4

It is not easy to understand why this becomes a hard problem.

The discrete logarithm problem as defined here:
“any integer k that solves $b^k = \{g\mod{n}\}$ is termed a discrete logarithm” i.e.:
Finding an integer $k$ for $b$ and $g$ known in $b^k=\{g\mod{n}\}$

I wonder. Is the reverse, that is:
Finding an integer $b$ for $k$ and $g$ known in $b^k=\{g\mod{n}\}$
equally difficult (equivalent), or there are easy ways to solve the later, and if so, how?

Edit: Here is a detailed analysis of “roots”. And here a related answer for n composite.

Edit:
A special case of the discrete logarithm problem is: “Discrete logarithms are perhaps simplest to understand in the group $( \mathbb{Z}_p)^x$. This is the group of multiplication modulo the prime p.”

That was the initial intent of the question. But I realize that a general answer may be more apropiate.

Community
  • 1
  • 1
    Here is a related question that deals with computing roots when the modulus is composite. – mikeazo Apr 23 '15 at 01:56
  • Typically dlog is defined in a group mod p, but it doesn't have to be. I think that other question contains your answer, though not explicitly, so I'd leave this one open. It says "Yes, the problem of finding... is believed hard unless the factorization of $N$ can be determined". Well, you know the factorization of $p$, it is $p$ :) – mikeazo Apr 23 '15 at 02:15
  • For $k=2$ you use Tonelli-Shanks. – mikeazo Apr 23 '15 at 02:22
  • 1
    You need the factorisation of $p-1$ (which is the order of the group) not of $p$. Then, $b = g^{k^{-1} \bmod {p-1}}$. This is essentially the RSA problem, except that in RSA, the order of the group is $(p-1)(q-1)$. – fkraiem Apr 23 '15 at 02:29
  • @fkraiem: The question lacks the modulus one is working with, so I'm a bit confused which modulus you use. You can invert a number (your $k$) modulo another number (your $p-1$) without knowing the factorization of the latter by using the extended Euclidian algorithm. However, your statement that the question is (not just essentially, but exactly) the RSA problem is correct (for the modulus missing in the question). – j.p. Apr 23 '15 at 08:48
  • @j.p. Sorry, I assumed we were modulo a prime since the question talked of the dlog problem. In general, if the modulus is $N$, then the exponents are modulo $\phi(N)$. RSA is the special case $N=pq$. – fkraiem Apr 23 '15 at 10:43
  • @j.p. Obviously, you need to be able to invert modulo $\phi(n)$. If this is hard, then the problem is (supposedly) hard. – fkraiem Apr 23 '15 at 10:46
  • The op had a comment (now deleted) suggesting modulo a prime. – mikeazo Apr 23 '15 at 11:35
  • I linked to a question dealing with composite modulus, here is one dealing with prime modulus. – mikeazo Apr 23 '15 at 12:23
  • @fkraiem: It's never hard to invert modulo a number. It's just had to find that number ($\phi$) ;-). – j.p. Apr 23 '15 at 12:53
  • @j.p. It's (supposedly) hard to invert modulo $\phi(n)$ when you know only $n$. Either by finding $\phi(n)$ or otherwise. – fkraiem Apr 23 '15 at 13:08
  • @fkraiem: With "when you know only n" in the sentence, I agree. It would be interesting to know a way to find the inverse mod $\phi$ without knowing the number $\phi$. – j.p. Apr 23 '15 at 13:16
  • Sorry people, yes, I made a comment (erased latter) to state a n prime. However, a general answer seems better. –  Apr 23 '15 at 18:10
  • 1
    @fkraiem It seems to me that there is no reason to need the factorization of (p-1) if n=p (is prime). The Extended Euclidean algorithm is used (provided k and (p-1) are coprime) to find an inverse. It does not seem to require the pre-factorization of (p-1) (N in the algorithm) https://en.wikipedia.org/wiki/Extended_Euclidean_algorithm. –  Apr 23 '15 at 18:23
  • I am working on an answer. It is an interesting point of view in my opinion. More detail later. Thanks everyone. I promise to include all the relevant comments in the answer. –  Apr 23 '15 at 18:25

0 Answers0