AMS Contributed Paper Sessions: Combinatorics and Graph Theory, I
Y. Kim, Cycle-saturated graphs with minimum number of edges.
D. Pragel, Algebraic and Graph-Theoretic Properties of the Box Product of Two Paths.
A. Barghi, Firefighting on Random Geometric Graphs.
J. Ellis-Monaghan, Ribbon Graphs and Twisted Duality.
J. Fierson, Some graph theoretical results for the task mapping problem for parallel computers.
S. Raval, Complex Contagions on Graph Dynamical Systems.

Although I’m officially a number theorist (honest, it says so right there in the sidebar!) much of my thesis topic and subsequent work has been more concerned with graphs, and there was plenty of interest on offer here.

From a research perspective the box product construction particularly caught my attention: in the presented work, products of paths were considered, which yield grids that can be sliced vertically into copies of one factor, and horizontally into the other. This carries over into some nice structural properties of the adjacency matrix, and they were able to come up with a particularly neat characterisation of its determinant based on the length of the paths. The obvious next step would be to try something more complicated than paths, and I wonder if some candidates from my own studies of cyclotomic graphs might be suitable.

On the other hand, the firefighting problem is something I’d have no idea how to solve, but it seems like I could make an undergrad project out of it – or a web game! Given a graph, some vertices are specified as being on fire. Each round, firefighters may be placed at any vertices that aren’t on fire, then the fire spreads to any neighbouring vertices that haven’t been protected in this way. On an infinite graph, the question is whether such a fire can be contained or could burn indefinitely.

AMS Colloquium Lectures
A. Lubotzky, Expander graphs in pure and applied mathematics, I.

More in the graph-theory line: unfortunately I was only able to attend this, the first of a series of three talks by Alex Lubotzky on the subject, but at least I now know what expander graphs are and why I might care! The original motivation was practical: in designing a communications network (be it mobile phones or multicore processors) you want short routes between nodes for speed and reliability, but as few connections between nodes as possible to minimise cost. Expander graphs are those which (remarkably) manage to balance these opposing properties, but they also find application in a surprising range of abstract mathematical topics.

MAA Contributed Paper Sessions: Cryptology for Undergraduates
D. Cabarcas, Algebraic Cryptanalysis as a tool for teaching Cryptology.
D. Spickler, Cryptography Tools: A Teaching Tool for the Investigation of Classical Cryptography and Cryptanalysis. (Cryptography Tools)
C. Beaver, Group Signature Schemes: How to share a secret without telling it.
A. Li, Cryptography, a Great Topic for Undergraduate Mathematics Courses.
T. Feil, A Cryptology Course for the Non-Mathematician.
R. Talbert, A Brief Fly-Through of Cryptology for First-Semester Students using Active Learning and Common Technology.
R. Beezer, A first-year seminar in cryptology. (slides).
S. Boersma, Student Codebooks: An in-depth writing assignment.
K. Smith, Codes in History, the Arts, and Literature.
K. Meyer, Making Cryptography Come Alive.
M. May, Using Cryptography to Show Students that Math is Everywhere.

This session was one of my reasons for making the long trip, and was definitely worth it. Based on the enthuiasm of the speakers, the feedback they’ve received from their students, and the sheer number of people who turned up for this session, I think it’s safe to say that cryptography is definitely worth offering in the undergraduate syllabus. The American undergraduate experience is rather different to the English one I had, or the Scottish one I tutored for, and in particular there’s a need for mathematics courses for non-mathematics students. Several speakers were able to provide a cryptology course for such an audience, as the mathematical prerequisites can be made fairly modest and supplemented by the history of the subject, or its relevance today to topics like privacy and security online. One even managed to assess it through written projects, despite the protests of the more mathematically inclined students! The consensus seems to be that if you’re going to teach such a course, your starting point should be Cryptography by Trappe and Washington, and -despite my love of the discrete log problem – it’s probably best to stick to symmetric crypto and a bit of RSA. Various speakers had developed software to remove some of the computational grind (such as crypto tools, linked above), but the coolest contribution was probably instructions (PDF) on how to make an Enigma machine out of a pringles can!

