In this paper, we study the bounded sum-of-digits discrete logarithm problem in finite fields. Our results concern primarily with fields Fqn where n|q − 1. The fields are called Kummer extensions of Fq. It is known that we can efficiently construct an element g with order greater than 2 n in the fields. Let Sq(•) be the function from integers to the sum of digits in their q-ary expansions. We first present an algorithm that given g e (0 ≤ e < q n ) finds e in random polynomial time, provided

more »

... t Sq(e) < n. We then show that the problem is solvable in random polynomial time for most of the exponent e with Sq(e) < 1.32n, by exploring an interesting connection between the discrete logarithm problem and the problem of list decoding of Reed-Solomon codes, and applying the Guruswami-Sudan algorithm. As a side result, we obtain a sharper lower bound on the number of congruent polynomials generated by linear factors than the one based on Stothers-Mason ABC-theorem. We also prove that in the field F q q−1 , the bounded sum-of-digits discrete logarithm with respect to g can be computed in random time O(f (w) log 4 (q q−1 )), where f is a subexponential function and w is the bound on the q-ary sum-of-digits of the exponent, hence the problem is fixed parameter tractable. These results are shown to be generalized to Artin-Schreier extension Fpp where p is a prime. Since every finite field has an extension of reasonable degree which is a Kummer extension, our result reveals an unexpected property of the discrete logarithm problem, namely, the bounded sum-of-digits discrete logarithm problem in any given finite field becomes polynomial time solvable in certain low degree extensions.