art of problem solving pre calculus

• SPECIAL EDITION ABACUS
• Current RS2 User
• Individual Items
• Online Classes
• RightStart™ E-Books
• Art of Problem Solving
• Jacob's
• Homeschool Planet Lesson Plans
• Tutor Topics
• Supplements & Games
• Placement Test
• Central African CFA Franc
• West African CFA Franc
• Compare ( )
• Sign in or Register

• Home School
• High School

Art of Problem Solving Precalculus

Write a review.

• Create New Wish List
• Description

Precalculus   is part of the acclaimed Art of Problem Solving curriculum designed to challenge high-performing middle and high school students.   Precalculus   covers trigonometry, complex numbers, vectors, and matrices. It includes nearly 1000 problems, ranging from routine exercises to extremely challenging problems drawn from major mathematics competitions such as the American Invitational Mathematics Exam and the USA Mathematical Olympiad. Almost half of the problems have full, detailed solutions in the text, and the rest have full solutions in the accompanying Solutions Manual.

As with all of the books in Art of Problem Solving's Introduction and Intermediate series,   Precalculus   is structured to inspire the reader to explore and develop new ideas. Each section starts with problems, so the student has a chance to solve them without help before proceeding. The text then includes solutions to these problems, through which new techniques are taught. Important facts and powerful problem solving approaches are highlighted throughout the text.

This set includes both the lessons and solutions manuals.

Related Products

Art of Problem Solving Calculus

Art of Problem Solving Introduction to Algebra

Art of Problem Solving Introduction to Geometry

Honors Math 10 covers a full year of Precalculus for advanced tenth graders and above (ages 15+).

Live instructors guide students in engaging Precalculus lessons by teaching problem-solving techniques that help them succeed beyond the classroom.

View the course syllabus for full class information and a list of topics.

Students who complete Honors Math 9 are ready for Honors Math 10. To determine if your student is ready for this course or others at the Virtual Campus, learn more here .

Our expert instructors use Art of Problem Solving curriculum to teach Honors Math 10: Precalculus. AoPS curriculum is a much broader and deeper exploration of challenging mathematics than a typical math curriculum, preparing students for success at top universities and in competitive careers.

This course covers the Art of Problem Solving Precalculus book.

Honors Math 10 In this course, students gain a full mastery of trigonometric functions, identities, and applications, as well as an understanding of parametric equations, complex numbers, the Fundamental Theorem of Algebra, vector geometry, and matrices.

Our instructors hold classes virtually, in a small-sized (10-16 students) videoconferencing classroom.

There are about 2 to 3 hours of homework each week. There are two timed exams in the course — one at the midpoint of the course, and one at the end.

Visit our tuition page to learn more about our drop and refund policies.

The course runs for 36 weeks with one 105-minute lesson per week.

Snapsolve any problem by taking a picture. Try it in the Numerade app?

Solutions for Art of Problem Solving Precalculus Solutions 1st

Naoki sato, richard rusczyk, get access to all of the answers and step-by-step video explanations to this book and 5,000+ more. try numerade free., functions review, introduction to trigonometric functions, trigonometric identities, applications to geometry, parameterization and trigonometric coordinate systems, basics of complex numbers, trigonometry and complex numbers, geometry of complex numbers, vectors in two dimensions, matrices in two dimensions, vectors and matrices in three dimensions, part 1, vectors and matrices in three dimensions, part 2, vector geometry.

What our students say

97% of Numerade Students Report Better Grades

Create an account to get free access

A free answer just for you

Watch the video solution with this free unlock.

Log in to watch this video ...and 100,000,000 more!

Ask the publishers to restore access to 500,000+ books.

Internet Archive Audio

• This Just In
• Grateful Dead
• Old Time Radio
• 78 RPMs and Cylinder Recordings
• Audio Books & Poetry
• Computers, Technology and Science
• Music, Arts & Culture
• News & Public Affairs
• Spirituality & Religion
• Radio News Archive

• Flickr Commons
• Occupy Wall Street Flickr
• NASA Images
• Solar System Collection
• Ames Research Center

• All Software
• Old School Emulation
• MS-DOS Games
• Historical Software
• Classic PC Games
• Software Library
• Kodi Archive and Support File
• Vintage Software
• CD-ROM Software
• CD-ROM Software Library
• Software Sites
• Tucows Software Library
• Shareware CD-ROMs
• Software Capsules Compilation
• CD-ROM Images
• ZX Spectrum
• DOOM Level CD

• Smithsonian Libraries
• FEDLINK (US)
• Lincoln Collection
• American Libraries
• Canadian Libraries
• Universal Library
• Project Gutenberg
• Children's Library
• Biodiversity Heritage Library
• Books by Language
• Additional Collections

• Prelinger Archives
• Democracy Now!
• Occupy Wall Street
• TV NSA Clip Library
• Animation & Cartoons
• Arts & Music
• Computers & Technology
• Cultural & Academic Films
• Ephemeral Films
• Sports Videos
• Videogame Videos
• Youth Media

Search the history of over 866 billion web pages on the Internet.

Mobile Apps

• Wayback Machine (iOS)
• Wayback Machine (Android)

Browser Extensions

Archive-it subscription.

• Explore the Collections
• Build Collections

Save Page Now

Capture a web page as it appears now for use as a trusted citation in the future.

Please enter a valid web address

• Donate Donate icon An illustration of a heart shape

Calculus The Art of Problem Solving.pdf

Bookreader item preview, share or embed this item, flag this item for.

• Graphic Violence
• Explicit Sexual Content
• Hate Speech
• Misinformation/Disinformation
• Marketing/Phishing/Advertising
• Misleading/Inaccurate/Missing Metadata

A comprehensive textbook covering single-variable calculus. Specific topics covered include limits, continuity, derivatives, integrals, power series, plane curves, and differential equations.

Calculus David Patrick Paperback (2nd edition) Text: 336 pages. A comprehensive textbook covering single-variable calculus. Specific topics covered include limits, continuity, derivatives, integrals, power series, plane curves, and differential equations.

plus-circle Add Review comment Reviews

2,030 Views

25 Favorites

DOWNLOAD OPTIONS

For users with print-disabilities

IN COLLECTIONS

Uploaded by Who Am I704 on November 2, 2022

SIMILAR ITEMS (based on metadata)

Double Index Calculus Algorithm: Faster Solving Discrete Logarithm Problem in Finite Prime Field

Solving the discrete logarithm problem in a finite prime field is an extremely important computing problem in modern cryptography. The hardness of solving the discrete logarithm problem in a finite prime field is the security foundation of numerous cryptography schemes. In this paper, we propose the double index calculus algorithm to solve the discrete logarithm problem in a finite prime field. Our algorithm is faster than the index calculus algorithm, which is the state-of-the-art algorithm for solving the discrete logarithm problem in a finite prime field. Empirical experiment results indicate that our algorithm could be more than a 30-fold increase in computing speed than the index calculus algorithm when the bit length of the order of prime field is 70 bits. In addition, our algorithm is more general than the index calculus algorithm. Specifically, when the base of the target discrete logarithm problem is not the multiplication generator, the index calculus algorithm may fail to solve the discrete logarithm problem while our algorithm still can work.

Index Terms:

I introduction.

The discrete logarithm problem in a finite prime field is an important computing problem in modern cryptography. In 1976, Diffie and Hellman built the first key exchange protocol on the discrete logarithm problem [ 1 ] . After that, massive cryptography schemes based their security on the hardness of solving the discrete logarithm problem in a finite prime field such as public-key encryption schemes [ 2 , 3 ] , digital signature schemes [ 4 ] , deniable authenticated encryption schemes [ 5 ] , and so on.

Several algorithms have been proposed to solve the discrete logarithm problem, including the baby-step giant-step algorithm [ 6 ] , the PohligHellman algorithm [ 7 ] , the rho together with kangaroo algorithm [ 8 ] , and index calculus algorithm (which first appeared in [ 9 , 10 , 11 ] , and which was rediscovered and analyzed by [ 12 , 13 , 8 ] ). The index calculus algorithm is the state-of-the-art algorithm to solve the discrete logarithm problem in the finite prime field [ 14 , 15 ] .

The index calculus algorithm comprises two phases. In the first phase, discrete logarithms of all primes in factor base (which consists of all primes smaller than a bound named smoothness bound) are calculated. Specifically, assume that the target discrete logarithm problem is to find x 𝑥 x italic_x such that g x mod p ≡ b modulo superscript 𝑔 𝑥 𝑝 𝑏 g^{x}\mod p\equiv b italic_g start_POSTSUPERSCRIPT italic_x end_POSTSUPERSCRIPT roman_mod italic_p ≡ italic_b , where p 𝑝 p italic_p is a large prime (the order of finite prime field) and g 𝑔 g italic_g is the multiplication generator of field. Discrete logarithms of all primes in factor base are calculated by the equations system ( 2 ). To construct the equations system ( 2 ), massive integers are randomly generated to find n ⁢ ( n > k ) 𝑛 𝑛 𝑘 n\ (n>k) italic_n ( italic_n > italic_k ) integers t i ⁢ ( 1 ≤ i ≤ n ) subscript 𝑡 𝑖 1 𝑖 𝑛 t_{i}\ (1\leq i\leq n) italic_t start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT ( 1 ≤ italic_i ≤ italic_n ) such that

