Experiments Using an Analogue of the Number Field Sieve Algorithm to Solve the Discrete Logarithm Problem in the Jacobians of Hyperelliptic Curves

In this paper we report on an implementation of the algorithm of Aldeman, De Marrais and Huang for the solution of the discrete logarithm problem on jacobians of hyperelliptic curves. The method of Aldeman, De Marrais and Huang is closely related to the Number Field Sieve factoring method which leads us to consider a \lattice sieve" version of the original method. The supposed intractability of the discrete logarithm (DLOG) problem in the Jacobians of curves de ned over a nite eld can be used as the basis of public key cryptosystems. For curves of genus one, elliptic curves, this was proposed in [11] and such systems are now in use. For hyperelliptic curves the analogous system was proposed in [12]. The reason for preferring the use of Jacobians of curves as the underlying group, rather than nite elds, is due to the fact that there is no known subexponential algorithm for solving the DLOG problem in the Jacobian of a general curve. This should be contrasted to the case of nite elds where there exists conjectural subexponential time methods (based on the number eld sieve factoring algorithm) to solve the DLOG problem. There are provably subexponential time methods for solving the discrete logarithm problem in nite elds, however in practice these are not as fast as the number eld sieve algorithm. In [1], Adleman, De Marrais and Huang (ADH), proposed a conjectural subexponential method for the DLOG problem in Jacobians of hyperelliptic curves of large genus. This method was based on the ideas of the function eld sieve algorithm which can be used to solve the discrete logarithm problem in F2n , [2]. The function eld sieve is itself based on Pollard's Number Field Sieve, NFS, algorithm for factoring integers, [14]. The ADH method appears to be only of theoretical interest as for practical systems the genus is usually chosen to be small so that the underlying group operations can be performed quickly. Indeed the group is usually the genus one case of the group of points on an elliptic curve. There is however some, at least theoretical, interest in studying where the cross over point comes between the various methods to solve the DLOG problem such as the exponential methods of Pollard, Pohlig and Hellman and the method of ADH. Recently Paulus, [16], and Flassenberg and Paulus, [8], have carried out such a comparison for imaginary quadratic function elds (or hyperelliptic curves with one rami ed point above in nity). Flassenberg and Paulus did not, however, use the method of ADH directly. Instead they made use of the fact that hyperelliptic curves correspond to degree two function eld extensions. Then using the analogy between