How Long Does it Take to Catch a Wild Kangaroo?

Similar documents
How long does it take to catch a wild kangaroo?

Randomized Smoothing Networks

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

UC Berkeley Department of Electrical Engineering and Computer Sciences. EECS 126: Probability and Random Processes

COMPUTING DISCRETE LOGARITHMS IN AN INTERVAL

Computing Discrete Logarithms. Many cryptosystems could be broken if we could compute discrete logarithms quickly.

Bounds on Birthday Attack Times

A Generalization of a result of Catlin: 2-factors in line graphs

On a generalized combinatorial conjecture involving addition mod 2 k 1

Signatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven

Discrete Logarithm Problem

Lecture 6: Cryptanalysis of public-key algorithms.,

Computing Elliptic Curve Discrete Logarithms with the Negation Map

AN OBSERVATION ABOUT VARIATIONS OF THE DIFFIE-HELLMAN ASSUMPTION

PUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS

AN OBSERVATION ABOUT VARIATIONS OF THE DIFFIE-HELLMAN ASSUMPTION

A Generic Algorithm for Small Weight Discrete Logarithms in Composite Groups

New Variant of ElGamal Signature Scheme

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Bloom Filters and Locality-Sensitive Hashing

Semi-simple Splicing Systems

Secure and Practical Identity-Based Encryption

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

On the Big Gap Between p and q in DSA

CHARACTERIZATION OF ULTRASONIC IMMERSION TRANSDUCERS

THE LINEAR BOUND FOR THE NATURAL WEIGHTED RESOLUTION OF THE HAAR SHIFT

Bivariate Uniqueness in the Logistic Recursive Distributional Equation

Geometric interpretation of signals: background

Endogeny for the Logistic Recursive Distributional Equation

CS259C, Final Paper: Discrete Log, CDH, and DDH

Information Storage Capacity of Crossbar Switching Networks

Breaking Plain ElGamal and Plain RSA Encryption

Short Exponent Diffie-Hellman Problems

Enhancing Generalization Capability of SVM Classifiers with Feature Weight Adjustment

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Lecture 1: Introduction to Public key cryptography

CPSC 467: Cryptography and Computer Security

On the approximation of real powers of sparse, infinite, bounded and Hermitian matrices

Pollard s Rho Algorithm for Elliptic Curves

Efficient Identity-Based Encryption Without Random Oracles

NON-LINEAR COMPLEXITY OF THE NAOR REINGOLD PSEUDO-RANDOM FUNCTION

The Probability of Pathogenicity in Clinical Genetic Testing: A Solution for the Variant of Uncertain Significance

Public Key Cryptography

Speeding Up Bipartite Modular Multiplication

reader is comfortable with the meaning of expressions such as # g, f (g) >, and their

9 Knapsack Cryptography

Lecture 4: Hashing and Streaming Algorithms

Digital Signature Scheme Based on a New Hard Problem

Average Coset Weight Distributions of Gallager s LDPC Code Ensemble

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

1 Number Theory Basics

EXPLICIT CONSTANTS IN AVERAGES INVOLVING THE MULTIPLICATIVE ORDER

A Simple Left-to-Right Algorithm for Minimal Weight Signed Radix-r Representations

Sharing DSS by the Chinese Remainder Theorem

A Simple Left-to-Right Algorithm for Minimal Weight Signed Radix-r Representations

Lecture 3: Randomness in Computation

Elliptic Curve Cryptography with Derive

Random Small Hamming Weight Products with Applications to Cryptography

Summation polynomials and the discrete logarithm problem on elliptic curves

Attacks on Elliptic Curve Cryptography Discrete Logarithm Problem (EC-DLP)

Cryptography IV: Asymmetric Ciphers

A Local-Global Principle for Diophantine Equations

Lecture 3 Frequency Moments, Heavy Hitters

ON THE AVERAGE RESULTS BY P. J. STEPHENS, S. LI, AND C. POMERANCE

The discrepancy of permutation families

4.5 Applications of Congruences

IMPROVING THE PARALLELIZED POLLARD LAMBDA SEARCH ON ANOMALOUS BINARY CURVES

CPSC 467: Cryptography and Computer Security

Minal Wankhede Barsagade, Dr. Suchitra Meshram

A PUBLIC-KEY THRESHOLD CRYPTOSYSTEM BASED ON RESIDUE RINGS

Complexity Analysis of a Fast Modular Multiexponentiation Algorithm

Language Recognition Power of Watson-Crick Automata

Long run input use-input price relations and the cost function Hessian. Ian Steedman Manchester Metropolitan University

