. Over finite fields, FFS and NFS algorithms also reach sub-exponential
complexity through balancing parameters.
Throughout this section, we follow the clear presentation of index-calculus methods
made in [88]. We present in Algorithm 9.10 the basic index-calculus method for computing
DL in a prime field.

Algorithm 9.10: Index calculus in (Z/pZ)∗ .


Function IndexCalculus(F∗p , g, h)
Input : F∗p ⊃ hgi, g of order dividing p − 1
Output : 0 ≤ x < p − 1, g x = h
Phase 1: fix #B and find the logarithms modulo p − 1 of small primes in
B = {p1 , p2 , . . . , p#B ≤ B}:
Choose integers ti ∈ [1, . . . , p − 1] s.t. g ti as an integer splits completely in small
primes of B:
#B
α
Y
g ti mod p = pb b,i
b=1

so that taking the logarithm to the base g gives a relation:


#B
X
ti = αb,i logg pb mod (p − 1)
b=1

Phase 2: When enough relations are collected, solve the system to get
{logg pb }1≤b≤#B .
Phase 3: Compute the individual discrete logarithm of h in base g.
Look for t s.t. hg t mod p as an integer factors into small primes of B:
#B
Y #B
X
hg t mod p = pα
b ⇔x+t≡
b
αb logg pb mod (p − 1)
b=1 b=1

return x.
CHAPTER 9. DISCRETE LOGARITHMS 18

Example for a tiny prime p


Let p = 1019 and g = 2. We need to find the logarithms modulo 2 and 509, since
p − 1 = 2 · 509. We first locate some smooth values of g b mod p:

2909 = 2 · 32 · 5, 210 = 5, 2848 = 33 · 5, 2960 = 22 · 3.

The system to be solved is


   
1 2 1 909
 10 0 0   10 
 0 3 1  · X =  848
    mod 1018.

2 1 0 960

Solving modulo 2 and 509 separately and recombining by the Chinese remainder theorem,
we find
log2 2 = 1, log2 3 = 958, log2 5 = 10.
Note that solving modulo 2 can be replaced by computations of Legendre symbols.
Consider computing log2 314. We find that

h · g 372 ≡ 24 · 52 mod p

from which logg h = 4 + 2 · 10 − 372 mod 1018 or log2 (314) = 670. Had we used rational
reconstruction (a classical trick for DL target solution), we would have found

h · g 409 ≡ 2/3 mod p

from which the log of t follows from

logg h + 409 ≡ 1 − log2 3 mod 1018.

A first complexity analysis


We will prove that:
Theorem 9.9. The asymptotic heuristic running-time of Algorithm 9.10 is Lp [1/2, 2] with
#B ≈ B = Lp [1/2, 1/2].
The running-time of algorithm 9.10 (p. 17) is related to smoothness probabilities of
integers in Phase 1 and 3, and linear algebra in phase 2. We will use the L-notation formula
given in 9.8. To estimate the smoothness probability, we need the result of Corollary 9.11
from Theorem 9.10.
Theorem 9.10 (Canfield–Erdős–Pomerance [34]). Let ψ(x, y) be the number of natural
numbers smaller or equal to x which are y-smooth. If x ≥ 10 and y ≥ log x, then it holds
that
log x
ψ(x, y) = xu−u(1+o(1)) with u = , (9.1)
log y
where the limit implicit in the o(1) is for x → ∞.
The Canfield–Erdős–Pomerance [34] theorem provides a useful result to measure smooth-
ness probability:
Corollary 9.11 (B-smoothness probability). For an integer S bounded by LQ [αS , σ] and
a smoothness bound B = LQ [αB , β] with αB < αS , the probability that S is B-smooth is
 
σ
Pr[S is B-smooth] = LQ αS − αB , −(αS − αB ) . (9.2)
β
CHAPTER 9. DISCRETE LOGARITHMS 19

We will also need these formulas:

LQ [α, c1 ]LQ [α, c2 ] = LQ [α, c1 + c2 ] and LQ [α, c1 ]c2 = LQ [α, c1 c2 ] . (9.3)

Proof. (of Theorem 9.9.)


In our context, we want to find a smooth decomposition of the least integer r (|r| < p)
s.t. r = g bi (mod p). We need to estimate the probability of an integer smaller than p to be
B-smooth. We write the formula, then balance parameters to ensure the optimal cost of this
algorithm. Let us write the smoothness-bound B in sub-exponential form: B = Lp [αB , β].
Any prime in B is smaller than B. The probability of r bounded by p = Lp [1, 1] to be
B-smooth is  1+o(1)
1
Pr[r is B-smooth] = Lp 1 − αB , −(1 − αB ) .
β
To complete Phase 2, we need enough relations to get a square matrix and solve the
system, in other words, more than #B. Since the number of prime numbers ≤ B is B/ log B
for B → ∞, we approximate #B ≈ B. The number of iterations over g ti and smoothness
tests to be made to get enough relations is
number of relations B
number of tests = = = Lp [αB , β]Lp [1 − αB , (1 − αB )/β] .
B-smoothness probability Pr
The dominating α-parameter will be max(αB , 1 − αB ) and is minimal for αB = 1/2. The
1
number of tests is then Lp [1/2, β + 2β ] (thanks to Equation (9.3)).
Now we compute the running time to gather the relations: This is the above quantity
times the cost of a smoothing step. At the beginning of index calculus methods, a trial
division was used, so one B-smooth test costs at most #B = B = Lp [1/2, β] divisions. The
total relation collection running time is then

Lp [1/2, 2β + 1/(2β)] .

The linear algebra phase finds the kernel of a matrix of dimension B. It has running-time
of B ω ≈ Lp [1/2, ωβ] (ω is a constant, equal to 3 for classical Gauss, and nowadays we use
iterative methods, of complexity B 2+o(1) ; see Section 9.3.3). The total running time of the
first two steps is
Lp [1/2, 2β + 1/(2β)] + Lp [1/2, 3β] .
1
The minimum of β 7→ 2β + 2β is 2, for β = 1/2 (take the derivative of the function
1
x 7→ 2x + 2x to obtain its minimum, for x > 0). We conclude that the total cost of the first
two phases is dominated by Lp [1/2, 2]: the relation collection phase.
The last phase uses the same process as finding one relation in Phase 1. It needs
1
1/Pr[r = g t (mod p) is B-smooth] tries of cost B each, hence B/Pr = Lp [1/2, β + 2β ]=
Lp [1/2, 3/2].

COS algorithm, Gaussian integer variant


Coppersmith, Odlyzko, and Schroeppel proposed in [42] a better algorithm by modifying
the relation collection phase. They proposed to sieve over elements of well-chosen form, of

size ∼ p instead of p. They also proposed to use sparse matrix linear algebra, to improve
the second phase of the algorithm. Computing the kernel of a sparse square matrix of size B
has a running-time of O(B 2+o(1) ) with their modified Lanczos algorithm. We present now
their Gaussian Integer variant, so that the Gordon Number Field Sieve will be clearer in
Section 9.3.4. We consider a generator g of F∗p and want to compute the discrete logarithm
x of h in base g, in the subgroup of F∗p of prime order `, with ` | p − 1.
The idea of [42] is to change the relation collection: In the former case, iterating over
g ti and taking the smallest integer r ≡ g ti (mod p) always produces r of the same size as p.
CHAPTER 9. DISCRETE LOGARITHMS 20

In this version, another iteration is made. The idea is to produce elements r much smaller
than p, to improve their smoothness probability. In the previous index calculus, we made
relations between integers (we lifted g ti mod p to r ∈ Z). Here one side will consider integers,
the second side will treat algebraic integers. Let A be a small negative integer which is a
quadratic √residue modulo p. Preferably, A ∈ {−1, −2, −3, −7, −11, −19, −43, −67, −163}
so that Q[ A] is a unique factorization domain. For ease of presentation, we assume that
p ≡ 1 mod 4 and take A = −1. Our algebraic side will be the Gaussian integer ring Z[i].

Now let 0 < U, V < p such that p = U 2 + V 2 (computed via the rational reconstruction
method, for example). The element U/V is a root of x2 + 1 modulo p. For an analogy
with the number field sieve, one can define f = x2 + 1 for the first (algebraic) side and
g = U − xV for the second (rational) side. The two polynomials have a common root U/V
modulo p. We define a map from Z[i] to Fp :

ρ: Z[i] → Fp
i 7→ U V −1 mod p (9.4)
hence a − bi 7→ V −1 (aV − bU ) mod p .

Now we sieve over pairs (a, b) on the rational side, looking for a B-smooth decomposition of
the integer aV − bU , as in Algorithm 9.10. What will be the second member of a relation?
Here comes the algebraic side. We consider the elements a − bi ∈ Z[i] (with the same
pairs (a, b)) and iterate over them such that a − bi, as an ideal of Z[i], factors into prime
ideals p of Z[i] of norm NZ[i]/Z (p) smaller than B. (For example: 1 + 3i = (1 + i)(2 + i)
with N (1 + 3i) = 12 + 32 = 10 = 2 · 5 = N (1 + i)N (2 + i)). Here is the magic: Since
NZ[i]/Z (a − bi) = a2 + b2 and we sieve over small 0 < a < E, − E < b < E, the norm of
a − bi will be bounded by E 2 and the product of the norms of the prime ideals p in the
factorization, which is equal to a2 + b2 , will be bounded by E 2 as well. At this point, we
end up with pairs (a, b) such that
Y s Y t
aV − bU = pbj , and a − bi = pbj0 .
pb ≤B N (pb0 )≤B

Then we use the map ρ to show up an equality, then get a relation. We have ρ(a − bi) =
a − bU V −1 = V −1 (aV − bU ) so up to a factor V (which is constant along the pairs (a, b)),
we have: Y s Y
aV − bU = pbj = V ρ(pb0 )tj . (9.5)
pb ≤B N (pb0 )≤B

Here we don’t need to know explicitly the value of ρ(pb0 ) in Fp . We simply consider it as an
element of the basis B of small elements: B = {V } ∪ {pb ≤ B} ∪ {ρ(pb0 ) : NZ[i]/Z (pb0 ) ≤ B}.
In the COS algorithm, the matrix is indeed two times larger than in the basic version of
Algorithm 9.10 (2B instead of B), but with norms a2 + b2 and V a − bU much smaller; we
can decrease the smoothness bound B. Taking the logarithm of Equation (9.5), we obtain
an equation between logarithms of elements in B:
X X
sj log pb = log V + tj log ρ(pb0 ) . (9.6)
pb ≤B NZ[i]/Z (pb0 )≤B

