Computing discrete logarithms using 𝒪((log q)2) operations from {+,-,×,÷,&}

Christian Schridde

doi:10.1515/gcc-2016-0009

Published by De Gruyter October 11, 2016

Computing discrete logarithms using 𝒪((log q)²) operations from {+,-,×,÷,&}

Christian Schridde

From the journal Groups Complexity Cryptology

https://doi.org/10.1515/gcc-2016-0009

Showing a limited preview of this publication:

Abstract

Given a computational model with registers of unlimited size that is equipped with the set {+,-,×,÷,&}=:𝖮𝖯 of unit cost operations, and given a safe prime number q, we present the first explicit algorithm that computes discrete logarithms in ℤq* to a base g using only 𝒪⁢((log⁡q)2) operations from 𝖮𝖯. For a random n-bit prime number q, the algorithm is successful as long as the subgroup of ℤq* generated by g and the subgroup generated by the element p=2⌊log2⁡(q)⌋ share a subgroup of size at least 2(1-𝒪⁢(log⁡n/n))⁢n.

Keywords: Cryptography; discrete logarithm problem; Fermat quotient; cyclicintegers

MSC 2010: 68Q25; 68W40; 11Y16

A Appendix

A.1 Vanishing coefficients

It is

K=∑i=0u-1ki⁢pi=∑i=0u-1ki⁢2t⁢i=∑i=0u-1∑j=0t-1(ci⁢j⁢2j)⁢2t⁢i

and for w=⌈(u-1)/2⌉ there are I1 and I2 with

I1≡(p-1)⁢∑i=0wp2⁢i⁢(mod⁡pu)≡∑i=0⌈(u-1)/2⌉(2t-1)⁢22⁢t⁢i⁢(mod⁡2t⁢u)≡∑i=0⌈(u-1)/2⌉∑j=0t-1(2j)⁢22⁢t⁢i⁢(mod⁡2t⁢u),

I2≡(p-1)⁢∑i=0wp2⁢i+1⁢(mod⁡pu)≡∑i=0⌈(u-1)/2⌉(2t-1)⁢22⁢t⁢i+t⁢(mod⁡2t⁢u)≡∑i=0⌈(u-1)/2⌉∑j=0t-1(2j)⁢22⁢t⁢i+t⁢(mod⁡2t⁢u).

Going from i=0 to w and taking always the value 2⁢i is the same as going from i=0 to 2⁢w and picking only the even values. Hence, we can use the indicator function 𝟣i⁢even and without loss of generality we assume u-1 is even:

I1≡∑i=0u-1𝟣i⁢even⁢∑j=0t-1(2j)⁢2t⁢i⁢(mod⁡2t⁢u).

Thus, it holds

&⁡K1I1≡∑i=0u-1𝟣i⁢even⁢∑j=0t-1&⁡(2j)⁢2t⁢i∑i=0u-1∑j=0t-1(ci⁢j⁢2j)⁢2t⁢i≡∑i=0u-1𝟣i⁢even⁢∑j=0t-1(ci⁢j⁢2j)⁢2t⁢i≡∑i=0u-1𝟣i⁢even⁢ki⁢pi⁢(mod⁡2t⁢u).

Hence all odd coefficients vanish. The case for K2 is analogous.

A.2 Example

For further clarity, we add short examples for some of the key computation steps of our approach using a toy setup. We set

q=37,g=5,
(g,r,q)=(5,19,37).

It follows from q/2<p=2t<q that p=32. In order to solve (g,r,q), we compute (p,r,q) and (p,g,q), which allows us to derive the solution of (g,r,q). However, in this example we only show how to compute (p,r,q), since the case (p,g,q) is analogous and deriving the solution of (g,r,q) is standard. The solution for (p,r,q)=(32,19,37) is 7 since 327≡19⁢(mod⁡37).

