Attacking any one in many public keysAfter ECDH with Curve25519, is it pointless to use anything stronger than AES128?Is it possible to pick your Ed25519 public key?Why are elliptic curve variants of RSA “chiefly of academic interest”?Security of pairing-based cryptography over binary fields regarding new attacksWhy can ECC key sizes be smaller than RSA keys for similar security?Adi Shamir's secret database of all primesExtracting Private Keys in Diffie HellmanPrimitive root in a finite fieldDiffie-Hellman private key recover with non-prime modulus
Does Australia produce unique 'specialty steel'?
Why does 1.1.1.1 not resolve archive.is?
How to deal with intolerable behavior of a subordinate?
5v home network
How is the corresponding author on a (math) paper typically chosen?
What is the word for things that work even when they aren't working (e.g. escalators)?
What is the German word for: "It only works when I try to show you how it does not work"?
Is it possible to do a low carb diet for a month in Sicily?
Would removing the "total cover" part of a Paladin's Divine Sense unbalance the feature?
Are there any rules around when something can be described as "based on a true story"?
Disrespectful employee going above my head and telling me what to do. I am his manager
Sum in bash outside while read line
Can you decide not to sneak into a room after seeing your roll?
Is Having my Players Control Two Parties a Good Idea?
Doggerel for tonight
How do I weigh a kitchen island to determine what size castors to get?
Employer says he needs to delay payment in 3 months due to bureaucracy
Print the sequence
Giving a character trauma but not "diagnosing" her?
Negative feedbacks and "Language smoother"
Which collation should I use for biblical Hebrew?
Does wall of stone need support or not?
A demigod among men
How can AnyDVD destroy a DVD drive?
Attacking any one in many public keys
After ECDH with Curve25519, is it pointless to use anything stronger than AES128?Is it possible to pick your Ed25519 public key?Why are elliptic curve variants of RSA “chiefly of academic interest”?Security of pairing-based cryptography over binary fields regarding new attacksWhy can ECC key sizes be smaller than RSA keys for similar security?Adi Shamir's secret database of all primesExtracting Private Keys in Diffie HellmanPrimitive root in a finite fieldDiffie-Hellman private key recover with non-prime modulus
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;
.everyonelovesstackoverflowposition:absolute;height:1px;width:1px;opacity:0;top:0;left:0;pointer-events:none;
$begingroup$
The problem of finding private key from public key is typically studied in the one-key setup: what's the expected cost of breaking one key (e.g. by factoring a public modulus, or solving a discrete logarithm in some group).
There is much less work on simultaneously attacking $k>1$ keys. One notable exception is Daniel J. Bernstein and Tanja Lange's Batch NFS, in proceedings of SAC 2014. They conclude that increasing $k$ allows asymptotic savings on the expected cost per factorization.
A different problem is attacking any one in $k>1$ keys. It seems understudied too, although it is of practical concern, especially in setups where there can't be a revocation list. For example, there are deployed systems such that an attacker could gather many thousands public keys of devices that can write in Smart Cards after authentication, and does not care which one is broken: whatever one allows falsifying records made in the Smart Cards. Also, from a public relations perspective, it's hard to convey that indeed, a hacker demonstrated breaking one key in your system, but it is still safe enough since there's no positive evidence that the adversary could attack a particular key.
We can trivially state that the expected difficulty of attacking any one in $k$ public keys is at most that of attacking one key, and at least $1/k$ that.
Can we be more precise, in general, or in the special cases of factorization (RSA…), discrete logarithm in $Bbb Z_p^*$ (DSA…) or elliptic curve group groups (ECDSA, EdDSA…)?
Update: Poncho quickly pointed that the problem is settled for the discrete logarithm with shared parameters like public prime modulus or curve, which is customary. The question remains in general, for factorization, and DL with per-key parameters.
public-key discrete-logarithm attack factoring
edited 6 hours ago
Squeamish Ossifrage
33.9k2 gold badges57 silver badges144 bronze badges
asked 8 hours ago
fgrieufgrieu
86.1k7 gold badges192 silver badges378 bronze badges
$endgroup$
add a comment
|
$begingroup$
The problem of finding private key from public key is typically studied in the one-key setup: what's the expected cost of breaking one key (e.g. by factoring a public modulus, or solving a discrete logarithm in some group).
