International Journal of Science and Research (IJSR), ISSN (Online): 2319-7064, Index Copernicus Value (2013): 6.14 | Impact Factor (2014): 5.611
Paper ID: NOV161342

The Discrete Logarithm and Square Roots in Finite Fields

Anindya Shankar Bhandari
Indian Institute of Technology, Kharagpur

Abstract: The purpose of this paper is to make it a go-to paper for any doubts regarding attacking the DLP using square roots. It is a compendium of the knowledge in both areas, which are related to one another, and includes bits of original research as well. Hopefully, it will attract bright minds who will manage to use this information to solve the Discrete Logarithm Problem in polynomial time.

Keywords: Discrete Logarithm; DLP; Quadratic Residue; Finite Field; Square root; Number Theory

1. Introduction

Discrete Logarithm: An integer x that solves the equation $g^x = a$, where both g and a are elements of a finite group, is referred to as a discrete logarithm. It is the analogue of an ordinary logarithm in finite groups. There is no known way to efficiently compute the solution of the Discrete Logarithm Problem (i.e. in polynomial time). In this paper we deal with finite cyclic groups modulo a prime, and the generator g is chosen to be a primitive root modulo that prime. A primitive root modulo a prime is an element whose successive powers generate the whole multiplicative group, i.e. all of its powers up to the group order are distinct.

Quadratic Residues: An integer a is called a quadratic residue modulo p if it is congruent to a perfect square modulo p, that is, if some x satisfies $x^2 \equiv a \pmod p$. A simple way to check whether a number is a quadratic residue in a prime field is to raise it to the exponent $\frac{p-1}{2}$. A quadratic residue returns the value 1, whereas a non-residue returns p-1. Why?

A residue can be represented as the square of a non-residue (or of another residue, in the case of quartic residues); let it be $x^2$. On raising it to the exponent $\frac{p-1}{2}$ you get $x^{p-1}$, and by Fermat's Little Theorem we know that $x^{p-1} \equiv 1 \pmod p$. In the case of a non-residue, the answer comes out to be the other square root of 1 in the field, which is p-1.

2. Reduction: DLP is no harder than obtaining the `best square root' in a finite field

Let us now work with the Discrete Logarithm Problem in a cyclic group generated by g in GF(p). To start with, it is easy to find the last bit of the x of $g^x$ by raising it to $\frac{p-1}{2}$. This works in the same way as described in the previous section, with even powers returning 1 and odd powers returning p-1. Hence, this gives us the last bit of x.

With this result, we can take the square root (assumed to be easy, for the purpose of the reduction) of $g^x$ (if x is even) or of $g^{x-1}$ (if x is odd), and once again check the last bit. In this way, it is possible to reconstruct the discrete logarithm in $O(\log_2 p) \times O(\text{complexity of finding the best square root})$. Therefore it is clear that if one can find the best square root in polynomial time, one can solve the DLP in polynomial time.

It should be noted that the `best square root' is not the same as the `principal square root'. A number has two square roots, even in finite fields: they are $g^{x/2}$ and $g^{(p-1+x)/2}$. The `best square root' refers in particular to $g^{x/2}$. The principal square root, on the other hand, is the square root that is itself a quadratic residue. This is of particular importance in the groups with p = 4k-1, as every quadratic residue is also a quartic residue in such a group, and so has a principal square root.

3. Square roots in finite fields and their relation to the DLP

In this section we discuss how to obtain the square roots in various prime families.
There are 5 types of prime families we shall discuss in this section:
1) p = 4k - 1
2) p = 8k + 5
3) p = 8k + 1
4) $p = 2^m + 1$ (Fermat prime), a special case of 4k + 1
5) A brief note on $p = 2^m - 1$, a standard Galois Field $GF(2^m)$

3.1 Primes of the form 4k-1 - `Safe Primes'

It is very simple to obtain the principal square root in such a field, as every quadratic residue is also a biquadratic (quartic) residue. To obtain it, one simply needs to raise $g^x$ to the exponent $\frac{p+1}{4}$.

So have we solved the DLP? No!

Volume 5 Issue 2, February 2016, www.ijsr.net, Licensed Under Creative Commons Attribution CC BY

The problem here is that the principal square root is not the best square root; it is only the square root that is also a quadratic residue. What does this imply for the DLP? It implies that if we could tell whether the x of $g^x$ at any step is a multiple of 4 (so that $g^x$ is a quartic residue by virtue of x itself, as opposed to p-1+x being the multiple of 4), then the DLP would be solved. However, while checking if the x of $g^x$ is a multiple of 2 is easy (raise it to the power $\frac{p-1}{2}$), there is no efficient oracle that can check whether an exponent is a multiple of 4 in a field of size 4k-1, as raising to the power $\frac{p-1}{4}$ is not possible (p-1 is not divisible by 4).

3.2 Primes of the form 8k + 5

Finding the square root in this field isn't as simple; the following procedure is used. We start by raising $g^x$ to the power $\frac{p-1}{4}$. If this gives 1 (mod p), implying that the exponent x is a multiple of 4, we obtain the square root by simply raising $g^x$ to the power k+1, where p = 8k+5. Therefore, the square root (if x is a multiple of 4) is $(g^x)^{k+1}$. On the other hand, if raising $g^x$ to the power $\frac{p-1}{4}$ returns -1 (mod p), then the square root can be obtained by raising $g^x$ to the power k+1 and multiplying it with $2^{2k+1}$.
Therefore, the square root (if $x \equiv 2 \pmod 4$) is $2^{2k+1} \times (g^x)^{k+1}$. When applying this knowledge to the DLP, however, it could be seen that for several of the exponents within a field this did not return the best square root, but instead returned $g^{(p-1+x)/2}$.

3.3 Primes of the form 8k + 1

The best method for obtaining square roots in fields modulo primes of this form is the Tonelli-Shanks algorithm. The algorithm has been explained properly in [2], so we shall not discuss it in detail. Once again, this algorithm returns either of the square roots, hence it is not possible to be sure which one is the best square root.

3.4 Fermat Primes

Let us begin this section by stating a fact: the DLP is easy in groups modulo Fermat primes. This can be verified by doing the following. We first check if x is even or odd by raising $g^x$ to the exponent $\frac{p-1}{2^q}$, maintaining two parameters a (initialized to 1) and q (initialized to 1). If x is odd, a is subtracted from x, hence x is now even. If x is even, a is multiplied by 2. We have got the last bit of x. Now q is incremented by 1. We proceed with this algorithm, performing the same actions at each step to determine the last, second last, third last (and so on) bits of x.

Therefore, within polynomial time (logarithmic in p, i.e. polynomial in the number of bits of p), we have obtained the value of x. The reason this is possible is that p-1 can be divided by 2 repeatedly, always giving an integer. It is also possible to obtain m bits of x in groups of size $p = 2^{n_1} + 2^{n_2} + 2^{n_3} + \dots + 2^{n_m} + 1$, where $n_m$ is the smallest of the $n_i$. Another method for doing this was explored in [1].

3.5 A note on $GF(2^m)$

In a field modulo $p = 2^m - 1$, it is possible to obtain the nth root (n = 2, 4, 8, 16, …) directly, as opposed to the iterative procedure for general primes of the form 4k-1. This is done by raising $g^x$ to the power $\frac{p - 2^n + 1}{2^n}$. This is possible only in this group, as such a fraction would not give an integer for a general p = 4k-1.

4. Conclusion

This paper has explored square roots in various prime families and their relation to solving the DLP in those groups. It is clear that the hardness of the DLP is entirely dependent on the hardness of deciding which of the two square roots is the `best' one, i.e. the one analogous to the positive square root of a real number. The most important prime group, i.e. the one typically used for the DLP (for security purposes), is the safe prime group p = 4k-1. It is our hope that the content of this paper may shed some light to help prove that the DLP is indeed easy in some of these groups.

References

The following references have been used in the preparation of this paper.

[1] Douglas L. Long, Avi Wigderson (1983). "How discreet is the discrete log?", The 15th Annual ACM Symposium on Theory of Computing.
[2] Jeremy Booher, "Square roots in finite fields and quadratic nonresidues", available at http://stanford.edu/~jbooher/expos/sqr_qnr.pdf
[3] Quadratic Residues, as taught by Winona State University. http://course1.winona.edu/eerrthum/13Spring/SquareRoots.pdf
[4] Quadratic residue, Wikipedia. https://en.wikipedia.org/wiki/Quadratic_residue
[5] Discrete logarithm, Wikipedia. https://en.wikipedia.org/wiki/Discrete_logarithm

Author Profile

Anindya Shankar Bhandari is currently a 3rd year undergraduate student of the Electronics and Electrical Communication Engineering department at the Indian Institute of Technology, Kharagpur. His research interests are in Cryptography, Number Theory and Machine Learning.
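The reduction of Section 2 and the 8k+5 square-root formula of Section 3.2, worked through as an added example (this is not the paper's code): p = 37 and g = 2 are constructed sample values, and a brute-force oracle stands in for the `best square root' routine the reduction assumes exists.

```python
# Added example, not from the paper: the bit-by-bit reduction of Section 2,
# run once with a brute-force "best square root" oracle and once with the
# 8k+5 square-root formula of Section 3.2. p = 37 (= 8*4 + 5) and g = 2
# (a primitive root modulo 37) are constructed sample values.
P, G = 37, 2


def exponent_is_even(a, p):
    """Euler's criterion from Section 1: a^((p-1)/2) == 1 iff a = g^x with x even."""
    return pow(a, (p - 1) // 2, p) == 1


def sqrt_8k5(a, p):
    """A square root of the quadratic residue a modulo p = 8k+5 (Section 3.2).
    Returns one of the two roots; as the paper notes, not always g^(x/2)."""
    k = (p - 5) // 8
    root = pow(a, k + 1, p)
    if pow(a, (p - 1) // 4, p) != 1:        # a^((p-1)/4) == -1: x is 2 mod 4
        root = root * pow(2, 2 * k + 1, p) % p
    return root


def best_sqrt_oracle(a, p, g):
    """The `best square root' g^(x/2), found by brute-force discrete log.
    Feasible only for tiny p; it plays the oracle the reduction assumes."""
    x = next(x for x in range(p - 1) if pow(g, x, p) == a)
    return pow(g, x // 2, p)


def dlog_via_sqrt(a, p, g, sqrt):
    """Section 2: read the last bit of x, divide it out, halve x by taking a
    square root, and repeat. Correct only if sqrt(a, p) always returns g^(x/2)."""
    g_inv = pow(g, p - 2, p)
    x = 0
    for i in range(p.bit_length()):
        if not exponent_is_even(a, p):
            x |= 1 << i
            a = a * g_inv % p                # now a = g^(x-1), an even exponent
        a = sqrt(a, p)                       # with the best root, a = g^(x/2)
    return x


def count_recovered(p=P, g=G):
    """How many targets g^x (0 <= x < p-1) each square-root routine recovers."""
    oracle = lambda a, q: best_sqrt_oracle(a, q, g)
    ok_oracle = sum(dlog_via_sqrt(pow(g, x, p), p, g, oracle) == x for x in range(p - 1))
    ok_8k5 = sum(dlog_via_sqrt(pow(g, x, p), p, g, sqrt_8k5) == x for x in range(p - 1))
    return ok_oracle, ok_8k5


if __name__ == "__main__":
    print(count_recovered())                 # (36, 2): the 8k+5 root is rarely the best one
```

Only x = 0 and x = 1 survive the 8k+5 route: each time that formula hands back $g^{(p-1+x)/2}$ instead of $g^{x/2}$, every later bit is read from the wrong exponent.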
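The bit-by-bit procedure of Section 3.4, as an added example that is not the paper's code; it also covers the remark at the end of that section by returning the low v bits of x for any prime where $2^v$ exactly divides p-1. p = 65537 with g = 3 and p = 37 with g = 2 are constructed sample values.

```python
# Added example, not the paper's code: the bit extraction of Section 3.4.
# Because p-1 = 2^m for a Fermat prime, x can be read off one bit per step
# with the exponent (p-1)/2^q, no square root needed.  The same loop yields
# the low v bits of x for any prime with 2^v exactly dividing p-1, as the
# end of Section 3.4 remarks.  p = 65537 = 2^16 + 1 with primitive root g = 3
# and p = 37 with g = 2 are constructed sample values.


def low_bits_of_dlog(a, g, p):
    """Return (x mod 2^v, v), where 2^v is the largest power of 2 dividing p-1
    and a = g^x mod p for a primitive root g."""
    v = ((p - 1) & -(p - 1)).bit_length() - 1    # trailing zero bits of p-1
    g_inv = pow(g, p - 2, p)
    x = 0
    for q in range(1, v + 1):
        # divide out the bits found so far: stripped = g^e with 2^(q-1) | e
        stripped = a * pow(g_inv, x, p) % p
        # stripped^((p-1)/2^q) == 1 iff 2^q | e, i.e. iff bit q-1 of x is 0
        if pow(stripped, (p - 1) >> q, p) != 1:
            x |= 1 << (q - 1)
    return x, v


def dlog_fermat(a, g, p):
    """Full discrete log for a Fermat prime p = 2^m + 1 (the claim of Section 3.4)."""
    x, v = low_bits_of_dlog(a, g, p)
    if (p - 1) != 1 << v:
        raise ValueError("p - 1 is not a power of two, so only the low bits are known")
    return x


if __name__ == "__main__":
    p, g = 65537, 3
    print(dlog_fermat(pow(g, 12345, p), g, p))   # 12345
```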