Complexity news: Also somewhat related: discrete logarithms in Im - - PowerPoint PPT Presentation

Complexity news: discrete logarithms in multiplicative groups of small-characteristic finite fields— the algorithm of Barbulescu, Gaudry, Joux, Thom´ e

• D. J. Bernstein

University of Illinois at Chicago & Technische Universiteit Eindhoven Advertisement, maybe related: iml.univ-mrs.fr/ati/ geocrypt2013/ 2013.10.07–11, Tahiti. Submit talks this month! Also somewhat related: I’m starting to analyze cost of NFS + CVP for class groups, unit groups, short generators of ideals, etc.; exploiting subfields (find short norms first), small Galois groups, etc. Anyone else working on this? Cryptanalytic applications: attack NTRU, Ring-LWE, FHE. I think NTRU should switch to random prime-degree extensions with big Galois groups.

Complexity news: discrete logarithms in multiplicative groups of small-characteristic finite fields— algorithm of Barbulescu, Gaudry, Joux, Thom´ e Bernstein University of Illinois at Chicago & echnische Universiteit Eindhoven Advertisement, maybe related: iml.univ-mrs.fr/ati/ geocrypt2013/ 2013.10.07–11, Tahiti. Submit talks this month! Also somewhat related: I’m starting to analyze cost of NFS + CVP for class groups, unit groups, short generators of ideals, etc.; exploiting subfields (find short norms first), small Galois groups, etc. Anyone else working on this? Cryptanalytic applications: attack NTRU, Ring-LWE, FHE. I think NTRU should switch to random prime-degree extensions with big Galois groups. Discrete Goal: Compute group isomo F✄

q ✦ Z❂ q

represented Algorithm ❤1❀ ❤2❀ ✿ ✿ ✿ ✷

✄ q

Algorithm log❣ ❤1❀ log❣ ❤ ❀ ✿ ✿ ✿ ✷ ❂ q for some ❣ “log❣” means ❣ ✼✦ 1, if

news: rithms in groups of racteristic finite fields— Barbulescu, Thom´ e Illinois at Chicago & Universiteit Eindhoven maybe related: iml.univ-mrs.fr/ati/ Tahiti. this month! Also somewhat related: I’m starting to analyze cost of NFS + CVP for class groups, unit groups, short generators of ideals, etc.; exploiting subfields (find short norms first), small Galois groups, etc. Anyone else working on this? Cryptanalytic applications: attack NTRU, Ring-LWE, FHE. I think NTRU should switch to random prime-degree extensions with big Galois groups. Discrete logarithms Goal: Compute some group isomorphism F✄

q ✦ Z❂(q 1),

represented in the Algorithm input: ❤1❀ ❤2❀ ✿ ✿ ✿ ✷ F✄

q.

Algorithm output: log❣ ❤1❀ log❣ ❤2❀ ✿ ✿ ✿ ✷ ❂ q for some ❣. “log❣” means the ❣ ✼✦ 1, if it exists.

fields— rbulescu, Chicago & Eindhoven related: Also somewhat related: I’m starting to analyze cost of NFS + CVP for class groups, unit groups, short generators of ideals, etc.; exploiting subfields (find short norms first), small Galois groups, etc. Anyone else working on this? Cryptanalytic applications: attack NTRU, Ring-LWE, FHE. I think NTRU should switch to random prime-degree extensions with big Galois groups. Discrete logarithms Goal: Compute some group isomorphism F✄

q ✦ Z❂(q 1),

represented in the usual way. Algorithm input: ❤1❀ ❤2❀ ✿ ✿ ✿ ✷ F✄

q.

Algorithm output: log❣ ❤1❀ log❣ ❤2❀ ✿ ✿ ✿ ✷ Z❂(q for some ❣. “log❣” means the isomorphism ❣ ✼✦ 1, if it exists.

Also somewhat related: I’m starting to analyze cost of NFS + CVP for class groups, unit groups, short generators of ideals, etc.; exploiting subfields (find short norms first), small Galois groups, etc. Anyone else working on this? Cryptanalytic applications: attack NTRU, Ring-LWE, FHE. I think NTRU should switch to random prime-degree extensions with big Galois groups. Discrete logarithms Goal: Compute some group isomorphism F✄

q ✦ Z❂(q 1),

represented in the usual way. Algorithm input: ❤1❀ ❤2❀ ✿ ✿ ✿ ✷ F✄

q.

Algorithm output: log❣ ❤1❀ log❣ ❤2❀ ✿ ✿ ✿ ✷ Z❂(q 1) for some ❣. “log❣” means the isomorphism ❣ ✼✦ 1, if it exists.

somewhat related: rting to analyze

• f NFS + CVP

ss groups, unit groups, generators of ideals, etc.; exploiting subfields short norms first), Galois groups, etc.

• ne else working on this?

Cryptanalytic applications: NTRU, Ring-LWE, FHE. NTRU should switch to prime-degree extensions big Galois groups. Discrete logarithms Goal: Compute some group isomorphism F✄

q ✦ Z❂(q 1),

represented in the usual way. Algorithm input: ❤1❀ ❤2❀ ✿ ✿ ✿ ✷ F✄

q.

Algorithm output: log❣ ❤1❀ log❣ ❤2❀ ✿ ✿ ✿ ✷ Z❂(q 1) for some ❣. “log❣” means the isomorphism ❣ ✼✦ 1, if it exists. “Generic”

❣

• n average q ❂

♦

uniform, q ❂

♦

Want som

related: analyze CVP unit groups,

• f ideals, etc.;

subfields rms first), groups, etc. rking on this? applications: Ring-LWE, FHE. should switch to degree extensions groups. Discrete logarithms Goal: Compute some group isomorphism F✄

q ✦ Z❂(q 1),

represented in the usual way. Algorithm input: ❤1❀ ❤2❀ ✿ ✿ ✿ ✷ F✄

q.

Algorithm output: log❣ ❤1❀ log❣ ❤2❀ ✿ ✿ ✿ ✷ Z❂(q 1) for some ❣. “log❣” means the isomorphism ❣ ✼✦ 1, if it exists. “Generic” log❣ algo

• n average q1❂2+♦(1)

uniform, q1❂3+♦(1) Want something faster.

groups, etc.; this? applications: FHE. switch to extensions Discrete logarithms Goal: Compute some group isomorphism F✄

q ✦ Z❂(q 1),

represented in the usual way. Algorithm input: ❤1❀ ❤2❀ ✿ ✿ ✿ ✷ F✄

q.

Algorithm output: log❣ ❤1❀ log❣ ❤2❀ ✿ ✿ ✿ ✷ Z❂(q 1) for some ❣. “log❣” means the isomorphism ❣ ✼✦ 1, if it exists. “Generic” log❣ algorithms:

• n average q1❂2+♦(1) operations

uniform, q1❂3+♦(1) non-unifo Want something faster.

Discrete logarithms Goal: Compute some group isomorphism F✄

q ✦ Z❂(q 1),

represented in the usual way. Algorithm input: ❤1❀ ❤2❀ ✿ ✿ ✿ ✷ F✄

q.

Algorithm output: log❣ ❤1❀ log❣ ❤2❀ ✿ ✿ ✿ ✷ Z❂(q 1) for some ❣. “log❣” means the isomorphism ❣ ✼✦ 1, if it exists. “Generic” log❣ algorithms:

• n average q1❂2+♦(1) operations

uniform, q1❂3+♦(1) non-uniform. Want something faster.

Discrete logarithms Goal: Compute some group isomorphism F✄

q ✦ Z❂(q 1),

represented in the usual way. Algorithm input: ❤1❀ ❤2❀ ✿ ✿ ✿ ✷ F✄

q.

Algorithm output: log❣ ❤1❀ log❣ ❤2❀ ✿ ✿ ✿ ✷ Z❂(q 1) for some ❣. “log❣” means the isomorphism ❣ ✼✦ 1, if it exists. “Generic” log❣ algorithms:

• n average q1❂2+♦(1) operations

uniform, q1❂3+♦(1) non-uniform. Want something faster. “Basic index calculus”: 1968 Western–Miller, 1979 Merkle, 1979 Adleman, 1983 Hellman– Reyneri, 1984 Blake–Fuji-Hara– Mullin–Vanstone, 1985 ElGamal, 1986 Coppersmith–Odlyzko– Schroeppel, 1991 LaMacchia– Odlyzko, 1993 Adleman– DeMarrais, 1995 Semaev, 1998 Bender–Pomerance.

Discrete logarithms Compute some isomorphism

✄ q ✦ Z❂(q 1),

resented in the usual way. rithm input: ❤ ❀ ❤ ❀ ✿ ✿ ✿ ✷ F✄

q.

rithm output:

❣ ❤ ❀ log❣ ❤2❀ ✿ ✿ ✿ ✷ Z❂(q 1)

• me ❣.

❣

means the isomorphism ❣ ✼✦ 1, if it exists. “Generic” log❣ algorithms:

• n average q1❂2+♦(1) operations

uniform, q1❂3+♦(1) non-uniform. Want something faster. “Basic index calculus”: 1968 Western–Miller, 1979 Merkle, 1979 Adleman, 1983 Hellman– Reyneri, 1984 Blake–Fuji-Hara– Mullin–Vanstone, 1985 ElGamal, 1986 Coppersmith–Odlyzko– Schroeppel, 1991 LaMacchia– Odlyzko, 1993 Adleman– DeMarrais, 1995 Semaev, 1998 Bender–Pomerance. “NFS”: 1991 Gordon, Odlyzko, Weber–Denny 1998 Web Lercier, 2006 Smart–V “FFS”: 1984 Coppersmith–Davenp Odlyzko, Gordon–McCurley 1999 Adleman–Huang, Joux–Lercier, 2010/2012 Wang–Matsuo–Shirase–T

rithms some hism

✄ q ✦

❂ q 1), the usual way. put: ❤ ❀ ❤ ❀ ✿ ✿ ✿ ✷

✄ q

ut:

❣ ❤ ❀ ❣ ❤ ❀ ✿ ✿ ✿ ✷ Z❂(q 1)

❣

❣

the isomorphism ❣ ✼✦ exists. “Generic” log❣ algorithms:

• n average q1❂2+♦(1) operations

uniform, q1❂3+♦(1) non-uniform. Want something faster. “Basic index calculus”: 1968 Western–Miller, 1979 Merkle, 1979 Adleman, 1983 Hellman– Reyneri, 1984 Blake–Fuji-Hara– Mullin–Vanstone, 1985 ElGamal, 1986 Coppersmith–Odlyzko– Schroeppel, 1991 LaMacchia– Odlyzko, 1993 Adleman– DeMarrais, 1995 Semaev, 1998 Bender–Pomerance. “NFS”: 1991 Schirok Gordon, 1993 Schirok Odlyzko, 1996 Schirok Weber–Denny, 1996 1998 Weber–Denny Lercier, 2006 Joux–Lercier– Smart–Vercauteren. “FFS”: 1984 Copp Coppersmith–Davenp Odlyzko, 1990 McCurley Gordon–McCurley, 1999 Adleman–Huang, Joux–Lercier, 2006 2010/2012 Hayashi–Shinoha Wang–Matsuo–Shirase–T

✄ q ✦

❂ q ay. ❤ ❀ ❤ ❀ ✿ ✿ ✿ ✷

✄ q ❣ ❤ ❀ ❣ ❤ ❀ ✿ ✿ ✿ ✷

❂ q 1) ❣

❣

rphism ❣ ✼✦ “Generic” log❣ algorithms:

• n average q1❂2+♦(1) operations

uniform, q1❂3+♦(1) non-uniform. Want something faster. “Basic index calculus”: 1968 Western–Miller, 1979 Merkle, 1979 Adleman, 1983 Hellman– Reyneri, 1984 Blake–Fuji-Hara– Mullin–Vanstone, 1985 ElGamal, 1986 Coppersmith–Odlyzko– Schroeppel, 1991 LaMacchia– Odlyzko, 1993 Adleman– DeMarrais, 1995 Semaev, 1998 Bender–Pomerance. “NFS”: 1991 Schirokauer, 1993 Gordon, 1993 Schirokauer, 1994 Odlyzko, 1996 Schirokauer– Weber–Denny, 1996 Weber, 1998 Weber–Denny, 2001 Joux– Lercier, 2006 Joux–Lercier– Smart–Vercauteren. “FFS”: 1984 Coppersmith, 1985 Coppersmith–Davenport, 1985 Odlyzko, 1990 McCurley, 1992 Gordon–McCurley, 1994 Adleman, 1999 Adleman–Huang, 2001 Joux–Lercier, 2006 Joux–Lercier, 2010/2012 Hayashi–Shinoha Wang–Matsuo–Shirase–Takagi.

