Resolution of Linear Algebra for the Discrete Logarithm Problem Using GPU and Multi-core Architectures
In cryptanalysis, solving the discrete logarithm problem (DLP) is key to
assessing the security of many public-key cryptosystems. The index-calculus
methods, which attack the DLP in multiplicative subgroups of finite fields,
require solving large sparse systems of linear equations modulo large primes.
This article deals with how we can run this computation on GPU- and
multi-core-based clusters, featuring InfiniBand networking. More specifically,
we present the sparse linear algebra algorithms that are proposed in the
literature, in particular the block Wiedemann algorithm. We discuss the
parallelization of the central matrix--vector product operation from both
algorithmic and practical points of view, and illustrate how our approach has
contributed to the recent record-sized DLP computation in GF().
Comment: Euro-Par 2014 Parallel Processing, Aug 2014, Porto, Portugal.
<http://europar2014.dcc.fc.up.pt/>
Hadronic freeze-out following a first order hadronization phase transition in ultrarelativistic heavy-ion collisions
We analyze the hadronic freeze-out in ultra-relativistic heavy ion collisions
at RHIC in a transport approach which combines hydrodynamics for the early,
dense, deconfined stage of the reaction with a microscopic non-equilibrium
model for the later hadronic stage at which the hydrodynamic equilibrium
assumptions are not valid. With this ansatz we are able to self-consistently
calculate the freeze-out of the system and determine space-time hypersurfaces
for individual hadron species. The space-time domains of the freeze-out for
several hadron species are found to be actually four-dimensional, and differ
drastically for the individual hadron species. Freeze-out radii distributions
are similar in width for most hadron species, even though the Omega-baryon is
found to be emitted rather close to the phase boundary and shows the smallest
freeze-out radii and times among all baryon species. The total lifetime of the
system does not change by more than 10% when going from SPS to RHIC energies.
Comment: 11 pages, 4 eps-figures included, revised version
Space-time evolution and HBT analysis of relativistic heavy ion collisions in a chiral SU(3) x SU(3) model
The space-time dynamics and pion-HBT radii in central heavy ion-collisions at
CERN-SPS and BNL-RHIC are investigated within a hydrodynamic simulation. The
dependence of the dynamics and the HBT-parameters on the EoS is studied with
different parametrisations of a chiral SU(3) sigma-omega model. The
self-consistent collective expansion includes the effects of effective hadron
masses, generated by the nonstrange and strange scalar condensates. Different
chiral EoS show different types of phase transitions and even a crossover. The
influence of the order of the phase transition and of the difference in the
latent heat on the space-time dynamics and pion-HBT radii is studied. A small
latent heat, i.e. a weak first-order chiral phase transition, or even a smooth
crossover leads to distinctly different HBT predictions than a strong first
order phase transition. A quantitative description of the data, both at SPS
energies as well as at RHIC energies, appears difficult to achieve within the
ideal hydrodynamical approach using the SU(3) chiral EoS. A strong first-order
quasi-adiabatic chiral phase transition seems to be disfavored by the pion-HBT
data from CERN-SPS and BNL-RHIC.
Comparison of space-time evolutions of hot/dense matter in =17 and 130 GeV relativistic heavy ion collisions based on a hydrodynamical model
Based on a hydrodynamical model, we compare 130 GeV/ Au+Au collisions at
RHIC and 17 GeV/ Pb+Pb collisions at SPS. The model well reproduces the
single-particle distributions of both RHIC and SPS.
The numerical solution indicates that the huge amount of collision energy in RHIC
is mainly used to produce a large extent of hot fluid rather than to make
high-temperature matter; the longitudinal extent of the hot fluid in RHIC is much
larger than that of SPS, and the initial energy density of the fluid is only 5%
higher than the one in SPS. The solution well describes the HBT radii at SPS
energy but shows some deviations from the ones at RHIC.
Comment: 28 pages, 21 figures, REVTeX4, one figure is added and some figures
are replaced
Improving the Berlekamp Algorithm for Binomials x^n - a
In this paper, we describe an improvement of the Berlekamp algorithm, a method for factoring univariate polynomials over finite fields, for binomials x^n - a over finite fields F_q. More precisely, we give a deterministic algorithm for solving the equation h(x)^q ≡ h(x) (mod x^n - a) directly, without applying the sweeping-out method to the corresponding coefficient matrix. We show that the factorization of binomials using the proposed method is performed in Õ(n log q) operations in F_q if we apply a probabilistic version of the Berlekamp algorithm after the first step, which is the step in which we propose an improvement. Our method is asymptotically faster than known methods for certain ranges of q and n, and as fast as them for the others.
Solving a 676-Bit Discrete Logarithm Problem in GF(3^{6n})
Pairings on elliptic curves over finite fields are crucial for constructing various cryptographic schemes. The \eta_T pairing on supersingular curves over GF(3^n) is particularly popular since it is efficiently implementable. Taking into account the Menezes-Okamoto-Vanstone (MOV) attack, the discrete logarithm problem (DLP) in GF(3^{6n}) becomes a concern for the security of cryptosystems using \eta_T pairings in this case. In 2006, Joux and Lercier proposed a new variant of the function field sieve in the medium prime case, named JL06-FFS. We have, however, not yet found any practical implementation of JL06-FFS over GF(3^{6n}). Therefore, we first produced such an implementation, and we successfully set a new record for solving the DLP in GF(3^{6n}): the DLP in GF(3^{6 \cdot 71}), of 676-bit size. In addition, we also compared JL06-FFS with an earlier version, named JL02-FFS, in practical experiments. Our results confirm that the former is several times faster than the latter under certain conditions.
Algebraic Cryptanalysis of Curry and Flurry using Correlated Messages
In \cite{BPW}, Buchmann, Pyshkin and Weinmann have described two families of
Feistel and SPN block ciphers called Flurry and Curry
respectively. These two families of ciphers are fully parametrizable and have
a sound design strategy against basic statistical attacks, i.e. linear and
differential attacks. The encryption process can be easily described by a set
of algebraic equations. These ciphers are therefore targets of choice for
algebraic attacks. In particular, the key recovery problem has been reduced to
changing the order of a Groebner basis \cite{BPW,BPWext}. This attack,
although more efficient than linear and differential attacks, remains
quite limited. The purpose of this paper is to overcome this limitation by
using a small number of suitably chosen message/ciphertext pairs to
improve algebraic attacks. It turns out that this approach makes it possible to go one
step further in the (algebraic) cryptanalysis of Flurry and
Curry. To explain the behavior of our attack, we have established an
interesting connection between algebraic attacks and high order differential
cryptanalysis \cite{Lai}. From extensive experiments, we estimate that our
approach, which we call an "algebraic-high order
differential cryptanalysis", is polynomial when the Sbox is a power function.
As a proof of concept, we have been able to break Flurry, up to
rounds, in a few hours.