Baby Step Giant Step Algorith for Computing Discrete Logs Elliptic Curve

The negation map can be used to speed up the computation of elliptic curve detached logarithms using either the babe-pace giant-step algorithm (BSGS) or Pollard rho. Montgomery's simultaneous modular inversion can also be used to speed upward Pollard rho when running many walks in parallel. Nosotros generalize these ideas and exploit the fact that for any two elliptic curve points X and Y, nosotros tin efficiently get 10-Y when nosotros compute 10+Y. Nosotros utilise these ideas to speed up the baby-stride giant-step algorithm. Compared to the previous methods, the new methods tin achieve a meaning speedup for computing elliptic curve detached logarithms in small groups or small intervals.

Another contribution of our paper is to requite an analysis of the average-case running time of Bernstein and Lange's "grumpy giants and a infant" algorithm, and as well to consider this algorithm in the case of groups with efficient inversion.

Our conclusion is that, in the fully-optimised context, both the interleaved BSGS and grumpy-giants algorithms take superior average-example running time compared with Pollard rho. Furthermore, for the discrete logarithm trouble in an interval, the interleaved BSGS algorithm is considerably faster than the Pollard kangaroo or Gaudry-Schost methods.

Mathematics Subject Classification: Main: 11Y16; Secondary: 11T71.

Citation: Steven D. Galbraith, Ping Wang, Fangguo Zhang. Calculating elliptic bend discrete logarithms with improved baby-stride behemothic-step algorithm. Advances in Mathematics of Communications, 2017, eleven (3) : 453-469. doi: 10.3934/amc.2017038

References:

