Skip to main content.

The Discrete Logarithm Problem and Generalizations.

.

Let G be a group and g \in G. Using square-and-multiply techniques, one can rapidly compute g^n for n \in \N – in fact, \calO(\log n) group operations suffice.

On the other side, the inverse question, given g^n and g, how to find n, is in general hard. In fact, a result by Victor Shoup says that for a black box group, there exists no deterministic algorithm which can find the n in time less than \calO(\sqrt{p}) steps in any case, provided the prime p is the order of g. In other words: the Discrete Logarithm Problem (DLP) is hard in general: given g, h with h \in \ggen{g}, find n \in \N with g^n = h.

Consider the subgroup \ggen{g} generated by g. It is of the form \{ g^n \mid n \in \Z \}, and the map \varphi : \Z \to \ggen{g}, n \mapsto g^n is an epimorphism. Let \ker \varphi = m \Z with m \ge 0; then \varphi induces an isomorphism \psi : \Z/m\Z \to \ggen{g}. The inverse map \psi^{-1} : \ggen{g} \to \Z/m\Z, g^n \mapsto n + m\Z is called the discrete logarithm with base g, denoted by \log_g. Hence, the DLP is the problem of computing the function \log_g.

In 1976, Whitfield Diffie and Martin Hellman came up with a key exchange protocol based on the fact that, given g, g^a and g^b, one probably needs to solve at least one DLP (to obtain a or b) to be able to compute g^{a b} = (g^a)^b = (g^b)^a. And nine years later, Taher ElGamal presented an encryption scheme which is also based on the DLP.

First, these systems were originally used with G = \F_p^* or \F_q^*, the multiplicative groups of finite (prime) fields, but can in fact be used with any group. In 1985, Neal Koblitz and Victor Miller independently proposed to use elliptic curves over finite fields \F_q, which yield abelian groups of size q + 1 + \calO(\sqrt{q}). Later, groups obtained from hyperelliptic curves or curves were proposed.

There have also been proposals to replace groups by weaker structures, for example semigroups or certain loops. In general, one can use any algebraic structure A which allows to define a^n for a \in A, n \in \N_{>0} such that a^n can be computed efficiently. As for that, one usually wants a^n a^m = a^{n+m}, we merely require the operation to be power associative.

Now one can ask if it is possible to drop this requirement and replace exponentiation and discrete logarithms by something similar. So far, the only such algebraic structure which has a huge class of instances which can be easily obtained from algebraic objects and in which one can efficiently compute are infrastructures. In the following articles I first want to explain and discuss the definition of infrastructures and show how finite abelian groups can be interpreted as infrastructures. Then I want to explain how infrastructures can be obtained from global fields.

In case you want to read up more details, please consult the preprint of my paper The Infrastructure of a Global Field of Arbitrary Unit Rank or my PhD thesis (click Volltext).

Categories: Algebra Cryptography
Tags:

Comments.

No comments.