Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [discrete-logarithm]

In cryptography, a discrete logarithm is the number of times a generator of a group must be multiplied by itself to produce a known number. By choosing certain groups, the task of finding a discrete logarithm can be made intractable.

In cryptography, a discrete logarithm is the number of times a generator of a group must be multiplied by itself to produce a known number. By choosing certain groups, the task of finding a discrete logarithm can be made intractable. Many cryptographic primitives and protocols have security reductions to the discrete logarithm or related problems.

While finding discrete logarithms is hard on a classical computer, quantum computers can find them efficiently.

713 questions
35
votes
4 answers

What is so special about elliptic curves?

There seems to be sources like this, this also, and some introductions that discuss elliptic curves in general and how they're used. But what I'd like to know is why these particular curves are so important in cryptography as opposed to, let's say,…
stackuser
  • 583
  • 4
  • 7
34
votes
2 answers

Hardness of finding mutual discrete logarithms of small generators in $\mathbb{Z}_p$

Suppose you want to select a prime $p$ such that finding e.g. $\log_2(3)$ in $\mathbb{Z}_p$ is expected to be either at least as hard as the general Discrete Logarithm Problem in $\mathbb{Z}_p$, or at least both problems infeasible, e.g. because you…
Henrick Hellström
  • 10,556
  • 1
  • 32
  • 59
28
votes
3 answers

Are safe primes $p=2^k \pm s$ with $s$ small less recommandable than others as a discrete log modulus?

I take the definition of safe prime as: a prime $p$ is safe when $(p-1)/2$ is prime. Safe primes of appropriate size are the standard choice for the modulus of cryptosystems related to the discrete logarithm problem, such as Diffie-Hellman. A…
fgrieu
  • 149,326
  • 13
  • 324
  • 622
25
votes
3 answers

How robust is discrete logarithm in $GF(2^n)$?

"Normal" discrete logarithm based cryptosystems (DSA, Diffie-Hellman, ElGamal) work in the finite field of integers modulo a big prime $p$. However, there exist other finite fields out there, in particular binary fields $GF(2^n)$. There is a…
Thomas Pornin
  • 88,324
  • 16
  • 246
  • 315
23
votes
3 answers

Would the ability to efficiently find Discrete Logs have any impact on the security of RSA?

This answer makes the claim that the Discrete Log problem and RSA are independent from a security perspective. RSA labs makes a similar statement: The discrete logarithm problem bears the same relation to these systems as factoring does to the RSA…
Ethan Heilman
  • 2,326
  • 2
  • 20
  • 40
23
votes
4 answers

What is the relation between Discrete Log, Computational Diffie-Hellman and Decisional Diffie-Hellman?

How are the three problems Discrete Logarithm, Computational Diffie-Hellman and Decisional Diffie-Hellman related? From my understanding, since the Discrete Log (DL) Problem is considered hard, then so is CDH. And since CDH is considered hard, then…
Bobby S
  • 1,973
  • 4
  • 23
  • 30
21
votes
2 answers

Security of Schnorr signature versus DSA and DLP

The Schnorr signature scheme is a randomized signature scheme with appendix. The signature is $3t$-bit for conjectured $t$-bit security in a chosen-messages setup, with at most $2^{t/2}$ queries to a signer; a description faithful to the reference…
fgrieu
  • 149,326
  • 13
  • 324
  • 622
19
votes
1 answer

Why is the Pedersen commitment computationally binding?

This is how the Pedersen commitment seems to work: Let $p$ and $q$ be large primes such that $q \mid (p-1)$, let $g$ be a generator of the order-$q$ subgroup of $Z_p^{\star}$. Let $a$ be a random secret from $Z_q$, and $h=g^a \bmod p$. The values…
LRM
  • 1,406
  • 12
  • 24
19
votes
1 answer

Why are elliptic curve variants of RSA "chiefly of academic interest"?

Yesterday I was thinking about elliptic curve variants of popular protocols/algorithms (ECDH, ECES[1], etc) and the thought occured that I had never seen an elliptic curve variant of RSA. My understanding of RSA and elliptic curves told me that it…
mikeazo
  • 39,117
  • 9
  • 118
  • 183
19
votes
2 answers

Why is the discrete logarithm problem assumed to be hard?

This might be a quite stupid question: since a naive brute force algorithm to solve the discrete logarithm problem will only take O(n) time for a group G with order n, why is it assumed to be hard to solve? Doesn't hard mean no polynomial algorithm…
Boyu Fang
  • 457
  • 1
  • 5
  • 13
18
votes
1 answer

Do recent announcements about solving the DLP in $GF(2^{6120})$ apply to schemes proposed for cryptographic use?

A recent paper by Göloğlu, Granger, McGuire, and Zumbrägel: Solving a 6120-bit DLP on a Desktop Computer seems to "demonstrate a practical DLP break in the finite field of $2^{6120}$ elements, using just a single core-month". They credit a 2012…
fgrieu
  • 149,326
  • 13
  • 324
  • 622
18
votes
0 answers

The aftermath and considerations of the new record of 30750-Bit Binary Field Discrete Logarithm - 2020

Granger et al. recently published a paper about breaking a record for discrete logarithm on the Binary field Computation of a 30 750-Bit Binary Field Discrete Logarithm, Robert Granger and Thorsten Kleinjung and Arjen K. Lenstra and Benjamin…
kelalaka
  • 49,797
  • 12
  • 123
  • 211
17
votes
0 answers

Fewest qubits required for the discrete logarithm problem and integer factorization

According to a paper from 2002, the most efficient circuit to factor an $n$-bit integer requires $2n+3$ qubits and $O(n^{3}\lg(n))$ elementary quantum gates, assuming ideal qubits. Later on, according to a paper from 2008, it is shown that it…
forest
  • 15,626
  • 2
  • 49
  • 103
17
votes
2 answers

What is the key size currently used by RSA and Diffie-Hellman for secure communication over Internet?

What is the key size that RSA and Diffie-Hellman are using now that can guarantee secure communication over Internet and will not be able to break by the best available algorithms (NFS & FFS or any others) in feasible time?
Tanmay Sharma
  • 193
  • 1
  • 1
  • 6
1
2 3
47 48