
MATHEMATICS OF COMPUTATION
Volume 71, Number 237, Pages 363–377
S 0025-5718(00)01308-9
Article electronically published on October 17, 2000

SPECIAL PRIME NUMBERS AND DISCRETE LOGS IN FINITE PRIME FIELDS

IGOR A. SEMAEV

Abstract. A set $A$ of primes $p$ involving numbers such as $ab^t + c$, where $|a|, |b|, |c| = O(1)$ and $t \to \infty$, is defined. An algorithm for computing discrete logs in the finite field of order $p$ with $p \in A$ is suggested. Its heuristic expected running time is $L_p[\tfrac{1}{3}; (\tfrac{32}{9})^{1/3}]$ for $(\tfrac{32}{9})^{1/3} = 1.526\cdots$, where $L_p[\alpha; \beta] = \exp\big((\beta + o(1)) \ln^{\alpha} p\, (\ln\ln p)^{1-\alpha}\big)$ as $p \to \infty$, $0 < \alpha < 1$, and $0 < \beta$. At present, the most efficient algorithm for computing discrete logs in the finite field of order $p$ for general $p$ is Schirokauer's adaptation of the Number Field Sieve. Its heuristic expected running time is $L_p[\tfrac{1}{3}; (\tfrac{64}{9})^{1/3}]$ for $(\tfrac{64}{9})^{1/3} = 1.9229\cdots$. Using $p \in A$ rather than general $p$ does not enhance the performance of Schirokauer's algorithm. The definition of the set $A$ and the algorithm suggested in this paper are based on a more general congruence than that of the Number Field Sieve. The congruence is related to the resultant of integer polynomials. We also give a number of useful identities for resultants that allow us to specify this congruence for some $p$.

Received by the editor July 16, 1998 and, in revised form, April 3, 2000.
2000 Mathematics Subject Classification. Primary 11Y16, 94A60.
Key words and phrases. Cryptography, discrete logarithms, Number Field Sieve.
© 2000 American Mathematical Society
License or copyright restrictions may apply to redistribution; see https://www.ams.org/journal-terms-of-use

Let $\mathbb{F}_p$ be a finite field of prime order $p$, and $a \in \mathbb{F}_p$ its primitive element. The discrete log problem in $\mathbb{F}_p$ is as follows: given a nonzero $b \in \mathbb{F}_p$, find the residue $y \pmod{p-1}$ for $y$ such that $a^y = b$ in $\mathbb{F}_p$.

The security of several cryptographic systems depends on the difficulty of computing discrete logs [1, 2]. The best known algorithm for computing discrete logs in $\mathbb{F}_p$ with an arbitrary prime $p$ is that suggested by Schirokauer in [3]. Its heuristic expected running time is $L[\tfrac{1}{3}; (\tfrac{64}{9})^{1/3}]$ for $(\tfrac{64}{9})^{1/3} = 1.9229\cdots$. Here, as usual, $L[\alpha; \beta] = L_p[\alpha; \beta] = \exp\big((\beta + o(1)) \ln^{\alpha} p\, \ln\ln^{1-\alpha} p\big)$ as $p \to \infty$, $0 < \alpha < 1$, and $0 < \beta$. This method is an adaptation of the popular Number Field Sieve algorithm (NFS), which has been used previously for factorization. It comes from the Gaussian integers method derived in [4] for computing discrete logs in $\mathbb{F}_p$. The NFS algorithm is based on the congruence
\[
f(m) \equiv 0 \pmod p, \tag{1}
\]
where $f(x)$ is an irreducible polynomial in $\mathbb{Z}[x]$ and $m \in \mathbb{Z}$. The main parameter of the method is $k = \deg f(x)$; the other parameters, such as $m$ and the coefficients of $f(x)$, are bounded by $p^{1/k}$ in absolute value. There exists $p$ for which the coefficients of $f(x)$ are no larger than $p^{o(1/k)}$ in absolute value. For example, let $ab^t + c \equiv 0 \pmod p$ for $|a|, |b|, |c| = O(1)$ as $t \to \infty$. Then we have (1) with
\[
f(x) = a x^k + c b^{t_0}, \quad m = b^{(t + t_0)/k},
\]
where $t \equiv -t_0 \pmod k$ and $0 \le t_0 < k$. If $k = o(\sqrt{\ln p})$, then $p$ is as required. Such $p$ are called special prime numbers in [5]. K. McCurley offers a \$100 reward for breaking the Diffie-Hellman scheme with the prime $p = 2 \cdot 739 \cdot q + 1$, where $q = (7^{149} - 1)/6$ [6]. This requires solving the discrete log problem in $\mathbb{F}_p$. The algorithms for solving the discrete log problem in $\mathbb{F}_p$ suggested by Gordon [5] and Schirokauer [3] give no advantage to special primes over general primes. There is yet another algorithm in Gordon's work designed specifically for special $p$, but its expected running time is $L_p[\tfrac{2}{5}; 1.004]$. In other words, it is asymptotically slower than the algorithms for general $p$. In [7] McCurley's challenging problem was solved.

In this paper, we define a set $A$ of primes $p$ that includes numbers of the form $ab^t + c$ or their prime factors. We suggest an algorithm for solving the discrete log problem in $\mathbb{F}_p$ for $p \in A$ in heuristic expected running time $L_p[\tfrac{1}{3}; (\tfrac{32}{9})^{1/3}]$, $(\tfrac{32}{9})^{1/3} = 1.526\cdots$. The definition of the set $A$ and the algorithm are based on a more general congruence than (1), namely,
\[
\operatorname{Res}(f, g) \equiv 0 \pmod p, \tag{2}
\]
where $\operatorname{Res}$ is the resultant of the polynomials
\[
f(x) = a_0 x^{n_1} + \cdots + a_{n_1 - 1} x + a_{n_1} \quad\text{and}\quad g(x) = b_0 x^{n_2} + \cdots + b_{n_2 - 1} x + b_{n_2}
\]
over $\mathbb{Z}$. By definition [8]
\[
\operatorname{Res}(f, g) = a_0^{n_2} b_0^{n_1} \prod_{\alpha, \beta} (\alpha - \beta) = a_0^{n_2} \prod_{\alpha} g(\alpha) = (-1)^{n_1 n_2} b_0^{n_1} \prod_{\beta} f(\beta),
\]
where $\alpha$ and $\beta$ range over the roots of $f(x)$ and $g(x)$, respectively, with multiplicities taken into account. Obviously, (1) is the special case of (2) corresponding to $\deg g(x) = 1$.

Let $|f| = \max_i |a_i|$ and $|g| = \max_j |b_j|$. Consider the set $A'$ of the primes $p$ for which congruence (2) is valid. The degrees of the polynomials are related to the coefficients as
\[
\ln^{\delta} p \le k = n_1 + n_2 \le \big((3/2)^{1/3} + o(1)\big) (\ln p / \ln\ln p)^{1/3}; \quad n_2 = o(n_1), \quad |f| \le p^{o(1/k)}, \quad |g| \approx p^{1/k} \tag{3}
\]
for any fixed positive $\delta < 1/3$. For two positive real-valued functions $a(x)$ and $b(x)$ we write $a(x) \approx b(x)$ if $\ln a(x) / \ln b(x) \to 1$ as $x \to \infty$. We estimate the complexity of the discrete log problem in $\mathbb{F}_p$ with $p \in A'$ by $\approx p^{2/k^2}$ operations. In the set $A$, we include those primes $p \in A'$ for which $k = ((3/2)^{1/3} + o(1))(\ln p / \ln\ln p)^{1/3}$ in (3). It is easy to see that $p^{2/k^2} \approx L_p[\tfrac{1}{3}; (\tfrac{32}{9})^{1/3}]$ for $p \in A$. The algorithm has two parts. The first is computing the discrete logs to some base; this only must be done once for a given $p$ and requires $\approx p^{2/k^2}$ operations. The second finds the logarithm of an individual $b \in \mathbb{F}_p$. It is asymptotically faster and takes $\approx p^{(1 + 2\sqrt{2})/2k^2}$ for $(1 + 2\sqrt{2})/2 = 1.914\cdots$. We believe that our algorithm would solve McCurley's challenging problem faster than those suggested in [3, 5, 7].

Let $A_X$ be a set of primes $p < X$ from $A$. The definition suggests that $|A_X| \ge X^{\varepsilon}$ for any $\varepsilon = \varepsilon(X)$ such that $\varepsilon(X) \to 0$ as $X \to \infty$. Note that recognizing $p \in A$ requires generally more calculations than solving the discrete log problem in $\mathbb{F}_p$. We note also that the prime numbers $p$, $p \to \infty$, such as $ab^t + c$ or their big prime factors, are in the set $A$ for $\ln(\max\{|a|, |b|, |c|\}) = o(\ln^{1/3} p\, \ln\ln^{2/3} p)$.

We stress that our method differs from those of [3, 5]. Indeed, evaluating an individual logarithm by the methods of [3, 5] involves finding an integer $l$ such that
\[
a^l b \equiv q_1 q_2 \cdots q_r \pmod p
\]
for prime integers $q_i \le p^{1/k}$. Next the logarithm of each $q_i$ must be evaluated. For this purpose, the authors of [3, 5] sieve the values of polynomials $f(x) = f_{q_i}(x)$ dependent on $q_i$ for which (1) holds. The advantage of our method is that congruence (2) or (1) does not depend on $q_i$ (see Section 5). This allows us to apply relations (3) or use a polynomial $f(x)$ with small coefficients. In other words, we make extensive use of the structure of special primes.

This author has already used congruence (2) for factoring purposes [9]; similar but more special results are obtained in [10]. Section 7 contains some useful identities for resultants derived in [9].

The author is grateful to MacCentre, Moscow, for technical assistance in preparation of this paper and to Olga Sipacheva for her transformations of my English prose.

1. Algebraic numbers

In this section, we recall some results from algebraic number theory that are used in what follows. We assume that the polynomials $f(x)$ and $g(x)$ in (2) are irreducible over $\mathbb{Q}$. Let $\alpha$ and $\beta$ be roots of $f(x)$ and $g(x)$, respectively. Then $K_1 = \mathbb{Q}(\alpha)$ and $K_2 = \mathbb{Q}(\beta)$ are fields of algebraic numbers of degrees $n_1$ and $n_2$. Let $\mathcal{O}_i$ be the ring of integers in $K_i$. Generally, $\alpha$ and $\beta$ are not integers over $\mathbb{Q}$. But $\alpha_1 = a_0 \alpha$, $\beta_1 = b_0 \beta$ are integers. They are roots of the polynomials
\[
f_1(x) = x^{n_1} + a_1 x^{n_1 - 1} + \cdots + a_0^{n_1 - 1} a_{n_1}, \qquad g_1(x) = x^{n_2} + b_1 x^{n_2 - 1} + \cdots + b_0^{n_2 - 1} b_{n_2},
\]
respectively.

Proposition 1. Let $\gcd(a_0, a_{n_1}) = 1$, and let $R$ denote the ideal that is the gcd of the ideals $\alpha_1 \mathcal{O}_1$ and $a_0 \mathcal{O}_1$ in $\mathcal{O}_1$. Then
\[
\operatorname{Norm} R = |a_0|^{n_1 - 1}.
\]

Proposition 1 is proved in [9]. Put
\[
h(x) = c_0 x^k + c_1 x^{k-1} + \cdots + c_k \in \mathbb{Z}[x].
\]

Proposition 2. Let $\gcd(a_0, a_{n_1}) = 1$ and $R_1 = (a_0 \mathcal{O}_1) R^{-1}$. Then $h(\alpha) \mathcal{O}_1 = Q R_1^{-k}$, where $Q$ is an integer ideal in $K_1$ with
\[
\operatorname{Norm} Q = |a_0^{k} \operatorname{Norm} h(\alpha)| \le (k+1)^{n_1} (n_1 + 1)^{k/2} |f|^{k} |h|^{n_1}.
\]

Proof.
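The following is an added worked example in Python and is not code from the paper. It makes concrete three things stated above: the special-prime construction giving congruence (1) ($f(x) = a x^k + c b^{t_0}$, $m = b^{(t+t_0)/k}$), the resultant congruence (2) together with the fact that (1) is its $\deg g = 1$ case ($\operatorname{Res}(f, x - m) = (-1)^{n_1} f(m)$ by the definition of $\operatorname{Res}$), and the inequality of Proposition 2, where $|a_0^k \operatorname{Norm} h(\alpha)|$ is computed as $|\operatorname{Res}(f, h)|$. The toy instance $p = 3 \cdot 2^{11} - 1 = 6143$ (so $a = 3$, $b = 2$, $c = -1$, $t = 11$, $k = 3$, giving $f(x) = 3x^3 - 2$ and $m = 16$) and the quadratic $g(x) = x^2 + (p - m^2)$ are my constructions; the helper names `special_prime_pair`, `resultant`, `common_root_mod_p` and `satisfies_norm_bound` are mine, and the resultant is evaluated as a Sylvester determinant by exact rational elimination, not by any method of the paper.

```python
from fractions import Fraction

def is_prime(n):
    """Trial division; enough for the small constructed primes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def eval_poly(coeffs, x):
    """Horner evaluation; coeffs are highest degree first, as in a_0 x^n + ... + a_n."""
    r = 0
    for co in coeffs:
        r = r * x + co
    return r

def special_prime_pair(a, b, c, t, k):
    """NFS pair (f, m) for a prime p dividing a*b^t + c, as in the text:
    f(x) = a x^k + c b^{t0}, m = b^{(t+t0)/k}, with t ≡ -t0 (mod k), 0 <= t0 < k.
    Then f(m) = b^{t0} (a b^t + c) ≡ 0 (mod p), which is congruence (1)."""
    t0 = (-t) % k
    f = [a] + [0] * (k - 1) + [c * b ** t0]
    m = b ** ((t + t0) // k)
    return f, m

def resultant(f, g):
    """Res(f, g) as the exact determinant of the (n1+n2) x (n1+n2) Sylvester matrix:
    n2 shifted rows of f's coefficients followed by n1 shifted rows of g's.
    Gaussian elimination over Fractions keeps the result exact."""
    n1, n2 = len(f) - 1, len(g) - 1
    size = n1 + n2
    rows = [[Fraction(0)] * i + [Fraction(x) for x in f] + [Fraction(0)] * (n2 - 1 - i)
            for i in range(n2)]
    rows += [[Fraction(0)] * i + [Fraction(x) for x in g] + [Fraction(0)] * (n1 - 1 - i)
             for i in range(n1)]
    det = Fraction(1)
    for col in range(size):
        pivot = next((r for r in range(col, size) if rows[r][col] != 0), None)
        if pivot is None:
            return 0                      # singular Sylvester matrix: f and g share a root
        if pivot != col:
            rows[col], rows[pivot] = rows[pivot], rows[col]
            det = -det                    # a row swap flips the sign of the determinant
        det *= rows[col][col]
        for r in range(col + 1, size):
            factor = rows[r][col] / rows[col][col]
            if factor:
                rows[r] = [x - factor * y for x, y in zip(rows[r], rows[col])]
    return int(det)

def common_root_mod_p(f, g, p):
    """Smallest common root of f and g in F_p by exhaustive search (toy p only), else None.
    A common root mod p forces p | Res(f, g); this is congruence (2)."""
    for x in range(p):
        if eval_poly(f, x) % p == 0 and eval_poly(g, x) % p == 0:
            return x
    return None

def satisfies_norm_bound(f, h):
    """Proposition 2: |a_0^k Norm h(alpha)| = |Res(f, h)| <= (k+1)^{n1} (n1+1)^{k/2} |f|^k |h|^{n1}.
    Both sides are squared so the comparison stays in exact integers."""
    n1, k = len(f) - 1, len(h) - 1
    fn, hn = max(abs(x) for x in f), max(abs(x) for x in h)
    bound_sq = (k + 1) ** (2 * n1) * (n1 + 1) ** k * fn ** (2 * k) * hn ** (2 * n1)
    return resultant(f, h) ** 2 <= bound_sq

# Constructed toy instance (my choice, not from the paper): p = 3 * 2^11 - 1 = 6143 is prime.
A, B, C, T, K = 3, 2, -1, 11, 3
P = A * B ** T + C
F, M = special_prime_pair(A, B, C, T, K)      # F = 3x^3 - 2, M = 2^4 = 16
G = [1, 0, P - M * M]                         # g(x) = x^2 + (p - m^2): g(m) ≡ 0 (mod p), Res(f, g) != 0 over Z

if __name__ == "__main__":
    print("p =", P, "prime:", is_prime(P))
    print("f(m) =", eval_poly(F, M), " f(m) mod p =", eval_poly(F, M) % P)      # congruence (1)
    print("Res(f, x - m) =", resultant(F, [1, -M]), "= (-1)^n1 f(m)")            # (1) as (2) with deg g = 1
    print("Res(f, g) mod p =", resultant(F, G) % P, " common root:", common_root_mod_p(F, G, P))
    print("Proposition 2 bound holds:", satisfies_norm_bound(F, G))
```

Since $3 \nmid p - 1$ for $p = 6143$, cubing is a bijection on $\mathbb{F}_p$ and $f$ has the single root $m = 16$ there, which the exhaustive search confirms is also the only root shared with $g$; over $\mathbb{Z}$ the two polynomials are coprime, so $\operatorname{Res}(f, g)$ is a nonzero integer that $p$ divides, which is exactly what (2) asserts.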