Discrete Logarithms: Carl Pomerance

The document discusses discrete logarithms and algorithms for computing them. It begins by defining the discrete logarithm problem for a group G and elements g and t. It then discusses how discrete logarithms can be easy to compute in some groups like Z/mZ, but are harder in other groups like (Z/pZ)* where p is prime. The document summarizes several algorithms for computing discrete logarithms, including index calculus, baby steps giant steps, and Pollard's rho algorithm. It discusses how the structure of certain groups like (Z/pZ)* can be exploited to make the discrete logarithm problem easier to solve.

Uploaded by

Kalyan Das
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
37 views

Discrete Logarithms: Carl Pomerance

The document discusses discrete logarithms and algorithms for computing them. It begins by defining the discrete logarithm problem for a group G and elements g and t. It then discusses how discrete logarithms can be easy to compute in some groups like Z/mZ, but are harder in other groups like (Z/pZ)* where p is prime. The document summarizes several algorithms for computing discrete logarithms, including index calculus, baby steps giant steps, and Pollard's rho algorithm. It discusses how the structure of certain groups like (Z/pZ)* can be exploited to make the discrete logarithm problem easier to solve.

Uploaded by

Kalyan Das
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 30

Discrete Logarithms

Carl Pomerance, Dartmouth College


Suppose that G is a group and g ∈ G has finite order m. Then
for each t ∈ ⟨g⟩ the integers n with g^n = t form a residue class
mod m. Denote it by

log_g t.

The discrete logarithm problem is the computational task of
finding a representative of this residue class; that is, finding an
integer n with g^n = t.
Finding a discrete logarithm can be very easy. For example, say
G = Z/mZ and g = 1. More specifically, say m = 100 and
t = 17. Then log_g t = 17 (or more precisely 17 mod 100).

Let’s make it harder: take g as some other generator of Z/mZ.

But then computing log_g t is really solving the congruence

ng ≡ t mod m

for n, which we’ve known how to do easily essentially since
Euclid.
The cyclic group of order m:

What does this title mean, especially the key word “The”?

Take G1 = Z/100Z and G2 = (Z/101Z)^×. Both are cyclic
groups of order 100. Both are generated by 3. And 17 is in
both groups.

So, there are two versions of computing log_3 17, one in G1 and
one in G2.

In G1, we are solving 3n ≡ 17 mod 100. The inverse of 3 is 67,
so n ≡ 17 · 67 ≡ 39 mod 100.

In G2, we are solving 3^n ≡ 17 mod 101. And this seems much
harder.
The moral: when someone talks about the cyclic group of a
given order, they are not concerned with computational issues.

Well, how can we solve 3^n ≡ 17 mod 101?

Clearly, one way is trial and error, where we compute each
power of 3 mod 101 till we find our target 17. The complexity
of doing this in a cyclic group of order m is O(m) (and this
upper bound stands as a lower bound as well for most target
elements t).

Note that the group order is 100, which is 2^2 · 5^2. Can we
reduce it to smaller problems?

In solving 3^n ≡ 17 mod 101, we might ask the gentler question:
is n even?

That is, is 17 a square? That is, what is $\left(\frac{17}{101}\right)$?

By the reciprocity law (for Jacobi symbols),

$$\left(\frac{17}{101}\right) = \left(\frac{101}{17}\right) = \left(\frac{2}{17}\right) = 1,$$

so yes, log_3 17 is even.

Even without Jacobi symbols, we could have answered this by
computing 17^50 mod 101. It is 1 if and only if 17 is a square if
and only if log_3 17 is even. (Recall: powering is easy via
repeated squaring.)
Can we also easily see whether log_3 17 is 0 or 2 mod 4? Yes,
compute 17^25 mod 101. If it is 1, then log_3 17 is 0 mod 4 and
if it is −1, then 2 mod 4.

If it’s supposed to be easy, let’s try it: In binary, 25 is 11001. So
we consider the sequence 1, 11, 110, 1100, 11001 as follows:

17^1 ≡ 17, 17^2 ≡ 87 ≡ −14, 17^3 ≡ −36
17^6 ≡ −17, 17^12 ≡ −14, 17^24 ≡ −6
17^25 ≡ −1

Thus, log_3 17 is 2 mod 4.

And what about mod 5 and mod 25?
From the prior calculations, if we were observant, we noticed
that 17^5 ≡ −1 mod 101. Thus, 17^20 ≡ 1 mod 101, so that
log_3 17 is 0 mod 5.

So, log_3 17 is one of 5 possibilities: 10, 30, 50, 70, 90. Now
3^5 ≡ 41 mod 101, so 3^10 ≡ −36 mod 101.

Thus, 10 is out. We have 3^20 ≡ −17 mod 101, so we see that
the answer is 70, since 3^50 ≡ −1 mod 101 (true for any cyclic
generator in an even order group).
There are two thoughts/questions suggested by these
calculations:

• Are there strategies of reducing a bigger discrete log
problem to a smaller one?

• Are there special strategies for the family of groups
(Z/pZ)^×, where p is prime?
If g has order m, t ∈ ⟨g⟩, and d | m, then write

$$\log_g t = n = n_1 d + n_2, \quad 0 \le n_2 < d.$$

If we can find n_1, n_2, we can find n. Note that

$$t = g^n = g^{n_1 d + n_2},$$

so that

$$t^{m/d} = g^{n_1 m + n_2 m/d} = g^{n_2 m/d} = (g^{m/d})^{n_2}.$$

Thus, n_2 is the solution of a dl problem in the group ⟨g^(m/d)⟩ of
order d. And if we solve it, then

$$(g^d)^{n_1} = t g^{-n_2},$$

so n_1 is a solution of a dl problem in the group ⟨g^d⟩ of order
m/d.
This kind of reduction is attributed to Pohlig and Hellman and
because of it, cryptographers prefer groups of large prime
order, or of an order divisible by a large prime.

Cryptographers?
The Diffie–Hellman key-exchange protocol:

Say we have a cyclic group generated by g, which everyone
knows. Alice has a secret integer a and “publishes” g^a.
Similarly, Bob has a secret integer b and publishes g^b.

Alice and Bob want to set up a secure session with a secret key
that only they know, yet they want to set this up over a public
line. Here’s how they do it: Alice takes Bob’s group element g^b
and raises it to her secret exponent a, getting (g^b)^a = g^(ab). Bob
arrives at the same group element via a different method,
namely (g^a)^b = g^(ab).

Eve (an eavesdropper) knows something’s afoot and knows g^a
and g^b, but apparently cannot easily compute g^(ab) without
finding either a or b, that is without solving the dl problem.
The second question: Can we exploit any special structure in
(Z/pZ)^× to compute dl’s there? Yes, we can.

Use the following facts about this group: It is a homomorphic
image of the semigroup Z under multiplication. A factorization of an
element of Z coprime to p then maps to a “relation” among
group elements.

For example, in (Z/101Z)^×, we have

5^3 ≡ 125 ≡ 24 ≡ 2^3 · 3 mod 101,   2^7 ≡ 128 ≡ 27 ≡ 3^3 mod 101.

Thus,

3 log_3 5 ≡ 3 log_3 2 + 1 mod 100,   7 log_3 2 ≡ 3 mod 100,

from which it may be deduced that

log_3 2 ≡ 43 · 3 ≡ 29 mod 100,   log_3 5 ≡ 96 mod 100.
For example, just using log_3 2 ≡ 29 mod 100 and using
17 · 6 ≡ 1 mod 101, we have

log_3 17 + log_3 2 + 1 ≡ 0 mod 100,

so

log_3 17 ≡ 70 mod 100.
This kind of thing can be formalized into the “index calculus”
algorithm:

• Choose random numbers r, each time compute g^r mod p,
and save any that happen to factor into small primes.

• After enough of these have been saved, we can use linear
algebra over the ring Z/(p − 1)Z to solve for the dl’s of the
small primes.

• Assuming this is accomplished, again choose random
numbers r until one is found where g^r · t factors into small
primes.
If

$$g^r t \equiv p_1^{a_1} \cdots p_k^{a_k} \pmod p,$$

then using the pre-computed numbers log_g p_i, we get

$$\log_g t \equiv -r + a_1 \log_g p_1 + \cdots + a_k \log_g p_k \pmod{p-1}.$$

This kind of idea can be copied for any group which is a
homomorphic image of a multiplicative structure where we
have factorization into “small” elements. (The set of small
elements used is called the “factor base”.)
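The three stages of the index calculus algorithm and the formula above, as an added example that is not from the slides, run on the slides’ own instance p = 101, g = 3, t = 17 with the factor base {2, 3, 5, 7}. The function names are mine; the linear algebra is plain Gaussian elimination over Z/(p − 1)Z that only accepts pivots coprime to p − 1, since that modulus is composite.

```python
import math

def factor_over(n, base):
    """Exponent vector of n over the factor base, or None if n is not base-smooth."""
    exps = []
    for q in base:
        e = 0
        while n % q == 0:
            n //= q
            e += 1
        exps.append(e)
    return exps if n == 1 else None

def solve_mod(rows, N, k):
    """Gaussian elimination over Z/NZ on augmented rows [a_1, ..., a_k, r]. The modulus
    N = p - 1 is composite, so only unit pivots (gcd = 1) are used; None if stuck."""
    rows = [row[:] for row in rows]
    for col in range(k):
        piv = next((i for i in range(col, len(rows)) if math.gcd(rows[i][col], N) == 1), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, N)
        rows[col] = [x * inv % N for x in rows[col]]
        for i in range(len(rows)):
            if i != col and rows[i][col]:
                f = rows[i][col]
                rows[i] = [(x - f * y) % N for x, y in zip(rows[i], rows[col])]
    return [rows[i][k] for i in range(k)]          # row i now reads log_g(base[i]) = rows[i][k]

def index_calculus(p, g, t, base=(2, 3, 5, 7)):
    """log_g t mod (p - 1); r runs 1, 2, 3, ... instead of random choices, for reproducibility."""
    N, k = p - 1, len(base)
    rows, logs, r = [], None, 0
    while logs is None:                  # stages 1-2: relations g^r = prod p_i^a_i, then solve
        r += 1
        e = factor_over(pow(g, r, p), base)
        if e is not None:
            rows.append(e + [r])         # a_1 log p_1 + ... + a_k log p_k = r (mod N)
            logs = solve_mod(rows, N, k)
    for q, lq in zip(base, logs):        # check the factor-base logs before relying on them
        if pow(g, lq, p) != q:
            raise ValueError("inconsistent relations for prime %d" % q)
    r = 0
    while True:                          # stage 3: find r with g^r * t smooth, then apply slide 14
        r += 1
        e = factor_over(pow(g, r, p) * t % p, base)
        if e is not None:
            return (-r + sum(a * lq for a, lq in zip(e, logs))) % N
```

On this instance the relation stage recovers log_3 2 = 29 and log_3 5 = 96 as on slide 11, and the final stage finds 3^4 · 17 ≡ 64 = 2^6, giving log_3 17 ≡ −4 + 6 · 29 ≡ 70 mod 100.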
So, for example, the index calculus method can be used in
many cases for finding dl’s in F_q^×. E.g., say q = p^a, with p prime
and a large. We can view F_q as F_p[x]/(f(x)) where f is
irreducible of degree a. And F_p[x] is a Euclidean domain.

If a is small, we can view F_q as O_K/(p) where K is an algebraic
number field of degree a over Q in which p is inert. Even
though O_K may not be a Euclidean domain, and perhaps not
even a PID, we do have unique factorization of ideals and we
do have a sense of size afforded by the norm. Problems remain,
but in many cases the index calculus method is useful.

And there are very important improved versions that employ
ideas from the number field sieve for factoring integers.
Thus, cryptographers tend to shy away from the groups F_q^×.

What generic algorithms might exist other than listing all of
the powers of g?

Well, there’s “baby steps, giant steps” (known in the CS world
as “meet in the middle”):

• Have g of order m and t ∈ ⟨g⟩. Find k = ⌈√m⌉ and g^(−1).

• Compute the baby steps t·g^0, t·g^(−1), . . . , t·g^(−(k−1)) and the giant
steps g^0, g^k, . . . , g^((k−1)k).

• Sort both lists and find a coincidence between them, say
t·g^(−i) = g^(jk). Then t = g^(i+jk) and log_g t = i + jk.
Why must there be a coincidence between the two lists?

Well, since t ∈ ⟨g⟩, there is some n ∈ [0, m − 1] with g^n = t.
Write n in base k, so that since k^2 > m − 1, we have n = i + jk
for some integers i, j ∈ [0, k − 1]. And thus, t·g^(−i) = g^(jk).

The algorithm presupposes labels for group elements that
allow them to be sorted. Sorting can be done in time not
much larger than the size of the set to be sorted, and after
this, finding the match between the two parts takes only
O(k) = O(√m) comparisons.

In all, baby steps, giant steps takes O(√m log m) group
operations. It is essentially a universal algorithm, so
cryptographers can’t avoid it.
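Baby steps, giant steps as just described, together with the Pohlig–Hellman reduction of slide 8 applied recursively on top of it, as an added example that is not from the slides. The names bsgs, smallest_prime_factor and pohlig_hellman are mine; the code assumes the group is (Z/pZ)^×, that m is the exact order of g, and that t ∈ ⟨g⟩.

```python
import math

def bsgs(g, t, m, p):
    """Baby steps, giant steps (slide 16) in (Z/pZ)^x: g has order m; returns
    n in [0, m) with g^n = t mod p, or None if t is not a power of g."""
    k = math.isqrt(m - 1) + 1                 # k = ceil(sqrt(m)), so k^2 > m - 1
    g_inv = pow(g, -1, p)
    baby, x = {}, t % p
    for i in range(k):                        # baby steps t*g^(-i), keyed by value
        baby.setdefault(x, i)
        x = x * g_inv % p
    giant, y = pow(g, k, p), 1
    for j in range(k):                        # giant steps g^(jk)
        if y in baby:                         # coincidence t*g^(-i) = g^(jk)
            return (baby[y] + j * k) % m
        y = y * giant % p
    return None

def smallest_prime_factor(m):
    f = 2
    while f * f <= m:
        if m % f == 0:
            return f
        f += 1
    return m

def pohlig_hellman(g, t, m, p):
    """Slide 8's reduction applied recursively: with d | m write n = n1*d + n2, solve
    for n2 in the subgroup of order d and for n1 in the subgroup of order m/d."""
    if m == 1:
        return 0
    d = smallest_prime_factor(m)
    if d == m:                                # prime order: nothing left to split off
        return bsgs(g, t, m, p)
    # t^(m/d) = (g^(m/d))^n2, and g^(m/d) has order d
    n2 = bsgs(pow(g, m // d, p), pow(t, m // d, p), d, p)
    # t * g^(-n2) = (g^d)^n1, and g^d has order m/d
    n1 = pohlig_hellman(pow(g, d, p), t * pow(g, -n2, p) % p, m // d, p)
    return n1 * d + n2

if __name__ == "__main__":
    # the slides' instance: 3 generates (Z/101Z)^x, of order 100 = 2^2 * 5^2
    print(bsgs(3, 17, 100, 101), pohlig_hellman(3, 17, 100, 101))   # 70 70
```

With d always the smallest prime factor, the recursion on the slides’ instance solves subproblems of orders 2, 2, 5 and 5 only, which is exactly why an order with only small prime factors gives Eve an easy time.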
A downside of baby steps, giant steps is that it is not so easy
to distribute the work to many computers. Another algorithm
due to Pollard can be distributed and is what’s used in practice
to benchmark cryptosystems. It’s interesting that Pollard’s
method is heuristic while baby steps, giant steps is rigorous.
Of course, if an answer is found, it is easily checked, so the
heuristic part deals with whether the algorithm will terminate
within the supposed time bound (which is also about √m).
So, can we find a family of convenient groups for which the
only dl algorithms take exponential time?

It’s hard to prove that it is so, but many people feel that
elliptic curve groups over finite fields fit this bill.

What are they? If F is a field (of characteristic not 2 nor 3)
and a, b are elements with 4a^3 − 27b^2 ≠ 0, then the solutions to
the equation y^2 z = x^3 + axz^2 + bz^3 in F^3 (viewed projectively)
can be endowed with a natural commutative group operation.
The identity is the projective point (0 : 1 : 0) and all other
points have z ≠ 0, so may be viewed as solutions to
y^2 = x^3 + ax + b in F^2.

The group operation will be illustrated on the board . . . .
The group is denoted E(F) = E_{a,b}(F). We can do it as well in
characteristics 2 and 3, but the formulas work out a little
differently.

What can we say about the order of the group E(F)? If F = Q,
then it is possible for the group to be finite (but then always of
order at most 12) and also possible for it to be infinite. If
F = C, then there is a natural way to make the group
isomorphic to C/Λ where Λ is the Z-module generated by a
basis of C over R.

But what about the situation with E(F_q)? Here we have the
theorem of Hasse–Weil: #E(F_q) is within 2√q of q + 1,
that is, #E(F_q) ∈ [(√q − 1)^2, (√q + 1)^2].

Further, by a theorem of Deuring, each number in the interval
is the order of some elliptic curve over F_q.
Thus, “cryptographically interesting” elliptic curves over F_q are
those with #E(F_q) a prime number in the interval
[(√q − 1)^2, (√q + 1)^2], or with the order nearly prime, say twice
a prime.

An aside: We believe that for each prime power q there are
about 4√q / log q primes in the above interval, but we don’t
have a proof that there is even one prime. For cryptography, it
doesn’t matter, since if you find one you find one, and it does
not matter that analytic number theorists are not smart
enough to prove that it must have existed.

Just like F_q, elliptic curves have lots of structure. Can any of
this be exploited to help with the dl problem?
The Weil pairing “attack” (also known as MOV):

A. Menezes, T. Okamoto, and S. Vanstone, Reducing elliptic
curve logarithms to logarithms in a finite field, IEEE Trans.
Inform. Theory 39 (1993), 1639–1646.

Weil proved that for each natural number n there is a map e_n
from E[n] × E[n] (ordered pairs of n-torsion points on E(F_q)) to
F_q that has various nice properties (alternating, bilinear, etc.).
In addition, Miller made it algorithmic, so it can be computed
at a given pair of points in the domain quickly. This is all quite
interesting in connection with the dl problem since if
E[n] ⊂ E(F_{q^k}) for some k, then the range of e_n is in F_{q^k}, and via
e_n one can reduce a dl problem in a cyclic subgroup of E(F_q) of
order n to a dl problem in F_{q^k}^×. So, if k is small, we’re in
business.
It is shown that the only cases with k ≤ 6 occur for a few
families of curves, with

#E(F_q) = q + 1 − t,

and t, which is always at most 2√q in absolute value, satisfies
t^2 = jq for j = 0, 1, 2, 3, 4. In the cases where t ≠ 0, the group
is far from cyclic, it is of the form C_k × C_k. So, these would not
have been used for cryptography in any event. In the cases
when t = 0, the group is either C_{q+1} or C_{(q+1)/2} × C_2. So,
these so-called supersingular cases are off the table for
cryptographic purposes.

In addition, any curve where the multiplicative order of q
modulo q + 1 − t is small is also vulnerable.
There are more complicated attacks based on “Tate pairing”
and on “Tate–Lichtenbaum” pairing.

G. Frey and H.-G. Rück, A remark concerning m-divisibility and
the discrete logarithm in the divisor class group of curves,
Math. Comp. 62 (1994), 865–874.

G. Frey, M. Müller, and H.-G. Rück, The Tate pairing and
discrete logarithm applied to elliptic curve cryptosystems,
IEEE Trans. Inform. Theory 45 (1999), 1717–1719.

G. Frey, Applications of arithmetical geometry to cryptographic
constructions, Finite fields and applications (Augsburg, 1999),
128–161, Springer, Berlin, 2001.
Weil descent:

This idea is based on two concepts:

Weil showed that there is an explicit homomorphism from
E(F_q) to the Jacobian variety of a certain hyperelliptic curve of
genus g.

Adleman, DeMarrais, and Huang showed that there is an
index-calculus attack on the dl problem for Jacobian varieties of
hyperelliptic curves of genus greater than 1.

Putting this together, Gaudry, Hess, and Smart showed that
certain elliptic curves (with characteristic 2) are vulnerable.
P. Gaudry, F. Hess, and N. Smart, Constructive and destructive
facets of Weil descent on elliptic curves, J. Cryptology 15
(2002), 19–46.

F. Hess, Generalising the GHS attack on the elliptic curve
discrete logarithm problem, LMS J. Comput. Math. 7 (2004),
167–192.

So, are elliptic curve cryptosystems sunk?

For the Weil descent attacks to be successful, the genus of the
curve found should not be too large. If F_q is a finite field of
characteristic 2 and we have an elliptic curve E(F_{q^n}), then the
Weil descent involves a curve over F_q of genus g where g
depends on the given elliptic curve. For the attack to be useful,
one needs at least g ≥ n, but g not too large, say
O(n^2 log q / log(n log q)).
In a new paper still being written
(K. Karabina, A. Menezes, C. Pomerance, and I. E. Shparlinski,
On the asymptotic effectiveness of Weil descent attacks)
we study the question statistically and ask what happens for a
typical elliptic curve. We show that in fact the genus g grows
exponentially with n and also obtain somewhat larger
exponential upper bounds. Something like

2^((1/2+o(1))n) ≤ g ≤ 2^((2/3+o(1))n) almost always.

Whew! We saved the system.

By the way, one of the ingredients in the argument is to study
the factorization of x^n − 1 in F_2[x].