Journal of Cryptographic Engineering

, Volume 6, Issue 4, pp 287–297 | Cite as

Harder, better, faster, stronger: elliptic curve discrete logarithm computations on FPGAs

  • Erich WengerEmail author
  • Paul Wolfger
Regular Paper


Computing discrete logarithms takes time. It takes time to develop new algorithms, choose the best algorithms, implement these algorithms correctly and efficiently, keep the system running for several months, and, finally, publish the results. In this paper, we present a highly performant architecture that can be used to compute discrete logarithms of Weierstrass curves defined over binary fields and Koblitz curves using FPGAs. We used the architecture to compute for the first time a discrete logarithm of the elliptic curve sect113r1, a previously standardized binary curve, using 10 Kintex-7 FPGAs. To achieve this result, we investigated different iteration functions, used a negation map, dealt with the fruitless cycle problem, built an efficient FPGA design that processes 900 million iterations per second, and we tended for several months the optimized implementations running on the FPGAs.


Elliptic curve cryptography Discrete logarithm problem Pollard rho Hardware design FPGA Negation map 



The authors are grateful to the University of Applied Sciences Upper Austria who provided 16 ML605 boards, the companies so-logic GmbH Co KG and Xilinx, Inc. who provided us with several Kintex-7 FPGAs, and colleagues who recommended to take advantage of the simultaneous inversion technique. This work has been supported by the European Commission through the FP7 program under project number 610436 (project MATTHEW), and the Secure Information Technology Center-Austria (A-SIT).


  1. 1.
    Babbage, S., Catalano, D., Cid, C., de Weger, B., Dunkelman, O., Gehrmann, C., Granboulan, L., Güneysu, T., Hermans, J., Lange, T. Lenstra, A., Mitchell, C., Näslund, M., Nguyen, P., Paar, C., Paterson, K., Pelzl, J., Pornin, T., Preneel, B., Rechberger, C., Rijmen, V., Robshaw, M., Rupp, A., Schläffer, M., Vaudenay, S., Vercauteren, F., Ward, M.: ECRYPT II yearly report on algorithms and keysizes (2011-2012). Available online at (2012)
  2. 2.
    Bailey, D.V., Baldwin, B., Batina, L., Bernstein, D.J., Birkner, P., Bos, J.W., van Damme, G., de Meulenaer, G., Fan, J., Güneysu, T., Gurkaynak, F., Kleinjung, T., Lange, T., Mentens, N., Paar, C., Regazzoni, F., Schwabe, P., Uhsadel, L.: The Certicom Challenges ECC2-X. IACR Cryptology ePrint Archive, Report 2009/466 (2009)Google Scholar
  3. 3.
    Bailey, D.V., Batina, L., Bernstein, D.J., Birkner, P., Bos, J.W., Chen, H.-C., Cheng, C.-M., van Damme, G., de Meulenaer, G., Perez, L.J.D., Fan, J., Güneysu, T., Gurkaynak, F., Kleinjung, T., Lange, T., Mentens, N., Niederhagen, R., Paar, C., Regazzoni, F., Schwabe, P., Uhsadel, L., Herrewege, A.V., Yang, B.-Y.: Breaking ECC2K-130. IACR Cryptology ePrint Archive, Report 2009/541 (2009)Google Scholar
  4. 4.
    Barker, E., Roginsky, A.: Recommendation for cryptographic key generation. NIST Special Publ. 800, 133 (2012)Google Scholar
  5. 5.
    Bernstein, D.J.: Batch binary edwards. In: Advances in Cryptology-CRYPTO 2009, LNCS, vol. 5677, pp. 317–336. Springer, Berlin (2009)Google Scholar
  6. 6.
    Bernstein, D.J.: Binary batch edwards 113-bit multiplier. (2009). Accessed Oct 2013
  7. 7.
    Bernstein, D.J., Lange, T., Schwabe, P.: On the correct use of the negation map in the Pollard rho method. In: Public Key Cryptography—PKC 2011, LNCS, vol. 6571, pp. 128–146. Springer, Berlin (2011)Google Scholar
  8. 8.
    Bos, J.W., Kaihara, M.E., Kleinjung, T., Lenstra, A.K., Montgomery, P.L.: Solving a 112-bit prime elliptic curve discrete logarithm problem on game consoles using sloppy reduction. Int. J. Appl. Cryptogr. 2(3), 212–228 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
  9. 9.
    Bos, J.W., Kleinjung, T., Lenstra, A.K.: On the use of the negation map in the Pollard rho method. In: Algorithmic Number Theory—ANTS-IX, LNCS, vol. 6197, pp. 66–82. Springer, Berlin (2010)Google Scholar
  10. 10.
    Certicom Research. The Certicom ECC challenge. Available online at (1997)
  11. 11.
    Certicom Research. Standards for efficient cryptography, SEC 1: elliptic curve cryptography, Version 1.0. Available online at (2000)
  12. 12.
    Cohen, H., Frey, G., Avanzi, R., Doche, C., Lange, T., Nguyen, K., Vercauteren, F. (eds.): Handbook of Elliptic and Hyperelliptic Curve Cryptography. Discrete Mathematics and its Applications. Chapman & Hall/CRC, Boca Raton (2006)Google Scholar
  13. 13.
    de Dormale, G.M., Bulens, P., Quisquater, J.-J.: Collision search for elliptic curve discrete logarithm over GF(\(2^m\)) with FPGA. In: Cryptographic Hardware and Embedded Systems—HES, LNCS, pp. 378–393. Springer, Berlin (2007)Google Scholar
  14. 14.
    Engels, S.: Breaking ECC2-113: efficient implementation of an optimized attack on a reconfigurable hardware cluster. Master’s thesis, Ruhr Universityät Bochum (2014)Google Scholar
  15. 15.
    Fan, J., Bailey, D.V., Batina, L., Güneysu, T., Paar, C., Verbauwhede, I.: Breaking elliptic curve cryptosystems using reconfigurable hardware. In: Field Programmable Logic and Applications (FPL), pp. 133–138. IEEE (2010)Google Scholar
  16. 16.
    Frey, G., Rück, H.-G.: A remark concerning \(m\)-divisibility and the discrete logarithm in the divisor class group of curves. Math. Comput. 62(206), 865–874 (1994)Google Scholar
  17. 17.
    Gallant, R., Lambert, R., Vanstone, S.: Improving the parallelized Pollard lambda search on anomalous binary curves. Math. Comput. Am. Math. Soc. 69(232), 1699–1705 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    Gaudry, P., Hess, F., Smart, N.P.: Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptol. 15(1), 19–46 (2002)MathSciNetCrossRefzbMATHGoogle Scholar
  19. 19.
    Giry, D.: BlueKrypt—v28.4—Cryptographic key length recommendation. Accessed Feb 2015
  20. 20.
    Güneysu, T., Paar, C., Pelzl, J.: Attacking elliptic curve cryptosystems with Special-Purpose Hardware. In: ACM/SIGDA Symposium on Field Programmable Gate Arrays (FPGA), pp. 207–215. ACM Press (2007)Google Scholar
  21. 21.
    Hankerson, D., Vanstone, S., Menezes, A.J.: Guide to Elliptic Curve Cryptography. Springer, Berlin (2004)zbMATHGoogle Scholar
  22. 22.
    Harley, R.: Elliptic curve discrete logarithms: ECC2K-108. Available online at (2000)
  23. 23.
    Itoh, T., Tsujii, S.: A fast algorithm for computing multiplicative inverses in gf(\(2^m\)) using normal bases. Inf. Comput. 78(3), 171–177 (1988)MathSciNetCrossRefzbMATHGoogle Scholar
  24. 24.
    Judge, L., Mane, S., Schaumont, P.: A Hardware-accelerated ECDLP with high-performance modular multiplication. Int. J. Reconfigurable Comput 2012 (2012)Google Scholar
  25. 25.
    Mane, S., Judge, L., Schaumont, P.: An integrated prime-field ECDLP hardware accelerator with high-performance modular arithmetic units. In: Reconfigurable Computing and FPGAs—ReConFig, pp. 198–203. IEEE (2011)Google Scholar
  26. 26.
    Mastrovito, E.D.: VLSI designs for multiplication over finite fields GF(\(2^m\)). In: Applied Algebra, Algebraic Algorithms and Error-Correcting Codes, pp. 297–309. Springer, Berlin (1988)Google Scholar
  27. 27.
    Menezes, A.J., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. Trans. Inf. Theory 39(5), 1639–1646 (1993)MathSciNetCrossRefzbMATHGoogle Scholar
  28. 28.
    Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)MathSciNetCrossRefzbMATHGoogle Scholar
  29. 29.
    Pohlig, S.C., Hellman, M.E.: An improved algorithm for computing logarithms over \(GF(p)\) and its cryptographic significance. Trans. Inf. Theory 24(1), 106–110 (1978)MathSciNetCrossRefzbMATHGoogle Scholar
  30. 30.
    Pollard, J.M.: A Monte Carlo method for factorization. BIT Numer. Math. 15(3), 331–334 (1975)MathSciNetCrossRefzbMATHGoogle Scholar
  31. 31.
    Rodríguez-Henríquez, F., Koç, Ç.: On fully parallel Karatsuba multipliers for GF(\(2^m\)). J. Comput. Sci. Technol. 1, 405–410 (2003)Google Scholar
  32. 32.
    Teske, E.: Speeding up Pollard’s rho method for computing discrete logarithms. In: Algorithmic Number Theory, LNCS, vol. 1423, pp. 541–554. Springer, Berlin (1998)Google Scholar
  33. 33.
    van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  34. 34.
    Wenger, E., Wolfger, P.: ECC Breaker source code. Accessed Feb 2015
  35. 35.
    Wenger, E., Wolfger, P.: Solving the discrete logarithm of a 113-bit Koblitz curve with an FPGA cluster. In: Selected Areas in Cryptography—SAC, LNCS, vol. 8781, pp. 363–379. Springer, Berlin (2014)Google Scholar
  36. 36.
    Wiener, M.J., Zuccherato, R.J.: Faster attacks on elliptic curve cryptosystems. In: Selected Areas in Cryptography—SAC, LNCS, vol. 1556, pp. 190–200. Springer, Berlin (1999)Google Scholar
  37. 37.
    Xilinx Inc. Xilinx Kintex-7 FPGA KC705 Evaluation Kit. Accessed Feb (2015)

Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  1. 1.Graz University of TechnologyGrazAustria
  2. 2.So-Logic GmbH Co KGViennaAustria

Personalised recommendations