“Generic” log❣ algorithms:

• n average q1❂2+♦(1) operations

uniform, q1❂3+♦(1) non-uniform. Want something faster. “Basic index calculus”: 1968 Western–Miller, 1979 Merkle, 1979 Adleman, 1983 Hellman– Reyneri, 1984 Blake–Fuji-Hara– Mullin–Vanstone, 1985 ElGamal, 1986 Coppersmith–Odlyzko– Schroeppel, 1991 LaMacchia– Odlyzko, 1993 Adleman– DeMarrais, 1995 Semaev, 1998 Bender–Pomerance. “NFS”: 1991 Schirokauer, 1993 Gordon, 1993 Schirokauer, 1994 Odlyzko, 1996 Schirokauer– Weber–Denny, 1996 Weber, 1998 Weber–Denny, 2001 Joux– Lercier, 2006 Joux–Lercier– Smart–Vercauteren. “FFS”: 1984 Coppersmith, 1985 Coppersmith–Davenport, 1985 Odlyzko, 1990 McCurley, 1992 Gordon–McCurley, 1994 Adleman, 1999 Adleman–Huang, 2001 Joux–Lercier, 2006 Joux–Lercier, 2010/2012 Hayashi–Shinohara– Wang–Matsuo–Shirase–Takagi.

“Generic” log❣ algorithms: average q1❂2+♦(1) operations rm, q1❂3+♦(1) non-uniform. something faster. index calculus”: 1968 estern–Miller, 1979 Merkle, Adleman, 1983 Hellman– Reyneri, 1984 Blake–Fuji-Hara– Mullin–Vanstone, 1985 ElGamal, Coppersmith–Odlyzko– eppel, 1991 LaMacchia–

• , 1993 Adleman–

rrais, 1995 Semaev, Bender–Pomerance. “NFS”: 1991 Schirokauer, 1993 Gordon, 1993 Schirokauer, 1994 Odlyzko, 1996 Schirokauer– Weber–Denny, 1996 Weber, 1998 Weber–Denny, 2001 Joux– Lercier, 2006 Joux–Lercier– Smart–Vercauteren. “FFS”: 1984 Coppersmith, 1985 Coppersmith–Davenport, 1985 Odlyzko, 1990 McCurley, 1992 Gordon–McCurley, 1994 Adleman, 1999 Adleman–Huang, 2001 Joux–Lercier, 2006 Joux–Lercier, 2010/2012 Hayashi–Shinohara– Wang–Matsuo–Shirase–Takagi. “FFS”, continued: Shimoyama–Shinoha 2012.10 Detrey–Gaudry–Jeljeli–Thom Videau–Zimmermann, Barbulescu–Bouvier–Detrey– Gaudry–Jeljeli–Thom Zimmermann.

❣ algorithms:

q ❂

♦(1) operations

q ❂

♦(1) non-uniform.

faster. calculus”: 1968 1979 Merkle, 1983 Hellman– Blake–Fuji-Hara– anstone, 1985 ElGamal, ersmith–Odlyzko– 1991 LaMacchia– Adleman– Semaev,

• merance.

“NFS”: 1991 Schirokauer, 1993 Gordon, 1993 Schirokauer, 1994 Odlyzko, 1996 Schirokauer– Weber–Denny, 1996 Weber, 1998 Weber–Denny, 2001 Joux– Lercier, 2006 Joux–Lercier– Smart–Vercauteren. “FFS”: 1984 Coppersmith, 1985 Coppersmith–Davenport, 1985 Odlyzko, 1990 McCurley, 1992 Gordon–McCurley, 1994 Adleman, 1999 Adleman–Huang, 2001 Joux–Lercier, 2006 Joux–Lercier, 2010/2012 Hayashi–Shinohara– Wang–Matsuo–Shirase–Takagi. “FFS”, continued: Shimoyama–Shinoha 2012.10 Barbulescu Detrey–Gaudry–Jeljeli–Thom Videau–Zimmermann, Barbulescu–Bouvier–Detrey– Gaudry–Jeljeli–Thom Zimmermann.

❣

rithms: q ❂

♦

erations q ❂

♦

non-uniform. 1968 Merkle, Hellman– uji-Hara– ElGamal,

• –

LaMacchia– “NFS”: 1991 Schirokauer, 1993 Gordon, 1993 Schirokauer, 1994 Odlyzko, 1996 Schirokauer– Weber–Denny, 1996 Weber, 1998 Weber–Denny, 2001 Joux– Lercier, 2006 Joux–Lercier– Smart–Vercauteren. “FFS”: 1984 Coppersmith, 1985 Coppersmith–Davenport, 1985 Odlyzko, 1990 McCurley, 1992 Gordon–McCurley, 1994 Adleman, 1999 Adleman–Huang, 2001 Joux–Lercier, 2006 Joux–Lercier, 2010/2012 Hayashi–Shinohara– Wang–Matsuo–Shirase–Takagi. “FFS”, continued: 2012 Hay Shimoyama–Shinohara–Takagi, 2012.10 Barbulescu–Bouvier– Detrey–Gaudry–Jeljeli–Thom Videau–Zimmermann, 2013.04 Barbulescu–Bouvier–Detrey– Gaudry–Jeljeli–Thom´ e–Videau– Zimmermann.

“NFS”: 1991 Schirokauer, 1993 Gordon, 1993 Schirokauer, 1994 Odlyzko, 1996 Schirokauer– Weber–Denny, 1996 Weber, 1998 Weber–Denny, 2001 Joux– Lercier, 2006 Joux–Lercier– Smart–Vercauteren. “FFS”: 1984 Coppersmith, 1985 Coppersmith–Davenport, 1985 Odlyzko, 1990 McCurley, 1992 Gordon–McCurley, 1994 Adleman, 1999 Adleman–Huang, 2001 Joux–Lercier, 2006 Joux–Lercier, 2010/2012 Hayashi–Shinohara– Wang–Matsuo–Shirase–Takagi. “FFS”, continued: 2012 Hayashi– Shimoyama–Shinohara–Takagi, 2012.10 Barbulescu–Bouvier– Detrey–Gaudry–Jeljeli–Thom´ e– Videau–Zimmermann, 2013.04 Barbulescu–Bouvier–Detrey– Gaudry–Jeljeli–Thom´ e–Videau– Zimmermann.

“NFS”: 1991 Schirokauer, 1993 Gordon, 1993 Schirokauer, 1994 Odlyzko, 1996 Schirokauer– Weber–Denny, 1996 Weber, 1998 Weber–Denny, 2001 Joux– Lercier, 2006 Joux–Lercier– Smart–Vercauteren. “FFS”: 1984 Coppersmith, 1985 Coppersmith–Davenport, 1985 Odlyzko, 1990 McCurley, 1992 Gordon–McCurley, 1994 Adleman, 1999 Adleman–Huang, 2001 Joux–Lercier, 2006 Joux–Lercier, 2010/2012 Hayashi–Shinohara– Wang–Matsuo–Shirase–Takagi. “FFS”, continued: 2012 Hayashi– Shimoyama–Shinohara–Takagi, 2012.10 Barbulescu–Bouvier– Detrey–Gaudry–Jeljeli–Thom´ e– Videau–Zimmermann, 2013.04 Barbulescu–Bouvier–Detrey– Gaudry–Jeljeli–Thom´ e–Videau– Zimmermann. “Not your grandpa’s FFS”: 2012.12 Joux, 2013.02 Joux, 2013.02 G¨

• lo˘

glu–Granger– McGuire–Zumbr¨ agel, 2013.05 G¨

• lo˘

glu–Granger–McGuire– Zumbr¨ agel, 2013.06 Barbulescu– Gaudry–Joux–Thom´ e.

“NFS”: 1991 Schirokauer, 1993 rdon, 1993 Schirokauer, 1994

• , 1996 Schirokauer–

er–Denny, 1996 Weber, eber–Denny, 2001 Joux– Lercier, 2006 Joux–Lercier– rt–Vercauteren. “FFS”: 1984 Coppersmith, 1985 ersmith–Davenport, 1985

• , 1990 McCurley, 1992

rdon–McCurley, 1994 Adleman, Adleman–Huang, 2001 Joux–Lercier, 2006 Joux–Lercier, 2010/2012 Hayashi–Shinohara– ang–Matsuo–Shirase–Takagi. “FFS”, continued: 2012 Hayashi– Shimoyama–Shinohara–Takagi, 2012.10 Barbulescu–Bouvier– Detrey–Gaudry–Jeljeli–Thom´ e– Videau–Zimmermann, 2013.04 Barbulescu–Bouvier–Detrey– Gaudry–Jeljeli–Thom´ e–Videau– Zimmermann. “Not your grandpa’s FFS”: 2012.12 Joux, 2013.02 Joux, 2013.02 G¨

• lo˘

glu–Granger– McGuire–Zumbr¨ agel, 2013.05 G¨

• lo˘

glu–Granger–McGuire– Zumbr¨ agel, 2013.06 Barbulescu– Gaudry–Joux–Thom´ e. Reasonable for fixed FFS costs ✔❚ log ❚ ✷ (log q

❂ ♦

Schirokauer, 1993 Schirokauer, 1994 Schirokauer– 1996 Weber, er–Denny, 2001 Joux– Joux–Lercier– ercauteren. Coppersmith, 1985 ersmith–Davenport, 1985 McCurley, 1992 rdon–McCurley, 1994 Adleman, Adleman–Huang, 2001 2006 Joux–Lercier, ashi–Shinohara– ang–Matsuo–Shirase–Takagi. “FFS”, continued: 2012 Hayashi– Shimoyama–Shinohara–Takagi, 2012.10 Barbulescu–Bouvier– Detrey–Gaudry–Jeljeli–Thom´ e– Videau–Zimmermann, 2013.04 Barbulescu–Bouvier–Detrey– Gaudry–Jeljeli–Thom´ e–Videau– Zimmermann. “Not your grandpa’s FFS”: 2012.12 Joux, 2013.02 Joux, 2013.02 G¨

• lo˘

glu–Granger– McGuire–Zumbr¨ agel, 2013.05 G¨

• lo˘

glu–Granger–McGuire– Zumbr¨ agel, 2013.06 Barbulescu– Gaudry–Joux–Thom´ e. Reasonable conjectures for fixed characteristic: FFS costs ✔❚ where log ❚ ✷ (log q)1❂3+♦

1993 auer, 1994 auer– er, Joux– Joux–Lercier– , 1985 1985 1992 Adleman, 2001 Joux–Lercier, ashi–Shinohara– akagi. “FFS”, continued: 2012 Hayashi– Shimoyama–Shinohara–Takagi, 2012.10 Barbulescu–Bouvier– Detrey–Gaudry–Jeljeli–Thom´ e– Videau–Zimmermann, 2013.04 Barbulescu–Bouvier–Detrey– Gaudry–Jeljeli–Thom´ e–Videau– Zimmermann. “Not your grandpa’s FFS”: 2012.12 Joux, 2013.02 Joux, 2013.02 G¨

• lo˘

glu–Granger– McGuire–Zumbr¨ agel, 2013.05 G¨

• lo˘

glu–Granger–McGuire– Zumbr¨ agel, 2013.06 Barbulescu– Gaudry–Joux–Thom´ e. Reasonable conjectures for fixed characteristic: FFS costs ✔❚ where log ❚ ✷ (log q)1❂3+♦(1).

“FFS”, continued: 2012 Hayashi– Shimoyama–Shinohara–Takagi, 2012.10 Barbulescu–Bouvier– Detrey–Gaudry–Jeljeli–Thom´ e– Videau–Zimmermann, 2013.04 Barbulescu–Bouvier–Detrey– Gaudry–Jeljeli–Thom´ e–Videau– Zimmermann. “Not your grandpa’s FFS”: 2012.12 Joux, 2013.02 Joux, 2013.02 G¨

• lo˘

glu–Granger– McGuire–Zumbr¨ agel, 2013.05 G¨

• lo˘

glu–Granger–McGuire– Zumbr¨ agel, 2013.06 Barbulescu– Gaudry–Joux–Thom´ e. Reasonable conjectures for fixed characteristic: FFS costs ✔❚ where log ❚ ✷ (log q)1❂3+♦(1).

“FFS”, continued: 2012 Hayashi– Shimoyama–Shinohara–Takagi, 2012.10 Barbulescu–Bouvier– Detrey–Gaudry–Jeljeli–Thom´ e– Videau–Zimmermann, 2013.04 Barbulescu–Bouvier–Detrey– Gaudry–Jeljeli–Thom´ e–Videau– Zimmermann. “Not your grandpa’s FFS”: 2012.12 Joux, 2013.02 Joux, 2013.02 G¨

• lo˘

glu–Granger– McGuire–Zumbr¨ agel, 2013.05 G¨

• lo˘

glu–Granger–McGuire– Zumbr¨ agel, 2013.06 Barbulescu– Gaudry–Joux–Thom´ e. Reasonable conjectures for fixed characteristic: FFS costs ✔❚ where log ❚ ✷ (log q)1❂3+♦(1). 2013.02 Joux algorithm: log ❚ ✷ (log q)1❂4+♦(1).

