Article Contents
Article Contents

Computing elliptic curve discrete logarithms with improved baby-step giant-step algorithm

• * Corresponding author
This work was supported by the National Natural Science Foundation of China (No. 61672550,61402293).
• The negation map can be used to speed up the computation of elliptic curve discrete logarithms using either the baby-step giant-step algorithm (BSGS) or Pollard rho. Montgomery's simultaneous modular inversion can also be used to speed up Pollard rho when running many walks in parallel. We generalize these ideas and exploit the fact that for any two elliptic curve points X and Y, we can efficiently get X-Y when we compute X+Y. We apply these ideas to speed up the baby-step giant-step algorithm. Compared to the previous methods, the new methods can achieve a significant speedup for computing elliptic curve discrete logarithms in small groups or small intervals.

Another contribution of our paper is to give an analysis of the average-case running time of Bernstein and Lange's "grumpy giants and a baby" algorithm, and also to consider this algorithm in the case of groups with efficient inversion.

Our conclusion is that, in the fully-optimised context, both the interleaved BSGS and grumpy-giants algorithms have superior average-case running time compared with Pollard rho. Furthermore, for the discrete logarithm problem in an interval, the interleaved BSGS algorithm is considerably faster than the Pollard kangaroo or Gaudry-Schost methods.

Mathematics Subject Classification: Primary: 11Y16; Secondary: 11T71.

 Citation:

• Figure 1.  Graph of $c(t) t^2$ for $t \in [0,1]$ obtained by simulations for the three values $M = \sqrt{N/2}, M = \sqrt{N}$ and $M = \tfrac{1}{2}\sqrt{N}$. The multiple lines denote the results for different experiments coming from different choices of $N$

Figure 2.  Graph of $c(t) t^2$ for $t \in [0,1]$ obtained by simulations, for grumpy giants method using $x$-coordinates, with $M = \sqrt{N/2}$ and $M = \sqrt{N}$

Table 1.  Size of set $\mathcal{L}_L$ written as $c(t) L^2$ where $t = L/\sqrt{N}$.

 $t$ 0 0.12 0.24 0.37 0.49 0.61 0.73 0.85 0.97 $c(t)$ 3 3 3 2.99 2.79 2.3 1.77 1.35 1.06

Table 2.  Results of experiments with the grumpy-giants algorithm without negation

 Bits #Elliptic Curves #DLPs per Curve average value for c standard deviation 28 100 10000 1.2579 0.0083 29 100 10000 1.2533 0.0064 30 100 10000 1.2484 0.0062 31 100 10000 1.2517 0.0067 32 100 10000 1.2736 0.0054

Table 3.  The table lists constants $c$ such that the named algorithm requires $(c + o(1)) \sqrt{N}$ group operations for large enough groups of size $N$. The first block lists algorithms for general groups, and all these results are known (see Section 2). The values for the grumpy-giant algorithm (marked by an asterisk) are conjectural and the values for the rho and Gaudry-Schost algorithm are heuristic. The second block lists algorithms for groups having an efficiently computable inversion (see Section 3). Some of these results are new (the first one appears as an exercise in the first author's textbook). The third block lists algorithms that exploit efficient inversion as well as our main observation, and these results are all new (see Section 5)

 Algorithm Average-case Worst-case Textbook BSGS [19] $1.5$ $2.0$ Textbook BSGS optimised for average-case [18] $1.414$ $2.121$ Pollard interleaving BSGS [17] $1.333$ $2.0$ Grumpy giants [2] $1.25^*$ $\le 3$ Pollard rho using distinguished points [20] $1.253$ $\infty$ Gaudry-Schost [7] $1.661$ $\infty$ BSGS with negation $1.0$ $1.5$ Pollard interleaving BSGS with negation $0.943$ $1.414$ Grumpy giants with negation $0.9^*$ $\le 2.7$ Pollard rho using negation [3,21] $0.886(1 + o(1))$ $\infty$ Gaudry-Schost using negation [8] $1.36$ $\infty$ Interleaved BSGS with block computation $0.38$ $0.57$ Grumpy giants with block computation $0.36^*$ $\le 1.08$ Pollard rho with Montgomery trick $0.47$ $\infty$ Gaudry-Schost with Montgomery trick $0.72$ $\infty$

Table 4.  Size of set $\mathcal{L}_L$ written as $c(t) L^2$ where $t = L/\sqrt{N}$

 $t$ 0 0.15 0.3 0.46 0.61 0.76 0.91 $c(t)$ 6 5.76 5.47 4.1 2.56 1.72 1.2

Table 5.  Results of experiments with the grumpy-giants algorithm exploiting efficient inversion

 Bits #Elliptic Curves #DLPs per Curve average value for c standard deviation 28 100 10000 0.8926 0.0077 29 100 10000 0.9053 0.0061 30 100 10000 0.8961 0.0073 31 100 10000 0.9048 0.0068 32 100 10000 0.9207 0.0065

