Pollard's rho algorithm for logarithms: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 15:49, 1 January 2006 edit GBL (talk \| contribs) 187 edits mNo edit summary ← Previous edit		Latest revision as of 18:02, 2 August 2024 edit undo 88.196.181.233 (talk) fix link in references
(138 intermediate revisions by 99 users not shown)
Line 1: {{Short description\|Mathematical algorithm}} '''Pollard's rho algorithm for logarithms''' is an algorithm ~~for~~introduced ~~solving~~by [[John Pollard (mathematician)\|John Pollard]] in 1978 to solve the [[discrete logarithm]] problem, analogous to [[Pollard's rho algorithm]] ~~for~~to ~~solving~~solve the [[~~Integer~~integer factorization]] problem. The ~~algorithm~~goal ~~computes~~is to compute <math>\gamma</math> such that <math>\alpha ^ \gamma = \beta</math>, where <math>\beta</math> belongs to ~~the~~a [[cyclic group]] <math>G</math> generated by <math>\alpha</math>. The algorithm computes ~~integers~~[[integer]]s <math>a</math>, <math>b</math>, <math>A</math>, and <math>B</math> such that <math>\alpha^a \beta^b = \alpha^A \beta^B</math>. ~~Assuming, for simplicity, that~~If the underlying [[group (mathematics)\|group]] is cyclic of [[order of a group\|order]] <math>n</math>, by substituting <math> \beta </math> as <math> {\alpha}^{\gamma} </math> and noting that two powers are equal [[if and only if]] the exponents are equivalent modulo the order of the base, in this case modulo <math>n</math>, we ~~can~~get ~~calculate~~that <math>\gamma</math> =is one of the solutions of the equation <math>(B-b) \~~frac{~~gamma = (a-A~~}{B-b}~~) \pmod{ n}</math>. Solutions to this equation are easily obtained using the [[extended Euclidean algorithm]]. To find the needed <math>a</math>, <math>b</math>, <math>A</math>, and <math>B</math> the algorithm uses [[Floyd's cycle-finding algorithm]] to find a cycle in the sequence <math>x_i = \alpha^{a_i} \beta^{b_i}</math>, where the [[function (mathematics)\|function]] <math>f: x_i \mapsto x_{i+1}</math> is assumed to be random-looking and thus is likely to enter into a loop ~~after~~of ~~approximately~~approximate length <math>\sqrt{\frac{\pi n}{28}}</math> after <math>\sqrt{\frac{\pi n}{8}}</math> steps. One way to define such a function is to use the following rules: ~~Divide~~[[Partition of a set\|Partition]] <math>G</math> into three ~~subsets (not necessarily~~ [[~~subgroup~~disjoint subset]]s~~) of approximately equal size:~~ <math>~~G_0~~S_0</math>, <math>~~G_1~~S_1</math>, and <math>~~G_2~~S_2</math> of approximately equal size using a [[hash function]]. If <math>x_i</math> is in <math>~~G_0~~S_0</math> then double both <math>a</math> and <math>b</math>; if <math>x_i \in ~~G_1~~S_1</math> then increment <math>a</math>, if <math>x_i \in ~~G_2~~S_2</math> then increment <math>b</math>. ==Algorithm== Let <math>G</math> be a [[cyclic group]] of order <math>n</math>, and given <math>\alpha, \beta\in G</math>, and a partition <math>G = S_0\cup S_1\cup S_2</math>, let <math>f:G\to G</math> be the map :<math> f(x) = \begin{cases} \beta x & x\in S_0\\ x^2 & x\in S_1\\ \alpha x & x\in S_2 \end{cases} </math> and define maps <math>g:G\times\mathbb{Z}\to\mathbb{Z}</math> and <math>h:G\times\mathbb{Z}\to\mathbb{Z}</math> by :<math>\begin{align} g(x,k) &= \begin{cases} k & x\in S_0\\ 2k \pmod {n} & x\in S_1\\ k+1 \pmod {n} & x\in S_2 \end{cases} \\ h(x,k) &= \begin{cases} k+1 \pmod {n} & x\in S_0\\ 2k \pmod {n} & x\in S_1\\ k & x\in S_2 \end{cases} \end{align}</math> '''input:''' ''a'': a generator of ''G'' ''b'': an element of ''G'' '''output:''' An integer ''x'' such that ''a<sup>x</sup>'' = ''b'', or failure Initialise ''i'' ← 0, ''a''<sub>0</sub> ← 0, ''b''<sub>0</sub> ← 0, ''x''<sub>0</sub> ← 1 ∈ ''G'' '''loop''' ''i'' ← ''i'' + 1 ''x<sub>i</sub>'' ← ''f''(''x''<sub>''i''−1</sub>), ''a<sub>i</sub>'' ← ''g''(''x''<sub>''i''−1</sub>, ''a''<sub>''i''−1</sub>), ''b<sub>i</sub>'' ← ''h''(''x''<sub>''i''−1</sub>, ''b''<sub>''i''−1</sub>) ''x''<sub>2''i''−1</sub> ← ''f''(''x''<sub>2''i''−2</sub>), ''a''<sub>2''i''−1</sub> ← ''g''(''x''<sub>2''i''−2</sub>, ''a''<sub>2''i''−2</sub>), ''b''<sub>2''i''−1</sub> ← ''h''(''x''<sub>2''i''−2</sub>, ''b''<sub>2''i''−2</sub>) ''x''<sub>2''i''</sub> ← ''f''(''x''<sub>2''i''−1</sub>), ''a''<sub>2''i''</sub> ← ''g''(''x''<sub>2''i''−1</sub>, ''a''<sub>2''i''−1</sub>), ''b''<sub>2''i''</sub> ← ''h''(''x''<sub>2''i''−1</sub>, ''b''<sub>2''i''−1</sub>) '''while''' ''x<sub>i</sub>'' ≠ ''x''<sub>2''i''</sub> ''r'' ← ''b<sub>i</sub>'' − ''b''<sub>2''i''</sub> '''if''' r = 0 '''return failure''' '''return''' ''r''<sup><span class="nowrap" style="padding-left:0.1em">−1</span></sup>(''a''<sub>2''i''</sub> − ''a<sub>i</sub>'') mod ''n'' ==Example== Consider, for example, the group generated by 2 modulo <math>N=1019</math> (the order of the group is <math>n=~~509~~1018</math>, 2 generates the group of units modulo 1019). The algorithm is implemented by the following [[~~C plus plus\|~~C++]] program:▼ <syntaxhighlight lang="cpp"> ▲Consider, for example, the group generated by 2 modulo <math>N=1019</math> (the order of the group is <math>n=509</math>). The algorithm is implemented by the following [[C plus plus\|C++]] program: #include <stdio.h>▼ const int n = 1018, N = n + 1; /* N = 1019 -- prime / ▲ #include <stdio.h> const int nalpha = ~~509,~~2; N = ~~2n~~ + 1; //* Ngenerator = ~~1019~~ -- ~~prime~~ / const int ~~alpha~~beta = 25; // ~~generator~~2^{10} = 1024 = 5 (N) / ~~const int beta = 5; // 2^{10} = 1024 = 5 (N)~~ void new_xab(int& x, int& a, int& b) { switch (x % 3) { case 0: x = x x % N; % N; a = a2 % n; b = b2 % n; break; case 1: x = x * alpha % N; a = (a+1) % n; break; case 2: x = x * beta % N; b = (b+1) % n; break; } } ~~int main(){~~ int ~~x=1, a=0,~~main(void) ~~b=0;~~{ int X=x, A=a 1, Ba = 0, b = 0; ~~for(~~int iX = 1;x, iA <= n;a, ~~++i){~~B = b; for (int i = 1; i < n; ++i) { ~~new_xab(x, a, b);~~ new_xab(Xx, Aa, Bb); new_xab(X, A, B); new_xab(X, A, B); printf("%3d %4d %3d %3d %4d %3d %3d\n", i, x, a, b, X, A, B); if (x == X) break; } return 0; } </syntaxhighlight> The results are as follows (edited): Line 45 ⟶ 104: 8 425 8 6 194 17 19 .............................. 48 224 ~~171~~680 376 86 299 412 49 101 ~~171~~680 377 860 300 413 50 505 ~~171~~680 378 101 300 415 51 1010 ~~172~~681 378 1010 301 416 That is <math>2^{~~172~~681} 5^{378} = 1010 = 2^{301} 5^{416} \pmod{1019}</math> and so <math>(416-378)\gamma = ~~\frac{172~~681-301 \pmod{1018}</math>, for which <math>\gamma_1=10</math> is a solution as expected. As <math>n=1018</math> is not [[prime number\|prime]], there is another solution <math>\gamma_2=519</math>, for which <math>2^{~~416-378~~519} = 101014 = -5\pmod{~~509~~1019}</math>, ~~as expected~~holds. ==Complexity== The running time is approximately <math>\mathcal{O}(\sqrt{n})</math>. If used together with the [[Pohlig–Hellman algorithm]], the running time of the combined algorithm is <math>\mathcal{O}(\sqrt{p})</math>, where <math>p</math> is the largest prime [[divisor\|factor]] of <math>n</math>. ==References== {{Reflist}} {{cite journal \|first=J. M. \|last=Pollard, ''\|title=Monte Carlo methods for index computation (mod ''p'',) \|journal=[[Mathematics of Computation~~, Volume~~]] \|volume=32, \|year=1978 \|issue=143 \|pages=918–924 \|doi= 10.2307/2006496 \|jstor=2006496 }} {{cite book \|first1=Alfred J. \|last1=Menezes, \|first2=Paul C. \|last2=van Oorschot~~, and~~ \|first3=Scott A. \|last3=Vanstone, ~~[http~~\|chapter-url=https://~~www.~~cacr~~.math~~.uwaterloo.ca/hac/about/chap3.pdf \|title=Handbook of Applied Cryptography, \|chapter=Chapter 3], \|year=2001. }} {{Number-theoretic algorithms}} [[Category:Logarithms]] [[Category:Number theoretic algorithms]]