“FFS”, continued: 2012 Hayashi– Shimoyama–Shinohara–Takagi, 2012.10 Barbulescu–Bouvier– Detrey–Gaudry–Jeljeli–Thom´ e– Videau–Zimmermann, 2013.04 Barbulescu–Bouvier–Detrey– Gaudry–Jeljeli–Thom´ e–Videau– Zimmermann. “Not your grandpa’s FFS”: 2012.12 Joux, 2013.02 Joux, 2013.02 G¨

• lo˘

glu–Granger– McGuire–Zumbr¨ agel, 2013.05 G¨

• lo˘

glu–Granger–McGuire– Zumbr¨ agel, 2013.06 Barbulescu– Gaudry–Joux–Thom´ e. Reasonable conjectures for fixed characteristic: FFS costs ✔❚ where log ❚ ✷ (log q)1❂3+♦(1). 2013.02 Joux algorithm: log ❚ ✷ (log q)1❂4+♦(1). 2013.06 Barbulescu–Gaudry– Joux–Thom´ e algorithm: log ❚ ✷ (log log q)2+♦(1).

“FFS”, continued: 2012 Hayashi– Shimoyama–Shinohara–Takagi, 2012.10 Barbulescu–Bouvier– Detrey–Gaudry–Jeljeli–Thom´ e– Videau–Zimmermann, 2013.04 Barbulescu–Bouvier–Detrey– Gaudry–Jeljeli–Thom´ e–Videau– Zimmermann. “Not your grandpa’s FFS”: 2012.12 Joux, 2013.02 Joux, 2013.02 G¨

• lo˘

glu–Granger– McGuire–Zumbr¨ agel, 2013.05 G¨

• lo˘

glu–Granger–McGuire– Zumbr¨ agel, 2013.06 Barbulescu– Gaudry–Joux–Thom´ e. Reasonable conjectures for fixed characteristic: FFS costs ✔❚ where log ❚ ✷ (log q)1❂3+♦(1). 2013.02 Joux algorithm: log ❚ ✷ (log q)1❂4+♦(1). 2013.06 Barbulescu–Gaudry– Joux–Thom´ e algorithm: log ❚ ✷ (log log q)2+♦(1). 1994 Shor algorithm: log ❚ ✷ (log log q)1+♦(1), proven; but needs a quantum computer.

“FFS”, continued: 2012 Hayashi– yama–Shinohara–Takagi, 2012.10 Barbulescu–Bouvier– Detrey–Gaudry–Jeljeli–Thom´ e– Videau–Zimmermann, 2013.04 rbulescu–Bouvier–Detrey– Gaudry–Jeljeli–Thom´ e–Videau– Zimmermann.

• ur grandpa’s FFS”:

2012.12 Joux, 2013.02 Joux, 2013.02 G¨

• lo˘

glu–Granger– McGuire–Zumbr¨ agel, 2013.05 glu–Granger–McGuire– ¨ agel, 2013.06 Barbulescu– Gaudry–Joux–Thom´ e. Reasonable conjectures for fixed characteristic: FFS costs ✔❚ where log ❚ ✷ (log q)1❂3+♦(1). 2013.02 Joux algorithm: log ❚ ✷ (log q)1❂4+♦(1). 2013.06 Barbulescu–Gaudry– Joux–Thom´ e algorithm: log ❚ ✷ (log log q)2+♦(1). 1994 Shor algorithm: log ❚ ✷ (log log q)1+♦(1), proven; but needs a quantum computer. Field construction I’ll make q = ♣2♥ ♣ is an o ♥ ✷ Z, ♣♣ ✔ ♥ ✔ ♣ Most interesting: ♥ ✙ ♣ Example: ♣ ♥ (Can you ♣2♥ 1 ♣♥ ♣♥ Find “random”

♣ ①

with an irr ✬ of degree ♥ Construct

q ♣ ① ❂✬

continued: 2012 Hayashi– ama–Shinohara–Takagi, rbulescu–Bouvier– Detrey–Gaudry–Jeljeli–Thom´ e– Videau–Zimmermann, 2013.04 rbulescu–Bouvier–Detrey– Gaudry–Jeljeli–Thom´ e–Videau– grandpa’s FFS”: 2013.02 Joux, glu–Granger– ¨ agel, 2013.05 glu–Granger–McGuire– 2013.06 Barbulescu– Gaudry–Joux–Thom´ e. Reasonable conjectures for fixed characteristic: FFS costs ✔❚ where log ❚ ✷ (log q)1❂3+♦(1). 2013.02 Joux algorithm: log ❚ ✷ (log q)1❂4+♦(1). 2013.06 Barbulescu–Gaudry– Joux–Thom´ e algorithm: log ❚ ✷ (log log q)2+♦(1). 1994 Shor algorithm: log ❚ ✷ (log log q)1+♦(1), proven; but needs a quantum computer. Field construction I’ll make simplifying q = ♣2♥ where ♣ is an odd prime ♥ ✷ Z, ♣♣ ✔ ♥ ✔ ♣ Most interesting: ♥ ✙ ♣ Example: ♣ = 1009, ♥ (Can you find all p ♣2♥ 1 = (♣♥ 1)(♣♥ Find “random” poly

♣ ①

with an irreducible ✬ of degree ♥. Construct Fq as F♣ ① ❂✬

Hayashi– akagi, –Bouvier– Detrey–Gaudry–Jeljeli–Thom´ e– 2013.04 rbulescu–Bouvier–Detrey– e–Videau– FFS”: Joux, 2013.05 glu–Granger–McGuire– rbulescu– Reasonable conjectures for fixed characteristic: FFS costs ✔❚ where log ❚ ✷ (log q)1❂3+♦(1). 2013.02 Joux algorithm: log ❚ ✷ (log q)1❂4+♦(1). 2013.06 Barbulescu–Gaudry– Joux–Thom´ e algorithm: log ❚ ✷ (log log q)2+♦(1). 1994 Shor algorithm: log ❚ ✷ (log log q)1+♦(1), proven; but needs a quantum computer. Field construction I’ll make simplifying assumption: q = ♣2♥ where ♣ is an odd prime power, ♥ ✷ Z, ♣♣ ✔ ♥ ✔ ♣. Most interesting: ♥ ✙ ♣. Example: ♣ = 1009, ♥ = 997. (Can you find all primes dividing ♣2♥ 1 = (♣♥ 1)(♣♥ + 1)?) Find “random” poly in F♣2[① with an irreducible divisor ✬ of degree ♥. Construct Fq as F♣2[①]❂✬.

Reasonable conjectures for fixed characteristic: FFS costs ✔❚ where log ❚ ✷ (log q)1❂3+♦(1). 2013.02 Joux algorithm: log ❚ ✷ (log q)1❂4+♦(1). 2013.06 Barbulescu–Gaudry– Joux–Thom´ e algorithm: log ❚ ✷ (log log q)2+♦(1). 1994 Shor algorithm: log ❚ ✷ (log log q)1+♦(1), proven; but needs a quantum computer. Field construction I’ll make simplifying assumption: q = ♣2♥ where ♣ is an odd prime power, ♥ ✷ Z, ♣♣ ✔ ♥ ✔ ♣. Most interesting: ♥ ✙ ♣. Example: ♣ = 1009, ♥ = 997. (Can you find all primes dividing ♣2♥ 1 = (♣♥ 1)(♣♥ + 1)?) Find “random” poly in F♣2[①] with an irreducible divisor ✬ of degree ♥. Construct Fq as F♣2[①]❂✬.

Reasonable conjectures xed characteristic: costs ✔❚ where ❚ ✷ (log q)1❂3+♦(1). 2013.02 Joux algorithm: ❚ ✷ (log q)1❂4+♦(1). 2013.06 Barbulescu–Gaudry– Joux–Thom´ e algorithm: ❚ ✷ (log log q)2+♦(1). Shor algorithm: ❚ ✷ (log log q)1+♦(1), proven; needs a quantum computer. Field construction I’ll make simplifying assumption: q = ♣2♥ where ♣ is an odd prime power, ♥ ✷ Z, ♣♣ ✔ ♥ ✔ ♣. Most interesting: ♥ ✙ ♣. Example: ♣ = 1009, ♥ = 997. (Can you find all primes dividing ♣2♥ 1 = (♣♥ 1)(♣♥ + 1)?) Find “random” poly in F♣2[①] with an irreducible divisor ✬ of degree ♥. Construct Fq as F♣2[①]❂✬. How many What’s chance r ✷

♣ ①

has an ir ✬ of degree ♥ For ♥ ✔ r ❁ ♥ express each r uniquely ✬ ✁ ✙(♣2)deg r r ✙(♣2)♥❂♥ ✬ ✙(♣2)deg r♥ ✮ chance ✙ ❂♥ r Similar sto r ✕ ♥ Factoring r ✮ Quickly r ✬

conjectures racteristic: ✔❚ where ❚ ✷ q

❂3+♦(1).

algorithm: ❚ ✷ q

❂4+♦(1).

rbulescu–Gaudry– algorithm: ❚ ✷ q)2+♦(1). rithm: ❚ ✷ q)1+♦(1), proven; quantum computer. Field construction I’ll make simplifying assumption: q = ♣2♥ where ♣ is an odd prime power, ♥ ✷ Z, ♣♣ ✔ ♥ ✔ ♣. Most interesting: ♥ ✙ ♣. Example: ♣ = 1009, ♥ = 997. (Can you find all primes dividing ♣2♥ 1 = (♣♥ 1)(♣♥ + 1)?) Find “random” poly in F♣2[①] with an irreducible divisor ✬ of degree ♥. Construct Fq as F♣2[①]❂✬. How many polys to What’s chance that r ✷

♣ ①

has an irreducible ✬ of degree ♥? For ♥ ✔ deg r ❁ 2♥ express each successful r uniquely as ✬ ✁ cofacto ✙(♣2)deg r+1 polys r ✙(♣2)♥❂♥ monic irreds ✬ ✙(♣2)deg r♥+1 cofacto ✮ chance ✙1❂♥ that r Similar story for deg r ✕ ♥ Factoring r is fast. ✮ Quickly find r, ✬

✔❚ ❚ ✷ q

❂ ♦

❚ ✷ q

❂ ♦

–Gaudry– ❚ ✷ q

♦

❚ ✷ q

♦

roven; computer. Field construction I’ll make simplifying assumption: q = ♣2♥ where ♣ is an odd prime power, ♥ ✷ Z, ♣♣ ✔ ♥ ✔ ♣. Most interesting: ♥ ✙ ♣. Example: ♣ = 1009, ♥ = 997. (Can you find all primes dividing ♣2♥ 1 = (♣♥ 1)(♣♥ + 1)?) Find “random” poly in F♣2[①] with an irreducible divisor ✬ of degree ♥. Construct Fq as F♣2[①]❂✬. How many polys to try? What’s chance that r ✷ F♣2[① has an irreducible divisor ✬ of degree ♥? For ♥ ✔ deg r ❁ 2♥: express each successful r uniquely as ✬ ✁ cofactor. ✙(♣2)deg r+1 polys r, ✙(♣2)♥❂♥ monic irreds ✬, ✙(♣2)deg r♥+1 cofactors ✮ chance ✙1❂♥ that r works. Similar story for deg r ✕ 2♥. Factoring r is fast. ✮ Quickly find r, ✬.

Field construction I’ll make simplifying assumption: q = ♣2♥ where ♣ is an odd prime power, ♥ ✷ Z, ♣♣ ✔ ♥ ✔ ♣. Most interesting: ♥ ✙ ♣. Example: ♣ = 1009, ♥ = 997. (Can you find all primes dividing ♣2♥ 1 = (♣♥ 1)(♣♥ + 1)?) Find “random” poly in F♣2[①] with an irreducible divisor ✬ of degree ♥. Construct Fq as F♣2[①]❂✬. How many polys to try? What’s chance that r ✷ F♣2[①] has an irreducible divisor ✬ of degree ♥? For ♥ ✔ deg r ❁ 2♥: express each successful r uniquely as ✬ ✁ cofactor. ✙(♣2)deg r+1 polys r, ✙(♣2)♥❂♥ monic irreds ✬, ✙(♣2)deg r♥+1 cofactors ✮ chance ✙1❂♥ that r works. Similar story for deg r ✕ 2♥. Factoring r is fast. ✮ Quickly find r, ✬.

construction make simplifying assumption: q ♣ ♥ where ♣

• dd prime power,

♥ ✷ , ♣♣ ✔ ♥ ✔ ♣. interesting: ♥ ✙ ♣. Example: ♣ = 1009, ♥ = 997.

