arXiv:cs/0703032v1 [cs.CR] 7 Mar 2007
An L(1/3 + ε) Algorithm for the Discrete
Logarithm Problem for Low Degree Curves
Andreas Enge (1) and Pierrick Gaudry (2)
(1) INRIA Futurs & Laboratoire d'Informatique (CNRS/UMR 7161),
École polytechnique, 91128 Palaiseau Cedex, France
(2) LORIA (CNRS/UMR 7503), Campus Scientifique, BP 239,
54506 Vandœuvre-lès-Nancy Cedex, France
Abstract. The discrete logarithm problem in Jacobians of curves of high genus g over
finite fields $\mathbb{F}_q$ is known to be computable with subexponential complexity
$L_{q^g}(1/2, O(1))$. We present an algorithm for a family of plane curves whose degrees
in X and Y are low with respect to the curve genus, and suitably unbalanced. The finite
base fields are arbitrary, but their sizes should not grow too fast compared to the
genus. For this family, the group structure can be computed in subexponential time of
$L_{q^g}(1/3, O(1))$, and a discrete logarithm computation takes subexponential time of
$L_{q^g}(1/3 + \varepsilon, o(1))$ for any positive ε. These runtime bounds rely on
heuristics similar to the ones used in the number field sieve or the function field
sieve algorithms.
The discrete logarithm problem in algebraic curves over finite fields has been
receiving particular attention since elliptic curves and subsequently Jacobian
groups of further algebraic curves have been proposed for discrete logarithm
based public key cryptosystems. Although it is now clear that high genus curves
are unsuitable for cryptographic use, it remains crucial to study algorithms for
solving the discrete logarithm problem in those curves for several reasons. The
first reason is that having a better understanding of the situation for high genus
curves might lead to algorithmic improvements also in the small genus case. The
second reason is that the Weil descent strategy of attacking the discrete loga-
rithm problem in elliptic curves defined over extension fields leads to a discrete
logarithm problem in the Jacobian of a high genus curve. Therefore a better al-
gorithm for high genus discrete logarithms becomes naturally a potential threat
for some elliptic curves.
It turned out very early that the discrete logarithm problem in high genus
hyperelliptic curves (for instance in the sense that the size q of the base field
is fixed, while the genus g tends to infinity) can be solved by a subexponential
algorithm of complexity $L_{q^g}(1/2, O(1))$. The first such algorithm was proposed
in . As other subexponential algorithms, it consists of fixing a factor base
of small prime elements (here, prime divisors) and of creating relations that
correspond to the zero element modulo an equivalence relation (here, equivalence
of divisors modulo principal divisors). After collecting sufficiently many relations
and somehow introducing the base of the discrete logarithm and the element
whose logarithm is sought, linear algebra yields the desired result. Assuming
that smooth elements, that is, elements decomposing over the factor base, have
the same density as for instance smooth integers or polynomials, such algorithms
usually end up with a complexity of $L_{q^g}(1/2, O(1))$.
The algorithm in  creates relations by randomly taking low degree functions
(that are linear in Y for the curve $Y^2 = f(X)$), whose divisors are relations.
Its analysis is only heuristic. The first proven algorithms are given in  for
the infrastructure of real-quadratic hyperelliptic function fields and in  for
Jacobians of hyperelliptic curves. Relations are obtained in a process similar to
that of  by taking random linear combinations of factor base elements, reducing
modulo the equivalence relation and checking for smoothness. A rigorous
analysis is derived from the lower bound on the density of smooth divisors in
. A generic description of a similar algorithm can be found in ; it applies to
all class groups in which a smoothness result is known. Heuristically, it obtains
a running time of $L_{q^g}(1/2, O(1))$ for the discrete logarithm problem in arbitrary
high genus curves; the smoothness result needed for a proof of the complexity is,
however, only available for hyperelliptic curves.
A proven algorithm of complexity $L_{q^g}(1/2 + \varepsilon, O(1))$ for very general curves
over a fixed field $\mathbb{F}_q$ and with genus g tending to infinity (with the only restriction
that the curves contain a rational point and that the cardinality of the Jacobian
group is bounded by $q^{g + O(\sqrt{g})}$) is given in . Unlike previous algorithms, it
appears to be specific to algebraic curves and relies on a double randomisation,
taking random combinations of factor base elements and a random function
in a Riemann–Roch space. A relation is obtained whenever the divisor of this
function is smooth. A more general algorithm is proposed in  that yields a
proven $L_{q^g}(1/2, O(1))$ complexity without any restriction on the input curve.
Another line of research on the discrete logarithm problem for algebraic
curves, started in  and not pursued in this article, consists of fixing g and
having q tend to infinity. This leads to algorithms that are exponential, but
faster than generic algorithms of square root complexity as soon as g ≥ 3, see
In the light of algorithms of complexity L(1/3) for the discrete logarithm
problem in finite fields as well as for factoring integers, it has been an open
problem to determine whether this complexity can be achieved also for algebraic
curves. In this article, we present the first probabilistic algorithm of heuristic
complexity $L_{q^g}(1/3, O(1))$ to compute the group structure of certain curves
whose total degree is relatively small compared to their genus. When introducing
the two elements of the Jacobian for which the discrete logarithm problem is to
be solved, some sacrifice has to be made; we obtain an algorithm of complexity
bounded by $L_{q^g}(1/3 + \varepsilon, o(1))$ for any positive constant ε.
The relation collection phase is the same as in  and consists of looking for
smooth divisors of functions linear in Y. By applying it to the curves of our
special family, one readily obtains a lower degree of the affine part of the intersection
divisor than in the general case, from which a complexity of $L_{q^g}(1/3, O(1))$ is
derived. For smoothing the two divisors involved in the discrete logarithm problem,
a process is employed that is similar to the one used in the number field
sieve or in the function field sieve. This is the general special-Q descent strategy
(also related to the so-called lattice sieving). Each divisor is partially smoothed
into prime divisors of degree less than the starting divisor. Then each such prime
divisor Q is smoothed again into smaller prime divisors, and we iterate until every
divisor is rewritten in terms of elements of the factor base. However, in our
case it is necessary to add an arbitrarily small constant ε to the 1/3 parameter
to obtain a proper descent phenomenon; otherwise, the process would get stuck
after one step.
Let us mention that, subsequently to our algorithm, Diem has presented at
the 10th Workshop on Elliptic Curve Cryptography (ECC 2006) an algorithm
based on similar ideas, but with a quite different point of view. He manages to
obtain a complexity of L(1/3, O(1)) for the discrete logarithm phase, for which
our algorithm takes L(1/3 + ε, o(1)). We will show how to reach a complexity of
L(1/3, O(1)) for discrete logarithms in our setting in the long, journal version.
Acknowledgement. We thank Claus Diem for his careful reading of our article
and many useful remarks.
2 Main idea
Before describing our algorithm with all its technical details on a general class
of curves, we sketch in this section the main idea yielding a complexity of
$L_{q^g}(1/3, O(1))$ for the relation collection phase for a restricted class of curves.
We provide a simplified analysis by hand waving; Section 3 is devoted to a more
precise description of the heuristics used and of the smoothness properties needed
for the analysis.
Let $\mathbb{F}_q$ be a fixed finite field. We consider a family of $C_{ab}$ curves over $\mathbb{F}_q$, that
is, curves of the form
$$C : Y^n + X^d + f(X, Y)$$
without affine singularities such that $\gcd(n, d) = 1$ and any monomial $X^i Y^j$
occurring in f satisfies $ni + dj < nd$. Such a curve has genus g =
we assume that g tends to infinity, and that $n \approx g^{1/3}$ and $d \approx g^{2/3}$ (we use
the symbol ≈, meaning "about the same size" with no precise definition). The
non-singular model of a $C_{ab}$ curve has a unique point at infinity, and it is $\mathbb{F}_q$-
rational; so there is a natural bijection between degree zero divisors and affine
divisors, and in the following, we shall only be concerned with effective affine
divisors. Choose as factor base $\mathcal{F}$ the $L_{q^g}(1/3, O(1))$ prime divisors of smallest
degree (that is, the prime divisors up to a degree of $B \approx \log_q L_{q^g}(1/3, O(1))$).
To obtain relations, consider functions linear in Y of the form
$$\varphi = a(X) + b(X)\,Y$$
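The relation collection step just sketched, as an added example that is not code from the paper: a constructed $C_{ab}$ curve $Y^3 + X^4 + X + 1$ over $\mathbb{F}_7$ (no affine singularities; genus 3 by the standard $C_{ab}$ genus formula $(n-1)(d-1)/2$), random functions $\varphi = a(X) + b(X)Y$, and the test of whether the affine divisor of $\varphi$ is B-smooth. The test goes through the norm $N(\varphi) = \mathrm{Res}_Y(F, \varphi) = b^n F(X, -a/b)$: because a $C_{ab}$ curve has a single point at infinity, a polynomial in X and Y has no affine poles, and for $\gcd(a,b) = 1$ the affine zeros of $\varphi$ are B-smooth exactly when $N(\varphi)$ factors into irreducibles of degree at most B. Smoothness is decided with gcds against $X^{q^i} - X$ (a standard distinct-degree technique, not one the excerpt describes). All helper names, the field size 7, and the tiny bound B = 2 are choices made for this example; the paper takes $B \approx \log_q L_{q^g}(1/3, O(1))$.

```python
# Added example, not from the paper: the relation-collection step of the
# "main idea" on a constructed C_ab curve over a small prime field F_P.
# F(X, Y) = Y^n + X^d + f(X, Y), gcd(n, d) = 1, monomials X^i Y^j of f with
# n*i + d*j < n*d.  For phi = a(X) + b(X)*Y with gcd(a, b) = 1 the affine
# divisor of phi is B-smooth exactly when the norm N(phi) = Res_Y(F, phi)
# = b^n * F(X, -a/b), a polynomial in X, has only irreducible factors of
# degree <= B.  Polynomials are coefficient lists, lowest degree first; [] = 0.
import random
from functools import reduce

P = 7  # constructed toy field; the paper allows any finite field

def trim(f):
    while f and f[-1] % P == 0:
        f.pop()
    return f

def add(f, g):
    n = max(len(f), len(g))
    return trim([((f[i] if i < len(f) else 0) + (g[i] if i < len(g) else 0)) % P for i in range(n)])

neg = lambda f: [(-c) % P for c in f]
xpow = lambda i: [0] * i + [1]  # the monomial X^i

def mul(f, g):
    r = [0] * (len(f) + len(g)) if f and g else []
    for i, x in enumerate(f):
        for j, y in enumerate(g):
            r[i + j] = (r[i + j] + x * y) % P
    return trim(r)

power = lambda f, e: reduce(mul, [f] * e, [1])  # f^e, with f^0 = 1

def divmod_(f, g):
    """Quotient and remainder of f by the nonzero polynomial g."""
    f, g = trim(list(f)), trim(list(g))
    inv, q = pow(g[-1], P - 2, P), [0] * max(len(f) - len(g) + 1, 0)
    while len(f) >= len(g):
        c, k = f[-1] * inv % P, len(f) - len(g)
        q[k] = c
        for i, y in enumerate(g):
            f[i + k] = (f[i + k] - c * y) % P
        trim(f)
    return trim(q), f

def gcd(f, g):
    """Monic gcd; gcd(f, 0) is f made monic."""
    f, g = trim(list(f)), trim(list(g))
    while g:
        f, g = g, divmod_(f, g)[1]
    inv = pow(f[-1], P - 2, P)
    return [c * inv % P for c in f]

def powmod(f, e, m):
    r = [1]
    while e:
        if e & 1:
            r = divmod_(mul(r, f), m)[1]
        f, e = divmod_(mul(f, f), m)[1], e >> 1
    return r

def is_smooth(poly, B):
    """True iff every irreducible factor of poly over F_P has degree <= B.
    gcd(rem, X^(P^i) - X) is the product of the distinct irreducible factors of
    rem of degree dividing i; dividing it out repeatedly also strips multiplicities."""
    rem, x = trim(list(poly)), xpow(1)
    r = x  # after round i: r == X^(P^i) mod rem
    for _ in range(B):
        if len(rem) <= 1:
            break
        r = powmod(r, P, rem)
        while len(rem) > 1:
            g = gcd(rem, add(r, neg(x)))
            if len(g) <= 1:
                break
            rem = divmod_(rem, g)[0]
            r = divmod_(r, rem)[1]
    return len(rem) == 1  # constant cofactor left <=> B-smooth

def norm(n, d, f_terms, a, b):
    """N(phi) = b^n * F(X, -a/b); f_terms maps (i, j) -> coefficient of X^i Y^j."""
    total = add(power(neg(a), n), mul(xpow(d), power(b, n)))
    for (i, j), c in f_terms.items():
        assert n * i + d * j < n * d, "not a C_ab monomial"
        total = add(total, mul([c % P], mul(mul(xpow(i), power(neg(a), j)), power(b, n - j))))
    return total

def find_relation(n, d, f_terms, B, max_deg=1, max_tries=2000, seed=1):
    """Sample phi = a + b*Y with deg a, deg b <= max_deg until N(phi) is B-smooth;
    returns (a, b, N(phi), tries) or None."""
    rng = random.Random(seed)
    rand_poly = lambda: trim([rng.randrange(P) for _ in range(max_deg + 1)])
    for tries in range(1, max_tries + 1):
        a, b = rand_poly(), rand_poly()
        if not a or not b or len(gcd(a, b)) != 1:
            continue
        N = norm(n, d, f_terms, a, b)
        # deg N = max(n deg a, d + n deg b): f-terms stay strictly below, and the
        # two leading candidates cannot tie when gcd(n, d) = 1 and n > 1.
        assert len(N) - 1 == max(n * (len(a) - 1), d + n * (len(b) - 1))
        if is_smooth(N, B):
            return a, b, N, tries
    return None

# Constructed curve Y^3 + X^4 + X + 1 over F_7: n = 3, d = 4, no affine
# singularities, genus (n-1)(d-1)/2 = 3 by the standard C_ab genus formula.
CURVE = (3, 4, {(1, 0): 1, (0, 0): 1})
```

Calling `find_relation(*CURVE, B=2)` returns the first $\varphi$ whose norm is 2-smooth together with the number of trials. The degree assertion inside it is the point of the excerpt's construction: with $\deg a, \deg b$ about $g^{1/3}$, $n \approx g^{1/3}$ and $d \approx g^{2/3}$, the affine intersection divisor has degree about $g^{2/3}$, against a smoothness bound of about $g^{1/3}$, which is what the hand-waving analysis turns into $L_{q^g}(1/3, O(1))$.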
Fix a smoothness bound of $g^{\beta+\gamma}$; with the usual heuristic, one can find E
that is smooth in time about $g^{\max(\alpha-\gamma,\,(1-\alpha)-\beta)}$. The consistency check that the
sieving space must be larger than the factor base yields the condition
$$\beta + \gamma \geq \max(\alpha - \gamma, (1 - \alpha) - \beta),$$
which gives $\beta + 2\gamma \geq \alpha$ and $\gamma + 2\beta \geq 1 - \alpha$. Adding the two
inequalities gives $3(\beta + \gamma) \geq 1$, so $\beta + \gamma \geq 1/3$. Therefore, in this
setting we cannot hope to get something better than an L(1/3) complexity. We now
show that this complexity is achievable: taking $\beta = 2/3 - \alpha$ and $\gamma = \alpha - 1/3$,
both inequalities hold with equality and $\beta + \gamma = 1/3$, so all the conditions are
verified, and the complexity is as announced.
In the particular case of $\alpha = 1/3$, we recover $\beta = 1/3$ and $\gamma = 0$, which
corresponds to Algorithm 6. In the other extremal case $\alpha = 1/2$, we get $\beta = \gamma = 1/6$.
If α gets smaller than 1/3, then the L(1/3) complexity is not achievable with
this algorithm (the choice above would require $\gamma < 0$). In fact, for each value of
$\alpha \in [0, 1/3]$, there is an L(x) complexity with $x \in [1/3, 1/2]$, and finally, for
hyperelliptic curves one essentially recovers the Adleman–DeMarrais–Huang L(1/2) algorithm.
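The exponent bookkeeping of the preceding paragraphs, carried out exactly with rationals as an added example (not code from the paper). It assumes, inferring from the excerpt, that α is the exponent with $n \approx g^{\alpha}$ for the degree in Y, so that α = 0 is the hyperelliptic case and α = 1/3 the curves of Section 2. Minimising $\beta + \gamma$ under the two inequalities is a two-variable linear programme, so the optimum is attained at a vertex of the feasible region, and the code simply enumerates the three candidate vertices; function names and the sample values of α are this example's own.

```python
# Added example, not from the paper: the exponent bookkeeping of the
# group-structure analysis above, solved exactly with rationals.
# Assumption (inferred from the excerpt): n ~ g^alpha for the degree in Y,
# so alpha = 0 is hyperelliptic and alpha = 1/3 gives the curves of Section 2.
# The smoothness bound is g^(beta+gamma), one smooth E costs about
# g^max(alpha-gamma, (1-alpha)-beta), and the sieving space must be at least
# as large as the factor base.  The overall exponent is x = beta + gamma;
# minimising it is a two-variable linear programme, so the optimum sits at a
# vertex of the feasible region and is found by enumerating the vertices.
from fractions import Fraction

def sieving_space_ok(alpha, beta, gamma):
    """Consistency check of the text: beta + gamma >= max(alpha - gamma, (1 - alpha) - beta)."""
    alpha, beta, gamma = map(Fraction, (alpha, beta, gamma))
    return beta + gamma >= max(alpha - gamma, (1 - alpha) - beta)

def best_exponents(alpha):
    """(beta, gamma, x) minimising x = beta + gamma subject to beta + 2 gamma >= alpha,
    2 beta + gamma >= 1 - alpha and beta, gamma >= 0.  alpha may be a str such as "1/3"."""
    alpha = Fraction(alpha)
    candidates = [
        (Fraction(2, 3) - alpha, alpha - Fraction(1, 3)),  # both constraints tight
        (max(alpha, (1 - alpha) / 2), Fraction(0)),        # gamma = 0
        (Fraction(0), max(alpha / 2, 1 - alpha)),          # beta = 0
    ]
    feasible = [(b, c) for b, c in candidates
                if b >= 0 and c >= 0 and sieving_space_ok(alpha, b, c)]
    beta, gamma = min(feasible, key=lambda bc: bc[0] + bc[1])
    return beta, gamma, beta + gamma

def exponent_table(alphas=("0", "1/6", "1/3", "5/12", "1/2")):
    """alpha -> exponent x of the L(x) group-structure complexity, as strings."""
    return {a: str(best_exponents(a)[2]) for a in alphas}

if __name__ == "__main__":
    for a, x in exponent_table().items():
        print(f"alpha = {a:>4}: group structure in L({x})")
```

For $\alpha \geq 1/3$ the first vertex is feasible and gives $\beta + \gamma = 1/3$, the lower bound derived above; below 1/3 it would need $\gamma < 0$, the optimum moves to $\gamma = 0$, $\beta = (1-\alpha)/2$, and the exponent rises to 1/2 at α = 0. This covers only the group-structure phase; the descent phase has its own constraints, as the following paragraph notes.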
All of this concerns only the group structure. For the special-Q descent how-
ever, things get more complicated and the L(1/3 + ε) complexity is lost when
α is bigger than 1/3. More precisely, the same kind of computations as above
yields a complexity of L(α + ε) for α ∈ [1/3,1/2].
L. M. Adleman, J. DeMarrais, and M.-D. Huang. A subexponential algorithm for discrete logarithms over the rational subgroup of the jacobians of large genus hyperelliptic curves over finite fields. In L. Adleman and M.-D. Huang, editors, ANTS-I, volume 877 of Lecture Notes in Comput. Sci., pages 28–40. Springer–Verlag.
R. L. Bender and C. Pomerance. Rigorous discrete logarithm computations in finite fields via smooth polynomials. In D. A. Buell and J. T. Teitelbaum, editors, Computational Perspectives on Number Theory: Proceedings of a Conference in Honor of A.O.L. Atkin, volume 7 of Studies in Advanced Mathematics, pages 221–232. American Mathematical Society, 1998.
J.-M. Couveignes. Algebraic groups and discrete logarithm. In Public-key cryptography and computational number theory, pages 17–27. de Gruyter, 2001.
C. Diem. An index calculus algorithm for plane curves of small degree. In F. Heß, S. Pauli, and M. Pohst, editors, ANTS-VII, volume 4076 of Lecture Notes in Comput. Sci., pages 543–557. Springer–Verlag, 2006.
A. Enge. Computing discrete logarithms in high-genus hyperelliptic Jacobians in provably subexponential time. Math. Comp., 71:729–742, 2002.
A. Enge and P. Gaudry. A general framework for subexponential discrete logarithm algorithms. Acta Arith., 102:83–103, 2002.
A. Enge and A. Stein. Smooth ideals in hyperelliptic function fields. Math. Comp.,
P. Gaudry. An algorithm for solving the discrete log problem on hyperelliptic curves. In B. Preneel, editor, Advances in Cryptology – EUROCRYPT 2000, volume 1807 of Lecture Notes in Comput. Sci., pages 19–34. Springer–Verlag,
P. Gaudry, E. Thomé, N. Thériault, and C. Diem. A double large prime variation for small genus hyperelliptic index calculus. Math. Comp., 76:475–492, 2007.
G. Haché. Construction effective de codes géométriques. PhD thesis, Université de Paris VI, 1996.
J. L. Hafner and K. S. McCurley. A rigorous subexponential algorithm for computation of class groups. J. Amer. Math. Soc., 2(4):837–850, 1989.
F. Heß. Computing Riemann-Roch spaces in algebraic function fields and related topics. J. Symbolic Comput., 33:425–445, 2002.
F. Heß. Computing relations in divisor class groups of algebraic curves over finite fields. Preprint, 2004.
E. Manstavičius. Semigroup elements free of large prime factors. In F. Schweiger and E. Manstavičius, editors, New Trends in Probability and Statistic, pages 135–
V. Müller, A. Stein, and C. Thiel. Computing discrete logarithms in real quadratic congruence function fields of large genus. Math. Comp., 68(226):807–822, 1999.
A. Storjohann. Algorithms for Matrix Canonical Forms. PhD thesis, Eidgenössische Technische Hochschule Zürich, 2000.