The optimal choice of parameters is E = B = Lp [1/2, 1/2], so that both sieving and
linear algebra cost Lp [1/2, 1], better than the previous Lp [1/2, 2] thanks to the much better
smoothness probabilities of the elements considered. Phase 2 of the algorithm computes the
kernel of a large sparse matrix of more than 2B rows. Its expected running time is (2B)2 ,
hence again Lp [1/2, 1]. The expected running time of the individual logarithm computation
(Phase 3) is Lp [1/2, 1/2] ([42, §7]).
CHAPTER 9. DISCRETE LOGARITHMS 21

9.3.3 Linear Algebra


Before diving into the explanation of the most powerful algorithms for computing DLs, we
make a pause and give some ideas on a technical but crucial problem: linear algebra and
how we solve the systems arising in DL computations.
At the beginning of index calculus methods, the only available method was the ordinary
Gauss algorithm, whose complexity is cubic in the number of rows (or columns) N of the
matrix M . For small matrices, this is enough, but remember that entries in the matrix are
elements of some finite field F` for some large `, in contrast with matrices we encounter
in integer factorization, which are boolean. Fill-in in DL matrices is therefore extremely
costly and we should be careful in doing this.
DL-matrices are very sparse, as factorization matrices. The coefficients are small integers
(in absolute value). Special methods have been designed for all these matrices. Generally,
some form of sparse Gaussian elimination is done in order to reduce the size of the matrix
prior to the use of more sophisticated methods to be described below. The idea is to perform
elimination using a sparse structure and minimize fill-in as long as possible. The general
term for these is filtering, and it was optimized and made necessary due to the use of many
large primes in recent years (see [30] for recent progress in the field).
Adaptation of numerical methods was done: The Lanczos iterative algorithm could
be generalized to the finite field case. A new class of iterative methods was invented by
Wiedemann [120]. Both classes have a complexity of O(N 2+ε ) where we assume that our
matrix has size N 1+ε . The core of the computation is the determination of the so-called
Krylov subspaces, namely V ecthM i · bi for some fixed vector b. Applying M to b costs
O(N 1+ε ), and N iterations are needed. The advantage of such methods is also to be able
to handle sparse structures for M .
Variants operating on blocks of vectors were designed by Coppersmith [39], for integer
factorization as for DLP. Despite the use of such methods, space and time become quite
a problem in recent records. The natural idea is to try to distribute the computations
over clusters or larger networks. The only method that can be partly distributed is the
block Wiedemann algorithm. A good reference for this part is Thomé’s thesis [117]. All his
work is incorporated and available in the CADO-NFS package [112], including the many
refinements to distribute the computations over the world and some special tricks related
to Schirokauer maps (see [70] for an independent work on the same topic). Record DL
computations now handle (sparse) matrices with several millions of rows and columns.

9.3.4 The Number Field Sieve (NFS)


Many improvements for computing discrete logarithms first concerned prime fields and were
adapted from improvements on integer factorization methods. Until 1993, the state-of-the-art
algorithm for computing discrete logarithms in prime fields was the Coppersmith, Odlyzko,
and Schroeppel (COS) algorithm [42] in Lp [1/2, 1]. In some cases, integer factorization
was easier because the modulus had a special form. The equivalent for DL computation in
prime fields is when p has a special form, given by a polynomial P of very small coefficients,
p = 2127 − 1 for example. In that case, one can define an algebraic side with this polynomial
P . By construction, P will have a root m modulo p of size ∼ p1/ deg P , hence the polynomial
of the rational side (g = U − V x in the COS algorithm) will have coefficients of size
m ∼ p1/ deg P . However, a generic method was found to reduce the coefficient size of the
polynomials when one of the degrees increases. In 1993, Gordon [55] proposed the first
version of NFS–DL algorithm for prime fields Fp with asymptotic complexity Lp [1/3, 91/3 ].
Gordon’s Lp [1/3] algorithm is interesting for very large values of p that were not yet targets
for discrete logarithm computations in the 1990s. Buhler, H. Lenstra, and Pomerance [33]
estimated the crossover point between 100 and 150 decimal digits, i.e., between 330 and
500 bits.
CHAPTER 9. DISCRETE LOGARITHMS 22

In Gordon’s algorithm, Phase 1 and Phase 3 are modified. The Phase 2 is still a large
sparse matrix kernel computation. We explain the polynomial selection method and the
sieving phase. We also explain why the Phase 3 (individual logarithm computation) needs
important modifications. The hurried reader can skip the proof of Theorem 9.12.

Polynomial selection with the base-m method


The polynomial selection of [55] is an analogy for prime fields of the method [33] for integer
factorization. We will build a polynomial f of degree d > 1 and a polynomial g of degree 1
such that they have a common root m modulo p, and have coefficients of size ∼ p1/d . Set
m = [p1/d ] and write p to the base-m:

p = cd md + cd−1 md−1 + . . . + c0 ,

where 0 ≤ ci < m. Then set

f = cd xd + cd−1 xd−1 + . . . + c0 and g =x−m .


2
Under the condition p > 2d , f will be monic [33, Prop. 3.2]. These two polynomials have a
common root m modulo p hence a similar map than in Equation (9.4) is available:

ρ : Z[x]/(f (x)) = Z[αf ] → Fp


αf 7→ m mod p (9.7)
hence a − bαf 7→ a − bm mod p .

Relation collection
The new technicalities concern factorization of ideals a − bαf into prime ideals of Z[αf ].
This is not as simple as for Z[i]: Z[αf ] may not be a unique factorization domain, moreover
what is called bad ideals can appear in the factorization. To end up with good relations, one
stores only pairs (a, b) such that a − bαf factors into good prime ideals of degree one, and
whose norm is bounded by B. The sieve on the rational side is as in the COS algorithm.

Individual discrete logarithm computation


The other new issue is the individual logarithm computation. Since the sieving space
and the factor basis B are much smaller (Lp [1/3, β] instead of Lp [1/2, β]), there are much
fewer known logarithms. It is hopeless to compute g t h with t at random until a smooth
factorization is found, because now the smoothness bound is too small. A strategy in two
phases was proposed by Joux and Lercier: Fix a larger smoothness bound B1 = Lp [2/3, β1 ].
First find a B1 -smoothness decomposition of g t h. Secondly, treat separately each prime
factor less than B1 but larger than B to obtain a B-smooth decomposition. Finally retrieve
the individual logarithm of h in base g. Each step has a cost LQ [1/3, c0 ] with c0 smaller
than the constant c = 1.923 of the two dominating steps (relation collection and linear
algebra).

Asymptotic complexity
We present how to obtain the expected heuristic running-time of Lp [1/3, ( 64
9 )
1/3
] to compute
DL in Fp with the base-m method and a few improvements to the original Gordon algorithm.
The impatient reader can admit the result of Theorem 9.12 and skip this section.
Theorem 9.12. The running-time of the NFS-DL algorithm with base-m method is
"  1/3 #
64
Lp 1/3, ≈ 1.923 ,
9
CHAPTER 9. DISCRETE LOGARITHMS 23

Table 9.3: Optimal value δ( logloglogp p )1/3 with δ = 1.44 for p of 100 to 300 decimal digits. One
takes d = [x] or d = bxc in practice.
log10 p 40 60 80 100 120 140 160 180 200 220 240 260 280 300
dlog2 Be (bits) 18b 21b 24b 27b 29b 31b 33b 35b 36b 38b 39b 41b 42b 43b
 1/3
δ logloglogp p 3.93 4.37 4.72 5.02 5.27 5.50 5.71 5.90 6.08 6.24 6.39 6.54 6.68 6.81

obtained for a smoothness bound B = Lp [1/3, β] with β = (8/9)1/3 ≈ 0.96, a sieving bound
E = B (s.t. |a|, |b| < E), and a degree of f to be d = dδ( logloglogp p )1/3 c with δ = 31/3 = 1.44.

We present in Table 9.3 the optimal values of B (in bits) and d with β ≈ 0.96 and
δ ≈ 1.44 for p from 100 to 300 decimal digits (dd).
Proof. (of Theorem 9.12.) One of the key-ingredients is to set an optimal degree d for f .
So let  1/3  
log p 1
d=δ so that m = p1/d = Lp 2/3, . (9.8)
log log p δ
 1/3
(Compute log m = d1 log p = 1δ logloglogp p log p = 1δ log2/3 p log1/3 log p). We will compute
the optimal value of δ under the given constraints later. The aim is to get a bound on
the norms of the elements a − bαf and a − bm of size Lp [2/3, ·] and a smoothness bound
Lp [1/3, ·], so that the smoothness probability will be Lp [1/3, ·]. A smoothness test is done
with the Elliptic Curve Method (ECM). The cost of the test depends on the smoothness
bound B and the total size of the integer tested. We first show that the cost of an p ECM
B-smoothness test with B = Lp [1/3, β], of an integer of size Lp [2/3, η] is Lp [1/6, 2β/3],
hence is negligible compared to any Lp [1/3, ·]. The cost of this ECM test depends on the
size of the smoothness bound:

cost of an ECM test = LB [1/2, 2] .
√ √
Writing log B = β log1/3 p log2/3 log p, we compute log LB [1/2, 2] = 2(log B log log B)1/2 ,
cancel the negligible terms, and get the result.
We denote the infinity norm of a polynomial to be the largest coefficient in absolute
value:
kf k∞ = max |fi | . (9.9)
0≤i≤deg f

We have  
2 1
kf k∞ , kgk∞ ≤ m = Lp , .
3 δ
In Phase 1, we sieve over pairs (a, b) satisfying 0 < a < E, −E < b < E and gcd(a, b) = 1,
so the sieving space is of order E 2 . We know that we can sieve over no more than Lp [1/3, ·]
pairs to be able to balance the three phases of the algorithm. So let E = Lp [1/3, ] pairs,
with  to be optimized later. The sieving space is E 2 = Lp [1/3, 2]. Since the cost of a
B-smoothness test with ECM is negligible compared to Lp [1/3, ], we conclude that the
running time of the sieving phase is E 2 = Lp [1/3, 2].
We need at least B relations to get a square matrix, and the linear algebra cost will be
B 2 = Lp [1/3, 2β]. To balance the cost of the sieving phase and the linear algebra phase, we
set
E 2 = B 2 , hence  = β
and we replace  in the following computations.
CHAPTER 9. DISCRETE LOGARITHMS 24

What is the norm bound for a − bαf ? We need it to estimate its probability to be
B-smooth. The norm is computed as the resultant (denoted Res) of the element a − bαf as
a polynomial a − bx in x, and the polynomial f . Then we bound the norm. The norm is

N (a − bαf ) = Res(f (x), a − bx)


Pd
= ad + fd−1 ad−1 b + . . . + abd−1 f1 + bd f0 = i=0 ai bd−i fi
≤ (deg f + 1)kf k∞ E deg f = (d + 1)p1/d E d

with d + 1 negligible, p1/d = m = Lp [2/3, 1/δ], and E d = B d = Lp [2/3, βδ] (first compute
d log B to get the result).

