With a
Given a primitive root
It is the modular analogue of an ordinary
It behaves like a logarithm in a second way too: it turns multiplication into addition. Modulo
Not strictly — but it has to be able to reach the target. If
Why call it "discrete"? An ordinary logarithm lives on a smooth number line — you could sketch
Solve
There it is at the fifth step:
Try a second one modulo
Six steps this time:
Nobody actually solves discrete logs by listing every power one at a time; there are cleverer
methods. The simplest is baby-step giant-step: instead of trudging through all
Real cryptographic attacks use even more sophisticated methods still (with names like the number field sieve), which shave the exponent down further without ever making it polynomial. That's the crucial detail: every known classical improvement makes the climb a little gentler, but none of them turn the mountain into a hill.
This lopsidedness — trivial one way, brutal the other — is exactly the kind of "one-way function" cryptography is built from: something anyone can compute, but that (almost) nobody can undo.
It's easy to slip into saying the discrete logarithm problem is proven impossible to solve quickly. It isn't — nobody has ever proved that a fast classical algorithm can't exist. All anyone can honestly say is that decades of trying, by very smart, very motivated people, haven't found one. That's strong evidence, not a mathematical guarantee. The entire security of Diffie–Hellman and its relatives rests on this unproven — if extensively battle-tested — assumption.
There's a sharper reason to stay humble about it, too: a large-scale quantum computer running Shor's algorithm could solve the discrete logarithm problem efficiently, collapsing the "hard" direction back down to easy. Such machines don't exist yet at the size needed to threaten real cryptographic primes, but the possibility is exactly why researchers are already building "post-quantum" alternatives that don't lean on this one assumption.
So how big a prime is actually safe? Researchers occasionally attack smaller discrete logs on purpose, just to measure how far the "hard" side has really been pushed. In 2019, a team of cryptographers solved a discrete logarithm modulo a carefully chosen 795-bit prime (about 240 decimal digits) — a new record at the time. It took the equivalent of roughly thousands of years of computing time on a single computer, spread across a cluster of machines running for months.
That sounds terrifying until you compare it with what's actually used in practice: modern systems favour primes of 2048 bits or more — not merely twice as big as the record, but astronomically harder, because the difficulty grows exponentially with the number of digits. The record-breaking effort is exactly the kind of evidence behind the word "believed" in "believed hard" — nobody has proven it, but the gap between what's crackable and what's actually deployed keeps getting checked, and it keeps holding.
This asymmetry lets two strangers agree on a shared secret over a public channel, in full view of
anyone listening. Alice and Bob publicly fix
a key only they share. An eavesdropper sees
Whitfield Diffie and Martin Hellman published this idea in 1976, in a paper called "New Directions in Cryptography" — with an important contribution from Ralph Merkle, whose earlier work on secure communication over insecure channels helped inspire it. At the time it felt like magic: for the entire history of cryptography, both sides of a conversation had needed to secretly share a key before they could talk. Diffie, Hellman and Merkle showed that strangers could build a shared secret live, in public, with no prior meeting at all.
Decades later, it emerged that British intelligence had gotten there first — and told no one. Between 1969 and 1974, mathematicians James Ellis, Clifford Cocks and Malcolm Williamson at GCHQ had independently worked out essentially the same idea (Cocks's version even anticipated what we now call RSA), but it was classified as a state secret and only declassified in 1997. The public world of cryptography had to reinvent it from scratch — a reminder that a beautiful piece of mathematics has a way of getting discovered more than once.
Every time your browser shows a little padlock icon, there's a good chance this exact hard problem is quietly at work behind the scenes. Diffie–Hellman key exchange (and its modern cousin, elliptic-curve Diffie–Hellman) is one of the handshakes that sets up an encrypted HTTPS connection, letting your laptop and a bank's server that have never met before agree on a secret key while an attacker watches every byte fly past.
Move the same idea onto elliptic curves instead of ordinary modular arithmetic, and you get the elliptic-curve discrete logarithm problem — believed even harder, for a given key size, than the version here. That's why elliptic-curve cryptography can use much shorter keys than classic Diffie–Hellman while staying just as hard to break. One unproven assumption, sitting quietly underneath nearly every secure connection on the internet today.