Generic attacks The discrete-logarithm problem and index calculus - - PowerPoint PPT Presentation

Generic attacks and index calculus

• D. J. Bernstein

University of Illinois at Chicago The discrete-logarithm problem Define ♣ = 1000003. Easy to prove: ♣ is prime. Can we find an integer ♥ ✷ ❢1❀ 2❀ 3❀ ✿ ✿ ✿ ❀ ♣ 1❣ such that 5♥ mod ♣ = 262682? Easy to prove: ♥ ✼✦ 5♥ mod ♣ permutes ❢1❀ 2❀ 3❀ ✿ ✿ ✿ ❀ ♣ 1❣. So there exists an ♥ such that 5♥ mod ♣ = 262682. Could find ♥ by brute force. Is there a faster way?

Generic attacks index calculus Bernstein University of Illinois at Chicago The discrete-logarithm problem Define ♣ = 1000003. Easy to prove: ♣ is prime. Can we find an integer ♥ ✷ ❢1❀ 2❀ 3❀ ✿ ✿ ✿ ❀ ♣ 1❣ such that 5♥ mod ♣ = 262682? Easy to prove: ♥ ✼✦ 5♥ mod ♣ permutes ❢1❀ 2❀ 3❀ ✿ ✿ ✿ ❀ ♣ 1❣. So there exists an ♥ such that 5♥ mod ♣ = 262682. Could find ♥ by brute force. Is there a faster way? Typical cryptanalytic Imagine ♣ in the Diffie-Hellman User cho ♥ publishes

♥

♣ Can attack the discrete- Given public

♥

♣ quickly find ♥ (Warning: to attack Maybe there

calculus Illinois at Chicago The discrete-logarithm problem Define ♣ = 1000003. Easy to prove: ♣ is prime. Can we find an integer ♥ ✷ ❢1❀ 2❀ 3❀ ✿ ✿ ✿ ❀ ♣ 1❣ such that 5♥ mod ♣ = 262682? Easy to prove: ♥ ✼✦ 5♥ mod ♣ permutes ❢1❀ 2❀ 3❀ ✿ ✿ ✿ ❀ ♣ 1❣. So there exists an ♥ such that 5♥ mod ♣ = 262682. Could find ♥ by brute force. Is there a faster way? Typical cryptanalytic Imagine standard ♣ in the Diffie-Hellman User chooses secret ♥ publishes 5♥ mod ♣ Can attacker quickly the discrete-logarithm Given public key 5♥ ♣ quickly find secret ♥ (Warning: This is to attack the proto Maybe there are b

Chicago The discrete-logarithm problem Define ♣ = 1000003. Easy to prove: ♣ is prime. Can we find an integer ♥ ✷ ❢1❀ 2❀ 3❀ ✿ ✿ ✿ ❀ ♣ 1❣ such that 5♥ mod ♣ = 262682? Easy to prove: ♥ ✼✦ 5♥ mod ♣ permutes ❢1❀ 2❀ 3❀ ✿ ✿ ✿ ❀ ♣ 1❣. So there exists an ♥ such that 5♥ mod ♣ = 262682. Could find ♥ by brute force. Is there a faster way? Typical cryptanalytic application: Imagine standard ♣ = 1000003 in the Diffie-Hellman protocol. User chooses secret key ♥, publishes 5♥ mod ♣ = 262682. Can attacker quickly solve the discrete-logarithm problem? Given public key 5♥ mod ♣, quickly find secret key ♥? (Warning: This is one way to attack the protocol. Maybe there are better ways.)

The discrete-logarithm problem Define ♣ = 1000003. Easy to prove: ♣ is prime. Can we find an integer ♥ ✷ ❢1❀ 2❀ 3❀ ✿ ✿ ✿ ❀ ♣ 1❣ such that 5♥ mod ♣ = 262682? Easy to prove: ♥ ✼✦ 5♥ mod ♣ permutes ❢1❀ 2❀ 3❀ ✿ ✿ ✿ ❀ ♣ 1❣. So there exists an ♥ such that 5♥ mod ♣ = 262682. Could find ♥ by brute force. Is there a faster way? Typical cryptanalytic application: Imagine standard ♣ = 1000003 in the Diffie-Hellman protocol. User chooses secret key ♥, publishes 5♥ mod ♣ = 262682. Can attacker quickly solve the discrete-logarithm problem? Given public key 5♥ mod ♣, quickly find secret key ♥? (Warning: This is one way to attack the protocol. Maybe there are better ways.)

discrete-logarithm problem ♣ = 1000003. to prove: ♣ is prime. e find an integer ♥ ✷ ❢ ❀ 2❀ 3❀ ✿ ✿ ✿ ❀ ♣ 1❣ that 5♥ mod ♣ = 262682? to prove: ♥ ✼✦ 5♥ mod ♣ ermutes ❢1❀ 2❀ 3❀ ✿ ✿ ✿ ❀ ♣ 1❣. there exists an ♥ that 5♥ mod ♣ = 262682. find ♥ by brute force. there a faster way? Typical cryptanalytic application: Imagine standard ♣ = 1000003 in the Diffie-Hellman protocol. User chooses secret key ♥, publishes 5♥ mod ♣ = 262682. Can attacker quickly solve the discrete-logarithm problem? Given public key 5♥ mod ♣, quickly find secret key ♥? (Warning: This is one way to attack the protocol. Maybe there are better ways.) Relations

• 1. Some

to elliptic-curve Use in evaluating security

• 2. Some

Use in evaluating advantages compared

• 3. Tricky:

extra applications See Tanja

• n Weil

discrete-logarithm problem ♣ 1000003. ♣ is prime. integer ♥ ✷ ❢ ❀ ❀ ❀ ✿ ✿ ✿ ❀ ♣ 1❣

♥

d ♣ = 262682? ♥ ✼✦ 5♥ mod ♣ ❢ ❀ ❀ ❀ ✿ ✿ ✿ ❀ ♣ 1❣. an ♥

♥

d ♣ = 262682. ♥ brute force. way? Typical cryptanalytic application: Imagine standard ♣ = 1000003 in the Diffie-Hellman protocol. User chooses secret key ♥, publishes 5♥ mod ♣ = 262682. Can attacker quickly solve the discrete-logarithm problem? Given public key 5♥ mod ♣, quickly find secret key ♥? (Warning: This is one way to attack the protocol. Maybe there are better ways.) Relations to ECC:

• 1. Some DL techniques

to elliptic-curve DL Use in evaluating security of an elliptic

• 2. Some techniques

Use in evaluating advantages of elliptic compared to multiplication.

• 3. Tricky: Some techniques

extra applications See Tanja Lange’s

• n Weil descent etc.

roblem ♣ ♣ ♥ ✷ ❢ ❀ ❀ ❀ ✿ ✿ ✿ ❀ ♣ ❣

♥

♣ 262682? ♥ ✼✦

♥ mod ♣

❢ ❀ ❀ ❀ ✿ ✿ ✿ ❀ ♣ 1❣. ♥

♥

♣ 262682. ♥ rce. Typical cryptanalytic application: Imagine standard ♣ = 1000003 in the Diffie-Hellman protocol. User chooses secret key ♥, publishes 5♥ mod ♣ = 262682. Can attacker quickly solve the discrete-logarithm problem? Given public key 5♥ mod ♣, quickly find secret key ♥? (Warning: This is one way to attack the protocol. Maybe there are better ways.) Relations to ECC:

• 1. Some DL techniques also

to elliptic-curve DL problems. Use in evaluating security of an elliptic curve.

• 2. Some techniques don’t apply

Use in evaluating advantages of elliptic curves compared to multiplication.

• 3. Tricky: Some techniques

extra applications to some curves. See Tanja Lange’s talk

• n Weil descent etc.

Typical cryptanalytic application: Imagine standard ♣ = 1000003 in the Diffie-Hellman protocol. User chooses secret key ♥, publishes 5♥ mod ♣ = 262682. Can attacker quickly solve the discrete-logarithm problem? Given public key 5♥ mod ♣, quickly find secret key ♥? (Warning: This is one way to attack the protocol. Maybe there are better ways.) Relations to ECC:

• 1. Some DL techniques also apply

to elliptic-curve DL problems. Use in evaluating security of an elliptic curve.

• 2. Some techniques don’t apply.

Use in evaluating advantages of elliptic curves compared to multiplication.

• 3. Tricky: Some techniques have

extra applications to some curves. See Tanja Lange’s talk

• n Weil descent etc.

ypical cryptanalytic application: Imagine standard ♣ = 1000003 Diffie-Hellman protocol. chooses secret key ♥, publishes 5♥ mod ♣ = 262682. attacker quickly solve discrete-logarithm problem? public key 5♥ mod ♣, quickly find secret key ♥? rning: This is one way attack the protocol. there are better ways.) Relations to ECC:

• 1. Some DL techniques also apply

to elliptic-curve DL problems. Use in evaluating security of an elliptic curve.

• 2. Some techniques don’t apply.

Use in evaluating advantages of elliptic curves compared to multiplication.

• 3. Tricky: Some techniques have

extra applications to some curves. See Tanja Lange’s talk

• n Weil descent etc.

Understanding Can compute 51 mod ♣ 52 mod ♣ 53 mod ♣ ✿ ✿ ✿ 58 mod ♣ 59 mod ♣ ✿ ✿ ✿ 51000002 ♣ At some ♥ with 5♥ mo ♣ Maximum ✔ ♣ 1 ♣ ✔ ♣ 1 that does

cryptanalytic application: rd ♣ = 1000003 Diffie-Hellman protocol. secret key ♥,

♥

d ♣ = 262682. quickly solve rithm problem? 5♥ mod ♣, secret key ♥? is one way rotocol. better ways.) Relations to ECC:

• 1. Some DL techniques also apply

to elliptic-curve DL problems. Use in evaluating security of an elliptic curve.

• 2. Some techniques don’t apply.

Use in evaluating advantages of elliptic curves compared to multiplication.

• 3. Tricky: Some techniques have

extra applications to some curves. See Tanja Lange’s talk

• n Weil descent etc.

Understanding brute Can compute successively 51 mod ♣ = 5, 52 mod ♣ = 25, 53 mod ♣ = 125, ✿ ✿ ✿ 58 mod ♣ = 390625, 59 mod ♣ = 953122, ✿ ✿ ✿ 51000002 mod ♣ = 1. At some point we’ll ♥ with 5♥ mod ♣ = 262682. Maximum cost of ✔ ♣ 1 mults by 5 ♣ ✔ ♣ 1 nanoseconds that does 1 mult/nanosecond.

application: ♣ 1000003 rotocol. ♥,

♥

♣ 262682. roblem?

♥

♣, ♥ y ys.) Relations to ECC:

• 1. Some DL techniques also apply

to elliptic-curve DL problems. Use in evaluating security of an elliptic curve.

• 2. Some techniques don’t apply.

Use in evaluating advantages of elliptic curves compared to multiplication.

• 3. Tricky: Some techniques have

extra applications to some curves. See Tanja Lange’s talk

• n Weil descent etc.

Understanding brute force Can compute successively 51 mod ♣ = 5, 52 mod ♣ = 25, 53 mod ♣ = 125, ✿ ✿ ✿ , 58 mod ♣ = 390625, 59 mod ♣ = 953122, ✿ ✿ ✿ , 51000002 mod ♣ = 1. At some point we’ll find ♥ with 5♥ mod ♣ = 262682. Maximum cost of computation: ✔ ♣ 1 mults by 5 mod ♣; ✔ ♣ 1 nanoseconds on a CPU that does 1 mult/nanosecond.

Relations to ECC:

• 1. Some DL techniques also apply

to elliptic-curve DL problems. Use in evaluating security of an elliptic curve.

• 2. Some techniques don’t apply.

Use in evaluating advantages of elliptic curves compared to multiplication.

• 3. Tricky: Some techniques have

extra applications to some curves. See Tanja Lange’s talk

• n Weil descent etc.

Understanding brute force Can compute successively 51 mod ♣ = 5, 52 mod ♣ = 25, 53 mod ♣ = 125, ✿ ✿ ✿ , 58 mod ♣ = 390625, 59 mod ♣ = 953122, ✿ ✿ ✿ , 51000002 mod ♣ = 1. At some point we’ll find ♥ with 5♥ mod ♣ = 262682. Maximum cost of computation: ✔ ♣ 1 mults by 5 mod ♣; ✔ ♣ 1 nanoseconds on a CPU that does 1 mult/nanosecond.