Here, log g ⁡ p i ⁢ ( 1 ≤ i ≤ k ) subscript 𝑔 subscript 𝑝 𝑖 1 𝑖 𝑘 \log_{g}p_{i}\ (1\leq i\leq k) roman_log start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT italic_p start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT ( 1 ≤ italic_i ≤ italic_k ) represents the discrete logarithm of prime p i subscript 𝑝 𝑖 p_{i} italic_p start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT base g 𝑔 g italic_g modulo p 𝑝 p italic_p . In the second phase, the discrete logarithm of the given integer b 𝑏 b italic_b is calculated by finding another random integer t 𝑡 t italic_t such that b ⁢ g t mod p ≡ p 1 e 1 ⁢ p 2 e 2 ⁢ ⋯ ⁢ p k e k modulo 𝑏 superscript 𝑔 𝑡 𝑝 superscript subscript 𝑝 1 subscript 𝑒 1 superscript subscript 𝑝 2 subscript 𝑒 2 ⋯ superscript subscript 𝑝 𝑘 subscript 𝑒 𝑘 bg^{t}\mod p\equiv p_{1}^{e_{1}}p_{2}^{e_{2}}\cdots p_{k}^{e_{k}} italic_b italic_g start_POSTSUPERSCRIPT italic_t end_POSTSUPERSCRIPT roman_mod italic_p ≡ italic_p start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT start_POSTSUPERSCRIPT italic_e start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT end_POSTSUPERSCRIPT italic_p start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT start_POSTSUPERSCRIPT italic_e start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT end_POSTSUPERSCRIPT ⋯ italic_p start_POSTSUBSCRIPT italic_k end_POSTSUBSCRIPT start_POSTSUPERSCRIPT italic_e start_POSTSUBSCRIPT italic_k end_POSTSUBSCRIPT end_POSTSUPERSCRIPT . Specifically, the target discrete logarithm is calculated by the following equation ( 3 ), namely

Continuous efforts are dedicated to improving the index calculus algorithm and many variants of index calculus algorithm are proposed. The number field sieve [ 16 ] and the function field sieve [ 17 ] are famous variants of the index calculus algorithm and they are both sub-exponential time algorithms for solving the discrete logarithm problem in a finite prime field. Sieve methods improve the index calculus algorithm a lot because sieve methods can find random integers t 1 subscript 𝑡 1 t_{1} italic_t start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , t 2 subscript 𝑡 2 t_{2} italic_t start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT , ⋯ ⋯ \cdots ⋯ , t n subscript 𝑡 𝑛 t_{n} italic_t start_POSTSUBSCRIPT italic_n end_POSTSUBSCRIPT , t 𝑡 t italic_t mentioned above much faster. In brief, the all famous successful variants of index calculus algorithm achieve faster solving discrete logarithm problem by constructing methods to find t 1 subscript 𝑡 1 t_{1} italic_t start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , t 2 subscript 𝑡 2 t_{2} italic_t start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT , ⋯ ⋯ \cdots ⋯ , t n subscript 𝑡 𝑛 t_{n} italic_t start_POSTSUBSCRIPT italic_n end_POSTSUBSCRIPT , t 𝑡 t italic_t mentioned above faster.

𝑘 1 k+1 italic_k + 1 . Due to the decrease in the number of discrete logarithms that need to be obtained before solving the target discrete logarithm, our algorithm can solve the discrete logarithm problem much faster.

I-A Our Contribution

𝑘 1 k+1 italic_k + 1 . Due to the decrease in the number of discrete logarithms that have to be obtained, calculation speed of our algorithm increase a lot.

I-B Advantages of Our Algorithm

Our algorithm has three advantages, namely fast calculation speed, high generality, and compatibility with tricks which other variants of index calculus algorithm utilize to speed up finding smooth integers (namely, integers satisfying equation ( 1 )).

First, our algorithm outperforms the state-of-the-art index calculus algorithm significantly in computing speed when solving the discrete logarithm problem in a finite prime field. We compare our algorithm with the index calculus algorithm theoretically in TABLE II and prove that our algorithm is faster. Through empirical experiments, we observe that our algorithm achieves a speed advantage exceeding 30 times (75426/2211 ≈ \approx ≈ 34, these data are referenced in TABLE IV ) in some cases over the fastest index calculus algorithm when the bit length of the order of prime field is relatively large 70 bits. Empirical experiment results also imply that our algorithm may be faster than the fastest index calculus algorithm more than 30 times as the bit length continues to increase from 70 bits.

Our algorithm is more general than the index calculus algorithm. Specifically, when the base of the discrete logarithm problem is not the multiplication generator of the finite prime field, the discrete logarithms of some primes in factor base may not exist, which may cause the index calculus algorithm to fail. However, our algorithm still can work even if the discrete logarithms of some primes do not exist. Thus, our algorithm is more general in terms of whether or not the base of the discrete logarithm problem needs to be a multiplication generator.

Our algorithm also can utilize tricks of speeding up finding smooth integers to speed up solving the discrete logarithm problem further. In particular, our algorithm can utilize all tricks (which speed up solving the discrete logarithm problem by speeding up finding smooth integer first) of other variants of index calculus algorithm to find smooth integers first. And then, the tricks constructed in this paper can be utilized to reduce the number of needed smooth integers further. This advantage makes our algorithm faster than the index calculus algorithm together with its all famous variants.

I-C Technical Overview

New way solving discrete logarithm problem . Each different algorithm to solve the discrete logarithm problem builds its own unique equation related to the target discrete logarithm problem and the target discrete logarithm is obtained by the build equation. For example, the index calculus algorithm utilizes the equation ( 4 ), namely

to calculate the target discrete logarithm after the discrete logarithms of all primes in factor base are obtained. In the baby step giant step algorithm, the target discrete logarithm is obtained by fining a 1 subscript 𝑎 1 a_{1} italic_a start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , a 2 subscript 𝑎 2 a_{2} italic_a start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT , and a 3 subscript 𝑎 3 a_{3} italic_a start_POSTSUBSCRIPT 3 end_POSTSUBSCRIPT such that

when the target discrete logarithm problem is to find x 𝑥 x italic_x such that g x mod p ≡ b modulo superscript 𝑔 𝑥 𝑝 𝑏 g^{x}\mod p\equiv b italic_g start_POSTSUPERSCRIPT italic_x end_POSTSUPERSCRIPT roman_mod italic_p ≡ italic_b . In this paper, we utilize a new equations system to calculate the target discrete logarithm. Specifically, find α 𝛼 \alpha italic_α , β 𝛽 \beta italic_β , and γ 𝛾 \gamma italic_γ such that

The target discrete logarithm is calculated by the equation ( 7 )

discrete logarithms of some primes could be obtained although not discrete logarithms of all primes in factor base are obtained when i 𝑖 i italic_i is less than the number of primes in factor base. Similarly, by building the equations system

discrete logarithms of some primes base b 𝑏 b italic_b could be obtained although not discrete logarithms of all primes in factor base are obtained. By comparing solutions of two equations systems, the prime whose discrete logarithms base g 𝑔 g italic_g and b 𝑏 b italic_b are both obtained can be identified.

𝑘 1 k+1 italic_k + 1 discrete logarithms of primes in factor base.

𝑘 1 k+1 italic_k + 1 discrete logarithms in total. Our algorithm can solve the target discrete logarithm problem when discrete logarithms of some primes not all primes in factor base are obtained. For example, as long as log g ⁡ p 1 subscript 𝑔 subscript 𝑝 1 \log_{g}p_{1} roman_log start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT italic_p start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT and log b ⁡ p 1 subscript 𝑏 subscript 𝑝 1 \log_{b}p_{1} roman_log start_POSTSUBSCRIPT italic_b end_POSTSUBSCRIPT italic_p start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT are both obtained the target discrete logarithm problem can be solved. In this extremely nice case, only two discrete logarithms are needed to solve the target discrete logarithm problem through our algorithm.

𝑘 1 k+1 italic_k + 1 discrete logarithms of primes in factor. That is, our algorithm can solve the discrete logarithm problem faster than index calculus algorithm which is the fastest algorithm to solve the discrete logarithm problem.

II Preliminaries

In this section, preliminaries are introduced, including the definition of discrete logarithm problem and the concept of smooth integer. At the last, the notations used in this paper are summarized in a table.

II-A Discrete Logarithm Problem

The discrete logarithm problem in the finite prime field holds significant importance in modern cryptography. Numerous cryptographic schemes rely on the assumption that solving the discrete logarithm problem in the finite prime field is computationally difficult. The definition of the discrete logarithm problem is as follows:

Discrete logarithm problem: In a finite prime field with p 𝑝 p italic_p elements, for given integers b 𝑏 b italic_b and g 𝑔 g italic_g , find the smallest non-negative integer x 𝑥 x italic_x such that g x ≡ b mod p superscript 𝑔 𝑥 modulo 𝑏 𝑝 g^{x}\equiv b\mod p italic_g start_POSTSUPERSCRIPT italic_x end_POSTSUPERSCRIPT ≡ italic_b roman_mod italic_p , where p 𝑝 p italic_p usually is a large prime integer.

II-B smooth Integer

The smooth integer is an important concept in cryptography and it relies on factorization of integers. The definition of smooth integer is as follows:

B-smooth integer: An integer is B 𝐵 B italic_B -smooth if its all prime factors are less than or equal to B 𝐵 B italic_B .

For example, 77=7*11 is an 11-smooth integer. Main notations used in this paper are summarized in TABLE I .

III Double Index Calculus Algorithm

In this section, we begin by elaborating on our idea, followed by a formal presentation of our algorithm. At last, we verify the correctness of our algorithm and compare our algorithm with the state-of-the-art index calculus algorithm in terms of time complexity.

