Original

1
The Pollard Rho Attack On Elliptic Curve
Cryptosystems

• Original Improved Implementations for solving
  ECDLP over finite fields

2
Why use Elliptic Curves?

• Cryptosystems must be based on mathematical
  problems that are computationally infeasible even
  for large distributed systems
• Discrete Logarithm Problem (DLP) is a popular
  choice as a basis for modern cryptosystems
• DLP is hard but still feasible for sophisticated
  hackers since there are subexponential time
  attacks
• Elliptic curve version of this problem is
  significantly harder no general purpose
  subexponential time algorithms are known

3
Why study Pollard Rho?

• Widely accepted as the best method for solving
  Elliptic Curve Discrete Logarithm Problem (ECDLP)
• Equivalent or better running time than other
  elliptic curve attacks
• Can be parallelized in software or hardware
• Easy to implement
• Negligible storage requirements
• General purpose - works for any instance
  regardless of type or representation of
  underlying finite field

4
Elliptic Curve Cryptosystems

• Based on difficulty of the ECDLP for elliptic
  curves defined over a finite cyclic group
• In practice, the two common groups used are
• Fp 0, 1, p - 1 p is prime
• F 2m b0b1bm bi in (0,1)
• Both groups offer efficiency and freedom from
  round-off errors
• ECDLP is equally hard on curves defined over
  either group, thus both provide same level of
  security

5
Finite field F 24

• Consider the small field F 24 with generator g
  (0010)
• Field contains all powers of g from 1 to n where
  gn (0001)
• Each element can be viewed as a polynomial of
  degree lt 4 (0110) is 0x3 1x2 1x 01
• Addition is done modulo 2 (i.e 1 1 0) this
  is equivalent to bitwise exclusive OR operation
• Subtraction is the same operation
• Multiplication requires special irreducible
  polynomial of degree 4, in this case f(x) x4
  x 1

6
Elliptic Curves over F 2m

• An elliptic curve over F 2m satisfies
• y2 xy x3 ax2 b, a,b ? F 2m , b ? 0
• Includes all points (x,y) that satisfy above
  equation, where x and y are in F 2m (i.e
  m-length binary strings)
• Also includes special point at infinity, which
  is the identity ?
• Number of points on curve is finite and random,
  changing with a and b
• Order of a randomly-generated curve must be
  computed with Schoofs algorithm, which is
  time-consuming!

7
Elliptic Curve Discrete Logarithm Problem

• Consider a curve E(Fq) and point P on E with ltPgt
  P, 2P, 3P nP where nP ?, where ? is
  identity
• ECDLP Given ltPgt with generator P and element Q,
  find integer x where Q xP
• Q is the public key and x is the private key
• P is chosen so n ordltPgt is large
• We use additive notationrather than
  multiplicativeto express exponentiationP3 3P
  P P P

8
Pollards Rho Method

• Generate a sequence of terms in ltPgt called a
  walk using an iterating function F ltPgt ? ltPgt
  
• We set Y0 P
• Then Yi1 F(Yi) for i 0,1,2
• Resulting sequence consists of an initial series
  of terms followed by a cycle of terms and thus
  models the letter Rho

Ym1
Ym
Yn
Y1
Y0
9
Original Pollard Rho

• Partition the group ltPgt into 3 parts of roughly
  equal size, sayS1, S2, and S3
• When adapted for elliptic curves, iteration
  function becomes

• Generates a sequence of terms of form Yk
  akP bkQ where scalars ak and bk are
  calculated
• a0 1 and b0 0 (since Y0 P)
• ak1 ak 1, 2ak, ak mod nbk1 bk, 2bk, bk
  1 mod n

10
Solving for the Private Key

• Compare each new termgenerated with a
  fixednumber of stored termsuntil a match is
  found and we have
• aiP biQ ajP bjQ
• Since Q xP, we get
• ai xbi ? aj xbj mod n
• x (aj - ai)Inv(bi - bj) mod n
• Rho method works only if inverse exists (i.e.
  gcd(bi-bj, n) 1)
• In commercial implementations, n is prime due to
  Pohlig-Hellman, so success rate of Pollard Rho is
  nearly 100

11
Measuring Performance

• Rho method is exponential with running time O(?
  n)
• We calculate the L-factor as followsL no.
  iterations until match found ? n
• Experiments have shown that an iterating function
  that produces a truly random walk should have an
  average L-factor of 1.416
• In this analysis, we consider average L over 500
  instances of the ECDLP for prime order subgroups
  of points on curves defined over F 28

12
Results of Original Pollard Rho

• Results are about 35 slower than ideal norm
  for random walk

13
Why is original so slow?

• Iterating function does yield a truly random walk
  since point additions done at each step are not
  random enoughIf Yk ? S1, Yk1 Yk (1P
  0Q),If Yk ? S2, Yk1 2YkIf Yk ? S3, Yk1
  Yk (0P 1Q)
• In partition 1, we are taking a small step by
  adding only 1P
• In partition 3, when Q is a small scalar value of
  P, we are also taking a small step when Q is
  small
• What happens if we randomize the size of steps
  taken in rules 1 and 3?

