Baby-step giant-step - Knowledge (XXG)

60:

Many of the most commonly used cryptography systems are based on the assumption that the discrete log is extremely difficult to compute; the more difficult it is, the more security it provides a data transfer. One way to increase the difficulty of the discrete log problem is to base the cryptosystem

1781: 533: 882:. The hashing is done on the second component, and to perform the check in step 1 of the main loop, γ is hashed and the resulting memory address checked. Since hash tables can retrieve and add elements in 1094:

There exist optimized versions of the original algorithm, such as using the collision-free truncated lookup tables of or negation maps and Montgomery's simultaneous modular inversion as proposed in.

320: 1785: 470: 220: 426: 1293: 740: 982: 948: 386: 353: 670: 563: 1326: 140: 281: 160: 1012: 910: 643: 623: 603: 583: 243: 180: 117: 97: 1087:

While this algorithm is credited to Daniel Shanks, who published the 1971 paper in which it first appears, a 1994 paper by Nechaev states that it was known to

625:

in the right-hand side of the congruence above, in the manner of trial multiplication. It tests to see if the congruence is satisfied for any value of

1650: 1286: 1081: 1518: 1846: 1460: 1279: 1389: 1566: 476: 1364: 1119: 1116:

A. Stein and E. Teske, Optimized baby step-giant step methods, Journal of the Ramanujan Mathematical Society 20 (2005), no. 1, 1–32.

1049:

Usually the baby-step giant-step algorithm is used for groups whose order is prime. If the order of the group is composite then the

878:

The best way to speed up the baby-step giant-step algorithm is to use an efficient table lookup scheme. The best in this case is a

1475: 1205:

V. I. Nechaev, Complexity of a determinate algorithm for the discrete logarithm, Mathematical Notes, vol. 55, no. 2 1994 (165-172)

1513: 1450: 1394: 1357: 1019: 1655: 1546: 1465: 1455: 1113:, Class number, a theory of factorization and genera. In Proc. Symp. Pure Math. 20, pages 415—440. AMS, Providence, R.I., 1971. 1331: 1483: 1736: 287: 1104: 1731: 1660: 1561: 1050: 1023: 1698: 1612: 1129:

D. C. Terr, A modification of Shanks’ baby-step giant-step algorithm, Mathematics of Computation 69 (2000), 767–773.

1777: 1767: 1726: 1502: 1496: 1470: 1341: 1084:, which has about the same running time as the baby-step giant-step algorithm, but only a small memory requirement. 1762: 1703: 120: 28: 1665: 1538: 1384: 1336: 1018:

The baby-step giant-step algorithm could be used by an eavesdropper to derive the private key generated in the

73:. It is a fairly simple modification of trial multiplication, the naive method of finding discrete logarithms. 70: 432: 1680: 1571: 54: 188: 1791: 1741: 1721: 397: 1841: 1442: 1417: 1346: 712: 1801: 1796: 1688: 1670: 1607: 1351: 39: 954: 920: 1806: 1772: 1693: 1597: 1556: 1551: 1528: 1432: 1035:

The baby-step giant-step algorithm is a generic algorithm. It works for every finite cyclic group.

359: 326: 1637: 1584: 1581: 1422: 1321: 648: 541: 35: 1378: 1371: 1757: 1713: 1427: 1404: 1088: 1022:, when the modulus is a prime number that is not too large. If the modulus is not prime, the 125: 1602: 1181: 1130: 251: 145: 1193: 1592: 1491: 1189: 988: 913:

time (constant time), this does not slow down the overall baby-step giant-step algorithm.

886: 1242:

Computing Elliptic Curve Discrete Logarithms with Improved Baby-step Giant-step Algorithm

1622: 1523: 1508: 1412: 1313: 1069: 1068:

in the first step of the algorithm. Doing so increases the running time, which then is

1057: 985: 917: 883: 628: 608: 588: 568: 228: 165: 102: 82: 1266: 1835: 1617: 1302: 1215:

Panagiotis Chatzigiannis, Konstantinos Chalkias and Valeria Nikolaenko (2021-06-30).

