18.783 Elliptic Curves: Lecture Notes 10

We now consider generic algorithms for the discrete logarithm problem. We shall assume throughout that N = |α| is known. This is a reasonable assumption, since there is a generic algorithm to compute N using o( √ N) group operations [9], which is strictly less than the complexity of any generic algorithm for this problem (we will prove an Ω( √ N) lower bound). The cyclic group 〈α〉 is isomorphic to the additive group Z/NZ. In the context of generic group algorithms, we may as well assume 〈α〉 is Z/NZ, generated by α = 1, since every cyclic group of order N looks the same when it is hidden in a black box. Of course with the black box picking arbitrary group identifiers in {0, 1}m, we cannot actually tell which integer x in Z/NZ corresponds to a particular group element β; indeed, x is precisely the discrete logarithm of β that we wish to compute! Thus computing discrete logarithms amounts to explicitly computing the isomorphism from 〈α〉 to Z/NZ that sends α to 1. Computing the isomorphism in the reverse direction is easy: this is just exponentiation. Thus we have (in multiplicative notation):