## The parallelized Pollard kangaroo method in real quadratic function

Venue: | Mathematics of Computation |

Citations: | 7 - 3 self |

### BibTeX

@INPROCEEDINGS{Stein_theparallelized,

author = {Andreas Stein and Edlyn Teske},

title = {The parallelized Pollard kangaroo method in real quadratic function},

booktitle = {Mathematics of Computation},

year = {}

}

### OpenURL

### Abstract

Abstract. We show how to use the parallelized kangaroo method for computing invariants in real quadratic function fields. Specifically, we show how to apply the kangaroo method to the infrastructure in these fields. We also show how to speed up the computation by using heuristics on the distribution of the divisor class number, and by using the relatively inexpensive baby steps in the real quadratic model of a hyperelliptic function field. Furthermore, we provide examples for regulators and class numbers of hyperelliptic function fields of genus 3 that are larger than those ever reported before. 1.

### Citations

347 |
Algebraic function fields and codes
- Stichtenoth
- 1993
(Show Context)
Citation Context ...se the spacings, for example, by introducing any kind of randomization. 3. A brief introduction to real quadratic function fields 3.1. Basic definitions. For details about function fields we refer to =-=[Sti93]-=-, and for the arithmetic of real quadratic function fields we mention [Art24, SSW96, PR99]. Let k = Fq be a finite field of odd characteristic with q elements. A hyperelliptic function field over the ... |

238 |
Monte Carlo methods for index computation (mod p
- Pollard
- 1978
(Show Context)
Citation Context ...or provides a measure for the key space; moreover, computation of the regulator is an instance of solving the discrete logarithm problem in real quadratic function fields. The Pollard kangaroo method =-=[Pol78]-=-, also called the lambda method, was originally developed to compute discrete logarithms in Z/pZ and has been canonically generalized to solve the discrete logarithm problem in any finite abelian grou... |

160 | Computing in the Jacobian of a hyperelliptic curve - Cantor - 1987 |

152 | Parallel Collision Search with Cryptanalytic Applications
- Oorschot, Wiener
- 1999
(Show Context)
Citation Context ...ingredient for the kangaroo method is that we know that the discrete logarithm lies in a given interval [a, b[; then the expected running time is O( √ b − a) group operations. Van Oorschot and Wiener =-=[vOW99]-=- have shown that the kangaroo method can be parallelized with linear speed-up, which makes the method attractive for distributed attacks. It is important to note that the serial version of the kangaro... |

59 | Counting points on hyperelliptic curves over finite fields
- Gaudry, Harley
- 2000
(Show Context)
Citation Context ...ion (see [Can87, PR99, Ste99]) so that the parallelized kangaroo methods as suggested by van Oorschot and Wiener and by Pollard immediately generalize to imaginary quadratic function fields (see also =-=[GH]-=-). However, since one only has one operation in the imaginary case, baby steps and giant steps have the same complexity and the idea of speeding up with baby steps does not work. In Section 4 we only ... |

57 | Quadratische Körper im Gebiete der höheren Kongruenzen - Artin - 1924 |

52 |
Class number, a theory of factorization, and genera
- Shanks
- 1971
(Show Context)
Citation Context ...at the space requirements of the parallelized version can be adjusted to the constraints of the machines. This is a big advantage over square-root attacks based on Shanks' baby step-giant step method =-=[Sha71]-=-. The objects with which we deal in real quadratic functionselds are reduced principal ideals, which do not constitute a group. However, the baby step-giant step method could be eciently adapted to th... |

49 |
The infrastructure of a real quadratic field and its applications
- Shanks
- 1972
(Show Context)
Citation Context ... ri+1 is said to be a baby step (backward). Generally, a baby step can be performed by using 4g + O(1) operations in the finite field k (see [Ste99]). 3.4. Infrastructure. Shanks’ infrastructure idea =-=[Sha72]-=- also applies to the set of reduced principal ideals in a real quadratic function field. We define an operation ⋆ (a giant step or an infrastructure operation) onRas follows. Let a =(Qa,Pa) and b =(Qb... |

