{"title":"A subexponential algorithm for the discrete logarithm problem with applications to cryptography","authors":"L. Adleman","doi":"10.1109/SFCS.1979.2","DOIUrl":null,"url":null,"abstract":"In 1870 Bouniakowsky [2] published an algorithm to solve the congruence a^x ≡ b MOD (q). While his algorithm contained several clever ideas useful for small numbers, its asymptotic complexity was O(q). Despite its long history, no fast algorithm has ever emerged for the Discrete Logarithm Problem and the best published method, due to Shanks [10], requires O(q^{1/2}) in time and space. The problem has attracted renewed interest in recent years because of its use in cryptography [7], [15], [19]. In particular, the security of the Diffie-Hellman Public Key Distribution System [7] \"depends crucially on the difficulty of computing logarithms MOD q\". We present a new algorithm for this problem which runs in RTIME better than O(q^ε) for all ε > 0.† While no effort is made to present the most efficient incarnation of †Actually our algorithm runs in RTIME O(2^{O(√(log(q) loglog(q)))}). RTIME denotes Random Time and refers to algorithms which may use random numbers in their processing. For example, the well known composite testing algorithms of Solovay & Strassen [21], Miller [11] and Rabin [16] run in RTIME (O(log^3(q))). 
For precise definitions see [1], [11] and [9].","PeriodicalId":311166,"journal":{"name":"20th Annual Symposium on Foundations of Computer Science (sfcs 1979)","volume":"98 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"1979-10-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"261","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"20th Annual Symposium on Foundations of Computer Science (sfcs 1979)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SFCS.1979.2","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 261
Abstract
In 1870 Bouniakowsky [2] published an algorithm to solve the congruence a^x ≡ b MOD (q). While his algorithm contained several clever ideas useful for small numbers, its asymptotic complexity was O(q). Despite its long history, no fast algorithm has ever emerged for the Discrete Logarithm Problem and the best published method, due to Shanks [10], requires O(q^{1/2}) in time and space. The problem has attracted renewed interest in recent years because of its use in cryptography [7], [15], [19]. In particular, the security of the Diffie-Hellman Public Key Distribution System [7] "depends crucially on the difficulty of computing logarithms MOD q". We present a new algorithm for this problem which runs in RTIME better than O(q^ε) for all ε > 0.† While no effort is made to present the most efficient incarnation of

† Actually our algorithm runs in RTIME O(2^{O(√(log(q) loglog(q)))}). RTIME denotes Random Time and refers to algorithms which may use random numbers in their processing. For example, the well known composite testing algorithms of Solovay & Strassen [21], Miller [11] and Rabin [16] run in RTIME (O(log^3(q))). For precise definitions see [1], [11] and [9].