There are well-known subexponential algorithms for finding discrete logarithms over finite fields. However, the methods which underlie these algorithms do not appear to be easily adaptable for finding discrete logarithms in the groups associated with elliptic curves and the Jacobians of hyperelliptic curves, except for very special cases (Menezes et al., IEEE Trans. Inform. Theory 39 (1993) 1639–1646; Okamoto and Sakurai, Lecture Notes in Computer Science, vol. 576, Springer, Berlin, 1991). This has led to the development of cryptographic systems based on the discrete logarithm problem for such groups (Koblitz, Math. Comput. 48 (1987) 203–209, J. Cryptogr. 1 (1989) 139–150; Menezes, Elliptic Curve Public Key Cryptosystems, Kluwer, Dordrecht, 1993; Miller, Lecture Notes in Computer Science, Springer, Berlin, 1986, pp. 417–426). In this paper a subexponential algorithm is presented for finding discrete logarithms in the group of rational points on the Jacobians of large genus hyperelliptic curves over prime fields. We give a heuristic argument that under certain assumptions, there exists a constant $c \le 2.181$ such that for $g \in \mathbb{Z}_{>0}$ and odd prime powers $q$ with $\log q \le (2g+1)^{1-\varepsilon}$ and $0 < \varepsilon = o(1)$, the algorithm computes discrete logarithms in the group of rational points on the Jacobian of a genus $g$ hyperelliptic curve over $GF(q)$ of the form $y^2 = f(x)$ with $\deg(f) = 2g+1$, within expected time $L_{q^{2g+1}}[1/2, c]$, or equivalently, $L_{q^g}[1/2, c']$ with $c' = 2c$.