CS548 Advanced Information Security
An Improved Algorithm for Computing
Logarithms over GF(p) and Its Cryptographic
Significance Function
Stephen C. Pohlig and Margin E. Hellman
IEEE Transactions on Information Theory, 1978
2010. 03. 09.
Kanghoon Lee, AIPR Lab., KAIST
Contents
Introduction
Use in Cryptography
Mathematical Backgrounds
Algorithm for p = 2n+1
Algorithm for Arbitrary Primes
Discussion
What’s the problem ?
Pair of Inverse Functions
y ≡ αx
(mod p)
x ≡ logα y over GF(p)
easy
difficult
where p is prime, α is a fixed primitive element of GF ( p)
① y ≡ α x (mod p) : O (log 2 p ) time complexity
(ex. α 18 = (((α 2 ) 2 ) 2 ) 2 α 2 )
② :x ≡ logα y over GF ( p ) : Previously , O ( p ) time & space complexity
One-way Function : Original problem – easy
Inverse problem – difficult
Really ?
p-1 Must Have Large Prime Factor !
x ≡ logα y over GF(p)
Can we solve this problem faster than O ( p ) time ??
Over GF(p), when p-1 has only small prime factors,
2
the logarithm problem can be solved O(log p)
To make one-way function,
p-1 must have at least one large prime factor
Use in Cryptography
For plain-text M, key K, cipher-text C with the restrictions
1 ≤ M , C ≤ p −1 , 1 ≤ K ≤ p − 2 ,
GCD ( K , p − 1) = ,1
C ≡ M K (mod p)
For deciphering operation,
M ≡ C D (mod p) , where D ≡ K -1 ( mod p − 1 )
(D is uniquely determined because GCD(K, p-1) = 1)
Finding the key K is equivalent to computing
K ≡ log M C over GF(p)
Background – Finite Field (Algebra)
GF(p) : Galois Field (a.k.a. Finite Field)
A field that contains only finitely many elements
Computations over GF(p)
ex. When p=5 (i.e. GF(5)),
3 + 4 ≡ 2 (mod 5) , 3 − 4 ≡ 4 (mod 5)
32 = 9 ≡ 4 (mod 5) , log 3 4 ≡ 2 (mod 5)
Primitive Element : A generator of the multiplicative group of the field
ex. 31 ≡ 3 , 32 ≡ 4 , 33 ≡ 2 , 34 ≡ 1 (mod 5)
So, 3 is a primitive element of GF(5)
Background - Number Theory (1)
Euler’s ϕ - function (a.k.a. Euler’s totient function)
ϕ ( p1e p2 e L pk e ) = ( p1 − 1) p1e ( p2 − 1) p2 e L ( pk − 1) pk e , where pi ' s are prime
1
2
k
1
e
e
= p1 1 p2 2 L pk
k
2
ek