N (a − bαf ) ≤ Lp [2/3, 1/δ + δβ] .

Then for the g-side we compute

a − bm ≤ Ep1/d = Lp [1/3, β]Lp [2/3, 1δ ]


≤ Lp [2/3, 1δ ]

since the Lp [1/3, β] term is negligible.


We make the usual heuristic assumption that the norm of a − bαf follows the same
smoothness probability as a random integer of the same size. Moreover, we assume that
the probability of the norm of a − bαf and a − bm to be B-smooth at the same time is the
same as the probability of their product (bounded by Lp [2/3, 2/δ + δβ]) to be B-smooth.
Finally we apply Corollary 9.11 and get
  
1 1 2
Pr[N (a − bαf ) and a − bm are B-smooth] = 1/Lp , +δ .
3 3 δβ

How many relations do we have ? We multiply this smoothness probability Pr by the


sieving space E 2 and obtain
  
number of relations B 1 2
number of pairs (a, b) tested = = = Lp 1/3, β + +δ .
B-smoothness probability Pr 3 δβ

Since B 2 pairs were tested, we obtain the equation


   
1 2 1 2
2β = β + +δ ⇔β = +δ . (9.10)
3 δβ 3 δβ

We want to minimize the linear algebra and sieving phases, hence we minimize β > 0
through finding the minimum of the function x 7→ 13 ( βx 2
+ x) (by computing its derivative):
p p
This is 2/3p 2/β, obtained with δ = x = 2/β. We end up by solving Equation (9.10):
1/3
β = 2/3 2/β ⇔ β = (8/9) . Since the running time of Phase 1 and Phase 2 is
Lp [1/3, 2β], we obtain 2β = (64/9)1/3 as expected. The optimal degree of the polynomial f
is d = δ( logloglogp p )1/3 with δ = 31/3 ≈ 1.44.

9.3.5 Number Field Sieve: Refinements


Norm approximation
We can approximate the norm of an element b in a number field Kf = Q[x]/(f (x)) by the
two following bounds.
The Kalkbrener bound [71, Corollary 2] is the following:

| Res(f, b)| ≤ κ(deg f, deg b) · kf kdeg b


∞ kbk∞
deg f
, (9.11)
CHAPTER 9. DISCRETE LOGARITHMS 25

where κ(n, m) = n+m


 n+m−1
n n , and kf k∞ = max0≤i≤deg f |fi | is the absolute value of the
greatest coefficient. An upper bound for κ(n, m) is (n + m)!.
Bistritz and Lifshitz proved the other following bound [25, Theorem 7]:

| Res(f, φ)| ≤ kf kn2 kφkm


2 ≤ (m + 1)
n/2
(n + 1)m/2 kf kn∞ kφkm
∞ . (9.12)

When the degree of the involved polynomials is negligible, we can approximate | Res(f, φ)| by
O(kf kn∞ kφkm
∞ ). This simpler bound will be used to bound the norm of elements φ = a − bx
Pt−1
and φ = i=0 ai xi in a number field defined by a polynomial f .

Rational reconstruction and LLL


Throughout the polynomial selections, two algorithms are extensively used: the Rational
Reconstruction algorithm and the Lenstra/Lenstra/Lovasz (LLL) algorithm. Given an
integer y and a prime p, the Rational Reconstruction algorithm computes a quotient u/v
such that u/v ≡ y mod p and |u|, |v| < p.
The Lenstra–Lenstra–Lovász algorithm (LLL) [83] computes a short vector in a lattice.
Given a lattice L of √Zn defined by a basis given in an n × n matrix L, and parameters
1 1
4 < δ < 1, 2 < η < δ, the LLL algorithm outputs a (η, δ)-reduced basis of the lattice.
The coefficients of the first (shortest) vector are bounded by
n−1
(δ − η 2 ) 4 det(L)1/n .

With (η, δ) close to (0.5, 0.999) (as in NTL or Magma), the approximation factor C =
n−1
(δ − η 2 ) 4 is bounded by 1.075n−1 (see [35, §2.4.2])). A very fast software implementation
of the LLL algorithm is available with the fplll library [10].

Improvements of the polynomials


Joux and Lercier proposed in [65] another polynomial selection method that is an improve-
ment of the base-m method. In this case, the polynomials are no longer monic but have
1 1
smaller coefficients, bounded by p d+1 instead of p d . The size of the coefficients is spread
over one more coefficient (the leading coefficient). Comeine and Semaev analyzed the
complexity of their algorithm in [38]. The asymptotic complexity does not change because
the gain is hidden in the o(1) term. Their improvement is very important in practice,
however.
For a given pair of polynomials (f, g) obtained with the Joux-Lercier method, one can
improve their quality. We want the polynomials to have as many roots as possible modulo
small primes, in order to get many relations in the relation collection step. The quality of
the polynomials was studied my B. A. Murphy [93, 92]. The α value and the Murphy’s E
value measure the root properties of a pair of polynomials. The aim is to improve the root
properties while keeping the coefficients of reasonable size. A recent work on this subject can
be found in Shi Bai’s PhD thesis [11] and in [12]. The sieving can be speeded-up in practice
by choosing coefficients of the polynomial f whose √ size increases
√while the monomial
√ degree
decreases, and redefining the sieving space as −E s < a < E s, 0 < b < E/ s [74, 75].

9.3.6 Large Characteristic Non-Prime Fields


In 2006, Joux, Lercier, Smart, and Vercauteren [67] provided a polynomial construction
that permitted us to conclude that for any finite field Fq , there exists a Lq [1/3, c] algorithm
to compute DL: They proposed a method for medium-characteristic finite fields (known
as the JLSV1 method) and for large-characteristic finite fields. Another method (gJL:
generalization of Joux-Lercier for prime fields) was independently proposed by Matyukhin
[85] and Barbulescu [13, §8.3] and achieved the same asymptotic complexity as for prime
CHAPTER 9. DISCRETE LOGARITHMS 26

fields: LQ [1/3, ( 64
9 )
1/3
], with Q = pn . The two polynomials are of degree d + 1 and d ≥ n,
for a parameter d that depends on log Q as for the prime case. Note that the optimal choice
 1/3
of d for the gJL method is d = δ logloglogp p with δ = 31/3 /2 ≈ 0.72 instead of δ = 31/3
for the NFS-DL algorithm in prime fields. This is not surprising: In this case the sum of
polynomial degrees deg f + deg g is 2d + 1 instead of d + 1.

Recent results (2015) on DL record computation in non-prime finite fields with


the NFS algorithm
In 2015, Barbulescu, Gaudry, Guillevic, and Morain published a DL record computation in a
595-bit quadratic extension Fp2 , where p is a generic 298-bit prime [16]. They designed a new
polynomial selection method called the Conjugation. The polynomials allowed a factor-two
speed-up in the relation collection step, thanks to an order-two Galois automorphism.
The area is moving and later in 2015, Sarkar and Singh in [100] proposed a variant that
combines the gJL and the Conjugation method. The asymptotic complexity is the same:
LQ [1/3, ( 64
9 )
1/3
] and the polynomials might provide slightly smaller norm values in practice.
We lack one last piece of information to be able to recommend parameter sizes for a
given level of security in large characteristic fields FQ : record computations with one of
these methods.

9.3.7 Medium Characteristic Fields


This range of finite fields is where the discrete logarithm is more difficult to compute at the
moment. Moreover, the records published are for quite small sizes of finite fields only: Fp3
of 120dd (400 bits) in [67], and in [121].
There was a big issue in obtaining an L[1/3] algorithm as for the FFS algorithm in
small characteristic and the NFS algorithm in large characteristic. The solution proposed
in [67] introduces a modification in the relation collection. The small elements are of higher
 1/3
degree t − 1 ≥ 2, where t is of the form nt = c1t logloglogQQ . To obtain similar asymptotic
formulas in LQ [1/3, ·] as for prime fields (see Section 9.3.4), one sets the total number of
elements considered in the relation collection to be E 2 . With these settings,
Pt−1
• the total number of elements φ = i=0 ai xi considered in the relation collection is
kφkt∞ = E 2 , so that kφk∞ = E 2/t ;
• the norm of the elements φ on the f side is

|Nf (φ)| ≤ Res(φ, f ) ≤ κ(t − 1, deg f )kφkdeg



f
kf kt−1
∞ = κ(t − 1, deg f )E
2 deg f /t
kf kt−1
∞ .

The two polynomials defined for the 120dd record computation in [67] were f =
x3 + x2 − 2x − 1 and g = f + p. This method is not designed for scaling well and the
authors propose a variant where the two polynomials have a balanced coefficient size of
p1/2 each. This polynomial selection method, combined with the relation collection over
elements of degree t − 1, provides an asymptotic complexity of LQ [1/3, ( 128
9 )
1/3
' 2.42].
96 1/3
This asymptotic complexity went down in 2015 in [16] to LQ [1/3, ( 9 ) ' 2.201]. These
two asymptotic complexities were improved in [19, 96] to LQ [1/3, 2.39] and LQ [1/3, 2.156],
respectively, by using a multiple number field sieve variant that we explain in the next
paragraph. This variant has not been implemented for any finite field yet.

