Computational hardness of IFP and ECDLP

Original Paper, published in Applicable Algebra in Engineering, Communication and Computing

Abstract

The RSA cryptosystem and elliptic curve cryptography (ECC) are used practically and widely in public key cryptography. The security of RSA and ECC relies respectively on the computational hardness of the integer factorization problem (IFP) and the elliptic curve discrete logarithm problem (ECDLP). In this paper, we give an estimate of the computing power required to solve each problem according to the state of the art in theory and experiments. By comparing the computing power required to solve the IFP and the ECDLP, we also estimate bit sizes of the two problems that provide the same security level.
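As an added illustration of the kind of comparison the abstract describes (this is not the paper's own estimate, which accounts for memory limits and measured implementation costs), the following script equates the textbook asymptotic costs of the two best generic attacks: the GNFS cost L_N[1/3, (64/9)^(1/3)] for the IFP and the expected sqrt(pi n / 2) iterations of Pollard rho for the ECDLP, with the o(1) term dropped. It then solves for the curve size whose rho cost matches a given RSA modulus size.

```python
import math

LN2 = math.log(2)


def gnfs_log2_cost(bits: int) -> float:
    """log2 of the heuristic GNFS running time L_N[1/3, (64/9)^(1/3)]
    for an RSA modulus N of the given bit length (o(1) term dropped)."""
    ln_n = bits * LN2
    c = (64 / 9) ** (1 / 3)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / LN2


def rho_log2_cost(bits: int) -> float:
    """log2 of the expected Pollard rho iterations sqrt(pi * n / 2) for an
    elliptic curve group of prime order n with the given bit length."""
    return 0.5 * (bits + math.log2(math.pi / 2))


def equivalent_ecc_bits(rsa_bits: int) -> int:
    """Curve order size whose rho cost equals the GNFS cost of rsa_bits.
    Solves rho_log2_cost(b) == gnfs_log2_cost(rsa_bits) for b."""
    target = gnfs_log2_cost(rsa_bits)
    return round(2 * target - math.log2(math.pi / 2))


def strength_table(rsa_sizes=(1024, 2048, 3072)) -> dict:
    """Map each RSA modulus size to the asymptotically equivalent ECC size."""
    return {b: equivalent_ecc_bits(b) for b in rsa_sizes}


if __name__ == "__main__":
    for rsa, ecc in strength_table().items():
        print(f"RSA-{rsa}: GNFS ~ 2^{gnfs_log2_cost(rsa):.1f} ops "
              f"<-> ECC ~ {ecc}-bit curve (rho ~ 2^{rho_log2_cost(ecc):.1f})")
```

Because the o(1) term and constant factors are ignored, the equivalences come out slightly larger than the published recommendations; the paper's contribution is precisely to replace these asymptotics with measured costs.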


Notes

  1. The authors in [8] reported that their software needs 218.75 cycles for \(5{\mathbf {M}}\), which is almost 20 cycles more than our implementation. This difference is due to the much faster multiplication operation in our software (the CPU used in their implementation only has a 16-bit \(\times \) 16-bit \(\rightarrow \) 32-bit multiplication operation).

  2. The authors in [5] reported that their software needs 94 cycles per multiplication and hence \(94 \times 5 = 470\) cycles for \(5 {\mathbf {M}}\). Their implementation costs almost 90 cycles more than ours. This seems to be mainly due to the fact that the CPU used in our implementation has three throughputs while the CPU used in their implementation has only two.

References

  1. ANSI X9.62: Public key cryptography for the financial services industry: the elliptic curve digital signature algorithm (ECDSA) (1999)

  2. Aoki, K., Franke, J., Kleinjung, T., Lenstra, A.K., Osvik, D.A.: A kilobit special number field sieve factorization. In: Advances in Cryptology-ASIACRYPT 2007. Springer LNCS 4833, pp. 1-12 (2007)

  3. Aoki, K., Kida, Y., Shimoyama T., Ueda, H.: GNFS factoring statistics of RSA-100, 110, ..., 150, IACR ePrint Archive, 2004/095. Available at https://eprint.iacr.org/2004/095 (2004)

  4. Bailey, D., Baldwin, B., Batina, L., Bernstein, D., Birkner, P., Bos, J., van Damme, G., de Meulenaer, G., Fan, J., Güneysu, T., Gurkaynak, F., Kleinjung, T., Lange, T., Mentens, N., Paar, C., Regazzoni, F., Schwabe P., Uhsadel, L.: The Certicom challenges ECC2-X, IACR ePrint Archive, 2009/466. Available at http://eprint.iacr.org/2009/466 (2009)

  5. Bailey, D., et al.: Breaking ECC2K-130, IACR ePrint Archive, 2009/541. Available at http://eprint.iacr.org/2009/541 (2009)

  6. Bahr, F., Böhm, M., Franke, J., Kleinjung, T.: Factorization of RSA-200. Available at http://www.loria.fr/~zimmerma/records/rsa200 (2005)

  7. Bernstein, D., Chen, H., Cheng, C., Lange, T., Niederhagen, R., Schwabe, P., Yang, B.: ECC2K-130 on NVIDIA GPUs. In: Progress in Cryptology-INDOCRYPT 2010. Springer LNCS 6498, pp. 328-344 (2010)

  8. Bernstein, D., Lange, T., Schwabe, P.: On the correct use of the negation map in the Pollard rho method. In: Public Key Cryptography-PKC 2011. Springer LNCS 6571, pp. 128-146 (2011)

  9. Blake, I., Seroussi, G., Smart, N.: Elliptic Curves in Cryptography. Cambridge University Press, Cambridge (1999)

  10. Brent, R., Pollard, J.: Factorization of the eighth Fermat number. Math. Comput. 36, 627–630 (1981)

  11. Canfield, E.R., Erdős, P., Pomerance, C.: On a problem of Oppenheim concerning factorisatio numerorum. J. Number Theory 17, 1–28 (1983)

  12. Certicom: Certicom ECC challenge. Available at http://www.certicom.jp/images/pdfs/cert_ecc_challenge (1997)

  13. Certicom: Curves list. Available at http://www.certicom.jp/index.php/curves-list (1997)

  14. Childers, G.: Factorization of a \(1061\)-bit number by the special number field sieve. In: IACR ePrint Archive, 2012/144. Available at http://eprint.iacr.org/2012/444 (2012)

  15. CRYPTREC: CRYPTREC Report 2006. Available at http://www.cryptrec.go.jp/report/c06_wat_final (2006)

  16. ECRYPT II: ECRYPT II report on key sizes. Available at http://www.keylength.com/en/3/ (2011)

  17. EPFL IC LACAL.: PlayStation 3 computing breaks \(2^{60}\) barrier 112-bit prime ECDLP solved. Available at http://lacal.epfl.ch/112bit_prime (2009)

  18. Faugère, J.C., Perret, L., Petit, C., Renault, G.: Improving the complexity of index calculus algorithms in elliptic curves over binary fields. In: Advances in Cryptology-EUROCRYPT 2012 Springer LNCS 7237, pp. 27-44 (2012)

  19. Galbraith, S.D.: Mathematics of Public Key Cryptography. Cambridge University Press, Cambridge (2012)

  20. Galbraith, S.D., Ruprail, R.S.: Using equivalence classes to accelerate solving the discrete logarithm problem in a short interval. In: Public Key Cryptography-PKC 2010. Springer LNCS 6056, pp. 368-386 (2010)

  21. Gallant, R., Lambert, R., Vanstone, S.: Improving the parallelized Pollard lambda search on binary anomalous curves. Math. Comput. 69, 1699–1705 (2000)

  22. Güneysu, T., Kasper, T., Novotný, M., Paar, C., Rupp, A.: Cryptanalysis with COPACOBANA. Trans. Comput. 57, 1498–1513 (2008)

  23. Granlund, T.: Instruction latencies and throughput for AMD and Intel x86 processors (2012-02-13 version). Available at http://gmplib.org/~tege/x86-timing

  24. Hankerson, D., Menezes, A., Vanstone, S.: Guide to Elliptic Curve Cryptography. Springer Professional Computing, New York (2004)

  25. Harley, R.: Elliptic curve discrete logarithms project. Available at http://pauillac.inria.fr/~harley/ecdl/

  26. Izu, T., Kogure, J., Shimoyama, T.: CAIRN 2: an FPGA implementation of the sieving step in the number field sieve method. Cryptogr. Hardw. Embed. Syst. 2007, 364–377 (2007)

  27. Kleinjung, T.: Estimates for factoring 1024-bit integers. In: Securing Cyberspace: Applications and Foundations of Cryptography and Computer Security, Workshop IV: Special purpose hardware for cryptography: Attacks and Applications, slides are available at http://www.ipam.ucla.edu/schedule.aspx?pc=scws4 (2006)

  28. Kleinjung, T.: Evaluation of complexity of mathematical algorithms. CRYPTREC technical report No. 0601 in FY2006. Available at http://www.cryptrec.jp/estimation.html (2007)

  29. Kleinjung, T., Aoki, K., Franke, J., Lenstra, A.K., Thomé, E., Bos, J.W., Gaudry, P., Kruppa, A., Montgomery, P.L., Osvik, D.A., te Riele, H., Timofeev, A., Zimmermann, P.: Factorization of a 768-bit RSA modulus, Advances in Cryptology-CRYPTO 2010. Springer LNCS 6223, pp. 333-350 (2010)

  30. Kleinjung, T., Bos, J.W., Lenstra, A.K., Osvik, D.A., Aoki, K., Contini, S., Franke, J., Thomé, E., Jermini, P., Thiémard, M., Leyland, P., Montgomery, P., Timofeev, A., Stockinger, H.: A heterogeneous computing environment to solve the 768-bit RSA. Clust. Comput. 15(1), 53–68 (2012)

  31. Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1987)

  32. Lenstra, A., Lenstra, H., Manasse M., Pollard, J.: The number field sieve. In: Symposium on Theory of Computing-STOC 1990, ACM, pp. 564-572 (1990)

  33. Lenstra, A., Verheul, E.: Selecting cryptographic key sizes. J. Cryptol. 14, 255–293 (2001)

  34. Menezes, A., Okamoto, T., Vanstone, S.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory 39, 1639–1646 (1993)

  35. Miller, V.S.: Use of elliptic curves in cryptography. In: Advances in Cryptology-CRYPTO 1985. Springer LNCS 218, pp. 417-426 (1986)

  36. NESSIE: NESSIE security report, February 2003

  37. NIST Special publication 800-57. Available at http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007

  38. Orman, H., Hoffman, P.: Determining strengths for public keys used for exchanging symmetric keys. IETF RFC 3766/BCP 86, April 2004

  39. Pollard, J.: Monte Carlo methods for index computation mod \(p\). Math. Comput. 32, 918–924 (1978)

  40. Rivest, R., Shamir, A., Adelman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21, 120–126 (1978)

  41. RSA Laboratories: A cost-based security analysis of symmetric and asymmetric key lengths. RSA Labs Bulletin, no. 13, April 2000 (Revised November 2001)

  42. RSA Laboratories: The RSA challenge numbers. Available at http://japan.emc.com/emc-plus/rsa-labs/historical/the-rsa-challenge-numbers.htm

  43. Satoh, T., Araki, K.: Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves. Comment. Math. Univ. Sancti Pauli 47, 81–92 (1998)

  44. Semaev, I.: Evaluation of discrete logarithms in a group of \(p\)-torsion points of an elliptic curve in characteristic \(p\). Math. Comput. 67, 353–356 (1998)

  45. Shamir, A.: Factoring large numbers with the TWINKLE device (extended abstract). In: Cryptographic Hardware and Embedded Systems-CHES 1999. Springer LNCS 1717, pp. 2-12 (1999)

  46. Shamir, A., Tromer, E.: Factoring large numbers with the TWIRL Device. In: Advances in Cryptology-CRYPTO 2003. Springer LNCS 2729, pp. 1-26 (2003)

  47. Smart, N.P.: The discrete logarithm problem on elliptic curves of trace one. J. Cryptol. 12, 110–125 (1999)

  48. Teske, E.: Speeding up Pollard’s rho method for computing discrete logarithms. In: Algorithmic Number Theory-ANTS III. Springer LNCS 1423, pp. 541-554 (1998)

  49. Teske, E.: On random walks for Pollard’s rho method. Math. Comput. 70, 809–825 (2001)

  50. van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12, 1–28 (1999)

  51. Wiener, M.J., Zuccherato, R.J.: Fast attacks on elliptic curve cryptosystems. In: Selected Areas in Cryptology-SAC 1998. Springer LNCS 1556, pp. 190-200 (1999)

  52. Yasuda, M., Izu, T., Shimoyama, T., Kogure, J.: On random walks of Pollard's rho method for the ECDLP on Koblitz curves. J. Math. Ind. 3(2011B-3), 107–112 (2011)

  53. Yasuda, M., Shimoyama, T., Kogure, J., Izu, T.: On the strength comparison of the ECDLP and the IFP. In: Security and Cryptography for Networks-SCN 2012. Springer LNCS 7485, pp. 302-325 (2012)

Acknowledgments

A part of this research is financially supported by a contract research with the National Institute of Information and Communications Technology (NICT), Japan.

Author information

Correspondence to Masaya Yasuda.

Additional information

This is the full version of the work [53] presented at SCN 2012. In [53], we only estimated the computing power required to solve the IFP under the assumption of unlimited memory size. In addition to that estimate, here we also consider the case of limited memory size (in Sect. 2). Furthermore, we give an estimate of the strength comparison of the IFP and the ECDLP under each assumption of limited and unlimited memory size (in Sect. 4). This research was done when the first author belonged to Fujitsu Laboratories Ltd.

Cite this article

Yasuda, M., Shimoyama, T., Kogure, J. et al. Computational hardness of IFP and ECDLP. AAECC 27, 493–521 (2016). https://doi.org/10.1007/s00200-016-0291-x
