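\documentclass[11pt]{article}

\usepackage{fullpage}
\usepackage{epic}
\usepackage{eepic}
% graphicx replaces psfig, which is obsolete and only works with the dvips
% driver (it fails under pdflatex). The document itself includes no figures,
% so no macro from either package is referenced in the body.
\usepackage{graphicx}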

%\newcommand{\proof}[1]{
%{\noindent {\it Proof.} {#1} \rule{2mm}{2mm} \vskip \belowdisplayskip}
%}


%\newtheorem{lemma}{Lemma}[section]
%\newtheorem{theorem}[lemma]{Theorem}
%\newtheorem{claim}[lemma]{Claim}
%\newtheorem{definition}[lemma]{Definition}
%\newtheorem{corollary}[lemma]{Corollary}

%Theorems and likes 
% One independent counter per theorem-like environment, each reset at every
% \section, so numbers read e.g. "Theorem 2.1", "Lemma 2.1".
\newtheorem{theorem}{Theorem}[section]
\newtheorem{lemma}{Lemma}[section]
\newtheorem{corollary}{Corollary}[section]
\newtheorem{claim}{Claim}[section]
\newtheorem{fact}{Fact}[section]
\newtheorem{definition}{Definition}[section]
\newtheorem{assumption}{Assumption}[section]


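% Proof environment: "Proof:" set in italics, body text, then a filled square
% flushed right. \textit replaces the LaTeX 2.09 font switch {\it ...}, which
% is deprecated in LaTeX2e and adds no italic correction before the colon.
% \bproof and \eproof remain available for direct use.
\newcommand*{\bproof}{\noindent\textit{Proof}}
%\newcommand*{\eproof}{\hspace*{\fill}$\Box$~~~~~\bigskip}
\newcommand*{\eproof}{\hspace*{\fill}\rule{2mm}{2mm}~~~~~\bigskip}
\newenvironment{proof}{\bproof: }{\eproof}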

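% symbols and notation
% Definitional equality: $x \defeq y$ sets an upright "def" over the equals
% sign. \mathrm replaces the LaTeX 2.09 switch \rm, which is not a reliable
% math-mode command and can leak its font change out of \stackrel.
\newcommand*{\defeq}{\stackrel{\mathrm{def}}{=}}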

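% Additional Math Notations (Arun Iyer)
% Binomial coefficient as a one-column array in auto-sized parentheses
% (amsmath's \binom is not loaded in this document).
\newcommand*{\nchoosek}[2]{\left(\begin{array}{c}#1\\#2\end{array}\right)}
% Blackboard-bold letters taken directly from the AMS "msb" font; the hex
% positions are the ASCII codes of the letters. They are declared as ordinary
% symbols (\mathord): the previous \mathbin class would insert binary-operator
% spacing around them whenever they follow an ordinary symbol.
\DeclareSymbolFont{AMSb}{U}{msb}{m}{n}
\DeclareMathSymbol{\N}{\mathord}{AMSb}{"4E}   % letter N
\DeclareMathSymbol{\Z}{\mathord}{AMSb}{"5A}   % letter Z
\DeclareMathSymbol{\R}{\mathord}{AMSb}{"52}   % letter R
\DeclareMathSymbol{\Q}{\mathord}{AMSb}{"51}   % letter Q
\DeclareMathSymbol{\I}{\mathord}{AMSb}{"49}   % letter I
\DeclareMathSymbol{\C}{\mathord}{AMSb}{"43}   % letter C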
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

% Page layout. These override the text dimensions already set by the
% fullpage package loaded above: a 6in x 8in text block with no extra side
% or top margin beyond TeX's default 1in origin offset.
\setlength{\textwidth}{6in}
\setlength{\textheight}{8in}
\setlength{\oddsidemargin}{0in}
\setlength{\topmargin}{0in}

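\begin{document}

% Title box: a framed, bold header spanning the text width.
% \normalfont\bfseries replaces the deprecated LaTeX 2.09 switch \bf
% (identical output in text mode, but \bf is flagged by l2tabu/nag).
\setlength{\fboxrule}{.5mm}\setlength{\fboxsep}{1.2mm}
% Content width: \textwidth less 4mm to make room for the frame rule and
% padding on each side.
\newlength{\boxlength}\setlength{\boxlength}{\textwidth}
\addtolength{\boxlength}{-4mm}
\begin{center}\framebox{\parbox{\boxlength}{\normalfont\bfseries
CS 681: Computational Number Theory and Algebra \hfill 
Lecture 25: Discrete Log Problem
\\
Lecturer: Manindra Agrawal
\hfill
Notes by: Arun Iyer
%\\
\begin{flushright}
%date
October 18, 2005.
\end{flushright}
}}\end{center}
\vspace{5mm}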

\section{Discrete Log Problem}
\begin{definition}
Given a finite group $G$ and $g, e \in G$, find $m$ (if it exists) such that $g^m = e$. This problem is known as the Discrete Log Problem.
\end{definition}
Examples:
\begin{enumerate}
\item Given $G = \Z_n$ under addition, find an $m$ such that $mg \equiv e \pmod{n}$.
\item Given $G = \Z_n^*$ under multiplication, find an $m$ such that $g^m \equiv e \pmod{n}$.
\item Given $G = P_n$ under composition, where $g$ and $e$ are two permutations, find an $m$ such that $g^m = e$.
\item Given $G = F_{p^r}$ under addition, find an $m$ such that $mg(x) = e(x)$.
\item Given $G = F_{p^r}$ under addition, find an $m$ such that $g^m(x) \equiv e(x) \pmod{p,\, h(x)}$.
\end{enumerate}

\section{Application : El Gamal Public Key Encryption}
Given a group $G$ and $g \in G$ of large order, randomly choose an $m \in \Z$ and let $e = g^m$. Then the public key is $(g, e)$ and the private key is $m$.

\subsection{Encryption Method}
Input: a message $s \in G$.
\begin{enumerate}
\item Randomly choose $k \in \Z$ (a fresh $k$ for each message).
\item Compute $r = g^k$.
\item Output the pair $(se^k, r)$.
\end{enumerate}

\subsection{Decryption Method}
Input: the pair $(se^k, r)$.
\begin{enumerate}
\item Compute $r^m$.
\item Compute the inverse of $r^m$, i.e.\ $(r^m)^{-1}$.
\item Output $se^k(r^m)^{-1}$; this equals $s$ because $r^m = g^{km} = e^k$.
\end{enumerate}

\section{Slight Improvement in Special Case}
Normally for encryption purposes we use the group $G = F_p^*$ under multiplication. However, this scheme becomes weak if $p-1$ turns out to be smooth (the discrete log in a group of smooth order is easy to compute). To avoid this, a large prime $p$ is chosen such that $p-1 = 2q$, where $q$ is a large prime as well.

\section{Solving Discrete Log using Index Calculus}
Basic Idea: Find $r$ and $s$ such that $g^r e^s = 1$ and $\gcd(s, \mathrm{ord}(g)) = 1$. (Note that if $e = g^m$, then $g^r e^s = g^r g^{ms} = g^{r+ms}$, so $r + ms \equiv 0$ and hence $m \equiv -rs^{-1} \pmod{\mathrm{ord}(g)}$.)
\begin{enumerate}
\item Randomly choose $r$ and $s$ and compute $u = g^r e^s$.
\item Check whether $u$ is $k$-smooth.
\item If yes, collect the triple $(r, s, u)$.
\item Repeat until $k$ triples are collected; let $(r_i, s_i, u_i)$, $1 \leq i \leq k$, be these triples.
\item Write $u_i = \prod_{j=1}^{k} p_j^{\alpha_{i,j}}$, where the $p_j$ are primes.
\item Find a vector $\overrightarrow{\beta}$ such that
\[
\sum_{i=1}^{k} \beta_i \alpha_{i,j} \equiv 0 \pmod{p-1} \quad \forall j.
\]
\item Compute $r = \sum_{i=1}^{k} \beta_i r_i$ and $s = \sum_{i=1}^{k} \beta_i s_i$.
\item Compute $m \equiv -rs^{-1} \pmod{p-1}$.
\end{enumerate}
\end{document}

