Pollard RHO Algorithm Implemented To Discrete Log With Lucas Sequences

International Journal on Recent and Innovation Trends in Computing and Communication
Volume: 4 Issue: 3
ISSN: 2321-8169
226 - 231
______________________________________________________________________________________
Pollard RHO algorithm implemented to Discrete Log with Lucas sequences

P. Anuradha Kameswari*,
T. Surendra
Department of Mathematics,
Andhra University,
Visakhapatnam 530 003, India
panuradhakameswari@yahoo.in,
Department of Mathematics, GIT

GITAM University,
Visakhapatnam 530 045, India
surendrat@gitam.edu
*
*
Abstract - The Diffie - Hellman problem may be used securely over the multiplicative group Fp, (Z/nZ) and the group of rational points on an
elliptic curve over a finite field. These groups involve large key sizes or expensive arithmetic operations. In the paper [17] paper we considered
the group of Lucas sequences and described the generalization of discrete log problem with the group of Lucas sequences and adapted the babystep giant-step algorithm to the generalization and for the computations we gave an algorithm to fast computing methods for lucas sequences
based on the idea proposed by P.J.Smith. In this paper we consider the group of Lucas sequences and implement the pollard rho algorithm to the
generalization of discrete log problem to the group of Lucas sequences. For the computations we implement with fast computing algorithm.
Key words - Discrete Log Problem, Lucas Sequences, Pollard rho algorithm.
__________________________________________________*****_________________________________________________
I.
INTRODUCTION
The development of public key cryptography due to

Diffie and Hellman is based on using discrete logarithm as
one way function. The discrete logarithm problem in finite
*
fields F is based on the fact that Fp is cyclic and if g is any
p
*
a
generator every element of Fp is g for some non negative
*
integer a. For the discrete log problem in (Z/nZ) we
consider the generator g of a cyclic subgroup or a primitive
root g mod n. More generally the discrete log problem may
be discussed in any group with the group law in place of
multiplication. In the paper [17] we described the
generalisation of the discrete log problem in the finite
*
*
groups of the form Fp or (Z/nZ) to the discrete log in group
L(, N) of Lucas sequences and look at the possible
extension of the Baby-Giant extension. In this paper we
consider the group of Lucas sequences and implement the
pollard rho algorithm to the generalization of discrete log
problem to the group of Lucas sequences. For the
computations we implement with the algorithm for fast
computing method proposed in our paper [17] which is
based on idea in [11] by P.J.Smith.
A. Discrete Log Problem
Public key cryptography based on the difficulty of
discrete log problem due to Diffie- Hellman is a protocol
used for key exchange in a classical cryptosystem and also
used in public key cryptosystems like ElGamal
cryptosystem.
*
Definition 1. Let G be a finite group of the form (Z/nZ) or
*
Fq and b be a fixed element of G, if y is any element of G of
x
the form y=b for some x. Then the problem of finding the x
given y is called the discrete logarithm problem. We write
y
x=logb and x is called discrete logarithm of y to the base
b.[9]
*
*
Example 1. Let G=Z17and take b=3 the generator of Z17
*
then the discrete log of 13 to base 3 in Z17 is x such
that3x13(mod17), note for x=4, 3413(mod17).
*
Example 2. Let G=Zp for p=1999 and take b=3 the
generator of G then the discrete log of 1452 to base 3 is x
such that 3x1452(mod1999). Note in this example
computing that x=789 is difficult but computing
37891452(mod1999) is easy by adapting the modular
exponentiation method.
Diffie-Hellman key exchange: The Diffie-Hellman
protocol works as follows. A and B wish to agree on a
common secret key to communicate over an insecure
channel. A chooses a large prime p and an integer g such
that 2pp-2 and an integer a{0,1, p-2} randomly, then
a
he computes g mod p and makes (p,g,ga) public. B chooses
b
an integer b{0,1, p-2} randomly, then he computes g
mod p and makes (p,g,gb) public. Then they agree upon the
ab
k=g modp as the common shared secret key.
226
IJRITCC | March 2016, Available @ http://www.ijritcc.org
_______________________________________________________________________________________

