Discrete logarithm

Example 13.13

For which of the following values of n does the group Zn* have primitive roots: n = 17, 20, 38 and 50?

Solution

a. Z17* has primitive roots because 17 is a prime number (17 = p^t with t = 1).

b. Z20* has no primitive roots.

c. Z38* has primitive roots because 38 = 2 × 19 and 19 is a prime number.

d. Z50* has primitive roots because 50 = 2 × 5^2 and 5 is a prime number.

If a group has a primitive root, it usually has several. When the group has at least one primitive root, their number is φ(φ(n)). For example, Z17* from Example 13.13 has φ(φ(17)) = φ(16) = 8 primitive roots. Note that you must first check whether the group has any primitive root at all before counting them.

If the group G = <Zn*, ×> has at least one primitive root, then the number of primitive roots is φ(φ(n)).

Let's consider three questions:

1. Given an element a and a group G = <Zn*, ×>, how can one determine whether a is a primitive root of G? This is not an easy task.

a. We must find φ(n); this task is similar in complexity to factoring the number n.

b. We must find .

2. Given a group, how can one find all of its primitive roots? This problem is harder than the first one, because the calculation of step 1.b must be repeated for every element of the group.

3. Given a group, how can one choose a primitive root of G? In cryptography we need to find at least one primitive root of the group. In this case, however, the value of n is chosen by the user, so the user knows φ(n). The user tries elements one after another until the first primitive root is found.

Cyclic group. Cyclic groups have already been discussed in lectures 5-6. Note that if a group has primitive roots, their powers repeat cyclically. Each primitive root is a generator and can be used to produce the entire set. In other words, if g is a primitive root of the group, we can generate the set Zn* as Zn* = {g^1, g^2, g^3, ..., g^φ(n)}.

Example 13.14

The group Z10* has two primitive roots, because φ(10) = 4 and φ(φ(10)) = φ(4) = 2. The primitive roots are 3 and 7. Below is how the entire set Z10* can be generated from each primitive root.

g = 3 -> g^1 mod 10 = 3, g^2 mod 10 = 9, g^3 mod 10 = 7, g^4 mod 10 = 1
g = 7 -> g^1 mod 10 = 7, g^2 mod 10 = 9, g^3 mod 10 = 3, g^4 mod 10 = 1

Note that the group Zp* is always cyclic because p is prime.

The group G = <Zn*, ×> is cyclic if it has primitive roots. The group G = <Zp*, ×> is always cyclic.
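To make Examples 13.13 and 13.14 concrete, here is an added Python example (not from the original text) that decides whether Zn* has primitive roots, counts them as φ(φ(n)), finds them by testing the order of each element (the check behind step 1.b above), and generates Zn* from a root as g^1, ..., g^φ(n). All function names are my own; the criterion used for has_primitive_root (n is 1, 2, 4, p^t or 2p^t for an odd prime p) is the standard one that Example 13.13 applies case by case.

```python
from math import gcd


def prime_factors(n):
    """Sorted distinct prime factors of n by trial division (n >= 1)."""
    factors = []
    d = 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def phi(n):
    """Euler's totient φ(n) computed from the prime factorization."""
    result = n
    for p in prime_factors(n):
        result = result // p * (p - 1)
    return result


def is_prime_power(m):
    """True if m = p^t for a single prime p and t >= 1."""
    return m >= 2 and len(prime_factors(m)) == 1


def has_primitive_root(n):
    """Z_n* is cyclic exactly when n is 1, 2, 4, p^t or 2p^t with p an odd prime."""
    if n in (1, 2, 4):
        return True
    if n % 2 == 1:
        return is_prime_power(n)
    # even n: must be 2 * (odd prime power)
    return n % 4 == 2 and is_prime_power(n // 2)


def is_primitive_root(a, n):
    """a generates Z_n* iff gcd(a, n) = 1 and a^(φ(n)/q) != 1 (mod n) for every prime q | φ(n).
    This is the order test: it avoids computing all powers of a."""
    if gcd(a, n) != 1:
        return False
    m = phi(n)
    if m == 1:
        return True
    return all(pow(a, m // q, n) != 1 for q in prime_factors(m))


def primitive_roots(n):
    """All primitive roots of Z_n* (empty list if the group is not cyclic)."""
    if not has_primitive_root(n):
        return []
    return [a for a in range(1, n) if is_primitive_root(a, n)]


def count_primitive_roots(n):
    """φ(φ(n)) when the group has primitive roots, otherwise 0."""
    return phi(phi(n)) if has_primitive_root(n) else 0


def generate_group(g, n):
    """The sequence g^1, g^2, ..., g^φ(n) mod n; for a primitive root g this is all of Z_n*."""
    return [pow(g, k, n) for k in range(1, phi(n) + 1)]


if __name__ == "__main__":
    for n in (17, 20, 38, 50):
        print(n, has_primitive_root(n), count_primitive_roots(n))
    for g in primitive_roots(10):
        print("g =", g, "->", generate_group(g, 10))
```

Running the script reproduces the four answers of Example 13.13, the count 8 for Z17*, and the two generating sequences of Example 13.14. For n of cryptographic size the same order test works, but phi(n) must then come from the known factorization of n (the user chose n), since factoring is exactly what makes step 1.a hard.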

The idea of a discrete logarithm. The group <Zp*, ×> has several interesting properties.

Solving the modular logarithm using discrete logarithms

Now let's look at how problems of the form y = a^x (mod n) are solved, i.e. given y (together with the base a and the modulus n), we must find x.

Tabulating discrete logarithms. One way to solve the above problem is to use a table for each Zp* and each of its bases. Such tables can be precomputed and stored. For example, Table 13.4 shows the discrete logarithm values for Z7*. We know that this set has two primitive roots, i.e. two possible bases.

Table 13.4. Discrete logarithms for G = <Z7*, ×>
y          1  2  3  4  5  6
x = L3 y   6  2  1  4  5  3
x = L5 y   6  4  5  2  1  3

By building such tables of discrete logarithms for all groups and all possible bases, we could solve any discrete logarithm problem. This approach is similar to the way ordinary logarithms were handled in the past: before calculators and computers, tables were used to look up base-10 logarithms.

Example 13.15

Find x in each of the following cases:

a.

b.

We can easily read the answers from Table 13.4 of discrete logarithms.

A team of researchers from EPFL and the University of Leipzig managed to compute a discrete logarithm modulo a 768-bit prime. To do this they needed 200 cores running since February 2015. They used a variant of the number field sieve. Thus discrete logarithm computation is on a par with factorization, where the record for ordinary numbers is also 768 bits.

By the way, after tomorrow's update it will be possible to attach free TLS to dyndns hosts! This is super cool; every home server will now have a certificate.

Protecting against Side channel attacks

It is no secret that nowadays information about encryption keys can be retrieved remotely almost through the cooling fan. Therefore constant-time algorithms, whose running time does not depend on the input data, are becoming increasingly popular. The Germans have released minimum requirements for implementations that make it harder to obtain sensitive data through side channels; I advise you to read them.

That's all for me, see you next time!
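As an added illustration of the constant-time point raised above (this is my own example, not code from the blog or from the German requirements document), here is the operation on which every scheme on this page rests, modular exponentiation g^x mod p, written twice: the textbook square-and-multiply loop, whose number of multiplications depends on the bits of the secret exponent, and a Montgomery ladder that performs the same two operations in every iteration over a fixed number of bits and selects registers by masking rather than branching. The functions return the operation count so the difference is measurable. Python's big-integer arithmetic is itself not constant-time, so the example demonstrates a data-independent operation sequence, which is the property the paragraph refers to, not a production-grade implementation.

```python
def square_and_multiply(g, x, p):
    """Left-to-right binary exponentiation of g^x mod p.
    Returns (result, number of multiplications). The extra multiply runs only
    on 1-bits of x, so the operation count (and the timing or power trace)
    depends on the Hamming weight and length of the secret exponent."""
    result, mults = 1, 0
    for bit in bin(x)[2:]:
        result = result * result % p
        mults += 1
        if bit == "1":                      # secret-dependent branch
            result = result * g % p
            mults += 1
    return result, mults


def montgomery_ladder(g, x, p, bits):
    """Montgomery ladder for g^x mod p over a fixed width of `bits` exponent bits.
    Invariant: r1 == r0 * g (mod p). Every iteration does exactly one squaring
    and one multiplication; which register is squared is chosen by a masked
    swap, so there is no branch on the exponent bit."""
    r0, r1 = 1, g % p
    mults = 0
    for i in range(bits - 1, -1, -1):
        bit = (x >> i) & 1
        mask = -bit                         # 0 for a 0-bit, all ones for a 1-bit
        swap = (r0 ^ r1) & mask             # conditional swap without branching
        r0, r1 = r0 ^ swap, r1 ^ swap
        r1 = r0 * r1 % p                    # same two operations on every bit
        r0 = r0 * r0 % p
        swap = (r0 ^ r1) & mask             # swap back
        r0, r1 = r0 ^ swap, r1 ^ swap
        mults += 2
    return r0, mults


def operation_counts(g, p, exponents):
    """Operation counts of both methods for a list of exponents, all processed
    at the fixed width p.bit_length(): the ladder column is constant."""
    bits = p.bit_length()
    return [(x, square_and_multiply(g, x, p)[1], montgomery_ladder(g, x, p, bits)[1])
            for x in exponents]


if __name__ == "__main__":
    for x, naive, ladder in operation_counts(3, 17, [1, 4, 7, 15]):
        print(f"x={x:2d}: square-and-multiply {naive} mults, ladder {ladder} mults")
```

For p = 17 the naive loop uses between 1 and 8 multiplications depending on x, while the ladder always uses 10 (two per bit of the 5-bit modulus). A real implementation additionally needs fixed-width field arithmetic and exponent blinding; the uniform operation sequence shown here is only the first of the requirements such guidance lists.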

So, we have powers of two. If you take the number from the bottom line, you can easily find the power to which you will have to raise two to get this number. For example, to get 16, you need to raise two to the fourth power. And to get 64, you need to raise two to the sixth power. This can be seen from the table.

And now - actually, the definition of the logarithm:

The base a logarithm of x is the power to which a must be raised to get x.

Notation: log_a x = b, where a is the base, x is the argument, and b is the value of the logarithm.

For example, 2^3 = 8 ⇒ log_2 8 = 3 (the base 2 logarithm of 8 is three because 2^3 = 8). Likewise log_2 64 = 6, since 2^6 = 64.

The operation of finding the logarithm of a number to a given base is called logarithmization. So, let's add a new line to our table:

2^1          2^2          2^3          2^4           2^5           2^6
2            4            8            16            32            64
log_2 2 = 1  log_2 4 = 2  log_2 8 = 3  log_2 16 = 4  log_2 32 = 5  log_2 64 = 6

Unfortunately, not all logarithms are computed so easily. For example, try finding log_2 5. The number 5 is not in the table, but logic dictates that the logarithm lies somewhere on the segment [2; 3], because 2^2 < 5 < 2^3, and the larger the power of two, the larger the resulting number.

Such numbers are called irrational: the digits after the decimal point go on forever and never repeat. If a logarithm turns out to be irrational, it is better to leave it as it is: log_2 5, log_3 8, log_5 100.

It is important to understand that a logarithm is an expression with two variables (the base and the argument). At first, many people confuse where the basis is and where the argument is. To avoid annoying misunderstandings, just look at the picture:

This is nothing other than the definition of a logarithm. Remember: a logarithm is the power to which the base must be raised to obtain the argument. It is the base that is raised to the power; it is highlighted in red in the picture. So the base is always at the bottom! I tell my students this wonderful rule at the very first lesson, and no confusion arises.

We've figured out the definition - all that remains is to learn how to count logarithms, i.e. get rid of the "log" sign. To begin with, we note that two important facts follow from the definition:

  1. The argument and the base must always be greater than zero. This follows from the definition of a power with a rational exponent, to which the definition of a logarithm reduces.
  2. The base must be different from one, since one raised to any power remains one. Because of this, the question "to what power must one be raised to get two" is meaningless. There is no such power!

Such restrictions are called the domain of acceptable values (ODZ). So the ODZ of a logarithm looks like this: log_a x = b ⇒ x > 0, a > 0, a ≠ 1.

Note that there is no restriction on the number b (the value of the logarithm). For example, a logarithm may well be negative: log_2 0.5 = −1, because 0.5 = 2^−1.

However, for now we are considering only numerical expressions, where it is not necessary to know the ODZ of the logarithm: all restrictions have already been taken into account by the authors of the problems. But once logarithmic equations and inequalities come into play, the ODZ requirements become mandatory, because the base and the argument may then contain quite complicated expressions that do not necessarily satisfy the restrictions above.

Now let's look at the general scheme for calculating logarithms. It consists of three steps:

  1. Express the base a and the argument x as powers of the smallest possible base greater than one. Along the way, it is better to get rid of decimal fractions;
  2. Solve the equation x = a^b for the variable b;
  3. The resulting number b is the answer.

That's all! If the logarithm turns out to be irrational, this will already be visible in the first step. The requirement that the base be greater than one is very important: it reduces the likelihood of error and greatly simplifies the calculations. The same goes for decimal fractions: if you convert them into ordinary fractions right away, there will be far fewer errors.

Let's see how this scheme works using specific examples:

Task. Calculate the logarithm: log 5 25

  1. Write the base and the argument as powers of five: 5 = 5^1; 25 = 5^2;
  2. Set up and solve the equation:
    log_5 25 = b ⇒ (5^1)^b = 5^2 ⇒ 5^b = 5^2 ⇒ b = 2;

  3. The answer is 2.


Task. Calculate the logarithm: log_4 64

  1. Write the base and the argument as powers of two: 4 = 2^2; 64 = 2^6;
  2. Set up and solve the equation:
    log_4 64 = b ⇒ (2^2)^b = 2^6 ⇒ 2^2b = 2^6 ⇒ 2b = 6 ⇒ b = 3;
  3. The answer is 3.

Task. Calculate the logarithm: log_16 1

  1. Write the base and the argument as powers of two: 16 = 2^4; 1 = 2^0;
  2. Set up and solve the equation:
    log_16 1 = b ⇒ (2^4)^b = 2^0 ⇒ 2^4b = 2^0 ⇒ 4b = 0 ⇒ b = 0;
  3. The answer is 0.

Task. Calculate the logarithm: log_7 14

  1. Write the base and the argument as powers of seven: 7 = 7^1; 14 cannot be represented as a power of seven, since 7^1 < 14 < 7^2;
  2. From the previous step it follows that the logarithm cannot be computed exactly;
  3. The answer is left unchanged: log_7 14.

A small note on the last example. How can you be sure that a number is not an exact power of another number? It is very simple: factor it into primes. If the factorization contains at least two different prime factors, the number is not an exact power.

Task. Find out whether the numbers are exact powers: 8; 48; 81; 35; 14 .

8 = 2 · 2 · 2 = 2^3 is an exact power, because there is only one prime factor;
48 = 6 · 8 = 3 · 2 · 2 · 2 · 2 = 3 · 2^4 is not an exact power, since there are two prime factors: 3 and 2;
81 = 9 · 9 = 3 · 3 · 3 · 3 = 3^4 is an exact power;
35 = 7 · 5 is again not an exact power;
14 = 7 · 2 is again not an exact power;

Note also that the prime numbers themselves are always exact powers of themselves.
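The three-step scheme and the factoring test above can be carried out mechanically. The following Python example is my own addition (not from the tutorial) and goes one step beyond it: by comparing the prime factorizations of the base and the argument it finds the exact logarithm whenever one exists, including fractional values such as log_4 8 = 3/2, and reports None when the logarithm is irrational and should be left as it is. The function names are my own.

```python
from fractions import Fraction


def factorize(n):
    """Prime factorization of a positive integer as {prime: exponent}, by trial division."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def is_exact_power(n):
    """The test from the note above: n is an exact power iff it has a single prime factor."""
    return len(factorize(n)) == 1


def exact_log(a, x):
    """log_a(x) as a Fraction when x is an exact rational power of a, otherwise None.
    Step 1 of the scheme (write both numbers over the same minimal base) is done by
    comparing prime factorizations; steps 2 and 3 reduce to dividing exponents."""
    if a <= 0 or x <= 0 or a == 1:
        raise ValueError("base and argument must be positive and the base must not be 1")
    if x == 1:
        return Fraction(0)          # a^0 = 1 for every admissible base
    fa, fx = factorize(a), factorize(x)
    if set(fa) != set(fx):
        return None                 # different primes: no exact power, logarithm is irrational
    # x = a^b requires exponent_x(q) = b * exponent_a(q) for every prime q, with one common b
    ratios = {Fraction(fx[q], fa[q]) for q in fa}
    return ratios.pop() if len(ratios) == 1 else None


if __name__ == "__main__":
    for a, x in [(5, 25), (4, 64), (16, 1), (7, 14), (4, 8), (6, 36)]:
        print(f"log_{a} {x} =", exact_log(a, x))
    print([n for n in (8, 48, 81, 35, 14) if is_exact_power(n)])
```

The four tasks above give 2, 3, 0 and None (so log_7 14 stays as written), and the list of exact powers among 8, 48, 81, 35, 14 is [8, 81]. The same routine is what the later section on computing discrete logarithms does not have: in a modular setting the factorization trick is unavailable, which is exactly why the discrete case is hard.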

Decimal logarithm

Some logarithms are so common that they have a special name and symbol.

The decimal logarithm of x is the logarithm to base 10, i.e. The power to which the number 10 must be raised to obtain the number x. Designation: lg x.

For example, lg 10 = 1; lg 100 = 2; lg 1000 = 3, and so on.

From now on, when a phrase like “Find lg 0.01” appears in a textbook, know that this is not a typo. This is a decimal logarithm. However, if you are unfamiliar with this notation, you can always rewrite it:
lg x = log_10 x

Everything that is true for ordinary logarithms is also true for decimal logarithms.

Natural logarithm

There is another logarithm that has its own designation. In some ways, it's even more important than decimal. We are talking about the natural logarithm.

The natural logarithm of x is the logarithm to base e, i.e. the power to which the number e must be raised to obtain the number x. Designation: ln x .

Many will ask: what is the number e? This is an irrational number; its exact value cannot be found and written down. I will give only the first figures:
e = 2.718281828459...

We will not go into detail about what this number is and why it is needed. Just remember that e is the base of the natural logarithm:
ln x = log_e x

Thus ln e = 1; ln e^2 = 2; ln e^16 = 16, and so on. On the other hand, ln 2 is an irrational number. In general, the natural logarithm of any rational number is irrational, except, of course, for one: ln 1 = 0.

For natural logarithms, all the rules that are true for ordinary logarithms are valid.

Discrete logarithm

The discrete logarithm (DLOG) problem is the problem of inverting the function g^x in some finite multiplicative group G.

Most often the discrete logarithm problem is considered in the group of invertible elements of a residue ring, in the multiplicative group of a finite field, or in the group of points of an elliptic curve over a finite field. Efficient algorithms for solving the discrete logarithm problem are not known in general.

For given g and a, a solution x of the equation g^x = a is called the discrete logarithm of the element a to the base g. When G is the group of invertible elements of the residue ring modulo m, the solution is also called the index of a to the base g. The index of a to the base g is guaranteed to exist if g is a primitive root modulo m.

Solving the discrete logarithm problem means finding some non-negative integer x satisfying equation (1). If the equation is solvable, it has at least one natural solution not exceeding the order of the group. This immediately gives a rough upper bound on the complexity of solving it: exhaustive search finds a solution in a number of steps not exceeding the order of the group.

Most often the case G = <g> is considered, that is, the group is cyclic and generated by the element g. In this case the equation always has a solution. For an arbitrary group, the solvability of the discrete logarithm problem, that is, the existence of solutions to equation (1), requires separate consideration.

Example

The easiest way is to consider the problem of discrete logarithm in the residue ring modulo a prime number.

Let the congruence 3^x ≡ 13 (mod 17) be given.

We solve the problem by brute force. Write out a table of all powers of the number 3, each time taking the remainder of division by 17 (for example, 3^3 = 27, and the remainder of 27 divided by 17 is 10).

3^1 ≡ 3    3^2 ≡ 9    3^3 ≡ 10   3^4 ≡ 13   3^5 ≡ 5    3^6 ≡ 15   3^7 ≡ 11   3^8 ≡ 16
3^9 ≡ 14   3^10 ≡ 8   3^11 ≡ 7   3^12 ≡ 4   3^13 ≡ 12  3^14 ≡ 2   3^15 ≡ 6   3^16 ≡ 1

Now it is easy to see that the solution of the congruence is x = 4, since 3^4 ≡ 13 (mod 17).

In practice, the modulus is usually a large enough number that the brute force method is too slow, so there is a need for faster algorithms.
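The following Python example is my own addition (not from the article or from the textbook section above) and serves two passages: it builds the Table 13.4 rows for Z7* with bases 3 and 5, and it solves the congruence 3^x ≡ 13 (mod 17) by the brute force of the example just given. It then goes one step further than the text, which only says that faster algorithms are needed: Shanks' baby-step giant-step method, which trades memory for time and finds the logarithm in about sqrt(p) group operations instead of p. All function names are my own; the 65537 check in the usage note is a constructed test value.

```python
from math import isqrt


def discrete_log_table(p, base):
    """A Table 13.4-style row: for every y in Z_p*, the exponent x in 1..p-1 with
    base^x ≡ y (mod p). The row is complete only when base is a primitive root mod p."""
    table = {}
    value = 1
    for x in range(1, p):
        value = value * base % p
        table.setdefault(value, x)          # keep the smallest exponent for each y
    return table


def dlog_bruteforce(g, a, p):
    """Exhaustive search of the example above: smallest x in 1..p-1 with g^x ≡ a (mod p),
    or None. Costs up to p-1 multiplications, which is hopeless for large p."""
    value = 1
    for x in range(1, p):
        value = value * g % p
        if value == a % p:
            return x
    return None


def dlog_bsgs(g, a, p):
    """Baby-step giant-step in Z_p* for prime p: O(sqrt(p)) multiplications and memory.
    Write x = i*m + j with m ≈ sqrt(p-1). Then g^x = a  <=>  g^j = a * g^(-m*i).
    Baby steps store g^j for 0 <= j < m; giant steps walk a, a*g^-m, a*g^-2m, ...
    until one lands in the table. Returns x in 1..p-1 (so the logarithm of 1 is
    p-1, the convention of Table 13.4), or None if a is not a power of g."""
    n = p - 1                               # order of Z_p*
    m = isqrt(n) + 1
    baby = {}
    value = 1
    for j in range(m):
        baby.setdefault(value, j)
        value = value * g % p
    g_inv = pow(g, p - 2, p)                # g^-1 by Fermat's little theorem
    factor = pow(g_inv, m, p)               # g^-m, the giant step
    gamma = a % p
    for i in range(m):
        if gamma in baby:
            x = (i * m + baby[gamma]) % n
            return x if x else n
        gamma = gamma * factor % p
    return None


if __name__ == "__main__":
    for base in (3, 5):
        row = discrete_log_table(7, base)
        print(f"x = L{base} y:", [row[y] for y in range(1, 7)])
    print("3^x = 13 mod 17: brute force", dlog_bruteforce(3, 13, 17),
          "bsgs", dlog_bsgs(3, 13, 17))
```

For p = 65537 with the primitive root 3, both routines return the same exponent, but brute force performs up to 65536 multiplications while baby-step giant-step needs 257 baby steps plus at most 257 giant steps. That sqrt(p) behaviour is the reason the "exponential complexity" algorithms of section 3.2.1 are usable only for small groups and why cryptographic moduli are hundreds of bits long.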

Solution algorithms

In an arbitrary multiplicative group

The article by Buchmann J., Jacobson M. J., Teske E., On some computational problems in finite abelian groups, is devoted to the solvability and solution of the discrete logarithm problem in an arbitrary finite Abelian group. The algorithm uses a table of pairs of elements and performs multiplications. It is slow and not suitable for practical use. Specific groups have their own, more efficient algorithms.

Another possibility for efficiently solving the discrete logarithm problem involves quantum computing. It has been proven theoretically that with a quantum computer the discrete logarithm can be computed in polynomial time. In any case, if a polynomial-time algorithm for the discrete logarithm were implemented, cryptosystems based on it would become unusable in practice.

Classic cryptographic schemes based on the hardness of the discrete logarithm problem are the Diffie-Hellman key exchange scheme, the ElGamal digital signature scheme, and the Massey-Omura cryptosystem for message transmission.

Links

  • Vasilenko O. N. Number-Theoretic Algorithms in Cryptography. Moscow: MTsNMO, 2003. 328 p. ISBN 5-94057-103-4
  • Koblitz N. A Course in Number Theory and Cryptography. Moscow: TVP, 2001. 254 p. ISBN 5-85484-014-6
  • Odlyzko A. M. Discrete logarithms in finite fields and their cryptographic significance // LNCS. 1984. Vol. 209. P. 224-316.
  • Buchmann J., Jacobson M. J., Teske E. On some computational problems in finite abelian groups // Mathematics of Computation. 1997. Vol. 66. No. 220. P. 1663-1687.
  • Article "Discrete logarithm" on the Scientific Network website
  • Review of methods for computing discrete logarithms (in English)
  • Nechaev V. I. On the complexity of a deterministic algorithm for the discrete logarithm // Mathematical Notes. 1994. Vol. 55. No. 2. P. 91-101.

Wikimedia Foundation. 2010.



3.2. In the ring of residues modulo prime

Consider the equation

where p is prime and b is not divisible by p. If a is a generator of the group, then equation (2) has a solution for every b. Such numbers a are also called primitive roots, and their number is φ(p − 1), where φ is Euler's totient function. The solution of equation (2) can also be written as an explicit formula; however, evaluating that formula costs more than brute-force search.

The following algorithm has complexity

Algorithm

End of the algorithm

There are also many other algorithms for solving the discrete logarithm problem in the field of residues modulo p. They are usually divided into exponential and subexponential algorithms. No polynomial-time algorithm for this problem is known.


3.2.1. Algorithms with exponential complexity


3.2.2. Subexponential algorithms

These algorithms have a subexponential bound on the number of arithmetic operations, in which c and d are constants. The efficiency of such an algorithm depends largely on how close c is to 1 and d to 0.

The best parameters for assessing complexity at the moment are , .

For numbers of a special type the result can be improved. In some cases it is possible to construct an algorithm whose constants are smaller. Because the constant c is then sufficiently close to 1, such algorithms can outperform the general algorithm.


3.3. In an arbitrary finite field

The problem is considered in the field GF(q), where q = p^n and p is prime.


3.4. In a group of points on an elliptic curve

We consider the group of points of an elliptic curve over a finite field. This group carries the operation of adding two points; then mP denotes P + P + ... + P (m times). The discrete logarithm problem on an elliptic curve is to find a natural number m such that

mP = A

for given points P and A.

Until 1990 there were no discrete logarithm algorithms that took into account the structural features of the group of points of an elliptic curve. Then Alfred J. Menezes, Tatsuaki Okamoto and Scott A. Vanstone proposed an algorithm using the Weil pairing. For an elliptic curve defined over a field GF(q), this algorithm reduces the discrete logarithm problem to the analogous problem in the field GF(q^k). However, this is useful only if the degree k is small. That condition is satisfied mainly by supersingular elliptic curves; in other cases such a reduction almost never leads to a subexponential algorithm.
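To make the definition mP = A concrete, here is an added Python example (my own, not from the article) with the affine group law on a toy curve, scalar multiplication by double-and-add, and the exhaustive search that solves the elliptic-curve discrete logarithm in this tiny group. The curve y^2 = x^3 + 2x + 2 over F_17 and the point P = (5, 1) are constructed parameters chosen for the example; all function names are my own.

```python
# Constructed toy curve E: y^2 = x^3 + A_COEF*x + B_COEF over F_P_MOD (example parameters)
P_MOD = 17
A_COEF, B_COEF = 2, 2
INF = None          # the point at infinity: identity element of the group


def on_curve(pt):
    """True if pt is INF or satisfies the curve equation modulo P_MOD."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P_MOD == 0


def ec_add(P, Q):
    """Group law: chord-and-tangent addition of two affine points.
    Inverses are computed as v^(p-2) by Fermat's little theorem (p prime)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                  # Q = -P, so P + Q = O
    if P == Q:                                      # doubling: tangent slope
        s = (3 * x1 * x1 + A_COEF) * pow(2 * y1, P_MOD - 2, P_MOD) % P_MOD
    else:                                           # distinct x: chord slope
        s = (y2 - y1) * pow(x2 - x1, P_MOD - 2, P_MOD) % P_MOD
    x3 = (s * s - x1 - x2) % P_MOD
    y3 = (s * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(m, P):
    """mP = P + P + ... + P (m times), by double-and-add in O(log m) group operations."""
    R, Q = INF, P
    while m > 0:
        if m & 1:
            R = ec_add(R, Q)
        Q = ec_add(Q, Q)
        m >>= 1
    return R


def point_order(P):
    """Smallest k >= 1 with kP = O."""
    k, Q = 1, P
    while Q is not INF:
        Q = ec_add(Q, P)
        k += 1
    return k


def ecdlp_bruteforce(P, A):
    """The elliptic-curve discrete logarithm: smallest m >= 1 with mP = A, or None if A
    is not a multiple of P. Feasible here only because the group has 19 elements."""
    Q = P
    for m in range(1, point_order(P) + 1):
        if Q == A:
            return m
        Q = ec_add(Q, P)
    return None


if __name__ == "__main__":
    P = (5, 1)
    assert on_curve(P)
    print("order of P:", point_order(P))
    A = scalar_mult(7, P)
    print("7P =", A, "-> log_P(A) =", ecdlp_bruteforce(P, A))
```

Computing mP from m takes a handful of additions even when m is large, while recovering m from mP by the search above costs up to the order of P operations, here 19. Real curves have group orders of 2^256 and more, and no reduction of the kind described in the paragraph above applies to them, which is exactly the asymmetry elliptic-curve cryptography relies on.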


4. Computational complexity and applications in cryptography

The discrete logarithm problem is one of the main problems on which public-key cryptography is built. Such systems rely on the high computational complexity of inverting certain number-theoretic functions: the discrete logarithm is the inverse of modular exponentiation. Exponentiation is easy to compute, whereas even the best known algorithms for the discrete logarithm have very high complexity, comparable to that of the fastest algorithms for factoring integers.
