4
$\begingroup$

I have been using lifted ElGamal for my binary choice encryption into an exponent $g^m$, where m=0 or m=1. After ciphertext aggregation and decryption I got a message as $g^{m1+m2+m3+...+mn}$ and I want the most efficient way that could solve that kind of a discrete log. For prime p and g I use values from RFC3526, more specifically, 3072-bit MODP Group.

The algorithms I have been searching for so far are:

  • baby-step giant-step
  • number field sieve
  • Pohlig-Hellman
  • Pollard's kangaroo
  • Pollard's rho
  • Regular discrete logarithm solving (i.e. trivial solution)

All of these, as I understand works for my case, but which of them is more efficient and what's more important is it even worth using any of them or it is just fine to continue using the trivial one?

Improve this question
$\endgroup$
3
  • $\begingroup$ @fgrieu, they are executing aggregated encryption, for which they already had the trivial one. They look for a possible faster one in their not mentioned range. Therefore, this question is not clearly answerable due to the lack of the metrics. Well, one can argue that if they can use the trivial, then the range can be this or that; well, good luck. $\endgroup$ Commented Nov 24 at 17:30
  • $\begingroup$ I've cast the need for details as the question is unclear about what to achieve. I guess that they are working on aggregated voting schemes, and they should be clear about this for a proper answer. $\endgroup$ Commented Nov 24 at 19:43
  • $\begingroup$ @kelalaka: I has missed the "after ciphertext aggregation and decryption" part of the Q. $\endgroup$ Commented Nov 24 at 20:59

1 Answer 1

Reset to default
5
$\begingroup$

The problem at hand is to solve for $x$ the equation $g^x\bmod p=v$, with $x$ in a small interval $[a,a+n]$, for some given $a$ (perhaps $a=0$), small $n$, $g$, $p$, and $v$; with $p$ a 3072-bit prime, here such that $q=(p-1)/2$ is prime, $g^q\bmod p=1$; specifically $g=2$ and $p=2^{3072}-2^{3008}-1+2^{64}(\lfloor2^{2942}\pi\rfloor+1690314)$.

Algorithms that do not make use of $x$ being in a small interval are doomed, because the current academic record in this case is 795-bit $p$ and we are ways above that. This rules out Number Field Sieve, Pollard's rho, other completely generic methods for the Discrete Logarithm Problem; and Pohlig-Hellman, because $p-1$ has a large factor, the 3071-bit $q$.

Because $g=2$, for $n<\lceil\log_2p\rceil=3072$ we can simply compute $w=2^{-a}\;\!v$ (for $a=0$, just $w=v$) which is going to be a power of two, thus $x=\log_2(w)$, which will be an easily found integer (the number of low-order bits at 0 before the single bit at 1 in the binary expression of $w$).

For small $n$ above that threshold, or arbitrary $g$, we can compute $v_0=g^a\bmod p$ then until $v_i=v$ compute $v_{i+1}=g\;\!v_i\bmod p$ for incremental $i$. Now $x=a+i$. Expected cost is dominated by about $n/2$ modular multiplications. This is fast for $n$ up to millions ($2^{20+}$) on a standard CPU.

The above takes some advantage of $g=2$ because doubling modulo $p$ is faster than multiplication by a general $g$ modulo $p$. But there's a better way to do so: compute $w=2^{3072}\bmod p$, $w_0=v^{-1}\;\!2^{a+3071}\bmod p$, then until $w_i$ is a power of two compute $w_{i+1}=w\;\!w_i\bmod p$. Now $x=a+3071+3072\;\!i-\log_2(w_i)$. Expected cost is dominated by about $n/2/\log_2 p$ modular multiplications. This is fast for $n$ up to billions ($2^{30+}$) on a standard CPU, and due to it's simplicity likely the fastest up to many thousands.

For larger $n$ or faster operation, Baby-Step/Giant-Step and Pollard's kangaroo are better algorithms, because they allow taking advantage of the small interval. Both require in the order of $2\sqrt n$ modular multiplications modulo $p$.

Baby-Step/Giant-Step is guaranteed to find the solution in some fixed number of steps, and for $g=2$ half of its modular multiplications can be doublings. But it requires a lot of memory and memory accesses, in the order of $\sqrt n\log_2 p$ bits of memory (plus overhead for fast search) in it's standard form. We can reduce that to $\sqrt n\log_2 n$ by storing hashes or lower-order bits of the values to search. It's practicable for $n$ up to $2^{50+}$ on a standard CPU. We can distribute the necessary memory on multiple independent CPUs, or the work, but not both.

Pollard's kangaroo is randomized, but uses little memory, and is easy to parallelize on multiple CPUs. This makes it practicable for $n$ to $2^{80+}$.

Note: this answer does not condone the question's protocol, which is not fully described.

Improve this answer
$\endgroup$
5
  • $\begingroup$ I want to ensure I understand. For what value of $v$ is $\sqrt{2^{80+v}} (80+v)$ parallelized memory feasible for BSGS? And did you mean $\sqrt{N} \log n$ bits of memory in the last paragraph? $\endgroup$ Commented Nov 22 at 17:04
  • 1
    $\begingroup$ I fixed what I thought was a typing error ($\sqrt{n}\log_2 n$ instead of $\sqrt{n}\log_n$) in the last paragraph. Feel free to undo if I'm wrong. $\endgroup$ Commented Nov 23 at 3:33
  • $\begingroup$ @fgrieu if my $x$ is expected to be 1000+, i.e. solving discrete log for $2^{1000+}$, so you advise using Pollard's kangaroo for that case? $\endgroup$ Commented Nov 24 at 9:49
  • 1
    $\begingroup$ @ojacomarket: if $x$ is less than $\lceil\log_2p\rceil=3072$ and $g=2$, there's a direct method, that I now describe. For $g=2$ and larger $x$ up to many thousands, the method after "better way to do so" is simple and near instantaneous. For some larger $n$ Baby-Step/Giant-Step will be faster, then a little above Pollard's kangaroo will be the faster. $\endgroup$ Commented Nov 24 at 12:47
  • $\begingroup$ @ojacomarket: I had missed the "after ciphertext aggregation and decryption" part of the Q, so I now toned down the caution to a note. $\endgroup$ Commented Nov 24 at 21:00

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.