FPGA and ASIC Implementation of Rho and P-1 Methods of Factoring. Master s Thesis Presentation Ramakrishna Bachimanchi Director: Dr.

Transcription

1 FPGA and ASIC Implementation of Rho and P-1 Methods of Factoring Master s Thesis Presentation Ramakrishna Bachimanchi Director: Dr. Kris Gaj

2 Contents Introduction Background Hardware Architecture FPGA and ASIC Design Flow Results Conclusions

3 RSA In 1977 Ron Rivest, Adi Shamir & Leonard Adleman developed the first public key cryptosystems, they called RSA

4 RSA Public key {e, N} Private key {d, P,Q} Alice Encryption Network Decryption Bob { e, N } { d, P, Q } N = P Q P, Q - large prime factors e d 1 mod ((P-1)(Q-1))

5 Common Applications of RSA Secure WWW, SSL Network Browser WebServer S/MIME, PGP Alice Bob

6 Recommended key sizes for RSA Size of the RSA key = size of N=P Q Old standard: Individual users New standard: Short-term use ( up to 2010) 512 bits (155 decimal digits) 1024 bits Long-term use 2048 bits

7 Factoring RSA RSA-200 (663-bits) factored by Bahr, Boehm, Frank and Kleinjung When? Dec 2003 May 2005 Effort? First stage: About 1 year on various machines, equivalent to 55 years on Opteron 2.2 GHz CPU Second stage: 3 months on a cluster of GHz Opterons connected via a gigabit network

8 Number Field Sieve Best Algorithm to Factor Large Numbers Complexity: Sub-exponential time and memory N = Number to factor, k = Number of bits of N Exponential function, e k Sub-exponential function, e k1/3 (ln k) 2/3 Polynomial function, a k m

9 Steps of Number Field Sieve (NFS) Polynomial Selection Relation Collection Sieving 200 bit & 350 bit numbers Mini factoring Pollard rho p-1 method ECM Linear Algebra Square Root

10 Rho Algorithm

11 Pollard s Rho Method Birthday paradox: If more than 23 random people are in a room (or even if they aren't) there is a more than 50% probability that the birthdays of two of them fall on the same day of the year.

12 Pollard's rho method - Example N = = x i+1 = x i2 + 1 mod N x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x mod 97: x 2 x 5 x 8 mod q x 1 x 4 x 7 mod q x 0 x 3 x 6 x 9 mod q x 1 x 4 mod q q (x 1 x 4 ) q N q gcd(x 1 x 4, N) q=gcd( , ) = 97

13 Pollard s Rho Method x 3 mod q x 4 mod q x s x e mod q x e mod q.... x e-1 mod q... x s mod q x i+1 mod q x s+1 mod q period=e-s.. x s+2 mod q. x i mod q x 2 mod q x 1 mod q x 0 mod q x s x e mod q x s+1 x e+1 mod q.... x s+k x e+k mod q

14 Rho Algorithm- Floyd s Version Initialize b c x 0 1. ( ) 2 choose the polynomial as f x x a 2. calculate b f ( b) mod n and c f ( f ( c)) mod n 3. compute d gcd( b- c, n) 4. if 1 d n, a non trivial factor of n is found 5. if d 1 go to step 2 if d N change a and go to step 1

15 Rho Method - Floyd s Version x 1 -x 2 x 1 -x 3 x 1 -x 4 x 1 -x 5 x 1 -x x 1 -x i x 2 -x 3 x 2 -x 4 x 2 -x 5 x 2 -x 6 x 2 -x x 2 -x i x 3 -x 4 x 3 -x 5 x 3 -x 6 x 3 -x 7 x 3 -x x 3 -x i x 4 -x 5 x 4 -x 6 x 4 -x 7 x 4 -x 8 x 4 -x x 4 -x i x 5 -x 6 x 5 -x 7 x 5 -x 8 x 5 -x 9 x 5 -x x 5 -x i x 6 -x 7 x 6 -x 8 x 6 -x 9 x 6 -x 10 x 6 -x 11 x 6 -x x 6 -x i x 7 -x 8 x 7 -x 9 x 7 -x 10 x 7 -x 11 x 7 -x 12 x 7 -x 13 x 7 -x x 7 -x i x 8 -x 9 x 8 -x 10 x 8 -x 11 x 8 -x 12 x 8 -x 13 x 8 -x 14 x 8 -x 15 x 8 -x x 8 -x i x k -x k+1 x k -x k+2 x k -x k x k -x 2k x k -x i

16 Pollard s Rho Algorithm - Floyd s Version f(x)=x 2 +a with a {-2,0} # iterations t <100 q max (q max is the maximum factor we expect to find using rho method) We choose random x 0 in the range(0,n-1) and x 1 =f(x 0 ) V 2 V 1 d x 0 d=1 x 2 x 1 d=d*(x 2 -x 1 ) f(f()) f() x 4 x 2 d=d*(x 4 -x 2 ) x 6 x 3 d=d*(x 6 -x 3 )... x t x t/2 d=d*(x t -x t/2 ) x t+2 x (t+2)/2 d=d*(x t+2 -x (t+2)/2 ) x 2i x i d=d*(x 2i -x i ) x 2(i+1) x i+1 d=d*(x 2i+2 -x i+1 ) x 2t x t d=d*(x 2t -x t ) *x 2i+2 =f(f(x 2i )),x i+1 =f(x i ) q=gcd(d,n) Minimization for area and/or memory

17 Rho Algorithm- Floyd s Version Contd. Inputs x a f x x a N t even 2 : 0,, ( ),, (, 2) Outputs : q ( such that q N) v x f ( x ), v x f ( x ), temp v -v x - x, d for ( i 2; i t; i ) { v v v v a v 2 2 v v v a v 2 2 v v v a * all operations are done 1 1 temp v -v mod ulo N 2 1 d d* temp } q gcd ( d, N)

18 Rho Method - Brent s Version x 1 -x 2 x 1 -x 3 x 1 -x 4 x 1 -x 5 x 1 -x x 1 -x i x 2 -x 3 x 2 -x 4 x 2 -x 5 x 2 -x 6 x 2 -x x 2 -x i x 3 -x 4 x 3 -x 5 x 3 -x 6 x 3 -x 7 x 3 -x x 3 -x i x 4 -x 5 x 4 -x 6 x 4 -x 7 x 4 -x 8 x 4 -x x 4 -x i x 5 -x 6 x 5 -x 7 x 5 -x 8 x 5 -x 9 x 5 -x x 5 -x i x 6 -x 7 x 6 -x 8 x 6 -x 9 x 6 -x 10 x 6 -x 11 x 6 -x x 6 -x i x 7 -x 8 x 7 -x 9 x 7 -x 10 x 7 -x 11 x 7 -x 12 x 7 -x 13 x 7 -x x 7 -x i x 8 -x 9 x 8 -x 10 x 8 -x 11 x 8 -x 12 x 8 -x 13 x 8 -x 14 x 8 -x 15 x 8 -x x 8 -x i x k -x k+1 x k -x k+2 x k -x k x 2k -x 2 k + 2 k x 2k -x 2 k+1

19 Rho Method - Brent s Version Sequence of Operations v 2 d v 1 x 2 d=1 x 2 x 3 x 4 d=d*(x 4 -x 2 ) x 4 x 5 x 6 x 7 d*(x 7 -x 4 ) x 8 d*(x 8 -x 4 ) x 8 x 9 x 10 x 11 x 12 x 13 d*(x 13 -x 8 ) x 14 d*(x 14 -x 8 ) Minimization for x 15 d*(x 15 -x 8 ) execution time x 16 d*(x 16 -x 8 ) x 16 24%

20 Rho Algorithm- Brent s Version Inputs x a f x x a N t even 2 : 0,, ( ),, (, 2) Outputs : q ( such that q N) x f ( x ), v v x f ( x ), k for ( i 3; i 2 t; i ) { v f ( v ) if { 2 2 k k-1 k 1 (2 2 1 i 2 ) temp v -v 2 1 d d * temp } if { v k 1 ( i 2 ) v 1 2 k k 1 } } q gcd( d, N)

21 p-1 Algorithm

22 p-1 Algorithm Based on Fermat s Little Theorem a p-1 1(mod p) a m(p-1) 1(mod p) a m(p-1) 1 0(mod p) N number to be factored a, any small integer p, non-trivial factor of N Choose a small number a, such that 1<a<N Choose a special number k Compute a k (mod N) 1 Compute gcd(a k (mod N) 1, N)

23 p-1 algorithm Inputs : N a B 1 B 2 number to be factored arbitrary integer such that gcd(a, N)=1 smoothness bound for Phase1 smoothness bound for Phase2 Outputs: q - factor of N, 1 < q N or FAIL

24 p-1 algorithm Phase 1 ei 1: k p such that p - consecutive primes B k 2: q a mod N 0 3: q gcd( q 1, N) p i 0 i 4 : if q 1 5: return q (factor of N) 6: else 7: go to Phase 2 8: end if i ei e - largest exponent such that p B i precomputations 1 main computations postcomputations i 1

25 p-1 algorithm Phase 2 09: d 1 10: for each prime p B to B do p : d d ( q 1) (mod N) 12 : end for 13: q gcd( d, N) 14: if q 1 then 15: return q 16: else 17: return FAIL 18: end if main computations postcomputations

