This is correct only for BSGS (Baby-Step-Giant-Step).
Using Pollard Rho method, the expected work is 3*2^80 group operations with almost zero memory requirements.
Note that unlike BSGS this method is probabilistic, and might fail with very low probability (on the order of 2^-160).
One can improve the algorithm using Distinguished Points, bringing the expected work down to 1.253*2^80 group operations, using both less memory and less group operations (on average) than BSGS.
Pollard Rho can't exploit the fact that the private key is in the range from 1 to 2^160 for example, because it is probabilistic. It would need always 2^128 steps. Only BSGS is suitable for this task.
If you try to retrieve #57 with Pollard Rho, you won't retrieve the private key in a few seconds or in a few years.
With "space search is 2^160" in this context we mean a 2^160 points subset in the space of the 2^256 points of the secp256k1 curve.
Pollard Rho can be modified for an interval shorter than the whole group, at the cost of more group operations, i.e. for range 1 to 2^160 a possible solution would take 10*3*2^80 group ops plus 10*2^16 group points additional memory.
There are other probabilistic algorithms when private key is in a range significantly smaller than the size of the whole group - Pollard Kangaroo, and Gaudry-Schost algorithms.
Pollard Kangaroo with four kangaroos (the optimal) and distinguished points (DP) has expected work 1.715*2^80.
Four set Gaudry-Schost algorithm with DP gives 1.661*2^80 group operations, and is easy to parallelise.
There might be additional memory requirements for both methods, negligible compared to the enormous cost of BSGS.
Show Posts
