COMPUTING DISCRETE LOGARITHMS IN CRYPTOGRAPHICALLY-INTERESTING CHARACTERISTIC-THREE FINITE FIELDS

Abstract. Since 2013 there have been several developments in algorithms for computing discrete logarithms in small-characteristic finite fields, culminating in a quasi-polynomial algorithm. In this paper, we report on our successful computation of discrete logarithms in the cryptographically-interesting characteristic-three finite field $\mathbb{F}_{3^{6\cdot 509}}$ using these new algorithms; prior to 2013, it was believed that this field enjoyed a security level of 128 bits. We also show that a recent idea of Guillevic can be used to compute discrete logarithms in the cryptographically-interesting finite field $\mathbb{F}_{3^{6\cdot 709}}$ using essentially the same resources as we expended on the $\mathbb{F}_{3^{6\cdot 509}}$ computation. Finally, we argue that discrete logarithms in the finite field $\mathbb{F}_{3^{6\cdot 1429}}$ can feasibly be computed today; this is significant because this cryptographically-interesting field was previously believed to enjoy a security level of 192 bits.


Introduction
Let $\mathbb{F}_q$ denote a finite field of order $q$. The discrete logarithm problem (DLP) in $\mathbb{F}_q$ is the following: given an element $g \in \mathbb{F}_q^*$ of order $r$, and $h \in \langle g \rangle$, find the integer $x \in [0, r-1]$ such that $h = g^x$. The integer $x$ is called the discrete logarithm of $h$ to the base $g$ and is denoted by $\log_g h$. Before 2013, the fastest general-purpose

1. the $k = 6$ pairings derived from supersingular elliptic curves $Y^2 = X^3 - X + 1$ and $Y^2 = X^3 - X - 1$ over $\mathbb{F}_q$ with $q = 3^n$;
2. the $k = 4$ pairings derived from supersingular elliptic curves $Y^2 + Y = X^3 + X$ and $Y^2 + Y = X^3 + X + 1$ over $\mathbb{F}_q$ with $q = 2^n$;
3. the $k = 12$ pairings derived from supersingular genus-2 curves $Y^2 + Y = X^5 + X^3$ and $Y^2 + Y = X^5 + X^3 + 1$ over $\mathbb{F}_q$ with $q = 2^n$.
In all cases, $n$ is chosen to be a prime such that $\#E(\mathbb{F}_q)$ or $\#\mathrm{Jac}_C(\mathbb{F}_q)$ is divisible by a large prime $r$. A necessary condition for the security of these pairings is the intractability of the DLP in $G_T$, and thus also in $\mathbb{F}_{q^k}$ [34,16]. Consequently, the DLP in such finite fields $\mathbb{F}_{3^{6n}}$, $\mathbb{F}_{2^{4n}}$ and $\mathbb{F}_{2^{12n}}$ became especially important from a cryptographic point of view; we will henceforth say that these fields are 'cryptographically interesting'.

In 2013, there were several spectacular developments in algorithms for computing discrete logarithms in small-characteristic finite fields, culminating in a quasi-polynomial time algorithm [26,19,6]. These developments were accompanied by some striking computational results such as the computation of discrete logarithms in the 6120-bit field $\mathbb{F}_{2^{8\cdot 3\cdot 255}}$ in only 750 CPU hours [20]; see [29] for a complete list. In 2014, Granger, Kleinjung and Zumbrägel [22] reported the first computation of discrete logarithms in one of the cryptographically-interesting finite fields $\mathbb{F}_{3^{6n}}$, $\mathbb{F}_{2^{4n}}$, $\mathbb{F}_{2^{12n}}$ that was believed to offer 128 bits of security against Coppersmith's attack, namely the 4404-bit field $\mathbb{F}_{2^{12\cdot 367}}$.

Let $q = 3^6$. In this paper, we shall focus on the DLP in cryptographically-interesting fields $\mathbb{F}_{q^n} = \mathbb{F}_{3^{6n}}$. In [3] and [4], Adj et al. showed that the new algorithms can in principle be used to compute logarithms in $\mathbb{F}_{3^{6\cdot 509}}$ and $\mathbb{F}_{3^{6\cdot 1429}}$ in $2^{81.7} M_{q^2}$ and $2^{95.8} M_{q^2}$ time, respectively, where $M_{q^2}$ denotes the time to perform one multiplication in $\mathbb{F}_{q^2}$. These results were cryptographically significant because the fields $\mathbb{F}_{3^{6\cdot 509}}$ and $\mathbb{F}_{3^{6\cdot 1429}}$ were believed to offer 128 and 192 bits of security against Coppersmith's attack (see [31]). However, the computations were still infeasible using existing computer technology. Then, in [5], Adj et al. used ideas from [28] and [22] to improve their estimates for discrete logarithm computations in $\mathbb{F}_{3^{6\cdot 509}}$ and $\mathbb{F}_{3^{6\cdot 1429}}$ to $2^{58.9} M_q$ and $2^{78.8} M_{q^2}$, respectively, where $M_q$ denotes the time to perform one multiplication in $\mathbb{F}_q$.
In §3, we describe our computation of discrete logarithms in the 4841-bit field $\mathbb{F}_{3^{6\cdot 509}}$. This is the second computation of discrete logarithms in a cryptographically-interesting finite field that was purported to provide 128 bits of security against Coppersmith's attack. Then, in §4, we show that a recent idea of Guillevic [25] can be used to compute discrete logarithms in $\mathbb{F}_{3^{6\cdot 709}}$ using essentially the same resources as we expended on the $\mathbb{F}_{3^{6\cdot 509}}$ computation. Furthermore, in §5 we lower the estimates for discrete logarithm computations in $\mathbb{F}_{3^{6\cdot 1429}}$ to $2^{63.4} M_q$. We argue that this computation is feasible today, even though it is just beyond the reach of the computer resources available to the authors of this paper. This is the first demonstration that pairing-based cryptosystems originally believed to offer 192 bits of security can be broken in practice today.
We begin in §2 by providing an overview of the key ingredients in the DLP algorithm.

Overview of the DLP algorithm
For the sake of concreteness, we focus on DLP instances in cryptographically-interesting finite fields $\mathbb{F}_{3^{6n}}$. Let $q = 3^6$ and let $n$ be prime. Let $r$ be a large prime divisor of $3^n \pm \sqrt{3^{n+1}} + 1$, whence $r \mid (q^n - 1)$. Let $g$ be a generator of $\mathbb{F}_{q^n}^*$, and let $h$ be an element of the order-$r$ subgroup of $\mathbb{F}_{q^n}^*$. We wish to determine $x = \log_g h \bmod r$.
The elements of $\mathbb{F}_{q^n}$ are represented as polynomials of degree at most $n-1$ over $\mathbb{F}_q$. The algorithm begins by building a factor base of logarithms of all degree-one, degree-two and degree-three polynomials over $\mathbb{F}_q$, and a proportion of degree-four polynomials. Then, in the descent stage, various techniques are used to recursively express $\log_g h$ as a linear combination of logarithms of smaller-degree polynomials until all these polynomials belong to the factor base.
Notation. $N_q(m,n)$ denotes the number of monic $m$-smooth degree-$n$ polynomials in $\mathbb{F}_q[X]$, and $S_q(m,d)$ denotes the cost of testing $m$-smoothness of a degree-$d$ polynomial in $\mathbb{F}_q[X]$. Formulas for $N_q(m,n)$ and $S_q(m,d)$ are given in [3] and [23], respectively.
The field $\mathbb{F}_{q^n}$ is represented as $\mathbb{F}_q[X]/(I_X)$, where $I_X$ is a degree-$n$ irreducible factor of $h_1(X)\cdot X^q - h_0(X)$ for suitable $h_0, h_1 \in \mathbb{F}_q[X]$ with $\max(\deg h_0, \deg h_1) = 2$ (see also §4). This Frobenius representation, introduced by Joux [26], has the useful property that $X^q \equiv h_0(X)/h_1(X) \pmod{I_X}$.

2.2. Small degrees. We use the Joux-Pierrot [28] method for computing logarithms of small-degree polynomials. The main idea is to partition the set of irreducible cubics and quartics into smaller families, and to exploit the special form of $h_0$ and $h_1$ to find relations of logarithms of elements within a family. The Joux-Pierrot method requires that $h_0$ and $h_1$ have the form $h_0(X) = \alpha_0 X + \alpha_1$ and $h_1(X) = X^2 + \alpha_2 X$.

2.2.1. Linear and quadratic polynomials. The dominant cost of finding logarithms of elements in $B_2$, the set of all linear and irreducible quadratic polynomials over $\mathbb{F}_q$, is the solution of a linear system of size $\approx q^2/2 \times q^2/2$ and row density $\approx 3q/2$. The linear system can be solved using Wiedemann's algorithm [36] at a cost of approximately $\frac{9}{8} q^5 A_r$, where $A_r$ denotes the cost of an addition modulo the integer $r$.

2.2.2. Cubic polynomials. The set $B_3$ of irreducible cubics over $\mathbb{F}_q$ is partitioned into $q-1$ families $B_{3,\gamma} = \{X^3 + aX^2 + bX + \gamma\}$, each of size exactly $(q^2+q)/3$. The dominant cost of finding logarithms of polynomials in a family $B_{3,\gamma}$ is the solution of a linear system of size $\approx q^2/3 \times q^2/3$ and row density $\approx q/3$; the total cost of solving the $q-1$ linear systems is $\approx \frac{1}{9} q^6 A_r$. Note that the $q-1$ linear systems can be generated and solved independently of each other.
To compute logarithms of all quartics $Q$ in a subfamily $B_{4,\gamma,\delta}$, one first attempts a 4-to-3 Gröbner bases descent on $Q$ (see §2.5). This is expected to be successful about 50% of the time. If unsuccessful, then the 'Frobenius strategy' described in [5] is employed. Namely, one considers the polynomial $\tilde{Q}$ that the Frobenius strategy associates with $Q$; $\tilde{Q}$ is either irreducible or a product of two irreducible quartics, the latter occurring with probability approximately $1/2$ (see Lemma 2 in [28]). In the latter case, a 4-to-3 Gröbner bases/Frobenius descent is recursively attempted on each of the two quartic factors of $\tilde{Q}$. If both are successful, then we have succeeded in descending $Q$.

About 58.6% of all quartics $Q$ can be descended in this way [28]. Thus, one expects there to be $(1-0.586)\cdot q^2/4 \le 0.11 q^2$ quartics in $B_{4,\gamma,\delta}$ whose logarithms are yet to be determined. The Joux-Pierrot technique is then used to generate relations of logarithms of these quartics, yielding a linear system of size $\approx 0.11q^2 \times 0.11q^2$ and row density $\approx 0.11q$. The $0.00399\, q^5 A_r$ cost of solving this linear system dominates the cost of computing logarithms of all polynomials in a subfamily. Thus, the cost of computing logarithms of all polynomials in a family is $0.00399\, q^6 A_r$, and the cost of computing logarithms of all quartics is $0.00399\, q^7 A_r$.

Note that the $q(q-1)$ linear systems can be generated and solved independently of each other. While sacrificing some parallelizability, Joux and Pierrot [28] described how the linear systems associated with families can be recursively halved in dimension using the family-based Gröbner bases descent method described in §2.2.4. With this modification, the dominant cost of computing logarithms of irreducible quartics is the cost of the linear algebra for the first few of the $q-1$ families.

2.2.4. Family-based Gröbner bases descent for quartics. To avoid the high storage and lookup costs for the factor base of logarithms of all $(q^4 - q^2)/4$ irreducible quartics, one can instead compute and store the logarithms of quartics in a relatively small number of families, say $B_{4,\gamma_i}$ for $i = 1, 2, \ldots, s$. Suppose that $Q \in \mathbb{F}_q[X]$ is an irreducible quartic that is not in one of these $s$ families. Then $\log_g Q$ can be computed on-the-fly as follows.

We first attempt a 4-to-3 Gröbner bases descent and the Frobenius strategy on $Q$. If this fails, we consider the first family $B_{4,\gamma_1}$. Our goal is to find polynomials $k_1(X) = X^4 + a_2X^2 + a_1X + \gamma_1$ and $k_2(X)$ such that $Q \mid G$ for the polynomial $G$ associated with $(k_1, k_2)$. In this case, we have a relation (1) for $\log_g Q$, as can be seen by making the substitution $Y \to k_1/k_2$ into the systematic equation and clearing denominators. It is clear that all the irreducible quartics appearing in the right side of (1) are $B_{4,\gamma_1}$-elements. Note that $G$ is a degree-11 polynomial divisible by $X(h_1X - h_0)$ and $Q$. The cofactor of $X\cdot(h_1X - h_0)\cdot Q$ in $G$ is a degree-3 polynomial. Thus, equation (1) yields an expression for $\log_g Q$ in terms of logarithms of polynomials of degree $\le 3$ and polynomials in $B_{4,\gamma_1}$. Since these logarithms are all known, we can determine $\log_g Q$.

To find polynomials $(k_1, k_2)$ such that $Q \mid G$, one proceeds as in the classical Gröbner bases descent (see §2.5), with the same computational cost, whereby a system of multivariate bilinear equations is solved using a Gröbner basis finding algorithm.

As discussed in §2.2.3, this descent method, together with the Frobenius strategy, is successful for only about 58.6% of all irreducible quartics $Q$ not in $B_{4,\gamma_1}$. If the descent fails, then the procedure is iterated with the other families $B_{4,\gamma_i}$ for $i = 2, \ldots, s$. The probability that the descent fails after all $s$ families have been tried (in addition to the initial attempt) is $(1-0.586)^{s+1}$.

2.3. Continued-fractions descent. Suppose that $\deg h = n-1$. The descent begins by multiplying $h$ by a random power of $g$. The extended Euclidean algorithm is used to express the resulting field element $h'$ in the form $h' = w_1/w_2$ where $\deg w_1, \deg w_2 \approx n/2$ [9]. This process is repeated until both $w_1$ and $w_2$ are $m$-smooth for some chosen $m < (n-1)/2$, thus giving $\log_g h$ as a linear combination of logarithms of polynomials of degree at most $m$. The expected cost of this continued-fractions descent is approximately

(2) $\left(\dfrac{q^{(n-1)/2}}{N_q(m,(n-1)/2)}\right)^2 \cdot S_q(m,(n-1)/2),$

the first factor being the expected number of randomizations until both $w_1$ and $w_2$ are $m$-smooth.
The logarithms of the polynomials of degree ≤ m are then expressed as linear combinations of logarithms of smaller-degree polynomials using one of the descent methods described in §2.4, §2.5 and §2.6.
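The Frobenius representation and the continued-fractions descent described above, as an added toy example that is not code from the paper: a Python model with the field scaled down to $\mathbb{F}_{3^5} = \mathbb{F}_3[X]/(X^5 + 2X + 1)$, small enough that every logarithm can be brute-forced to check the relation $\log_g h \equiv \log_g w_1 - \log_g w_2 - e$. The base field $\mathbb{F}_3$ (rather than $\mathbb{F}_{3^6}$), the choice $h_0 = X + 2$, $h_1 = X^2$ (so that $h_1 X^3 - h_0 = X^5 + 2X + 1$ is irreducible and $X^3 \equiv h_0/h_1$), the generator $G = X$, the secret exponent and all function names are this example's own assumptions. The $m$-smoothness test is the standard gcd-with-$X^{q^i} - X$ test, not the implementation of [23].

```python
import itertools, random

P, N = 3, 5             # characteristic three; toy extension degree (the paper: n = 509 over F_{3^6})
M = P**N - 1            # |F_{3^5}^*| = 242 = 2 * 11^2
# Toy Frobenius representation F_{3^5} = F_3[X]/(F): with h0 = X + 2 and h1 = X^2 (the Joux-Pierrot
# shape h0 = a0*X + a1, h1 = X^2 + a2*X), F = h1*X^3 - h0 = X^5 + 2X + 1 is irreducible over F_3, so
# X^3 == h0/h1 (mod F); n = 5 = q + 2 is the largest degree this allows (cf. n <= 731 for q = 3^6 in
# Section 4).  Polynomials are coefficient lists, lowest degree first; G = X generates F_{3^5}^*.
H0, H1, F, G = [2, 1], [0, 0, 1], [1, 2, 0, 0, 0, 1], [0, 1]

def trim(a):
    a = [c % P for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b):
    return trim([x + y for x, y in itertools.zip_longest(a, b, fillvalue=0)])

def sub(a, b):
    return add(a, [-c for c in b])

def mul(a, b):
    out = [0] * (len(a) + len(b)) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)

def divmod_(a, b):                                     # long division over F_3; b is nonzero, trimmed
    a, inv = trim(a), pow(b[-1], P - 2, P)
    q = [0] * max(len(a) - len(b) + 1, 1)
    while a and len(a) >= len(b):
        c, s = (a[-1] * inv) % P, len(a) - len(b)
        q[s] = c
        a = sub(a, [0] * s + [c * y for y in b])
    return trim(q), a

def monic(a):
    return trim([c * pow(a[-1], P - 2, P) for c in a])

def gcd(a, b):
    while b:
        a, b = b, divmod_(a, b)[1]
    return monic(a) if a else []

def mulmod(a, b, f):
    return divmod_(mul(a, b), f)[1]

def powmod(a, e, f):
    result, base = [1], divmod_(a, f)[1]
    while e:
        if e & 1:
            result = mulmod(result, base, f)
        base, e = mulmod(base, base, f), e >> 1
    return result

def is_smooth(f, m):
    """m-smoothness test (the S_q(m, d) step): an irreducible of degree d divides X^{3^i} - X iff d | i,
    so stripping gcd(f, X^{3^i} - X) for i = 1..m leaves a constant iff all factors have degree <= m."""
    f = monic(f)
    for i in range(1, m + 1):
        frob = sub(powmod([0, 1], P**i, f), [0, 1])       # X^{3^i} - X reduced mod f
        g = gcd(f, frob)
        while len(g) > 1:                                 # repeat, to strip repeated factors too
            f = divmod_(f, g)[0]
            g = gcd(f, frob)                              # still valid: the new f divides the old f
    return len(f) == 1

def frobenius_relation_holds(f=F, h0=H0, h1=H1):        # X^q * h1 == h0 (mod f), i.e. X^q == h0/h1
    return mulmod(powmod([0, 1], P, f), h1, f) == divmod_(h0, f)[1]

def cf_descent(h, g, f, m, rng):
    """Continued-fractions descent (Section 2.3): randomise h' = h * g^e, run the extended Euclidean
    algorithm on (f, h') until the remainder has degree <= (n-1)/2, giving h' == w1/w2 (mod f) with
    deg w1, deg w2 <= (n-1)/2, and keep the first e for which both w1 and w2 are m-smooth."""
    half = (N - 1) // 2
    for tries in itertools.count(1):
        e = rng.randrange(M)
        hp = mulmod(h, powmod(g, e, f), f)
        r0, r1, t0, t1 = f, hp, [], [1]                    # invariant: r_i == t_i * hp (mod f)
        while len(r1) - 1 > half:
            q, r = divmod_(r0, r1)
            r0, r1, t0, t1 = r1, r, t1, sub(t0, mul(q, t1))
        if is_smooth(r1, m) and is_smooth(t1, m):
            return e, r1, t1, tries                        # log_g h == log_g w1 - log_g w2 - e (mod M)

def log_table(g, f):                                   # brute-force logs: this toy's "factor base"
    table, cur = {}, [1]
    for x in range(M):
        table[tuple(cur)] = x
        cur = mulmod(cur, g, f)
    return table

def descend_and_verify(secret=100, m=1, seed=7):
    """Challenge h = G^secret; descend it, then recover `secret` from the logs of w1 and w2.
    Returns (recovered logarithm, number of randomisations tried)."""
    h = powmod(G, secret, F)
    e, w1, w2, tries = cf_descent(h, G, F, m, random.Random(seed))
    assert mulmod(mul(h, powmod(G, e, F)), w2, F) == w1     # h * G^e == w1 / w2 (mod F)
    logs = log_table(G, F)
    return (logs[tuple(w1)] - logs[tuple(w2)] - e) % M, tries
```

`descend_and_verify()` returns the recovered logarithm together with the number of randomizations $h' = h\cdot G^e$ that were tried; with $m = 1$ and $\deg w_1, \deg w_2 \le 2$ over $\mathbb{F}_3$, at most about $(9/6)^2 \approx 2.3$ tries are expected, the toy analogue of the factor $(q^{(n-1)/2}/N_q(m,(n-1)/2))^2$ in (2).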
2.4. Classical descent. The classical descent method has its origins in the work of Joux and Lercier [27]. We follow the description in §5.5 of [4] and refer to that paper for further details.
Suppose that we wish to determine $\log_g Q$, where $\deg Q = D$. One selects parameters $m < D$, $s \in [0,6]$, and $\delta \ge 1$. The classical descent method yields candidate polynomials $(R_1, R_2)$ with $Q \mid R_1$, such that $\log_g Q$ can be written in terms of $\log_g(R_1/Q)$ and $\log_g R_2$. Pairs $(R_1, R_2)$ are generated until one is found where both $R_1/Q$ and $R_2$ are $m$-smooth. In order to ensure that there are sufficiently many candidates $(R_1, R_2)$, the parameters $m$, $s$ and $\delta$ must satisfy a condition given in §5.5 of [4].
If this condition is satisfied, then the expected cost of the $D$-to-$m$ classical descent is determined by $m$, $s$, $\delta$ and the number of $m$-smooth polynomials of the degrees of $R_1/Q$ and $R_2$ (see [4]).

2.5. Gröbner bases descent. Let $Q \in \mathbb{F}_q[X]$ be an irreducible polynomial of degree $D$, and let $m \ge 1$. In Joux's $D$-to-$m$ descent [26] (see also §2.5 of [5]), one obtains a system of $3m+1$ bilinear equations in $5m - D + 3$ variables over $\mathbb{F}_q$.
The system of equations can be solved by finding a Gröbner basis for the ideal it generates. Provided that the condition relating $D$ and $m$ from [22] (condition (5), referred to in §3.2.6) is satisfied, one expects to obtain an expression for $\log_g Q$ in terms of the logarithms of slightly more than $q$ (not necessarily irreducible) polynomials of degree $m$.
2.6. Zigzag descent. Let $Q \in \mathbb{F}_q[X]$ be an irreducible polynomial of degree $2m$, $m \ge 3$. In [24], one begins by lifting $Q$ to $\mathbb{F}_{q^m}[X]$, where it factors into $m$ irreducible quadratics. The factors $Q_i$, where $0 \le i < m$, are conjugates and can be ordered so that $Q_i = Q_0^{(q^i)}$, where $Q_0^{(q^i)}$ denotes the polynomial obtained by raising each coefficient of $Q_0$ to the power $q^i$.
Next, the 2-to-1 on-the-fly descent method [19,20] is employed to obtain a relation involving $Q_0$ and slightly more than $q$ linear polynomials over $\mathbb{F}_{q^m}$. The descent is always expected to be successful if $m \ge 4$. In contrast, when $m = 3$ only 50% of the irreducible quadratics over $\mathbb{F}_{q^m}$ are expected to descend.
Suppose now that we have such a relation, expressing $\log_g Q_0$ in terms of the logarithms of linear polynomials $F_s$ and $G_t$ over $\mathbb{F}_{q^m}$. Then, for each $0 \le i < m$, raising every coefficient to the power $q^i$ gives the corresponding relation for $Q_i$ in terms of the $F_s^{(q^i)}$ and $G_t^{(q^i)}$. Adding these $m$ relations gives an expression for $\log_g Q = \sum_{0 \le i < m} \log_g Q_i$ in terms of the logarithms of the products $\prod_{0 \le i < m} F_s^{(q^i)}$ and $\prod_{0 \le i < m} G_t^{(q^i)}$. Since, for every pair of indexes $(s,t)$, these products are nothing more than the respective polynomial norms of the linear polynomials $F_s$ and $G_t$ over $\mathbb{F}_q$ and, therefore, are degree-$m$ polynomials in $\mathbb{F}_q[X]$, we get an expression for $\log_g Q$ in terms of the logarithms of polynomials of degree (at most) $m$ over $\mathbb{F}_q$.

Discrete logarithms in $\mathbb{F}_{3^{6\cdot 509}}$
The DLP instance we solved is described in §3.1. Some details of our implementation are presented in §3.2.
3.1. Problem instance. Let $N$ denote the order of $\mathbb{F}_{3^{6\cdot 509}}^*$. Using the tables from the Cunningham Project [14], we partially factored $N$ into known primes $p_1, \ldots, p_{21}$ and a remaining cofactor $C$. We verified that $\gcd(C, N/C) = 1$ and that $C$ is not divisible by any of the first $10^7$ primes. Consequently, if an element $g$ is selected uniformly at random from $\mathbb{F}_{3^{6\cdot 509}}^*$, and $g$ satisfies $g^{N/p_i} \ne 1$ for $1 \le i \le 21$, then $g$ is a generator of $\mathbb{F}_{3^{6\cdot 509}}^*$ with very high probability.

We chose the (presumed) generator $g = X + u^2$ of $\mathbb{F}_{3^{6\cdot 509}}^*$. To generate an order-$r$ discrete logarithm challenge $h$, we computed an element $h'$ and then set $h = (h')^{N/r}$. The discrete logarithm $x = \log_g h \bmod r$ was recovered as described below.

3.2. Implementation. Our implementation uses Magma [15,32]; polynomial smoothness testing was implemented in C [2,12]. Table 1 gives the number of CPU years that were expended on each stage of the computation. The CPU frequency column lists the average clock speed of the cores used.

3.2.2. Cubics. For every $\gamma \in \mathbb{F}_q^*$, $B_{3,\gamma}$ has size exactly 177,390. The total relation generation running time is 1,232 CPU hours using Magma on Intel i7-3930K 3.20GHz CPU cores. The resulting 728 sparse systems of linear equations were solved using our C implementation of Wiedemann's algorithm. Each linear system was solved in parallel on 7 ABACUS cores. The 728 linear systems were solved simultaneously using 5096 ABACUS cores. The total execution time was 379,142 CPU hours. This time, and also the time for the linear algebra for the quartics (see §3.2.3), was more than expected in part because ABACUS was still running in an experimental phase and the machine was under-clocked to prevent over-heating. The increased CPU time did not have a significant impact on the total calendar time for the discrete log computation because of the large number of cores that were at our disposal.
The logarithms were stored in files whose total size is 26.4 gigabytes.

3.2.3. Quartics. We computed logarithms of $s = 29$ families $B_{4,u^i}$, $0 \le i \le 28$. We elected not to use the technique of iteratively decreasing the size of the corresponding linear systems. Consequently, each subfamily of quartics yielded a linear system of dimension approximately 55,050. The total relation generation running time was 35,118 CPU hours using Magma on Intel Xeon E5-2650 v2 2.60GHz CPU cores. The resulting $29 \times 729 = 21{,}141$ sparse systems of linear equations were solved using our C implementation of Wiedemann's algorithm in 829,573 CPU hours on ABACUS. Each linear system was solved in parallel on 2 cores. We used approximately 5000 cores to solve all 21,141 linear systems. The logarithms of a family were stored in files whose total size is 20.4 gigabytes. The total size of the files of factor base logarithms is 618 gigabytes. Note that the total size of the files for logarithms of all polynomials of degree $\le 4$ would be about 14.9 terabytes.

Theorem 4 of [30] shows that the expected number of degree-$d$ irreducible factors of a randomly selected degree-$n$ polynomial over $\mathbb{F}_q$ is approximately $1/d$. Using this result, we computed the expected number of degree-4 elements obtained after a descent of a polynomial of degree in the interval [5,15]. We then used Table 4 to estimate the expected number of irreducible quartics that result from all the descent steps. These estimates are shown in Table 2; the total number of irreducible quartics is $2^{31.15}$.
To compute the logarithm of a polynomial in $B_{4,u^i}$, $i > 28$, we used the family-based descent method described in §2.2.4. The descent considered the families in the order $B_3, B_{4,u^0}, B_{4,u^1}, \ldots, B_{4,u^{28}}$. Table 3 shows, for each $i \in [0,28]$, the inverse of the probability that a randomly-selected irreducible quartic descends based on that family. In particular, note that the probability that a quartic fails to descend is less than $2^{-38.2}$. Since the expected number of irreducible quartics encountered is $2^{31.15}$ (Table 2), the expected number of quartics that fail to descend is below $2^{31.15 - 38.2} < 2^{-7}$, i.e., very small. In the event that a quartic fails to descend, the computation that yielded that quartic is repeated (with different parameters).

Table 2. Expected number of irreducible quartics resulting from all the Gröbner bases and zigzag descent steps for each degree in [5,15].

Table 3. For every family from $B_3, B_{4,u^i}$, $i \in [0,28]$, the inverse of the probability for a random irreducible quartic to descend based on that family.
The computers available to us had at most 256 gigabytes of RAM. Thus, only the logarithms of the cubics and the logarithms of the first 10 quartic families $B_{4,u^0}, B_{4,u^1}, \ldots, B_{4,u^9}$ were placed in RAM, and the logarithms of the remaining quartic families were stored on hard disk (HD), which is much slower to access than main memory. Since many copies of the Magma code are executed in parallel, each of which accesses the same logarithm files, the memory accesses have to be carefully scheduled to avoid traffic congestion. In addition, we had to deal with some restrictions on Magma's file reading capabilities (for example, whether the files are stored in hexadecimal encoding or binary encoding) and with limits on the total number of open files permitted on Linux. In the end, the average time to descend a randomly selected quartic was found to be 0.0614 seconds of CPU time (0.0640 seconds of real time) on a 20-core Intel Xeon E5-2658 v2 2.40GHz machine with 256 gigabytes of RAM. For further details, see [2].

3.2.4. Continued-fractions descent. The two degree-254 polynomials yielded 22 irreducible factors: 2 of degree 40, 1 of degree 39, 1 of degree 38, 1 of degree 37, 7 of degree in the interval [22,35], and the remaining 10 of degree $\le 21$. The computation took 446,768 CPU hours on CPU cores with average frequency 2.87 GHz (270 cores of different frequencies were used in this stage).

3.2.5. Classical descent. In the first classical descent phase, 255 polynomials of degree $\le 21$ were obtained from the 12 polynomials of degree $\ge 22$. These computations took 86,323 CPU hours on CPU cores with average frequency 2.66 GHz (390 cores of different frequencies were used in the two phases of the classical descent).
The second classical descent phase was used on the 84 polynomials of degree ≥ 16 arising from the first phase, to obtain polynomials of degree ≤ 15. These computations took 88, 452 CPU hours.
The number of polynomials of each degree in [5,15] that were obtained from the continued-fractions and classical descents is shown in Table 4.

Table 4. Number of polynomials of each degree in the interval [5,15] obtained after the continued-fractions and classical descents. The total number of polynomials is 1409.
3.2.6. Small-degree descent. In the last descent stage, the 1409 polynomials of degrees in [5,15] that resulted from the continued-fractions and classical descents have their logarithms expressed in terms of logarithms of elements in the factor base, namely, in $B_2$, $B_3$ and $B_{4,u^i}$, $i \in [0,28]$.
The Gröbner bases descent expresses the logarithm of a degree-$D$ element, $D \in [5,15]$, as a linear combination of logarithms of polynomials of degree $\le d$ where $d = \lfloor D/2 \rfloor + 2$ (for example, 7-to-5 and 5-to-4). This is the best that can be done because of condition (5).
Gröbner bases descent was used on polynomials of odd degree. For those of even degree the zigzag descent was employed (except for degree-14 polynomials, see below) because of its more aggressive descent character. Indeed, a polynomial of degree $2d$, $d > 2$, is related to polynomials of degree $d$ using the zigzag descent instead of polynomials of degree $d+2$ when using the Gröbner bases descent. The degree-4 polynomials which are not in the factor base are descended using the classical or family-based Gröbner bases descent combined with the Frobenius strategy.
As mentioned in §2.6, the zigzag descent is successful for only 50% of degree-6 polynomials. For the remainder, we used a hybrid Gröbner bases-zigzag descent. In this hybrid descent, a degree-6 polynomial is lifted to the quadratic extension of $\mathbb{F}_{3^6}$, where it splits into two cubics. Over $\mathbb{F}_{3^{12}}$, we adapted the Gröbner bases descent in §2.5 and used it to perform a 3-to-2 descent on one of the two degree-3 polynomials. Then, using the polynomial norm as in §2.6, we obtained the logarithm of the degree-6 polynomial expressed in terms of logarithms of polynomials of degree (at most) 4. This strategy allowed us to avoid the more costly 6-to-5 and then 5-to-4 Gröbner bases descent steps (recall that each of these descents has a branching factor of $q$).
We also employed the hybrid descent on the degree-14 polynomials to perform 14-to-8 descents instead of 14-to-7 zigzag descents. In fact, a complete descent is more costly on a degree-7 polynomial than on a degree-8 polynomial since in the former two Gröbner bases descent stages, 7-to-5 then 5-to-4, are needed whereas only one zigzag 8-to-4 descent stage is needed in the latter. Table 5 lists the (scaled) times for computing the logarithms of all polynomials of degrees in the interval [5,15] that arose from the continued-fractions and classical descent stages.

Table 5. Total and average CPU times in seconds to obtain the logarithms of all the polynomials of degrees in [5,15].

Remark 1. In hindsight, the total running time for computing logarithms in $\mathbb{F}_{3^{6\cdot 509}}$ can be reduced substantially with two modifications to the algorithm. First, as mentioned at the end of §2.2.3, the linear systems associated with families of quartics can be reduced after discrete logarithms of a few families have been computed.

Discrete logarithms in $\mathbb{F}_{3^{6\cdot 709}}$
Recall that the Frobenius representation of $\mathbb{F}_{3^{6n}}$ requires a degree-$n$ irreducible factor of $h_1(X)\cdot X^q - h_0(X)$ over $\mathbb{F}_q$ where $\max(\deg h_0, \deg h_1) = 2$; since this polynomial has degree at most $q + 2 = 731$, necessarily $n \le 731$. Now, $n = 709$ is the largest prime $\le 731$ for which there is a supersingular elliptic curve $E$ over $\mathbb{F}_{3^n}$ with $r = \#E(\mathbb{F}_{3^n})$ a prime. More precisely, we have $r = 3^{709} - 3^{355} + 1 = \#E(\mathbb{F}_{3^{709}})$ where $E$ is the supersingular elliptic curve $Y^2 = X^3 - X - 1$ defined over $\mathbb{F}_3$. The Weil and Tate pairings can be used to embed $E(\mathbb{F}_{3^{709}})$ in the multiplicative group of the 6743-bit field $\mathbb{F}_{3^{6\cdot 709}}$. Thus, we are interested in computing $x = \log_g h \bmod r$, where $g$ is a generator of $\mathbb{F}_{3^{6\cdot 709}}^*$ and $h$ is an element of the order-$r$ subgroup of $\mathbb{F}_{3^{6\cdot 709}}^*$. In §4.1 we describe a slight modification of a descent method proposed by Guillevic [25] that is considerably more effective than the continued-fractions descent. Then, in §4.2, we demonstrate that Guillevic's descent method can be utilized to compute discrete logarithms in the cryptographically-interesting field $\mathbb{F}_{3^{6\cdot 709}}$ with essentially the same resources as we expended on the $\mathbb{F}_{3^{6\cdot 509}}$ discrete logarithm computation. Thus, we conclude that discrete logarithms in the cryptographically-interesting field $\mathbb{F}_{3^{6\cdot 709}}$ can be feasibly computed today.

4.1. Guillevic descent. Let $q = 3^6$ and let $r$ be a prime divisor of $\Phi_6(3^n)$, where $\Phi_6(X)$ denotes the 6th cyclotomic polynomial. Suppose that elements of the finite field $\mathbb{F}_{q^n}$ are represented as polynomials of degree at most $n-1$ over $\mathbb{F}_q$, with multiplication performed modulo a degree-$n$ irreducible polynomial. Let $g$ be a generator of $\mathbb{F}_{q^n}^*$, and let $h \in \mathbb{F}_{q^n}^*$. We wish to determine $x = \log_g h \bmod r$. Since $h$ is an arbitrary element of $\mathbb{F}_{q^n}^*$, its degree can be as high as $n-1$. Without loss of generality, we can suppose that $h$ has degree exactly $n-1$. Guillevic observed that if $h' = hv$, where $v$ is an element of the proper subfield $\mathbb{F}_{3^{3n}}$ of $\mathbb{F}_{q^n}$, then $\log_g h' \equiv \log_g h \pmod r$: the order of $v$ divides $3^{3n} - 1$, which is coprime to $r$ (as $r$ divides $\Phi_6(3^n)$, a factor of $3^{3n} + 1$), so $\log_g v \equiv 0 \pmod r$.
Her descent method consists of searching for $v$ until $h'$ has degree $n' \approx n/2$ and is smooth with respect to some smoothness bound $m$.
Let $n' = \lfloor n/2 \rfloor + c$, where $c$ is chosen so that $3^{6n' - 3n} \ge q^{n'}/N_q(m, n')$, the right hand side of the inequality being the reciprocal of the proportion of degree-$n'$ polynomials over $\mathbb{F}_q$ that are $m$-smooth. Let $\{1, w, w^2, \ldots, w^{3n-1}\}$ be a basis for $\mathbb{F}_{3^{3n}}$ over $\mathbb{F}_3$. Thus, we can write $v = v_0 + v_1 w + \cdots + v_{3n-1} w^{3n-1}$, where $v_i \in \mathbb{F}_3$. Let $H$ be the $6n \times 3n$ matrix over $\mathbb{F}_3$ whose columns are the coefficients of $h, wh, w^2h, \ldots, w^{3n-1}h$. Here, if $w^i h = h_0 + h_1 X + \cdots + h_{n-1} X^{n-1}$ with $h_j \in \mathbb{F}_q$, then the column vector corresponding to $w^i h$ is $(h_0, h_1, \ldots, h_{n-1})$ where each $h_j$ is written as a length-6 vector over $\mathbb{F}_3$. Thus, we wish to find vectors $v$ such that $h' = Hv$ is an $\mathbb{F}_3$-vector corresponding to a monic polynomial of degree $n'$ over $\mathbb{F}_q$. Now, let $H'$ be the $6(n - n') \times 3n$ matrix consisting of the last $6(n - n')$ rows of $H$. We expect that $H'$ has full row rank (otherwise we can randomize $h$ and repeat). Thus, each of the $3^{6n' - 3n}$ solutions $v$ to the matrix equation $H'v = e$, with $e$ being the unit vector having a 1 in its first position, yields a monic polynomial $h' = Hv$ of degree $n'$ over $\mathbb{F}_q$. These polynomials are tested for $m$-smoothness until an $m$-smooth polynomial is found. The expected running time is $S_q(m, n') \cdot q^{n'}/N_q(m, n')$, the cost of the linear algebra being negligible.
As proof-of-concept, we used the new descent method to write a degree-708 polynomial $h \in \mathbb{F}_{3^{6\cdot 709}}$ in terms of a 52-smooth degree-358 monic polynomial $h'$ (so $n = 709$, $c = 4$, $n' = 358$, and $m = 52$). The estimated cost of finding such an $h'$ is only $2^{43.8} M_q$. We found a 52-smooth $h'$ in about 245 CPU hours, after testing about $2^{19.6}$ candidates $h'$ (the search was implemented in Magma using a sub-optimal procedure for smoothness testing). In contrast, the expected cost of continued-fractions descent to write $h$ as $w_1/w_2$ where each $w_i$ is 52-smooth and has degree approximately 354 is $2^{62.5} M_q$; this computation is feasible but only with a considerable effort.
To find $x = \log_g h \bmod r$, we first use Guillevic's descent to find a degree-358 monic polynomial $h'$ that is 40-smooth. The expected cost of this step is $2^{53.3} M_q$. (In contrast, the expected cost of continued-fractions descent to express $h$ as the ratio of two 40-smooth degree-354 polynomials is $2^{81.3} M_q$.) Thus, the expected cost of the 708-to-40 Guillevic descent is less than the expected cost of the 508-to-40 continued-fractions descent performed in §3.2.4. Furthermore, the 708-to-40 Guillevic descent will yield fewer polynomials of degree $\le 40$ than the 508-to-40 continued-fractions descent.
The remainder of the discrete logarithm computation in $\mathbb{F}_{3^{6\cdot 709}}$ proceeds in the same way as the $\mathbb{F}_{3^{6\cdot 509}}$ discrete logarithm computation, except that we have to work modulo the 1124-bit prime $r$ instead of an 804-bit prime. The larger $r$ will only have a slight impact on the cost of the linear algebra. Hence, we can conclude that discrete logarithms in $\mathbb{F}_{3^{6\cdot 709}}$ can be computed using essentially the same resources as we expended in the $\mathbb{F}_{3^{6\cdot 509}}$ computation.

Discrete logarithms in $\mathbb{F}_{3^{6\cdot 1429}}$
The supersingular elliptic curve $E: Y^2 = X^3 - X - 1$ defined over $\mathbb{F}_3$ has $\#E(\mathbb{F}_{3^{1429}}) = cr$, where $c = 7622150170693$ is a 43-bit cofactor and $r = (3^{1429} - 3^{715} + 1)/c$ is a 2223-bit prime. The Weil and Tate pairings can be used to embed the order-$r$ subgroup of $E(\mathbb{F}_{3^{1429}})$ in the multiplicative group of the 13590-bit field $\mathbb{F}_{3^{6\cdot 1429}}$. Thus, we are interested in computing $x = \log_g h \bmod r$, where $g$ is a generator of $\mathbb{F}_{3^{6\cdot 1429}}^*$ and $h$ is an element of the order-$r$ subgroup of $\mathbb{F}_{3^{6\cdot 1429}}^*$. In §5.1, we show that discrete logarithms in the order-$r$ subgroup of $\mathbb{F}_{3^{6\cdot 1429}}^*$ can be computed in time $2^{63.4} M_q$. In §5.2 we present our arguments that this computation is feasible using existing computer technology.

5.1. Estimates. Let $\mathbb{F}_{3^6} = \mathbb{F}_3[u]/(u^6 + 2u^4 + u^2 + 2u + 2)$, $h_0(X) = X + u^{28}$, and $h_1(X) = X^2 + u^{420} X$. Then $h_1(X^q)\cdot X - h_0(X^q)$ has a degree-1429 irreducible factor $I_X$, the cofactor being the product of six irreducible polynomials of degrees 1, 1, 1, 3, 12 and 12. The field $\mathbb{F}_{3^{6\cdot 1429}}$ can be represented as $\mathbb{F}_{3^6}[X]/(I_X)$. This dual Frobenius representation, introduced in [22], has the useful property that $X \equiv h_0(X^q)/h_1(X^q) \pmod{I_X}$. The estimated costs of computing discrete logarithms in $\mathbb{F}_{3^{6\cdot 1429}}$ are given in Table 6 and explained in the remainder of §5.1.

Table 6. Estimated costs of the main steps for computing discrete logarithms in $\mathbb{F}_{3^{6\cdot 1429}}$.

Remark 2. To gauge the accuracy of our $\mathbb{F}_{3^{6\cdot 1429}}$ estimates, we generated estimates for the $\mathbb{F}_{3^{6\cdot 509}}$ computation using the same methodology as for the $\mathbb{F}_{3^{6\cdot 1429}}$ estimates. The cost estimates (in CPU years) for the main steps in the $\mathbb{F}_{3^{6\cdot 509}}$ computation are 15.7 (linear algebra for cubics), 16.4 (linear algebra for 29 families of quartics), 31.8 (continued-fractions descent), 7.4 (first classical descent), 7.9 (second classical descent), and 4.7 (small-degree descent). These estimates compare well with the observed times in Table 1 with the exception of the linear algebra as explained in §3.2.2.

We chose 36 quartic families to ensure that the probability of an irreducible quartic failing to descend using the family-based Gröbner bases descent method (see §2.2.4) is small. If we precompute logarithms of 36 quartic families, then this failure probability is less than $2^{-47.15}$. This can be considered to be sufficiently small since we expect to descend about $2^{36.94}$ irreducible quartics during the entire computation.
In fact, we only need to compute the logarithms of 18 families of quartics since we then get the logarithms of another 18 families for free. To see this, observe that the coefficients of h 0 (X) and h 1 (X) are elements of F 3 3 . Thus, and so the order-2 F 3 6·1429 -automorphism σ : α → α 3 3·1429 fixes X. Now, if γ ∈ F 3 6 \ F 3 3 , then σ gives a one-to-one correspondence between elements of the quartic families B 4,γ and B 4,σ(γ) . Hence, if we compute the logarithms of all elements in B 4,γ , then we can obtain the logarithms of elements f ∈ B 4,σ(γ) for free via since σ(f ) ∈ B 4,γ . In order to obtain a tighter estimate for the running time of the entire descent, we undertake a top-down analysis of the expected number of polynomials of each degree that are produced after each descent step. For this analysis, we use the generating function F k,m (u, z) for m-smooth monic polynomials over F q , where z marks the degree of a polynomial and u marks distinct degree-k monic irreducible factors of the polynomial. It is easy to see that where I i (q) denotes the number of monic irreducible polynomials of degree i over F q . Then the average number of distinct degree-k monic irreducible factors of an m-smooth degree-n monic polynomial over F q is (6) c k,m,n =  32). Suppose that one wishes to express a degree-D polynomial Q over F q in terms of irreducible polynomials of degrees at most m.
We also use the expression (6) to estimate the expected number d_k of polynomials of each degree k ∈ [1, 32] at the conclusion of this descent.

Suppose that one wishes to express a degree-D polynomial Q over F_q in terms of irreducible polynomials with degrees in S. In the classical descent described in [4, §3.5], parameters s ∈ [0, 6] and δ ≥ 1 are selected. One then searches for a pair of polynomials (R_1, R_2) such that Q | R_1, deg R_1 = t_1 ≈ (D/2 + δ) + 2·3^{6−s}, deg R_2 = t_2 ≈ (D/2 + δ)·3^s + 1, and both R_1/Q and R_2 are S-smooth (i.e., all irreducible factors of R_1/Q and R_2 have degrees in S). The expected cost of the classical descent is is the number of S-smooth degree-n monic polynomials over F_q. We selected s = 2 and δ = 2. Then, the expected cost of the 31-to-S classical descent is Σ_{D∈𝒟} (CD2_{D,S} · d_D) ≈ 2^{59.2} M_q.

5.1.5. Small-degree descent (S to 4). We used the expression (6) to estimate the expected number e_D of polynomials of each degree D ∈ S at the conclusion of the second classical descent. These numbers are listed in Table 7.

Table 7. M_q costs of performing all the D-to-4 descents for each D ∈ S.

For each polynomial of degree D ∈ [5, 15], the D-to-4 descent is performed using the strategies in §3.2.6. For each polynomial of degree D ∈ {16, 18, 20, 24, 28, 32}, one first performs a D-to-D/2 zigzag descent; in the analysis we assume that the descent yields q irreducible polynomials of degree D/2. A degree-22 polynomial is lifted to F_{q^2}, resulting in a degree-11 irreducible polynomial and its conjugate. An 11-to-8 Gröbner bases descent is performed, and the resulting polynomials are projected down to F_q. One expects to obtain q/i polynomials of degree 2i for each i ≤ 8 [30]. The even degrees 26 and 30 are omitted from S because of the relatively high cost of performing 13-to-4 and 15-to-4 descents (see Table 5). The costs of all the descents are given in Table 7. The total cost is 2^{60.0} M_q.

5.2. Feasibility. In this section we argue that the computation outlined in §5.1 is feasible today, even though it is just beyond the reach of the computer resources available to the authors of this paper.
We assume that we have access to a 9000-core machine A such as ABACUS [1], where each core has 16 gigabytes of RAM. In addition, we assume that we have access to a 1500-core machine B with 1 terabyte of shared RAM. We further assume that both machines can execute 2^{27} M_q per second; we achieved these speeds in our experiments using a look-up table approach. Table 8 shows the estimated calendar time for computing a discrete logarithm in F_{3^{6·1429}}. All computations are performed on machine A except for the small-degree descents, which are performed on machine B. The 728 matrices for degree-3 logarithms are solved simultaneously, with each linear system assigned to 8 cores. Then, 4,500 of the 13,122 matrices for degree-4 logarithms are solved simultaneously using 2 cores per matrix. The next 4,500 matrices are solved after that, and finally the remaining 4,122 matrices. The estimated size of the files containing logarithms of cubics is 38.3 gigabytes (only half the logarithms have to be stored thanks to the automorphism σ). The estimated size of the files containing logarithms of one family of quartics is 59.2 gigabytes. Thus, the logarithms of cubics and 15 quartic families, whose total size is 926.3 gigabytes, can be stored in shared RAM. Since the family-based Gröbner bases descent can be performed with respect to 30 quartic families without resorting to the quartic families stored on hard disk, we can reasonably expect the time to compute the logarithm of a randomly-selected irreducible quartic to be no more than the time for this operation in the F_{3^{6·509}} computation (where only 10 quartic families were stored in RAM), namely 0.064 seconds. Since we expect to perform 2^{36.94} such descents in total, we obtain an upper bound of 65 days on the time for all the small-degree descents. The total estimated calendar time for computing a logarithm in F_{3^{6·1429}} is 173 days.
It would be worthwhile to consider alternate descent strategies to reduce the expected time to the extent that the computation could be performed with relatively modest computational resources.