Refined analysis to the extended tower number field sieve

Abstract

The hardness of discrete logarithm problem over finite fields is the security foundation of many cryptographic protocols. When the characteristic of the finite field is medium or large, the state-of-art algorithms for solving the corresponding problem are the number field sieve and its variants. In 2016, Kim and Barbulescu presented the extended tower number field sieve, which achieves a new complexity in the medium prime case and imposes a new estimation of the security of concrete parameters in certain cryptosystems such as pairing-based cryptosystems. In this paper, a refined analysis to this algorithm is given as follows.

• Firstly, a uniform formula is given for the total complexity of the extended tower number field sieve. For a given polynomial selection method, this formula can directly give the complexity in this case.

• Then, a method is proposed to improve the computation in the smoothing phase by exploring subfield structures when the extension degree is composite.

• At last, the complexity of the descent phase is analyzed when sieving over degree-one polynomials and high-degree polynomials respectively and it is shown still negligible compared to the improved smoothing phase.

Introduction

The discrete logarithm problem (DLP) in finite fields has played an important role in public key cryptography, firstly used to construct Diffie-Hellman key exchange protocol [13], later used as an important ingredient to build torus-based [33] and pairing-based [20], [10] cryptographic schemes besides other applications.

It has long been observed that the characteristic of the underlying finite field affects the hardness of the corresponding discrete logarithm problem. Denote

$$L_Q(\alpha ,c)=\exp ((c+o(1)){(\log Q)}^{\alpha }{(\log \log Q)}^{1-\alpha }),$$

where Q is the cardinality of the field ${\mathbb{F}}_{p^n}$. For simplicity, we omit Q and c when there is no confusion.

Let $p=L_Q({\alpha }_p,c_p)$. When the characteristic is medium or large (${\alpha }_p>1/3$), the state-of-art general purpose algorithm is the number field sieve (NFS) [15], [36], [23], [26]. When the characteristic is small (${\alpha }_p<1/3$), the state-of-art general purpose algorithm is the quasi-polynomial time algorithm (QPA) [7], [16], [17], which derives from the function field sieve (FFS) [1], [2], [21]. While QPA enjoys heuristic $L({\alpha }_p+o(1))$ and quasi-polynomial time complexity for the small characteristic case and fixed characteristic case respectively, NFS still runs in $L(1/3)$ time.

In 2016, Kim and Barbulescu [26] presented the extended tower number field sieve (exTNFS) and achieved a new complexity in the medium prime case. When the extension degree n can factor into two coprime integers and some other conditions are satisfied, the best complexity of exTNFS in the medium prime case is $L_Q(1/3,\sqrt[3]{\frac{48}{9}})$. Later, Kim and Jeong [27] removed the coprime restriction. Sarkar and Singh [34] combined the SS polynomial selection methods [35] and exTNFS to further loosen the conditions. These recent progress has imposed a new concrete key size estimation of certain pairing-based cryptosystems [30], [5].

Briefly, NFS consists of three steps in general: polynomial selection, factor-base logarithm computation, and individual logarithm computation. In polynomial selection step, two suitable polynomials are selected as a setup. The property of the selected polynomials affects the efficiency of the latter two steps. In recent years, some efficient polynomial selection methods have been proposed [23], [29], [6], [35]. In the factor-base logarithm step, the logarithms among the factor-base are computed and stored in a database. For several discrete logarithms computation circumstances, such as batch-DLP and delayed-target DLP, the polynomial selection step and factor-base logarithm step can be computed only once. Then the efficiency of computing an individual logarithm will be more important. For instance, the Logjam attack [3] against the real-world Diffie-Hellman key exchange protocol highlights the power of faster individual DL method.

The individual logarithm step includes two important phases: smoothing phase and descent phase. In the smoothing phase, one randomizes the target element until it splits into several smooth elements. The complexity of this phase depends on the norm of the preimage of the target element. At Asiacrypt 2015, Guillevic [18] took advantage of the subfield of degree 1 or 2 to construct a preimage with smaller norm. It reduced the complexity of the smoothing phase significantly when n is small.

Some elements obtained in the smoothing phase may not be in the factor-base. In the descent phase, we establish the relation between these elements and other elements with smaller norm until all the elements are in the factor-base. There are some papers giving the complexity analysis to this phase, such as [12], [4], [14] for prime fields, [29] for large characteristic fields and [22], [9] for medium and large characteristic fields. Besides the classical NFS, [8] and [26] gave the analysis to the descent phase in TNFS and exTNFS, respectively.

Throughout the paper, we assume that the target finite field is ${\mathbb{F}}_Q={\mathbb{F}}_{p^n}$, where $p=L_Q({\alpha }_p,c_p)$ with ${\alpha }_p>1/3$ and the extension degree $n=n_1{n}_2$.

Notation.

$$\begin{array}{cc}\hfill \mathbb{Q}(r)& \text{a number field defined by }h\hfill \\ \hfill K_f& \text{a number field over }\mathbb{Q}(r)\text{ defined by }f\hfill \\ \hfill K_g& \text{a number field over }\mathbb{Q}(r)\text{ defined by }g\hfill \\ \hfill f& \text{an irreducible polynomial over }\mathbb{Z}[r]\text{ of degree }{d}_f\hfill \\ \hfill g& \text{an irreducible polynomial over }\mathbb{Z}[r]\text{ of degree }{d}_g\hfill \\ \hfill h& \text{an irreducible polynomial over }\mathbb{Z}\text{ of degree }{n}_1\text{with small coefficients}\hfill \\ \hfill n_f& \text{the coefficients of }f\text{ are bounded by }O(p^{n_2/n_f})\hfill \\ \hfill n_g& \text{the coefficients of }g\text{ are bounded by }O(p^{n_2/n_g})\hfill \end{array}$$

The results of the paper are the following:

• First, we show the heuristic complexity of exTNFS has a uniform formula

  $$L_Q(1/3,\sqrt[3]{\frac{c}{9}}),$$

  where

  $$c\ge 64\frac{t-1}{t}(d_f+d_g)(\frac{1}{n_f}+\frac{1}{n_g}).$$

  The equality holds if and only if $(t-1)(\frac{d}{n_f}+\frac{d}{n_g})=\frac{2c_b(d_f+d_g)}{td}$, where t is the degree of the polynomials to be sieved.

• In the smoothing phase, we explicitly use the subfield to construct a preimage with coefficients bounded by $O\left(p^{\frac{n-n_1}{n_1{d}_f}}\right)$. This can reduce the complexity in this phase and we show that we can take $n_1$ to be m in most of the cases, where m is the largest proper factor of n. In addition, we show that we can construct a preimage of lower degree with the same size of coefficients in some situations by combining our method and Guillevic's method.

• Since the improvement of the smoothing phase will impact the complexity of the descent phase, we give a precise analysis to the descent phase. We give the complexity formulae when sieving over degree-one polynomials and high-degree polynomials respectively. These prove that using high-degree polynomials can reduce the complexity and the complexity of descent phase is still negligible compared to the improved smoothing phase.

Paper organization: The rest of the paper is organized as follows. In Section 2, we briefly recall the exTNFS algorithm, known results of complexity analysis, and known results about the individual logarithm step. In Section 3, we give a uniform formula for the complexity of exTNFS. The analysis doesn't depend on a specific polynomial selection method. In Section 4, we construct a preimage with coefficients bounded by $O\left(p^{\frac{n-n_1}{n_1{d}_f}}\right)$ by exploring the subfield structure and taking advantage of exTNFS. Then, we show how to combine our method with Guillevic's method. In Section 5, we precisely analyze complexity of the descent phase and show that using high-degree polynomials can reduce the complexity. We also show that the complexity of smoothing phase still dominates the complexity of individual logarithm step. In Section 6, we conclude the paper.