A VARIANT OF POLLARD’S RHO ATTACK ON ELLIPTIC CURVE CRYPTOSYSTEMS

Elliptic Curve cryptosystems appear to be more secure and efficient when requiring small key size to implement than other public key cryptosystems. Its security is based upon the difficulty of solving Elliptic Curve Discrete Logarithm Problem (ECDLP). This study proposes a variant of generic algorithm Pollard’s Rho for finding ECDLP using cycle detection with stack and a mixture of cycle detection and random walks. The Pollard’s Rho using cycle detection with stack requires less iterations than Pollard’s Rho original in reaching collision. Random walks allow the iteration function to act randomly than the original iteration function, thus, the Pollard rho method performs more efficiently. In practice, the experiment results show that the proposed methods decreases the number of iterations and speed up the computation of discrete logarithm problem on elliptic curves.


INTRODUCTION
Elliptic curves over finite fields have been proposed by Diffie-Hellman to implement key passing scheme and elliptic curves variants for digital signature. The security of this cryptosystem is linked to the difficulty to solve elliptic curve discrete logarithm problem and if this problem is resolved the cryptosystem is broken.
Although there are several attacks against this cryptosystem such as Baby-Step Giant-Step (Shanks, 1971), Pollard's Rho method and its parallelized variant, their complexity is the square root of the prime order of the generating point used (Harrison, 2010). Up to now, Pollard's Rho method is known as the best method to resolve the discrete logarithm problem on general groups, specifically elliptic curve. Hence automorphism of the group (Duursma et al., 1990), parallelization (Oorschot and Wiener, 1999), iteration function (Teske, 1998;2001) or cycle detection (Brent, 1980;Cheon et al., 2012) are used to improve this attack. In this study, we try to introduce a variant of Pollard's Rho attack using the new cycle detection proposed by (Nivasch, 2004) and the random walks proposed by Teske. After that, we analyze the running time and implement the new algorithm. The remainder of this study is proceded as follow: Section 2 introduces some basic definitions for the elliptic curves, Floyd's algorithm and Pollard's Rho algorithm. Section 3 describes how Pollard's Rho algorithm may be modified using Nivash's cycle detection instead of Floyd's algorithm. We explain how to introduce random walks on the modified Pollard's Rho and the algorithms are compared in section 4.

BACKGROUND
This section introduces the elliptic curve cryptosystem, Floyd finding cycle algorithm Floyd (1962) and Pollard's Rho method (Pollard, 1978). The Pollard's Rho method uses iteration function to build sequence of elements and it uses cycle detection to find match or collision. The match leads to the solution of ECDLP. In fact, this method is based on a Science Publications JCS random walk and the Birthday Paradox which states that in a a set of 23 randomly chosen people, the chance that at least two of them share the same birthday is greater than 50%. Then, if random objects are selected with replacement from n objects, one may expect n / 2 π rounds before an object is picked twice.

Elliptic Curve Cryptosystem
The addition rule of the group of elliptic curves is easy to be implemented. Therefore, algebraic formulas for the group law can be derived from the geometric description. A general elliptic curve E over finite field K has the form y 2 +axy+by = x 3 +cx 2 +dx+e where a, b, c, d and e are in K. The addition operation is defined over elliptic curves with the inclusion of a point O called point at infinity or identity.
Let p be a prime with p>3. Elliptic curves can be implemented over fields of characteristic 2 and 3 and enjoy many optimizations, but suffer from specialized discrete log attacks Coppersmith (1984) and should generally be avoided. Let F p = GF(p) the Galois Field over p and a, b ∈ F p and satisfy the condition 4a 3 +27b 2 mod(p) ≠ 0 then an elliptic curve over the Galois field E(F p )(a,b) is defined by equation y 2 = x 3 +ax+b mod(p) where x∈ F p .

Definition 1
Given an elliptic curve E defined over a finite field F p , a point P ∈ E(F p ) of order n and a point Q∈〈P〉, find the integer l∈[0, n-1] such that Q = lP. The integer d is called the discrete logarithm of Q to the base P, denoted l = log P Q.
This problem is considered as hard mathematical problem like the Integer Factorisation Problem (IFP) and the logarithm problem in multiplicative group of finite field (DLP). All methods, proposed up to now which solve ECDLP, require exponential running time.

Floyd's Cycle-finding Algorithm
Instead of comparing each new Y i to all previous ones and stores all elements until obtaining collision, It is better to choose Floyd's algorithm Floyd (1962) in order to minimize the memory requirement and running time. In fact, one computes pairs (Y i , Y 2i ) of points for i = 1,2,3... until finding Y i = Y 2i . After computing a new pair, the previous pair can be discarded, thus the storage requirements are negligible.
Theorem 1 Knuth (1969) [exercises 6-7] for a periodic sequence Y 0 , Y 1 , Y 2 ,…, there exists an i>0 such that Y i = Y 2i and the smallest such i lies in the range µ≤i≤µ+λ. µ and λ are the preperiod and the period of the sequence Y i respectively.
If we suppose that the sequence is generated by random function then the expected value of µ and λ is close to n / 8 π . As a consequence, µ+λ is around n / 2 π .

Pollard's Rho Algorithm
The idea of Pollard is that three possibilities are chosen in a random manner and the resulting sequence is sufficiently complicated to be regarded as a random mapping. Let us start with random point R 0 and build the sequence R i with the iteration function f until the collision occurs. In fact, E(F p ) is finite, the sequence Ri become periodic after some iterations so there will be some indices i<j such that R i = R j , j-i is the period and R i ,R i+1 ,R i+2 ,…,R j form a loop. For cycle detection, Floyd's method is used. The original Pollard's Rho method on elliptic curves is detailed bellow: • Split E(F p ) into three disjoint sets S 1 , S 2 and S 3 of roughly equal size • Let R 0 = a 0 P + b 0 Q with a 0 and b 0 two random integers in ]0, n[ and the iterative function f was defined as: The sequence a i and b i can be computed as follow: • Compute R j and R 2j and compare them until a match is found using the iteration function f In the last step with negligible probability, we can have b j = b 2j . In this case, we restart the process with different starting points R 0 .
j ← 0 15: end if 16: end for 17: Return l The Pollard's Rho algorithm is known as the best algorithm to resolve ECDLP in the generic groups. If f supposed a random map than the expected number of iterations before a collision occurs is close to n / 2 π . In addition, the memory requirement is negligible and the running time is exponential.

Pollard's Rho Algorithm with Random Walks
The iteration function used in Pollard's Rho algorithm is not random enough (Knuth, 1969), So Teske proposed a better iteration function by applying more arbitrary multipliers. Divide E(F p ) into s disjoint subsets S 1 , S 2 ,..,S s of approximately the same size. A good choice for s seems to be around 20 (Teske, 2001). Choose 2s random integers a i , b i mod n.
Let S i = {R(X,Y ) ∈E(F p )} X(mod s) = i} and M i = a i P + b i Q So the iteration function is defined as bellow: Moreover, the pseudocode of the iteration function is:

POLLARD'S RHO ALGORITHM USING STACK
In this section, we explain how we can improve Pollard's Rho method using stack. First, we describe Nivasch's method for cycle detection (Nivasch, 2004). Second, we outline the Pollard's Rho modified and we show the two methods with random walks. Then we compare them and select the best one. Finaly, we implement the proposed algorithm and we make a comparison with the original algorithm.

Nivasch's Cycle-finding Algorithm
The stack has been created and starts out empty. At each step j, remove all the top entries (x i , i) (pop) from the stack where x i >x j . If x i = x j is found in the stack, we are finished. So the cycle length is j-i. Else, add (x j , j) to the top of the stack (push) and continue.
This algorithm run in linear time, use logarithmic space and halt in the smallest value of the sequence cycle.

Pollard's Rho Algorithm Modified
Our idea is to use stack to store elements generated by the iteration function, the main algorithm is as follow: We keep in the stack pairs (i, a i , b i , R i ), the Ri in the stack forms increasing sequence, so we define lexicography order on E(F p ). If Rj>R i where 0<i<j, we push the pairs (j, a j , b j , R j ) in the stack, otherwise if R i >R j we pop all pairs (i, a i , b i , R i ) until we find R i = R j or R i <R j . In the first case, we halt the process and compute l. In the second case, we push (j, a j , b j , R j ) in the stack and we generate other points. The details of the procedure are as follow: • E(F p ) is into three disjoint sets S 1 , S 2 and S 3 • S 1 , S 2 and S 3 contain points with y-coordinate value between [0, p/3[, [p/3, 2p/3[or [2p/3, p[ successively • Let R 0 = a 0 P + b 0 Q with a 0 and b 0 two random integers ∈ [1, n-1] and we define the iterative function f The sequence a i and b i can be computed as follow: If R j is less than R i we pop from the stack all R i where R j <R i else we push R j on the top of the stack and continue.
We halt the process when R i = R j then we find the fixed point, the logarithm discrete is resolved and The pseudo-code is as follow:

JCS
The stack size must not exceeded the memory allowed for this attack. In this case, this attack will be discarded and unused. For this reason, we analyse stack size at time n<µ+λ.

