RSA Laboratories

2.3.7 What is the discrete logarithm problem?

The discrete logarithm problem applies to mathematical structures called groups; see Section A.3 for the definition of a group. A group is a collection of elements together with a binary operation which we will refer to as group multiplication. For a group element g and a number n, let gn denote the element obtained by multiplying g by itself n times; g2 = g*g, g3 = g*g*g, and so on. The discrete logarithm problem is as follows: given an element g in a finite group G and another element h Î G, find an integer x such that gx = h. For example, the solution to the problem 3x º 13 (mod 17) is 4, because 34 = 81 º 13 (mod 17).

Like the factoring problem, the discrete logarithm problem is believed to be difficult and also to be the hard direction of a one-way function. For this reason, it has been the basis of several public-key cryptosystems, including the ElGamal system and DSS (see Question 3.6.8 and Section 3.4). The discrete logarithm problem bears the same relation to these systems as factoring does to the RSA system: the security of these systems rests on the assumption that discrete logarithms are difficult to compute. Although the discrete logarithm problem exists in any group, when used for cryptographic purposes the group is usually Zn* (see Section A.2).

The discrete logarithm problem has received much attention in recent years; descriptions of some of the most efficient algorithms for discrete logarithms over finite fields can be found in [Odl84] [LL90] [COS86] [Gor93] [GM93]. The best discrete logarithm algorithms have expected running times similar to those of the best factoring algorithms. Rivest [Riv92a] has analyzed the expected time to solve the discrete logarithm problem both in terms of computing power and cost.

In general, the discrete logarithm in an arbitrary group of size n can be computed in running time O(Ön) [Pol74], though in many groups it can be done faster.

Top of the page