Relations to ECC: Some DL techniques also apply elliptic-curve DL problems. evaluating y of an elliptic curve. Some techniques don’t apply. evaluating advantages of elliptic curves red to multiplication. ricky: Some techniques have applications to some curves. anja Lange’s talk il descent etc. Understanding brute force Can compute successively 51 mod ♣ = 5, 52 mod ♣ = 25, 53 mod ♣ = 125, ✿ ✿ ✿ , 58 mod ♣ = 390625, 59 mod ♣ = 953122, ✿ ✿ ✿ , 51000002 mod ♣ = 1. At some point we’ll find ♥ with 5♥ mod ♣ = 262682. Maximum cost of computation: ✔ ♣ 1 mults by 5 mod ♣; ✔ ♣ 1 nanoseconds on a CPU that does 1 mult/nanosecond. This is negligible for ♣ ✙ 2 But users standardize ♣ making the Attack cost ✙ 250 mults ♣ ✙ ✙ 2100 mults ♣ ✙ (Not exactly cost of mults ♣ But this

ECC: techniques also apply DL problems. evaluating elliptic curve. techniques don’t apply. evaluating elliptic curves multiplication. techniques have applications to some curves. Lange’s talk etc. Understanding brute force Can compute successively 51 mod ♣ = 5, 52 mod ♣ = 25, 53 mod ♣ = 125, ✿ ✿ ✿ , 58 mod ♣ = 390625, 59 mod ♣ = 953122, ✿ ✿ ✿ , 51000002 mod ♣ = 1. At some point we’ll find ♥ with 5♥ mod ♣ = 262682. Maximum cost of computation: ✔ ♣ 1 mults by 5 mod ♣; ✔ ♣ 1 nanoseconds on a CPU that does 1 mult/nanosecond. This is negligible w for ♣ ✙ 220. But users can standardize a larger ♣ making the attack Attack cost scales ✙ 250 mults for ♣ ✙ ✙ 2100 mults for ♣ ✙ (Not exactly linearly: cost of mults grows ♣ But this is a minor

also apply roblems. curve. apply. curves multiplication. techniques have curves. Understanding brute force Can compute successively 51 mod ♣ = 5, 52 mod ♣ = 25, 53 mod ♣ = 125, ✿ ✿ ✿ , 58 mod ♣ = 390625, 59 mod ♣ = 953122, ✿ ✿ ✿ , 51000002 mod ♣ = 1. At some point we’ll find ♥ with 5♥ mod ♣ = 262682. Maximum cost of computation: ✔ ♣ 1 mults by 5 mod ♣; ✔ ♣ 1 nanoseconds on a CPU that does 1 mult/nanosecond. This is negligible work for ♣ ✙ 220. But users can standardize a larger ♣, making the attack slower. Attack cost scales linearly: ✙ 250 mults for ♣ ✙ 250, ✙ 2100 mults for ♣ ✙ 2100, etc. (Not exactly linearly: cost of mults grows with ♣. But this is a minor effect.)

Understanding brute force Can compute successively 51 mod ♣ = 5, 52 mod ♣ = 25, 53 mod ♣ = 125, ✿ ✿ ✿ , 58 mod ♣ = 390625, 59 mod ♣ = 953122, ✿ ✿ ✿ , 51000002 mod ♣ = 1. At some point we’ll find ♥ with 5♥ mod ♣ = 262682. Maximum cost of computation: ✔ ♣ 1 mults by 5 mod ♣; ✔ ♣ 1 nanoseconds on a CPU that does 1 mult/nanosecond. This is negligible work for ♣ ✙ 220. But users can standardize a larger ♣, making the attack slower. Attack cost scales linearly: ✙ 250 mults for ♣ ✙ 250, ✙ 2100 mults for ♣ ✙ 2100, etc. (Not exactly linearly: cost of mults grows with ♣. But this is a minor effect.)

Understanding brute force compute successively d ♣ = 5, d ♣ = 25, d ♣ = 125, ✿ ✿ ✿ , d ♣ = 390625, d ♣ = 953122, ✿ ✿ ✿ ,

1000002 mod ♣ = 1.

some point we’ll find ♥

♥ mod ♣ = 262682.

Maximum cost of computation: ✔ ♣ 1 mults by 5 mod ♣; ✔ ♣ 1 nanoseconds on a CPU does 1 mult/nanosecond. This is negligible work for ♣ ✙ 220. But users can standardize a larger ♣, making the attack slower. Attack cost scales linearly: ✙ 250 mults for ♣ ✙ 250, ✙ 2100 mults for ♣ ✙ 2100, etc. (Not exactly linearly: cost of mults grows with ♣. But this is a minor effect.) Computation

• f finishing

Chance scales 1❂2 chance ❂ 1❂10 chance ❂ “So users ♥ That’s p “random choose random r compute

r

♣ compute

r ♥

♣ (515040 ✁

♥

♣ ♣ compute subtract r ♣ ♥

rute force successively ♣ ♣ ♣ 125, ✿ ✿ ✿ , ♣ 390625, ♣ 953122, ✿ ✿ ✿ , ♣ 1. e’ll find ♥

♥

♣ 262682.

• f computation:

✔ ♣ y 5 mod ♣; ✔ ♣ nanoseconds on a CPU mult/nanosecond. This is negligible work for ♣ ✙ 220. But users can standardize a larger ♣, making the attack slower. Attack cost scales linearly: ✙ 250 mults for ♣ ✙ 250, ✙ 2100 mults for ♣ ✙ 2100, etc. (Not exactly linearly: cost of mults grows with ♣. But this is a minor effect.) Computation has a

• f finishing earlier.

Chance scales linea 1❂2 chance of 1❂2 1❂10 chance of 1❂ “So users should cho ♥ That’s pointless. W “random self-reduction”: choose random r, compute 5r mod ♣ compute 5r5♥ mod ♣ (515040 ✁ (5♥ mod ♣ ♣ compute discrete log; subtract r mod ♣ ♥

♣ ♣ ♣ ✿ ✿ ✿ ♣ ♣ ✿ ✿ ✿ ♣ ♥

♥

♣ computation: ✔ ♣ ♣; ✔ ♣ CPU mult/nanosecond. This is negligible work for ♣ ✙ 220. But users can standardize a larger ♣, making the attack slower. Attack cost scales linearly: ✙ 250 mults for ♣ ✙ 250, ✙ 2100 mults for ♣ ✙ 2100, etc. (Not exactly linearly: cost of mults grows with ♣. But this is a minor effect.) Computation has a good chance

• f finishing earlier.

Chance scales linearly: 1❂2 chance of 1❂2 cost; 1❂10 chance of 1❂10 cost; etc. “So users should choose large ♥ That’s pointless. We can apply “random self-reduction”: choose random r, say 726379; compute 5r mod ♣ = 515040; compute 5r5♥ mod ♣ as (515040 ✁ (5♥ mod ♣)) mod ♣ compute discrete log; subtract r mod ♣ 1; obtain ♥

This is negligible work for ♣ ✙ 220. But users can standardize a larger ♣, making the attack slower. Attack cost scales linearly: ✙ 250 mults for ♣ ✙ 250, ✙ 2100 mults for ♣ ✙ 2100, etc. (Not exactly linearly: cost of mults grows with ♣. But this is a minor effect.) Computation has a good chance

• f finishing earlier.

Chance scales linearly: 1❂2 chance of 1❂2 cost; 1❂10 chance of 1❂10 cost; etc. “So users should choose large ♥.” That’s pointless. We can apply “random self-reduction”: choose random r, say 726379; compute 5r mod ♣ = 515040; compute 5r5♥ mod ♣ as (515040 ✁ (5♥ mod ♣)) mod ♣; compute discrete log; subtract r mod ♣ 1; obtain ♥.

negligible work ♣ ✙ 220. users can rdize a larger ♣, making the attack slower. cost scales linearly: ✙ mults for ♣ ✙ 250, ✙ mults for ♣ ✙ 2100, etc. exactly linearly:

• f mults grows with ♣.

this is a minor effect.) Computation has a good chance

• f finishing earlier.

Chance scales linearly: 1❂2 chance of 1❂2 cost; 1❂10 chance of 1❂10 cost; etc. “So users should choose large ♥.” That’s pointless. We can apply “random self-reduction”: choose random r, say 726379; compute 5r mod ♣ = 515040; compute 5r5♥ mod ♣ as (515040 ✁ (5♥ mod ♣)) mod ♣; compute discrete log; subtract r mod ♣ 1; obtain ♥. Computation One low-cost many pa Example, 210 cores each 230 Maybe; see for detaile Attacker many pa Example, so 234 co so 264 mults/second, so 289 mults/y

work ♣ ✙ rger ♣, attack slower. scales linearly: ✙ ♣ ✙ 250, ✙ ♣ ✙ 2100, etc. linearly: grows with ♣. minor effect.) Computation has a good chance

• f finishing earlier.

Chance scales linearly: 1❂2 chance of 1❂2 cost; 1❂10 chance of 1❂10 cost; etc. “So users should choose large ♥.” That’s pointless. We can apply “random self-reduction”: choose random r, say 726379; compute 5r mod ♣ = 515040; compute 5r5♥ mod ♣ as (515040 ✁ (5♥ mod ♣)) mod ♣; compute discrete log; subtract r mod ♣ 1; obtain ♥. Computation can b One low-cost chip many parallel searches. Example, 26 e: one 210 cores on the chip, each 230 mults/second? Maybe; see SHARCS for detailed cost analyses. Attacker can run many parallel chips. Example, 230 e: 2 so 234 cores, so 264 mults/second, so 289 mults/year.

♣ ✙ ♣ ly: ✙ ♣ ✙ ✙ ♣ ✙ , etc. ♣. effect.) Computation has a good chance

• f finishing earlier.

Chance scales linearly: 1❂2 chance of 1❂2 cost; 1❂10 chance of 1❂10 cost; etc. “So users should choose large ♥.” That’s pointless. We can apply “random self-reduction”: choose random r, say 726379; compute 5r mod ♣ = 515040; compute 5r5♥ mod ♣ as (515040 ✁ (5♥ mod ♣)) mod ♣; compute discrete log; subtract r mod ♣ 1; obtain ♥. Computation can be parallelized. One low-cost chip can run many parallel searches. Example, 26 e: one chip, 210 cores on the chip, each 230 mults/second? Maybe; see SHARCS workshops for detailed cost analyses. Attacker can run many parallel chips. Example, 230 e: 224 chips, so 234 cores, so 264 mults/second, so 289 mults/year.

Computation has a good chance

• f finishing earlier.

Chance scales linearly: 1❂2 chance of 1❂2 cost; 1❂10 chance of 1❂10 cost; etc. “So users should choose large ♥.” That’s pointless. We can apply “random self-reduction”: choose random r, say 726379; compute 5r mod ♣ = 515040; compute 5r5♥ mod ♣ as (515040 ✁ (5♥ mod ♣)) mod ♣; compute discrete log; subtract r mod ♣ 1; obtain ♥. Computation can be parallelized. One low-cost chip can run many parallel searches. Example, 26 e: one chip, 210 cores on the chip, each 230 mults/second? Maybe; see SHARCS workshops for detailed cost analyses. Attacker can run many parallel chips. Example, 230 e: 224 chips, so 234 cores, so 264 mults/second, so 289 mults/year.

Computation has a good chance finishing earlier. Chance scales linearly: ❂ chance of 1❂2 cost; ❂ chance of 1❂10 cost; etc. users should choose large ♥.”

• pointless. We can apply

“random self-reduction”: random r, say 726379; compute 5r mod ♣ = 515040; compute 5r5♥ mod ♣ as (515040 ✁ (5♥ mod ♣)) mod ♣; compute discrete log; subtract r mod ♣ 1; obtain ♥. Computation can be parallelized. One low-cost chip can run many parallel searches. Example, 26 e: one chip, 210 cores on the chip, each 230 mults/second? Maybe; see SHARCS workshops for detailed cost analyses. Attacker can run many parallel chips. Example, 230 e: 224 chips, so 234 cores, so 264 mults/second, so 289 mults/year. Multiple Computation to many Given 100

♥

♣ 5♥2 mod ♣ ✿ ✿ ✿

♥

♣ Can find ♥ ❀ ♥ ❀ ✿ ✿ ✿ ❀ ♥ with ✔ ♣ ♣ Simplest a sorted 5♥1 mod ♣ ✿ ✿ ✿

♥

♣ Then check 51 mod ♣ ♣

has a good chance rlier. linearly: ❂ ❂2 cost; ❂ 1❂10 cost; etc. choose large ♥.”

• intless. We can apply

self-reduction”: r, say 726379;

r

♣ = 515040;

r ♥ mod ♣ as

✁

♥ mod ♣)) mod ♣;

discrete log; r ♣ 1; obtain ♥. Computation can be parallelized. One low-cost chip can run many parallel searches. Example, 26 e: one chip, 210 cores on the chip, each 230 mults/second? Maybe; see SHARCS workshops for detailed cost analyses. Attacker can run many parallel chips. Example, 230 e: 224 chips, so 234 cores, so 264 mults/second, so 289 mults/year. Multiple targets and Computation can b to many targets at Given 100 DL targets

♥

♣ 5♥2 mod ♣, ✿ ✿ ✿ , 5♥ ♣ Can find all of ♥1❀ ♥ ❀ ✿ ✿ ✿ ❀ ♥ with ✔ ♣ 1 mults ♣ Simplest approach: a sorted table containing 5♥1 mod ♣, ✿ ✿ ✿ , 5♥ ♣ Then check table fo 51 mod ♣, 52 mod ♣

chance ❂ ❂ ❂ ❂ etc. rge ♥.” apply r 726379;

r

♣ 515040;

r ♥

♣ ✁

♥

♣ d ♣; r ♣

• btain ♥.

Computation can be parallelized. One low-cost chip can run many parallel searches. Example, 26 e: one chip, 210 cores on the chip, each 230 mults/second? Maybe; see SHARCS workshops for detailed cost analyses. Attacker can run many parallel chips. Example, 230 e: 224 chips, so 234 cores, so 264 mults/second, so 289 mults/year. Multiple targets and giant steps Computation can be applied to many targets at once. Given 100 DL targets 5♥1 mo ♣ 5♥2 mod ♣, ✿ ✿ ✿ , 5♥100 mod ♣ Can find all of ♥1❀ ♥2❀ ✿ ✿ ✿ ❀ ♥ with ✔ ♣ 1 mults mod ♣. Simplest approach: First build a sorted table containing 5♥1 mod ♣, ✿ ✿ ✿ , 5♥100 mod ♣ Then check table for 51 mod ♣, 52 mod ♣, etc.

