Square-root algorithms for the discrete logarithm problem (a survey)

Teske, Edlyn

doi:10.1515/9783110881035.283

Cited by 31 publications

(35 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The attacker can then use Pollard's rho method or Pollard's kangaroo method to compute the discrete logarithm of this point, namely n. The main cost in either method is the cost of performing a huge number of additions of elliptic-curve points; both methods are almost perfectly parallelizable, with negligible communication costs. See [60], [52], [58], and [59].…”

Section: Generic Discrete Logarithms By the Rho And Kangaroo Methodsmentioning

confidence: 99%

Curve25519: New Diffie-Hellman Speed Records

Bernstein¹

2006

Lecture Notes in Computer Science

601

452

View full text Add to dashboard Cite

Abstract. This paper explains the design and implementation of a highsecurity elliptic-curve-Diffie-Hellman function achieving record-setting speeds: e.g., 832457 Pentium III cycles (with several side benefits: free key compression, free key validation, and state-of-the-art timing-attack protection), more than twice as fast as other authors' results at the same conjectured security level (with or without the side benefits).

show abstract

Section: Generic Discrete Logarithms By the Rho And Kangaroo Methodsmentioning

confidence: 99%

Curve25519: New Diffie-Hellman Speed Records

Bernstein¹

2006

Lecture Notes in Computer Science

601

452

View full text Add to dashboard Cite

show abstract

“…The number of successes (R ku :H(R ku ,B) = u) in these computations is a binomial random variable with parameters (2 l , 1/2 l ); hence these computations lead to a decomposed i-point with probability P rs = 1 − (1 − 1/2 l ) 2 l ≈ 1 − e −1 ≈ 0.63 > 1/2 for l sufficiently large. Pollard's rho algorithm [24,26,25] can be modified to take into account decomposed i-points detection, the resulting algorithm produces either a decomposed i-point or a discrete logarithm; this approach is expected to duplicate the efficiency of the rho algorithm.…”

Section: Attack 2 Hmqv Impersonation Ofâ Tobmentioning

confidence: 99%

“…The identity element in G is denoted1, Shank's method is deterministic, but requires a large storage; using the Pollard's Kangaroo method [24,25] …”

Section: Introductionmentioning

confidence: 99%

A Secure and Efficient Authenticated Diffie–Hellman Protocol

Sarr

Elbaz-Vincent

Bajard

2010

Public Key Infrastructures, Services and Applications

View full text Add to dashboard Cite

Abstract. The Exponential Challenge Response (XRC) and Dual Exponential Challenge Response (DCR) signature schemes are the building blocks of the HMQV protocol. We propose a complementary analysis of these schemes; on the basis of this analysis we show how impersonation and man in the middle attacks can be mounted against the HMQV protocol when some session specific information leakages happen. We define the Full Exponential Challenge Response (FXRC) and Full Dual Exponential Challenge Response (FDCR) signature schemes; using these schemes we propose the Fully Hashed MQV protocol (with security arguments), which preserves the remarkable performance of the (H)MQV protocols and resists the attacks we present.

show abstract

“…While the algorithms are of much interest in computational number theory and cryptography, there has been very little work on rigorous analyses. We refer the reader to [9] and other existing literature (e.g., [18,3]) for further cryptographic and number-theoretical motivation for the discrete logarithm problem.…”

Section: Introductionmentioning

confidence: 99%

Near Optimal Bounds for Collision in Pollard Rho for Discrete Log

Kim¹,

Montenegro²,

Tetali³

2007

48th Annual IEEE Symposium on Foundations of Computer Science (FOCS'07)

View full text Add to dashboard Cite

We analyze a fairly standard idealization of Pollard's Rho algorithm for finding the discrete logarithm in a cyclic group G. It is found that, with high probability, a collision occurs in O( |G| log |G| log log |G|) steps, not far from the widely conjectured value of Θ( |G|). This improves upon a recent result of Miller-Venkatesan which showed an upper bound of O( |G| log 3 |G|). Our proof is based on analyzing an appropriate nonreversible, non-lazy random walk on a discrete cycle of (odd) length |G|, and showing that the mixing time of the corresponding walk is O(log |G| log log |G|).

show abstract

Square-root algorithms for the discrete logarithm problem (a survey)

Cited by 31 publications

References 0 publications

Curve25519: New Diffie-Hellman Speed Records

Curve25519: New Diffie-Hellman Speed Records

A Secure and Efficient Authenticated Diffie–Hellman Protocol

Near Optimal Bounds for Collision in Pollard Rho for Discrete Log

Contact Info

Product

Resources

About