Discrete logarithm

In mathematics, a discrete logarithm is an integer k solving the equation b^k = g, where b and g are elements of a finite group. Discrete logarithms are thus the finite-group-theoretic analogue of ordinary logarithms, which solve the same equation for real numbers b and g, where b is the base of the logarithm and g is the value whose logarithm is being taken.

Computing discrete logarithms is believed to be difficult. No efficient general method for computing discrete logarithms on conventional computers is known, and several important algorithms in public-key cryptography base their security on the assumption that the discrete logarithm problem has no efficient solution.

Example

Discrete logarithms are perhaps simplest to understand in the group (Z_p)^×. This is the group of multiplication modulo the prime p. Its elements are congruence classes modulo p, and the group product of two elements may be obtained by ordinary integer multiplication of the elements followed by reduction modulo p.

The kth power of one of the numbers in this group may be computed by finding its kth power as an integer and then finding the remainder after division by p. When the numbers involved are large, it is more efficient to reduce modulo p multiple times during the computation. Regardless of the specific algorithm used, this operation is called modular exponentiation. For example, consider (Z₁₇)^×. To compute 3⁴ in this group, compute 3⁴ = 81, and then divide 81 by 17, obtaining a remainder of 13. Thus 3⁴ = 13 in the group (Z₁₇)^×.

The discrete logarithm is just the inverse operation. For example, consider the equation 3^k ≡ 13 (mod 17) for k. From the example above, one solution is k = 4, but it is not the only solution. Since 3¹⁶ ≡ 1 (mod 17)—as follows from Fermat's little theorem—it also follows that if n is an integer then 3⁴⁺¹⁶ⁿ ≡ 3⁴ × (3¹⁶)ⁿ ≡ 13 × 1ⁿ ≡ 13 (mod 17). Hence the equation has infinitely many solutions of the form 4 + 16n. Moreover, since 16 is the smallest positive integer m satisfying 3^m ≡ 1 (mod 17), i.e. 16 is the order of 3 in (Z₁₇)^×, these are the only solutions. Equivalently, the set of all possible solutions can be expressed by the constraint that k ≡ 4 (mod 16).

Definition

In general, let G be any group, with its group operation denoted by multiplication. Let b and g be any elements of G. Then any integer k that solves b^k = g is termed a discrete logarithm (or simply logarithm, in this context) of g to the base b. We write k = log_b g. Depending on b and g, it is possible that no discrete logarithm exists, or that more than one discrete logarithm exists. Let H be the subgroup of G generated by b. Then H is a cyclic group, and integral log_b g exists for all g in H. If H is infinite, then log_b g is also unique, and the discrete logarithm amounts to a group isomorphism

On the other hand, if H is finite of size n, then log_b g is unique only up to congruence modulo n, and the discrete logarithm amounts to a group isomorphism

where Z_n denotes the ring of integers modulo n. The familiar base change formula for ordinary logarithms remains valid: If c is another generator of H, then

Algorithms

No efficient classical algorithm for computing general discrete logarithms log_b g is known. The naive algorithm is to raise b to higher and higher powers k until the desired g is found; this is sometimes called trial multiplication. This algorithm requires running time linear in the size of the group G and thus exponential in the number of digits in the size of the group. There exists an efficient quantum algorithm due to Peter Shor.^[1]

More sophisticated algorithms exist, usually inspired by similar algorithms for integer factorization. These algorithms run faster than the naive algorithm, some of them linear in the square root of the size of the group, and thus exponential in half the number of digits in the size of the group. However none of them runs in polynomial time (in the number of digits in the size of the group).

• Baby-step giant-step
• Function field sieve
• Index calculus algorithm
• Number field sieve
• Pohlig–Hellman algorithm
• Pollard's rho algorithm for logarithms
• Pollard's kangaroo algorithm (aka Pollard's lambda algorithm)

Comparison with integer factorization

While computing discrete logarithms and factoring integers are distinct problems, they share some properties:

• both problems are difficult (no efficient algorithms are known for non-quantum computers),
• for both problems efficient algorithms on quantum computers are known,
• algorithms from one problem are often adapted to the other, and
• the difficulty of both problems has been used to construct various cryptographic systems.

Cryptography

There exist groups for which computing discrete logarithms is apparently difficult. In some cases (e.g. large prime order subgroups of groups (Z_p)^×) there is not only no efficient algorithm known for the worst case, but the average-case complexity can be shown to be about as hard as the worst case using random self-reducibility.

At the same time, the inverse problem of discrete exponentiation is not difficult (it can be computed efficiently using exponentiation by squaring, for example). This asymmetry is analogous to the one between integer factorization and integer multiplication. Both asymmetries have been exploited in the construction of cryptographic systems.

Popular choices for the group G in discrete logarithm cryptography are the cyclic groups (Z_p)^× (e.g. ElGamal encryption, Diffie–Hellman key exchange, and the Digital Signature Algorithm) and cyclic subgroups of elliptic curves over finite fields (see elliptic curve cryptography).

References

• Richard Crandall; Carl Pomerance. Chapter 5, Prime Numbers: A computational perspective, 2nd ed., Springer.
• Stinson, Douglas Robert (2006), Cryptography: Theory and Practice (3rd ed.), London: CRC Press, ISBN 978-1-58488-508-5