Math 5410 Discrete Logarithm Problem
Let F = GF(q) and take µ as a primitive element of F. Any c in F* has a unique
representation as c = µm, for 0 <= m <= q-1. c can be computed from µ and m with only
2[ log2 q ] multiplications. The binary representation of m gives the order of the needed
multiplications, which consist only of squaring and multiplying by µ. For instance, if m = 171
then 171 = 128 + 32 + 8 + 2 + 1 = (10101011)2 and the computation of µ171 is carried out by
starting with 1, then, working from the most significant bit down, we square the current value
and if there is a 1 in the binary representation we also multiply by µ. Thus,
µ171 = ((((((((1)2µ)2)2µ)2)2µ)2)2µ)2µ.
On the other hand, given c and µ, finding m is a more difficult proposition and is called the
discrete logarithm problem.
If taking a power is of O(t) time, then finding a logarithm is of O(2t/2) time. And this can be
made prohibitively large if t = log2 q is large.
Diffie-Hellman Key Exchange
The difficulty of taking logarithms makes exponentiation in a finite field a one-way function
(not a trapdoor function however). This can be used in a public key exchange protocol. Public
knowledge is q, and µmU for each user U, while each user keeps secret their value of mU.
To exchange keys without transmission, A looks up B's public key and exponentiates it with
his own secret exponent. B does the same to A's public key. Thus, each of them calculates
the same key value µmBmA = µmAmB. There does not appear to be any means of obtaining
this value without first finding one of the secret exponents ... i.e., solving the discrete
logarithm problem for this q. Diffie & Hellman suggest using a value of q which is at least
100 bits long.
For a prime p which is intractible (i.e., very large), let µ be a generator of Zp*. Each user
selects a secret element a in Zp-1 and makes public the value ß = µa mod p. Thus, µ,ß, and p
are publicly known. To send a message, Alice randomly selects a secret k in Zp-1 and if x is
the message, sends the ordered pair (µk, x ßk) mod p, where ß is Bob's ß . To decrypt, Bob
raises the first component to his secret exponent a, finds the inverse mod p of this number,
and multiplies the second component by this inverse to get the message back. This
(x ßk) (µka)-1 = x ßk (ßk)-1 = x mod p.
Shank's Algorithm for Solving the Discrete Logarithm Problem
This algorithm is known as a Time-Memory Trade Off, that is, if you have enough memory at
your disposal you can use it to cut down the amount of time it would normally take to solve
Let p be a prime, µ a generator of Zp*. We wish to find a, given ß where ß = µa mod p.
Let m = [(p-1)1/2] .
- Step 1: Compute µmj mod p for 0 <= j <= m-1.
- Step 2: Sort the pairs (j, µmj mod p ) by second coordinate in a list L1.
- Step 3: Compute ß µ-i mod p for 0 <= i <= m-1.
- Step 4: Sort the pairs (i, ß µ-i mod p ) by second coordinate in a list L2.
- Step 5: Find a pair in each list with the same second coordinate, i.e.,
(j, y) in L1 and (i, y) in L2.
- Step 6: a = mj + i mod (p-1).
There are certain cases in which the discrete logarithm problem can be solved in less than
O(q1/2) time, for instance when q-1 has only small prime divisors. An algorithm for dealing
with this special case was developed in 1978. We first look at a special case:
Suppose that q - 1 = 2n.
Let µ be a primitive element in GF(q). Noting that in this case, q is odd, we have µ(q-1)/2 = -1.
Let m, 0 <= m <= q-2, be the exponent of µ that we wish to find, i.e. c = µm , and write m in
its binary representation: m = m0 + m12 + m222 + ... + mn-12n-1. Now,
So the evaluation of c(q-1)/2 which costs at most 2 [ log2 q ] operations, yields m0. We then
determine c1 = cµ-m0, and repeat the basic computation again to obtain m1.
This procedure can then be repeated until each of the mi are obtained. The total number of
operations is thus n (2[ log2 q ] + 2) ~ O ( (log2 q)2).
Chinese Remainder Theorem
The general case is dealt with by repeating the analogue of the special case for each of the
prime factors of q-1 and then combining the results using the Chinese Remainder Theorem.