
```
γ ← ∏_{i=1}^{r} γ_i
output γ
```

First, let us analyze the correctness of this algorithm. When the $i$th loop iteration terminates, by construction, we have $\gamma_i^{q_i^{e_i}} = 1$ but $\gamma_i^{q_i^{e_i - 1}} \neq 1$. It follows (cf. Theorem 4.28) that $\gamma_i$ has order $q_i^{e_i}$. From this, it follows (cf. Theorem 4.29) that $\gamma$ has order $p - 1$. Thus, we have shown that if the algorithm terminates, its output is always correct.

Let us now analyze the running time of this algorithm. Consider the repeat/until loop in the $i$th iteration of the outer loop. Since the kernel of the $(p-1)/q_i$-power map on $\mathbb{Z}_p^*$ has order $(p-1)/q_i$, the probability that a random $\alpha \in \mathbb{Z}_p^*$ lies in the kernel is $1/q_i$. It follows that the expected number of iterations of the repeat/until loop is $O(1)$, and therefore, the expected running time of the entire algorithm is $O(r L(p)^3)$, and since $r \le \log_2 p$, this is $O(L(p)^4)$.

Note that if we are not given the prime factorization of $p - 1$, but rather, just a prime $q$ dividing $p - 1$, and we want to find an element of order $q$ in $\mathbb{Z}_p^*$, then the above algorithm is easily adapted to this problem. We leave the details as an exercise for the reader.


## 8.2 Computing Discrete Logarithms in $\mathbb{Z}_p^*$

In this section, we consider algorithms for computing the discrete logarithm of $\alpha \in \mathbb{Z}_p^*$ to a given base $\gamma$. The algorithms we present here are in the worst case exponential-time algorithms, and are by no means the best possible; however, in some special cases, these algorithms are not so bad.

### 8.2.1 Brute-force search

Suppose that $\gamma \in \mathbb{Z}_p^*$ generates a subgroup of order $q$ (not necessarily prime), and we are given $p$, $q$, $\gamma$, and $\alpha \in \langle \gamma \rangle$, and wish to compute $\log_\gamma \alpha$. The simplest algorithm to solve the problem is brute-force search:

```
β ← 1, i ← 0
while β ≠ α do
    β ← β · γ, i ← i + 1
output i
```

This algorithm is clearly correct, and the main loop will always halt after at most $q$ iterations (assuming, as we are, that $\alpha \in \langle \gamma \rangle$). So the total running time is $O(q L(p)^2)$.

### 8.2.2 Baby step/giant step method

As above, suppose that $\gamma \in \mathbb{Z}_p^*$ generates a subgroup of order $q$ (not necessarily prime), and we are given $p$, $q$, $\gamma$, and $\alpha \in \langle \gamma \rangle$, and wish to compute $\log_\gamma \alpha$. A faster algorithm than brute-force search is the baby step/giant step method. It works as follows.

Let us choose an approximation $m$ to $q^{1/2}$. It does not have to be a very good approximation — we just need $m = \Theta(q^{1/2})$. Also, let $m' = \lfloor q/m \rfloor$, so that $m' = \Theta(q^{1/2})$ as well.

The idea is to compute all the values $\gamma^i$ for $0 \le i < m$ (the "baby steps") and to build a "lookup table" $T$ that contains all the pairs $(\gamma^i, i)$. Using an appropriate data structure, such as a search trie, we can build the table in time $O(m L(p)^2)$, and we can perform a lookup in time $O(L(p))$. By a lookup, we mean that given $\beta \in \mathbb{Z}_p^*$, we can determine if $\beta = \gamma^i$ for some $i$, and if so, determine the value of $i$. Let us define $T(\beta) := i$ if $\beta = \gamma^i$ for some $i$; and otherwise, $T(\beta) := -1$.
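The brute-force search and the baby-step table $T$ described above, as an added Python example that is not part of the original text. The excerpt ends before the giant-step phase, so that loop is the standard completion and goes beyond what is shown here; a dict stands in for the search trie, and the parameters $p = 1019$, $q = 509$, $\gamma = 4$ are constructed for illustration.

```python
from math import isqrt

def brute_force_log(p, gamma, alpha):
    """Section 8.2.1: step beta through gamma^i until it equals alpha."""
    beta, i = 1, 0
    while beta != alpha:          # halts only if alpha is in <gamma>
        beta = beta * gamma % p
        i += 1
    return i

def build_table(p, gamma, m):
    """Baby steps: the pairs (gamma^i, i) for 0 <= i < m, as a dict."""
    table, beta = {}, 1
    for i in range(m):
        table[beta] = i
        beta = beta * gamma % p
    return table

def bsgs_log(p, q, gamma, alpha):
    """Return log_gamma(alpha) in [0, q), or None if alpha is not in <gamma>."""
    m = isqrt(q - 1) + 1          # m = Theta(q^(1/2))
    m_prime = q // m              # m' = floor(q/m)
    table = build_table(p, gamma, m)
    # Giant steps (assumed completion): if alpha = gamma^(j*m + i) with
    # 0 <= i < m, then alpha * gamma^(-m*j) = gamma^i is found in the table.
    giant = pow(gamma, -m, p)     # gamma^(-m) mod p (Python 3.8+)
    beta = alpha % p
    for j in range(m_prime + 1):
        i = table.get(beta, -1)   # T(beta) := -1 when beta is not a baby step
        if i != -1:
            return j * m + i
        beta = beta * giant % p
    return None

# Constructed parameters: p = 1019 is prime, p - 1 = 2 * 509 with 509 prime,
# so gamma = 4 (a square other than 1) generates the subgroup of order q = 509.
P, Q, GAMMA = 1019, 509, 4

if __name__ == "__main__":
    alpha = pow(GAMMA, 321, P)
    print(bsgs_log(P, Q, GAMMA, alpha), brute_force_log(P, GAMMA, alpha))
```

With these parameters the table holds 23 entries and at most 23 giant steps are taken, against up to 509 multiplications for the brute-force loop.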