[1]	D. J. Bernstein and T. Lange, Calculating pocket-sized discrete logarithms faster, in INDOCRYPT 2012 (eds. S. D. Galbraith et al), Springer, 2012,317–338. doi: ten.1007/978-iii-642-34931-7_19.  Google Scholar
[2]	D. J. Bernstein and T. Lange, Two grumpy giants and a baby, in Proc. tenth Algor. Number Theory Symp. (eds. Due east. W. Howe et al), 2013, 87–111. doi: x.2140/obs.2013.1.87.  Google Scholar
[iii]	D. J. Bernstein, T. Lange and P. Schwabe, On the correct use of the negation map in the Pollard rho method, in PKC 2011 (eds. D. Catalano et al), Springer, 2011,128–146. doi: 10.1007/978-3-642-19379-8_8.  Google Scholar
[4]	D. Boneh, East. Goh and K. Nissim, Evaluating two-DNF formulas on ciphertexts in Theory of Cryptography-TCC 2005 (ed. J. Kilian), Springer, 2005,325-341. doi: 10.1007/978-3-540-30576-7_18.  Google Scholar
[5]	M. Chateauneuf, A. C. H. Ling and D. R. Stinson, Slope packings and coverings, and generic algorithms for the detached logarithm problem, J. Combin. Des., 11 (2003), 36-l.  doi: 10.1002/jcd.10033.  Google Scholar
[6]	K. Fong, D. Hankerson, J. Lopez and A. Menezes, Field inversion and point halving revisited, IEEE Trans. Comp., 53 (2004), 1047-1059.   Google Scholar
[7]	Southward. D. Galbraith, J. G. Pollard and R. S. Ruprai, Computing discrete logarithms in an interval}, Math. Comp., 82 (2013), 1181-1195.  doi: ten.1090/S0025-5718-2012-02641-Ten.  Google Scholar
[8]	South. D. Galbraith and R. Due south. Ruprai, Using equivalence classes to speed up the discrete logarithm trouble in a short interval, in PKC 2010 (eds. P. Nguyen et al), Springer, 2010,368–383. doi: 10.1007/978-3-642-13013-7_22.  Google Scholar
[nine]	R. Gallant, R. Lambert and South. Vanstone, Improving the parallelized Pollard lambda search on binary dissonant curves, Math. Comp., 69 (1999), 1699-1705.  doi: 10.1090/S0025-5718-99-01119-nine.  Google Scholar
[ten]	P. Gaudry and E. Schost, A low-memory parallel version of Matsuo, Chao and Tsujii'south algorithm, in ANTS Ⅵ (ed. D. A. Buell), Springer, 2004,208–222. doi: 10.1007/978-3-540-24847-7_15.  Google Scholar
[xi]	R. Granger, D. Page and M. Stam, On small characteristic algebraic tori in pairing-based cryptography, LMS J. Comp. Math., 9 (2006), 64-85.  doi: 10.1112/S1461157000001194.  Google Scholar
[12]	R. Henry, K. Henry and I. Goldberg, Making a nymbler Nymble using VERBS, in PETS 2010 (eds. Thou. J. Atallah), Springer, 2010,111–129. Google Scholar
[13]	Northward. Koblitz, Elliptic curve cryptosystems, Math. Comp., 48 (1987), 203-209.  doi: ten.2307/2007884.  Google Scholar
[xiv]	V. Miller, Use of elliptic curves in cryptography, in Crypto '85 (ed. H. C. Williams), Springer, 1986,417–426. doi: 10.1007/3-540-39799-X_31.  Google Scholar
[fifteen]	P. L. Montgomery, Speeding the Pollard and elliptic curve methods of factorization, Math. Comp., 48 (1987), 243-264.  doi: 10.2307/2007888.  Google Scholar
[16]	V. I. Nechaev, Complexity of a determinate algorithm for the discrete logarithm, Math. Notes, 55 (1994), 165-172.  doi: ten.1007/BF02113297.  Google Scholar
[17]	J. M. Pollard, Monte Carlo methods for index computation (mod p), Math. Comp., 32 (1978), 918-924.  doi: 10.2307/2006496.  Google Scholar
[eighteen]	J. Pollard, Kangaroos, Monopoly and discrete logarithms, J. Crypt., 13 (2000), 437-447.  doi: ten.1007/s001450010010.  Google Scholar
[19]	D. Shanks, Five number-theoretic algorithms, in Proc. 2nd Manitoba Conf. Numer. Math. , Winnipeg, 1973, 51–seventy.  Google Scholar
[xx]	P. van Oorschot and K. Wiener, Parallel collision search with cryptanalytic applications, J. Catacomb., 12 (1999), ane-28.  doi: 10.1007/PL00003816.  Google Scholar
[21]	P. Wang and F. Zhang, Computing elliptic bend discrete logarithms with the negation map, Inf. Sci., 195 (2012), 277-286.  doi: 10.1016/j.ins.2012.01.044.  Google Scholar
[22]	P. Wang and F. Zhang, Improving the parallelized Pollard rho method for calculating elliptic curve discrete logarithms in 4th Int. Conf. Emerging Intell. Information Spider web Techn. (EIDWT-2013) 2013. doi: ten.1109/EIDWT.2013.55.  Google Scholar
[23]	M. Wiener and R. Zuccherato, Faster attacks on elliptic bend cryptosystems, in Selected Areas in Cryptography '98 (eds. South. Eastward. Tavares et al), Springer, 1998,190–120. doi: 10.1007/3-540-48892-8_15.  Google Scholar

testify all references

References:

[1]	D. J. Bernstein and T. Lange, Calculating small discrete logarithms faster, in INDOCRYPT 2012 (eds. S. D. Galbraith et al), Springer, 2012,317–338. doi: ten.1007/978-3-642-34931-7_19.  Google Scholar
[ii]	D. J. Bernstein and T. Lange, Two grumpy giants and a baby, in Proc. 10th Algor. Number Theory Symp. (eds. E. West. Howe et al), 2013, 87–111. doi: x.2140/obs.2013.ane.87.  Google Scholar
[3]	D. J. Bernstein, T. Lange and P. Schwabe, On the correct utilize of the negation map in the Pollard rho method, in PKC 2011 (eds. D. Catalano et al), Springer, 2011,128–146. doi: x.1007/978-3-642-19379-8_8.  Google Scholar
[4]	D. Boneh, East. Goh and K. Nissim, Evaluating two-DNF formulas on ciphertexts in Theory of Cryptography-TCC 2005 (ed. J. Kilian), Springer, 2005,325-341. doi: 10.1007/978-3-540-30576-7_18.  Google Scholar
[5]	Yard. Chateauneuf, A. C. H. Ling and D. R. Stinson, Slope packings and coverings, and generic algorithms for the discrete logarithm problem, J. Combin. Des., eleven (2003), 36-l.  doi: 10.1002/jcd.10033.  Google Scholar
[6]	K. Fong, D. Hankerson, J. Lopez and A. Menezes, Field inversion and point halving revisited, IEEE Trans. Comp., 53 (2004), 1047-1059.   Google Scholar
[7]	S. D. Galbraith, J. Yard. Pollard and R. S. Ruprai, Calculating discrete logarithms in an interval}, Math. Comp., 82 (2013), 1181-1195.  doi: x.1090/S0025-5718-2012-02641-Ten.  Google Scholar
[eight]	S. D. Galbraith and R. Southward. Ruprai, Using equivalence classes to speed upward the detached logarithm problem in a short interval, in PKC 2010 (eds. P. Nguyen et al), Springer, 2010,368–383. doi: 10.1007/978-3-642-13013-7_22.  Google Scholar
[9]	R. Gallant, R. Lambert and S. Vanstone, Improving the parallelized Pollard lambda search on binary dissonant curves, Math. Comp., 69 (1999), 1699-1705.  doi: x.1090/S0025-5718-99-01119-9.  Google Scholar
[10]	P. Gaudry and E. Schost, A low-memory parallel version of Matsuo, Chao and Tsujii's algorithm, in ANTS Ⅵ (ed. D. A. Buell), Springer, 2004,208–222. doi: 10.1007/978-three-540-24847-7_15.  Google Scholar
[11]	R. Granger, D. Page and K. Stam, On pocket-size characteristic algebraic tori in pairing-based cryptography, LMS J. Comp. Math., ix (2006), 64-85.  doi: x.1112/S1461157000001194.  Google Scholar
[12]	R. Henry, M. Henry and I. Goldberg, Making a nymbler Nymble using VERBS, in PETS 2010 (eds. K. J. Atallah), Springer, 2010,111–129. Google Scholar
[thirteen]	Northward. Koblitz, Elliptic bend cryptosystems, Math. Comp., 48 (1987), 203-209.  doi: x.2307/2007884.  Google Scholar
[14]	5. Miller, Use of elliptic curves in cryptography, in Crypto '85 (ed. H. C. Williams), Springer, 1986,417–426. doi: x.1007/iii-540-39799-X_31.  Google Scholar
[15]	P. L. Montgomery, Speeding the Pollard and elliptic bend methods of factorization, Math. Comp., 48 (1987), 243-264.  doi: 10.2307/2007888.  Google Scholar
[16]	V. I. Nechaev, Complexity of a determinate algorithm for the discrete logarithm, Math. Notes, 55 (1994), 165-172.  doi: x.1007/BF02113297.  Google Scholar
[17]	J. M. Pollard, Monte Carlo methods for index computation (mod p), Math. Comp., 32 (1978), 918-924.  doi: x.2307/2006496.  Google Scholar
[eighteen]	J. Pollard, Kangaroos, Monopoly and discrete logarithms, J. Crypt., 13 (2000), 437-447.  doi: 10.1007/s001450010010.  Google Scholar
[nineteen]	D. Shanks, Five number-theoretic algorithms, in Proc. 2nd Manitoba Conf. Numer. Math. , Winnipeg, 1973, 51–lxx.  Google Scholar
[xx]	P. van Oorschot and M. Wiener, Parallel standoff search with cryptanalytic applications, J. Crypt., 12 (1999), one-28.  doi: x.1007/PL00003816.  Google Scholar
[21]	P. Wang and F. Zhang, Computing elliptic curve detached logarithms with the negation map, Inf. Sci., 195 (2012), 277-286.  doi: 10.1016/j.ins.2012.01.044.  Google Scholar
[22]	P. Wang and F. Zhang, Improving the parallelized Pollard rho method for calculating elliptic bend discrete logarithms in 4th Int. Conf. Emerging Intell. Data Web Techn. (EIDWT-2013) 2013. doi: 10.1109/EIDWT.2013.55.  Google Scholar
[23]	M. Wiener and R. Zuccherato, Faster attacks on elliptic curve cryptosystems, in Selected Areas in Cryptography '98 (eds. Due south. E. Tavares et al), Springer, 1998,190–120. doi: 10.1007/iii-540-48892-8_15.  Google Scholar

