solving discrete logarithms in smooth order groups with
play

Solving Discrete Logarithms in Smooth-Order Groups with CUDA Ryan - PowerPoint PPT Presentation

Apr 01, 2023 •28 likes •468 views

Solving Discrete Logarithms in Smooth-Order Groups with CUDA Ryan Henry Ian Goldberg Solving Discrete Logarithms in Smooth-Order Groups with CUDA Definition Let G be a cyclic group of order q and let g G be a generator. Given G , the

  1. Solving Discrete Logarithms in Smooth-Order Groups with CUDA Ryan Henry Ian Goldberg

  2. Solving Discrete Logarithms in Smooth-Order Groups with CUDA Definition Let G be a cyclic group of order q and let g ∈ G be a generator. Given α ∈ G , the discrete logarithm (DL) problem is to find x ∈ Z q such that g x = α . 01 / 21

  3. Solving Discrete Logarithms in Smooth-Order Groups with CUDA Definition Let G be a cyclic group of order q and let g ∈ G be a generator. Given α ∈ G , the discrete logarithm (DL) problem is to find x ∈ Z q such that g x = α . Why do we care? ◮ Computing DLs is apparently difficult for classical computers ◮ Inverse problem (modular exponentiation) is easy ◮ Many cryptographic protocols exploit this asymmetry 01 / 21

  4. Solving Discrete Logarithms in Smooth-Order Groups with CUDA Definition An integer n is called B -smooth if each of its prime factors is bounded above by B . A smooth-order group is just a group whose order is B -smooth for some “suitably small” value of B . 02 / 21

  5. Solving Discrete Logarithms in Smooth-Order Groups with CUDA Definition An integer n is called B -smooth if each of its prime factors is bounded above by B . A smooth-order group is just a group whose order is B -smooth for some “suitably small” value of B . Why do we care? ◮ If ϕ ( N ) is B -smooth, then Z ∗ N has smooth order ◮ Many DL-based cryptographic protocols work in Z ∗ N ◮ Pollard’s rho algorithm (plus Pohlig-Hellman) solves DLs in time proportional to smoothness of group order 02 / 21

  6. Solving Discrete Logarithms in Smooth-Order Groups with CUDA Definition The Compute Unified Device Architecture (CUDA) is Nvidia’s parallel computing architecture. It enables developers to use CUDA-enabled Nvidia GPUs for general purpose computing. 03 / 21

  7. Solving Discrete Logarithms in Smooth-Order Groups with CUDA Definition The Compute Unified Device Architecture (CUDA) is Nvidia’s parallel computing architecture. It enables developers to use CUDA-enabled Nvidia GPUs for general purpose computing. Why do we care? ◮ Nvidia GPUs are widely deployed, and offer better price-to-GFLOP ratio than CPUs ◮ Modern GPUs have many cores and support highly parallel computation ◮ Pollard’s rho algorithm is extremely parallelizable 03 / 21

  8. In this presentation, we... ◮ describe Pollard’s rho algorithm and its parallel variant 04 / 21

  9. In this presentation, we... ◮ describe Pollard’s rho algorithm and its parallel variant ◮ discuss CUDA and GP GPU computing on Nvidia GPUs 04 / 21

  10. In this presentation, we... ◮ describe Pollard’s rho algorithm and its parallel variant ◮ discuss CUDA and GP GPU computing on Nvidia GPUs ◮ present our implementation of modular multiplication and parallel rho in CUDA and analyze its performance 04 / 21

  11. In this presentation, we... ◮ describe Pollard’s rho algorithm and its parallel variant ◮ discuss CUDA and GP GPU computing on Nvidia GPUs ◮ present our implementation of modular multiplication and parallel rho in CUDA and analyze its performance ◮ point out a simple attack on Boudot’s zero-knowledge range proofs 04 / 21

  12. In this presentation, we... ◮ describe Pollard’s rho algorithm and its parallel variant ◮ discuss CUDA and GP GPU computing on Nvidia GPUs ◮ present our implementation of modular multiplication and parallel rho in CUDA and analyze its performance ◮ point out a simple attack on Boudot’s zero-knowledge range proofs ◮ construct and analyze trapdoor discrete logarithm groups 04 / 21

  13. Part I: Pollard’s rho

  14. Pollard’s rho algorithm (1/4) Problem Given g , h ∈ G , compute the discrete logarithm x ∈ Z n of h with respect to g . 05 / 21

