Individual Discrete Logarithm with Sublattice Reduction

TL;DR

This paper introduces an improved lattice reduction technique for the initial splitting step in discrete logarithm computations over finite fields, leading to faster algorithms especially for fields with composite extension degrees.

Contribution

It presents a novel lattice reduction method that produces lower-degree, smaller-coefficient lifts, enhancing the efficiency of the individual logarithm step in discrete log algorithms.

Findings

Faster algorithm for initial splitting in finite fields with composite degrees.

Effective for larger non-trivial divisors of the extension degree n.

Demonstrated improved practical performance on 500-bit and 700-bit fields.

Abstract

The Number Field Sieve and its numerous variants is the best algorithm to compute discrete logarithms in medium and large characteristic finite fields. When the extension degree n is composite and the characteristic p is of medium size, the Tower variant (TNFS) is asymptotically the most efficient one. Our work deals with the last main step, namely the individual logarithm step, that computes a smooth decomposition of a given target T in the finite field thanks to two distinct phases: an initial splitting step, and a descent tree. In this article, we improve on the current state-of-the-art Guillevic's algorithm dedicated to the initial splitting step for composite n. While still exploiting the proper subfields of the target finite field, we modify the lattice reduction subroutine that creates a lift in a number field of the target T. Our algorithm returns lifted elements with lower degrees and coefficients, resulting in lower norms in the number field. The lifted elements are not only much likely to be smooth because they have smaller norms, but it permits to set a smaller smoothness bound for the descent tree. Asymptotically, our algorithm is faster and works for a larger area of finite fields than Guillevic's algorithm, being now relevant even when the medium characteristic p is such that Lpn (1/3) $\le$ p < Lpn (1/2). In practice, we conduct experiments on 500-bit and 700-bit composite finite fields: Our method becomes more efficient as the largest non trivial divisor of n grows, being thus particularly adapted to even extension degrees.