Skip to main content
SpringerLink
Log in

Harder, better, faster, stronger: elliptic curve discrete logarithm computations on FPGAs

  • Regular Paper
  • Published:
Journal of Cryptographic Engineering Aims and scope Submit manuscript

Abstract

Computing discrete logarithms takes time. It takes time to develop new algorithms, choose the best algorithms, implement these algorithms correctly and efficiently, keep the system running for several months, and, finally, publish the results. In this paper, we present a highly performant architecture that can be used to compute discrete logarithms of Weierstrass curves defined over binary fields and Koblitz curves using FPGAs. We used the architecture to compute for the first time a discrete logarithm of the elliptic curve sect113r1, a previously standardized binary curve, using 10 Kintex-7 FPGAs. To achieve this result, we investigated different iteration functions, used a negation map, dealt with the fruitless cycle problem, built an efficient FPGA design that processes 900 million iterations per second, and we tended for several months the optimized implementations running on the FPGAs.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5

Similar content being viewed by others

References

  1. Babbage, S., Catalano, D., Cid, C., de Weger, B., Dunkelman, O., Gehrmann, C., Granboulan, L., Güneysu, T., Hermans, J., Lange, T. Lenstra, A., Mitchell, C., Näslund, M., Nguyen, P., Paar, C., Paterson, K., Pelzl, J., Pornin, T., Preneel, B., Rechberger, C., Rijmen, V., Robshaw, M., Rupp, A., Schläffer, M., Vaudenay, S., Vercauteren, F., Ward, M.: ECRYPT II yearly report on algorithms and keysizes (2011-2012). Available online at http://www.ecrypt.eu.org/ (2012)

  2. Bailey, D.V., Baldwin, B., Batina, L., Bernstein, D.J., Birkner, P., Bos, J.W., van Damme, G., de Meulenaer, G., Fan, J., Güneysu, T., Gurkaynak, F., Kleinjung, T., Lange, T., Mentens, N., Paar, C., Regazzoni, F., Schwabe, P., Uhsadel, L.: The Certicom Challenges ECC2-X. IACR Cryptology ePrint Archive, Report 2009/466 (2009)

  3. Bailey, D.V., Batina, L., Bernstein, D.J., Birkner, P., Bos, J.W., Chen, H.-C., Cheng, C.-M., van Damme, G., de Meulenaer, G., Perez, L.J.D., Fan, J., Güneysu, T., Gurkaynak, F., Kleinjung, T., Lange, T., Mentens, N., Niederhagen, R., Paar, C., Regazzoni, F., Schwabe, P., Uhsadel, L., Herrewege, A.V., Yang, B.-Y.: Breaking ECC2K-130. IACR Cryptology ePrint Archive, Report 2009/541 (2009)

  4. Barker, E., Roginsky, A.: Recommendation for cryptographic key generation. NIST Special Publ. 800, 133 (2012)

    Google Scholar 

  5. Bernstein, D.J.: Batch binary edwards. In: Advances in Cryptology-CRYPTO 2009, LNCS, vol. 5677, pp. 317–336. Springer, Berlin (2009)

  6. Bernstein, D.J.: Binary batch edwards 113-bit multiplier. http://binary.cr.yp.to/bbe251/113.gz (2009). Accessed Oct 2013

  7. Bernstein, D.J., Lange, T., Schwabe, P.: On the correct use of the negation map in the Pollard rho method. In: Public Key Cryptography—PKC 2011, LNCS, vol. 6571, pp. 128–146. Springer, Berlin (2011)

  8. Bos, J.W., Kaihara, M.E., Kleinjung, T., Lenstra, A.K., Montgomery, P.L.: Solving a 112-bit prime elliptic curve discrete logarithm problem on game consoles using sloppy reduction. Int. J. Appl. Cryptogr. 2(3), 212–228 (2012)

    Article  MathSciNet  MATH  Google Scholar 

  9. Bos, J.W., Kleinjung, T., Lenstra, A.K.: On the use of the negation map in the Pollard rho method. In: Algorithmic Number Theory—ANTS-IX, LNCS, vol. 6197, pp. 66–82. Springer, Berlin (2010)

