Collision of Random Walks and a Refined Analysis of Attacks on the Discrete Logarithm Problem

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9020)


Some of the most efficient algorithms for finding the discrete logarithm involve pseudo-random implementations of Markov chains, with one or more “walks” proceeding until a collision occurs, i.e. some state is visited a second time. In this paper we develop a method for determining the expected time until the first collision. We use our technique to examine three methods for solving discrete-logarithm problems: Pollard’s Kangaroo, Pollard’s Rho, and a few versions of Gaudry-Schost. For the Kangaroo method we prove new and fairly precise matching upper and lower bounds. For the Rho method we prove the first rigorous non-trivial lower bound, and under a mild assumption show matching upper and lower bounds. Our Gaudry-Schost results are heuristic, but improve on the prior limited understanding of this method. We also give results for parallel versions of these algorithms.


Keywords: Discrete Logarithm; Collision Time; Step Type; Discrete Logarithm Problem; Potential Collision
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  1. Graduate School of Information Science and Electrical Engineering, Kyushu University, Fukuoka, Japan
  2. Department of Mathematical Sciences, University of Massachusetts Lowell, Lowell, USA
