Table of Contents Author Guidelines Submit a Manuscript
Journal of Applied Mathematics
Volume 2012, Article ID 635909, 15 pages
http://dx.doi.org/10.1155/2012/635909
Research Article

An Efficient Collision Detection Method for Computing Discrete Logarithms with Pollard's Rho

School of Information Science and Technology, Sun Yat-sen University, Guangzhou 510006, China

Received 7 July 2011; Revised 15 November 2011; Accepted 21 November 2011

Academic Editor: Jacek Rokicki

Copyright © 2012 Ping Wang and Fangguo Zhang. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

Pollard's rho method and its parallelized variant are at present known as the best generic algorithms for computing discrete logarithms. However, when we compute discrete logarithms in cyclic groups of large orders using Pollard's rho method, collision detection is always a high time and space consumer. In this paper, we present a new efficient collision detection algorithm for Pollard's rho method. The new algorithm is more efficient than the previous distinguished point method and can be easily adapted to other applications. However, the new algorithm does not work with the parallelized rho method, but it can be parallelized with Pollard's lambda method. Besides the theoretical analysis, we also compare the performances of the new algorithm with the distinguished point method in experiments with elliptic curve groups. The experiments show that the new algorithm can reduce the expected number of iterations before reaching a match from 1.309|𝐺| to 1.295|𝐺| under the same space requirements for the single rho method.

1. Introduction

One of the most important assumptions in modern cryptography is the hardness of the discrete logarithm problem (DLP). Many popular cryptosystems base their security on DLP. Such cryptosystems are, for example, the Diffie-Hellman key agreement protocol [1], the ElGamal signature and encryption schemes [2], the US Government Digital Signature Algorithm (DSA) [3], and the Schnorr signature scheme [4]. Originally, they worked with multiplicative groups of finite prime fields. Once elliptic curve cryptosystems were proposed by Koblitz [5] and Miller [6], analogous practical systems based on the DLP in groups of points of elliptic curves over finite fields were designed [7]. Recall the following two definitions.

Definition 1.1 (discrete logarithm problem, DLP). Let 𝐺 be a cyclic group of prime order 𝑝, and let 𝑔𝐺 be generator of 𝐺. Given 𝑔,𝐺, determine the integer 0𝑘<𝑝 such that =𝑔𝑘.

Definition 1.2 (elliptic curve discrete logarithm problem, ECDLP). Let 𝐸 be an elliptic curve defined over finite field 𝔽𝑞. Let 𝑃𝐸 be a point of prime order 𝑛, and let 𝐺 be the subgroup of 𝐸 generated by 𝑃. Given 𝑄𝐺, determine the integer 0𝑘<𝑛 such that 𝑄=𝑘𝑃.

For DLP on a multiplicative subgroup 𝐺 of prime order 𝑝 of finite field 𝔽𝑞, the index calculus method determines the size of 𝑞, which is a subexponential time algorithm, while the size of 𝑝 is set by Pollard's rho method [8].

Furthermore, for ECDLP, Pollard's rho method and its modifications by Gallant et al. [9] and Wiener and Zuccherato [10] are to date known as the most efficient general algorithms. van Oorschot and Wiener [11] showed that the modified Pollard's rho method can be parallelized with linear speedup.

Pollard's rho method is a randomized algorithm for computing discrete logarithms. Generally, an iteration function 𝐹𝐺𝐺 is used to define a pseudorandom sequence 𝑌𝑖 by 𝑌𝑖+1=𝐹(𝑌𝑖) for 𝑖=0,1,2,, with some initial value 𝑌0. The sequence 𝑌0,𝑌1,𝑌2, represents a walk in the group 𝐺. The basic assumption is that the walk 𝑌𝑖 behaves as a random walk. Because the order of the group is finite, the sequence will ultimately reach an element that has occurred before. This is called a collision or a match. The advantage of this method is that the space requirements are small if one uses a clever method of detecting a collision. The problem of efficient collision detection of a pseudo-random walk in Pollard's rho method is the central topic of this paper.

There are several collision detection algorithms for a random walk in the group 𝐺. These algorithms in general do not exploit the group structure of 𝐺. As a result, the algorithms discussed in this paper in fact apply to any set 𝐺 on which an iterated function 𝐹 is used to make random walks, and their utilization goes beyond discrete logarithm computation.

A simple approach to detecting a collision with Pollard's rho method is to use Floyd's cycle-finding algorithm [8], which shows that it suffices to compare 𝑌𝑖 and 𝑌2𝑖 for all 𝑖 to find a collision. Floyd's algorithm uses only a small constant amount of storage, but needs roughly three times more work than is necessary. Brent [12] improved this approach by using an auxiliary variable. Nivasch designed an algorithm [13] for detecting periodicity in sequences using a single pointer and a small stack. This stack algorithm halts at a uniformly random point in the second loop through the sequence's cycle.

In finding DES collisions [14, 15], Quisquater and Delescaille took a different approach based on storing distinguished points, an idea noted earlier by Rivest to reduce the search time in Hellman time-memory tradeoff [16]. A distinguished point is one that has some easily checked property such as having a fixed number of leading zero bits. During the pseudo-random walk, points that satisfy the distinguishing property are stored. Collision can be detected when a distinguished point is encountered a second time. This technique can be efficiently applied to find collisions among multiple processors [11].

