Why is the discrete logarithm problem assumed to be hard?

Someone else asked the same question but the answers only explain that exponentiation is in $O(\log(n))$ while the fastest known algorithm to compute discrete logarithms is in $O(n)$. (I'm glossing over details like the runtime of index calculus here.)

Somewhere else I read: "We assume discrete logarithms to be hard because for over 40 years very smart people failed to find a fast algorithm."

Now, I wonder if there are any better arguments. Can you actually explain why discrete logarithms are hard?

LinusK

1 Answer

Now, I wonder if there are any better arguments.

Ultimately, no, not really.

We don't have any proof that computing discrete logs is hard. For that matter, we don't have any proof that any problem within $NP$ (that is, any problem where, if the answer is "yes", there is a quickly checkable proof of that) is hard.

We do have some partial proofs, for example, that in the "black-box" model, a discrete log on a prime-order group is hard. On the other hand, the assumption it makes is known to be false for finite fields, and so that's less useful than one would hope.

poncho
  • Can't you argue, for example, along the lines that during exponentiation each of the $\log(n)$ squarings deletes a bit of information because $x \cdot x = (-x) \cdot (-x)$? – LinusK Apr 02 '22 at 13:38
  • @LinusK: not really; if $g$ has order $q$, then $g^x$ for $x \in \{0, \ldots, q-1\}$ is injective - that is, it doesn't lose any information. And so, while a common implementation substep (squaring) may lose information, overall there is no information loss. – poncho Apr 02 '22 at 14:10
  • But if $\mathbb{F}_p$ with $p=2q+1$ and $g$ has order $q$, then $g^x$ for $x \in \{0, \ldots, p-1\}$ is not injective. And if $g^{x_1} = g^{x_2}$ for some $x_1 \neq x_2$ then both the lowest bit of $x_1$ and $x_2$ (the hardcore bits) must be different. That's why I thought there must be some information loss. – LinusK Apr 02 '22 at 14:31
  • @LinusK: however, in that case, $x_1 \equiv x_2 \pmod q$; hence there is essentially only one solution (knowing that immediately gives you all the others) – poncho Apr 02 '22 at 14:33
  • What is a "hard group"? – Paŭlo Ebermann Apr 03 '22 at 19:35
  • @PaŭloEbermann: sorry, I changed how I wanted to express this as I wrote it, and an additional 'hard' stayed in. Does the edit make more sense? – poncho Apr 03 '22 at 19:38
  • Also, the generic group model does not capture quantum computation, which also seems to make it less useful than desired. – K.G. Apr 03 '22 at 19:58
  • @K.G.: true enough - even though (I believe) Shor's algorithm can work in an entangled black-box group implementation, that is a different computational model... – poncho Apr 03 '22 at 20:32