Baby-Step Giant-Step: The Elegance of Trading βn for βn
Zinan Huang / 2026-04-06
Given $g$, $h$, $p$, find $x$ such that $g^x \equiv h \pmod{p}$. Brute force costs $O(p)$, but there’s a beautiful trick that brings it down to $O(\sqrt{p})$. The price? $O(\sqrt{p})$ space. This is Baby-Step Giant-Step.
The Discrete Logarithm Problem
Let me set up the problem precisely. We’re given a prime $p$, a generator $g$ (meaning the powers of $g$ hit every nonzero element of $\mathbb{Z}/p\mathbb{Z}$), and a target value $h$. We want to find an integer $x$ satisfying:
$$g^x \equiv h \pmod{p}.$$This is the discrete logarithm problem (DLP). It’s called a “logarithm” because it’s the inverse of exponentiation in modular arithmetic β just like $\log$ inverts $\exp$ over the reals.
Why does this matter? Because Diffie-Hellman key exchange, ElGamal encryption, DSA signatures β the entire edifice of classical public-key cryptography β rests on one belief: DLP has no efficient algorithm. If you could solve DLP fast, all of these systems collapse.
Brute Force: $O(p)$
The most straightforward approach: try $x = 0, 1, 2, \ldots$ one at a time.
$$g^0, \; g^1, \; g^2, \; \ldots$$Stop when you hit some $x$ with $g^x \equiv h$. Since $g$ is a generator, such an $x$ always exists and lies in $[0, p-2]$. But in the worst case you need $p - 1$ trials.
When $p$ has a few hundred decimal digits, $O(p)$ is indistinguishable from “never finishes.”
The Key Idea: Split $x$ in Two
The core observation behind Baby-Step Giant-Step (BSGS) is disarmingly simple. Set $m = \lceil\sqrt{p}\rceil$ and write $x$ as:
$$x = im + j, \quad 0 \leq i < m, \quad 0 \leq j < m.$$Here $i$ is the “quotient” and $j$ is the “remainder.” Since $im + j$ covers $[0, m^2 - 1] \supseteq [0, p-2]$, no valid $x$ is missed.
Substitute into the original equation:
$$g^{im+j} \equiv h \pmod{p}.$$Multiply both sides by $g^{-im} = (g^m)^{-i}$:
$$g^j \equiv h \cdot (g^{-m})^i \pmod{p}.$$Pause and look at this for a second. The left side depends only on $j$. The right side depends only on $i$. That means we can enumerate each side independently and look for a collision.
Baby Steps: Build the Table
First, precompute the left side. For $j = 0, 1, \ldots, m-1$, compute $g^j \bmod p$ and store it in a hash table:
$$\text{table}[g^j \bmod p] = j.$$This takes $m$ modular multiplications and $O(m)$ space. Each step just multiplies the previous result by $g$ β small, incremental steps. That’s why they’re called baby steps.
Giant Steps: Search the Table
Now enumerate the right side. First compute $g^{-m} \bmod p$ (using Fermat’s little theorem: $g^{-m} \equiv g^{p-1-m} \pmod{p}$, or the extended Euclidean algorithm). Then compute successively:
$$h, \quad h \cdot g^{-m}, \quad h \cdot g^{-2m}, \quad \ldots$$Each multiplication by $g^{-m}$ jumps $m$ positions in exponent space β giant steps.
For each $i = 0, 1, \ldots, m-1$, compute $h \cdot (g^{-m})^i \bmod p$ and look it up in the hash table. If there’s a match, then:
$$g^j \equiv h \cdot (g^{-m})^i \pmod{p},$$which means $g^{im+j} \equiv h$, so $x = im + j$.
Complexity
- Baby steps: $m = O(\sqrt{p})$ modular multiplications + $O(\sqrt{p})$ space for the hash table.
- Giant steps: at most $m = O(\sqrt{p})$ modular multiplications + $O(1)$ hash lookups per step.
- Total: $O(\sqrt{p})$ time, $O(\sqrt{p})$ space.
From $O(p)$ down to $O(\sqrt{p})$ β a square-root speedup. If $p$ has $n$ digits, brute force needs $O(10^n)$ operations; BSGS needs only $O(10^{n/2})$.
At its heart, this is a time-space tradeoff. We spend $O(\sqrt{p})$ extra storage to save $O(\sqrt{p})$ in time. Without the space, you’re stuck with brute force. With it, you unlock a meet-in-the-middle strategy: build a table, then search it.
A Worked Example
Take $p = 29$, $g = 2$, $h = 5$. Find $x$ such that $2^x \equiv 5 \pmod{29}$.
Set $m = \lceil\sqrt{29}\rceil = 6$.