In this paper, we describe a new efficient collision detection algorithm for computing discrete logarithm with Pollard's rho method. It is a probabilistic algorithm and more efficient than the previous methods. With this algorithm, we can significantly reduce the space requirements and provide a better time-space trade-off approach. We also compare their performances in experiments with elliptic curve groups, and our experimental results confirmed the theoretical analysis.

The remainder of this paper is organized as follows. In Section 2, we recall Pollard's rho method for discrete logarithm computation and discuss several previous methods for collision detection. We describe and analyze the new algorithm in Section 3 and discuss its applications in Section 4. We present our experiments in Section 5 and conclude the paper in Section 6.

2. Preliminary

In this section, we describe Pollard's rho method for discrete logarithm computation and then discuss several collision detection algorithms and their performances.

2.1. Pollard's Rho Method

Pollard [8] proposed an elegant algorithm for the discrete logarithms based on a Monte Carlo idea and called it the rho method. The rho method works by first defining a sequence of elements that will be periodically recurrent, then looking for a match in the sequence. The match will lead to a solution of the discrete logarithm problem with high probability. The two key ideas involved are the iteration function for generating the sequence and the cycle-finding algorithm for detecting a match.

If 𝐷 is any finite set and 𝐹𝐷𝐷 is a mapping and the sequence (𝑋𝑖) in 𝐷 is defined by the rule: 𝑋0𝐷,𝑋𝑖+1𝑋=𝐹𝑖,(2.1) this sequence is ultimately periodic. Hence, there exist unique integers 𝜇0 and 𝜆1 such that 𝑋0,,𝑋𝜇+𝜆1 are all distinct, but 𝑋𝑖=𝑋𝑖+𝜆 for all 𝑖𝜇. A pair (𝑋𝑖,𝑋𝑗) of two elements of the sequence is called a match if 𝑋𝑖=𝑋𝑗 where, 𝑖𝑗. For the expected values of 𝜇 and 𝜆, we have the following theorem.

Theorem 2.1 (see [17]). Under the assumption that an iteration function 𝐹𝐷𝐷 behaves like a truly random mapping and the initial value 𝑋0 is a randomly chosen group element, the expected values for 𝜇 and 𝜆 are 𝜋|𝐷|/8. The expected number of evaluations before a match appears is 𝐸(𝜇+𝜆)=𝜋|𝐷|/21.25|𝐷|.

Now we explain how the rho method for computing discrete logarithms works. Let 𝐺 be a cyclic group of prime order 𝑝, and let 𝑔𝐺 be generator of 𝐺 and 𝐺. The discrete logarithm problem is to compute 𝑥 satisfying 𝑔𝑥. Pollard defined the iteration function 𝐹𝐺𝐺 as follows: 𝐹(𝑌)=𝑔𝑌𝑌𝑆1,𝑌2𝑌𝑆2,𝑌𝑌𝑆3.(2.2)

Let the initial value 𝑌0=1. In each iteration of 𝑌𝑖+1=𝐹(𝑌𝑖), the function uses one of three rules depending on the value of 𝑌𝑖. The group 𝐺 is partitioned into three subsets 𝑆1, 𝑆2, 𝑆3 of roughly equal size. Each 𝑌𝑖 has the form 𝑔𝑎𝑖𝑏𝑖. The sequence (𝑎𝑖) (and similarly for (𝑏𝑖)) can be computed as follows: 𝑎𝑖+1=𝑎𝑖+1(mod𝑝)𝑌i𝑆1,2𝑎𝑖(mod𝑝)𝑌𝑖𝑆2,𝑎𝑖𝑌(mod𝑝)i𝑆3.(2.3)

As soon as we have a match (𝑌𝑖,𝑌𝑗), we have the equation 𝑔𝑎𝑖𝑏𝑖=𝑔𝑎𝑗𝑏𝑗.

Since =𝑔𝑥, this gives 𝑎𝑖+𝑏𝑖𝑥𝑎𝑗+𝑏𝑗𝑥mod𝑝.(2.4) Now, if gcd(𝑏𝑖𝑏𝑗,𝑝)=1, we get that 𝑥=(𝑎𝑗𝑎𝑖)(𝑏𝑖𝑏𝑗)1mod𝑝. Due to the method of Pohlig and Hellman [18], in practice applications the group order 𝑝 is prime, so that it is very unlikely that gcd(𝑏𝑖𝑏𝑗,𝑝)>1 if 𝑝 is large.

Theorem 2.1 makes the assumption of true randomness. However, it has been shown empirically that this assumption does not hold exactly for Pollard's iteration function [19]. The actual performance is worse than the expected value given in Theorem 2.1.

Teske [19] proposed better iteration functions by applying more arbitrary multipliers. Assume that we are using 𝑟 partitions (multipliers). We generate 2𝑟 random numbers,𝑚𝑖,𝑛𝑖𝑅{0,1,,𝑝1},for𝑖=1,2,,𝑟.(2.5) Then we precompute 𝑟 multipliers 𝑀1,𝑀2,,𝑀𝑟, where 𝑀𝑖=𝑔𝑚𝑖𝑛𝑖, for 𝑖=1,2,,𝑟. Define a hash function, 𝑣𝐺{1,2,,𝑟}.(2.6) Then the iteration function 𝐹𝐺𝐺 defined as 𝐹(𝑌)=𝑌𝑀𝑣(𝑌),where𝑣(𝑌){1,2,,𝑟}.(2.7) The indices are update by 𝑎𝑖+1=𝑎𝑖+𝑚𝑣(𝑌𝑖),𝑏𝑖+1=𝑏𝑖+𝑛𝑣(𝑌𝑖).(2.8)

The difference in performance between Pollard's original walk and Teske’s 𝑟-adding walk has been studied in [19, 20]. We summarize the results as follows. In prime order subgroups of 𝑝, the value of 𝐸(𝜇+𝜆) for Pollard's original walk and Teske's 𝑟-adding walk is 1.55|𝐺| and 1.27|𝐺|, while in groups of points of elliptic curves over finite fields, the value is 1.60|𝐺| and 1.29|𝐺|, respectively.

