NEW DISCRETE LOGARITHM COMPUTATION FOR THE MEDIUM PRIME CASE USING THE FUNCTION FIELD SIEVE

Abstract. The present work reports progress in discrete logarithm computation for the general medium prime case using the function field sieve algorithm. A new record discrete logarithm computation over a 1051-bit field having a 22-bit characteristic was performed. This computation builds on and implements previously known techniques. Analysis indicates that the relation collection and descent steps are within reach for fields with 32-bit characteristic and moderate extension degrees. It is the linear algebra step which will dominate the computation time for any discrete logarithm computation over such fields.


Introduction
Let p be a prime and n a positive integer. Let F_{p^n} be the finite field consisting of p^n elements. Let g be a generator of the cyclic group of all non-zero elements of F_{p^n}. The discrete logarithm problem in F_{p^n} is the following: given a non-zero element h of F_{p^n}, find i such that g^i = h. The computational difficulty of the discrete logarithm problem forms the basis for the security of cryptographic primitives such as the Diffie-Hellman key agreement scheme [10] and the Digital Signature Algorithm [23], both of which are typically implemented over F_p. It is useful to study the different cases of F_{p^n} together. It may be noted that Coppersmith's [8] algorithm for F_{2^n} was the origin of the best algorithm known today for F_p.
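As a concrete (toy) illustration of the problem statement, the sketch below solves g^i = h in a small prime field with baby-step giant-step; the parameters are illustrative choices unrelated to the fields considered in this paper. Generic square-root methods of this kind are exactly what sub-exponential algorithms such as the FFS improve upon.

```python
# Toy illustration (not this paper's method): baby-step giant-step solves
# g^i = h in about sqrt(group order) operations, which is why
# sub-exponential algorithms such as the FFS matter for large fields.
# p = 1019 and g = 2 are illustrative choices.
from math import isqrt

def bsgs(g, h, p):
    """Return i with pow(g, i, p) == h, or None if h is not in <g>."""
    m = isqrt(p - 1) + 1
    baby = {pow(g, j, p): j for j in range(m)}    # g^j for 0 <= j < m
    step = pow(g, -m, p)                          # g^(-m) mod p (Python 3.8+)
    gamma = h % p
    for k in range(m):
        if gamma in baby:                         # h * g^(-k*m) == g^j
            return k * m + baby[gamma]
        gamma = gamma * step % p
    return None

p, g = 1019, 2
h = pow(g, 777, p)
assert bsgs(g, h, p) == 777
```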
Let Q = p^n and let L_Q(a, c), with 0 < a < 1 and c > 0, denote the sub-exponential expression L_Q(a, c) = exp((c + o(1))(ln Q)^a (ln ln Q)^{1-a}). Writing p = L_Q(a, c) leads to several cases: a > 2/3 is called the large characteristic case, a = 2/3 the boundary case, 1/3 ≤ a < 2/3 the medium prime case, and a < 1/3 the small characteristic case.
There are two major sub-exponential time algorithms for solving the discrete logarithm problem over a finite field, namely the number field sieve (NFS) [13] and the function field sieve (FFS) [3,4,19]. Both algorithms have seen substantial improvements over time and several variants of these algorithms are presently known. In the present state of the art, the NFS is generally used for large characteristic fields while the FFS is used for small to medium characteristic fields. In this work, we will consider discrete logarithm computation for a medium characteristic prime using the FFS.
For the small characteristic case, there has been a tremendous amount of progress in the FFS algorithm [12,11,9,18,6,14,2]. A quasi-polynomial time algorithm has been obtained in [6]. Record discrete logarithm computations have been made over large fields such as F_{2^9234} [15] and F_{2^30750} [16]. In the case of characteristic 3, significant work has been done by Adj et al. [1]. There has also been progress in discrete logarithm computation using the FFS for the medium prime case. This progress, however, has not been as remarkable as in the small characteristic case. We briefly summarise the previous works. An important simplification of the FFS was made by Joux and Lercier [20]. The next work was by Joux [18], who introduced the important idea of pinpointing. Later work by Sarkar and Singh [24] performed a detailed asymptotic analysis. See also [25,22] for a corrected version of the analysis.
All three of the works [20,18,24] reported discrete logarithm computations. These are summarised in Tables 1 and 2. Table 1 compares the various discrete logarithm computations in the medium prime case using the FFS algorithm. For Kummer extensions, the condition n | (p − 1) holds. Comparison of previously performed discrete logarithm computations for Kummer extensions are shown in Table 2. We note that Kummer extensions do not have real cryptographic significance.
In Tables 1 and 2, #B is the size of the factor basis. The parameter Λ is a measure of the feasibility of 2-1 descent. The lower the value of Λ, the more difficult it is to carry out a 2-1 descent. We provide the definition of Λ and explain its connection to the difficulty of 2-1 descent later.
The present work represents progress in the discrete logarithm computation for the medium prime case using the FFS algorithm. The challenge was to perform a larger discrete logarithm computation for a medium prime case field than what has been reported earlier. To keep the problem general, we decided not to work with Kummer extensions. We chose a 1051-bit field having a 22-bit characteristic and extension degree 50 as our target. While the size of this field is smaller than the 1175-bit and the 1425-bit fields considered by Joux [18], the Kummer extension property of the latter two fields makes the discrete logarithm computation much easier than for the field considered in this work. In particular, for the fields considered in [18], 20-bit factor bases suffice, whereas in our case a 23-bit factor basis is required. Also, the 2-1 descent for the field considered in this work is more difficult than those considered in [18]. This is indicated by the value of Λ in Tables 1 and 2. More details on the 2-1 descent are provided later.
For our computation, the main techniques that were used are from [18,24]. Applying these techniques to a larger field, however, created complications, especially in the descent step. This required building on and implementing the alternating walk and branching techniques. We also considered the feasibility of using the FFS algorithm to solve a discrete logarithm challenge for a field having a 32-bit characteristic.

Function field sieve in the medium prime case
We provide a brief description of the FFS algorithm for the medium prime case. For details we refer to [20,18,24]. We will assume that the extension degree n is greater than 1. Representation of F_{p^n}: The first task is to choose a convenient representation for F_{p^n}.
Choose n_1, n_2 and k to be positive integers less than n. Let g_1(X) = X^{-n_1} and let g_2(X) be such that X^k - g_2(g_1(X)) = f_1(X)/X^{n_1 n_2}, where f_1(X) is a polynomial of degree n_1 n_2 + k. The idea is to choose g_2(X) to be a polynomial over F_p of degree n_2 such that f_1(X) has an irreducible factor f(X) of degree n. Since the degree of f_1(X) is n_1 n_2 + k, we need n ≤ n_1 n_2 + k. If n = n_1 n_2 + k, then experiments show that it is possible to choose g_2(X) such that f_1(X) itself is irreducible; in this case, we take f(X) to be equal to f_1(X).
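The preparatory search can be sketched as follows, under simplifying assumptions made for illustration only: k = 1 and the restricted shape g_2(Y) = Y^{n_2} + c (toy parameters, not the paper's). With these choices, X - g_2(X^{-n_1}) = (X^{n_1 n_2 + 1} - cX^{n_1 n_2} - 1)/X^{n_1 n_2}, so one searches for c making f_1(X) = X^{n_1 n_2 + 1} - cX^{n_1 n_2} - 1 irreducible over F_p.

```python
# Sketch of the preparatory search, assuming k = 1, g1(X) = X^(-n1) and the
# restricted shape g2(Y) = Y^n2 + c; then f1(X) = X^(n1*n2+1) - c*X^(n1*n2) - 1.
from sympy import symbols, Poly, GF

X = symbols('X')

def find_c(p, n1, n2):
    """Smallest c making f1(X) = X^(n1*n2+1) - c*X^(n1*n2) - 1 irreducible."""
    n = n1 * n2 + 1
    for c in range(1, p):
        f1 = Poly(X**n - c * X**(n - 1) - 1, X, domain=GF(p))
        if f1.is_irreducible:
            return c, f1
    return None, None

p, n1, n2 = 101, 2, 2      # toy values; the paper uses p = 2111023, n1 = n2 = 7
c, f = find_c(p, n1, n2)
assert c is not None and f.degree() == n1 * n2 + 1 and f.is_irreducible
```

For the paper's parameters this family indeed contains the stated polynomial: modulo p = 2111023, -1224488 ≡ 886535 and -1 ≡ 2111022, matching f(x) = x^50 + 886535x^49 + 2111022.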
The field F_{p^n} is represented as F_p[x]/(f(x)). Writing y = g_1(x), the relation x^k = g_2(y) holds in F_{p^n}. For k = 1, this method was described by Joux [18]. In the following, we will assume k = 1, y = g_1(x) = x^{-n_1} and x = g_2(y), since these are the choices we use in our discrete logarithm computation. For other variants of choosing the field representation, we refer to [18,24]. In the medium prime case, the variant studied here gives the smallest norms, and the asymptotic analysis shows that this is the best variant.
Note that representation of the finite field does not involve objects from function fields or number fields. This makes it possible to implement the algorithm entirely using finite field concepts.
Choice of generator: The non-zero elements of F_{p^n} form a cyclic group under multiplication. Discrete logarithms are computed with respect to some generator. The actual choice of a generator is not important. It usually turns out that one of the polynomials x + a, with a ∈ F_p, is a generator.
Factor basis: The factor basis consists of the linear polynomials x + α and y + β with α, β ∈ F_p. Modulus of discrete logarithms: The requirement is to compute the discrete logarithm modulo p^n - 1. In practice, p^n - 1 is factored and the FFS algorithm is used to compute the discrete logarithm modulo the large prime factors. Let M = (p^n - 1)/(p - 1). The discrete logarithms of the elements of F_p are equal to 0 modulo M, and so in the computation of discrete logarithms modulo a large prime factor of M, one may ignore the discrete logarithms of the elements of F_p. See [24] for an explanation.
2.1. Relation collection. For arbitrary elements a, b, c ∈ F_p, consider the expression (x + a)y + (bx + c) = xy + ay + bx + c. Using y = g_1(x) = x^{-n_1} and x = g_2(y), this expression can be written in two different ways:

xy + ay + bx + c = h_1(x)/x^{n_1}, where h_1(x) = bx^{n_1+1} + cx^{n_1} + x + a;
xy + ay + bx + c = h_2(y), where h_2(y) = (g_2(y) + a)y + b g_2(y) + c.

Note that h_1(x) is a polynomial of degree n_1 + 1 and h_2(y) is a polynomial of degree n_2 + 1. Over F_{p^n}, we have h_1(x)/x^{n_1} = h_2(y). Suppose that both h_1(x) and h_2(y) are smooth polynomials, i.e., h_1(x) = b Π_i (x + α_i) and h_2(y) = d_1 Π_j (y + β_j) for some d_1 ∈ F_p. Then, over F_{p^n}, we have the relation

b Π_i (x + α_i) = x^{n_1} d_1 Π_j (y + β_j).

Taking discrete logarithms on both sides gives a linear equation among log x and the discrete logarithms of the elements of the factor basis. Each such linear equation involves n_1 + n_2 + 1 terms.
The factor basis contains 2p elements. To be able to solve the system of linear equations arising from linear equations of the above type, a little more than 2p relations are required. The free parameters are a, b and c, giving rise to p^3 expressions of the type xy + ay + bx + c. Heuristically, we may assume that the p^3 expressions give rise to p^3/((n_1 + 1)!(n_2 + 1)!) linear equations. So, for the relation collection phase to succeed, the following condition has to hold: p^3/((n_1 + 1)!(n_2 + 1)!) > 2p, i.e., p^2 > 2(n_1 + 1)!(n_2 + 1)!.
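The smoothness heuristic above can be checked empirically on toy parameters. The sketch below (illustrative choices: p = 101, n_1 = n_2 = 2, and an arbitrary stand-in for g_2) samples triples (a, b, c) and counts how often both h_1(x) and h_2(y) split into linear factors; the fraction should be roughly 1/((n_1+1)!(n_2+1)!) = 1/36.

```python
# Empirical check of the relation-yield heuristic on toy parameters.
import random
from sympy import symbols, Poly, GF

random.seed(0)
p, n1, n2 = 101, 2, 2
x, y = symbols('x y')
dom = GF(p)
g2 = y**n2 + 3                       # arbitrary degree-n2 stand-in for g2(y)

def splits(expr, var):
    """True iff the polynomial factors into linear pieces over F_p."""
    return all(q.degree() == 1
               for q, _ in Poly(expr, var, domain=dom).factor_list()[1])

hits, trials = 0, 2000
for _ in range(trials):
    a, c = random.randrange(p), random.randrange(p)
    b = random.randrange(1, p)                # b != 0 keeps deg h1 = n1 + 1
    h1 = b*x**(n1 + 1) + c*x**n1 + x + a      # numerator of xy+ay+bx+c at y = x^-n1
    h2 = (g2 + a)*y + b*g2 + c                # xy+ay+bx+c at x = g2(y)
    if splits(h1, x) and splits(h2, y):
        hits += 1

rate = hits / trials
assert 0.004 < rate < 0.10        # heuristic predicts about 1/36 ~ 0.028
```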
Pinpointing: The idea of pinpointing was introduced by Joux [18] to speed up relation collection. Suppose that for some choice of a, b and c, the polynomial h_1(x) turns out to be smooth, i.e.,

x + a + bx^{n_1+1} + cx^{n_1} = b Π_i (x + α_i).   (5)
Under the transformation x → tx, for t ∈ F_p \ {0, 1}, the right side of (5) remains smooth, while the left side corresponds to the expression obtained from a' = a, b' = bt^{n_1+1} and c' = ct^{n_1}. So, once a smooth h_1(x) is obtained, by varying t over all such elements of F_p, it is possible to obtain p - 2 further smooth h_1(x)'s without any additional smoothness checking.
It was shown in [24] that the idea of pinpointing can be combined with a sieving procedure which entirely avoids trial smoothness checking. Our implementation uses this sieving based pinpointing algorithm.
2.2. Linear algebra. The relation collection phase produces a little more than 2p linear equations involving the discrete logarithms of the elements of the factor basis. Each equation has n 1 + n 2 + 1 terms. Additionally, we include the linear equation log y = −n 1 log x to account for the relation y = x −n1 between x and y.
The obtained system of linear equations is sparse. Techniques from sparse linear algebra are used to solve the linear system. The standard methods for solving a sparse linear system are the Lanczos algorithm and the block Wiedemann algorithm. For a factor basis of size B, the cost of both methods is O(B^2). The second method is preferable as it can be parallelised. We have used the block Wiedemann algorithm implemented in CADO-NFS [27] to complete the linear algebra step.
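For intuition, here is a plain (unblocked) Wiedemann sketch over F_p; the actual computation used the block Wiedemann implementation of CADO-NFS, and everything below (matrix shape, sizes) is illustrative. The scalar sequence u^T A^i b is fed to Berlekamp-Massey; the minimal polynomial then yields x with Ax = b when A is nonsingular, retrying on an unlucky random projection u.

```python
# Plain Wiedemann over F_p for a sparse nonsingular matrix (illustrative only).
import random

def berlekamp_massey(s, p):
    """Minimal connection polynomial C (C[0] = 1) of sequence s over F_p."""
    C, B, L, m, b = [1], [1], 0, 1, 1
    for n in range(len(s)):
        d = s[n]
        for i in range(1, L + 1):
            d = (d + C[i] * s[n - i]) % p
        if d == 0:
            m += 1
            continue
        T = C[:]
        coef = d * pow(b, -1, p) % p
        C = C + [0] * max(0, m + len(B) - len(C))
        for i, Bi in enumerate(B):
            C[i + m] = (C[i + m] - coef * Bi) % p
        if 2 * L <= n:
            L, B, b, m = n + 1 - L, T, d, 1
        else:
            m += 1
    return C, L

def wiedemann_solve(rows, b, p, tries=5):
    """Solve A x = b mod p; A given sparsely as rows of (col, value) pairs."""
    n = len(rows)
    matvec = lambda v: [sum(val * v[j] for j, val in row) % p for row in rows]
    for _ in range(tries):
        u = [random.randrange(p) for _ in range(n)]
        seq, w = [], b[:]
        for _ in range(2 * n):                    # s_i = u . (A^i b)
            seq.append(sum(ui * wi for ui, wi in zip(u, w)) % p)
            w = matvec(w)
        C, L = berlekamp_massey(seq, p)
        C = C + [0] * (L + 1 - len(C))
        m = [C[L - k] for k in range(L + 1)]      # m(z) = sum m_k z^k, m(A) b = 0
        if m[0] == 0:
            continue                              # unlucky projection u; retry
        x, w = [0] * n, b[:]
        for k in range(1, L + 1):                 # x = -m_0^{-1} sum m_k A^{k-1} b
            x = [(xi + m[k] * wi) % p for xi, wi in zip(x, w)]
            w = matvec(w)
        inv = pow(-m[0] % p, -1, p)
        x = [xi * inv % p for xi in x]
        if matvec(x) == [bi % p for bi in b]:
            return x
    return None

random.seed(1)
p, n = 10007, 6
rows = [[(i, i + 2), ((i + 1) % n, 1)] for i in range(n)]   # invertible toy A
x_true = [1, 2, 3, 4, 5, 6]
b = [sum(val * x_true[j] for j, val in row) % p for row in rows]
assert wiedemann_solve(rows, b, p) == x_true
```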
The system of inhomogeneous linear equations is given by a matrix M and a right-hand side vector b. Before attempting to solve the system, a filtering step is applied. The goal of the filtering step is to reduce the size of the matrix and/or make it more sparse. The basic filtering that we applied was to remove duplicate rows and empty columns of the matrix M. We have also experimented with the more sophisticated filtering methods available in the CADO-NFS software [27]. Details are provided later.
The completion of the linear algebra step provides the discrete logarithms of the elements of the factor basis. Once this precomputation has been done for a fixed field, individual discrete logarithms in that field become comparatively cheap. This could have consequences for the real-life deployment of DSA, since the study in [5] suggests that in practice many servers use the same finite field.
2.3. Individual descent. Let Π(x) be the target element whose discrete logarithm is to be computed. Typically, Π(x) will be a polynomial of degree n − 1. After the linear algebra step, assume that we have computed the discrete logarithms of all linear polynomials of the form x + α i and y + β j . So, the goal is to be able to express Π(x) as a rational function where both the numerator and the denominator are products of linear polynomials. This procedure is called descent.
The entire descent is not done in a single step. The target polynomial is successively descended to lower degree polynomials until finally descent to linear polynomials becomes possible. For the initial descent, a simple randomisation strategy usually works. Suppose we wish to descend from an irreducible polynomial φ(x). Choose a random polynomial D(x) whose factors are of lower degree than that of φ(x), and let N(x) be the polynomial of degree less than n with N(x) ≡ φ(x)D(x) (mod f(x)). If the factors of N(x) are also of degrees lower than that of φ(x), then, since φ(x) = N(x)/D(x) in F_{p^n}, we have a descent from φ(x) to the lower degree factors of N(x) and D(x). If these factors are not linear, they need to be descended further. More systematic techniques for descent are known. A method based on computing the kernel of a matrix has been described in [20,17]. Another method has been used in [24]; we provide further details in the next section.
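A minimal sketch of this randomisation strategy, using sympy over a toy field F_101[x]/(f) (all parameters illustrative): an irreducible quartic φ is rewritten as N/D where every irreducible factor of N and D has degree at most 3.

```python
# Toy initial-descent randomisation: rewrite phi (degree 4) as N/D mod f
# with all irreducible factors of N and D of degree < 4.
import random
from sympy import symbols, Poly, GF

random.seed(7)
x = symbols('x')
p = 101
dom = GF(p)

def first_irreducible(make):
    for t in range(1, p):
        poly = make(t)
        if poly.is_irreducible:
            return poly

f = first_irreducible(lambda c: Poly(x**5 - c*x**4 - 1, x, domain=dom))
phi = first_irreducible(lambda t: Poly(x**4 + t, x, domain=dom))

def max_factor_degree(poly):
    return max(q.degree() for q, _ in poly.factor_list()[1])

for _ in range(200):            # random D until every factor of N drops degree
    D = Poly([1] + [random.randrange(p) for _ in range(3)], x, domain=dom)
    N = (phi * D).rem(f)        # phi = N/D in F_p[x]/(f)
    if N.degree() > 0 and max_factor_degree(N) < phi.degree():
        break

assert max_factor_degree(N) < 4 and max_factor_degree(D) < 4
```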
The descent becomes more difficult as the degree of the polynomials gets closer to 1, with the 2-1 descent (i.e., descent from quadratic to linear polynomials) being the most difficult. A heuristic argument has been used to show that the probability of a successful 2-1 descent in a single trial is 1/((n_1 - 1)!(n_2 + 1)!) [18,24]. The work [24] provides the probability of a successful d-(d - 1) descent (i.e., descent from a degree d polynomial to polynomials of degrees at most d - 1) for d ≥ 2. In an asymptotic setting, the effect of d-(d - 1) descent on the overall time for solving discrete logarithms has been analysed in [24]. It has been shown that for d > 2, the asymptotic cost of d-(d - 1) descent is always lower than the asymptotic cost of relation collection. On the other hand, for d = 2, there are situations where the asymptotic cost of 2-1 descent is more than the asymptotic costs of the other two phases.
Following the methods of [20,18,24], using a single degree of freedom, the heuristic probability of success for a 2-1 descent is 1/((n_1 - 1)!(n_2 + 1)!). So, the number of trials required for a single 2-1 descent is about (n_1 - 1)!(n_2 + 1)!. With a single degree of freedom, the number of trials that can be made is p. Let Λ = p/((n_1 - 1)!(n_2 + 1)!). It has been suggested in [20,18,24] that for a 2-1 descent to be possible, Λ ≥ 1 has to hold. Experiments show that while Λ ≥ 1 makes the descent easy, it may be possible to perform a 2-1 descent even when Λ < 1. The parameter Λ does, however, play a role in determining the ease of descent. The higher the value of Λ, the easier is a 2-1 descent, while for lower values of Λ, a direct 2-1 descent may not be possible and one would have to use walk and/or branching techniques (as explained in the next section).
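Taking Λ as the ratio of the p available trials to the roughly (n_1 - 1)!(n_2 + 1)! expected trials per 2-1 descent (the reading suggested by the discussion above), its value for the field of this paper can be computed directly; it is well below 1, consistent with the need for walk and branching techniques.

```python
# Feasibility measure for a direct 2-1 descent (formula as read from the text).
from math import factorial

def feasibility(p, n1, n2):
    """Lambda = (available trials p) / (expected trials per 2-1 descent)."""
    return p / (factorial(n1 - 1) * factorial(n2 + 1))

lam = feasibility(2111023, 7, 7)   # this paper's field: p = 2111023, n1 = n2 = 7
assert 0.07 < lam < 0.08           # well below 1: direct 2-1 descent is hard
```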

2.4. Final discrete logarithm computation. The linear algebra step provides the discrete logarithms of the elements of the factor basis modulo the large prime divisors of p^n - 1. So, once the descent step is completed, it is possible to compute the discrete logarithm of the target element modulo the large prime divisors of p^n - 1. The discrete logarithm of the target element modulo the smaller factors of p^n - 1 is computed using the Pollard rho and Pohlig-Hellman algorithms. Finally, all the discrete logarithms are combined using the Chinese remainder theorem to obtain the discrete logarithm of the target element modulo p^n - 1.
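The recombination step can be sketched in a toy prime field, where directly computed residues stand in for the Pollard rho / Pohlig-Hellman and FFS outputs; only the CRT gluing is the point here (all parameters are illustrative).

```python
# CRT recombination of per-factor discrete logarithms (toy example).
from math import prod

def crt(residues, moduli):
    """Combine x = r_i (mod m_i) for pairwise coprime m_i."""
    M = prod(moduli)
    x = 0
    for r, m in zip(residues, moduli):
        Mi = M // m
        x += r * Mi * pow(Mi, -1, m)
    return x % M

p, g = 1223, 5                       # toy field; 5 assumed primitive mod 1223
k = 1000                             # secret exponent
h = pow(g, k, p)
moduli = [2, 13, 47]                 # p - 1 = 2 * 13 * 47
residues = [k % m for m in moduli]   # stand-ins for per-factor computations
assert crt(residues, moduli) == k    # k < p - 1, so CRT recovers it exactly
assert pow(g, crt(residues, moduli), p) == h
```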

Sieving using partial smoothness-divisibility
The technique of smoothness-divisibility and a sieving method based on it were introduced in [24]. Here we provide a brief account of this method based on the relations y = g_1(x) = x^{-n_1} and x = g_2(y). (This description is somewhat different from the one in [24], which was based on y = g_1(x) = x^{n_1} and x = g_2(y).) Let φ(x) be a polynomial of degree d ≥ 0. Let T(x, y) be a bivariate polynomial and let F(x) and C(y) be such that T(x, g_1(x)) = F(x)/x^{n_1} and C(y) = T(g_2(y), y).
Suppose T(x, y) is a monic polynomial which has a total of ρ + 1 monomials. We assume d < ρ and set e = ρ - d. Let the degrees of F(x) and C(y) be ρ_1 and ρ_2 respectively. The idea is to write

F(x) = φ(x)G(x), where G(x) = (x - a_1) ⋯ (x - a_e)H(x).   (9)

If we can find a_1, . . . , a_e ∈ F_p such that F(x) can be written as in (9), then we ensure that F(x) is divisible by φ(x) and that G(x) is partially smooth. By trying various values of a_1, . . . , a_e, the smoothness of H(x) and of the corresponding C(y) has to be ensured. A sieving based method for implementing this idea has been described in [24].
The partial smoothness-divisibility technique is useful for both relation collection and the descent step. In the context of relation collection, we set T (x, y) = xy + ay + bx + c and φ(x) = 1 so that ρ = 3 and d = 0 leading to e = ρ − d = 3. The resulting sieving technique can be combined with pinpointing. We refer to [24] for further details.
For application to the descent step, the 2-1 descent is described in detail in [24], since it is for such descents that the partial smoothness-divisibility technique was applied. Here we describe how the technique can be used for d-(d - 1) descent for d ≥ 2. Let φ(x) be a polynomial of degree d; the goal is to descend to polynomials of degrees less than d. Let ρ = d + 1 so that e = ρ - d = 1, providing a single degree of freedom. With e = 1, we have

F(x) = φ(x)G(x), where G(x) = (x - α)H(x)   (10)

and the degree of H(x) is h. The ρ undetermined coefficients of T(x, y) appear in F(x).
Consider α to be a symbolic variable. From (10) and using a method described in [24], it is possible to symbolically solve for the coefficients of H(x) and F (x) in terms of α. The symbolic computation is a one-time task.
Once the polynomial φ(x) in (10) is fixed, the coefficients of H(x) and G(x) are functions of α. For each possible value of α, denote the corresponding H(x) and G(x) as H_α(x) and G_α(x) respectively. Next, for each possible value of α ∈ F_p, compute the coefficients of H_α(x) and hence obtain G_α(x) = (x - α)H_α(x). Store all the G_α(x)'s in a list L. After G_α(x) has been added to L for all α ∈ F_p, sort L. If a G(x) occurs h - d + 2 or more times in the list, then at least h - d + 2 roots of G(x) have been encountered in the sieving process. The remaining factor of G(x) has degree at most d - 1 and so G(x) is (d - 1)-smooth. For such a G(x), construct the corresponding F(x) as φ(x)G(x). Using Proposition 1 of [24], obtain C(y) and check whether C(y) is also (d - 1)-smooth. If it turns out that C(y) is indeed (d - 1)-smooth, then we have

φ(x)G(x)/x^{n_1} = C(y) over F_{p^n},

where both C(y) and G(x) are (d - 1)-smooth. So, it has been possible to descend from the polynomial φ(x) of degree d to the polynomials C(y) and G(x) which are (d - 1)-smooth. Note that for d > 2, while aiming for a d-(d - 1) descent, it might be possible to reach smaller degrees if, in the sieving process, a G(x) appears more than h - d + 2 times.

The above description is for descending from a polynomial φ(x). A similar method works for descending from a polynomial ψ(y). Suppose the above method is not successful, i.e., the sieving procedure does not result in a suitable G(x) and C(y). At this point, there are several ways to proceed.

The x-x walk: Suppose the sieving procedure results in a G(x) which has h - d + 1 linear factors. Then the other factor of G(x) is of degree d. Let this factor be φ_1(x). Further, suppose that C(y) turns out to be (d - 1)-smooth. Then, in effect, we have moved from a φ(x) of degree d to the polynomial φ_1(x), also of degree d. Descent may now be attempted from φ_1(x).
Similarly, one may need to move from a polynomial ψ(y) of degree d to a polynomial ψ 1 (y) also of degree d and try to descend from ψ 1 (y). Such a method is called the walk technique.
The x-y walk: Suppose the sieving procedure results in a desirable G(x), i.e., one that has at least h − d + 2 linear factors. On the other hand, suppose that the corresponding C(y) turns out to be d-smooth, instead of being (d − 1)-smooth. For each factor ψ(y) of C(y) of degree d, one may try to descend to lower degree polynomials.
Similarly, one may define the y-y and the y-x walks. It is possible that neither x-x nor x-y walks succeed for a polynomial φ(x) of degree d. Then the following strategies can be tried.
1. Move from a single degree d polynomial in x to two degree d polynomials in x.
2. Move from a single degree d polynomial in x to one degree d polynomial in x and one degree d polynomial in y.
Analogous strategies hold for moving from a degree d polynomial ψ(y) in y. Since this strategy moves from a single degree d polynomial to two degree d polynomials, it is called a branching strategy. The walk and branching strategies were briefly mentioned in [18]. Detailed discussion of these strategies in the context of 2-1 descent is given in [24]. The computations in [24] used these techniques only for 2-1 descent. For the present computation, we needed the walk technique for both 3-2 and 2-1 descent.
For the x-y walk, an important implementation issue is to avoid cycling. Suppose the x-y walk starts from φ(x). It is possible that after a number of steps, the walk again enters φ(x). This is called cycling. In the presence of cycling, the descent fails. By suitably using randomisation, it is usually possible to avoid such cycling. Alternatively, cycle detection algorithms may be used to detect the presence of cycling and abort.

A concrete discrete logarithm computation
In this section, we present the details of an actual discrete logarithm computation. The preparatory phase, relation collection and the descent steps were done using Magma V2.21-10 on four servers. Three of the four servers have the same configuration, each with Intel(R) Xeon(R) E7-4890 processors @ 2.80 GHz (60 physical cores and 120 logical cores), while the fourth server has Intel Xeon E7-8890 processors @ 2.50 GHz (72 physical cores and 144 logical cores). These servers are shared resources and were simultaneously utilised by other users to run heavy simulation programs. We were never able to obtain exclusive access to the servers. The linear algebra phase was run on a cluster of 16 dual-socket Intel(R) Xeon(R) Gold 6130 CPUs @ 2.10 GHz connected with Intel 100 Gbps Omni-Path.
In our computation, we chose p = 2111023 and n = 50. Note that p is a 22-bit prime and p^n is a 1051-bit number, so the discrete logarithm computation is over a 1051-bit field having a 22-bit characteristic. Preparatory phase: We chose n_1 = n_2 = 7. Experimentally, we obtained g_1(x) = x^{-7} and g_2(x) = x^7 + 1224488 such that x - g_2(g_1(x)) = f(x)/x^{49}, where f(x) = x^{50} + 886535x^{49} + 2111022. The polynomial f(x) is irreducible over F_p and we represented F_{p^n} as F_p[x]/(f(x)). Under this representation, x + 11 turned out to be a primitive element and was taken as the base of our discrete logarithm computation.
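The stated parameters are easy to check arithmetically: with g_2(y) = y^7 + 1224488 and y = x^{-7}, we get x - g_2(x^{-7}) = (x^{50} - 1224488x^{49} - 1)/x^{49}, whose numerator reduces modulo p to the stated f(x). A quick sanity check (irreducibility and primitivity are not re-verified here):

```python
# Consistency check of the stated field parameters.
p = 2111023
assert (-1224488) % p == 886535       # x^49 coefficient of f
assert (-1) % p == 2111022            # constant term of f
assert p.bit_length() == 22           # 22-bit characteristic
assert (p**50).bit_length() == 1051   # 1051-bit field
```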

28184706647588814170320419857377117657456062927786722348951.
Note that log_2(p_1) ≈ 141, log_2(p_2) ≈ 156 and log_2(p_3) ≈ 353. Based on the choices of g_1(x) and g_2(x), we have y = g_1(x) = x^{-7} and x = g_2(y) = y^7 + 1224488. The factor basis was set to be B = {x + α : α ∈ F_p} ∪ {y + β : β ∈ F_p}. Relation collection: The relation collection was done using sieving based on the partial smoothness-divisibility technique combined with pinpointing. The computation is highly parallelisable. It was distributed on four servers with 90 processes per server. The total time required for the relation collection phase was about 25 hours. Assuming that our jobs were allocated about 75% of the server time, a rough estimate of the cost of relation collection is 0.53 core-years.
A total of 2p + 100 = 4222146 relations were generated among the elements of the factor basis, which includes the relation y = x^{-7}. Except for (y + 1849709), all elements of the factor basis were involved in at least one relation.
The fact that none of the 2p + 100 relations involved (y + 1849709) seemed peculiar to us, so we decided to investigate further. For this, we considered applying the partial smoothness-divisibility technique for relation collection from the y-side. The starting point of this technique is to write C(y) = (y - α_0)(y - α_1)(y - α_2)H(y). We set (y - α_0) = (y + 1849709); this ensures that any relation obtained from C(y) and the corresponding F(x) will necessarily involve (y + 1849709). There are two degrees of freedom given by α_1 and α_2, which allows trying p^2 options. We were surprised to find that no relation could be obtained. It was possible to ensure that C(y) is smooth; however, in each such case, it turned out that the corresponding F(x) is not smooth. This suggests that it may indeed be the case that there is no relation among the factor basis elements which involves (y + 1849709).
Since we were unable to obtain any relation involving (y + 1849709), we decided to proceed without this element. The resulting matrix for the linear algebra stage consisted of 2p + 100 relations involving 2p - 1 unknowns. Linear algebra: The linear algebra step was performed for the three primes p_1, p_2 and p_3. The block Wiedemann algorithm implemented in the CADO-NFS software was used to complete this step. For the largest prime p_3, the Krylov step took about 1.6 core-years, the Lingen step required negligible time and the Mksol step required about 0.25 core-years. The time requirements for the two smaller primes were lower. In terms of space, about 29 GB each was required for p_1 and p_2, and about 53 GB for p_3. We used four distinct sequences for the block Wiedemann algorithm, so that we were able to simultaneously use 16 nodes as 4 groups of 4 nodes, each group working on one sequence.
After the linear algebra step, the discrete logarithms of all the elements in the factor basis other than (y + 1849709) were obtained modulo p 1 , p 2 and p 3 .
Individual logarithm - descent to factor basis elements: As the target for the individual discrete logarithm computation, we chose the following element derived from the digits of the real number π. The function 'Normalize' mentioned below makes the input polynomial monic by multiplying it with the inverse of the leading coefficient.
Explicitly, Π(x) is given by the following degree 49 polynomial. For the initial descent, a simple randomisation strategy was utilised, which led to Π(x) = N(x)/D(x), where N(x) and D(x) are as follows. Note that N(x) is 7-smooth while D(x) is smooth. This decomposition required about 30 minutes using 50 processes.
In the next step, the goal was to reduce to quadratic polynomials using successive d-(d − 1) descent for polynomials of degree d > 2. This strategy mostly succeeded, except for three cubic polynomials. For these polynomials, we had to resort to alternating walk, i.e., move from degree 3 polynomials in x to degree 3 polynomials in y, as explained earlier. Using such a walk, we were able to descend to quadratic and linear polynomials. The total number of quadratic polynomials that were generated was 1212, of which 673 were quadratic polynomials in x and 539 were quadratic polynomials in y. The total time required for descending to quadratic polynomials was about 1481 minutes using 50 processes.
Finally we performed the 2-1 descent on all the quadratic polynomials. This was the most time consuming of all the descent steps. We used 50 processes on each of the four servers to perform either direct 2-1 descent or to apply alternating walk and/or branching. The entire 2-1 descent step was automated. The total time for all the 2-1 descents required about 10 days. Assuming that our jobs were allocated about 75% of the server time, a rough estimate of the number of core-years required for all the 2-1 descents is about 4.1 core-years.
Remark: The descent to quadratic polynomials resulted in a total of 1212 quadratic polynomials. For comparison, we mention the number of quadratic polynomials obtained in previous computations. In [24], the numbers of quadratic polynomials were 92 and 59 for the 592-bit and the 728-bit cases respectively. In [18], the number of quadratic polynomials for the 1175-bit case was 278; the number for the 1425-bit case was not reported.
We note that the descent is a random procedure. So, different runs of the descent procedure may lead to different numbers of quadratic polynomials. Since the 2-1 descent is the most time consuming of all the descent steps, it would be worthwhile to try and minimise the number of quadratic polynomials that arise from the upper levels of the descent. There is, however, no known method for such minimisation.

Individual logarithm - final discrete logarithm computation: After the completion of the 2-1 descent, the target polynomial Π(x) was expressed as a ratio N_1(x)/D_1(x), where N_1(x) is a product of 147126 linear polynomials in x and 127149 linear polynomials in y, and D_1(x) is a product of 147164 linear polynomials in x and 126001 linear polynomials in y.
Recall that the relation collection and linear algebra steps were not able to compute the discrete logarithm of (y + 1849709). Fortunately, this element does not appear among the linear factors of N 1 (x) and D 1 (x).
The discrete logarithms modulo p 1 , p 2 and p 3 of the linear factors of N 1 (x) and D 1 (x) had already been obtained after the completion of the linear algebra step. Consequently, after the descent step we were able to obtain the discrete logarithm of Π(x) modulo p 1 , p 2 and p 3 .
We used the Pollard rho and Pohlig-Hellman algorithms to compute the discrete logarithm of Π(x) modulo the smaller factors of p^n - 1. The final discrete logarithm of Π(x) to the base (x + 11) was computed using the Chinese remainder theorem. This value is given below. A short Magma program to verify the discrete logarithm is given in Appendix A.

4.1. Experiments with filtering. The filtering step can reduce the size of the matrix to which the linear algebra step is applied. The basic filtering step that we applied ensured that there are no duplicate rows and no empty columns. Following a suggestion from a reviewer, we carried out experiments to determine the effectiveness of more aggressive filtering. To this end, we utilised the filtering algorithm implemented in the CADO-NFS software, which has been used in the recent 240-bit DLP computation [7]. For the filtering algorithm, an important parameter is the distribution of the weights of the columns. In the relations that we collect, the variable x is present in every relation and the corresponding column has weight equal to the number of rows. While mentioning the maximum weight of columns, we will ignore this particular column. For our experiments, we converted the relation matrix obtained using Magma to a format suitable for CADO filtering and used the subroutines purge, merge-dl and replay-dl of CADO-NFS in the given order. Two sets of experiments were performed.
The first experiment was on the relation matrix used for the DLP computation over GF(p^50) with p = 2111023. This matrix has 4222146 (i.e., 2p + 100) rows and 4222045 (i.e., 2p - 1) columns; each row has at most 23 non-zero entries; the maximum weight of a column is 40 and the minimum weight is 1 (ignoring a few thousand columns, the minimum weight is 6); the overall weight of the matrix is approximately (2p + 100) · 23 = 97109358. On applying filtering, we obtained a matrix of dimension 3234915 × 3234905 and weight 248322355. We note that the reduction in the dimension of the matrix is modest, while the overall weight of the matrix increases 2.5-fold.
The second experiment was for a smaller prime where the number of relations that we collected was about 50 times more than what is needed. The following parameters were considered: n = 37, p = 64373, n 1 = n 2 = 6, g 1 (X) = X −6 , g 2 (X) = X 6 + 14833X 5 + 50952X 4 + 62125X 3 + 6269X 2 + 35223X + 53172, and f (X) = X 37 +11201X 36 +29150X 30 +58104X 24 +2248X 18 +13421X 12 +49540X 6 + 64372. With these parameters, we collected 56(2p) relations leading to a matrix of dimension 112p × (2p − 1). Each row has at most 20 non-zero entries; the maximum weight of a column is 923 and the minimum weight is 669; the overall weight of the matrix is about 20(112p). On applying filtering, we obtained a matrix with dimension 94731 × 93731 with weight 6679667. If we had instead collected only 2p+100 relations, then the dimension of the matrix would have been (2p+100)×2p, with 2p = 128746 and the total weight of the matrix would have been 20(2p) = 2574920. So, the filtering did not reduce the dimension of the matrix substantially, but increased the overall weight of the matrix by a factor of 4.
Both the above experiments indicate that the CADO-NFS filtering step is not very effective for this variant of the FFS algorithm. On the other hand, for the NFS algorithm the filtering step leads to a substantial reduction in the dimension of the matrix, as can be seen from the recent 240-bit DLP computation [7]. A possible explanation for this difference in behaviour is the following. In the context of the NFS, filtering works well because it exploits the fact that typical NFS matrices are very far from having uniform density: there are dense "small-prime" columns as well as extremely sparse "large-prime" columns, and most of the benefit of NFS filtering comes from eliminating the immense near-vacuum formed by the sparsest columns without making the resulting matrix too dense. In the present context, all columns (apart from the single column corresponding to the variable x) have more or less uniform weights. So it is perhaps not surprising that the heuristics which work well for typical NFS matrices do not play out well here.

Unsolved DLP challenge for the medium prime case
In [21], the following has been stated.
"For powers of very small primes and for large prime fields the function-field sieve and the number-field sieve are highly optimized; for intermediate fields algorithms with the same asymptotic behavior exist but the actual running times are slower." To encourage research on intermediate size fields, the following challenge was proposed in [21]: solve the DLP in F_{p^17} = F_p[x]/(x^17 − 2), where p = 2^32 − 27897.
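The stated challenge parameters can be sanity-checked with a short script. The following is a sketch: it uses a deterministic Miller-Rabin base set (valid for all 64-bit integers) to verify that p is prime, that 17 | (p − 1), and that x^17 − 2 is irreducible over F_p (equivalent, given 17 | (p − 1), to 2 not being a 17th power modulo p):

```python
# Sanity checks on the challenge parameters: p = 2^32 - 27897 and the
# defining polynomial x^17 - 2 of F_{p^17} = F_p[x]/(x^17 - 2).

def is_prime(m):
    """Deterministic Miller-Rabin for m < 3.3 * 10^24 (fixed base set)."""
    if m < 2:
        return False
    d, s = m - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if a % m == 0:
            continue  # skip bases that are multiples of m (tiny m only)
        x = pow(a, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, m)
            if x == m - 1:
                break
        else:
            return False  # a is a witness of compositeness
    return True

p = 2**32 - 27897
assert is_prime(p)
assert (p - 1) % 17 == 0            # enables the factor-basis reduction by 17
# x^17 - 2 is irreducible over F_p iff 2 is not a 17th power mod p:
assert pow(2, (p - 1) // 17, p) != 1
print("challenge parameters check out")
```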
This problem can be tackled using the FFS for the medium prime case. For this, we set n_1 = n_2 = 4, so that n = n_1 n_2 + 1 = 17. We estimate the costs of the relation collection, linear algebra and descent steps.
Cost of linear algebra: For this problem, n | (p − 1), which allows the factor basis to be reduced by a factor of 17. So the size of the factor basis will be about 2^29 and hence the linear algebra step will require about 2^58 operations in F_p.

Cost of relation collection: Using n_1 = n_2 = 4, from (6), the number of trials required to obtain a single relation is about 2^6.9. So the total number of trials required to obtain about 2^29 relations is about 2^35.9. Further, the feasibility condition given by (4) holds.

Cost of 2-1 descent: Using n_1 = n_2 = 4, from (7), the number of trials required to obtain a single 2-1 descent is about 2^9.5. We expect that a few thousand quadratic polynomials would need to be descended. The feasibility condition given by (8) holds.

Based on the above analysis, we see that while the relation collection and descent steps are well within reach, the major cost of solving the challenge lies in the linear algebra computation.
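The above estimates can be reproduced with a few lines of arithmetic. This is a sketch: the per-relation trial count 2^6.9 is taken from (6) as quoted above, and the linear algebra cost is modelled as N^2 operations for a factor basis of size N:

```python
from math import log2

p = 2**32 - 27897          # the challenge prime
n = 17

# n | (p - 1), so the factor basis of ~2p elements shrinks by a factor of n.
assert (p - 1) % n == 0
N = 2 * p / n                        # factor basis size, ~2^29
trials_per_relation = 2**6.9         # from (6) in the text
total_trials = N * trials_per_relation
linalg_ops = N**2                    # linear algebra modelled as N^2 F_p-ops

print(f"factor basis    ~ 2^{log2(N):.1f}")            # ~2^29
print(f"relation trials ~ 2^{log2(total_trials):.1f}") # ~2^36
print(f"linear algebra  ~ 2^{log2(linalg_ops):.1f}")   # ~2^58
```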
Remark: The above estimates are rough. For one thing, we have estimated the time required for the linear algebra step on a factor basis of size N as about N^2. Secondly, the time per operation in the linear algebra step and the times per trial in the relation collection and 2-1 descent steps have been assumed to be equal. More precise estimates would need to take these issues into account. Nevertheless, even with these rough estimates, the main conclusion remains valid: for this particular DLP computation, it is the linear algebra step which will be the main challenge.
Larger extension degree: The extension degree 17 suggested in the above challenge is quite low. Let us consider a higher value of n. Suppose n_1 = n_2 = 8, so that n = n_1 n_2 + 1 = 65. As above, assume that p is a 32-bit prime, but let us not assume that n | (p − 1) holds. Then the factor basis will have about 2p ≈ 2^33 elements. From (6), the number of trials required to obtain a single relation is about 2^18, so about 2^51 trials would be required to obtain about 2^33 relations. From (7), the number of trials required to obtain a single 2-1 descent is about 2^31. The feasibility conditions (4) and (8) both hold. Since the size of the factor basis is about 2^33, the linear algebra step will require about 2^66 F_p-operations. So again, it is the linear algebra step which will be the major challenge in any such discrete logarithm computation.
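The same arithmetic applies to the larger extension degree. A sketch follows; the specific 32-bit prime is reused here purely as a representative value, since no n | (p − 1) reduction is assumed:

```python
from math import log2

# Hypothetical parameters: n1 = n2 = 8, n = 65, p any 32-bit prime.
p = 2**32 - 27897        # representative 32-bit prime (example only)
N = 2 * p                # factor basis of ~2p ~ 2^33 elements, no reduction

trials_per_relation = 2**18              # from (6) in the text
total_trials = N * trials_per_relation   # ~2^51
descent_trials = 2**31                   # per 2-1 descent, from (7)
linalg_ops = N**2                        # ~2^66 F_p-operations

print(f"relation trials ~ 2^{log2(total_trials):.0f}")
print(f"one 2-1 descent ~ 2^{log2(descent_trials):.0f} trials")
print(f"linear algebra  ~ 2^{log2(linalg_ops):.0f}")
```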

Conclusion
In this paper, we have reported the computation of a discrete logarithm in a 1051-bit field having a 22-bit characteristic. For the general medium prime case (i.e., fields for which the condition n | (p − 1) does not hold), the computation reported here is the current record discrete logarithm computation. The techniques used in this work can be extended to carry out the relation collection and descent phases for 32-bit primes and moderate extension degrees. It is the linear algebra phase that will dominate the time of any record discrete logarithm computation for such fields.