Solving Quadratic Equations with XL on Parallel Architectures

Transcription

1 Solving Quadratic Equations with XL on Parallel Architectures Cheng Chen-Mou 1, Chou Tung 2, Ni Ru-Ben 2, Yang Bo-Yin 2 1 National Taiwan University 2 Academia Sinica Taipei, Taiwan Leuven, Sept. 11, 2012

2 Solving Quadratic Equations with XL on Parallel Architectures Chen-Mou Cheng 1, Tung Chou 2, Ruben Niederhagen 2, Bo-Yin Yang 2 1 National Taiwan University 2 Academia Sinica Taipei, Taiwan Leuven, Sept. 11, 2012

3 The XL algorithm Some cryptographic systems can be attacked by solving a system of multivariate quadratic equations, e.g.: AES: 8000 quadratic equations with 1600 variables over F 2 (Courtois and Pieprzyk, 2002) 840 sparse quadratic equations and 1408 linear equations over 3968 variables of F 256 (Murphy and Robshaw, 2002) multivariate cryptographic systems, e.g. QUAD stream cipher (cryptanalysis by Yang, Chen, Bernstein, and Chen, 2007)

4 The XL algorithm XL is an acronym for extended linearization: extend a quadratic system by multiplying with appropriate monomials linearize by treating each monomial as an independent variable solve the linearized system special case of Gröbner basis algorithms first suggested by Lazard (1983) reinvented by Courtois, Klimov, Patarin, and Shamir (2000) alternative to Gröbner basis solvers like Faugère s F 4 (1999, e.g., Magma) and F 5 (2002) algorithms

5 The XL algorithm For b N n denote by x b the monomial x b 1 1 x b x n bn b = b 1 + b b n the total degree of x b. and by given: choose: extend: linearize: solve: finite field K = F q system A of m multivariate quadratic equations: l 1 = l 2 = = l m = 0, l i K[x 1, x 2,..., x n ] operational degree D N system A to the system R (D) = {x b l i = 0 : b D 2, l i A} consider x d, d D a new variable to obtain a linear system M linear system M

6 The XL algorithm For b N n denote by x b the monomial x b 1 1 x b x n bn b = b 1 + b b n the total degree of x b. and by given: finite field K = F q system A of m multivariate quadratic equations: l 1 = l 2 = = l m = 0, l i K[x 1, x 2,..., x n ] choose: operational degree D N How? extend: system A to the system R (D) = {x b l i = 0 : b D 2, l i A} linearize: consider x d, d D a new variable to obtain a linear system M solve: linear system M

7 The XL algorithm For b N n denote by x b the monomial x b 1 1 x b x n bn b = b 1 + b b n the total degree of x b. and by given: finite field K = F q system A of m multivariate quadratic equations: l 1 = l 2 = = l m = 0, l i K[x 1, x 2,..., x n ] choose: operational degree D N How? extend: system A to the system R (D) = {x b l i = 0 : b D 2, l i A} linearize: consider x d, d D a new variable to obtain a linear system M solve: linear system M minimum degree D 0 for reliable termination (Yang and Chen): D 0 := min{d : ((1 λ) m n 1 (1 + λ) m )[D] 0}

8 The XL algorithm For b N n denote by x b the monomial x b 1 1 x b x n bn b = b 1 + b b n the total degree of x b. and by given: finite field K = F q system A of m multivariate quadratic equations: l 1 = l 2 = = l m = 0, l i K[x 1, x 2,..., x n ] choose: operational degree D N How? extend: system A to the system R (D) = {x b l i = 0 : b D 2, l i A} linearize: consider x d, d D a new variable to obtain a linear system M solve: linear system M How? minimum degree D 0 for reliable termination (Yang and Chen): D 0 := min{d : ((1 λ) m n 1 (1 + λ) m )[D] 0}

