Discrete logarithm

Discrete logarithms are defined in group theory in analogy to ordinary logarithms.

Let G be a finite cyclic group with n elements. We assume that the group is written multiplicatively. Let b be a generator of G. Then every element x of G can be written in the form x = b^k for some integer k; furthermore any two such integers representing x will be congruent modulo n. We can thus define a function

log_b : G → Z_n

(where Z_n denotes the ring of integers modulo n) by assigning to x the congruence class of k modulo n. This function is a group isomorphism, called the discrete logarithm to base b.

The familiar base change formula for ordinary logarithms remains valid: if c is another generator of G, then we have

log_c(x) = log_c(b) log_b(x).

For some groups, computing discrete logarithms is believed to be difficult, while the inverse problem of discrete exponentiation is not; this asymmetry is exploited in some applications in cryptography. Popular choices for G in cryptography are the cyclic groups (Z_p)^× (consisting of the number {1,...,p-1} under multiplication modulo the prime p); see ElGamal discrete log cryptosystem, Diffie-Hellman key exchange and the Digital Signature Algorithm.

The Pohlig-Hellman algorithm[?] can be used to compute discrete logarithms in these groups if p-1 is a product of small primes, so this should be avoided in those applications. The index calculus[?] is another method to compute discrete logarithms in these groups, as is the birthday attack.

Newer cryptography applications use discrete logarithms in cyclic subgroups of elliptic curves over finite fields. See Elliptic curve cryptography.