# Shanks' algorithm for discrete logarithms


This program was made for an assignment of the class ”Cryptography” of my master’s program:  
"Use Shanks algorithm to calculate the discrete logarithm $x$ inside $\mathbb{Z}_N=\mathbb{Z}_{1693}$, where $17^x \equiv 101 \, mod \, 1693$."

<u>**Shanks' algorithm**</u>  
$\cdot$ Input: A cyclic group $G=<g>$ with $|G|=n>1$ and $a \in G$  
$\cdot$ Output: $x=\log_g a$
1. Set $m= \lfloor \sqrt{n} \rfloor + 1$.
2. Calculate the elements of the set $B=\{(ag^{-r},r)/r=0,\dots,m-1\}$.  
   If we can find an index $r$, such that $r$ is the smallest integer of the the set $\{0, \dots, m-1\}$ with $ag^{-r}=1$, then $r=x$ is outputted.
3. If we cannot find such an $r$, then we compute $d=g^m$.
4. For $q=1,2,\dots$ we compute the powers $d^q$ until we find $d^q=ag^{-r}$, for some $r \in \{0, \dots, m-1\}$.
5. The integer $x=qm+r$ is returned.

Author: Florias Papadopoulos

## Importing modules

We start by importing the modules that we will use

In [1]:
import math
import itertools

## Defining the functions

#### (a) shanksAlgorithm

For this algorithm, we do not need any starter functions.  
As mentioned before, our goal is to find $x=\log_g a$, given a cyclic group $G=<g>$ with $|G|=n$ and $g^x \equiv a \, mod \, N$.  
Therefore, we will create a script that has as input the values $N, n, g, a$ and returns $x$, along with the other values that were computed in each step of the algorithm.

In [8]:
def shanksAlgorithm(N,n,g,a):

    #step1
    m = math.floor(math.sqrt(n))+1

    #step2
    B_list = []

    for r in range(0,m):
        g_inv = pow(g, -1, N)
        agr = a*((g_inv**r) % N) % N
        B_list.append(agr)

        if agr == 1:
            r_end = r
            return r_end ,0, 0, 0, 0, m, B_list

    #step3
    d = (g**m) % N

    for q in itertools.count(start=1):
        dq = (d**q) % N
        if dq in B_list:
            r = B_list.index(dq)
            x = q*m + r
            break
  
    return x, d, dq, q, r, m, B_list

## Solving the problem

We create a script that uses the above function to return us a text that elaborates on all the values that were computed in each step of the algorithm.  
In our problem $N=1693$, $n=1962$, $g=17$ and $a=101$.

In [13]:
N, n, g, a =1693, 1692, 17, 101

(discr_log, d_or_zero, dq_or_zero, q_or_zero, r_or_zero, m, B_list) = shanksAlgorithm(N,n,g,a)
print("The discrete logarithm that you were looking for is x=" + str(discr_log) + ".")
print("In step 1, we found m=" + str(m) + ".")
print("In step 2, we calculated the set B=", B_list)
if q_or_zero == 0:
    print("Calculating a*(g**-r), for r=0,1,...,m-1 we found the discrete log when r=" + str(discr_log) + ".")
else:
    print("We didn't find any r such that a*(g**-r) = 1.")
    print("In step 3, we calculated d=g**m=" + str(d_or_zero) + ".")
    print("In step 4, we calculated d**q for q=1,2,... until we found q=" + str(q_or_zero) + " with d**q=" + str(dq_or_zero) \
          + " which is equal to a*(g**-r) for r=" + str(r_or_zero) + ".")
    print("In step 5, we found the discrete logarithm x=q*m+r=" + str(discr_log) + ".")

The discrete logarithm that you were looking for is x=1060.
In step 1, we found m=42.
In step 2, we calculated the set B= [101, 1201, 469, 1621, 1390, 1476, 286, 216, 909, 651, 835, 1045, 659, 1433, 881, 251, 1409, 780, 743, 940, 852, 1046, 1157, 566, 830, 248, 1608, 1688, 896, 949, 255, 15, 698, 539, 928, 1648, 1292, 76, 602, 135, 1203, 1465]
We didn't find any r such that a*(g**-r) = 1.
In step 3, we calculated d=g**m=89.
In step 4, we calculated d**q for q=1,2,... until we found q=25 with d**q=835 which is equal to a*(g**-r) for r=10.
In step 5, we found the discrete logarithm x=q*m+r=1060.