  15. Pollard’s rho algorithm (1/4) Problem Given g , h ∈ G , compute the discrete logarithm x ∈ Z n of h with respect to g . Key observation: ◮ Consider elements g a h b ∈ G and search for collisions ◮ Since g a 1 h b 1 = g a 2 h b 2 = ⇒ g a 1 − a 2 = h b 2 − b 1 , we have ⇒ x ≡ ( a 1 − a 2 )( b 2 − b 1 ) − 1 mod n a 1 − a 2 ≡ x ( b 2 − b 1 ) mod n = � ◮ Birthday paradox: about π n / 2 selections should ⇒ expected runtime and storage in Θ( √ n ) suffice = 05 / 21

  16. Pollard’s rho algorithm (2/4) Problem Given g , h ∈ G , compute the discrete logarithm x ∈ Z n of h with respect to g . Pollard’s idea: ◮ Walk through G using iteration function f : G → G , f ( g a i h b i ) = g a i + 1 h b i + 1 ◮ Collisions = ⇒ cycles, which are cheap to detect ◮ If iteration function behaves “randomly enough”, then expected runtime is in Θ( √ n ) and storage is in Θ( 1 ) 06 / 21

  17. Pollard’s rho algorithm (3/4) gai + 1 hbi + 1 gai + 2 hbi + 2 gai + 3 hbi + 3 gai hbi gaj hbj gaj − 1 hbj − 1 gai − 1 hbi − 1 ga 2 hb 2 ga 1 hb 1 ga 0 hb 0 07 / 21

  18. Pollard’s rho algorithm (3/4) gai + 1 hbi + 1 gai + 2 hbi + 2 gai + 1 hbi + 1 gai + 1 hbi + 1 gai + 3 hbi + 3 gai + 2 hbi + 2 gai + 2 hbi + 2 gai hbi gaj hbj gaj − 1 hbj − 1 gai + 3 hbi + 3 gai + 3 hbi + 3 gai hbi gaj hbj gai hbi gaj hbj gaj − 1 hbj − 1 gaj − 1 hbj − 1 gai − 1 hbi − 1 gai − 1 hbi − 1 gai − 1 hbi − 1 ga 2 hb 2 ga 2 hb 2 ga 2 hb 2 ga 1 hb 1 ga 1 hb 1 ga 0 hb 0 ga 1 hb 1 ga 0 hb 0 ga 0 hb 0 07 / 21

  19. Pollard’s rho algorithm (4/4) Problem Given g , h ∈ G , compute the discrete logarithm x ∈ Z n of h with respect to g . van Oorschot’s and Wiener’s idea: ◮ Define a distinguished point (DP) as any point with some cheap-to-detect property (e.g., m trailing zeros) ◮ Run Ψ client threads in parallel, each reporting DPs to a central server that checks for collisions � √ n / Ψ ◮ Expected runtime is in Θ � 08 / 21

  20. Part II: GPUs and CUDA

  21. SMPs and CUDA cores Fermi architecture Instruction cache ◮ GPU has several streaming Warp scheduler Warp scheduler multiprocessors (SMP) ◮ Our Tesla M2050 cards each Dispatch unit Dispatch unit have 14 SMPs Register file (2 15 × 32-bit) ◮ SIMD architecture LD/ST Core Core Core Core LD/ST SFU LD/ST Core Core Core Core LD/ST LD/ST Core Core Core Core LD/ST SFU LD/ST Core Core Core Core LD/ST LD/ST Core Core Core Core LD/ST SFU LD/ST Core Core Core Core LD/ST LD/ST Core Core Core Core LD/ST SFU LD/ST Core Core Core Core LD/ST Interconnect network 64 KB memory / L1 cache Uniform cache 09 / 21

  22. SMPs and CUDA cores Fermi architecture Instruction cache ◮ GPU has several streaming Warp scheduler Warp scheduler multiprocessors (SMP) ◮ Our Tesla M2050 cards each Dispatch unit Dispatch unit have 14 SMPs Register file (2 15 × 32-bit) ◮ SIMD architecture LD/ST CUDA Core Core Core Core Core LD/ST SFU LD/ST Dispatch port Core Core Core Core LD/ST Operand collector LD/ST Core Core Core Core LD/ST SFU LD/ST Core Core Core Core LD/ST FPU unit INT unit LD/ST Core Core Core Core LD/ST SFU LD/ST Core Core Core Core LD/ST Result queue LD/ST Core Core Core Core LD/ST SFU LD/ST Core Core Core Core LD/ST Interconnect network 64 KB memory / L1 cache Uniform cache 09 / 21

