The Past, Evolving Present, and Future of the Discrete Logarithm

  • Antoine Joux
  • Andrew Odlyzko
  • Cécile Pierrot


The first practical public key cryptosystem ever published, the Diffie–Hellman key exchange algorithm, relies for its security on the assumption that discrete logarithms are hard to compute. This intractability hypothesis is also the foundation for the security of a large variety of other public key systems and protocols.

Since the introduction of the Diffie–Hellman key exchange more than three decades ago, there have been substantial algorithmic advances in the computation of discrete logarithms. However, in general the discrete logarithm problem is still considered to be hard. In particular, this is the case for the multiplicative groups of finite fields with medium to large characteristic and for the additive group of a general elliptic curve.

This chapter presents a survey of the state of the art concerning discrete logarithms and their computation.


  1. [Adl79]
    L.M. Adleman, A subexponential algorithm for the discrete logarithm problem with applications to cryptography (abstract), in FOCS (1979), pp. 55–60Google Scholar
  2. [AFK89]
    M. Abadi, J. Feigenbaum, J. Kilian, On hiding information from an oracle. J. Comput. Syst. Sci. 39(1), 21–50 (1989)CrossRefMATHMathSciNetGoogle Scholar
  3. [AH99]
    L.M. Adleman, M.-D.A. Huang, Function field sieve method for discrete logarithms over finite fields. Inf. Comput. 151(1–2), 5–16 (1999)CrossRefMATHMathSciNetGoogle Scholar
  4. [BBG05]
    D. Boneh, X. Boyen, E.-J. Goh, Hierarchical identity based encryption with constant size ciphertext, in EUROCRYPT (2005), pp. 440–456Google Scholar
  5. [BD94]
    M. Burmester, Y. Desmedt, A secure and efficient conference key distribution system (extended abstract), in EUROCRYPT (1994), pp. 275–286Google Scholar
  6. [BF03]
    D. Boneh, M.K. Franklin, Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)CrossRefMATHMathSciNetGoogle Scholar
  7. [BGJT13]
    R. Barbulescu, P. Gaudry, A. Joux, E. Thomé, A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. CoRR (2013). abs/1306.4244Google Scholar
  8. [BLS04]
    D. Boneh, B. Lynn, H. Shacham, Short signatures from the Weil pairing. J. Cryptol. 17(4), 297–319 (2004)MATHMathSciNetGoogle Scholar
  9. [BLS11]
    D.J. Bernstein, T. Lange, P. Schwabe, On the correct use of the negation map in the Pollard Rho method, in Public Key Cryptography (2011), pp. 128–146Google Scholar
  10. [BP14]
    R. Barbulescu, C. Pierrot, The multiple number field sieve for medium and high characteristic finite fields. IACR Cryptol. ePrint Arch. 2014, 147 (2014)Google Scholar
  11. [CEP83]
    E.R. Canfield, P. Erdös, C. Pomerance, On a problem of Oppenheim concerning factorisatio numerorum. J. Number Theory 17, 1–28 (1983)CrossRefMATHMathSciNetGoogle Scholar
  12. [CGH00]
    R. Canetti, O. Goldreich, S. Halevi, The random oracle methodology, revisited. CoRR (2000). cs.CR/0010019Google Scholar
  13. [CHK12]
    J.H. Cheon, J. Hong, M. Kim, Accelerating Pollard’s Rho algorithm on finite fields. J. Cryptol. 25(2), 195–242 (2012)CrossRefMATHMathSciNetGoogle Scholar
  14. [Cop84]
    D. Coppersmith, Fast evaluation of logarithms in fields of characteristic two. IEEE Trans. Inf. Theory 30(4), 587–593 (1984)CrossRefMATHMathSciNetGoogle Scholar
  15. [COS86]
    D. Coppersmith, A.M. Odlyzko, R. Schroeppel, Discrete logarithms in GF(p). Algorithmica 1(1), 1–15 (1986)CrossRefMATHMathSciNetGoogle Scholar
  16. [Den82]
    D.E. Denning, Cryptography and Data Security (Addison-Wesley, Reading, 1982)MATHGoogle Scholar
  17. [Den02]
    A.W. Dent, Adapting the weaknesses of the random oracle model to the generic group model, in ASIACRYPT (2002), pp. 100–109Google Scholar
  18. [DH76]
    W. Diffie, M.E. Hellman, New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)CrossRefMATHMathSciNetGoogle Scholar
  19. [DK13]
    C. Diem, S. Kochinke, Computing discrete logarithms with special linear systems. Preprint (2013)Google Scholar
  20. [DOW92]