There is much less work on simultaneously attacking $k>1$ keys. One notable exception is Daniel J. Bernstein and Tanja Lange's Batch NFS, in proceedings of SAC 2014. They conclude that increasing $k$ allows asymptotic savings on the expected cost per factorization.
A different problem is attacking any one in $k>1$ keys. It seems understudied too, although it is of practical concern, especially in setups where there can't be a revocation list. For example, there are deployed systems such that an attacker could gather many thousands public keys of devices that can write in Smart Cards after authentication, and does not care which one is broken: whatever one allows falsifying records made in the Smart Cards. Also, from a public relations perspective, it's hard to convey that indeed, a hacker demonstrated breaking one key in your system, but it is still safe enough since there's no positive evidence that the adversary could attack a particular key.
We can trivially state that the expected difficulty of attacking any one in $k$ public keys is at most that of attacking one key, and at least $1/k$ that.
Can we be more precise, in general, or in the special cases of factorization (RSA…), discrete logarithm in $Bbb Z_p^*$ (DSA…) or elliptic curve group groups (ECDSA, EdDSA…)?
Update: Poncho quickly pointed that the problem is settled for the discrete logarithm with shared parameters like public prime modulus or curve, which is customary. The question remains in general, for factorization, and DL with per-key parameters.
public-key discrete-logarithm attack factoring
edited 6 hours ago
Squeamish Ossifrage
33.9k2 gold badges57 silver badges144 bronze badges
asked 8 hours ago
fgrieufgrieu
86.1k7 gold badges192 silver badges378 bronze badges
$endgroup$
1
$begingroup$
Like Kuhn & Struik, ‘Random Walks Revisited: Extensions of Pollard’s Rho Algorithm for Computing Multiple Discrete Logarithms’, SAC 2001? The cost to first key among $t$ targets is still $sqrt n$ where $n$ is the number of possible DLOG exponents, but the cost to all keys is $sqrtt n$ rather than $tsqrt n$.
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
The story for generic preimage search, of course, is different.
$endgroup$
– Squeamish Ossifrage
7 hours ago
add a comment
|
$begingroup$
The problem of finding private key from public key is typically studied in the one-key setup: what's the expected cost of breaking one key (e.g. by factoring a public modulus, or solving a discrete logarithm in some group).
There is much less work on simultaneously attacking $k>1$ keys. One notable exception is Daniel J. Bernstein and Tanja Lange's Batch NFS, in proceedings of SAC 2014. They conclude that increasing $k$ allows asymptotic savings on the expected cost per factorization.
A different problem is attacking any one in $k>1$ keys. It seems understudied too, although it is of practical concern, especially in setups where there can't be a revocation list. For example, there are deployed systems such that an attacker could gather many thousands public keys of devices that can write in Smart Cards after authentication, and does not care which one is broken: whatever one allows falsifying records made in the Smart Cards. Also, from a public relations perspective, it's hard to convey that indeed, a hacker demonstrated breaking one key in your system, but it is still safe enough since there's no positive evidence that the adversary could attack a particular key.
We can trivially state that the expected difficulty of attacking any one in $k$ public keys is at most that of attacking one key, and at least $1/k$ that.
Can we be more precise, in general, or in the special cases of factorization (RSA…), discrete logarithm in $Bbb Z_p^*$ (DSA…) or elliptic curve group groups (ECDSA, EdDSA…)?
Update: Poncho quickly pointed that the problem is settled for the discrete logarithm with shared parameters like public prime modulus or curve, which is customary. The question remains in general, for factorization, and DL with per-key parameters.
public-key discrete-logarithm attack factoring
edited 6 hours ago
Squeamish Ossifrage
33.9k2 gold badges57 silver badges144 bronze badges
asked 8 hours ago
fgrieufgrieu
86.1k7 gold badges192 silver badges378 bronze badges
$endgroup$
The problem of finding private key from public key is typically studied in the one-key setup: what's the expected cost of breaking one key (e.g. by factoring a public modulus, or solving a discrete logarithm in some group).
There is much less work on simultaneously attacking $k>1$ keys. One notable exception is Daniel J. Bernstein and Tanja Lange's Batch NFS, in proceedings of SAC 2014. They conclude that increasing $k$ allows asymptotic savings on the expected cost per factorization.