1154: 1110: 50: 46: 1627: 77: 43: 20: 1134: 1161:, vol. 20, Providence, R.I.: American Mathematical Society, pp. 415–440 1123: 1218:

Homomorphic decryption in blockchains via compressed discrete-log lookup tables

1026:

has a smaller algorithmic complexity, and potentially solves the same problem.

1271: 1185: 879: 1305: 31: 53:. The discrete log problem is of fundamental importance to the area of 1172:

Maurer, Ueli M.; Wolf, Stefan (2000), "The Diffie-Hellman protocol",

1107:, A course in computational algebraic number theory, Springer, 1996. 1240: 1216: 1064:) memory. It is possible to use less memory by choosing a smaller 528:{\displaystyle \alpha ^{j}=\beta \left(\alpha ^{-m}\right)^{i}\,} 1275: 1239:

Steven D. Galbraith, Ping Wang and Fangguo Zhang (2016-02-10).

1157:(1971), "Class number, a theory of factorization and genera", 1038:

It is not necessary to know the exact order of the group

225:

The baby-step giant-step algorithm is based on rewriting

1822:

indicate that algorithm is for numbers of special forms

315:{\displaystyle m=\left\lceil {\sqrt {n}}\right\rceil } 991: 957: 923: 889: 715: 651: 631: 611: 591: 571: 544: 479: 435: 400: 362: 329: 290: 254: 231: 191: 168: 148: 128: 105: 85: 16:

