Discrete Log Problem and Pollard's Methods：離散對數(shù)問題的方法

DiscreteLogProblemandPollard’sMethodsAlexLoOverviewDiscretelogproblemPollard’smethodsforcomputingdiscretelogsPollard’sRhoMethodPollard’sKangarooMethodComparemethodsConclusionDiscreteLogProblem(DLP)Gisafinitecyclicgroup(usuallymodp)g,haremembersofGsuchthat<g>generatesG(G={g,g2,g3,g4…gn=1}nistheorderofgFindxsuchthath=gx

WhyStudytheDLP?Severalcryptographicandsignaturealgorithms/methodslike

Diffie-HellmankeyexchangeprotocolUSGovernment’sDigitalSignatureAlgorithm(DSA)andellipticcurveversion(ECDSA) relyonthefactthatitishard.DifficultyofDLPCanbeprovendifficult(asopposedtointegerfactorization)Dependsonthesizeofthelargestprimefactorofthegroup(theorder)O(n),n=largestprimesuchthatn||G|DLPvs.IntegerFactorizationDLPisusedforsignatureandpublickey(Diffie-Hellman,DSS/DSA,ElGamal)DLPcanbeprovedtobehardAsolutiontotheIFproblemdoesnothelpwithDLPIntegerfactorizationusedforprotectingpublickeycryptosystems(RSA)IntegerfactorizationisbelievedtobehardAsolutiontotheDLPproblemyieldsasolutiontoIFproblemInitialMethodsExhaustivesearchRuntime:O(|G|)Spacerequirement:O(1)Shank’sBabyStep-GiantStepMethod(1971)Runtime:O( )Spacerequirement:O( )Pollard’sRhoMethod(1975)TheRhomethodreliesonthebirthdayparadox.Elementsdrawnatrandomfrom<g>thentheexpectednumberofdrawsbeforeanelementisdrawntwice(acollision)isDefinearandomwalkon<g>consistingofelementsoftheformgehdforknowneandd,waitforacollisionwithe’andd’suchthatgehd=ge’hd’andcomputeloggh=(e–e’)/(d’–d)modorder(g).

Pollard’sRhoMethodgehd=ge’hd’Pollard’sRhoMethodRandomWalkPartitionGintothreesubsets:G1,G2,G3withapproximatelyequalcardinality.Takew1=g(soe=1,d=0)anddefinewi+1asafunctionofwi:Pollard’sRhoMethodRandomWalkComparewitow2ifori=1,2….Whenwi=w2i,thenwehavegehd=ge’hd’,wecangetalinearequationforloggh:loggh=(e–e’)/(d’–d)modorder(g).

How?How? geihdi

=ge2ihd2ige2i-ei=hdi-d2ilogg

ge2i-ei

=logg

hdi-d2ilogg

h=e2i-ei/di-d2imodnAnalysis:Pollard’sRhoMethodForsufficientlylargen:Asymptoticanalysis:Spacerequirements:O(1)ProbabilisticParallelizationoftheRhoMethodTrivialparallelization(1990)Runsameprocessindependentlyonmmachines.Payoff:factorofspeedupDistinguished-pointmethod(1994/1999)Runsclient/serverPayoff:factorofmspeedupPollard’sKangarooMethod(1978)SubsetofDLP,whereGisafinitecyclicgroupg,haremembersofGsuchthat<g>generatesG(G={g,g2,g3,g4…gn=1}Findxsuchthath=gx

Assumeweknowa<=x<bPollard’sKangarooMethodDefinetwokangaroos:Atamekangaroo,T,startingpointt0=gb

Awildkangaroo,W,startingpointw0=hLetd0(T)=b,theinitialdistanceofTfromoriginLetd0(W)=0,theinitialdistanceofWfromhPollard’sKangarooMethodLetS={gs1,gs2,gs3,gs4….gsr}(si

>0)bethesetofjumpsWethinkofsi

astravelingdistances,whichshouldbesmallcomparedtob-aLetv:G{1,…,r}beahashfunctionPollard’sKangarooMethodNowweletthetamekangarootravelthroughthegroup:Whilecomputingpath,keeptrackofdj(T):Sotj=gdj(T)

Pollard’sKangarooMethodAfteracertainnumberofjumps,thetamekangaroostopsandinstallsatrapatit’sfinalspot,tm,wehopethewildkangaroowillhitthatpoint(oranyotherti)Thewildkangarooisthensetloose,followingthepath:Keeptrackofdj(W):Pollard’sKangarooMethodIfW’strailhitsanyofti

thenitwillleadustoasolution.WhenW’strailwn=tm,thesearchisover.x=dm(T)-dn(W)Otherwisethewildkangarooishaltedandanewwildkangaroowithstartingpointh*gz

issetoffPollard’sKangarooMethodGraphicAnalysis:Pollard’sKangarooMethodWisthesizeoftheinterval(b-a)Time:O(sqrt(W))Space:O(logW)ProbabilisticParallelizationoftheKangarooMethodTrivialparallelization(1990)Runsameprocessindependentlyonmmachines.Payoff:factorofspeedupDistinguished-pointmethod(1994/1999)Runsclient/serverPayoff:factorofmspeedupRhovs.KangarooRhoSimulatesarandomwalkonG(<g>)KangarooJumps wheresiaresmalldistancesinsqrt(b-a)Rhovs.KangarooIfa=0andb=|G|--so(b-a)=|G|,thekangaroomethodtakes1.6timeslongerthantherhomethod.Kangaroobeco