Score: 25

"Normal" discrete logarithm based cryptosystems (DSA, Diffie-Hellman, ElGamal) work in the finite field of integers modulo a big prime $p$. However, there exist other finite fields out there, in particular binary fields $GF(2^n)$. There is a specific attack described by Coppersmith for discrete logarithm in a binary field, and it was later on refined into the more general Function Field Sieve by Adleman and Huang. The FFS was used by Joux and Lercier to obtain the current record in $GF(2^n)$ discrete logarithm, where $n = 613$.

What I would like to know is:

  • How does discrete logarithm in $GF(2^n)$ compare to discrete logarithm modulo a prime $p$ of $n$ bits? At the time when Coppersmith published his algorithm, it made discrete logarithm in binary fields look easier than its prime $p$ counterpart, but the latter also got improved later on.
  • Is it important, for discrete logarithm in $GF(2^n)$, whether $n$ is itself prime or not? The current record is for $GF(2^{613})$, beating the previous record of $GF(2^{607})$, and both 607 and 613 are prime numbers. Would discrete logarithm in $GF(2^{1024})$ be easier than in $GF(2^{1021})$?
Asked by Thomas Pornin; edited by wythagoras.

3 Answers

Score: 15

Discrete logarithms in $\mathbb{F}_{p}$ share the same asymptotic complexity as integer factorization for general numbers: $L_p[1/3,1.923]$ for general integers, $L_p[1/3,1.587]$ for special integers. Discrete logarithms in $\mathbb{F}_{p^n}$ have the same asymptotic complexity as factoring special integers, i.e. $L_{p^n}[1/3, 1.587]$, via the Function Field Sieve.

So, extrapolating from the factoring records, we can handwave that a discrete log in $\mathbb{F}_{2^{1021}}$ is an order of magnitude easier than a discrete log modulo a 768-bit general prime, and about the same as modulo a pseudo-Mersenne prime $2^{1021} - c$.

As to whether composite degree extension fields are easier to solve, maybe. It is possible to represent the same composite field in a number of ways (usually known as tower of fields), and it is possible that some representations allow for faster breaks than others. Here's a quote from Andrew Odlyzko's 1985 paper Discrete logarithms and their cryptographic significance:

In fact, these fields may be very weak because of the possibility of moving between the field and its subfields.

However, there is no data on significant asymptotic advantages of composite degree over prime degree (if there was, pairing-based schemes would be toast, as embedding degrees are by and large composite).

One shouldn't also forget to check the smoothness of $p^n-1$, to avoid embarrassing Pohlig-Hellman breaks.

May 2013 Update

It seems that composite degree is indeed weaker than prime degree. The recent results of Göloğlu et al. and Joux attack fields $\mathbb{F}_{2^n}$, for composite $n$, much faster than the function field sieve referred to above. See this question for more information.

Answered by Samuel Neves; edited by Glorfindel.
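To put numbers on the L-notation comparison in this answer, here is an added Python example (not code from the answer or from any project it cites). It evaluates the leading term of $L_N[1/3, c]$ with the constants quoted above, $c = 1.923$ for a general prime and $c = 1.587$ for the special case, for a 768-bit general prime and for $\mathbb{F}_{2^{1021}}$, and then bisects for the general-prime size whose estimated cost matches the 1021-bit binary field. The caveat a practitioner should keep in mind: L-notation drops the $o(1)$ in the exponent and every constant factor, so the output is a rough ratio of asymptotic estimates, not a prediction of running time.

```python
import math

# Constants quoted in the answer above: L_N[1/3, c] with c = 1.923 for
# general numbers (NFS / general-prime discrete logs) and c = 1.587 for
# special numbers (SNFS / Function Field Sieve).
C_GENERAL = 1.923
C_SPECIAL = 1.587


def log10_l_cost(bits, c):
    """log10 of L_N[1/3, c] = exp(c * (ln N)^(1/3) * (ln ln N)^(2/3)) for N ~ 2^bits.

    Leading asymptotic term only: the o(1) in the exponent and all
    implementation constants are dropped, so small differences between
    two such numbers should not be over-interpreted.
    """
    ln_n = bits * math.log(2)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(10)


def decades_easier(bits_special, bits_general):
    """Orders of magnitude (base 10) by which a discrete log in a special
    field/modulus of bits_special bits is estimated to be cheaper than one
    modulo a general prime of bits_general bits."""
    return log10_l_cost(bits_general, C_GENERAL) - log10_l_cost(bits_special, C_SPECIAL)


def general_bits_of_equal_cost(bits_special, lo=64, hi=8192):
    """Bisect for the general-prime size whose estimated DL cost matches a
    special field of bits_special bits (the estimate is monotone in the size)."""
    target = log10_l_cost(bits_special, C_SPECIAL)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if log10_l_cost(mid, C_GENERAL) < target:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    # The comparison made in the answer: GF(2^1021) via FFS versus a 768-bit general prime.
    print("log10 cost, 768-bit general prime :", round(log10_l_cost(768, C_GENERAL), 2))
    print("log10 cost, GF(2^1021) via FFS    :", round(log10_l_cost(1021, C_SPECIAL), 2))
    print("decades easier                    :", round(decades_easier(1021, 768), 2))
    print("general prime of equal cost, bits :", general_bits_of_equal_cost(1021))
```

With the quoted constants the two estimates differ by roughly one and a half decades, and a 1021-bit binary field lands in the same cost band as a general prime of somewhat more than 650 bits; a pseudo-Mersenne prime $2^{1021} - c$ uses the special constant and therefore gets the same estimate as $\mathbb{F}_{2^{1021}}$, which is the comparison the answer draws.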
Score: 8

Antoine Joux very kindly sent me the following on the topic:

People worry that [logarithms over fields with composite exponent] might be easier, this is why they use prime exponent. For some factorization of the exponent, viewing the finite field as a tower of extensions $(p^{n_1})^{n_2}$ indeed makes things easier.

See "The function field sieve in the Medium Prime Case" by R. Lercier and myself.


[The portion below, while correct, is not relevant to this question. I have not deleted it as that would leave the comment dangling.]
Elliptic curves over $GF(2^m)$ where $m$ is composite are potentially vulnerable to attacks based on Weil descent. People wishing to show the state of the art in discrete logarithm computation choose problems with $m$ a prime so that no such shortcuts are possible.

The paper Analysis of the GHS Weil Descent Attack on the ECDLP over Characteristic Two Finite Fields of Composite Degree (2001) by Markus Maurer, Alfred Menezes and Edlyn Teske is the most recent work on the topic I can conveniently find.

Answered by ByteCoin; edited by Paŭlo Ebermann.
Score: 4

To complete @Samuel's answer, there are a few shortcuts that can be used when $n$ is composite; however, they only contribute small constant factors, hence they do not change the asymptotic behavior:

  • If $n$ can be divided by $r$, then one can first solve the discrete logarithm in the subfield $GF(2^r)$. In a sieve-based algorithm, this can provide up to half the relations that we need for the final linear algebra step.
  • The final linear algebra step of the FFS computes things modulo $2^n-1$. If $n$ is not prime, then $2^n-1$ is not prime either, and such operations can be implemented more efficiently through the use of the Chinese Remainder Theorem.

Also, if working in a subgroup, one can botch the choice of the subgroup. If $n = rs$ for non-trivial factors $r$ and $s$, then $GF(2^n)^{*}$ has size $2^n-1$, which is a multiple of $2^r-1$. If we choose a subgroup generated by a value $g$ of order $q$ where $q$ divides $2^r-1$, then we are actually computing things in $GF(2^r)$ and we can solve the discrete log by working in that subfield, where attacks are much more efficient, since $r$ is no more than $n/2$. In other words, when choosing the subgroup order $q$ (a prime), we must make sure that $q$ does not divide any $2^r-1$ for any $r$ which divides $n$. A prime $n$ is a simple way to ensure that.

Answered by Thomas Pornin; edited by wythagoras.
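As an added worked example (not code from this answer or any other on the page), the following Python applies the subgroup-order rule above and the $2^n - 1$ smoothness check from Samuel Neves' answer to small $n$. It factors $2^n - 1$, flags every prime $q$ that also divides some $2^r - 1$ with $r$ a proper divisor of $n$ (a subgroup of that order lives in $GF(2^r)$), and reports the largest prime factor of the group order for the Pohlig-Hellman check. It then builds a toy $GF(2^{10})$ on the primitive trinomial $x^{10} + x^3 + 1$ (my choice for the demo; the code verifies that $x$ generates the multiplicative group before relying on it) and uses the Frobenius test $g^{2^r} = g$ to confirm that the order-31 and order-3 generators really sit inside $GF(2^5)$ and $GF(2^2)$, while the order-11 generator lies in no proper subfield. Two things the output makes visible: for $n = 6$ every prime factor of $63 = 3^2 \cdot 7$ is trapped, so no safe prime-order subgroup exists at all, and a prime $n$ does not make $2^n - 1$ prime ($2^{11} - 1 = 23 \cdot 89$), which is why the smoothness check is a separate step.

```python
# Added example, not code from any answer on this page. Toy sizes only:
# factoring is by trial division and the field is GF(2^10) on the
# primitive trinomial x^10 + x^3 + 1 (assumption, verified at runtime).


def trial_factor(m):
    """Prime factorisation of m by trial division, as {prime: exponent}."""
    factors = {}
    d = 2
    while d * d <= m:
        while m % d == 0:
            factors[d] = factors.get(d, 0) + 1
            m //= d
        d += 1
    if m > 1:
        factors[m] = factors.get(m, 0) + 1
    return factors


def proper_divisors(n):
    return [r for r in range(1, n) if n % r == 0]


def subfield_traps(n):
    """Map each prime q | 2^n - 1 that also divides some 2^r - 1 (r a proper
    divisor of n) to the smallest such r: a subgroup of order q lives in GF(2^r)."""
    traps = {}
    for q in trial_factor(2 ** n - 1):
        for r in proper_divisors(n):
            if (2 ** r - 1) % q == 0:
                traps[q] = r
                break
    return traps


def safe_subgroup_orders(n):
    """Primes q | 2^n - 1 whose order-q subgroup is not inside a proper subfield."""
    traps = subfield_traps(n)
    return sorted(q for q in trial_factor(2 ** n - 1) if q not in traps)


def largest_prime_factor_of_group_order(n):
    """Largest prime factor of 2^n - 1: if small, Pohlig-Hellman applies."""
    return max(trial_factor(2 ** n - 1))


# --- toy GF(2^10); an element is an int whose bits are polynomial coefficients ---
N = 10
MODULUS = (1 << 10) | (1 << 3) | 1   # x^10 + x^3 + 1
GROUP_ORDER = 2 ** N - 1             # 1023 = 3 * 11 * 31
X = 0b10                             # the element x


def gf_mul(a, b):
    """Shift-and-add carry-less multiply with reduction modulo MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << N):
            a ^= MODULUS
    return r


def gf_pow(a, e):
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result


def x_is_generator():
    """x generates GF(2^10)^* iff x^1023 = 1 and x^(1023/p) != 1 for every prime p | 1023."""
    return gf_pow(X, GROUP_ORDER) == 1 and all(
        gf_pow(X, GROUP_ORDER // p) != 1 for p in trial_factor(GROUP_ORDER))


def in_subfield(a, r):
    """a lies in GF(2^r) iff the Frobenius map fixes it: a^(2^r) == a."""
    return gf_pow(a, 1 << r) == a


def subfield_membership():
    """For each prime q | 1023, build g = x^(1023/q) of order q and list the
    proper subfields GF(2^r) containing it (empty list = no subfield shortcut)."""
    assert x_is_generator()
    return {q: [r for r in proper_divisors(N) if in_subfield(gf_pow(X, GROUP_ORDER // q), r)]
            for q in trial_factor(GROUP_ORDER)}


if __name__ == "__main__":
    for n in (6, 7, 10, 11, 13):
        print(f"n={n}: traps={subfield_traps(n)} safe={safe_subgroup_orders(n)} "
              f"largest prime factor of 2^n-1={largest_prime_factor_of_group_order(n)}")
    print("GF(2^10): subfields holding each prime-order generator:", subfield_membership())
```

For $n = 10$ the only usable prime order is 11; choosing $q = 31$ would put every computation inside $GF(2^5)$, exactly the collapse the answer warns about.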