CRYPTOGRAPHY AND NUMBER THEORY

14.1 Finding frequent elements in stream

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

A Composition Theorem for Universal One-Way Hash Functions

Parallel Implementation of Proposed One Way Hash Function

Foundations of Cryptography

Discrete logarithm and related schemes

MATH 158 FINAL EXAM 20 DECEMBER 2016

Quantum algorithms for computing short discrete logarithms and factoring RSA integers

Limits on the Efficiency of One-Way Permutation-Based Hash Functions

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

REPRESENTATIONS FOR A SPECIAL SEQUENCE

Public-key Cryptography and elliptic curves

Lecture 10 - MAC s continued, hash & MAC

NAVAL POSTGRADUATE SCHOOL THESIS

Econ 201: Problem Set 3 Answers

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

Modular Multiplication in GF (p k ) using Lagrange Representation

be a deterministic function that satisfies x( t) dt. Then its Fourier

Points of High Order on Elliptic Curves ECDSA

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

A Note on the Density of the Multiple Subset Sum Problems

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Transcription:

Ho Long Does it Take to Catch a Wild Kangaroo? Ravi Montenegro Prasad Tetali ABSTRACT The discrete logarithm problem asks to solve for the exponent x, given the generator g of a cyclic group G and an element h G such that g x h We give the first rigorous proof that Pollard s Kangaroo method finds the discrete logarithm in expected time (3+o(1)) b a for the orst value of x [a, b], and ( + o(1)) b a hen x uar [a, b] This matches the conjectured time complexity and, rare among the analysis of algorithms based on Markov chains, even the lead constants and 3 are correct ACM Classifiers: F1, G3 General Terms: Algorithms, Theory Keyords: Pollard s Kangaroo method, digital signature, discrete logarithm, Markov chain, mixing time 1 INTRODUCTION Cryptographic schemes are generally constructed in such a ay that breaking them ill likely require solving some presumably difficult computational problem, such as finding prime factors of a large integer or solving a discrete logarithm problem Recall that the discrete logarithm problem asks to solve for the exponent x, given the generator g of a cyclic group G and an element h G such that g x h The Diffie-Hellman key exchange, ElGamal cryptosystem, and the US government s DSA (Digital Signature Algorithm) are all based on an assumption that discrete logarithm is difficult to find Algorithms motivated by probabilistic intuition are often used to solve these problems and yet, although heuristics can be given for the time complexity of these methods, rigorous results are rare Department of Mathematical Sciences, University of Massachusetts at Loell, Loell, MA 01854, USA Email: ravi montenegro@umledu School of Mathematics and School of Computer Science, Georgia Institute of Technology, Atlanta, GA 3033, USA Email: tetali@mathgatechedu; research supported in part by NSF grants DMS 040139, 0701043 Permission to make digital or hard copies of all or part of this ork for personal or classroom use is granted ithout fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page To copy otherise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee STOC 09, May 31 June, 009, Bethesda, Maryland, USA Copyright 009 ACM 978-1-60558-506-/09/05 $500 In [, 4] one such method is considered, namely Pollard s Rho Algorithm to find the discrete logarithm on a cyclic group G, verifying the correctness of commonly held intuition This ork generated further interest in the cryptography community, and Dan Boneh in particular encouraged us to analyze Pollard s Kangaroo method [6], due to its very many applications While the Rho Algorithm is motivated by the Birthday Problem, the Kangaroo method orks on the same principle as the Kruskal Count [7] When the discrete logarithm x is knon to lie in a small interval [a, b] ith b a G, this algorithm is expected to improve on the Rho algorithm, ith a run time averaging b a steps, versus p (π/) G for the Rho algorithm In fact, the Kangaroo method is often the most efficient means for finding discrete logarithm on an arbitrary cyclic group, as the Rho algorithm requires G be knon exactly and Shanks baby-step giant-step method requires too much memory Among the cases in hich this ould be useful, Boneh and Boyen [1] give a signature scheme in hich a shorter signature can be transmitted if the recipient uses the Kangaroo method to determine certain omitted information Verification of the time complexity of the Kangaroo method (as e do here) ould then make rigorous their claim that the missing bits can be efficiently constructed While the above is an application for signature communication, another natural application is in forging a signature For instance, in order to speed up computation of a signature the secret key x may be chosen from an interval [a, b] ith b a G, or an attack might reveal a sequence of consecutive bits at the beginning or end of the key, in hich cases the Kangaroo method can be used to find the key and forge a signature The Kangaroo method is based on running to independent sequences of hops (random alks), one starting at a knon state (the tame kangaroo ) and the other starting at the unknon value of the discrete logarithm x (the ild kangaroo ) The main result of this paper ill be a bound on the expected number of steps required until these random alks intersect and the logarithm is determined Theorem 11 Suppose g, h G are such that h g x for some x [a, b] The expected number of group operations required by the Distinguished Points implementation of the Kangaroo method is (3 + o(1)) b a hen x a or x b, and is otherise upper bounded by this If x is a uniform random value in [a, b], ie x uar [a, b], then the expected number of group operations is ( + o(1)) b a

