Journal of Applied Mathematics


Research Article | Open Access

Volume 2012 | Article ID 635909 | 15 pages | https://doi.org/10.1155/2012/635909

An Efficient Collision Detection Method for Computing Discrete Logarithms with Pollard's Rho

Academic Editor: Jacek Rokicki
Received: 07 Jul 2011
Revised: 15 Nov 2011
Accepted: 21 Nov 2011
Published: 16 Jan 2012

Abstract

Pollard's rho method and its parallelized variant are at present known as the best generic algorithms for computing discrete logarithms. However, when we compute discrete logarithms in cyclic groups of large order using Pollard's rho method, collision detection is a heavy consumer of both time and space. In this paper, we present a new efficient collision detection algorithm for Pollard's rho method. The new algorithm is more efficient than the previous distinguished point method and can easily be adapted to other applications. However, the new algorithm does not work with the parallelized rho method, although it can be parallelized with Pollard's lambda method. Besides the theoretical analysis, we also compare the performance of the new algorithm with that of the distinguished point method in experiments with elliptic curve groups. The experiments show that the new algorithm can reduce the expected number of iterations before reaching a match from 1.309√|𝐺| to 1.295√|𝐺| under the same space requirements for the single rho method.

1. Introduction

One of the most important assumptions in modern cryptography is the hardness of the discrete logarithm problem (DLP). Many popular cryptosystems base their security on DLP. Such cryptosystems are, for example, the Diffie-Hellman key agreement protocol [1], the ElGamal signature and encryption schemes [2], the US Government Digital Signature Algorithm (DSA) [3], and the Schnorr signature scheme [4]. Originally, they worked with multiplicative groups of finite prime fields. Once elliptic curve cryptosystems were proposed by Koblitz [5] and Miller [6], analogous practical systems based on the DLP in groups of points of elliptic curves over finite fields were designed [7]. Recall the following two definitions.

Definition 1.1 (discrete logarithm problem, DLP). Let 𝐺 be a cyclic group of prime order 𝑝, and let 𝑔∈𝐺 be a generator of 𝐺. Given 𝑔, ℎ∈𝐺, determine the integer 0 ≤ 𝑘 < 𝑝 such that ℎ = 𝑔^𝑘.

Definition 1.2 (elliptic curve discrete logarithm problem, ECDLP). Let 𝐸 be an elliptic curve defined over a finite field 𝔽𝑞. Let 𝑃∈𝐸 be a point of prime order 𝑛, and let 𝐺 be the subgroup of 𝐸 generated by 𝑃. Given 𝑄∈𝐺, determine the integer 0 ≤ 𝑘 < 𝑛 such that 𝑄 = 𝑘𝑃.

For the DLP in a multiplicative subgroup 𝐺 of prime order 𝑝 of a finite field 𝔽𝑞, the subexponential-time index calculus method determines how large 𝑞 must be chosen, while Pollard's rho method [8] determines how large 𝑝 must be.

Furthermore, for ECDLP, Pollard's rho method and its modifications by Gallant et al. [9] and Wiener and Zuccherato [10] are to date known as the most efficient general algorithms. van Oorschot and Wiener [11] showed that the modified Pollard's rho method can be parallelized with linear speedup.

Pollard's rho method is a randomized algorithm for computing discrete logarithms. Generally, an iteration function 𝐹∶𝐺→𝐺 is used to define a pseudorandom sequence 𝑌𝑖 by 𝑌𝑖+1=𝐹(𝑌𝑖) for 𝑖=0,1,2,…, with some initial value 𝑌0. The sequence 𝑌0,𝑌1,𝑌2,… represents a walk in the group 𝐺. The basic assumption is that the walk 𝑌𝑖 behaves as a random walk. Because the order of the group is finite, the sequence will ultimately reach an element that has occurred before. This is called a collision or a match. The advantage of this method is that the space requirements are small if one uses a clever method of detecting a collision. The problem of efficient collision detection of a pseudo-random walk in Pollard's rho method is the central topic of this paper.

There are several collision detection algorithms for a random walk in the group 𝐺. These algorithms in general do not exploit the group structure of 𝐺. As a result, the algorithms discussed in this paper in fact apply to any set 𝐺 on which an iterated function 𝐹 is used to make random walks, and their utilization goes beyond discrete logarithm computation.

A simple approach to detecting a collision with Pollard's rho method is to use Floyd's cycle-finding algorithm [8], which shows that it suffices to compare 𝑌𝑖 and 𝑌2𝑖 for all 𝑖 to find a collision. Floyd's algorithm uses only a small constant amount of storage, but needs roughly three times more work than is necessary. Brent [12] improved this approach by using an auxiliary variable. Nivasch designed an algorithm [13] for detecting periodicity in sequences using a single pointer and a small stack. This stack algorithm halts at a uniformly random point in the second loop through the sequence's cycle.
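Floyd's scheme can be sketched as follows; this is our own illustrative Python sketch, with the iteration function, the modulus, and the starting value chosen arbitrarily for demonstration:

```python
def floyd_collision(F, Y0):
    """Find an index i with Y_i == Y_2i for the sequence Y_{n+1} = F(Y_n)."""
    tortoise = F(Y0)          # Y_1
    hare = F(F(Y0))           # Y_2
    i = 1
    while tortoise != hare:
        tortoise = F(tortoise)     # one step per iteration
        hare = F(F(hare))          # two steps per iteration
        i += 1
    return i                       # Y_i == Y_{2i}

# Example walk: F(x) = (x^2 + 1) mod 1009, starting from 2
i = floyd_collision(lambda x: (x * x + 1) % 1009, 2)
```

Note that each loop iteration costs three evaluations of 𝐹 (one for the tortoise, two for the hare), which is the "three times more work" overhead mentioned above.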

In finding DES collisions [14, 15], Quisquater and Delescaille took a different approach based on storing distinguished points, an idea noted earlier by Rivest to reduce the search time in Hellman time-memory tradeoff [16]. A distinguished point is one that has some easily checked property such as having a fixed number of leading zero bits. During the pseudo-random walk, points that satisfy the distinguishing property are stored. Collision can be detected when a distinguished point is encountered a second time. This technique can be efficiently applied to find collisions among multiple processors [11].

In this paper, we describe a new efficient collision detection algorithm for computing discrete logarithms with Pollard's rho method. It is a probabilistic algorithm and is more efficient than the previous methods. With this algorithm, we can significantly reduce the space requirements and provide a better time-space trade-off. We also compare the performances of the new algorithm and the distinguished point method in experiments with elliptic curve groups, and our experimental results confirm the theoretical analysis.

The remainder of this paper is organized as follows. In Section 2, we recall Pollard's rho method for discrete logarithm computation and discuss several previous methods for collision detection. We describe and analyze the new algorithm in Section 3 and discuss its applications in Section 4. We present our experiments in Section 5 and conclude the paper in Section 6.

2. Preliminary

In this section, we describe Pollard's rho method for discrete logarithm computation and then discuss several collision detection algorithms and their performances.

2.1. Pollard's Rho Method

Pollard [8] proposed an elegant algorithm for the discrete logarithms based on a Monte Carlo idea and called it the rho method. The rho method works by first defining a sequence of elements that will be periodically recurrent, then looking for a match in the sequence. The match will lead to a solution of the discrete logarithm problem with high probability. The two key ideas involved are the iteration function for generating the sequence and the cycle-finding algorithm for detecting a match.

If 𝐷 is any finite set, 𝐹∶𝐷→𝐷 is a mapping, and the sequence (𝑋𝑖) in 𝐷 is defined by the rule 𝑋0∈𝐷, 𝑋_{𝑖+1} = 𝐹(𝑋_𝑖), (2.1) then this sequence is ultimately periodic. Hence, there exist unique integers 𝜇 ≥ 0 and 𝜆 ≥ 1 such that 𝑋0, …, 𝑋_{𝜇+𝜆−1} are all distinct, but 𝑋𝑖 = 𝑋_{𝑖+𝜆} for all 𝑖 ≥ 𝜇. A pair (𝑋𝑖, 𝑋𝑗) of two elements of the sequence is called a match if 𝑋𝑖 = 𝑋𝑗, where 𝑖 ≠ 𝑗. For the expected values of 𝜇 and 𝜆, we have the following theorem.

Theorem 2.1 (see [17]). Under the assumption that an iteration function 𝐹∶𝐷→𝐷 behaves like a truly random mapping and the initial value 𝑋0 is a randomly chosen group element, the expected value of each of 𝜇 and 𝜆 is √(𝜋|𝐷|/8). The expected number of evaluations before a match appears is 𝐸(𝜇+𝜆) = √(𝜋|𝐷|/2) ≈ 1.25√|𝐷|.

Now we explain how the rho method for computing discrete logarithms works. Let 𝐺 be a cyclic group of prime order 𝑝, let 𝑔∈𝐺 be a generator of 𝐺, and let ℎ∈𝐺. The discrete logarithm problem is to compute 𝑥 satisfying 𝑔^𝑥 = ℎ. Pollard defined the iteration function 𝐹∶𝐺→𝐺 as follows: 𝐹(𝑌) = 𝑔⋅𝑌 if 𝑌∈𝑆1, 𝑌² if 𝑌∈𝑆2, ℎ⋅𝑌 if 𝑌∈𝑆3. (2.2)

Let the initial value 𝑌0 = 1. In each iteration of 𝑌_{𝑖+1} = 𝐹(𝑌_𝑖), the function uses one of three rules depending on the value of 𝑌𝑖. The group 𝐺 is partitioned into three subsets 𝑆1, 𝑆2, 𝑆3 of roughly equal size. Each 𝑌𝑖 has the form 𝑔^{𝑎_𝑖}ℎ^{𝑏_𝑖}. The sequence (𝑎_𝑖) (and similarly (𝑏_𝑖)) can be computed as follows: 𝑎_{𝑖+1} = 𝑎_𝑖 + 1 (mod 𝑝) if 𝑌𝑖∈𝑆1, 2𝑎_𝑖 (mod 𝑝) if 𝑌𝑖∈𝑆2, 𝑎_𝑖 (mod 𝑝) if 𝑌𝑖∈𝑆3. (2.3)

As soon as we have a match (𝑌𝑖, 𝑌𝑗), we have the equation 𝑔^{𝑎_𝑖}ℎ^{𝑏_𝑖} = 𝑔^{𝑎_𝑗}ℎ^{𝑏_𝑗}.

Since ℎ = 𝑔^𝑥, this gives 𝑎_𝑖 + 𝑏_𝑖𝑥 ≡ 𝑎_𝑗 + 𝑏_𝑗𝑥 (mod 𝑝). (2.4) Now, if gcd(𝑏_𝑖 − 𝑏_𝑗, 𝑝) = 1, we get 𝑥 = (𝑎_𝑗 − 𝑎_𝑖)(𝑏_𝑖 − 𝑏_𝑗)^{−1} mod 𝑝. Owing to the method of Pohlig and Hellman [18], in practical applications the group order 𝑝 is prime, so it is very unlikely that gcd(𝑏_𝑖 − 𝑏_𝑗, 𝑝) > 1 if 𝑝 is large.
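The whole procedure can be illustrated on a toy instance. The following Python sketch (our own illustration, not from the paper) solves 𝑔^𝑥 = ℎ in the subgroup of prime order 𝑝 = 509 of ℤ_𝑞^∗ with 𝑞 = 1019, using rules (2.2)-(2.3), the partition 𝑌 mod 3 (an arbitrary illustrative choice, with 1 ∈ 𝑆1 so the walk leaves 𝑌0 = 1), and Floyd's cycle finding:

```python
def pollard_rho_dlog(g, h, q, p):
    """Solve g^x = h (mod q), where g has prime order p in Z_q^*, with
    Pollard's iteration rules and Floyd's cycle finding.  Returns x, or
    None in the degenerate case b_i = b_j (mod p)."""
    def step(Y, a, b):
        if Y % 3 == 1:                        # S1: multiply by g
            return (Y * g) % q, (a + 1) % p, b
        if Y % 3 == 0:                        # S2: square
            return (Y * Y) % q, (2 * a) % p, (2 * b) % p
        return (Y * h) % q, a, (b + 1) % p    # S3: multiply by h

    tort = step(1, 0, 0)                      # Y_1 with its exponents
    hare = step(*step(1, 0, 0))               # Y_2 with its exponents
    while tort[0] != hare[0]:
        tort = step(*tort)
        hare = step(*step(*hare))
    _, a_i, b_i = tort
    _, a_j, b_j = hare
    denom = (b_i - b_j) % p
    if denom == 0:
        return None                           # unlucky walk; retry in practice
    return ((a_j - a_i) * pow(denom, -1, p)) % p
```

For example, `pollard_rho_dlog(4, pow(4, 123, 1019), 1019, 509)` recovers an 𝑥 with 4^𝑥 ≡ 4^123 (mod 1019) whenever the run is nondegenerate.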

Theorem 2.1 makes the assumption of true randomness. However, it has been shown empirically that this assumption does not hold exactly for Pollard's iteration function [19]. The actual performance is worse than the expected value given in Theorem 2.1.

Teske [19] proposed better iteration functions by applying more arbitrary multipliers. Assume that we use 𝑟 partitions (multipliers). We generate 2𝑟 random numbers 𝑚_𝑖, 𝑛_𝑖 ∈_𝑅 {0, 1, …, 𝑝−1}, for 𝑖 = 1, 2, …, 𝑟. (2.5) Then we precompute 𝑟 multipliers 𝑀1, 𝑀2, …, 𝑀𝑟, where 𝑀_𝑖 = 𝑔^{𝑚_𝑖}⋅ℎ^{𝑛_𝑖}, for 𝑖 = 1, 2, …, 𝑟. Define a hash function 𝑣∶𝐺⟶{1, 2, …, 𝑟}. (2.6) Then the iteration function 𝐹∶𝐺→𝐺 is defined as 𝐹(𝑌) = 𝑌⋅𝑀_{𝑣(𝑌)}, where 𝑣(𝑌)∈{1, 2, …, 𝑟}. (2.7) The indices are updated by 𝑎_{𝑖+1} = 𝑎_𝑖 + 𝑚_{𝑣(𝑌𝑖)}, 𝑏_{𝑖+1} = 𝑏_𝑖 + 𝑛_{𝑣(𝑌𝑖)}. (2.8)
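A minimal sketch of the 𝑟-adding step rule, again over a toy subgroup of ℤ_𝑞^∗; the hash 𝑣 is taken to be 𝑌 mod 𝑟 and the multipliers come from a seeded PRNG (both our assumptions for illustration):

```python
import random

def make_radding_step(g, h, q, p, r=20, seed=1):
    """Build the step function of an r-adding walk for g^x = h in a
    subgroup of prime order p of Z_q^* (illustrative sketch)."""
    rng = random.Random(seed)
    m = [rng.randrange(p) for _ in range(r)]
    n = [rng.randrange(p) for _ in range(r)]
    # precomputed multipliers M_i = g^{m_i} * h^{n_i}
    M = [pow(g, m[i], q) * pow(h, n[i], q) % q for i in range(r)]
    def step(Y, a, b):
        i = Y % r                    # hash v: G -> {0, ..., r-1}
        return (Y * M[i]) % q, (a + m[i]) % p, (b + n[i]) % p
    return step
```

Every walk value keeps the invariant 𝑌 = 𝑔^𝑎ℎ^𝑏, which is exactly what makes the final collision usable for solving the DLP.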

The difference in performance between Pollard's original walk and Teske's 𝑟-adding walk has been studied in [19, 20]. We summarize the results as follows. In prime-order subgroups of ℤ_𝑝^∗, the values of 𝐸(𝜇+𝜆) for Pollard's original walk and Teske's 𝑟-adding walk are 1.55√|𝐺| and 1.27√|𝐺|, while in groups of points of elliptic curves over finite fields, the values are 1.60√|𝐺| and 1.29√|𝐺|, respectively.

2.2. Previous Methods for Collision Detection

Finding the collision in the pseudo-random walk naively requires a large amount of storage. In order to minimize the storage requirements, a collision detection algorithm can be applied at a small penalty in running time.

Floyd's Cycle-Finding Algorithm
In Pollard's paper, Floyd's algorithm is applied. To find 𝑌𝑖 = 𝑌𝑗, the algorithm computes tuples (𝑌𝑖, 𝑎𝑖, 𝑏𝑖, 𝑌2𝑖, 𝑎2𝑖, 𝑏2𝑖) until 𝑌𝑖 = 𝑌2𝑖. In each iteration, we compute 𝑌_{𝑖+1} = 𝐹(𝑌_𝑖) and 𝑌_{2(𝑖+1)} = 𝐹(𝐹(𝑌_{2𝑖})), so the algorithm requires only negligible storage. Floyd's algorithm is based on the following idea.

Theorem 2.2 (see [25]). For a periodic sequence 𝑌0,𝑌1,𝑌2,…, there exists an 𝑖>0 such that 𝑌𝑖=𝑌2𝑖 and the smallest such 𝑖 lies in the range 𝜇≤𝑖≤𝜇+𝜆.

The best case requires 𝜇 iterations and the worst case 𝜇 + 𝜆 iterations. Under the assumption that 𝐹∶𝐺→𝐺 behaves like a truly random mapping, the expected number of iterations before reaching a match is √(𝜋⁵|𝐺|/288) ≈ 1.03√|𝐺| [20]. The weak point of this algorithm is that it needs three group operations and one comparison per iteration, which makes it inefficient.

Brent's Algorithm
Brent proposed an algorithm [12] which is generally 25% faster than Floyd's method. It uses an auxiliary variable, say 𝑤, which at each stage of the algorithm holds 𝑌_{𝑙(𝑖)−1}, where 𝑙(𝑖) = 2^{⌊log₂ 𝑖⌋}. In each iteration, 𝑤 is compared with 𝑌𝑖, and it is updated by 𝑤 ← 𝑌𝑖 whenever 𝑖 = 2^𝑘 − 1 for 𝑘 = 1, 2, …. The correctness of this algorithm depends on the following fact.

Theorem 2.3 (see [20]). For a periodic sequence 𝑌0, 𝑌1, 𝑌2, …, there exists an 𝑖 > 0 such that 𝑌𝑖 = 𝑌_{𝑙(𝑖)−1} and 𝑙(𝑖) ≤ 𝑖 < 2𝑙(𝑖). The smallest such 𝑖 is 2^{⌈log₂ max(𝜇+1, 𝜆)⌉} + 𝜆 − 1.

Under the assumption that 𝐹∶𝐺→𝐺 is a random mapping, with Brent's algorithm the first match is expected to occur after 1.98√|𝐺| iterations [12]. The algorithm needs one group operation and one comparison per iteration, which makes it 25%–30% faster than Floyd's algorithm. Variations of Brent's algorithm requiring slightly more storage and comparisons but fewer iterations can be found in [21, 22].
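Brent's scheme can be sketched as follows (our own illustration; the test mapping and start value are arbitrary):

```python
def brent_collision(F, Y0):
    """Brent's cycle detection: compare Y_i against the saved value
    Y_{l(i)-1}, where l(i) = 2^floor(log2 i); one F evaluation per step."""
    w = Y0            # holds Y_{l(i)-1}; initially Y_0, since l(1) - 1 = 0
    Y = F(Y0)         # Y_1
    power = 1         # current window size l(i)
    i = 1
    while Y != w:
        if i == 2 * power - 1:    # i = 2^k - 1: start a new window
            w = Y
            power *= 2
        Y = F(Y)
        i += 1
    return i                      # Y_i == Y_{l(i)-1}
```

The single 𝐹 evaluation and single comparison per step are what buy the 25%–30% advantage over Floyd's three evaluations.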

Stack Algorithm
In 2004, Nivasch proposed an interesting algorithm that uses logarithmic storage and allows a trade-off between storage and speed. The algorithm requires a total ordering < on the set 𝐺, and it works as follows. Keep a stack of pairs (𝑌𝑖, 𝑖), where, at all times, both the 𝑖's and the 𝑌𝑖's in the stack form strictly increasing sequences. The stack is initially empty. At each step 𝑗, pop from the stack all entries (𝑌𝑖, 𝑖) with 𝑌𝑖 > 𝑌𝑗. If a match 𝑌𝑖 = 𝑌𝑗 is found with an element in the stack, the algorithm terminates successfully. Otherwise, push (𝑌𝑗, 𝑗) on top of the stack and continue. The stack algorithm depends on the following fact.

Theorem 2.4 (see [13]). The stack algorithm always halts on the smallest value of the sequence's cycle, at some time in [𝜇+𝜆,𝜇+2𝜆).

Under the assumption that 𝐹∶𝐺→𝐺 is a random mapping, the expected number of iterations before finding a match is (5/2)√(𝜋|𝐺|/8) ≈ 1.57√|𝐺| [13]. The algorithm needs slightly more than one group operation and one comparison per iteration. Under the same assumption, Nivasch also proves that the expected size of the stack is ln ℎ + 𝑂(1). Therefore, the algorithm requires only a logarithmic amount of memory.
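The stack discipline described above can be sketched as follows (our illustration; integers stand in for group elements, using the usual < ordering):

```python
def stack_collision(F, Y0):
    """Nivasch's stack algorithm: keep pairs (Y_i, i) with both components
    strictly increasing; halts on the minimum element of the cycle."""
    stack = []                       # entries (value, index), both increasing
    Y, j = Y0, 0
    while True:
        while stack and stack[-1][0] > Y:
            stack.pop()              # discard entries larger than current value
        if stack and stack[-1][0] == Y:
            return stack[-1][1], j   # match: Y_i == Y_j with i < j
        stack.append((Y, j))
        Y = F(Y)
        j += 1
```

Because every popped entry is gone for good, the stack stays short even though the walk itself is long.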

Distinguished Point
The idea of the distinguished point method is to search for a match not among all terms of the sequence, but only among a small subset of terms that satisfy a certain distinguishing property. It works as follows. One defines a set 𝐷, a subset of 𝐺, that consists of all group elements that satisfy a certain distinguishing property. During the pseudo-random walk, points that satisfy the distinguishing property are stored. Collision can be detected when a distinguished point is encountered a second time.
Currently, the distinguished point method is the most efficient algorithm for detecting collisions in a pseudo-random walk when |𝐺| is large. A popular way of defining 𝐷 is to fix an integer 𝑘 and to define 𝑤∈𝐷 if and only if the 𝑘 least significant bits in the binary representation of 𝑤 are zero. To break ECC2K-130, the attack in [23] defines the distinguishing property as the Hamming weight of the normal-basis representation of the 𝑥-coordinate of the point being less than or equal to 34. Notice that this kind of definition allows a fast check of the distinguishing property, and the size of 𝐷 can easily be monitored as well. Obviously, we have the following theorem.
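The low-bits distinguishing property mentioned above amounts to a one-line predicate (a sketch on integer representations; the parameter 𝑘 is the tunable proportion knob):

```python
def is_distinguished(w, k=20):
    """Distinguishing property: the k least significant bits of (the integer
    representation of) w are all zero, so roughly a fraction 2^-k of all
    points qualifies."""
    return w & ((1 << k) - 1) == 0
```

During the walk, only points passing this check are stored, so the expected storage shrinks by a factor of about 2^𝑘.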

Theorem 2.5 (see [11]). Let 𝜃 be the proportion of points in 𝐺 which satisfy the distinguishing property, that is, 𝜃 = |𝐷|/|𝐺|. Under the assumption that 𝐹∶𝐺→𝐺 is a random mapping and 𝐷 is uniformly distributed in 𝐺, the expected number of iterations before finding a match is √(𝜋|𝐺|/2) + 1/𝜃.

3. The New Algorithm

We are motivated by the fact that, in the distinguished point method, the distinguished points may not be uniformly distributed along the pseudo-random walk, and the points of the subset 𝐷 may not be uniformly distributed in 𝐺, which generally results in more iterations. We aim to design an algorithm that leads to a uniform distribution and also provides a better way to trade time for space than a distinguishing property does.

3.1. The Basic Algorithm

To find a collision in the pseudo-random walk produced by an iteration function 𝐹∶𝐺→𝐺, assuming 𝐹 is a random mapping on 𝐺, our basic algorithm works as follows. We fix an integer 𝑁 and use an auxiliary variable, say 𝑤, which after every 𝑁 iterations holds the minimum of the 𝑁 successive values produced by the iteration function 𝐹. Once we have the minimum value 𝑤 of 𝑁 successive values, we check whether this value has occurred before in the stored sequence; if so, we have found the match and we are done. Otherwise, we store the value 𝑤 in the sequence, compute the next 𝑁 values, and repeat the previous procedure. If the integer 𝑁 is chosen properly, we will find the match among the newly generated minimum value and the stored minimum values.

More precisely, to find a collision in pseudo-random sequence 𝑌0,𝑌1,𝑌2,…, which is produced by the iteration function 𝐹∶𝐺→𝐺, we have Algorithm 1.

Input: initial value 𝑌0, iteration function 𝐹∶𝐺→𝐺, fixed integer 𝑁
Output: 𝑚 and 𝑛 such that 𝑌𝑚 = 𝑌𝑛
(1) 𝑤 ← 𝑌0, 𝑚 ← 0, 𝑛 ← 0
(2) for 𝑖 = 1 to ⌈|𝐺|/𝑁⌉ do
(3)   for 𝑗 = (𝑖−1)𝑁+1 to 𝑖𝑁−1 do
(4)     𝑌𝑗 ← 𝐹(𝑌_{𝑗−1})
(5)     if 𝑌𝑗 < 𝑤 then
(6)       𝑤 ← 𝑌𝑗, 𝑛 ← 𝑗
(7)     else if 𝑌𝑗 = 𝑤 then
(8)       𝑚 ← 𝑗
(9)       return 𝑚, 𝑛
(10)    end if
(11)  end for
(12)
(13)  for 𝑘 = 1 to 𝑖−1 do
(14)    if 𝑢𝑘 = 𝑤 then
(15)      𝑚 ← 𝑣𝑘
(16)      return 𝑚, 𝑛
(17)    end if
(18)  end for
(19)  𝑢𝑖 ← 𝑤, 𝑣𝑖 ← 𝑛
(20)  𝑤 ← 𝐹(𝑌_{𝑖𝑁−1}), 𝑛 ← 𝑖𝑁
(21) end for
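Algorithm 1 can be sketched in Python as follows (our illustration: integers stand in for group elements, and a dictionary plays the role of the stored sequences (𝑢𝑘), (𝑣𝑘)):

```python
def min_value_collision(F, Y0, N, max_blocks=10**6):
    """Keep the minimum of every block of N successive walk values and
    search for a repeated minimum across blocks.  Returns (m, n) with
    m < n and Y_m == Y_n, or None if the block budget is exhausted."""
    seen = {}                      # block minimum value -> index of occurrence
    Y, j = Y0, 0                   # current value Y_j of the walk
    for _ in range(max_blocks):
        w, n = Y, j                # minimum of the current block and its index
        for _ in range(N - 1):     # the block consists of N successive values
            Y = F(Y)
            j += 1
            if Y < w:
                w, n = Y, j
        if w in seen and seen[w] != n:
            return seen[w], n      # same element was a block minimum twice
        seen[w] = n
        Y = F(Y)                   # first value of the next block
        j += 1
    return None
```

The dictionary lookup replaces the linear scan of steps (13)-(18), which matches the hash-table speedup discussed in the text.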

It is obvious that the algorithm can be considered as two parts. In the first part, that is, steps (3) to (11), we seek the minimum value 𝑤 of 𝑁 successive values in the pseudo-random walk. The operation is very simple: if the current value 𝑌𝑗 is smaller than 𝑤, we just update 𝑤 with the current value and continue with the next iteration. Notice that steps (7), (8), and (9) can be omitted, since it is unlikely that there is a match within 𝑁 iterations; even if that happens, the algorithm ensures that we find a match within the next 𝑁 iterations. As a result, there is only one group operation and one comparison in the first part, and these constitute the main operations of the algorithm.

In the second part, that is, steps (13) to (19), once we have a minimum value 𝑤, we check whether 𝑤 has appeared among the previously stored values (𝑢𝑘), a sequence which is empty at the beginning. If it has, the algorithm returns the corresponding indices and we are done. Otherwise, we save the value 𝑤 in the sequence (𝑢𝑘) of minimum values, the second part is finished, and we continue with the next 𝑁 iterations. Clearly, the second part can be sped up by using a hash table. More importantly, the second part can be made independent of the first part, which means the stored sequence of minimum values can be kept offline; that is, the first part is responsible for generating minimum values along the random walk, while the second part searches for a collision among the stored minimum values independently.

3.2. Analysis

For further analysis of the algorithm, we assume that the iteration function 𝐹∶𝐺→𝐺 behaves like a truly random mapping. According to Theorem 2.1, the expected number of iterations before reaching a match is √(𝜋|𝐺|/2). Let us look at some simple cases of the new algorithm. For 𝑁 = 1, we store every value of the sequence, and the match is found as soon as it appears. For 𝑁 = 2, we store half of the values of the sequence, and again the match is always found as soon as it appears. Obviously, the larger the integer 𝑁, the fewer values we need to store. As a result, as 𝑁 increases there is a probability that we cannot detect the collision immediately when it happens. So the new algorithm is a probabilistic algorithm. However, with high probability, it halts close to the beginning of the second loop through the sequence's cycle. More precisely, we have the following theorem.

Theorem 3.1. Under the assumption that an iteration function 𝐹∶𝐺→𝐺 behaves like a truly random mapping and the initial value 𝑌0 is a randomly chosen group element, for Algorithm 1, the expected number of iterations before finding a match is √(𝜋|𝐺|/2) + (𝑘 + 1/2)𝑁 with probability 1 − (1/2)(2/3)^{𝑘−1}, where 𝑘 = 0, 1, 2, ….

Proof. Let 𝐼𝑖 be the set consisting of the 𝑖th block of 𝑁 successive values generated by the iteration function 𝐹; that is, 𝐼𝑖 = {𝑌𝑗 ∣ 𝑖𝑁 ≤ 𝑗 ≤ (𝑖+1)𝑁−1}, for 𝑖 = 0, 1, 2, …, ⌈|𝐺|/𝑁⌉−1. (3.1) For a finite group 𝐺, the sequence produced by 𝐹 is eventually periodic; that is, for any fixed 𝐹 and 𝑌0, there exist integers 𝑚 and 𝑛 such that 𝐼𝑚 ∩ 𝐼𝑛 ≠ ∅, 𝑚 < 𝑛, with 𝐼𝑖 ∩ 𝐼𝑗 = ∅ for 0 ≤ 𝑖, 𝑗 < 𝑛, 𝑖 ≠ 𝑗, (3.2) and also 𝐼_{𝑚+𝑖} ∩ 𝐼_{𝑛+𝑖} ≠ ∅ for 𝑖 ≥ 0. (3.3)
To prove the theorem, we distinguish two cases, 𝑘 = 0 and 𝑘 = 1, 2, …. For 𝑘 = 0, let min𝑚 and min𝑛 be the minimum values of 𝐼𝑚 and 𝐼𝑛; then Pr[min𝑚 = min𝑛] = (1/𝑁) Σ_{𝑖=0}^{𝑁−1} (1/𝑁)(1/𝑁 + 2/𝑁 + ⋯ + (𝑁−𝑖)/𝑁) ≈ 1/4, (3.4) that is, the probability of successfully detecting the collision within the first two intersecting sets is 1/4.
For each of 𝑘 = 1, 2, …, we note that, for two (intersecting) sets 𝐼𝑖 and 𝐼𝑗 with minimum values min𝑖 and min𝑗, respectively, we have Pr[min𝑖 = min𝑗] = |𝐼𝑖 ∩ 𝐼𝑗|²/𝑁², where |𝐼𝑖 ∩ 𝐼𝑗| denotes the cardinality of 𝐼𝑖 ∩ 𝐼𝑗. (3.5) Therefore, we have Pr[min_{𝑚+𝑘} = min_{𝑛+𝑘}] = (1/𝑁)(1²/𝑁² + 2²/𝑁² + ⋯ + (𝑁−1)²/𝑁²) = (2𝑁² − 3𝑁 + 1)/(6𝑁²) ≈ 1/3. (3.6) Under the assumption that the iteration function 𝐹∶𝐺→𝐺 is a random mapping, according to Theorem 2.1, the expected number of evaluations before a match appears is √(𝜋|𝐺|/2). Combining the above two cases, with Algorithm 1 the expected number of iterations before reaching a match among the minimum values is √(𝜋|𝐺|/2) + (𝑘 + 1/2)𝑁 with probability 1 − (1/2)(2/3)^{𝑘−1}, where 𝑘 = 0, 1, 2, ….

Remark 3.2. According to the above theorem, we need to store √(𝜋|𝐺|/2)/𝑁 + 𝑘 terms to find the match with probability 1 − (1/2)(2/3)^{𝑘−1}, where 𝑘 = 0, 1, 2, …; that is, by setting the parameter 𝑁, we can balance the expected number of iterations against the expected space requirements. Therefore, Algorithm 1 is a time-space trade-off algorithm.

Remark 3.3. Algorithm 1 is a probabilistic algorithm. There is a probability that we cannot detect the collision immediately when it happens. However, with high probability, the algorithm halts close to the beginning of the second loop. For example, the probability 1 − (1/2)(2/3)^{𝑘−1} of successfully detecting the collision is 0.90 for 𝑘 = 5.
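The success probabilities in Theorem 3.1 and Remark 3.3 are easy to tabulate; the following sketch assumes the probability expression reads 1 − (1/2)(2/3)^(𝑘−1):

```python
def detect_prob(k):
    """Probability that Algorithm 1 has detected the collision by the k-th
    overlapping block pair: 1 - (1/2) * (2/3)^(k-1)."""
    return 1 - 0.5 * (2 / 3) ** (k - 1)

# detect_prob(0) gives 1/4, the value derived for the first overlapping pair
# in the proof; detect_prob(5) gives about 0.90, matching Remark 3.3.
```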

Notice that, compared to the distinguished point method, the new algorithm has two advantages. First, the distinguished point method depends on the assumption that the distinguished points are uniformly distributed along the pseudo-random walk and that the points of the subset 𝐷 are uniformly distributed in 𝐺. In practice this may not be the case, which generally results in more iterations, whereas for the new algorithm each stored minimum value represents 𝑁 successive values and the performance is independent of such assumptions. Because the distinguished point method is currently the most efficient algorithm, we compare the actual performance of the new algorithm with that of the distinguished point method under the same expected storage requirement in experiments with elliptic curve groups in Section 5.

Second, with the distinguished point method it is possible for a random walk to fall into a loop which contains no distinguished point [11]. The processor then cannot find any new distinguished point on this path. Left undetected, the processor would cease to contribute to the collision search. In this case, we can restart the random walk from a different initial point, but the points calculated by the previous walk do not help the collision search. The new algorithm avoids this problem, because it always finds the collision among the minimum values whenever the walk falls into a loop.

4. Applications

The new algorithm can be combined with other algorithms, such as Pollard's lambda method, and can be adapted to a wide range of problems which can be reduced to finding collisions, such as in Pollard's rho method for factorization [24] and in studying the behavior of random number generators [25]. In this section, we will address some of these issues.

4.1. Pollard's Lambda Method

It is clear that the new algorithm can be applied to Pollard's lambda method (also called the kangaroo method). The lambda method computes a discrete logarithm in an arbitrary cyclic group, given that the value is known to lie in a certain interval; that is, ℎ = 𝑔^𝑘, where 𝑘 ∈ [𝑎, 𝑏] is unknown.

Generally, we have two kangaroos, one tame and one wild. Their positions are represented by group elements: the tame kangaroo 𝑇 starts at 𝑡0 = 𝑔^{⌊(𝑎+𝑏)/2⌋} and the wild kangaroo 𝑊 starts at 𝑤0 = ℎ, and they travel in the cyclic group 𝐺 = ⟨𝑔⟩. In terms of the exponents of 𝑔, 𝑇 starts at the middle of the interval [𝑎, 𝑏], while 𝑊 starts at 𝑘. Since we do not know 𝑘, we do not know the exact location of the wild kangaroo, which is why it is called wild. The two kangaroos produce two different pseudo-random walks with the same walking rules. Obviously, at all times, the point of the tame kangaroo has the form 𝑔^𝑖 and the point of the wild kangaroo has the form ℎ⋅𝑔^𝑗 for some known integers 𝑖 and 𝑗. The purpose is to provoke a collision between the tame and the wild kangaroos, from which we can deduce the wild kangaroo's starting point, that is, 𝑘 = (𝑖 − 𝑗) mod |𝐺|.
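A toy sketch of the kangaroo idea follows (our own illustration, not the paper's algorithm): for simplicity the tame kangaroo records every point it visits, whereas a real implementation would store only distinguished points or block minima; the jump rule, step budgets, and the toy subgroup of ℤ_𝑞^∗ are all assumptions made for demonstration.

```python
def kangaroo(g, h, q, p, a, b, r=8, tame_steps=600, wild_steps=3000):
    """Toy Pollard lambda ("kangaroo") sketch for h = g^k (mod q), k in [a, b],
    in a subgroup of prime order p of Z_q^*."""
    jump = lambda Y: 1 << (Y % r)           # pseudo-random jump size from the point
    d = (a + b) // 2                        # tame kangaroo: positions g^d, d known
    t = pow(g, d, q)
    trap = {}                               # visited tame point -> its exponent d
    for _ in range(tame_steps):
        trap[t] = d
        s = jump(t)
        d = (d + s) % p
        t = (t * pow(g, s, q)) % q
    e = 0                                   # wild kangaroo: positions h * g^e
    w = h % q
    for _ in range(wild_steps):
        if w in trap:                       # collision: g^d' = h * g^e
            return (trap[w] - e) % p
        s = jump(w)
        e = (e + s) % p
        w = (w * pow(g, s, q)) % q
    return None                             # no collision within the step budget
```

When the two walks land on the same group element, 𝑔^{𝑑′} = ℎ⋅𝑔^𝑒 gives 𝑘 = 𝑑′ − 𝑒 mod 𝑝, exactly the exponent bookkeeping described above.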

Similar to the case of Pollard's rho method, the new algorithm can be applied here to detect the collision efficiently. The advantage of the new algorithm is that we achieve uniform distributions of the minimum values in the pseudo-random walks of both the tame and the wild kangaroos. The relative performance of the new algorithm and the distinguished point method in this setting is analogous to the case of Pollard's rho method.

4.2. Parallelization

As mentioned above, during the random walk, finding the minimum value of 𝑁 iterations and comparing the minimum value 𝑤 with all previously stored values can be separated. This feature makes the new algorithm suitable for distributed computation.

However, Pollard's rho method is inherently serial in nature; one must wait for the current iteration of the function 𝐹 to complete before the next can begin. Each value in the sequence depends entirely on the previous value and the iteration rules. In discussing the rho method for factorization, Brent considered running many processors in parallel, each producing an independent sequence, and noted that “Unfortunately, parallel implementation of the “rho” method does not give linear speedup” [26]. Analogous comments apply to the rho method for computing logarithms and to the generalized rho method for collision search. Notice that here each parallel processor produces its own sequence of points independently of the others, and no processor increases the probability of success of any other. In the corresponding picture, with high probability, each processor draws a different “rho” that never intersects the others; there is only a small chance that the walks of different processors intersect.

van Oorschot and Wiener [11] showed that the expected speedup of the direct parallelization of Pollard's rho method, using 𝑚 processors, is only a factor of √𝑚. This is a very inefficient use of parallelization. They provided a modified version of Pollard's rho method and claimed that it can be linearly parallelized with the distinguished point method; that is, the expected running time of the modified version, using 𝑚 processors, is roughly √(𝜋|𝐺|/2)/𝑚 group operations.

In the modified version, each processor performs a parallel collision search as follows. Select a random starting point 𝑌0∈𝐺 and produce the trail of points 𝑌_{𝑖+1} = 𝐹(𝑌_𝑖), for 𝑖 = 0, 1, 2, …, until a distinguished point 𝑌𝑑 is reached, based on some easily testable distinguishing property. Store the distinguished point, and start producing a new trail from a new random starting point. Unfortunately, the new algorithm is not efficient for this parallelized modified version of Pollard's rho method. The key point is that there is a probability that the new algorithm fails to detect a collision that actually happened, and this cannot be handled efficiently as in the serial version.

However, for Pollard's lambda method, the new algorithm can be efficiently parallelized with linear speedup. We present here a modified version of the parallelized Pollard's lambda method from [11]. Assume we have 𝑚 processors with 𝑚 even. Then, instead of one tame and one wild kangaroo, we work with two herds of kangaroos, one herd of 𝑚/2 tame kangaroos and one herd of 𝑚/2 wild kangaroos, with one kangaroo on each processor. Each kangaroo starts from a different point and stores a minimum value every 𝑁 iterations, just like the serial version. A central server collects all the minima and tries to find a collision between the tame kangaroos' minima and the wild kangaroos' minima. By choosing a reasonable integer 𝑁, the new algorithm provides an optimal time-space trade-off method for collision detection.

5. Experiments

We implemented Pollard's rho method with elliptic curve groups over prime fields using SAGE [27], an open-source computer algebra system. Obviously, such experiments can also be done for the DLP in a multiplicative subgroup 𝐺 of a finite field 𝔽𝑞. We compared the performance of the distinguished point method and the new algorithm. In this section, we describe these experiments and analyse the results.

Before describing our experiments, we briefly introduce elliptic curve groups over prime fields and the notation used in the following. Let 𝑞 be a prime, and let 𝔽𝑞 denote the field ℤ𝑞 of integers modulo 𝑞. Let 𝑎, 𝑏 ∈ 𝔽𝑞 be such that 4𝑎³ + 27𝑏² ≠ 0. Then the elliptic curve 𝐸_{𝑎,𝑏} over 𝔽𝑞 is defined by the equation 𝐸_{𝑎,𝑏}: 𝑦² = 𝑥³ + 𝑎𝑥 + 𝑏. (5.1) The set of all solutions (𝑥, 𝑦) ∈ 𝔽𝑞 × 𝔽𝑞 of this equation, together with the element 𝒪 called the “point at infinity,” forms a finite abelian group, which we denote by 𝐸_{𝑎,𝑏}(𝔽𝑞). Usually, this group is written additively. Let 𝑃 ∈ 𝐸_{𝑎,𝑏}(𝔽𝑞) be a point of prime order 𝑛, and let 𝐺 denote the subgroup of 𝐸 generated by 𝑃. Given 𝑄 ∈ 𝐺, determine the integer 0 ≤ 𝑘 < 𝑛 such that 𝑄 = 𝑘𝑃.

For the iteration function, we use Teske's 𝑟-adding walk and set 𝑟 = 20; that is, we divide the group 𝐺 into 20 subsets 𝑆1, 𝑆2, …, 𝑆20. Define the iteration function as follows: 𝐹(𝑌) = 𝑌 + 𝑚𝑖𝑃 + 𝑛𝑖𝑄 for 𝑌 ∈ 𝑆𝑖, 𝑖 ∈ [1, 20], (5.2) where 𝑚𝑖 and 𝑛𝑖 are randomly chosen from [0, 𝑛−1] and the points 𝑚𝑖𝑃 + 𝑛𝑖𝑄 are precomputed for 𝑖 = 1, 2, …, 20. This means only one group operation is needed per iteration.

Let 𝑊 = (𝑥, 𝑦) be any point of 𝐺; we define the partition of 𝐺 into 𝑟 subsets 𝑆1, 𝑆2, …, 𝑆𝑟 as follows. First we compute a rational approximation 𝐴 of the golden ratio (√5 − 1)/2 with a precision of 2 + ⌊log10(𝑞𝑟)⌋ decimal places. Let 𝑢∗: 𝐺 ⟶ [0, 1), with 𝑢∗(𝑊) = 𝐴𝑥 − ⌊𝐴𝑥⌋ if 𝑊 ≠ 𝒪 and 𝑢∗(𝑊) = 0 if 𝑊 = 𝒪, (5.3) where 𝐴𝑥 − ⌊𝐴𝑥⌋ is the nonnegative fractional part of 𝐴𝑥. Then let 𝑢: 𝐺 ⟶ {1, 2, …, 𝑟}, 𝑢(𝑊) = ⌊𝑢∗(𝑊)⋅𝑟⌋ + 1, 𝑆𝑖 = {𝑊 ∈ 𝐺 : 𝑢(𝑊) = 𝑖}. (5.4) This method originates from Knuth's multiplicative hash function [28] and was suggested by Teske [29]. From the theory of multiplicative hash functions, we know that, among all numbers between 0 and 1, choosing 𝐴 as a rational approximation of (√5 − 1)/2 with sufficiently large precision leads to the most uniformly distributed hash values, even for nonrandom inputs.
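The partition map (5.3)-(5.4) can be sketched as follows (our illustration: the function takes the 𝑥-coordinate as an integer, the point at infinity is not handled, and the golden-ratio constant is derived from double-precision arithmetic, which suffices only for moderate 𝑞):

```python
import math
from fractions import Fraction

def make_partition(r, q):
    """Build u: x-coordinate -> {1, ..., r} via Knuth's multiplicative hash,
    with A a rational approximation of (sqrt(5) - 1) / 2 to
    2 + floor(log10(q * r)) decimal places."""
    digits = 2 + int(math.log10(q * r))
    A = Fraction(round((math.sqrt(5) - 1) / 2 * 10**digits), 10**digits)
    def u(x):
        frac = A * x - int(A * x)      # nonnegative fractional part of A*x
        return int(frac * r) + 1       # bucket in {1, ..., r}
    return u
```

Exact `Fraction` arithmetic avoids the rounding drift a floating-point 𝐴𝑥 would introduce for large 𝑥.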

The purpose of our experiments is to evaluate the expected number of steps until a match is found with the different collision detection methods, that is, the distinguished point method and the new algorithm, under the same expected space requirement. Generally, we randomly choose a big prime number 𝑞 in a certain range. Then we randomly choose the parameters 𝑎 and 𝑏, where 𝑎, 𝑏 ∈ 𝔽𝑞, which determine the unique elliptic curve 𝐸_{𝑎,𝑏} over 𝔽𝑞. We check whether the order of the group 𝐸_{𝑎,𝑏}(𝔽𝑞) has a large prime factor 𝑛 in a certain range. If not, we repeat the above procedure until we obtain a prime-order subgroup 𝐺 of 𝐸_{𝑎,𝑏}(𝔽𝑞). Then we set the generator 𝑃 of 𝐺 and choose a random point 𝑄 of 𝐺. When using Pollard's rho method to compute this discrete logarithm, we count the number of steps performed until a match is found with each collision detection method on the same instance. Then we determine the ratio 𝑅 of the number of steps to √𝑛. We repeat this a number of times with the same 𝑃 but several randomly chosen 𝑄's. Furthermore, for practical reasons, we carry out the above procedure for a number of groups, where the group order 𝑛 is between 2³¹ and 2³⁶. We have Algorithm 2.

Algorithm 2
Input: Iteration function F : G → G
Output: The average ratios R_{i,1} and R_{i,2} of (number of steps)/√n for the distinguished point method and the new algorithm, respectively
(1) for i = 31 to 36 do
(2)   for j = 1 to 20 do
(3)     repeat
(4)       Choose a random prime number q ∈ [2^(i+1), 2^(i+3)]
(5)       Choose two random numbers a, b ∈ 𝔽_q, where 4a^3 + 27b^2 ≠ 0
(6)       n ← the largest prime factor of #E_{a,b}
(7)     until 2^i ≤ n ≤ 2^(i+1)
(8)     Choose a random point W ∈ E_{a,b}, where the order of W equals #E_{a,b}
(9)     P ← (#E_{a,b}/n) ∗ W (the generator of G)
(10)    for l = 1 to 3200/2^(i−31) do
(11)      Choose a random number c ∈ [0, n−1], Q ← c ∗ P
(12)      Choose a random point in G as the initial point Y_0
(13)      k ← 1
(14)      repeat
(15)        Y_k ← F(Y_{k−1})
(16)        Check whether the Hamming weight of Y_k is less than a certain value
(17)        Check whether the x-coordinate of Y_k is a minimum value
(18)        if there is a match among distinguished points then
(19)          k_1 ← k
(20)        end if
(21)        if there is a match among minimum values then
(22)          k_2 ← k
(23)        end if
(24)      until both methods have found a match
(25)      R_{l,1} ← k_1/√n for the distinguished point method
(26)      R_{l,2} ← k_2/√n for the new algorithm
(27)    end for
(28)    R_{j,1} ← (Σ_l R_{l,1}) / (3200/2^(i−31)) for the distinguished point method
(29)    R_{j,2} ← (Σ_l R_{l,2}) / (3200/2^(i−31)) for the new algorithm
(30)  end for
(31)  R_{i,1} ← (Σ_j R_{j,1}) / 20 for the distinguished point method
(32)  R_{i,2} ← (Σ_j R_{j,2}) / 20 for the new algorithm
(33) end for

More precisely, for each i ∈ [31, 36], we generate 20 elliptic curves, each of which has a subgroup G of prime order n with n ∈ [2^i, 2^(i+1)]. Then, for each group G, we generate 100 to 3200 DLPs with the same generator P but randomly generated Q. The number of elliptic curves and instances of DLPs computed is given in Table 1. For each DLP, we use Teske's r-adding walk as the iteration function and search for the match using the distinguished point method and the new algorithm simultaneously. Once a match is reached, we compute the ratio R_l as (the number of steps until the match is found)/√n. Then we compute the average ratio R_j over all DLPs on the same elliptic curve. Finally, we compute the average ratio R_i over all DLPs with the same i, where i ∈ [31, 36] and n ∈ [2^i, 2^(i+1)].
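The distinguished-point check in the innermost loop can be sketched as follows. This is a toy illustration only: the quadratic map F, the modulus n, the fixed seed, and the weight bound are hypothetical stand-ins for the elliptic-curve r-adding walk and the paper's actual parameters.

```python
import random

def dp_steps_until_match(n, weight_bound, seed=1):
    """Iterate a pseudo-random map on Z_n, store only distinguished points
    (those of low Hamming weight), and stop when a stored point repeats.
    A toy stand-in for steps (15)-(19) of Algorithm 2."""
    rng = random.Random(seed)
    a, b = rng.randrange(n), rng.randrange(1, n)
    F = lambda y: (y * y + a * y + b) % n   # toy walk, NOT the r-adding walk
    y = rng.randrange(n)
    stored, k = set(), 0
    cap = 100 * int(n ** 0.5)   # safety cap: the cycle might contain no DP
    while k < cap:
        y = F(y)
        k += 1
        if bin(y).count("1") <= weight_bound:   # distinguishing property
            if y in stored:                     # match among stored DPs
                return k
            stored.add(y)
    return k

n = 2**20 + 7
k = dp_steps_until_match(n, 4)
print(k, round(k / n ** 0.5, 3))   # steps until match, and the ratio R
```

Only the distinguished points are ever stored, which is the source of the time-space trade-off: a smaller weight bound means less storage but more extra steps after the walk enters its cycle.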


Table 1

Bits  No. of elliptic curves  No. of DLPs per curve
31    20                      3200
32    20                      1600
33    20                      800
34    20                      400
35    20                      200
36    20                      100

Now, let us explain the parameters of the distinguishing property and the new algorithm in more detail. In our experiments, we compare the average ratio of (number of steps until the match is found)/√n under the same space requirement. To do this, we first define the distinguishing property and compute the expected storage requirement it implies. From the same storage requirement, we then deduce the parameter N for the new algorithm.

For example, if i = 36, then n, the order of G, is a 36-bit prime number. According to [19], we expect to take 1.292√n iterations before reaching a match. We define the distinguishing property as the Hamming weight of the normal-basis representation of the x-coordinate of the point being less than or equal to 9. Each point then has probability almost exactly ((36 choose 9) + (36 choose 8) + (36 choose 7) + ⋯)/2^36 ≈ 2^−8.99 of being a distinguished point, that is, θ = 2^−8.99; hence, to find a collision, we expect to compute 1.292·2^−8.99·√n distinguished points. To keep the same storage requirements, we set N = 1/θ = 2^8.99 ≈ 508 for the new algorithm.
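The probability and window-size calculation above can be checked directly; this short sketch uses only the stated parameters (36-bit values, Hamming weight at most 9):

```python
from math import comb, log2

# Probability that a uniformly random 36-bit value has Hamming weight <= 9
theta = sum(comb(36, k) for k in range(10)) / 2**36
print(round(-log2(theta), 2))   # 8.99: theta is almost exactly 2^-8.99
N = round(1 / theta)            # parameter N matching the same storage
print(N)                        # 508
```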

The experimental results are given in Table 2. They show that, on average, using the new algorithm for collision detection reduces the number of iterations until a match is found from 1.309√|G| to 1.295√|G| under the same space requirements for the single rho method.


Table 2

Bits     No. of DLPs  Ratio for distinguished point  Ratio for the new algorithm
31       64000        1.309                          1.295
32       32000        1.309                          1.295
33       16000        1.310                          1.296
34       8000         1.310                          1.297
35       4000         1.309                          1.295
36       2000         1.310                          1.294
Average  126000       1.309                          1.295

Under the same expected storage requirements, the main reason for the different performance of the distinguished point method and the new algorithm is that the distinguished points may not be uniformly distributed along the pseudo-random walk, and the points in the subset D may not be uniformly distributed in G, which typically results in more iterations being required. For the new algorithm, by contrast, each stored minimum value represents N successive values, which leads to an equal-interval distribution.

6. Conclusion

In this paper, we proposed an optimal time-space trade-off method for collision detection in the pseudo-random walk when computing discrete logarithms with Pollard's rho method. We analyzed the new algorithm both theoretically and in practical experiments. The comparison shows that the new algorithm is more efficient than previous methods. Unfortunately, the only practical parallel application of the new idea is with the parallelized lambda method; it does not work with the parallelized rho method. As future work, we would like to explore the performance of the new algorithm in other applications.

Acknowledgments

This work is partially supported by the National Natural Science Foundation of China (no. 61070168). The authors would like to thank the reviewers for their helpful comments and suggestions.

References

  1. W. Diffie and M. Hellman, “New directions in cryptography,” IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644–654, 1976.
  2. T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Transactions on Information Theory, vol. 31, no. 4, pp. 469–472, 1985.
  3. FIPS 186-2, “Digital signature standard,” Tech. Rep. 186-2, Federal Information Processing Standards Publication, 2000.
  4. C. P. Schnorr, “Efficient signature generation by smart cards,” Journal of Cryptology, vol. 4, no. 3, pp. 161–174, 1991.
  5. N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of Computation, vol. 48, no. 177, pp. 203–209, 1987.
  6. V. Miller, “Use of elliptic curves in cryptography,” in Advances in Cryptology: Proceedings of Crypto'85, vol. 218 of LNCS, pp. 417–426, Springer, New York, NY, USA, 1986.
  7. A. Menezes, P. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, Fla, USA, 1996.
  8. J. M. Pollard, “Monte Carlo methods for index computation mod p,” Mathematics of Computation, vol. 32, no. 143, pp. 918–924, 1978.
  9. R. Gallant, R. Lambert, and S. Vanstone, “Improving the parallelized Pollard lambda search on anomalous binary curves,” Mathematics of Computation, vol. 69, no. 232, pp. 1699–1705, 2000.
  10. M. Wiener and R. Zuccherato, “Faster attacks on elliptic curve cryptosystems,” in Selected Areas in Cryptography'98, vol. 1556 of LNCS, pp. 190–200, Springer, Berlin, Germany, 1998.
  11. P. van Oorschot and M. Wiener, “Parallel collision search with cryptanalytic applications,” Journal of Cryptology, vol. 12, no. 1, pp. 1–28, 1999.
  12. R. P. Brent, “An improved Monte Carlo factorization algorithm,” BIT, vol. 20, no. 2, pp. 176–184, 1980.
  13. G. Nivasch, “Cycle detection using a stack,” Information Processing Letters, vol. 90, no. 3, pp. 135–140, 2004.
  14. J. J. Quisquater and J. P. Delescaille, “How easy is collision search? Application to DES,” in Advances in Cryptology—Eurocrypt'89, vol. 434 of LNCS, pp. 429–434, Springer, New York, NY, USA, 1989.
  15. J. J. Quisquater and J. P. Delescaille, “How easy is collision search. New results and applications to DES,” in Advances in Cryptology—Crypto'89, vol. 435 of LNCS, pp. 408–413, Springer, New York, NY, USA, 1989.
  16. M. E. Hellman, “A cryptanalytic time-memory trade-off,” IEEE Transactions on Information Theory, vol. 26, no. 4, pp. 401–406, 1980.
  17. B. Harris, “Probability distributions related to random mappings,” Annals of Mathematical Statistics, vol. 31, pp. 1045–1062, 1960.
  18. S. C. Pohlig and M. E. Hellman, “An improved algorithm for computing logarithms over GF(p) and its cryptographic significance,” IEEE Transactions on Information Theory, vol. 24, no. 1, pp. 106–110, 1978.
  19. E. Teske, “Speeding up Pollard's rho method for computing discrete logarithms,” in Algorithmic Number Theory Symposium (ANTS III), vol. 1423 of LNCS, pp. 541–553, Springer, New York, NY, USA, 1998.
  20. S. Bai and R. P. Brent, “On the efficiency of Pollard's rho method for discrete logarithms,” in CATS 2008, J. Harland and P. Manyem, Eds., pp. 125–131, Australian Computer Society, 2008.
  21. C.-P. Schnorr and H. W. Lenstra Jr., “A Monte Carlo factoring algorithm with linear storage,” Mathematics of Computation, vol. 43, no. 167, pp. 289–311, 1984.
  22. E. Teske, “A space efficient algorithm for group structure computation,” Mathematics of Computation, vol. 67, no. 224, pp. 1637–1663, 1998.
  23. D. V. Bailey, L. Batina, D. J. Bernstein et al., “Breaking ECC2K-130,” Tech. Rep. 2009/541, Cryptology ePrint Archive, 2009.
  24. J. M. Pollard, “A Monte Carlo method for factorization,” BIT, vol. 15, no. 3, pp. 331–335, 1975.
  25. D. E. Knuth, The Art of Computer Programming, vol. 2, Addison-Wesley, Reading, Mass, USA, 3rd edition, 1997.
  26. R. P. Brent, “Parallel algorithms for integer factorisation,” in Number Theory and Cryptography, J. H. Loxton, Ed., vol. 154 of London Mathematical Society Lecture Note Series, pp. 26–37, Cambridge University Press, Cambridge, UK, 1990.
  27. “SAGE: an open source mathematics software,” http://www.sagemath.org/.
  28. D. E. Knuth, The Art of Computer Programming, vol. 3, Addison-Wesley, Reading, Mass, USA, 2nd edition, 1981.
  29. E. Teske, “On random walks for Pollard's rho method,” Mathematics of Computation, vol. 70, no. 234, pp. 809–825, 2001.

Copyright © 2012 Ping Wang and Fangguo Zhang. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

