In mathematics, a discrete logarithm is an integer k solving the equation b^k = g, where b and g are elements of a finite group. Discrete logarithms are thus the finite-group-theoretic analogue of ordinary logarithms, which solve the same equation for real numbers b and g, where b is the base of the logarithm and g is the value whose logarithm is being taken.
No efficient general method for
computing discrete logarithms on
conventional computers is known. Several
important algorithms in public-key
cryptography base their security on the
assumption that the discrete logarithm
problem over carefully chosen groups has
no efficient solution.
Example
Discrete logarithms are perhaps simplest to understand in the group (Z_p)^×. This is the group of multiplication modulo the prime p. Its elements are congruence classes modulo p, and the group product of two elements may be obtained by ordinary integer multiplication of the elements followed by reduction modulo p.
The kth power of one of the numbers in this group may be computed by finding its kth power as an integer and then finding the remainder after division by p. When the numbers involved are large, it is more efficient to reduce modulo p multiple times during the computation. Regardless of the specific algorithm used, this operation is called modular exponentiation. For example, consider (Z_17)^×. To compute 3^4 in this group, compute 3^4 = 81, and then divide 81 by 17, obtaining a remainder of 13. Thus 3^4 = 13 in the group (Z_17)^×.
The discrete logarithm is just the inverse operation. For example, consider the equation 3^k ≡ 13 (mod 17) for k. From the example above, one solution is k = 4, but it is not the only solution. Since 3^16 ≡ 1 (mod 17), as follows from Fermat's little theorem, it also follows that if n is an integer then 3^(4+16n) ≡ 3^4 × (3^16)^n ≡ 13 × 1^n ≡ 13 (mod 17). Hence the equation has infinitely many solutions of the form 4 + 16n. Moreover, since 16 is the smallest positive integer m satisfying 3^m ≡ 1 (mod 17), i.e. 16 is the order of 3 in (Z_17)^×, these are the only solutions. Equivalently, the set of all possible solutions can be expressed by the constraint that k ≡ 4 (mod 16).
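The computation above, carried out in code as an added example that is not part of the original article: modular exponentiation by square-and-multiply (reducing modulo p at every step instead of forming the full integer power), the order of 3 in (Z_17)^×, and the solution set k ≡ 4 (mod 16). The functions work for any prime p and any b coprime to p, not only the 3 and 17 of the text.

```python
# Added example (not from the article): the (Z_17)^x computations done in code.

def mod_pow(b, k, p):
    """Square-and-multiply: reduce modulo p after every multiplication,
    so intermediate values never exceed p*p even for huge k."""
    result, base = 1, b % p
    while k > 0:
        if k & 1:
            result = (result * base) % p
        base = (base * base) % p
        k >>= 1
    return result

def order(b, p):
    """Smallest positive m with b^m = 1 in (Z_p)^x (b must be coprime to p)."""
    m, x = 1, b % p
    while x != 1:
        x = (x * b) % p
        m += 1
    return m

def discrete_logs(b, g, p):
    """All k in [0, order(b)) with b^k = g (mod p), by trial multiplication:
    the successive powers 1, b, b^2, ... are compared against g."""
    n = order(b, p)
    x, sols = 1, []
    for k in range(n):
        if x == g % p:
            sols.append(k)
        x = (x * b) % p
    return sols

def solutions_up_to(b, g, p, bound):
    """Every k in [0, bound) solving b^k = g (mod p); for the text's example this
    is exactly the arithmetic progression 4, 20, 36, ... (k = 4 + 16n)."""
    return [k for k in range(bound) if mod_pow(b, k, p) == g % p]
```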
Definition
In general, let G be any group, with its group operation denoted by multiplication. Let b and g be any elements of G. Then any integer k that solves b^k = g is termed a discrete logarithm of g to the base b. We write k = log_b g. Depending on b and g, it is possible that no discrete logarithm exists, or that more than one discrete logarithm exists. Let H be the subgroup of G generated by b. Then H is a cyclic group, and an integer log_b g exists for all g in H. If H is infinite, then log_b g is also unique, and the discrete logarithm amounts to a group isomorphism
On the other hand, if H is finite of size n, then log_b g is unique only up to congruence modulo n, and the discrete logarithm amounts to a group isomorphism
where Z_n denotes the ring of integers modulo n. The familiar base change formula for ordinary logarithms remains valid: if c is another generator of H, then
Algorithms
No efficient classical algorithm for computing general discrete logarithms log_b g is known. The naive algorithm is to raise b to higher and higher powers k until the desired g is found; this is sometimes called trial multiplication. This algorithm requires running time linear in the size of the group G and thus exponential in the number of digits in the size of the group. There exists an efficient quantum algorithm due to Peter Shor.
More sophisticated algorithms exist, usually inspired by similar algorithms for integer factorization. These algorithms run faster than the naive algorithm, some of them linear in the square root of the size of the group, and thus exponential in half the number of digits in the size of the group. However, none of them runs in polynomial time.
Baby-step giant-step
Function field sieve
Index calculus algorithm
Number field sieve
Pohlig–Hellman algorithm
Pollard's rho algorithm for logarithms
Pollard's kangaroo algorithm
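An added example (not from the article) contrasting trial multiplication with baby-step giant-step, the first algorithm listed above. Both solve b^k = g in (Z_p)^× given the order n of b and return the logarithm together with the number of group multiplications performed; the second needs only about 2·sqrt(n) multiplications and sqrt(n) stored values, which is the square-root behaviour the paragraph describes. Python's built-in pow(b, k, p) supplies the modular exponentiation.

```python
# Added example (not from the article): trial multiplication vs. baby-step giant-step
# for b^k = g in (Z_p)^x, where n is the order of b.  Both return (k, multiplications).
from math import isqrt

def trial_multiplication(b, g, n, p):
    """Naive search: compare b^0, b^1, b^2, ... with g.  Up to n multiplications."""
    x, ops = 1, 0
    for k in range(n):
        if x == g % p:
            return k, ops
        x, ops = (x * b) % p, ops + 1
    return None, ops

def baby_step_giant_step(b, g, n, p):
    """Write k = i*m - j with m = ceil(sqrt(n)), 0 <= j < m, 0 <= i <= m.
    Then b^(i*m) = g * b^j: tabulate the right-hand side (baby steps) and
    walk the left-hand side (giant steps) until the table is hit."""
    m = isqrt(n - 1) + 1                  # ceil(sqrt(n)) for n >= 1
    baby, x, ops = {}, g % p, 0
    for j in range(m):                    # baby steps: g * b^j  ->  j
        baby.setdefault(x, j)
        x, ops = (x * b) % p, ops + 1
    giant = pow(b, m, p)                  # one exponentiation, not counted as a step
    y = 1
    for i in range(m + 1):                # giant steps: b^(i*m)
        if y in baby:
            return (i * m - baby[y]) % n, ops
        y, ops = (y * giant) % p, ops + 1
    return None, ops                      # g is not in the subgroup generated by b
```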
Comparison with integer factorization
While computing discrete logarithms and
factoring integers are distinct
problems, they share some properties:
both problems are difficult,
for both problems efficient algorithms
on quantum computers are known,
algorithms from one problem are often
adapted to the other, and
the difficulty of both problems has been
used to construct various cryptographic
systems.
Cryptography
There exist groups for which computing discrete logarithms is apparently difficult. In some cases (for example, in (Z_p)^×) there is not only no efficient algorithm known for the worst case, but the average-case complexity can be shown to be about as hard as the worst case using random self-reducibility.
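Random self-reducibility, as an added example that is not from the article: in the cyclic group generated by b (order n) inside (Z_p)^×, a solver that only succeeds on some arbitrary half of the targets is turned into one that solves every target, by randomising g to g·b^r (which is uniform over the subgroup) and correcting the answer by r. The oracle below is constructed and hypothetical: its "even-valued targets only" rule stands in for "works on a random fraction of instances", and its brute-force search is filler.

```python
# Added example (not from the article): random self-reducibility of the discrete log
# in the cyclic group <b> of order n inside (Z_p)^x.
import random

def lucky_oracle(b, g, n, p):
    """Hypothetical average-case solver: refuses odd-valued targets, and answers the
    rest by brute force.  Only the refusal rule matters for the reduction below."""
    if g % 2:
        return None
    x = 1
    for k in range(n):
        if x == g:
            return k
        x = (x * b) % p
    return None

def self_reduce(b, g, n, p, oracle, seed=1, max_tries=1000):
    """Solve b^k = g for any g in <b> using an oracle that works on random targets:
    g' = g * b^r is uniform over <b> when r is uniform in [0, n), and
    log_b g = log_b g' - r (mod n)."""
    rng = random.Random(seed)             # seeded only so the example is reproducible
    g %= p
    for _ in range(max_tries):
        r = rng.randrange(n)
        k_prime = oracle(b, (g * pow(b, r, p)) % p, n, p)
        if k_prime is not None:
            k = (k_prime - r) % n
            if pow(b, k, p) != g:         # an answer is cheap to verify
                raise ValueError("oracle returned a wrong logarithm")
            return k
    return None                           # oracle never succeeded (vanishingly unlikely)
```

The same trick applies in any cyclic group, which is why an attacker needs only a solver for random instances to break every instance, and why average-case hardness is the right assumption for cryptographic use.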
At the same time, the inverse problem of
discrete exponentiation is not
difficult. This asymmetry is analogous
to the one between integer factorization
and integer multiplication. Both
asymmetries have been exploited in the
construction of cryptographic systems.
Popular choices for the group G in discrete logarithm cryptography are the cyclic groups (Z_p)^× and cyclic subgroups of elliptic curves over finite fields.
While there is no publicly known efficient algorithm for solving the discrete logarithm problem in general, the first three steps of the number field sieve algorithm depend only on the group G, not on the specific elements of G whose discrete log is desired. By precomputing these three steps for a specific group, one need only carry out the last step, which is much less computationally expensive than the first three, to obtain a specific logarithm in that group.
It turns out that much Internet traffic uses one of a handful of groups whose order is 1024 bits or less, e.g. cyclic groups with the order of the Oakley primes specified in RFC 2049. The Logjam attack used this vulnerability to compromise a variety of Internet services that allowed the use of groups whose order was a 512-bit prime number, so-called export grade.
The authors of the Logjam attack estimate that the much more difficult precomputation needed to solve the discrete log problem for a 1024-bit prime would be within the budget of a large national intelligence agency such as the U.S. National Security Agency. The Logjam authors speculate that precomputation against widely reused 1024-bit DH primes is behind claims in leaked NSA documents that the NSA is able to break much of current crypto.
