The GHS Attack for Cyclic Extensions of Arbitrary Function Fields

Transcription

1 The GHS Attack for Cyclic Extensions of Arbitrary Function Fields Tomohiro Nakayama Abstract It is known that the discrete logarithm problem in the Jacobian group of a higher genus curve can be solved by several attacks such as the Gaudry variant. Inspired by Frey s talk in 1998, Gaudry, Hess and Smart considered a way of reducing the DLP of the Jacobian group of a small genus curve (original curve) to that of a high genus curve (reduced curve) under some conditions. Thus far, many authors extended to find the most general conditions under which the GHS attack can be applied. This paper clearly answers the question: the curve is expressed by a cyclic extension of any function field, which extends Hess for Artin-Schreier extensions, and Iijima, Shimura, Chao and Tsujii for rational function fields. In addition to the construction, this paper evaluates upper/lower bounds of the genus of the reduced curve when the original curve is expressed by a Kummer extension of any function field, which extends Diem, Iijima, Shimura, Chao and Tsujii for hyperelliptic and superelliptic curves, respectively. 1 Introduction With the development of security technology, various realizations of public key cryptosystems have been proposed. This paper give a generalization of the GHS attack which is a class of attacks for algebraic curve cryptography, proposed by Pierrick Gaudry, Florian Hess and Nigel P.Smart [9]. For a finite cyclic group G, we define the discrete logarithm problem (DLP) to find the 0 l n 1 such that α l = β for a generator α ( α = G) and other element β G, where n is the order of G ( G = n). Although the computational intractability of the problem depends on the group G, it generally increases with n as long as max i p i in n = i pe i i (p i : prime, e i 1) is large enough [16]. For the multiplicative group G = F q of a finite field F q, we can apply index calculus methods to solve the problem efficiently (subexponential time in q). In the mid of 1980 s, Victor Miller [15] and Neal Koblitz [13] independently conjectured that index calculus methods do not help solving the DLP for the group G = P generated by a F q -rational point P E(F q ) on an elliptic curve E over finite field F q. If the characteristic p := char(f q ) 2, 3, elliptic curves are expressed by {(x, y) F 2 q y 2 = x 3 + αx + β} {O}, (1) 1

2 where α, β F q, and O is the point at infinity. For elliptic curve E/F q, a associative group arithmetic P + Q E(F q ) between P, Q E(F q ) such that O is the unit element can be defined, and the order E(F q ) is known to be finite. Since the conjecture was raised, the public key cryptography based on such a DLP (elliptic curve cryptography, ECC) has been intensively investigated. It is believed that a less efficient method such as Pollard s ρ-method [17] than index calculus is needed to solve the DLP in almost all cases. After ECC was established, extending the notion of ECC, various classes of algebraic curve cryptography (ACC) were proposed based on hyperelliptic curves expressed by y 2 = f(x), f F q [x], deg f = 2g + 1 with genus g (if p 2), superelliptic curves expressed by y a = f(x), f F q [x], deg f = b, GCD(a, p) = 1, GCD(a, b) = 1 with genus g = (a 1)(b 1)/2, C ab curves (plane curves) expressed by α i,j x i y j = 0, α 0,a, α b,0 0, GCD(a, b) = 1 ai+bj ab,i,j 0 with genus g = (a 1)(b 1)/2, nonsingular curves which will be explained in later sections, etc. In those algebraic curves over finite field F q, a finite number of Jacobians which generalize F q -rational points in higher genus curves make the finite cyclic group. It had been believed that ECC/ACC were secure except for several specific curves such as supersingular curves [14], anomalous elliptic curves [18][19][21], etc. However, recently, several authors (Leonard Adleman, Jonathan DeMarrais and Ming-Deh Huang [1], Gaudry [8], Seigo Arita [2], Andreas Enge and Gaudry [5]) found that there exist methods to solve the DLP more efficiently than ρ- method for curves with relatively large genera. The situation has been dramatically changed by Gerhard Frey s talk at ECC conference in Waterloo in 1998 [6]. He proposed a method to reduce a DLP in a low genus curve over a non-prime field to a DLP in a high genus curve over a smaller field, so-called Weil descent. Gaudry, Hess and Smart [9] proposed Frey s idea to solve DLPs for low genus curves (the GHS attack). As the previous authors of the GHS attack did, we express each curve by its corresponding function field of one variable. If a field L is a finite algebraic extension of K(x) (rational function field) such that x is transcendental over a field K, then L/K is said to be a function field. For example, the minimal field L containing K(x) and y such that y 2 = x 3 + αx + β with α, β K makes a function field. In fact, L = K(x) + yk(x) (2) corresponds to (1). It is known that for each function field, there exists a set of curves which are birationally equivalent to each other, and that for each 2

