Elliptic curve cryptography (ECC) has become a popular public key cryptography standard. The security of ECC is due to the difficulty of solving the elliptic curve discrete logarithm problem (ECDLP). In this paper, we demonstrate a successful attack on ECC over prime field using the Pollard rho algorithm implemented on a hardware-software cointegrated platform. We propose a high-performance architecture for multiplication over prime field using specialized DSP blocks in the FPGA. We characterize this architecture by exploring the design space to determine the optimal integer basis for polynomial representation and we demonstrate an efficient mapping of this design to multiple standard prime field elliptic curves. We use the resulting modular multiplier to demonstrate low-latency multiplications for curves secp112r1 and P-192. We apply our modular multiplier to implement a complete attack on secp112r1 using a Nallatech FSB-Compute platform with Virtex-5 FPGA. The measured performance of the resulting design is 114 cycles per Pollard rho step at 100?MHz, which gives 878?K iterations per second per ECC core. We extend this design to a multicore ECDLP implementation that achieves 14.05?M iterations per second with 16 parallel point addition cores. 1. Introduction Elliptic curve cryptosystems (ECC), independently introduced by Miller [1] and Koblitz [2], have now found significant place in the academic literature, practical applications, and security standards. Their popularity is mainly because their shorter key sizes offer high levels of security relative to other public key cryptosystems, such as RSA. The security of ECC relies on the difficulty of elliptic curve discrete logarithmic problem (ECDLP) [3]. By definition, ECDLP is to find an integer for two points and on an elliptic curve defined over a finite field such that Here, denotes the scalar multiplication with . The Pollard rho method [4] is the strongest known attack against ECC today. This method solves ECDLP by generating points on the curve iteratively using a pseudorandom iteration function such that . Since the elliptic curve is defined over a finite field, is finite and the walk will eventually encounter the same point twice resulting in a collision. When a collision occurs, the ECDLP is solved (for well-chosen form of ; see Section 3). Several optimizations to the Pollard rho method have been proposed to allow independent parallel walks [5], better iteration functions [6, 7], and more efficient collision detection [8]. There have been several different approaches to implement Pollard rho
References
[1]
V. Miller, “Use of elliptic curves in cryptography,” in Advances in Cryptology CRYPTO 85 Proceedings, H. Williams, Ed., vol. 218 of Lecture Notes in Computer Science, pp. 417–426, Springer, Berlin, Germany, 1986.
[2]
N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of Computation, vol. 48, no. 177, pp. 203–209, 1987.
[3]
I. Blake, G. Seroussi, N. Smart, and J. W. S. Cassels, Advances in Elliptic Curve Cryptography, London Mathematical Society Lecture Note Series, Cambridge University Press, New York, NY, USA, 2005.
[4]
J. M. Pollard, “Monte carlo methods of index computation (mod p),” Mathematics of Computation, vol. 32, no. 143, pp. 918–924, 1978.
[5]
P. C. Van Oorschot and M. J. Wiener, “Parallel collision search with cryptanalytic applications,” Journal of Cryptology, vol. 12, no. 1, pp. 1–28, 1999.
[6]
E. Teske, “On random walks for Pollard's rho method,” Mathematics of Computation, vol. 70, no. 234, pp. 809–825, 2001.
[7]
E. Teske, “Speeding up Pollard’s rho method for computing discrete logarithms,” in Algorithmic Number Theory, J. Buhler, Ed., vol. 1423 of Lecture Notes in Computer Science, pp. 541–554, Springer, Berlin, Germany, 1998.
[8]
R. P. Brent, “An improved Monte Carlo factorization algorithm,” BIT Numerical Mathematics, vol. 20, pp. 176–184, 1980.
[9]
J. W. Bos, M. E. Kaihara, T. Kleinjung, A. K. Lenstra, and P. L. Montgomery, “On the security of 1024-bit RSA and 160-bit elliptic curve cryptography,” Report 2009/389, IACR Cryptology ePrint Archive, 2009, http://eprint.iacr.org/2009/389.
[10]
J. Bos, T. Kleinjung, R. Niederhagen, and P. Schwabe, “ECC2K-130 on cell CPUs,” in Progress in Cryptology—AFRICACRYPT 2010, D. Bernstein and T. Lange, Eds., vol. 6055 of Lecture Notes in Computer Science, pp. 225–242, Springer, Berlin, Germany, 2010.
[11]
D. V. Bailey, L. Batina, D. J. Bernstein, et al., “Breaking ECC2K-130,” Report 2009/541, IACR Cryptology ePrint Archive, 2009, http://eprint.iacr.org/2009/541.
