the elliptic curves discrete logarithm problem and an
play

The Elliptic Curves Discrete Logarithm Problem and an implementation - PowerPoint PPT Presentation

Dec 16, 2022 •470 likes •1.52k views

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

  1. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Success of the Elliptic Curves Cryptography. In the middle of ’80s, Neal Koblitz and Victor Miller (independently) proposed elliptic curves defined on finite fields as a base for a cryptosystem. Three main reasons caused an increasing interest in elliptic curve cryptography: Large amount of elliptic groups for each finite field (Hasse’s theorem and Deuring’s theorem). Subexponential time attacks for problems on which relie other cryptosystems (e.g. R.S.A.). Fast arithmetic.

  2. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Success of the Elliptic Curves Cryptography. In the middle of ’80s, Neal Koblitz and Victor Miller (independently) proposed elliptic curves defined on finite fields as a base for a cryptosystem. Three main reasons caused an increasing interest in elliptic curve cryptography: Large amount of elliptic groups for each finite field (Hasse’s theorem and Deuring’s theorem). Subexponential time attacks for problems on which relie other cryptosystems (e.g. R.S.A.). Fast arithmetic.

  3. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Success of the Elliptic Curves Cryptography. In the middle of ’80s, Neal Koblitz and Victor Miller (independently) proposed elliptic curves defined on finite fields as a base for a cryptosystem. Three main reasons caused an increasing interest in elliptic curve cryptography: Large amount of elliptic groups for each finite field (Hasse’s theorem and Deuring’s theorem). Subexponential time attacks for problems on which relie other cryptosystems (e.g. R.S.A.). Fast arithmetic.

  4. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Success of the Elliptic Curves Cryptography. In the middle of ’80s, Neal Koblitz and Victor Miller (independently) proposed elliptic curves defined on finite fields as a base for a cryptosystem. Three main reasons caused an increasing interest in elliptic curve cryptography: Large amount of elliptic groups for each finite field (Hasse’s theorem and Deuring’s theorem). Subexponential time attacks for problems on which relie other cryptosystems (e.g. R.S.A.). Fast arithmetic.

  5. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions The discrete logarithm in elliptic groups. The elliptic curve cryptosystems relie their security above all on the so-called Elliptic Curve Discrete Logarithm Problem : Given two points P and Q belonging to a curve E ( K ) , find (if there’s one) the integer k such that Q = kP. Such k is called (discrete) logarithm of Q in base P. All the problems in the Certicom list are instances of ECDLP (Elliptic Curve Discrete Logarithm Problem).

  6. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions The discrete logarithm in elliptic groups. The elliptic curve cryptosystems relie their security above all on the so-called Elliptic Curve Discrete Logarithm Problem : Given two points P and Q belonging to a curve E ( K ) , find (if there’s one) the integer k such that Q = kP. Such k is called (discrete) logarithm of Q in base P. All the problems in the Certicom list are instances of ECDLP (Elliptic Curve Discrete Logarithm Problem).

  7. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions The discrete logarithm in elliptic groups. The elliptic curve cryptosystems relie their security above all on the so-called Elliptic Curve Discrete Logarithm Problem : Given two points P and Q belonging to a curve E ( K ) , find (if there’s one) the integer k such that Q = kP. Such k is called (discrete) logarithm of Q in base P. All the problems in the Certicom list are instances of ECDLP (Elliptic Curve Discrete Logarithm Problem).

  8. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Diffie-Hellman key exchange with elliptic curves.

  9. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Diffie-Hellman key exchange with elliptic curves.

  10. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Diffie-Hellman key exchange with elliptic curves.

  11. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Diffie-Hellman key exchange with elliptic curves.

  12. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Diffie-Hellman key exchange with elliptic curves.

  13. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Trivial method. Given the curve y 2 = x 3 − 5 x + 4 and points P = ( − 1 . 65 , 2 . 79 ) and Q = ( − 0 . 35 , 2 . 39 ) , find the integer k such that Q = kP

  14. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Trivial method. Given the curve y 2 = x 3 − 5 x + 4 and points P = ( − 1 . 65 , 2 . 79 ) and Q = ( − 0 . 35 , 2 . 39 ) , find the integer k such that Q = kP

  15. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Trivial method. Given the curve y 2 = x 3 − 5 x + 4 and points P = ( − 1 . 65 , 2 . 79 ) and Q = ( − 0 . 35 , 2 . 39 ) , find the integer k such that Q = kP