We sho matching upper and loer bounds, so the lead constants are sharp, hich is quite rare among the analyses of algorithms based on Markov chains Previously the first bound as knon only by a rough heuristic, hile Pollard [7] gives a convincing but not completely rigorous argument for the second Given the practical significance of Pollard s Kangaroo method for solving the discrete logarithm problem, e find it surprising that there has been no fully rigorous analysis of this algorithm, particularly since it has been 30 years since it as first proposed in [6] Past ork on problems related to the Kruskal Count seem to be of little help here Pollard s argument of [7] gives rigorous results for specific values of b a, but the recurrence relations he uses can only be solved on a case-by-case basis by numerical computation Lagarias etal [3] used probabilistic methods to study the distance traveled before to alks intersect, but only for alks in hich the number of steps until an intersection as simple to bound Although our approach here borros a fe concepts from the study of the Rho algorithm in [], such as the use of a second moment method to study the number of intersections, a significant complication in studying this algorithm is that, hen b a G, the kangaroos ill have proceeded only a small ay around the cyclic group before the algorithm terminates As such, mixing time is no longer a useful notion, and instead a notion of convergence is required hich occurs long before the mixing time We expect that the tools developed in this paper to avoid this problem ill prove useful in examining other such randomized algorithms Our analysis assumes that the Kangaroo method involves a truly random hash function: if g G then F (g) is equally likely to be any of the jump sizes, independent of all other F (g ) In practice different hash functions ill be used on different groups hether over a subgroup of integers mod p, elliptic curve groups, etc but in general the hash is chosen to look random Since the Kangaroo method applies on all cyclic groups then a constructive proof ould involve the impossible task of explicitly constructing a hash on every cyclic group, and so the assumption of a truly random hash is made in all attempts at analyzing it of hich e are aare [8, 5, 7] The paper proceeds as follos In Section e introduce the Kangaroo method A general frameork for analyzing intersection of independent alks on the integers is constructed in Section 3 This is folloed by a detailed analysis for the Kangaroo method in Section 4 PRELIMINARIES We describe here the Kangaroo method, originally knon as the Lambda method for catching Kangaroos The Distinguished Points implementation of [5] is given because it is more efficient than the original implementation of [6] Problem: Given g, h G, solve for x [a, b] ith h g x Method: Pollard s Kangaroo method (distinguished points version) Preliminary Steps: Define a set D G of distinguished points, ith c b a for some constant c D G Define a set of jump sizes S {s 0, s 1,, s d } We consider poers of to, S { k } d k0, ith d log b a+ log log b a, chosen so that elements of S average to a jump size of b a Finally, a hash function F : G S The Algorithm: Let Y 0 a+b, 0 x, and d0 0 Observe that g 0 hg d 0 Recursively define Y j+1 Y j + F (g Y j ) and likeise d i+1 d i + F (hg d i ) This implicitly defines i+1 i + F (g i ) x + d i+1 If g Y j D then store the pair (g Y j, Y j Y 0) ith an identifier T (for tame) Likeise if g i hg d i D then store (g i, d i) ith an identifier W (for ild) Once some distinguished point has been stored ith both identifiers T and W, say g i g Y j here (g i, d j) and (g Y j, Y j Y 0) ere stored, then Y j i x + d i mod G x Y j d i mod G The Y j alk is called the tame kangaroo because its position is knon, hereas the position i of the ild kangaroo is to be determined by the algorithm This as originally knon as the Lambda method because the to alks are initially different, but once g Y j g i then they proceed along the same route, forming a λ shape Theorem 11 makes rigorous the folloing commonly used rough heuristic: Suppose Y 0 0 Run the tame kangaroo infinitely far Since the kangaroos have an average step size b a, one expects the ild kangaroo requires b a/ Y 0 0 steps to reach Y 0 Subsequently, at each step the probability that the ild kangaroo lands on a spot visited by the tame 1 kangaroo is roughly p b a/, so the expected number of additional steps by the ild kangaroo until a collision is then around p 1 b a By symmetry the tame kangaroo also averaged p 1 steps About b a additional steps are c required until a distinguished point is reached Since i and Y j are incremented simultaneously the total number of steps taken is then «Y0 0 + p 1 b a + (3 + c 1 ) b a b a/ c If 0 x uar [a, b] then E Y 0 0 b a/ b a and the bound is ( + c 1 ) b a Recall e assume a random hash function F : if g G then F (g) is equally likely to be any value in S, independent of all other F (g ) A second assumption is that the distinguished points are ell distributed ith c (b a) ; either they are chosen uniformly at random, or if c Ω(d log d) then roughly constant spacing beteen points ill suffice The assumption on distinguished points can be dropped if one instead analyzes Pollard s (sloer) original algorithm, to hich our methods also apply

3 UNIFORM INTERSECTION TIME AND A COLLISION BOUND In order to understand our approach to bounding time until the kangaroos have visited a common location, hich e call a collision, it ill be helpful to consider a simplified version of the Kangaroo method First, observe that because hash values F (g) are independent then i and Y j are independent random alks at least until they collide, and so to bound time until this occurs it suffices to assume they are independent random alks even after they have collided Second, these are random alks on Z/ G Z, so if e drop the modular arithmetic and ork on Z then the time until a collision can only be made orse Third, since the alks proceed strictly in the positive direction on Z then in order to determine the number of hops the ild kangaroo (described by i) takes until it is caught by the tame kangaroo (ie i Y j on Z), it suffices to run the tame kangaroo infinitely long and only after this have the ild kangaroo start hopping With these simplifications the problem reduces to one about intersection of alks i and Y j, both proceeding in the positive direction on the integers, in hich Y j proceeds an infinite number of steps and then i proceeds until some i Y j Thus, rather than considering a specific probability Pr ( i Y j) it is better to look at Pr ( j : i Y j) By symmetry, the same approach ill also bound the expected number of hops the tame kangaroo requires to reach the location here it can trap the ild kangaroo First hoever, because the alk does not proceed long enough to approach its stationary distribution (obvious on Z and also true on Z/ G Z hen b a G ), alternate notions resembling mixing time and a stationary distribution ill be required Recall the heuristic that at each step the probability of a collision is roughly the inverse of the average step size Our mixing time quantity ill measure the number of steps required for this to become a rigorous statement: Definition 31 Consider a Markov chain P on Z hich is increasing (ie P(u, v) > 0 only hen v > u) and transitive (ie u, v Z : P(u, v) P(0, v u)) Define the uniform intersection probability U by U P k1 1 kp(0, k) Let i and Y j denote independent alks starting from states ( 0, Y 0) Ω, here Ω {(x, y) Z Z : x y < {k : P(0, k) > 0}} If ɛ [0, 1] the uniform intersection time T (ɛ) N is ( ) i T, ( 0, Y 0) Ω, T (ɛ) min T Pr( j: iy j) 1 U ɛ If gcd{k : P(0, k) > 0} 1 then the uniform intersection time is finite To avoid clutter e rite T to denote T (ɛ) in the remainder More generally, our results ill apply if P is an increasing Markov chain on a poset S, ie P(u, v) > 0 only if u v, and Ω is a binary relation on S hich is reflexive, symmetric, and such that if ( 0, Y 0) Ω then i Y j : ( i, Y j) Ω (Y j i) A uniform intersection probability ould be any value U satisfying the definition for the uniform intersection time A natural approach to studying collisions is to consider an appropriate random variable counting the number of intersections of the to alks Toards this, let S N denote the number of times the i alk intersects the Y j alk in the first N steps, ie S N 1 { j: i Y j } The second moment method used ill involve shoing that Pr (S N > 0) is non-trivial for some N Our collision bound ill involve the quantity B T, the expected number of collisions in the first T steps beteen to independent alks started at nearby states To be precise, define: B T Pr ( j : i Y j) ( 0,Y 0 ) Ω Then the expected number of steps until a collision can be bounded as follos Theorem 3 Given an increasing Markov chain P on Z, if to independent alks have starting states ( 0, Y 0) Ω then 1 B T U(1 + ɛ) T E min{i > 0 : j, i Yj} (1 4ɛ) 1 T + r 1 + BT U If B T, ɛ 0 and U 1 T then these bounds sho that E min{i > 0 : j, i Y j} 1 U, hich makes rigorous the heuristic that the expected number of steps needed until a collision is the average step size It ill prove easiest to study S N by first considering the first and second moments of the number of intersections in steps T + 1 to N, ie R N it +1 1 { j: i Y j }, in terms of the uniform intersection time and probability: Lemma 33 Under the conditions of Theorem 3, if N T T (ɛ) then (1 ɛ) E[R N ] (1 + ɛ) E[R N ] 1/ (1 + ɛ) Proof The expectation E[R N ] satisfies E[R N ] E it +1 it +1 1 + 1 + 1/ BT 1 { j: i Y j } E[1 { j: i Y j }]! (1 ɛ) (1)

