## Computing discrete logarithms in high-genus hyperelliptic Jacobians in provably subexponential time (1999)

### Cached

### Download Links

- [www.ams.org]
- [www.ams.org]
- [www.ams.org]
- [cacr.math.uwaterloo.ca]
- DBLP

### Other Repositories/Bibliography

Venue: | Mathematics of Computation |

Citations: | 37 - 7 self |

### BibTeX

@ARTICLE{Enge99computingdiscrete,

author = {Andreas Enge},

title = {Computing discrete logarithms in high-genus hyperelliptic Jacobians in provably subexponential time},

journal = {Mathematics of Computation},

year = {1999},

volume = {71},

pages = {729--742}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. We provide a subexponential algorithm for solving the discrete logarithm problem in Jacobians of high-genus hyperelliptic curves over finite fields. Its expected running time for instances with genus g and underlying finite field Fq satisfying g ≥ ϑ log q for a positive constant ϑ is given by

### Citations

915 | A course in computational algebraic number theory - Cohen - 1993 |

203 |
A subexponential algorithm for discrete logarithms over all finite fields
- Adleman, DeMarrais
- 1993
(Show Context)
Citation Context ...However, in 1994 Adleman, DeMarrais and Huang showed that under some reasonable heuristic assumptions there is a subexponential algorithm for discrete logarithms in high-genus hyperelliptic Jacobians =-=[1]-=-. The algorithm was presented for curves over prime fields only. Müller, Stein and Thiel gave a rigorous subexponential algorithm for computing logarithms in the infrastructure of a real-quadratic con... |

155 |
Computing in Jacobian of a Hyperelliptic Curve,” in
- Cantor
- 1987
(Show Context)
Citation Context ...nic, deg b<deg a ≤ g and a|b2 + vb − u. Moreover, in this representation there is a deterministic algorithm for adding divisor classes, using O(g2 ) elementary operations in K, described by Cantor in =-=[5]-=- (see also [10]). So far, we have shown how to construct rational prime divisors with respect to their representations as div(a, b), and that it is possible to compute reduced expressions for arbitrar... |

147 |
Hyperelliptic Cryptosystems
- Koblitz
- 1989
(Show Context)
Citation Context ...ing time does not rely on any unproven assumptions. 1. Motivation and main result Jacobians of hyperelliptic curves over finite fields were suggested for use in public key cryptosystems by Koblitz in =-=[17]-=-. As abelian groups, these structures are adequate for Diffie-Hellman type systems, whose security relies on the intractability of the discrete logarithm problem in the underlying group. In principle,... |

58 |
An Elementary Introduction to Hyperelliptic Curves
- Menezes, Wu, et al.
- 1998
(Show Context)
Citation Context ...ning time. 2. Hyperelliptic Jacobians In this section we briefly present hyperelliptic curves and their Jacobians, relating all results without proof. An excellent elementary introduction is given in =-=[21]-=-. While we are chiefly interested in curves over finite fields, the results hold in full generality. Let K = Fq be the finite field with q elements and K its algebraic closure. A hyperelliptic curve o... |

56 | Quadratische Körper im Gebiete der höheren Kongruenzen - Artin - 1924 |

51 | A subexponential algorithm for the determination of class groups and regulators of algebraic number fields, Séminaire de Théorie des Nombres
- Buchmann
- 1988
(Show Context)
Citation Context ...ons in Steps (2) and (4). We argued in subsection 4.2 that the probability of finding a relation is heuristically NB h , a claim we make precise in this section, using techniques inspired by those in =-=[4]-=- and [27]. In a first step we determine how many exponent vectors e yield a fixed relation c: Lemma 5.1. Let c ∈ Γ. Then the number of vectors e ∈{0,...,E − 1} n which yield the relation c equals the ... |

50 |
Frobenius maps of abelian varieties and finding roots of unity in finite fields
- Pila
- 1990
(Show Context)
Citation Context ...rithm, without knowledge of h it will run forever if no discrete logarithm exists. Unfortunately, to date there is no polynomial time algorithm computing h; notice that Pila’s deterministic algorithm =-=[25]-=-, often referred to as “polynomial”, is so only for fixed g. The same is true for the algorithm described by Huang and Ierardi in [16]. However, an approximation Θ of the class number such that h ≤ Θ ... |

36 | Computing discrete logarithms in real quadratic congruence function fields of large genus
- Müller, Stein, et al.
(Show Context)
Citation Context ...ted for curves over prime fields only. Müller, Stein and Thiel gave a rigorous subexponential algorithm for computing logarithms in the infrastructure of a real-quadratic congruence function field in =-=[24]-=-. Again, only the odd characteristic case was described, and the authors did not take into account the dependence of the running time of the algorithm on the ratio g/ log q. The present paper deals wi... |

18 |
Cryptographic key distribution and computation in class groups
- McCurley, “Short
- 1989
(Show Context)
Citation Context ...ciples outlined so far are the same as those underlying the algorithm in [1]. The main difference in our algorithm is the creation of new relations, which follows ideas first presented by McCurley in =-=[20]-=-. Basically we compute random linear combinations of prime divisors, reduce them and try to express the reduced divisors as another linear combination of prime divisors. The probability of success for... |

14 | Ein Algorithmus zur Bestimmung der Klassengruppe positiv definiter binärer quadratischer Formen, Ph.D.thesis,Universität des Saarlandes - Düllmann - 1991 |

14 | Computational aspects of curves of genus at least 2
- Poonen
- 1996
(Show Context)
Citation Context ...nal prime divisor, we consider hyperelliptic curves of genus g over K which admit an affine model of the form H : Y 2 + vY = u, where v ∈ K[X] isofdegreeatmostg and u ∈ K[X] monic of degree 2g +1(see =-=[26, 11, 12]-=-). We first examine H as a curve over K. Then it consists of the finite points P =(x, y) ∈ K×K whose coordinates satisfy the equation, and an additional point at infinity, denoted by O. These are in b... |

13 | Counting points on curves over finite fields - Huang, Ierardi - 1998 |

13 | Algebraic Aspects of Cryptography, volume 3 of Algorithms and Computation in Mathematics - Koblitz - 1998 |

9 | Smooth ideals in hyperelliptic function fields
- Enge, Stein
- 2002
(Show Context)
Citation Context ...al, and to this purpose we must NB raise B to subexponential size. Precisely, we set C = � logq L(ρ) � for a positive constant ρ to be determined later. Then the following theorem, which is proved in =-=[13]-=-, provides the desired result: Theorem 4.3. Let C = � log q L(ρ) � for a positive constant ρ, andletB consist of the split and ramified rational prime divisors of degree at most C. Then there is a fun... |

6 |
Trotter Jr., Hermite normal form computation using modulo determinant arithmetic, Center for Operations Research and Econometrics
- Domich, Kannan, et al.
- 1985
(Show Context)
Citation Context ...tions. This naïve approach, however, involves intermediate results of possibly exponential size. To remedy to this problem, Domich, Kannan and Trotter described an algorithm using modular arithmetics =-=[8]-=-. It was analysed in detail by Müller (see [23, Satz 4.12]). 3. See [9, Satz 3.29]. 5.3. Expected time for one run. In this section we determine the expected time needed for one run of the algorithm, ... |

6 | Sieving in function fields
- Flassenberg, Paulus
- 1999
(Show Context)
Citation Context ...ould usually suffice to create about 2n relations and the relations should not be obtained randomly, but by sieving techniques. For a description of an implementation based on a sieving approach, see =-=[14]-=-. 3.2. Computing individual logarithms. To relate D (1) and D (2) to the primes in B, we have to find B-smooth divisors ˜ D (1) ∼ D (1) and ˜ D (2) ∼ D (2) , i.e., divisors which can be decomposed int... |

5 |
Algorithmen in reell-quadratischen Kongruenzfunktionenk"orpern
- Stein
- 1996
(Show Context)
Citation Context ...ns have been collected, since we could stop as soon as the determinant of the Smith normal form no longer exceeds Θ. Such an approximation can probably be obtained using methods analogous to those in =-=[27]-=-. Concerning the maximal exponent E, so far it is only necessary that it be at least the exponent of J(H), which is a divisor of h. We recall a bound on h due to Artin (see [3, §24, Formula (8)]): The... |

4 | The extended Euclidian algorithm on polynomials, and the computational efficiency of hyperelliptic cryptosystems
- Enge
(Show Context)
Citation Context ... a ≤ g and a|b2 + vb − u. Moreover, in this representation there is a deterministic algorithm for adding divisor classes, using O(g2 ) elementary operations in K, described by Cantor in [5] (see also =-=[10]-=-). So far, we have shown how to construct rational prime divisors with respect to their representations as div(a, b), and that it is possible to compute reduced expressions for arbitrary sums of these... |

3 | Fast and rigorous factorization under the generalized riemann hypothesis - Lenstra - 1988 |

3 | Effiziente Algorithmen fur Probleme der linearen Algebra uber Z - Muller - 1994 |

2 | Sieving in function fields. Preprint; available at ftp://ftp.informatik.tu-darmstadt.de/pub/TI - Flassenberg, Paulus - 1997 |

1 | Adleman and Ming-Deh Huang (eds.), Algorithmic number theory - Leonard - 1994 |

1 |
cryptosystems: Efficiency and subexponential attacks
- Hyperelliptic
(Show Context)
Citation Context ...nal prime divisor, we consider hyperelliptic curves of genus g over K which admit an affine model of the form H : Y 2 + vY = u, where v ∈ K[X] isofdegreeatmostg and u ∈ K[X] monic of degree 2g +1(see =-=[26, 11, 12]-=-). We first examine H as a curve over K. Then it consists of the finite points P =(x, y) ∈ K×K whose coordinates satisfy the equation, and an additional point at infinity, denoted by O. These are in b... |

1 |
to distinguish hyperelliptic curves in even characteristic, to appear
- How
- 2000
(Show Context)
Citation Context ...nal prime divisor, we consider hyperelliptic curves of genus g over K which admit an affine model of the form H : Y 2 + vY = u, where v ∈ K[X] isofdegreeatmostg and u ∈ K[X] monic of degree 2g +1(see =-=[26, 11, 12]-=-). We first examine H as a curve over K. Then it consists of the finite points P =(x, y) ∈ K×K whose coordinates satisfy the equation, and an additional point at infinity, denoted by O. These are in b... |

1 | On the number of smooth divisors in hyperelliptic function fields. Work in progress - Enge, Stein - 1999 |

1 | S'eminaire de Th'eorie des Nombres - Goldstein, editor - 1990 |