# Note that if we are not given the prime factorization

This preview shows pages 57–60.

Note that if we are not given the prime factorization of $p-1$, but rather, just a prime $q$ dividing $p-1$, and we want to find an element of order $q$ in $\mathbb{Z}_p^*$, then the above algorithm is easily adapted to this problem. We leave the details as an exercise for the reader.

## 8.2 Computing Discrete Logarithms in $\mathbb{Z}_p^*$

In this section, we consider algorithms for computing the discrete logarithm of $\alpha \in \mathbb{Z}_p^*$ to a given base $\gamma$. The algorithms we present here are in the worst case exponential-time algorithms, and are by no means the best possible; however, in some special cases, these algorithms are not so bad.

### 8.2.1 Brute-force search

Suppose that $\gamma \in \mathbb{Z}_p^*$ generates a subgroup of order $q$ (not necessarily prime), and we are given $p$, $q$, $\gamma$, and $\alpha \in \langle \gamma \rangle$, and wish to compute $\log_\gamma \alpha$. The simplest algorithm to solve the problem is brute-force search:

```
β ← 1
i ← 0
while β ≠ α do
    β ← β · γ
    i ← i + 1
output i
```

This algorithm is clearly correct, and the main loop will always halt after at most $q$ iterations (assuming, as we are, that $\alpha \in \langle \gamma \rangle$). So the total running time is $O(q\,L(p)^2)$.

### 8.2.2 Baby step/giant step method

As above, suppose that $\gamma \in \mathbb{Z}_p^*$ generates a subgroup of order $q$ (not necessarily prime), and we are given $p$, $q$, $\gamma$, and $\alpha \in \langle \gamma \rangle$, and wish to compute $\log_\gamma \alpha$. A faster algorithm than brute-force search is the baby step/giant step method. It works as follows.

Let us choose an approximation $m$ to $q^{1/2}$. It does not have to be a very good approximation — we just need $m = \Theta(q^{1/2})$. Also, let $m' = \lfloor q/m \rfloor$, so that $m' = \Theta(q^{1/2})$ as well.

The idea is to compute all the values $\gamma^i$ for $0 \le i < m$ (the "baby steps") and to build a "lookup table" $T$ that contains all the pairs $(\gamma^i, i)$. Using an appropriate data structure, such as a search trie, we can build the table in time $O(m\,L(p)^2)$, and we can perform a lookup in time $O(L(p))$. By a lookup, we mean that given $\beta \in \mathbb{Z}_p^*$, we can determine if $\beta = \gamma^i$ for some $i$, and if so, determine the value of $i$. Let us define $T(\beta) := i$ if $\beta = \gamma^i$ for some $i$; and otherwise, $T(\beta) := -1$.

After building the lookup table, we execute the following procedure:

```
γ' ← γ^(−m)
β ← α;  j ← 0;  i ← T(β)
while i = −1 do
    β ← β · γ';  j ← j + 1;  i ← T(β)
x ← jm + i
output x
```

To analyze this procedure, suppose that $\alpha = \gamma^x$ for $0 \le x < q$. Now, $x$ can be written in a unique way as $x = vm + u$, where $0 \le u < m$ and $0 \le v \le m'$. In the $j$th loop iteration, for $j = 0, 1, \ldots$, we have

$$\beta = \alpha\gamma^{-mj} = \gamma^{(v-j)m+u}.$$

So we will find that $i \ne -1$ precisely when $j = v$, in which case $i = u$. Thus, the output will be correct, and the total running time of the algorithm is easily seen to be $O(q^{1/2} L(p)^2)$....
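The two procedures of Sections 8.2.1 and 8.2.2, written out as an added Python example (not part of the original notes). It assumes Python 3.8+ for the modular inverse via `pow`, uses a `dict` in place of the search trie, and bounds the giant-step loop at $m'$ so that an $\alpha$ outside $\langle\gamma\rangle$ returns `None`; the function names and the parameters $p = 107$, $q = 53$, $\gamma = 4$ are constructed for illustration.

```python
from math import isqrt


def brute_force_dlog(p, q, gamma, alpha):
    """Section 8.2.1: at most q multiplications; None if alpha is not in <gamma>."""
    beta = 1
    for i in range(q):
        if beta == alpha % p:
            return i
        beta = beta * gamma % p
    return None


def bsgs_dlog(p, q, gamma, alpha):
    """Section 8.2.2: about 2*sqrt(q) multiplications and sqrt(q) table entries.

    gamma must generate a subgroup of order q in Z_p^*.
    Returns x in [0, q) with gamma**x == alpha (mod p), or None.
    """
    m = max(1, isqrt(q))        # m = Theta(q^(1/2))
    m_prime = q // m            # m' = floor(q / m)

    # Baby steps: T maps gamma^i -> i for 0 <= i < m.
    table = {}
    beta = 1
    for i in range(m):
        table[beta] = i
        beta = beta * gamma % p

    # Giant steps: gamma' = gamma^(-m), beta_j = alpha * gamma'^j.
    gamma_prime = pow(gamma, -m, p)
    beta = alpha % p
    for j in range(m_prime + 1):        # v ranges over 0 <= v <= m'
        i = table.get(beta, -1)         # T(beta), -1 when absent
        if i != -1:
            return j * m + i            # x = j*m + i
        beta = beta * gamma_prime % p
    return None                         # alpha is not in <gamma>


if __name__ == "__main__":
    # Constructed parameters: p = 107 is prime, p - 1 = 2 * 53, and 4 = 2^2
    # is a square different from 1, so it has order q = 53.
    p, q, gamma = 107, 53, 4
    alpha = pow(gamma, 41, p)
    print(brute_force_dlog(p, q, gamma, alpha), bsgs_dlog(p, q, gamma, alpha))
```

The table holds about $q^{1/2}$ entries, so the method trades memory for time: its cost in both is set by the order $q$ of the subgroup generated by $\gamma$, and $p$ enters only through the cost of each multiplication.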