### Question 52. What is the Discrete Logarithm Problem?

The discrete logarithm problem applies to groups. Given an element g in a group G of order t, and another element y of G, the problem is find x , where 0 x t - 1, such that y is the result of composing g with itself x times. The element g can typically generate all the elements of G or at least a large subset by exponentiating (i.e., applying the group operation repeatedly) with all the integers from 0 to t - 1. The element g is called a generator if it can generate all the elements in the group.

Like the factoring problem, the discrete logarithm problem is believed to be difficult and also to be the hard direction of a one-way function. For this reason, it has been the basis of several public-key cryptosystems, including the ElGamal system and DSS (see Question 29 and Question 26). The discrete logarithm problem bears the same relation to these systems as factoring does to RSA: the security of these systems rests on the assumption that discrete logarithms are difficult to compute.

The discrete logarithm problem has received much attention in recent years; descriptions of some of the most efficient algorithms for discrete logarithms over finite fields can be found in [Odl84] [LL90] [COS86] [Gor93] [GM93]. The best discrete logarithm problems have expected running times similar to those of the best factoring algorithms. Rivest [Riv92a] has analyzed the expected time to solve the discrete logarithm problem both in terms of computing power and cost. The discrete logarithm problem appears to be much harder over arbitrary groups than over finite fields; this is the motivation for cryptosystems based on elliptic curves (see Question 31). In general, the running time for computing discrete logarithms in arbitrary groups is , where p is the order of the group [Pol74].