DLP in semigroups: Algorithms and lower bounds

Jiao Han; Jincheng Zhuang

doi:10.1515/jmc-2021-0049

Article Open Access

DLP in semigroups: Algorithms and lower bounds

Jiao Han and Jincheng Zhuang

Published/Copyright: October 17, 2022

Published by

Become an author with De Gruyter Brill

Submit Manuscript Author Information

From the journal Journal of Mathematical Cryptology Volume 16 Issue 1

Abstract

The discrete logarithm problem (DLP) in semigroups has attracted some interests and serves as the foundation of many cryptographic schemes. In this work, we study algorithms and lower bounds for DLP in semigroups. First, we propose a variant of the deterministic algorithm for solving the cycle length of torsion elements and show the lower bound of computing the DLP in a semigroup. Then, we propose an algorithm for solving the multiple discrete logarithm (MDL) problem in the semigroup and give the lower bound for solving the MDL problem by considering the MDL problem in the generic semigroup model. Besides, we solve the multidimensional DLP and product DLP in the semigroup.

Keywords: discrete logarithm problem; semigroups; Torsion elements; cycle length; lower bounds

MSC 2010: 11T71; 11Y16

1 Introduction

The discrete logarithm problem (DLP) in finite groups is widely used in cryptography. It furnishes the foundation for the security of diverse schemes such as the Diffie–Hellman cryptographic protocol [1]. There exist many general purpose algorithms to solve DLP in the finite group G of order N , for instance, Shank’s baby-step-giant-step algorithm [2] and Pollard’s Rho algorithm [3], which perform O ( N ) group operations. On the other hand, Shoup [4] established that the lower bound of algorithms for solving the DLP in finite groups in the generic group model is Ω ( p ) , where p is the largest prime factor of N . Moreover, for the multiple discrete logarithm (MDL) problem with n instances, Kuhn and Struik [5] designed an algorithm by extending the Rho method with n p complexity. Later, Yun [6] analyzed the generic hardness of the MDL problem and proved that any generic algorithm to solve the MDL problem should at least make Ω ( n p ) oracle queries by studying hardness of the search-by-hyperplane-queries (SHQ) problem.

Besides, researchers have considered other variants of the DLP problem for the sake of enabling new cryptographic functionalities or generating hard instances of the DLP faster than previous methods. For example, Brands [7] first proposed the multidimensional DLP (also called representation problem). Given x 1 , x 2 , … , x n , y ∈ G and S 1 , S 2 , … , S n ⊆ Z , the multidimensional DLP is to determine m i ∈ S i such that y = x 1 m 1 x 2 m 2 ⋯ x n m n . Knuth [8] proposed the product DLP. Given x , y ∈ G and S 1 , S 2 , … , S n ⊆ Z , the product DLP is to compute m i ∈ S i such that y = x m 1 m 2 ⋯ m n .

In recent years, many researchers have studied cryptographic schemes in the environment of semigroups and semirings. Monico [9] generalized the original DLP to the DLP in semigroups and semirings, and proposed the semigroup action problem (SAP). At the same time, he explained that the DLP can be extended to the SAP and used the SAP to define a new Diffie–Hellman key exchange protocol and ElGamal cryptosystem. Monico et al. [10] proposed to use the finite Abelian semigroup as the platform for the Diffie–Hellman key exchange protocol. Kahrobaei et al. [11] studied the Diffie–Hellman protocol in the semigroup of matrices over a group ring and discussed the computational Diffie–Hellman and decisional Diffie–Hellman problem in this setting. Habeeb et al. [12] described a new key exchange protocol based on a noncommutative semigroup. In addition, Sakalauskas [13,14,15] also introduced some signature schemes based on the problem in monoids and semirings. Goel et al. [16] introduced several cryptographic schemes in semigroups and semirings in detail. Thus, it is of importance to study DLP in semigroups. In this article, we focus on studying the DLP in semigroups.

Researchers have developed some algorithms for solving DLP in semigroups by extending known algorithms for DLP in finite groups. One obstacle to this process is that inverse elements may not exist in semigroups. This makes the previous algorithm not directly applicable to semigroups. But when a special element called the torsion element is used as a base, many known algorithms can be effectively promoted. Let S be a semigroup, an element g ∈ S is a torsion element if the set ⟨ g ⟩ = { g m : m ∈ Z } is a finite subsemigroup. In other words, a certain part of ⟨ g ⟩ is cyclic. The smallest positive integer s such that g s = g m , for some m ∈ N , s < m is called the cycle start. The smallest positive integer L such that g s + L = g s is called the cycle length. The DLP problem in semigroup S is: given a torsion element g ∈ S and h ∈ ⟨ g ⟩ , where the order of ⟨ g ⟩ is N , find m ∈ [ 1 , N ] such that h = g m .

Utilizing the cyclic characteristics of the torsion element, Banin and Tsaban [17] proposed a technique to reduce the semigroup DLP to the DLP in a cycle group. They show that the cycle length of the torsion element plays an analogous significant role in the order of the finite group. In particular, as long as we find the cycle length of the torsion element, we can effectively solve the DLP in semigroups. A method for solving the cycle length of torsion elements was first proposed by Monico [9], which is a probabilistic algorithm. Later, Banin and Tsaban [17] gave another probabilistic algorithm, which used the DLP oracle. Recently, Tinani and Rosenthal [18] proposed a deterministic algorithm for solving the cycle length of a torsion element and a deterministic algorithm for computing the DLP in semigroups. In addition to the classical algorithm, Childs and Ivanyos [19] provided a quantum algorithm for solving DLP in semigroups.

This article continues the study of DLP in semigroups. We present a variant algorithm for solving the cycle length of a torsion element and analyze the lower bound of the algorithm for computing DLP in a semigroup. Besides, we give the algorithm and complexity analysis of computing MDL, multidimensional DLP, and product DLP in a semigroup.

Article organization: This article is organized as follows. In Section 2, we provide some preliminaries. In Section 3, we give a variant of deterministic algorithm for solving the cycle length of a torsion element and show the lower bound of algorithms for solving DLP in semigroups. In Section 4, we analyze the generic hardness of the MDL problem in semigroups. In Section 5, we study several variants of DLP, including the multidimensional DLP and the product DLP. In Section 6, we conclude this article.

2 Preliminaries

Recall that the DLP problem in semigroup S is: given a torsion element g ∈ S and h ∈ ⟨ g ⟩ , where the order of ⟨ g ⟩ is N , find m ∈ [ 1 , N ] such that h = g m . The following lemmas are the properties of torsion elements, which will be used in the design of algorithms.

Lemma 1

[17] Let S be a semigroup and g ∈ S be a torsion element. Suppose L and s are cycle length and cycle start of g , respectively, and t is the minimal positive integer such that t L ≥ s . Then the set G = { g s + k : 0 ≤ k ≤ L } is a cyclic group whose order is L . Furthermore, the identity element of G is g t L and the generator of G is g t L + 1 .

Lemma 2

[9] Let S be a semigroup and g ∈ S be a torsion element with cycle length L and cycle start s . We have

g x = g y ⇔ x ≡ y ( mod L ) ,

where x and y are all integers that satisfy x and y ≥ s .

Lemma 3

[18] Let S be a semigroup, g ∈ G be a torsion element with cycle length L and cycle start s and G = { g s + k : k ≥ 0 } . For fixed positive integers a , b , b ′ , if g m L + a = g b ∈ G and g a − n L = g b ′ ∈ G , where m is the smallest integer such that g m L + a ∈ G and n is the largest integer such that g a − n L ∈ G , we have

m L + a ≤ b , a − n L ≤ b ′ .

Banin and Tsaban [17] proposed a method to reduce the DLP in the semigroup S to the DLP in the cyclic group. The premise of this reduction method is that the cycle length and the cycle start of the torsion element is known. Thus, by combining the algorithm for solving cycle length and cycle start with the reduction method, we can obtain a complete algorithm for solving the DLP in semigroups. So how to calculate the cycle length is of critical importance.

Let S be a semigroup and g ∈ S be a torsion element whose order is N . In 2002, Monico [9] first presented a probabilistic algorithm to solve the cycle length of g . Tinani and Rosenthal [18] analyzed the probability of the algorithm and concluded that the probability that this algorithm succeeds is bounded below by 1 − 1 B log a , where B is the fixed bound that satisfies a certain condition and a is the g greatest common divisor of the calculations in the algorithm. In 2016, Banin and Tsaban [17] gave another probabilistic algorithm that used DLP oracle in the process to compute the cycle length. Tinani and Rosenthal [18] showed that the algorithm requires O ( ( log N ) 2 ) semigroup operations. Recently, Tinani and Rosenthal [18] proposed a deterministic algorithm for solving cycle length, which is described as follows.

Initialize M = 1 , set p = ⌈ M ⌉ .
Compute g M , g M + 1 , … , g M + p − 1 and store these pairs ( M + i , g M + i ) . If there exist 0 ≤ i < p such that g M = g M + i , then L = i . Otherwise proceed to the next step.
For 0 ≤ j ≤ p , compute g M + p , g M + 2 p , … , g M + j p and look up whether there is a matching value in the table. If g M + i in the table such that g M + i = g M + j p , then L = j p − i . If the collision is not found, set M = 2 M and continue this process.

They showed that the time complexity is O ( N log N ) semigroup multiplications, and the space complexity is O ( N ) semigroup elements.

Next, we describe the definition of the SHQ problem proposed in [6], which will be used in Section 4 where we study the generic hardness of the MDL problem in semigroups.

Definition 1

[6] Let Z L n be the n -dimensional affine space in the finite field Z L . We also assume n = o ( L ) : consider a family of numbers, so that there is a main parameter λ , and both n and L are functions of λ , and n ( λ ) ∕ L ( λ ) → 0 , as λ → ∞ . The affine hyperplane H in Z L n can be written in the form of c 1 X 1 + c 2 X 2 + ⋯ + c n X n = b , where c 1 , c 2 , … , c n , b ∈ Z L with c i ≠ 0 for some i , and X 1 , X 2 , … , X n are the canonical coordinate functions in Z L n . For the point a → in affine space, we define

H ( a → , H ) = 1 a → ∈ H , 0 otherwise .

