Lower Bounds for Discrete Logarithms and Related Problems

  • Victor Shoup
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1233)


This paper considers the computational complexity of the discrete logarithm and related problems in the context of “generic algorithms”—that is, algorithms which do not exploit any special properties of the encodings of group elements, other than the property that each group element is encoded as a unique binary string. Lower bounds on the complexity of these problems are proved that match the known upper bounds: any generic algorithm must perform Ω(p^{1/2}) group operations, where p is the largest prime dividing the order of the group. Also, a new method for correcting a faulty Diffie-Hellman oracle is presented.
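The matching upper bound behind the abstract's Ω(p^{1/2}) claim is Pohlig-Hellman reduction followed by a baby-step/giant-step search in each prime-order subgroup, which costs about 2·sqrt(p) group operations for the largest prime p dividing the group order. The following is an added example written for this page, not code from Shoup's paper: it simulates a generic group (Z_q^* for a prime q near 2·10^5 found by search, with elements exposed only as opaque SHA-256 encodings), counts every group operation, and solves the discrete logarithm in a group whose order has a large prime factor and in one whose order is 3-smooth, reporting how many operations each prime-order search needed. The moduli, the hash-based encoding and the sample exponent are all constructed for the demonstration.

```python
# Added example, not code from Shoup's paper: a generic-group simulation of the
# sqrt(p) discrete-log algorithm that the paper's lower bound matches. The group
# is Z_q^* for a prime q near 2*10^5 (chosen by search below), hidden behind
# opaque SHA-256 encodings so the solver can only multiply, invert and compare
# strings; every group operation is counted.
import hashlib
from math import isqrt


def is_prime(n):                      # trial division; enough for q ~ 10^6
    if n < 2 or (n % 2 == 0 and n != 2):
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def factor(n):                        # {prime: exponent} by trial division
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


class GenericGroup:
    """Z_q^* seen only through opaque encodings; mul/inv/power are counted."""

    def __init__(self, q):
        self.q, self.order, self.ops, self._residue = q, q - 1, 0, {}
        self.one = self._enc(1)
        primes = factor(self.order)   # generator: no (order/prime)-th power is 1
        self.gen = self._enc(next(g for g in range(2, q)
                                  if all(pow(g, self.order // r, q) != 1 for r in primes)))

    def _enc(self, x):                # 64-bit truncated hash; collisions are
        x %= self.q                   # negligible for ~10^6 residues
        e = hashlib.sha256(f"elem:{x}".encode()).hexdigest()[:16]
        self._residue[e] = x
        return e

    def mul(self, a, b):
        self.ops += 1
        return self._enc(self._residue[a] * self._residue[b] % self.q)

    def inv(self, a):
        self.ops += 1
        return self._enc(pow(self._residue[a], -1, self.q))

    def power(self, a, k):            # square-and-multiply over counted ops
        k %= self.order
        result, base = self.one, a
        while k:
            if k & 1:
                result = self.mul(result, base)
            k >>= 1
            if k:
                base = self.mul(base, base)
        return result


def bsgs(G, g, h, p):
    """log_g(h) for g of prime order p; returns (x, ops used), ops ~ 2*sqrt(p)."""
    start, m = G.ops, isqrt(p) + 1
    baby, cur = {}, G.one
    for j in range(m):                # table of g^j, j < m
        baby.setdefault(cur, j)
        cur = G.mul(cur, g)
    step, gamma = G.inv(G.power(g, m)), h
    for i in range(m):                # walk h * g^(-i*m) until it hits the table
        if gamma in baby:
            return (i * m + baby[gamma]) % p, G.ops - start
        gamma = G.mul(gamma, step)
    raise ValueError("h is not in the subgroup generated by g")


def dlog(G, g, h):
    """Pohlig-Hellman + BSGS; returns (x, {p: most ops spent by one order-p search})."""
    n, residues, search_ops = G.order, [], {}
    for p, e in factor(n).items():
        pe = p ** e
        gi, hi = G.power(g, n // pe), G.power(h, n // pe)   # project into order p^e
        gp, x = G.power(gi, p ** (e - 1)), 0                 # gp has order p
        for k in range(e):            # k-th base-p digit of x mod p^e
            t = G.mul(hi, G.inv(G.power(gi, x)))
            digit, ops = bsgs(G, gp, G.power(t, p ** (e - 1 - k)), p)
            search_ops[p] = max(search_ops.get(p, 0), ops)
            x += digit * p ** k
        residues.append((x, pe))
    x, mod = 0, 1                     # Chinese remaindering
    for r, m in residues:
        x += mod * (((r - x) * pow(mod, -1, m)) % m)
        mod *= m
    return x % n, search_ops


def safe_prime_group(start):          # first q = 2p+1 >= start with p, q prime
    q = start | 1
    while not (is_prime(q) and is_prime(q // 2)):
        q += 2
    return GenericGroup(q)


def smooth_group(start):              # smallest prime q = 2^a 3^b + 1 in [start, 16*start)
    cands = [2 ** a * 3 ** b for a in range(1, 32) for b in range(25)]
    return GenericGroup(min(n for n in cands if start <= n < 16 * start and is_prime(n + 1)) + 1)


def demo(start=200_000, x=123_457):
    """Solve g^x = h in a group with a large prime-order part and in a smooth one."""
    out = {}
    for name, G in (("safe-prime", safe_prime_group(start)), ("smooth", smooth_group(start))):
        h = G.power(G.gen, x)
        G.ops = 0
        found, search_ops = dlog(G, G.gen, h)
        out[name] = dict(q=G.q, factors=factor(G.order), largest_prime=max(factor(G.order)),
                         recovered=found, bsgs_ops=search_ops, total_ops=G.ops)
    return out


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

In the safe-prime group the only expensive step is the single search of order p = (q-1)/2, which uses between sqrt(p) and about 2·sqrt(p)+20 counted operations; in the smooth group no search touches more than a handful of elements and the cost is dominated by the O(log q) exponentiations of the reduction. Nothing in the solver reads the private residue table, so the same code is what a generic algorithm in the paper's sense can do.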
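The abstract also mentions correcting a faulty Diffie-Hellman oracle, but this page does not describe Shoup's method. As an added example that is not the paper's technique, the code below shows the standard random self-reduction with majority vote, which illustrates what "correcting" such an oracle means: a query (g^a, g^b) is re-randomised to (g^{a+r}, g^{b+s}), the oracle's answer g^{(a+r)(b+s)} is divided by the three known factors g^{as}, g^{br}, g^{rs}, and the majority over independent rounds is taken. The toy group Z_1019^* (1019 = 2·509+1 is a safe prime, 2 a generator), the log table used only to build the simulated oracle, and the rule that makes the oracle wrong on a fifth of its inputs are all constructed for the demonstration.

```python
# Added example, not the method from Shoup's paper: correcting a faulty
# Diffie-Hellman oracle by random self-reduction plus majority vote (the
# standard construction). Toy group: Z_1019^*, 1019 = 2*509+1 a safe prime
# with generator 2, chosen here so the simulator can tabulate all logs.
import random
from collections import Counter

Q, G = 1019, 2
N = Q - 1                                   # group order
LOG = {pow(G, k, Q): k for k in range(N)}   # simulator-only: the solver never reads it


def faulty_dh(x, y):
    """Oracle that is wrong on a fixed fifth of its inputs, deterministically,
    so simply repeating a query can never detect or fix the error."""
    if (7 * x + 13 * y) % 5 == 0:
        return x * y % Q                        # garbage group element
    return pow(G, LOG[x] * LOG[y] % N, Q)       # g^(ab) for x=g^a, y=g^b


def corrected_dh(oracle, x, y, rounds=41, seed=1997):
    """Ask the oracle about (x*g^r, y*g^s) for fresh random r, s and strip the
    randomisation: g^((a+r)(b+s)) / (y^r * x^s * g^(rs)) = g^(ab). Each query
    now lands on an independent uniformly random input, so the oracle's fixed
    error set becomes an independent per-query error and the majority wins."""
    rng, votes = random.Random(seed), Counter()
    for _ in range(rounds):
        r, s = rng.randrange(N), rng.randrange(N)
        z = oracle(x * pow(G, r, Q) % Q, y * pow(G, s, Q) % Q)
        mask = pow(y, r, Q) * pow(x, s, Q) * pow(G, r * s, Q) % Q
        votes[z * pow(mask, -1, Q) % Q] += 1
    return votes.most_common(1)[0][0]


def bad_input():
    """Some (a, b) on which the faulty oracle answers g^a, g^b wrongly."""
    for a in range(1, N):
        for b in range(1, N):
            x, y = pow(G, a, Q), pow(G, b, Q)
            if faulty_dh(x, y) != pow(G, a * b % N, Q):
                return a, b
```

The oracle here errs on a fixed set of inputs with error rate 1/5, and with 41 randomised rounds the chance that fewer than half the answers are correct is negligible; the wrong answers, once de-randomised, scatter over unrelated elements and never form a competing majority. This simple vote only works when the oracle is right on more than half of all inputs, which is exactly the regime in which a better correction method such as the paper's becomes interesting.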


Copyright information

© Springer-Verlag Berlin Heidelberg 1997

Authors and Affiliations

  • Victor Shoup, IBM Research - Zürich, Rüschlikon, Switzerland
