Keywords

1 Introduction

The discrete logarithm problem (DLP) in a group G is to find the integer n such that gn = h holds given g, h  G. As one of the most important mathematical primitives in modern cryptography, there are some classic algorithms to solve it, such as the Pollard’s rho method, the index calculus method, and the Pollard’s kangaroos method as well [1]. It’s interesting to study solving discrete logarithm problem of the given interval in the practical cryptography system. The discrete logarithm problem in an interval is defined as following:

Definition 1

(DLP in an interval). Let p be a prime number and G be a cyclic subgroup of order q in \( F_{p}^{*} \). Given the generator g and an element h of G, and an integer N less than the order of g, it is assumed that there exists an unknown integer n in the interval [0, N] such that h = gn holds. To compute n.

Indeed, some instances belonging to this case had been studied, such as the DLP with c-bit exponents (c-DLSE) [2,3,4], Boneh-Goh-Nissim homomorphic encryption scheme [5], counting points on curves or abelian varieties over finite fields [6], the analysis of the strong Diffie-Hellman problem [1, 7], and side-channel or small subgroup attacks [8, 9] and reference therein. Pollard’s rho algorithm costs time \( O\left( {\sqrt n } \right) \) to solve it. [4] improves Pollard’s kangaroos algorithm to solve DLP in an interval of size N with expected running time \( ( 2 {\text{ + O(1))}}\sqrt {\text{N}} \) group operations and polynomial storage. Galbraith et al. improve it by increasing the number of kangaroos showing that when the number of kangaroos is four, total number of jumps is optimal and number of group operations is \( ( 1. 7 1 4 {\text{ + O(1))}}\sqrt {\text{N}} \) [10]. [11] uses series of small integer multiplications to replace every multiplication of elements of a group, which reduces the cost of each jump in Pollard’s rho algorithm and to determine to compute a complete multiplication according to whether some function values belong to the set of distinguished points or not. The definition of distinguished points is originally introduced in [12] for time-memory trade-off, which is some elements of group G satisfying a certain condition such that these points can be checked easily. [11] showed that when the related results meet the pre-defined distinguished point condition, we make a complete integer multiplication operation, thereby reducing the number of complete multiplications and time cost of each jump. A preprocessing storage size is \( O\left( {\left( {{ \log }p} \right)^{r + 1} \cdot {\text{loglog}}p} \right) \) and running time is at least 10 times faster than the original algorithm.

Contribution.

We use the sine-function to implement periodic iterates and give some pre-computation to reduce the cost of Pollard’s kangaroos algorithm obviously. we can reduce \( \left| {\left| p \right|} \right|^{ 2} \) bit operations of a complete integer multiplication to at most \( d\left\| \varepsilon \right\|\left\| {\eta^{2} } \right\| \) bit operations, where \( d = \log_{\varepsilon } p \). The pre-defined distinguished point condition is [ηk, η], where \( k = { \log }\eta + \nu ,\;\nu \) is an integer satisfying \( 0 \le \nu < \eta - \left\lfloor {{ \log }\eta } \right\rfloor \). Furthermore, we also properly increase the number of kangaroos to reduce the total number of jumps, which improve both the time cost and the total number of jumps. Compared with the classic algorithm, the efficiency is noticeably improved.

2 Pollard’s Kangaroos Algorithm

The Pollard’s kangaroos algorithm [13] is based on random walk and each kangaroo jumps one step at a time. The main process is: First, fix a set of small integers of k elements \( S = \left\{ {s_{1} ,s_{2} , \ldots ,s_{k} } \right\} \), which is also considered as the set of the distances of jump steps such that the mean value of the elements of S is about \( \sqrt N \) and k is a small integer. We randomly select some elements from group G to form the distinguished set D = {g1g 2 g 3,…,  g t }, such that the size of D is approximately \( \left| D \right| / \left| G \right| = \frac{c}{\sqrt N } \), where c is a constant and c ≫1. Define a random map f from G to S. mA kangaroo’s jumps corresponds to a sequence in \( G,g_{i + 1} = g_{i} g_{i}^{f(g)} ,\;i = 0,\, 1,\, 2, \ldots , \) starting from the given g0. Let d0 = 0, di+1 = d i  + f(g i ), i = 0, 1, 2, …. Then, d i is the sum of distances of first i jumps of kangaroo and \( g_{i} = g_{0} g_{i}^{d} ,\;i = 0, 1, 2, \ldots \). The algorithm requires \( 2\sqrt N \) group operations and a small amount of additional storage space.