• u find all primes dividing

♣ ♥ 1 = (♣♥ 1)(♣♥ + 1)?) “random” poly in F♣2[①] an irreducible divisor ✬ degree ♥. Construct Fq as F♣2[①]❂✬. How many polys to try? What’s chance that r ✷ F♣2[①] has an irreducible divisor ✬ of degree ♥? For ♥ ✔ deg r ❁ 2♥: express each successful r uniquely as ✬ ✁ cofactor. ✙(♣2)deg r+1 polys r, ✙(♣2)♥❂♥ monic irreds ✬, ✙(♣2)deg r♥+1 cofactors ✮ chance ✙1❂♥ that r works. Similar story for deg r ✕ 2♥. Factoring r is fast. ✮ Quickly find r, ✬. Don’t use (Starting Find ✬ dividing ①♣ ①2 ☞ ☞ ✷

♣

Then ①♣ ① ☞

q

♣2 choices ☞ ✷

♣

so overwhelmingly that at least e.g. ♣ = ♥ can have ☞ ☞ Easily generalize: ①♣ = ①2 ☞① ✌ ①♣ = (① ☞ ❂ ① ✌ But larger

construction simplifying assumption: q ♣ ♥ ♣ rime power, ♥ ✷ ♣♣ ✔ ♥ ✔ ♣. interesting: ♥ ✙ ♣. ♣ 1009, ♥ = 997. all primes dividing ♣ ♥ ♣♥ 1)(♣♥ + 1)?) poly in F♣2[①] le divisor ✬ ♥

q

F♣2[①]❂✬. How many polys to try? What’s chance that r ✷ F♣2[①] has an irreducible divisor ✬ of degree ♥? For ♥ ✔ deg r ❁ 2♥: express each successful r uniquely as ✬ ✁ cofactor. ✙(♣2)deg r+1 polys r, ✙(♣2)♥❂♥ monic irreds ✬, ✙(♣2)deg r♥+1 cofactors ✮ chance ✙1❂♥ that r works. Similar story for deg r ✕ 2♥. Factoring r is fast. ✮ Quickly find r, ✬. Don’t use random (Starting now: aban Find ✬ dividing ①♣ ①2 ☞ for some ☞ ✷

♣

Then ①♣ = ①2 + ☞

q

♣2 choices of ☞ ✷ F♣ so overwhelmingly that at least one w e.g. ♣ = 1009, ♥ = can have ☞2 + 92☞ Easily generalize: e.g., ①♣ = ①2 + ☞① + ✌ ①♣ = (① + ☞)❂(① + ✌ But larger degrees

assumption: q ♣ ♥ ♣ ♥ ✷ ♣♣ ✔ ♥ ✔ ♣ ♥ ✙ ♣ ♣ ♥ 997. dividing ♣ ♥ ♣♥ ♣♥ 1)?)

♣ [①]

✬ ♥

q ♣ ① ❂✬.

How many polys to try? What’s chance that r ✷ F♣2[①] has an irreducible divisor ✬ of degree ♥? For ♥ ✔ deg r ❁ 2♥: express each successful r uniquely as ✬ ✁ cofactor. ✙(♣2)deg r+1 polys r, ✙(♣2)♥❂♥ monic irreds ✬, ✙(♣2)deg r♥+1 cofactors ✮ chance ✙1❂♥ that r works. Similar story for deg r ✕ 2♥. Factoring r is fast. ✮ Quickly find r, ✬. Don’t use random polys! (Starting now: abandon proofs.) Find ✬ dividing ①♣ ①2 ☞ for some ☞ ✷ F♣ Then ①♣ = ①2 + ☞ in Fq. ♣2 choices of ☞ ✷ F♣2, so overwhelmingly likely that at least one works. e.g. ♣ = 1009, ♥ = 997: can have ☞2 + 92☞ + 447 = Easily generalize: e.g., take ①♣ = ①2 + ☞① + ✌ or ①♣ = (① + ☞)❂(① + ✌). But larger degrees are slower.

How many polys to try? What’s chance that r ✷ F♣2[①] has an irreducible divisor ✬ of degree ♥? For ♥ ✔ deg r ❁ 2♥: express each successful r uniquely as ✬ ✁ cofactor. ✙(♣2)deg r+1 polys r, ✙(♣2)♥❂♥ monic irreds ✬, ✙(♣2)deg r♥+1 cofactors ✮ chance ✙1❂♥ that r works. Similar story for deg r ✕ 2♥. Factoring r is fast. ✮ Quickly find r, ✬. Don’t use random polys! (Starting now: abandon proofs.) Find ✬ dividing ①♣ ①2 ☞ for some ☞ ✷ F♣2. Then ①♣ = ①2 + ☞ in Fq. ♣2 choices of ☞ ✷ F♣2, so overwhelmingly likely that at least one works. e.g. ♣ = 1009, ♥ = 997: can have ☞2 + 92☞ + 447 = 0. Easily generalize: e.g., take ①♣ = ①2 + ☞① + ✌ or ①♣ = (① + ☞)❂(① + ✌). But larger degrees are slower.

many polys to try? What’s chance that r ✷ F♣2[①] irreducible divisor ✬ degree ♥? ♥ ✔ deg r ❁ 2♥: ress each successful r uniquely as ✬ ✁ cofactor. ✙ ♣

deg r+1 polys r,

✙ ♣

♥❂♥ monic irreds ✬,

✙ ♣

deg r♥+1 cofactors ✮

✙1❂♥ that r works. r story for deg r ✕ 2♥. ring r is fast. ✮ Quickly find r, ✬. Don’t use random polys! (Starting now: abandon proofs.) Find ✬ dividing ①♣ ①2 ☞ for some ☞ ✷ F♣2. Then ①♣ = ①2 + ☞ in Fq. ♣2 choices of ☞ ✷ F♣2, so overwhelmingly likely that at least one works. e.g. ♣ = 1009, ♥ = 997: can have ☞2 + 92☞ + 447 = 0. Easily generalize: e.g., take ①♣ = ①2 + ☞① + ✌ or ①♣ = (① + ☞)❂(① + ✌). But larger degrees are slower. Low-degree First step build table ❤ ✼✦

❣ ❤

each small ❤ ✷

♣ ① ✬ ♣ ①

Easily cho ❣ “Small ❤ ❤ ✔ ❉ ❉ ✕ 1; ❉ ✷ ❖ ♥❂ ♥

to try? that r ✷ F♣2[①] ucible divisor ✬ ♥ ♥ ✔ r ❁ 2♥: successful r ✬ ✁ cofactor. ✙ ♣

r

• lys r,

✙ ♣

♥❂♥ monic irreds ✬,

✙ ♣

r♥

cofactors ✮ ✙ ❂♥ that r works. deg r ✕ 2♥. r fast. ✮ r, ✬. Don’t use random polys! (Starting now: abandon proofs.) Find ✬ dividing ①♣ ①2 ☞ for some ☞ ✷ F♣2. Then ①♣ = ①2 + ☞ in Fq. ♣2 choices of ☞ ✷ F♣2, so overwhelmingly likely that at least one works. e.g. ♣ = 1009, ♥ = 997: can have ☞2 + 92☞ + 447 = 0. Easily generalize: e.g., take ①♣ = ①2 + ☞① + ✌ or ①♣ = (① + ☞)❂(① + ✌). But larger degrees are slower. Low-degree discrete First step of algorithm: build table of ❤ ✼✦

❣ ❤

each small ❤ ✷ F♣2 ① ✬ ♣ ① Easily choose ❣ at “Small ❤”: deg ❤ ✔ ❉ ❉ ✕ 1; ❉ ✷ ❖(log ♥❂ ♥

r ✷

♣2[①]

✬ ♥ ♥ ✔ r ❁ ♥ r ✬ ✁ ✙ ♣

r

r ✙ ♣

♥❂♥

✬ ✙ ♣

r♥

✮ ✙ ❂♥ r ks. r ✕ ♥. r ✮ r ✬ Don’t use random polys! (Starting now: abandon proofs.) Find ✬ dividing ①♣ ①2 ☞ for some ☞ ✷ F♣2. Then ①♣ = ①2 + ☞ in Fq. ♣2 choices of ☞ ✷ F♣2, so overwhelmingly likely that at least one works. e.g. ♣ = 1009, ♥ = 997: can have ☞2 + 92☞ + 447 = 0. Easily generalize: e.g., take ①♣ = ①2 + ☞① + ✌ or ①♣ = (① + ☞)❂(① + ✌). But larger degrees are slower. Low-degree discrete logs First step of algorithm: build table of ❤ ✼✦ log❣ ❤ for each small ❤ ✷ F♣2[①] ✬F♣ ① Easily choose ❣ at same time. “Small ❤”: deg ❤ ✔ ❉. Cho ❉ ✕ 1; ❉ ✷ ❖(log ♥❂ log log ♥

Don’t use random polys! (Starting now: abandon proofs.) Find ✬ dividing ①♣ ①2 ☞ for some ☞ ✷ F♣2. Then ①♣ = ①2 + ☞ in Fq. ♣2 choices of ☞ ✷ F♣2, so overwhelmingly likely that at least one works. e.g. ♣ = 1009, ♥ = 997: can have ☞2 + 92☞ + 447 = 0. Easily generalize: e.g., take ①♣ = ①2 + ☞① + ✌ or ①♣ = (① + ☞)❂(① + ✌). But larger degrees are slower. Low-degree discrete logs First step of algorithm: build table of ❤ ✼✦ log❣ ❤ for each small ❤ ✷ F♣2[①] ✬F♣2[①]. Easily choose ❣ at same time. “Small ❤”: deg ❤ ✔ ❉. Choose ❉ ✕ 1; ❉ ✷ ❖(log ♥❂ log log ♥).

Don’t use random polys! (Starting now: abandon proofs.) Find ✬ dividing ①♣ ①2 ☞ for some ☞ ✷ F♣2. Then ①♣ = ①2 + ☞ in Fq. ♣2 choices of ☞ ✷ F♣2, so overwhelmingly likely that at least one works. e.g. ♣ = 1009, ♥ = 997: can have ☞2 + 92☞ + 447 = 0. Easily generalize: e.g., take ①♣ = ①2 + ☞① + ✌ or ①♣ = (① + ☞)❂(① + ✌). But larger degrees are slower. Low-degree discrete logs First step of algorithm: build table of ❤ ✼✦ log❣ ❤ for each small ❤ ✷ F♣2[①] ✬F♣2[①]. Easily choose ❣ at same time. “Small ❤”: deg ❤ ✔ ❉. Choose ❉ ✕ 1; ❉ ✷ ❖(log ♥❂ log log ♥). Non-uniform approach: algorithm ❆q knows table!

Don’t use random polys! (Starting now: abandon proofs.) Find ✬ dividing ①♣ ①2 ☞ for some ☞ ✷ F♣2. Then ①♣ = ①2 + ☞ in Fq. ♣2 choices of ☞ ✷ F♣2, so overwhelmingly likely that at least one works. e.g. ♣ = 1009, ♥ = 997: can have ☞2 + 92☞ + 447 = 0. Easily generalize: e.g., take ①♣ = ①2 + ☞① + ✌ or ①♣ = (① + ☞)❂(① + ✌). But larger degrees are slower. Low-degree discrete logs First step of algorithm: build table of ❤ ✼✦ log❣ ❤ for each small ❤ ✷ F♣2[①] ✬F♣2[①]. Easily choose ❣ at same time. “Small ❤”: deg ❤ ✔ ❉. Choose ❉ ✕ 1; ❉ ✷ ❖(log ♥❂ log log ♥). Non-uniform approach: algorithm ❆q knows table! Two reasons to be more explicit:

• 1. Want ❆ with q as an input.
• 2. Method to build table

will be reused for larger ❤.

use random polys! rting now: abandon proofs.) ✬ dividing ①♣ ①2 ☞ for some ☞ ✷ F♣2. ①♣ = ①2 + ☞ in Fq. ♣ choices of ☞ ✷ F♣2,

• verwhelmingly likely

at least one works. ♣ = 1009, ♥ = 997: have ☞2 + 92☞ + 447 = 0. generalize: e.g., take ①♣ ①2 + ☞① + ✌ or ①♣ ① + ☞)❂(① + ✌). rger degrees are slower. Low-degree discrete logs First step of algorithm: build table of ❤ ✼✦ log❣ ❤ for each small ❤ ✷ F♣2[①] ✬F♣2[①]. Easily choose ❣ at same time. “Small ❤”: deg ❤ ✔ ❉. Choose ❉ ✕ 1; ❉ ✷ ❖(log ♥❂ log log ♥). Non-uniform approach: algorithm ❆q knows table! Two reasons to be more explicit:

• 1. Want ❆ with q as an input.
• 2. Method to build table

will be reused for larger ❤. The first ❉ ◗

☛✷F♣(① ☛ ✑ ① ①

☞ “✑” for

♣ ①

①♣ ①2 ☞

q

Hope that ① ① ☞ splits in

♣ ①

❢ ✁ ❢ Not an un ✙50% of Then log❣ ❢

❣ ❢

P

☛✷F♣ log❣ ① ☛

This is a among discrete

• f monic

random polys! abandon proofs.) ✬ ①♣ ① ☞ some ☞ ✷ F♣2. ①♣ ① ☞ in Fq. ♣ ☞ ✷ F♣2,

• verwhelmingly likely

works. ♣ ♥ = 997: ☞ 92☞ + 447 = 0. generalize: e.g., take ①♣ ① ☞① ✌ or ①♣ ① ☞ ❂ ① + ✌). degrees are slower. Low-degree discrete logs First step of algorithm: build table of ❤ ✼✦ log❣ ❤ for each small ❤ ✷ F♣2[①] ✬F♣2[①]. Easily choose ❣ at same time. “Small ❤”: deg ❤ ✔ ❉. Choose ❉ ✕ 1; ❉ ✷ ❖(log ♥❂ log log ♥). Non-uniform approach: algorithm ❆q knows table! Two reasons to be more explicit:

• 1. Want ❆ with q as an input.
• 2. Method to build table

will be reused for larger ❤. The first relation fo ❉ ◗

☛✷F♣(① ☛) ✑ ① ①

☞ “✑” for F♣2[①]: equal ①♣ ①2 ☞; force

q

Hope that ①2 ① + ☞ splits in F♣2[①], say ❢ ✁ ❢ Not an unreasonable ✙50% of quadratics Then log❣ ❢1 + log❣ ❢ P

☛✷F♣ log❣(① ☛

This is a “relation” among discrete logs

• f monic linear polys.

roofs.) ✬ ①♣ ① ☞ ☞ ✷ F♣2. ①♣ ① ☞

q

♣ ☞ ✷

♣

♣ ♥ ☞ ☞ = 0. e ①♣ ① ☞① ✌ ①♣ ① ☞ ❂ ① ✌ er. Low-degree discrete logs First step of algorithm: build table of ❤ ✼✦ log❣ ❤ for each small ❤ ✷ F♣2[①] ✬F♣2[①]. Easily choose ❣ at same time. “Small ❤”: deg ❤ ✔ ❉. Choose ❉ ✕ 1; ❉ ✷ ❖(log ♥❂ log log ♥). Non-uniform approach: algorithm ❆q knows table! Two reasons to be more explicit:

• 1. Want ❆ with q as an input.
• 2. Method to build table

will be reused for larger ❤. The first relation for ❉ = 1 ◗

☛✷F♣(① ☛) ✑ ①2 ① + ☞

“✑” for F♣2[①]: equal mod ①♣ ①2 ☞; forces = in Fq. Hope that ①2 ① + ☞ splits in F♣2[①], say as ❢1 ✁ ❢2 Not an unreasonable hope: ✙50% of quadratics split. Then log❣ ❢1 + log❣ ❢2 = P

☛✷F♣ log❣(① ☛).

This is a “relation” among discrete logs

• f monic linear polys.

Low-degree discrete logs First step of algorithm: build table of ❤ ✼✦ log❣ ❤ for each small ❤ ✷ F♣2[①] ✬F♣2[①]. Easily choose ❣ at same time. “Small ❤”: deg ❤ ✔ ❉. Choose ❉ ✕ 1; ❉ ✷ ❖(log ♥❂ log log ♥). Non-uniform approach: algorithm ❆q knows table! Two reasons to be more explicit:

• 1. Want ❆ with q as an input.
• 2. Method to build table

will be reused for larger ❤. The first relation for ❉ = 1 ◗

☛✷F♣(① ☛) ✑ ①2 ① + ☞.

“✑” for F♣2[①]: equal mod ①♣ ①2 ☞; forces = in Fq. Hope that ①2 ① + ☞ splits in F♣2[①], say as ❢1 ✁ ❢2. Not an unreasonable hope: ✙50% of quadratics split. Then log❣ ❢1 + log❣ ❢2 = P

☛✷F♣ log❣(① ☛).

This is a “relation” among discrete logs

• f monic linear polys.

w-degree discrete logs step of algorithm: table of ❤ ✼✦ log❣ ❤ for small ❤ ✷ F♣2[①] ✬F♣2[①]. choose ❣ at same time. “Small ❤”: deg ❤ ✔ ❉. Choose ❉ ✕ 1; ❉ ✷ ❖(log ♥❂ log log ♥). Non-uniform approach: rithm ❆q knows table! reasons to be more explicit: ant ❆ with q as an input. Method to build table reused for larger ❤. The first relation for ❉ = 1 ◗

☛✷F♣(① ☛) ✑ ①2 ① + ☞.

“✑” for F♣2[①]: equal mod ①♣ ①2 ☞; forces = in Fq. Hope that ①2 ① + ☞ splits in F♣2[①], say as ❢1 ✁ ❢2. Not an unreasonable hope: ✙50% of quadratics split. Then log❣ ❢1 + log❣ ❢2 = P

☛✷F♣ log❣(① ☛).

This is a “relation” among discrete logs

• f monic linear polys.

More relations ❉ For ❛❀ ❜❀ ❝❀ ❞ ✷

♣

(❝① + ❞) ❨

☛✷ ♣

❛① ❜ ☛ ❝① ❞ = (❝① + ❞ ❛① ❜ ♣ (❛① + ❜ ❝① ❞ ♣ = (❝① + ❞ ❛♣①♣ ❜♣ (❛① + ❜ ❝♣①♣ ❞♣ ✑ (❝① + ❞ ❛♣ ① ☞ ❜♣ (❛① + ❜ ❝♣ ① ☞ ❞♣ Left side linear polys

♣ ①

Often right

discrete logs algorithm: ❤ ✼✦ log❣ ❤ for ❤ ✷ F♣2[①] ✬F♣2[①]. ❣ at same time. ❤ ❤ ✔ ❉. Choose ❉ ✕ ❉ ✷ ❖(log ♥❂ log log ♥). roach: ❆q knows table! be more explicit: ❆ q as an input. build table r larger ❤. The first relation for ❉ = 1 ◗

☛✷F♣(① ☛) ✑ ①2 ① + ☞.

“✑” for F♣2[①]: equal mod ①♣ ①2 ☞; forces = in Fq. Hope that ①2 ① + ☞ splits in F♣2[①], say as ❢1 ✁ ❢2. Not an unreasonable hope: ✙50% of quadratics split. Then log❣ ❢1 + log❣ ❢2 = P

☛✷F♣ log❣(① ☛).

This is a “relation” among discrete logs

• f monic linear polys.

More relations for ❉ For ❛❀ ❜❀ ❝❀ ❞ ✷ F♣2 (❝① + ❞) ❨

☛✷F♣

(❛① + ❜ ☛ ❝① ❞ = (❝① + ❞)(❛① + ❜ ♣ (❛① + ❜)(❝① + ❞ ♣ = (❝① + ❞)(❛♣①♣ + ❜♣ (❛① + ❜)(❝♣①♣ + ❞♣ ✑ (❝① + ❞)(❛♣(①2 + ☞ ❜♣ (❛① + ❜)(❝♣(①2 + ☞ ❞♣ Left side is product linear polys in F♣2[① Often right side is

❤ ✼✦

❣ ❤ for

❤ ✷

♣ ① ✬F♣2[①].

❣ time. ❤ ❤ ✔ ❉ Choose ❉ ✕ ❉ ✷ ❖ ♥❂ log ♥). ❆q explicit: ❆ q input. ❤. The first relation for ❉ = 1 ◗

☛✷F♣(① ☛) ✑ ①2 ① + ☞.

“✑” for F♣2[①]: equal mod ①♣ ①2 ☞; forces = in Fq. Hope that ①2 ① + ☞ splits in F♣2[①], say as ❢1 ✁ ❢2. Not an unreasonable hope: ✙50% of quadratics split. Then log❣ ❢1 + log❣ ❢2 = P

☛✷F♣ log❣(① ☛).

This is a “relation” among discrete logs

• f monic linear polys.

More relations for ❉ = 1 For ❛❀ ❜❀ ❝❀ ❞ ✷ F♣2: (❝① + ❞) ❨

☛✷F♣

(❛① + ❜ ☛(❝① ❞ = (❝① + ❞)(❛① + ❜)♣ (❛① + ❜)(❝① + ❞)♣ = (❝① + ❞)(❛♣①♣ + ❜♣) (❛① + ❜)(❝♣①♣ + ❞♣) ✑ (❝① + ❞)(❛♣(①2 + ☞) + ❜♣) (❛① + ❜)(❝♣(①2 + ☞) + ❞♣). Left side is product of linear polys in F♣2[①]. Often right side is too.

The first relation for ❉ = 1 ◗

☛✷F♣(① ☛) ✑ ①2 ① + ☞.

“✑” for F♣2[①]: equal mod ①♣ ①2 ☞; forces = in Fq. Hope that ①2 ① + ☞ splits in F♣2[①], say as ❢1 ✁ ❢2. Not an unreasonable hope: ✙50% of quadratics split. Then log❣ ❢1 + log❣ ❢2 = P

☛✷F♣ log❣(① ☛).

This is a “relation” among discrete logs

• f monic linear polys.

More relations for ❉ = 1 For ❛❀ ❜❀ ❝❀ ❞ ✷ F♣2: (❝① + ❞) ❨

☛✷F♣

(❛① + ❜ ☛(❝① + ❞)) = (❝① + ❞)(❛① + ❜)♣ (❛① + ❜)(❝① + ❞)♣ = (❝① + ❞)(❛♣①♣ + ❜♣) (❛① + ❜)(❝♣①♣ + ❞♣) ✑ (❝① + ❞)(❛♣(①2 + ☞) + ❜♣) (❛① + ❜)(❝♣(①2 + ☞) + ❞♣). Left side is product of linear polys in F♣2[①]. Often right side is too.

first relation for ❉ = 1 ◗

☛✷ ♣(① ☛) ✑ ①2 ① + ☞.

✑ r F♣2[①]: equal mod ①♣ ①2 ☞; forces = in Fq. that ①2 ① + ☞ in F♣2[①], say as ❢1 ✁ ❢2. unreasonable hope: ✙

• f quadratics split.

log❣ ❢1 + log❣ ❢2 = P

☛✷ ♣ log❣(① ☛).

a “relation” discrete logs monic linear polys. More relations for ❉ = 1 For ❛❀ ❜❀ ❝❀ ❞ ✷ F♣2: (❝① + ❞) ❨

☛✷F♣

(❛① + ❜ ☛(❝① + ❞)) = (❝① + ❞)(❛① + ❜)♣ (❛① + ❜)(❝① + ❞)♣ = (❝① + ❞)(❛♣①♣ + ❜♣) (❛① + ❜)(❝♣①♣ + ❞♣) ✑ (❝① + ❞)(❛♣(①2 + ☞) + ❜♣) (❛① + ❜)(❝♣(①2 + ☞) + ❞♣). Left side is product of linear polys in F♣2[①]. Often right side is too. ✕ ✷ F✄

♣2❀ ▼

❛

❝ ❜ ❞

✁ ✷

♣

✮ ▼❀ ✕▼ ♠ ✷ GL2

♣ ❀ ▼ ✷ ♣

✮ ▼❀ ♠▼ No other Is there a the set of

♣

in PGL2( ♣ Cremona

✄ ♣ ❂ ✄ ♣

Bartel gives Mindless is not a real but want

for ❉ = 1 ◗

☛✷ ♣ ① ☛ ✑ ①2 ① + ☞.

✑

♣ ①

equal mod ①♣ ① ☞ rces = in Fq. ① ① + ☞

♣ ①

say as ❢1 ✁ ❢2. reasonable hope: ✙ atics split.

❣ ❢

log❣ ❢2 = P

☛✷ ♣ ❣ ① ☛).

“relation” logs

• lys.

More relations for ❉ = 1 For ❛❀ ❜❀ ❝❀ ❞ ✷ F♣2: (❝① + ❞) ❨

☛✷F♣

(❛① + ❜ ☛(❝① + ❞)) = (❝① + ❞)(❛① + ❜)♣ (❛① + ❜)(❝① + ❞)♣ = (❝① + ❞)(❛♣①♣ + ❜♣) (❛① + ❜)(❝♣①♣ + ❞♣) ✑ (❝① + ❞)(❛♣(①2 + ☞) + ❜♣) (❛① + ❜)(❝♣(①2 + ☞) + ❞♣). Left side is product of linear polys in F♣2[①]. Often right side is too. ✕ ✷ F✄

♣2❀ ▼ =

❛

❝ ❜ ❞

✁ ✷

♣

✮ ▼❀ ✕▼ are redu ♠ ✷ GL2(F♣)❀ ▼ ✷

♣

✮ ▼❀ ♠▼ are redu No other obvious redundancies. Is there a nice way the set of cosets of

♣

in PGL2(F♣2)? Best Cremona points me

✄ ♣ ❂ ✄ ♣

Bartel gives solution Mindless enumeration is not a real bottleneck but want fast multip

❉ 1 ◗

☛✷ ♣ ① ☛ ✑ ① ①

☞. ✑

♣ ①

d ①♣ ① ☞ Fq. ① ① ☞

♣ ①

❢ ✁ ❢2. e: ✙

❣ ❢ ❣ ❢

P

☛✷ ♣ ❣ ① ☛

More relations for ❉ = 1 For ❛❀ ❜❀ ❝❀ ❞ ✷ F♣2: (❝① + ❞) ❨

☛✷F♣

(❛① + ❜ ☛(❝① + ❞)) = (❝① + ❞)(❛① + ❜)♣ (❛① + ❜)(❝① + ❞)♣ = (❝① + ❞)(❛♣①♣ + ❜♣) (❛① + ❜)(❝♣①♣ + ❞♣) ✑ (❝① + ❞)(❛♣(①2 + ☞) + ❜♣) (❛① + ❜)(❝♣(①2 + ☞) + ❞♣). Left side is product of linear polys in F♣2[①]. Often right side is too. ✕ ✷ F✄

♣2❀ ▼ =

❛

❝ ❜ ❞

✁ ✷ GL2(F♣ ✮ ▼❀ ✕▼ are redundant. ♠ ✷ GL2(F♣)❀ ▼ ✷ GL2(F♣2 ✮ ▼❀ ♠▼ are redundant. No other obvious redundancies. Is there a nice way to represent the set of cosets of PGL2(F♣ in PGL2(F♣2)? Best hints so Cremona points me to F✄

♣4❂F✄ ♣

Bartel gives solution for GL2 Mindless enumeration of cosets is not a real bottleneck here but want fast multipoint eval.

More relations for ❉ = 1 For ❛❀ ❜❀ ❝❀ ❞ ✷ F♣2: (❝① + ❞) ❨

☛✷F♣

(❛① + ❜ ☛(❝① + ❞)) = (❝① + ❞)(❛① + ❜)♣ (❛① + ❜)(❝① + ❞)♣ = (❝① + ❞)(❛♣①♣ + ❜♣) (❛① + ❜)(❝♣①♣ + ❞♣) ✑ (❝① + ❞)(❛♣(①2 + ☞) + ❜♣) (❛① + ❜)(❝♣(①2 + ☞) + ❞♣). Left side is product of linear polys in F♣2[①]. Often right side is too. ✕ ✷ F✄

♣2❀ ▼ =

❛

❝ ❜ ❞

✁ ✷ GL2(F♣2) ✮ ▼❀ ✕▼ are redundant. ♠ ✷ GL2(F♣)❀ ▼ ✷ GL2(F♣2) ✮ ▼❀ ♠▼ are redundant. No other obvious redundancies. Is there a nice way to represent the set of cosets of PGL2(F♣) in PGL2(F♣2)? Best hints so far: Cremona points me to F✄

♣4❂F✄ ♣2;

Bartel gives solution for GL2. Mindless enumeration of cosets is not a real bottleneck here but want fast multipoint eval.

relations for ❉ = 1 ❛❀ ❜❀ ❝❀ ❞ ✷ F♣2: ❝① ❞) ❨

☛✷F♣

(❛① + ❜ ☛(❝① + ❞)) ❝① + ❞)(❛① + ❜)♣ ❛① + ❜)(❝① + ❞)♣ ❝① + ❞)(❛♣①♣ + ❜♣) ❛① + ❜)(❝♣①♣ + ❞♣) ✑ ❝① + ❞)(❛♣(①2 + ☞) + ❜♣) ❛① + ❜)(❝♣(①2 + ☞) + ❞♣). side is product of polys in F♣2[①]. right side is too. ✕ ✷ F✄

♣2❀ ▼ =

❛

❝ ❜ ❞

✁ ✷ GL2(F♣2) ✮ ▼❀ ✕▼ are redundant. ♠ ✷ GL2(F♣)❀ ▼ ✷ GL2(F♣2) ✮ ▼❀ ♠▼ are redundant. No other obvious redundancies. Is there a nice way to represent the set of cosets of PGL2(F♣) in PGL2(F♣2)? Best hints so far: Cremona points me to F✄

♣4❂F✄ ♣2;

Bartel gives solution for GL2. Mindless enumeration of cosets is not a real bottleneck here but want fast multipoint eval. ♣3 + ♣ p conjecturally ✙ Each succee ✙ ❂ Only ♣2 Expect enough to determine (or most unless ♣ BGJT sa but fast gives better (How to

✄ ♣

Maybe cleanest: ①♣ ☞① where ☞

✄ ♣

for ❉ = 1 ❛❀ ❜❀ ❝❀ ❞ ✷

♣2:

❝① ❞ ❨

☛✷ ♣

❛① + ❜ ☛(❝① + ❞)) ❝① ❞ ❛① ❜)♣ ❛① ❜ ❝① ❞)♣ ❝① ❞ ❛♣①♣ + ❜♣) ❛① ❜ ❝♣①♣ + ❞♣) ✑ ❝① ❞ ❛♣ ①2 + ☞) + ❜♣) ❛① ❜ ❝♣ ①2 + ☞) + ❞♣). duct of

♣2[①].

is too. ✕ ✷ F✄

♣2❀ ▼ =

❛

❝ ❜ ❞

✁ ✷ GL2(F♣2) ✮ ▼❀ ✕▼ are redundant. ♠ ✷ GL2(F♣)❀ ▼ ✷ GL2(F♣2) ✮ ▼❀ ♠▼ are redundant. No other obvious redundancies. Is there a nice way to represent the set of cosets of PGL2(F♣) in PGL2(F♣2)? Best hints so far: Cremona points me to F✄

♣4❂F✄ ♣2;

Bartel gives solution for GL2. Mindless enumeration of cosets is not a real bottleneck here but want fast multipoint eval. ♣3 + ♣ potential relations, conjecturally ✙indep Each succeeds with ✙ ❂ Only ♣2 monic linea Expect enough relations to determine their (or most logs: ok unless ♣ is very small. BGJT say sparse linea but fast matrix multiplication gives better const (How to avoid annihilating

✄ ♣

Maybe cleanest: ①♣ ☞① where ☞ generates

✄ ♣

❉ ❛❀ ❜❀ ❝❀ ❞ ✷

♣

❝① ❞ ❨

☛✷ ♣

❛① ❜ ☛ ❝① + ❞)) ❝① ❞ ❛① ❜ ♣ ❛① ❜ ❝① ❞ ♣ ❝① ❞ ❛♣①♣ ❜♣ ❛① ❜ ❝♣①♣ ❞♣ ✑ ❝① ❞ ❛♣ ① ☞ ❜♣) ❛① ❜ ❝♣ ① ☞ ❞♣).

♣ ①

✕ ✷ F✄

♣2❀ ▼ =

❛

❝ ❜ ❞

✁ ✷ GL2(F♣2) ✮ ▼❀ ✕▼ are redundant. ♠ ✷ GL2(F♣)❀ ▼ ✷ GL2(F♣2) ✮ ▼❀ ♠▼ are redundant. No other obvious redundancies. Is there a nice way to represent the set of cosets of PGL2(F♣) in PGL2(F♣2)? Best hints so far: Cremona points me to F✄

♣4❂F✄ ♣2;

Bartel gives solution for GL2. Mindless enumeration of cosets is not a real bottleneck here but want fast multipoint eval. ♣3 + ♣ potential relations, conjecturally ✙independent. Each succeeds with chance ✙ ❂ Only ♣2 monic linear polys. Expect enough relations to determine their logs (or most logs: ok to miss a unless ♣ is very small. BGJT say sparse linear algeb but fast matrix multiplication gives better const in exponent. (How to avoid annihilating F✄

♣

Maybe cleanest: ①♣ = ☞①2 + where ☞ generates F✄

♣2.)

✕ ✷ F✄

♣2❀ ▼ =

❛

❝ ❜ ❞

✁ ✷ GL2(F♣2) ✮ ▼❀ ✕▼ are redundant. ♠ ✷ GL2(F♣)❀ ▼ ✷ GL2(F♣2) ✮ ▼❀ ♠▼ are redundant. No other obvious redundancies. Is there a nice way to represent the set of cosets of PGL2(F♣) in PGL2(F♣2)? Best hints so far: Cremona points me to F✄

♣4❂F✄ ♣2;

Bartel gives solution for GL2. Mindless enumeration of cosets is not a real bottleneck here but want fast multipoint eval. ♣3 + ♣ potential relations, conjecturally ✙independent. Each succeeds with chance ✙1❂6. Only ♣2 monic linear polys. Expect enough relations to determine their logs (or most logs: ok to miss a few), unless ♣ is very small. BGJT say sparse linear algebra; but fast matrix multiplication gives better const in exponent. (How to avoid annihilating F✄

♣2?

Maybe cleanest: ①♣ = ☞①2 + 1, where ☞ generates F✄

♣2.)

✕ ✷

✄ ♣2❀ ▼ =

❛

❝ ❜ ❞

✁ ✷ GL2(F♣2) ✮ ▼❀ ✕▼ are redundant. ♠ ✷ GL2(F♣)❀ ▼ ✷ GL2(F♣2) ✮ ▼❀ ♠▼ are redundant.

• ther obvious redundancies.

there a nice way to represent set of cosets of PGL2(F♣)

2(F♣2)? Best hints so far:

Cremona points me to F✄

♣4❂F✄ ♣2;

gives solution for GL2. Mindless enumeration of cosets a real bottleneck here ant fast multipoint eval. ♣3 + ♣ potential relations, conjecturally ✙independent. Each succeeds with chance ✙1❂6. Only ♣2 monic linear polys. Expect enough relations to determine their logs (or most logs: ok to miss a few), unless ♣ is very small. BGJT say sparse linear algebra; but fast matrix multiplication gives better const in exponent. (How to avoid annihilating F✄

♣2?

Maybe cleanest: ①♣ = ☞①2 + 1, where ☞ generates F✄

♣2.)

More relations ❉ For each ❤ ✷

♣ ①

(❝❤ + ❞) ❨

☛✷ ♣

❛❤ ❜ ☛ ❝❤ ❞ = (❝❤ + ❞ ❛❤ ❜ ♣ (❛❤ + ❜ ❝❤ ❞ ♣ = (❝❤ + ❞ ❛♣❤♣ ❜♣ (❛❤ + ❜ ❝♣❤♣ ❞♣ ✑ (❝❤ + ❞ ❛♣❤ ① ☞ ❜♣ (❛❤ + ❜ ❝♣❤ ① ☞ ❞♣ Left side sometimes ✙5% as ❉ ✦ ✶ ❂

✕ ✷

✄ ♣ ❀ ▼

❛

❝ ❜ ❞

✁ ✷ GL2(F♣2) ✮ ▼❀ ✕▼ dundant. ♠ ✷

♣ ❀ ▼ ✷ GL2(F♣2)

✮ ▼❀ ♠▼ redundant.

• bvious redundancies.

ay to represent

• f PGL2(F♣)

♣

Best hints so far: me to F✄

♣4❂F✄ ♣2;

solution for GL2. enumeration of cosets

• ttleneck here

multipoint eval. ♣3 + ♣ potential relations, conjecturally ✙independent. Each succeeds with chance ✙1❂6. Only ♣2 monic linear polys. Expect enough relations to determine their logs (or most logs: ok to miss a few), unless ♣ is very small. BGJT say sparse linear algebra; but fast matrix multiplication gives better const in exponent. (How to avoid annihilating F✄

♣2?

Maybe cleanest: ①♣ = ☞①2 + 1, where ☞ generates F✄

♣2.)

More relations for ❉ For each small ❤ ✷

♣ ①

(❝❤ + ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛ ❝❤ ❞ = (❝❤ + ❞)(❛❤ + ❜ ♣ (❛❤ + ❜)(❝❤ + ❞ ♣ = (❝❤ + ❞)(❛♣❤♣ + ❜♣ (❛❤ + ❜)(❝♣❤♣ + ❞♣ ✑ (❝❤ + ❞)(❛♣❤(①2 ☞ ❜♣ (❛❤ + ❜)(❝♣❤(①2 ☞ ❞♣ Left side is product sometimes right side ✙5% as ❉ ✦ ✶. ❂

✕ ✷

✄ ♣ ❀ ▼

❛

❝ ❜ ❞

✁ ✷ (F♣2) ✮ ▼❀ ✕▼ ♠ ✷

♣ ❀ ▼ ✷ ♣2)

✮ ▼❀ ♠▼ ndant. redundancies. resent F♣)

♣

so far:

✄ ♣ ❂F✄ ♣2;

GL2. cosets here eval. ♣3 + ♣ potential relations, conjecturally ✙independent. Each succeeds with chance ✙1❂6. Only ♣2 monic linear polys. Expect enough relations to determine their logs (or most logs: ok to miss a few), unless ♣ is very small. BGJT say sparse linear algebra; but fast matrix multiplication gives better const in exponent. (How to avoid annihilating F✄

♣2?

Maybe cleanest: ①♣ = ☞①2 + 1, where ☞ generates F✄

♣2.)

