The discrete logarithm problem over prime fields: the safe prime case. The Smart attack, non-canonical lifts and logarithmic derivatives
H. Gopalakrishna Gadiyar, R. Padma

TL;DR
This paper explores the discrete logarithm problem over prime fields in the safe prime case, linking it to the concept of logarithmic derivatives to potentially inform cryptographic analysis.
Contribution
It introduces a novel connection between the discrete logarithm problem and logarithmic derivatives specifically for safe prime fields.
Findings
Establishes a theoretical link between discrete logs and logarithmic derivatives.
Provides insights into the structure of safe prime fields in cryptography.
Suggests new avenues for cryptanalysis based on this connection.
Abstract
In this brief note we connect the discrete logarithm problem over prime fields in the safe prime case to the logarithmic derivative.
The discrete logarithm problem over prime fields: the safe prime case. The Smart attack, non-canonical lifts and logarithmic derivatives
H. Gopalakrishna Gadiyar and R. Padma
Department of Mathematics
School of Advanced Sciences
V.I.T. University, Vellore 632014 INDIA
E-mail: [email protected], [email protected]
Key words: Discrete logarithm, Hensel lift, Group extension
MSC2010: 11A07, 11T71, 11Y16, 14G50, 68Q25, 94A60
1 Introduction and the Main Idea
Let be a primitive root of a prime number . We know that for every there exists a unique integer modulo satisfying
[TABLE]
is called the discrete logarithm or index of to the base modulo . In [4] the authors obtained the Teichmüller expansion of the discrete logarithm problem (1) by Hensel lifting. It is obtained by raising both sides to the power :
[TABLE]
which can be written as
[TABLE]
The Iwasawa logarithm of a -adic number is defined as . Since this vanishes for a Teichmüller character, the solution could not be recovered in this way, but a formula
[TABLE]
was obtained where is the carry
[TABLE]
Kontsevich [7] and Riesel [10] point out that the difficulty arises because the problem is stated modulo and the solution is needed modulo . Hence we go to the discrete logarithm problem modulo the composite modulus . In this connection, see Bach [1].
In this paper we consider primes of the form , where is a prime number. is called a safe prime, since the discrete logarithm problem is believed to be computationally difficult in this case when is ‘large’.
From (1) we can go to the discrete logarithm problem
[TABLE]
(See Lemma 1.) From the assumptions made in Lemma 1, generates a subgroup of order modulo . Hensel lifting the problem modulo we get
[TABLE]
The order of the group generated by remains as modulo . Also
[TABLE]
(See Lemma 2.) Expanding (7) using the binomial theorem, we get
[TABLE]
Writing
[TABLE]
will give
[TABLE]
Here is the carry of modulo and note that and are the two unknowns in the above linear congruence.
The summary of what we have done so far is that there are three problems when we try to solve the discrete logarithm problem modulo :
1. The problem is given modulo and the solution is needed modulo .
2. The Iwasawa logarithm of the Teichmüller expansion modulo is 0.
3. The binomial theorem on the Teichmüller expansion modulo gives a ’carry’.
We overcome the first problem by going modulo . The fact that we cannot get arises from two possibilities being blocked as in the modulo case. The analogue of the Teichmüller expansion does not have a non-zero logarithm (see (8)) and if the binomial theorem is used, a carry occurs as in the case of mod , see (11).
However if we can construct a non-canonical lift modulo then the problems dissolve. Thus solving the discrete logarithm problem is equivalent to the construction of a non-canonical lift.
The non-canonical lifts exist and can be written in the form
[TABLE]
When for some mod , then for some mod . In this case the order of the group is . For the other and modulo the order of the group will be . On expanding (12) using the binomial theorem, one gets
[TABLE]
and using (7)
[TABLE]
in the first case and
[TABLE]
in the second case.
If we use the notation for and for then
[TABLE]
and if we use the notation for and for then
[TABLE]
Thus can be thought of as the logarithmic derivative. The non-canonical extensions (modulo ) of the subgroup generated by mod are labeled by . As , once we get mod , mod would be either or mod .
Note that we can get (16) and (17) by raising (12) to the powers and respectively. In the second case we get
[TABLE]
which on expanding and using the notation in Section 2 will give
[TABLE]
Using the formula for and one gets (17). This way of getting is analogous to the attack on anomalous elliptic curves by Smart [13], Semaev [12], Satoh and Araki [11].
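The following Python script is an added worked example; it is not code from the paper or from [4]. The paper's own construction works modulo the composite modulus with Carmichael's function, whereas the script stays in the simpler modulo case recalled from [4] in the Introduction, using the constructed values (a safe prime), and . The Teichmüller lift is taken as a^p mod p^2, the Fermat quotient as (a^(p-1) - 1)/p mod p, and the logarithmic derivative L(u) as the coefficient in u = ω(u)(1 + pL(u)) mod p^2; these readings and all function names are the example's own. It shows the three obstacles listed above: the canonical lift satisfies the lifted congruence for every exponent and so says nothing about the exponent, lifting the integers themselves leaves an unknown carry, and a non-canonical lift turns the problem into one linear congruence, but only once the matching lift of the right-hand side is known, which is exactly the point made in the text.

```python
# Added example (not from the paper): the mod p^2 version of Hensel lifting the discrete
# logarithm problem, following the three obstacles listed in the Introduction.  The safe prime
# p = 23 (q = 11), the primitive root g = 5 and the exponent x = 9 are constructed values.

def teichmuller(a, p):
    """Canonical lift of a unit a mod p to mod p^2: omega(a) = a^p mod p^2.
    It is the unique lift with omega(a)^(p-1) = 1 mod p^2, so omega is a homomorphism
    and omega(g)^x = omega(h) holds automatically whenever g^x = h mod p."""
    return pow(a, p, p * p)

def fermat_quotient(a, p):
    """q_p(a) = (a^(p-1) - 1)/p mod p: raise to the group order and read off the
    coefficient of p.  This 'raise to the order' step is the analogue of the Smart attack."""
    return ((pow(a, p - 1, p * p) - 1) // p) % p

def log_derivative(u, p):
    """Every unit u mod p^2 factors as omega(u) * (1 + p*L(u)) mod p^2.  Because
    (1 + p)^(p-1) = 1 - p mod p^2, L(u) = -q_p(u) mod p.  L is a homomorphism onto Z/p
    and vanishes exactly on the Teichmüller lifts (the Iwasawa logarithm being 0 there)."""
    return (-fermat_quotient(u, p)) % p

def carry(g, x, h, p):
    """Carry c in g^x = h + c*p (mod p^2) when h is only known mod p.  Expanding the lift
    of g^x by the binomial theorem produces this term; without x it is unknown."""
    if pow(g, x, p) != h % p:
        raise ValueError("h is not g^x mod p")
    return ((pow(g, x, p * p) - h) // p) % p

def recover_x_mod_p(G, H, p):
    """Given lifts G, H mod p^2 that satisfy H = G^x mod p^2, the logarithmic derivative is
    linear in x: L(H) = x*L(G) mod p.  Returns x mod p, or None when G is the canonical
    (Teichmüller) lift, where L(G) = 0 and the congruence says nothing about x."""
    LG, LH = log_derivative(G, p), log_derivative(H, p)
    if LG == 0:
        return None
    return LH * pow(LG, -1, p) % p

if __name__ == "__main__":
    p, g, x = 23, 5, 9
    h = pow(g, x, p)                         # 11: the problem as stated mod p
    # Obstacle 2: the canonical lifts satisfy omega(g)^x = omega(h) for every x,
    # so they carry no information about x.
    assert pow(teichmuller(g, p), x, p * p) == teichmuller(h, p)
    assert recover_x_mod_p(teichmuller(g, p), teichmuller(h, p), p) is None
    # Obstacle 3: lifting the integers g and h themselves leaves an unknown carry.
    print("carry:", carry(g, x, h, p))       # 2
    # A non-canonical lift G = 5 (not omega(5) = 28) has L(G) != 0.  If the matching
    # lift H = G^x mod p^2 of h were known, x mod p would follow from one linear
    # congruence; but computing H already needs x, which is the circularity in the text.
    G, H = g, pow(g, x, p * p)               # H = 57, and 57 = 11 mod 23
    print("x mod p:", recover_x_mod_p(G, H, p))   # 9
```

Only x modulo p is recovered by the linear congruence; in the example x is smaller than p, so it is determined completely.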
We would like to comment that derivatives of numbers have been studied historically for a long time, starting from Kummer [6], [15], A. Weil (expanded by Kawada) [8] and more recently A. Buium [2]. Hence the problem, which has so far stood in isolation and been studied only by cryptologists, gets connected to mainstream algebra and number theory. This was a complete surprise to the authors which is why we have written this brief note to bring it to the attention of experts in these areas.
2 Lemmas
We need some definitions and notations before we prove our lemmas. In [9] Lerch defined the Fermat quotient for a composite modulus. Let be such that . Then , defined by
[TABLE]
is called the Fermat quotient of modulo . We do not use Euler’s -function but Carmichael’s function, which is defined as follows [3]. , and
[TABLE]
When , where is a prime, and . In other words, the order of the group of units modulo is , whereas the order of the largest cyclic subgroup modulo is . Hence we define by the congruence
[TABLE]
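The distinction between Euler's function and Carmichael's function, and Lerch's quotient for a composite modulus, as an added worked example in Python (not code from the paper, from [3] or from [9]). The modulus m = 23·11 = 253, with p = 2q+1 = 23, is a constructed illustration. The defining congruence used for the quotient, a^e ≡ 1 + q·m (mod m^2) with e = λ(m) (Lerch's original takes e = φ(m)), is the example's reading of the definitions above, and all function names are the example's own.

```python
from math import gcd, lcm

# Added example (not from the paper): Euler's phi versus Carmichael's lambda, and the
# Fermat quotient of Lerch for a composite modulus, in the case m = p*q with p = 2q+1.
# The modulus m = 23*11 = 253 is a constructed illustration.

def factorize(n):
    """Prime factorization by trial division; adequate for the small moduli used here."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def euler_phi(n):
    """phi(n): the order of the group of units modulo n."""
    result = n
    for p in factorize(n):
        result = result // p * (p - 1)
    return result

def carmichael_lambda(n):
    """lambda(n): the exponent of the unit group, i.e. the order of its largest cyclic
    subgroup.  lambda(p^k) = phi(p^k) for odd p; lambda(2) = 1, lambda(4) = 2,
    lambda(2^k) = 2^(k-2) for k >= 3; for coprime factors take the lcm."""
    result = 1
    for p, k in factorize(n).items():
        if p == 2 and k >= 3:
            lam = 2 ** (k - 2)
        else:
            lam = (p - 1) * p ** (k - 1)
        result = lcm(result, lam)
    return result

def fermat_quotient(a, m, exponent=None):
    """Lerch's Fermat quotient of a modulo a composite m, gcd(a, m) = 1:
    a^e = 1 + q*m (mod m^2), with q taken mod m.  Lerch used e = phi(m); the
    variant with e = lambda(m) is what exponent=None selects here."""
    if gcd(a, m) != 1:
        raise ValueError("a must be a unit modulo m")
    e = carmichael_lambda(m) if exponent is None else exponent
    return ((pow(a, e, m * m) - 1) // m) % m

def multiplicative_order(a, m):
    """Order of the unit a in (Z/m)^*, by brute force (small m only)."""
    k, x = 1, a % m
    while x != 1:
        x = x * a % m
        k += 1
    return k

def largest_cyclic_order(m):
    """Maximum order among the units mod m; by definition of the exponent it equals
    lambda(m), which for m = pq with p = 2q+1 is half of phi(m)."""
    return max(multiplicative_order(a, m) for a in range(1, m) if gcd(a, m) == 1)

if __name__ == "__main__":
    q = 11
    p = 2 * q + 1            # 23, a safe prime
    m = p * q                # 253
    print(euler_phi(m), carmichael_lambda(m), largest_cyclic_order(m))  # 220 110 110
    print(fermat_quotient(2, m), fermat_quotient(2, m, euler_phi(m)))
```

For m = pq with p = 2q+1 the script confirms φ(m) = 2q(q-1) = 220 while λ(m) = lcm(2q, q-1) = q(q-1) = 110, so the unit group is not cyclic and the Fermat quotient must be defined with respect to λ rather than φ if the exponent is to be the order of the largest cyclic subgroup.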
Lemma 1
Let be a primitive root of and . Let . Then the congruence can be extended to
[TABLE]
if and only if the Legendre symbols
[TABLE]
Proof. if and only if
[TABLE]
This happens if and only if
[TABLE]
This is possible if and only if
[TABLE]
by the Chinese Remainder Theorem. That is
[TABLE]
In other words is a quadratic residue or nonresidue modulo and simultaneously. That is
Lemma 2
If holds then
[TABLE]
where
[TABLE]
Proof. We want and to satisfy (30). Using the carry notation
[TABLE]
we get the equation
[TABLE]
Taking the power on both sides of (31)
[TABLE]
and using (22) we get
[TABLE]
Comparing (32) and (34) gives the desired values of and .
Remark 1. Note that and can be calculated in polynomial time and the order of is modulo .
Remark 2. Note that the Legendre symbols in (24) can be calculated in polynomial time.
Remark 3. We are given mod . If (24) fails for the given , we can check the same for for until the condition is satisfied, or we can multiply by for some and check the condition. In the first case does not change, and in the second case becomes modulo or
Remark 4. We can take mod and consider the new discrete logarithm problem
[TABLE]
or
Remark 5. We can even relax the conditions in Lemma 1 as in our earlier preprint [5] as follows. Let and . Let be a primitive root of and let and satisfy . Then
[TABLE]
In this case the formulae corresponding to (16) and (17) would be
[TABLE]
and
[TABLE]
3 Conclusion
For the composites the Euler function and the Carmichael function are not equal. Also , and hence many non-canonical lifts exist. As is well known, this would involve a suitable choice of polynomial for lifting. Recall that the polynomials are and in the cases of Teichmüller lifting modulo and respectively. This attack can be generalized to the elliptic curve discrete logarithm problem over prime fields, where will be connected to the order of the group. See [14] for various ways of lifting the elliptic curve discrete logarithm problem.
References
[1] E. Bach, Discrete Logarithms and Factoring, University of California at Berkeley, Computer Science Division, Report UCB/CSD/84/186, 1984.
[2] A. Buium, Arithmetic analogues of derivations, J. Algebra 198 (1997), 290-299.
[3] P. J. Cameron and D. A. Preece, Notes on primitive lambda-roots, https://cameroncounts.files.wordpress.com/2014/01/plr 1.pdf
[4] H. Gopalkrishna Gadiyar, K. M. Sangeeta Maini and R. Padma, Cryptography, Connections, Cocycles and Crystals: A p-adic Exploration of the Discrete Logarithm Problem, Progress in Cryptology - Indocrypt 2004, LNCS 3348, 305-314.
[5] H. Gopalakrishna Gadiyar and R. Padma, The Discrete Logarithm Problem over Prime Fields can be transformed to a Linear Multivariable Chinese Remainder Theorem, arXiv:1608.07032 [math.NT].
[6] D. Hilbert, The theory of algebraic number fields, Springer, 1998.
[7] M. Kontsevich, The 1 1/2-logarithm (Appendix to Ph. Elbaz-Vincent and H. Gangl, On Poly(ana)logs I, Compos. Math. 130, 161-210), Compos. Math. 130 (2002), 211-214.
[8] Y. Kawada, On the Derivations in Number Fields, Annals of Mathematics, Second Series, 54 (2) (Sep. 1951), 302-314.
