Method, software and apparatus for computing discrete logarithms modulo a prime

Abstract

A decoding apparatus having a non-transient memory in which is stored an electromagnetic signal representative of data which were encrypted relying on the difficulty of computing discrete logarithms. The decoding apparatus has a computer in communication with the memory that decodes the encrypted data in the memory by computing the data's discrete logarithm. The decoding apparatus has a display on which the decoded encrypted data are displayed by the computer. A method for decoding.

Claims

1. A decoding apparatus comprising: a network port in communication with a communication network which receives from the connection network an electromagnetic signal representative of encrypted data which were produced with a first computer relying on a difficulty of computing discrete logarithms; a non-transient memory in which is stored the electromagnetic signal representative of encrypted data which were encrypted by the first computer relying on the difficulty of computing discrete logarithms, the data having a discrete logarithm; a second computer in communication with the memory that decodes the encrypted data in the memory in a time of an order of log log p.Math.log.sup.2 p by computing the data's discrete logarithm, the second computer reduces the complexity of an exponential congruence which is defined modulo p, where p=2.Math.p+1, p is also a prime and p1 contains only factors which are smaller than 100,000, and executes a sequence of reversible transformations supported by the non-transient memory in such a way that the exponential congruence module p is restated as a problem involving new relationships modulo p and a concurrent independent congruence modulo p1; and a display on which the decoded encrypted data are displayed by the second computer.

2. A method for processing an electromagnetic signal representative of encrypted data which were produced relying on a difficulty of computing discrete logarithms, the data having a discrete logarithm, with a first computer comprising the steps of: receiving the encrypted data at a network port of a second computer from a communication network, the second computer in communication with the communication network; storing the encrypted data in a non-transient memory of the second computer; performing with the second computer in communication with the memory the computer-generated steps of decoding the encrypted data in the memory in a time of an order of log log p.Math.log.sup.2p by computing the data's discrete logarithms, the performing step includes the steps of reducing the complexity of an exponential congruence which is defined modulo p, where p=2.Math.p+1, p is also a prime and p1 contains only factors which are smaller than 100,000; and executing with the second computer a sequence of reversible transformations supported by a non-transient memory in such a way that the exponential congruence modulo p is restated as a problem involving new relationships modulo p and a concurrent independent congruence modulo p1; and displaying on a display the decoded data.

3. A computer program stored in a non-transient memory in communication with a second computer for decoding with the second computer an electromagnetic signal representative of encrypted data which is encrypted by a first computer relying on a difficulty of computing discrete logarithms, the data having a discrete logarithm, the computer program having the second computer-generated steps of: receiving the encrypted data by the first computer at a network port of the second computer from a communication network; storing the encrypted data in the non-transient memory; decoding the encrypted data in the memory with the second computer in a time of an order of log log p.Math.log.sup.2 p by computing the data's discrete logarithms, the decoding step includes the steps of reducing the complexity of an exponential congruence which is defined modulo p, where p=2.Math.p+1, p is also a prime and p1 contains only factors which are smaller than 100,000; and executing with the second computer a sequence of reversible transformations supported by the non-transient memory in such a way that the exponential congruence modulo p is restated as a problem involving new relationships modulo p and a concurrent independent congruence modulo p1; and displaying on a display the decoded data.

Description

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING

(1) In the accompanying drawings, the preferred embodiment of the invention and preferred methods of practicing the invention are illustrated in which:

(2) FIG. 1 is a block diagram of the apparatus of the claimed invention.

(3) FIG. 2 is a representation of .sub.1.sup.x.sup.1.Math..sub.2.sup.x.sup.2(mod 70) using orthogonal primitives.

DETAILED DESCRIPTION OF THE INVENTION

(4) Referring now to the drawings wherein like reference numerals refer to similar or identical parts throughout the several views, and more specifically to FIG. 1 thereof, there is shown a decoding apparatus 10. The decoding apparatus 10 comprises a non-transient memory 14 in which is stored an electromagnetic signal representative of data which were encrypted relying on the difficulty of computing discrete logarithms. The decoding apparatus 10 comprises a computer 12 in communication with the memory 14 that decodes the encrypted data in the memory 14 by computing the data's discrete logarithm. The decoding apparatus 10 comprises a display 18 on which the decoded encrypted data are displayed by the computer 12.

(5) The computer 12 may reduce the complexity of an exponential congruence which is defined modulo p, where p=2.Math.p+1, p is also a prime and p1 contains only factors which are smaller than 100,000, and executes a sequence of reversible transformations supported by the non-transient memory 14 in such a way that the exponential congruence modulo p is restated as a problem involving new relationships modulo p and a concurrent independent congruence modulo p1. The computer 12 may select primitives of sub-groups of a group stored in the non-transient memory 14, where the group is defined modulo (p1) in such a way that an exponent of any one primitive is independent on an exponent of any other primitive, thus reducing the complexity of a search for such exponents to a number of operations of the order of a sum of such exponents as opposed to their product.

(6) The present invention pertains to a method for processing an electromagnetic signal representative of encrypted data which were produced relying on the difficulty of computing discrete logarithms. The method comprises the steps of producing the electromagnetic signal by a first computer 12. There is the step of providing the signal to a second computer 22 through an input 20 of the second computer 22. The input 20 can be a keyboard in communication with the second computer 22 or a memory port, such as a USB port that receives a flash drive or a CD reader that receives a CD with the signal; or the input 20 can be a network interface card in communication with the second computer 22 having a network port which is in communication with a network 24 over which the signal is transmitted from the first computer 12. The second computer 22 obtains the signal from the network 24 through the input 20 of the second computer 22. There is the step of storing the encrypted data in a non-transient memory 14 of a second computer 22. There is the step of performing with the second computer 22 in communication with the memory 14 the computer-generated steps of decoding the encrypted data in the memory 14 by computing the data's discrete logarithms, and displaying on a display 18 the decoded data.

(7) The performing step may include the steps of reducing the complexity of an exponential congruence which is defined modulo p, where p=2.Math.p+1, p is also a prime and p1 contains only factors which are smaller than 100,000. There may be the step of executing with the computer a sequence of reversible transformations supported by a non-transient memory 14 in such a way that the exponential congruence modulo p is restated as a problem involving new relationships modulo p and a concurrent independent congruence modulo p1. There may be the step of reporting the restated problem on a display 18. The performing step may include the step of selecting with the computer primitives of sub-groups of a group stored in the non-transient memory 14, where the group is defined modulo (p1) in such a way that an exponent of any one primitive is independent on an exponent of any other primitive, thus reducing the complexity of a search for such exponents to a number of operations of the order of a sum of such exponents as opposed to their product.

(8) The present invention pertains to a computer program 16 stored in a non-transient memory 14 for decoding an electromagnetic signal which is encrypted relying on the difficulty of computing discrete logarithms. The program has the computer-generated steps of storing the encrypted data in a non-transient memory 14. There is the step of decoding the encrypted data in the memory 14 by computing the data's discrete logarithms. There is the step of displaying on a display 18 the decoded data.

(9) The decoding step may include the steps of reducing the complexity of an exponential congruence which is defined modulo p, where p=2.Math.p+1, p is also a prime and p1 contains only factors which are smaller than 100,000. There may be the step of executing with the computer a sequence of reversible transformations supported by a non-transient memory 14 in such a way that the exponential congruence modulo p is restated as a problem involving new relationships modulo p and a concurrent independent congruence modulo p1.

(10) The decoding step may include the steps of selecting with the computer primitives of sub-groups of a group stored in the non-transient memory 14, where the group is defined modulo (p1) in such a way that an exponent of any one primitive is independent on an exponent of any other primitive, thus reducing the complexity of a search for such exponents to a number of operations of the order of a sum of such exponents as opposed to their product.

