Two grumpy giants and a baby

Abstract

Pollard's rho algorithm, along with parallelized, vectorized, and negating variants, is the standard method to compute discrete logarithms in generic prime-order groups.\rThis paper presents two reasons that Pollard's rho algorithm\ris farther from optimality than generally believed.\rFirst, ``higher-degree local anti-collisions''\rmake the rho walk less random than the predictions made by the conventional Brent--Pollard heuristic.\rSecond, even a truly random walk is suboptimal,\rbecause it suffers from ``global anti-collisions'' that can at least partially be avoided.\rFor example, after (1.5+o(1))\sqrt(l) additions in a group of order l (without fast negation),\rthe baby-step-giant-step method has probability 0.5625+o(1)\rof finding a uniform random discrete logarithm;\ra truly random walk would have probability 0.6753\ldots+o(1);\rand this paper's new two-grumpy-giants-and-a-baby method has probability 0.71875+o(1).