Using Equivalence Classes to Accelerate Solving the Discrete Logarithm Problem in a Short Interval

The Pollard kangaroo method solves the discrete logarithm problem (DLP) in an interval of size $N$ with heuristic average-case expected running time of approximately $2\sqrt{N}$ group operations. It is well known that the Pollard rho method can be sped up by using equivalence classes (such as orbits of points under an efficiently computed group homomorphism), but such ideas have not been used for the DLP in an interval. Indeed, it seems impossible to implement the standard kangaroo method with equivalence classes. The main result of the paper is an algorithm, building on work of Gaudry and Schost, that solves the DLP in an interval of size $N$ with heuristic average-case expected running time close to $1.36\sqrt{N}$ group operations for groups with fast inversion. In practice the algorithm is not quite this fast, due to the usual problems with pseudorandom walks, such as fruitless cycles. In addition, we present experimental results.
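The baseline the abstract starts from, the standard kangaroo method, is shown here as an added example (not code from the paper, and not its equivalence-class algorithm). It makes concrete why an exponent confined to an interval of size $N$ costs only on the order of $\sqrt{N}$ group operations to recover. Assumptions: the toy group (modulus `P`, generator `G`), the power-of-two jump set and the step budget are constructed for illustration, and every visited point is stored instead of only distinguished points.

```python
from math import isqrt

P = 2**31 - 1  # constructed toy modulus (a Mersenne prime); far too small for real use
G = 7          # primitive root modulo P, so G has order P - 1

def kangaroo(h, n, p=P, g=G):
    """Search for a in [0, n) with g^a = h (mod p).

    Returns (a, group_ops), or (None, group_ops) if the step budget runs out.
    """
    root = isqrt(n)
    # Jump lengths 1, 2, 4, ..., 2^(k-1), with k chosen so the mean is at most sqrt(n)/2.
    k = 1
    while (2 ** (k + 1) - 1) // (k + 1) <= max(1, root // 2):
        k += 1
    jumps = [2 ** i for i in range(k)]
    jump_elems = [pow(g, s, p) for s in jumps]

    # state[kind] = (group element, known part of its exponent)
    # tame: element = g^d, started mid-interval; wild: element = h * g^d
    state = {"tame": (pow(g, n // 2, p), n // 2), "wild": (h % p, 0)}
    seen = {}  # element -> (kind, d); a practical version keeps distinguished points only
    ops = 0
    for _ in range(64 * root + 64):  # assumed budget, far above the expected 2*sqrt(n)
        for kind in ("tame", "wild"):
            x, d = state[kind]
            hit = seen.get(x)
            if hit is not None and hit[0] != kind:
                # Tame and wild walks met: g^tame_d = h * g^wild_d
                tame_d, wild_d = (d, hit[1]) if kind == "tame" else (hit[1], d)
                a = (tame_d - wild_d) % (p - 1)
                if a < n and pow(g, a, p) == h % p:
                    return a, ops
            seen[x] = (kind, d)
            i = x % k  # pseudorandom jump choice determined by the element itself
            state[kind] = (x * jump_elems[i] % p, d + jumps[i])
            ops += 1
    return None, ops
```

For an interval of size $2^{20}$ the returned operation count can be compared against $2\sqrt{N} = 2048$; an exhaustive search would need up to $2^{20}$ operations.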
