# [Crypto] Super basic questions to DLP and DH

Kudos for the question's critical thinking. Keep on with that attitude!

Eve wants to find $\log_g(g^x)$ which gives her $x$. Why is it a problem? She knows $g$ and she knows what the number $g^x$ is.

The problem as stated in this quote and with $g$ in the set $\mathbb Z$ (the integers) is the logarithm problem restricted to integers, and indeed is easy. Just by looking at the size of $g^x$ (the number of digits in decimal), it's easy to get an idea of how large $x$ is. For example if $g$ is $11$, $g^x$ will have a little over $x$ decimal digits. More generaly, $x$ is $\log(g^x)/\log(g)$, computed over the reals with the logarithm in any base.

In the *discrete* logarithm problem, $g^x$ is not computed by regular integer multiplications. It's computed in a *finite* set with group structure. $g^x$ is constrained to be in the same finite set as $g$ is, no matter how large $x$. That makes a huge difference, because Eve always gets a small value, thus techniques based on the size of $g^x$ will no longer work.

The simplest group usable is the multiplicative group modulo a safe prime $p$. In this group, $u*v$ is defined as the remainder of the Euclidean division of $u\cdot v$ by $p$, where $u\cdot v$ is the ordinary product. $g^x$ is defined as usual:$$g^x=\underbrace{g*g\ldots g*g}_{x\text{ terms}}$$ where each $*$ is an operation in the finite set. Note that $g^x$ can be computed with $\approx1.5\log_2(x)$ modular multiplications, rather than the obvious $x-1$.

To convince you things are hard, try with $p=31469$ (small enough that $u\cdot v$ fits 9 decimal digits), $g=3$, $g^x=11292$. How do you get $x$?

One simple method is to try all $x$ sequentially, that has cost $\Theta(p)$ (note that we can move to the next power of $g$ with a single modular multiplication). A better method is baby-step/giant-step, that has cost $\Theta(\sqrt p)$ in work and memory. Yet a better (probabilistic) method is Pollard's rho, which also requires $\Theta(\sqrt p)$ work but reduces memory requirements to $\Theta(1)$, and can largely be parallelized.

Because we use a particularly simple group, there are even better methods. However, with e.g. Elliptic Curve groups, we don't know a much better method that works on computers as we know them. Thus if we use a suitable group with enough elements (e.g. in the order of $2^{256}$), the best way we know to get $x$ requires in the order of $2^{128}$ group operations on computers as we know them.