Science China Information Sciences | 2019

A faster method to compute primitive elements and discrete logarithms of factor base in Artin-Schreier extensions


Abstract


Dear editor, The discrete logarithm problem is a classical problem in mathematics and is widely used in cryptography [1–4]. The pre-computation of the discrete logarithms of the factor base is a crucial and extremely expensive step in many algorithms for solving discrete logarithms. In finite fields of small characteristic, one can use Möbius transformations and the Frobenius endomorphism to generate relations between elements of the factor base [5]. To improve efficiency, it is of interest to find a subset of transformations that is sufficient to recover the discrete logarithms of the factor base, especially in special fields. In this study, we focus on the Artin-Schreier extension $K = \mathbb{F}_{p^2}[x]/(x^p - x - 1)$ for a prime $p$. We prove that the linear system of degenerate relations derived from transformations in the Borel set is not sufficient to compute the logarithms of the factor base. We use a subset of non-degenerate relations to recover the logarithms of the factor base, which reduces the heuristic complexity from $O(p)$ [6] to $\tilde{O}(p^{\omega})$, where $\omega \le 2.38$ is the matrix multiplication exponent over a ring. Our algorithm does not depend on the heuristic of smooth numbers, and it finds a primitive element of the multiplicative group of $K$. We base the correctness of our algorithm on a heuristic which has been verified for finite fields of size up to 10000 bits.

Preliminaries. The Artin-Schreier extension is modeled as $K = \mathbb{F}_{p^2}[x]/(x^p - x - 1)$, where $\mathbb{F}_{p^2}$ is the quadratic extension of the prime field $\mathbb{F}_p$. Denote by $\eta \in \mathbb{F}_p$ a quadratic non-residue of $\mathbb{F}_p$ and by $g \in \mathbb{F}_{p^2}$ a square root of $\eta$. Note that $g^p = -g$, since the minimal polynomial of $g$ is $x^2 - \eta$. Also, any $u \in \mathbb{F}_{p^2}$ can be written as $u = u_1 + u_2 g$ with $u_1, u_2 \in \mathbb{F}_p$ unique. It is easy to find such a pair $(\eta, g)$ and to express all elements of $\mathbb{F}_{p^2}$ in the form $u_1 + u_2 g$ with $u_1, u_2 \in \mathbb{F}_p$. We denote by $\zeta$ a primitive $(p+1)$-th root of unity in $\mathbb{F}_{p^2}$, and by $\zeta_\alpha \in \mathbb{F}_{p^2}$ an arbitrary $(p+1)$-th root of $\alpha \in \mathbb{F}_p^*$.
The complexity of algorithms is estimated by the number of arithmetic operations in $\mathbb{Z}/(p-1)\mathbb{Z}$, or in rings of similar size. Assume that $\rho$ is a primitive generator of the multiplicative group of $K$. For arbitrary $u \in \mathbb{F}_p$, we have
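The preliminaries above can be checked concretely for small primes. The following is an added example, not code from the paper: it represents $\mathbb{F}_{p^2}$ as pairs $(u_1, u_2)$ standing for $u_1 + u_2 g$ with $g^2 = \eta$, verifies the Frobenius identity $g^p = -g$, and constructs a primitive $(p+1)$-th root of unity $\zeta$ and a $(p+1)$-th root $\zeta_\alpha$ of $\alpha \in \mathbb{F}_p^*$ by exhaustive search (the function names are this example's own, and the search is only meant for toy-sized $p$).

```python
# Added example (not the paper's code): F_{p^2} = F_p(g) with g^2 = eta, the identity
# g^p = -g, a primitive (p+1)-th root of unity and a (p+1)-th root of alpha in F_p^*.

def quadratic_non_residue(p):
    """Smallest eta with eta^((p-1)/2) = -1 in F_p (Euler's criterion)."""
    for eta in range(2, p):
        if pow(eta, (p - 1) // 2, p) == p - 1:
            return eta
    raise ValueError("p must be an odd prime")

def fp2_mul(a, b, p, eta):
    """(a1 + a2 g)(b1 + b2 g) reduced with g^2 = eta."""
    (a1, a2), (b1, b2) = a, b
    return ((a1 * b1 + eta * a2 * b2) % p, (a1 * b2 + a2 * b1) % p)

def fp2_pow(a, e, p, eta):
    """Square-and-multiply exponentiation in F_{p^2}."""
    r = (1, 0)
    while e:
        if e & 1:
            r = fp2_mul(r, a, p, eta)
        a, e = fp2_mul(a, a, p, eta), e >> 1
    return r

def frobenius_negates_g(p, eta):
    """g^p == -g, since g^p = g * eta^((p-1)/2) and eta is a non-residue."""
    return fp2_pow((0, 1), p, p, eta) == (0, p - 1)

def prime_factors(n):
    f, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            f.add(d)
            n //= d
        d += 1
    return f | ({n} if n > 1 else set())

def primitive_root_of_unity(p, eta):
    """zeta of exact order p+1: u^(p-1) always has order dividing p+1."""
    for u in ((u1, u2) for u2 in range(1, p) for u1 in range(p)):
        z = fp2_pow(u, p - 1, p, eta)
        if all(fp2_pow(z, (p + 1) // q, p, eta) != (1, 0)
               for q in prime_factors(p + 1)):
            return z

def root_of_alpha(alpha, p, eta):
    """zeta_alpha with zeta_alpha^(p+1) == alpha (the norm map is onto F_p^*)."""
    for u in ((u1, u2) for u1 in range(p) for u2 in range(p) if (u1, u2) != (0, 0)):
        if fp2_pow(u, p + 1, p, eta) == (alpha % p, 0):
            return u
    raise ValueError("alpha must be nonzero in F_p")
```

Multiplying $\zeta_\alpha$ by any power of $\zeta$ gives another $(p+1)$-th root of $\alpha$, so the pair $(\zeta, \zeta_\alpha)$ describes all of them.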

Volume 62
DOI 10.1007/s11432-017-9700-7
