solving discrete logarithms in smooth order groups with
play

Solving Discrete Logarithms in Smooth-Order Groups with CUDA Ryan - PowerPoint PPT Presentation

Apr 01, 2023 •28 likes •468 views

Solving Discrete Logarithms in Smooth-Order Groups with CUDA Ryan Henry Ian Goldberg Solving Discrete Logarithms in Smooth-Order Groups with CUDA Definition Let G be a cyclic group of order q and let g G be a generator. Given G , the

  1. Solving Discrete Logarithms in Smooth-Order Groups with CUDA Ryan Henry Ian Goldberg

  2. Solving Discrete Logarithms in Smooth-Order Groups with CUDA Definition Let G be a cyclic group of order q and let g ∈ G be a generator. Given α ∈ G , the discrete logarithm (DL) problem is to find x ∈ Z q such that g x = α . 01 / 21

  3. Solving Discrete Logarithms in Smooth-Order Groups with CUDA Definition Let G be a cyclic group of order q and let g ∈ G be a generator. Given α ∈ G , the discrete logarithm (DL) problem is to find x ∈ Z q such that g x = α . Why do we care? ◮ Computing DLs is apparently difficult for classical computers ◮ Inverse problem (modular exponentiation) is easy ◮ Many cryptographic protocols exploit this asymmetry 01 / 21

  4. Solving Discrete Logarithms in Smooth-Order Groups with CUDA Definition An integer n is called B -smooth if each of its prime factors is bounded above by B . A smooth-order group is just a group whose order is B -smooth for some “suitably small” value of B . 02 / 21

  5. Solving Discrete Logarithms in Smooth-Order Groups with CUDA Definition An integer n is called B -smooth if each of its prime factors is bounded above by B . A smooth-order group is just a group whose order is B -smooth for some “suitably small” value of B . Why do we care? ◮ If ϕ ( N ) is B -smooth, then Z ∗ N has smooth order ◮ Many DL-based cryptographic protocols work in Z ∗ N ◮ Pollard’s rho algorithm (plus Pohlig-Hellman) solves DLs in time proportional to smoothness of group order 02 / 21

  6. Solving Discrete Logarithms in Smooth-Order Groups with CUDA Definition The Compute Unified Device Architecture (CUDA) is Nvidia’s parallel computing architecture. It enables developers to use CUDA-enabled Nvidia GPUs for general purpose computing. 03 / 21

  7. Solving Discrete Logarithms in Smooth-Order Groups with CUDA Definition The Compute Unified Device Architecture (CUDA) is Nvidia’s parallel computing architecture. It enables developers to use CUDA-enabled Nvidia GPUs for general purpose computing. Why do we care? ◮ Nvidia GPUs are widely deployed, and offer better price-to-GFLOP ratio than CPUs ◮ Modern GPUs have many cores and support highly parallel computation ◮ Pollard’s rho algorithm is extremely parallelizable 03 / 21

  8. In this presentation, we... ◮ describe Pollard’s rho algorithm and its parallel variant 04 / 21

  9. In this presentation, we... ◮ describe Pollard’s rho algorithm and its parallel variant ◮ discuss CUDA and GP GPU computing on Nvidia GPUs 04 / 21

  10. In this presentation, we... ◮ describe Pollard’s rho algorithm and its parallel variant ◮ discuss CUDA and GP GPU computing on Nvidia GPUs ◮ present our implementation of modular multiplication and parallel rho in CUDA and analyze its performance 04 / 21

  11. In this presentation, we... ◮ describe Pollard’s rho algorithm and its parallel variant ◮ discuss CUDA and GP GPU computing on Nvidia GPUs ◮ present our implementation of modular multiplication and parallel rho in CUDA and analyze its performance ◮ point out a simple attack on Boudot’s zero-knowledge range proofs 04 / 21

  12. In this presentation, we... ◮ describe Pollard’s rho algorithm and its parallel variant ◮ discuss CUDA and GP GPU computing on Nvidia GPUs ◮ present our implementation of modular multiplication and parallel rho in CUDA and analyze its performance ◮ point out a simple attack on Boudot’s zero-knowledge range proofs ◮ construct and analyze trapdoor discrete logarithm groups 04 / 21

  13. Part I: Pollard’s rho

  14. Pollard’s rho algorithm (1/4) Problem Given g , h ∈ G , compute the discrete logarithm x ∈ Z n of h with respect to g . 05 / 21