It is |𝔾g|=18 and |𝔾p|=36=u, hence 𝔾g⊂𝔾p. The integer Q37,36⁢(32) in base-32 representation is equal to

Q37,36⁢(32)=3236-137

=0⋅3235+27⋅3234+21⋅3233+19⋅3232+28⋅3231

+17⋅3230+9⏟k^⋅3229+16⋅3228+13⋅3227+26⋅3226

+25⋅3225+30⋅3224+8⋅3223+20⋅3222+24⋅3221

+6⋅3220+29⋅3219+12⋅3218+31⏟k¯⋅3217+4⋅3216

+10⋅3215+12⋅3214+3⋅3213+14⋅3212+22⋅3211

+15⋅3210+18⋅329+5⋅328+6⋅327+1⋅326

+23⋅325+11⋅324+7⋅323+25⋅322+2⋅321+19⋅320.

Since p is a primitive root in ℤq*, the largest coefficient k¯ is k¯=31=p-1, and hence we get b=1, see Section 4.3. Now we can compute |SQ37,36⁢(32)⁢(32)| via Corollary 4:

|SQ37,36⁢(32)⁢(32)|=dsp⁡(Q37,36⁢(32))+dsp⁡(𝖱32,36)-dsp⁡(Q37,36⁢(32)+𝖱32,36)31=558+36-56331=1.

Thus, k¯=31 only appears once. Next, we compute the r¯∈𝔾p via

φ2,q,p⁢(k¯,i)=φ2,37,32⁢(31,i)=-37⋅31⁢(mod⁡32)+32⁢i=5+32⁢i.

Since |SQ37,36⁢(32)⁢(32)|=1, we have i=0 and hence

φ2,37,32⁢(31,0)=5=r¯.

The coefficient k^ that is associated with the target residue r=19 is

φ1,q,p⁢(r)=φ1,37,32⁢(19)=-19⋅37-1⁢(mod⁡32)=9=k^.

The next step is to apply the cyclic shift to shift k¯ to k^:

Q←37,36⁢(32)=Q37,36⁢(32)⁢[r¯⁢r-1⁢(mod⁡q)]

=Q37,36⁢(32)⁢[5⋅19-1⁢(mod⁡37)]

=Q37,36⁢(32)⋅10,

which is equal to

Q←37,36⁢(32)=8⋅3235+20⋅3234+24⋅3233+6⋅3232+29⋅3231

+12⋅3230+31⏟k¯⋅3229+4⋅3228+10⋅3227+12⋅3226

+3⋅3225+14⋅3224+22⋅3223+15⋅3222+18⋅3221

+5⋅3220+6⋅3219+1⋅3218+23⋅3217+11⋅3216

+7⋅3215+25⋅3214+2⋅3213+19⋅3212+0⋅3211

+27⋅3210+21⋅329+19⋅328+28⋅327+17⋅326

+9⏟k^⋅325+16⋅324+13⋅323+26⋅322+25⋅321+30⋅320.

Now, the largest coefficient 31 is at the position of the former coefficient 9. Its position (starting from the largest monomial) is now, due to the cyclic shift, equal to the solution for (32,19,37), i.e., x=7=36-29.

To actually compute the position x, we split the Q←37,36⁢(32) into

Q←(1)=Q37,36⁢(32)⁢(mod⁡3218)

=23⋅3217+11⋅3216+7⋅3215+25⋅3214+2⋅3213

+19⋅3212+0⋅3211+27⋅3210+21⋅329+19⋅328

+28⋅327+17⋅326+9⏟k^⋅325+16⋅324+13⋅323

+26⋅322+25⋅321+30⋅320,

Q←(2)=⌊Q37,36⁢(32)3218⌋⁢(mod⁡3218)

=8⋅3217+20⋅3216+24⋅3215+6⋅3214+29⋅3213

+12⋅3212+31⏟k¯⋅3211+4⋅3210+10⋅329+12⋅328

+3⋅327+14⋅326+22⋅325+15⋅324+18⋅323

+5⋅322+6⋅321+1⋅320.

Next, we test which integer does contain the coefficient 31. We add 𝖱32,18 and test if a carry occurs. For Q←(1) it is

dsp⁡(Q←(1))+dsp⁡(𝖱32,18)=?dsp⁡(Q←(1)+𝖱32,18),

318+18=336,

336=336,

i.e., no carry occurs in this case, but

dsp(Q←(2)+dsp(𝖱32,18)=?dsp(Q←(2)+𝖱32,18),

240+18≠227,

258≠227.