Algorithm for solving the discrete logarithm problem

1750: 1712: 1679: 1636: 1580: 1537: 1441: 1403: 1312: 1015:running time of the naive brute force calculation. 1006: 976: 942: 904: 734: 664: 637: 617: 597: 577: 557: 527: 464: 420: 380: 347: 314: 275: 237: 214: 174: 154: 134: 111: 91: 951:, while the time complexity of the algorithm is 1287: 8: 1267:Baby step-Giant step – example C source code 1046:is merely an upper bound on the group order. 1245:. Advances in Mathematics of Communications 837:Check to see if γ is the second component ( 1294: 1280: 1272: 1042:in advance. The algorithm still works if 990: 964: 956: 930: 922: 916:The space complexity of the algorithm is 888: 720: 714: 656: 650: 630: 610: 590: 570: 549: 543: 524: 518: 505: 484: 478: 461: 440: 434: 417: 405: 399: 361: 328: 301: 289: 253: 230: 208: 196: 190: 167: 147: 127: 104: 84: 1146: 984:. This running time is better than the 465:{\displaystyle \alpha ^{im+j}=\beta \,} 1082:Pollard's rho algorithm for logarithms 215:{\displaystyle \alpha ^{x}=\beta \,.} 7: 1124:Order computations in generic groups 421:{\displaystyle \alpha ^{x}=\beta \,} 162:, the problem is to find an integer 735:{\displaystyle \alpha ^{x}=\beta } 645:, using the precomputed values of 14: 1503:Special number field sieve (SNFS) 1497:General number field sieve (GNFS) 142:of the group and a group element 789: 1174:Designs, Codes and Cryptography 23:, a branch of mathematics, the 1001: 995: 977:{\displaystyle O({\sqrt {n}})} 971: 961: 943:{\displaystyle O({\sqrt {n}})} 937: 927: 899: 893: 1: 1221:. CBT workshop 2021 (ESORICS) 1135:10.1090/S0025-5718-99-01141-2 1080:). Alternatively one can use 1461:Lenstra elliptic curve (ECM) 381:{\displaystyle 0\leq j<m} 348:{\displaystyle 0\leq i<m} 69:The algorithm is based on a 1847:Number theoretic algorithms 1126:, PhD thesis, M.I.T., 2007. 1020:Diffie Hellman key exchange 841:) of any pair in the table. 665:{\displaystyle \alpha ^{j}} 558:{\displaystyle \alpha ^{j}} 1863: 1768:Exponentiation by squaring 1451:Continued fraction (CFRAC) 538:The algorithm precomputes 1815: 1159:In Proc. Symp. Pure Math. 1051:Pohlig–Hellman algorithm 1024:Pohlig–Hellman algorithm 1681:Greatest common divisor 1186:10.1023/A:1008302122286 1056:The algorithm requires 135:{\displaystyle \alpha } 55:public key cryptography 1792:Modular exponentiation 1008: 978: 944: 906: 736: 666: 639: 619: 599: 579: 565:for several values of 559: 529: 466: 422: 382: 349: 316: 277: 276:{\displaystyle x=im+j} 239: 216: 176: 156: 155:{\displaystyle \beta } 136: 113: 93: 1519:Shanks's square forms 1443:Integer factorization 1418:Sieve of Eratosthenes 1009: 979: 945: 907: 737: 691:, having a generator 667: 640: 620: 600: 580: 560: 530: 467: 423: 383: 350: 317: 278: 240: 217: 177: 157: 137: 114: 94: 1797:Montgomery reduction 1671:Function field sieve 1646:Baby-step giant-step 1492:Quadratic sieve (QS) 1007:{\displaystyle O(n)} 989: 955: 921: 905:{\displaystyle O(1)} 887: 780:and store the pair ( 713: 649: 629: 609: 605:and tries values of 589: 569: 542: 477: 433: 398: 391:Therefore, we have: 360: 327: 288: 252: 229: 189: 166: 146: 126: 103: 83: 25:baby-step giant-step 1807:Trachtenberg system 1773:Integer square root 1714:Modular square root 1433:Wheel factorization 1385:Quadratic Frobenius 1365:Lucas–Lehmer–Riesel 788:) in a table. (See 585:. Then it fixes an 71:space–time tradeoff 61:on a larger group. 