Ho Long Does it Take to Catch a Wild Kangaroo? Ravi Montenegro Prasad Tetali ABSTRACT The discrete logarithm problem asks to solve for the exponent x, given the generator g of a cyclic group G and an element h G such that g x h We give the first rigorous proof that Pollard s Kangaroo method finds the discrete logarithm in expected time (3+o(1)) b a for the orst value of x [a, b], and ( + o(1)) b a hen x uar [a, b] This matches the conjectured time complexity and, rare among the analysis of algorithms based on Markov chains, even the lead constants and 3 are correct ACM Classifiers: F1, G3 General Terms: Algorithms, Theory Keyords: Pollard s Kangaroo method, digital signature, discrete logarithm, Markov chain, mixing time 1 INTRODUCTION Cryptographic schemes are generally constructed in such a ay that breaking them ill likely require solving some presumably difficult computational problem, such as finding prime factors of a large integer or solving a discrete logarithm problem Recall that the discrete logarithm problem asks to solve for the exponent x, given the generator g of a cyclic group G and an element h G such that g x h The Diffie-Hellman key exchange, ElGamal cryptosystem, and the US government s DSA (Digital Signature Algorithm) are all based on an assumption that discrete logarithm is difficult to find Algorithms motivated by probabilistic intuition are often used to solve these problems and yet, although heuristics can be given for the time complexity of these methods, rigorous results are rare Department of Mathematical Sciences, University of Massachusetts at Loell, Loell, MA 01854, USA Email: ravi montenegro@umledu School of Mathematics and School of Computer Science, Georgia Institute of Technology, Atlanta, GA 3033, USA Email: tetali@mathgatechedu; research supported in part by NSF grants DMS 040139, 0701043 Permission to make digital or hard copies of all or part of this ork for personal or classroom use is granted ithout fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page To copy otherise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee STOC 09, May 31 June, 009, Bethesda, Maryland, USA Copyright 009 ACM 978-1-60558-506-/09/05 $500 In [, 4] one such method is considered, namely Pollard s Rho Algorithm to find the discrete logarithm on a cyclic group G, verifying the correctness of commonly held intuition This ork generated further interest in the cryptography community, and Dan Boneh in particular encouraged us to analyze Pollard s Kangaroo method [6], due to its very many applications While the Rho Algorithm is motivated by the Birthday Problem, the Kangaroo method orks on the same principle as the Kruskal Count [7] When the discrete logarithm x is knon to lie in a small interval [a, b] ith b a G, this algorithm is expected to improve on the Rho algorithm, ith a run time averaging b a steps, versus p (π/) G for the Rho algorithm In fact, the Kangaroo method is often the most efficient means for finding discrete logarithm on an arbitrary cyclic group, as the Rho algorithm requires G be knon exactly and Shanks baby-step giant-step method requires too much memory Among the cases in hich this ould be useful, Boneh and Boyen [1] give a signature scheme in hich a shorter signature can be transmitted if the recipient uses the Kangaroo method to determine certain omitted information Verification of the time complexity of the Kangaroo method (as e do here) ould then make rigorous their claim that the missing bits can be efficiently constructed While the above is an application for signature communication, another natural application is in forging a signature For instance, in order to speed up computation of a signature the secret key x may be chosen from an interval [a, b] ith b a G, or an attack might reveal a sequence of consecutive bits at the beginning or end of the key, in hich cases the Kangaroo method can be used to find the key and forge a signature The Kangaroo method is based on running to independent sequences of hops (random alks), one starting at a knon state (the tame kangaroo ) and the other starting at the unknon value of the discrete logarithm x (the ild kangaroo ) The main result of this paper ill be a bound on the expected number of steps required until these random alks intersect and the logarithm is determined Theorem 11 Suppose g, h G are such that h g x for some x [a, b] The expected number of group operations required by the Distinguished Points implementation of the Kangaroo method is (3 + o(1)) b a hen x a or x b, and is otherise upper bounded by this If x is a uniform random value in [a, b], ie x uar [a, b], then the expected number of group operations is ( + o(1)) b a
We sho matching upper and loer bounds, so the lead constants are sharp, hich is quite rare among the analyses of algorithms based on Markov chains Previously the first bound as knon only by a rough heuristic, hile Pollard [7] gives a convincing but not completely rigorous argument for the second Given the practical significance of Pollard s Kangaroo method for solving the discrete logarithm problem, e find it surprising that there has been no fully rigorous analysis of this algorithm, particularly since it has been 30 years since it as first proposed in [6] Past ork on problems related to the Kruskal Count seem to be of little help here Pollard s argument of [7] gives rigorous results for specific values of b a, but the recurrence relations he uses can only be solved on a case-by-case basis by numerical computation Lagarias etal [3] used probabilistic methods to study the distance traveled before to alks intersect, but only for alks in hich the number of steps until an intersection as simple to bound Although our approach here borros a fe concepts from the study of the Rho algorithm in [], such as the use of a second moment method to study the number of intersections, a significant complication in studying this algorithm is that, hen b a G, the kangaroos ill have proceeded only a small ay around the cyclic group before the algorithm terminates As such, mixing time is no longer a useful notion, and instead a notion of convergence is required hich occurs long before the mixing time We expect that the tools developed in this paper to avoid this problem ill prove useful in examining other such randomized algorithms Our analysis assumes that the Kangaroo method involves a truly random hash function: if g G then F (g) is equally likely to be any of the jump sizes, independent of all other F (g ) In practice different hash functions ill be used on different groups hether over a subgroup of integers mod p, elliptic curve groups, etc but in general the hash is chosen to look random Since the Kangaroo method applies on all cyclic groups then a constructive proof ould involve the impossible task of explicitly constructing a hash on every cyclic group, and so the assumption of a truly random hash is made in all attempts at analyzing it of hich e are aare [8, 5, 7] The paper proceeds as follos In Section e introduce the Kangaroo method A general frameork for analyzing intersection of independent alks on the integers is constructed in Section 3 This is folloed by a detailed analysis for the Kangaroo method in Section 4 PRELIMINARIES We describe here the Kangaroo method, originally knon as the Lambda method for catching Kangaroos The Distinguished Points implementation of [5] is given because it is more efficient than the original implementation of [6] Problem: Given g, h G, solve for x [a, b] ith h g x Method: Pollard s Kangaroo method (distinguished points version) Preliminary Steps: Define a set D G of distinguished points, ith c b a for some constant c D G Define a set of jump sizes S {s 0, s 1,, s d } We consider poers of to, S { k } d k0, ith d log b a+ log log b a, chosen so that elements of S average to a jump size of b a Finally, a hash function F : G S The Algorithm: Let Y 0 a+b, 0 x, and d0 0 Observe that g 0 hg d 0 Recursively define Y j+1 Y j + F (g Y j ) and likeise d i+1 d i + F (hg d i ) This implicitly defines i+1 i + F (g i ) x + d i+1 If g Y j D then store the pair (g Y j, Y j Y 0) ith an identifier T (for tame) Likeise if g i hg d i D then store (g i, d i) ith an identifier W (for ild) Once some distinguished point has been stored ith both identifiers T and W, say g i g Y j here (g i, d j) and (g Y j, Y j Y 0) ere stored, then Y j i x + d i mod G x Y j d i mod G The Y j alk is called the tame kangaroo because its position is knon, hereas the position i of the ild kangaroo is to be determined by the algorithm This as originally knon as the Lambda method because the to alks are initially different, but once g Y j g i then they proceed along the same route, forming a λ shape Theorem 11 makes rigorous the folloing commonly used rough heuristic: Suppose Y 0 0 Run the tame kangaroo infinitely far Since the kangaroos have an average step size b a, one expects the ild kangaroo requires b a/ Y 0 0 steps to reach Y 0 Subsequently, at each step the probability that the ild kangaroo lands on a spot visited by the tame 1 kangaroo is roughly p b a/, so the expected number of additional steps by the ild kangaroo until a collision is then around p 1 b a By symmetry the tame kangaroo also averaged p 1 steps About b a additional steps are c required until a distinguished point is reached Since i and Y j are incremented simultaneously the total number of steps taken is then «Y0 0 + p 1 b a + (3 + c 1 ) b a b a/ c If 0 x uar [a, b] then E Y 0 0 b a/ b a and the bound is ( + c 1 ) b a Recall e assume a random hash function F : if g G then F (g) is equally likely to be any value in S, independent of all other F (g ) A second assumption is that the distinguished points are ell distributed ith c (b a) ; either they are chosen uniformly at random, or if c Ω(d log d) then roughly constant spacing beteen points ill suffice The assumption on distinguished points can be dropped if one instead analyzes Pollard s (sloer) original algorithm, to hich our methods also apply
3 UNIFORM INTERSECTION TIME AND A COLLISION BOUND In order to understand our approach to bounding time until the kangaroos have visited a common location, hich e call a collision, it ill be helpful to consider a simplified version of the Kangaroo method First, observe that because hash values F (g) are independent then i and Y j are independent random alks at least until they collide, and so to bound time until this occurs it suffices to assume they are independent random alks even after they have collided Second, these are random alks on Z/ G Z, so if e drop the modular arithmetic and ork on Z then the time until a collision can only be made orse Third, since the alks proceed strictly in the positive direction on Z then in order to determine the number of hops the ild kangaroo (described by i) takes until it is caught by the tame kangaroo (ie i Y j on Z), it suffices to run the tame kangaroo infinitely long and only after this have the ild kangaroo start hopping With these simplifications the problem reduces to one about intersection of alks i and Y j, both proceeding in the positive direction on the integers, in hich Y j proceeds an infinite number of steps and then i proceeds until some i Y j Thus, rather than considering a specific probability Pr ( i Y j) it is better to look at Pr ( j : i Y j) By symmetry, the same