More relations for arbitrary ❉ For each small ❤ ✷ F♣2[①]: (❝❤ + ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛(❝❤ ❞ = (❝❤ + ❞)(❛❤ + ❜)♣ (❛❤ + ❜)(❝❤ + ❞)♣ = (❝❤ + ❞)(❛♣❤♣ + ❜♣) (❛❤ + ❜)(❝♣❤♣ + ❞♣) ✑ (❝❤ + ❞)(❛♣❤(①2 + ☞) + ❜♣ (❛❤ + ❜)(❝♣❤(①2 + ☞) + ❞♣ Left side is product of small sometimes right side is too. ✙5% as ❉ ✦ ✶. BGJT say ❂

♣3 + ♣ potential relations, conjecturally ✙independent. Each succeeds with chance ✙1❂6. Only ♣2 monic linear polys. Expect enough relations to determine their logs (or most logs: ok to miss a few), unless ♣ is very small. BGJT say sparse linear algebra; but fast matrix multiplication gives better const in exponent. (How to avoid annihilating F✄

♣2?

Maybe cleanest: ①♣ = ☞①2 + 1, where ☞ generates F✄

♣2.)

More relations for arbitrary ❉ For each small ❤ ✷ F♣2[①]: (❝❤ + ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛(❝❤ + ❞)) = (❝❤ + ❞)(❛❤ + ❜)♣ (❛❤ + ❜)(❝❤ + ❞)♣ = (❝❤ + ❞)(❛♣❤♣ + ❜♣) (❛❤ + ❜)(❝♣❤♣ + ❞♣) ✑ (❝❤ + ❞)(❛♣❤(①2 + ☞) + ❜♣) (❛❤ + ❜)(❝♣❤(①2 + ☞) + ❞♣). Left side is product of small polys; sometimes right side is too. ✙5% as ❉ ✦ ✶. BGJT say 1❂6.

♣ ♣ potential relations, conjecturally ✙independent. succeeds with chance ✙1❂6. ♣2 monic linear polys. ect enough relations determine their logs most logs: ok to miss a few), ♣ is very small. say sparse linear algebra; fast matrix multiplication etter const in exponent. to avoid annihilating F✄

♣2?

cleanest: ①♣ = ☞①2 + 1, ☞ generates F✄

♣2.)

More relations for arbitrary ❉ For each small ❤ ✷ F♣2[①]: (❝❤ + ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛(❝❤ + ❞)) = (❝❤ + ❞)(❛❤ + ❜)♣ (❛❤ + ❜)(❝❤ + ❞)♣ = (❝❤ + ❞)(❛♣❤♣ + ❜♣) (❛❤ + ❜)(❝♣❤♣ + ❞♣) ✑ (❝❤ + ❞)(❛♣❤(①2 + ☞) + ❜♣) (❛❤ + ❜)(❝♣❤(①2 + ☞) + ❞♣). Left side is product of small polys; sometimes right side is too. ✙5% as ❉ ✦ ✶. BGJT say 1❂6. Larger disc What if ❉ ❁ ❤ ✔ ❉ Use same (❝❤ + ❞) ❨

☛✷ ♣

❛❤ ❜ ☛ ❝❤ ❞ ✑ (❝❤ + ❞ ❛♣❤ ① ☞ ❜♣ (❛❤ + ❜ ❝♣❤ ① ☞ ❞♣ Occasionally product We now Left side factor base ❢❤ ✌ ✌ ✷

♣ ❣

Solve for

❣ ❤

✌

♣ ♣ relations, ✙independent. with chance ✙1❂6. ♣ linear polys. relations their logs

• k to miss a few),

♣ small. linear algebra; multiplication const in exponent. annihilating F✄

♣2?

①♣ = ☞①2 + 1, ☞ generates F✄

♣2.)

More relations for arbitrary ❉ For each small ❤ ✷ F♣2[①]: (❝❤ + ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛(❝❤ + ❞)) = (❝❤ + ❞)(❛❤ + ❜)♣ (❛❤ + ❜)(❝❤ + ❞)♣ = (❝❤ + ❞)(❛♣❤♣ + ❜♣) (❛❤ + ❜)(❝♣❤♣ + ❞♣) ✑ (❝❤ + ❞)(❛♣❤(①2 + ☞) + ❜♣) (❛❤ + ❜)(❝♣❤(①2 + ☞) + ❞♣). Left side is product of small polys; sometimes right side is too. ✙5% as ❉ ✦ ✶. BGJT say 1❂6. Larger discrete logs What if ❉ ❁ deg ❤ ✔ ❉ Use same equation: (❝❤ + ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛ ❝❤ ❞ ✑ (❝❤ + ❞)(❛♣❤(①2 ☞ ❜♣ (❛❤ + ❜)(❝♣❤(①2 ☞ ❞♣ Occasionally right product of small p We now know those Left side is product factor base: ❢❤ + ✌ ✌ ✷

♣ ❣

Solve for each log❣ ❤ ✌

♣ ♣ ✙ endent. chance ✙1❂6. ♣

• lys.

a few), ♣ algebra; multiplication

• nent.

F✄

♣2?

①♣ ☞① + 1, ☞

✄ ♣

More relations for arbitrary ❉ For each small ❤ ✷ F♣2[①]: (❝❤ + ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛(❝❤ + ❞)) = (❝❤ + ❞)(❛❤ + ❜)♣ (❛❤ + ❜)(❝❤ + ❞)♣ = (❝❤ + ❞)(❛♣❤♣ + ❜♣) (❛❤ + ❜)(❝♣❤♣ + ❞♣) ✑ (❝❤ + ❞)(❛♣❤(①2 + ☞) + ❜♣) (❛❤ + ❜)(❝♣❤(①2 + ☞) + ❞♣). Left side is product of small polys; sometimes right side is too. ✙5% as ❉ ✦ ✶. BGJT say 1❂6. Larger discrete logs What if ❉ ❁ deg ❤ ✔ 2❉? Use same equation: (❝❤ + ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛(❝❤ ❞ ✑ (❝❤ + ❞)(❛♣❤(①2 + ☞) + ❜♣ (❛❤ + ❜)(❝♣❤(①2 + ☞) + ❞♣ Occasionally right side is product of small polys. We now know those discrete Left side is product on new factor base: ❢❤ + ✌ : ✌ ✷ F♣ ❣ Solve for each log❣(❤ + ✌).

More relations for arbitrary ❉ For each small ❤ ✷ F♣2[①]: (❝❤ + ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛(❝❤ + ❞)) = (❝❤ + ❞)(❛❤ + ❜)♣ (❛❤ + ❜)(❝❤ + ❞)♣ = (❝❤ + ❞)(❛♣❤♣ + ❜♣) (❛❤ + ❜)(❝♣❤♣ + ❞♣) ✑ (❝❤ + ❞)(❛♣❤(①2 + ☞) + ❜♣) (❛❤ + ❜)(❝♣❤(①2 + ☞) + ❞♣). Left side is product of small polys; sometimes right side is too. ✙5% as ❉ ✦ ✶. BGJT say 1❂6. Larger discrete logs What if ❉ ❁ deg ❤ ✔ 2❉? Use same equation: (❝❤ + ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛(❝❤ + ❞)) ✑ (❝❤ + ❞)(❛♣❤(①2 + ☞) + ❜♣) (❛❤ + ❜)(❝♣❤(①2 + ☞) + ❞♣). Occasionally right side is product of small polys. We now know those discrete logs. Left side is product on new factor base: ❢❤ + ✌ : ✌ ✷ F♣2❣. Solve for each log❣(❤ + ✌).

relations for arbitrary ❉ each small ❤ ✷ F♣2[①]: ❝❤ ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛(❝❤ + ❞)) ❝❤ + ❞)(❛❤ + ❜)♣ ❛❤ + ❜)(❝❤ + ❞)♣ ❝❤ + ❞)(❛♣❤♣ + ❜♣) ❛❤ + ❜)(❝♣❤♣ + ❞♣) ✑ ❝❤ + ❞)(❛♣❤(①2 + ☞) + ❜♣) ❛❤ + ❜)(❝♣❤(①2 + ☞) + ❞♣). side is product of small polys; sometimes right side is too. ✙ as ❉ ✦ ✶. BGJT say 1❂6. Larger discrete logs What if ❉ ❁ deg ❤ ✔ 2❉? Use same equation: (❝❤ + ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛(❝❤ + ❞)) ✑ (❝❤ + ❞)(❛♣❤(①2 + ☞) + ❜♣) (❛❤ + ❜)(❝♣❤(①2 + ☞) + ❞♣). Occasionally right side is product of small polys. We now know those discrete logs. Left side is product on new factor base: ❢❤ + ✌ : ✌ ✷ F♣2❣. Solve for each log❣(❤ + ✌). For deg ❤ ✔ ✉❂ ❉ ❉-smoothness ✙✉✉ so ✙✉✉♣ Need ✙♣ Note free ❤ ✌ Works fo ✉ ✙ ♣❂ ♣ Reminiscent (1977 Schro ( ✝♣q ✞ + ❛ ✝♣q ✞ ❜ ✑ (❛ + ❜ ✝♣q ✞ ❛❜ ✝♣q ✞ q mod large q Factor base ✟✝♣q ✞ + ❛ ✠ ❬ ❢ ❣

for arbitrary ❉ ❤ ✷ F♣2[①]: ❝❤ ❞ ❨

☛✷ ♣

❛❤ + ❜ ☛(❝❤ + ❞)) ❝❤ ❞ ❛❤ ❜)♣ ❛❤ ❜ ❝❤ ❞)♣ ❝❤ ❞ ❛♣❤♣ + ❜♣) ❛❤ ❜ ❝♣❤♣ + ❞♣) ✑ ❝❤ ❞ ❛♣❤(①2 + ☞) + ❜♣) ❛❤ ❜ ❝♣❤ ①2 + ☞) + ❞♣). duct of small polys; side is too. ✙ ❉ ✦ ✶. BGJT say 1❂6. Larger discrete logs What if ❉ ❁ deg ❤ ✔ 2❉? Use same equation: (❝❤ + ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛(❝❤ + ❞)) ✑ (❝❤ + ❞)(❛♣❤(①2 + ☞) + ❜♣) (❛❤ + ❜)(❝♣❤(①2 + ☞) + ❞♣). Occasionally right side is product of small polys. We now know those discrete logs. Left side is product on new factor base: ❢❤ + ✌ : ✌ ✷ F♣2❣. Solve for each log❣(❤ + ✌). For deg ❤ ✔ (✉❂3)❉ ❉-smoothness chance ✙✉✉ so ✙✉✉♣3 relations. Need ✙♣2 relations. Note free relations: ❤ ✌ Works for ✉ ✙ log ♣❂ ♣ Reminiscent of linea (1977 Schroeppel): ( ✝♣q ✞ + ❛)( ✝♣q ✞ ❜ ✑ (❛ + ❜) ✝♣q ✞ + ❛❜ ✝♣q ✞ q mod large prime q. Factor base in linea ✟✝♣q ✞ + ❛ ✠ ❬ ❢small ❣

ry ❉ ❤ ✷

♣ ①]:

❝❤ ❞ ❨

☛✷ ♣

❛❤ ❜ ☛ ❝❤ + ❞)) ❝❤ ❞ ❛❤ ❜ ♣ ❛❤ ❜ ❝❤ ❞ ♣ ❝❤ ❞ ❛♣❤♣ ❜♣ ❛❤ ❜ ❝♣❤♣ ❞♣ ✑ ❝❤ ❞ ❛♣❤ ① ☞ ❜♣) ❛❤ ❜ ❝♣❤ ① ☞ ❞♣). mall polys;

• .