42:of an element in a 1699:Extended Euclidean 1638:Discrete logarithm 1567:Schönhage–Strassen 1423:Sieve of Pritchard 1053:is more efficient. 1004: 974: 940: 902: 790:§ In practice 732: 662: 635: 615: 595: 575: 555: 525: 462: 418: 378: 345: 312: 273: 235: 212: 172: 152: 132: 109: 89: 36:discrete logarithm 34:for computing the 29:meet-in-the-middle 1829: 1828: 1428:Sieve of Sundaram 969: 935: 683:: A cyclic group 638:{\displaystyle j} 618:{\displaystyle i} 598:{\displaystyle m} 578:{\displaystyle j} 306: 238:{\displaystyle x} 175:{\displaystyle x} 112:{\displaystyle n} 92:{\displaystyle G} 1854: 1778:Integer relation 1751:Other algorithms 1656:Pollard kangaroo 1547:Ancient Egyptian 1405:Prime-generating 1390:Solovay–Strassen 1303:Number-theoretic 1296: 1289: 1282: 1273: 1254: 1253: 1251: 1250: 1236: 1230: 1229: 1227: 1226: 1212: 1206: 1203: 1197: 1196: 1180:(2–3): 147–171, 1169: 1163: 1162: 1151: 1120:A. V. Sutherland 1013: 1011: 1010: 1005: 983: 981: 980: 975: 970: 965: 949: 947: 946: 941: 936: 931: 911: 909: 908: 903: 757: 756: 741: 739: 738: 733: 725: 724: 671: 669: 668: 663: 661: 660: 644: 642: 641: 636: 624: 622: 621: 616: 604: 602: 601: 596: 584: 582: 581: 576: 564: 562: 561: 556: 554: 553: 534: 532: 531: 526: 523: 522: 517: 513: 512: 489: 488: 471: 469: 468: 463: 454: 453: 427: 425: 424: 419: 410: 409: 387: 385: 384: 379: 354: 352: 351: 346: 321: 319: 318: 313: 311: 307: 302: 282: 280: 279: 274: 244: 242: 241: 236: 221: 219: 218: 213: 201: 200: 181: 179: 178: 173: 161: 159: 158: 153: 141: 139: 138: 133: 118: 116: 115: 110: 98: 96: 95: 90: 1862: 1861: 1857: 1856: 1855: 1853: 1852: 1851: 1832: 1831: 1830: 1825: 1811: 1746: 1708: 1675: 1632: 1576: 1533: 1437: 1399: 1372:Proth's theorem 1314:Primality tests 1308: 1300: 1263: 1258: 1257: 1248: 1246: 1238: 1237: 1233: 1224: 1222: 1214: 1213: 1209: 1204: 1200: 1171: 1170: 1166: 1153: 1152: 1148: 1143: 1101: 1099:Further reading 1032: 987: 986: 953: 952: 919: 918: 885: 884: 876: 752: 750: 716: 711: 710: 695:and an element 678: 652: 647: 646: 627: 626: 607: 606: 587: 586: 567: 566: 545: 540: 539: 501: 497: 496: 480: 475: 474: 436: 431: 430: 401: 396: 395: 358: 357: 325: 324: 297: 286: 285: 250: 249: 227: 226: 192: 187: 186: 164: 163: 144: 143: 124: 123: 101: 100: 81: 80: 67: 17: 12: 11: 5: 1860: 1858: 1850: 1849: 1844: 1834: 1833: 1827: 1826: 1824: 1823: 1816: 1813: 1812: 1810: 1809: 1804: 1799: 1794: 1789: 1775: 1770: 1765: 1760: 1754: 1752: 1748: 1747: 1745: 1744: 1739: 1734: 1732:Tonelli–Shanks 1729: 1724: 1718: 1716: 1710: 1709: 1707: 1706: 1701: 1696: 1691: 1685: 1683: 1677: 1676: 1674: 1673: 1668: 1666:Index calculus 1663: 1661:Pohlig–Hellman 1658: 1653: 1648: 1642: 1640: 1634: 1633: 1631: 1630: 1625: 1620: 1615: 1613:Newton-Raphson 1610: 1605: 1600: 1595: 1589: 1587: 1578: 1577: 1575: 1574: 1569: 1564: 1559: 1554: 1549: 1543: 1541: 1539:Multiplication 1535: 