    W. Diffie, P.C. Oorschot, M.J. Wiener, Authentication and authenticated key exchanges. Des. Codes Cryptogr. 2(2), 107–125 (1992)CrossRefMathSciNetGoogle Scholar
  21. [EGT11]
    A. Enge, P. Gaudry, E. Thomé, An L(1∕3) discrete logarithm algorithm for low degree curves. J. Cryptol. 24(1), 24–41 (2011)CrossRefMATHGoogle Scholar
  22. [FJM13]
    P.-A. Fouque, A. Joux, C. Mavromati, Multi-user collisions: applications to discrete logs, Even-Mansour and prince. IACR Cryptol. ePrint Arch. 2013, 761 (2013)Google Scholar
  23. [FPPR12]
    J.-C. Faugère, L. Perret, C. Petit, G. Renault, Improving the complexity of index calculus algorithms in elliptic curves over binary fields, in EUROCRYPT (2012), pp. 27–44Google Scholar
  24. [FR94]
    G. Frey, H. Georg Rück, A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Math. Comput. 62, 865–874 (1994)MATHGoogle Scholar
  25. [FS86]
    A. Fiat, A. Shamir, How to prove yourself: practical solutions to identification and signature problems, in CRYPTO (1986), pp. 186–194Google Scholar
  26. [Gam85]
    T. El Gamal, A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)CrossRefMATHGoogle Scholar
  27. [GGMZ13]
    F. Göloglu, R. Granger, G. McGuire, J. Zumbrägel, On the function field sieve and the impact of higher splitting probabilities—application to discrete logarithms in and, in CRYPTO (2) (2013), pp. 109–128Google Scholar
  28. [GHS02]
    P. Gaudry, F. Hess, N.P. Smart, Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptol. 15(1), 19–46 (2002)CrossRefMathSciNetGoogle Scholar
  29. [GKZ14]
    R. Granger, T. Kleinjung, J. Zumbrägel, On the powers of 2. Cryptology ePrint Archive, Report 2014/300 (2014)Google Scholar
  30. [Gor93]
    D.M. Gordon, Discrete logarithms in GF(p) using the number field sieve. SIAM J. Discrete Math. 6(1), 124–138 (1993)CrossRefMATHMathSciNetGoogle Scholar
  31. [GTTD07]
    P. Gaudry, E. Thomé, N. Thériault, C. Diem, A double large prime variation for small genus hyperelliptic index calculus. Math. Comput. 76(257), 475–492 (2007)CrossRefMATHGoogle Scholar
  32. [HR82]
    M.E. Hellman, J.M. Reyneri, Fast computation of discrete logarithms in GF(q), in CRYPTO (1982), pp. 3–13Google Scholar
  33. [JL02]
    A. Joux, R. Lercier, The function field sieve is quite special, in ANTS (2002), pp. 431–445Google Scholar
  34. [JL03]
    A. Joux, R. Lercier, Improvements to the general number field sieve for discrete logarithms in prime fields. A comparison with the gaussian integer method. Math. Comput. 72(242), 953–967 (2003)MATHMathSciNetGoogle Scholar
  35. [JL06]
    A. Joux, R. Lercier, The function field sieve in the medium prime case, in EUROCRYPT (2006), pp. 254–270Google Scholar
  36. [JLSV06]
    A. Joux, R. Lercier, N.P. Smart, F. Vercauteren, The number field sieve in the medium prime case, in CRYPTO (2006), pp. 326–344Google Scholar
  37. [JN03]
    A. Joux, K. Nguyen, Separating decision Diffie-Hellman from computational Diffie-Hellman in cryptographic groups. J. Cryptol. 16(4), 239–247 (2003)CrossRefMATHMathSciNetGoogle Scholar
  38. [Jou04]
    A. Joux, A one round protocol for tripartite Diffie-Hellman. J. Cryptol. 17(4), 263–276 (2004)MATHMathSciNetGoogle Scholar
  39. [Jou13a]
    A. Joux, Faster index calculus for the medium prime case application to 1175-bit and 1425-bit finite fields, in EUROCRYPT (2013), pp. 177–193Google Scholar
  40. [Jou13b]
    A. Joux, A new index calculus algorithm with complexity \(L(1/4 + o(1))\) in very small characteristic. IACR Cryptol. ePrint Arch. 2013, 95 (2013)Google Scholar
  41. [JP13]
    A. Joux, C. Pierrot, The special number field sieve in finite fields - application to pairing-friendly constructions, in Pairing (2013), pp. 45–61Google Scholar
  42. [JV12]
    A. Joux, V. Vitse, Cover and decomposition index calculus on elliptic curves made practical—application to a previously unreachable curve over \(\mathbb{F}_{p^{6}}\), in EUROCRYPT (2012), pp. 9–26Google Scholar
  43. [Kra22]
    M. Kraïtchik, Théorie des nombres (Gauthier-Villars, Paris, 1922)MATHGoogle Scholar
  44. [KS01]