AMS-SIAM Special Session on Mathematics of Computation: Algebra and Number Theory, I & II
M. O’Sullivan, The sum-product algorithm for binary codes having check nodes of degree two.
D. Harm, Complexity of the Graph Isomorphism Problem.
N. Boston, Combining Group Theory and Number Theory Computations.
M. Jacobson, Class Group and Regulator Computation in Quadratic Fields.
A. Sutherland, Genus 1 point counting in quadratic space and essentially quartic time.
A. Silverberg, Finding the rational points on a certain genus 12 curve.
R. Scheidler, Efficient Divisor Reduction on Hyperelliptic Curves.
D. Moulton, Finding small sets whose subset sums include a given set.
J. Silverman, Lehmer’s Conjecture and points on elliptic curves that are congruent to torsion points.
C. Smyth, Minimal polynomials of algebraic numbers with rational parameters.
K. Hare, Pisot and Salem polynomials dividing Newman polynomials.

This session was the other reason for my attendance – Mahler measure is quite a niche topic, so with two talks on the agenda here I felt I should turn up, but they weren’t the only draw. If you dig deep enough in this blog, you’ll find that I spent the start of my PhD thinking about point counting problems and hyperelliptic curve arithmetic, which both featured here. A particular highlight was Andrew Sutherland’s talk, which presented improvements to SEA which have led to a substantially larger record for point counting on elliptic curves.

MAA Session on New and Continuing Connections between Math and the Arts, I

Fractal Tree No. 3 by R. Fathauer

`Mathematical Art’ usually conjures up images of fractals, but there’s a lot more to it than that and several themes emerged from this session and the attached exhibition.

The Alhambra in Spain gets another bump up my list of potential mathematical tourism sites: although it seems that debate continues over whether all seventeen wallpaper tilings can be found there, it seems to have the best (and best known) collection. But other talks mentioned their appearance in everything from Tibetan sand mandalas to Norwegian rosemaling. I discovered that there’s such a thing as ethnomathematics, which aims to go beyond cataloguing such connections between mathematics and culture and attempt to explain them.

Also finding its way to the travel list is the Museum of Mathematics, although I’ll have to wait a bit as it doesn’t exist yet… hopefully it’ll open in 2012. Rather than focus on dry historical exhibits, their vision is for installation pieces like a race circuit for square-wheel tricycles, large geometric sculptures, and interactive digital art. The target audience might be schoolkids, but I suspect I’d walk around with a big smile on my face too!

Another exciting project I was oblivious to is the Bridges series of conferences on connections between maths and art: these combine invited talks and papers (with peer-reviewed proceedings) with hands-on activities, an art exhibition, film screenings, all in a location chosen to inspire! The next one is at the University of Coimbra, Portugal, in July.

AMS Special Session on Self-Organization in Human, Biological, and Artificial Systems, II
R. Niemeyer, Graphs, Dynamical Systems, Fractals: A Heuristic Framework for Modeling the Structure and Dynamics of Complex Interactions Across Multiple levels of Analysis.
L. Smith, An Agent-Based Approach to Modeling Gang Rivalries.

Although it’s a long way from my research activities, emergent systems is one of the topics that first steered me towards mathematics and computer science. So with a spare hour to fill, I decided to indulge an old interest by sampling a couple of talks from this session. Laura Smith’s was particularly intriguing: based partly on geographic constraints, her team of mathematicians and criminologists was able to build a model of the (violent) interactions of LA’s numerous gangs. The hope is that such a model would be accurate enough to predict where best to focus police efforts to reduce conflict, although because I’ve been watching too much Castle lately I found myself dreaming up scenarios of mathematically-savvy gang bosses using optimization theory to maximise their territory instead…

MAA Invited Addresses
M. Matchett Wood, Binary quadratic forms: From Gauss to algebraic geometry
R. Bell, Lessons from the Netflix Prize

Melanie Matchett Wood’s talk was in the rare category of those from which I felt I’d gained some insight into abstract algebra. Whilst modern terminology is probably the best working language, I think there’s a lot to be said for tracing the historical roots of a topic, rather than simply overwriting it with what can be opaque notation. Gauss may have essentially being doing group theory, but he didn’t know that, and the motivation and inspiration is perhaps easier to understand without that abstraction.

