elliptic curve cryptography the ec discrete logarithm problem and pollard’s rho attack ofer...

Elliptic Curve Cryptography

The EC Discrete Logarithm problem and Pollard’s Rho attack

Ofer Schwarz, Winter 2012-2013Advisor: Barukh Ziv

BackgroundECDLP; The ECDLP attack; Project goals

Elliptic Curves• Elliptic curves may be defined over any field• Solutions to the equation

• Obtain a simpler equation through variable changeo Over o Over

• Define an additive group structure using geometryo “Point an infinity” serves as the unit element

𝑚=𝑦2− 𝑦1𝑥2− 𝑥1

𝑥3=𝑚2− (𝑥1+𝑥2 ) 𝑦 3=𝑚 (𝑥1−𝑥3 )− 𝑦1

Calculating over :

ECDLP• Elliptic Curve Discrete Logarithm Problem• Computational hardness of DLP is the basis for

many cryptographic systems (e.g., DSA, ElGamal)• Given a finite field ,• An elliptic curve over ,• A point of order [],• And another point • The problem: find

ECDLP using collisions

• The idea: find such that

• Then we have • Simple method to find a collision: birthday

paradoxo Very heavy memory requirements

• Pollard’s Rho attack: same time, negligible memory

• The means: random functions

Pollard’s Rho• Every function over a finite space

is composed of finite chains• Each chain has a cycle, and a collision:

such that

• In a random function:o Expected tail length o Expected cycle length

• Use any cycle-detection methodo E.g., Floyd’s algorithm: EC operations

• Use a specific family of functions for which given it is easy to find s.t.

Additive walks• Partition the curve into disjoint subsets

o E.g., according to the least bits of coordinate

• Choose random integers for • For , define • For starting element, choose random

Pohlig-Hellman reduction

• Assume • Reduces ECDLP of order to instances of order

for • Uses Chinese remainder theorem and group

structure• Significance: ECDLP of order is only as hard as

the largest prime factor of • Usually the parameters are chosen so is prime

Project goals• Implement a generic EC arithmetic library• Implement the ECDLP attack• Research and implement various improvements

and optimizations for the attack• Ultimate goal: solve 64-bit ECDLP (i.e., )

Improvements and optimizations

Nivasch’s algorithm; Montgomery trick and distinguished point method; Negation map

1 .Nivasch’s algorithm• Cycle detection using stacks• The idea: find the smallest value in the cycle

o Keep a stack of values encountered so faro For each new value, remove all values larger than ito Stack is ordered by , increasing in both

• Improvement: use stacks, with partitioningo Look for smallest value on cycle in each subset separately

• Expected runtime: • Expected memory:

2 .The Montgomery trick

• Inversion is the most expensive field operation• Compute several inversions simultaneously• The trick: use accumulating products:

• Substitute inversions with multiplications and inversion

Local parallelization• Montgomery’s trick requires several parallel

instances (all running locally)• Naïve parallelization only results in a speedup• The distinguished point method yields a speedup

factor of • The result: we can use Montgomery’s trick

without losing efficiency!

Distinguished points• Pollard’s Rho chains may

intersect• Use same function in all

instances• Keep a hash table of points• Only insert “distinguished”

points• Common method: least bits of

the coordinate are all 0• Gives the same speedup factor,

but saves a factor of in memory

3 .Negation map• Method for improving the attack by a factor of • The idea: given a point , it’s very easy to

calculate o In prime curves:

• The idea: “group” each point and its negative as a single elemento E.g., use the one with an even coordinate

Fruitless cycles• Problem with negation map in additive walks• If and , then

• “Fruitless” because linear combination is the same

• Happens with every step ( = partition factor)

• Longer even-length cycles are also possibleo Probability is exponential in cycle length

Resolving fruitless cycles

• The simplest idea actually works: just check!• Check for 2-cycles every steps

o When calculating for o Check if o If so, define o Still easy to calculate the linear combination

• Do the same for larger even lengthso Analysis shows that optimal o Only need to check up to

Implementation and results

EC arithmetic library; Collision library; Challenges and results

Curve arithmetic library

• Generic EC arithmetic library in C++• Support for various different curves and

algorithmso Extensible syntax that allows adding even more curves and algorithms

• Fast field arithmetic using GMP and NTLo Incl. complex operations, e.g., Chinese remainders, modular square

roots

Collision library• Generic (templated) C++ library for finding

collisions• Only need to supply the function• Currently implemented:

o Floyd’s algorithmo Nivasch’s stack algorithmo Distinguished point method for parallelization

Challenges• 4 ECDLP challenges of increasing difficulty

o 30, 40, 50 and 64 bits

• 1 Extra challenge with non-prime order for testing Pohlig-Hellman reduction

Results!• 64-bit challenge solved in ~16 hours, ~

iterations• Results from previous group: 60 bits in 5-6 days• Best result to date: 112 bits in 3.5 months

o Used a cluster of 218 PlayStation 3 consoleso Single-Instruction, Multiple-Data architectureo Heavy optimizations on all levels

Results!

30 40 50 641

10

100

1000

10000

100000

Average time

Challenge bits

Ru

nti

me (

secon

ds)

30 40 50 640

5

10

15

20

25

30

35

Average function calls

Challenge bits

log

2(#

call

s)

Optimization tests• Check every improvement against vanilla version• Nivasch: 2.16 times less iterations, 1.4 speedup• Montgomery: 1.43 speedup factor for 40 bits,

1.33 factor for 30 bits• Negation map: 1.1 times less iterations, no

speedupo (Actually about 1.07 times slower)

Improvement ideas• Distributed attack• Low-level optimizations

o Integer arithmetico Field arithmetic (probably harder since NTL is very good at that)o In-place operations instead of constructors and copying

• Use SIMD architecture (e.g., GPUs)

The End