A different problem is attacking any one in $k>1$ keys. It seems understudied too, although it is of practical concern, especially in setups where there can't be a revocation list. For example, there are deployed systems such that an attacker could gather many thousands public keys of devices that can write in Smart Cards after authentication, and does not care which one is broken: whatever one allows falsifying records made in the Smart Cards. Also, from a public relations perspective, it's hard to convey that indeed, a hacker demonstrated breaking one key in your system, but it is still safe enough since there's no positive evidence that the adversary could attack a particular key.
We can trivially state that the expected difficulty of attacking any one in $k$ public keys is at most that of attacking one key, and at least $1/k$ that.
Can we be more precise, in general, or in the special cases of factorization (RSA…), discrete logarithm in $Bbb Z_p^*$ (DSA…) or elliptic curve group groups (ECDSA, EdDSA…)?
Update: Poncho quickly pointed that the problem is settled for the discrete logarithm with shared parameters like public prime modulus or curve, which is customary. The question remains in general, for factorization, and DL with per-key parameters.
public-key discrete-logarithm attack factoring
public-key discrete-logarithm attack factoring
edited 6 hours ago
Squeamish Ossifrage
33.9k2 gold badges57 silver badges144 bronze badges
asked 8 hours ago
fgrieufgrieu
86.1k7 gold badges192 silver badges378 bronze badges
edited 6 hours ago
Squeamish Ossifrage
33.9k2 gold badges57 silver badges144 bronze badges
asked 8 hours ago
fgrieufgrieu
86.1k7 gold badges192 silver badges378 bronze badges
edited 6 hours ago
Squeamish Ossifrage
33.9k2 gold badges57 silver badges144 bronze badges
edited 6 hours ago
Squeamish Ossifrage
33.9k2 gold badges57 silver badges144 bronze badges
edited 6 hours ago
Squeamish Ossifrage
33.9k2 gold badges57 silver badges144 bronze badges
33.9k2 gold badges57 silver badges144 bronze badges
asked 8 hours ago
fgrieufgrieu
86.1k7 gold badges192 silver badges378 bronze badges
asked 8 hours ago
fgrieufgrieu
86.1k7 gold badges192 silver badges378 bronze badges
asked 8 hours ago
fgrieufgrieu
86.1k7 gold badges192 silver badges378 bronze badges
86.1k7 gold badges192 silver badges378 bronze badges
1
$begingroup$
Like Kuhn & Struik, ‘Random Walks Revisited: Extensions of Pollard’s Rho Algorithm for Computing Multiple Discrete Logarithms’, SAC 2001? The cost to first key among $t$ targets is still $sqrt n$ where $n$ is the number of possible DLOG exponents, but the cost to all keys is $sqrtt n$ rather than $tsqrt n$.
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
The story for generic preimage search, of course, is different.
$endgroup$
– Squeamish Ossifrage
7 hours ago
add a comment
|
1
$begingroup$
Like Kuhn & Struik, ‘Random Walks Revisited: Extensions of Pollard’s Rho Algorithm for Computing Multiple Discrete Logarithms’, SAC 2001? The cost to first key among $t$ targets is still $sqrt n$ where $n$ is the number of possible DLOG exponents, but the cost to all keys is $sqrtt n$ rather than $tsqrt n$.
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
The story for generic preimage search, of course, is different.
$endgroup$
– Squeamish Ossifrage
7 hours ago
1
1
$begingroup$
Like Kuhn & Struik, ‘Random Walks Revisited: Extensions of Pollard’s Rho Algorithm for Computing Multiple Discrete Logarithms’, SAC 2001? The cost to first key among $t$ targets is still $sqrt n$ where $n$ is the number of possible DLOG exponents, but the cost to all keys is $sqrtt n$ rather than $tsqrt n$.
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
Like Kuhn & Struik, ‘Random Walks Revisited: Extensions of Pollard’s Rho Algorithm for Computing Multiple Discrete Logarithms’, SAC 2001? The cost to first key among $t$ targets is still $sqrt n$ where $n$ is the number of possible DLOG exponents, but the cost to all keys is $sqrtt n$ rather than $tsqrt n$.
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
The story for generic preimage search, of course, is different.
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
The story for generic preimage search, of course, is different.
$endgroup$
– Squeamish Ossifrage
7 hours ago
add a comment
|
1 Answer
1
active
oldest
votes
$begingroup$
Actually, a well known result is that, for any cryptosystem that relies on the hardness of the DLog problem (including ECDlog), there is no such reduction in strength if you have $k$ keys. That is, the problem of "here are $k$ keys, break any one" is essentially as hard as the problem "here is one key, break it".
