Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Index calculus algorithm
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
== Description == Roughly speaking, the [[Discrete logarithm|discrete log]] problem asks us to find an ''x'' such that <math>g^x \equiv h \pmod{n}</math>, where ''g'', ''h'', and the modulus ''n'' are given. The algorithm (described in detail below) applies to the group <math>(\mathbb{Z}/q\mathbb{Z})^*</math> where ''q'' is prime. It requires a ''factor base'' as input. This ''factor base'' is usually chosen to be the number β1 and the first ''r'' primes starting with 2. From the point of view of efficiency, we want this factor base to be small, but in order to solve the discrete log for a large group we require the ''factor base'' to be (relatively) large. In practical implementations of the algorithm, those conflicting objectives are compromised one way or another. The algorithm is performed in three stages. The first two stages depend only on the generator ''g'' and prime modulus ''q'', and find the discrete logarithms of a ''factor base'' of ''r'' small primes. The third stage finds the discrete log of the desired number ''h'' in terms of the discrete logs of the factor base. The first stage consists of searching for a set of ''r'' [[linearly independent]] ''relations'' between the factor base and power of the [[Generating set of a group|generator]] ''g''. Each relation contributes one equation to a [[system of linear equations]] in ''r'' unknowns, namely the discrete logarithms of the ''r'' primes in the factor base. This stage is [[embarrassingly parallel]] and easy to divide among many computers. The second stage solves the system of linear equations to compute the discrete logs of the factor base. A system of hundreds of thousands or millions of equations is a significant computation requiring large amounts of memory, and it is ''not'' embarrassingly parallel, so a [[supercomputer]] is typically used. This was considered a minor step compared to the others for smaller discrete log computations. However, larger discrete logarithm records<ref>Thorsten Kleinjung, Claus Diem, Arlen K. Lenstra, Christine Priplata, Colin Stahlke, [https://eprint.iacr.org/2017/067.pdf "Computation of a 768-bit prime field discrete logarithm"], IACR sprint, 2017</ref><ref>Joshua Fried, Pierrick Gaudry, Nadia Heninger, Emmanuel Thome, [https://eprint.iacr.org/2016/961.pdf "A kilobit hidden snfs discrete logarithm computation"], IACR spring, July 2016</ref> were made possible only by shifting the work away from the linear algebra and onto the sieve (i.e., increasing the number of equations while reducing the number of variables). The third stage searches for a power ''s'' of the generator ''g'' which, when multiplied by the argument ''h'', may be factored in terms of the factor base ''g<sup>s</sup>h'' = (β1)<sup>''f''<sub>0</sub></sup> 2<sup>''f''<sub>1</sub></sup> 3<sup>''f''<sub>2</sub></sup>Β·Β·Β·''p''<sub>''r''</sub><sup>''f''<sub>''r''</sub></sup>. Finally, in an operation too simple to really be called a fourth stage, the results of the second and third stages can be rearranged by simple algebraic manipulation to work out the desired discrete logarithm ''x'' = ''f''<sub>0</sub>log<sub>''g''</sub>(β1) + ''f''<sub>1</sub>log<sub>''g''</sub>2 + ''f''<sub>2</sub>log<sub>''g''</sub>3 + Β·Β·Β· + ''f''<sub>''r''</sub>log<sub>''g''</sub>''p<sub>r</sub>'' β ''s''. The first and third stages are both embarrassingly parallel, and in fact the third stage does not depend on the results of the first two stages, so it may be done in parallel with them. The choice of the factor base size ''r'' is critical, and the details are too intricate to explain here. The larger the factor base, the easier it is to find relations in stage 1, and the easier it is to complete stage 3, but the more relations you need before you can proceed to stage 2, and the more difficult stage 2 is. The relative availability of computers suitable for the different types of computation required for stages 1 and 2 is also important. === Applications in other groups === The lack of the notion of ''prime elements'' in the group of points on [[elliptic curves]] makes it impossible to find an efficient ''factor base'' to run index calculus method as presented here in these groups. Therefore this algorithm is incapable of solving discrete logarithms efficiently in elliptic curve groups. However: For special kinds of curves (so called [[supersingular elliptic curve]]s) there are specialized algorithms for solving the problem faster than with generic methods. While the use of these special curves can easily be avoided, in 2009 it has been proven that for certain fields the discrete logarithm problem in the group of points on ''general'' elliptic curves over these fields can be solved faster than with generic methods. The algorithms are indeed adaptations of the index calculus method.<ref>{{cite journal|last=Diem|first=C|title=On the discrete logarithm problem in elliptic curves|journal=Compositio Mathematica|year=2010}}</ref>
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)