Square-Root Algorithms for the Discrete Logarithm Problem (a Survey)
 In Public Key Cryptography and Computational Number Theory, Walter de Gruyter, 2001
Abstract
The best algorithms to compute discrete logarithms in arbitrary groups (of prime order) are the baby-step giant-step method, the rho method and the kangaroo method. The first two have (expected) running time O(√n) group operations (n denoting the group order), thereby matching Shoup's lower bounds. While the baby-step giant-step method is deterministic but has large memory requirements, the rho and kangaroo methods are probabilistic but can be implemented very space-efficiently, and they can be parallelized with linear speedup. In this paper, we present the state of the art in these methods.
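To make the survey's comparison concrete, the following is an added example (not code from the survey or its authors) that runs baby-step giant-step next to the classical Pollard rho with Floyd cycle finding on a toy group. The group is an assumption chosen for illustration: the order-509 subgroup of Z_1019^* generated by g = 4 (1019 = 2·509 + 1 is a safe prime, so 4 = 2² has prime order 509), and the exponent 123 is a constructed test value. Baby-step giant-step stores ⌈√q⌉ = 23 table entries and always finds the answer; rho stores only two walk states and occasionally has to restart after a degenerate collision.

```python
"""Added example: baby-step giant-step versus Pollard rho on a toy
prime-order group (an assumption, not a real-world parameter set)."""
import math
import random

P = 1019          # safe prime 2*509 + 1 (assumption for the toy group)
Q = 509           # prime order of the subgroup <G>
G = 4             # generator of the order-Q subgroup of Z_P^*


def bsgs(g: int, h: int, p: int, q: int) -> int:
    """Deterministic: about 2*sqrt(q) group operations, sqrt(q) stored baby steps."""
    m = math.isqrt(q - 1) + 1            # ceil(sqrt(q)), so m*m >= q covers every x < q
    baby = {}
    y = 1
    for j in range(m):                   # baby steps: g^j -> j
        baby.setdefault(y, j)
        y = y * g % p
    giant = pow(g, q - m, p)             # g^(-m), valid because g has order q
    y = h
    for i in range(m):                   # giant steps: h * g^(-i*m)
        if y in baby:                    # h * g^(-i*m) == g^j  =>  x = i*m + j
            return (i * m + baby[y]) % q
        y = y * giant % p
    raise ValueError("h is not in the subgroup generated by g")


def _step(y, a, b, g, h, p, q):
    """Pollard's classical three-way partition of the group by y mod 3.
    Track y = g^a * h^b; the y*y branch is the squaring step."""
    r = y % 3
    if r == 0:
        return y * h % p, a, (b + 1) % q
    if r == 1:
        return y * y % p, 2 * a % q, 2 * b % q
    return y * g % p, (a + 1) % q, b


def pollard_rho(g: int, h: int, p: int, q: int, seed: int = 0, max_restarts: int = 50) -> int:
    """Probabilistic, constant memory: Floyd's tortoise and hare on the walk.
    A collision y1 == y2 means g^a1 h^b1 == g^a2 h^b2, hence
    x == (a1 - a2) / (b2 - b1) mod q when b1 != b2."""
    rng = random.Random(seed)            # fixed seed keeps the demo reproducible
    for _ in range(max_restarts):
        a, b = rng.randrange(q), rng.randrange(q)
        y = pow(g, a, p) * pow(h, b, p) % p
        tort = (y, a, b)
        hare = (y, a, b)
        while True:
            tort = _step(*tort, g, h, p, q)                       # one step
            hare = _step(*_step(*hare, g, h, p, q), g, h, p, q)  # two steps
            if tort[0] == hare[0]:
                break
        (_, a1, b1), (_, a2, b2) = tort, hare
        if (b2 - b1) % q == 0:           # degenerate collision: pick a new start
            continue
        x = (a1 - a2) * pow((b2 - b1) % q, q - 2, q) % q   # Fermat inverse, q prime
        if pow(g, x, p) == h:
            return x
    raise RuntimeError("no usable collision found; increase max_restarts")


def demo():
    """Constructed target: recover x = 123 from h = g^123 with both methods."""
    h = pow(G, 123, P)
    return bsgs(G, h, P, Q), pollard_rho(G, h, P, Q)


if __name__ == "__main__":
    print(demo())
```

On a 509-element group the difference is invisible, but the table in `bsgs` grows like √q while `pollard_rho` keeps two (y, a, b) triples regardless of q, which is the trade-off the survey describes.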
Spectral Analysis of Pollard Rho Collisions
 Proc. of the 7th Algorithmic Number Theory Symposium (ANTS VII); Springer LNCS
Abstract
We show that the classical Pollard ρ algorithm for discrete logarithms produces a collision in expected time O(√n (log n)^3). This is the first nontrivial rigorous estimate for the collision probability for the unaltered Pollard ρ graph, and is close to the conjectured optimal bound of O(√n). The result is derived by showing that the mixing time for the random walk on this graph is O((log n)^3); without the squaring step in the Pollard ρ algorithm, the mixing time would be exponential in log n. The technique involves a spectral analysis of directed graphs, which captures the effect of the squaring step.
On the security of 1024-bit RSA and 160-bit elliptic curve cryptography: version 2.1. Cryptology ePrint Archive, Report 2009/389, 2009
Abstract
Meeting the requirements of NIST's new cryptographic standards means phasing out usage of 1024-bit RSA and 160-bit elliptic curve cryptography (ECC) by the end of the year 2010. This write-up comments on the vulnerability of these systems to an open community attack effort and aims to assess the risk of their unavoidable continued usage beyond 2010 until the migration to the new standards has been completed. We conclude that for 1024-bit RSA the risk is small at least until the year 2014, and that 160-bit ECC over a prime field may safely be used for much longer: with the current state of the art in cryptanalysis we would be surprised if a public effort can make a dent in 160-bit prime field ECC by the year 2020. Our assessment is based on the latest practical data of large-scale integer factorization and elliptic curve discrete logarithm computation efforts.
Weak Fields for ECC
, 2003
Abstract
We demonstrate that some finite fields, including F_{2^{210}}, are weak for elliptic curve cryptography in the sense that any instance of the elliptic curve discrete logarithm problem for any elliptic curve over these fields can be solved in significantly less time than it takes Pollard's rho method to solve the hardest instances. We discuss the implications of our observations for elliptic curve cryptography, and list some open problems.
Computing Discrete Logarithms With The Parallelized Kangaroo Method
 CACR Combinatorics and Optimization Research Report, 2001
Abstract
The Pollard kangaroo method computes discrete logarithms in arbitrary cyclic groups. It is applied if the discrete logarithm is known to lie in a certain interval, say [a, b], and then has expected running time O(√(b - a)) group operations. In its serial version it uses very little storage. It can be parallelized with linear speedup, and in its parallelized version its storage requirements can be efficiently monitored. This makes the kangaroo method the most powerful method to solve the discrete logarithm problem in this situation. In this paper, we discuss various experimental and theoretical aspects of the method that are important for its most effective application.
1. Introduction. The security of several important public-key cryptographic systems relies on the difficulty of the discrete logarithm problem (DLP). Important examples are the Digital Signature Algorithm (DSA), which is based on the DLP in multiplicative subgroups of finite fields, or its elliptic curve analogue ECDSA,...
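The interval variant the abstract describes, as an added example (not code from the paper or its authors): a serial Pollard kangaroo using distinguished points, which is the form that parallelizes by letting every processor report its distinguished points to a shared table. The group is the same illustrative assumption as in the earlier example, the order-509 subgroup of Z_1019^* generated by g = 4; the interval [100, 300] and the hidden exponent 237 are constructed test values, and the code assumes 0 ≤ a ≤ b < q. The tame kangaroo starts at the known exponent b, the wild one at the unknown exponent x, both jump forward by powers of two with mean about √(b - a)/2, and only elements whose low bits are zero are stored.

```python
"""Added example: Pollard's kangaroo (lambda) method with distinguished
points on a toy prime-order group (an assumption, not a real parameter set)."""
import math

P, Q, G = 1019, 509, 4        # safe prime, subgroup order, generator (assumed)


def kangaroo(g: int, h: int, p: int, q: int, a: int, b: int,
             dp_bits: int = 2, max_restarts: int = 8) -> int:
    """Return x in [a, b] with g^x == h (mod p), where g has prime order q.
    Expected cost is about 2*sqrt(b - a) group operations; memory holds
    only distinguished points (low dp_bits of the element equal to zero)."""
    w = b - a
    # Jump set {1, 2, 4, ...} sized so its mean is roughly sqrt(w)/2.
    k = 1
    while (2 ** k - 1) / k < math.sqrt(w) / 2:
        k += 1
    jumps = [2 ** i for i in range(k)]
    step_g = [pow(g, s, p) for s in jumps]        # g^s for each jump, precomputed
    max_steps = 100 * (math.isqrt(w) + 1) + 100   # generous bound per kangaroo
    mask = (1 << dp_bits) - 1

    for salt in range(max_restarts):              # salt re-randomizes the walk on failure
        traps = {}                                # element -> ("T", exponent) or ("W", distance)
        tame_y, tame_pos = pow(g, b, p), b        # tame: exponent fully known
        wild_y, wild_d = h, 0                     # wild: h * g^wild_d, base exponent unknown
        for _ in range(max_steps):
            i = (tame_y + salt) % k               # jump index is a function of the element only
            tame_y, tame_pos = tame_y * step_g[i] % p, tame_pos + jumps[i]
            if tame_y & mask == 0:
                kind, val = traps.setdefault(tame_y, ("T", tame_pos))
                if kind == "W":                   # tame landed on the wild trail
                    return _finish(g, h, p, q, tame_pos, val)
            i = (wild_y + salt) % k
            wild_y, wild_d = wild_y * step_g[i] % p, wild_d + jumps[i]
            if wild_y & mask == 0:
                kind, val = traps.setdefault(wild_y, ("W", wild_d))
                if kind == "T":                   # wild landed on the tame trail
                    return _finish(g, h, p, q, val, wild_d)
    raise RuntimeError("kangaroos never met; increase max_restarts")


def _finish(g: int, h: int, p: int, q: int, tame_pos: int, wild_d: int) -> int:
    """g^tame_pos == h * g^wild_d  =>  x == tame_pos - wild_d (mod q)."""
    x = (tame_pos - wild_d) % q
    if pow(g, x, p) != h:
        raise RuntimeError("collision did not yield a valid logarithm")
    return x


def demo():
    """Constructed instance: x = 237 hidden in [100, 300]."""
    a, b, x_true = 100, 300, 237
    return kangaroo(G, pow(G, x_true, P), P, Q, a, b)


if __name__ == "__main__":
    print(demo())
```

Once the two walks share an element they follow the same path forever, so the meeting is detected at the next distinguished point; a walk that happens to avoid all distinguished points or to cycle before meeting is handled by retrying with a different `salt`, which is the same recovery a parallel implementation applies per processor.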
The parallelized Pollard kangaroo method in real quadratic function
 Mathematics of Computation
Abstract
We show how to use the parallelized kangaroo method for computing invariants in real quadratic function fields. Specifically, we show how to apply the kangaroo method to the infrastructure in these fields. We also show how to speed up the computation by using heuristics on the distribution of the divisor class number, and by using the relatively inexpensive baby steps in the real quadratic model of a hyperelliptic function field. Furthermore, we provide examples for regulators and class numbers of hyperelliptic function fields of genus 3 that are larger than those ever reported before.
Boneh-Boyen signatures and the Strong Diffie-Hellman problem
 PairingBased Cryptography — Pairing 2009, Lecture Notes in Computer Science
Abstract
The Boneh-Boyen signature scheme is a pairing-based short signature scheme which is provably secure in the standard model under the q-Strong Diffie-Hellman assumption. In this paper, we prove the converse of this statement, and show that forging Boneh-Boyen signatures is actually equivalent to solving the q-Strong Diffie-Hellman problem. Using this equivalence, we exhibit an algorithm which, on the vast majority of pairing-friendly curves, recovers Boneh-Boyen private keys in O(p^(2/5+ε)) time, using O(p^(1/5+ε)) signature queries. We present implementation results comparing the performance of our algorithm and traditional discrete logarithm algorithms such as Pollard's lambda algorithm and Pollard's rho algorithm. We also discuss some possible countermeasures and strategies for mitigating the impact of these findings.
Cryptographic Implications of Hess' Generalized GHS Attack
 Applicable Algebra in Engineering, Communication and Computing
, 2004
Abstract
A finite field K is said to be weak for elliptic curve cryptography if all instances of the discrete logarithm problem for all elliptic curves over K can be solved in significantly less time than it takes Pollard's rho method to solve the hardest instances. By considering the GHS Weil descent attack, it was previously shown that characteristic-two finite fields F_{q^5} are weak. In this paper, we examine characteristic-two finite fields F_{q^n} for weakness under Hess' generalization of the GHS attack. We show that the fields F_{q^7} are potentially partially weak in the sense that any instance of the discrete logarithm problem for half of all elliptic curves over F_{q^7}, namely those curves E for which #E(F_{q^7}) is divisible by 4, can likely be solved in significantly less time than it takes Pollard's rho method to solve the hardest instances. We also show that the fields F_{q^3} are partially weak, that the fields F_{q^6} are potentially weak, and that the fields F_{q^8} are potentially partially weak. Finally, we argue that the other fields F_{2^N}, where N is not divisible by 3, 5, 6, 7 or 8, are not weak under Hess' generalized GHS attack.
An Improvement to the Gaudry-Schost Algorithm for Multidimensional Discrete Logarithm Problems
Abstract
Gaudry and Schost gave a low-memory algorithm for solving the 2-dimensional discrete logarithm problem. We present an improvement to their algorithm and extend this improvement to the general multidimensional DLP. An important component of the algorithm is a multidimensional pseudorandom walk, which we analyse thoroughly in the 1- and 2-dimensional cases, as well as giving some discussion for higher dimensions.
Cryptography meets voting
, 2005
Abstract
We survey the contributions of the entire theoretical computer science/cryptography community during 1975-2002 that impact the question of how to run verifiable elections with secret ballots. The approach based on homomorphic encryption is the most successful; one such scheme is sketched in detail and argued to be feasible to implement. It is explained precisely what these ideas accomplish but also what they do not accomplish, and a short history of election fraud is included.