Extended Tower Number Field Sieve: A New Complexity for the Medium Prime Case

We introduce a new variant of the number field sieve algorithm for discrete logarithms in $$\\mathbb {F}_{p^n}$$ called exTNFS. The most important modification is done in the polynomial selection step, which determines the cost of the whole algorithm: if one knows how to select good polynomials to tackle discrete logarithms in $$\\mathbb {F}_{p^\\kappa }$$, exTNFS allows to use this method when tackling $$\\mathbb {F}_{p^{\\eta \\kappa }}$$ whenever $$\\gcd \\eta ,\\kappa =1$$. This simple fact has consequences on the asymptotic complexity of NFS in the medium prime case, where the complexity is reduced from $$L_Q1/3,\\root 3 \\of {96/9}$$ to $$L_Q1/3,\\root 3 \\of {48/9}$$, $$Q=p^n$$, respectively from $$L_Q1/3,2.15$$ to $$L_Q1/3,1.71$$ if multiple number fields are used. On the practical side, exTNFS can be used when $$n=6$$ and $$n=12$$ and this requires to updating the keysizes used for the associated pairing-based cryptosystems.