Assume that the target is to find the discrete logarithm x 𝑥 x italic_x such that g x mod p ≡ b modulo superscript 𝑔 𝑥 𝑝 𝑏 g^{x}\mod p\equiv b italic_g start_POSTSUPERSCRIPT italic_x end_POSTSUPERSCRIPT roman_mod italic_p ≡ italic_b , where p 𝑝 p italic_p is a large prime integer. We find that the target discrete logarithm x 𝑥 x italic_x can be obtained if we find three integers α 𝛼 \alpha italic_α , β 𝛽 \beta italic_β , γ 𝛾 \gamma italic_γ such that the next two equations ( 11 ) and ( 12 ) hold, namely

Therefore, we have

Here, α 𝛼 \alpha italic_α , β 𝛽 \beta italic_β , and γ 𝛾 \gamma italic_γ could be any integers in the above equations. How to find three integers satisfying equations ( 11 ) and ( 12 ) ? Inspired by the index calculus algorithm, we find that α 𝛼 \alpha italic_α , β 𝛽 \beta italic_β , and γ 𝛾 \gamma italic_γ can be found by constructing equations systems through smooth integers if γ 𝛾 \gamma italic_γ is restricted to be the prime only.

Choose a random integer t 1 subscript 𝑡 1 t_{1} italic_t start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT .

Factorize g t 1 mod p modulo superscript 𝑔 subscript 𝑡 1 𝑝 g^{t_{1}}\mod p italic_g start_POSTSUPERSCRIPT italic_t start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT end_POSTSUPERSCRIPT roman_mod italic_p into the form of p 1 e 1 1 ⁢ p 2 e 2 1 ⁢ ⋯ ⁢ p k e k 1 superscript subscript 𝑝 1 superscript subscript 𝑒 1 1 superscript subscript 𝑝 2 superscript subscript 𝑒 2 1 ⋯ superscript subscript 𝑝 𝑘 superscript subscript 𝑒 𝑘 1 p_{1}^{e_{1}^{1}}p_{2}^{e_{2}^{1}}\cdots p_{k}^{e_{k}^{1}} italic_p start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT start_POSTSUPERSCRIPT italic_e start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT start_POSTSUPERSCRIPT 1 end_POSTSUPERSCRIPT end_POSTSUPERSCRIPT italic_p start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT start_POSTSUPERSCRIPT italic_e start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT start_POSTSUPERSCRIPT 1 end_POSTSUPERSCRIPT end_POSTSUPERSCRIPT ⋯ italic_p start_POSTSUBSCRIPT italic_k end_POSTSUBSCRIPT start_POSTSUPERSCRIPT italic_e start_POSTSUBSCRIPT italic_k end_POSTSUBSCRIPT start_POSTSUPERSCRIPT 1 end_POSTSUPERSCRIPT end_POSTSUPERSCRIPT .

When g t 1 mod p modulo superscript 𝑔 subscript 𝑡 1 𝑝 g^{t_{1}}\mod p italic_g start_POSTSUPERSCRIPT italic_t start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT end_POSTSUPERSCRIPT roman_mod italic_p can not be factorized into the form of p 1 e 1 1 ⁢ p 2 e 2 1 ⁢ ⋯ ⁢ p k e k 1 superscript subscript 𝑝 1 superscript subscript 𝑒 1 1 superscript subscript 𝑝 2 superscript subscript 𝑒 2 1 ⋯ superscript subscript 𝑝 𝑘 superscript subscript 𝑒 𝑘 1 p_{1}^{e_{1}^{1}}p_{2}^{e_{2}^{1}}\cdots p_{k}^{e_{k}^{1}} italic_p start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT start_POSTSUPERSCRIPT italic_e start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT start_POSTSUPERSCRIPT 1 end_POSTSUPERSCRIPT end_POSTSUPERSCRIPT italic_p start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT start_POSTSUPERSCRIPT italic_e start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT start_POSTSUPERSCRIPT 1 end_POSTSUPERSCRIPT end_POSTSUPERSCRIPT ⋯ italic_p start_POSTSUBSCRIPT italic_k end_POSTSUBSCRIPT start_POSTSUPERSCRIPT italic_e start_POSTSUBSCRIPT italic_k end_POSTSUBSCRIPT start_POSTSUPERSCRIPT 1 end_POSTSUPERSCRIPT end_POSTSUPERSCRIPT , then choose another integer as the value of t 1 subscript 𝑡 1 t_{1} italic_t start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT and factorize g t 1 mod p modulo superscript 𝑔 subscript 𝑡 1 𝑝 g^{t_{1}}\mod p italic_g start_POSTSUPERSCRIPT italic_t start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT end_POSTSUPERSCRIPT roman_mod italic_p until a suitable value of t 1 subscript 𝑡 1 t_{1} italic_t start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT is found.

An equations system is established after the set { t 1 \{t_{1} { italic_t start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , t 2 subscript 𝑡 2 t_{2} italic_t start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT , ⋯ ⋯ \cdots ⋯ , t k } t_{k}\} italic_t start_POSTSUBSCRIPT italic_k end_POSTSUBSCRIPT } is found, namely

{ log g ⁡ p 1 , log g ⁡ p 2 , ⋯ , log g ⁡ p k } subscript 𝑔 subscript 𝑝 1 subscript 𝑔 subscript 𝑝 2 ⋯ subscript 𝑔 subscript 𝑝 𝑘 \{\log_{g}p_{1},\log_{g}p_{2},\cdots,\log_{g}p_{k}\} { roman_log start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT italic_p start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , roman_log start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT italic_p start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT , ⋯ , roman_log start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT italic_p start_POSTSUBSCRIPT italic_k end_POSTSUBSCRIPT } can be calculated by solving the equation system ( 13 ). Assume that

Then, we have

To find β 𝛽 \beta italic_β such that b β mod p ≡ p 1 modulo superscript 𝑏 𝛽 𝑝 subscript 𝑝 1 b^{\beta}\mod p\equiv p_{1} italic_b start_POSTSUPERSCRIPT italic_β end_POSTSUPERSCRIPT roman_mod italic_p ≡ italic_p start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , we could replace g 𝑔 g italic_g with b 𝑏 b italic_b and then perform the above calculation process once again to calculate the discrete logarithm of p 1 subscript 𝑝 1 p_{1} italic_p start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT base b 𝑏 b italic_b .

Notably, although our algorithm and the index calculus algorithm both establish an equations system through smooth integers, there is a significant difference between our algorithm and the index calculus algorithm. Specifically, our algorithm only requires discrete logarithms of some primes in factor base while the index calculus algorithm requires discrete logarithms of all primes in factor base.

For example, given base g = 17 𝑔 17 g=17 italic_g = 17 , module p = 227 𝑝 227 p=227 italic_p = 227 , smoothness bound B = 15 𝐵 15 B=15 italic_B = 15 , and an integer b = 103 𝑏 103 b=103 italic_b = 103 , find x 𝑥 x italic_x such that 17 x = 103 mod 227 superscript 17 𝑥 modulo 103 227 17^{x}=103\mod 227 17 start_POSTSUPERSCRIPT italic_x end_POSTSUPERSCRIPT = 103 roman_mod 227 . Let factor base Ω Ω \Omega roman_Ω be

For the index calculus algorithm, six 15-smooth integers are needed to compute discrete logarithms of all primes in factor base Ω Ω \Omega roman_Ω . Assume that found smooth integers are 37 37 37 37 , 179 179 179 179 , 96 96 96 96 , 18 18 18 18 , 199 199 199 199 , and 65 65 65 65 . Then established equations system is

Discrete logarithms of all primes in factor base are all obtained by solving the above equations system after six 15-smooth integers are found.

However, log 17 ⁡ 2 subscript 17 2 \log_{17}2 roman_log start_POSTSUBSCRIPT 17 end_POSTSUBSCRIPT 2 and log 17 ⁡ 3 subscript 17 3 \log_{17}3 roman_log start_POSTSUBSCRIPT 17 end_POSTSUBSCRIPT 3 can be calculated without the equations ( 16 ) 16 (\ref{eqsystem3}) ( ) , ( 17 ) 17 (\ref{eqsystem4}) ( ) , ( 18 ) 18 (\ref{eqsystem5}) ( ) , ( 19 (\ref{eqsystem6} ( ). Thus, obtaining the equation ( 11 ) our algorithm desires only needs two 15-smooth integers, not six 15-smooth integers. If the next random integer is 4, we have

Then, we have log 15 ⁡ 2 mod 227 ≡ 2 modulo subscript 15 2 227 2 \log_{15}2\mod 227\equiv 2 roman_log start_POSTSUBSCRIPT 15 end_POSTSUBSCRIPT 2 roman_mod 227 ≡ 2 . In total, our algorithm solves the target discrete logarithm problem by calculating 3 discrete logarithms. The significant difference between our algorithm and index calculus algorithm is that: to solve the target discrete logarithm problem, our algorithm needs to calculate less discrete logarithms than the index calculus algorithm.

Although the above example is intentionally created, we will prove that the number of calculating discrete logarithms required by our algorithm is less than the number of calculating discrete logarithms required by the index calculus algorithm later.

