Discrete logarithm
{{Short description|The problem of inverting exponentiation in groups}}
{{Use dmy dates|date=August 2023|cs1-dates=y}}
In [[mathematics]], for given [[real number]]s <math>a</math> and <math>b</math>, the [[logarithm]] <math>\log_b(a)</math> is a number <math>x</math> such that <math>b^x=a</math>. Analogously, in any [[group (mathematics)|group]] <math>G</math>, powers <math>b^k</math> can be defined for all [[integer]]s <math>k</math>, and the '''discrete logarithm''' <math>\log_b(a)</math> is an integer <math>k</math> such that <math>b^k=a</math>. In [[modular arithmetic|arithmetic modulo]] an integer <math>m</math>, the more commonly used term is '''index''': one can write <math>k=\operatorname{ind}_b a \pmod{m}</math> (read "the index of <math>a</math> to the base <math>b</math> modulo <math>m</math>") for <math>b^k \equiv a \pmod{m}</math> if <math>b</math> is a [[primitive root modulo n|primitive root]] of <math>m</math> and <math>\gcd(a,m)=1</math>.

Discrete logarithms are quickly computable in a few special cases. However, no efficient method is known for computing them in general. In cryptography, the computational complexity of the discrete logarithm problem, along with its application, was first proposed in the [[Diffie–Hellman problem]]. Several important [[algorithm]]s in [[public-key cryptography]], such as [[ElGamal cryptosystem|ElGamal]], base their security on the [[computational hardness assumption|hardness assumption]] that the discrete logarithm problem (DLP) over carefully chosen groups has no efficient solution.<ref>{{Cite book |author-first1=A. J. |author-last1=Menezes |title=Handbook of Applied Cryptography |author-first2=P. C. |author-last2=van Oorschot |author-first3=S. A. |author-last3=Vanstone |publisher=[[CRC Press]] |chapter=Chapter 8.4 ElGamal public-key encryption |chapter-url=https://cacr.uwaterloo.ca/hac/about/chap8.pdf}}</ref>

== Definition ==
Let <math>G</math> be any group. Denote its [[group operation]] by multiplication and its [[identity element]] by <math>1</math>. Let <math>b</math> be any element of <math>G</math>. For any positive integer <math>k</math>, the expression <math>b^k</math> denotes the product of <math>b</math> with itself <math>k</math> times:<ref name=":0">{{Cite book |author-last1=Lam |url=https://link.springer.com/book/10.1007/978-3-0348-8295-8 |title=Cryptography and Computational Number Theory |author-last2=Shparlinski |author-last3=Wang |author-last4=Xing |editor-first1=Kwok-Yan |editor-first2=Igor |editor-first3=Huaxiong |editor-first4=Chaoping |editor-last1=Lam |editor-last2=Shparlinski |editor-last3=Wang |editor-last4=Xing |publisher=[[Birkhäuser Basel]] |isbn=978-3-7643-6510-3 |edition=1 |series=Progress in Computer Science and Applied Logic |date=2001 |pages=54–56 |language=en |doi=10.1007/978-3-0348-8295-8 |eissn=2297-0584 |issn=2297-0576}}</ref>
:<math>b^k = \underbrace{b \cdot b \cdot \ldots \cdot b}_{k \; \text{factors}}.</math>
Similarly, let <math>b^{-k}</math> denote the product of <math>b^{-1}</math> with itself <math>k</math> times. For <math>k=0</math>, the <math>k</math><sup>th</sup> power is the identity: <math>b^0=1</math>.

Let <math>a</math> also be an element of <math>G</math>. An integer <math>k</math> that solves the equation <math>b^k=a</math> is termed a '''discrete logarithm''' (or simply '''logarithm''', in this context) of <math>a</math> to the base <math>b</math>. One writes <math>k=\log_b a</math>.

== Examples ==

=== Powers of 10 ===
The [[power of 10|powers of 10]] are
:<math>\ldots, 0.001, 0.01, 0.1, 1, 10, 100, 1000, \ldots.</math>
For any number <math>a</math> in this list, one can compute <math>\log_{10}a</math>. For example, <math>\log_{10}{10000}=4</math>, and <math>\log_{10}{0.001}=-3</math>. These are instances of the discrete logarithm problem.

Other base-10 logarithms in the real numbers are not instances of the discrete logarithm problem, because they involve non-integer exponents. For example, the equation <math>\log_{10}{53}=1.724276\ldots</math> means that <math>53=10^{1.724276\ldots}</math>. While integer exponents can be defined in any group using products and inverses, arbitrary real exponents, such as this 1.724276…, require other concepts such as the [[exponential function]].

In [[group-theoretic]] terms, the powers of 10 form a [[cyclic group]] <math>G</math> under multiplication, and 10 is a [[cyclic group|generator]] for this group. The discrete logarithm <math>\log_{10}a</math> is defined for any <math>a</math> in <math>G</math>.

=== Powers of a fixed real number ===
A similar example holds for any non-zero real number <math>b</math>. The powers form a multiplicative [[subgroup]] <math>G = \{\ldots , b^{-2}, b^{-1}, 1, b^{1}, b^{2}, \ldots \}</math> of the non-zero real numbers. For any element <math>a</math> of <math>G</math>, one can compute <math>\log_b a</math>.

=== Modular arithmetic ===
One of the simplest settings for discrete logarithms is the group [[multiplicative group of integers modulo n|'''Z'''<sub>''p''</sub><sup>×</sup>]]. This is the group of multiplication [[modular arithmetic|modulo]] the [[prime number|prime]] <math>p</math>. Its elements are the non-zero [[Modular arithmetic#Congruence class|congruence classes]] modulo <math>p</math>, and the group product of two elements may be obtained by ordinary integer multiplication of the elements followed by reduction modulo <math>p</math>.

The <math>k</math><sup>th</sup> [[exponentiation|power]] of one of the numbers in this group may be computed by finding its <math>k</math><sup>th</sup> power as an integer and then finding the remainder after division by <math>p</math>. When the numbers involved are large, it is more efficient to reduce modulo <math>p</math> multiple times during the computation. Regardless of the specific algorithm used, this operation is called [[modular exponentiation]]. For example, consider '''Z'''<sub>17</sub><sup>×</sup>. To compute <math>3^4</math> in this group, compute <math>3^4=81</math>, and then divide <math>81</math> by <math>17</math>, obtaining a remainder of <math>13</math>. Thus <math>3^4=13</math> in the group '''Z'''<sub>17</sub><sup>×</sup>.

The discrete logarithm is just the inverse operation. For example, consider the equation <math>3^k \equiv 13 \pmod{17}</math>. From the example above, one solution is <math>k=4</math>, but it is not the only solution. Since <math>3^{16}\equiv 1 \pmod{17}</math>, as follows from [[Fermat's little theorem]], it also follows that if <math>n</math> is an integer then <math>3^{4+16n}\equiv 3^4\cdot (3^{16})^n \equiv 3^4 \cdot 1^n \equiv 3^4 \equiv 13 \pmod{17}</math>. Hence the equation has infinitely many solutions of the form <math>4+16n</math>. Moreover, because <math>16</math> is the smallest positive integer <math>m</math> satisfying <math>3^m\equiv 1 \pmod{17}</math>, these are the only solutions. Equivalently, the set of all possible solutions can be expressed by the constraint that <math>k\equiv 4 \pmod{16}</math>.

=== Powers of the identity ===
In the special case where <math>b</math> is the identity element <math>1</math> of the group <math>G</math>, the discrete logarithm <math>\log_b a</math> is undefined for <math>a</math> other than <math>1</math>, and every integer <math>k</math> is a discrete logarithm for <math>a=1</math>.
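The '''Z'''<sub>17</sub><sup>×</sup> computation above, written out in Python as an added example (this code is not part of the article): modular exponentiation that reduces after every multiplication, as the text recommends for large numbers, and a search through the powers of the base (the ''trial multiplication'' of the Algorithms section) that returns the whole residue class of solutions, <math>k\equiv 4 \pmod{16}</math>, and also reproduces the identity-base case. The function names <code>mod_pow</code> and <code>dlog_all</code> are the example's own.

```python
# Added example (not part of the article): the Z_17^x computation above, done the
# way the text describes.  mod_pow() reduces modulo p after every multiplication
# instead of forming b^k as a huge integer first; dlog_all() finds a discrete
# logarithm by trial multiplication and, from the order of the base, returns the
# residue class containing every solution (k = 4 (mod 16) for 3^k = 13 in Z_17^x).


def mod_pow(b, k, p):
    """b^k mod p for k >= 0 by square-and-multiply, reducing after each step."""
    result, base = 1, b % p
    while k > 0:
        if k & 1:                   # this bit of k is set: multiply it in
            result = result * base % p
        base = base * base % p      # b^(2^i) for the next bit
        k >>= 1
    return result


def dlog_all(b, a, p):
    """Solve b^k = a (mod p) for a prime p and b not divisible by p.

    Returns (k, n) meaning that the solutions are exactly the integers k + n*t,
    where n is the order of b, or None when a is not a power of b.  This is
    trial multiplication: linear in the group size, so only usable for small p.
    """
    b %= p
    a %= p
    if b == 0:
        raise ValueError("b must be a unit modulo p")
    cur, k, found = 1, 0, None
    while True:
        if cur == a and found is None:
            found = k               # smallest non-negative solution
        cur = cur * b % p
        k += 1
        if cur == 1:                # b^k = 1: k is the order of b, cycle done
            break
    return None if found is None else (found, k)


if __name__ == "__main__":
    print(mod_pow(3, 4, 17))        # 13
    print(dlog_all(3, 13, 17))      # (4, 16): every solution is k = 4 + 16*t
    print(dlog_all(1, 5, 17))       # None: a log to the identity base is undefined
```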
== Properties ==
Powers obey the usual algebraic identity <math>b^{k+l}=b^k\cdot b^l</math>.<ref name=":0" /> In other words, the [[function (mathematics)|function]]
:<math>f \colon \mathbf{Z} \to G</math>
defined by <math>f(k)=b^k</math> is a [[group homomorphism]] from the group of integers <math>\mathbf{Z}</math> under addition [[Surjection|onto]] the [[subgroup]] <math>H</math> of <math>G</math> [[generating set of a group|generated]] by <math>b</math>. For all <math>a</math> in <math>H</math>, <math>\log_b a</math> exists. [[Converse (logic)|Conversely]], <math>\log_b a</math> does not exist for <math>a</math> that are not in <math>H</math>.

If <math>H</math> is [[infinite group|infinite]], then <math>\log_b a</math> is also unique, and the discrete logarithm amounts to a [[group isomorphism]]
:<math>\log_b \colon H \to \mathbf{Z}.</math>
On the other hand, if <math>H</math> is [[finite group|finite]] of [[order of a group|order]] <math>n</math>, then <math>\log_b a</math> is unique only up to [[modular arithmetic|congruence modulo]] <math>n</math>, and the discrete logarithm amounts to a group isomorphism
:<math>\log_b\colon H \to \mathbf{Z}_n,</math>
where <math>\mathbf{Z}_n</math> denotes the additive group of integers modulo <math>n</math>.

The familiar base change formula for ordinary logarithms remains valid: if <math>c</math> is another generator of <math>H</math>, then
:<math>\log_c a = \log_c b \cdot \log_b a.</math>

== Algorithms ==
{{See also|Discrete logarithm records}}
{{unsolved|computer science|Can the discrete logarithm be computed in polynomial time on a classical computer?}}
The discrete logarithm problem is considered to be computationally intractable. That is, no efficient classical algorithm is known for computing discrete logarithms in general.
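Two of the generic algorithms this section goes on to list, [[Baby-step giant-step|baby-step giant-step]] and [[Pohlig–Hellman algorithm|Pohlig–Hellman]], as an added Python example that is not part of the article. It shows the square-root running time of baby-step giant-step and why, as the section notes for Diffie–Hellman, a group of smooth order gives no real protection: Pohlig–Hellman reduces the problem to logarithms in small prime-power subgroups. The function names and the sample prime 211 (whose order 210 = 2·3·5·7 is smooth, with generator 2) are the example's own choices.

```python
# Added example (not part of the article): two of the generic algorithms listed in
# this section, over Z_p^x.  bsgs() is baby-step giant-step, about sqrt(n) group
# operations for a base of order n.  pohlig_hellman() splits a log in a group of
# smooth order into logs in small prime-power subgroups and recombines them by the
# Chinese remainder theorem, which is why a smooth p-1 makes Diffie-Hellman weak.
from math import isqrt


def bsgs(b, a, p, n):
    """Return k in [0, n) with b^k = a (mod p), where b has order n modulo p."""
    m = isqrt(n) + 1
    baby, cur = {}, 1
    for j in range(m):                 # baby steps: table mapping b^j -> j
        baby.setdefault(cur, j)
        cur = cur * b % p
    step = pow(b, -m, p)               # b^(-m): a negative exponent inverts mod p
    gamma = a % p
    for i in range(m):                 # giant steps: a*b^(-i*m) == b^j  =>  k = i*m + j
        if gamma in baby:
            return (i * m + baby[gamma]) % n
        gamma = gamma * step % p
    return None                        # a is not in the subgroup generated by b


def factorize(n):
    """Trial-division factorization of n as {prime: exponent}; fine for small n."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def pohlig_hellman(b, a, p, n):
    """Return k in [0, n) with b^k = a (mod p), where b has order n modulo p."""
    residues = []
    for q, e in factorize(n).items():
        qe = q ** e
        # raising to the power n/q^e projects b and a into the subgroup of order
        # q^e; there k only matters modulo q^e, so the bsgs table is tiny
        r = bsgs(pow(b, n // qe, p), pow(a, n // qe, p), p, qe)
        if r is None:
            return None
        residues.append((r, qe))
    k, mod = 0, 1                      # Chinese remainder theorem recombination
    for r, m in residues:
        k += mod * ((r - k) * pow(mod, -1, m) % m)
        mod *= m
    return k % n

print(bsgs(3, 13, 17, 16), pohlig_hellman(2, pow(2, 123, 211), 211, 210))  # 4 123
```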
A general algorithm for computing <math>\log_b a</math> in finite groups <math>G</math> is to raise <math>b</math> to larger and larger powers <math>k</math> until the desired <math>a</math> is found. This algorithm is sometimes called ''trial multiplication''. It requires [[running time]] [[linear time|linear]] in the size of the group <math>G</math> and thus [[exponential time|exponential]] in the number of digits in the size of the group. Therefore, it is an exponential-time algorithm, practical only for small groups <math>G</math>.

More sophisticated algorithms exist, usually inspired by similar algorithms for [[integer factorization]]. These algorithms run faster than the naïve algorithm, some of them proportional to the [[square root]] of the size of the group, and thus exponential in half the number of digits in the size of the group. However, none of them runs in [[polynomial time]] (in the number of digits in the size of the group).
* [[Baby-step giant-step]]
* [[Function field sieve]]
* [[Index calculus algorithm]]
* [[General number field sieve|Number field sieve]]
* [[Pohlig–Hellman algorithm]]
* [[Pollard's rho algorithm for logarithms]]
* [[Pollard's kangaroo algorithm]] (also known as Pollard's lambda algorithm)

There is an efficient [[Shor's algorithm|quantum algorithm]] due to [[Peter Shor]].<ref>{{cite journal |arxiv=quant-ph/9508027 |title=Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer |author-first=Peter |author-last=Shor |journal=SIAM Journal on Computing |volume=26 |issue=5 |date=1997 |pages=1484–1509 |doi=10.1137/s0097539795293172 |mr=1471990 |s2cid=2337707}}</ref>

Efficient classical algorithms also exist in certain special cases. For example, in the group of the integers modulo <math>p</math> under addition, the power <math>b^k</math> becomes a product <math>b \cdot k</math>, and equality means congruence modulo <math>p</math> in the integers. The [[extended Euclidean algorithm]] finds <math>k</math> quickly.

With [[Diffie–Hellman key exchange|Diffie–Hellman]], a cyclic group modulo a prime <math>p</math> is used, allowing an efficient computation of the discrete logarithm with Pohlig–Hellman if the order of the group (being <math>p-1</math>) is sufficiently [[smooth number|smooth]], i.e. has no large [[prime factor]]s.

== Comparison with integer factorization ==
While computing discrete logarithms and integer factorization are distinct problems, they share some properties:
* both are special cases of the [[hidden subgroup problem]] for [[finite abelian group]]s,
* both problems seem to be difficult (no efficient algorithms are known for non-[[quantum computer]]s),
* for both problems efficient algorithms on quantum computers are known,
* algorithms from one problem are often adapted to the other, and
* the difficulty of both problems has been used to construct various [[cryptographic]] systems.

== Cryptography ==
There exist groups for which computing discrete logarithms is apparently difficult. In some cases (e.g. large prime order subgroups of groups <math>\mathbf{Z}_p^\times</math>) there is not only no efficient algorithm known for the worst case, but the [[average-case complexity]] can be shown to be about as hard as the worst case using [[random self-reducibility]].<ref>{{Cite journal |author-last1=Blake |author-first1=Ian F. |author-last2=Garefalakis |author-first2=Theo |date=2004-04-01 |title=On the complexity of the discrete logarithm and Diffie–Hellman problems |journal=Journal of Complexity |series=Festschrift for Harald Niederreiter, Special Issue on Coding and Cryptography |language=en |volume=20 |issue=2 |pages=148–170 |doi=10.1016/j.jco.2004.01.002 |issn=0885-064X |doi-access=free}}</ref>

At the same time, the inverse problem of discrete exponentiation is not difficult (it can be computed efficiently using [[exponentiation by squaring]], for example). This asymmetry is analogous to the one between integer factorization and integer multiplication. Both asymmetries (and other possibly [[one-way function]]s) have been exploited in the construction of cryptographic systems.

Popular choices for the group <math>G</math> in discrete logarithm cryptography (DLC) are the cyclic groups <math>\mathbf{Z}_p^\times</math> (e.g. [[ElGamal encryption]], [[Diffie–Hellman key exchange]], and the [[Digital Signature Algorithm]]) and cyclic subgroups of [[elliptic curve]]s over [[finite field]]s (''see'' [[Elliptic curve cryptography]]).

While there is no publicly known algorithm for solving the discrete logarithm problem in general, the first three steps of the [[General number field sieve|number field sieve]] algorithm only depend on the group <math>G</math>, not on the specific elements of <math>G</math> whose discrete logarithm is desired. By [[precomputing]] these three steps for a specific group, one need only carry out the last step, which is much less computationally expensive than the first three, to obtain a specific logarithm in that group.<ref name=imperfectfs/>

It turns out that much [[internet]] traffic uses one of a handful of groups that are of order 1024 bits or less, e.g. cyclic groups with order of the Oakley primes specified in <nowiki>RFC 2409</nowiki>.<ref>{{Cite journal |author-last1=Harkins |author-first1=D. |author-last2=Carrel |author-first2=D. |date=November 1998 |title=The Internet Key Exchange (IKE) |url=https://www.rfc-editor.org/rfc/rfc2409 |journal=Network Working Group |language=en |doi=10.17487/RFC2409 |issn=2070-1721}}</ref> The [[Logjam (computer security)|Logjam]] attack used this vulnerability to compromise a variety of internet services that allowed the use of groups whose order was a 512-bit prime number, so-called [[export of cryptography|export grade]].<ref name=imperfectfs/> The authors of the Logjam attack estimate that the much more difficult precomputation needed to solve the discrete log problem for a 1024-bit prime would be within the budget of a large national [[intelligence agency]] such as the U.S. [[National Security Agency]] (NSA). The Logjam authors speculate that precomputation against widely reused 1024-bit DH primes is behind claims in [[Global surveillance disclosures (2013–present)|leaked NSA documents]] that NSA is able to break much of current cryptography.<ref name=imperfectfs>{{cite web |author-last1=Adrian |author-first1=David |author-last2=Bhargavan |author-first2=Karthikeyan |author-last3=Durumeric |author-first3=Zakir |author-last4=Gaudry |author-first4=Pierrick |author-last5=Green |author-first5=Matthew |author-last6=Halderman |author-first6=J. Alex |author-last7=Heninger |author-first7=Nadia |author-link7=Nadia Heninger |author-last8=Springall |author-first8=Drew |author-last9=Thomé |author-first9=Emmanuel |author-last10=Valenta |author-first10=Luke |author-last11=VanderSloot |author-first11=Benjamin |author-last12=Wustrow |author-first12=Eric |author-last13=Zanella-Béguelin |author-first13=Santiago |author-last14=Zimmermann |author-first14=Paul |title=Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice |url=https://weakdh.org/imperfect-forward-secrecy.pdf |date=October 2015}}</ref>

== See also ==
* [[A. W. Faber Model 366]]
* [[Percy Ludgate]] and [[Irish logarithm]]

== References ==
{{Reflist}}
{{Refbegin}}
* {{cite book |author-last1=Rosen |author-first1=Kenneth H. |title=Elementary Number Theory and Its Application |date=2011 |publisher=Pearson |isbn=978-0321500311 |page=368 |edition=6}}
* {{cite web |author-last=Weisstein |author-first=Eric W. |title=Discrete Logarithm |url=http://mathworld.wolfram.com/DiscreteLogarithm.html |website=MathWorld |publisher=Wolfram Web |access-date=1 January 2019}}
{{Refend}}

== Further reading ==
* [[Richard Crandall]]; [[Carl Pomerance]]. Chapter 5, ''Prime Numbers: A computational perspective'', 2nd ed., Springer.
* {{Cite book |author-last1=Stinson |author-first1=Douglas Robert |title=Cryptography: Theory and Practice |publisher=[[CRC Press]] |location=London, UK |edition=3 |isbn=978-1-58488-508-5 |date=2006}}

{{Number theoretic algorithms}}
{{Cryptography public-key}}
{{Computational hardness assumptions}}

{{DEFAULTSORT:Discrete Logarithm}}
[[Category:Modular arithmetic]]
[[Category:Group theory]]
[[Category:Cryptography]]
[[Category:Logarithms]]
[[Category:Finite fields]]
[[Category:Computational hardness assumptions]]
[[Category:Unsolved problems in computer science]]