Baby-step Giant-step and its extension

from wikipedia

In group theory, a branch of mathematics, the baby-step giant-step is a meet-in-the-middle algorithm for computing the discrete logarithm or order of an element in a finite abelian group due to Daniel Shanks. The discrete log problem is of fundamental importance to the area of public key cryptography.

The baby-step giant-step algorithm can solve the problem of finding discrete logorithms in $O(\sqrt{n})$time, significantly faster than the $O(n)$ time complexity of the naive trial-and-error approach.

BSGS

The problem we are aiming to solve using BSGS can be properly framed as follow:

Given a cyclic group $\mathbb{G}$ of order $n$, a generator $a$ of the group and a group element $b$, we are to find an integer $x$ such that $a^x=b$.

In the form of modular arithmetic, this is essentially solving $a^x\equiv b(\mathrm{m}\mathrm{o}\mathrm{d}p)$, where $\gcd (a,p)=1$.

We let $x=c\lceil \sqrt{p}\rceil -d$ ($0\le c,d\le \lceil \sqrt{p}\rceil$).

Substitute back to the original equation, we have
$$\begin{array}{rl}{a}^{c\lceil \sqrt{p}\rceil -d}& \equiv b(\mathrm{m}\mathrm{o}\mathrm{d}p)\\ a^{c\lceil \sqrt{p}\rceil }& \equiv b{a}^d(\mathrm{m}\mathrm{o}\mathrm{d}p)\end{array}$$
Next, we compute all possible $\lceil \sqrt{p}\rceil$ values of $b{a}^d$ and store them in a hash table. Then, we compute all possible $\lceil \sqrt{p}\rceil$ values of $(a^{\lceil \sqrt{p}\rceil }{)}^c$ and find if there is any $b{a}^d$ with equal value in $O(1)$ time, and corresponding value of $x$ can thus be found. The overall time complexity is therefore $O(\sqrt{p})$.

The idea of BSGS is rather simple, and it is based on a space-time trade-off.

Extension: Finding a discrete root

Next up, we want to find all $x$ which satisfies the equation $x^a\equiv b(\mathrm{m}\mathrm{o}\mathrm{d}p)$, where $p$ is a prime number.

It would require a few steps and some preliminary knowledge about order and primitive root to convert the problem to the typical problem we solve with BSGS.

Primitive Root(Part1)
Primitive Root(Part2)

Suppose prime number $p$ has a primitive root $g$, we can solve the equation $(g^a{)}^c\equiv b(\mathrm{m}\mathrm{o}\mathrm{d}p)$ for $x\equiv g^c(\mathrm{m}\mathrm{o}\mathrm{d}p)$ instead in $O(\sqrt{p})$ time using BSGS. We can always find such $c$ since the cyclic group generated by $g$, { g , g 2 , ⋯   , g ϵ p ( g ) − 1 , 1 } \lbrace g,g^2,\cdots,g^{\epsilon_p(g)-1},1 \rbrace {g,g2,⋯,gϵp​(g)−1,1} has an order of $\phi (p)=p-1$ and hence should cover every possible remainder of $p$, unless $b=0$ which would have made the problem trivial to begin with. Now we have one solution determined which is $x_0=g^c$.

To obtain all the solutions, since we have $g^{p-1}\equiv 1(\mathrm{m}\mathrm{o}\mathrm{d}p)$ by Fermat’s Little Theorem, we have $g^c\times (g^{p-1}{)}^n\equiv b(\mathrm{m}\mathrm{o}\mathrm{d}p)$, and $x^{c+\frac{n(p-1)}{a}}=b(\mathrm{m}\mathrm{o}\mathrm{d}p)$, where $a|n(p-1)$.

To find all such $n$, we factor out $gcd(a,p-1)$,and since $\gcd (\frac{a}{\gcd (a,p-1)},\frac{p-1}{\gcd (a,p-1)})=1,$ we are left with $\frac{a}{\gcd (a,p-1)}|n$. We can thus let $n=m\times \frac{a}{\gcd (a,p-1)}$, where $m\in \mathbb{Z}.$ Hence, all solutions $x$ to the equations are $x=g^{c+\frac{ma}{\gcd (a,p-1)}}$, where $m\in \mathbb{Z}.$

Extension: a more general case

Through a little tweak, we can use BSGS to solve $a^x\equiv b(\mathrm{m}\mathrm{o}\mathrm{d}p)$ with no restriction on $a$ and $p$.

Factor out $gcd(a,p)=f_1$ from the origianl equation, we have
$\frac{a}{f_1}\times a^{x-1}\equiv b(\mathrm{m}\mathrm{o}\mathrm{d}\frac{b}{f1})$.

We carry out this process for $k$ times, after which $\gcd (a,\frac{p}{{\prod }_{i=1}^k{f}_i})=1.$
Notice that this process will be carried out for at most $lo{g}_2(p)$ times.

Now we have$\frac{a^k}{{\prod }_{i=1}^k{f}_i}\times a^{x-k}\equiv b(\mathrm{m}\mathrm{o}\mathrm{d}\frac{p}{{\prod }_{i=1}^k{f}_i})$, and we can find the multiplicative inverse of $\frac{a^k}{{\prod }_{i=1}^k{f}_i}$ modulo $\frac{p}{{\prod }_{i=1}^k{f}_i}$ using the extended euclidean algorithm since $\gcd (a,\frac{p}{{\prod }_{i=1}^k{f}_i})=1.$

The equation can then be reduced to the simple case
$a^{x-k}\equiv b\times (\frac{a^k}{{\prod }_{i=1}^k{f}_i}{)}^{-1}(\mathrm{m}\mathrm{o}\mathrm{d}\frac{p}{{\prod }_{i=1}^k{f}_i})$ which we can solve by BSGS. Notice that we might end up with a solution for $x-k<k$, in this case we only need to add multiple copies of ${ϵ}_{\frac{p}{{\prod }_{i=1}^k{f}_i}}(a)$ to the answer until it is no longer negative.

Implementation

Below is a short implementation of the extended BSGS algorithm in C++

int exgcd(int a, int b, int& x, int& y)//extended euclidean algorithm to find the multiplicative inverse
{
    if (!b)
    {
        x = 1, y = 0;
        return a;
    }
    int d = exgcd(b, a % b, y, x);
    y -= a / b * x;
    return d;
}

int bsgs(int a, int b, int p)//the basic BSGS algorithm
{
    if (1 % p == b % p) return 0;//special case
    int k = sqrt(p) + 1;//meet in the middle approach
    unordered_map<int, int> hash;//hash map
    for (int i = 0, j = b % p; i < k; i ++ )
    {
        hash[j] = i;
        j = (LL)j * a % p;
    }
    int ak = 1;
    for (int i = 0; i < k; i ++ ) ak = (LL)ak * a % p;
    for (int i = 1, j = ak; i <= k; i ++ )
    {
        if (hash.count(j)) return i * k - hash[j];
        j = (LL)j * ak % p;
    }
    return -inf;//no answer
}

int exbsgs(int a, int b, int p)//extended BSGS
{
    b = (b % p + p) % p;
    if (1 % p == b % p) return 0;
    int x, y;
    int d = exgcd(a, p, x, y);
    if (d > 1)
    {
        if (b % d) return -inf;
        exgcd(a / d, p / d, x, y);
        return exbsgs(a, (LL)b / d * x % (p / d), p / d) + 1;
    }
    return bsgs(a, b, p);
}