The SHQ problem is defined as follows: Choose uniform random point a → ∈ Z L n and guess the position of a correctly.

Given access to a hyperplane query oracle H ( a → , H ) , the advantage of a solver A to solve SHQ is defined as follows:

Adv p , n s h q ( A ) = Pr [ A H ( a → , H ) ( p , n ) = a → ] .

If there is a constant c > 0 that satisfies Adv N , n m d l ( A ) ≥ c for any λ , we say that A has a constant advantage in solving SHQ.

3 Algorithm for DLP in a semigroup

3.1 Our algorithm for cycle length

In this section, we propose a variant of the deterministic algorithm based on [18], where semigroup is finite with known order, which is reasonable in the application. The key observation is that we can avoid some duplicated collision test by adjusting the starting point of the baby step. Our variant algorithm for cycle length is expressed as Algorithm 1.

Algorithm 1. A variant algorithm for cycle length
Input A semigroup S with ∣ S ∣ = H , a torsion element g ∈ S .
Output Cycle length L of g .
1: Initialize M = 1 , k = 0 , an empty table A , T = g H .
2: Let m = ⌈ M ⌉ ,
3: Compute T g k , T g k + 1 , … , T g m − 1 and add to table A .
4: if ∃ 1 ≤ i < j ≤ m such that T g i = T g j , L = j − i ; break.
5: else for 1 ≤ j ≤ m :
6: Compute T g j m , and test equality with the elements in table A .
7: if ∃ 1 ≤ i ≤ m − 1 such that T g j m = T g i , L = j m − k − i .
8: else let M = 2 ⋅ M , k = m and go back to step 2.

Next, we analyze the variant and compare it with the original algorithm of Tinani and Rosenthal [18]. Notice that the key difference is the setting of the starting point of the baby step. The original algorithm starts from 1, while the variant starts from a relatively larger point. The advantage is that the variant decreases both the time and space complexity and the number of collision test.

Suppose the order of g is N . When M = N , both algorithms must be able to find the cycle length. In other words, the two algorithms iterate at most log N times in the worst case. We compare the worst complexity of the two algorithms in Table 1. For example, in the baby step, the original algorithm need to perform

1 + 2 + 2 2 + ⋯ + N ≈ ( 2 + 2 ) N

semigroup element power operations. As a comparison, the variant needs to perform N semigroup element power operations.

Table 1

Time and space complexity of two deterministic algorithms for solving the cycle length. Suppose the order of the torsion element g is N . We call the first and second computational stages in the two algorithms the baby step and the giant step. The measurement units of time and space complexities are semigroup element power operation and semigroup elements, respectively

	Tinani and Rosenthal’s algorithm [18]	Our algorithm
The baby step	≈ ( 2 + 2 ) N	N
The giant step	≈ ( 2 + 2 ) N	≈ ( 2 + 2 ) N
Total time complexity	≈ ( 4 + 2 2 ) N	≈ ( 3 + 2 ) N
Space complexity	N	N

We illustrate the algorithm with the following toy example.

Example 1

Assuming S = ( Z 836 , × ) , compute the cycle length L of ⟨ 6 ⟩ ⊂ S .

Tinani and Rosenthal’s algorithm [18]:
1. M = 1 , q = 1 . The baby step: 6 M = 6 , store ( 6 , 1 ) . The giant step: 6 M + 1 = g 2 = 36 .
2. M = 2 , q = 2 . The baby step: 6 M = 6 2 = 36 , 6 M + 1 = 6 3 = 216 , store ( 36 , 2 ) , ( 216 , 3 ) . The giant step: 6 M + 2 = 6 4 = 460 , 6 M + 4 = 6 6 = 676 .
  ⋯
3. M = 128 , q = 12 . The baby step: 6 M = 6 128 = 796 , 6 M + 1 = 6 129 = 596 , … , 6 M + 11 = 6 139 = 156 , store (796, 128), ( 129 , 129 ) , … , ( 156 , 139 ) . The giant step: 6 M + 12 = 6 140 = 100 , 6 M + 24 = 6 152 = 168 , … 6 M + 96 = 6 224 = 548 .
  6 M + 6 = 6 M + 96 ⇒ L = 90 .
Our algorithm : T = g 836 = 16 .
1. M = 1 , m = 1 , k = 0 . The baby step: T = 6 836 = 16 , store ( 16 , 0 ) . The giant step: T 6 1 = 6 837 = 96 .
2. M = 2 , m = 2 , k = 1 . The baby step: T 6 1 = 6 837 = 96 , store ( 96 , 1 ) . The giant step: T 6 2 = 6 838 = 576 , T 6 4 = 6 840 = 672 .
3. M = 4 , m = 2 , k = 2 . The baby step: No calculation required. The giant step: No calculation required.
4. M = 8 , m = 3 , k = 2 . The baby step: T 6 2 = 6 838 = 576 , store ( 576 , 2 ) . The giant step: T 6 3 = 6 839 = 112 , T 6 6 = 6 842 = 784 , T 6 9 = 6 845 = 472 .
  ⋯
5. M = 128 , m = 12 , k = 8 . The baby step: T6⁸ = 6⁸⁴⁴ = 636, T6⁹ = 6⁸⁴⁵ = 472, T6⁰ = 6⁸⁴⁶ = 324, T6¹¹ = 6⁸⁴⁷ = 272, store ( 636 , 8 ) , ( 472 , 9 ) , ( 324 , 10 ) , ( 272 , 11 ) . The giant step: T6¹² = 6⁸⁴⁸ = 796, T6²⁴= 6⁸⁶⁰ = 100, … T6⁹⁶ = 6⁹³² = 784.
  6 836 + 6 = 6 836 + 96 ⇒ L = 90 .

