Selecting polynomials for the Function Field Sieve

The Function Field Sieve (FFS) algorithm is dedicated to computing discrete logarithms in a finite field Fqn , where q is a prime power, small compared to q. Introduced by Adleman in [Adl94] and inspired by the Number Field Sieve (NFS), the algorithm collects pairs of polynomials (a, b) ∈ Fq[t] such that the norms of a − bx in two function fields are both smooth (the sieving stage), i.e having only irreducible divisors of small degree. It then solves a sparse linear system (the linear algebra stage), whose solutions, called virtual logarithms, allow to compute the discrete algorithm of any element during a final stage (individual logarithm stage). The choice of the defining polynomials f and g for the two function fields can be seen as a preliminary stage of the algorithm. It takes a small amount of time but it can greatly influence the sieving stage by slightly changing the probabilities of smoothness. In order to solve the discrete logarithm in Fqn , the main required property of f, g ∈ Fq[t][x] is that their resultant Resx(f, g) has an irreducible factor φ(t) of degree n. Various methods have been proposed to build such polynomials, but the best results in practice correspond to the method of Joux and Lercier [JL02]. Its particularity is that one of the two polynomials, say g, is linear. Moreover, for any polynomial f in Fq[t][x] and any input Fqn , one can associate a linear polynomial g satisfying the requirements of the FFS. This allows us to precompute some polynomials f which have good properties for the sieving stage. For this, we define and measure the size property and the so-called root and cancellation properties. In short, the cancellation property is measured by a function σ related to the size of the coefficients of f as well as to the cardinality of the set of pairs (a, b) to be sieved. The root property is measured by α, which is inspired by the function used for the factorization algorithms. It is related to the number of roots of f when reduced modulo small irreducible polynomials of Fq[t]. Finally, α∞ measures the cancellation property, by evaluating the average loss of degree due to the cancellation of the terms of f(r) when r is a random rational fraction of Fq[t]. We present a sieving procedure which computes α, the most costly to evaluate of the three functions. We next combine the different criteria in order to compare arbitrary polynomials. In particular we show experimental evidence that , defined as σ + α + α∞, predicts the efficiency of any polynomial. Our methods were used in two records of discrete logarithm in F2n with prime values of n. In the last couple of weeks, new algorithms were proposed, which are particularly well adapted for the fields F2n for composite values of n. In the case when n is prime, the crossing point is to be computed, this latter being determined by the practical improvement of the FFS. See [Bar13] for a broader presentation of our work.