Extending the GLS endomorphism to speed up GHS Weil descent using Magma

Let q=2n, and let E/Fqℓ be a generalized Galbraith–Lin–Scott (GLS) binary curve, with ℓ≥2 and (ℓ,n)=1. We show that the GLS endomorphism on E/Fqℓ induces an efficient endomorphism on the Jacobian JacH(Fq) of the genus-g hyperelliptic curve H corresponding to the image of the GHS Weil-descent attack applied to E/Fqℓ, and that this endomorphism yields a factor-n speedup when using standard index-calculus procedures for solving the Discrete Logarithm Problem (DLP) on JacH(Fq). Our analysis is backed up by the explicit computation of a discrete logarithm defined on a prime-order subgroup of a GLS elliptic curve over the field F25⋅31. A Magma implementation of our algorithm finds the aforementioned discrete logarithm in about 1,035 CPU-days.