Monday, 02 April 2018


In computational number theory, the index calculus algorithm is a probabilistic algorithm for computing discrete logarithms. Dedicated to the discrete logarithm in $(\mathbb{Z}/q\mathbb{Z})^*$ where $q$ is a prime, index calculus leads to a family of algorithms adapted to finite fields and to some families of elliptic curves. The algorithm collects relations among the discrete logarithms of small primes, computes them by a linear algebra procedure and finally expresses the desired discrete logarithm with respect to the discrete logarithms of small primes.

Description

Roughly speaking, the discrete log problem asks us to find an $x$ such that $g^x \equiv h \pmod{n}$, where $g$, $h$, and the modulus $n$ are given.

The algorithm (described in detail below) applies to the group $(\mathbb{Z}/q\mathbb{Z})^*$ where $q$ is prime. It requires a factor base as input. This factor base is usually chosen to be the number -1 and the first $r$ primes starting with 2. From the point of view of efficiency, we want this factor base to be small, but in order to solve the discrete log for a large group we require the factor base to be (relatively) large. In practical implementations of the algorithm, a compromise between these conflicting objectives is struck one way or another.

The algorithm is performed in three stages. The first two stages depend only on the generator g and prime modulus q, and find the discrete logarithms of a factor base of r small primes. The third stage finds the discrete log of the desired number h in terms of the discrete logs of the factor base.

The first stage consists of searching for a set of $r$ linearly independent relations between the factor base and powers of the generator $g$. Each relation contributes one equation to a system of linear equations in $r$ unknowns, namely the discrete logarithms of the $r$ primes in the factor base. This stage is embarrassingly parallel and easy to divide among many computers.

The second stage solves the system of linear equations to compute the discrete logs of the factor base. Although a minor computation compared to the other stages, a system of hundreds of thousands or millions of equations is a significant computation requiring large amounts of memory, and it is not embarrassingly parallel, so a supercomputer is typically used.

The third stage searches for a power $s$ of the generator $g$ which, when multiplied by the argument $h$, may be factored in terms of the factor base: $g^s h = (-1)^{f_0} 2^{f_1} 3^{f_2} \cdots p_r^{f_r}$.

Finally, in an operation too simple to really be called a fourth stage, the results of the second and third stages can be rearranged by simple algebraic manipulation to work out the desired discrete logarithm $x = f_0 \log_g(-1) + f_1 \log_g 2 + f_2 \log_g 3 + \cdots + f_r \log_g p_r - s$.

The first and third stages are both embarrassingly parallel, and in fact the third stage does not depend on the results of the first two stages, so it may be done in parallel with them.

The choice of the factor base size r is critical, and the details are too intricate to explain here. The larger the factor base, the easier it is to find relations in stage 1, and the easier it is to complete stage 3, but the more relations you need before you can proceed to stage 2, and the more difficult stage 2 is. The relative availability of computers suitable for the different types of computation required for stages 1 and 2 is also important.

Applications in other groups

It is noteworthy that the lack of a notion of prime elements in the group of points on elliptic curves makes it impossible to find an efficient factor base to run the index calculus method as presented here in these groups. Therefore this algorithm is incapable of solving discrete logarithms efficiently in elliptic curve groups. However, for special kinds of curves (so-called supersingular elliptic curves) there are specialized algorithms for solving the problem faster than with generic methods. While the use of these special curves can easily be avoided, in 2009 it was proven that for certain fields the discrete logarithm problem in the group of points on general elliptic curves over these fields can be solved faster than with generic methods. The algorithms are indeed adaptations of the index calculus method.

The algorithm

Input: Discrete logarithm generator $g$, modulus $q$ and argument $h$. Factor base $\{-1, 2, 3, 5, 7, 11, \ldots, p_r\}$, of length $r+1$.
Output: $x$ such that $g^x \equiv h \pmod{q}$.

  • relations <- empty_list
  • for k = 1, 2, ...
    • Using an integer factorization algorithm optimized for smooth numbers, try to factor $g^k \bmod q$ (Euclidean residue) using the factor base, i.e. find $e_i$'s such that $g^k \bmod q = (-1)^{e_0} 2^{e_1} 3^{e_2} \cdots p_r^{e_r}$
    • Each time a factorization is found:
      • Store $k$ and the computed $e_i$'s as a vector $(e_0, e_1, e_2, \ldots, e_r, k)$ (this is called a relation)
      • If this relation is linearly independent of the other relations:
        • Add it to the list of relations
        • If there are at least $r+1$ relations, exit loop
  • Form a matrix whose rows are the relations
  • Obtain the reduced echelon form of the matrix
    • The first element in the last column is the discrete log of -1, the second element is the discrete log of 2, and so on
  • for s = 1, 2, ...
    • Try to factor $g^s h \bmod q = (-1)^{f_0} 2^{f_1} 3^{f_2} \cdots p_r^{f_r}$ over the factor base
    • When a factorization is found:
      • Output $x = f_0 \log_g(-1) + f_1 \log_g 2 + \cdots + f_r \log_g p_r - s$.
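A toy implementation of the three stages above, added here as an example (it is not code from the article). It works in $(\mathbb{Z}/q\mathbb{Z})^*$ for small $q$ only, drops $-1$ from the factor base, and assumes $q-1$ is squarefree so that stage 2 can be solved over $\mathrm{GF}(\ell)$ for each prime $\ell \mid q-1$ and recombined with the CRT; note that the linear system of stage 2 lives modulo the group order $q-1$, not modulo $q$. The constructed test case uses $q = 31$, $g = 3$, factor base $\{2,3,5,7\}$ (Python 3.8+ for `pow(a, -1, l)`).

```python
def factor_over_base(n, base):
    """Exponent vector of n over base, or None if n is not base-smooth."""
    exps = []
    for p in base:
        exps.append(0)
        while n % p == 0:
            n, exps[-1] = n // p, exps[-1] + 1
    return exps if n == 1 else None

def solve_mod_prime(rows, l):
    """Gauss-Jordan over GF(l) on rows [e_1..e_r | k]; None unless rank mod l is r."""
    A = [[v % l for v in row] for row in rows]
    r = len(A[0]) - 1
    for col in range(r):
        piv = next((i for i in range(col, len(A)) if A[i][col]), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, l)
        A[col] = [v * inv % l for v in A[col]]
        for i in range(len(A)):
            if i != col and A[i][col]:
                A[i] = [(a - A[i][col] * b) % l for a, b in zip(A[i], A[col])]
    return [A[i][r] for i in range(r)]

def index_calculus(g, h, q, base):
    """Return x with g^x = h (mod q). Toy version (added example, not the
    article's code): factor base = small primes without -1, and q-1 assumed
    squarefree so stage 2 is solved over GF(l) for each prime l | q-1."""
    m, r, relations = q - 1, len(base), []
    # prime factors of the group order q-1 (toy trial division)
    ls = [p for p in range(2, m + 1) if m % p == 0 and all(p % d for d in range(2, p))]
    # Stage 1: g^k = prod p_i^e_i (mod q) yields sum e_i*log(p_i) = k (mod q-1).
    # Stage 2 is retried after each new relation (doubling as the independence test).
    for k in range(1, m):
        e = factor_over_base(pow(g, k, q), base)
        if e is None:
            continue
        relations.append(e + [k])
        parts = [solve_mod_prime(relations, l) for l in ls]
        if all(p is not None for p in parts):
            # CRT: combine log(p_i) mod each l into log(p_i) mod q-1
            logs = [sum(p[i] * (m // l) * pow(m // l, -1, l)
                        for p, l in zip(parts, ls)) % m for i in range(r)]
            # Stage 3: find s with g^s*h smooth, then x = sum f_i*log(p_i) - s
            for s in range(1, m):
                f = factor_over_base(pow(g, s, q) * h % q, base)
                if f is not None:
                    return (sum(fi * li for fi, li in zip(f, logs)) - s) % m
```

For $q = 31$ the solver needs relations up to $k = 16$ before the prime 7 appears in any smooth residue, which is the "more relations before stage 2" trade-off the text describes.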

Complexity

Assuming an optimal selection of the factor base, the expected running time (using L-notation) of the index-calculus algorithm can be stated as $L_n[1/2, \sqrt{2} + o(1)]$.

History

The first to discover the idea was Kraitchik in 1922. After the discrete logarithm problem (DLP) became important in 1976 with the creation of the Diffie-Hellman cryptosystem, R. Merkle from Stanford University rediscovered the idea in 1977. The first publications came in the next two years from Merkle's colleagues. Finally, Adleman optimized the algorithm and presented it in the form we know today.

The Index Calculus family

Index Calculus inspired a large family of algorithms. In finite fields $\mathbb{F}_q$ with $q = p^n$ for some prime $p$, the state-of-the-art algorithms are the Number Field Sieve for Discrete Logarithms, $L_q\left[1/3, \sqrt[3]{64/9}\right]$, when $p$ is large compared to $q$; the function field sieve, $L_q\left[1/3, \sqrt[3]{32/9}\right]$, and Joux, $L_q\left[1/4 + \epsilon, c\right]$ for $c > 0$, when $p$ is small compared to $q$; and the Number Field Sieve in High Degree, $L_q[1/3, c]$ for $c > 0$, when $p$ is medium-sized. Discrete logarithms in some families of elliptic curves can be solved in time $L_q\left[1/3, c\right]$ for $c > 0$, but the general case remains exponential.

External links

  • Discrete logarithms in finite fields and their cryptographic significance, by Andrew Odlyzko
  • Discrete Logarithm Problem, by Chris Studholme, including the June 21, 2002 paper "The Discrete Log Problem".
  • A. Menezes, P. van Oorschot, S. Vanstone (1997). Handbook of Applied Cryptography. CRC Press. pp. 107-109. ISBN 0-8493-8523-7.

Notes

Source of the article: Wikipedia