Felix' Math Place » DLP http://math.fontein.de Focussed on, but not limited to Computational Number Theory Sat, 30 Jul 2011 12:35:49 +0000 en hourly 1 http://wordpress.org/?v=3.1 One-dimensional Infrastructures. http://math.fontein.de/2009/07/20/one-dimensional-infrastructures/ http://math.fontein.de/2009/07/20/one-dimensional-infrastructures/#comments Mon, 20 Jul 2009 03:45:16 +0000 Felix Fontein http://math.fontein.de/?p=100 One-dimensional infrastructures first appeared in the 1970′s in Daniel Shanks‘ work on real quadratic number fields \Q(\sqrt{D}), D > 1 a squarefree integer, when he tried to fasten regulator computations. The previous algorithms used continued fraction expansion to obtain the regulator in \calO(D^{1/2 + \varepsilon}) binary operation, \varepsilon > 0 arbitrary. Shanks found out that one can obtain a multiplication like operation, which he dubbed giant steps, as opposed to the baby steps taken by one step in the continued fraction expansion. He described a baby step-giant step method to compute the regulator in \calO(D^{1/4 + \varepsilon}) binary operations, requiring \calO(D^{1/4 + \varepsilon}) bytes of storage. His methods were analysed, written up more clearly and extended by various people, including Hendrik Lenstra, Hugh Williams, Johannes Buchmann, Rene Schoof, and many others. Extensions of the method to function fields exist as well, most notably due to the work of Andreas Stein and Renate Scheidler.

I begin with giving an abstract definition of a one-dimensional infrastructure.

Definition (One-dimensional infrastructure).
Let R > 0 be a real number. A one-dimensional infrastructure of circumference R is a pair (X, d), where X \neq \emptyset is a finite set and d : X \to \R/R\Z is an injective map.

If you interpret \R/R\Z as a circle of circumference R (think of it as folding up the real line, such that two numbers whose difference is an integer multiple of R are identified), a one-dimensional infrastructure can be seen as a circle with a finite number of dots on it. The map d gives the distance between 0 \in \R/R\Z and some element x \in X on the circle, whence d is called the distance map.

Now one can define two operations on a one-dimensional infrastructure. Due to Shanks’ nomenclature, these are called baby steps and giant steps. To define a baby step, let x \in X. Then consider the set F_x := \{ f \in \R \mid f > 0, \; d(x) + f \in d(X) \}. It is non-empty as R \in F_x and bounded from below. Moreover, it is discrete as X is finite; therefore, f := \min F_x exists and d(x) + f \in d(X), say d(x) + f = d(x') with x' \in X. In that case, we define \bs(x) := x'. This gives a bijective map \bs : X \to X which, in case \abs{X} > 1, has no fixed points. If \R/R\Z is interpreted as a circle and X identified with d(X), \bs will send each point to the “next one” in positive direction on the circle.

To define giant steps, let x, x' \in X. For that, note that \R/R\Z is naturally a group, whence we can add d(x) and d(x'). Now d(x) + d(x') \in \R/R\Z, but in general d(x) + d(x') \not\in d(X). But we can use a similar trick as in the baby step case: we jump back to the previous point of d(X). For that, define F_{x,x'} := \{ f \in \R \mid f \ge 0, \; d(x) + d(x') - f \in d(X) \}. It is bounded from above, non-empty and discrete, whence f := \max F_{x,x'} exists with d(x) + d(x') - f' \in d(X), say d(x) + d(x') - f = d(y) for y \in X; then we define \gs(x, x') := y. This gives a binary operation \gs : X \times X \to X which is in general not associative.

But even though, we have \displaystyle d(\gs(x, x')) \approx d(x) + d(x') in general, assuming that D := \max\{ d(\bs(x)) - d(x) \mid x \in X \} is small (here, we identify d(\bs(x)) - d(x) \in \R/R\Z with its smallest non-negative representant). More precisely, we have d(\gs(x, x')) + f = d(x) + d(x') with 0 \le f < D, whence the giant step operation is “almost” associative.

Finite Cyclic Groups as One-dimensional Infrastructures.

Let G = \ggen{g} be a finite cyclic group of order R. For h \in G, one can write h = g^n with n \in \Z; note that n = \log_g h \in \Z/R\Z is the discrete logarithm of h with respect to g. Hence, we get the isomorphism G \cong \Z/R\Z induced by \log_g : G \to \Z/R\Z. As \Z/R\Z \subseteq \R/R\Z, we get the injective map d : G \to \R/R\Z, h \mapsto \log_g h, turning (G, d) into a one-dimensional infrastructure.

Let h, h' \in G; then we get \bs(h) = g h and \gs(h, h') = h h', i.e. baby steps are multiplications by the generator g and the giant steps equals the group operation. In particular, this provides an example for giant steps being associative.

Therefore, one-dimensional infrastructures can be seen as generalizations of finite cyclic groups.

Remarks.

Finally, we want to sketch some ideas, which will allow generalizing infrastructures to higher dimensions. For that, let (X, d) be a one-dimensional infrastructure. First, define the map red : \R/R\Z \to X as follows. For r \in \R/R\Z, define F_r := \{ f \in \R \mid f \ge 0, \; r - f \in d(X) \}. Again, F_r is non-empty, bounded from below and discrete, whence f := \min F_r exists and r - f \in d(X), say r - f = d(x) for some x \in X. Define red(r) := x. Then red satisfies red \circ d = \id_X and \gs(x, x') = red(d(x) + d(x')) for all x, x' \in X.

If red' : \R/R\Z \to X would be any other map satisfying red' \circ d = \id_X, one would obtain another giant step function \gs' : X \times X \to X, (x, x') \mapsto red'(d(x) + d(x')). In case X comes from a finite cyclic group, as above, \gs' would again be the group operation. If this is not the case, \gs and \gs' could be two distinct binary operations on X. If red' satisfies d(red'(r)) \approx r for all r \in \R/R\Z, we would also have \displaystyle d(\gs'(x, x')) \approx d(x) + d(x') \text{ for all } x, x' \in X.

This shows that our choice of red is rather random; we could also define red(r) = d^{-1}(d(x) + f) with f = \min \{ f \in \R \mid f \ge 0, \; r + f \in d(X) \}, or chose f such that \abs{f} = \min\{ \abs{f} \mid r + f \in d(X) \}, with some additional condition to rule out ties. Any other arbitrary choice of red is also possible, as long as red \circ d = \id_X is satisfied. We will later see that our definition of red is exactly the one we obtain in a canonical way if we obtain infrastructures from global fields of unit rank one. We call such maps reduction maps.

]]> http://math.fontein.de/2009/07/20/one-dimensional-infrastructures/feed/ 0 The Discrete Logarithm Problem and Generalizations. http://math.fontein.de/2009/07/20/the-discrete-logarithm-problem-and-generalizations/ http://math.fontein.de/2009/07/20/the-discrete-logarithm-problem-and-generalizations/#comments Mon, 20 Jul 2009 03:44:15 +0000 Felix Fontein http://math.fontein.de/?p=95 Let G be a group and g \in G. Using square-and-multiply techniques, one can rapidly compute g^n for n \in \N – in fact, \calO(\log n) group operations suffice.

On the other side, the inverse question, given g^n and g, how to find n, is in general hard. In fact, a result by Victor Shoup says that for a black box group, there exists no deterministic algorithm which can find the n in time less than \calO(\sqrt{p}) steps in any case, provided the prime p is the order of g. In other words: the Discrete Logarithm Problem (DLP) is hard in general: given g, h with h \in \ggen{g}, find n \in \N with g^n = h.

Consider the subgroup \ggen{g} generated by g. It is of the form \{ g^n \mid n \in \Z \}, and the map \varphi : \Z \to \ggen{g}, n \mapsto g^n is an epimorphism. Let \ker \varphi = m \Z with m \ge 0; then \varphi induces an isomorphism \psi : \Z/m\Z \to \ggen{g}. The inverse map \psi^{-1} : \ggen{g} \to \Z/m\Z, g^n \mapsto n + m\Z is called the discrete logarithm with base g, denoted by \log_g. Hence, the DLP is the problem of computing the function \log_g.

In 1976, Whitfield Diffie and Martin Hellman came up with a key exchange protocol based on the fact that, given g, g^a and g^b, one probably needs to solve at least one DLP (to obtain a or b) to be able to compute g^{a b} = (g^a)^b = (g^b)^a. And nine years later, Taher ElGamal presented an encryption scheme which is also based on the DLP.

First, these systems were originally used with G = \F_p^* or \F_q^*, the multiplicative groups of finite (prime) fields, but can in fact be used with any group. In 1985, Neal Koblitz and Victor Miller independently proposed to use elliptic curves over finite fields \F_q, which yield abelian groups of size q + 1 + \calO(\sqrt{q}). Later, groups obtained from hyperelliptic curves or curves were proposed.

There have also been proposals to replace groups by weaker structures, for example semigroups or certain loops. In general, one can use any algebraic structure A which allows to define a^n for a \in A, n \in \N_{>0} such that a^n can be computed efficiently. As for that, one usually wants a^n a^m = a^{n+m}, we merely require the operation to be power associative.

Now one can ask if it is possible to drop this requirement and replace exponentiation and discrete logarithms by something similar. So far, the only such algebraic structure which has a huge class of instances which can be easily obtained from algebraic objects and in which one can efficiently compute are infrastructures. In the following articles I first want to explain and discuss the definition of infrastructures and show how finite abelian groups can be interpreted as infrastructures. Then I want to explain how infrastructures can be obtained from global fields.

In case you want to read up more details, please consult the preprint of my paper The Infrastructure of a Global Field of Arbitrary Unit Rank or my PhD thesis (click Volltext).

]]> http://math.fontein.de/2009/07/20/the-discrete-logarithm-problem-and-generalizations/feed/ 0