| title | chunk | source | category | tags | date_saved | instance |
|---|---|---|---|---|---|---|
| Discrete logarithm | 3/3 | https://en.wikipedia.org/wiki/Discrete_logarithm | reference | science, encyclopedia | 2026-05-05T11:02:07.615506+00:00 | kb-cron |
* Baby-step giant-step
* Function field sieve
* Index calculus algorithm
* Number field sieve
* Pohlig–Hellman algorithm
* Pollard's rho algorithm for logarithms
* Pollard's kangaroo algorithm (aka Pollard's lambda algorithm)

There is an efficient quantum algorithm due to Peter Shor. Efficient classical algorithms also exist in certain special cases. For example, in the group of the integers modulo $p$ under addition, the power $b^{k}$ becomes a product $b \cdot k$, and equality means congruence modulo $p$ in the integers. The extended Euclidean algorithm finds $k$ quickly. With Diffie–Hellman, a cyclic group modulo a prime $p$ is used, allowing an efficient computation of the discrete logarithm with Pohlig–Hellman if the order of the group (being $p-1$) is sufficiently smooth, i.e. has no large prime factors.
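The two easy cases described above, worked through as an added example (this is not code from the Wikipedia article; the function names, the toy modulus 8101 and the other parameters are this example's own constructions). `additive_dlog` solves the additive-group case with one extended-Euclid inversion; `pohlig_hellman` solves $g^{x} \equiv h \pmod p$ for a generator $g$ of $\mathbf{Z}_p^{\times}$ by projecting into each prime-power subgroup of $p-1$, running baby-step giant-step there, and recombining with the Chinese remainder theorem, so its cost is governed by the largest prime factor of $p-1$ rather than by $p$:

```python
# Added example, not from the Wikipedia article: the two easy cases above,
# worked on small constructed parameters. Names and parameters are this
# example's own.
from math import isqrt


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def additive_dlog(b, h, p):
    """Additive group Z_p: 'b^k' is k*b, so k = h * b^(-1) mod p via egcd."""
    g, inv, _ = egcd(b % p, p)
    if g != 1:
        raise ValueError("b is not invertible modulo p")
    return h * inv % p


def factor(n):
    """Trial division into {prime: exponent}; adequate for the small p-1 used here."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def find_generator(p):
    """Smallest primitive root mod prime p: g^((p-1)/q) != 1 for every prime q | p-1."""
    n = p - 1
    for g in range(2, p):
        if all(pow(g, n // q, p) != 1 for q in factor(n)):
            return g
    raise ValueError("no generator found; is p prime?")


def bsgs(g, h, p, n):
    """Baby-step giant-step: x in [0, n) with g^x = h mod p, g of order n. O(sqrt(n))."""
    m = isqrt(n) + 1
    baby = {}
    cur = 1
    for j in range(m):                        # baby steps: g^j for j < m
        baby.setdefault(cur, j)
        cur = cur * g % p
    step = pow(pow(g, m, p), p - 2, p)        # g^(-m), inverse by Fermat (p prime)
    gamma = h % p
    for i in range(m):                        # giant steps: h * g^(-i*m)
        if gamma in baby:
            return (i * m + baby[gamma]) % n
        gamma = gamma * step % p
    raise ValueError("h is not in the subgroup generated by g")


def crt(residues, moduli):
    """Combine x = r_i (mod m_i) for pairwise coprime m_i (Garner's form)."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        _, inv, _ = egcd(M % m, m)
        x += M * ((r - x) * inv % m)
        M *= m
    return x % M


def pohlig_hellman(g, h, p):
    """Solve g^x = h mod p for a generator g of Z_p^*; the work is bounded by the
    largest prime factor of p-1, which is why a smooth p-1 is dangerous."""
    n = p - 1
    residues, moduli = [], []
    for q, e in factor(n).items():
        qe = q ** e
        g_q, h_q = pow(g, n // qe, p), pow(h, n // qe, p)   # project to the order-q^e subgroup
        gamma = pow(g_q, q ** (e - 1), p)                   # element of prime order q
        inv_g = pow(g_q, p - 2, p)
        x = 0
        for k in range(e):                                  # base-q digits of x mod q^e
            hk = pow(pow(inv_g, x, p) * h_q % p, q ** (e - 1 - k), p)
            x += bsgs(gamma, hk, p, q) * q ** k
        residues.append(x)
        moduli.append(qe)
    return crt(residues, moduli)


if __name__ == "__main__":
    print(additive_dlog(5, 16, 23))                      # 17, since 17*5 = 85 = 16 mod 23
    p = 8101                                             # constructed: p-1 = 2^2 * 3^4 * 5^2 is smooth
    g = find_generator(p)
    print(g, pohlig_hellman(g, pow(g, 1234, p), p))     # 1234 recovered
```

The largest subproblem `bsgs` ever sees here has order 5, so the 8101-element group falls in a handful of table lookups; the same code against a prime whose $p-1$ has a large prime factor would spend almost all its time in that one subgroup, which is the smoothness condition the text refers to.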
== Comparison with integer factorization ==
While computing discrete logarithms and integer factorization are distinct problems, they share some properties:
* both are special cases of the hidden subgroup problem for finite abelian groups,
* both problems seem to be difficult (no efficient algorithms are known for non-quantum computers),
* for both problems efficient algorithms on quantum computers are known,
* algorithms from one problem are often adapted to the other, and
* the difficulty of both problems has been used to construct various cryptographic systems.
== Cryptography ==
There exist groups for which computing discrete logarithms is apparently difficult. In some cases (e.g. large prime order subgroups of groups $\mathbf{Z}_{p}^{\times}$) there is not only no efficient algorithm known for the worst case, but the average-case complexity can be shown to be about as hard as the worst case using random self-reducibility. At the same time, the inverse problem of discrete exponentiation is not difficult (it can be computed efficiently using exponentiation by squaring, for example). This asymmetry is analogous to the one between integer factorization and integer multiplication. Both asymmetries (and other possibly one-way functions) have been exploited in the construction of cryptographic systems.

Popular choices for the group $G$ in discrete logarithm cryptography (DLC) are the cyclic groups $\mathbf{Z}_{p}^{\times}$ (e.g. ElGamal encryption, Diffie–Hellman key exchange, and the Digital Signature Algorithm) and cyclic subgroups of elliptic curves over finite fields (see Elliptic curve cryptography).

While there is no publicly known algorithm for solving the discrete logarithm problem in general, the first three steps of the number field sieve algorithm only depend on the group $G$, not on the specific elements of $G$ whose finite $\log$ is desired. By precomputing these three steps for a specific group, one need only carry out the last step, which is much less computationally expensive than the first three, to obtain a specific logarithm in that group. It turns out that much internet traffic uses one of a handful of groups that are of order 1024 bits or less, e.g. cyclic groups with order of the Oakley primes specified in RFC 2409. The Logjam attack used this vulnerability to compromise a variety of internet services that allowed the use of groups whose order was a 512-bit prime number, so-called export grade. The authors of the Logjam attack estimate that the much more difficult precomputation needed to solve the discrete log problem for a 1024-bit prime would be within the budget of a large national intelligence agency such as the U.S. National Security Agency (NSA). The Logjam authors speculate that precomputation against widely reused 1024-bit DH primes is behind claims in leaked NSA documents that NSA is able to break much of current cryptography.
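The two weaknesses this section and the preceding one describe, a modulus small enough for one-off precomputation and a group order smooth enough for Pohlig–Hellman, are both things an operator can test for before accepting a Diffie–Hellman group. The following is an added example of such a check; it is not code from the Wikipedia article or from the Logjam authors. The function names, the wording of the findings and the 2048-bit default floor are this example's own choices, and the toy moduli in the demo are constructed values, not real deployed groups:

```python
# Added example, not from the Wikipedia article: a parameter check a server
# operator can run on a Diffie-Hellman group before accepting it. Function
# names, the findings text and the 2048-bit floor are this example's choices.
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin: quick small-prime pass, then `rounds` random witnesses."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                       # composite witness found
    return True


def check_dh_group(p, g, min_bits=2048):
    """Return a list of findings for the DH group (p, g); empty means acceptable.

    Checks, in the order the text motivates them:
      1. size: a small, widely shared modulus is exposed to one-off NFS
         precomputation (the Logjam scenario for 512-bit export groups);
      2. p prime;
      3. p a safe prime, so the subgroup order q = (p-1)/2 is a large prime
         and Pohlig-Hellman cannot split the problem into small pieces;
      4. g generates the order-q subgroup rather than a tiny one.
    """
    findings = []
    bits = p.bit_length()
    if bits < min_bits:
        findings.append(f"modulus is {bits} bits, below the {min_bits}-bit floor")
    if not is_probable_prime(p):
        findings.append("modulus is not prime")
        return findings                        # the remaining checks assume a prime p
    q = (p - 1) // 2
    if not is_probable_prime(q):
        findings.append("(p-1)/2 is not prime: p is not a safe prime, "
                        "so p-1 may be smooth and Pohlig-Hellman applies")
        return findings
    if not 1 < g < p - 1 or pow(g, q, p) != 1:
        findings.append("g does not generate the prime-order subgroup of order (p-1)/2")
    return findings


if __name__ == "__main__":
    # Constructed toy values: 23 is a safe prime (11 is prime) and 2 has order 11 mod 23.
    print(check_dh_group(23, 2, min_bits=5))          # [] -> acceptable at this toy size
    print(check_dh_group(23, 2, min_bits=8))          # too small for the floor
    print(check_dh_group(31, 3, min_bits=5))          # 30 = 2*3*5 is smooth: not a safe prime
    print(check_dh_group(23, 22, min_bits=5))         # 22 = -1 has order 2
```

The size check is deliberately first and independent of the others: a 512-bit or 1024-bit group can be perfectly well-formed (prime, safe, correct generator) and still be the shared target that the precomputation described above amortises over every connection using it, which is why the floor is a policy value passed in rather than something derived from the group itself.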
== See also ==
* A. W. Faber Model 366
* Percy Ludgate and Irish logarithm
== References ==
== Further reading ==
* Richard Crandall; Carl Pomerance. Chapter 5, Prime Numbers: A computational perspective, 2nd ed., Springer.
* Stinson, Douglas Robert (2006). Cryptography: Theory and Practice (3 ed.). London, UK: CRC Press. ISBN 978-1-58488-508-5.