A. Jurišić: CACS, University of Ljubljana (slide 280)

2. ElGamal cryptosystem with public keys
(two keys, asymmetric system)

  Alice                                        Bob
    m ∈ M = G (secret)                           private b
    random k                                     public α^b
    public α^k
                   (α^k, m·α^{kb})  ---------->

If $(y_1, y_2) = e_K(m, k) = (\alpha^k,\, m\alpha^{kb})$, then we define
the decryption by $d_K(y_1, y_2) = y_2\,(y_1^{\,b})^{-1}$.
(slide 281)

The message m can be read only by Bob (who has b); however, it is not
clear whether it is coming from Alice (she did not use her private key).

In public-key cryptography we assume that the public part (e.g. $\alpha^k$, $\alpha^b$)
does not help in any way in searching for the secret/private part (e.g. k, b).

(We will study digital signatures in Ch. 6.)
(slide 282)

Massey-Omura Scheme

[Figure: message flow between Anita and Bojan; only the participant labels survived extraction.]
(slide 283)

Example: for G we choose the group GF(23)*.
Elements of the finite field GF(23) are 0, 1, ..., 22.
Let us define:
  a + b = r_1, where r_1 is the sum a + b mod 23 (e.g. 12 + 20 = 32 = 9),
  a·b = r_2, where r_2 is the product a·b mod 23 (e.g. 8 · 9 = 72 = 3).
(slide 284)

Multiplicative Group GF(23)*

Elements of GF(23)* are the elements of GF(23) \ {0}
and can be generated by a single element, e.g. 5:

  5^0  = 1     5^8  = 16    5^16 = 3
  5^1  = 5     5^9  = 11    5^17 = 15
  5^2  = 2     5^10 = 9     5^18 = 6
  5^3  = 10    5^11 = 22    5^19 = 7
  5^4  = 4     5^12 = 18    5^20 = 12
  5^5  = 20    5^13 = 21    5^21 = 14
  5^6  = 8     5^14 = 13    5^22 = 1
  5^7  = 17    5^15 = 19
(slide 285)

Diffie–Hellman Protocol in GF(23)*

  Alice                                          Bob
    secret 9                                       secret 19
    sends 5^9 = 11      ------------------------>
                        <------------------------  sends 5^19 = 7
    computes (5^19)^9 = 7^9 = 15                   computes (5^9)^19 = 11^19 = 15

Alice and Bob now share the common element 5^{9·19} = 15.
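The Diffie–Hellman exchange of slide 285 and the ElGamal scheme of slides 280–281, as an added example (my own code, not from the lecture notes). It uses the slides' parameters (p = 23, generator 5, secrets 9 and 19, so the ElGamal mask α^{kb} is exactly the shared element 15) and shows the point made on slide 281: Bob can decrypt, but nothing in the ciphertext ties it to Alice. The function names (dh_shared, elgamal_keygen, elgamal_encrypt, elgamal_decrypt, slide_walkthrough) are my own.

```python
"""Diffie-Hellman and ElGamal in the multiplicative group GF(p)*.

Added example (not from the lecture notes). Parameters are the ones on the
slides: p = 23, generator alpha = 5, Alice's secret 9, Bob's secret 19.
Function names are my own.
"""
import secrets

P, ALPHA = 23, 5          # GF(23)*, generated by 5 (from the slides)
N = P - 1                 # order of the group GF(p)*


def dh_shared(my_secret, their_public, p=P):
    """Diffie-Hellman: (alpha^their)^mine mod p; both sides obtain alpha^(a*b)."""
    return pow(their_public, my_secret, p)


def elgamal_keygen(p=P, alpha=ALPHA):
    """Bob's key pair: private b in {1, ..., p-2}, public alpha^b."""
    b = 1 + secrets.randbelow(p - 2)
    return b, pow(alpha, b, p)


def elgamal_encrypt(m, pub_b, k=None, p=P, alpha=ALPHA):
    """e_K(m, k) = (alpha^k, m * alpha^(kb)).  k must be fresh for every message;
    a caller-supplied k is accepted only so the slide's numbers can be reproduced."""
    if not 1 <= m < p:
        raise ValueError("message must be a nonzero element of GF(p)")
    if k is None:
        k = 1 + secrets.randbelow(p - 2)
    y1 = pow(alpha, k, p)                 # alpha^k
    y2 = m * pow(pub_b, k, p) % p         # m * (alpha^b)^k = m * alpha^(kb)
    return y1, y2


def elgamal_decrypt(y1, y2, b, p=P):
    """d_K(y1, y2) = y2 * (y1^b)^(-1) mod p  (pow(x, -1, p) is the modular inverse)."""
    return y2 * pow(pow(y1, b, p), -1, p) % p


def slide_walkthrough():
    """Reproduce the slides: Alice 9, Bob 19 -> shared element 15; then ElGamal
    with k = 9 and b = 19, so the mask alpha^(kb) is that same element."""
    a, b = 9, 19
    pub_a, pub_b = pow(ALPHA, a, P), pow(ALPHA, b, P)      # 11 and 7 on the slide
    shared = dh_shared(a, pub_b)
    assert shared == dh_shared(b, pub_a)                   # both sides agree
    m = 18
    y1, y2 = elgamal_encrypt(m, pub_b, k=a)
    recovered = elgamal_decrypt(y1, y2, b)
    # No sender authentication (slide 281): anyone holding Bob's public key can
    # produce a ciphertext that Bob decrypts without complaint.
    eve_y1, eve_y2 = elgamal_encrypt(3, pub_b)
    eve_accepted = elgamal_decrypt(eve_y1, eve_y2, b) == 3
    return {"pub_a": pub_a, "pub_b": pub_b, "shared": shared,
            "cipher": (y1, y2), "plain": recovered, "eve_accepted": eve_accepted}


if __name__ == "__main__":
    print(slide_walkthrough())
```

With k = 9 the ciphertext of m = 18 is (11, 17): y_1 = 5^9 = 11 and y_2 = 18 · 15 mod 23 = 17; Bob computes 11^19 = 15, inverts it (15 · 20 ≡ 1) and gets 17 · 20 mod 23 = 18 back.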
(slide 286)

Log Table  (logarithm x → element 5^x)

  log:   0   1   2   3   4   5   6   7
  elt:   1   5   2  10   4  20   8  17

  log:   8   9  10  11  12  13  14  15
  elt:  16  11   9  22  18  21  13  19

  log:  16  17  18  19  20  21
  elt:   3  15   6   7  12  14

A group G and a generator α are chosen so that the order of α is big
(so the log table is big as well).
(slide 287)

Antilog Table  (element → logarithm to base 5)

  elt  log     elt  log     elt  log
    1    0       9   10      17    7
    2    2      10    3      18   12
    3   16      11    9      19   15
    4    4      12   20      20    5
    5    1      13   14      21   13
    6   18      14   21      22   11
    7   19      15   17
    8    6      16    8
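An added example (my own code, not from the lecture notes) for slides 284–287: it checks that an element generates GF(p)* using only the prime factors of p − 1, instead of listing all p − 1 powers, and then builds the Log and Antilog tables shown on the slides. The names prime_factors, is_generator and log_tables are my own.

```python
"""Checking that alpha generates GF(p)* and building the log/antilog tables.

Added example (not from the lecture notes).  The slides use 5 as a generator
of GF(23)* and 3 as a generator of GF(89)*; the function names are mine.
"""


def prime_factors(n):
    """Distinct prime factors of n by trial division (n is small here)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_generator(alpha, p):
    """alpha generates GF(p)* iff alpha^((p-1)/q) != 1 for every prime q | p-1.
    Only one exponentiation per prime factor of p-1 is needed."""
    n = p - 1
    return alpha % p != 0 and all(pow(alpha, n // q, p) != 1 for q in prime_factors(n))


def log_tables(alpha, p):
    """Return (powers, logs): powers[i] = alpha^i mod p for 0 <= i < p-1
    (the slide's "Log Table") and logs[x] = i with alpha^i = x (its "Antilog Table").
    Raises if alpha is not a generator, since then some elements have no logarithm."""
    if not is_generator(alpha, p):
        raise ValueError(f"{alpha} does not generate GF({p})*")
    powers = [1]
    for _ in range(p - 2):
        powers.append(powers[-1] * alpha % p)
    logs = {x: i for i, x in enumerate(powers)}
    assert len(logs) == p - 1            # every nonzero element appears exactly once
    return powers, logs


if __name__ == "__main__":
    powers, logs = log_tables(5, 23)
    for i in range(22):
        print(f"5^{i:<2} = {powers[i]:<3}   log_5({powers[i]:<2}) = {logs[powers[i]]}")
```

For GF(23)* the element 2 fails the check because 2 = 5^2 has order 11 (2^11 ≡ 1), which is exactly why the slides pick 5 rather than 2 as the generator.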
(slide 288)

Algorithms for calculating the DLP

• Shanks' algorithm (giant step – baby step),
• the Pollard ρ-algorithm,
• the Pohlig–Hellman algorithm,
• the "Index Calculus" method.

Today we will consider only the first one and the last two.
(slide 289)

The Giant Step – Baby Step Method

GF(23)* with generator 5: assemble the table of the elements
5^0, 5^5, 5^10, 5^15, 5^20 and their logarithms:

  element:     1   20    9   19   12
  logarithm:   0    5   10   15   20

Calculate log(18): compute 5 · 18, 5^2 · 18, ...
until you obtain an element from the table:
  5 · 18 = 21,  5^2 · 18 = 13,  5^3 · 18 = 19.

From the table we obtain log(5^3 · 18) = log 19 = 15.
It follows that 3 + log 18 = 15, i.e., log 18 = 12.
(slide 290)

GF(89)* with generator 3: assemble the table of the elements
3^0, 3^10, 3^20, ..., 3^80 and their logarithms:

  elt:   1   42   73   40   78   72   87    5   32
  log:   0   10   20   30   40   50   60   70   80

Calculate log(36): compute 3 · 36, 3^2 · 36, ...
until you obtain an element from the table:
  3 · 36 = 19,    3^2 · 36 = 57,   3^3 · 36 = 82,
  3^4 · 36 = 68,  3^5 · 36 = 26,   3^6 · 36 = 78.

From the table we obtain log(3^6 · 36) = log 78 = 40.
Therefore 6 + log 36 = 40, i.e., log 36 = 34.
(slide 291)

The longer the table, the longer it takes to compute it (a one-time expense);
on the other hand, the search is faster with a shorter table.
Usually we assemble a table of size $m = \lceil \sqrt{|G|} \rceil$
and then use O(m) time for the search.

Pollard ρ algorithm
(together with Floyd's cycle-finding algorithm)

Its time complexity is the same as that of the basic giant step – baby step method;
however, it needs almost no memory.
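The giant step – baby step procedure of slides 289–291 as an added example (my own code, not from the lecture notes). The slides tabulate α^0, α^m, α^{2m}, ... for a hand-picked step m (5 in GF(23)*, 10 in GF(89)*) and then multiply β by α until a table entry appears; the code does the same for any m, defaulting to m = ⌈√n⌉ as slide 291 suggests, and returns None when β is not a power of α. The names bsgs and bsgs_trace are my own.

```python
"""Shanks' giant-step / baby-step method for log_alpha(beta) in GF(p)*.

Added example (not from the lecture notes); function names are mine.
"""
import math


def bsgs(alpha, beta, p, m=None):
    """Return x with alpha^x = beta (mod p), or None if no such x exists.

    Giant steps: table {alpha^(i*m): i*m} for i = 0 .. ceil(n/m)-1 (one-time cost,
    O(n/m) entries).  Baby steps: beta * alpha^j for j = 0, 1, ..., m-1.
    A hit alpha^(i*m) = beta * alpha^j gives x = i*m - j (mod n).  Because the
    giant exponents are at most m apart (also across the wrap at n), any window
    of m consecutive exponents contains one of them, so every x is found."""
    n = p - 1
    if m is None:
        m = math.isqrt(n - 1) + 1          # ceil(sqrt(n)) for n >= 1
    giant, step, g = {}, pow(alpha, m, p), 1
    for i in range(-(-n // m)):            # ceil(n / m) giant steps
        giant.setdefault(g, i * m)         # keep the smallest exponent on a repeat
        g = g * step % p
    cur = beta % p
    for j in range(m):
        if cur in giant:
            return (giant[cur] - j) % n
        cur = cur * alpha % p
    return None


def bsgs_trace(alpha, beta, p, m):
    """Same search, but also return the baby-step values so the slide's
    intermediate results (5*18 = 21, 5^2*18 = 13, 5^3*18 = 19) can be checked."""
    n = p - 1
    giant = {pow(alpha, i * m, p): i * m for i in range(-(-n // m))}
    seq, cur = [], beta % p
    for j in range(m):
        if cur in giant:
            return (giant[cur] - j) % n, seq
        cur = cur * alpha % p
        seq.append(cur)
    return None, seq


if __name__ == "__main__":
    print(bsgs_trace(5, 18, 23, 5))        # (12, [21, 13, 19]) as on slide 289
    print(bsgs(3, 36, 89))                 # 34 as on slide 290, with m = ceil(sqrt(88)) = 10
```

The table costs ⌈n/m⌉ group multiplications and memory, the search at most m; with m = ⌈√n⌉ both are O(√n), which is the balance slide 291 describes.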
(slide 292)

The Pohlig–Hellman algorithm

Let $p - 1 = \prod_{i=1}^{k} p_i^{c_i}$ for distinct primes $p_i$.
The value $a = \log_\alpha \beta$ is uniquely determined mod $p - 1$.
First we compute $a \bmod p_i^{c_i}$ for each $i = 1, \ldots, k$,
and then we compute $a \bmod (p - 1)$ using the CRT.

We assume that $q$ is a prime and $c$ the largest positive integer such that
$p - 1 \equiv 0 \pmod{q^c}$.
How do we calculate $x = a \bmod q^c$, where $0 \le x \le q^c - 1$?
(slide 293)

Let us write $x$ in base $q$:
$$x = \sum_{i=0}^{c-1} a_i q^i, \qquad \text{where } 0 \le a_i \le q - 1.$$
Therefore,
$$a = a_0 + a_1 q + \cdots + a_{c-1} q^{c-1} + s q^c,$$
where $s$ is some non-negative integer; collecting everything except $a_0$ into
$K = a_1 + a_2 q + \cdots + a_{c-1} q^{c-2} + s q^{c-1}$ we get $a = a_0 + Kq$.
$a_0$ can be derived from the following identity:
$$\beta^{(p-1)/q} \equiv \alpha^{a_0 (p-1)/q} \pmod p.$$
Let us prove the above congruence (using $\alpha^{p-1} \equiv 1 \pmod p$ in the last step):
$$\beta^{(p-1)/q} \equiv (\alpha^a)^{(p-1)/q} \equiv (\alpha^{a_0 + Kq})^{(p-1)/q}
\equiv \alpha^{a_0 (p-1)/q}\, \alpha^{(p-1)K} \equiv \alpha^{a_0 (p-1)/q} \pmod p.$$
(slide 294)

First we calculate $\beta^{(p-1)/q} \bmod p$.
If $\beta^{(p-1)/q} \equiv 1 \pmod p$, we set $a_0 = 0$;
otherwise we successively calculate
$$\gamma = \alpha^{(p-1)/q} \bmod p,\quad \gamma^2 \bmod p,\quad \ldots$$
until we obtain $\gamma^i \bmod p = \beta^{(p-1)/q} \bmod p$,
and then $a_0 = i$.
(slide 295)

Now we have to determine $a_1, \ldots, a_{c-1}$ (if $c > 1$). Let
$$\beta_j = \beta\,\alpha^{-(a_0 + a_1 q + \cdots + a_{j-1} q^{j-1})} \bmod p,$$
for $0 \le j \le c - 1$ (so $\beta_0 = \beta$). This time we have a more general identity:
$$(\beta_j)^{(p-1)/q^{j+1}} \equiv \alpha^{a_j (p-1)/q} \pmod p,$$
which can be proven in the same way as the previous one.
For a given $\beta_j$ it is not difficult to calculate $a_j$.
Let us also mention the recursion
$$\beta_{j+1} = \beta_j\,\alpha^{-a_j q^j} \bmod p.$$

For a given factorization of the integer $n = p - 1$, the time
complexity of the Pohlig–Hellman algorithm is
$$O\Big(\sum_{i=1}^{k} c_i \big(\log n + \sqrt{p_i}\big)\Big)$$
group multiplications.
(slide 296)

Example: Let $p = 251$. Then $n = p - 1 = 250 = 2 \cdot 5^3$.
Let $\alpha = 71$ and $\beta = 210$, so we want to calculate $a = \log_{71} 210$.

Modulo 2: $\gamma_0 = 1$, $\gamma_1 \equiv \alpha^{250/2} \equiv 250 \pmod p$
and $\beta^{250/2} \equiv 250 \pmod p$,
so $a_0 = 1$ and $\log_{71} 210 \equiv 1 \pmod 2$.

Modulo 5: $\gamma_0 = 1$, $\gamma_1 \equiv \alpha^{250/5} \equiv 20 \pmod p$
and $\beta^{250/5} \equiv 149 \pmod p$,
so $a_0 = 2$ (since $20^2 \equiv 149$). Continuing with $\beta_1$ and $\beta_2$,
$a_1 = 4 = \log_{20} 113$ and $a_2 = 2 = \log_{20} 149$, hence
$$\log_{71} 210 \equiv 2 + 4 \cdot 5 + 2 \cdot 5^2 \equiv 72 \pmod{125}.$$

Finally, by the CRT, we obtain $\log_{71} 210 = 197$.
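The Pohlig–Hellman procedure of slides 292–296 carried through in code, as an added example (my own code, not from the lecture notes). For every prime power q^c dividing n = p − 1 it extracts the base-q digits a_0, ..., a_{c−1} with the identity (β_j)^{(p−1)/q^{j+1}} ≡ α^{a_j (p−1)/q} and the recursion β_{j+1} = β_j α^{−a_j q^j}, then combines the residues with the CRT; the slide's example (p = 251, α = 71, β = 210) is the test data. The names factorize, digits_mod_prime_power, crt and pohlig_hellman are my own, and the small-group logarithms inside each digit step are found by trial multiplication as on slide 294.

```python
"""Pohlig-Hellman for log_alpha(beta) in GF(p)*, following the slides.

Added example (not from the lecture notes); function names are mine.
"""


def factorize(n):
    """Prime-power factorization of n as a list of (q, c) pairs, by trial division."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            c = 0
            while n % d == 0:
                n //= d
                c += 1
            out.append((d, c))
        d += 1
    if n > 1:
        out.append((n, 1))
    return out


def digits_mod_prime_power(alpha, beta, p, q, c):
    """Base-q digits [a_0, ..., a_{c-1}] of log_alpha(beta) mod q^c (slides 293-295)."""
    n = p - 1
    gamma = pow(alpha, n // q, p)                    # alpha^((p-1)/q), an element of order q
    digits, beta_j = [], beta % p
    for j in range(c):
        target = pow(beta_j, n // q ** (j + 1), p)   # (beta_j)^((p-1)/q^(j+1)) = gamma^(a_j)
        a_j, g = 0, 1
        while g != target:                           # trial search gamma^1, gamma^2, ... (slide 294)
            a_j, g = a_j + 1, g * gamma % p
            if a_j == q:
                raise ValueError("beta is not in the subgroup generated by alpha")
        digits.append(a_j)
        beta_j = beta_j * pow(alpha, -a_j * q ** j, p) % p   # beta_{j+1} = beta_j * alpha^(-a_j q^j)
    return digits


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli (Garner-style accumulation)."""
    x, mod = 0, 1
    for r, m in zip(residues, moduli):
        t = (r - x) * pow(mod, -1, m) % m
        x, mod = x + mod * t, mod * m
    return x % mod


def pohlig_hellman(alpha, beta, p):
    """log_alpha(beta) in GF(p)* as an integer in [0, p-1)."""
    n = p - 1
    residues, moduli = [], []
    for q, c in factorize(n):
        digits = digits_mod_prime_power(alpha, beta, p, q, c)
        residues.append(sum(a * q ** i for i, a in enumerate(digits)))   # a mod q^c
        moduli.append(q ** c)
    return crt(residues, moduli)


if __name__ == "__main__":
    print(factorize(250), digits_mod_prime_power(71, 210, 251, 5, 3),
          pohlig_hellman(71, 210, 251))    # [(2, 1), (5, 3)] [2, 4, 2] 197
```

The cost is dominated by the largest prime factor of p − 1 (the trial search, or a BSGS, inside each digit step), which is why a DLP-based system wants p − 1 to have a large prime factor.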
(slide 297)

The Index Calculus Method

GF(23)* with generator 5.
Choose a base of small factors B = {−1, 2, 3}
and assemble the table of their logarithms:

  elt:  −1   2   3
  log:  11   2  16

We are looking for the logarithm of an element β (a Las Vegas algorithm).
Search for a 'smooth' power of β,
i.e., a β^x that can be factored over B.
(slide 298)

Calculate log(13):  13^2 = 169 = 2^3  ⟺
  log 13^2 = log 2^3  ⟺  2 log 13 ≡ 3 log 2  ⟺  2 log 13 ≡ 6 (mod 22).
Thus log 13 ≡ 3 or 14 (mod 22).
Verify: 5^3 = 10 ≠ 13 but 5^14 = 13, so log 13 = 14.

Calculate log(14):
  14^3 = 2^3 · 7^3 = 2^3 · 21 = 2^3 · (−2) = −2^4,
  3 log 14 = log(−2^4) = log(−1) + log 2^4 = 11 + 4 · 2 = 19,
  log 14 = 19 / 3 = 19 · (−7) = (−3)(−7) = 21   (mod 22, since 3^{−1} ≡ −7).
(slide 299)

Calculate log(15):
  15^3 = 3^3 · 5^3 = 3^3 · 2 · 5 = (−1) · 2 · 3,
  3 log 15 = log(−1) + log 2 + log 3 = 11 + 2 + 16 = 29 = 7,
  log 15 = 7 / 3 = 7 · (−7) = −49 = −5 = 17.

Calculate log(7):
  7^3 = 49 · 7 = 3 · 7 = 21 = (−1) · 2,
  3 log 7 = log(−1) + log 2 = 11 + 2 = 13,
  log 7 = 13 / 3 = 13 · (−7) = −91 = 19   (mod 22).
(slide 300)

Another example: GF(89)* with generator 3.
Table of logarithms of the base B = {−1, 2, 3, 5}:

  element:  −1   2   3   5
  log:      44  16   1  70

Calculate log(7):
  7^3 = 76 = 2^2 · 19 (not smooth),   7^5 = 75 = 3 · 5^2,
  5 log 7 = log 3 + 2 log 5 = 1 + 2 · 70 = 141 = 53 (mod 88),
  log 7 = 53 / 5 = 53 · (−35) = 81   (mod 88, since 5^{−1} ≡ −35).

Calculate log(53):
  53^3 = 69 = 3 · 23,   53^5 = 68 = 2^2 · 17 (neither smooth),   53^7 = 18 = 2 · 3^2,
  7 log 53 = log 2 + 2 log 3 = 16 + 2 = 18,
  log 53 = 18 / 7 = 18 · (−25) = 78   (mod 88, since 7^{−1} ≡ −25).
(slide 301)

The Index Calculus Method (in general)

1. Choose a factor base B = {p_1, ..., p_t}, such that a big portion of the
   elements of the group G can be efficiently factored over B.
2. Find t + 10 linear relations among the logarithms of the elements of B:
   choose an integer k < n, calculate α^k and try to express it as
   $$\alpha^k = \prod_{i=1}^{t} p_i^{c_i} \iff k \equiv \sum_{i=1}^{t} c_i \log p_i \pmod{p-1}.$$
(slide 302)

3. Assemble the table of the logarithms of the elements of B (by solving the relations).
4. Choose a random k ∈ {1, ..., n},
   calculate βα^k and try to express it as
   $$\beta\alpha^k = \prod_{i=1}^{t} p_i^{d_i}.$$
   Finally, we obtain
   $$\log_\alpha \beta = \Big(\sum_{i=1}^{t} d_i \log_\alpha p_i - k\Big) \bmod n.$$
(slide 303)

There are various randomized algorithms for the Index Calculus Method.
Under reasonable assumptions their time complexity for the preparation
phase is
$$O\Big(e^{(1+o(1))\sqrt{\log p\,\log\log p}}\Big),$$
and for calculating an individual logarithm
$$O\Big(e^{(1/2+o(1))\sqrt{\log p\,\log\log p}}\Big).$$
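The individual-logarithm stage of the index calculus method, slides 297–302, as an added example (my own code, not from the lecture notes). The factor-base tables are the ones given on the slides (steps 1–3, collecting and solving the relations, are not implemented); the code shows step 4 in both forms the slides use: a smooth power β^x with the division by x done modulo n = p − 1, including the ambiguity that arises when gcd(x, n) > 1 (the log 13 case, where both candidates are checked), and the general form with a smooth product βα^k. The sign factor −1 is handled by also trying p − y (as in 21 = −2 on slide 298). The names TABLE_23, TABLE_89, factor_over_base, log_from_relation, index_log_power and index_log_shift are my own.

```python
"""Index calculus, individual-logarithm stage, in GF(p)* (slides 297-302).

Added example (not from the lecture notes); function names are mine.
"""
from math import gcd

# Factor-base logarithm tables copied from the slides: {element: log_alpha(element)}
TABLE_23 = {-1: 11, 2: 2, 3: 16}            # GF(23)*, alpha = 5
TABLE_89 = {-1: 44, 2: 16, 3: 1, 5: 70}     # GF(89)*, alpha = 3


def factor_over_base(x, p, base):
    """Write x (mod p) as sign * prod q^e over the primes q in `base`; the sign
    is found by also trying p - x (e.g. 21 = -2 in GF(23)).  Returns the exponent
    dict (key -1 holds the sign exponent) or None if x is not B-smooth."""
    primes = sorted(q for q in base if q > 0)
    for sign, y in ((1, x % p), (-1, (-x) % p)):
        if y == 0:
            return None
        exps = {-1: 0 if sign == 1 else 1}
        for q in primes:
            while y % q == 0:
                y //= q
                exps[q] = exps.get(q, 0) + 1
        if y == 1:
            return exps
    return None


def log_from_relation(exps, table, n):
    """sum_i e_i * log(p_i) mod n for a factorization over the base."""
    return sum(e * table[q] for q, e in exps.items()) % n


def index_log_power(alpha, beta, p, table, max_x=None):
    """Slides 298-300: find the smallest x with beta^x B-smooth, then solve
    x * L = y (mod n).  With g = gcd(x, n) > 1 there are g candidates for L;
    each is checked against alpha^L = beta, as the slide does for log 13.
    Returns (log, x) or None."""
    n = p - 1
    for x in range(1, (max_x or n) + 1):
        exps = factor_over_base(pow(beta, x, p), p, table)
        if exps is None:
            continue
        y = log_from_relation(exps, table, n)
        g = gcd(x, n)
        if y % g:
            continue                          # no solution for this x; keep searching
        base_sol = (y // g) * pow(x // g, -1, n // g) % (n // g)
        for t in range(g):
            cand = base_sol + t * (n // g)
            if pow(alpha, cand, p) == beta % p:
                return cand, x
    return None


def index_log_shift(alpha, beta, p, table):
    """Slides 301-302, step 4: find k with beta * alpha^k B-smooth, then
    log beta = (sum d_i log p_i - k) mod n.  k is scanned in order here; the
    slides choose it at random (Las Vegas).  Returns (log, k) or None."""
    n = p - 1
    for k in range(n):
        exps = factor_over_base(beta * pow(alpha, k, p), p, table)
        if exps is not None:
            return (log_from_relation(exps, table, n) - k) % n, k
    return None


if __name__ == "__main__":
    for beta in (13, 14, 15, 7):
        print(beta, index_log_power(5, beta, 23, TABLE_23), index_log_shift(5, beta, 23, TABLE_23))
    print(7, index_log_power(3, 7, 89, TABLE_89), 53, index_log_shift(3, 53, 89, TABLE_89))
```

Because the code also tries the negative representative, it sometimes finds a smooth power earlier than the slides do (14 = −3^2 already at x = 1, and 53^3 = −(2^2 · 5) in GF(89)*); the logarithms obtained are the same as on the slides.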