research-article

Special-Purpose Hardware for Solving the Elliptic Curve Discrete Logarithm Problem

Authors:

Jan PelzlAuthors Info & Claims

ACM Transactions on Reconfigurable Technology and Systems (TRETS), Volume 1, Issue 2

Article No.: 8, Pages 1 - 21

https://doi.org/10.1145/1371579.1371580

Published: 01 June 2008 Publication History

Abstract

The resistance against powerful index-calculus attacks makes Elliptic Curve Cryptosystems (ECC) an interesting alternative to conventional asymmetric cryptosystems, like RSA. Operands in ECC require significantly less bits at the same level of security, resulting in a higher computational efficiency compared to RSA. With growing computational capabilities and continuous technological improvements over the years, however, the question of the security of ECC against attacks based on special-purpose hardware arises. In this context, recently emerged low-cost FPGAs demand for attention in the domain of hardware-based cryptanalysis: the extraordinary efficiency of modern programmable hardware devices allow for a low-budget implementation of hardware-based ECC attacks---without the requirement of the expensive development of ASICs.

With focus on the aspect of cost-efficiency, this contribution presents and analyzes an FPGA-based architecture of an attack against ECC over prime fields. A multi-processing hardware architecture for Pollard's Rho method is described. We provide results on actually used key lengths of ECC (128 bits and above) and estimate the expected runtime for a successful attack.

As a first result, currently used elliptic curve cryptosystems with a security of 160 bit and above turn out to be infeasible to break with available computational and financial resources. However, some of the security standards proposed by the Standards for Efficient Cryptography Group (SECG) become subject to attacks based on low-cost FPGAs.

References

[1]

Blake, I., Seroussi, G., and Smart, N. 1999. Elliptic Curves in Cryptography. Cambridge University Press.]]

Digital Library

[2]

Certicom. 1997. Certicom ECC Challenge. http://www.certicom.com.]]

[3]

Certicom research. 2000a. Standards for Efficient Cryptography---SEC 1: Elliptic Curve Cryptography v1.0. http://www.secg.org/secg_docs.htm.]]

[4]

Certicom research. 2000b. Standards for Efficient Cryptography---SEC 1: Recommended Elliptic Curve Domain Parameters v1.0. http://www.secg.org/secg_docs.htm.]]

[5]

Daly, A., Marnane, W., Kerins, T., and Popovici, E. 2004. An FPGA implementation of a GF(p) ALU for encryption processors. Elsevier Microproces. Microsyst. 28, 5--6, 253--260.]]

[6]

Daly, A., Marnaney, L., and Popovici, E. 2004. Fast modular inversion in the Montgomery Domain on reconfigurable logic. Tech. rep., University College Cork, Cork, Ireland.]]

[7]

de Dormale, G., Bulens, P., and Quisquater, J. 2007. Collision search for elliptic curve discrete logarithm over GF (2^m) with FPGA. In Proceedings of Workshop on Cryptograpic Hardware and Embedded Systems (CHES'07). LNCS Vol. 4727. Springer, 378.]]

Digital Library

[8]

Diffie, W. and Hellman, M. 1976. New directions in cryptography. IEEE Trans. Inform. Theory 22, 644--654.]]

Digital Library

[9]

ElGamal, T. 1985. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inform. Theory 31, 469--472.]]

Digital Library

[10]

Franke, J., Kleinjung, T., Paar, C., Pelzl, J., Priplata, C., and Stahlke, C. 2005. SHARK---A realizable special hardware sieving device for factoring 1024-bit integers. In Proceedings of Workshop on Cryptograpic Hardware and Embedded Systems (CHES'05). Lecture Notes in Computer Science, vol. 3659. Springer, 119--130.]]

Digital Library

[11]

Güneysu, T., Paar, C., and Pelzl, J. 2007. Attacking elliptic curve cryptosystems with special-purpose hardware. In Proceedings of the ACM/SIGDA 15th International Symposium on Field Programmable Gate Arrays (FPGA'07), ACM Press, New York, NY, USA, 207--215.]]

Digital Library

[12]

Hankerson, D., Menezes, A., and Vanstone, S. 2004. Guide to Elliptic Curve Cryptography. Springer Verlag, Berlin, Germany.]]