approach ill also bound the expected number of hops the tame kangaroo requires to reach the location here it can trap the ild kangaroo First hoever, because the alk does not proceed long enough to approach its stationary distribution (obvious on Z and also true on Z/ G Z hen b a G ), alternate notions resembling mixing time and a stationary distribution ill be required Recall the heuristic that at each step the probability of a collision is roughly the inverse of the average step size Our mixing time quantity ill measure the number of steps required for this to become a rigorous statement: Definition 31 Consider a Markov chain P on Z hich is increasing (ie P(u, v) > 0 only hen v > u) and transitive (ie u, v Z : P(u, v) P(0, v u)) Define the uniform intersection probability U by U P k1 1 kp(0, k) Let i and Y j denote independent alks starting from states ( 0, Y 0) Ω, here Ω {(x, y) Z Z : x y < {k : P(0, k) > 0}} If ɛ [0, 1] the uniform intersection time T (ɛ) N is ( ) i T, ( 0, Y 0) Ω, T (ɛ) min T Pr( j: iy j) 1 U ɛ If gcd{k : P(0, k) > 0} 1 then the uniform intersection time is finite To avoid clutter e rite T to denote T (ɛ) in the remainder More generally, our results ill apply if P is an increasing Markov chain on a poset S, ie P(u, v) > 0 only if u v, and Ω is a binary relation on S hich is reflexive, symmetric, and such that if ( 0, Y 0) Ω then i Y j : ( i, Y j) Ω (Y j i) A uniform intersection probability ould be any value U satisfying the definition for the uniform intersection time A natural approach to studying collisions is to consider an appropriate random variable counting the number of intersections of the to alks Toards this, let S N denote the number of times the i alk intersects the Y j alk in the first N steps, ie S N 1 { j: i Y j } The second moment method used ill involve shoing that Pr (S N > 0) is non-trivial for some N Our collision bound ill involve the quantity B T, the expected number of collisions in the first T steps beteen to independent alks started at nearby states To be precise, define: B T Pr ( j : i Y j) ( 0,Y 0 ) Ω Then the expected number of steps until a collision can be bounded as follos Theorem 3 Given an increasing Markov chain P on Z, if to independent alks have starting states ( 0, Y 0) Ω then 1 B T U(1 + ɛ) T E min{i > 0 : j, i Yj} (1 4ɛ) 1 T + r 1 + BT U If B T, ɛ 0 and U 1 T then these bounds sho that E min{i > 0 : j, i Y j} 1 U, hich makes rigorous the heuristic that the expected number of steps needed until a collision is the average step size It ill prove easiest to study S N by first considering the first and second moments of the number of intersections in steps T + 1 to N, ie R N it +1 1 { j: i Y j }, in terms of the uniform intersection time and probability: Lemma 33 Under the conditions of Theorem 3, if N T T (ɛ) then (1 ɛ) E[R N ] (1 + ɛ) E[R N ] 1/ (1 + ɛ) Proof The expectation E[R N ] satisfies E[R N ] E it +1 it +1 1 + 1 + 1/ BT 1 { j: i Y j } E[1 { j: i Y j }]! (1 ɛ) (1)
The inequality follos from the relation E[1 { j: i Y j }] Pr ( j : i Y j) The upper bound on E[R N ] follos by taking (1 + ɛ) in place of (1 ɛ) No for E[R N ] Note that " N # E[R N ] E 1 { j: i Y j }1 { l: k Y l } it +1 kt +1 it +1 kt +1 Pr ( j, l : i Y j, k Y l ) By symmetry it suffices to consider the case that k i > T Then if i Y j then because the and Y alks are increasing then k Y l is possible only if l j When k > i+t then Pr ( l : k Y l i Y j) U(1+ ɛ) by definition of T, and so Pr ( j, l : i Y j, k Y l ) Pr ( j : i Y j) Pr ( l : k Y l i Y j) (1 + ɛ) U When k i + T then i+t ki+1 Pr ( j, l : i Y j, k Y l ) Pr ( j : i Y j) Pr ( l : k Y l 0 Y 0 u) u k1 B T U(1 + ɛ), since i T It follos that E[R N ] it +1 + Pr ( j : i Y j) + i+t ki+1 it +1 ki+t +1 «Pr ( j, l : i Y j, k Y l ) Pr ( j, l : i Y j, k Y l ) (1 + ɛ)(1 + B T ) (N T )(N T + 1) + U (1 + ɛ) (1 + ɛ) U (N T ) 1 1 + B T + (1 + ɛ)u(n T ) This shos that if the number of steps N is much bigger than U 1 then the standard deviation ill be small relative to expectation Thus R N is concentrated around its mean In particular e have Lemma 34 Under the conditions of Theorem 3, if N T then Pr (S N > 0) B T + (1 + ɛ) Pr (S N > 0) (1 4ɛ) 1 + 1 + 1 BT Proof Observe that Pr (S N > 0) Pr (R N > 0), so for the loer bound it suffices to consider R N Recall the standard second moment bound: using Cauchy-Schartz, e have that E[R N ] E[R N 1 {RN >0}] E[R N ] 1/ E[1 {RN >0}] 1/ and hence Pr (R N > 0) E[R N ] /E[R N ] By Lemma 33 then, independent of starting point, «1 ɛ Pr (R N > 0) 1 + 1 + 1 BT 1 + ɛ (1 4ɛ) 1 + 1 + 1 BT, 1 ɛ since 1+ɛ 1 4ɛ, for ɛ 0 No to upper bound Pr (S N > 0) Since S N N then Pr (S N > 0) E[1 {SN >0}] E[S N ] The expectation E[S N ] satisfies E[S N ] E 1 { j: i Y j } E[1 { j: i Y j }] Pr ( j : i Y j) + B T + (1 + ɛ) it +1 Pr ( j : i Y j) Proof of Theorem 3 To start ith, upper and loer bounds on Pr (S kn 0) ill be shon in terms of k 1 For l 1, let S (l) N N 1 { j: (l 1)N+i Y j }, so that S (1) N SN By taking 0 (l 1)N and Y 0 Y j here j is the smallest index such that ( (l 1)N, Y j) Ω and Y j (l 1)N, then by Lemma 34 e may bound: But and so B T + (1 + ɛ) 1 Pr S (l) N 0 S (l 1)N 0 (1 4ɛ) 1 + 1 + 1 BT Pr (S kn 0) ky l1 Pr S (l) N 0 S (l 1)N 0 1 (1 4ɛ) 1 + 1 +! 1 k BT Pr (S kn 0) (1 B T (1 + ɛ)) k These upper and loer bounds ill no be used to bound the collision time
First, the upper bound E min{i : S i > 0} E 1 {Si 0} 1 + Pr (S i 0) i0 Pr (S kn 0) N k0 i0 N 1 (1 4ɛ) 1 + 1 + BT k0 (1 4ɛ) 1 N 1 + 1 + «BT q This is minimized hen N T + the upper bound of the theorem To sho the loer bound, take i0 1! k (1+B T )T, hich gives U E min{i : S i > 0} Pr (S i 0) Pr (S kn 0) N N k1 (1 B T (1 + ɛ)) k k1 «1 N B T + (1 + ɛ) 1 If B T 1 then the bound stated in the theorem is trivial, so assume B T < 1 If B T (1 B T ) < T U(1 + ɛ) then the imum of the above bound is at N T In this case the bound is «1 E min{i : S i > 0} N 1 B T 1 BT U(1 + ɛ) T When B T (1 B T ) T U(1 + ɛ) then the imum is at N γ(1 γ), here γ p B U(1+ɛ) T T U(1 + ɛ) In this case the bound is 1 p B T T U(1 + ɛ) E min{i : S i > 0} U(1 + ɛ) (1 B T ) U(1 + ɛ) To bound the value of B T it ill prove easier to consider those intersections that occur early in the Y j alk separately from those that occur later Lemma 35 Let γ [0, 1] and τ T be such that Then ( 0, Y 0) Ω : Pr (Y τ < T ) γ B T γt + (τ T )U(1 + ɛ) + Proof Recall that B T ( 0,Y 0 ) Ω (1 + i) u,v Pi (u, v) Pr ( j : i Y j) When j > τ then Pr ( j > τ : i Y j) T Pr (Y τ < T ) When T < j τ then γt Pr ( j (T, τ] : i Y j) E τ jt +1 τ jt +1 τ jt +1 τ jt +1 E 1 {i Y j } 1 {i Y j } Pr ( i [1, T ] : i Y j) Pr ( i : i Y j) (τ T )U(1 + ɛ) The first equality is because the alks are increasing, so for fixed i there can be at most one j ith i Y j Likeise for the third equality but for fixed j The final inequality is because Ω is symmetric, so the uniform intersection time also holds if the roles of the and Y alks are reversed When j T then Pr ( j T : i Y j) P i ( 0, )P j (Y 0, ) j0 u,v Pi (u, v) i (1 + 1 {j<i} ) P j (z, ) j0 (1 + i) u,v Pi (u, v) The second inequality follos by letting i denote the larger of the to indices and j the smaller The final equality is because P Pj (z, ) 1 4 CATCHING KANGAROOS The collision results of the previous section ill no be applied to the Kangaroo method Recall that d is chosen so that the average step size is roughly b a, and so in particular the uniform intersection probability is Throughout e take U d + 1 d+1 1 b a Ω {( 0, Y 0) Z Z : 0 Y 0 < d } The first step in bounding collision time ill be to bound the uniform intersection time This ill be done by selecting some d of the first T steps of the i alk (for suitable T ), and using these to construct a uniformly random d-bit z
