On random walks for Pollard's rho method

Edlyn Teske

Math. Comp. **70** (2001), 809-825

Primary 11Y16; Secondary 65C05, 94A60

February 18, 2000

1697652

We consider Pollard's rho method for discrete logarithm computation. Usually, in the analysis of its running time the assumption is made that a random walk in the underlying group is simulated. We show that this assumption does not hold for the walk originally suggested by Pollard: its performance is worse than in the random case. We study alternative walks that can be efficiently applied to compute discrete logarithms. We introduce a class of walks that lead to the same performance as expected in the random case. We show that this holds for arbitrarily large prime group orders, thus making Pollard's rho method for prime group orders about faster than before.

**Edlyn Teske**

University of Waterloo, Department of Combinatorics and Optimization, Waterloo, Ontario, Canada N2L 3G1

eteske@cacr.math.uwaterloo.ca

https://doi.org/10.1090/S0025-5718-00-01213-8

Pollard's rho method,
discrete logarithm,
random walks in groups

February 23, 1999

May 24, 1999

February 18, 2000