Digital Library

[13]

Koblitz, N. 1987. Elliptic curve cryptosystems. Math. Comput. 48, 203--209.]]

[14]

Kumar, S., Paar, C., Pelzl, J., Pfeiffer, G., and Schimmler, M. 2006. Breaking ciphers with COPACOBANA - A cost-optimized parallel code breaker. In Proceedings of Workshop on Cryptograpic Hardware and Embedded Systems (CHES'06). Springer-Verlag.]]

Digital Library

[15]

Lenstra, A. and Verheul, E. 2001. Selecting Cryptographic key sizes. J. Cryptol. 14, 4, 255--293.]]

Digital Library

[16]

Menezes, A. J., van Oorschot, P. C., and Vanstone, S. A. 1996. Handbook of Applied Cryptography. CRC Press, New York, NY.]]

Digital Library

[17]

Miller, V. 1986. Uses of elliptic curves in cryptography. In Advances in Cryptology---(CRYPTO'85), H. C. Williams, Ed. Vol. Lecture Notes in Computer Science, 218. Springer, 417--426.]]

Digital Library

[18]

Orlando, G. and Paar, C. 2001. A scalable GF(p) elliptic curve processor architecture for programmable hardware. In Proceedings of Workshop on Cryptograpic Hardware and Embedded Systems (CHES'01). 356--371.]]

Digital Library

[19]

Örs, S., Batina, L., Preneel, B., and Vandewalle, J. 2003. Hardware implementation of elliptic curve processor over GF(p). In Proceedings of the Application-Specific Systems, Architectures, and Processors (ASAP), 433--443.]]

[20]

Pollard, J. 1978. Monte Carlo methods for index computation mod p. Math. Comput. 32, 143, 918--924.]]

[21]

Shamir, A. and Tromer, E. 2003. Factoring large numbers with the TWIRL device. In Advances in Cryptology---(Crypto'03). Lecture Notes in Computer Science, vol. 2729. Springer, 1--26.]]

[22]

Teske, E. 1998. Speeding up Pollard's rho method for computing discrete logarithms. Algorithmic Number Theory Seminar (ANTS-III), 541--554.]]

Digital Library

[23]

van Oorschot, P. and Wiener, M. 1999. Parallel collision search with cryptanalytic applications. J. Cryptol. 12, 1--28.]]

Digital Library

Cited By

Miele AIndaco MLauri FTrotta P(2018)Efficient many-core architecture design for cryptanalytic collision search on FPGAsJournal of Information Security and Applications10.1016/j.jisa.2018.07.00441(134-143)Online publication date: Aug-2018
https://doi.org/10.1016/j.jisa.2018.07.004
Tessier RPocek KDeHon A(2015)Reconfigurable Computing ArchitecturesProceedings of the IEEE10.1109/JPROC.2014.2386883103:3(332-354)Online publication date: Mar-2015
https://doi.org/10.1109/JPROC.2014.2386883
Heyse SGüneysu T(2013)Code-based cryptography on reconfigurable hardware: tweaking Niederreiter encryption for performanceJournal of Cryptographic Engineering10.1007/s13389-013-0056-43:1(29-43)Online publication date: 14-Mar-2013
https://doi.org/10.1007/s13389-013-0056-4
Show More Cited By

Index Terms

Special-Purpose Hardware for Solving the Elliptic Curve Discrete Logarithm Problem

Recommendations

Attacking elliptic curve cryptosystems with special-purpose hardware
FPGA '07: Proceedings of the 2007 ACM/SIGDA 15th international symposium on Field programmable gate arrays

Since their invention in the mid 1980s, Elliptic Curve Cryptosystems (ECC) have become an alternative to common Public-Key (PK) cryptosystems such as, e.g., RSA. The utilization of Elliptic Curves (EC) in cryptography is very promising because of their ...
On Partial Lifting and the Elliptic Curve Discrete Logarithm Problem: (Extended Abstract)
Algorithms and Computation
Abstract
It has been suggested that a major obstacle in finding an index calculus attack on the elliptic curve discrete logarithm problem lies in the difficulty of lifting points from elliptic curves over finite fields to global fields. We explore the ...
Heterogenic Distributed System for Cryptanalysis of Elliptic Curve Based Cryptosystems
ICSENG '08: Proceedings of the 2008 19th International Conference on Systems Engineering

Public-key cryptosystems allow secure connections and data exchange through unsafe communication channel without the need of a previous secure key exchange. The most popular cryptosystem used nowadays is RSA. However recently a serious rival appeared – ...

