Discrete Logarithm Problem over Prime Fields, Non-canonical Lifts and Logarithmic Derivative

Discrete Logarithm Problem over Prime Fields,
Non-canonical Lifts and
Logarithmic Derivatives
H. Gopalakrishna Gadiyar and R. Padma
Department of Mathematics
School of Advanced Sciences
Vellore Institute of Technology, Vellore
Chandrasekharan Centenary Symposium in Number
Theory - 19 December 2020
Indian Mathematical Society
86th Annual Conference
VIT, 17 - 20 December 2020
Gadiyar, Padma Discrete Logarithm Problem

K. Chandrasekharan
(21 November 1920 - 13 April 2017)

Definition of Discrete Logarithm
Let a0 be a primitive root of a prime number p > 2.
Then for every b0 ∈ {1, 2, · · · , p − 1} mod p there exists a
unique integer np modulo p − 1 satisfying
a
np
0 ≡ b0 (mod p) . (1)
np is called the discrete logarithm or index of b0 to the base
a0 modulo p.
Given a0 and b0 modulo p finding np modulo (p − 1) is
called the discrete logarithm problem (DLP) over the prime
field Fp.

Example
Let us take p = 11
a0 = 2 is a primitive root of 11
Consider the powers of 2 mod 11
k 0 1 2 3 4 5 6 7 8 9
2k mod 11 1 2 4 8 5 10 9 7 3 6
Ritt called the finite fields as Monkey fields as the points
jump around when you multiply.
Hence they are used to generate randomness
One cannot use continuity argument to get the discrete
logarithm.

The DLP is believed to be computationally difﬁcult if p is a
randomly chosen large prime.
There are various algorithms to compute the DLP like the
baby step - giant step method, Pollard’s ρ-method, Pohlig -
Hellman attack and the index calculus method.
Pohlig - Hellman algorithm works in polynomial time if all
the prime factors of p − 1 are ‘small’.
The other algorithms are exponential or sub-exponential
time algorithms
All these attacks are algebraic in nature
There are no known polynomial time algorithms to
compute the discrete logarithm for a large prime p.

Why is this problem important?
The computational intractability of the DLP is the basis of
the famous Diffie - Hellman key exchange protocol which is
the first published (1976) public key cryptographic
algorithm.
The Diffie - Hellman Key exchange protocol allows two
users to exchange a secret key over an insecure network.
Let p be a large prime number say at least 512 bits.
Let a0 be a primitive root of p.
Both p and a0 are publicly available.
The two users Alice and Bob generate the common secret
key as follows.
Alice and Bob both choose two private numbers a and b
respectively.

Alice computes X = aa
0 mod p and Bob computes
Y = ab
0 mod p
X and Y are exchanged over an insecure network
Alice computes kA = Ya mod p
Bob computes kB = Xb mod p
Now kA = Ya mod p = aab
0 mod p
kB = Xbmod p = aab
0 mod p
kA = kB is the common key for symmetric encryption.

Difﬁe - Hellman Key Exchange Protocol
Alice Bob
,
( ) = ( ) =
Secret Secret
Common Key

An evesdropper can compute this key, if he can ﬁnd out
either a or b.
Finding a from X is the DLP
Finding b from Y is the DLP

Variants of this protocol are used in the Internet security
standards provided by IEEE P1363, RFC 2631, ANSI
X9.42, NIST etc.
Some of the protocols are:
Secure Socket Layer (SSL), Transport Layer Security
(TLS), Secure Shell (SSH), Internet Protocol Security
(IPSec), Public Key Infrastructure (PKI)

Generalizations
The DLP can be generalized to
Multiplicative group of a finite field.
Elliptic curves over a finite field.
Hyperelliptic curves over a finite field.

Elliptic curves
An elliptic curve over Fp is given by
y2
= x3
+ ax + b mod p (2)
with 4a3 + 27b2 ≡ 0 mod p. (p > 3)
The set of points on this curve along with a point called ‘O
is a ﬁnite group under a certain addition law.
It is denoted by E(Fp).
If P and Q are points on the curve such that Q = nP then
‘n is called the discrete logarithm of Q w.r.t. P
Finding n given P and Q is called the elliptic curve discrete
logarithm problem (ECDLP)

Anomalous Elliptic curves
When the number of points on the curve is p, then the
elliptic curve is called anomalous.
The anomalous curves should not be used for
cryptographic purpose as
Nigel P Smart
I. A. Semaev
T. Satoh and K. Araki
independently found a linear time algorithm to compute the
discrete logarithm on such curves.

