## Math 5410 Discrete Logarithm Problem

Let F = GF(q) and take µ as a primitive element of F. Any c in F* has a unique representation as c = µm, for 0 <= m <= q-1. c can be computed from µ and m with only 2[ log2 q ] multiplications. The binary representation of m gives the order of the needed multiplications, which consist only of squaring and multiplying by µ. For instance, if m = 171 then 171 = 128 + 32 + 8 + 2 + 1 = (10101011)2 and the computation of µ171 is carried out by starting with 1, then, working from the most significant bit down, we square the current value and if there is a 1 in the binary representation we also multiply by µ. Thus,
µ171 = ((((((((1)2µ)2)2µ)2)2µ)2)2µ)2µ.

On the other hand, given c and µ, finding m is a more difficult proposition and is called the discrete logarithm problem.

If taking a power is of O(t) time, then finding a logarithm is of O(2t/2) time. And this can be made prohibitively large if t = log2 q is large.

### Diffie-Hellman Key Exchange

The difficulty of taking logarithms makes exponentiation in a finite field a one-way function (not a trapdoor function however). This can be used in a public key exchange protocol. Public knowledge is q, and µmU for each user U, while each user keeps secret their value of mU. To exchange keys without transmission, A looks up B's public key and exponentiates it with his own secret exponent. B does the same to A's public key. Thus, each of them calculates the same key value µmBmA = µmAmB. There does not appear to be any means of obtaining this value without first finding one of the secret exponents ... i.e., solving the discrete logarithm problem for this q. Diffie & Hellman suggest using a value of q which is at least 100 bits long.

### El-Gamal Cryptosystem

For a prime p which is intractible (i.e., very large), let µ be a generator of Zp*. Each user selects a secret element a in Zp-1 and makes public the value ß = µa mod p. Thus, µ,ß, and p are publicly known. To send a message, Alice randomly selects a secret k in Zp-1 and if x is the message, sends the ordered pair (µk, x ßk) mod p, where ß is Bob's ß . To decrypt, Bob raises the first component to his secret exponent a, finds the inverse mod p of this number, and multiplies the second component by this inverse to get the message back. This computation is,
(x ßk) (µka)-1 = x ßkk)-1 = x mod p.

### Shank's Algorithm for Solving the Discrete Logarithm Problem

This algorithm is known as a Time-Memory Trade Off, that is, if you have enough memory at your disposal you can use it to cut down the amount of time it would normally take to solve the problem.

Let p be a prime, µ a generator of Zp*. We wish to find a, given ß where ß = µa mod p. Let m = [(p-1)1/2] .

• Step 1: Compute µmj mod p for 0 <= j <= m-1.
• Step 2: Sort the pairs (j, µmj mod p ) by second coordinate in a list L1.
• Step 3: Compute ß µ-i mod p for 0 <= i <= m-1.
• Step 4: Sort the pairs (i, ß µ-i mod p ) by second coordinate in a list L2.
• Step 5: Find a pair in each list with the same second coordinate, i.e., (j, y) in L1 and (i, y) in L2.
• Step 6: a = mj + i mod (p-1).

### Pohlig-Hellman Algorithm

There are certain cases in which the discrete logarithm problem can be solved in less than O(q1/2) time, for instance when q-1 has only small prime divisors. An algorithm for dealing with this special case was developed in 1978. We first look at a special case:

Suppose that q - 1 = 2n.

Let µ be a primitive element in GF(q). Noting that in this case, q is odd, we have µ(q-1)/2 = -1. Let m, 0 <= m <= q-2, be the exponent of µ that we wish to find, i.e. c = µm , and write m in its binary representation: m = m0 + m12 + m222 + ... + mn-12n-1. Now, So the evaluation of c(q-1)/2 which costs at most 2 [ log2 q ] operations, yields m0. We then determine c1 = cµ-m0, and repeat the basic computation again to obtain m1. This procedure can then be repeated until each of the mi are obtained. The total number of operations is thus n (2[ log2 q ] + 2) ~ O ( (log2 q)2).

The general case is dealt with by repeating the analogue of the special case for each of the prime factors of q-1 and then combining the results using the Chinese Remainder Theorem.

Example