Introduction The MP Problem Solving a system of m multivariate - PowerPoint PPT Presentation

  1. Fast Exhaustive Search for Quadratic Systems in F_2 on FPGAs
     Charles Bouillaguet, Chen-Mou Cheng, Tung Chou, Ruben Niederhagen, Bo-Yin Yang
     August 15, 2013

  2. Introduction: The MP Problem (Introduction, 1 / 13)
     Solving a system of m multivariate polynomial equations in n variables over F_q is called the MP problem.
     The MP problem is NP-hard even for multivariate quadratic systems and q = 2.

  4. Introduction (Introduction, 2 / 13)
     Multivariate Public-Key Cryptography: e.g. HFE, SFLASH, and QUARTZ
     Provably-Secure Stream Ciphers: e.g. QUAD
     Algebraic Cryptanalysis: obtain a system of multivariate polynomial equations with the secret among the variables.
       - Naturally breaks the above,
       - does not break AES as first advertised,
       - but does break, e.g., KeeLoq.
     Complexity?

  6. Introduction (Introduction, 3 / 13)
     Most Efficient Algorithm for F_2: brute-force search, testing all 2^n possible inputs.
     Previous Work: on GPUs we can solve a quadratic system of 48+ equations in 48 variables in 21 min.
     Research Question: how would specifically designed hardware perform on this task?
     We approach the answer by solving multivariate quadratic systems on reconfigurable hardware (FPGAs).

  8. Gray-Code Approach (Exhaustive Search, 4 / 13)
     Full-Evaluation Approach
       - Evaluate the whole equation for each possible input.
       - Time Complexity: O(2^n n^2)
       - Memory Complexity: O(n)
     Gray-Code Approach
       - Only re-compute those parts of the equation that have changed.
       - Enumerate the input vector in Gray-code order.
       - Update the solution using the derivatives of the involved variables.
       - Time Complexity: O(2^n m)
       - Memory Complexity: O(n^2 m)
     Trade computation for memory.

  11. Gray-Code Approach (Exhaustive Search, 5 / 13)
      f = x4 x2 ⊕ x3 x0 ⊕ x2 x1 ⊕ x3 ⊕ x1 ⊕ x0 ⊕ 1
      k = 01010b; x4 = 0, x3 = 1, x2 = 0, x1 = 1, x0 = 0
        f = 0·0 ⊕ 1·0 ⊕ 0·1 ⊕ 1 ⊕ 1 ⊕ 0 ⊕ 1
      k = 01011b; x4 = 0, x3 = 1, x2 = 0, x1 = 1, x0 = 1
        f = 0·0 ⊕ 1·1 ⊕ 0·1 ⊕ 1 ⊕ 1 ⊕ 1 ⊕ 1
      k = 01100b; x4 = 0, x3 = 1, x2 = 1, x1 = 0, x0 = 0
        f = 0·1 ⊕ 1·0 ⊕ 1·0 ⊕ 1 ⊕ 0 ⊕ 0 ⊕ 1

  14. Gray-Code Approach (Exhaustive Search, 5 / 13)
      f = x4 x2 ⊕ x3 x0 ⊕ x2 x1 ⊕ x3 ⊕ x1 ⊕ x0 ⊕ 1
      k = 01010b; x4 = 0, x3 = 1, x2 = 0, x1 = 1, x0 = 0
        f = 0·0 ⊕ 1·0 ⊕ 0·1 ⊕ 1 ⊕ 1 ⊕ 0 ⊕ 1
      k = 01011b; x4 = 0, x3 = 1, x2 = 0, x1 = 1, x0 = 1
        f = 0·0 ⊕ 1·1 ⊕ 0·1 ⊕ 1 ⊕ 1 ⊕ 1 ⊕ 1
      k = 01001b in Gray-code order; x4 = 0, x3 = 1, x2 = 0, x1 = 0, x0 = 1 (only x1 changed)
        f = 0·0 ⊕ 1·1 ⊕ 0·0 ⊕ 1 ⊕ 0 ⊕ 1 ⊕ 1
        f = f(01011b) ⊕ 0·1 ⊕ 0·0 ⊕ 1 ⊕ 0   (only the terms containing x1 change: x2 x1 and x1)
        f = f(01011b) ⊕ ∂f/∂x1 (01001b)

  16. Xilinx Spartan6 FPGA (Exhaustive Search on FPGAs, 7 / 13)
      Lookup Table (LUT), here LUT-6. Can be seen as
        - logic: computes any logical expression in 6 variables,
        - ROM: stores 64 bits, addressed by 6 address ports.
      Can be used as two LUT-5 with identical input wires and independent output wires.

  17. Xilinx Spartan6 FPGA Resources (Exhaustive Search on FPGAs, 7 / 13)
      - 50% SLICEX: 4 LUT-6, 8 flip-flops
      - 25% SLICEL: + wide multiplexers, + carry logic for large adders
      - 25% SLICEM: + LUT can be used as shift register, + LUT can be used as RAM sharing the same write address
      - Block RAM, DSPs, IO, ...

  18. Gray-Code Algorithm (Exhaustive Search on FPGAs, 8 / 13)
      function EVAL(s)
          while s.i < 2^n do
              s.i ← s.i + 1;
              k1 ← BIT1(s.i);
              k2 ← BIT2(s.i);
              if k2 valid then
                  s.d'[k1] ← s.d'[k1] ⊕ s.d''[k1, k2];
              end if
              s.y ← s.y ⊕ s.d'[k1];
              if s.y = 0 then
                  return shr(s.i, 1) ⊕ s.i;
              end if
          end while
      end function

  20. Parallelization (Exhaustive Search on FPGAs, 9 / 13)
      Fix i variables for 2^i parallel instances:
        f = x4 x2 ⊕ x3 x0 ⊕ x2 x1 ⊕ x3 ⊕ x1 ⊕ x0 ⊕ 1
      e.g. i = 2 (fix x4 and x3):
        f_00b = 0·x2 ⊕ 0·x0 ⊕ x2 x1 ⊕ 0 ⊕ x1 ⊕ x0 ⊕ 1
        f_01b = 0·x2 ⊕ 1·x0 ⊕ x2 x1 ⊕ 1 ⊕ x1 ⊕ x0 ⊕ 1
        f_10b = 1·x2 ⊕ 0·x0 ⊕ x2 x1 ⊕ 0 ⊕ x1 ⊕ x0 ⊕ 1
        f_11b = 1·x2 ⊕ 1·x0 ⊕ x2 x1 ⊕ 1 ⊕ x1 ⊕ x0 ⊕ 1
      2^i independent equations (systems) sharing the same quadratic terms!
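The Gray-code update of slides 14 and 18 and the variable-fixing parallelization of slide 20, as an added worked example in software; this is not code from the slides or from the authors' FPGA implementation. Coefficients are bit-packed so that one XOR updates all m equations at once, which is the same trick the hardware uses per instance. Equation 0 of the sample system is the slides' f; the other three equations, the MAXN limit and all names (mq_system, mq_gray_search, mq_fix_top, mq_parallel_search) are constructed for this example.

```c
/* Added example (not the slides' or the authors' code): software version of the
 * Gray-code exhaustive search and of the variable-fixing parallelization.
 * Coefficients are bit-packed: bit e of a word belongs to equation e, so one
 * XOR updates all m (<= 32) equations.  Bit j of an input x is x_j. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXN 12  /* constructed limit on n; the search space is 2^n inputs */

typedef struct {
    int n, m;
    uint32_t c;                 /* constant terms */
    uint32_t lin[MAXN];         /* lin[j]: coefficient of x_j */
    uint32_t quad[MAXN][MAXN];  /* quad[j][k] == quad[k][j]: coefficient of x_j x_k */
} mq_system;

static void mq_init(mq_system *s, int n, int m) { memset(s, 0, sizeof *s); s->n = n; s->m = m; }
static void mq_add_c(mq_system *s, int e)               { s->c ^= 1u << e; }
static void mq_add_l(mq_system *s, int e, int j)        { s->lin[j] ^= 1u << e; }
static void mq_add_q(mq_system *s, int e, int j, int k) { s->quad[j][k] ^= 1u << e; s->quad[k][j] ^= 1u << e; }

/* Full-evaluation approach (slide 8): recompute every monomial at x.
 * Bit e of the result is f_e(x); a result of 0 means x solves the whole system. */
uint32_t mq_eval(const mq_system *s, uint32_t x)
{
    uint32_t y = s->c;
    for (int j = 0; j < s->n; j++) {
        if (!((x >> j) & 1u)) continue;
        y ^= s->lin[j];
        for (int k = 0; k < j; k++)
            if ((x >> k) & 1u) y ^= s->quad[j][k];
    }
    return y;
}

static int lowest_set_bit(uint32_t v) { int b = 0; while (!((v >> b) & 1u)) b++; return b; }
static void record(uint32_t x, uint32_t *sols, int max_sols, int *found)
{
    if (*found < max_sols) sols[*found] = x;
    (*found)++;
}

/* Gray-code approach (slides 14 and 18).  y = f(x) and d1[k] = df/dx_k at the
 * current x; the second derivatives d2[k1][k2] are the constants quad[k1][k2].
 * Step i flips bit k1 = BIT1(i) of x.  Since d1[k1] was last used, the only other
 * bit with a net change is k2 = BIT2(i), so d1[k1] is refreshed with quad[k1][k2].
 * Bit k first flips at i = 2^k, when x = gray(2^k - 1) = e_{k-1}; that fixes the
 * initial value d1[k] = lin[k] + quad[k][k-1]. */
int mq_gray_search(const mq_system *s, uint32_t *sols, int max_sols)
{
    uint32_t y = s->c, d1[MAXN];
    int found = 0;
    for (int k = 0; k < s->n; k++)
        d1[k] = s->lin[k] ^ (k > 0 ? s->quad[k][k - 1] : 0u);
    if (y == 0) record(0, sols, max_sols, &found);   /* x = 0 is checked before the loop */
    for (uint32_t i = 1; i < (1u << s->n); i++) {
        int k1 = lowest_set_bit(i);
        uint32_t rest = i & (i - 1);                 /* i without its lowest set bit */
        if (rest) d1[k1] ^= s->quad[k1][lowest_set_bit(rest)];
        y ^= d1[k1];
        if (y == 0) record(i ^ (i >> 1), sols, max_sols, &found);  /* x = gray(i) */
    }
    return found;
}

/* Parallelization (slide 20): fix the top i variables to the bits of `fixed`
 * (bit 0 of fixed is x_{n-i}) and build the subsystem in the remaining n-i
 * variables.  Quadratic terms among the free variables are copied unchanged:
 * all 2^i subsystems share them.  A fixed x_j = 1 folds quad[j][k] into lin[k],
 * and lin[j] (plus quad[j][k] for fixed pairs) into the constant. */
void mq_fix_top(const mq_system *s, int i, uint32_t fixed, mq_system *sub)
{
    int nf = s->n - i;
    mq_init(sub, nf, s->m);
    sub->c = s->c;
    for (int j = 0; j < nf; j++) {
        sub->lin[j] = s->lin[j];
        for (int k = 0; k < nf; k++) sub->quad[j][k] = s->quad[j][k];
    }
    for (int j = nf; j < s->n; j++) {
        if (!((fixed >> (j - nf)) & 1u)) continue;
        sub->c ^= s->lin[j];
        for (int k = 0; k < nf; k++) sub->lin[k] ^= s->quad[j][k];
        for (int k = nf; k < j; k++)
            if ((fixed >> (k - nf)) & 1u) sub->c ^= s->quad[j][k];
    }
}

/* Run the 2^i subsystems one after another (the FPGA runs them side by side)
 * and map every local solution back to a full input. */
int mq_parallel_search(const mq_system *s, int i, uint32_t *sols, int max_sols)
{
    int found = 0;
    for (uint32_t fixed = 0; fixed < (1u << i); fixed++) {
        mq_system sub;
        uint32_t local[1u << MAXN];
        mq_fix_top(s, i, fixed, &sub);
        int cnt = mq_gray_search(&sub, local, 1 << sub.n);
        for (int t = 0; t < cnt; t++)
            record(local[t] | (fixed << sub.n), sols, max_sols, &found);
    }
    return found;
}

/* Equation 0 is the slides' f = x4x2 + x3x0 + x2x1 + x3 + x1 + x0 + 1. */
void slide_equation(mq_system *s)
{
    mq_init(s, 5, 1);
    mq_add_q(s, 0, 4, 2); mq_add_q(s, 0, 3, 0); mq_add_q(s, 0, 2, 1);
    mq_add_l(s, 0, 3); mq_add_l(s, 0, 1); mq_add_l(s, 0, 0); mq_add_c(s, 0);
}

/* Constructed 4-equation system: the slides' f plus three made-up equations,
 * chosen so that exactly one of the 32 inputs (x = 10110b = 22) satisfies all. */
void sample_system(mq_system *s)
{
    slide_equation(s);
    s->m = 4;
    mq_add_l(s, 1, 4); mq_add_q(s, 1, 2, 0); mq_add_l(s, 1, 1);
    mq_add_q(s, 2, 3, 2); mq_add_q(s, 2, 4, 1); mq_add_l(s, 2, 0); mq_add_c(s, 2);
    mq_add_q(s, 3, 4, 3); mq_add_l(s, 3, 2); mq_add_l(s, 3, 1); mq_add_l(s, 3, 0);
}

int main(void)
{
    mq_system s; uint32_t sols[32];
    sample_system(&s);
    int cnt = mq_parallel_search(&s, 2, sols, 32);   /* 4 instances, 3 free variables each */
    printf("%d solution(s)%s%u\n", cnt, cnt ? ", first x = " : "", cnt ? sols[0] : 0u);
    return 0;
}
```

The slides' three evaluation points are reproducible with mq_eval (f(01010b) = 1, f(01011b) = 1, f(01001b) = 0), and mq_gray_search on the single slide equation finds its 16 zeros, the same set the subsystems of mq_parallel_search return once their solutions are shifted back into the full 5-bit input. The derivative bookkeeping costs n words of state per instance and one XOR with a constant quad[k1][k2] per step, which is exactly the d' / d'' split that the instance block on slide 22 implements in flip-flops and a LUT.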

  22. Instance (Exhaustive Search on FPGAs, 10 / 13)
      Block diagram of one instance (labels recovered from the figure):
        - d'' is held in a LUT-6 or RAM and selected by k1; program a LUT-6 directly as two LUT-5.
        - d' and y sit in flip-flops and are updated each step:
            new_d' = d' ⊕ d'';
            new_y  = d' ⊕ d'' ⊕ y;
        - solutions (sol) leave through a buffer.
        - Instances inst j,k, inst j,k+1, inst j,k+2, inst j,k+3 are grouped as inst j,k...k+3.