Hence Q←(2) contains the coefficient and we keep Q←(2) and drop Q←(1). So the position of the coefficient 31 must be somewhere in the interval [18,35]. This procedure is repeated with Q←(2) as the input integer until the position of 31 is determined. Note that the final output is then |Qq,u⁢(p)|p minus the computed position, in this case 36-29=7. Algorithm 2 considers that by reducing the bounds in the opposite way, but only for minor technical reasons.

Digit sum example.

We use the integer Q←(1) to give an example for the digit sum computation. Since

|Q←(1)|p=18<33=p+1

(Requirement 1), we do not need to split it, and hence we have

ds⁡(Q←(1))≡Q←(1)≡8⁢(mod⁡31)

as the first input to the Chinese Remainder Theorem. Then the four integers I1, I2, K1, K2 from equation (4.2), equation (4.3) and equation (4.4), equation (4.5) are computed:

I1=31⁢3236-1322-1⁢(mod⁡3218)=37513334523799402269670431,

I2=31⋅32⁢3236-1322-1⁢(mod⁡3218)=1200426704761580872629453792,

K1=&⁡I1K=1200426704761580872629453792,

K2=&⁡I2K=890033929547123901742875424,

which yields the next remainder of ds⁡(Q←(1))⁡(mod⁡p+1):

ds⁡(Q←(1))≡K1-K2≡21⁢(mod⁡33).

Finally, the application of the Chinese remainder theorem yields

CRT⁢({8,21},{31,33})=318,

which indeed is the correct base-p digit sum of Q←(1).

References

[1] Allender E., Bürgisser P., Kjeldgaard-Pedersen J. and Miltersen P. B., On the complexity of numerical analysis, Proceeding of the 21st Annual IEEE Conference on Computational Complexity (CCC 2006), IEEE Press, Piscataway (2006), 331–339. 10.1109/CCC.2006.30Search in Google Scholar

[2] Baran I., Demaine E. D. and Pǎtraşcu M., Subquadratic algorithms for 3SUM, Algorithms and Data Structures, Lecture Notes in Comput. Sci. 3608, Springer, Berlin (2005), 409–421. 10.1007/11534273_36Search in Google Scholar

[3] Du X., Klapper A. and Chen Z., Linear complexity of pseudorandom sequences generated by Fermat quotients and their generalizations, Inf. Process. Lett. 112 (2012), no. 6, 233–237. 10.1016/j.ipl.2011.11.017Search in Google Scholar

[4] Goresky M., Klapper A., Murty R. and Shparlinski I. E., On decimations of l-sequences, SIAM J. Discrete Math. 18 (2004), no. 1, 130–140. 10.1137/S0895480102403428Search in Google Scholar

[5] van Lint J. H., Introduction to Coding Theory, 3rd ed., Springer, Berlin, 1999. 10.1007/978-3-642-58575-3Search in Google Scholar

[6] Lürwer-Brüggemeier K. and Ziegler M., On faster integer calculations using non-arithmetic primitives, Proceedings of the 7th International Conference on Unconventional Computation (UC’08), Lecture Notes in Comput. Sci. 5204, Springer, Berlin (2008), 111–128. 10.1007/978-3-540-85194-3_11Search in Google Scholar

[7] Pomerance C. and Shparlinski I., Smooth orders and cryptographic applications, ANTS-V Proceedings of the 5th International Symposium on Algorithmic Number Theory, University of Sydney, Sydney (2002), 338–348. 10.1007/3-540-45455-1_27Search in Google Scholar

[8] Pratt V. R., Rabin M. O. and Stockmeyer L. J., A characterization of the power of vector machines, STOC – Sixth Annual ACM Symposium on Theory of Computing, ACM, San Diego (1974), 122–134. 10.1145/800119.803892Search in Google Scholar

[9] Shamir A., Factoring numbers in 𝒪⁢(log⁡(n)) arithmetic steps, Inf. Process. Lett. 8 (1979), no. 1, 28–31. 10.1016/0020-0190(79)90087-5Search in Google Scholar

Received: 2015-9-8

Published Online: 2016-10-11

Published in Print: 2016-11-1