Anand Kumar Narayanan

Ming-Deh Huang, Anand Kumar Narayanan

Recent breakthrough methods \cite{gggz,joux,bgjt} on computing discrete logarithms in small characteristic finite fields share an interesting feature in common with the earlier medium prime function field sieve method \cite{jl}. To solve discrete logarithms in a finite extension of a finite field $\F$, a polynomial $h(x) \in \F[x]$ of a special form is constructed with an irreducible factor $g(x) \in \F[x]$ of the desired degree. The special form of $h(x)$ is then exploited in generating multiplicative relations that hold in the residue class ring $\F[x]/h(x)\F[x]$ hence also in the target residue class field $\F[x]/g(x)\F[x]$. An interesting question in this context and addressed in this paper is: when and how does a set of relations on the residue class ring determine the discrete logarithms in the finite fields contained in it? We give necessary and sufficient conditions for a set of relations on the residue class ring to determine discrete logarithms in the finite fields contained in it. We also present efficient algorithms to derive discrete logarithms from the relations when the conditions are met. The derived necessary conditions allow us to clearly identify structural obstructions intrinsic to the special polynomial $h(x)$ in each of the aforementioned methods, and propose modifications to the selection of $h(x)$ so as to avoid obstructions.

Ming-Deh Huang, Anand Kumar Narayanan

In \cite{joux}, Joux devised an algorithm to compute discrete logarithms between elements in a certain subset of the multiplicative group of an extension of the finite field $\mathbb{F}_{p^n}$ in time polynomial in $p$ and $n$. Shortly after, Barbulescu, Gaudry, Joux and Thome \cite{bgjt} proposed a descent algorithm that in $(p n)^{\mathcal{O}(\log n)}$ time projects an arbitrary element in $\mathbb{F}_{p^n}^\times$ as a product of powers of elements in the aforementioned subset. Together, these two algorithms yield a quasi-polynomial time algorithm for computing discrete logarithms in finite fields of small characteristic. The success of both the algorithms are reliant on heuristic assumptions. We identify obstructions that prevent certain heuristic assumptions they make from being true in general. Further, we describe methods to overcome these obstructions.