J.M. Pollard, Monte Carlo Methods for Index Computation (mod p), Mathematics of Computation, vol. 32, no. 143 (July 1978), pp. 918--924.
....x 2 . Indeed the running time of the index calculus method depends only on the size n of the whole group. Depending on the size of c, different methods may actually be more efficient. Indeed the so-called baby step giant step algorithm by Shanks [5] or the rho and lambda algorithms by Pollard [9] can compute the discrete log of y in $O(2^{c/2})$ time. If one restricts the field to generic algorithms (i.e. algorithms that can only perform group operations and cannot take advantage of specific properties of the encoding of group elements) then Schnorr in [10] proves that this is the best ....
J. Pollard. Monte Carlo Methods for Index Computation (mod p). Mathematics of Computation, 32(143):918--924, 1978.
....$K = \mathbb{F}_{h^n}$ and $k = \mathbb{F}_h$. 3.1 Generic Attacks on Elliptic and Hyperelliptic Curves. When using elliptic curve cryptography, one must prevail against known attacks on the elliptic curve discrete logarithm problem. For an elliptic curve E defined over $\mathbb{F}_{2^N}$ these are: 1. Pollard's ρ algorithm [17], which has a running time of O(2 t_o) where $t_o$ is the time to perform an addition of two points on the curve, O(N 2 t_o) ... To solve the discrete logarithm problem on the Jacobian of a hyperelliptic curve H of genus g defined over k, one resorts to five methods: 1. Pollard's ρ [17], which has a running time of $O(g h)$ bit operations, since card Jac(H) ... and a group operation on Jac(H) takes $O(g q)$ bit operations using Cantor's algorithm [1] ... $O(g h)$ ... 3. the Pohlig-Hellman algorithm [16], which is not better than Pollard's ρ if card Jac(H) has a large ....
J. Pollard. Monte Carlo Methods for Index Computation (mod p). Mathematics of Computation, 32:918--924, 1978.
....schemes based on elliptic curves over finite fields [13, 20]. The discrete logarithm problem on a general elliptic curve (ECDLP) is particularly attractive since there is no known sub-exponential algorithm to solve it. The best method available for attacking the ECDLP is Pollard's method [21, 22] and variants thereof. 3 Permanent and Transient Faults. Consider the elliptic curve $E(a_1, a_2, a_3, a_4, a_6)$ over K given by Eq. (1). In [4] Biehl, Meyer and Müller observe that parameter $a_6$ is not involved in the addition formulae (cf. Eq. (2)). Consequently, if a cryptographic device ....
John M. Pollard. Monte Carlo methods for index computation (mod p). Mathematics of Computation, 32:918-924, 1978.
....Generic algorithms [15, 21], as introduced by Nechaev and Shoup, encompass group algorithms that do not exploit any special property of the encodings of group elements other than the property that each group element is encoded by a unique string. Typically, algorithms like Pollard's ρ algorithm [18] fall under the scope of this formalism while index calculus methods do not. 3.1 The Framework. Recall that any finite Abelian group Γ is isomorphic to a product of cyclic groups of the form $(\mathbb{Z}_{p^k}, +)$, where p is a prime. Such groups will be called standard Abelian groups. An encoding of a ....
J. M. Pollard. Monte Carlo Methods for Index Computation (mod p). Mathematics of Computation, 32(143):918--924, July 1978.
....had been earlier introduced by Nechaev and Shoup [19, 28] to encompass group algorithms that do not exploit any special property of the encodings of group elements other than the property that each group element is encoded by a unique string. Typically, algorithms like Pollard's algorithm [23] fall under the scope of this formalism, while index calculus methods do not. We will now go into a bit more detail of proofs in this generic model, because in one of our examples, this model is the origin of the apparent paradox. More precisely, we will focus on groups which are isomorphic to $(\mathbb{Z}$ ....
J. M. Pollard. Monte Carlo Methods for Index Computation (mod p). Mathematics of Computation, 32(143):918-924, July 1978.
....on the path between connection end points have sufficient information (namely the two ECDH components) to launch an attack against the elliptic curve system itself, such an attack requires considerable computational power. The best known attack is a distributed version of Pollard's rho algorithm [92], which Lenstra uses to show that a 193-bit elliptic curve system would require 8.52 MIPS years, or about 1.89 years on a 450 MHz Pentium II, to defeat [62]. While this key strength seems more than secure against ordinary attackers, an extremely well-financed attacker might be able to ....
John M. Pollard. Monte Carlo methods for index computation (mod p). Mathematics of Computation, 32(143):918--924, July 1978.
....d from and such that Baby = V and hence recover b. The algorithm requires storage of O(q ) large integers, but is guaranteed to recover b in time O(q ). Using the Pollard lambda method one can obtain the same effect with constant storage but only in expected run time O(q ); see [11] for details. 5 Experiments. In this section we outline the process of recovering the static private key $w_B$ in the case of MQV, both in theory and in practice. In each case, we provide evidence of success through probability calculation and experiment respectively. The following calculation does ....
J.M. Pollard. Monte Carlo methods for index computation (mod p). Math. Comp., 32, 918--924, 1978.
.... the only known methods for solving the elliptic curve discrete logarithm problem involve reducing to prime order subgroups (the Silver-Pohlig-Hellman reduction) and then applying generic group methods such as the baby step giant step method (see Cohen [7]) and Pollard's Rho and Lambda methods [27]. The complexity of these methods depends only on the size of the largest prime factor (say L) of the number of points on the elliptic curve. This gives the naive impression that the difficulty of the elliptic curve discrete logarithm problem depends only on the prime L. The experts in elliptic ....
J. Pollard, Monte Carlo methods for index computation (mod p), Math. Comp., 32 (1978) 918-924
....closely matches the lower bound mentioned above. The greatest disadvantage of this method is that it requires storage for $\sqrt{\mathrm{order}(g)}$ elements of G. Pollard's rho method, described in 4.1.5 below, requires hardly any storage and achieves essentially the same speed. 4.1.5 Pollard's rho method [89]. The probability that among a group of 23 randomly selected people at least two people have the same birthday is more than 50%. This probability is much higher than most people would expect. It is therefore referred to as the birthday paradox. It lies at the heart of the most effective general ....
.... (hopefully) random walk on $\langle g \rangle$ consisting of elements of the form $g^e h^d$ for known e and d, wait for a collision, i.e. $e, d$ and $e', d'$ such that $g^e h^d = g^{e'} h^{d'}$, and compute $\log_g(h) = (e - e')/(d' - d) \bmod \mathrm{order}(g)$. A random walk $(w_i)_{i=1}^{\infty}$ on $\langle g \rangle$ can, according to [89], be achieved as follows. Partition G into three subsets $G_1$, $G_2$, and $G_3$ of approximately equal cardinality. This can usually be done fairly accurately based on the representation of the elements of G. One may expect that this results in three sets $G_j \cap \langle g \rangle$, for j = 1, 2, 3, of about the ....
[Article contains additional citation context not shown here]
J.M. Pollard, Monte Carlo methods for index computation (mod p), Math. Comp., 32 (1978) 918-924.
.... $(P, aP, bP, cP)$ by means of the relation: $ab \equiv c \pmod q \iff e(P, cP) = e(aP, bP)$. 3 The BLS signature algorithm. Cryptosystems based on group arithmetic are all susceptible, at least to some extent, to generic group attacks, of which the most powerful known is Pollard's rho attack [22]. Two very powerful dedicated attacks are known against elliptic curve cryptosystems: the Weil descent attack and the Menezes-Okamoto-Vanstone (MOV for short) attack. Weil descent attacks [8-10] map the elliptic curve group to a subgroup of a hyperelliptic curve of higher genus, where the discrete ....
J.M. Pollard, "Monte Carlo methods for index computation (mod p)," Mathematics of Computation 32 (1978), pp. 918-924.
....obtains a new basis with only one element having trace equal to one. Many algorithms for elliptic curves over finite fields make use of the heuristic assumption that the bits of x(Q) behave like a random function. One such algorithm is that for solving the ECDLP using distinguished points; see [5] and [7] for the general method and [2, 8] for specific details with respect to certain elliptic curves. In this algorithm one aims to find such that Q = P by constructing elements of the form $T_i = [a_i]P + [b_i]Q$ and then storing the triple $(T_i, a_i, b_i)$ if the point $T_i$ is ....
J.M. Pollard. Monte Carlo methods for index computation (mod p). Math. Comp., 32, 918-- 924, 1978.
....of Elgamal signatures. In essence DSA is an immunized version of Elgamal [6]. Notice that an insider attack can be mounted using this trick. Alice simply chooses x to equal q. In this case, even authentication mechanisms can't protect Bob. 3.4 Pollard Lambda Algorithm. The Pollard lambda method [53] enables one to compute z given $g^z$, when z is known to be in a certain interval $[b, b + w]$, in time $O(w^{1/2})$. This is an extremely relevant attack to consider when we want to limit the exponent range to improve efficiency. For example, when $x, y \in N_p$ the attacker can compute x and y ....
Pollard, J. M. Monte Carlo methods for index computation (mod p). Mathematics of Computation 32, 143 (July 1978), 918-924.
.... the necessary background to understand the cryptosystems that utilize them [5, 6]. Part 2 presents the elliptic curve analogs of various public key cryptosystems [5]. Part 3 covers the elliptic curve discrete logarithm problem (ECDLP) and presents algorithms for solving it [13, 7, 3, 10]. The difficulty of this problem is compared to other commonly used hard problems. Part 4 examines the order of an elliptic curve [11]. 1 Math. An elliptic curve over any field F is the set of (x, y) with $x, y \in F$ satisfying the general equation $y^2 + axy + by = x^3 + cx^2 + dx + e$ (1) ....
....3)} List 2 = {(1, 8, 1), (2, 12, 1), (3, 9, 3)}. Item 1 in $L_1$ matches item 3 in $L_2$. This indicates that $4Q = -3Q + A$, or $7Q = A$. This is correct. 3.3 Pollard's Rho Method. The rho method of Pollard is currently the best algorithm for finding discrete logs on an elliptic curve [10]. It has running time $O(n^{1/2})$ where n is the order of the generator, and the space complexity can be significantly reduced to storage of 6 numbers. Take A to be the point of unknown index and Q to be a generator on the curve; let the order of Q be n. We believe that A = xQ, and in this ....
[Article contains additional citation context not shown here]
J. M. Pollard. Monte Carlo methods for index computation (mod p). Math. Comp., 32:918--924, 1978.
....if it needs to perform (expected) $O(\sqrt n)$ group operations to compute the solution. All generic square root algorithms for the DLP known to date are based on only a few methods: the baby step giant step method due to Shanks [Sha71] and the rho method and the kangaroo method, due to Pollard [Pol78]. The baby step giant step method is a deterministic method that uses a time-memory trade-off and takes const $\cdot \sqrt{\mathrm{ord}\,g}$ group operations and has to store const $\cdot \sqrt{\mathrm{ord}\,g}$ group elements. The rho method is a probabilistic method based on the birthday paradox. It can be implemented very space ....
....Unless the m processors have fully shared memory with unlimited and immediate access to it, a $\sqrt m$-fold speed-up is the best one can achieve. In other words, the baby step giant step method cannot be efficiently parallelized. 4. Pollard's Rho Method. The rho method has been developed by J. Pollard [Pol78] to compute discrete logarithms in $(\mathbb{Z}/p\mathbb{Z})^*$. The key idea is that for any finite set W and mapping $F: W \to W$, the sequence $(w_k)_{k \in \mathbb{N}_0}$ formed by the rule $w_0 \in W$, $w_{k+1} = F(w_k)$ ($k \in \mathbb{N}_0$) is ultimately periodic. Hence, there exist integers ≥ 1 and ≥ 0 such that $w_0, w_1$ ....
[Article contains additional citation context not shown here]
J. M. Pollard. Monte Carlo methods for index computation (mod p). Mathematics of Computation, 32(143):918-924, 1978.
....These methods are generic methods in the sense that they do not require any specific knowledge about the group; we only assume that we can compute the product $u \cdot v$ of any two group elements u and v, and that each group element can be uniquely represented as a binary string. The rho method [Pol78] is applied when x can be any non-negative integer smaller than ord g, where ord g denotes the order of the element g, i.e. the least positive integer n such that $g^n = 1$. Then the rho method can be implemented such that it requires an expected number of $\sqrt{\pi \cdot \mathrm{ord}\,g / 2} + O(\log(\mathrm{ord}\,g))$ ....
....want to choose the secret key x from an interval $[0, b]$ that is much smaller than the whole range $[0, \mathrm{ord}\,g]$. However, [Date: January 2, 2001. 1991 Mathematics Subject Classification. 11Y16, 94A60. 2 EDLYN TESKE] this reduces the security of the scheme, because with Pollard's kangaroo method [Pol78] one can compute discrete logarithms $x \in [a, b]$ in expected running time $2\sqrt{b - a} + O(\log(\mathrm{ord}\,g))$ rather than $O(\sqrt{\mathrm{ord}\,g})$ operations. Just as the rho method, the kangaroo method needs to store only a small, constant number of group elements, and it can be parallelized with linear speed-up ....
[Article contains additional citation context not shown here]
J. M. Pollard. Monte Carlo methods for index computation (mod p). Mathematics of Computation, 32(143):918-924, 1978.
....$2^c$. Indeed the running time of the index calculus method depends only on the size n of the whole group. Depending on the size of c, different methods may actually be more efficient. Indeed the so-called baby step giant step algorithm by Shanks [13] or the rho and lambda algorithms by Pollard [20] can compute the discrete log of y in $O(2^{c/2})$ time. If one restricts the field to generic algorithms (i.e. algorithms that can only perform group operations and cannot take advantage of specific properties of the encoding of group elements) then Schnorr in [21] proves that this is the best ....
J. Pollard. Monte Carlo Methods for Index Computation (mod p). Mathematics of Computation, 32(143):918--924, 1978.
....now to the basic index calculus method, which is the first subexponential algorithm for the problem, and provided the basis for several more sophisticated algorithms. The idea first appeared in the work of Kraitchik [26] and was rediscovered and analyzed by Adleman [1], Merkle [31] and Pollard [38]. Our presentation will be for finite fields $\mathbb{F}_q$ with $q = p^n$, $n \ge 1$, a prime power, i.e. the elements of $\mathbb{F}_q$ will be polynomials over $\mathbb{F}_p$ of degree $< n$. The basic method, however, works also for the case that q is a prime. Let f be a monic, irreducible polynomial over $\mathbb{F}_p$, and let g be a ....
J. Pollard. Monte Carlo methods for index computation (mod p). Math. Comp., 32:918-924, 1978.
....a relatively small size there exists a number of algorithms which can extract k in $O(\sqrt k)$ multiplications (modulo n). Shanks' baby step giant step algorithm (see e.g. [7], Section 5.4.1) provides a deterministic method with space requirement also measured by $O(\sqrt k)$. Pollard's kangaroo algorithm [23] provides a probabilistic method and requires a trivial amount of space. Note that Pollard's rho method (e.g. page 106 of [17]) is not applicable here because it needs the order of w, which is unknown in this case. Figure 1 provides an algorithm which factors n = pq using r, a known factor of ....
J.M. Pollard. Monte Carlo methods for index computation (mod p), Math. Comp., Vol. 32, No. 143 (1978), pages 918--924.
....thank T. Denny and D. Weber for allowing us to use this code. This was run on a machine with 6 processors and 8GB of RAM running HP-UX. 4. Comparison with Pollard rho. To have something concrete to compare the method of Weil descent to, we implemented the parallel version of Pollard's rho method [16] for the ECDLP. We used the method of distinguished points due to Wiener and van Oorschot [13], which has been used in recent years to solve various challenge ECDLP examples set by Certicom. Since we are using elliptic curves defined over fields of the form $\mathbb{F}_{q^n}$ where n = 4 or 5 we implemented ....
J.M. Pollard. Monte Carlo methods for index computation (mod p). Math. Comp., 32, 918--924, 1978.
....For example, in the key exchange protocol by Scheidler, Stein and Williams [SSW96] the regulator provides a measure for the key space; moreover, computation of the regulator is an instance of solving the discrete logarithm problem in real quadratic function fields. Pollard's lambda method [Pol78], also called the method of catching kangaroos, was originally developed to compute discrete logarithms in $\mathbb{Z}/p\mathbb{Z}$ and has been canonically generalized to solve the discrete logarithm problem in any finite abelian group. The key ingredient for the lambda method is that we know that the discrete ....
....[Catching Kangaroos in Function Fields 3] x such that $h = g^x$. This number x is usually called the discrete logarithm, or index, of h to the base g. In the special case that h = 1, we call x the order of g. We want to compute x. Let us assume that we know integers a and b such that $a \le x \le b$. This is the setting for which Pollard [Pol78] has designed his lambda method: The idea is to define two kangaroos, a tame kangaroo T with starting point $t_0 = g^b$ and a wild kangaroo W with starting point $w_0 = h$. In terms of the exponents of g, T starts at the upper end of the interval $[a, b[$ while ....
[Article contains additional citation context not shown here]
J. M. Pollard. Monte Carlo methods for index computation (mod p). Mathematics of Computation, 32(143):918--924, 1978.
....p used in this protocol: The largest prime divisor q of $p - 1$ must be large. Pohlig and Hellman conjectured that their algorithm was the best possible. For the original problem they were proved wrong. However, in a sense (to be explained) they were correct (see section 3). John Pollard [27] gave another algorithm with approximately the same running time, but with a much smaller storage requirement. Unknown to them, a description of a much better method for calculating discrete logarithms had been given by the number theorists Western and Miller in 1968 [37]. This method was ....
....[11]. 3 Generic Methods. A number of the algorithms used for calculating discrete logarithms don't use any special properties of the elements of the group. These algorithms are the Baby Step Giant Step method of Shanks [33, page 419], the lambda and catching kangaroos method of Pollard [27], and the Pohlig-Hellman algorithm [26]. Shoup [34] calls a method of finding discrete logarithms generic if the only properties of the underlying group that it uses are the fact that elements may be multiplied, inverted, and that each element has a unique encoding as a bit string. This ....
John Pollard. Monte Carlo methods for index computation (mod p). Mathematics of Computation, 32:918--924, 1978.
....For example, in the key exchange protocol by Scheidler, Stein and Williams [SSW96] the regulator provides a measure for the key space; moreover, computation of the regulator is an instance of solving the discrete logarithm problem in real quadratic function fields. Pollard's lambda method [Pol78], also called the method of catching kangaroos, was originally developed to compute discrete logarithms in $\mathbb{Z}/p\mathbb{Z}$ and has been canonically generalized to solve the discrete logarithm problem in any finite abelian group. The key ingredient for the lambda method is that we know that the discrete ....
....[2 ANDREAS STEIN AND EDLYN TESKE] x is usually called the discrete logarithm, or index, of h to the base g. In the special case that h = 1, we call x the order of g. We want to compute x. Let us assume that we know integers a and b such that $a \le x \le b$. This is the setting for which Pollard [Pol78] has designed his lambda method: The idea is to define two kangaroos, a tame kangaroo T with starting point $t_0 = g^b$ and a wild kangaroo W with starting point $w_0 = h$. In terms of the exponents of g, T starts at the upper end of the interval $[a, b[$ while W starts at an unknown spot x. Let δ ....
[Article contains additional citation context not shown here]
J. M. Pollard, Monte Carlo methods for index computation (mod p), Mathematics of Computation 32 (1978), no. 143, 918--924.
....on random elliptic curves instead of specific curves as it used to be. 1 Introduction. It is well known that the discrete logarithm problem is hard on elliptic curves defined over finite fields $\mathbb{F}_q$. This is due to the fact that the only known attacks (baby steps giant steps [Sha71], Pollard ρ [Pol78] and Pohlig-Hellman [PH78] methods) are still exponential in log q. So, cryptosystems based on this problem can reach the same level of security as non-elliptic versions with slightly higher computation rates and much smaller keys [SOOS95, HMV93]. The remaining difficulty to design elliptic ....
J. M. Pollard. Monte Carlo methods for index computation (mod p). Math. Comp., 32(143):918--924, July 1978.
.... B, the third party recovers L divided by a factor d smaller than B. This missing information can be computed using an algorithm which finds the order of the $z_i$'s as follows. For any i, we know that the order of $y = z_i^{L'} \bmod n$ is less than B because $z_i^{L} = 1 \bmod n$. The method of Pollard [21] enables one to find this order in time $O(\sqrt B)$ with memory complexity $O(1)$. The idea is to choose a random-looking function f and to iteratively compute $y_{i+1} = y_i \times y^{f(y_i)} \bmod n$, with $y_0 = 1$, for $i = 1, \ldots, M$, where M is a fixed parameter. Then, just remembering this last value, we compute $y'_{i+1} = y'_i \times y^{f(y'_i)} \bmod n$, with $y'_0 = y^B$, until we find an index $M'$ such that $y_M = y'_{M'} \bmod n$ or until $M'$ exceeds a fixed bound. If a collision $y_M = y'_{M'} \bmod n$ is found (see [21] for a precise analysis) it leads to $y^{\,B + \sum_{i=0}^{M'-1} f(y'_i) - \sum_{i=0}^{M-1} f(y_i)} \equiv 1 \pmod n$, so $L' \times \Big(B + \sum_{i=0}^{M'-1} f(y'_i) - \sum_{i=0}^{M-1} f(y_i)\Big)$ is a multiple of the order of $z_i$ modulo n. Finally, in time $O(\sqrt B)$ and with ....
J. M. Pollard. Monte Carlo Methods for Index Computation (mod p). Mathematics of Computation, 32(143):918--924, July 1978.
....1.923] where $L[n, v, u] = \exp\big((u + o(1))\,\ln(n)^v\,(\ln(\ln(n)))^{1-v}\big)$. If p is small, e.g. p = 2, then the constant 1.923 can be replaced by 1.53. Alternatively, one can use one of several methods that take $O(\sqrt q)$ operations in $\langle g \rangle$, such as Pollard's Birthday Paradox based rho method (cf. [18]). This implies that the difficulty of the DL problem in $\langle g \rangle$ depends on the size of the minimal surrounding subfield of $\langle g \rangle$ and on the size of its prime order q. If $GF(p^t)$ itself is the minimal surrounding subfield of $\langle g \rangle$ and q is sufficiently large, then the DL problem in $\langle g \rangle$ is as hard ....
J.M. Pollard, Monte Carlo methods for index computation (mod p), Math. Comp., 32 (1978), 918-924.
....no special properties of the group are exploited, the best algorithms to determine x have (expected) running time $O(\sqrt n)$ where n = ord g. These algorithms are based on Shanks' baby step giant step method [Sha71], in which case they require $O(\sqrt n)$ elements to store, or on Pollard's rho method [Pol78]. Pollard's rho method has the advantage that it has negligible space requirements, and it can be parallelized with linear speedup [vOW99]. If we are given an interval $[a, b)$ such that x is known to lie in this interval, we have Pollard's lambda method [Pol78], whose running time is bounded by a multiple of $\sqrt{b - a}$ rather than of $\sqrt n$. In its variant employing distinguished points it can also be efficiently parallelized, and it is faster than the rho method if $b - a < 0.39\,n$. Notice that also the baby step giant step method can be applied in ....
J. M. Pollard, Monte Carlo methods for index computation (mod p), Mathematics of Computation 32 (1978), no. 143, 918--924.
....For example, in the key exchange protocol by Scheidler, Stein and Williams [SSW96] the regulator provides a measure for the key space; moreover, computation of the regulator is an instance of solving the discrete logarithm problem in real quadratic function fields. The Pollard kangaroo method [Pol78], also called the lambda method, was originally developed to compute discrete logarithms in $\mathbb{Z}/p\mathbb{Z}$ and has been canonically generalized to solve the discrete logarithm problem in any finite abelian group. The key ingredient for the kangaroo method is that we know that the discrete logarithm lies in a ....
....x such that $h = g^x$. This number x is usually called the discrete logarithm, or index, of h to the base g. In the special case that h = 1, we call x the order of g. We want to compute x. Let us assume that we know integers a and b such that $a \le x \le b$. This is the setting for which Pollard [Pol78] has designed his kangaroo method: The idea is to define two kangaroos, a tame kangaroo T with starting point $t_0 = g^b$ and a wild kangaroo W with starting point $w_0 = h$. In terms of the exponents of g, T starts at the upper end of the interval $[a, b[$ while W starts at an unknown spot x. Let 0 ....
[Article contains additional citation context not shown here]
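The tame/wild kangaroo setting described in the Stein and Teske snippets above (tame kangaroo starts at $g^b$, wild kangaroo at h, both hop forward by amounts determined by the current group element, the tame endpoint is the trap), as an added example that is not code from those papers or from Pollard's. Nothing in it uses the order of g, which is the point made in the earlier factoring snippet (rho needs the order of w, the kangaroo does not); setting h = 1 therefore makes x the order of g, the "special case" mentioned above, and is the same tame/wild idea as the order-finding sketch with $y_0 = 1$ and $y'_0 = y^B$. The jump set $2^0, \ldots, 2^{k-1}$ with mean about $\sqrt{b - a}/2$, the number of tame hops ($4\sqrt{b - a}$), the multiplicative hash that picks a jump from the element, and the toy group (safe prime p = 10007, g = 4 of order 5003) are constructed assumptions of the example, not parameters from the page:

```python
# Added example (not from any of the cited papers): Pollard's lambda/kangaroo
# method for x in a known interval [a, b] with g^x == h (mod p).  The group
# order is never used, so the same call finds ord(g) by setting h = 1.
import math


def kangaroo_dlog(g, h, p, a, b, max_tries=25):
    """Return (x, hops) with g^x == h (mod p) and a <= x <= b, or raise."""
    h %= p
    w = b - a
    # Jump set 2^0 .. 2^(k-1); k is chosen so the mean jump is about sqrt(w)/2
    # (an assumption of this example, one common choice for the jump set).
    k = 1
    while (2 ** (k + 1) - 1) / (k + 1) <= math.isqrt(w) / 2:
        k += 1
    jumps = [2 ** j for j in range(k)]
    powers = [pow(g, s, p) for s in jumps]   # g^(jump size), precomputed
    n_tame = 4 * math.isqrt(w) + 1           # tame hops before the trap is set

    for salt in range(1, max_tries + 1):
        def idx(y):
            # Deterministic choice of jump from the element itself; the salt
            # changes the walk if a try fails (hypothetical hash, not Pollard's).
            return (y * 2654435761 + salt) % k

        # Tame kangaroo: starts at g^b (top of the interval), records distance.
        y_t, d_t = pow(g, b, p), 0
        for _ in range(n_tame):
            j = idx(y_t)
            y_t, d_t = (y_t * powers[j]) % p, d_t + jumps[j]
        trap = y_t

        # Wild kangaroo: starts at h = g^x and hops until it lands in the trap.
        # Once it lands on any point of the tame path it makes the same hops,
        # so it must reach the trap unless it overshoots b + d_t.
        y_w, d_w, hops = h, 0, 0
        while d_w <= w + d_t:
            if y_w == trap:
                x = b + d_t - d_w            # g^(x + d_w) == g^(b + d_t)
                if a <= x <= b and pow(g, x, p) == h:
                    return x, n_tame + hops
                break                        # collision only modulo ord(g); retry
            j = idx(y_w)
            y_w, d_w, hops = (y_w * powers[j]) % p, d_w + jumps[j], hops + 1
    raise ValueError("wild kangaroo never hit the trap; change the jump set")


if __name__ == "__main__":
    P, G = 10007, 4          # constructed toy: safe prime, g = 4 has order 5003
    x, hops = kangaroo_dlog(G, pow(G, 2345, P), P, 1000, 3000)
    print("x =", x, "after", hops, "hops; 2*sqrt(w) is", 2 * math.isqrt(2000))
    order, hops = kangaroo_dlog(G, 1, P, 4000, 6000)   # h = 1: x is ord(g)
    print("ord(g) =", order, "after", hops, "hops")
```

The verification `pow(g, x, p) == h` matters: in a small group the tame kangaroo can wrap past the group order, so an element-level collision may correspond to an exponent relation that holds only modulo ord(g); the check rejects that and the next salt produces a different walk. With more tame hops the trap is set further out, which costs tame hops but gives the wild kangaroo more room to coalesce; $2\sqrt{b - a}$ total hops is the expected cost quoted in the Teske snippet, and the numbers printed here are of that order.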
J. M. Pollard. Monte Carlo methods for index computation (mod p). Mathematics of Computation, 32(143):918-924, 1978.
....[1] and [7], where s is the smallest divisor of t such that $\langle g \rangle$ is contained in a subfield of $GF(p^t)$ isomorphic to $GF(p^s)$. If p = 2 then the constant 1.923 can be replaced by 1.587, see [3]. Alternatively one can use Birthday Paradox (BP) based algorithms (e.g. Pollard's rho algorithm [13]) that have expected running times exponential in the size of q. More precisely, the Discrete Logarithm problem can be solved in expected $O(\sqrt q)$ elementary operations in $GF(p^t)$. This leads us to the conclusion from [7] that, w.r.t. attacks known today, if the minimal ....
J.M. Pollard, Monte Carlo methods for index computation (mod p), Mathematics of Computation, 32, (1978), pp. 918-924.
.... in an efficient zero knowledge proof by the puzzle maker [2]. However, unlike the non-parallelizable property for finding the $P_a(t)$ that we have discussed above, the problem of extraction of a discrete logarithm can be parallelized (e.g. using the parallelized Pollard's kangaroo algorithm [3] due to Van Oorschot and Wiener [6]). Therefore Mao's time lock puzzle scheme suffers from a parallelization attack. In this paper we will construct an efficient interactive protocol for proof of membership regarding the language $L_n \stackrel{\mathrm{def}}{=} \{\, a^{2^t} \pmod n \mid \gcd(a, n) = 1,\ t \le n \,\}$. This is the ....
Pollard, J.M. Monte Carlo methods for index computation (mod p), Math. Comp., Vol. 32, No. 143 (1978), pages 918--924.
....necessary conditions for the class number h of such orders: h must be large, i.e. the regulator R should be small. This condition prevents the success of the following algorithms for determining the class number or discrete logarithms: the exhaustive search method, Pollard's Rho method ([Pol78]), Shanks' Baby Step Giant Step algorithm ([Coh95]) including all variants (e.g. [BJT96]), the Hafner-McCurley algorithm ([McC89, HM89]) and the index calculus algorithms (e.g. COS ([COS86]) or NFS ([Web96])). From the Brauer-Siegel Theorem (see [Lan94]) we know that for sufficiently large ....
J.M. Pollard. Monte Carlo methods for index computation (mod p). Math. Comp., 32:918--924, 1978.
....105 sec. [Table 1: Original Shanks and its Refinement (BJT)] 2.4 Pollard's Probabilistic Algorithms. The advantage of Pollard's algorithms is the use of constant space while preserving an expected running time of $O(\sqrt n)$. In their original version, these algorithms have been proposed for GF(p) [20]. The main idea here for computing x is to produce iteratively a sequence of elements $(d_i)_{i \ge 1}$, $d_i \in G$, where all the $d_i$'s are of the form $a^k b^l$. So $(d_i)$ will become periodic after at most n iterations. For a sequence producing group elements at random, this can be expected to ....
J. M. Pollard. Monte Carlo methods for index computation (mod p). Math. Comp., 32:918--924, 1978.
....to be reducible to the problem of computing discrete logarithms in the fields $GF(p^{m_i})$ separately. Finally, we mention that the ability to compute quantities generalizing discrete logarithms in rings of integers modulo composite integers would lead to efficient integer factorization algorithms [5, 40, 45, 52]. 3. Some special algorithms. In this section we discuss briefly some algorithms that apparently don't work very well and then we discuss a very useful algorithm that works well only when all the prime divisors of $q - 1$ are of moderate size. The first method we discuss was not designed as an ....
....is another polynomial time discrete logarithm method [41]. Therefore great care has to be taken in selecting the fields GF(q) for use in cryptography. This question will be discussed further in Section 8. We conclude this section by mentioning two interesting randomized algorithms due to Pollard [52]. One of them computes discrete logarithms in fields GF(q) in time roughly $q^{1/2}$. The other algorithm finds the discrete logarithm of an element in time roughly $w^{1/2}$, if that logarithm is known to lie in an interval of size w. 4. A subexponential discrete logarithm method. This section ....
[Article contains additional citation context not shown here]
J. Pollard, Monte Carlo methods for index computation (mod p), Math. Comp. 32 (1978), 918-924.
....d is publicly known. The cryptosystem can be broken by solving the elliptic curve discrete log problem (ECDLP), that is, calculating d knowing only P, Q and G. With n prime (which gives the best security) the best known method of solving the ECDLP is the parallelisation of the Pollard rho method [8] by van Oorschot and Wiener [11]. In the Pollard rho method the subgroup G is partitioned into 3 subsets $S_1$, $S_2$ and $S_3$ of roughly equal size. Two numbers $a_0$ and $b_0$ are randomly generated such that $1 \le a_0, b_0 \le n - 1$. Starting with $X_0 = a_0 P + b_0 Q$, a sequence $X_i$ is calculated using ....
....[Table 3: The percentage of ECDLP instances completed in less than the given multiple of the expected number of iterations] [Table 2: Average number of iterations to solve the ECDLP with different iteration functions in various circumstances] The iteration function suggested by Pollard [8] had three iterators, namely add P, add Q or double the current X. We compare this iteration function against other functions with different iterators. We label an iterator AB if it is of the form add a.P + b.Q, A if it is of the form add a.P, and D if it is double the current X. Numbers are ....
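The walk just described (partition the group into three classes; add P, add Q or double according to the class of the current point; wait for a collision), which is the same walk in multiplicative form in the earlier snippet on random walks over $\langle g \rangle$ (elements $g^e h^d$, a collision gives $\log_g h = (e - e')/(d' - d)$), as an added example that is not code from any of the citing papers or from Pollard's. It is written for a prime-order subgroup of $\mathbb{Z}_p^*$ rather than an elliptic curve, so "add P / add Q / double" become "multiply by g / multiply by h / square". The partition by $y \bmod 3$, Floyd's cycle finding to detect the collision, the toy safe prime p = 10007 with g = 4 of order 5003 and the secret exponent are constructed assumptions of the example:

```python
# Added example (not from any of the cited papers): Pollard's rho for the DLP
# in a prime-order subgroup of Z_p^*, using the three-way partition walk
# (multiply by g / multiply by h / square) and Floyd cycle finding.
import random


def rho_dlog(g, h, p, n, seed=0, max_restarts=50):
    """Return (x, ops) with g^x == h (mod p), where g has prime order n in Z_p^*.

    Every walk element is carried as g^a * h^b with (a, b) known, so a collision
    g^a h^b == g^a' h^b' gives x = (a - a') / (b' - b) mod n.  n must be prime
    (the inverse needs it) and h must lie in the subgroup generated by g.
    """
    rng = random.Random(seed)
    h %= p

    def step(y, a, b):
        # Pollard's original partition: the class of y mod 3 picks the iterator.
        r = y % 3
        if r == 0:                                      # "add P": multiply by g
            return (y * g) % p, (a + 1) % n, b
        if r == 1:                                      # "add Q": multiply by h
            return (y * h) % p, a, (b + 1) % n
        return (y * y) % p, (2 * a) % n, (2 * b) % n    # "double": square

    for _ in range(max_restarts):
        a0, b0 = rng.randrange(n), rng.randrange(n)
        start = ((pow(g, a0, p) * pow(h, b0, p)) % p, a0, b0)
        tortoise, hare, ops = start, start, 0
        while True:                 # Floyd: tortoise moves 1 step, hare moves 2
            tortoise = step(*tortoise)
            hare = step(*step(*hare))
            ops += 3
            if tortoise[0] == hare[0]:
                break
        _, a1, b1 = tortoise
        _, a2, b2 = hare
        d = (b2 - b1) % n
        if d == 0:                  # g^a1 == g^a2 with equal h-exponent: restart
            continue
        x = ((a1 - a2) * pow(d, -1, n)) % n
        if pow(g, x, p) == h:
            return x, ops
    raise ValueError("no usable collision found")


if __name__ == "__main__":
    # Constructed toy parameters: p = 10007 = 2*5003 + 1 is a safe prime, so
    # g = 4 (a square mod p) has prime order n = 5003.  Secret exponent 1234.
    P, N, G = 10007, 5003, 4
    x, ops = rho_dlog(G, pow(G, 1234, P), P, N)
    expected = (3.141592653589793 * N / 2) ** 0.5
    print(f"x = {x}, {ops} group operations (sqrt(pi*n/2) is about {expected:.0f})")
```

Two caveats a practitioner would want: the snippet from Teske later on this page reports that Pollard's three-class partition performs worse than a random mapping, so a real implementation uses more classes (an r-adding walk) and, for parallel runs, the distinguished-point variant of van Oorschot and Wiener mentioned in several snippets above rather than Floyd's tortoise and hare; and the `d == 0` restart is not optional, since a walk that reaches the collision with equal h-exponents gives no information about x.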
J.M. Pollard. Monte Carlo methods for index computation (mod p). Mathematics of Computation, vol. 32 (no. 143): pp. 918-924, July 1978.
No context found.
J. M. Pollard. Monte Carlo methods for index computation (mod p). Mathematics of Computation, 32(143):918--924, 1978.
....discrete logarithms by generic algorithms (probabilistic or deterministic) in groups of prime order. The time needed to solve the DLP with a non-negligible probability is cx group operations for some constant c. The best algorithm known for solving the general DLP is Pollard's rho algorithm [8]. It does not only match Shoup's lower bound, but also needs very little memory and is parallelizable with a linear speed-up (see [6]). For many groups of cryptographic interest, such [S. Vaudenay and A. Youssef (Eds.), SAC 2001, LNCS 2259, pp. 212-229, 2001. Springer-Verlag Berlin Heidelberg] ....
J.M. Pollard, Monte Carlo Methods for Index Computation (mod p), Mathematics of Computation, Vol. 32, No. 143, pp. 918--924, July 1978.
....(cf. [MvOV96]). While for solving the DLP in $(\mathbb{Z}/p\mathbb{Z})^*$ there exists the index calculus method, which is a subexponential time algorithm, for the elliptic curve DLP the best algorithms currently known have exponential run time. Among these algorithms we find algorithms based on Pollard's rho method [Pol78]. They take expected time $O(\sqrt{n})$ group operations to compute $\log_g h$, where $n$ denotes the order of $g$. Their space requirements are negligible, and van Oorschot and Wiener [vOW99] showed that they can be efficiently parallelized, which makes the rho method the most powerful method to attack the ....
....are uniquely represented, and that we have an algorithm to perform the group operation. In Section 2, we give the basic facts and definitions needed throughout the paper, and we describe the set-up for our experiments. Then, in Section 3, we study the function originally suggested by Pollard [Pol78] for discrete logarithm computation in $(\mathbb{Z}/p\mathbb{Z})^*$ ($p$ prime), where we observe that its average performance is worse than expected for a random mapping. We also study the obvious generalization of Pollard's function for arbitrary groups (of prime order), for which we get that its average performance ....
J. M. Pollard, Monte Carlo methods for index computation (mod p), Mathematics of Computation 32 (1978), no. 143, 918--924. MR 58:10684
....any pair $(y_i, y_j)$ with $y_i = y_j$ and $i \neq j$ a match. If the function $f$, which we refer to as the iterating function, is a random function in the sense that each of the $|G|^{|G|}$ functions $f : G \to G$ is equally probable, the expected value is close to $\sqrt{\pi |G| / 2} \approx 1.253\sqrt{|G|}$. Pollard [12] showed how this theory can be applied to solve the DLP in expected run time $O(\sqrt{|G|})$ multiplications in $G$. Pollard's algorithm [12] is generic in the sense that it can be applied to any group for which the following is satisfied: (i) given any two group elements $g$ and $h$ we can compute the product $g \cdot h$; (ii) given any two group elements $g$ and $h$ we can check whether $g = h$. Key words and phrases: Pollard's rho method, discrete ....
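Worked example, added here and not code from Pollard's paper or from any of the citing papers excerpted on this page: a generic Pollard rho solver in Python that touches the group only through a multiplication callable and element equality (the two requirements listed in the excerpt above) and carries the exponents $(a, b)$ with $X = g^a h^b$ alongside the walk, as in the ECDLP description for [8] (there written additively as $X_0 = a_0 P + b_0 Q$). It implements Pollard's original three-subset iteration and, for comparison, an $r$-adding walk of the "add $aP + bQ$" kind from the iteration-function comparison above, and reports measured Floyd iteration counts next to the random-mapping estimate $\sqrt{\pi|G|/2} \approx 1.253\sqrt{|G|}$. The demo group (the order-$q$ subgroup of $\mathbb{Z}_p^*$ for a safe prime $p = 2q+1$), the safe-prime search, the generator $g = 4$, the 20 multipliers and the trial counts are my assumptions for the demo, not anything the excerpts specify.

```python
"""Pollard's rho for the DLP in a generic cyclic group of prime order n.
Added example, not code from any paper cited on this page. The group enters
only through mul(u, v) and element equality; the exponents (a, b) of the
current element X = g^a * h^b are carried alongside the walk."""
import math
import random

def is_prime(n):
    """Trial division; adequate for the demo's ~10^6-sized parameters."""
    return n >= 2 and all(n % f for f in range(2, int(n ** 0.5) + 1))

def safe_prime_above(q0):
    """Smallest (p, q) with q >= q0, q prime and p = 2q + 1 prime (demo assumption)."""
    q = q0
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1, q

def power(mul, base, e):
    """Square-and-multiply for e >= 1 using only the group law mul()."""
    result = None
    while e:
        if e & 1:
            result = base if result is None else mul(result, base)
        base = mul(base, base)
        e >>= 1
    return result

def pollard_walk(mul, g, h, n, partition):
    """Pollard's original iteration: the group is split into three subsets by
    partition(x) mod 3; multiply by h on S1, square on S2, multiply by g on S3."""
    def step(x, a, b):
        s = partition(x) % 3
        if s == 0:
            return mul(x, h), a, (b + 1) % n
        if s == 1:
            return mul(x, x), (2 * a) % n, (2 * b) % n
        return mul(x, g), (a + 1) % n, b
    return step

def adding_walk(mul, g, h, n, partition, r, rng):
    """r-adding walk ('add aP + bQ' iterators): on subset j multiply by a fixed
    M_j = g^m_j * h^k_j drawn once at random; the exponents add (m_j, k_j)."""
    exps = [(rng.randrange(1, n), rng.randrange(1, n)) for _ in range(r)]
    mults = [mul(power(mul, g, m), power(mul, h, k)) for m, k in exps]
    def step(x, a, b):
        j = partition(x) % r
        return mul(x, mults[j]), (a + exps[j][0]) % n, (b + exps[j][1]) % n
    return step

def pollard_rho(mul, g, h, n, step, rng=None, max_restarts=64):
    """Return (x, floyd_iterations) with g^x = h. Floyd's x_i == x_2i test needs
    constant memory; a collision with equal exponents carries no information,
    so the walk restarts from a fresh random X0 = g^a0 * h^b0."""
    rng = rng or random.Random(0)
    for _ in range(max_restarts):
        a, b = rng.randrange(1, n), rng.randrange(1, n)
        x = mul(power(mul, g, a), power(mul, h, b))
        y, c, d, iterations = x, a, b, 0
        while True:
            x, a, b = step(x, a, b)              # tortoise: one step
            y, c, d = step(*step(y, c, d))       # hare: two steps
            iterations += 1
            if x == y:
                break
        # g^a h^b = g^c h^d  =>  g^(a-c) = h^(d-b) = g^(x(d-b)); with n prime,
        # d - b is invertible mod n unless the collision is the trivial one.
        if (d - b) % n == 0:
            continue
        return (a - c) * pow(d - b, -1, n) % n, iterations
    raise RuntimeError("no informative collision after %d restarts" % max_restarts)

def demo(q0=500_000, seed=1, trials=20):
    """Solve g^x = h in the order-q subgroup of Z_p^* (p = 2q + 1) with both walks.
    Returns (p, q, x, avg_pollard, avg_adding, estimate), where
    estimate = sqrt(pi*q/2) ~ 1.253*sqrt(q) is the random-mapping prediction."""
    p, q = safe_prime_above(q0)
    g = 4                                    # a square != 1 in Z_p^*, hence of order q
    mul = lambda u, v: u * v % p
    partition = lambda u: u                  # subsets = residue classes of the representative
    secret = random.Random(seed).randrange(1, q)
    h = pow(g, secret, p)                    # constructed instance; rho must recover `secret`
    sums = [0, 0]
    for t in range(trials):
        trial_rng = random.Random(seed + t)
        walks = [pollard_walk(mul, g, h, q, partition),
                 adding_walk(mul, g, h, q, partition, 20, trial_rng)]
        for i, step in enumerate(walks):
            x, its = pollard_rho(mul, g, h, q, step, trial_rng)
            assert x == secret, "rho returned a wrong logarithm"
            sums[i] += its
    return p, q, secret, sums[0] / trials, sums[1] / trials, math.sqrt(math.pi * q / 2)

if __name__ == "__main__":
    p, q, x, avg_p, avg_a, est = demo()
    print("p = %d, q = %d, recovered log = %d" % (p, q, x))
    print("Floyd iterations: Pollard walk %.0f, 20-adding walk %.0f, 1.253*sqrt(q) = %.0f"
          % (avg_p, avg_a, est))
```

Swapping an elliptic-curve point addition in for `mul` (and hashing a coordinate in place of the integer residue for `partition`) turns the same routine into the ECDLP attack described for [8]; only the demo parameters rely on the group being $\mathbb{Z}_p^*$. The iteration counts printed are Floyd meeting indices, which are bounded by the rho length the $1.253\sqrt{|G|}$ estimate refers to, so they give a direct feel for how far each walk is from random-mapping behaviour.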
J. M. Pollard. Monte Carlo methods for index computation (mod p). Mathematics of Computation, 32(143):918--924, 1978.
J.M. Pollard, Monte Carlo Methods for Index Computation (mod p), Mathematics of Computation, vol. 32, no. 143 (July 1978), pp. 918--924.
J. M. Pollard. Monte Carlo methods for index computation (mod p). Mathematics of Computation, 32:918--924, 1978.
J. Pollard. Monte Carlo methods for index computation (mod p). Math. Comp., 32, 918--924, 1978.
J. M. Pollard, Monte Carlo Methods for Index Computation (mod p), Math. Comp. 32, 918--924, 1978.
J. M. Pollard, Monte Carlo Methods for Index Computation (mod p), Math. Comp. 32, 918--924, 1978.
J. M. Pollard. Monte Carlo methods for index computation (mod p). Math. Comp., 32:918--924, 1978.
John M. Pollard. Monte Carlo methods for index computation (mod p). Math. Comp., 32(143):918--924, 1978.
Pollard, J.M. Monte Carlo methods for index computation (mod p), Math. Comp., Vol. 32, No. 143 (1978), pages 918--924.
J. M. Pollard. Monte Carlo methods for index computation (mod p). Math. Comp., 32(143):918--924, 1978.
J. Pollard. Monte Carlo methods for index computation (mod p). Mathematics of Computation, vol. 32, pp. 918--924, 1978.
J.M. Pollard. Monte Carlo methods for index computation (mod p), Math. Comp., Vol. 32, No. 143 (1978), pages 918--924.
J. M. Pollard. Monte Carlo methods for index computation (mod p). Mathematics of Computation, 32:918--924, 1978.
J.M. Pollard, "Monte Carlo Methods for Index Computation (mod p)." Mathematics of Computation, 32(143):918--924, 1978.