The Netflix prize offered US$1million for a 10% improvement to their film recommendation algorithm. That might seem a lot easier than other million dollar prize problems, compared to the ferociously difficult millenium problems, for instance. But it also meant a lot more viable competition, especially as when Robert Bell’s team hit the required 10%, they didn’t simply win but triggered a 30 day endgame which saw alliances form and the leadership change hands repeatedly: in the end, “BellKor’s Pragmatic Chaos” triumphed by just a fraction of a percent and a twenty minute earlier submission time than their closest rivals. His talk captured this drama, entertained with some of the sub-problems encountered (Why is it so hard to tell who’ll like Napoleon Dynamite? What happens if a user gets a girlfriend? and just who has the time to rate 99% of the netflix database?), and also described plenty of the mathematics behind their algorithm. There’s a documentary film in there somewhere…

AMS-MAA-SIAM Gerald and Judith Porter Public Lecture and Special Film Presentation
R. Lang, From flapping birds to space telescopes: The mathematics of origami.
Film: Between the Folds.

…which leads me neatly to the final events. Robert Lang seems to have been central to the revolution in Origami caused by the mathematisation of the discipline. The ability to algorithmically create folding patterns of stick-figure skeletons has pushed forward the level of detail that can be achieved with a single sheet; but as with other media, the possibility of greater realism has led also to a reaction in the form of abstract works, from mathematically-inspired patterns to ‘single crease’ sculptures. But it’s not just about art: origami folding lends itself to the design of airbags and heart stents, or to the problem of getting large structures into space.

All of which appears in the film Between the Folds, that I’m going to recommend regardless of the contents of your netflix queue. Here’s the trailer:

So all in all I had an excellent time at the JMM; I’m certainly planning to attend the next one, which it seems will be held in Boston even earlier in January. Hopefully I’ll be able to give a talk too- the question is, in which session?

• A brief overview of public-key cryptography: my notes from last year’s talk cover technical details in the context of (EC)DLP, or there’s this friendlier article on Diffie-Hellman key exchange and man-in-the-middle attacks.
• The problems of Authentication and Mutual Authentication at a protocol level.
• The undecidability of the secrecy problem via Post’s Correspondence Problem.
• Lattice-based cryptography- which hopefully I can summarise in a later post.

Mathematical study is often thought of as ‘purer’ than scientific research- instead of labs full of chemicals, fruit flies or lasers, our work could in theory proceed with nothing more than a chalkboard; rather than believing theories through weight of evidence and an absence of counterexamples, we prove theorems as undeniable consequences of our base assumptions.

But theorems rarely spring into our minds fully formed, simply awaiting proof. Instead mathematical research can often mimic the scientific method- experimenting with ideas, following promising leads, looking for tests that would break or support hunches, until they look convincing enough to attempt a proof.

This has very much been the nature of my work over the past few months- and although the actual proofs have mostly been worked out by pen and paper, with supporting calculations on a MacBook laptop, the exploratory phase requires something rather more powerful. One of the perks of being a University of Edinburgh researcher is access to the ECDF – a cluster of over 1400 processors, as illustrated above. Provided a problem can be split up into many independent sub-problems, such a resource can offer staggering reductions in computation time, by farming them out to multiple machines and running them in parallel.