The inequality follos from the relation E[1 { j: i Y j }] Pr ( j : i Y j) The upper bound on E[R N ] follos by taking (1 + ɛ) in place of (1 ɛ) No for E[R N ] Note that " N # E[R N ] E 1 { j: i Y j }1 { l: k Y l } it +1 kt +1 it +1 kt +1 Pr ( j, l : i Y j, k Y l ) By symmetry it suffices to consider the case that k i > T Then if i Y j then because the and Y alks are increasing then k Y l is possible only if l j When k > i+t then Pr ( l : k Y l i Y j) U(1+ ɛ) by definition of T, and so Pr ( j, l : i Y j, k Y l ) Pr ( j : i Y j) Pr ( l : k Y l i Y j) (1 + ɛ) U When k i + T then i+t ki+1 Pr ( j, l : i Y j, k Y l ) Pr ( j : i Y j) Pr ( l : k Y l 0 Y 0 u) u k1 B T U(1 + ɛ), since i T It follos that E[R N ] it +1 + Pr ( j : i Y j) + i+t ki+1 it +1 ki+t +1 «Pr ( j, l : i Y j, k Y l ) Pr ( j, l : i Y j, k Y l ) (1 + ɛ)(1 + B T ) (N T )(N T + 1) + U (1 + ɛ) (1 + ɛ) U (N T ) 1 1 + B T + (1 + ɛ)u(n T ) This shos that if the number of steps N is much bigger than U 1 then the standard deviation ill be small relative to expectation Thus R N is concentrated around its mean In particular e have Lemma 34 Under the conditions of Theorem 3, if N T then Pr (S N > 0) B T + (1 + ɛ) Pr (S N > 0) (1 4ɛ) 1 + 1 + 1 BT Proof Observe that Pr (S N > 0) Pr (R N > 0), so for the loer bound it suffices to consider R N Recall the standard second moment bound: using Cauchy-Schartz, e have that E[R N ] E[R N 1 {RN >0}] E[R N ] 1/ E[1 {RN >0}] 1/ and hence Pr (R N > 0) E[R N ] /E[R N ] By Lemma 33 then, independent of starting point, «1 ɛ Pr (R N > 0) 1 + 1 + 1 BT 1 + ɛ (1 4ɛ) 1 + 1 + 1 BT, 1 ɛ since 1+ɛ 1 4ɛ, for ɛ 0 No to upper bound Pr (S N > 0) Since S N N then Pr (S N > 0) E[1 {SN >0}] E[S N ] The expectation E[S N ] satisfies E[S N ] E 1 { j: i Y j } E[1 { j: i Y j }] Pr ( j : i Y j) + B T + (1 + ɛ) it +1 Pr ( j : i Y j) Proof of Theorem 3 To start ith, upper and loer bounds on Pr (S kn 0) ill be shon in terms of k 1 For l 1, let S (l) N N 1 { j: (l 1)N+i Y j }, so that S (1) N SN By taking 0 (l 1)N and Y 0 Y j here j is the smallest index such that ( (l 1)N, Y j) Ω and Y j (l 1)N, then by Lemma 34 e may bound: But and so B T + (1 + ɛ) 1 Pr S (l) N 0 S (l 1)N 0 (1 4ɛ) 1 + 1 + 1 BT Pr (S kn 0) ky l1 Pr S (l) N 0 S (l 1)N 0 1 (1 4ɛ) 1 + 1 +! 1 k BT Pr (S kn 0) (1 B T (1 + ɛ)) k These upper and loer bounds ill no be used to bound the collision time