2.2. Previous Methods for Collision Detection

To find the collision in the pseudo-random walk, it always needs much storage. In order to minimize the storage requirements, a collision detection algorithm can be applied with a small penalty in the running time.

Floyd's Cycle-Finding Algorithm
In Pollard's paper, Floyd's algorithm is applied. To find 𝑌𝑖=𝑌𝑗, the algorithm calculates (𝑌𝑖,𝑎𝑖,𝑏𝑖,𝑌2𝑖,𝑎2𝑖,𝑏2𝑖) until 𝑌𝑖=𝑌2𝑖. For each iteration, we compute 𝑌𝑖+1=𝐹(𝑌𝑖) and 𝑌2(𝑖+1)=𝐹(𝐹(𝑌2𝑖)), which means that this algorithm requires negligible storage. Floyd's algorithm is based on the following idea.

Theorem 2.2 (see [25]). For a periodic sequence 𝑌0,𝑌1,𝑌2,, there exists an 𝑖>0 such that 𝑌𝑖=𝑌2𝑖 and the smallest such 𝑖 lies in the range 𝜇𝑖𝜇+𝜆.

The best running time requires 𝜇 iterations and the worst takes 𝜇+𝜆 iterations. Under the assumption that 𝐹𝐺𝐺 behaves like a truly random mapping, the expected number of iterations before reaching a match is 𝜋5|𝐺|/2881.03|𝐺| [20]. The key point for this algorithm is that we need three group operations and one comparison for each iteration, which makes it inefficient.

Brent's Algorithm
Brent proposed an algorithm [12] which is generally 25% faster than Floyd's method. It uses an auxiliary variable, say 𝑤, which at each stage of the algorithm holds 𝑌𝑙(𝑖)1, where 𝑙(𝑖)=2log𝑖. 𝑤 is compared with 𝑌𝑖 for each iteration and is updated by 𝑤=𝑌𝑖 when 𝑖=2𝑘1 for 𝑘=1,2,. The correctness of this algorithm depends on the following fact.

Theorem 2.3 (see [20]). For a periodic sequence 𝑌0,𝑌1,𝑌2,, there exists an 𝑖>0 such that 𝑌𝑖=𝑌𝑙(𝑖)1 and 𝑙(𝑖)𝑖<2𝑙(𝑖). The smallest such 𝑖 is 2logmax(𝜇+1,𝜆)+𝜆1.

Under the assumption that 𝐹𝐺𝐺 is a random mapping, with Brent's algorithm the first match is expected to occur after 1.98|𝐺| iterations [12]. The algorithm needs one group operation and one comparison for each iteration, which makes it 25%–30% faster than Floyd's algorithm. Variations of Brent's algorithm requiring slightly more storage and comparisons but less iterations can be found in [21, 22].

Stack Algorithm
In 2004, Nivasch proposed an interesting algorithm that uses logarithmic storage space and can be adapted with tradeoff for storage space versus speed. This algorithm requires that a total ordering < be defined on the set 𝐺, and it works as follows. Keep a stack of pairs (𝑌𝑖,𝑖), where, at all times, both the 𝑖's and the 𝑌𝑖's in the stack form strictly increasing sequences. The stack is initially empty. At each step 𝑗, pop from the stack all entries (𝑌𝑖,𝑖), where 𝑌𝑖>𝑌𝑗. If a match 𝑌𝑖=𝑌𝑗 is found with an element in the stack, the algorithm terminates successfully. Otherwise, push (𝑌𝑗,𝑗) on top of the stack and continue. The stack algorithm depends on the following fact.

Theorem 2.4 (see [13]). The stack algorithm always halts on the smallest value of the sequence's cycle, at some time in [𝜇+𝜆,𝜇+2𝜆).

Under the assumption that 𝐹𝐺𝐺 is a random mapping, the expected number of iterations before finding a match is 5/2𝜋|𝐺|/81.57|𝐺| [13]. The algorithm needs a little bit more than one group operation and one comparison for each iteration. Under the same assumption, Nivasch proves also that the expected size of the stack is ln +𝑂(1). Therefore, the algorithm only requires a logarithmic amount of memory.

Distinguished Point
The idea of the distinguished point method is to search for a match not among all terms of the sequence, but only among a small subset of terms that satisfy a certain distinguishing property. It works as follows. One defines a set 𝐷, a subset of 𝐺, that consists of all group elements that satisfy a certain distinguishing property. During the pseudo-random walk, points that satisfy the distinguishing property are stored. Collision can be detected when a distinguished point is encountered a second time.
Currently, the distinguished point method is the most efficient algorithm to detect collisions in pseudo-random walk when |𝐺| is large. A popular way of defining 𝐷 is to fix an integer 𝑘 and to define that 𝑤𝐷 if and only if the 𝑘 least significant bits in the representation of 𝑤 as a binary string are zero. To break ECC2K-130, it [23] defines the distinguishing property as the Hamming weight of normal-basis representation of 𝑥-coordinate of the point less than or equal to 34. Notice that this kind of definitions allows a fast check for the distinguishing property to hold, and the size of 𝐷 can be easily monitored as well. Obviously, we have the following theorem.