1534: 1532: 1531: 1526: 1524:Trial division 1521: 1516: 1511: 1509:Rational sieve 1506: 1499: 1494: 1489: 1481: 1473: 1468: 1463: 1458: 1453: 1447: 1445: 1439: 1438: 1436: 1435: 1430: 1425: 1420: 1415: 1413:Sieve of Atkin 1409: 1407: 1401: 1400: 1398: 1397: 1392: 1387: 1382: 1375: 1368: 1361: 1354: 1349: 1344: 1339: 1337:Elliptic curve 1334: 1329: 1324: 1318: 1316: 1310: 1309: 1301: 1299: 1298: 1291: 1284: 1276: 1270: 1269: 1262: 1261:External links 1259: 1256: 1255: 1231: 1207: 1198: 1164: 1145: 1144: 1142: 1139: 1138: 1137: 1127: 1117: 1114: 1108: 1100: 1097: 1096: 1095: 1092: 1085: 1054: 1047: 1036: 1031: 1028: 1003: 1000: 997: 994: 973: 968: 963: 960: 939: 934: 929: 926: 901: 898: 895: 892: 875: 872: 871: 870: 869: 868: 853: 844:If so, return 842: 820: 802: 795: 794: 793: 759: 731: 728: 723: 719: 677: 674: 659: 655: 634: 614: 594: 574: 552: 548: 536: 535: 521: 516: 511: 508: 504: 500: 495: 492: 487: 483: 472: 460: 457: 452: 449: 446: 443: 439: 428: 416: 413: 408: 404: 389: 388: 377: 374: 371: 368: 365: 355: 344: 341: 338: 335: 332: 322: 310: 305: 300: 296: 293: 283: 272: 269: 266: 263: 260: 257: 234: 223: 222: 211: 207: 204: 199: 195: 171: 151: 131: 108: 88: 66: 63: 15: 13: 10: 9: 6: 4: 3: 2: 1859: 1848: 1845: 1843: 1840: 1839: 1837: 1821: 1818: 1817: 1814: 1808: 1805: 1803: 1800: 1798: 1795: 1793: 1790: 1787: 1783: 1779: 1776: 1774: 1771: 1769: 1766: 1764: 1761: 1759: 1756: 1755: 1753: 1749: 1743: 1740: 1738: 1735: 1733: 1730: 1728: 1727:Pocklington's 1725: 1723: 1720: 1719: 1717: 1715: 1711: 1705: 1702: 1700: 1697: 1695: 1692: 1690: 1687: 1686: 1684: 1682: 1678: 1672: 1669: 1667: 1664: 1662: 1659: 1657: 1654: 1652: 1649: 1647: 1644: 1643: 1641: 1639: 1635: 1629: 1626: 1624: 1621: 1619: 1616: 1614: 1611: 1609: 1606: 1604: 1601: 1599: 1596: 1594: 1591: 1590: 1588: 1586: 1583: 1579: 1573: 1570: 1568: 1565: 1563: 1560: 1558: 1555: 1553: 1550: 1548: 1545: 1544: 1542: 1540: 1536: 1530: 1527: 1525: 1522: 1520: 1517: 1515: 1512: 1510: 1507: 1505: 1504: 1500: 1498: 1495: 1493: 1490: 1488: 1486: 1482: 1480: 1478: 1474: 1472: 1471:Pollard's rho 1469: 1467: 1464: 1462: 1459: 1457: 1454: 1452: 1449: 1448: 1446: 1444: 1440: 1434: 1431: 1429: 1426: 1424: 1421: 1419: 1416: 1414: 1411: 1410: 1408: 1406: 1402: 1396: 1393: 1391: 1388: 1386: 1383: 1381: 1380: 1376: 1374: 1373: 1369: 1367: 1366: 1362: 1360: 1359: 1355: 1353: 1350: 1348: 1345: 1343: 1340: 1338: 1335: 1333: 1330: 1328: 1325: 1323: 1320: 1319: 1317: 1315: 1311: 1307: 1304: 1297: 1292: 1290: 1285: 1283: 1278: 1277: 1274: 1268: 1265: 1264: 1260: 1244: 1243: 1235: 1232: 1220: 1219: 1211: 1208: 1202: 1199: 1195: 1191: 1187: 1183: 1179: 1175: 1168: 1165: 1160: 1156: 1155:Daniel Shanks 1150: 1147: 1140: 1136: 1132: 1128: 1125: 1121: 1118: 1115: 1112: 1109: 1106: 1103: 1102: 1098: 1093: 1090: 1086: 1083: 1079: 1075: 1071: 1067: 1063: 1059: 1055: 1052: 1048: 1045: 1041: 1037: 1034: 1033: 1029: 1027: 1025: 1021: 1016: 1014: 998: 992: 966: 958: 950: 932: 924: 914: 912: 896: 890: 881: 873: 866: 862: 858: 854: 851: 847: 843: 840: 836: 835: 833: 829: 825: 821: 818: 814: 810: 806: 803: 800: 796: 791: 787: 783: 779: 775: 774: 772: 768: 764: 