45 | Speeding up Pollard’s Rho method for computing discrete logarithms
- TESKE
- 1998
(Show Context)
Citation Context ... 4 together with the aforementioned improvements. We now provide examples for 2 and 16 kangaroos. We used a set of jumps S with l = 50 elements; we believe that arguments similar to the ones given in =-=[Tes98]-=- will show that a choice of l ≥ 20 elements is sufficient. We define a distinguished point to be a reduced ideal a =(Q, P ) ∈Qρ for which the lowest F bits of last(Q)/ρ are 0 (in the non–baby step set... |

37 |
monopoly and discrete logarithms
- Pollard, Kangaroos
(Show Context)
Citation Context ...n the following, we first give an overview of the kangaroo method and its parallelization, where in the parallelized case we deal with both the variants of van Oorschot and Wiener [vOW99] and Pollard =-=[Pol]-=-. We keep this exposition as general as possible. Since no experimental results with the parallelized kangaroo method (not to mix with the parallelized rho method!) have been published so far, we also... |

32 | On Random Walks for Pollard’s Rho Method
- Teske
- 2001
(Show Context)
Citation Context ...ct that in the second stage of the algorithm, i.e., when both herds travel in the same region, the algorithm experiences performance variances as they are typical for birthday paradox algorithms (see =-=[Tes00]-=- for some details). Since, on average, it took 1 hour and 12-1/4 minutes to find a distinguished point on a SunUltra Enterprise 450 running Solaris 2.6, we estimate that the whole computation would ha... |

29 |
a theory of factorization, and genera
- number
- 1971
(Show Context)
Citation Context ...at the space requirements of the parallelized version can be adjusted to the constraints of the machines. This is a big advantage over square-root attacks based on Shanks’ baby step–giant step method =-=[Sha71]-=-. The objects with which we deal in real quadratic function fields are reduced principal ideals, which do not constitute a group. However, the baby step–giant step method could be efficiently adapted ... |

28 | Key-exchange in real quadratic congruence function elds
- Scheidler, Stein, et al.
- 1996
(Show Context)
Citation Context ...regulator and the divisor class number which play an important role in cryptosystems based on hyperelliptic function fields. For example, in the key-exchange protocol by Scheidler, Stein and Williams =-=[SSW96]-=-, the regulator provides a measure for the key space; moreover, computation of the regulator is an instance of solving the discrete logarithm problem in real quadratic function fields. The Pollard kan... |

19 | Lidia - a c library for computational number theory
- Group
- 1995
(Show Context)
Citation Context ...ctually implementing a parallelized Pollard kangaroo attack. We begin with some typical experimental data, shown in Tables 1 - 3, to illustrate our discussion. Using the computer algebra system LiDIA =-=[LiD97]-=-, we implemented both the van Oorschot-Wiener and the Pollard variants of parallelization for groups of points of elliptic curves oversniteselds, to compute the group order. We simulated the paralleli... |

14 | Teske – Explicit bounds and heuristics on class numbers in hyperelliptic function fields
- Stein, E
(Show Context)
Citation Context ...at a ≤ h = hXRX <b.Ofcourse,b − a should be as smallsTHE KANGAROO METHOD IN REAL QUADRATIC FIELDS 803 as possible. Luckily, a reasonable interval for h can be determined by evaluating the formulas in =-=[ST99b]-=-. The idea is to determine integers E and L such that |h − E| <L 2 . If we put a = E − L 2 +1 andb = E + L 2 ,thenb − a =2L 2 − 1. Of course, we want L to be as small as possible. For g ≤ 2, we find a... |

13 |
Sharp upper bounds for arithmetics in hyperelliptic function fields
- Stein
- 2001
(Show Context)
Citation Context ...ababy step (forward). Similarly, the computation of ri from ri+1 is said to be a baby step (backward). Generally, a baby step can be performed by using 4g + O(1) operations in the finite field k (see =-=[Ste99]-=-). 3.4. Infrastructure. Shanks’ infrastructure idea [Sha72] also applies to the set of reduced principal ideals in a real quadratic function field. We define an operation ⋆ (a giant step or an infrast... |

11 |
and imaginary quadratic representations of hyperelliptic function elds
- Real
(Show Context)
Citation Context ...s an index j ≥ 1 such that δ(rj) ≤ y<δ(rj+1) . We call δ(rj) theclosest ideal to (the left of) y and denote it by Nearest(y). In this situation, we put n(y) =y − δ(Nearest(y)) = y − δ(rj) . Following =-=[PR99]-=-, we identify any integer y between 0 and RX − 1 with a tuple (Nearest(y),n(y)), where y = δ(Nearest(y)) + n(y) and0≤n(y) ≤ g. That means there exists a unique representation for any integer y between... |