(11) The present invention pertains to a method for reducing the complexity of an exponential congruence, preferably for decoding, which is defined modulo p, where p=2.Math.p+1, p is also a prime and p1 contains only factors which are smaller than 100,000. The method comprises the steps of executing with a computer a sequence of reversible transformations supported by a non-transient memory 14 in such a way that the exponential congruence modulo p is restated as a problem involving new relationships modulo p and a concurrent independent congruence modulo p1. There is the step of reporting the restated problem on a display 18.

(12) The present invention pertains to an apparatus 10 for reducing the complexity of an exponential congruence, preferably for decoding, which is defined modulo p, where p=2.Math.p+1, p is also a prime and p1 contains only factors which are smaller than 100,000. The apparatus 10 comprises a non-transient memory 14. The apparatus 10 comprises a computer in communication with the non-transient memory 14 which executes a sequence of reversible transformations supported by the non-transient memory 14 in such a way that the exponential congruence modulo p is restated as a problem involving new relationships modulo p and a concurrent independent congruence modulo p1. The apparatus 10 comprises a display 18 on which the restated problem is reported.

(13) The present invention pertains to a computer program 16 stored in a non-transient memory 14 for reducing the complexity of an exponential congruence, preferably for decoding, which is defined modulo p, where p=2.Math.p+1, p is also a prime and p1 contains only factors which are smaller than 100,000. The program comprises the computer generated steps of executing a sequence of reversible transformations supported by a non-transient memory 14 in such a way that the exponential congruence modulo p is restated as a problem involving new relationships modulo p and a concurrent independent congruence modulo p1. There is the step of reporting the restated problem on a display 18.

(14) The present invention pertains to a method for decoding. The method comprises the steps of selecting with a computer primitives of sub-groups of a group stored in a non-transient memory 14, where the group is defined modulo (p1) in such a way that an exponent of any one primitive is independent on an exponent of any other primitive, thus reducing the complexity of a search for such exponents to a number of operations of the order of a sum of such exponents as opposed to their product. There is the step of reporting the exponents on a display 18.

(15) The present invention pertains to a computer program 16 stored in a non-transient memory 14 for decoding. The program comprises the computer generated steps of selecting primitives of sub-groups of a group stored in a non-transient memory 14, where the group is defined modulo (p1) in such a way that an exponent of any one primitive is independent on an exponent of any other primitive, thus reducing the complexity of a search for such exponents to a number of operations of the order of a sum of such exponents as opposed to their product. There is the step of reporting the exponents on a display 18.

(16) The present invention pertains to an apparatus 10 for decoding. The apparatus 10 comprises a non-transient memory 14. The apparatus 10 comprises a computer in communication with the memory 14 which selects primitives of sub-groups of a group stored in the non-transient memory 14, where the group is defined modulo (p1) in such a way that an exponent of any one primitive is independent on an exponent of any other primitive, thus reducing the complexity of a search for such exponents to a number of operations of the order of a sum of such exponents as opposed to their product. The apparatus 10 comprises a display 18 in communication with the computer on which the exponents are reported.

(17) In the operation of the invention, the following is a description of the solution of (1).

II. THE CASE WHEN 01. A RESTATEMENT

1) Step One. Definition of Superprimitives

(18) In general in (1) a.sub.0 is not a primitive root of X modulo p1. It is convenient to restate (1) in such a way that on the LHS of (1) a.sub.0 be replaced by a primitive of X modulo p1.

(19) If denotes a primitive of X modulo p1, consider the process of raising both sides of (1) by .sub.l. As l increases, a.sub.0.sup..sup.l modulo p traces an orbit of primitives modulo p.

(20) If p is large, and if p=2.Math.p+1, where p is also prime, approximately half of the elements of G are elements of this orbit [2, p. 269].

(21) For some integer {tilde over (l)}, a.sub.0.sup.p.sup.{tilde over (l)} is also a primitive of X modulo p1. In this case, define

(22) $\begin{matrix} {\begin{matrix} a_{0}^{^{\overline{l}}} a (\mod p) \\ y_{0}^{^{\overline{l}}} y (\mod p) \end{matrix} . & (5) \end{matrix}$
Then
a.sup.xy(mod p).(6)

(23) An integer which is a primitive root of p and also a primitive of X modulo p1 will be referred to as a superprimitive of p.

(24) Table I shows the superprimitives of a set of small primes (.sub.02).

(25) Table II shows some relevant variables for such primes.

(26) TABLE-US-00001 TABLE I p Superprimitives of p 11 7 23 7, 17, 19 47 5, 11, 15, 19, 33, 43 59 11, 31, 37, 39, 43, 47, 55 107 5, 21, 31, 45, 51, 55, 65, 67, 71, 73, 103 167 5, 13, 15, 35, 39, 43, 45, 53, 55, 67, 71, 73, 79, 91, 101, 103, 105, 117, 125, 129, 135, 139, 143, 145, 149, 155, 159, 163 263 29, 57, 67, 85, 87, 97, 115, 119, 127, 130, 139, 141, 161, 171, 185, 197, 213, 219, 227, 229, 237, 241, 247, 251, 255, 257, 259 347 5, 7, 17, 19, 45, 63, 65, 69, 79, 91, 97, 101, 103, 111, 123, 125, 141, 145, 153, 155, 165, 171, 175, 191, 193, 203, 215, 217, 221, 223, 231, 239, 245, 247, 283, 301, 307, 335, 343, 359 7, 21, 35, 53, 63, 71, 97, 103, 105, 109, 113, 119, 137, 143, 157, 159, 163, 167, 175, 189, 197, 209, 211, 213, 223, 251, 257, 263, 265, 269, 271, 277, 291, 293, 299, 309, 311, 313, 315, 319, 327, 329, 339, 341, 343, 349, 353, 355 383 33, 35, 47, 53, 61, 83, 89, 91, 95, 99, 105, 111, 123, 127, 131, 141, 145, 151, 157, 167, 179, 181, 183, 187, 233, 247, 249, 253, 267, 285, 297, 307, 315, 337, 355, 359, 365, 367, 369, 379 479 13, 19, 37, 39, 41, 43, 47, 53, 57, 59, 65, 79, 95, 117, 119, 123, 129, 143, 149, 159, 171, 177, 179, 185, 191, 205, 209, 223, 227, 235, 237, 265, 281, 285, 295, 317, 325, 333, 351, 353, 357, 369, 379, 387, 391, 395, 423, 429, 433, 447, 449, 451, 461, 463, 467, 469, 473, 475 503 19, 29, 37, 53, 55, 57, 71, 87, 107, 109, 111, 127, 133, 137, 139, 159, 163, 165, 167, 191, 193, 203, 213, 215, 239, 269, 277, 295, 305, 307, 313, 321, 327, 333, 341, 347, 349, 371, 381, 385, 399, 409, 417, 419, 437, 453, 457, 461, 467, 471, 475, 479, 481, 485, 487, 489, 495, 499 587 5, 11, 13, 19, 23, 41, 45, 85, 99, 103, 105, 111, 117, 125, 127, 131, 139, 157, 171, 173, 183, 187, 207, 213, 215, 221, 227, 231, 241, 245, 251, 259, 265, 263, 273, 275, 291, 295, 321, 323, 325, 327, 335, 337, 341, 365, 367, 369, 373, 391, 399, 403, 405, 415, 427, 435, 467, 473, 475, 483, 487, 497, 523, 539, 541, 557, 559, 583

