Low weight discrete logarithm and subset sum in 20.65n with Polynomial Memory

Abstract

We propose two heuristic polynomial memory collision finding algorithms for the low Hamming weight discrete logarithm problem in any abelian group G. The first one is a direct adaptation of the Becker-Coron-Joux (BCJ) algorithm for subset sum to the discrete logarithm setting. The second one significantly improves on this adaptation for all possible weights using a more involved application of the representation technique together with some new Markov chain analysis. In contrast to other low weight discrete logarithm algorithms, our second algorithm’s time complexity interpolates to Pollard’s |G|1/2 bound for general discrete logarithm instances. We also introduce a new heuristic subset sum algorithm with polynomial memory that improves on BCJ’s 20.72n time bound for random subset sum instances (Formula presented). Technically, we introduce a novel nested collision finding for subset sum – inspired by the NestedRho algorithm from Crypto ’16 – that recursively produces collisions. We first show how to instantiate our algorithm with run time 20.649n. Using further tricks, we are then able to improve its complexity down to 20.649n.