I was wondering why some groups provide more security to cryptosystems relying on DL-Problem.
It is not clear to me wether it is just due to the known attacks or if there are some other reasons. So why do some elliptic curves provide the highest security and the group $(\mathbb{Z}/n\mathbb{Z},+)$ is considered as not being a good choice.
Thank you for your answers!
Generally the more structure there is the easier it is to solve.
Over $F_p^+$, the discrete log problem is just $a=kb\pmod p$. We can compute $\frac1b\pmod p$ easily with the extended Euclidean algorithm and then compute $k=\frac ab\pmod p$. This can be done in polynomial time in $\log p$, which is extremely bad as to compute $kb\pmod p$, it is also polynomial in $\log p$.
$F_p^*$ is harder since it is solving $a=b^k\pmod p$ for $k$ and there is no known fast algorithms, in fact this problem is equivalent to factoring of a number. Currently number sieves algorithms are the fastest known for this, but still runs in polynomial in $p$
Elliptic curves are even harder as the group operation takes longer to compute and more importantly there's not really a analogous number field sieve algorithm for it. Some recent progress for solving the ECDLP is can be found at Recent progress on the elliptic curve discrete logarithm problem
Now assume that we know nothing about the group structure and only have a multiplication oracle for the group, there is a lower bound for how many queries must be sent to the oracle on average to solve the discrete log problem, found in the paper Lower Bounds for Discrete Logarithms and Related Problems, which is also worse than ECDLP.
Finally as a small note, the discrete log problems and factoring are part of hidden subgroup problems for finite abelian groups, which can be solved easily by quantum computers with Shor's algorithm. Similarly if a analogous algorithm is found for classical computers that is feasible to run, the discrete log problem is broken.