First, the upper bound E min{i : S i > 0} E 1 {Si 0} 1 + Pr (S i 0) i0 Pr (S kn 0) N k0 i0 N 1 (1 4ɛ) 1 + 1 + BT k0 (1 4ɛ) 1 N 1 + 1 + «BT q This is minimized hen N T + the upper bound of the theorem To sho the loer bound, take i0 1! k (1+B T )T, hich gives U E min{i : S i > 0} Pr (S i 0) Pr (S kn 0) N N k1 (1 B T (1 + ɛ)) k k1 «1 N B T + (1 + ɛ) 1 If B T 1 then the bound stated in the theorem is trivial, so assume B T < 1 If B T (1 B T ) < T U(1 + ɛ) then the imum of the above bound is at N T In this case the bound is «1 E min{i : S i > 0} N 1 B T 1 BT U(1 + ɛ) T When B T (1 B T ) T U(1 + ɛ) then the imum is at N γ(1 γ), here γ p B U(1+ɛ) T T U(1 + ɛ) In this case the bound is 1 p B T T U(1 + ɛ) E min{i : S i > 0} U(1 + ɛ) (1 B T ) U(1 + ɛ) To bound the value of B T it ill prove easier to consider those intersections that occur early in the Y j alk separately from those that occur later Lemma 35 Let γ [0, 1] and τ T be such that Then ( 0, Y 0) Ω : Pr (Y τ < T ) γ B T γt + (τ T )U(1 + ɛ) + Proof Recall that B T ( 0,Y 0 ) Ω (1 + i) u,v Pi (u, v) Pr ( j : i Y j) When j > τ then Pr ( j > τ : i Y j) T Pr (Y τ < T ) When T < j τ then γt Pr ( j (T, τ] : i Y j) E τ jt +1 τ jt +1 τ jt +1 τ jt +1 E 1 {i Y j } 1 {i Y j } Pr ( i [1, T ] : i Y j) Pr ( i : i Y j) (τ T )U(1 + ɛ) The first equality is because the alks are increasing, so for fixed i there can be at most one j ith i Y j Likeise for the third equality but for fixed j The final inequality is because Ω is symmetric, so the uniform intersection time also holds if the roles of the and Y alks are reversed When j T then Pr ( j T : i Y j) P i ( 0, )P j (Y 0, ) j0 u,v Pi (u, v) i (1 + 1 {j<i} ) P j (z, ) j0 (1 + i) u,v Pi (u, v) The second inequality follos by letting i denote the larger of the to indices and j the smaller The final equality is because P Pj (z, ) 1 4 CATCHING KANGAROOS The collision results of the previous section ill no be applied to the Kangaroo method Recall that d is chosen so that the average step size is roughly b a, and so in particular the uniform intersection probability is Throughout e take U d + 1 d+1 1 b a Ω {( 0, Y 0) Z Z : 0 Y 0 < d } The first step in bounding collision time ill be to bound the uniform intersection time This ill be done by selecting some d of the first T steps of the i alk (for suitable T ), and using these to construct a uniformly random d-bit z

binary string hich is independent of the specific step sizes taken on other steps This implies that if i T then the i alk is uniformly distributed over some interval of d elements, and so the probability that some i Y j ill be exactly the expected number of times the Y j alk visits this interval, divided by the interval size (ie d ) Lemma 41 The Kangaroo alk has «3 T (d + 1) ln + (d + 1) ln d d + 1 That is, if ( 0, Y 0) Ω and i (d + 1) ln + (d + 1) ln d then Pr ( j : i Yj) 1 U 3 d + 1 3 log b a Proof The i alk ill be implemented by choosing k uar {0, 1,, d} and then flipping a coin to decide hether to increment by k or k+1 (if k d then increment by d or 0 ) We say generator k has been chosen if value k as chosen, even though the step size taken might not be k We no decompose the i alk into a fe components For k {0, 1,, d 1} let δ k denote the step taken the first time generator k is chosen, so that δ k k uar {0, k } Also, let T be the first time all of the generators { k } d 1 k0 have been chosen (so ignore generator d ) Define d 1 δ (δ k k ) uar {0, 1,, d 1} k0 and let I i denote the sum of all increments in the first i steps except those incorporated in a δ k, so that if i T then i 0 + I i + d 1 + δ Suppose i T Then δ is independent of the value of I i, and so i uar [ 0 + I i + d 1, 0 + I i + d+1 ] Observe that 0 + I i + d 1 0 + d 1 Y 0 Since U 1 is the average step size for Y j then Pr ( j : i Y j i T ) E {Y j} [ 0 + I i + d 1, 0 + I i + d+1 ] d /U 1 d U d An upper bound of U + d follos by taking ceiling instead of floor, and so Pr ( j : i Y j i T ) U d () Next, consider T In T steps the probability that not all generators { k } d 1 k0 have been chosen is at most Pr (T > T ) d 1 1 «T de T /(d+1) d + 1 It follos that Pr T (d + 1) ln d d+1 (d+1) Thus, if i (d + 1) ln + (d + 1) ln d then Pr ( j : i Y j) (1 Pr (T > i))pr ( j : i Y j i T ) d +Pr (T > i) Pr ( j : i Y j i < T ) Since 0 Pr (T > i) (d+1) and the other probabilities are in [0, 1], then Pr ( j : i Y j) Pr ( j : i Y j i T ) (d+1) By () and (3) then Pr ( j : i Y j) U d + (d+1) 3U d + 1 It remains only to upper bound B T Lemma 4 If T (d + 1) ln + (d + 1) ln d then B T o d (1) Proof This ill be shon by applying Lemma 35 We compute the first fe values of v P i (u, v) directly Observe that P i c (u, v) is exactly i here c (d+1) i i is the number of ays to rite v u as the sum of i (non-distinct, ordered) elements of { k } d k0 To determine c i note that if the binary expansion of v u contains B non-zero bits, then any non-zero bit l came about as the sum of at most i B + 1 terms of { k } l kl (i B), and so any string of more than i B consecutive zeros can be contracted to i B zeros ithout effecting the number of ays to rite v u, ie it suffices to consider all B B(i B + 1) ` i+1 bit strings This simplifies the problem into fe enough cases to make it feasible by brute force, done either by hand or on a computer Either ay e find the folloing: i c i at v u 1 1 1! 11 3 3! 111 ` `3 4 4 1,1,1 36 101010 ` `3 5 5 `,,1 + `3 5 1,1,1,1 70 100100100 6 `4 ` ` 6,,1,1 + `4 6 1,1,1,1,1 50 100100100100 If i 6 then v P i (u, v) v v P i 6 (u, )P 6 (, v) P i 6 (u, ) P6 (, v),v P6 (, v) 50 (d + 1) 6 because P Pi 6 (u, ) 1 Hence (1 + i) u,v Pi (u, v) 3 1 d + 1 + 5 (d + 1) + 7 6 (d + 1) 3 + 9 36 (d + 1) 4 11 70 (T 5)(T + 7)50 + + (d + 1) 5 (d + 1) 6 50(ln ) (d + 1) o d (1) (3)

