Computing discrete logarithms in an interval

Abstract

The discrete logarithm problem in an interval of size N in a group G is: Given g, h ∈ G and an integer N to find an integer 0 ≤ n ≤ N , if it exists, such that h = g n. Previously the best low-storage algorithm to solve this problem was the van Oorschot and Wiener version of the Pollard kangaroo method. The heuristic average case running time of this method is (2 + o(1)) √ N group operations. We present two new low-storage algorithms for the discrete logarithm problem in an interval of size N. The first algorithm is based on the Pollard kangaroo method, but uses 4 kangaroos instead of the usual two. We explain why this algorithm has heuristic average case expected running time of (1.715 + o(1)) √ N group operations. The second algorithm is based on the Gaudry-Schost algorithm and the ideas of our first algorithm. We explain why this algorithm has heuristic average case expected running time of (1.661 + o(1)) √ N group operations. We give experimental results that show that the methods do work close to that predicted by the theoretical analysis. This is a revised version since the published paper that contains a corrected proof of Theorem 6 (the statement of Theorem 6 is unchanged). We thank Ravi Montenegro for pointing out the errors.