26 p-1 Phase 1 Numerical example N = = a = 2 B 1 = 20 k = = q 0 =a k mod N = mod = q = gcd ( ; ) = 1361 Why did the method work? q-1 = 1360 = k a k mod q = a (q-1) m mod q = 1 q a k -1

27 Modular Exponentiation- Sliding Window Method Input : g, e ( e e... e, e ) with e 1, and an int eger w 1 Output : g 1. precomputation e 1 2 t t g g, g g 2. A 1, i t 3. while i 0 do the following 2 For i from to do g g g w 1 1 (2 1) : 2i 1 2i 1 * 2 2 if e 0 then do : A A, i i -1 i i-l 1 i i 1 t otherwise ( e 0), find the longest bitstring e e... e such that i - l 1 w and e 4.Re turn( A) l 1, i i i-1 l and do the following 2 A A g( e e... e ) i l *, 1 l

28 Sliding Window Method- Example calculating g 50, e = (110010) 2, window size 2 Pre-computations g 3 Main computations, A , window size = 2 and the value = 11 = 3 A (A) 4.g 3 = g A A 2 = g A A 2 = g , window size = 1 and the value = 1 = 1 A (A) 2.g 1 = g A A 2 = g 50

29 Hardware Architecture

30 Top-level View FPGA / ASIC Control Unit I/O Host computer Global memory Rho, p-1, unified Units RAM

31 Low Level Arithmetic Units

32 Montgomery Multiplication A _M _C hoice B A _M write start w w B M A ws ws ws S1in S2in Es Es Eb Eb loada S1 S2 B reset M reset A (Shift_Reg) reg_rst reg_rst reset clk reset M U LT IPLIE R read S1out S2out zeros Bout zeros w w Mout read w w Ai qi BB mm w w w w A(0) Ai C 32 read done_m ul Based on McIvor, McLoone, et al. Asilomar 2003: full-length CSAs word-length CPAs S1in S2in >>1 >>1 A1 A2 B C CSR42 + ws read ws data_out S2out(0) S1out(0) SUM CARRY sum carry w w S1out(ws-1 downto 0) S2out(ws-1 downto 0) ws ws Bout(0) Ai U V W Y w w w w CSR42 CSA w+1 w+1 CSA w+2 w+2 qi S C

33 Addition / Subtraction a d d r1 W E L a d d r2 B A_M _Choice L U T 3 2 X 3 2 M E M A _ M A_M write add_sub M A _ M _ C h o ic e A _ M B < < 1 2 M clk reset ADDE R/ SUB TRACTO R O P 1 O P 2 E A 3 2 b ti re g A 3 2 b ti re g B E B s u b 32 + s u m 1 s u m 2 E C 1 C read Original design C o u t A D D E R C in C 1 E C 2 C 2 < > re a d s ig n Z

34 Global Memory- Rho n for unit1 n for unit n for unit m Same for all units x 0 a t No. of iterations

35 Local Memory- Rho data_out g_l A_M Grei 32 0 M temp data_in Kout 32 C V1 6 Aaddr 1 V2 u_l a 6 Baddr B 32 d WEA Local Memory 63

36 Computation Flow MUL ADD/SUB 1 to 2t-1 v 2 v 2 2 cond1 temp (v 2 -v 1 ) cond1 d d*temp 1 to 2t-1 v 2 v 2 + a cond1: 2 k +2 k-1 +1 i-1 2 k+1

37 Control Unit - Rho Memory Initialization Main Computations Reading Out Results

38 Global Memory p-1 0 Phase N for unit 1 N for unit 2... N for unit m 0 Phase GCD_table[1]... GCD_table[GMAXD] M min M max Determines j such that 1 j D and gcd(j, D) = 1 g 2 g 1 initial values for All units prime_table[1] prime_table[2] k N... Determines m,j such that P = m.d-j is a prime k prime_table[pmax D ]

39 Local Memory p-1 a) 0 Phase N g 2 g 1 g b) 0 Phase N /d d 2 d d 11 d g s *s = 2 k -1 d 209 d D d m.d 511 d = g e 511 d md - d j x

40 Control Unit Phase 1 Phase 2 Memory Initialization Memory Initialization Pre-Computations Modular Exponentiation Reading Out Results Main-Computations Reading Out Results

41 Unified Architecture ADD/SUB Local Memory for p-1 Control Unit MUL Local Memory for Rho Global Memory

42 Control Unit Memory Initialization Rho-Computations P-1 -Computations Reading Out Results

43 Control Unit Total 17 state machines with 140 states 5 state machines with 45 states in Rho 12 state machines with 103 states in P-1 5 Shift registers 9 Registers 13 Counters 22 Comparators Original design

