
Discrete Logarithms: The Past and the Future

Designs, Codes and Cryptography

Abstract

The first practical public key cryptosystem to be published, the Diffie–Hellman key exchange algorithm, was based on the assumption that discrete logarithms are hard to compute. This intractability hypothesis is also the foundation for the presumed security of a variety of other public key schemes. While there have been substantial advances in discrete log algorithms in the last two decades, in general the discrete log still appears to be hard, especially for some groups, such as those from elliptic curves. Unfortunately no proofs of hardness are available in this area, so it is necessary to rely on experience and intuition in judging what parameters to use for cryptosystems. This paper presents a brief survey of the current state of the art in discrete logs.



Cite this article

Odlyzko, A. Discrete Logarithms: The Past and the Future. Designs, Codes and Cryptography 19, 129–145 (2000). https://doi.org/10.1023/A:1008350005447