For instance, I usually wish to generate very, very long lists of matrices and test them for a certain property, keeping only the much smaller subset of those with the property. A typical calculation of this type might take five days on my little Mac, assuming it doesn’t simply run out of memory in the process. But by splitting it into ten smaller calculations (each exploring a subset of the matrices), I can have the answer from the grid in 12 hours- or, splitting to 20 jobs, I can load it up overnight, and collect the answer the next morning just in time for a supervisor meeting!

Of course, a twenty-fold reduction in calculation time only hints at the power of the cluster; another 70 users could also get such a job done that night. Running all-out on a single task, ECDF could complete four years worth of calculation in a day!

Not all researchers have access to systems like Eddie, but there is one network almost everyone has access to- the internet. The idea of harnessing the power of idle home computers is nothing new: over ten years ago, I was contributing spare cycles of my (then powerful) Pentium 200 to a distributed.net project that succeeded in demonstrating the insecurity of 56-bit encryption keys, which at the time was the maximum allowed by the US government in software exports. Other famous distributed efforts include the alien-seeking SETI and the biological research project folding@home.

The potential for highly parallelised computing has surged as processor counts have grown and always-on internet connectivity becomes increasingly ubiquitous. Modern PCs often have multiple processor cores (and many homes have multiple PCs), and there has been work on exploiting highly powerful (yet specialised) graphics card technology for general purpose computation too: you can even contribute to folding@home with a PlayStation3!

However, except for a few long-range ‘big ticket’ schemes such as the ones I’ve mentioned, setting up, managing and publicising your own distributed computing project might be more daunting than solving your original problem! Fortunately, there is an increasing range of ways to connect researchers to resources. At ANTS (in connection with another cryptographic challenge) I learnt of BOINC, a general platform that has grown out of SETI: you can submit a project to the volunteer community, or manage a grid within your own organisation. All modern Apple computers include the Xgrid feature, allowing again for local grid computing with your own machines or harnessing donated cycles through the openmacgrid project. Recently, Fedora Nightlife was announced, to create a community grid from machines running the popular linux distribution.

There are limitations, of course. Not all calculations fall in to the ‘embarassingly parallel’ category that lends itself so well to distributed computing. There are also concerns about the other costs of such schemes – home PCs are not necessarily cut out for 24/7 running, and those that are will probably add a bit to their owner’s power bill. However, Bryan’s blog makes a good case for the environmental merits of distributed computing over data centres, assuming that the calculations are worthwhile and thus going to be done somewhere anyway – a claim that is perhaps easier to defend for cancer studies than the search for alien signals. Or you can think of it as a very direct form of charity in support of science- donating some electricity, processing power and wear-and-tear rather than cash. So, if like me your home features more computers than people, why not devote some of their time to volunteer computing?

The topics covered are: Diffie-Hellman and one-way functions for key exchange; the generic Discrete Logarithm Problem and BSGS algorithm; scalar multiplication- addition chains, fast exponentiation, m-ary methods and windowing; group law implementations, Side-channel attacks and the Edwards form.

I’ve discussed several of these ideas elsewhere on this blog, as well as the cryptanalysis ideas I mentioned on the day but which are not in the notes. I also refered to a recent real-world example of a side-channel attack; see this story from The Register for details.

For centuries, cryptography – literally, `secret writing’ – has been used to securely send and receive messages. But although the sophistication of these systems increased, the core idea remained the same: combining a secret encryption rule with the plaintext message yields a ciphertext, from which the message is recovered by a corresponding decryption rule. Thus the secrecy of messages depended on preserving the secrecy of the cryptographic system (or at least certain parameters).

While this might be feasible for governments or armies, it leads to a fatal flaw when trying to communicate securely with a stranger, a task that underpins the millions of ecommerce transactions that take place every day, for instance. To share secrets, you must first share a secret, the particulars of the cryptographic system you wish to protect the message with. This presents a seemingly impossible hurdle: how can you share that first secret with a previously-uncontacted individual, if any instructions you give will also be available to your adversaries?

