CRYPTOGRAPHIC COMPUTING

Transcription

1 CRYPTOGRAPHIC COMPUTING ON GPU Chen Mou Cheng Dept. Electrical Engineering g National Taiwan University January 16, 2009

2 COLLABORATORS Daniel Bernstein, UIC, USA Tien Ren Chen, Army Tanja Lange, TU Eindhoven, the Netherlands Bo Yin Yang, Academia Sinica 1

3 OUTLINE Background on elliptic curve method of factorization (ECM) Our design and implementation of ECM on GPU 2

4 FACTORIZATION IN CRYPTANALYSIS RSA s security depends on how fast we can factor big integers Can use quantum computers Champion on traditional computers is General Number Field Sieves (GNFS) Factorization of (lots of) mid sized integers is an important subroutine of GNFS 3

5 FACTORIZATION OF RSA 155 In the factorization of an RSA 155 number (about ) Used 2 50 auxiliary integers < Found 2 27 smooth integers Factoring into primes < 2 30 Can C use Pollard s p 1 method or Lenstra s elliptic curve method (ECM) 4

6 POLLARD S P 1 METHOD N is B powersmooth means that for all prime p and integer n, p n N p n B Consider a simplified factorization problem Want to factor N=pq for p, q distinct primes Exists a smoothness bound B such that p 1 is B powersmooth but q 1 is not Outline of the algorithm 1. Pick a random a from {2,,p 1},p 2. Compute gcd(a R 1,N) for R=lcm(1,,B) 3. If the gcd is not 1 or N, then p is revealed 5 4. Otherwise, go to step 1 (or give up)

7 WHY IT WORKS p 1 B powersmooth that implies p 1 R=lcm(1,,B) Hence a R =a k(p 1) =1 mod p by Fermat s Little Theorem, so p a R 1 However, q 1 does not divide R since q 1 contains at least a prime power factor that is greater than B Therefore, there exists some a such that a R 1 mod q In this case, gcd(a R 1,q)=1, hence gcd(a R 1,N)=p Otherwise, gcd(a R 1,N)=N and we can pick another a Can mod N in the exponentiation of a because we are only interested in gcd(a R 1,N) at the end 6

8 HOW IT CAN FAIL 1. N does not have any prime factors that are B powersmooth gcd(a R 1,N)=1 Fix: increase B 2. All prime factors of N are B powersmooth and hence are found simultaneously gcd(a R 1,N)=N Fix: decrease B 7

9 LENSTRA S ELLIPTIC CURVE METHOD OF FACTORIZATION (ECM) Problem: find a prime factor of an integer N Outline of the algorithm Let p be a prime factor of N Choose an elliptic curve E over Q (but reduce modulo N) Set R=lcm(1,,B) for some smoothness bound B Pick a random point P on E and compute Q=[R]P Put Q in projective coordinates: Q=(X:Y:Z) If the order m of P modulo p is B powersmooth, then m R, and hence Q modulo p is the neutral element (0:1:0) on E modulo p Thus gcd(x,n) and gcd(z,n) are divisors of N 8

10 ADVANTAGES OF ECM OVER P 1 Can vary the curve, which increases the chance of finding at least one curve such that P has smooth order modulo p If using Pollard s p 1, then we are restricted to Z/pZ. When computing Q=[R]P in affine coordinates, the inversion in Z/NZ can fail since Z/NZ is not a field In this case the gcd of N and the element to be inverted is 1 and hence we have already found a divisor of N! Normally one uses Montgomery curves for ECM We replace them with Edwards curves since the 9 arithmetic is faster

11 WHY PEOPLE CARE ABOUT GPUS? 10

12 DETAILED CHARACTERISTICS OF 280 GTX Massively parallel architecture 240 cores, > 1.4 billion transistors mm 2, TDP: 236 watts (TSMC 65 nm) Thread level parallelism: use thousands of threads to fill up the instruction pipelines Peak P kperformance: 933 GFLOPS Compare: 64 GFLOPS of Core 2 Quad at 3 GHz Memory bandwidth: GB/s vs GB/s Thegap is still increasing! 11