  16. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Trivial method. Given the curve y 2 = x 3 − 5 x + 4 and points P = ( − 1 . 65 , 2 . 79 ) and Q = ( − 0 . 35 , 2 . 39 ) , find the integer k such that Q = kP

  17. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Trivial method. Given the curve y 2 = x 3 − 5 x + 4 and points P = ( − 1 . 65 , 2 . 79 ) and Q = ( − 0 . 35 , 2 . 39 ) , find the integer k such that Q = kP

  18. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Trivial method. Given the curve y 2 = x 3 − 5 x + 4 and points P = ( − 1 . 65 , 2 . 79 ) and Q = ( − 0 . 35 , 2 . 39 ) , find the integer k such that Q = kP

  19. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Trivial method. Given the curve y 2 = x 3 − 5 x + 4 and points P = ( − 1 . 65 , 2 . 79 ) and Q = ( − 0 . 35 , 2 . 39 ) , find the integer k such that Q = kP

  20. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Trivial method. Given the curve y 2 = x 3 − 5 x + 4 and points P = ( − 1 . 65 , 2 . 79 ) and Q = ( − 0 . 35 , 2 . 39 ) , find the integer k such that Q = kP

  21. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Trivial method. Given the curve y 2 = x 3 − 5 x + 4 and points P = ( − 1 . 65 , 2 . 79 ) and Q = ( − 0 . 35 , 2 . 39 ) , find the integer k such that Q = kP

  22. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Trivial method. Given the curve y 2 = x 3 − 5 x + 4 and points P = ( − 1 . 65 , 2 . 79 ) and Q = ( − 0 . 35 , 2 . 39 ) , find the integer k such that Q = kP

  23. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Trivial method. Given the curve y 2 = x 3 − 5 x + 4 and points P = ( − 1 . 65 , 2 . 79 ) and Q = ( − 0 . 35 , 2 . 39 ) , find the integer k such that Q = kP

  24. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Trivial method. Given the curve y 2 = x 3 − 5 x + 4 and points P = ( − 1 . 65 , 2 . 79 ) and Q = ( − 0 . 35 , 2 . 39 ) , find the integer k such that Q = kP

  25. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Trivial method. Given the curve y 2 = x 3 − 5 x + 4 and points P = ( − 1 . 65 , 2 . 79 ) and Q = ( − 0 . 35 , 2 . 39 ) , find the integer k such that Q = kP

  26. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Trivial method. Given the curve y 2 = x 3 − 5 x + 4 and points P = ( − 1 . 65 , 2 . 79 ) and Q = ( − 0 . 35 , 2 . 39 ) , find the integer k such that Q = kP

  27. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Trivial method. Given the curve y 2 = x 3 − 5 x + 4 and points P = ( − 1 . 65 , 2 . 79 ) and Q = ( − 0 . 35 , 2 . 39 ) , find the integer k such that Q = kP

  28. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Trivial method. Given the curve y 2 = x 3 − 5 x + 4 and points P = ( − 1 . 65 , 2 . 79 ) and Q = ( − 0 . 35 , 2 . 39 ) , find the integer k such that Q = kP

  29. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Trivial method. Given the curve y 2 = x 3 − 5 x + 4 and points P = ( − 1 . 65 , 2 . 79 ) and Q = ( − 0 . 35 , 2 . 39 ) , find the integer k such that Q = kP

  30. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Trivial method. Given the curve y 2 = x 3 − 5 x + 4 and points P = ( − 1 . 65 , 2 . 79 ) and Q = ( − 0 . 35 , 2 . 39 ) , find the integer k such that Q = kP

  31. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions ρ -Pollard (1/2) All the problems of the Certicom list solved, until now, got a solution through ρ -Pollard method or some of its variants. This method iterates through the elements of the group until an element is discovered twice. The greek letter ρ in the name of the algorithm recalls the shape of the ‘walk’ of the iterations that closes over itself.

  32. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions ρ -Pollard (1/2) All the problems of the Certicom list solved, until now, got a solution through ρ -Pollard method or some of its variants. This method iterates through the elements of the group until an element is discovered twice. The greek letter ρ in the name of the algorithm recalls the shape of the ‘walk’ of the iterations that closes over itself.

