an:03882551
Zbl 0554.12012
Brickell, E. F.; Moore, J. H.
Some remarks on the Herlestam-Johannesson algorithm for computing logarithms over \(GF(2^p)\)
EN
Advances in cryptology, Proc. Workshop, Santa Barbara/Calif. 1982, 15-19 (1983).
1983
a
11T06 94B35 68Q25
cryptosystem; logarithms over finite fields; Hamming weight; cryptanalysis; Pohlig-Hellman algorithm
[For the entire collection see Zbl 0511.00040.]
Let \(t\) be a primitive element in \(GF(2^p)\) and let \(\alpha\) be expressed as \(\sum_{i=0}^{n-1} a_i t^i\), where \(a_i\) is 0 or 1. Define the Hamming weight, \(\mathrm{HWT}(\alpha)\), as the number of non-zero \(a_i\), and define \(\mathrm{MINHJ}(\alpha)\) as \(\min \mathrm{HWT}(\beta)\), where \(\beta\) belongs to the set \(t^{-2^r}\alpha^{2^s}\) \((0 \leq r, s \leq p-1)\). \textit{T. Herlestam} and \textit{R. Johannesson} [BIT 21, 326-334 (1981; Zbl 0493.12023)], with a view to cryptanalysis of the Pohlig-Hellman algorithm [cf. \textit{S. C. Pohlig} and \textit{M. E. Hellman}, IEEE Trans. Inf. Theory IT-24, 106-110 (1978; Zbl 0375.68023)], proposed a heuristic method of finding logarithms over \(GF(2^p)\) that took fewer steps in practice than one would expect if \(\mathrm{HWT}(\alpha)\) and \(\mathrm{MINHJ}(\alpha)\) were independent.
In the present paper, to test this hypothesis of independence, the authors compute the probability that \(\mathrm{MINHJ}(\alpha)=1\), given that \(\mathrm{HWT}(\alpha)=i\), for various polynomials that implement \(GF(2^{31})\). Only for some polynomials does the assumption of independence appear to be supported. They report also that the assumption that the probability that \(\mathrm{MINHJ}(\alpha)=j\) depends only on \(\mathrm{HWT}(\alpha)\) is somewhat suspect.
H. J. Godwin
Zbl 0511.00040; Zbl 0493.12023; Zbl 0375.68023