2

Is there a special case for the discrete logarithm problem with a base of 2?

For example, is it possible to solve for $a$ in the following problem without brute forcing $a$?

$2^a \bmod p = x$

Where $p$ is a large prime, and I have the answer $x$.

If this question has been asked before, please point me in the right direction; I was having trouble searching Google for this problem.

Thanks in advance!

2 Answers

2

In general, $2$ is not easier than any other base. But there are better algorithms than brute force: see here for example.

Robert Israel
  • 470,583
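As an added example (not part of the original answer, and not necessarily the algorithm its lost link pointed to), baby-step giant-step is one standard method that solves $2^a \bmod p = x$ in about $\sqrt{p}$ multiplications and table entries instead of up to $p$ trial exponents. The function name `bsgs` and the sample values are assumptions made for illustration.

```python
from math import isqrt


def bsgs(base, x, p):
    """Return the smallest a >= 0 with base**a % p == x % p, or None.

    Baby-step giant-step: write a = i*m + j with 0 <= i, j < m and
    m = ceil(sqrt(p - 1)), so that x * base**(-i*m) == base**j (mod p).
    Requires gcd(base, p) == 1; p prime guarantees this for base = 2.
    """
    m = isqrt(p - 1) + 1

    # Baby steps: remember base**j -> j for j = 0 .. m-1.
    table = {}
    e = 1
    for j in range(m):
        table.setdefault(e, j)      # keep the smallest j for each value
        e = e * base % p

    # Giant steps: multiply x by base**(-m) until it lands in the table.
    factor = pow(base, -m, p)       # modular inverse power (Python 3.8+)
    gamma = x % p
    for i in range(m):
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * factor % p
    return None                     # x is not a power of base modulo p


if __name__ == "__main__":
    p = 1000003                     # constructed sample prime
    x = pow(2, 123456, p)           # constructed target with a known exponent
    a = bsgs(2, x, p)
    print(a, pow(2, a, p) == x)
```

The memory cost grows like $\sqrt{p}$ as well, so this is practical only for moduli far smaller than those used in cryptography.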
2

Since your assumption is that p is prime, then you could look for the exponent a using an algorithm that calculates the square root under mod p.

This website explains how to calculate the square root for a modulo that is prime.

As Jyrki pointed out such an algorithm is still exponential, because each square has 2 square roots and you have to consider both of them to find the exponent. This results in a binary search tree that grows exponentially when the search depth increases. Therefore the algorithm is not polynomial.

The following algorithm illustrates the main idea, but cannot be implemented as is, because it assumes that the base has no square root. If the base has a square root, the algorithm has to be adapted to take this into account.

Base Algorithm to Convert the Discrete Logarithm Problem to Finding the Square Root under Modulo

  1. base = 2 //or any other base, the assumption is that base has no square root!
  2. power = x
  3. baseInverse = the multiplicative inverse of base under modulo p
  4. exponent = 0
  5. exponentMultiple = 1
  6. while power is not equal to base
    1. alternativePower = power*baseInverse
    2. if power has a square root
      • power = sqrt(power)
    3. else //either power or alternativePower has a square root
      • exponent = exponent + exponentMultiple
      • power = sqrt(alternativePower)
    4. exponentMultiple = exponentMultiple*2
  7. exponent = exponent + exponentMultiple
  8. return exponent

Converting a Base to a non Quadratic Residue for a Prime Modulo

For a prime modulo p

  • if p mod 4 is equal to 1, then base is a square if and only if p - base is a square. In this case if base is a square, you have to replace base by one of its square roots (not equal to 1) and keep repeating this until both roots are non square. Most of the time, taking any square root would be fine, but sometimes you may encounter a cycle, e.g. in modulo 41:

    • sqrt(16) = 37
    • sqrt(37) = 18
    • sqrt(18) = 10
    • sqrt(10) = 16

    when you encounter a cycle, take the other square root instead. Squares are connected to each other in a pseudoforest. This implies that if a square root is on a cycle, then the additive inverse of the square root cannot be on a cycle, because both square roots belong to the same graph and each graph in the forest has only a single cycle.

  • if p mod 4 is equal to 3, then base is a square if and only if p - base is not a square. In this case if base is a square, one of its roots is also a square and the other is not a square. You have to replace base by its non square root.

The General Case when the Modulo is not Prime

More generally, when p is not a prime, no efficient way to find the square root under modulo p is known.

  • This fails because the square root is not unique. If $x=y^2$ and $x\equiv 2^{2t}$, then $y\equiv2^{t}$ OR $-y\equiv 2^{t}$. Given that $-1\equiv 2^{(p-1)/2}$ (assuming $2$ is primitive), the latter case says that $y\equiv 2^{t+(p-1)/2}$. And you cannot tell which is which. – Jyrki Lahtonen Apr 26 '20 at 17:00
  • For example, when $p=11$ we easily see that $2$ is primitive. If we want to solve the discrete logarithm of $x=9$, we happily start by observing that $9=3^2$, so it suffices to find the logarithm of $3$. Also $3\equiv 5^2$, so it suffices to find the logarithm of $5$. As it happens, $5$ is also a square, namely $5\equiv 4^2$, so it suffices to find the logarithm of $4$. It is our lucky day, because $4\equiv 9^2$, so it suffices to find the logarithm of $9$. Oops! After taking a number of square roots we are back to the number we started with. – Jyrki Lahtonen Apr 26 '20 at 17:14
  • The problem: when you select a square root among $y$ or $-y\equiv p-y$, you have no way of knowing which of the square roots is the one with the "smaller" discrete logarithm. Mind you, the discrete logarithm takes values in the additive group $G=\Bbb{Z}/(p-1)\Bbb{Z}$, and that group has no ordering, so there is no concept of "smaller" in $G$. – Jyrki Lahtonen Apr 26 '20 at 17:18
  • Confession time. A friend in crypto once asked me why this idea fails. So we worked it out together. – Jyrki Lahtonen Apr 26 '20 at 17:21
  • A thread with a related answer of mine explaining how to find cases, where squaring runs in circles. Correspondingly, we run in circles if we pick square roots in such a way that the square root is always another square. – Jyrki Lahtonen Apr 26 '20 at 17:31
  • if p mod 4 is equal to 1, there is indeed the problem of squares running in cycles. When you invert the squaring to the square root, you have square roots running in cycles. Though for any square root on such a cycle the additive inverse is also a root and cannot be on a cycle? – toongeorges Apr 26 '20 at 18:22
  • It appears to me that when you connect a value with its square, you get a https://en.wikipedia.org/wiki/Pseudoforest . Each graph will have exactly 1 cycle where the trivial cycle is 1 -> 1. If you detect you are on a cycle (by checking if the new root is equal to the initial base), then the additive inverse of the initial base cannot be on a cycle – toongeorges Apr 26 '20 at 18:34
  • @JyrkiLahtonen To reply to your comment with p = 11. Since p mod 4 = 3, either 3 or 11 - 3 = 8 is not a square. Since you know that 3 = 5², then you know that 8 cannot be a square and you can take 8 as base. – toongeorges Apr 26 '20 at 18:43
  • $8$ and $2$ are both ok bases modulo $11$. But I'm afraid changing a base won't save your proposed algorithm. Every time you take a square root there is the $(p-1)/2$ ambiguity in the discrete logarithm coming from the choice of sign of the square root. – Jyrki Lahtonen Apr 26 '20 at 19:19
  • @JyrkiLahtonen you mean that because each square has 2 roots, the algorithm results in a binary search tree for which the cases that have to be checked grow exponentially whenever the depth of the search tree increases. You are right, this is not solvable in a practical way, I will update the answer to reflect this. – toongeorges Apr 26 '20 at 20:23
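The cycles and the $(p-1)/2$ ambiguity discussed in the answer and comments above can be checked numerically. This is an added example, not code from any participant in the thread; the function names are hypothetical and the brute-force searches are only suitable for small $p$ such as the 11 and 41 used on this page.

```python
def squaring_orbit(v, p):
    """Follow v, v^2, v^4, ... mod p until a value repeats.

    Returns (visited values in order, the first repeated value).
    Read backwards, the visited list is a chain of square roots.
    """
    seen = []
    while v not in seen:
        seen.append(v)
        v = v * v % p
    return seen, v


def on_cycle(v, p):
    """True if repeated squaring returns to v, i.e. a square-root walk
    that starts at v can come back to v without making progress."""
    _, repeat = squaring_orbit(v, p)
    return repeat == v


def root_logs(v, p, g=2):
    """Discrete logs (base g) of both square roots of v modulo p.

    Assumes g is a primitive root modulo p, as 2 is modulo 11.
    """
    logs = {pow(g, k, p): k for k in range(p - 1)}   # brute-force log table
    return sorted(logs[y] for y in range(1, p) if y * y % p == v)


if __name__ == "__main__":
    # p = 11: squaring gives 9 -> 4 -> 5 -> 3 -> 9, the reverse of the
    # square-root chain 9 -> 3 -> 5 -> 4 -> 9 from the comments.
    print(squaring_orbit(9, 11))
    # p = 41: 16 -> 10 -> 18 -> 37 -> 16, the reverse of the answer's cycle.
    print(squaring_orbit(16, 41))
    # The additive inverses 11 - 9 = 2 and 41 - 16 = 25 are not on a cycle.
    print(on_cycle(2, 11), on_cycle(25, 41))
    # The roots 3 and 8 of 9 mod 11 have logs 8 and 3: they differ by
    # (p - 1) / 2 = 5, and both double to log(9) = 6 modulo p - 1 = 10.
    print(root_logs(9, 11))
```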