Theorem 2.5 (see [11]). Let 𝜃 be the proportion of points in 𝐺 which satisfy the distinguishing property, that is, 𝜃=|𝐷|/|𝐺|. Under the assumption that 𝐹𝐺𝐺 is a random mapping and 𝐷 is a uniform distribution in 𝐺, the expected number of iterations before finding a match is 𝜋|𝐺|/2+1/𝜃.

3. The New Algorithm

We are motivated by the fact that, in distinguished point method, the distinguished points may be not uniformly distributed in the pseudo-random walk, also the points in subset 𝐷 may be not uniformly distributed in 𝐺, which always results in more iteration requirements. We are trying to design an algorithm which leads to a uniform distribution and also to provide a better way for time-space tradeoff rather than distinguishing property.

3.1. The Basic Algorithm

To find a collision in pseudo-random walk, which is produced by the iteration function 𝐹𝐺𝐺, assuming 𝐹 is a random mapping on 𝐺, our basic algorithm works as follows. We fix an integer 𝑁 and use an auxiliary variable, say 𝑤, which at each 𝑁 iterations keep the minimum value of 𝑁 successive values produced by the iteration function 𝐹. Once getting the minimum value 𝑤 from 𝑁 successive values, we check whether this value has occurred before in the stored sequence, if so, we find the match and we are done. Otherwise, store this value 𝑤 to the sequence. Then continue to compute the next 𝑁 new values and repeat the previous procedures. Choose the integer 𝑁 properly, we will find the match among the newly generated minimum value and stored minimum values.

More precisely, to find a collision in pseudo-random sequence 𝑌0,𝑌1,𝑌2,, which is produced by the iteration function 𝐹𝐺𝐺, we have Algorithm 1.

alg1
Algorithm 1: The new algorithm for collision detection.

It is obvious that the algorithm can be considered as two parts. In the first part, that is from step (3) to step (11), we seek the minimum value 𝑤 from 𝑁 successive values in the pseudo-random walk. The operation is very simple; if the current value 𝑌𝑗 is smaller than 𝑤, then just update 𝑤 with the current value and continue the next iteration. Notice that steps (7), (8), and (9) can be omitted, since it is unlikely that there is a match within 𝑁 iterations. Even if it happened, the algorithm ensures that we can find a match within the next 𝑁 iterations. As a result, there is only one group operation and one comparison in the first part, which consist the main operations of the algorithm.

In the second part, that is from step (13) to step (19), once we get a minimum value 𝑤, we check whether 𝑤 has appeared before in the previous stored values (𝑢𝑘), which is empty at the beginning. If this is the case, the algorithm will return the corresponding indices and we are done. Otherwise, save the value 𝑤 to the sequence (𝑢𝑘) of the minimum values, and the second part is finished, continue the next 𝑁 iterations. It is clear that the second part can be speeded up by using a hash table. And, more important, the second part can be independent to the first part, which means the stored sequence of minimum values can be off line; that is, the first part is response for generating minimum values along the random walk, while the second part searches the collision among stored minimum values independently.

3.2. Analysis

For further analysis of the algorithm, we assume that the iteration function 𝐹𝐺𝐺 behaves like a truly random mapping. According to Theorem 2.1, the expected number of iterations before reaching a match is 𝜋|𝐺|/2. Let us look at some simple cases for the new algorithm. For 𝑁=1, which means we store all the values in the sequence before reaching a match, and the match can be found once it appears. For 𝑁=2, we need to store half of the values in the sequence before reaching a match, and always the match can be found once it appears. Obviously, the bigger the integer 𝑁, the less values we need to store. As a result, with the integer 𝑁 increasing, there is a probability that we cannot detect the collision immediately when it happens. So, the new algorithm is a probabilistic algorithm. However, with high probability, the algorithm will halt close to the beginning of the second loop. More precisely, we have the following theorem.

Theorem 3.1. Under the assumption that an iteration function 𝐹𝐺𝐺 behaves like a truly random mapping and the initial value 𝑌0 is a randomly chosen group element, for Algorithm 1, the expected number of iterations before finding a match is 𝜋|𝐺|/2+(𝑘+1/2)𝑁 with probability 1(2/3)(𝑘1)/2, where 𝑘=0,1,2,.

