On the selection of polynomials for the DLP quasi-polynomial time algorithm in small characteristic
arXiv preprint [math.NT]
Giacomo Micheli
Abstract.

In this paper we characterize the set of polynomials $f \in \mathbb{F}_q[X]$ satisfying the following property: there exists a positive integer $d$ such that for any positive integer $\ell$ less than or equal to the degree of $f$, there exists $t \in \mathbb{F}_{q^d}$ such that the polynomial $f - t$ has an irreducible factor of degree $\ell$ over $\mathbb{F}_{q^d}[X]$. This result is then used to make progress on the last step needed to remove the heuristic from one of the quasi-polynomial time algorithms for the discrete logarithm problem (DLP) in small characteristic. Our characterization allows a construction of polynomials satisfying the wanted property. The method is general and can be used to tackle similar problems involving factorization patterns of polynomials over finite fields.

1. Introduction
For a long time the discrete logarithm problem (DLP) over finite fields has been one of the most important primitives used in cryptographic protocols. The major breakthrough in recent years concerning DLPs in small characteristic consists of the heuristic quasi-polynomial time algorithms given in [1, 4] (see also [3, 6] for their origins).

In this paper we focus on the algorithm in [4], which relies only on the field representation heuristic (see [4, p. 2]). If that heuristic can be proved, this would show that the DLP in small characteristic can indeed be solved in quasi-polynomial time. Our results characterize a class of polynomials which seem to be particularly suitable for performing the quasi-polynomial time DLP algorithm described in [4], and show that if one wants to select polynomials satisfying the wanted property, they have to be chosen in this class (see Theorem 12). Our constructions involve some Galois theory over function fields, group theory and the Chebotarev density theorem. Let us start with the motivating conjecture, which has to be proved in order to remove the remaining heuristic from the algorithm in [4].
Conjecture 1.

For any finite field $\mathbb{F}_q$ and any fixed positive integer $\ell \le q + 2$, there exists an integer $d = O(\log(q))$ and coprime $h_0, h_1 \in \mathbb{F}_{q^d}[X]$ of degree at most $2$ such that $h_1 X^q + h_0$ has an irreducible factor of degree $\ell$.

If this conjecture is true, then the DLP in small characteristic can be solved in non-heuristic quasi-polynomial time by the algorithm presented in [4]. Such a requirement also appeared in [1, Section 5], where it is observed that the choice $h_1 = 1$ and $h_0 = X^2 - t$ (for some well chosen $t \in \mathbb{F}_{q^d}$) seems to always satisfy the requirements in odd characteristic and for $d = 2$. This motivates us to formulate the following stronger conjecture.

Conjecture 2.
Let $\mathbb{F}_q$ be a finite field of odd characteristic. There exists an integer $d = O(\log(q))$ and coprime $h_0, h_1 \in \mathbb{F}_{q^d}[X]$ of degree at most $2$ such that, for any positive integer $\ell \le \deg(h_1) + q$, there exists $t \in \mathbb{F}_{q^d}$ such that $h_1 X^q + h_0 - t$ has an irreducible factor of degree $\ell$.

A polynomial satisfying Conjecture 2 allows one to build extensions with the correct representation and of the desired degree. Both these conjectures seem to be very hard. In this paper we make a step forward by proving a relaxed version of the stronger conjecture: we fit the conjecture above into a general framework and show a characterization of polynomials satisfying a weaker property than the one described in Conjecture 2. In particular we are able to prove the following.
Theorem 3.

Let $\mathbb{F}_q$ be a finite field of odd characteristic. There exists an integer $d \in \mathbb{N}$ and coprime $h_0, h_1 \in \mathbb{F}_{q^d}[X]$ of degree at most $2$ such that, for any positive integer $\ell \le \deg(h_1) + q$, there exists $t \in \mathbb{F}_{q^d}$ such that $h_1 X^q + h_0 - t$ has an irreducible factor of degree $\ell$. Moreover, such polynomials can be constructed explicitly.

More generally, we characterize completely (in any characteristic) the polynomials $f \in \mathbb{F}_q[X]$ having the property that there exists $d \in \mathbb{N}$ such that for any $\ell \le \deg(f)$ there exists $t \in \mathbb{F}_{q^d}$ such that $f - t$ has an irreducible factor of degree $\ell$ in $\mathbb{F}_{q^d}[X]$.

On the theoretical side, our result shows the existence of such a $d$ for a certain class of polynomials, which is the first step in the attempt to give an explicit bound. In practice, our methods are constructive and allow one to build new families of polynomials (see for example the constructions in Subsection 5.1) which always satisfy the wanted requirements. Even though we can show the existence of such a $d$ for these families of polynomials, the wrinkle is that the required $d$ might in principle be large (but in practice, if one follows our recipe, this seems never to be the case). In a nutshell, in this paper we solve the geometric part of the problem connected with the two conjectures above; what remains to be done to completely remove the heuristic is to give an explicit logarithmic bound for $d$ for at least one polynomial in our families.

The key idea of the method is the following. We look at the problem in a function field theoretical framework, explaining that the factorization conditions can be translated into group theoretical properties of the Galois closure of a certain extension $L : K$ of global function fields. Then we use the rigidity of group theory to determine the Galois groups that can occur for the polynomials we are interested in.
Finally, the Chebotarev density theorem for global function fields ensures that, for any fixed element $\gamma$ of the Galois group, there exists an unramified place $P$ of $K$ for which the cycle decomposition of $\gamma$ (acting on a certain set of homomorphisms) appears exactly as the splitting of $P$ in $L$.

The paper is structured as follows. In Section 2 we recap the basic tools we need from algebraic number theory and group theory. In Section 3 we characterize the monodromy groups of the class of polynomials we are interested in. In Section 4 we specialize to the polynomial $X^q + X^2$ and compute its monodromy group, showing that for odd $q$ it is indeed the full symmetric group. In Section 5 we show other examples of polynomials of the wanted form that have symmetric monodromy group.

1.1. Notation.
For the entire paper $p$ is a prime (even or odd) and $q = p^a$ for some positive integer $a$. Let $k := \mathbb{F}_q$ be the finite field of order $q$. Let $f \in k[X] \setminus k[X^p]$. Let $M_f$ be the splitting field of $f - t$ over $k(t)$, which is a separable extension of $k(t)$. Let $\tilde k$ be the field of constants of $M_f$, i.e. the integral closure of $k$ in $M_f$. Let $A_f = \mathrm{Gal}(M_f : k(t))$ be the arithmetic monodromy group of $f$ and $G_f = \mathrm{Gal}(M_f : \tilde k(t)) \trianglelefteq A_f$ the geometric monodromy group of $f$. Let $S_n$ be the symmetric group of degree $n$. If $F_1, F_2$ are subfields of a larger field $F$, we denote by $F_1F_2$ the compositum of $F_1$ and $F_2$. Let $G$ be a group acting on a set $Y$. For any $y \in Y$ we denote by $\mathrm{St}_G(y)$ the stabilizer of $y$ in $G$.

2. $d$-universal polynomials and Galois theory over function fields

In this section we define the notion of universal polynomial and state the basic results from global function field theory that we will use in the rest of the paper.
Definition 4.
Let $f \in \mathbb{F}_q[X]$. We say that $f$ is $d$-universal for some positive integer $d$ if for any positive integer $\ell \le \deg(f)$ there exists $t \in \mathbb{F}_{q^d}$ such that $f(X) - t$ has an irreducible factor of degree $\ell$. We say that $f$ is universal if it is $d$-universal for some $d$.

Remark 5.
In this notation, in [1] it is suggested that $X^q + X^2$ is 2-universal for any odd $q$ (see the section "Finding appropriate $h_0, h_1$" of [1]).

In what follows we will use the notation and terminology of [10]. First, we need a classical result from algebraic number theory, which will be used to transfer splitting conditions of places into group theoretical properties of a certain Galois group.

Theorem 6.
Let $L : K$ be a finite separable extension of global function fields and let $M$ be its Galois closure with Galois group $G$. Let $P$ be a place of $K$ and $\mathcal{Q}$ the set of places of $L$ lying over $P$. Let $R$ be a place of $M$ lying over $P$. There is a natural bijection between $\mathcal{Q}$ and the set of orbits of $H = \mathrm{Hom}_K(L, M)$ under the action of the decomposition group $D(R|P) = \{g \in G \mid g(R) = R\}$. In addition, let $Q \in \mathcal{Q}$ and let $H_Q$ be the orbit corresponding to $Q$. Then $|H_Q| = e(Q|P)\, f(Q|P)$, where $e(Q|P)$ and $f(Q|P)$ are the ramification index and the relative degree respectively.

A proof of Theorem 6 can be found for example in [5]. For a finite Galois extension of function fields $M : K$ with Galois group $G$, let $P$ be a degree 1 place of $K$ and $R$ a place of $M$ lying over $P$. Let $\varphi$ be the topological generator of $\mathrm{Gal}(\bar k : k)$ defined by $y \mapsto y^q$. Let $k_R$ be the residue field at $R$ and let $\varphi_R$ be the image of $\varphi$ in $\mathrm{Gal}(k_R : k)$. If $(R, M:K)$ is the set of elements in $D(R|P)$ mapping to $\varphi_R$, we denote by $(P, M:K)$ the set $\{gxg^{-1} : g \in G,\ x \in (R, M:K)\}$. We are now ready to state the other fundamental tool, which can easily be adapted from [7].

Theorem 7 (Chebotarev density theorem).

Let $M : K$ be a finite Galois extension of function fields over a finite field $k$ of cardinality $q$ and let $\tilde k$ be the constant field of $M$. Let $A = \mathrm{Gal}(M : K)$ and $G = \mathrm{Gal}(M : \tilde k K)$. Let $\gamma \in A$ be such that $\gamma$ acts as $u \mapsto u^q$ when restricted to $\tilde k$. Let $g \in G\gamma$, let $\Gamma$ be the conjugacy class of $g$ and let $S_K$ be the set of places of $K$ which are unramified in $M$. Then we have
$$\bigl|\{P \in S_K \mid \deg_k(P) = 1,\ (P, M:K) = \Gamma\}\bigr| = \frac{|\Gamma|}{|G|}\, q + E, \qquad |E| \le 2\,\frac{|\Gamma|}{|G|}\, g_M\, q^{1/2},$$
where $g_M$ is the genus of $M$.
Theorem 7 combined with Theorem 6 is used to push group theoretical information to splitting statistics: the key fact is that the number of elements in the Galois group with a certain cycle decomposition (and in the correct coset of the geometric Galois group) determines the statistics of the unramified places that split according to the given cycle decomposition. Let us give an example that clarifies the procedure for the class of extensions we are interested in. Let $f$ be a polynomial of degree $n$ in $\mathbb{F}_q[X]$ and consider the polynomial $f - t \in \mathbb{F}_q(t)[X]$. Set $L = \mathbb{F}_q(x) = \mathbb{F}_q(t)[x]/(f(x) - t)$, $K = \mathbb{F}_q(t)$, and $M_f$ as in the notation section (i.e. the Galois closure of $L : K$). Observe first that $\mathrm{Hom}_K(L, M_f)$ is in natural correspondence with the roots of $f(x) - t$ in $M_f$, and in turn the action of $A_f$ on $\mathrm{Hom}_K(L, M_f)$ is equivalent to the action of $A_f$ on the roots of $f - t$. Now, suppose for example that we want an estimate for the number of $t$'s in $\mathbb{F}_q$ such that $f - t$ splits into two irreducible factors of degree 2 and one irreducible factor of degree $n - 4$ in $\mathbb{F}_q[x]$. Let $\gamma \in A_f$ be the Frobenius (i.e. $x \mapsto x^q$) for the field $\tilde k$. Take the coset $G_f\gamma$ and the set $Z$ of all elements of $G_f\gamma$ with disjoint cycle decomposition
$$(\cdot,\cdot)(\cdot,\cdot)\underbrace{(\cdot,\dots,\cdot)}_{n-4}$$
when acting on the roots of $f - t$. Notice that $Z \subseteq G_f\gamma$ is a union of $A_f$-conjugacy classes, as $A_f/G_f$ is cyclic. Applying Chebotarev to each of these conjugacy classes and adding the estimates together gives that the number of $t \in \mathbb{F}_q$ such that $f - t$ has the wanted factorization pattern is $q|Z|/|G_f| + O(\sqrt q)$, where the implied constant can be chosen independent of $q$.

In what follows we will only need the following special version of the Chebotarev density theorem, which can also be derived from [9].

Theorem 8 (Chebotarev density theorem with trivial constant field extension).
Let $M : K$ be a finite Galois extension of function fields over a finite field $k$ of cardinality $q$. Let $G = \mathrm{Gal}(M : K)$ and assume that the field of constants of $M$ is exactly $k$. Let $\Gamma$ be a conjugacy class of $G$ and let $S_K$ be the set of places of $K$ which are unramified in $M$. Then we have
$$\bigl|\{P \in S_K \mid \deg_k(P) = 1,\ (P, M:K) = \Gamma\}\bigr| = \frac{|\Gamma|}{|G|}\, q + O\bigl(q^{1/2}\bigr).$$

The following easy lemma simplifies some of the proofs of the results in this paper.
Lemma 9.
Let $f$ be a separable polynomial, let $k'$ be an extension of $k$, and let $\tilde k' := k' \cap \tilde k$. Then $\mathrm{Gal}(k'M_f : k'(t)) \cong \mathrm{Gal}(M_f : \tilde k'(t))$.

Proof.

First we observe that if $F_1 = M_f$ and $F_2 = k'(t)$, then $F_1 \cap F_2 = \tilde k'(t)$. In addition, we know the Galois group of the compositum:
$$\mathrm{Gal}(F_1F_2 : F_1 \cap F_2) = \mathrm{Gal}(k'M_f : \tilde k'(t)) \cong \mathrm{Gal}(M_f : \tilde k'(t)) \times \mathrm{Gal}(k'(t) : \tilde k'(t)),$$
where the isomorphism is given by the restriction maps to $M_f$ and $k'(t)$. It follows easily that $\mathrm{Gal}(k'M_f : k'(t)) \cong \mathrm{Gal}(M_f : \tilde k'(t))$. □

2.1. Short group theory interlude.

Definition 10.
Let $X$ be a finite set and $G$ a finite group. An action of $G$ on $X$ is said to be non-primitive if there exist an integer $\ell \in \{2, \dots, |G| - 1\}$ and a partition of $X$ into $X_1, \dots, X_\ell$ such that for any $i \in \{1, \dots, \ell\}$ and any $g \in G$ we have $g(X_i) = X_{i_g}$ for some $i_g \in \{1, \dots, \ell\}$. An action is said to be primitive if it is not non-primitive.

Roughly, the above definition states that an action of a group $G$ on a set $X$ is primitive if it does not preserve any non-trivial partition of $X$. We will also need the following group theory lemma, of which we include the proof for completeness.

Lemma 11.
Let $G$ be a subgroup of $S_n$ acting on $U = \{1, \dots, n\}$. Suppose that $G$ acts transitively on $U$ and that it contains a cycle of prime order $r$ with $r > n/2$. Then $G$ acts primitively on $U$.

Proof. Let $X_1 \sqcup X_2 \sqcup \dots \sqcup X_\ell$ be a system of imprimitivity. This is the partition induced by a non-trivial equivalence relation $\sim$ which is $G$-invariant (i.e. $x \sim y$ implies $gx \sim gy$). Since $G$ acts transitively, we recall that $|X_i| = |X_1|$ for all $i \in \{1, \dots, \ell\}$. We argue by contradiction, assuming $1 < |X_1| < n$. Consider now the cycle $\sigma$ of order $r$ and take $X_j$ intersecting the support of $\sigma$ (i.e. $\sigma$ acts non-trivially on $X_j$). Consider the orbit of $X_j$ under $\sigma$: $X_j, \sigma(X_j), \dots, \sigma^{v-1}(X_j)$, where $v$ is the size of the orbit of $X_j$ under $\sigma$. Then $v$ necessarily divides $r$, and both $v = 1$ and $v = r$ are impossible: if $v = 1$ the $r$ points moved by $\sigma$ all lie in $X_j$, so $|X_j| \ge r > n/2$, which contradicts $|X_j|$ being a proper divisor of $n$; if $v = r$ the $r$ distinct blocks in the orbit, each of size at least 2, would contain more than $n$ elements. □

3. A characterization of universal polynomials
We are now ready to prove the main result.
Theorem 12.
Let $f \in \mathbb{F}_q[X]$ and suppose that $n = \deg(f) \ge 8$. Then $f$ is universal if and only if $A_f = G_f = S_n$.

Proof. First, let us assume that $f$ is $d$-universal for some positive integer $d$. Consider first $A'_f = \mathrm{Gal}(\mathbb{F}_{q^d}M_f : \mathbb{F}_{q^d}(t)) \le S_n$. Let $x$ be any zero of $f(X) - t$ over $\overline{\mathbb{F}_q(t)}$. From now on, we will look at $A'_f$ as a subgroup of the permutation group of the roots of $f(X) - t$ (or equivalently of the set $H = \mathrm{Hom}_{\mathbb{F}_{q^d}(t)}(\mathbb{F}_{q^d}(x), \mathbb{F}_{q^d}M_f)$). Our first purpose is to show that $A'_f = S_n$.

Let $r$ be a prime in $\{\lfloor n/2 \rfloor + 1, \dots, n - 3\}$. Such a prime always exists by Bertrand's postulate (also known as Chebyshev's theorem). Fix now $t \in \mathbb{F}_{q^d}$ in such a way that $f(X) - t$ has an irreducible factor $h(X)$ of degree $r$ (over $\mathbb{F}_{q^d}[X]$). This implies immediately that the ramification index at $t$ is one, as $h(X)^e$ would have degree larger than $n$ for any $e > 1$. We claim that there exists $\gamma \in A'_f$ which is a cycle of order $r$. Let $P$ be the place corresponding to $t$, $Q$ the place of $\mathbb{F}_{q^d}(x)$ corresponding to the irreducible factor of degree $r$ lying over $P$, and $R$ a place of $\mathbb{F}_{q^d}M_f$ lying over $Q$. Let $g \in D(R|P)$ be such that its image in $\mathrm{Gal}(\mathcal{O}_R/R : \mathcal{O}_P/P)$ under the natural reduction modulo $R$ is the Frobenius automorphism. The order of $g$ is then divisible by $r$, since an orbit of $g$ acting on $H$ has size $r$ (by the natural correspondence given by Theorem 6). As $r$ is prime, the only possibility is that $g$ has a cycle of order $r$ in its decomposition into disjoint cycles. Now, as $r > n/2$, a certain power of $g$ is a cycle of order $r$: this is our element $\gamma$.

Let us now summarize the properties of $A'_f$ given by the $d$-universality:

(1) It contains a cycle of prime order $r$ with $n/2 < r < n - 2$.
(2) Since $f(X) - t$ is irreducible for some $t$, $A'_f$ contains a cycle of order $n$ by a direct application of Theorem 6.
(3) Analogously, it contains a cycle of order $n - 1$.

By (2) the group $A'_f$ is transitive, so by (1) and Lemma 11 it is primitive; therefore (1)+(2) implies that $A'_f$ contains the alternating group, thanks to a theorem of Jordan [12, Theorem 13.9]. Then (2)+(3) implies that $A'_f$ is not the alternating group (one of the two cycles is an odd permutation). It follows that $A'_f = S_n$.

Let us now show that $A_f = A'_f$. Recall that $\tilde k$ is the constant field of $M_f$. Let $k' = \mathbb{F}_{q^d}$ and $\tilde k' = \tilde k \cap k'$. By Lemma 9,
$$S_n = A'_f = \mathrm{Gal}(k'M_f : k'(t)) \cong \mathrm{Gal}(M_f : \tilde k'(t)).$$
Now, observing that $\mathrm{Gal}(M_f : \tilde k'(t)) \le \mathrm{Gal}(M_f : \mathbb{F}_q(t)) = A_f \le S_n$, we conclude that $A'_f = A_f$.

We now have to show that the field of constants of $M_f$ is indeed $\mathbb{F}_q$. The only other possibility is that the field of constants is $\tilde k = \mathbb{F}_{q^2}$, as for $n \ge 5$ the group $S_n$ has no proper non-trivial normal subgroups other than the alternating group $A_n$. The reader should notice that if $d$ is even then $\tilde k' = \tilde k$ (both candidates for $\tilde k$ are contained in $\mathbb{F}_{q^d}$), therefore we are done by the fact that $G_f = \mathrm{Gal}(M_f : \tilde k'(t)) = \mathrm{Gal}(M_f : \tilde k(t)) = S_n$. Thus, we restrict to the case $d$ odd.

Let us argue by contradiction by supposing $k'\tilde k = \mathbb{F}_{q^{2d}}$. Suppose that $n = \deg(f)$ is odd, and let $t \in \mathbb{F}_{q^d}$ be such that $f(x) - t$ is irreducible of degree $n$. Let us denote by $P$ the place corresponding to $t$ in $\mathbb{F}_{q^d}(t)$, by $Q \subset \mathbb{F}_{q^d}(x)$ the place over $P$ corresponding to the irreducible polynomial $f(x) - t$, and by $R$ a place of $\mathbb{F}_{q^d}M_f$ lying over $Q$. Since $Q$ is unique and unramified, $R$ is unramified. Therefore $D(R|P)$ is cyclic and has exactly one orbit, of order $n$, corresponding to $Q$ under the bijection given by Theorem 6. It follows that any generator of $D(R|P)$ is a cycle of order $n$, so $D(R|P)$ has order $n$. On the other hand, the order of $D(R|P)$ is also $f(R|P)$, which is divisible by $[\mathbb{F}_{q^{2d}} : \mathbb{F}_{q^d}] = 2$; thus we have a contradiction.

If $n$ is even, then take $t$ for which $f(x) - t$ has an irreducible factor $h(X)$ of degree $n - 1$. Let $P$ be the place corresponding to $t$ and $Q_1, Q_2$ the places of $\mathbb{F}_{q^d}(x)$ corresponding respectively to $h(X)$ and to the factor of degree one of $f(x) - t$. Let $R$ be a place of $\mathbb{F}_{q^d}M_f$ lying over $P$. Since $Q_1$ and $Q_2$ are the only places of $\mathbb{F}_{q^d}(x)$ lying over $P$ and they are both unramified, any place $R$ lying above $P$ is unramified. Arguing as before, we get that $D(R|P)$ is cyclic and has a cycle of order $n - 1$, therefore $f(R|P) = |D(R|P)| = n - 1$. On the other hand, since the order of the decomposition group is divisible by $[\mathbb{F}_{q^{2d}} : \mathbb{F}_{q^d}] = 2$, we get the contradiction we wanted.

This shows that the constant field of $\mathbb{F}_{q^d}M_f$ is $\mathbb{F}_{q^d}$. On the other hand, the field of constants of $\mathbb{F}_{q^d}M_f$ is $\tilde k\,\mathbb{F}_{q^d}$: as $d$ is odd, this forces $\tilde k = \mathbb{F}_q$ (as the only other possibility was $k'\tilde k = \mathbb{F}_{q^{2d}}$).

Let us prove the other implication. Suppose that $G_f = A_f = S_n$ and fix $\ell \in \{1, \dots, n\}$. Let $\gamma$ be a cycle of $G_f$ of order $\ell$ and let $\Gamma$ be its conjugacy class. In the notation of Theorem 8, for any $d \in \mathbb{N}$ we have
$$\bigl|\{P \in S_{\mathbb{F}_{q^d}(t)} \mid \deg_{\mathbb{F}_{q^d}}(P) = 1,\ (P, M:K) = \Gamma\}\bigr| = \frac{|\Gamma|}{|G_f|}\, q^d + O\bigl(q^{d/2}\bigr),$$
where the implied constant is independent of $d$ and $q$. This shows immediately that, when $d$ is large enough, there is an unramified place $P$ of degree 1 in $\mathbb{F}_{q^d}(t)$ (corresponding to an element $t \in \mathbb{F}_{q^d}$) for which $\gamma$ is the Frobenius (for some place of $\mathbb{F}_{q^d}M_f$ lying over $P$). As $\gamma$ is a cycle of order $\ell$, by applying Theorem 6 we get that $f(X) - t$ has a factor of degree $\ell$ in $\mathbb{F}_{q^d}[X]$. □

Remark 13.
The philosophy behind the proof of the first implication of Theorem 12 can be applied to prove similar statements, so we highlight the two most important steps here. The first step is to use the property we are interested in to obtain a collection of group theoretical conditions via Theorem 6 (conditions (1), (2), (3) in the proof of Theorem 12). Then, once the candidate arithmetic monodromy group is described, we have to understand how the property we require from $f$ (in this case universality), combined with the group theoretical properties we found, affects the possible field of constants of $M_f$ (in our case we could prove that $\tilde k = \mathbb{F}_q$, i.e. the constant field extension is trivial). The critical advantage of the method is that one can use powerful group theoretical machinery to obtain a complete characterization of monodromy groups. Moreover, via the Chebotarev density theorem, the monodromy groups capture all the splitting statistics of the map $f$ as long as the base field is large enough compared with the degree of $f$.

Remark 14.
The reader should notice that the second implication, i.e. the last paragraph of the above proof, can also be deduced from [2, Theorem 1].
Corollary 15.
Suppose that $f$ is $d$-universal for some $d$. Then there exists $d_0$ such that $f$ is $d$-universal for every $d > d_0$.

Proof.
Suppose that $f$ is $d$-universal; then $G_f = A_f = S_n$. By the same argument as in the proof of the second implication of Theorem 12, it follows that when $d$ is large enough the number of $t \in \mathbb{F}_{q^d}$ for which $f(x) - t$ has an irreducible factor of degree $\ell$ can be estimated as $\frac{|\Gamma|}{|G_f|}\, q^d$, for $\Gamma$ the conjugacy class of an element having a cycle of order $\ell$ in its decomposition into disjoint cycles (one can actually directly select an element which "is" a cycle of order $\ell$). □

Corollary 16.
A universal polynomial $f$ of degree greater than or equal to $8$ is indecomposable, i.e. it cannot be written as a composition of lower degree polynomials.

Proof. By Theorem 12, it is enough to observe that $S_n$ acts primitively on the roots of $f$. This forces the polynomial to be indecomposable (see for example [8, Section 2.3]). □

4. Universality for $X^q + X^2 - t$

In this section we specialize to the polynomial $f = X^q + X^2$, as this is the one suggested for the function field sieve in [1] and it is experimentally believed to be 2-universal, see the last paragraph of [1, Section 5]. For this section we restrict to $q$ odd. Let us recall a result due to Turnwald [11].

Theorem 17.
Let $k$ be a field of characteristic different from $2$ and $g \in k[X]$. Suppose that the derivative $g'$ of $g$ has at least one simple root and that for any pair of distinct roots $\alpha \ne \beta$ of $g'$ over $\bar k$ we have $g(\alpha) \ne g(\beta)$. In addition suppose that $\mathrm{char}(k) \nmid \deg(g)$. Then the Galois group of $g - t$ over $k(t)$ is $S_{\deg(g)}$.

With this tool in hand, we are able to compute the arithmetic and the geometric monodromy group of $X^q + X^2$.

Proposition 18.
Let $\mathrm{char}(\mathbb{F}_q) \ne 2$ and $f = X^q + X^2 \in \mathbb{F}_q[X]$. The Galois group $A_f$ of $f - t \in \mathbb{F}_q(t)[X]$ over $\mathbb{F}_q(t)$ is $S_q$. Moreover $G_f = A_f$.

Proof. Clearly, Theorem 17 does not apply directly to the polynomial above, as its degree is divisible by the characteristic of the field. Let us consider the extension $\mathbb{F}_q(x) : \mathbb{F}_q(t)$ where $x$ is a root of $f - t$, so that $f(x) = x^q + x^2 = t$. Let $\{y_1, \dots, y_{q-1}\}$ be the set of roots of $X^{q-1} + X + 2x \in \mathbb{F}_q(x)[X]$. They are all distinct, as the polynomial is separable. It is easy to see that $x + y_i$ is a root of $f - t$ for any $i \in \{1, \dots, q - 1\}$, since $f(x + y) = t + y\,(y^{q-1} + y + 2x)$. Therefore the splitting field $M_f$ of $f - t$ over $\mathbb{F}_q(t)$ is exactly $\mathbb{F}_q(x, y_1, \dots, y_{q-1})$. Let us now consider $B = \mathrm{Gal}(M_f : \mathbb{F}_q(x))$, which is a subgroup of $A_f = \mathrm{Gal}(M_f : \mathbb{F}_q(t))$. The Galois group $B$ is the same as the Galois group of the polynomial $X^{q-1} + X + 2x$ over $\mathbb{F}_q(x)$, for which Turnwald's theorem applies with base field $\mathbb{F}_q(x)$, since
• $\mathrm{char}(\mathbb{F}_q) \ne 2$ and $\mathrm{char}(\mathbb{F}_q) \nmid q - 1$;
• the roots of the derivative, i.e. of $X^{q-2} - 1$, are $\xi^i$ for $\xi$ a primitive $(q-2)$-th root of unity and $i \in \{0, \dots, q - 3\}$, and they are all simple;
• $\xi^{i(q-1)} + \xi^i = \xi^{j(q-1)} + \xi^j$ implies $\xi^i = \xi^j$ (as $\xi^{q-2} = 1$, both sides equal $2\xi^i$ and $2\xi^j$), and then $i = j$.
We are now sure that the Galois group of $X^{q-1} + X + 2x$ is $B = S_{q-1}$. Observe that $B \le A_f$, that $A_f$ acts transitively on the set of roots $\{x, x + y_1, x + y_2, \dots, x + y_{q-1}\}$, and that the stabilizer of $x$ contains $B$. By the orbit-stabilizer theorem we have
$$q = \frac{|A_f|}{|\mathrm{St}_{A_f}(x)|} \le \frac{|A_f|}{|B|} = \frac{|A_f|}{(q-1)!},$$
so $|A_f| \ge q!$, but also $|A_f| \le q!$ as $A_f$ is a subgroup of $S_q$; hence $A_f = S_q$. We now have to show that $G_f = A_f$. Suppose that the constant field of $M_f$ is $\tilde k$ and notice that all the arguments above apply again after replacing $\mathbb{F}_q$ with $\tilde k$. Hence this immediately shows $G_f = S_q$. □

Corollary 19.
There exists $d_0 \in \mathbb{N}$ such that $X^q + X^2$ is $d$-universal for any $d > d_0$.

Proof. By individually checking the cases $q < 8$, we may assume $q \ge 8$. By the previous result, Theorem 12 applies, and therefore so does Corollary 15, which is exactly the claim. □
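The following script is an added example, not the paper's own code (the author's computations were done in SAGE): it implements distinct-degree factorization over $\mathbb{F}_{p^d} = \mathbb{F}_p[y]/(m)$ and checks the $d$-universality of Definition 4 directly, on small inputs, for $X^q + X^2$ of this section and for the family $X^{q+j} - jX$ of Subsection 5.1 below. The irreducible moduli defining $\mathbb{F}_9$ and $\mathbb{F}_{27}$ are supplied by hand and not verified by the code; the names `GF`, `factor_degrees`, `achievable_degrees` and `is_universal` are this example's own.

```python
"""Distinct-degree factorization over F_{p^d} = F_p[y]/(m) to test the d-universality of
Definition 4 on small cases of X^q + X^2 and X^{q+j} - jX. Added example, not the paper's code."""
from itertools import product

class GF:
    """F_{p^d}: an element is a length-d tuple of F_p coefficients, low degree first."""
    def __init__(self, p, m):              # m: monic irreducible over F_p, e.g. [1, 0, 1] for y^2 + 1
        self.p, self.m, self.d = p, [c % p for c in m], len(m) - 1
        self.zero, self.one = (0,) * self.d, self.red([1])
    def red(self, a):                       # reduce a list of F_p coefficients modulo m
        a = [c % self.p for c in a] + [0] * max(0, self.d - len(a))
        for i in range(len(a) - 1, self.d - 1, -1):
            c = a[i]
            for j in range(self.d + 1):
                a[i - self.d + j] = (a[i - self.d + j] - c * self.m[j]) % self.p
        return tuple(a[:self.d])
    def add(self, a, b): return tuple((x + y) % self.p for x, y in zip(a, b))
    def sub(self, a, b): return tuple((x - y) % self.p for x, y in zip(a, b))
    def mul(self, a, b):
        out = [0] * (2 * self.d - 1)
        for i, x in enumerate(a):
            for j, y in enumerate(b):
                out[i + j] += x * y
        return self.red(out)
    def inv(self, a):                       # a != 0: a^(Q - 2) is the inverse, Q = p^d
        r, e = self.one, self.p ** self.d - 2
        while e:
            if e & 1: r = self.mul(r, a)
            a, e = self.mul(a, a), e >> 1
        return r

# Polynomials over K: lists of K-elements, low degree first, no trailing zeros.
def trim(K, a):
    a = list(a)
    while a and a[-1] == K.zero: a.pop()
    return a
def poly(K, coeffs): return trim(K, [K.red([c]) for c in coeffs])   # from integer coefficients
def psub(K, a, b):
    n = max(len(a), len(b))
    a, b = a + [K.zero] * (n - len(a)), b + [K.zero] * (n - len(b))
    return trim(K, [K.sub(x, y) for x, y in zip(a, b)])
def pmul(K, a, b):
    out = [K.zero] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = K.add(out[i + j], K.mul(x, y))
    return trim(K, out)
def pdivmod(K, a, b):                       # b != 0; returns (quotient, remainder)
    a, b = trim(K, a), trim(K, b)
    inv, q = K.inv(b[-1]), [K.zero] * max(len(a) - len(b) + 1, 0)
    while len(a) >= len(b):
        c, k = K.mul(a[-1], inv), len(a) - len(b)
        q[k] = c
        a = psub(K, a, [K.zero] * k + [K.mul(c, y) for y in b])
    return trim(K, q), a
def pgcd(K, a, b):                          # monic gcd, (a, b) != (0, 0)
    while b:
        a, b = b, pdivmod(K, a, b)[1]
    inv = K.inv(a[-1])
    return [K.mul(inv, x) for x in a]
def ppowmod(K, base, e, mod):               # base^e modulo mod by square-and-multiply
    r, base = [K.one], pdivmod(K, base, mod)[1]
    while e:
        if e & 1: r = pdivmod(K, pmul(K, r, base), mod)[1]
        base, e = pdivmod(K, pmul(K, base, base), mod)[1], e >> 1
    return r

def factor_degrees(K, f):
    """Degrees of the irreducible factors of f over K.  g_i = gcd(f, X^(Q^i) - X), Q = |K|, is
    the squarefree product of the irreducible factors of degree dividing i; removing those
    already seen for proper divisors of i leaves exactly the degree-i factors."""
    Q, n, X = K.p ** K.d, len(f) - 1, [K.zero, K.one]
    g, degs = {}, set()
    for i in range(1, n + 1):
        g[i] = pgcd(K, f, psub(K, ppowmod(K, X, Q ** i, f), X))
        lower = [K.one]
        for j in range(1, i):
            if i % j == 0: lower = pmul(K, lower, g[j])
        if len(pdivmod(K, g[i], pgcd(K, g[i], lower))[0]) > 1: degs.add(i)
    return degs
def achievable_degrees(K, f):               # union over t in K of the factor degrees of f - t
    return set().union(*(factor_degrees(K, psub(K, f, [t])) for t in product(range(K.p), repeat=K.d)))
def is_universal(K, f):                     # Definition 4 with F_{q^d} = K
    return achievable_degrees(K, f) == set(range(1, len(f)))
def x_q_plus_x2(K, q): return poly(K, [0, 0, 1] + [0] * (q - 3) + [1])        # X^q + X^2, q >= 3
def x_qj_minus_jx(K, q, j): return poly(K, [0, -j] + [0] * (q + j - 2) + [1])  # X^{q+j} - jX

if __name__ == "__main__":   # q = 3: F_9 = F_3[y]/(y^2 + 1); Remark 21 with j = 2 over F_27 = F_3[y]/(y^3 + 2y + 2)
    K9, K27 = GF(3, [1, 0, 1]), GF(3, [2, 2, 0, 1])
    print(is_universal(K9, x_q_plus_x2(K9, 3)), is_universal(K27, x_qj_minus_jx(K27, 3, 2)))
```

For $q = 3$ the script confirms by exhaustion that $X^3 + X^2$ is already 1-universal over $\mathbb{F}_3$ and 2-universal over $\mathbb{F}_9$, while the additive polynomial $X^3 + X$ (whose monodromy group is not symmetric) never reaches a degree-2 factor over $\mathbb{F}_9$.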
The reader should notice that the first occurrence of $d$ for which $X^q + X^2$ is $d$-universal might be strictly less than $d_0$. What would be ideal to show is that this $d$ is indeed "small" enough (conjecturally it is 2); on the other hand, the above corollary at least shows that such a $d$ exists.

5. Constructing $d$-universal polynomials in odd characteristic

The combination of Theorem 17 and Theorem 12 gives an easy deterministic way to construct polynomials which are likely to build up any extension of degree up to the degree of the polynomial, as required by Conjecture 2. We give a class of examples in the next subsection. For the rest of this section, $q$ will be an odd prime power.

5.1. Universality for $X^{q+j} - jX$.

In this subsection we show a large class of polynomials which can be shown to be universal. In addition, such polynomials appear to always be $d$-universal for a small $d$.

Proposition 20.
Let $q$ be an odd prime power and $\mathbb{F}_p$ its prime subfield. Let $j \in \mathbb{N} \setminus \{0, 1, pk : k \in \mathbb{N}\}$. The polynomial $f = X^{q+j} - jX \in \mathbb{F}_q[X]$ is universal.

Proof. We verify the conditions of Theorem 17 for the geometric monodromy group of $f$; it then follows that the arithmetic monodromy group of $f$ is also the symmetric group, so Theorem 12 applies, showing the universality of $f$.

The derivative of $f$ is $f' = jX^{q+j-1} - j$. Since $j$ is different from 1, $f'$ has only simple roots in $\overline{\mathbb{F}_q}$. Now, any root of $f'$ has the form $\xi^u$, where $\xi$ is a fixed primitive $(q + j - 1)$-th root of unity and $u$ is an integer in $\{0, \dots, q + j - 2\}$. It is now enough to observe that $f(\xi^u) = \xi^{u(q+j)} - j\xi^u = (1 - j)\xi^u$, so that $f(\xi^u) = (1 - j)\xi^v = f(\xi^v)$ holds only for $u \equiv v \pmod{q + j - 1}$, i.e. for $\xi^u = \xi^v$ (here $1 - j \ne 0$). □

Remark 21.
Experiments show that this class of polynomials actually satisfies a stronger property, i.e. each of them seems to be $d$-universal for $d = j + 1$. In particular, for $j = 2$, the polynomial $X^{q+2} - 2X$ is 3-universal for any prime $q$ less than 401, therefore building up suitable extensions of size up to 401.

Acknowledgements
The author is grateful to Michael Zieve for many interesting discussions and especially for introducing him to the version of the Chebotarev density theorem used in this paper. The author also wants to thank the Swiss National Science Foundation, grant number 171248.
The computations were performed in SAGE and the code is available upon request.

References

[1] Razvan Barbulescu, Pierrick Gaudry, Antoine Joux, and Emmanuel Thomé. A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In Advances in Cryptology – EUROCRYPT 2014: 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11-15, 2014. Proceedings, pages 1–16. Springer Berlin Heidelberg, 2014. ISBN 978-3-642-55220-5. doi: 10.1007/978-3-642-55220-5_1. URL http://dx.doi.org/10.1007/978-3-642-55220-5_1.
[2] Stephen D. Cohen. The distribution of polynomials over finite fields. Acta Arithmetica, 17:255–271, 1970.
[3] Faruk Göloğlu, Robert Granger, Gary McGuire, and Jens Zumbrägel. On the function field sieve and the impact of higher splitting probabilities: application to discrete logarithms in $\mathbb{F}_{2^{1971}}$ and $\mathbb{F}_{2^{3164}}$. In Ran Canetti and Juan A. Garay, editors, Advances in Cryptology – CRYPTO 2013, 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part II, Lecture Notes in Computer Science, pages 109–128. Springer Berlin Heidelberg, 2013. URL http://link.springer.com/chapter/10.1007%2F978-3-642-40084-1_7. Best Paper Award (by unanimous decision of the Program Committee).
[4] Robert Granger, Thorsten Kleinjung, and Jens Zumbrägel. On the discrete logarithm problem in finite fields of fixed characteristic. Transactions of the American Mathematical Society, 2017.
[5] Robert M. Guralnick, Thomas J. Tucker, and Michael E. Zieve. Exceptional covers and bijections on rational points. International Mathematics Research Notices, 2007:rnm004, 2007.
[6] Antoine Joux. A new index calculus algorithm with complexity $L(1/4 + o(1))$ in small characteristic. In International Conference on Selected Areas in Cryptography, pages 355–379. Springer, 2013.
[7] Michiel Kosters. A short proof of a Chebotarev density theorem for function fields. arXiv preprint arXiv:1404.6345, 2014.
[8] Peter Müller. Primitive monodromy groups of polynomials. Contemporary Mathematics, 186:385–385, 1995.
[9] Michael Rosen. Number theory in function fields, volume 210. Springer Science & Business Media, 2013.
[10] Henning Stichtenoth. Algebraic function fields and codes, volume 254. Springer Science & Business Media, 2009.
[11] Gerhard Turnwald. On Schur's conjecture. Journal of the Australian Mathematical Society (Series A), 58(03):312–357, 1995.
[12] Helmut Wielandt.