(27) TABLE-US-00002 TABLE II p |A| = |X| |Y| |A Y| |A|/(A Y) 11 4 2 1 4.0000 23 10 4 3 3.3333 47 22 10 6 3.6666 59 28 12 7 4.0000 107 52 24 11 4.7273 167 82 40 28 2.9286 263 130 48 26 5.0000 347 172 84 39 4.4103 359 178 88 48 3.7083 383 190 72 40 4.7500 479 238 96 58 4.1034 503 250 100 58 4.3103 587 292 144 68 4.2941
NOTE 1: If .sub.02, X is cyclic and there exist an integer which is a primitive root of X modulo p1. If p is large, to determine it is sufficient to select any random integer and to verify that a) is an element of X, which means that it is relatively prime to p1, and b) is an element of Y, which means that it is relatively prime to (p1)=p1. The process of producing should not be long, because, if p is large, the probability that two integers be prime to one another is 6/.sup.2 [2, p. 269]. Thus, the probability that an integer chosen at random be prime to p1 and p1 is approximately (6/.sup.2).sup.2 or 1/2.7055.
NOTE 2: The ratio |A|/|(AY)| is relevant because it is related to the number of trials which should be expected when is employed in the search for a.
NOTE 3: The ratio |A|/|(AY)| may grow when p increases. As an example, when p=6466463=2.Math.p+1 and p=2.Math.5.Math.7.Math.11.Math.13.Math.17.Math.19+1, |A|/|AY|=7.7931.
NOTE 4: Comparing the data for p.sub.2=6466463 and p.sub.1=587, observe that, when p is replaced by p.sub.2, the ratio |A|/|AY| is multiplied by a factor of 7.7931/4.2941, which is less than 2, while 6466463 is greater than 587.sup.2.

2) Step Two

(28) In general in (6) y is not a primitive root modulo p. It is convenient to restate (6) in such a way that the RHS of (6) be a primitive modulo p. This can be accomplished by multiplying both sides of (6) by a, a sufficient number of times until the desired condition is satisfied. If after 7-iterations this condition is satisfied, let

(29) $\begin{matrix} {\begin{matrix} b a^{\tilde{r}} .Math. y (\mod p) \\ s x + \tilde{r} (\mod (p - 1)) \end{matrix} . & (7) \end{matrix}$
Then
a.sup.sb(mod p).(8)

(30) After this restatement the search for x is conducted in a smaller, more structured environment. Since b is a primitive modulo p and a is a primitive of X modulo p1, s is relative prime to p1 and can be represented as follows

(31) $\begin{matrix} {\begin{matrix} s a^{t} (\mod (p - 1)) \\ a^{a^{t}} b (\mod p) \end{matrix}, & (9) \end{matrix}$
where t denotes an integer and 0t<(p1).

3) Step Three

(32) Consider the process of raising the second of (9) to a.sup.u modulo p. Let d denote the least positive residue modulo p of the corresponding RHS of (9). As u increases, the integer d describes an orbit of primitives modulo p. It is desired that d be also a primitive of X modulo p1. If, after L operations this condition is satisfied, define

(33) $\begin{matrix} a^{a^{}} d (\mod p) & (10) \end{matrix}$
where

(34) $\begin{matrix} {\begin{matrix} t + \tilde{u} (\mod (p - 1)) \\ d b^{a^{\overline{}}} (\mod p) \end{matrix} . & (11) \end{matrix}$

(35) Consider the integer d.sup.d.sup.w, where w denotes an integer. Since d is a primitive modulo p and a primitive of X modulo p1, when w varies d.sup.d.sup.w traces an orbit which contains all the primitives modulo p, including a.

(36) Therefore, there does exist an integer w such that

(37) $\begin{matrix} a d^{d^{w}} (\mod p) . & (12) \end{matrix}$

4) Conclusion

(38) The exponential congruence (1) is referred to as a one-way transaction, meaning that, when x is known, it is easy to compute a.sub.0.sup.x modulo p, while, when y.sub.0 is known, the computation of x may be untractable. The restatement introduced by this section produces the congruences (10) and (12), which have similar structure and comparable complexity.

(39) In order to determine the relationship between and w, raise (12) to a.sup. modulo p. It will be

(40) $\begin{matrix} a^{a^{}} d^{a^{} .Math. d^{w}} (\mod p) . & (13) \end{matrix}$
whence, by (10),
a.sup..Math.d.sup.w=1(mod p1)(14)
or
a.sup.d.sup.w(mod p1).(14)
As a conclusion: and w are exponents of known superprimitives of p, a and d, respectively. The integers a.sup. and d.sup.w are related in a congruence which is defined modulo p1.
NOTE 1: In general, given (1), the integers a and d which result from the proposed restatements are not unique.
NOTE 2: In principle, it would be possible to explore the case when a is a superprimitive of p and p1. As an example, 19 is a superprimitive of 47 and 23. However, not all primes have superprimitives modulo p and modulo p1.

III. ORTHOGONAL PRIMITIVES WHEN 0=1

(41) Refer to (15). Let V denote the set of integers and w (1, wp1) which are candidate solutions of (10), (12), and (15) and let |V| denote their number.

(42) A) It is desired to represent Vas the direct product of distinct subsets of T; each one associated with one of the factors (q.sub.i.sup..sup.1 or 2.sup..sup.0) of p1.

(43) B) It is desired to partition and process independently the corresponding sets of candidate solutions.

(44) To reach these aims:

(45) A) The number of significant candidate elements associated with each of such sets is (q.sub.i.sup..sup.i). Then the total number of candidate elements, say |V|, would be

(46) $\begin{matrix} \begin{matrix} .Math. V .Math. = (p^{} - 1) \\ = 2^{{.Math.}_{0} - 1} .Math. {.Math.}_{i = 1}^{h} (q_{i}^{{.Math.}_{.Math.}}) . \end{matrix} & (16) \end{matrix}$

(47) The candidate elements associated to (q.sub.i.sup..sup.i), say .sub.i.sup..sup.i, are relatively prime to q.sub.i and can be represented as the elements of a cyclic group having .sub.i as its generator. Notice that, thus far, nothing has been stated concerning the divisibility of .sub.i by q.sub.j when ij. B) Consider the case when and w are represented as the direct product of their component subgroups. In the case when .sub.0=1, .sub.01=0. In order to process independently the cyclic subsets of V, consider the case when the primitive of the cycle i is defined as follows:

(48) $\begin{matrix} \begin{matrix} _{i} = 1 +_{i} .Math. (p - 1) / q_{i}^{{.Math.}_{.Math.}} \\ =_{i} +_{i} .Math. q_{i}^{{.Math.}_{.Math.}}, \end{matrix} & (17) \end{matrix}$
where .sub.i denotes any primitive modulo q.sub.i and (.sub.i, .sub.i) denotes a pair of integers. Given .sub.i, the pair (.sub.i,.sub.i) can be any one of the solution pairs of the following:
.sub.i1+.sub.i.Math.q.sub.i.sup..sup.i=.sub.i.Math.(p1)/q.sub.i.sup..sup.i.(18)
Given any solution pair ({tilde over ()}.sub.i, {tilde over ()}.sub.i), its substitution into (17) produces .sub.i modulo (p1).
After this restatement, .sub.i is relatively prime to (p1).

(49) Consider the case when p1 has a structure of the form (2) or (3), that is

(50) a) 5 is the smallest odd prime divisor of p1, and

(51) b) each divisor q.sub.i is the smallest odd prime greater than q.sub.i1.

(52) Under these conditions, all the odd prime divisors of (p1), with the exception of 3, are also divisors of (p1). It is possible to select .sub.i in such a way that .sub.i is not a multiple of 3. In this case, p.sub.i.sup..sup.i is relatively prime with (p1) and (p1).