binary string hich is independent of the specific step sizes taken on other steps This implies that if i T then the i alk is uniformly distributed over some interval of d elements, and so the probability that some i Y j ill be exactly the expected number of times the Y j alk visits this interval, divided by the interval size (ie d ) Lemma 41 The Kangaroo alk has «3 T (d + 1) ln + (d + 1) ln d d + 1 That is, if ( 0, Y 0) Ω and i (d + 1) ln + (d + 1) ln d then Pr ( j : i Yj) 1 U 3 d + 1 3 log b a Proof The i alk ill be implemented by choosing k uar {0, 1,, d} and then flipping a coin to decide hether to increment by k or k+1 (if k d then increment by d or 0 ) We say generator k has been chosen if value k as chosen, even though the step size taken might not be k We no decompose the i alk into a fe components For k {0, 1,, d 1} let δ k denote the step taken the first time generator k is chosen, so that δ k k uar {0, k } Also, let T be the first time all of the generators { k } d 1 k0 have been chosen (so ignore generator d ) Define d 1 δ (δ k k ) uar {0, 1,, d 1} k0 and let I i denote the sum of all increments in the first i steps except those incorporated in a δ k, so that if i T then i 0 + I i + d 1 + δ Suppose i T Then δ is independent of the value of I i, and so i uar [ 0 + I i + d 1, 0 + I i + d+1 ] Observe that 0 + I i + d 1 0 + d 1 Y 0 Since U 1 is the average step size for Y j then Pr ( j : i Y j i T ) E {Y j} [ 0 + I i + d 1, 0 + I i + d+1 ] d /U 1 d U d An upper bound of U + d follos by taking ceiling instead of floor, and so Pr ( j : i Y j i T ) U d () Next, consider T In T steps the probability that not all generators { k } d 1 k0 have been chosen is at most Pr (T > T ) d 1 1 «T de T /(d+1) d + 1 It follos that Pr T (d + 1) ln d d+1 (d+1) Thus, if i (d + 1) ln + (d + 1) ln d then Pr ( j : i Y j) (1 Pr (T > i))pr ( j : i Y j i T ) d +Pr (T > i) Pr ( j : i Y j i < T ) Since 0 Pr (T > i) (d+1) and the other probabilities are in [0, 1], then Pr ( j : i Y j) Pr ( j : i Y j i T ) (d+1) By () and (3) then Pr ( j : i Y j) U d + (d+1) 3U d + 1 It remains only to upper bound B T Lemma 4 If T (d + 1) ln + (d + 1) ln d then B T o d (1) Proof This ill be shon by applying Lemma 35 We compute the first fe values of v P i (u, v) directly Observe that P i c (u, v) is exactly i here c (d+1) i i is the number of ays to rite v u as the sum of i (non-distinct, ordered) elements of { k } d k0 To determine c i note that if the binary expansion of v u contains B non-zero bits, then any non-zero bit l came about as the sum of at most i B + 1 terms of { k } l kl (i B), and so any string of more than i B consecutive zeros can be contracted to i B zeros ithout effecting the number of ays to rite v u, ie it suffices to consider all B B(i B + 1) ` i+1 bit strings This simplifies the problem into fe enough cases to make it feasible by brute force, done either by hand or on a computer Either ay e find the folloing: i c i at v u 1 1 1! 11 3 3! 111 ` `3 4 4 1,1,1 36 101010 ` `3 5 5 `,,1 + `3 5 1,1,1,1 70 100100100 6 `4 ` ` 6,,1,1 + `4 6 1,1,1,1,1 50 100100100100 If i 6 then v P i (u, v) v v P i 6 (u, )P 6 (, v) P i 6 (u, ) P6 (, v),v P6 (, v) 50 (d + 1) 6 because P Pi 6 (u, ) 1 Hence (1 + i) u,v Pi (u, v) 3 1 d + 1 + 5 (d + 1) + 7 6 (d + 1) 3 + 9 36 (d + 1) 4 11 70 (T 5)(T + 7)50 + + (d + 1) 5 (d + 1) 6 50(ln ) (d + 1) o d (1) (3)