The proof is straight-forward; first off, we assume that the cryptosystem is based on Dlog, hence breaking the system is equivalent to solving some DLog problem. Further suppose we did have a method of, given $k$ values $a_1G, a_2G, …, a_kG$, of finding $a_i$ for some $i$, and this takes effort $M$ [1].
Then, given $bG$, we can attempt to recover $b$ by selecting $k$ random values $r_1, r_2, …, r_k$; and compute $r_1(bG), r_2(bG), …, r_k(bG)$. We then hand this off to our oracle, which gives us the value $c$ s.t. $cG = r_i(bG)$ for some $i$; we then compute $b = cr_i^-1$, and thus recovering $b$, at the cost of $M$ plus the time to do $k$ point multiplications (which is quite feasible assuming $k$ isn't ridiculously large).
Similar proofs would apply to DH-based cryptosystems as well.
[1]: I'm using additive notation, mostly because I find it easier to read...
answered 7 hours ago
ponchoponcho
99.9k3 gold badges163 silver badges262 bronze badges
$endgroup$
$begingroup$
This is an important argument for DL-based cryptography, and especially for shared public modulus/curve (which is necessary for that argument to work). I wish I realized that sooner.
$endgroup$
– fgrieu
7 hours ago
add a comment
|
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f74825%2fattacking-any-one-in-many-public-keys%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
Actually, a well known result is that, for any cryptosystem that relies on the hardness of the DLog problem (including ECDlog), there is no such reduction in strength if you have $k$ keys. That is, the problem of "here are $k$ keys, break any one" is essentially as hard as the problem "here is one key, break it".
The proof is straight-forward; first off, we assume that the cryptosystem is based on Dlog, hence breaking the system is equivalent to solving some DLog problem. Further suppose we did have a method of, given $k$ values $a_1G, a_2G, …, a_kG$, of finding $a_i$ for some $i$, and this takes effort $M$ [1].
Then, given $bG$, we can attempt to recover $b$ by selecting $k$ random values $r_1, r_2, …, r_k$; and compute $r_1(bG), r_2(bG), …, r_k(bG)$. We then hand this off to our oracle, which gives us the value $c$ s.t. $cG = r_i(bG)$ for some $i$; we then compute $b = cr_i^-1$, and thus recovering $b$, at the cost of $M$ plus the time to do $k$ point multiplications (which is quite feasible assuming $k$ isn't ridiculously large).
Similar proofs would apply to DH-based cryptosystems as well.
[1]: I'm using additive notation, mostly because I find it easier to read...
answered 7 hours ago
ponchoponcho
99.9k3 gold badges163 silver badges262 bronze badges
$endgroup$
$begingroup$
This is an important argument for DL-based cryptography, and especially for shared public modulus/curve (which is necessary for that argument to work). I wish I realized that sooner.
$endgroup$
– fgrieu
7 hours ago
add a comment
|
$begingroup$
Actually, a well known result is that, for any cryptosystem that relies on the hardness of the DLog problem (including ECDlog), there is no such reduction in strength if you have $k$ keys. That is, the problem of "here are $k$ keys, break any one" is essentially as hard as the problem "here is one key, break it".
The proof is straight-forward; first off, we assume that the cryptosystem is based on Dlog, hence breaking the system is equivalent to solving some DLog problem. Further suppose we did have a method of, given $k$ values $a_1G, a_2G, …, a_kG$, of finding $a_i$ for some $i$, and this takes effort $M$ [1].
Then, given $bG$, we can attempt to recover $b$ by selecting $k$ random values $r_1, r_2, …, r_k$; and compute $r_1(bG), r_2(bG), …, r_k(bG)$. We then hand this off to our oracle, which gives us the value $c$ s.t. $cG = r_i(bG)$ for some $i$; we then compute $b = cr_i^-1$, and thus recovering $b$, at the cost of $M$ plus the time to do $k$ point multiplications (which is quite feasible assuming $k$ isn't ridiculously large).
Similar proofs would apply to DH-based cryptosystems as well.
[1]: I'm using additive notation, mostly because I find it easier to read...
answered 7 hours ago
ponchoponcho
99.9k3 gold badges163 silver badges262 bronze badges
$endgroup$
$begingroup$
This is an important argument for DL-based cryptography, and especially for shared public modulus/curve (which is necessary for that argument to work). I wish I realized that sooner.