Figure i. Graph of

$c(t) t^ii$

for

$t \in [0,1]$

obtained by simulations for the three values

$G = \sqrt{N/2}, M = \sqrt{Northward}$

and

$M = \tfrac{ane}{2}\sqrt{N}$

. The multiple lines denote the results for unlike experiments coming from different choices of

$Due north$

Figure 2. Graph of

$c(t) t^two$

for

$t \in [0,ane]$

obtained past simulations, for grumpy giants method using

$x$

-coordinates, with

$1000 = \sqrt{N/ii}$

and

$ M = \sqrt{N}$

Table one. Size of ready

$\mathcal{L}_L$

written as

$c(t) L^2$

where

$t = L/\sqrt{North}$

.

$t$	0	0.12	0.24	0.37	0.49	0.61	0.73	0.85	0.97
$c(t)$	3.00	three.00	3.00	ii.99	two.79	2.30	ane.77	1.35	one.06

$t$	0	0.12	0.24	0.37	0.49	0.61	0.73	0.85	0.97
$c(t)$	three.00	3.00	3.00	ii.99	two.79	two.30	i.77	1.35	1.06

Table 2. Results of experiments with the grumpy-giants algorithm without negation

$.25	#Elliptic Curves	#DLPs per Curve	boilerplate value for c	standard deviation
28	100	10000	i.2579	0.0083
29	100	10000	1.2533	0.0064
30	100	10000	i.2484	0.0062
31	100	10000	one.2517	0.0067
32	100	10000	1.2736	0.0054

$.25	#Elliptic Curves	#DLPs per Curve	average value for c	standard deviation
28	100	10000	ane.2579	0.0083
29	100	10000	1.2533	0.0064
30	100	10000	ane.2484	0.0062
31	100	10000	i.2517	0.0067
32	100	10000	1.2736	0.0054

Table 3. The table lists constants

$c$

such that the named algorithm requires

$(c + o(i)) \sqrt{Northward}$

group operations for large enough groups of size

$N$

. The offset block lists algorithms for full general groups, and all these results are known (see Section 2). The values for the grumpy-giant algorithm (marked past an asterisk) are conjectural and the values for the rho and Gaudry-Schost algorithm are heuristic. The 2d cake lists algorithms for groups having an efficiently computable inversion (meet Department 3). Some of these results are new (the first one appears as an exercise in the first author'southward textbook). The third block lists algorithms that exploit efficient inversion equally well as our primary observation, and these results are all new (see Section v)

Algorithm	Boilerplate-case	Worst-case
Textbook BSGS [nineteen]	$i.v$	$ii.0$
Textbook BSGS optimised for average-example [eighteen]	$1.414$	$two.121$
Pollard interleaving BSGS [17]	$1.333$	$two.0$
Grumpy giants [2]	$ane.25^* $	$ \le 3$
Pollard rho using distinguished points [20]	$one.253$	$\infty$
Gaudry-Schost [vii]	$ane.661$	$\infty$
BSGS with negation	$1.0$	$ane.v$
Pollard interleaving BSGS with negation	$0.943$	$i.414$
Grumpy giants with negation	$0.9^*$	$\le 2.7$
Pollard rho using negation [iii,21]	$0.886(1 + o(one))$	$\infty$
Gaudry-Schost using negation [eight]	$1.36$	$\infty$
Interleaved BSGS with block computation	$0.38$	$0.57$
Grumpy giants with block computation	$0.36^*$	$\le 1.08$
Pollard rho with Montgomery trick	$0.47 $	$\infty$
Gaudry-Schost with Montgomery trick	$0.72 $	$\infty$

Algorithm	Boilerplate-instance	Worst-instance
Textbook BSGS [19]	$1.v$	$2.0$
Textbook BSGS optimised for average-case [eighteen]	$i.414$	$2.121$
Pollard interleaving BSGS [17]	$1.333$	$two.0$
Grumpy giants [2]	$ane.25^* $	$ \le 3$
Pollard rho using distinguished points [20]	$1.253$	$\infty$
Gaudry-Schost [7]	$1.661$	$\infty$
BSGS with negation	$one.0$	$1.5$
Pollard interleaving BSGS with negation	$0.943$	$ane.414$
Grumpy giants with negation	$0.9^*$	$\le two.7$
Pollard rho using negation [three,21]	$0.886(ane + o(1))$	$\infty$
Gaudry-Schost using negation [8]	$ane.36$	$\infty$
Interleaved BSGS with cake computation	$0.38$	$0.57$
Grumpy giants with block computation	$0.36^*$	$\le i.08$
Pollard rho with Montgomery play a joke on	$0.47 $	$\infty$
Gaudry-Schost with Montgomery trick	$0.72 $	$\infty$

Table 4. Size of ready

$\mathcal{L}_L$

written as

$c(t) 50^2$

where

$t = L/\sqrt{North}$

$t$	0	0.15	0.30	0.46	0.61	0.76	0.91
$c(t)$	6.00	5.76	five.47	four.10	2.56	1.72	1.twenty

$t$	0	0.xv	0.30	0.46	0.61	0.76	0.91
$c(t)$	6.00	five.76	5.47	4.10	two.56	1.72	1.20

Tabular array v. Results of experiments with the grumpy-giants algorithm exploiting efficient inversion

Bits	#Elliptic Curves	#DLPs per Curve	average value for c	standard departure
28	100	10000	0.8926	0.0077
29	100	10000	0.9053	0.0061
30	100	10000	0.8961	0.0073
31	100	10000	0.9048	0.0068
32	100	10000	0.9207	0.0065

$.25	#Elliptic Curves	#DLPs per Bend	average value for c	standard deviation
28	100	10000	0.8926	0.0077
29	100	10000	0.9053	0.0061
30	100	10000	0.8961	0.0073
31	100	10000	0.9048	0.0068
32	100	10000	0.9207	0.0065

Table vi. Results of experiments with the 4-giants algorithm without negation

Bits	#Elliptic Curves	#DLPs per Curve	average value for $c$
28	100	10000	one.2867
29	100	10000	i.3002
xxx	100	10000	1.2926
31	100	10000	1.2944
32	100	10000	1.3150

Bits	#Elliptic Curves	#DLPs per Curve	average value for $c$
28	100	10000	1.2867
29	100	10000	one.3002
xxx	100	10000	ane.2926
31	100	10000	1.2944
32	100	10000	1.3150

