Collision bounds for the additive Pollard rho algorithm for solving discrete logarithms

Abstract

Abstract. We prove collision bounds for the Pollard rho algorithm to solve the discrete logarithm problem in a general cyclic group 𝐆 $\mathbf {G}$ . Unlike the setting studied by Kim et al., we consider additive walks: the setting used in practice to solve the elliptic curve discrete logarithm problem. Our bounds differ from the birthday bound 𝒪 ( | 𝐆 | ) $\mathcal {O}(\sqrt{\vert \mathbf {G}\vert })$ by a factor of log | 𝐆 | $\sqrt{\log {\vert \mathbf {G}\vert }}$ and are based on mixing time estimates for random walks on finite abelian groups due to Dou and Hildebrand.