| P. C. van Oorschot and M. J. Wiener. Parallel collision search with cryptanalytic applications. Journal of Cryptology, 12:1--28, 1999. |
....generalized to solve the discrete logarithm problem in any finite abelian group. The key ingredient for the lambda method is that we know that the discrete logarithm lies in a given interval [a, b[; then the expected running time is O(√(b − a)) group operations. Van Oorschot and Wiener [vOW99] have shown that the lambda method can be parallelized with linear speed-up, which makes the method attractive for distributed attacks. It is important to note that the lambda method is very space efficient, which is its basic advantage over square root ....
....estimate that with the parallelized Pollard lambda attack on a network of 40 fast machines, a 31-digit regulator can be computed within a week. In the following, we first give an overview of the lambda method and its parallelization, where we deal with both the variant of van Oorschot and Wiener [vOW99] and that of Pollard [Pol]. We keep this exposition as general as possible. Since no experimental results with the parallelized lambda method (not to be confused with the parallelized rho method) have been published so far, we also include some statistics about experiments with elliptic curve groups showing that ....
[Article contains additional citation context not shown here]
P. C. van Oorschot and M. J. Wiener. Parallel collision search with cryptanalytic applications. Journal of Cryptology, 12:1--28, 1999.
....Gallant, Lambert and Vanstone [23] and Wiener and Zuccherato [97] showed how Pollard's rho algorithm can be sped up by a factor of √2. Thus the expected running time of Pollard's rho method with this speedup is √(πn)/2 steps. 5. Parallelized Pollard's Rho Algorithm. Van Oorschot and Wiener [70] showed how Pollard's rho algorithm can be parallelized so that when the algorithm is run in parallel on r processors, the expected running time of the algorithm is roughly √(πn)/(2r) steps. That is, using r processors results in an r-fold speed-up. 6. Pollard's lambda method. This is another ....
....results in an r-fold speed-up. 6. Pollard's lambda method. This is another randomized algorithm due to Pollard [73]. Like Pollard's rho method, the lambda method can also be parallelized with a linear speedup. The parallelized lambda method is slightly slower than the parallelized rho method [70]. The lambda method is, however, faster in situations when the logarithm being sought is known to lie in a subinterval [0, b] of [0, n − 1] where b < 0.39n [70]. 7. Multiple Logarithms. R. Silverman and Stapleton [85] observed that if a single instance of the ECDLP (for a given elliptic ....
[Article contains additional citation context not shown here]
P. van Oorschot and M. Wiener, "Parallel collision search with cryptanalytic applications", Journal of Cryptology, 12 (1999), 1-28.
....so this produces a pseudo-collision for the compression function. The total computational complexity of this attack is 2^{m/2} encryptions. A naive implementation of this attack might require 2^{m/2} units of storage, but we note that using Floyd's cycle-finding algorithm or any of its improvements [7] reduces the storage complexity of the attack to a very small constant. The full collision attack. In the remainder of this section, we will analyze the security of the Yi-Lam hash against full collision attacks. Let G_i || H_i (for i = 1, …, n) be any n values for the chaining variables. ....
....i = G'_j also holds. To summarize, this shows how to find a collision in the Yi-Lam hash with about 2^{0.71m} offline hash computations. We expect that the storage complexity of the collision-finding attack will be negligible, if parallel collision search techniques are used to implement the attack [7]. 4 Conclusions We have shown that the Yi-Lam hash has serious flaws, and it is clear that the construction offers only minor benefits over traditional single-length hash functions. The fundamental problem is that the Yi-Lam construction relied on the nonlinearity of the carry bits found in modular ....
P.C. van Oorschot and M.J. Wiener, \Parallel Collision Search with Cryptanalytic Applications," Journal of Cryptology, vol.12, no. 1, 1999, pp.1-28.
....currently known have exponential run time. Among these algorithms we find algorithms based on Pollard's rho method [Pol78]. They take expected time O(√n) group operations to compute log_g h, where n denotes the order of g. Their space requirements are negligible, and van Oorschot and Wiener [vOW99] showed that they can be efficiently parallelized, which makes the rho method the most powerful method to attack the elliptic curve DLP known to date. In the rho method, an iterating function F : G → G is used to define a sequence (y_i) by y_{i+1} = F(y_i) for i = 0, 1, 2, … with some ....
....by Schnorr and Lenstra [SL84] such that optimal average-case performance (experimentally) is achieved. A family of match-finding algorithms with optimal worst-case performance is discussed in [SSY82]. If storing a large number of terms is not a problem, distinguished point methods as described in [vOW99] can be more efficient to find matches. 2.3. Partitioning the group. Let T_1, …, T_r be a partition of G, such that the T_s are pairwise disjoint and of roughly equal size. The iterating functions considered in the following are always given in terms of r different rules, one for each part ....
P. C. van Oorschot and M. J. Wiener, Parallel collision search with cryptanalytic applications, Journal of Cryptology 12 (1999), 1--28. MR 99i:49054
....n is a prime and h is a small integer. The most efficient general algorithm known to date is the Pollard method [62] and its recent modifications by Gallant, Lambert, and Vanstone [24] and Wiener and Zuccherato [82], which requires about √(πn)/2 elliptic group operations. Van Oorschot and Wiener [63] showed that the Pollard method can be parallelized, and that the expected running time of this algorithm, using r processors, is roughly √(πn)/(2r) group operations. This runtime is exponential in n. Although no general subexponential algorithms to solve the ECDLP are known, there are fast ....
....ECDSA, ECDH). By an appropriate elliptic curve, we mean an elliptic curve defined over the finite field F_q that resists all known attacks on the ECDLP. Specifically: 1. The number of points, #E(F_q), is divisible by a prime n that is sufficiently large to resist the parallelized Pollard attack [63] against general curves, and its improvements [24, 82] which apply to Koblitz curves. 2. #E(F_q) ≠ q, to resist the following attacks: Semaev [74], Smart [76] and Satoh-Araki [68]. 3. n does not divide q^k − 1 for all 1 ≤ k ≤ 30, to resist the Weil pairing attack [55] and the Tate pairing ....
P. Van Oorschot and M. Wiener, "Parallel collision search with cryptanalytic applications", Journal of Cryptology, 12, pp. 1-28, 1999.
....algorithms based on the rho method run on powerful workstations to solve the DLP in various finite abelian groups of considerably larger group orders. Some work has been done to speed up the rho method. There are better methods to find matches, e.g. by Brent [2], and van Oorschot and Wiener [18] have developed a method for efficient parallelization of the rho method. We now suggest choosing a more efficient iterating function to obtain further speed-up. Recently, the author has elaborated a generic algorithm [17] that uses the rho method to compute the structure of a finite abelian ....
P. C. van Oorschot and M. J. Wiener. Parallel collision search with cryptanalytic applications. To appear in Journal of Cryptology.
....Attacks Meet-in-the-middle attacks occur when the first part of a cipher depends upon a different set of key bits than does the second part. This allows an attacker to attack the two parts independently, and works against double encryption with a block cipher and two different keys [MH81, OW91, OW95]. 2.2 Linear Factors A linear factor is a fixed set of key bits whose complementation leaves the XOR of a fixed set of ciphertext bits unchanged; this weakness can be used to speed up an exhaustive key search. Six-round DES has a linear factor [CE86]. 2.3 Weak Keys A weak key, K, is a key for ....
....the key K, we obtain the decryption of C under key K' to obtain P' = E^{-1}(k_a ⊕ Δ, E(k_a, P)); now exhaustive search will recover k_a in 2^56 encryptions. After that, one can find k_b, k_c with a meet-in-the-middle attack on double DES, which has complexity of approximately 2^56 to 2^72 [MH81, OW91, OW95]. In total, we need one chosen related-key query, one chosen-ciphertext query, and 2^56 to 2^72 offline trial encryptions. Note this attack does not work against two-key triple DES, and is the first attack for which two-key triple DES is stronger than three-key triple DES. 4.7 ECB OFB Matt ....
P.C. van Oorschot and M.J. Wiener, "Parallel Collision Search with Cryptanalytic Applications," to appear, 1995.
....g. These algorithms are based on Shanks' baby-step giant-step method [Sha71], in which case they require O(√n) elements to store, or on Pollard's rho method [Pol78]. Pollard's rho method has the advantage that it has negligible space requirements, and it can be parallelized with linear speedup [vOW99]. If we are given an interval [a, b) such that x is known to lie in this interval, we have Pollard's lambda method [Pol78], whose running time is bounded by a multiple of √(b − a) rather than of √n. In its variant employing distinguished points it can also be efficiently parallelized, and ....
P. C. van Oorschot and M. J. Wiener, Parallel collision search with cryptanalytic applications, Journal of Cryptology 12 (1999), 1--28.
....generalized to solve the discrete logarithm problem in any finite abelian group. The key ingredient for the kangaroo method is that we know that the discrete logarithm lies in a given interval [a, b[; then the expected running time is O(√(b − a)) group operations. Van Oorschot and Wiener [vOW99] have shown that the kangaroo method can be parallelized with linear speed-up, which makes the method attractive for distributed attacks. It is important to note that the serial version of the kangaroo method is very space efficient, and that the space requirements of the parallelized version can be ....
....450 under Solaris 2.6 that computation of a 29-digit class number and regulator would have taken about 73 hours. In the following, we first give an overview of the kangaroo method and its parallelization, where in the parallelized case we deal with both the variants of van Oorschot and Wiener [vOW99] and Pollard [Pol]. We keep this exposition as general as possible. Since no experimental results with the parallelized kangaroo method (not to be confused with the parallelized rho method) have been published so far, we also include some statistics about experiments with elliptic curve groups showing ....
[Article contains additional citation context not shown here]
P. C. van Oorschot and M. J. Wiener. Parallel collision search with cryptanalytic applications. Journal of Cryptology, 12:1-28, 1999.
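The interval-restricted search the excerpt above describes, as an added example (not code from the citing paper or from van Oorschot and Wiener): a parallel kangaroo (lambda) search with distinguished points. The group is a constructed toy, the subgroup of prime order 5003 in Z_10007^* generated by 4; the power-of-two jump table, the "low two bits zero" distinguished-point rule, the small start spacing and the relaunch-on-same-herd rule are all assumptions for the demo. Tame kangaroos start from known exponents near the middle of the interval, wild ones from h times known powers of the generator; the first distinguished point reached by one kangaroo of each kind yields the logarithm, and the work scales with √(b − a), not with the group order.

```python
import math
import random

# Constructed toy group (assumption): the subgroup of prime order N = 5003 in Z_P^*,
# P = 2N + 1 = 10007, generated by G = 4. Real intervals are 2^40 wide and beyond;
# only the cost of a group operation changes, the search is the same.
P, N, G = 10007, 5003, 4
assert pow(G, N, P) == 1 and G != 1
DP_BITS = 2  # a point is "distinguished" if its low 2 bits are zero (proportion 1/4)

def jump_table(width):
    """Jump sizes 2^0 .. 2^(k-1) whose mean is at least sqrt(width)/2, the usual
    tuning for kangaroos on an interval of the given width (assumed here)."""
    k = 1
    while (2 ** k - 1) / k < math.sqrt(width) / 2:
        k += 1
    return [2 ** j for j in range(k)]

def expected_serial_jumps(width):
    """Classical heuristic for the serial lambda method: about 2*sqrt(width) jumps."""
    return 2 * math.sqrt(width)

def is_distinguished(y):
    return y & ((1 << DP_BITS) - 1) == 0

def parallel_kangaroo(h, lo, hi, workers=4, max_steps=200000, seed=1):
    """Pollard's lambda (kangaroo) method, parallelized with distinguished points in
    the style of van Oorschot and Wiener. Assumes h = G^x with lo <= x < hi.
    Even-numbered workers are tame kangaroos (y = G^t, t known), odd-numbered ones
    are wild (y = h * G^d, offset d known). All share one table of distinguished
    points; a tame/wild pair on the same point gives G^t = h * G^d, i.e.
    x = t - d (mod N). Returns (x, total_jumps), or (None, total_jumps) if the
    budget runs out."""
    rng = random.Random(seed)
    width = hi - lo
    jumps = jump_table(width)
    mid = lo + width // 2
    table = {}  # distinguished point -> (kind, exponent t or offset d)

    def launch(kind, offset=None):
        off = rng.randrange(width // 2) if offset is None else offset
        if kind == "tame":
            return ["tame", pow(G, mid + off, P), mid + off]
        return ["wild", h * pow(G, off, P) % P, off]

    # Initial herds: tame starts at mid, mid+1, ..., wild at offsets 0, 1, ...
    roos = [launch("tame" if i % 2 == 0 else "wild", i // 2) for i in range(workers)]
    steps = 0
    while steps < max_steps:
        for roo in roos:
            kind, y, e = roo
            s = jumps[y % len(jumps)]      # jump size depends on the point only
            y = y * pow(G, s, P) % P
            e += s
            steps += 1
            roo[1], roo[2] = y, e
            if not is_distinguished(y):
                continue
            if y in table:
                other_kind, e2 = table[y]
                if other_kind != kind:
                    t, d = (e, e2) if kind == "tame" else (e2, e)
                    x = (t - d) % N
                    if pow(G, x, P) == h:
                        return x, steps
                # Same-herd hit: this kangaroo merged onto a trail already recorded
                # (or cycled onto its own) and would only duplicate work; relaunch.
                roo[:] = launch(kind)
            else:
                table[y] = (kind, e)
    return None, steps

if __name__ == "__main__":
    secret = 2345                      # constructed: known to lie in [1000, 3000)
    x, steps = parallel_kangaroo(pow(G, secret, P), 1000, 3000)
    print(f"recovered x = {x} after {steps} jumps "
          f"(serial heuristic ~{expected_serial_jumps(2000):.0f})")
```

The shared table is what turns M kangaroos into an M-fold speed-up: a trail that crosses another trail is detected at the next distinguished point without any processor ever comparing full trails, which is also why the table stays a small fraction (here 1/4, in practice far less) of the points computed.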
....F_p. Its storage requirements are very small. Shanks' method needs about the same number of operations but needs storage for about q group elements. Pollard's rho method can easily be parallelized over any number of processors, with very limited communication, resulting in a linear speedup (cf. [28]). This is another illustration of the power of parallelization and another reason to keep track of the computational power of the Internet. Furthermore, there is no post-processing involved in Pollard's rho (unlike the (DL)NFS, where after completion of the sieving step the cumbersome matrix step ....
....it is used as the basis for extrapolations to estimate the effort required for software attacks on larger EC systems over prime fields (cf. 1.3). Special-purpose hardware data points. In 1996 an attack against a 120-bit EC system with p = 2^155 was sketched (and published 3 years later, cf. [28]) based on a special-purpose hardware design that achieves a 25-million-fold parallelism, i.e. 330,000 special-purpose processor chips each running 75 independent Pollard rho processes. Building this machine would cost $10 million and its run time would be about 32 days. The designers claim that an ....
P.C. van Oorschot, M.J. Wiener, Parallel collision search with cryptanalytic applications, Journal of Cryptology, v. 12 (1999), 1-28.
....proof by the puzzle maker [2]. However, unlike the non-parallelizable property for finding the P_a(t) that we have discussed above, the problem of extraction of a discrete logarithm can be parallelized (e.g. using the parallelized Pollard's kangaroo algorithm [3] due to van Oorschot and Wiener [6]). Therefore Mao's time-lock puzzle scheme suffers from a parallelization attack. In this paper we will construct an efficient interactive protocol for proof of membership regarding the language L_n := { a^{2^t} (mod n) | gcd(a, n) = 1, t ≤ n }. This is the first protocol that proves the ....
van Oorschot, P.C. and Wiener, M.J. Parallel collision search with cryptanalytic applications. J. of Cryptology, Vol. 12, No. 1 (1999), pages 1--28.
....over 40 runs of Pollard's original algorithm has been 27.3 minutes in contrast to 22.5 minutes of the improved version. This reflects the stable improvement of about 20% of the total running time observed for all group sizes. A version which allows for parallel computations has been proposed in [28] and is of practical significance as long as there is no subexponential algorithm available for the group under consideration. 2.5 Shoup's Lower Bound A recent result of Shoup shows that the two algorithms discussed above are optimal for groups where the group operations itself are the only ....
....hold. With this addition, E is an abelian group. Let K consist of q elements. By a theorem of Hasse, the number of elements of E is bounded by q + 1 − 2√q ≤ #E ≤ q + 1 + 2√q. Since 1997, there exist several public EC-DL challenges for finite fields [6]. By utilizing the ideas of [28] some of them have already been broken (electronic messages on the number theory net, Harley et al.); see table 2. Here, p_79, p_89, and p_97 are 79-, 89-, and 97-bit primes respectively. 4 Prime Fields We now turn to a special version of the index calculus algorithm of section 2.6. 4.1 ....
P. van Oorschot and M. Wiener. Parallel collision search with cryptanalytic applications. Journal of Cryptology. to appear.
....no subexponential algorithm for solving the discrete logarithm problem (ECDLP) in the elliptic point group of a general elliptic curve is known, elliptic curve cryptosystems became a popular choice for implementations. The fastest known attack on the ECDLP is the parallelized Pollard's rho method [18, 21, 27]. In an elliptic curve public key protocol the most important operation is the scalar multiplication by a positive integer m, that is, computing mP for a point P on an elliptic curve. For example, the complexity of the ElGamal encryption scheme [4] and the Diffie-Hellman key agreement protocol ....
van Oorschot, P., Wiener, M. J.: Parallel Collision Search with Cryptanalytic Applications. Journal of Cryptology 12 (1999) 1--28
....can be broken by solving the elliptic curve discrete log problem (ECDLP), that is, calculating d knowing only P, Q and G. With n prime (which gives the best security) the best known method of solving the ECDLP is the parallelisation of the Pollard rho method [8] by van Oorschot and Wiener [11]. In the Pollard rho method the subgroup G is partitioned into 3 subsets S_1, S_2 and S_3 of roughly equal size. Two numbers a_0 and b_0 are randomly generated such that 1 ≤ a_0, b_0 ≤ n − 1. Starting with X_0 = a_0 P + b_0 Q, a sequence X_i is calculated using the relation ....
....Table 3 compares the expected percentage of ECDLPs solved in less than the given multiple of the expected number of iterations and the observed percentage from 5000 runs over each curve using the iteration function A15D1. The following calculation for the expected percentage is taken from [11]. Let X be the random variable representing the number of elements needed before a duplication. Then for large n and k ≪ n we have Pr(X > k) ≈ e^{−k²/(2n)}. The results show that solving the ECDLP using the parallel Pollard rho method is very slightly harder in practice than in theory. 4.2 ....
Paul C. van Oorschot and Michael J. Wiener. Parallel collision search with cryptanalytic applications. Journal
....it was shown that this problem was rather easy [22, 10, 39, 34]. Apart from new lifting ideas [38, 13, 6] that remain to be tested, it seems that the discrete log on elliptic curves still resists. On ordinary curves, the only known attack is a parallelized version of Pollard's rho method [44]. The Certicom challenge records the state of the art in the field. Among the curves suggested for cryptographic use, the so-called ABC curves have been shown to be somewhat less secure than ordinary curves, due to the existence of an automorphism of large order. Two types of attack have been ....
....for the first time in [31]. If a fixed proportion of the points is distinguished, then we should find a collision after computing about √(πn/2) points, or that proportion of √(πn/2) distinguished points. Now, parallelization is straightforward: have each processor contribute to the same list of distinguished points [44]. Each processor would have to find √(πn/2)/M points, thus yielding a speedup of M to the total running time. To understand how a parallelized search works, consider figure 2, on which we have drawn two paths, the one corresponding to processor i and the second to processor j. Their paths ....
P. C. van Oorschot and M. J. Wiener. Parallel collision search with cryptanalytic applications. J. of Cryptology, 12:1-28, 1999.
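The parallel rho search with distinguished points sketched in the two excerpts above (the three-way partition and the start point X_0 = a_0 P + b_0 Q of the Escott et al. excerpt, the birthday estimate Pr(X > k) ≈ e^{−k²/(2n)}, and the shared list of distinguished points with the √(πn/2)/M work per processor of the last excerpt), as an added example that is not code from any of the citing papers or from van Oorschot and Wiener. It runs in a constructed toy group, the subgroup of prime order 5003 in Z_10007^* generated by 4, written multiplicatively (y = G^a h^b in place of a_i P + b_i Q); the three-way partition by y mod 3, the "low three bits zero" distinguished-point rule, the trail-length cap and the round-robin simulation of the processors are assumptions for the demo.

```python
import math
import random

# Constructed toy group (assumption): the subgroup of prime order N = 5003 in Z_P^*,
# P = 2N + 1 = 10007, generated by G = 4. The elliptic-curve setting of the excerpts
# only changes the group law; the collision search is identical.
P, N, G = 10007, 5003, 4
assert pow(G, N, P) == 1 and G != 1
R = 3                              # partition into S_1, S_2, S_3 by y mod 3
DP_BITS = 3                        # distinguished = low 3 bits zero (proportion 1/8)
MAX_TRAIL = 20 * (1 << DP_BITS)    # give up on a trail that loops without a DP

def expected_iterations():
    """Heuristic quoted above: about sqrt(pi*N/2) group operations in total."""
    return math.sqrt(math.pi * N / 2)

def pr_no_duplicate_after(k):
    """Birthday estimate quoted above: Pr(X > k) ~ exp(-k^2 / (2N)) for k << N."""
    return math.exp(-k * k / (2 * N))

def is_distinguished(y):
    return y & ((1 << DP_BITS) - 1) == 0

def walk_step(y, a, b, h):
    """One step of the classic three-way rho walk on y = G^a * h^b (mod P), carrying
    (a, b) along so that a collision of two walks yields a linear relation in x."""
    s = y % R
    if s == 0:
        return y * h % P, a, (b + 1) % N          # y <- y * h
    if s == 1:
        return y * y % P, 2 * a % N, 2 * b % N    # y <- y^2
    return y * G % P, (a + 1) % N, b              # y <- y * G

def parallel_rho(h, workers=8, seed=1):
    """Parallel collision search with distinguished points (van Oorschot-Wiener),
    simulated round-robin: each worker runs its own trail, reports every DP it
    reaches to one shared table together with its (a, b), then starts a new trail.
    Returns (x, total_steps) with G^x = h (mod P)."""
    rng = random.Random(seed)
    table = {}   # distinguished point -> (a, b) of the first trail to reach it
    steps = 0

    def new_trail():
        a, b = rng.randrange(N), rng.randrange(N)
        return [pow(G, a, P) * pow(h, b, P) % P, a, b, 0]   # [y, a, b, length]

    trails = [new_trail() for _ in range(workers)]
    while True:
        for i, (y, a, b, length) in enumerate(trails):
            y, a, b = walk_step(y, a, b, h)
            length += 1
            steps += 1
            if length > MAX_TRAIL:            # stuck in a DP-free cycle: restart
                trails[i] = new_trail()
            elif not is_distinguished(y):
                trails[i] = [y, a, b, length]
            else:
                if y in table and table[y] != (a, b):
                    a2, b2 = table[y]
                    # G^(a + x b) = G^(a2 + x b2)  =>  x (b - b2) = a2 - a  (mod N)
                    if (b - b2) % N:
                        x = (a2 - a) * pow((b - b2) % N, -1, N) % N
                        if pow(G, x, P) == h:
                            return x, steps
                table[y] = (a, b)             # report the DP, then start afresh
                trails[i] = new_trail()

if __name__ == "__main__":
    h = pow(G, 1234, P)                       # constructed instance, x = 1234
    x, steps = parallel_rho(h)
    print(f"x = {x}, total steps = {steps}, heuristic ~{expected_iterations():.0f}")
```

Two details matter in practice and are easy to get wrong: a trail that enters a cycle containing no distinguished point would spin forever without the length cap, and a collision with b ≡ b' (mod n) carries no information and must be discarded rather than divided by zero. Storage is the table of distinguished points only, about one entry per 2^DP_BITS group operations, which is the space advantage over baby-step giant-step that several excerpts on this page mention.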
....in an interval of length at most m. Hence cryptosystem designers have to be careful not to limit the range in which discrete logs lie. The running times of the Shanks and Pollard algorithms have not been improved to any substantial extent. Only improvements by constant factors have been obtained [Pollard2, Teske, VanOorschotW]. There has been progress, on the other hand, in obtaining fast parallel versions [Pollard2, VanOorschotW] in which the elapsed time for the computation shrinks by a factor that is linear in the number of processors used. For the latest applications of these techniques to elliptic curve ....
....discrete logs lie. The running times of the Shanks and Pollard algorithms have not been improved to any substantial extent. Only improvements by constant factors have been obtained [Pollard2, Teske, VanOorschotW]. There has been progress, on the other hand, in obtaining fast parallel versions [Pollard2, VanOorschotW], in which the elapsed time for the computation shrinks by a factor that is linear in the number of processors used. For the latest applications of these techniques to elliptic curve discrete logs, see [EscotSST]. For a state-of-the-art survey on parallel integer factorization, see [Brent]. ....
P. C. Van Oorschot and M. J. Wiener, Parallel collision search with cryptanalytic applications, J. Cryptology, 12 (1999), 1--28.
....of Q to the base P, denoted log_P Q. The problem of finding k, given P, Q, and the parameters of E, is known as the discrete logarithm problem on the elliptic curve. The best known general algorithm for this problem is the Pollard lambda method [5] as parallelized by van Oorschot and Wiener [4]. When M processors are used, the expected running time of this method is √(πn/2)/M steps. Binary anomalous curves were first suggested for use in cryptography by Koblitz [3]; see also Solinas [6]. In this paper, we show how the parallelized Pollard lambda method can be sped up by a factor of ....
....particular, suppose we want to find k = log_P Q, for Q ∈ ⟨P⟩. As usual, the idea is to iterate starting at various equivalence classes of E. When we detect a collision we can (usually) determine k. The algorithm is an analogue of the Pollard lambda algorithm, as parallelized by Wiener and van Oorschot [4]. It is best described in the setting of multiple processors, although it can of course be simulated on a single processor. Suppose we have M processors. On machine i, start iterating on the point R_i, where R_i = u_i P + v_i Q, with u_i, v_i chosen randomly from [0, n − 1]. One iteration ....
P. van Oorschot and M. Wiener, "Parallel collision search with cryptanalytic applications", to appear in Journal of Cryptology.
....each by exhaustion to find the correct triple, or can repeat the experiment to see whether any triple occurs several times. This attack, as described, has incredibly large storage requirements. We have not paid much attention to storage cost, and techniques such as those of van Oorschot and Wiener [19] might well reduce it. Attack 4. Requirements: 170 blocks of known plaintext and ciphertext; 2^120 DES encryptions; 2^64 bits of storage. This attack makes use of the fact that, for a fixed key k_2, as Z ranges over all possible 64-bit message blocks, the function f(Z) = Z ⊕ d(k_2, ....
P.C. van Oorschot and M.J. Wiener, "Parallel collision search with cryptanalytic applications," preprint.
....expected time O(√n) group operations to compute log_g h, where n denotes the order of g. Their space requirements are negligible, and van Oorschot and Wiener [vOW] showed that they can be efficiently parallelized, which makes the rho method one of the most powerful methods known to date to attack the elliptic curve DLP. In the rho method, an iterating function F : G → G is used to define a sequence (y_i) by y_{i+1} = F(y_i) for i = 0, 1, 2, … with some ....
P. C. van Oorschot and M. J. Wiener, Parallel collision search with cryptanalytic applications, to appear in Journal of Cryptology.