Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases. D. J. Bernstein University of Illinois at Chicago
|
|
- Bruce Spencer
- 5 years ago
- Views:
Transcription
1 Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases D. J. Bernstein University of Illinois at Chicago NSF ITR
2 Part I. Linear maps Consider computing 0 = Õ 0 ; 1 = Õ 1 ; 2 = Õ 2 (Ô 0 Õ 0 Ö 0 ); 3 = (Ô 1 Õ 1 Ö 1 ); 4 = (Ô 2 Õ 2 Ö 2 ) Ö 0 ; 5 = Ö 1 ; 6 = Ö 2. Easy: 8 additions. Can find these 8 additions in several papers. But 8 is not optimal!
3 Wasting brain power is bad for the environment. Use existing algorithms to find addition chains. Apply, e.g., greedy additive CSE algorithm from 1997 Paar: find input pair 0 1 with most popular 0 1 ; compute 0 1 ; simplify using 0 1 ; repeat. This algorithm finds repeated Õ 2 Ö 0 ; uses 7 additions.
4 A new algorithm: xor largest. Start with the matrix mod 2 for the desired linear map. If two largest rows have same first bit, replace largest row by its xor with second-largest row. Otherwise change largest row by clearing first bit. In both cases, compute result recursively, and finish with one xor.
5 A small example: 1011 = Ü 0 + Ü 2 + Ü = Ü 0 + Ü 1 + Ü 2 + Ü = Ü 1 + Ü = Ü 1 + Ü 3 Replace largest row by its xor with second-largest row.
6 Recursively compute 1011 = Ü 0 + Ü 2 + Ü = Ü = Ü 1 + Ü = Ü 1 + Ü 3 plus 1 xor of first output into second output.
7 Recursively compute plus 1 input load, 2 xors.
8 Recursively compute plus 1 input load, 3 xors.
9 Recursively compute plus 1 input load, 4 xors.
10 Recursively compute plus 2 input loads, 4 xors. Note: this was just a copy.
11 Recursively compute plus 2 input loads, 4 xors.
12 Recursively compute plus 3 input loads, 5 xors.
13 Recursively compute plus 3 input loads, 5 xors.
14 Recursively compute plus 4 input loads, 5 xors.
15 Memory friendliness: Algorithm writes only to the output registers. No temporary storage. Ò inputs, Ò outputs: total 2Ò registers with 0 loads, 0 stores. Or Ò + 1 registers with Ò loads, 0 stores: each input is read only once. Or Ò registers with Ò loads, 0 stores, if platform has load-xor insn.
16 Two-operand friendliness: Platform with but without uses only Ò extra copies. Naive column sweep also uses Ò + 1 registers, Ò loads, but usually many more xors. Input partitioning (e.g., 1956 Lupanov) uses somewhat more xors, copies; somewhat more registers. Greedy additive CSE uses somewhat fewer xors but many more copies, registers.
17 For Ñ inputs and Ò outputs, average Ò Ñ matrix: The xor-largest algorithm uses ÑÒ lg Ò two-operand xors; Ò copies; Ñ loads; Ò + 1 regs.
18 For Ñ inputs and Ò outputs, average Ò Ñ matrix: The xor-largest algorithm uses ÑÒ lg Ò two-operand xors; Ò copies; Ñ loads; Ò + 1 regs. Pippenger s algorithm uses ÑÒ lg ÑÒ three-operand xors but seems to need many regs. Pippenger proved that his algebraic complexity was near optimal for most matrices (at least without mod 2), but didn t consider regs, two-operand complexity, etc.
19 Our original example: Each row has coefficients of Ô 0 Ô 1 Ô 2 Õ 0 Õ 1 Õ 2 Ö 0 Ö 1 Ö 2.
20 Our original example: plus 1 xor, 1 input load.
21 Our original example: plus 2 xors, 2 input loads.
22 Our original example: plus 3 xors, 3 input loads.
23 Our original example: plus 4 xors, 3 input loads.
24 Our original example: plus 4 xors, 4 input loads.
25 Our original example: plus 5 xors, 4 input loads.
26 Our original example: plus 5 xors, 5 input loads.
27 Our original example: plus 6 xors, 5 input loads.
28 Our original example: plus 7 xors, 6 input loads.
29 Our original example: plus 7 xors, 7 input loads.
30 Our original example: plus 7 xors, 7 input loads.
31 Our original example: plus 7 xors, 8 input loads.
32 Our original example: plus 7 xors, 8 input loads.
33 Our original example: plus 7 xors, 9 input loads. Algorithm found the speedup.
34 Part II. The Å(Ò) game Define Å(Ò) as the minimum number of bit operations (ands, xors) needed to multiply Ò-bit polys ¾ F 2 [Ü] (in standard representation). e.g. Å(2) 5: to compute Ü + 2 Ü 2 = ( Ü)( Ü) can compute 0 = 0 0, 1 = , 2 = 1 1 with 4 ands, 1 xor.
35 Schoolbook multiplication: Å(Ò) Θ(Ò 2 ) Karatsuba: Å(Ò) Θ(Ò lg 3 ) Toom: Å(Ò) Ò2 Θ(Ô lg Ò) Schönhage Strassen: Å(Ò) Θ(Ò lg Ò lg lg Ò) Fürer improves lg lg Ò for integers but doesn t help mod 2.