In a word, our idea can be summarized as follows: to solve the target discrete logarithm problem, some discrete logarithms base g 𝑔 g italic_g are calculated, which are denoted by { { \{ { log g ⁡ p 1 subscript 𝑔 subscript 𝑝 1 \log_{g}p_{1} roman_log start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT italic_p start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , log g ⁡ p 2 subscript 𝑔 subscript 𝑝 2 \log_{g}p_{2} roman_log start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT italic_p start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT , ⋯ ⋯ \cdots ⋯ , log g ⁡ p i subscript 𝑔 subscript 𝑝 𝑖 \log_{g}p_{i} roman_log start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT italic_p start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT } } \} } . Meanwhile, some discrete logarithms base b 𝑏 b italic_b are also calculated, which are denoted by { { \{ { log b ⁡ p ¯ 1 subscript 𝑏 subscript ¯ 𝑝 1 \log_{b}\bar{p}_{1} roman_log start_POSTSUBSCRIPT italic_b end_POSTSUBSCRIPT over¯ start_ARG italic_p end_ARG start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , log b ⁡ p ¯ 2 subscript 𝑏 subscript ¯ 𝑝 2 \log_{b}\bar{p}_{2} roman_log start_POSTSUBSCRIPT italic_b end_POSTSUBSCRIPT over¯ start_ARG italic_p end_ARG start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT , ⋯ ⋯ \cdots ⋯ , log b ⁡ p ¯ j subscript 𝑏 subscript ¯ 𝑝 𝑗 \log_{b}\bar{p}_{j} roman_log start_POSTSUBSCRIPT italic_b end_POSTSUBSCRIPT over¯ start_ARG italic_p end_ARG start_POSTSUBSCRIPT italic_j end_POSTSUBSCRIPT } } \} } . The target discrete logarithm problem can be solved as long as { p 1 , p 2 , ⋯ , p i } ∩ { p ¯ 1 , p ¯ 2 , ⋯ , p ¯ j } ≠ ∅ subscript 𝑝 1 subscript 𝑝 2 ⋯ subscript 𝑝 𝑖 subscript ¯ 𝑝 1 subscript ¯ 𝑝 2 ⋯ subscript ¯ 𝑝 𝑗 \{p_{1},p_{2},\cdots,p_{i}\}\cap\{\bar{p}_{1},\bar{p}_{2},\cdots,\bar{p}_{j}\}\neq\emptyset { italic_p start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , italic_p start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT , ⋯ , italic_p start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT } ∩ { over¯ start_ARG italic_p end_ARG start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , over¯ start_ARG italic_p end_ARG start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT , ⋯ , over¯ start_ARG italic_p end_ARG start_POSTSUBSCRIPT italic_j end_POSTSUBSCRIPT } ≠ ∅ . Without loss of generality, assume p ¯ ∈ { p 1 , p 2 , ⋯ , p i } ∩ { p ¯ 1 , p ¯ 2 , ⋯ , p ¯ j } ¯ 𝑝 subscript 𝑝 1 subscript 𝑝 2 ⋯ subscript 𝑝 𝑖 subscript ¯ 𝑝 1 subscript ¯ 𝑝 2 ⋯ subscript ¯ 𝑝 𝑗 \bar{p}\in\{p_{1},p_{2},\cdots,p_{i}\}\cap\{\bar{p}_{1},\bar{p}_{2},\cdots,% \bar{p}_{j}\} over¯ start_ARG italic_p end_ARG ∈ { italic_p start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , italic_p start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT , ⋯ , italic_p start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT } ∩ { over¯ start_ARG italic_p end_ARG start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , over¯ start_ARG italic_p end_ARG start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT , ⋯ , over¯ start_ARG italic_p end_ARG start_POSTSUBSCRIPT italic_j end_POSTSUBSCRIPT } such that log g ⁡ p ¯ mod p ≡ α modulo subscript 𝑔 ¯ 𝑝 𝑝 𝛼 \log_{g}\bar{p}\mod p\equiv\alpha roman_log start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT over¯ start_ARG italic_p end_ARG roman_mod italic_p ≡ italic_α and log b ⁡ p ¯ mod p ≡ β modulo subscript 𝑏 ¯ 𝑝 𝑝 𝛽 \log_{b}\bar{p}\mod p\equiv\beta roman_log start_POSTSUBSCRIPT italic_b end_POSTSUBSCRIPT over¯ start_ARG italic_p end_ARG roman_mod italic_p ≡ italic_β . Then, the target discrete logarithm is α ⁢ β − 1 mod ( p − 1 ) modulo 𝛼 superscript 𝛽 1 𝑝 1 \alpha\beta^{-1}\mod(p-1) italic_α italic_β start_POSTSUPERSCRIPT - 1 end_POSTSUPERSCRIPT roman_mod ( italic_p - 1 ) .

III-B Our Algorithm

Based on the above idea, we propose the double index calculus algorithm. The schematic diagram of our algorithm is in Figure 1 . In brief, massive random integers are generated to construct two equations systems first, and then discrete logarithms of some primes in factor base are obtained through solving the two equations systems. At last, the target discrete logarithm is obtained when one prime’s discrete logarithms base g 𝑔 g italic_g and base b 𝑏 b italic_b are both obtained. Our algorithm is formally presented in Algorithm 1 .

III-C Correctness

In this subsection, we prove that our algorithm can output the target discrete logarithm first. And then, in the next subsection we compare our algorithm with the index calculus algorithm in terms of time complexity.

Theorem 1: For the finite prime field formed by modulo a large prime p 𝑝 p italic_p with multiplication generator g 𝑔 g italic_g and any given number b 𝑏 b italic_b , the double index calculus algorithm can find x 𝑥 x italic_x such that g x mod p ≡ b modulo superscript 𝑔 𝑥 𝑝 𝑏 g^{x}\mod p\equiv b italic_g start_POSTSUPERSCRIPT italic_x end_POSTSUPERSCRIPT roman_mod italic_p ≡ italic_b .

proof: Steps from 6 to 14 in the double index calculus algorithm obtain the vector X g subscript 𝑋 𝑔 X_{g} italic_X start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT and matrix M g subscript 𝑀 𝑔 M_{g} italic_M start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT . Assume that there are i 𝑖 i italic_i components in vector X g subscript 𝑋 𝑔 X_{g} italic_X start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT and i 𝑖 i italic_i rows in matrix M g subscript 𝑀 𝑔 M_{g} italic_M start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT . We add subscripts to distinguish different components in X g subscript 𝑋 𝑔 X_{g} italic_X start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT and superscripts to distinguish different rows in M g subscript 𝑀 𝑔 M_{g} italic_M start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT . Then, we have

We know that ∀ i for-all 𝑖 \forall i ∀ italic_i the equation g t i mod p ≡ p 1 e 1 i ⁢ p 2 e 2 i ⁢ ⋯ ⁢ p k e k i modulo superscript 𝑔 subscript 𝑡 𝑖 𝑝 superscript subscript 𝑝 1 superscript subscript 𝑒 1 𝑖 superscript subscript 𝑝 2 superscript subscript 𝑒 2 𝑖 ⋯ superscript subscript 𝑝 𝑘 superscript subscript 𝑒 𝑘 𝑖 g^{t_{i}}\mod p\equiv p_{1}^{e_{1}^{i}}p_{2}^{e_{2}^{i}}\cdots p_{k}^{e_{k}^{i}} italic_g start_POSTSUPERSCRIPT italic_t start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT end_POSTSUPERSCRIPT roman_mod italic_p ≡ italic_p start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT start_POSTSUPERSCRIPT italic_e start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT start_POSTSUPERSCRIPT italic_i end_POSTSUPERSCRIPT end_POSTSUPERSCRIPT italic_p start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT start_POSTSUPERSCRIPT italic_e start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT start_POSTSUPERSCRIPT italic_i end_POSTSUPERSCRIPT end_POSTSUPERSCRIPT ⋯ italic_p start_POSTSUBSCRIPT italic_k end_POSTSUBSCRIPT start_POSTSUPERSCRIPT italic_e start_POSTSUBSCRIPT italic_k end_POSTSUBSCRIPT start_POSTSUPERSCRIPT italic_i end_POSTSUPERSCRIPT end_POSTSUPERSCRIPT holds. Therefore, we have the following equations system

When the rank of M g subscript 𝑀 𝑔 M_{g} italic_M start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT is smaller than k 𝑘 k italic_k , discrete logarithms of some primes in factor base may be obtained while discrete logarithms of the rest primes in factor base may not be obtained through equations system ( 25 ). As i 𝑖 i italic_i increases, the rank of M g subscript 𝑀 𝑔 M_{g} italic_M start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT becomes larger and will exceed k 𝑘 k italic_k . Discrete logarithms of all primes in factor base can be calculated through the equations system ( 25 ) when the rank of M g subscript 𝑀 𝑔 M_{g} italic_M start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT becomes k 𝑘 k italic_k . Thus, we can get

Notably, when computing L g subscript 𝐿 𝑔 L_{g} italic_L start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT , it is likely to encounter non-invertible elements. For example, 2 is never invertible because p − 1 𝑝 1 p-1 italic_p - 1 is even. Whenever this happens we can use a greatest common divisor algorithm to obtain a non-trivial factorization p − 1 = p ^ 1 ⁢ p ^ 2 𝑝 1 subscript ^ 𝑝 1 subscript ^ 𝑝 2 p-1=\hat{p}_{1}\hat{p}_{2} italic_p - 1 = over^ start_ARG italic_p end_ARG start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT over^ start_ARG italic_p end_ARG start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT with p ^ 1 subscript ^ 𝑝 1 \hat{p}_{1} over^ start_ARG italic_p end_ARG start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT and p ^ 2 subscript ^ 𝑝 2 \hat{p}_{2} over^ start_ARG italic_p end_ARG start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT relatively prime. Then, we process to work in Z p ^ 1 × Z p ^ 2 subscript 𝑍 subscript ^ 𝑝 1 subscript 𝑍 subscript ^ 𝑝 2 Z_{\hat{p}_{1}}\times Z_{\hat{p}_{2}} italic_Z start_POSTSUBSCRIPT over^ start_ARG italic_p end_ARG start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT end_POSTSUBSCRIPT × italic_Z start_POSTSUBSCRIPT over^ start_ARG italic_p end_ARG start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT end_POSTSUBSCRIPT , and use Chinese Remainder Theorem to get the target value [ 18 ] .

