I need some insight for the following problem in ElGamal encryption procedure. It is stated that ElGamal problem in a group $\mathbb{Z}_p^*$ becomes easier in subgroups. Assume I have a subgroup of index 2. Can you explain how is easier the discrete logarithm problem in this case?
Asked
Active
Viewed 479 times
1 Answers
1
As an example, algorithms, such as baby step giant step with time and memory complexity $$T=M=O(\sqrt{N})$$ or Pollard's rho with time and memory complexity $$T=O(\sqrt{N}),\quad M=O(1)$$have complexities that depend on the size $N$ of the group over which the DL is defined.
So $N=\mathbb{Z}_p^{\ast}=p-1,$ while a subgroup of index 2 has size $N'=(p-1)/2$ and the complexity improves accordingly.
kodlu
- 25,146
- 2
- 30
- 63