
| title | chunk | source | category | tags | date_saved | instance |
|---|---|---|---|---|---|---|
| Discrete logarithm | 2/3 | https://en.wikipedia.org/wiki/Discrete_logarithm | reference | science, encyclopedia | 2026-05-05T11:02:07.615506+00:00 | kb-cron |

=== Modular arithmetic ===

One of the simplest settings for discrete logarithms is the group $\mathbf{Z}_p^{\times}$. This is the group of multiplication modulo the prime $p$. Its elements are the non-zero congruence classes modulo $p$, and the group product of two elements may be obtained by ordinary integer multiplication of the elements followed by reduction modulo $p$. The $k$th power of one of the numbers in this group may be computed by finding its $k$th power as an integer and then finding the remainder after division by $p$. When the numbers involved are large, it is more efficient to reduce modulo $p$ multiple times during the computation. Regardless of the specific algorithm used, this operation is called modular exponentiation. For example, consider $\mathbf{Z}_{17}^{\times}$. To compute $3^4$ in this group, compute $3^4 = 81$, and then divide $81$ by $17$, obtaining a remainder of $13$. Thus $3^4 = 13$ in the group $\mathbf{Z}_{17}^{\times}$.

The discrete logarithm is just the inverse operation. For example, consider the equation $3^k \equiv 13 \pmod{17}$. From the example above, one solution is $k = 4$, but it is not the only solution. Since $3^{16} \equiv 1 \pmod{17}$ (as follows from Fermat's little theorem), it also follows that if $n$ is an integer then

$$3^{4+16n} \equiv 3^{4} \cdot (3^{16})^{n} \equiv 3^{4} \cdot 1^{n} \equiv 3^{4} \equiv 13 \pmod{17}.$$

Hence the equation has infinitely many solutions of the form $4 + 16n$. Moreover, because $16$ is the smallest positive integer $m$ satisfying $3^m \equiv 1 \pmod{17}$, these are the only solutions. Equivalently, the set of all possible solutions can be expressed by the constraint that $k \equiv 4 \pmod{16}$.
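The computation above, as an added Python example that is not part of the Wikipedia article: square-and-multiply exponentiation that reduces modulo $p$ after every product (so intermediate values never exceed $p^2$), the order of $3$ in $\mathbf{Z}_{17}^{\times}$, and a direct check that the solutions of $3^k \equiv 13 \pmod{17}$ are exactly the $k \equiv 4 \pmod{16}$. The function names are this example's own.

```python
# Added example (not from the article): modular exponentiation with
# reduction at every step, and the solution set of 3^k ≡ 13 (mod 17).

def mod_pow(base: int, exp: int, p: int) -> int:
    """Square-and-multiply. Every intermediate product is reduced mod p,
    so the integers stay below p*p instead of growing to base**exp."""
    result, base = 1, base % p
    while exp > 0:
        if exp & 1:                    # current low bit set: multiply in
            result = result * base % p
        base = base * base % p         # square for the next bit
        exp >>= 1
    return result

def multiplicative_order(b: int, p: int) -> int:
    """Smallest m >= 1 with b^m ≡ 1 (mod p); exists whenever gcd(b, p) = 1."""
    x, m = b % p, 1
    while x != 1:
        x = x * b % p
        m += 1
    return m

def dlog_solutions(b: int, a: int, p: int, limit: int) -> list:
    """All k in [0, limit) with b^k ≡ a (mod p), found by direct evaluation.
    Only sensible for toy moduli; it is the solution *set*, not a fast solver."""
    return [k for k in range(limit) if mod_pow(b, k, p) == a]

if __name__ == "__main__":
    print(mod_pow(3, 4, 17))              # 13, matching 81 mod 17
    print(multiplicative_order(3, 17))    # 16
    print(dlog_solutions(3, 13, 17, 64))  # [4, 20, 36, 52]: k ≡ 4 (mod 16)
```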

=== Powers of the identity ===

In the special case where $b$ is the identity element $1$ of the group $G$, the discrete logarithm $\log_b a$ is undefined for $a$ other than $1$, and every integer $k$ is a discrete logarithm for $a = 1$.

== Properties ==

Powers obey the usual algebraic identity $b^{k+l} = b^{k} \cdot b^{l}$. In other words, the function $f\colon \mathbf{Z} \to G$ defined by $f(k) = b^{k}$ is a group homomorphism from the group of integers $\mathbf{Z}$ under addition onto the subgroup $H$ of $G$ generated by $b$. For all $a$ in $H$, $\log_b a$ exists. Conversely, $\log_b a$ does not exist for $a$ that are not in $H$.

If $H$ is infinite, then $\log_b a$ is also unique, and the discrete logarithm amounts to a group isomorphism $\log_b\colon H \to \mathbf{Z}$. On the other hand, if $H$ is finite of order $n$, then $\log_b a$ is unique only up to congruence modulo $n$, and the discrete logarithm amounts to a group isomorphism $\log_b\colon H \to \mathbf{Z}_n$, where $\mathbf{Z}_n$ denotes the additive group of integers modulo $n$.

The familiar base change formula for ordinary logarithms remains valid: if $c$ is another generator of $H$, then $\log_c a = \log_c b \cdot \log_b a$.
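The properties of this section and of the "Powers of the identity" section above, as an added Python example that is not from the article: the subgroup $H = \langle b \rangle$ of $\mathbf{Z}_{17}^{\times}$, $\log_b$ as a map $H \to \mathbf{Z}_n$ with $n = |H|$ that is undefined outside $H$, the homomorphism property $\log_b(xy) \equiv \log_b x + \log_b y \pmod n$, and the base change formula between two generators $b = 3$ and $c = 5$ (both generate all of $\mathbf{Z}_{17}^{\times}$). The function names are this example's own.

```python
# Added example (not from the article): H = <b> in Z_p^x, log_b as a map
# H -> Z_n, the homomorphism property, and the base change formula.

def subgroup_generated(b: int, p: int) -> list:
    """Elements of H = {b^0, b^1, ...} in Z_p^x, listed by exponent;
    len(H) is the order n of b. Requires gcd(b, p) = 1 to terminate."""
    elems, x = [], 1
    while True:
        elems.append(x)
        x = x * b % p
        if x == 1:
            return elems

def dlog(b: int, a: int, p: int):
    """log_b a as the representative in [0, n) of its class in Z_n,
    or None when a lies outside H = <b> (no logarithm exists)."""
    elems = subgroup_generated(b, p)
    return elems.index(a % p) if a % p in elems else None

def check_homomorphism(b: int, p: int) -> bool:
    """log_b(x*y) ≡ log_b x + log_b y (mod n) for every x, y in H."""
    H = subgroup_generated(b, p)
    n = len(H)
    return all(dlog(b, x * y % p, p) == (dlog(b, x, p) + dlog(b, y, p)) % n
               for x in H for y in H)

def check_base_change(b: int, c: int, p: int) -> bool:
    """log_c a ≡ log_c b * log_b a (mod n) for every a in H, provided
    c generates the same subgroup H as b; False otherwise."""
    H = subgroup_generated(b, p)
    n = len(H)
    if set(subgroup_generated(c, p)) != set(H):
        return False
    return all(dlog(c, a, p) == dlog(c, b, p) * dlog(b, a, p) % n for a in H)

if __name__ == "__main__":
    print(dlog(3, 13, 17), dlog(5, 3, 17), dlog(5, 13, 17))  # 4 13 4
    print(dlog(2, 3, 17))          # None: 2 has order 8 and 3 is not in <2>
    print(dlog(1, 1, 17), dlog(1, 5, 17))  # 0 None: b = 1, H = {1}, n = 1
    print(check_homomorphism(3, 17), check_base_change(3, 5, 17))  # True True
```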

== Algorithms ==

The discrete logarithm problem is considered to be computationally intractable. For a classical (i.e., non-quantum) computer, no efficient (polynomial-time) algorithm is yet known for computing discrete logarithms in general. A general algorithm for computing $\log_b a$ in finite groups $G$ is to raise $b$ to larger and larger powers $k$ until the desired $a$ is found. This algorithm is sometimes called trial multiplication. It requires running time linear in the size of the group $G$ and thus exponential in the number of digits in the size of the group. Therefore, it is an exponential-time algorithm, practical only for small groups $G$.

More sophisticated algorithms exist, usually inspired by similar algorithms for integer factorization. These algorithms run faster than the naïve algorithm, some of them proportional to the square root of the size of the group, and thus exponential in half the number of digits in the size of the group. However, none of them runs in polynomial time (in the number of digits in the size of the group).
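Trial multiplication beside one of the square-root algorithms the text alludes to (Shanks's baby-step giant-step, which the article does not name), as an added Python example that is not from the article. Both solve $b^k \equiv a \pmod p$ in $\mathbf{Z}_p^{\times}$ for the constructed toy parameters $p = 10007$, $b = 5$ and return the smallest $k$ together with the number of group multiplications, so the linear versus square-root cost is visible directly. Toy-sized on purpose: in real groups this is the cost the security of Diffie-Hellman and DSA rests on.

```python
# Added example (not from the article): trial multiplication vs.
# baby-step giant-step (BSGS) in Z_p^x, counting group multiplications.
from math import isqrt

def dlog_trial(b: int, a: int, p: int):
    """Raise b to 0, 1, 2, ... until a appears: up to p-2 multiplications.
    Returns (k, multiplications), or (None, multiplications) if a is not in <b>."""
    x, ops = 1, 0
    for k in range(p - 1):             # ord(b) divides p-1, so this range suffices
        if x == a:
            return k, ops
        x, ops = x * b % p, ops + 1
    return None, ops

def dlog_bsgs(b: int, a: int, p: int):
    """Baby steps tabulate b^j for j < m = ceil(sqrt(p-1)); giant steps multiply
    a by b^(-m) repeatedly and look each value up, so k = i*m + j.
    About 2*sqrt(p) multiplications and sqrt(p) table entries."""
    m = isqrt(p - 1) + 1
    table, x, ops = {}, 1, 0
    for j in range(m):                 # baby steps
        table.setdefault(x, j)         # keep the smallest exponent per element
        x, ops = x * b % p, ops + 1
    step = pow(b, -m, p)               # modular inverse of b^m (Python 3.8+)
    gamma = a % p
    for i in range(m):                 # giant steps
        if gamma in table:
            return i * m + table[gamma], ops
        gamma, ops = gamma * step % p, ops + 1
    return None, ops

if __name__ == "__main__":
    p, b, secret = 10007, 5, 8642      # constructed toy parameters
    a = pow(b, secret, p)              # a = b^secret; recover secret from a
    print(dlog_trial(b, a, p))         # thousands of multiplications
    print(dlog_bsgs(b, a, p))          # same k, under 2*(isqrt(p-1)+1) of them
```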