A Deterministic Algorithm for the Discrete Logarithm Problem in a Semigroup
arXiv [cs.CC]
Simran Tinani, Joachim Rosenthal
January 28, 2021
Abstract
The discrete logarithm problem in a finite group is the basis for many protocols in cryptography. The best general algorithms which solve this problem have time complexity $O(\sqrt{N})$, where $N$ is the order of the group. If the order $N$ is unknown, an easy modification of such algorithms gives a complexity of $O(\sqrt{N} \log N)$. These algorithms require the inversion of some of the group elements, and so are not directly applicable to a semigroup, where inverses are not available. For semigroups, probabilistic algorithms with similar time complexity have been proposed. The main result of this paper is a deterministic algorithm for solving the discrete logarithm problem in a semigroup. Specifically, let $x$ be an element in a semigroup having finite order $N_x$. If $y \in \langle x \rangle$ is given, the paper provides an algorithm having time complexity $O(\sqrt{N_x} \log N_x)$ to find all natural numbers $m$ with $x^m = y$. The paper also gives an analysis of the success rates of the existing probabilistic algorithms, which were so far only conjectured or stated loosely.

1 Introduction

Let $G$ be a group and assume $x, y \in G$ are two elements of the group. We refer to $x$ as the base element. The discrete logarithm problem (referred to henceforth as DLP) asks for the computation of all integers $m \in \mathbb{Z}$ (assuming such integers exist) such that $x^m = y$. The DLP plays an important role in a multitude of algebraic and number theoretic cryptographic systems. Its use became prominent through the Diffie-Hellman protocol for public key exchange [6] and has since seen a tremendous amount of development, generalisations and extensions [11]. Many modern-day systems for public key exchange use the discrete logarithm problem in a suitable platform group. The most commonly used platform groups have been the multiplicative group of finite fields and the group of points on an elliptic curve.
The DLP in Jacobians of hyperelliptic curves and more general abelian varieties has also been studied extensively [5].

For a general finite group of order $N$, there exist algorithms that solve the DLP in $O(\sqrt{N})$ steps. Such algorithms are said to produce a square root attack. The most well-known examples are Shanks' Baby Step-Giant Step algorithm [18] and the Pollard-Rho algorithm [16]. Note that Shanks' algorithm is a deterministic algorithm having time complexity $O(\sqrt{N})$ group multiplications and space complexity $O(\sqrt{N})$ as well. In contrast, Pollard's algorithm is a probabilistic algorithm having time complexity $O(\sqrt{N})$ group multiplications and space complexity $O(1)$.

Elliptic curve groups have been widely implemented in practice since, for a carefully selected elliptic curve group, the best known classical algorithm for solving the DLP has running time $O(\sqrt{N})$, where $N$ is the group order. This is in contrast to many other finite groups, such as the multiplicative group of a finite field and the group of invertible matrices over a finite field, where algorithms with subexponential running time are known [1].

In cryptography, the Diffie-Hellman protocol using a finite group has been generalized to situations where the underlying problem is a discrete logarithm problem in a semigroup, or even to situations where a semigroup acts on a set [9, 10]. The interested reader will find more material in a recent survey by Goel et al. [7].

It is naturally interesting to ask whether the DLP also has a square root attack in more generalized structures such as semigroups. Here, we define a semigroup as any set of elements with an associative binary operation. Since the best algorithms for the DLP all make use of the existence of inverses, it is unclear whether they can be generalized to a semigroup. However, when a special type of semigroup element, called a torsion element, is used as the base, it turns out that the DLP is reducible in polynomial time to the DLP in a finite group.
A torsion element is one whose powers eventually repeat to form a cycle, and will be defined more precisely in Section 2. A semigroup in which every element is torsion is called a torsion semigroup.

The DLP in semigroups with a torsion base element, in a classical setting, was first discussed by Chris Monico [13] in 2002, and later in a paper by Banin and Tsaban [3] in 2016. While the discussion in the present paper is entirely on classical algorithms, it is also worth mentioning the paper [4], where the authors independently provide a quantum algorithm that solves the DLP in a torsion semigroup.

Both the algorithm of Monico and the one of Banin and Tsaban are probabilistic and might fail with very low probability. It is therefore of interest to come up with an algorithm which deterministically computes the discrete logarithm in a semigroup. In this regard we draw an analogy to the problem of determining whether an integer is a prime number, a problem of great importance in cryptography. In practice, the algorithm of Miller and Rabin [12, 17] has been implemented for many years. Still, it was a great result when Agrawal, Kayal and Saxena [2] came up with a deterministic polynomial time algorithm to achieve this goal.

The main contribution of this paper will be a deterministic algorithm for computing the discrete logarithm of an element $y$ in some semigroup $S$ with respect to some torsion base element $x \in S$.

A key step in finding the discrete logarithm in a semigroup is computing the cycle length of an element. Both the above-mentioned papers [13] and [3] provide probabilistic algorithms to address this problem. Once the cycle length value is obtained, the discrete logarithm may easily be computed with a few more simple steps.
While Monico does not provide further elaboration on how this is done, the paper by Banin and Tsaban bridges this knowledge gap by showing how the problem is reduced to a DLP in a group once the cycle length and start values are known.

The paper is structured as follows: After providing preliminaries and basic definitions in Section 2, we analyse in Section 3 the success rates and expected number of steps involved in the probabilistic algorithms for cycle length by Banin and Tsaban (Algorithm 1) and Monico (Algorithm 3). Neither of the original papers explicitly computes these respective quantities, or bounds for them. In fact, the arguments given in both papers for the algorithms' success rates and time complexities are loose and/or conjectural in nature. With regard to Algorithm 1, our analysis suggests that the claim by the authors about the complexity may, in fact, be untrue. For Algorithm 3, we are able to show that the probability of success is very high for practical values of the bound used, as conjectured by the author.

In Section 4, which is the main section of this paper, we provide a deterministic algorithm to calculate the cycle length $L_x$ of a torsion element $x$ of a semigroup and thus to also solve the DLP, without the use of an oracle. This algorithm has complexity $O(\sqrt{N_x} \cdot \log N_x)$, where $N_x$ denotes the order of $x$ (which will be defined in Section 2). For completeness, we will also demonstrate the use of the Pohlig-Hellman algorithm [15] for a semigroup.

2 Preliminaries

A semigroup $S$ is a set together with an associative binary operation. As in group theory, where a torsion group consists of elements of finite order only, we define:

Definition 1 (Torsion Element). Let $S$ be a semigroup. An element $x \in S$ is called a torsion element if the sub-semigroup $\langle x \rangle := \{x^k \mid k \in \mathbb{N}\}$ generated by $x$ is finite. $S$ is called a torsion semigroup if every $x \in S$ is a torsion element.

Throughout the paper the following definitions will be assumed:

Definition 2 (Cycle Start).
Let $x \in S$. The cycle start $s_x$ of $x$ is defined as the smallest positive integer such that $x^{s_x} = x^b$ for some $b \in \mathbb{N}$, $b > s_x$.

Definition 3 (Cycle Length). Let $x \in S$. The cycle length $L_x$ of $x$ is defined as the smallest positive integer such that $x^{s_x + L_x} = x^{s_x}$.

Definition 4 (Element order). Let $x \in S$. With notation as above, we define the order $N_x$ of $x$ as the cardinality of the sub-semigroup $\langle x \rangle$. Note that $N_x = s_x + L_x - 1$.

Definition 5 (Semigroup DLP). Let $S$ be a semigroup and $x \in S$. The semigroup DLP is defined as follows. Given $y \in \langle x \rangle := \{x^k \mid k \in \mathbb{N}\}$, find all $m \in \mathbb{N}$ such that $x^m = y$.

We state below a key result first proved in [3].

Lemma 1 ([3]). Let $S$ be a semigroup and $x \in S$ be an element with cycle start $s_x$. The set of powers $G_x = \{x^{s_x + k} \mid k \geq 0\}$ of $x$ forms a finite cyclic group. The identity element of $G_x$ is given by $x^{tL_x}$, where $t$ is the minimum positive integer such that $x^{tL_x} \in G_x$.

Lemma 2 ([13]). Let $x \in S$ have cycle start $s_x$ and cycle length $L_x$. For all integers $n, m \geq s_x$, we have $x^m = x^n \iff n \equiv m \pmod{L_x}$.

Proof. We can assume without loss of generality that $n \geq m$, and so we can write $n = m + kL_x + u$, with $k \geq 0$ and $0 \leq u < L_x$. First suppose that $n \equiv m \pmod{L_x}$, i.e. $u = 0$. Since $m, n \geq s_x$, we have $x^n = x^{m + kL_x} = x^m$.

Conversely, if $x^n = x^m$, write $n' = n - s_x \geq 0$ and $m' = m - s_x \geq 0$. We have $x^{s_x + m'} = x^{s_x + n'} = x^{s_x + m' + kL_x + u} = x^{s_x + m' + u}$. Now, without loss of generality, $m' \geq s_x$, because if not, one can always increment $m$ and $n$ by multiples of $L_x$ until this happens. So, we can assume that $x^{m'}$ lies in $G_x$ and is thus invertible. We multiply by the inverse on both sides to finally get $x^{s_x} = x^{s_x + u}$. Thus, we must have $u = 0$, or $n \equiv m \pmod{L_x}$, as required.

This concludes the prerequisite knowledge on torsion elements in semigroups. In the next section, we study the existing probabilistic algorithms for cycle lengths, and analyse their assumptions, working and complexities.

3 Analysis of the Probabilistic Algorithms

3.1 The Banin-Tsaban Algorithm

In this section, we study the probabilistic algorithm described in [3] for computing the cycle length of a torsion element in a semigroup. While the authors of the original paper describe their theory only for torsion semigroups, it will become clear that the same discussion holds true for any semigroup when the base element chosen is torsion.

Let $S$ be a semigroup and $x$ be a torsion element of $S$. Let $s_x$ denote the cycle start of $x$ and $L_x$ its cycle length. Then, recall from Lemma 1 that $G_x := \{x^{s_x}, x^{s_x + 1}, \ldots, x^{s_x + L_x - 1}\}$ is a cyclic group, and that it has order $L_x$. The authors of [3] assume the availability of a 'Discrete Logarithm Oracle' for the group $G_x$, which returns values $\log_x h$ for $h \in G_x$. They state that these values need not be smaller than the group order but are polynomial in the size of $G_x$ and the element $x$. The representation of the identity in $G_x$ is unknown, and a method to compute inverses is not available. The authors claim that the well-known algorithms for discrete logarithm computations in groups do not explicitly require inverses, or can easily be modified to work without the use of inverses. While it is true that these algorithms make use mainly of the existence of inverses rather than their explicit computation, we believe that the claim that such an easy modification is possible is not immediate without some justification.
In fact, it will become clear in the later sections that the modified Baby-Step Giant-Step algorithm devised by Monico [13] (and also the deterministic algorithm presented in Section 4) is a crucial and non-trivial part of any such modification.

We make the following observation from the proof of Lemma 1 found in [3]. For any $k \geq 0$, denote by $v_k$ the smallest positive integer such that $v_k L_x \geq s_x + k$. We then have $x^{v_k L_x - s_x - k} \in G_x$ and

$$x^{s_x + k} \cdot x^{v_k L_x - s_x - k} = x^{v_k L_x} = x^{tL_x}, \qquad (1)$$

so the inverse of the element $x^{s_x + k}$ of $G_x$ is given by $x^{v_k L_x - s_x - k}$. In particular, the computation of inverses requires prior knowledge of the cycle start. As will be explained below, the cycle start may be computed only once the value of the cycle length is known, using a binary search. This explains why the authors insist that their Discrete Logarithm Oracle does not need to use the computation of inverses.

Below, we describe Algorithm 1, which is the algorithm suggested in [3] to compute the order of the group $G_x$, i.e. the cycle length $L_x$ of $x$.

Algorithm 1:
Banin-Tsaban Algorithm for Cycle Length
Input: A finite semigroup $S$ with $|S| = N$ and an element $x \in S$.
Output: The cycle length $L_x$ of $x$.
Initialize $i \leftarrow 1$ and $g \leftarrow 0$. Fix a bound $r$.
while $i < r$ do
    (a) Choose a random number $k_i$.
    (b) Compute $k'_i = \log_x(x^{k_i})$ using the oracle.
    (c) Set $g \leftarrow \gcd_{j \leq i}(k_j - k'_j)$.
    […]

[…] So, $N' = N/L_x = O(L_x^{u-1})$. Thus, the quantity $N'$ cannot be treated as a constant in the cycle length $L_x$ unless $u$ is known to be 1. From the lower bound (3), it is also apparent that for $u > 1$, the expected number of calls to the oracle is, in fact, not constant in $L_x$, contrary to the claim of the authors. Note that since $N$ depends on the oracle being used, it is fixed and cannot be modified to instead be systematically increased. Thus, the authors' claim that any DLP oracle that returns exponents polynomial in the cycle length (group size) yields a constant-time cycle length calculator is not true.

Finally, in Algorithm 2, we present the binary search algorithm to find the cycle start once $L_x$ is known. This algorithm has been given in [3], though the idea to use a binary search is also originally mentioned in [13].

Lemma 3.
Let $N_x$ be the order of the element $x$. Then Algorithm 2 requires $O((\log N_x)^2)$ semigroup multiplications.

Proof. Computing $x^{s_x + L_x}$ requires $O(\log N_x)$ semigroup multiplications and the number of loops in the algorithm is of the order $O(\log N_x)$.

Algorithm 2: Calculating Cycle Start (Binary Search)
Input: A semigroup element $x$ with cycle length $L_x$.
Output: Cycle start $s_x$ of $x$.
Initialize $s_x \leftarrow 1$.
while $x^{s_x + L_x} \neq x^{s_x}$ do
    $s_x \leftarrow 2 s_x$
    $a \leftarrow s_x / 2$
end while
while $|a - s_x| \geq 2$ do
    $c \leftarrow \lfloor (a + s_x)/2 \rfloor$
    if $x^{c + L_x} = x^c$ then $s_x \leftarrow c$ else $a \leftarrow c$
end while

3.2 Monico's Algorithm

In his PhD thesis [13], Chris Monico provides a probabilistic algorithm (described below as Algorithm 3) that calculates the cycle length of an element in a finite ring of order $N$. This algorithm makes use of the multiplicative semigroup structure of the finite ring, and of the availability of the explicit bound $N$ for every cycle length, and is in fact applicable to any semigroup where such a bound $N$ is available. In this subsection, we analyse this algorithm, provide a more concrete bound on its success rate, and compute its complexity in terms of $N$. We will discuss this algorithm in terms of torsion semigroups, as opposed to finite rings.

In the original work, Monico states that the bound $B$ of Algorithm 3 can always be chosen so that $B < \sqrt{a_1 m - b_1}$. We remark that this claim is, in fact, wrong. For example, with a cycle length value of 4, and $a_1 m - b_1 = 104$, $a_2 m - b_2 = 52$, we get $g = 52$. If $B < \sqrt{a_1 m - b_1} = \sqrt{104} < 11$, the algorithm would only try divisors $d$ below 11, and would never factor out 13 to obtain the true cycle length.

Further, Monico suggests a modification to the above algorithm, viz. to find several such $a_i$ and $b_i$ and compute all the gcd's. It is clear that this suggestion is exactly the method used in Banin and Tsaban's algorithm as discussed in Section 3.1.

We now analyze the probability of success. The algorithm first looks for a collision of the form $x^{N + a_1 m} = x^{N + b_1}$. The working principle is that in this case, the cycle length $L_x$ divides $a_1 m - b_1$. Similarly, if also $x^{N + a_2 m} = x^{N + b_2}$, then $g = \gcd(a_1 m - b_1, a_2 m - b_2)$ is a multiple of $L_x$.

So far, the process is essentially the same in both Algorithms 1 and 3: while the former uses a discrete logarithm oracle to obtain multiples of the cycle length, the latter directly finds these multiples by finding collisions. However, in Algorithm 3, we do not proceed with computing multiple factors of $L_x$, but work with the fixed multiple $g$ of $L_x$, whereas in Algorithm 1 this multiple shrinks several times.

Algorithm 3 then proceeds by fixing a bound $B$ and iterating over every number $d$ below $B$ to check if $d \mid g$. If yes, it executes the next part, i.e. checks if $x^{N + g/d} = x^N$, and if this holds, it sets $g \leftarrow g/d$.
Algorithm 3: Monico's Baby-Step Giant-Step for Cycle Length
Input: A finite semigroup $S$ with $|S| = N$ and an element $x \in S$.
Output: The cycle length $L_x$ of $x$.
1. Set $m = \lceil \sqrt{N} \rceil$. Choose a prime $q > N$.
2. For $0 \leq i \leq m$, compute and store in a table the pairs $(i, x^{q + im})$. Sort the table by the second component.
3. Find the least positive integer $b_1$ such that $x^{q + b_1}$ is in the table: $x^{q + b_1} = x^{q + a_1 m}$. (Note: $0 < b_1 < m$.)
4. Find the least positive integer $b_2$ such that $x^{2q + b_2}$ is in the table: $x^{2q + b_2} = x^{q + a_2 m}$. (Again, $0 < b_2 < m$.) Compute $g = \gcd(a_1 m - b_1,\ a_2 m - b_2 - q)$.
5. For each divisor $d$ of $g$ below some bound $B$, do the following: if $x^{N + g/d} = x^N$ then set $g \leftarrow g/d$; end if.
6. Output $L_x = g$ and stop.

Note that if the number $g$ can be factored easily, then we do not need this fixed bound $B$, and can instead iterate over every prime factor $d$ of $g$. It is well-known that the number of prime factors of $g$ counted with multiplicity is $O(\log g)$, so step 5 of the algorithm can find $L_x$ in $O(\log N)$ steps. However, in general, factoring $g$ may be difficult, so we assume from here on that the algorithm proceeds by fixing a bound $B$ for the divisors of $g$. Below we analyse the probability of the algorithm succeeding in terms of $B$ and $g$.

Lemma 4.
The probability that Algorithm 3 succeeds is bounded below by $\left(1 - \frac{1}{B}\right)^{\log g}$.

Proof. We write $g = L_x \cdot F$ for some number $F$ and suppose that the algorithm fails. This means that there is a divisor, and hence also a prime power divisor of $F$, which the algorithm fails to factor out. Let $p$ be a prime dividing $F$, let $\alpha_p$ denote its largest power dividing $F$, and let $\beta_p$ be its largest power below the fixed bound $B$. So, we have $p^{\alpha_p} \mid F$, $p^{\alpha_p + 1} \nmid F$, $p^{\beta_p} < B$, $p^{\beta_p + 1} > B$. Since the number of times the algorithm divides $g$ by $p$ is $\sum_{i=1}^{\beta_p} i = \beta_p(\beta_p + 1)/2$, we must have $\beta_p(\beta_p + 1)/2 < \alpha_p$ if the algorithm fails. So, the algorithm succeeds as long as $\beta_p(\beta_p + 1)/2 \geq \alpha_p$ for every prime divisor $p$ of $F$. Thus, the probability of success for the algorithm can be bounded below by

$$\prod_{p \mid g} \mathrm{Prob}\left(\frac{\beta_p(\beta_p + 1)}{2} \geq \alpha_p\right).$$

Since $B$ is fixed, so is $\beta_p$. Write $v_p = \beta_p(\beta_p + 1)/2$ for simplicity. We may assume that $g$ is a random multiple of $L_x$ below the bound $B$, so $F$ is a random number in $\{1, \ldots, B/L_x\}$. We have

$$\mathrm{Prob}(\alpha_p \leq v_p) = 1 - \mathrm{Prob}\left(p^{v_p + 1} \mid F\right) = 1 - \frac{(B/L_x)/p^{v_p + 1}}{B/L_x} = 1 - \frac{1}{p^{v_p + 1}} = 1 - p^{-\left(\frac{\beta_p(\beta_p + 1)}{2} + 1\right)}.$$

Hence, a lower bound for the probability of the algorithm's success is

$$\prod_{p \mid F} \left(1 - p^{-\left(\frac{\beta_p(\beta_p + 1)}{2} + 1\right)}\right).$$

Now, we have

$$p^{\beta_p + 1} > B \iff p^{-(\beta_p + 1)} < \frac{1}{B} \implies 1 - p^{-\left(\frac{\beta_p(\beta_p + 1)}{2} + 1\right)} \geq 1 - p^{-(\beta_p + 1)} > 1 - \frac{1}{B}.$$
We further make the following observation. Let $\omega(n)$ denote the number of distinct prime divisors of the integer $n$ (note, however, that the same statement also holds if counted with multiplicity). Then clearly $2^{\omega(n)} \leq n$, and so, taking logarithms, $\omega(n) \leq \log n$. Collecting all the above results, we conclude that the probability of success $\mathrm{Prob(success)}$ of Algorithm 3 is bounded below as follows.

$$\mathrm{Prob(success)} \geq \prod_{p \mid F} \left(1 - \frac{1}{B}\right) = \left(1 - \frac{1}{B}\right)^{\omega(F)} \geq \left(1 - \frac{1}{B}\right)^{\log F} \geq \left(1 - \frac{1}{B}\right)^{\log g}.$$

Note that this bound shows that Algorithm 3 is indeed successful with overwhelming probability, as conjectured by the author. For example, with $B = 10^{[\ldots]}$, even when $g$ is extremely large, say $g = 2^{[\ldots]}$, the probability of success is greater than 99.6 percent, by the bound derived in Lemma 4.

Finally, note that the complexity is dependent entirely on step (2), as step (5) has constant complexity, and the time for steps (3) and (4) is negligible. Therefore, the algorithm requires $O(\sqrt{N})$ exponentiation operations, where $N$ is the size of the semigroup (or the available bound on the cycle length). The algorithm can also be modified to update the value of $N$ step-by-step until a large enough value is found. This is precisely the technique we use in our deterministic algorithm, Algorithm 4.1, and would make the complexity of Algorithm 3 identical to that of ours.

4 A Deterministic Algorithm

The solution of the DLP in a semigroup involves two parts: the calculation of the cycle length and start of the base element $x$, and the use of these values to find the discrete log.

4.1 Computing the Cycle Length

We now present our deterministic algorithm for the computation of the cycle length. It works by finding a suitable collision, and also guarantees finding the actual cycle length rather than just a multiple of it, in a fixed number of steps.
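Algorithm 4 as listed next, followed by the cycle-start search of Algorithm 2, implemented in Python as an added example (not the authors' code from their repository); the semigroup enters as an associative product `mul` on hashable elements, with $(\mathbb{Z}/n\mathbb{Z}, \cdot)$ as a constructed sample. One caveat the listing does not cover: when the baby steps begin before the cycle ($N < s_x$), a giant-step collision yields only a multiple of $L_x$ (for the constructed case $x = 2$ in $\mathbb{Z}/(2^{19} \cdot 7)\mathbb{Z}$, where $s_x = 19$ and $L_x = 3$, the first collision at $N = 16$ gives $iq - j = 9$), so the code finishes by taking the least divisor $d$ of that multiple with $x^{N+j+d} = x^{N+j}$.

```python
from math import isqrt


def semigroup_power(mul, x, e):
    """x^e (e >= 1) by repeated squaring, using only the associative product `mul`."""
    result, base = None, x
    while e:
        if e & 1:
            result = base if result is None else mul(result, base)
        e >>= 1
        if e:
            base = mul(base, base)
    return result


def smallest_period(mul, x, z, g):
    """z lies on the cycle of x and L_x divides g: the least divisor d of g with z * x^d == z is L_x."""
    divisors = set()
    for d in range(1, isqrt(g) + 1):
        if g % d == 0:
            divisors.update((d, g // d))
    for d in sorted(divisors):
        if mul(z, semigroup_power(mul, x, d)) == z:
            return d


def cycle_length(mul, x):
    """Algorithm 4: deterministic cycle length L_x of the torsion element x."""
    N = 1                                     # step 1
    while True:
        q = isqrt(N - 1) + 1                  # step 2: q = ceil(sqrt(N))
        # steps 3-4: baby steps x^N, ..., x^{N+q-1}; a repeat among them is the first
        # recurrence of the power sequence, so the gap between the two copies is exactly L_x
        table = {}
        cur = semigroup_power(mul, x, N)
        for j in range(q):
            if j:
                cur = mul(cur, x)
            if cur in table:
                return j - table[cur]
            table[cur] = j                    # pair (N + j, x^{N+j}), keyed by the element
        # steps 5-6: giant steps x^{N+iq}, i = 1..q, looked up in the baby-step table
        xq = semigroup_power(mul, x, q)
        giant = mul(cur, x)                   # x^{N+q}
        for i in range(1, q + 1):
            if giant in table:
                g = i * q - table[giant]      # a positive multiple of L_x by Lemma 2; it equals
                return smallest_period(mul, x, giant, g)  # L_x once N > max(s_x, L_x)
            giant = mul(giant, xq)
        N *= 2                                # step 7


def cycle_start(mul, x, L):
    """Algorithm 2: binary search for the cycle start s_x once L = L_x is known."""
    def on_cycle(e):                          # x^{e+L} == x^e holds exactly when e >= s_x
        return semigroup_power(mul, x, e + L) == semigroup_power(mul, x, e)
    hi = 1
    while not on_cycle(hi):                   # double until an exponent on the cycle is found
        hi *= 2
    lo = hi // 2                              # lo is before the cycle (or 0 when hi == 1)
    while hi - lo > 1:                        # invariant: lo < s_x <= hi
        mid = (lo + hi) // 2
        if on_cycle(mid):
            hi = mid
        else:
            lo = mid
    return hi


def mod_mul(n):
    """Constructed sample semigroup: multiplication in Z/nZ."""
    return lambda a, b: (a * b) % n


if __name__ == "__main__":
    # x = 2 in Z/20Z has powers 2, 4, 8, 16, 12, 4, ...: cycle start 2, cycle length 4
    mul = mod_mul(20)
    L = cycle_length(mul, 2)
    print("L_x =", L, "s_x =", cycle_start(mul, 2, L))
```

Any associative `mul` on hashable elements works in place of `mod_mul`, for instance matrix multiplication over a finite field with matrices stored as tuples.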
Algorithm 4: Deterministic Algorithm for Cycle Length
Input: A semigroup $S$ and a torsion element $x \in S$. Assume $N_x$ is the order of $x$.
Output: Cycle length $L_x$ of $x$.
1. Initialize $N \leftarrow 1$.
2. Set $q \leftarrow \lceil \sqrt{N} \rceil$.
3. Compute, one by one, $x^N, x^{N+1}, \ldots, x^{N+q}$ and check for the equality $x^N = x^{N+j}$ at each step $j \geq 1$. Store these values in a table as pairs $(N + j, x^{N+j})$, $0 \leq j < q$.
4. If $x^N = x^{N+j}$ for any $j < q$, then set $L_x \leftarrow j$ and end the process. If no match is found, sort the table by the second components and go to the next step.
5. For $0 \leq i \leq q$, compute, one by one, the values $x^{N+q}, x^{N+2q}, \ldots, x^{N+iq}$ and at each step $i$, look for a match in the table of values calculated in step 3.
6. Suppose that a match $x^{N+iq} = x^{N+j}$ is found, and $i$ is the smallest integer such that this happens. Set $L_x \leftarrow iq - j$ and end the process.
7. If no match is found in steps 3 or 5, set $N \leftarrow 2 \cdot N$ and go back to step 2.

Theorem 1.
Let $S$ be a semigroup and $x \in S$ a torsion element. Algorithm 4.1 returns the correct value of the cycle length $L_x$ with $O(\sqrt{N_x} \cdot \log N_x)$ semigroup multiplications. The total space complexity is $O(\sqrt{N_x})$ semigroup elements.

Proof. We first assume $N > \max(L_x, s_x)$ and show that steps 1 to 5 succeed in finding $L_x$. We have $q = \lceil \sqrt{N} \rceil$. If $L_x < q$, then the equality $x^N = x^{N + L_x}$ is found in the first step and the statement of the theorem follows. Else if $L_x \geq q$, we can write uniquely $L_x = iq - j$ for some integers $i > 0$, $0 \leq j < q$. Now, we must have $i \leq q$, because otherwise, if $i \geq q + 1$, we would have $L_x \geq (q + 1)q - j > q^2 + q - q = q^2 \geq N$, a contradiction. We have

$$L_x = iq - j,\ 0 < i \leq q,\ 0 \leq j < q \implies N + j + L_x = N + iq \implies x^{N+j} = x^{N+j+L_x} = x^{N+iq},$$

where the last step follows because $N > s_x$ by assumption. So, such a collision always occurs between elements of the two lists in the algorithm.

We now claim that for the smallest such integer $i$ computed in step (5) of Algorithm 4.1, $L_x = iq - j$. To see this, let $i$ be the smallest positive integer such that $x^{N+j} = x^{N+iq}$. Also let $L_x = i'q - j'$, $0 < i' \leq q$, $0 \leq j' < q$. We have already shown above that such integers $i'$ and $j'$ exist for our choice of $N$. By the definition of $L_x$, we must have $L_x \mid iq - j$. Now suppose that $i' > i$. Then $i'q - j' \geq (i + 1)q - j' = iq + (q - j') > iq \geq iq - j$. But $L_x = i'q - j' \mid iq - j$, so we must have $iq - j = i'q - j'$. Since $i' > i$, this means that $q \leq (i' - i)q = (j' - j) < j'$, which is a contradiction because $0 \leq j' < q$. So, we must have $i' = i$, $j' = j$. This proves the claim.

We have shown above that the algorithm finds the correct cycle length when $N > \max(s_x, L_x)$. Since the algorithm doubles the value of $N$ until a match is found, it always terminates and outputs the correct cycle length. We now look at the time complexity. Since efficient algorithms exist for finding matches (for instance, with hashing), we may safely ignore their contribution to the complexity. Now note that both steps 3 and 6 involve at most $q = O(\sqrt{N})$ multiplications. Thus, clearly, for a fixed value of $N$, steps 1 to 5 in Algorithm 4.1 require $O(\sqrt{N})$ multiplications in the semigroup $S$. Moreover, the algorithm starts at $N = 1$ and doubles $N$ until the cycle length is found, i.e. until $N > \max(s_x, L_x)$. Thus, the number of times steps 1 to 7 are performed is

$$\lceil \log_2 (\max(L_x, s_x)) \rceil = O(\max(\log L_x, \log s_x)) = O(\log N_x).$$

Thus, the total number of steps is $O(\sqrt{N_x} \cdot \log N_x)$. Clearly, step (3) involves the storage of $q = \lceil \sqrt{N} \rceil = O(\sqrt{\max(s_x, L_x)}) = O(\sqrt{N_x})$ elements, so this value gives the total space complexity. This completes the proof.

We used Algorithm 4.1 to compute cycle length values in several common semigroups, such as matrix semigroups over finite fields, matrix semigroups over the finite simple semiring $S$ (see [19] for a construction and [10] for the addition and multiplication tables), and the symmetric and alternating groups (where the cycle length is precisely the order of the element). We further used the obtained cycle lengths to compute the cycle start values using Algorithm 2. The working code may be found at https://github.com/simran-tinani/semigroup-cycle-length.

4.2 Solving the DLP once the Cycle Length is Known

In this section, we demonstrate the solution of the DLP for a torsion element $x$ in the semigroup $S$ once the cycle length is known. As before, let $N_x$ be the order of the sub-semigroup $\langle x \rangle$, let $L_x$ be the cycle length of the torsion element $x$ (which we assume is already computed) and let $y \in \langle x \rangle$ be an element.

In [3], the authors demonstrate the next steps in solving for $\log_x(y)$, via a reduction to a DLP in the group $G_x$, once $L_x$ and $s_x$ are known. The procedure is described in Algorithm 5 below, which has been adapted from the original formulation in [3].

The authors of [3] do not provide a justification of why the key step in their algorithm, which appears as step (5) in Algorithm 5, works. In Theorem 2 we will prove the correctness of this step, or in other words, that the value returned is indeed the desired discrete logarithm value. Before this, we will need the following technical result.

Lemma 5.
Let $L_x$ be the cycle length of $x \in S$, and let $n$, $a$, and $a'$ be fixed positive integers. Suppose that $x^{bL_x + n} = x^a \in G_x$, where $b$ is the minimum number such that $x^{bL_x + n} \in G_x$, and $x^{n - cL_x} = x^{a'} \in G_x$, where $c$ is the maximum number such that $x^{n - cL_x} \in G_x$. Then $bL_x + n \leq a$, and $n - cL_x \leq a'$.

Algorithm 5: Algorithm for Discrete Logarithm
Input: A semigroup $S$, a torsion element $x \in S$ with cycle length $L_x$ and cycle start $s_x$, and $y \in S$ with $y = x^m$.
Output: The discrete logarithm $m$ of $y$ with base $x$.
1. Compute $t = \lceil s_x / L_x \rceil$ and define $x' = x^{tL_x + 1} \in G_x$.
2. Find the minimum number $0 \leq b \leq t$ such that $y' = y \cdot x^{bL_x} \in G_x$ using binary search.
3. Use Shanks' Baby-Step Giant-Step algorithm for the group $\langle x' \rangle \subseteq G_x$ to compute $m' \in \{0, 1, \ldots, L_x - 1\}$ such that $(x')^{m'} = y'$.
4. Find the maximum number $c \geq 0$ such that $x^{(tL_x + 1)m' - cL_x} \in G_x$ using binary search.
5. Return $m = m'(tL_x + 1) - (b + c)L_x$.

Proof.
First let $x^{bL_x + n} = x^a$ with $b$ minimal such that $x^{bL_x + n} \in G_x$. Suppose, to the contrary, that $bL_x + n > a$. We must have, by the minimality of $b$, $x^{(b-1)L_x + n} \notin G_x$, so $(b - 1)L_x + n < a$. But

$$x^{bL_x + n} = x^a \in G_x \implies bL_x + n - a = kL_x,\ k \geq 1 \implies (b - k)L_x + n = a \implies x^{(b-k)L_x + n} = x^a \in G_x,\ k \geq 1.$$

This is a contradiction to the minimality of $b$. So, $bL_x + n \leq a$. Now suppose that $x^{n - cL_x} = x^{a'} \in G_x$, with $c$ maximal, and suppose that $n - cL_x > a'$. We argue as above:

$$L_x \mid n - cL_x - a' \implies n - (k + c)L_x = a' \text{ for some } k \geq 1 \implies x^{n - (k+c)L_x} = x^{a'} \in G_x,$$

which is a contradiction to the maximality of $c$. Thus $n - cL_x \leq a'$.

Theorem 2.
Let $S$ be a semigroup, $x \in S$ a torsion element and $y \in \langle x \rangle$ any element. Assume the cycle length $L_x$ and cycle start $s_x$ of $x$ are known. Then Algorithm 5 returns the correct value of the discrete logarithm $m = \log_x(y)$ in $O(\sqrt{L_x} + (\log N_x)^2)$ semigroup multiplications, with a required storage of $O(\sqrt{L_x})$ semigroup elements.

Proof. We use the notation of Algorithm 5, and also write $n = \log_x y$. We will show that the output $m$ is equal to the correct discrete logarithm value $n$. Recall that we have a group $G_x$, generated by $x' := x^{tL_x + 1}$, and with identity $x^{tL_x}$. The parameter $t$ is given by the formula $t = \lceil s_x / L_x \rceil$. Inverses in $G_x$ can be computed in polynomial time using the formula (1). There are now two cases:

1. When $y \in G_x$, we have $b = 0$. Here, it is possible to use Shanks' Baby Step-Giant Step algorithm [18], which is a deterministic algorithm and which requires $O(\sqrt{L_x})$ semigroup multiplications and storage space $O(\sqrt{L_x})$, in order to compute $\log_{x'}(y)$. This is done in step (3). From this value, $n = \log_x(y)$ is readily computed, as shown below. Note that in this case, $\log_x(y)$ is determined modulo $L_x$.

2. When $y \notin G_x$, Algorithm 5 first computes, using binary search, the smallest power $b$ of $x^{L_x}$ such that the product $y \cdot x^{bL_x}$ lies in the group $G_x$, and then proceeds as in case 1 via the Baby Step-Giant Step algorithm to find the discrete logarithm $m'$ of $y \cdot x^{bL_x}$ with base $x'$ (i.e. $(x')^{m'} = y \cdot x^{bL_x}$). Note that in this case, the value of $\log_x(y)$ is less than $s_x$, and is thus determined uniquely in $\mathbb{N}$. Again, the time and space complexity are both $O(\sqrt{L_x})$.

In both cases above, we have the maximal value $c$ such that $x^{m'(tL_x + 1) - cL_x} \in G_x$, and so $c \leq L_x + s_x + 1 = N_x + 1$, since $m' \leq L_x$ and $tL_x \leq L_x + s_x$. We also clearly have $b \leq t \leq N_x$. Since the computations of both $b$ and $c$ are done via binary searches, they contribute $O((\log N_x)^2)$ steps to the overall time complexity. Now,

$$x^{m'(tL_x + 1) - cL_x} = x^{m'(tL_x + 1)} = (x')^{m'} = x^{bL_x + n}.$$

Applying Lemma 5 to the above equation, we must have $m'(tL_x + 1) - cL_x \leq bL_x + n$ and $bL_x + n \leq m'(tL_x + 1) - cL_x$. Therefore, $bL_x + n = m'(tL_x + 1) - cL_x$, or $n = m'(tL_x + 1) - (b + c)L_x$, which is precisely equal to $m$, the value returned by Algorithm 5. Thus, $m = n$. This completes the proof.

Combining Theorem 1, Lemma 3 and Theorem 2 we arrive at the main proposition of the paper:

Proposition 1.
Let $S$ be a semigroup, $x \in S$ a torsion element and $y \in \langle x \rangle$ any element. The discrete logarithm $m = \log_x(y)$ can be computed deterministically in $O(\sqrt{N_x} \cdot \log N_x)$ semigroup multiplications, with a required storage of $O(\sqrt{N_x})$ semigroup elements.

Proof. For the solution, one begins by finding $L_x$. This can be done using Algorithm 4.1 and according to Theorem 1 this requires $O(\sqrt{N_x} \cdot \log N_x)$ semigroup multiplications. By Lemma 3 the computation of the cycle start $s_x$ is achieved in $O((\log N_x)^2)$ semigroup operations, which does not contribute to the overall cost of the algorithm. By Theorem 2, the discrete logarithm $m$ can then be retrieved using Algorithm 5, in $O((\log N_x)^2 + \sqrt{L_x})$ semigroup multiplications, with a required storage of $O(\sqrt{L_x})$ semigroup elements. As $L_x \leq N_x$, the overall complexity is dominated by the computation of the cycle length, and the proof of the result is now clear.

4.3 Solving the DLP once the Factorization of the Cycle Length is known

We mentioned in the introduction that for a general group of order $N$ the best known general algorithms for solving the discrete logarithm problem have complexity $O(\sqrt{N})$. In case the order $N$ has a prime factorization into small primes, there is the famous Pohlig-Hellman algorithm [15] for solving the DLP, whose complexity is dominated by the largest prime factor in the integer factorization of $N$. In case we have available the integer factorization of the cycle length $L_x$, we can adapt the Pohlig-Hellman algorithm for groups to a Pohlig-Hellman algorithm for solving the DLP in a semigroup. Algorithm 6 represents this adapted Pohlig-Hellman algorithm.
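Algorithm 5 (the reduction to $G_x$ proved correct in Theorem 2) worked in Python as an added example, not the authors' code, placed here before the Pohlig-Hellman variant: membership in $G_x$ is tested with its identity $x^{tL_x}$ from Lemma 1 (for $z \in \langle x \rangle$, $z \in G_x$ exactly when $z \cdot x^{tL_x} = z$), the giant steps use the inverse formula (1), and $m'$ is taken in $\{1, \ldots, L_x\}$ rather than $\{0, \ldots, L_x - 1\}$ so that the returned $m$ stays positive when $y'$ is the identity. $L_x$ and $s_x$ are assumed known (as in the listing), and the sample semigroup $(\mathbb{Z}/n\mathbb{Z}, \cdot)$ is constructed.

```python
from math import isqrt


def semigroup_power(mul, x, e):
    """x^e (e >= 1) by repeated squaring, using only the associative product `mul`."""
    result, base = None, x
    while e:
        if e & 1:
            result = base if result is None else mul(result, base)
        e >>= 1
        if e:
            base = mul(base, base)
    return result


def inverse_exponent(a, L, s):
    """Formula (1): for x^a in G_x (a >= s) the inverse is x^{vL - a}, where v is the least
    positive integer with vL - a >= s, so that the inverse again lies in G_x."""
    v = -(-(a + s) // L)                      # ceil((a + s) / L)
    return v * L - a


def bsgs_in_Gx(mul, x, L, s, target):
    """Shanks' Baby-Step Giant-Step in G_x = <x'>, x' = x^{tL+1}, a cyclic group of order L.
    Returns k in {1, ..., L} with (x')^k == target (k = L, not 0, for the identity)."""
    pw = lambda e: semigroup_power(mul, x, e)
    t = -(-s // L)
    e, xp = pw(t * L), pw(t * L + 1)          # identity of G_x and the generator x'
    m = isqrt(L - 1) + 1                      # ceil(sqrt(L))
    baby, cur = {e: 0}, e                     # baby steps (x')^j for j = 0..m-1
    for j in range(1, m):
        cur = mul(cur, xp)
        baby.setdefault(cur, j)
    giant = pw(inverse_exponent(m * (t * L + 1), L, s))   # (x')^{-m} via formula (1)
    gamma = target
    for i in range(m):                        # giant steps: target * (x')^{-im}
        if gamma in baby:
            return (i * m + baby[gamma] - 1) % L + 1
        gamma = mul(gamma, giant)
    raise ValueError("target is not in G_x")


def solve_dlp(mul, x, L, s, y):
    """Algorithm 5: given cycle length L and cycle start s of x, return m >= 1 with x^m == y.
    For y in G_x the result is the least solution >= s; all others are m + k*L (Lemma 2)."""
    pw = lambda e: semigroup_power(mul, x, e)
    t = -(-s // L)                            # step 1: t = ceil(s / L), x' = x^{tL+1}
    e = pw(t * L)                             # identity of G_x
    in_Gx = lambda z: mul(z, e) == z          # z in <x> lies in G_x iff the identity fixes it
    # step 2: least b in [0, t] with y * x^{bL} in G_x (the predicate is monotone in b)
    shifted = lambda b: y if b == 0 else mul(y, pw(b * L))
    lo, hi = 0, t
    while lo < hi:
        mid = (lo + hi) // 2
        if in_Gx(shifted(mid)):
            hi = mid
        else:
            lo = mid + 1
    b, yp = lo, shifted(lo)
    mp = bsgs_in_Gx(mul, x, L, s, yp)        # step 3: (x')^{m'} == y'
    # step 4: greatest c >= 0 with x^{(tL+1)m' - cL} in G_x (the exponent must stay >= 1)
    A = (t * L + 1) * mp
    ok = lambda c: A - c * L >= 1 and in_Gx(pw(A - c * L))
    lo, hi = 0, (A - 1) // L + 1              # ok(lo) holds; at hi the exponent is < 1
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if ok(mid):
            lo = mid
        else:
            hi = mid
    c = lo
    return mp * (t * L + 1) - (b + c) * L    # step 5


def mod_mul(n):
    """Constructed sample semigroup: multiplication in Z/nZ."""
    return lambda a, b: (a * b) % n


if __name__ == "__main__":
    # x = 2 in Z/20Z: powers 2, 4, 8, 16, 12, 4, ... so s_x = 2 and L_x = 4
    mul = mod_mul(20)
    for m in range(1, 9):
        y = semigroup_power(mul, 2, m)
        print(m, y, solve_dlp(mul, 2, 4, 2, y))
```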
Algorithm 6: Pohlig-Hellman Algorithm for solving the Discrete Logarithm Problem in a Semigroup
Input: A semigroup $S$, a torsion element $x \in S$ with cycle length $L_x = \prod_{i=1}^r p_i^{e_i}$ and cycle start $s_x$, and $y \in S$ with $y = x^m$.
Output: The discrete logarithm $m$ of $y$ with base $x$.
1. Compute $t = \lceil s_x / L_x \rceil$ and define $x' = x^{tL_x + 1} \in G_x$.
2. Find the minimum number $0 \leq b \leq t$ such that $y' = y \cdot x^{bL_x} \in G_x$ using binary search.
3. for $i \in \{1, \ldots, r\}$ do
    1. Compute the values $x'_i = (x')^{L_x / p_i^{e_i}}$, $y'_i = (y')^{L_x / p_i^{e_i}}$, and $\gamma_i := (x'_i)^{p_i^{e_i - 1}}$.
    2. Calculate the inverse $z_i$ of $x'_i$ in $G_x$ using (1).
    3. Set $k \leftarrow 0$, $n_0 \leftarrow 0$.
    4. while $k < e_i$ do
        (a) Compute $y'_k = (y'_i z_i^{n_k})^{p_i^{e_i - 1 - k}} \in \langle \gamma_i \rangle$.
        (b) Use Shanks' Baby-Step Giant-Step algorithm for the group $\langle \gamma_i \rangle \subseteq G_x$ to compute $d_k \in \{0, 1, \ldots, p_i - 1\}$ such that $\gamma_i^{d_k} = y'_k$.
        (c) Set $n_{k+1} \leftarrow n_k + p_i^k d_k$, and $k \leftarrow k + 1$.
    5. end while
    6. Set $m_i := n_{e_i}$.
    end for
4. Use the Chinese Remainder Theorem to solve the congruence equations $m' \equiv m_i \pmod{p_i^{e_i}}$ for all $i \in \{1, \ldots, r\}$ uniquely for $m' \bmod L_x$. This gives the discrete logarithm of $y'$ with respect to the base $x'$ in the group $G_x$.
5. Find the maximum number $c \geq 0$ such that $x^{(tL_x + 1)m' - cL_x} \in G_x$ using binary search.
6. Return $m = m'(tL_x + 1) - (b + c)L_x$.

Theorem 3.
Let $S$ be a semigroup, $x \in S$ a torsion element and $y \in \langle x \rangle$ any element. Assume the cycle start $s_x$ of $x$ is known and assume the integer factorization of the cycle length $L_x$ is known to be $L_x = \prod_{i=1}^{r} p_i^{e_i}$. Then Algorithm 6 computes the discrete logarithm $\log_x y$ requiring $O\bigl(\sum_{i=1}^{r} e_i (\log L_x + \sqrt{p_i}) + (\log N_x)^{}\bigr)$ semigroup multiplications. The space complexity of the algorithm consists in $O\bigl(\sum_{i=1}^{r} e_i \sqrt{p_i}\bigr)$ semigroup elements.

Proof. Steps 1 and 2 are in analogy to the corresponding steps of Algorithm 5. Steps 3 to 5 represent the Pohlig-Hellman algorithm for groups, with the implied complexity dominated by the largest prime factor $p_i$ of the integer factorization of $L_x$ (for a reference on Pohlig-Hellman in groups, see [8, Theorem 2.32]). It follows that the running time of the algorithm is $O\bigl(\sum_{i=1}^{r} e_i (\log L_x + \sqrt{p_i})\bigr)$ semigroup multiplications. The computation of $b$ and $c$ requires in addition $(\log N_x)^{}$ semigroup multiplications. The total space complexity is $O\bigl(\sum_{i=1}^{r} e_i \sqrt{p_i}\bigr)$ semigroup elements, and that completes the proof.

References

[1] L. M. Adleman and J. DeMarrais. A subexponential algorithm for discrete logarithms over all finite fields. Math. Comp., 61(203):1–15, 1993.
[2] M. Agrawal, N. Kayal, and N. Saxena. PRIMES is in P. Ann. of Math. (2), 160(2):781–793, 2004.
[3] M. Banin and B. Tsaban. A reduction of semigroup DLP to classic DLP. Des. Codes Cryptography, 81(1):75–82, October 2016.
[4] A. M. Childs and G. Ivanyos. Quantum computation of discrete logarithms in semigroups. Journal of Mathematical Cryptology, 8(4):405–416, 2014.
[5] H. Cohen, G. Frey, R. Avanzi, C. Doche, T. Lange, K. Nguyen, and F. Vercauteren, editors. Handbook of Elliptic and Hyperelliptic Curve Cryptography. Discrete Mathematics and its Applications (Boca Raton). Chapman & Hall/CRC, Boca Raton, FL, 2006.
[6] W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Trans. Inform. Theory, IT-22(6):644–654, 1976.
[7] N. Goel, I. Gupta, and B. K. Dass. Survey on SAP and its application in public-key cryptography. J. Math. Cryptol., 14(1):144–152, 2020.
[8] J. Hoffstein, J. Pipher, and J. H. Silverman. An Introduction to Mathematical Cryptography. Springer, 2008.
[9] D. Kahrobaei, C. Koupparis, and V. Shpilrain. Public key exchange using matrices over group rings. Groups Complex. Cryptol., 5(1):97–115, 2013.
[10] G. Maze, C. Monico, and J. Rosenthal. Public key cryptography based on semigroup actions. Adv. in Math. of Communications, 1(4):489–507, 2007.
[11] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press Series on Discrete Mathematics and its Applications. CRC Press, Boca Raton, FL, 1997.
[12] G. L. Miller. Riemann's hypothesis and tests for primality. J. Comput. System Sci., 13(3):300–317, 1976.
[13] C. Monico. Semirings and Semigroup Actions in Public-Key Cryptography. PhD thesis, University of Notre Dame, Notre Dame, 2002.
[14] J. E. Nymann. On the probability that k positive integers are relatively prime. Journal of Number Theory, 4(5):469–473, 1972.
[15] S. Pohlig and M. Hellman. An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Transactions on Information Theory, 24(1):106–110, 1978.
[16] J. M. Pollard. Monte Carlo methods for index computation. Mathematics of Computation, 32(143):918–924, 1978.
[17] M. O. Rabin. Probabilistic algorithm for testing primality. J. Number Theory, 12(1):128–138, 1980.
[18] D. Shanks. Class number, a theory of factorization, and genera. In Proc. of Symp. Math. Soc., 1971, volume 20, pages 415–440, 1971.
[19] J. Zumbrägel. Classification of finite congruence-simple semirings with zero.
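The following Python program is an added worked example of Algorithm 6 and the complexity picture of Theorem 3; it is not code from the paper. It runs the semigroup Pohlig-Hellman algorithm on a constructed platform, the multiplicative semigroup of integers modulo $3808 = 2^5 \cdot 7 \cdot 17$ with base $x = 2$, whose powers have a tail $2, 4, 8, 16$ (so $s_x = 5$) followed by a cycle of length $L_x = 24 = 2^3 \cdot 3$. Three things are the example's own assumptions rather than the paper's: the cycle start and cycle length are found by a plain walk through the powers of $x$ (standing in for Algorithm 4.1 and Lemma 3, which this page does not show); the inverse of $g \in G_x$ is taken as $g^{L_x - 1}$, since $g^{L_x}$ equals the identity $x^{tL_x}$ of $G_x$ (the paper's formula (1) is not on this page); and membership in $G_x$ is tested as $g \cdot x^{tL_x} = g$, which is what makes the two binary searches for $b$ and $c$ monotone. All function names (`semigroup_dlog`, `bsgs`, `first_true`, ...) and the sample modulus are constructed for this example.

```python
"""Added example: Algorithm 6 (Pohlig-Hellman in a semigroup) on a constructed semigroup.
Only the semigroup law `mul` is used: no identity and no inverses are assumed.  s_x and L_x
come from a plain O(N_x) walk (stand-in for Algorithm 4.1 / Lemma 3); inverse in G_x is
g^(L_x-1), an assumption of this example, since g^L_x is the identity of G_x."""
from math import isqrt


def power(mul, x, k):
    """x^k for k >= 1 by square-and-multiply (no identity element needed)."""
    assert k >= 1
    result, base = None, x
    while k:
        if k & 1:
            result = base if result is None else mul(result, base)
        base, k = mul(base, base), k >> 1
    return result


def cycle_structure(mul, x):
    """(s_x, L_x): x^s_x is the first power lying on the cycle, L_x its length."""
    seen, cur, k = {}, x, 1
    while cur not in seen:
        seen[cur] = k
        cur, k = mul(cur, x), k + 1
    return seen[cur], k - seen[cur]


def factorize(n):
    """Prime factorization {p: e} by trial division (L_x is small here)."""
    factors, p = {}, 2
    while n > 1:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    return factors


def first_true(pred, lo, hi):
    """Binary search: smallest i in [lo, hi] with pred(i); pred monotone, pred(hi) True."""
    while lo < hi:
        mid = (lo + hi) // 2
        lo, hi = (lo, mid) if pred(mid) else (mid + 1, hi)
    return lo


def bsgs(mul, e, inv, gamma, target, p):
    """Shanks' baby-step giant-step in the cyclic group <gamma> of prime order p."""
    m = isqrt(p) + 1
    baby, g = {}, e
    for j in range(m):                       # baby steps gamma^0 .. gamma^(m-1)
        baby.setdefault(g, j)
        g = mul(g, gamma)
    step, cur = inv(g), target               # g == gamma^m; walk target backwards
    for i in range(m + 1):
        if cur in baby:
            return (i * m + baby[cur]) % p
        cur = mul(cur, step)
    raise ValueError("target is not in <gamma>")


def semigroup_dlog(mul, x, y):
    """Smallest m >= 1 with x^m == y; if m >= s_x every m + j*L_x also works."""
    s_x, L_x = cycle_structure(mul, x)
    t = -(-s_x // L_x)                                   # ceil(s_x / L_x)
    e = power(mul, x, t * L_x)                           # identity of the cycle group G_x
    in_Gx = lambda g: mul(g, e) == g                     # tail powers are never fixed by e
    inv = lambda g: e if L_x == 1 else power(mul, g, L_x - 1)      # g^L_x == e in G_x
    xL = power(mul, x, L_x)
    shift = lambda g, j: g if j == 0 else mul(g, power(mul, xL, j))  # g * x^(j L_x)
    b = first_true(lambda j: in_Gx(shift(y, j)), 0, t)  # minimal b with y' in G_x
    xp, yp = power(mul, x, t * L_x + 1), shift(y, b)     # x' and y'
    residues = []                                        # Pohlig-Hellman for log_x' y' in G_x
    for p, ei in factorize(L_x).items():
        q = p ** ei
        xi, yi = power(mul, xp, L_x // q), power(mul, yp, L_x // q)    # orders divide q
        gamma, zi, n = power(mul, xi, p ** (ei - 1)), inv(xi), 0        # gamma has order p
        for k in range(ei):                              # base-p digit d_k of m' mod q
            h = yi if n == 0 else mul(yi, power(mul, zi, n))           # xi^(m' - n_k)
            h = power(mul, h, p ** (ei - 1 - k))                        # == gamma^d_k
            n += bsgs(mul, e, inv, gamma, h, p) * p ** k
        residues.append((n, q))
    mp, mod = 0, 1                                       # Chinese Remainder Theorem
    for n, q in residues:
        mp += mod * (((n - mp) * pow(mod, -1, q)) % q)
        mod *= q
    mp = mp or L_x                                       # exponent 0 is not a semigroup power
    E = (t * L_x + 1) * mp                               # x^E == y' inside G_x
    hi = (E - 1) // L_x                                  # keep exponents >= 1
    c = first_true(lambda j: j > hi or not in_Gx(power(mul, x, E - j * L_x)), 0, hi + 1) - 1
    m = E - (b + c) * L_x
    if m < 1 or power(mul, x, m) != y:
        raise ValueError("y is not a power of x")
    return m


# Constructed sample: (Z_3808, *) with x = 2.  3808 = 2^5 * 7 * 17, so the
# powers of 2 have tail 2, 4, 8, 16 (s_x = 5) and cycle length 24 = 2^3 * 3.
N = 3808
mul_mod = lambda a, b: (a * b) % N
```

Calling `semigroup_dlog(mul_mod, 2, pow(2, 40, N))` returns 16, the smallest exponent giving that element (40 lies on the cycle, so 16 + 24j are the other solutions), while `semigroup_dlog(mul_mod, 2, pow(2, 3, N))` returns 3, an exponent in the tail that is reached through $b = 1$. The semigroup is passed only as a `mul` callable, so a matrix semigroup over a ring (with hashable tuple elements) can be substituted without touching the algorithm; the final check that $x^m = y$ is what rejects inputs outside $\langle x \rangle$.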