Special prime numbers and discrete logs in finite prime fields

A set A of primes p involving numbers such as abt + c, where |a|, |b|, |c| = O(1) and t → ∞, is defined. An algorithm for computing discrete logs in the finite field of order p with p ∈ A is suggested. Its heuristic expected running time is Lp[ 1 3 ; ( 32 9 )1/3] for ( 32 9 )1/3 = 1.526 · · · , where Lp[α;β] = exp((β + o(1)) ln α p(ln ln p)1−α) as p → ∞, 0 < α < 1, and 0 < β. At present, the most efficient algorithm for computing discrete logs in the finite field of order p for general p is Schirokauer’s adaptation of the Number Field Sieve. Its heuristic expected running time is Lp[ 1 3 ; ( 64 9 )1/3] for ( 64 9 )1/3 = 1.9229 · · · . Using p ∈ A rather than general p does not enhance the performance of Schirokauer’s algorithm. The definition of the set A and the algorithm suggested in this paper are based on a more general congruence than that of the Number Field Sieve. The congruence is related to the resultant of integer polynomials. We also give a number of useful identities for resultants that allow us to specify this congruence for some p. Let Fp be a finite field of prime order p, and a ∈ Fp its primitive element. The discrete log problem in Fp is as follows: given a nonzero b ∈ Fp, find the residue y(mod p− 1) for y such that a = b in Fp. The security of several cryptographic systems depends on the difficulty of computing discrete logs [1, 2]. The best known algorithm for computing discrete logs in Fp with an arbitrary prime p is that suggested by Schirokauer in [3]. Its heuristic expected running time is L[13 ; ( 64 9 ) ] for ( 9 ) 1/3 = 1.9229 · · · . Here, as usual, L[α;β] = Lp[α;β] = exp((β + o(1)) ln p ln ln1−α p) as p → ∞, 0 < α < 1, and 0 < β. This method is an adaptation of the popular Number Field Sieve algorithm (NFS), which has been used previously for factorization. It comes from the Gaussian integers method derived in [4] for computing discrete logs in Fp. The NFS algorithm is based on the congruence f(m) ≡ 0(mod p), (1) where f(x) is an irreducible polynomial in Z[x] and m ∈ Z. The main parameter of the method is k = deg f(x); the other parameters, such as m and the coefficients of f(x), are bounded by p in absolute value. There exists p for which the coefficients of f(x) are no larger than p in absolute value. For example, let ab + c ≡ 0(mod p) for |a|, |b|, |c| = O(1) as t → ∞. Then we have (1) with f(x) = ax + cb0 , and m = b0, where t ≡ −t0(mod k) and 0 ≤ t0 < k. Received by the editor July 16, 1998 and, in revised form, April 3, 2000. 2000 Mathematics Subject Classification. Primary 11Y16, 94A60.