Theorem 2
Nivasch (2004) Given a positive integer n, let Sn be the stack size at time n and Mn the maximum stack size up to time n. Then: • S n has expectation ln n + O(1) • M n is almost surely<δ ln n for any constant δ>e At each iteration, Nivash's cycle finding algorithm stores only one element X i .
However, in our case, we store (i, a i , b i , R i ) which means that the memory required is multiplied by 5. Thus the stack size is approximately 6 ln n+O(1).

Random Walks
Random walks developed by Teske are known to do much better than the original iteration function at the cost of little more computation. Hence, we use a mixture of random walks and stack in the Pollard's Rho algorithm. The steps in Pollard's Rho modified is described as follows: • We partitioned E(F p ) into 20 disjoint sets S 1 , S 2 ,.. S 20 • S 1 , S 2 ,…,S 20 contain points with x-coordinate mod 20 equals to 0, 1, 2, …19 successively • We generete 20 random couples (a i , b i ) and we compute the points M i = a i P + b i Q • Let R 0 = a 0 P+b 0 Q with a 0 and b 0 two random integers in [1, n-1] and we define the iterative function f: The sequence a i and b i can be computed as follow: • If R i+1 is less than R i we pop from the stack all R i where R i+1 is the least else we push R i+1 on the top of the stack and continue • We halt process when R i = R k then we find the fixed point, the logarithm discrete is resolved and

Implementation
The Pollard's Rho has been tested using stack on modern PC Core Duo with the Software Software Algebra Geometry Experimentation (SAGE) (Stein, 2010). First, we produce data file containing p prime numbers and for each prime number we build a secure elliptic curve and choose arbitrary point P and Q, we add the X and Y coordinate of P and Q to the file. Second, we use our approach to compute the discrete logarithm of Q to the base P. We follow these steps to implement the algorithm: • Generate p prime numbers with size between six and fourteen digits (ten generation for each size) • Generate random numbers A and B such that (4A 3 + 27B 2 )mod(p) different from 0 • Use p prime numbers, A and B numbers to generate elliptic curve • Choose random X coordinate for Points P and Q from E(F p ) and calculate Y coordinate using Weierstrass Equation • Compute integer l such that Q = lP using the method described above

COMPARISON BETWEEN ALGORITHMS
Analysis algorithm is quite important in computer programming because there are usually several algorithms available for a particular application and we would like to know which is the best.

Analysis
The most expensive steps in the Pollard's Rho method is the evaluation of the iteration function, thus it's quite important to compute the number of evaluation of this last to analyze the performance of the modified method.
The number of iterations in Pollard's Rho modified is at most µ+2λ that is roughly 3 n / 8 π . However, with the original Pollard's Rho is n / 2 π but at each iteration, f has been evaluated three times instead of one time with the Pollard's Rho modified. Therefore, the number of evaluations of f before the algorithm terminates is 3 n / 2 π with the original Pollard's Rho and 3 n / 8 π with the modified Pollard's Rho. We conclude that the running time will be the greatest in the Pollard's Rho original. However, the amount of Science Publications JCS memory is increased because with the Pollard's Rho original we store only pair (Y i , Y 2i ) and in each step, we generate the new pairs and we discard the previous pairs, so the memory used is negligeable. However, with Pollard's Rho modified we store all generated R i that form an increasing sequence and we delete the element from the stack only if the current R i is less than this element.

Experiment Results
In order to validate what we claim, we made severel experiments on random elliptic curves by computing the running time and the number of evaluations of iteration function for each of them. In Table 1, we found that if the length of p is less than fifteen digits, the running time of Pollard's Rho modified is less than the original Pollard's Rho. In Table 2, we will compare the number of evaluations of the iteration function of two methods, it is the lowest in Pollard's Rho with stack. As a consequence, the Pollard Rho's modified method performs better than the original Pollard's Rho method.
In Table 3, we will compare the running time of Pollard's Rho with random walks and Pollard's Rho mixing stack and random walks. Our experiment used prime numbers with size between six and eleven digits and the experimental results prove that the first method is lower than the second. We found that mixed walks using stack perform better than Pollard's Rho only with random walks.

CONCLUSION
In this study we have outlined a new algorithm to speed-up Pollard's Rho attack by make use of first Nivasch's cycle detection and second mixing Nivasch's cycle detection and random walks. However, this variant is not appropriate if the memory used is limited. For further research, we intend to improve Pollard's Rho method using at the same time cycle detection, random walks and Parallelization.