Let’s say I have 2 finite fields elements ${\displaystyle A}$ and ${\displaystyle B}$ in ${\displaystyle GF_{p}^{6}}$ having their discrete logarithm belonging to a large semiprime' suborder/subgroup ${\displaystyle s}$ such as ${\displaystyle p>s}$.

${\displaystyle A}$ and ${\displaystyle B}$ can be represented as the cubic extension of ${\displaystyle GF_{p}^{2}}$ by splitting their finite field elements. This give ${\displaystyle A.x\in GF_{p}^{2}}$ ; ${\displaystyle A.\in GF_{p}^{2}}$ ; ${\displaystyle A.z\in GF_{p}^{2}}$ ; and ${\displaystyle B.x\in GF_{p}^{2}}$ ; ${\displaystyle B.y\in GF_{p}^{2}}$ ; ${\displaystyle B.z\in GF_{p}^{2}}$. This is useful for simplifying computations on ${\displaystyle A}$ or ${\displaystyle B}$ like multiplying or squaring by peforming such computations component wise. An example of which can be found here : https://github.com/ethereum/go-ethereum/blob/24c5493becc5f39df501d2b02989801471abdafa/crypto/bn256/cloudflare/gfp6.go#L94

However when the suborder/subgroup ${\displaystyle s}$ from ${\displaystyle GF_{p}^{6}}$ doesn’t exists in ${\displaystyle GF_{p}^{2}}$, why does solving the 3 discrete logarithm between each subfield element that are :

1. dlog of ${\displaystyle A.x}$ and ${\displaystyle B.x}$
2. dlog of ${\displaystyle A.y}$ and ${\displaystyle B.y}$
3. dlog of ${\displaystyle A.z}$ and ${\displaystyle B.z}$

doesn’t help establishing the discrete log of the whole ${\displaystyle A}$ and ${\displaystyle B}$ ? 82.66.26.199 (talk) 13:30, 25 October 2024 (UTC)[reply]

Supposing that you can solve the discrete log in GF(q), the question is to what extent this helps to compute the discrete log in GF(q^k). Let g be a multiplicative generator of ${\displaystyle GF(q^{k})^{\times }}$. Then Ng is a multiplicative generator of ${\displaystyle GF(q)^{\times }}$, when N is the norm map down to GF(q). Given A in ${\displaystyle GF(q^{k})^{\times }}$, suppose that we have x such that ${\displaystyle NA=Ng^{x}}$. Then ${\displaystyle Ag^{-x}}$ belongs to the kernel of the norm map, which is the cyclic group of order (q^k-1)/(q-1) generated by g^{q-1}. Therefore it is required to solve an additional discrete log problem in this new group, the kernel of the norm map. When the degree k is composite, we can break the process down iteratively by using a tower of norm maps. If (a big if) each of the norm one groups in the tower has order a product of small prime factors, then Pohlig-Hellman can be used in each of them. Tito Omburo (talk) 14:53, 25 October 2024 (UTC)[reply]

And when the order contains a 200‒bits long prime too large for Pohlig‑Hellman ? 82.66.26.199 (talk) 15:39, 25 October 2024 (UTC)[reply]

Well, the basic idea is that if k is composite, then the towers are "relatively small", so they would be smoother than the original problem, and might be a better candidate for PH than the original problem. It seems unlikely that a more powerful method like the function field sieve would be accelerated by having a discrete log oracle in the prime field. The prime field in that case is usually very small already. For methods with p^n where p is large, an oracle for the discrete log in the prime field also doesn't help much (unless you can do Pohlig-Hellman). Tito Omburo (talk) 16:06, 25 October 2024 (UTC)[reply]