Discrete logarithm
This article includes a list of references, but its sources remain unclear because it has insufficient inline citations. (October 2017) (Learn how and when to remove this template message) 
In the mathematics of the real numbers, the logarithm log_{b} a is a number x such that b^{x} = a, for given numbers a and b. Analogously, in any group G, powers b^{k} can be defined for all integers k, and the discrete logarithm log_{b} a is an integer k such that b^{k} = a. In number theory, the more commonly used term is index: we can write x = ind_{r} a (mod m) (read the index of a to the base r modulo m) for r^{x} ≡ a (mod m) if r is a primitive root of m and gcd(a,m)=1.
Discrete logarithms are quickly computable in a few special cases. However, no efficient method is known for computing them in general. Several important algorithms in publickey cryptography base their security on the assumption that the discrete logarithm problem over carefully chosen groups has no efficient solution.
Contents
Definition[edit]
Let G be any group. Denote its group operation by multiplication and its identity element by 1. Let b be any element of G. For any positive integer k, the expression b^{k} denotes the product of b with itself k times:
Similarly, let b^{k} denote the product of b^{−1} with itself k times. For k = 0, the kth power is the identity: b^{0} = 1.
Let a also be an element of G. An integer k that solves the equation b^{k} = a is termed a discrete logarithm (or simply logarithm, in this context) of a to the base b. One writes k = log_{b} a.
Examples[edit]
Powers of 10[edit]
The powers of 10 form an infinite subset G = {…, 0.001, 0.01, 0.1, 1, 10, 100, 1000, …} of the rational numbers. This set G is a cyclic group under multiplication, and 10 is a generator. For any element a of the group, one can compute log_{10} a. For example, log_{10} 10000 = 4, and log_{10} 0.001 = −3. These are instances of the discrete logarithm problem.
Other base10 logarithms in the real numbers are not instances of the discrete logarithm problem, because they involve noninteger exponents. For example, the equation log_{10} 53 = 1.724276… means that 10^{1.724276…} = 53. While integer exponents can be defined in any group using products and inverses, arbitrary real exponents in the real numbers require other concepts such as the exponential function.
Powers of a fixed real number[edit]
A similar example holds for any nonzero real number b. The powers form a multiplicative subgroup G = {…, b^{−3}, b^{−2}, b^{−1}, 1, b^{1}, b^{2}, b^{3}, …} of the nonzero real numbers. For any element a of G, one can compute log_{b} a.
Modular arithmetic[edit]
One of the simplest settings for discrete logarithms is the group (Z_{p})^{×}. This is the group of multiplication modulo the prime p. Its elements are congruence classes modulo p, and the group product of two elements may be obtained by ordinary integer multiplication of the elements followed by reduction modulo p.
The kth power of one of the numbers in this group may be computed by finding its kth power as an integer and then finding the remainder after division by p. When the numbers involved are large, it is more efficient to reduce modulo p multiple times during the computation. Regardless of the specific algorithm used, this operation is called modular exponentiation. For example, consider (Z_{17})^{×}. To compute 3^{4} in this group, compute 3^{4} = 81, and then divide 81 by 17, obtaining a remainder of 13. Thus 3^{4} = 13 in the group (Z_{17})^{×}.
The discrete logarithm is just the inverse operation. For example, consider the equation 3^{k} ≡ 13 (mod 17) for k. From the example above, one solution is k = 4, but it is not the only solution. Since 3^{16} ≡ 1 (mod 17)—as follows from Fermat's little theorem—it also follows that if n is an integer then 3^{4+16n} ≡ 3^{4} × (3^{16})^{n} ≡ 13 × 1^{n} ≡ 13 (mod 17). Hence the equation has infinitely many solutions of the form 4 + 16n. Moreover, because 16 is the smallest positive integer m satisfying 3^{m} ≡ 1 (mod 17), these are the only solutions. Equivalently, the set of all possible solutions can be expressed by the constraint that k ≡ 4 (mod 16).
Powers of the identity[edit]
In the special case where b is the identity element 1 of the group G, the discrete logarithm log_{b} a is undefined for a other than 1, and every integer k is a discrete logarithm for a = 1.
Properties[edit]
Powers obey the usual algebraic identity b^{k + l} = b^{k} b^{l}. In other words, the function
defined by f(k) = b^{k} is a group homomorphism from the integers Z under addition onto the subgroup H of G generated by b. For all a in H, log_{b} a exists. Conversely, log_{b} a does not exist for a that are not in H.
If H is infinite, then log_{b} a is also unique, and the discrete logarithm amounts to a group isomorphism
On the other hand, if H is finite of size n, then log_{b} a is unique only up to congruence modulo n, and the discrete logarithm amounts to a group isomorphism
where Z_{n} denotes the additive group of integers modulo n.
The familiar base change formula for ordinary logarithms remains valid: If c is another generator of H, then
Algorithms[edit]
Unsolved problem in computer science: Can the discrete logarithm be computed in polynomial time on a classical computer? (more unsolved problems in computer science)

The discrete logarithm problem is considered to be computationally intractable. That is, no efficient classical algorithm is known for computing discrete logarithms in general.