The concrete complexity of calculating the example is summarized in Table 2

Table 2

Complexity of Example 1

	Tinani and Rosenthal’s algorithm [18]	Our algorithm
The baby step	38	12
The giant step	34	31
Total time complexity	72	43
Space complexity	12	12

In the original randomized algorithm [17], they computed collision based on DLP oracle. But the details are not presented. In Appendix A, we complement the details.

3.2 The lower bound

Shoup [4] proposed the generic algorithm and proved the lower bound of DLP in a group. Following Shoup, we can model a generic group using a random infective function σ : Z N → { 0 , 1 } ∗ = ℒ . We then write the elements of an order- N group as { σ ( 1 ) , σ ( 2 ) , … , σ ( N ) } , instead of the usual { g , g 2 , … , g N } . We often say i ∈ Z N is the “discrete log” of σ ( i ) . A generic algorithm takes input a list of ( σ ( x 1 ) , … , σ ( x L ) ) and has access to a group oracle O σ : O σ ( σ ( x i ) , σ ( x j ) ) = σ ( x i + x j ) . Generic discrete logarithm algorithm takes as input ( σ ( 1 ) , σ ( x ) ) , representing ( g , g x ) , make queries to O σ , outputs x . Utilize the generic algorithm and the polynomial zero-point theorem, and it can be shown that the lower bound for computing DLP in an N-order group is Ω ( N ) .

A group can be regarded as a special semigroup, so it is easier to calculate the DLP in a group than in a semigroup. In other words, the lower bound of algorithms for calculating the DLP in a semigroup will not be lower than the DLP in a group. Combining with the result of Shoup, we can draw the following conclusion.

Theorem 1

Suppose the order of semigroup G = ⟨ g ⟩ generated by g is N , the lower bound of algorithms for solving the DLP in this semigroup is Ω ( N ) .

4 The multiple DLP

4.1 The algorithm for multiple DLP

In this section, we will consider the multiple DLP in a semigroup. We propose an algorithm based on the method of [5]. Recall the definition of the MDL as follows.

Definition 2

Let S be a semigroup and g ∈ S be a torsion element with cycle length L and cycle start s , where the order of ⟨ g ⟩ is N . The MDL problem is: given h 1 , h 2 , … , h n ∈ ⟨ g ⟩ , find out a i ∈ [ 1 , N ] such that h i = g a i , 1 ≤ i ≤ n .

Note that there are algorithms for finding the cycle length L and the cycle start s as described in the previous section and Banin and Tsaban [17]. Hence, parameters L and s are included in the input, and the order of g satisfies N = s + L .

The main idea of the algorithm for n instances DLP in the semigroup is: First, reduce n instances to the MDL problem in the finite group G g . Then use the extended Pollard Rho algorithm to solve the MDL problem. Finally, return the result to the semigroup. The full algorithm is given in Algorithm 2.

Algorithm 2. Algorithm for MDL problem
Input A semigroup S, a torsion element g ∈ S , with cycle length L and cycle start s , and h 1 , h 2 , … , h n ∈ S with h i = g m i .
Output m i such that h i = g m i .
1: Compute t = ⌈ s L ⌉ and let g ′ = g t L + 1 ∈ G g .
2: Find the minimum integers 0 ≤ a i ≤ t such that h i ′ = h ⋅ g a i L ∈ G g using binary search.
3: Use extended Pollard Rho Algorithm for Computing Multiple Discrete Logarithms to compute m i ′ ∈ { 0 , 1 , … , L − 1 } such that ( g ′ ) m i ′ = h i ′ .
4: Find the minimum integers b i ≥ 0 such that g ( t L + 1 ) m i ′ − b i L ∈ G g using binary search.
5: Return m i = m i ′ ( t L + 1 ) − ( a i + b i ) L .

Theorem 2

Let S be a semigroup, g be a torsion element whose cycle start is s and cycle length is L, the order of subsemigroup ⟨ g ⟩ is N . Given h 1 , h 2 , … , h n ∈ ⟨ g ⟩ . Then Algorithm 2 solves n instances DLP based on g in the semigroup S using O ( n L + n ( l o g N ) 2 ) semigroup multiplications.

Proof

Recall that the group G g = { g s + k : k ≥ 0 } is a cycle group whose order is L and we have the conclusion that the G g is generated by g t L + 1 with identity g t L . We can define the parameter t by formula t = ⌈ s L ⌉ , and we can use formula g ′ = g t L + 1 to make g ′ ∈ G g . Evidently we can find suitable a i so that h i ′ = h i ⋅ g a i L belongs to the cycle group G g . So far we have reduced the DLP m i = l o g g h i in the semigroup S to the DLP m i ′ = l o g g ′ h i ′ in the group G g . Thus, we can use extended Pollard Rho Algorithm [5] for computing multiple discrete logarithms to compute m ′ in O ( n L ) semigroup multiplications.

