An Improved Algorithm for Computing Logarithms Over GF(P)

106 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. m24, NO. 1, JANUARY 19%

8ince~e=P&i-Q$-i=l-l-O~O=1,0nehasIk=(-l)k. a fast transform technique,” Systems Engineering Technical Me- It follows that morandum No. 52, Electronic Systems Group, Eastern Division GTE Sylvania, Waltham, MA, Aug. 19’75. pk pk-I (-Ilk [31 D. Mandelbaum, “On decoding’Ree;d-Solomon codes,” IEEE Trans. Sk-Sk-l=Qlr-~=QkQk-l> k>l Inform. Theory, vol. IT-17, pp. 707-712, Nov. 1971. [41 W. W. Peterson, Error-Correcting Codes. Cambridge, MA: M.I.T. Or Press, 1961, pp. 1688169. bl C. M. Rader, “Discrete convolution via mersenne transforms,” IEEE PkQk-1 - %8--l = (-Ilk, k > 1. (lOA) Trans. Comput., vol. C-21, pp. 1269-1273, Dec. 1972. @IR. C. Agarwal and C. S. Burrus, “Number theoretic transform to If GCD (Pk,Qk) = dk, then, by (IOA), dk ] (-l)k. This implies that implement fast digital convolution,” in Proc. IEEE, vol. 63, pp. dk = 1. Hence, GCD (Pk,Qk) = 1. 550-560, Apr. 1975. A simple example showing how to compute the rational ap- 171 I. S. Reed and T. K. Truong, “Convolutions over residue classes of quadratic integers,” IEEE Trans. Inform. Theory, vol. IT-22, pp. proximations to an irreducible rational number is presented in 468-475, July 1976. tabular form in Table II. For this example, S is the fraction PI J. H. MacClellan, “Hardware realization of a Fermat number 38/105. From the tabular form, when k = n = 6, one observes Rg transform,” IEEE Trans. on Acoustics Speech, and Signal Pro- = 0. By (?‘A), S = Ss = Ps/Q6 = 38/105. For a more detailed dis- cessing, vol. ASSP-24, pp. 216-225, June 1976. @IJ. Justesen, “On the complexity of decoding of Reed-Solomon cussion of the relation of Euclid’s algorithm to the continued codes,” IEEE Trans. Inform Theory, vol. IT-22, pp. 237-238, Mar. fraction associated with a rational element in the field of real 1976. numbers, see [la]. [a I. S. Reed, T. K. Truong, and L. R. Welch, “The fast decoding of Reed-Solomon codes using number theoretic transforms,” in the REFERENCES Deep Space Network Progress Report 42-35, Jet Propulsion Lab- oratory, Pasadena, CA, July 1976, pp. 64-78. [I] W. C. Gore, “Transmitting binary symbols with Reed-Solomon [Ill E. R. Berlekamp, Algebraic Coding Theory. New York: code,” Johns Hopkins Univ. EE Report No. 73-5, Baltimore, MD, McGraw-Hill, 1968, Ch. 7. Apr. 19’73. [I21 I. M. Vinogrodov, Elements of Number Theory. New York: Dover, [2] A. Michelson, “A new decoder for the Reed-Solomon codes using 1954, Ch. 1.

