Score:6

Crypto

Why is the discrete logarithm problem hard?

LinusK

8/2/23, 12:20 PM

Why is the discrete logarithm problem assumed to be hard?

Someone else asked the same question but the answers only explain that exponentiation is in $O(\log(n))$ while the fastest known algorithms to compute discrete logarithms is in $O(n)$. (I'm glossing over details like the runtime of index calculus here.)

Somewhere else I read: "We assume discrete logarithms to be hard because for over 40 years very smart people failed to find a fast algorithm."

Now, I wonder if there are any better arguments. Can you actually explain why discrete logarithms are hard?

1417

0 + 0

discrete-logarithm

group-theory

hardness-assumptions

kelalaka

8/2/23, 7:33 PM

[Discrete Logarithm: Given a p, what does it mean to find the discrete logarithm of x to base y?](https://crypto.stackexchange.com/q/76230/18298)

WizardOfMenlo

8/3/23, 8:31 PM

Just a quick note, in fact you can compute the discrete log (in a general group) in $O(\sqrt{n})$ group operations (using, for example, Pollard Rho). See for example 'An Introduction to Mathematical Cryptography' section 5.5

Score:15

Crypto

poncho

8/2/23, 12:53 PM

Now, I wonder if there are any better arguments.

Ultimately, no, not really.

We don't have any proof that computing discrete logs is hard. For that matter, we don't have any proof that any problem within $NP$ (that is, any problem where, if the answer is "yes", there is a quickly checkable proof of that) is hard.

We do have some partial proofs, for example, that in the "black-box" model, a discrete log on a prime-order group is hard. On the other hand, the assumptions that makes is known to be false for finite-fields, and so that's less useful than one would hope.

0 + 0

LinusK

8/2/23, 1:38 PM

Can't you argue, for example, along the lines that during exponentiation each of the $\log(n)$ squarings deletes a bit of information because $x \cdot x == -x \cdot -x$?

poncho

8/2/23, 2:10 PM

@LinusK: not really; if $g$ has order $q$, then $g^x$ for $x \in \{0, ..., q-1\}$ is injective - that is, it doesn't lose *any* information. And so, while a common implementation substep (squaring) may lose information, overall there is no information loss.

LinusK

8/2/23, 2:31 PM

But if $\mathbb{F}_p$ with $p=2q+1$ and $g$ has order $q$, then $g^x$ for $\{0,...,p-1\}$ is not injective. And if $g^{x_1} == g^{x_2}$ for some $x_1 \neq x_2$ then both the lowest bit of $x_1$ and $x_2$ (the hardcore bits) must be different. That's why I thought there must be some information loss.

poncho

8/2/23, 2:33 PM

@LinusK: however, in that case, $x_1 \equiv x_2 \pmod q$; hence there is essentially only one solution (knowing that immediately gives you all the others)

Paŭlo Ebermann

8/3/23, 7:35 PM

What is a "hard group"?

poncho

8/3/23, 7:38 PM

@PaŭloEbermann: sorry, my changed how I wanted to express this as I wrote it, and an additional 'hard' stayed in. Does the edit make more sense?

K.G.

8/3/23, 7:58 PM

Also, the generic group model does not capture quantum computation, which also seems to make it less useful than desired.

poncho

8/3/23, 8:32 PM

@K.G.: true enough - even though (I believe) Shor's algorithm can work in an entangled black-box group implementation, that is a different computational model...