Multiple number field sieve


This paragraph is about refinements in the algorithm that slightly improve the asymptotic
complexity but whose practical gain is not known, and not certain yet.
CHAPTER 9. DISCRETE LOGARITHMS 27

The idea is to use additional number fields and hope to generate more relations per
polynomial (the a − bx elements in Gordon’s algorithm, for example). There are again two
versions: one asymmetric where one number field is preferred, say f0 , and additional number
fields fi are considered. For each element a − bx, one tests the smoothness of the image of
a − bx first in the number field defined by f0 , and if successful, then in all of the number
fields defined by the fi , to generate relations. This is used with a polynomial selection
that produces the first polynomial much better than the second. This is the case for the
base-m method and was studied by Coppersmith [41]. The same machinery applies to the
generalized Joux-Lercier method [85, 96]. In these two cases, the asymptotic complexity is
LQ [1/3, 1.90] instead of LQ [1/3, 1.923] (where Q = pn ). This MNFS version also applies to
the Conjugation method [96] and the complexity is LQ [1/3, 2.156] instead of LQ [1/3, 2.201].
The second symmetric version tests the smoothness of the image of a − bx in all the pairs
of possible number fields defined by fi , fj (for i < j). It applies to the NFS algorithm used
with the JLSV1 polynomial selection method, in medium characteristic. The complexity is
LQ [1/3, 2.39] instead of LQ [1/3, 2.42].
Unfortunately, none of these methods were ever implemented (yet), even for a reasonable
finite field size, hence we cannot realize how much in practice the smaller c constant improves
the running-time. There was a similar unknown in 1993. The cross-over point between the
Coppersmith-Odlyzko-Schroeppel algorithm in Lp [1/2] and Gordon’s algorithm in Lp [1/3]
was estimated in 1995 at about 150 decimal digits. In the MNFS algorithm, the constant is
slightly reduced but no one knows the size of Q for which “in practice”, a MNFS variant
will be faster than a regular NFS algorithm.

Special-NFS, Tower-NFS, and pairing-friendly families of curves


This paragraph lists the improvements to the NFS algorithm dedicated to fields Fpn where
the prime p is of special form, i.e., given by a polynomial evaluated at a given value.
This is the case for embedding fields of pairing-friendly curves in families, such as the
Barreto-Naehrig curves.
When the prime p defining the finite field is of a special form, there exist better
algorithms, such as the Special NFS (SNFS) for prime fields. Joux and Pierrot [69] proved
a complexity of "  1/3 #
1 deg P + 1 64
LQ ,
3 deg P 9
with P the polynomial defining the prime p. We have deg P = 4, for example, for a BN
curve [21]. Note that when deg P = 2 as for MNT curves, the complexity LQ [1/3, ( 96 9 )
1/3
]
is the same as the conjugation method complexity. This promising method has not yet
been implemented.
Very recently, [18] proposed another construction named the Tower-NFS that would be
the best choice for finite field target groups, where deg P ≥ 4. One of the numerous difficult
technicalities of this variant is the degree of the polynomials: a multiple of n. Handling
such polynomials and elements of high degree throughout the algorithm, in particular in
the relation collection phase, is a very difficult task, and is not implemented at the moment.
A clear rigorous recommendation of parameter sizes is not possible at the moment for
pairing target groups, since the area is not fixed. Theoretical algorithms are published but
real-life implementations and records over reasonable-size finite fields (more than 512 bits)
to estimate their running-time are not available.
We can clearly say that all these theoretical propositions shall be seriously taken into
consideration. The constant c in the LQ [1/3, c] asymptotic formula is decreasing, and might
reach the ( 64
9 )
1/3
value of prime fields one day. A generic recommendation in the large
characteristic case, based on a LQ [1/3, (64/9)1/3 ] asymptotic complexity, seems reasonable.
CHAPTER 9. DISCRETE LOGARITHMS 28

9.3.8 Small Characteristic: From the Function Field Sieve (FFS)


to the Quasi-Polynomial-Time Algorithm (QPA)
The main difference between a small characteristic and a large-characteristic field is the
Frobenius map π : x 7→ xp , where p is the characteristic of the field. This map is intensively
used to obtain multiple relations from an initial one, at a negligible cost. For prime fields,
the Frobenius map is the identity, so we cannot gain anything with it. In small-characteristic
fields, the use of the Frobenius map is one of the key ingredients that provides a much
better asymptotic complexity. This should be combined with a specific field representation
that allows a very fast evaluation of the Frobenius map.
For large-characteristic finite fields Fpn , the Frobenius map of order n can provide a
speed-up of a factor up to n if the polynomial selection provides a compatible representation,
i.e., if a is B-smooth, then we want πp (a) to be B-smooth as well.
Example 9.13 (Systematic equations in F2127 ). Blake, Fuji-Hara, Mullin, and Vanstone in
[27] targeted the finite field F2127 . They used the representation F2127 = F2 [x]/(x127 +x+1) to
implement Adleman’s algorithm. The polynomial f (x) = x127 +x+1 is primitive so that they
7
have chosen x as a generator of F∗2127 . They observed that x2 −1 = x127 = x + 1 mod f (x),
7 i i−6 i−7 i−7 i−7
x2 ≡ x2 + x mod f (x) and x2 ≡ x2 + x2 = x2 (1 + x2 ) mod f (x) for any i ≥ 7.
i i i i
Moreover, (1 + x2 ) = (1 + x)2 ≡ (x127 )2 so that logx (1 + x2 ) = 127 · 2i . Combining these
equations, they obtain logarithms for free.
A second notable difference between small-characteristic fields and prime fields is the
cost of factorization. In Algorithm 9.10, a preimage in N of elements in Fp is factorized.
In small characteristic, elements of F2n are lifted to polynomials of F2 [x], then factorized.
Over finite fields, there exists polynomial time algorithms to factor polynomials, hence the
time needed per smooth test is much lower.

Brief history
Figure 9.4 shows the records in small-characteristic finite fields with the Function Field
Sieve (FFS) and its various improvements, especially from 2012. Most of the records
were announced on the number theory list 2 . Finite fields of characteristic 2 and 3 and
composite extension degree such as target groups of pairing-friendly (hyper-)elliptic curves
must definitively be avoided, since fields of even more than 3072 bits were already reached
in 2014.

The Waterloo algorithm In 1984, Blake, Fuji-Hara, Mullin, and Vanstone proposed a
dedicated implementation of Adleman’s algorithm to F2127 [27, 28]. They introduced the
idea of systematic equations (using the Frobenius map) and initial splitting (this name was
introduced later). Their idea works for finite fields of characteristic two and extension degree
close to a power of 2 (e.g., 127). The asymptotic complexity of their method was LQ [1/2].
In the same year, Blake, Mullin, and Vanstone [28] proposed an improved algorithm known
as the Waterloo algorithm. Odlyzko computed the asymptotic complexity of this algorithm
in [94]. The asymptotic complexity needs the estimation of the probability that a random
polynomial over Fq of degree m factors entirely into polynomials of degree at most b, i.e., is
b-smooth. Odlyzko in [94, Equation (4.5), p. 14] gave the following estimation.
 n m
p(m, n) = exp (1 + o(1)) loge for n1/100 ≤ m ≤ n99/100 . (9.13)
m n
The initial splitting idea is still used nowadays, combined with the QPA algorithm. Given
a random element a(x) of GF(2n ) represented by a degree n − 1 polynomial over GF(2)
2 https://listserv.nodak.edu/cgi-bin/wa.exe?A0=NMBRTHRY
CHAPTER 9. DISCRETE LOGARITHMS 29

Q (dd)
9216 n
DL in GF(2 ), n composite
8192 DL in GF(2n ), n prime 2500
Finite field size log2 Q in bits

DL in GF(3n ), n composite
7168
DL in GF(rn ), n composite 2000
6144

5120 1500
4096

3072 1000

2048
500
1024

1985 1990 1995 2000 2005 2010 2015


Year

Figure 9.4: Records of DL computation in fields F2n , F3n , Frn of small characteristic, with n
1
prime or composite. All the fields F2n , F3n with n composite are target fields of supersingular
pairing-friendly (hyper-)elliptic curves.

modulo an irreducible degree n polynomial f (x), the algorithm computes the extended
Euclidean algorithm to compute the GCD of f (x) and a(x). At each iteration, the following
equation holds [27, §2]:
si (x)a(x) + ti (x)f (x) = ri (x) . (9.14)
Reducing this equation modulo f (x), one obtains a(x) ≡ ri (x)/si (x) mod f (x). The degree
of ri (x) decreases while the degree of si (x) increases. By stopping the extended Euclidean
algorithm at the state i where deg ri (x), deg si (x) ≤ bn/2c, one obtains the initial splitting
of a(x) of degree n − 1 into two polynomials ri (x), si (x) of degree at most bn/2c.
Odlyzko computed the asymptotic complexity of the Waterloo algorithm to be [94,
Equation (4.17), p. 19] LQ [1/2, (2 loge (2))1/2 ≈ 1.1774].

Coppersmith’s LQ [1/3] algorithm and FFS algorithm Building on the idea of sys-
tematic equations, Coppersmith [40] gave the first LQ [1/3, c] algorithm for DL computations
over F2n (with Q = 2n ). He found (32/9)1/3 ≤ c ≤ 41/3 and did a record computation for
F∗2127 . In 1994, Adleman [7] generalized this work to the case of any small characteristic,
1
and this is now called the Function Field Sieve (FFS). This gave a LQ [1/3, ( 64 9 ) ] for Q of
3

small characteristic, with function field (in place of number field for prime fields). Later,
1
Adleman-Huang improved that to LQ [1/3, ( 32 9 ) ] for Q of small characteristic [8], however,
3

this was slower than Coppersmith for F2 . n

Outside of the pairing-based cryptography context, the research and the records are
focused on prime extensions degrees. In 2002 Thomé increased the Coppersmith record up to
GF(2607 ) [115, 116]. During the same time, Joux and Lercier implemented FFS for GF(2521 )
in [64]. Continuing the record series, in 2005, Joux and Lercier recomputed a record in
GF(2607 ) and went slightly further with a record in GF(2613 ). They also investigated the
use of FFS for larger characteristic finite fields in [66]. In 2013, a record of the CARAMEL
group in GF(2089 ) with FFS was announced by Bouvier on the NMBRTHRY list [14] and
published in [15]. The actual record is held by Kleinjung, in GF(21279 ) [76].
Since 2000, examples of supersingular pairing-friendly elliptic curves of cryptographic
size arise. Two curves are well studied in characteristic 2 and 3 for the various speed-up they
CHAPTER 9. DISCRETE LOGARITHMS 30

provide, in particular, in hardware. Supersingular curves of almost prime order in small


characteristic are very rare. No ordinary pairing-friendly curves were ever known in small
characteristic. The embedding degree for supersingular curves is at most 4 in characteristic
2 and at most 6 in characteristic 3. The first cryptanalists exploited this composite degree
extension to improve the FFS algorithm. In 2010, the record in characteristic three was in
GF(36·71 ) of 676 bits [59]. In 2012, due to increasing computer power and the prequel of
the use of the additional structure provided by the composite extension degree of the finite
field, a DL record-breaking in GF(36·97 ) (a 923-bit finite field) was made possible [47]. This
announcement had a quite important effect over the community at that time, probably
because the broken curve was the one used in the initial paper on short signatures from
pairings [29]. The targeted finite field F3582 was the target field of a pairing-friendly elliptic
curve in characteristic 3, considered safe for 80-bit security implementations.
The real start of mathematical improvements occurred at Christmas 2012: Joux proposed
a conjectured heuristic LQ [1/4] algorithm [63] and announced two records [62] of much larger
size. In finite fields that can be represented as Kummer extensions, using the Frobenius
gives many relations at one time, hence speeding-up the relation-collection phase. As we
can see in Figure 9.4, records in prime extensions n of F2 do not grow as extraordinary as
composite extensions coming from pairing-friendly curves.

