how to solve discrete logarithm problem

Discrete Logarithm

The term "discrete logarithm" is most commonly used in cryptography, although the term "generalized multiplicative order" is sometimes used as well (Schneier 1996, p. 501). In number theory, the term "index" is generally used instead (Gauss 1801; Nagell 1951, p. 112).

Discrete logarithms were mentioned by Charlie the math genius in the Season 2 episode "In Plain Sight" of the television crime drama NUMB3RS.


Weisstein, Eric W. "Discrete Logarithm." From MathWorld --A Wolfram Web Resource. https://mathworld.wolfram.com/DiscreteLogarithm.html


Discrete Logarithm Problem


  • Dan Gordon Dr.


Related Concepts

Computational Diffie–Hellman Problem; Elliptic Curve Discrete Logarithm Problem; Function Field Sieve; Generic Attacks Against DLP; Number Field Sieve for the DLP

Let G be a cyclic group of order n, and g be a generator for G. Given an element \(y \in G\), the discrete logarithm problem is to find an integer x such that

The discrete logarithm problem has been of particular interest since Diffie and Hellman (Diffie-Hellman Key Agreement) invented a cryptographic system based on the difficulty of finding discrete logarithms (a similar system was created around the same time by Malcolm Williamson at the Government Communications Headquarters (GCHQ) in the UK, but not revealed until years later).

Any finite group may be used for a Diffie-Hellman system, but some are more secure than others. The main groups used are:

The multiplicative subgroup of a finite field GF(q), with q a prime or a power of 2

The points on an...


Recommended Reading

McCurley KS (1990) The discrete logarithm problem. In: Cryptology and Computational Number Theory, pp. 49–74, AMS, Providence


Odlyzko AM (2000) Discrete logarithms: the past and the future. Design Code Cryptogr 19:129–145


Author information

Authors and affiliations.

IDA Center for Communications Research, 4320 Westerra Court, 92121, San Diego, CA, USA

Dan Gordon Dr.


Editor information

Editors and affiliations.

Department of Mathematics and Computing Science, Eindhoven University of Technology, 5600 MB, Eindhoven, The Netherlands

Henk C. A. van Tilborg

Center for Secure Information Systems, George Mason University, Fairfax, VA, 22030-4422, USA

Sushil Jajodia


© 2011 Springer Science+Business Media, LLC

About this entry

Cite this entry.

Gordon, D. (2011). Discrete Logarithm Problem. In: van Tilborg, H.C.A., Jajodia, S. (eds) Encyclopedia of Cryptography and Security. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-5906-5_445


DOI : https://doi.org/10.1007/978-1-4419-5906-5_445

Publisher Name : Springer, Boston, MA

Print ISBN : 978-1-4419-5905-8

Online ISBN : 978-1-4419-5906-5

eBook Packages : Computer Science Reference Module Computer Science and Engineering

Discrete logarithm (Find an integer k such that a^k is congruent modulo b)


a^k \equiv b \pmod m

A naive approach is to run a loop from 0 to m to cover all possible values of k and check for which value of k the above relation is satisfied. If all values of k are exhausted, print -1. The time complexity of this approach is O(m).

An efficient approach is to use the baby-step giant-step algorithm, which uses the meet-in-the-middle trick.

Baby-step giant-step algorithm

  • Suppose we have stored all values of the LHS. Now iterate over all possible terms on the RHS for different values of j and check which value matches a stored LHS value.
  • If no candidate j gives a match in the step above, print -1.

Output:   

Time complexity: O(sqrt(m)*log(b))
Auxiliary space: O(sqrt(m))

A possible improvement is to get rid of binary exponentiation, i.e. the log(b) factor, in the second phase of the algorithm. This can be done by keeping a variable, ‘an’, that is multiplied by ‘a’ each time. Let’s see the program to understand more.

Time complexity: O(sqrt(m))
Auxiliary space: O(sqrt(m))

Reference:
http://e-maxx-eng.appspot.com/algebra/discrete-log.html
https://en.wikipedia.org/wiki/Baby-step_giant-step


Discrete Logarithm

The discrete logarithm is an integer $x$ satisfying the equation

for given integers $a$, $b$ and $m$.

The discrete logarithm does not always exist, for instance there is no solution to $2^x \equiv 3 \pmod 7$. There is no simple condition to determine if the discrete logarithm exists.

In this article, we describe the Baby-step giant-step algorithm, an algorithm to compute the discrete logarithm proposed by Shanks in 1971, which has the time complexity $O(\sqrt{m})$. This is a meet-in-the-middle algorithm because it uses the technique of separating tasks in half.

Algorithm

Consider the equation:

where $a$ and $m$ are relatively prime.

Let $x = np - q$, where $n$ is some pre-selected constant (we will describe how to select $n$ later). $p$ is known as the giant step, since increasing it by one increases $x$ by $n$. Similarly, $q$ is known as the baby step.

Obviously, any number $x$ in the interval $[0; m)$ can be represented in this form, where $p \in [1; \lceil \frac{m}{n} \rceil ]$ and $q \in [0; n]$.

Then, the equation becomes:

Using the fact that $a$ and $m$ are relatively prime, we obtain:

This new equation can be rewritten in a simplified form:

This problem can be solved using the meet-in-the-middle method as follows:

  • Calculate $f_1$ for all possible arguments $p$. Sort the array of value-argument pairs.
  • For all possible arguments $q$, calculate $f_2$ and look for the corresponding $p$ in the sorted array using binary search.

Complexity

We can calculate $f_1(p)$ in $O(\log m)$ using the binary exponentiation algorithm. Similarly for $f_2(q)$.

In the first step of the algorithm, we need to calculate $f_1$ for every possible argument $p$ and then sort the values. Thus, this step has complexity:

In the second step of the algorithm, we need to calculate $f_2(q)$ for every possible argument $q$ and then do a binary search on the array of values of $f_1$, thus this step has complexity:

Adding these two complexities gives $\log m$ multiplied by the sum of $n$ and $m/n$, which is minimal when $n = m/n$. So, to achieve optimal performance, $n$ should be chosen such that:

Then, the complexity of the algorithm becomes:

Implementation

The simplest implementation

In the following code, the function powmod calculates $a^b \pmod m$ and the function solve produces a proper solution to the problem. It returns $-1$ if there is no solution and returns one of the possible solutions otherwise.

In this code, we used map from the C++ standard library to store the values of $f_1$. Internally, map uses a red-black tree to store values. Thus this code is a little bit slower than if we had used an array and binary searched, but is much easier to write.

Notice that our code assumes $0^0 = 1$, i.e. the code will compute $0$ as solution for the equation $0^x \equiv 1 \pmod m$ and also as solution for $0^x \equiv 0 \pmod 1$. This is an often used convention in algebra, but it's also not universally accepted in all areas. Sometimes $0^0$ is simply undefined. If you don't like our convention, then you need to handle the case $a=0$ separately:

Another thing to note is that, if there are multiple arguments $p$ that map to the same value of $f_1$, we only store one such argument. This works in this case because we only want to return one possible solution. If we need to return all possible solutions, we need to change map<int, int> to, say, map<int, vector<int>>. We also need to change the second step accordingly.

Improved implementation

A possible improvement is to get rid of binary exponentiation. This can be done by keeping a variable that is multiplied by $a$ each time we increase $q$ and a variable that is multiplied by $a^n$ each time we increase $p$. With this change, the complexity of the algorithm is still the same, but now the $\log$ factor is only for the map. Instead of a map, we can also use a hash table (unordered_map in C++) which has the average time complexity $O(1)$ for inserting and searching.

Problems often ask for the minimum $x$ which satisfies the equation. It is possible to get all answers and take the minimum, or reduce the first found answer using Euler's theorem, but we can be smart about the order in which we calculate values and ensure the first answer we find is the minimum.

The complexity is $O(\sqrt{m})$ using unordered_map.

When $a$ and $m$ are not coprime

Let $g = \gcd(a, m)$, and $g > 1$. Clearly $a^x \bmod m$ for every $x \ge 1$ will be divisible by $g$.

If $g \nmid b$, there is no solution for $x$.

If $g \mid b$, let $a = g \alpha, b = g \beta, m = g \nu$.

The baby-step giant-step algorithm can be easily extended to solve $ka^{x} \equiv b \pmod m$ for $x$.

The time complexity remains $O(\sqrt{m})$ as before since the initial reduction to coprime $a$ and $m$ is done in $O(\log^2 m)$.
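The improved search and the non-coprime reduction described above, combined in one function; this is an added example, not the article's own listing. It assumes $m < 2^{32}$ so that products fit in 64 bits, uses the $0^0 = 1$ convention, and the names discrete_log, mulmod and gcd_u64 are chosen here (powmod is kept only to verify answers).

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <unordered_map>

using u64 = std::uint64_t;

// Assumption of this example: m < 2^32, so every product below fits in 64 bits.
static u64 mulmod(u64 x, u64 y, u64 m) { return (x % m) * (y % m) % m; }

static u64 gcd_u64(u64 x, u64 y) {
    while (y != 0) { u64 t = x % y; x = y; y = t; }
    return x;
}

// Binary exponentiation; used only to check results, not inside the search.
u64 powmod(u64 a, u64 e, u64 m) {
    u64 r = 1 % m;
    for (a %= m; e > 0; e >>= 1) {
        if (e & 1) r = mulmod(r, a, m);
        a = mulmod(a, a, m);
    }
    return r;
}

// Smallest x >= 0 with a^x ≡ b (mod m), or -1 if no such x exists.
long long discrete_log(u64 a, u64 b, u64 m) {
    if (m == 1) return 0;
    a %= m; b %= m;
    u64 k = 1;          // the equation being solved is k * a^(x - add) ≡ b (mod m)
    long long add = 0;  // number of factors of a already moved into k
    // Reduction: divide a, b and m by g = gcd(a, m) until a and m are coprime.
    for (u64 g; (g = gcd_u64(a, m)) > 1; ) {
        if (b == k) return add;       // x = add already satisfies the equation
        if (b % g != 0) return -1;    // g does not divide b: no solution
        b /= g; m /= g; ++add;
        k = mulmod(k, a / g, m);
    }
    a %= m;
    u64 n = static_cast<u64>(std::sqrt(static_cast<double>(m))) + 1;
    u64 an = 1 % m;                   // a^n, built by repeated multiplication
    for (u64 i = 0; i < n; ++i) an = mulmod(an, a, m);

    // Baby steps: b * a^q for q = 0..n. Later q overwrites earlier q, so the
    // table keeps the largest q for each value.
    std::unordered_map<u64, u64> baby;
    u64 cur = b;
    for (u64 q = 0; q <= n; ++q) {
        baby[cur] = q;
        cur = mulmod(cur, a, m);
    }
    // Giant steps: k * a^(n p) for p = 1..n. Smallest p first, combined with
    // the largest stored q, makes the first hit the minimum x = n p - q.
    cur = k;
    for (u64 p = 1; p <= n; ++p) {
        cur = mulmod(cur, an, m);
        auto it = baby.find(cur);
        if (it != baby.end())
            return static_cast<long long>(n * p - it->second) + add;
    }
    return -1;
}

int main() {
    std::printf("2^x = 3 (mod 5): x = %lld\n", discrete_log(2, 3, 5));
    std::printf("2^x = 3 (mod 7): x = %lld\n", discrete_log(2, 3, 7));
    std::printf("6^x = 4 (mod 8): x = %lld\n", discrete_log(6, 4, 8));
    return 0;
}
```

For a modulus near $2^{30}$ the table holds only about 32,000 entries, which is why groups of this size offer no protection against a generic square-root search.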

Practice Problems

  • Spoj - Power Modulo Inverted
  • Topcoder - SplittingFoxes3
  • CodeChef - Inverse of a Function
  • Hard Equation (assume that $0^0$ is undefined)
  • CodeChef - Chef and Modular Sequence



COMMENTS

  1. PDF 9 The discrete logarithm problem

    9.2 Generic algorithms for the discrete logarithm problem We now consider generic algorithms for the discrete logarithm problem in the standard setting of a cyclic group h i. We shall assume throughout that N := j jis known. This is a reasonable assumption for three reasons: (1) in cryptographic applications it is quite

  2. Discrete logarithm

    Discrete logarithm. In mathematics, for given real numbers a and b, the logarithm log_b a is a number x such that b^x = a. Analogously, in any group G, powers b^k can be defined for all integers k, and the discrete logarithm log_b a is an integer k such that b^k = a. In number theory, the more commonly used term is index: we can write x = ind_r a ...

  3. PDF Discrete Logarithms

    log_g t. The discrete logarithm problem is the computational task of finding a representative of this residue class; that is, finding an integer n with g^n = t. 1. Finding a discrete logarithm can be very easy. For example, say ... finding either a or b, that is without solving the dl problem. 10.

  4. Discrete Logarithm -- from Wolfram MathWorld

    If a is an arbitrary integer relatively prime to n and g is a primitive root of n, then there exists among the numbers 0, 1, 2, ..., phi(n)-1, where phi(n) is the totient function, exactly one number mu such that a=g^mu (mod n). The number mu is then called the discrete logarithm of a with respect to the base g modulo n and is denoted mu=ind_ga (mod n). The term "discrete logarithm" is most ...

  5. The discrete logarithm problem (video)

    Three is known as the generator. If we raise three to any exponent x, then the solution is equally likely to be any integer between zero and 17. Now, the reverse procedure is hard. Say, given 12, find the exponent three needs to be raised to. This is called the discrete logarithm problem.

  6. PDF 10 Generic algorithms for the discrete logarithm problem

    0 = log pe1 p e 1 : We also have x 0 = pe 0x 1 , thus x 1 = log pe0 ( x 0 ): If Nis not prime, this again reduces the computation of log to the computation of two smaller discrete logarithms (of roughly equal size). The Pohlig-Hellman method [4] recursively applies the two reductions above to reduce the problem to a set of discrete logarithm ...

  7. PDF Lecture 10 1 The Discrete Log Problem

    The discrete log problem can be formulated for every group G. Once the group is fixed, or a description is given, an input to the problem are two elements a, z ∈ G, ... solve the factorization problem, and then we will see that, after a constant number of executions of the algorithm, we can recover r. Input: prime p, generator g of Z

  8. Discrete Logarithm Problem

    The fastest algorithm for finding discrete logarithms in prime fields GF(p) is the Number Field Sieve for DLPs. The asymptotic complexity is the same as for factoring, although the linear algebra system is solved modulo p − 1 instead of modulo 2, making discrete logarithms harder than factoring problems of the same size. For fields GF(2^n ...

  9. Discrete logarithm (Find an integer k such that a^k is ...

    Given three integers a, b and m. Find an integer k such that where a and m are relatively prime. If it is not possible for any k to satisfy this relation, print -1. Examples: Input: 2 3 5. Output: 3. Explanation: a = 2, b = 3, m = 5. The value which satisfies the above equation.

  10. The Discrete Logarithm Problem (Solved Example)

    Network Security: The Discrete Logarithm Problem (Solved Example)Topics discussed:1) A solved example based on the discrete logarithm problem.Follow Neso Aca...

  11. python

    You are trying to solve the Discrete Logarithm problem. A reasonable algorithm is Baby step, giant step , although there are many others, none of which are particularly fast. The difficulty of finding a fast solution to the discrete logarithm problem is a fundamental part of some popular cryptographic algorithms, so if you find a better ...

  12. Basic discrete logarithm algorithms (Chapter 13)

    The discrete logarithm problem (DLP) is: given g, h ∈ G find a, if it exists, such that h = g^a. We sometimes denote a by log_g(h). As discussed after Definition 2.1.1, we intentionally do not specify a distribution on g or h or a above, although it is common to assume that g is sampled uniformly at random in G, and a is sampled uniformly ...

  13. Discrete Log

    Discrete Logarithm. The discrete logarithm is an integer $x$ satisfying the equation $a^x \equiv b \pmod m$ for given integers $a$, $b$ and $m$. The discrete logarithm does not always exist, for instance there is no solution to $2^x \equiv 3 \pmod 7$. There is no simple condition to determine if the discrete logarithm exists.

  14. PDF Diffie-Hellman Key Exchange and the Discrete Log Problem

    The quantities p, g, g^m, g^n are public knowledge. To determine the secret key g^mn an eavesdropper must determine either m or n. That is, the eavesdropper must solve The Discrete Log Problem. Given a cyclic group G = ⟨g⟩ and a ∈ G, find an n ∈ Z so that g^n = a. For G = (Z/pZ) this is a "very difficult" problem to ...

  15. algorithms

    However in the case that N − 1 has only small prime factors, the Pohlig-Hellman algorithm finds the logarithm in O(log2(N)) time. Therefore, for this case, the Discrete Log problem is in P. As such, when a cryptographic protocol depends on the hardness of this problem, it is important to choose the modulus, N ...

  16. PDF 10 Generic algorithms for the discrete logarithm problem

    10 Generic algorithms for the discrete logarithm problem We now consider generic algorithms for the discrete logarithm problem in the standard setting of a cyclic group h i. We shall assume throughout that N := j jis known. This is a reasonable assumption for three reasons: (1) in cryptographic applications it is quite

  17. PDF Discrete Logarithm Problem

    Discrete Logarithm Problem Shanks, Pollard Rho, Pohlig-Hellman, Index Calculus Discrete Logarithm in (Z n;+ mod n) x is easily solvable from the above since x = g 1 y (mod n) where y 1 is the multiplicative inverse of y mod n Consider (Z 11;+ mod 11) where any nonzero element is primitive Any DLP in (Z 11;+ mod 11) is easily solvable, for example,

  18. Computing discrete logarithms

    Brute force the simplest algorithm for finding discrete logarithms: try x = 1, 2, 3, …, n until you find a value of x satisfying a^x = y. The problem with brute force is that the expected run time is on the order of n, and n is often very large in application. Discrete logarithms are expensive to compute, but we can do better than brute force.

  19. Discrete logarithm problem and Diffie-Hellman key exchange

    The function logarithm is normally represented as. where x, y and b are related by. here b is known as the base of the logarithm. The logarithm problem is the problem of finding y knowing b and x, i.e. calculate the logarithm of x base b. This is super straight forward to do if we work in the algebraic field of real numbers, just have a look at ...

  20. How to practically find solutions to a discrete logarithm?

    256-bit discrete logarithms on a prime field are definitely not of the order of magnitude used in cryptographic applications. Secure sizes for this problem are in the thousands of bits, very much like integer factorization. To break that example discrete logarithm, you probably want to use Index Calculus, more specifically the Linear Sieve.

  21. Using Shor's algorithm to solve the discrete logarithm problem

    On the (q − 1)/q probability that it is not zero, the solution to the discrete logarithm problem is then given by k = −ω1/ω2 mod q.