  15. Pollard’s rho algorithm (1/4) Problem Given g , h ∈ G , compute the discrete logarithm x ∈ Z n of h with respect to g . Key observation: ◮ Consider elements g a h b ∈ G and search for collisions ◮ Since g a 1 h b 1 = g a 2 h b 2 = ⇒ g a 1 − a 2 = h b 2 − b 1 , we have ⇒ x ≡ ( a 1 − a 2 )( b 2 − b 1 ) − 1 mod n a 1 − a 2 ≡ x ( b 2 − b 1 ) mod n = � ◮ Birthday paradox: about π n / 2 selections should ⇒ expected runtime and storage in Θ( √ n ) suffice = 05 / 21

  16. Pollard’s rho algorithm (2/4) Problem Given g , h ∈ G , compute the discrete logarithm x ∈ Z n of h with respect to g . Pollard’s idea: ◮ Walk through G using iteration function f : G → G , f ( g a i h b i ) = g a i + 1 h b i + 1 ◮ Collisions = ⇒ cycles, which are cheap to detect ◮ If iteration function behaves “randomly enough”, then expected runtime is in Θ( √ n ) and storage is in Θ( 1 ) 06 / 21

  17. Pollard’s rho algorithm (3/4) gai + 1 hbi + 1 gai + 2 hbi + 2 gai + 3 hbi + 3 gai hbi gaj hbj gaj − 1 hbj − 1 gai − 1 hbi − 1 ga 2 hb 2 ga 1 hb 1 ga 0 hb 0 07 / 21

  18. Pollard’s rho algorithm (3/4) gai + 1 hbi + 1 gai + 2 hbi + 2 gai + 1 hbi + 1 gai + 1 hbi + 1 gai + 3 hbi + 3 gai + 2 hbi + 2 gai + 2 hbi + 2 gai hbi gaj hbj gaj − 1 hbj − 1 gai + 3 hbi + 3 gai + 3 hbi + 3 gai hbi gaj hbj gai hbi gaj hbj gaj − 1 hbj − 1 gaj − 1 hbj − 1 gai − 1 hbi − 1 gai − 1 hbi − 1 gai − 1 hbi − 1 ga 2 hb 2 ga 2 hb 2 ga 2 hb 2 ga 1 hb 1 ga 1 hb 1 ga 0 hb 0 ga 1 hb 1 ga 0 hb 0 ga 0 hb 0 07 / 21

  19. Pollard’s rho algorithm (4/4) Problem Given g , h ∈ G , compute the discrete logarithm x ∈ Z n of h with respect to g . van Oorschot’s and Wiener’s idea: ◮ Define a distinguished point (DP) as any point with some cheap-to-detect property (e.g., m trailing zeros) ◮ Run Ψ client threads in parallel, each reporting DPs to a central server that checks for collisions � √ n / Ψ ◮ Expected runtime is in Θ � 08 / 21

  20. Part II: GPUs and CUDA

  21. SMPs and CUDA cores Fermi architecture Instruction cache ◮ GPU has several streaming Warp scheduler Warp scheduler multiprocessors (SMP) ◮ Our Tesla M2050 cards each Dispatch unit Dispatch unit have 14 SMPs Register file (2 15 × 32-bit) ◮ SIMD architecture LD/ST Core Core Core Core LD/ST SFU LD/ST Core Core Core Core LD/ST LD/ST Core Core Core Core LD/ST SFU LD/ST Core Core Core Core LD/ST LD/ST Core Core Core Core LD/ST SFU LD/ST Core Core Core Core LD/ST LD/ST Core Core Core Core LD/ST SFU LD/ST Core Core Core Core LD/ST Interconnect network 64 KB memory / L1 cache Uniform cache 09 / 21

  22. SMPs and CUDA cores Fermi architecture Instruction cache ◮ GPU has several streaming Warp scheduler Warp scheduler multiprocessors (SMP) ◮ Our Tesla M2050 cards each Dispatch unit Dispatch unit have 14 SMPs Register file (2 15 × 32-bit) ◮ SIMD architecture LD/ST CUDA Core Core Core Core Core LD/ST SFU LD/ST Dispatch port Core Core Core Core LD/ST Operand collector LD/ST Core Core Core Core LD/ST SFU LD/ST Core Core Core Core LD/ST FPU unit INT unit LD/ST Core Core Core Core LD/ST SFU LD/ST Core Core Core Core LD/ST Result queue LD/ST Core Core Core Core LD/ST SFU LD/ST Core Core Core Core LD/ST Interconnect network 64 KB memory / L1 cache Uniform cache 09 / 21

