Follow-Up Work - On the Cryptanalysis of Public-Key Cryptography

After the publication of our work in [38] a follow-up work appeared by Bernstein, Lange, and Schwabe [24]. Here some techniques are presented, in the setting of the 112-bit ECDLP (see Chapter 5), to eliminate the branches required to compute the negation map in SIMD-environments. This removes one of the main obstacles to use the negation map in such parallel environments. Although no direct comparison between a regular (non-negation map) and a negation map implementation are being made, the authors claim to achieve a speedup

“very close to √

2” on the Cell broadband engine. In [24] it is estimated that “under 4%

of the cycles per iteration are spent on operations that can be blamed on negation”. Note that a speedup of√

2 − 0.04 ≈ 1.37 is in correspondence with the theoretical speedup figures as presented in Table 4.3 taking into account that [24] used an 2048-adding walk on the cache-less SPE of the Cell.

Chapter 5 Solving ECDLPs on the Cell

In this chapter an implementation of Pollard’s rho method to solve prime field ECDLPs on the Cell processor, the processor that is the heart of the Sony PlayStation 3 (PS3) game console is described. The underlying modular arithmetic is targeted at single instruction multiple data (SIMD) platforms and is mostly branch-free. It can take advantage of prime moduli of a special form using efficient “sloppy reduction.” We used the implementation to set a new prime field ECDLP record for a 112-bit prime of the proper special form. The calculation was performed on EPFL’s cluster of about 215 PS3s.

The previous prime field ECDLP record, reported in 2002, involved a 109-bit prime [55].

The following may explain the apparent lack of interest to set new ECDLP records. The expected cost to solve a particular ECDLP on any combination of platforms can be extrap-olated from a relatively short calculation, given implementations of Pollard’s rho method.

Cryptographically relevant ECDLPs turn out to be firmly out of reach, despite occasional improvements of Pollard’s rho method. Given easy estimation of overall cost and infeasi-bility of cryptographically relevant problems, not much is gained by solving an ECDLP, in particular of a cryptographically irrelevant size. This is unlike integer factorization where the only convincing way to show the feasibility and estimate the cost of a record-breaking calculation is completing it (cf. the orders of magnitude difference between the actual cost reported in [120] and the estimate in [175]).

We present a parallelized implementation of Pollard’s rho method on a cluster of PS3 game consoles, devices that are relatively inexpensive given their processing power. The parallelization exists on five distinct levels: each PS3 runs independently of all others, on each PS3’s Cell processor six cores work independently of each other, and each of these cores simultaneously runs 50 times two interleaved 4-fold SIMD processes. The top two levels are merely ‘embarrassingly parallel’, the first at the physical PS3 level, the other provided by the Cell processor’s multi-core design. The 50 simultaneous copies serve to amortize a high cost modular inversion, interleaving is done to improve throughput, and 4-way SIMD exploits the core’s arithmetic instruction set.

The first projects on EPFL’s PS3 cluster concerned cryptographic hash collisions [192]. To 65

ascertain the cluster’s reliability and stability for projects requiring long integer arithmetic, a rough version of Pollard’s rho method for prime field ECDLP was run for a few weeks.

Because it turned out to work satisfactorily and because no other project was ready to be deployed, it was left running. As this soon led to the completion of a non-negligible fraction of the total expected work for the ECDLP at hand, it was decided to further optimize the code and, some misgivings notwithstanding, to attempt to solve it. Although our choice of improvements that could be carried through was limited by the early design decisions (as we did not want to start afresh), the overall expected runtime was reduced by more than 60%

in the course of the calculation. It may be further reduced by adopting a variety of changes in the initial design [24].

Apart from the prime field ECDLP record we present an efficient 4-way SIMD binary modular inversion and a fast branch-free sloppy reduction and normalization modulo primes of the form ²^32`_c^±m, for relatively small `, m, c ∈ Z>0. These methods are designed for cryptanalytic applications in a SIMD environment. The sloppy reduction may not be suitable for cryptographic applications, because it can produce an incorrect result. When solving ECDLPs, however, it suffices if calculations are most of the time correct: as expected based on our heuristics, sloppy reduction never produced an incorrect result. Many of these methods can be used on SIMD platforms other than the Cell processor, such as graphics cards.

In the second part of this chapter we describe an approach to solve the Certicom chal-lenge ECC2K-130 chalchal-lenge. This chalchal-lenge states an ECDLP using a Koblitz curve [125], an elliptic curve defined over a particular type of binary extension field. This work is part of a larger project which aims to solve this challenge using a variety of platforms [7]. Many op-timization techniques used to achieve the fast arithmetic do not require independent parallel computations (batching) and are therefore not only relevant in the context of cryptanalytical applications but can also be used to accelerate cryptographic schemes in practice.

Section 5.1 contains material from [35,36] while Section 5.4 is based on parts of [40].

5.1 A 112-bit Prime Field ECDLP

The first part of this chapter concentrates on curve “secp112r1” from [173] (also defined in the Wireless Transport Layer Security Specification [80] as curve number 6 ). Let R = 2¹²⁸ and ˜p = R − 3, then p = _11·6949^p^˜ is prime. The elliptic curve Ea,b over Fp defined by a = p − 3 and

b= 2061118396808653202902996166388514

has a group Ea,b(Fp) of prime order q = p + 1 + 4407293269000505 and is generated by g= (188281465057972534892223778713752, 3419875491033170827167861896082688).

This curve and generator were created “verifiably at random” [173], implying that solving ECDLP in hgi = Ea,b(Fp) should not be unexpectedly easy due to a built-in trapdoor.

Because no corresponding challenge ECDLP was included in [173], we defined one ourselves in a “verifiably not pre-cooked” manner by taking h = (x, y) ∈ hgi for an unforgeable value

of x. With x = b(π − 3)10³⁴c, this leads to the 112-bit prime ECDLP where h= ( 1415926535897932384626433832795028,

3846759606494706724286139623885544) ∈ Ea,b(Fp), is given and an m with mg = h must be found.

In document On the Cryptanalysis of Public-Key Cryptography (Page 84-87)