Bug in `discrete_log(...,bounds=(1,p.isqrt()))`
44 views
Skip to first unread message
Georgi Guninski
Jun 30, 2024, 11:10:34 AMJun 30
to sage-...@googlegroups.com
I think this is bug:
p=2**61-1;Kp=GF(p);g=Kp(3);X=p//3;a=g**X
dl=discrete_log(a,g,bounds=(1,p.isqrt()),algorithm="lambda",operation="*")
dl2=discrete_log(a,g,bounds=(1,p),algorithm="lambda",operation="*")
(g**dl==a,g**dl2==a)
#(False, True)
p=2**61-1;Kp=GF(p);g=Kp(3);X=p//3;a=g**X
dl=discrete_log(a,g,bounds=(1,p.isqrt()),algorithm="lambda",operation="*")
dl2=discrete_log(a,g,bounds=(1,p),algorithm="lambda",operation="*")
(g**dl==a,g**dl2==a)
#(False, True)
Gareth Ma
Jun 30, 2024, 11:29:47 AMJun 30
to sage-...@googlegroups.com
I think so too. Here's a more minimal version (note a == 1 in your example):
p = 31
g = GF(31)(3)
discrete_log(1, g, bounds=(1, 6), algorithm="lambda", operation="*")
# 6
g^6
# 16
It seems there's some serious bugs going on, as the return value isn't in the
bounds:
K = GF(2^61 - 1)
d = discrete_log(K(1), K(3), bounds=(1,2^30), algorithm="lambda", operation="*")
d <= 2^30
# False
Instead, the algorithm should error out, since number theory shows there's no
non-zero (mod 2^61 - 2) solution to 3^a = 1 mod (2^61 - 1)
p = 31
g = GF(31)(3)
discrete_log(1, g, bounds=(1, 6), algorithm="lambda", operation="*")
# 6
g^6
# 16
It seems there's some serious bugs going on, as the return value isn't in the
bounds:
K = GF(2^61 - 1)
d = discrete_log(K(1), K(3), bounds=(1,2^30), algorithm="lambda", operation="*")
d <= 2^30
# False
Instead, the algorithm should error out, since number theory shows there's no
non-zero (mod 2^61 - 2) solution to 3^a = 1 mod (2^61 - 1)
Georgi Guninski
Jun 30, 2024, 11:51:56 AMJun 30
to sage-...@googlegroups.com
> Instead, the algorithm should error out, since number theory shows there's no
> non-zero (mod 2^61 - 2) solution to 3^a = 1 mod (2^61 - 1)
Why do you reduce (mod p-1)?
> non-zero (mod 2^61 - 2) solution to 3^a = 1 mod (2^61 - 1)
(p-1) is valid integer solution by Euler's theorem.
Georgi Guninski
Jun 30, 2024, 12:09:48 PMJun 30
to sage-...@googlegroups.com
I think the problem is abusing the factorization of the group order
and later doing CRT.
The following code correctly raises exception:
dl3=discrete_log_lambda(a,g,bounds=(1,p.isqrt()))
ValueError: Pollard Lambda failed to find a log
and later doing CRT.
The following code correctly raises exception:
dl3=discrete_log_lambda(a,g,bounds=(1,p.isqrt()))
ValueError: Pollard Lambda failed to find a log
dmo...@deductivepress.ca
Jun 30, 2024, 12:14:27 PMJun 30
to sage-devel
I opened an issue at github #38316. Let's continue the discussion there.
Georgi Guninski
Jun 30, 2024, 1:32:11 PMJun 30
to sage-...@googlegroups.com
I don't want to log to github, but the expected behavior of raising
exception if there is no solution in the bound is entirely correct
despite the doubtful comment.
The running times of some of the algorithms heavily depend on the
bounds and it is significantly faster if the bound is small.
> --
> You received this message because you are subscribed to the Google Groups "sage-devel" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to sage-devel+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/sage-devel/cd319d22-e0ac-45fe-963e-5d6e481615f9n%40googlegroups.com.
exception if there is no solution in the bound is entirely correct
despite the doubtful comment.
The running times of some of the algorithms heavily depend on the
bounds and it is significantly faster if the bound is small.
> You received this message because you are subscribed to the Google Groups "sage-devel" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to sage-devel+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/sage-devel/cd319d22-e0ac-45fe-963e-5d6e481615f9n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages