Improvements on the Individual Logarithm Computation for Finite Fields with Composite Extension Degrees

The hardness of discrete logarithm problem over finite fields is the foundation of many cryptographic protocols. The state-of-art algorithms for solving the corresponding problem are number field sieve, function field sieve and quasi-polynomial time algorithm when the characteristics of the finite field are medium to large, medium-small and small, respectively. There are mainly three steps in such algorithms: polynomial selection, factor base logarithms computation, and individual logarithm computation. Note that the former two steps can be precomputed for fixed finite field, and the database containing factor base logarithms can be used by the last step for many times. In certain application circumstances, such as Logjam attack, speeding up the individual logarithm step is vital. In this paper, we devise two methods to improve the individual logarithm step by exploring subfield structure when the extension degree n is composite. The first method applies to the case when the characteristic is medium to large. It is based on the extended tower number field sieve (exTNFS) and the improvement is significant when n has a large proper factor. The second one applies to any characteristic case. It is a generalization of the recent technique of Guillevic. It achieves almost optimal result and the improvement is significant when φ(n)/n is relatively small. We also perform some experiments to illustrate our algorithm and confirm the result.