Abstract
The first practical public key cryptosystem to be published, the Diffie–Hellman key exchange algorithm, was based on the assumption that discrete logarithms are hard to compute. This intractability hypothesis is also the foundation for the presumed security of a variety of other public key schemes. While there have been substantial advances in discrete log algorithms in the last two decades, in general the discrete log still appears to be hard, especially for some groups, such as those from elliptic curves. Unfortunately no proofs of hardness are available in this area, so it is necessary to rely on experience and intuition in judging what parameters to use for cryptosystems. This paper presents a brief survey of the current state of the art in discrete logs.
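To make the abstract's point concrete, here is an added Python example (not code from the paper): a Diffie-Hellman exchange in a toy subgroup of Z_p*, followed by baby-step giant-step, a generic discrete-log algorithm that recovers the shared secret from the public values in about 2*sqrt(q) group operations. The parameters P, G, Q and the helper names are constructed for this illustration; the group is deliberately far too small, which is exactly why the recovery is instant.

```python
# Added example, not code from the paper: Diffie-Hellman over a toy subgroup of Z_p*,
# then baby-step giant-step (BSGS), a generic discrete-log algorithm costing about
# 2*sqrt(q) group operations, used to recover the shared secret from public values.
# With a 31-bit group this takes well under a second; at a 256-bit subgroup order
# the same method needs ~2^128 operations, which is why real parameters are that large.
from math import isqrt
import secrets

# Constructed toy parameters: p = 2^31 - 1 is prime and 7 generates all of Z_p*,
# so the subgroup order q is p - 1. Far too small for real use.
P = 2147483647
G = 7
Q = P - 1


def dh_exchange(p, g, q):
    """Run one Diffie-Hellman exchange; return the public values and the shared secret."""
    a = secrets.randbelow(q - 1) + 1  # Alice's private exponent in [1, q-1]
    b = secrets.randbelow(q - 1) + 1  # Bob's private exponent
    A, B = pow(g, a, p), pow(g, b, p)  # values sent over the wire
    assert pow(B, a, p) == pow(A, b, p)
    return A, B, pow(B, a, p)


def bsgs(g, h, p, q):
    """Return x in [0, q) with g^x == h (mod p), or None if h is not in <g>."""
    m = isqrt(q) + 1
    baby = {}
    cur = 1
    for j in range(m):  # baby steps: store g^j -> j
        baby.setdefault(cur, j)
        cur = cur * g % p
    step = pow(g, -m, p)  # g^(-m); Python 3.8+ computes the modular inverse
    gamma = h
    for i in range(m):  # giant steps: test h * g^(-i*m) against the table
        if gamma in baby:
            return (i * m + baby[gamma]) % q
        gamma = gamma * step % p
    return None


def recover_shared_secret(p, g, q, A, B):
    """Eavesdropper's view: solve g^a = A for a, then compute B^a = g^(ab)."""
    a = bsgs(g, A, p, q)
    return None if a is None else pow(B, a, p)


def demo(p, g, q):
    """Run an exchange and report whether the eavesdropper recovered the secret."""
    A, B, secret = dh_exchange(p, g, q)
    return recover_shared_secret(p, g, q, A, B) == secret


if __name__ == "__main__":
    print("shared secret recovered:", demo(P, G, Q))
```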
Odlyzko, A. Discrete Logarithms: The Past and the Future. Designs, Codes and Cryptography 19, 129–145 (2000). https://doi.org/10.1023/A:1008350005447