52 Things: Number 36: Index Calculus Algorithm
52件事:数字36:指数演算算法
This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know To Do Cryptography': a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. We continue the mathematical attacks with a description of an index calculus attack...这是一系列博客文章中的最新一篇,旨在解决“每个博士生在做密码学时应该知道的52件事”:这是一组问题,旨在让博士生在第一年结束时了解他们应该知道什么。我们继续数学攻击,描述一个指数演算攻击。。。
What is the objective? 目标是什么?
An index calculus attack is a method for trying to solve the discrete logarithm problem (DLP). Very briefly, it works by writing the target value as the product of powers of elements in a factor base, elements whose logarithm is already known, then extract the target value through laws of logarithms. We now proceed to explain what that means in a bit more detail.
指数演算攻击是一种试图解决离散对数问题(DLP)的方法。简单地说,它的工作原理是将目标值写成因子库中元素的幂的乘积,这些元素的对数是已知的,然后通过对数定律提取目标值。我们现在开始更详细地解释这意味着什么。
How does it work? 它是如何工作的?
The algorithm can be applied to calculating the discrete logarithm for an arbitrary element h any group G=⟨g⟩. We will rely on the fact that if xaybzc=1, then a∗logg(x)+b∗logg(y)+c∗logg(z)=logg(1)=0. So, if we can find some collection of xi who's logarithms are all known values Li=logg(xi) and somehow manage to write h=xa11…xarr, then we know that logg(h)=a1∗L1+⋯+ar∗Lr. The index calculus attack exploits this, and the efficiency (or inefficiency) of the attack comes down to how fast the various stages of this can be done. For context, alongside the generic technique, we will follow an example in terms of the discrete logarithm over the group Z/pZ with generator g, the most common application. Being a little lazy, we will use the terms "offline computation" and "precomputation" interchangeably to refer to work that need only be done once per group. Similarly "online" and "everytime" work corresponds to work that must be done for every DLP required.
该算法可以应用于计算任意元素 h 任意组 G=⟨g⟩ 的离散对数。我们将依赖这样一个事实:如果#2,那么#3。所以,如果我们能找到一些#4的集合,谁的对数都是已知值 Li=logg(xi) ,并以某种方式写 h=xa11…xarr ,那么我们就知道 logg(h)=a1∗L1+⋯+ar∗Lr 。索引演算攻击利用了这一点,攻击的效率(或低效率)取决于不同阶段的攻击速度。在上下文中,除了通用技术之外,我们还将以最常见的应用程序生成器 g 为例,以组 Z/pZ 上的离散对数为例。由于有点懒惰,我们将交替使用术语“离线计算”和“预计算”来指代每个组只需要完成一次的工作。类似地,“在线”和“每次”工作对应于每个DLP所需的必须完成的工作。
(Precomputation, basically free) Choose a Factor Base.
(预计算,基本免费)选择一个因子库。
The factor base is a collection of elements b0=g,b1,…,br∈G. How to pick them, and how many to pick, are dependant on the group we're working over and the running times of the later stages. Indeed, simply choice of r generally leads to a trade-off between expensive online (small r) and offline (large r) computation. Working within our example, one would generally pick −1 and the first r primes, since these tend to make the online calculations more efficient (see below).
因子库是 b0=g,b1,…,br∈G 元素的集合。如何挑选,以及挑选多少,取决于我们工作的团队以及后期的运行时间。事实上,简单地选择 r 通常会导致昂贵的在线(小#2)和离线(大#3)计算之间的权衡。在我们的例子中,人们通常会选择#4和前 r 素数,因为这些往往会使在线计算更高效(见下文)。
(Precomputation, expensive but very parallel) Find relations between the DLPs of the Factor Base
(预计算,昂贵但非常并行)查找因子库的DLP之间的关系 elements. 元素。
Using whatever techniques we can (generally just taking arbitrary products and hoping to get lucky!) we find equations in terms of the different factor base elements relating them to both each other. By taking logs, these translate into linear relations between their discrete logarithms. We continue searching for these until we have found r independent relations, which clearly takes longer the bigger we make r. That said, this can easily be done in parallel by simply asking each process to search independently and then merging the result sets. Our example works in exactly this way.
