Cryptology ePrint Archive: Report 2012/458

Computing small discrete logarithms faster

Daniel J. Bernstein and Tanja Lange

Abstract: Computations of small discrete logarithms are feasible even in "secure" groups, and are used as subroutines in several cryptographic protocols in the literature. For example, the Boneh--Goh--Nissim degree-2-homomorphic public-key encryption system uses generic square-root discrete-logarithm methods for decryption. This paper shows how to use a small group-specific table to accelerate these subroutines. The cost of setting up the table grows with the table size, but the acceleration also grows with the table size. This paper shows experimentally that computing a discrete logarithm in an interval of order l takes only 1.93*l^{1/3} multiplications on average using a table of size l^{1/3} precomputed with 1.21*l^{2/3} multiplications, and computing a discrete logarithm in a group of order l takes only 1.77*l^{1/3} multiplications on average using a table of size l^{1/3} precomputed with 1.24*l^{2/3} multiplications.

Category / Keywords: public-key cryptography / discrete logarithms, random walks, precomputation

Date: received 12 Aug 2012, last revised 20 Sep 2012

Contact author: tanja at hyperelliptic org

Available format(s): PDF | BibTeX Citation

Version: 20120920:125951 (All versions of this report)

Short URL: ia.cr/2012/458

Discussion forum: Show discussion | Start new discussion