Lecture 7 Discrete Logarithms
In the RSA algorithm, we saw how the difficulty of factoring yields a useful cryptosystem. There is another number theory problem, namely discrete logarithms, that has similar applications. According to Diffie, the discrete logarithm problem was suggested by Gill. The discrete logarithm problem is a major open question in public-key cryptography.
Outline
- Discrete Logarithms
- Computing Discrete Logs
- The ElGamal Public Key Cryptosystem
- Bit Commitment
1 Discrete Logarithms
Definition 1. The discrete logarithm problem (DLP) is the following: given a prime $p$, a generator $\alpha$ of $\mathbb{Z}_p^*$, and an element $\beta \in \mathbb{Z}_p^*$, find the integer $x$, $0 \le x \le p-2$, such that $\alpha^x \equiv \beta \pmod p$. Write $x = \log_\alpha \beta$.
Fact 1. Let $\alpha$ be a generator of $\mathbb{Z}_p^*$, and let $\beta, \gamma \in \mathbb{Z}_p^*$. Let $s$ be an integer. Then $\log_\alpha(\beta\gamma) \equiv (\log_\alpha \beta + \log_\alpha \gamma) \bmod (p-1)$ and $\log_\alpha(\beta^s) \equiv s \cdot \log_\alpha \beta \bmod (p-1)$.
Example 1. Let $p = 11$. A generator of $\mathbb{Z}_{11}^*$ is $\alpha = 2$. Since $2^6 \equiv 9 \pmod{11}$, $\log_2 9 = 6$ in $\mathbb{Z}_{11}^*$. Of course, $2^6 \equiv 2^{16} \equiv 2^{26} \equiv 9 \pmod{11}$.
Fact 2. The difficulty of the DLP is independent of the generator.
Let $\alpha$ and $\gamma$ be two generators of $\mathbb{Z}_p^*$, and let $\beta \in \mathbb{Z}_p^*$. Let $x = \log_\alpha \beta$, $y = \log_\gamma \beta$, and $z = \log_\alpha \gamma$. Then $\alpha^x = \gamma^y = (\alpha^z)^y$. Consequently $x \equiv zy \pmod{p-1}$, and
$$\log_\gamma \beta \equiv (\log_\alpha \beta)(\log_\alpha \gamma)^{-1} \pmod{p-1}.$$
This means that any algorithm which computes logarithms to the base $\alpha$ can be used to compute logarithms to any other base $\gamma$ that is also a generator of $\mathbb{Z}_p^*$.
Definition 2. The generalized discrete logarithm problem (GDLP) is the following: given a finite cyclic group $G$ of order $n$, a generator $\alpha$ of $G$, and an element $\beta \in G$, find the integer $x$, $0 \le x \le n-1$, such that $\alpha^x = \beta$.
Comment. A more general formulation of the GDLP is the following: given a finite group $G$ and elements $\alpha, \beta \in G$, find an integer $x$ such that $\alpha^x = \beta$, provided that such an integer exists. In this formulation, it is not required that $G$ be a cyclic group, and, even if it is, it is not required that $\alpha$ be a generator of $G$. This problem may be harder to solve, in general, than the GDLP.
2 Computing Discrete Logs
2.1 Exhaustive Search
The most obvious algorithm for the DLP is to successively compute $\alpha^0, \alpha^1, \alpha^2, \ldots$ until $\beta$ is obtained. This method takes $O(p-1)$ multiplications, where $p-1$ is the order of $\alpha$, and is therefore inefficient if $p$ is large (i.e. in cases of cryptographic interest).
2.2 Baby-Step Giant-Step Algorithm
Let $m = \lceil \sqrt{p-1} \rceil$, where $p-1$ is the order of $\alpha$. The baby-step giant-step algorithm is a time-memory trade-off of the method of exhaustive search and is based on the following observation. If $\beta = \alpha^x$, then one can write $x = im + j$, where $0 \le i, j < m$. Hence $\alpha^x = \alpha^{im}\alpha^j$, which implies $\beta(\alpha^{-m})^i = \alpha^j$. This suggests the following algorithm for computing $x$.
2.2 Baby-Step Giant-Step Algorithm (Continued)
Algorithm 1 Baby-step giant-step algorithm
INPUT: a generator $\alpha$ of order $p-1$, and an element $\beta$.
OUTPUT: the discrete logarithm $x = \log_\alpha \beta$.
(1) Set $m \leftarrow \lceil \sqrt{p-1} \rceil$.
(2) Construct a table with entries $(j, \alpha^j)$ for $0 \le j < m$. Sort this table by second component.
(3) Compute $\alpha^{-m}$ and set $\gamma \leftarrow \beta$.
(4) For $i$ from $0$ to $m-1$ do the following:
(4.1) Check if $\gamma$ is the second component of some entry in the table.
(4.2) If $\gamma = \alpha^j$ then return $(x = im + j)$.
(4.3) Set $\gamma \leftarrow \gamma \cdot \alpha^{-m}$.
2.2 Baby-Step Giant-Step Algorithm (Continued)
Comment. Algorithm 1 requires storage for $O(\sqrt{p-1})$ group elements. The table takes $O(\sqrt{p-1})$ multiplications to construct, and $O(\sqrt{p-1}\,\lg\sqrt{p-1})$ comparisons to sort. Having constructed this table, step (4) takes $O(\sqrt{p-1})$ multiplications and $O(\sqrt{p-1})$ table look-ups. Under the assumption that a multiplication takes more time than $\lg\sqrt{p-1}$ comparisons, the running time of Algorithm 1 can be stated more concisely as follows. The running time of the baby-step giant-step algorithm is $O(\sqrt{p-1})$ multiplications.
2.2 Baby-Step Giant-Step Algorithm (Continued)
Example 2. Let $p = 113$. The element $\alpha = 3$ is a generator of order $p-1 = 112$. Consider $\beta = 57$. Then $\log_3 57$ is computed as follows.
(1) Set $m \leftarrow \lceil\sqrt{112}\rceil = 11$.
(2) Construct a table whose entries are $(j, \alpha^j \bmod p)$ for $0 \le j < 11$, and sort the table by second component:

j               0   1   8   2   5   9   3   7   6  10   4
3^j (mod 113)   1   3   7   9  17  21  27  40  51  63  81

(3) Compute $\alpha^{-1} = 3^{-1} \bmod 113 = 38$ and then compute $\alpha^{-m} = 38^{11} \bmod 113 = 58$.
(4) $\gamma = \beta \cdot \alpha^{-mi} \bmod 113$ for $i = 0, 1, 2, \ldots$ is computed until a value in the second row of the table is obtained. This yields:

i                      0   1    2   3    4   5   6   7   8   9
57 * 58^i (mod 113)   57  29  100  37  112  55  26  39   2   3

Finally, since $\beta\alpha^{-mi} = 3 = \alpha^1$ at $i = 9$, $\beta = \alpha^{9 \cdot 11 + 1} = \alpha^{100}$, and, therefore, $\log_3 57 = 100$.
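The following is an added worked example, not code from the lecture: Algorithm 1 in Python, with the exhaustive search of Section 2.1 as a cross-check and the change-of-base identity of Fact 2 built on top of it. The function names are my own; a dictionary keyed on $\alpha^j$ replaces the sorted table of step (2), and `pow(alpha, -m, p)` computes $\alpha^{-m}$ directly. Run on the lecture's numbers it reproduces $\log_3 57 = 100$ in $\mathbb{Z}_{113}^*$ and $\log_2 9 = 6$ in $\mathbb{Z}_{11}^*$.

```python
import math

def brute_force_log(alpha, beta, p):
    """Exhaustive search (Section 2.1): compute alpha^0, alpha^1, ... until beta appears."""
    value = 1
    for x in range(p - 1):
        if value == beta % p:
            return x
        value = value * alpha % p
    raise ValueError("beta is not a power of alpha")

def baby_step_giant_step(alpha, beta, p):
    """Algorithm 1: x with alpha^x = beta (mod p), where alpha generates Z_p^* (order p-1)."""
    n = p - 1                                  # order of alpha
    m = math.isqrt(n - 1) + 1                  # m = ceil(sqrt(n)) for n >= 2
    # Baby steps: table alpha^j -> j for 0 <= j < m (a dict instead of a sorted table).
    table = {}
    value = 1
    for j in range(m):
        table.setdefault(value, j)
        value = value * alpha % p
    # Giant steps: gamma = beta * (alpha^-m)^i for i = 0, 1, ..., m-1.
    alpha_inv_m = pow(alpha, -m, p)            # alpha^{-m} mod p
    gamma = beta % p
    for i in range(m):
        if gamma in table:
            return (i * m + table[gamma]) % n  # x = i*m + j
        gamma = gamma * alpha_inv_m % p
    raise ValueError("no logarithm found; is alpha a generator?")

def log_to_other_base(alpha, gamma, beta, p):
    """Fact 2: log_gamma(beta) = log_alpha(beta) * (log_alpha(gamma))^-1 mod (p-1),
    so one base-alpha solver serves every generator gamma."""
    n = p - 1
    x = baby_step_giant_step(alpha, beta, p)   # log_alpha beta
    z = baby_step_giant_step(alpha, gamma, p)  # log_alpha gamma, coprime to n since gamma generates
    return x * pow(z, -1, n) % n

if __name__ == "__main__":
    print(baby_step_giant_step(3, 57, 113))    # Example 2: 100
    print(baby_step_giant_step(2, 9, 11))      # Example 1: 6
    print(log_to_other_base(2, 8, 9, 11))      # log_8 9 in Z_11^*: 2, since 8^2 = 64 = 9 (mod 11)
```

The giant-step loop stops at the first hit, so for the Example 2 inputs it visits exactly the ten values $57, 29, 100, \ldots, 3$ in the table above before returning at $i = 9$.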
2.3 Pollard’s Rho Algorithm
The group $\mathbb{Z}_p^*$ is partitioned into three sets $S_1$, $S_2$, and $S_3$ of roughly equal size based on some easily testable property. Some care must be exercised in selecting the partition, for example, $1 \notin S_2$. Define a sequence of group elements $x_0, x_1, x_2, \ldots$ by $x_0 = 1$ and
$$x_{i+1} = f(x_i) = \begin{cases} \beta \cdot x_i, & \text{if } x_i \in S_1 \\ x_i^2, & \text{if } x_i \in S_2 \\ \alpha \cdot x_i, & \text{if } x_i \in S_3 \end{cases}$$
for $i \ge 0$. This sequence of group elements in turn defines two sequences of integers $a_0, a_1, a_2, \ldots$ and $b_0, b_1, b_2, \ldots$ satisfying $x_i = \alpha^{a_i}\beta^{b_i}$ for $i \ge 0$. So, $a_0 = 0$, $b_0 = 0$, and for $i \ge 0$,
2.3 Pollard’s Rho Algorithm (Continued)
$$a_{i+1} = \begin{cases} a_i, & \text{if } x_i \in S_1 \\ 2a_i, & \text{if } x_i \in S_2 \\ a_i + 1, & \text{if } x_i \in S_3 \end{cases} \qquad \text{and} \qquad b_{i+1} = \begin{cases} b_i + 1, & \text{if } x_i \in S_1 \\ 2b_i, & \text{if } x_i \in S_2 \\ b_i, & \text{if } x_i \in S_3. \end{cases}$$
We can find two group elements $x_i$ and $x_{2i}$ such that $x_i = x_{2i}$. Hence $\alpha^{a_i}\beta^{b_i} = \alpha^{a_{2i}}\beta^{b_{2i}}$, and so $\beta^{b_i - b_{2i}} = \alpha^{a_{2i} - a_i}$. Taking logarithms to the base $\alpha$ of both sides of this last equation yields
$$(b_i - b_{2i}) \cdot \log_\alpha \beta \equiv (a_{2i} - a_i) \pmod{p-1}.$$
Provided $b_i \not\equiv b_{2i} \pmod{p-1}$, this equation can then be efficiently solved to determine $\log_\alpha \beta$.
2.3 Pollard’s Rho Algorithm (Continued)
Algorithm 2 Pollard's rho algorithm
INPUT: a generator $\alpha$ of prime order $p-1$, and an element $\beta$.
OUTPUT: the discrete logarithm $x = \log_\alpha \beta$.
(1) Set $x_0 \leftarrow 1$, $a_0 \leftarrow 0$, $b_0 \leftarrow 0$.
(2) For $i = 1, 2, \ldots$ do the following:
(2.1) Using the quantities $x_{i-1}, a_{i-1}, b_{i-1}$ and $x_{2i-2}, a_{2i-2}, b_{2i-2}$ computed previously, compute $x_i, a_i, b_i$ and $x_{2i}, a_{2i}, b_{2i}$ using the previous equations.
(2.2) If $x_i = x_{2i}$, then do the following:
Set $r \leftarrow b_i - b_{2i} \pmod{p-1}$.
If $r = 0$, then terminate the algorithm with failure; otherwise, compute $x \leftarrow r^{-1}(a_{2i} - a_i) \pmod{p-1}$ and return $(x)$.
2.3 Pollard’s Rho Algorithm (Continued)
Comment.
(1) Pollard's rho algorithm for computing discrete logarithms is a randomized algorithm with the same expected running time as the baby-step giant-step algorithm, but which requires a negligible amount of storage.
(2) In the rare case that Algorithm 2 terminates with failure, the procedure can be repeated by selecting random integers $a_0, b_0$ in the interval $[1, p-2]$, and starting with $x_0 = \alpha^{a_0}\beta^{b_0}$.
2.3 Pollard’s Rho Algorithm (Continued)
Example 3. The element $\alpha = 2$ is a generator of the subgroup of $\mathbb{Z}_{383}^*$ of order $n = 191$. Suppose $\beta = 228$. Partition the elements of $\mathbb{Z}_{383}^*$ into three subsets according to the rule $x \in S_1$ if $x \equiv 1 \pmod 3$, $x \in S_2$ if $x \equiv 0 \pmod 3$, and $x \in S_3$ if $x \equiv 2 \pmod 3$. We show the values of $x_i, a_i, b_i, x_{2i}, a_{2i}$, and $b_{2i}$ at the end of each iteration of step 2 of Algorithm 2.
Note that $x_{14} = x_{28} = 144$. Finally, compute $r = (b_{14} - b_{28}) \bmod 191 = 125$, $r^{-1} = 125^{-1} \bmod 191 = 136$, and $r^{-1}(a_{28} - a_{14}) \bmod 191 = 110$. Hence, $\log_2 228 = 110$.
2.3 Pollard’s Rho Algorithm (Continued)
 i    x_i   a_i   b_i   x_2i   a_2i   b_2i
 1    228     0     1    279      0      2
 2    279     0     2    184      1      4
 3     92     0     4     14      1      6
 4    184     1     4    256      2      7
 5    205     1     5    304      3      8
 6     14     1     6    121      6     18
 7     28     2     6    144     12     38
 8    256     2     7    235     48    152
 9    152     2     8     72     48    154
10    304     3     8     14     96    118
11    372     3     9    256     97    119
12    121     6    18    304     98    120
13     12     6    19    121      5     51
14    144    12    38    144     10    104
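As an added example (my own code, not the lecture's), here is Algorithm 2 with the partition rule of Example 3 ($x \bmod 3$ decides $S_1$, $S_2$, $S_3$). The exponents $a_i, b_i$ are kept modulo the order $n$ of $\alpha$, which is the page's $p-1$ in Algorithm 2 and $191$ in Example 3; `rho_sequence` yields exactly the rows of the table above, and `pollard_rho_log` walks that sequence until $x_i = x_{2i}$, returning `None` on the $r = 0$ failure case so the caller can restart with random $a_0, b_0$ as comment (2) describes.

```python
def rho_sequence(alpha, beta, p, n):
    """Yields rows (i, x_i, a_i, b_i, x_2i, a_2i, b_2i) for i = 1, 2, ...
    alpha has order n in Z_p^*; exponents a, b are reduced modulo n."""
    def step(x, a, b):
        # Partition of Example 3: S1 = {x = 1 mod 3}, S2 = {x = 0 mod 3}, S3 = {x = 2 mod 3};
        # 1 lies in S1, not S2, as the text requires.
        if x % 3 == 1:                                # S1: multiply by beta
            return beta * x % p, a, (b + 1) % n
        if x % 3 == 0:                                # S2: square
            return x * x % p, 2 * a % n, 2 * b % n
        return alpha * x % p, (a + 1) % n, b          # S3: multiply by alpha

    slow = (1, 0, 0)      # (x_0, a_0, b_0): x_0 = alpha^0 beta^0 = 1
    fast = (1, 0, 0)      # advances two steps per iteration to track x_2i
    i = 0
    while True:
        i += 1
        slow = step(*slow)                            # x_i, a_i, b_i
        fast = step(*step(*fast))                     # x_2i, a_2i, b_2i
        yield (i,) + slow + fast

def rho_table(alpha, beta, p, n, rows):
    """The first `rows` rows of rho_sequence as a list (for comparison with the lecture's table)."""
    out = []
    for row in rho_sequence(alpha, beta, p, n):
        out.append(row)
        if len(out) == rows:
            return out

def pollard_rho_log(alpha, beta, p, n):
    """Algorithm 2: returns log_alpha beta, or None when r = b_i - b_2i = 0 mod n (rare failure)."""
    for i, x, a, b, x2, a2, b2 in rho_sequence(alpha, beta, p, n):
        if x == x2:                                   # collision x_i = x_2i found
            r = (b - b2) % n
            if r == 0:
                return None                           # caller restarts with random a_0, b_0
            return pow(r, -1, n) * (a2 - a) % n       # x = r^-1 (a_2i - a_i) mod n

if __name__ == "__main__":
    for row in rho_table(2, 228, 383, 191, 14):
        print(row)                                    # last row: (14, 144, 12, 38, 144, 10, 104)
    print(pollard_rho_log(2, 228, 383, 191))          # 110
```

Because the sequence is deterministic, the collision lands at $i = 14$ with $r = 38 - 104 \equiv 125$, and $136 \cdot (10 - 12) \equiv 110 \pmod{191}$, matching the hand computation above.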
2.4 Pohlig-Hellman Algorithm
Fact 3. Let $\alpha$ be a generator of $\mathbb{Z}_p^*$, and assume that $\beta \equiv \alpha^x$, $0 \le x < p-1$. We can easily find the last bit of $x$.
Note that $(\alpha^{(p-1)/2})^2 = \alpha^{p-1} \equiv 1 \pmod p$, so $\alpha^{(p-1)/2} \equiv \pm 1 \pmod p$. However, $p-1$ is assumed to be the smallest exponent to yield $1$, so we have $\alpha^{(p-1)/2} \equiv -1 \pmod p$. Hence
$$\beta^{(p-1)/2} \equiv \alpha^{x(p-1)/2} \equiv (-1)^x \pmod p.$$
If $\beta^{(p-1)/2} \equiv 1$, then $x$ is even; otherwise, $x$ is odd.
Example 4. Suppose we want to solve $2^x \equiv 9 \pmod{11}$. Since $\beta^{(p-1)/2} \equiv 9^5 \equiv 1 \pmod{11}$, we must have $x$ even. In fact, $x = 6$.
2.4 Pohlig-Hellman Algorithm (Continued)
Algorithm 3 Pohlig-Hellman algorithm
INPUT: a generator $\alpha$ of order $p-1$, and an element $\beta$.
OUTPUT: the discrete logarithm $x = \log_\alpha \beta$.
(1) Find the prime factorization of $p-1 = p_1^{e_1} p_2^{e_2} \cdots p_r^{e_r}$, where $e_i \ge 1$.
(2) For $i$ from $1$ to $r$ do the following:
(Compute $x_i = l_0 + l_1 p_i + \cdots + l_{e_i - 1} p_i^{e_i - 1}$, where $x_i \equiv x \pmod{p_i^{e_i}}$)
(2.1) (Simplify the notation) Set $q \leftarrow p_i$ and $e \leftarrow e_i$.
(2.2) Set $\gamma \leftarrow 1$ and $l_{-1} \leftarrow 0$.
(2.3) Compute $\bar\alpha \leftarrow \alpha^{(p-1)/q}$.
(2.4) (Compute the $l_j$) For $j$ from $0$ to $e-1$ do the following:
Compute $\gamma \leftarrow \gamma\,\alpha^{l_{j-1} q^{j-1}} \pmod p$ and $\bar\beta \leftarrow (\beta\gamma^{-1})^{(p-1)/q^{j+1}} \pmod p$.
Compute $l_j \leftarrow \log_{\bar\alpha} \bar\beta$.
(2.5) Set $x_i \leftarrow l_0 + l_1 q + \cdots + l_{e-1} q^{e-1}$.
(3) Use the Chinese remainder theorem to compute the integer $x$, $0 \le x \le p-2$, such that $x \equiv x_i \pmod{p_i^{e_i}}$ for $1 \le i \le r$.
(4) Return$(x)$.
2.4 Pohlig-Hellman Algorithm (Continued)
Let $p-1 = p_1^{e_1} p_2^{e_2} \cdots p_r^{e_r}$ be the prime factorization. If $x = \log_\alpha \beta$, then the approach is to determine $x_i \equiv x \pmod{p_i^{e_i}}$ for $1 \le i \le r$, and then use the Chinese remainder theorem to compute the integer $x$ modulo $p-1$. Each integer $x_i$ is determined by computing the digits $l_0, l_1, \ldots, l_{e_i - 1}$ in turn of its $p_i$-ary representation $x_i = l_0 + l_1 p_i + \cdots + l_{e_i - 1} p_i^{e_i - 1}$, where $0 \le l_j \le p_i - 1$.
Observe first that in step (2.3) the order of $\bar\alpha$ is $q$. Next, at iteration $j$ of step (2.4), $\gamma = \alpha^{l_0 + l_1 q + \cdots + l_{j-1} q^{j-1}}$. Hence,
$$\bar\beta = (\beta\gamma^{-1})^{(p-1)/q^{j+1}} = \big(\alpha^{x - (l_0 + l_1 q + \cdots + l_{j-1} q^{j-1})}\big)^{(p-1)/q^{j+1}} = \big(\alpha^{(p-1)/q^{j+1}}\big)^{l_j q^j + l_{j+1} q^{j+1} + \cdots + l_{e-1} q^{e-1}} = \big(\alpha^{(p-1)/q}\big)^{l_j + l_{j+1} q + \cdots + l_{e-1} q^{e-1-j}} = (\bar\alpha)^{l_j} \pmod p,$$
the last equality being true because $\bar\alpha$ has order $q$ (Fermat's theorem gives $\alpha^{p-1} \equiv 1$, so the terms with a factor $q$ in the exponent vanish). Hence $\log_{\bar\alpha} \bar\beta$ is indeed equal to $l_j$.
2.4 Pohlig-Hellman Algorithm (Continued)
Comment.
(1) Given the factorization of $p-1$, the running time of the Pohlig-Hellman algorithm is $O\big(\sum_{i=1}^{r} e_i\,(\lg(p-1) + \sqrt{p_i})\big)$ multiplications.
(2) (1) implies that the Pohlig-Hellman algorithm is efficient only if each prime divisor $p_i$ of $p-1$ is relatively small. Consider $\mathbb{Z}_p^*$ where $p$ is the 107-digit prime:
p = 22708823198678103974314518195029102158525052496759285596453269189798311427475159776411276642277139650833937.
The order is $p-1 = 2^4 \cdot 104729^8 \cdot 224737^8 \cdot 350377^4$. Since the largest prime divisor of $p-1$ is only $350377$, it is relatively easy to compute logarithms using the Pohlig-Hellman algorithm.
(3) If the order $p-1$ is not a smooth integer, then Algorithm 3 is inefficient anyway.
2.4 Pohlig-Hellman Algorithm (Continued)
Example 5. Let $p = 251$. The element $\alpha = 71$ is a generator. Consider $\beta = 210$. Then $x = \log_{71} 210$ is computed as follows.
(1) The prime factorization of $n = 250 = 2 \cdot 5^3$.
(2) (2.1) (Compute $x_1 \equiv x \pmod 2$)
Compute $\bar\alpha = \alpha^{n/2} \bmod p = 250$ and $\bar\beta = \beta^{n/2} \bmod p = 250$. Then $x_1 = \log_{250} 250 = 1$.
(2.2) (Compute $x_2 \equiv x \pmod{5^3} = l_0 + l_1 \cdot 5 + l_2 \cdot 5^2$)
(2.2.1) Compute $\bar\alpha = \alpha^{n/5} \bmod p = 20$.
(2.2.2) Compute $\gamma = 1$ and $\bar\beta = (\beta\gamma^{-1})^{n/5} \bmod p = 149$. Using exhaustive search, compute $l_0 = \log_{20} 149 = 2$.
(2.2.3) Compute $\gamma = \gamma\alpha^2 \bmod p = 21$ and $\bar\beta = (\beta\gamma^{-1})^{n/25} \bmod p = 113$. Using exhaustive search, compute $l_1 = \log_{20} 113 = 4$.
(2.2.4) Compute $\gamma = \gamma\alpha^{4 \cdot 5} \bmod p = 115$ and $\bar\beta = (\beta\gamma^{-1})^{n/125} \bmod p = 149$. Using exhaustive search, compute $l_2 = \log_{20} 149 = 2$.
Hence, $x_2 = 2 + 4 \cdot 5 + 2 \cdot 5^2 = 72$.
(3) Finally, solve the pair of congruences $x \equiv 1 \pmod 2$, $x \equiv 72 \pmod{125}$ to get $x = \log_{71} 210 = 197$.
2.5 The Index-Calculus Algorithm
The index-calculus algorithm is the most powerful method known for computing discrete logarithms. The technique employed does not apply to all groups, but when it does, it often gives a sub-exponential time algorithm. Here, the algorithm works in $\mathbb{Z}_p^*$.
The index-calculus algorithm requires the selection of a relatively small subset $S$ of elements of $\mathbb{Z}_p^*$, called the factor base, in such a way that a significant fraction of elements of $\mathbb{Z}_p^*$ can be efficiently expressed as products of elements from $S$.
2.5 The Index-Calculus Algorithm (Continued)
Algorithm 4 Index-calculus algorithm
INPUT: a generator $\alpha$ of $\mathbb{Z}_p^*$, and an element $\beta$.
OUTPUT: the discrete logarithm $x = \log_\alpha \beta$.
(1) (Select a factor base $S$) Choose a subset $S = \{p_1, p_2, \ldots, p_t\}$ of $\mathbb{Z}_p^*$ such that a "significant proportion" of all elements in $\mathbb{Z}_p^*$ can be efficiently expressed as a product of elements from $S$.
(2) (Collect linear relations involving logarithms of elements in $S$)
(2.1) Select a random integer $k$, $0 \le k \le n-1$ (here $n = p-1$), and compute $\alpha^k$.
(2.2) Try to write $\alpha^k$ as a product of elements in $S$:
$$\alpha^k \equiv \prod_{i=1}^{t} p_i^{c_i} \pmod p, \qquad c_i \ge 0.$$
If successful, take logarithms of both sides of the equation to obtain a linear relation
$$k \equiv \sum_{i=1}^{t} c_i \log_\alpha p_i \pmod{p-1}.$$
(2.3) Repeat steps (2.1) and (2.2) until $t + c$ relations are obtained ($c$ is a small positive integer, such that the system of equations given has a unique solution).
2.5 The Index-Calculus Algorithm (Continued)
Algorithm 4 Index-calculus algorithm (Continued)
(3) (Find the logarithms of elements in $S$) Working modulo $p-1$, solve the linear system of $t + c$ equations collected in step 2 to obtain the values of $\log_\alpha p_i$, $1 \le i \le t$.
(4) (Compute $y$)
(4.1) Select a random integer $k$, $0 \le k \le n-1$, and compute $\beta\alpha^k$.
(4.2) Try to write $\beta\alpha^k$ as a product of elements in $S$:
$$\beta\alpha^k \equiv \prod_{i=1}^{t} p_i^{d_i} \pmod p, \qquad d_i \ge 0.$$
If the attempt is unsuccessful then repeat step 4.1. Otherwise, taking logarithms of both sides of the equation yields
$$\log_\alpha \beta = \Big(\sum_{i=1}^{t} d_i \log_\alpha p_i - k\Big) \bmod (p-1) = x.$$
Return$(x)$.
2.5 The Index-Calculus Algorithm (Continued)
Comment.
(1) The algorithm first precomputes a database containing the logarithms of all the elements in $S$, and then reuses this database each time the logarithm of a particular group element is required.
(2) The description of Algorithm 4 is incomplete for two reasons. Firstly, a technique for selecting the factor base $S$ is not specified. Secondly, a method for efficiently generating relations is not specified.
(3) For the field $\mathbb{Z}_p^*$, the factor base $S$ can be chosen as the first $t$ prime numbers.
2.5 The Index-Calculus Algorithm (Continued)
Example 6. Let $p = 229$. The element $\alpha = 6$ is a generator of $\mathbb{Z}_p^*$. Consider $\beta = 13$. Then $\log_6 13$ is computed as follows, using the index-calculus technique.
(1) The factor base is chosen to be the first 5 primes: $S = \{2, 3, 5, 7, 11\}$.
(2) The following six relations involving elements of the factor base are obtained (unsuccessful attempts are not shown):
$6^{100} \bmod 229 = 180 = 2^2 \cdot 3^2 \cdot 5$
$6^{18} \bmod 229 = 176 = 2^4 \cdot 11$
$6^{12} \bmod 229 = 165 = 3 \cdot 5 \cdot 11$
$6^{62} \bmod 229 = 154 = 2 \cdot 7 \cdot 11$
$6^{143} \bmod 229 = 198 = 2 \cdot 3^2 \cdot 11$
$6^{206} \bmod 229 = 210 = 2 \cdot 3 \cdot 5 \cdot 7.$
2.5 The Index-Calculus Algorithm (Continued)
Example 6 (Continued). These relations yield the following six equations involving the logarithms of elements in the factor base:
$100 \equiv 2\log_6 2 + 2\log_6 3 + \log_6 5 \pmod{228}$
$18 \equiv 4\log_6 2 + \log_6 11 \pmod{228}$
$12 \equiv \log_6 3 + \log_6 5 + \log_6 11 \pmod{228}$
$62 \equiv \log_6 2 + \log_6 7 + \log_6 11 \pmod{228}$
$143 \equiv \log_6 2 + 2\log_6 3 + \log_6 11 \pmod{228}$
$206 \equiv \log_6 2 + \log_6 3 + \log_6 5 + \log_6 7 \pmod{228}.$
(3) Solving the linear system of six equations in five unknowns (the logarithms $x_i = \log_6 p_i$) yields the solutions $\log_6 2 = 21$, $\log_6 3 = 208$, $\log_6 5 = 98$, $\log_6 7 = 107$, and $\log_6 11 = 162$.
(4) Suppose that the integer $k = 77$ is selected. Since $\beta\alpha^k = 13 \cdot 6^{77} \bmod 229 = 147 = 3 \cdot 7^2$, it follows that $\log_6 13 = (\log_6 3 + 2\log_6 7 - 77) \bmod 228 = 117$.
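An added example (mine, not the lecture's) of steps (1), (2) and (4) of Algorithm 4 on the numbers of Example 6. The factor-base smoothness test is trial division over $S$, which is how relation (2.2) and the final factoring in (4.2) are decided; the linear-algebra step (3) is not implemented here, so the factor-base logarithms are taken from the page's solution and `check_factor_base_logs` verifies that they satisfy every collected relation modulo $p-1$. All function and constant names are my own. With the six exponents $k$ of the example it recovers the six relations above, and with $k = 77$ it returns $\log_6 13 = 117$.

```python
P, ALPHA, BETA = 229, 6, 13
FACTOR_BASE = [2, 3, 5, 7, 11]                      # step (1): the first five primes
PAGE_KS = [100, 18, 12, 62, 143, 206]               # the k's behind the six relations of Example 6
PAGE_LOGS = [21, 208, 98, 107, 162]                 # log_6 p_i from step (3), as solved on the page

def factor_over_base(value, base):
    """Trial-divide value over the factor base; returns the exponent list, or None if not smooth."""
    exps = []
    for q in base:
        e = 0
        while value % q == 0:
            value //= q
            e += 1
        exps.append(e)
    return exps if value == 1 else None

def collect_relations(alpha, p, base, ks):
    """Step (2): for each exponent k in ks, try to write alpha^k mod p over the factor base.
    Returns [(k, [c_1, ..., c_t])] for the k that succeed; non-smooth powers are skipped."""
    relations = []
    for k in ks:
        exps = factor_over_base(pow(alpha, k, p), base)
        if exps is not None:
            relations.append((k, exps))
    return relations

def check_factor_base_logs(relations, logs, p):
    """Step (3) check: every relation k = sum c_i * log p_i must hold modulo p - 1."""
    return all(sum(c * l for c, l in zip(exps, logs)) % (p - 1) == k % (p - 1)
               for k, exps in relations)

def individual_log(alpha, beta, p, base, logs, ks):
    """Step (4): find k with beta * alpha^k smooth; then log beta = sum d_i log p_i - k mod (p - 1).
    Returns None if no k in ks works (the caller would then try more k)."""
    for k in ks:
        exps = factor_over_base(beta * pow(alpha, k, p) % p, base)
        if exps is not None:
            return (sum(d * l for d, l in zip(exps, logs)) - k) % (p - 1)
    return None

if __name__ == "__main__":
    rels = collect_relations(ALPHA, P, FACTOR_BASE, PAGE_KS)
    for k, exps in rels:
        print(k, exps)                              # e.g. 100 [2, 2, 1, 0, 0] for 180 = 2^2 3^2 5
    print(check_factor_base_logs(rels, PAGE_LOGS, P))  # True
    print(individual_log(ALPHA, BETA, P, FACTOR_BASE, PAGE_LOGS, [77]))  # 117
```

Passing `range(p - 1)` as `ks` to `collect_relations` shows how many exponents are smooth over this factor base, which is the "significant proportion" the algorithm relies on; the database of factor-base logarithms is computed once and then reused for every $\beta$, which is why comment (1) and Section 3.4 (3) treat it as the expensive, shareable part of the computation.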
3 The ElGamal Public Key Cryptosystem
The security of the ElGamal public-key encryption scheme relies on the intractability of the discrete logarithm problem and the Diffie-Hellman problem. The basic ElGamal encryption scheme was proposed by ElGamal in 1985.
3.1 Description
Algorithm 5 Key generation for ElGamal public-key encryption
SUMMARY: each entity creates a public key and a corresponding private key.
Each entity A should do the following:
(1) Generate a large random prime $p$ and a generator $\alpha$ of the multiplicative group $\mathbb{Z}_p^*$ of the integers modulo $p$.
(2) Select a random integer $a$, $1 \le a \le p-2$, and compute $\alpha^a \bmod p$.
(3) A's public key is $(p, \alpha, \alpha^a)$; A's private key is $a$.
3.1 Description (Continued)
Algorithm 6 ElGamal public-key encryption
SUMMARY: B encrypts a message $m$ for A, which A decrypts.
Encryption. B should do the following:
(1) Obtain A's authentic public key $(p, \alpha, \alpha^a)$.
(2) Represent the message as an integer $m$ in the range $[0, p-1]$.
(3) Select a random integer $k$, $1 \le k \le p-2$.
(4) Compute $\gamma = \alpha^k \bmod p$ and $\delta = m \cdot (\alpha^a)^k \bmod p$.
(5) Send the ciphertext $c = (\gamma, \delta)$ to A.
Decryption. To recover plaintext $m$ from $c$, A should do the following:
(1) Use the private key $a$ to compute $\gamma^{p-1-a} \bmod p$ (note: $\gamma^{p-1-a} = \gamma^{-a} = \alpha^{-ak}$).
(2) Recover $m$ by computing $(\gamma^{-a}) \cdot \delta \bmod p$.
3.1 Description (Continued)
Proof that decryption works. The decryption of Algorithm 6 allows recovery of the original plaintext because
$$\gamma^{-a} \cdot \delta \equiv \alpha^{-ak} \cdot m \cdot \alpha^{ak} \equiv m \pmod p.$$
Comment. All entities may elect to use the same prime $p$ and generator $\alpha$, in which case $p$ and $\alpha$ need not be published as part of the public key. This results in public keys of smaller sizes. A potential disadvantage of common system-wide parameters is that larger moduli $p$ may be warranted.
3.2 Example
Example 7.
Key generation. Entity A selects the prime $p = 2357$ and a generator $\alpha = 2$ of $\mathbb{Z}_{2357}^*$. A chooses the private key $a = 1751$ and computes $\alpha^a \bmod p = 2^{1751} \bmod 2357 = 1185$.
A's public key is $(p = 2357, \alpha = 2, \alpha^a = 1185)$.
Encryption. To encrypt a message $m = 2035$, B selects a random integer $k = 1520$ and computes
$\gamma = 2^{1520} \bmod 2357 = 1430$
and
$\delta = 2035 \cdot 1185^{1520} \bmod 2357 = 697.$
B sends $\gamma = 1430$ and $\delta = 697$ to A.
Decryption. To decrypt, A computes
$\gamma^{p-1-a} = 1430^{605} \bmod 2357 = 872,$
and recovers $m$ by computing
$m = 872 \cdot 697 \bmod 2357 = 2035.$
3.3 Efficiency of ElGamal Encryption
(1) The encryption process requires two modular exponentiations, namely $\alpha^k \bmod p$ and $(\alpha^a)^k \bmod p$. These exponentiations can be sped up by selecting random exponents $k$ having some additional structure, for example, having low Hamming weights. Care must be taken that the possible number of exponents is large enough to preclude a search via a baby-step giant-step algorithm.
(2) A disadvantage of ElGamal encryption is that there is message expansion by a factor of 2. That is, the ciphertext is twice as long as the corresponding plaintext.
3.4 Security of ElGamal Encryption
(1) It is critical that different random integers $k$ be used to encrypt different messages. Suppose the same $k$ is used to encrypt two messages $m_1$ and $m_2$ and the resulting ciphertext pairs are $(\gamma_1, \delta_1)$ and $(\gamma_2, \delta_2)$. Then $\delta_1/\delta_2 = m_1/m_2$, and $m_2$ could be easily computed if $m_1$ were known.
(2) The problem of breaking the ElGamal encryption scheme, i.e., recovering $m$ given $p$, $\alpha$, $\alpha^a$, $\gamma$, and $\delta$, is always said to be based on the discrete logarithm problem in $\mathbb{Z}_p^*$, although such an equivalence has not been proven.
3.4 Security of ElGamal Encryption (Continued)
(3) Given the latest progress on the discrete logarithm problem in $\mathbb{Z}_p^*$, 1024-bit or larger moduli should be used. For common system-wide parameters even larger key sizes may be warranted. This is because the dominant stage in the index-calculus algorithm for discrete logarithms in $\mathbb{Z}_p^*$ is the precomputation of a database of factor-base logarithms, following which individual logarithms can be computed relatively quickly. Thus computing the database of logarithms for one particular modulus $p$ will compromise the secrecy of all private keys derived using $p$.
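The following added example (my own code, not from the lecture) implements Algorithms 5 and 6 and reproduces Example 7, then illustrates Section 3.4 (1): when two ciphertexts share $k$ they share $\gamma$, which is how a reviewer or monitor can detect nonce reuse, and $\delta_1/\delta_2 = m_1/m_2$ then ties the two plaintexts together. Function names are mine; `secrets` supplies the random $a$ and $k$ when none is given, and the fixed $a$ and $k$ of Example 7 are passed in explicitly only to match the page's numbers.

```python
import secrets

def elgamal_keygen(p, alpha, a=None):
    """Algorithm 5: private key a in [1, p-2]; public key (p, alpha, alpha^a mod p)."""
    if a is None:
        a = 1 + secrets.randbelow(p - 2)
    return (p, alpha, pow(alpha, a, p)), a

def elgamal_encrypt(pub, m, k=None):
    """Algorithm 6, encryption: gamma = alpha^k, delta = m * (alpha^a)^k, with a fresh k per message."""
    p, alpha, alpha_a = pub
    if not 0 <= m <= p - 1:
        raise ValueError("message must be an integer in [0, p-1]")
    if k is None:
        k = 1 + secrets.randbelow(p - 2)
    return pow(alpha, k, p), m * pow(alpha_a, k, p) % p

def elgamal_decrypt(p, a, ciphertext):
    """Algorithm 6, decryption: gamma^(p-1-a) = gamma^(-a) = alpha^(-ak); m = gamma^(-a) * delta."""
    gamma, delta = ciphertext
    return pow(gamma, p - 1 - a, p) * delta % p

def k_reused(ct1, ct2):
    """Section 3.4 (1): the same k gives the same gamma = alpha^k, so equal first components flag reuse."""
    return ct1[0] == ct2[0]

def second_plaintext_from_reuse(p, ct1, m1, ct2):
    """Consequence of reuse: delta1/delta2 = m1/m2, hence m2 = m1 * delta2 * delta1^-1 mod p.
    Returns None when gamma differs (distinct k), where this relation does not hold."""
    if not k_reused(ct1, ct2):
        return None
    (_, delta1), (_, delta2) = ct1, ct2
    return m1 * delta2 * pow(delta1, -1, p) % p

if __name__ == "__main__":
    pub, a = elgamal_keygen(2357, 2, a=1751)        # Example 7: public key (2357, 2, 1185)
    ct = elgamal_encrypt(pub, 2035, k=1520)         # (1430, 697)
    print(pub, ct, elgamal_decrypt(2357, a, ct))    # ... 2035
    ct2 = elgamal_encrypt(pub, 100, k=1520)         # same k: same gamma, detectable
    print(k_reused(ct, ct2), second_plaintext_from_reuse(2357, ct, 2035, ct2))  # True 100
```

With `k=None` every call to `elgamal_encrypt` draws its own $k$, so `k_reused` returns `False` for independent encryptions of the same message and the ratio relation gives nothing; the two functions at the end exist only to make the reuse pitfall of Section 3.4 (1) concrete.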
4 Bit Commitment
4.1 Scenarios
(1) Alice claims that she has a method to predict the outcome of football games. She wants to sell her method to Bob. Bob asks her to show that her method works by predicting the results of the games that will be played this weekend. "No way," says Alice. "Then you will simply make your bets and not pay me. Why don't I show you my predictions for last week's game?"
4.2 Requirements of Bit Commitment
Alice can send a bit $b$, which is either 0 or 1, to Bob. It is required that
(1) Bob cannot determine the value of the bit without Alice's help.
(2) Alice cannot change the bit once she has sent it.
Now, for each game, Alice sends a symbol $b = 1$ if she predicts the team will win, and a symbol $b = 0$ if she predicts it will lose. After the game has been played, Alice reveals the bit to Bob.
4.3 Computing Discrete Logs Modulo 4
When $p \equiv 1 \pmod 4$, the Pohlig-Hellman algorithm computes discrete logs $\pmod 4$ quite quickly. What happens when $p \equiv 3 \pmod 4$? The Pohlig-Hellman algorithm won't work, since it would require us to raise numbers to the $(p-1)/4$ power, which would yield the ambiguity of a fractional exponent. In fact, this question makes sense only because we normalized the discrete logs to be an integer between $0$ and $p-2$. For example, $2^6 \equiv 2^{16} \equiv 9 \pmod{11}$. We define $\log_2 9 = 6$ in this case. If we had allowed it also to be 16, we would have two values 6 and 16 that are not congruent modulo 4.
4.3 Computing Discrete Logs Modulo 4 (Continued)
Lemma 1. Let $p \equiv 3 \pmod 4$ be prime, let $r \ge 2$, and let $y$ be an integer. Suppose $\alpha$ and $\beta$ are two nonz ero numbers modulo $p$ such that $\beta \equiv \alpha^{2^r y} \pmod p$. Then
$$\beta^{(p+1)/4} \equiv \alpha^{2^{r-1} y} \pmod p.$$
(Note that $(p+1)/4$ is an integer precisely because $p \equiv 3 \pmod 4$, whereas $(p-1)/4$ is not.)
Proof.
$$\beta^{(p+1)/4} \equiv \alpha^{(p+1)\,2^{r-2} y} = \big(\alpha^{p-1}\big)^{2^{r-2} y} \cdot \alpha^{2^{r-1} y} \equiv \alpha^{2^{r-1} y} \pmod p.$$
4.3 Computing Discrete Logs Modulo 4 (Continued)
Fact 4. If we have an algorithm that quickly computes discrete logs modulo 4 for a prime $p \equiv 3 \pmod 4$, then we can use it to compute discrete logs modulo $p-1$ quickly.
Fix a prime $p \equiv 3 \pmod 4$ and let $\alpha$ be a generator. Assume we have a machine that, given an input $\beta$, gives the output $\log_\alpha \beta \pmod 4$. In fact, we can easily compute $\log_\alpha \beta \pmod 2$ (Fact 3). So the new information supplied by the machine is really only the second bit of the discrete log. Now assume $\alpha^x \equiv \beta \pmod p$ and let $x = x_0 + 2x_1 + \cdots + 2^n x_n$ be the binary expansion of $x$. Using the machine, we determine $x_0$ and $x_1$. Suppose we have determined $x_0, x_1, \ldots, x_{r-1}$ with $r \ge 2$. Let
$$\beta_r = \beta\,\alpha^{-(x_0 + 2x_1 + \cdots + 2^{r-1} x_{r-1})} \equiv \alpha^{2^r (x_r + 2x_{r+1} + \cdots)} \pmod p.$$
Using Lemma 1 $r-1$ times, we find
$$\beta_r^{((p+1)/4)^{r-1}} \equiv \alpha^{2(x_r + 2x_{r+1} + \cdots)} \pmod p.$$
Applying the machine to this equation yields the value of $x_r$ (the second bit of the exponent on the right, which is at most $(p-2)/2^{r-1} < p-1$ and so is the normalized logarithm). Proceeding inductively, we obtain all the values $x_0, x_1, \ldots, x_n$.
4.4 A Bit Commitment Scheme
Alice and Bob agree on a large prime $p \equiv 3 \pmod 4$ and a generator $\alpha$.
(1) Alice chooses a random number $x < p-1$ whose second bit $x_1$ is $b$. As pointed out in Fact 4, Bob cannot determine the value of $b = x_1$.
(2) Alice computes $\beta \equiv \alpha^x \pmod p$ and sends $\beta$ to Bob.
(3) When Bob wants to know the value of $b$, Alice sends him the full value of $x$, and by checking $\beta \stackrel{?}{\equiv} \alpha^x \pmod p$ and looking at $x \bmod 4$, he finds $b$.
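An added example, not code from the lecture, that carries out the reduction of Fact 4 and the commitment scheme of Section 4.4. The "machine" of Fact 4 is stood in for by exhaustive search modulo a tiny prime (the real point of Fact 4 is that no fast such machine is known); `log_from_mod4_machine` then applies Lemma 1 $r-1$ times with the integer exponent $(p+1)/4$ and reads each new bit $x_r$ off the machine's answer, exactly as the inductive argument describes. `commit` and `open_commitment` are steps (1) to (3) of Section 4.4. All names are my own, and the primes $11$ and $23$ are chosen only because they satisfy $p \equiv 3 \pmod 4$ and are small enough to check by hand.

```python
import secrets

def brute_force_log(alpha, beta, p):
    """Normalized discrete log in [0, p-2] by exhaustive search; fine for the tiny p used here."""
    value = 1
    for x in range(p - 1):
        if value == beta % p:
            return x
        value = value * alpha % p
    raise ValueError("beta is not a power of alpha")

def log_mod4_machine(alpha, p):
    """Stand-in for the hypothetical machine of Fact 4: beta -> log_alpha(beta) mod 4."""
    return lambda beta: brute_force_log(alpha, beta, p) % 4

def log_from_mod4_machine(alpha, beta, p, machine):
    """Fact 4: recover the whole log_alpha(beta) from a log-mod-4 oracle, for p = 3 (mod 4)."""
    if p % 4 != 3:
        raise ValueError("Lemma 1 needs p = 3 (mod 4)")
    e = (p + 1) // 4                         # exponent of Lemma 1; an integer because p = 3 (mod 4)
    first = machine(beta)
    bits = [first & 1, (first >> 1) & 1]     # x_0 and x_1 straight from the machine
    r = 2
    while (1 << r) <= p - 2:                 # x <= p-2, so bit r is needed only while 2^r <= p-2
        known = sum(b << i for i, b in enumerate(bits))         # x_0 + 2 x_1 + ... + 2^(r-1) x_(r-1)
        beta_r = beta * pow(alpha, -known, p) % p               # = alpha^{2^r (x_r + 2 x_{r+1} + ...)}
        t = beta_r
        for _ in range(r - 1):               # Lemma 1 applied r-1 times
            t = pow(t, e, p)                 # now t = alpha^{2 (x_r + 2 x_{r+1} + ...)}
        bits.append((machine(t) >> 1) & 1)   # second bit of that exponent is x_r
        r += 1
    return sum(b << i for i, b in enumerate(bits))

def commit(p, alpha, b, rng=secrets):
    """Section 4.4 steps (1)-(2): random x < p-1 whose second bit is b; commitment beta = alpha^x."""
    while True:
        x = rng.randbelow(p - 1)
        if (x >> 1) & 1 == b:
            return x, pow(alpha, x, p)

def open_commitment(p, alpha, beta, x):
    """Step (3): Bob checks beta = alpha^x and reads b from x mod 4 (its second bit)."""
    if pow(alpha, x, p) != beta % p:
        raise ValueError("x does not open this commitment")
    return (x >> 1) & 1

if __name__ == "__main__":
    p, alpha = 11, 2
    machine = log_mod4_machine(alpha, p)
    print(log_from_mod4_machine(alpha, 9, p, machine))   # 6: the log_2 9 of Example 1
    x, beta = commit(p, alpha, 1)
    print(open_commitment(p, alpha, beta, x))            # 1
```

The binding property of step (3) is the check `pow(alpha, x, p) == beta`: Alice cannot later open $\beta$ to a different $x'$ without solving $\alpha^{x'} \equiv \beta$, and the hiding property is Fact 4, since an efficient way for Bob to read the second bit of $x$ from $\beta$ would be an efficient discrete-log machine.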
Thank You!