Subset-Restricted Random Walks for Pollard rho Method on ${\MATHBF{F}_{P^M}}$.

In this paper, we propose a variant of the Pollard rho method. We use an iterating function whose image size is much smaller than its domain and hence reaches a collision faster than the original iterating function. We also explicitly show how this general method can be applied to multiplicative subgroups of finite fields with large extension degree. The construction for finite fields uses a distinctive feature of the normal basis representation, namely, that the p-th power of an element is just the cyclic shift of its normal basis representation, when the underlying field is of characteristic p. This makes our method appropriate for hardware implementations. On multiplicative subgroups of ]> , our method shows time complexity advantage over the original Pollard rho method by a factor of approximately ]> . Through the MOV reduction, our method can be applied to pairing-based cryptosystems over binary or ternary fields. Hence our algorithm suggests that the order of subgroups, on which the pairing-based cryptosystems rely, needs to be increased by a factor of approximately m. [ABSTRACT FROM AUTHOR]