Volume: 4 Issue: 3
ISSN: 2321-8169
226 - 231
______________________________________________________________________________________
To compute the discrete log there are algorithms likes Trial
exponentiation, Shanks Baby -Step Gaint-Step Method,
Pollards rho method, Pohlig- hellman method, Index
calculus method etc. The earliest method for finding the
discrete logarithm x from =gx(DLP) is to check whether
x=0,1,2,3, satisfy DLP. If one of these x values satisfy
then Discrete Logarithm is found. This is the Trial
exponentiation. It needs enumeration of x-1 multiplications
and x comparisons in the group and the three elements x, g
x
and g need to be stored. [2, 4]
Example 3. The Discrete Logarithm of 3 to the base 5 in
*
(Z/2017Z)
with
enumeration
of
1029 multiplications modulo 2017 yields x=1030.
To compute the discrete log there are algorithms likes
Trial exponentiation, Shanks Baby -Step Gaint-Step
Method, Pollards method, Pohlig-hellman method, Index
calculus method etc. In this section we recall the Pollard rho
*
*
method for discrete log in Fp or (Z/nZ) . Shanks Baby-step
Giant-step method require more storage approximately |G|
group elements for finding solution of discrete log Problem
where as Pollard rho method requires less storage than the
storage required in Shanks Baby-step Giant-step method.
The running time of both the methods is same, namely
O |G|. The pollard rho method is based on the following
theorem on groups.
Theorem 1. Let G be a group and g be any element of G of
order
n
then
for
any
integers
k,
l
l
k
g =g iff lk mod n.
The Pollard rho algorithm : To determine discrete log to
the base in the group G with generator . Divide the group
G into three pairwise disjoint subsets G1, G2 and G3 with G
= G1G2G3. Let f:GG be defined by
if G1
f ( ) 2 if G2
if G
3
Select a random number x0 in the set {1,2,...n} and calculate

the group element
0 x .Then calculate the sequence

0
{i} by the recursion formula i+1=f(i). Then note the

above sequence elements can be written as
i x y
i
i0. Note y =0 and

0
xi 1
xi 1 mod n if G1
2 xi mod n if G2
x
if G3
i
and
yi 1
yi
2 y i
mod n
y 1 mod n
i
if G1
if G2
if G3
Since the group G is a finite group and as {i}G, there

exist repetitions in {i} i.e. two elements in the sequence
{i} must be equal. i.e. for i0 and k1 with i+k={i}. This
implies that
xy x y
i
x x
i
ik
ik
ik
yi k yi
x x
x ( yi k yi )
( xi xi k ) x( yi k yi ) mod n
i
ik
by the above corollary.

If gcd (yi+k - yi, n) =1 then yi+k - yi is invertible, the above
congruence
has
unique
solution.
If
gcd (yi+k - yi, n)1 then the congruence solution is not
unique, the discrete logarithm can be found by testing the
different possibilities, then the algorithm is applied again
with a different initial x0.
To estimate the number of elements i that should be
calculated before a match is found (i.e. a pair (i, i+k) of
indices for which i+k=i, for this purpose, we use the
birthday paradox. Here O( |G|) sequence elements are
sufficient to make the probability for a match greater than
1/2.
In Shanks baby-step giant -step algorithm, the number
of elements of the sequence is the order of the magnitude
|G| where as in Pollard rho algorithm it is sufficient to
store a simple triple (i, xi, yi) and if at a certain point in the
algorithm (i, xi, yi) is stored, after that (j, xj, yj) is
calculated for j=i+1,i+2,... till either a match is found. Hence
Pollard rho algorithm is more space efficient than the Babystep Giant Step algorithm.
Example 4: To determine the discrete log of 26 to the base
3 in (Z/227)*, =3 is the generator of G=(Z/227)* to find x
x
such that 26=3 mod 227.
Select a random x {1,2,...26}. Let x =79;

0
0
x
0 =g 0=379186 mod 227.
G=G1G2G3={1,2,3,...75}
{76,77,78,...150}
{150,151,152,...226}.
The stored triplets are given as

227
_______________________________________________________________________________________