13 GPUS INCRYPTOLOGY Various attempts since middle age of GPGPU, i.e., lots of OpenGL tweaking Attacks on symmetric ciphers Implementations of AES; many parallel executions Cook, Keromytis, CryptoGraphics: Exploiting Graphics Cards For Security, Advances in Information Security, 20, Springer, 2006 Moss, Page, Smart, Toward Acceleration of RSA Using 3D Graphics Hardware, in Cryptography and Coding

14 NVIDIA S CUDA CUDA: Compute Unified Device Architecture Provides general DRAM addressing for support of scatter and gather memory operations Adopts a general purpose programming model, in which GPUsare treated assuper threaded, super massivelydata parallel coprocessors Interface designed for computation No OpenGL, no graphics API any more! Provides high level language support Provides tools and drivers for tasks such as loading user programs onto GPU and managing GPU memory 13

15 STATE OF THE ART Szerwinski and Güneysu, Exploiting the Power of GPUs for Asymmetric Cryptography, CHES 2008, Washington, DC, USA, August 2008 Using nvidia GeForce 8800 GTS 320 (G80) 224 bit scalar 224 bit modulus Special modulus: elliptic curve scalar multiplications per second 14

16 PREVIEW OF OUR RESULT Also using same card, 8800 GTS 320 (G80) 280 bit scalar 280 bit modulus General 280 bit modulus 2414 elliptic curve scalar multiplications per second 15

17 MODULAR ARITHMETIC UNITS 28 limb, radix 2 10, schoolbook multiplication Karatsuba is slower because of inefficient use of the native floating point MAD (multiplyand add) instructions Montgomery s modular reduction Implies that small integers turn into full size modular values Result: R l turns each streaming multiprocessor li into an 8 way modular arithmetic unit 16

18 THREAD ORGANIZATION DESIGN A group of 32 threads (4 are idle) from 4 different warps work on multiplying two 28 limb, 280 bit integers Each hthread works on a 7 by 4 region 21 loads from and 10 stores to on die fast memory 28 multiplication and adds and adds plus 10 additions Each stream multiprocessor executes 256 threads Hence works on 8 modular multiplications at the same time Which thread works on what region is carefully designed Memory accesses by the threads within a same half warp are coalesced properly, avoiding bank conflict in reading from and writing to the fast on die shared memory 17

19

20 ELLIPTIC CURVE ARITHMETIC Use Edwards coordinates! Double and add with sliding window Shared memory is scarce and can only store 1 point New formulas for running two operations in parallel DBL DBL: 4M+3S+6a madd DBL: 7M+1S+7a DBL+mADD: 6M+2S+8a These numbers are even we managed to get perfect parallelism, ie i.e. no wait stages for multiplications Result: frees up enough storage so that we can 19 store 8 points: P, [3]P, [5]P,..., [15]P

21 NEW SPEED RECORDS FOR ECM curves/sec for ECM stage 1 with B1 = 8192 for 280 bit integers on a single PC Using two NVIDIA GeForce 280 GTX graphics cards and an Intel Core 2 Quad Q6600 CPU A single 280 GTX can do modular multiplications per second Compare to (almost) speed leader on CPU, the GMP ECM: curves/secon a 2.4GHz Q modular multiplications per second 20

22 PERFORMANCE COMPARISON 21

23 COST PERFORMANCE ANALYSIS 22

24 WHAT WE ARE WORKING ON NOW Efficient squarings Curves with universally small parameters under Montgomery s reduction Or no Montgomery s reduction at all! Porting to IBM Cell processor, the engine of the IBM Blue Gene supercomputers 23

25 PRELIMINARY RESULTS ON CELL CPU: Q6600, GHz mults/sec (288 bits) GPU: 8800 GTS, GHz mults/sec (288 bits) Cell: ll GHz mults/sec (256 bits) 24

26 RSA CRACKING MACHINES IN VISION 25

27 THANK YOU!! Questions and comments? 26