Prime Numbers


Source: thales.doa.fmph.uniba.sk, 10.12.2012

302 Chapter 6 SUBEXPONENTIAL FACTORING ALGORITHMS

Assuming the ERH, see Conjecture 1.4.2, an algorithm of Shanks deterministically factors $n$ in a running-time bound of $O(n^{1/5+o(1)})$. This method is described in Section 5.6.4. That is it for rigorous, deterministic methods. What, then, of probabilistic methods?

The first subexponential probabilistic factoring algorithm with a completely rigorous analysis was the “random-squares method” of J. Dixon; see [Dixon 1981]. His algorithm is to take random integers $r$ in $[1,n]$, looking for those where $r^2 \bmod n$ is smooth. If enough are found, then congruent squares can be assembled, as in QS, and so a factorization of $n$ may be attempted. The randomness of the numbers $r$ that are used allows one to say rigorously how frequently the residues $r^2 \bmod n$ are smooth, and how likely it is that the congruent squares assembled lead to a nontrivial factorization of $n$. Dixon showed that the expected running time for his algorithm to split $n$ is bounded by $\exp\big((c+o(1))\sqrt{\ln n \ln\ln n}\big)$, where $c = \sqrt{8}$. Subsequent improvements by Pomerance and later by B. Vallée lowered $c$ to $4/3$.

The current lowest running-time bound for a rigorous probabilistic factoring algorithm is $\exp\big((1+o(1))\sqrt{\ln n \ln\ln n}\big)$. This is achieved by the “class-group-relations method” of [Lenstra and Pomerance 1992]. Previously, this time bound was achieved by A. Lenstra for a very similar algorithm, but the analysis required the use of the ERH. It is interesting that this time bound is exactly the same as that heuristically achieved by QS. Again the devil is in the “$o(1)$,” making the class-group-relations method impractical in comparison.

It is interesting that both the improved versions of the random-squares method and the class-group-relations method use ECM as a subroutine to quickly recognize smooth numbers. One might well wonder how a not-yet-rigorously analyzed algorithm can be used as a subroutine in a rigorous algorithm. The answer is that one need not show that the subroutine always works, just that it works frequently enough to be of use. It can be shown rigorously that ECM recognizes most $y$-smooth numbers below $x$ in $y^{o(1)} \ln x$ arithmetic operations with integers the size of $x$. There may be some exceptional numbers that are stubborn for ECM, but they are provably rare.

Concerning the issue of smoothness tests, a probabilistic algorithm announced in [Lenstra et al. 1993b] recognizes all $y$-smooth numbers $n$ in $y^{o(1)} \ln n$ arithmetic operations. That is, it performs similarly to ECM, but unlike ECM, the complexity estimate is completely rigorous and there are provably no exceptional numbers.

6.4 Index-calculus method for discrete logarithms

In Chapter 5 we described some general algorithms for the computation of discrete logarithms that work in virtually any cyclic group for which we can represent group elements on a computer and perform the group operation. These exponential-time algorithms take a number of steps that is about the square root of the group order. In certain specific groups we have more information that might be used profitably for DL computations. We have seen in this chapter the ubiquitous role of smooth numbers as an aid to factorization. In some groups sense can be made of saying that a group element is smooth, and when this is the case, it is often possible to perform DLs via a subexponential algorithm. The basic idea is embodied in the index-calculus method.

We first describe the index-calculus method for the multiplicative group of the finite field $\mathbb{F}_p$, where $p$ is prime. Later we shall see how the method can be used for all finite fields.

The fact that subexponential methods exist for solving DLs in the multiplicative group of a finite field has led cryptographers to use other groups, the most popular being elliptic-curve groups; see Chapter 7.

6.4.1 Discrete logarithms in prime finite fields

Consider the multiplicative group $\mathbb{F}_p^*$, where $p$ is a large prime. This group is cyclic, a generator being known as a primitive root (Definition 2.2.6). Suppose $g$ is a primitive root and $t$ is an element of the group. The DL problem for $\mathbb{F}_p^*$ is, given $p, g, t$, to find an integer $l$ with $g^l = t$. Actually, $l$ is not well-defined by this equation; the integers $l$ that work form a residue class modulo $p-1$. We write $l \equiv \log_g t \pmod{p-1}$.

What makes the index-calculus method work in $\mathbb{F}_p^*$ is that we do not have to think of $g$ and $t$ as abstract group elements, but rather as integers, and we may think of the equation $g^l = t$ as the congruence $g^l \equiv t \pmod p$. The index-calculus method consists of two principal stages. The first stage involves gathering “relations.” These are congruences
$$g^r \equiv p_1^{r_1} \cdots p_k^{r_k} \pmod p,$$
where $p_1, \dots, p_k$ are small prime numbers. Such a congruence gives rise to a congruence of discrete logarithms:
$$r \equiv r_1 \log_g p_1 + \cdots + r_k \log_g p_k \pmod{p-1}.$$
If there are enough of these relations, it may then be possible to use linear algebra to solve for the various $\log_g p_i$.

After this precomputation, which is the heart of the method, the final discrete logarithm of $t$ is relatively simple. If one has a relation of the form
$$g^R t \equiv p_1^{\tau_1} \cdots p_k^{\tau_k} \pmod p,$$
then we have that
$$\log_g t \equiv -R + \tau_1 \log_g p_1 + \cdots + \tau_k \log_g p_k \pmod{p-1}.$$
Both kinds of relations are found via random choices for the numbers $r, R$. A choice for $r$ gives rise to some residue $g^r \bmod p$, which may or may not factor completely over the small primes $p_1, \dots, p_k$. Similarly, a choice for $R$ gives rise to the residue $g^R t \bmod p$. By taking residues closest to $0$ and allowing a factor $-1$ in a prime factorization, a small gain is realized. Note that we do not have to solve for the discrete logarithm of $-1$; it is already known as $(p-1)/2$. We summarize the index-calculus method for $\mathbb{F}_p^*$ in the following pseudocode.
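The book's pseudocode does not appear on this page, so the following is an added worked example, not the authors' code: a complete Python implementation of the two stages described above (gather relations $g^r \equiv \pm p_1^{r_1}\cdots p_k^{r_k}$, solve for the $\log_g p_i$ by linear algebra, then finish with one relation $g^R t \equiv \pm\prod p_i^{\tau_i}$), including the signed-residue trick and the known value $\log_g(-1) = (p-1)/2$. All parameters are constructed for illustration: the safe prime $p = 1019$, the primitive root $g = 2$, the target $t = 777$, and a factor base of the primes up to $20$. One simplification is an assumption of this example rather than something the page states: $p-1$ is required to be squarefree, so that the linear algebra modulo $p-1$ can be done as Gaussian elimination over $\mathrm{GF}(\ell)$ for each prime $\ell \mid p-1$ and recombined with the Chinese remainder theorem. The tiny $p$ is only so the run is instant; the subexponential behaviour of this method is exactly why real-world prime-field DL parameters must be large, which is the point the text makes about cryptographers moving to elliptic-curve groups.

```python
# Added example (not from the book): index calculus in F_p^* for small, squarefree p - 1.
# p = 1019, g = 2, t = 777 and the factor-base bound are constructed demo values.
import math
import random


def small_primes(bound):
    """Primes up to `bound` (the factor base p_1, ..., p_k) by a simple sieve."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, math.isqrt(bound) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_p in enumerate(sieve) if is_p]


def prime_factors(n):
    """Distinct prime factors of n by trial division (n is small in this demo)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_primitive_root(g, p):
    """g generates F_p^* iff g^((p-1)/ell) != 1 for every prime ell dividing p - 1."""
    return all(pow(g, (p - 1) // ell, p) != 1 for ell in prime_factors(p - 1))


def smooth_exponents(m, primes):
    """Exponent vector of m over `primes`, or None if m has a larger prime factor."""
    exps = [0] * len(primes)
    for i, q in enumerate(primes):
        while m % q == 0:
            m //= q
            exps[i] += 1
    return exps if m == 1 else None


def smooth_relation(p, g, primes, rng, t=1):
    """Random r with g^r * t == sign * prod p_i^e_i (mod p), taking the residue closest
    to 0 so that a factor -1 is allowed. Returns (r, sign, exps) or None if not smooth."""
    r = rng.randrange(1, p - 1)
    x = pow(g, r, p) * t % p
    sign, m = (1, x) if x <= p // 2 else (-1, p - x)
    exps = smooth_exponents(m, primes)
    return None if exps is None else (r, sign, exps)


def solve_mod_prime(relations, k, ell):
    """Gaussian elimination over GF(ell) on rows (exps, rhs). Returns the unique solution
    when the system has full column rank, else None (caller gathers more relations)."""
    rows = [[e % ell for e in exps] + [rhs % ell] for exps, rhs in relations]
    for col in range(k):
        piv = next((i for i in range(col, len(rows)) if rows[i][col]), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, ell)
        rows[col] = [v * inv % ell for v in rows[col]]
        for i, row in enumerate(rows):
            if i != col and row[col]:
                f = row[col]
                rows[i] = [(a - f * b) % ell for a, b in zip(row, rows[col])]
    return [rows[i][k] for i in range(k)]


def crt(residues, moduli):
    """Combine x == a_i (mod m_i) for pairwise coprime m_i."""
    x, m = 0, 1
    for a, mod in zip(residues, moduli):
        x += m * (((a - x) * pow(m, -1, mod)) % mod)
        m *= mod
    return x % m


def index_calculus_log(p, g, t, bound=20, seed=0):
    """Return l with g^l == t (mod p), 0 <= l < p - 1, by the two-stage index-calculus method."""
    n = p - 1
    ells = prime_factors(n)
    assert math.prod(ells) == n, "demo simplification: p - 1 must be squarefree"
    primes = small_primes(bound)
    k = len(primes)
    log_minus_one = n // 2          # log_g(-1) = (p-1)/2 is known without any solving
    rng = random.Random(seed)

    # Stage 1: gather relations until the system has full rank modulo every ell | p - 1.
    relations, logs, needed = [], None, k + 5
    while logs is None:
        while len(relations) < needed:
            rel = smooth_relation(p, g, primes, rng)
            if rel is not None:
                r, sign, exps = rel
                # g^r == sign * prod p_i^e_i, so sum e_i log p_i == r - log(sign) (mod p-1)
                relations.append((exps, (r - log_minus_one) % n if sign < 0 else r))
        sols = [solve_mod_prime(relations, k, ell) for ell in ells]
        if all(s is not None for s in sols):
            logs = [crt([s[i] for s in sols], ells) for i in range(k)]
        else:
            needed += 5
    assert all(pow(g, lg, p) == q for lg, q in zip(logs, primes))  # sanity check of stage 1

    # Stage 2: one relation g^R t == sign * prod p_i^tau_i gives log t directly.
    rel = None
    while rel is None:
        rel = smooth_relation(p, g, primes, rng, t)
    R, sign, taus = rel
    l = -R + sum(tau * lg for tau, lg in zip(taus, logs))
    if sign < 0:
        l += log_minus_one
    return l % n


if __name__ == "__main__":
    p, g, t = 1019, 2, 777
    assert is_primitive_root(g, p)
    l = index_calculus_log(p, g, t)
    print(f"log_{g}({t}) mod {p - 1} = {l}; check: {g}^{l} mod {p} = {pow(g, l, p)}")
```

The relation rows are kept as exponent vectors over the factor base, and the same `smooth_relation` routine serves both stages (with `t = 1` for stage 1). Working modulo each prime $\ell \mid p-1$ separately avoids the non-invertible pivots that Gaussian elimination over the composite ring $\mathbb{Z}/(p-1)$ would run into; for the safe prime used here that is just $\ell = 2$ and $\ell = 509$.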
