Index calculus algorithm

Index calculus algorithm

In group theory, the index calculus algorithm is an algorithm for computing discrete logarithms. This is the best known algorithm for certain groups, such as mathbb{Z}_m^* (the multiplicative group modulo "m").Dubious|date=April 2008

Description

Roughly speaking, the discrete log problem asks us to find an "x" such that g^x equiv h pmod{n}, where "g", "h", and the modulus "n" are given.

The algorithm (described in detail below) applies to the group mathbb{Z}_q^* where "q" is prime. It requires a "factor base" as input. This "factor base" is usually chosen to be the number −1 and the first "r" primes starting with 2. From the point of view of efficiency, we want this factor base to be small, but in order to solve the discrete log for a large group we require the "factor base" to be (relatively) large. In practical implementations of the algorithm, those conflicting objectives are compromised one way or another.

It is noteworthy that the lack of the notion of "prime elements" in the group of points on elliptic curves, makes it impossible to find an efficient "factor base" to run index calculus in these groups. Therefore this algorithm is incapable of solving discrete logarithms efficiently in elliptic curve groups.

The algorithm is performed in three stages. The first two stages depend only on the generator "g" and prime modulus "q", and find the discrete logarithms of a "factor base" of "r" small primes. The third stage finds the discrete log of the desired number "h" in terms of the discrete logs of the factor base.

The first stage consists of searching for a set of "r" linearly independent "relations" between the factor base and power of the generator "g". Each relation contributes one equation to a system of linear equations in "r" unknowns, namely the discrete logarithms of the "r" primes in the factor base. This stage is embarrassingly parallel and easy to divide among many computers.

The second stage solves the system of linear equations to compute the discrete logs of the factor base. Although a relatively minor computation compared to the other stages, a system of hundreds of thousands or millions of equations is a significant computation requiring large amounts of memory, and it is "not" embarrassingly parallel, so a supercomputer is typically used.

The third stage searches for a power "s" of the generator "g" which, when multiplied by the argument "h", may be factored in terms of the factor base "gsh" = (−1)"f"0 2"f"1 3"f"2···"p""r""f""r".

Finally, in an operation too simple to really be called a fourth stage, the results of the second and third stages can be rearranged by simple algebraic manipulation to work out the desired discrete logarithm "x" = "f"0log"g"(−1) + "f"1log"g"2 + "f"2log"g"3 + ··· + "f""r"log"g""pr" − "s".

The first and third stages are both embarrassingly parallel, and in fact the third stage does not depend on the results of the first two stages, so it may be done in parallel with them.

The choice of the factor base size "r" is critical, and the details are too intricate to explain here. The larger the factor base, the easier it is to find relations in stage 1, and the easier it is to complete stage 3, but the more relations you need before you can proceed to stage 2, and the more difficult stage 2 is. The relative availability of computers suitable for the different types of computation required for stages 1 and 2 is also important.

The algorithm

Input: Discrete logarithm generator "g", modulus "q" and argument "h". Factor base {−1,2,3,5,7,11,...,"pr"}, of length "r"+1. Output: "x" such that "gx" ≡ "h" (mod "q").

* relations ← empty_list
* for "k" = 1, 2, ...
** Using an integer factorization algorithm optimized for smooth numbers, try to factor g^k using the factor base, i.e. find e_i's such that g^k = (-1)^{e_0}2^{e_1}3^{e_2}cdots p_r^{e_r}
** Each time a factorization is found:
*** Store "k" and the computed e_i's as a vector (e_0,e_1,e_2,ldots,e_r,k) (this is a called a relation)
*** If this relation is linearly independent to the other relations:
**** Add it to the list of relations
**** If there are at least "r"+1 relations, exit loop
* Form a matrix whose rows are the relations
* Obtain the reduced echelon form of the matrix
** The first element in the last column is the discrete log of −1 and the second element is the discrete log of 2 and so on
* for "s" = 0, 1, 2, ...
** Try to factor g^s h = (-1)^{f_0}2^{f_1}3^{f_1}cdots p^{f_r} over the factor base
** When a factorization is found:
*** Output x = f_0 log_g(-1) + f_1 log_g2 + cdots + f_r log_g p_r - s.

External links

* [http://www.dtc.umn.edu/~odlyzko/doc/arch/discrete.logs.pdf Discrete logarithms in finite fields and their cryptographic significance] , by Andrew Odlyzko
* [http://www.cs.toronto.edu/~cvs/dlog/ Discrete Logarithm Problem] , by Chris Studholme, including the June 21, 2002 paper "The Discrete Log Problem".


Wikimedia Foundation. 2010.

Игры ⚽ Нужно сделать НИР?

Look at other dictionaries:

  • Pollard's lambda algorithm — In mathematics, specifically computational number theory and computational algebra, Pollard s lambda algorithm (aka Pollard s kangaroo algorithm, see Naming below) is an algorithm for solving the discrete logarithm. The algorithm was introduced… …   Wikipedia

  • Algorithm characterizations — The word algorithm does not have a generally accepted definition. Researchers are actively working in formalizing this term. This article will present some of the characterizations of the notion of algorithm in more detail. This article is a… …   Wikipedia

  • Multiplication algorithm — A multiplication algorithm is an algorithm (or method) to multiply two numbers. Depending on the size of the numbers, different algorithms are in use. Efficient multiplication algorithms have existed since the advent of the decimal system.… …   Wikipedia

  • Cipolla's algorithm — In computational number theory, Cipolla s algorithm is a technique for solving a congruence of the form x2 = n, where , so n is the square of x, and where p is an odd prime. Here denotes the finite field with p elements; . Th …   Wikipedia

  • Cantor–Zassenhaus algorithm — In mathematics, particularly computational algebra, the Cantor–Zassenhaus algorithm is a well known method for factorising polynomials over finite fields (also called Galois fields).The algorithm consists mainly of exponentiation and polynomial… …   Wikipedia

  • Williams' p + 1 algorithm — In computational number theory, Williams p + 1 algorithm is an integer factorization algorithm, one of the family of algebraic group factorisation algorithms. It was invented by Hugh C. Williams in 1982. It works well if the number N to be… …   Wikipedia

  • Berlekamp's algorithm — In mathematics, particularly computational algebra, Berlekamp s algorithm is a well known method for factoring polynomials over finite fields (also known as Galois fields ). The algorithm consists mainly of matrix reduction and polynomial GCD… …   Wikipedia

  • Cornacchia's algorithm — In computational number theory, Cornacchia s algorithm is an algorithm for solving the Diophantine equation x2 + dy2 = m, where and d and m are coprime. The algorithm was described in 1908 by Giuseppe Cornacchia[1]. Contents 1 The algorithm …   Wikipedia

  • Propositional calculus — In mathematical logic, a propositional calculus or logic (also called sentential calculus or sentential logic) is a formal system in which formulas of a formal language may be interpreted as representing propositions. A system of inference rules… …   Wikipedia

  • Expectation-maximization algorithm — An expectation maximization (EM) algorithm is used in statistics for finding maximum likelihood estimates of parameters in probabilistic models, where the model depends on unobserved latent variables. EM alternates between performing an… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”