On the discrete logarithm in the divisor class group of curves

Let X be a curve which is defined over a finite field k of characteristic p. We show that one can evaluate the discrete logarithm in Pic0(X)pn by O(n2 log p) operations in k. This generalizes a result of Semaev for elliptic curves to curves of arbitrary genus. Let k be a finite field of characteristic p. We consider a projective irreducible nonsingular curve X of genus g ≥ 1 which is defined over k. We assume that the curve X has a k-rational point P0. Let Pic0(X)m be the subgroup of the m-torsion points in the group of divisor classes of degree 0 on X . In [1] it is shown that one can reduce the evaluation of the discrete logarithm in Pic0(X)m by O(log m) operations to the evaluation of the discrete logarithm in k(ζm)∗, where ζm is a primitive m-th root of unity, if the integer m is prime to p. If m = p and if the curve X is an elliptic curve (i.e., g = 1), then it is proved in [2] that the discrete logarithm in Pic0(X)p can be evaluated by O(log p) operations in k. We want to extend this result to curves X of arbitrary genus g, and we will see that its proof is based on the connection between Pic0(X)p and logarithmic holomorphic differentials on X . Theorem. The discrete logarithm in Pic0(X)pn can be evaluated by O(n log p) operations in k. Proof. Let x ∈ Pic0(X)pn be an element of order p and let y be contained in the cyclic group generated by x. We have to show that λ ∈ Z/pZ with y = λ · x can be evaluated by O(n log p) operations. It is a standard argument to reduce the evaluation of λ = ∑n−1 i=0 λip i with 0 ≤ λi < p to the evaluation of λi (by multiplication with p, 0 ≤ i ≤ n − 1) as solutions of n discrete logarithms in Pic0(X)p. Hence we can assume that n = 1. The key point of the proof is the following result of Serre ([3], Proposition 10). Let Ω(X) be the k-vector space of holomorphic differentials on X . Then there is an isomorphism from Pic0(X)p into Ω(X) given by the following rule: Choose a divisor D of degree 0 with p ·D = (f), where f is a function on X , then the divisor class D ∈ Pic0(X)p is mapped to the holomorphic differential df/f . Received by the editor August 8, 1997. 1991 Mathematics Subject Classification. Primary 11T71; Secondary 94A60. c ©1999 American Mathematical Society