2

Does the size of base, exponent, and modulus thwart the Giant-step/Baby-step algorithm in solving DLP using modular arithmetic or is it the use of a property of a particular prime as the modulus, or something else?

JohnGalt

2 Answers

3

The Discrete Logarithm Problem for a fixed public prime modulus $p$ and generator $g$ of multiplicative order $q$ in $\Bbb Z_p^*$ (that is, $q$ is the smallest positive integer with $g^q\bmod p=1$) asks, given $y$ obtained as $y\gets g^x\bmod p$ for a random unknown $x$ in $[0,q)$, to find that $x$ (which is unique).

The Baby Step/Giant Step algorithm solves that problem with $\mathcal O(\sqrt q)$ multiplications modulo $p$, ignoring the cost of memory and memory accesses. The cost of one multiplication modulo $p$ grows slightly slower than $\mathcal O((\log(p))^2)$.

Thus what "prevents the successful use of the Giant-step/Baby-step algorithm solving a discrete log problem implemented with modulo arithmetic" is mostly choosing $p$ and $g$ such that the multiplicative order $q$ of $g$ is large enough: at least twice the desired security level. Say, 256-bit for 128-bit resistance.

Update per comment: The Pohlig-Hellman DLP algorithm essentially attacks each prime factor of $q$ separately. Guarding against it is obtained by ensuring that at least one prime factor of the multiplicative order $q$ is at least twice the desired security level.

Further, due to yet other DLP algorithms (GNFS in particular), $p$ must be considerably larger than twice the desired security level (2048-bit $p$ should be a bare minimum nowadays).

The multiplicative order of any element in $\Bbb Z_p^*$ is always a divisor of $p-1$. Hence one way to ensure that $q$ is large and has a large prime factor is to choose prime $p$ as large as required per the above, and such that $(p-1)/2$ is also prime (that is, choose $p$ as a safe prime). It ensures $q$ is among $\{1,2,(p-1)/2,p-1\}$, and allows choosing $g$ leading to one of the two latter options (both used in practice), giving a huge security margin w.r.t. Baby Step/Giant Step (or Pollard's Rho) and Pohlig-Hellman combined.

Another option is to first choose $q$ (usually as a prime at least twice as wide as the security level), and build $p$ as a large enough (thus much larger) prime such that $q$ divides $p-1$; then construct $g$ of multiplicative order $q$. That builds a so-called Schnorr group. It is used in Schnorr signatures and similar schemes, including DSA, with the advantage of shortening the signatures.

fgrieu
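The sizing argument in the answer above, as an added example that is not part of the original answer: it computes the order $q$ of $g$ and the largest prime factor of $q$ for two toy moduli of similar size, then runs Baby Step/Giant Step to show the work tracks $\sqrt q$. The parameters ($p=2039$, a safe prime, and $p=2311$ with $p-1=2\cdot3\cdot5\cdot7\cdot11$) and all function names are constructed for illustration.

```python
from math import isqrt

def factor(n):
    """Prime factorisation by trial division (toy sizes only)."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def order(g, p):
    """Multiplicative order q of g in Z_p^*; always a divisor of p-1."""
    q = p - 1
    for r in factor(p - 1):
        while q % r == 0 and pow(g, q // r, p) == 1:
            q //= r
    return q

def audit(p, g):
    """Return (q, r): the order of g and the largest prime factor of q."""
    q = order(g, p)
    return q, (max(factor(q)) if q > 1 else 1)

def bsgs(g, y, p, q):
    """Find x in [0, q) with g^x = y (mod p); return (x, group operations)."""
    m = isqrt(q - 1) + 1                   # m = ceil(sqrt(q))
    table, e = {}, 1
    for j in range(m):                     # baby steps: store g^j -> j
        table.setdefault(e, j)
        e = e * g % p
    step, gamma = pow(g, -m, p), y         # giant step: multiply by g^(-m)
    for i in range(m):
        if gamma in table:
            return i * m + table[gamma], m + i
        gamma = gamma * step % p
    return None, 2 * m                     # y is not in the subgroup <g>

if __name__ == "__main__":
    # Constructed toy parameters: 2039 is a safe prime, 2311 - 1 = 2*3*5*7*11.
    for p, g in ((2039, 4), (2311, 3)):
        q, r = audit(p, g)
        x, ops = bsgs(g, pow(g, 777, p), p, q)
        print(f"p={p} g={g}: order q={q}, largest prime factor r={r}, "
              f"BSGS found x={x} in {ops} operations")
```

For the safe prime the largest prime factor of the order is 1019, while for 2311 it can be no more than 11 whatever $g$ is chosen, which is the case Pohlig-Hellman exploits.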
2

From Wikipedia:

  • The baby-step giant-step algorithm is a generic algorithm. It works for every finite cyclic group.

Therefore, one has to consider the key size considering the time complexity of the algorithm: $\mathcal{O}(\sqrt{n})$.

Note: the Number Field Sieve has better complexity, and the key lengths are calculated based on this.

kelalaka