Proof. Let 𝐼𝑖 be the set that consists of the 𝑖th 𝑁 successive values generated by iteration function 𝐹; that is, 𝐼𝑖=𝑌𝑗||𝐺||𝑖𝑁𝑗(𝑖+1)𝑁1,𝑗0,for𝑖=0,1,2,,/𝑁1.(3.1) For finite group 𝐺, the sequence produced by 𝐹 is eventually period; that is, for any fixed 𝐹 and 𝑌0, there exist certain integers 𝑚 and 𝑛, such that 𝐼𝑚𝐼𝑛𝐼,𝑚<𝑛,𝑖𝐼𝑗=,for0𝑖,𝑗<𝑛,𝑖𝑗,(3.2) and also 𝐼𝑚+𝑖𝐼𝑛+𝑖,for𝑖0.(3.3)
To prove the theorem, we divide it into two cases, that is, 𝑘=0 and 𝑘=1,2,. For 𝑘=0, let min𝑚 and min𝑛 be the minimum values of 𝐼𝑚 and 𝐼𝑛, thenPrmin𝑚=min𝑛=1𝑁𝑁1𝑖=01𝑁+2𝑁++𝑁𝑖𝑁1=𝑁𝑁𝑖2+3𝑁+34𝑁214,(3.4) that is, the probability of successfully detecting the collision within the first two intersection sets is 1/4.
For each of 𝑘=1,2,, we notice that, for two (intersected) sets 𝐼𝑖 and 𝐼𝑗, let min𝑖 and min𝑗 be the minimum values of 𝐼𝑖 and 𝐼𝑗, respectively, we have Prmin𝑖=min𝑗=||𝐼𝑖𝐼𝑗||2𝑁2||𝐼,where𝑖𝐼𝑗||denotesthecardinalityof𝐼𝑖𝐼𝑗.(3.5) Therefore, we have Prmin𝑚+𝑘=min𝑛+𝑘=1𝑁1𝑁2+22𝑁2++(𝑁1)2𝑁2=2𝑁23𝑁+16𝑁213.(3.6) Under the assumption that the iteration function 𝐹𝐺𝐺 is a random mapping, according to Theorem 2.1, the expected number of evaluations before a match appears is 𝜋|𝐷|/2. Combining the above two cases, using Algorithm 1, the expected number of iterations before reaching a match among minimum values is 𝜋|𝐺|/2+(𝑘+1/2)𝑁 with probability 1(2/3)(𝑘1)/2, where 𝑘=0,1,2,.

Remark 3.2. According to the above theorem, we need to store 𝜋|𝐺|/2/𝑁+𝑘 terms to find the match with the probability 1(2/3)(𝑘1)/2, where 𝑘 can be 0,1,2,; that is, by setting parameter 𝑁, we can balance the expected number of iterations and the expected space requirements. Therefore, Algorithm 1 is a time-space trade-off algorithm.

Remark 3.3. Algorithm 1 is a probabilistic algorithm. There is a probability that we cannot detect the collision immediately when it happens. However, with high probability, the algorithm will halt close to the beginning of the second loop. For example, the probability of successfully detecting the collision 1(2/3)(𝑘1)/2 is 0.90 with 𝑘=5.

Notice that, compared to the distinguished point method, the new algorithm has two advantages. First, the distinguished point method depends on the assumption that the distinguished points are uniformly distributed in the pseudo-random walk, and also the points in subset 𝐷 are uniformly distributed in 𝐺. However, in practice this may not be the case, which generally results in more iterations requirement, while, for the new algorithm, each stored minimum value represents 𝑁 successive values and the performance of the new algorithm independent of such assumption. Because the distinguished point method is currently the most efficient algorithm, we compare the actual performances of the new algorithm with the distinguished point method under the same expected storage requirement in experiments with elliptic curve groups in Section 5.

Second, using distinguished point method, it is possible for a random walk to fall into a loop which contains no distinguished point [11]. Then, the processor cannot find new distinguished point any more on the path. Left undetected, the processor would cease to contribute to the collision search. In this case, we can restart the random walk by choosing a different initial point. However, those points calculated by previous walk do not help for the collision search, while the new algorithm can avoid such problem, because it can always find the collision among minimum values whenever it falls into a loop.

4. Applications

The new algorithm can be combined with other algorithms, such as Pollard's lambda method, and can be adapted to a wide range of problems which can be reduced to finding collisions, such as in Pollard's rho method for factorization [24] and in studying the behavior of random number generators [25]. In this section, we will address some of these issues.

4.1. Pollard's Lambda Method

It is clear that the new algorithm can be applied to Pollard's lambda method (also called the kangaroo method). The lambda method computes a discrete logarithm in an arbitrary cyclic group, given that the value is known to lie in a certain interval, that is, =𝑔𝑘, where 𝑘[𝑎,𝑏] but unknown.

Generally, we have two kangaroos, one tame and one wild. Their positions are represented by group elements, the tame kangaroo 𝑇 with starting point 𝑡0=𝑔(𝑎+𝑏)/2 and the wild kangaroo 𝑊 with starting point 𝑤0=, and they travel in the cyclic group 𝐺=𝑔. In terms of the exponents of 𝑔, 𝑇 starts at the middle of the interval [𝑎,𝑏], while 𝑊 starts at 𝑥. Since we do not know 𝑘, we do not know the exact location of the wild kangaroo, and that is why it is called wild. The two kangaroos produce two different pseudo-random walks with the same walking rules. It is obvious that, at all times, the point of tame kangaroo has the form 𝑔𝑖 and the point of wild kangaroo has the form 𝑔𝑗 for some known integers 𝑖 and 𝑗. The purpose is to provoke a collision between the tame and the wild kangaroos, from which we can deduce the wild kangaroo's starting point, that is, 𝑘=(𝑖𝑗)mod|𝐺|.

Similar to the case of Pollard's rho method, the new algorithm can be applied in this case to efficiently detect the collision. The advantage of the new algorithm is that we can achieve uniform distributions of minimum values in the pseudo-random walks both for the tame kangaroos and the wild kangaroos. The different performances of the new algorithm and distinguished point method in this case can refer to the case of Pollard's rho method.

4.2. Parallelization

As we have mentioned above, during the random walk, finding the minimum value from 𝑁 iterations and comparing the minimum value 𝑤 to all previously stored values can be separated. This feature makes the new algorithm suit for distributed computation.