Similarly, we get L b subscript 𝐿 𝑏 L_{b} italic_L start_POSTSUBSCRIPT italic_b end_POSTSUBSCRIPT through steps from 15 to 23.

Let α ∈ L g 𝛼 subscript 𝐿 𝑔 \alpha\in L_{g} italic_α ∈ italic_L start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT and p ¯ ∈ Ω ¯ 𝑝 Ω \bar{p}\in\Omega over¯ start_ARG italic_p end_ARG ∈ roman_Ω such that g α mod p ≡ p ¯ modulo superscript 𝑔 𝛼 𝑝 ¯ 𝑝 g^{\alpha}\mod p\equiv\bar{p} italic_g start_POSTSUPERSCRIPT italic_α end_POSTSUPERSCRIPT roman_mod italic_p ≡ over¯ start_ARG italic_p end_ARG . Let β ∈ L b 𝛽 subscript 𝐿 𝑏 \beta\in L_{b} italic_β ∈ italic_L start_POSTSUBSCRIPT italic_b end_POSTSUBSCRIPT such that b β mod p ≡ p ¯ modulo superscript 𝑏 𝛽 𝑝 ¯ 𝑝 b^{\beta}\mod p\equiv\bar{p} italic_b start_POSTSUPERSCRIPT italic_β end_POSTSUPERSCRIPT roman_mod italic_p ≡ over¯ start_ARG italic_p end_ARG . Then, we have

Thus, the target discrete logarithm x 𝑥 x italic_x is

□ □ \hfill\Box □

III-D Time Complexity

Above, the correctness of the proposed double index calculus algorithm is proved. Next, the proposed algorithm is compared with the state-of-the-art index calculus algorithm in terms of time complexity.

In both index calculus algorithm and double index calculus algorithm, equations systems are constructed to compute discrete logarithms of primes in factor base, and then computing the target discrete logarithm is achieved through the obtained discrete logarithms. Assume that the time complexity of calculating discrete logarithm of one prime is the same in both algorithms, and the time complexity of the two algorithms can be compared with each other.

Theorem 2: The time complexity of double index calculus algorithm is lower than index calculus algorithm if calculating discrete logarithm of one prime is assumed to be the same.

Proof: Let T 𝑇 T italic_T be the time complexity of calculating discrete logarithm of one prime. Assume that there are k 𝑘 k italic_k primes in factor base, and the target discrete logarithm problem is to find x 𝑥 x italic_x such that g x mod p ≡ b modulo superscript 𝑔 𝑥 𝑝 𝑏 g^{x}\mod p\equiv b italic_g start_POSTSUPERSCRIPT italic_x end_POSTSUPERSCRIPT roman_mod italic_p ≡ italic_b , where p 𝑝 p italic_p is a large prime (the order of finite prime field) and g 𝑔 g italic_g is a multiplication generator of field.

𝑘 1 𝑇 (k+1)T ( italic_k + 1 ) italic_T in total.

𝑘 1 𝑇 (k+1)T ( italic_k + 1 ) italic_T . In other words, the time complexity of double index calculus algorithm is lower than that of index calculus algorithm.

k 𝑘 k italic_k is the number of primes in the factor base Ω = { p 1 \Omega=\{p_{1} roman_Ω = { italic_p start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , p 2 subscript 𝑝 2 p_{2} italic_p start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT , ⋯ ⋯ \cdots ⋯ , p k } p_{k}\} italic_p start_POSTSUBSCRIPT italic_k end_POSTSUBSCRIPT } .

T 𝑇 T italic_T is the time of obtaining discrete logarithm of one prime.

In brief, the double index calculus algorithm reduces its time complexity by only computing discrete logarithms of some primes in the factor base instead of discrete logarithms of all primes in the factor base.

𝑘 1 k+1 italic_k + 1 discrete logarithms in total.

𝑘 1 k+1 italic_k + 1 .

To further reduce the running time of our algorithm, we introduce another trick: parallel computing. Specifically, computing discrete logarithms of primes base g 𝑔 g italic_g and computing discrete logarithms of primes base b 𝑏 b italic_b are independent of each other. Thus, these two computing processes can be performed simultaneously. The running time of our algorithm is the greater running time between the running time of computing discrete logarithms base g 𝑔 g italic_g and the running time of computing discrete logarithms base b 𝑏 b italic_b , instead of the sum running time of them. The comparison of the index calculus algorithm and the double index calculus algorithm is demonstrated in Figure 2 and the time complexity comparison is summarized in TABLE II .

Notably, the time complexity of solving equations systems in step 13 and step 22 in our algorithm is polynomial. When the bit length of the order of finite prime field is large, the running time of solving equations systems is negligible so we do not take it into consideration in TABLE II . Similarly, we do not take time of solving equations systems into consideration when analyzing time complexity of the index calculus algorithm in TABLE II .

Notably, the target discrete logarithm can be obtained in our algorithm under the condition that both discrete logarithms base g 𝑔 g italic_g and base b 𝑏 b italic_b of one prime are obtained. The condition is satisfied with a high probability and we will prove this claim in the next Theorem 4.

Theorem 3: If u 𝑢 u italic_u primes’ discrete logarithms base g 𝑔 g italic_g and v 𝑣 v italic_v primes’ discrete logarithms base b 𝑏 b italic_b are obtained in the first phase, the double index calculus algorithm obtains the target discrete logarithm with the probability

Proof: Assume that u 𝑢 u italic_u primes whose discrete logarithms base g 𝑔 g italic_g are obtained form the set Ω g = { p 1 , p 2 , ⋯ , p u } subscript Ω 𝑔 subscript 𝑝 1 subscript 𝑝 2 ⋯ subscript 𝑝 𝑢 \Omega_{g}=\{p_{1},p_{2},\cdots,p_{u}\} roman_Ω start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT = { italic_p start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , italic_p start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT , ⋯ , italic_p start_POSTSUBSCRIPT italic_u end_POSTSUBSCRIPT } , and v 𝑣 v italic_v primes whose discrete logarithms base b 𝑏 b italic_b are obtained form set Ω b = { p ¯ 1 , p ¯ 2 , ⋯ , p ¯ v } subscript Ω 𝑏 subscript ¯ 𝑝 1 subscript ¯ 𝑝 2 ⋯ subscript ¯ 𝑝 𝑣 \Omega_{b}=\{\bar{p}_{1},\bar{p}_{2},\cdots,\bar{p}_{v}\} roman_Ω start_POSTSUBSCRIPT italic_b end_POSTSUBSCRIPT = { over¯ start_ARG italic_p end_ARG start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , over¯ start_ARG italic_p end_ARG start_POSTSUBSCRIPT 2 end_POSTSUBSCRIPT , ⋯ , over¯ start_ARG italic_p end_ARG start_POSTSUBSCRIPT italic_v end_POSTSUBSCRIPT } . As long as Ω g ∩ Ω b ≠ ∅ subscript Ω 𝑔 subscript Ω 𝑏 \Omega_{g}\cap\Omega_{b}\neq\emptyset roman_Ω start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT ∩ roman_Ω start_POSTSUBSCRIPT italic_b end_POSTSUBSCRIPT ≠ ∅ , the double index calculus algorithm can obtain the target discrete logarithm. We have

The “other cases” refers to the cases where Ω g ∩ Ω b ≠ ∅ subscript Ω 𝑔 subscript Ω 𝑏 \Omega_{g}\cap\Omega_{b}\neq\emptyset roman_Ω start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT ∩ roman_Ω start_POSTSUBSCRIPT italic_b end_POSTSUBSCRIPT ≠ ∅ while Ω g ∩ Ω b ≠ { 2 } subscript Ω 𝑔 subscript Ω 𝑏 2 \Omega_{g}\cap\Omega_{b}\neq\{2\} roman_Ω start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT ∩ roman_Ω start_POSTSUBSCRIPT italic_b end_POSTSUBSCRIPT ≠ { 2 } , for example Ω g ∩ Ω b = { 3 } subscript Ω 𝑔 subscript Ω 𝑏 3 \Omega_{g}\cap\Omega_{b}=\{3\} roman_Ω start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT ∩ roman_Ω start_POSTSUBSCRIPT italic_b end_POSTSUBSCRIPT = { 3 } , Ω g ∩ Ω b = { 2 , 3 } subscript Ω 𝑔 subscript Ω 𝑏 2 3 \Omega_{g}\cap\Omega_{b}=\{2,3\} roman_Ω start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT ∩ roman_Ω start_POSTSUBSCRIPT italic_b end_POSTSUBSCRIPT = { 2 , 3 } , and so on. Whether 2 belongs to Ω g subscript Ω 𝑔 \Omega_{g} roman_Ω start_POSTSUBSCRIPT italic_g end_POSTSUBSCRIPT is independent of whether it belongs to Ω b subscript Ω 𝑏 \Omega_{b} roman_Ω start_POSTSUBSCRIPT italic_b end_POSTSUBSCRIPT . Therefore, we have

To compute u 𝑢 u italic_u prime integers’ discrete logarithms, at least u 𝑢 u italic_u smooth integers are needed. Each found smooth integer is odd with probability 1 / 2 1 2 1/2 1 / 2 . That is, each found smooth integer does not have factor 2 with probability 1 / 2 1 2 1/2 1 / 2 . Thus, all found smooth integers do not have factor 2 with probability 1 / 2 u 1 superscript 2 𝑢 1/2^{u} 1 / 2 start_POSTSUPERSCRIPT italic_u end_POSTSUPERSCRIPT . Thus,

Similarly, we have

Thus, we have

1 1 superscript 2 25 1 superscript 2 5 1 superscript 2 5 0.94 1+\frac{1}{2^{25}}-\frac{1}{2^{5}}-\frac{1}{2^{5}}\approx 0.94 1 + divide start_ARG 1 end_ARG start_ARG 2 start_POSTSUPERSCRIPT 25 end_POSTSUPERSCRIPT end_ARG - divide start_ARG 1 end_ARG start_ARG 2 start_POSTSUPERSCRIPT 5 end_POSTSUPERSCRIPT end_ARG - divide start_ARG 1 end_ARG start_ARG 2 start_POSTSUPERSCRIPT 5 end_POSTSUPERSCRIPT end_ARG ≈ 0.94 .