3 algebraic curves, there exists a set of function fields which are isomorphic to each other. Let k = F q and K = F q n for some n > 1. Let L/K be a function field, and M/L a cyclic extension. For example, if L = K(x), M/K is a C ab curve; if L = K(x) and M/L is Kummer, M/K is a superelliptic curve; and if L = K(x) and [M : L] = 2, M/K is a hyperelliptic curve. In the GHS attack, from M/K (original curve), we construct another function field F/k (reduced curve) to establish a mapping between the Jacobian groups from Cl 0 (M) to Cl 0 (F ), so that the DLP in M/K is reduced to the one in F/k. Then, it is known that g(m/k) g(f/k), where g(m/k), g(f/k) are the genera of M/K, F/k, respectively, which can be proved from Hurwitz genus formula [22]. Thus far, the important topics of the GHS attack contain 1. Constructing F/k for more general M/K, and 2. Giving upper/lower bounds of the genus g(f/k) of F/k in terms of M/K without actually constructing F/k from M/K. For the second topic, constructing F/k from M/K takes a large amount of time while the same computation looks small for solving the DLP in M/K. The original work by Gaudry, Hess and Smart [9] assumed that M/K is an elliptic curve with p = 2, where p is the characteristic of F q. Then, Steven Galbraith [7] extended [9] to the case of M/K being a hyperelliptic curve with p = 2. For algebraic curves with p odd, Claus Diem [4] constructed F/k for the case of M/K being a hyperelliptic curve, and gave upper/lower bounds of g(f/k). Nicolas Thériault [23][24] constructed F/k for the case of M/L being specific Artin-Schreier/Kummer extension of L = K(x). Tsutomu Iijima, Mahoro Shimura, Jinhui Chao and Shigeo Tsujii [12] extended [4] to the case of M/L being a cyclic extension of L = K(x), and gave upper/lower bounds of g(f/k) for the case of M/K being a superelliptic curve. On the other hand, above papers assumed L = K(x), they have been generalized by Hess [10] to the case of M/L being an Artin-Schreier extension of arbitrary L/K. For example, if p = 2 and L/K is given as in (2) and M is the minimal field containing L and z such that z 2 + z = xy + γ with γ K, M/L is Artin-Schreier. In this paper, we 1. construct F/k for M/K such that M/L is a cyclic extension of arbitrary L/K, and 2. give upper/lower bounds of the genus g(f/k) of F/k such that M/L is a Kummer extension of arbitrary L/K. Concrete differences from former papers are: 1. (i) While the previous GHS attack construction assumed that L = K(x) except Hess [10], this paper extends them to arbitrary L/K. 3

