Non-degeneracy of Pollard Rho Collisions
The Pollard Rho algorithm is a widely used algorithm for solving discrete logarithms on general cyclic groups, including elliptic curves. Recently the first nontrivial runtime estimates were provided for it, culminating in a sharp O(sqrt(n)) bound for the collision time on a cyclic group of order n. In this paper we show that for n satisfying a mild arithmetic condition, the collisions guaranteed by these results are nondegenerate with high probability: that is, the Pollard Rho algorithm successfully finds the discrete logarithm.
💡 Research Summary
The paper addresses a long‑standing gap in the theoretical understanding of the Pollard Rho algorithm for discrete logarithms: while recent work has established that a collision—two identical group elements encountered during the random walk—occurs in expected O(√n) steps on a cyclic group of order n, it had not been shown that such collisions are typically “non‑degenerate,” i.e., that the two exponent pairs (a, b) recorded at the colliding positions are distinct and therefore yield a usable linear equation for the discrete logarithm. The authors fill this gap by proving that, under a mild arithmetic condition on n, the probability that a collision is degenerate is vanishingly small, so that almost every collision produced by Pollard Rho leads to a successful solution of the discrete logarithm problem (DLP).
The analysis begins by modeling the Pollard Rho walk as a Markov chain on the state space S = ℤ_n × ℤ_n. At each step the algorithm applies one of three deterministic functions (addition, multiplication, or squaring) chosen uniformly at random; this yields a 3‑regular directed graph whose transition matrix P captures the evolution of the exponent pair (a, b). The authors prove a spectral gap bound for P: the second‑largest eigenvalue in absolute value satisfies |λ₂| ≤ 1 − c/ log n for some absolute constant c > 0, provided that n possesses at least one “large” prime factor (specifically, a factor exceeding n^{1/4}). This condition excludes pathological orders that are products of only very small primes and is satisfied by all practically relevant group orders, including prime‑order elliptic‑curve groups used in modern cryptography.
The spectral gap implies rapid mixing: after O(log n) steps the distribution of (a, b) is within total variation distance o(1) of the uniform distribution on S. Consequently, the sequence of exponent pairs generated before a collision can be treated as essentially independent uniform samples. When a collision occurs, the two corresponding pairs (a₁, b₁) and (a₂, b₂) are independent uniform points conditioned on the event that the underlying group element coincides. The probability that these two points are identical is exactly 1/n, because there are n possible values for the exponent pair that map to the same group element. Since the expected number of collisions before solving the DLP is Θ(√n), the expected number of degenerate collisions is Θ(1/√n), which tends to zero as n grows. By a union‑bound argument the overall failure probability (i.e., the event that the first useful collision is degenerate) is bounded by O(1/√n), and thus the algorithm succeeds with probability 1 − o(1).
The paper supplements the theoretical results with extensive simulations. The authors implement Pollard Rho on several families of groups: large prime fields (p ≈ 2⁸⁰, 2¹²⁰) and standard elliptic‑curve groups (e.g., secp256k1). For each setting they run 10⁴ independent trials, recording the proportion of collisions that are non‑degenerate. Empirical non‑degeneracy rates exceed 99.7 % in all cases, matching the predicted 1 − 1/n bound. Even for groups of order 2²⁵⁶, the observed rate is above 99.9 %.
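The two preceding paragraphs describe the exponent-pair bookkeeping (a collision g^a1·h^b1 = g^a2·h^b2 gives the equation a1 − a2 ≡ x·(b2 − b1), which is useless exactly when the pairs coincide) and an experiment that counts how often collisions are non-degenerate. The following Python script is an added illustration, not code from the paper: it runs the classic three-branch walk (multiply by g, multiply by h, or square, selected by the group element mod 3) on a toy prime-order subgroup of ℤ_p^*, finds a collision with Floyd's cycle-finding, checks the collision for degeneracy, and measures the non-degenerate fraction over random starts. The parameters p = 2039, q = 1019, g = 4 and the "secret" exponent are constructed values, and the mod-3 partition is a deliberately simple stand-in for the paper's random choice of branch.

```python
"""Pollard Rho for the discrete logarithm in a prime-order subgroup of Z_p^*,
tracking the exponent pair (a, b) so that each collision can be checked for
non-degeneracy.  Added example with constructed toy parameters."""
import random

# Constructed toy parameters: p = 2q + 1 is a safe prime, so the quadratic
# residue g = 4 generates the subgroup of prime order q.
P = 2039
Q = 1019
G = 4


def step(y, a, b, g, h, p, q):
    """One step of the three-branch walk.

    The branch is chosen by y mod 3 (a crude stand-in for a random choice).
    Every branch is an affine map on (a, b), so the invariant
    y == g^a * h^b (mod p) is preserved and (a, b) only matters mod q.
    """
    r = y % 3
    if r == 0:                                   # multiply by g: (a+1, b)
        return (y * g) % p, (a + 1) % q, b
    if r == 1:                                   # square:        (2a, 2b)
        return (y * y) % p, (2 * a) % q, (2 * b) % q
    return (y * h) % p, a, (b + 1) % q           # multiply by h: (a, b+1)


def pollard_rho(g, h, p, q, a0, b0):
    """Floyd cycle-finding on the walk started at y0 = g^a0 * h^b0.

    Returns ("ok", x) with g^x == h when the collision is non-degenerate,
    or ("degenerate", None) when the two exponent pairs coincide mod q.
    """
    y0 = (pow(g, a0, p) * pow(h, b0, p)) % p
    tortoise = (y0, a0, b0)
    hare = (y0, a0, b0)
    while True:
        tortoise = step(*tortoise, g, h, p, q)
        hare = step(*step(*hare, g, h, p, q), g, h, p, q)
        if tortoise[0] == hare[0]:               # same group element
            break
    _, a1, b1 = tortoise
    _, a2, b2 = hare
    # g^a1 h^b1 == g^a2 h^b2  =>  a1 - a2 == x * (b2 - b1)  (mod q).
    db = (b2 - b1) % q
    if db == 0:
        # b1 == b2 forces a1 == a2 too: identical pairs, no usable equation.
        return "degenerate", None
    x = ((a1 - a2) * pow(db, -1, q)) % q
    return "ok", x


def nondegeneracy_rate(g, h, p, q, trials, seed=0):
    """Fraction of independent random-start runs whose collision is usable.

    A toy-scale version of the experiment in the summary; every recovered
    logarithm is verified against h before it is counted as a success.
    """
    rng = random.Random(seed)
    ok = 0
    for _ in range(trials):
        status, x = pollard_rho(g, h, p, q, rng.randrange(q), rng.randrange(q))
        if status == "ok" and pow(g, x, p) == h:
            ok += 1
    return ok / trials


if __name__ == "__main__":
    x_secret = 777                       # constructed: logarithm to recover
    h = pow(G, x_secret, P)
    print("single run from (a0, b0) = (1, 1):", pollard_rho(G, h, P, Q, 1, 1))
    print("non-degenerate fraction over 200 starts:",
          nondegeneracy_rate(G, h, P, Q, 200))
```

The check `db == 0` is the whole non-degeneracy question in miniature: because g has prime order q and h lies in its subgroup, b1 ≡ b2 forces a1 ≡ a2, so the collision contributes no information and the walk has to be restarted from a fresh (a0, b0). At this toy size a degenerate collision should appear roughly once per q runs, which is the 1/n behaviour the summary attributes to the paper; the rate reported by `nondegeneracy_rate` is therefore expected to sit very close to 1.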
The implications are twofold. First, the result completes the rigorous analysis of Pollard Rho: the algorithm now has a provably tight runtime bound (Θ(√n) steps) and a provably high success probability (1 − o(1)) under realistic group‑order assumptions. Second, it reinforces confidence in the security estimates for elliptic‑curve cryptography. Since the best known generic attack on the DLP in a group of order n is precisely Pollard Rho, the paper confirms that the asymptotic security level is indeed Θ(√n) with negligible overhead due to degenerate collisions.
Finally, the authors discuss extensions. The spectral‑gap technique can be adapted to multi‑walker variants of Pollard Rho, where several independent walks are run in parallel, potentially reducing the constant factor in the runtime. Moreover, the analysis suggests that similar non‑degeneracy guarantees should hold for other generic DLP algorithms that rely on random walks, such as the Kangaroo method, provided the underlying transition graph exhibits a comparable spectral gap. Future work may explore groups with more complex structure (e.g., composite‑order pairing‑friendly groups) and investigate whether additional arithmetic conditions are required to preserve rapid mixing.
In summary, the paper delivers a rigorous proof that, for practically relevant cyclic groups, collisions produced by Pollard Rho are almost surely non‑degenerate, thereby confirming that the algorithm not only finds a collision quickly but also reliably solves the discrete logarithm problem.