two grumpy giants d. j. bernstein university of illinois ...cr.yp.to/talks/2012.06.08/slides.pdf ·...
TRANSCRIPT
![Page 1: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/1.jpg)
Two grumpy giants
and a baby
D. J. Bernstein
University of Illinois at Chicago
Tanja Lange
Technische Universiteit Eindhoven
![Page 2: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/2.jpg)
Discrete-logarithm problems
Fix a prime `.
Input: generator g
of group of order `;
element h of same group.
Output: integer k 2 Z=`
such that h = gk, where
group is written multiplicatively.
“k = logg h”.
How difficult is computation of k?
![Page 3: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/3.jpg)
Dependence on the group
Group Z=` under addition,
represented in the usual way:
DLP is very easy.
Divide h by g modulo `;
time exp(O(log log `)).
Order-` subgroup of (Z=p)�
assuming prime p = 2` + 1:
DLP is not so easy.
Best known attacks:
“index calculus” methods;
time exp((log `)1=3+o(1)).
![Page 4: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/4.jpg)
Order-` subgroup of (Z=p)�
for much larger p:
DLP is much more difficult.
Best known attacks:
“generic” attacks,
the focus of this talk.
Time exp((1=2 + o(1)) log `).
Order-` subgroup of properly
chosen elliptic-curve group:
DLP is again difficult.
Best known attacks:
“negating” variants of
generic attacks.
(See Schwabe talk, last CWG.)
![Page 5: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/5.jpg)
Real-world importance
Apple, “iOS Security”, 2012.05:
“Some files may need to be
written while the device is locked.
A good example of this is a mail
attachment downloading in the
background. This behavior is
achieved by using asymmetric
elliptic curve cryptography
(ECDH over Curve25519).”
Also used for “iCloud Backup”.
More examples: DNSCrypt;
elliptic-curve signatures
in German electronic passports.
![Page 6: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/6.jpg)
Generic algorithms
Will focus on algorithms
that work for every
group of order `.
Allowed operations:
neutral element 1;
multiplication a; b 7! ab.
Will measure algorithm cost
by counting # multiplications.
Success probability:
average over groups
and over algorithm randomness.
![Page 7: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/7.jpg)
Each group element
computed by the algorithm
is trivially expressed as
hxgy for known (x; y) 2 (Z=`)2.
1 = hxgy for (x; y) = (0; 0).
g = hxgy for (x; y) = (0; 1).
h = hxgy for (x; y) = (1; 0).
If algorithm multiplies
hx1gy1 by hx2gy2
then it obtains hxgy where
(x; y) = (x1; y1) + (x2; y2).
![Page 8: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/8.jpg)
Slopes
If hx1gy1 = hx2gy2
and (x1; y1) 6= (x2; y2)
then logg h is the negative
of the slope (y2 � y1)=(x2 � x1).
(Impossible to have x1 = x2:
if x1 = x2 then gy1 = gy2
so y1 = y2, contradiction.)
Algorithm immediately recognizes
collisions of group elements
by putting each (hxgy; x; y)
into, e.g., a red-black tree.
(Low memory? Parallel?
Distributed? Not in this talk.)
![Page 9: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/9.jpg)
Baby-step-giant-step
(1971 Shanks)
Choose n � 1,
typically n � p`.Points (x; y):
n + 1 “baby steps”
(0; 0); (0; 1); (0; 2); : : : ; (0; n);
n + 1 “giant steps”
(1; 0); (1; n); (1; 2n); : : : ; (1; n2).
Can use more giant steps.
Stop when logg h is found.
![Page 10: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/10.jpg)
Performance of BSGS
Slope jn�i from (0; i) to (1; jn).
Covers slopes��n; : : : ;�1; 0; 1; 2; 3; : : : ; n2
,
using 2n� 1 multiplications.
Finds all discrete logarithms
if ` � n2 + n + 1.
Worst case with n � p`:(2 + o(1))
p` multiplications.
(In fact always < 2p`.)
Average case with n � p`:(1:5 + o(1))
p` multiplications.
![Page 11: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/11.jpg)
Interleaving (2000 Pollard)
Improve average case to
(4=3 + o(1))p` multiplications:
(0; 0); (1; 0);
(0; 1); (1; n);
(0; 2); (1; 2n);
(0; 3); (1; 3n);...
(0; n); (1; n2).
4=3 arises asR 1
0 (2x)2 dx.
![Page 12: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/12.jpg)
Interleaving (2000 Pollard)
Improve average case to
(4=3 + o(1))p` multiplications:
(0; 0); (1; 0);
(0; 1); (1; n);
(0; 2); (1; 2n);
(0; 3); (1; 3n);...
(0; n); (1; n2).
4=3 arises asR 1
0 (2x)2 dx.
Oops: Have to start with
(0; n) as step towards (1; n).
But this costs only O(log `).
![Page 13: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/13.jpg)
Random self-reductions
Defender slows down BSGS
by choosing discrete logs
found as late as possible.
![Page 14: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/14.jpg)
Random self-reductions
Defender slows down BSGS
by choosing discrete logs
found as late as possible.
Attacker compensates by
applying a “worst-case-
to-average-case reduction”:
compute logg h as
logg(hgr)� r for
uniform random r 2 Z=`.
Negligible extra cost.
![Page 15: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/15.jpg)
Is BSGS optimal?
After m multiplications
have m + 3 points in (Z=`)2.
Can hope for (m + 3)(m + 2)=2
different slopes in Z=`.
![Page 16: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/16.jpg)
Is BSGS optimal?
After m multiplications
have m + 3 points in (Z=`)2.
Can hope for (m + 3)(m + 2)=2
different slopes in Z=`.
1994 Nechaev, 1997 Shoup:
proof that generic algorithms
have success probability O(m2=`).
Proof actually gives
� ((m + 3)(m + 2)=2 + 1)=`.
![Page 17: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/17.jpg)
Is BSGS optimal?
After m multiplications
have m + 3 points in (Z=`)2.
Can hope for (m + 3)(m + 2)=2
different slopes in Z=`.
1994 Nechaev, 1997 Shoup:
proof that generic algorithms
have success probability O(m2=`).
Proof actually gives
� ((m + 3)(m + 2)=2 + 1)=`.
BSGS: at best �m2=4 slopes,
taking n �m=2.
Factor of 2 away from the bound.
![Page 18: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/18.jpg)
The rho method
(1978 Pollard, r = 3 “mixed”;
many subsequent variants)
Initial computation:
r uniform random “steps”
(s1; t1); : : : ; (sr; tr) 2 (Z=`)2.
O(r log `) multiplications;
negligible if r is small.
The “walk”: Starting from
(xi; yi) 2 (Z=`)2 compute
(xi+1; yi+1) = (xi; yi) + (sj ; tj)
where j 2 f1; : : : ; rgis a hash of hxigyi .
![Page 19: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/19.jpg)
![Page 20: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/20.jpg)
![Page 21: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/21.jpg)
![Page 22: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/22.jpg)
![Page 23: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/23.jpg)
![Page 24: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/24.jpg)
![Page 25: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/25.jpg)
![Page 26: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/26.jpg)
![Page 27: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/27.jpg)
![Page 28: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/28.jpg)
![Page 29: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/29.jpg)
![Page 30: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/30.jpg)
![Page 31: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/31.jpg)
![Page 32: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/32.jpg)
![Page 33: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/33.jpg)
![Page 34: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/34.jpg)
![Page 35: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/35.jpg)
![Page 36: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/36.jpg)
![Page 37: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/37.jpg)
![Page 38: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/38.jpg)
![Page 39: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/39.jpg)
![Page 40: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/40.jpg)
![Page 41: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/41.jpg)
![Page 42: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/42.jpg)
![Page 43: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/43.jpg)
![Page 44: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/44.jpg)
![Page 45: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/45.jpg)
![Page 46: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/46.jpg)
![Page 47: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/47.jpg)
![Page 48: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/48.jpg)
Performance of rho
Model walk as truly random.
Using m multiplications:
�m points (xi; yi);
�m2=2 pairs of points;
slope � is missed
with chance � (1� 1=`)m2=2
� exp(�m2=(2`)).
Average # multiplications
�P1
0 exp(�m2=(2`))
� R10 exp(�m2=(2`)) dm
=p�=4
p2` = (1:25 : : :)
p`.
Better than (4=3 + o(1))p`.
![Page 49: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/49.jpg)
Performance of rho
Model walk as truly random.
Using m multiplications:
�m points (xi; yi);
�m2=2 pairs of points;
slope � is missed
with chance � (1� 1=`)m2=2
� exp(�m2=(2`)).
Average # multiplications
�P1
0 exp(�m2=(2`))
� R10 exp(�m2=(2`)) dm
=p�=4
p2` = (1:25 : : :)
p`.
Better than (4=3 + o(1))p`.
Don’t ask about the worst case.
![Page 50: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/50.jpg)
Anti-collisions
Bad news:
The walk is worse than random.
Very often have
(xi+1; yi+1) = (xi; yi) + (sj ; tj)
followed later by
(xk+1; yk+1) = (xk; yk) + (sj ; tj).
Slope from
(xk+1; yk+1) to (xi+1; yi+1)
is not new: same as slope from
(xk; yk) to (xi; yi):
Repeated slope: “anti-collision”.
![Page 51: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/51.jpg)
m2=2 was too optimistic.
About (1=r)m2=2 pairs
use same step, so only
(1� 1=r)m2=2 chances.
This replacement model )(p�=2=
p1� 1=r + o(1))
p`.
Can derivep
1� 1=r
from more complicated 1981
Brent–PollardpV heuristic.
1998 Blackburn–Murphy:
explicitp
1� 1=r.
2009 Bernstein–Lange:
simplified heuristic;
generalizedq
1�Pj p2j .
![Page 52: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/52.jpg)
Higher-degree anti-collisions
Actually, rho is even worse!
Often have
(xi+1; yi+1)=(xi; yi)+(sj ; tj)
(xi+2; yi+2)=(xi+1; yi+1)+(sh; th)
followed later by
(xk+1; yk+1)=(xk; yk)+(sh; th)
(xk+2; yk+2)=(xk+1; yk+1)+(sj ; tj)
so slope from
(xk+2; yk+2) to (xi+2; yi+2)
is not new.
“Degree-2 local anti-collisions”:
1=p
1� 1=r � 1=r2 + 1=r3.
See paper for more.
![Page 53: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/53.jpg)
Is rho optimal?
Allow r to grow slowly with `.
(Not quickly: remember
cost of initial computation.)p
1� 1=r ! 1.p1� 1=r � 1=r2 + 1=r3 ! 1.
Experimental evidence )average (
p�=2 + o(1))
p`.
But still have many
global anti-collisions:
slopes appearing repeatedly.
![Page 54: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/54.jpg)
Two grumpy giants and a baby
B: (0; 0)+f0; : : : ; ng(0; 1).
G1: (1; 0)+f0; : : : ; ng(0; n).
G2: (2; 0)�f0; : : : ; ng(0; n+1).
![Page 55: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/55.jpg)
Two grumpy giants and a baby
B: (0; 0)+f0; : : : ; ng(0; 1).
G1: (1; 0)+f0; : : : ; ng(0; n).
G2: (2; 0)�f0; : : : ; ng(0; n+1).
Minor initial cost: (0;�(n + 1)).
![Page 56: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/56.jpg)
Two grumpy giants and a baby
B: (0; 0)+f0; : : : ; ng(0; 1).
G1: (1; 0)+f0; : : : ; ng(0; n).
G2: (2; 0)�f0; : : : ; ng(0; n+1).
Minor initial cost: (0;�(n + 1)).
As before can interleave:
(0; 0); (1; 0); (2; 0);
(0; 1); (1; n); (2;�(n + 1));
(0; 2); (1; 2n); (2;�2(n + 1));
(0; 3); (1; 3n); (2;�3(n + 1));...
(0; n); (1; n2); (2;�n(n + 1)).
![Page 57: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/57.jpg)
Grumpy performance
For (1:5 + o(1))p` mults:
BSGS, with n � 0:75p`
or interleaved with n � p`,finds (0:5625 + o(1))` slopes.
![Page 58: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/58.jpg)
Grumpy performance
For (1:5 + o(1))p` mults:
BSGS, with n � 0:75p`
or interleaved with n � p`,finds (0:5625 + o(1))` slopes.
Truly random walk
finds (0:6753 : : : + o(1))` slopes.
![Page 59: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/59.jpg)
Grumpy performance
For (1:5 + o(1))p` mults:
BSGS, with n � 0:75p`
or interleaved with n � p`,finds (0:5625 + o(1))` slopes.
Truly random walk
finds (0:6753 : : : + o(1))` slopes.
Two grumpy giants and a baby,
with n � 0:5p`,
find (0:71875 + o(1))` slopes.
![Page 60: Two grumpy giants D. J. Bernstein University of Illinois ...cr.yp.to/talks/2012.06.08/slides.pdf · DLP is much more di cult. Best known attacks: \generic" attacks, the focus of this](https://reader034.vdocument.in/reader034/viewer/2022051910/5ffef43b4031eb34e70667a9/html5/thumbnails/60.jpg)
Grumpy performance
For (1:5 + o(1))p` mults:
BSGS, with n � 0:75p`
or interleaved with n � p`,finds (0:5625 + o(1))` slopes.
Truly random walk
finds (0:6753 : : : + o(1))` slopes.
Two grumpy giants and a baby,
with n � 0:5p`,
find (0:71875 + o(1))` slopes.
Also better average case than rho.