In computational number theory, the index calculus algorithm is a probabilistic algorithm for computing discrete logarithms. Dedicated to the discrete logarithm in ${\displaystyle (\mathbb {Z} /q\mathbb {Z} )^{*}}$ where ${\displaystyle q}$ is a prime, index calculus leads to a family of algorithms adapted to finite fields and to some families of elliptic curves. The algorithm collects relations among the discrete logarithms of small primes, computes them by a linear algebra procedure and finally expresses the desired discrete logarithm with respect to the discrete logarithms of small primes.

Roughly speaking, the discrete log problem asks us to find an x such that ${\displaystyle g^{x}\equiv h{\pmod {n}}}$, where g, h, and the modulus n are given.

The algorithm (described in detail below) applies to the group ${\displaystyle (\mathbb {Z} /q\mathbb {Z} )^{*}}$ where q is prime. It requires a factor base as input. This factor base is usually chosen to be the number −1 and the first r primes starting with 2. From the point of view of efficiency, we want this factor base to be small, but in order to solve the discrete log for a large group we require the factor base to be (relatively) large. In practical implementations of the algorithm, those conflicting objectives are compromised one way or another.

The algorithm is performed in three stages. The first two stages depend only on the generator g and prime modulus q, and find the discrete logarithms of a factor base of r small primes. The third stage finds the discrete log of the desired number h in terms of the discrete logs of the factor base.

The first stage consists of searching for a set of r linearly independent relations between the factor base and power of the generator g. Each relation contributes one equation to a system of linear equations in r unknowns, namely the discrete logarithms of the r primes in the factor base. This stage is embarrassingly parallel and easy to divide among many computers.

The second stage solves the system of linear equations to compute the discrete logs of the factor base. A system of hundreds of thousands or millions of equations is a significant computation requiring large amounts of memory, and it is not embarrassingly parallel, so a supercomputer is typically used. This was considered a minor step compared to the others for smaller discrete log computations. However, larger discrete logarithm records^[1][2] were made possible only by shifting the work away from the linear algebra and onto the sieve (i.e., increasing the number of equations while reducing the number of variables).

The third stage searches for a power s of the generator g which, when multiplied by the argument h, may be factored in terms of the factor base g^sh = (−1)^f₀ 2^f₁ 3^f₂···p_r^f_r.

Finally, in an operation too simple to really be called a fourth stage, the results of the second and third stages can be rearranged by simple algebraic manipulation to work out the desired discrete logarithm x = f₀log_g(−1) + f₁log_g2 + f₂log_g3 + ··· + f_rlog_gp_r − s.

The first and third stages are both embarrassingly parallel, and in fact the third stage does not depend on the results of the first two stages, so it may be done in parallel with them.

The choice of the factor base size r is critical, and the details are too intricate to explain here. The larger the factor base, the easier it is to find relations in stage 1, and the easier it is to complete stage 3, but the more relations you need before you can proceed to stage 2, and the more difficult stage 2 is. The relative availability of computers suitable for the different types of computation required for stages 1 and 2 is also important.

The lack of the notion of prime elements in the group of points on elliptic curves makes it impossible to find an efficient factor base to run index calculus method as presented here in these groups. Therefore this algorithm is incapable of solving discrete logarithms efficiently in elliptic curve groups. However: For special kinds of curves (so called supersingular elliptic curves) there are specialized algorithms for solving the problem faster than with generic methods. While the use of these special curves can easily be avoided, in 2009 it has been proven that for certain fields the discrete logarithm problem in the group of points on general elliptic curves over these fields can be solved faster than with generic methods. The algorithms are indeed adaptations of the index calculus method.^[3]

Input: Discrete logarithm generator ${\displaystyle g}$, modulus ${\displaystyle q}$ and argument ${\displaystyle h}$. Factor base ${\displaystyle \{-1,2,3,5,7,11,\ldots ,p_{r}\}}$, of length ${\displaystyle r+1}$.
Output: ${\displaystyle x}$ such that ${\displaystyle g^{x}=h\mod q}$.