However, Pollard's rho method is inherently serial in nature; one must wait for the current iteration of the function 𝐹 to complete before the next can begin. Each value in the sequence totally depends on the previous value and the iteration rules. In discussing the rho method for factorization, Brent considered running many processors in parallel each producing an independent sequence and noted that “Unfortunately, parallel implementation of the “rho” method does not give linear speedup” [26]. Analogous comments apply to the rho method for computing logarithms and the generalized rho method for collision search. Notice that here each parallel processor is producing its own sequence of points independently of the others and each particular processor does not increase the probability of success of any other processor. For the corresponding picture, with high probability, each processor draws a different “rho” that never intersect with each other. There is a little chance that different processors may intersect with each other.

van Oorschot and Wiener [11] showed that the expected speedup of the direct parallelization of Pollard's rho method, using 𝑚 processors, is only a factor of 𝑚. This is a very inefficient use of parallelization. They provided a modified version of Pollard's rho method and claimed that it can be linearly parallelized with the distinguished point method; that is, the expected running time of the modified version, using 𝑚 processors, is roughly 𝜋|𝐺|/2/𝑚 group operations.

In the modified version, to perform a parallel collision search each processor proceeds as follows. Select a random starting point 𝑌0𝐺, and produce the trail of points 𝑌𝑖+1=𝐹(𝑌𝑖), for 𝑖=0,1,2,, until a distinguished point 𝑌𝑑 is reached based on some easily testable distinguished property. Store distinguished point, and start producing a new trail from a new random starting point. Unfortunately, the new algorithm is not efficient for the parallelized modified version of Pollard's rho method. The key point is that there is a probability that the new algorithm fails to detect the collision while it actually happened, which cannot be efficiently solved like the serial version.

However, for Pollard's lambda method, the new algorithm can be efficiently parallelized with linear speedup. We present here a modified version of parallelized Pollard's lambda method from [11]. Assume we have 𝑚 processors with 𝑚 even. Then, instead of one tame and one wild kangaroo, we work with two herds of kangaroos, one herd of 𝑚/2 tame kangaroos and one herd of 𝑚/2 wild kangaroos, with one kangaroo on each processor. Each kangaroo starts from a different point, stores a minimum value every 𝑁 iterations, just like the serial version. A center server collects all the minimums, and tries to find a collision between the tame kangaroo minimums and the wild kangaroo minimums By choosing a reasonable integer 𝑁, the new algorithm provides an optimal time-space trade-off method for collision detection.

5. Experiments

We implemented Pollard's rho method with elliptic curve groups over prime fields using SAGE [27], which is an open source computer algebra software. Obviously, such experiments can also be done for DLP on a multiplicative subgroup 𝐺 of finite field 𝔽𝑞. We compared the different performances between distinguished point method and the new algorithm. In this section, we describe these experiments and analyse the results.

For our experiments, we briefly introduce the elliptic curve groups over prime fields and the notation we use in the following. Let 𝑞 be a prime, and let 𝔽𝑞 denote the field 𝑞 of integers modulo 𝑞. Let 𝑎,𝑏𝔽𝑞 such that 4𝑎3+27𝑏20. Then the elliptic curve 𝐸𝑎,𝑏 over 𝔽𝑞 is defined through the equation 𝐸𝑎,𝑏𝑦2=𝑥3+𝑎𝑥+𝑏.(5.1) The set of all solutions (𝑥,𝑦)𝔽𝑞×𝔽𝑞 of this equation, together with the element 𝒪 called the “point at infinity,” forms a finite abelian group which we denote by 𝐸𝑎,𝑏(𝔽𝑞). Usually, this group is written additively. Let 𝑃𝐸𝑎,𝑏(𝔽𝑞) be a point of prime order 𝑛, and let 𝐺 denote the subgroup of 𝐸 generated by 𝑃. Given 𝑄𝐺, determine the integer 0𝑘<𝑛 such that 𝑄=𝑘𝑃.

For the iteration function, we use Teske's 𝑟-adding walk and set 𝑟=20; that is, we divide the group 𝐺 into 20 subsets: 𝑆1,𝑆2,,𝑆20. Define the iteration function as follows: 𝐹𝑚(𝑌)=𝑌+𝑖𝑃+𝑛𝑖𝑄for𝑌𝑆𝑖[],𝑖1,20,(5.2) where 𝑚𝑖 and 𝑛𝑖 randomly chosen from [0,𝑛1] and (𝑚𝑖𝑃+𝑛𝑖𝑄) can be precomputed for 𝑖=1,2,,20. This means it only needs one group operation for each iteration.

Let 𝑊=(𝑥,𝑦) be any point of 𝐺; we define the partition of 𝐺 into 𝑟 subsets 𝑆1,𝑆2,,𝑆𝑟 as follows. First we compute a rational approximation 𝐴 of the golden ratio (51)/2, with a precision of 2+log10(𝑞𝑟) decimal places. Let 𝑢[𝐺0,1),(𝑥,𝑦)𝐴𝑥𝐴𝑥if𝑊𝒪,0if𝑊=𝒪,(5.3) where 𝐴𝑥𝐴𝑥 is the nonnegative fraction part of 𝐴𝑥. Then let 𝑢𝐺{1,2,,𝑟},𝑢(𝑊)=𝑢𝑆(𝑊)𝑟+1,𝑖={𝑊𝐺𝑢(𝑊)=𝑖}.(5.4) This method is originally from Knuth's multiplicative hash function [28] and suggested by Teske [29]. From the theory of multiplicative hash functions, we know that, among all numbers between 0 and 1, choosing 𝐴 as a rational approximation of (51)/2 with a sufficiently large precision leads to the most uniformly distributed hash values, even for nonrandom inputs.