36 What does this tell us about Å(131) or Å(251)? Absolutely nothing! Reanalyze algorithms to see exact complexity. Rethink algorithm design to find constant-factor (and sub-constant-factor) speedups that are not visible in the asymptotics.
37 Schoolbook recursion: Å(Ò + 1) Å(Ò) + 4Ò. Hence Å(Ò) 2Ò 2 2Ò + 1. Karatsuba recursion as commonly stated: Å(2Ò) 3Å(Ò) + 8Ò 4. e.g. Karatsuba for Ò = 1: = Ü, = Ü, 0 = 0 0, 2 = 1 1, 1 = ( )( ) 0 2 µ = Ü + 2 Ü 2.
38 Karatsuba for Ò = 2: = Ü + 2 Ü Ü 3, = Ü + 2 Ü Ü 3, À 0 = ( Ü)( Ü), À 2 = ( Ü)( Ü), À 1 = ( ( )Ü) ( ( )Ü) À 0 À 2 µ = À 0 + À 1 Ü 2 + À 2 Ü 4.
39 Initial linear computation: ; cost 4. Three size-2 mults producing À 0 = Õ 0 + Õ 1 Ü + Õ 2 Ü 2 ; À 2 = Ö 0 + Ö 1 Ü + Ö 2 Ü 2 ; À 0 + À 1 + À 2 = Ô 0 + Ô 1 Ü + Ô 2 Ü 2. Final linear reconstruction: À 1 = (Ô 0 Õ 0 Ö 0 ) + (Ô 1 Õ 1 Ö 1 )Ü + (Ô 2 Õ 2 Ö 2 )Ü 2, cost 6; = À 0 + À 1 Ü 2 + À 2 Ü 4, cost 2.
40 Let s look more closely at the reconstruction: = Ü Ü 6 with 0 = Õ 0 ; 1 = Õ 1 ; 2 = Õ 2 + (Ô 0 Õ 0 Ö 0 ); 3 = (Ô 1 Õ 1 Ö 1 ); 4 = (Ô 2 Õ 2 Ö 2 ) + Ö 0 ; 5 = Ö 1 ; 6 = Ö 2.
41 Let s look more closely at the reconstruction: = Ü Ü 6 with 0 = Õ 0 ; 1 = Õ 1 ; 2 = Õ 2 + (Ô 0 Õ 0 Ö 0 ); 3 = (Ô 1 Õ 1 Ö 1 ); 4 = (Ô 2 Õ 2 Ö 2 ) + Ö 0 ; 5 = Ö 1 ; 6 = Ö 2. We ve seen this before! Reduce = 8 ops to 7 ops by reusing Õ 2 Ö 0.
42 2000 Bernstein: Å(2Ò) 3Å(Ò) + 7Ò Bernstein: new bounds on Å(Ò) from further improvements to Karatsuba, Toom, etc. binary.cr.yp.to/m.html Typically 20% smaller than 2003 Rodríguez-Henríquez Koç, 2005 Chang Kim Park Lim, 2006 Weimerskirch Paar, 2006 von zur Gathen Shokrollahi, 2007 Peter Langendörfer.
43 So far have focused on Å(Ò) for small Ò, but different techniques are better for large Ò. I m now exploring impact of 2008 Gao Mateer. For F 2 F Õ : 1988 Wang Zhu, 1989 Cantor diagonalize [Ø] (Ø Õ + Ø) using 0 5Õ lg Õ mults in, 0 5Õ(lg Õ) lg 3 adds in Gao Mateer use 0 5Õ lg Õ mults, 0 25Õ lg Õ lg lg Õ adds.
44 Who cares? Conventional wisdom: Detailed Å(Ò) analysis has very little relevance to software speed. We multiply by by looking up 4 bits of in a size-16 table of precomputed multiples of ; looking up next 4 bits; etc. One table lookup replaces many bit operations! Might use Karatsuba etc., but only for large Ò.
45 Part III. Batching Classic F index calculus Ô needs to check smoothness of many positive integers Ô. Smooth integer: integer with no prime divisors Ý. Typical: (log Ý) 2 ¾ (1 2 + Ó(1)) log Ô log log Ô. Many: typically Ý 2+Ó(1), of which Ý 1+Ó(1) are smooth. (Modern index calculus, NFS: smaller integers; smaller Ý.) How to check smoothness?
46 Old answers: Trial division, time Ý 1+Ó(1) ; rho, time Ý 1 2+Ó(1), assuming standard conjectures. Better answer: ECM etc. Time Ý Ó(1) ; specifically exp Ô (2 + Ó(1)) log Ý log log Ý, assuming standard conjectures. Much better answer (in standard RAM model): Known batch algorithms test smoothness of many integers simultaneously. Time per input: (log Ý) Ç(1) = exp Ç(log log Ý).
47 General pattern: Algorithm designer optimizes algorithm for one input. But algorithm is then applied to many inputs! Oops. Often much better speed from batch algorithms optimized for many inputs. e.g. Batch ECDL: Ô # speedup. Batch NFS: smaller exponent. Can find many more examples.
48 Surprising recent example: Batching can save time in multiplication! Largest speedups: F 2 [Ü]. Consequence: New speed record for public-key cryptography scalar mults/second on a 3.2GHz Phenom II X4 for a secure elliptic curve/f
49 Surprising recent example: Batching can save time in multiplication! Largest speedups: F 2 [Ü]. Consequence: New speed record for public-key cryptography scalar mults/second on a 3.2GHz Phenom II X4 for a secure elliptic curve/f Note: No subfields were exploited in the creation of this record.
50 Simplest batching technique: bitslicing. Transpose 128 polynomials ¾ F 2 [Ü], each having coefficients, into vectors ¾ F 128 2, where [ ] = [ ]. Vector operation 1 33 adds bit 1 of to bit 33 of for each in parallel.
51 Bitslicing disadvantages: Table lookups are expensive. e.g. tab[ mod 16]. Conditional branches are expensive. 128 volume of data; harder to avoid load/store bottlenecks. Transposition costs roughly 1 cycle per byte; frequent transposition is bad.
52 Bitslicing advantages: Free bit extraction, bit shuffling, etc. No word-size penalty. e.g. 128 additions of -bit polynomials cost vector xors instead of Huge speedup for small. µ Productive synergy with Å(Ò) techniques.
53 Elliptic-curve addition È + É traditionally uses conditional branches: É = È? É = È? etc Bernstein: cheaply avoid conditional branches in È ÒÈ if 2 = Bernstein Lange, using Edwards curves: arbitrary group ops if 2 = Bernstein Lange Rezaeian Farashahi, binary Edwards curves : arbitrary group ops if 2 = 0.
54 Part IV. Normal bases Current ECRYPT project, spearheaded by Tanja Lange: break Certicom s ECC2K-130. i.e., compute discrete log of a challenge point on Ý 2 + ÜÝ = Ü over F Carefully selected iteration function for Pollard rho involves 5 mults, 21 squarings, 7 adds, occasional inversions, and one computation of weight in normal basis.
55 F has type-2 normal basis + 1, 2 + 2, 4 + 4,, where is primitive 263rd root of 1. Weight is sum of coefficients. Squaring is rotation. Multi-squaring is rotation. Inversion by Fermat uses many multi-squarings.
56 But fast ECDL software uses polynomial basis: e.g., basis 1 Ü Ü 2 Ü 130 of F 2 [Ü] (Ü Ü 13 + Ü 2 + Ü + 1). Many obvious disadvantages: more expensive squaring, multi-squaring, inversion; must convert to normal basis (e.g., with xor-largest) before computing weight. But huge speedup in the 5 mults: polynomial multiplication uses Karatsuba etc.; reduction is very fast.
57 How slow is normal-basis mult? Type-1 normal basis of F 2 Ò, where 2 has order Ò mod Ò + 1, is a permutation of 2 Ò in F 2 [ ] ( Ò+1 1). Å(Ò) operations to multiply, obtaining coefficients of 2 3 2Ò. 2Ò 1 operations to reduce 2 3 2Ò to 2 Ò. Alternative: Å(Ò + 1) + Ò for redundant 1 Ò.
58 Type-2 normal basis of F 2 Ò, where 2 has order Ò mod 2Ò + 1, is a permutation of + 1, 2 + 2, 3,, Ò + Ò 3 + in F 2 [ ] ( 2Ò+1 1) Gao von zur Gathen Panario Shoup: 2Å(Ò) + Ç(Ò) operations to multiply on this basis. Polynomial basis of F 2 Ò is about twice as fast.
59 2007 von zur Gathen Shokrollahi Shokrollahi: Å(Ò) + Ç(Ò lg Ò) operations to multiply on this basis Bernstein: improved variant of algorithm sets Core 2 speed records for the ECC2K-130 attack Schwabe: also Cell speed records Bernstein Lange: mix normal bases with polynomial bases and speed up reduction.
60 vzg S S in a nutshell: Write Æ = + and È = ( + 1 ). If È È È 3 = Æ Æ Æ 3 and È È È 3 = Æ Æ Æ 3 then È È È È È È È 7 = 0 + ( )Æ 1 + ( )Æ 2 + ( )Æ Æ Æ Æ Æ 7.
61 Proof: e.g., ( + 1 ) 4 ( ) = so È 4 Æ 3 = Æ 7 + Æ 1. Q.E.D. So size-8 conversion from 1 È 1 È 2 È 7 to 1 Æ 1 Æ 2 Æ 7 can be done with two size-4 conversions and three additions. Apply same idea recursively: size-ò conversion uses Ò(lg Ò Inverse has same cost. 2) additions.
62 To multiply on basis Æ 1 Æ 2 Æ Ò : Convert to 1 È 1 È Ò ; cost 0 5Ò lg Ò, twice. Polynomial product; Å(Ò + 1). Convert 1 È 1 È 2Ò to 1 Æ 1 Æ 2Ò ; cost Ò lg Ò. Eliminate Æ Ò+1 Æ 2Ò using Æ 2Ò+1 = Æ ; cost Ò. Eliminate 1 using 1 + Æ Æ Ò = 0; cost Ò.
63 Some new improvements: 1. For 1 È 1 È Ò : coefficient of 1 is 0. Cost Å(Ò) instead of Å(Ò + 1). 2. For 1 È 1 È 2Ò : coefficients of 1 È 1 are 0. Reduces cost by Ò If mults share input, reuse input conversion. Reduces cost by 0 5Ò lg Ò. 4. If output is an input, use different reduction strategy to skip a first-half conversion. Reduces cost by 0 5Ò lg Ò.
64 Can represent field element using basis È 1 È Ò for fast multiplication; or basis Æ 1 Æ Ò for fast multi-squarings; or both. Can vary this choice across field-element variables. Can also vary over time. Approximate costs: È Æ: 0 5Ò lg Ò. Æ È: 0 5Ò lg Ò. È È Æ: Å(Ò) + Ò lg Ò. È È È: Å(Ò) + Ò lg Ò. Æ 2 Æ: 0.
McBits: Fast code-based cryptography
McBits: Fast code-based cryptography Peter Schwabe Radboud University Nijmegen, The Netherlands Joint work with Daniel Bernstein, Tung Chou December 17, 2013 IMA International Conference on Cryptography
More informationFinding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago
The number-field sieve Finding small factors of integers Speed of the number-field sieve D. J. Bernstein University of Illinois at Chicago Prelude: finding denominators 87366 22322444 in R. Easily compute
More informationAdvanced code-based cryptography. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
Advanced code-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Lattice-basis reduction Define L = (0; 24)Z + (1; 17)Z = {(b; 24a + 17b) : a;
More informationMcBits: fast constant-time code-based cryptography. (to appear at CHES 2013)
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit
More informationHyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago
Hyperelliptic-curve cryptography D. J. Bernstein University of Illinois at Chicago Thanks to: NSF DMS 0140542 NSF ITR 0716498 Alfred P. Sloan Foundation Two parts to this talk: 1. Elliptic curves; modern
More informationThe tangent FFT. D. J. Bernstein University of Illinois at Chicago
The tangent FFT D. J. Bernstein University of Illinois at Chicago Advertisement SPEED: Software Performance Enhancement for Encryption and Decryption A workshop on software speeds for secret-key cryptography
More informationOn the correct use of the negation map in the Pollard rho method
On the correct use of the negation map in the Pollard rho method Daniel J. Bernstein 1, Tanja Lange 2, and Peter Schwabe 2 1 Department of Computer Science University of Illinois at Chicago, Chicago, IL
More informationInteger factorization, part 1: the Q sieve. D. J. Bernstein
Integer factorization, part 1: the Q sieve D. J. Bernstein Sieving small integers 0 using primes 3 5 7: 1 3 3 4 5 5 6 3 7 7 8 9 3 3 10 5 11 1 3 13 14 7 15 3 5 16 17 18 3 3 19 0 5 etc. Sieving and 611 +
More informationInteger factorization, part 1: the Q sieve. part 2: detecting smoothness. D. J. Bernstein
Integer factorization, part 1: the Q sieve Integer factorization, part 2: detecting smoothness D. J. Bernstein The Q sieve factors by combining enough -smooth congruences ( + ). Enough log. Plausible conjecture:
More informationLecture 6: Cryptanalysis of public-key algorithms.,
T-79.159 Cryptography and Data Security Lecture 6: Cryptanalysis of public-key algorithms. Helsinki University of Technology mjos@tcs.hut.fi 1 Outline Computational complexity Reminder about basic number
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Çetin Kaya Koç koc@cs.ucsb.edu (http://cs.ucsb.edu/~koc/ecc) Elliptic Curve Cryptography lect08 discrete log 1 / 46 Exponentiation and Logarithms in a General Group In a multiplicative
More informationCurve41417: Karatsuba revisited
Curve41417: Karatsuba revisited Chitchanok Chuengsatiansup Technische Universiteit Eindhoven September 25, 2014 Joint work with Daniel J. Bernstein and Tanja Lange Chitchanok Chuengsatiansup Curve41417:
More informationThe factorization of RSA D. J. Bernstein University of Illinois at Chicago
The factorization of RSA-1024 D. J. Bernstein University of Illinois at Chicago Abstract: This talk discusses the most important tools for attackers breaking 1024-bit RSA keys today and tomorrow. The same
More informationDistinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago
Distinguishing prime numbers from composite numbers: the state of the art D. J. Bernstein University of Illinois at Chicago Is it easy to determine whether a given integer is prime? If easy means computable
More informationAddition laws on elliptic curves. D. J. Bernstein University of Illinois at Chicago. Joint work with: Tanja Lange Technische Universiteit Eindhoven
Addition laws on elliptic curves D. J. Bernstein University of Illinois at Chicago Joint work with: Tanja Lange Technische Universiteit Eindhoven 2007.01.10, 09:00 (yikes!), Leiden University, part of
More informationThanks to: University of Illinois at Chicago NSF DMS Alfred P. Sloan Foundation
Building circuits for integer factorization D. J. Bernstein Thanks to: University of Illinois at Chicago NSF DMS 0140542 Alfred P. Sloan Foundation I want to work for NSA as an independent contractor.