4 (ii) Furthermore, Hess [10] assumed that M/K is Artin-Schreier extensions of arbitrary L/K, this paper extends it to cyclic extensions. 2. While the previous GHS attack genus evaluation assumed L = K(x) (rational function field), this paper extends them to arbitrary L/K. This means the GHS attack could be applied to non-plane curves as well as plane curves as long as M/L is cyclic. In addition, the size of DLP in Jacobians of F/k in this paper is smaller than in Diem [4], Iijima, Shimura, Chao and Tsujii [12] in a certain condition. In fact, it is considered that the GHS attack are most powerful against algebraic curve cryptography. However, still we have not been sure of what curves the GHS attack are applied to. This paper answers the question clearly because the GHS attack are good only if M/L is cyclic. Section 2 gives basic materials of function fields, Section 3 constructs F/k from M/K for cyclic M/L, Section 4 evaluate g(f/k) in terms of M/K for Kummer M/L, and Section 5 summarizes the significance of this paper. 2 Function fields First, we give basic theory of function fields [22]. An algebraic function field F/K of one variable over K is an extension field F K such that F is a finite algebraic extension of K(x) for some element x F which is transcendental over K. Hereafter, we shall simply refer to F/K as a function field. Let K := {z F z is algebraic over K}. We have K K F, in particular, K/K is a finite extension. We say that K is the full constant field (or K is algebraically closed in F ) if K = K. A valuation ring of the function field F/K is a ring O F with the following properties: (1) K O F, and (2) for any z F, z O or z 1 O. Valuation ring O is a local ring, i.e. O has a unique maximal ideal P = O \ O, where O is the group of units of O. A place P of the function field F/K is the maximal ideal of some valuation ring O of F/K. We denote P F := {P P is a place of F/K}. A place P is a principle ideal, and any element t P such that P = to is called a prime element for P. To any place P = to P F, every 0 z F has a unique representation z = t n u with u O and n Z. Then we define a discrete valuation of F/K v P : F Z { } as v P (z) := n and v P (0) :=. According to definition, places, valuation rings, and discrete valuations of a function field essentially amount to the same thing. Hence we denote a valuation ring O P corresponding to a place P. We say that P is a zero of z F iff v P (z) > 0; P is a pole of z F iff v P (z) < 0. Since P is a maximal ideal, the residue class ring F P := O P /P is a field and we can construct a embedding of K(also K is) into F P. Henceforth, we shall always consider K K F P. Then we define the degree of P P F by degp := [F P : K]. In 4

5 particular, K is the full constant field of F/K if there exists P P F such that degp = 1 since 1 = degp = [F P : K] = [F P : K][ K : K]. The divisor group of F/K is defined by D F := {D = P P F n P P n P Z, almost all n P = 0}. For D = P P F n P P D F, the degree of a divisor is defined by degd := n P degp. We denote D 0 F := {D D F degd = 0}. Let 0 x F and denote by Z (resp. N) the set of zeros (poles) of x in P F. Then we define (x) = P P F v P (x)p, the principal divisor of x, (x) 0 = P Z v P (x)p, the zero divisor of x, (x) = P N v P (x)p, the pole divisor of x. P F := {(x) 0 x F } is called the group of principal divisors of F/K. It is known that degree of a principal divisor is 0. Therefore, P F is a subgroup of D 0 F. Then the Jacobian group of F/K is defined by Cl 0 (F ) := D 0 F /P F. A function field F /K is called an algebraic extension of F/K if F F is an algebraic extension and K K. The algebraic extension F /K of F/K is called a constant field extension if F = F K. If F /K is a constant field extension of F/K, F /K has the same genus as F/K. Let F /F be a algebraic extension of function field. A place P P F is said to lie over P P F if P P, and we write P P. Any place P P F has at least one, but only finitely many, P P F such that P P. There exists an integer e 1 such that v P (x) = e v P (x) for all x F. Then e(p P ) := e is called the ramification index of P over P, and f(p P ) := [F P : F P ] is called the relative degree of P of P. It is known that 1 e(p P ) <. P P is said to be tame if e(p P ) is relatively prime to the characteristic of F. Also, a extension F /F is said to be tame if e(p P ) is relatively prime to the characteristic F for P P F, P P F with P P. For a place P P F we define its conorm (with respect to F /F ) by Con F /F (P ) := P P e(p P ) P, where the sum runs over all places P P F lying over P. The conorm map is extended to a homomorphism from D F to D F by setting Con F /F ( n P P ) := n P Con F /F (P ). Let (x) F, (x) F be principal divisors of x in F, F respectively. It is known that Con F /F ((x) F ) = (x) F. Henceforth, Con F /F : Cl 0 (F ) Cl 0 (F ) 5

