A Near Optimal Bound for Pollard’s Rho to Solve Discrete Log

We analyze the classical Pollard’s Rho algorithm for finding the discrete logarithm in a cyclic group G. We prove that, with high probability, a collision occurs and the discrete logarithm is potentially found in O( √ |G| log |G| log log |G|) steps, not far from the widely conjectured value of Θ( √ |G|). This improves upon a recent result of Miller–Venkatesan which showed an upper bound of O( √ |G| log |G|). Our proof is based on analyzing an appropriate nonreversible, non-lazy random walk on a discrete cycle of (odd) length |G|, and showing that the mixing time of the corresponding walk is O(log |G| log log |G|). We also observe that the standard methods using functional-analytic constants (spectral gap, logarithmic Sobolev etc.), combinatorial comparison or standard coupling arguments fall short here and will at best offer a bound of O(log |G|).