Two Approaches to the Discrete Logarithm Problem R. Padma · R. Padma AU-KBC Research Centre M. I....
Two Approaches to the
Discrete Logarithm Problem
R. Padma
AU-KBC Research Centre
M. I. T. Campus of Anna University
Chennai, INDIA
First Indo-French Workshop on
Cryptography and Related Topics, 11-13 June 2007, Paris
Discrete Logarithm
Let p > 2 be a prime number.
(Z/pZ)∗ = {1,2, · · · , p − 1} is a cyclic
group under multiplication.
Let a be a generator of (Z/pZ)∗.
Any b ∈ (Z/pZ)∗ can be expressed as a
power of a.
$b \equiv a^n \bmod p$,
for a unique $n$, $0 \le n \le p-2$.
n is called the discrete logarithm of b
to the base a modulo p.
The Two Approaches
1. A couple of probabilistic algorithms
2. p-adic approach
Track 1
A Couple of Probabilistic
Algorithms
H. Gopalkrishna Gadiyar, K M Sangeeta
Maini, R. Padma and Mario Romsy,
What is the Inverse of Repeated Square
and Multiply Algorithm?,
http://www.arXiv.math.NT/0602154v3
Discrete Logarithm Problem
Finding $b \equiv a^n \bmod p$ given $a$, $n$ and $p$
is called modular exponentiation.
Finding n given a, b and p is the inverse
of modular exponentiation and is called
the discrete logarithm problem.
Repeated Square and Multiply
Method
We know that this method performs
modular exponentiation efficiently.
Let us quickly recall this algorithm.
Given $a$, $n$ and $p$, to compute $a^n \bmod p$.
Let us write $n$ in its binary representation
$n = n_0 + 2n_1 + 2^2 n_2 + \cdots + 2^{k-1} n_{k-1}$,
where each $n_i$ is 0 or 1.
Let $a_0 = a$, $b = 1$.
For $j = 1$ to $k-1$ compute
$a_j = a_{j-1}^2 \bmod p = a^{2^j} \bmod p$, and
for $j = 0$ to $k-1$
$b = b \cdot a_j \bmod p$, if $n_j = 1$; $b = b \bmod p$, if $n_j = 0$.
The final value of $b$ is the value of $a^n \bmod p$. That is,
$b \equiv a^n \bmod p \equiv (a^{2^k} \bmod p)^{n_k} (a^{2^{k-1}} \bmod p)^{n_{k-1}} \cdots (a^{2^1} \bmod p)^{n_1} (a^{2^0} \bmod p)^{n_0} \bmod p \equiv \prod_{j=0}^{k} a_j^{n_j} \bmod p$.
What is the Inverse of this
algorithm?
What if we divide and repeatedly extract square root?
If n0 = 1, divide by a and take square
root.
If n0 = 0, then just take square root.
Do the same for n1, n2, · · · , nk−1.
How do we determine the bits ni?
Note that knowing the bits $n_i$ is equivalent to knowing the value of $n$.
There are two square roots modulo p.
The ‘correct’ square root will fix the
correct value of the bit ni and hence n
can be calculated in polynomial time.
The difficulty is in fixing the correct
square root.
First of all, how do we decide whether we should just extract square root or divide and extract square root?
Legendre Symbol
Definition: The Legendre symbol $\left(\frac{x}{p}\right)$, for any integer $x$ with $(x, p) = 1$, is defined as follows.
$\left(\frac{x}{p}\right) = \begin{cases} 1, & \text{if } x^{\frac{p-1}{2}} \equiv 1 \bmod p \\ -1, & \text{if } x^{\frac{p-1}{2}} \equiv -1 \bmod p \end{cases}$
Since $a$ is a primitive root, $\left(\frac{a}{p}\right) \equiv a^{\frac{p-1}{2}} \equiv -1 \bmod p$.
Using the property of the Legendre symbol $\left(\frac{xy}{p}\right) = \left(\frac{x}{p}\right)\left(\frac{y}{p}\right)$,
one has $\left(\frac{b}{p}\right) = \left(\frac{a^n}{p}\right) = \left(\frac{a}{p}\right)^n = (-1)^n$.
Thus the Legendre symbol of $b$ determines whether $n$ is odd or even.
In other words, the Legendre symbol of $b$ determines the least significant bit $n_0$.
It is well known that if
$p - 1 = 2^r s$, where $r \ge 1$ and $s$ is odd,
then the last r significant bits of n can
be unambiguously determined.
This is because the Legendre symbol
of both the square roots will give the
same value.
The problem starts from the $(r+1)$th bit onwards.
Main Algorithm to Compute
Discrete Logarithm
Input: $a, b, p$, where $a^n \equiv b \bmod p$.
Output: $n$
Step 1. Choose an integer $B$ and create Table I consisting of sorted $(a^{k_j} \bmod p, k_j)$ where $j \le B$. Here $\{k_j\}$ is any subsequence of integers. For example, $k_j = j$ or $k_j = 2^j$.
Step 2. Initialize $i \leftarrow 1$, $l \leftarrow 1$, $b[1] \leftarrow b$, $m_1[1] \leftarrow n$, $c_1[1] \leftarrow b$, $c_2[1] \leftarrow b$ and $m_2[1] \leftarrow n$. Table II will consist of $(b[i], m_1[i])$ and Table III will consist of $(c_1[l], c_2[l], m_2[l])$.
Also initialize $k \leftarrow 0$, $m \leftarrow n$.
Step 3. i) If $\left(\frac{b}{p}\right) = -1$ then goto Step 4.
ii) If $\left(\frac{b}{p}\right) = 1$ then goto Step 6.
Step 4. i) $b \leftarrow b/a \bmod p$ and $m \leftarrow m - 1$.
ii) Goto Step 5.
iii) If Step 5 does not solve for $n$, $i \leftarrow i + 1$; store $b[i] \leftarrow b$ and $m_1[i] \leftarrow m$ in Table II.
iv) Goto Step 6.
Step 5. i) If $b \equiv a^{k_j} \bmod p$ for any $j \le B$ in Table I, Solve($m, k_j, k$).
ii) If $b \equiv b[j] \bmod p$ for any $j$ in Table II, Solve($m, m_1[j], k$).
iii) If $b \equiv c_1[j]$ or $c_2[j] \bmod p$ for any $j$ in Table III, Solve($m, m_2[j], k$).
Step 6. i) $b \leftarrow b^{1/2} \bmod p$ and $m \leftarrow m/2$. $k \leftarrow k + 1$. Goto Step 5.
ii) If Step 5 does not solve for $n$, $b \leftarrow p - b \bmod p$. Goto Step 5.
iii) If Step 5 does not solve for $n$, $l \leftarrow l + 1$, store $c_1[l] \leftarrow b$, $c_2[l] \leftarrow p - b$ and $m_2[l] \leftarrow m$ in Table III.
iv) $b \leftarrow c_1[l]$ or $c_2[l]$ randomly.
v) Goto Step 3.
Solve()
Solve($x, y, t$): Solve the linear congruence
$2^t x \equiv 2^t y \bmod (p - 1)$.
Return $n$.
Explanation of the Algorithm
Since $m$ is replaced by $m - 1$ or $m/2$, $m$ is always a linear function of $n$.
The current value of $b$ in the loop equals $a^m \bmod p$ up to some signs and/or roots of unity of order $2^k$.
The algorithm is probabilistic as we select one of the square roots randomly in Step 6.
$k$ counts the number of times we take square roots modulo $p$.
Note that while solving the linear congruence, we multiply both sides by $2^k$, so that the denominator of $m$ gets cleared (as 2 is not invertible modulo $p - 1$).
This also takes care of the fact that in Table III, though we store two square roots, the exponent $m$ is taken to be $m/2$: whether we take $m/2$ or $m/2 + \frac{p-1}{2}$, in Solve() the multiplication by $2^k$ removes this ambiguity.
Example
Let $p = 103$. $a = 5$ is a primitive root of $p$.
This is an example of collision with an element in Table I. Let $b = 84$. Let $B = 7$ and $k_j = 2^{j-1} \bmod p$ for $j = 1, \cdots, 7$.
Table I
j             : 0   1   2   3   4   5   6
5^{2^j} mod p : 5   25  7   49  32  97  36
Discrete Logarithm Calculation for
b = 84
b  | (b/103) | b/a | b^{1/2}, -b^{1/2} | random sqrt | m
84 | -1      | 58  | –                 | –           | n - 1
58 | 1       | –   | 26, 77            | 77          | (n - 1)/2
77 | -1      | 36  | –                 | –           | (n - 1)/2 - 1
Now $36 \equiv 5^{2^6} \bmod 103$.
$k = 1$ as we have taken square root only once.
Hence multiplying both sides by 2 we get the congruence
$2\left(\frac{n-1}{2} - 1\right) \equiv 2^7 \bmod 102$.
That is,
$n - 3 \equiv 2^7 \equiv 26 \bmod 102$
and thus $n \equiv 29 \bmod 102$.
Discrete Logarithm over Finite
Fields
The algorithm given above is as it is extendable to finite fields of characteristic $p > 2$, as the analogue of the Legendre symbol and efficient computation of square roots exist in these fields.
When the characteristic of the finite field is 2, every element in the field is a square and every element has exactly one square root. Hence the algorithm should be modified here a bit.
3x + 1 Problem and the
Discrete Logarithm Problem
The 3x + 1 problem was posed by L.
Collatz.
It states that if
$T(x) = \begin{cases} 3x + 1, & \text{if } x \equiv 1 \bmod 2 \\ x/2, & \text{if } x \equiv 0 \bmod 2 \end{cases}$
then $T^k(x) = 1$ for some positive integer $k$, for every positive integer $x$.
This problem remains outstanding since 1937.
If x is odd, the function T converts it
into an even integer by multiplying x
by 3 and then adding 1.
If x is even, it divides x by 2.
The iteration will terminate once $T^k(x) = 2^l$ for some integers $k$ and $l$.
In the algorithm we just saw:
If the Legendre symbol is -1 (that is,
the index of b is odd), we divided b by
a so that the index of the new value of
b becomes even and
if the Legendre symbol is 1, (that is,
the index of b is even), we calculated
the square roots of b so that the index
is halved.
Now it is clear how we are going to
modify the algorithm.
We will assume for the sake of simplicity that $(3, p - 1) = 1$.
If the Legendre symbol is $-1$, then compute $b^3 a \bmod p$.
That is, in Step 4 (i), we do
$b \leftarrow b^3 a \bmod p$ and $m \leftarrow 3m + 1$
and the rest of the algorithm goes as it is.
Example
Let us take $p = 101$. $a = 2$ is a primitive root of 101. Let $b = 72$. Let $B = 7$ and $k_j = 2^j$, for $j = 0, \cdots, 6$.
Table I
j             : 0   1   2   3   4   5   6
2^{2^j} mod p : 2   4   16  54  88  68  79
DL Calculation for b = 72
b  | (b/101) | b^3 a | b^{1/2}, -b^{1/2} | random sqrt | m
72 | -1      | 5     | –                 | –           | 3n + 1
5  | 1       | –     | 45, 56            | 56          | (3n + 1)/2
56 | 1       | –     | 37, 64            | 37          | (3n + 1)/4
37 | 1       | –     | 21, 80            | 80          | (3n + 1)/8
80 | 1       | –     | 22, 79            | –           | (3n + 1)/16
Since $79 \equiv 2^{2^6} \bmod 101$, and $k = 4$, we have
$3n + 1 \equiv 1024 \equiv 24 \bmod 100$.
The solution of this linear congruence is given by $n \equiv 41 \bmod 100$.
Time Complexity of the
Algorithms
Let $\rho : \mathbb{N} \to \{0, 1\}$ be the random decision function.
Let Table I consist of $B \in \mathbb{N}$ precomputed values and label them $r_{-B}, \ldots, r_{-1}$.
Since we need to keep track of the exponents we store pairs of the form $(a^k, k)$.
Write $(r_{-B}, k_{-B}), \ldots, (r_{-1}, k_{-1})$, where the $k_j \in \mathbb{N}$ are any chosen integers.
Starting with $(r_0, m_0)$, $m_0 = n$, we calculate a random walk by
$(r_i, m_i) = \begin{cases} \left(\min(\sqrt{r_{i-1}}, p - \sqrt{r_{i-1}}), \frac{m_{i-1}}{2}\right), & \text{if } \left(\frac{r_{i-1}}{p}\right) = 1 \text{ and } \rho(i) = 0, \\ \left(\max(\sqrt{r_{i-1}}, p - \sqrt{r_{i-1}}), \frac{m_{i-1}}{2}\right), & \text{if } \left(\frac{r_{i-1}}{p}\right) = 1 \text{ and } \rho(i) = 1, \\ \left(\frac{r_{i-1}}{a}, m_{i-1} - 1\right), & \text{if } \left(\frac{r_{i-1}}{p}\right) = -1. \end{cases}$
Then we look for a collision $r_i = r_j$ for $i \ne j$.
Since $\rho$ is a random walk, the expected number of steps should be about $O(\sqrt{p})$.
Future Directions -
Study of General Structure
Both the original algorithm and the $3x + 1$ version might be subsumed into a general scheme
$n \to qn + l$, with $(q, p - 1) = 1$, if $n$ is odd,
$n \to n/2$, if $n$ is even.
It would be worthwhile to see if some interesting algebra could be uncovered.
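The following Python program is an added example; it is not code from the slides or from the cited paper. It implements the bit-recovery argument of the Legendre-symbol slides (the last r bits of n when p - 1 = 2^r s are unambiguous), the random walk of Steps 1-6 with Solve() written in the general scheme n -> qn + l of the slide above (q = 1, l = -1 gives the original algorithm, q = 3, l = 1 the 3x + 1 version), and it reproduces both worked examples (p = 103, b = 84 and p = 101, b = 72). Assumptions that are mine rather than the slides': square roots are taken with Tonelli-Shanks (the slides only say efficient square-root computation exists), a single dictionary of visited values stands in for Tables II and III, a seeded random.Random plays the decision function rho, and the exponent m is kept as integers (alpha, beta, 2^k mod (p - 1)) with 2^k already cleared, so a collision with Table I or with an earlier walk value gives the congruence alpha n + beta ≡ 2^k k_j (mod p - 1) directly. Every candidate n is checked against a^n ≡ b before it is returned.

```python
import random
from math import gcd

def legendre(x, p):
    """Legendre symbol (x/p) = x^((p-1)/2) mod p as +1 or -1; p an odd prime not dividing x."""
    s = pow(x, (p - 1) // 2, p)
    return -1 if s == p - 1 else s

def two_adic_split(m):
    """Write m = 2^r * s with s odd and return (r, s)."""
    r = 0
    while m % 2 == 0:
        m, r = m // 2, r + 1
    return r, m

def sqrt_mod(x, p):
    """One square root of the quadratic residue x modulo the odd prime p (Tonelli-Shanks)."""
    assert legendre(x, p) == 1, "x is not a square modulo p"
    r, s = two_adic_split(p - 1)
    z = next(z for z in range(2, p) if legendre(z, p) == -1)  # any quadratic non-residue
    c, t, root, m = pow(z, s, p), pow(x, s, p), pow(x, (s + 1) // 2, p), r
    while t != 1:
        i, t2 = 0, t                       # least i with t^(2^i) = 1
        while t2 != 1:
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        root, c, t, m = root * b % p, b * b % p, t * b * b % p, i
    return root

def low_bits(a, b, p):
    """The r least significant bits of n, where b = a^n mod p, a is a primitive root and
    p - 1 = 2^r s with s odd.  (value/p) = (-1)^(current exponent) gives one bit; dividing
    by a and taking either square root halves the exponent.  The two roots differ by
    a^(2^(r-1) s), an even exponent, so the first r parities are unambiguous."""
    r, _ = two_adic_split(p - 1)
    bits, a_inv = [], pow(a, -1, p)
    for j in range(r):
        bit = 1 if legendre(b, p) == -1 else 0
        bits.append(bit)
        if j < r - 1:
            if bit:
                b = b * a_inv % p           # b / a: exponent is now even
            b = sqrt_mod(b, p)              # exponent halved, up to the even ambiguity
    return sum(bit << j for j, bit in enumerate(bits))

def solve_linear(A, C, M):
    """All n in [0, M) with A n ≡ C (mod M); [] when A ≡ 0 (no information) or unsolvable."""
    A, C = A % M, C % M
    if A == 0:
        return []
    g = gcd(A, M)
    if C % g:
        return []
    M2 = M // g
    n0 = (C // g) * pow(A // g, -1, M2) % M2
    return [n0 + i * M2 for i in range(g)]

def dlog_walk(a, b, p, table_size=8, q=1, l=-1, seed=1, max_steps=10_000):
    """Find n with a^n ≡ b (mod p) by the slides' random walk in the general scheme
    n -> q n + l on an odd exponent, n -> n/2 on an even one (q=1, l=-1: original algorithm;
    q=3, l=1: the 3x+1 variant); needs gcd(q, p-1) = 1.  The state (alpha, beta, t) keeps
    cur^(2^k) ≡ a^(alpha n + beta) (mod p) with t = 2^k mod (p-1), so every collision
    yields a linear congruence for n in which 2^k has already been cleared."""
    rng, M = random.Random(seed), p - 1
    table1 = {pow(a, 1 << j, p): 1 << j for j in range(table_size)}  # Table I: (a^(2^j), 2^j)
    visited = {}                                  # Tables II and III: value -> (alpha, beta, t)
    cur, alpha, beta, t = b, 1, 0, 1
    for _ in range(max_steps):
        if cur in table1:                         # alpha n + beta ≡ 2^k kj (mod p-1)
            cands = solve_linear(alpha, table1[cur] * t - beta, M)
        elif cur in visited:                      # same value, two different exponent forms
            alpha2, beta2, t2 = visited[cur]
            cands = solve_linear(alpha * t2 - alpha2 * t, beta2 * t - beta * t2, M)
        else:
            cands = []
        for n in cands:
            if pow(a, n, p) == b:
                return n
        visited.setdefault(cur, (alpha, beta, t))
        if legendre(cur, p) == -1:                # odd exponent: cur <- cur^q * a^l
            cur = pow(cur, q, p) * pow(a, l, p) % p
            alpha, beta = q * alpha % M, (q * beta + l * t) % M
        else:                                     # even exponent: random square root
            root = sqrt_mod(cur, p)
            t = 2 * t % M
            cur = rng.choice((root, p - root))
            visited.setdefault(p - cur, (alpha, beta, t))   # the root not taken
    return None

if __name__ == "__main__":
    print(low_bits(5, 84, 103), low_bits(2, 72, 101))   # low bits of n = 29 and n = 41
    print(dlog_walk(5, 84, 103))                         # 29, the slide example with p = 103
    print(dlog_walk(2, 72, 101, q=3, l=1))               # 41, the 3x+1 example with p = 101
```

dlog_walk(5, 84, 103) returns 29 and dlog_walk(2, 72, 101, q=3, l=1) returns 41, the values obtained on the slides; the path taken depends on the seed because the walk picks square roots at random. A collision between two walk values can give a congruence whose coefficient is not invertible modulo p - 1, which is why solve_linear returns every solution and the caller verifies each one.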
Track 2
p-adic Approach
H. Gopalkrishna Gadiyar, K M Sangeeta
Maini and R. Padma,
Cryptography, Connections, Cocycles
and Crystals: A p-adic Exploration of
the Discrete Logarithm Problem,
Progress in Cryptology - Indocrypt 2004
(LNCS 3348), 305-314.
General Strategy
The discrete logarithm problem is difficult because
1. We are working over finite fields where points jump around. Recall that Ritt called these fields monkey fields.
2. In the case of elliptic curves the non-linearity of the addition law makes the problem difficult.
1. The logical extension is to go from finite fields to p-adic fields (Lifting).
Lifting
We are given $a_0$ and $b_0$ such that
$a_0^n \equiv b_0 \bmod p$. (1)
Let us Hensel lift $a_0$ to $a_0 + a_1 p$ and $b_0$ to $b_0 + b_1 p$ modulo $p^2$ using the polynomial $x^p - x$.
We do this by finding
$a_0^p \equiv a_0 + a_1 p \bmod p^2$
$b_0^p \equiv b_0 + b_1 p \bmod p^2$
Then
$a_0^{np} \equiv b_0^p \bmod p^2$.
That is,
$(a_0 + a_1 p)^n \equiv b_0 + b_1 p \bmod p^2$. (2)
Let us write
$a_0^n \equiv b_0 + \beta_n p \bmod p^2$.
Note that we are given $b_0$ and $\beta_n$ is unknown.
Expanding (2) and using the above identity, we get
$b_0 + \beta_n p + n a_0^{n-1} a_1 p \equiv b_0 + b_1 p \bmod p^2$.
Solving for $n$, we get
$n \equiv \frac{b_1 - \beta_n}{b_0} \Big/ \frac{a_1}{a_0} \bmod p$.
So we have a linear congruence in two unknowns, namely, $n$ and $\beta_n$.
Weak Keys
If the carry $\beta_n$ is small, $n$ can be found by trial and error.
The corresponding $(a_0, b_0)$ is a weak key.
Note that $\beta_n = 0$ if $a_0^n < p$.
These are trivial weak keys.
A Nontrivial Weak Key
Let $p = 11$, $a_0 = 2$.
$n = 1, 2, 3$ give trivial weak keys.
Let us consider the case $n = 7$. Then $b_0 = 7$. Also,
$2^7 \equiv 128 \equiv 7 + 11^2 \equiv 7 + 0 \cdot 11 \bmod p^2$.
We can compute $a_1 = 10$ and $b_1 = 3$.
Now compute
$\frac{b_1}{b_0} \Big/ \frac{a_1}{a_0} \equiv \left(\frac{3}{7}\right) \Big/ \left(\frac{10}{2}\right) \equiv 7 \bmod 11$.
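As an added example (not code from the slides or the Indocrypt paper), the following Python code carries out the mod p^2 Hensel lift along x^p - x, computes the carry beta_n, and solves the congruence of the previous slide for n once a carry has been guessed; weak_key_search tries the small carries in turn, which is the trial-and-error search the Weak Keys slide describes, and zero_carry_exponents lists the exponents with beta_n = 0 for a given base. The function names are my own; p = 11 and a_0 = 2 are the slide's values, and the case a_1 = 0 (where a_1/a_0 is not invertible) is reported rather than solved, since the slides do not treat it.

```python
def hensel_digit(x0, p):
    """Digit x1 of the Hensel lift x0 + x1 p of x0 along x^p - x:  x0^p ≡ x0 + x1 p (mod p^2)."""
    lifted = pow(x0, p, p * p)
    assert lifted % p == x0 % p               # Fermat: x0^p ≡ x0 (mod p)
    return (lifted - x0) // p % p

def carry(a0, n, p):
    """beta_n with a0^n ≡ b0 + beta_n p (mod p^2), where b0 = a0^n mod p."""
    return pow(a0, n, p * p) // p

def solve_with_carry(a0, b0, beta, p):
    """n ≡ ((b1 - beta)/b0) / (a1/a0) (mod p), the slides' congruence, for a guessed carry beta."""
    a1, b1 = hensel_digit(a0, p), hensel_digit(b0, p)
    if a1 == 0:                                # a0^p ≡ a0 (mod p^2): a1/a0 is not invertible
        return None
    lhs = (b1 - beta) * pow(b0, -1, p) % p
    rhs = a1 * pow(a0, -1, p) % p
    return lhs * pow(rhs, -1, p) % p

def weak_key_search(a0, b0, p, max_carry):
    """Trial and error over carries beta = 0..max_carry; returns (n, beta) once a0^n ≡ b0 (mod p)."""
    for beta in range(max_carry + 1):
        n = solve_with_carry(a0, b0, beta, p)
        if n is not None and pow(a0, n, p) == b0:
            return n, beta
    return None

def zero_carry_exponents(a0, p):
    """Exponents 1 <= n <= p-2 whose carry beta_n vanishes: the weak keys found already at beta = 0."""
    return [n for n in range(1, p - 1) if carry(a0, n, p) == 0]

if __name__ == "__main__":
    print(hensel_digit(2, 11), hensel_digit(7, 11))   # 10 and 3, as on the slide
    print(zero_carry_exponents(2, 11))                 # [1, 2, 3, 7]: the trivial keys and n = 7
    print(weak_key_search(2, 7, 11, 0))                # (7, 0)
```

For p = 11, a_0 = 2 the only exponents with vanishing carry are 1, 2, 3 and 7, matching the slide: 2^7 = 128 = 7 + 11^2 has a carry divisible by 11 even though 128 > p. For b_0 = 5 (n = 4, carry 1) the search fails at beta = 0 and succeeds at beta = 1.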
Hensel Lift and Teichmüller
Character
Let us now Hensel lift $a_0$ and $b_0$ mod $p^3, p^4, \cdots$.
That is, expand $a_0^{p^2} \bmod p^3$, $a_0^{p^3} \bmod p^4$, and so on (similarly for $b_0$).
Let
$a_0^{p^2} \equiv a_0 + a_1 p + a_2 p^2 \bmod p^3$
$a_0^{p^3} \equiv a_0 + a_1 p + a_2 p^2 + a_3 p^3 \bmod p^4$
These are the Teichmüller representatives mod $p^3$ and $p^4$.
By Euler's theorem
$(a_0 + a_1 p + a_2 p^2)^{p-1} \equiv 1 \bmod p^3$
$(a_0 + a_1 p + a_2 p^2 + a_3 p^3)^{p-1} \equiv 1 \bmod p^4$
Also,
$(a_0 + a_1 p + a_2 p^2)^n \equiv b_0 + b_1 p + b_2 p^2 \bmod p^3$
$(a_0 + a_1 p + a_2 p^2 + a_3 p^3)^n \equiv b_0 + b_1 p + b_2 p^2 + b_3 p^3 \bmod p^4$
Teichmüller Representatives
Let $T(a_0)$ and $T(b_0)$ denote the Teichmüller representatives of $a_0$ and $b_0$ respectively in $\mathbb{Z}_p$.
That is,
$T(a_0) = \lim_{k \to \infty} a_0^{p^k} = a_0 + a_1 p + a_2 p^2 + \cdots$
$T(b_0) = \lim_{k \to \infty} b_0^{p^k} = b_0 + b_1 p + b_2 p^2 + \cdots$
By our construction
$T(a_0)^{p-1} = 1$ and $T(b_0)^{p-1} = 1$
in $\mathbb{Z}_p$. Also,
$T(a_0)^n = T(b_0)$ in $\mathbb{Z}_p$. (3)
p-adic Logarithm
The logarithm function has a Taylor expansion
$\log(1 + x) = x - \frac{x^2}{2} + \frac{x^3}{3} - \cdots$
if $|x| < 1$.
For a p-adic integer the p-adic logarithm has a Taylor expansion
$\log(1 + x) = x - \frac{x^2}{2} + \frac{x^3}{3} - \cdots$
if $\mathrm{ord}_p(x) \ge 1$, that is, if $x \in p\mathbb{Z}_p$.
Iwasawa Logarithm - Contd.
Iwasawa defined the logarithm for any non-zero p-adic integer $x$ as
$\log x = \frac{1}{p-1} \log(x^{p-1})$
Note that
$x^{p-1} \in 1 + p\mathbb{Z}_p$
by Fermat's little theorem.
Iwasawa Logarithm
Applying the Iwasawa logarithm to (3),
$n \log T(a_0) = \log T(b_0)$
But
$\log T(a_0) = \frac{1}{p-1} \log(T(a_0)^{p-1}) = \frac{1}{p-1} \log 1 = 0$.
Similarly $\log T(b_0) = 0$.
So we get no information about $n$.
Teichmüller representatives are the $(p-1)$th roots of unity in $\mathbb{Z}_p^*$ and they lie in the kernel of the Iwasawa logarithm.
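An added Python example (not from the slides or the paper) for the Teichmüller-representative slides and the Iwasawa-logarithm slides above: it computes T(a_0) mod p^k as a_0^{p^{k-1}}, reads off the digits a_0, a_1, a_2, ..., checks T(a_0)^{p-1} = 1 and identity (3) at that precision, and evaluates the Iwasawa logarithm from the truncated Taylor series, showing that log T(a_0) vanishes while the logarithm of the plain lift a_0 does not. The function names and the precision p^4 are my choices; the series is summed in exact rational arithmetic and reduced mod p^k at the end, which is one way (not the only one) to handle the terms x^i/i whose denominators are divisible by p.

```python
from fractions import Fraction

def teichmuller(x0, p, k):
    """Teichmuller representative of x0 modulo p^k: the limit of x0^(p^j), which is already
    stationary mod p^k at j = k-1.  (k = 2 gives the Hensel lift x0 + x1 p of the slides.)"""
    return pow(x0, p ** (k - 1), p ** k)

def padic_digits(x, p, k):
    """Base-p digits [x_0, x_1, ..., x_(k-1)] of x mod p^k, as in x0 + x1 p + x2 p^2 + ..."""
    return [(x // p ** i) % p for i in range(k)]

def padic_log_1plus(x, p, k):
    """log(1 + x) mod p^k for x in p Z_p (x ≡ 0 mod p), from the Taylor series.
    The i-th term x^i / i has valuation at least i - ord_p(i), so terms past i = 2k + 2
    vanish mod p^k; the partial sum is a rational whose denominator is prime to p."""
    assert x % p == 0, "series converges only for ord_p(x) >= 1"
    mod = p ** k
    total = sum(Fraction((-1) ** (i + 1) * x ** i, i) for i in range(1, 2 * k + 3))
    num, den = total.numerator, total.denominator
    assert den % p != 0
    return num * pow(den, -1, mod) % mod

def iwasawa_log(x, p, k):
    """Iwasawa logarithm log x = log(x^(p-1)) / (p-1) mod p^k for a p-adic unit x."""
    mod = p ** k
    y = (pow(x, p - 1, mod) - 1) % mod        # x^(p-1) lies in 1 + p Z_p (Fermat)
    return padic_log_1plus(y, p, k) * pow(p - 1, -1, mod) % mod

def demo(p=11, a0=2, n=7, k=4):
    """The slide's example (p = 11, a0 = 2, n = 7, b0 = 7) lifted to precision p^k."""
    b0 = pow(a0, n, p)
    Ta, Tb = teichmuller(a0, p, k), teichmuller(b0, p, k)
    mod = p ** k
    return {
        "digits_T(a0)": padic_digits(Ta, p, k),          # starts [2, 10, ...]: a1 = 10 as on the slide
        "T(a0)^(p-1)=1": pow(Ta, p - 1, mod) == 1,
        "T(a0)^n=T(b0)": pow(Ta, n, mod) == Tb,          # identity (3) at precision p^k
        "log T(a0)": iwasawa_log(Ta, p, k),              # 0: no information about n
        "log a0": iwasawa_log(a0, p, k),                 # nonzero for the plain lift a0
    }

if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

Raising a_0^{p^{k-1}} to the power p - 1 gives a_0^{φ(p^k)}, so T(a_0)^{p-1} ≡ 1 mod p^k is exactly the Euler's-theorem statement of the earlier slide; T(a_0)^n ≡ T(b_0) holds because a_0^n ≡ b_0 mod p lifts to a congruence mod p^k after p^{k-1}-th powering.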
p-adic Analogue of Complex
Logarithm
That is, $T(a_0)$ is like $e^{2\pi i k/(p-1)}$ in $\mathbb{C}$.
The Iwasawa logarithm corresponds to the real part of the p-adic logarithm.
Recall that for a complex number $z$,
$\log z = \log |z| + i \arg(z)$
and for a root of unity, $|\cdot| = 1$ and so the real part of the logarithm is zero.
Hence we need a p-adic analogue of the complex logarithm.
p-adic Logarithm and Crystals
Crystalline cohomology provides this.
There is a p-adic analogue of 2πi given
by Crystalline cohomology.
If there is an explicit and efficient construction of $(2\pi i)_p$, then the discrete logarithm can be calculated.
Thank You