More informationThree Ways to Test Irreducibility
Three Ways to Test Irreducibility Richard P. Brent Australian National University joint work with Paul Zimmermann INRIA, Nancy France 12 Feb 2009 Outline Polynomials over finite fields Irreducibility criteria
More informationThree Ways to Test Irreducibility
Outline Three Ways to Test Irreducibility Richard P. Brent Australian National University joint work with Paul Zimmermann INRIA, Nancy France 8 Dec 2008 Polynomials over finite fields Irreducibility criteria
More informationOn the strength comparison of ECC and RSA
SHARCS 2012 (Special-Purpose Hardware for Attacking Cryptographic Systems) Date: 17-18 March 2012 Place: Washington, DC, USA On the strength comparison of ECC and RSA Masaya Yasuda, Takeshi Shimoyama,
More informationObjectives. McBits: fast constant-time code-based cryptography. Set new speed records for public-key cryptography. (to appear at CHES 2013)
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) Objectives Set new speed records for public-key cryptography. D. J. Bernstein University of Illinois at Chicago & Technische
More informationDaniel J. Bernstein University of Illinois at Chicago. means an algorithm that a quantum computer can run.
Quantum algorithms 1 Daniel J. Bernstein University of Illinois at Chicago Quantum algorithm means an algorithm that a quantum computer can run. i.e. a sequence of instructions, where each instruction
More informationHigh-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers
More informationSoftware implementation of Koblitz curves over quadratic fields
Software implementation of Koblitz curves over quadratic fields Thomaz Oliveira 1, Julio López 2 and Francisco Rodríguez-Henríquez 1 1 Computer Science Department, Cinvestav-IPN 2 Institute of Computing,
More informationLow complexity bit-parallel GF (2 m ) multiplier for all-one polynomials
Low complexity bit-parallel GF (2 m ) multiplier for all-one polynomials Yin Li 1, Gong-liang Chen 2, and Xiao-ning Xie 1 Xinyang local taxation bureau, Henan, China. Email:yunfeiyangli@gmail.com, 2 School
More informationDouble-base scalar multiplication revisited
Double-base scalar multiplication revisited Daniel J. Bernstein 1,2, Chitchanok Chuengsatiansup 1, and Tanja Lange 1 1 Department of Mathematics and Computer Science Technische Universiteit Eindhoven P.O.
More information1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation
1 The Fundamental Theorem of Arithmetic A positive integer N has a unique prime power decomposition 2 Primality Testing Integer Factorisation (Gauss 1801, but probably known to Euclid) The Computational
More informationThanks to: University of Illinois at Chicago NSF CCR Alfred P. Sloan Foundation
The Poly1305-AES message-authentication code D. J. Bernstein Thanks to: University of Illinois at Chicago NSF CCR 9983950 Alfred P. Sloan Foundation The AES function ( Rijndael 1998 Daemen Rijmen; 2001
More informationPost-quantum RSA. We built a great, great 1-terabyte RSA wall, and we had the university pay for the electricity
We built a great, great 1-terabyte RSA wall, and we had the university pay for the electricity Daniel J. Bernstein Joint work with: Nadia Heninger Paul Lou Luke Valenta The referees are questioning applicability...
More informationFrequency Domain Finite Field Arithmetic for Elliptic Curve Cryptography
Frequency Domain Finite Field Arithmetic for Elliptic Curve Cryptography Selçuk Baktır, Berk Sunar {selcuk,sunar}@wpi.edu Department of Electrical & Computer Engineering Worcester Polytechnic Institute
More informationECM at Work. Joppe W. Bos 1 and Thorsten Kleinjung 2. 1 Microsoft Research, Redmond, USA
ECM at Work Joppe W. Bos 1 and Thorsten Kleinjung 2 1 Microsoft Research, Redmond, USA 2 Laboratory for Cryptologic Algorithms, EPFL, Lausanne, Switzerland 1 / 18 Security assessment of public-key cryptography
More informationA brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
A brief survey of post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption
More informationHOW TO FIND SMOOTH PARTS OF INTEGERS. 1. Introduction. usually negligible Smooth part of x. usually negligible Is x smooth?
