Prime Numbers

232 Chapter 5 EXPONENTIAL FACTORING ALGORITHMS
5.2.2 Pollard rho method for discrete logarithms
Pollard has also suggested a rho method for discrete logarithm computations,
but it does not involve iterating x 2 + 1, or any simple polynomial for that
matter, [Pollard 1978]. If we are given a finite cyclic group G and a generator
g of G, the discrete logarithm problem for G is to express given elements of
G in the form g l ,wherel is an integer. The rho method can be used for any
group for which it is possible to perform the group operation and for which we
can assign numerical labels to the group elements. However, we shall discuss
it for the specific group Z ∗ p of nonzero residues modulo p, wherep is a prime
greater than 3.
We view the elements of Z ∗ p as integers in {1, 2,...,p− 1}. Letg be a
generator and let t be an arbitrary element. Our goal is to find an integer l
such that g l = t; thatis,t = g l mod p. Since the order of g is p − 1, it is really
a residue class modulo (p − 1) that we are searching for, not a specific integer
l, though of course, we might request the least nonnegative value.
Consider a sequence of pairs (ai,bi) of integers modulo (p − 1) and a
sequence (xi) of integers modulo p such that xi = t ai g bi mod p, and we begin
with the initial values a0 = b0 =0,x0 = 1. The rule for getting the i +1
terms from the i termsisasfollows:
⎧
⎨
and so
(ai+1,bi+1) =
⎩
((ai +1)mod(p−1),bi), if 0