使用我们所能使用的任何技术(通常只是取任意乘积,希望运气好!),我们可以根据将它们相互关联的不同因子基元素找到方程。通过取对数,这些转化为离散对数之间的线性关系。我们继续寻找这些,直到我们找到 r 独立关系,这显然需要更长的时间,我们做得越大 r 。也就是说,这可以很容易地并行完成,只需要求每个进程独立搜索,然后合并结果集。我们的例子正是这样运作的。
(Precomputation, relatively cheap) Solve the Factor Base DLPs
(预计算,相对便宜)解决基于因素的DLP
From the previous step, we have a number of linear relationships between the DLs of the factor base elements. In particular, we have r+1 equations in r+1 variables (since logg(g)=1 is known a priori), and so can solve to find all their logarithms. Whilst this requires using a large matrix solver, it tends to be basically free compared to the previous and next steps, since solving linear equations is much more efficient than the almost exhaustive nature of searching for relations.
根据前面的步骤,我们在因子基元素的DL之间有许多线性关系。特别是,我们在 r+1 变量中有 r+1 方程(因为#2是先验已知的),因此可以求解以找到它们的所有对数。虽然这需要使用大型矩阵求解器,但与前一步和下一步相比,它往往基本上是免费的,因为求解线性方程组比搜索关系的几乎穷尽的性质更有效。
(Online 在线的, expensive but very parallel) Write h as a product of factor base elements
,昂贵但非常并行)将 h 写入因子基元素的乘积
We now try and find a value y and a list ai such that hgy=ba11…barr. This can easily be done in parallel, since each process tries a different collection of y values, stopping as soon as one of them. Once that's done, we simply take logs across each value, meaning:
我们现在尝试找到一个值 y 和一个列表 ai ,这样#2。这可以很容易地并行完成,因为每个进程都尝试不同的#3值集合,一旦其中一个值停止。完成后,我们只需对每个值进行日志记录,这意味着: logg(h)=−y+L1a1+⋯+Lrar Now, I've skimmed over a big issue in that previous paragraph: how do we find this y? Well, in the case of our example its not too bad. Because the factor base were all small primes, we simply try and factor hgy using traditional division-like techniques. However, in other groups this can be very difficult indeed, and computationally impractical.
现在,我已经浏览了上一段中的一个大问题:我们如何找到这个 y ?好吧,以我们的例子来说,这还不错。因为因子基都是小素数,所以我们简单地尝试使用传统的类似除法的技术来因子 hgy 。然而,在其他组中,这确实非常困难,并且在计算上不切实际。
A very brief conclusion 一个非常简短的结论
So, the Index Calculus algorithm uses the fact that taking logarithms transforms multiplications into sums to try and find the discrete logarithm of a particular point. It does this by building up a table of known results (the factor base), then finding an element related to the target that can be easily written in terms of these. As such, the algorithm is very generic, and by changing the size of the factor base r one recovers a number of obvious classical attacks. However, picking a value of r such that every stage of the computation can be done efficiently is generally not possible, since either the precomputation or online computation (or often both!) will be prohibitively expensive.
因此,指数演算算法利用对数将乘法转换为和的事实,试图找到特定点的离散对数。它通过建立一个已知结果表(因子库)来实现这一点,然后找到一个与目标相关的元素,该元素可以很容易地根据这些结果来编写。因此,该算法是非常通用的,并且通过改变因子基 r 的大小,可以恢复许多明显的经典攻击。然而,选择 r 的值以使计算的每个阶段都能有效地完成通常是不可能的,因为预计算或在线计算(或者通常两者都有!)将非常昂贵。 标签:Calculus,Index,Algorithm,logg,因子,base,done,factor,对数 From: https://www.cnblogs.com/3cH0-Nu1L/p/18107507