Documentos de Académico
Documentos de Profesional
Documentos de Cultura
0
= 0
i +1
= {
i
if 0 < x
i
s p 3
2
i
if p 3 < x
i
s 2 p 3
i
+ 1 if 2 p 3 < x
i
< p
0
= 0
i +1
= {
i
+ 1 if 0 < x
i
s p 3
2
i
if p 3 < x
i
s 2 p 3
i
if 2 p 3 < x
i
< p
The algorithm needs not store all the numbers to find an equal pair. The algorithm run through the sets
| x
i
,
i
,
i
, x
2 i
,
2 i
,
2 i
] , i = 1, 2 , ... ,
generating each one from the previous one, until the one with x
i
= x
2 i
is generated. Then we have
a
u
b
v
| mod p ] , where
u =
2 i
i
| mod p 1]
v =
2 i
i
| mod p 1]
Note that the sequence x
i
can be regarded as a random sequence. It is estimated that the period of the
random sequence is
5
p
288
~ 1.0308 p
That is, the algorithm may need to try O_ p iterations to obtain the right pair x
i
and x
2 i
The second step is to find x . If v 0 | mod p 1] , then the algorithms fails. Assume that
v 0 | mod p 1] . The algorithm then finds d , the greatest common divisor of v and p 1, by the
Extended Euclid algorithm.
That is,
d = | v , p 1] = u v + | p 1]
Raising both sides of a
u
b
v
| mod p ] to the power v gives
a
u . v
b
u . v
b
d ( p 1)
b
d
| a
x
]
d
| mod p ]
Therefore, x - d u - v | mod p 1] , which implies that
x - d = u - v + w | p 1]
Since d | p 1] , hence d n - v . We obtain
x = | u - v + w | p 1] ] d (4)
The value of w is between 0 and d . In the case that d is small, we can do an exhaustive search. If d is large,
then the search will take a long time to finish.
If d =1, that is | v , p 1] = 1, then equation 4 can be reduced to
x = u - v = u - v
1
| mod p 1]
The above algorithm can also be adapted to work on the factors of p 1. This is called the multistage
method. Let p 1 = s - t . The method is to use a
s
and b
s
to replace a and b . This leads to find u and v
such that
| a
s
]
u
| b
s
]
s
| mod p ]
2 Pol l ards. nb
The other steps are similar.
Algorithm
Algorithm: Pollards rho for computing discrete logarithms
input: A generator of a cyclic group G of prime order n, and an
element G
output: the discrete logarithm x log
1.Set x
o
1, a
0
0, b
o
0
2.For i 1, 2, ... do the following:
2.1 Using the quantities x
i1
, a
i1
, b
i1
and x
2 i1
, a
2 i1
, b
2 i1
computed
previously, compute x
i
, a
i
, b
i
and x
2 i
, a
2 i,
b
2 i
using equations
(2),(3)
2.2 If x
i
x
2 i
then do the following:
Set r b
i
b
2 i
mod n.
If r 0 then
Set a
0
, b
0
in the inverval 1, n 1 and x
0
a0
b0
and
go step 2
else
x r
1
a
2 i
a
i
mod n and return x.
Running time
Let Gbe a group of order n , a prime. Assume that the function f : G G defined by equation (2) and (3)
behavies like a random function. Then the expected running time of Pollards rho algorithm for discrete
logarithms in G is O(
_
n ) group operations. Moreover, the algorithm requires negligible storage.
Implementation
PollardRhog_Integer, a_Integer, p_Integer :=
Modulex1 = 1, x2 = 1, s1 = 0, s2 = 0, t1 = 0, t2 = 0, u, h,
d, k, l, r, i, j = 1, q, n = EulerPhip, Ifa = g, r = 1,
Whilex1 , x2 j = 1, Ifx1 < p3, x1 = Moda + x1, p; s1 = Mods1 + 1, n;
Ifx1 z p3 && x1 < 2 p3, x1 = Modx1 + x1, p;
s1 = Mod2 + s1, n; t1 = Mod2 + t1, n;
Ifx1 z 2 + p3, x1 = Modg + x1, p; t1 = Modt1 + 1, n;
DoIfx2 < p3, x2 = Moda + x2, p; s2 = Mods2 + 1, n;
Ifx2 z p3 && x2 < 2 p3,
x2 = Modx2 + x2, p; s2 = Mod2 + s2, n; t2 = Mod2 + t2, n;
Ifx2 z 2 + p3, x2 = Modg + x2, p; t2 = Modt2 + 1, n, i, 2;
j = j + 1;;
s = Mods2 - s1, n; t = Modt1 - t2, n;
h = ExtendedGCDs, n;
d = h1; u = h2, 1;
Ifd = 1, r = ModPowerMods, -1, n + t, n,
k = u + t d; l = n d; i = 1; q = PowerModg, k + l, p;
o = PowerModg, l, p;
Whilea , Modq, p && i s d, q = Modq + o, p; i = i + 1;
r = Modk + i + l, n;;;
Returnr;;
Pol l ards. nb 3
Test
In order to get an experimentation area, let us calculate Z
p
-
, and its list of generators. The main
definition of the used procedure is in the notebook 01ModularArithmetic.
mulgr md_ := Modulex, ls, gcd,
x = 1; ls = x;
Whilex < md - 1,
x++; gcd = GCDx, md;
Ifgcd = 1, AppendTols, x;
ls
genr md_ := Modulegrm, or, lg, k, fmd, gel, flg, i, g, bi, bii, j,
grm = mulgr md;
or = Lengthgrm;
fmd = FactorInteger md;
If! Lengthfmd = 1 && ! Lengthfmd = 2 && fmd1 = 2, 1,
gel = ,
flg = True;
i = 1;
Whileflg, i++;
g = grmi;
bi = orbitg, md;
flg = ! Lengthbi = or
;
bii = mulgror;
gel = SortTablebibiij + 1, j, Lengthbii
;
or, grm, gel