Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [pohlig-hellman]

In group theory, the Pohlig–Hellman algorithm sometimes is a special-purpose algorithm for computing discrete logarithms in a multiplicative group whose order is a smooth integer.

In group theory, The Pohlig–Hellman algorithm sometimes is a special-purpose algorithm for computing discrete logarithms in a multiplicative group whose order is a smooth integer.

40 questions
9
votes
0 answers

Parity of the order of a element

Given an element $g$ in a cyclic group $G$ of known order $m$ its easy to test if $g$ has even or odd order. In other words $\textrm{ord}(g) \bmod 2$ can be computed easily. In some cases where the order of the group is unknown it is also easy to…
duckstar
  • 269
  • 1
  • 6
6
votes
0 answers

Cryptographically Secure Elliptic Curve

What are the properties a cryptographically secure Elliptic Curve must have? I have started to create a list and wanted to know if I forgot some important points, and if it is correct so far: A curve $E$ over a finite field $\mathbb{F}_q$ with…
Luca
  • 211
  • 1
  • 6
5
votes
2 answers

iterated discrete log problem

Consider the following problem: given $g_1 \ldots g_i,h_1 \ldots h_i \in G$, $\forall i$ find $x_i$ such that $g_i^{x_i}=h_i$ For $i=1$ this is the discrete log problem and is assumed to to have some level of security based on the order of $G$…
imichaelmiers
  • 1,644
  • 10
  • 13
5
votes
1 answer

Discrete logarithm modulo a smooth number

I am solving the discrete logarithm problem modulo $N$. $N$ is a composite number, I found its factors — lots of small primes and two big primes ($> 2^{50}$). Does the factorization of $N$ somehow help me? I think I could compute the logarithm…
Ding
  • 51
  • 1
  • 2
4
votes
3 answers

Pohlig-Hellman: While solving in a subgrp, why is multiplication done mod the parent group's $p$ while the exponent is expanded as per $p_i$ of subgrp

In the Pohlig-Hellman algorithm, we take a Discrete Log Problem (DLP) in a group & solve it in subgroups $p_1^{n_1}$, $p_2^{n_2}$, $p_3^{n_3}$ etc & then combine it with the Chinese Remainder Theorem (CRT). The original DLP is $\bmod p$ & the order…
user93353
  • 2,348
  • 3
  • 28
  • 49
4
votes
1 answer

Pohlig Hellman and small subgroup attacks

While studying Curve25519 I read about the small subgroup attack in chapter 3. So far i know, that you need a point with a small subgroup to do such an attack. Curve25519 has a basepoint with prime order, therefore it is resistent. My question is:…
Titanlord
  • 2,812
  • 13
  • 37
4
votes
1 answer

Discrete logarithm weak group

I'm looking for weak groups in discrete logarithm, that $x$ can be extracted from $Y$ in polynomial time where $Y \equiv g^x \pmod{p}$ . I thought one way is to produce a prime $p$ that $p-1$ is an smooth integer which then makes discrete logarithm…
Mehran Torki
  • 302
  • 2
  • 13
4
votes
1 answer

Pollard's Lambda algorithm ecdlp with Pohlig Hellman

I'm trying to solve the ECDLP problem given an elliptic curve defined over a prime field. This prime is large (about 256 bits). I managed to factor the order of the curve, and most of the prime factors were smooth, but two of the factors weren't,…
user45694
  • 41
  • 2
4
votes
1 answer

32-bit or 16-bits elliptic curves

I would like test vectors for 32-bit or 16-bits elliptic curves like $[p, a, b, G, n, h]$ , to test the Pohlig-Hellman algorithm in order to attack ECDLP over a finite prime field $F_p$. Does anybody know a method to generate small $F_p$…
YIdirm
  • 53
  • 4
3
votes
1 answer

How to factorize the group order in Pohlig-Hellman algorithm

The Pohlig-Hellman algorithm is for computing discrete logarithms in a group whose order is a smooth integer. This algorithm requires the factorization of the group order. However we know that factorization of big number is a hard problem. So how…
Liang Chen
  • 41
  • 1
3
votes
1 answer

Excluding specific factors for Pohlig-Hellman

I want to use Pohlig-Hellman and BSGS to solve the discrete log of an Elliptic Curve which has a composite order generator. The tricky part is, one of the composite factor groups is large (99bits), so I want to exclude it from the…
Woodstock
  • 1,454
  • 1
  • 15
  • 26
3
votes
1 answer

Encryption and decryption example using the Pohlig-Hellman Exponentiation Cipher

Let $n=11, d=3, e=7$ and $M=3$. Encryption: M = BSK B -> 1 , S -> 18 -> k -> 10 M1 => C1 = 1^7 mod 11 = 1 M2 => C2 = 18^7 mod 11 = 6 M3 => C3 = 10^7 mod 11 = 10 C = 1 6 10 <=> 1=>B, 6=>G 10=>K Decryption: C1 => M1 = 1^3…
user48610
  • 31
  • 1
  • 2
3
votes
1 answer

RSA Duplicate-Signature Attack

I'm trying to duplicate an RSA signature, and am having trouble at the last couple of steps. I'll detail what I've tried. I used OpenSSL to generate some 128-bit RSA parameters. Here are my public modulus and exponent: N =…
user47922
3
votes
1 answer

Combining Hellman Pohlig with Sieve

Suppose integer $m$ has $\phi(m)=2pq^5r^2$ where $p,q,r$ are primes. Hellman-Pohlig says that finding discrete log $z\bmod p$, $z\bmod q^5$, $z\bmod r^2$ and $z\bmod 2$ suffices to find $z\bmod\phi(m)$ in $g^z=h\bmod m$. It could be that $p,q^5,r^2$…
Turbo
  • 1,045
  • 6
  • 15
3
votes
1 answer

How to protect from Silver–Pohlig–Hellman algorithm

I read that Silver–Pohlig–Hellman algorithm solves the discrete logarithm with prime module $p$ in $O(\log^2(p))$ if $p-1$ is a smooth number. This seems pretty fatal for cryptography, since it is a polynomial over the key length, right? So my…
jederik
  • 165
  • 4
1
2 3