$endgroup$
– fgrieu
7 hours ago
add a comment
|
$begingroup$
Actually, a well known result is that, for any cryptosystem that relies on the hardness of the DLog problem (including ECDlog), there is no such reduction in strength if you have $k$ keys. That is, the problem of "here are $k$ keys, break any one" is essentially as hard as the problem "here is one key, break it".
The proof is straight-forward; first off, we assume that the cryptosystem is based on Dlog, hence breaking the system is equivalent to solving some DLog problem. Further suppose we did have a method of, given $k$ values $a_1G, a_2G, …, a_kG$, of finding $a_i$ for some $i$, and this takes effort $M$ [1].
Then, given $bG$, we can attempt to recover $b$ by selecting $k$ random values $r_1, r_2, …, r_k$; and compute $r_1(bG), r_2(bG), …, r_k(bG)$. We then hand this off to our oracle, which gives us the value $c$ s.t. $cG = r_i(bG)$ for some $i$; we then compute $b = cr_i^-1$, and thus recovering $b$, at the cost of $M$ plus the time to do $k$ point multiplications (which is quite feasible assuming $k$ isn't ridiculously large).
Similar proofs would apply to DH-based cryptosystems as well.
[1]: I'm using additive notation, mostly because I find it easier to read...
answered 7 hours ago
ponchoponcho
99.9k3 gold badges163 silver badges262 bronze badges
$endgroup$
Actually, a well known result is that, for any cryptosystem that relies on the hardness of the DLog problem (including ECDlog), there is no such reduction in strength if you have $k$ keys. That is, the problem of "here are $k$ keys, break any one" is essentially as hard as the problem "here is one key, break it".
The proof is straight-forward; first off, we assume that the cryptosystem is based on Dlog, hence breaking the system is equivalent to solving some DLog problem. Further suppose we did have a method of, given $k$ values $a_1G, a_2G, …, a_kG$, of finding $a_i$ for some $i$, and this takes effort $M$ [1].
Then, given $bG$, we can attempt to recover $b$ by selecting $k$ random values $r_1, r_2, …, r_k$; and compute $r_1(bG), r_2(bG), …, r_k(bG)$. We then hand this off to our oracle, which gives us the value $c$ s.t. $cG = r_i(bG)$ for some $i$; we then compute $b = cr_i^-1$, and thus recovering $b$, at the cost of $M$ plus the time to do $k$ point multiplications (which is quite feasible assuming $k$ isn't ridiculously large).
Similar proofs would apply to DH-based cryptosystems as well.
[1]: I'm using additive notation, mostly because I find it easier to read...
answered 7 hours ago
ponchoponcho
99.9k3 gold badges163 silver badges262 bronze badges
answered 7 hours ago
ponchoponcho
99.9k3 gold badges163 silver badges262 bronze badges
answered 7 hours ago
ponchoponcho
99.9k3 gold badges163 silver badges262 bronze badges
answered 7 hours ago
ponchoponcho
99.9k3 gold badges163 silver badges262 bronze badges
99.9k3 gold badges163 silver badges262 bronze badges
$begingroup$
This is an important argument for DL-based cryptography, and especially for shared public modulus/curve (which is necessary for that argument to work). I wish I realized that sooner.
$endgroup$
– fgrieu
7 hours ago
add a comment
|
$begingroup$
This is an important argument for DL-based cryptography, and especially for shared public modulus/curve (which is necessary for that argument to work). I wish I realized that sooner.
$endgroup$
– fgrieu
7 hours ago
$begingroup$
This is an important argument for DL-based cryptography, and especially for shared public modulus/curve (which is necessary for that argument to work). I wish I realized that sooner.
$endgroup$
– fgrieu
7 hours ago
$begingroup$
This is an important argument for DL-based cryptography, and especially for shared public modulus/curve (which is necessary for that argument to work). I wish I realized that sooner.
$endgroup$
– fgrieu
7 hours ago
add a comment
|
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f74825%2fattacking-any-one-in-many-public-keys%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
$begingroup$
Like Kuhn & Struik, ‘Random Walks Revisited: Extensions of Pollard’s Rho Algorithm for Computing Multiple Discrete Logarithms’, SAC 2001? The cost to first key among $t$ targets is still $sqrt n$ where $n$ is the number of possible DLOG exponents, but the cost to all keys is $sqrtt n$ rather than $tsqrt n$.
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
The story for generic preimage search, of course, is different.
$endgroup$
– Squeamish Ossifrage
7 hours ago