Volume: 4 Issue: 3
ISSN: 2321-8169
226 - 231
______________________________________________________________________________________
TABLE I
II. LUCAS SEQUENCES
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
186
69
207
161
100
12
36
108
87
78
182
192
225
175
10
30
90
79
79
80
80
80
160
161
162
98
196
166
166
166
166
166
167
168
0
1
1
2
3
6
6
6
12
24
48
49
50
51
52
52
52
17
155
110
104
18
171
110
105
19
133
110
106
20
210
220
212
21
12
220
213
Here collisions are found for 5=21 with gcd (y21y5,
226)=1=gcd (207, 226)=1. To compute x we must solve the
congruence (x5 x21) (y21 y5)x (mod 226), substitute the
collision value we have
(160-220)(213-6)x (mod 226).
-60207x (mod 226)
166(207)-1x (mod 226)
166X107x (mod 226)
17762x (mod 226)
x=134
Therefore x=134 is the discrete log of 3 to the base 26 in
(Z/227Z)*.
Observation: Here if we continue to find iterations for
i=0,1,2,... we found collision for 5=21 with
(y21 y5, 226)=1 and solution exist for DLP, where as if we
check for collision for i=2j, j=0,1,2,3,..., collision exist for
16=32. So we can reduce the number of iterations and we
can reduce time to find solution. For the first match if
solution does not exit for the discrete log problem, we can
find the solution, instead of choosing another initial x 0 if
there occurs one more collision provided that the y s
i
difference of corresponding collisions must be coprime.
Lucas sequences are widely used in cryptography.

There are RSA like Elgamal like cryptosystems based on
Lucas sequences. Lucas sequences are also used in the
cryptanalytic study. In this section we introduce the group of
lucas sequences and some basic properties of the group and
the fast computation algorithm for the lucas sequences then
describe the implementation of Pollard rho method to
discrete log with Lucas sequences. This gives a wider
crossectional view in the study of attacks on extended
discrete logarithms.[11]
Definition 2 Let a and b be two integers and a root of the
polynomial x2-ax+b in Q(
writing
) for =a2-4b a non square,
a
a
and its conjugate
we
2
2
have +=a, =b, -= and the Lucas sequences

{Vn(a,b)}and {Un(a,b)}, n0 are defined as
Vn (a, b) n n
n n
U n (a, b)
Lucas sequences satisfy the following relations:

1. V2n(a,b) = (Vn(a,b))2 2bn
2. V2n-1(a,b) = Vn(a,b)Vn-1(a,b) abn-1
3. V2n+1(a,b) = a(Vn(a,b))2-bVn(a,b)Vn-1(a,b) abn
4. (Vn(a,b))2= (Un(a,b))2+4bn
5. Vkm(a,b) = Vk(Vm(a,b), bk)
6. Ukm(a,b) = Uk(Vm(a,b), bk)Um(a,b)
7. Vk+m(a,b) = 1 (Vk(a,b)Vm(a,b)+ Uk(a,b)Um(a,b))
2
1
8. Uk+m(a,b) = (Uk(a,b)Vm(a,b)+ Um(a,b) Vk(a,b))
2
A. Modular Computations with the Lucas sequences
Let
N p1e1 ... prer , pis odd primes and define the function
r
e 1

S(N)=lcm pi i ( pi ( )) .[8, 11]
pi i 1
Theorem 2 For
N p1e1 ... prer and pi does not divide ,
then
U S ( N ) t (a,1) U 0 (a,1) 0 mod N
VS ( N ) t (a,1) V0 (a,1) 2 mod N for some
int eger t and pi does not divide 2.
228
_______________________________________________________________________________________

Volume: 4 Issue: 3
ISSN: 2321-8169
226 - 231
______________________________________________________________________________________
B. Group Structure on Lucas sequence
Let N be an integer, and a be an an integer such that for
=a2-4 the gcd (, N)=1. Denote the pair (Vk(a,1) mod N,
Uk(a,1) mod N) by (V K,Uk) and consider the set L(,N) =
{( Vk, Uk) mod N: k0} then for all (Vk,Uk), (Vm,Um)
L(,N) we define an operation on L(,N) as follows :
Step 3: For i from 0 to t do

