ECM at Work. Joppe W. Bos and Thorsten Kleinjung. Laboratory for Cryptologic Algorithms EPFL, Station 14, CH-1015 Lausanne, Switzerland 1 / 14

Similar documents
ECM at Work. Joppe W. Bos 1 and Thorsten Kleinjung 2. 1 Microsoft Research, Redmond, USA

Edwards Curves and the ECM Factorisation Method

ECM at Work. 1 Introduction. Joppe W. Bos 1 and Thorsten Kleinjung 2

PARAMETRIZATIONS FOR FAMILIES OF ECM-FRIENDLY CURVES

ECM at Work. Keywords: Elliptic curve factorization, cofactorization, additionsubtraction chains, twisted Edwards curves, parallel architectures.

Faster cofactorization with ECM using mixed representations

Parametrizations for Families of ECM-Friendly Curves

The factorization of RSA D. J. Bernstein University of Illinois at Chicago

ECM using Edwards curves

Starfish on Strike. University of Illinois at Chicago, Chicago, IL , USA

CRYPTOGRAPHIC COMPUTING

Elliptic Curve Method for Integer Factorization on Parallel Architectures

ECM using Edwards curves

On hybrid SIDH schemes using Edwards and Montgomery curve arithmetic

Parameterization of Edwards curves on the rational field Q with given torsion subgroups. Linh Tung Vo

High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition

FACTORIZATION WITH GENUS 2 CURVES

Four-Dimensional GLV Scalar Multiplication

Fully Deterministic ECM

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

FINDING ECM-FRIENDLY CURVES THROUGH A STUDY OF GALOIS PROPERTIES

Another Attempt to Sieve With Small Chips Part II: Norm Factorization

Faster ECC over F 2. School of Computer and Communication Sciences EPFL, Switzerland 2 CertiVox Labs.

Inverted Edwards coordinates

Mersenne factorization factory

Twisted Edwards Curves Revisited

D. J. Bernstein University of Illinois at Chicago

Edwards coordinates for elliptic curves, part 1

FFT extension for algebraic-group factorization algorithms

Experience in Factoring Large Integers Using Quadratic Sieve

Hyperelliptic Curve Cryptography

Estimates for factoring 1024-bit integers. Thorsten Kleinjung, University of Bonn

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Selecting Elliptic Curves for Cryptography Real World Issues

Elliptic curves. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein

Models of Elliptic Curves

Fast Multibase Methods and Other Several Optimizations for Elliptic Curve Scalar Multiplication

Good algebraic reading. MPRI Cours III. Integer factorization NFS. A) Definitions and properties

Hyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago

Hybrid Binary-Ternary Joint Sparse Form and its Application in Elliptic Curve Cryptography

Efficient SIMD arithmetic modulo a Mersenne number

Software implementation of ECC

Comparison of Elliptic Curve and Edwards Curve

Twisted Jacobi Intersections Curves

Curve41417: Karatsuba revisited

HOMEWORK 11 MATH 4753

ECPP in PARI/GP. Jared Asuncion. 29 January Asuncion, J. ECPP in PARI/GP 29 January / 27

Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2

Efficiency of RSA Key Factorization by Open-Source Libraries and Distributed System Architecture

Public-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J.

Fast Cryptography in Genus 2

Double-base scalar multiplication revisited

Integer factorization, part 1: the Q sieve. part 2: detecting smoothness. D. J. Bernstein

Implementing the Elliptic Curve Method of Factoring in Reconfigurable Hardware

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Modular Multiplication in GF (p k ) using Lagrange Representation

Differential Addition in generalized Edwards Coordinates

Fast, twist-secure elliptic curve cryptography from Q-curves

Factoring integers, Producing primes and the RSA cryptosystem. December 14, 2005

Faster Group Operations on Elliptic Curves

Addition laws on elliptic curves. D. J. Bernstein University of Illinois at Chicago. Joint work with: Tanja Lange Technische Universiteit Eindhoven

Number Theory and Group Theoryfor Public-Key Cryptography

Computing Elliptic Curve Discrete Logarithms with the Negation Map

MATH 433 Applied Algebra Lecture 4: Modular arithmetic (continued). Linear congruences.

arxiv: v1 [math.nt] 31 Dec 2011

Fast point multiplication algorithms for binary elliptic curves with and without precomputation

Factorisation of RSA-704 with CADO-NFS

Post-Snowden Elliptic Curve Cryptography. Patrick Longa Microsoft Research

Chuck Garner, Ph.D. May 25, 2009 / Georgia ARML Practice

Polynomial Selection. Thorsten Kleinjung École Polytechnique Fédérale de Lausanne

An Analysis of Affine Coordinates for Pairing Computation

Optimal Extension Field Inversion in the Frequency Domain

Frequency Domain Finite Field Arithmetic for Elliptic Curve Cryptography

Pairing Computation on Elliptic Curves of Jacobi Quartic Form

Integer Factoring Utilizing PC Cluster

Pollard s Rho Algorithm for Elliptic Curves

Ed448-Goldilocks, a new elliptic curve

Fast Cryptography in Genus 2

Basic Algorithms in Number Theory

Polynomial Selection for Number Field Sieve in Geometric View

Selecting Elliptic Curves for Cryptography: An Eciency and Security Analysis

The equivalence of the computational Diffie Hellman and discrete logarithm problems in certain groups

Implementation of ECM Using FPGA devices. ECE646 Dr. Kris Gaj Mohammed Khaleeluddin Hoang Le Ramakrishna Bachimanchi

Implementing the Elliptic Curve Method of Factoring in Reconfigurable Hardware

A new algorithm for residue multiplication modulo

Elliptic curves: Theory and Applications. Day 3: Counting points.

Fast Elliptic Curve Cryptography Using Optimal Double-Base Chains

Fast Scalar Multiplication for Elliptic Curves over Prime Fields by Efficiently Computable Formulas

ECDLP course. Daniel J. Bernstein University of Illinois at Chicago. Tanja Lange Technische Universiteit Eindhoven

Outline. Number Theory and Modular Arithmetic. p-1. Definition: Modular equivalence a b [mod n] (a mod n) = (b mod n) n (a-b)

Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago

Applied Cryptography and Computer Security CSE 664 Spring 2018

New Minimal Weight Representations for Left-to-Right Window Methods

Number Theory A focused introduction

RSA Implementation. Oregon State University

Homework #2 solutions Due: June 15, 2012

Numbers. Çetin Kaya Koç Winter / 18

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

Two Efficient Algorithms for Arithmetic of Elliptic Curves Using Frobenius Map

Transcription:

ECM at Work Joppe W. Bos and Thorsten Kleinjung Laboratory for Cryptologic Algorithms EPFL, Station 14, CH-1015 Lausanne, Switzerland 1 / 14

Motivation The elliptic curve method for integer factorization is used in the cofactorization phase of NFS ( 100 200-bits) to factor large numbers (Mersenne, Cunningham etc) 2 / 14

Motivation The elliptic curve method for integer factorization is used in the cofactorization phase of NFS ( 100 200-bits) to factor large numbers (Mersenne, Cunningham etc) Edwards curves vs Montgomery curves U faster EC-arithmetic D more memory is required 2 / 14

Motivation The elliptic curve method for integer factorization is used in the cofactorization phase of NFS ( 100 200-bits) to factor large numbers (Mersenne, Cunningham etc) Edwards curves vs Montgomery curves U faster EC-arithmetic D more memory is required Difficult to run Edwards-ECM fast on memory-constrained devices This presentation: slightly faster, memory efficient Edwards ECM 2 / 14

Edwards Curves (based on work by Euler & Gauss) Edwards curves Twisted Edwards curves Inverted Edwards coordinates Extended twisted Edwards coordinates A twisted Edwards curve is defined (ad(a d) 0) ax 2 + y 2 = 1 + dx 2 y 2 and (ax 2 + y 2 )z 2 = z 4 + dx 2 y 2 2007: H. M. Edwards. A normal form for elliptic curves. Bulletin of the American Mathematical Society 2007: D. J. Bernstein and T. Lange. Faster addition and doubling on elliptic curves. Asiacrypt 2008: H. Hisil, K. K.-H. Wong, G. Carter, and E. Dawson. Twisted Edwards curves revisited. Asiacrypt 3 / 14

