A Birthday Paradox for Markov chains with an optimal bound for collision in the Pollard Rho algorithm for discrete logarithm

TL;DR

This paper establishes a birthday paradox for Markov chains and applies it to analyze the Pollard Rho algorithm, providing optimal bounds for collision times in discrete logarithm computations without assuming independent samples.

Contribution

It introduces a birthday paradox for Markov chains with uniform stationary distribution and applies it to derive optimal collision bounds for Pollard Rho without i.i.d. assumptions.

Findings

Collision occurs in Θ(√|G|) steps with high probability.

Parallelized algorithm reduces steps to Θ(√|G|)/J.

First proof of bounds without i.i.d. step assumption.

Abstract

We show a Birthday Paradox for self-intersections of Markov chains with uniform stationary distribution. As an application, we analyze Pollard's Rho algorithm for finding the discrete logarithm in a cyclic group $G$ and find that if the partition in the algorithm is given by a random oracle, then with high probability a collision occurs in $\Theta(\sqrt{|G|})$ steps. Moreover, for the parallelized distinguished points algorithm on $J$ processors we find that $\Theta(\sqrt{|G|}/J)$ steps suffices. These are the first proofs of the correct order bounds which do not assume that every step of the algorithm produces an i.i.d. sample from $G$.