Table 6.  Results of experiments with the 4-giants algorithm without negation

 Bits #Elliptic Curves #DLPs per Curve average value for $c$ 28 100 10000 1.2867 29 100 10000 1.3002 30 100 10000 1.2926 31 100 10000 1.2944 32 100 10000 1.3150
•  [1] D. J. Bernstein and T. Lange, Computing small discrete logarithms faster, in INDOCRYPT 2012 (eds. S. D. Galbraith et al), Springer, 2012,317–338. doi: 10.1007/978-3-642-34931-7_19. [2] D. J. Bernstein and T. Lange, Two grumpy giants and a baby, in Proc. 10th Algor. Number Theory Symp. (eds. E. W. Howe et al), 2013, 87–111. doi: 10.2140/obs.2013.1.87. [3] D. J. Bernstein, T. Lange and P. Schwabe, On the correct use of the negation map in the Pollard rho method, in PKC 2011 (eds. D. Catalano et al), Springer, 2011,128–146. doi: 10.1007/978-3-642-19379-8_8. [4] D. Boneh, E. Goh and K. Nissim, Evaluating 2-DNF formulas on ciphertexts in Theory of Cryptography-TCC 2005 (ed. J. Kilian), Springer, 2005,325-341. doi: 10.1007/978-3-540-30576-7_18. [5] M. Chateauneuf, A. C. H. Ling and D. R. Stinson, Slope packings and coverings, and generic algorithms for the discrete logarithm problem, J. Combin. Des., 11 (2003), 36-50.  doi: 10.1002/jcd.10033. [6] K. Fong, D. Hankerson, J. Lopez and A. Menezes, Field inversion and point halving revisited, IEEE Trans. Comp., 53 (2004), 1047-1059. [7] S. D. Galbraith, J. M. Pollard and R. S. Ruprai, Computing discrete logarithms in an interval}, Math. Comp., 82 (2013), 1181-1195.  doi: 10.1090/S0025-5718-2012-02641-X. [8] S. D. Galbraith and R. S. Ruprai, Using equivalence classes to speed up the discrete logarithm problem in a short interval, in PKC 2010 (eds. P. Nguyen et al), Springer, 2010,368–383. doi: 10.1007/978-3-642-13013-7_22. [9] R. Gallant, R. Lambert and S. Vanstone, Improving the parallelized Pollard lambda search on binary anomalous curves, Math. Comp., 69 (1999), 1699-1705.  doi: 10.1090/S0025-5718-99-01119-9. [10] P. Gaudry and E. Schost, A low-memory parallel version of Matsuo, Chao and Tsujii's algorithm, in ANTS Ⅵ (ed. D. A. Buell), Springer, 2004,208–222. doi: 10.1007/978-3-540-24847-7_15. [11] R. Granger, D. Page and M. Stam, On small characteristic algebraic tori in pairing-based cryptography, LMS J. Comp. Math., 9 (2006), 64-85.  doi: 10.1112/S1461157000001194. [12] R. Henry, K. Henry and I. Goldberg, Making a nymbler Nymble using VERBS, in PETS 2010 (eds. M. J. Atallah), Springer, 2010,111–129. [13] N. Koblitz, Elliptic curve cryptosystems, Math. Comp., 48 (1987), 203-209.  doi: 10.2307/2007884. [14] V. Miller, Use of elliptic curves in cryptography, in Crypto '85 (ed. H. C. Williams), Springer, 1986,417–426. doi: 10.1007/3-540-39799-X_31. [15] P. L. Montgomery, Speeding the Pollard and elliptic curve methods of factorization, Math. Comp., 48 (1987), 243-264.  doi: 10.2307/2007888. [16] V. I. Nechaev, Complexity of a determinate algorithm for the discrete logarithm, Math. Notes, 55 (1994), 165-172.  doi: 10.1007/BF02113297. [17] J. M. Pollard, Monte Carlo methods for index computation (mod p), Math. Comp., 32 (1978), 918-924.  doi: 10.2307/2006496. [18] J. Pollard, Kangaroos, Monopoly and discrete logarithms, J. Crypt., 13 (2000), 437-447.  doi: 10.1007/s001450010010. [19] D. Shanks, Five number-theoretic algorithms, in Proc. 2nd Manitoba Conf. Numer. Math. , Winnipeg, 1973, 51–70. [20] P. van Oorschot and M. Wiener, Parallel collision search with cryptanalytic applications, J. Crypt., 12 (1999), 1-28.  doi: 10.1007/PL00003816. [21] P. Wang and F. Zhang, Computing elliptic curve discrete logarithms with the negation map, Inf. Sci., 195 (2012), 277-286.  doi: 10.1016/j.ins.2012.01.044. [22] P. Wang and F. Zhang, Improving the parallelized Pollard rho method for computing elliptic curve discrete logarithms in 4th Int. Conf. Emerging Intell. Data Web Techn. (EIDWT-2013) 2013. doi: 10.1109/EIDWT.2013.55. [23] M. Wiener and R. Zuccherato, Faster attacks on elliptic curve cryptosystems, in Selected Areas in Cryptography '98 (eds. S. E. Tavares et al), Springer, 1998,190–120. doi: 10.1007/3-540-48892-8_15.

Figures(2)

Tables(6)