The hardness of discrete logarithm problem over finite fields is the security foundation of many cryptographic protocols. When the characteristic of the finite field is medium or large, the state-of-art algorithms for solving the corresponding problem are the number field sieve and its variants. In 2016, Kim and Barbulescu presented the extended tower number field sieve, which achieves a new complexity in the medium prime case and imposes a new estimation of the security of concrete parameters in certain cryptosystems such as pairing-based cryptosystems. In this paper, a refined analysis to this algorithm is given as follows.

–

Firstly, a uniform formula is given for the total complexity of the extended tower number field sieve. For a given polynomial selection method, this formula can directly give the complexity in this case.

–

Then, a method is proposed to improve the computation in the smoothing phase by exploring subfield structures when the extension degree is composite.

–

At last, the complexity of the descent phase is analyzed when sieving over degree-one polynomials and high-degree polynomials respectively and it is shown still negligible compared to the improved smoothing phase.

有限域上离散对数问题的难度是许多密码协议的安全基础。当有限域的特征为中等或较大时，用于解决相应问题的最新算法是数域筛及其变体。2016年，Kim和Barbulescu提出了扩展塔号场筛，这在中质数情况下实现了新的复杂性，并对某些密码系统（例如基于配对的密码系统）中的具体参数的安全性提出了新的估计。在本文中，对该算法进行了细化的分析，如下所示。

–

首先，给出了扩展塔数场筛总复杂度的统一公式。对于给定的多项式选择方法，在这种情况下，该公式可以直接给出复杂度。

–

然后，提出了一种在扩展程度为合成时通过探索子场结构来改进平滑阶段的计算的方法。

–

最后，分别对一阶多项式和高阶多项式进行筛选时，分析了下降阶段的复杂度，与改进的平滑阶段相比，它的影响仍然可以忽略不计。