14
Modified Original Method

• The iterating function now becomes

where am,bm,an,bn random in 0, n-1
15
Results of Modified Original

• Results are better, but still about 30
  slower than ideal norm for random walk

?
16
Why is modified also slow?

• Iterating function is still limited to three
  rules, which means we can only take three
  different sizes of steps at a given turn
• We wish to explore the group ltPgt in as random as
  fashion as possible, so we should be taking many
  different sized steps
• Work by Teske has shown that increasing number of
  partitions leads to significant performance
  improvement
• We introduce two new walks Adding walks and
  Mixed walks

17
Adding Walks

• Partition the group ltPgt into r parts of roughly
  equal size
• We map an element to a particular partition using
  a hashing function v ltPgt ? 1,r
• Iterating function becomes
• F(Y) Y Mv(Y)
• We have r addition steps, each of which uses a
  representative element Ms for its partition
• Terms Ms are computed as follows
• Ms asP bsQ
• where as,bs random in 0, n-1
• What is the ideal value of r?

18
Adding Walk Results
19
Mixed Walks

• Partition the group ltPgt into rq parts of roughly
  equal size
• With hashing function v ltPgt ? 1,rq, our
  iterating function is

• We have r addition steps using
  representative terms M1, M2Mr, each of which
  is a random linear combination of P and Q
• We have q doubling steps applied for
  partitions r1,q
• What is the ideal ratio of r to q?

20
Mixed Walk Results
21
Mixed Walk Results (contd)
22
Adding vs. Mixed Walks
Adding Mixed

• Using doubling steps only improves
  performance when a small number of additions
  steps are used
• Improvement of doubling steps vanishes well
  below the area of peak performance for adding
  walks
• Can doubling ever help for large r?

23
Hash Function Details

• We examine the original hash function adapted for
  mixed walks, which models v ltPgt ? 1,rq
• Consider Y ? ltPgt, which is a curve point with
  coordinates x, y ? F 2m
• Let l (2m / rq)

• Partitions 1 to r lead to point additions
  and partitions r1 to rq lead to point
  doubling
• Curve points with X values in the upper
  range of F 2m are doubled

24
New Idea Doubling the Identity Point

• Set hash function so identity point is
  doubled
• F(?) ? ? 2? ?
• When we reach ? in our walk, next term
  generated will also be ?
• We then have matching terms and can solve
  for the private key
• Since ? is represented as (0,0), we want
  elements in ltPgt with X value 0 to be mapped
  to a doubling step

25
Partition Shifting

• Perform regular hash operation, then shift result
  to a different partition
• Consider generalized hashing function v(Y) ltPgt
  ? 1,rq
• Define modified hash function
• v(Y) v(Y) k mod rq
• where k ? 1, rq
• Pick k r. Then we shifts terms in partition 1
  to r1, 2 to r2, etc...
• Identity is mapped to a doubling step
• We only need one doubling step, so we set q1 and
  examine the effects of changing r

26
Results of Partition Shifting
r L-factor
Improve-(q1) Original Shift by r ment
() 3 1.714 1.588 7.35
4 1.610 1.499 6.89 6
1.531 1.414 7.64 8
1.492 1.376 7.77 10 1.448
1.363 5.87 15 1.419
1.352 4.72 20 1.437 1.314
8.56 30 1.400 1.285
8.21 40 1.341 1.261 5.97
60 1.325 1.231 7.09 80
1.381 1.243 9.99
27
Analysis of Results

• Partition shifting by a factor of r inmixed
  walks withq1 yields modestperformanceimproveme
  nt
• Average improvement for the 11 values of r shown
  is 7.28
• L values for instances using partition shifting
  follow similar trends for increasing r values as
  those for adding walks with no shifting
• In both cases, peak in performance occurs at or
  around r 60

28
Conclusions

• Original Pollard Rho method does not achieve
  performance of a truly random walk
• Randomizing size of steps taken in original leads
  to a slight speed-up
• Teskes Adding and Mixed walks achieve better
  performance than the average random walk
• Modifying hash function so identity is always
  mapped to a doubling step gives a modest boost to
  performance
• For future improvements, consider defining an
  iterating function where were likely to reach
  identity quickly