Correspondence

An Improved Algorithm for Computing Logarithms over one-to-one correspondencefor integer values in the range 1 I xy GP(p) and Its Cryptographic Significance key through cryptanalysis, on the other hand, is not much greater than that required for exponentiation mod p, equivalent to computing a logarithm over GF(p) and is thus when p - 1 has only small prime factors, but is infeasible to impossible if and only if exponentiation mod p is a one-way compute when p - 1 has a large prime factor. Although not pre- function. This is because viously published, the new algorithm was discovered indepen- dently by Roland Silver some years ago, and more recently by K = 1ogMC over GF(p) (14) Richard Schroeppel and H. Block. so that, even if the cryptanalyst has the advantage of knowing The improved algorithm dictates that p - 1 must have a large a plaintext-ciphertext pair, it is as hard to find the key as to find prime factor if exponentiation mod p is to be used as a one-way a logarithm over GF(p). Such a known plaintext cryptanalytic function or in a cryptosystem. Of course, just because Knuth’s attack [9] is a standard test applied to certify a system as secure. algorithm and the new one are not computable in practice for It and variations of it occur in practice as well. certain values of p doesnot mean that there are not more efficient Note that M must be a primitive element of GF(p) for M and algorithms for these values of p that are as yet undiscovered. C to uniquely determine K. We now show that if M is not prim- A second use of the improved algorithm is in problems where itive, or if the cryptanalyst has a number of randomly chosen M it would be useful to rapidly compute logarithms over GF(p) for - C pairs all related by the same key, then his task is not light- arbitrary but large values of p. By choosing p to obtain the full ened. To seethis, observe that if M and C are related by K, that benefit of the improved algorithm, very large primes can be used. is, Scholtz and Welch [lo] devised a multiple accesscode which required the computation of logarithms over GF(p), and Merkle C = MK (mod p), (15) and Hellman [ll] have devised a public-key distribution system which utilizes our algorithm for computing logarithms over then so are M’ and C’, where GF(p). M’ = M” (mod p) (16) Section V gives examples of primes at both extremes. A 137 digit prime is given for which the new algorithm is easily imple- and mented, and a 60 digit prime is given for which no known algo- C’ = C” (mod p) rithm can be implemented. (17) for any integer n. Possession of a single M - C pair with M primitive thus allows the cryptanalyst easily to generate a large II. USE IN CRYPTOGRAPHY number of M’ - C’ pairs also related by K. Building a table is precluded by using values of p on the order of 2lOOor larger. It is well-known [la, p. 371that if p is prime then We have not been able to show that the above system can resist zP-l= 1 (mod p), llzlp-1. (4) a chosen plaintext attack [9] in which the cryptanalyst gets to chooseM and seethe corresponding C, but neither have we found Consequently, arithmetic in the exponent is done modulo p - a way for him to use this option to advantage over the known 1, not modulo p. That is, plaintext attack. zx szx(modP-l)(modp) There is a minor problem with the above cryptosystem in that (5) the most natural representation of K is as an integer between 1 and p - 1, but not all such integers are allowable keys because for all integers X. of the restriction that GCD (K,p - 1) = 1. Fortunately, the Based on this observation, we can construct a cryptosystem. fraction p of usable keys is not too small. From the definition of Let M, K, and C denote the plaintext message,key, and cipher- 4(n), the Euler totient function, text (cryptogram) with the restrictions P = dP - 1MP - 11, (18) IIMlp-1, (6) where 4(n) is the number of positive integers not exceeding and lIClp-1, (7) relatively prime to n. It is known [13, p. 8261that 11KIp-2, (8) P = rI (1 -p;‘), (19) GCD(K,p - 1) = 1. (9) PiI(P--1) 108 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. IT-24, NO. 1, JANUARY 1978 where (pi] are the prime divisors of p - 1. As noted in Section V, primes of the form p = 2~’ + 1, with p’ prime, are the most promising candidates for yielding a secure cryptosystem. Then, with p large, p = (1/2)[1- (l/p’)] = l/2. cm Even if p # 2~’ + 1, a reasonable fraction of keys is usable because, for allp < 1.6 X 10103,p is greater than 0.1. For this range of p, at most ten tries are needed on the averageto find a suitable key. The test involves Euclid’s algorithm and is therefore no more complex than computing D from K. The effective loss in key size is less than 4 bits, which is also quite negligible. The real question concerning the utility of this cryptosystem is the difficulty of computing logarithms over GF(p). Rivest, Shamir, and Adleman [14] have noted that it can be advantageous to perform the enciphering and deciphering operations (12) and (13) modulo n, where n is the product of two large primes. Then, instead of (lo), one usesD = K-l (mod 4(n)). By keeping the factorization of n secret, it is possible to generate a public key cryptosystem as defined in [9]. The enciphering key (K,n) can be made public without compromising the deciphering key (D,n), and yet it is easy for anyone to generate a pair of enciphering and deciphering keys. Public key cryptosystems eliminate the key distribution problem and allow the generation of true digital signatures [9]. See [14] for details. Another application of exponentiation modulo p to cryptography is given in [9]. There it is shown how these functions can be used to securely “transmit” a key over an insecure channel with no previous exchange of secret information. This capability is a direct result of the commutivity of enciphering under two Fig. 1. Flowchartforalgorithm whenp = 2" + 1. different keys K1 and Kz, i.e., (MC)Kz = (MK2)Kl. (20) The reader is referred to [9] for details. obtain

