Pollard's rho algorithm for logarithms: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 18:59, 20 June 2022 edit 2a01:41e3:143a:1700:31fc:8253:2273:aa42 (talk) No edit summary ← Previous edit		Latest revision as of 18:02, 2 August 2024 edit undo 88.196.181.233 (talk) fix link in references
(6 intermediate revisions by 4 users not shown)
Line 2: '''Pollard's rho algorithm for logarithms''' is an algorithm introduced by [[John Pollard (mathematician)\|John Pollard]] in 1978 to solve the [[discrete logarithm]] problem, analogous to [[Pollard's rho algorithm]] to solve the [[integer factorization]] problem. The goal is to compute <math>\gamma</math> such that <math>\alpha ^ \gamma = \beta</math>, where <math>\beta</math> belongs to a [[cyclic group]] <math>G</math> generated by <math>\alpha</math>. The algorithm computes [[integer]]s <math>a</math>, <math>b</math>, <math>A</math>, and <math>B</math> such that <math>\alpha^a \beta^b = \alpha^A \beta^B</math>. If the underlying [[group (mathematics)\|group]] is cyclic of [[order of a group\|order]] <math>n</math>, by substituting <math> \beta </math> as <math> a{\alpha}^{\gamma} </math> and noting that two powers are equal [[if and only if]] the exponents are equivalent modulo the order of the base, in this case modulo <math>n</math>, we get that <math>\gamma</math> is one of the solutions of the equation <math>(B-b) \gamma = (a-A) \pmod n</math>. Solutions to this equation are easily obtained using the [[extended Euclidean algorithm]]. To find the needed <math>a</math>, <math>b</math>, <math>A</math>, and <math>B</math> the algorithm uses [[Floyd's cycle-finding algorithm]] to find a cycle in the sequence <math>x_i = \alpha^{a_i} \beta^{b_i}</math>, where the [[function (mathematics)\|function]] <math>f: x_i \mapsto x_{i+1}</math> is assumed to be random-looking and thus is likely to enter into a loop of approximate length <math>\sqrt{\frac{\pi n}{8}}</math> after <math>\sqrt{\frac{\pi n}{8}}</math> steps. One way to define such a function is to use the following rules: ~~Divide~~[[Partition of a set\|Partition]] <math>G</math> into three [[disjoint ~~subsets~~subset]] ~~of approximately equal size:~~s <math>S_0</math>, <math>S_1</math>, and <math>S_2</math> of approximately equal size using a [[hash function]]. If <math>x_i</math> is in <math>S_0</math> then double both <math>a</math> and <math>b</math>; if <math>x_i \in S_1</math> then increment <math>a</math>, if <math>x_i \in S_2</math> then increment <math>b</math>. ==Algorithm== Let <math>G</math> be a [[cyclic group]] of order <math>pn</math>, and given <math>\alpha, \beta\in G</math>, and a partition <math>G = S_0\cup S_1\cup S_2</math>, let <math>f:G\to G</math> be the map :<math> Line 21: :<math>\begin{align} g(x,nk) &= \begin{cases} nk & x\in S_0\\ 2n2k \pmod {~~p-1~~n} & x\in S_1\\ nk+1 \pmod {~~p-1~~n} & x\in S_2 \end{cases} \\ h(x,nk) &= \begin{cases} nk+1 \pmod {~~p-1~~n} & x\in S_0\\ 2n2k \pmod {~~p-1~~n} & x\in S_1\\ nk & x\in S_2 \end{cases} \end{align}</math> Line 38: '''output:''' An integer ''x'' such that ''a<sup>x</sup>'' = ''b'', or failure Initialise ''i'' ← 0, ''a''<sub>0</sub> ← 0, ''b''<sub>0</sub> ← 0, ''x''<sub>0</sub> ← 1 ∈ ''G'' ~~''i'' ← 1~~ '''loop''' ''~~x<sub>~~i~~</sub>~~'' ← ~~''f''(''x''<sub>~~''i''- + 1~~</sub>),~~ ''a<sub>i</sub>'' ← ''g''(''x''<sub>''i''-1</sub>, ''a''<sub>''i''-1</sub>), ▼ ''b<sub>i</sub>'' ← ''h''(''x''<sub>''i''-1</sub>, ''b''<sub>''i''-1</sub>)▼ ''x''<sub>~~2''~~i''</sub>'' ← ~~''f''(~~''f''(''x''<sub>2''i''-2−1</sub>)), ''a''<sub>~~2''~~i''</sub>'' ← ''g~~''(''f~~''(''x''<sub>2''i''~~-2</sub>), ''g''(''x''<sub>2''i''-2~~−1</sub>, ''a''<sub>2''i''-2−1</sub>)), ''b''<sub>~~2''~~i''</sub>'' ← ~~''h''(''f''(''x''<sub>2''i''-2</sub>),~~ ''h''(''x''<sub>2''i''-2−1</sub>, ''b''<sub>2''i''-2−1</sub>)) ''x'if'<sub>2'' i''~~x<sub>i~~−1</sub>'' =← ''f''(''x''<sub>2''i''−2</sub> ~~'''then'''~~), ''ra''<sub>2''i''−1</sub> ← ''bg''(''x''<sub>2''i''−2</sub>~~'' -~~, ''ba''<sub>2''i''−2</sub>), ▲ ''b''<sub>2''i''−1</sub>'' ← ''h''(''x''<sub>2''i''-1−2</sub>, ''b''<sub>2''i''-1−2</sub>) '''if''' r = 0 '''return failure'''▼ ''x''<sub>2''i''</sub> ← ''rf''~~<sup>−1</sup>~~(''ax''<sub>2''i''−1</sub> ~~- ''a<sub>i</sub>''~~) ~~mod ''p-1''~~, ▲ ''a''<sub>2''i''</sub>'' ← ''g''(''x''<sub>2''i''-1−1</sub>, ''a''<sub>2''i''-1−1</sub>), ~~'''return''' ''x''~~ ''b'~~else~~'<sub>2'' <i~~>//~~ ''~~x<sub>i~~</sub>'' &nelarr; ''h''(''x''<sub>2''i''−1</sub>, ''b''</sub>2''i''−1</sub>) '''while''' ''x<sub>i</sub>'' &~~larr~~ne; ''x''<sub>2''i'' ~~+ 1~~</sub> ~~'''end if'''~~ ''r'' ← ''b<sub>i</sub>'' − ''b''<sub>2''i''</sub> ~~'''end loop'''~~ ▲ '''if''' r = 0 '''return failure''' '''return''' ''r''<sup><span class="nowrap" style="padding-left:0.1em">−1</span></sup>(''a''<sub>2''i''</sub> − ''a<sub>i</sub>'') mod ''n'' ==Example== Line 117 ⟶ 116: ==References== {{Reflist}} {{cite journal \|first=J. M. \|last=Pollard \|title=Monte Carlo methods for index computation (mod ''p'') \|journal=[[Mathematics of Computation]] \|volume=32 \|year=1978 \|issue=143 \|pages=918–924 \|doi= 10.2307/2006496 \|jstor=2006496 }} {{cite book \|~~first~~first1=Alfred J. \|~~last~~last1=Menezes \|first2=Paul C. \|last2=van Oorschot \|first3=Scott A. \|last3=Vanstone \|chapter-url=~~http~~https://~~www.~~cacr~~.math~~.uwaterloo.ca/hac/about/chap3.pdf \|title=Handbook of Applied Cryptography \|chapter=Chapter 3 \|year=2001 }} {{Number-theoretic algorithms}}