Comments

Information & Contributors

Information

Published In

cover image ACM Transactions on Reconfigurable Technology and Systems

ACM Transactions on Reconfigurable Technology and Systems Volume 1, Issue 2

June 2008

143 pages

ISSN:1936-7406

EISSN:1936-7414

DOI:10.1145/1371579

Issue’s Table of Contents

Copyright © 2008 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 June 2008

Accepted: 01 January 2008

Revised: 01 August 2007

Received: 01 May 2007

Published in TRETS Volume 1, Issue 2

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

9
Total Citations
View Citations
606
Total Downloads

Downloads (Last 12 months)6
Downloads (Last 6 weeks)1

Reflects downloads up to 06 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Miele AIndaco MLauri FTrotta P(2018)Efficient many-core architecture design for cryptanalytic collision search on FPGAsJournal of Information Security and Applications10.1016/j.jisa.2018.07.00441(134-143)Online publication date: Aug-2018
https://doi.org/10.1016/j.jisa.2018.07.004
Tessier RPocek KDeHon A(2015)Reconfigurable Computing ArchitecturesProceedings of the IEEE10.1109/JPROC.2014.2386883103:3(332-354)Online publication date: Mar-2015
https://doi.org/10.1109/JPROC.2014.2386883
Heyse SGüneysu T(2013)Code-based cryptography on reconfigurable hardware: tweaking Niederreiter encryption for performanceJournal of Cryptographic Engineering10.1007/s13389-013-0056-43:1(29-43)Online publication date: 14-Mar-2013
https://doi.org/10.1007/s13389-013-0056-4
Judge LMane SSchaumont P(2012)A hardware-accelerated ECDLP with high-performance modular multiplicationInternational Journal of Reconfigurable Computing10.1155/2012/4390212012(7-7)Online publication date: 1-Jan-2012
https://dl.acm.org/doi/10.1155/2012/439021
Ghosh SDelvaux JUhsadel LVerbauwhede I(2012)A Speed Area Optimized Embedded Co-processor for McEliece CryptosystemProceedings of the 2012 IEEE 23rd International Conference on Application-Specific Systems, Architectures and Processors10.1109/ASAP.2012.16(102-108)Online publication date: 9-Jul-2012
https://dl.acm.org/doi/10.1109/ASAP.2012.16
Heyse SGüneysu T(2012)Towards one cycle per bit asymmetric encryptionProceedings of the 14th international conference on Cryptographic Hardware and Embedded Systems10.1007/978-3-642-33027-8_20(340-355)Online publication date: 9-Sep-2012
https://dl.acm.org/doi/10.1007/978-3-642-33027-8_20
Doröz YSavaş E(2012)Constructing cluster of simple FPGA boards for cryptologic computationsProceedings of the 8th international conference on Reconfigurable Computing: architectures, tools and applications10.1007/978-3-642-28365-9_27(320-328)Online publication date: 19-Mar-2012
https://dl.acm.org/doi/10.1007/978-3-642-28365-9_27
Mane SJudge LSchaumont P(2011)An Integrated Prime-Field ECDLP Hardware Accelerator with High-Performance Modular Arithmetic UnitsProceedings of the 2011 International Conference on Reconfigurable Computing and FPGAs10.1109/ReConFig.2011.12(198-203)Online publication date: 30-Nov-2011
https://dl.acm.org/doi/10.1109/ReConFig.2011.12
Eisenbarth TGüneysu THeyse SPaar C(2009)MicroElieceProceedings of the 11th International Workshop on Cryptographic Hardware and Embedded Systems10.1007/978-3-642-04138-9_4(49-64)Online publication date: 30-Aug-2009
https://dl.acm.org/doi/10.1007/978-3-642-04138-9_4

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Issue’s Table of Contents