c2c
c-2c1
V2c Vc2 2
V2c1 Vc Vc V1
Vc V2c
Vc- V2c1
if x =1
i
then c2c+1
c-2c
(V ,U )(V ,U )=(V
,U
)
k k
m m
k+m k+m
Theorem 3 L(,N) forms an abelian group with respect to
operation defined as (V ,U )(V ,U )=(V
,U
)
k k
m m
k+m k+m
with (V ,U ) as the identity and for any (V k,,Uk)L(,N),
0 0
(V(S(N)-1)k, U(S(N)-1)k ) is the inverse of (V ,U ).
k k
III. FAST COMPUTATION METHOD FOR V
Theorem 4 For any integer m, with the binary expression

given as e
x 2
t 0
ek xi 2
t 0
k i
t i
V2c Vc 2
2
Vc V2c+1
Vc V2c
else c2c
c 2c1
For the computations we use the algorithm for fast

computing method proposed in our paper [17] which is
based on idea in [11] by P.J.Smith. This fast computation
method to compute the lucas sequences V , leads to the
e
computation of V with no ambiguity of adding or doubling
m
at each stage right from V by using the above recursive
1
formulas [8,12]. The algorithm for this fast computation is
as follows:
V2c+1 V1 Vc VcVc V1
IV. DISCRETE LOG WITH LUCAS SEQUENCES

Let L(, N) be the group of Lucas sequences with =a24 mod N, then for any (V,U) L(,N) if
V=Vm(a,1) given V and a to find m is the discrete log
problem of Lucas sequences and m may be called the
discrete log of V to the base a in L(,N).[13]
4.1 Diffie Hellmann protocol with Lucas sequences
L(,N) be
=a2-4 mod N.
group
of
Lucas
sequences
for
, x0=1, xi=0 or 1, for i0. If
, for 0kt, such that et=e,e0=1
then
if x k 1 0
2ek
2ek 1 if x k 1 1.
ek+1 =
The algorithm for fast computation method for computing

the Lucas sequences V (a,1)modN is as follows: Let a
e
be an integer modulo N, we initialize with V (a,1)=a to
1
obtain the result Ve(a,1).
1. A and B generate m, nZS(N) the secret keys

respectively and calculate their respective public
keys PA and PB as PA=Vm(a,1) and PB=Vn(a,1).
2. A and B exchange their public keys (a, P A) and (b,
PB).
3. A receives P from B and calculates K = Vm(PB, 1)=
B
Vn(Vn(a,1), 1)= Vmn(a,1))..
4. B receives P from A and calculates K = Vn(PA,
A
1)=Vn(Vm(a,1),1)= Vnm(a,1)= Vnm(a,1).
5. Then A and B agree upon K=Vmn(a,1) as the shared
secret key.
Pollard rho algorithm on Discrete Log Problem with
Lucas Sequences:
Algorithm:
Step 1: Write the binary expression of e as
e xi 2 t i , x0=1
To employ Pollard rho method to the discrete log

problem with Lucas sequences :
Step 2: Initialize the values V =V (a,1)

c 1
To solve the discrete log of V to the base a in the group

L(,N). We take =(V1(a, 1),U1(a, 1))= (a,1) then note
L(,N) is generated by . Divide the group L(,N) into three
pairwise subsets G , G and G . Define Select a random
1 2
3
t 0
Vc V12 2Vc 2
229
_______________________________________________________________________________________

Volume: 4 Issue: 3
ISSN: 2321-8169
226 - 231
______________________________________________________________________________________
x {1,2,...S(N)}
0
2
Example 5: Let N=17, a=5 and b=1 then =a -
(Vx0 (a,1), U x0 ( a,1)) which is an element in the group
4=21(mod17)=4, = 2 or 15, -1 = 13 and S(N)=171=16. In G=L(, N) given =(a,1)=(5,1), (V,U)=(8,7). In the
number
and
calculate
L(,N) and given V= Vm(a,1) and we calculate U from the