The Quasi-Polynomial-time Algorithm (QPA) In 2013 [48] an improved descent


phase was proposed, that provided a quasi-polynomial-time algorithm (QPA). Two variants
of the algorithm were published [17, 56]. The polynomial selection differs and induces
differences in the algorithm. We are at the “beginning of the end”— much work is still
needed for a complete implementation of this algorithm. In particular, the descent phase is
still costly in memory requirements.
The two versions of the QPA algorithm intensively exploit the Frobenius map, to obtain
many relations for free. It works when the extension degree n is composite and satisfies
some properties.
As a conclusion, we list the last records published. In 2014 Adj, Menezes, Oliveira, and
Rodrı́gues-Henrı́quez published a discrete logarithm record in GF(36·137 ) and GF(36·163 ),
corresponding to a 1303-bit and a 1551-bit finite field [5]. In 2014, Joux and Pierrot
published a record in GF(35·479 ) corresponding to a 3796-bit field [68]. In 2014, Granger,
Kleinjung, and Zumbragel announced a record in GF(29234 ) [57].

Recent improvements in finite fields of composite extension degree (Spring


2016) There were major theoretical improvements in finite fields Fpn where n is composite,
in 2015 and 2016. This paragraph tries to summarize the news. Two preprints by Kim on
one side and Barbulescu on the other side evolved to a common paper at CRYPTO’16 [73].
In parallel, Sarkar and Singh combined Kim–Barbulescu’s work with their own techniques
[103, 101, 102]. We need to mention Jeong and Kim’s work [61] to complete the list or recent
preprints on the subject. This one paper and these four preprints exploit the extension
degree that should be composite. They each propose an improved polynomial selection
step that allows us to reduce the size of the norms of the elements involved in the relation
collection. Since the improvement is notable, it reduces the asymptotic complexity of the
NFS algorithm. These papers exploit the finite field structure and contruct a degree-n
extension as a tower of three levels: a base field Fp as first level, a second level Fpη , and
a third level Fpηκ = Fpn . The extension degree n should be composite and the divisor η
of quite small size. The two (or multiple) number fields will exploit this structure as well.
This setting provides the following new asymptotic complexities for medium-characteristic
fields:
 1/3
1. Lpn [1/3, (48/9)1/3 ≈ 1.747] when n is composite, n = ηκ, κ = 1211/3 + o(1) logloglogQQ ,
and p is generic;
CHAPTER 9. DISCRETE LOGARITHMS 31

2. Lpn [1/3, (32/9)1/3 ≈ 1.526] when n is composite and p has a special form.
The generic case where n is prime is not affected by these new improvements. We summarize
in Table 9.4 the new theoretical security of a pairing-friendly curve where (1) n is composite
and (2) n is composite and p of special form, for pn of 3072 bits.

Table 9.4: Estimate of security levels according to NFS variants.

Joux–Pierrot Conj Special


Conj –
log2 pn d=4 Ext. TNFS Ext. TNFS
Lpn [ 13 , 2.20] 1
Lpn [ 3 , 1.923]
Lpn [ 31 , 2.07] Lpn [ 13 , 1.747] Lpn [ 31 , 1.526]
3072 2159−δ1 2 149−δ2
2 139−δ3
2126−δ4 2110−δ5
3584 2169−δ1 2 159−δ2
2 148−δ3
2 134−δ4
2117−δ5
4096 2179−δ1 2 169−δ2
2 156−δ3
2 142−δ4
2124−δ5
4608 2188−δ1 2 177−δ2
2 164−δ3
2 149−δ4
2130−δ5
5120 2197−δ1 2 185−δ2
2 172−δ3
2 156−δ4
2136−δ5
5632 2204−δ1 2 192−δ2
2 179−δ3
2 162−δ4
2142−δ5
6144 2212−δ1 2 199−δ2
2 185−δ3
2 168−δ4
2147−δ5

Note: The numbers should be read as follows: a 3072-bit finite field, which is the
embedding field of a BN curve whose p is of special form and n is composite will provide
approximately a security level of 2110−δBN , where δBN depends on the curve and on the
implementation of the special extended NFS variant.

9.3.9 How to Choose Real-Size Finite Field Parameters


At some point, to design a cryptosystem, we want to translate an asymptotic complexity
to a size recommendation for a given security level, usually equivalent to an AES level of
security: 128, 192, or 256 bits. In other words, we would like that for a given finite field Fq
of given size, the running-time required to break an instance of DLP is equivalent to 2128 ,
2192 , or 2256 group operations.
√ For the DLP in a generic group, we saw in Section 9.2 that
the expected time is in O( N ), with N the prime-order subgroup considered. A group of
size 2n bits (where only generic attacks apply) is enough to achieve an n-bit security level.
We present in Table 9.5 the usual key length recommendations from http://www.
keylength.com. The NIST recommendations are the less-conservative ones. A modulus of
length 3072 is recommended to achieve a security level equivalent to a 128-bit symmetric
key. The ECRYPT II recommendations are slightly larger: 3248 bit modulus are suggested.

Table 9.5: Cryptographic key length recommendations, August 2015.


Sym- Discrete Log Elliptic Hash
Method Date Asymmetric
metric Key Group curve function
Lenstra / Verheul [84] 2076 129 6790–5888 230 6790 245 257
Lenstra Updated [82] 2090 128 4440–6974 256 4440 256 256
ECRYPT II (EU) [1] 2031–2040 128 3248 256 3248 256 256
NIST (US) [4] > 2030 128 3072 256 3072 256 256
ANSSI (France) [3] 2021–2030 128 2048 200 2048 256 256
NSA (US) [2] – 128 – – – 256 256
RFC3766 [95] – 128 3253 256 3253 242 –
Note: All key sizes are provided in bits. These are the minimal sizes for security.

We explain here where these key sizes come from. The running-time complexity of the
most efficient attacks on discrete logarithm computation and factorization are considered
CHAPTER 9. DISCRETE LOGARITHMS 32

and balanced to fit the last records. In practice, we calibrate the asymptotic complexity
(we set the constant hidden in the O() notation) so that it matches the largest DL record
computations. For prime fields Fp with no special form of the prime p, the asymptotic
formula of NFS-DL is Lp [1/3, ( 64
9 )
1/3
], and we consider its logarithm in base 2:

log2 L[α, c](n) = c + o(1) nα log1−α



2 (n ln 2) (9.15)

with n = log2 N . The last record was a DL computation in a prime field of 180dd
or 596 bits, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind1406&L=NMBRTHRY&
F=&S=&P=3161.
Figure 9.5 presents the records of DL computation in prime fields, the records of RSA
modulus factorization and an interpolation according to [81, §3] by a Moore law doubling
every nine months.

pn (dd)
1024 RSA modulus factorization
Interpolation: Moore law 300

896 DL GF(p)
GF(p2 )
Finite field size log2 pn in bits

DL 250
768 DL GF(p3 )
DL GF(p4 )
DL GF(p5 ) 200
640
DL GF(p6 )
DL GF(p12 )
512 150

384
100
256

50
128
1995 2000 2005 2010 2015
Year

Figure 9.5: Records of DL computation in prime fields and RSA modulus factorization
1
To estimate the required modulus size, we compute the logarithm in base 2 of the L-
notation (9.15) and translate it such that log2 L[c, α](598) ≈ 60 (with 180dd=598bits). We
obtain log2 L[c, α](598) = 68.5 so we set a = −8.5. We obtain log2 L[c, α](3072) − 8.5 = 130
so we can safely deduce that a 3072-bit prime field with a generic safe prime is enough to
provide a 128-bit security level.

Conservative recommendations. To avoid dedicated attacks, and specific NFS vari-


ants, common-sense advice would be to avoid the curves with too much structure in the
parameters. Here is a list of points to take into account.

• Use a generic curve constructed with the Cocks-Pinch or Dupont-Enge Morain


methods;

• Use a curve in a family with a non-special form seed, i.e., the prime p = P (x0 ) is such
that x0 has no special form (e.g., x0 6= 263 + 1);
CHAPTER 9. DISCRETE LOGARITHMS 33

• Use a curve with low-degree polynomials defining the parameters, e.g., degree 2 (MNT
and Galbraith-McKee-Valença curves) or degree 4 (Freeman curves);

• Use a curve whose discriminant D is large (e.g., constructed with the Cocks-Pinch or
Dupont-Enge-Morain method, or an MNT, a Galbraith-McKee-Valença, or a Freeman
curve);
• Use a prime embedding degree.

9.3.10 Discrete logarithm algorithms in pairing-friendly target fi-


nite fields Fpn : August 2016 state-of-the-art
Given a finite field Fpn which contains the target group of a cryptographic pairing, different
NFS-based algorithms can be applied to compute discrete logarithms, depending on the
structure of the finite field. Two criterias should be taken into account: whether n is prime,
and whether the characteristic p has a special form: given by a polynomial of degree greater
than two.

