In this section we describe the details of the model we use in our estimates, which is based on the FFS as set forth in [3].
Let $d$ be the degree in $X$ of the curve $H(t,X)$, and let $d_0 = \lceil n/d \rceil$, where $n$ is the extension degree of $\mathbb{F}_q$ over $\mathbb{F}_p$. Let $\delta(\cdot)$ be the degree function. The irreducible polynomial $f$ of degree $n$ which defines $\mathbb{F}_q$ is chosen to be of the form $f(t) = t^n + \hat{f}(t)$, where $\delta(\hat{f}) \approx \log_p n$. We make this last assertion since by (7.1) the proportion of degree-$n$ monic polynomials in $\mathbb{F}_p[t]$ that are irreducible is about $1/n$, and so we expect to be able to find one satisfying $\delta(\hat{f}) \le \log_p n$. A further condition on $\hat{f}$ is that it has at least one root of multiplicity one, so that the curve $H(t,X) = X^d + t^{dd_0 - n}\hat{f}(t)$ is absolutely irreducible. We let $\mu(t) = t^{d_0}$, and it is easily checked that $H(t,\mu(t)) = t^{dd_0 - n}\big(t^n + \hat{f}(t)\big) = t^{dd_0 - n} f(t) \equiv 0 \bmod f$. Lastly we assume that we can easily find such curves for each set of parameter values we analyse, and that they also satisfy the remaining technical requirements.
Within the model itself we are slightly conservative in some approximations. This means our final estimates for the running-times will tend to err on the upper side of the average case, so that given a final estimate we know with a fair degree of certainty that we can compute discrete logarithms within this time. We take as the unit run-time of our calculations the time to perform a basic field operation in $\mathbb{F}_p$, but do not discriminate between which ones, as this will only introduce a logarithmic factor into the estimates. Furthermore, for a real implementation the computational difference for different $p$ will often be irrelevant, since all small $p$ will fit in the word size, and for characteristics two and three there will be only a small constant difference in performance.
Given a factor base size $\eta$ as in Section 7.3.1, we determine the corresponding $m$ and $\alpha$. We assume that $F_A$ has the same cardinality as the set of primes we use in the factor base $F_R$ on the rational side. So the set of useful logarithms that we obtain is only half the size of the matrix that we can theoretically handle in the linear algebra step.
Estimates for Discrete Logarithm Computations in Finite Fields of Small Characteristic

We now consider the number of relations we expect to obtain. Since we wish to minimise the degree of the polynomials we generate, we consider those pairs $(r,s) \in \mathbb{F}_p[t]^2$ with $\delta(r) = R$ and $\delta(s) = S$ as small as possible, and $R \le S$. We refer to this collection of elements as the sieve base, and it is typically chosen to consist of all relatively prime pairs of polynomials with degrees bounded by $l$, a parameter to be selected. We observe though that since we are looking to generate pairs $(r,s)$ such that $r\mu + s$ and $rX + s$ give useful relations, we may assume that either $r$ or $s$ is a monic polynomial, as otherwise we would obtain $p - 1$ copies of each useful pair $r\mu + s$ and $rX + s$.
For a given $\mu \in \mathbb{F}_q^{\times}$ of degree $\lceil n/d \rceil$ and a given pair $(r,s)$ with degrees $(R,S)$, $0 \le R, S \le l$, the degrees of the rational and algebraic sides are respectively bounded by
$$\delta_{RAT_d}(R,S) \le \max\{R + \lceil n/d \rceil,\ S\},$$
$$\delta_{ALG_d}(R,S) \le \max\{dR + d + \log_p n,\ dS\}.$$
As discussed above we assume both these bounds are equalities.
The probability that each of these is $(m,\alpha)$-smooth, assuming they are independent, is
$$\rho_{p,\alpha}(\delta_{RAT_d}(R,S), m)\cdot\rho_{p,\alpha}(\delta_{ALG_d}(R,S), m),$$
and the number of suitable pairs $(r,s)$ is $a_{R,S}$, given in (7.2). Since $0 \le R \le S \le l$, the number of $(m,\alpha)$-smooth relations we expect to obtain is
$$M(l) = \sum_{S=0}^{l}\sum_{R=0}^{S} \rho_{p,\alpha}(\delta_{RAT_d}(R,S), m)\cdot\rho_{p,\alpha}(\delta_{ALG_d}(R,S), m)\, a_{R,S}.$$
For each such set of relations we assume that we obtain the same number of linearly independent equations amongst the corresponding logarithms. To obtain a matrix of full rank we require that this number exceeds $|F_R| + |F_A|$. A basic constraint therefore is
$$M(l) \ge 2\eta. \qquad (7.3)$$
7.3 Methodology of our Analysis

When this is the case, we calculate the expected running-time as follows. We estimate the running-time of a gcd calculation for a pair $r, s$ simply as $RS$, as we do not presume any fast multiplication algorithm. The time for this part of the computation is therefore
$$\sum_{S=1}^{l}\sum_{R=1}^{S} RS\, p^{R+S}, \qquad (7.4)$$
as for each $(R,S)$ there are $p^{R+S}$ such pairs of monic polynomials $(r,s)$. Furthermore, with regard to factoring the rational and algebraic sides, it only makes sense to factor the second side if the first one factored has all of its factors lying within the factor base, which cuts down the number of factorisations to be performed considerably. With this in mind, and noting the form of $\delta_{ALG_d}$ and $\delta_{RAT_d}$, we choose the rational side to be factored first. Again we suppose a naive polynomial factoring algorithm and simply estimate the running-time of factoring a polynomial of degree $\delta$ as $\delta^3$. For this part of the computation the running-time is therefore
$$\sum_{S=0}^{l}\sum_{R=0}^{S} a_{R,S}\Big(\delta_{RAT_d}(R,S)^3 + \rho_{p,\alpha}(\delta_{RAT_d}(R,S), m)\,\delta_{ALG_d}(R,S)^3\Big). \qquad (7.5)$$
This is essentially all that we need. The process of minimising the expected running-time for each factor base size is to compute, for various pairs $(d,l)$, the sum of (7.4) and (7.5) whenever the constraint (7.3) is satisfied, and simply choose the pair which gives the smallest result.
In performing a few preliminary parameter estimates with this model, it was apparent that the estimated running-times altered considerably when the optimal value for $l$ was changed by just one. A little reflection reveals that the process of varying $l$, the bound on the degrees of the sieve base elements, is analogous to the way in which we initially regarded $m$, the bound on the degrees of the factor base elements. To remedy this problem we interpolate between successive values of $l$. Let
$$L_l(i) = \lfloor p^{l+1} i/100 \rfloor, \qquad i = 0, \dots, 100,$$
and suppose that we have $L_l(i)$ additional monic sieve base polynomials of degree $l+1$. The choice of 100 here is arbitrary, but we did not want to extend running-times excessively, and we can view this number simply as the percentage of monic polynomials of degree $l+1$ in the sieve base, since there are $p^{l+1}$ monic polynomials of degree $l+1$. This gives us an additional number of expected doubly-smooth relations $M^{+}(L_l(i))$ equal to
$$\sum_{R=0}^{l+1} \rho_{p,\alpha}(\delta_{RAT_d}(R,l+1), m)\cdot\rho_{p,\alpha}(\delta_{ALG_d}(R,l+1), m)\, a_{R,l+1}\, L_l(i)/p^{l+1},$$
where here we have implicitly assumed that the proportion of pairs that are coprime is propagated uniformly for each interpolation value. Our constraint (7.3) then becomes
$$M(l) + M^{+}(L_l(i)) \ge 2\eta,$$
and the total expected running-time is then
$$T(m,\alpha,l,d,i) = \sum_{S=0}^{l}\sum_{R=0}^{S}\Big( RS\,p^{R+S} + \delta_{RAT_d}(R,S)^3\, a_{R,S} + \rho_{p,\alpha}(\delta_{RAT_d}(R,S), m)\,\delta_{ALG_d}(R,S)^3\, a_{R,S}\Big)$$
$$\qquad + \sum_{R=0}^{l+1}\Big( R(l+1)\,p^{R} L_l(i) + \delta_{RAT_d}(R,l+1)^3\, a_{R,l+1} L_l(i)/p^{l+1} + \rho_{p,\alpha}(\delta_{RAT_d}(R,l+1), m)\,\delta_{ALG_d}(R,l+1)^3\, a_{R,l+1} L_l(i)/p^{l+1}\Big). \qquad (7.6)$$
This equation accounts for the effect of the differing degrees of the sieve base pairs, the necessary gcd and factorisation computations, and the interpolation in $l$. Note that this differs considerably from the
$$2\eta/\rho_{p,0}(dl + d + l + \lceil n/d \rceil + \log_p n,\ m)$$
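To make the model concrete, the following is an added worked example (not the thesis's own code) that evaluates (7.3) to (7.6) on toy parameters and then minimises $T$ over $(d,l,i)$ subject to the constraint. It computes $\rho_{p,0}(N,m)$ exactly as the proportion of $m$-smooth monic polynomials of degree $N$ over $\mathbb{F}_p$ (so $\alpha = 0$), stands in for $a_{R,S}$ of (7.2) with the exact number of coprime pairs of monic polynomials of degrees $(R,S)$, which is $p^{R+S}(1-1/p)$ when both degrees are positive, and rounds $\log_p n$ up to an integer. All of those choices, and the values $p=3$, $n=13$, $m=4$, $l \le 8$, are assumptions of the example, not parameters from the page.

```python
"""Added worked example, not the thesis author's code: evaluates the FFS sieving-cost
model of this section, (7.3)-(7.6), on toy parameters.  Assumptions not fixed by the
page: alpha = 0, with rho_{p,0}(N, m) computed exactly as the proportion of m-smooth
monic polynomials of degree N over F_p; a_{R,S} of (7.2) replaced by the exact count
of coprime pairs of monic polynomials of degrees (R, S); log_p n rounded up."""
from functools import lru_cache


@lru_cache(maxsize=None)
def num_irreducibles(p, k):
    """Monic irreducibles of degree k over F_p, via sum_{e | k} e*I_p(e) = p^k."""
    return (p ** k - sum(e * num_irreducibles(p, e) for e in range(1, k) if k % e == 0)) // k


def smooth_counts(p, N, m):
    """counts[j], j = 0..N: monic degree-j polynomials over F_p whose irreducible factors
    all have degree <= m.  Euler transform of prod_{k<=m} (1 - x^k)^{-I_p(k)}, i.e.
    j*c_j = sum_{i<=j} s_i c_{j-i} with s_i = sum_{k | i, k<=m} k*I_p(k)."""
    irr = {k: num_irreducibles(p, k) for k in range(1, min(m, N) + 1)}
    s = [0] + [sum(k * irr[k] for k in irr if i % k == 0) for i in range(1, N + 1)]
    c = [1] + [0] * N
    for j in range(1, N + 1):
        c[j] = sum(s[i] * c[j - i] for i in range(1, j + 1)) // j
    return c


class SmoothModel:
    """The quantities of the section for fixed (p, n, d, m), with alpha = 0."""

    def __init__(self, p, n, d, m, l_max):
        self.p, self.d = p, d
        self.d0 = -(-n // d)                                       # d_0 = ceil(n/d)
        self.dfhat = next(k for k in range(n + 1) if p ** k >= n)  # delta(f-hat) ~ log_p n, rounded up
        N = max(d * (l_max + 1) + d + self.dfhat, l_max + 1 + self.d0)  # largest degree that occurs
        self.rho = [c / p ** j for j, c in enumerate(smooth_counts(p, N, m))]  # rho_{p,0}(j, m)

    def deg_rat(self, R, S):                    # delta_RAT_d(R, S), bound taken as equality
        return max(R + self.d0, S)

    def deg_alg(self, R, S):                    # delta_ALG_d(R, S), bound taken as equality
        return max(self.d * R + self.d + self.dfhat, self.d * S)

    def a(self, R, S):
        """Coprime pairs of monic polynomials of degrees (R, S): p^{R+S}(1 - 1/p) when both
        degrees are positive (a nonzero constant is coprime to everything)."""
        return self.p ** (R + S) - (self.p ** (R + S - 1) if min(R, S) > 0 else 0)

    def doubly_smooth(self, R, S):
        """Expected doubly-smooth relations among the a_{R,S} pairs of degrees (R, S)."""
        return self.rho[self.deg_rat(R, S)] * self.rho[self.deg_alg(R, S)] * self.a(R, S)

    def frac(self, l, i):
        """L_l(i) / p^{l+1}: fraction of the degree-(l+1) monic polynomials in the sieve base."""
        return (self.p ** (l + 1) * i // 100) / self.p ** (l + 1)

    def cost(self, R, S, weight):
        """gcd work (RS on each of p^{R+S} pairs) plus naive delta^3 factoring, the algebraic
        side only when the rational side was smooth; scaled by `weight` for interpolation."""
        rat, alg = self.deg_rat(R, S), self.deg_alg(R, S)
        gcd = R * S * self.p ** (R + S)
        return weight * (gcd + (rat ** 3 + self.rho[rat] * alg ** 3) * self.a(R, S))

    def relations(self, l, i=0):
        """M(l) + M^+(L_l(i)), the left-hand side of constraint (7.3) with interpolation."""
        M = sum(self.doubly_smooth(R, S) for S in range(l + 1) for R in range(S + 1))
        return M + self.frac(l, i) * sum(self.doubly_smooth(R, l + 1) for R in range(l + 2))

    def time(self, l, i=0):
        """T(m, alpha, l, d, i) of (7.6)."""
        T = sum(self.cost(R, S, 1) for S in range(l + 1) for R in range(S + 1))
        return T + sum(self.cost(R, l + 1, self.frac(l, i)) for R in range(l + 2))


def best_parameters(make_model, eta, d_values, l_max):
    """Minimise T over (d, l, i) subject to (7.3).  For fixed (d, l) both M and T grow
    with i, so the first i meeting the constraint is the cheapest choice for that l."""
    best = None
    for d in d_values:
        model = make_model(d)
        for l in range(l_max + 1):
            for i in range(101):
                if model.relations(l, i) >= 2 * eta:
                    T = model.time(l, i)
                    if best is None or T < best[0]:
                        best = (T, d, l, i)
                    break
    return best


if __name__ == "__main__":
    p, n, m, l_max = 3, 13, 4, 8                # toy parameters chosen for this example
    eta = sum(num_irreducibles(p, k) for k in range(1, m + 1))   # |F_R| when alpha = 0
    model = SmoothModel(p, n, 3, m, l_max)
    for l in range(l_max + 1):                  # jumps between successive l motivate interpolating in i
        print(f"d=3 l={l}: M(l)={model.relations(l):10.1f}  T(l)={model.time(l):.3e}")
    print("2*eta =", 2 * eta, " best (T, d, l, i):",
          best_parameters(lambda d: SmoothModel(p, n, d, m, l_max), eta, [2, 3, 4], l_max))
```

Running it prints $M(l)$ and $T$ for successive $l$ at $d = 3$, which exhibits the jumps between consecutive $l$ that motivate the interpolation in $i$, followed by the cheapest $(d,l,i)$ satisfying the constraint. The smoothness probabilities come from the Euler-transform recurrence for $\prod_{k \le m}(1-x^k)^{-I_p(k)}$ and are therefore exact counts rather than Dickman-type approximations; with $m \ge N$ the recurrence returns all $p^N$ monic polynomials, which is a convenient sanity check.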