Comparison Between Cell and Regular Processors

A single PS3 processes 24 stage one ECM trials for 2¹¹⁹³ −1 in 19.2 hours. To put this number into perspective, we did the same computation using GMP-ECM 6.3 powered by GMP 5.0.1 [82] (both the latest versions at the time of writing) using all cores on a variety of processors, with optimal multiplication parameters obtained using the tune-up script, and taking advantage of the special Mersenne-arithmetic available in GMP-ECM. Table 6.4 lists the results. On a per-core basis, and accounting for the ratio in clock-speeds, our special 4-way SPE Mersenne arithmetic turns out to about ⁴₃ times more effective than the regular Mersenne arithmetic from GMP-ECM 6.3 when run on Intel processors, despite the fact that

Table 6.4: Time to complete 24 stage one ECM trials for 2¹¹⁹³−1 with B1= 3 · 10⁹.

processor GHz cores hours

Mersenne generic

Intel Core i7 920 2.67 4 46.28 83.52

Intel Core2 Quad Q9550 2.83 4 47.26 85.93

AMD Opteron 1381 2.50 4 33.78 58.46

AMD Opteron 6168 1.90 12 15.32 25.44

PlayStation 3 3.19 6 19.20

the SPE does not have 64-bit or 32-bit integer multiplications. The lack of such multipliers is clearly to the SPE’s disadvantage when comparing it to the AMD processor with its much faster (than Intel) integer multiplication. The more recent generations of processors, like the 12-core AMD Opteron, are catching up with the performance of the PS3.

6.3 Conclusion

For integers M in the range from 1000 to 1200 we presented our Cell processor implementation of multiplication of M-bit integers, processing 24 such multiplications in parallel on a single PlayStation 3 game console, and used it to obtain efficient multiplication modulo 2^M −1.

The ideas underlying our implementation apply to many arithmetic contexts of cryptologic relevance. We focused on application to elliptic curve factoring, which led to the three largest ECM factors found so far¹.

1In January 2012 S. Wagstaff found a 72-decimal digit factor of 3⁷¹³− 1 using ECM, moving our 70-decimal digit factor of 2¹²³⁷− 1 to the fourth place.

Chapter 7

ECM at Work

Today, more than 25 years after its invention by Hendrik Lenstra Jr., the elliptic curve method [136] (ECM) remains the asymptotically fastest integer factorization method for finding relatively small prime factors of large integers. Although it is not the fastest general purpose integer factorization method, when factoring a composite integer n = pq with p ≈ q ≈ √

n the number field sieve [133, 163] (NFS) is asymptotically faster, it has recently received a renewed research interest due to the discovery of an interesting normal form for elliptic curves introduced by Edwards [74].

In this chapter we optimize ECM by exploiting the fact that the same scalar is often used when computing the elliptic curve scalar multiplication (ECSM) in practice. This allows one to prepare particularly good addition chains for these fixed scalars. Our approach is inspired by the ideas used in the ECM implementation by Dixon and Lenstra [71] from 1992. In [71]

the total cost to compute the ECSM, in terms of point duplications and point additions, is lowered by testing if the ECSM of small product of primes is cheaper (requires less point additions) than processing the primes one at a time (or all at once using a single large batch).

Inspired by this technique we generalize this idea; many billions of integers, which are constructed such that they can be computed using addition chains with a high duplica-tion/addition ratio, are tested for smoothness and factored. Combining some of these integers using a greedy approach results in more efficient ECSM algorithms when the scalar is fixed (in terms of memory consumption and run-time performance).

Arithmetic using Edwards curves is faster than using Montgomery curves [146] (see Sec-tion 2.4), the approach used in most ECM implementaSec-tions. In order to obtain this efficient arithmetic, when using Edwards curves, addition chains using large windowing methods are used (cf. [22] for a summary of these techniques). The memory (storage) requirement grows roughly linearly with the input parameters of ECM while it is an independent low constant value (14 residues modulo n) when using Montgomery curves.

We study two variants of our approach. A version which can compute the ECSM without requiring any additional memory, besides the in- and output point, and a more efficient ver-sion which requires a small amount of memory. These two verver-sions are applied in two settings

101

Table 7.1: A summary of the cost of elliptic curve addition and duplication when using Montgomery or Edwards curves with different coordinate systems. The cost is expressed in modular multiplications (M), squarings (S) and multiplication by a curve constant (d). The notation z1 = 1 indicates that the z-coordinate of one of the input points is equal to one (an affine point).

Projective coordinate system Addition Duplication

Montgomery 4M + 2S 2M + 2S + 1d

Twisted Edwards 10M + 1S + 2d 3M + 4S + 1d

a= −1 10M + 1S + 1d 3M + 4S

a= −1, z1 = 1 9M + 1S + 1d 3M + 3S Extended Twisted Edwards 9M + 1d 4M + 4S + 4d

a= −1 8M 4M + 4S

a= −1, z1 = 1 7M 4M + 3S

of ECM: for large input parameters (when using ECM to find factors of large integers) and for small input parameters (which is of cryptanalytic interest). This makes our approach particu-larly interesting for environments where the memory (per thread) is constrained; e.g. graphics processing units.

7.1 ECM in Practice

Traditionally, ECM is implemented using Montgomery coordinates (see Section 2.4.1) and uses the various techniques described in [207]. The most-widely used ECM implementation is GMP-ECM [209] and this implementation, or modifications to it, is responsible for setting all recent ECM record factorizations. After the invention of Edwards curves (see Section 2.4) Bernstein, Birkner, Lange, and Peters explored the possibility to use these curves in the ECM setting [15]. A follow-up paper [14] discusses the usage of the “a = −1” twisted Edwards curves. The main reason to use Edwards curves is performance. The cost to implement elliptic curve addition and duplication when using projective Montgomery or (extended) twisted Edwards is summarized in Table 7.1. There are two implementations of ECM using Edwards curves available called GMP-EECM and EECM-MPFQ (see the web-page [16]).

Both are designed to run on relatively small integers used in a cofactorization phase of the number field sieve (see Section 2.4.1).

Since different approaches are used to compute the elliptic curve scalar multiplication when using either Montgomery or Edwards curves the numbers in Table 7.1 do not show the total cost to compute the ECSM. Table 7.2 compares the required total number of modular multiplications and squarings required in GMP-ECM and EECM-MPFQ for different typi-cal B1 values used in ECM. These numbers show that using Edwards curves result in fewer multiplications and squarings. However, the required storage for GMP-ECM (Montgomery curves) is independent of B1 while it grows almost linearly with the size of B1 and is signif-icantly higher, due to the use of width-w windowing methods, for EECM-MPFQ (Edwards curves, see [15, Table 4.1]).

103

Table 7.2: Performance comparison between GMP-ECM and EECM-MPFQ in terms of multiplica-tions (M) and squarings (S) in the finite field. The number of residues modulo n (R) which needs to be kept in memory is shown for GMP-ECM and EECM-MPFQ in the a = −1 setting.

B1 GMP-ECM [209]

#S #M #S+#M #R

256 1 066 2 025 3 091 14

512 2 200 4 210 6 410 14

1024 4 422 8 494 12 916 14

12 288 53 356 103 662 157 018 14 49 152 214 130 417 372 631 502 14 262 144 1 147 928 2 242 384 3 390 312 14 1 048 576 4 607 170 9 010 980 13 618 150 14

B1 EECM-MPFQ [15]

(a = 1) (a = −1)

#S #M #S+#M #M #S+#M #R

256 1 436 1 707 3 143 1 638 3 074 38

512 2 952 3 303 6 255 3 183 6 135 62

1 024 5 892 6 363 12 255 6 144 12 036 134

12 288 70 780 69 870 140 650 68 006 138 786 1 046 49 152 283 272 269 991 553 263 263 599 546 871 2 122 262 144 1 512 100 1 395 435 2 907 535 1 366 396 2 878 496 9 286 1 048 576 6 050 208 5 462 496 11 512 704 5 359 737 11 409 945 32 786