Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster

Transcription

1 Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and Paul Wolfger Graz University of Technology WECC 2014, Chennai, India

2 We solved the discrete logarithm of a 113-bit Koblitz Curve. Challenge generated using SHA-256 Extrapolated 24 days on 18 Virtex-6 FPGAs

3 ECDLP Records In 2000: Binary Koblitz curve - ECC2K-108 using 9,500 PCs in 126 days In 2004: Binary elliptic curve - ECC2-109 using 2,600 PCs for 510 days In 2012: Elliptic curve over 112-bit prime field using 200 Playstation 3 for 6 months

4 TU Graz Records IT-Security Lecture 2012: 75 bit in days on quad-core 2013: 80 bit in 17 days on Core i Master project: Virtex 6 FPGA 83 bit in (avg) 4.1 days Room for improvement

5

6 The higher the security level the lower the speed. With knowledge on the best attacks realistic security bounds are possible. potentially smaller parameters can be used. potentially faster algorithms can be used.

7 Elliptic Curve Discrete Logarithm Problem Parallelized Pollard s Rho Algorithm

8 We are looking for

9 Pollard s Rho Algorithm Iteration function Parallelized Pollard s Rho

10 Iteration Function

11 Iteration Function 41-bit Koblitz Curve Reference Iteration function Expected Measured iterations iterations Teske [29] f(x i )=X i + R[j] Wiener and Zuccherato [31] f(x i )= min 0applel<m l (X i + R[j]) Gallant et al. [14] f(x i )=X i + l (X i ) Bailey et al. [4] f(x i )=X i + (l mod 16)/2+3 (X i )

12 Architecture

13 FPGA Development Board

14 ASIC Design AND OR XOR One NAND Gate: NAND NOR XNOR 4 Transistors µm UMC 90nm GE Register/Flip-flop: ~5 GE

15

16 FPGA Design X-Ref Target - Figure 3 A6:A1 D COUT D DX C CX B BX A AX O6 DI2 O5 DI1 MC31 WEN CK DI1 MC31 WEN CK DI1 MC31 WEN CK DI1 MC31 WEN CK ug364_03_ DX DMUX D DQ C CQ CMUX B BQ BMUX A AQ AMUX Reset Type D FF/LAT INIT1 INIT0 SRHI SRLO SR CE CK FF/LAT INIT1 INIT0 SRHI SRLO FF/LAT INIT1 INIT0 SRHI SRLO FF/LAT INIT1 INIT0 SRHI SRLO D SR CE CK D SR CE CK D SR Q CE CK CIN 0/1 WEN CK Sync/Async FF/LAT A6:A1 O6 O5 C6:1 CX D6:1 DI A6:A1 O6 O5 B6:1 BX A6:A1 W6:W1 W6:W1 W6:W1 W6:W1 O6 O5 A6:1 AX SR CE CLK CE Q CK SR Q Q Q SRHI SRLO INIT1 INIT0 D CE Q CK SR SRHI SRLO INIT1 INIT0 D CE Q CK SR SRHI SRLO INIT1 INIT0 D CE Q CK SR SRHI SRLO INIT1 INIT0 DI2 DI2 DI2 CI BI AI LUT FF

17 FPGA Development Board

18 Multiple Small Cores Area Time

19 Core Idea

20 ECC Breaker X i c i d i Interface NextInput Point Addition F 2 m multiplier 79 % F 2 m squarer Branching Table F n adder F n adder F 2 m inverter Iteration Function Point Automorphism 14 % Lambda Table FIFO FIFO Distinguished Point Storage FIFO multiplier multiplier X i+1 c i+1 d i+1 F n F n

21 Point Addition and FF Inversion y 1 y 2 x 2 x 1 a S + M ADD ADD ADD S + M FIFO INV MUL FIFO FIFO 3S + M S + M FIFO SQU ADD 7S + M ADD 14S + M MUL ADD y 3 FIFO x 3 28S + M 56S + M S

22 Binary Field Multiplier Method Size Parallel 5,497 LUTs Mastrovito 7,104 LUTs Bernstein s Batch Binary Edwards Recursive Karatsuba 4,409 LUTs 3,757 LUTs

23 Point Automorphism i (P ) i+ smallest Point x y x y Square Square Compare x y C N C N rot 0 rot 1 rot 2 rot 3... x' y' x' y' FIFO i+1 (P ) FIFO comparator tree BARREL ROTATE N C N C x' y'

24 Details 210 pipeline stages Per default: canonical basis Normal basis used for point automorphism module Karatsuba Multiplier for tion Itoh-Tsujii Inversion tion Montgomery Multiplier based on DSP slices F n F 2 m F 2 m

25 Computation Time Distinguished Triples 7,000,000 5,250,000 3,500,000 1,750, Time [Days] April 19th, 2014 Extrapolated: 24 days

26 Challenge Generation import hashlib PX = str_to_poly(hashlib.sha256(str(0)).hexdigest()) PY=PolynomialRing(K, PY ).gen() P_ROOTS = (PY^2+PX*PY+PX^3+a*PX^2+b).roots() P=E([PX,P_ROOTS[0][0]]); P=P*h QX = str_to_poly(hashlib.sha256(str(1)).hexdigest()) Q_ROOTS = (PY^2+QX*PY+QX^3+a*QX^2+b).roots() Q=E([QX,Q_ROOTS[0][0]]); Q=Q*h

27 Different FPGAs Series Development Kit LUTs used maximum Frequency Price Virtex-6 ML605 38% 261 MHz 2,495 USD Spartan-6 LX150T MHz 995 USD Artix-7 AC701 62% 264 MHz 999 USD Virtex-7 VC707 28% 313 MHz 3,495 USD Kintex-7 KC705 42% 313 MHz 1,695 USD

28 Different Targets Target Iterations Costs [USD] Days (Estimated) ECC2K x 10 42, ECC x 10 42, ECC2K-130 4,055 x 10 1,000, ECC ,239 x 10 10,000, ECC ,030 x 10 1,000,000, ,934

29 Open Issues Power problems Maximum frequency: 165 MHz vs 275 MHz Multiple instances Negation map and fruitless cycles

30 Random Facts Necessary budget: 18 FPGAs: 2,500 USD x 18 = 45,000 USD Power consumption: different budget :-) 1.5 man-years: 100,000 USD (different budget) Money actually spent: 20 EUR on chocolate

31 Room for improvement YES!!!! 2x speed equals 2 extra bits to attack 128x speed equals 14 extra bits to attack

32 Expected(Number(of(Itera2ons([bits]( 70" 60" 50" 40" 30" 20" 10" 0" Prime numbers: 109, 113, 127, 131, New Challenges 113*bit"Koblitz"a=1" 113*bit"Koblitz"a=0" 113*bit"Weierstrass" 127*bit"Koblitz"a=1" 127*bit"Koblitz"a=0" 127*bit"Weierstrass" 131*bit"Koblitz"a=1" 131*bit"Koblitz"a=0" 131*bit"Weierstrass" Without"Speedup" With"Speedup"

33 Prime numbers: 109, 113, 127, 131, New Challenges

34 Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and Paul Wolfger Graz University of Technology WECC 2014, Chennai, India