The purpose of our experiments is to evaluate the expected numbers of steps until a match is found with different collision detection methods, that is, distinguished point method and the new algorithm, under the same expected space requirement. Generally, we randomly choose a big prime number 𝑞, where 𝑞 is in certain range. Then we randomly choose the parameters 𝑎 and 𝑏, where 𝑎,𝑏𝔽𝑞, which determine the unique elliptic curve 𝐸𝑎,𝑏 over 𝔽𝑞. We will check whether the order of group 𝐸𝑎,𝑏(𝔽𝑞) has large prime factor 𝑛 in certain range. If not, repeat the above procedures until we get a prime order subgroup 𝐺 of 𝐸𝑎,𝑏(𝔽𝑞). Then we set the generator 𝑃 of 𝐺 and choose a random point 𝑄 of 𝐺. When using Pollard's rho method to compute this discrete logarithm, we count the number of steps we performed until a match is found with different collision detection methods on the same case. Then we determine the ratio 𝑅 of the number of steps and 𝑛. We repeat it a couple of times with the same 𝑃 but several randomly chosen 𝑄’s. Furthermore, for practical reasons, we do the above procedures with a couple of groups, where the group order 𝑝 is between 231 and 236. We have Algorithm 2.

alg2
Algorithm 2: Experiments for distinguished point method and the new algorithm.

More precisely, for each 𝑖[31,36], we generate 20 elliptic curves, where each of them has a subgroup 𝐺 of prime order 𝑛, such that 𝑛[2𝑖,2𝑖+1]. Then for, each group 𝐺, we generate 100 to 3200 DLPs with the same generator 𝑃 but randomly generated 𝑄. The number of elliptic curves and instances of DLPs computed is given in Table 1. For each DLP, we use Teske's 𝑟-adding walk for iteration function and find the match using distinguished point method and the new algorithm simultaneously. Once reaching a match, we compute the ratio 𝑅𝑙 as (the number of steps until match is found)/𝑛. Then we compute the average ratio 𝑅𝑗 of all DLPs over the same elliptic curve. Finally, we count the average ratio 𝑅𝑖 of all DLPs with the same 𝑖, where 𝑖[31,36] and 𝑛[2𝑖,2𝑖+1].

tab1
Table 1: Number of elliptic curves and instances of DLPs.

Now, let us explain the parameters for distinguishing property and the new algorithm in more detail. In our experiments, we compute the average ratio of (numberofstepsuntilmatchisfound)/𝑛 under the same space requirement. To do this, generally we first define the distinguishing property and then compute the expected storage requirements. With the same storage requirements, we can deduce the parameter 𝑁 for the new algorithm.

For example, if 𝑖=36, which means 𝑛, the order of 𝐺 is a 36-bit prime number. According to [19], we are expected to take 1.292𝑛 iterations before reaching a match. We define the distinguishing property as the Hamming weight of normal-basis representation of 𝑥-coordinate of the point less than or equal to 9. Each point has probability almost exactly (936+836+736+)/23628.99 of being a distinguished point, that is, 𝜃=28.99; that is, to find a collision it is expected to compute 1.29228.99𝑛 distinguished points. To keep the same storage requirements, we set 𝑁=1/𝜃=28.99508 for the new algorithm.

The experimental results are given in Table 2. It shows that on average using the new algorithm for collision detection can reduce the number of iterations until a match is found from 1.309|𝐺| to 1.295|𝐺| under the same space requirements for the single rho method.

tab2
Table 2: Different performance for distinguished point method and the new algorithm.

Under the same expected storage requirements, the main reason for the different performances of the distinguished point method and the new algorithm is that the distinguished points may be not uniformly distributed in the pseudo-random walk, also the points in subset 𝐷 may be not uniformly distributed in 𝐺, which always results in more iterations requirement. while, for the new algorithm, each stored minimum value represents 𝑁 successive values, which leads to an equal-interval distribution.

6. Conclusion

In this paper, we proposed an optimal time-space trade-off method for collision detection in the pseudo-random walk when computing discrete logarithms with Pollard's rho method. We discussed the new algorithm both in theoretical analysis and in practical experiments. By comparison to other methods, it shows that the new algorithm is more efficient than previous methods. Unfortunately, the only practical application of the new idea is with the parallelized lambda method and it does not work with the parallelized rho method. As a further work, we would like to explore the performances of the new algorithm in other applications.

Acknowledgments

This work is partially supported by the National Natural Science Foundation of China (no. 61070168). The authors would like to thank the reviewers for their helpful comments and suggestions.

References

  1. W. Diffie and M. Hellman, “New directions in cryptography,” IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644–654, 1976. View at Google Scholar · View at Zentralblatt MATH
  2. T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Transactions on Information Theory, vol. 31, no. 4, pp. 469–472, 1985. View at Publisher · View at Google Scholar · View at Zentralblatt MATH
  3. FIPS 186-2, “Digital signature standard,” Tech. Rep. 186-2, Federal Information Processing Standards Publication, 2000. View at Google Scholar
  4. C. P. Schnorr, “Efficient signature generation by smart cards,” Journal of Cryptology, vol. 4, no. 3, pp. 161–174, 1991. View at Publisher · View at Google Scholar · View at Scopus
  5. N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of Computation, vol. 48, no. 177, pp. 203–209, 1987. View at Publisher · View at Google Scholar · View at Zentralblatt MATH
  6. V. Miller, “Use of elliptic curves in cryptography,” in Advances in Cryptology: Proceedings of Crypto'85, vol. 218 of LNCS, pp. 417–426, Springer, New York, NY, USA, 1986. View at Google Scholar
  7. A. Menezes, P. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, Fla, USA, 1996.
  8. J. M. Pollard, “Monte Carlo methods for index computation mod p,” Mathematics of Computation, vol. 32, no. 143, pp. 918–924, 1978. View at Google Scholar · View at Zentralblatt MATH
  9. R. Gallant, R. Lambert, and S. Vanstone, “Improving the parallelized Pollard lambda search on anomalous binary curves,” Mathematics of Computation, vol. 69, no. 232, pp. 1699–1705, 2000. View at Publisher · View at Google Scholar · View at Zentralblatt MATH
  10. M. Wiener and R. Zuccherato, “Faster attacks on elliptic curve cryptosystems,” in Selected Areas in Cryptography'98, vol. 1556 of LNCS, pp. 190–200, Springer, Berlin, Germany, 1998. View at Publisher · View at Google Scholar · View at Zentralblatt MATH
  11. P. van Oorschot and M. Wiener, “Parallel collision search with cryptanalytic applications,” Journal of Cryptology, vol. 12, no. 1, pp. 1–28, 1999. View at Publisher · View at Google Scholar · View at Zentralblatt MATH
  12. R. P. Brent, “An improved Monte Carlo factorization algorithm,” BIT, vol. 20, no. 2, pp. 176–184, 1980. View at Publisher · View at Google Scholar · View at Zentralblatt MATH
  13. G. Nivasch, “Cycle detection using a stack,” Information Processing Letters, vol. 90, no. 3, pp. 135–140, 2004. View at Publisher · View at Google Scholar · View at Zentralblatt MATH
  14. J. J. Quisquater and J. P. Delescaille, “How easy is collision search? Application to DES,” in Proceedings of the Advances in Cryptology—Eurocrypt, vol. 434 of Lecture Notes in Computer Science, pp. 429–434, Springer, New York, NY, USA, 1989.
  15. J. J. Quisquater and J. P. Delescaille, “How easy is collision search. New results and applications to DES,” in Proceedings of the Advances in Cryptology—Crypto, vol. 435 of Lecture Notes in Computer Science, pp. 408–413, Springer, New York, NY, USA, 1989.
  16. M. E. Hellman, “A cryptanalytic time-memory trade-off,” IEEE Transactions on Information Theory, vol. 26, no. 4, pp. 401–406, 1980. View at Publisher · View at Google Scholar · View at Zentralblatt MATH
  17. B. Harris, “Probability distributions related to random mappings,” Annals of Mathematical Statistics, vol. 31, pp. 1045–1062, 1960. View at Publisher · View at Google Scholar · View at Zentralblatt MATH
  18. S. C. Pohlig and M. E. Hellman, “An improved algorithm for computing logarithms over GF(p) and its cryptographic significance,” IEEE-Transactions on Information Theory, vol. 24, no. 1, pp. 106–110, 1978. View at Google Scholar · View at Zentralblatt MATH
  19. E. Teske, “Speeding up Pollard's rho method for computing discrete logarithms,” in Algorithmic Number Theory Symposium (ANTS IV), vol. 1423 of LNCS, pp. 541–553, Springer, New York, NY, USA, 1998. View at Publisher · View at Google Scholar · View at Zentralblatt MATH
  20. S. Bai and R. P. Brent, “On the efficiency of Pollard’s rho method for discrete logarithms,” in CATS 2008, J. Harland and P. Manyem, Eds., pp. 125–131, Australian Computer Society, 2008. View at Google Scholar
  21. C.-P. Schnorr and H. W. Lenstra Jr., “A Monte Carlo factoring algorithm with linear storage,” Mathematics of Computation, vol. 43, no. 167, pp. 289–311, 1984. View at Publisher · View at Google Scholar · View at Zentralblatt MATH
  22. E. Teske, “A space efficient algorithm for group structure computation,” Mathematics of Computation, vol. 67, no. 224, pp. 1637–1663, 1998. View at Publisher · View at Google Scholar · View at Zentralblatt MATH
  23. D. V. Bailey, L. Batina, D. J. Bernstein et al., “Breaking ECC2K-130,” Tech. Rep. 2009/541, Cryptology ePrint Archive, 2009. View at Google Scholar
  24. J. M. Pollard, “A Monte Carlo method for factorization,” BIT, vol. 15, no. 3, pp. 331–335, 1975. View at Google Scholar · View at Zentralblatt MATH
  25. D. E. Knuth, The Art of Computer Programming, vol. 2, Addison-Wesley, Reading, Mass, USA, 3rd edition, 1997.
  26. R. P. Brent, “Parallel algorithms for integer factorisation,” in Number Theory and Cryptography, J. H. Loxton, Ed., vol. 154 of London Mathematical Society Lecture Note Series, pp. 26–37, Cambridge University, Cambridge, UK, 1990. View at Google Scholar · View at Zentralblatt MATH
  27. “SAGE: an open source mathematics software,” http://www.sagemath.org/.
  28. D. E. Knuth, The Art of Computer Programming, vol. 3, Addison-Wesley, Reading, Mass, USA, 2nd edition, 1981.
  29. E. Teske, “On random walks for Pollard's rho method,” Mathematics of Computation, vol. 70, no. 234, pp. 809–825, 2001. View at Publisher · View at Google Scholar · View at Zentralblatt MATH