# Shanks' baby-step giant-step

* [Alef Pinto Keuffer](https://github.com/Alef-Keuffer), a91683
* [Beatriz Fernandes Oliveira](https://github.com/BeatrizOliveira16), a91640
* [Catarina Martins Sá Quintas](https://github.com/CatarinaQuintas), a91650



## Baby-step giant-step algorithm for computing discrete logarithms

As described (slightly paraphrased) at [[1]](#menezes)<a name="menezes-a"></a>:

> Let $m = ⌈\sqrt{n}⌉$, where $n$ is the order of $α$. The baby-step giant-step algorithm is a time-memory trade-off of the method of exhaustive search and is based on the following observation. If $β = α^x$, then one can write $x = im+j$, where $0 ≤ i,j < m$. Hence, $α^x$ = $α^{im}α^j$, which implies $β(α^{−m})^i = α^j$. This suggests the following algorithm for computing $x$.
>
> ---
>
> __INPUT__: a generator $α$ of a cyclic group $G$ of order $n$, and an element $β ∈ G$.
>
> __OUTPUT__: the discrete logarithm $x = \log_αβ$.
>
> 1. Set $m ← ⌈\sqrt{n}⌉$.
> 2. Construct a table with entries $(j,α^j)$ for $0≤j<m$. Sort this table by second component. (Alternatively, use conventional hashing on the second component to store the entries in a hash table; placing an entry, and searching for an entry in the table takes constant time.)
> 3. Compute $α^{−m}$ and set $γ←β$.
> 4. For $i$ from $0$ to $m − 1$ do the following:
>     <ol>
>     <li>Check if $γ$ is the second component of some entry in the table.</li>
>     <li>If $γ = α^j$ then return $(x = im + j)$.</li>
>     <li>Set $γ ← γ · α^{−m}$.</li>
>     </ol>
>
> ---

The above description gives us the following python implementation:



In [25]:
def shanks_baby_step_giant_step(a,b,n):
    """
    Implements baby-step giant-step algorithm for computing discrete logarithms as described at
    A. J. Menezes, S. A. Vanstone, and P. C. Van Oorschot, Handbook of applied cryptography, 5th ed. CRC Press, 2001. p. 105.

    Parameters:
    a,b ∈ G where G is a multiplicative group
    n is the order of G

    Returns: log_a(b)

    Complexity:
    Under the assumption that a group multiplication takes no more time than lg n comparisons,
    the running time is O(√n).

    Requires storage for O(√n) group elements.
    """
    m = ceil(sqrt(n))
    table = {a^j:j for j in range(0,m)}
    y = b
    for i in range(0,m):
        if y in table:
            return i*m + table[y]
        y *= a^(-m)

### Examples

#### With multiplicative groups $ℤ_p^*$

In [31]:
from sage.misc.html import MathJax
mj = MathJax()
from IPython.display import display, Math
from random import randrange

In [30]:
n = 113
Zn = IntegerModRing(n)
α = Zn(3)
β = Zn(57)
log_αβ = shanks_baby_step_giant_step(α,β,Zn.unit_group().order())
display(Math(rf"\left({α = },{β = },G = Z_{{{n}}}^*\right):\quad \log_{{{α}}}{β} = {log_αβ}"))

<IPython.core.display.Math object>

In [62]:
def generate_example(max_prime=10000):
    n = random_prime(max_prime)
    Zn = IntegerModRing(n)
    α = Zn.multiplicative_generator()
    β = Zn(randrange(1,n))
    log_αβ = shanks_baby_step_giant_step(α,β,Zn.unit_group().order())
    display(Math(rf"\left({α = },{β = },G = Z_{{{n}}}^*\right):\quad \log_{{{α}}}{β} = {log_αβ} ⟺ {α}^{{{log_αβ}}} = {β}"))

In [63]:
generate_example()

<IPython.core.display.Math object>

In [49]:
generate_example()

<IPython.core.display.Math object>

# References

<a name="menezes"></a>[1] A. J. Menezes, S. A. Vanstone, and P. C. Van Oorschot, Handbook of applied cryptography, 5th ed. CRC Press, 2001. p. 105. [ᵃ](#menezes-a)