An $L(1/3)$ Discrete Logarithm Algorithm for Low Degree Curves
We present an algorithm for solving the discrete logarithm problem in Jacobians of families of plane curves whose degrees in $X$ and $Y$ are low with respect to their genera. The finite base fields $\mathbb{F}_q$ are arbitrary, but their sizes should not grow too fast compared to the genus. For such families, the group structure and discrete logarithms can be computed in subexponential time of $L_{q^g}(1/3, O(1))$. The runtime bounds rely on heuristics similar to the ones used in the number field sieve or the function field sieve.
💡 Research Summary
The paper introduces a subexponential‑time algorithm for solving the discrete logarithm problem (DLP) in the Jacobians of a broad class of plane curves whose degrees in the variables X and Y are small relative to the genus g. The authors consider curves defined over an arbitrary finite field 𝔽_q but impose the condition that the field size does not grow too quickly compared to the genus; specifically they require log q = o(g^{1/3}). Under this restriction the algorithm runs in time L_{q^g}(1/3, O(1)), i.e. the same complexity as the Number Field Sieve (NFS) or Function Field Sieve (FFS) for integer factorisation and for DLP in certain special curves.
Key ideas and structure
- Low‑degree curve model – The curve C is given by a bivariate polynomial f(X,Y) with deg_X f ≤ d_X and deg_Y f ≤ d_Y, where d_X·d_Y = O(g^{1/3}). This “low‑degree” condition guarantees that the norm of a divisor represented by a rational point is relatively small.
- Representation of divisor classes – For a random point P ∈ C(𝔽_{q^g}) the authors construct two univariate polynomials A_P(X) and B_P(Y) of degrees bounded by d_X and d_Y, respectively. The product of the norms of A_P and B_P serves as a measure of the size of the corresponding divisor class.
- Smoothness basis – A factor base 𝔅 consists of all irreducible polynomials in 𝔽_q
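The smoothness test that relation collection over a factor base of irreducible polynomials relies on, as an added example that is not code from the paper or from this summary. It assumes a prime field 𝔽_p and a caller-chosen degree bound (both assumptions, as are all function names), and decides whether every irreducible factor of a univariate polynomial has degree at most that bound without factoring it, using the fact that x^(p^i) − x is the product of all monic irreducibles whose degree divides i.

```python
# Added example (constructed): polynomials over F_p, p prime, as coefficient lists, lowest degree first.
def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def divmod_poly(a, m, p):
    """Return (quotient, remainder) of a divided by a non-zero m over F_p."""
    a, inv = a[:], pow(m[-1], -1, p)
    quo = [0] * max(len(a) - len(m) + 1, 0)
    while len(a) >= len(m):
        shift, c = len(a) - len(m), a[-1] * inv % p
        quo[shift] = c
        for i, mi in enumerate(m):
            a[shift + i] = (a[shift + i] - c * mi) % p
        trim(a)
    return trim(quo), a

def mulmod(a, b, m, p):
    r = [0] * max(len(a) + len(b) - 1, 0)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % p
    return divmod_poly(trim(r), m, p)[1]

def powmod(a, e, m, p):
    result = [1]
    while e:
        if e & 1:
            result = mulmod(result, a, m, p)
        a, e = mulmod(a, a, m, p), e >> 1
    return result

def gcd_poly(a, b, p):
    while b:
        a, b = b, divmod_poly(a, b, p)[1]
    return a

def is_smooth(f, bound, p):
    """True if every irreducible factor of non-zero f over F_p has degree <= bound."""
    f, h = trim([c % p for c in f]), [0, 1]   # h tracks x^(p^i) mod f
    for _ in range(bound):
        if len(f) <= 1:                       # only a constant is left: fully smooth
            break
        h = powmod(h, p, f, p)
        d = h + [0] * (2 - len(h))            # d = h - x
        d[1] = (d[1] - 1) % p
        g = gcd_poly(f, trim(d), p)           # distinct factors of degree dividing i
        while len(g) > 1:                     # strip them with their multiplicities
            f = divmod_poly(f, g, p)[0]
            g = gcd_poly(f, g, p)
    return len(f) <= 1
```

For example, `is_smooth([1, 0, 1, 1, 1], 2, 2)` is `False` because x^4 + x^3 + x^2 + 1 = (x + 1)(x^3 + x + 1) over 𝔽_2 has a cubic irreducible factor, while the same call with bound 3 is `True`.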