The Pollard Rho Method - On the Cryptanalysis of Public-Key Cryptography





G ∈ E_a,b(Fp) n=

k−1

i=0

ni2ⁱ, n ∈ Z>0, 2^k−1 ≤ n <2^k Output: P = nG ∈ Ea,b(Fp)

1. P ← G, Q ← G

2. for i= k − 2 down to 0 do 3. if n_i = 1 then

4. (P, Q) ← (P + Q, 2Q) 5. else

6. (P, Q) ← (2P, P + Q)

The Montgomery Ladder

A different approach to calculate the elliptic curve scalar multiplication is the Montgomery ladder. This technique was introduced by Montgomery in [146] in the setting of ECM. We give here the higher level description from [113]. Let L0 = s =^P^t−1_i=0k_i2ⁱ, define Lj =^P^t−1_i=j k_i2^i−j and Hj = Lj+ 1. Then,

Lj = 2Lj+1+ kj = Lj+1+ Hj+1+ kj−1 = 2Hj+1+ kj −2.

One can update these two values using (Lj, Hj) =

( (2Lj+1, L_j+1+ Hj+1) if kj = 0, (Lj+1+ Hj+1,2Hj+1) if kj = 1.

A high-level overview of this approach is given in Algorithm 4. This approach is slower compared to, for instance, the double-and-add technique (Algorithm 3) since a duplication and addition are always performed per bit. This disadvantage is actually used as a feature in environments which are exposed to side-channel attacks and where the algorithms needs to process the exact same steps independent of the input parameters. It is not difficult to alter Algorithm 4 such that it becomes branch-free (using the bit ni to select which point to double). In ECM the elliptic curve scalar multiplication is calculated using the Montgomery form (see equation (2.2)) which avoids computing on the y-coordinate. This is achieved as follows: given the and z-coordinate of the points P , Q and P − Q one can compute the x-and z-coordinates of P + Q (x-and similarly 2P or 2Q). Avoiding computations on one of the coordinates results in a speedup in practice (see [146] for all the details).

2.5 The Pollard Rho Method

The Pollard rho algorithm was proposed in 1975 as an integer factorization method to find relative small factors of a given composite input integer [165]. Three years later, Pollard

p_λ+1

p_λ+µ+1 p_λ+2 p_λ+µ+2

p_λ+3 p_λ+µ+3

p_λ+µ−2 p_λ+µ−1

p₀ p₁ p₂ p_λ−1

p_λ p_λ+µ

Figure 2.3: Representation of the ρ shape of the single-instance Pollard rho method. The points pi, p⁰_j represent points from two different walks.

adopted this method to solve the discrete logarithm problem (DLP) in generic groups [166].

Let G be a cyclic group of prime order n and let g ∈ G be a generator. The DLP is, given g and h ∈ hgi, to find y = log_gh (see Definition 1.2). We restrict ourselves in this description to the case where n is prime: a typical setting in cryptography. If n is composite one can reduce the computation of the discrete logarithm in an order n group to its prime order subgroups [161].

For arbitrary multipliers u, v ∈ Z, ug + vh ∈ hgi. A collision corresponds to random integer multipliers u, v, ¯u, ¯v such that ug + vh = ¯ug + ¯vh. Unless ¯v ≡ v mod n, the value m = ^u−¯_¯_v−v^u mod n solves the discrete logarithm problem after a collision has been found.

Given an iteration function f : hgi → hgi, the Pollard rho method calculates a sequence of points pi+1 = f(pi), i ≥ 0 in order to find a collision. This sequence of points represents a walk through the set of points hgi. Given pi = uig+ vih ∈ hgi and ui, vi ∈ [0, n − 1], f updates ui+1 and vi+1 and computes pi+1 as pi+1 = ui+1g+ vi+1h. The sequence is started from a random and known point p0 ∈ hgi by selecting random values for u0 and v0. This sequence of points eventually collides (as operations are performed over a finite cyclic group).

Let us denote λ and µ ≥ 1 as the smallest integers such that pλ = pλ+µ holds. The value λ is called the tail and µ the cycle length, graphically the walk through the set of points forms a ρ shape: see Figure 2.3. Assuming the iteration function is a random mapping of size n, i.e. f is equally probable among all functions F : hgi → hgi, it can be shown [78, 100] that the asymptotic expected values of λ and µ are λ = µ = ^q^πn₈ when n → ∞. Another way

of arriving at this average value is by regarding this walk as picking random objects (group elements) with replacement. Due to a result known as the birthday paradox this leads to the expected number of steps (or iterations) of ^q^πn₂ [122, Exercise 3.1.12].

Finding a duplicate can be done by Floyd’s cycle finding method [122, Exercise 3.1.6]

requiring only a constant number of group elements: compute (pk, p_2k) for k = 1, 2, . . . (where pk denotes the k^th point of the walk) until a collision occurs, i.e., pk = p2k. It can be seen (cf. [46]) that

( µ if µ ≡ 0 mod λ and µ > 0 µ+ λ − (µ mod λ) otherwise.

Since three calls to the iteration function f (one to compute pk and two for p2k) are required to compute the next group elements the total number of calls to f is upper bounded by 3(µ + λ).

An optimization of Floyd’s cycle finding method is proposed by Brent [46]. A paper by Sedgewick, Szymanski and Yao [179] provide an algorithm which in the worst-case setting is asymptotically optimal. A stack based approach is introduced by Nivasch [153]. Details about optimizations for Pollard’s rho algorithm, when implementing this method in practice and running multiple instances in parallel, are outlined in Chapter 4.

An alternative method to solve the DLP is Shanks’ baby step giant step method [182] [123, Exercise 5.25] which builds a hash table containing id√

negfor i = 0, 1, . . . , d√

neand searches it for h + jg for j = 0, 1, 2, . . . , until a match is found. This works in time and memory on the order of √

n. Pollard’s rho method achieves expected runtime O(√

n) and O(log n) memory or, if run in parallel, much less memory than Shanks’ method: O((log n)²) memory suffices [85, Exercise 16.23] when roughly√

nlog n out of n group elements are distinguished (see Chapter 4).

Chapter 3 High-Performance Arithmetic on Parallel Architectures

This chapter presents performance results for one of the key operations in ECC: modular mul-tiplication. The performance results are obtained when running on two parallel architectures:

the heterogeneous, multi-core, single instruction, multiple data (SIMD) Cell broadband en-gine (Cell) architecture and a number of different graphics processing unit (GPU) architecture families.

Our performance results set new speed records, in terms of throughput, for generic mod-uli, using interleaved Montgomery multiplication [145], and special modular multiplication for moduli ranging from 192 to 521 bits on the Cell. This range covers the current stan-dardized parameters for ECC cryptosystems as specified by National Institute of Standards (NIST) [199]. Besides these special NIST primes, the prime of special form used in curve25519 as proposed by Bernstein [12] is considered as well. These special primes are used to enhance the performance of ECC-based schemes in practice by exploiting the special form of the primes to construct a fast reduction step. Typically, the multiplication and special reduction are performed sequentially. For the separated multiplication step we consider schoolbook and Karatsuba multiplication [116] techniques. We use the straightforward methods to implement the fast reduction for the NIST recommended primes (see [188]). For the special prime in curve25519 we use a different approach in order to compare with the proposed fast reduction from [12].

The performance results on the Cell are obtained by using the features of SIMD archi-tectures. The implementations are specifically optimized for the Cell and take both the advantages (e.g., the rich instruction set and large register file) and disadvantages (e.g., the

“small” 16 × 16 → 32-bit multiplier) of this architecture into account. Furthermore, multiple streams of computations are interleaved to increase throughput. Multi-stream modular mul-tiplication computations are useful in both a cryptanalytic and cryptographic setting. For instance, one could use multi-stream modular multiplication routines, either the generic or special variant, to speedup batch decryption for ECC-based schemes. Additionally, this work

shows the practical benefit of using the special over generic prime moduli on the Cell.

For the GPU we study a different setting. In order to asses the possibility to use the GPU as a cryptographic accelerator we present algorithms to compute the elliptic curve scalar multiplication (ECSM) (see Section 2.4.2), the core building block in ECC, for parallel computer architectures. An orthogonal perspective, compared to the Cell, is used and we aim to decrease the latency while trying to keep the throughput loss under control. The different design goals of the arithmetic between the Cell and the GPU architecture is motivated by the fact that the GPU has orders of magnitude more cores to its disposal compared to the Cell. In order to have a acceptable response time (e.g. the latency) one can compute the ESCM with multiple cores. Previous reports implementing ECC schemes using ECSM on GPUs [4, 17, 18, 193] use multiple cores to calculate the arithmetic in the finite field. Our approach differs: the modular arithmetic in the finite field is computed with a single thread (on a single core) to aim for high-throughput while the latency reduction is achieved by doing the elliptic curve arithmetic in parallel.

The presented algorithms are based on methods originating in cryptographic side-channel analysis [126] and are designed for a parallel computer architecture with a 32-bit instruction set. This makes the third generation of NVIDIA GPUs, the GTX 400/500 series known as Fermi, an ideal target platform. Despite the fact that our algorithms are not particularly optimized for the older generation GPUs, we show that this approach outperforms, in terms of low-latency, the results reported in literature while it at the same time sustains a high throughput. For the Fermi architecture the ECSM can be computed in 1.9 milliseconds (on the GTX 580), using an elliptic curve over a 224-bit prime field, with the additional advantage that the implementation can be made to run in constant time; i.e. resistant against timing attacks.

This chapter merges the two papers [30,31] and parts of [35].

3.1 Fast Reduction using Special Primes

One way to speed up elliptic curve arithmetic is to enhance the performance of the finite field arithmetic by using a prime of a special form. The structure of such a prime is exploited by constructing a fast reduction method, applicable to this prime only. Typically, the multipli-cation and reduction are performed in two sequential phases. For the multiplimultipli-cation phase we consider the so-called schoolbook, or textbook, multiplication and the asymptotically faster Karatsuba multiplication techniques (see Chapter 2 for more details).

3.1.1 NIST Primes

In the FIPS 186-3 standard [199] NIST recommends the use of five prime fields when using the elliptic curve digital signature algorithm. These generalized Mersenne primes allow fast reduction based on the work by Solinas [188]. The five recommended primes are

Algorithm 5 Fast reduction modulo p224= 2²²⁴−2⁹⁶+ 1.

Input: Integer c = (c13, . . . , c1, c0), each ci is a 32-bit word, and 0 ≤ c < p²₂₂₄. Output: Integer d ≡ c mod p224.

Define 224-bit integers:

s₁←( c₆, c₅, c₄, c₃, c₂, c₁, c₀), s₂←( c10, c₉, c₈, c₇, 0, 0, 0), s3←( 0, c13, c12, c11, 0, 0, 0), s₄←( c13, c₁₂, c₁₁, c₁₀, c₉, c₈, c₇), s₅←( 0, 0, 0, 0, c13, c₁₂, c₁₁) return (d = s1+ s2+ s3− s₄− s₅);

p₁₉₂ = 2¹⁹²−2⁶⁴−1, p₂₂₄ = 2²²⁴−2⁹⁶+ 1,

p₂₅₆ = 2²⁵⁶−2²²⁴+ 2¹⁹²+ 2⁹⁶−1, p₃₈₄ = 2³⁸⁴−2¹²⁸−2⁹⁶+ 2³²−1, p521 = 2⁵²¹−1.

Let us take p224as an example since it is the prime considered in the GPU architecture setting in this chapter. The usage of the other primes in the setting of the Cell platform is similar.

The prime p224, together with the provided curve parameters from the FIPS 186-3, allows one to use 224-bit ECC which provides a 112-bit security level. This is the lowest strength for asymmetric cryptographic systems allowed by NIST’s “SP 800-57 (1)” [156] standard from the year 2011 on (cf. [34] for a discussion about the migration to these new standards).

Reduction modulo p224 can be done efficiently: for x ∈ Z with 0 ≤ x < (2²²⁴)² and x= xL+ 2²²⁴x_H for xL, x_H ∈ Z,0 ≤ xL, x_H <2²²⁴, define

R(x) = xL+ xH(2⁹⁶−1).

It follows that R(x) ≡ x mod p224 and R(x) ≤ 2³²⁰−2⁹⁶. Algorithm 5 shows the application of R(R(x)) for a machine word (limb) size of 32 bits, based on the work by Solinas [188]. Note that the resulting value R(R(x)) ≡ x mod p224 with −(2²²⁴+ 2⁹⁶) < R(R(x)) < 2²²⁵+ 2¹⁹². The NIST curves over prime fields all have prime order. In order to translate this curve into a suitable Edwards curve over the same prime field (see Chapter 2), in order to use the faster elliptic curve arithmetic, the curve needs to have a group element of order four [20]

(which is not the case with the prime order NIST curves). To comply with the NIST standard we choose not to use Edwards but Weierstrass curves.

An extensive study of a software implementation of the NIST-recommended elliptic curves over prime fields on the x86 architecture is given by Brown et al. [53].

3.1.2 Curve25519

The elliptic curve curve25519 is proposed by Bernstein in [12]. Besides offering high-speed arithmetic, a list of other advantages can be found in the original article [12]. This curve is

over Fp255 with p255 = 2²⁵⁵−19. An element x ∈ Fp255 can be represented as

i=0

x_i2^d25.5ie, with − 2²⁵≤ x_i ≤2²⁵.

Bernstein proposes to implement the arithmetic using floating point instructions and therefore representation inside a CPU is achieved by using floating-point registers. The original article gives performance data obtained on a Pentium M architecture. Note that the faster Edwards curves can be used in combination with p255 since the curve described in [12] has a point of order four.

In document On the Cryptanalysis of Public-Key Cryptography (Page 40-46)