Indiscreet logarithms in finite fields of small characteristic

Recently, several striking advances have taken place regarding the discrete logarithm problem (DLP) in finite fields of small characteristic, despite progress having remained essentially static for nearly thirty years, with the best known algorithms being of subexponential complexity. In this expository article we describe the key insights and constructions which culminated in two independent quasi-polynomial algorithms. To put these developments into both a historical and a mathematical context, as well as to provide a comparison with the cases of so-called large and medium characteristic fields, we give an overview of the state-of-the-art algorithms for computing discrete logarithms in all finite fields. Our presentation aims to guide the reader through the algorithms and their complexity analyses ab initio.


Introduction
Given a finite cyclic group $(G, \cdot)$, a generator $g \in G$ and another group element $h \in G$, the discrete logarithm problem (DLP) is the computational problem of finding an integer $x$ such that $g^x = h$. The integer $x$, denoted by $\log_g h$, is uniquely determined modulo the group order and is called the discrete logarithm of $h$ to the base $g$. The most natural example is the multiplicative group $\mathbb{F}_p^\times$ of the field $\mathbb{F}_p$ of integers modulo a prime $p$, which is a cyclic group in which the DLP is believed to be hard in general. Besides this classical case, several other groups have been extensively studied, including the multiplicative group $\mathbb{F}_q^\times$ of any finite field $\mathbb{F}_q$ of prime power order $q = p^n$, the group $E(\mathbb{F}_q)$ of $\mathbb{F}_q$-rational points on an elliptic curve $E$, or the group $J_C(\mathbb{F}_q)$ associated with the Jacobian $J_C$ of a (usually hyperelliptic) curve $C$ of genus $> 1$.
The study of discrete logarithms can be traced back to at least two centuries ago, when they appeared in Gauß' Disquisitiones Arithmeticae and were referred to as indices [Gauß,. Beyond its relevance as a natural computational problem, the study of the DLP really came of age with the advent of public-key cryptography in 1976, as the hardness of the DLP (originally in $\mathbb{F}_p^\times$) forms the basis of the famous Diffie-Hellman protocol [DH76] and other cryptographic primitives.
To describe the hardness of the DLP in a group of order $N$ one usually considers the asymptotic complexity in the input size of the problem, which is proportional to $\log N$. To indicate the complexity, it has become customary to use the notation where $\alpha \in [0, 1]$, $c > 0$ and $\log$ denotes the natural logarithm; we may omit the subscript $N$ when there is no ambiguity and sometimes write $L(\alpha)$ to mean $L(\alpha, c)$ for some $c > 0$. Note that $L(0) = (\log N)^{c+o(1)}$, which corresponds to polynomial time, while $L(1) = N^{c+o(1)}$ corresponds to exponential time. An algorithm with a running time of $L(\alpha)$ for some $0 < \alpha < 1$ is said to be of subexponential complexity.
Algorithms for solving the DLP can be broadly classified into two classes. One class consists of the so-called generic algorithms, which do not exploit any representational properties of group elements and may thus be applied to any group. Generic algorithms, like Pollard's rho method [Pol78], necessarily have a running time of $\Omega(\sqrt{N})$ [Nec94, Sho97b] if $N$ is prime; if $N$ is composite then one may reduce the original problem to the DLP in prime order subgroups, using the Pohlig-Hellman algorithm [PH78]. The other class consists of the so-called index calculus algorithms, which exploit a suitable representation of group elements, which imbues a notion of smoothness. A basic version of index calculus was analysed by Adleman [Adl79] and shown to have complexity $L(1/2)$. Subsequently, more advanced index calculus algorithms with lower complexity have been developed.
In particular, the first $L(1/3)$ algorithm for computing discrete logarithms, published in 1984 by Coppersmith [Cop84], targeted binary finite fields. Later, the number field sieve, originally devised for the integer factoring problem [LL93], was adapted for the DLP in prime fields [Gor93, Sch93] and resulted again in an $L(1/3)$ algorithm. Inspired by the number field sieve, the function field sieve was developed for computing discrete logarithms in small (fixed) characteristic [Adl94, AH99, JL02, JL06]. Regarding general finite fields $\mathbb{F}_{p^n}$, for $n \ll (\log p)^{1/2}$ the number field sieve and for $\log p \ll n^{1/2}$ the function field sieve still have complexity $L(1/3)$. Finally, in 2006 the number field sieve was generalised [JLSV06] to work also in the remaining cases, thereby obtaining $L(1/3)$ algorithms for all families of finite field DLPs. Some improvements of the medium number field sieve have been reported recently, see e.g., [BGGM15, BGK15].
Regarding the case of small characteristic, dramatic advances have recently taken place. Indeed, nearly thirty years after Coppersmith's algorithm the $L(1/3)$ barrier was broken in a series of remarkable results, starting with the work of Göloglu, Granger, McGuire and Zumbrägel [GGMZ13], and independently Joux [Jou14]. The approach of Joux led to the first heuristic quasi-polynomial algorithm, i.e., one with running time $\exp(O((\log\log N)^2)) = (\log N)^{O(\log\log N)}$, which is in $L(o(1))$, due to Barbulescu, Gaudry, Joux and Thomé [BGJT14]. Independently, the approach of Göloglu et al. was later developed into an alternative algorithm by Granger, Kleinjung and Zumbrägel, which also has quasi-polynomial complexity, but is rigorous for a large family of fields [GKZ14b, GKZ15].
In this article we describe the key insights and constructions underlying the recent algorithms. To put these developments into both a historical and a mathematical context, as well as to provide a comparison with the cases of so-called large and medium characteristic fields, we give an overview of the state-of-the-art algorithms for computing discrete logarithms in all finite fields. All necessary mathematical prerequisites will be briefly introduced along the way.
As our focus is on DLP algorithms for finite fields, we cover generic algorithms only briefly. We refer to Odlyzko's paper [Odl00] or the recent survey [JOP14] for an overview on these and other general aspects of the DLP, including curve-based groups, which are not covered here.
A remark on terminology. The cardinality of any finite field $F$ is a prime power $|F| = p^n$, where the prime $p$ is called the characteristic of $F$, which is the smallest positive integer $m$ such that $m \cdot 1_F = 0$. Conversely, given any prime power $q = p^n$ there exists a finite field of size $q$, which is unique up to isomorphism and is denoted by $\mathbb{F}_q$.
When considering families of finite fields of order $q = p^n$, where $p = L_q(\alpha)$ and $q \to \infty$, different DLP algorithms apply depending on $\alpha$. Accordingly, in the case $\alpha > 2/3$ we speak of large characteristic; for $\alpha \in (1/3, 2/3)$ we speak of medium characteristic; and for $\alpha \in (0, 1/3)$ we say that the characteristic is medium-small, while the boundary cases $\alpha = 2/3$ and $\alpha = 1/3$ are special cases to be treated additionally. Finally, in the case $\alpha = 0$, i.e., if $p$ is of polynomial size in $\log q$, we speak of finite fields of small characteristic. In particular, if $q = p$ is a prime or $q = p^n$ with $n$ fixed, then we are in (very) large characteristic $p = L_q(1)$, whereas if the characteristic $p$ is fixed, then we have small characteristic $p = L_q(0)$; note however that $p = L_q(1)$ (or $p = L_q(0)$) does not imply that $n$ (or $p$) has to be fixed.
Furthermore, for complexity considerations we make use of the notation $f \approx g$ to indicate that $f/g \to 1$ as the argument goes to infinity.
Outline. We discuss the DLP for general finite cyclic groups in Section 2 and briefly present the most common cryptographic applications and generic algorithms. The index calculus method serves as a framework for all advanced DLP algorithms for finite fields and will be described in Section 3, where we first present it abstractly in a general group and then give some basic concrete instances. Section 4 is devoted to the number field sieve, which is currently the fastest method for DLP in both large and medium characteristic, while Section 5 deals with the function field sieve in finite fields of small (and medium-small) characteristic. Section 6 presents the recent dramatic developments for small characteristic finite fields, as well as the key insights and ideas which led to them. Finally, we conclude in Section 7.

The DLP in finite cyclic groups
The discrete logarithm problem can be formulated for any finite cyclic group; indeed, most cryptographic protocols using the DLP can be formulated in this abstract setting. We present in this section the most important cryptographic applications and the common generic algorithms. Since our main focus is the DLP in finite fields to which index calculus algorithms may be applied, we will here be rather brief in our treatment.
Let $(G, \cdot)$ be a finite cyclic group of order $N$ and let $g \in G$ be a generator. We assume that the group operation can be computed efficiently, i.e., in polynomial time, and that the group order is known. The surjective group homomorphism $\mathbb{Z} \to G$, $x \mapsto g^x$ induces a group isomorphism The map $\psi$ can be computed efficiently by using a square-and-multiply method, whereas the computation of $\psi^{-1}$ is believed to be a difficult problem in general; this is of course the DLP. Indeed, for so-called generic algorithms, in which one can only perform group operations and check equality of elements, the DLP necessarily has an exponential running time of $\Omega(\sqrt{N})$ if $N$ is prime [Nec94, Sho97b]. However, for particular groups with concrete representations, faster algorithms exist, and it is not proven in any such cases that the DLP is hard.
One should note that the DLP, as well as the integer factorisation problem, can be solved in polynomial time using quantum computers [Sho97a], but in this article we confine ourselves to the classical computational model.

Cryptographic applications.
The difficulty of the DLP is nowadays widely used, e.g., for secure communication over the Internet. Virtually all public-key cryptosystems in use today are based on either the integer factorisation problem or the DLP. Some common cryptographic protocols using the DLP are briefly presented below. In each case the group $(G, \cdot)$ and a generator $g \in G$ are assumed to be publicly known.
In the Diffie-Hellman key-agreement protocol [DH76] two parties, usually referred to as Alice and Bob, choose random integers $a$ and $b$, respectively, and exchange the group elements $g^a$ and $g^b$ over the public channel, hence they both can compute a common session key $(g^b)^a = g^{ab} = (g^a)^b$. Clearly, if the DLP in $G$ is feasible, then the key can be computed from the public information, so it is essential that the DLP is hard.
The Diffie-Hellman protocol can be transformed into a public-key encryption scheme as shown by ElGamal [ElG85]. Indeed, if Bob has announced his public key $g^b$ and Alice has a secret message $m \in G$ for Bob, she chooses a random integer $a$ and sends the pair $(g^a, m(g^b)^a)$ to Bob, who can decrypt by computing $(g^a)^b = (g^b)^a$. Moreover, there are digital signature schemes based on the DLP, e.g., the ElGamal [ElG85] and Schnorr [Sch91] signature schemes.
More recently, the advent of pairing-based cryptography in 2000 provided new cryptographic functionalities, starting with identity-based non-interactive key distribution [SOK00], one-round tripartite key-agreement [Jou00] and identity-based encryption [BF01], followed by numerous others. It also renewed interest in the underlying DLPs and related security assumptions.
To summarise, the hardness of the DLP in any group in which any of the above protocols is instantiated is essential to their security. It is therefore imperative that these DLPs continue to be studied.

Generic algorithms.
We now present examples of generic algorithms for solving the DLP in any finite cyclic group. Suppose that we want to find the discrete logarithm $\log_g h$ for a target element $h \in G$. Recall that $N = |G|$ is the group order.
In the Baby-Step-Giant-Step method, attributed to Shanks, let $M = \lceil \sqrt{N} \rceil$. One computes a table $\{(j, g^j) \mid j \in \{0, \dots, M-1\}\}$ (baby steps) and sorts it by the second component. Then one computes $k = g^{-M}$, as well as $h, hk, hk^2, \dots$ (giant steps) until a collision $hk^i = g^j$ is detected, in which case the output is $\log_g h = iM + j$. The method requires $O(\sqrt{N})$ database entries and $O(\sqrt{N} \log N)$ group operations (or $O(\sqrt{N})$ if hash tables are used).
Pollard's rho method [Pol78] reduces the memory requirement to a negligible amount while preserving the square-root running time. Therefore, it is the preferred method in practice. However, due to its randomised nature the analysis is more intricate. The idea is to define pseudorandom sequences $(k_i)$ in $G$ and $(a_i)$, $(b_i)$ in $\mathbb{Z}/N\mathbb{Z}$ such that $g^{a_i} h^{b_i} = k_i$ holds for any $i$. If $k_j = k_{j+\ell}$ holds for some $j, \ell > 0$, then there exists also $i$ with $k_i = k_{2i}$, and such collisions can be easily detected. In this case, $\log_g h = \frac{a_{2i} - a_i}{b_i - b_{2i}}$ is found, provided that the denominator is invertible modulo $N$.
Moreover, there is the Pohlig-Hellman method [PH78], the efficiency of which depends on the prime factorisation of $N = p_1^{e_1} \cdots p_r^{e_r}$, which we assume is given. Then one has $\mathbb{Z}/N\mathbb{Z} \cong \mathbb{Z}/p_1^{e_1}\mathbb{Z} \times \cdots \times \mathbb{Z}/p_r^{e_r}\mathbb{Z}$ by the Chinese Remainder Theorem, hence $x = \log_g h$ corresponds to a tuple $(x_1, \dots, x_r)$ and one can consider the DLP for each factor $x_i \in \mathbb{Z}/p_i^{e_i}\mathbb{Z}$ separately. Furthermore, if $e_i > 1$, then $x_i \in \mathbb{Z}/p_i^{e_i}\mathbb{Z}$ can be found by obtaining the "p-ary" digits of $x_i$, one at a time starting with the least significant digit, by solving a DLP of order $p_i$. Therefore, the Pohlig-Hellman method essentially reduces the DLP complexity in a group of order $N$ to a group of order the largest prime factor of $N$, for which either the Baby-Step-Giant-Step or Pollard's rho method may be applied.
We remark that, although we are mainly interested in the DLP in finite fields (to which more efficient index calculus algorithms apply), to compute the DLP modulo the order of the full multiplicative group it is often preferable to use the Pohlig-Hellman method for computing the solution modulo the small prime power factors.
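The Pohlig-Hellman reduction with Baby-Step-Giant-Step as the prime-order solver, as an added Python example that is not part of the original article. It works in $\mathbb{F}_p^\times$ with $g$ a generator; the toy prime 8101 (with $p - 1 = 2^2 \cdot 3^4 \cdot 5^2$) and all function names are choices made for this illustration.

```python
from math import isqrt


def factorize(n):
    """Prime factorisation of n by trial division, as {prime: exponent}."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def is_generator(g, p):
    """True if g generates the full group F_p^x of order p - 1."""
    return all(pow(g, (p - 1) // ell, p) != 1 for ell in factorize(p - 1))


def bsgs(g, h, order, p):
    """Baby-Step-Giant-Step: x in [0, order) with g^x = h mod p."""
    M = isqrt(order - 1) + 1              # M = ceil(sqrt(order))
    baby, cur = {}, 1
    for j in range(M):                    # baby steps: table of (g^j, j)
        baby.setdefault(cur, j)
        cur = cur * g % p
    k = pow(g, -M, p)                     # k = g^(-M)
    gamma = h % p
    for i in range(M):                    # giant steps: h, hk, hk^2, ...
        if gamma in baby:                 # collision h k^i = g^j
            return (i * M + baby[gamma]) % order
        gamma = gamma * k % p
    raise ValueError("h is not in the subgroup generated by g")


def dlog_prime_power(g, h, ell, e, p):
    """log_g h where g has order ell^e, one ell-ary digit at a time."""
    gamma = pow(g, ell ** (e - 1), p)     # element of order ell
    x = 0
    for k in range(e):                    # least significant digit first
        # strip the digits already known, then project to the order-ell subgroup
        hk = pow(h * pow(g, -x, p) % p, ell ** (e - 1 - k), p)
        x += bsgs(gamma, hk, ell, p) * ell ** k
    return x


def pohlig_hellman(g, h, p):
    """log_g h in F_p^x for a generator g, via the factorisation of N = p - 1."""
    N = p - 1
    x, modulus = 0, 1
    for ell, e in factorize(N).items():
        pe = ell ** e
        gi, hi = pow(g, N // pe, p), pow(h, N // pe, p)   # project to order ell^e
        xi = dlog_prime_power(gi, hi, ell, e, p)          # x mod ell^e
        # Chinese Remainder Theorem: merge x mod modulus with xi mod pe
        t = (xi - x) * pow(modulus, -1, pe) % pe
        x, modulus = x + modulus * t, modulus * pe
    return x


if __name__ == "__main__":
    p = 8101                              # constructed toy prime, p - 1 is 5-smooth
    g = next(c for c in range(2, p) if is_generator(c, p))
    h = pow(g, 6689, p)                   # constructed target with known logarithm
    print("generator", g, "log_g h =", pohlig_hellman(g, h, p))
```

The largest prime factor of $p - 1$ here is 5, so every Baby-Step-Giant-Step call runs in a subgroup of order at most 5, which is the reduction to the largest prime factor described above.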

The index calculus method
The index calculus method can be much more efficient than generic algorithms for certain groups and representations, and is the template for all subexponential DLP algorithms. While we describe the framework for any group, the details will depend on the concrete representation of the group elements.
As before let $\log_g h$ be the target logarithm in a cyclic group $G$ of order $N$. We choose a subset $F \subseteq G$ such that $\langle F \rangle = G$ (often we have $g \in F$), called the factor base. The idea is to first obtain $\log_g f$ for all $f \in F$. Let $A = \mathbb{Z}/N\mathbb{Z}$ and consider the surjective group homomorphism The index calculus method consists of three phases.
1. Relation generation. Find vectors $(e_f)_{f \in F}$ in $\ker \varphi$, called relations, thus generating a subset $R \subseteq \ker \varphi$.
2. Linear algebra. Compute an element $0 \neq (x_f)_{f \in F} \in R^\perp$, i.e., satisfying $\sum_{f \in F} x_f e_f = 0$ for all $(e_f)_{f \in F} \in R$.
3. Individual logarithm. Find a preimage $(e_f)_{f \in F} \in \varphi^{-1}(h)$, for then we have found $\log_g h = \sum_{f \in F} e_f \log_g f$, cf. Lemma 1.
As the next result shows, provided that enough relations have been found, the discrete logarithms of the factor base elements are determined up to a scalar multiple. In practice, the condition given in the lemma is satisfied if a few more relations than factor base elements have been obtained.
Lemma 1. Suppose that $\operatorname{span} R = \ker \varphi$ and $(x_f)_{f \in F} \in R^\perp$, then there exists $\lambda \in A$ such that $x_f = \lambda \log_g f$ for all $f \in F$.
Proof. It holds that $R^\perp = (\operatorname{span} R)^\perp = (\ker \varphi)^\perp$ and $A^F / \ker \varphi \cong \operatorname{im} \varphi \cong A$, while $(\ker \varphi)^\perp \cong A^F / \ker \varphi$ as can be seen by considering the Smith normal form, hence $R^\perp \cong A$. On the other hand, we have (log

Sparse linear algebra. After the relation generation step an $r \times m$-matrix $M$ over $\mathbb{Z}/N\mathbb{Z}$ has been found, where $m$ is the size of the factor base $F$ and $r \approx m$ is the number of relations. In order to obtain the factor base logarithms we need a solution $0 \neq x \in (\mathbb{Z}/N\mathbb{Z})^m$ of $Mx = 0$. Due to the relation generation method the matrix is usually of low average row weight $w$. For such sparse matrices iterative algorithms are available, most commonly used are the Lanczos method [Lan50] (for an adaption to finite fields see, e.g., [LO91]) or the Wiedemann algorithm [Wie86]. Their cost is dominated by repeated computations of matrix-vector products $Mv$, and the running time is $O(m^2 w)$ operations in $\mathbb{Z}/N\mathbb{Z}$. Provided that $\log w = o(\log m)$ (and $\log\log N = o(\log m)$), which is usually the case, this is of complexity $m^{2+o(1)}$. We note that, as $O(m)$ divisions in $\mathbb{Z}/N\mathbb{Z}$ are necessary (when using the Lanczos method), the group order $N$ should avoid small prime factors, therefore the Pohlig-Hellman reduction and Pollard's rho algorithm should be used for the small prime power factors. In practice, for large-scale computations the linear algebra step poses some challenges, as the iterative algorithms are not easily parallelisable. We also remark that so-called structured Gaussian elimination (cf. [LO91, JL03]) can be used to decrease the matrix dimension $m$, while increasing the weight $w$ only moderately.

A variant permitting rigorous analysis
The following variant of the index calculus method, proposed by Enge and Gaudry [EG00] and subsequently refined by Diem [Die11], is valuable for theoretical analysis. With this variant one can compute discrete logarithms, provided only that it is feasible to express group elements as products over the factor base, as in the individual logarithm step of the classical index calculus method.
As before, let $(G, \cdot)$ be a cyclic group of order $N$, let $g \in G$ be a generator and let $h \in G$ be the target element for the DLP. Suppose that $F \subseteq G$ is a factor base of cardinality $|F| = m$. We choose $a, b \in \mathbb{Z}/N\mathbb{Z}$ uniformly and independently at random and try to express $g^a h^b$ as a product $g^a h^b = \prod_{f \in F} f^{e_f}$. Once more than $m$ such expressions have been found, we consider the matrix consisting of the collected rows $(e_f)_{f \in F}$ over $\mathbb{Z}/N\mathbb{Z}$, and compute using invertible row transformations a row echelon form, which contains a vanishing row. Contrary to the classical index calculus method we do not require a rank condition for this matrix. Applying the invertible row transformations also to the numbers $a$ and $b$, then considering the vanishing row we obtain an identity Instead of computing a row echelon form by a variant of the Gauß algorithm one may use sparse linear algebra techniques, which have an improved running time, however their analysis is more difficult and the above algorithm has to be modified [EG00]. In particular, it is then necessary to fulfil rank conditions for the generated matrix following a technique from Pomerance [Pom87].

Basic concrete versions
The class of groups to which the index calculus method is applicable includes the multiplicative groups of prime fields and fields of small fixed characteristic. We describe for these cases a simple index calculus method and provide a running time analysis, which also serves as a basis for the more advanced index calculus algorithms.
Suppose that $G$ is $\mathbb{F}_p^\times$, the multiplicative group of a prime field $\mathbb{F}_p$, of order $N = p - 1$, with a given generator $g \in G$. As factor base we choose for some bound $B$ (by slight abuse of notation, for $f \in \mathbb{Z}$ we denote the class $[f] \in \mathbb{F}_p$ also by $f$). For simplicity, we assume that $g \in F$ (otherwise, we include it into the factor base). To generate relations, for random $e \in \mathbb{Z}/N\mathbb{Z}$ we compute $g^e \in \mathbb{F}_p$, lift it to an element in $\mathbb{N}$, and check by trial division whether it has only prime divisors $\le B$. If successful, we obtain a relation $g^e \equiv \prod_{f \in F} f^{e_f} \bmod p$ in $G$. Once enough relations (more than $|F|$) have been found, we compute $\log_g f$ for all $f \in F$ by solving a linear system over $\mathbb{Z}/N\mathbb{Z}$. Finally, given a target element $h \in G$ we similarly obtain one more relation of the form $h g^e = \prod_{f \in F} f^{e_f}$ to obtain $\log_g h$.
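The three phases of this basic index calculus method in $\mathbb{F}_p^\times$, as an added Python example that is not part of the original article. It assumes a safe prime $p = 2q + 1$ so that the linear system can be solved over the field $\mathbb{Z}/q\mathbb{Z}$, with the remaining factor 2 of $N$ settled by testing both lifts; the toy parameters $p = 1019$, $g = 2$, $B = 13$ and all names are constructed for this illustration.

```python
import random


def small_primes(bound):
    """Factor base: all primes <= bound."""
    return [n for n in range(2, bound + 1)
            if all(n % d for d in range(2, int(n ** 0.5) + 1))]


def smooth_exponents(n, base):
    """Exponent vector of n >= 1 over the factor base, or None if not smooth."""
    exps = []
    for f in base:
        e = 0
        while n % f == 0:
            n //= f
            e += 1
        exps.append(e)
    return exps if n == 1 else None


class Echelon:
    """Incremental Gaussian elimination over Z/qZ, q prime.
    A row (e_f for f in base) + [e] encodes sum e_f * log_g(f) = e mod q."""

    def __init__(self, m, q):
        self.m, self.q, self.pivots = m, q, {}   # pivot column -> normalised row

    def add(self, row):
        q = self.q
        row = [v % q for v in row]
        for col in range(self.m):
            if row[col] == 0:
                continue
            if col not in self.pivots:           # new pivot: scale leading entry to 1
                inv = pow(row[col], -1, q)
                self.pivots[col] = [v * inv % q for v in row]
                return True
            c = row[col]                         # eliminate with the existing pivot
            row = [(a - c * b) % q for a, b in zip(row, self.pivots[col])]
        return False                             # dependent on earlier relations

    def solve(self):
        """Back-substitution; requires a pivot in every column."""
        x = [0] * self.m
        for col in reversed(range(self.m)):
            row = self.pivots[col]
            tail = sum(row[j] * x[j] for j in range(col + 1, self.m))
            x[col] = (row[self.m] - tail) % self.q
        return x


def index_calculus(p, g, h, bound, rng):
    """log_g h in F_p^x, assuming p = 2q + 1 is a safe prime and g a generator."""
    if h % p == 0:
        raise ValueError("h must be a nonzero residue")
    q, N = (p - 1) // 2, p - 1
    base = small_primes(bound)
    ech = Echelon(len(base), q)
    # Phase 1: relation generation, g^e smooth over the factor base
    while len(ech.pivots) < len(base):
        e = rng.randrange(1, N)
        exps = smooth_exponents(pow(g, e, p), base)
        if exps is not None:
            ech.add(exps + [e])
    # Phase 2: linear algebra gives log_g f mod q for every f in the base
    logs = ech.solve()
    # Phase 3: individual logarithm from one relation h * g^e = prod f^(e_f)
    while True:
        e = rng.randrange(N)
        exps = smooth_exponents(h * pow(g, e, p) % p, base)
        if exps is not None:
            break
    x = (sum(a * b for a, b in zip(exps, logs)) - e) % q
    for cand in (x, x + q):                      # lift from mod q to mod N = 2q
        if pow(g, cand, p) == h % p:
            return cand
    raise ValueError("h is not a power of g")


if __name__ == "__main__":
    p, g = 1019, 2                               # constructed toy parameters
    h = pow(g, 777, p)
    print(index_calculus(p, g, h, 13, random.Random(0)))
```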
Considering a finite field $\mathbb{F}_q = \mathbb{F}_{p^n}$ of fixed characteristic $p$, note that $\mathbb{F}_{p^n}$ is usually represented as a quotient ring $\mathbb{F}_p[X]/(I)$, where $I \in \mathbb{F}_p[X]$ is an irreducible polynomial of degree $n$. For $G = \mathbb{F}_q^\times$, it is then straightforward to adapt the basic index calculus method for $\mathbb{F}_p^\times$ described above to the present situation. In particular, as factor base we choose all irreducible polynomials in $\mathbb{F}_p[X]$ of some bounded degree $b$, i.e., (where we employ a similar abuse of notation). It suffices in practice to include only the monic polynomials into the factor base. In fact, one may perform the discrete logarithm computation in $\mathbb{F}_q^\times / \mathbb{F}_p^\times$, i.e., ignoring constants in $\mathbb{F}_p^\times$, to obtain $\log_g h$ modulo $\frac{N}{p-1}$. Using the Pohlig-Hellman method with the fact that $p - 1$ divides the product of the small prime power divisors of the group order $N = p^n - 1$, the remaining information of $\log_g h$ is deduced easily.

Complexity analysis
A positive integer is called $B$-smooth if all its prime divisors are $\le B$. The (heuristic) running time analysis for the basic index calculus method in $\mathbb{F}_p^\times$, as well as for the more advanced algorithms presented in Section 4, is based on the following result on the asymptotic density of smooth numbers among the integers.
For analysing the basic version of the index calculus method in $\mathbb{F}_p^\times$, we set the smoothness bound $B = L(1/2, \beta)$ and we have $M = N = L(1, 1)$. As we need about $|F| \approx B/\log B \le B$ relations, our estimated running time equals and the optimal choice $\beta = 1/\sqrt{2}$ results in a running time of $L(1/2, \sqrt{2})$ for the relation generation. The linear algebra running time (using iterative techniques for sparse matrices) is about 2) as well, while the individual logarithm phase is of lower complexity.
Similarly, a polynomial is called b-smooth if all its irreducible factors are of degree ≤ b; hence, the 1-smooth polynomials are precisely those that split into linear factors.
For the DLP in $G = \mathbb{F}_{p^n}^\times$, where $p$ is fixed, we obtain quite analogously a running time of

The number field sieve
The number field sieve is an advanced index calculus method with heuristic $L(1/3)$-complexity. It was originally devised for the integer factorisation problem, but the method can be adapted to apply for the DLP in prime fields [Gor93, Sch93] and more generally fields of large or medium characteristic [Sch00, JLSV06]. The principal difference between these algorithms and the basic version of the previous section is that the two sides of each relation are of a considerably smaller "size" than before, so that the smoothness probability is (at least heuristically) greatly increased.
The setup for computing discrete logarithms in $\mathbb{F}_p^\times$ for a prime $p$ is as follows. Let $f_1, f_2 \in \mathbb{Z}[X]$ be coprime irreducible polynomials and $m \in \mathbb{Z}$ such that $f_1(m) \equiv f_2(m) \equiv 0 \bmod p$. To simplify the description we assume that $f_1$ and $f_2$ are monic, although this requirement is not essential. We have the following commutative diagram: For applying the index calculus method we need a way to factor elements $[h]$ in the ring $\mathbb{Z}[X]/(f_i)$ over a smoothness base, which is a more intricate issue, requiring some concepts from algebraic number theory (see, e.g., [Neu99]). For $i = 1, 2$ let $d_i$ be the degree and let $x_i$ be a root of the polynomial $f_i$. Then $K_i = \mathbb{Q}(x_i)$ is a number field, i.e., a finite extension of $\mathbb{Q}$, of degree $d_i$, and its associated ring of integers $\mathcal{O}_i$ is a Dedekind domain, thus every nonzero ideal factors uniquely into a product of prime ideals. We have Z In order to generate relations we make use of the multiplicative norm map p ep is the decomposition of the principal ideal (α) into prime ideals, then |N (α)| = N (p) ep . Therefore, the prime ideal decomposition of $(\alpha)$ can be easily obtained from the prime factorisation of the norm $N(\alpha) \in \mathbb{Z}$, provided that every prime ideal $\mathfrak{p}$ containing $\alpha$ has prime norm; this holds for example in the situation $\alpha = h(x_i)$ and $h = h_1 X + h_0$ with coprime integers $h_0, h_1 \in \mathbb{Z}$.
Accordingly, as factor base we choose elements which are represented by prime ideals in $\mathcal{O}_i$ of small norm, and we look for linear polynomials h , 2, are smooth. After collecting sufficiently many relations we obtain the "virtual logarithms" of the prime ideals using linear algebra, cf. [JL03, Sch05]. We remark that one has to account for the unit groups of $\mathcal{O}_1$ and $\mathcal{O}_2$, for which one usually includes up to $(d_1 + d_2)$ further factor base elements corresponding to certain computable logarithmic maps devised by Schirokauer [Sch93].
Parameter choices and complexity analysis. Classically one chooses $d_2 = 1$, so that there is a rational side $K_2 = \mathbb{Q}$ and $\mathcal{O}_2 = \mathbb{Z}$, as well as where $|h_i| \le E$, be the sieving polynomial one wants both $N(h(x))$ and $h(m)$ to be $B$-smooth.
Under the heuristic assumption that the quantity $|N(h(x)) h(m)|$ is uniformly distributed for a random polynomial $h$, we get from Corollary 3 for the probability $P$ of this quantity being $B$-smooth ). The sieving space size $\approx E^2$ should be equal to the linear algebra complexity $\approx B^2$, therefore $\beta = \varepsilon$, and as about $B$ relations are needed one sets $1/P \approx B$. Therefore, we obtain the condition $\frac{\delta^2 \beta + 2}{3 \beta \delta} = \beta$, or $\delta^2 \beta + 2 = 3 \beta^2 \delta$. The optimal choice $\delta^2 = 2/\beta$ then yields $\beta = (8/9)^{1/3}$, resulting in a complexity of $L(1/3, (64/9)^{1/3} \approx 1.923)$ for the first two phases of the index calculus method. For prime fields in which the prime is of particular shape the so-called special number field sieve is available [Sem02]. In this case one may have small coefficients of $f$, namely $\log \|f\|_\infty = o(\log m)$, which leads to a faster algorithm. Indeed, one gets $\delta^2 \beta + 1 = 3 \beta^2 \delta$, and for $\delta^2 = 1/\beta$ one obtains $\beta = (4/9)^{1/3}$, resulting in a complexity of $L(1/3, (32/9)^{1/3} \approx 1.526)$. Note that these two complexities are the same as for factoring using the number field sieve and the special number field sieve, respectively.

Individual logarithms. For obtaining an individual logarithm $\log_g h$ the previous approach, i.e., multiplying $h$ by random powers of $g$ until it factors over the factor base, is not viable as the factor base is now much smaller. Instead one uses a recursive strategy commonly referred to as the descent. At each step of the descent one eliminates a given element which is not in the factor base, i.e., rewrites it as a product of elements of smaller norm. Starting with $h$, eliminations are carried out recursively until only factor base elements remain. In this way a tree is constructed with $h$ as root and with factor base elements as leaves, from which the logarithm $\log_g h$ can easily be deduced from the factor base logarithms by traversing the tree.
We omit the technical details for this section and simply remark that this phase can be shown to have negligible (heuristic) complexity compared to the other steps (see, e.g., [CS06]).

The medium number field sieve
This variation of the number field sieve applies to the DLP in finite fields of large or medium characteristic [JLSV06].
The setup is as follows. Choose irreducible polynomials $f_1, f_2 \in \mathbb{Z}[X]$ such that $f_1 \bmod p$ and $f_2 \bmod p$ have a common irreducible factor $I \in \mathbb{F}_p[X]$ of degree $n$. (A simple choice is to let $f_2 = f_1 + p$, if $f_1 \bmod p$ contains an irreducible degree $n$ factor; more advanced selection methods are sketched below.) We have thus the following commutative diagram: As in the number field sieve for prime fields one obtains relations by finding polynomials $h \in \mathbb{Z}[X]$ (of some degree $\le t$ and $\|h\|_\infty \le E$) such that both norms $N(h(x_i)) = \operatorname{Res}(h, f_i)$ are $B$-smooth, where $x_i$ is a root of $f_i$ and $\operatorname{Res}$ denotes the resultant. The Kalkbrener bound [Kal97] implies here that where $d_i$ is the degree of $f_i$ (if $d_i$ is small enough). Therefore, the running time will crucially depend on the degree and the coefficient size of the selected polynomials $f_i$ in the setup phase of the algorithm. The recent work [BGGM15] achieves improvements by a clever polynomial selection.
Indeed, for large characteristic one first chooses a polynomial $f_1 \in \mathbb{Z}[X]$ of degree $d + 1$ with $\|f_1\|_\infty$ small such that $f_1 \bmod p$ has an irreducible factor $I$ of degree $n$. Then a polynomial $f_2 \in \mathbb{Z}[X]$ of degree $d$ is chosen such that $I \mid f_2 \bmod p$ and $\|f_2\|_\infty$ as small as possible; this can be achieved by lattice reduction [LLL82], resulting in the estimation $\log \|f_2\|_\infty \approx \frac{n}{d+1} \log p$, while one has $d_1 = d + 1$ and $d_2 = d \ge n$. With suitably chosen parameters this results in a running time of $L(1/3, (64/9)^{1/3})$, the same as for the prime field case. For medium characteristic the so-called Conjugation Method improves upon the original selection method. Here, one lets $\mu = Y^2 + aY + b \in \mathbb{Z}[Y]$ be an irreducible polynomial with small coefficients such that $\mu \bmod p$ has a root $\lambda \in \mathbb{F}_p$. Then one chooses $g_0, g_1 \in \mathbb{Z}[X]$ with $\|g_i\|_\infty$ small and deg The complexity analysis results in a running time of $L(1/3, (96/9)^{1/3} \approx 2.201)$.
The tower number field sieve. An alternative method to deal with the DLP in extension fields stems from work of Schirokauer [Sch00], in which an algorithm for finite fields $\mathbb{F}_{p^n}$ of fixed extension degree $n$ is presented with a heuristic running time of $L(1/3, (64/9)^{1/3})$. It uses a field extension on top of a number field $F$, for which its ring of integers $\mathcal{O}_F$ satisfies $\mathcal{O}_F/(p) \cong \mathbb{F}_{p^n}$. The setup is then very similar to the number field sieve for prime fields, with $\mathbb{Z}$ replaced by the ring $\mathcal{O}_F$.
The algorithm has been analysed and extended in a recent work [BGK15], in which the authors coined the term tower number field sieve. In particular, it has been shown that it applies to the whole range of large characteristic fields, achieving the same complexity $L(1/3, (64/9)^{1/3})$ as the medium number field sieve of [JLSV06], while being practically advantageous for certain cases.

The function field sieve - classical variant
The first (heuristic) $L(1/3)$ algorithm for the DLP in finite fields was devised by Coppersmith in 1984 [Cop84] (thus predating the number field sieve) and as originally described applies to binary finite fields, i.e., finite fields of characteristic 2. As a result of this algorithm, binary field DLPs fell out of favour in cryptography; only much later with the advent of pairing-based cryptography did they become fashionable once again, when the lower security-per-bit they offer was considered tolerable thanks to the functionality afforded by pairings on supersingular curves [Gal01].
The function field sieve was conceived of by Adleman [Adl94] in analogy with the number field sieve, and later refined by Adleman and Huang [AH99], but can also be seen as a generalisation of Coppersmith's algorithm. Joux and Lercier later provided a more streamlined version [JL02], as well as an improved version for medium-size base fields [JL06]. In this section we briefly describe these algorithms in turn, as not only are they historically relevant to the DLP in small characteristic fields, but they also serve as the benchmark against which the recent developments may be compared.
Before describing the algorithms we remark that it is possible to map between any two representations of a finite extension field efficiently [Len91]; therefore when solving a DLP one is free to choose a field-defining polynomial to one's advantage.

Coppersmith's algorithm
Coppersmith's algorithm [Cop84] is an index calculus algorithm for solving the DLP in $\mathbb{F}_{2^n}$, represented as $\mathbb{F}_2[X]/(I)$, where $I \in \mathbb{F}_2[X]$ is an irreducible degree $n$ polynomial of the form $I = X^n + J$, where $J \in \mathbb{F}_2[X]$ is of relatively low degree (less than $n^{2/3}$). Let the factor base consist of the irreducible polynomials up to a degree bound $\le b$, and choose positive integers $h$ and $\ell$ such that $h 2^\ell \ge n$. For relation generation, consider $f = uX^h + v \in \mathbb{F}_2[X]$, with $u, v \in \mathbb{F}_2[X]$ coprime polynomials of degree $\le d$, where $d$ is a sieving parameter, and compute A relation is found if the polynomials $f, g \in \mathbb{F}_2[X]$ on both sides are $b$-smooth. Note that the corresponding degrees, namely $\deg f \le h + d$ and $\deg g \le r + 2^\ell d$ with $r = \deg X^{h 2^\ell - n} J$, can be made rather small by suitably chosen parameters. Indeed, we let $d = (c + o(1)) n^{1/3} (\log n)^{2/3}$ and suppose that $2^\ell \approx \sqrt{n/d}$, as well as $h = \lceil n / 2^\ell \rceil$. Then $\deg f$ and $\deg g$ are about applying an analogue of Corollary 3, we get for the probability $P$ of both polynomials being $b$-smooth In order to generate enough relations we set $\frac{2}{3\sqrt{c}} = c$, so that $c = (4/9)^{1/3}$, resulting in an overall complexity of $L(1/3, (32/9)^{1/3})$ for relation generation. This matches the linear algebra complexity using sparse matrix techniques, while the individual logarithm phase was shown to have lower complexity.
This analysis supposes that $\sqrt{n/d}$ is close to some power $2^\ell$, which cannot be fulfilled for all $n$. In general one obtains a complexity between $L(\frac{1}{3}, (\frac{32}{9})^{1/3})$ and $L(\frac{1}{3}, 4^{1/3})$, with $(\frac{32}{9})^{1/3} \approx 1.526$ and $4^{1/3} \approx 1.587$. Observe that the algorithm exploits the basic identity $(u + v)^2 = u^2 + v^2$, which holds for any polynomials $u, v \in \mathbb{F}_2[X]$, and can thus be adapted easily to the case of fields of fixed characteristic $p$, by using the identity $(u + v)^p = u^p + v^p$ for $u, v \in \mathbb{F}_p[X]$, with a correspondingly increased upper bound on the resulting complexity.
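The relation search of this subsection, as an added Python example that is not code from the article: polynomials over $\mathbb{F}_2$ are stored as integers, and $g$ is taken to be $f^{2^\ell} \bmod I$, the standard choice in Coppersmith's algorithm and the one consistent with the bound $\deg g \le r + 2^\ell d$ above. The parameters ($n = 127$, $J = X + 1$, $\ell = 2$, and the small $d$, $b$ used in the search) and all function names are assumptions chosen for illustration.

```python
# Polynomials over F_2 are Python ints: bit i is the coefficient of X^i.

def deg(a):
    return a.bit_length() - 1                # deg(0) == -1

def mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def divmod2(a, m):
    """Quotient and remainder of a by a non-zero polynomial m."""
    q = 0
    while deg(a) >= deg(m):
        s = deg(a) - deg(m)
        q ^= 1 << s
        a ^= m << s
    return q, a

def gcd(a, b):
    while b:
        a, b = b, divmod2(a, b)[1]
    return a

def is_smooth(f, b):
    """True iff every irreducible factor of f has degree <= b."""
    if f == 0:
        return False
    xp = 2                                   # the polynomial X
    for _ in range(b):
        if f == 1:
            break
        xp = divmod2(mul(xp, xp), f)[1]      # X^(2^i) mod f
        g = gcd(f, xp ^ 2)                   # irreducible factors of degree dividing i
        while deg(g) > 0:                    # strip them with multiplicity
            f = divmod2(f, g)[0]
            g = gcd(f, g)
        xp = divmod2(xp, f)[1]
    return f == 1

# Assumed toy parameters (not from the article).
N = 127
J = 0b11                                     # J = X + 1
I = (1 << N) | J                             # I = X^127 + X + 1
ELL = 2                                      # 2^ell = 4
H = -(-N // (1 << ELL))                      # h = ceil(n / 2^ell) = 32

def frob(a, ell):
    """a(X)^(2^ell): by (u+v)^2 = u^2 + v^2 this only spreads the bits."""
    out = 0
    for i in range(a.bit_length()):
        if a >> i & 1:
            out |= 1 << (i << ell)
    return out

def relation_sides(u, v):
    """f = u X^h + v and g = f^(2^ell) mod I = u^(2^ell) X^(h 2^ell - n) J + v^(2^ell)."""
    f = (u << H) ^ v
    g = mul(frob(u, ELL), J << (H * (1 << ELL) - N)) ^ frob(v, ELL)
    return f, g

def find_relations(d, b):
    """All coprime (u, v), u != 0, of degree <= d with f and g both b-smooth."""
    rels = []
    for u in range(1, 1 << (d + 1)):
        for v in range(1 << (d + 1)):
            if gcd(u, v) != 1:
                continue
            f, g = relation_sides(u, v)
            if is_smooth(f, b) and is_smooth(g, b):
                rels.append((u, v))
    return rels

if __name__ == "__main__":
    rels = find_relations(4, 8)
    print(len(rels), "relations, e.g.", rels[:5])
```

Each pair returned gives one linear equation $2^\ell \sum_i e_i \log p_i = \sum_j e'_j \log p'_j$ between the logarithms of the factor base elements dividing $f$ and $g$.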

The function field sieve
The function field sieve is an adaption of the number field sieve and applies to finite fields $\mathbb{F}_{p^n}$ of small characteristic $p$. The principal idea is to replace $\mathbb{Z}[X]$ by $\mathbb{F}_p[X, Y]$, and one usually chooses the polynomial $f_2$ to be of degree 1. More precisely, define $\mathbb{F}_{p^n}$ as $\mathbb{F}_p[X]/(I)$, where the irreducible degree $n$ poly- The factor base consists of all irreducible polynomials in $\mathbb{F}_p[X]$ up to degree $b$. In order to generate relations we search for polynomials $h = h_1 Y + h_0 \in \mathbb{F}_p[X, Y]$ such that both $h_1 m + h_0$ and the norm of $h$ from $\mathbb{F}_p(C)$ to $\mathbb{F}_p(X)$ are $b$-smooth. In this case, we can express the divisor of $h_1 Y + h_0$ as a sum of places in $\mathbb{F}_p(C)$ over factor base elements, and relate the corresponding so-called surrogates via the map $\varphi$ with the factors of $h_1 m + h_0$. Then we solve as usual the logarithms of the factor base elements by linear algebra.
As already mentioned there are three variations of the function field sieve, which differ by the choice of the polynomials $I$, $f$ and $m$. In Adleman's original version [Adl94] the field-defining polynomial is written as using the base-$m$ technique prevalent in the number field sieve. The refined version by Adleman and Huang [AH99] improves upon this approach by choosing $I = X^n + J$ with $J \in \mathbb{F}_p[X]$ of small degree $\deg J < n^{2/3}$, $f = Y^d + X^{ed-n} J$ and $m = X^e$, which results in a complexity of $L(\frac{1}{3}, (\frac{32}{9})^{1/3})$, the same as for the special number field sieve. It is worth noting that Coppersmith's algorithm can be seen as a particular case of this variation. Finally, the function field sieve version of Joux and Lercier [JL02] achieves the same complexity, but has some practical advantages. The idea is to start by choosing $f$ with coefficients of low degree in $X$ and then letting is now a rational function. In all cases the individual logarithm phase can be shown to have a lower complexity than the other two phases.

The medium function field sieve
Joux and Lercier in 2006 proposed the following simplified variant of the function field sieve, which employs just the rational function field of a univariate polynomial ring [JL06]. The algorithm applies to the whole range of finite fields $\mathbb{F}_{p^n}$ of medium-small characteristic, i.e., $p = L_{p^n}(\alpha)$, where $\alpha \le \frac{1}{3}$. It also applies to extension fields $\mathbb{F}_{q^m}$, where $q$ is any prime power.
The representation of the field $\mathbb{F}_{q^m}$ is as follows. Let $f, g \in \mathbb{F}_q[X]$ be polynomials such that $g(f(X)) - X$ has an irreducible factor $I \in \mathbb{F}_q[X]$ of degree $m$. Let $x$ be a root of $I$ in $\mathbb{F}_{q^m}$ and let $y = f(x)$, hence $x = g(y)$. Again we have the following commutative diagram: Now if $q = L_{q^m}(1/3)$ then for $a, b, c \in \mathbb{F}_q$ we consider $h = XY + aY + bX + c \in \mathbb{F}_q[X, Y]$, which leads in $\mathbb{F}_{q^m}$ to the following identity

$$x f(x) + a f(x) + b x + c = g(y) y + a y + b g(y) + c.$$
Let the factor base consist of the linear polynomials in $X$ or in $Y$. If the corresponding polynomials on both sides, namely $h(X, f(X)) = X f(X) + a f(X) + bX + c$ and $h(g(Y), Y) = g(Y) Y + aY + b g(Y) + c$, are 1-smooth, then a relation has been found. We may choose the polynomials $f$ and $g$ such that $\deg f, \deg g \approx \sqrt{m}$, which leads to an algorithm with complexity Here, the individual logarithm phase turns out to have the same complexity as the main phase, with the bottleneck being the elimination of degree two polynomials, see [JL06, Sec. 3].
In the general case, where $q = L_{q^m}(\alpha)$ with $\alpha \le 1/3$, to obtain an $L(1/3)$ algorithm we set as the degree bound for the factor base $(C + o(1)) \left(\frac{\log q}{\log\log q}\right)^{1/3 - \alpha}$ and consider polynomials of the form $h = h_1(X) Y + h_0(X)$ in order to generate relations. Note that for $\alpha = 0$ the case $\log q = o(\log\log q^m)$ has to be treated separately with a slightly modified analysis. If $q = L_{q^m}(0)$, i.e., the case of small characteristic, this results in an algorithm of complexity $L(\frac{1}{3}, (\frac{32}{9})^{1/3})$, with a less costly individual logarithm phase.

Small characteristic quasi-polynomial time algorithms
In this section we present the two recent quasi-polynomial time algorithms for the small characteristic DLP. The first of these was due to Barbulescu, Gaudry, Joux and Thomé [BGJT14], while the second was due to Granger, Kleinjung and Zumbrägel [GKZ14b, GKZ15]. For the purpose of assisting the reader in comparing the key insights and ideas behind the two algorithms, we present these for relation generation and individual logarithms, in turn.

Resisting smoothness heuristics
Before presenting the aforementioned developments, we start with some general remarks on how to obviate smoothness heuristics.
As detailed in Section 3, a complexity of $L(1/2)$ could be said to be the "natural complexity" of the DLP when elements are generated uniformly in the multiplicative group. In order to obtain algorithms of complexity better than $L(1/2)$, at least for the relation generation phase of the index calculus method, there are (at least) two approaches that one can explore. Firstly, one can try to generate relations between elements of smaller norm, which heuristically would have a higher probability of being sufficiently smooth, which is what the $L(1/3)$ algorithms do. Secondly, one can try to generate relations which have better than expected smoothness properties (or possibly a combination of both of these approaches). The second idea is perhaps far less obvious and more nuanced than the first; indeed, until recently it does not seem to have been appreciated that it was even a possibility, most likely because from an algorithm analysis perspective it is desirable that the expected smoothness properties hold.
However, in 2013 a series of algorithmic breakthroughs occurred which demonstrated that for small characteristic fields the DLP is, at least heuristically, far easier than originally believed. Central to these developments was the fundamental insight that one can produce families of polynomials that are smooth by construction [GGMZ13, Jou14] and use these to generate relations, while uniformly generated polynomials of the same degree are smooth with only an exponentially small probability. These results were the first to succeed in applying the second approach described above, and the families of polynomials used lay the foundation for the two quasi-polynomial algorithms.

Polynomial time relation generation
We now explain the polynomial time relation generation methods due to Göloglu, Granger, McGuire and Zumbrägel [GGMZ13] and Joux [Jou14], which while different are essentially isomorphic, and were discovered independently at essentially the same time.
The finite fields to which the methods apply are of the form $\mathbb{F}_Q = \mathbb{F}_{q^{kn}}$, with $k \ge 2$ and $n \approx q$. A given small characteristic finite field $\mathbb{F}_{p^n}$ can be embedded into one of this form by letting $q = p^\ell$ with $\ell = \lceil \log_p n \rceil$, thus increasing the extension degree by a factor of $k \lceil \log_p n \rceil$, which does not impact upon the resulting complexity too much, see Section 6.4.
The GGMZ method. The field setup used in [GGMZ13] can be seen in the context of the Joux-Lercier function field sieve [JL06], described in Section 5.3, but for which the degrees of the polynomials $f$ and $g$ are extremely unbalanced. In fact, we consider $f = X^q$ and $g = h_0/h_1$ for some $h_0, h_1 \in \mathbb{F}_{q^k}[X]$ of low degree, which leads to the following field representation. We define $\mathbb{F}_{q^{kn}}$ as $\mathbb{F}_{q^k}[X]/(I)$, where y). The factor base consists of $h_1(x^q)$ and all linear polynomials on the $x$-side; note that the $y$-side factor base is not needed since for all $d \in \mathbb{F}_{q^k}$ one has $(y + d) = (x + d^{1/q})^q$.
As in Section 5.3, let $a, b, c$ be in the base field $\mathbb{F}_{q^k}$, and consider elements of $\mathbb{F}_{q^{kn}}$ of the form $xy + ay + bx + c$. Using the field isomorphisms we have the following identity for such elements: An extremely useful observation is that the l.h.s. of Eq. (1) splits completely over $\mathbb{F}_{q^k}$ with probability $\approx 1/q^3$, which is exponentially higher than the splitting probability of a uniformly random polynomial of the same degree, which is $\approx 1/(q+1)!$. Indeed, let $k \ge 3$ and consider the polynomial $X^{q+1} + aX^q + bX + c$. If $ab \ne c$ and $a^q \ne b$, this may be transformed (up to a scalar) into Clearly, the original polynomial splits whenever $F_B$ splits and we have a valid transformation from X to X. The following theorem of Bluher counts the number of $B \in \mathbb{F}_{q^k}$ for which $F_B$ splits completely over $\mathbb{F}_{q^k}$.

Theorem 5. (Bluher [Blu04]) The number of elements

Using the expression for $B$ as a function of $a, b, c$ one can easily generate triples $(a, b, c)$ for which the l.h.s. always splits. In particular, one first computes the set $\mathcal{B}$ of all $B \in \mathbb{F}_{q^k}$ for which $F_B$ splits over $\mathbb{F}_{q^k}$. Then for any $a$, $b \ne a^q$ and $B \in \mathcal{B}$ there is a unique $c$ for which the l.h.s. splits. Furthermore, by Theorem 5 there are $\approx q^{3k-3}$ such triples, and for each one whenever the r.h.s. splits as well, one has a relation. For $k = 2$ there are no such $F_B$, however in this case the set of triples for which the l.h.s. splits non-trivially is easily shown to be $\{(a, a^q, c) \mid a \in \mathbb{F}_{q^2} \text{ and } c \in \mathbb{F}_q,\ c \ne a^{q+1}\}$.
In all cases, assuming the r.h.s. splits with probability $1/(d_h + 1)!$, in order for there to be sufficiently many relations one requires that $q^{2k-3} > (d_h + 1)!$.
For fixed $d_h$ and $q \to \infty$ the cost of computing the logarithms of all the factor base elements is heuristically $O(q^{2k+1})$ (operations in $\mathbb{Z}/(Q-1)\mathbb{Z}$), using sparse (weight $q$) linear algebra techniques, which is polynomial in $\log Q = q^{1+o(1)}$ for fixed $k$.
Joux's method. The method of Joux [Jou14] works for fields of the same shape as those in the GGMZ method (although only $k = 2$ was used for the exposition and initial examples), however the field representation is slightly different. In particular, let x). Fixing some notation, for any $a \in \mathbb{F}_{q^k}[X]$ we have $a(X)^q = \tilde{a}(X^q)$ with $\deg \tilde{a} = \deg a$, where the coefficients of $\tilde{a}$ are the $q$-th powers of the coefficients of $a$.
As already mentioned, Joux's method is essentially isomorphic to the GGMZ method and starts with the identity

$$\prod_{\mu \in \mathbb{F}_q} (X - \mu) = X^q - X.$$
Substituting $X$ by $\frac{\alpha X + \beta}{\gamma X + \delta}$ with $\alpha, \beta, \gamma, \delta \in \mathbb{F}_{q^k}$ and $\alpha\delta - \beta\gamma \ne 0$, and multiplying by $(\gamma X + \delta)^{q+1}$ one obtains

$$(\gamma X + \delta) \prod_{\mu \in \mathbb{F}_q} \big( (\alpha X + \beta) - \mu (\gamma X + \delta) \big) = (\alpha X + \beta)^q (\gamma X + \delta) - (\alpha X + \beta)(\gamma X + \delta)^q. \qquad (2)$$

Observe that the r.h.s. of Eq. (2) has (up to a scalar factor) the same form as the l.h.s. of Eq. (1), and automatically splits over $\mathbb{F}_{q^k}$ by virtue of the l.h.s. of Eq. (2). Using the field equation $x^q = \frac{h_0(x)}{h_1(x)}$, the r.h.s. of Eq. (2) becomes and if it also splits over $\mathbb{F}_{q^k}$ then one has a relation between the linear elements and $h_1(x)$. As for the number of different relations one can obtain in this way, observe that the total number of $(\alpha, \beta, \gamma, \delta)$-transformations is just $|\mathrm{PGL}_2(\mathbb{F}_{q^k})| = q^{3k} - q^k$. However, two transformations will give the same relation (up to multiplication by a scalar in $\mathbb{F}_{q^k}^\times$) if there exists an element of $\mathrm{PGL}_2(\mathbb{F}_q)$ which gives the second transformation when multiplied by the first. Hence the total number of different transformations is $\approx q^{3k-3}$, just as for the GGMZ method. One should therefore compute a set of coset representatives for the quotient $\mathrm{PGL}_2(\mathbb{F}_{q^k}) / \mathrm{PGL}_2(\mathbb{F}_q)$ to avoid repetitions; the GGMZ method by contrast already does this implicitly.
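Eq. (2) and the coset count can be checked exhaustively in the smallest interesting case. The following added Python example (not code from the article or from [Jou14]) takes $q = 3$, $k = 2$ and models $\mathbb{F}_9$ as $\mathbb{F}_3[i]/(i^2 + 1)$; the field model and all function names are assumptions. It confirms that every r.h.s. of Eq. (2) splits into distinct linear factors over $\mathbb{F}_9$ and that only $|\mathrm{PGL}_2(\mathbb{F}_9)| / |\mathrm{PGL}_2(\mathbb{F}_3)| = 720/24 = 30$ distinct polynomials arise, close to $q^{3k-3} = 27$.

```python
from itertools import product

Q = 3                                     # q = 3, k = 2: base field F_9
F9 = [(a, b) for a in range(3) for b in range(3)]   # a + b*i with i^2 = -1
ZERO, ONE = (0, 0), (1, 0)

def add(x, y):
    return ((x[0] + y[0]) % 3, (x[1] + y[1]) % 3)

def neg(x):
    return ((-x[0]) % 3, (-x[1]) % 3)

def mul(x, y):
    return ((x[0] * y[0] - x[1] * y[1]) % 3, (x[0] * y[1] + x[1] * y[0]) % 3)

def inv(x):
    return next(y for y in F9 if mul(x, y) == ONE)

# Polynomials over F_9: lists of coefficients, lowest degree first.
def pmul(f, g):
    out = [ZERO] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = add(out[i + j], mul(a, b))
    return out

def ppow(f, e):
    out = [ONE]
    for _ in range(e):
        out = pmul(out, f)
    return out

def peval(f, x):
    acc = ZERO
    for c in reversed(f):                 # Horner's rule
        acc = add(mul(acc, x), c)
    return acc

def rhs(al, be, ga, de):
    """R.h.s. of Eq. (2), scaled to be monic, as a tuple of coefficients."""
    A, B = [be, al], [de, ga]             # alpha X + beta, gamma X + delta
    left = pmul(ppow(A, Q), B)
    right = pmul(A, ppow(B, Q))
    f = [add(a, neg(b)) for a, b in zip(left, right)]
    while f[-1] == ZERO:                  # degree drops to q if infinity is a "root"
        f.pop()
    s = inv(f[-1])
    return tuple(mul(s, c) for c in f)

def splits(f):
    """True iff f has deg(f) distinct roots in F_9."""
    return sum(peval(f, x) == ZERO for x in F9) == len(f) - 1

def joux_relations():
    """Map each distinct normalised r.h.s. to one transformation producing it."""
    seen = {}
    for al, be, ga, de in product(F9, repeat=4):
        if add(mul(al, de), neg(mul(be, ga))) == ZERO:
            continue                      # need alpha*delta - beta*gamma != 0
        seen.setdefault(rhs(al, be, ga, de), (al, be, ga, de))
    return seen

if __name__ == "__main__":
    rels = joux_relations()
    print(len(rels), "distinct polynomials, all split:",
          all(splits(f) for f in rels))
```

The values of the returned dictionary are one representative transformation per coset, which is the deduplication the paragraph above calls for.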

Degree two elimination
The methods of the previous subsection demonstrate that the factor base can be extremely small and the logarithms of its elements computed efficiently. Therefore, our attention now falls on the individual logarithm phase. For the $L(1/2)$ and $L(1/3)$ algorithms this phase had those respective complexities, although usually with smaller constants. In contrast, for the new algorithms it becomes the dominant phase.
If one employs the usual descent method for the individual logarithm phase for our setup, then as in [JL06] the degree two eliminations are the bottleneck. However, the work of GGMZ and Joux shows how to eliminate degree two elements efficiently, and the respective methods were developed into the building blocks of the quasi-polynomial descent algorithms. Thus, due to their importance, we now present them.
The GGMZ degree two elimination method. As before consider $\mathbb{F}_{q^{kn}} = \mathbb{F}_{q^k}(x)$ with $y = x^q$ and $x = \frac{h_0(y)}{h_1(y)}$. Let $P(x)$ be a degree two irreducible element to be eliminated, i.e., written as a product of linear elements, and let $P(y) = P(x)^q$. For $a, b, c \in \mathbb{F}_{q^k}$ consider Eq. (1) from the setup for relation generation.
Imposing the condition that $P(y)$ divides the r.h.s. of Eq. (1), we get an $\mathbb{F}_{q^k}$-linear system in $(a, b, c)$, whose solution can in general be expressed in terms of $a$. In particular, there exist $u_0, u_1, v_0, v_1 \in \mathbb{F}_{q^k}$ dependent on $P(x)$ such that $b = u_0 + a u_1$ and $c = v_0 + a v_1$ and hence

$$x^{q+1} + a x^q + b x + c = \frac{1}{h_1(y)} \big( h_0 y + a h_1 y + (u_0 + a u_1) h_0 + (v_0 + a v_1) h_1 \big).$$
The r.h.s. has degree $d_h + 1$, so the cofactor heuristically splits with probability $\approx 1/(d_h - 1)!$, while the l.h.s. heuristically splits with probability $1/q^3$ for randomly chosen $a$.
To find such $a$ more directly, we again use the set $\mathcal{B}$ of splitting $F_B$ polynomials. In particular, as a function of $a$ we transform the l.h.s. to obtain an $F_B$, so that (3) Then for each $B \in \mathcal{B}$ we solve Eq. (3) for $a$, which one can do by taking the greatest common divisor with $a^{q^k} - a$ for instance, which takes time which is polynomial in $\log Q$.
Joux's degree two elimination method. In [Jou14] Joux used the following extension of the degree one relation generation to compute the logarithms of the degree two elements in batches. In particular, let $u \in \mathbb{F}_{q^k}$ and substitute $X$ in $X^q - X$ by $\frac{\alpha(X^2 + uX) + \beta}{\gamma(X^2 + uX) + \delta}$, with $\alpha, \beta, \gamma, \delta \in \mathbb{F}_{q^k}$ and $\alpha\delta - \beta\gamma \ne 0$, and multiply by $(\gamma(X^2 + uX) + \delta)^{q+1}$. This gives Observe that in the l.h.s. of Eq. (4) all of the factors are of the form $X^2 + uX + v$ for some $v \in \mathbb{F}_{q^k}$. Replacing all occurrences of $X^q$ by $\frac{h_0(X)}{h_1(X)}$ on the r.h.s. of Eq. (4) gives a low degree expression, which if 1-smooth gives a relation. Once more than $\approx q^k/2$ such relations have been obtained (which is the expected number of irreducibles of this form) one may take logs and solve the resulting system. Doing this for each $u \in \mathbb{F}_{q^k}$ means the logarithms of all degree two elements can be computed in time $O(q^{3k+1})$.
Joux also gave a new elimination method which relies on Gröbner basis computations, whose cost increases with the degree. Balancing the costs of the Gröbner basis descent and the classical descent (whose cost decreases with the degree) results in a heuristic $L(1/4 + o(1))$ algorithm, which was the first algorithm to break the long-standing $L(1/3)$ barrier.
The BGJT quasi-polynomial algorithm. Joux's idea for performing degree two elimination in batches can be generalised to polynomials $P$ of any degree, which leads to the quasi-polynomial descent algorithm of Barbulescu et al. [BGJT14]. As before, let the finite field $\mathbb{F}_Q = \mathbb{F}_{q^{kn}}$ be given as $\mathbb{F}_{q^k}[X]/(I)$, where the degree $n$ irreducible polynomial Suppose an element to be eliminated is represented by a polynomial $P \in \mathbb{F}_{q^k}[X]$ of some degree $D < n$. The goal of each elimination step is to find an expression for $P$ in terms of elements of degree less than $D/2$. Substituting $X$ by $P$ in Eq. (2) one obtains

$$(\gamma P + \delta) \prod_{\mu \in \mathbb{F}_q} \big( (\alpha P + \beta) - \mu (\gamma P + \delta) \big) = (\alpha P + \beta)^q (\gamma P + \delta) - (\alpha P + \beta)(\gamma P + \delta)^q,$$

for any $\alpha, \beta, \gamma, \delta \in \mathbb{F}_{q^k}$ with $\alpha\delta - \beta\gamma \ne 0$. Observe that all factors in the l.h.s. are (up to a scalar) of the form $P + v$ for some $v \in \mathbb{F}_{q^k}$. Similarly to before, replacing all occurrences of $X^q$ by $\frac{h_0(X)}{h_1(X)}$ on the r.h.s. gives an expression of relatively low degree $(d_h + 1)D$, which if $D/2$-smooth is viewed as a relation. In order to get a degree $D/2$-smooth expression for $P$ not involving its $\mathbb{F}_{q^k}$-translates, one collects more than $\approx q^k$ relations of the above form, so that the associated linear system (in the logarithms of the factors $P + v$, for $v \in \mathbb{F}_{q^k}$) is expected to have full rank, and performs a linear algebra elimination to find an expression for $P$ as a $D/2$-smooth product, as desired.
By this process the polynomial $P$ is rewritten modulo $I$ as a product $\prod_i R_i^{e_i}$ of polynomials of degree $\le D/2$, in time polynomial in $q^k$ and $n$, where the number of factors $R_i$ is in $O(nq^k)$. Iterating these elimination steps down to the factor base gives for fixed $d_h$ and $k$ a heuristic descent running time of which is, taking into account the polynomial time relation generation, also the heuristic total complexity for solving the DLP in $\mathbb{F}_Q$. In fact, the running time of the algorithm can be improved slightly by replacing the degree bound $D/2$ above by $O(D \log\log q / \log q)$, leading to the heuristic complexity $q^{O(\log n / \log\log q)}$. While this quasi-polynomial algorithm is asymptotically the fastest, it has however not yet been used in record computations, see Section 6.5.
Impact on small and medium-small characteristic. Having a quasi-polynomial time algorithm for finite fields of the form $\mathbb{F}_Q = \mathbb{F}_{q^{kn}}$ affects also the DLP in general finite fields of small or medium-small characteristic. Indeed, if a image of $\mathbb{F}_{q^{kd}} \setminus \mathbb{F}_{q^2}$ under the map $z \mapsto \frac{(z - z^{q^2})^{q+1}}{(z - z^q)^{q^2+1}}$.
By this and Eq. (3), in order to eliminate $P$ we need to find $(a, z) \in \mathbb{F}_{q^{kd}} \times (\mathbb{F}_{q^{kd}} \setminus \mathbb{F}_{q^2})$ satisfying That there are sufficiently many appropriate $(a, z)$ pairs was proven using the classification of subgroups of $\mathrm{PGL}_2(\mathbb{F}_{q^{kd}})$ and the Weil bound for absolutely irreducible curves. One also needs to deal carefully with so-called descent traps, i.e., elements that divide $h_1(X) X^{q^{kd+1}} - h_0(X)$ for $d \ge 0$ which can be shown to be ineliminable in the above manner. These considerations led to the following theorem.
Theorem 6. Given a prime power $q > 61$ that is not a power of 4, an integer $k \ge 18$, coprime polynomials $h_0, h_1 \in \mathbb{F}_{q^k}[X]$ of degree at most two and an irreducible degree $n$ factor $I$ of $h_1 X^q - h_0$, the DLP in $\mathbb{F}_{q^{kn}} \cong \mathbb{F}_{q^k}[X]/(I)$ can be solved in expected time $q^{\log_2 n + O(k)}$.
That the degree of $h_0, h_1$ is at most two is essential to eliminating smoothness heuristics, since this ensures that the cofactor of the r.h.s. of Eq. (1) has degree at most one, and is thus automatically 1-smooth. Thanks to Kummer theory, such $h_1, h_0$ are known to exist when $n = q - 1$, which gives the following easy corollary when $m = ik(p^i - 1)$.
Theorem 7. For every prime $p$ there exist infinitely many explicit extension fields $\mathbb{F}_{p^m}$ in which the DLP can be solved in expected quasi-polynomial time

Proving the existence of $h_0, h_1$ for general extension degrees as per Theorem 6 seems to be a hard problem, even if heuristically it would appear to be almost certain, and in practice it is very easy to find such polynomials.

Practical considerations
While rigorously proving the correctness of a new DLP algorithm is of theoretical interest, a perhaps more immediate measure of its value arises from its practical impact. Furthermore, the challenge of setting new DLP records often leads to theoretical insights that give rise to novel or superior algorithms, which may not have been at all obvious. In addition, such large-scale computations are of cryptologic relevance since they allow one to assess the security of contemporary or future DLP-based cryptosystems. Hence, the value of practical considerations should not be underestimated.

Kummer extensions and automorphisms. Kummer theory provides us with particularly useful polynomials for the field representation, as observed in [Jou13]. In fact, whenever $n \mid q^k - 1$ there exists $c \in \mathbb{F}_{q^k}$ such that $X^n - c \in \mathbb{F}_{q^k}[X]$ is irreducible (one may, for instance, take $c$ to be a multiplicative generator). In particular, for $n = q - 1$ we have $I = X^{q-1} - c \mid X^q - cX = h_1 X^q - h_0$, with $h_1 = 1$, $h_0 = cX$ of degree $\le d_h = 1$.
Having degree at most one for the polynomials $h_0, h_1$ in the field representation has some practical advantages for the relation generation and especially for the individual logarithm phase. Furthermore, when defining $\mathbb{F}_{q^{kn}}$ by $\mathbb{F}_{q^k}[X]/(I)$ one can use factor base preserving automorphisms to reduce the complexity of the linear algebra step. In fact, for the $q$-th power Frobenius one has $(x + a)^q = x^q + a^q = cx + a^q = c\,(x + \frac{a^q}{c})$. The group generated by the Frobenius automorphism of order $kn$ acts on the factor base, effectively reducing the variables of the linear algebra problem by a factor of about $kn$. Similar observations hold for so-called twisted Kummer extensions, when $n \mid q + 1$.
New discrete logarithm records. In order to obtain the best performance in practice one typically uses a combination of elimination techniques to develop the descent tree. For currently considered bitlengths these consist of:
- Continued fraction initial split,
- Large degree classical descent,
- quasi-polynomial time descent [GKZ14b, GKZ15],
- low degree Gröbner Basis descent [Jou14],
- degree two elimination [GGMZ13, Jou14].
The new DLP algorithms have led to a series of records, see Table 1. At the time of writing the largest one was in the field of $2^{9234}$ elements.
Impact on pairing-based cryptography. The recent advances in solving the DLP in finite fields of small characteristic have had a considerable impact on cryptology research, particularly in the area of identity-based cryptography in which such DLPs are extremely important. This application was investigated by Adj et al. [AMOR14a] and Granger et al. [GKZ14a]. In particular, in [GKZ14a] the new methods were improved and extended to make the algorithms more efficient and more widely applicable. At the "128-bit security level" it was shown that a common genus one curve offered only 59 bits of security (which is now much reduced thanks to [GKZ14b]), while a genus two curve over $\mathbb{F}_{2^{367}}$ with embedding degree 12 was totally broken.

Summary and outlook
After three decades of relatively little progress in the DLP in small characteristic fields, in the past three years the area has transformed dramatically. Not only are the algorithms much faster, but the ingredients are much simpler too, which raises the question of why these techniques were not discovered earlier? While not historians we proffer two tentative speculations.
Firstly, since Coppersmith's algorithm was so much faster than the contemporary L(1/2) algorithms, small characteristic fields were avoided in cryptographic applications and so became less important to study as attention moved away to larger characteristic fields (this changed however with the advent of pairing-based cryptography).
Secondly, and perhaps crucially, one might deduce from Theorems 2 and 4 that for large prime fields and small characteristic fields, DLP algorithms that rely on smoothness heuristics should have the same complexity when index calculus methods are used. As well as being true for the above two algorithms, in which elements are generated uniformly, it is also the case, at least heuristically, for the number field sieve and function field sieve, in which elements are generated non-uniformly. Hence algorithms which exploit the additional structure of small characteristic fields, namely the splitting of $X^q - X$, were simply not considered.
Looking ahead, there are three natural problems that remain open. The first is to provide a rigorous quasi-polynomial algorithm for the small characteristic DLP. The second, perhaps more challenging problem is to find a polynomial time algorithm for small characteristic, either heuristic or rigorous. Finally, the third, probably much harder problem is to develop faster algorithms for medium and large characteristic. Since there is less structure for prime fields in particular, it seems that fundamentally new ideas will be required.

Table 1. Discrete logarithm record computations in finite fields of small or medium characteristic. Details, as well as further announcements, can be found in the number theory mailing list (https://listserv.nodak.edu/cgi-bin/wa.exe?A0=NMBRTHRY).