## Speeding Up Pollard's Rho Method For Computing Discrete Logarithms (1998)

### Cached

### Download Links

- [cacr.math.uwaterloo.ca]
- [ftp.informatik.tu-darmstadt.de]
- DBLP

### Other Repositories/Bibliography

Citations: | 44 - 7 self |

### BibTeX

@INPROCEEDINGS{Teske98speedingup,

author = {Edlyn Teske},

title = {Speeding Up Pollard's Rho Method For Computing Discrete Logarithms},

booktitle = {},

year = {1998},

pages = {541--554},

publisher = {Springer}

}

### Years of Citing Articles

### OpenURL

### Abstract

. In Pollard's rho method, an iterating function f is used to define a sequence (y i ) by y i+1 = f(y i ) for i = 0; 1; 2; : : : , with some starting value y 0 . In this paper, we define and discuss new iterating functions for computing discrete logarithms with the rho method. We compare their performances in experiments with elliptic curve groups. Our experiments show that one of our newly defined functions is expected to reduce the number of steps by a factor of approximately 0:8, in comparison with Pollard's originally used function, and we show that this holds independently of the size of the group order. For group orders large enough such that the run time for precomputation can be neglected, this means a real-time speed-up of more than 1:2. 1. Introduction Let G be a finite cyclic group, written multiplicatively, and generated by the group element g. Given an element h in G, we wish to find the least non-negative number x such that g x = h. This problem is the discre...

### Citations

818 |
The arithmetic of elliptic curves
- Silverman
- 1986
(Show Context)
Citation Context ...s. Let us first introduce elliptic curve groups over prime fields and the notation we use in the following. We refer to Koblitz [6] for an elementary introduction to elliptic curves, and to Silverman =-=[15]-=- for more details. So let q be a prime 6= 2; 3, and let F q denote the field Z=qZ of integers modulo q. Let a; b 2 F q such that 4a 3 + 27b 2 6= 0. Then the elliptic curve E a;b over F q is defined th... |

695 |
The Art of Computer Programming, Volume 3: Sorting and Searching, Second Edition
- Knuth
- 1998
(Show Context)
Citation Context ... c, namely c \Gamma bcc. Then let u : E a;b (F q ) ! f1; : : : ; rg ; u(P ) = bu (P ) \Delta rc + 1 and T s = fP 2 E a;b (F q ) : u(P ) = sg : From the theory of multiplicative hash functions we know =-=[5]-=- that among all numbers between 0 and 1, choosing A as a rational approximation of ( p 5 \Gamma 1)=2 with a sufficiently large precision (that is, in comparison with the input size) leads to the most ... |

695 |
Elliptic curve cryptosystems
- Koblitz
- 1987
(Show Context)
Citation Context ...s these groups particularly interesting for cryptographic applications, and much work has been done in this area since elliptic curve cryptosystems have first been proposed by Miller [10] and Koblitz =-=[7]-=-. However, since we do not exploit any special properties of the groups, the results we obtain are very likely to hold in any other finite abelian group. We also use a result about random walks on the... |

529 |
Uses of elliptic curves in cryptography
- Miller
- 1986
(Show Context)
Citation Context ...o date. This makes these groups particularly interesting for cryptographic applications, and much work has been done in this area since elliptic curve cryptosystems have first been proposed by Miller =-=[10]-=- and Koblitz [7]. However, since we do not exploit any special properties of the groups, the results we obtain are very likely to hold in any other finite abelian group. We also use a result about ran... |

301 | improved algorithm for computing logarithms over GF(p) and its cryptographic significanceā€¯, IEEETIT
- Pohlig, Hellman
- 1978
(Show Context)
Citation Context ...or group structure computation is independent of the size of the group orders, thus answering an open question in Teske [17] in the case of prime group orders. Due to the method of Pohlig and Hellman =-=[11]-=-, both in our experiments and in our theoretical considerations we restrict ourselves to groups of prime order. Then our main result consists of the following empirical estimates. Let G be a group of ... |

230 |
Monte Carlo methods for index computation (mod p
- Pollard
- 1978
(Show Context)
Citation Context ... to as the iterating function, is a random function in the sense that each of the jGj jGj functions f : G ! G is equally probable, the expected value fors+sis close to p jGj=2 = 1:253 p jGj . Pollard =-=[12]-=- showed how this theory can be applied to solve the DLP in expected run time O( p jGj ) multiplications in G. Pollard's algorithm [12] is generic in the sense that it can be applied to any group for w... |

192 |
A Course in Number Theory and Cryptography
- Koblitz
- 1994
(Show Context)
Citation Context ...periments and give a representative selection of our experimental results. Let us first introduce elliptic curve groups over prime fields and the notation we use in the following. We refer to Koblitz =-=[6]-=- for an elementary introduction to elliptic curves, and to Silverman [15] for more details. So let q be a prime 6= 2; 3, and let F q denote the field Z=qZ of integers modulo q. Let a; b 2 F q such tha... |

146 | Parallel Collision Search with Cryptanalytic Applications - Oorschot, Wiener - 1999 |

51 |
The number of points on an elliptic curve modulo a prime. manuscript
- Atkin
- 1988
(Show Context)
Citation Context ...heck whether 4a 3 + 27b 2 6= 0 mod q. If this is the case, we use our implementation for the group structure computation [17] or, for primes q ? 10 9 , the implementation [8] of an algorithm of Atkin =-=[1]-=-, to compute the order n of E a;b (F q ). Finally we factor n to find p and k. Having built up this file, for k = 3; 4; : : : ; 13 we go through the following algorithm: 1. Read 6-tuple (q; a; b; n; p... |

