Hardware Assisted Solution of Huge Systems of Linear Equations. Adi Shamir Computer Science and Applied Math Dept The Weizmann Institute of Science Joint work with Eran Tromer Hebrew University, 6/3/06. Cryptanalysis is Evil. A simple mathematical proof:
Computer Science and Applied Math Dept
The Weizmann Institute of Science
Joint work with Eran Tromer
Hebrew University, 6/3/06
cryptanalysis = time x money
cryptanalysis = money2
multiplication is easy
factorization is hard
Bicycle chain sieve [D. H. Lehmer, 1928] Cryptography
To factor n:
r12 r22 (mod n)
How to find Ssuch that is a square?
We want to find a subset Ssuch that is a square
Look at the factorization of smooth f1(a) which factor completely into a product of small primes:
This is a square, because all exponents are even.
Find a nonzero x satisfying Ax=0 over GF(2) where:
Daniel Bernstein’s observations (2001):
Σ kernel of a singular A:Matrix-by-vector multiplication
Model: two-dimensional mesh, nodes connected to ·4 neighbours.
Preprocessing: load the non-zero entries of A into the mesh, one entry per node. The entries of each column are stored in a square block of the mesh, along with a “target cell” for the corresponding vector bit.
To perform a multiplication:
If the original sparse matrix A has size dxd, we have to fold the d vector entries into a mxm mesh where m=sqrt(d).
Routing dominates cost, so the choice of algorithm (time, circuit area) is critical.
There is extensive literature about mesh routing. Examples:
None of these are ideal.
1 kernel of a singular A:
3Clockwise transposition routing on the mesh
Compared to Bernstein’s original design, this reduces the throughput cost by a constant factor
The original matrix-vector product:
Sum of some matrix rows:
V ’i+j=AjV ’i=Aj(Vi+E)=AjVi+AjE=Vi+j+AjE
and thus the difference between the correct and erroneous Vi develops as AjE from time i onwards
First error detection
No more detectableerrors