    F. Kuhn, R. Struik, Random walks revisited: extensions of Pollard’s Rho algorithm for computing multiple discrete logarithms, in Selected Areas in Cryptography (2001), pp. 212–229Google Scholar
  45. [LO90]
    B.A. LaMacchia, A.M. Odlyzko, Solving large sparse linear systems over finite fields, in CRYPTO (1990), pp. 109–133Google Scholar
  46. [MOV93]
    A. Menezes, T. Okamoto, S.A. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory 39(5), 1639–1646 (1993)CrossRefMATHMathSciNetGoogle Scholar
  47. [MW96]
    U.M. Maurer, S. Wolf, Diffie-Hellman oracles, in CRYPTO (1996), pp. 268–282Google Scholar
  48. [Odl85]
    A.M. Odlyzko, Discrete logarithms in finite fields and their cryptographic significance. Adv. Cryptol. 209, 224–314 (1985)CrossRefMathSciNetGoogle Scholar
  49. [Pai99]
    P. Paillier, Public-key cryptosystems based on composite degree residuosity classes, in EUROCRYPT (1999), pp. 223–238Google Scholar
  50. [PGF98]
    D. Panario, X. Gourdon, P. Flajolet, An analytic approach to smooth polynomials over finite fields, in ANTS (1998), pp. 226–236Google Scholar
  51. [PH78]
    S.C. Pohlig, M.E. Hellman, An improved algorithm for computing logarithms over gf(p) and its cryptographic significance (corresp.). IEEE Trans. Inf. Theory 24(1), 106–110 (1978)Google Scholar
  52. [Pol75]
    J. Pollard, A Monte Carlo method for factorization. BIT Numer. Math., 15, 331–334 (1975)CrossRefMATHMathSciNetGoogle Scholar
  53. [Pol78]
    J. Pollard, Monte Carlo methods for index computations mod p. Math. Comput., 32(143), 918–924 (1978)Google Scholar
  54. [Pom87]
    C. Pomerance, Discrete Algorithms and Complexity: Proceedings of the Japan-US Joint Seminar, June 4-6, 1986, Kyoto, Japan, D. S. Johnson, T. Nishizeki, A. Nozaki and H. S. Wilf (Editors), Academic Press, New York, (1987)Google Scholar
  55. [PQ12]
    C. Petit, J.-J. Quisquater, On polynomial systems arising from a Weil descent, in ASIACRYPT (2012), pp. 451–466Google Scholar
  56. [QD89]
    J.-J. Quisquater, J.-P. Delescaille, How easy is collision search. New results and applications to DES, in CRYPTO (1989), pp. 408–413Google Scholar
  57. [Sch89]
    C.-P. Schnorr, Efficient identification and signatures for smart cards, in CRYPTO (1989), pp. 239–252Google Scholar
  58. [Sch00]
    O. Schirokauer, Using number fields to compute logarithms in finite fields. Math. Comput. 69(231), 1267–1283 (2000)CrossRefMATHMathSciNetGoogle Scholar
  59. [Sem04]
    I. Semaev, Summation polynomials and the discrete logarithm problem on elliptic curves. IACR Cryptol. ePrint Arch. 2004, 31 (2004)Google Scholar
  60. [Sha71]
    D. Shanks, Class number, a theory of factorization and genera, in Proceedings of the Symposium on Pure Mathematics (1971), pp. 415–440Google Scholar
  61. [Sho97a]
    P.W. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)CrossRefMATHMathSciNetGoogle Scholar
  62. [Sho97b]
    V. Shoup, Lower bounds for discrete logarithms and related problems, in EUROCRYPT (1997), pp. 256–266Google Scholar
  63. [SWD96]
    O. Schirokauer, D. Weber, T.F. Denny, Discrete logarithms: the effectiveness of the index calculus method, in ANTS (1996), pp. 337–361Google Scholar
  64. [Tes00]
    E. Teske, On random walks for Pollard’s Rho method. Math. Comput. 70, 809–825 (2000)CrossRefMathSciNetGoogle Scholar
  65. [vOW99]
    P.C. van Oorschot, M.J. Wiener, Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999)CrossRefMATHGoogle Scholar
  66. [Wie86]
    D.H. Wiedemann, Solving sparse linear equations over finite fields. IEEE Trans. Inf. Theory 32(1), 54–62 (1986)CrossRefMATHMathSciNetGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Antoine Joux
    • 1
    • 2
    • 3
  • Andrew Odlyzko
    • 4
  • Cécile Pierrot
    • 5
  1. 1.CryptoExpertsParisFrance
  2. 2.Chaire de Cryptologie de la Fondation de l’UPMCParisFrance
  3. 3.Sorbonne Universités, LIP6, UMR 7606ParisFrance
  4. 4.School of MathematicsUniversity of MinnesotaMinneapolisUSA
  5. 5.DGA/CNRSSorbonne Universités, LIP6, UMR 7606ParisFrance

Personalised recommendations