  33. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions ρ -Pollard (1/2) All the problems of the Certicom list solved, until now, got a solution through ρ -Pollard method or some of its variants. This method iterates through the elements of the group until an element is discovered twice. The greek letter ρ in the name of the algorithm recalls the shape of the ‘walk’ of the iterations that closes over itself.

  34. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions ρ -Pollard (2/2) Given P , Q ∈ E ( F p ) , if we want to find the k such that Q = kP , the original version of ρ -Pollard works in this way: The group is partitioned into three disjoint subsets S 1 , S 2 and S 3 of about the same size. Two integers a 0 and b 0 are choosen randomly with 0 ≤ a 0 , b 0 ≤ n − 1, where n is the cardinality of E ( F p ) . Starting with the point X 0 = a 0 P + b 0 Q , a sequence of X i is generated, defined for each i ≥ 1, according following relation:  P + X i − 1 if X i − 1 ∈ S 1  X i = 2 X i − 1 X i − 1 ∈ S 2 if Q + X i − 1 if X i − 1 ∈ S 3  If X i = X j for some i � = j ( collision ), we can compute a i P + b i Q = a j P + b j Q and then ( a i − a j ) P = ( b j − b i ) Q .

  35. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions ρ -Pollard (2/2) Given P , Q ∈ E ( F p ) , if we want to find the k such that Q = kP , the original version of ρ -Pollard works in this way: The group is partitioned into three disjoint subsets S 1 , S 2 and S 3 of about the same size. Two integers a 0 and b 0 are choosen randomly with 0 ≤ a 0 , b 0 ≤ n − 1, where n is the cardinality of E ( F p ) . Starting with the point X 0 = a 0 P + b 0 Q , a sequence of X i is generated, defined for each i ≥ 1, according following relation:  P + X i − 1 if X i − 1 ∈ S 1  X i = 2 X i − 1 X i − 1 ∈ S 2 if Q + X i − 1 if X i − 1 ∈ S 3  If X i = X j for some i � = j ( collision ), we can compute a i P + b i Q = a j P + b j Q and then ( a i − a j ) P = ( b j − b i ) Q .

  36. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions ρ -Pollard (2/2) Given P , Q ∈ E ( F p ) , if we want to find the k such that Q = kP , the original version of ρ -Pollard works in this way: The group is partitioned into three disjoint subsets S 1 , S 2 and S 3 of about the same size. Two integers a 0 and b 0 are choosen randomly with 0 ≤ a 0 , b 0 ≤ n − 1, where n is the cardinality of E ( F p ) . Starting with the point X 0 = a 0 P + b 0 Q , a sequence of X i is generated, defined for each i ≥ 1, according following relation:  P + X i − 1 if X i − 1 ∈ S 1  X i = 2 X i − 1 X i − 1 ∈ S 2 if Q + X i − 1 if X i − 1 ∈ S 3  If X i = X j for some i � = j ( collision ), we can compute a i P + b i Q = a j P + b j Q and then ( a i − a j ) P = ( b j − b i ) Q .

  37. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions ρ -Pollard (2/2) Given P , Q ∈ E ( F p ) , if we want to find the k such that Q = kP , the original version of ρ -Pollard works in this way: The group is partitioned into three disjoint subsets S 1 , S 2 and S 3 of about the same size. Two integers a 0 and b 0 are choosen randomly with 0 ≤ a 0 , b 0 ≤ n − 1, where n is the cardinality of E ( F p ) . Starting with the point X 0 = a 0 P + b 0 Q , a sequence of X i is generated, defined for each i ≥ 1, according following relation:  P + X i − 1 if X i − 1 ∈ S 1  X i = 2 X i − 1 X i − 1 ∈ S 2 if Q + X i − 1 if X i − 1 ∈ S 3  If X i = X j for some i � = j ( collision ), we can compute a i P + b i Q = a j P + b j Q and then ( a i − a j ) P = ( b j − b i ) Q .

  38. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions ρ -Pollard (2/2) Given P , Q ∈ E ( F p ) , if we want to find the k such that Q = kP , the original version of ρ -Pollard works in this way: The group is partitioned into three disjoint subsets S 1 , S 2 and S 3 of about the same size. Two integers a 0 and b 0 are choosen randomly with 0 ≤ a 0 , b 0 ≤ n − 1, where n is the cardinality of E ( F p ) . Starting with the point X 0 = a 0 P + b 0 Q , a sequence of X i is generated, defined for each i ≥ 1, according following relation:  P + X i − 1 if X i − 1 ∈ S 1  X i = 2 X i − 1 X i − 1 ∈ S 2 if Q + X i − 1 if X i − 1 ∈ S 3  If X i = X j for some i � = j ( collision ), we can compute a i P + b i Q = a j P + b j Q and then ( a i − a j ) P = ( b j − b i ) Q .

