Discrete logarithm
From Wikipedia, the free encyclopedia
In mathematics, specifically in abstract algebra and its applications, discrete logarithms are group-theoretic analogues of ordinary logarithms. The problem of computing discrete logarithms is a sort of sibling to the problem of integer factorization, in that both problems are difficult (no efficient algorithms are known for non-quantum computers), algorithms from one problem are often adapted to the other, and the difficulty of both problems has been exploited to construct various cryptographic (code) systems.
Contents |
[edit] Example
Discrete logarithms are perhaps simplest to understand in the group (Zp)×. This is the set of integers {1, …, p − 1} under multiplication modulo the prime p.
If we want to find the kth power of one of the numbers in this group, we can do so by finding its kth power as an integer and then finding the remainder after division by p. This process is called discrete exponentiation. For example, consider (Z17)×. To compute 34 in this group, we first compute 34 = 81, and then we divide 81 by 17, obtaining a remainder of 13. Thus 34 = 13 in the group (Z17)×.
Discrete logarithm is just the inverse operation: Given that 3k ≡ 13 (mod 17), what is the k that makes this true? Actually, there are infinitely many answers, due to the modular nature of the problem; we typically seek the least nonnegative answer, which is k = 4.
[edit] Definition
In general, let G be a finite cyclic group with n elements. We assume that the group is written multiplicatively. Let b be a generator of G; then every element g of G can be written in the form g = bk for some integer k. Furthermore, any two such integers representing g will be congruent modulo n. We can thus define a function
(where Zn denotes the ring of integers modulo n) by assigning to g the congruence class of k modulo n. This function is a group isomorphism, called the discrete logarithm to base b.
The familiar base change formula for ordinary logarithms remains valid: If c is another generator of G, then we have
[edit] Algorithms
No efficient algorithm for computing general discrete logarithms is known. The naive algorithm is to raise b to higher and higher powers k until the desired g is found; this is sometimes called trial multiplication. This algorithm requires running time linear in the size of the group G and thus exponential in the number of digits in the size of the group.
More sophisticated algorithms exist, usually inspired by similar algorithms for integer factorization. These algorithms run faster than the naive algorithm, but none of them runs in polynomial time.
- Baby-step giant-step (Also known as 'Little-Step Big-Step')
- Pollard's rho algorithm for logarithms
- Pohlig-Hellman algorithm
- Index calculus algorithm
- Number field sieve
- Function field sieve
[edit] Cryptography
Computing discrete logarithms is apparently difficult (no efficient algorithm is known), while the inverse problem of discrete exponentiation is not (it can be computed efficiently using exponentiation by squaring, for example). This asymmetry is analogous to the one between integer factorization and integer multiplication. Both asymmetries have been exploited in the construction of cryptographic systems.
Popular choices for the group G in discrete logarithm cryptography are the cyclic groups (Zp)×; see ElGamal encryption, Diffie-Hellman key exchange, and the Digital Signature Algorithm.
Newer cryptography applications use discrete logarithms in cyclic subgroups of elliptic curves over finite fields; see elliptic curve cryptography.