In [1]:
# generates a random safe prime (p=2*q+1 with q prime)
# we use these to make Fp^times as close to a cyclic group of prime order as possible
# this means a Pohlig-Hellman attack on Fp^* will have very little benefit
def random_sg_prime(bits):
    while true:
        p=random_prime(2^bits,2^(bits-1))
        if is_prime(2*p+1): break
    return p

def L(a,c,N):
    z = ceil(exp(c*log(N)^a*log(log(N))^(1-a)))
    if z%2: z+=1
    return ceil(z)

def trial_factor(x,B):
    f=[]
    lastp=0
    while x > 1:
        p=x.trial_division(B)
        if p > B: return []
        if p == lastp: f[-1][1] += 1
        else: f.append([p,1])
        x = x.divide_knowing_divisible_by(p)
        lastp = p
    return f

def dlog(a,b,p):
    B=ceil(2*L(1/2,1/2,p))
    print("smoothness bound is %d" % B)
    pi=[q for q in primes(B)]
    pimap=[0 for i in range(0,B)]
    i=0
    for q in primes(B):
        pimap[q] = i
        i += 1
    n=len(pi)
    print("factor base has %d elements, searching for %d relations..."%(n,n+2))

    M=matrix(ZZ,n+2,n+2,sparse=true)
    t = cputime()
    bi = 1/b
    i = 0
    while i < M.nrows():
        e = randint(1,p-1)
        f=trial_factor(ZZ(a^e*bi),B)
        if f and f[-1][0] < B:
            for q in f:
                M[i,pimap[q[0]]]=q[1]
            M[i,n]=1; M[i,n+1]=e
            i += 1
            print("%d (%.3fs/relation)\r"%(i,(cputime()-t)/i),end="")
    print("Found %d relations in %.2f s, attempting to solve system"%(i,cputime()-t))
    q = ZZ((p-1)/2)
    #print(M)
    Mq=M.change_ring(GF(q)).echelon_form()
    M2=M.change_ring(GF(2)).echelon_form()
    #print(Mq)
    #print(M2)
    i = n; j = n
    while not Mq[i,n]: i-=1
    while not M2[j,n]: j-=1
    print(i,j,n)
    return ((q+1)*ZZ(Mq[i,n+1])+q*ZZ(M2[j,n+1]))%(2*q)

In [3]:
p=2*random_sg_prime(60)+1
print(p)
F=GF(p)
a=F.random_element()
while a.multiplicative_order() != p-1: a=F.random_element()
x=randint(1,p-1)
b=a^x
print("%d=%d^%d"%(b,a,x))
%time y=dlog(a,b,p)
print("log_%d(%d) = %d"%(a,b,y))
assert x==y

1879055274587749607
1579477268926581873=594094448555897090^1655887796368705526
smoothness bound is 1060
factor base has 177 elements, searching for 179 relations...
1 (0.105s/relation)2 (0.082s/relation)

3 (0.086s/relation)4 (0.076s/relation)

5 (0.208s/relation)6 (0.180s/relation)

7 (0.255s/relation)

8 (0.254s/relation)9 (0.236s/relation)10 (0.224s/relation)

11 (0.248s/relation)12 (0.240s/relation)

13 (0.266s/relation)14 (0.249s/relation)

15 (0.251s/relation)16 (0.245s/relation)

17 (0.241s/relation)18 (0.236s/relation)

19 (0.239s/relation)20 (0.236s/relation)

21 (0.242s/relation)22 (0.231s/relation)

23 (0.268s/relation)

24 (0.267s/relation)

25 (0.305s/relation)26 (0.298s/relation)

27 (0.299s/relation)

28 (0.297s/relation)29 (0.287s/relation)30 (0.283s/relation)

31 (0.278s/relation)32 (0.271s/relation)

33 (0.291s/relation)

34 (0.294s/relation)

35 (0.292s/relation)36 (0.286s/relation)

37 (0.283s/relation)

38 (0.298s/relation)

39 (0.301s/relation)

40 (0.308s/relation)

41 (0.310s/relation)42 (0.306s/relation)

43 (0.306s/relation)

44 (0.306s/relation)

45 (0.306s/relation)46 (0.303s/relation)47 (0.297s/relation)