IV Discussion

In this section, we compare our algorithm with the index calculus algorithm in terms of generality. Then, we discuss the differences together with connections between our algorithm and the variants of index calculus algorithm.

IV-A Generality Comparison

The index calculus algorithm has a minor limitation when it is directly used to solve the discrete logarithm problem in the case where the base of the discrete logarithm is not the multiplication generator. Specifically, the index calculus algorithm chooses a set of primes as its factor base and computes discrete logarithms of all chosen primes first. But, the discrete logarithms of some primes may not exist when the base of discrete logarithm is not the multiplication generator of the target finite prime field. For example, find x 𝑥 x italic_x such that g x mod p ≡ b modulo superscript 𝑔 𝑥 𝑝 𝑏 g^{x}\mod p\equiv b italic_g start_POSTSUPERSCRIPT italic_x end_POSTSUPERSCRIPT roman_mod italic_p ≡ italic_b by the index calculus algorithm, when g = 340003 𝑔 340003 g=340003 italic_g = 340003 , b = 50064 𝑏 50064 b=50064 italic_b = 50064 , p = 1040483 𝑝 1040483 p=1040483 italic_p = 1040483 . If prime 2 is in the chosen factor base, then the index calculus algorithm can not work because the log p ⁡ 2 subscript 𝑝 2 \log_{p}2 roman_log start_POSTSUBSCRIPT italic_p end_POSTSUBSCRIPT 2 does not exist in the given setting.

The key point is: the given g 𝑔 g italic_g is not a multiplication generator in the given finite prime field so some primes’ discrete logarithms do not exist. In addition, there is no fast way to determine whether the discrete logarithm of a given prime exists or not. Thus, only choosing the prime with discrete logarithm into the factor base is difficult to achieve. In a word, if the given base g 𝑔 g italic_g is not a multiplication generator of the given finite prime field, directly computing discrete logarithms of some integers by the index calculus algorithm may fail.

Our algorithm can work even if the given base g 𝑔 g italic_g is not a multiplication generator of the given finite prime field. Our algorithm also chooses a set of primes as its factor base and computes discrete logarithms of chosen primes first. However, our algorithm does not require that discrete logarithms of all primes in the factor base exist. In the above example, the equation g 321790 mod p ≡ 3 modulo superscript 𝑔 321790 𝑝 3 g^{321790}\mod p\equiv 3 italic_g start_POSTSUPERSCRIPT 321790 end_POSTSUPERSCRIPT roman_mod italic_p ≡ 3 together with b 400459 mod p ≡ 3 modulo superscript 𝑏 400459 𝑝 3 b^{400459}\mod p\equiv 3 italic_b start_POSTSUPERSCRIPT 400459 end_POSTSUPERSCRIPT roman_mod italic_p ≡ 3 hold. Thus, our algorithm can find out x = 6 𝑥 6 x=6 italic_x = 6 even if prime 2 is in the factor base as long as prime 3 is also in the factor base. The key point is: our algorithm only uses the discrete logarithms of one same prime. In a word, our algorithm only requires the existence of some primes’ discrete logarithms instead of the existence of all primes’ discrete logarithms.

In brief, in the case where discrete logarithms of some primes in the factor base do not exist, the index calculus algorithm may fail while our algorithm still can work. From the perspective of whether the base needs to be a multiplication generator of the target field, our algorithm is more general.

IV-B Differences

There are many variants of the index calculus algorithm. In this subsection, we discuss the key differences between our algorithm and these variant algorithms.

There are several cases for computing the discrete logarithm: a > 2 / 3 𝑎 2 3 a>2/3 italic_a > 2 / 3 is called the large characteristic case, a = 2 / 3 𝑎 2 3 a=2/3 italic_a = 2 / 3 is called the boundary case, 1 / 3 ≤ a < 2 / 3 1 3 𝑎 2 3 1/3\leq a<2/3 1 / 3 ≤ italic_a < 2 / 3 is called the medium prime case while a < 1 / 3 𝑎 1 3 a<1/3 italic_a < 1 / 3 is called the small characteristic case.

The number field sieve [ 16 ] and the function field sieve [ 17 ] are two important variants of the index calculus algorithm and they are both sub-exponential time algorithms for solving the discrete logarithm problem in a finite prime field. Sieve methods improve the computing speed of index calculus algorithm a lot. Coppersmith [ 19 ] gave an estimation of time complexity of a sieve method when Q = p n 𝑄 superscript 𝑝 𝑛 Q=p^{n} italic_Q = italic_p start_POSTSUPERSCRIPT italic_n end_POSTSUPERSCRIPT (here p 𝑝 p italic_p is a prime integer) as follows

Where, the C varied slightly, depending on the distance from n 𝑛 n italic_n to the nearest power of p 𝑝 p italic_p , and in the limit as n → ∞ → 𝑛 n\rightarrow\infty italic_n → ∞ it oscillated between two bounds [ 20 ] . To our best knowledge, the number field sieve is used for large characteristic cases while the function field sieve is used for the rest cases.

There is a lot of progress in the number field sieve method and the function field sieve method such as [ 21 , 22 , 23 , 24 , 25 ] . The reason why sieve methods can speed up solving the discrete logarithm problem is that they can obtain smooth integers faster. In particular, obtaining enough smooth integers to compute discrete logarithms of all primes in factor base is the most time-consuming part of the index calculus algorithm. Roughly speaking, the “enough” means the number of smooth integers needs to be more than the number of primes in the factor base. The sieve methods can reduce the time of obtaining one smooth integer so the whole time complexity of index calculus algorithm is reduced.

What sets our algorithm apart from the sieve methods is that: our algorithm reduces the whole time complexity of solving the discrete logarithm problem by reducing the number of discrete logarithms needed, which can be seen from TABLE II . In particular, the number of needed discrete logarithms could be less than the number of primes in the factor base in our algorithm.

Another key difference between our algorithm and the sieve methods is that: the sieve methods work for special cases while our algorithm can work on all cases. Specifically, as mentioned before, the number field sieve is used for the large characteristic case while the function field sieve is used for the rest cases.

IV-C Connections

The connection between our algorithm and the sieve methods is that: our method can be combined with the sieve methods to improve the computing speed further. In particular, step 6 and step 16 in our algorithm is to find smooth integers. The sieve methods can replace these two steps so that the time complexity of our algorithm can be reduced further through finding smooth integers fast.

V Experiments

To demonstrate the efficiency of our algorithm, we comprehensively compare our algorithm with the state-of-the-art and classical algorithms through extensive experiments.

The first experiment focuses on the influences of smoothness bound on the time complexity of our algorithm and the index calculus algorithm. In the index calculus algorithm, smoothness bound B 𝐵 B italic_B significantly influences its computing speed because the smoothness bound B 𝐵 B italic_B determines the size of factor base. As smoothness bound B 𝐵 B italic_B increases, the factor base becomes larger, and the computation speed of index calculus algorithm increases first and then decreases. In previous work of Andrew [ 18 ] , it is proved that the optimal value of B 𝐵 B italic_B is

here p 𝑝 p italic_p is the order of finite prime field. That is, the index calculus algorithm achieves its maximal computation speed when B 𝐵 B italic_B is set according to ( 29 ).

To explore the influences of smoothness bound on time complexity of algorithms, many random discrete logarithm problems are generated and then different smoothness bound is used to solve these discrete logarithm problems. In particular, the bits length of order of finite prime field is from 30 bits to 50 bits with step size 2 and the smoothness bound is set { 0.1 ⁢ B i , 0.5 ⁢ B i , 1 ⁢ B i , 1.5 ⁢ B i , 2 ⁢ B i } 0.1 subscript 𝐵 𝑖 0.5 subscript 𝐵 𝑖 1 subscript 𝐵 𝑖 1.5 subscript 𝐵 𝑖 2 subscript 𝐵 𝑖 \{0.1B_{i},0.5B_{i},1B_{i},1.5B_{i},2B_{i}\} { 0.1 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT , 0.5 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT , 1 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT , 1.5 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT , 2 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT } where

and p 𝑝 p italic_p is the order of finite prime field. The average running time of solving these discrete logarithm problems are calculated and shown in Table III .

According to the experiment results in Table III , the average running time increases as the bits length increases in both our double index calculus algorithm and the index calculus algorithm. The experiment results also indicate that the running time decreases first and then increases as the smoothness bound increases for each bits length. When the smoothness bound is

the average running time of all algorithms achieves the minimal value. To demonstrate the comparison among algorithms more clearly, the average running time of all algorithms with smoothness bound 0.5 ⁢ e log ⁡ p ⁢ log ⁡ log ⁡ p 2 0.5 superscript 𝑒 𝑝 𝑝 2 0.5e^{\sqrt{\frac{\log{p}\log{\log{p}}}{2}}} 0.5 italic_e start_POSTSUPERSCRIPT square-root start_ARG divide start_ARG roman_log italic_p roman_log roman_log italic_p end_ARG start_ARG 2 end_ARG end_ARG end_POSTSUPERSCRIPT is shown in Figure 3 .