Computation can be parallelized. One low-cost chip can run many parallel searches. Example, 26 e: one chip, 210 cores on the chip, each 230 mults/second? Maybe; see SHARCS workshops for detailed cost analyses. Attacker can run many parallel chips. Example, 230 e: 224 chips, so 234 cores, so 264 mults/second, so 289 mults/year. Multiple targets and giant steps Computation can be applied to many targets at once. Given 100 DL targets 5♥1 mod ♣, 5♥2 mod ♣, ✿ ✿ ✿ , 5♥100 mod ♣: Can find all of ♥1❀ ♥2❀ ✿ ✿ ✿ ❀ ♥100 with ✔ ♣ 1 mults mod ♣. Simplest approach: First build a sorted table containing 5♥1 mod ♣, ✿ ✿ ✿ , 5♥100 mod ♣. Then check table for 51 mod ♣, 52 mod ♣, etc.

Computation can be parallelized. w-cost chip can run parallel searches. Example, 26 e: one chip, res on the chip,

30 mults/second?

e; see SHARCS workshops tailed cost analyses. er can run parallel chips. Example, 230 e: 224 chips, cores, mults/second, mults/year. Multiple targets and giant steps Computation can be applied to many targets at once. Given 100 DL targets 5♥1 mod ♣, 5♥2 mod ♣, ✿ ✿ ✿ , 5♥100 mod ♣: Can find all of ♥1❀ ♥2❀ ✿ ✿ ✿ ❀ ♥100 with ✔ ♣ 1 mults mod ♣. Simplest approach: First build a sorted table containing 5♥1 mod ♣, ✿ ✿ ✿ , 5♥100 mod ♣. Then check table for 51 mod ♣, 52 mod ♣, etc. Interesting Solving all isn’t much solving one Interesting Solving at

• ut of 100

is much solving one When did find its first ♥✐ Typically ✙ ♣ ❂

can be parallelized. chip can run searches.

• ne chip,

chip, mults/second? SHARCS workshops analyses. chips. 224 chips, mults/second, r. Multiple targets and giant steps Computation can be applied to many targets at once. Given 100 DL targets 5♥1 mod ♣, 5♥2 mod ♣, ✿ ✿ ✿ , 5♥100 mod ♣: Can find all of ♥1❀ ♥2❀ ✿ ✿ ✿ ❀ ♥100 with ✔ ♣ 1 mults mod ♣. Simplest approach: First build a sorted table containing 5♥1 mod ♣, ✿ ✿ ✿ , 5♥100 mod ♣. Then check table for 51 mod ♣, 52 mod ♣, etc. Interesting consequence Solving all 100 DL isn’t much harder solving one DL problem. Interesting consequence Solving at least one

• ut of 100 DL problems

is much easier than solving one DL problem. When did this computation find its first ♥✐? Typically ✙ (♣ 1)❂

rallelized. rkshops chips, Multiple targets and giant steps Computation can be applied to many targets at once. Given 100 DL targets 5♥1 mod ♣, 5♥2 mod ♣, ✿ ✿ ✿ , 5♥100 mod ♣: Can find all of ♥1❀ ♥2❀ ✿ ✿ ✿ ❀ ♥100 with ✔ ♣ 1 mults mod ♣. Simplest approach: First build a sorted table containing 5♥1 mod ♣, ✿ ✿ ✿ , 5♥100 mod ♣. Then check table for 51 mod ♣, 52 mod ♣, etc. Interesting consequence #1: Solving all 100 DL problems isn’t much harder than solving one DL problem. Interesting consequence #2: Solving at least one

• ut of 100 DL problems

is much easier than solving one DL problem. When did this computation find its first ♥✐? Typically ✙ (♣ 1)❂100 mults.

Multiple targets and giant steps Computation can be applied to many targets at once. Given 100 DL targets 5♥1 mod ♣, 5♥2 mod ♣, ✿ ✿ ✿ , 5♥100 mod ♣: Can find all of ♥1❀ ♥2❀ ✿ ✿ ✿ ❀ ♥100 with ✔ ♣ 1 mults mod ♣. Simplest approach: First build a sorted table containing 5♥1 mod ♣, ✿ ✿ ✿ , 5♥100 mod ♣. Then check table for 51 mod ♣, 52 mod ♣, etc. Interesting consequence #1: Solving all 100 DL problems isn’t much harder than solving one DL problem. Interesting consequence #2: Solving at least one

• ut of 100 DL problems

is much easier than solving one DL problem. When did this computation find its first ♥✐? Typically ✙ (♣ 1)❂100 mults.

Multiple targets and giant steps Computation can be applied many targets at once. 100 DL targets 5♥1 mod ♣,

♥ mod ♣, ✿ ✿ ✿ , 5♥100 mod ♣:

find all of ♥1❀ ♥2❀ ✿ ✿ ✿ ❀ ♥100 ✔ ♣ 1 mults mod ♣. Simplest approach: First build rted table containing

♥ mod ♣, ✿ ✿ ✿ , 5♥100 mod ♣.

check table for d ♣, 52 mod ♣, etc. Interesting consequence #1: Solving all 100 DL problems isn’t much harder than solving one DL problem. Interesting consequence #2: Solving at least one

• ut of 100 DL problems

is much easier than solving one DL problem. When did this computation find its first ♥✐? Typically ✙ (♣ 1)❂100 mults. Can use to turn a into multiple Given 5♥ ♣ Choose random r ❀ r ❀ ✿ ✿ ✿ ❀ r Compute

r ♥

♣ 5r25♥ mo ♣ Solve these Typically ✙ ♣ ❂ to find at r✐ + ♥ mo ♣ immediately ♥

and giant steps can be applied at once. rgets 5♥1 mod ♣,

♥

♣ ✿ ✿ ✿ 5♥100 mod ♣: ♥1❀ ♥2❀ ✿ ✿ ✿ ❀ ♥100 ✔ ♣ mults mod ♣.

• ach: First build

containing

♥

♣ ✿ ✿ ✿ 5♥100 mod ♣. table for ♣ d ♣, etc. Interesting consequence #1: Solving all 100 DL problems isn’t much harder than solving one DL problem. Interesting consequence #2: Solving at least one

• ut of 100 DL problems

is much easier than solving one DL problem. When did this computation find its first ♥✐? Typically ✙ (♣ 1)❂100 mults. Can use random self-reduction to turn a single target into multiple targets. Given 5♥ mod ♣: Choose random r1❀ r ❀ ✿ ✿ ✿ ❀ r Compute 5r15♥ mo ♣ 5r25♥ mod ♣, etc. Solve these 100 DL Typically ✙ (♣ 1)❂ to find at least one r✐ + ♥ mod ♣ 1, immediately revealing ♥

steps applied

♥ mod ♣, ♥

♣ ✿ ✿ ✿

♥

♣: ♥ ❀ ♥ ❀ ✿ ✿ ✿ ❀ ♥100 ✔ ♣ ♣. build

♥

♣ ✿ ✿ ✿

♥

♣. ♣ ♣ Interesting consequence #1: Solving all 100 DL problems isn’t much harder than solving one DL problem. Interesting consequence #2: Solving at least one

• ut of 100 DL problems

is much easier than solving one DL problem. When did this computation find its first ♥✐? Typically ✙ (♣ 1)❂100 mults. Can use random self-reduction to turn a single target into multiple targets. Given 5♥ mod ♣: Choose random r1❀ r2❀ ✿ ✿ ✿ ❀ r Compute 5r15♥ mod ♣, 5r25♥ mod ♣, etc. Solve these 100 DL problems. Typically ✙ (♣ 1)❂100 mults to find at least one r✐ + ♥ mod ♣ 1, immediately revealing ♥.

Interesting consequence #1: Solving all 100 DL problems isn’t much harder than solving one DL problem. Interesting consequence #2: Solving at least one

• ut of 100 DL problems

is much easier than solving one DL problem. When did this computation find its first ♥✐? Typically ✙ (♣ 1)❂100 mults. Can use random self-reduction to turn a single target into multiple targets. Given 5♥ mod ♣: Choose random r1❀ r2❀ ✿ ✿ ✿ ❀ r100. Compute 5r15♥ mod ♣, 5r25♥ mod ♣, etc. Solve these 100 DL problems. Typically ✙ (♣ 1)❂100 mults to find at least one r✐ + ♥ mod ♣ 1, immediately revealing ♥.

Interesting consequence #1: Solving all 100 DL problems much harder than

• ne DL problem.

Interesting consequence #2: Solving at least one 100 DL problems much easier than

• ne DL problem.

did this computation its first ♥✐? ypically ✙ (♣ 1)❂100 mults. Can use random self-reduction to turn a single target into multiple targets. Given 5♥ mod ♣: Choose random r1❀ r2❀ ✿ ✿ ✿ ❀ r100. Compute 5r15♥ mod ♣, 5r25♥ mod ♣, etc. Solve these 100 DL problems. Typically ✙ (♣ 1)❂100 mults to find at least one r✐ + ♥ mod ♣ 1, immediately revealing ♥. Also spent to compute

r✐

♣ ✙ lg ♣ mults ✐ Faster: Cho r✐ ✐r with r1 ✙ ♣ ❂ Compute

r

♣ 5r15♥ mo ♣ 52r15♥ mo ♣ 53r15♥ mo ♣ Just 1 mult ✐ ✙ 100 + ♣ ♣ ❂ to find ♥

♥

♣

consequence #1: DL problems rder than roblem. consequence #2:

• ne

roblems than roblem. computation ♥✐ ✙ ♣ 1)❂100 mults. Can use random self-reduction to turn a single target into multiple targets. Given 5♥ mod ♣: Choose random r1❀ r2❀ ✿ ✿ ✿ ❀ r100. Compute 5r15♥ mod ♣, 5r25♥ mod ♣, etc. Solve these 100 DL problems. Typically ✙ (♣ 1)❂100 mults to find at least one r✐ + ♥ mod ♣ 1, immediately revealing ♥. Also spent some mults to compute each 5r✐ ♣ ✙ lg ♣ mults for each ✐ Faster: Choose r✐ ✐r with r1 ✙ (♣ 1)❂ Compute 5r1 mod ♣ 5r15♥ mod ♣; 52r15♥ mod ♣; 53r15♥ mod ♣; etc. Just 1 mult for each ✐ ✙ 100 + lg ♣ + (♣ ❂ to find ♥ given 5♥ ♣

#1: roblems #2: computation ♥✐ ✙ ♣ ❂ mults. Can use random self-reduction to turn a single target into multiple targets. Given 5♥ mod ♣: Choose random r1❀ r2❀ ✿ ✿ ✿ ❀ r100. Compute 5r15♥ mod ♣, 5r25♥ mod ♣, etc. Solve these 100 DL problems. Typically ✙ (♣ 1)❂100 mults to find at least one r✐ + ♥ mod ♣ 1, immediately revealing ♥. Also spent some mults to compute each 5r✐ mod ♣: ✙ lg ♣ mults for each ✐. Faster: Choose r✐ = ✐r1 with r1 ✙ (♣ 1)❂100. Compute 5r1 mod ♣; 5r15♥ mod ♣; 52r15♥ mod ♣; 53r15♥ mod ♣; etc. Just 1 mult for each new ✐. ✙ 100 + lg ♣ + (♣ 1)❂100 to find ♥ given 5♥ mod ♣.

Can use random self-reduction to turn a single target into multiple targets. Given 5♥ mod ♣: Choose random r1❀ r2❀ ✿ ✿ ✿ ❀ r100. Compute 5r15♥ mod ♣, 5r25♥ mod ♣, etc. Solve these 100 DL problems. Typically ✙ (♣ 1)❂100 mults to find at least one r✐ + ♥ mod ♣ 1, immediately revealing ♥. Also spent some mults to compute each 5r✐ mod ♣: ✙ lg ♣ mults for each ✐. Faster: Choose r✐ = ✐r1 with r1 ✙ (♣ 1)❂100. Compute 5r1 mod ♣; 5r15♥ mod ♣; 52r15♥ mod ♣; 53r15♥ mod ♣; etc. Just 1 mult for each new ✐. ✙ 100 + lg ♣ + (♣ 1)❂100 mults to find ♥ given 5♥ mod ♣.

use random self-reduction a single target multiple targets. 5♥ mod ♣:

• se random r1❀ r2❀ ✿ ✿ ✿ ❀ r100.

Compute 5r15♥ mod ♣,

r ♥ mod ♣, etc.

these 100 DL problems. ypically ✙ (♣ 1)❂100 mults at least one r✐ ♥ mod ♣ 1, immediately revealing ♥. Also spent some mults to compute each 5r✐ mod ♣: ✙ lg ♣ mults for each ✐. Faster: Choose r✐ = ✐r1 with r1 ✙ (♣ 1)❂100. Compute 5r1 mod ♣; 5r15♥ mod ♣; 52r15♥ mod ♣; 53r15♥ mod ♣; etc. Just 1 mult for each new ✐. ✙ 100 + lg ♣ + (♣ 1)❂100 mults to find ♥ given 5♥ mod ♣. Faster: Increase ✙ ♣♣ Only ✙ 2♣♣ to solve “Shanks discrete-loga Example: ♣ 5♥ mod ♣ Compute ♣ Then compute 510245♥ ♣ 52✁10245♥ ♣ 53✁10245♥ ♣ ✿ ✿ ✿ 51000✁1024 ♥ ♣

self-reduction target rgets.

