Factor Base Discrete Logarithms in Kummer Extensions

The discrete logarithm over finite fields of small characteristic can be solved much more efficiently than previously thought. This algorithmic breakthrough is based on pinpointing relations among the factor base discrete logarithms. In this paper, we concentrate on the Kummer extension Fq2(q−1) = Fq2 [x]/(x q−1 − A). It has been suggested that in this case, a small number of degenerate relations (from the Borel subgroup) are enough to solve the factor base discrete logarithms. We disprove the conjecture, and design a new heuristic algorithm with an improved bit complexity Õ(q) (or algebraic complexity Õ(q)) to compute discrete logarithms of all the elements in the factor base {x + α|α ∈ Fq2}, where θ < 2.38 is the matrix multiplication exponent over rings. Given additional time Õ(q), we can compute discrete logarithms of at least Ω(q) many monic irreducible quadratic polynomials. We reduce the correctness of the algorithm to a conjecture concerning the determinant of a simple (q + 1)-dimensional lattice, rather than to elusive smoothness assumptions. We verify the conjecture numerically for all prime powers q such that log2(q 2(q−1)) ≤ 5134, and provide theoretical supporting evidences.