Public Key encryption is the solution to this problem; to get a feel for how this is achieved, we’ll consider a non-mathematical formulation in terms of mixing paint, before abstracting to the properties that make it work.

Secret Sharing with Paint

Suppose, then, that our protagonists, Alice and Bob, wish to share a secret: but all their communication is intercepted by an eavesdropper, Eve. How can Alice and Bob arrive at a colour without Eve also knowing it?

Alice and Bob are assumed to know a public base colour- and there’s no problem with Eve knowing this too. They then choose a private colour of their own, and combine some of that with the base colour to create a public mix. They can then send these mixtures to each other: Eve sees both public colours, but (since it’s a lot harder to unmix paint), has no idea what private colours were used to produce them.

Having received each others’ mix, Alice and Bob can then mix in their own private colour again, to produce a blend of three colours. But, each of them will have the same colour, since the order in which we mix paint is irrelevant. Eve, however, has no idea what this new mixture looks like.

The following table summarises who sees what, for a particular set of chosen private colours.

Useful Properties

What are the key ideas that make the example above work? and how can we mimic them mathematically?

Unmixing is necessary…

No combination of the colours Eve has seen will mix to give the fetching shade of mustard yellow that Alice and Bob know. Since they had to agree on the procedure, Eve would be able to recreate the desired shade if she knew either of the private colours, since then she could mix it with the corresponding public colour just like Alice and Bob. Unfortunately, the private colours are never disclosed, only their combination with the base colour. So Eve must analyse the public colours in the hope of extracting a private colour.

…but unmixing is hard!

Without an encyclopaedic knowledge of all combinations of paint, Eve cannot know what private colours have been used to generate the public ones. So her only apparent option is to keep trying candidates, mixing each of them with the base coat until she arrives at one of the public colours by sheer luck. This brute force approach will obviously take a very long time!

Fortunately, Alice and Bob don’t need to unmix.

For Alice and Bob, this is irrelevant- they’re only ever required to mix, which is much easier than unmixing. However, it’s vital that their two routes through the colours lead to the same result: that is, that Blue+Red+Green is the same as Blue+Green+Red.

Secret Sharing with Maths

This leads us in search of a ‘one-way function’: roughly speaking, a mathematical function with the property that it’s much more difficult to recover the inputs from the outputs (reverse the function) than it is to compute those outputs in the first place, thus satisfying the second property above. Moreover, we need a procedure by which Alice and Bob can make use of such functions to independently arrive at a mutual secret which cannot be obtained by Eve. To do so, we therefore require that the only way to deduce a shared secret is indeed to reverse the function (the first property). Finally, to make the whole thing work as described above, we require that two applications of the function can be performed in either order to give the same result. This is the third property, described mathematically as commutativity.

Unfortunately, no-one has been able to demonstrate a genuinely one-way function. Fortunately, there are a few candidates, for which even the best publically-known techniques for the reversal are painfully slow. But there remains a risk that someone, somewhere, will devise a smarter way to perform this mathematical unmixing, rendering the function useless for cryptographic application.

A candidate One-Way Function: Modular Exponentiation

For a number x, we say x is congruent to y modulo N (written x=y mod N) if y is the remainder after dividing x by N. This might seem a strange idea, but it’s something we do every day: a clock face works “mod 12″, so that if you add 6 to 7 you get 1, as 13 = 12*1 +1 = 1 mod 12.

So, for a fixed base g and modulus N (our equivalent of the base colour), we can compute the modular exponent of any x, defined as g^x mod N (that is, multiply g by itselfx times, subtracting lots of N until the answer is at most N-1).

For instance, with a base of 2 and a modulus of 11, the modular exponent of x=6 is 2⁶ mod 11. Working that out, we get 2*2*2*2*2*2 mod 11 = 64 mod 11 = 9 mod 11 since 64 = 5*11 +9.

