## Math 5410 Discrete Logarithm Problem

Let **F** = GF(q) and take µ as a primitive element of **F**. Any c in **F*** has a unique
representation as c = µ^{m}, for 0 <= m <= q-1. c can be computed from µ and m with only
2[ log_{2} q ] multiplications. The binary representation of m gives the order of the needed
multiplications, which consist only of squaring and multiplying by µ. For instance, if m = 171
then 171 = 128 + 32 + 8 + 2 + 1 = (10101011)_{2} and the computation of µ^{171} is carried out by
starting with 1, then, working from the most significant bit down, we square the current value
and if there is a 1 in the binary representation we also multiply by µ. Thus,

µ^{171} = ((((((((1)^{2}µ)^{2})^{2}µ)^{2})^{2}µ)^{2})^{2}µ)^{2}µ.
On the other hand, given c and µ, finding m is a more difficult proposition and is called the
*discrete logarithm problem*.

If taking a power is of O(t) time, then finding a logarithm is of O(2^{t/2}) time. And this can be
made prohibitively large if t = log_{2} q is large.

**Diffie-Hellman Key Exchange**

The difficulty of taking logarithms makes exponentiation in a finite field a one-way function
(not a trapdoor function however). This can be used in a public key exchange protocol. Public
knowledge is q, and µ^{mU} for each user U, while each user keeps secret their value of m_{U}.
To exchange keys without transmission, A looks up B's public key and exponentiates it with
his own secret exponent. B does the same to A's public key. Thus, each of them calculates
the same key value µ^{mBmA} = µ^{mAmB}. There does not appear to be any means of obtaining
this value without first finding one of the secret exponents ... i.e., solving the discrete
logarithm problem for this q. Diffie & Hellman suggest using a value of q which is at least
100 bits long.

**El-Gamal Cryptosystem**

For a prime p which is intractible (i.e., very large), let µ be a generator of **Z**_{p}*. Each user
selects a secret element a in **Z**_{p-1} and makes public the value ß = µ^{a} mod p. Thus, µ,ß, and p
are publicly known. To send a message, Alice randomly selects a secret k in **Z**_{p-1} and if x is
the message, sends the ordered pair (µ^{k}, x ß^{k}) mod p, where ß is Bob's ß . To decrypt, Bob
raises the first component to his secret exponent a, finds the inverse mod p of this number,
and multiplies the second component by this inverse to get the message back. This
computation is,

(x ß^{k}) (µ^{ka})^{-1} = x ß^{k} (ß^{k})^{-1} = x mod p.

**Shank's Algorithm for Solving the Discrete Logarithm Problem**

This algorithm is known as a *Time-Memory Trade Off*, that is, if you have enough memory at
your disposal you can use it to cut down the amount of time it would normally take to solve
the problem.
Let p be a prime, µ a generator of **Z**_{p}*. We wish to find a, given ß where ß = µ^{a} mod p.
Let m = [(p-1)^{1/2}] .

- Step 1: Compute µ
^{mj} mod p for 0 <= j <= m-1.
- Step 2: Sort the pairs (j, µ
^{mj} mod p ) by second coordinate in a list L_{1}.
- Step 3: Compute ß µ
^{-i} mod p for 0 <= i <= m-1.
- Step 4: Sort the pairs (i, ß µ
^{-i} mod p ) by second coordinate in a list L_{2}.
- Step 5: Find a pair in each list with the same second coordinate, i.e.,
(j, y) in L
_{1} and (i, y) in L_{2}.
- Step 6: a = mj + i mod (p-1).

**Pohlig-Hellman Algorithm**

There are certain cases in which the discrete logarithm problem can be solved in less than
O(q^{1/2}) time, for instance when q-1 has only small prime divisors. An algorithm for dealing
with this special case was developed in 1978. We first look at a special case:
Suppose that q - 1 = 2^{n}.

Let µ be a primitive element in GF(q). Noting that in this case, q is odd, we have µ^{(q-1)/2} = -1.
Let m, 0 <= m <= q-2, be the exponent of µ that we wish to find, i.e. c = µ^{m} , and write m in
its binary representation: m = m_{0} + m_{1}2 + m_{2}2^{2} + ... + m_{n-1}2^{n-1}. Now,

So the evaluation of c^{(q-1)/2} which costs at most 2 [ log_{2} q ] operations, yields m_{0}. We then
determine c_{1} = cµ^{-m0}, and repeat the basic computation again to obtain m_{1}.

This procedure can then be repeated until each of the m_{i} are obtained. The total number of
operations is thus n (2[ log_{2} q ] + 2) ~ O ( (log_{2} q)^{2}).

**Chinese Remainder Theorem**

The general case is dealt with by repeating the analogue of the special case for each of the
prime factors of q-1 and then combining the results using the Chinese Remainder Theorem.

**Example**