  39. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions λ -Pollard It has been shown that ρ -Pollard algorithm can be efficiently parallelized over an arbitrary number of processors, reserving one of them for collisions search. Such method is called λ -Pollard where the greek letter λ recalls to mind the collision between two walks generated by two different processors.

  40. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Improving performances of Pollard’s algorithms. How can we improve performances of Pollard’s algorithms ? Optimizing the iterating function. Using better all hardware resources available.

  41. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Improving performances of Pollard’s algorithms. How can we improve performances of Pollard’s algorithms ? Optimizing the iterating function. Using better all hardware resources available.

  42. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Improving the iterating function. The complexity of the Pollard’s algorithm is proportional to the square root of the order of the group where you want to solve the discrete logarithm problem. Such estimate is done under the hypotesis that the points generated through the method are generated randomly, so that they build a ‘random walk’ inside the group. Sadly, the original function proposed by Pollard has a behaviour that is really far from being random. It has been shown heuristically that increasing the number of partition S i into which is split the group, cause a good gain of performances.

  43. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Improving the iterating function. The complexity of the Pollard’s algorithm is proportional to the square root of the order of the group where you want to solve the discrete logarithm problem. Such estimate is done under the hypotesis that the points generated through the method are generated randomly, so that they build a ‘random walk’ inside the group. Sadly, the original function proposed by Pollard has a behaviour that is really far from being random. It has been shown heuristically that increasing the number of partition S i into which is split the group, cause a good gain of performances.

  44. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Improving the iterating function. The complexity of the Pollard’s algorithm is proportional to the square root of the order of the group where you want to solve the discrete logarithm problem. Such estimate is done under the hypotesis that the points generated through the method are generated randomly, so that they build a ‘random walk’ inside the group. Sadly, the original function proposed by Pollard has a behaviour that is really far from being random. It has been shown heuristically that increasing the number of partition S i into which is split the group, cause a good gain of performances.

  45. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Improving the iterating function. The complexity of the Pollard’s algorithm is proportional to the square root of the order of the group where you want to solve the discrete logarithm problem. Such estimate is done under the hypotesis that the points generated through the method are generated randomly, so that they build a ‘random walk’ inside the group. Sadly, the original function proposed by Pollard has a behaviour that is really far from being random. It has been shown heuristically that increasing the number of partition S i into which is split the group, cause a good gain of performances.

  46. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions How to improve the use of the hardware ? Taking advantage of computational power of other devices together with main cpu. Typical example: graphic processing unit of video cards in 3D graphics. Recently NVidia released some libraries that allow programmers to use video cards like general purpose processors.

  47. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions How to improve the use of the hardware ? Taking advantage of computational power of other devices together with main cpu. Typical example: graphic processing unit of video cards in 3D graphics. Recently NVidia released some libraries that allow programmers to use video cards like general purpose processors.

  48. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions How to improve the use of the hardware ? Taking advantage of computational power of other devices together with main cpu. Typical example: graphic processing unit of video cards in 3D graphics. Recently NVidia released some libraries that allow programmers to use video cards like general purpose processors.

  49. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions CUDA Acronym of Compute Unified Device Architecture . Video card is viewed like a multiprocessor architecture (since, usually, there is a large number of ‘cores’ in the graphic processor). Library written in C language for device programming, but there are wrappers of third parts for other languages like Python, Fortran and Java.

  50. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions CUDA Acronym of Compute Unified Device Architecture . Video card is viewed like a multiprocessor architecture (since, usually, there is a large number of ‘cores’ in the graphic processor). Library written in C language for device programming, but there are wrappers of third parts for other languages like Python, Fortran and Java.

  51. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions CUDA Acronym of Compute Unified Device Architecture . Video card is viewed like a multiprocessor architecture (since, usually, there is a large number of ‘cores’ in the graphic processor). Library written in C language for device programming, but there are wrappers of third parts for other languages like Python, Fortran and Java.

  52. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Code execution in CUDA.

  53. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Code execution in CUDA.

  54. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Code execution in CUDA.

  55. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Code execution in CUDA.

  56. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Code execution in CUDA.

  57. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions CUDA limitations. Arithmetic divisions are really computationally expensive and should be avoided. Memory should be carefully handled to avoid latencies when loading data from it and writing data to it. Since graphics processor is a SIMD (Single Instruction Multiple Data) architecture, every branch dependent from data in the code execution could cause the so called ‘divergent threads’, furtherly reducing the speed of the algorithm.

  58. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions CUDA limitations. Arithmetic divisions are really computationally expensive and should be avoided. Memory should be carefully handled to avoid latencies when loading data from it and writing data to it. Since graphics processor is a SIMD (Single Instruction Multiple Data) architecture, every branch dependent from data in the code execution could cause the so called ‘divergent threads’, furtherly reducing the speed of the algorithm.

  59. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions CUDA limitations. Arithmetic divisions are really computationally expensive and should be avoided. Memory should be carefully handled to avoid latencies when loading data from it and writing data to it. Since graphics processor is a SIMD (Single Instruction Multiple Data) architecture, every branch dependent from data in the code execution could cause the so called ‘divergent threads’, furtherly reducing the speed of the algorithm.

  60. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Modular arithmetic with CUDA (1/7) In a code for ECDLP resolution, of course we’re handling multi-words integers all of them belonging to the field F p on which the elliptic curve is defined. Modular addition can be efficiently performed first adding two operands a and b . Then subtracting the modulus p to the sum previously computed. If this subtraction cause a positive result, then this is the sum reduced modulus p , otherwise the right sum modulus p is the one previously computed. In a similar way can be done the modular subtraction.

  61. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Modular arithmetic with CUDA (1/7) In a code for ECDLP resolution, of course we’re handling multi-words integers all of them belonging to the field F p on which the elliptic curve is defined. Modular addition can be efficiently performed first adding two operands a and b . Then subtracting the modulus p to the sum previously computed. If this subtraction cause a positive result, then this is the sum reduced modulus p , otherwise the right sum modulus p is the one previously computed. In a similar way can be done the modular subtraction.

  62. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Modular arithmetic with CUDA (1/7) In a code for ECDLP resolution, of course we’re handling multi-words integers all of them belonging to the field F p on which the elliptic curve is defined. Modular addition can be efficiently performed first adding two operands a and b . Then subtracting the modulus p to the sum previously computed. If this subtraction cause a positive result, then this is the sum reduced modulus p , otherwise the right sum modulus p is the one previously computed. In a similar way can be done the modular subtraction.

  63. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Modular arithmetic with CUDA (2/7) Modular multiplication is realized through the so called Montgomery product. If p is the modulus, we call k the integer such that 2 k − 1 ≤ p < 2 k and r is 2 k . Given an integer a < p , we define Montgomery representation (or p-residue ) with respect to r as a ≡ a · r ( mod p ) Sum and difference of the Mongomery representations of two integers is Montgomery representation of their sum or difference.

  64. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Modular arithmetic with CUDA (2/7) Modular multiplication is realized through the so called Montgomery product. If p is the modulus, we call k the integer such that 2 k − 1 ≤ p < 2 k and r is 2 k . Given an integer a < p , we define Montgomery representation (or p-residue ) with respect to r as a ≡ a · r ( mod p ) Sum and difference of the Mongomery representations of two integers is Montgomery representation of their sum or difference.

  65. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Modular arithmetic with CUDA (2/7) Modular multiplication is realized through the so called Montgomery product. If p is the modulus, we call k the integer such that 2 k − 1 ≤ p < 2 k and r is 2 k . Given an integer a < p , we define Montgomery representation (or p-residue ) with respect to r as a ≡ a · r ( mod p ) Sum and difference of the Mongomery representations of two integers is Montgomery representation of their sum or difference.

  66. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Modular arithmetic with CUDA (3/7) Given two numbers a , b in their Montgomery representations ( a , b respectively) the Montgomery product is defined as: u ≡ a · b · r − 1 ( mod p ) where r − 1 is the multiplicative inverse of r modulo p . The result of Montgomery product u is the p -residue of the product u = a · b ( mod p ) since a · b · r − 1 ( mod p ) u ≡ ( a · r ) · ( b · r ) · r − 1 ( mod p ) = = ( a · b ) · r ( mod p ) .

