1 / 26

Elliptic Curve Cryptography

Elliptic Curve Cryptography. Ofer Schwarz , Winter 2012-2013 Advisor: Barukh Ziv. The EC Discrete Logarithm problem and Pollard’s Rho attack. Background. ECDLP; The ECDLP attack; Project goals. Elliptic Curves. Elliptic curves may be defined over any field Solutions to the equation

halle
Télécharger la présentation

Elliptic Curve Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Elliptic Curve Cryptography Ofer Schwarz, Winter 2012-2013 Advisor: BarukhZiv The EC Discrete Logarithm problem and Pollard’s Rho attack

  2. Background ECDLP; The ECDLP attack; Project goals

  3. Elliptic Curves • Elliptic curves may be defined over any field • Solutions to the equation • Obtain a simpler equation through variable change • Over • Over • Define an additive group structure using geometry • “Point an infinity” serves as the unit element Calculating over :

  4. ECDLP • Elliptic Curve Discrete Logarithm Problem • Computational hardness of DLP is the basis for many cryptographic systems (e.g., DSA, ElGamal) • Given a finite field , • An elliptic curve over , • A point of order [], • And another point • The problem: find

  5. ECDLP using collisions • The idea: find such that • Then we have • Simple method to find a collision: birthday paradox • Very heavy memory requirements • Pollard’s Rho attack: same time, negligible memory • The means: random functions

  6. Pollard’s Rho • Every function over a finite spaceis composed of finite chains • Each chain has a cycle, and a collision: such that • In a random function: • Expected tail length • Expected cycle length • Use any cycle-detection method • E.g., Floyd’s algorithm: EC operations • Use a specific family of functions for which given it is easy to find s.t.

  7. Additive walks • Partition the curve into disjoint subsets • E.g., according to the least bits of coordinate • Choose random integers for • For , define • For starting element, choose random

  8. Pohlig-Hellman reduction • Assume • Reduces ECDLP of order to instances of order for • Uses Chinese remainder theorem and group structure • Significance: ECDLP of order is only as hard as the largest prime factor of • Usually the parameters are chosen so is prime

  9. Project goals • Implement a generic EC arithmetic library • Implement the ECDLP attack • Research and implement various improvements and optimizations for the attack • Ultimate goal: solve 64-bit ECDLP (i.e., )

  10. Improvements and optimizations Nivasch’s algorithm; Montgomery trick and distinguished point method; Negation map

  11. 1. Nivasch’s algorithm • Cycle detection using stacks • The idea: find the smallest value in the cycle • Keep a stack of values encountered so far • For each new value, remove all values larger than it • Stack is ordered by , increasing in both • Improvement: use stacks, with partitioning • Look for smallest value on cycle in each subset separately • Expected runtime: • Expected memory:

  12. 2. The Montgomery trick • Inversion is the most expensive field operation • Compute several inversions simultaneously • The trick: use accumulating products: • Substitute inversions with multiplications and inversion

  13. Local parallelization • Montgomery’s trick requires several parallel instances (all running locally) • Naïve parallelization only results in a speedup • The distinguished point method yields a speedup factor of • The result: we can use Montgomery’s trick without losing efficiency!

  14. Distinguished points • Pollard’s Rho chains may intersect • Use same function in all instances • Keep a hash table of points • Only insert “distinguished” points • Common method: least bits of the coordinate are all 0 • Gives the same speedup factor, but saves a factor of in memory

  15. 3. Negation map • Method for improving the attack by a factor of • The idea: given a point , it’s very easy to calculate • In prime curves: • The idea: “group” each point and its negative as a single element • E.g., use the one with an even coordinate

  16. Fruitless cycles • Problem with negation map in additive walks • If and , then • “Fruitless” because linear combination is the same • Happens with every step ( = partition factor) • Longer even-length cycles are also possible • Probability is exponential in cycle length

  17. Resolving fruitless cycles • The simplest idea actually works: just check! • Check for 2-cycles every steps • When calculating for • Check if • If so, define • Still easy to calculate the linear combination • Do the same for larger even lengths • Analysis shows that optimal • Only need to check up to

  18. Implementation and results EC arithmetic library; Collision library; Challenges and results

  19. Curve arithmetic library • Generic EC arithmetic library in C++ • Support for various different curves and algorithms • Extensible syntax that allows adding even more curves and algorithms • Fast field arithmetic using GMP and NTL • Incl. complex operations, e.g., Chinese remainders, modular square roots

  20. Collision library • Generic (templated) C++ library for finding collisions • Only need to supply the function • Currently implemented: • Floyd’s algorithm • Nivasch’s stack algorithm • Distinguished point method for parallelization

  21. Challenges • 4 ECDLP challenges of increasing difficulty • 30, 40, 50 and 64 bits • 1 Extra challenge with non-prime order for testing Pohlig-Hellman reduction

  22. Results! • 64-bit challenge solved in ~16 hours, ~ iterations • Results from previous group: 60 bits in 5-6 days • Best result to date: 112 bits in 3.5 months • Used a cluster of 218 PlayStation 3 consoles • Single-Instruction, Multiple-Data architecture • Heavy optimizations on all levels

  23. Results!

  24. Optimization tests • Check every improvement against vanilla version • Nivasch: 2.16 times less iterations, 1.4 speedup • Montgomery: 1.43 speedup factor for 40 bits, 1.33 factor for 30 bits • Negation map: 1.1 times less iterations, no speedup • (Actually about 1.07 times slower)

  25. Improvement ideas • Distributed attack • Low-level optimizations • Integer arithmetic • Field arithmetic (probably harder since NTL is very good at that) • In-place operations instead of constructors and copying • Use SIMD architecture (e.g., GPUs)

  26. The End

More Related