A logarithm is the inverse of an exponential, and so we can generalize the idea of a logarithm wherever we can generalize the idea of an exponential. In particular, we can raise elements to exponents in a discrete group, and that leads to the definition of a **discrete logarithm**.

Diffie-Hellman public key cryptography is based on the assumption that discrete logarithms are hard to compute. There are algorithms to compute discrete logarithms that are much faster than brute force. For example, baby-step giant-step is a fairly simple algorithm. There are more efficient algorithms as well, but the best known algorithms are still much slower than raising numbers to powers. Whenever you find something that is much harder to undo than to do, it might be useful in cryptography, and that is the case with discrete logs.

Diffie-Hellman encryption requires users to compute exponentials and presumably requires attackers to compute discrete logs. I say “presumably” because it’s a fatal error in cryptography to assume an attacker has to solve the problem you think he’d have to solve. For example, you can create a simple encryption scheme by permuting the alphabet and encrypting each letter to its counterpart in the permutation. Someone might naively think “No one can break this because they’d have to try 26! permutations of the alphabet, over 400 million million million million possibilities!” Except that’s not how anyone approaches a substitution cipher. If it were, you wouldn’t see cryptograms in puzzle books.

As far as we know, discrete logarithms are hard to compute when working over integers mod *p* where *p* is a large prime, except for primes that have certain properties. We’ll look at what those properties are below and how to avoid them.

For a prime *p*, the integers mod *p* form a finite field. They are a group under addition, and the non-zero elements form a group under multiplication. It’s the multiplicative group we care about here. This group has order *p* − 1, i.e. it has *p − *1 elements.

A group of prime order has no proper subgroups. But a group of composite order does. And our multiplicative group has order *p − *1, which is composite. (Except for *p* = 3, and cryptography depends on primes far, far bigger than 3.)

Sylow’s theorems tell us something about what kinds of subgroups a group must have. If *s* is prime and *s*^{k} is a factor of the order of our group, then the group has a subgroup of order *s*^{k}. We don’t want our multiplicative group to have any small-order subgroups because these would make it easier to compute discrete logarithms.

A **safe prime** *p* has the form 2*q* + 1 where *q* is also prime [1]. Diffie-Hellman chooses safe primes for moduli because this means the multiplicative group of order *p* − 1 = 2*q* has no small subgroups. (It has two small subgroups, {1} and {1, -1}, but these can easily be avoided. The algorithm requires picking a generator *g*, and as long as you don’t pick *g* to be 1 or −1 mod *p*, then *g* generates a group of order *q*, and if *p* is gigantic, so is *q*.) Because *q* is prime, the subgroup of order *q* does not have any further subgroups.

**Related post**: Probability that a number is prime

[1] If *q* and *p* = 2*q* + 1 are both prime, *q* is called a **Sophie Germain prime** and *p* is a **safe prime**.

Casual, elegant, and brief. Thank you!

Very useful blog!

(Picking nits….as long as you don’t pick g to be 1 or -1 mod p, then g either generates a group of order q or 2q)?

(apparently q is sometimes preferred in practice in order to avoid a Legendre symbol exploit)