10.2 Computing Discrete Logs

In this section, we present some methods for computing discrete logarithms. A method based on the birthday attack is discussed in Subsection 12.1.1.

For simplicity, take $α$ to be a primitive root mod $p$ , so $p - 1$ is the smallest positive exponent $n$ such that $α^{n} \equiv 1 (mod p)$ . This implies that

α^{m_{1}} \equiv \begin{matrix} α^{m_{2}} & (mod p) \end{matrix} ⟺ m_{1} \equiv \begin{matrix} m_{2} & (mod p - 1) . \end{matrix}

Assume that

β \equiv α^{x}, 0 \leq x < p - 1.

We want to find $x$ .

First, it’s easy to determine $x (mod 2)$ . Note that

(α^{(p - 1) / 2})^{2} \equiv α^{p - 1} \equiv \begin{matrix} 1 & (mod p), \end{matrix}

so $α^{(p - 1) / 2} \equiv \pm 1 (mod p)$ (see Exercise 15 in Chapter 3). However, $p - 1$ is assumed to be the smallest exponent to yield $+ 1$ , so we must have

\begin{matrix} α^{(p - 1) / 2} \equiv - 1 & (mod p) . \end{matrix}

Starting with $β \equiv α^{x} (mod p)$ , raise both sides to the $(p - 1) / 2$ power to obtain

\begin{matrix} β^{(p - 1) / 2} \equiv α^{x (p - 1) / 2} \equiv (- 1)^{x} & (mod p) . \end{matrix}

Therefore, if ...

Get Introduction to Cryptography with Coding Theory, 3rd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Introduction to Cryptography with Coding Theory, 3rd Edition by Wade Trappe, Lawrence C. Washington

10.2 Computing Discrete Logs

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly