elliptic curve cryptography the ec discrete logarithm problem and pollard’s rho attack ofer...
TRANSCRIPT
Elliptic Curve Cryptography
The EC Discrete Logarithm problem and Pollard’s Rho attack
Ofer Schwarz, Winter 2012-2013Advisor: Barukh Ziv
BackgroundECDLP; The ECDLP attack; Project goals
Elliptic Curves• Elliptic curves may be defined over any field• Solutions to the equation
• Obtain a simpler equation through variable changeo Over o Over
• Define an additive group structure using geometryo “Point an infinity” serves as the unit element
𝑚=𝑦2− 𝑦1𝑥2− 𝑥1
𝑥3=𝑚2− (𝑥1+𝑥2 ) 𝑦 3=𝑚 (𝑥1−𝑥3 )− 𝑦1
Calculating over :
ECDLP• Elliptic Curve Discrete Logarithm Problem• Computational hardness of DLP is the basis for
many cryptographic systems (e.g., DSA, ElGamal)• Given a finite field ,• An elliptic curve over ,• A point of order [],• And another point • The problem: find
ECDLP using collisions
• The idea: find such that
• Then we have • Simple method to find a collision: birthday
paradoxo Very heavy memory requirements
• Pollard’s Rho attack: same time, negligible memory
• The means: random functions
Pollard’s Rho• Every function over a finite space
is composed of finite chains• Each chain has a cycle, and a collision:
such that
• In a random function:o Expected tail length o Expected cycle length
• Use any cycle-detection methodo E.g., Floyd’s algorithm: EC operations
• Use a specific family of functions for which given it is easy to find s.t.
Additive walks• Partition the curve into disjoint subsets
o E.g., according to the least bits of coordinate
• Choose random integers for • For , define • For starting element, choose random
Pohlig-Hellman reduction
• Assume • Reduces ECDLP of order to instances of order
for • Uses Chinese remainder theorem and group
structure• Significance: ECDLP of order is only as hard as
the largest prime factor of • Usually the parameters are chosen so is prime
Project goals• Implement a generic EC arithmetic library• Implement the ECDLP attack• Research and implement various improvements
and optimizations for the attack• Ultimate goal: solve 64-bit ECDLP (i.e., )
Improvements and optimizations
Nivasch’s algorithm; Montgomery trick and distinguished point method; Negation map
1 .Nivasch’s algorithm• Cycle detection using stacks• The idea: find the smallest value in the cycle
o Keep a stack of values encountered so faro For each new value, remove all values larger than ito Stack is ordered by , increasing in both
• Improvement: use stacks, with partitioningo Look for smallest value on cycle in each subset separately
• Expected runtime: • Expected memory:
2 .The Montgomery trick
• Inversion is the most expensive field operation• Compute several inversions simultaneously• The trick: use accumulating products:
• Substitute inversions with multiplications and inversion
Local parallelization• Montgomery’s trick requires several parallel
instances (all running locally)• Naïve parallelization only results in a speedup• The distinguished point method yields a speedup
factor of • The result: we can use Montgomery’s trick
without losing efficiency!
Distinguished points• Pollard’s Rho chains may
intersect• Use same function in all
instances• Keep a hash table of points• Only insert “distinguished”
points• Common method: least bits of
the coordinate are all 0• Gives the same speedup factor,
but saves a factor of in memory
3 .Negation map• Method for improving the attack by a factor of • The idea: given a point , it’s very easy to
calculate o In prime curves:
• The idea: “group” each point and its negative as a single elemento E.g., use the one with an even coordinate
Fruitless cycles• Problem with negation map in additive walks• If and , then
• “Fruitless” because linear combination is the same
• Happens with every step ( = partition factor)
• Longer even-length cycles are also possibleo Probability is exponential in cycle length
Resolving fruitless cycles
• The simplest idea actually works: just check!• Check for 2-cycles every steps
o When calculating for o Check if o If so, define o Still easy to calculate the linear combination
• Do the same for larger even lengthso Analysis shows that optimal o Only need to check up to
Implementation and results
EC arithmetic library; Collision library; Challenges and results
Curve arithmetic library
• Generic EC arithmetic library in C++• Support for various different curves and
algorithmso Extensible syntax that allows adding even more curves and algorithms
• Fast field arithmetic using GMP and NTLo Incl. complex operations, e.g., Chinese remainders, modular square
roots
Collision library• Generic (templated) C++ library for finding
collisions• Only need to supply the function• Currently implemented:
o Floyd’s algorithmo Nivasch’s stack algorithmo Distinguished point method for parallelization
Challenges• 4 ECDLP challenges of increasing difficulty
o 30, 40, 50 and 64 bits
• 1 Extra challenge with non-prime order for testing Pohlig-Hellman reduction
Results!• 64-bit challenge solved in ~16 hours, ~
iterations• Results from previous group: 60 bits in 5-6 days• Best result to date: 112 bits in 3.5 months
o Used a cluster of 218 PlayStation 3 consoleso Single-Instruction, Multiple-Data architectureo Heavy optimizations on all levels
Results!
30 40 50 641
10
100
1000
10000
100000
Average time
Challenge bits
Ru
nti
me (
secon
ds)
30 40 50 640
5
10
15
20
25
30
35
Average function calls
Challenge bits
log
2(#
call
s)
Optimization tests• Check every improvement against vanilla version• Nivasch: 2.16 times less iterations, 1.4 speedup• Montgomery: 1.43 speedup factor for 40 bits,
1.33 factor for 30 bits• Negation map: 1.1 times less iterations, no
speedupo (Actually about 1.07 times slower)
Improvement ideas• Distributed attack• Low-level optimizations
o Integer arithmetico Field arithmetic (probably harder since NTL is very good at that)o In-place operations instead of constructors and copying
• Use SIMD architecture (e.g., GPUs)
The End