Attack on Anomalous Elliptic curves
There are two steps in their attack
1. Lift the points P and Q to points P and Q over Qp.
2. p-adic elliptic logarithm.

pQ, pP ∈ E1(Qp) as p is the cardinality of the group
Q − nP ∈ E1(Qp) as the ECDLP is given by Q = nP .
p(Q − nP) ∈ E2(Qp)
p-adic elliptic logarithm of pQ and pP will be a multiple of p
but
the p-adic elliptic logarithm of p(Q − nP) will be a multiple
of p2
ϑ(pQ) − nϑ(pP) ≡ 0 mod p2
(3)
n ≡
ϑ(pQ)
ϑ(pP)
mod p. (4)

Smart attack for the DLP over Prime Fields
It turns out that a lot of elementary number theory is
involved unlike the case of anomalous elliptic curves.
Did extensive calculations in Maple to arrive at the results
presented here.
The tools we use are:
1. Lift -Teichmüller lift
2. Logarithm - Iwasawa logarithm
We use two approaches both of which fail.
This forces us to use more abstract tools.

Tool 1. Teichmüller lift
By Fermat’s little theorem we have
xp−1
0 ≡ 1 + q(x0)p (mod p2
) (5)
for any integer x0 ∈ {1, 2, · · · , p − 1 mod p}.
q(x0) is called the Fermat quotient of x0 modulo p.
We can write this as
xp
0 ≡ x0 + x1p (mod p2
) . (6)
where x1 = x0q(x0) mod p.
By Euler’s theorem of congruences
(x0 + x1p)p−1
≡ 1 (mod p2
) , (7)
x0 + x1p is the Teichmüller expansion of x0 modulo p2.
As x1 =
x
p
0 −x0
p (mod p), and xp
0 (mod p2) can be computed
in polynomial time using the repeated square and multiply
algorithm, one can compute x1 in polynomial time.

Teichmüller lift Contd.
Similarly xp2
0 ≡ x0 + x1p + x2p2 (mod p3) is the Teichmüller
expansion of x0 modulo p3 and
(x0 + x1p + x2p2)p−1 ≡ 1 (mod p3)
Thus one gets the Teichmüller representative T(x0) of x0
as a p-adic integer which is represented by
T(x0) = lim
k→∞
xpk
0 . (8)
Note that
T(x0)p−1
= 1 (9)
for any x0 ≡ 0 (mod p).

Teichmüller Expansion as Hensel Lift
Hensel Lift is the p-adic Newton - Raphson method.
Use the polynomial f(x) = xp − x.
Then f (x) = p xp−1 − 1
f (x0) ≡ −1 (mod p)
By Fermat’s little theorem f(x0) ≡ xp
0 − x0 ≡ 0 (mod p)
Thus the Hensel lifting x0 − f(x0)
f (x0) of x0 gives precisely
x0 + x1p (mod p2).

Tool 2. Iwasawa Logarithm
For a p-adic integer x = x0 + x1p + x2p2 + · · · with
gcd(x0, p) = 1, the Iwasawa logarithm of x is denoted by
Log x and is deﬁned as
1
p − 1
log xp−1
(10)
log xp−1
= log(1 + 1p + 2p2
+ · · · )
= 1p + 2p2
+ · · · −
1
2
1p + 2p2
+ · · ·
2
+ · · ·
Note that the Iwasawa logarithm of the Teichmüller
representative Log T(x) = 0.

Applying to DLP
a
np
0 ≡ b0 (mod p) . (11)
Raising both sides to power p, we get
a
pnp
0 ≡ bp
0 (mod p2
) . (12)
(a0 + a1p)np
≡ b0 + b1p mod p2
. (13)
If we raise both sides by the power (p − 1) , the equation
becomes 1 ≡ 1 mod p2

βnp
- Carry
Expanding the l.h.s. using the binomial theorem
a
np
0 + na
np−1
0 a1p ≡ b0 + b1p mod p2
. (14)
Writing
a
np
0 ≡ b0 + βnp p mod p2
, (15)
where βnp is the carry, we get
b0 + βnp p + npa
np−1
0 a1p ≡ b0 + b1p mod p2
. (16)
βnp + np
b0
a0
a1 ≡ b1 mod p . (17)
np ≡
(b1 − βnp )/b0
a1/a0
(mod p) (18)
This is a linear congruence in two unknowns np and βnp
Hence the method fails.

Kontsevich and Riesel point out that the difﬁculty arises
because
the problem is stated modulo p but
the solution is needed modulo p − 1.
Hence we convert the DLP modulo p to the DLP modulo
the composite p(p − 1)

DLP mod p → DLP mod p(p − 1)
We consider primes p of the form 2q + 1 where q is a
prime number.
Examples
11 = 2 ∗ 5 + 1
23 = 2 ∗ 11 + 1
47 = 2 ∗ 23 + 1

DLP mod p to DLP mod pq
Lemma
Let a0 be a primitive root of p and q. Let gcd(b0, q) = 1. Then
the congruence a
np
0 ≡ b0 mod p can be extended to
an
0 ≡ b0 (mod pq) . (19)
if and only if the Legendre symbols
b0
p
=
b0
q
. (20)

Proof.
an
0 ≡ b0 (mod pq) if and only if
an
0 ≡ a
np
0 ≡ b0 (mod p) and
an
0 ≡ a
nq
0 ≡ b0 (mod q) .
This happens if and only if
n ≡ np (mod p − 1) and (21)
n ≡ nq (mod q − 1) . (22)
This is possible if and only if
2 = gcd(p − 1, q − 1)|(np − nq) . (23)
np ≡ nq (mod 2) . (24)

In other words b0 is a quadratic residue or nonresidue
modulo p and q simultaneously.
b0
p = b0
q .
Here we have used the Chinese Remainder theorem when
the moduli are not relatively prime.

Fermat Quotient for Composite Modulus
Deﬁnition
(Lerch) Let x be such that gcd(x, n) = 1. Then q(x) deﬁned by
xφ(n)
≡ 1 + q(x)n (mod n2
) . (25)
is called the Fermat quotient of x modulo n. Here φ(n) is the
Euler totient function.
φ(1) = 1,
φ(pr
) = pr−1
,
φ(pr1
1 pr2
2 ...prk
k ) = pr1−1
1 (p1 − 1)pr2−1
2 (p2 − 1) · · · prk −1
k (pk − 1) .

Properties of q(x)
1. q(xy) ≡ q(x) + q(y) mod n
2. q(x + zn) ≡ q(x) + z
x φ(n) mod n

Carmichael’s Function λ(n)
Deﬁnition
λ(1) = 1, λ(2) = 1, λ(4) = 2 and
λ(n) =



φ(Pr ), if n = Pr
2r−2, if n = 2r , r ≥ 3
lcm(λ(pr1
1 ), λ(pr2
2 ), · · · , λ(prk
k )), if n = pr1
1 pr2
2 · · · prk
k
,
(26)
where P > 2, p1, · · · pk are primes.
When p = 2q + 1, where p and q are both odd primes ,
φ(p2q2) = φ(p2)φ(q2) = p(p − 1)q(q − 1) = 2pq2φ(q)
and
λ(p2q2) = lcm(λ(p2), λ(q2)) = lcm(p(p − 1), q(q − 1)) =
lcm(2pq, q(q − 1)) = pqφ(q).

In other words the order of the group of units modulo p2q2
is φ(p2q2)
whereas λ(p2q2) is the order of the largest cyclic group
modulo p2q2.
Hence we deﬁne Q(x) by the congruence
xλ(p2q2)
≡ xpqφ(q)
≡ 1 + Q(x)p2
q2
(mod p3
q3
) . (27)

Teichmüller Lift Modulo p2
q2
Lemma
Let an
0 ≡ b0 (mod pq).
a1 = −
Q(a0)a0
φ(q)
(mod pq) and b1 = −
Q(b0)b0
φ(q)
(mod pq) . (28)
Then the Teichmüller lifts of a0 and b0 modulo p2q2 are
a0 + a1pq and b0 + b1pq modulo p2q2 respectively and satisfy
(a0 + a1pq)n
≡ b0 + b1pq (mod p2
q2
) , (29)

Proof.
We want a1 and b1 to satisfy (??). Expanding (??) using the
binomial theorem and using the carry notation
an
0 ≡ b0 + βnpq (mod p2
q2
) , (30)
we get the equation
βn + n
b0
a0
a1 ≡ b1 (mod pq) . (31)
Taking the power λ(p2q2) = pqφ(q) on both sides of (??)
a
npqφ(q)
0 ≡ (b0 + βnpq)pqφ(q)
(mod p3
q3
) (32)
This can be written as
(1 + Q(a0)p2
q2
)n
≡ 1 + Q(b0)p2
q2
+b
pqφ(q)−1
0 βnφ(q)p2
q2
(mod p3
q3
)

Proof Continued...
Proof.
1+nQ(a0)p2
q2
≡ 1+Q(b0)p2
q2
+
βn
b0
φ(q)p2
q2
(mod p3
q3
) (33)
So we get
nQ(a0) ≡ Q(b0) +
βn
b0
φ(q) (mod pq) . (34)
Comparing (??) and (??) will give the desired values of a1 and
b1.

Analog of Iwasawa Logarithm Fails
From (??) and with the assumptions made in Lemma 1 we
can go to the discrete logarithm problem
an
0 ≡ b0 (mod pq) (35)
Here a0 generates a subgroup of order qφ(q) modulo pq.
From Lemma 2 we get
(a0 + a1pq)n
≡ b0 + b1pq (mod p2
q2
) . (36)
The order of the group generated by a0 + a1pq modulo
p2q2 is again qφ(q). Also
(a0 + a1pq)qφ(q)
≡ 1 (mod p2
q3
) . (37)

Carry Problem Persists
Expanding (??) using the binomial theorem, we get
an
0 + nan−1
0 a1pq ≡ b0 + b1pq (mod p2
q2
) . (38)
Writing
an
0 ≡ b0 + βnpq (mod p2
q2
) (39)
will give
βn + n
b0
a0
a1 ≡ b1 (mod pq) . (40)
Here βn is the carry of an
0 modulo p2q2 and
Note that n and βn are the two unknowns in the above
linear congruence.

Summary
The ﬁrst constrant is that the problem is given modulo p
and the solution is needed modulo p − 1.
We overcame this problem by going to a DLP modulo pq.
The fact that we cannot get n arises from two possibilities
being blocked as in the modulo p case.
The analogue of the Teichmüller lift modulo p2q2 gives
1 ≡ 1 (see (??))
If the binomial theorem is used, a carry occurs as in the
case of mod p, see (??).

To summarise · · ·
Two Lifts
𝑎 ≡ 𝑏 𝑚𝑜𝑑 𝑝
𝑎 + 𝑎 𝑝 ≡ 𝑏 + 𝑏 𝑝 𝑚𝑜𝑑 𝑝 𝑎 ≡ 𝑏 𝑚𝑜𝑑 𝑝𝑞
Lift
𝑚𝑜𝑑 𝑝 𝑚𝑜𝑑 𝑝𝑞
𝑎 + 𝑎 𝑝𝑞 ≡ 𝑏 + 𝑏 𝑝𝑞 𝑚𝑜𝑑 𝑝 𝑞
𝑚𝑜𝑑 𝑝 𝑞

Teichmüller Expansion Mod p2Fails

𝑎 ≡ 𝑏 𝑚𝑜𝑑 𝑝𝑞
𝑎 + 𝑎 𝑝𝑞 ≡ 𝑏 + 𝑏 𝑝𝑞 𝑚𝑜𝑑 𝑝 𝑞
1=1 Carry
FAILS
Lift
^(𝑞 𝜙 𝑞 ) Binomial Expansion

Main Idea: Non-canonical Lifts
If we can construct a non-canonical lift modulo p2q2 then
the problems dissolve.
Thus solving the discrete logarithm problem is equivalent
to the construction of a non-canonical lift.

Non-canonical Lifts
Non-canonical lifts exist and can be written in the form
(a0 + (a1 + k)pq)n
≡ b0 + (b1 + l)pq (mod p2
q2
) . (41)
When k = k1p for some k1 ≡ 0 mod q, then l = l1p for
some l1mod q.
In this case the order of the group is qφ(q).
On expanding (??) using the binomial theorem, one gets
(a0+a1pq)n
+n(a0+a1pq)n−1
k pq ≡ (b0+b1pq) +l pq (mod p2
q2
)
(42)
Using (??) we get
n ≡
l1/b0
k1/a0
(mod q) (43)
If we use the notation da0 for k1 and db0 for l1 then
n ≡
db0/b0
da0/a0
(mod q) (44)
Thus n can be thought of as the logarithmic derivative.

For the other k ≡ 0 and l modulo pq the order of the group
will be pqφ(q).
n ≡
l/b0
k/a0
(mod pq) (45)
If we use the notation da0 for k and db0 for l then
n ≡
db0/b0
da0/a0
(mod pq) . (46)
The non-canonical extensions (modulo p2q2) of the
subgroup generated by a0 mod pq are labeled by da0.
As p = 2q + 1 once we get n mod q, n mod p − 1 would be
either n or n + q mod p − 1 which can be checked in
polynomial time.

Note that we can get (??) and (??) by raising (??) to the
powers qφ(q) and pqφ(q) respectively.
In the second case we get
(a0 + (a1 + k)pq)pqφ(q)
n
≡ (b0 + (b1 + l)pq)pqφ(q)
(mod p3
q3
) ,
(47)
On expanding this and using the earlier notation we get
1 + n q(a0) +
(a1 + k)
a0
φ(q) p2
q2
≡
1 + q(b0) +
(b1 + l)
b0
φ(q) p2
q2
(mod p3
q3
) .(48)
Using the formula for a1 and b1 one gets (??).
This way of getting n is analogous to the attack on
anomalous elliptic curves by Smart , Semaev , Satoh and
Araki.

Historically derivatives of numbers have been studied for a
long time starting from Kummer , A. Weil (expanded by
Kawada) and more recently by A. Buium.
Hence the problem which is standing in isolation studied
only by cryptologists gets connected to mainstream
algebra and number theory.

Key Idea - Noncanonical Lift-1
+ ≡ + mod
+ + ≡ + + mod
≡

Key Idea - Noncanonical Lift-2
+ ≡ + mod
+ + ≡ + + mod
≡

What we were looking for...
If you have two functions f(x) and g(x) satisfying the
relation
f(x)n
= g(x) (49)
the logarithmic differentiation gives
n =
g (x)
g(x)
/
f (x)
f(x)
(50)

Conclusion
We speculate a little philosophically.
Like in Godel’s theorem it is possible that this is a case of a
difﬁcult problem within a system of axioms becoming easy
when the system of axioms is enlarged.
The problem may be hard mod p but going out of the
system of axioms of modular arithmetic
mod p → mod pq → mod q
is forced on us because of the discrete logarithm problem
is given mod p but the value of the index n is given mod
p − 1.
We are not experts in mathematical logic.
We leave this topic to logicians and theoretical computer
scientists.

Acknowledgements
Gadiyar remembers with gratitude being taught advanced
topics like the extension of groups in a very simple way by
the Late Prof. E.C.G. Sudarshan
The all pervasive culture of Bourbaki style mathematics
was imbibed by us thanks to the presence of the late Prof.
C. S. Seshadri in Chennai.
The late Prof. K. Ramachandra’s philosophy is used in this
work: Use elementary methods and analyse the simplest
case.
We would like to thank Prof. M. S. Rangachari for
encouragement.
We would like to thank Prof. R. Balasubramanian and Prof.
Bimal Roy who encouraged academic research in
cryptography through the CRSI
We would like to thank Prof. M. Ram Murty for
encouragement.

Acknowledgements
We would also like to thank Prof. A. Sankaranarayanan,
Prof. K. Srinivas and Prof. Arul Lakshminarayan for getting
relevant papers from the libraries of TIFR, IMSc and IITM
This work was started at the AU-KBC Research Centre
and brought to a ﬁnal form at VIT, Vellore
We thank both the organisations for supporting us.

Papers
1. H. Gopalkrishna Gadiyar, K M Sangeeta Maini, R. Padma:
Cryptography, Connections, Cocycles and Crystals: A
p-adic Exploration of the Discrete Logarithm Problem.
Progress in Cryptology - INDOCRYPT 2004, 305-314,
Lecture Notes in Comput. Sci., 3348. Zbl 1115.94008,
MR2147933 (Edlyn Teske)
2. H. Gopalakrishna Gadiyar, R. Padma: The discrete
logarithm problem over prime ﬁelds: the safe prime case.
The Smart attack, non-canonical lifts and logarithmic
derivatives. Czech Math J 68, 1115-1124 (2018).
https://doi.org/10.21136/CMJ.2018.0128-17 MR3881901
(Cunsheng Ding)

Thank You

Discrete Logarithm Problem over Prime Fields, Non-canonical Lifts and Logarithmic Derivative

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Discrete Logarithm Problem over Prime Fields, Non-canonical Lifts and Logarithmic Derivative

Similar to Discrete Logarithm Problem over Prime Fields, Non-canonical Lifts and Logarithmic Derivative (20)

Recently uploaded

Recently uploaded (20)

Discrete Logarithm Problem over Prime Fields, Non-canonical Lifts and Logarithmic Derivative