  23. CUDA memory hierarchy Thread ◮ Developer manages memory explicitly ◮ 1 clock pulse for shared Shared memory L1 cache memory and L1 cache ◮ ≈ 300 clock pulses for L2 cache Local RAM ◮ Many more clock pulses for system RAM Local RAM 10 / 21

  24. Tesla M2050 Nvidia Tesla M2050 GPU cards: ◮ Based on Fermi architecture ◮ 14 SMPs × 32 cores / SMP = 448 cores (each running at 1.55 GHz) ◮ 2 15 × 32-bit registers / SMP ◮ Configurable: 64 KB shared memory / L1 cache price: 1,299.00 USD ◮ 3 GB GDDR5 of Local RAM Our experiments used a host PC with: ◮ Intel Xeon E5620 quad core (2.4 GHz) ◮ 2 × 4 GB of DDR3-1333 RAM ◮ 2 × Tesla M2050 GPU cards 11 / 21

  25. Part III: Implementation

  26. CUDA modular multiplication (1/2) ◮ Iteration function for Pollard rho:  g x if 0 ≤ x < q  3   x 2 if q 3 ≤ x < 2 q f ( x ) = 3  h x if 2 q  3 ≤ x < q  ◮ Need fast, multiprecision modular multiplication to solve DLs in Z ∗ N ◮ We used Koç et al’s CIOS algorithm for Montgomery multiplication ◮ Low auxiliary storage = ⇒ lots of threads ◮ We do one thread per multiplication 12 / 21

  27. CUDA modular multiplication (2/2) Table: k -bit modular multiplications per second and (amortized) time per k -bit modular multiplication on a single Tesla M2050. Bit length Time per trial Amortized time Modmults of modulus ± std dev per modmult per second 192 30.538 s ± 4 ms 1.19 ns ≈ 840,336,000 256 50.916 s ± 5 ms 1.98 ns ≈ 505,050,000 512 186.969 s ± 4 ms 7.30 ns ≈ 136,986,000 768 492.6 s ± 200 ms 19.24 ns ≈ 51,975,000 1024 2304.5 s ± 300 ms 90.02 ns ≈ 11,108,000 = Larger k each multiplication takes longer ⇒ ◮ = can compute fewer multiplications in parallel ⇒ 13 / 21

  28. CUDA Pollard rho (1/2) Goal Compute discrete logarithms modulo k N -bit RSA numbers N = pq with 2 k B -smooth totient. Our implementation: ◮ Optimized for k N = 1536 and k B ≈ 55 ◮ Assumes that the factorization of p − 1 and q − 1 is known ◮ Uses Pohlig-Hellman approach to decompose problem to k B -bit subproblems ◮ Distinguished points: at least 10 trailing zeros in binary (Montgomery) representation 14 / 21

Recommend

Complexity news: Also somewhat related: discrete logarithms in Im starting to analyze

Complexity news: Also somewhat related: discrete logarithms in Im starting to analyze

Complexity news: Also somewhat related: discrete logarithms in Im starting to analyze multiplicative groups of cost of NFS + CVP small-characteristic finite fields for class groups, unit groups, the algorithm of Barbulescu, short

912 views • 80 slides
Private key versus Public Key Reviews on PKC DH ElGamal Massey Omura Discrete Logarithms

Private key versus Public Key Reviews on PKC DH ElGamal Massey Omura Discrete Logarithms

Elliptic curves over F q Reviews on PKC DH ElGamal Massey Omura Discrete Logarithms DL Attacks BSGS PohlihHellmann DL records Square roots E LLIPTIC CURVES C RYPTOGRAPHY Reminder from Yesterday Points of finite order Important

664 views • 30 slides
Fixed points for discrete logarithms Carl Pomerance , Dartmouth College Suppose that G is a group

Fixed points for discrete logarithms Carl Pomerance , Dartmouth College Suppose that G is a group

ANTS IX, Nancy, France Fixed points for discrete logarithms Carl Pomerance , Dartmouth College Suppose that G is a group and g G has finite order m . Then for each t g the integers n with g n = t form a residue class mod m . Denote

585 views • 40 slides
Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la

Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la

Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la factorisation dentiers et le calcul de logarithme discret Cyril Bouvier CARAMEL project-team, LORIA Universit de Lorraine / CNRS / Inria

470 views • 42 slides
Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in

Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in

Index Calculus Method Small char Finite Fields 9234 bits Impact on Pairings Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in F 2 4 1223 and F 2 12 367 ) Jens Zumbr agel Institute of

367 views • 32 slides
I-Complexity and Discrete Towards Precise . . . Derivative of Logarithms: Our Result Proof A

I-Complexity and Discrete Towards Precise . . . Derivative of Logarithms: Our Result Proof A

Kolmogorov Complexity Need for Approximate . . . I-Complexity Good Properties of I- . . . I-Complexity and Discrete Towards Precise . . . Derivative of Logarithms: Our Result Proof A Group-Theoretic Acknowledgments References Explanation

481 views • 12 slides
Solving exponential and logarithmic equations We explore some results involving exponential

Solving exponential and logarithmic equations We explore some results involving exponential

Solving exponential and logarithmic equations We explore some results involving exponential equations and logarithms. Elementary Functions Part 3, Exponential Functions &amp; Logarithms In this presentation we concentrate on using logarithms to

1.2k views • 4 slides
Logarithms 2-1 Definition of Logarithms

Logarithms 2-1 Definition of Logarithms

Logarithms 2-1 Definition of Logarithms If x = b y then y = log b x where x and b are positive numbers and b 1 log b x is read as logarithm of x to the base of b . 2 - 2

318 views • 9 slides
DISCRETE LOGARITHMS Elliptic Curve Cryptography December 2019 Bochum, Germany IN

DISCRETE LOGARITHMS Elliptic Curve Cryptography December 2019 Bochum, Germany IN

ECC 2019: 23rd Workshop on DISCRETE LOGARITHMS Elliptic Curve Cryptography December 2019 Bochum, Germany IN QUASI-POLYNOMIAL TIME Based on a joint work with Thorsten Kleinjung IN FINITE FIELDS OF SMALL CHARACTERISTIC Benjamin Wesolowski

700 views • 47 slides
Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve

Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve

Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve Cryptography Nicolas Thriault ntheriau@fields.utoronto.ca Fields Institute Discrete Logarithms Suppose that G = a , an additive group of order

230 views • 21 slides
Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 ,

Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 ,

Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 , May 11.-15. 2020 Andre Esser and Alexander May Horst Grtz Institute for IT Security Ruhr University Bochum Subset Sum Subset Sum Problem 0

464 views • 23 slides
Quantum algorithms for computing short discrete logarithms and factoring RSA integers PQCrypto

Quantum algorithms for computing short discrete logarithms and factoring RSA integers PQCrypto

Quantum algorithms for computing short discrete logarithms and factoring RSA integers PQCrypto 2017, 8th International Workshop, Utrecht, June 26-28, 2017 Martin Eker 1 , 2 Johan Hstad 1 1 KTH Royal Institute of Technology, SE-100 44

728 views • 31 slides
JUST THE MATHS SLIDES NUMBER 1.4 ALGEBRA 4 (Logarithms) by A.J.Hobson 1.4.1 Common

JUST THE MATHS SLIDES NUMBER 1.4 ALGEBRA 4 (Logarithms) by A.J.Hobson 1.4.1 Common

JUST THE MATHS SLIDES NUMBER 1.4 ALGEBRA 4 (Logarithms) by A.J.Hobson 1.4.1 Common logarithms 1.4.2 Logarithms in general 1.4.3 Useful Results 1.4.4 Properties of logarithms 1.4.5 Natural logarithms 1.4.6 Graphs of logarithmic and

397 views • 13 slides
Groups of order p k for k = 1 , 2 , . . . , 6 p = 2 p = 3 p 5 p 1 1 1 p 2 2 2 2 p 3 5

Groups of order p k for k = 1 , 2 , . . . , 6 p = 2 p = 3 p 5 p 1 1 1 p 2 2 2 2 p 3 5

The groups of order p 7 Eamonn OBrien and Michael Vaughan-Lee The groups of order p 7 p. 1 Groups of order p k for k = 1 , 2 , . . . , 6 p = 2 p = 3 p 5 p 1 1 1 p 2 2 2 2 p 3 5 5 5 p 4 14 15 15 p 5 51 67 u p 6 267 504