9 The XL algorithm For b N n denote by x b the monomial x b 1 1 x b x n bn b = b 1 + b b n the total degree of x b. and by given: finite field K = F q system A of m multivariate quadratic equations: l 1 = l 2 = = l m = 0, l i K[x 1, x 2,..., x n ] choose: operational We use the degree Wiedemann D N algorithm How? extend: system insteada of toathe Gauss system solver. Thus, we R do (D) not = {x compute b l i = 0 : a b complete D 2, Gröbner l i A} consider basis but x d distinguished, d D a new solutions! variable linearize: to obtain a linear system M solve: linear system M How? minimum degree D 0 for reliable termination (Yang and Chen): D 0 := min{d : ((1 λ) m n 1 (1 + λ) m )[D] 0}

10 The Wiedemann algorithm the basic idea given: A K N N wanted: v K N such that Av = 0 solution: compute minimal polynomial f of A of degree d: f (A) = 0 d f i A i = 0 i=0 d f i A i z = 0 i=0 d f i A i z + f 0 z = 0 i=1 d f i A i z = 0 since f 0 = 0 i=1 ( d ) A f i A i 1 z = 0 i=1 } {{ } =v choose z K N randomly

11 The Wiedemann algorithm the basic idea given: A K N N wanted: v K N such that Av = 0 How? solution: compute minimal polynomial f of A of degree d: f (A) = 0 d f i A i = 0 i=0 d f i A i z = 0 i=0 d f i A i z + f 0 z = 0 i=1 d f i A i z = 0 since f 0 = 0 i=1 ( d ) A f i A i 1 z = 0 i=1 } {{ } =v choose z K N randomly

12 The Berlekamp Massey algorithm Given a linearly recurrent sequence S = {a i } i=0, a i K, compute an annihilating polynomial f of degree d such that d f i a j+i = 0, for all j N. i=0 The Berlekamp Massey algorithm requires the first 2 d elements of S as input and computes f i K, 0 i d.

13 The Berlekamp Massey algorithm Given a linearly recurrent sequence a i = xa i z, x K 1 N S = {a i } i=0, a i K, compute an annihilating polynomial f of degree d such that d f i a j+i = 0, for all j N. i=0 The Berlekamp Massey algorithm requires the first 2 d elements of S as input and computes f i K, 0 i d.

14 The block Wiedemann algorithm Due to Coppersmith (1994), three steps: Input: A K N N, parameters m, n N, κ N of size N/m + N/n + O(1).

15 The block Wiedemann algorithm Due to Coppersmith (1994), three steps: Input: A K N N, parameters m, n N, κ N of size N/m + N/n + O(1). BW1: Compute sequence {a i } κ i=0 of matrices a i K n m using random matrices x K m N and z K N n a i = (xa i y) T, for y = Az. O ( N 2 (w A + m) )

16 The block Wiedemann algorithm Due to Coppersmith (1994), three steps: Input: A K N N, parameters m, n N, κ N of size N/m + N/n + O(1). BW1: Compute sequence {a i } κ i=0 of matrices a i K n m using random matrices x K m N and z K N n a i = (xa i y) T, for y = Az. O ( N 2 (w A + m) ) BW2: Use block Berlekamp Massey to compute polynomial f with coefficients in K n n. Coppersmith s version: O(N 2 n) Thomé s version: O(N log 2 N n)

17 The block Wiedemann algorithm Due to Coppersmith (1994), three steps: Input: A K N N, parameters m, n N, κ N of size N/m + N/n + O(1). BW1: Compute sequence {a i } κ i=0 of matrices a i K n m using random matrices x K m N and z K N n a i = (xa i y) T, for y = Az. O ( N 2 (w A + m) ) BW2: Use block Berlekamp Massey to compute polynomial f with coefficients in K n n. Coppersmith s version: O(N 2 n) Thomé s version: O(N log 2 N n) BW3: Evaluate the reverse of f : W = deg(f ) j=0 A j z(f deg(f ) j ) T. O ( N 2 (w A + n) )

18 Parallelization of BW1 Input: A K N N, parameters m, n N, κ N of size N/m + N/n + O(1). Compute sequence {a i } κ i=0 of matrices a i K n m using random matrices x K m N and z K N n a i = (xa i y) T, for y = Az using {t i } κ i=0, t i K N n, { y = Az for i = 0 t i = At i 1 for 0 < i κ, a i = (xt i ) T.