The possibly surprising (but desired) result is that going backwards- that is, given y, finding x such that g^x mod N =y mod N – is apparently hard for decently-sized N. This reversal is known as the Discrete Logarithm Problem, and generalises to some very abstract mathematical objects, known as finite groups, with varying difficulty.

For our example function, with N=2¹⁰²⁴+643 and assuming a computer capable of a billion tests per second, naively trying each possible private key in turn can take up to a staggering 3, 671743, 063000, 000000, 000000, 000000, 000000, 000000, 000000, 000000, 000000 years to match with a public key. This is significantly longer than the life of the universe so far – some 13700000000 years – and definitely longer than anyone is prepared to wait. Of course, there are smarter ways to try keys- and finding yet smarter ones for a given DLP is a very active area of research- but for such values of N none of the publically known ones fall within feasible time scales.

Further, we have the commutativity property we required: working out (g^a)^b is the same as (g^b)^a. So we should be able to share secret numbers via modular exponentiation just as we were able to share secret colours with paint mixing. This process is known as Diffie-Hellman Key Exchange.

Diffie-Hellman Key Exchange

• Alice and Bob agree (in public) on a modulus N and a base g (the public base colour)
• Each chooses a private key between 1 and N-1; a and b respectively (their private colour)
• They each construct a public key by computing A=g^a mod N and B=g^b mod N (mixing private with base)
• These can be safely exchanged, as it’s hard to get back a or b from the public keys A and B (unmixing hard)
• Each then performs another modular exponentiation on the public key received:
  • Alice computes B^a mod N = (g^b)^a mod N = (g^ab) mod N = S mod N for some S between 0 and N-1.
  • Bob computes A^b mod N = (g^a)^b mod N = (g^ab) mod N = S mod N, the same S.

Hence (assuming N is chosen for the DLP to be sufficiently hard) Alice and Bob know a secret,S, which Eve does not.

Man-in-the-Middle Attacks

But is Diffie-Hellman truly secure? If we alter the ‘intruder power’, replacing our eavesdropper Eve with a more powerful character, the malicious Mallory, then we can construct a scenario in which Alice and Bob think they share a secret with each other, but instead share one with Mallory.

To achieve this, Mallory must be able to not just listen in on messages, but replace them with messages of his own. Given that power, he can pick a private key of his own, m, and generate the corresponding public key M, since the choice of g and N must be made in the clear.

Then, when Alice attempts to retrieve Bob’s public key B, Mallory instead supplies her with M, keeping A; and when Bob asks for Alice’s key A, revealing B, he is given M as well. Alice then computes S=M^a mod N, but Mallory has seen A and thus can compute S as A^m mod N; Bob meanwhile computes T=M^{b mod N} which is also known to Mallory, being B^m mod N.

Thus, if Alice the tries to use a classical encryption system depending on the secrecy of S, then Mallory will be able to decode the ciphertext. Even more cleverly, he can re-encrypt it using T and forward it to Bob- who can decrypt it with the secret he thinks he shares with Alice, T. Thus no suspicion is raised, yet Mallory has also read the message, without ever having to reverse the one-way function.

Fortunately, this attack depends on near-total control of Alice and Bob’s communication. If Alice ever looks up Bob’s public key without Mallory intervening, then she’ll notice that it’s B, not M. Or, if she sends Bob a message encrypted with S that Mallory doesn’t intercept and repack, Bob will recieve a message that cannot be decrypted with the key he has, T: and knows that the Diffie-Hellman key exchange must have been compromised.

Conclusions

Identifying and preventing such attacks is part of cryptanalysis, and even with perfect cryptography, forms a vital part of designing secure communication systems. Since we don’t yet have a provably one-way function, cryptography itself remains an active field of mathematical research, drawing on a range of topics from both pure and applied areas to assess the difficulty of functions. Together, these two fields are known as cryptology; a subject which is becoming increasingly vital as computers and communication systems work themselves further into our everyday lives.

