CATCHING KANGAROOS IN FUNCTION FIELDS
(EXTENDED ABSTRACT)
ANDREAS STEIN AND EDLYN TESKE
1. Introduction
In this paper we generalize the parallelized lambda method for computing invariants in real quadratic function elds.
A basic such invariant is the regulator, which plays an important role in cryptosystems based on
real quadratic function elds. For example, in the key-exchange protocol by Scheidler, Stein and
Williams [SSW96], the regulator provides a measure for the key space; moreover, computation of
the regulator is an instance of solving the discrete logarithm problem in real quadratic function
elds.
Pollard's lambda method [Pol78], also called the method of catching kangaroos, was originally
developed to compute discrete logarithms in Z=pZand has been canonically generalized to solve
the discrete logarithm problem in any nite abelian group. The key ingredient for the lambda
method is that we p
know that the discrete logarithm lies in a given interval [a; b[; then the expected
running time is O( b ? a) group operations. Van Oorschot and Wiener [vOW99] have shown that
the lambda method can be parallelized with linear speed-up, which makes the method attractive for
distributed attacks. It is important to note that the lambda method is very space ecient, which
is its basic advantage over square-root attacks based on Shanks' baby step-giant step method.
The objects with which we deal in real quadratic function elds are reduced principal ideals, which
do not constitute a group. However, the baby step-giant step method could be eciently adapted
to this setting by dening analogues of baby steps and giant steps that make use of the ideal
arithmetic (see [SZ91]). The disadvantage of this method is that the space restrictions of the
machines constitute a bound on how large regulators can be computed. Currently, this bound is
at about 25 digits ([SW98]). It is therefore natural to ask whether such a space ecient method
as the lambda method can be employed to real quadratic function elds. In this paper we show
that this indeed can be done. This allows us to push the range for regulator computation much
further. In fact, we estimate that with the parallelized Pollard lambda attack on a network of 40
fast machines, a 31-digit regulator can be computed within a week.
In the following, we rst give an overview of the lambda method and its parallelization, where
we deal with both the variant of van Oorschot and Wiener [vOW99] and Pollard [Pol]. We keep
this exposition as general as possible. Since no experimental results with the parallelized lambda
method (not to mix with the parallelized rho method!) have been published so far, we also include
some statistics about experiments with elliptic curve groups showing that the practical performance
essentially matches the theoretical predictions. Then, in Section 3, we give the basic denitions and
facts needed about real quadratic function elds. In Section 4 we specialize the lambda method for
the problem of regulator and class number computation in function elds and give experimental
results. For the full version of this paper, we refer to [ST].
2. The Parallelized Pollard Lambda Method
Let G be a nite cyclic group generated by the group element g , and let h 2 G. Then there exists
a least positive number x such that h = g x. This number x is usually called the discrete logarithm ,
1
2
ANDREAS STEIN AND EDLYN TESKE
or index , of h to the base g . In the special case that h = 1, we call x the order of g . We want to
compute x. Let us assume that we know integers a and b such that a x < b. This is the setting
for which Pollard [Pol78] has designed his lambda method: The idea is to dene two kangaroos, a
tame kangaroo T with starting point t0 = g b and a wild kangaroo W with starting point w0 = h.
In terms of the exponents of g , T starts at the upper end of the interval [a; b[, while W starts at
an unknown spot x. Let 0(T ) = b, the initial distance of T from the origin, and 0 (W ) = 0, the
initial distance of W from h. Let S = fg s ; : : : ; g sr g be a set of jumps, and let v : G ! f1; : : : ; rg
be a hash function. We think of the exponents si as travel distances, which should be small in
comparison with the length b ? a of the interval; Pollard [Pol78] suggested that the powers of two
(starting with 20) up to a certain size to be specied below might be a good choice. Now we let
the tame kangaroo travel through the group, following the path
(2.1)
tj+1 = tj g sv tj ; j 2 N0 :
While computing the path (tj ), we keep track of the distances j (T ),
(2.2)
j+1 (T ) = j (T ) + sv(tj ) ; j 2 N0 :
Hence, tj = g j (T ), for each j 2 N0. After a certain number of jumps, the tame kangaroo stops and
installs a trap at its nal spot, say tM . Then the wild kangaroo is set o, following the path
(2.3)
wj+1 = wj g sv wj ; j 2 N0 ;
with the distances j (W ) given by
(2.4)
j+1 (W ) = j (W ) + sv(wj ) ; j 2 N0 :
Then wj = h g j (W ) (j 2 N0). Hence, in terms of the exponents of g , at each stage we know the
exact position of T , but we do not know the position of W since its starting spot x is unknown;
this is why W is wild. After each jump it is checked whether W has fallen into the trap. If this
is the case, say at wN , the equation tM = wN immediately yields a solution of g x = h, namely
x = M (T ) ? N (W ). Otherwise, after a certain number of jumps the wild kangaroo is halted, and
a new wild kangaroo with starting point w0 = h g z and initial distance 0 (W ) = z (z small) is
set o. If W falls into T 's trap, this means that the paths of the two kangaroos must have met
earlier during the travel, from which point on they have been identical. In this case, if we draw
the two paths on a piece of paper starting at the bottom left and the bottom right, respectively,
we obtain the Greek letter lambda, whence the name of the method. Van Oorschot and Wiener
[vOW99] have analyzed this method andpfound out that the running time is expected to
p be minimal
if the mean value of S is approximately ( b ? ap)=2, and if T makes approximately 0:7 b ? a jumps
before placing the trap. Then after about 2:7 b ? a jumps of the wild kangaroo, W either must
have fallen into the trap, which happens with probability 0:75, or it must have psafely passed
the trap and should be halted. The expected total running time amounts to 3:28 b ? a group
operations. The algorithm has to store the set S and the current positions of the two kangaroos;
we have jS j = O(log(b ? a)) if the exponents si are powers of two.
2.1. The van Oorschot-Wiener parallelization. In the same paper [vOW99], van Oorschot and
Wiener improved on the above result by applying a distinguished point method . Their technique
suits both for a serial application of the lambda method and for its ecient parallelization. The idea
is to call a group element (="point") distinguished if it satises some easily checkable property.
Whenever a kangaroo hits a distinguished point, say tj or wj , it is stored, together with the
corresponding distance j . In the parallel setting, this information is sent to a central server; in this
case, the name of the corresponding kangaroo should be included to be able to deal with collisions
between members of the same herd. As soon as the same distinguished point has been found by
both a tame and a wild kangaroo, the discrete logarithm can be derived from the corresponding
1
(
(
)
)
CATCHING KANGAROOS IN FUNCTION FIELDS
3
distances. We describe this method in more detail. Let m denote the number of processors. Let
us rst assume that m is even. We work with u = m=2 tame and v = m=2 wild kangaroos. The
tame kangaroos T0 ; : : : ; Tu?1 start at and shortly after the middle of the interval, at positions
t0 (Tk ) = g (a+b)=2+k , 0 k < u, with some small constant . ( should be chosen with some care
to reduce the possibility of collisions of kangaroos of the same herd. For example, we should have
6= si, i = 0; : : : ; r.) The wild kangaroos W0 ; : : : ; Wv?1 start at w0(Wk ) = h g k , 0 k < v,
which means that their expected starting points are also at and shortly after the middle of the
interval, and the expected initial distance between the herds of the tame and the wild kangaroos is
(b ? a)=4. Then the kangaroos follow paths as in (2.1) and (2.3), where again we keep track of the
distances (2.2) and (2.4), just as in the original lambda method described above.
According to the analysis of van Oorschot and Wiener, the expected running time until two dierent
kangaroos hit the p
same distinguished point is minimal if the mean value of the exponents si in S is
approximately m( b ? a)=4. In this case, with denoting the proportion pof points that satisfy the
distinguishing property, it takes an expected number of approximately 2( b ? a)=m + 1= jumps
on each processor. If m is odd or not known (which may be the case in an attack distributed
over the Internet), we can simulate 2m half-speed processors by alternating
p between jumps of one
tame and one wild kangaroo. This takes an expected number of 2( b ? a)=m + 2= jumps on
each (real) processor. However, for a given problem, this number may be smaller or larger, even if
average values are considered. This is because the analysis assumes that the distance between the
herds of tame and the wild kangaroos is close to (b ? a)=4, that is x (ap+ b)=2 (b ? a)=4. For
jx ? (a + b)=2j = (b ? a)=l, the expected running time changes to (1 + 4=l)( b ? a)=m + 1= jumps
on each processor (m even). That is, the closer x is to the middle of the interval, the smaller the
expected running time is, and vice versa.
On comparing the expected number of jumps (= group
p operations) for the lambda method using
distinguished points with the expected number of ( ord g=2)=m +1= group operations for the
parallelized rho method (cf. [vOW99]), we see that the lambda method is expected to be faster if
b ? a < =8 ord g 0:39 ord g.
The parallelization of van Oorschot and Wiener does not exclude collisions between kangaroos of
the same herd. Such collisions do not reveal any information about the value x to be computed.
Since the kangaroos travel on the same paths once they have collided, computing power is wasted
if not one partner in the collision is halted as soon as it is detected. Halting a kangaroo (with the
purpose to restart it at a new starting point) requires a message from the central server to the
corresponding machine, an eort which we would like to avoid.
2.2. Pollard's parallelization. Pollard [Pol] altered the van Oorschot-Wiener method of parallelization such that collisions between kangaroos of the same herd cannot occur. His method works
as follows. Let m be the number of processors and let u and v denote the numbers of tame and wild
kangaroos, respectively. We choose u and v to be coprime, nearly equal and such that u + v m.
The powers of g in the set of jumps are multiples of uv : S = fg s uv ; g s uv ; : : : ; g sr uv g. As before,
the tame kangaroos T0; : : : ; Tu?1 are set o at and shortly after the middle of the interval, now at
positions t0 (Ti ) = g (a+b)=2+iv , 0 i < u, and the wild kangaroos W0 ; : : : ; Wv?1 start at positions
w0(Wk ) = h g ku , 0 k < v. Then they travel through the group just as before. Since the equation
(a + b)=2 + iv = x + ku mod uv (x = logg h)
has a unique solution in i (mod u) and k (mod v ), there is exactly one pair (Ti; Wk ) of kangaroos
that travel in the same residue class modulo uv ; this is the only pair which can meet. No two
tame and no two wild kangaroos can meet each other. Hence, as soon as any two kangaroos have
met and a distinguished point tj (Ti ) = wj (Wk ) has been found, the unknown x can be determined
from the starting points t0 (Ti) and w0 (Wk ) and distances j (Ti ) and j (Wk ). Pollard's analysis of
this method shows that the optimal choice for S is such that the mean value of the si is close to
1
2
0
0
4
p
ANDREAS STEIN AND EDLYN TESKE
p
( (b ? a)=uv)=2. Then it takes an expected number of approximately ( (b ? a)=(uv ))B (S )+1=
jumps on each processor. Here, B (S ) is a correction factor depending on the choice of S ; Pollard
[Pol] gives experimental evidence that B (S ) 1 if the exponents si in S are the consecutive powers
of 2 or 4 (starting with 20 resp. 40) and jS j 6. Since both u and v are close to m=2, this then
gives essentially the same expected running time as for the method by van Oorschot and Wiener.
2.3. The parallelized Pollard lambda method in practice. There are a couple of aspects to
consider when it comes to actually implementing a parallelized Pollard lambda attack. We begin
with some typical experimental data, shown in Tables 1 { 3, to illustrate our discussion. Using the
computer algebra system LiDIA [LiD97], we implemented both the van Oorschot-Wiener and the
Pollard variants of parallelization for groups of points of elliptic curves over nite elds, to compute
the group order.
In our rst example we work with the curve y 2 = x3 + 7x + 13 dened over the nite eld Fp with
the 15-digit prime p = 100000005000197; the point group E7;13p
(Fp ) is cyclic. A theorem due to
Hasse says that its order n satises the inequality jn ? p ? 1j 2 p; in fact n = 100000015380435.
We choose a random point P on the curve andp we use the pparallelized lambda method pto nd a
multiple of its order in the interval [p + 1 ? 2 p; p + 2 + 2 p[. Note that if ord P > 4 p, then
the unique multiple of ord P in the interval must be the group order.pIn our example, the length
of the interval is approximately 4 107, and we have jn ? p ? 1j = 4 p=l with l = 3:853:::. This
means that the distance between the herd of tame kangaroos, set o near (p + 1) P , and
the herd
of wild kangaroos, set o near the neutral element O of E7;13(Fp ), is approximately pp, which is
the distance on which the running time analysis in [vOW99] and [Pol] is based. Then the expected
running time is 4 p1=4=m + 1= = 12649=m + 1= jumps/kangaroo. We work with four and 20
kangaroos. We use various sizes for the sets of distinguished points, from = 1; 2?1; : : : to 2?12.
For the jump distances si we choose the powers of two (van Oorschot/Wiener), respectively powers
of two multiplied by uv with u = m=2 ? 1 and v = m=2 + 1 (Pollard), and such that the mean
value of the si is as close as possible to the respective optimal values indicated above. In the van
Oorschot-Wiener variant, we work with = 13 as distance between the starting points of two
consecutive kangaroos of the same herd; whenever two tame or two wild kangaroos meet (which is
signalled by their nding the same distinguished point), one of these two kangaroos is halted and
set o at a new starting point. For each order computation, we count the number of jumps of each
kangaroo until any pair of tame and wild kangaroos has found the same distinguished point, and
the total number of distinguished points found by all kangaroos. Table 1 shows the average values
taken
over 100 such runs; here we considered only those runs with points P whose order exceeded
p
4 p. Note that in the van Oorschot-Wiener variant, there were in average two collisions between
kangaroos of the same herd, both for m = 4 and for m = 20.
In our second example, we work with the curve y 2 = x3 + 5x + 17 dened over Fp , where p =
100000000000000500053p(21 digits). E5;17(Fp ) is cyclic of group order n = 99999999991517342872.
Hence, jn ? p ? 1j = 4 p=l with l = 4:715:::. This means that the distance between the herds
of tame and wild kangaroos is smaller than pp, and we expect an average running time of only
about 3:7 p1=4=m + 1= jumps for each kangaroo. With m = 20 kangaroos, we conduct the same
computations as in the rst example. The average values of the results, taken over 100 computations
with ord P > 4pp, are shown in Table 2. This time there was an average of three collisions between
kangaroos of the same herd (in the van Oorschot-Wiener variant).
We nd it necessary to include a third example. Here, the curve is y 2 = x3 + 13x + 5 over
Fp with the 16-digit prime p = 1000000000000037. The group E5;17(Fp ) is cyclic and has order
n = 1000000058247036. This time the distance between the herds of tame and wild kangaroos is
larger than pp. Indeed, we have jn ? p ? 1j = 4pp=l with l = 2:287:::. We then expect about
5:4 p1=4=m + 1= jumps for each kangaroo. Our results, this time for m = 8 kangaroos, are shown
CATCHING KANGAROOS IN FUNCTION FIELDS
1 2?1 2?2 2?3 2?4 2?5 2?6 2?7 2?8
4 kangaroos. Expected: p1=4 = 3162 + 1= jumps/kangaroo
van Oorschot-Wiener variant
dist. points 15495 7758 3884 1939 969 486 246 126 66
jumps/kang. 3874 3876 3878 3884 3900 3929 3976 4056 4273
Pollard's variant
dist. points 16899 8464 4233 2119 1061 534 268 137 70
jumps/kang. 4225 4226 4227 4231 4240 4254 4292 4362 4492
20 kangaroos. Expected: p1=4=5 = 632 + 1= jumps/kangaroo
van Oorschot-Wiener variant
dist. points 12671 6349 3190 1606 811 412 214 116 64
jumps/kang. 633 634 636 640 649 663 696 758 860
Pollard's variant
dist. points 16384 7792 3906 1965 991 509 267 143 80
jumps/kang. 778 779 781 784 792 814 848 915 1018
5
2?10 2?12
19
6
5096 8685
20
9
5245 8323
23 10
1327 2607
34 21
1723 4347
Table 1. E7;13(Fp ) with p = 100000005000197. Order computation.
2?2 2?3 2?4 2?5 2?6 2?7 2?8 2?10 2?12
20 kangaroos. Expected: 3:7 p1=4=20 = 18500 + 1= jumps/kangaroo
van Oorschot-Wiener variant
dist. points 91312 45675 22851 11437 5730 2876 1448 377 107
jumps/kang. 18260 18266 18276 18289 18325 18388 18511 19288 22308
Pollard's variant
dist. points 104559 52270 26147 13078 6551 3289 1653 428 121
jumps/kang. 20916 20920 20928 20945 20983 21053 21191 21779 24643
Table 2. E5;17(Fp ) with p = 100000000000000500053. Order computation.
1 2?1 2?2 2?3 2?4 2?5 2?6 2?7 2?8 2?10 2?12
8 kangaroos. Expected: 3796 + 1= jumps/kangaroo
van Oorschot-Wiener variant
dist. points 41325 20671 10332 5162 2582 1292 651 329 165 45 14
jumps/kang. 5166 5167 5170 5175 5184 5206 5257 5332 5459 6245 8539
Pollard's variant
dist. points 36215 18125 9063 4538 2270 1142 576 291 148 43 17
jumps/kang. 4527 4528 4530 4533 4543 4560 4597 4660 4805 5568 8660
Table 3. E13;5(Fp ) with p = 1000000000000037. Order computation.
in Table 3. As before, all averages are taken over 100 computations. In the van Oorschot-Wiener
variant, we observed an average of as many as four collisions between members of the same herd.
2.3.1. Which variant: van Oorschot-Wiener or Pollard? Our experimental data suggest that with
both variants, we achieve an almost linear speed-up. The Pollard variant of parallelization has the
6
ANDREAS STEIN AND EDLYN TESKE
advantage that collisions between kangaroos of the same herd are impossible. In the van OorschotWiener variant we do have to deal with such collisions, which requires communication from the
central server to the processors. On the other hand, this variant allows that additional kangaroos
(=processors) can join a parallelized lambda attack at any stage and contribute with each single
distinguished point they nd. Thus, it mainly depends on the application which variant suits
better.
2.3.2. The distinguished point set. A simple way to implement the distinguished point set is to
dene a point to be distinguished if the f lowest bits in the representation of the point as a binary
string are zero. Then the proportion of distinguished points is = 1=2f . In our experiments,
we worked with f = 0; : : : ; 12. Our results match the theoretical predictions how eects the
running
p
p time. In general, f should be chosen small enough such that 1= = 2f is small compared
with b ? a, but not too small since the algorithm has to store an expected number of 2 b ? a
distinguished points.
2.3.3. The jump distances. Our experimental results suggest that choosing the exponents si as
powers of two in principal works ne. However, is might be possible to achieve some improvement
by choosing other jump distances.
2.3.4. Choice of in the van Oorschot-Wiener variant. In the experiments shown in our tables,
we worked only with = 13. Working with other choices of such as the primes 31, 1031, 1000031
yielded almost identical results.
3. A Brief Introduction into Real Quadratic Function Fields
3.1. Basic denitions. Let k = Fq be a nite eld of odd characteristic with q elements. A
hyperelliptic function eld over the constant eld k of genus
p g is a quadratic extension of the
rational function eld over k in one variable, i.e. K = k(X )( D), where D = D(X ) is a squarefree
polynomial of degree 2g + 1 or 2g + 2. If D is a monic, squarefree polynomial of degree 2g + 2, then
K is called a real quadratic function eld over k, and otherwise imaginary quadratic
.
p
Let D be a monic, squarefree polynomial of degree 2g +2 so that K = k(X )( pD) is a real quadratic
function eld over k with respect to the real quadratic order O(X ) = k[X ][ D]. In this case, the
innite place 1 of k(X ) splits into two extensions 11 and 12 in K . We know that O(X ) = k hi,
where 2 K is a fundamental unit. Denoting by v1 and v2 the corresponding normalized valuations
of K , we dene the regulator R of K over k with respect to O(X ) as R := jv1()j: Furthermore, we
have that h = Rh0 ; where h0 denotes the ideal class number of K with respect to O(X ) and h the
divisor class number of K . The completions of K with respect to 11 and 12 are isomorphic to
the eld of Puiseux series
p Fq ((1=X )). Also, K Fq ((1=X )). Let 11 be the place which corresponds
to the branch where 1 = 1. We then consider elementsPof K as Puiseux series at 11 in 1=X .
Now, let 2 Fq ((1=X )) be a non-zero element. Then = di=?1 ci X i with cd 6= 0. We denote by
deg() = d the degree of : We set deg(0) = ?1.
3.2. Ideals. For more details on the ideal arithmetic in real quadratic function elds we refer to
[SSW96, SW98]. The ring O(X ) is a Dedekind domain. Any
p (non-zero integral O(X )-)ideal can
be uniquely written in the form a = SQ k[X ] + (SP + S D) k[X ] ; where S; P;pQ 2 k[X ] with
Qj(D ? P 2 ), sgn(S ) = sgn(Q) = 1; and deg(P ) < deg(Q). The set fSQ; SP + S Dg is called a
k[X ]-basis of a: An ideal is called primitive if S = 1: If a is given in standard representation, then
the norm of a is dened by N (a) = sgn(QQS S ) 2 k[X ]: If a = () = O(X ) with 2 O(X ), we call
a a principal ideal. We say that two integral ideals a and b are equivalent, written a b, if there
exist some non-zero elements ; 2 O(X ) such that ()a = ( )b.
2
2
CATCHING KANGAROOS IN FUNCTION FIELDS
7
A primitive ideal a is called reduced, if deg N (a) g . Hence, each reduced ideal a can be uniquely
represented by a pair (Q; P ) of polynomials in k[X ], where Qj(D ? P 2 ), sgn(Q) = 1; i.e. Q = N (a),
and deg(P ) < deg(Q) g . For instance, O(X ) is a reduced principal ideal with representation
(1; 0). Throughout our computations, we will only be performingparithmetic with reduced principal
ideals, which will be represented by their k[x]-bases fQ; P + Dg. We denote by R the set
of reduced principal ideals. The continued fraction expansion of ideals starting at r1 = O(X )
produces all elements of R. This innite process is ultimately periodic with period p, and thus
R = fr1; : : : ; rpg, where rp+i = ri for i 2 N.
3.3. Distance. With each reduced principal ideal a = (), we associate a distance
(3.1)
(a) = (a; O(X )) := deg() :
From [SSW96] we know that is unique modulo R, and denes an order r1 = O(X ) < r2 < : : : <
rp < rp+1 < : : : of the reduced principal ideals. Furthermore, (ri) is strictly increasing with i, ;
more exactly, we have that 1 (ri+1 ) ? (ri ) g + 1. Note that (r2) = g + 1 and R = (rp+1 ).
Two reduced principal ideals a and b are equal if and only if
(a) (b) (mod R) :
Given any positive integer y , there certainly exists an index j 2 N such that
(rj ) y < (rj+1 ) :
We call (rj ) the closest ideal to y and denote it by a(y ). Note that 0 y ? (a(y )) g .
Finally, we can dene the discrete logarithm problem for real quadratic function elds as follows:
For any a 2 R, nd (a), 0 (a) < R.
3.4. Infrastructure. Shanks' infrastructure idea [Sha72] also applies to the set of reduced principal ideals in a real quadratic function eld. We dene an operation ? (a giant step ) on R as
follows: Let a = (Qa ; Pa) and b = (Qb ; Pb) be two reduced principal ideals. Firstly, compute the
ideal product ab = (S )c0, where c0 is a primitive principal ideal. Secondly, reduce c0 to obtain an
equivalent reduced principal ideal c. Put c = a ? b. If one knows the distances (a) and (b), then
(c) can be computed as well, and (c) = (a) + (b) + f , where ?2g f 0. In general, this
operation can be performed eciently in 19 g 2 + O(g ) operations in the nite eld k. Note that this
operation is not a group operation on R. Furthermore, given any real number y , we may compute
a(y) eectively in O(log n) giant steps.
3.5. An estimate of h. The idea is to determine integers E and L such that
jh ? E j < L2 :
Of course, L should be as small as possible. As in [SW98], we make use of the analogue of the
analytic class number formula for function elds and proceed with approximating h by truncated
Euler products. We know that
g +1 Y
h = (qq ? 1) 1 ? (P )1q ? deg(P ) ;
P
where P runs through all monic prime polynomials of k[X ] and (P ) = [D=P ] denotes the Legendre
symbol for polynomials of D over P . For n 2 N, we put
g +1
Y
1
E 0(n; D) = (qq ? 1)
1 ? (P )q ? deg(P )
P
deg(P )n
8
ANDREAS STEIN AND EDLYN TESKE
and E (n; D) = Ne(E 0(n; D)), where Ne(y ) denotes the nearest integer to y . Obviously, we have
that
Y
1
h = E 0(n; D)
:
1 ? (P )q ? deg(P )
P
deg(P )>n
By using similar techniques as in [SW98], we derive that
Y
1
log
? deg(P ) (n; D) ;
1
?
(
P
)
q
P
deg(P )>n
where
?
(n; D) = (2g +n1)+q1
We dene
L(n; D) =
q
(n+1)
2
?
+ O (2g +n1)+q1
E 0(n; D)(e (n;D) ? 1) + 21
;
(n+2)
2
!
:
n2N:
It immediately follows that
(3.2)
jh ? E (n; D)j < L2(n; D) ; n 2 N :
g
Furthermore, we have for suciently small values of g that L(n; D) = O(q ?n+14 ), since E (n; D) =
O(q g ). We discuss the optimal choice of n in the next section.
3.6. The computation of R and h. The algorithm of computing R and h consists of three steps.
First, we compute an approximation E = E (n; D) of h such that jh ? E j < L2 for some integer
L = L(n; D), as explained above. In the second step, we compute a multiple h0 = h R of R in
the interval ]E ? L2 ; E + L2 [. This can be done either by Shanks' baby step-giant step method as
described in [SW98], or by applying Pollard's lambda method to function elds (see below). In the
nal step, one determines h by factoring h0 and using the fact that a prime divisor r of h0 divides
h if and only if a(h0=r) = O(X ) : Once having computed h, one knows R = h0 =h. In general,
we expect R to be greater than 2L2 ? 2, in which case h0 = h and h = h0 . If R 2L2 ? 2, some
additional steps will produce the values of h and h0 .
The complexity of this algorithm is mainly determined by the rst and the second step. The running
time for the approximation is O(q n ). The multiple of the regulator can be computed in O(L(n; D))
operations by the baby step-giant-step method
or in expected running time O(L(n; D)) by Pollard's
g?n
), the optimal choice of n is n = Ne((2g ? 1)=5)
lambda method. Since L(n; D) = O(q
which yields a total (expected) running time of O(q (2g?1)=5). More exactly, the total running time
is O(q Ne((2g?1)=5)+), where = 0, 1=4, or 1=2, respectively, depending on whether g 0; 2; 3
(mod 5), g 1 (mod 5), or g 4 (mod 5).
2
2
+1
4
4. The Parallelized Lambda Method in Real Quadratic Function Fields
In this section we apply the parallelized lambda method to compute the the regulator
p R, and
0
hence the class numbers h and h , in a real quadratic function eld. Let k = k(X )( D) be a
real quadratic function eld. In view of (3.2), we let E = Ne(E 0(n; D)) and L = L(n; D) where
n = Ne((2g ? 1)=5). Then, h lies in the interval [E ? L2 +1; E + L2[ of length 2L2 ? 1. This estimate
for h and the distance (3.1) represent the necessary ingredients such that the lambda method can
be applied to compute a multiple of the regulator R in expected running time O(L). This works as
CATCHING KANGAROOS IN FUNCTION FIELDS
9
follows. We rst dene the set of jumps. Hereby, we have to take into account that (r2) = g + 1.
We put r0 = dlog2 (g + 1)e and r = blog2 Lc. Then, we let si = 2i+r for i 0, and
(4.1)
bi = a(si) ; 0 i r ? r0 :
We dene the set of jumps S = fb0 ; b1; : : : ; br?r g and let v : R ! f0; : : : ; r ? r0g be a hash
function. For instance, if the reduced principal ideal a is represented by (Q; P ), then we can take
v(a) to be the last coecient of the polynomial Q modulo (r ? r0 + 1).
A kangaroo Z (tame or wild) with starting point z0 then follows the path (zj ) of reduced principal
ideals such that
(4.2)
zj+1 = zj ? bv( j ) ; j 2 N0 :
In the beginning, we let 0 (Z ) = (z0) and, in general, we dene j (Z ) = (zj ) for j 1. By results
mentioned in Section 3.4, we have
(4.3)
j+1 (Z ) = j (Z ) + (bv( j )) + fj+1 (Z ) ; j 2 N0 ;
where fj +1 (Z ) is a computable integer with ?2g fj +1 (Z ) 0. With that denition, the distance
j (Z ) of Section 2 coincides with the distance of Section 3.3 in real quadratic function elds.
Notice that the reduced principal ideals bi and their distances (bi ) can assumed to be precomputed.
Let (Qi ; Pi) be their unique representation, then we store them as triples (Qi; Pi ; (bi)) for i =
0; 1; : : : ; r ? r0.
Having introduced the notation of kangaroos in real quadratic function elds, we can now follow
precisely the lines of Section 2 and dene tame and wild kangaroos. We just have to show how
to nd a multiple of the regulator. In the original setting of Pollard, we dene two kangaroos, a
tame kangaroo T following the path (tj ) with starting point t0 = a(E + L2) and a wild kangaroo
W traveling along the path (wj ) with starting point w0 = O(X ) = a(h). We keep track of the
distances j (T ) and j (W ), where E + L2 ? 0 (T ) g and 0 (W ) = 0. The tame kangaroo jumps
M steps and then stops at the nal resting spot tM , where it installs the trap. If it happens that
the wild kangaroo W falls into the trap, then there exists an index N such that tM = wN . Thus,
M (T ) N (W ) (mod R), i.e. M (T ) ? N (W ) is a (non-trivial) multiple of the regulator R.
Otherwise, the wild kangaroo is halted after a certain number of steps, and a new wild kangaroo
is started at a(z ) with a small value pof z . As in the general setting, we expect this process to
terminate after a total number of 3:28 2L2 ? 1 jumps.
The distinguished point method can be employed in an analogous way. We call a reduced principal
ideal a distinguished point if it satises some easily checkable property. For instance, we can ask for
a to be a distinguished point if and only if the last coecient of N (a) has a certain number of zero
bits. We denote the set of distinguished points by D. Whenever a kangaroo reaches a distinguished
point, we store the ideal together with its distance.
In the parallel setting of van Oorschot and Wiener, we proceed as in Section 2.1. Let m denote an
even number of processors, and let u = v = m=2. We then dene two herds of kangaroos, namely
m=2 tame kangaroos T0 ; : : : ; Tu?1 and m=2 wild kangaroos W0; : : : ; Wv?1. The tame kangaroos
are set o around E at starting points t0(Tk ) = a(E + k ), 0 k < u; with some small constant
> g + 1. The wild kangaroos start at w0 (Wk ) = a(k ); 0 k < v. Both herds now follow the
paths and keep track of the distances as in (4.2) and (4.3). When it happens that two members of
dierent herds reach the same distinguished
p 2 point, then we have found a multiple of the regulator.
This takes an expected number of 2 2L ? 1 + 1= jumps for each kangaroo.
0
0
z
z
4.1. Experimental Results. Our computations were run on a Sun SPARC Ultra 1=140 under
Solaris 2:5 by making use of the Computer Algebra System SIMATH [Zim97]. We computed
p the
0
regulator R and the class numbers h, h of a real quadratic function eld K = k(X )( D) over
10
ANDREAS STEIN AND EDLYN TESKE
k = Fq , where q is an odd prime. The discriminants D 2 k[X ] were random monic squarefree
polynomials of even degree.
We implemented the parallelized Pollard's lambda method successfully in the sense of van Oorschot
and Wiener as described in Section 4. We now provide examples for 2 and 20 kangaroos. We dene
a distinguished point to be a reduced ideal a forpwhich the lowest f = blog2 Lc=2 bits of the last
coecient of N (a) are 0. pThen = p1=2f 1= 2L2, and the expected number of distinguished
points to be stored is 2 2L2 2 2L2 . Note that this is only the square root of the space
requirement of the baby step-giant step algorithm.
In the rst example, we simulated two parallel processors by letting the kangaroos jump alternately.
There are only two kangaroos, a tame kangaroo T with starting point t0 (T ) = a(E ) and a wild
kangaroo W with starting point w0 (W ) = O(X ). For k = F1000003 and
D(X ) =X 8 + 468956X 7 + 37181X 6 + 932611X 5 + 318823X 4 + 84267X 3
+ 296096X 2 + 494421X + 144857 ;
we found that h = R = 999481471285346309 (18 digits) and h0 = 1. In course of the computation,
1326 distinguished points were reached. For the computation of the multiple of the regulator (in
this case, the regulator itself), both kangaroos together needed 8 minutes and 50 seconds to perform
680683 jumps each; hence, on two parallel processors this would have taken about 4 1=2 minutes.
The remaining steps to compute R, h, and h0 , including precomputations, only took 6 seconds.
In the second example, we worked with 20 kangaroos giving two herds of 10 kangaroos each that
perform jumps alternately. For k = F100000007 and
D(X ) =X 8 + 9888621X 7 + 40790591X 6 + 42899267X 5 + 87677365X 4 + 72847284X 3
+ 95244197X 2 + 14221927X + 7243290 ;
the regulator turned out to be R = 55554995017873220130683 (23 digits), and the divisor class
number h = 999989910321717962352294 was equal to the computed multiple h0 of R. Furthermore,
h0 = 18. A total of 50070 distinguished points were reached by the 20 kangaroos. Each kangaroo
performed 82475002 jumps, which in total took 58 hours, that is, about 2 hours and 54 minutes
for each kangaroo. Since the remaining steps only took 12 minutes, the total running time for
computing the divisor class number h of 25 digits on 20 parallel processors would have been 3
hours and 6 minutes. (Here, we did not take into account that the computation of E and L as in
(3.2), which mainly causes the running time of the remaining steps, can be easily parallelized as
well).
Based on the above observations, we estimate the running time with parallelized Pollard's lambda
method for the computation of 31-digit regulators and divisor class numbers. Assuming that there
are 40 SPARC 20 (or comparably fast) machines available, we predict a total expected running
time of 45 days. If we even have 40 SPARC ultra-60 available, which are approximately six times
faster, then we expect to need no more than 7:5 days.
4
4
5. Outlook
Pollard's lambda method also extends to imaginary quadratic function elds. In the case that D is
a monic, squarefree polynomial of degree 2g + 1, a simple birational transformation leads to a real
quadratic function eld over the same constant eld. Furthermore, the corresponding operation
on reduced ideals as described in Section 3.4 is a group operation (see [Can87, PS98]) so that
the parallelized lambda method as suggested by van Oorschot-Wiener and Pollard immediately
generalizes to any hyperelliptic function eld.
In Section 4, we were only considering the computation of the regulator and the class number
of a real quadratic function eld, since we are able to determine an interval for the divisor class
CATCHING KANGAROOS IN FUNCTION FIELDS
11
number. Of course, Pollard's lambda method also applies to solving the discrete logarithm problem
in real quadratic function elds provided that one knows that the discrete logarithm lies in a given
interval. A generalization of Pollard's rho method and its parallelized versions (see [Pol78, Tes98,
vOW99, Pol]) to function elds can be employed as well by applying similar ideas as in Section
4. We suggest this method for the case that one has no additional information on the size of the
regulator or the class numbers.
References
[Can87] D. G. Cantor, Computing in the jacobian of a hyperelliptic curve, Mathematics of Computation 48 (1987),
95{101.
[LiD97] LiDIA Group, Technische Universitat Darmstadt, Darmstadt, Germany, LiDIA - a library for computational
number theory, version 1.3, 1997.
[Pol] J. M. Pollard, Kangaroos, monopoly and discrete logarithms, preprint.
[Pol78] J. M. Pollard, Monte Carlo methods for index computation (mod p), Mathematics of Computation 32 (1978),
no. 143, 918{924.
[PS98] S. Paulus and A. Stein, Comparing real and imaginary arithmetics for divisor class groups of hyperelliptic
curves, Algorithmic Number Theory Seminar ANTS-III, Lecture Notes in Computer Science, vol. 1423,
Springer-Verlag, 1998, pp. 576{591.
[Sha72] D. Shanks, The infrastructure of a real quadratic eld and its applications, Proc. 1972 Number Th. Conf.,
Boulder, Col., 1972, pp. 217{224.
[SSW96] R. Scheidler, A. Stein, and H. C. Williams, Key-exchange in real quadratic congruence function elds,
Designs, Codes and Cryptography 7 (1996), 153{174.
[ST] A. Stein and E. Teske, The parallelized Pollard lambda method in real quadratic elds, unpublished manuscript.
[SW98] A. Stein and H. Williams, An improved method of computing the regulator of a real quadratic function eld,
Algorithmic Number Theory Seminar ANTS-III, Lecture Notes in Computer Science, vol. 1423, SpringerVerlag, 1998, pp. 607{620.
[SZ91] A. Stein and H. G. Zimmer, An algorithm for determining the regulator and the fundamenta l unit of a
hyperelliptic congruence function eld, Proc. 1991 Int. Symp. on Symbolic and Algebraic Computation,
ISAAC, Bonn, July 15-17, ACM Press, 1991, pp. 183{184.
[Tes98] E. Teske, Speeding up Pollard's rho method for computing discrete logarithms, Algorithmic Number Theory
Seminar ANTS-III, Lecture Notes in Computer Science, vol. 1423, Springer-Verlag, 1998, pp. 541{554.
[vOW99] P. C. van Oorschot and M. J. Wiener, Parallel collision search with cryptanalytic applications, Journal of
Cryptology 12 (1999), 1{28.
[Zim97] H. G. Zimmer et al., Simath manual, 1997, Universitat des Saarlandes, Saarbrucken, Germany.
University of Waterloo, Department of Combinatorics and Optimization, Waterloo, Ontario, Canada
N2L 3G1
E-mail address : fastein,[email protected]