Baby steps β compute $2^j \bmod 29$:
| $j$ | $2^j \bmod 29$ |
|---|---|
| 0 | 1 |
| 1 | 2 |
| 2 | 4 |
| 3 | 8 |
| 4 | 16 |
| 5 | 3 |
Store the table: $\\{1 \mapsto 0, \; 2 \mapsto 1, \; 4 \mapsto 2, \; 8 \mapsto 3, \; 16 \mapsto 4, \; 3 \mapsto 5\\}$.
Compute $g^{-m}$ β we need $2^{-6} \bmod 29$. First, $2^6 = 64 \equiv 6 \pmod{29}$, so $2^{-6} \equiv 6^{-1} \pmod{29}$. To find $6^{-1}$, use Fermat’s little theorem: for prime $p$, $a^{-1} \equiv a^{p-2} \pmod{p}$. So $6^{-1} \equiv 6^{27} \pmod{29}$. Fast exponentiation gives $6^{27} \bmod 29 = 5$. (Check: $6 \times 5 = 30 \equiv 1 \pmod{29}$. β) So $g^{-m} = 5$.
Giant steps β compute $h \cdot 5^i \bmod 29$:
| $i$ | $5 \cdot 5^i \bmod 29$ | In table? |
|---|---|---|
| 0 | $5$ | No |
| 1 | $5 \cdot 5 = 25$ | No |
| 2 | $25 \cdot 5 = 125 \equiv 9$ | No |
| 3 | $9 \cdot 5 = 45 \equiv 16$ | Yes! $j = 4$ |
Collision! $i = 3$, $j = 4$. So $x = im + j = 3 \times 6 + 4 = 22$.
Verification: $2^{22} = 4{,}194{,}304$. Dividing, $4{,}194{,}304 = 144{,}631 \times 29 + 5$. Indeed $2^{22} \equiv 5 \pmod{29}$. Done.
Total: $6 + 4 = 10$ modular operations. Brute force would have taken 22. At real-world scales, the gap is exponential.
Cryptographic Significance
BSGS is the baseline attack against DLP. It tells us: if the group has order $n$, anyone can solve the discrete logarithm in $O(\sqrt{n})$ time.
This directly dictates security parameter choices. If you want an attacker to need at least $2^{128}$ steps, and the best generic attack runs in $O(\sqrt{n})$, then you need $\sqrt{n} \geq 2^{128}$, i.e., $n \geq 2^{256}$. That’s why elliptic curve cryptography (ECC) typically uses 256-bit groups.
Of course, for DLP over $\mathbb{Z}/p\mathbb{Z}$ specifically, there are better algorithms than BSGS β Pollard’s rho ($O(\sqrt{p})$ time but only $O(1)$ space), index calculus (sub-exponential time). BSGS isn’t the strongest attack. Its value is that it’s the most transparent one: the idea is completely exposed, no probabilistic tricks, pure algebra plus data structures.
Baby Steps and Giant Steps: A Journey of a Thousand Miles
There’s a line from the Xunzi that I keep coming back to: δΈη§―θ·¬ζ₯οΌζ δ»₯θ³ει β “without accumulating small steps, you cannot reach a thousand miles.” Baby-Step Giant-Step is, in a way, a mathematical proof of this.
The baby steps are the daily grind: $g^0, g^1, g^2, \ldots$, one exponent at a time, building a comprehensive map of the territory. The giant steps are the leaps β each multiplication by $g^{-m}$ covers $\sqrt{p}$ positions at once, rapidly narrowing in on the answer.
Neither works alone. Baby steps without giant steps is brute force β thorough but slow. Giant steps without baby steps land blindly β you leap but can’t match. The two are not sequential but complementary: you need the table before you can search it. $\sqrt{n}$ baby steps + $\sqrt{n}$ giant steps = coverage of the entire space of $n$.
I think about this when I do my daily reflections and monthly reviews. The daily entries are baby steps β small, consistent, building a detailed record. The monthly synthesis is a giant step β zooming out, spotting patterns, making connections I couldn’t see day by day. One without the other misses the point. Together, they cover ground neither could alone.
Daniel Shanks probably wasn’t thinking about self-reflection when he invented this algorithm in 1971. But clean mathematical ideas have a way of traveling further than their inventors imagined.
Baby-Step Giant-Step was introduced by Daniel Shanks in 1971. It belongs to the family of generic group algorithms β it doesn’t exploit any special structure of the group and works for any cyclic group. Shoup (1997) proved that in the generic group model, $\Omega(\sqrt{p})$ is a lower bound for DLP, so BSGS is optimal in this sense.
References
- D. Shanks, “Class number, a theory of factorization, and genera,” Proc. Symp. Pure Math., vol. 20, pp. 415β440, AMS, 1971.
- V. Shoup, “Lower bounds for discrete logarithms and related problems,” EUROCRYPT ‘97, LNCS 1233, pp. 256β266, 1997.
- A. J. Menezes, P. C. van Oorschot, S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996. Chapter 3.