Extending the GLS endomorphism to speed up GHS Weil descent using Magma
share
Let q = 2^n, and let E / 𝔽_q^ℓ be a generalized Galbraith–Lin–Scott (GLS) binary curve, with ℓ≥ 2 and (ℓ, n) = 1.We show that the GLS endomorphism on E / 𝔽_q^ℓ induces an efficient endomorphism on the Jacobian J_H(𝔽_q) of the genus-g hyperelliptic curve H corresponding to the image of the GHS Weil-descent attack applied to E/𝔽_q^ℓ, and that this endomorphism yields a factor-n speedup when using standard index-calculus procedures for solving the Discrete Logarithm Problem (DLP) on J_H(𝔽_q). Our analysis is backed up by the explicit computation of a discrete logarithm defined on a prime-order subgroup of a GLS elliptic curve over the field 𝔽_2^5· 31. A Magma implementation of our algorithm finds the aforementioned discrete logarithm in about 1,035 CPU-days.
READ FULL TEXT