According to the experiment results in Figure 3 , our algorithm is much fast than the index calculus algorithm. In particular, our algorithm is about three times ( 29.6083 / 9.9497 ≈ 3 29.6083 9.9497 3 29.6083/9.9497\approx 3 29.6083 / 9.9497 ≈ 3 ) faster than the index calculus algorithm.

In the second experiment, we compare our algorithm with other classic and state-of-the-art algorithms, including index calculus algorithm, baby step giant step algorithm, PohligHellman algorithm and Rho algorithm. The bits length of order of the finite prime field is from 30 bits to 50 bits with step size of 2. The smoothness bound is 0.5 ⁢ e log ⁡ p ⁢ log ⁡ log ⁡ p 2 0.5 superscript 𝑒 𝑝 𝑝 2 0.5e^{\sqrt{\frac{\log{p}\log{\log{p}}}{2}}} 0.5 italic_e start_POSTSUPERSCRIPT square-root start_ARG divide start_ARG roman_log italic_p roman_log roman_log italic_p end_ARG start_ARG 2 end_ARG end_ARG end_POSTSUPERSCRIPT . Many random discrete logarithm problems are generated and the average running times of solving these discrete logarithm problems are shown in Figure 4 .

The experiment results in Figure 4 indicate that our algorithm is the most efficient algorithm to solve discrete logarithm problems. In particular, the running time of index calculus algorithm, baby step giant step algorithm, and PohligHellman algorithm are about 3 times, 7 times and 12 times that of our algorithms. The average running time of rho algorithm is far more than 20 times that of our algorithm.

The third experiment focuses on the minimum of average running time. According to the experiment results in the first experiment, the average running time may be minimal when the smoothness bound is 0.5 ⁢ e log ⁡ p ⁢ log ⁡ log ⁡ p 2 0.5 superscript 𝑒 𝑝 𝑝 2 0.5e^{\sqrt{\frac{\log{p}\log{\log{p}}}{2}}} 0.5 italic_e start_POSTSUPERSCRIPT square-root start_ARG divide start_ARG roman_log italic_p roman_log roman_log italic_p end_ARG start_ARG 2 end_ARG end_ARG end_POSTSUPERSCRIPT . To explore the minimum of the average running time, the smooth bounds are set to be 0.25 ⁢ B i 0.25 subscript 𝐵 𝑖 0.25B_{i} 0.25 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT , 0.30 ⁢ B i 0.30 subscript 𝐵 𝑖 0.30B_{i} 0.30 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT , 0.35 ⁢ B i 0.35 subscript 𝐵 𝑖 0.35B_{i} 0.35 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT , 0.40 ⁢ B i 0.40 subscript 𝐵 𝑖 0.40B_{i} 0.40 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT , 0.45 ⁢ B i 0.45 subscript 𝐵 𝑖 0.45B_{i} 0.45 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT , 0.50 ⁢ B i 0.50 subscript 𝐵 𝑖 0.50B_{i} 0.50 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT , 0.55 ⁢ B i 0.55 subscript 𝐵 𝑖 0.55B_{i} 0.55 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT , 0.60 ⁢ B i 0.60 subscript 𝐵 𝑖 0.60B_{i} 0.60 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT , 0.65 ⁢ B i 0.65 subscript 𝐵 𝑖 0.65B_{i} 0.65 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT , 0.70 ⁢ B i 0.70 subscript 𝐵 𝑖 0.70B_{i} 0.70 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT , where B i = e log ⁡ p ⁢ log ⁡ log ⁡ p 2 subscript 𝐵 𝑖 superscript 𝑒 𝑝 𝑝 2 B_{i}=e^{\sqrt{\frac{\log{p}\log{\log{p}}}{2}}} italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT = italic_e start_POSTSUPERSCRIPT square-root start_ARG divide start_ARG roman_log italic_p roman_log roman_log italic_p end_ARG start_ARG 2 end_ARG end_ARG end_POSTSUPERSCRIPT . The bit length is from 40 to 55 with step size 5. Many random discrete logarithm problems are generated and average running time of solving these discrete logarithm problems are shown in Fig 6 .

The experiment results in Fig. 6 demonstrate obvious trends. First, the average running time decreases and then increases after a specific value as the smoothness bound increases from 0.25 ⁢ B i 0.25 subscript 𝐵 𝑖 0.25B_{i} 0.25 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT to 0.75 ⁢ B i 0.75 subscript 𝐵 𝑖 0.75B_{i} 0.75 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT , where B i = e log ⁡ p ⁢ log ⁡ log ⁡ p 2 subscript 𝐵 𝑖 superscript 𝑒 𝑝 𝑝 2 B_{i}=e^{\sqrt{\frac{\log{p}\log{\log{p}}}{2}}} italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT = italic_e start_POSTSUPERSCRIPT square-root start_ARG divide start_ARG roman_log italic_p roman_log roman_log italic_p end_ARG start_ARG 2 end_ARG end_ARG end_POSTSUPERSCRIPT . For example, the average running time of index calculus algorithm decreases when smoothness bound is smaller than 0.45 ⁢ B i 0.45 subscript 𝐵 𝑖 0.45B_{i} 0.45 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT . And then, the average running time of index calculus algorithm increases when smoothness bound is larger than 0.45 ⁢ B i 0.45 subscript 𝐵 𝑖 0.45B_{i} 0.45 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT . Second, our algorithm is faster than index calculus algorithm. In particular, when solving random discrete logarithm problems, the minimal average running time of index calculus algorithm is three times that of our algorithm. For example, the minimal average running time of index calculus algorithm is about 105s when the bit length is 55 bits. The minimal average running time of our algorithm is only about 1/3 (105/35.3) that of index calculus algorithm when the bit length is 55 bits. Third, the value of smoothness bound that makes the average running time minimal is become larger as the bit length increase. For example, the average running time is minimal of all algorithms when smoothness bounds is 0.45 ⁢ B i 0.45 subscript 𝐵 𝑖 0.45B_{i} 0.45 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT if the bit length is 40. However, the average running time is minimal of our algorithm and index calculus algorithm when smoothness bounds is 0.65 ⁢ B i 0.65 subscript 𝐵 𝑖 0.65B_{i} 0.65 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT and 0.50 ⁢ B i 0.50 subscript 𝐵 𝑖 0.50B_{i} 0.50 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT respectively if the bit length is 55.

The fourth experiment compares the average running time when the bit length is large. In particular, bit length is from 50 bits to 75 bits with step size 5. As demonstrated in the third experiment, the smoothness bound has large influence on the average running time. For the index calculus algorithm, the average running time is minimal when smoothness bound is 0.5 ⁢ B i 0.5 subscript 𝐵 𝑖 0.5B_{i} 0.5 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT , where B i = e log ⁡ p ⁢ log ⁡ log ⁡ p 2 subscript 𝐵 𝑖 superscript 𝑒 𝑝 𝑝 2 B_{i}=e^{\sqrt{\frac{\log{p}\log{\log{p}}}{2}}} italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT = italic_e start_POSTSUPERSCRIPT square-root start_ARG divide start_ARG roman_log italic_p roman_log roman_log italic_p end_ARG start_ARG 2 end_ARG end_ARG end_POSTSUPERSCRIPT . And for our algorithm, the average running time is minimal when smoothness bound is 0.65 ⁢ B i 0.65 subscript 𝐵 𝑖 0.65B_{i} 0.65 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT . Thus, in the fourth experiment, smoothness bounds of index calculus algorithm and our algorithm are 0.5 ⁢ B i 0.5 subscript 𝐵 𝑖 0.5B_{i} 0.5 italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT and B i subscript 𝐵 𝑖 B_{i} italic_B start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT , respectively. Many random discrete logarithm problems are generated and the average running time of solving these problems is shown in Fig. 5 .

According to the experiment results in Fig. 5 , the computing speed of our algorithm is higher than that of index calculus algorithm. As the bit length becomes large, the difference on average running time becomes large too, which indicates that the performance of our algorithm becomes more better than the performance of the state-of-the-art index calculus algorithm.

(a) Index Calculus Algorithm

(b) Ours without Parallel Computing

(c) Ours with Parallel Computing

To demonstrate that our algorithm could be much faster than the state-of-the-art index calculus algorithm, we randomly set smooth bound to be

for index calculus algorithm and our algorithm. The comparison of average running time is shown in Table IV and the comparison indicates that our algorithm could be 30 times faster than the state-of-the-art index calculus algorithm.

In brief, our algorithm is compared with classical and state-of-the-art algorithms comprehensively, and the comparison indicates that our algorithm is better than existing algorithms.

VI Conclusion

In this paper, we propose the double index calculus algorithm to solve the discrete logarithm problem in the finite prime field. Our algorithm is faster than the fastest algorithm available. We give theoretical analyses and perform experiments to back up our claims. Empirical experiment results indicate that our algorithm could be more than 30 times faster than the fastest algorithm available when the bit length of the size of the prime field is large. Our improvement in solving the discrete logarithm problem in the finite prime field may influence how researchers choose security parameters of cryptography schemes whose security is based on the discrete logarithm problem.

