Breaking ECC2K-130

Elliptic-curve cryptography is becoming the standard public-key primitive not only for mobile devices but also for high-security applications. Advantages are the higher cryptographic strength per bit in comparison with RSA and the higher speed in implementations. To improve understanding of the exact strength of the elliptic-curve discrete-logarithm problem, Certicom has published a series of challenges. This paper describes breaking the ECC2K-130 challenge using a parallelized version of Pollard's rho method. This is a major computation bringing together the contributions of several clusters of conventional computers, PlayStation 3 clusters, computers with powerful graphics cards and FPGAs. We also give estimates for an ASIC design. In particular we present

- our choice and analysis of the iteration function for the rho method;
- our choice of finite field arithmetic and representation;
- detailed descriptions of the implementations on a multitude of platforms: CPUs, Cells, GPUs, FPGAs, and ASICs;
- timings for CPUs, Cells, GPUs, and FPGAs; and
