Designs, Codes and Cryptography

, Volume 67, Issue 2, pp 197–208 | Cite as

Speeding up elliptic curve discrete logarithm computations with point halving

  • Fangguo ZhangEmail author
  • Ping Wang


Pollard rho method and its parallelized variants are at present known as the best generic algorithms for computing elliptic curve discrete logarithms. We propose new iteration function for the rho method by exploiting the fact that point halving is more efficient than point addition for elliptic curves over binary fields. We present a careful analysis of the alternative rho method with new iteration function. Compared to the previous r-adding walk, generally the new method can achieve a significant speedup for computing elliptic curve discrete logarithms over binary fields. For instance, for certain NIST-recommended curves over binary fields, the new method is about 12–17% faster than the previous best methods.


Pollard rho method Elliptic curve discrete logarithm Point halving Random walk 

Mathematics Subject Classification (2000)

11T71 11G20 14Q20 68Q25 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. ANSI X9.62-199x: Public key cryptography for the financial services industry: the elliptic curve digital signature algorithm (ECDSA), January 13, (1998).Google Scholar
  2. ANSI X9.63-199x: Public key cryptography for the financial services industry: elliptic curve key agreement and transport protocols, October 5, (1997).Google Scholar
  3. Avanzi R., Cohen H., Doche C., Frey G., Lange T., Nguyen K., Vercauteren F.: Handbook of elliptic and hyperelliptic curve cryptography. CRC Press, Boca Raton (2005)Google Scholar
  4. Bai S., Brent R.P.: On the efficiency of Pollard’s rho method for discrete logarithms. In: Harland J., Manyem P. (eds.) CATS 2008, pp. 125–131. Australian Computer Society, Wollongong (2008).Google Scholar
  5. Bailey D.V., Baldwin B., Batina L., Bernstein D.J., Birkner P., Bos J.W., Damme G.V., Meulenaer G., Fan J., Güneysu T., Gurkaynak F., Kleinjung T., Lange T., Mentens N., Paar C., Regazzoni F., Schwabe P., Uhsadel L.: The certicom challenges ECC2-X. Cryptology ePrint Archive, Report 2009/466, (2009).Google Scholar
  6. Bailey D.V., Batina L., Bernstein D.J., Birkner P., Bos J.W., Chen H., Cheng C., Damme G.V., Meulenaer G., Perez L.J.D., Fan J., Guneysu T., Gurkaynak F., Kleinjung T., Lange T., Mentens N., Niederhagen R., Paar C., Regazzoni F., Schwabe P., Uhsadel L., Herrewege A.V., Yang B.: “Breaking ECC2K-130”, Cryptology ePrint Archive, Report 2009/541, (2009).Google Scholar
  7. Bernstein D.J.: “Batch binary Edwards”, In Crypto 2009, LNCS, vol. 5677, pp. 317–336. Springer, Berlin (2009).Google Scholar
  8. Bernstein D.J., Lange T., Schwabe P.: On the correct use of the negation map in the Pollard rho method. In: Catalano D., Fazio N., Gennaro R., Nicolosi A. (eds.) PKC 2011, LNCS, vol. 6571. Springer, Heidelberg (2011).Google Scholar
  9. Bessalov A.V.: A method of solution of the problem of taking the discrete logarithm on an elliptic curve by division of points by two. Cybern. Syst. Anal. 37(6), 820–823 (2001)MathSciNetzbMATHCrossRefGoogle Scholar
  10. Bos J.W., Kleinjung T., Lenstra A.K.: On the use of the negation map in the Pollard Rho method. In: Hanrot G., Morain F., Thomé E. (eds.) ANTS IX, LNCS, vol. 6197, pp. 66–82. Springer, Heidelberg (2010).Google Scholar
  11. Brent R.P., Pollard J.M.: Factorization of the eighth Fermat number. Math. Comput. 36, 627–630 (1981)MathSciNetzbMATHCrossRefGoogle Scholar
