106 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. m24, NO. 1, JANUARY 19% 8ince~e=P&i-Q$-i=l-l-O~O=1,0nehasIk=(-l)k. a fast transform technique,” Systems Engineering Technical Me- It follows that morandum No. 52, Electronic Systems Group, Eastern Division GTE Sylvania, Waltham, MA, Aug. 19’75. pk pk-I (-Ilk [31 D. Mandelbaum, “On decoding’Ree;d-Solomon codes,” IEEE Trans. Sk-Sk-l=Qlr-~=QkQk-l> k>l Inform. Theory, vol. IT-17, pp. 707-712, Nov. 1971. [41 W. W. Peterson, Error-Correcting Codes. Cambridge, MA: M.I.T. Or Press, 1961, pp. 1688169. bl C. M. Rader, “Discrete convolution via mersenne transforms,” IEEE PkQk-1 - %8--l = (-Ilk, k > 1. (lOA) Trans. Comput., vol. C-21, pp. 1269-1273, Dec. 1972. @IR. C. Agarwal and C. S. Burrus, “Number theoretic transform to If GCD (Pk,Qk) = dk, then, by (IOA), dk ] (-l)k. This implies that implement fast digital convolution,” in Proc. IEEE, vol. 63, pp. dk = 1. Hence, GCD (Pk,Qk) = 1. 550-560, Apr. 1975. A simple example showing how to compute the rational ap- 171 I. S. Reed and T. K. Truong, “Convolutions over residue classes of quadratic integers,” IEEE Trans. Inform. Theory, vol. IT-22, pp. proximations to an irreducible rational number is presented in 468-475, July 1976. tabular form in Table II. For this example, S is the fraction PI J. H. MacClellan, “Hardware realization of a Fermat number 38/105. From the tabular form, when k = n = 6, one observes Rg transform,” IEEE Trans. on Acoustics Speech, and Signal Pro- = 0. By (?‘A), S = Ss = Ps/Q6 = 38/105. For a more detailed dis- cessing, vol. ASSP-24, pp. 216-225, June 1976. @IJ. Justesen, “On the complexity of decoding of Reed-Solomon cussion of the relation of Euclid’s algorithm to the continued codes,” IEEE Trans. Inform Theory, vol. IT-22, pp. 237-238, Mar. fraction associated with a rational element in the field of real 1976. numbers, see [la]. [a I. S. Reed, T. K. Truong, and L. R. Welch, “The fast decoding of Reed-Solomon codes using number theoretic transforms,” in the REFERENCES Deep Space Network Progress Report 42-35, Jet Propulsion Lab- oratory, Pasadena, CA, July 1976, pp. 64-78. [I] W. C. Gore, “Transmitting binary symbols with Reed-Solomon [Ill E. R. Berlekamp, Algebraic Coding Theory. New York: code,” Johns Hopkins Univ. EE Report No. 73-5, Baltimore, MD, McGraw-Hill, 1968, Ch. 7. Apr. 19’73. [I21 I. M. Vinogrodov, Elements of Number Theory. New York: Dover, [2] A. Michelson, “A new decoder for the Reed-Solomon codes using 1954, Ch. 1. Correspondence An Improved Algorithm for Computing Logarithms over one-to-one correspondencefor integer values in the range 1 I xy GP(p) and Its Cryptographic Significance <p-l. It is well-known [l, p. 3991 that exponentiation mod p is pl p, STEPHEN C. POHLIG AND MARTIN E. HELLMAN, computable with at most 2rlogs multiplications mod and MEMBER, IEEE with only three words of memory, each [logs pl bits long, where r-1 denotes the smallest integer equal to or greater than the en- Abstract-A cryptographic system is described which is secure closed number. (All logarithms not expressly mod p are over the if and only if computing logarithms over GF(p) is infeasible. Pre- reals and are to the base 2.) To give the flavor of the algorithm, viously published algorithms for computing this function require note that O(P’/~) complexity in both time and space. An improved algorithm is derived which requires O(log2 p) complexity if p - 1 has only cd8 = (((a2)2)2)2 - c?. (3) small prime factors. Such values of p must be avoided in the cryp- The inverse problem of computing logarithms mod p is be- tosystem. Constructive uses for the new algorithm are also de- lieved to be much harder, and the best previously published al- scribed. gorithm [2, p. 91 requires 2[~‘/~1 multiplications mod p, in ad- I. INTRODUCTION dition to other operations of comparable complexity. This algo- rithm also requires 2rfi] words of memory, each [logs pl bits This note considers the pair of inverse functions long. Exponentiation mod p might thus be a one-way function. An y = ax (mod p) (1) invertible function f is said to be one-way if it is easy to compute x = log, y over GF(p) (2) y = f (zc)for all x: in the domain, but it is computationally infea- sible to compute f-l(y) for almost all y in the range off. which are referred to as the exponential and logarithmic functions We have deliberately not given a precise definition of a com- to the base CX,modulo p, where p is prime, and (Yis a fixed prim- putation being “easy” or “infeasible.” In 1950, a computation itive element of GF(p). Since a is primitive, x and y are in a requiring one million instructions and 10 000 words of memory Manuscript received June 