Note that if we are not given the prime factorization of $p-1$, but rather just a prime $q$ dividing $p-1$, and we want to find an element of order $q$ in $\mathbb{Z}_p^*$, then the above algorithm is easily adapted to this problem. We leave the details as an exercise for the reader.

8.2 Computing Discrete Logarithms in $\mathbb{Z}_p^*$

In this section, we consider algorithms for computing the discrete logarithm of $\alpha \in \mathbb{Z}_p^*$ to a given base $\gamma$. The algorithms we present here are, in the worst case, exponential-time algorithms, and are by no means the best possible; however, in some special cases, these algorithms are not so bad.

8.2.1 Brute-force search

Suppose that $\gamma \in \mathbb{Z}_p^*$ generates a subgroup of order $q$ (not necessarily prime), and we are given $p$, $q$, $\gamma$, and $\alpha \in \langle\gamma\rangle$, and wish to compute $\log_\gamma \alpha$. The simplest algorithm to solve the problem is brute-force search:

    $\beta \leftarrow 1$
    $i \leftarrow 0$
    while $\beta \neq \alpha$ do
        $\beta \leftarrow \beta \cdot \gamma$
        $i \leftarrow i + 1$
    output $i$

This algorithm is clearly correct, and the main loop will always halt after at most $q$ iterations (assuming, as we are, that $\alpha \in \langle\gamma\rangle$). So the total running time is $O(q\,L(p)^2)$.

8.2.2 Baby step/giant step method

As above, suppose that $\gamma \in \mathbb{Z}_p^*$ generates a subgroup of order $q$ (not necessarily prime), and we are given $p$, $q$, $\gamma$, and $\alpha \in \langle\gamma\rangle$, and wish to compute $\log_\gamma \alpha$. A faster algorithm than brute-force search is the baby step/giant step method. It works as follows.

Let us choose an approximation $m$ to $q^{1/2}$. It does not have to be a very good approximation; we just need $m = \Theta(q^{1/2})$. Also, let $m' = \lfloor q/m \rfloor$, so that $m' = \Theta(q^{1/2})$ as well.

The idea is to compute all the values $\gamma^i$ for $0 \le i < m$ (the "baby steps") and to build a "lookup table" $T$ that contains all the pairs $(\gamma^i, i)$. Using an appropriate data structure, such as a search trie, we can build the table in time $O(m\,L(p)^2)$, and we can perform a lookup in time $O(L(p))$. By a lookup, we mean that given $\beta \in \mathbb{Z}_p^*$, we can determine if $\beta = \gamma^i$ for some $i$, and if so, determine the value of $i$. Let us define $T(\beta) := i$ if $\beta = \gamma^i$ for some $0 \le i < m$; and otherwise, $T(\beta) := -1$.

After building the lookup table, we execute the following procedure:

    $\gamma' \leftarrow \gamma^{-m}$
    $\beta \leftarrow \alpha$; $j \leftarrow 0$; $i \leftarrow T(\beta)$
    while $i = -1$ do
        $\beta \leftarrow \beta \cdot \gamma'$; $j \leftarrow j + 1$; $i \leftarrow T(\beta)$
    $x \leftarrow jm + i$
    output $x$

To analyze this procedure, suppose that $\alpha = \gamma^x$ for $0 \le x < q$. Now, $x$ can be written in a unique way as $x = vm + u$, where $0 \le u < m$ and $0 \le v \le m'$. In the $j$th loop iteration, for $j = 0, 1, \ldots$, we have $\beta = \alpha\gamma^{-mj} = \gamma^{(v-j)m+u}$. So we will find that $i \neq -1$ precisely when $j = v$ (for $j < v$ the exponent $(v-j)m+u$ lies in $[m, q)$, so $\beta$ is not one of the baby steps), in which case $i = u$. Thus, the output will be correct, and the total running time of the algorithm is easily seen to be $O(q^{1/2}\,L(p)^2)$.
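The following Python program is an added example and is not part of the original notes. It implements the brute-force search of 8.2.1 and the baby step/giant step method of 8.2.2 side by side, and also the construction that the remark at the top leaves as an exercise: given a prime $q$ dividing $p-1$, an element of order $q$ is obtained as $a^{(p-1)/q}$ for a random $a$, retrying if the result is $1$. The parameters $p = 1019$, $q = 509$, $\gamma = 4$ are constructed for illustration ($509$ is prime and divides $1018$; $4$ is a square, so its order divides $509$ and hence equals $509$). A Python dict stands in for the search trie, and both loops are bounded so that an $\alpha$ outside $\langle\gamma\rangle$ returns None instead of running forever; the notes assume $\alpha \in \langle\gamma\rangle$ and need no such bound.

```python
"""Discrete logarithms in a subgroup of Z_p^*: brute force vs. baby step/giant step.
Added illustration, not code from the original notes. Parameters are constructed."""
import random
from typing import Dict, Optional


def element_of_order_q(p: int, q: int, seed: Optional[int] = None) -> int:
    """Return an element of order exactly q in Z_p^*, given a prime q dividing p-1.

    Every a in Z_p^* satisfies a^(p-1) = 1, so g = a^((p-1)/q) has order dividing q.
    Because q is prime, g has order q unless g = 1, which happens with probability
    1/q for random a, so the retry loop terminates almost immediately.
    """
    assert (p - 1) % q == 0
    rng = random.Random(seed)
    while True:
        a = rng.randrange(2, p)
        g = pow(a, (p - 1) // q, p)
        if g != 1:
            return g


def brute_force_dlog(p: int, q: int, gamma: int, alpha: int) -> Optional[int]:
    """Section 8.2.1: walk beta = gamma^i for i = 0, 1, 2, ... until beta == alpha.

    Returns None after q steps if alpha is not in <gamma> (added bound).
    """
    beta, i = 1, 0
    while beta != alpha:
        beta = beta * gamma % p
        i += 1
        if i >= q:
            return None
    return i


def bsgs_dlog(p: int, q: int, gamma: int, alpha: int) -> Optional[int]:
    """Section 8.2.2: baby steps gamma^i (0 <= i < m) go into the table T;
    giant steps multiply alpha by gamma' = gamma^(-m) until the result is in T.
    """
    m = int(q ** 0.5) + 1        # m = Theta(q^(1/2))
    m_prime = q // m             # m' = floor(q/m), the largest possible giant-step count
    # Baby steps. T maps gamma^i -> i; setdefault keeps the smallest i if q < m.
    T: Dict[int, int] = {}
    beta = 1
    for i in range(m):
        T.setdefault(beta, i)
        beta = beta * gamma % p
    # Giant steps. pow(x, -1, p) is the inverse of x modulo the prime p.
    gamma_prime = pow(pow(gamma, m, p), -1, p)
    beta, j = alpha, 0
    while beta not in T:                  # T(beta) == -1 in the notes' notation
        beta = beta * gamma_prime % p
        j += 1
        if j > m_prime:
            return None                   # alpha is not in <gamma> (added bound)
    return j * m + T[beta]                # x = jm + i


if __name__ == "__main__":
    p, q, gamma = 1019, 509, 4            # constructed instance, see lead-in
    alpha = pow(gamma, 123, p)
    print("brute force:", brute_force_dlog(p, q, gamma, alpha))
    print("baby/giant :", bsgs_dlog(p, q, gamma, alpha))
    g = element_of_order_q(p, q, seed=7)
    print("random element of order q:", g, "g^q mod p =", pow(g, q, p))
    print("outside <gamma>:", bsgs_dlog(p, q, gamma, 2))
```

With $q = 509$ the brute-force loop may run up to 508 multiplications, whereas the baby step/giant step method stores $m = 23$ baby steps and takes at most $m' = 22$ giant steps, which is the $O(q^{1/2})$ versus $O(q)$ gap the analysis describes. Since $1019 \equiv 3 \pmod 8$, the element $2$ is a non-residue and so lies outside $\langle 4 \rangle$; both routines report that by returning None.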
 Spring '13
 MRR
 Math, Algebra, Number Theory