A general algorithm for computing log_{b} a in finite groups G is to raise b to larger and larger powers k until the desired a is found. This algorithm is sometimes called trial multiplication. It requires running time linear in the size of the group G and thus exponential in the number of digits in the size of the group. Therefore, it is an exponentialtime algorithm, practical only for small groups G.
More sophisticated algorithms exist, usually inspired by similar algorithms for integer factorization. These algorithms run faster than the naïve algorithm, some of them linear in the square root of the size of the group, and thus exponential in half the number of digits in the size of the group. However none of them run in polynomial time (in the number of digits in the size of the group).
 Babystep giantstep
 Function field sieve
 Index calculus algorithm
 Number field sieve
 Pohlig–Hellman algorithm
 Pollard's rho algorithm for logarithms
 Pollard's kangaroo algorithm (aka Pollard's lambda algorithm)
There is an efficient quantum algorithm due to Peter Shor.^{[1]}
Efficient classical algorithms also exist in certain special cases. For example, in the group of the integers modulo p under addition, the power b^{k} becomes a product bk, and equality means congruence modulo p in the integers. The extended Euclidean algorithm finds k quickly.
Comparison with integer factorization[edit]
While computing discrete logarithms and factoring integers are distinct problems, they share some properties:
 both are special cases of the hidden subgroup problem for finite Abelian groups,
 both problems seem to be difficult (no efficient algorithms are known for nonquantum computers),
 for both problems efficient algorithms on quantum computers are known,
 algorithms from one problem are often adapted to the other, and
 the difficulty of both problems has been used to construct various cryptographic systems.
Cryptography[edit]
There exist groups for which computing discrete logarithms is apparently difficult. In some cases (e.g. large prime order subgroups of groups (Z_{p})^{×}) there is not only no efficient algorithm known for the worst case, but the averagecase complexity can be shown to be about as hard as the worst case using random selfreducibility.
At the same time, the inverse problem of discrete exponentiation is not difficult (it can be computed efficiently using exponentiation by squaring, for example). This asymmetry is analogous to the one between integer factorization and integer multiplication. Both asymmetries (and other possibly oneway functions) have been exploited in the construction of cryptographic systems.
Popular choices for the group G in discrete logarithm cryptography are the cyclic groups (Z_{p})^{×} (e.g. ElGamal encryption, Diffie–Hellman key exchange, and the Digital Signature Algorithm) and cyclic subgroups of elliptic curves over finite fields (see elliptic curve cryptography).
While there is no publicly known algorithm for solving the discrete logarithm problem in general, the first three steps of the number field sieve algorithm only depend on the group G, not on the specific elements of G whose finite log is desired. By precomputing these three steps for a specific group, one need only carry out the last step, which is much less computationally expensive than the first three, to obtain a specific logarithm in that group.^{[2]}
It turns out that much Internet traffic uses one of a handful of groups that are of order 1024 bits or less, e.g. cyclic groups with order of the Oakley primes specified in RFC 2409. The Logjam attack used this vulnerability to compromise a variety of Internet services that allowed the use of groups whose order was a 512bit prime number, so called export grade.^{[2]}
The authors of the Logjam attack estimate that the much more difficult precomputation needed to solve the discrete log problem for a 1024bit prime would be within the budget of a large national intelligence agency such as the U.S. National Security Agency (NSA). The Logjam authors speculate that precomputation against widely reused 1024 DH primes is behind claims in leaked NSA documents that NSA is able to break much of current cryptography.^{[2]}
References[edit]
 ^ Shor, Peter (1997). "PolynomialTime Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer". SIAM Journal on Computing. 26 (5): 1484–1509. arXiv:quantph/9508027. doi:10.1137/s0097539795293172. MR 1471990.
 ^ ^{a} ^{b} ^{c} Adrian, David; Bhargavan, Karthikeyan; Durumeric, Zakir; Gaudry, Pierrick; Green, Matthew; Halderman, J. Alex; Heninger, Nadia; Springall, Drew; Thomé, Emmanuel; Valenta, Luke; VanderSloot, Benjamin; Wustrow, Eric; ZanellaBéguelin, Santiago; Zimmermann, Paul (October 2015). "Imperfect Forward Secrecy: How DiffieHellman Fails in Practice" (PDF).
 Rosen, Kenneth H. Elementary Number Theory and Its Application (6th ed.). Pearson. p. 368. ISBN 9780321500311.
 Weisstein, Eric W. "Discrete Logarithm". MathWorld. Wolfram Web. Retrieved 1 January 2019.
Further reading[edit]
 Richard Crandall; Carl Pomerance. Chapter 5, Prime Numbers: A computational perspective, 2nd ed., Springer.
 Stinson, Douglas Robert (2006), Cryptography: Theory and Practice (3rd ed.), London: CRC Press, ISBN 9781584885085