2

Here is a DLP exercice

$g = 51234,\; h = 90403 ,\; N = 311 \cdot 359 = 111649$.

Define $r$ as the smallest positive integer with $g^r \equiv h \pmod N$.

Define $s$ as the smallest positive integer with $h^s \equiv g \pmod N$.

(Here, $r=33497$ and $s=27663$ ).

Questions:

If one looses some bits of $(r,s)$ can they be recovered? (do not use brute-force attack)

In other words: with the following information:

$\quad g=51234,\; h=90403,\; N=311 \cdot 359 = 111649\\ \quad r=3@497,\; s=276@3$

how can one recover the missing digits '$@$' ?

Editor's note: It emerged this is part of a complete problem.
The original statement is ambiguous about the minimality of $s$, has a typo in the value of $N$, and uses $\mathrm{gr}$ and $\mathrm{hr}$ where there is now $r$ and $s$, per the notation in this answer.

fgrieu
  • 149,326
  • 13
  • 324
  • 622

1 Answers1

2

I suppose (for simplicity but it can be generalized I think) that the missings bits of $r$ and $s$ are the least significant bits. So, we have: $$ \begin{array}{lll} r = r_12^u + r_0&\text{with}&g^r \equiv h \pmod N \\ s = s_12^v + s_0&\text{with}&h^s \equiv g \pmod N, \end{array} $$ with $r_0 < 2^u$ and $s_0 < 2^v$ unknown.

Using the relation between $g$ and $h$, we can get the following relation: $$ h^{rs-1} = 1 \mod N. $$ The order of the multiplicative group $\mathbb Z/N\mathbb Z$ is $\varphi(N)$. Given the factorization of $N$, as in your example, this value is known and there exists $k\in\mathbb Z$ such that: $$ rs - 1 = k \varphi(N). $$ Let's call $x$ and $y$ the unknown part of $r$ and $s$ and we look at the precedent equation mod $\varphi(N)$ to get rid of $k$ and we have an equation in two variables: $$ (r_12^u +x)(s_12^v + y) - 1\equiv 0 \mod \varphi(N). $$ If the size of the unknwown part of $r$ and $s$ are not too big, then the Coppersmith technique in two variables (using lattice) may be used to recover those part. Lot of information here.

fgrieu
  • 149,326
  • 13
  • 324
  • 622
corpsfini
  • 36
  • 1