Discrete Log Problem - Applied Cryptography

00:00

The hard problem that is closely related

00:02

to the Diffie-Hellman security property

00:04

is the discrete log problem.

00:06

Discrete logs are like continuous logs

00:08

but over a discrete group.

00:10

So continuous log if we have a to the x equals b,

00:13

and we know a and b, we can solve for x.

00:16

That's the log base a of b,

00:19

and they're well know efficient ways to compute these logarithms.

00:22

One of the earliest use of computers

00:24

was to compute these tables of logarithms.

00:27

With discrete numbers, this gets much more interesting.

00:30

So now we have a to the x equals b,

00:32

modulo sum value n,

00:34

and our goal is to solve for x,

00:36

which is the discrete log base a of b,

00:39

and this turns out to be, as far as everyone can tell,

00:42

a very hard problem when n is a large prime number.

00:45

It's not clear that discrete log always exists,

00:47

and for certain choices of a, b, and n, it would not exists,

00:51

but if we choose n as a large

00:53

prime number and a as a generator,

00:55

well then by definition, it must exist.

00:57

What it means for our number to be a generator

00:59

is that if we raise g to each power,

01:03

what we get is the permutation of the numbers in the group Zn.

01:06

So as a little demonstration, certainly not a proof,

01:09

here's a code that produces the permutation

01:12

for given some generator and some modulus,

01:16

raises the generator to every power

01:19

between 1 and the modulus minus 1.

01:21

So we can try that with a fairly

01:23

small prime number so you can see the results.

01:26

We'll use 277 as our prime number

01:29

and 5 as a generator for 277.

01:32

One could check that in a root force way

01:34

just to show that it all produces all the numbers,

01:37

and we'll see that in the output for generator permutation.

01:40

These are the results and

01:42

you can see the first 1 is 5, that's 5 to the 1;

01:45

25 is 5 to the 2; 125 is 5 to the 3.

01:49

The next one is 71 because 5 to the 4 mod to 77 is 71,

01:54

and if we look at all the numbers here,

01:56

it would be a permutation on the numbers from 1 to 276.

02:00

Other than the early ones,

02:02

it would be fairly hard to predict where

02:04

a number is in this sequence.

02:06

You could certainly compute the whole sequence to find it.

02:08

The question the discrete log is asking

02:11

is given a number, can you figure out

02:13

where it would be in this sequence

02:15

or can you figure out the power that you need

02:17

to raise the generator to find it,

02:19

and the claim is that that's hard to do.

02:21

Showing this sequence really is not enough

02:23

to convince you that that's hard to do,

02:25

and there's no proof that it's hard.

02:27

The reason people believe it's hard

02:29

is that many smart people have tried to find

02:31

good ways of doing this, and none of the

02:33

solutions rendered polynomial time

02:35

that the fastest known solutions are exponential.

02:38

That means essentially that the only way to solve

02:41

this is to try all possible powers

02:44

until you find the one that works.

02:46

You can do a little better than that by trying

02:48

powers in a clever way, and you can

02:50

exclude some of the powers more quickly,

02:52

but you can't do any better than doing this exponential search,

02:55

which is exponential in the size of n

02:58

so this is something we have to be careful about when we

03:00

talk about hard problems.

03:02

When we say it's exponential, well it's not exponential in the value of n.

03:05

It's linear in the value of n.

03:07

We just need to try n operations,

03:10

but the magnitude of n

03:12

grows as 2 to the number of bits needed to break down n.

03:17

So as long as that's the best solution to discrete log,

03:20

then for very large n,

03:22

it is intractable no matter how many computer resources you have,

03:25

you can't do this exponential search.

03:27

You can't find the value of x that's the

03:29

discrete log of b, base a, mod n.

03:32

So as long as no one can find a

03:34

fast way to solve the discrete log problem,

03:37

as long as n is large and is an

03:39

arbitrary instance of this problem,

03:41

we think that it should be hard to

03:43

compute x given a and b and the modulus.

03:46

So for this quiz, we will assume that we have

03:48

and advisory that's passive

03:50

so all it can do is ease drop on the messages,

03:53

but they also have access to a powerful computer resource,

03:55

they have a procedure dlog that is

03:58

a fast procedure for computing discrete

04:00

logs that works on any inputs,

04:02

and they have modular exponentiation,

04:04

a fast procedure that outputs

04:06

base to the power mod modules.

04:08

And now the question is can they break a Diffie-Hellman key?

04:11

So we're assuming that they're passive attackers,

04:14

so they've eased dropped on all the

04:17

messages between Alice and Bob,

04:19

so they have all these values that were sent over the secure channel,

04:22

and the possible answers are no

04:24

that it's impossible with no

04:26

more resources or information,

04:29

or yes there is a way to do it,

04:31

and here's the way that she would compute that.