from wikipedia
In group theory, a branch of mathematics, the baby-step giant-step is a meet-in-the-middle algorithm for computing the discrete logarithm or order of an element in a finite abelian group due to Daniel Shanks. The discrete log problem is of fundamental importance to the area of public key cryptography.
The baby-step giant-step algorithm can solve the problem of finding discrete logorithms in
O
(
n
)
O(\sqrt{n}\space)
O(n
)time, significantly faster than the
O
(
n
)
O(n)
O(n) time complexity of the naive trial-and-error approach.
Catalog
BSGS
The problem we are aiming to solve using BSGS can be properly framed as follow:
Given a cyclic group G \mathbb{G} G of order n \mathbb{n} n, a generator a a a of the group and a group element b b b, we are to find an integer x x x such that a x = b a^x=b ax=b.
In the form of modular arithmetic, this is essentially solving a x ≡ b ( m o d p ) a^x\equiv b\pmod{p} ax≡b(modp), where gcd ( a , p ) = 1 \gcd(a,p)=1 gcd(a,p)=1.
We let x = c ⌈ p ⌉ − d x = c\lceil \sqrt p \rceil - d x=c⌈p ⌉−d ( 0 ≤ c , d ≤ ⌈ p ⌉ 0\le c,d \le \lceil \sqrt p\rceil 0≤c,d≤⌈p ⌉).
Substitute back to the original equation, we have
a
c
⌈
p
⌉
−
d
≡
b
(
m
o
d
p
)
a
c
⌈
p
⌉
≡
b
a
d
(
m
o
d
p
)
\begin{aligned} a^{c\lceil \sqrt p\rceil -d} &\equiv b \pmod p\\ a^{c\lceil \sqrt p\rceil} &\equiv ba^d \pmod p \end{aligned}
ac⌈p
⌉−dac⌈p
⌉≡b(modp)≡bad(modp)
Next, we compute all possible
⌈
p
⌉
{\lceil \sqrt p\rceil}
⌈p
⌉ values of
b
a
d
ba^d
bad and store them in a hash table. Then, we compute all possible
⌈
p
⌉
{\lceil \sqrt p\rceil}
⌈p
⌉ values of
(
a
⌈
p
⌉
)
c
(a^{\lceil \sqrt p\rceil})^c
(a⌈p
⌉)c and find if there is any
b
a
d
ba^d
bad with equal value in
O
(
1
)
O(1)
O(1) time, and corresponding value of
x
x
x can thus be found. The overall time complexity is therefore
O
(
p
)
O(\sqrt p)
O(p
).
The idea of BSGS is rather simple, and it is based on a space-time trade-off.
Extension: Finding a discrete root
Next up, we want to find all x x x which satisfies the equation x a ≡ b ( m o d p ) x^a\equiv b\pmod p xa≡b(modp), where p p p is a prime number.
It would require a few steps and some preliminary knowledge about order and primitive root to convert the problem to the typical problem we solve with BSGS.
Suppose prime number p p p has a primitive root g g g, we can solve the equation ( g a ) c ≡ b ( m o d p ) (g^a)^c\equiv b\pmod p (ga)c≡b(modp) for x ≡ g c ( m o d p ) x\equiv g^c\pmod p x≡gc(modp) instead in O ( p ) O(\sqrt p) O(p ) time using BSGS. We can always find such c c c since the cyclic group generated by g g g, { g , g 2 , ⋯ , g ϵ p ( g ) − 1 , 1 } \lbrace g,g^2,\cdots,g^{\epsilon_p(g)-1},1 \rbrace {g,g2,⋯,gϵp(g)−1,1} has an order of φ ( p ) = p − 1 \varphi(p)=p-1 φ(p)=p−1 and hence should cover every possible remainder of p p p, unless b = 0 b=0 b=0 which would have made the problem trivial to begin with. Now we have one solution determined which is x 0 = g c x_0=g^c x0=gc.
To obtain all the solutions, since we have g p − 1 ≡ 1 ( m o d p ) g^{p-1}\equiv1\pmod p gp−1≡1(modp) by Fermat’s Little Theorem, we have g c × ( g p − 1 ) n ≡ b ( m o d p ) g^c\times(g^{p-1})^n\equiv b\pmod p gc×(gp−1)n≡b(modp), and x c + n ( p − 1 ) a = b ( m o d p ) x^{c+\frac{n(p-1)}{a}}=b\pmod p xc+an(p−1)=b(modp), where a ∣ n ( p − 1 ) a|n(p-1) a∣n(p−1).
To find all such n n n, we factor out g c d ( a , p − 1 ) gcd(a,p-1) gcd(a,p−1),and since gcd ( a gcd ( a , p − 1 ) , p − 1 gcd ( a , p − 1 ) ) = 1 , \gcd(\frac{a}{\gcd(a,p-1)},\frac{p-1}{\gcd(a,p-1)})=1, gcd(gcd(a,p−1)a,gcd(a,p−1)p−1)=1, we are left with a gcd ( a , p − 1 ) ∣ n \frac{a}{\gcd(a,p-1)}|n gcd(a,p−1)a∣n. We can thus let n = m × a gcd ( a , p − 1 ) n=m\times\frac{a}{\gcd(a,p-1)} n=m×gcd(a,p−1)a, where m ∈ Z . m\in\mathbb{Z}. m∈Z. Hence, all solutions x x x to the equations are x = g c + m a gcd ( a , p − 1 ) x=g^{c+\frac{ma}{\gcd(a,p-1)}} x=gc+gcd(a,p−1)ma, where m ∈ Z . m\in\mathbb{Z}. m∈Z.