It remains only to find values for τ and γ in Lemma 35 Suppose ( 0, Y 0) Ω, ie 0 Y 0 < d Then T 0 + T d < Y 0 + (T + 1) d Consider the Y j alk In the first τ (d + 1)(T + 1) steps the expected number of steps of size d is µ (T + 1), so that E[Y τ Y 0] (T +1) d With δ 1/ then a Chernoff bound implies that Pr (Y τ < T ) e µδ / e ln()(d+1) /8 (d+1) /4 It thus suffices to take τ (d+1)(t +1) ( ln +o(1))(d+ 1) 3, ith γ (d+1) /4 and γt o d (1) Remark 43 It is possible to avoid computing poers of P at the cost of a eaker bound on the rate of convergence of B T to zero When i [1, 3 d + 1] use the bound u,v Pi (u, v) P i 1 (u, )P(, v) u,v u,v P i 1 1 (u, ) d + 1 1 d + 1 When i > κ 3 d + 1 then consider the proof of Lemma 41 Let R denote the generators chosen in the first i steps, and I i denote the sum of the increments in the first i steps except P those the first time a generator as chosen Then k R (δ k k ) is a uniform random variable in a set of R possible values, so Hence, Then Pr ( i v R) I i Pr ( i v R, I i) R u,v Pi (u, v) Pr ( R κ) 1 + Pr ( R > κ) κ! «i d + 1 κ 1 + 1 1 κ d + 1 κ (d + 1) κ (d + 1) i/3 + κ (d + 1) κ/3 + κ B T γt + (τ T )U(1 + ɛ) κ 1 + i + d + 1 + T (1 + i) (d + 1) κ/3 + κ κ+1 O (d + 1) 1/3 o d (1) We can no prove the main result of the paper Proof of Theorem 11 Note that the group elements g (k) can be pre-computed, so that each step of a kangaroo requires only a single group multiplication As discussed in the heuristic argument of Section, an average of Y 0 0 b a/ steps are needed to put the smaller of the starting states (eg Y 0 < 0) ithin d of the one that started ahead If the Distinguished Points are uniformly randomly distributed then the heuristic for these points is again correct If instead they are roughly constantly spaced and c Ω(d log d) then observe that, in the proof of Lemma 41, it as established that after T T (ɛ) (d + 1) ln + (d + 1) ln d steps the kangaroos ill be nearly uniformly random over some interval of length d 1 4 b a log b a; so if the Distinguished Points cover a c b a fraction of vertices, then an average of b a such samples are needed, hich c amounts to T b a o c d (1) b a extra steps It remains to make rigorous the claim regarding p 1 In the remainder e may thus assume that Y 0 0 < d Take ɛ 3 3 d+1 log b a By Lemma 41, the uniform intersection time is T T (ɛ) (d + 1) ln + (d + 1) ln d ith uniform intersection probability U b a, hile by Lemma 4 also B T o(1) The upper bound of Theorem 3 is then ` 1 + o(1) b a The loer bound of Theorem 3 is then ` 1 o(1) b a Acknoledgments The authors thank Dan Boneh for encouraging them to study the Kangaroo method, and John Pollard for several helpful comments 5 REFERENCES [1] D Boneh and Boyen, Short Signatures Without Random Oracles, Proc of Eurocrypt 004, LNCS 307, pp 56 73 (004) [] J-H Kim, R Montenegro, Y Peres and P Tetali, A Birthday Paradox for Markov chains, ith an optimal bound for collision in the Pollard Rho Algorithm for Discrete Logarithm, Proc of the 8th Algorithmic Number Theory Symposium (ANTS-VIII), Springer LNCS vol 5011, pp 40 415 (008) [3] J Lagarias, E Rains and RJ Vanderbei, The Kruskal Count, in The Mathematics of Preference, Choice and Order Essays in Honor of Peter J Fishburn, (Stephen Brams, William V Gehrlein and Fred S Roberts, Eds), Springer-Verlag: Berlin Heidelberg, pp 371 391 (009) [4] S Miller and R Venkatesan, Spectral Analysis of Pollard Rho Collisions, Proc of the 7th Algorithmic Number Theory Symposium (ANTS-VII), Springer LNCS vol 4076, pp 573 581 (006) [5] PC van Oorschot and MJ Wiener, Parallel collision search ith cryptanalytic applications, Journal of Cryptology, vol 1 no 1, pp 1 8 (1999) [6] J Pollard, Monte Carlo methods for index computation mod p, Mathematics of Computation, vol 3 no 143, pp 918 94 (1978) [7] J Pollard, Kangaroos, Monopoly and Discrete Logarithms, Journal of Cryptology, vol 13 no 4, pp 437 447 (000) [8] E Teske, Square-root Algorithms for the Discrete Logarithm Problem (A Survey), in Public-Key Cryptography and Computational Number Theory, Walter de Gruyter, Berlin - Ne York, pp 83 301 (001)