Pollard's rho algorithm for logarithms: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 11:50, 23 October 2021 edit HashEditor (talk \| contribs) 4 edits No edit summary Tags: Mobile edit Mobile web edit ← Previous edit		Latest revision as of 18:02, 2 August 2024 edit undo 88.196.181.233 (talk) fix link in references
(18 intermediate revisions by 12 users not shown)
Line 1: {{Short description\|Mathematical algorithm}} '''Pollard's rho algorithm for logarithms''' is an algorithm introduced by [[John Pollard (mathematician)\|John Pollard]] in 1978 to solve the [[discrete logarithm]] problem, analogous to [[Pollard's rho algorithm]] to solve the [[integer factorization]] problem. The goal is to compute <math>\gamma</math> such that <math>\alpha ^ \gamma = \beta</math>, where <math>\beta</math> belongs to a [[cyclic group]] <math>G</math> generated by <math>\alpha</math>. The algorithm computes ~~integers~~[[integer]]s <math>a</math>, <math>b</math>, <math>A</math>, and <math>B</math> such that <math>\alpha^a \beta^b = \alpha^A \beta^B</math>. If the underlying [[group (mathematics)\|group]] is cyclic of [[order of a group\|order]] <math>n</math>, by substituting b<math> \beta </math> as <math> a{\alpha}^{\gamma} </math> and ~~applying~~noting that two powers are equal [[if and only if]] the ~~index~~exponents ~~function~~are onequivalent ~~both~~modulo ~~sides~~the order of the ~~equation~~base, in this case modulo <math>n</math>, we get that <math>\gamma</math> is one of the solutions of the equation <math>(B-b) \gamma = (a-A) \pmod n</math>. Solutions to this equation are easily obtained using the [[~~Extended~~extended Euclidean algorithm]]. To find the needed <math>a</math>, <math>b</math>, <math>A</math>, and <math>B</math> the algorithm uses [[Floyd's cycle-finding algorithm]] to find a cycle in the sequence <math>x_i = \alpha^{a_i} \beta^{b_i}</math>, where the [[function (mathematics)\|function]] <math>f: x_i \mapsto x_{i+1}</math> is assumed to be random-looking and thus is likely to enter into a loop ~~after~~of ~~approximately~~approximate length <math>\sqrt{\frac{\pi n}{28}}</math> after <math>\sqrt{\frac{\pi n}{8}}</math> steps. One way to define such a function is to use the following rules: ~~Divide~~[[Partition of a set\|Partition]] <math>G</math> into three [[disjoint ~~subsets of approximately equal size:~~subset]]s <math>S_0</math>, <math>S_1</math>, and <math>S_2</math> of approximately equal size using a [[hash function]]. If <math>x_i</math> is in <math>S_0</math> then double both <math>a</math> and <math>b</math>; if <math>x_i \in S_1</math> then increment <math>a</math>, if <math>x_i \in S_2</math> then increment <math>b</math>. ==Algorithm== Let <math>G</math> be a [[cyclic group]] of order <math>pn</math>, and given <math>\alpha, \beta\in G</math>, and a partition <math>G = S_0\cup S_1\cup S_2</math>, let <math>f:G\to G</math> be the map ~~and define maps <math>g~~ :~~G\times\mathbb{Z}\to\mathbb{Z}~~</math> ~~and <math>h:G\times\mathbb{Z}\to\mathbb{Z}</math> by~~ f(x) = \begin{cases} \beta x & x\in S_0\\ x^2 & x\in S_1\\ \alpha x & x\in S_2 \end{cases} </math> and define maps <math>g:G\times\mathbb{Z}\to\mathbb{Z}</math> and <math>h:G\times\mathbb{Z}\to\mathbb{Z}</math> by :<math>\begin{align} g(x,nk) &= \begin{cases} nk & x\in S_0\\ 2n2k \pmod p{n} & x\in S_1\\ nk+1 \pmod p{n} & x\in S_2 \end{cases} \\ h(x,nk) &= \begin{cases} nk+1 \pmod p{n} & x\in S_0\\ 2n2k \pmod p{n} & x\in S_1\\ nk & x\in S_2 \end{cases} \end{align}</math> Line 27 ⟶ 38: '''output:''' An integer ''x'' such that ''a<sup>x</sup>'' = ''b'', or failure Initialise ''i'' ← 0, ''a''<sub>0</sub> ← 0, ''b''<sub>0</sub> ← 0, ''x''<sub>0</sub> ← 1 ∈ ''G'' ~~''i'' ← 1~~ '''loop''' ''i'' ← ''i'' + 1 ''x<sub>i</sub>'' ← ''f''(''x''<sub>''i''-1−1</sub>), ''a<sub>i</sub>'' ← ''g''(''x''<sub>''i''-1−1</sub>, ''a''<sub>''i''-1−1</sub>), ''b<sub>i</sub>'' ← ''h''(''x''<sub>''i''-1−1</sub>, ''b''<sub>''i''-1−1</sub>) ''x''<sub>2''i''−1</sub> ← ~~''f''(~~''f''(''x''<sub>2''i''-2−2</sub>)), ''a''<sub>2''i''−1</sub> ← ''g~~''(''f~~''(''x''<sub>2''i''~~-2</sub>), ''g''(''x''<sub>2''i''-2~~−2</sub>, ''a''<sub>2''i''-2−2</sub>)), ''b''<sub>2''i''−1</sub> ← ''h~~''(''f~~''(''x''<sub>2''i''~~-2</sub>), ''h''(''x''<sub>2''i''-2~~−2</sub>, ''b''<sub>2''i''-2−2</sub>)) ''rx'' ~~← ''b~~<sub>2''i''</sub> ← '' - f''(''bx''<sub>2''i''−1</sub>),▼ ''xa''<sub>2''i''</sub> ← ''rg''~~<sup>−1</sup>~~(''ax''<sub>2''i''−1</sub> -, ''a''<sub>2''i''−1</sub>'') ~~mod ''p''~~,▼ ''b'~~else~~'<sub>2'' <i~~>//~~ ''~~x<sub>i~~</sub>'' &nelarr; ''h''(''x''<sub>2''i''−1</sub>, ''b''</sub>2''i''−1</sub>)▼ '''while''' ''x<sub>i</sub>'' ≠ ''x''<sub>2''i''</sub> '' 'if'r'' ← ''xb<sub>i</sub>'' =− ''xb''<sub>2''i''</sub> ~~'''then'''~~ '''if''' r = 0 '''return failure'''▼ ▲ ''r'' ← ''b<sub>i</sub>'' - ''b''<sub>2''i''</sub> '''return''' ''r''<sup><span class="nowrap" style="padding-left:0.1em">−1</span></sup>(''a''<sub>2''i''</sub> − ''a<sub>i</sub>'') mod ''n'' ▲ '''if''' r = 0 '''return failure''' ▲ ''x'' ← ''r''<sup>−1</sup>(''a''<sub>2''i''</sub> - ''a<sub>i</sub>'') mod ''p'' ~~'''return''' ''x''~~ ▲ '''else''' <i>// ''x<sub>i</sub>'' ≠ ''x''<sub>2''i''</sub></i> ~~''i'' ← ''i'' + 1~~ ~~'''end if'''~~ ~~'''end loop'''~~ ==Example== Line 99 ⟶ 109: 51 1010 681 378 1010 301 416 That is <math>2^{681} 5^{378} = 1010 = 2^{301} 5^{416} \pmod{1019}</math> and so <math>(416-378)\gamma = 681-301 \pmod{1018}</math>, for which <math>\gamma_1=10</math> is a solution as expected. As <math>n=1018</math> is not [[prime number\|prime]], there is another solution <math>\gamma_2=519</math>, for which <math>2^{519} = 1014 = -5\pmod{1019}</math> holds. ==Complexity== The running time is approximately <math>\mathcal{O}(\sqrt{n})</math>. If used together with the [[Pohlig–Hellman algorithm]], the running time of the combined algorithm is <math>\mathcal{O}(\sqrt{p})</math>, where <math>p</math> is the largest prime [[divisor\|factor]] of <math>n</math>. ==References== {{Reflist}} {{cite journal \|first=J. M. \|last=Pollard \|title=Monte Carlo methods for index computation (mod ''p'') \|journal=[[Mathematics of Computation]] \|volume=32 \|year=1978 \|issue=143 \|pages=918–924 \|doi= 10.2307/2006496 \|jstor=2006496 }} {{cite book \|~~first~~first1=Alfred J. \|~~last~~last1=Menezes \|first2=Paul C. \|last2=van Oorschot \|first3=Scott A. \|last3=Vanstone \|chapter-url=~~http~~https://~~www.~~cacr~~.math~~.uwaterloo.ca/hac/about/chap3.pdf \|title=Handbook of Applied Cryptography \|chapter=Chapter 3 \|year=2001 }} {{Number-theoretic algorithms}}