The Discrete Logarithm Problem
Learn about the discrete logarithm problem (DLP) and generalized discrete logarithm problem (GDLP) in this lesson.
The DLP in
As discussed in the previous sections, the first published public-key system by Diffie and Hellman is based on the discrete logarithm problem in the multiplicative group of a finite field, with prime. According to the primitive root theorem
Discrete logarithm problem (DLP) in
Definition:
Let be a primitive element (i.e., a generator) of the cyclic group and . The DLP is the problem of finding an exponent such that
is said to be the discrete logarithm of to the base .
However, if there exists a solution for , then there’s an infinite number of solutions to this problem. Due to Fermat’s little theorem
and hence
Thus, we conclude that if is a solution to the problem , then is also a solution for every .
Computing the DLP in is a very hard computational problem if is sufficiently large. Since can be computed efficiently if is known, this serves as a one-way function. However, there are several well-known attacks against the DLP, which we introduce in this section.
The generalized discrete logarithm problem
So far, we just considered the DLP in the multiplicative group . However, the DLP isn’t restricted to only this group, but rather can generally be defined over any cyclic group.
Generalized DLP
Definition:
Let be a cyclic group with group operation *, a primitive element and any given . Then, the discrete logarithm problem for is to find an integer that satisfies
Every group has its own discrete logarithm problem, whereas the difficulty of the DLP depends on the structure of . We consider the DLP for the following three cyclic groups: the additive group , the multiplicative group , and the elliptic curve .
-
For , the DLP is to find an integer for two given such that . This problem can be solved very easily since it works by using the Euclidean algorithm that takes steps and hence works in polynomial time.
-
For , the DLP is according to this definition. The solution is hard. For example, there exists the index calculus method that works in sub-exponential time. The best-known algorithm is the generalized number field sieve, which also has a sub-exponential running time.
-
For , the DLP (known as ECDLP) is to find an integer for two given points such that However, the problem is very hard to solve since the fastest known algorithm takes steps and hence needs fully exponential time.
In conclusion, the ECDLP is harder than the DLP in , provided that the orders of the groups are about the same.
Get hands-on with 1200+ tech skills courses.