A Birthday Paradox for Markov Chains, with an Optimal Bound for Collision in the Pollard Rho Algorithm for Discrete Logarithm

We show a Birthday Paradox for self-intersections of Markov chains with uniform stationary distribution. As an application, we analyze Pollard's Rho algorithm for finding the discrete logarithm in a cyclic group G and find that, if the partition in the algorithm is given by a random oracle, then with high probability a collision occurs in Θ(√|G|) steps. This is the first proof of the correct bound which does not assume that every step of the algorithm produces an i.i.d. sample from G.
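As an added illustration (not code from the paper), here is the walk the abstract analyses: Pollard rho for the discrete log g^x = h in a prime-order subgroup of Z_p^*, with the three-way partition supplied by a random function drawn once from a seeded PRNG (the random-oracle model), Floyd cycle detection, and a count of steps to collision to compare against √|G|. The instance p = 1019, n = 509, g = 4 mentioned below is constructed.

```python
import math
import random

def pollard_rho_dlog(g, h, p, n, seed=0):
    """Solve g^x = h in the prime-order-n subgroup of Z_p^* generated by g.
    Walk on y = g^a * h^b; the move applied to y is chosen by a random-oracle
    partition (a table mapping each residue mod p to a class in {0,1,2}, drawn
    once from a seeded PRNG).  Floyd's tortoise/hare detects the collision.
    Returns (x, tortoise_steps)."""
    rng = random.Random(seed)
    part = [rng.randrange(3) for _ in range(p)]       # the "random oracle"

    def step(y, a, b):
        c = part[y]
        if c == 0:
            return y * h % p, a, (b + 1) % n            # y -> y*h
        if c == 1:
            return y * y % p, 2 * a % n, 2 * b % n      # y -> y^2
        return y * g % p, (a + 1) % n, b                # y -> y*g

    while True:
        a0, b0 = rng.randrange(n), rng.randrange(n)     # random start point
        y0 = pow(g, a0, p) * pow(h, b0, p) % p
        tort = hare = (y0, a0, b0)
        steps = 0
        while True:
            tort = step(*tort)
            hare = step(*step(*hare))
            steps += 1
            if tort[0] == hare[0]:                      # collision found
                break
        _, a1, b1 = tort
        _, a2, b2 = hare
        db = (b2 - b1) % n
        if db == 0:
            continue   # degenerate collision (equal exponents): restart the walk
        # g^(a1-a2) = h^(b2-b1) = g^(x(b2-b1))  =>  x = (a1-a2)/(b2-b1) mod n
        return (a1 - a2) * pow(db, -1, n) % n, steps

def collision_ratio(g, p, n, trials=20):
    """Return (instances solved, mean tortoise_steps / sqrt(n)) over trials."""
    solved, total = 0, 0.0
    for s in range(trials):
        x_true = random.Random(1000 + s).randrange(1, n)   # constructed instance
        x, steps = pollard_rho_dlog(g, pow(g, x_true, p), p, n, seed=s)
        solved += int(x == x_true)
        total += steps / math.sqrt(n)
    return solved, total / trials
```

For the constructed instance (safe prime p = 1019, n = (p-1)/2 = 509, g = 4 of order n), `pollard_rho_dlog(4, pow(4, 123, 1019), 1019, 509)` returns `(123, steps)` with `steps` on the order of √509 ≈ 22.6, and `collision_ratio(4, 1019, 509)` reports the mean steps/√n over 20 instances, which is what the Θ(√|G|) bound predicts should stay near a small constant.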