On random walks for Pollard's rho method

Abstract: Abstract. We consider Pollard's rho method for discrete logarithm computation. Usually, in the analysis of its running time the assumption is made that a random walk in the underlying group is simulated. We show that this assumption does not hold for the walk originally suggested by Pollard: its performance is worse than in the random case. We study alternative walks that can be efficiently applied to compute discrete logarithms. We introduce a class of walks that lead to the same performance as expected in th… Show more

“…This approach has several minor advantages (for example, x is constant in each walk and need not be updated) and the major advantage of simulating a random walk quite well as r increases. See, e.g., [30], [33], and [5] for further discussion of the impact of r. The bottom line is that this method finds a discrete logarithm within ( π/2 + o(1)) 1/2 multiplications on average.…”

Computing Small Discrete Logarithms Faster

“…This approach has several minor advantages (for example, x is constant in each walk and need not be updated) and the major advantage of simulating a random walk quite well as r increases. See, e.g., [30], [33], and [5] for further discussion of the impact of r. The bottom line is that this method finds a discrete logarithm within ( π/2 + o(1)) 1/2 multiplications on average.…”

Computing Small Discrete Logarithms Faster

“…This implies these collisions not only have always occurred but the probability of a collision has also significantly increased if it compared with original method. It can be concluded that the proposed improved method will be better than the original pollard's Rho method and these alternative collisions can also be applied to previo us proposed improvements such that dividing the group into about 20 sets (Teske, 1998;2001). …”

“…Despite the fact that there are several attacking methods to resolve ECDLP, Pollard's Rho method (Pollard, 1980) not only is at present known as the fastest algorithm to resolve the discrete logarithm problem on elliptic curves, but its parallelized variant as well because its mathematical operations is less than other methods like Baby-Step Giant-Step (Shanks, 1971). This encourages researchers to utilise from automorphism of the group (Duursma et al, 1990), random walk on certain equivalence classes (Wiener and Zuccherato, 1999;Gallant et al, 2000), parallelization (Oorschot and Wiener, 1999), iteration function (Teske, 1998;2001), negation map (Wang and Zhang, 2012) or cycle detection (Brent, 1980;Cheon et al, 2012;Ezzouak et al, 2014) to improve this attacking method. This paper will provide a new approach by using the theorem that proposed by (Sadkhan and Neamah, 2011) to improve Pollard's Rho method which use alternative collisions to resolve the ECDLP.…”

New Collisions to Improve Pollard’s Rho Method of Solving the Discrete Logarithm Problem on Elliptic Curves

“…Assume we use an radding walk without the automorphism optimization (we take m = 1, where m is the cardinality of the group automorphism that is used). Experimental results from [35] suggest that using a larger r-value, such as r ≥ 16, results in practical behavior that is closer to a truly random walk and gives a run-time that is close to the expected πn 2 . This is in agreement with the heuristic analysis from [2, Appendix B], which refines the arguments from [10], where it is shown that the average number of pseudo-random group elements required to find a collision (and solve the DLP) using an r-adding walk is…”

Elliptic and Hyperelliptic Curves: A Practical Security Analysis