A New Angle on Lattice Sieving for the Number Field Sieve

Lattice sieving in two or more dimensions has proven to be an indispensable practical aid in integer factorization and discrete log computations involving the number field sieve. The main contribution of this article is to show that a different method of lattice enumeration in three dimensions will provide a significant speedup. We use the successive minima and shortest vectors of the lattice instead of transition vectors to iterate through lattice points. We showcase the new method by a record computation in a 133-bit subgroup of $\mathbb{F}_{p^6}$, with $p^6$ having 423 bits. Our overall timing nearly $3$ times faster than the previous record of a 132-bit subgroup in a 422-bit field. The approach generalizes to dimensions 4 or more, overcoming a key obstruction to the implementation of the tower number field sieve.