U 2=
relation
V 2 4b 2
.
Then
take
(V,U)=
(Vm(a,1),Um(a,1)) L(,N) and define
Pollard rho method, to find m such that Vm (a,1)
have to find the pairs ( Vi (a,1), U i (a,1) (mod p) for

i=1,2,...S(N) in the group G. We find the group elements
(Vi,Ui), by using the following recursion formulas
if G1
f ( ) if G2
V if G
3
1.
2.
3.
Now we compute the sequence {i} by the recursion

x
y
formula i+1 =f() and then note i i i in L(,N)
4.
with
xi 1
xi 1 mod S ( N ) if G1
2 xi mod S ( N ) if G2
x
if G3
i
and
yi 1
yi
2 yi
mod S ( N )
y 1 mod S ( N )
i
if G1
if G3
(Vx0 (a,1), U x0 ( a,1)) (Vx0 (a,1), U x0 ( a,1)) (x times)

i
= (Vm (a,1), U m (a,1)) (Vm (a,1), U m (a,1)) (y times)

i
(Vx0 (a,1), U x0 ( a,1)) ...
(Vx0 (a,1), U x0 ( a,1)) (x times)
i
= (Vmy (a,1), U my (a,1)) (Vx (a,1), U x ( a,1))
i
= (Vx my (a,1), U x my (a,1))

i
i
i
i
Now as the group L(,N) is a finite group of order S(N) and
{i}L(,N) there are repetitions in the sequence {i}
therefore we have {i+K}={i} for some k, then i+k = i
(Vx
i k myi k
(a,1), U x
i k myi k
(a,1)) )
= (Vx my (a,1), U x my (a,1))

i
i
i
i
x +my mod S(N)
i+k
i+k
i
i
(xi+k - xi)m(yi yi+k) mod S(N)
From this relation we find m, where m is the discrete log of
V to the base a.
x
+my
V2n(a,b) = (Vn(a,b))2 2bn

V2n-1(a,b) = Vn(a,b)Vn-1(a,b) abn-1
V2n+1(a,b)
=
a(Vn(a,b))2-bVn(a,b)
Vn-1 (a,b) abn
2
(Vn(a,b)) = (Un(a,b))2+4bn and the operation
on L(, N).

0
0
0=(V2,U2)=(6,5).
G=G1G2G3={(2,0),(5,1),(6,5),(8,7),(0,13),
(9,7),(11,5)}{(12,1),(5,0),(12,16),(11,12),
(9,10)}{(0,4),(8,10),(6,12),(5,16)}.
if G2
i.e.,I=(V,U)...(V,U)(y times)
i
V , we
TABLE II
i
i=(Vi,Ui)
0
1
2
3
4
5
6
7
8
(6,5)
(8,7)
(0,13)
(9,7)
(11,5)
(12,1)
(6,12)
(5,1)
(6,5)
i
2
3
4
5
6
7
14
14
15
i
0
0
0
0
0
0
0
1
1
Here collisions are found for 0=8 with gcd(y8-y0, 16) =1.
To compute m value we have to solve the congruence (x0x8) (y8-y0)m(mod 16)
(2-15)(1-0)m(mod 16)
-13m(mod 16)
m=3.
Therefore (Vm,Um) =(V3,U3) =(8,7)= (V,U).
2
Example 6: Let N=7X11=77, a=8 and b=1 then =a -4=60,
= 26 or 37 or 40 or 51, -1 = 9 and S(N)=lcm {7-1, 11-1

}=30. In G=L(, N) given =(a,1)=(8,1), (V,U)=(15,8). In the
Pollard rho method, to find m such that Vm ( a,1) V , we have
to find the pairs (Vi (a,1), U i ( a,1)) (mod p) for i=1,2,...S(N) in
230
_______________________________________________________________________________________

Volume: 4 Issue: 3
ISSN: 2321-8169
226 - 231
______________________________________________________________________________________
the group G. We find the group elements (Vi,Ui), by using the
following recursion formulas
1. V2n(a,b) = (Vn(a,b))2 2bn
2. V2n-1(a,b) = Vn(a,b)Vn-1(a,b) abn-1
3. V2n+1(a,b) = a(Vn(a,b))2bVn(a,b)Vn-1(a,b) abn
4. (Vn(a,b))2= (Un(a,b))2+4bn and the operation on
L(, N).
0
0
0=(V ,U )=(15,36).
7 7
G=G1G2G3={(2,0),(8,1),(62,8),(26,63),(69,34),
(64,55),(58,21),(15,36),(62,36),(19,21)}
{(13,55),(8,34),(51,63),(15,8),(69,1),(75,0),
(69,76), (15,69), (51,14), (8,43)}{(13,22),
(62,41),(15,41),(58,56),(64,22),(69,43),(26,14),
(62,69),(8,76)}.
paper [17] which is based on idea in [11] by P.J.Smith. This

