Discrete logarithms in finite fields and their cryptographic significance
 A. M. Odlyzko
Abstract
Given a primitive element g of a finite field GF(q), the discrete logarithm of a nonzero element u ∈ GF(q) is that integer k, 1 ≤ k ≤ q−1, for which u = g^{k}. The well-known problem of computing discrete logarithms in finite fields has acquired additional importance in recent years due to its applicability in cryptography. Several cryptographic systems would become insecure if an efficient discrete logarithm algorithm were discovered. This paper surveys and analyzes known algorithms in this area, with special attention devoted to algorithms for the fields GF(2^{n}). It appears that in order to be safe from attacks using these algorithms, the value of n for which GF(2^{n}) is used in a cryptosystem has to be very large and carefully chosen. Due in large part to recent discoveries, discrete logarithms in fields GF(2^{n}) are much easier to compute than in fields GF(p) with p prime. Hence the fields GF(2^{n}) ought to be avoided in all cryptographic applications. On the other hand, the fields GF(p) with p prime appear to offer relatively high levels of security.
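As an added example (not code from the paper), the definition in the abstract carried out in a small field GF(2^{n}): elements are bit-polynomials reduced modulo an irreducible polynomial, g is checked to be primitive (order exactly q−1), and k is found by a generic baby-step giant-step search rather than by the index-calculus methods the paper analyzes. The modulus polynomials (x^8+x^4+x^3+x+1, i.e. 0x11B, and x^4+x+1, i.e. 0x13) and the generators used in the tests are assumptions of this example.

```python
from math import isqrt

def gf2n_mul(a, b, n, poly):  # a*b in GF(2^n), reduced modulo `poly` of degree n
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:            # degree reached n: subtract (xor) the modulus
            a ^= poly
    return r

def gf2n_pow(g, e, n, poly):  # square-and-multiply: g^e in GF(2^n)
    r = 1
    while e:
        if e & 1:
            r = gf2n_mul(r, g, n, poly)
        g = gf2n_mul(g, g, n, poly)
        e >>= 1
    return r

def is_primitive(g, n, poly):
    """g is primitive iff g^((q-1)/r) != 1 for every prime r dividing q-1 = 2^n - 1."""
    q1 = (1 << n) - 1
    m, primes, d = q1, [], 2          # trial-division factoring of q-1 (small n only)
    while d * d <= m:
        if m % d == 0:
            primes.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        primes.append(m)
    return all(gf2n_pow(g, q1 // r, n, poly) != 1 for r in primes)

def dlog(u, g, n, poly):
    """Baby-step giant-step (generic O(sqrt q) search): k in [1, q-1] with g^k = u."""
    q1 = (1 << n) - 1
    m = isqrt(q1) + 1
    baby, x, y = {}, 1, u
    for j in range(m):                # baby steps: table of g^j for 0 <= j < m
        baby.setdefault(x, j)
        x = gf2n_mul(x, g, n, poly)
    step = gf2n_pow(g, q1 - m % q1, n, poly)   # g^(-m), valid because g^(q-1) = 1
    for i in range(m):                # giant steps: y = u * g^(-im); a hit means u = g^(im+j)
        if y in baby:
            k = (i * m + baby[y]) % q1
            return k if k else q1     # the abstract's range puts log(1) at k = q-1
        y = gf2n_mul(y, step, n, poly)
    # falls through (None) only if g is not primitive or u is outside the field
```

For the constructed parameters, 0x03 is a primitive element of GF(2^8) modulo 0x11B while 0x02 is not (its order is 51), which is exactly the primitivity condition the abstract's definition requires of g.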
Title: Discrete logarithms in finite fields and their cryptographic significance
Book Title: Advances in Cryptology
Book Subtitle: Proceedings of EUROCRYPT 84, A Workshop on the Theory and Application of Cryptographic Techniques, Paris, France, April 9–11, 1984
Book Part: Section III
Pages: pp. 224–314
Copyright: 1985
DOI: 10.1007/3-540-39757-4_20
Print ISBN: 978-3-540-16076-2
Online ISBN: 978-3-540-39757-1
Series Title: Lecture Notes in Computer Science
Series Volume: 209
Series ISSN: 0302-9743
Publisher: Springer Berlin Heidelberg
Copyright Holder: Springer-Verlag Berlin Heidelberg
Editors: Thomas Beth (1), Norbert Cot (2), Ingemar Ingemarsson (3)
Editor Affiliations:
1. Department of Statistics and Computer Science, Royal Holloway College, University of London, Egham
2. U.E.R. Mathématiques, Logique Formelle, Informatique, Université Paris 5 Sorbonne
3. Department of Electrical Engineering, Linköping University
Author: A. M. Odlyzko (4)
Author Affiliation:
4. AT&T Bell Laboratories, Murray Hill, New Jersey 07974