  67. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Modular arithmetic with CUDA (3/7) Given two numbers a , b in their Montgomery representations ( a , b respectively) the Montgomery product is defined as: u ≡ a · b · r − 1 ( mod p ) where r − 1 is the multiplicative inverse of r modulo p . The result of Montgomery product u is the p -residue of the product u = a · b ( mod p ) since a · b · r − 1 ( mod p ) u ≡ ( a · r ) · ( b · r ) · r − 1 ( mod p ) = = ( a · b ) · r ( mod p ) .

  68. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Modular arithmetic with CUDA (4/7) To describe Montgomery reduction algorithm, we need also the quantity p ′ , that satisfies the property r · r − 1 − p · p ′ = 1 Both integers r − 1 and p ′ can be easily computed through the extended Euclidean algorithm. And since in our algorithm the modulus is fixed, we can precompute these values and store them for all multiplications.

  69. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Modular arithmetic with CUDA (5/7) Given the integers a , b the Montgomery product is computed by this algorithm: MonPro( a , b ) t = a · b 1 m ≡ t · p ′ ( mod r ) 2 u = ( t + m · r ) / r 3 if u ≥ p then return u − p else return u . 4 The main feature of this product is that the operations involved are multiplications modulo r and division by r that can be efficiently implemented using bitwise operations since r is a power of 2.

  70. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Modular arithmetic with CUDA (5/7) Given the integers a , b the Montgomery product is computed by this algorithm: MonPro( a , b ) t = a · b 1 m ≡ t · p ′ ( mod r ) 2 u = ( t + m · r ) / r 3 if u ≥ p then return u − p else return u . 4 The main feature of this product is that the operations involved are multiplications modulo r and division by r that can be efficiently implemented using bitwise operations since r is a power of 2.

  71. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Modular arithmetic with CUDA (6/7) If p is odd, Montgomery product algorithm can be used to compute (normal) product u ≡ a · b ( mod p ) : ModMul( a , b ) Compute p ′ using extended Euclidean algorithm 1 a ≡ a · r ( mod p ) 2 b ≡ b · r ( mod p ) 3 u = MonPro( a , b ) 4 u = MonPro( u , 1) 5 return u . 6

  72. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Modular arithmetic with CUDA (7/7) A better algorithm is obtained observing that MonPro( a , b )= ( a · r ) · b · r − 1 ( mod p ) = a · b ( mod p ) Thus we can modify the algorithm above: ModMul( a , b ) Compute p ′ using extended Euclidean algorithm, and r 2 ( 1 mod p ) a = MonPro( a , r 2 ) 2 u = MonPro( a , b ) 3

  73. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Modular arithmetic with CUDA (7/7) A better algorithm is obtained observing that MonPro( a , b )= ( a · r ) · b · r − 1 ( mod p ) = a · b ( mod p ) Thus we can modify the algorithm above: ModMul( a , b ) Compute p ′ using extended Euclidean algorithm, and r 2 ( 1 mod p ) a = MonPro( a , r 2 ) 2 u = MonPro( a , b ) 3

  74. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions ρ -Pollard with CUDA Further optimizations of the algorithm include: Group has been split into 64 disjoint subsets (a ‘good’ value according to some recent heuristic results by E.Teske) Jacobian coordinate system to memorize points given in input to the iterating function of the Pollard’s method. Affine coordinate system to memorize points that are added to input points in the iterating function. These different coordinate systems allows the use of mixed affine-jacobian addition formulas that have better performances than pure affine addition formulas, while lower storage needing of affine coordinate allows to store thepoints of the iterating function in the memory region of the video card reserved to constants (a faster memory region in which all thread can access together without the introduction of any latency in the execution of code).

  75. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions ρ -Pollard with CUDA Further optimizations of the algorithm include: Group has been split into 64 disjoint subsets (a ‘good’ value according to some recent heuristic results by E.Teske) Jacobian coordinate system to memorize points given in input to the iterating function of the Pollard’s method. Affine coordinate system to memorize points that are added to input points in the iterating function. These different coordinate systems allows the use of mixed affine-jacobian addition formulas that have better performances than pure affine addition formulas, while lower storage needing of affine coordinate allows to store thepoints of the iterating function in the memory region of the video card reserved to constants (a faster memory region in which all thread can access together without the introduction of any latency in the execution of code).