♥

♣: r1❀ r2❀ ✿ ✿ ✿ ❀ r100.

r ♥ mod ♣, r ♥

♣ etc. DL problems. ✙ ♣ 1)❂100 mults

• ne

r✐ ♥ ♣ 1, revealing ♥. Also spent some mults to compute each 5r✐ mod ♣: ✙ lg ♣ mults for each ✐. Faster: Choose r✐ = ✐r1 with r1 ✙ (♣ 1)❂100. Compute 5r1 mod ♣; 5r15♥ mod ♣; 52r15♥ mod ♣; 53r15♥ mod ♣; etc. Just 1 mult for each new ✐. ✙ 100 + lg ♣ + (♣ 1)❂100 mults to find ♥ given 5♥ mod ♣. Faster: Increase 100 ✙ ♣♣ Only ✙ 2♣♣ mults to solve one DL prob “Shanks baby-step-giant-st discrete-logarithm Example: ♣ = 1000003, 5♥ mod ♣ = 262682. Compute 51024 mo ♣ Then compute 1000 510245♥ mod ♣ = 966849, 52✁10245♥ mod ♣ = 53✁10245♥ mod ♣ = ✿ ✿ ✿ 51000✁10245♥ mod ♣

self-reduction

♥

♣ r ❀ r ❀ ✿ ✿ ✿ ❀ r100.

r ♥

♣

r ♥

♣ ms. ✙ ♣ ❂ mults r✐ ♥ ♣ ♥ Also spent some mults to compute each 5r✐ mod ♣: ✙ lg ♣ mults for each ✐. Faster: Choose r✐ = ✐r1 with r1 ✙ (♣ 1)❂100. Compute 5r1 mod ♣; 5r15♥ mod ♣; 52r15♥ mod ♣; 53r15♥ mod ♣; etc. Just 1 mult for each new ✐. ✙ 100 + lg ♣ + (♣ 1)❂100 mults to find ♥ given 5♥ mod ♣. Faster: Increase 100 to ✙ ♣♣ Only ✙ 2♣♣ mults to solve one DL problem! “Shanks baby-step-giant-step discrete-logarithm algorithm.” Example: ♣ = 1000003, 5♥ mod ♣ = 262682. Compute 51024 mod ♣ = 58588. Then compute 1000 targets: 510245♥ mod ♣ = 966849, 52✁10245♥ mod ♣ = 579277, 53✁10245♥ mod ♣ = 579062, ✿ ✿ ✿ 51000✁10245♥ mod ♣ = 321705.

Also spent some mults to compute each 5r✐ mod ♣: ✙ lg ♣ mults for each ✐. Faster: Choose r✐ = ✐r1 with r1 ✙ (♣ 1)❂100. Compute 5r1 mod ♣; 5r15♥ mod ♣; 52r15♥ mod ♣; 53r15♥ mod ♣; etc. Just 1 mult for each new ✐. ✙ 100 + lg ♣ + (♣ 1)❂100 mults to find ♥ given 5♥ mod ♣. Faster: Increase 100 to ✙ ♣♣. Only ✙ 2♣♣ mults to solve one DL problem! “Shanks baby-step-giant-step discrete-logarithm algorithm.” Example: ♣ = 1000003, 5♥ mod ♣ = 262682. Compute 51024 mod ♣ = 58588. Then compute 1000 targets: 510245♥ mod ♣ = 966849, 52✁10245♥ mod ♣ = 579277, 53✁10245♥ mod ♣ = 579062, ✿ ✿ ✿ , 51000✁10245♥ mod ♣ = 321705.

spent some mults compute each 5r✐ mod ♣: ✙ ♣ mults for each ✐. aster: Choose r✐ = ✐r1 r ✙ (♣ 1)❂100. Compute 5r1 mod ♣;

r ♥ mod ♣; r ♥ mod ♣; r ♥ mod ♣; etc.

mult for each new ✐. ✙ + lg ♣ + (♣ 1)❂100 mults ♥ given 5♥ mod ♣. Faster: Increase 100 to ✙ ♣♣. Only ✙ 2♣♣ mults to solve one DL problem! “Shanks baby-step-giant-step discrete-logarithm algorithm.” Example: ♣ = 1000003, 5♥ mod ♣ = 262682. Compute 51024 mod ♣ = 58588. Then compute 1000 targets: 510245♥ mod ♣ = 966849, 52✁10245♥ mod ♣ = 579277, 53✁10245♥ mod ♣ = 579062, ✿ ✿ ✿ , 51000✁10245♥ mod ♣ = 321705. Build a s 2573 = 5

✁ ♥

♣ 3371 = 5

✁ ♥

♣ 3593 = 5

✁ ♥

♣ 4960 = 5

✁ ♥

♣ 5218 = 5

✁ ♥

♣ ✿ ✿ ✿ 999675 =

✁ ♥

♣ Look up ♣ ♣ 53 mod ♣ 5755 mod ♣ 966603 =

✁ ♥

♣ in the tab so 755 = ✁ ♥ ♣ deduce ♥

mults 5r✐ mod ♣: ✙ ♣ each ✐. r✐ = ✐r1 r ✙ ♣ 1)❂100.

r

d ♣;

r ♥

♣

r ♥

♣

r ♥

♣ etc. each new ✐. ✙ ♣ ♣ 1)❂100 mults ♥

♥ mod ♣.

Faster: Increase 100 to ✙ ♣♣. Only ✙ 2♣♣ mults to solve one DL problem! “Shanks baby-step-giant-step discrete-logarithm algorithm.” Example: ♣ = 1000003, 5♥ mod ♣ = 262682. Compute 51024 mod ♣ = 58588. Then compute 1000 targets: 510245♥ mod ♣ = 966849, 52✁10245♥ mod ♣ = 579277, 53✁10245♥ mod ♣ = 579062, ✿ ✿ ✿ , 51000✁10245♥ mod ♣ = 321705. Build a sorted table 2573 = 5430✁10245♥ ♣ 3371 = 5192✁10245♥ ♣ 3593 = 5626✁10245♥ ♣ 4960 = 5663✁10245♥ ♣ 5218 = 5376✁10245♥ ♣ ✿ ✿ ✿ 999675 = 5344✁1024 ♥ ♣ Look up 51 mod ♣, ♣ 53 mod ♣, etc. in this 5755 mod ♣ = 966603; 966603 = 5332✁1024 ♥ ♣ in the table of targets; so 755 = 332✁1024 ♥ ♣ deduce ♥ = 660789.

r✐

♣: ✙ ♣ ✐ r✐ ✐r r ✙ ♣ ❂

r

♣

r ♥

♣

r ♥

♣

r ♥

♣ ✐. ✙ ♣ ♣ ❂100 mults ♥

♥

♣ Faster: Increase 100 to ✙ ♣♣. Only ✙ 2♣♣ mults to solve one DL problem! “Shanks baby-step-giant-step discrete-logarithm algorithm.” Example: ♣ = 1000003, 5♥ mod ♣ = 262682. Compute 51024 mod ♣ = 58588. Then compute 1000 targets: 510245♥ mod ♣ = 966849, 52✁10245♥ mod ♣ = 579277, 53✁10245♥ mod ♣ = 579062, ✿ ✿ ✿ , 51000✁10245♥ mod ♣ = 321705. Build a sorted table of targets: 2573 = 5430✁10245♥ mod ♣, 3371 = 5192✁10245♥ mod ♣, 3593 = 5626✁10245♥ mod ♣, 4960 = 5663✁10245♥ mod ♣, 5218 = 5376✁10245♥ mod ♣, ✿ ✿ ✿ 999675 = 5344✁10245♥ mod ♣ Look up 51 mod ♣, 52 mod ♣ 53 mod ♣, etc. in this table. 5755 mod ♣ = 966603; find 966603 = 5332✁10245♥ mod ♣ in the table of targets; so 755 = 332✁1024+♥ mod ♣ deduce ♥ = 660789.

Faster: Increase 100 to ✙ ♣♣. Only ✙ 2♣♣ mults to solve one DL problem! “Shanks baby-step-giant-step discrete-logarithm algorithm.” Example: ♣ = 1000003, 5♥ mod ♣ = 262682. Compute 51024 mod ♣ = 58588. Then compute 1000 targets: 510245♥ mod ♣ = 966849, 52✁10245♥ mod ♣ = 579277, 53✁10245♥ mod ♣ = 579062, ✿ ✿ ✿ , 51000✁10245♥ mod ♣ = 321705. Build a sorted table of targets: 2573 = 5430✁10245♥ mod ♣, 3371 = 5192✁10245♥ mod ♣, 3593 = 5626✁10245♥ mod ♣, 4960 = 5663✁10245♥ mod ♣, 5218 = 5376✁10245♥ mod ♣, ✿ ✿ ✿ , 999675 = 5344✁10245♥ mod ♣. Look up 51 mod ♣, 52 mod ♣, 53 mod ♣, etc. in this table. 5755 mod ♣ = 966603; find 966603 = 5332✁10245♥ mod ♣ in the table of targets; so 755 = 332✁1024+♥ mod ♣1; deduce ♥ = 660789.

aster: Increase 100 to ✙ ♣♣. ✙ 2♣♣ mults solve one DL problem! “Shanks baby-step-giant-step discrete-logarithm algorithm.” Example: ♣ = 1000003,

♥

d ♣ = 262682. Compute 51024 mod ♣ = 58588. compute 1000 targets:

♥ mod ♣ = 966849, ✁

5♥ mod ♣ = 579277,

✁

5♥ mod ♣ = 579062, ✿ ✿ ✿ ,

✁10245♥ mod ♣ = 321705.

Build a sorted table of targets: 2573 = 5430✁10245♥ mod ♣, 3371 = 5192✁10245♥ mod ♣, 3593 = 5626✁10245♥ mod ♣, 4960 = 5663✁10245♥ mod ♣, 5218 = 5376✁10245♥ mod ♣, ✿ ✿ ✿ , 999675 = 5344✁10245♥ mod ♣. Look up 51 mod ♣, 52 mod ♣, 53 mod ♣, etc. in this table. 5755 mod ♣ = 966603; find 966603 = 5332✁10245♥ mod ♣ in the table of targets; so 755 = 332✁1024+♥ mod ♣1; deduce ♥ = 660789. Eliminating Improved ① ①✐+1 = 5①✐ ♣ ①✐ ✷ ①✐+1 = ①✐ ♣ ①✐ ✷ ①✐+1 = 5♥①✐ ♣ Then ①✐

❛✐♥ ❜✐

♣ where (❛ ❀ ❜ ❀ (❛✐+1❀ ❜✐ ❛✐❀ ❜✐ (❛✐+1❀ ❜✐ ❛✐❀ ❜✐ (❛✐+1❀ ❜✐ ❛✐ ❀ ❜✐ Search fo ①✐ ①1 = ①2? ① ① ① ① ①4 = ①8? ① ① Deduce linea ♥

100 to ✙ ♣♣. ✙ ♣♣ mults problem! y-step-giant-step rithm algorithm.” ♣ 1000003,

♥

♣ 262682. mod ♣ = 58588. 1000 targets:

♥

♣ 966849,

✁ ♥

♣ = 579277,

✁ ♥

♣ = 579062, ✿ ✿ ✿ ,

✁ ♥

d ♣ = 321705. Build a sorted table of targets: 2573 = 5430✁10245♥ mod ♣, 3371 = 5192✁10245♥ mod ♣, 3593 = 5626✁10245♥ mod ♣, 4960 = 5663✁10245♥ mod ♣, 5218 = 5376✁10245♥ mod ♣, ✿ ✿ ✿ , 999675 = 5344✁10245♥ mod ♣. Look up 51 mod ♣, 52 mod ♣, 53 mod ♣, etc. in this table. 5755 mod ♣ = 966603; find 966603 = 5332✁10245♥ mod ♣ in the table of targets; so 755 = 332✁1024+♥ mod ♣1; deduce ♥ = 660789. Eliminating storage Improved method: ① ①✐+1 = 5①✐ mod ♣ ①✐ ✷ ①✐+1 = ①2

✐ mod ♣ if ①✐ ✷

①✐+1 = 5♥①✐ mod ♣ Then ①✐ = 5❛✐♥+❜✐ ♣ where (❛0❀ ❜0) = (0❀ (❛✐+1❀ ❜✐+1) = (❛✐❀ ❜✐ (❛✐+1❀ ❜✐+1) = (2❛✐❀ ❜✐ (❛✐+1❀ ❜✐+1) = (❛✐ ❀ ❜✐ Search for a collision ①✐ ①1 = ①2? ①2 = ①4 ① ① ①4 = ①8? ①5 = ①10 Deduce linear equation ♥

✙ ♣♣. ✙ ♣♣ y-step-giant-step rithm.” ♣

♥

♣ ♣ 58588. rgets:

♥

♣

✁ ♥

♣ 579277,

✁ ♥

♣ 579062, ✿ ✿ ✿ ,

✁ ♥

♣ 321705. Build a sorted table of targets: 2573 = 5430✁10245♥ mod ♣, 3371 = 5192✁10245♥ mod ♣, 3593 = 5626✁10245♥ mod ♣, 4960 = 5663✁10245♥ mod ♣, 5218 = 5376✁10245♥ mod ♣, ✿ ✿ ✿ , 999675 = 5344✁10245♥ mod ♣. Look up 51 mod ♣, 52 mod ♣, 53 mod ♣, etc. in this table. 5755 mod ♣ = 966603; find 966603 = 5332✁10245♥ mod ♣ in the table of targets; so 755 = 332✁1024+♥ mod ♣1; deduce ♥ = 660789. Eliminating storage Improved method: Define ①0 ①✐+1 = 5①✐ mod ♣ if ①✐ ✷ 3Z ①✐+1 = ①2

