. In Pollard's rho method, an iterating function f is used to define a sequence (y i ) by y i+1 = f(y i ) for i = 0; 1; 2; : : : , with some starting value y 0 . In this paper, we define and discuss new iterating functions for computing discrete logarithms with the rho method. We compare their performances in experiments with elliptic curve groups. Our experiments show that one of our newly defined functions is expected to reduce the number of steps by a factor of approximately 0:8, in comparison with Pollard's originally used function, and we show that this holds independently of the size of the group order. For group orders large enough such that the run time for precomputation can be neglected, this means a real-time speed-up of more than 1:2. 1. Introduction Let G be a finite cyclic group, written multiplicatively, and generated by the group element g. Given an element h in G, we wish to find the least non-negative number x such that g x = h. This problem is the discre...

. We consider Pollard's rho method for discrete logarithm computation. Usually, in the analysis of its running time the assumption is made that a random walk in the underlying group is simulated. We show that this assumption does not hold for the walk originally suggested by Pollard: its performance is worse than in the random case. We study alternative walks that can be efficiently applied to compute discrete logarithms. We introduce a class of walks that lead to the same performance as expected in the random case. We show that this holds for arbitrarily large prime group orders, thus making Pollard's rho method for prime group orders about 20% faster than before. 1. Introduction Let G be a finite cyclic group, written multiplicatively, and generated by the group element g. We define the discrete logarithm problem (DLP) as follows: given a group element h, find the least non-negative integer x such that h = g x . We write x = log g h and call it the discrete logarithm of h...

The best algorithms to compute discrete logarithms in arbitrary groups (of prime order) are the baby-step giant-step method, the rho method and the kangaroo method. The first two have (expected) running time O( p n) group operations (n denoting the group order), thereby matching Shoup's lower bounds. While the baby-step giant-step method is deterministic but with large memory requirements, the rho and the kangaroo method are probabilistic but can be implemented very space efficiently, and they can be parallelized with linear speed-up. In this paper, we present the state of the art in these methods.

Summary. Markov chains on finite sets are used in a great variety of situations to approximate, understand and sample from their limit distribution. A familiar example is provided by card shuffling methods. From this viewpoint, one is interested in the “mixing time ” of the chain, that is, the time at which the chain gives a good approximation of the limit distribution. A remarkable phenomenon known as the cut-off phenomenon asserts that this often happens abruptly so that it really makes sense to talk about “the mixing time”. Random walks on finite groups generalize card shuffling models by replacing the symmetric group by other finite groups. One then would like to understand how the structure of a particular class of groups relates to the mixing time of natural random walks on those groups. It turns out that this is an extremely rich problem which is very far to be understood. Techniques from a great

This paper considers "lazy" random walks supported on a random subset of k elements of a finite group G with order n. If k = da log 2 ne where a ? 1 is constant, then most such walks take no more than a multiple of log 2 n steps to get close to uniformly distributed on G. If k = log 2 n + f(n) where f(n) ! 1 and f(n)= log 2 n ! 0 as n ! 1, then most such walks take no more than a multiple of (log 2 n) ln(log 2 n) steps to get close to uniformly distributed. To get these results, this paper extends techniques of Erdos and R'enyi and of Pak. Key words: Random walks, finite groups, uniform distribution. 1

Consider the Cayley graph of the cyclic group of prime order q with k uniformly chosen generators. For fixed k, we prove that the diameter of said graph is asymptotically (in q) of order k √ q. This answers a question of Benjamini. The same also holds when the generating set is taken to be a symmetric set of size 2k. 1

Abstract. Pollard’s rho algorithm, along with parallelized, vectorized, and negating variants, is the standard method to compute discrete logarithms in generic prime-order groups. This paper presents two reasons that Pollard’s rho algorithm is farther from optimality than generally believed. First, “higherdegree local anti-collisions ” make the rho walk less random than the predictions made by the conventional Brent–Pollard heuristic. Second, even a truly random walk is suboptimal, because it suffers from “global anti-collisions ” that can at least partially be avoided. For example, after (1.5 + o(1)) √ ℓ additions in a group of order ℓ (without fast negation), the baby-step-giant-step method has probability 0.5625 + o(1) of finding a uniform random discrete logarithm; a truly random walk would have probability 0.6753... + o(1); and this paper’s new two-grumpy-giants-and-a-baby method has probability 0.71875 + o(1). 1.