Discrete Logarithm Problem (DLP)
Let G be a cyclic group, with operation ⊕. Let [n] represent (n-1)-fold application of ⊕ i.e., [2]g=g⊕g, [3]g=g⊕g⊕g etc.

Given g,h from G, the discrete logarithm problem is to find t such that [t]g=h.

The baby-step, giant step (BSGS) algorithm is a generic algorithm for solving the DLP- that is to say, it makes no appeal to properties of the group involved, merely calculating abstractly with ⊕. There is a theoretical upper bound to the effectiveness of generic algorithms, and BSGS approaches are of that order of magnitude.

The simplest demonstration of BSGS (the original by Shanks) assumes that g generates G, with both of known order n: recall that the group order is simply the number of elements it contains, whereas the order of an element g is the least n such that [n]g=id_G, should such a value exist. The order n of an element always divides the order of the group N, with equality when g generates G. Between the two there is also the exponent, the least value e such that [e]g=id_G for all g in G; for cyclic groups this is N, but for products of cyclic groups (the structure of groups of rational points) it is the lowest common multiple of their respective orders, and thus, although a divisor of N, may be significantly smaller than it.

So, if we can find an order m rational point on a curve, we know that the cardinality of the group of rational points is zero modulo m. By testing random points and taking the lowest common multiple of their order we can usually find the exponent e of the group. With luck, but not always, this will be large enough that when combined with bounds on the cardinality the latter is established exactly (as with modular information in the SEA algorithm).

But it is no good attempting to do so using an algorithm that requires the order of the point! There are BSGS algorithms for the DLP which can handle unknown order, for a given g we can apply these to solve for h=id_G in the cyclic group generated by g. Provided the algorithm gives the minimal t such that [t]g=h=id_G in G=<g>, then t is the order of g.

One such algorithm, by Terr, is given in Cohen and Frey’s Handbook of Elliptic and Hyperelliptic curve cryptography (my current bible!) It relies on the following observation:

Let T_n be the nth triangular number: that is, defined by the recursion T₁=0, T_n+1=T_n+n.

Then any non-negative integer t, there are unique integers j and k with t=T_j+1-k with 0≤k<j.

To see how, notice that there is a unique j such that t lies in the interval (T_j , … , T_j+1]=(T_j+1-j , … , T_j+1-0] and that this interval has width j so there is an appropriate choice of k.

We then suppose that t satisfies [t]g=h. Then we have [T_j+1]g=h⊕[k]g. So, instead of testing each [t] in turn until we hit equality, for a given j we need only test the ‘giant step’ [T_j+1]g against the set of ‘baby steps’ β={β_i}={h⊕[0]g,…,h⊕[i]g,…,h⊕[j-1]g. If that j yields no matches, we move to j’=j+1: by keeping track of [j]g at each iteration, the new T_j’+1 and the extra h⊕[j'-1]g are found by a single group operation each. Hence this is attractive from both storage and time complexity perspectives: we need only record the baby steps β, [j]g and a single giant step at any given iteration j, whilst the time complexity is of order t^1/2.

Terr’s BSGS variant for the DLP
Finds t such that [t]g=h for g generating G of unknown order, h from G.

Initialise β={β₀=h}, γ=δ=id_G, j=0. ((For each iteration, we have γ=[T_j+1]g and δ=[j]g)
Then loop over j as follows:

• Increment j by 1, then update:
• Set δ=δ⊕g=[j-1]g⊕g=[j]g.
• Set γ=γ⊕δ=[T_j]g+[j]g=[T_j+1]g.
• If j≥2 then
  • For s from 0 to j, if γ=β_s then return T_j+1-s
• Add β_j=β_j-1⊕g to β

I’ve implemented this generic DLP algorithm and an order-finding version (which requires you to catch g=id_G) as Maple procedures for arbitrary groups- details on that will be in the next post! BSGS-based approaches become impractical at finite field sizes well within the grasp of SEA for counting on elliptic curves; but are of interest in the higher genus case which lacks an Elkies procedure.