✐ mod ♣ if ①✐ ✷ 2 +

①✐+1 = 5♥①✐ mod ♣ otherwise. Then ①✐ = 5❛✐♥+❜✐ mod ♣ where (❛0❀ ❜0) = (0❀ 0) and (❛✐+1❀ ❜✐+1) = (❛✐❀ ❜✐ + 1), o (❛✐+1❀ ❜✐+1) = (2❛✐❀ 2❜✐), or (❛✐+1❀ ❜✐+1) = (❛✐ + 1❀ ❜✐). Search for a collision in ①✐: ①1 = ①2? ①2 = ①4? ①3 = ①6 ①4 = ①8? ①5 = ①10? etc. Deduce linear equation for ♥

Build a sorted table of targets: 2573 = 5430✁10245♥ mod ♣, 3371 = 5192✁10245♥ mod ♣, 3593 = 5626✁10245♥ mod ♣, 4960 = 5663✁10245♥ mod ♣, 5218 = 5376✁10245♥ mod ♣, ✿ ✿ ✿ , 999675 = 5344✁10245♥ mod ♣. Look up 51 mod ♣, 52 mod ♣, 53 mod ♣, etc. in this table. 5755 mod ♣ = 966603; find 966603 = 5332✁10245♥ mod ♣ in the table of targets; so 755 = 332✁1024+♥ mod ♣1; deduce ♥ = 660789. Eliminating storage Improved method: Define ①0 = 1; ①✐+1 = 5①✐ mod ♣ if ①✐ ✷ 3Z; ①✐+1 = ①2

✐ mod ♣ if ①✐ ✷ 2 + 3Z;

①✐+1 = 5♥①✐ mod ♣ otherwise. Then ①✐ = 5❛✐♥+❜✐ mod ♣ where (❛0❀ ❜0) = (0❀ 0) and (❛✐+1❀ ❜✐+1) = (❛✐❀ ❜✐ + 1), or (❛✐+1❀ ❜✐+1) = (2❛✐❀ 2❜✐), or (❛✐+1❀ ❜✐+1) = (❛✐ + 1❀ ❜✐). Search for a collision in ①✐: ①1 = ①2? ①2 = ①4? ①3 = ①6? ①4 = ①8? ①5 = ①10? etc. Deduce linear equation for ♥.

a sorted table of targets: 5430✁10245♥ mod ♣, 5192✁10245♥ mod ♣, 5626✁10245♥ mod ♣, 5663✁10245♥ mod ♣, 5376✁10245♥ mod ♣, ✿ ✿ ✿ , 999675 = 5344✁10245♥ mod ♣. up 51 mod ♣, 52 mod ♣, d ♣, etc. in this table. mod ♣ = 966603; find 966603 = 5332✁10245♥ mod ♣ table of targets; = 332✁1024+♥ mod ♣1; deduce ♥ = 660789. Eliminating storage Improved method: Define ①0 = 1; ①✐+1 = 5①✐ mod ♣ if ①✐ ✷ 3Z; ①✐+1 = ①2

✐ mod ♣ if ①✐ ✷ 2 + 3Z;

①✐+1 = 5♥①✐ mod ♣ otherwise. Then ①✐ = 5❛✐♥+❜✐ mod ♣ where (❛0❀ ❜0) = (0❀ 0) and (❛✐+1❀ ❜✐+1) = (❛✐❀ ❜✐ + 1), or (❛✐+1❀ ❜✐+1) = (2❛✐❀ 2❜✐), or (❛✐+1❀ ❜✐+1) = (❛✐ + 1❀ ❜✐). Search for a collision in ①✐: ①1 = ①2? ①2 = ①4? ①3 = ①6? ①4 = ①8? ①5 = ①10? etc. Deduce linear equation for ♥. The ①✐’s typically ✙ ♣♣ Example: Modulo ①1 = 5♥ ①2 = 52♥ ①3 = 52♥ ✁ ①4 = 52♥ ✁ ①5 = 52♥ ✁ ①6 = 52♥ ✁ ①7 = 54♥ ①8 = 54♥ ✁ etc.

table of targets:

✁

5♥ mod ♣,

✁

5♥ mod ♣,

✁

5♥ mod ♣,

✁

5♥ mod ♣,

✁

5♥ mod ♣, ✿ ✿ ✿ ,

✁10245♥ mod ♣.

♣, 52 mod ♣, ♣ in this table. ♣ 966603; find

✁10245♥ mod ♣

targets; ✁1024+♥ mod ♣1; ♥ 660789. Eliminating storage Improved method: Define ①0 = 1; ①✐+1 = 5①✐ mod ♣ if ①✐ ✷ 3Z; ①✐+1 = ①2

✐ mod ♣ if ①✐ ✷ 2 + 3Z;

①✐+1 = 5♥①✐ mod ♣ otherwise. Then ①✐ = 5❛✐♥+❜✐ mod ♣ where (❛0❀ ❜0) = (0❀ 0) and (❛✐+1❀ ❜✐+1) = (❛✐❀ ❜✐ + 1), or (❛✐+1❀ ❜✐+1) = (2❛✐❀ 2❜✐), or (❛✐+1❀ ❜✐+1) = (❛✐ + 1❀ ❜✐). Search for a collision in ①✐: ①1 = ①2? ①2 = ①4? ①3 = ①6? ①4 = ①8? ①5 = ①10? etc. Deduce linear equation for ♥. The ①✐’s enter a cycle, typically within ✙ ♣♣ Example: 1000003, Modulo 1000003: ①1 = 5♥ = 262682. ①2 = 52♥ = 262682 ①3 = 52♥+1 = 5✁626121 ①4 = 52♥+2 = 5✁130596 ①5 = 52♥+3 = 5✁652980 ①6 = 52♥+4 = 5✁264891 ①7 = 54♥+8 = 324452 ①8 = 54♥+9 = 5✁784500 etc.

rgets:

✁ ♥

♣,

✁ ♥

♣,

✁ ♥

♣,

✁ ♥

♣,

✁ ♥

♣, ✿ ✿ ✿ ,

✁ ♥

♣. ♣ d ♣, ♣ table. ♣

✁ ♥

♣ ✁ ♥ mod ♣1; ♥ Eliminating storage Improved method: Define ①0 = 1; ①✐+1 = 5①✐ mod ♣ if ①✐ ✷ 3Z; ①✐+1 = ①2

✐ mod ♣ if ①✐ ✷ 2 + 3Z;

①✐+1 = 5♥①✐ mod ♣ otherwise. Then ①✐ = 5❛✐♥+❜✐ mod ♣ where (❛0❀ ❜0) = (0❀ 0) and (❛✐+1❀ ❜✐+1) = (❛✐❀ ❜✐ + 1), or (❛✐+1❀ ❜✐+1) = (2❛✐❀ 2❜✐), or (❛✐+1❀ ❜✐+1) = (❛✐ + 1❀ ❜✐). Search for a collision in ①✐: ①1 = ①2? ①2 = ①4? ①3 = ①6? ①4 = ①8? ①5 = ①10? etc. Deduce linear equation for ♥. The ①✐’s enter a cycle, typically within ✙ ♣♣ steps. Example: 1000003, 262682. Modulo 1000003: ①1 = 5♥ = 262682. ①2 = 52♥ = 2626822 = 626121. ①3 = 52♥+1 = 5✁626121 = 130596. ①4 = 52♥+2 = 5✁130596 = 652980. ①5 = 52♥+3 = 5✁652980 = 264891. ①6 = 52♥+4 = 5✁264891 = 324452. ①7 = 54♥+8 = 3244522 = 784500. ①8 = 54♥+9 = 5✁784500 = 922491. etc.

Eliminating storage Improved method: Define ①0 = 1; ①✐+1 = 5①✐ mod ♣ if ①✐ ✷ 3Z; ①✐+1 = ①2

✐ mod ♣ if ①✐ ✷ 2 + 3Z;

①✐+1 = 5♥①✐ mod ♣ otherwise. Then ①✐ = 5❛✐♥+❜✐ mod ♣ where (❛0❀ ❜0) = (0❀ 0) and (❛✐+1❀ ❜✐+1) = (❛✐❀ ❜✐ + 1), or (❛✐+1❀ ❜✐+1) = (2❛✐❀ 2❜✐), or (❛✐+1❀ ❜✐+1) = (❛✐ + 1❀ ❜✐). Search for a collision in ①✐: ①1 = ①2? ①2 = ①4? ①3 = ①6? ①4 = ①8? ①5 = ①10? etc. Deduce linear equation for ♥. The ①✐’s enter a cycle, typically within ✙ ♣♣ steps. Example: 1000003, 262682. Modulo 1000003: ①1 = 5♥ = 262682. ①2 = 52♥ = 2626822 = 626121. ①3 = 52♥+1 = 5✁626121 = 130596. ①4 = 52♥+2 = 5✁130596 = 652980. ①5 = 52♥+3 = 5✁652980 = 264891. ①6 = 52♥+4 = 5✁264891 = 324452. ①7 = 54♥+8 = 3244522 = 784500. ①8 = 54♥+9 = 5✁784500 = 922491. etc.

Eliminating storage roved method: Define ①0 = 1; ①✐ 5①✐ mod ♣ if ①✐ ✷ 3Z; ①✐ ①2

✐ mod ♣ if ①✐ ✷ 2 + 3Z;

①✐ 5♥①✐ mod ♣ otherwise. ①✐ = 5❛✐♥+❜✐ mod ♣ (❛0❀ ❜0) = (0❀ 0) and ❛✐ ❀ ❜✐+1) = (❛✐❀ ❜✐ + 1), or ❛✐ ❀ ❜✐+1) = (2❛✐❀ 2❜✐), or ❛✐ ❀ ❜✐+1) = (❛✐ + 1❀ ❜✐). for a collision in ①✐: ① ①2? ①2 = ①4? ①3 = ①6? ① ①8? ①5 = ①10? etc. Deduce linear equation for ♥. The ①✐’s enter a cycle, typically within ✙ ♣♣ steps. Example: 1000003, 262682. Modulo 1000003: ①1 = 5♥ = 262682. ①2 = 52♥ = 2626822 = 626121. ①3 = 52♥+1 = 5✁626121 = 130596. ①4 = 52♥+2 = 5✁130596 = 652980. ①5 = 52♥+3 = 5✁652980 = 264891. ①6 = 52♥+4 = 5✁264891 = 324452. ①7 = 54♥+8 = 3244522 = 784500. ①8 = 54♥+9 = 5✁784500 = 922491. etc. ①1785 =

♥

①3570 =

♥

(Cycle length Conclude 249847♥ ✑ 388795♥ ♣ so ♥ ✑ 160788 ♣ ❂ Only 6 p ♥ Try each Find that

♥

♣ for ♥ = 160788 ♣ ❂ for ♥ = 660789.

rage d: Define ①0 = 1; ①✐ ①✐ ♣ if ①✐ ✷ 3Z; ①✐ ①✐ ♣ if ①✐ ✷ 2 + 3Z; ①✐

♥①✐

d ♣ otherwise. ①✐

❛✐♥ ❜✐ mod ♣

❛ ❀ ❜ (0❀ 0) and ❛✐ ❀ ❜✐ ❛✐❀ ❜✐ + 1), or ❛✐ ❀ ❜✐ (2❛✐❀ 2❜✐), or ❛✐ ❀ ❜✐ ❛✐ + 1❀ ❜✐). collision in ①✐: ① ① ① ①4? ①3 = ①6? ① ① ① ①10? etc. equation for ♥. The ①✐’s enter a cycle, typically within ✙ ♣♣ steps. Example: 1000003, 262682. Modulo 1000003: ①1 = 5♥ = 262682. ①2 = 52♥ = 2626822 = 626121. ①3 = 52♥+1 = 5✁626121 = 130596. ①4 = 52♥+2 = 5✁130596 = 652980. ①5 = 52♥+3 = 5✁652980 = 264891. ①6 = 52♥+4 = 5✁264891 = 324452. ①7 = 54♥+8 = 3244522 = 784500. ①8 = 54♥+9 = 5✁784500 = 922491. etc. ①1785 = 5249847♥+759123 ①3570 = 5388795♥+632781 (Cycle length is 357.) Conclude that 249847♥ + 759123 ✑ 388795♥ + 632781 ♣ so ♥ ✑ 160788 (mo ♣ ❂ Only 6 possible ♥’s. Try each of them. Find that 5♥ mod ♣ for ♥ = 160788 + ♣ ❂ for ♥ = 660789.

①0 = 1; ①✐ ①✐ ♣ ①✐ ✷ 3Z; ①✐ ①✐ ♣ ①✐ ✷ + 3Z; ①✐

♥①✐

♣ otherwise. ①✐

❛✐♥ ❜✐

♣ ❛ ❀ ❜ ❀ and ❛✐ ❀ ❜✐ ❛✐❀ ❜✐ 1), or ❛✐ ❀ ❜✐ ❛✐❀ ❜✐

• r

❛✐ ❀ ❜✐ ❛✐ ❀ ❜✐). ①✐: ① ① ① ① ① ①6? ① ① ① ① ♥. The ①✐’s enter a cycle, typically within ✙ ♣♣ steps. Example: 1000003, 262682. Modulo 1000003: ①1 = 5♥ = 262682. ①2 = 52♥ = 2626822 = 626121. ①3 = 52♥+1 = 5✁626121 = 130596. ①4 = 52♥+2 = 5✁130596 = 652980. ①5 = 52♥+3 = 5✁652980 = 264891. ①6 = 52♥+4 = 5✁264891 = 324452. ①7 = 54♥+8 = 3244522 = 784500. ①8 = 54♥+9 = 5✁784500 = 922491. etc. ①1785 = 5249847♥+759123 = 555013. ①3570 = 5388795♥+632781 = 555013. (Cycle length is 357.) Conclude that 249847♥ + 759123 ✑ 388795♥ + 632781 (mod ♣ so ♥ ✑ 160788 (mod (♣ ❂ Only 6 possible ♥’s. Try each of them. Find that 5♥ mod ♣ = 262682 for ♥ = 160788 + 3(♣ 1)❂6, for ♥ = 660789.

The ①✐’s enter a cycle, typically within ✙ ♣♣ steps. Example: 1000003, 262682. Modulo 1000003: ①1 = 5♥ = 262682. ①2 = 52♥ = 2626822 = 626121. ①3 = 52♥+1 = 5✁626121 = 130596. ①4 = 52♥+2 = 5✁130596 = 652980. ①5 = 52♥+3 = 5✁652980 = 264891. ①6 = 52♥+4 = 5✁264891 = 324452. ①7 = 54♥+8 = 3244522 = 784500. ①8 = 54♥+9 = 5✁784500 = 922491. etc. ①1785 = 5249847♥+759123 = 555013. ①3570 = 5388795♥+632781 = 555013. (Cycle length is 357.) Conclude that 249847♥ + 759123 ✑ 388795♥ + 632781 (mod ♣ 1), so ♥ ✑ 160788 (mod (♣ 1)❂6). Only 6 possible ♥’s. Try each of them. Find that 5♥ mod ♣ = 262682 for ♥ = 160788 + 3(♣ 1)❂6, i.e., for ♥ = 660789.

①✐’s enter a cycle, ypically within ✙ ♣♣ steps. Example: 1000003, 262682. dulo 1000003: ①

♥ = 262682.

①

2♥ = 2626822 = 626121.

①

2♥+1 = 5✁626121 = 130596.

①

2♥+2 = 5✁130596 = 652980.

①

2♥+3 = 5✁652980 = 264891.

①

2♥+4 = 5✁264891 = 324452.

①

4♥+8 = 3244522 = 784500.

①

4♥+9 = 5✁784500 = 922491.

①1785 = 5249847♥+759123 = 555013. ①3570 = 5388795♥+632781 = 555013. (Cycle length is 357.) Conclude that 249847♥ + 759123 ✑ 388795♥ + 632781 (mod ♣ 1), so ♥ ✑ 160788 (mod (♣ 1)❂6). Only 6 possible ♥’s. Try each of them. Find that 5♥ mod ♣ = 262682 for ♥ = 160788 + 3(♣ 1)❂6, i.e., for ♥ = 660789. This is “P Optimized: ✙ ♣♣ Another “Pollard’s Can parallelize “van Oo DL using Bottom ❝ distributed have chance ✙ ❝ ❂♣

• f finding ♥

♥

♣ With 290 have chance ✙ ❂♣ Negligible ♣ ✙

①✐ cycle, ✙ ♣♣ steps. 1000003, 262682. 1000003: ①

♥

262682. ①

♥

2626822 = 626121. ①

♥

✁626121 = 130596. ①

♥

✁130596 = 652980. ①

♥

✁652980 = 264891. ①

♥

✁264891 = 324452. ①

♥

3244522 = 784500. ①

♥

✁784500 = 922491. ①1785 = 5249847♥+759123 = 555013. ①3570 = 5388795♥+632781 = 555013. (Cycle length is 357.) Conclude that 249847♥ + 759123 ✑ 388795♥ + 632781 (mod ♣ 1), so ♥ ✑ 160788 (mod (♣ 1)❂6). Only 6 possible ♥’s. Try each of them. Find that 5♥ mod ♣ = 262682 for ♥ = 160788 + 3(♣ 1)❂6, i.e., for ♥ = 660789. This is “Pollard’s rho Optimized: ✙ ♣♣ Another method, simila “Pollard’s kangaro Can parallelize both “van Oorschot/Wi DL using distinguished Bottom line: With ❝ distributed across many have chance ✙ ❝2❂♣

• f finding ♥ from 5♥

♣ With 290 mults (a have chance ✙ 2180❂♣ Negligible if, e.g., ♣ ✙

①✐ ✙ ♣♣ steps. 262682. ①

♥

①

♥

626121. ①

♥

✁ 130596. ①

♥

✁ 652980. ①

♥

✁ 264891. ①

♥

✁ 324452. ①

♥

784500. ①

♥

✁ 922491. ①1785 = 5249847♥+759123 = 555013. ①3570 = 5388795♥+632781 = 555013. (Cycle length is 357.) Conclude that 249847♥ + 759123 ✑ 388795♥ + 632781 (mod ♣ 1), so ♥ ✑ 160788 (mod (♣ 1)❂6). Only 6 possible ♥’s. Try each of them. Find that 5♥ mod ♣ = 262682 for ♥ = 160788 + 3(♣ 1)❂6, i.e., for ♥ = 660789. This is “Pollard’s rho metho Optimized: ✙ ♣♣ mults. Another method, similar speed: “Pollard’s kangaroo method.” Can parallelize both methods. “van Oorschot/Wiener parallel DL using distinguished points.” Bottom line: With ❝ mults, distributed across many cores, have chance ✙ ❝2❂♣

• f finding ♥ from 5♥ mod ♣.

With 290 mults (a few years?), have chance ✙ 2180❂♣. Negligible if, e.g., ♣ ✙ 2256.

①1785 = 5249847♥+759123 = 555013. ①3570 = 5388795♥+632781 = 555013. (Cycle length is 357.) Conclude that 249847♥ + 759123 ✑ 388795♥ + 632781 (mod ♣ 1), so ♥ ✑ 160788 (mod (♣ 1)❂6). Only 6 possible ♥’s. Try each of them. Find that 5♥ mod ♣ = 262682 for ♥ = 160788 + 3(♣ 1)❂6, i.e., for ♥ = 660789. This is “Pollard’s rho method.” Optimized: ✙ ♣♣ mults. Another method, similar speed: “Pollard’s kangaroo method.” Can parallelize both methods. “van Oorschot/Wiener parallel DL using distinguished points.” Bottom line: With ❝ mults, distributed across many cores, have chance ✙ ❝2❂♣

• f finding ♥ from 5♥ mod ♣.

With 290 mults (a few years?), have chance ✙ 2180❂♣. Negligible if, e.g., ♣ ✙ 2256.

① = 5249847♥+759123 = 555013. ① = 5388795♥+632781 = 555013. length is 357.) Conclude that 249847♥ + 759123 ✑ 388795♥ + 632781 (mod ♣ 1), ♥ ✑ 160788 (mod (♣ 1)❂6). possible ♥’s. each of them. that 5♥ mod ♣ = 262682 ♥ 160788 + 3(♣ 1)❂6, i.e., ♥ 660789. This is “Pollard’s rho method.” Optimized: ✙ ♣♣ mults. Another method, similar speed: “Pollard’s kangaroo method.” Can parallelize both methods. “van Oorschot/Wiener parallel DL using distinguished points.” Bottom line: With ❝ mults, distributed across many cores, have chance ✙ ❝2❂♣

• f finding ♥ from 5♥ mod ♣.

With 290 mults (a few years?), have chance ✙ 2180❂♣. Negligible if, e.g., ♣ ✙ 2256. Factors of Assume ❛❜ Given ①, 5❛ has o ❜ ①❛ is a p

❛

Compute ❵

❛ ①❛

5❜ has order ❛ ①❂5❵ is a

❜

Compute ♠

❜ ①❂ ❵

Then ① =

❵ ♠❜

①

♥+759123 = 555013.

①

♥+632781 = 555013.

357.) ♥ 759123 ✑ ♥ 632781 (mod ♣ 1), ♥ ✑ (mod (♣ 1)❂6). ♥’s. them.

♥

d ♣ = 262682 ♥ + 3(♣ 1)❂6, i.e., ♥ This is “Pollard’s rho method.” Optimized: ✙ ♣♣ mults. Another method, similar speed: “Pollard’s kangaroo method.” Can parallelize both methods. “van Oorschot/Wiener parallel DL using distinguished points.” Bottom line: With ❝ mults, distributed across many cores, have chance ✙ ❝2❂♣

• f finding ♥ from 5♥ mod ♣.

With 290 mults (a few years?), have chance ✙ 2180❂♣. Negligible if, e.g., ♣ ✙ 2256. Factors of the group Assume 5 has order ❛❜ Given ①, a power of 5❛ has order ❜, and ①❛ is a power of 5❛ Compute ❵ = log5❛ ①❛ 5❜ has order ❛, and ①❂5❵ is a power of

❜

Compute ♠ = log5❜ ①❂ ❵ Then ① = 5❵+♠❜.

①

♥

555013. ①

♥

555013. ♥ ✑ ♥ ♣ 1), ♥ ✑ ♣ 1)❂6). ♥

♥

♣ 262682 ♥ ♣ 1)❂6, i.e., ♥ This is “Pollard’s rho method.” Optimized: ✙ ♣♣ mults. Another method, similar speed: “Pollard’s kangaroo method.” Can parallelize both methods. “van Oorschot/Wiener parallel DL using distinguished points.” Bottom line: With ❝ mults, distributed across many cores, have chance ✙ ❝2❂♣

• f finding ♥ from 5♥ mod ♣.

With 290 mults (a few years?), have chance ✙ 2180❂♣. Negligible if, e.g., ♣ ✙ 2256. Factors of the group order Assume 5 has order ❛❜. Given ①, a power of 5: 5❛ has order ❜, and ①❛ is a power of 5❛. Compute ❵ = log5❛ ①❛. 5❜ has order ❛, and ①❂5❵ is a power of 5❜. Compute ♠ = log5❜(①❂5❵). Then ① = 5❵+♠❜.

This is “Pollard’s rho method.” Optimized: ✙ ♣♣ mults. Another method, similar speed: “Pollard’s kangaroo method.” Can parallelize both methods. “van Oorschot/Wiener parallel DL using distinguished points.” Bottom line: With ❝ mults, distributed across many cores, have chance ✙ ❝2❂♣

• f finding ♥ from 5♥ mod ♣.

With 290 mults (a few years?), have chance ✙ 2180❂♣. Negligible if, e.g., ♣ ✙ 2256. Factors of the group order Assume 5 has order ❛❜. Given ①, a power of 5: 5❛ has order ❜, and ①❛ is a power of 5❛. Compute ❵ = log5❛ ①❛. 5❜ has order ❛, and ①❂5❵ is a power of 5❜. Compute ♠ = log5❜(①❂5❵). Then ① = 5❵+♠❜.

“Pollard’s rho method.” Optimized: ✙ ♣♣ mults. Another method, similar speed: rd’s kangaroo method.” parallelize both methods. Oorschot/Wiener parallel using distinguished points.” line: With ❝ mults, distributed across many cores, chance ✙ ❝2❂♣ finding ♥ from 5♥ mod ♣.

90 mults (a few years?),

chance ✙ 2180❂♣. Negligible if, e.g., ♣ ✙ 2256. Factors of the group order Assume 5 has order ❛❜. Given ①, a power of 5: 5❛ has order ❜, and ①❛ is a power of 5❛. Compute ❵ = log5❛ ①❛. 5❜ has order ❛, and ①❂5❵ is a power of 5❜. Compute ♠ = log5❜(①❂5❵). Then ① = 5❵+♠❜. This “Poh converts ❛❜ an order-❛ ❜ and a few e.g. ♣ = ① ♣ 1 = ❜ ❜ Compute ① Compute ①❂ Compute

❜

Then ① =

❜

Use rho: ✙ ♣❛ ♣ ❜ Better if ❛❜ apply Pohlig-He

rd’s rho method.” ✙ ♣♣ mults. d, similar speed: roo method.”

• th methods.

chot/Wiener parallel distinguished points.” With ❝ mults, across many cores, ✙ ❝2❂♣ ♥ 5♥ mod ♣. (a few years?), ✙

180❂♣.

e.g., ♣ ✙ 2256. Factors of the group order Assume 5 has order ❛❜. Given ①, a power of 5: 5❛ has order ❜, and ①❛ is a power of 5❛. Compute ❵ = log5❛ ①❛. 5❜ has order ❛, and ①❂5❵ is a power of 5❜. Compute ♠ = log5❜(①❂5❵). Then ① = 5❵+♠❜. This “Pohlig-Hellman converts an order-❛❜ an order-❛ DL, an ❜ and a few exponentiations. e.g. ♣ = 1000003, ① ♣ 1 = 6❜ where ❜ Compute log56(①6) Compute ①❂5160788 Compute log5❜ 1000002 Then ① = 5160788+3❜ Use rho: ✙ ♣❛ + ♣ ❜ Better if ❛❜ factors apply Pohlig-Hellman

ethod.” ✙ ♣♣ speed: d.” methods. rallel

• ints.”