760: 755: 748: 745: 744: 743: 729: 726: 721: 717: 708: 704: 700: 698: 694: 690: 686: 682: 676:The algorithm 675: 673: 657: 653: 632: 612: 592: 572: 550: 546: 519: 514: 509: 506: 502: 498: 493: 490: 485: 481: 473: 458: 455: 450: 447: 444: 441: 437: 429: 414: 411: 406: 402: 394: 393: 392: 375: 372: 369: 366: 363: 356: 342: 339: 336: 333: 330: 323: 308: 303: 298: 294: 291: 284: 270: 267: 264: 261: 258: 255: 248: 247: 246: 232: 209: 205: 202: 197: 193: 185: 184: 183: 169: 149: 129: 122: 106: 86: 79: 74: 72: 64: 62: 58: 56: 52: 51:Daniel Shanks 48: 47:abelian group 45: 41: 37: 33: 30: 26: 22: 1842:Group theory 1819: 1645: 1501: 1484: 1476: 1395:Miller–Rabin 1377: 1370: 1363: 1358:Lucas–Lehmer 1356: 1247:. Retrieved 1241: 1234: 1223:. Retrieved 1217: 1210: 1201: 1177: 1173: 1167: 1158: 1149: 1077: 1073: 1065: 1061: 1043: 1039: 1017: 915: 877: 864: 860: 856: 849: 845: 838: 831: 827: 823: 816: 812: 808: 804: 798: 785: 781: 777: 770: 766: 762: 753: 746: 706: 702: 701: 696: 692: 688: 684: 680: 679: 537: 390: 224: 78:cyclic group 75: 68: 59: 24: 21:group theory 18: 1651:Pollard rho 1608:Goldschmidt 1342:Pocklington 1332:Baillie–PSW 874:In practice 709:satisfying 1836:Categories 1763:Cornacchia 1758:Chakravala 1306:algorithms 1249:2021-09-07 1225:2021-09-07 1141:References 880:hash table 826:where 0 ≤ 765:where 0 ≤ 749:← Ceiling( 705:: A value 182:such that 1737:Berlekamp 1694:Euclidean 1582:Euclidean 1562:Toom–Cook 1557:Karatsuba 1111:D. Shanks 730:β 718:α 687:of order 654:α 547:α 507:− 503:α 494:β 482:α 459:β 438:α 415:β 403:α 367:≤ 334:≤ 206:β 194:α 150:β 130:α 121:generator 99:of order 32:algorithm 1704:Lehmer's 1598:Chunking 1585:division 1514:Fermat's 1105:H. Cohen 1091:in 1962. 855:If not, 822:For all 797:Compute 776:Compute 761:For all 309:⌉ 299:⌈ 76:Given a 1820:Italics 1742:Kunerth 1722:Cipolla 1603:Fourier 1572:Fürer's 1466:Euler's 1456:Dixon's 1379:Pépin's 1194:1759615 1089:Gelfond 811:. (set 751:√ 1802:Schoof 1689:Binary 1593:Binary 1529:Shor's 1347:Fermat 1192: 703:Output 65:Theory 44:finite 1623:Short 1352:Lucas 1030:Notes 830:< 769:< 681:Input 40:order 27:is a 1618:Long 1552:Long 373:< 340:< 119:, a 1782:LLL 1628:SRT 1487:+ 1 1479:− 1 1327:APR 1322:AKS 1182:doi 1131:doi 49:by 38:or 19:In 1838:: 1786:KZ 1784:; 1190:MR 1188:, 1178:19 1176:, 1122:, 863:• 859:← 848:+ 846:im 834:: 815:= 807:← 784:, 773:: 742:. 699:. 672:. 245:: 57:. 1788:) 1780:( 1485:p 1477:p 1295:e 1288:t 1281:v 1252:. 1228:. 1184:: 1133:: 1078:m 1076:/ 1074:n 1072:( 1070:O 1066:m 1062:m 1060:( 1058:O 1044:n 1040:G 1002:) 999:n 996:( 993:O 972:) 967:n 962:( 959:O 938:) 933:n 928:( 925:O 900:) 897:1 894:( 891:O 867:. 865:α 861:γ 857:γ 852:. 850:j 839:α 832:m 828:i 824:i 819:) 817:β 813:γ 809:β 805:γ 801:. 799:α 792:) 786:α 782:j 778:α 771:m 767:j 763:j 758:) 754:n 747:m 727:= 722:x 707:x 697:β 693:α 689:n 685:G 658:j 633:j 613:i 593:m 573:j 551:j 520:i 515:) 510:m 499:( 491:= 486:j 456:= 451:j 448:+ 445:m 442:i 412:= 407:x 376:m 370:j 364:0 343:m 337:i 331:0 304:n 295:= 292:m 271:j 268:+ 265:m 262:i 259:= 256:x 233:x 210:. 203:= 198:x 170:x 107:n 87:G

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.