3

Let's try to solve a discrete logarithm:

$\beta \equiv \alpha ^{x} \bmod \,\, p$

using the Pohlig-Hellman algorithm. Let's suppose that $p-1=tq$, where $q$ is a large prime number. This means that the resolution is probably infeasible; however, if $t$ is factorizable with small prime numbers, the algorithm can determine the discrete logs $\bmod t$ in an efficient way. But at this point, what do I do with the discrete logs $\bmod t$?

I am also having trouble understanding this passage:

Note that even if $p - 1 = tq$ has a large prime factor $q$, the algorithm can determine discrete logs mod $t$ if $t$ is composed of small prime factors. For this reason, often $\beta$ is chosen to be a power of $\alpha^t$. Then the discrete log is automatically $0$ mod $t$, so the discrete log hides only mod $q$ information, which the algorithm cannot find. If the discrete log $x$ represents a secret (or better, $t$ times a secret), this means that an attacker does not obtain partial information by determining $x \bmod t$, since there is no information hidden this way. This idea is used in the Digital Signature Algorithm, which we discuss in Chapter 9.


kelalaka
AleWolf

1 Answer

2

The point is that even though $p - 1 = tq$ may be large, the discrete log security of $(\mathbb Z/p\mathbb Z)^\times$ against Pohlig–Hellman depends on the size of $q$, not on the (possibly much larger) size of $p$ or $tq$. If $q$ is the largest prime factor, then the cost of computing discrete logs modulo $p$ is essentially at most the cost of computing order-$q$ discrete logs in Pohlig–Hellman. This is why, e.g., Schnorr groups are chosen to have an order with a large prime factor.

Squeamish Ossifrage
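The following Python example is added here and is not part of the question or the answer above. It runs Pohlig–Hellman on the smooth part only, showing that $x \bmod t$ is recovered when $\beta = \alpha^x$ and that nothing but $0$ comes out when $\beta$ is a power of $\alpha^t$. The parameters ($p = 1237$, $t = 12$, $q = 103$) are constructed toy values and all function names are made up for the illustration.

```python
# Added example with constructed toy parameters: p - 1 = t*q, t smooth, q prime.
P, T, Q = 1237, 12, 103            # 1236 = (2^2 * 3) * 103
T_FACTORS = [(2, 2), (3, 1)]       # prime-power factorisation of t

def find_generator(p, primes):
    """Smallest g of order p-1, given the distinct primes dividing p-1."""
    for g in range(2, p):
        if all(pow(g, (p - 1) // r, p) != 1 for r in primes):
            return g
    raise ValueError("no generator found")

def log_in_small_subgroup(g, h, order, p):
    """Brute-force k with g^k = h (mod p); feasible only because order is small."""
    acc = 1
    for k in range(order):
        if acc == h:
            return k
        acc = acc * g % p
    raise ValueError("h is not in the subgroup generated by g")

def crt(residues, moduli):
    """Combine x = r_i (mod m_i) for pairwise coprime m_i."""
    x, m = 0, 1
    for r, n in zip(residues, moduli):
        x += m * ((r - x) * pow(m, -1, n) % n)
        m *= n
    return x % m

def log_mod_t(alpha, beta, p=P, factors=T_FACTORS):
    """Pohlig-Hellman restricted to the smooth part: returns x mod t."""
    residues, moduli = [], []
    for r, e in factors:
        n = r ** e
        exp = (p - 1) // n           # raising to exp lands in the order-n subgroup
        g_n, h_n = pow(alpha, exp, p), pow(beta, exp, p)
        residues.append(log_in_small_subgroup(g_n, h_n, n, p))
        moduli.append(n)
    return crt(residues, moduli)

ALPHA = find_generator(P, [2, 3, Q])

def demo(secret=777):
    leaky = pow(ALPHA, secret, P)               # beta = alpha^x: x mod t leaks
    hidden = pow(pow(ALPHA, T, P), secret, P)   # beta = (alpha^t)^s: log is 0 mod t
    return log_mod_t(ALPHA, leaky), log_mod_t(ALPHA, hidden)

if __name__ == "__main__":
    print(demo())
```

The residue modulo $q$ is never touched here: recovering it would need a discrete log in the order-$q$ subgroup, which is the part whose cost the answer says determines security.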