Cryptology ePrint Archive: Report 2010/617

Computing Discrete Logarithms in an Interval

Steven D. Galbraith and John M. Pollard and Raminder S. Ruprai

Abstract: The discrete logarithm problem in an interval of size $N$ in a group $G$ is: Given $g, h \in G$ and an integer $ N$ to find an integer $0 \le n \le N$, if it exists, such that $h = g^n$. Previously the best low-storage algorithm to solve this problem was the van Oorschot and Wiener version of the Pollard kangaroo method. The heuristic average case running time of this method is $(2 + o(1)) \sqrt{N}$ group operations.

We present two new low-storage algorithms for the discrete logarithm problem in an interval of size $N$. The first algorithm is based on the Pollard kangaroo method, but uses 4 kangaroos instead of the usual two. We explain why this algorithm has heuristic average case expected running time of $(1.715 + o(1)) \sqrt{N}$ group operations. The second algorithm is based on the Gaudry-Schost algorithm and the ideas of our first algorithm. We explain why this algorithm has heuristic average case expected running time of $(1.661 + o(1)) \sqrt{N}$ group operations. We give experimental results that show that the methods do work close to that predicted by the theoretical analysis.

This is a revised version since the published paper that contains a corrected proof of Theorem 6 (the statement of Theorem 6 is unchanged). We thank Ravi Montenegro for pointing out the errors.

Category / Keywords: public-key cryptography / discrete logarithm problem (DLP)

Original Publication (with minor differences): Math. Comp., 82, No. 282 (2013) 1181-1195.
DOI:
10.1090/S0025-5718-2012-02641-X

Date: received 1 Dec 2010, last revised 23 Nov 2018

Contact author: S Galbraith at math auckland ac nz

Available format(s): PDF | BibTeX Citation

Version: 20181123:190156 (All versions of this report)

Short URL: ia.cr/2010/617


[ Cryptology ePrint archive ]