  10. Certicom Research. The Certicom ECC challenge. Available online at https://www.certicom.com/index.php/the-certicom-ecc-challenge (1997)

  11. Certicom Research. Standards for efficient cryptography, SEC 1: elliptic curve cryptography, Version 1.0. Available online at http://www.secg.org/ (2000)

  12. Cohen, H., Frey, G., Avanzi, R., Doche, C., Lange, T., Nguyen, K., Vercauteren, F. (eds.): Handbook of Elliptic and Hyperelliptic Curve Cryptography. Discrete Mathematics and its Applications. Chapman & Hall/CRC, Boca Raton (2006)

  13. de Dormale, G.M., Bulens, P., Quisquater, J.-J.: Collision search for elliptic curve discrete logarithm over GF(\(2^m\)) with FPGA. In: Cryptographic Hardware and Embedded Systems—HES, LNCS, pp. 378–393. Springer, Berlin (2007)

  14. Engels, S.: Breaking ECC2-113: efficient implementation of an optimized attack on a reconfigurable hardware cluster. Master’s thesis, Ruhr Universityät Bochum (2014)

  15. Fan, J., Bailey, D.V., Batina, L., Güneysu, T., Paar, C., Verbauwhede, I.: Breaking elliptic curve cryptosystems using reconfigurable hardware. In: Field Programmable Logic and Applications (FPL), pp. 133–138. IEEE (2010)

  16. Frey, G., Rück, H.-G.: A remark concerning \(m\)-divisibility and the discrete logarithm in the divisor class group of curves. Math. Comput. 62(206), 865–874 (1994)

  17. Gallant, R., Lambert, R., Vanstone, S.: Improving the parallelized Pollard lambda search on anomalous binary curves. Math. Comput. Am. Math. Soc. 69(232), 1699–1705 (2000)

    Article  MathSciNet  MATH  Google Scholar 

  18. Gaudry, P., Hess, F., Smart, N.P.: Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptol. 15(1), 19–46 (2002)

    Article  MathSciNet  MATH  Google Scholar 

  19. Giry, D.: BlueKrypt—v28.4—Cryptographic key length recommendation. http://www.keylength.com/en/. Accessed Feb 2015

  20. Güneysu, T., Paar, C., Pelzl, J.: Attacking elliptic curve cryptosystems with Special-Purpose Hardware. In: ACM/SIGDA Symposium on Field Programmable Gate Arrays (FPGA), pp. 207–215. ACM Press (2007)

  21. Hankerson, D., Vanstone, S., Menezes, A.J.: Guide to Elliptic Curve Cryptography. Springer, Berlin (2004)

    MATH  Google Scholar 

  22. Harley, R.: Elliptic curve discrete logarithms: ECC2K-108. Available online at http://cristal.inria.fr/~harley/ecdl7/readMe.html (2000)

  23. Itoh, T., Tsujii, S.: A fast algorithm for computing multiplicative inverses in gf(\(2^m\)) using normal bases. Inf. Comput. 78(3), 171–177 (1988)

    Article  MathSciNet  MATH  Google Scholar 

  24. Judge, L., Mane, S., Schaumont, P.: A Hardware-accelerated ECDLP with high-performance modular multiplication. Int. J. Reconfigurable Comput 2012 (2012)

  25. Mane, S., Judge, L., Schaumont, P.: An integrated prime-field ECDLP hardware accelerator with high-performance modular arithmetic units. In: Reconfigurable Computing and FPGAs—ReConFig, pp. 198–203. IEEE (2011)

  26. Mastrovito, E.D.: VLSI designs for multiplication over finite fields GF(\(2^m\)). In: Applied Algebra, Algebraic Algorithms and Error-Correcting Codes, pp. 297–309. Springer, Berlin (1988)

  27. Menezes, A.J., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. Trans. Inf. Theory 39(5), 1639–1646 (1993)

    Article  MathSciNet  MATH  Google Scholar 

  28. Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)