48 (0.300s/relation)49 (0.298s/relation)

50 (0.294s/relation)

51 (0.292s/relation)

52 (0.296s/relation)

53 (0.300s/relation)54 (0.295s/relation)55 (0.292s/relation)

56 (0.304s/relation)

57 (0.305s/relation)

58 (0.317s/relation)

59 (0.317s/relation)

60 (0.317s/relation)

61 (0.319s/relation)

62 (0.320s/relation)63 (0.316s/relation)64 (0.313s/relation)

65 (0.313s/relation)

66 (0.313s/relation)

67 (0.312s/relation)

68 (0.316s/relation)

69 (0.316s/relation)70 (0.311s/relation)

71 (0.326s/relation)72 (0.321s/relation)

73 (0.322s/relation)

74 (0.325s/relation)

75 (0.327s/relation)

76 (0.329s/relation)77 (0.327s/relation)

78 (0.324s/relation)

79 (0.326s/relation)

80 (0.327s/relation)

81 (0.329s/relation)

82 (0.331s/relation)

83 (0.332s/relation)

84 (0.331s/relation)85 (0.329s/relation)86 (0.326s/relation)

87 (0.324s/relation)

88 (0.330s/relation)

89 (0.333s/relation)90 (0.330s/relation)

91 (0.338s/relation)

92 (0.343s/relation)

93 (0.342s/relation)

94 (0.341s/relation)

95 (0.345s/relation)96 (0.342s/relation)97 (0.339s/relation)

98 (0.338s/relation)99 (0.336s/relation)

100 (0.335s/relation)101 (0.333s/relation)

102 (0.334s/relation)

103 (0.335s/relation)

104 (0.337s/relation)

105 (0.339s/relation)

106 (0.339s/relation)

107 (0.338s/relation)108 (0.335s/relation)109 (0.333s/relation)

110 (0.332s/relation)

111 (0.335s/relation)

112 (0.345s/relation)

113 (0.344s/relation)114 (0.342s/relation)

115 (0.341s/relation)

116 (0.341s/relation)

117 (0.340s/relation)

118 (0.349s/relation)

119 (0.353s/relation)

120 (0.365s/relation)121 (0.364s/relation)

122 (0.365s/relation)

123 (0.372s/relation)124 (0.370s/relation)

125 (0.371s/relation)126 (0.368s/relation)

127 (0.369s/relation)128 (0.366s/relation)129 (0.364s/relation)

130 (0.364s/relation)

131 (0.364s/relation)132 (0.363s/relation)

133 (0.361s/relation)134 (0.359s/relation)

135 (0.360s/relation)

136 (0.360s/relation)

137 (0.364s/relation)

138 (0.369s/relation)139 (0.367s/relation)

140 (0.375s/relation)

141 (0.376s/relation)

142 (0.390s/relation)143 (0.389s/relation)

144 (0.387s/relation)

145 (0.388s/relation)

146 (0.387s/relation)147 (0.385s/relation)

148 (0.390s/relation)149 (0.387s/relation)150 (0.386s/relation)

151 (0.385s/relation)

152 (0.386s/relation)

153 (0.385s/relation)154 (0.383s/relation)

155 (0.385s/relation)

156 (0.391s/relation)

157 (0.390s/relation)158 (0.389s/relation)

159 (0.389s/relation)

160 (0.388s/relation)

161 (0.391s/relation)

162 (0.395s/relation)163 (0.394s/relation)

164 (0.398s/relation)

165 (0.401s/relation)166 (0.399s/relation)

167 (0.398s/relation)168 (0.395s/relation)

169 (0.396s/relation)

170 (0.398s/relation)171 (0.397s/relation)

172 (0.399s/relation)

173 (0.399s/relation)174 (0.397s/relation)175 (0.395s/relation)

176 (0.395s/relation)177 (0.393s/relation)

178 (0.396s/relation)

179 (0.398s/relation)Found 179 relations in 71.33 s, attempting to solve system


174 174 177
CPU times: user 1min 13s, sys: 628 ms, total: 1min 13s
Wall time: 1min 14s
log_594094448555897090(1579477268926581873) = 1655887796368705526