  76. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions ρ -Pollard with CUDA Further optimizations of the algorithm include: Group has been split into 64 disjoint subsets (a ‘good’ value according to some recent heuristic results by E.Teske) Jacobian coordinate system to memorize points given in input to the iterating function of the Pollard’s method. Affine coordinate system to memorize points that are added to input points in the iterating function. These different coordinate systems allows the use of mixed affine-jacobian addition formulas that have better performances than pure affine addition formulas, while lower storage needing of affine coordinate allows to store thepoints of the iterating function in the memory region of the video card reserved to constants (a faster memory region in which all thread can access together without the introduction of any latency in the execution of code).

  77. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions ρ -Pollard with CUDA Further optimizations of the algorithm include: Group has been split into 64 disjoint subsets (a ‘good’ value according to some recent heuristic results by E.Teske) Jacobian coordinate system to memorize points given in input to the iterating function of the Pollard’s method. Affine coordinate system to memorize points that are added to input points in the iterating function. These different coordinate systems allows the use of mixed affine-jacobian addition formulas that have better performances than pure affine addition formulas, while lower storage needing of affine coordinate allows to store thepoints of the iterating function in the memory region of the video card reserved to constants (a faster memory region in which all thread can access together without the introduction of any latency in the execution of code).

  78. What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. ρ -Pollard and CUDA. Conclusions Performances Tabella: Performances (points generated per second) of various architectures over the curve ECCp − 97 of the Certicom list. Architecture Points/second NVidia 8800GTS g92 720.000 Alpha 22164 440.000 Pentium II 300Mhz 125.000 Core 2 Duo E8500 10.000

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the discrete logarithm problem in elliptic curves p.1/37 Some history At ECC 2004 in Bochum, Pierrick Gaudry presented an index calculus algorithm

897 views • 67 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete

Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete

Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete Logarithm Problem (ECDLP) Typical DLP: Find a such that a = , given and ECDLP: Find k such that P=kQ, given P and Q How do

1.58k views • 16 slides
New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein

New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein

New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein and Tanja Lange Difference between security of: Elliptic-Curve Cryptography (ECC) Elliptic-Curve Discrete-Logarithm Problem (ECDLP)

384 views • 6 slides
Algebraic approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields

Algebraic approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields

Algebraic approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields Christophe Petit, Michiel Kosters, Ange Messeng University of Oxford, University of California Irvine, University of Passau Christophe Petit - PKC2016 -

562 views • 41 slides
Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute

Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute

Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute of Technology Discrete logarithm problem. The discrete logarithm problem (DLP) in a finite cyclic group G : for any pair g , h G find a

673 views • 18 slides
Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA MathFest Boulder, Colorado August 2003 http://www.math.mcgill.ca/darmon /slides/slides.html Elliptic Curves Definition : An elliptic curve over the

494 views • 26 slides
Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve

Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve

Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve Cryptography Nicolas Thriault ntheriau@fields.utoronto.ca Fields Institute Discrete Logarithms Suppose that G = a , an additive group of order

230 views • 21 slides
Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Elliptic curves over F q Introduction History length of ellipses why Elliptic curves? Fields Weierstra Equations Singular points The Discriminant E LLIPTIC CURVES OVER FINITE FIELDS Elliptic curves / F 2 Elliptic curves / F 3 The sum of

660 views • 32 slides
On Using Torsion Points in the Elliptic Curve Index Calculus Gu ena el Renault Sorbonne

On Using Torsion Points in the Elliptic Curve Index Calculus Gu ena el Renault Sorbonne

On Using Torsion Points in the Elliptic Curve Index Calculus Gu ena el Renault Sorbonne Universit es UPMC, INRIA, CNRS LIP6 1/43 General Context Discrete Logarithm Problem (DLP) Given a finite cyclic group ( G = g , +) and h

595 views • 56 slides
On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de

On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de

On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de Lorraine, Inria Nancy, France joint work with Razvan Barbulescu, Antoine Joux, Emmanuel Thom RICAM Linz, Austria 1/42 Plan Background Recent

598 views • 49 slides
Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J.

Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J.

Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J. Bernstein Easy to prove: is prime. University of Illinois at Chicago Can we find an integer 1 2 3

1.24k views • 97 slides
Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Well-known forms of elliptic curves Toric forms of elliptic curves Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known forms of elliptic curves Projective coordinates Toric forms of elliptic curves

478 views • 46 slides
On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

Motivation - Exotic Security Assumptions in Cryptography Main Algorithm and Results Oracle-assisted Static DHP for binary curves On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

1.32k views • 105 slides
Elliptic Curves Dr. Carmen Bruni University of Waterloo November 4th, 2015 Dr. Carmen Bruni

Elliptic Curves Dr. Carmen Bruni University of Waterloo November 4th, 2015 Dr. Carmen Bruni

Elliptic Curves Dr. Carmen Bruni University of Waterloo November 4th, 2015 Dr. Carmen Bruni Elliptic Curves Revisit the Congruent Number Problem Congruent Number Problem Determine which positive integers N can be expressed as the area of a

722 views • 33 slides
Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo Questions? October 19 at ECC 2010 Lowest (known) conductor elliptic curves of ranks 0,1,2,3,4 Abstract Elliptic Curves in Sage

628 views • 14 slides
RSA Question 2 Bob thinks that p and q are primes but p isnt. Then, Bob thinks Bob

RSA Question 2 Bob thinks that p and q are primes but p isnt. Then, Bob thinks Bob

RSA Question 2 Bob thinks that p and q are primes but p isnt. Then, Bob thinks Bob :=(p-1)(q-1) = (n). Is this true ? Bob chooses a random e (1 &lt; e &lt; Bob ) such that gcd(e, Bob )=1. Then, d = e -1 mod Bob . Example: p = 9,

187 views • 16 slides
Abstraction Hierarchy Concept Structural Domain: component described in terms of

Abstraction Hierarchy Concept Structural Domain: component described in terms of

Abstraction Hierarchy Concept Structural Domain: component described in terms of interconnection of primitives Behavioral Domain: component described by defining its input/output response Abstraction Hierarchy: set of interrelated

617 views • 43 slides
Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and Paul Wolfger Graz University of Technology WECC 2014, Chennai, India We solved the discrete logarithm of a 113-bit Koblitz Curve.

572 views • 34 slides
Wynne Harlen Four issues: The disconnect between the aims, goals and values of 1. education and

Wynne Harlen Four issues: The disconnect between the aims, goals and values of 1. education and

SMEC/SAILS conference, Dublin, June 2014 Wynne Harlen Four issues: The disconnect between the aims, goals and values of 1. education and what is currently assessed. The disconnect between the aspirations of using 2. assessment formatively

524 views • 24 slides
Can we Beat the Square Root Bound for ECDLP over F p 2 via Representation? NutMiC 2019 , Paris

Can we Beat the Square Root Bound for ECDLP over F p 2 via Representation? NutMiC 2019 , Paris

Can we Beat the Square Root Bound for ECDLP over F p 2 via Representation? NutMiC 2019 , Paris Claire Delaplace Alexander May Elliptic Curve O y 4 K : Field of characteristic = 2 , 3 E : y 2 = f ( x ) = x 3 + ax + b 2 x 2 2 4 2

801 views • 52 slides
PRESIDENTS COUNCIL October 24, 2019 2019 United Way Campaign YOU CAN CHANGE THE STORY. YOU

PRESIDENTS COUNCIL October 24, 2019 2019 United Way Campaign YOU CAN CHANGE THE STORY. YOU

PRESIDENTS COUNCIL October 24, 2019 2019 United Way Campaign YOU CAN CHANGE THE STORY. YOU CAN CHANGE THE STORY. The Team 2019 ISU Campaign Chair Dawn Bratsch-Prince 2019 Leadership Chair John Lawrence 2019 Unit Volunteers

643 views • 20 slides
Tight Bounds for Learning a Mixture of Two Gaussians Moritz Hardt Eric Price Google Research

Tight Bounds for Learning a Mixture of Two Gaussians Moritz Hardt Eric Price Google Research

Tight Bounds for Learning a Mixture of Two Gaussians Moritz Hardt Eric Price Google Research UT Austin 2015-06-17 Moritz Hardt, Eric Price (Google/UT) Tight Bounds for Learning a Mixture of Two Gaussians 2015-06-17 1 / 27 Problem 140 140

1.9k views • 165 slides
Rational Minimax Filtering Arthur J. Krener Wei Kang ajkrener@nps.edu wkang@nps.edu Research

Rational Minimax Filtering Arthur J. Krener Wei Kang ajkrener@nps.edu wkang@nps.edu Research

Rational Minimax Filtering Arthur J. Krener Wei Kang ajkrener@nps.edu wkang@nps.edu Research supported in part by AFOSR and NSF Dedicated to our Esteemed Colleague Eduardo Sontag on the occasion of his 60 th birthday Kalman Filtering We

1.56k views • 133 slides

More recommend