❝ mults, res, ✙ ❝ ❂♣ ♥

♥

♣. rs?), ✙ ❂♣ ♣ ✙ . Factors of the group order Assume 5 has order ❛❜. Given ①, a power of 5: 5❛ has order ❜, and ①❛ is a power of 5❛. Compute ❵ = log5❛ ①❛. 5❜ has order ❛, and ①❂5❵ is a power of 5❜. Compute ♠ = log5❜(①❂5❵). Then ① = 5❵+♠❜. This “Pohlig-Hellman metho converts an order-❛❜ DL into an order-❛ DL, an order-❜ DL, and a few exponentiations. e.g. ♣ = 1000003, ① = 262682: ♣ 1 = 6❜ where ❜ = 166667. Compute log56(①6) = 160788. Compute ①❂5160788 = 1000002. Compute log5❜ 1000002 = 3. Then ① = 5160788+3❜ = 5660789 Use rho: ✙ ♣❛ + ♣ ❜ mults. Better if ❛❜ factors further: apply Pohlig-Hellman recursively

Factors of the group order Assume 5 has order ❛❜. Given ①, a power of 5: 5❛ has order ❜, and ①❛ is a power of 5❛. Compute ❵ = log5❛ ①❛. 5❜ has order ❛, and ①❂5❵ is a power of 5❜. Compute ♠ = log5❜(①❂5❵). Then ① = 5❵+♠❜. This “Pohlig-Hellman method” converts an order-❛❜ DL into an order-❛ DL, an order-❜ DL, and a few exponentiations. e.g. ♣ = 1000003, ① = 262682: ♣ 1 = 6❜ where ❜ = 166667. Compute log56(①6) = 160788. Compute ①❂5160788 = 1000002. Compute log5❜ 1000002 = 3. Then ① = 5160788+3❜ = 5660789. Use rho: ✙ ♣❛ + ♣ ❜ mults. Better if ❛❜ factors further: apply Pohlig-Hellman recursively.

rs of the group order Assume 5 has order ❛❜. ①, a power of 5:

❛

• rder ❜, and

①❛ power of 5❛. Compute ❵ = log5❛ ①❛.

❜

• rder ❛, and

①❂ ❵ is a power of 5❜. Compute ♠ = log5❜(①❂5❵). ① = 5❵+♠❜. This “Pohlig-Hellman method” converts an order-❛❜ DL into an order-❛ DL, an order-❜ DL, and a few exponentiations. e.g. ♣ = 1000003, ① = 262682: ♣ 1 = 6❜ where ❜ = 166667. Compute log56(①6) = 160788. Compute ①❂5160788 = 1000002. Compute log5❜ 1000002 = 3. Then ① = 5160788+3❜ = 5660789. Use rho: ✙ ♣❛ + ♣ ❜ mults. Better if ❛❜ factors further: apply Pohlig-Hellman recursively. All of the apply to An elliptic

q

has ✙ q + so can compute ✙ ♣q elliptic-curve Need quite q If largest

• f numb

is much q then Pohlig-Hellman computes Need larger q

• r change

group order rder ❛❜. ① er of 5:

❛

❜ and ①❛ 5❛. ❵ log5❛ ①❛.

❜

❛ and ①❂ ❵

• f 5❜.

♠ log5❜(①❂5❵). ①

❵ ♠❜.

This “Pohlig-Hellman method” converts an order-❛❜ DL into an order-❛ DL, an order-❜ DL, and a few exponentiations. e.g. ♣ = 1000003, ① = 262682: ♣ 1 = 6❜ where ❜ = 166667. Compute log56(①6) = 160788. Compute ①❂5160788 = 1000002. Compute log5❜ 1000002 = 3. Then ① = 5160788+3❜ = 5660789. Use rho: ✙ ♣❛ + ♣ ❜ mults. Better if ❛❜ factors further: apply Pohlig-Hellman recursively. All of the techniques apply to elliptic curves. An elliptic curve over

q

has ✙ q + 1 points so can compute ECDL ✙ ♣q elliptic-curve Need quite large q If largest prime diviso

• f number of points

is much smaller than q then Pohlig-Hellman computes ECDL mo Need larger q;

• r change choice of

❛❜ ①

❛

❜ ①❛

❛

❵

❛ ①❛

❜

❛ ①❂ ❵

❜

♠

❜ ①❂ ❵).

①

❵ ♠❜

This “Pohlig-Hellman method” converts an order-❛❜ DL into an order-❛ DL, an order-❜ DL, and a few exponentiations. e.g. ♣ = 1000003, ① = 262682: ♣ 1 = 6❜ where ❜ = 166667. Compute log56(①6) = 160788. Compute ①❂5160788 = 1000002. Compute log5❜ 1000002 = 3. Then ① = 5160788+3❜ = 5660789. Use rho: ✙ ♣❛ + ♣ ❜ mults. Better if ❛❜ factors further: apply Pohlig-Hellman recursively. All of the techniques so far apply to elliptic curves. An elliptic curve over Fq has ✙ q + 1 points so can compute ECDL using ✙ ♣q elliptic-curve adds. Need quite large q. If largest prime divisor

• f number of points

is much smaller than q then Pohlig-Hellman method computes ECDL more quickly Need larger q;

• r change choice of curve.

This “Pohlig-Hellman method” converts an order-❛❜ DL into an order-❛ DL, an order-❜ DL, and a few exponentiations. e.g. ♣ = 1000003, ① = 262682: ♣ 1 = 6❜ where ❜ = 166667. Compute log56(①6) = 160788. Compute ①❂5160788 = 1000002. Compute log5❜ 1000002 = 3. Then ① = 5160788+3❜ = 5660789. Use rho: ✙ ♣❛ + ♣ ❜ mults. Better if ❛❜ factors further: apply Pohlig-Hellman recursively. All of the techniques so far apply to elliptic curves. An elliptic curve over Fq has ✙ q + 1 points so can compute ECDL using ✙ ♣q elliptic-curve adds. Need quite large q. If largest prime divisor

• f number of points

is much smaller than q then Pohlig-Hellman method computes ECDL more quickly. Need larger q;

• r change choice of curve.

“Pohlig-Hellman method” converts an order-❛❜ DL into rder-❛ DL, an order-❜ DL, few exponentiations. ♣ = 1000003, ① = 262682: ♣ = 6❜ where ❜ = 166667. Compute log56(①6) = 160788. Compute ①❂5160788 = 1000002. Compute log5❜ 1000002 = 3. ① = 5160788+3❜ = 5660789. rho: ✙ ♣❛ + ♣ ❜ mults. if ❛❜ factors further: Pohlig-Hellman recursively. All of the techniques so far apply to elliptic curves. An elliptic curve over Fq has ✙ q + 1 points so can compute ECDL using ✙ ♣q elliptic-curve adds. Need quite large q. If largest prime divisor

• f number of points

is much smaller than q then Pohlig-Hellman method computes ECDL more quickly. Need larger q;

• r change choice of curve.

Index calculus Have generated group elements

❛♥ ❜

♣ Deduced ♥ from random Index calculus discrete-loga in a different Example ♣ Can completely 3❂(♣

• ❂

so 31 ✑ ♣ so log5( ✑ 6 log5 2 + ♣

ellman method” rder-❛❜ DL into ❛ an order-❜ DL,

• nentiations.

♣ 1000003, ① = 262682: ♣ ❜ where ❜ = 166667. ①6) = 160788. ①❂ 160788 = 1000002.

❜ 1000002 = 3.

①

160788+3❜ = 5660789.

✙ ♣❛ + ♣ ❜ mults. ❛❜ factors further: llman recursively. All of the techniques so far apply to elliptic curves. An elliptic curve over Fq has ✙ q + 1 points so can compute ECDL using ✙ ♣q elliptic-curve adds. Need quite large q. If largest prime divisor

• f number of points

is much smaller than q then Pohlig-Hellman method computes ECDL more quickly. Need larger q;

• r change choice of curve.

Index calculus Have generated many group elements 5❛♥ ❜ ♣ Deduced equations ♥ from random collisions. Index calculus obtains discrete-logarithm in a different way. Example for ♣ = 1000003: Can completely facto 3❂(♣ 3) as 31❂ so 31 ✑ 2656 (mo ♣ so log5(1) + log5 ✑ 6 log5 2 + 6 log5 5 ♣

method” ❛❜ into ❛ ❜ DL,

• nentiations.

♣ ① 262682: ♣ ❜ ❜ 166667. ① 160788. ①❂ 1000002.

❜

3. ①

❜ 660789.

✙ ♣❛ ♣ ❜ mults. ❛❜ urther: recursively. All of the techniques so far apply to elliptic curves. An elliptic curve over Fq has ✙ q + 1 points so can compute ECDL using ✙ ♣q elliptic-curve adds. Need quite large q. If largest prime divisor

• f number of points

is much smaller than q then Pohlig-Hellman method computes ECDL more quickly. Need larger q;

• r change choice of curve.

Index calculus Have generated many group elements 5❛♥+❜ mod ♣ Deduced equations for ♥ from random collisions. Index calculus obtains discrete-logarithm equations in a different way. Example for ♣ = 1000003: Can completely factor 3❂(♣ 3) as 31❂2656 in so 31 ✑ 2656 (mod ♣) so log5(1) + log5 3 ✑ 6 log5 2 + 6 log5 5 (mod ♣

All of the techniques so far apply to elliptic curves. An elliptic curve over Fq has ✙ q + 1 points so can compute ECDL using ✙ ♣q elliptic-curve adds. Need quite large q. If largest prime divisor

• f number of points

is much smaller than q then Pohlig-Hellman method computes ECDL more quickly. Need larger q;

• r change choice of curve.

Index calculus Have generated many group elements 5❛♥+❜ mod ♣. Deduced equations for ♥ from random collisions. Index calculus obtains discrete-logarithm equations in a different way. Example for ♣ = 1000003: Can completely factor 3❂(♣ 3) as 31❂2656 in Q so 31 ✑ 2656 (mod ♣) so log5(1) + log5 3 ✑ 6 log5 2 + 6 log5 5 (mod ♣ 1).

the techniques so far to elliptic curves. elliptic curve over Fq ✙ q + 1 points compute ECDL using ✙ ♣q elliptic-curve adds. quite large q. rgest prime divisor number of points much smaller than q

• hlig-Hellman method

computes ECDL more quickly. larger q; change choice of curve. Index calculus Have generated many group elements 5❛♥+❜ mod ♣. Deduced equations for ♥ from random collisions. Index calculus obtains discrete-logarithm equations in a different way. Example for ♣ = 1000003: Can completely factor 3❂(♣ 3) as 31❂2656 in Q so 31 ✑ 2656 (mod ♣) so log5(1) + log5 3 ✑ 6 log5 2 + 6 log5 5 (mod ♣ 1). Can completely ❂ ♣ as 21311❂ so log5 2 ✑ log5 3 + log5 19 + ♣ Try to completely 1❂(♣ + 1), ❂ ♣ Find facto ❛❂ ♣ ❛ as product ❀ 2❀ 3❀ 5❀ 7❀ ❀ ❀ ❀ ❀ ❀ ❀ for each ❛ 5100,

• 403,
• 62, 957,

techniques so far curves.

• ver Fq

✙ q

• ints

ECDL using ✙ ♣q elliptic-curve adds. q. divisor

• ints

than q

• hlig-Hellman method

more quickly. q

• f curve.

Index calculus Have generated many group elements 5❛♥+❜ mod ♣. Deduced equations for ♥ from random collisions. Index calculus obtains discrete-logarithm equations in a different way. Example for ♣ = 1000003: Can completely factor 3❂(♣ 3) as 31❂2656 in Q so 31 ✑ 2656 (mod ♣) so log5(1) + log5 3 ✑ 6 log5 2 + 6 log5 5 (mod ♣ 1). Can completely facto ❂ ♣ as 21311❂315111219 so log5 2 + log5 31 ✑ log5 3 + log5 5 + 2 log5 19 + log5 29 ♣ Try to completely 1❂(♣ + 1), 2❂(♣ + Find factorization ❛❂ ♣ ❛ as product of powers ❀ 2❀ 3❀ 5❀ 7❀ 11❀ 13❀ 17❀ ❀ ❀ ❀ for each of the follo ❛ 5100, 4675, 3128, 403, 368, 147, 62, 957, 2912, 3857,

r

q

✙ q using ✙ ♣q q q method quickly. q Index calculus Have generated many group elements 5❛♥+❜ mod ♣. Deduced equations for ♥ from random collisions. Index calculus obtains discrete-logarithm equations in a different way. Example for ♣ = 1000003: Can completely factor 3❂(♣ 3) as 31❂2656 in Q so 31 ✑ 2656 (mod ♣) so log5(1) + log5 3 ✑ 6 log5 2 + 6 log5 5 (mod ♣ 1). Can completely factor 62❂(♣ as 21311❂3151112191291 so log5 2 + log5 31 ✑ log5 3 + log5 5 + 2 log5 11 + log5 19 + log5 29 (mod ♣ Try to completely factor 1❂(♣ + 1), 2❂(♣ + 2), etc. Find factorization of ❛❂(♣ + ❛ as product of powers of 1❀ 2❀ 3❀ 5❀ 7❀ 11❀ 13❀ 17❀ 19❀ 23❀ 29❀ for each of the following ❛’s: 5100, 4675, 3128, 403, 368, 147, 3, 62, 957, 2912, 3857, 6877.

