Selecting polynomials for the Function Field Sieve

The Function Field Sieve (FFS) algorithm is dedicated to computing discrete logarithms in a finite field $\mathbb{F}_{q^n}$, where $q$ is a prime power, small compared to $q^n$. Introduced by Adleman in [Adl94] and inspired by the Number Field Sieve (NFS), the algorithm collects pairs of polynomials $(a,b) \in \mathbb{F}_q[t]$ such that the norms of $a - bx$ in two function fields are both smooth (the sieving stage), i.e. having only irreducible divisors of small degree. It then solves a sparse linear system (the linear algebra stage), whose solutions, called virtual logarithms, allow one to compute the discrete logarithm of any element during a final stage (individual logarithm stage).

The choice of the defining polynomials $f$ and $g$ for the two function fields can be seen as a preliminary stage of the algorithm. It takes a small amount of time but it can greatly influence the sieving stage by slightly changing the probabilities of smoothness. In order to solve the discrete logarithm in $\mathbb{F}_{q^n}$, the main required property of $f, g \in \mathbb{F}_q[t][x]$ is that their resultant $\mathrm{Res}_x(f,g)$ has an irreducible factor $\varphi(t)$ of degree $n$. Various methods have been proposed to build such polynomials, but the best results in practice correspond to the method of Joux and Lercier [JL02]. Its particularity is that one of the two polynomials, say $g$, is linear. Moreover, for any polynomial $f$ in $\mathbb{F}_q[t][x]$ and any input $\mathbb{F}_{q^n}$, one can associate a linear polynomial $g$ satisfying the requirements of the FFS. This allows us to precompute some polynomials $f$ which have good properties for the sieving stage.

For this, we define and measure the size property and the so-called root and cancellation properties. In short, the cancellation property is measured by a function related to the size of the coefficients of $f$ as well as to the cardinality of the set of pairs $(a,b)$ to be sieved. The root property is measured by , which is inspired by the function used for the factorization algorithms. It is related to the number of roots of $f$ when reduced modulo small irreducible polynomials of $\mathbb{F}_q[t]$. Finally, 1 measures the cancellation property, by evaluating the average loss of degree due to the cancellation of the terms of $f(r)$ when $r$ is a random rational fraction of $\mathbb{F}_q[t]$. We present a sieving procedure which computes , the most costly to evaluate of the three functions. We next combine the different criteria in order to compare arbitrary polynomials. In particular we show experimental evidence that , defined as + + 1, predicts the efficiency of any polynomial.

Our methods were used in two records of discrete logarithm in $\mathbb{F}_{2^n}$ with prime values of $n$. In the last couple of weeks, new algorithms were proposed, which are particularly well adapted for the fields $\mathbb{F}_{2^n}$ for composite values of $n$. In the case when $n$ is prime, the crossing point is to be computed, this latter being determined by the practical improvement of the FFS. See [Bar13] for a broader presentation of our work.
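The root property above is tied to how many roots $f$ has modulo small irreducible polynomials; the following added example (not code from the paper) computes those raw counts over $\mathbb{F}_2[t]$ by exhaustive evaluation. The integer encoding of polynomials, the function names and the sample $f = x^2 + x + t$ are assumptions made for the illustration, only affine roots are counted, and the paper's weighting of the counts and its sieving procedure are not reproduced.

```python
# Added illustration: polynomials of F_2[t] are Python ints
# (bit i = coefficient of t^i); f in F_2[t][x] is a list [f_0, f_1, ...].

def clmul(a, b):
    """Product of a and b in F_2[t] (carry-less multiplication)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def polymod(a, p):
    """Remainder of a modulo p in F_2[t]."""
    dp = p.bit_length()
    while a.bit_length() >= dp:
        a ^= p << (a.bit_length() - dp)
    return a

def is_irreducible(p):
    """Trial division by every polynomial of degree 1 .. deg(p) // 2."""
    deg = p.bit_length() - 1
    return deg >= 1 and all(polymod(p, d) for d in range(2, 1 << (deg // 2 + 1)))

def count_roots(f, p):
    """Number of residues r mod p with f(r) = 0 mod p (affine roots only)."""
    roots = 0
    for r in range(1 << (p.bit_length() - 1)):
        acc = 0
        for coeff in reversed(f):          # Horner evaluation in x
            acc = polymod(clmul(acc, r) ^ coeff, p)
        roots += acc == 0
    return roots

def root_counts(f, max_deg):
    """Map each irreducible p of degree <= max_deg to its root count."""
    return {p: count_roots(f, p)
            for p in range(2, 1 << (max_deg + 1)) if is_irreducible(p)}

# Constructed sample: f = x^2 + x + t, i.e. coefficients [t, 1, 1].
SAMPLE_F = [0b10, 0b1, 0b1]

if __name__ == "__main__":
    for p, n in root_counts(SAMPLE_F, 3).items():
        print(f"p = {p:#06b}: {n} root(s)")
```

For the sample, $x^2 + x = t$ is solvable modulo $p$ exactly when the trace of $t$ in $\mathbb{F}_2[t]/(p)$ is zero, which is why the counts are either 0 or 2.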

[1] Leonard M. Adleman, et al. The function field sieve, 1994, ANTS.

[2] Emmanuel Thomé, et al. Algorithmes de calcul de logarithmes discrets dans les corps finis, 2003.

[3] Wang Hong. Polynomial Selection in the Number Field Sieve, 2003.

[4] Ryutaroh Matsumoto. Using Cab Curves in the Function Field Sieve, 1999.

[5] Antoine Joux, et al. The Function Field Sieve Is Quite Special, 2002, ANTS.

[6] Faruk Göloglu, et al. On the Function Field Sieve and the Impact of Higher Splitting Probabilities: Application to Discrete Logarithms in $\mathbb{F}_{2^{1971}}$, 2013, IACR Cryptol. ePrint Arch.

[7] Don Coppersmith, et al. Fast evaluation of logarithms in fields of characteristic two, 1984, IEEE Trans. Inf. Theory.

[8] Antoine Joux, et al. The Function Field Sieve in the Medium Prime Case, 2006, EUROCRYPT.

[9] Masaaki Shirase, et al. Solving a 676-bit Discrete Logarithm Problem in GF($3^{6n}$), 2010, IACR Cryptol. ePrint Arch.

[10] Masaaki Shirase, et al. Solving a 676-Bit Discrete Logarithm Problem in GF($3^{6n}$), 2010.

[11] J. Neukirch. Algebraic Number Theory, 1999.

[12] John J. Cannon, et al. The Magma Algebra System I: The User Language, 1997, J. Symb. Comput.

[13] Antoine Joux, et al. Improvements to the general number field sieve for discrete logarithms in prime fields. A comparison with the gaussian integer method, 2003, Math. Comput.

[14] Antoine Joux, et al. A New Index Calculus Algorithm with Complexity $L(1/4+o(1))$ in Small Characteristic, 2013, Selected Areas in Cryptography.

[15] Jérémie Detrey, et al. Relation Collection for the Function Field Sieve, 2013, 2013 IEEE 21st Symposium on Computer Arithmetic.

[16] Dino J. Lorenzini. An Invitation to Arithmetic Geometry, 1996.

[17] Leonard M. Adleman, et al. Function Field Sieve Method for Discrete Logarithms over Finite Fields, 1999, Inf. Comput.

[18] B. Murphy. Polynomial Selection for the Number Field Sieve Integer Factorisation Algorithm, 1999.

[19] Tsuyoshi Takagi, et al. Breaking Pairing-Based Cryptosystems Using $\eta_T$ Pairing over GF($3^{97}$), 2012, ASIACRYPT.

[20] Michael Rosen, et al. A classical introduction to modern number theory, 1982, Graduate texts in mathematics.

[21] Paul Zimmermann, et al. Non-linear polynomial selection for the number field sieve, 2012, J. Symb. Comput.

[22] Antoine Joux, et al. Faster Index Calculus for the Medium Prime Case Application to 1175-bit and 1425-bit Finite Fields, 2013, EUROCRYPT.

[23] T. Apostol. Modular Functions and Dirichlet Series in Number Theory, 1976.

[24] W. Fulton, et al. Algebraic Curves: An Introduction to Algebraic Geometry, 1969.