For every m i ′ , we obtain

h i ′ = ( g ′ ) m ′ ⇒ h i ⋅ g a i L = ( g t L + 1 ) m ′ ⇒ g m i ⋅ g a i L = ( g t L + 1 ) m ′ ⇒ g m i + a i L = g ( t L + 1 ) m ′ .

We have the maximal integers b i such that g ( t L + 1 ) m i ′ − b i L ∈ G g . Now,

g ( t L + 1 ) m i ′ − b i L = g m i ′ ( t L + 1 ) = ( g ′ ) m i ′ = h i ′ = h i ⋅ g a i L = g m i ⋅ g a i L = g a i L + m i .

From Lemma 3, for minimum integers a i and maximal integers b i , we can see

m i ′ ( t L + 1 ) − b i L ≤ a i L + m i , a i L + m i ≤ m i ′ ( t L + 1 ) − b i L .

So m i = m i ′ ( t L + 1 ) − ( a i + b i ) L . Because m ′ ≤ L and t L ≤ L + s , b i ≤ L + s + 1 = N + 1 . Since we use binary search to find a i and b i that satisfy the conditions, they cost O ( ( log N ) 2 ) steps in the whole algorithm.

In summary, Algorithm 2 to solve the n instances DLP performs O ( n L + n ( log N ) 2 ) semigroup multiplications.□

4.2 Generic hardness of MDL

In a finite group with order L , Yun [6] obtained the generic hardness of the MDL problem in finite groups through analyzing the advantages of the SHQ problem solver and the relationship between the MDL problem and the SHQ problem. He proved if A is the solver of any generic MDL problem, then a solver B of the SHQ problem can be constructed through A, and satisfying Adv L , n m d l ( A ) ≤ Adv L , n s h q ( B ) . Besides, he showed that if A is a solver for any generic MDL problem with at most m queries, then Adv L , n m d l ( A ) ≤ 1 L + 1 2 ( e ( m + n + 1 ) 2 2 n L ) n . Afterward, through combining the analysis in the section 6.1 of [6], Yun concluded that if solver A solves the MDL problem in group G with a constant advantage, it should make Ω ( n L ) queries.

Let g ∈ S be a torsion with ∣ ⟨ g ⟩ ∣ = N and the cycle length of g be L . That is the order of the cycle group G = ⟨ g t L + 1 ⟩ ⊆ ⟨ g ⟩ is L . If we can calculate the DLP in ⟨ g ⟩ , we must be able to calculate the DLP in G . Then the generic hardness of the MDL problem in ⟨ g ⟩ must not be lower than that in G . Thus, the generic hardness of MDL in ⟨ g ⟩ is Ω ( n L ) .

5 Variants of the DLP

In this section, we consider some variants of the DLP over semigroups. Since there are algorithms for finding the cycle length L and the cycle start s as described in the previous section and in the study by Banin et al. [17], the parameters L and s are included in the input.

5.1 The multidimensional DLP

In the classical case, variants of the DLP can be used to design e-money protocols, etc. For example, Brands [7] designed an offline electronic cash system based on multidimensional DLP in a group. Experts also use such problems to design applications in different contexts. So we consider variants of the DLP in a semigroup. In this section, we propose the definition of the multidimensional DLP in a semigroup and give an effective algorithm to solve this problem.

Definition 3

Let S be a finite Abelian semigroup. The multidimensional DLP in S is: given g 1 , g 2 , … , g n with cycle start s i and cycle length L i , respectively, h ∈ S and S i ⊆ [ 1 , N i ] , where g 1 , g 2 , … , g n be torsion elements and N i is the order of ⟨ g i ⟩ . Find a i ∈ S i , if they exist, such that h = g 1 a 1 g 2 a 2 ⋯ g n a n .

Because inverse elements may not exist in semigroups, we cannot directly apply methods that are used in the finite group to solve this problem. Therefore, we consider how to reduce the DLP in a semigroup to a DLP in a finite group, so as to solve the multidimensional DLP in the semigroup. The main idea is as follows.

The order of subsemigroup ⟨ g i ⟩ that is generated by g i is N i . As for, we have known the set of G i = { g i s i + k : k ≥ 0 } is a cycle group and g i t i L i is the identity element of G i , where t i is the smallest positive integer that makes g i t i L i ∈ G i . Fixed t i = ⌈ s i L i ⌉ , define g i ′ = g i t i L i + 1 ∈ G i . In group G i , it has an inverse element ( g i t i L i + 1 ) − 1 such that g i ′ ( g i ′ ) − 1 = g i t i L i + 1 ⋅ ( g i t i L i + 1 ) − 1 = g i t i L i . Use binary search to find the minimum integers 0 ≤ b i ≤ t i such that h ′ = h g 1 b 1 L 1 g 2 b 2 L 2 ⋯ g n b n L n ∈ ⟨ ⋃ G i ⟩ , where ⟨ ⋃ G i ⟩ is a subsemigroup of S , which is generated by ⋃ G i . Next, we can reduce the multidimensional DLP to find a 1 ′ , a 2 ′ , … , a n ′ such that

h ′ = ( g 1 ′ ) a 1 ′ ( g 2 ′ ) a 2 ′ ⋯ ( g n ′ ) a n ′ .