51 |
An improved monte carlo factorization algorithm
- Brent
- 1980
(Show Context)
Citation Context ...ions to solve the DLP in various finite abelian groups of considerably larger group orders. Some work has been done to speed-up the rho method. There are better methods to find matches, e.g. by Brent =-=[2]-=-, and van Oorschot and Wiener [18] have developed a method for efficient parallelization of the rho method. We now suggest to choose a more efficient iterating function to obtain further speed-up. Rec... |

50 |
Class number, a theory of factorization, and genera
- Shanks
- 1969
(Show Context)
Citation Context .... The space requirements of algorithms using the rho method are negligible. Therefore, to solve the DLP in groups of large group orders, this method is superior to Shanks' baby step-giant step method =-=[14]-=- that has roughly the same run time but space requirements O( p jGj ). Pollard's original algorithm for discrete logarithm computation [12] could be used on a programmable calculator, and Pollard appl... |

18 |
jr., A Monte Carlo factoring algorithm with linear storage
- Schnorr, Lenstra
- 1984
(Show Context)
Citation Context ...s above. While computing the terms (y i ; ff i ; fi i ), we try to find a match (y j ; y i ) for some j ! i. We use the same method as in Teske [17], which is based on a method of Schnorr and Lenstra =-=[13]-=- but with optimized parameters. This means that we work with a chain of 8 cells, which in each stage of the algorithm store altogether 8 triplets (y oe d ; ff oe d ; fi oe d ), d = 1; : : : ; 8. In th... |

16 | A space efficient algorithm for group structure computation
- Teske
- 1998
(Show Context)
Citation Context ...ethod for efficient parallelization of the rho method. We now suggest to choose a more efficient iterating function to obtain further speed-up. Recently, the author has elaborated a generic algorithm =-=[17]-=- that uses the rho method to compute the structure of a finite abelian group. This algorithm uses a type of iterating functions specially designed to meet the requirements for the group structure comp... |

14 |
Random walks supported on random points of Z/nZ. Probability Theory and Related
- Hildebrand
- 1994
(Show Context)
Citation Context ... (= 20). We are not aware of any theoretical result about the behaviour of the sequence given through (3.1). In the case of the sequence given through (3.2), we can make use of a result of Hildebrand =-=[4]-=-, which we present in the following. Let n be a prime. Let ks2 and p 1 ; : : : ; p k such that p j ? 0 for all j and P k j=1 p j = 1. For a 1 ; : : : ; a k 2 [j1; n[j, let ea = (a 1 ; : : : ; a k ) an... |

8 |
Random walks on groups with subgroup invariance properties
- Greenhalgh
- 1989
(Show Context)
Citation Context ...tation is taken over a uniform choice of all possible ea such that a 1 ; : : : ; a k 2 [j1; n[j and such that all values of a 1 ; : : : ; a k are pairwise distinct. It is worth noting that Greenhalgh =-=[3]-=- has shown the following lower bound, which nicely complements Theorem 3.1. Theorem 3.2. Let p j (j = 1; : : : ; k), ea and P ea be as above. Then there exists a value fi = fi(p 1 ; : : : ; p k ) ? 0 ... |

5 |
New algorithms for finite abelian groups
- Teske
- 1998
(Show Context)
Citation Context ...sumption that f is a random mapping and that jGj is large enough such that a continuous approximation is valid, the expected value of the right-hand side of (2.1) is approximately 1:229 p jGj=2 . See =-=[16]-=- for details. 3. The Iterating Functions We next define some new iterating functions. For r 2 N, let T 1 ; : : : ; T r be a partition of G into r pairwise disjoint and roughly equally large sets. The ... |

4 |
Technische Universitat Darmstadt, LiDIA - a library for computational number theory, version 1.3
- Group
- 1997
(Show Context)
Citation Context ...sufficiently large range of group orders, it will not considerably improve when passing over to much larger group orders. 8 EDLYN TESKE 4. Experimental Results Using the computer algebra system LiDIA =-=[9]-=-, we implemented the Pohlig-Hellman and the rho methods and conducted experiments to compare the performances of the iterating functions fP , fPm , fT and fC to solve the DLP in elliptic curve groups ... |

1 |
eco - a tool for elliptic curve group order computations
- Lehmann, Maurer, et al.
- 1997
(Show Context)
Citation Context ...mly chose a; b 2 (F q ) and check whether 4a 3 + 27b 2 6= 0 mod q. If this is the case, we use our implementation for the group structure computation [17] or, for primes q ? 10 9 , the implementation =-=[8]-=- of an algorithm of Atkin [1], to compute the order n of E a;b (F q ). Finally we factor n to find p and k. Having built up this file, for k = 3; 4; : : : ; 13 we go through the following algorithm: 1... |

1 |
Random walks supported on the random points of ZZ=nZZ. Probability Theory and Related
- Hildebrand
- 1994
(Show Context)
Citation Context ...tant (= 20). We are not aware of any theoretical result about the behaviour of the sequence given through (2). In the case of the sequence given through (3), we can make use of a result of Hildebrand =-=[4]-=-, which we present in the following. Let n be a prime. Let ks2 and p 1 ; : : : ; p k such that p j ? 0 for all j and P k j=1 p j = 1. For a 1 ; : : : ; a k 2 [j1; n[j, let ~ a = (a 1 ; : : : ; a k ) a... |