Draft. Aimed at Math. Comp. I m rewriting [8] in light of this. HOW TO FIND SMOOTH PARTS OF INTEGERS DANIEL J. BERNSTEIN Abstract. Let P be a finite set of primes, and let S be a finite sequence of positive
More informationImplementation of the DKSS Algorithm for Multiplication of Large Numbers
Implementation of the DKSS Algorithm for Multiplication of Large Numbers Christoph Lüders Universität Bonn The International Symposium on Symbolic and Algebraic Computation, July 6 9, 2015, Bath, United
More informationIntroduction to Algorithms
Lecture 1 Introduction to Algorithms 1.1 Overview The purpose of this lecture is to give a brief overview of the topic of Algorithms and the kind of thinking it involves: why we focus on the subjects that
More informationA new class of irreducible pentanomials for polynomial based multipliers in binary fields
Noname manuscript No. (will be inserted by the editor) A new class of irreducible pentanomials for polynomial based multipliers in binary fields Gustavo Banegas Ricardo Custódio Daniel Panario the date
More informationElliptic Curves Spring 2013 Lecture #3 02/12/2013
18.783 Elliptic Curves Spring 2013 Lecture #3 02/12/2013 3.1 Arithmetic in finite fields To make explicit computations with elliptic curves over finite fields, we need to know how to perform arithmetic
More informationComputational algebraic number theory tackles lattice-based cryptography
Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right
More informationObjectives. McBits: fast constant-time code-based cryptography. Set new speed records for public-key cryptography. (to appear at CHES 2013)
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) Objectives Set new speed records for public-key cryptography. D. J. Bernstein University of Illinois at Chicago & Technische
More informationA new algorithm for residue multiplication modulo
A new algorithm for residue multiplication modulo 2 521 1 Shoukat Ali and Murat Cenk Institute of Applied Mathematics Middle East Technical University, Ankara, Turkey shoukat.1983@gmail.com mcenk@metu.edu.tr
More informationElliptic Curves Spring 2013 Lecture #12 03/19/2013
18.783 Elliptic Curves Spring 2013 Lecture #12 03/19/2013 We now consider our first practical application of elliptic curves: factoring integers. Before presenting the elliptic curve method (ECM) for factoring
More informationBlock vs. Stream cipher
Block vs. Stream cipher Idea of a block cipher: partition the text into relatively large (e.g. 128 bits) blocks and encode each block separately. The encoding of each block generally depends on at most
More informationS XMP LIBRARY INTERNALS. Niall Emmart University of Massachusetts. Follow on to S6151 XMP: An NVIDIA CUDA Accelerated Big Integer Library
S6349 - XMP LIBRARY INTERNALS Niall Emmart University of Massachusetts Follow on to S6151 XMP: An NVIDIA CUDA Accelerated Big Integer Library High Performance Modular Exponentiation A^K mod P Where A,
More informationSignatures and DLP. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein
Signatures and DLP Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein ECDSA Users can sign messages using Edwards curves. Take a point P on an Edwards curve modulo a
More informationEfficient random number generation on FPGA-s
Proceedings of the 9 th International Conference on Applied Informatics Eger, Hungary, January 29 February 1, 2014. Vol. 1. pp. 313 320 doi: 10.14794/ICAI.9.2014.1.313 Efficient random number generation
More informationD. J. Bernstein University of Illinois at Chicago
Algorithms for primes D. J. Bernstein University of Illinois at Chicago Some literature: Recognizing primes: 1982 Atkin Larson On a primality test of Solovay and Strassen ; 1995 Atkin Intelligent primality
More informationGF(2 m ) arithmetic: summary
GF(2 m ) arithmetic: summary EE 387, Notes 18, Handout #32 Addition/subtraction: bitwise XOR (m gates/ops) Multiplication: bit serial (shift and add) bit parallel (combinational) subfield representation
More informationSignatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven
Signatures and DLP-I Tanja Lange Technische Universiteit Eindhoven How to compute ap Use binary representation of a to compute a(x; Y ) in blog 2 ac doublings and at most that many additions. E.g. a =
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationInteger multiplication with generalized Fermat primes
Integer multiplication with generalized Fermat primes CARAMEL Team, LORIA, University of Lorraine Supervised by: Emmanuel Thomé and Jérémie Detrey Journées nationales du Calcul Formel 2015 (Cluny) November
More informationI. Introduction. MPRI Cours Lecture IIb: Introduction to integer factorization. F. Morain. Input: an integer N; Output: N = k
F. Morain École polytechnique MPRI cours 2-12-2 2009-2010 3/26 F. Morain École polytechnique MPRI cours 2-12-2 2009-2010 4/26 MPRI Cours 2-12-2 I. Introduction ECOLE POLYTECHNIQUE F. Morain Lecture IIb:
More informationArithmetic in Integer Rings and Prime Fields
Arithmetic in Integer Rings and Prime Fields A 3 B 3 A 2 B 2 A 1 B 1 A 0 B 0 FA C 3 FA C 2 FA C 1 FA C 0 C 4 S 3 S 2 S 1 S 0 http://koclab.org Çetin Kaya Koç Spring 2018 1 / 71 Contents Arithmetic in Integer
More informationFast integer multiplication
Fast integer multiplication David Harvey, Joris van der Hoeven, Grégoire Lecerf CNRS, École polytechnique Bordeaux, February 2, 2015 http://www.texmacs.org Fundamental complexities I(n): multiplication
More informationReducing the Complexity of Normal Basis Multiplication
Reducing the Complexity of Normal Basis Multiplication Ömer Eǧecioǧlu and Çetin Kaya Koç Department of Computer Science University of California Santa Barbara {omer,koc}@cs.ucsb.edu Abstract In this paper
More informationDiscrete Mathematics U. Waterloo ECE 103, Spring 2010 Ashwin Nayak May 17, 2010 Recursion
Discrete Mathematics U. Waterloo ECE 103, Spring 2010 Ashwin Nayak May 17, 2010 Recursion During the past week, we learnt about inductive reasoning, in which we broke down a problem of size n, into one
More informationMcBits: fast constant-time code-based cryptography
McBits: fast constant-time code-based cryptography Daniel J. Bernstein 1,2, Tung Chou 2, and Peter Schwabe 3 1 Department of Computer Science University of Illinois at Chicago, Chicago, IL 60607 7053,
More informationFields in Cryptography. Çetin Kaya Koç Winter / 30
Fields in Cryptography http://koclab.org Çetin Kaya Koç Winter 2017 1 / 30 Field Axioms Fields in Cryptography A field F consists of a set S and two operations which we will call addition and multiplication,
More informationBlock-tridiagonal matrices
Block-tridiagonal matrices. p.1/31 Block-tridiagonal matrices - where do these arise? - as a result of a particular mesh-point ordering - as a part of a factorization procedure, for example when we compute
More informationCRYPTOGRAPHIC COMPUTING
CRYPTOGRAPHIC COMPUTING ON GPU Chen Mou Cheng Dept. Electrical Engineering g National Taiwan University January 16, 2009 COLLABORATORS Daniel Bernstein, UIC, USA Tien Ren Chen, Army Tanja Lange, TU Eindhoven,
More informationAttacking and defending the McEliece cryptosystem
Attacking and defending the McEliece cryptosystem (Joint work with Daniel J. Bernstein and Tanja Lange) Christiane Peters Technische Universiteit Eindhoven PQCrypto 2nd Workshop on Postquantum Cryptography
More informationFactoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.