1

−
1
∏
 p 
pi 
i 
The fraction ρ
ρ =
ϕ ( p − 1)
p −1
=

1

1
−
∏
 p 
pi | ( p −1) 
i 
( ∀p < 1.6 ×10
For primes of the form p = 2 p'+1 , with p’ prime, ρ =
103
⇒ p > 0.1
1
1 1
1 −  ≈
2  p'  2
)
Background - Number Theory (2)
Fermat’s Little Theorem
z p −1 ≡ 1 (mod p) , 1 ≤ z ≤ p − 1
From the theorem
z x ≡ z x (mod p −1) (mod p)
Chinese Remainder Theorem
Suppose that n1, n2, …, nk are positive integers which are pairwise coprime.
For any integers a1, a2, …, ak , there exist an integer x (mod n1n2…nk ) satisfying
x ≡ a1 (mod n1 ) , x ≡ a2 (mod n2 ) , L, x ≡ ak (mod nk )
c.f. Euler’s Theorem
For any positive integer n, z ( GCD(n,z)=1 )
z ϕ ( n ) ≡ 1 (mod n)
An Algorithm for p = 2n+1 (1)
Given α , p, y , ( α is a primitive element of GF(p) )
Must find x such that y ≡ α x (mod p)
n −1
Let
x = ∑ bi 2i ,
i =0
Then, b0 is determined by
y
( p −1) / 2
+ 1 , if b0 = 0
(mod p) = 
− 1 , if b0 = 1
(Q) Since α is primitive, α (p-1)/2 ≡ −1 (mod p)
Therefore, y ( p −1) / 2 = (α x ) ( p −1) / 2 ≡ (α ( p −1) / 2 ) x (mod p)
An Algorithm for p = 2n+1 (2)
Now, b1 is determined by letting
z ≡ yα −b0 ≡ α x1 (mod p) ,
n −1
where x1 = ∑i =1 bi 2i
Then,
z ( p −1) / 4 (mod p) ≡ (α x1 ) ( p −1) / 4 ≡ (α ( p −1) / 2 ) x1 / 2 ≡ (−1) x1 / 2
+ 1 , b1 = 0
≡ 
− 1 , b1 = 1
Remaining bit of x
m ≡ p −1
2i +1
z ≡ α xi (mod p) ,
n −1
where xi = ∑ j =i b j 2 j
+ 1 , bi = 0
z m (mod p) ≡ 
− 1 , bi = 1
Flowchart for p = 2n+1
START
bi1
ZZ β (mod p)
bi0
ZY
βα-1 (mod p)
m(p-1)/2
i0
W=1
W=-1
β β2 (mod p)
mm/2
ii+1
WZm (mod p)
i=n
TEST W
FALSE
TRUE
HALT
An Algorithm for Arbitrary Primes (1)
Generalize the algorithm to arbitrary primes p
• 216 + 1 is the largest known prime of the form 2 n + 1
n
n
n
Let p − 1 = p1 1 p2 2 L pk k , pi < pi +1
where the pi are distinct primes and the ni are positive integers
By Chinese Remainder Theorem,
n
if the value of x(mod pi i ) is determined for all i, then
k
x (mod ∏ pi i ) = x(mod p − 1) = x
i =1
n
An Algorithm for Arbitrary Primes (2)
n
Consider the following expansion of x (mod pi i )
ni −1
x (mod pi ) = ∑ b j pi ,
ni
j
where 0 ≤ b j ≤ pi − 1
j =0
Then,
y ( p −1) / pi ≡ α ( p −1) x / pi ≡ γ i ≡ γ i
x
b0
(mod p)
where γ i = α ( p −1) / pi
The resultant value uniquely determines b0
An Algorithm for Arbitrary Primes (3)
The function g i (w) is defined by
γ i g ( w) ≡ w (mod p) , 0 ≤ gi ( w) ≤ pi − 1
i
The resultant value, y ( p −1) / pi ≡ γ i b0 (mod p) determines bi
by g i (w)
So, dominant computational requirement : computing gi (w)
Flowchart for arbitrary primes
START
ZY
βα-1 (mod p)
n(p-1)/pi
j0
WZn (mod p)
bj gi(W)
ZZ β bj (mod p)
β β pi (mod p)
Nn/pi
jj+1
j=ni
FALSE
TRUE
HALT
Time & Space Complexity
Theorem
Let
n
n
p − 1 = p1 1 p2 2 L pk
nk
,
pi < pi +1
be the prime factorization of p-1, where p is prime, the pi are distinct
primes, and the ni are positive integer.
Then, for any {ri }ik=1 with all 0 ≤ ri ≤ 1 , logarithms over GF(p) can be
(
)
computed in O ∑ik=1 ni (log 2 p + pi1− ri (1 + log 2 pi ri )) operations with
(
r
)
O log 2 p ⋅ ∑ik=1 (1 + pi i ) bits of memory.
Proof. [1]
Discussion
p = 2 448 ⋅ 52 + 1 is a prime that p-1 has only small prime factors (i.e., 2, 5)
2+448 = 450 iterations of the loop in the flowchart
Not one-way
function
Dominant computational requirement: 450 exponentiations mod p
When p = 2 p'+1 , (p’ is also prime)
( ex. p' = 2121 ⋅ 52 ⋅ 7 2 ⋅112 ⋅13 ⋅17 ⋅19 ⋅ 23 ⋅ 29 ⋅ 31⋅ 37 ⋅ 41⋅ 43 ⋅ 47 ⋅ 53 ⋅ 59 + 1 )
Dominant computational requirement: g (w)
One-way
function
computing g(w): more than 1030 operations & 1030 bits of memory (r=1/2)
References
[1] S. C. Pohlig and M. E. Hellman, An Improved Algorithm for Computing Logarithms
over GF(p) and Its Cryptographic Significance, IEEE Transactions on Information
Theory, 1978