First of all, I'll introduce the problem and motivate it, then describe the Gaudry-Schost algorithm for solving it. I'll explain our improvements to the standard Gaudry-Schost algorithm in specific groups, namely those with fast inversion, then, if time allows, some experimental results, and conclude. The DLP in a short interval is essentially the DLP, except that instead of the discrete log lying between 0 and the order of g, it now lies between minus n over 2 and n over 2. So it's a much smaller interval, hence the name DLP in a short interval. That's really all this problem is. So really what you're after is an algorithm that, rather than being a standard discrete log algorithm, is tailored to solve this specific problem. OK, so this problem arises in a number of contexts: for example, the DLP with c-bit exponents, decryption in the Boneh-Goh-Nissim homomorphic encryption scheme, counting points on curves or abelian varieties over finite fields, analysis of the strong Diffie-Hellman problem, and side-channel and small subgroup attacks. So it does appear in a number of places. OK. So now, on to the running times of a number of different algorithms for solving this. The first one is obviously baby-step giant-step, which solves this problem in O(root n) time and space. Of course it's not a low-memory algorithm, and the average-case expected running time is approximately root 2n group operations.
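To make the baby-step giant-step approach concrete, here is a minimal sketch for the DLP in an interval, using the multiplicative group mod a prime as a stand-in for a generic group; the group, prime and parameters below are illustrative choices of mine, not ones from the talk.

```python
from math import isqrt

def bsgs_interval(g, h, p, N):
    """Find x in [-N//2, N//2] with g^x = h (mod p), or None."""
    m = isqrt(N) + 1
    start = -(N // 2)
    # Baby steps: table of g^(start + j) for j = 0..m-1.
    cur = pow(g, start, p)
    table = {}
    for j in range(m):
        table[cur] = j
        cur = (cur * g) % p
    # Giant steps: compare h * g^(-m*i) against the table.
    g_minus_m = pow(g, -m, p)      # modular inverse of g^m
    cur = h
    for i in range(m):
        if cur in table:
            return start + m * i + table[cur]
        cur = (cur * g_minus_m) % p
    return None
```

Storage and time are both about root N, which is exactly why the talk moves on to low-memory alternatives.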
So that's not a low-memory algorithm, and really what we're after is a low-memory algorithm for solving this problem. The low-memory algorithm for doing that is Pollard's parallelised kangaroo algorithm, or the method of van Oorschot and Wiener, which solves this problem in approximately 2 root n group operations. So that's the well-known algorithm that's been out there for quite a while. Recently Pollard has improved his kangaroo algorithm to achieve 1.71 root n group operations. We've also made some improvements to the standard Gaudry-Schost algorithm which reduce the running time to 1.48 root n group operations. Both of these last two results are very new and will hopefully appear in a forthcoming paper. But all of these algorithms solve the DLP in an interval in a generic group, in any group. So we want to ask whether we can solve it quicker in specific groups. In particular we worked on groups which have fast inversion. What we mean by fast inversion is that if you have an element u in the group, then calculating its inverse, u inverse, is much faster than a group operation. A simple example of this is obviously the group of points on an elliptic curve over a finite field. In particular, when you have fast inversion, if you know the discrete logarithm of an element, then you immediately know the discrete logarithm of the inverse of that element, and because inversion is fast, you get the inverse itself cheaply as well. So we were hoping that you could use equivalence classes in some way, an equivalence class consisting of an element and its inverse, to speed up some of these algorithms. Okay, so obviously we first went to the original algorithm for this problem, the kangaroo algorithm. And contrary to a claim made in the Handbook of Elliptic and Hyperelliptic Curve Cryptography, I stress it seems impossible to implement equivalence classes in the kangaroo algorithm.
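To illustrate the fast-inversion observation, here is a toy sketch in the multiplicative group mod a prime (for elliptic curves the inverse is just the point with negated y-coordinate); the parameters are illustrative:

```python
def inverse_log(u, a, p):
    """Given u = g^a mod p, return (u^{-1} mod p, -a): one modular
    inversion, much cheaper than a fresh exponentiation."""
    return pow(u, -1, p), -a
```

Knowing log(u) = a, you get log(u^{-1}) = -a for free, which is what makes the equivalence class {u, u^{-1}} attractive for the walks described later.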
I stress seems: if someone else can do it, then I'm happy to be proven wrong. So instead, we decided to see if we could use equivalence classes somewhere in the Gaudry-Schost algorithm, which I'll explain in a moment, to speed up solving the DLP in an interval in groups with fast inversion. So let me quickly explain the Gaudry-Schost algorithm for solving this problem in a generic group, and then move on to the case where we have fast inversion. The Gaudry-Schost algorithm works in the following way. You have a tame set T and a wild set W such that you know the discrete log of every element in the tame set, and the tame set covers exponents between minus n over 2 and n over 2. The wild set is a set of the same size as the tame set, but translated so that it is centred on the element whose discrete log you're trying to find. So you know the discrete log of everything in the tame set, but you don't know the discrete log of anything in the wild set, except that you know where it sits in relation to the element you're trying to find the discrete log of. I've got a little diagram on the next slide. In a manner similar to the van Oorschot and Wiener method, you have tame walks which walk in the tame set and wild walks which walk in the wild set, and what you're trying to do is find a collision between a tame walk and a wild walk. So diagrammatically, and I thought a diagram would be the best thing to show here, the tame set is the black rectangle at the top, between minus n over 2 and n over 2. And I've shown the wild set for a number of different problem instances. The first one is the worst case: a problem instance where the element whose discrete log you're trying to find is equal to g to the minus n over 2, so it's at the left-hand extreme edge of the tame set. What I've done is translate a set of the same size as the tame set around that point; hence you get the first shaded rectangle, where it says worst case.
And you can see the overlap between the tame set and the wild set in that case is quite small. As h, the element whose discrete log we're trying to find, moves along the tame set, we move to the next stage, where h is equal to g to the minus n over 4. You see that that's the average case, and the overlap between the tame and wild sets is increasing. It increases all the way to the best case, where h sits in the middle of the tame set. And when you have the largest overlap, you have the smallest running time. OK. So before I give the running time, I have to explain distinguished points. When you're running an algorithm like this, you want to keep it low memory. So what you do is you have multiple walks, multiple tame walks and multiple wild walks. If you consider the kangaroo algorithm, what it does is let its tame walk run until you've decided to stop, and you save what's known as the trap: the element at the end, together with its discrete log. In our case you have multiple tame walks and multiple wild walks, and you designate a certain subset of the group as distinguished. A simple way of doing that, for example, if you consider the elements in their binary form, is to require the first L bits to be 0, and call that a distinguished point. You can decide how large or small L is, and hence the probability of a point being distinguished. So when a walk hits a distinguished point, the algorithm sends the element and its discrete log to the server, and the walk then restarts somewhere else. Here I've just said theta is the probability of a point being distinguished. You don't need to worry about the last paragraph; that should be removed. Okay, so on to the algorithm I was mentioning earlier. As it's a parallelised algorithm, you can run it on multiple machines.
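A hedged sketch of the distinguished-point test just described: here I use the L least significant bits of the element's integer encoding rather than the leading bits, which is an equally common convention; either way each point is distinguished with probability theta = 2 to the minus L.

```python
def is_distinguished(u, L):
    """True when the L least significant bits of u's encoding are zero;
    this happens with probability theta = 2^(-L) for a random u."""
    return u & ((1 << L) - 1) == 0
```

Tuning L trades walk length (about 1/theta steps per walk) against how many points the server must store.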
So you have N_P processors that work on this: half work on tame walks and half on wild walks. A tame processor starts a tame walk by picking a random point in the tame set, walks a number of steps until it hits a distinguished point, then sends the distinguished point and its discrete log to the server. The server then checks: has it seen that point in the wild hash table? Has a wild walk hit the same distinguished point? If it has, you've solved the discrete log. If it hasn't, the server stores that element and its discrete log in the tame hash table, and the processor starts a tame walk from another random point in the tame set. The wild walks are analogous: they start somewhere in the wild set, and so on and so forth. Okay, so to analyse this algorithm we use what we call the tame-wild birthday paradox. It's very similar to the birthday paradox, with a few minor changes. The running time of the algorithm I've described, averaging over all problem instances, is 2.08 root n group operations. Of course that's slower than the Pollard kangaroo algorithm. But with our improvements we've made this as low as 1.48 root n, and again that's to appear in a forthcoming paper. But we're asking: can we go further than this in groups with fast inversion? Okay, so now I'm going to describe the improved Gaudry-Schost algorithm, where we utilise equivalence classes in groups with fast inversion, and see if we can improve on that. First, an obvious example is elliptic curves, which clearly have fast inversion. What we're saying is: if I have an element q with discrete log a, which happens to lie in the interval minus n over 2 to n over 2, then the inverse of q, minus q, has discrete log minus a, which is equidistant from the centre of that interval. So if q sits over here and the centre is over here, minus q sits equidistant from the centre on the other side.
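To tie the pieces together, here is a toy, serial sketch of the tame/wild collision search just described, again using the multiplicative group mod a prime as a stand-in for a generic group. The parameters, step set and distinguished-point rule are illustrative simplifications of mine (walks are allowed to drift past the interval ends, and one tame and one wild walk alternate instead of running on parallel machines), not the server version from the talk.

```python
import random

def gaudry_schost(g, h, p, N, L=3, rounds=500, max_steps=1000):
    """Toy serial Gaudry-Schost: find x with g^x = h (mod p) for
    x in [-N//2, N//2], by colliding tame and wild walks."""
    steps = [1, 2, 4, 8]                        # toy positive step sizes
    dp = lambda u: u & ((1 << L) - 1) == 0      # distinguished-point test
    tame, wild = {}, {}
    rng = random.Random(1)                      # deterministic for the demo
    for _ in range(rounds):
        for kind in ("tame", "wild"):
            a = rng.randint(-N // 2, N // 2)    # known exponent / offset
            u = pow(g, a, p) if kind == "tame" else (h * pow(g, a, p)) % p
            for _ in range(max_steps):          # walk until distinguished
                if dp(u):
                    break
                s = steps[u % len(steps)]       # step depends only on u
                u = (u * pow(g, s, p)) % p
                a += s
            if kind == "tame":                  # invariant: u = g^a
                if u in wild:                   # g^a = h * g^wild[u]
                    return a - wild[u]
                tame[u] = a
            else:                               # invariant: u = h * g^a
                if u in tame:                   # g^tame[u] = h * g^a
                    return tame[u] - a
                wild[u] = a
    return None
```

Because the step choice depends only on the current group element, a tame and a wild walk that ever land on the same element continue identically and hit the same distinguished point, which is what the server detects.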
So if you know q and its discrete log, you automatically know minus q and minus a. So it's natural to take the equivalence class of q and minus q, and to perform random walks not on elements but on equivalence classes. Therefore our tame and wild sets become the following: the tame set is T and the wild set is W. The old tame and wild sets were of size n plus 1, or approximately n. In this case, because you're walking on equivalence classes, the classes number about n over 2 instead of n. So you're walking in smaller tame and wild sets, and that seems great; it seems you're going to get an instant improvement, but it's not as easy as that. Okay, so here's the issue, seen diagrammatically. If we map the tame and wild sets to just the positive side, then the tame set is given by that rectangle there, of size n over 2. In the best case, where h is equal to g to the 0, the wild set is of the same size. However, because we are now working with equivalence classes, as h moves to the right, towards the average case, rather than the wild set being a translation of the tame set, the wild set starts increasing in size. The criss-cross shading is meant to indicate different densities of walks: if you consider the wild set now, in the average case it goes a bit into the negative side, which folds over when you take the positive representative of each equivalence class, so you get different densities of searching. The search density in the criss-cross shaded region is higher than on the right-hand side, where there's just single shading. And as h moves to the right of the tame set, to where h is equal to g to the n over 2, you have the worst case, where the wild set is twice the size of the tame set.
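The growth of the folded wild set can be made concrete with a small sketch of mine: assuming the discrete log x has been folded into [0, n/2], the wild exponents x + a for a in [-n/2, n/2] fold to |x + a|, and the covered range grows from the tame set's size at x = 0 up to twice it at x = n/2.

```python
def folded_wild_range(x, N):
    """Exponent range covered by {|x + a| : a in [-N/2, N/2]},
    assuming x has been folded into [0, N/2]."""
    lo, hi = x - N // 2, x + N // 2
    return 0, max(abs(lo), hi)
```

At x = 0 the range is [0, N/2] (same size as the tame set); at x = N/2 it is [0, N], twice the tame set, matching the worst case in the diagram.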
We re-analysed the algorithm, and while it gave an improvement on the 2 root n, it didn't give an improvement on the 1.48 root n group operations, and we asked whether we could do better. So rather than searching the whole of the wild set as described before, we asked whether there's a way to search a smaller wild set and achieve a better running time. Let me just go back again quickly. As I said before, the running time depends on the overlap between the tame and wild sets. If you look at the worst case, you're wasting a lot of walks in the wild set; they're completely wasted. So can we change where we walk in the wild set so that we waste fewer walks? What we decided to do is search in a smaller wild set: instead of searching where a belongs to minus n over 2 to n over 2, we go from minus n over 4 to n over 4. So we're halving the size of the wild set in the previous best case. Does this give any further improvement? Again, it's good to look at a diagram to see what's going on in the different cases. Again the tame set is the black rectangle. In the previous best case, which is no longer the best case, the wild set is now half the size, but you're doing double the number of walks in half the area, and you're no longer wasting tame walks or wild walks. As h moves towards the right, to h equal to g to the n over 8, the new average case, there are some different densities of walking, but again you're wasting fewer walks, and the overlap is the size of the wild set. And in the new best case, where h is equal to g to the n over 4, you have no different densities of walking and a full overlap; that's why it's the new best case.
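The effect of the smaller wild set can be checked with the same kind of toy calculation (illustrative parameters, same folding assumption as before): with offsets a now in [-n/4, n/4], the size of the folded wild set never exceeds the tame set's n/2, whatever x in [0, n/2] is.

```python
def folded_wild_size(x, N):
    """Size of the folded wild set {|x + a| : a in [-N/4, N/4]},
    assuming x has been folded into [0, N/2]."""
    lo, hi = x - N // 4, x + N // 4
    if lo >= 0:
        return hi - lo             # no folding: size N/2
    return max(-lo, hi)            # folds onto [0, max(-lo, hi)]
```

At x = N/4, the new best case, the folded wild set is exactly [0, N/2] and overlaps the tame set completely.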
Past that point, because you're only searching between minus n over 4 and n over 4, the wild set actually starts moving rather than growing, so the wild set is never any bigger than the tame set. And this seems to work better. We used a slightly different form of the birthday paradox from the original Gaudry-Schost analysis, taking into account the different densities of walks, because even with a smaller wild set you do have different densities of walks, and the expected running time of the improved Gaudry-Schost algorithm is 1.36 root n group operations, which is slightly better than 1.48 root n. But there are a few issues with walking on equivalence classes as opposed to walking on elements, and I'll describe two of the issues we had to deal with. Okay, so the first issue, which is easily dealt with, is that when you're doing a deterministic pseudorandom walk on equivalence classes, the first thing you need to do is decide which element of the equivalence class you are going to step from, and it needs to be deterministic. A simple way of doing that is to say: step from the element with the largest y-coordinate, taken as an integer. So that was an easy fix. The first thing you do at each step of a walk on equivalence classes is decide whether to step from this element or that element, because you don't know which one is the negative. Okay, the next issue is cycles. As in the original Gaudry-Schost algorithm, all our steps are positive. However, when walking on equivalence classes, because at each step you first decide which element of the class to step from, you can end up with side-to-side walks. Let me give you a quick example of how that happens. Say we start a walk at minus 13, and our deterministic rule decides to step from minus 13, with a step size of plus four.
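The representative rule just described can be sketched as follows, for affine points P = (x, y) and -P = (x, p - y) over a prime field; choosing the larger y-coordinate as an integer is one deterministic convention (a sketch of mine, assuming y is nonzero so the point is not its own inverse).

```python
def rep(P, p):
    """Representative of the class {P, -P} = {(x, y), (x, p - y)}:
    the point whose y-coordinate is larger as an integer."""
    x, y = P
    return (x, y) if y >= p - y else (x, p - y)
```

Both members of a class map to the same representative, so every walk makes the same choice and walks on colliding classes continue identically.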
Then we end up at minus 9. But if the deterministic rule then steps from 9 instead of the negative side, which does happen, and we happen to use the same step size of plus four, we end up back where we started, in a cycle. That's a two-cycle, and two-cycles occurred very frequently in our experiments. So there has to be a method of getting out of the cycle. This phenomenon was noted by Gallant, Lambert and Vanstone, and by Wiener and Zuccherato. Once you enter a cycle, it can cause walks never to hit a distinguished point, so you have to have another rule imposing a maximum walk length to get out of the cycle, but that means you've wasted the entire walk. And given that these two-cycles occur frequently, you don't want to waste all those walks. A way around this is collapsing the cycle. A simple example, which is not the most efficient but is an example nonetheless, of how to get out of a cycle is as follows. Say we enter a cycle. How do we know, firstly, that we've entered a cycle? A simple way is to record the last few elements you've visited; if you keep seeing the same elements, you know you're in a cycle. Once you know you're in the cycle, you again need a deterministic way of getting out of it. To do that, you can say, for example: given that we know we're in the cycle and we know every element in it, we find the element with the largest x-coordinate, say, and from that element we take a step to get out of the cycle. That way, any other walk that enters the same cycle will use the same deterministic method of jumping out, so the walk is not wasted and only a few steps are wasted.
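The two-cycle detection and deterministic escape can be sketched on the exponent side; `detect_two_cycle` and `escape_point` are hypothetical helper names of mine, and using the larger of the two cycle members as the escape point stands in for the largest-x-coordinate rule from the talk.

```python
def detect_two_cycle(trace):
    """True if the last four visited states form an a, b, a, b pattern."""
    return (len(trace) >= 4
            and trace[-1] == trace[-3]
            and trace[-2] == trace[-4])

def escape_point(trace):
    """Deterministic escape: every walk leaves the cycle from the same
    element, here the larger of the two cycle members."""
    return max(trace[-2:])
```

On the talk's example (start at -13, step +4 to -9, fold to 9, step +4 back to 13, which is the class of -13), the trace of visited classes repeats as -13, -9, -13, -9, the two-cycle is detected, and every walk escapes from the same member, -9.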
So this example is quite costly, but it's just an example, and there are better ways of doing it, as suggested by my friend. Okay, I think I have time for some of our experimental results. We used a somewhat toy example, purely because we only had one machine to run this on. The elliptic curve we used is the one there, where the group of points on the curve is slightly bigger than 2 to the 51. We put various interval sizes inside that 2 to the 51 and ran experiments on those intervals. We ran experiments on intervals of size 2 to the 34, 2 to the 40 and 2 to the 48, and due to the running time of each experiment we ran 1,000, 1,000 and 350 of them respectively. The first column, that's the improved GS algorithm, shows the experiments completed before we submitted the paper. Since then we've run more experiments with better mean step sizes and a few more tweaks to the algorithm, though it's still the same algorithm nonetheless, and we've achieved slightly better running times. The xx in the bottom corner is just where the experiments are still running; they're still ongoing. So we haven't quite achieved the 1.36 root n from the theory, but we believe that with better methods of collapsing cycles, better mean step sizes and so forth, we can get close to it. So, what we've seen: I've described the DLP in an interval and noted that it occurs in many situations. I've mentioned the improved parallelised kangaroo algorithm, which solves the standard DLP in an interval in any group in 1.71 root n steps. I've then mentioned our improved Gaudry-Schost algorithm for arbitrary groups, which completes in 1.48 root n steps. And I've shown that the improved Gaudry-Schost algorithm using equivalence classes solves this problem in 1.36 root n steps, though, as we've seen, there are a few practical issues in running that algorithm. Okay, and that's it. Thank you.