I need some insight for the following problem in ElGamal encryption procedure. It is stated that ElGamal problem in a group $\mathbb{Z}_p^*$ becomes easier in subgroups. Assume I have a subgroup of index 2. Can you explain how is easier the discrete logarithm problem in this case?
Asked
Active
Viewed 463 times
1 Answers
1
As an example, algorithms, such as baby step giant step with time and memory complexity $$T=M=O(\sqrt{N})$$ or Pollard's rho with time and memory complexity $$T=O(\sqrt{N}),\quad M=O(1)$$have complexities that depend on the size $N$ of the group over which the DL is defined.
So $N=\mathbb{Z}_p^{\ast}=p-1,$ while a subgroup of index 2 has size $N'=(p-1)/2$ and the complexity improves accordingly.
kodlu
- 22,423
- 2
- 27
- 57
-
Complexity is only improving by a constant, is that so bad? – user1868607 Oct 31 '16 at 08:42
-
The subgroup used in El Gamal can have a much higher index, i.e., be much smaller. – kodlu Oct 31 '16 at 09:29