+1, bl = 0 z@-1)/4(mod p)z -1 I , bl = 1. III. AN ALGORITHMFOR~ = 2n+1 I ne remaming bits of n are determined in a similar manner. This The improved algorithm for computing logarithms mod p is algorithm is summarized in the flowchart of Fig. 1. To aid in best understood by first considering the special casep = 2n + 1. understanding this flowchart, note that, at the start of the ith We are given (Y,p, and y, with (Ya primitive element of GF(p), loop, and must find x such that y = ox (mod p). We can assume 0 I 3c I p - 2, since x = p - 1 is indistinguishable from x: = 0. m = (p - 1)/2i+1 (28) When p = 2 n + 1, x is easily determined by finding the binary and expansion (bo, . . . , b,-i] of x, i.e., n-1 z = axi (mod p), (2% (21) where The least significant bit bc of x is determined by raising y to the n-l xi = C bj2i (30) (p - I)/2 = 2n-1 power and applying the rule j-i +1, b,, = 0 Thus raising z to the mth power gives y@-1)/2(modp)~ (22) -1, b. = 1. Zm I akim) E a[(P-1)/214xi/2i) This fact is established by noting that, since (Yis primitive, c(-~)x/~'s (-I)& (modp), (31) (~(~-1)/2 E -1 (modp), C-3 sothatzm~l(modp)ifandonlyifbi=O,andzm~-l(modp) and therefore if and only if bi = 1. y(P-l)b s (ax)(P-1)/2 E (-1)x (modp). (24 IV. AN ALGORITHMFORARBITRARYPRIMES The next bit in the expansion of x is then determined by let- ting We now generalize the above algorithm to arbitrary primes p; this generalization is necessary because 216 + 1 is the largest z = yamb’o = ax1 (mod p), (25) known prime of the form 2n + 1. Let where p - 1 ~pi"~;"...~k"k, Pi < Pi+1 (32) ~1 = “x’ bi2i. (26) be the prime factorization of p - 1, where the pi are distinct i=l primes and the ni are positive integers. The value of x (mod p?) Clearly, xi is a multiple of four if and only if bl = 0. If bl = 1, then will be determined for i = 1, . . . ,k, and the results will then be xi is divisible by two but not by four. Reasoning as before, we combined via the Chinese remainder theorem [12, p. 481 to ob- CORRkPONDENCE 109 tain

x mod fi pri =x(modp-1)=x (33) i=l > since 0 I x: I p - 2. The Chinese remainder theorem can be implemented in O(k logz p) operations and O(k log2 p) bits of memory. (We count a multiplication mod p as one operation.) Consider the following expansion of x (mod p?):