✙ ❉ ✦ ✶ say 1❂6. Larger discrete logs What if ❉ ❁ deg ❤ ✔ 2❉? Use same equation: (❝❤ + ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛(❝❤ + ❞)) ✑ (❝❤ + ❞)(❛♣❤(①2 + ☞) + ❜♣) (❛❤ + ❜)(❝♣❤(①2 + ☞) + ❞♣). Occasionally right side is product of small polys. We now know those discrete logs. Left side is product on new factor base: ❢❤ + ✌ : ✌ ✷ F♣2❣. Solve for each log❣(❤ + ✌). For deg ❤ ✔ (✉❂3)❉: ❉-smoothness chance ✙✉✉ so ✙✉✉♣3 relations. Need ✙♣2 relations. Note free relations: smooth ❤ ✌ Works for ✉ ✙ log ♣❂ log log ♣ Reminiscent of linear sieve (1977 Schroeppel): ( ✝♣q ✞ + ❛)( ✝♣q ✞ + ❜) ✑ (❛ + ❜) ✝♣q ✞ + ❛❜ + ✝♣q ✞ q mod large prime q. Factor base in linear sieve: ✟✝♣q ✞ + ❛ ✠ ❬ ❢small primes❣

Larger discrete logs What if ❉ ❁ deg ❤ ✔ 2❉? Use same equation: (❝❤ + ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛(❝❤ + ❞)) ✑ (❝❤ + ❞)(❛♣❤(①2 + ☞) + ❜♣) (❛❤ + ❜)(❝♣❤(①2 + ☞) + ❞♣). Occasionally right side is product of small polys. We now know those discrete logs. Left side is product on new factor base: ❢❤ + ✌ : ✌ ✷ F♣2❣. Solve for each log❣(❤ + ✌). For deg ❤ ✔ (✉❂3)❉: ❉-smoothness chance ✙✉✉ so ✙✉✉♣3 relations. Need ✙♣2 relations. Note free relations: smooth ❤ + ✌. Works for ✉ ✙ log ♣❂ log log ♣. Reminiscent of linear sieve (1977 Schroeppel): ( ✝♣q ✞ + ❛)( ✝♣q ✞ + ❜) ✑ (❛ + ❜) ✝♣q ✞ + ❛❜ + ✝♣q ✞2 q mod large prime q. Factor base in linear sieve: ✟✝♣q ✞ + ❛ ✠ ❬ ❢small primes❣.

discrete logs if ❉ ❁ deg ❤ ✔ 2❉? same equation: ❝❤ ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛(❝❤ + ❞)) ✑ ❝❤ + ❞)(❛♣❤(①2 + ☞) + ❜♣) ❛❤ + ❜)(❝♣❤(①2 + ☞) + ❞♣). Occasionally right side is duct of small polys. w know those discrete logs. side is product on new base: ❢❤ + ✌ : ✌ ✷ F♣2❣. for each log❣(❤ + ✌). For deg ❤ ✔ (✉❂3)❉: ❉-smoothness chance ✙✉✉ so ✙✉✉♣3 relations. Need ✙♣2 relations. Note free relations: smooth ❤ + ✌. Works for ✉ ✙ log ♣❂ log log ♣. Reminiscent of linear sieve (1977 Schroeppel): ( ✝♣q ✞ + ❛)( ✝♣q ✞ + ❜) ✑ (❛ + ❜) ✝♣q ✞ + ❛❜ + ✝♣q ✞2 q mod large prime q. Factor base in linear sieve: ✟✝♣q ✞ + ❛ ✠ ❬ ❢small primes❣. Arbitrary For (✉❂3)❉ ❁ ❤ ✔ ✉❂ ❉ Use same (❝❤ + ❞) ❨

☛✷ ♣

❛❤ ❜ ☛ ❝❤ ❞ ✑ (❝❤ + ❞ ❛♣❤ ① ☞ ❜♣ (❛❤ + ❜ ❝♣❤ ① ☞ ❞♣ Occasionally ✉❂ ❉ side; again ❢❤ ✌❣ Have see (✉❂3)❉-smo ♣❖(1) sub

• f which

♣

logs ❉ ❁ deg ❤ ✔ 2❉? equation: ❝❤ ❞ ❨

☛✷ ♣

❛❤ + ❜ ☛(❝❤ + ❞)) ✑ ❝❤ ❞ ❛♣❤(①2 + ☞) + ❜♣) ❛❤ ❜ ❝♣❤ ①2 + ☞) + ❞♣). right side is polys. those discrete logs. duct on new ❢❤ + ✌ : ✌ ✷ F♣2❣. log❣(❤ + ✌). For deg ❤ ✔ (✉❂3)❉: ❉-smoothness chance ✙✉✉ so ✙✉✉♣3 relations. Need ✙♣2 relations. Note free relations: smooth ❤ + ✌. Works for ✉ ✙ log ♣❂ log log ♣. Reminiscent of linear sieve (1977 Schroeppel): ( ✝♣q ✞ + ❛)( ✝♣q ✞ + ❜) ✑ (❛ + ❜) ✝♣q ✞ + ❛❜ + ✝♣q ✞2 q mod large prime q. Factor base in linear sieve: ✟✝♣q ✞ + ❛ ✠ ❬ ❢small primes❣. Arbitrary discrete logs For (✉❂3)❉ ❁ deg ❤ ✔ ✉❂ ❉ Use same equation (❝❤ + ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛ ❝❤ ❞ ✑ (❝❤ + ❞)(❛♣❤(①2 ☞ ❜♣ (❛❤ + ❜)(❝♣❤(①2 ☞ ❞♣ Occasionally (✉❂3)❉ side; again ❢❤ + ✌❣ Have seen subroutine (✉❂3)❉-smooth discrete ♣❖(1) subroutine cal

• f which Θ(♣2) are

❉ ❁ ❤ ✔ ❉ ❝❤ ❞ ❨

☛✷ ♣

❛❤ ❜ ☛ ❝❤ + ❞)) ✑ ❝❤ ❞ ❛♣❤ ① ☞ ❜♣) ❛❤ ❜ ❝♣❤ ① ☞ ❞♣). discrete logs. ❢❤ ✌ ✌ ✷ F♣2❣.

❣ ❤

✌). For deg ❤ ✔ (✉❂3)❉: ❉-smoothness chance ✙✉✉ so ✙✉✉♣3 relations. Need ✙♣2 relations. Note free relations: smooth ❤ + ✌. Works for ✉ ✙ log ♣❂ log log ♣. Reminiscent of linear sieve (1977 Schroeppel): ( ✝♣q ✞ + ❛)( ✝♣q ✞ + ❜) ✑ (❛ + ❜) ✝♣q ✞ + ❛❜ + ✝♣q ✞2 q mod large prime q. Factor base in linear sieve: ✟✝♣q ✞ + ❛ ✠ ❬ ❢small primes❣. Arbitrary discrete logs For (✉❂3)❉ ❁ deg ❤ ✔ (✉❂3) ❉ Use same equation (❝❤ + ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛(❝❤ ❞ ✑ (❝❤ + ❞)(❛♣❤(①2 + ☞) + ❜♣ (❛❤ + ❜)(❝♣❤(①2 + ☞) + ❞♣ Occasionally (✉❂3)❉-smooth side; again ❢❤ + ✌❣ for left side. Have seen subroutine to compute (✉❂3)❉-smooth discrete logs. ♣❖(1) subroutine calls,

• f which Θ(♣2) are important.

For deg ❤ ✔ (✉❂3)❉: ❉-smoothness chance ✙✉✉ so ✙✉✉♣3 relations. Need ✙♣2 relations. Note free relations: smooth ❤ + ✌. Works for ✉ ✙ log ♣❂ log log ♣. Reminiscent of linear sieve (1977 Schroeppel): ( ✝♣q ✞ + ❛)( ✝♣q ✞ + ❜) ✑ (❛ + ❜) ✝♣q ✞ + ❛❜ + ✝♣q ✞2 q mod large prime q. Factor base in linear sieve: ✟✝♣q ✞ + ❛ ✠ ❬ ❢small primes❣. Arbitrary discrete logs For (✉❂3)❉ ❁ deg ❤ ✔ (✉❂3)2❉: Use same equation (❝❤ + ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛(❝❤ + ❞)) ✑ (❝❤ + ❞)(❛♣❤(①2 + ☞) + ❜♣) (❛❤ + ❜)(❝♣❤(①2 + ☞) + ❞♣). Occasionally (✉❂3)❉-smooth right side; again ❢❤ + ✌❣ for left side. Have seen subroutine to compute (✉❂3)❉-smooth discrete logs. ♣❖(1) subroutine calls,

• f which Θ(♣2) are important.

deg ❤ ✔ (✉❂3)❉: ❉

• thness chance ✙✉✉

✙✉✉♣3 relations. ✙♣2 relations. free relations: smooth ❤ + ✌. for ✉ ✙ log ♣❂ log log ♣. Reminiscent of linear sieve Schroeppel): ✝♣q ✞ + ❛)( ✝♣q ✞ + ❜) ✑ ❛ ❜) ✝♣q ✞ + ❛❜ + ✝♣q ✞2 q rge prime q. base in linear sieve: ✟✝♣q ✞ + ❛ ✠ ❬ ❢small primes❣. Arbitrary discrete logs For (✉❂3)❉ ❁ deg ❤ ✔ (✉❂3)2❉: Use same equation (❝❤ + ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛(❝❤ + ❞)) ✑ (❝❤ + ❞)(❛♣❤(①2 + ☞) + ❜♣) (❛❤ + ❜)(❝♣❤(①2 + ☞) + ❞♣). Occasionally (✉❂3)❉-smooth right side; again ❢❤ + ✌❣ for left side. Have seen subroutine to compute (✉❂3)❉-smooth discrete logs. ♣❖(1) subroutine calls,

• f which Θ(♣2) are important.

For larger ❤ Reach degree ♥ log ♥ log(✉❂3) ✷ ✏ ♥ ♥ ✑ levels of Total cost ♣

♥❂ ♥

= exp Θ ✏ ♥ ♥ ✑ = exp Θ ✏ q q ✑ What ab ♣ ♥ ♣ ❁ ♥ Embed into Can also ①

❤ ✔ ✉❂3)❉: ❉ chance ✙✉✉ ✙✉✉♣ relations. ✙♣ relations. relations: smooth ❤ + ✌. ✉ ✙ log ♣❂ log log ♣. linear sieve el): ✝♣q ✞ ❛ ✝♣q ✞ + ❜) ✑ ❛ ❜ ✝♣q ✞ + ❛❜ + ✝♣q ✞2 q q. linear sieve: ✟✝♣q ✞ ❛ ✠ ❬ ❢small primes❣. Arbitrary discrete logs For (✉❂3)❉ ❁ deg ❤ ✔ (✉❂3)2❉: Use same equation (❝❤ + ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛(❝❤ + ❞)) ✑ (❝❤ + ❞)(❛♣❤(①2 + ☞) + ❜♣) (❛❤ + ❜)(❝♣❤(①2 + ☞) + ❞♣). Occasionally (✉❂3)❉-smooth right side; again ❢❤ + ✌❣ for left side. Have seen subroutine to compute (✉❂3)❉-smooth discrete logs. ♣❖(1) subroutine calls,

• f which Θ(♣2) are important.

For larger ❤: recurse. Reach degree ♥ log ♥ log(✉❂3) ✷ Θ ✏ log ♥ log ♥ ✑ levels of recursion. Total cost ♣Θ(log ♥❂

♥

= exp Θ ✏ (log ♥)2 log log ♥ ✑ = exp Θ ✏ (log log q log log log q ✑ What about ♣2♥ with ♣ ❁ ♥ Embed into an extension Can also use ①char

❤ ✔ ✉❂ ❉ ❉ ✙✉✉ ✙✉✉♣ ✙♣

• th ❤ + ✌.

✉ ✙ ♣❂ log ♣. ✝♣q ✞ ❛ ✝♣q ✞ ❜ ✑ ❛ ❜ ✝♣q ✞ ❛❜ ✝♣q ✞2 q q sieve: ✟✝♣q ✞ ❛ ✠ ❬ ❢ rimes❣. Arbitrary discrete logs For (✉❂3)❉ ❁ deg ❤ ✔ (✉❂3)2❉: Use same equation (❝❤ + ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛(❝❤ + ❞)) ✑ (❝❤ + ❞)(❛♣❤(①2 + ☞) + ❜♣) (❛❤ + ❜)(❝♣❤(①2 + ☞) + ❞♣). Occasionally (✉❂3)❉-smooth right side; again ❢❤ + ✌❣ for left side. Have seen subroutine to compute (✉❂3)❉-smooth discrete logs. ♣❖(1) subroutine calls,

• f which Θ(♣2) are important.

For larger ❤: recurse. Reach degree ♥ 1 using log ♥ log(✉❂3) ✷ Θ ✏ log ♥ log log ♥ ✑ levels of recursion. Total cost ♣Θ(log ♥❂ log log ♥) = exp Θ ✏ (log ♥)2 log log ♥ ✑ = exp Θ ✏ (log log q)2 log log log q ✑ . What about ♣2♥ with ♣ ❁ ♥ Embed into an extension field. Can also use ①char etc.

Arbitrary discrete logs For (✉❂3)❉ ❁ deg ❤ ✔ (✉❂3)2❉: Use same equation (❝❤ + ❞) ❨

☛✷F♣

(❛❤ + ❜ ☛(❝❤ + ❞)) ✑ (❝❤ + ❞)(❛♣❤(①2 + ☞) + ❜♣) (❛❤ + ❜)(❝♣❤(①2 + ☞) + ❞♣). Occasionally (✉❂3)❉-smooth right side; again ❢❤ + ✌❣ for left side. Have seen subroutine to compute (✉❂3)❉-smooth discrete logs. ♣❖(1) subroutine calls,

• f which Θ(♣2) are important.

For larger ❤: recurse. Reach degree ♥ 1 using log ♥ log(✉❂3) ✷ Θ ✏ log ♥ log log ♥ ✑ levels of recursion. Total cost ♣Θ(log ♥❂ log log ♥) = exp Θ ✏ (log ♥)2 log log ♥ ✑ = exp Θ ✏ (log log q)2 log log log q ✑ . What about ♣2♥ with ♣ ❁ ♥? Embed into an extension field. Can also use ①char etc.