663 views • 33 slides
Number Theory Arithmetic Fermats and Eulers Theorems Discrete Cryptography Logarithms

Number Theory Arithmetic Fermats and Eulers Theorems Discrete Cryptography Logarithms

Cryptography Number Theory Divisibility and Primes Modular Number Theory Arithmetic Fermats and Eulers Theorems Discrete Cryptography Logarithms Computationally Hard Problems School of Engineering and Technology CQUniversity

964 views • 67 slides
Asymmetric cryptography from discrete logarithms Benjamin Smith Summer school on real-world

Asymmetric cryptography from discrete logarithms Benjamin Smith Summer school on real-world

Asymmetric cryptography from discrete logarithms Benjamin Smith Summer school on real-world crypto and privacy Sibenik, Croatia // June 17 2019 Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Asymmetric crypto settings

1.17k views • 86 slides
Discrete Logarithms and Galois Invariant Smoothness Basis (with J.-M. Couveignes) R. Lercier

Discrete Logarithms and Galois Invariant Smoothness Basis (with J.-M. Couveignes) R. Lercier

Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion Discrete Logarithms and Galois Invariant Smoothness Basis (with J.-M. Couveignes) R. Lercier DGA/CELAR &amp; University of Rennes France Reynald.Lercier (at)

650 views • 38 slides
Applications of Verified Methods for Solving Non-smooth Initial Value Problems Ekaterina Auer,

Applications of Verified Methods for Solving Non-smooth Initial Value Problems Ekaterina Auer,

Motivation Non-smooth IVPs Example Applications Conclusions Applications of Verified Methods for Solving Non-smooth Initial Value Problems Ekaterina Auer, Andreas Rauh University of Duisburg-Essen, University of Rostock June 14, 2011

420 views • 31 slides
Rules for logarithms We review the properties of logarithms from the previous lecture. In that

Rules for logarithms We review the properties of logarithms from the previous lecture. In that

Rules for logarithms We review the properties of logarithms from the previous lecture. In that lecture, we developed the following identities. The Product Property is an identity involving the logarithm of product: Elementary Functions log

93 views • 6 slides
Discrete groups acting on complex projective spaces e Seade 1 Jos 1 Instituto de Matem

Discrete groups acting on complex projective spaces e Seade 1 Jos 1 Instituto de Matem

Discrete groups acting on complex projective spaces e Seade 1 Jos 1 Instituto de Matem aticas, Universidad Nacional Aut onoma de M exico. LMS Singularity Day, Liverpool, G.B., March 29, 2016 Seade Discrete groups acting on complex

924 views • 48 slides
A sequential quadratic Hamiltonian scheme for solving optimal control problems with non-smooth

A sequential quadratic Hamiltonian scheme for solving optimal control problems with non-smooth

A sequential quadratic Hamiltonian scheme for solving optimal control problems with non-smooth cost functionals Alfio Borz and Tim Breitenbach Institute for Mathematics, University of Wrzburg, Germany A sequential quadratic Hamiltonian

697 views • 41 slides
Continuous-Discrete Filtering using the Zakai Equation: Smooth Likelihood Surface Hermann Singer

Continuous-Discrete Filtering using the Zakai Equation: Smooth Likelihood Surface Hermann Singer

Continuous-Discrete Filtering using the Zakai Equation: Smooth Likelihood Surface Hermann Singer Department of Economics FernUniversitt in Hagen Statistische Woche Trier September 2019 October 16, 2019 1/21 Continuous Time State Space

512 views • 23 slides
Outline Optimisation Discrete Introduction 1 Solving the Knapsack Problem Heuristics for the

Outline Optimisation Discrete Introduction 1 Solving the Knapsack Problem Heuristics for the

Outline Optimisation Discrete Introduction 1 Solving the Knapsack Problem Heuristics for the Knapsack Problem 2 Solving the Continuous Knapsack Problem Sonia Cafieri 3 ENAC Exact solution of the KP 4 Branch and Bound algorithms for IP

563 views • 12 slides
Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and Paul Wolfger Graz University of Technology WECC 2014, Chennai, India We solved the discrete logarithm of a 113-bit Koblitz Curve.

572 views • 34 slides

More recommend