19 Parallelization of BW1 INPUT: macaulay_matrix<n, N> A; sparse_matrix<n, n> z; matrix<n, n> t_new, t_old; matrix<m, n> a[n/m + N/n + O(1)]; sparse_matrix<m, N, weight> x; x.rand(); t_old = z; for (unsigned i = 0; i <= N/m + N/n + O(1); i++) { t_new = A * t_old; a[i] = x * t_new; swap(t_old, t_new); } RETURN a

20 Parallelization of BW1 multicore processor t i = A t i 1

21 Parallelization of BW1 multicore processor 2 cores t i = A t i 1

22 Parallelization of BW1 multicore processor 4 cores t i = A t i 1

23 Parallelization of BW1 multicore processor 4 cores t i = A t i 1

24 Parallelization of BW1 multicore processor 4 cores t i = A t i 1 OpenMP

25 Parallelization of BW1 cluster system t i = A t i 1

26 Parallelization of BW1 cluster system 2 computing nodes t i = A t i 1

27 Parallelization of BW1 cluster system 4 computing nodes t i = A t i 1

28 Parallelization of BW1 cluster system 4 computing nodes t i = A t i 1

29 Parallelization of BW1 cluster system 4 computing nodes a (i) K n m n t i = A t i 1

30 Parallelization of BW1 cluster system BW1 BW2 Thomé BW2 Coppersmith BW3 Runtime [s] Block Width: m = n

31 Parallelization of BW1 cluster system Memory [GB] BW2 Thomé BW2 Coppersmith 36 GB Block Width: m = n

32 Parallelization of BW1 cluster system t i = A t i 1

33 Parallelization of BW1 cluster system 2 computing nodes t i = A t i 1

34 Parallelization of BW1 cluster system 4 computing nodes t i = A t i 1

35 Parallelization of BW1 cluster system 4 computing nodes t i = A t i 1

36 Parallelization of BW1 cluster system 4 computing nodes t i = A t i 1

37 Parallelization of BW1 cluster system 4 computing nodes t i t i = A t i 1 t i 1

38 Parallelization of BW1 cluster system 4 computing nodes t i t i 1 = A t i 1 t i 1

39 Parallelization of BW1 cluster system 4 computing nodes t i t i = A t i t i 1

40 Parallelization of BW1 cluster system 4 computing nodes t i t i = A t i t i 1 MPI: ISend, IRecv,...

41 Parallelization of BW1 cluster system 4 computing nodes t i t i = A t i t i 1

42 Parallelization of BW1 cluster system 4 computing nodes t i t i = A t i t i 1

43 Parallelization of BW1 cluster system 4 computing nodes t i t i = A t i t i 1

44 Parallelization of BW1 cluster system 4 computing nodes t i t i = A t i t i 1

45 Parallelization of BW1 cluster system 4 computing nodes t i t i = A t i t i 1

46 Parallelization of BW1 cluster system 4 computing nodes t i t i = A t i t i 1 InfiniBand Verbs

47 Parallelization of BW1 cluster system Verbs API MPI Ratio Number of Nodes

48 Parallelization of BW1 cluster system Communication Computation Sent per Node Runtime Number of Cluster Nodes (InfiniBand MT26428, 2 ports of 4 QDR, 32 Gbit/s)

49 Runtime n = 16, m = 18, F 16 Runtime [min] BW1 BW2 Tho. BW2 Cop. BW Cluster NUMA Number of Cores

50 Comparison to Magma F 4 Time [hrs] XL (64 cores) XL (scaled) Magma F n, m = 2n Memory [GB] XL Magma F n, m = 2n

51 Conclusions XL with block Wiedemann as system solver is an alternative for Gröbner basis solvers, because and in about 80% of the cases it operates on the same degree, it scales well on multicore systems and moderate cluster sizes, it has a relatively small memory demand.

52 Thank you!