The hard problem that is closely related
to the Diffie-Hellman security property
is the discrete log problem.
Discrete logs are like continuous logs
but over a discrete group.
So for a continuous log, if we have a to the x equals b,
and we know a and b, we can solve for x.
That's the log base a of b,
and there are well-known efficient ways to compute these logarithms.
One of the earliest uses of computers
was to compute these tables of logarithms.
With discrete numbers, this gets much more interesting.
So now we have a to the x equals b,
modulo some value n,
and our goal is to solve for x,
which is the discrete log base a of b,
and this turns out to be, as far as everyone can tell,
a very hard problem when n is a large prime number.
It's not clear that a discrete log always exists,
and for certain choices of a, b, and n, it would not exist,
but if we choose n as a large
prime number and a as a generator,
well then by definition, it must exist.
What it means for a number to be a generator
is that if we raise g to each power,
what we get is the permutation of the numbers in the group Zn.
So as a little demonstration, certainly not a proof,
here's some code that produces the permutation:
given some generator and some modulus,
it raises the generator to every power
between 1 and the modulus minus 1.
So we can try that with a fairly
small prime number so you can see the results.
We'll use 277 as our prime number
and 5 as a generator for 277.
One could check that in a brute-force way
just to show that it produces all the numbers,
and we'll see that in the output for generator permutation.
These are the results and
you can see the first 1 is 5, that's 5 to the 1;
25 is 5 to the 2; 125 is 5 to the 3.
The next one is 71 because 5 to the 4 mod 277 is 71,
and if we look at all the numbers here,
it would be a permutation on the numbers from 1 to 276.
Other than the early ones,
it would be fairly hard to predict where
a number is in this sequence.
You could certainly compute the whole sequence to find it.
The question the discrete log is asking
is given a number, can you figure out
where it would be in this sequence
or can you figure out the power that you need
to raise the generator to find it,
and the claim is that that's hard to do.
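An added example, not the code shown in the lecture (the transcript does not include it): it builds the permutation for generator 5 and modulus 277, checks by brute force that 5 really is a generator, and solves a discrete log by walking the sequence. The function names are assumptions chosen for this sketch.

```python
def generator_permutation(g, p):
    """Return [g^1 mod p, g^2 mod p, ..., g^(p-1) mod p]."""
    sequence, value = [], 1
    for _ in range(1, p):
        value = (value * g) % p
        sequence.append(value)
    return sequence


def is_generator(g, p):
    """Brute-force check: the powers of g must hit every number 1..p-1 exactly once."""
    return sorted(generator_permutation(g, p)) == list(range(1, p))


def discrete_log_bruteforce(g, b, p):
    """Return the smallest x in 1..p-1 with g^x = b (mod p), or None if none exists.

    This tries each power in turn, so the work is linear in the value of p,
    which is exponential in the number of bits of p.
    """
    value = 1
    for x in range(1, p):
        value = (value * g) % p
        if value == b:
            return x
    return None


if __name__ == "__main__":
    p, g = 277, 5  # the small prime and generator used in the lecture
    perm = generator_permutation(g, p)
    print("first powers:", perm[:4])
    print("5 generates 1..276:", is_generator(g, p))
    # 4 is a perfect square, so its powers cover only half the group
    print("4 generates 1..276:", is_generator(4, p))
    x = discrete_log_bruteforce(g, 71, p)
    print("dlog base 5 of 71 mod 277 =", x)
    # A non-generator base may have no discrete log for a given target
    print("dlog base 4 of 5 mod 277 =", discrete_log_bruteforce(4, 5, p))
```

At 277 the search finishes instantly; each extra bit in the modulus doubles the number of powers this loop may have to try.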
Showing this sequence really is not enough
to convince you that that's hard to do,
and there's no proof that it's hard.
The reason people believe it's hard
is that many smart people have tried to find
good ways of doing this, and none of the
solutions run in polynomial time;
the fastest known solutions are exponential.
That means essentially that the only way to solve
this is to try all possible powers
until you find the one that works.
You can do a little better than that by trying
powers in a clever way, and you can
exclude some of the powers more quickly,
but you can't do any better than doing this exponential search,
which is exponential in the size of n.
So this is something we have to be careful about when we
talk about hard problems.
When we say it's exponential, well it's not exponential in the value of n.
It's linear in the value of n.
We just need to try n operations,
but the magnitude of n
grows as 2 to the number of bits needed to write down n.
So as long as that's the best solution to discrete log,
then for very large n,
it is intractable no matter how many computer resources you have,
you can't do this exponential search.
You can't find the value of x that's the
discrete log of b, base a, mod n.
So as long as no one can find a
fast way to solve the discrete log problem,
as long as n is large and is an
arbitrary instance of this problem,
we think that it should be hard to
compute x given a and b and the modulus.
So for this quiz, we will assume that we have
an adversary that's passive,
so all it can do is eavesdrop on the messages,
but they also have access to a powerful computer resource,
they have a procedure dlog that is
a fast procedure for computing discrete
logs that works on any inputs,
and they have modular exponentiation,
a fast procedure that outputs
base to the power mod modulus.
And now the question is can they break a Diffie-Hellman key?
So we're assuming that they're passive attackers,
so they've eavesdropped on all the
messages between Alice and Bob,
so they have all these values that were sent over the secure channel,
and the possible answers are: no,
it's impossible with no
more resources or information;
or yes, there is a way to do it,
and here's the way that she would compute that.