1. If n is prime,

(a) and p has no special form (e.g., supersingular curves where k = 2, MNT curves
where n = 3, and any curves constructed with the Cocks-Pinch or Dupont-Enge-
Morain methods), then only the generic NFS algorithms apply.
i. In a large-characteristic finite field, the generalized Joux–Lercier method of
asymptotic complexity LQ [1/3, 1.923] (and LQ [1/3, 1.90] in the multiple-NFS
version) applies.
ii. In a medium-characteristic finite field, the conjugation method of asymp-
totic complexity LQ [1/3, 2.20] applies. The multiple-NFS version has an
asymptotic complexity of LQ [1/3, 2.15]. The finite field size does not need
to be enlarged for now.
In practice for large sizes of finite fields, the Sarkar-Singh method that interpolates
between the GJL and the Conjugation methods provides smaller norms. In this
case, the key size should be enlarged by maybe 10% but not significantly since
the asymptotic complexity is not lower than the complexity of NFS in a prime
field: LQ [1/3, 1.923].
(b) If p is given by a polynomial of degree at least three, i.e., p = P (u) where
deg(P ) ≥ 3, then the Joux–Pierrot method applies. In the medium-characteristic
case, the asymptotic complexity tends to LQ [1/3, 1.923] for large deg(P ). In
large characteristic, the pairing-friendly curves (k = 2, 3, 4, 6 for instance) are
such that deg(P ) = 2 only.

2. If n is composite, then the extended tower-NFS technique, firstly introduced by Kim


then improved by Barbulescu, Kim, Sarkar and Singh, and Jeong, applies.
(a) If p has no special form or is given by a polynomial of degree at most 2 (MNT
curves of embedding degree 4 and 6, Cocks-Pinch and Dupont-Enge-Morain
methods), then the asymptotic complexity is LQ [1/3, 1.74] so asymptotically, the
finite field size should be enlarged by a factor 4/3.
(b) If p has a special form, then the asymptotic complexity is LQ [1/3, 1.56] and
asymptotically, the finite field size should be doubled.
Bibliography

[1] D.SPA.20. ECRYPT2 Yearly Report on Algorithms and Keysizes (2011-2012). Euro-
pean Network of Excellence in Cryptology II, September 2012.
[2] NSA Suite B. Fact Sheet Suite B Cryptography. National Security Agency, U.S.A.,
September 2014.
[3] RGS-B1. Mécanismes cryptographiques - Règles et recommandations concernant le
choix et le dimensionnement des mécanismes cryptographiques. Agence Nationale de
la Sécurité des Systèmes d’Information, France, February 2014. version 2.03.
[4] SP-800-57. Recommendation for Key Management – Part 1: General. National
Institute of Standards and Technology, U.S. Department of Commerce, July 2012.
[5] Gora Adj, Alfred Menezes, Thomaz Oliveira, and Francisco Rodrı́guez-Henrı́quez.
Computing discrete logarithms in F36·137 and F36·163 using Magma. In Ç. K. Koç,
S. Mesnager, and E. Savas, editors, Arithmetic of Finite Fields (WAIFI 2014), volume
9061 of Lecture Notes in Computer Science, pp. 3–22. Springer, 2014.

[6] Leonard Adleman. A subexponential algorithm for the discrete logarithm problem
with applications to cryptography. In 20th Annual Symposium on Foundations of
Computer Science, pp. 55–60. IEEE Computer Society Press, 1979.
[7] Leonard Adleman. The function field sieve. In L. M. Adleman and M.-D. Huang,
editors, Algorithmic Number Theory (ANTS-I), volume 877 of Lecture Notes in
Computer Science, pp. 141–154. Springer, 1994.
[8] Leonard M. Adleman and Ming-Deh A. Huang. Function field sieve method for
discrete logarithms over finite fields. Information and Computation, 151(1/2):5–16,
1999.
[9] David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew
Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke
Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin, and Paul
Zimmermann. Imperfect forward secrecy: How Diffie-Hellman fails in practice. In
I. Ray, N. Li, and C. Kruegel, editors, 22nd ACM Conference on Computer and
Communications Security, pp. 5–17. ACM Press, 2015.

[10] M. Albrecht, S. Bai, D. Cadé, X. Pujol, and D. Stehlé. fplll-4.0, a floating-point LLL
implementation. Available at http://perso.ens-lyon.fr/damien.stehle.
[11] Shi Bai. Polynomial Selection for the Number Field Sieve. PhD thesis, Australian Na-
tional University, 2011. http://maths.anu.edu.au/~brent/pd/Bai-thesis.pdf.
[12] Shi Bai, Richard Brent, and Emmanuel Thomé. Root optimization of polynomials in
the number field sieve. Mathematics of Computation, 84(295):2447–2457, 2015.

34
BIBLIOGRAPHY 35

[13] Razvan Barbulescu. Algorithmes de logarithmes discrets dans les corps finis.
PhD thesis, Université de Lorraine, 2013. https://tel.archives-ouvertes.fr/
tel-00925228.
[14] Razvan Barbulescu, Cyril Bouvier, Jérémie Detrey, Pierrick Gaudry, Hamza Jeljeli,
Emmanuel Thomé, Marion Videau, and Paul Zimmermann. Discrete logarithm in
GF(2809 ) with ffs, April 2013. Announcement available at the NMBRTHRY archives,
item 004534.

[15] Razvan Barbulescu, Cyril Bouvier, Jérémie Detrey, Pierrick Gaudry, Hamza Jeljeli,
Emmanuel Thomé, Marion Videau, and Paul Zimmermann. Discrete logarithm in
GF(2809 ) with FFS. In H. Krawczyk, editor, PKC 2014: 17th International Conference
on Theory and Practice of Public Key Cryptography, volume 8383 of Lecture Notes in
Computer Science, pp. 221–238. Springer, Heidelberg, 2014.

[16] Razvan Barbulescu, Pierrick Gaudry, Aurore Guillevic, and François Morain. Improv-
ing NFS for the discrete logarithm problem in non-prime finite fields. In E. Oswald and
M. Fischlin, editors, Advances in Cryptology – EUROCRYPT 2015, Part I, volume
9056 of Lecture Notes in Computer Science, pp. 129–155. Springer, Heidelberg, 2015.
[17] Razvan Barbulescu, Pierrick Gaudry, Antoine Joux, and Emmanuel Thomé. A
heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small
characteristic. In P. Q. Nguyen and E. Oswald, editors, Advances in Cryptology –
EUROCRYPT 2014, volume 8441 of Lecture Notes in Computer Science, pp. 1–16.
Springer, Heidelberg, 2014.
[18] Razvan Barbulescu, Pierrick Gaudry, and Thorsten Kleinjung. The tower number
field sieve. In T. Iwata and J. H. Cheon, editors, Advances in Cryptology – ASI-
ACRYPT 2015, Part II, volume 9453 of Lecture Notes in Computer Science, pp.
31–55. Springer, Heidelberg, 2015.
[19] Razvan Barbulescu and Cécile Pierrot. The Multiple Number Field Sieve for Medium
and High Characteristic Finite Fields. LMS Journal of Computation and Mathematics,
17:230–246, 2014.
[20] Paulo S. L. M. Barreto, Ben Lynn, and Michael Scott. Constructing elliptic curves
with prescribed embedding degrees. In S. Cimato, C. Galdi, and G. Persiano, editors,
Security in Communication Networks (SCN 2002), volume 2576 of Lecture Notes in
Computer Science, pp. 257–267. Springer, Heidelberg, 2003.

[21] Paulo S. L. M. Barreto and Michael Naehrig. Pairing-friendly elliptic curves of prime
order. In B. Preneel and S. Tavares, editors, Selected Areas in Cryptography (SAC
2005), volume 3897 of Lecture Notes in Computer Science, pp. 319–331. Springer,
Heidelberg, 2006.
[22] Daniel J. Bernstein and Tanja Lange. Computing small discrete logarithms faster. In
S. D. Galbraith and M. Nandi, editors, Progress in Cryptology – INDOCRYPT 2012,
volume 7668 of Lecture Notes in Computer Science, pp. 317–338. Springer, Heidelberg,
2012.
[23] Daniel J. Bernstein and Tanja Lange. Non-uniform cracks in the concrete: The power
of free precomputation. In K. Sako and P. Sarkar, editors, Advances in Cryptology –
ASIACRYPT 2013, Part II, volume 8270 of Lecture Notes in Computer Science, pp.
321–340. Springer, Heidelberg, 2013.
[24] Daniel J. Bernstein, Tanja Lange, and Peter Schwabe. On the correct use of the
negation map in the Pollard rho method. In D. Catalano et al., editors, Public Key
BIBLIOGRAPHY 36

Cryptography – PKC 2011, volume 6571 of Lecture Notes in Computer Science, pp.
128–146. Springer, Heidelberg, 2011.

[25] Yuval Bistritz and Alexander Lifshitz. Bounds for resultants of univariate and bivariate
polynomials. Linear Algebra and its Applications, 432(8):1995–2005, 2009.
[26] Simon R. Blackburn and Edlyn Teske. Baby-step giant-step algorithms for non-
uniform distributions. In W. Bosma, editor, Algorithmic Number Theory (ANTS-IV),
volume 1838 of Lecture Notes in Computer Science, pp. 153–168. Springer, 2000.
[27] Ian F. Blake, Ryoh Fuji-Hara, Ronald C. Mullin, and Scott A. Vanstone. Computing
logarithms in finite fields of characteristic two. SIAM Journal on Algebraic Discrete
Methods, 5(2):276–285, 1984.
[28] Ian F. Blake, Ronald C. Mullin, and Scott A. Vanstone. Computing logarithms in
GF(2n ). In G. R. Blakley and D. Chaum, editors, Advances in Cryptology, Proceedings
of CRYPTO ’84, volume 196 of Lecture Notes in Computer Science, pp. 73–82. Springer,
Heidelberg, 1984.
[29] Dan Boneh, Ben Lynn, and Hovav Shacham. Short signatures from the Weil pairing.
In C. Boyd, editor, Advances in Cryptology – ASIACRYPT 2001, volume 2248 of
Lecture Notes in Computer Science, pp. 514–532. Springer, Heidelberg, 2001.
[30] Cyril Bouvier. Algorithmes pour la factorisation d’entiers et le calcul de logarithme
discret. PhD thesis, Université de Lorraine, 2015. https://tel.archives-ouvertes.
fr/tel-01167281.
[31] Richard P. Brent. An improved Monte Carlo factorization algorithm. BIT, 20:176–184,
1980.
[32] Friederike Brezing and Annegret Weng. Elliptic curves suitable for pairing based
cryptography. Designs, Codes and Cryptography, 37(1):133–141, 2005.
[33] Joe P. Buhler, Hendrik W. Lenstra Jr., and Carl Pomerance. Factoring integers
with the number field sieve. In A. K. Lenstra and H. W. Lenstra Jr., editors, The
Development of the Number Field Sieve, volume 1554 of Lecture Notes in Mathematics,
pp. 50–94. Springer, 1993.
[34] Earl R. Canfield, Paul Erdős, and Carl Pomerance. On a problem of Oppenheim
concerning ”factorisatio numerorum”. Journal of Number Theory, 17(1):1–28, 1983.