44 Design Flow

45 FPGA vs ASIC FPGA Field Programmable Gate Array Array of logic blocks Switchable interconnect resources Final user can set switches Immediate use ( Zero fab time) Not good for high volume applications ASIC Application Specific Integrated Circuit Standard cells and Macros Requires full manufacturing sequence Good for high volume applications

46 FPGA Design Flow Design Entry Design Verification Specification RTL Description (VHDL / Verilog HDL) Functional Simulation Synthesis Post-Synthesis Simulation Implementation Timing Simulation Configuration On Chip Testing

47 ASIC Design Flow Front-End Design Synthesis Timing Analysis Design Analyzer Primetime Back-End Design Floorplanning Placement Clock Tree Synthesis Astro Routing Design for Manufacturing

48 Results

49 Families of Xilinx FPGA Devices Low-cost High-performance Spartan 3 Virtex II (< $130*) (< $2,700*) Spartan 3E Virtex 4 (< $35*) (< $3,000*) *approximate cost of the largest device per unit for a batch of 10,000 units

50 FPGA Implementation of Single Units Results Rho P-1 Unified Resources -CLB Slices 1,680(4%) 1,749(5%) 2,042(6%) -LUTs 2,714(4%) 2,875(4%) 3,451(5%) -FFs 1,518(2%) 1,645(2%) 1,740(2%) -BRAMs 0/144 2/144 2/144 Max. Clock Frequency 130 MHz 131 MHz 115 MHz Target device is Virtex II XC2v6000-6

51 Number of unified units per FPGA Spartan 3 Virtex II Spartan 3E Virtex 4 XC3S XC2V XC3S XC4VLX Low-cost High-performance Low-cost High-performance

52 Performance Unified Operations per Second 2, x 1.41 x Spartan 3 Virtex II Spartan 3E Virtex 4 XC3S XC2V XC3S XC4VLX Low-cost High-performance Low-cost High-performance

53 Performance to cost ratio Unified Operations per second per $ x 14.9 x Spartan 3 Virtex II Spartan 3E Virtex 4 XC3S XC2V XC3S XC4VLX Low-cost High-performance Low-cost High-performance

54 ASIC - Layout of p-1 - floorplanning

55 Layout of p-1 - placement

56 Layout of p-1 clock tree synthesis

57 Layout of p-1 Global Routing

58 Layout of p-1 Detailed Routing

59 Results - ASIC Implementation Unified architecture Operation rho p-1 Area 1.15 mm mm2 1.8 mm2 Max. Clock Frequency 200 MHz 200MHz 200 MHz Time for execution 3.52 ms 9.56 ms 13.1 ms # of operations per second (using maximum no. of units) 96,022 34,100 16,615 Core utilization ratio 70% 70% 65% Area of Virtex II FPGA is x 19.8 mm2 (estimation by R.J. Lim Fong, MS Thesis, VPI, 2004)

60 FPGA vs ASIC - Area 338 ASIC FPGA x Rho x x P-1 Unified Area of Virtex II FPGA is x 19.8 mm2 (estimation by R.J. Lim Fong, MS Thesis, VPI, 2004)

61 Rho in an ASIC 130 nm Global Memory Local Memory

62 ASIC 130 nm vs. Virtex II 6000 rho (20 units) mm mm 51x Area of Virtex II 6000 (estimation by R.J. Lim Fong, MS Thesis, VPI, 2004) 2.7 mm 2.82 mm Area of an ASIC with equivalent functionality

63 ASICs vs. FPGAs Source: I. Kuon, J. Rose, University of Toronto Measuring the Gap Between FPGAs and ASICs IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 62, no. 2, Feb 2007.

64

65

66 Contributions Verified the VHDL code through functional and timing simulation by comparison with the operation of test software implementation written in C. Ported the VHDL code to 4 different families of FPGA devices and to a standard-cell ASIC based on 130 nm TSMC library

67 Conclusions Low-cost FPGA devices, such as Spartan 3, outperformed high-performance devices, such as Virtex II, in terms of performance to cost ratio by a factor of 14.9 ASIC Implementation outperforms FPGA with a factor of 50* in terms of area and 1.5 times in terms of frequency. *In case of rho it is 50, for other architectures it may be less

68 Conclusions Low cost FPGA devices Spartan 3 and Spartan 3E are suitable for code-breaking ASIC implementation is suitable when large number of chips (>1,000,000) are considered

69 Future Work Implementation of Trial Division in Hardware Implementation of ECM in Hardware using one multiplier and one adder/subtractor Integrating Trial division, Rho, P-1 and ECM to build a co-factoring machine Experiments on COPACOBANA

70 Thank you! Questions???