17,1976; revised April 14,1977. This work was sup- could not have been called “easy,” while today it can be accom- ported in part by the National ScienceFoundation under Grant ENG 10173,and plished in a few seconds on a small computer. Similarly, a com- in part by the Fannie and John Hertz Foundation. putation which requires 1030operations is infeasible today, but S. C. Pohlig was with the Department of Electrical Engineering, Stanford Uni- will probably not even be difficult a hundred years hence. A versity, Stanford, CA. He is now with the M.I.T. Lincoln Laboratory, Lexington, MA 02173. precise definition of a one-way function would therefore vary with M. E. Hellman is with the Department of Electrical Engineering, Stanford time and technology. It may be possible to avoid this problem by University, Stanford, CA 94305. using a currently acceptable definition of easy and a physics- OOlS-9448/78/0100-0106$00.75 0 1978 IEEE CORRESPONDENCE 107 limited definition of infeasible. Any computation that is easy In practice, M would probably be limited to be an 1 bit integer today will be no harder in the future, and a 1060bit memory will where 1 = Llogz (p - l)]. Also, restrictions might be imposed on always be unattainable because its construction requires more K (e.g.,K # 1) to avoid simple but improbable transformations. mass than exists in the solar system, even if only one molecule Condition (9) guarantees that is needed per bit of memory. Thermodynamics places a limit of approximately 1070on the number of operations which can be D=K-l(modp-1) (10) performed even if the entire energy output of the sun could be is well-defined with harnessed forever [3], [4]. We prefer to avoid such conservative definitions, however, because they may exclude practically 11DIp-2. (11) valuable one-way functions. It will be seen, however, that expo- Now let nentiation mod p may be able to satisfy even the most conser- vative definition of a one-way function. C q MK (mod p) (12) Currently, the primary use for one-way functions is in pro- tecting the password file in a time-shared computer system [5]- be the enciphering operation. Then [7]. They have other related uses [8], [9]. Their existence is also M = CD (mod p) (13) necessaryto the existence of secure cryptographic systems, be- causeany securecryptosystem can be used to produce a one-way is the deciphering operation. Both operations are easily computed function [9]; while the converse is not true in general, Section II and involve only one exponentiation mod p (equivalently 2 [log2 of this paper describes a cryptographic system which is secure pj multiplications mod p). Computing D from K need be done if and only if exponentiation mod p is one-way. only once and also requires on the order of logz p operations using Sections III and IV develop an improved algorithm for com- Euclid’s algorithm [l, Section 4.5.21. puting logarithms over GF(p). This algorithm has complexity Finding the key through cryptanalysis, on the other hand, is not much greater than that required for exponentiation mod p, equivalent to computing a logarithm over GF(p) and is thus when p - 1 has only small prime factors, but is infeasible to impossible if and only if exponentiation mod p is a one-way compute when p - 1 has a large prime factor. Although not pre- function. This is because viously published, the new algorithm was discovered indepen- dently by Roland Silver some years ago, and more recently by K = 1ogMC over GF(p) (14) Richard Schroeppel and H. Block. so that, even if the cryptanalyst has the advantage of knowing The improved algorithm dictates that p - 1 must have a large a plaintext-ciphertext pair, it is as hard to find the key as to find prime factor if exponentiation mod p is to be used as a one-way a logarithm over GF(p). Such a known plaintext cryptanalytic function or in a cryptosystem. Of course, just because Knuth’s attack [9] is a standard test applied to certify a system as secure. algorithm and the new one are not computable in practice for It and variations of it occur in practice as well. certain values of p doesnot mean that there are not more efficient Note that M must be a primitive element of GF(p) for M and algorithms for these values of p that are as yet undiscovered. C to uniquely determine K. We now show that if M is not prim- A second use of the improved algorithm is in problems where itive, or if the cryptanalyst has a number of randomly chosen M it would be useful to rapidly compute logarithms over GF(p) for - C pairs all related by the same key, then his task is not light- arbitrary but large values of p.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages5 Page
-
File Size-