Abstract. We consider Pollard's rho method for discrete logarithm computation. Usually, in the analysis of its running time the assumption is made that a random walk in the underlying group is simulated. We show that this assumption does not hold for the walk originally suggested by Pollard: its performance is worse than in the random case. We study alternative walks that can be efficiently applied to compute discrete logarithms. We introduce a class of walks that lead to the same performance as expected in th…
“…This approach has several minor advantages (for example, x is constant in each walk and need not be updated) and the major advantage of simulating a random walk quite well as r increases. See, e.g., [30], [33], and [5] for further discussion of the impact of r. The bottom line is that this method finds a discrete logarithm within ( π/2 + o(1)) 1/2 multiplications on average.…”
Section: Review Of Generic Discrete-logarithm Algorithms (mentioning)
Abstract. Computations of small discrete logarithms are feasible even in "secure" groups, and are used as subroutines in several cryptographic protocols in the literature. For example, the Boneh-Goh-Nissim degree-2-homomorphic public-key encryption system uses generic square-root discrete-logarithm methods for decryption. This paper shows how to use a small group-specific table to accelerate these subroutines. The cost of setting up the table grows with the table size, but the acceleration also grows with the table size. This paper shows experimentally that computing a discrete logarithm in an interval of order takes only 1.93 · 1/3 multiplications on average using a table of size 1/3 precomputed with 1.21 · 2/3 multiplications, and computing a discrete logarithm in a group of order takes only 1.77 · 1/3 multiplications on average using a table of size 1/3 precomputed with 1.24 · 2/3 multiplications.
“…This implies these collisions not only have always occurred but the probability of a collision has also significantly increased if it is compared with the original method. It can be concluded that the proposed improved method will be better than the original Pollard's Rho method and these alternative collisions can also be applied to previous proposed improvements such that dividing the group into about 20 sets (Teske, 1998; 2001).…”
Section: Comparison Between Methods (mentioning)
confidence: 97%
“…Despite the fact that there are several attacking methods to resolve ECDLP, Pollard's Rho method (Pollard, 1980) not only is at present known as the fastest algorithm to resolve the discrete logarithm problem on elliptic curves, but its parallelized variant as well because its mathematical operations are less than other methods like Baby-Step Giant-Step (Shanks, 1971). This encourages researchers to utilise automorphism of the group (Duursma et al, 1990), random walk on certain equivalence classes (Wiener and Zuccherato, 1999; Gallant et al, 2000), parallelization (Oorschot and Wiener, 1999), iteration function (Teske, 1998; 2001), negation map (Wang and Zhang, 2012) or cycle detection (Brent, 1980; Cheon et al, 2012; Ezzouak et al, 2014) to improve this attacking method. This paper will provide a new approach by using the theorem proposed by (Sadkhan and Neamah, 2011) to improve Pollard's Rho method which uses alternative collisions to resolve the ECDLP.…”
It is true that different approaches have been utilised to accelerate the computation of the discrete logarithm problem on elliptic curves with Pollard's Rho method. However, trapping in fruitless cycles will be obtained by using the random walks with Pollard's Rho. An efficient alternative approach that is based on new collisions which are reliant on the values a_i, b_i to solve this problem is proposed. This may require fewer iterations than the original Pollard's Rho in reaching a collision. Thus, the performance of Pollard's Rho method is more efficient because the improved method not only reduces the number of mathematical operations but these collisions can also be applied to previous improvements which are reported in the literature.
“…Assume we use an r-adding walk without the automorphism optimization (we take m = 1, where m is the cardinality of the group automorphism that is used). Experimental results from [35] suggest that using a larger r-value, such as r ≥ 16, results in practical behavior that is closer to a truly random walk and gives a run-time that is close to the expected $\sqrt{\pi n/2}$. This is in agreement with the heuristic analysis from [2, Appendix B], which refines the arguments from [10], where it is shown that the average number of pseudo-random group elements required to find a collision (and solve the DLP) using an r-adding walk is…”
Abstract. Motivated by the advantages of using elliptic curves for discrete logarithm-based public-key cryptography, there is an active research area investigating the potential of using hyperelliptic curves of genus 2. For both types of curves, the best known algorithms to solve the discrete logarithm problem are generic attacks such as Pollard rho, for which it is well-known that the algorithm can be sped up when the target curve comes equipped with an efficiently computable automorphism. In this paper we incorporate all of the known optimizations (including those relating to the automorphism group) in order to perform a systematic security assessment of two elliptic curves and two hyperelliptic curves of genus 2. We use our software framework to give concrete estimates on the number of core years required to solve the discrete logarithm problem on four curves that target the 128-bit security level: on the standardized NIST CurveP-256, on a popular curve from the Barreto-Naehrig family, and on their respective analogues in genus 2.