• relations ← empty_list
• for ${\displaystyle k=1,2,\ldots }$
  • Using an integer factorization algorithm optimized for smooth numbers, try to factor ${\displaystyle g^{k}{\bmod {q}}}$ (Euclidean residue) using the factor base, i.e. find ${\displaystyle e_{i}}$'s such that ${\displaystyle g^{k}{\bmod {q}}=(-1)^{e_{0}}2^{e_{1}}3^{e_{2}}\cdots p_{r}^{e_{r}}}$
  • Each time a factorization is found:
    • Store ${\displaystyle k}$ and the computed ${\displaystyle e_{i}}$'s as a vector ${\displaystyle (e_{0},e_{1},e_{2},\ldots ,e_{r},k)}$ (this is a called a relation)
    • If this relation is linearly independent to the other relations:
      • Add it to the list of relations
      • If there are at least ${\displaystyle r+1}$ relations, exit loop
• Form a matrix whose rows are the relations
• Obtain the reduced echelon form of the matrix
  • The first element in the last column is the discrete log of ${\displaystyle -1}$ and the second element is the discrete log of ${\displaystyle 2}$ and so on
• for ${\displaystyle s=1,2,\ldots }$
  • Try to factor ${\displaystyle g^{s}h{\bmod {q}}=(-1)^{f_{0}}2^{f_{1}}3^{f_{2}}\cdots p_{r}^{f_{r}}}$ over the factor base
  • When a factorization is found:
    • Output ${\displaystyle x=f_{0}\log _{g}(-1)+f_{1}\log _{g}2+\cdots +f_{r}\log _{g}p_{r}-s.}$

Assuming an optimal selection of the factor base, the expected running time (using L-notation) of the index-calculus algorithm can be stated as ${\displaystyle L_{n}[1/2,{\sqrt {2}}+o(1)]}$.

The basic idea of the algorithm is due to Western and Miller (1968),^[4] which ultimately relies on ideas from Kraitchik (1922).^[5] The first practical implementations followed the 1976 introduction of the Diffie-Hellman cryptosystem which relies on the discrete logarithm. Merkle's Stanford University dissertation (1979) was credited by Pohlig (1977) and Hellman and Reyneri (1983), who also made improvements to the implementation.^[6][7] Adleman optimized the algorithm and presented it in the present form.^[8]

Index Calculus inspired a large family of algorithms. In finite fields ${\displaystyle \mathbb {F} _{q}}$ with ${\displaystyle q=p^{n}}$ for some prime ${\displaystyle p}$, the state-of-art algorithms are the Number Field Sieve for Discrete Logarithms, ${\textstyle L_{q}\left[1/3,{\sqrt[{3}]{64/9}}\,\right]}$, when ${\displaystyle p}$ is large compared to ${\displaystyle q}$,^[9] the function field sieve, ${\textstyle L_{q}\left[1/3,{\sqrt[{3}]{32/9}}\,\right]}$,^[9] and Joux,^[10] ${\displaystyle L_{q}\left[1/4+\varepsilon ,c\right]}$ for ${\displaystyle c>0}$, when ${\displaystyle p}$ is small compared to ${\displaystyle q}$ and the Number Field Sieve in High Degree, ${\displaystyle L_{q}[1/3,c]}$ for ${\displaystyle c>0}$ when ${\displaystyle p}$ is middle-sided. Discrete logarithm in some families of elliptic curves can be solved in time ${\displaystyle L_{q}\left[1/3,c\right]}$ for ${\displaystyle c>0}$, but the general case remains exponential.

• Discrete logarithms in finite fields and their cryptographic significance, by Andrew Odlyzko
• Discrete Logarithm Problem, by Chris Studholme, including the June 21, 2002 paper "The Discrete Log Problem".
• A. Menezes; P. van Oorschot; S. Vanstone (1997). Handbook of Applied Cryptography. CRC Press. pp. 107–109. ISBN 0-8493-8523-7.