• [1] W. Diffie and M. E. Hellman, “New directions in cryptography,” IEEE Transactions on Information Theory , vol. 22, no. 6, pp. 644–654, 1976.
• [2] R. Cramer and V. Shoup, “A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack,” in Advances in Cryptology — CRYPTO ’98 , H. Krawczyk, Ed.   Berlin, Heidelberg: Springer Berlin Heidelberg, 1998, pp. 13–25.
• [3] T. Elgamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Transactions on Information Theory , vol. 31, no. 4, pp. 469–472, 1985.
• [4] D. Johnson, A. Menezes, and S. Vanstone, “The elliptic curve digital signature algorithm (ecdsa),” International journal of information security , vol. 1, no. 1, pp. 36–63, 2001.
• [5] F. Li, D. Zhong, and T. Takagi, “Efficient deniably authenticated encryption and its application to e-mail,” IEEE Transactions on Information Forensics and Security , vol. 11, no. 11, pp. 2477–2486, 2016.
• [6] D. Shanks, “Class number, a theory of factorization, and genera,” in Proc. of Symp. Math. Soc., 1971 , vol. 20, 1971, pp. 41–440. [Online]. Available: https://doi.org/10.1090/pspum/020/0316385
• [7] S. Pohlig and M. Hellman, “An improved algorithm for computing logarithms overgf(p)and its cryptographic significance (corresp.),” IEEE Transactions on Information Theory , vol. 24, no. 1, pp. 106–110, 1978.
• [8] J. M. Pollard, “Monte carlo methods for index computation (mod) p,” Mathematics of Computation , vol. 32, no. 143, pp. 918–924, 1978.
• [9] M. Kraitchik, Théorie des nombres .   Gauthier-Villars, 1922, vol. 1.
• [10] ——, Recherches sur la théorie des nombres .   Gauthier-Villars, 1924, vol. 1.
• [11] E. Western Alfred and J. Miller, “Tables of indices and primitive roots,” the Royal Society Mathematical Tables , vol. 9, 1968.
• [12] L. Adleman, “A subexponential algorithm for the discrete logarithm problem with applications to cryptography,” in 2013 IEEE 54th Annual Symposium on Foundations of Computer Science .   Los Alamitos, CA, USA: IEEE Computer Society, oct 1979, pp. 55–60. [Online]. Available: https://doi.ieeecomputersociety.org/10.1109/SFCS.1979.2
• [13] R. C. Merkle, Secrecy, authentication, and public key systems.    Stanford university, 1979.
• [14] L. Adleman, “A subexponential algorithm for the discrete logarithm problem with applications to cryptography,” in 2013 IEEE 54th Annual Symposium on Foundations of Computer Science .   Los Alamitos, CA, USA: IEEE Computer Society, oct 1979, pp. 55–60. [Online]. Available: https://doi.ieeecomputersociety.org/10.1109/SFCS.1979.2
• [15] L. M. Adleman and J. DeMarrais, “A subexponential algorithm for discrete logarithms over all finite fields,” Mathematics of Computation , vol. 61, no. 203, pp. 1–15, 1993.
• [16] D. M. Gordon, “Discrete logarithms in $gf ( p )$ using the number field sieve,” SIAM Journal on Discrete Mathematics , vol. 6, no. 1, pp. 124–138, 1993. [Online]. Available: https://doi.org/10.1137/0406010
• [17] L. M. Adleman and M.-D. A. Huang, “Function field sieve method for discrete logarithms over finite fields,” Information and Computation , vol. 151, no. 1, pp. 5–16, 1999. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S0890540198927614
• [18] A. Sutherland, “Index calculus, smooth numbers, and factoring integers,” Website, 2023, https://math.mit.edu/classes/18.783/2015/LectureNotes11.pdf .
• [19] D. Coppersmith, “Fast evaluation of logarithms in fields of characteristic two,” IEEE Transactions on Information Theory , vol. 30, no. 4, pp. 587–594, 1984.
• [20] A. Shuaibu Maianguwa, “A survey of discrete logarithm algorithms in finite fields,” vol. 5, pp. 215 – 224, 01 2019.
• [21] R. Barbulescu, P. Gaudry, A. Joux, and E. Thomé, “A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic,” in Advances in Cryptology – EUROCRYPT 2014 , P. Q. Nguyen and E. Oswald, Eds.   Berlin, Heidelberg: Springer Berlin Heidelberg, 2014, pp. 1–16.
• [22] G. Adj, A. Menezes, T. Oliveira, and F. Rodríguez-Henríquez, “Weakness of f 3 6149 subscript 𝑓 superscript 3 6149 f_{3^{6149}} italic_f start_POSTSUBSCRIPT 3 start_POSTSUPERSCRIPT 6149 end_POSTSUPERSCRIPT end_POSTSUBSCRIPT and f 2 43041 subscript 𝑓 superscript 2 43041 f_{2^{43041}} italic_f start_POSTSUBSCRIPT 2 start_POSTSUPERSCRIPT 43041 end_POSTSUPERSCRIPT end_POSTSUBSCRIPT for discrete logarithm cryptography,” Finite Fields and Their Applications , vol. 32, pp. 148–170, 2015, special Issue : Second Decade of FFA. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S1071579714001294
• [23] J. Detrey, P. Gaudry, and M. Videau, “Relation collection for the function field sieve,” in 2013 IEEE 21st Symposium on Computer Arithmetic , 2013, pp. 201–210.
• [24] A. Joux, “Faster index calculus for the medium prime case application to 1175-bit and 1425-bit finite fields,” in Advances in Cryptology – EUROCRYPT 2013 , T. Johansson and P. Q. Nguyen, Eds.   Berlin, Heidelberg: Springer Berlin Heidelberg, 2013, pp. 177–193.
• [25] M. Mukhopadhyay, P. Sarkar, S. Singh, and E. Thome, “New discrete logarithm computation for the medium prime case using the function field sieve,” Cryptology ePrint Archive, Paper 2020/113, 2020, https://eprint.iacr.org/2020/113 . [Online]. Available: https://eprint.iacr.org/2020/113

• Science & Math
• Mathematics

Sorry, there was a problem.

Download the free Kindle app and start reading Kindle books instantly on your smartphone, tablet, or computer - no Kindle device required .

Read instantly on your browser with Kindle for Web.

Using your mobile phone camera - scan the code below and download the Kindle app.

Image Unavailable

• To view this video download Flash Player

Follow the author

Calculus: Art of Problem Solving Paperback – January 1, 1600

• Part of series Art of Problem Solving
• Language English
• Publisher Aops Inc
• Publication date January 1, 1600
• Dimensions 8.25 x 0.5 x 10.5 inches
• ISBN-10 1934124249
• ISBN-13 978-1934124246
• See all details

Product details

• Publisher ‏ : ‎ Aops Inc; 2nd edition (January 1, 1600)
• Language ‏ : ‎ English
• ISBN-10 ‏ : ‎ 1934124249
• ISBN-13 ‏ : ‎ 978-1934124246
• Item Weight ‏ : ‎ 1.68 pounds
• Dimensions ‏ : ‎ 8.25 x 0.5 x 10.5 inches
• #453 in Calculus (Books)

About the author

David patrick.

David Patrick has been an author and curriculum developer at Art of Problem Solving since 2004. He is the author of Art of Problem Solving's Introduction to Counting & Probability, Intermediate Counting & Probability, and Calculus textbooks, and co-author of AoPS's new Prealgebra textbook. He is also an instructor in AoPS's widely-acclaimed online school for high performing middle and high school students.

Dave earned the sole perfect score on the American High School Mathematics Examination (AHSME) in 1988 and was a USA Mathematical Olympiad winner that year. He attended the Research Science Institute (RSI) in 1987, and the Math Olympiad Summer Program in 1988, where he first met fellow student Richard Rusczyk. He also finished in the top 10 on the Putnam exam in 1991. Dave graduated from Carnegie Mellon in 1992 with a BS in Mathematics/Computer Science and an MS in Mathematics. He went on to earn his Ph.D. in mathematics from MIT in 1997. He was an acting Assistant Professor at the University of Washington from 1997 to 2001. Dave is originally from Western New York and is an alumnus of the SUNY Buffalo Gifted Math Program.

Customer reviews

• 5 star 4 star 3 star 2 star 1 star 5 star 84% 0% 0% 0% 16% 84%
• 5 star 4 star 3 star 2 star 1 star 4 star 84% 0% 0% 0% 16% 0%
• 5 star 4 star 3 star 2 star 1 star 3 star 84% 0% 0% 0% 16% 0%
• 5 star 4 star 3 star 2 star 1 star 2 star 84% 0% 0% 0% 16% 0%
• 5 star 4 star 3 star 2 star 1 star 1 star 84% 0% 0% 0% 16% 16%

Customer Reviews, including Product Star Ratings help customers to learn more about the product and decide whether it is the right product for them.

To calculate the overall star rating and percentage breakdown by star, we don’t use a simple average. Instead, our system considers things like how recent a review is and if the reviewer bought the item on Amazon. It also analyzed reviews to verify trustworthiness.

• Sort reviews by Top reviews Most recent Top reviews

Top reviews from the United States

There was a problem filtering reviews right now. please try again later..

• About Amazon
• Investor Relations
• Amazon Devices
• Amazon Science
• Sell products on Amazon
• Sell on Amazon Business
• Sell apps on Amazon
• Become an Affiliate
• Advertise Your Products
• Self-Publish with Us
• Host an Amazon Hub
• › See More Make Money with Us
• Amazon Business Card
• Shop with Points
• Reload Your Balance
• Amazon Currency Converter
• Amazon and COVID-19
• Your Account
• Your Orders
• Shipping Rates & Policies
• Returns & Replacements
• Manage Your Content and Devices

• Conditions of Use
• Privacy Notice
• Consumer Health Data Privacy Disclosure
• Your Ads Privacy Choices