Index calculus Have generated many group elements 5❛♥+❜ mod ♣. Deduced equations for ♥ from random collisions. Index calculus obtains discrete-logarithm equations in a different way. Example for ♣ = 1000003: Can completely factor 3❂(♣ 3) as 31❂2656 in Q so 31 ✑ 2656 (mod ♣) so log5(1) + log5 3 ✑ 6 log5 2 + 6 log5 5 (mod ♣ 1). Can completely factor 62❂(♣ + 62) as 21311❂3151112191291 so log5 2 + log5 31 ✑ log5 3 + log5 5 + 2 log5 11 + log5 19 + log5 29 (mod ♣ 1). Try to completely factor 1❂(♣ + 1), 2❂(♣ + 2), etc. Find factorization of ❛❂(♣ + ❛) as product of powers of 1❀ 2❀ 3❀ 5❀ 7❀ 11❀ 13❀ 17❀ 19❀ 23❀ 29❀ 31 for each of the following ❛’s: 5100, 4675, 3128, 403, 368, 147, 3, 62, 957, 2912, 3857, 6877.

calculus generated many elements 5❛♥+❜ mod ♣. Deduced equations for ♥ random collisions. calculus obtains discrete-logarithm equations different way. Example for ♣ = 1000003: completely factor ❂ ♣ 3) as 31❂2656 in Q

• ✑ 2656

(mod ♣) (1) + log5 3 ✑ 2 + 6 log5 5 (mod ♣ 1). Can completely factor 62❂(♣ + 62) as 21311❂3151112191291 so log5 2 + log5 31 ✑ log5 3 + log5 5 + 2 log5 11 + log5 19 + log5 29 (mod ♣ 1). Try to completely factor 1❂(♣ + 1), 2❂(♣ + 2), etc. Find factorization of ❛❂(♣ + ❛) as product of powers of 1❀ 2❀ 3❀ 5❀ 7❀ 11❀ 13❀ 17❀ 19❀ 23❀ 29❀ 31 for each of the following ❛’s: 5100, 4675, 3128, 403, 368, 147, 3, 62, 957, 2912, 3857, 6877. Each complete produces Now have for log5 2❀ ❀ ✿ ✿ ✿ ❀ Free equations: log5(1) ♣ ❂ By linear log5 2❀ log ❀ ✿ ✿ ✿ ❀ (If this ha could have ❛ By simila discrete

many 5❛♥+❜ mod ♣. equations for ♥ collisions.

• btains

rithm equations y. ♣ 1000003: factor ❂ ♣ 31❂2656 in Q

• ✑

(mod ♣)

• log5 3 ✑

5 (mod ♣ 1). Can completely factor 62❂(♣ + 62) as 21311❂3151112191291 so log5 2 + log5 31 ✑ log5 3 + log5 5 + 2 log5 11 + log5 19 + log5 29 (mod ♣ 1). Try to completely factor 1❂(♣ + 1), 2❂(♣ + 2), etc. Find factorization of ❛❂(♣ + ❛) as product of powers of 1❀ 2❀ 3❀ 5❀ 7❀ 11❀ 13❀ 17❀ 19❀ 23❀ 29❀ 31 for each of the following ❛’s: 5100, 4675, 3128, 403, 368, 147, 3, 62, 957, 2912, 3857, 6877. Each complete facto produces a log equation. Now have 12 linea for log5 2❀ log5 3❀ ✿ ✿ ✿ ❀ Free equations: log log5(1) = (♣ 1)❂ By linear algebra compute log5 2❀ log5 3❀ ✿ ✿ ✿ ❀ log (If this hadn’t been could have searched ❛ By similar technique discrete log of any

❛♥ ❜

d ♣. ♥ equations ♣ ❂ ♣

• ❂

in Q

• ✑

♣

• ✑

♣ 1). Can completely factor 62❂(♣ + 62) as 21311❂3151112191291 so log5 2 + log5 31 ✑ log5 3 + log5 5 + 2 log5 11 + log5 19 + log5 29 (mod ♣ 1). Try to completely factor 1❂(♣ + 1), 2❂(♣ + 2), etc. Find factorization of ❛❂(♣ + ❛) as product of powers of 1❀ 2❀ 3❀ 5❀ 7❀ 11❀ 13❀ 17❀ 19❀ 23❀ 29❀ 31 for each of the following ❛’s: 5100, 4675, 3128, 403, 368, 147, 3, 62, 957, 2912, 3857, 6877. Each complete factorization produces a log equation. Now have 12 linear equations for log5 2❀ log5 3❀ ✿ ✿ ✿ ❀ log5 31. Free equations: log5 5 = 1, log5(1) = (♣ 1)❂2. By linear algebra compute log5 2❀ log5 3❀ ✿ ✿ ✿ ❀ log5 31. (If this hadn’t been enough, could have searched more ❛’s.) By similar technique obtain discrete log of any target.

Can completely factor 62❂(♣ + 62) as 21311❂3151112191291 so log5 2 + log5 31 ✑ log5 3 + log5 5 + 2 log5 11 + log5 19 + log5 29 (mod ♣ 1). Try to completely factor 1❂(♣ + 1), 2❂(♣ + 2), etc. Find factorization of ❛❂(♣ + ❛) as product of powers of 1❀ 2❀ 3❀ 5❀ 7❀ 11❀ 13❀ 17❀ 19❀ 23❀ 29❀ 31 for each of the following ❛’s: 5100, 4675, 3128, 403, 368, 147, 3, 62, 957, 2912, 3857, 6877. Each complete factorization produces a log equation. Now have 12 linear equations for log5 2❀ log5 3❀ ✿ ✿ ✿ ❀ log5 31. Free equations: log5 5 = 1, log5(1) = (♣ 1)❂2. By linear algebra compute log5 2❀ log5 3❀ ✿ ✿ ✿ ❀ log5 31. (If this hadn’t been enough, could have searched more ❛’s.) By similar technique obtain discrete log of any target.

completely factor 62❂(♣ + 62) 311❂3151112191291 2 + log5 31 ✑ + log5 5 + 2 log5 11 + + log5 29 (mod ♣ 1). completely factor ❂ ♣ 1), 2❂(♣ + 2), etc. factorization of ❛❂(♣ + ❛) duct of powers of 1❀ ❀ ❀ ❀ 7❀ 11❀ 13❀ 17❀ 19❀ 23❀ 29❀ 31 each of the following ❛’s: 5100, 4675, 3128,

• 368, 147, 3,

957, 2912, 3857, 6877. Each complete factorization produces a log equation. Now have 12 linear equations for log5 2❀ log5 3❀ ✿ ✿ ✿ ❀ log5 31. Free equations: log5 5 = 1, log5(1) = (♣ 1)❂2. By linear algebra compute log5 2❀ log5 3❀ ✿ ✿ ✿ ❀ log5 31. (If this hadn’t been enough, could have searched more ❛’s.) By similar technique obtain discrete log of any target. For ♣ ✦ ✶ scales surp cost ♣✎ where ✎ ✦ Compare ✙ ♣ ❂ Specifically: ❛ ✷ ✟ 1❀ 2❀ ✿ ✿ ✿ ❀ ② ✠ lg ② ✷ ❖(♣ ♣ ♣ finds ② complete into prim ✔ ② and computes (Assuming Have exte

factor 62❂(♣ + 62) ❂

2191291

31 ✑ 2 log5 11 + (mod ♣ 1). completely factor ❂ ♣ ❂ ♣ + 2), etc. ization of ❛❂(♣ + ❛) wers of 1❀ ❀ ❀ ❀ ❀ ❀ ❀ 17❀ 19❀ 23❀ 29❀ 31 following ❛’s:

• 3128,
• 147, 3,

3857, 6877. Each complete factorization produces a log equation. Now have 12 linear equations for log5 2❀ log5 3❀ ✿ ✿ ✿ ❀ log5 31. Free equations: log5 5 = 1, log5(1) = (♣ 1)❂2. By linear algebra compute log5 2❀ log5 3❀ ✿ ✿ ✿ ❀ log5 31. (If this hadn’t been enough, could have searched more ❛’s.) By similar technique obtain discrete log of any target. For ♣ ✦ ✶, index scales surprisingly cost ♣✎ where ✎ ✦ Compare to rho: ✙ ♣ ❂ Specifically: searching ❛ ✷ ✟ 1❀ 2❀ ✿ ✿ ✿ ❀ ②2✠ , lg ② ✷ ❖(♣lg ♣ lg lg ♣ finds ② complete facto into primes ✔ ②, and computes discrete (Assuming standard Have extensive evidence.)

❂(♣ + 62) ❂ ✑ + ♣ 1). ❂ ♣ ❂ ♣ ❛❂ ♣ + ❛) 1❀ ❀ ❀ ❀ ❀ ❀ ❀ ❀ ❀ ❀ 29❀ 31 ❛’s:

• 6877.

Each complete factorization produces a log equation. Now have 12 linear equations for log5 2❀ log5 3❀ ✿ ✿ ✿ ❀ log5 31. Free equations: log5 5 = 1, log5(1) = (♣ 1)❂2. By linear algebra compute log5 2❀ log5 3❀ ✿ ✿ ✿ ❀ log5 31. (If this hadn’t been enough, could have searched more ❛’s.) By similar technique obtain discrete log of any target. For ♣ ✦ ✶, index calculus scales surprisingly well: cost ♣✎ where ✎ ✦ 0. Compare to rho: ✙ ♣1❂2. Specifically: searching ❛ ✷ ✟ 1❀ 2❀ ✿ ✿ ✿ ❀ ②2✠ , with lg ② ✷ ❖(♣lg ♣ lg lg ♣), finds ② complete factorizations into primes ✔ ②, and computes discrete logs. (Assuming standard conjectures. Have extensive evidence.)

Each complete factorization produces a log equation. Now have 12 linear equations for log5 2❀ log5 3❀ ✿ ✿ ✿ ❀ log5 31. Free equations: log5 5 = 1, log5(1) = (♣ 1)❂2. By linear algebra compute log5 2❀ log5 3❀ ✿ ✿ ✿ ❀ log5 31. (If this hadn’t been enough, could have searched more ❛’s.) By similar technique obtain discrete log of any target. For ♣ ✦ ✶, index calculus scales surprisingly well: cost ♣✎ where ✎ ✦ 0. Compare to rho: ✙ ♣1❂2. Specifically: searching ❛ ✷ ✟ 1❀ 2❀ ✿ ✿ ✿ ❀ ②2✠ , with lg ② ✷ ❖(♣lg ♣ lg lg ♣), finds ② complete factorizations into primes ✔ ②, and computes discrete logs. (Assuming standard conjectures. Have extensive evidence.)

complete factorization duces a log equation. have 12 linear equations

5 2❀ log5 3❀ ✿ ✿ ✿ ❀ log5 31.

equations: log5 5 = 1, 1) = (♣ 1)❂2. linear algebra compute ❀ log5 3❀ ✿ ✿ ✿ ❀ log5 31. hadn’t been enough, have searched more ❛’s.) similar technique obtain discrete log of any target. For ♣ ✦ ✶, index calculus scales surprisingly well: cost ♣✎ where ✎ ✦ 0. Compare to rho: ✙ ♣1❂2. Specifically: searching ❛ ✷ ✟ 1❀ 2❀ ✿ ✿ ✿ ❀ ②2✠ , with lg ② ✷ ❖(♣lg ♣ lg lg ♣), finds ② complete factorizations into primes ✔ ②, and computes discrete logs. (Assuming standard conjectures. Have extensive evidence.) Latest index-calculus use the “numb and the To compute

q

lg cost ✷ ❖((lg q)1❂ q

❂

For securit q ✙ 2256 q ✙ 22048 We don’ index-calculus ✿ ✿ ✿ except

factorization equation. linear equations ❀ ❀ ✿ ✿ ✿ ❀ log5 31. log5 5 = 1,

• ♣ 1)❂2.

compute ❀ ❀ ✿ ✿ ✿ ❀ log5 31. een enough, rched more ❛’s.) technique obtain any target. For ♣ ✦ ✶, index calculus scales surprisingly well: cost ♣✎ where ✎ ✦ 0. Compare to rho: ✙ ♣1❂2. Specifically: searching ❛ ✷ ✟ 1❀ 2❀ ✿ ✿ ✿ ❀ ②2✠ , with lg ② ✷ ❖(♣lg ♣ lg lg ♣), finds ② complete factorizations into primes ✔ ②, and computes discrete logs. (Assuming standard conjectures. Have extensive evidence.) Latest index-calculus use the “number-fi and the “function- To compute discrete

q

lg cost ✷ ❖((lg q)1❂3(lg lg q) ❂ For security: q ✙ 2256 to stop rho; q ✙ 22048 to stop NFS. We don’t know any index-calculus metho ✿ ✿ ✿ except for some

rization equations ❀ ❀ ✿ ✿ ✿ ❀ 31. 1,

• ♣

❂ ❀ ❀ ✿ ✿ ✿ ❀ enough, ❛’s.)

• btain

For ♣ ✦ ✶, index calculus scales surprisingly well: cost ♣✎ where ✎ ✦ 0. Compare to rho: ✙ ♣1❂2. Specifically: searching ❛ ✷ ✟ 1❀ 2❀ ✿ ✿ ✿ ❀ ②2✠ , with lg ② ✷ ❖(♣lg ♣ lg lg ♣), finds ② complete factorizations into primes ✔ ②, and computes discrete logs. (Assuming standard conjectures. Have extensive evidence.) Latest index-calculus variants use the “number-field sieve” and the “function-field sieve.” To compute discrete logs in

q

lg cost ✷ ❖((lg q)1❂3(lg lg q)2❂3). For security: q ✙ 2256 to stop rho; q ✙ 22048 to stop NFS. We don’t know any index-calculus methods for ECDL! ✿ ✿ ✿ except for some curves.

For ♣ ✦ ✶, index calculus scales surprisingly well: cost ♣✎ where ✎ ✦ 0. Compare to rho: ✙ ♣1❂2. Specifically: searching ❛ ✷ ✟ 1❀ 2❀ ✿ ✿ ✿ ❀ ②2✠ , with lg ② ✷ ❖(♣lg ♣ lg lg ♣), finds ② complete factorizations into primes ✔ ②, and computes discrete logs. (Assuming standard conjectures. Have extensive evidence.) Latest index-calculus variants use the “number-field sieve” and the “function-field sieve.” To compute discrete logs in Fq: lg cost ✷ ❖((lg q)1❂3(lg lg q)2❂3). For security: q ✙ 2256 to stop rho; q ✙ 22048 to stop NFS. We don’t know any index-calculus methods for ECDL! ✿ ✿ ✿ except for some curves.