Edwards Curves (based on work by Euler & Gauss) Edwards curves Twisted Edwards curves Inverted Edwards coordinates Extended twisted Edwards coordinates A twisted Edwards curve is defined (ad(a d) 0) ax 2 + y 2 = 1 + dx 2 y 2 and (ax 2 + y 2 )z 2 = z 4 + dx 2 y 2 Elliptic Curve Point Addition { a = 1: 8M a = 1, z 1 = 1: 7M Elliptic Curve Point Duplication: a = 1: 3M + 4S 2007: H. M. Edwards. A normal form for elliptic curves. Bulletin of the American Mathematical Society 2007: D. J. Bernstein and T. Lange. Faster addition and doubling on elliptic curves. Asiacrypt 2008: H. Hisil, K. K.-H. Wong, G. Carter, and E. Dawson. Twisted Edwards curves revisited. Asiacrypt 3 / 14

Elliptic Curve Method (ECM) Try and factor n = p q with 1 < p < q < n. Repeat: Pick a random point P and construct an elliptic E over Z/nZ containing P Compute Q = kp E(Z/nZ) for some k Z If #E(F p ) k (and #E(Z/qZ) k) then Q and the neutral element become the same modulo p p = gcd(n, Q z ) In practice given a bound B 1 Z: k = lcm(1, 2,..., B 1 ) H. W. Lenstra Jr. Factoring integers with elliptic curves. Annals of Mathematics, 1987. 4 / 14

Elliptic Curve Method (ECM) Try and factor n = p q with 1 < p < q < n. Repeat: Pick a random point P and construct an elliptic E over Z/nZ containing P Compute Q = kp E(Z/nZ) for some k Z If #E(F p ) k (and #E(Z/qZ) k) then Q and the neutral element become the same modulo p p = gcd(n, Q z ) In practice given a bound B 1 Z: k = lcm(1, 2,..., B 1 ) O(exp(( 2 + o(1))( log p log log p))m(log n)) where M(log n) represents the complexity of multiplication modulo n and the o(1) is for p. H. W. Lenstra Jr. Factoring integers with elliptic curves. Annals of Mathematics, 1987. 4 / 14

EC-multiplication Notation: A (EC-additions), D (EC-duplications), R (residues in memory) M (modular multiplications), S (modular squaring) Montgomery Edwards EC-multiplication PRAC e.g. signed sliding method w-bit windows #R 14 4(2 w 1 ) + 4 + 2 D. J. Bernstein, P. Birkner, T. Lange, and C. Peters. ECM using Edwards curves. Cryptology eprint Archive, Report 2008/016 D. J. Bernstein, P. Birkner, and T. Lange. Starfish on strike. Latincrypt, 2010 5 / 14

EC-multiplication Notation: A (EC-additions), D (EC-duplications), R (residues in memory) M (modular multiplications), S (modular squaring) Montgomery Edwards EC-multiplication PRAC e.g. signed sliding method w-bit windows #R 14 4(2 w 1 { ) + 4 + 2 Performance #(S + M)/bit 8-9 B 1 #A/bit 0, #R (3M + 4S) / bit D. J. Bernstein, P. Birkner, T. Lange, and C. Peters. ECM using Edwards curves. Cryptology eprint Archive, Report 2008/016 D. J. Bernstein, P. Birkner, and T. Lange. Starfish on strike. Latincrypt, 2010 5 / 14

B1 GMP-ECM #S #M #S+#M 256 1 066 2 025 3 091 512 2 200 4 210 6 400 1 024 4 422 8 494 12 916 12 288 53 356 103 662 157 018 49 152 214 130 417 372 631 502 262 144 1 147 928 2 242 384 3 390 312 1 048 576 4 607 170 9 010 980 13 618 150 EECM-MPFQ (a = 1) 256 1 436 1 608 3 044 512 2 952 3 138 6 090 1 024 5 892 6 116 12 008 12 288 70 780 67 693 138 473 49 152 283 272 260 372 543 644 262 144 1 512 100 1 351 268 2 863 368 1 048 576 6 050 208 5 306 139 11 356 347 6 / 14

B1 GMP-ECM #S #M #S+#M #R 256 1 066 2 025 3 091 14 512 2 200 4 210 6 400 14 1 024 4 422 8 494 12 916 14 12 288 53 356 103 662 157 018 14 49 152 214 130 417 372 631 502 14 262 144 1 147 928 2 242 384 3 390 312 14 1 048 576 4 607 170 9 010 980 13 618 150 14 EECM-MPFQ (a = 1) 256 1 436 1 608 3 044 38 512 2 952 3 138 6 090 62 1 024 5 892 6 116 12 008 134 12 288 70 780 67 693 138 473 1 046 49 152 283 272 260 372 543 644 2 122 262 144 1 512 100 1 351 268 2 863 368 9 286 1 048 576 6 050 208 5 306 139 11 356 347 32 786 6 / 14

Elliptic Curve Constant Scalar Multiplication In practice people use the same B 1 for many numbers: Can we do better for a fixed B 1? 7 / 14

Elliptic Curve Constant Scalar Multiplication In practice people use the same B 1 for many numbers: Can we do better for a fixed B 1? B. Dixon and A. K. Lenstra. Massively parallel elliptic curve factoring. Eurocrypt 1992. Observation: Low Hamming-weight integers fewer EC-additions Idea: Search for low-weight prime products Partition the set of primes in subsets of cardinality of most three Result: Lowered the weight by a factor three 7 / 14

Elliptic Curve Constant Scalar Multiplication In practice people use the same B 1 for many numbers: Can we do better for a fixed B 1? B. Dixon and A. K. Lenstra. Massively parallel elliptic curve factoring. Eurocrypt 1992. Observation: Low Hamming-weight integers fewer EC-additions Idea: Search for low-weight prime products Partition the set of primes in subsets of cardinality of most three Result: Lowered the weight by a factor three 1028107 1030639 1097101 = 1162496086223388673 w(1028107) = 10, w(1030639) = 16, w(1097101) = 11, w(1162496086223388673) = 8 7 / 14

Elliptic Curve Constant Scalar Multiplication We try the opposite approach (c(s) := #A in the addition chain) Generate integers s with good D/A ratio Test for B 1 -smoothness and factor these integers s = i ŝ i J. Franke, T. Kleinjung, F. Morain, and T. Wirth. Proving the primality of very large numbers with fastecpp. Algorithmic Number Theory 2004 8 / 14

Elliptic Curve Constant Scalar Multiplication We try the opposite approach (c(s) := #A in the addition chain) Generate integers s with good D/A ratio Test for B 1 -smoothness and factor these integers s = i ŝ i J. Franke, T. Kleinjung, F. Morain, and T. Wirth. Proving the primality of very large numbers with fastecpp. Algorithmic Number Theory 2004 Combine integers s j such that s i = i i ŝ i,j = k = lcm(1,..., B 1 ) = j l p l i.e. all the ŝ i,j match all the p l Such that c(s i = ŝ i,j ) < c ( i j i ŝ i,j ) = c (k) j 8 / 14

Addition/subtraction chain Addition/subtraction chain resulting in s a r = s,..., a 1, a 0 = 1 s.t. every a i = a j ± a k with 0 j, k < i Avoid unnecessary computations Only double the last element A 3,0, D 0, D 0, D 0 (3, 2, 2, 2, 1) vs A 1,0, D 0 (3, 2, 1) Only add or subtract to the last integer in the sequence (Brauer chains or star addition chains) This avoids computing the addition of two previous values without using this result 9 / 14

Addition chains with restrictions Reduce the number of duplicates Idea: Only add or subtract an even number from an odd number and after an addition (or subtraction) always perform a duplication Generation Start with u 0 = 1 (and end with an ±), { 2ui u i+1 = u i ± u j for j < i and u i 0 u j mod 2 10 / 14

Addition chains with restrictions Reduce the number of duplicates Idea: Only add or subtract an even number from an odd number and after an addition (or subtraction) always perform a duplication Generation Start with u 0 = 1 (and end with an ±), { 2ui u i+1 = u i ± u j for j < i and u i 0 u j mod 2 Given A EC-additions and D EC-duplications this approach generates ( ) D 1 A! 2 A integers A 1 10 / 14

Brauer chains vs Restricted chains (A = 3, D = 50) 140 #Restricted chain #Brauer chain 1.09 uniq(#restricted chains) uniq(#brauer chains) No storage Only add or subtract the input ( ) D 1 Less integers are generated: 2 A A 1 11 / 14

Brauer chains vs Restricted chains (A = 3, D = 50) 140 #Restricted chain #Brauer chain 1.09 uniq(#restricted chains) uniq(#brauer chains) No storage Only add or subtract the input ( ) D 1 Less integers are generated: 2 A A 1 Combining the smooth-integers Greedy approach (use good D/A ratios first) Selection process is randomized Score according to the size of the prime divisors Left-overs are done using brute-force 11 / 14

2.9 10 9 -smoothness testing No-storage setting Low-storage setting A D #ST A D #ST 1 5 200 3.920 10 2 1 5 250 4.920 10 2 2 10 200 7.946 10 4 2 10 250 2.487 10 5 3 15 200 1.050 10 7 3 15 250 1.235 10 8 4 20 200 1.035 10 9 4 20 221 3.714 10 10 5 25 200 8.114 10 10 5 25 152 2.429 10 12 6 30 124 2.858 10 11 5 153 220 1.460 10 11 7 35 55 2.529 10 10 6 60 176 2.513 10 11 Total 3.932 10 11 2.864 10 12 2.9 10 9 -smoothness tests on our mini-cluster using 4.5 GB memory (5 8 Intel Xeon CPU E5430 2.66GHz) Results obtained in 6 months 12 / 14

2.9 10 9 -smoothness testing No-storage setting Low-storage setting A D #ST A D #ST 1 5 200 3.920 10 2 1 5 250 4.920 10 2 2 10 200 7.946 10 4 2 10 250 2.487 10 5 3 15 200 1.050 10 7 3 15 250 1.235 10 8 4 20 200 1.035 10 9 4 20 221 3.714 10 10 5 25 200 8.114 10 10 5 25 152 2.429 10 12 6 30 124 2.858 10 11 5 153 220 1.460 10 11 7 35 55 2.529 10 10 6 60 176 2.513 10 11 Total 3.932 10 11 2.864 10 12 Smooth integers B 1 No-storage Low-Storage Total 3 000 000 1.99 10 9 7.00 10 9 8.99 10 9 2 900 000 000 1.05 10 10 3.47 10 10 4.53 10 10 12 / 14

Example B 1 = 256, No-Storage #D #A product addition chain 11 1 89 23 S 0D 11 14 2 197 83 S 0D 5 S 0D 9 15 2 193 191 S 0D 12 A 0D 3 15 2 199 19 13 A 0D 14 A 0D 1 18 1 109 37 13 5 A 0D 18 19 2 157 53 7 3 3 S 0D 6 S 0D 13 21 3 223 137 103 A 0D 10 A 0D 10 A 0D 1 23 3 179 149 61 5 S 0D 13 A 0D 5 S 0D 5 28 1 127 113 43 29 5 3 S 0D 28 30 3 181 173 167 11 7 3 A 0D 11 A 0D 16 A 0D 3 33 5 211 73 67 59 47 3 S 0D 6 A 0D 2 A 0D 11 S 0D 3 S 0D 11 36 4 241 131 101 79 31 11 A 0D 2 A 0D 16 A 0D 16 A 0D 2 41 4 233 229 163 139 107 17 S 0D 9 S 0D 4 S 0D 11 S 0D 17 49 5 251 239 227 151 97 71 41 S 0D 3 S 0D 29 A 0D 4 A 0D 8 A 0D 5 8 0 2 8 D 8 361 38 Total 13 / 14

Results Cost \ B 1 256 512 1024 12,288 49,152 262,144 EECM-MPFQ #M 1,608 3,138 6,116 67,693 260,372 1,351,268 #S 1,436 2,952 5,892 70,780 283,272 1,512,100 #M+#S 3,044 6,090 12,008 138,473 543,644 2,863,368 A 69 120 215 1,864 6,392 29,039 D 359 738 1,473 17,695 70,818 378,025 #R 38 62 134 1,046 2,122 9,286 No Storage Setting #M 1,400 2,842 5,596 65,873 262,343 1,389,078 #S 1,444 2,964 5,912 70,768 283,168 1,511,428 #M+#S 2,844 5,806 11,508 136,641 545,511 2,900,506 A 38 75 141 1,564 6,113 31,280 D 361 741 1,478 17,692 70,792 377,857 #R 10 10 10 10 10 10 Low Storage Setting #M 1,383 2,783 5,481 64,634 255,852 1,354,052 #S 1,448 2,964 5,908 70,740 283,056 1,510,796 #M+#S 2,831 5,747 11,389 135,374 538,908 2,864,848 A 35 66 124 1,366 5,127 25,956 D 362 741 1,477 17,685 70,764 377,699 #R 22 22 22 26 26 26 14 / 14

Results Cost \ B 1 256 512 1024 12,288 49,152 262,144 EECM-MPFQ #M 1,608 3,138 6,116 67,693 260,372 1,351,268 #S 1,436 2,952 5,892 70,780 283,272 1,512,100 #M+#S 3,044 6,090 12,008 138,473 543,644 2,863,368 A 69 120 215 1,864 6,392 29,039 D 359 738 1,473 17,695 70,818 378,025 #R 38 62 134 1,046 2,122 9,286 No Storage Setting #M 1,400 2,842 5,596 65,873 262,343 1,389,078 #S 1,444 2,964 5,912 70,768 283,168 1,511,428 #M+#S 2,844 5,806 11,508 136,641 545,511 2,900,506 A 38 75 141 1,564 6,113 31,280 D 361 741 1,478 17,692 70,792 377,857 #R 10 10 10 10 10 10 Low Storage Setting #M 1,383 2,783 5,481 64,634 255,852 1,354,052 #S 1,448 2,964 5,908 70,740 283,056 1,510,796 #M+#S 2,831 5,747 11,389 135,374 538,908 2,864,848 A 35 66 124 1,366 5,127 25,956 D 362 741 1,477 17,685 70,764 377,699 #R 22 22 22 26 26 26 14 / 14

Results Cost \ B 1 256 512 1024 12,288 49,152 262,144 EECM-MPFQ #M 1,608 3,138 6,116 67,693 260,372 1,351,268 #S 1,436 2,952 5,892 70,780 283,272 1,512,100 #M+#S 3,044 6,090 12,008 138,473 543,644 2,863,368 A 69 120 215 1,864 6,392 29,039 D 359 738 1,473 17,695 70,818 378,025 #R 38 62 134 1,046 2,122 9,286 No Storage Setting #M 1,400 2,842 5,596 65,873 262,343 1,389,078 #S 1,444 2,964 5,912 70,768 283,168 1,511,428 #M+#S 2,844 5,806 11,508 136,641 545,511 2,900,506 A 38 75 141 1,564 6,113 31,280 D 361 741 1,478 17,692 70,792 377,857 #R 10 10 10 10 10 10 Low Storage Setting #M 1,383 2,783 5,481 64,634 255,852 1,354,052 #S 1,448 2,964 5,908 70,740 283,056 1,510,796 #M+#S 2,831 5,747 11,389 135,374 538,908 2,864,848 A 35 66 124 1,366 5,127 25,956 D 362 741 1,477 17,685 70,764 377,699 #R 22 22 22 26 26 26 14 / 14

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback