\documentclass[11pt]{article} \usepackage{amsmath} \usepackage{epsfig} %\usepackage{fullpage} %\usepackage{epic} %\usepackage{eepic} %\usepackage{psfig} %\newcommand{\proof}[1]{ %{\noindent {\it Proof.} {#1} \rule{2mm}{2mm} \vskip \belowdisplayskip} %} %\newtheorem{lemma}{Lemma}[section] %\newtheorem{theorem}[lemma]{Theorem} %\newtheorem{claim}[lemma]{Claim} %\newtheorem{definition}[lemma]{Definition} %\newtheorem{corollary}[lemma]{Corollary} %Theorems and likes \newtheorem{assumption}{Assumption}[section] \newtheorem{theorem}{Theorem}[section] \newtheorem{fact}{Fact}[section] \newtheorem{claim}{Claim}[section] \newtheorem{lemma}{Lemma}[section] \newtheorem{example}{Example}[section] \newtheorem{definition}{Definition}[section] \newtheorem{corollary}{Corollary}[section] \newtheorem{exercise}{Exercise}[section] \newtheorem{observation}{Observation}[section] \newcommand{\bproof}{\noindent{\it Proof}} %\newcommand{\eproof}{\hspace*{\fill}$\Box$~~~~~\bigskip} \newcommand{\eproof}{\hspace*{\fill}\rule{2mm}{2mm}~~~~~\bigskip} \newenvironment{proof}{\bproof: }{\eproof} % symbols and notation \newcommand{\defeq}{\stackrel{\rm def}{=}} \setlength{\oddsidemargin}{0in} \setlength{\topmargin}{0in} \setlength{\textwidth}{6in} \setlength{\textheight}{8in} \begin{document} \setlength{\fboxrule}{.5mm}\setlength{\fboxsep}{1.2mm} \newlength{\boxlength}\setlength{\boxlength}{\textwidth} \addtolength{\boxlength}{-4mm} \begin{center}\framebox{\parbox{\boxlength}{\bf CS 681: Computational Number Theory and Algebra \hfill Lecture 26 \\\\ Analysis of Discrete Log Problem using Index Calculus and Number Field Sieve \\\\ Lecturer: Manindra Agrawal \hfill Scribe: Sudeepa Roy %\\ \begin{flushright} %date October 10, 2005 \end{flushright} }}\end{center} \vspace{5mm} \section{Introduction } In this lecture we will first do the analysis of the algorithm to solve discrete log problem using index calculus stated in the last lecture. Next we will briefly discuss \textit{Number Field Sieve}. \section{Analysis of Discrete Log Problem} Here we use the same notations as in the previous lecture. To recapitulate, the problem was to compute $m$ from the equation $e = g^m$ given $g$ and $e$, and the idea was to find $r$ and $s$, such that \begin{enumerate} \item $g^re^s = 1$ \item $\gcd(s, order(g)) = 1$ \end{enumerate} After the step 4 of the algorithm, we have $k$ triples $(r_i, s_i, u_i)$ with $u_i = \prod\limits_{j=1}^t {p_j}^{\alpha_{ij}}$, where $p_1, \cdots, p_t$ are all the primes $\leq k$.\\\\ We know $\vec{\beta}$ is such that $\sum\limits_{i=1}^k \beta_i\alpha_{ij} = 0~ (\mod p - 1~)$\\\\ $r = \sum\limits_{i = 1}^k \beta_ir_i$ and $s = \sum\limits_{i = 1}^k \beta_is_i$\\\\ Then\\\\ $g^re^s$\\\\ $= g^{\sum\limits_i \beta_ir_i}e^{\sum\limits_i\beta_is_i}$\\ $= \prod\limits_{i=1}^k(g^{r_i}e^{s_i})^{\beta_i}$ \\ $= \prod\limits_{i=1}^k u_i^{\beta_i}$\\ $= \prod\limits_{i=1}^k \prod\limits_{j=1}^t{p_j}^{\alpha_{ij}\beta_i}$\\ $= \prod\limits_{j=1}^t \prod\limits_{i=1}^k{p_j}^{\alpha_{ij}\beta_i}$\\ $= \prod\limits_{j=1}^t {p_j}^{\sum\limits_{i=1}^k\alpha_{ij}\beta_i}$\\ $= 1~ (\mod p~)$\\\\ We also need $\gcd(s, p-1)=1$. $\\Pr[\gcd(s, p-1) = 1] = \frac{\phi(p-1)}{p-1} \geq \frac{1}{2}$.\\\\ Time complexity of the algorithm is \\ $O(e^{2(\ln p)^{\frac{1}{2}}(\ln\ln p)^{\frac{1}{2}})}$. \section{Number Field Sieve} Number Field Sieve is a very fast method to factor integer $n$ and improvement over quadratic sieve reducing the exponent. The time complexity is $O(e^{c(\ln n)^{\frac{1}{3}}(\ln\ln n)^{\frac{2}{3}})}$ where $c \approx 1.93$. \end{document}