(53) Thus, when p1 has the structure of (8) and (10) and is relatively prime with (p1) and 3, it is possible to represent and w as follows

(54) 0 $\begin{matrix} {\begin{matrix} {.Math.}_{i = 1}^{h}_{i}^{_{.Math.}} (\mod (p - 1)) \\ \dot{w} {.Math.}_{i = 1}^{h}_{i}^{w_{.Math.}} (\mod (p - 1)) \end{matrix}, & (19) \end{matrix}$
where .sub.i and w.sub.i denote integers defined modulo (e).
It will be

(55) $\begin{matrix} {\begin{matrix} \frac{(p - 1)}{q_{i}^{{.Math.}_{.Math.}}} .Math._{j} \frac{(p - 1)}{q_{i}^{{.Math.}_{.Math.}}} (\mod (p - 1)) & for i j \\ \frac{(p - 1)}{q_{i}^{{.Math.}_{.Math.}}} .Math._{j} \frac{(p - 1)}{q_{i}^{{.Math.}_{.Math.}}} .Math._{j} (\mod (p - 1)) & for i = j \end{matrix} . & (20) \end{matrix}$

(56) The congruences (20) define the orthogonality between .sub.i and .sub.j, for ij, and validate the definition of .sub.i offered by (17).

(57) Notice that the definitions (17) imply that

(58) $_{i}^{(q_{i}^{{.Math.}_{i}})} 1 (\mod (p - 1)) .$

(59) In fact,

(60) $\begin{matrix} \begin{matrix} _{i}^{(q_{i}^{{.Math.}_{}})} = {(_{i} +_{i} .Math. q_{i}^{{.Math.}_{.Math.}})}^{(q_{i}^{{.Math.}_{.Math.}})} \\ 1 +_{i} .Math. q_{i}^{{.Math.}_{.Math.}} (\mod q_{i}^{{.Math.}_{.Math.}}) \end{matrix} & (22) \end{matrix}$
and also, for all positive integers n,

(61) $\begin{matrix} \begin{matrix} _{i}^{n} = {(1 +_{i} .Math. (p - 1) / q_{i}^{{.Math.}_{.Math.}})}^{n} \\ = 1 +_{i} .Math. (p - 1) / q_{i}^{{.Math.}_{.Math.}} \end{matrix} & (23) \end{matrix}$
for some .sub.i and .sub.i integers. Combining (22) and (23), (21) follows. Refer to Section I of the Appendix.

IV. THE RELATIONSHIP BETWEEN i AND wi MODULO (qii) WHEN 0=1

(62) Using orthogonal primitives (17), consider raising (15) to

(63) $\frac{(p - 1)}{q_{i}^{{.Math.}_{.Math.}}}$
modulo p1.
It will be

(64) $\begin{matrix} {(a^{\frac{(p - 1)}{q_{i}^{{.Math.}_{.Math.}}}})}^{_{i}^{_{i}}} {(d^{\frac{(p - 1)}{q_{i}^{{.Math.}_{.Math.}}}})}^{-_{i}^{w_{i}}} (\mod (p - 1)) . & (24) \end{matrix}$
Let

(65) $\begin{matrix} {\begin{matrix} _{i} a^{\frac{(p - 1)}{q_{i}^{{.Math.}_{i}}}} (\mod (p - 1)) \\ _{i} d^{\frac{(p - 1)}{q_{i}^{{.Math.}_{i}}}} (\mod (p - 1)) \end{matrix} . & (25) \end{matrix}$
Then

(66) $\begin{matrix} _{i}^{_{i}^{_{i}}}_{i}^{-_{i}^{w_{i}}} (\mod (p - 1)) . & (26) \end{matrix}$

(67) This congruence establishes a relationship between .sub.i and w.sub.i which does not depend on any of the values of .sub.i and w.sub.j, for ij. However, this relationship does not identify the value of v which is consistent with (6).

(68) NOTE 1: a and d are primitives modulo p1. Therefore, they are relatively prime with (p1). When a or d are raised to a divisor of (p1), such as (p1)/q.sub.i.sup..sup.i, they produce primitives modulo (p1) for the sets

(69) ${_{i}^{v_{i}}} and {_{i}^{w_{i}}},$
respectively.

V. INVERTIBLE SUPERPRIMITIVE

1) Definition

(70) A superprimitive of p is defined as invertible if its inverse modulo p is also a superprimitive of p. In general, only some of the superprimitives are invertible. Table III shows the invertible superprimitives of the set of primes which are included in Tables I and II.

(71) TABLE-US-00003 TABLE III Number of Invertible Number of Invertible p Superprimitives of p Superprimitives Superprimitives Superprimitives Ratio 11 7 1 0 0 23 7, 17, 19 17, 19 3 2 0.666667 47 5, 11, 15, 19, 33, 43 5, 19 6 2 0.333333 59 11, 31, 37, 39, 43, 47, 55 11, 43 7 2 0.285714 107 5, 21, 31, 45, 51, 55, 65, 67, 71, 73, 103 21, 51 11 2 0.181818 167 5, 13, 15, 35, 39, 43, 45, 53, 55, 67, 71, 73, 79, 5, 35, 43, 67, 101, 105, 28 10 0.357143 91, 101, 103, 105, 117, 125, 129, 135, 139, 143, 125, 129, 145, 163 145, 149, 155, 159, 163 263 29, 57, 67, 85, 87, 97, 115, 119, 127, 130, 139, 29, 97, 115, 127, 141, 26 12 0.461538 141, 161, 171, 185, 197, 213, 219, 227, 229, 197, 219, 241, 247, 237, 241, 247, 251, 255, 257, 259 251, 257, 259 347 5, 7, 17, 19, 45, 63, 65, 69, 79, 91, 97, 101, 103, 17, 69, 79, 103, 39 8 0.205128 111, 123, 125, 141, 145, 153, 155, 165, 171, 123, 171, 245, 283 175, 191, 193, 203, 215, 217, 221, 223, 231, 239, 245, 247, 283, 301, 307, 335, 343, 359 7, 21, 35, 53, 63, 71, 97, 103, 105, 109, 113, 157, 197, 209, 213, 48 16 0.333333 119, 137, 143, 157, 159, 163, 167, 175, 189, 223, 257, 269, 271, 197, 209, 211, 213, 223, 251, 257, 263, 265, 277, 293, 299, 339, 269, 271, 277, 291, 293, 299, 309, 311, 313, 341, 343, 353, 355 315, 319, 327, 329, 339, 341, 343, 149, 353, 355 383 33, 35, 47, 53, 61, 83, 89, 91, 95, 99, 105, 111, 359, 367 40 2 0.05 123, 127, 131, 141, 145, 151, 157, 167, 179, 181, 183, 187, 233, 247, 249, 253, 267, 285, 297, 307, 315, 337, 355, 359, 365, 367, 369, 379 479 13, 19, 37, 39, 41, 43, 47, 53, 57, 59, 65, 79, 95, 19, 47, 53, 177, 235, 58 12 0.206897 117, 119, 123, 129, 143, 149, 159, 171, 177, 265, 325, 353, 433, 179, 185, 191, 205, 209, 223, 227, 235, 237, 449, 451, 463 265, 281, 285, 295, 317, 325, 333, 351, 353, 357, 369, 379, 387, 391, 395, 423, 429, 433, 447, 449, 451, 461, 463, 467, 469, 473, 475 503 19, 29, 37, 53, 55, 57, 71, 87, 107, 109, 111, 19, 53, 133, 193, 213, 58 14 0.241379 127, 133, 137, 139, 159, 163, 165, 167, 191, 295, 305, 307, 409, 193, 203, 213, 215, 239, 269, 277, 295, 305, 417, 467, 475, 485, 307, 313, 321, 327, 333, 341, 347, 349, 371, 489 381, 385, 399, 409, 417, 419, 437, 453, 457, 461, 467, 471, 475, 479, 481, 485, 487, 489, 495, 499 587 5, 11, 13, 19, 23, 41, 45, 85, 99, 103, 105, 111, 11, 85, 111, 117, 215, 69 16 0.231884 117, 125, 127, 131, 139, 157, 171, 173, 183, 221, 241, 275, 291, 187, 207, 213, 215, 221, 227, 231, 241, 245, 321, 341, 415, 427, 251, 259, 265, 263, 273, 275, 291, 295, 321, 435, 475, 523 323, 325, 327, 335, 337, 341, 365, 367, 369, 373, 391, 399, 403, 405, 415, 427, 435, 467, 473, 475, 483, 487, 497, 523, 539, 541, 557, 559, 583

