owned this note
owned this note
Published
Linked with GitHub
---
tags: vaje, kirv, discrete logarithm
hackmd: https://hackmd.io/eF6k1BOHTLK_y5NjUIvDPQ
plugins: mathjax
---
# Cryptography and computer security - Tutorial 15.12.2020
---
## Discrete logarithm problem
* Input: <i>$a, b, p$</i>
* Output: <i>$x \in \mathbb{Z}_{p-1}$</i> such that <i>$a^x \equiv b \pmod{p}$</i>
### Baby-step/giant-step algorithm (Shanks's algorithm)
1. Let <i>$H$</i> be an empty hash map.
2. Set <i>$m := \lceil \sqrt{r} \rceil$</i>, where <i>$r$</i> is (a multiple of) the order of <i>$a$</i> in <i>$\mathbb{Z}_p^*$</i> (in general, <i>$r = p-1$</i>). $O(\log^2 p)$
3. For <i>$i = 0, 1, \dots, m-1$</i> do <i>$H[a^{mi} \bmod{p}] := i$</i>. $O(\sqrt{p} \log^2 p)$
4. For <i>$j = 0, 1, \dots, m-1$</i> do: $O(\sqrt{p})$ steps, total $O(\sqrt{p} \log^2 p)$
1. Set <i>$c := ba^{-j} \bmod{p}$</i>. $O(\log^2 p)$
2. If <i>$c \in H$</i> then return <i>$m H[c] + j$</i>. $O(\log p)$
### Pohlig-Hellman algorithm
1. Write <i>$p-1 = \prod_{i=1}^t q_i^{e_i}$</i>, where <i>$q_i$</i> (<i>$1 \le i \le t$</i>) are prime numbers.
2. For <i>$i = 1, 2, \dots, t$</i>:
1. Compute <i>$a_i := a^{(p-1)/q_i} \bmod{p}$</i>.
2. Set <i>$c_{i0} := 1$</i> and <i>$k_{i0} := 0$</i>.
3. For <i>$j = 1, 2, \dots, e_i$</i> do:
1. Compute <i>$c_{ij} := c_{i,j-1} a^{-k_{i,j-1}} \bmod{p}$</i>.
2. Compute <i>$k_{ij} := q_i^{j-1} \log_{a_i} (b c_{ij})^{(p-1)/q_i^j}$</i> in <i>$\mathbb{Z}_p$</i> using the baby-step/giant-step algorithm with order <i>$q_i$</i>.
4. Compute <i>$x_i := \sum_{j=1}^{e_i} k_{ij}$</i>.
3. Solve the system <i>$x \equiv x_i \pmod{q_i^{e_i}}$</i> (<i>$1 \le i \le t$</i>) by CRT and return <i>$x$</i>.
### Index calculus algorithm
1. Choose a factor base <i>$(q_i)_{i=1}^t$</i> consisting of <i>$-1 \bmod{p}$</i> and small primes.
2. Find the logarithm table <i>$(f_i)_{i=1}^t$</i> for the factor base, i.e., <i>$a^{f_i} \equiv q_i \pmod{p}$</i> (<i>$1 \le i \le t$</i>).
3. Choose <i>$x \stackrel{R}{\in} \mathbb{Z}_{p-1}$</i>.
4. Compute <i>$c := b^x \bmod{p}$</i>.
5. Attempt to find <i>$(e_i)_{i=1}^t$</i> such that <i>$c \equiv \prod_{i=1}^t q_i^{e_i} \pmod{p}$</i> (on failure go to 3).
6. Compute <i>$g := \gcd(p-1, x)$</i> and <i>$m := {p-1 \over g}$</i>.
7. Compute <i>$y := \left(\sum_{i=1}^t e_i f_i \right) x^{-1} \bmod{m}$</i>.
8. For <i>$j = 0, 1, \dots, g-1$</i> do:
1. Compute <i>$z := y + jm$</i>.
2. If <i>$a^z \equiv b \pmod{p}$</i> then return <i>$z$</i>.
---
### Exercise 1
Determine the time and space complexities of the exhaustive search and the baby-step/giant-step algorithm for computing the discrete logarithm.