gives a wider crossectional view in the study of attacks on
extended discrete logarithms.
REFERENCES
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
TABLE III
i
i=(Vi,Ui)
0
1
2
3
4
5
6
7
8
9
(15,36)
(62,36)
(19,21)
(13,55)
(13,22)
(26,63)
(69,34)
(64,55)
(58,21)
(15,36)
i
7
8
9
10
20
20
21
22
23
24
i
0
0
0
0
0
1
1
1
1
1
Here collisions are found for 0=9 with gcd(y9-y0, 30) =1.
To compute m value we have to solve the congruence(x0
x9)(y9 y0) m(mod 30)
(7-24)(1-0)m(mod 30)
-17m(mod 30)
m=13.
Therefore (Vm, Um) =(V13,U13) =(15,8)= (V,U).
V CONCLUSION
[9]
[10]
[11]
[12]
[13]
[14]
[15]
[16]
[17]
J. Buchmann Introduction to cryptography", SpringerVerlag 2001.

Firas Layth Khaleel Al-ameen Data encryption using
multi-codes for one character, IJCNS journal VOL.10
No 9, September 2010.
Douglas R. Stinson Cryptography theory and practice
Second edition.
Gerhard Frey The arithmetic behind cryptography
AMS volume 57, Number 3.
Hans Delfs Helmut Knebl Introduction to
cryptography Principles and its Applications, second
edition.
Keith M.Martin,Rei Safavi-Naini, Huaxiong Wang and
Peter R.Wild Distributing the encryption and decryption
of a block cipher.
Neal Koblitz A course in number theory and
cryptography ISBN 3-578071-8,SPIN 10893308.
I.Niven,H.S. Zuckerman and J.H.Silverman An
Introduction to the Theory of Numbers, 5th ed., John
Wiley and Sons, New York, 1991.
Phillip Rogaway Mihir Bellare John Black Ted
KrovetzOCB: A block-cipher mode of operation for
efficient authenticated encryption.
P.Rogaway, M-Bellare,J.Black,T-Korvetz A Block
Cipher mode of operation for efficient authenticated
encryption Eighth ACM conference on computer and
communication security(CCS-8) ACM Press, 2001.
Peter J. Smith and Michael J.J. Lennon, A New Public
Key System LUC Partners, Auckland UniServices Ltd,
The University of Auckland, Private Bag92019m
Auckland, New Zealand.
K.H.RosenElementary number theory and its
applications Third eddition, Addison-Wesley.
Serge Vaudenay A classical introduction to
cryptography applications for commnication security
Springer International Edition.
William Stallings Cryptography and network security
principals and practice 5th ed..
Harry Yosh The key exchange cryptosystem used with
higher order Diophantine equations IJNSA VOL.3, 15.
No.2, March 2011.
Zuckerman, I.Niven and Hugh L.Montgomery An
Introduction to the Theory of Numbers, 5th ed., Wiley
Student Edition.
P.Anuradha Kameswari, T.Surendra and B.Ravitheja
Shanks Baby-Step Giant-Step Attack Extended To
Discrete Log with Lucas Sequences, IOSR Vol.12, 1st
version, PP 09-16, Jan.-Feb., 2016. .
In the paper [17] we described the generalisation of the

*
discrete log problem in the finite groups of the form Fp or
*
(Z/nZ) to the discrete log in group L(,N) of Lucas
sequences and look at the possible extension of the BabyGiant extension. In this paper we consider the group of
Lucas sequences and implement the pollard rho algorithm to
the generalization of discrete log problem to the group of
Lucas sequences. For the computations we implement with
the algorithm for fast computing method proposed in our
231
_______________________________________________________________________________________

Pollard RHO Algorithm Implemented To Discrete Log With Lucas Sequences

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Pollard RHO Algorithm Implemented To Discrete Log With Lucas Sequences

Caricato da

Copyright:

Formati disponibili

International Journal on Recent and Innovation Trends in Computing and Communication