    Article  MathSciNet  MATH  Google Scholar 

  29. Pohlig, S.C., Hellman, M.E.: An improved algorithm for computing logarithms over \(GF(p)\) and its cryptographic significance. Trans. Inf. Theory 24(1), 106–110 (1978)

    Article  MathSciNet  MATH  Google Scholar 

  30. Pollard, J.M.: A Monte Carlo method for factorization. BIT Numer. Math. 15(3), 331–334 (1975)

    Article  MathSciNet  MATH  Google Scholar 

  31. Rodríguez-Henríquez, F., Koç, Ç.: On fully parallel Karatsuba multipliers for GF(\(2^m\)). J. Comput. Sci. Technol. 1, 405–410 (2003)

  32. Teske, E.: Speeding up Pollard’s rho method for computing discrete logarithms. In: Algorithmic Number Theory, LNCS, vol. 1423, pp. 541–554. Springer, Berlin (1998)

  33. van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999)

    Article  MathSciNet  MATH  Google Scholar 

  34. Wenger, E., Wolfger, P.: ECC Breaker source code. http://www.iaik.tugraz.at/content/research/opensource/ecc_breaker/. Accessed Feb 2015

  35. Wenger, E., Wolfger, P.: Solving the discrete logarithm of a 113-bit Koblitz curve with an FPGA cluster. In: Selected Areas in Cryptography—SAC, LNCS, vol. 8781, pp. 363–379. Springer, Berlin (2014)

  36. Wiener, M.J., Zuccherato, R.J.: Faster attacks on elliptic curve cryptosystems. In: Selected Areas in Cryptography—SAC, LNCS, vol. 1556, pp. 190–200. Springer, Berlin (1999)

  37. Xilinx Inc. Xilinx Kintex-7 FPGA KC705 Evaluation Kit. http://www.xilinx.com/products/boards-and-kits/ek-k7-kc705-g.html. Accessed Feb (2015)

Download references

Acknowledgments

The authors are grateful to the University of Applied Sciences Upper Austria who provided 16 ML605 boards, the companies so-logic GmbH Co KG and Xilinx, Inc. who provided us with several Kintex-7 FPGAs, and colleagues who recommended to take advantage of the simultaneous inversion technique. This work has been supported by the European Commission through the FP7 program under project number 610436 (project MATTHEW), and the Secure Information Technology Center-Austria (A-SIT).

Author information

Authors and Affiliations

  1. Graz University of Technology, Inffeldgasse 16a/I, Graz, 8010, Austria

    Erich Wenger

  2. So-Logic GmbH Co KG, Lustkandlgasse 52/22, Vienna, 1090, Austria

    Paul Wolfger

Authors
  1. Erich Wenger
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Paul Wolfger
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Erich Wenger.

Appendices

Appendix A: Targeted curve and target point pair selection

figure a

To proof that the discrete logarithm was actually computed without knowing it in advance, a point generation function was needed. The Sage code in Listing 1 was used to deterministically and pseudo-randomly generate two points with order n using Sage. As P and Q are generated pseudo-randomly, their discrete logarithm is unknown. The Sage script also checks the point orders and the validity of the computed result. Table 5 summarizes all parameters needed for the discrete logarithm computation.

Table 5 Curve parameters of targeted elliptic curve sect113r1
Full size table

Appendix B: Binary Karatsuba \(\mathbb {F}_{2^{113}}\) multiplier

Algorithm 1 gives the top-level \(\mathbb {F}_{2^{113}}\) multiplier formulas. KS64, KS32, and KS16 are 64-bit, 32-bit, and 16-bit binary Karatsuba multipliers, respectively.

figure b

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Wenger, E., Wolfger, P. Harder, better, faster, stronger: elliptic curve discrete logarithm computations on FPGAs. J Cryptogr Eng 6, 287–297 (2016). https://doi.org/10.1007/s13389-015-0108-z

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s13389-015-0108-z

Keywords

Search

Navigation