Computing discrete logarithms in high-genus hyperelliptic Jacobians in provably subexponential time

Abstract

We provide a subexponential algorithm for solving the discrete logarithm problem in Jacobians of high-genus hyperelliptic curves over finite fields. Its expected running time for instances with genus g and underlying finite field Fq satisfying g ≥ ϑ log q for a positive constant ϑ is given by O e 5 √ 6 1+ 3 2ϑ + 3 2ϑ +o(1) √ (g log q) log(g log q). The algorithm works over any finite field, and its running time does not rely on any unproven assumptions. 1. Motivation and main result Jacobians of hyperelliptic curves over finite fields were suggested for use in public key cryptosystems by Koblitz in [17]. As abelian groups, these structures are adequate for Diffie-Hellman type systems, whose security relies on the intractability of the discrete logarithm problem in the underlying group. In principle, hyperellip-tic cryptosystems offer the same security as elliptic cryptosystems of the same key length. However, in 1994 Adleman, DeMarrais and Huang showed that under some reasonable heuristic assumptions there is a subexponential algorithm for discrete logarithms in high-genus hyperelliptic Jacobians [1]. The algorithm was presented for curves over prime fields only. Müller, Stein and Thiel gave a rigorous subexponen-tial algorithm for computing logarithms in the infrastructure of a real-quadratic congruence function field in [24]. Again, only the odd characteristic case was described , and the authors did not take into account the dependence of the running time of the algorithm on the ratio g/ log q. The present paper deals with a randomised subexponential algorithm whose expected running time can be rigorously proven without any heuristic arguments. Its running time depends on the minimal ratio g/ log q for all instances under consideration , and this dependence can be quantified. On the other hand, the running time does not depend on the knowledge of the class number. Finally the algorithm is valid for hyperelliptic curves over any finite field, in particular over fields of characteristic 2.