Birthday attack to discrete logarithm

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

The discrete logarithm in a finite group of large order has been widely applied in public key cryptosystems. In this paper, we will present a probabilistic algorithm for discrete logarithm.


💡 Research Summary

The paper proposes a probabilistic algorithm for solving the discrete logarithm problem (DLP) by exploiting the birthday paradox. The setting is a cyclic group G of order N with generator g, and m public keys y₁,…,y_m. For each public key the authors randomly select n exponents r_{i,1},…,r_{i,n} and construct two families of group elements: S_i = { g^{r_{i,j}}·y_i^{r_{i,j}} } and T_i = { g^{r_{i,j}} }. The union Ω = ⋃_{i=1}^m (S_i ∪ T_i) is then examined for collisions, i.e., pairs of equal elements. Since y_i = g^{x_i}, a collision of the form g^a·y_i^b = g^c·y_j^d means a + x_i·b ≡ c + x_j·d (mod N), i.e. the linear relation (a−c) ≡ x_j·d − x_i·b (mod N), where x_i and x_j are the secret exponents. If enough collisions are found, a system of linear equations in the unknowns x₁,…,x_m is obtained; solving this system recovers all secret keys provided the equations are linearly independent.

The authors present a probability bound (Proposition 1) stating that the chance of at least k collisions in Ω is at least 2·(2m)^k / k! · e^{−2m}, and claim that when 2m ≥ √N the collision probability exceeds 0.99. They further argue that the probability that the resulting k equations are independent is roughly 1 − 1/N, which they treat as essentially certain.

Complexity analysis focuses on two costs. First, detecting collisions requires sorting or hashing the |Ω| ≈ 2mn elements, which costs O(|Ω| log |Ω|) ≈ O(√N log N) group comparisons, comparable to the baby-step giant-step (BSGS) algorithm. Second, generating the sets S_i and T_i needs m·n group multiplications. By choosing n ≈ √N / m, the total number of multiplications also becomes O(√N), matching BSGS. The authors claim that when m is large the multiplication count can be reduced below that of BSGS, but this advantage comes at the price of increased memory (Ω must be stored) and relies on the optimistic independence assumption.
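As an added example (not the paper's code and not part of this summary), the following Python runs the whole procedure above in a toy prime-order group: it builds the S_i and T_i families, finds collisions by hashing the elements, turns each collision into a linear relation mod N, and solves the system by Gauss-Jordan elimination over GF(N). The group parameters P = 2039, N = 1019 and G = 4 are constructed (P is a safe prime, N = (P−1)/2, and 4 is a quadratic residue, so it generates the order-N subgroup). It generalises the text slightly by drawing the two exponents of each S_i element independently, which covers the single-exponent form g^{r}·y_i^{r} as a special case. The solver returns None when the collected equations do not have full rank, which is exactly the independence caveat the summary raises, and the sampler counts modular exponentiations so the m·n generation cost can be checked.

```python
"""Birthday-collision DLP solver for a toy group (added example, not the paper's code).

Constructed parameters: P = 2039 is a safe prime (P = 2N + 1), N = 1019 is the
prime order of the subgroup generated by G = 4 (a quadratic residue mod P).
"""
import random
from typing import Dict, List, Optional, Tuple

P = 2039
N = 1019
G = 4
assert pow(G, N, P) == 1 and G != 1   # G really generates a subgroup of order N

# Each element of Omega is remembered as (i, a, b), meaning g^a * y_i^b.
# Elements of T_i carry b == 0, so they involve no secret.
Entry = Tuple[int, int, int]
Equation = Tuple[List[int], int]   # (coefficients of x_1..x_m, right-hand side), all mod N


def sample_omega(pubkeys: List[int], n: int, rng: random.Random,
                 omega: Dict[int, List[Entry]]) -> int:
    """Add n elements to every S_i and T_i, keyed by group element value (hashing
    replaces the sort mentioned in the summary).  Returns the number of modular
    exponentiations spent, so the generation cost can be compared with m*n."""
    cost = 0
    for i, y in enumerate(pubkeys):
        for _ in range(n):
            a, b, r = (rng.randrange(1, N) for _ in range(3))
            # S_i: g^a * y_i^b.  The summary ties a and b to one exponent r_{i,j};
            # drawing them independently covers that case as well.
            s = pow(G, a, P) * pow(y, b, P) % P
            omega.setdefault(s, []).append((i, a, b))
            t = pow(G, r, P)                       # T_i: g^r
            omega.setdefault(t, []).append((i, r, 0))
            cost += 3
    return cost


def collision_equations(omega: Dict[int, List[Entry]], m: int) -> List[Equation]:
    """Every pair of equal elements gives a linear relation in the unknown keys:
    g^a * y_i^b == g^c * y_j^d  =>  a + b*x_i == c + d*x_j  (mod N)
                                =>  b*x_i - d*x_j == c - a  (mod N)."""
    eqs: List[Equation] = []
    for entries in omega.values():
        for k in range(len(entries)):
            for l in range(k + 1, len(entries)):
                (i, a, b), (j, c, d) = entries[k], entries[l]
                row = [0] * m
                row[i] = (row[i] + b) % N
                row[j] = (row[j] - d) % N
                if any(row):               # T-T collisions and duplicate draws carry no information
                    eqs.append((row, (c - a) % N))
    return eqs


def solve_mod_prime(eqs: List[Equation], m: int) -> Optional[List[int]]:
    """Gauss-Jordan elimination over GF(N).  Returns None when the collected
    equations do not have full rank m, i.e. the independence assumption fails."""
    rows = [coeffs + [rhs] for coeffs, rhs in eqs]
    for col in range(m):
        piv = next((r for r in range(col, len(rows)) if rows[r][col]), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, N)
        rows[col] = [v * inv % N for v in rows[col]]
        for r in range(len(rows)):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(v - f * p) % N for v, p in zip(rows[r], rows[col])]
    return [rows[k][m] for k in range(m)]


def recover_keys(pubkeys: List[int], n: int, seed: int = 1,
                 max_rounds: int = 8) -> Optional[List[int]]:
    """Grow Omega round by round until the collision system determines every x_i."""
    rng = random.Random(seed)
    omega: Dict[int, List[Entry]] = {}
    m = len(pubkeys)
    for _ in range(max_rounds):
        sample_omega(pubkeys, n, rng, omega)
        solution = solve_mod_prime(collision_equations(omega, m), m)
        if solution is not None:
            return solution
    return None


if __name__ == "__main__":
    secrets = [17, 400, 999]                       # constructed private exponents
    pubkeys = [pow(G, x, P) for x in secrets]
    print("recovered:", recover_keys(pubkeys, n=40, seed=7), "expected:", secrets)
```

With m = 3 and n = 40 the first round already puts |Ω| = 240 elements into a group of order 1019, well past the √N ≈ 32 birthday threshold, so dozens of colliding pairs appear; the dict keyed by element value is the memory cost the summary points out, since every element of Ω has to be stored until the collisions are read off.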

The paper also suggests combining the method with the Pohlig-Hellman decomposition: factor the group order, solve DLP in each prime-power subgroup using the same birthday-collision technique, and then recombine the results. While theoretically sound, this hybrid approach offers no clear benefit over standard Pohlig-Hellman or index-calculus methods for finite-field groups.

Critically, the manuscript suffers from several deficiencies. The definition of a “collision” and its translation into a linear equation assumes that g is a primitive root and that the exponents are taken modulo N, but these conditions are not explicitly stated. The independence of the resulting equations is taken for granted without rigorous justification; in practice, collisions may be highly correlated, reducing the effective rank of the system. The probability analysis, while reminiscent of the classic birthday bound, is applied to a multi-set setting without accounting for dependencies between the S_i and T_i families. Moreover, the paper provides no experimental data to substantiate the claimed 0.99 success probability or the claimed reduction in multiplications. Without concrete benchmarks against BSGS, Pollard-Rho, or existing index-calculus implementations, the practical relevance remains unclear.

In summary, the work introduces an interesting conceptual link between the birthday paradox and discrete logarithms, but the algorithmic contribution is essentially a rephrasing of known collision-based techniques. The lack of rigorous proofs, missing implementation results, and optimistic assumptions about equation independence limit its impact. Future work would need to address these gaps, provide detailed performance measurements, and clarify under which parameter regimes the proposed method truly outperforms established DLP solvers.