x (mod pr’) = ygol bjpf, (34) W-Z”(mod p) bi-gi(W) where 0 I bj I pi - 1. The least significant coefficient, bo, is z -z-phi (mod p) determined by raising y to the (p - l)/pi power, p--p” (mod p) -7n --n/Pi y(P-*)/Pi z a(P-*)xlPi G yf z (yi)h (mod p) (35) where yi = o((P-1)IPi (36) is a primitive pith root of unity. There are therefore only pi possible values for y(p-l)‘pi(mod p), and the resultant value uniquely determines bo. The next digit bl in the base pi expansion of x (mod p?) is determined in a manner similar to that of Section III. Let Fig. 2. Flowchart for algorithm when p = &pi” + 1. z=y*a -by = (~~1(mod p), (37) and bits of memory [2, p. 91.Let where m = fptl. (4% X1 = ygll bjpf. (38) Then there exist integers c and d such that Now, raising z to the (p - 1)/p: power yields g = cm + d, (43) z(P-~)/P? E ~(P-l).xilP? I yfllPi I (n)bl (mod p). (39) with Again, there are only pi possible values of z @--l)lp?,and this value 0 I c < [pi/ml = p,!-’ (44) determines bl. This process is continued to determine all the coefficients bj. and The flowchart of Fig. 2 summarizes the algorithm for com- OId l/z, precomputation pf-“(I + loga p?)]) operations with O(logz pZf=i(l + ~7)) bits requiring O(p[ log2p[) operations is unimportant when compared of memory. Precomputation requires O(ZF=,(pF log2 pt’ + log2 to the number of w-dependent operations. A multiplication or p)) operations and is unimportant when rk < I/.. addition mod p is counted as a single operation. Remark: If p is such that all pi are small, then the required Proof: The proof usesa generalization of Knuth’s algorithm computational effort is approximately log2 p times as great as for computing logarithms over GF(p) in O(p112 log2p) operations that required to evaluate one exponential. Becausecryptanalytic 110 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. n-24, NO. 1, JANUARY 1978 effort should be at least log times as great as enciphering and of field for the cryptosystem of Section II also has the advantage deciphering effort, the cryptosystem of Section II must avoid thatallkeys11K<2m- 2 are usable, and that the plaintext using such values of p. However, whenpk, the largest prime factor message contains an integral number of bits. In GF(2521) [15, p. of p, is comparable in size top (e.g., p - 1 = 2pk), then the new 501,enciphering and deciphering require at most 1042 multipli- algorithm is almost no better than previously known algo- cations (in the field), while cryptanalysis using the new algorithm rithms. requires at least 252112= 2.6 X 1O78times as much computation. Proof: The proof follows from the lemma and the observa- If the new algorithm is at all close to optimal, it follows that tion that the Chinese remainder theorem requires O(k) opera- values of p exist for which exponentiation mod p would be a tions, O(k logs p) bits of memory, and O(k logs p) precomputa- one-way function, even under the most restrictive of definitions. tion operations. The term XF=ini logs p in the number of opera- By implication, the cryptosystem of Section II would be secure tions accounts for w - .zn (mod p) and fl+- /3pi (mod p) in the under the most conservative of definitions. The real question is loop of Fig. 2. The loop is executed Z t=ini times. whether there are as yet undiscovered algorithms which are vastly more efficient when p - 1 has a large prime factor. V. DISCUSSION We encourage research oriented toward finding such an algo- The new algorithm is most efficient when p - 1 has only small rithm or toward establishing a large lower bound on the computational effort for finding logarithms mod p. Because the security prime factors. For example, p = (P . 2448+ 1) is prime [15, p. 511 and requires 2 + 448 = 450 iterations of the loop shown in Fig. of this cryptosystem is equivalent to such an easily stated prob- 2. The dominant computational requirement is for the 450 ex- lem, there is more than the usual hope that its security can be ponentiations mod p involved in computing w. Computing a established through mathematical proof, if indeed it is secure. logarithm mod p is thus only 450 times as hard as computing an Success in this endeavor would have a revolutionary impact on exponential mod p, and the latter function is not one-way for this cryptography. choice of p. In consequence,the cryptosystem and method of key exchange described in Section II are not secure for this choice of REFERENCES p. By comparison, previous algorithms [2, p. 9] require over 1O65 [l] D. E. Knuth, The Art of Computer Programming, Vol. II: Seminumerical operations and bits of memory to compute one logarithm over Algorithms. Reading, MA: Addison-Wesley, 1969. GF(p) for this particular p. [z] D. E. Knuth, The Art of Computer Programming, Vol. III: Sorting and

