Re: index calculus vs pollard rho

Bill Allombert on Fri, 16 May 2014 15:39:37 +0200

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: index calculus vs pollard rho

To: pari-dev@pari.math.u-bordeaux.fr
Subject: Re: index calculus vs pollard rho
From: Bill Allombert <Bill.Allombert@math.u-bordeaux.fr>
Date: Fri, 16 May 2014 15:39:31 +0200
Delivery-date: Fri, 16 May 2014 15:39:37 +0200
In-reply-to: <20140510184051.GE15597@yellowpig>
Mail-followup-to: pari-dev@pari.math.u-bordeaux.fr
References: <CAAuMLAmburBVqztGqO4Q-wRC_KeN8PWGFZj4DiH3_ZR=-=qMEQ@mail.gmail.com> <20140403152824.GA30708@yellowpig> <20140409214238.GC4631@yellowpig> <20140409231227.GA30132@math.u-bordeaux1.fr> <20140510184051.GE15597@yellowpig>
User-agent: Mutt/1.5.21 (2010-09-15)

On Sat, May 10, 2014 at 08:40:51PM +0200, Bill Allombert wrote:
> On Thu, Apr 10, 2014 at 01:12:27AM +0200, Karim Belabas wrote:
> > * Bill Allombert [2014-04-09 23:43]:
> > > On Thu, Apr 03, 2014 at 05:28:24PM +0200, Bill Allombert wrote:
> > > > On Thu, Apr 03, 2014 at 03:22:02PM +0200, Pascal Molin wrote:
> > > > > The following znlog uses index calculus on a 46 bits subgroup, but p itself
> > > > > is large,
> > > > > this is slow (and memory-demanding)
> > > > > 
> > > > > *gp* > p=nextprime(2^120); znlog(Mod(3,p),Mod(2,p),p-1)
> > > > > 
> > > > > time = 51,617 ms.
> > > > > 
> > > > > %21 = 391862826185609110238504885400229618
> > > > > 
> > > > > while the same is easier to compute with pollard
> > > > 
> > > > The issue is that the threshold for Pohlig-Hellman algorithm is set to 27 bits
> > > > independently of the size of p.
> > > 
> > > I join some benchmarks:
> > > [27,29]:4:8 means we are computing in (Z/lZ)* with l of 29 bits in a subgroup of
> > > order p of 27 bit. The number after the first colon is the time for
> > > Shanks/Pollard rho and the second for the linear sieve.
> > > (Remember that Pollard rho has probabilistic running time).
> > > 
> > > The thresholds are about:
> > > p -> l
> > > 27 -> 29
> > [...]
> > > 50 ->115 
> > 
> > A simple linear regression on your threshold data yields
> > 
> >   log_2(l) ~ a * log_2(p) + b
> > 
> > for a = 3.88, b = -78.78  (max. error ~ 5.55). Switching to a linear sieve when
> >   log_2(p) >= 27
> > and
> >   log_2(l) <= a * log_2(p) + b
> > will recover something close to your thresholds.
> > 
> > In fact, assuming your linear sieve implementation follow the theoretical
> > model, the threshold should rather be determined by something resembling
> >   sqrt(p) ~ exp(C*(log l log log l)^(1/2))
> > that would yield
> >   log(p) ~ 2C * (log l log log l)^(1/2)
> > 
> > A linear regression between (log_2(p))^2 and log_2(l) yields
> >   log_2(l) ~ A (log_2(p))^2 + B
> > for A = 0.05, B = -6
>  
> I have created a branch 'bill-Fp_easylog' which implement this threshold.
> Please give feedback.

Well, I have pushed a fix for this issue using Karim formula:

   23- faster znlog when p-1 has only smallish prime factors.

Please check for any slowdown.

Cheers,
Bill.

References:
- Re: index calculus vs pollard rho
  - From: Bill Allombert <Bill.Allombert@math.u-bordeaux.fr>

Prev by Date: Re: dynamic pari stack
Next by Date: pari online
Previous by thread: Re: index calculus vs pollard rho
Next by thread: More thue() troubles in master/2.5.5 after the roots patch
Index(es):
- Date
- Thread