[35] Yuanmi Chen. Réduction de réseau et sécurité concrète du chiffrement complètement


homomorphe. PhD thesis, Université Paris 7 Denis Diderot, 2013. http://www.di.
ens.fr/~ychen/research/these.pdf.
[36] Jung Hee Cheon, Jin Hong, and Minkyu Kim. Speeding up the pollard rho method
on prime fields. In J. Pieprzyk, editor, Advances in Cryptology – ASIACRYPT 2008,
volume 5350 of Lecture Notes in Computer Science, pp. 471–488. Springer, Heidelberg,
2008.
[37] Young Ju Choie, Eun Kyung Jeong, and Eun Jeong Lee. Supersingular hyperelliptic
curves of genus 2 over finite fields. Journal of Applied Mathematics and Computation,
163(2):565–576, 2005.

[38] An Commeine and Igor Semaev. An algorithm to solve the discrete logarithm problem
with the number field sieve. In M. Yung, Y. Dodis, A. Kiayias, and T. Malkin, editors,
Public Key Cryptography – PKC 2006, volume 3958 of Lecture Notes in Computer
Science, pp. 174–190. Springer, Heidelberg, 2006.
BIBLIOGRAPHY 37

[39] D. Coppersmith. Solving linear equations over GF(2) via block Wiedemann algorithm.
Mathematics of Computation, 62(205):333–350, 1994.

[40] Don Coppersmith. Fast evaluation of logarithms in fields of characteristic two. IEEE
Transactions on Information Theory, 30(4):587–594, 1984.
[41] Don Coppersmith. Modifications to the number field sieve. Journal of Cryptology,
6(3):169–180, 1993.

[42] Don Coppersmith, Andrew M. Odlyzko, and Richard Schroeppel. Discrete logarithms
in GF(p). Algorithmica, 1(1):1–15, 1986.
[43] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE
Transactions on Information Theory, 22(6):644–654, 1976.

[44] Iwan M. Duursma, Pierrick Gaudry, and François Morain. Speeding up the discrete
log computation on curves with automorphisms. In K.-Y. Lam, E. Okamoto, and
C. Xing, editors, Advances in Cryptology – ASIACRYPT ’99, volume 1716 of Lecture
Notes in Computer Science, pp. 103–121. Springer, Heidelberg, 1999.
[45] A. E. Escott, J. C. Sager, A. P. L. Selkirk, and D. Tsapakidis. Attacking elliptic curve
cryptosystems using the parallel Pollard rho method. CryptoBytes, 4, 1999.

[46] Philippe Flajolet and Andrew M. Odlyzko. Random mapping statistics. In J.-J.
Quisquater and J. Vandewalle, editors, Advances in Cryptology – EUROCRYPT ’89,
volume 434 of Lecture Notes in Computer Science, pp. 329–354. Springer, Heidelberg,
1990.

[47] Fujitsu Laboratories, NICT, and Kyushu University. DL record in F36·97 of 923 bits
(278 dd). NICT press release, June 18, 2012. http://www.nict.go.jp/en/press/
2012/06/18en-1.html.
[48] Steven Galbraith. Quasi-polynomial-time algorithm for discrete logarithm in finite
fields of small/medium characteristic. The Elliptic Curve Cryptography blog, June
2013. https://ellipticnews.wordpress.com/2013/06/21.
[49] Steven D. Galbraith. Supersingular curves in cryptography. In C. Boyd, editor,
Advances in Cryptology – ASIACRYPT 2001, volume 2248 of Lecture Notes in
Computer Science, pp. 495–513. Springer, Heidelberg, 2001.
[50] Steven D. Galbraith and Pierrick Gaudry. Recent progress on the elliptic curve
discrete logarithm problem. Cryptology ePrint Archive, Report 2015/1022, 2015.
http://eprint.iacr.org/2015/1022.
[51] Steven D. Galbraith and Raminder S. Ruprai. An improvement to the Gaudry-Schost
algorithm for multidimensional discrete logarithm problems. In M. G. Parker, editor,
Cryptography and Coding, volume 5921 of Lecture Notes in Computer Science, pp.
368–382. Springer, Heidelberg, 2009.
[52] Steven D. Galbraith and Raminder S. Ruprai. Using equivalence classes to accelerate
solving the discrete logarithm problem in a short interval. In P. Q. Nguyen and
D. Pointcheval, editors, Public Key Cryptography – PKC 2010, volume 6056 of Lecture
Notes in Computer Science, pp. 368–383. Springer, Heidelberg, 2010.

[53] Steven D. Galbraith, Ping Wang, and Fangguo Zhang. Computing elliptic curve
discrete logarithms with improved baby-step giant-step algorithm. Cryptology ePrint
Archive, Report 2015/605, 2015. http://eprint.iacr.org/2015/605.
BIBLIOGRAPHY 38

[54] Pierrick Gaudry and Éric Schost. A low-memory parallel version of Matsuo, Chao, and
Tsujii’s algorithm. In D. A. Buell, editor, Algorithmic Number Theory (ANTS-VI),
volume 3076 of Lecture Notes in Computer Science, pp. 208–222. Springer, 2004.
[55] Daniel M. Gordon. Discrete logarithms in GF(p) using the number field sieve. SIAM
Journal on Discrete Mathematics, 6(1):124–138, 1993.
[56] Robert Granger, Thorsten Kleinjung, and Jens Zumbrägel. Breaking ’128-bit se-
cure’ supersingular binary curves - (or how to solve discrete logarithms in F24·1223
and F212·367 ). In J. A. Garay and R. Gennaro, editors, Advances in Cryptology –
CRYPTO 2014, Part II, volume 8617 of Lecture Notes in Computer Science, pp.
126–145. Springer, Heidelberg, 2014.
[57] Robert Granger, Thorsten Kleinjung, and Jens Zumbragel. Discrete logarithms in
GF(29234 ), 2014. Announcement available at the NMBRTHRY archives, item 004666.

[58] Takuya Hayashi, Takeshi Shimoyama, Naoyuki Shinohara, and Tsuyoshi Takagi.
Breaking pairing-based cryptosystems using ηT pairing over GF(397 ). In X. Wang
and K. Sako, editors, Advances in Cryptology – ASIACRYPT 2012, volume 7658 of
Lecture Notes in Computer Science, pp. 43–60. Springer, Heidelberg, 2012.

[59] Takuya Hayashi, Naoyuki Shinohara, Lihua Wang, Shin’ichiro Matsuo, Masaaki
Shirase, and Tsuyoshi Takagi. Solving a 676-bit discrete logarithm problem in
GF(36n ). In P. Q. Nguyen and D. Pointcheval, editors, Public Key Cryptography –
PKC 2010, volume 6056 of Lecture Notes in Computer Science, pp. 351–367. Springer,
Heidelberg, 2010.
[60] Yvonne Hitchcock, Paul Montague, Gary Carter, and Ed Dawson. The efficiency of
solving multiple discrete logarithm problems and the implications for the security of
fixed elliptic curves. International Journal of Information Security, 3(2):86–98, 2004.
[61] Jinhyuck Jeong and Taechan Kim. Extended tower number field sieve with application
to finite fields of arbitrary composite extension degree. Cryptology ePrint Archive,
Report 2016/526, 2016. http://eprint.iacr.org/.

[62] Antoine Joux. Faster index calculus for the medium prime case application to 1175-bit
and 1425-bit finite fields. In T. Johansson and P. Q. Nguyen, editors, Advances in
Cryptology – EUROCRYPT 2013, volume 7881 of Lecture Notes in Computer Science,
pp. 177–193. Springer, Heidelberg, 2013.

[63] Antoine Joux. A new index calculus algorithm with complexity L(1/4 + o(1)) in small
characteristic. In T. Lange, K. Lauter, and P. Lisonek, editors, Selected Areas in
Cryptography – SAC 2013, volume 8282 of Lecture Notes in Computer Science, pp.
355–379. Springer, Heidelberg, 2014.
[64] Antoine Joux and Reynald Lercier. The function field sieve is quite special. In
C. Fieker and D. R. Kohel, editors, Algorithmic Number Theory (ANTS-V), volume
2369 of Lecture Notes in Computer Science, pp. 431–445. Springer, 2002.
[65] Antoine Joux and Reynald Lercier. Improvements to the general number field sieve for
discrete logarithms in prime fields. A comparison with the Gaussian integer method.
Mathematics of Computation, 72(242):953–967, 2003.

[66] Antoine Joux and Reynald Lercier. The function field sieve in the medium prime
case. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume
4004 of Lecture Notes in Computer Science, pp. 254–270. Springer, Heidelberg, 2006.
BIBLIOGRAPHY 39

[67] Antoine Joux, Reynald Lercier, Nigel Smart, and Frederik Vercauteren. The number
field sieve in the medium prime case. In C. Dwork, editor, Advances in Cryptology
– CRYPTO 2006, volume 4117 of Lecture Notes in Computer Science, pp. 326–344.
Springer, Heidelberg, 2006.
[68] Antoine Joux and Cécile Pierrot. Improving the polynomial time precomputation of
frobenius representation discrete logarithm algorithms - simplified setting for small
characteristic finite fields. In P. Sarkar and T. Iwata, editors, Advances in Cryptology
– ASIACRYPT 2014, Part I, volume 8873 of Lecture Notes in Computer Science, pp.
378–397. Springer, Heidelberg, 2014.
[69] Antoine Joux and Cécile Pierrot. The special number field sieve in Fpn - application
to pairing-friendly constructions. In Z. Cao and F. Zhang, editors, Pairing-Based
Cryptography – Pairing 2013, volume 8365 of Lecture Notes in Computer Science, pp.
45–61. Springer, Heidelberg, 2014.
[70] Antoine Joux and Cécile Pierrot. Nearly sparse linear algebra. Cryptology ePrint
Archive, Report 2015/930, 2015. http://eprint.iacr.org/.
[71] Michael Kalkbrener. An upper bound on the number of monomials in determinants
of sparse matrices with symbolic entries. Mathematica Pannonica, 8:73–82, 1997.

[72] Minkyu Kim, Jung Hee Cheon, and Jin Hong. Subset-restricted random walks
for Pollard rho method on Fpm . In S. Jarecki and G. Tsudik, editors, Public Key
Cryptography – PKC 2009, volume 5443 of Lecture Notes in Computer Science, pp.
54–67. Springer, Heidelberg, 2009.
[73] Taechan Kim and Razvan Barbulescu. Extended tower number field sieve: A new
complexity for the medium prime case. In Advances in Cryptology – CRYPTO 2016,
Part I, Lecture Notes in Computer Science, pp. 543–571. Springer, Heidelberg, 2016.
[74] Thorsten Kleinjung. On polynomial selection for the general number field sieve.
Mathematics of Computation, 75(256):2037–2047, 2006.

[75] Thorsten Kleinjung. Polynomial selection. Invited talk at the CADO-NFS workshop,
Nancy, France, October 2008. slides available at http://cado.gforge.inria.fr/
workshop/slides/kleinjung.pdf.
[76] Thorsten Kleinjung. Discrete logarithms in GF(21279 ), October 2014. Announcement
available at the NMBRTHRY archives, item 004751.

[77] Neal Koblitz and Alfred Menezes. Another look at non-standard discrete log and
Diffie-Hellman problems. Journal of Mathematical Cryptology, 2(4):311–326, 2008.
[78] Maurice Kraitchik. Théorie des Nombres. Gauthier–Villars, 1922.
[79] Maurice Kraitchik. Recherches sur la Théorie des Nombres. Gauthier–Villars, 1924.

[80] Fabian Kuhn and René Struik. Random walks revisited: Extensions of Pollard’s rho
algorithm for computing multiple discrete logarithms. In S. Vaudenay and A. M.
Youssef, editors, Selected Areas in Cryptography (SAC 2001), volume 2259 of Lecture
Notes in Computer Science, pp. 212–229. Springer, Heidelberg, 2001.
[81] Arjen K. Lenstra. Unbelievable security: Matching AES security using public key sys-
tems (invited talk). In C. Boyd, editor, Advances in Cryptology – ASIACRYPT 2001,
volume 2248 of Lecture Notes in Computer Science, pp. 67–86. Springer, Heidelberg,
2001.
BIBLIOGRAPHY 40

[82] Arjen K. Lenstra. Key lengths. In H. Bidgoli, editor, Handbook of Information


Security, volume 3, pp. 617–635. John Wiley & Sons, 2006.

[83] Arjen K. Lenstra, Hendrik W. Lenstra Jr., and László Lovász. Factoring polynomials
with rational coefficients. Mathematische Annalen, 261(4):515–534, 1982.
[84] Arjen K. Lenstra and Eric R. Verheul. Selecting cryptographic key sizes. Journal of
Cryptology, 14(4):255–293, 2001.

[85] D. V. Matyukhin. Effective version of the number field sieve for discrete logarithms
in the field GF(pk ) (in Russian). Trudy po Discretnoi Matematike, 9:121–151, 2006.
[86] Ueli M. Maurer and Stefan Wolf. The relationship between breaking the Diffie-
Hellman protocol and computing discrete logarithms. SIAM Journal on Computing,
28(5):1689–1721, 1999.

[87] Ueli M. Maurer and Stefan Wolf. The Diffie-Hellman protocol. Designs, Codes and
Cryptography, 19(2/3):147–171, 2000.
[88] Kevin S. McCurley. The discrete logarithm problem. In C. Pomerance, editor,
Cryptology and Computational Number Theory, volume 42 of Proceedings of Symposia
in Applied Mathematics, pp. 49–74. AMS, 1990.

[89] Alfred J. Menezes, Tatsuaki Okamoto, and Scott A. Vanstone. Reducing elliptic
curves logarithms to logarithms in a finite field. IEEE Transactions on Information
Theory, 39(5):1639–1646, 1993.
[90] Atsuko Miyaji, Masaki Nakabayashi, and Shunzo Takano. Characterization of elliptic
curve traces under FR-reduction. In D. Won, editor, Information Security and
Cryptology – ICISC 2000, volume 2015 of Lecture Notes in Computer Science, pp.
90–108. Springer, Heidelberg, 2001.
[91] Peter L. Montgomery. Speeding the Pollard and elliptic curve methods of factorization.
Mathematics of Computation, 48(177):243–264, 1987.

[92] B. A. Murphy. Polynomial Selection for the Number Field Sieve Integer Factorisation
Algorithm. PhD thesis, Australian National University, 1999. http://maths-people.
anu.edu.au/~brent/pd/Murphy-thesis.pdf.
[93] Brian A. Murphy. Modelling the yield of number field sieve polynomials. In J. P.
Buhler, editor, Algorithmic Number Theory: Third International Symposiun, ANTS-
III Portland, Oregon, USA, June 21–25, 1998 Proceedings, Lecture Notes in Computer
Science, pp. 137–150. Springer Berlin Heidelberg, 1998.
[94] Andrew M. Odlyzko. Discrete logarithms in finite fields and their cryptographic
significance. In T. Beth, N. Cot, and I. Ingemarsson, editors, Advances in Cryptology
– EUROCRYPT ’84, volume 209 of Lecture Notes in Computer Science, pp. 224–314.
Springer, Heidelberg, 1985.
[95] Hilarie Orman and Paul Hoffman. Determining strengths for public keys used for
exchanging symmetric keys. Request for Comments RFC 3766, Internet Engineering
Task Force (IETF), 2004.
[96] Cécile Pierrot. The multiple number field sieve with conjugation and generalized
joux-lercier methods. In E. Oswald and M. Fischlin, editors, Advances in Cryptology –
EUROCRYPT 2015, Part I, volume 9056 of Lecture Notes in Computer Science, pp.
156–170. Springer, Heidelberg, 2015.
BIBLIOGRAPHY 41

[97] John M. Pollard. Monte Carlo methods for index computation (mod p). Mathematics
of Computation, 32(143):918–924, 1978.

[98] John M. Pollard. Kangaroos, monopoly and discrete logarithms. Journal of Cryptology,
13(4):437–447, 2000.
[99] Hans-Georg Rück. On the discrete logarithm in the divisor class group of curves.
Mathematics of Computation, 68(226):805–806, 1999.

[100] Palash Sarkar and Shashank Singh. New complexity trade-offs for the (multiple)
number field sieve algorithm in non-prime fields. Cryptology ePrint Archive, Report
2015/944, 2015. http://eprint.iacr.org/2015/944.
[101] Palash Sarkar and Shashank Singh. A general polynomial selection method and new
asymptotic complexities for the tower number field sieve algorithm. Cryptology ePrint
Archive, Report 2016/485, 2016. http://eprint.iacr.org/.
[102] Palash Sarkar and Shashank Singh. A generalisation of the conjugation method for
polynomial selection for the extended tower number field sieve algorithm. Cryptology
ePrint Archive, Report 2016/537, 2016. http://eprint.iacr.org/.
[103] Palash Sarkar and Shashank Singh. Tower number field sieve variant of a recent
polynomial selection method. Cryptology ePrint Archive, Report 2016/401, 2016.
http://eprint.iacr.org/.
[104] Takakazu Satoh and Kiyomichi Araki. Fermat quotients and the polynomial time
discrete log algorithm for anomalous elliptic curves. Commentarii Math. Univ. St.
Pauli, 47(1):81–92, 1998.

[105] Jürgen Sattler and Claus-Peter Schnorr. Generating random walks in groups. Ann.
Univ. Sci. Budapest. Sect. Comput., 6:65–79, 1985.
[106] Oliver Schirokauer. Discrete logarithms and local units. Philosophical Transactions
of the Royal Society, 345(1676):409–423, 1993.

[107] Daniel Shanks. Class number, a theory of factorization, and genera. In D. J. Lewis,
editor, 1969 Number Theory Institute, volume 20 of Proceedings of Symposia in
Applied Mathematics, pp. 415–440. AMS, 1971.
[108] Peter W. Shor. Polynomial-time algorithms for prime factorization and discrete
logarithms on a quantum computer. SIAM Journal on Computing, 26(5):1484–1509,
1997.
[109] Nigel P. Smart. The discrete logarithm problem on elliptic curves of trace one. Journal
of Cryptology, 12(3):193–196, 1999.
[110] Andreas Stein and Edlyn Teske. Optimized baby step–giant step methods. J.
Ramanujan Math. Soc., 20(1):27–58, 2005.

[111] Douglas R. Stinson. Cryptography: Theory and Practice. Discrete Mathematics and
Its Applications. Chapman and Hall/CRC, 3rd edition, 2006.
[112] The CADO-NFS Development Team. CADO-NFS, an implementation of the number
field sieve algorithm, 2015. Release 2.2.0.

[113] David C. Terr. A modification of Shanks’ baby-step giant-step algorithm. Mathematics


of Computation, 69(230):767–773, 2000.
BIBLIOGRAPHY 42

[114] Edlyn Teske. Speeding up Pollard’s rho method for computing discrete logarithms. In
J. P. Buhler, editor, Algorithmic Number Theory (ANTS-III), volume 1423 of Lecture
Notes in Computer Science, pp. 541–554. Springer, 1998.
[115] Emmanuel Thomé. Computation of discrete logarithms in F2607 . In C. Boyd, editor,
Advances in Cryptology – ASIACRYPT 2001, volume 2248 of Lecture Notes in
Computer Science, pp. 107–124. Springer, Heidelberg, 2001.

[116] Emmanuel Thomé. Discrete logarithms in GF(2607 ), February 2002. Announcement


available at the NMBRTHRY archives, item 001894.
[117] Emmanuel Thomé. Algorithmes de calcul de logarithme discret dans les corps
finis. Thèse, École polytechnique, 2003. https://tel.archives-ouvertes.fr/
tel-00007532.

[118] Paul C. van Oorschot and Michael J. Wiener. Parallel collision search with cryptana-
lytic applications. Journal of Cryptology, 12(1):1–28, 1999.
[119] A. E. Western and J. C. P. Miller. Tables of Indices and Primitive Roots, volume 9 of
Royal Society Mathematical Tables. Cambridge University Press, 1968.
[120] D. H. Wiedemann. Solving sparse linear equations over finite fields. IEEE Transactions
on Information Theory, IT–32(1):54–62, 1986.
[121] Pavol Zajac. Discrete Logarithm Problem in Degree Six Finite Fields. PhD thesis,
Slovak University of Technology, 2008. http://www.kaivt.elf.stuba.sk/kaivt/
Vyskum/XTRDL.

You might also like