----
* <i>$x = \log_a b$ in $\mathbb{Z}_p^*$</i>, <i>$p$</i> prime
* <i>$a^x \equiv b \pmod{p}$</i>
* <i>$x \in \mathbb{Z}_{p-1}$</i>
Exhaustive search:
* time complexity: <i>$O(p \log^2 p)$</i>
* space complexity: <i>$O(\log p)$</i>
Baby-step/giant-step:
* time complexity: <i>$O(\sqrt{p} \log^2 p)$</i>
* space complexity: <i>$O(\sqrt{p} \log p)$</i>
---
### Exercise 2
Find <i>$\log_{47} 191$</i> in <i>$\mathbb{Z}^*_{829}$</i> using the baby-step/giant-step algorithm.
----
[Computation](https://nbviewer.jupyter.org/github/jaanos/kirv/blob/master/notebooks/BabyStepGiantStep.ipynb)
---
### Exercise 3
Find <i>$\log_2 181$</i> in <i>$\mathbb{Z}^*_{197}$</i> using the Pohlig-Hellman algorithm. Then, compute <i>$\log_{11} 2020$</i> in <i>$\mathbb{Z}^*_{15121}$</i>.
----
* <i>$p = 197$</i>
* <i>$p-1 = 196 = 2^2 \cdot 7^2$</i>
* <i>$a = 2$</i>
* <i>$b = 181$</i>
- <i>$q_1 = 2$</i>
+ <i>$a_1 = 2^{98} \bmod{197} = 196$</i>
+ <i>$c_{11} = 1$</i>
+ <i>$\log_{196} 181^{98} = \log_{196} 1 = 0$</i>
+ <i>$k_{11} = 0$</i>
+ <i>$c_{12} = 1$</i>
+ <i>$\log_{196} 181^{49} = \log_{196} 196 = 1$</i>
+ <i>$k_{12} = 2$</i>
+ <i>$x_1 = 2$</i>
+ <i>$x \equiv 2 \pmod{4}$</i>
- <i>$q_2 = 7$</i>
+ <i>$a_2 = 2^{28} \bmod{197} = 104$</i>
+ <i>$c_{21} = 1$</i>
+ <i>$\log_{104} 181^{28} = \log_{104} 164 = 4$</i>
+ <i>$k_{21} = 4$</i>
+ <i>$c_{22} = 2^{-4} \bmod{197} = 37$</i>
+ <i>$\log_{104} (181 \cdot 37)^4 = \log_{104} 1 = 0$</i>
+ <i>$k_{22} = 0$</i>
+ <i>$x_2 = 4$</i>
+ <i>$x \equiv 4 \pmod{49}$</i>
- <i>$x = 102$</i>
[Computation](https://nbviewer.jupyter.org/github/jaanos/kirv/blob/master/notebooks/PohligHellman.ipynb)
---
### Exercise 4
Find <i>$\log_5 4389733$</i> and <i>$\log_5 1234567$</i> in <i>$\mathbb{Z}^*_{9330887}$</i> using the index calculus method.
----
[Computation](https://nbviewer.jupyter.org/github/jaanos/kirv/blob/master/notebooks/IndexCalculus.ipynb)
---
### Exercise 5
Find <i>$\log_{47} 191$</i> in <i>$\mathbb{Z}^*_p$</i> for
$$
\begin{aligned}
p \in \{&{} 100000000003, 10000000000000000051, 1000000000000000000117, \\
&{} 10000000000000000000000343, 10000000000000000000000000331\}.
\end{aligned}
$$
Compare the running times of the baby-step/giant-step, Pohlig-Hellman and index calculus algorithms.
----
* [Baby-step/giant-step](https://nbviewer.jupyter.org/github/jaanos/kirv/blob/master/notebooks/BabyStepGiantStep.ipynb#Running-time-comparison)
* [Pohlig-Hellman](https://nbviewer.jupyter.org/github/jaanos/kirv/blob/master/notebooks/PohligHellman.ipynb#Running-time-comparison)
* [Index calculus](https://nbviewer.jupyter.org/github/jaanos/kirv/blob/master/notebooks/IndexCalculus.ipynb#Running-time-comparison)
Sign in with Wallet