(72) Consider the case when a denotes an invertible superprimitive, and let g denote its inverse modulo p. Then, for some integers and w, the conditions (10) and (12) take the following forms:

(73) 0 $\begin{matrix} a^{a^{}} a^{- 1} (\mod p) & (27) \end{matrix}$
and

(74) $\begin{matrix} g^{- 1} g^{g^{w}} (\mod p) . & (28) \end{matrix}$
Therefore,

(75) $\begin{matrix} a^{a^{v} + 1} 1 (\mod p) & (29) \end{matrix}$
whence
a.sup.1(mod(p1))(30)
or
a.sup.2.Math.1(mod(p1)).(31)
Similarly,
g.sup.2.Math.w1(mod(p1)).(32)
Then
2.Math.0(mod (p1))(33)
and
2.Math.w0(mod (p1)).(34)
Thus,

(76) $\begin{matrix} w (\mod \frac{(p - 1)}{2}) . & (35) \end{matrix}$

VI. THE DETERMINATION OF AND w WHEN 0=1

1) The Selection of a and d

(77) Section II.1 describes how to select a superprimitive a. The algorithm proposed herein will require that a be an invertible superprimitive of p. This can be accomplished by raising a.sub.0 to an increasing integer p.sup.l>p.sup.{tilde over (l)}, until the desired condition is satisfied. (Step One).

(78) After the definition of a, it will be necessary to transform (6) in such a way that the RHS be an invertible superprimitive of p, namely d. (Step Two and Three).

(79) Thus, the proposed algorithm will operate on two invertible superprimitives of p, namely

(80) 1) a (invertible superprimitive)

(81) 2) d (invertible superprimitive)

2) The Problem

(82) Given the pair (a, d), to determine there are two conditions which must be satisfied.

(83) A) The first condition is equation (14), which is defined modulo p1.

(84) B) A second condition on the pair (, w) is placed by the congruences (10) and (12), which are defined modulo p.

(85) Consider the problem of solving the system of (10) and (12)

(86) $\begin{matrix} {\begin{matrix} a^{a^{}} = d (\mod p) \\ a = d^{d^{w}} (\mod p) \end{matrix} & (36) \end{matrix}$
under the condition (14).

(87) Define

(88) $\begin{matrix} {\begin{matrix} a^{U} .Math. d 1 (\mod p - 1) \\ a .Math. d^{W} 1 (\mod p - 1) \end{matrix} . & (37) \end{matrix}$
Refer to Appendix II.

(89) Substitute the second of (37) into (14). It will be

(90) $\begin{matrix} d^{- W .Math.} .Math. d^{w} 1 (\mod p - 1), & (38) \end{matrix}$
or
w=W.Math. modulo (p1).

(91) Then the second of (37) becomes

(92) $\begin{matrix} \begin{matrix} a = d^{d^{W .Math.}} (\mod p) \\ = d^{- a .Math. v} (\mod p) . \end{matrix} & (40) \end{matrix}$

(93) Thus, the system (36) becomes

(94) $\begin{matrix} {\begin{matrix} a^{a^{}} d (\mod p) \\ a d^{a^{-}} (\mod p) \end{matrix} . & (41) \end{matrix}$

(95) The original problem requires finding the solution of the first of (41).

3) The Solution

(96) 1) a and d are two physical numbers and are independent on any modular transactions of which they may become a part. Specifically, if we say d=317, we mean that d denotes the number 317, not 317 modulo anything.

(97) 2) If were known, the transition from a to d could be executed by raising a to a.sup. modulo p.

(98) 3) Also, the transition from a to d can be executed by computing the discrete logarithm of d module p1 in base a. To this end, define
a.sup.U(a,d)d(mod p1).(42)

(99) Refer to Section II of the Appendix.

(100) 4) The two bridges from a to d are defined modulo p1 and produce the same transition.

(101) They can be compared operating modulo p1.

(102) 5) A different approach consists of considering the following integers:

(103) $\begin{matrix} {\begin{matrix} A_{i} = a^{\frac{(p - 1)}{q_{i}^{{.Math.}_{i}}}} \\ D_{i} = d^{\frac{(p - 1)}{q_{i}^{{.Math.}_{i}}}} \end{matrix} . & (43) \end{matrix}$

(104) These integers can be very large. In principle, their definition is independent of any modular transaction of which they may become a part. It is possible to substitute the pair (A.sub.i, D.sub.i) into (41). It will be

(105) 0 $\begin{matrix} A_{i}^{_{i}^{_{i}^{_{i}}}} D_{i} (\mod p) . & (44) \end{matrix}$

(106) The solution {tilde over ()}.sub.i of this congruence is unique.

(107) NOTE 1: After the solution {tilde over ()}.sub.1 of (44) has been produced, the process must be repeated for all ji. Then can be computed using (19). The integer x follows, using (11) (9), (8) and (7).

VII. THE CASE WHEN 0=2

(108) Refer to (16) and (19). If .sub.0=2, the set of generators {p.sub.i|1ih} must be expanded to include the generator .sub.0, 0 of a subgroup of V consisting of two elements. In this case (19) must be replaced by the following

(109) $\begin{matrix} {\begin{matrix} _{0, 0} .Math. {.Math.}_{i = 1}^{h}_{i}^{_{i}} (\mod (p - 1)) \\ w_{0, 0} .Math. {.Math.}_{i = 1}^{h}_{i}^{w_{i}} (\mod (p - 1)) \end{matrix} . & (45) \end{matrix}$
Let .sub.0, 0 denote the primitive of a cycle of two elements modulo 2.sup..sup.0. It will be
.sub.0,03(mod 2.sup.2).(46)
Then, by (17),

(110) $\begin{matrix} \begin{matrix} _{0, 0} = 1 +_{0, 0} .Math. \frac{(p - 1)}{4} \\ = - 1 +_{0, 0} .Math. 4. \end{matrix} & (47) \end{matrix}$
Let

(111) $\begin{matrix} _{0, 0} .Math. 4 = 2 +_{0, 0} .Math. \frac{(p - 1)}{4} . & (48) \end{matrix}$

(112) Given a solution pair ({tilde over ()}.sub.0, 0, {tilde over ()}.sub.0, 0) of (48), after substitution into (47),

(113) .sub.0, 0 modulo (p1) follows.