Let m = ⌈ n 2 ⌉ . Because every g i ′ has an inverse element in G i , we can see

h ′ ( g m + 1 ′ a m + 1 ′ ) − 1 ⋯ ( g n ′ a n ′ ) − 1 = g 1 ′ a 1 ′ ⋯ g m ′ a m ′ [ g m + 1 ′ a m + 1 ′ ( g m + 1 ′ a m + 1 ′ ) − 1 ] ⋯ [ g n ′ a n ′ ( g n ′ a n ′ ) − 1 ] = g 1 ′ a 1 ′ ⋯ g m ′ a m ′ g m + 1 t m + 1 L m + 1 ⋯ g n t n L n ,

where a i ′ ∈ [ 0 , L i − 1 ] . Once we obtain a i ′ using Baby-Step-Giant-Step algorithm such that h ′ = ( g 1 ′ ) a 1 ′ ( g 2 ′ ) a 2 ′ ⋯ ( g n ′ ) a n ′ , the relationship between a i and a i ′ can be represented by

h ′ = h g 1 b 1 L 1 g 2 b 2 L 2 ⋯ g n b n L n = g 1 a 1 + b 1 L 1 g 2 a 2 + b 2 L 2 ⋯ g n a n + b n L n = g 1 ′ a 1 ′ g 2 ′ a 2 ′ ⋯ g n ′ a n ′ = g 1 a 1 ′ ( t 1 L 1 + 1 ) g 2 a 2 ′ ( t 2 L 2 + 1 ) ⋯ g n a n ′ ( t n L n + 1 ) .

Next, use binary search to find the maximal integers c i such that g i a i ′ ( t i L i + 1 ) − c i L i ∈ G i . Eventually, we come to the conclusion that

a i = a i ′ ( t i L i + 1 ) − ( b i + c i ) L i .

Theorem 3

Let S be an Abelian semigroup, g 1 , g 2 , … , g n , h ∈ S , and g 1 , g 2 , … , g n be torsion elements whose cycle start s 1 , s 2 , … , s n and cycle length L 1 , L 2 , … , L n are known and the order of subsemigroups ⟨ g 1 ⟩ , ⟨ g 2 ⟩ , … , ⟨ g n ⟩ , which are generated by g 1 , g 2 , … , g n are N 1 , N 2 , … , N n , respectively. According to the aforementioned method, we can find a i ∈ S i , 1 ≤ i ≤ n such that h = g 1 a 1 g 2 a 2 ⋯ g n a n using O ( L m ) semigroup multiplications and O ( L m ) semigroup elements of storage, where S i ⊆ Z , L = max { L 1 , L 2 , … , L n } , m = ⌈ n 2 ⌉ .

Proof

After the aforementioned series of operations, we reduce the DLP to find a i ′ such that h ′ = g 1 ′ a 1 ′ g 2 ′ a 2 ′ ⋯ g n ′ a n ′ and we can obtain the following equation:

h ′ ( g m + 1 ′ a m + 1 ′ ) − 1 ⋯ ( g n ′ a n ′ ) − 1 = g 1 ′ a 1 ′ ⋯ g m ′ a m ′ g m + 1 t m + 1 L m + 1 ⋯ g n t n L n ,

where g m + 1 t m + 1 L m + 1 , … , g n t n L n are fixed values and a i ′ ∈ [ 0 , L i − 1 ] . When we find a i ′ using the Baby-Step-Giant-Step algorithm, we can choose different a 1 ′ , a 2 ′ , … , a m ′ to calculate the right side of the equation and store them. Obviously, we need O ( L m ) semigroup multiplications and O ( L m ) semigroup elements of storage. Then we can choose different a m + 1 ′ , a ′ , … , a n ′ to calculate the left side of the equation and look for a collision. If a collision occurs, then we find suitable a 1 ′ , a 2 ′ , … , a n ′ to make h ′ = g 1 ′ a 1 ′ g 2 ′ a 2 ′ ⋯ g n ′ a n ′ hold and we need at most O ( L m ) semigroup multiplications. Finally, we can calculate a 1 , a 2 , … , a n through a i = a i ′ ( t i L i + 1 ) − ( b i + c i ) L i .

In a word, we can solve the multidimensional DLP in semigroup S using O ( L m ) semigroup multiplications and O ( L m ) semigroup elements of storage.□

5.2 The product DLP

In this section, we consider the product DLP in a semigroup. First, we give the concept of the product DLP in a semigroup. Then, we present how to solve this problem.

Definition 4

Let S be a semigroup, the product discrete logarithm in S is: given a torsion element g ∈ S cycle start s and cycle length L , h ∈ ⟨ g ⟩ and S i ⊆ [ 1 , N ] , where the order of ⟨ g ⟩ is N and i = 1 , 2 , … , n . Find a i ∈ S i , if they exist, such that h = g a 1 a 2 ⋯ a n .

The Baby-Step-Giant-Step algorithm [2], which compromises time and space complexity can be used to compute product DLP in a group. Naturally, we will consider whether we can use such a method to solve the product DLP in a semigroup. The main idea is as follows.