It remains only to find values for τ and γ in Lemma 35 Suppose ( 0, Y 0) Ω, ie 0 Y 0 < d Then T 0 + T d < Y 0 + (T + 1) d Consider the Y j alk In the first τ (d + 1)(T + 1) steps the expected number of steps of size d is µ (T + 1), so that E[Y τ Y 0] (T +1) d With δ 1/ then a Chernoff bound implies that Pr (Y τ < T ) e µδ / e ln()(d+1) /8 (d+1) /4 It thus suffices to take τ (d+1)(t +1) ( ln +o(1))(d+ 1) 3, ith γ (d+1) /4 and γt o d (1) Remark 43 It is possible to avoid computing poers of P at the cost of a eaker bound on the rate of convergence of B T to zero When i [1, 3 d + 1] use the bound u,v Pi (u, v) P i 1 (u, )P(, v) u,v u,v P i 1 1 (u, ) d + 1 1 d + 1 When i > κ 3 d + 1 then consider the proof of Lemma 41 Let R denote the generators chosen in the first i steps, and I i denote the sum of the increments in the first i steps except P those the first time a generator as chosen Then k R (δ k k ) is a uniform random variable in a set of R possible values, so Hence, Then Pr ( i v R) I i Pr ( i v R, I i) R u,v Pi (u, v) Pr ( R κ) 1 + Pr ( R > κ) κ! «i d + 1 κ 1 + 1 1 κ d + 1 κ (d + 1) κ (d + 1) i/3 + κ (d + 1) κ/3 + κ B T γt + (τ T )U(1 + ɛ) κ 1 + i + d + 1 + T (1 + i) (d + 1) κ/3 + κ κ+1 O (d + 1) 1/3 o d (1) We can no prove the main result of the paper Proof of Theorem 11 Note that the group elements g (k) can be pre-computed, so that each step of a kangaroo requires only a single group multiplication As discussed in the heuristic argument of Section, an average of Y 0 0 b a/ steps are needed to put the smaller of the starting states (eg Y 0 < 0) ithin d of the one that started ahead If the Distinguished Points are uniformly randomly distributed then the heuristic for these points is again correct If instead they are roughly constantly spaced and c Ω(d log d) then observe that, in the proof of Lemma 41, it as established that after T T (ɛ) (d + 1) ln + (d + 1) ln d steps the kangaroos ill be nearly uniformly random over some interval of length d 1 4 b a log b a; so if the Distinguished Points cover a c b a fraction of vertices, then an average of b a such samples are needed, hich c amounts to T b a o c d (1) b a extra steps It remains to make rigorous the claim regarding p 1 In the remainder e may thus assume that Y 0 0 < d Take ɛ 3 3 d+1 log b a By Lemma 41, the uniform intersection time is T T (ɛ) (d + 1) ln + (d + 1) ln d ith uniform intersection probability U b a, hile by Lemma 4 also B T o(1) The upper bound of Theorem 3 is then ` 1 + o(1) b a The loer bound of Theorem 3 is then ` 1 o(1) b a Acknoledgments The authors thank Dan Boneh for encouraging them to study the Kangaroo method, and John Pollard for several helpful comments 5 REFERENCES [1] D Boneh and Boyen, Short Signatures Without Random Oracles, Proc of Eurocrypt 004, LNCS 307, pp 56 73 (004) [] J-H Kim, R Montenegro, Y Peres and P Tetali, A Birthday Paradox for Markov chains, ith an optimal bound for collision in the Pollard Rho Algorithm for Discrete Logarithm, Proc of the 8th Algorithmic Number Theory Symposium (ANTS-VIII), Springer LNCS vol 5011, pp 40 415 (008) [3] J Lagarias, E Rains and RJ Vanderbei, The Kruskal Count, in The Mathematics of Preference, Choice and Order Essays in Honor of Peter J Fishburn, (Stephen Brams, William V Gehrlein and Fred S Roberts, Eds), Springer-Verlag: Berlin Heidelberg, pp 371 391 (009) [4] S Miller and R Venkatesan, Spectral Analysis of Pollard Rho Collisions, Proc of the 7th Algorithmic Number Theory Symposium (ANTS-VII), Springer LNCS vol 4076, pp 573 581 (006) [5] PC van Oorschot and MJ Wiener, Parallel collision search ith cryptanalytic applications, Journal of Cryptology, vol 1 no 1, pp 1 8 (1999) [6] J Pollard, Monte Carlo methods for index computation mod p, Mathematics of Computation, vol 3 no 143, pp 918 94 (1978) [7] J Pollard, Kangaroos, Monopoly and Discrete Logarithms, Journal of Cryptology, vol 13 no 4, pp 437 447 (000) [8] E Teske, Square-root Algorithms for the Discrete Logarithm Problem (A Survey), in Public-Key Cryptography and Computational Number Theory, Walter de Gruyter, Berlin - Ne York, pp 83 301 (001)

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback