Special purpose hardware for factoring the linear algebra part
Download
1 / 45

Special Purpose Hardware for Factoring: The Linear Algebra Part - PowerPoint PPT Presentation


  • 137 Views
  • Uploaded on

Special Purpose Hardware for Factoring: The Linear Algebra Part. Eran Tromer and Adi Shamir Applied Math Dept The Weizmann Institute of Science SHARCS 2005. Cryptanalysis is Evil. A simple mathematical proof: The definition of throughput cost implies that cryptanalysis = time x money

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Special Purpose Hardware for Factoring: The Linear Algebra Part' - duard


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Special purpose hardware for factoring the linear algebra part
Special Purpose Hardware for Factoring: The Linear Algebra Part

Eran Tromer and Adi Shamir

Applied Math Dept

The Weizmann Institute of Science

SHARCS 2005


Cryptanalysis is evil
Cryptanalysis is Evil Part

  • A simple mathematical proof:

  • The definition of throughput cost implies that

    cryptanalysis = time x money

  • Since time = money,

    cryptanalysis = money2

  • Since money is the root of evil,

    money2=evil

  • Consequently, cryptanalysis = evil


Hardware cryptanalysis is the last frontier
Hardware cryptanalysis is Partthe last frontier:

Government organizations used to dominate cryptography, but over the last 25 years they faced increasing competition from academia and industry:

  • Public key cryptosystems

  • Protocols and modes of operation

  • Secret key cryptosystems

  • Algorithmic cryptanalysis

  • Hardware cryptanalysis


Special purpose hardware for factoring the linear algebra part
Since this is the first workshop on cryptanalytic hardware, we have to consider the scope of the field:

Totally impractical hardware designs?

Quantum computers?

Other nonstandard models of computation?

Optimized implementations of cryptosystems?

Small improvements in constants?

Low level hardware details?

Attack hardware or hardware attacks?


Some of my personal opinions
Some of my personal opinions: we have to consider the scope of the field:

  • Near term practicality is crucial

  • Constants are important

  • Ideal cases: marginal schemes, awkward on PC

  • General tools are better than specific hardware

  • Funding for practical research can be sensitive


Which directions look promising
Which directions look promising? we have to consider the scope of the field:

Optimizing some general tools in cryptanalysis:

  • Improving time/memory tradeoff attacks (?)

  • Implementing lattice reduction algorithms

  • Applying transforms such as Walsh or FFT

  • Solving large systems of sparse linear equations

  • Computing Grobner bases with hardware assistance


Which directions look promising1
Which directions look promising? we have to consider the scope of the field:

Cryptanalysis of block ciphers:

  • In the case of schemes with 40 bit keys or DES, exhaustive search machines were very useful

  • These days are over: modern block ciphers such as the AES are very unlikely to be broken by pure hardware optimizations of exhaustive search

  • Faster hardware implementations of differential and linear cryptanalysis do not address the real bottleneck, which is the huge amount of chosen/known plaintexts


Which directions look promising2
Which directions look promising? we have to consider the scope of the field:

Promising research directions in block ciphers deal primarily with cryptanalytic countermeasures:

  • Searching for improved differentials and linear hulls in order to prove the strength of the scheme against such attacks

  • Choosing S-boxes which satisfy certain criteria

  • Finding the minimal bit-slice implementations of S-boxes (e.g., to avoid cache timing attacks)


Which directions look promising3
Which directions look promising? we have to consider the scope of the field:

Stream ciphers tend to be weaker, and there are several ways to use hardware assistance in their cryptanalysis:

  • Applying fast correlation attack

  • Finding sparse multiples of the recursion polynomial

  • Trying many possible clock control sequences

  • Applying algebraic attacks


Which directions look promising4
Which directions look promising? we have to consider the scope of the field:

Hash algorithm collisions are a hot new topic:

  • Hardware can assist in finding good message modification patterns, but software is easier to tweak and PC’s seem to be sufficiently powerful

  • It is too early to decide whether special purpose hardware can help in solving the generated systems of boolean conditions


Which directions look promising5
Which directions look promising? we have to consider the scope of the field:

Public key algorithms seem to be the best targets for hardware-assisted attacks:

  • The security of many number theoretic schemes is marginal, and it is difficult to make them much stronger without making the keys too long or the scheme too slow

  • Improved attacks are discovered quite frequently, and their hardware implementations are less obvious

  • This is well demonstrated by the talks here


Which directions look promising6
Which directions look promising? we have to consider the scope of the field:

Some of the lesser known public key schemes may be vulnerable to hardware attacks:

  • Algebraic schemes such as NTRU may be attacked by better implementations of lattice reduction algorithms

  • Multivariate public key schemes such as HFE may be attacked by better implementations of Grobner basis algorithms


Special purpose hardware for factoring the linear algebra part

We now turn to our main topic, which is an we have to consider the scope of the field:efficient hardware implementation of modern factoring algorithms. This talk will deal with the linear algebra part, and will present an improved version of the hardware first proposed in:

Analysis of Bernstein’s Factorization Circuit

Arjen Lenstra, Adi Shamir, Jim Tomlinson, Eran Tromer

ASIACRYPT, December 2002


Integer factorization
Integer Factorization we have to consider the scope of the field:

multiplication is easy

  • RSA and many other cryptographic schemes rely on the hardness of factorization, by using n as a public key and p,q as the secret key.

  • The size of the public key determines the efficiency and the security of the scheme.

  • We’ll concentrate on 1024 bit keys, which are the vast majority of the keys in use today.

Large

primes

p,q

Product

n=p£q

factorization is hard


Special purpose hardware for factoring the linear algebra part
Previous estimates of the cost of factoring a 1024-bit RSA key within 1 year were around a trillion dollars:

  • Traditional PC-based: [Silverman 2000]

    100M PCs with 170GB RAM each: $5£1012

  • TWINKLE: [Lenstra,Shamir 2000, Silverman 2000]*3.5M TWINKLEs and 14M simple PCs: ~ $1011


Improved factorization results can be derived from
Improved Factorization Results key within 1 year were around a trillion dollars:Can be derived from:

  • Non-conventional computation models (unlimited word length, quantum computers, …)

  • New conventional devices (PC’s, massively parallel computers, wafer scale integration, optoelectronics, …)

  • Improved performance of standard devices (Moore’s law,…)

  • New factoring algorithms (Pollard’s Rho method, Quadratic Sieve, Number Field Sieve, …)

  • Optimized implementations of known algorithms on standard computation devices


Special purpose hardware for factoring the linear algebra part

Bicycle chain sieve [D. H. Lehmer, 1928] key within 1 year were around a trillion dollars:


The number field sieve nfs integer factorization algorithm
The Number Field Sieve (NFS) Integer Factorization Algorithm key within 1 year were around a trillion dollars:

  • The best algorithm known for factoring RSA keys, similar in structure to the quadratic sieve.

  • Better Subexponential time.

  • Successfully factored a 512-bit integer (RSA-155) in 1999 (using hundreds of workstations running for many months).

  • Latest record achieved in 2004: 576-bit integer (RSA-174).


Simplified nfs main parts
Simplified NFS – main parts key within 1 year were around a trillion dollars:

  • Sieving step (relation collection):Find many B-smooth integers which factor completely into a product of primes which are smaller than some bound B.

    (This is the harder part, described in the next talk)

  • Matrix step: Find a linear relationship between the factorizations of those integers.

    (This is the easier part, described here.)


The basic idea shared with many previous factoring algorithms
The basic idea (shared with many previous factoring algorithms)

To factor n:

  • Find “random” r1,r2such that r12 r22 (mod n)

  • Hope that gcd(r1-r2,n) is a nontrivial factor of n.

    How?

  • Let f1(a) = a2 mod n These values are squares mod n, but not over Z

  • Find a nonempty set S½Z such thatthe product of the values of f1(a) for a2S is a square over the integers

  • This gives us the two “independent” representations

    r12 r22 (mod n)


The basic idea cont
The basic idea (cont.) algorithms)

How to find Ssuch that is a square?

Look at the factorization of smooth f1(a) which factor completely into a product of small primes:

This is a square, because all exponents are even.


The basic idea cont1
The basic idea (cont.) algorithms)

How to find Ssuch that is a square?

  • Consider all the primes smaller than some bound B, and find many integers a for which f1(a) isB-smooth.

  • For each such a, represent the factorization of f1(a) as a vector of b exponents: f1(a)=2e1 3e2 5e3 7e4 L a (e1,e2,...,eb)

  • Once b+1 such vectors are found, find a dependency modulo 2 among them. That is, find S such that=2e1 3e2 5e3 7e4 L where the ei are all even.

Sieving step

Matrix step


The matrix step
The matrix step algorithms)

We look for elements from the kernel of asparse matrix over GF(2). Using Wiedemann’s algorithm, this can be reduced to the following:

  • Input: a DxD binary matrix A and a binary D-vector v.

  • Output: the first few bits of each of the vectorsAv,A2v,A3v,...,ADv(mod 2).

  • Dis huge (between 100 million and 10 billion), but the matrix is very sparse (e.g., 100 ones in each row)


Observations bernstein 2001
Observations algorithms)[Bernstein 2001]

  • On a single-processor computer, storage dominates cost yet is poorly utilized.

  • Sharing the input among multiple processors can lead to collisions, propagation delays.

  • Solution: use a mesh-based device, with a small processor attached to each storage cell.

  • Bernstein proposed an algorithm based on mesh sorting.


Matrix by vector multiplication

Σ algorithms)

Matrix-by-vector multiplication

X

=

(mod 2)


Is the mesh sorting idea optimal
Is the mesh sorting idea optimal? algorithms)

  • The fastest known mesh sorting algorithm for a mxm mesh requires about 3m steps, but it is too complicated to implement on simple processors.

  • Bernstein used the Schimmler mesh sorting algorithm three times to complete each matrix-vector product. For a mxm matrix, this requires about 24m steps.

  • We proposed to replace the mesh sorting by mesh routing, which is both simpler and faster. We use only one full routing, which requires 2m steps.


A routing based circuit for the matrix step lenstra shamir tomlinson tromer 2002
A routing-based circuit for the matrix step algorithms)[Lenstra,Shamir,Tomlinson,Tromer 2002]

Model: two-dimensional mesh, nodes connected to ·4 neighbours.

Preprocessing: load the non-zero entries of A into the mesh, one entry per node. The entries of each column are stored in a square block of the mesh, along with a “target cell” for the corresponding vector bit.


Operation of the routing based circuit
Operation of the routing-based circuit algorithms)

To perform a multiplication:

  • Initially the target cells contain the vector bits. These are locally broadcast within each block(i.e., within the matrix column).

  • A cell containing a row index ithat receives a “1” emits an value(which corresponds to a at row i).

  • Each value is routed to thetarget cell of the i-th block(which is collecting ‘s for row i).

  • Each target cell counts thenumber of values it received.

  • That’s it! Ready for next iteration.


How to perform the routing
How to perform the routing? algorithms)

If the original sparse matrix A has size DxD, we have to fold the D vector entries into a mxm mesh where m=sqrt(D).

Routing dominates cost, so the choice of algorithm (time, circuit area) is critical.

There is extensive literature about mesh routing. Examples:

  • Bounded-queue-size algorithms

  • Hot-potato routing

  • Off-line algorithms

    None of these are ideal.


Clockwise transposition routing on the mesh

1 algorithms)

2

4

3

Clockwise transposition routing on the mesh

  • One packet per cell.

  • Only pairwise compare-exchange operations ( ).

  • Compared pairs are swapped according to the preference of the packet that has the farthestto go along this dimension.

  • Very simple schedule, can be realized implicitly by a pipeline.

  • Pairwise annihilation.

  • Worst-case: m2

  • Average-case: ?

  • Experimentally:2m steps suffice for random inputs – optimal.

  • The point: m2 values handled in time O(m). [Bernstein]


Comparison to bernstein s design
Comparison to Bernstein’s design algorithms)

1/12

  • Time: A single routing operation (2m steps)vs. 3 sorting operations (8m steps each).

  • Circuit area:

    • Only the move; the matrix entries don’t.

    • Simple routing logic and small routed values

    • Matrix entries compactly stored in DRAM (~1/100 the area of “active” storage)

1/3


Further improvements
Further improvements algorithms)

1/7

  • Reduce the number of cells in the mesh (for small μ, decreasing #cells by a factor of μ decreases throughput cost by ~μ1/2)

  • Use Coppersmith’s block Wiedemann

  • Execute the separate multiplication chains of block Wiedemann simultaneously on one mesh (for small K, reduces cost by ~K)

    Compared to Bernstein’s original design, this reduces the throughput cost by a constant factor

1/6

1/15

of 45,000.


Hardware fault tolerance
Hardware Fault tolerance algorithms)

  • Any wafer scale design will contain defective cells.

  • Cells found to be defective during the initial testing can be handled by modifying the routing algorithm.


Algorithmic fault tolerance
Algorithmic fault tolerance algorithms)

  • Transient errors must be detected and corrected as soon as possible since they can lead to totally unusable results.

  • This is particularly important in our design, since the routing is not guaranteed to stop after 2m steps, and packets may be dropped


How to detect an error in the computation of axv mod 2
How to detect an error in the computation of AxV (mod 2)? algorithms)

The original matrix-vector product:


How to detect an error in the computation of axv mod 21
How to detect an error in the computation of AxV (mod 2)? algorithms)

Sum of some matrix rows:

Check bit


Problems with this solution
Problems with this solution: algorithms)

  • If the new test vector at the bottom is the sum mod 2 of few rows, it will remain sparse but have extremely small chance of detecting a transient error in one of the output bits

  • If the new test vector at the bottom is the sum mod 2 of a random subset of rows, it will become dense, but still miss errors with constant probability


Problems with this solution1
Problems with this solution: algorithms)

  • To reduce the probability of missing an error to a negligible value, we can add hundreds of dense test vectors derived from independent random subsets of the rows of the matrix.

  • However, in this case the cost of the checking dominates the cost of the actual computation.


Our new solution
Our new solution: algorithms)

  • We add only one test vector, which adds only 1% to the cost of the computation, and still get negligible probability of missing transient errors

  • We achieve it by using the fact that in Weidemann’s algorithm we compute all the products

  • V1=AV, V2=A2V, V3=A3V, …Vi=AiV,…VD=ADV


Our new solution1
Our new solution: algorithms)

  • We choose a random row vector R, and precompute (on a reliable machine) the row vector W=RAkfor some small k (e.g., k=200).

  • We add to the matrix the two row vectors W and R as the only additional test vectors. Note that these vectors are no longer the sum of subsets of rows of the matrix A.


Our new solution2
Our new solution: algorithms)

  • Consider now the following equation, which is true for all i:

    Vi+k=Ai+kV=AkAiV=AkVi

  • Multiplying it on the left with R, we get that for all i:

    RVi+k=RAkVi=WVi

  • Since we added the two vectors R and W to the matrix, we get for each vector Vi the products RViand WVi , which are two bits


Our new solution3
Our new solution: algorithms)

  • We store the computed values of WVi in a short shift register of length k=200, and compare it after a delay k with the computed value of RVi+k

  • We periodically store the current vector Vi (say, once a day) in an off-line storage. If any one of the consistency tests fails, we stop the computation, test for faulty components, and restart from the last good Vi


Why does it catch transient errors with overwhelming probability
Why does it catch transient errors with overwhelming probability?

  • Assume that at step i the algorithm computed the erroneous Vi ‘=Vi +E and that all the computations before and after step i were correct (wrt the wrong Vi ‘)

  • Due to the linearity of the computation, for any j>0:

    V ’i+j=AjV ’i=Aj(Vi+E)=AjVi+AjE=Vi+j+AjE

    and thus the difference between the correct and erroneous Vi develops as AjE from time i onwards


Why does it catch transient errors with overwhelming probability1
Why does it catch transient errors with overwhelming probability?

  • Each test checks whether W(AjE)=0 for some j<k

  • Since the matrix A generated by the number field sieve is random looking, its first k=200 powers are likely to be random and dense, and thus each test has an independent probability of 0.5 to fail.

First error detection

No more detectableerrors


End of part one
-END OF PART ONE- probability?