(114) It will be:

(115) $\begin{matrix} {\begin{matrix} g c d (_{0, 0}, p - 1) = 1 \\ g c d (_{0, 0}, (p - 1)) = 1 \end{matrix} . & (49) \end{matrix}$

(116) To determine the pair (.sub.0,0, w.sub.0,0), define

(117) $\begin{matrix} {\begin{matrix} _{0, 0} a^{\frac{(p - 1)}{4}} (\mod p - 1) \\ A_{0, 0} a^{\frac{(p - 1)}{4}} (\mod p) . \end{matrix} & (50) \end{matrix}$
and

(118) $\begin{matrix} D_{0, 0} d^{\frac{(p - 1)}{4}} (\mod p) . & (51) \end{matrix}$

(119) Then .sub.0, 0 is a solution of the following:

(120) $\begin{matrix} A_{0, 0}^{_{0, 0}^{_{0, 0}^{_{0, 0}}}} D_{0, 0} (\mod p), & (52) \end{matrix}$
where .sub.0, 0 is either 0 or 1.

VIII. THE CASE WHEN 0>2

1) The Problem

(121) If .sub.0>2, X is not a cyclic group and there does not exist an integer .sub.0, 0 which generates a subgroup of V containing 2.sup..sup.0.sup.1 elements modulo 2.sup..sup.0 [1, p. 206]. However, there exist integers .sub.0 such that

(122) $\begin{matrix} {\begin{matrix} _{0}^{2^{{.Math.}_{0} - 3}} 1 (\mod 2^{{.Math.}_{0}}) \\ _{0}^{2^{{.Math.}_{0} - 2}} 1 (\mod 2^{{.Math.}_{0}}) \end{matrix} . & (53) \end{matrix}$
As an example, if .sub.0=5, for any integer of the form .sub.0=4.Math.ODD+1 it is

(123) $\begin{matrix} {\begin{matrix} _{0}^{4} 1 (\mod 2^{5}) \\ _{0}^{8} 1 (\mod 2^{5}) \end{matrix} . & (54) \end{matrix}$
Refer to Section III of the Appendix.

(124) As a result, if .sub.0>2, in order to produce 2.sup..sup.0.sup.1 elements modulo 2.sup..sup.0, it is necessary to employ the direct product of two subgroups of V, one containing 2.sup..sup.0.sup.2 elements and one containing 2 elements. Let .sub.0,0 and .sub.0 denote the generators of the two subgroups having 2 and 2.sup..sup.0.sup.2 elements, respectively. Of course, .sub.0,0 should be an integer which cannot be produced by computing .sub.0.sup..sup.0(mod 2.sup..sup.0.sup.2), for any integer .sub.0. This can be accomplished by defining

(125) 0 $\begin{matrix} {\begin{matrix} _{0} = 4 .Math. O D D + 1 \\ _{0, 0} = - 1 + 2^{{.Math.}_{0} - 1} \end{matrix} . & (55) \end{matrix}$

(126) With this selection of .sub.0 and .sub.0,0 the product .sub.0,0.sup..sup.0,0.Math..sub.0.sup..sup.0(mod 2.sup..sup.0) generates all the odd integers from 1 to 2.sup..sup.01.

(127) The integer .sub.0 can be determined by letting

(128) $\begin{matrix} \begin{matrix} _{0} = 1 +_{0} .Math. \frac{(p - 1)}{2^{{.Math.}_{0}}} \\ =_{0} +_{0} .Math. 2^{{.Math.}_{0} - 2} . \end{matrix} & (56) \end{matrix}$
Since gcd

(129) $(2^{{.Math.}_{0} - 2}, \frac{(p - 1)}{2^{{.Math.}_{0}}}) = 1,$
the integers .sub.0 and .sub.0 exist, and so does .sub.0.

(130) Likewise, p.sub.0,0 can be defined by letting

(131) $\begin{matrix} \begin{matrix} _{0, 0} = 1 +_{0, 0} .Math. \frac{(p - 1)}{2^{{.Math.}_{0}}} \\ = - 1 +_{0, 0} .Math. 2^{{.Math.}_{0} - 2} . \end{matrix} & (57) \end{matrix}$

(132) Then the general expression (17) of the integers and w must be restated as follows:

(133) $\begin{matrix} {\begin{matrix} _{0, 0}^{_{0, 0}} .Math._{0}^{_{0}} .Math. {.Math.}_{i = 1}^{h}_{i}^{_{i}} (\mod (p - 1)) \\ w_{0, 0}^{w_{0, 0}} .Math._{0}^{w_{0}} .Math. {.Math.}_{i = 1}^{h}_{i}^{w_{i}} (\mod (p - 1)) \end{matrix} . & (58) \end{matrix}$

(134) For 1ih it is still possible to produce primitives .sub.i which are orthogonal to each other and to .sub.0. However, it is not possible to identify two values of .sub.0,0 and .sub.0 which are orthogonal to each other. In other words, there does not exist a primitive of X modulo 1 which enables the restatement described in Section II. Therefore, after the determination of all p.sub.i, for 1ih, it is necessary to explore all the possibilities produced by .sub.0,0 and .sub.0. Since the order of .sub.0,0 is 2, two sets of circumstances must be considered.

(135) In general, the elements of X can be grouped into two sets, namely X.sub.0 and X.sub.1, which correspond to the cases when .sub.0, 0=0 and .sub.0, 0=1, respectively.

2) The Case when 0, 0=0

(136) If .sub.0,0=0, the number of elements in V is

(137) $\begin{matrix} {\begin{matrix} _{0, 0} = 0 \\ .Math. V .Math. = 2^{{.Math.}_{0} - 2} .Math. {.Math.}_{i = 1}^{h} (q_{i}^{{.Math.}_{i}}) \end{matrix} . & (59) \end{matrix}$
Compare with (16).
In this case X.sub.0 is a cyclic group and there exist integers p which are primitive roots of X.sub.0 modulo p1. Let Y.sub.0 denote the set of primitive roots of X.sub.0 modulo p1. If pY.sub.0, let A.sub.0 denote the set of primitive roots of p which are produced by letting

(138) $\begin{matrix} a_{0}^{^{i}} a (\mod p) . & (60) \end{matrix}$

(139) For some integers , a will also be an element of Y.sub.0. In these cases

(140) $\begin{matrix} {.Math.}_{0} > 2 .Math. X .Math. = .Math. A .Math. .Math. X .Math. = .Math. X_{0} .Math. X_{1} .Math. .Math. X_{0} .Math. = .Math. X_{1} .Math. .Math. A .Math. = .Math. A_{0} .Math. A_{1} .Math. .Math. A_{0} .Math. = .Math. A_{1} .Math. .Math. X_{0} .Math. = .Math. A_{0} .Math. \frac{.Math. X_{0} .Math.}{.Math. A .Math.} = 1 / 2. & (61) \end{matrix}$

(141) Let .sub.0 denote a primitive root of X.sub.0 modulo 2.sup..sup.0.sup.2. Assume that .sub.0=4.Math.ODD+1.

