Accelerating Iterative SpMV for the Discrete Logarithm Problem Using GPUs

Abstract

In the context of cryptanalysis, computing discrete logarithms in large cyclic groups using index-calculus-based methods, such as the number field sieve or the function field sieve, requires solving large sparse systems of linear equations modulo the group order. Most of the fast algorithms used to solve such systems — e.g., the conjugate gradient or the Lanczos and Wiedemann algorithms — iterate a product of the corresponding sparse matrix with a vector (SpMV). This central operation can be accelerated on GPUs using specific computing models and addressing patterns, which increase the arithmetic intensity while reducing irregular memory accesses. In this work, we investigate the implementation of SpMV kernels on NVIDIA GPUs, for several representations of the sparse matrix in memory. We explore the use of Residue Number System (RNS) arithmetic to accelerate modular operations. We target linear systems arising when attacking the discrete logarithm problem on groups of size 100 to 1000 bits, which includes the relevant range for current cryptanalytic computations. The proposed SpMV implementation contributed to solving the discrete logarithm problem in GF(\(2^{619}\)) and GF(\(2^{809}\)) using the FFS algorithm.

Appendices

A Formats and GPU Kernels of SpMV

B Resolution of Linear Algebra of the Function Field Sieve

The linear algebra step consists of solving the system \(Aw=0\), where \(A\) is the matrix produced by the filtering step of the FFS algorithm. \(A\) is singular and square. Finding a vector of the kernel of the matrix is generally sufficient for the FFS algorithm.

The simple Wiedemann algorithm [27] which resolves such a system, is composed of three steps:

• Scalar products: It consists on the computation of a sequence of scalars \(a_i = \,^txA^i y\), where \(0 \le i \le 2N\), and \(x\) and \(y\) are random vectors in \((\mathbb {Z}/\ell \mathbb {Z})^N\). We take \(x\) in the canonical basis, so that instead of performing a full dot product between \(^tx\) and \(A^i y\), we just store the element of \(A^i y\) that corresponds to the non-zero coordinate of \(x\).

• Linear generator: Using the Berlekamp-Massey algorithm, this step computes a linear generator of the \(a_i\)’s. The output \(F\) is a polynomial whose coefficients lie in \(\mathbb {Z}/\ell \mathbb {Z}\), and whose degree is very close to \(N\).

• Evaluation: The last step computes \(\sum _{i=0}^{deg(F)}{A^iF_iy}\), where \(F_i\) is the \(i^{th}\) coefficient of \(F\). The result is with high probability a non-zero vector of the kernel of \(A\).

The Block Wiedemann algorithm [11] proposes to use \(m\) random vectors for \(x\) and \(n\) random vectors for \(y\). The sequence of scalars is thus replaced by a sequence of \(m \times n\) matrices and the numbers of iterations of the first and third steps become \((N/n + N/m)\) and \(N/n\), respectively. The \(n\) subsequences can be computed independently and in parallel. So, the block Wiedemann method allows to distribute the computation without an additional overhead [25].

1.1 B.1 Linear Algebra of FFS for GF(\(2^{619}\))

The matrix has 650 k rows and columns. The prime \(\ell \) is 217 bits. The computation was completed using the simple Wiedemann algorithm on a single NVIDIA GeForce GTX 580. The overall computation needed 16 GPU hours and 1 CPU hour.

1.2 B.2 Linear Algebra of FFS for GF(\(2^{809}\))

The matrix has 3.6M rows and columns. The prime \(\ell \) is 202 bits. We run a Block Wiedemann on a cluster of 8 GPUs. We used 4 distinct nodes, each equipped with two NVIDIA Tesla M2050 graphics processors, and ran the Block Wiedemann algorithm with blocking parameters \(m=8\) and \(n=4\). The overall computation required 4.4 days in parallel on the 4 nodes.

These two computations were part of record-sized discrete logarithm computations in a prime-degree extension field [3, 10].