Selected Topics in Cryptography

Pollards algorithm for logarithms

Michel Ruiz Tejeida
mruiz@computacion.cs.cinvestav.mx
Computer Science Department
CINVESTAV IPN
Description
Let p be a prime. The discrete logarithm problem over
p
is:
Given a and b , find x such that a
x
b | mod p ] .
The security of many cryptosystems is based on the difficulty of solving the discrete logarithm problem. In
this lecture note, we shall discuss the Pollards algorithm to solve the discrete logarithm problem. It is also
called "squareroot attack".
Pollards algorithm is a Monte Carlo type probabilistic algorithm. The algorithm first finds two numbers u
and v such that
a
u
b
v
| mod p ] (1)
The method used in this step is to find a sequence of numbers x
0
, x
1
... until two equal ones are found.
The sequence is defined to be:
x
0
= 1
x
i +1
= {
b x
i
if 0 < x
i
s p 3
x
i
2
if p 3 < x
i
s 2 p 3
a x
i
if 2 p 3 < x
i
< p
(2)
(3)
Note that x
i
can also be expressed as
x
i
a

i
b

i
| mod p ]
To compute the sequence, the algorithm computes

0
= 0

i +1
= {

i
if 0 < x
i
s p 3
2
i
if p 3 < x
i
s 2 p 3

i
+ 1 if 2 p 3 < x
i
< p

0
= 0

i +1
= {

i
+ 1 if 0 < x
i
s p 3
2
i
if p 3 < x
i
s 2 p 3

i
if 2 p 3 < x
i
< p
The algorithm needs not store all the numbers to find an equal pair. The algorithm run through the sets
| x
i
,
i
,
i
, x
2 i
,
2 i
,
2 i
] , i = 1, 2 , ... ,
generating each one from the previous one, until the one with x
i
= x
2 i
is generated. Then we have
a
u
b
v
| mod p ] , where
u =
2 i

i
| mod p 1]
v =
2 i

i
| mod p 1]
Note that the sequence x
i
can be regarded as a random sequence. It is estimated that the period of the
random sequence is

5
p
288
~ 1.0308 p
That is, the algorithm may need to try O_ p iterations to obtain the right pair x
i
and x
2 i
The second step is to find x . If v 0 | mod p 1] , then the algorithms fails. Assume that
v 0 | mod p 1] . The algorithm then finds d , the greatest common divisor of v and p 1, by the
Extended Euclid algorithm.
That is,
d = | v , p 1] = u v + | p 1]
Raising both sides of a
u
b
v
| mod p ] to the power v gives
a
u . v
b
u . v
b
d ( p 1)
b
d
| a
x
]
d
| mod p ]
Therefore, x - d u - v | mod p 1] , which implies that
x - d = u - v + w | p 1]
Since d | p 1] , hence d n - v . We obtain
x = | u - v + w | p 1] ] d (4)
The value of w is between 0 and d . In the case that d is small, we can do an exhaustive search. If d is large,
then the search will take a long time to finish.
If d =1, that is | v , p 1] = 1, then equation 4 can be reduced to
x = u - v = u - v
1
| mod p 1]
The above algorithm can also be adapted to work on the factors of p 1. This is called the multistage
method. Let p 1 = s - t . The method is to use a
s
and b
s
to replace a and b . This leads to find u and v
such that
| a
s
]
u
| b
s
]
s
| mod p ]
2 Pol l ards. nb
The other steps are similar.
Algorithm
Algorithm: Pollards rho for computing discrete logarithms
input: A generator of a cyclic group G of prime order n, and an
element G
output: the discrete logarithm x log

1.Set x
o
1, a
0
0, b
o
0
2.For i 1, 2, ... do the following:
2.1 Using the quantities x
i1
, a
i1
, b
i1
and x
2 i1
, a
2 i1
, b
2 i1

computed
previously, compute x
i
, a
i
, b
i
and x
2 i
, a
2 i,
b
2 i
using equations
(2),(3)
2.2 If x
i
x
2 i
then do the following:
Set r b
i
b
2 i
mod n.
If r 0 then
Set a
0
, b
0
in the inverval 1, n 1 and x
0

a0

b0
and
go step 2
else
x r
1
a
2 i
a
i
mod n and return x.
Running time
Let Gbe a group of order n , a prime. Assume that the function f : G G defined by equation (2) and (3)
behavies like a random function. Then the expected running time of Pollards rho algorithm for discrete
logarithms in G is O(
_
n ) group operations. Moreover, the algorithm requires negligible storage.
Implementation
PollardRhog_Integer, a_Integer, p_Integer :=
Modulex1 = 1, x2 = 1, s1 = 0, s2 = 0, t1 = 0, t2 = 0, u, h,
d, k, l, r, i, j = 1, q, n = EulerPhip, Ifa = g, r = 1,
Whilex1 , x2 j = 1, Ifx1 < p3, x1 = Moda + x1, p; s1 = Mods1 + 1, n;
Ifx1 z p3 && x1 < 2 p3, x1 = Modx1 + x1, p;
s1 = Mod2 + s1, n; t1 = Mod2 + t1, n;
Ifx1 z 2 + p3, x1 = Modg + x1, p; t1 = Modt1 + 1, n;
DoIfx2 < p3, x2 = Moda + x2, p; s2 = Mods2 + 1, n;
Ifx2 z p3 && x2 < 2 p3,
x2 = Modx2 + x2, p; s2 = Mod2 + s2, n; t2 = Mod2 + t2, n;
Ifx2 z 2 + p3, x2 = Modg + x2, p; t2 = Modt2 + 1, n, i, 2;
j = j + 1;;
s = Mods2 - s1, n; t = Modt1 - t2, n;
h = ExtendedGCDs, n;
d = h1; u = h2, 1;
Ifd = 1, r = ModPowerMods, -1, n + t, n,
k = u + t d; l = n d; i = 1; q = PowerModg, k + l, p;
o = PowerModg, l, p;
Whilea , Modq, p && i s d, q = Modq + o, p; i = i + 1;
r = Modk + i + l, n;;;
Returnr;;
Pol l ards. nb 3
Test
In order to get an experimentation area, let us calculate Z
p
-
, and its list of generators. The main
definition of the used procedure is in the notebook 01ModularArithmetic.
mulgr md_ := Modulex, ls, gcd,
x = 1; ls = x;
Whilex < md - 1,
x++; gcd = GCDx, md;
Ifgcd = 1, AppendTols, x;
ls

orbitz_ , md_ := Modulecp, or, flg,

cp = 1; or = cp; flg = False;
While! flg,
cp = Modcp z, md ; flg = MemberQor, cp ;
If! flg, AppendToor, cp;
or

genr md_ := Modulegrm, or, lg, k, fmd, gel, flg, i, g, bi, bii, j,
grm = mulgr md;
or = Lengthgrm;
fmd = FactorInteger md;
If! Lengthfmd = 1 && ! Lengthfmd = 2 && fmd1 = 2, 1,
gel = ,
flg = True;
i = 1;
Whileflg, i++;
g = grmi;
bi = orbitg, md;
flg = ! Lengthbi = or
;
bii = mulgror;
gel = SortTablebibiij + 1, j, Lengthbii
;
or, grm, gel

Let us pick a prime number p , a generator of Z

p
-
, and target value Z
p 1
p = Prime170; or, grm, gel = genrp; g, b = gel4, 154;
Print"p = ", p, " g = ", g, " b = ", b
p 1013 g 12 b 154
x = PollardRhoa, g, p
951
References
[1] J. M. Pollard. Monte Carlo method for index computation (mod p). Mathematics of
Computation, 32(143):918 924, July 1978.
[2] A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography, CRC
Press, 1996.
4 Pol l ards. nb