Elliptic Curve Cryptography
The EC Discrete Logarithm problem and Pollard’s Rho attack
Ofer Schwarz, Winter 2012-2013
Advisor: Barukh Ziv
Page 2

Background
ECDLP; The ECDLP attack; Project goals
Page 3

Elliptic Curves
• Elliptic curves may be defined over any field
• Solutions to the equation
• Obtain a simpler equation through variable change
  o Over
  o Over
• Define an additive group structure using geometry
  o “Point at infinity” serves as the unit element
• Calculating over :
  $m = \frac{y_2 - y_1}{x_2 - x_1}$
  $x_3 = m^2 - (x_1 + x_2), \quad y_3 = m(x_1 - x_3) - y_1$
Page 4

ECDLP
• Elliptic Curve Discrete Logarithm Problem
• Computational hardness of DLP is the basis for many cryptographic systems (e.g., DSA, ElGamal)
• Given a finite field ,
• An elliptic curve over ,
• A point of order [],
• And another point
• The problem: find
Page 5

ECDLP using collisions
• The idea: find such that
• Then we have
• Simple method to find a collision: birthday paradox
  o Very heavy memory requirements
• Pollard’s Rho attack: same time, negligible memory
• The means: random functions
Page 6

Pollard’s Rho
• Every function over a finite space is composed of finite chains
• Each chain has a cycle, and a collision: such that
• In a random function:
  o Expected tail length
  o Expected cycle length
• Use any cycle-detection method
  o E.g., Floyd’s algorithm: EC operations
• Use a specific family of functions for which given it is easy to find s.t.
Page 7

Additive walks
• Partition the curve into disjoint subsets
  o E.g., according to the least bits of coordinate
• Choose random integers for
• For , define
• For starting element, choose random
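The additive walk of pages 6 and 7 with Floyd cycle finding, as an added example (not code from the project): each walk element carries its linear combination a·P + b·Q, the collision X_i = X_2i then yields k. The curve y² = x³ + 2x + 2 over F_17 with P = (5, 1) of prime order 19 is a constructed toy parameter set; the functions are generic in the curve, P and n.

```python
import random

# Toy parameters (constructed for this example): the textbook curve
# y^2 = x^3 + 2x + 2 over F_17, with P = (5, 1) of prime order n = 19.
P_MOD, A, B = 17, 2, 2
INF = None  # point at infinity, the group identity

def ec_add(p1, p2):
    """Chord-and-tangent addition with the slide's m, x3, y3 formulas."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # p2 == -p1
    if p1 == p2:
        m = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)  # tangent
    else:
        m = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)      # chord
    x3 = (m * m - x1 - x2) % P_MOD
    return (x3, (m * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def pollard_rho(P, Q, n, r=8, seed=1):
    """Return k with Q = k*P, for P of prime order n, via an r-adding walk."""
    rng = random.Random(seed)
    while True:
        # r random steps R_j = a_j*P + b_j*Q; the walk adds R_j where j is
        # selected by the x coordinate (partition of the curve into r subsets)
        coef = [(rng.randrange(n), rng.randrange(n)) for _ in range(r)]
        R = [ec_add(ec_mul(a, P), ec_mul(b, Q)) for a, b in coef]
        def step(state):
            X, a, b = state
            j = 0 if X is INF else X[0] % r
            return ec_add(X, R[j]), (a + coef[j][0]) % n, (b + coef[j][1]) % n
        a0, b0 = rng.randrange(n), rng.randrange(n)
        start = ec_add(ec_mul(a0, P), ec_mul(b0, Q)), a0, b0
        tort, hare = step(start), step(step(start))  # Floyd: X_i vs X_2i
        while tort[0] != hare[0]:
            tort, hare = step(tort), step(step(hare))
        (_, a1, b1), (_, a2, b2) = tort, hare  # a1 P + b1 Q == a2 P + b2 Q
        if (b1 - b2) % n:
            return (a2 - a1) * pow((b1 - b2) % n, -1, n) % n
        # b1 == b2 mod n gives no information: retry with a fresh random walk
```

The expected cost is about sqrt(πn/2) walk steps, which is why a 64-bit order is a student project while standard curve orders are chosen far beyond reach of this method.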
Page 8

Pohlig-Hellman reduction
• Assume
• Reduces ECDLP of order to instances of order for
• Uses Chinese remainder theorem and group structure
• Significance: ECDLP of order is only as hard as the largest prime factor of
• Usually the parameters are chosen so is prime
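The reduction is group-generic, so this added example (not the project's code) runs it in the multiplicative group Z_q^* instead of on a curve, which avoids curve arithmetic: q = 2311 is a constructed parameter with q − 1 = 2·3·5·7·11 square-free, GEN stands in for the point of order n, and each small instance is solved by exhaustive search where a real attack would run Pollard's rho of size sqrt(p).

```python
# Constructed parameters: q = 2311 is prime, so Z_q^* is cyclic of order
# N = 2310 = 2*3*5*7*11; GEN is a generator (an element of order N).
Q, N, PRIMES = 2311, 2310, [2, 3, 5, 7, 11]
GEN = next(g for g in range(2, Q) if all(pow(g, N // p, Q) != 1 for p in PRIMES))

def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for r, m in zip(residues, moduli):
        Mi = M // m
        x += r * Mi * pow(Mi, -1, m)
    return x % M

def small_dlog(g, h, p, q):
    """log_g(h) in the order-p subgroup by exhaustive search; this is the
    size-p instance that Pollard's rho would solve in ~sqrt(p) steps."""
    acc = 1
    for k in range(p):
        if acc == h:
            return k
        acc = acc * g % q
    raise ValueError("h is not in the subgroup generated by g")

def pohlig_hellman(g, h, n, primes, q):
    """Solve g^k = h in Z_q^* for g of square-free order n = prod(primes):
    project onto each order-p subgroup, solve there, recombine with CRT."""
    residues = []
    for p in primes:
        gp, hp = pow(g, n // p, q), pow(h, n // p, q)  # both of order dividing p
        residues.append(small_dlog(gp, hp, p, q))      # k mod p
    return crt(residues, primes)
```

A secret of order 2310 falls to five searches of at most 11 steps each, which is the reason the last bullet above insists on a prime group order.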
Page 9

Project goals
• Implement a generic EC arithmetic library
• Implement the ECDLP attack
• Research and implement various improvements and optimizations for the attack
• Ultimate goal: solve 64-bit ECDLP (i.e., )
Page 10

Improvements and optimizations
Nivasch’s algorithm; Montgomery trick and distinguished point method; Negation map
Page 11

1. Nivasch’s algorithm
• Cycle detection using stacks
• The idea: find the smallest value in the cycle
  o Keep a stack of values encountered so far
  o For each new value, remove all values larger than it
  o Stack is ordered by , increasing in both
• Improvement: use stacks, with partitioning
  o Look for smallest value on cycle in each subset separately
• Expected runtime:
• Expected memory:
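Nivasch's stack algorithm, including the partitioned variant with k stacks, as an added example that is not the project's collision library. The quadratic map on Z_100003 is a constructed stand-in for a rho walk; any deterministic function on a finite set works.

```python
def nivasch_cycle(f, x0, k=1, part=lambda x: x, max_steps=10**7):
    """Nivasch's stack algorithm for the sequence x_{i+1} = f(x_i).

    Keeps k stacks (one per partition class part(x) % k), each holding
    (value, index) pairs increasing in both.  Every new value pops all larger
    entries from its stack; the first value equal to the top of its stack is
    the smallest cycle value of that class, seen for the second time.
    Returns (cycle_length, first_index, value) with x_first_index == value.
    """
    stacks = [[] for _ in range(k)]
    x = x0
    for i in range(max_steps):
        st = stacks[part(x) % k]
        while st and st[-1][0] > x:
            st.pop()
        if st and st[-1][0] == x:
            return i - st[-1][1], st[-1][1], x
        st.append((x, i))
        x = f(x)
    raise RuntimeError("no cycle within max_steps")

def iterate(f, x, steps):
    """Apply f to x the given number of times."""
    for _ in range(steps):
        x = f(x)
    return x

def cycle_elements(f, v, length):
    """The cycle through v as a list of its elements."""
    out, x = [], v
    for _ in range(length):
        out.append(x)
        x = f(x)
    return out

def check(f, x0, k=1):
    """Cross-check nivasch_cycle: the returned value sits at the returned
    index, lies on a cycle of the returned length and (for k == 1) is the
    minimum of that cycle."""
    L, i, v = nivasch_cycle(f, x0, k)
    ok = iterate(f, x0, i) == v and iterate(f, v, L) == v
    return ok and (k > 1 or min(cycle_elements(f, v, L)) == v)

def toy_walk(x):
    """Constructed stand-in for a rho walk: a quadratic map on Z_100003."""
    return (x * x + 1) % 100003
```

With several stacks the cycle is usually closed earlier, because only the minimum within one class has to recur rather than the global minimum of the cycle.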
Page 12

2. The Montgomery trick
• Inversion is the most expensive field operation
• Compute several inversions simultaneously
• The trick: use accumulating products:
• Substitute inversions with multiplications and inversion
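The accumulating-product trick written out, as an added example (not the project's field code): n inversions become one inversion plus 3(n − 1) multiplications, and a batch of chord slopes shows how it serves several simultaneous point additions. All inputs are constructed.

```python
def batch_inverse(xs, p):
    """Invert every element of xs modulo the prime p using one inversion.

    Forward pass: prefix products c_i = x_1 * ... * x_i.  Invert c_n once.
    Backward pass: x_i^{-1} = c_{i-1} * c_i^{-1} and c_{i-1}^{-1} = x_i * c_i^{-1}.
    Cost: 3(n-1) multiplications + 1 inversion instead of n inversions.
    """
    n = len(xs)
    if n == 0:
        return []
    if any(x % p == 0 for x in xs):
        # one zero makes c_n = 0 and would poison every result in the batch
        raise ZeroDivisionError("batch contains a zero; inversion undefined")
    prefix = [1] * (n + 1)
    for i, x in enumerate(xs):
        prefix[i + 1] = prefix[i] * x % p
    inv_acc = pow(prefix[n], -1, p)  # the only field inversion
    out = [0] * n
    for i in range(n - 1, -1, -1):
        out[i] = prefix[i] * inv_acc % p   # c_{i-1} * c_i^{-1} = x_i^{-1}
        inv_acc = inv_acc * xs[i] % p      # c_i^{-1} * x_i = c_{i-1}^{-1}
    return out

def batch_chord_slopes(pairs, p):
    """Slopes m = (y2 - y1)/(x2 - x1) for many simultaneous point additions
    (one per parallel walk), paying a single inversion for the whole batch.
    A pair with x1 == x2 (doubling or P + (-P)) raises and must be handled
    separately before batching."""
    invs = batch_inverse([(x2 - x1) % p for (x1, _), (x2, _) in pairs], p)
    return [(y2 - y1) * inv % p for ((_, y1), (_, y2)), inv in zip(pairs, invs)]
```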
Page 13

Local parallelization
• Montgomery’s trick requires several parallel instances (all running locally)
• Naïve parallelization only results in a speedup
• The distinguished point method yields a speedup factor of
• The result: we can use Montgomery’s trick without losing efficiency!
Page 14

Distinguished points
• Pollard’s Rho chains may intersect
• Use same function in all instances
• Keep a hash table of points
• Only insert “distinguished” points
• Common method: least bits of the coordinate are all 0
• Gives the same speedup factor, but saves a factor of in memory
Page 15

3. Negation map
• Method for improving the attack by a factor of
• The idea: given a point , it’s very easy to calculate
  o In prime curves:
• The idea: “group” each point and its negative as a single element
  o E.g., use the one with an even coordinate
Page 16

Fruitless cycles
• Problem with negation map in additive walks
• If and , then
• “Fruitless” because linear combination is the same
• Happens with every step ( = partition factor)
• Longer even-length cycles are also possible
  o Probability is exponential in cycle length
Page 17

Resolving fruitless cycles
• The simplest idea actually works: just check!
• Check for 2-cycles every steps
  o When calculating for
  o Check if
  o If so, define
  o Still easy to calculate the linear combination
• Do the same for larger even lengths
  o Analysis shows that optimal
  o Only need to check up to
Page 18

Implementation and results
EC arithmetic library; Collision library; Challenges and results
Page 19

Curve arithmetic library
• Generic EC arithmetic library in C++
• Support for various different curves and algorithms
  o Extensible syntax that allows adding even more curves and algorithms
• Fast field arithmetic using GMP and NTL
  o Incl. complex operations, e.g., Chinese remainders, modular square roots
Page 20

Collision library
• Generic (templated) C++ library for finding collisions
• Only need to supply the function
• Currently implemented:
  o Floyd’s algorithm
  o Nivasch’s stack algorithm
  o Distinguished point method for parallelization
Page 21

Challenges
• 4 ECDLP challenges of increasing difficulty
  o 30, 40, 50 and 64 bits
• 1 extra challenge with non-prime order for testing Pohlig-Hellman reduction
Page 22

Results!
• 64-bit challenge solved in ~16 hours, ~ iterations
• Results from previous group: 60 bits in 5-6 days
• Best result to date: 112 bits in 3.5 months
  o Used a cluster of 218 PlayStation 3 consoles
  o Single-Instruction, Multiple-Data architecture
  o Heavy optimizations on all levels
Page 23

Results!
[Chart: Average time. Runtime (seconds) on a log scale from 1 to 100000, against challenge bits 30, 40, 50, 64]
[Chart: Average function calls. log2(#calls) from 0 to 35, against challenge bits 30, 40, 50, 64]
Page 24

Optimization tests
• Check every improvement against vanilla version
• Nivasch: 2.16 times fewer iterations, 1.4 speedup
• Montgomery: 1.43 speedup factor for 40 bits, 1.33 factor for 30 bits
• Negation map: 1.1 times fewer iterations, no speedup
  o (Actually about 1.07 times slower)
Page 25

Improvement ideas
• Distributed attack
• Low-level optimizations
  o Integer arithmetic
  o Field arithmetic (probably harder since NTL is very good at that)
  o In-place operations instead of constructors and copying
• Use SIMD architecture (e.g., GPUs)
Page 26

The End