6 is well-defined. Let F/K be a function field in which K contains a primitive r-th root of unity (with r > 1 and r relatively prime to the characteristic of K). Let where F = F (y) with y r = u u w d for all w F and d r, d > 1. An extension such as F is said to be a Kummer extension of F. We list several formulae in function fields which will be used in later section. Lemma 1. [22] Prop III Let F /K be a finite extension of F/K, P a place of F/K and P 1,, P m all the places of F /K lying over P. Let e i := e(p i P ) and f i := f(p i P ), then m e i f i = [F : F ]. Lemma 2. [22] Prop III.6.6. Let F/K be a function field with full constant field K. Suppose that F /F is a finite extension field with full constant field K.Let K denote the algebraic closure of K. Then [F : F ] = [ KF : KF ][K : K]. In particular, if F = F (y) and ϕ(t ) F [T ] is the minimal polynomial of y over F, the following conditions are equivalent: (1) K = K. (2) ϕ(t ) is irreducible in KF [T ]. Lemma 3. [22] Prop III.7.3. Let F (y)/f with y r = u F be a Kummer extension of degree r. Suppose P P F and P P F such that P P. Then e(p P ) = r r P where r P := GCD(r, v P (u)) > 0. Lemma 4. [22] Prop III.8.9. Let F /F be a finite separable extension of function fields. Suppose that F = F 1 F 2 is the compositum of two intermediate fields F F 1, F 2 F. Let P P F be an extension of P P F, and set P i := P F i P Fi for i = 1, 2. Assume that at least one of the extensions P 1 P or P 2 P is tame. Then e(p P ) = LCM{e(P 1 P ), e(p 2 P )}. 6

7 Lemma 5. [22] Prop III.5.6. Suppose that F /F is a finite extension of algebraic function fields having the same constant field K. Let g (resp. g ) denote the genus of F/K (resp. F /K). Then 2g 2 [F : F ](2g 2) + (e(p P ) 1)degP. Equality holds if and only if F /F is tame. P P F P P Lemma 6. [22] Th I.8.9. Let F/K be an algebraic function field, x F \ K and (x) 0 resp. (x) denote the zero resp. pole divisor of x. Then deg(x) 0 = deg(x) = [F : K(x)]. The following proposition is used in the derivation of g(f/k) in Section 4. Proposition 1. Let L be a function field over an algebraically closed field K, M := L(y) with y r = u L a Kummer extension of L of degree r (u:polynomial). Suppose the algebraic curve corresponding function field M/K is nonsingular. Then v P (u) 1 for P P L. Proof. Suppose v P (u) 2 for some P P L. Then v Q (u) = e(q P )v P (u) 2 for Q P M with Q P. Let defined equation of L/K be f 1 (x 1,, x n 1 ) = 0,, f m 1 (x 1,, x n 1 ) = 0, m n 1. Furthermore, we construct M = L(y) by adding roots y := x n of equation f m (x 1,, x n 1, x n ) = x r n u where u = g(x 1,, x n 1 ) K[x 1,, x n 1 ]. Then if v Q (u) 2, u = g(x 1,, x n 1 ) = t a g(x 1,, x n 1 ) where a 2, t is a prime element of Q P M, and v Q ( g) = 0. Notice that place Q can be regarded as a point on the nonsingular curve since we assume M/K is nonsingular as an algebraic curve over an algebraically closed field [22]. Hence, for 1 i n 1 we obtain f m (x 1,, x n ) x i = x i {x r n t a g(x 1,, x n 1 )} Therefore = at a 1 g(x 1,, x n 1 ) t a x i { g(x 1,, x n 1 )}. f m (Q) = at(q) a 1 g(q) t(q) a { g(q)} = 0 (1 i n 1). x i x i We show f m x n (Q) = 0, as well. In fact, f m (x 1,, x n ) x n = rx r 1 n = r x n {u + f m (x 1,, x n )} = r x n {t a g(x 1,, x n ) + f m (x 1,, x n )}. 7

8 If x n (Q) 0, If x n (Q) = 0, f m (Q) = r x n x n (Q) {t(q)a g(q) + f m (Q)} = 0. f m x n (Q) = r 0 = 0. Hence fm x i (Q) = 0 for all 1 i n. Therefore, the matrix J(Q) = f 1 f 1 x n x f m x 1 f m x n (Q) = f 1 f x 1 (Q) 1 x n 1 (Q) f x 1 (Q) m 1 x n 1 (Q) f m 1 Since M/K is nonsingular as an algebraic curve, rank J(Q) = n 1 is required [20]. But we have rank J(Q) < n 1 as above, which is a contradiction. 3 Constructing F/k from M/K Let k = F q and K = F q n for some n > 1. Also let L/K be an arbitrary function field, and M/L a cyclic extension of degree r such that GCD(r, n) = 1. We assume that there exists a place P of L/K of degree 1, which means K is the full constant field of L. Let σ be a Frobenius automorphism of L with respect to K/k, i.e. σ is an automorphism of L; σ K is the q-th power Frobenius automorphism of K/k; and the order of σ on L is n = [K : k]. Let L sep be the field containing all the separable elements over L, and ˆσ the σ extended to L sep. Also, let F := M ˆσ(M) ˆσ n 1 (M). Then, there exists 1 m n and 1 < r i r (1 i m) such that So, clearly, Gal(F /L) = [F : L] = m (Z/r i Z). m r i. Hereafter, let K be the full constant field of F. This section constructs a function field F/k such that 1. F is an intermediate field of F /L σ ; 8

9 F M cn F r L n L σ K n k Figure 1: Construction of F/k 2. KF = F ; and 3. k is the full constant field of F, as depicted in Figure 1, where L σ is the fixed field of L with respect to σ. Let Cl 0 (M), Cl 0 (F ) be the Jacobian groups in M, F, respectively, N F /F the norm map [3] of F /F, and Con F /M the conorm map [22] of F /M (see Section 2 for definition of conorm maps). If we construct F/k from M/K, then the following homomorphism (GHS conorm-norm homomorphism) can be defined ; N F /F Con F /M : Cl 0 (M) Cl 0 (F ). So we can transform the DLP in Cl 0 (M) into the DLP in Cl 0 (F ). The rest of this section is devoted to constructing F/k from M/K. c = [ K : K]. Lemma 7. c = 1 or c = w c i where w m, 1 < c i r, and {c i } are coprime. Proof. Since K is a finite extension of K [22], Gal( K/K) is a cyclic group. Then we notice Gal( K/K) = Gal( K/ K L) = Gal( KL/L) = Gal(F /L)/Gal(F / KL). Since Gal( K/K) is a cyclic group and Gal(F /L) = m (Z/r iz), we obtain Gal( K/K) = {1} or Z/cZ, where c = w c i such that w m, 1 < c i r, and {c i } are coprime. Lemma 8. Frobenius automorphism σ on L with respect to K/k can extend to an automorphism of F /L σ of order cn. Let 9

10 Proof. First, we show the case c = 1. Notice that 1 Gal(F /L) is an exact sequence. Since with 1 m n, 1 < r i r, and we have ϕ Gal(F /L σ ) Gal(L/L σ ) 1 (3) Gal(F /L) = m r i, Gal(F /L σ )/Gal(F /L) = n, GCD(r, n) = 1, GCD( Gal(F /L), Gal(F /L σ )/Gal(F /L) ) = 1. Therefore, there exists H Gal(F /L σ ) such that H Gal(F /L) = {1} and H Gal(F /L) = Gal(F /L σ ) [11]. Let ϕ : Gal(F /L σ ) Gal(F /L) be ϕ(τ 1 τ 2 ) = τ 2 for τ 1 H, τ 2 Gal(F /L). Then ϕ is a homomorphism such that ϕ ϕ = id. Hence (3) splits, and Gal(F /L σ ) = Gal(F /L) Gal(L/L σ ). Therefore, there exists an automorphism of F of order n extending of σ. Next, we show the case c > 1. For a K, we define σ : a a q. Then σ can extended to a Frobenius automorphism of KL with respect to K/k. We notice 1 Gal(F / KL) ψ Gal(F /L σ ) Gal( KL/L σ ) 1 (4) is an exact sequence. Now we wish to construct the following homomorphism ψ ψ : Gal(F /L σ ) Gal(F / KL) such that ψ ψ = id. Since Gal(F / KL) Gal(F /L) = m (Z/r iz), we obtain Gal(F / KL) = m (Z/s iz), where s i r i. By this isomorphism, we can define a homomorphism ω : Gal(F /L) Gal(F / KL) by m m (Z/r i Z) (a 1,, a m ) (a 1 mod s 1,, a m mod s m ) (Z/s i Z). Notice that Gal(F / KL) τ (a 1,, a m ) m (Z/r iz) (a i < s i ) are corresponding each other. Therefore, the elements of Gal(F / KL) are invariant in ω. Thus ψ := ω ϕ is homomorphism such that ψ ψ = id. Hence (4) splits, and Gal(F /L σ ) = Gal(F / KL) Gal( KL/L σ ). Therefore, there exists an automorphism on F of order cn extending of σ. 10

11 Theorem 1. There exists an intermediate field F of F /L σ with full constant field k and KF = F. Proof. Frobenius automorphism σ of L with respect to K/k extends to an automorphism σ of F /L σ of order cn (Lemma 8). Let F := F σ = {a F σ(a) = a}. Since σ(f ) = F and σ( K) = K, σ KF is an automorphism of KF of order cn. Noting [ KF : ( KF ) σ ] = [ KF : F ] = cn and cn = [F : F ] = [F : KF ][ KF : F ], we have [F : KF ] = 1, i.e. F = KF. It is clear that k is the full constant field of F. Remark. Diem [4], Iijima, Shimura, Chao and Tsujii [12] found a different F such that the full constant field is an extension of k of degree c, which means that the size of the obtained DLP is larger than the DLP in this paper, if c = [ K : K] > 1. In this sense, the construction in this paper corrects the fault in [4] [12] as well as generalizes them. 4 Evaluating g(f/k) in terms of M/K In this section, we assume L/K be a function field and M/L a Kummer extension of degree r. We assume that we have constructed a function field F/k as in Section 3. Hereafter, we evaluate upper/lower bounds of the genus of F/k. Proposition 2. Let L/K be a function field and M = L(y) with y r = u L a Kummer extension of L of degree r (u:polynomial). Suppose that the algebraic curve corresponding to function field M/K is nonsingular and T r u L[T ] is absolutely irreducible, i.e., T r u is irreducible in KL[T ]. Let Φ L (u) := v P (u) be the pole order of u in L/K. Then following equality holds for the genus of function field F/k which obtained from M/K as in section 3: where m g(f/k) = r i (g(l/k) 1 + t c 2 t 2r ) + 1 (5) t = {P P KL e(p P ) = r, P P KF }. Proof. Let K be the algebraic closure of K and σ the Frobenius automorphism of L with respect to K/k. Then σ extends to ˆσ in L sep, and ˆσ extends to σ in L as well. Thus KF = KM ˆσ(M) ˆσ n 1 (M) = KM σ( KM) σ n 1 ( KM) and each σ i ( KM)/ KL (i = 0,, n 1) is a Kummer extension of degree r (Apply Lemma 2 to extension σ i (M)/L). Furthermore, 11

12 [ KF : KL] Q m = ri c, 1 m n, 1 < r i r (Apply Lemma 2 to extension F /L). Using Lemma 3 and Lemma 4, we examine the action of ramification of P P KL in σ i ( KM)/ KL for some i {0,, n 1} instead of P in KF / KL. By Proposition 1, v P (u) = 0 or 1 for P P KL \ {P }, therefore e(p P ) = 1 or r for P P KF with P P. Let T := {P P KL e(p P ) = r, P P KF }, t = T. We apply Lemma 1 and Lemma 5 to extension KF / KL to obtain 2g( KF / K) 2 = [ KF : KL](2g( KL/ K) 2) + (e(p P ) 1)degP, thus, P P KL P P i.e. Since m 2g( KF / K) 2 = r i (2g( c KL/ K) 2) + t m r r i (r 1), c m g( KF / K) = r i (g( c KL/ K) 1 + t 2 t 2r ) + 1. g( KF / K) = g(f / K) = g(f/k) g( KL/ K) = g(l/k), we have m g(f/k) = r i (g(l/k) 1 + t c 2 t 2r ) + 1. By giving upper/lower bounds of t, we obtain those of g(f/k) in Theorem 2,3. Theorem 2. g(f/k) r n {g(l/k) 1 + nφ L(u) 2 (1 1 r )} + 1. Proof. Let R := {P P KL e( P P ) = r, P P KM }. Since T = n 1 i=0 σi (R), (In particular, T can be written as the sum of m σ i (R).) t m R n R. (6) Since v P (u) = 0 or 1 for P P KL \ {P }, and from Lemma 3, we have P R v P (u) = 1. 12

13 Therefore, by Lemma 2 and Lemma 6, R = {P P KL v P (u) = 1} = P R v P (u)degp = deg(u) KL 0 = [ KL : K(u)] = [L : K(u)] = deg(u) L = Φ L (u). (7) By substituting (6) and (7) into (5), m g(f/k) r i c (g(l/k) 1 + nφ L(u) (1 1 2 r )) + 1 r n (g(l/k) 1 + nφ L(u) (1 1 )) r Theorem 3. Suppose that there exists no intermediate field k µ K, µ K such that M/µL σ is Galois. Then m g(f/k) r i p,n {g(l/k) 1 + p 0 pnp (1 1 c 2 r )} + 1 where n = p:prime,n p 0 pn p, 1 m n, 1 < r i r. In particular, if r is a prime number, P g(f/k) r p,np 0 pnp Φ L (u) {g(l/k) Proof. Noting p,n p 0 pn p Gal( K/k) = Gal( KL/L σ ), (1 1 )} + 1. r we identify the action of Gal( K/k) on T with that of Gal( KL/L σ ) on T. The action of Gal( KL/L σ ) on a prime element of P T P KL induces the following homomorphism: φ : Gal( K/k) Aut T. Let be an intermediate field of K/k such that ker φ = Gal( K/ ). Then we obtain the following injective homomorphism ψ : Gal( /k) Aut T. Here we put ɛ := [ : k] = p:prime pɛp. We can identify Aut T with degree t symmetric group S t. Hence t p ɛ p. p:prime Let n := p:prime pnp. Since K by [4] and [ : k] = [ : K][K : k], we obtain n ɛ. It follows that n p ɛ p for all prime p. Henceforth, t p np p:prime,n p 0 13

14 By substituting this into (5), we obtain m g(f/k) r i {g(l/k) 1 + c p,n p 0 pn p In particular if r is a prime number, [ KF : KL] = r m. Since t m R mφ L (u), t m Φ L (u) n Φ L (u). By substituting this into (8), we obtain P g(f/k) r p,np 0 pnp Φ L (u) {g(l/k) p,n p 0 pn p 2 (1 1 )} + 1. (8) r (1 1 )} + 1. r For example, let char 2, 3, L = K(x, z), z 2 = x 3 + ax + b (a, b k) (elliptic function field), and M = L(y) with y 2 = xz + c (c K) a Kummer extension of L of degree 2. If we apply the GHS attack to M/K to obtain a function field F/k for odd n. Since Φ L (xy + c) = 5. Therefore genera of F/k is 3 g(f/k) 31 if n = 3, 4 g(f/k) 201 if n = 5, etc. 5 Concluding Remarks We constructed the function field F/k for arbitrary L/K and cyclic M/L, which extends Hess [10] for Artin-Schreier extensions and Iijima, Shimura, Chao and Tsujii [12] for L = K(x). Moreover, we evaluated the genus g(f/k) for Kummer extensions of arbitrary L/K, which extends Diem [4], Iijima, Shimura, Chao and Tsujii [12] for hyperelliptic and superelliptic curves. This means the GHS attack could be applied to non-plane curves as well as plane curves as long as M/L is cyclic. We conjecture that the proposed GHS attack is the most general in the sense that no essential extension of the conditions will appear in the future because the M/L being a cyclic extension is essential to the GHS attack. Acknowledgments I would like to express my sincere gratitude to Professor Joe Suzuki for his useful advice, his constant encouragement and discussions with him. I also thank all the graduate students who study under the Professor for their support and discussions. References [1] L.Adleman, J.DeMarrais and M.Huang, A subexponential algorithm for discrete logarithms over the rational subgroup of the Jacobians of large 14

