Preliminary version

How long does it take to catch a wild kangaroo?
Ravi Montenegro∗ and Prasad Tetali†
arXiv:0812.0789v1 [math.PR] 3 Dec 2008
December 3, 2008
Abstract
The discrete logarithm problem asks to solve for the exponent x, given the generator g of a cyclic group G and an element $h \in G$ such that $g^x = h$. We give the first rigorous proof that Pollard's Kangaroo method finds the discrete logarithm in expected time $(3 + o(1))\sqrt{b - a}$ when the logarithm $x \in [a, b]$, and $(2 + o(1))\sqrt{b - a}$ when $x \in_{\mathrm{uar}} [a, b]$. This matches the conjectured time complexity and, rare among the analysis of algorithms based on Markov chains, even the lead constants 2 and 3 are correct.
Keywords: Pollard’s Kangaroo method, digital signature, discrete logarithm, Markov chain,
mixing time.
1 Introduction
Cryptographic schemes are generally constructed in such a way that breaking them will likely
require solving some presumably difficult computational problem, such as finding prime factors or
solving a discrete logarithm problem. Recall that the discrete logarithm problem asks to solve for
the exponent x, given the generator g of a cyclic group G and an element h ∈ G such that gx = h.
The Diffie-Hellman key exchange, ElGamal cryptosystem, and the US government’s DSA (Digital
Signature Algorithm) are all based on an assumption that discrete logarithm is difficult to find. A
Birthday Attack is a common approach towards solving these problems, and although heuristics
can be given for the time complexity of these methods, rigorous results are rare.
In [3] we examined one such method, namely Pollard’s Rho Algorithm to find the discrete logarithm on a cyclic group G, and verified the correctness of commonly held intuition. This work
generated further interest among some of the experts in cryptography, and Dan Boneh [1] in particular encouraged us to analyze Pollard’s Kangaroo method [5], due to its very many applications.
When the discrete logarithm x is known to lie in a small interval [a, b] with $b - a \ll |G|$, this algorithm is expected to improve on the Rho algorithm, with a run time averaging $2\sqrt{b - a}$ steps, versus $\sqrt{(\pi/2)|G|}$ for the Rho algorithm. In fact, for some cyclic groups the Kangaroo method is the most efficient means known for finding discrete logarithm over an interval, as Shanks' baby-step giant-step method requires too much memory.
Among the cases in which this would be useful, Boneh and Boyen [2] give a signature scheme in
which a shorter signature can be transmitted if the receiver uses the Kangaroo method to determine
the missing information. Verification of the time complexity of the Kangaroo method (as we do
here) would then make rigorous their claim that the missing bits can be efficiently constructed.
While the above is an application for signature communication, another natural application is in
forging a signature. For instance, in order to speed up computation of a signature the secret key
x may be chosen from an interval [a, b] with b − a ≪ |G|, or an attack might reveal a sequence of
consecutive bits at the beginning or end of the key, in which cases the Kangaroo method can be
used to find the key and forge a signature.
∗ Department of Mathematical Sciences, University of Massachusetts at Lowell, Lowell, MA 01854, USA. Email: ravi [email protected]
† School of Mathematics and School of Computer Science, Georgia Institute of Technology, Atlanta, GA 30332, USA. Email: [email protected]; research supported in part by NSF grants DMS 0401239, 0701043.
The Kangaroo method is based on running two independent sequences of hops (random walks),
one starting at a known state (the “tame kangaroo”) and the other starting at the unknown value
of the discrete logarithm x (the “wild kangaroo”). The main result of this paper will be a bound
on the expected number of steps required by the kangaroos before the logarithm is determined. In
particular, we find that for the Distinguished Points implementation of the Kangaroo method,
Theorem 1.1. Suppose $g, h \in G$ are such that $h = g^x$ for some $x \in [a, b]$. The expected number of group operations required by the Kangaroo method is
\[ (3 + o(1))\sqrt{b - a} . \]
If $x \in_{\mathrm{uar}} [a, b]$ then the expected number of group operations is
\[ (2 + o(1))\sqrt{b - a} . \]
We show matching upper and lower bounds, so the lead constants are sharp, which is rare
among the analyses of algorithms based on Markov chains. Previously the first bound was known
only by rough heuristic, while Pollard [6] gives a convincing but not completely rigorous argument
for the second. Given the practical significance of Pollard’s Kangaroo method for solving the
discrete logarithm problem, we find it surprising that there has been no fully rigorous analysis of
this algorithm, particularly since it has been 30 years since it was first proposed in [5].
Although our approach borrows a few concepts from the study of the Rho algorithm in [3], such as
the use of a second moment method to study the number of intersections, a significant complication
in studying this algorithm is that when b − a ≪ |G| the kangaroos will have proceeded only a small
way around the cyclic group before the algorithm terminates. As such, mixing time is no longer a
useful notion, and instead a notion of convergence is required which occurs long before the mixing
time. We expect that the tools developed in this paper to avoid this problem will prove useful in
examining other randomized algorithms.
The paper proceeds as follows. In Section 2 we introduce the Kangaroo method. A general
framework for analysing intersection of independent walks on the integers is constructed in Section
3. This is followed by a detailed analysis for the Kangaroo method in Section 4. The Appendix
contains the proof of a technical lemma used in Section 3.
2 Preliminaries
We describe here the Kangaroo method, originally known as the Lambda method for catching
Kangaroos. The Distinguished Points implementation of [4] is given, rather than the original
implementation of [5], as the former is more efficient.
Problem: Given g, h ∈ G, solve for x ∈ [a, b] with h = gx .
Method: Pollard’s Kangaroo method (with distinguished points).
Preliminary Steps:
• Define a set D of “distinguished points”, with $|D|/|G| = c/\sqrt{b - a}$ for some constant c.
• Define a set of jump sizes $S = \{s_0, s_1, \ldots, s_d\}$. We consider powers of two, $S = \{2^k\}_{k=0}^{d}$, with $d = \log_2\sqrt{b - a} + \log_2\log_2\sqrt{b - a} - 2$ chosen so that elements of S average $\sqrt{b - a}/2$.
• Finally, a hash function $F : G \to S$.
The Algorithm:
• Let $X_0 = \frac{a + b}{2}$, $Y_0 = x$, and $d_0 = 0$. Observe that $g^{Y_0} = h g^{d_0}$.
• Recursively define $X_{i+1} = X_i + F(g^{X_i})$ and likewise $d_{i+1} = d_i + F(h g^{d_i})$. This implicitly defines $Y_{i+1} = Y_i + F(g^{Y_i}) = x + d_{i+1}$.
• If $g^{X_i} \in D$ then store the pair $(g^{X_i}, X_i - X_0)$ with an identifier T (for tame). Likewise if $g^{Y_i} = h g^{d_i} \in D$ then store $(g^{Y_i}, d_i)$ with an identifier W (for wild).
• Once some distinguished point has been stored with both identifiers T and W, say $g^{X_i} = g^{Y_j}$ where $(g^{X_i}, X_i - X_0)$ and $(g^{Y_j}, d_j)$ were stored, then
\[ X_i \equiv Y_j \equiv x + d_j \pmod{|G|} \implies x \equiv X_i - d_j \pmod{|G|} . \]
The Xi walk is called the “tame kangaroo” because its position is known, whereas the position
Yj of the “wild kangaroo” is to be determined by the algorithm. This was originally known as the
Lambda method because the two walks are initially different, but once gXi = gYj then they proceed
along the same route, forming a λ shape.
Theorem 1.1 makes rigorous the following commonly used rough heuristic: Suppose $X_0 \ge Y_0$. Run the tame kangaroo infinitely far. Since the kangaroos have an average step size $\sqrt{b - a}/2$, one expects the wild kangaroo requires $\frac{X_0 - Y_0}{\sqrt{b - a}/2}$ steps to reach $X_0$. Subsequently, at each step the probability that the wild kangaroo lands on a spot visited by the tame kangaroo is roughly $p = \frac{1}{\sqrt{b - a}/2}$, so the expected number of additional steps by the wild kangaroo until a collision is then around $p^{-1} = \frac{\sqrt{b - a}}{2}$. By symmetry the tame kangaroo also averaged $p^{-1}$ steps. About $\frac{\sqrt{b - a}}{c}$ additional steps are required until a distinguished point is reached. Since $X_i$ and $Y_i$ are incremented simultaneously the total number of steps taken is then
\[ 2 \left( \frac{|X_0 - Y_0|}{\sqrt{b - a}/2} + p^{-1} + \frac{\sqrt{b - a}}{c} \right) \le (3 + 2c^{-1})\sqrt{b - a} .\]
If $Y_0 = x \in_{\mathrm{uar}} [a, b]$ then $\mathbb{E}\frac{|X_0 - Y_0|}{\sqrt{b - a}/2} = \frac{\sqrt{b - a}}{2}$ and the bound is $(2 + 2c^{-1})\sqrt{b - a}$.
We make only two assumptions in our analysis. First, that the hash $F : G \to S$ is a random function, i.e. if $g \in G$ then $F(g)$ is equally likely to be any value in S, independent of all other $F(g')$. Second, that the distinguished points are well distributed with $c \to \infty$ as $(b - a) \to \infty$; either they are chosen uniformly at random, or if $c = \Omega(d^2 \log_2 d)$ then roughly constant spacing between points will suffice. The assumption on distinguished points can be dropped if we instead analyze Pollard's (slower) original algorithm, to which our methods also apply. Both assumptions are made in most discussions of the Kangaroo method [7, 4, 6], and so are quite acceptable.
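The following is an added example, not code from the paper, implementing the distinguished-points Kangaroo method exactly as laid out in the bullets above (tame start at $(a+b)/2$, power-of-two jumps with d chosen by the paper's formula, pairs stored at distinguished points) and measuring the group-operation count that the heuristic predicts. Assumptions made here for the sake of a runnable toy: the group is the multiplicative group modulo the Mersenne prime $2^{31} - 1$ with generator 7 (a known primitive root, so $|G| = 2^{31} - 2$), the random function on G is derived from SHA-256 of the element, distinguished points are recognised from hash bits, and the interval has $b - a = 2^{20}$. The names `kangaroo`, `average_ops`, `_hash32` and `_solve` are this example's, not the paper's.

```python
import hashlib
import math
import random

# Toy group assumed for this example: the multiplicative group of integers modulo
# the Mersenne prime 2^31 - 1, where 7 is a primitive root, so |G| = 2^31 - 2.
P = 2**31 - 1
G = 7
ORDER = P - 1
# Search interval assumed for the demonstration: b - a = 2^20, so sqrt(b - a) = 1024.
A, B = 1_000_000, 1_000_000 + 2**20


def _hash32(y):
    """32 hash bits of a group element; plays the role of the random function on G."""
    return int.from_bytes(hashlib.sha256(y.to_bytes(16, "big")).digest()[:4], "big")


def _solve(g, h, p, order, x_i, d_j):
    """X_i = Y_j = x + d_j (mod |G|)  =>  x = X_i - d_j (mod |G|); verified before returning."""
    x = (x_i - d_j) % order
    if pow(g, x, p) != h % p:
        raise ArithmeticError("stored pairs do not describe a true collision")
    return x


def kangaroo(g, h, a, b, p, order, c=32, max_ops=None):
    """Pollard's Kangaroo method with distinguished points, following Section 2.

    Returns (x, group_ops) with g^x = h and x in [a, b], or None if no collision was
    detected within max_ops group multiplications. group_ops counts every
    multiplication made by either kangaroo, the cost measure of Theorem 1.1.
    """
    root = math.sqrt(b - a)
    # d = log2 sqrt(b-a) + log2 log2 sqrt(b-a) - 2, rounded to an integer
    d = max(1, round(math.log2(root) + math.log2(math.log2(root)) - 2))
    jumps = [pow(g, 1 << k, p) for k in range(d + 1)]   # g^(2^k), pre-computed once
    # distinguished points: a c/sqrt(b-a) fraction of G, recognised from hash bits
    dp_mask = (1 << max(0, round(math.log2(root / c)))) - 1
    if max_ops is None:
        max_ops = int(200 * root)

    def jump_index(y):          # F(y) = 2^k for k = this index
        return _hash32(y) % (d + 1)

    def distinguished(y):
        return (_hash32(y) >> 16) & dp_mask == 0

    X = (a + b) // 2            # tame kangaroo: exponent X_i, element g^{X_i}
    gx = pow(g, X, p)
    dist = 0                    # wild kangaroo: offset d_i, element h g^{d_i}
    hy = h % p
    tame, wild = {}, {}         # distinguished element -> stored exponent / offset
    ops = 0
    while ops < max_ops:
        k = jump_index(gx)                  # tame hop
        X += 1 << k
        gx = gx * jumps[k] % p
        ops += 1
        if distinguished(gx):
            tame[gx] = X
            if gx in wild:
                return _solve(g, h, p, order, X, wild[gx]), ops
        k = jump_index(hy)                  # wild hop
        dist += 1 << k
        hy = hy * jumps[k] % p
        ops += 1
        if distinguished(hy):
            wild[hy] = dist
            if hy in tame:
                return _solve(g, h, p, order, tame[hy], dist), ops
    return None


def average_ops(a=A, b=B, trials=30, seed=1):
    """Mean group operations in units of sqrt(b-a) for x drawn uniformly from [a, b];
    the Section 2 heuristic predicts roughly 2 + 2/c for such x."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        x = rng.randint(a, b)
        result = kangaroo(G, pow(G, x, P), a, b, P, ORDER)
        if result is None or result[0] != x:
            raise RuntimeError("kangaroo did not recover x")
        total += result[1]
    return total / trials / math.sqrt(b - a)


if __name__ == "__main__":
    x_secret = A + 123_456
    print(kangaroo(G, pow(G, x_secret, P), A, B, P, ORDER))
    print(round(average_ops(), 2), "* sqrt(b - a) group operations on average")
```

With d rounded to 11 the mean jump here is $(2^{12} - 1)/12 \approx 341$ rather than exactly $\sqrt{b - a}/2 = 512$, so the measured ratio sits a little above the $2 + 2/c$ the heuristic gives; the point of `average_ops` is that the cost scales with $\sqrt{b - a}$ and a small constant, not with the group order.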
3 Uniform Intersection Time and a Collision Bound
In order to understand our approach to bounding time until the kangaroos have visited a common
location, which we call a collision, it will be helpful to consider a simplified version of the Kangaroo
method. First, observe by the assumption about the hash F : G → S that Xi and Yj are independent random walks at least until they collide, and so to bound time until this occurs it suffices
to assume they are independent random walks even after they have collided. Second, these are
random walks on Z/|G|Z, so if we drop the modular arithmetic and work on Z then the time until
a collision can only be made worse. Third, since the walks proceed strictly in the positive direction
on Z then in order to determine the number of hops the “tame kangaroo” (described by Xi ) takes
until it meets the “wild kangaroo” (i.e. Xi = Yj on Z), it suffices to run the wild kangaroo infinitely
long and only after this have the tame kangaroo start hopping.
With these simplifications the problem reduces to one about intersection of walks Xi and Yj ,
both proceeding in the positive direction on the integers, in which Yj proceeds an infinite number
of steps and then Xi proceeds some N steps until ∃j, XN = Yj . Thus, rather than considering a
specific probability Pr[Xi = Yj ] it is better to look at Pr[∃j, Xi = Yj ]. By symmetry, the same
approach will also bound the expected number of hops the wild kangaroo requires to reach a location
the tame kangaroo visits.
First however, because the walk does not proceed long enough to approach its stationary distribution (true on both Z/|G|Z and more obviously on Z), alternate notions resembling mixing time
and a stationary distribution will be required.
Definition 3.1. Consider a Markov chain P on $\mathbb{Z}$ which is non-decreasing, i.e. $P(u, v) > 0$ only when $v \ge u$. Let $X_i$ and $Y_j$ denote independent walks starting at states $(X_0, Y_0) \in \Omega \subseteq \mathbb{Z} \times \mathbb{Z}$, for some set of permitted initial states $\Omega \supset \cup_{v \in \mathbb{Z}} \{(v, v)\}$. For fixed $\epsilon \in [0, 1]$, the uniform intersection time $T(\epsilon) \in \mathbb{N}$ and uniform intersection probability $U \in \mathbb{R}^+$ are such that
\[ \forall i \ge T(\epsilon) : \quad (1 - \epsilon)U \le \Pr(\exists j, X_i = Y_j) \le (1 + \epsilon)U . \]
We do not attempt to show a general existence result for uniform intersection time and probability, as our primary interest is in the Kangaroo method. Also, to avoid clutter we write T to denote $T(\epsilon)$ in the remainder.
A natural approach is to consider an appropriate random variable counting the number of intersections of the two walks. Towards this, let $S_N$ denote the number of times the $X_i$ walk intersects the $Y_j$ walk in the first N steps, i.e.
\[ S_N = \sum_{i=1}^{N} 1_{\{\exists j : X_i = Y_j\}} . \]
The second moment method used will involve showing that $\Pr[S_N > 0]$ is non-trivial for some N. Our collision bound will involve the quantity $B_T$, an upper bound on the expected number of collisions in the first T steps between two independent walks. To be precise, define:
\[ B_T = \max_{(X_0, Y_0) \in \Omega} \sum_{i=1}^{T} \Pr[\exists j, X_i = Y_j] . \]
Then the expected number of steps until a collision can be bounded as follows.
Theorem 3.2. Consider a non-decreasing Markov chain on $\mathbb{Z}$, two independent walks with starting states $(X_0, Y_0) \in \Omega$, and uniform intersection time and probability $T = T(\epsilon)$ and U respectively. Then
\[ \frac{(1 - \sqrt{B_T})^2}{U(1 + \epsilon)} - T \le \mathbb{E}\min\{i > 0 : \exists j, X_i = Y_j\} \le (1 - 4\epsilon)^{-1} \left( \sqrt{T} + \sqrt{\frac{1 + 2B_T}{U}} \right)^2 . \]
If $B_T, \epsilon \approx 0$ and $U^{-1} \gg T$ then these bounds show that
\[ \mathbb{E}\min\{i > 0 : \exists j, X_i = Y_j\} \sim \frac{1}{U} . \]
It will prove easiest to study $S_N$ by first considering the first and second moments of the number of intersections in steps $T + 1$ to N, i.e.
\[ \bar{S}_N = \sum_{i=T+1}^{N} 1_{\{\exists j : X_i = Y_j\}} , \]
in terms of the uniform intersection time and probability:
Lemma 3.3. Under the conditions of Theorem 3.2, if $N \ge T$ then
\[ (1 - \epsilon)(N - T)U \le \mathbb{E}[\bar{S}_N] \le (1 + \epsilon)(N - T)U , \]
\[ \mathbb{E}[\bar{S}_N^2] \le (1 + \epsilon)^2 (N - T)^2 U^2 \left( 1 + \frac{1 + 2B_T}{(N - T)U} \right) . \]
This is a technical lemma and offers little insight into our proof, so it is left for the Appendix.
We now upper and lower bound the probability of an intersection in the first N steps:
Lemma 3.4. Under the conditions of Theorem 3.2, if $N \ge T$ then
\[ B_T + (N - T)U(1 + \epsilon) \ge \Pr[S_N > 0] \ge (1 - 4\epsilon) \left( 1 + \frac{1 + 2B_T}{(N - T)U} \right)^{-1} . \]
Proof. Observe that $\Pr[S_N > 0] \ge \Pr[\bar{S}_N > 0]$, so for the lower bound it suffices to consider $\bar{S}_N$. Recall the standard second moment bound: using Cauchy-Schwarz, we have that
\[ \mathbb{E}[\bar{S}_N] = \mathbb{E}[\bar{S}_N 1_{\{\bar{S}_N > 0\}}] \le \mathbb{E}[\bar{S}_N^2]^{1/2} \, \mathbb{E}[1_{\{\bar{S}_N > 0\}}]^{1/2} \]
and hence $\Pr[\bar{S}_N > 0] \ge \mathbb{E}[\bar{S}_N]^2 / \mathbb{E}[\bar{S}_N^2]$. By Lemma 3.3 then, independent of starting point,
\[ \Pr[\bar{S}_N > 0] \ge \left( \frac{1 - \epsilon}{1 + \epsilon} \right)^2 \left( 1 + \frac{1 + 2B_T}{(N - T)U} \right)^{-1} \ge (1 - 4\epsilon) \left( 1 + \frac{1 + 2B_T}{(N - T)U} \right)^{-1} , \]
since $\left( \frac{1 - \epsilon}{1 + \epsilon} \right)^2 \ge 1 - 4\epsilon$, for $\epsilon \ge 0$.
Now to upper bound $\Pr[S_N > 0]$. Since $S_N \in \mathbb{N}$ then
\[ \Pr[S_N > 0] = \mathbb{E}[1_{S_N > 0}] \le \mathbb{E}[S_N] . \]
The expectation $\mathbb{E}[S_N]$ satisfies
\[ \mathbb{E}[S_N] = \mathbb{E}\sum_{i=1}^{N} 1_{\{\exists j, X_i = Y_j\}} = \sum_{i=1}^{N} \mathbb{E}[1_{\{\exists j, X_i = Y_j\}}] = \sum_{i=1}^{T} \Pr[\exists j, X_i = Y_j] + \sum_{i=T+1}^{N} \Pr[\exists j, X_i = Y_j] \le B_T + (N - T)U(1 + \epsilon) . \]
Proof of Theorem 3.2. First, we upper and lower bound $\Pr[S_{kN} = 0]$ for every $k \ge 1$. For $\ell \ge 1$, let
\[ S_N^{(\ell)} = \sum_{i=1}^{N} 1_{\{\exists j : X_{(\ell-1)N+i} = Y_j\}} , \]
so that $S_N^{(1)} = S_N$. Thus
\[ \Pr[S_{kN} = 0] = \Pr[S_N = 0] \Pr[S_{2N} = 0 \mid S_N = 0] \cdots \Pr[S_{kN} = 0 \mid S_{(k-1)N} = 0] = \prod_{\ell=1}^{k} \Pr[S_N^{(\ell)} = 0 \mid S_{(\ell-1)N} = 0] . \]
By taking $X_0 \leftarrow X_{(\ell-1)N}$ and $Y_0 \leftarrow \min\{Y_j : Y_j > X_{(\ell-1)N}\}$, we may bound:
\[ B_T + (N - T)U(1 + \epsilon) \ge 1 - \Pr[S_N^{(\ell)} = 0 \mid S_{(\ell-1)N} = 0] \ge (1 - 4\epsilon) \left( 1 + \frac{1 + 2B_T}{(N - T)U} \right)^{-1} . \]
Hence
\[ \left( 1 - (1 - 4\epsilon) \left( 1 + \frac{1 + 2B_T}{(N - T)U} \right)^{-1} \right)^k \ge \Pr[S_{kN} = 0] \ge \left( 1 - B_T - (N - T)U(1 + \epsilon) \right)^k . \]
These upper and lower bounds will now be used to bound the collision time.
First, the upper bound.
\[ \mathbb{E}\min\{i : S_i > 0\} = \mathbb{E}\sum_{i=0}^{\infty} 1_{S_i = 0} = 1 + \sum_{i=1}^{\infty} \Pr[S_i = 0] \le \sum_{k=0}^{\infty} \Pr[S_{kN} = 0] \, N \le N \sum_{k=0}^{\infty} \left( 1 - (1 - 4\epsilon) \left( 1 + \frac{1 + 2B_T}{(N - T)U} \right)^{-1} \right)^k = (1 - 4\epsilon)^{-1} N \left( 1 + \frac{1 + 2B_T}{(N - T)U} \right) . \]
This is minimized when $N = T + \sqrt{\frac{(1 + 2B_T)T}{U}}$, which gives the upper bound of the theorem.
To show the lower bound, take
\[ \mathbb{E}\min\{i : S_i > 0\} = \sum_{i=0}^{\infty} \Pr[S_i = 0] \ge \sum_{k=1}^{\infty} \Pr[S_{kN} = 0] \, N \ge N \sum_{k=1}^{\infty} \left( 1 - B_T - (N - T)U(1 + \epsilon) \right)^k = N \left( \frac{1}{B_T + (N - T)U(1 + \epsilon)} - 1 \right) . \]
If $B_T \ge 1$ then the bound stated in the theorem is trivial, so assume $B_T < 1$.
If $B_T(1 - B_T) < TU(1 + \epsilon)$ then the maximum of the above bound is at $N = T$. In this case the bound is
\[ \mathbb{E}\min\{i : S_i > 0\} \ge N \left( \frac{1}{B_T} - 1 \right) \ge \frac{1 - B_T}{U(1 + \epsilon)} - T . \]
When $B_T(1 - B_T) \ge TU(1 + \epsilon)$ then the maximum is at $N = \frac{\gamma(1 - \gamma)}{U(1 + \epsilon)}$, where the quantity $\gamma = \sqrt{B_T - TU(1 + \epsilon)}$. In this case the bound is
\[ \mathbb{E}\min\{i : S_i > 0\} \ge \frac{\left( 1 - \sqrt{B_T - TU(1 + \epsilon)} \right)^2}{U(1 + \epsilon)} \ge \frac{(1 - \sqrt{B_T})^2}{U(1 + \epsilon)} . \]
To bound the value of BT it will prove easier to consider those intersections that occur early in
the Yj walk separately from those that occur later.
Lemma 3.5. Let $\tau \ge T$ be such that whenever $(X_0, Y_0) \in \Omega$ then
\[ \Pr[\{X_i\}_{i=1}^{T} \cap \{Y_j\}_{j > \tau} \ne \emptyset] \le \gamma . \]
Then
\[ B_T \le \gamma T + 2 \sum_{j=1}^{\tau} (1 + j) \max_{u,v} P^j(u, v) . \]
Proof. Recall that
\[ B_T = \max_{(X_0, Y_0) \in \Omega} \sum_{i=1}^{T} \Pr(\exists j, X_i = Y_j) . \]
When $j > \tau$ then
\[ \sum_{i=1}^{T} \Pr[\exists j > \tau : X_i = Y_j] \le T \Pr[\{X_i\}_{i=1}^{T} \cap \{Y_j\}_{j > \tau} \ne \emptyset] \le \gamma T . \]
When $j \le \tau$ then
\[ \sum_{i=1}^{T} \Pr[\exists j \le \tau : X_i = Y_j] \le \sum_{i=1}^{T} \sum_{j=0}^{\tau} \sum_{v} P^i(X_0, v) P^j(Y_0, v) \le 2 \sum_{j=1}^{\tau} \sum_{i=0}^{j} \max_{w,x} P^j(w, x) \max_{u} \sum_{v} P^i(u, v) = 2 \sum_{j=1}^{\tau} (1 + j) \max_{w,x} P^j(w, x) . \]
The second inequality follows by letting j denote the larger of the two indices and i the smaller. The final equality is because $\sum_v P^i(u, v) = 1$.
4 Catching Kangaroos
The collision results of the previous section will now be applied to the Kangaroo method. The first
step in bounding collision time will be to bound the uniform intersection time and probability. This
will be done by selecting some d of the first T steps of the Xi walk (for suitable i), and using these
to construct a uniformly random d-bit binary string which is independent of the specific step sizes
taken on other steps. This implies that the Xi walk is uniformly distributed over some interval
of 2d elements, and so the probability that some Yj = Xi will be exactly the expected number of
times the Yj walk visits this interval, divided by the interval size (i.e. 2d ).
Throughout we take
\[ \Omega = \{(X_0, Y_0) : X_0 \le Y_0 < X_0 + 2^d\} . \]
Lemma 4.1. If $(X_0, Y_0) \in \Omega$ and $i \ge T = 2(d + 1)^2 (1 + \log_2(d + 1))$ then
\[ \left| \frac{\Pr(\exists j, X_i = Y_j)}{2/\sqrt{b - a}} - 1 \right| \le \frac{3}{\log_2\sqrt{b - a}} \sim \frac{3}{d} , \]
i.e. when $\epsilon = \frac{3}{d}$ then one may take $T(\epsilon) = T$ as above and $U = \frac{2}{\sqrt{b - a}}$.
Proof. The tame kangaroo will be implemented by choosing $k \in_{\mathrm{uar}} \{0, 1, \ldots, d\}$ and then flipping a coin to decide whether to increment by $2^k$ or $2^{k+1}$ (if $k = d$ then increment by $2^d$ or $2^0$). We say generator $2^k$ has been chosen if value k was chosen, even though the step size taken may not be $2^k$.
Consider the tame kangaroo. For $k \in \{0, 1, \ldots, d - 1\}$ let $\delta_k$ denote the step taken the first time generator $2^k$ is chosen, so that $\delta_k - 2^k \in_{\mathrm{uar}} \{0, 2^k\}$. Also, let $\mathcal{T}$ be the first time all of the generators have been chosen (including $2^d$). Define $\delta = \sum_{k=0}^{d-1} (\delta_k - 2^k) \in_{\mathrm{uar}} \{0, 1, \ldots, 2^d - 1\}$ and let $I_i$ denote the sum of all increments except those incorporated in a $\delta_k$, so that if $i \ge \mathcal{T}$ then
\[ X_i = X_0 + I_i + 2^d - 1 + \delta . \]
Suppose $i \ge \mathcal{T}$. Then $\delta$ is independent of the value of $I_i$, and so
\[ X_i \in_{\mathrm{uar}} [X_0 + I_i + 2^d - 1, \ X_0 + I_i + 2^{d+1} - 1) . \]
Observe that $X_0 + I_i + 2^d - 1 \ge X_0 + 2^d - 1 \ge Y_0$. Since the average non-zero step size for $Y_j$ is $\frac{\sqrt{b - a}}{2}$ (recall d was chosen to guarantee this) then
\[ \Pr(\exists j, X_i = Y_j \mid i \ge \mathcal{T}) = \frac{\mathbb{E}\left| \{Y_j\} \cap [X_0 + I_i + 2^d - 1, \ X_0 + I_i + 2^{d+1} - 1) \right|}{2^d} \ge \frac{\lfloor 2^d / (\tfrac{1}{2}\sqrt{b - a}) \rfloor}{2^d} \ge \frac{2}{\sqrt{b - a}} - 2^{-d} = \frac{2}{\sqrt{b - a}} \left( 1 - \frac{2}{\log_2\sqrt{b - a}} \right) . \]
Similarly, an upper bound of $\frac{2}{\sqrt{b - a}} + 2^{-d}$ follows by taking ceiling instead of floor.
Next, consider $\mathcal{T}$. By the Coupon Collector's problem $\mathbb{E}(\mathcal{T}) = (d + 1)H_{d+1}$ where $H_n = \sum_{\ell=1}^{n} \ell^{-1}$ is the n-th harmonic number. By Markov's Inequality $\Pr[\mathcal{T} \ge 2(d + 1)H_{d+1}] \le 1/2$ and so if $\alpha = d + 1$ then
\[ \Pr[\mathcal{T} \ge \alpha \, 2(d + 1)H_{d+1}] = \prod_{\ell=1}^{\alpha} \Pr[\mathcal{T} \ge \ell \, 2(d + 1)H_{d+1} \mid \mathcal{T} \ge (\ell - 1) \, 2(d + 1)H_{d+1}] \le 2^{-\alpha} = 2^{-(d+1)} . \]
Since $H_n \le \ln n + 0.6 + \frac{1}{2n}$, we get in turn $\Pr[\mathcal{T} > T] \le 2^{-(d+1)}$. To finish,
\[ \Pr[\exists j, X_i = Y_j] = (1 - \Pr[\mathcal{T} > T]) \Pr[\exists j, X_i = Y_j \mid \mathcal{T} \le T] + \Pr[\mathcal{T} > T] \Pr[\exists j, X_i = Y_j \mid \mathcal{T} > T] . \]
Since all probabilities are in [0, 1], and $0 \le \Pr[\mathcal{T} > T] \le 2^{-(d+1)}$ then
\[ \left| \Pr[\exists j, X_i = Y_j] - \Pr[\exists j, X_i = Y_j \mid \mathcal{T} \le T] \right| \le 2^{-(d+1)} . \]
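The quantities in Definition 3.1 and in the proof of Lemma 4.1 can be computed exactly for a small instance of the paper's chain, which is what the following added example does (it is not code from the paper). With jumps $2^k$, $0 \le k \le d$, each taken with probability $1/(d+1)$, and Y started at or ahead of X as in $\Omega$, it evaluates $\Pr[\exists j, X_i = Y_j]$ by summing $\Pr[X_i = v]$ against the renewal probability that the Y walk ever visits v; the renewal-theorem limit of that visit probability is 1/(mean jump), which is the paper's $U = 2/\sqrt{b - a}$ for its choice of d. It also returns $\max_v P^j(u, v)$, the quantity bounded in Lemmas 3.5 and 4.2, and the coupon-collector tail $\Pr[\mathcal{T} > t]$ used above. The function names and the small value $d = 3$ used in the demonstration are this example's own assumptions.

```python
from collections import defaultdict


def step_sizes(d):
    """Jump set S = {2^k : 0 <= k <= d}, each chosen with probability 1/(d+1)."""
    return [1 << k for k in range(d + 1)]


def mean_step(d):
    return sum(step_sizes(d)) / (d + 1)


def renewal_probabilities(d, n_max):
    """u[n] = Pr[the Y walk ever visits Y_0 + n], by the renewal recursion
    u[n] = (1/(d+1)) * sum_{s in S, s <= n} u[n - s], with u[0] = 1."""
    steps = step_sizes(d)
    u = [0.0] * (n_max + 1)
    u[0] = 1.0
    for n in range(1, n_max + 1):
        u[n] = sum(u[n - s] for s in steps if s <= n) / len(steps)
    return u


def position_distribution(d, i):
    """dist[v] = Pr[X_i = X_0 + v] for the tame walk after i hops (exact)."""
    steps = step_sizes(d)
    dist = {0: 1.0}
    for _ in range(i):
        nxt = defaultdict(float)
        for v, pr in dist.items():
            for s in steps:
                nxt[v + s] += pr / len(steps)
        dist = nxt
    return dist


def max_transition_probability(d, j):
    """max_v P^j(u, v): the most likely position after j hops (independent of u)."""
    return max(position_distribution(d, j).values())


def intersection_probability(d, i, x0, y0):
    """Pr[exists j, X_i = Y_j] for independent walks from (x0, y0):
    sum over v of Pr[X_i = v] * Pr[Y visits v]; Y never visits anything below y0."""
    dist = position_distribution(d, i)
    n_max = max(dist) + x0 - y0
    u = renewal_probabilities(d, max(n_max, 0))
    total = 0.0
    for v, pr in dist.items():
        n = x0 + v - y0
        if n >= 0:
            total += pr * u[n]
    return total


def uniform_intersection_probability(d):
    """Renewal-theorem limit of Pr[Y visits v] as v grows: 1 / (mean jump).
    For the paper's choice of d this is U = 2/sqrt(b-a)."""
    return 1.0 / mean_step(d)


def coupon_tail(d, t):
    """Pr[T_c > t]: probability that after t hops some generator 2^k has never been
    chosen, T_c being the coupon-collector time from the proof of Lemma 4.1."""
    m = d + 1                      # number of generators
    probs = [1.0] + [0.0] * m      # probs[c] = Pr[c distinct generators seen so far]
    for _ in range(t):
        nxt = [0.0] * (m + 1)
        for c, pr in enumerate(probs):
            if pr == 0.0:
                continue
            nxt[c] += pr * c / m                 # repeat of an already seen generator
            if c < m:
                nxt[c + 1] += pr * (m - c) / m   # a new generator
        probs = nxt
    return 1.0 - probs[m]


if __name__ == "__main__":
    d = 3   # jumps 1, 2, 4, 8; mean jump 15/4, so U = 4/15
    print("U =", uniform_intersection_probability(d))
    for i in (1, 5, 20, 40):
        print(i, intersection_probability(d, i, 0, 0), max_transition_probability(d, i))
    T = 2 * (d + 1) ** 2 * (1 + 2)   # log2(d+1) = 2 for d = 3
    print("Pr[T_c > T] =", coupon_tail(d, T), "<=", 2.0 ** -(d + 1))
```

For $i = 1$ the intersection probability is still far from U (the walk has not spread out), and it settles at U once i is past the uniform intersection time, which is the behaviour Definition 3.1 packages into $T(\epsilon)$; the coupon tail at $T = 2(d+1)^2(1 + \log_2(d+1))$ is far below the $2^{-(d+1)}$ that the Markov-inequality argument guarantees.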
It remains only to upper bound $B_T$. This will be shown by breaking up the sum of Lemma 3.5 into two parts. Let $\kappa = \sqrt[5]{d + 1}$. When $j \le 2\kappa$ then it will be shown that with high probability every step size taken was distinct, in which case the sum of the step sizes is a random $(d + 1)$ bit binary string containing exactly j ones, i.e. uniform over $\binom{d+1}{j}$ possibilities. When $j > 2\kappa$ then with high probability at least $\kappa$ distinct step sizes have been chosen, in which case a random $\kappa$-bit binary string is extracted as in the proof of Lemma 4.1 and used to show the maximum probability of a state is at most $2^{-\kappa}$.
Lemma 4.2. If $T = 2(d + 1)^2 (1 + \log_2(d + 1))$ then $B_T = o_d(1)$.
Proof. This will be shown by applying Lemma 3.5. To bound $P^j(u, v)$ we set $X_0 = u$ and consider $X_j$ for $j \in \{1, 2, \ldots, \tau\}$, where $\tau$ is to be determined later. Recall that $\kappa = \sqrt[5]{d + 1}$.
First suppose $1 \le j \le 2\kappa$. Assume $d \ge 2$ so that $j < d + 1$. Implement the kangaroo walk in the obvious way, i.e. choose $k \in \{0, 1, \ldots, d\}$ and increment by $2^k$. Let E denote the event that all j increment sizes were distinct. Then
\[ \Pr[E] = \frac{(d + 1) d \cdots (d + 2 - j)}{(d + 1)^j} \ge \left( \frac{d + 2 - j}{d + 1} \right)^j \ge 1 - \frac{j(j - 1)}{d + 1} \]
because $(1 - x)^n \ge 1 - nx$ if $x \in [0, 1]$ and $n \in \mathbb{N}$. Then
\[ \max_v P^j(u, v) = \max_v \Pr[X_j = v] = \max_v \left( \Pr[E] \Pr[X_j = v \mid E] + \Pr[\bar{E}] \Pr[X_j = v \mid \bar{E}] \right) \le 1 \cdot \frac{1}{\binom{d+1}{j}} + (1 - \Pr[E]) \cdot 1 \le \frac{1}{d + 1} + \frac{j(j - 1)}{d + 1} \le 4(d + 1)^{-3/5} . \]
If $d = 1$ then trivially $P^j(u, v) \le 4(d + 1)^{-3/5} \approx 2.64$. Then
\[ \sum_{j=1}^{2\kappa} (j + 1) \max_v P^j(u, v) \le (1 + 2\kappa)^2 \, 4(d + 1)^{-3/5} = o_d(1) . \]
Before calculating the remaining terms in the sum, a value for $\tau$ in Lemma 3.5 is needed. Note that trivially
\[ X_T \le X_0 + T 2^d . \]
Let $\Delta Y$ be a random increment of the Y walk. Then
\[ \Pr\left[ \Delta Y \ge \frac{2^d}{d + 1} \right] = \frac{1 + \log_2(d + 1)}{d + 1} . \]
A Chernoff bound can be used here. If $j \ge \frac{2T(d+1)^2}{1 + \log_2(d+1)}$ the expected number of steps of size at least $\frac{2^d}{d+1}$ is $\mu = 2T(d + 1)$ so that $\mathbb{E}[Y_j - X_0] \ge \mathbb{E}[Y_j - Y_0] \ge 2T 2^d$. With $\delta = 1/2$ then
\[ \Pr[Y_j \le X_0 + T 2^d] \le e^{-\mu\delta^2/2} \le e^{-4(d+1)^3 (1 + \log_2(d+1))/8} \le 2^{-(d+1)} . \]
It thus suffices to take $\tau = \frac{2T(d+1)^2}{1 + \log_2(d+1)} = 4(d + 1)^4$, with $\gamma = 2^{-(d+1)}$ and $\gamma T = o_d(1)$.
Finally, suppose $2\kappa < j \le \tau$. Implement the kangaroo walk as in the proof of Lemma 4.1, and likewise assume the same terminology. Let S denote the set of distinct generators that have been chosen excluding $2^d$, so that $|S| \le d$, and observe that $\sum_{k \in S} (\delta_k - 2^k) \in_{\mathrm{uar}} \{2^{|S|} \text{ elements}\}$, so that if $I_j$ is the sum of all increments except those used the first time an element of S was chosen then $\Pr[X_j = v \mid S, I_j] \le 2^{-|S|}$. It follows that $\Pr[X_j = v \mid |S|] \le 2^{-|S|}$. Hence, if E denotes the event that $\kappa$ or fewer distinct generators have been chosen, so that $\bar{E}$ implies $|S| \ge \kappa$, then
\[ \max_{u,v} P^j(u, v) \le \Pr[E] \cdot 1 + \Pr[\bar{E}] \cdot \frac{1}{2^\kappa} \le \binom{d+1}{\kappa} \left( \frac{\kappa}{d + 1} \right)^j \cdot 1 + 1 \cdot \frac{1}{2^\kappa} \le (d + 1)^\kappa (d + 1)^{-4j/5} + 2^{-\kappa} \le (d + 1)^{-\frac{3}{5}\kappa} + 2^{-\kappa} . \]
It follows that
\[ \sum_{j=2\kappa+1}^{\tau} (1 + j) \max_{u,v} P^j(u, v) \le (1 + \tau)^2 \left( (d + 1)^{-\frac{3}{5}\kappa} + 2^{-\kappa} \right) = o_d(1) . \]
We can now prove the main result of the paper.
Proof of Theorem 1.1. Note that the group elements $g^{(2^k)}$ can be pre-computed, so that each step of a kangaroo requires only a single group multiplication.
As discussed in the heuristic argument of Section 2, an average of $\frac{|X_0 - Y_0|}{\sqrt{b - a}/2}$ steps are needed to put the smaller of the starting states (e.g. $X_0 < Y_0$) within $2^d$ of the one that started ahead. If the Distinguished Points are randomly distributed then the heuristic for these points is again correct. If instead they are roughly constantly spaced and $c = \Omega(d^2 \log_2 d)$ then observe that in the proof of Lemma 4.1 it was established that after $T = T(\epsilon) = 2(d + 1)^2 (1 + \log_2(d + 1))$ steps the kangaroos will be nearly uniformly random over some interval of length $2^{d+1} = \frac{1}{2}\sqrt{b - a} \log_2\sqrt{b - a}$, so if the Distinguished Points are uniformly distributed and cover a $\frac{c}{\sqrt{b - a}}$ fraction of vertices then an average of $\frac{\sqrt{b - a}}{c}$ such samples are needed, which amounts to $T \frac{\sqrt{b - a}}{c} = o(1) \cdot \sqrt{b - a}$ extra steps.
It remains to make rigorous the claim regarding $p^{-1}$. In the remainder we may thus assume that $|X_0 - Y_0| \le 2^d$. Take $\epsilon = \frac{3}{\log_2\sqrt{b - a}} \sim \frac{3}{d}$. By Lemma 4.1 the uniform intersection time is $T = T(\epsilon) = 2(d + 1)^2 (1 + \log_2(d + 1))$ with uniform intersection probability $U = \frac{2}{\sqrt{b - a}}$, while by Lemma 4.2 also $B_T = o(1)$. The upper bound of Theorem 3.2 is then $\left( \frac{1}{2} + o(1) \right) \sqrt{b - a}$. The lower bound of Theorem 3.2 is then $\left( \frac{1}{2} - o(1) \right) \sqrt{b - a}$.
Acknowledgments
The authors thank Dan Boneh for encouraging them to study the Kangaroo method.
References
[1] D. Boneh, Private Communication.
[2] D. Boneh and X. Boyen, “Short Signatures Without Random Oracles,” Proc. of Eurocrypt
2004, LNCS 3027, pp. 56-73 (2004).
[3] J-H. Kim, R. Montenegro, Y. Peres and P. Tetali, “A Birthday Paradox for Markov chains,
with an optimal bound for collision in the Pollard Rho Algorithm for Discrete Logarithm,”
Proc. of the Algorithmic Number Theory Symposium (ANTS-VIII), Springer LNCS 5011, pp.
402-415 (2008).
[4] P.C. van Oorschot and M.J. Wiener, “Parallel collision search with cryptanalytic applications,”
Journal of Cryptology, vol. 12 no. 1, pp. 1–28 (1999).
[5] J. Pollard, “Monte Carlo methods for index computation mod p,” Mathematics of Computation, vol. 32 no. 143, pp. 918–924 (1978).
[6] J. Pollard, “Kangaroos, Monopoly and Discrete Logarithms,” Journal of Cryptology, vol. 13
no. 4, pp. 437–447 (2000).
[7] E. Teske, “Square-root Algorithms for the Discrete Logarithm Problem (A Survey),” in Public-Key Cryptography and Computational Number Theory, Walter de Gruyter, Berlin - New York, pp. 283–301 (2001).
Appendix
The proof of Lemma 3.3 was left to the Appendix:
Proof. The expectation $\mathbb{E}[\bar{S}_N]$ satisfies
\[ \mathbb{E}[\bar{S}_N] = \mathbb{E}\sum_{i=T+1}^{N} 1_{\exists j, X_i = Y_j} = \sum_{i=T+1}^{N} \mathbb{E}[1_{\exists j, X_i = Y_j}] \ge (N - T)U(1 - \epsilon) . \quad (1) \]
The inequality is because $\mathbb{E}[1_{\exists j, X_i = Y_j}] = \Pr[\exists j, X_i = Y_j]$. The upper bound follows by taking $(1 + \epsilon)$ in place of $(1 - \epsilon)$.
Now for $\mathbb{E}[\bar{S}_N^2]$. Note that
\[ \mathbb{E}[\bar{S}_N^2] = \mathbb{E}\left( \sum_{i=T+1}^{N} \sum_{k=T+1}^{N} 1_{\exists j, X_i = Y_j} \, 1_{\exists \ell, X_k = Y_\ell} \right) = \sum_{i=T+1}^{N} \sum_{k=T+1}^{N} \Pr(\exists j, \ell : X_i = Y_j, X_k = Y_\ell) . \]
By symmetry it suffices to consider the case that $k \ge i > T$. Also, observe that if $X_i = Y_j$ then $X_k = Y_\ell$ is possible only if $\ell \ge j$, because the X and Y walks proceed in the positive direction on the integer line.
When $k > i + T$ then $\Pr(\exists \ell, X_k = Y_\ell \mid X_i = Y_j) \le U(1 + \epsilon)$ by definition of T, and so
\[ \Pr(\exists j, \ell : X_i = Y_j, X_k = Y_\ell) = \Pr(\exists j : X_i = Y_j) \Pr(\exists \ell, X_k = Y_\ell \mid X_i = Y_j) \le (1 + \epsilon)^2 U^2 . \]
When $k \le i + T$ then
\[ \sum_{k=i+1}^{i+T} \Pr(\exists j, \ell : X_i = Y_j, X_k = Y_\ell) \le \Pr(\exists j : X_i = Y_j) \max_u \sum_{k=1}^{T} \Pr(\exists \ell, X_k = Y_\ell \mid X_0 = Y_0 = u) \le B_T U(1 + \epsilon) , \]
since $i \ge T$. It follows that
\[ \mathbb{E}[\bar{S}_N^2] = \sum_{i=T+1}^{N} \Pr(\exists j : X_i = Y_j) + 2 \sum_{i=T+1}^{N} \sum_{k=i+1}^{i+T} \Pr(\exists j, \ell : X_i = Y_j, X_k = Y_\ell) + 2 \sum_{i=T+1}^{N} \sum_{k=i+T+1}^{N} \Pr(\exists j, \ell : X_i = Y_j, X_k = Y_\ell) \]
\[ \le 2(1 + \epsilon) U (N - T) (1/2 + B_T) + 2(1 + \epsilon)^2 U^2 \frac{(N - 2T)(N - 2T + 1)}{2} \le (1 + \epsilon)^2 U^2 (N - T)^2 \left( 1 + \frac{1 + 2B_T}{(1 + \epsilon) U (N - T)} \right) . \]