Harder, better, faster, stronger: elliptic curve discrete logarithm computations on FPGAs

Computing discrete logarithms takes time. It takes time to develop new algorithms, choose the best ones, implement them correctly and efficiently, keep the system running for several months, and, finally, publish the results. In this paper we present a high-performance FPGA architecture for computing discrete logarithms on Weierstrass curves defined over binary fields, including Koblitz curves. We used this architecture to compute, for the first time, a discrete logarithm on the elliptic curve sect113r1, a previously standardized binary curve, using 10 Kintex-7 FPGAs. To achieve this result we investigated different iteration functions, used the negation map, dealt with the fruitless-cycle problem, built an efficient FPGA design that processes 900 million iterations per second, and tended the optimized implementations running on the FPGAs for several months.
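The following Python program is an added example, not the paper's code or FPGA design: it implements at toy scale the ingredients the abstract lists (an r-adding iteration function, the negation map, distinguished points reported to a central table, and a deterministic escape from fruitless 2-cycles) on a binary Weierstrass curve over GF(2^15) instead of sect113r1. Every parameter in it is an assumption chosen for size, not taken from the paper: the field polynomial x^15 + x + 1, the curve coefficient b and base point found by brute-force search, 16 random steps, a distinguished-point fraction of 1/8, a per-walk step budget, and the 2-cycle escape by doubling. The paper's own iteration function and cycle handling are not reproduced here.

```python
"""Toy parallel collision search for the ECDLP on y^2 + xy = x^3 + A x^2 + B over GF(2^15).
Added illustration, not the paper's FPGA design; all parameters are assumed toy values."""
import random

M, ORDER = 15, (1 << 15) - 1
POLY = (1 << 15) | (1 << 1) | 1          # x^15 + x + 1, assumed primitive over GF(2)
EXP, LOG, e = [0] * ORDER, [0] * (1 << M), 1
for i in range(ORDER):                   # log/antilog tables: O(1) multiply and invert
    EXP[i], LOG[e] = e, i
    e = (e << 1) ^ (POLY if e >> (M - 1) else 0)
assert len(set(EXP)) == ORDER, "POLY is not primitive"

def fmul(u, v):
    return 0 if u == 0 or v == 0 else EXP[(LOG[u] + LOG[v]) % ORDER]

def finv(u):                             # u != 0
    return EXP[(ORDER - LOG[u]) % ORDER]

def fhalftrace(u):                       # M odd: returns z with z^2 + z = u whenever Tr(u) = 0
    z = 0
    for _ in range((M + 1) // 2):        # z = u + u^4 + u^16 + ... + u^(2^(M-1))
        z, u = z ^ u, fmul(fmul(u, u), fmul(u, u))
    return z

A, B = 1, None                           # B is picked by choose_curve()

def ec_add(P, Q):                        # affine group law; None is the point at infinity
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 != x2:
        lam = fmul(y1 ^ y2, finv(x1 ^ x2))
    elif y1 ^ y2 == x1:                  # Q == -P == (x1, x1 + y1)
        return None
    else:
        lam = x1 ^ fmul(y1, finv(x1))    # doubling
    x3 = fmul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, fmul(lam, x1 ^ x3) ^ x3 ^ y1)

def ec_mul(k, P):
    R = None
    while k:
        R, P, k = (ec_add(R, P) if k & 1 else R), ec_add(P, P), k >> 1
    return R

def lift_x(x):                           # x != 0: y = x*z with z^2 + z = (x^3 + A x^2 + B)/x^2
    x2 = fmul(x, x)
    d = fmul(fmul(x, x2) ^ fmul(A, x2) ^ B, finv(x2))
    z = fhalftrace(d)
    return (x, fmul(x, z)) if fmul(z, z) ^ z == d else None   # None when Tr(d) = 1

def choose_curve(seed=1):                # brute force, toy sizes only: B and a point P of prime order p
    global B
    rng = random.Random(seed)
    while True:
        B = rng.randrange(1, 1 << M)
        P = lift_x(rng.randrange(1, 1 << M))
        P = ec_add(P, P) if P else None  # clear the cofactor 2 (Tr(A) = 1, so #E = 2 * odd)
        p, R = 1, P                      # order of P by repeated addition (p = 1 if no point)
        while R is not None:
            R, p = ec_add(R, P), p + 1
        if p >= 1 << 12 and all(p % f for f in range(2, int(p ** 0.5) + 1)):
            return P, p

def canon(W, a, b, p):                   # negation map: the member of {W, -W} with the smaller y;
    x, y = W                             # -W = (x, x + y), so x alone identifies the class
    return ((x, x ^ y), -a % p, -b % p) if (x ^ y) < y else (W, a, b)

def walk(a, b, P, Q, p, steps, dp_mask, max_steps=4096):
    W, p1, p2 = ec_add(ec_mul(a, P), ec_mul(b, Q)), None, None  # p1, p2: last two canonical states
    for _ in range(max_steps):
        if W is None:                                  # point at infinity (probability ~1/p): abandon
            return None
        W, a, b = canon(W, a, b, p)
        if p2 is not None and W == p2[0]:              # fruitless 2-cycle {p2, p1} from the negation map:
            E = min(p1, p2, key=lambda s: s[0][0])     # escape by doubling its member with smaller x,
            W, a, b = canon(ec_add(E[0], E[0]), 2 * E[1] % p, 2 * E[2] % p, p)  # same exit for every walk
            p1 = p2 = None
        if W[0] & dp_mask == 0:                        # distinguished point: hand it to the table
            return W, a, b
        c, d, S = steps[(W[0] >> 4) % len(steps)]      # step index from bits disjoint from dp_mask
        W, a, b, p1, p2 = ec_add(W, S), (a + c) % p, (b + d) % p, (W, a, b), p1
    return None                                        # longer fruitless cycle: abandon this walk

def ecdlp_rho(P, Q, p, seed=2, r=16, dp_mask=7):       # solves Q = kP, returns k
    rng = random.Random(seed)
    steps = [(c, d, ec_add(ec_mul(c, P), ec_mul(d, Q)))        # random steps R_j = c_j P + d_j Q
             for c, d in [(rng.randrange(1, p), rng.randrange(1, p)) for _ in range(r)]]
    steps = [s for s in steps if s[2] is not None]             # R_j = O would be a useless step
    table = {}                                                 # distinguished x -> (a, b): the central table
    while True:
        res = walk(rng.randrange(1, p), rng.randrange(1, p), P, Q, p, steps, dp_mask)
        if res is None:
            continue
        (x, _), a, b = res
        if x not in table:
            table[x] = (a, b)
        elif table[x][1] != b:                                 # aP + bQ = a0 P + b0 Q  =>  k = (a0 - a)/(b - b0)
            a0, b0 = table[x]
            k = (a0 - a) * pow(b - b0, -1, p) % p
            if ec_mul(k, P) == Q:
                return k
```

Two points carry over from the toy to the real computation. The negation map halves the effective group size and so saves a factor of about sqrt(2) in the expected number of iterations, but only if the escape from a fruitless cycle is a deterministic function of the cycle itself, so that two walks that fall into the same cycle leave it at the same point and can still collide; the walk above guarantees this by always doubling the cycle member with the smaller x-coordinate, and simply abandons a walk after its step budget instead of handling longer cycles. Distinguished points are what make the search parallel: every walk (every FPGA core, in the paper's setting) iterates independently and reports only points whose x-coordinate ends in the chosen zero bits, and a collision is detected when two walks report the same distinguished point with different coefficients (a, b).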
