Pollard's Rho Algorithm For Logarithms

Pollard's rho algorithm for logarithms is an algorithm introduced by John Pollard in 1978 to solve the discrete logarithm problem, analogous to Pollard's rho algorithm to solve the integer factorization problem.

The goal is to compute $\gamma$ such that $\alpha ^ \gamma = \beta$, where $\beta$ belongs to a cyclic group $G$ generated by $\alpha$. The algorithm computes integers $a$, $b$, $A$, and $B$ such that $\alpha^a \beta^b = \alpha^A \beta^B$. If the underlying group is cyclic of order $n$, by substituting $\beta$ as $^$ and noting that two powers are equal if and only if the exponents are equivalent modulo the order of the base, in this case modulo $n$, we get that $\gamma$ is one of the solutions of the equation $(B-b) \gamma = (a-A) \pmod n$. Solutions to this equation are easily obtained using the extended Euclidean algorithm.

To find the needed $a$, $b$, $A$, and $B$ the algorithm uses Floyd's cycle-finding algorithm to find a cycle in the sequence $x_i = \alpha^ \beta^$, where the function $f: x_i \mapsto x_$ is assumed to be random-looking and thus is likely to enter into a loop of approximate length $\sqrt$ after $\sqrt$ steps. One way to define such a function is to use the following rules: Partition $G$ into three disjoint subsets $S_0$, $S_1$, and $S_2$ of approximately equal size using a hash function. If $x_i$ is in $S_0$ then double both $a$ and $b$; if $x_i \in S_1$ then increment $a$, if $x_i \in S_2$ then increment $b$.

Algorithm

Let $G$ be a cyclic group of order $n$, and given $\alpha, \beta\in G$, and a partition $G = S_0\cup S_1\cup S_2$, let $f:G\to G$ be the map

:$f(x) = \begin \beta x & x\in S_0\\ x^2 & x\in S_1\\ \alpha x & x\in S_2 \end$

and define maps $g:G\times\mathbb\to\mathbb$ and $h:G\times\mathbb\to\mathbb$ by

:$\begin g(x,k) &= \begin k & x\in S_0\\ 2k \pmod & x\in S_1\\ k+1 \pmod & x\in S_2 \end \\ h(x,k) &= \begin k+1 \pmod & x\in S_0\\ 2k \pmod & x\in S_1\\ k & x\in S_2 \end \end$

input: ''a'': a generator of ''G''
''b'': an element of ''G''
output: An integer ''x'' such that ''a^x'' = ''b'', or failure

Initialise ''i'' ← 0, ''a''₀ ← 0, ''b''₀ ← 0, ''x''₀ ← 1 ∈ ''G''

loop
''i'' ← ''i'' + 1

''x_i'' ← ''f''(''x''_''i''−1),
''a_i'' ← ''g''(''x''_''i''−1, ''a''_''i''−1),
''b_i'' ← ''h''(''x''_''i''−1, ''b''_''i''−1)

''x''_2''i''−1 ← ''f''(''x''_2''i''−2),
''a''_2''i''−1 ← ''g''(''x''_2''i''−2, ''a''_2''i''−2),
''b''_2''i''−1 ← ''h''(''x''_2''i''−2, ''b''_2''i''−2)
''x''_2''i'' ← ''f''(''x''_2''i''−1),
''a''_2''i'' ← ''g''(''x''_2''i''−1, ''a''_2''i''−1),
''b''_2''i'' ← ''h''(''x''_2''i''−1, ''b''_2''i''−1)
while ''x_i'' ≠ ''x''_2''i''

''r'' ← ''b_i'' − ''b''_2''i''
if r = 0 return failure
return ''r''⁻¹(''a''_2''i'' − ''a_i'') mod ''n''

Example

Consider, for example, the group generated by 2 modulo $N=1019$ (the order of the group is $n=1018$, 2 generates the group of units modulo 1019). The algorithm is implemented by the following C++ program:

#include

const int n = 1018, N = n + 1; /* N = 1019 -- prime */
const int alpha = 2; /* generator */
const int beta = 5; /* 2^ = 1024 = 5 (N) */

void new_xab(int& x, int& a, int& b)

int main(void)

The results are as follows (edited):

i x a b X A B
------------------------------
1 2 1 0 10 1 1
2 10 1 1 100 2 2
3 20 2 1 1000 3 3
4 100 2 2 425 8 6
5 200 3 2 436 16 14
6 1000 3 3 284 17 15
7 981 4 3 986 17 17
8 425 8 6 194 17 19
..............................
48 224 680 376 86 299 412
49 101 680 377 860 300 413
50 505 680 378 101 300 415
51 1010 681 378 1010 301 416

That is $2^ 5^ = 1010 = 2^ 5^ \pmod$ and so $(416-378)\gamma = 681-301 \pmod$, for which $\gamma_1=10$ is a solution as expected. As $n=1018$ is not prime, there is another solution $\gamma_2=519$, for which $2^ = 1014 = -5\pmod$ holds.

Complexity

The running time is approximately $\mathcal(\sqrt)$. If used together with the Pohlig–Hellman algorithm, the running time of the combined algorithm is $\mathcal(\sqrt)$, where $p$ is the largest prime factor of $n$.

References

*
*

{{Number-theoretic algorithms

Logarithms
Number theoretic algorithms