  23. CUDA memory hierarchy Thread ◮ Developer manages memory explicitly ◮ 1 clock pulse for shared Shared memory L1 cache memory and L1 cache ◮ ≈ 300 clock pulses for L2 cache Local RAM ◮ Many more clock pulses for system RAM Local RAM 10 / 21

  24. Tesla M2050 Nvidia Tesla M2050 GPU cards: ◮ Based on Fermi architecture ◮ 14 SMPs × 32 cores / SMP = 448 cores (each running at 1.55 GHz) ◮ 2 15 × 32-bit registers / SMP ◮ Configurable: 64 KB shared memory / L1 cache price: 1,299.00 USD ◮ 3 GB GDDR5 of Local RAM Our experiments used a host PC with: ◮ Intel Xeon E5620 quad core (2.4 GHz) ◮ 2 × 4 GB of DDR3-1333 RAM ◮ 2 × Tesla M2050 GPU cards 11 / 21

  25. Part III: Implementation

  26. CUDA modular multiplication (1/2) ◮ Iteration function for Pollard rho:  g x if 0 ≤ x < q  3   x 2 if q 3 ≤ x < 2 q f ( x ) = 3  h x if 2 q  3 ≤ x < q  ◮ Need fast, multiprecision modular multiplication to solve DLs in Z ∗ N ◮ We used Koç et al’s CIOS algorithm for Montgomery multiplication ◮ Low auxiliary storage = ⇒ lots of threads ◮ We do one thread per multiplication 12 / 21

  27. CUDA modular multiplication (2/2) Table: k -bit modular multiplications per second and (amortized) time per k -bit modular multiplication on a single Tesla M2050. Bit length Time per trial Amortized time Modmults of modulus ± std dev per modmult per second 192 30.538 s ± 4 ms 1.19 ns ≈ 840,336,000 256 50.916 s ± 5 ms 1.98 ns ≈ 505,050,000 512 186.969 s ± 4 ms 7.30 ns ≈ 136,986,000 768 492.6 s ± 200 ms 19.24 ns ≈ 51,975,000 1024 2304.5 s ± 300 ms 90.02 ns ≈ 11,108,000 = Larger k each multiplication takes longer ⇒ ◮ = can compute fewer multiplications in parallel ⇒ 13 / 21

  28. CUDA Pollard rho (1/2) Goal Compute discrete logarithms modulo k N -bit RSA numbers N = pq with 2 k B -smooth totient. Our implementation: ◮ Optimized for k N = 1536 and k B ≈ 55 ◮ Assumes that the factorization of p − 1 and q − 1 is known ◮ Uses Pohlig-Hellman approach to decompose problem to k B -bit subproblems ◮ Distinguished points: at least 10 trailing zeros in binary (Montgomery) representation 14 / 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Complexity news: Also somewhat related: discrete logarithms in Im starting to analyze

Complexity news: Also somewhat related: discrete logarithms in Im starting to analyze

Complexity news: Also somewhat related: discrete logarithms in Im starting to analyze multiplicative groups of cost of NFS + CVP small-characteristic finite fields for class groups, unit groups, the algorithm of Barbulescu, short

912 views • 80 slides
Private key versus Public Key Reviews on PKC DH ElGamal Massey Omura Discrete Logarithms

Private key versus Public Key Reviews on PKC DH ElGamal Massey Omura Discrete Logarithms

Elliptic curves over F q Reviews on PKC DH ElGamal Massey Omura Discrete Logarithms DL Attacks BSGS PohlihHellmann DL records Square roots E LLIPTIC CURVES C RYPTOGRAPHY Reminder from Yesterday Points of finite order Important

664 views • 30 slides
Fixed points for discrete logarithms Carl Pomerance , Dartmouth College Suppose that G is a group

Fixed points for discrete logarithms Carl Pomerance , Dartmouth College Suppose that G is a group

ANTS IX, Nancy, France Fixed points for discrete logarithms Carl Pomerance , Dartmouth College Suppose that G is a group and g G has finite order m . Then for each t g the integers n with g n = t form a residue class mod m . Denote

585 views • 40 slides
Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la

Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la

Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la factorisation dentiers et le calcul de logarithme discret Cyril Bouvier CARAMEL project-team, LORIA Universit de Lorraine / CNRS / Inria

470 views • 42 slides
Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in

Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in

Index Calculus Method Small char Finite Fields 9234 bits Impact on Pairings Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in F 2 4 1223 and F 2 12 367 ) Jens Zumbr agel Institute of

367 views • 32 slides
I-Complexity and Discrete Towards Precise . . . Derivative of Logarithms: Our Result Proof A

I-Complexity and Discrete Towards Precise . . . Derivative of Logarithms: Our Result Proof A

Kolmogorov Complexity Need for Approximate . . . I-Complexity Good Properties of I- . . . I-Complexity and Discrete Towards Precise . . . Derivative of Logarithms: Our Result Proof A Group-Theoretic Acknowledgments References Explanation

481 views • 12 slides
Solving exponential and logarithmic equations We explore some results involving exponential

Solving exponential and logarithmic equations We explore some results involving exponential

Solving exponential and logarithmic equations We explore some results involving exponential equations and logarithms. Elementary Functions Part 3, Exponential Functions &amp; Logarithms In this presentation we concentrate on using logarithms to

1.2k views • 4 slides
Logarithms 2-1 Definition of Logarithms

Logarithms 2-1 Definition of Logarithms

Logarithms 2-1 Definition of Logarithms If x = b y then y = log b x where x and b are positive numbers and b 1 log b x is read as logarithm of x to the base of b . 2 - 2

318 views • 9 slides
DISCRETE LOGARITHMS Elliptic Curve Cryptography December 2019 Bochum, Germany IN

DISCRETE LOGARITHMS Elliptic Curve Cryptography December 2019 Bochum, Germany IN

ECC 2019: 23rd Workshop on DISCRETE LOGARITHMS Elliptic Curve Cryptography December 2019 Bochum, Germany IN QUASI-POLYNOMIAL TIME Based on a joint work with Thorsten Kleinjung IN FINITE FIELDS OF SMALL CHARACTERISTIC Benjamin Wesolowski

700 views • 47 slides
Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve

Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve

Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve Cryptography Nicolas Thriault ntheriau@fields.utoronto.ca Fields Institute Discrete Logarithms Suppose that G = a , an additive group of order

230 views • 21 slides
Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 ,

Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 ,

Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 , May 11.-15. 2020 Andre Esser and Alexander May Horst Grtz Institute for IT Security Ruhr University Bochum Subset Sum Subset Sum Problem 0

464 views • 23 slides
Quantum algorithms for computing short discrete logarithms and factoring RSA integers PQCrypto

Quantum algorithms for computing short discrete logarithms and factoring RSA integers PQCrypto

Quantum algorithms for computing short discrete logarithms and factoring RSA integers PQCrypto 2017, 8th International Workshop, Utrecht, June 26-28, 2017 Martin Eker 1 , 2 Johan Hstad 1 1 KTH Royal Institute of Technology, SE-100 44

728 views • 31 slides
JUST THE MATHS SLIDES NUMBER 1.4 ALGEBRA 4 (Logarithms) by A.J.Hobson 1.4.1 Common

JUST THE MATHS SLIDES NUMBER 1.4 ALGEBRA 4 (Logarithms) by A.J.Hobson 1.4.1 Common

JUST THE MATHS SLIDES NUMBER 1.4 ALGEBRA 4 (Logarithms) by A.J.Hobson 1.4.1 Common logarithms 1.4.2 Logarithms in general 1.4.3 Useful Results 1.4.4 Properties of logarithms 1.4.5 Natural logarithms 1.4.6 Graphs of logarithmic and

397 views • 13 slides
Groups of order p k for k = 1 , 2 , . . . , 6 p = 2 p = 3 p 5 p 1 1 1 p 2 2 2 2 p 3 5

Groups of order p k for k = 1 , 2 , . . . , 6 p = 2 p = 3 p 5 p 1 1 1 p 2 2 2 2 p 3 5

The groups of order p 7 Eamonn OBrien and Michael Vaughan-Lee The groups of order p 7 p. 1 Groups of order p k for k = 1 , 2 , . . . , 6 p = 2 p = 3 p 5 p 1 1 1 p 2 2 2 2 p 3 5 5 5 p 4 14 15 15 p 5 51 67 u p 6 267 504

663 views • 33 slides
Number Theory Arithmetic Fermats and Eulers Theorems Discrete Cryptography Logarithms

Number Theory Arithmetic Fermats and Eulers Theorems Discrete Cryptography Logarithms

Cryptography Number Theory Divisibility and Primes Modular Number Theory Arithmetic Fermats and Eulers Theorems Discrete Cryptography Logarithms Computationally Hard Problems School of Engineering and Technology CQUniversity

964 views • 67 slides
Asymmetric cryptography from discrete logarithms Benjamin Smith Summer school on real-world

Asymmetric cryptography from discrete logarithms Benjamin Smith Summer school on real-world

Asymmetric cryptography from discrete logarithms Benjamin Smith Summer school on real-world crypto and privacy Sibenik, Croatia // June 17 2019 Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Asymmetric crypto settings

1.17k views • 86 slides
On the correct use of the negation map in the Pollard rho method D. J. Bernstein University of

On the correct use of the negation map in the Pollard rho method D. J. Bernstein University of

On the correct use of the negation map in the Pollard rho method D. J. Bernstein University of Illinois at Chicago Tanja Lange Technische Universiteit Eindhoven Joint work with: Peter Schwabe Academia Sinica Full version of paper with

833 views • 56 slides
Assumptions of (a) Set Theory Carl Pollard Ohio State University Linguistics 680 Formal

Assumptions of (a) Set Theory Carl Pollard Ohio State University Linguistics 680 Formal

Assumptions of (a) Set Theory Carl Pollard Ohio State University Linguistics 680 Formal Foundations Thursday, September 23, 2010 These slides are available at: http://www.ling.osu.edu/ scott/680 1 Sets and Membership (1) We assume

416 views • 22 slides
On the Use of the Negation Map in the Pollard Rho Method Joppe W. Bos Thorsten Kleinjung Arjen

On the Use of the Negation Map in the Pollard Rho Method Joppe W. Bos Thorsten Kleinjung Arjen

On the Use of the Negation Map in the Pollard Rho Method Joppe W. Bos Thorsten Kleinjung Arjen K. Lenstra Laboratory for Cryptologic Algorithms EPFL, Station 14, CH-1015 Lausanne, Switzerland 1 / 15 Motivation Study the negation map in

440 views • 20 slides
Traces Exist (Hypothetically)! Carl Pollard Structure and Evidence in Linguistics Workshop in

Traces Exist (Hypothetically)! Carl Pollard Structure and Evidence in Linguistics Workshop in

Traces Exist (Hypothetically)! Carl Pollard Structure and Evidence in Linguistics Workshop in Honor of Ivan Sag Stanford University April 28, 2013 Carl Pollard Traces Exist (Hypothetically)! Traces in Transformational Grammar (1/2) Traces

411 views • 28 slides
ECC mod 8^91+5 especially elliptic curve 2y^2=x^3+x for cryptography Andrew Allen and Dan Brown,

ECC mod 8^91+5 especially elliptic curve 2y^2=x^3+x for cryptography Andrew Allen and Dan Brown,

ECC mod 8^91+5 especially elliptic curve 2y^2=x^3+x for cryptography Andrew Allen and Dan Brown, BlackBerry CFRG, Prague, 2017 July 18 2y 2 =x 3 +x/GF(8 91 +5) Simplest secure and fast ECC ? Benefits of Galois field size 8 91 +5 for ECC Feature

285 views • 12 slides
Pollard Rho on the PlayStation 3 Joppe W. Bos 1 Marcelo E. Kaihara 1 Peter L. Montgomery 2 1 EPFL

Pollard Rho on the PlayStation 3 Joppe W. Bos 1 Marcelo E. Kaihara 1 Peter L. Montgomery 2 1 EPFL

Pollard Rho on the PlayStation 3 Joppe W. Bos 1 Marcelo E. Kaihara 1 Peter L. Montgomery 2 1 EPFL IC LACAL, CH-1015 Lausanne, Switzerland 2 Microsoft Research, One Microsoft Way, Redmond, WA 98052, USA RAIM09 October 27 th 2009 LIP ENS Lyon

386 views • 28 slides
Unboxing Cluster Heatmaps Sophie Engle Sean Whalen Alark Joshi Katherine Pollard

Unboxing Cluster Heatmaps Sophie Engle Sean Whalen Alark Joshi Katherine Pollard

Unboxing Cluster Heatmaps Sophie Engle Sean Whalen Alark Joshi Katherine Pollard vgl.cs.usfca.edu docpollard.org Visualization and Graphics Lab Pollard Group University of San Francisco Gladstone Institutes, UCSF 2 Contributions

262 views • 24 slides
Discovery Logic / NIH Discovery Logic, Inc. Established in 2001 SBA 8(a) Certified in

Discovery Logic / NIH Discovery Logic, Inc. Established in 2001 SBA 8(a) Certified in

Discovery Logic / NIH Discovery Logic, Inc. Established in 2001 SBA 8(a) Certified in 2003 Woman-Owned Business Small Disadvantaged Business (SDB) GSA Schedule Unlimited ID/IQ Prime Contractor to HHS and

324 views • 10 slides

More recommend