Computing Low-Weight Discrete Logarithms

  • Bailey Kacsmar
  • Sarah Plosker
  • Ryan Henry
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10719)


We propose some new baby-step giant-step algorithms for computing “low-weight” discrete logarithms; that is, for computing discrete logarithms in which the radix-b representation of the exponent is known to have only a small number of nonzero digits. Prior to this work, such algorithms had been proposed for the case where the exponent is known to have low Hamming weight (i.e., the radix-2 case). Our new algorithms (i) improve the best-known deterministic complexity for the radix-2 case, and then (ii) generalize from radix-2 to arbitrary radixes \(b>1\). We also discuss how our new algorithms can be used to attack several recent Verifier-based Password Authenticated Key Exchange (VPAKE) protocols from the cryptographic literature with the conclusion that the new algorithms render those constructions completely insecure in practice.
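As an added illustration, not code from the paper (whose improved algorithms are not reproduced here): a plain splitting-based baby-step giant-step solver for the problem the abstract describes, generalized from radix 2 to an arbitrary radix b. It relies on the cyclic-block splitting observation (among the blocks of n/2 consecutive digit positions, some block holds exactly t/2 of the t nonzero positions, so trying the blocks starting at s = 0..n/2 always finds a balanced split); the modulus, base and exponent are constructed demo values.

```python
from itertools import combinations, product
from math import comb

def digit_weight(x, b=2):
    """Number of nonzero digits in the radix-b representation of x."""
    w = 0
    while x:
        w += 1 if x % b else 0
        x //= b
    return w

def split_cost(n, t, b=2):
    """Baby-step table size for one split: C(n/2, t/2) * (b-1)^(t/2).
    Compare with the C(n, t) * (b-1)^t candidate exponents of brute force."""
    return comb(n // 2, t // 2) * (b - 1) ** (t // 2)

def low_weight_dlog(g, h, p, n, t, b=2):
    """Find x with g^x = h (mod p), given that x < b^n has exactly t (even)
    nonzero radix-b digits.  For each cyclic block of n/2 consecutive digit
    positions, baby steps enumerate exponents with t/2 nonzero digits inside
    the block and giant steps those with t/2 nonzero digits outside it."""
    assert n % 2 == 0 and t % 2 == 0, "demo assumes n and t even"
    half, k = n // 2, t // 2
    g_inv = pow(g, -1, p)
    for s in range(half + 1):
        block = {(s + i) % n for i in range(half)}
        rest = [i for i in range(n) if i not in block]
        # baby steps: g^x1 for every x1 with k nonzero digits inside the block
        table = {}
        for pos in combinations(sorted(block), k):
            for digs in product(range(1, b), repeat=k):
                x1 = sum(d * b ** e for d, e in zip(digs, pos))
                table[pow(g, x1, p)] = x1
        # giant steps: h * g^-x2 for every x2 with k nonzero digits outside it
        for pos in combinations(rest, k):
            for digs in product(range(1, b), repeat=k):
                x2 = sum(d * b ** e for d, e in zip(digs, pos))
                x1 = table.get(h * pow(g_inv, x2, p) % p)
                if x1 is not None:
                    return x1 + x2  # disjoint positions, so weight is exactly t
    return None

if __name__ == "__main__":
    # constructed instance: prime modulus, radix 3, 20 digits, weight 4
    p, g, n, t, b = 1000003, 2, 20, 4, 3
    x = 2 * 3**17 + 3**9 + 2 * 3**4 + 1
    h = pow(g, x, p)
    print(low_weight_dlog(g, h, p, n, t, b), x, split_cost(n, t, b))
```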


Keywords: Discrete logarithms; Baby-step giant-step; Meet-in-the-middle; Cryptanalysis; Verifier-based Password Authenticated Key Exchange (VPAKE)



We thank Doug Stinson, Itai Dinur, and the anonymous referees for their valuable feedback. Sarah Plosker is supported by the Natural Sciences and Engineering Research Council of Canada, the Canada Foundation for Innovation, and the Canada Research Chairs Program. Ryan Henry is supported by the National Science Foundation under Grant No. 1565375.


Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  1. University of Waterloo, Waterloo, Canada
  2. Brandon University, Brandon, Canada
  3. Indiana University, Bloomington, USA
