Constructing CM Fields for NFS to Accelerate DL Computation in Non-Prime Finite Fields

Abstract

The hardness of discrete logarithm problem (DLP) over finite fields is the security foundation of many cryptographic protocols. When the characteristic is not small, the state-of-the-art algorithms for solving DLP are the number field sieve (NFS) and its variants. In the relation collection step, to translate the relations between prime ideals to those of elements one needs to use the Schirokauer map. Besides, if the number field has non-trivial automorphisms, one can use them to accelerate the factor-base logarithms computation. However, the Schirokauer map is not compatible with automorphisms. To exploit automorphism efficiently, we focus on the method to construct fields in NFS such that the fields on both sides have non-trivial automorphisms with the logarithms of units being zero. 1. We construct two families of CM polynomials of arbitrary even degree with small coefficients, corresponding to the automorphisms being <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">x</i> ↦ – <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">x</i> or <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">x</i> ↦ 1/ <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">x</i> . 2. We show how to combine these polynomials with the JLSV <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">1</sub> and Conjugation polynomial selection methods on both sides. 3. We also generalize our method to the multiple number field sieve and the extended tower number field sieve.