Discrete logarithm

The discrete logarithm (DLOG) assumption is used throughout cryptography. It is a natural strengthening of the CDH assumption. In other words, an adversary which can solve the DLOG problem can also solve CDH in the same group.

Assumption

Informally, the CDH assumption concerns a cyclic group $G$ and a generator $g$ . The assumption is that given any group element $g^{x}$ (where $x$ was chosen uniformly from ${0, \dots, ∣ G - 1∣}$ ), it is hard to compute $x$ .

Formally, consider a family of cyclic groups ${G_{λ}}_{λ \in N}$ . Define the DLOG-advantage of an adversary $A$ as $Adv_{A}^{dlog} (λ) = Pr [A (1^{λ}, g, g^{x}) = x],$ where $g$ is the generator for $G_{λ}$ and $x$ is selected uniformly at random from the set ${0, 1, \dots, ∣ G_{λ} ∣ - 1}$ .

We say that DLOG is hard for some group family ${G_{λ}}_{λ \in N}$ if there exists a negligible function $ν$ such that for all efficient adversaries $A$ , $Adv_{A}^{dlog} (λ) \leq ν (λ) .$

Variations

In the above definition, we implicitly assume that $G_{λ}$ has a fixed generator. However, BMZ19 has explored technical differences between this model and one where $g$ is selected among many random generators.

It is easy to see that if $A$ can compute $x$ for a random $g^{x}$ , then $A$ can compute both $x$ and $y$ from $g^{x}$ and $g^{y}$ and find $g^{x y}$ easily. This establishes that DLOG is not easier than CDH.
In the Generic Group Model, $Adv_{A}^{dlog} (λ) \leq \frac{q ^{2}}{∣ G _{λ} ∣}$ , where $q$ is the number of queries that $A$ issues — Shoup97

Attacks

The Baby-step Giant-step is a generic attack which works in all groups and requires space $S$ and time $T$ with $S \cdot T \geq ∣ G_{λ} ∣$ . Therefore, this is optimal in the GGM — TODO citation

Cryptology City

Explorer

Discrete logarithm

Assumption

Variations

Attacks

Graph View

Table of Contents

Backlinks

Cryptology City

Explorer

Discrete logarithm

Assumption

Variations

Related results

Attacks

Graph View

Table of Contents

Backlinks