(142) In this case, define

(143) $\begin{matrix} {\begin{matrix} _{0} a^{\frac{(p - 1)}{2^{{.Math.}_{0} - 1}}} (\mod p - 1) \\ A_{0} a^{\frac{(p - 1)}{2^{{.Math.}_{0} - 1}}} (\mod p - 1) \end{matrix} & (62) \end{matrix}$
and

(144) $\begin{matrix} D_{0} d^{^{\frac{(p - 1)}{2^{{.Math.}_{0} - 1}}}} (\mod p - 1) . & (63) \end{matrix}$
Then

(145) 0 $\begin{matrix} A_{0}^{_{0}^{_{0}^{_{0}}}} D_{0} (\mod p) . & (64) \end{matrix}$

3) An Example

(146) As an example, if .sub.0=6 and 2.sup..sup.0=64, let .sub.0=5 and .sub.0, 0=31. The elements of X are 2.sup..sup.0.sup.1=32. When .sub.0, 0=0, the elements of X.sub.0 are 2.sup..sup.0.sup.2=16. When .sub.0, 0=1, the elements of X.sub.1 are 16. Thus, when the elements of X are reduced modulo 64, it will be

(147) $\begin{matrix} \begin{matrix} X_{0} = {1, 5, 25, 61, 49, 53, 9, 45, 33, 37, 57, 29, 17, 21, 41, 13} \\ X_{1} = {31, 27, 7, 35, 47, 43, 23, 51, 63, 59, 39, 3, 15, 11, 55, 19} \\ = {31 .Math. each one of the elements of X_{0}} . \end{matrix} & (65) \end{matrix}$

(148) Since X.sub.0 is a cyclic group, let Y.sub.0 denote the set of primitive roots of X.sub.0 modulo 2.sup..sup.0. In the example,
Y.sub.0={5,61,53,45,37,29,21,13}.(66)

(149) Also, define Y.sub.1 as the set of elements produced when all the elements of Y.sub.0 are multiplied by .sub.0, 0. In the example, it will be

(150) $\begin{matrix} \begin{matrix} Y_{1} = {27, 35, 43, 51, 59, 3, 11, 19} \\ = {31 .Math. each one of the elements Y_{0}} . \end{matrix} & (67) \end{matrix}$
NOTE 1: In the example, 31 and 63 are the only elements of X.sub.1 for which 31.sup.2 1(mod 64) and 63.sup.21(mod 64).
NOTE 2: In the example, any element of Y.sub.0, when raised to 31 modulo 64, produces another elements of Y.sub.0. In fact, gcd (31, 32)=1 and gcd (31, 64)=1. Thus,

(151) $\begin{matrix} {\begin{matrix} 5^{31} 13 (\mod 64) \\ 61^{31} 21 (\mod 64) \\ .Math. \\ 45^{31} 37 (\mod 64) \end{matrix} . & (68) \end{matrix}$

4) The Algorithm when 0, 0=0

(152) The solution .sub.0 can be determined using the procedure defined by (64).

(153) After the determination of .sub.0, the algorithm should proceed to the determination of the candidate values of .sub.i, for 1ih.

(154) If the resulting value of is not consistent with (6), the assumption .sub.0, 0=0 must be discarded and the case .sub.0, 0=1 must be considered.

5) The Case when 0,0=1

(155) Consider first the case when aA.sub.0. Then

(156) $a^{a^{}} d (\mod p)$
and dA.sub.0.

(157) Define A.sub.1 as the set of primitives modulo p which are not elements of A.sub.0. One example is

(158) $\begin{matrix} \overline{a} a^{_{0, 0}} (\mod p), & (69) \end{matrix}$
which implies that

(159) $\begin{matrix} a {\overline{a}}^{_{0, 0}} (\mod p) . & (70) \end{matrix}$
Notice that is a primitive modulo p because gcd (.sub.0, 0, p1)=1.

(160) Given , all the elements of A.sub.1 can be produced by raising to the elements of X.sub.0. Notice that, after the introduction of A.sub.1, operating in A.sub.1 follows the same procedures which were used operating in A.sub.0 using aA.sub.0. Thus the definition of given a can be used to produce all of the elements of A.sub.i by raising to any element of X.sub.0. In particular, consider the case when is raised to modulo p. Since a is an element of X.sub.0 and Y.sub.0, is an element of Y.sub.0A.sub.1.

(161) $\begin{matrix} {.Math.}_{0} > 2 a A_{0} a X_{0} a Y_{0} \overline{a} A_{1} \overline{a} Y_{0} \overline{a} Y_{0} .Math. A_{1} & (71) \end{matrix}$
Refer to NOTE 2 in Section 4 above.

(162) The same observation can be made about d. Therefore, for some integers and w, it is

(163) $\begin{matrix} {\begin{matrix} {\overline{a}}^{{\overline{a}}^{}} \overline{d} (\mod p) \\ \overline{a} {\overline{d}}^{{\overline{d}}^{w}} (\mod p) \end{matrix}, & (72) \end{matrix}$
whence

(164) $\begin{matrix} a^{_{0, 0} .Math.} d^{-_{0, 0} .Math. w} (\mod p - 1) . & (73) \end{matrix}$

(165) Raising a and d to (p1)/2.sup..sup.0 modulo p1 produces

(166) 0 $\begin{matrix} _{0}^{_{0, 0} .Math._{0}^{_{0}}}_{0}^{-_{0, 0} .Math._{0}^{w_{0}}} (\mod p - 1) . & (74) \end{matrix}$
Compare with (26).

(167) The procedures which were used to produce .sub.0 and v, can be repeated.

IX. CONCLUSION

(168) The procedures described in Sections III through VII above were designed to determine v given p and the pair (a, d). The integer is related to x through (11), (9), (8) and (7) that is through , t, s, and r.

(169) To determine the execution time of the proposed algorithm, note that each one of such operations as multiplication, exponentiation, calculation of inverses and solution of linear congruences has an execution time not exceeding log.sup.2 m, where m is the modulus of the operation. Also, the number of operations to be executed modulo p or modulo p is of the order of log log p. Therefore, the total execution time is of an order which does not exceed log log p.Math.log.sup.2 p.

APPENDIX

Notes on Orthogonal Primitives

I. An Example

(170) Let
a.sup.xb(mod 71),(A.1)
where a and b are primitive roots modulo 71.
Then x is an element of the set X, containing all the integers which are relatively prime to p1=70=2.Math.5.Math.7.

(171) The order of X is (70)=(5).Math.(7)=24. The exponent of X is e(X)=1 cm (4, 6)=12. Then X can be described as the direct product of a cyclic subgroup of order 2 and a cyclic subgroup of order 12 as follows:
X=C.sub.1(2)C.sub.2(12).(A.2)

(172) Also, the elements of X can be represented by using orthogonal primitives. In this case, given a selection of .sub.1(mod 7) and .sub.2(mod 5), .sub.1(mod 70) and .sub.2(mod 70) can be computed by letting

(173) $\begin{matrix} \begin{matrix} _{1} = I +_{1} .Math. \frac{p - 1}{7} \\ =_{1} +_{1} .Math. 7 \end{matrix} & (A .3) \end{matrix}$
and

(174) $\begin{matrix} \begin{matrix} _{2} = 1 +_{2} .Math. \frac{p - 1}{5} \\ =_{2} +_{2} .Math. 5. \end{matrix} & (A .4) \end{matrix}$

(175) For .sub.15(mod 7) and .sub.23(mod 5), it will be .sub.161(mod 70) and .sub.243(mod 70). Then
x61.sup.x.sup.1.Math.43.sup.x.sup.2(mod 70).(A.5)

(176) FIG. 2 shows the elements of X as intersections of vertical and horizontal straight lines through 61.sup.x.sup.1(mod 70) and 43.sup.x.sup.2(mod 70), respectively.

(177) It is apparent that the elements on a vertical line (constant x.sub.1) are congruent to one another modulo 14=2.Math.7. Likewise, the elements on a horizontal line are congruent to one another modulo 2.Math.5=10.

(178) Also, each elements of X is a product of its horizontal and vertical components. Thus, 6711.Math.57(mod 70).

(179) Different selections of the primitives .sub.1 and .sub.2 would cause appropriate permutations of the vertical and horizontal lines, respectively.