9 |
An algorithm for determining the regulator and the fundamental unit of a hyperelliptic congruence function field
- Stein, Zimmer
(Show Context)
Citation Context ...onstitute a group. However, the baby step–giant step method could be efficiently adapted to this setting by defining analogues of baby steps and giant steps that make use of the ideal arithmetic (see =-=[SZ91]-=-). The Received by the editor July 10, 2000. 2000 Mathematics Subject Classification. Primary 11Y16, 11Y40, 11R29; Secondary 11R58, 14H05. 793 c○2001 American Mathematical Societys794 ANDREAS STEIN AN... |

6 |
Technische Universitat
- Group
- 1997
(Show Context)
Citation Context ... actually implementing a parallelized Pollard kangaroo attack. We begin with some typical experimental data, shown in Tables 1–3, to illustrate our discussion. Using the computer algebra system LiDIA =-=[LiD97]-=-, we implemented both the van Oorschot–Wiener and the Pollard variants of parallelization for groups of points of elliptic curves over finite fields, to compute the group order. We simulated the paral... |

6 |
An improved method of computing the regulator of a real quadratic function field, Algorithmic Number Theory Seminar
- Stein, Williams
- 1998
(Show Context)
Citation Context ...from [ST99b, Theorem 4.3] that |h − E| <L 2 and L = O(q g λ+1 2 − 4 ) . Note that for g ≥ 3 the approximation E can be determined efficiently in O(q λ ) operations. There is a detailed description in =-=[SW98]-=- of how to evaluate E efficiently if λ =1orλ =2.s804 ANDREAS STEIN AND EDLYN TESKE 3.6. The computation of RX and h. The complete algorithm for computing RX and h consists of three steps. First, we co... |

4 | Catching kangaroos in function fields - Stein, Teske - 1999 |

4 |
Counting points on hyperelliptic curves over
- Gaudry, Harley
- 2000
(Show Context)
Citation Context ...ation (see [Can87, PR99, Ste99]) so that the parallelized kangaroo methods as suggested by van Oorschot and Wiener and by Pollard immediately generalize to imaginary quadratic functionselds (see also =-=[GH]-=-). However, since one only has one operation in the imaginary case, baby steps and giant steps have the same complexity and the idea of speeding up with baby steps does not work. In Section 4, we only... |

2 |
et al. Simath manual
- Zimmer
- 1997
(Show Context)
Citation Context ...orschot and Wiener parallelization by the factor t=t g = (2(g) + 1)=(2 p 2(g)). 4.2. Experimental Results. For our computations we used several Suns and SGIs, and the Computer Algebra System SIMATH [Z=-=im97]-=-. The reference machine was a Sun Ultra Enterprise 450 under Solaris 2.6. We computed the regulator RX and the class numbers h, hX of a real quadratic functionseld K = k(X)( p D) over k = F q , where ... |

1 |
At low temperatures the paramagnetic phase can be stabilized by appropriately frustrating the incipient antiferromagnetic order in the Hubbard model at half filling
- unknown authors
- 1997
(Show Context)
Citation Context ...l van Oorschot–Wiener parallelization by the factor t/tg = (2α(g)+1)/(2 � 2α(g)). 4.2. Experimental results. For our computations we used several Suns and SGIs, and the Computer Algebra System SIMATH =-=[Zim97]-=-. The reference machine was a Sun Ultra Enterprise 450 under Solaris 2.6. We computed the regulator RX and the class numbers h, hX of a real quadratic function field K = k(X)( √ D) over k = Fq, whereq... |

1 |
The infrastructure of a real quadratic and its applications
- Shanks
- 1972
(Show Context)
Citation Context ...rom r i+1 is said to be a baby step (backwards). Generally, a baby step can be performed by using 4g +O(1) operations in thesniteseld k (see [Ste99]). 3.4. Infrastructure. Shanks' infrastructure idea =-=[Sha72-=-] also applies to the set of reduced principal ideals in a real quadratic functionseld. We dene an operation ? (a giant step or an infrastructure operation) on R as follows: Let a = (Q a ; P a ) and b... |

1 | Catching kangaroos in function - Stein, Teske - 1999 |