For each jump, we need to compute a complete integer multiplication between two group elements, which costs about \( \left| {\left| p \right|} \right|^{ 2} \) bit operations. When the product belongs to the distinguished set D, the values related to this jump will be stored for collision detection; otherwise, the related values will not be stored. Thus, storage operations are not carried out every time, so it is not necessary to do a full product for each jump.

3 The Improved Pollard’s Kangaroos Algorithm

In Pollard’s kangaroos algorithm, the cost of each jump is complete multiplication operation of ||p||2 bits. We improve computational cost of jumpsusing pre-computation and periodic iterative functions, so that the total cost is reduced. Let p be a prime, n be an integer, and \( G = {<}g{>} \) be a cyclic subgroup of order q of \( F_{p}^{*} \). Given the generator g of G, element h and positive integer N, suppose there exists an unknown integer n in the interval [0, N] such that h = gn holds, the algorithm to compute n is given in the following.

Let \( \eta \) denotes a small integer, we set \( \varGamma = \left\{ {t_{1} ,t_{2} , \ldots ,t_{\eta } } \right\} \), which is also considered as the set of the distances of jump steps and the mean value of the elements of \( \varGamma \) is about \( \sqrt N \). Let the index set be \( S = \{ 1,{ 2}, \, \ldots ,\eta {\text{\} }} \) and set \( \left\{ {M_{s} {\text{ = g}}^{{t_{s} }} |t_{s} \in \varGamma } \right\} \). Fix a small positive integer l and precompute \( M_{l} = \left\{ {M \cup \left\{ 1 \right\}} \right\}^{l} \). Initially, both tables L t and L w are null. We choose small integers d and ε such that \( d = \left\lceil {\log_{\varepsilon } p} \right\rceil \). In order to facilitate the calculation of the discrete logarithm, we pre-calculate the \( M_{l} \) before the algorithm runs and store it in the appropriate table. The size of the set \( M_{l} \) does not exceed \( \left( {\begin{array}{*{20}c} {l + \eta } \\ \eta \\ \end{array} } \right) \).

Next, we define label function \( \tau :G \to S \) such that \( \tau (g )= \frac{{g {\text{mod }}p}}{p} \cdot \eta + 1 \).

Given \( x,y\, \in \,G \), for each 0 ≤ i ≤ d−1, write

$$ x = \sum\nolimits_{\text{i = 0}}^{{{\text{d}} - 1}} {{\text{x}}_{\text{i}} \varepsilon^{\text{i}} } , \quad {\text{where}}\quad 0\, \le \,{\text{x}}_{\text{i}} \, < \,\varepsilon $$
(1)

and

$$ t_{i} = \varepsilon^{i} y\bmod 360,\quad {\text{then}}\, 0\, \le \,t_{i} \, < \,360. $$
(2)

Define the auxiliary label function \( \bar{\tau }:G \times M_{l} \to S \)

$$ \bar{\tau }\left( {x,y} \right) = \sum\nolimits_{i = 0}^{d - 1} {x_{i} \left\lfloor {\left| {u{ \sin }\left( {t_{i} } \right)} \right|} \right\rfloor } \bmod \eta + 1 $$
(3)

where \( u \ge \eta^{2} \), for the convenience of computation, u is taken as \( \eta^{2} \). For any given \( g\, \in \,G \) and \( M\, \in \,{\text{M}}_{\text{l}} \), the time computing \( \bar{\tau }\left( {g,M} \right) \) is much less than the cost of computing \( g \cdot M \).

We define index function and auxiliary index function \( \bar{s}:G \times M_{l} \to S \), such that \( s:G \to S \) is a surjective and pre-image is approximately uniform,, and \( \bar{s}\left( {g,M} \right) = s(gM) \). Let \( \bar{s} = \bar{\tau } \). The pre-defined distinguished point condition is defined as the interval [ηk, η], where \( k = \left\lfloor {{ \log }\eta } \right\rfloor + \nu ,\;0 \le \nu < \eta - \left\lfloor {{ \log }\eta } \right\rfloor \). Generally, the value of \( \nu \) is a small integer.

