# Project : tanc

## Section: New Results

### The discrete logarithm in jacobians of curves

Participant : Pierrick Gaudry.

#### Attacking elliptic curves over small degree extension fields

P. Gaudry [23] has developed an algorithm that can solve the
discrete logarithm problem in elliptic curves defined over a finite field
of the form $GF(q^{n})$, when $n\ge 3$ is a small integer. His algorithm
belongs to the family of so-called Weil-descent attacks. The main
difference from previously known algorithms is that the use of the theory
of function fields is replaced by Gröbner basis computations. As a
consequence, the range of application of the algorithm is less
restrictive than that of previously known attacks (which often worked only for
small classes of curves). On the other hand, the dependence on *n* is so
bad that only the cases $n=3$ and $n=4$ are meaningful in practice.

It is important to stress that the two cases widely used in practice,
which are $GF(p)$ and $GF(2^{n})$ with a prime *n*, are not vulnerable to
this approach. Gaudry's result can be viewed as a confirmation of the
"bad feelings" that most researchers had about the security of curves
over small degree extension fields.

#### Attacking low genus hyperelliptic curves

P. Gaudry, E. Thomé and N. Thériault [34] have improved index calculus algorithms for computing discrete logarithms in jacobians of hyperelliptic curves of low genus (at least 3). Their attack is based on the addition of a double large prime variation to a previously known algorithm. The surprise is that in the case of discrete logarithms on curves, the complexity is improved, whereas in all other application ranges of double large prime variations, the gain is only a constant factor. Hence, the main difficulty in this work was to provide a complexity analysis that was also validated by numerous computer experiments.

As a consequence, curves of genus 3 or larger should be used with extreme care when deployed in a cryptosystem. At the very least, a cryptosystem based on a genus 3 curve must have a key size about $12\%$ larger than an elliptic cryptosystem to offer the same level of security.
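
Where the figure of about $12\%$ comes from, as an added derivation that is not part of the original report. It assumes the running time $\tilde{O}(q^{2-2/g})$ established for the double large prime variation on a genus $g$ curve over $GF(q)$, a value not stated on this page, and it ignores constants and logarithmic factors.

The jacobian of a genus $g$ curve over $GF(q)$ has order $N \approx q^{g}$. A generic attack (Pollard rho) costs about $N^{1/2}$, while the index calculus attack costs

$$q^{2-2/g} = N^{(2-2/g)/g}, \qquad \text{which for } g=3 \text{ is } q^{4/3} = N^{4/9}.$$

For a target security level of $2^{\lambda}$ operations, an elliptic curve ($g=1$, generic attack only) needs $\log_2 N = 2\lambda$, whereas a genus 3 curve needs $\tfrac{4}{9}\log_2 N = \lambda$, that is $\log_2 N = \tfrac{9}{4}\lambda$. The ratio of the two group sizes is

$$\frac{9\lambda/4}{2\lambda} = \frac{9}{8} = 1.125,$$

so the genus 3 group, and hence the key, must be $12.5\%$ longer in bits. For example, matching a 256-bit elliptic curve group ($\lambda = 128$) requires a genus 3 jacobian of about 288 bits, i.e. a base field of about 96 bits.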