Factoring Algorithms Pollard s p 1 Method This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors. Input: n (to factor) and a limit B Output: a proper factor of
More informationCS 542G: Conditioning, BLAS, LU Factorization
CS 542G: Conditioning, BLAS, LU Factorization Robert Bridson September 22, 2008 1 Why some RBF Kernel Functions Fail We derived some sensible RBF kernel functions, like φ(r) = r 2 log r, from basic principles
More informationComputing Discrete Logarithms. Many cryptosystems could be broken if we could compute discrete logarithms quickly.
Computing Discrete Logarithms Many cryptosystems could be broken if we could compute discrete logarithms quickly. The first discrete logarithm algorithms below apply in any group. They are about the best
More informationCS/COE 1501 cs.pitt.edu/~bill/1501/ Integer Multiplication
CS/COE 1501 cs.pitt.edu/~bill/1501/ Integer Multiplication Integer multiplication Say we have 5 baskets with 8 apples in each How do we determine how many apples we have? Count them all? That would take
More informationEven faster integer multiplication
Even faster integer multiplication DAVID HARVEY School of Mathematics and Statistics University of New South Wales Sydney NSW 2052 Australia Email: d.harvey@unsw.edu.au JORIS VAN DER HOEVEN a, GRÉGOIRE
More informationRSA Implementation. Oregon State University
RSA Implementation Çetin Kaya Koç Oregon State University 1 Contents: Exponentiation heuristics Multiplication algorithms Computation of GCD and Inverse Chinese remainder algorithm Primality testing 2
More informationAnalysis of Algorithms [Reading: CLRS 2.2, 3] Laura Toma, csci2200, Bowdoin College
Analysis of Algorithms [Reading: CLRS 2.2, 3] Laura Toma, csci2200, Bowdoin College Why analysis? We want to predict how the algorithm will behave (e.g. running time) on arbitrary inputs, and how it will
More informationpart 2: detecting smoothness part 3: the number-field sieve
Integer factorization, part 1: the Q sieve Integer factorization, part 2: detecting smoothness Integer factorization, part 3: the number-field sieve D. J. Bernstein Problem: Factor 611. The Q sieve forms
More informationSCALED REMAINDER TREES
Draft. Aimed at Math. Comp. SCALED REMAINDER TREES DANIEL J. BERNSTEIN Abstract. It is well known that one can compute U mod p 1, U mod p 2,... in time n(lg n) 2+o(1) where n is the number of bits in U,
More informationREDUNDANT TRINOMIALS FOR FINITE FIELDS OF CHARACTERISTIC 2
REDUNDANT TRINOMIALS FOR FINITE FIELDS OF CHARACTERISTIC 2 CHRISTOPHE DOCHE Abstract. In this paper we introduce so-called redundant trinomials to represent elements of nite elds of characteristic 2. The
More informationElliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationSieve-based factoring algorithms
Sieve-based factoring algorithms From bicycle chains to number fields Eran Tromer tromer@wisdom.weizmann.ac.il Weizmann Institute of Science Sieve-based factoring p.1/23 Factoring by square root extraction
More informationFast Matrix Multiplication Over GF3
Fast Matrix Multiplication Over GF3 Matthew Lambert Advised by Dr. B. David Saunders & Dr. Stephen Siegel February 13, 2015 Matrix Multiplication Outline Fast Matrix Multiplication Outline Fast Matrix
More informationRSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer
RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer Mathematical Attacks Input Crypto Algorithm Key Output Goal: recover the key given access to the inputs
More informationParallel Numerical Algorithms
Parallel Numerical Algorithms Chapter 13 Prof. Michael T. Heath Department of Computer Science University of Illinois at Urbana-Champaign CS 554 / CSE 512 Michael T. Heath Parallel Numerical Algorithms
More informationCHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux
CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &
More informationThe Kolakoski Sequence and Some Fast Algorithms, Part 2
The Kolakoski Sequence and Some Fast Algorithms, Part 2 Richard P. Brent Australian National University and University of Newcastle 1 October 2017 Joint work with Judy-anne Osborn Copyright c 2017, R.
More informationThis is the new speed record for high-security Diffie-Hellman. Thanks to: University of Illinois at Chicago NSF CCR Alfred P.
New speed records for point multiplication D. J. Bernstein 640838 Pentium M cycles to compute a 32-byte secret shared by Dan and Tanja, given Dan s 32-byte secret key and Tanja s 32-byte public key. All
More informationA new class of irreducible pentanomials for polynomial based multipliers in binary fields
Noname manuscript No. (will be inserted by the editor) A new class of irreducible pentanomials for polynomial based multipliers in binary fields Gustavo Banegas Ricardo Custódio Daniel Panario the date
More informationArithmétique et Cryptographie Asymétrique
Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about public-key cryptography Why did mathematicians
More informationFaster ECC over F 2. (feat. PMULL)
Faster ECC over F 2 571 (feat. PMULL) Hwajeong Seo 1 Institute for Infocomm Research (I2R), Singapore hwajeong84@gmail.com Abstract. In this paper, we show efficient elliptic curve cryptography implementations
More informationF O R SOCI AL WORK RESE ARCH
7 TH EUROPE AN CONFERENCE F O R SOCI AL WORK RESE ARCH C h a l l e n g e s i n s o c i a l w o r k r e s e a r c h c o n f l i c t s, b a r r i e r s a n d p o s s i b i l i t i e s i n r e l a t i o n
More informationUniversity of Illinois at Chicago. Prelude: What is the fastest algorithm to sort an array?
Challenges in quantum algorithms for integer factorization 1 D. J. Bernstein University of Illinois at Chicago Prelude: What is the fastest algorithm to sort an array? def blindsort(x): while not issorted(x):
More informationAnother Attempt to Sieve With Small Chips Part II: Norm Factorization
Another Attempt to Sieve With Small Chips Part II: Norm Factorization Rainer Steinwandt Florida Atlantic University (joint work with Willi Geiselmann, Fabian Januszewski, Hubert Köpfer and Jan Pelzl) Setting
More informationThe Advanced Encryption Standard
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 48 The Advanced Encryption Standard Successor of DES DES considered insecure; 3DES considered too slow. NIST competition in 1997 15
More informationEfficient multiplication using type 2 optimal normal bases
Efficient multiplication using type 2 optimal normal bases Joachim von zur Gathen 1, Amin Shokrollahi 2, and Jamshid Shokrollahi 3 1 B-IT, Dahlmannstr. 2, Universität Bonn, 53113 Bonn, Germany gathen@bit.uni-bonn.de
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry
More informationMastrovito Form of Non-recursive Karatsuba Multiplier for All Trinomials
1 Mastrovito Form of Non-recursive Karatsuba Multiplier for All Trinomials Yin Li, Xingpo Ma, Yu Zhang and Chuanda Qi Abstract We present a new type of bit-parallel non-recursive Karatsuba multiplier over
More informationSmoothness Testing of Polynomials over Finite Fields
Smoothness Testing of Polynomials over Finite Fields Jean-François Biasse and Michael J. Jacobson Jr. Department of Computer Science, University of Calgary 2500 University Drive NW Calgary, Alberta, Canada
More informationElliptic Curve Discrete Logarithm Problem
Elliptic Curve Discrete Logarithm Problem Vanessa VITSE Université de Versailles Saint-Quentin, Laboratoire PRISM October 19, 2009 Vanessa VITSE (UVSQ) Elliptic Curve Discrete Logarithm Problem October
More informationEfficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves
Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves SESSION ID: CRYP-T07 Patrick Longa Microsoft Research http://research.microsoft.com/en-us/people/plonga/
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More information1: Please compute the Jacobi symbol ( 99
SCORE/xx: Math 470 Communications Cryptography NAME: PRACTICE FINAL Please show your work write only in pen. Notes are forbidden. Calculators, all other electronic devices, are forbidden. Brains are encouraged,
More informationLecture 4: DES and block ciphers
Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson 2006-01-25 1 DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the
More informationHigh-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition
High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition Joppe W. Bos, Craig Costello, Huseyin Hisil, Kristin Lauter CHES 2013 Motivation - I Group DH ECDH (F p1, ) (E F p2, +)
More informationFaster integer multiplication using short lattice vectors
Faster integer multiplication using short lattice vectors David Harvey and Joris van der Hoeven ANTS XIII, University of Wisconsin, Madison, July 2018 University of New South Wales / CNRS, École Polytechnique
More informationInverted Edwards coordinates
Inverted Edwards coordinates Daniel J. Bernstein 1 and Tanja Lange 2 1 Department of Mathematics, Statistics, and Computer Science (M/C 249) University of Illinois at Chicago, Chicago, IL 60607 7045, USA
More informationType-II Optimal Polynomial Bases
Type-II Optimal Polynomial Bases Daniel J. Bernstein 1 and Tanja Lange 2 1 Department of Computer Science MC 152) University of Illinois at Chicago, Chicago, IL 60607 7053, USA djb@cr.yp.to 2 Department
More informationECM using Edwards curves
ECM using Edwards curves Daniel J. Bernstein 1, Peter Birkner 2, Tanja Lange 2, and Christiane Peters 2 1 Department of Mathematics, Statistics, and Computer Science (M/C 249) University of Illinois at
More informationAre standards compliant Elliptic Curve Cryptosystems feasible on RFID?
Are standards compliant Elliptic Curve Cryptosystems feasible on RFID? Sandeep S. Kumar and Christof Paar Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Germany Abstract. With elliptic
More informationEdwards Curves and the ECM Factorisation Method
Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology CADO Workshop on Integer Factorization 7 October 2008 Joint work with Daniel J. Bernstein, Tanja Lange and
More information