Elliptic Curve Cryptography
The EC Discrete Logarithm problem and Pollard’s Rho attack
Ofer Schwarz, Winter 2012-2013
Advisor: Barukh Ziv
Background
ECDLP; The ECDLP attack; Project goals
Elliptic Curves
• Elliptic curves may be defined over any field
• Solutions to the equation
• Obtain a simpler equation through variable change
  o Over
  o Over
• Define an additive group structure using geometry
  o “Point at infinity” serves as the unit element
Point addition (m is the slope of the line through the two points being added):
  m = (y_2 - y_1) / (x_2 - x_1)
  x_3 = m^2 - (x_1 + x_2)
  y_3 = m (x_1 - x_3) - y_1
Calculating over :
ECDLP
• Elliptic Curve Discrete Logarithm Problem
• Computational hardness of DLP is the basis for many cryptographic systems (e.g., DSA, ElGamal)
• Given a finite field ,
• An elliptic curve over ,
• A point of order [],
• And another point
• The problem: find
ECDLP using collisions
• The idea: find such that
• Then we have
• Simple method to find a collision: birthday paradox
  o Very heavy memory requirements
• Pollard’s Rho attack: same time, negligible memory
• The means: random functions
Pollard’s Rho
• Every function over a finite space is composed of finite chains
• Each chain has a cycle, and a collision: such that
• In a random function:
  o Expected tail length
  o Expected cycle length
• Use any cycle-detection method
  o E.g., Floyd’s algorithm: EC operations
• Use a specific family of functions for which, given , it is easy to find s.t.
Additive walks
• Partition the curve into disjoint subsets
  o E.g., according to the least bits of coordinate
• Choose random integers for
• For , define
• For starting element, choose random
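A toy end-to-end run of the attack described on the last three slides: point addition with the slide's formulas, an r-adding walk whose state carries the coefficients a, b of a*P + b*Q, Floyd cycle detection, and recovery of k from the collision. This is an added example, not the project's C++ library; the curve y^2 = x^3 + 2x + 2 over F_17 with P = (5, 1) of prime order 19 is a textbook choice small enough to run instantly, which is exactly why such parameters are never acceptable in practice.

```python
import random

P_MOD, A = 17, 2               # field F_17 and coefficient a of y^2 = x^3 + 2x + 2 (toy curve, assumption)
INF = None                     # point at infinity, the group's unit element

def ec_add(P, Q):
    """Chord-and-tangent addition (short Weierstrass form over a prime field)."""
    if P is INF: return Q
    if Q is INF: return P
    x1, y1 = P; x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # P + (-P) = O
    if P == Q:                                       # doubling: tangent slope
        m = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:                                            # chord slope m = (y2 - y1)/(x2 - x1)
        m = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (m * m - x1 - x2) % P_MOD
    y3 = (m * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def ec_mul(k, P):
    """Double-and-add scalar multiplication k*P."""
    R = INF
    while k:
        if k & 1: R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def pollard_rho(P, Q, n, r=3, seed=0):
    """Solve Q = k*P in the order-n group <P> with an r-adding walk and Floyd's cycle finding.
    Walk state is (X, a, b) with X = a*P + b*Q, so a collision yields a linear relation in k."""
    rng = random.Random(seed)
    coef = [(rng.randrange(1, n), rng.randrange(1, n)) for _ in range(r)]   # M_j = c_j P + d_j Q
    mult = [ec_add(ec_mul(c, P), ec_mul(d, Q)) for c, d in coef]
    def step(X, a, b):
        j = 0 if X is INF else X[0] % r              # partition class from the x-coordinate
        c, d = coef[j]
        return ec_add(X, mult[j]), (a + c) % n, (b + d) % n
    a0, b0 = rng.randrange(n), rng.randrange(n)
    tort = hare = (ec_add(ec_mul(a0, P), ec_mul(b0, Q)), a0, b0)
    while True:                                      # Floyd: the hare moves twice as fast
        tort, hare = step(*tort), step(*step(*hare))
        if tort[0] == hare[0]:
            break
    (_, a1, b1), (_, a2, b2) = tort, hare
    if (b2 - b1) % n == 0:                           # degenerate collision: restart with a new walk
        return pollard_rho(P, Q, n, r, seed + 1)
    return (a1 - a2) * pow(b2 - b1, -1, n) % n       # a1 P + b1 Q = a2 P + b2 Q  =>  k
```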
Pohlig-Hellman reduction
• Assume
• Reduces ECDLP of order to instances of order for
• Uses Chinese remainder theorem and group structure
• Significance: ECDLP of order is only as hard as the largest prime factor of
• Usually the parameters are chosen so is prime
Project goals
• Implement a generic EC arithmetic library
• Implement the ECDLP attack
• Research and implement various improvements and optimizations for the attack
• Ultimate goal: solve 64-bit ECDLP (i.e., )
Improvements and optimizations
Nivasch’s algorithm; Montgomery trick and distinguished point method; Negation map
1. Nivasch’s algorithm
• Cycle detection using stacks
• The idea: find the smallest value in the cycle
  o Keep a stack of values encountered so far
  o For each new value, remove all values larger than it
  o Stack is ordered by , increasing in both
• Improvement: use stacks, with partitioning
  o Look for smallest value on cycle in each subset separately
• Expected runtime:
• Expected memory:
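Nivasch's single-stack cycle detection as described above, on a generic iterated function, with a brute-force reference to check it against. This is an added example, not the project's collision library; the function f(x) = x^2 + 1 mod 1009 used in the check is an arbitrary choice standing in for the EC walk function.

```python
def nivasch(f, x0):
    """Iterate x_{i+1} = f(x_i) until the cycle's minimum element is seen a second time.
    Returns (cycle_length, min_on_cycle, detection_index).
    The stack holds (value, index) pairs that are increasing in both coordinates."""
    stack = []
    x, i = x0, 0
    while True:
        # every stacked value larger than x cannot be the cycle minimum: discard it
        while stack and stack[-1][0] > x:
            stack.pop()
        if stack and stack[-1][0] == x:
            return i - stack[-1][1], x, i          # second visit of the cycle minimum
        stack.append((x, i))
        x, i = f(x), i + 1

def reference(f, x0):
    """Brute-force check: remember every visited value (what Nivasch avoids storing)."""
    seen, x, i = {}, x0, 0
    while x not in seen:
        seen[x] = i
        x, i = f(x), i + 1
    first = seen[x]                                  # index where the cycle starts
    return i - first, min(v for v, idx in seen.items() if idx >= first)
```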
2. The Montgomery trick
• Inversion is the most expensive field operation
• Compute several inversions simultaneously
• The trick: use accumulating products:
• Substitute inversions with multiplications and inversion
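Montgomery's trick applied to a batch of field elements such as the slope denominators x_2 - x_1 that several parallel walk instances need inverted at the same time. This is an added example, not the project's library; the modulus is an arbitrary prime chosen for the demo. Accumulated prefix products let one inversion plus 3(n-1) multiplications replace n inversions; the caveat is that a single zero element spoils the whole product, so the batch is checked first.

```python
P_MOD = 2**61 - 1   # assumption: any prime modulus works; this Mersenne prime is only a demo choice

def batch_inverse(xs, p=P_MOD):
    """Invert every element of xs mod p using a single modular inversion.
    Returns (inverses, (inversion_count, multiplication_count))."""
    n = len(xs)
    if n == 0:
        return [], (0, 0)
    if any(x % p == 0 for x in xs):
        raise ValueError("batch contains a non-invertible element")   # one zero poisons the product
    # forward pass: acc[i] = x_0 * x_1 * ... * x_i   (n-1 multiplications)
    acc = [xs[0] % p]
    for x in xs[1:]:
        acc.append(acc[-1] * x % p)
    inv = pow(acc[-1], -1, p)                  # the only inversion in the whole batch
    mults = n - 1
    invs = [0] * n
    # backward pass: peel off one factor per step (2 multiplications each)
    for i in range(n - 1, 0, -1):
        invs[i] = inv * acc[i - 1] % p         # (x_0..x_i)^-1 * (x_0..x_{i-1}) = x_i^-1
        inv = inv * xs[i] % p                  # inv is now (x_0..x_{i-1})^-1
        mults += 2
    invs[0] = inv
    return invs, (1, mults)
```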
Local parallelization
• Montgomery’s trick requires several parallel instances (all running locally)
• Naïve parallelization only results in a speedup
• The distinguished point method yields a speedup factor of
• The result: we can use Montgomery’s trick without losing efficiency!
Distinguished points
• Pollard’s Rho chains may intersect
• Use same function in all instances
• Keep a hash table of points
• Only insert “distinguished” points
• Common method: least bits of the coordinate are all 0
• Gives the same speedup factor, but saves a factor of in memory
3. Negation map
• Method for improving the attack by a factor of
• The idea: given a point , it’s very easy to calculate
  o In prime curves:
• The idea: “group” each point and its negative as a single element
  o E.g., use the one with an even coordinate
Fruitless cycles
• Problem with negation map in additive walks
• If and , then
• “Fruitless” because the linear combination is the same
• Happens with every step ( = partition factor)
• Longer even-length cycles are also possible
  o Probability is exponential in cycle length
Resolving fruitless cycles
• The simplest idea actually works: just check!
• Check for 2-cycles every steps
  o When calculating for
  o Check if
  o If so, define
  o Still easy to calculate the linear combination
• Do the same for larger even lengths
  o Analysis shows that optimal
  o Only need to check up to
Implementation and results
EC arithmetic library; Collision library; Challenges and results
Curve arithmetic library
• Generic EC arithmetic library in C++
• Support for various different curves and algorithms
  o Extensible syntax that allows adding even more curves and algorithms
• Fast field arithmetic using GMP and NTL
  o Incl. complex operations, e.g., Chinese remainders, modular square roots
Collision library
• Generic (templated) C++ library for finding collisions
• Only need to supply the function
• Currently implemented:
  o Floyd’s algorithm
  o Nivasch’s stack algorithm
  o Distinguished point method for parallelization
Challenges
• 4 ECDLP challenges of increasing difficulty
  o 30, 40, 50 and 64 bits
• 1 extra challenge with non-prime order for testing Pohlig-Hellman reduction
Results!
• 64-bit challenge solved in ~16 hours, ~ iterations
• Results from previous group: 60 bits in 5-6 days
• Best result to date: 112 bits in 3.5 months
  o Used a cluster of 218 PlayStation 3 consoles
  o Single-Instruction, Multiple-Data architecture
  o Heavy optimizations on all levels
Results!
[Chart: Average time. Runtime (seconds) on a log scale from 1 to 100000, against challenge bits 30, 40, 50, 64]
[Chart: Average function calls. log2(#calls) on a scale from 0 to 35, against challenge bits 30, 40, 50, 64]
Optimization tests
• Check every improvement against vanilla version
• Nivasch: 2.16 times fewer iterations, 1.4 speedup
• Montgomery: 1.43 speedup factor for 40 bits, 1.33 factor for 30 bits
• Negation map: 1.1 times fewer iterations, no speedup
  o (Actually about 1.07 times slower)
Improvement ideas
• Distributed attack
• Low-level optimizations
  o Integer arithmetic
  o Field arithmetic (probably harder since NTL is very good at that)
  o In-place operations instead of constructors and copying
• Use SIMD architecture (e.g., GPUs)
The End