International Journal of Parallel Programming, Volume 40, Issue 5, pp 532–550

Low-Latency Elliptic Curve Scalar Multiplication

  • Joppe W. Bos


This paper presents a low-latency algorithm designed for parallel computer architectures to compute the scalar multiplication of elliptic curve points based on approaches from cryptographic side-channel analysis. A graphics processing unit implementation using a standardized elliptic curve over a 224-bit prime field, complying with the new 112-bit security level, computes the scalar multiplication in 1.9 ms on the NVIDIA GTX 500 architecture family. The presented methods and implementation considerations can be applied to any parallel 32-bit architecture.


Keywords: Elliptic curve cryptography, Elliptic curve scalar multiplication, Parallel computing, Low-latency algorithm





Copyright information

© Springer Science+Business Media, LLC 2012

Authors and Affiliations

Laboratory for Cryptologic Algorithms, École Polytechnique Fédérale de Lausanne (EPFL), Lausanne, Switzerland