The jumping process of a kangaroo is a sequence table of G, \( G,\,g_{{i{ + 1}}} = g_{i} \cdot M_{{s(g_{i} )}} \) for \( i \ge 0 \). The algorithm starts at an initial value \( g_{ 0} \, \in \,G \), and the initial \( s_{ 0} = s (g_{ 0} ) \)) is randomly selected from the set S. Since \( g_{ 1} { = }g_{ 0} \cdot M_{{s(g_{0} )}} \), we can get the next index \( s_{ 1} = s (g_{ 1} ) = s (g_{ 0} M_{{s\left( {{\text{g}}_{ 0} } \right)}} ) = \bar{s} (g_{ 0} ,\,M_{{s\left( {g_{ 0} } \right)}} ) \) by calculating \( \bar{s} (g_{ 0} ,\,M_{{s\left( {g_{ 0} } \right)}} ) \) without computing \( g_{ 0} \cdot M_{{s (g_{ 0} )}} \). If the computed index value \( s_{ 1} \) satisfies distinguished point condition, we can calculate \( g_{ 2} = g_{ 0} \cdot M_{{s_{ 0} }} M_{{s_{ 1} }} ,\;M_{{s_{ 0} }} M_{{s_{ 1} }} \, \in \,M_{l} \) has been pre-computed without computing \( g_{ 1} = g_{ 0} \cdot M_{{s_{ 0} }} \). In the next process, for each iteration to complete a jump, the index value \( s_{ 2} ,\,s_{ 3} ,\,{\text{etc}}, \) can be calculated in the same way, and we do not compute the complete multiplication until that the pre-defined distinguished point condition is met, that is, the value of the function \( \bar{s} \) falls in the interval [ηk, η]. At same time, we get the corresponding point \( g_{\text{i}} = g_{ 0} M_{{s_{ 0} }} \ldots \,M_{{s_{{i{ - 1}}} }} \), where \( {\text{M}}_{{{\text{s}}_{ 0} }} \ldots \,{\text{M}}_{{{\text{s}}_{\text{i - 1}} }} \in {\text{M}}_{\text{l}} \) has been basically precomputed and can be obtained through look-up the table. If the collision has not occurred for l iterations, i.e., \( {\text{g}}_{\text{l + 1}} {\text{ = g}}_{ 0} M_{{{\text{s}}_{ 0} }} \ldots \, M_{{{\text{s}}_{\text{l}} }} \), the computed value of \( g_{{l{ + 1}}} \) will be stored in the table and the algorithm can be re-executed with \( g_{{l{ + 1}}} \) as a new starting point.

We denote two kangaroos as T and W. T and W jump respectively from the midpoint of the interval (i.e., \( g_{0} = g^{N/2} \)) and \( g_{0}^{\prime } = h \) to the right side of the interval. The jumping process of T and W are alternately executed. The branches T and W randomly select the initial values \( s_{ 0} = s (g_{ 0} ) \)) and \( s_{0}^{\prime } = (g_{0}^{\prime } ) \) from the set S respectively and set their own initial jumping points and initial distances of the jump step of the two branches be \( g_{ 0} = M_{{s_{ 0} }} ,\;g = M_{{s_{0}^{\prime } }} \) and \( {\text{d}}_{ 0} ( {\text{T)}} = 0 ,\;{\text{d}}_{ 0} ( {\text{W)}} = 0 \). When i > 1, we have \( d_{i} (T) = \sum\nolimits_{i = 0}^{i - 1} {t_{{s_{i} }} } ,\;d_{j} (W) = \sum\nolimits_{i = 0}^{j - 1} {t_{{s_{j}^{\prime } }} } \). Let T i and W j denote the i and j-th jump of the two branches respectively. i and j start from 0. T 0 , W 0 , T 1 , W 1 , T 2 , W 2 ,,T i-1 , Wi-1 are alternately executed. When the distinguished point condition is satisfied, the current jumping point’s value of branch T or W will be computed. Then we can get the triplets that are \( (g_{i} ,d_{i} (T ) ,T) \) or \( g ,\;d_{j} (W ) ,W \) and store it into the corresponding table L t or L w at index \( g_{i} \) and \( g_{j} \) respectively. A collision occurs when \( g_{i} \) is accessed by a different type of branch kangaroo, so the value of \( n = N/2 + d_{i} \left( T \right) - d_{j} \left( W \right) \) can be computed and the algorithm terminates.