The order of subsemigroup ⟨ g ⟩ , which is generated by g is N . As for, we have known the set of G = { g s + k : k ≥ 0 } is a cycle group and g t L is the identity element of G , where t is the smallest positive integer that makes g t L ∈ G . Compute t = ⌈ s L ⌉ and let g ′ = g t L + 1 ∈ G . Use binary search to find the minimum integer 0 ≤ b ≤ t such that h ′ = h g b L ∈ G . Thus, we have reduced the DLP to find a ′ such that h ′ = g a ′ , where a ′ ∈ [ 0 , L − 1 ] , and we can use Baby-Step-Giant-Step algorithm to find a ′ . Then we obtain

h ′ = h g b L = g a 1 a 2 ⋯ a n g b L = g ′ a ′ = g ( t L + 1 ) a ′ .

Next, use binary search to find the maximal integer c such that g a ′ ( t L + 1 ) − c L ∈ G . We have a 1 a 2 ⋯ a n = ( t L + 1 ) a ′ − ( b + c ) L , where a i ∈ S i . Let m = ⌈ n 2 ⌉ , then the relation of a 1 , a 2 , … , a n can be obtained by

a 1 a 2 ⋯ a m = [ ( t L + 1 ) a ′ − ( b + c ) L ] 1 a m + 1 1 a m + 2 ⋯ 1 a n .

To obtain specific values, we can present distinct a 1 , a 2 , … , a m to calculate the left side of the equation and store them. Then we can present distinct a m + 1 , a m + 2 , … , a n to calculate the right side of the equation and look for a collision. If a collision occurs, then we seek out suitable a 1 , a 2 , … , a n such that h = g a 1 a 2 ⋯ ⋅ a n .

Theorem 4

Let S be a semigroup, g , h ∈ S , and g be a torsion element whose cycle start s and cycle length L are known and the order of the subsemigroup ⟨ g ⟩ , which is generated by g is N . Suppose that elements of G are represented using O ( log L ) bits and the group operations can be performed in O ( ( log L ) 2 ) . According to the aforementioned method, we can find a i ∈ S i , 1 ≤ i ≤ n such that h = g a 1 a 2 ⋯ a n using O ( ( log N ) m N m ) bits operations and O ( ( log N ) m N m ) bits of storage, where S i ⊆ [ 1 , N ] , m = ⌈ n 2 ⌉ .

Proof

When we reduce the product DLP to find a ′ such that h ′ = g ′ a ′ , where g ′ , h ′ ∈ G , a ′ ∈ [ 0 , L − 1 ] , and we can use Shank’s Baby-Step-Giant-Step algorithm to solve it with O ( L ( log L ) 2 ) bits operations and O ( L ( log L ) 2 ) bits of storage. In the same way, when using Baby-Step-Giant-Step algorithm to find a 1 , a 2 , … , a n , it is not difficult to discover that requires O ( ( log N ) m N m ) bits operations and O ( ( log N ) m N m ) bits of storage. So, the aforementioned algorithm for the product DLP in semigroup S needs O ( ( log N ) m N m ) bits operations and O ( ( log N ) m N m ) bits of storage.□

6 Conclusion

The security of many cryptographic schemes has been based on the DLP in semigroups. Algorithms for DLP in the finite group can be extended to the semigroup by appropriate adjust. In this work, we present algorithms and lower bounds of the DLP and MDL in the semigroup and consider other variants including the multidimensional DLP and the product DLP in the semigroup.

Acknowledgments

This work was partially supported by the National Key Research and Development Project of China (Grant No. 2018YFA0704702) and the Major Basic Research Project of Natural Science Foundation of Shandong Province, China (Grant No. ZR202010220025). The authors thank the anonymous reviewers for very helpful suggestions which improved the paper.

Conflict of interest: Authors state no conflict of interest.

Appendix A The details of Banin and Tsaban’s algorithm

The original description of the algorithm of Banin and Tsaban [17] is based on the DLP oracle. Now we use a specific algorithm to complement the details.

Actually, the DLP oracle is used to look for l , l ′ such that g l = g l ′ in their algorithm. Given a bound d > 1 , for each i < d , the algorithm needs l such collisions. Then, the greatest common factor is calculated for the multiples obtained from each collision. At this point, we can use specific algorithms to find collisions, such as the rho method, in which the use of distinguished points to find collisions is a highly effective method. We introduce detailed methods to find collisions.

The complete algorithm is: Assuming that the order of the semigroup S is N . Rho method needs to use a pseudo-random function to specify the relationship between elements. The original pseudo-random function is applied to a finite group G of known order, and the exponents can be reduced modulo ∣ G ∣ at each step. However, the cycle length at this time is not known. Now, select random integer e 1 , e 2 , … e m ∈ [ 1 , N ] , and let β i = g e i . Then y i is uniformly distributed in ⟨ g ⟩ . Then select a random hash function h : { 0 , 1 } l → { 1 , 2 , … , m } to divide the subset I ⊆ { 0 , 1 } l of any size into m groups of the same size with a high probability. We define the function f : x ↦ x y h ( x ) , where h acts on x as a bit string instead of a semigroup element. The specific process is as follows:

For i = 1 to m , select random e 1 , e 2 , … , e m ∈ [ 1 , N ] , compute y i = g e i as distinguished points.
Select random a 1 ∈ [ 1 , N ] , y = g a 1 , k = a 1 .
y ← y ⋅ y i , k = a 1 + e i , where i = h ( y ) . If y is not a distinguished point, repeat. If y is a distinguished point, store ( y , k ) in a table.
Select random a 1 ≠ a 2 ∈ [ 1 , N ] , y = g a 2 , k = a 2 . Repeat 2 until y is a distinguished point. If y is not in the list, store the new ( y , k ) into the table, if ( y , k ′ ) is already in the table, then
E = k − k ′ .

We can use the aforementioned algorithm instead of the DLP oracle to find the multiple of the cycle length, and find the greatest common factor according to the boundary restrictions in the algorithm.

References

[1] Diffie W, Hellman ME, New directions in cryptography. IEEE Trans Inform Theory. 1976;22(6):644–54. 10.1145/3549993.3550007Search in Google Scholar

[2] Shanks D. Class number, a theory of factorization, and genera. Proc Symp Math Soc. 1971;20:41–440. 10.1090/pspum/020/0316385Search in Google Scholar

[3] Pollard J. Monte carlo methods for index computation. Math Comput. 1975;32(143):918–24. 10.1090/S0025-5718-1978-0491431-9Search in Google Scholar

[4] Shoup V. Lower bounds for discrete logarithms and related problems. In: International Conference on the Theory and Applications of Cryptographic Techniques. Springer; 1997. p. 256–66. 10.1007/3-540-69053-0_18Search in Google Scholar

[5] Kuhn F, Struik R. Random walks revisited: Extensions of pollardas rho algorithm for computing multiple discrete logarithms. In: Selected Areas in Cryptography. Berlin Heidelberg: Springer; 2001. p. 212–29. 10.1007/3-540-45537-X_17Search in Google Scholar

[6] Yun A. Generic hardness of the multiple discrete logarithm problem. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. Berlin Heidelberg: Springer; 2015. p. 817–36. 10.1007/978-3-662-46803-6_27Search in Google Scholar

[7] Brands S. An efficient off-line electronic cash system based on the representation problem. Technical Report CS-R9323. Amsterdam: CWI; 1993. Search in Google Scholar

[8] Knuth DE. Art of computer programming, volume 2: Seminumerical algorithms. 3rd ed. Addison-Wesley Professional; 1997. Search in Google Scholar

[9] Monico CJ. Semirings and semigroup actions in public-key cryptography. Ph.D. thesis. University of Notre Dame Notre Dame; 2002. Search in Google Scholar

[10] Maze G, Monico C, Rosenthal J. Public key cryptography based on semigroup actions. Adv Math Commun. 2007;1(4):489–507. 10.3934/amc.2007.1.489Search in Google Scholar

[11] Kahrobaei D, Koupparis C, Shpilrain V. Public key exchange using matrices over group rings. Groups-Complexity-Cryptology. 2013;5(1):97–11510.1515/gcc-2013-0007Search in Google Scholar

[12] Habeeb M, Kahrobaei D, Koupparis C, Shpilrain V. Public key exchange using semidirect product of (semi) groups. In: International Conference on Applied Cryptography and Network Security. Springer; 2013. p. 475–86. 10.1007/978-3-642-38980-1_30Search in Google Scholar

[13] Sakalauskas E. New digital signature scheme in gaussian monoid. Informatica. 2004;15(2):251–70. 10.15388/Informatica.2004.058Search in Google Scholar

[14] Sakalauskas E. One digital signature scheme in semimodule over semiring. Informatica. 2005;16(3):383–94. 10.15388/Informatica.2005.105Search in Google Scholar

[15] Sakalauskas E, Burba T. Digital signature scheme based on action of infinite ring. Inform Technol Control. 2004;31(2):60–4. Search in Google Scholar

[16] Goel N, Gupta I, Dass B. Survey on SAP and its application in public-key cryptography. J Math Cryptol. 2020;14(1):144–52. 10.1515/jmc-2016-0004Search in Google Scholar

[17] Banin M, Tsaban B. A reduction of semigroup DLP to classic DLP. Designs Codes Cryptography 2016;81(1):75–82. 10.1007/s10623-015-0130-2Search in Google Scholar

[18] Tinani S, Rosenthal J. A deterministic algorithm for the discrete logarithm problem in a semigroup. CoRR abs/2101.11500, 2021. Search in Google Scholar

[19] Childs AM, Ivanyos G. Quantum computation of discrete logarithms in semigroups. J Math Cryptol. 2014;8(4):405–16. 10.1515/jmc-2013-0038Search in Google Scholar

Received: 2021-11-17

Revised: 2022-05-23

Accepted: 2022-07-23

Published Online: 2022-10-17

This work is licensed under the Creative Commons Attribution 4.0 International License.

Articles in the same Issue

https://doi.org/10.1515/jmc-2021-0049

Keywords for this article

discrete logarithm problem; semigroups; Torsion elements; cycle length; lower bounds

Creative Commons

BY 4.0