  12. Cohen H.: A course in computational algebraic number theory. Graduate texts in mathematics, vol. 138. Springer-Verlag, Berlin (1993)Google Scholar
  13. Diffie W., Hellman M.: New directions in cryptography. IEEE Trans. Inform. Theory. 22, 644–654 (1976)MathSciNetzbMATHCrossRefGoogle Scholar
  14. FIPS 186-2: Digital signature standard. Federal information processing standards publication 186-2, February (2000).Google Scholar
  15. Fong K., Hankerson D., Lopez J., Menezes A.: Field inversion and point halving revisited. IEEE Trans. Comput. 53(8), 1047–1059 (2004)CrossRefGoogle Scholar
  16. Gallant R., Lambert R., Vanstone S.: Improving the parallelized Pollard lambda search on binary anomalous curves. Math. Comput. 69, 1699–1705 (1999)MathSciNetCrossRefGoogle Scholar
  17. Harley R.: Elliptic curve discrete logarithms project, Avaliable from
  18. Harris B.: Probability distribution related to random mappings. Ann. Math. Stat. 31, 1045–1062 (1960)zbMATHCrossRefGoogle Scholar
  19. Knudsen E.: Elliptic scalar multiplication using point halving. Advances in Cryptology-ASIACRYPT’99, Lecture Notes in Computer Science 1716, 135–149 (1999).Google Scholar
  20. Koblitz N.: Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1987)MathSciNetzbMATHCrossRefGoogle Scholar
  21. Miller V.: Use of elliptic curves in cryptography. Advances in cryptology: proceedings of Crypto’85, LNCS 218, pp. 417–426. Springer-Verlag, New York (1986).Google Scholar
  22. Montgomery P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48, 243–264 (1987)zbMATHCrossRefGoogle Scholar
  23. National Institute for Standards and Technology: Digital signature standard. Federal information processing standard, U.S. Department of Commerce, FIPS PUB 186, Washington, DC (1994).Google Scholar
  24. Pollard J.M.: A Monte Carlo method for factorization. BIT 15(3), 331–335 (1975)MathSciNetzbMATHCrossRefGoogle Scholar
  25. Pollard J.M.: Monte Carlo methods for index computation mod p. Math. Comp. 32, 918–924 (1978)MathSciNetzbMATHGoogle Scholar
  26. Sattler J., Schnorr C.P.: Generating random walks in groups. Ann. Univ. Sci. Budapest. Sect. Comput. 6, 65–79 (1985)MathSciNetzbMATHGoogle Scholar
  27. Schnorr C.P., Lenstra H.W.: A Monte Carlo factoring algorithm with linear storage. Math. Comp. 43(167), 289–311 (1984)MathSciNetzbMATHCrossRefGoogle Scholar
  28. Schroeppel R.: Elliptic curve point halving wins big. 2nd midwest arithmetical geometry in cryptography workshop, Urbana (2000).Google Scholar
  29. Schroeppel R.: Elliptic curve point ambiguity resolution apparatus and method. International Application Number PCT/US00/31014, filed 9 November 2000, publication number WO 01/35573 A1, 17 May (2001).Google Scholar
  30. Teske E.: Speeding up Pollard’s rho method for computing discrete logarithms. In: Algorithmic Number Theory Symposium (ANTS IV), LNCS 1423, pp. 541–553. Springer-Verlag, Berlin (1998).Google Scholar
  31. Teske E.: On random walks for Pollard’s rho method. Math. Comput. 70(234), 809–825 (2001)MathSciNetzbMATHGoogle Scholar
  32. van Oorschot P., Wiener M.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12, 1–28 (1999)zbMATHCrossRefGoogle Scholar
  33. Wiener M., Zuccherato R.: Faster attacks on elliptic curve cryptosystems. Selected areas in cryptography’98, LNCS 1556, pp. 190–200, Springer-Verlag, Berlin (1998).Google Scholar

Copyright information

© Springer Science+Business Media, LLC 2011

Authors and Affiliations

  1. 1.School of Information Science and TechnologySun Yat-sen UniversityGuangzhouChina

Personalised recommendations