Reading. MA: Addison-Weslev. “_ 1973. The new algorithm is least efficient when p = 2~’ + 1, where Searching. II (31 R. W. Keyes, “Physical limits in digital electronics,” in Proc. IEEE, vol. 63, p’ is also prime. In this case, the dominant computational re- pp. 740-767, May 1975. quirement is to compute g(w) when pi = ps = p’. Indeed, once [4] R. W. Landauer, “Irreversibility and heat generation in the computing pro- g(w) is known, x = log, y over GF(p) is easily found since either cess,” IBM J. Res. Deuelop., vol. 5, pp. 183-191,1961. x = g(w), or x = g(w) + p’. Whenp = 2~’ + 1, the new algorithm [5] M. V. Wilkes, Time-Sharing Computer Systems. New York: American El- sevier. 1968. r ~~ ~~ is essentially the same as Knuth’s, the exception being that need [6] A. Evans, W. Kantrowitz, and E. Weiss, “A user authentication scheme not not be l/s.A computer program was used to search for large primes requiring secrecy in the computer,” Comm. ACM, vol. 17, pp. 437-442, Aug. of this form. One such prime wasp = 2~’ + 1, with 1974. [7] G. B. Purdy, “A high security log-in procedure,” Comm. of ACM, vol. 17, pp. p’ = (2121 - 52. 72 - 112. 13.17.19.23.29.31.37 442-445. Aua. 1974. [8] R. Merkie, “gecure communication over an insecure channel,” submitted to - 41.43.47 a53 - 59) + 1. (48) Comm. of ACM. 191 W. Diffie and M. E. Hellman, “New directions in cryptography,” IEEE Trans. Both p and p’ require 60 decimal digits, i.e., are about 200 bits Inform Theory, vol. IT-22, pp. 644-654, Nov. 19761 long. A pair p and p’ of 25 digit primes of this form was also [lo] R. A. Scholtz and L. R. Welch, “Generalized residue sequence,” in Proc. Int. found, namely Conf. Comm.. Seattle. I WA. I June 1973. [ll] R. Merkle and M. E. Hellman, “Hiding information and receipts in trap door p’ = (213 - 5 * 7 - 11.13.. f 47 * 53 * 59) + 1. knapsacks,” presented at 1977 IEEE Int. Symp. Information Theory, Ithaca, (49) NY, Oct. 1977; also to appear in IEEE Trans. Inform. Theory. Note that three cannot be a factor of (p’ - l), since otherwise 2~’ [12] R. G. Archibald, An Introduction to the Theory of Numbers. Columbus, OH: Merrill, 1970. + 1 would be divisible by three and hence not prime. (One can (131 Handbook of Mathematical Functiona, M. Abramowitz and I. A. Stegun, Eds. prove that the first p and p’ are primes by checking that six and New York: Dover, 1965. two are primitive elements of GF(p’) and GF(p), respectively. [14] R. L. Rive&, A. Shamir, L. Adleman, “On digital signatures and public-key For the second pair, three and two are the corresponding primi- crvptosystems,” Dep. Elec. Enplr. and Camp Sci., M.I.T., Cambridge, MA, T&h. Rep. MIT/L&/TM-82, Apr. 1977; also, to appear in Comm of ACM as tive elements. In both cases,these are the smallest primitive el- “A method for obtaining digital signatures and public-key cryptosystems.” ements.) [15] N. J. A. Sloane, A Handbook of Integer Sequences. New York: Academic, When p = 2~’ + 1 with the p’ of (48) and r = l/s, computing 1973. g(w) by the method used in the lemma requires more than 1030 operations and more than 1030bits of memory. By choosing another value of r, one or the other of these requirements can be reduced, but both cannot be done simultaneously. Since both Optimal Source Coding for a Class of Integer Alphabets requirements are infeasible today (and will be for the next 50 years even if current cost trends continue) the new algorithm for computing logarithms mod p is infeasible for this value of p and PIERRE A. HUMBLET any choice of r. By going to a 200 digit prime of the form 2~’ + 1, one could invoke the previously mentioned physical arguments Abstract-Let p(i) be a probability measure on the set of non- to preclude use of the new algorithm forever. In contrast, expo- negative integers. The Huffman optimum encoding technique is nentiation requires only about 400 multiplications mod p and extended to a class of p(i) including those whose tail decreases three 200 bit words of memory for the 60 digit value of p, and only 1330 multiplications mod p and three 665 bit words of memory Manuscript received August 5, 1976; revised May 2, 1977. This research was when p is 200 digits long. supported by the Advanced Research Projects Agency of the U.S. Department of The new algorithm directly extends to all finite fields GF(pm) Defense and was monitored by ONR, under Contract N00014-75-C-1183. The author is with the Electronic Systems Laboratory, Department of Electrical and, in particular, is infeasible for computing logarithms over Engineering and Computer Science, Massachusetts Institute of Technology, GF(2m) when 2m - 1 is a large Mersenne prime. Using this choice Cambridge, MA 02139.

00189448/78/0100-0110$00.75 0 1978 IEEE