Discrete logarithms in curves over finite fields

The discrete logarithm problem in finite groups is one of the supposedly difficult problems at the foundation of asymmetric or public key cryptography. The first cryptosystems based on discrete logarithms were implemented in the multiplicative groups of finite fields, in which the discrete logarithm problem turned out to be easier than one would wish, just as the factorisation problem at the heart of RSA. The focus has then shifted towards elliptic and more complex algebraic curves over finite fields. Elliptic curves have essentially resisted all cryptanalytic efforts and to date yield the cryptosystems relying on a number theoretic complexity assumption with the shortest key lengths for a given security level, while other classes of curves have turned out to be substantially weaker. This survey presents the history and state of the art of algorithms for computing discrete logarithms in non-elliptic curves over finite fields; the case of elliptic curves is touched upon, but a thorough treatment would require an article of its own, see [10, Chapter V] and [42]. For a previous survey on hyperelliptic curves in cryptography, including the discrete logarithm problem, see [37]. Let us fix the notation used in the following. Given a cyclic group (G,+) of order N , generated by some element P , the discrete logarithm of Q ∈ G to the base P is given by the integer x = logQ = logP Q, uniquely determined modulo N , such that Q = xP . The discrete logarithm problem (DLP) in G is to compute x given Q. A cryptosystem is said to be based on the discrete logarithm problem in G if computing discrete logarithms in G breaks the cryptosystem (in some specified sense). Note that it is usually unknown whether breaking the system is indeed equivalent to the discrete logarithm problem (but see the treatment of the computational Diffie–Hellman problem in Section 1.2). Figure 1 illustrates the complexity of the discrete logarithm problem depending on N , as it presents itself in a number of groups suggested for cryptographic use. In the following sections, we will examine more closely algorithms in each of the