Subset-Restricted Random Walks for Pollard rho Method on $\mathbb{F}_{p^m}$

In this paper, we propose a variant of the Pollard rho method. We use an iterating function whose image size is much smaller than its domain, so that it reaches a collision faster than the original iterating function. We also show explicitly how this general method can be applied to multiplicative subgroups of finite fields of large extension degree. The construction for finite fields uses a distinctive feature of the normal basis representation: when the underlying field has characteristic $p$, the $p$-th power of an element is just a cyclic shift of its normal basis representation. This makes our method appropriate for hardware implementations. On multiplicative subgroups of $\mathbb{F}_{p^m}$, our method shows a time complexity advantage over the original Pollard rho method by a factor of approximately $\sqrt{\frac{3p-3}{p}\,m}$. Through the MOV reduction, our method can be applied to pairing-based cryptosystems over binary or ternary fields. Hence our algorithm suggests that the order of the subgroups on which pairing-based cryptosystems rely needs to be increased by a factor of approximately $m$.
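The normal-basis feature the abstract relies on, and the way a Pollard rho walk can exploit a p-th power map that costs only a shift, in a small added example (Python; this is not the paper's code and not the paper's subset-restricted walk, whose definition is not given on this page). The field $\mathbb{F}_{2^7} = \mathbb{F}_2[x]/(x^7+x+1)$, the brute-force search for a normal element, and the r-adding walk on Frobenius orbits (the automorphism-class walk of Wiener and Zuccherato and of Gallant, Lambert and Vanstone) are my own choices. Each walk step first moves to the lexicographically smallest rotation of the point's normal-basis coordinates, which costs $m$ shifts and no field multiplication, and adjusts the exponent bookkeeping by the corresponding power of 2; collapsing each Frobenius orbit to one point is what yields a $\sqrt{m}$-type speedup.

```python
"""Normal-basis Frobenius as a cyclic shift, and a Pollard rho walk on
F_{2^7}^* that exploits it.  Added illustration, not the paper's code and
not its subset-restricted walk (that walk is not defined on this page).
Field, normal element search, and walk parameters are my own choices."""
import random

M = 7                    # extension degree
MOD = 0b10000011         # x^7 + x + 1, irreducible over F_2
N = (1 << M) - 1         # |F_{2^7}^*| = 127 is prime: every g != 1 generates
MASK = (1 << M) - 1

def gf_mul(a, b):
    """Multiply polynomial-basis elements (bit i <-> x^i) modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M & 1:
            a ^= MOD
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def rotl(c, k):
    """Cyclic left shift of an M-bit normal-basis coordinate vector."""
    k %= M
    return ((c << k) | (c >> (M - k))) & MASK

def normal_basis_table(alpha):
    """Map poly-basis element -> normal-basis coordinates (bit i <-> alpha^(2^i)),
    or None if the conjugates of alpha are not a basis.  Brute force: 2^M sums."""
    conj = [gf_pow(alpha, 1 << i) for i in range(M)]
    table = {}
    for c in range(1 << M):
        e = 0
        for i in range(M):
            if c >> i & 1:
                e ^= conj[i]
        table[e] = c
    return table if len(table) == 1 << M else None

def find_normal_element():
    for alpha in range(2, 1 << M):
        t = normal_basis_table(alpha)
        if t is not None:
            return alpha, t
    raise ValueError("no normal element; is MOD irreducible?")

ALPHA, NB = find_normal_element()
INV_NB = {c: e for e, c in NB.items()}

def squaring_is_shift():
    """The abstract's key fact: in characteristic 2, NB[e^2] == rotl(NB[e], 1)."""
    return all(NB[gf_mul(e, e)] == rotl(NB[e], 1) for e in NB)

def frobenius_rep(y):
    """Smallest rotation of y's coordinates and the k with y^(2^k) = that
    element: M shifts, no field multiplications."""
    c = NB[y]
    k = min(range(M), key=lambda i: rotl(c, i))
    return rotl(c, k), k

def pollard_rho_frobenius(g, h, seed=1, r=8):
    """Return x with g^x == h, walking on Frobenius classes of F_{2^7}^*.
    Invariant y = g^a h^b; y -> y^(2^k) multiplies a and b by 2^k mod N."""
    rng = random.Random(seed)
    while True:
        mults = [(rng.randrange(N), rng.randrange(N)) for _ in range(r)]
        melem = [gf_mul(gf_pow(g, u), gf_pow(h, v)) for u, v in mults]

        def step(state):
            y, a, b = state
            c, k = frobenius_rep(y)
            s = pow(2, k, N)
            j = c % r                              # r-adding walk on the class rep
            u, v = mults[j]
            return gf_mul(INV_NB[c], melem[j]), (a * s + u) % N, (b * s + v) % N

        a0, b0 = rng.randrange(N), rng.randrange(N)
        slow = fast = (gf_mul(gf_pow(g, a0), gf_pow(h, b0)), a0, b0)
        while True:                                # Floyd cycle finding
            slow, fast = step(slow), step(step(fast))
            if slow[0] == fast[0]:
                break
        (_, a1, b1), (_, a2, b2) = slow, fast
        if (b1 - b2) % N:                          # g^(a1-a2) = h^(b2-b1)
            return (a1 - a2) * pow(b2 - b1, -1, N) % N
        # b1 == b2: useless collision, retry with fresh walk parameters

if __name__ == "__main__":
    print("alpha =", ALPHA, "| squaring is a shift:", squaring_is_shift())
    print("log of g^100:", pollard_rho_frobenius(2, gf_pow(2, 100)))
```

Run the file directly: it reports the normal element found, confirms that squaring every field element equals a one-position rotation of its normal-basis coordinates, and recovers the exponent 100. The point to take from `frobenius_rep` is that choosing the orbit representative never touches `gf_mul`; in a hardware normal-basis multiplier the same operation is pure wiring, which is why the abstract singles out hardware implementations. With larger $m$ the walk spends the same work per step but on a set of points roughly $m$ times smaller.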