15 genus hyperelliptic curves over finite fields, Algorithmic Number Theory, LNCS 877, pp.28-40, Springer-Verlag, 1994 [2] S.Arita, Gaudry s variant against C ab curve, Proceedings of PKC2000, LNCS 1751, pp.58-67, 2000 [3] C.Chevalley, Introduction to the theory of algebraic functions of one variable, Mathematical Surveys Number, American Mathematical Society, 1951 [4] C.Diem, The GHS attack in odd characteristic, J.Ramanujan Math. Soc 18, pp.1-32, 2003 [5] A.Enge and P.Gaudry, A general framework for subexponential discrete logarithm algorithms, Acta Arith., vol.102, pp , 2002 [6] G.Frey, How to disguise an elliptic curve, Talk at the 2nd Elliptic Curve Cryptography Workshop, 1998 [7] S.D.Galbraith, Weil descent of Jacobians, Discrete appl. Math., vol.128, no.1, pp , 2003 [8] P.Gaudry, An algorithm for solving the discrete logarithm problem on hyperelliptic curves, Advances in cryptology - EUROCRYPT 2000, LNCS 1807, pp.19-34, Springer-Verlag, 2000 [9] P.Gaudry, F.Hess and N.P.Smart, Constructive and destructive facets of Weil descent on elliptic curves, J.Cryptol, vol.15, pp.19-46, 2002 [10] F.Hess, Generalizing the GHS Attack on the Elliptic Curve Discrete Logarithm, LMSJ.Comput.Math.,vol.7, pp , 2004 [11] B.Huppert, Endliche Gruppen, Springer-Verlag, 1967 (in Deutsch) [12] T.Iijima, M.Shimura, J.Chao and S.Tsujii, An extension of GHS Weil Descent Attack, IEICE Trans. Fundamentals, vol.e88-a, no.1, pp , 2005 [13] N.Koblitz, Elliptic curve cryptosystems, Math. of Computation, vol.48, pp , 1987 [14] A.Menezes, T.Okamoto and S.Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field, IEEE Transactions on Information Theory, vol.it-39, no.5, pp , 1993 [15] V.Miller, Uses of elliptic curves in cryptography, Advances in Cryptology - CRYPTO 85, Lecture Notes in Computer Science, vol.218, pp , Springer-Verlag, 1986 [16] S.Pohlig and M.Hellman, An improved algorithm for computing logarithms over GF (p) and its cryptographic significance, IEEE Transactions on Information Theory, vol.24, pp ,

16 [17] J.Pollard, Monte Carlo methods for index computation mod p, Math. of Computation, vol.32, pp , 1978 [18] T.Satoh and K.Araki, Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves, Commentarii Math. Univ. St. Pauli, vol.47, pp.81-92, 1998 [19] I.Semaev, Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p, Math. of Computation, vol.67, pp , 1998 [20] J.H.Silverman, The Arithmetic of Elliptic Curves, GTM 106, Springer- Verlag, 1986 [21] N.P.Smart, The Discrete Logarithm Problem on Elliptic Curves of Trace One, Journal of Cryptology, vol.12, pp , 1999 [22] H.Stichtenoth, Algebraic Function Fields and Codes, Universitext, Springer-Verlag, 1993 [23] N.Thériault, Weil descent attack for Kummer extensions, J.Ramanujan Math. Soc, vol.18, pp , 2003 [24] N.Thériault, Weil descent attack for Artin-Schreier curves, preprint,