1: \documentclass[runningheads,oribibl]{llncs}
2: \usepackage[utf8]{inputenc}
3: \usepackage{amsmath,amsfonts,amssymb}
4: \usepackage{theorem}
5: \usepackage{url}
6: \usepackage{verbatim}
7:
8: \newcommand {\FF}{\mathbb {F}}
9: \newcommand {\N}{\mathbb {N}}
10: \newcommand {\Z}{\mathbb {Z}}
11: \newcommand {\F}{\mathcal {F}}
12: \newcommand {\C}{\mathcal {C}}
13: \newcommand {\M}{\mathcal {M}}
14: \newcommand {\Lat}{\mathcal {L}}
15: \newcommand {\sO}{\tilde{O}}
16: \newcommand {\ddiv}{\operatorname {div}}
17: \newcommand {\Norm}{\operatorname {N}}
18:
19: \spnewtheorem{heuristic}[theorem]{Heuristic}{\bfseries}{\itshape}
20: \spnewtheorem{algorithm}[theorem]{Algorithm}{\bfseries}{\itshape}
21: \spnewtheorem{heuprop}[theorem]{Heuristic Result}{\bfseries}{\itshape}
22: \spnewtheorem{prop}[theorem]{Proposition}{\bfseries}{\itshape}
23: \spnewtheorem*{heuproof}{Justification}{\itshape}{\rmfamily}
24:
25:
26: \title {An $L (1/3 + \varepsilon)$ Algorithm for the Discrete Logarithm
27: Problem for Low Degree Curves}
28:
29: \titlerunning{An $L (1/3 + \varepsilon)$ Algorithm for Discrete Logarithm
30: for Low Degree Curves}
31:
32: \author {Andreas Enge\inst{1} \and Pierrick Gaudry\inst{2}}
33:
34: \institute{INRIA Futurs \& Laboratoire d'Informatique (CNRS/UMR 7161)\\
35: École polytechnique, 91128 Palaiseau Cedex, France
36: \and
37: LORIA (CNRS/UMR 7503), Campus Scientifique, BP 239\\
38: 54506 Vand{\oe}uvre-lès-Nancy Cedex, France
39: }
40:
41:
42: \begin{document}
43: \maketitle
44:
45: \begin{abstract}
46: The discrete logarithm problem in Jacobians of curves of high genus
47: $g$ over finite fields $\FF_q$
48: is known to be computable with subexponential complexity $L_{q^g}(1/2,
49: O(1))$. We
50: present an algorithm for a family of plane curves whose degrees in $X$ and $Y$
51: are low with respect to the curve genus, and suitably unbalanced. The finite
52: base fields are arbitrary, but their sizes should not grow too fast compared to
53: the genus.
54: For this family, the group structure can be computed in subexponential time of
55: $L_{q^g}(1/3, O(1))$, and a discrete logarithm computation takes
56: subexponential time of $L_{q^g}(1/3+\varepsilon, o(1))$ for any
57: positive~$\varepsilon$. These runtime bounds
58: rely on heuristics similar to the ones used in the number field sieve or the
59: function field sieve algorithms.
60: \end{abstract}
61:
62:
63: \section {Introduction}
64:
65: The discrete logarithm problem in algebraic curves over finite fields has
66: been receiving particular attention since elliptic curves and
67: subsequently Jacobian groups of further algebraic curves have been
68: proposed for discrete logarithm based public key cryptosystems. Although
69: it is now clear that high genus curves are unsuitable for
70: cryptographic use, it remains crucial to study algorithms for solving
71: the discrete logarithm problem in those curves for several reasons.
72: The first reason is that having a better understanding of the situation
73: for high genus curves might lead to algorithmic improvements also in the
74: small genus case. The second reason is that the Weil descent
75: strategy of attacking the discrete logarithm problem in
76: elliptic curves defined over extension fields leads
77: to a discrete logarithm problem in the Jacobian of a high genus curve.
78: Therefore a better algorithm for high genus discrete logarithms naturally
79: becomes a potential threat to some elliptic curves.
80:
81: It turned out very early that the
82: discrete logarithm problem in high genus hyperelliptic curves (for instance
83: in the sense that the size $q$ of the base field is fixed, while the genus
84: $g$ tends to infinity) can be solved by a subexponential algorithm of
85: complexity $L_{q^g}(1/2, O(1))$. The first such algorithm was proposed in \cite
86: {AdDeHu94}. Like other subexponential algorithms, it consists of fixing a factor
87: base of small prime elements (here, prime divisors) and of creating
88: relations that correspond to the zero element modulo an equivalence
89: relation (here, equivalence of divisors modulo principal divisors). After
90: collecting sufficiently many relations and somehow introducing the base of
91: the discrete logarithm and the element whose logarithm is sought, linear
92: algebra yields the desired result.
93: Assuming that smooth elements, that is, elements decomposing over the
94: factor base, have the same density as for instance smooth integers or
95: polynomials, such algorithms usually end up with a complexity of
96: $L_{q^g}(1/2, O(1))$.
97:
98: The algorithm in \cite {AdDeHu94} creates relations by randomly taking low
99: degree functions (that are linear in $Y$ for the curve $Y^2 = f (X)$),
100: whose divisors are relations. Its analysis is only heuristic. The first
101: proven algorithms are given in \cite {MuStTh99} for the infrastructure of
102: real-quadratic hyperelliptic function fields and in \cite {Enge02} for
103: Jacobians of hyperelliptic curves. Relations are obtained in a process
104: similar to that of \cite {HaMc89} by taking random linear combinations of
105: factor base elements, reducing modulo the equivalence relation and checking
106: for smoothness. A rigorous analysis is derived from the lower bound on the
107: density of smooth divisors in \cite {EnSt02}. A generic description of a
108: similar algorithm can be found in \cite {EnGa02}; it applies to all class
109: groups in which a smoothness result is known. Heuristically, it obtains a
110: running time of $L_{q^g}(1/2, O(1))$ for the discrete logarithm problem in arbitrary
111: high genus curves; the smoothness result needed for a proof of the
112: complexity is, however, only available for hyperelliptic curves.
113:
114: A proven algorithm of complexity $L_{q^g}(1/2+\varepsilon, O(1))$ for very general curves over a
115: fixed field $\FF_q$ and with genus $g$ tending to infinity (with the only
116: restriction that the curves contain a rational point and that the
117: cardinality of the Jacobian group is bounded by $q^{g + O (\sqrt g)}$) is
118: given in \cite {Couveignes01}. Unlike previous algorithms, it appears to be
119: specific to algebraic curves and relies on a double randomisation, taking
120: random combinations of factor base elements and a random function in a
121: Riemann--Roch space. A relation is obtained whenever the divisor of this
122: function is smooth.
123: A more general algorithm is proposed in \cite{Hess04}
124: that yields a proven $L_{q^g}(1/2, O(1))$ complexity without any restriction on the
125: input curve.
126:
127: Another line of research on the discrete logarithm problem for algebraic
128: curves, started in \cite {Gaudry00} and not pursued in this article,
129: consists of fixing $g$ and having $q$ tend to infinity. This leads to
130: algorithms that are exponential, but faster than generic algorithms of
131: square root complexity as soon as $g \geq 3$, see \cite {GaThThDi07,Diem06}.
132:
133: In the light of algorithms of complexity $L(1/3)$ for the discrete
134: logarithm problem in finite fields as well as for factoring integers, it has
135: been an open problem to determine whether this complexity can be achieved
136: also for algebraic curves. In this article, we present the first
137: probabilistic algorithm of heuristic complexity $L_{q^g}(1/3, O(1))$ to
138: compute the group structure of certain
139: curves whose total degree is relatively small compared to their genus. When
140: introducing the two elements of the Jacobian for which the discrete
141: logarithm problem is to be solved, some sacrifice has to be made; we obtain
142: an algorithm of complexity bounded by
143: $L_{q^g}(1/3 + \varepsilon, o(1))$ for any positive constant
144: $\varepsilon$.
145:
146: The relation collection phase is the same as in \cite {AdDeHu94} and
147: consists of looking for smooth divisors of functions linear in $Y$.
148: By applying it to the curves of our special family, one readily obtains a lower
149: degree of the affine part of the intersection divisor than in the general case,
150: from which a complexity of $L_{q^g}(1/3, O(1))$ is derived.
151: For smoothing the two divisors involved in the discrete
152: logarithm problem, a process is employed that is similar to the one used
153: in the number field sieve or in the function field sieve. This is the
154: general {\em special-$Q$ descent} strategy (also related to the so-called
155: lattice sieving). Each divisor is partially smoothed into prime divisors of
156: degree less than the starting divisor. Then each such prime divisor $Q$ is
157: smoothed again into smaller prime divisors, and we iterate until every
158: divisor is rewritten in terms of elements of the factor base.
159: However, in our case it is necessary to add an arbitrarily small
160: constant $\varepsilon$ to the $1/3$ parameter to obtain a proper descent
161: phenomenon; otherwise, the process would get stuck after one step.
162:
163: Let us mention that subsequently to our algorithm, Diem has presented at
164: the 10th Workshop on Elliptic Curve Cryptography (ECC 2006) an algorithm based
165: on similar ideas, but with a quite different point of view. He manages to
166: obtain a complexity of $L (1/3, O (1))$ for the discrete logarithm phase, for
167: which our algorithm takes $L (1/3 + \varepsilon, o (1))$. We will show how to
168: reach a complexity of $L (1/3, O (1))$ for discrete logarithms in our setting
169: in the long, journal version.
170:
171: \paragraph{Acknowledgement.} We thank Claus Diem for his careful reading of
172: our article and many useful remarks.
173:
174: \section {Main idea}
175:
176: Before describing our algorithm with all its technical details on a
177: general class of curves, we sketch in this section the main idea yielding a
178: complexity of $L_{q^g}(1/3, O(1))$ for the relation collection
179: phase for a restricted class of curves. We provide a simplified analysis by
180: hand waving; Section~\ref {sec:smoothness} is devoted to a more precise
181: description of the heuristics used and of the smoothness properties needed
182: for the analysis.
183:
184: Let $\FF_q$ be a fixed finite field. We consider a family of $C_{ab}$ curves
185: over $\FF_q$, that is, curves of the form
186: \[
187: \C : Y^n + X^d + f (X, Y)
188: \]
189: without affine singularities such that
190: $\gcd (n, d) = 1$ and any monomial $X^i Y^j$ occurring in $f$ satisfies
191: $n i + d j < nd$.
192: Such a curve has genus $g = \frac {(n-1)(d-1)}{2}$; we assume that $g$
193: tends to infinity, and that $n \approx g^{1/3}$ and $d \approx g^{2/3}$
194: (we use the symbol $\approx$, meaning ``about the same size''
195: with no precise definition).
196: The non-singular model of a $C_{ab}$ curve has a unique point at infinity,
197: and it is $\FF_q$-rational; so there is a natural bijection between degree
198: zero divisors and affine divisors, and in the following, we shall only be
199: concerned with effective affine divisors. Choose as factor base $\F$ the
200: $L_{q^g}(1/3, O(1))$ prime divisors of smallest degree (that is, the prime
201: divisors up to a degree of $B \approx \log_q L_{q^g}(1/3, O(1))$).
202: To obtain relations, consider functions linear in $Y$ of the form
203: \[
204: \varphi = a (X) + b (X) Y
205: \]
206: with $a$, $b \in \FF_q [X]$, $\gcd (a, b) = 1$ and $\deg a$, $\deg b =
207: \delta \approx g^{1/3}$.
208: Whenever the affine part $\ddiv (\varphi)$ of the divisor of $\varphi$ is
209: smooth with respect to the factor base, it yields a relation, and we have
210: to estimate the probability of this event.
211:
212: Let $\Norm$ be the norm of the function field extension
213: $\FF_q (\C) = \FF_q (X)[Y] / (Y^n + X^d + f (X, Y))$ relative to $\FF_q (X)$.
214: The norm of $\varphi$ is computed, up to the sign $(-1)^n$ (which is irrelevant for smoothness), as
215: \begin {eqnarray*}
216: \Norm (\varphi) & = & \Norm (b) \Norm \left( Y + \frac {a}{b} \right) \\
217: & = & b^n \left( \left( -\frac {a}{b} \right)^n + X^d
218: + f \left( X, - \frac {a}{b} \right) \right) \\
219: & = & (-a)^n + b^n X^d + f^* (X),
220: \end {eqnarray*}
221: where each monomial $X^i Y^j$ occurring in $f$ is transformed into a
222: monomial $X^i (-a)^j b^{n-j}$ in~$f^*$.
223:
224: Since $\varphi$ is linear in $Y$, all prime divisors it contains are
225: totally split over $\FF_q (X)$, and $\varphi$ is $B$-smooth if and only if
226: its norm is.
227: We have
228: \[
229: \deg_X \Norm (\varphi)
230: \leq \max (n \deg a, n \deg b + d)
231: = n \delta + d
232: \approx g^{2/3}.
233: \]
234: Heuristically, we assume that the norm behaves like a random polynomial of
235: degree about $g^{2/3}$. Then it is $B$-smooth with probability
236: $1 / L_{q^g}(1/3, O(1))$ (this is the same theorem as the one stating that a random
237: polynomial of degree $g$ is $\log_q L_{q^g}(1/2, O(1))$-smooth with probability
238: $1 / L_{q^g}(1/2, O(1))$, cf., for instance, Theorem~2.1 of \cite {BePo98}).
239: Equivalently, we may observe that $\deg (\ddiv (\varphi)) = \deg_X (\Norm
240: (\varphi))$ and assume heuristically that $\ddiv (\varphi)$ behaves like a
241: random effective divisor of the same degree. Then the standard results on
242: arithmetic semigroups (cf. Section~\ref {sec:smoothness}) yield again that
243: $\ddiv (\varphi)$ is smooth with probability $1 / L_{q^g}(1/3, O(1))$.
244:
245: Thus, the expected time for obtaining $|\F| = L_{q^g}(1/3, O(1))$ relations is
246: $L_{q^g}(1/3, O(1))$, which is also the complexity of the linear algebra step for
247: computing the Smith normal form and thus the group structure of the
248: Jacobian. The complexity of the discrete logarithm problem is not
249: considered here; an analysis for the full algorithm is given in
250: Section~\ref {sec:logarithms}.
251:
252: It remains to show that the search space is sufficiently large to yield the
253: required $L_{q^g}(1/3, O(1))$ relations, or otherwise said, that the number of
254: candidates for $\varphi$ is at least $L_{q^g}(1/3, O(1))$. The number of
255: $\varphi$ is about
256: \begin {eqnarray*}
257: q^{2 \delta} & = & q^{2 g^{1/3}} = \exp (2 g^{1/3} \log q) \\
258: & < & \exp (2 (g^{1/3} (\log q)^{1/3}) (\log (g \log q))^{2/3})
259: = L_{q^g}(1/3, O(1)).
260: \end {eqnarray*}
261:
262: The previous inequality in the place of the desired equality shows that a
263: more rigorous analysis requires a more careful handling of the $\log q$
264: factors; in particular, $\delta$ has to be slightly increased. Moreover,
265: the constant exponent in the subexponential function needs to be taken into
266: account. This motivates the following section, in which we examine in more
267: detail the smoothness heuristics and results that are needed for the
268: algorithm.
269:
270:
271:
272: \section {Smoothness}
273: \label {sec:smoothness}
274:
275: The algorithm presented in this article relies on finding relations as
276: smooth divisors of random polynomial functions of low degree. We suppose
277: that all curves are given by an absolutely irreducible plane affine model
278: \[
279: \C : F (X, Y)
280: \]
281: with $F \in \FF_q [X, Y]$, where $\FF_q$ is the exact constant field of
282: the function field of $\C$.
283: The factor base $\F$ consists essentially of the places of degree bounded by
284: some parameter $\mu$, with a few technical modifications. Precisely, $\F$ is
285: composed of the following places:
286: \begin {itemize}
287: \item
288: the places corresponding to the resolution of singularities, regardless of
289: their degrees, whose number is bounded by $\frac {(d-1)(d-2)}{2}$ with $d =
290: \deg F$. By including them in $\F$, the algorithm can be described as if the curves
291: were non-singular.
292: \item
293: the infinite places corresponding to non-singular points, regardless of their
294: degrees, whose number is bounded by $d$ by Bézout's theorem. By adding them,
295: it becomes sufficient to only examine the affine part of any divisor.
296: \item
297: places of degree bounded by some parameter $\mu$ and of inertia degree $1$
298: with respect to the function field extension $\FF_q (X)[Y] / (F)$ over $\FF_q
299: (X)$. Otherwise said, places corresponding to prime ideals of the form $(u, Y
300: - v)$ with $u \in \FF_q [X]$ irreducible of degree at most $\mu$ and $v \in
301: \FF_q [X]$ of degree less than $\deg u$; the inertia degree is in fact the
302: degree of the second generator in $Y$. Due to the way relations are obtained
303: in the algorithm, no places of higher inertia degree may occur.
304: \end {itemize}
305:
306: A divisor is called $\F$-smooth if it can be decomposed over the factor
307: base; thus only its affine part plays a role, and for polynomial functions,
308: this is an effective (i.e. non-negative) divisor. An effective divisor is
309: called $\mu$-smooth if it is composed only of places of degree up to $\mu$.
310: To be able to analyse the smoothness probability, we need the
311: following reasonable assumption.
312:
313: \begin {heuristic}
314: \label {heu1}
315: Let $D$ be the divisor of a uniformly randomly chosen polynomial of the form
316: $b (X) Y - a (X)$ and $\nu$ the degree of its affine part. Then the
317: probability of $D$ to be $\F$-smooth is the same as that of a random effective
318: divisor of degree $\nu$ to be $\mu$-smooth.
319: \end {heuristic}
320:
321: Heuristic~\ref {heu1} covers the relation collection phase. For computing
322: discrete logarithms, arbitrary non-principal divisors need to be smoothed, and
323: another assumption is needed.
324:
325: \begin {heuristic}
326: \label {heu2}
327: The probability of a uniformly randomly chosen effective divisor of degree
328: $\nu$ to be $\F$-smooth is essentially the same as that of being $\mu$-smooth.
329: \end {heuristic}
330:
331: Heuristic~\ref {heu2} claims in fact that places of inertia degree larger
332: than~$1$ do not play a role for smoothness considerations.
333: In the analogous case
334: of number fields this is justified by the observation that these places have a
335: Dirichlet density of~$0$, and the situation is completely analogous for
336: function fields: A place of degree $\mu$ and inertia degree $f$ dividing $\mu$
337: corresponds to a closed point on $\C$ with $X$-coordinate in $\FF_{q^{\mu/f}}$
338: and $Y$-coordinate in $\FF_{q^\mu}$, of which there are on the order of
339: $q^{\mu/f}$. Clearly, places with $f \geq 2$ are completely negligible.
340:
341: The probability of $\mu$-smoothness is ruled by the usual results on
342: smoothness probabilities in arithmetic semigroups such as the integers or
343: polynomials over a finite field, cf. \cite {Manstavicius92}.
344:
345: Unfortunately, most results in the literature assume a fixed semigroup and
346: give asymptotics for $\mu$ and $\nu$ tending to infinity, whereas we need
347: information that is uniform over an infinite family of curves. Theorem~13
348: of \cite {Hess04} provides such a result:
349:
350: \begin {theorem}[He\ss]
351: \label {th:hess}
352: Let $0 < \varepsilon < 1$, $\gamma = \frac {3}{1 - \varepsilon}$ and $\nu$,
353: $\mu$ and $u = \frac {\nu}{\mu}$ such that
354: $3 \log_q (14 g + 4) \leq \mu \leq \nu^\varepsilon$ and
355: $u \geq 2 \log (g + 1)$.
356: Denote by $\psi (\nu, \mu)$ the number of $\mu$-smooth effective divisors of
357: degree $\nu$. Then for $\mu$ and $\nu$ sufficiently large (with an explicit
358: bound depending only on $\varepsilon$, but not on $q$ or $g$),
359: \[
360: \frac {\psi (\nu, \mu)}{q^\nu} \geq e^{- u \log u \left( 1 +
361: \frac {\log \log u + \gamma}{\log u} \right)}
362: = e^{- u \log u (1 + o (1))}.
363: \]
364: \end {theorem}
365:
366: Notice that the proof of Theorem~\ref {th:hess}, similar in spirit to that for
367: hyperelliptic curves in \cite{EnSt02}, is entirely combinatorial and relies on
368: the fact that there are essentially $q^\mu / \mu$ places of degree $\mu$.
369: So we expect the result to hold even if one restricts to places of inertia
370: degree~$1$.
371:
372: Denote by
373: \[
374: L (\alpha, c) = L_{q^g} (\alpha, c)
375: = e^{c (g \log q)^\alpha (\log (g \log q))^{1 - \alpha}}
376: \]
377: for $0 \leq \alpha \leq 1$ and $c > 0$
378: the subexponential function with respect to $g \log q$, and
379: let
380: \[
381: \M = \M_{q^g} = \log_q (g \log q) = \frac {\log (g \log q)}{\log q}.
382: \]
383: The parameter $g \log q$ will be the input size for the class of curves
384: we consider; more intrinsically, this is
385: the logarithmic size
386: of the group in which the discrete logarithm problem is defined.
387:
388: \begin {prop}
389: \label {prop:smoothness}
390: Let
391: $
392: \nu = \lfloor \log_q L (\alpha, c) \rfloor
393: = \lfloor c g^\alpha \M^{1 - \alpha} \rfloor
394: $
395: and
396: $
397: \mu = \lceil \log_q L (\beta, d) \rceil
398: = \lceil d g^\beta \M^{1 - \beta} \rceil
399: $
400: with $0 < \beta < \alpha \leq 1$ and $c$, $d > 0$.
401: Assume that there is a constant
402: $\delta > \frac {1 - \alpha}{\alpha - \beta}$ such that
403: $g \geq (\log q)^\delta$.
404: Then for $g$ sufficiently large,
405: \[
406: \frac {\psi (\nu, \mu)}{q^\nu} \geq L \left( \alpha - \beta, - \frac {c}{d}
407: (\alpha - \beta) + o (1) \right),
408: \]
409: where $o (1)$ is a function that is bounded in absolute value by a constant
410: (depending on $\alpha$, $\beta$, $c$, $d$ and $\delta$) times
411: $\frac {\log \log (g \log q)}{\log (g \log q)}$.
412: \end {prop}
413:
414: \begin {proof}
415: One computes, using $g / \M = g \log q / \log (g \log q)$,
416: \[
417: u = \frac {\nu}{\mu}
418: \leq \frac {c \, g^\alpha \M^{1 - \alpha}}{d \, g^\beta \M^{1 - \beta}} = \frac {c}{d} \left( \frac {g \log q}{\log (g \log q)}
419: \right)^{\alpha - \beta}
420: \]
421: (the inequality being due only to the rounding of $\nu$ and $\mu$),
422: \[
423: \log u = (\alpha - \beta) \log (g \log q) (1 + o (1))
424: \]
425: and
426: \[
427: \frac {\log \log u}{\log u} = o (1),
428: \]
429: with both $o (1)$ terms being of the form stipulated in the proposition.
430: Hence $u \log u \leq \frac {c}{d} (\alpha - \beta) (g \log q)^{\alpha - \beta} (\log (g \log q))^{1 - (\alpha - \beta)} (1 + o (1))$, and applying Theorem~\ref {th:hess} yields the desired result. Its
431: prerequisites are satisfied since
432: \begin {eqnarray*}
433: \overline \lim_{g \to \infty} \frac {\log \mu}{\log \nu}
434: & = & \overline \lim_{g \to \infty} \frac {\beta \log g - (1 - \beta) \log
435: \log q}{\alpha \log g - (1 - \alpha) \log \log q} \\
436: & \leq & \overline \lim_{g \to \infty} \frac {\beta \log g}{\alpha \log g -
437: \frac {1 - \alpha}{\delta} \log g} \\
438: & = & \frac {\beta}{\alpha - \frac {1 - \alpha}{\delta}}
439: =: \varepsilon < 1
440: \end {eqnarray*}
441: because of the definition of $\delta$.
442: Notice further that $g \to \infty$ is equivalent to $g \log q \to \infty$,
443: and that also $\mu$ and $\nu$ tend to infinity when $g$ does.
444: \hfill \qed
445: \end {proof}
446:
447: The choice of $\mu$ is meant to ensure that the factor base size, that is about
448: $q^\mu$, becomes subexponential. But the necessary rounding of $\mu$, which
449: may increase $q^\mu$ by a factor of almost $q$, may result in more than
450: subexponentially many elements in the factor base when $q$ grows too fast
451: compared to~$g$.
452:
453: \begin {prop}
454: \label {prop:subexponentiality}
455: Let $0 < \beta < 1$ and $\delta > \frac {1 - \beta}{\beta}$.
456: If $g \geq (\log q)^\delta$, then
457: $q = L (\beta, o (1))$ for $g \to \infty$.
458: In particular,
459: $\delta > \max \left( \frac {1 - \alpha}{\alpha - \beta}, \frac {1 -
460: \beta}{\beta} \right)$ in Proposition~\ref {prop:smoothness} implies that
461: $q^\mu = L (\beta, d + o (1))$.
462: \end {prop}
463:
464: \begin {proof}
465: To verify the first assertion, one computes
466: \begin {eqnarray*}
467: q & = & e^{\log q} = e^{(\log q)^{1 - \beta} (\log q)^\beta} \\
468: & \leq & e^{g^{(1 - \beta) / \delta} (\log q)^\beta (\log (g \log q))^{1 -
469: \beta}} \\
470: & = & e^{(g \log q)^\beta (\log (g \log q))^{1 - \beta}
471: g^{\frac {1 - \beta}{\delta} - \beta}},
472: \end {eqnarray*}
473: and $g^{\frac {1 - \beta}{\delta} - \beta} \to 0$
474: since $\frac {1 - \beta}{\delta} - \beta < 0$.
475: The second assertion is obvious.
476: \hfill \qed
477: \end {proof}
478:
479:
480: \section {Computing the group structure}
481: \label{sec:grp}
482:
483: This section is concerned with the relation collection phase of the discrete
484: logarithm algorithm; an immediate application is the computation of the
485: cardinality and the group structure of the Jacobian of the curve.
486: Relation collection is virtually identical to the process described for
487: hyperelliptic curves in \cite {AdDeHu94}; the running time of $L (1/3,
488: O(1))$ is
489: obtained by applying it to a particular class of curves that are of relatively
490: low degree with respect to their genus and for which the degrees in $X$ and
491: $Y$ of a plane model are balanced in a certain way.
492:
493: We consider absolutely irreducible curves over finite fields $\FF_q$ of
494: characteristic $p$ of the form
495: \[
496: \C : Y^n + F (X,Y)
497: \]
498: with $F (X, Y) \in \FF_q [X, Y]$ of degree $d$ in $X$ and at most $n-1$ in $Y$.
499: The function field extension $\FF_q (\C) = \FF_q (X)[Y] / (Y^n+F(X,Y))$ over $\FF_q
500: (X)$ is supposed to be separable (which is for instance the case if
501: $p \nmid n$).
502:
503: Most importantly, the degrees $n$ and $d$ are related to the genus $g$ by
504: \[
505: n \leq n_0 g^{1/3} \M^{-1/3} \text { and } d \leq d_0 g^{2/3} \M^{1/3}
506: \]
507: where $\M = \frac {\log (g \log q)}{\log q}$ and
508: $n_0$, $d_0$ are some positive constants.
509:
510: For instance, $\C$ may be a $C_{ab}$ curve of degree $n \sim g^{1/3}
511: \M^{-1/3}$ in $Y$ and $d \sim 2 g^{2/3} \M^{1/3}$ in $X$.
512:
513: For the running time analysis, we will want to apply Propositions~\ref
514: {prop:smoothness} and \ref {prop:subexponentiality} with $\alpha = 2/3$ and
515: $\beta = 1/3$; so we have to assume that the curves belong to a family
516: satisfying $g \geq (\log q)^\delta$ for some $\delta > 2$.
517:
518: \goodbreak
519: \begin {algorithm}[Group structure]\label{algo:grp} \\
520: \textbf {Input:} a curve $\C$ as above
521:
522: \noindent
523: \textbf {Output:} $h = |J_{\C} (\FF_q)|$ and divisors
524: $D_1, \ldots, D_r$ with their orders $h_1, \ldots, h_r$
525: s.t. $J_{\C} (\FF_q) = \langle D_1 \rangle \times \cdots \times
526: \langle D_r \rangle$
527:
528: \begin {enumerate}
529: \item
530: Compute an approximation of $h$ within a factor of $2$, that is,
531: $h_-$ and $h_+$ s.t.
532: \[
533: h_- < h < h_+ \text { and } h_+ \leq 2 h_-.
534: \]
535: \item
536: Fix a smoothness bound $B = \lceil \log_q L (1/3, \rho) \rceil$
537: (with a parameter $\rho$ to be determined later) and compute the factor base
538: $\F$ consisting of all affine prime divisors of $\C$ of degree at most $B$ as
539: well as all infinite prime divisors
540: and prime divisors corresponding to singularities
541: regardless of their degrees. Let $t =
542: |\F|$ and $\F = \{ P_1, \ldots, P_t \}$.
543: \item
544: Start with an empty matrix of relations $R$ and repeat the following step
545: until $s \ge 2t$ relations are obtained (in practice, $s$ slightly larger
546: than $t$ should suffice):
547:
548: Draw uniformly at random a function
549: \[
550: \varphi = b (X) Y - a(X) \in \FF_q (\C)
551: \]
552: with $a$, $b \in \FF_q [X]$ of degree at most
553: \[
554: m = \lfloor \sigma g^{1/3} \M^{2/3} \rfloor
555: \]
556: (with a parameter $\sigma$ to be determined later). If its divisor is
557: $\F$-smooth, that is,
558: \[
559: \ddiv \varphi = \sum_{i=1}^t e_i P_i,
560: \]
561: add a column $(e_1, \ldots, e_t)^T$ to the matrix $R$.
562: \item
563: Compute the rank of $R$; if it is less than $t$, declare failure and stop.
564: \item
565: Compute the Smith normal form $S = \operatorname {diag} (h_r, \ldots, h_1, 1,
566: \ldots, 1)$ of $R$, where $1 \neq h_1 | h_2 | \cdots | h_r$, and
567: unimodular transformation matrices $T \in \Z^{t \times t}$ and
568: $U \in \Z^{s \times s}$ s.t.
569: $T R U = (S | 0)$.
570:
571: Let $h = h_1 \cdots h_r$. If $h \geq h_+$, declare failure and stop.
572:
573: Otherwise return $h$, $D_1, \ldots, D_r$ s.t.
574: \[
575: (D_r, \ldots, D_1, 0, \ldots, 0) = (P_1, \ldots, P_t) \, T^{-1}
576: \]
577: (so that $D_i$ has order $h_i$, matching the order of the diagonal of $S$) and $h_1, \ldots, h_r$.
578: \end {enumerate}
579: \end {algorithm}
580:
581: That the algorithm is correct follows from standard arguments such as given in
582: \cite{AdDeHu94,Enge02,EnGa02}. It remains to
583: prove its failure probability and running time. We also have to show that
584: there actually are subalgorithms to carry out the different steps; these are
585: given together with the following running time analysis.
586:
587: \begin {enumerate}
588: \item
589: An approximation $\tilde h$ of $h$ can be obtained by appropriately truncating
590: the $L$-series of the curve as in \cite [Section~6]{Hess04}. The necessary
591: counting of the number of points on the curve over a small number of extension
592: fields is shown in \cite {Hess04} to be polynomial in $g$ and $\log q$
593: for curves of degree in $O (g)$. The bounds on $h$ are then given by $h_- =
594: \tilde h / \sqrt 2$ and $h_+ = \sqrt 2 \tilde h$.
595: \item
596: The affine prime divisors of degree up to $B$ are obtained by enumerating all
597: irreducible monic polynomials $f \in \FF_q [X]$ of degree up to $B$ and
598: factoring
599: $Y^n + F (X, Y)$ over
600: $\FF_q [X] / (f) [Y]$. Each factor of degree $w$ yields a prime divisor of
601: degree $w \deg f$.
602: Altogether, these factorisations can be carried out by $O (q^B)$ repetitions
603: of a randomised algorithm with an expected running time that is polynomial in
604: $n$, $B$ and $\log q$, and thus ultimately in $g \log q$. Since polynomial
605: terms are in $L (1/3, o (1))$, they can be neglected, and we retain only the
606: term $O (q^B)$ for the remainder of the analysis.
607:
608: The number of singular places is bounded by $O ((n d)^2) = O(g^2)$ using the
609: genus formula for a plane curve. They can be fully described in polynomial
610: time, by computing the desingularisation trees of the singular points
611: (see for instance~\cite{Hache96}).
612:
613: The non-singular places at infinity are included in the intersection of the
614: projective curve with the line $Z = 0$, which has at most $O (nd) = O (g)$
615: elements by Bézout's theorem, and these are also computable in polynomial
616: time.
617:
618: So this step terminates with a factor base of size
619: \[
620: t = O \left( n q^B \right) = L (1/3, \rho + o (1))
621: \]
622: that is computed in time $L (1/3, \rho + o (1))$.
623: \item
624: To estimate the smoothness probability of $\ddiv \varphi$ under Heuristic~\ref
625: {heu1}, we need to compute the degree of its affine part. Denote the affine
626: degree of a divisor by $\deg_\text {aff}$.
627: Let $\sigma_1, \ldots, \sigma_n$ be the different embeddings of $\FF_q (\C)$
628: into its Galois closure (that exists because the function field extension is
629: assumed to be separable). Since the $\sigma_i$ fix $\FF_q (X)$, they send affine
630: to affine and infinite to infinite prime divisors. Hence, all the
631: $\deg_\text {aff} (\varphi^{\sigma_i})$ are the same and given by
632: \[
633: \deg_\text {aff} \varphi
634: = \frac {1}{n} \deg_\text {aff} \Norm_{\FF_q (\C) / \FF_q (X)} (\varphi)
635: = \deg_X \Norm (\varphi).
636: \]
637: The norm of $\varphi$ is computed as
638: $\Norm (\varphi) = \operatorname {Res}_Y (\varphi, Y^n+F(X,Y))$, and its degree in $X$
639: is bounded from above by
640: \[
641: \deg_X \varphi \cdot \deg_Y \C + \deg_Y \varphi \cdot \deg_X \C
642: = n m + d.
643: \]
644: The divisor of $\varphi$ is $B$-smooth if and only if its norm is; this test
645: as well as the decomposition of a smooth $\ddiv \varphi$ into prime divisors
646: boils down to a factorisation of the norm in $\FF_q [X]$ and takes random
647: polynomial time.
648:
649: Let $\tau = (n_0 \sigma + d_0) / 3$.
650: Applying Propositions~\ref {prop:smoothness} and \ref {prop:subexponentiality}
651: under Heuristic~\ref {heu1} with
652: $n m + d \leq 3 \tau g^{2/3} \M^{1/3}$ in the place of $\nu$
653: and $B = \lceil \rho g^{1/3} \M^{2/3} \rceil$ in the place of $\mu$ shows that
654: a relation is obtained on average in time
655: $
656: L \left( 1/3, \frac {\tau}{\rho} + o (1) \right),
657: $
658: so that this step takes overall
659: \[
660: L \left( 1/3, \frac {\tau}{\rho} + \rho + o (1) \right).
661: \]
662: \item and 5.
663: Since all entries of the matrix are of bit size polynomial in $g \log q$, its
664: rank and Smith normal form can be computed in quartic time according to
665: \cite[Proposition~8.10]{Storjohann00}, that is in
666: \[
667: L (1/3, 4 \rho + o (1)).
668: \]
669: \end {enumerate}
670:
671: The total running time of the algorithm thus becomes
672: \[
673: L \left( 1/3, \max \left( \frac {\tau}{\rho} + \rho, 4 \rho \right) + o (1)
674: \right)
675: \]
676: with
677: $\tau = (n_0 \sigma + d_0) / 3$.
678:
679: For any fixed $\sigma$ (and thus $\tau$), the value of $\rho$ that
680: minimises the running time is $\rho = \sqrt {\tau / 3}$ and we get a
681: complexity of $L \left( 1/3, \frac {4 \sqrt \tau}{\sqrt 3} + o (1) \right)$.
682:
683: Now $\tau$ is not a completely free parameter; it is connected to the success
684: probability of the algorithm.
685: It is in fact not clear whether the algorithm has a non-zero success
686: probability at all; as in \cite {AdDeHu94}, it is already unknown whether the
687: principal divisors of the special form considered in Step~3. generate the full
688: relation lattice. The analysis of the proven subexponential algorithm in \cite
689: {Enge02}, for instance, exploits the fact that the created relations are
690: essentially uniformly distributed among all possible relations in a hypercube
691: of side length about $|J_{\C} (\FF_q) |$. Since all our relations are sparse,
692: this line of argumentation definitely cannot be applied; as in \cite
693: {AdDeHu94},
694: the non-negligible success probability of the algorithm can only be
695: conjectured (and notice also that it does not follow from a smoothness
696: assumption such as Heuristic~\ref {heu1}).
697:
A necessary condition for the success of the algorithm is nonetheless that the
number of candidate functions $\varphi$ available for smoothness testing in
Step~3. be at least as large as the number of tests, since otherwise the matrix
is filled with redundant multiple relations. Thus we need
702: $q^{2m} \geq L \left( 1/3, \frac {4 \sqrt \tau}{\sqrt 3} \right)$ or, taking
703: logarithms,
704: \[
705: 2 \sigma \geq \frac {4}{\sqrt 3} \sqrt \tau = \frac {4}{3}
706: \sqrt {n_0 \sigma + d_0},
707: \]
708: which holds asymptotically for $\sigma \to \infty$. Precisely, the optimal
709: value of $\sigma$ is the positive solution of the quadratic equation
710: $\sigma^2 - \frac {4}{9} n_0 \sigma - \frac {4}{9} d_0 = 0$.
711:
712:
713: \section{Computing discrete logarithms}
714: \label{sec:logarithms}
715:
716: In order to smooth the basis of the discrete logarithm and the element whose
717: logarithm is sought, we are going to perform a special-Q descent with a
718: slightly larger subexponentiality parameter $1/3+\varepsilon$. Let us first
719: describe an algorithm that does one step of the special-Q descent and that
720: will be used as a building block by the final algorithm.
721:
722: \begin{heuprop}\label{prop:descent}
723: Let $Q$ be an affine prime divisor of
724: the curve
725: $\C$ of the form
726: $\ddiv(u(X),Y-v(X))$, with $\deg u(X)\le \log_q L(1/3+t, c)$ for some
727: constants $c>0$ and $\varepsilon < t\le 1/3-\varepsilon$.
728: There is an algorithm that finds a divisor $R$ equivalent to $Q$ such that all
729: prime divisors of $R$ are either in $\F$ or have a degree bounded by $\log_q
730: L(1/3+t-\varepsilon, c')$, and such that all these
731: prime divisors are of the form $\ddiv (u_i(X), Y - v_i(X))$.
732: The heuristic expected running time is bounded by
733: $L(1/3+\varepsilon, \frac{cn_0}{c'}(1/3+\varepsilon + o(1)))$.
734: \end{heuprop}
735:
736: \begin{heuproof}
737: Let us consider the set $\Lat_Q$ of functions of the form $a(X) + b(X)Y$ whose
738: divisors contain $Q$ in their support. In other words, this is the
739: $\FF_q[X]$-lattice
740: $$ \Lat_Q = \{ a(X) + b(X)Y\ :\ u(X) | a(X) + v(X)b(X) \}.$$
741: A basis of this lattice is given by the two vectors $b_1 = u(X)$
742: and $b_2 = -v(X) + Y$.
743: Hence,
744: $$ \Lat_Q = \{ \lambda(X) b_1 + \mu(X) b_2\ : \ \lambda, \mu \in \FF_q[X]
745: \}.$$
746: When $\lambda$ and $\mu$ are taken of degree at most $\delta = \log_q
747: L(1/3+t, c)$, the
748: function $\varphi$ corresponding to $\lambda(X) b_1 + \mu(X) b_2$ has the
749: form $a(X)+b(X)Y$ with $a$ and $b$ of degree $\Delta \le 2\log_q
750: L(1/3+t, c)$. The degree of the norm of $\varphi$ is then $\Delta n + d$,
751: which is dominated by $\log_q L(2/3+t, cn_0)$.
752:
753: We rely now on Heuristic~\ref{heu1} that says that the zero divisor of the
754: function has the same smoothness properties as a random effective
755: divisor of the same degree, and apply Proposition~\ref{prop:smoothness}.
756: Therefore the expected number of functions one has to try before having
757: found one whose divisor is $\log_q L(1/3+t-\varepsilon, c')$-smooth is
758: $$ L\left(1/3+\varepsilon, \frac{cn_0}{c'}(1/3+\varepsilon + o(1))\right).$$
759:
760: The fact that the prime divisors that we obtain are of the same
761: form as $Q$ comes from the shape of the function we have chosen.
762:
763: It remains to check that the number of functions we can test in the
764: lattice is large enough compared to this expected number of tests. With
our choice of $\delta$, the size of the sieving space is $L(1/3+t, 2c)$, which
is larger than any $L(1/3+\varepsilon)$ since $t$ is greater than
$\varepsilon$.
768: \hfill \qed
769: \end{heuproof}
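The norm computation of Step~3 (the resultant $\operatorname{Res}_Y(\varphi, Y^n + F(X,Y))$ and the factorisation of the norm in $\FF_q[X]$) and the lattice $\Lat_Q$ of the proof above, carried out on a toy instance as an added example that is not part of the paper. It assumes a constructed curve $Y^3 + X^4 + 6X^3 + 6 = 0$ over $\FF_7$ with the constructed place $Q = \ddiv(X^2+1, Y - X)$, and replaces a full factorisation by a distinct-degree factorisation, since only the degrees of the irreducible factors matter for the smoothness test; the names \texttt{descent\_step}, \texttt{norm} and \texttt{largest\_factor\_degree} are the example's own.

```python
import itertools, functools

P, N = 7, 3                  # constructed: base field F_7, curve of degree 3 in Y
# constructed curve Y^3 + X^4 + 6X^3 + 6 = 0; F_COEFFS[i] = coefficient of Y^i in F(X, Y)
F_COEFFS = [[6, 0, 0, 6, 1], [0], [0]]
U, V = [1, 0, 1], [0, 1]     # constructed place Q = div(X^2 + 1, Y - X) on that curve
# arithmetic in F_P[X]; a polynomial is its list of coefficients, constant term first
def trim(f):
    f = [c % P for c in f]
    return f[:max(i + 1 for i, c in enumerate(f) if c)] if any(f) else [0]
def deg(f): return len(trim(f)) - 1 if trim(f) != [0] else -1
def add(f, g): return trim([x + y for x, y in itertools.zip_longest(f, g, fillvalue=0)])
def neg(f): return trim([-c for c in f])
def mul(f, g):
    out = [0] * (len(f) + len(g) - 1)
    for (i, x), (j, y) in itertools.product(enumerate(f), enumerate(g)):
        out[i + j] += x * y
    return trim(out)
def pw(f, k): return functools.reduce(mul, [f] * k, [1])
def divmod_(f, g):           # g != 0; returns (quotient, remainder)
    f, g = trim(f), trim(g)
    inv, q = pow(g[-1], P - 2, P), [0] * (max(deg(f) - deg(g), 0) + 1)
    while deg(f) >= deg(g):
        k, c = deg(f) - deg(g), f[-1] * inv % P
        q[k] = c
        f = add(f, neg(mul([0] * k + [c], g)))
    return trim(q), f
def gcd(f, g):
    while deg(g) >= 0:
        f, g = g, divmod_(f, g)[1]
    return trim(f)
def powmod(f, e, m):         # f^e mod m by square and multiply
    r, f = [1], divmod_(f, m)[1]
    while e:
        r = divmod_(mul(r, f), m)[1] if e & 1 else r
        f, e = divmod_(mul(f, f), m)[1], e >> 1
    return r

def largest_factor_degree(f):
    """Largest degree of an irreducible factor of f (f is B-smooth iff this is <= B),
    by distinct-degree factorisation: gcd(f, X^(p^i) - X) holds the factors of degree | i."""
    f, h, i, best = trim(f), [0, 1], 0, 0
    while deg(f) >= 2 * (i + 1):
        i += 1
        h = powmod(h, P, f)                      # X^(p^i) mod f
        g = gcd(f, add(h, [0, P - 1]))
        while deg(g) > 0:                        # strip every power of these factors
            best, f = i, divmod_(f, g)[0]
            g = gcd(f, g)
        h = divmod_(h, f)[1]
    return max(best, deg(f))                     # what is left is irreducible

def norm(a, b):
    """Res_Y(a + bY, Y^N + F) = (-a)^N + sum_i F_i(X) (-a)^i b^(N-i), a polynomial in X."""
    terms = [mul(fi, mul(pw(neg(a), i), pw(b, N - i))) for i, fi in enumerate(F_COEFFS)]
    return functools.reduce(add, terms, pw(neg(a), N))

def descent_step(u, v, delta, bound):
    """One special-Q step: enumerate phi = lambda*u + mu*(Y - v) (the lattice L_Q, basis
    b1 = u, b2 = Y - v) over deg lambda, mu <= delta; return (a, b, cofactor) for the first
    phi = a + bY whose norm is `bound`-smooth once the known factor u is divided out."""
    for lam, mu in itertools.product(itertools.product(range(P), repeat=delta + 1), repeat=2):
        a, b = add(mul(list(lam), u), neg(mul(list(mu), v))), trim(list(mu))
        if deg(b) < 0:                           # mu = 0: phi depends on X only, skip
            continue
        cofactor, rem = divmod_(norm(a, b), u)   # rem == 0 since Q lies in div(phi)
        if largest_factor_degree(cofactor) <= bound:
            return a, b, cofactor
    return None
```

With $\delta = 0$ the first function found is $\varphi = Y - X$, whose norm $X^4 + 6 = (X^2+1)(X-1)(X+1)$ expresses $Q$ through two rational places and $P_\infty$.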
770:
771: This result suffices to carry out a full descent if one can initialise
772: the process and finish it once smoothness is reached up to a
773: $t<\varepsilon$. The next two heuristic results explain these steps.
774:
775: \begin{heuprop}\label{prop:finaldescent}
776: Assume that $\rho>(\frac13+\varepsilon)\frac{n_0}{2}$.
777: Let $Q$ be an affine prime divisor of $\C$ of the form $\ddiv (u (X),
778: Y-v(X))$, with $\deg u(X)\le \log_q L(1/3+t, c)$, for some
779: constants $c>0$ and $0 < t\le \varepsilon$.
780: There is an algorithm that finds a divisor $R$ equivalent to $Q$ such
781: that all prime
782: divisors of $R$ are in $\F$ (defined with this value of $\rho$),
783: and such that all these
784: prime divisors are of the form $\ddiv (u_i(X), Y - v_i(X))$. The
785: heuristic expected running time is bounded by
786: $L\left(1/3+t, (1/3+t)\frac{cn_0}{\rho}+o(1)\right).$
787: \end{heuprop}
788:
789: \begin{heuproof}
790: Let us consider the same lattice $\Lat_Q$ as in the proof of
791: Proposition~\ref{prop:descent}. Assume that $\lambda$ and $\mu$ are taken
792: of degree at most $\delta = \log_q L(1/3 + t, c)$, then, as before, the
793: norm of the corresponding functions are of degree bounded by $\log_q
794: L(2/3 + t, cn_0)$. Using again Heuristic~\ref{heu1}, one gets by
795: Proposition~\ref{prop:smoothness} that a $\log_q L(1/3, \rho)$-smooth
796: divisor can be obtained in heuristic expected time
797: $$ L\left(1/3 + t, (1/3+t)\frac{cn_0}{\rho}+o(1)\right).$$
798:
799: One has to check that we have enough possibilities for $\lambda$ and
800: $\mu$ to cover this search. The sieving space is $q^{2\delta} = L(1/3+t,
801: 2c)$. Therefore it is large enough if $2c > (1/3+t)\frac{cn_0}{\rho}$,
that is if $\rho > (1/3+t)\frac{n_0}{2}$. Since $t \le \varepsilon$, this is
guaranteed by our hypothesis on $\rho$.
804: \hfill \qed
805: \end{heuproof}
806:
807: \begin{heuprop}\label{prop:hm}
Let $D$ be a degree 0 divisor and $\sum_P e_P P$ its decomposition into prime
divisors such that $\sum_P |e_P| \in O (g)$.
810: Then there is an algorithm that finds a divisor $R$ equivalent to $D$ such
811: that all prime divisors of $R$ are of the form $\ddiv (u_i(X), Y -
812: v_i(X))$ with $\deg u_i(X) \le \log_q L(2/3-\varepsilon, c)$.
813: The heuristic expected running time is bounded by
814: $L(1/3+\varepsilon, (1/3+\varepsilon)\frac1c+o(1))$.
815: \end{heuprop}
816:
817: \begin{heuproof}
818: In order to smooth $D$, we apply the classical Hafner-McCurley strategy: a
819: random linear combination of elements of the factor base is added to $D$,
820: and the obtained divisor is tested for smoothness. Each test takes
821: polynomial time since the effective group law in the Jacobian reduces to
822: computing Riemann-Roch spaces as in \cite{Hess02}.
823:
824: Following Heuristic~\ref{heu2}, the additional restriction on the form of the
825: prime divisors has no influence on the running time, and the desired result
826: follows from Proposition~\ref{prop:smoothness}.
827: \hfill \qed
828: \end{heuproof}
829:
830:
831: Armed with these heuristic partial smoothing results, we can now derive a full
832: special-Q descent algorithm. Let us fix a constant $\varepsilon>0$, a
833: parameter of the algorithm. This $\varepsilon$ is to be thought of as small
834: (and of course $\varepsilon<1/6$). The algorithm assumes that
835: Algorithm~\ref{algo:grp} has been run as a precomputation,
836: with a value
837: of $\rho$ that is larger than a bound given below. Similarly, the
838: constants $c_0$ and $c_K$ are made explicit below.
839:
840: \begin{algorithm}[Discrete logarithm]
841: \label {alg:dlog}
842: \begin{enumerate}
843: \item Use Heuristic Result~\ref{prop:hm} to build a list $L$ of prime
844: divisors of degree at most $\log_q L(2/3-\varepsilon, c_0)$, such that if
845: we know their discrete logarithms, the discrete logarithm of $D$ is implied.
846: \item While there is a $Q$ in $L$ of degree more than $\log_q
847: L(1/3+\varepsilon,c_K)$, use Heuristic Result~\ref{prop:descent} to replace $Q$
848: in $L$ by a list of prime divisors of degree bounded by a subexponential
849: function with parameter reduced by $\varepsilon$.
850: \item For each $Q$ in $L$ that is not in $\F$, use
851: Heuristic Result~\ref{prop:finaldescent} to decompose $Q$ in~$\F$.
852: \end{enumerate}
853: \end{algorithm}
854:
855: In order to analyse the algorithm, let us model it by a tree: the root is
856: the divisor $D$, its sons are the prime divisors coming from its
857: decomposition using Heuristic Result~\ref{prop:hm}, then each internal node
858: corresponds to a prime divisor and its sons are the prime divisors
859: obtained using Heuristic Result~\ref{prop:descent} or
860: Heuristic Result~\ref{prop:finaldescent}. The depth of the tree is
861: bounded by $1/ (3\varepsilon)$ since at each intermediate step the
862: subexponential
863: parameter is reduced by at least $\varepsilon$ and one has to cover a
864: range of $1/3$. The number of sons of each node is bounded by $g$. Hence
the total number of nodes is bounded by $g^{1/ (3\varepsilon)}$. Since
$\varepsilon$ is a fixed constant, this is a polynomial in $g\log q$ and
therefore contributes only an $o(1)$ term to the subexponential complexity.
868:
869: Let us allow a computation time of $L(1/3+\varepsilon, \nu+o(1))$, for
870: fixed positive constants $\varepsilon$ and $\nu$. Then the first step that uses
871: Heuristic Result~\ref{prop:hm} can decompose $D$ in prime divisors of degree
872: at most $\log_q L(2/3-\varepsilon, c_0)$ in time $L(1/3+\varepsilon,
873: \nu + o(1))$ for $c_0 = (1/3+\varepsilon)/\nu$. Going one step down the tree,
874: one can decompose these primes using Heuristic Result~\ref{prop:descent} in
875: primes of degrees at most $\log_q L(2/3-2\varepsilon, c_1)$ in the same
time, for $c_1 = c_0n_0(1/3+\varepsilon)/\nu$. Going from level $k$ to
level $k+1$ in the tree decomposes these into primes of degree at most
$\log_q L(2/3-(k+2)\varepsilon, c_{k+1})$ in the same
time, for $c_{k+1} = c_{k}n_0(1/3+\varepsilon)/\nu$. Finally, each last
880: step will be feasible in the same running time if
881: $\rho>c_{K}n_0(1/3+\varepsilon)/\nu$, where $K$ is the depth of the tree.
882:
883: This value of $\rho$ is feasible and does not affect the overall
884: complexity. It only changes the exponent in the $L(1/3)$ runtime
885: of the group structure algorithm, whose complexity remains negligible
886: compared to the $L(1/3+\varepsilon)$ of the present algorithm.
887: Therefore, a suitable choice of $\rho$, $c_0$ and $c_K$ in Algorithm~\ref
888: {alg:dlog} results in a running time of $L (1/3 + \varepsilon, \nu + o (1))$ for
889: any given $\varepsilon$ and $\nu$.
890:
891: Choosing $\varepsilon / 2$ in the place of $\varepsilon$ (and an arbitrary
892: $\nu$) shows that even a complexity of $L (1/3 + \varepsilon, o (1))$ is
893: achievable.
894: \medskip
895:
896: \noindent {\bf Remark.}
897: In the analysis, we have remained silent about the exact nature of the $o(1)$
898: terms. As long as a fixed number of them is involved, this does not pose any
899: problem. But at first sight, since Heuristic Result~\ref{prop:descent} is used
900: a non-constant number of times, one apparently needs to make the $o(1)$ terms
901: explicit to check that they do not sum up to something that is not
902: tending to zero. However, although the number of nodes in the tree of
903: Algorithm~\ref{alg:dlog} is in $g^{1/(3\varepsilon)}$, the $o(1)$ term is
904: the same for any given level in the tree, so that actually only the depth
905: of the tree is important for these $o(1)$-terms considerations. The depth
906: of the tree is in $1/(3\varepsilon)$, which is a constant, so that we
907: actually consider a constant number of $o(1)$ terms and need not make them
908: explicit.
909:
910: \section{Extensions to wider families of curves}
911: \label{sec:extensions}
912:
913: \subsection{Highly singular curves}
914:
915: Consider the case where the curve has an equation of the appropriate
916: form, but with a genus that is much smaller than $nd$. Then letting
917: $g'=nd$, one may apply the exact same algorithms yielding an
918: $L(1/3+\varepsilon)$ complexity. However, the subexponential function is
919: now taken with respect to $q^{g'}$. This may still result in a subexponential
920: complexity in $q^g$, depending on the relation between $q$, $g$ and~$g'$.
921:
922: \subsection{Different balancing between $n$ and $d$}
923:
924: Here we consider the case where $n\approx g^\alpha$ and $d\approx
925: g^{1-\alpha}$ for $\alpha\in\left[\frac13, \frac12\right]$. We shall just give
926: an informal description of an algorithm that yields an $L(1/3)$ complexity
927: for the group structure.
928: Note that to obtain the claimed complexity without
929: $\varepsilon$, the bounds on $n$ and $d$ should resemble the ones we have in
930: Section~\ref{sec:grp}. For instance, bounds of the form
931: $n\le n_0g^\alpha\M^{-\alpha}$ and $d\le d_0g^{1-\alpha}\M^\alpha$ would
932: suffice. For the sake of better readability, we content ourselves with
933: approximate bounds.
934:
935: Let us restrict to $C_{ab}$ curves for simplicity, and let us call
936: $P_\infty$ the unique place at infinity. We proceed as in
937: Algorithm~\ref{algo:grp}, but the functions we consider are of the more
938: general form:
939: $$ \varphi = a_0(X) + a_1(X)Y + \cdots + a_k(X)Y^k,$$
940: where the $a_i(X)$ have a degree bounded by $g^\beta$ and $k$ is taken of
941: the form $g^\gamma$, for some $\beta$ and $\gamma$ to be determined. Then
942: the divisor of $\varphi$ is of the form $E - (\deg E)P_\infty$, with $E$
943: effective of degree bounded by
944: $g^{\gamma+1-\alpha} + g^{\beta+\alpha}$.
945:
946: Fix a smoothness bound of $g^{\beta + \gamma}$;
947: with the usual heuristic, one can find
948: $E$ that is smooth in time about $g^{\max(\alpha-\gamma,
949: (1-\alpha)-\beta)}$.
950: The consistency check that the sieving space must be
951: larger than the factor base yields the condition
952: $$ \beta+\gamma \ge \max(\alpha-\gamma, (1-\alpha)-\beta),$$
953: which gives $\beta+2\gamma\ge \alpha$ and $\gamma+2\beta\ge 1-\alpha$.
This in turn imposes that $\beta+\gamma \ge 1/3$. Therefore, in this
setting we cannot hope to get something better than an $L(1/3)$
complexity. We now show that this complexity is achievable: taking
957: $\beta=2/3-\alpha$ and $\gamma = \alpha-1/3$, all the conditions are
958: verified, and the complexity is as announced.
959:
960: In the particular case of $\alpha=1/3$, we recover $\beta=1/3$ and
961: $\gamma=0$, which corresponds to Algorithm~\ref{algo:grp}. In the other
962: extremal case $\alpha=1/2$, we get $\beta=\gamma=1/6$.
963:
964: If $\alpha$ gets smaller than $1/3$, then the $L(1/3)$ complexity is not
965: achievable with this algorithm. In fact, for each value of $\alpha \in
966: [0,1/3]$, there is an $L(x)$ complexity with $x \in [1/3, 1/2]$, and
967: finally, for hyperelliptic curves one essentially recovers
968: Adleman-Demarrais-Huang's $L(1/2)$ algorithm.
969: \bigskip
970:
971: All of this concerns only the group structure. For the special-Q descent
972: however, things get more complicated and the $L(1/3+\varepsilon)$
973: complexity is lost when $\alpha$ is bigger than $1/3$. More precisely,
974: the same kind of computations as above yields a complexity of
975: $L(\alpha+\varepsilon)$ for $\alpha \in [1/3,1/2]$.
976:
977:
978:
979: \bibliographystyle{plain}
980: \bibliography{l13}
981:
982: \end{document}
983: