1. No category

Catching Kangaroos in Function Fields

Catching Kangaroos in Function Fields
Catching Kangaroos in Function Fields
Andreas Stein, Edlyn Teske
Centre for Applied Cryptographic Research
University of Waterloo
Waterloo, Ontario N2L 3G1, Canada
fastein,[email protected]
March 15, 1999
1 Introduction
In this paper we generalize the parallelized lambda method for computing invariants in
real quadratic function elds.
A basic such invariant is the regulator, which plays an important role in cryptosystems
based on real quadratic function elds. For example, in the key-exchange protocol by
Scheidler, Stein and Williams [SSW96], the regulator provides a measure for the key space;
moreover, computation of the regulator is an instance of solving the discrete logarithm
problem in real quadratic function elds.
Pollard's lambda method [Pol78], also called the method of catching kangaroos, was originally developed to compute discrete logarithms in Z=pZand has been canonically generalized to solve the discrete logarithm problem in any nite abelian group. The key
ingredient for the lambda method is that we know that the discrete logarithm lies in
p
a given interval [a; b[; then the expected running time is O( b ? a) group operations.
Van Oorschot and Wiener [vOW99] have shown that the lambda method can be parallelized with linear speed-up, which makes the method attractive for distributed attacks.
Catching Kangaroos in Function Fields
2
It is important to note that the lambda method is very space ecient, which is its basic
advantage over square-root attacks based on Shanks' baby step-giant step method.
The objects with which we deal in real quadratic function elds are reduced principal
ideals, which do not constitute a group. However, the baby step-giant step method could
be eciently adapted to this setting by dening analogues of baby steps and giant steps
that make use of the ideal arithmetic (see [SZ91]). The disadvantage of this method is
that the space restrictions of the machines constitute a bound on how large regulators can
be computed. Currently, this bound is at about 25 digits ([SW98]). It is therefore natural
to ask whether such a space ecient method as the lambda method can be employed to
real quadratic function elds. In this paper we show that this indeed can be done. This
allows us to push the range for regulator computation much further. In fact, we estimate
that with the parallelized Pollard lambda attack on a network of 40 fast machines, a
31-digit regulator can be computed within a week.
In the following, we rst give an overview of the lambda method and its parallelization,
where we deal with both the variant of van Oorschot and Wiener [vOW99] and Pollard
[Pol]. We keep this exposition as general as possible. Since no experimental results with
the parallelized lambda method (not to mix with the parallelized rho method!) have
been published so far, we also include some statistics about experiments with elliptic
curve groups showing that the practical performance essentially matches the theoretical
predictions. Then, in Section 3, we give the basic denitions and facts needed about real
quadratic function elds. In Section 4 we specialize the lambda method for the problem of
regulator and class number computation in function elds and give experimental results.
For the full version of this paper, we refer to [ST].
2 The Parallelized Pollard Lambda Method
Let G be a nite cyclic group generated by the group element g, and let h 2 G. Then
there exists a least positive number x such that h = gx. This number x is usually called
the discrete logarithm , or index , of h to the base g. In the special case that h = 1, we call
x the order of g. We want to compute x. Let us assume that we know integers a and b
such that a x < b. This is the setting for which Pollard [Pol78] has designed his lambda
method: The idea is to dene two kangaroos, a tame kangaroo T with starting point
Catching Kangaroos in Function Fields
3
t = gb and a wild kangaroo W with starting point w = h. In terms of the exponents of
g, T starts at the upper end of the interval [a; b[, while W starts at an unknown spot x.
Let (T ) = b, the initial distance of T from the origin, and (W ) = 0, the initial distance
of W from h. Let S = fgs ; : : : ; gsr g be a set of jumps, and let v : G ! f1; : : : ; rg be a
hash function. We think of the exponents si as travel distances, which should be small
in comparison with the length b ? a of the interval; Pollard [Pol78] suggested that the
powers of two (starting with 2 ) up to a certain size to be specied below might be a good
choice. Now we let the tame kangaroo travel through the group, following the path
0
0
0
0
1
0
tj = tj gsv tj ;
+1
(
j2N :
)
(2.1)
0
While computing the path (tj ), we keep track of the distances j (T ),
j (T ) = j (T ) + sv tj ;
+1
(
)
j2N :
0
(2.2)
Hence, tj = gj (T ), for each j 2 N0 . After a certain number of jumps, the tame kangaroo
stops and installs a trap at its nal spot, say tM . Then the wild kangaroo is set o,
following the path
wj = wj gsv wj ;
+1
(
j2N ;
)
(2.3)
0
with the distances j (W ) given by
j (W ) = j (W ) + sv wj ;
+1
(
)
j2N :
0
(2.4)
Then wj = h gj (W ) (j 2 N0 ). Hence, in terms of the exponents of g, at each stage we
know the exact position of T , but we do not know the position of W since its starting spot
x is unknown; this is why W is wild. After each jump it is checked whether W has fallen
into the trap. If this is the case, say at wN , the equation tM = wN immediately yields
a solution of gx = h, namely x = M (T ) ? N (W ). Otherwise, after a certain number of
jumps the wild kangaroo is halted, and a new wild kangaroo with starting point w0 = hgz
and initial distance 0(W ) = z (z small) is set o. If W falls into T 's trap, this means
that the paths of the two kangaroos must have met earlier during the travel, from which
point on they have been identical. In this case, if we draw the two paths on a piece of
paper starting at the bottom left and the bottom right, respectively, we obtain the Greek
letter lambda, whence the name of the method. Van Oorschot and Wiener [vOW99] have
analyzed this method and found out that the running time is expected to be minimal if the
Catching Kangaroos in Function Fields
p
4
p
mean value of S is approximately ( b ? a)=2, and if T makes approximately 0:7 b ? a
p
jumps before placing the trap. Then after about 2:7 b ? a jumps of the wild kangaroo,
W either must have fallen into the trap, which happens with probability 0:75, or it
must have safely passed the trap and should be halted. The expected total running time
p
amounts to 3:28 b ? a group operations. The algorithm has to store the set S and the
current positions of the two kangaroos; we have jS j = O(log(b ? a)) if the exponents si
are powers of two.
2.1 The van Oorschot-Wiener parallelization
In the same paper [vOW99], van Oorschot and Wiener improved on the above result by
applying a distinguished point method . Their technique suits both for a serial application
of the lambda method and for its ecient parallelization. The idea is to call a group
element (="point") distinguished if it satises some easily checkable property. Whenever
a kangaroo hits a distinguished point, say tj or wj , it is stored, together with the corresponding distance j . In the parallel setting, this information is sent to a central server;
in this case, the name of the corresponding kangaroo should be included to be able to deal
with collisions between members of the same herd. As soon as the same distinguished
point has been found by both a tame and a wild kangaroo, the discrete logarithm can be
derived from the corresponding distances. We describe this method in more detail. Let
m denote the number of processors. Let us rst assume that m is even. We work with
u = m=2 tame and v = m=2 wild kangaroos. The tame kangaroos T0; : : : ; Tu?1 start at
and shortly after the middle of the interval, at positions t0(Tk) = g(a+b)=2+k , 0 k < u,
with some small constant . ( should be chosen with some care to reduce the possibility of collisions of kangaroos of the same herd. For example, we should have 6= si,
i = 0; : : : ; r.) The wild kangaroos W0; : : : ; Wv?1 start at w0(Wk ) = h gk , 0 k < v,
which means that their expected starting points are also at and shortly after the middle
of the interval, and the expected initial distance between the herds of the tame and the
wild kangaroos is (b ? a)=4. Then the kangaroos follow paths as in (2.1) and (2.3), where
again we keep track of the distances (2.2) and (2.4), just as in the original lambda method
described above.
According to the analysis of van Oorschot and Wiener, the expected running time until
two dierent kangaroos hit the same distinguished point is minimal if the mean value of
Catching Kangaroos in Function Fields
5
p
the exponents si in S is approximately m( b ? a)=4. In this case, with denoting the
proportion of points that satisfy the distinguishing property, it takes an expected number
p
of approximately 2( b ? a)=m + 1= jumps on each processor. If m is odd or not known
(which may be the case in an attack distributed over the Internet), we can simulate 2m
half-speed processors by alternating between jumps of one tame and one wild kangaroo.
p
This takes an expected number of 2( b ? a)=m + 2= jumps on each (real) processor.
However, for a given problem, this number may be smaller or larger, even if average values
are considered. This is because the analysis assumes that the distance between the herds
of tame and the wild kangaroos is close to (b ? a)=4, that is x (a + b)=2 (b ? a)=4. For
p
jx ? (a + b)=2j = (b ? a)=l, the expected running time changes to (1+4=l)( b ? a)=m +1=
jumps on each processor (m even). That is, the closer x is to the middle of the interval,
the smaller the expected running time is, and vice versa.
On comparing the expected number of jumps (= group operations)
for the lambda method
p
using distinguished points with the expected number of ( ord g=2)=m + 1= group
operations for the parallelized rho method (cf. [vOW99]), we see that the lambda method
is expected to be faster if b ? a < =8 ord g 0:39 ord g.
The parallelization of van Oorschot and Wiener does not exclude collisions between kangaroos of the same herd. Such collisions do not reveal any information about the value x
to be computed. Since the kangaroos travel on the same paths once they have collided,
computing power is wasted if not one partner in the collision is halted as soon as it is
detected. Halting a kangaroo (with the purpose to restart it at a new starting point)
requires a message from the central server to the corresponding machine, an eort which
we would like to avoid.
2.2 Pollard's parallelization
Pollard [Pol] altered the van Oorschot-Wiener method of parallelization such that collisions between kangaroos of the same herd cannot occur. His method works as follows. Let
m be the number of processors and let u and v denote the numbers of tame and wild kangaroos, respectively. We choose u and v to be coprime, nearly equal and such that u + v m.
The powers of g in the set of jumps are multiples of uv: S = fgs uv ; gs uv ; : : : ; gsr uv g. As
before, the tame kangaroos T0; : : : ; Tu?1 are set o at and shortly after the middle of
1
2
Catching Kangaroos in Function Fields
6
the interval, now at positions t0(Ti) = g(a+b)=2+iv , 0 i < u, and the wild kangaroos
W0; : : : ; Wv?1 start at positions w0(Wk ) = h gku , 0 k < v. Then they travel through
the group just as before. Since the equation
(a + b)=2 + iv = x + ku mod uv
(x = logg h)
has a unique solution in i (mod u) and k (mod v), there is exactly one pair (Ti; Wk ) of
kangaroos that travel in the same residue class modulo uv; this is the only pair which
can meet. No two tame and no two wild kangaroos can meet each other. Hence, as
soon as any two kangaroos have met and a distinguished point tj (Ti) = wj (Wk ) has been
found, the unknown x can be determined from the starting points t0(Ti) and w0(Wk ) and
distances j (Ti) and j (Wk ). Pollard's analysis of this methodpshows that the optimal
choice for S is such that the mean value of the
s is close to ( (b ? a)=uv)=2. Then it
p i
takes an expected number of approximately ( (b ? a)=(uv))B (S ) + 1= jumps on each
processor. Here, B (S ) is a correction factor depending on the choice of S ; Pollard [Pol]
gives experimental evidence that B (S ) 1 if the exponents si in S are the consecutive
powers of 2 or 4 (starting with 20 resp. 40) and jS j 6. Since both u and v are close
to m=2, this then gives essentially the same expected running time as for the method by
van Oorschot and Wiener.
0
0
2.3 The parallelized Pollard lambda method in practice
There are a couple of aspects to consider when it comes to actually implementing a parallelized Pollard lambda attack. We begin with some typical experimental data, shown
in Tables 1 { 3, to illustrate our discussion. Using the computer algebra system LiDIA
[LiD97], we implemented both the van Oorschot-Wiener and the Pollard variants of parallelization for groups of points of elliptic curves over nite elds, to compute the group
order.
In our rst example we work with the curve y2 = x3 + 7x + 13 dened over the nite
eld Fp with the 15-digit prime p = 100000005000197; the point group E7;13(Fp ) is cyclic.
A theorem due to Hasse says that its order n satises the inequality jn ? p ? 1j 2pp; in fact n = 100000015380435. We choose a random point P on the curve and
we use the parallelized lambda method to nd a multiple of its order in the interval
[p + 1 ? 2pp; p + 2 + 2pp[. Note that if ord P > 4pp, then the unique multiple of ord P
Catching Kangaroos in Function Fields
7
in the interval must be the group order. In our example, the length of the interval is
approximately 4 107 , and we have jn ? p ? 1j = 4pp=l with l = 3:853:::. This means that
the distance between the herd of tame kangaroos, set o near (p + 1) P , and the herd
of wild kangaroos, set o near the neutral element O of E7;13(Fp ), is approximately pp,
which is the distance on which the running time analysis in [vOW99] and [Pol] is based.
Then the expected running time is 4 p1=4 =m + 1= = 12649=m + 1= jumps/kangaroo.
We work with four and 20 kangaroos. We use various sizes for the sets of distinguished
points, from = 1; 2?1 ; : : : to 2?12 . For the jump distances si we choose the powers of
two (van Oorschot/Wiener), respectively powers of two multiplied by uv with u = m=2 ? 1
and v = m=2 + 1 (Pollard), and such that the mean value of the si is as close as possible
to the respective optimal values indicated above. In the van Oorschot-Wiener variant, we
work with = 13 as distance between the starting points of two consecutive kangaroos
of the same herd; whenever two tame or two wild kangaroos meet (which is signalled
by their nding the same distinguished point), one of these two kangaroos is halted and
set o at a new starting point. For each order computation, we count the number of
jumps of each kangaroo until any pair of tame and wild kangaroos has found the same
distinguished point, and the total number of distinguished points found by all kangaroos.
Table 1 shows the average values taken over 100 such runs; here we considered only those
runs with points P whose order exceeded 4pp. Note that in the van Oorschot-Wiener
variant, there were in average two collisions between kangaroos of the same herd, both
for m = 4 and for m = 20.
In our second example, we work with the curve y2 = x3 + 5x + 17 dened over Fp ,
where p = 100000000000000500053 (21 digits). E5;17(Fp ) is cyclic of group order n =
99999999991517342872. Hence, jn ? p ? 1j = 4pp=l with l = 4:715:::. This means that
the distance between the herds of tame and wild kangaroos is smaller than pp, and we
expect an average running time of only about 3:7 p1=4=m + 1= jumps for each kangaroo.
With m = 20 kangaroos, we conduct the same computations as in the rst example. The
average values of the results, taken over 100 computations with ord P > 4pp, are shown
in Table 2. This time there was an average of three collisions between kangaroos of the
same herd (in the van Oorschot-Wiener variant).
We nd it necessary to include a third example. Here, the curve is y2 = x3 + 13x + 5
over Fp with the 16-digit prime p = 1000000000000037. The group E5;17(Fp ) is cyclic and
Catching Kangaroos in Function Fields
8
1 2?1 2?2 2?3 2?4 2?5 2?6 2?7 2?8
4 kangaroos. Expected: 1=4 = 3162 + 1 jumps/kangaroo
van Oorschot-Wiener variant
15495 7758 3884 1939 969 486 246 126 66
3874 3876 3878 3884 3900 3929 3976 4056 4273
Pollard's variant
16899 8464 4233 2119 1061 534 268 137 70
4225 4226 4227 4231 4240 4254 4292 4362 4492
20 kangaroos. Expected: 1=4 5 = 632 + 1 jumps/kangaroo
van Oorschot-Wiener variant
12671 6349 3190 1606 811 412 214 116 64
633 634 636 640 649 663 696 758 860
Pollard's variant
16384 7792 3906 1965 991 509 267 143 80
778 779 781 784 792 814 848 915 1018
p
dist. points
jumps/kang.
dist. points
jumps/kang.
p
dist. points
jumps/kang.
dist. points
jumps/kang.
2?10 2?12
=
=
19
6
5096 8685
20
9
5245 8323
=
23 10
1327 2607
34 21
1723 4347
Table 1: E7;13(Fp ) with p = 100000005000197. Order computation.
2?2 2?3 2?4 2?5 2?6 2?7 2?8 2?10 2?12
20 kangaroos. Expected: 3 7 1=4 20 = 18500 + 1 jumps/kangaroo
van Oorschot-Wiener variant
dist. points
91312 45675 22851 11437 5730 2876 1448 377 107
jumps/kang. 18260 18266 18276 18289 18325 18388 18511 19288 22308
Pollard's variant
dist. points 104559 52270 26147 13078 6551 3289 1653 428 121
jumps/kang. 20916 20920 20928 20945 20983 21053 21191 21779 24643
:
p
=
=
Table 2: E5;17(Fp ) with p = 100000000000000500053. Order computation.
Catching Kangaroos in Function Fields
9
1 2?1 2?2 2?3 2?4 2?5 2?6 2?7
8 kangaroos. Expected: 3796 + 1 jumps/kangaroo
van Oorschot-Wiener variant
dist. points 41325 20671 10332 5162 2582 1292 651 329
jumps/kang. 5166 5167 5170 5175 5184 5206 5257 5332
Pollard's variant
dist. points 36215 18125 9063 4538 2270 1142 576 291
jumps/kang. 4527 4528 4530 4533 4543 4560 4597 4660
2?8 2?10 2?12
=
165 45 14
5459 6245 8539
148 43 17
4805 5568 8660
Table 3: E13;5(Fp ) with p = 1000000000000037. Order computation.
has order n = 1000000058247036. This time the distance between the herds of tame and
wild kangaroos is larger than pp. Indeed, we have jn ? p ? 1j = 4pp=l with l = 2:287:::.
We then expect about 5:4 p1=4=m + 1= jumps for each kangaroo. Our results, this time
for m = 8 kangaroos, are shown in Table 3. As before, all averages are taken over 100
computations. In the van Oorschot-Wiener variant, we observed an average of as many
as four collisions between members of the same herd.
2.3.1 Which variant: van Oorschot-Wiener or Pollard?
Our experimental data suggest that with both variants, we achieve an almost linear speedup. The Pollard variant of parallelization has the advantage that collisions between kangaroos of the same herd are impossible. In the van Oorschot-Wiener variant we do have
to deal with such collisions, which requires communication from the central server to the
processors. On the other hand, this variant allows that additional kangaroos (=processors) can join a parallelized lambda attack at any stage and contribute with each single
distinguished point they nd. Thus, it mainly depends on the application which variant
suits better.
2.3.2 The distinguished point set
A simple way to implement the distinguished point set is to dene a point to be distinguished if the f lowest bits in the representation of the point as a binary string are zero.
Catching Kangaroos in Function Fields
10
Then the proportion of distinguished points is = 1=2f . In our experiments, we worked
with f = 0; : : : ; 12. Our results match the theoretical predictions how eects the running time. In general, f should be chosen small enough such that 1= = 2f is small
p
compared with b ? a, but not too small since the algorithm has to store an expected
p
number of 2 b ? a distinguished points.
2.3.3 The jump distances
Our experimental results suggest that choosing the exponents si as powers of two in
principal works ne. However, is might be possible to achieve some improvement by
choosing other jump distances.
2.3.4 Choice of in the van Oorschot-Wiener variant
In the experiments shown in our tables, we worked only with = 13. Working with other
choices of such as the primes 31, 1031, 1000031 yielded almost identical results.
3 A Brief Introduction into Real Quadratic Function Fields
3.1 Basic denitions
Let k = Fq be a nite eld of odd characteristic with q elements. A hyperelliptic function
eld over the constant eld k of genus g is a quadratic
extension of the rational function
p
eld over k in one variable, i.e. K = k(X )( D), where D = D(X ) is a squarefree
polynomial of degree 2g + 1 or 2g + 2. If D is a squarefree polynomial of degree 2g + 2
whose leading coecient is a square in k, then K is called a real quadratic function eld
over k, and otherwise imaginary quadratic .
p
Let D be a monic, squarefree polynomial of degree 2g +2 so that K = k(X )( D) is apreal
quadratic function eld over k with respect to the real quadratic order O(X ) = k[X ][ D].
In this case, the innite place 1 of k(X ) splits into two extensions 11 and 12 in K . We
know that O(X ) = k hi, where 2 K is a fundamental unit. Denoting by v1 and v2
the corresponding normalized valuations of K , we dene the regulator R of K over k with
Catching Kangaroos in Function Fields
11
respect to O(X ) as R := jv1()j: Furthermore, we have that h = Rh0 ; where h0 denotes
the ideal class number of K with respect to O(X ) and h the divisor class number of K .
The completions of K with respect to 11 and 12 are isomorphic to the eld of Puiseux
series Fq ((1=X )).
p Also, K Fq ((1=X )). Let 11 be the place which corresponds to the
branch where 1 = 1. We then consider elements of K as Puiseux series at 11 in 1=X .
P
Now, let 2 Fq ((1=X )) be a non-zero element. Then = di=?1 ciX i with cd 6= 0. We
denote by deg() = d the degree of : We set deg(0) = ?1.
3.2 Ideals
For more details on the ideal arithmetic in real quadratic function elds we refer to
[SSW96, SW98]. The ring O(X ) is a Dedekind domain. Any (non-zero
p integral O(X ))ideal can be uniquely written in the form a = SQ k[X ] + (SP + S D) k[X ] ; where
S; P; Q 2 k[Xp] with Qj(D ? P 2), sgn(S ) = sgn(Q) = 1; and deg(P ) < deg(Q). The set
fSQ; SP + S Dg is called a k[X ]-basis of a: An ideal is called primitive if S = 1: If a is
given in standard representation, then the norm of a is dened by N (a) = sgnQ(SQ S ) 2
k[X ]: If a = () = O(X ) with 2 O(X ), we call a a principal ideal. We say that two
integral ideals a and b are equivalent, written a b, if there exist some non-zero elements
; 2 O(X ) such that ()a = ( )b.
2
2
A primitive ideal a is called reduced, if deg N (a) g. Hence, each reduced ideal a can
be uniquely represented by a pair (Q; P ) of polynomials in k[X ], where Qj(D ? P 2),
sgn(Q) = 1; i.e. Q = N (a), and deg(P ) < deg(Q) g. For instance, O(X ) is a reduced
principal ideal with representation (1; 0). Throughout our computations, we will only be
performing arithmetic
p with reduced principal ideals, which will be represented by their
k[x]-bases fQ; P + Dg. We denote by R the set of reduced principal ideals. The
continued fraction expansion of ideals starting at r1 = O(X ) produces all elements of
R. This innite process is ultimately periodic with period p, and thus R = fr1; : : : ; rp g,
where rp+i = ri for i 2 N.
Catching Kangaroos in Function Fields
12
3.3 Distance
With each reduced principal ideal a = (), we associate a distance
(a) = (a; O(X )) := deg() :
(3.1)
From [SSW96] we know that is unique modulo R, and denes an order r1 = O(X ) <
r2 < : : : < rp < rp+1 < : : : of the reduced principal ideals. Furthermore, (ri) is strictly
increasing with i, ; more exactly, we have that 1 (ri+1) ? (ri) g + 1. Note that
(r2) = g + 1 and R = (rp+1). Two reduced principal ideals a and b are equal if and only
if
(a) (b) (mod R) :
Given any positive integer y, there certainly exists an index j 2 N such that
(rj ) y < (rj ) :
+1
We call (rj ) the closest ideal to y and denote it by a(y). Note that 0 y ? (a(y)) g.
Finally, we can dene the discrete logarithm problem for real quadratic function elds as
follows: For any a 2 R, nd (a), 0 (a) < R.
3.4 Infrastructure
Shanks' infrastructure idea [Sha72] also applies to the set of reduced principal ideals in a
real quadratic function eld. We dene an operation ? (a giant step ) on R as follows: Let
a = (Qa; Pa) and b = (Qb; Pb) be two reduced principal ideals. Firstly, compute the ideal
product ab = (S )c0, where c0 is a primitive principal ideal. Secondly, reduce c0 to obtain
an equivalent reduced principal ideal c. Put c = a ? b. If one knows the distances (a) and
(b), then (c) can be computed as well, and (c) = (a) + (b) + f , where ?2g f 0.
In general, this operation can be performed eciently in 19 g2 + O(g) operations in the
nite eld k. Note that this operation is not a group operation on R. Furthermore, given
any real number y, we may compute a(y) eectively in O(log n) giant steps.
Catching Kangaroos in Function Fields
13
3.5 An estimate of h
The idea is to determine integers E and L such that
jh ? E j < L2 :
Of course, L should be as small as possible. As in [SW98], we make use of the analogue
of the analytic class number formula for function elds and proceed with approximating
h by truncated Euler products. We know that
g +1 Y
h = (qq ? 1) 1 ? (P1)q? deg(P ) ;
P
where P runs through all monic prime polynomials of k[X ] and (P ) = [D=P ] denotes
the Legendre symbol for polynomials of D over P . For n 2 N, we put
g +1
Y
1
E 0(n; D) = (qq? 1)
1 ? (P )q? deg(P )
P
deg(P ) n
and E (n; D) = Ne(E 0(n; D)), where Ne(y) denotes the nearest integer to y. Obviously,
we have that
Y
1
h = E 0(n; D)
1 ? (P )q? deg(P ) :
P
deg(P )>n
By using similar techniques as in [SW98], we derive that
Y
1
log
? deg(P ) (n; D) ;
1
?
(
P
)
q
P
deg(P )>n
where
?
(n; D) = (2g +n1)+q1
We dene
L(n; D) =
q
(n+1)
2
E 0(n; D)(e
?
+ O (2g +n1)+q1
(n;D )
? 1) +
1
2
;
(n+2)
2
!
:
n2N:
It immediately follows that
jh ? E (n; D)j < L2(n; D) ; n 2 N :
(3.2)
Furthermore, we have for suciently small values of g that L(n; D) = O(q g ? n ), since
E (n; D) = O(qg ). We discuss the optimal choice of n in the next section.
2
+1
4
Catching Kangaroos in Function Fields
14
3.6 The computation of R and h
The algorithm of computing R and h consists of three steps. First, we compute an
approximation E = E (n; D) of h such that jh ? E j < L2 for some integer L = L(n; D), as
explained above. In the second step, we compute a multiple h0 = hR of R in the interval
]E ? L2; E + L2[. This can be done either by Shanks' baby step-giant step method
as described in [SW98], or by applying Pollard's lambda method to function elds (see
below). In the nal step, one determines h by factoring h0 and using the fact that a
prime divisor r of h0 divides h if and only if a(h0=r) = O(X ) : Once having computed
h, one knows R = h0=h. In general, we expect R to be greater than 2L2 ? 2, in which
case h0 = h and h = h0. If R 2L2 ? 2, some additional steps will produce the values
of h and h0.
The complexity of this algorithm is mainly determined by the rst and the second step.
The running time for the approximation is O(qn ). The multiple of the regulator can be
computed in O(L(n; D)) operations by the baby step-giant-step method or in expected
running time O(L(n; D)) by Pollard's lambda method. Since L(n; D) = O(q g ? n ), the
optimal choice of n is n = Ne((2g ? 1)=5) which yields a total (expected) running time of
O(q(2g?1)=5). More exactly, the total running time is O(qNe((2g?1)=5)+), where = 0, 1=4,
or 1=2, respectively, depending on whether g 0; 2; 3 (mod 5), g 1 (mod 5), or g 4
(mod 5).
2
+1
4
4 The Parallelized Lambda Method in Real Quadratic
Function Fields
In this section we apply the parallelized lambda method to compute the the regulator
R, andp hence the class numbers h and h0, in a real quadratic function eld. Let k =
k(X )( D) be a real quadratic function eld. In view of (3.2), we let E = Ne(E 0(n; D))
and L = L(n; D) where n = Ne((2g ? 1)=5). Then, h lies in the interval [E ? L2 +1; E + L2[
of length 2L2 ? 1. This estimate for h and the distance (3.1) represent the necessary
ingredients such that the lambda method can be applied to compute a multiple of the
regulator R in expected running time O(L). This works as follows. We rst dene
the set of jumps. Hereby, we have to take into account that (r2) = g + 1. We put
Catching Kangaroos in Function Fields
15
r = dlog (g + 1)e and r = blog Lc. Then, we let si = 2i
0
2
+r0
2
b = a(s ) ;
i
for i 0, and
0 i r ? r0 :
i
(4.1)
We dene the set of jumps S = fb0; b1; : : : ; br?r g and let v : R ! f0; : : : ; r ? r0g be
a hash function. For instance, if the reduced principal ideal a is represented by (Q; P ),
then we can take v(a) to be the last coecient of the polynomial Q modulo (r ? r0 + 1).
0
A kangaroo Z (tame or wild) with starting point z0 then follows the path (zj ) of reduced
principal ideals such that
z =z ?b
j +1
j
v (zj )
;
j2N :
(4.2)
0
In the beginning, we let 0(Z ) = (z0) and, in general, we dene j (Z ) = (zj ) for j 1.
By results mentioned in Section 3.4, we have
j (Z ) = j (Z ) + (bv j ) + fj (Z ) ;
+1
(z )
+1
j2N ;
0
(4.3)
where fj+1(Z ) is a computable integer with ?2g fj+1(Z ) 0. With that denition,
the distance j (Z ) of Section 2 coincides with the distance of Section 3.3 in real quadratic
function elds.
Notice that the reduced principal ideals bi and their distances (bi) can assumed to be
precomputed. Let (Qi; Pi ) be their unique representation, then we store them as triples
(Qi; Pi; (bi)) for i = 0; 1; : : : ; r ? r0.
Having introduced the notation of kangaroos in real quadratic function elds, we can
now follow precisely the lines of Section 2 and dene tame and wild kangaroos. We just
have to show how to nd a multiple of the regulator. In the original setting of Pollard,
we dene two kangaroos, a tame kangaroo T following the path (tj ) with starting point
t0 = a(E + L2) and a wild kangaroo W traveling along the path (wj ) with starting
point w0 = O(X ) = a(h). We keep track of the distances j (T ) and j (W ), where
E + L2 ? 0(T ) g and 0(W ) = 0. The tame kangaroo jumps M steps and then
stops at the nal resting spot tM , where it installs the trap. If it happens that the wild
kangaroo W falls into the trap, then there exists an index N such that tM = wN . Thus,
M (T ) N (W ) (mod R), i.e. M (T ) ? N (W ) is a (non-trivial) multiple of the regulator
R. Otherwise, the wild kangaroo is halted after a certain number of steps, and a new wild
Catching Kangaroos in Function Fields
16
kangaroo is started at a(z) with a small value of z. As in the general setting, we expect
p
this process to terminate after a total number of 3:28 2L2 ? 1 jumps.
The distinguished point method can be employed in an analogous way. We call a reduced
principal ideal a distinguished point if it satises some easily checkable property. For
instance, we can ask for a to be a distinguished point if and only if the last coecient of
N (a) has a certain number of zero bits. We denote the set of distinguished points by D.
Whenever a kangaroo reaches a distinguished point, we store the ideal together with its
distance.
In the parallel setting of van Oorschot and Wiener, we proceed as in Section 2.1. Let
m denote an even number of processors, and let u = v = m=2. We then dene two
herds of kangaroos, namely m=2 tame kangaroos T0; : : : ; Tu?1 and m=2 wild kangaroos
W0; : : : ; Wv?1 . The tame kangaroos are set o around E at starting points t0(Tk ) =
a(E + k ), 0 k < u; with some small constant > g + 1. The wild kangaroos start
at w0(Wk ) = a(k ); 0 k < v. Both herds now follow the paths and keep track of the
distances as in (4.2) and (4.3). When it happens that two members of dierent herds
reach the same distinguished point,
p 2then we have found a multiple of the regulator. This
takes an expected number of 2 2L ? 1 + 1= jumps for each kangaroo.
4.1 Experimental Results
Our computations were run on a Sun SPARC Ultra 1=140 under Solaris 2:5 by making
use of the Computer Algebra System SIMATH [Zim97]. We computedpthe regulator R
and the class numbers h, h0 of a real quadratic function eld K = k(X )( D) over k = Fq ,
where q is an odd prime. The discriminants D 2 k[X ] were random monic squarefree
polynomials of even degree.
We implemented the parallelized Pollard's lambda method successfully in the sense of van
Oorschot and Wiener as described in Section 4. We now provide examples for 2 and 20
kangaroos. We dene a distinguished point to be a reduced ideal a for which pthe lowest
f = blog2 Lc=2 bits of the last coecient of N (a) are 0. Thenp = 1=2fp 1= 2L2 , and
the expected number of distinguished points to be stored is 2 2L2 2 2L2. Note that
this is only the square root of the space requirement of the baby step-giant step algorithm.
4
4
Catching Kangaroos in Function Fields
17
In the rst example, we simulated two parallel processors by letting the kangaroos jump
alternately. There are only two kangaroos, a tame kangaroo T with starting point t0(T ) =
a(E ) and a wild kangaroo W with starting point w0(W ) = O(X ). For k = F1000003 and
D(X ) =X + 468956X + 37181X + 932611X + 318823X + 84267X
+ 296096X + 494421X + 144857 ;
8
7
6
5
4
3
2
we found that h = R = 999481471285346309 (18 digits) and h0 = 1. In course of the
computation, 1326 distinguished points were reached. For the computation of the multiple
of the regulator (in this case, the regulator itself), both kangaroos together needed 8
minutes and 50 seconds to perform 680683 jumps each; hence, on two parallel processors
this would have taken about 4 1=2 minutes. The remaining steps to compute R, h, and
h0, including precomputations, only took 6 seconds.
In the second example, we worked with 20 kangaroos giving two herds of 10 kangaroos
each that perform jumps alternately. For k = F100000007 and
D(X ) =X + 9888621X + 40790591X + 42899267X + 87677365X + 72847284X
+ 95244197X + 14221927X + 7243290 ;
8
7
6
5
4
3
2
the regulator turned out to be R = 55554995017873220130683 (23 digits), and the divisor
class number h = 999989910321717962352294 was equal to the computed multiple h0 of
R. Furthermore, h0 = 18. A total of 50070 distinguished points were reached by the
20 kangaroos. Each kangaroo performed 82475002 jumps, which in total took 58 hours,
that is, about 2 hours and 54 minutes for each kangaroo. Since the remaining steps only
took 12 minutes, the total running time for computing the divisor class number h of 25
digits on 20 parallel processors would have been 3 hours and 6 minutes. (Here, we did
not take into account that the computation of E and L as in (3.2), which mainly causes
the running time of the remaining steps, can be easily parallelized as well).
Based on the above observations, we estimate the running time with parallelized Pollard's
lambda method for the computation of 31-digit regulators and divisor class numbers.
Assuming that there are 40 SPARC 20 (or comparably fast) machines available, we predict
a total expected running time of 45 days. If we even have 40 SPARC ultra-60 available,
which are approximately six times faster, then we expect to need no more than 7:5 days.
Catching Kangaroos in Function Fields
18
5 Outlook
Pollard's lambda method also extends to imaginary quadratic function elds. In the case
that D is a monic, squarefree polynomial of degree 2g + 1, a simple birational transformation leads to a real quadratic function eld over the same constant eld. Furthermore,
the corresponding operation on reduced ideals as described in Section 3.4 is a group operation (see [Can87, PS98]) so that the parallelized lambda method as suggested by van
Oorschot-Wiener and Pollard immediately generalizes to any hyperelliptic function eld.
In Section 4, we were only considering the computation of the regulator and the class
number of a real quadratic function eld, since we are able to determine an interval for
the divisor class number. Of course, Pollard's lambda method also applies to solving the
discrete logarithm problem in real quadratic function elds provided that one knows that
the discrete logarithm lies in a given interval. A generalization of Pollard's rho method
and its parallelized versions (see [Pol78, Tes98, vOW99, Pol]) to function elds can be
employed as well by applying similar ideas as in Section 4. We suggest this method for
the case that one has no additional information on the size of the regulator or the class
numbers.
References
[Can87] D. G. Cantor. Computing in the jacobian of a hyperelliptic curve. Mathematics
of Computation, 48:95{101, 1987.
[LiD97] LiDIA Group, Technische Universitat Darmstadt, Darmstadt, Germany. LiDIA
- A library for computational number theory, Version 1.3, 1997.
[Pol]
J. M. Pollard. Kangaroos, monopoly and discrete logarithms. preprint.
[Pol78] J. M. Pollard. Monte Carlo methods for index computation (mod p). Mathematics
of Computation, 32(143):918{924, 1978.
[PS98] S. Paulus and A. Stein. Comparing real and imaginary arithmetics for divisor
class groups of hyperelliptic curves. In Algorithmic Number Theory Seminar
ANTS-III, volume 1423 of Lecture Notes in Computer Science, pages 576{591.
Springer-Verlag, 1998.
Catching Kangaroos in Function Fields
19
[Sha72] D. Shanks. The infrastructure of a real quadratic eld and its applications. In
Proc. 1972 Number Th. Conf., Boulder, Col., pages 217{224, 1972.
[SSW96] R. Scheidler, A. Stein, and H. C. Williams. Key-exchange in real quadratic
congruence function elds. Designs, Codes and Cryptography, 7:153{174, 1996.
[ST]
A. Stein and E. Teske. The parallelized Pollard lambda method in real quadratic
elds. unpublished manuscript.
[SW98] A. Stein and H. Williams. An improved method of computing the regulator of a
real quadratic function eld. In Algorithmic Number Theory Seminar ANTS-III,
volume 1423 of Lecture Notes in Computer Science, pages 607{620. SpringerVerlag, 1998.
[SZ91] A. Stein and H. G. Zimmer. An algorithm for determining the regulator and
the fundamenta l unit of a hyperelliptic congruence function eld. In Proc. 1991
Int. Symp. on Symbolic and Algebraic Computation, ISAAC, Bonn, July 15-17,
pages 183{184. ACM Press, 1991.
[Tes98] E. Teske. Speeding up Pollard's rho method for computing discrete logarithms.
In Algorithmic Number Theory Seminar ANTS-III, volume 1423 of Lecture Notes
in Computer Science, pages 541{554. Springer-Verlag, 1998.
[vOW99] P. C. van Oorschot and M. J. Wiener. Parallel collision search with cryptanalytic
applications. Journal of Cryptology, 12:1{28, 1999.
[Zim97] H. G. Zimmer et al. Simath manual, 1997. Universitat des Saarlandes,
Saarbrucken, Germany.

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz