  • Daniel J. Bernstein
  • Hsieh-Chung Chen
  • Chen-Mou Cheng
  • Tanja Lange
  • Ruben Niederhagen
  • Peter Schwabe
  • Bo-Yin Yang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6498)


A major cryptanalytic computation is currently underway on multiple platforms, including standard CPUs, FPGAs, PlayStations and Graphics Processing Units (GPUs), to break the Certicom ECC2K-130 challenge. This challenge is to compute an elliptic-curve discrete logarithm on a Koblitz curve over \(\mathbb{F}_{2^{131}}\). Optimizations have reduced the cost of the computation to approximately \(2^{77}\) bit operations in \(2^{61}\) iterations.

GPUs are not designed for fast binary-field arithmetic; they are designed for highly vectorizable floating-point computations that fit into very small amounts of static RAM. This paper explains how to optimize the ECC2K-130 computation for this unusual platform. The resulting GPU software performs more than 63 million iterations per second, including 320 million \(\mathbb{F}_{2^{131}}\) multiplications per second, on a $500 NVIDIA GTX 295 graphics card. The same techniques for finite-field arithmetic and elliptic-curve arithmetic can be reused in implementations of larger systems that are secure against similar attacks, making GPUs an interesting option as coprocessors when a busy Internet server has many elliptic-curve operations to perform in parallel.
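The figures above count iterations of a Pollard-rho walk and the \(\mathbb{F}_{2^{131}}\) multiplications inside them (roughly five multiplications per iteration at the quoted rates). The following is an added reference implementation of that field arithmetic, written for this page; it is not the paper's GPU code, which uses bitsliced Karatsuba-style formulas rather than this schoolbook loop. It assumes the field is represented as \(\mathbb{F}_2[x]/(x^{131}+x^{13}+x^2+x+1)\); this page does not state the reduction polynomial, so that choice is an assumption here. The sanity-check function at the end is the kind of test a practitioner runs before trusting any new field implementation: the Frobenius check \(x^{2^{131}} = x\) only passes if the assumed polynomial really is irreducible.

```python
"""Reference arithmetic in GF(2^131), the field of the ECC2K-130 challenge.

Added illustration, not the GPU code from the paper.  Assumption: elements are
polynomials over F_2 of degree < 131 reduced modulo x^131 + x^13 + x^2 + x + 1;
the page does not state the field representation, so that polynomial is an
assumption here.  An element is an int whose bit i is the coefficient of x^i.
"""

M = 131
POLY = (1 << M) | (1 << 13) | (1 << 2) | (1 << 1) | 1   # assumed reduction polynomial
MASK = (1 << M) - 1


def clmul(a: int, b: int) -> int:
    """Carry-less product of two polynomials over F_2 (shift-and-XOR, unreduced).

    This schoolbook loop is the bit-operation pattern whose cost dominates a
    multiplication; optimised implementations use fewer bit operations
    (Karatsuba-style formulas) but produce the same polynomial.
    """
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def reduce(r: int) -> int:
    """Reduce a polynomial of degree <= 2*M - 2 modulo POLY, highest degree first."""
    for i in range(2 * M - 2, M - 1, -1):
        if (r >> i) & 1:
            r ^= POLY << (i - M)   # clears bit i, only touches lower bits
    return r


def mul(a: int, b: int) -> int:
    return reduce(clmul(a, b))


def sqr(a: int) -> int:
    """Squaring is F_2-linear: cross terms cancel, so the coefficients of a are
    spread to even positions and then reduced.  Much cheaper than a general mul."""
    r = 0
    for i in range(M):
        if (a >> i) & 1:
            r |= 1 << (2 * i)
    return reduce(r)


def frobenius(a: int, k: int = 1) -> int:
    """a -> a^(2^k): k repeated squarings.  On a Koblitz curve this map is what
    the iteration function exploits, which is why squarings must be cheap."""
    for _ in range(k):
        a = sqr(a)
    return a


def power(a: int, e: int) -> int:
    """Square-and-multiply exponentiation in the field."""
    result = 1
    while e:
        if e & 1:
            result = mul(result, a)
        a = sqr(a)
        e >>= 1
    return result


def inverse(a: int) -> int:
    """a^(2^131 - 2) = a^-1 for a != 0 (Fermat's little theorem in GF(2^131))."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^131)")
    return power(a, (1 << M) - 2)


def field_sanity_check(a: int, b: int, c: int) -> bool:
    """Checks to run before trusting a field implementation: commutativity,
    distributivity, squaring vs. multiplication, Frobenius order, inversion.
    frobenius(x, 131) == x fails if POLY is not irreducible, since 131 is prime
    and POLY has no linear factor."""
    x = 2  # the element x
    return (
        mul(a, b) == mul(b, a)
        and mul(a, b ^ c) == mul(a, b) ^ mul(a, c)
        and sqr(a) == mul(a, a)
        and frobenius(x, M) == x
        and frobenius(a, M) == a
        and mul(a, inverse(a)) == 1
    )
```

Running `field_sanity_check` on a few arbitrary nonzero elements is enough to catch a wrong reduction polynomial or a reduction bug; a bitsliced GPU implementation like the one the paper describes would be validated the same way, against exactly this kind of slow reference.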


Keywords: Graphics Processing Unit (GPU), Elliptic Curve Cryptography, Pollard rho, qhasm





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Daniel J. Bernstein (1)
  • Hsieh-Chung Chen (2)
  • Chen-Mou Cheng (3)
  • Tanja Lange (4)
  • Ruben Niederhagen (3, 4)
  • Peter Schwabe (4)
  • Bo-Yin Yang (2)
  1. Department of Computer Science, University of Illinois at Chicago, Chicago, USA
  2. Institute of Information Science, Academia Sinica, Taipei, Taiwan
  3. Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan
  4. Department of Mathematics and Computer Science, Eindhoven University of Technology, Eindhoven, Netherlands