[1]	Lianshuan Shi, Enmin Feng, Huanchun Sun, Zhaosheng Feng. A two-stride algorithm for layout optimization of structures with discrete variables. Journal of Industrial & Direction Optimization, 2007, 3 (3) : 543-552. doi: 10.3934/jimo.2007.three.543
[ii]	Kazeem Olalekan Aremu, Chinedu Izuchukwu, Grace Nnenanya Ogwo, Oluwatosin Temitope Mewomo. Multi-step iterative algorithm for minimization and fixed bespeak problems in p-uniformly convex metric spaces. Journal of Industrial & Management Optimization, 2021, 17 (4) : 2161-2180. doi: ten.3934/jimo.2020063
[iii]	Behrouz Kheirfam. A total Nesterov-Todd footstep infeasible interior-point algorithm for symmetric optimization based on a specific kernel role. Numerical Algebra, Control & Optimization, 2013, three (4) : 601-614. doi: 10.3934/naco.2013.three.601
[4]	Yanqin Bai, Lipu Zhang. A total-Newton step interior-point algorithm for symmetric cone convex quadratic optimization. Journal of Industrial & Management Optimization, 2011, 7 (4) : 891-906. doi: 10.3934/jimo.2011.seven.891
[five]	Yinghong Xu, Lipu Zhang, Jing Zhang. A full-modified-Newton step infeasible interior-point algorithm for linear optimization. Periodical of Industrial & Management Optimization, 2016, 12 (1) : 103-116. doi: 10.3934/jimo.2016.12.103
[6]	Leonid Faybusovich, Cunlu Zhou. Long-step path-following algorithm for quantum information theory: Some numerical aspects and applications. Numerical Algebra, Control & Optimization, 2022, 12 (ii) : 445-467. doi: 10.3934/naco.2021017
[vii]	Xiaoyu Xing, Hailiang Yang. American type geometric stride options. Periodical of Industrial & Management Optimization, 2013, 9 (3) : 549-560. doi: 10.3934/jimo.2013.ix.549
[viii]	Cuixia Miao, Yuzhong Zhang. Scheduling with step-deteriorating jobs to minimize the makespan. Journal of Industrial & Management Optimization, 2019, 15 (four) : 1955-1964. doi: 10.3934/jimo.2018131
[9]	Delphine Boucher. A first pace towards the skew duadic codes. Advances in Mathematics of Communications, 2018, 12 (iii) : 553-577. doi: 10.3934/amc.2018033
[x]	Jon Aaronson, Michael Bromberg, Nishant Chandgotia. Rational ergodicity of footstep part skew products. Journal of Modern Dynamics, 2018, xiii: 1-42. doi: 10.3934/jmd.2018012
[11]	Santos González, Llorenç Huguet, Consuelo Martínez, Hugo Villafañe. Discrete logarithm like bug and linear recurring sequences. Advances in Mathematics of Communications, 2013, 7 (2) : 187-195. doi: 10.3934/amc.2013.vii.187
[12]	Andrew J. Steyer, Erik S. Van Vleck. Underlying one-footstep methods and nonautonomous stability of general linear methods. Detached & Continuous Dynamical Systems - B, 2018, 23 (7) : 2859-2877. doi: 10.3934/dcdsb.2018108
[thirteen]	Peter Eastward. Kloeden, Björn Schmalfuss. Lyapunov functions and attractors nether variable fourth dimension-footstep discretization. Discrete & Continuous Dynamical Systems, 1996, 2 (two) : 163-172. doi: ten.3934/dcds.1996.ii.163
[fourteen]	Michael A. Saum, Tim Schulze. The role of processing speed in determining footstep patterns during directional epitaxy. Discrete & Continuous Dynamical Systems - B, 2009, xi (two) : 443-457. doi: ten.3934/dcdsb.2009.11.443
[15]	Lifeng Chen, Jifa Jiang. Stochastic epidemic models driven past stochastic algorithms with constant step. Discrete & Continuous Dynamical Systems - B, 2016, 21 (2) : 721-736. doi: 10.3934/dcdsb.2016.21.721
[16]	Yoonsang Lee, Bjorn Engquist. Variable step size multiscale methods for stiff and highly oscillatory dynamical systems. Discrete & Continuous Dynamical Systems, 2014, 34 (three) : 1079-1097. doi: 10.3934/dcds.2014.34.1079
[17]	Behrouz Kheirfam, Guoqiang Wang. An infeasible full NT-step interior point method for round optimization. Numerical Algebra, Control & Optimization, 2017, seven (2) : 171-184. doi: 10.3934/naco.2017011
[eighteen]	Tingting Wu, Yufei Yang, Huichao Jing. Two-step methods for paradigm zooming using duality strategies. Numerical Algebra, Control & Optimization, 2014, 4 (3) : 209-225. doi: ten.3934/naco.2014.iv.209
[19]	Van Hieu Dang. An extension of hybrid method without extrapolation step to equilibrium bug. Journal of Industrial & Management Optimization, 2017, 13 (iv) : 1723-1741. doi: ten.3934/jimo.2017015
[20]	Angelamaria Cardone, Dajana Conte, Beatrice Paternoster. Two-step collocation methods for fractional differential equations. Detached & Continuous Dynamical Systems - B, 2018, 23 (7) : 2709-2725. doi: ten.3934/dcdsb.2018088

goodwingremeaunk.blogspot.com

Source: https://www.aimsciences.org/article/doi/10.3934/amc.2017038