Choice of the factor base S: the first k prime numbers,
If k is sufficiently big, a large proportion of the elements in G can be expressed as a product of powers of these k primes, i.e. they will be smooth with respect to S.
Technique to express an element in G as a product of elements of S: divide the element by the
Complexity
Adleman in [Adle79] analyzes this technique in detail and arrives at a complexity of
for some constant C.
Example 8.10
Consider with primitive element That 541 is prime and that 2 is a primitive element can be checked with the Mathematica functions PrimeQ, FactorInteger, and PowerMod. Indeed, the order of 2 divides by Theorem B.5; therefore, we only have to check that for the divisors of
As factor base S we take the set of the first five prime numbers, which can be generated with the Mathematica functions Prime and Table.
We want to write each of the elements in this factor base as a power of i.e. we want to solve the logarithm problem for the elements in the factor base. To this end, we try to find powers of
in that can be expressed as a product of elements in {2, 3, 5, 7, 11}. For this, we can use the Mathematica functions FactorInteger and PowerMod. When trying
we see that we have no complete factorization in {2, 3, 5, 7, 11}.
Writing and taking the logarithms on both sides gives five linear congruence relations in
For example, can be rewritten as
Taking on both sides gives the congruence relation
So, we have:
or, equivalently
If the above linear congruence relations are not linearly independent one has to replace some equations by others until they are linearly independent.
Let us now find a solution of From
we see that 345 cannot be expressed as a product of elements of S, nor can and
but in GF(541).
We conclude that
therefore, the solution of is given by
Because of the small parameters, we can find out explicitly how many elements in {1, 2, ..., 540} can be expressed as a product of elements of S. We use the Mathematica functions Select, Flatten, Table, Sort, and Length and make use of the fact that the exponent of 2 is at most
the exponent of 3 is at most etc., in any number less than 541.
Therefore, about a quarter of all elements in G can be expressed as a product of elements of S. That means that on the average it takes four trials (choices of r) before can be expressed as a product of elements of {2, 3, 5, 7, 11}.
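The two stages of Example 8.10 carried out in code, as an added example that is not part of the text (the book's own computations use Mathematica): trial division against the factor base {2, 3, 5, 7, 11}, collection of relations from smooth powers of 2 in GF(541), solution of the resulting linear congruences modulo 540, and the final search over 345 * 2^s. Because 540 is composite, the linear algebra uses a gcd-based elimination; where a pivot is not invertible modulo 540 the remaining candidates are settled by a modular exponentiation check, a shortcut that replaces the text's "swap in fresh relations until they are independent". All function names are the example's own.

```python
"""Index calculus in GF(p) as in Example 8.10: gen = 2, p = 541, S = {2, 3, 5, 7, 11}.
Added example, not the book's Mathematica code.  Assumes p prime and gen a
primitive element mod p."""
from math import gcd


def smooth_factor(n, base):
    """Trial-divide n by the factor base S.  Return the exponent vector if n is
    a product of powers of elements of S (smooth with respect to S), else None."""
    if n <= 0:
        return None
    exps = []
    for q in base:
        e = 0
        while n % q == 0:
            n //= q
            e += 1
        exps.append(e)
    return exps if n == 1 else None


def collect_relations(gen, p, base, count):
    """Step 1: exponents r with gen^r mod p smooth over S.  Each hit is the
    linear relation  sum_i e_i * log(q_i) = r  (mod p-1)."""
    rows, rhs = [], []
    for r in range(1, p - 1):
        exps = smooth_factor(pow(gen, r, p), base)
        if exps is not None:
            rows.append(exps)
            rhs.append(r)
            if len(rows) == count:
                break
    return rows, rhs


def solve_mod(rows, rhs, modulus, check):
    """Solve rows * x = rhs (mod modulus) for a composite modulus such as p-1.

    Forward pass: Euclid's algorithm on pairs of rows (subtract a multiple,
    swap) clears every entry below the pivot; these row operations are
    invertible modulo any modulus, so the solution set is unchanged.
    Back substitution: a pivot a with g = gcd(a, modulus) > 1 leaves g
    candidates; check(col, x) (here: gen^x == base[col] mod p) selects one."""
    A = [[v % modulus for v in r] + [b % modulus] for r, b in zip(rows, rhs)]
    k = len(rows[0])
    pivots, top = [], 0
    for col in range(k):
        if top >= len(A):
            break
        for i in range(top + 1, len(A)):
            while A[i][col] != 0:
                q = A[top][col] // A[i][col]
                A[top] = [(u - q * v) % modulus for u, v in zip(A[top], A[i])]
                A[top], A[i] = A[i], A[top]
        if A[top][col] != 0:
            pivots.append((top, col))
            top += 1
    if len(pivots) != k:
        raise ValueError("not every factor-base log is determined; collect more relations")
    if any(row[-1] != 0 for row in A[top:]):
        raise ValueError("inconsistent relations")
    x = [None] * k
    for r, col in reversed(pivots):
        row = A[r]
        c = (row[-1] - sum(row[j] * x[j] for j in range(col + 1, k))) % modulus
        a = row[col]
        g = gcd(a, modulus)
        if c % g:
            raise ValueError("inconsistent relations")
        m = modulus // g
        x0 = (c // g) * pow(a // g, -1, m) % m
        x[col] = next(x0 + t * m for t in range(g) if check(col, x0 + t * m))
    return x


def index_calculus_log(gen, h, p, base):
    """Return (m, base_logs) with gen^m = h (mod p) and 0 <= m < p-1."""
    n = p - 1
    rows, rhs = collect_relations(gen, p, base, 4 * len(base))
    logs = solve_mod(rows, rhs, n, lambda j, x: pow(gen, x, p) == base[j])
    # Step 2: multiply h by gen^s until the product is smooth, then
    #   log(h) = sum_i e_i * log(q_i) - s  (mod p-1).
    for s in range(n):
        exps = smooth_factor(h * pow(gen, s, p) % p, base)
        if exps is not None:
            return (sum(e * l for e, l in zip(exps, logs)) - s) % n, logs
    raise ValueError("h is not a power of gen")


if __name__ == "__main__":
    BASE = [2, 3, 5, 7, 11]
    m, logs = index_calculus_log(2, 345, 541, BASE)
    print("logs of the factor base:", dict(zip(BASE, logs)))
    print("log_2(345) in GF(541) =", m, "check:", pow(2, m, 541) == 345)
```

On this input the first smooth power involving 11 alone is 2^50 = 11^2 in GF(541), which fixes log 11 only modulo 270; that is exactly where the candidate check is needed. The search in step 2 passes 345, 690 mod 541 = 149 and 298 before reaching 55 = 5 * 11, as in the text.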
Let the polynomial denote a primitive element of Then can also be represented by binary polynomials of degree modulo the minimal polynomial p(x) of It follows that is a primitive element in i.e. x is a primitive element in
See Example B.6, where defines and where is a
primitive element of This element is a zero of the primitive polynomial In the element x is a primitive element
Equation (8.1), which we want to solve, can be reformulated as:
for every polynomial c(x) of degree find the exponent m, such that
As choice of the factor base S we take all binary, irreducible polynomials of degree say (The number of such polynomials is given by Theorem B.17).
As a technique to express an element in as a product of elements of S, we simply divide the element by the polynomials
A polynomial u(x) that can be expressed as a product of elements of S is called smooth with respect to S.
Complexity
Coppersmith [Copp84] analyzes this algorithm and finds as asymptotic running time
Later, further improvements have been found with names like number field sieve and function field sieve (see [AdDM93], [Adle94], and [HelR83]).
For an excellent survey on the discrete logarithm problem we refer the reader to [Odly85].
Example 8.11
We want to take a logarithm in To represent properly and to find a primitive element in it, we look for a primitive polynomial of degree 10. We do this with the Mathematica function
So, we take which has x as primitive element. Equation (8.1) now reads like:
find m such that
As factor base S we shall take the set of all irreducible polynomials of degree
The reader may remember that all binary, irreducible polynomials of degree d appear in the factorization of (see Theorem B.35).
Hence, as factor base S we have:
We want to write each of the elements in this factor base as a power of x, i.e. we want to solve the logarithm problem for the elements in the factor base. To this end, we try to find powers of x in
that can be expressed as a product of the polynomials We use the Mathematica functions Factor and PolynomialMod.
Writing these relations gives rise to eight linear congruence relations. For instance, the last equation gives
Taking the logarithm on both sides gives the linear congruence relations
since 1023 is the multiplicative order of the primitive element x. In this way, the eight relations above can be rewritten as
This forms a system of congruence relations that can be solved with the Mathematica function Solve.
So, we know that and
If the linear congruence relations are not linearly independent one has to replace some equations by others until they are linearly independent.
Let us now find a solution of From
we see that cannot be written as a product of polynomials in S, but can.
We conclude that so the solution of
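Step 1 of Example 8.11 in code, as an added example that is not part of the text (the book uses Mathematica's Factor and PolynomialMod): binary polynomials stored as integers, the factor base of irreducible polynomials, the Theorem B.35 check that an irreducible polynomial of degree d divides x^(2^d) + x, a primitivity test for the modulus, and the smoothness test that produces the relations. The page does not show the book's primitive polynomial or degree bound, so the example assumes the primitive polynomial x^10 + x^3 + 1 and a factor base of all irreducible polynomials of degree at most 4, which gives eight polynomials, matching the eight relations in the text. Solving the resulting congruences modulo 1023 proceeds exactly as in the GF(p) case and is not repeated here.

```python
"""Binary-polynomial arithmetic and the factor-base step of Example 8.11.
Added example, not the book's code.  A polynomial over GF(2) is an int whose
bit i is the coefficient of x^i, so x^4 + x + 1 is 0b10011 = 19 and x is 2.
Assumed (not taken from the text): modulus x^10 + x^3 + 1, degree bound 4."""


def deg(f):
    """Degree of a binary polynomial (deg(0) = -1)."""
    return f.bit_length() - 1


def poly_divmod(f, g):
    """Long division in GF(2)[x] by shift-and-XOR: return (quotient, remainder)."""
    q, dg = 0, deg(g)
    while f and deg(f) >= dg:
        shift = deg(f) - dg
        q ^= 1 << shift
        f ^= g << shift
    return q, f


def poly_mod(f, g):
    return poly_divmod(f, g)[1]


def poly_mulmod(f, g, mod):
    """Carry-less product of f and g, reduced modulo mod."""
    r = 0
    while g:
        if g & 1:
            r ^= f
        f <<= 1
        g >>= 1
    return poly_mod(r, mod)


def poly_powmod(f, e, mod):
    """Square-and-multiply: f^e mod mod."""
    r = 1
    while e:
        if e & 1:
            r = poly_mulmod(r, f, mod)
        f = poly_mulmod(f, f, mod)
        e >>= 1
    return r


def is_irreducible(f):
    """Trial division by every polynomial of degree 1 .. deg(f)//2."""
    return all(poly_mod(f, g) != 0 for g in range(2, 1 << (deg(f) // 2 + 1)))


def factor_base(max_deg):
    """All binary irreducible polynomials of degree 1 .. max_deg, as ints."""
    return [f for f in range(2, 1 << (max_deg + 1)) if is_irreducible(f)]


def divides_x2d_plus_x(f):
    """Theorem B.35: an irreducible f of degree d divides x^(2^d) + x."""
    return poly_mod((1 << (1 << deg(f))) ^ 2, f) == 0


def is_primitive(mod):
    """x generates the multiplicative group of GF(2)[x]/(mod) iff
    x^(2^n - 1) = 1 and x^((2^n - 1)/q) != 1 for every prime q | 2^n - 1."""
    order = (1 << deg(mod)) - 1
    if poly_powmod(2, order, mod) != 1:
        return False
    m, primes, q = order, [], 2           # prime factors of the order by trial division
    while q * q <= m:
        if m % q == 0:
            primes.append(q)
            while m % q == 0:
                m //= q
        q += 1
    if m > 1:
        primes.append(m)
    return all(poly_powmod(2, order // q, mod) != 1 for q in primes)


def smooth_factor(u, base):
    """Exponent vector of u over the factor base, or None if u is not smooth."""
    if u == 0:
        return None
    exps = []
    for g in base:
        e = 0
        while u != 1 and poly_mod(u, g) == 0:
            u = poly_divmod(u, g)[0]
            e += 1
        exps.append(e)
    return exps if u == 1 else None


def collect_relations(mod, base, count):
    """Exponents r with x^r mod p(x) smooth; each hit is the relation
    sum_i e_i * log(f_i) = r  (mod 2^n - 1), to be solved as in Example 8.11."""
    rows, rhs = [], []
    for r in range(1, (1 << deg(mod)) - 1):
        exps = smooth_factor(poly_powmod(2, r, mod), base)
        if exps is not None:
            rows.append(exps)
            rhs.append(r)
            if len(rows) == count:
                break
    return rows, rhs


def count_smooth(mod, base):
    """Number of the 2^n - 1 nonzero field elements that are smooth over base."""
    return sum(1 for u in range(1, 1 << deg(mod)) if smooth_factor(u, base) is not None)


MODULUS = 0b10000001001                    # x^10 + x^3 + 1 (assumed primitive modulus)

if __name__ == "__main__":
    S = factor_base(4)
    print("factor base:", [bin(f) for f in S], "primitive modulus:", is_primitive(MODULUS))
    rows, rhs = collect_relations(MODULUS, S, len(S))
    for row, r in zip(rows, rhs):
        print(f"x^{r} = product of S-elements with exponents {row}")
    print("smooth elements:", count_smooth(MODULUS, S), "of 1023")
```

Every nonzero polynomial of degree at most 4 is trivially smooth, so at least 31 of the 1023 field elements are; the remaining smooth elements are the ones whose irreducible factors all have degree at most 4, which is what the count reports.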
8.4 Problems
Problem
Users A and B want to use the Diffie-Hellman system to fix a common key over a public channel. They use GF(p), with and primitive element
User B makes public. If what will be the common key that A and B use for their communication?
Problem 8.2
Users A and B want to use the Diffie-Hellman system to fix a common key over a public channel. They use as representation of User B makes public, which stands for the field element If what will be the common key that A and B use for their communication?
Problem 8.3
Demonstrate the Special Case version of the Pohlig-Hellman algorithm, which computes logarithms in finite fields of size by evaluating in GF(257).
Problem
Check that 953 is a prime number and that 3 is a generator of Find the three least significant bits of the solution m of the congruence relation
(See the remark in the discussion of the special case in Subsection 8.3.1.)
Problem 8.5
Compute in GF(353) with the Pohlig-Hellman algorithm.
Problem
Find a solution of in GF(197) by means of the Baby-Step Giant-Step method, when only 15 field elements can be stored.
Problem
Check that is a primitive 2003-th root of unity in GF(4007) (note that 4007 is a prime number). Let G be the multiplicative subgroup of order 2003 in GF(4007) generated by Check that 2124 is an element of G.
Determine by the Pollard method.
Problem
Check that is a generator of the multiplicative group Set up the index-calculus method with a factor base of size 6 and determine
Problem
Solve the equation in the setting of Example 8.11.
Problem
What is the probability that a random element is smooth with respect to the set of
that has become known as the RSA system. It makes use of the following three facts:
1) Exponentiation modulo a composite number n, i.e. computing c from for given m and e, is a relatively simple operation (see Subsection 8.1.1).
2) The opposite problem of taking roots modulo a large, composite number n, i.e. computing m from (which can be written as for given c and e, is, in general, believed to be intractable.
3) If the prime factorization of n is known, the problem of taking roots modulo n is feasible.
9.1.1 Some Mathematics
From Appendix A we quote Theorem A.14 and the definition of Euler's Totient function (Def. A.6):
The reader can check the above in any example with the Mathematica functions GCD and EulerPhi.
9.1.2 Setting Up the System
Step 1 Computing the Modulus
Each user U of the system chooses two different large prime numbers, say and In the original proposal the suggested length was about 100 digits.
Let It follows from (9.2) that
This can also be seen directly. The n integers between 1 and are all coprime with except for the multiples of (namely and the multiples of (namely In this counting, one should realize that the number has been subtracted once too often.
Example 9.1 (Part 1)
To keep this example manageable, participant Bob will keep his primes reasonably small. He makes use of the Mathematica functions Prime and EulerPhi.
Step 2 Computing the Exponents and
User U chooses an integer with User U computes the unique integer satisfying
For instance, U can use Euclid's Algorithm (see Section A.2) to find in less than operations (Theorem A.9) with
Example 9.1 (Part 2)
The random choice of and the computation of can be made with the Mathematica functions Random, While, and ExtendedGCD.
Step 3 Making Public: and
Each user U makes and public, but keeps secret. The prime numbers and no longer play a role. User U may use them to reduce the complexity of his calculations, as we shall see later on. They may not be made public by U.
9.1.3 RSA for Privacy
If user A, say Alice, wants to send a secret message to Bob (user B) she represents her message in any standardized way by a number m, Next, Alice looks up the public exponent of Bob. She will send the ciphertext c computed from
Bob can recover m from c by raising it to the power which he only knows. Indeed, for some integer l one has
when In Problem 9.2 the reader is invited to verify that the system also works when
We summarize the RSA secrecy system in the next table.
The public and secret exponents in the RSA system are traditionally called and to denote the encryption resp. decryption functions that they have in this subsection.
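Steps 1 to 3 of Subsection 9.1.2 and the encryption and decryption of Subsection 9.1.3 in code, as an added example that is not part of the text (the book uses Mathematica's Prime, EulerPhi, Random, While and ExtendedGCD). The secret exponent is found with Euclid's Algorithm in extended form, the counting argument for phi(n) = n - q - p + 1 is used for the modulus, and a brute-force totient is included so the counting argument can be checked on a small n. The primes 10007 and 10009, the toy pair 11 and 13, and the message 31415926 are constructed sample values, not values from the text; the function names are the example's own.

```python
"""RSA key set-up (Steps 1-3) and RSA for privacy (9.1.3).
Added example, not the book's Mathematica code.  Sample primes and the
message are constructed values, far too small for any real use."""
from math import gcd
from random import Random


def extended_gcd(a, b):
    """Euclid's Algorithm in extended form: (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def is_prime(n):
    """Trial division; adequate for the small sample primes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def phi_by_counting(n):
    """Euler's totient by brute force: the integers in 1..n coprime with n."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def rsa_keygen(p, q, seed=None):
    """Step 1: n = p*q and phi(n).  Step 2: random e coprime with phi(n) and
    d with e*d = 1 (mod phi(n)).  Step 3: return the public pair (n, e) and
    the secret d; p and q play no further role and are not returned."""
    if not (is_prime(p) and is_prime(q) and p != q):
        raise ValueError("p and q must be distinct primes")
    n = p * q
    # Of the n integers 1..n, the q multiples of p and the p multiples of q are
    # not coprime with n, and n = p*q was removed twice: phi(n) = n - q - p + 1.
    phi = n - q - p + 1
    rng = Random(seed)
    while True:
        e = rng.randrange(2, phi)
        g, s, _ = extended_gcd(e, phi)
        if g == 1:
            return (n, e), s % phi


def rsa_encrypt(m, public):
    """Alice: c = m^e mod n, with the message represented as 0 <= m < n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer with 0 <= m < n")
    return pow(m, e, n)


def rsa_decrypt(c, d, n):
    """Bob: m = c^d mod n, using the exponent only he knows."""
    return pow(c, d, n)


def demo(seed=2024):
    """Fixed seed so the run is reproducible; returns (n, e, d, m, c, recovered)."""
    public, d = rsa_keygen(10007, 10009, seed)
    n, e = public
    m = 31415926 % n                      # constructed sample message
    c = rsa_encrypt(m, public)
    return n, e, d, m, c, rsa_decrypt(c, d, n)


if __name__ == "__main__":
    n, e, d, m, c, recovered = demo()
    print(f"n = {n}, e = {e}, d = {d}")
    print(f"m = {m} -> c = {c} -> {recovered}")
```

Decryption also recovers messages that share a factor with n (the test below uses m = 10007), which is the case Problem 9.2 asks the reader to verify.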