Computing discrete logarithms in an interval

The discrete logarithm problem in an interval of size N in a group G is: given g, h ∈ G and an integer N, find an integer 0 ≤ n ≤ N, if it exists, such that h = g^n. Previously the best low-storage algorithm to solve this problem was the van Oorschot and Wiener version of the Pollard kangaroo method. The heuristic average case running time of this method is (2 + o(1))√N group operations. We present two new low-storage algorithms for the discrete logarithm problem in an interval of size N. The first algorithm is based on the Pollard kangaroo method, but uses 4 kangaroos instead of the usual two. We explain why this algorithm has heuristic average case expected running time of (1.714 + o(1))√N group operations. The second algorithm is based on the Gaudry-Schost algorithm and the ideas of our first algorithm. We explain why this algorithm has heuristic average case expected running time of (1.660 + o(1))√N group operations. We give experimental results showing that the methods perform close to what the theoretical analysis predicts.
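As an added illustration (not code from the paper), the sketch below implements the baseline two-kangaroo method with distinguished points for the interval problem stated above; it is not the four-kangaroo or Gaudry-Schost variant. Assumptions: G is the multiplicative group modulo a prime p, and the name `kangaroo_dlog`, the power-of-two jump set, the distinguished-point rule and the retry seeds are illustrative choices.

```python
from math import isqrt

def kangaroo_dlog(g, h, N, p, max_tries=16):
    """Return n in [0, N] with pow(g, n, p) == h % p, or None if none is found."""
    h %= p
    root = isqrt(N) + 1
    k = 1
    while (2**k - 1) // k < root // 2 + 1:    # mean jump of roughly sqrt(N)/2
        k += 1
    jumps = [1 << i for i in range(k)]        # jump lengths 1, 2, 4, ...
    g_jumps = [pow(g, s, p) for s in jumps]   # precomputed g^jump
    dp_mod = max(1, root // 16)               # ~1 in dp_mod points is distinguished
    for seed in range(max_tries):             # new pseudo-random walk per attempt
        # Each kangaroo is [position, distance, kind]:
        # tame sits at g^distance, wild at h * g^distance.
        herd = [[pow(g, N // 2, p), N // 2, "tame"], [h, 0, "wild"]]
        seen = {}                             # distinguished point -> (kind, distance)
        for _ in range(40 * root):            # step cap, then retry
            for roo in herd:
                x, d, kind = roo
                if (x // k) % dp_mod == 0:
                    hit = seen.get(x)
                    if hit and hit[0] != kind:
                        tame_d, wild_d = (d, hit[1]) if kind == "tame" else (hit[1], d)
                        n = tame_d - wild_d   # g^tame_d == h * g^wild_d
                        if 0 <= n <= N and pow(g, n, p) == h:
                            return n
                    seen.setdefault(x, (kind, d))
                i = (x + seed) % k            # walk depends only on the position
                roo[0], roo[1] = x * g_jumps[i] % p, d + jumps[i]
    return None

if __name__ == "__main__":
    # Constructed instance: p = 2^61 - 1 (prime), base 3, exponent below 10^6.
    p, g, N, secret = 2**61 - 1, 3, 10**6, 314159
    n = kangaroo_dlog(g, pow(g, secret, p), N, p)
    print(n, pow(g, n, p) == pow(g, secret, p))
```

Storage is limited to the distinguished points, about one per `dp_mod` steps, while the work grows with √N rather than N, which is why an exponent known to lie in a short interval gives only about half its bit length in security.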