Running Time.

From Eq. (3), we can know the time of calculating \( \bar{\tau }\left( {x,y } \right) \) includes d multiplications of modulo η, d-1 additions of modulo η, and d sinusoidal operations. Considering the time of calculating a sine operation as a constant \( C_{0} \) and ignoring the relatively small cost of addition, time of computing \( \bar{\tau } \) is about \( d{\text{Mul}}\left( {\left| {\left| \eta \right|} \right|} \right) + \left( {\theta + 1/l} \right){\text{Mul}}\left( {\left| {\left| p \right|} \right|} \right) + dC_{0} \), where θ is the probability that a point is a distinguished point, and l is the maximum number of iterations of the pre-process. Notice that the time of calculating sine function is neglected after processing in (2), the time of a jump is \( d{\text{Mul}}\left( {\left| {\left| \eta \right|} \right|} \right) + \left( {\theta + 1/l} \right){\text{Mul}}\left( {\left| {\left| p \right|} \right|} \right) \), where θ is the probability that a point is a distinguishable point, and l is the maximum number of iterations in the preprocessing table. Since the total number of jumps is \( N/\left( { 2m} \right) + 2m + 2/\theta \), the total time is \( \left\{ {d{\text{Mul}}\left( {\left| {\left| \eta \right|} \right|} \right) + \left( {\theta + 1/l} \right){\text{Mul}}\left( {\left| {\left| p \right|} \right|} \right)} \right\}\, *\,\left\{ {N/\left( {2m} \right) + 2m + 2 \cdot 1/\theta } \right\} \). From (1) and (3), we need about \( d\left| {\left| \varepsilon \right|} \right|\left\| {\eta^{ 2} } \right\| \) bit operations required for a complete multiplication, obviously smaller than the \( \left| {\left| p \right|} \right|^{ 2} \) bit operations required for a complete multiplication of the original algorithm. Usually we have the comparison results, seeing Table 1.

Table 1. Time contrast in case of Two Kangaroos
Full size table

We can take the pre-defined distinguished point condition as \( [\eta - k,\eta ] \), the number of group operations is about \( { \log }\eta /\eta ( 2 {\text{ + O(1))}}\sqrt {\text{N}} \). [10] improves the classic Pollard’s kangaroos algorithm by increasing the number of kangaroos such that the total number of jumps is reduced and the probability of collision is increased. When the number of kangaroos is four, the total number of jumps is optimal and number of group operations is \( ( 1. 7 1 4 {\text{ + O(1))}}\sqrt {\text{N}} \).

4 Experiments on Improved Pollard’s Kangaroos Algorithm

Given a 32-bit prime number p = 2147483659, g = 29, and take \( \varepsilon = 8, N = 50 \). Since \( \sqrt N \) = 7, here we set \( \eta \) = 13 and \( \varGamma = \left\{ { 1, 2, 3, \ldots , 1 3} \right\} \). Then \( k = \left\lfloor {{ \log }\eta } \right\rfloor = 3 \), so the interval [ηk, η] =  [10, 13]. The distinguished point condition is [10, 13]. \( M = \left\{ {{\text{g}}^{1} ,{\text{g}}^{2} , \ldots , {\text{g}}^{13} } \right\} \). Given h = 44895682, then our task is to seek x in the interval [1, N] such that \( 2 9^{x} \bmod p = 44895682 \). Here, we set l = 3 and precompute \( M_{l} = \{ \{ 2 9^{ 1} , 2 9^{ 2} , \ldots , 2 9^{ 1 3} \} \cup \{ 1\} \}^{3} \). We show some instances of experiment for different size primes p to display advantage of the improved algorithm in Table 2.

Table 2. Experiment cost
Full size table

5 Conclusion

In this paper, we improve Pollard’s kangaroos algorithm using pre-defined distinguished point condition and periodic iterations. We reduce the cost of kangaroos’ jumps by using the sine function to iterate periodically and pre- computation instead of multiplication between the elements of a group. The related function definition of the algorithm is not limited to a certain interval, the improved algorithm can be extended for the calculation of the discrete logarithm problem in the usual case.