[12]
D. Bernstein, H.-C. Chen, C.-M. Cheng et al., “ECC2K-130 on Nvidia GPUs,” in Progress in Cryptology—INDOCRYPT 2010, G. Gong and K. Gupta, Eds., vol. 6498 of Lecture Notes in Computer Science, pp. 328–346, Springer, Berlin, Germany, 2010.
[13]
FIPS 186-3: Digital Signature Standard (DSS), National Institute of Standards and Technology (NIST), June 2009, http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf.
[14]
SEC 2: Recommended Elliptic Curve Domain Parameters, Standards for Efficient Cryptography Group (SECG), January 2010, http://www.secg.org/download/aid-784/sec2-v2.pdf.
[15]
D. Bernstein, T. Lange, and P. Schwabe, “On the correct use of the negation map in the Pollard rho method,” in Public Key Cryptography—PKC 2011, D. Catalano, N. Fazio, R. Gennaro, and A. Nicolosi, Eds., vol. 6571 of Lecture Notes in Computer Science, pp. 128–146, Springer, Berlin, Germany, 2011.
[16]
J. Fan, D. V. Bailey, L. Batina, T. Güneysu, C. Paar, and I. Verbauwhede, “Breaking elliptic curve cryptosystems using reconfigurable hardware,” in Proceedings of the 20th International Conference on Field Programmable Logic and Applications (FPL '10), pp. 133–138, IEEE Computer Society, September 2010.
[17]
S. Kumar, C. Paar, J. Pelzl, G. Pfeiffer, and M. Schimmler, “Breaking ciphers with COPACOBANA a cost-optimized parallel code breaker,” in Cryptographic Hardware and Embedded Systems—CHES 2006, L. Goubin and M. Matsui, Eds., vol. 4249 of Lecture Notes in Computer Science, pp. 101–118, Springer, Berlin, Germany, 2006.
[18]
T. Gueneysu, C. Paar, and J. Pelzl, “Attacking elliptic curve cryptosystems with special-purpose hardware,” in Proceedings of the 15th ACM/SIGDA International Symposium on Field-Programmable Gate Arrays (FPGA '07), pp. 207–215, ACM, New York, NY, USA, February 2007.
[19]
T. Güneysu, C. Paar, and J. Pelzl, “Special-purpose hardware for solving the elliptic curve discrete logarithm problem,” ACM Transactions on Reconfigurable Technology and Systems, vol. 1, no. 2, pp. 8:1–8:21, 2008.
[20]
G. Meurice de Dormale, P. Bulens, and J.-J. Quisquater, “Collision search for elliptic curve discrete logarithm over GF( ) with FPGA,” in Cryptographic Hardware and Embedded Systems—CHES 2007, P. Paillier and I. Verbauwhede, Eds., vol. 4727 of Lecture Notes in Computer Science, pp. 378–393, Springer, Berlin, Germany, 2007.
[21]
P. Majkowski, T. Wojciechowski, M. Wojtyński, M. Rawski, and Z. Kotulski, “Heterogenic distributed system for cryptanalysis of elliptic curve based cryptosystems,” in Proceedings of the 19th International Conference on Systems Engineering (ICSEng '08), pp. 300–305, August 2008.
[22]
J. W. Bos, M. E. Kaihara, T. Kleinjung, A. K. Lenstra, and P. L. Montgomery, “Solving a 112-bit prime elliptic curve discrete logarithm problem on game consoles using sloppy reduction,” International Journal of Applied Cryptography, vol. 2, no. 3, pp. 212–228, 2012.
[23]
P. L. Montgomery, “Speeding the Pollard and elliptic curve methods of factorization,” Mathematics of Computation, vol. 48, no. 177, pp. 243–264, 1987.
[24]
D. R. Hankerson, S. A. Vanstone, and A. J. Menezes, Guide to Elliptic Curve Cryptography, Springer, New York, NY, USA, 2004.
[25]
T. Güneysu and C. Paar, “Ultra high performance ECC over NIST primes on commercial FPGAs,” in Cryptographic Hardware and Embedded Systems—CHES 2008, E. Oswald and P. Rohatgi, Eds., vol. 5154 of Lecture Notes in Computer Science, pp. 62–78, Springer, Berlin, Germany, 2008.
[26]
Virtex-5 FPGA XtremeDSP Design Considerations, Xilinx, Inc., January 2010, http://www.xilinx.com/support/documentation/ user guides/ug193.pdf.
[27]
S. Mane, L. Judge, and P. Schaumont, “An integrated prime-field ECDLP hardware accelerator with high-performance modular arithmetic units,” in Proceedings of the International Conference on Reconfigurable Computing and FPGAs (ReConFig '11), P. M. Athanas, J. Becker, and R. Cumplido, Eds., pp. 198–203, IEEE Computer Society, December 2011.
