Near Optimal Bounds for Collision in Pollard Rho for Discrete Log
We analyze a fairly standard idealization of Pollard's Rho algorithm for finding the discrete logarithm in a cyclic group $G$. It is found that, with high probability, a collision occurs in steps, not far from the widely conjectured value of . This improves upon a recent result of Miller and Venkatesan, which showed an upper bound of . Our proof is based on analyzing an appropriate non-reversible, non-lazy random walk on a discrete cycle of (odd) length $|G|$, and showing that the mixing time of the corresponding walk is
Stopping time signatures for some algorithms in cryptography
We consider the normalized distribution of the overall running times of some cryptographic algorithms, and what information they reveal about the algorithms. Recent work of Deift, Menon, Olver, Pfrang, and Trogdon has shown that certain numerical algorithms applied to large random matrices exhibit a characteristic distribution of running times, which depends only on the algorithm and is independent of the choice of probability distribution for the matrices. Different algorithms often exhibit different running time distributions, and so the histograms of these running time distributions provide a time-signature for the algorithms, making it possible, in many cases, to distinguish one algorithm from another. In this paper we extend this analysis to cryptographic algorithms, and present examples of such algorithms with time-signatures that are indistinguishable, and others with time-signatures that are clearly distinct.
Comment: 20 pages
Collision bounds for the additive Pollard rho algorithm for solving discrete logarithms
We prove collision bounds for the Pollard rho algorithm to solve the discrete logarithm problem in a general cyclic group $G$. Unlike the setting studied by Kim et al., we consider additive walks: the setting used in practice to solve the elliptic curve discrete logarithm problem. Our bounds differ from the birthday bound $O(\sqrt{|G|})$ by a factor of $\sqrt{\log|G|}$ and are based on mixing time estimates for random walks on finite abelian groups due to Dou and Hildebrand.
Collision Bounds for the Additive Pollard Rho Algorithm for Solving Discrete Logarithms
We prove collision bounds for the Pollard rho algorithm to solve the discrete logarithm problem in a general cyclic group $G$. Unlike the setting studied by Kim et al., we consider additive walks: the setting used in practice to solve the elliptic curve discrete logarithm problem. Our bounds differ from the birthday bound by a factor of and are based on mixing time estimates for random walks on finite abelian groups due to Hildebrand.
Isolated Curves and the MOV Attack
We present a variation on the CM method that produces elliptic curves over prime fields with nearly prime order that do not admit many efficiently computable isogenies. Assuming the Bateman–Horn conjecture, we prove that elliptic curves produced this way almost always have a large embedding degree, and thus are resistant to the MOV attack on the ECDLP.
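The MOV attack moves the ECDLP on $E(\mathbb{F}_p)$ into the multiplicative group of $\mathbb{F}_{p^k}$, where the embedding degree $k$ is the smallest integer with $p^k \equiv 1 \pmod{n}$ for the prime subgroup order $n$; the reduction only pays off when $k$ is small, which is why the abstract above cares about curves with a large embedding degree. The Python below is an added example, not code from the paper: it counts points on a small curve by brute force, takes the largest prime factor of the order, and computes the embedding degree with respect to it. The prime $p = 10007$, the supersingular curve $y^2 = x^3 + x$ (which has exactly $p + 1$ points because $p \equiv 3 \pmod 4$, giving $k = 2$) and the ordinary comparison curve $y^2 = x^3 + 3x + 7$ are constructed choices for the example, as is the threshold used to call a curve "resistant".

```python
import math


def largest_prime_factor(n):
    """Largest prime dividing n, by trial division (fine for the small group orders used here)."""
    best, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            best, n = d, n // d
        d += 1
    return max(best, n) if n > 1 else best


def count_points(p, a, b):
    """#E(F_p) for y^2 = x^3 + a*x + b by brute force over x.

    Euler's criterion decides how many y solve y^2 = rhs: two if rhs is a non-zero
    square, one if rhs == 0, none otherwise. The point at infinity is counted first.
    """
    assert (4 * a ** 3 + 27 * b ** 2) % p != 0, "singular curve"
    total = 1
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        if rhs == 0:
            total += 1
        elif pow(rhs, (p - 1) // 2, p) == 1:
            total += 2
    return total


def embedding_degree(p, n, max_k=10 ** 5):
    """Smallest k >= 1 with p^k == 1 (mod n), i.e. the order of p in (Z/nZ)^*.

    Returns None if n shares a factor with p (n == p is the anomalous case, which
    fails for a different reason than MOV) or if k exceeds max_k.
    """
    if math.gcd(p, n) != 1:
        return None
    pk, k = p % n, 1
    while pk != 1:
        pk, k = pk * p % n, k + 1
        if k > max_k:
            return None
    return k


def mov_check(p, a, b, max_k=20):
    """Return (n, k, mov_resistant) for y^2 = x^3 + a*x + b over F_p.

    n is the largest prime factor of #E(F_p) (the subgroup a DLP would live in),
    k its embedding degree. The cut-off max_k is an example threshold: for real
    parameters one compares the cost of index calculus in F_{p^k} against sqrt(n).
    """
    n = largest_prime_factor(count_points(p, a, b))
    k = embedding_degree(p, n)
    return n, k, (k is not None and k > max_k)


if __name__ == "__main__":
    p = 10007  # p == 3 (mod 4), so y^2 = x^3 + x is supersingular with p + 1 points
    print("supersingular y^2 = x^3 + x :", mov_check(p, 1, 0))
    print("ordinary      y^2 = x^3 + 3x + 7:", mov_check(p, 3, 7))
```

For the supersingular curve the order is $p + 1 = 10008 = 2^3 \cdot 3^2 \cdot 139$ and $p \equiv -1 \pmod{139}$, so $k = 2$ and the DLP drops into $\mathbb{F}_{p^2}^*$; the ordinary curve is there only to show that a curve chosen without such structure typically reports a much larger $k$.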
Computational Aspects of Jacobians of Hyperelliptic Curves
Nowadays, one area of research in cryptanalysis is solving the Discrete Logarithm Problem (DLP) in finite groups whose group representation has not yet been exploited. For such groups, the best one can do is to attack the DLP with a generic method, the fastest of which remains the Pollard rho algorithm with $r$-adding walks. For the first time, we rigorously analyze the Pollard rho method with $r$-adding walks and prove a complexity bound that differs from the birthday bound observed in practice by a relatively small factor. There exist a multitude of open questions in genus 2 cryptography. In this case, the DLP is defined in large prime-order subgroups of rational points on the Jacobian of a genus 2 curve defined over a large-characteristic finite field. We focus on one main topic: we present a new efficient algorithm for computing cyclic isogenies between Jacobians. Compared to previous work that computes non-cyclic isogenies in genus 2, we need to restrict to certain cases of polarized abelian varieties with specific complex multiplication and real multiplication. The algorithm has multiple applications related to the structure of the isogeny graph in genus 2, including random self-reducibility of the DLP. It supports the widespread intuition that one may choose any curve in a class of curves that satisfy certain public and well-studied security parameters. Another topic of interest is generating hyperelliptic curves for cryptographic applications via the CM method, which is based on the numerical estimation of the rational Igusa class polynomials. A recent development relates the denominators of the Igusa class polynomials to counting ideal classes in non-maximal real quadratic orders whose norm is not prime to the conductor. Besides counting, our new algorithm provides precise representations of such ideal classes for all real quadratic fields and is part of an implementation in Magma of the recent theoretical work in the literature on the topic of denominators.
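The Pollard rho abstracts above (the idealized walk on a cycle of length $|G|$, the two additive-walk collision bounds, and the $r$-adding walk analysis in this thesis abstract) all ask the same operational question: how many steps does an $r$-adding walk take before its first collision, compared with the birthday bound of about $\sqrt{|G|}$. The Python below is an added example and not code from any of these papers. It runs an $r$-adding walk in the prime-order subgroup of $\mathbb{Z}_p^*$ for a small safe prime $p$ (found at import time), recovers the discrete logarithm from the colliding pair, and averages the collision time over random targets. Storing every visited point (instead of Floyd cycle finding) is deliberate: it detects the first collision exactly, which is the quantity the bounds are about. The choice of $r = 20$, the partition function $y \bmod r$, the generator $g = 4$, the seeds and the trial counts are all the example's own assumptions.

```python
import math
import random


def is_prime(n):
    """Trial division; sufficient for the small moduli used in this example."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def safe_prime_above(n):
    """Smallest prime p >= n such that q = (p - 1) / 2 is also prime."""
    p = n | 1
    while not (is_prime(p) and is_prime((p - 1) // 2)):
        p += 2
    return p


class PrimeOrderSubgroup:
    """The order-q subgroup of Z_p^* for a safe prime p = 2q + 1 (example group)."""

    def __init__(self, p):
        self.p = p
        self.q = (p - 1) // 2
        self.g = 4  # a non-trivial square mod p, hence of order exactly q

    def exp(self, base, e):
        return pow(base, e, self.p)

    def mul(self, a, b):
        return a * b % self.p


def make_walk(G, h, r, rng):
    """Build an r-adding walk for the instance g^x = h.

    Multipliers M_j = g^{a_j} h^{b_j} are drawn once; the step from y is y * M_j
    with j = y mod r, so the next point depends on y alone (the walk is
    deterministic, which is what makes a collision closable into a cycle).
    Exponents (a, b) are carried along so that every point stays expressed as
    g^a h^b.
    """
    table = []
    for _ in range(r):
        a, b = rng.randrange(G.q), rng.randrange(G.q)
        table.append((G.mul(G.exp(G.g, a), G.exp(h, b)), a, b))

    def step(y, a, b):
        m, da, db = table[y % r]
        return G.mul(y, m), (a + da) % G.q, (b + db) % G.q

    return step


def rho_additive(G, h, r=20, seed=0):
    """Solve g^x = h with an r-adding walk; return (x, steps until first collision).

    A collision g^a h^b = g^a2 h^b2 gives x = (a2 - a) / (b - b2) mod q; the rare
    case b == b2 carries no information, so the walk is restarted with fresh
    multipliers.
    """
    rng = random.Random(seed)
    while True:
        step = make_walk(G, h, r, rng)
        a, b = rng.randrange(G.q), rng.randrange(G.q)
        y = G.mul(G.exp(G.g, a), G.exp(h, b))
        seen = {y: (a, b)}
        steps = 0
        while True:
            y, a, b = step(y, a, b)
            steps += 1
            if y in seen:
                a2, b2 = seen[y]
                if (b - b2) % G.q == 0:
                    break  # degenerate collision: restart with a new walk
                return (a2 - a) * pow((b - b2) % G.q, -1, G.q) % G.q, steps
            seen[y] = (a, b)


def mean_collision_ratio(G, trials=200, r=20, seed=1):
    """Average first-collision time over random targets, divided by sqrt(q).

    For a truly random map the expectation is about sqrt(pi/2) ~ 1.25; the
    papers above bound the extra factor an r-adding walk pays over that.
    """
    rng = random.Random(seed)
    total = 0
    for t in range(trials):
        x = rng.randrange(1, G.q)
        x_found, steps = rho_additive(G, G.exp(G.g, x), r=r, seed=seed + t)
        assert x_found == x, "recovered logarithm must match the planted one"
        total += steps
    return total / trials / math.sqrt(G.q)


if __name__ == "__main__":
    G = PrimeOrderSubgroup(safe_prime_above(10000))
    print("p =", G.p, "q =", G.q, "sqrt(q) =", round(math.sqrt(G.q), 1))
    for r in (4, 20):
        print("r =", r, "mean collision time / sqrt(q) =", round(mean_collision_ratio(G, r=r), 2))
```

Running the script with a smaller $r$ shows the walk drifting away from the random-map constant, which is the practical face of the "factor beyond the birthday bound" that the abstracts quantify; with $r = 20$ the ratio sits close to it.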