(180) Observe that, by (A.3) and (A.4),

(181) $\begin{matrix} {\begin{matrix} \frac{70}{7} .Math._{1} \frac{70}{7} .Math._{1} .Math. (mod70) \\ \frac{70}{7} .Math._{2} \frac{70}{7} (mod70) \end{matrix} . & (A .6) \end{matrix}$

(182) Therefore, raising (A.1) to 10 (modulo 71) yields

(183) $\begin{matrix} {(a^{10})}^{5^{x_{1}}} b^{10} (\mod 71) . & (A .7) \end{matrix}$

(184) Likewise, raising (A.1) to 14 (modulo 71) yields

(185) $\begin{matrix} {(a^{14})}^{3^{x_{2}}} b^{14} (\mod 71) . & (A .8) \end{matrix}$
Therefore, in the example, x.sub.2 and x.sub.1 can be determined independently of each other.

II. Discrete Logarithms Modulo p1

(186) The congruence (14) defines the relationship between a.sup. and d.sup.w which is repeated here:
a.sup..Math.d.sup.w1(mod p1).(75)

(187) It is convenient to develop a simple relationship between the integers a and d which does not refer to the variations of the pair (, w). Specifically, when =1 or w=1, such a relationship can be stated as

(188) $\begin{matrix} {\begin{matrix} v = 1 \\ a .Math. d^{W} 1 (\mod (p - 1)) \end{matrix} & (76) \end{matrix}$
or

(189) $\begin{matrix} {\begin{matrix} w = 1 \\ a^{U} .Math. d 1 (\mod (p - 1)) \end{matrix} . & (77) \end{matrix}$
Notice that
U.Math.W1(mod (p1)).(78)

(190) To develop U and W, it is convenient to represent and w using (19) and to partition the problem as in (26), which is repeated here:

(191) $\begin{matrix} _{i}^{_{i}^{v_{i}}}_{i}^{-_{i}^{w_{i}}} (modp - 1) . & (79) \end{matrix}$
Let w.sub.i, m denote the value of w.sub.i when .sub.i=0(mod (q.sub.i.sup..sup.i)). Then

(192) $\begin{matrix} _{i}_{i}^{-_{i}^{w_{i, m}}} (\mod p - 1) . & (A .9) \end{matrix}$
Likewise, let .sub.i, m denote the value of .sub.i when w.sub.i 0(mod (q.sub.i.sup..sup.i)). Then

(193) 0 $\begin{matrix} _{i}^{{_{i}}^{v_{i, m}}}_{i}^{- 1} (\mod p - 1) . & (A .10) \end{matrix}$
Consider the case when all the .sub.j's are congruent to zero modulo (q.sub.i.sup..sup.i). In this case, from (19),

(194) $\begin{matrix} a d^{- {.Math.}_{j = 1}^{h}_{j}^{w_{j, m}}} (\mod p - 1) . & (A .11) \end{matrix}$
Let

(195) $\begin{matrix} W = {.Math.}_{j = I}^{h}_{j}^{w_{j, m}} . & (A .12) \end{matrix}$
Then
ad.sup.W(mod p1).(A.13)

(196) Likewise, consider the case when all the w.sub.j's are congruent to zero modulo (q.sub.j.sup..sup.j). In this case

(197) $\begin{matrix} a^{{.Math.}_{j = 1}^{h}_{j}^{v_{j, m}}} d^{- 1} (\mod p - 1) . & (A .14) \end{matrix}$
Let

(198) $\begin{matrix} U = {.Math.}_{j = 1}^{h}_{j}^{v_{j, m}} . & (A .15) \end{matrix}$
Then
a.sup.Ud.sup.1(mod p1).(A.16)

III. THE ORDER OF 0=4.Math.ODD+1 MODULO 20

(199) When .sub.0=4.Math.ODD+1, the order of .sub.0 modulo 2.sup..sup.0 equals 2.sup..sup.0.sup.2:

(200) $\begin{matrix} _{0}^{2^{{.Math.}_{0} - 2}} 1 (\mod 2^{{.Math.}_{0}}) . & (A .17) \end{matrix}$

(201) Consider the case when .sub.0=4.Math.ODD+1. Then

(202) $\begin{matrix} {\begin{matrix} _{0} & 4 .Math. (2 .Math. k + 1) + 1 (\mod 2^{{.Math.}_{0}}) \\ 1 + 2^{2} + 8 .Math. k (\mod 2^{{.Math.}_{0}}) \\ _{0}^{2} & 1 + 2^{3} + 16 .Math. k_{1} (\mod 2^{{.Math.}_{0}}) \\ _{0}^{4} & 1 + 2^{4} + 32 .Math. k_{2} (\mod 2^{{.Math.}_{0}}) \\ .Math. \\ _{0}^{2^{{.Math.}_{0} - 3}} & 1 + 2^{{.Math.}_{0} - 1} (\mod 2^{{.Math.}_{0}}) \\ _{0}^{2^{{.Math.}_{0} - 2}} & 1 (\mod 2^{{.Math.}_{0}}) \end{matrix} . & (A .18) \end{matrix}$
(k, k.sub.1, k.sub.2 integers).

(203) Notice that the integer .sub.0,0 1+2.sup..sup.0.sup.1 cannot be produced as a power of .sub.0.

III. ATTACHMENT

(204) There exist several variations of encryption systems based on the difficulty of computing discrete logarithms modulo a prime. In the core system the participants share the knowledge of a prime p and one of its primitives, usually denoted as a. All the participants publish their own address c.sub.P, which they compute as c.sub.P=a.sup.m.sup.p, where m.sub.p is a random integer which is known to the addressee only.

(205) Any participant who wishes to communicate confidentially with any other participant, say with participant B, transmits to the addressee B a pair of integers denoted as (R, S), where

(206) ${\begin{matrix} R = a^{r} \\ S = message .Math. c_{B}^{r} \end{matrix},$
where r is a random number selected by the sender.
The receiver retrieves the message by computing

(207) $\begin{matrix} \frac{S}{R^{m_{B}}} = message .Math. \frac{a^{r .Math. m_{B}}}{a^{r .Math. m_{B}}} \\ = message \end{matrix} .$

(208) The only other persons who can retrieve the message are the persons who know m.sub.B or can compute m.sub.B as the discrete logarithm of c.sub.B in base a.

(209) Although the invention has been described in detail in the foregoing embodiments for the purpose of illustration, it is to be understood that such detail is solely for that purpose and that variations can be made therein by those skilled in the art without departing from the spirit and scope of the invention except as it may be described by the following claims.

REFERENCES, ALL OF WHICH ARE INCORPORATED BY REFERENCE HEREIN

(210) [1] T. M. Apostol, Introduction to Analytic Number Theory, New York, N.Y.: Springer-Verlag, 1976. [2] G H. Hardy, E. M. Wright, An Introduction to the Theory of Numbers, Oxford, UK: Clarendon Press, 1979. [3] S. C. Pohlig, M. E. Hellman, An Improved Algorithm for Computing Logarithms over GF(p) and its Cryptographic Significance, IEEE Trans, Inform. Theory, Vol IT-24, pp. 106-110, 1978.

Method, software and apparatus for computing discrete logarithms modulo a prime

Assignee

Inventors

Cpc classification

Classification Explorer

G06F17/11

PHYSICS

Classification Explorer

G06F7/4833

PHYSICS

Classification Explorer

G06F7/72

PHYSICS

Classification Explorer

G06F7/556

PHYSICS

Classification Explorer

G06F7/552

PHYSICS

International classification

Classification Explorer

H04L9/12

ELECTRICITY

Classification Explorer

H04L9/28

ELECTRICITY

Classification Explorer

G06F7/556

PHYSICS

Classification Explorer

G06F7/552

PHYSICS

Classification Explorer

G06F7/72

PHYSICS

Classification Explorer

G06F7/483

PHYSICS

Abstract

Claims

Description