## Implementing the Elliptic Curve Method of Factoring in Reconfigurable Hardware

Citations: 11 (1 self)

### BibTeX

@MISC{Gaj_implementingthe,
    author = {Kris Gaj and Soonhak Kwon and Patrick Baier and Paul Kohlbrenner and Hoang Le and Mohammed Khaleeluddin and Ramakrishna Bachimanchi},
    title = {Implementing the Elliptic Curve Method of Factoring in Reconfigurable Hardware},
    year = {}
}

### Abstract

A novel portable hardware architecture of the Elliptic Curve Method of factoring, designed and optimized for application in the relation collection step of the Number Field Sieve, is described and analyzed. A comparison with an earlier proof-of-concept design by Pelzl, Simka, et al. has been performed, and a substantial improvement has been demonstrated in terms of both the execution time and the area-time product. The ECM architecture has been ported across five different families of FPGA devices in order to select the family with the best performance to cost ratio. A timing comparison with the highly optimized software implementation, GMP-ECM, has been performed. Our results indicate that low-cost families of FPGAs, such as Spartan-3 and Spartan-3E, offer at least an order of magnitude improvement over the same generation of microprocessors in terms of the performance to cost ratio.

### Citations

382 | Guide to Elliptic Curve Cryptography
- Menezes, Hankerson, et al.
- 2004
Citation Context ...perations on an Elliptic Curve Scalar multiplication, kP, is a basic elliptic curve operation used in the ECM method. It is also a fundamental operation of a majority of Elliptic Curve Cryptosystems [10], and therefore it has been studied extensively in the past from the point of view of efficient implementations in software and hardware. Scalar multiplication is defined as an addition, kP = P + ... ...

233 | Factoring integers with elliptic curves
- Lenstra
- 1987
Citation Context ...E over $Z_N$ is not really an elliptic curve but we can still do point additions and doublings as if $Z_N$ was a field. 2.1. ECM Algorithm The Elliptic Curve Method (ECM) was originally proposed by Lenstra [4] and subsequently extended by Brent [5] and Montgomery [2]. The original part of the algorithm proposed by Lenstra is typically referred to as Phase 1 (or Stage 1), and the extension by Brent and Mont...

186 | Speeding the Pollard and elliptic curve methods of factorization
- Montgomery
- 1987
Citation Context ...is change, (X, Y, Z) with $Z \neq 0$ represents $(X/Z, Y/Z)$ in affine coordinates. If $Z = 0$, then we have the point at infinity $O$ which is represented by (0, 1, 0) in projective coordinates. Montgomery [2] studied elliptic curves of the form $E : by^2 = x^3 + ax^2 + x$ to further speed up elliptic curve operations in software and hardware. This form is obtained by the change of variables, X = 3x+a 3−a ...

47 | Some integer factorization algorithms using elliptic curves
- Brent
- 1986
Citation Context ...d an addition formula for P and Q which does not need any y-coordinate information, assuming that the difference P − Q is already known. Let N be a composite integer we want to factor. The ECM Method [2, 5, 7] considers elliptic curves in Montgomery form, given in Eq. 2, and involves elliptic curve operations (mod N), where the elements in Z are reduced (mod N). Since N is not a prime, E over $Z_N$ is not rea...

40 | An FFT Extension of the Elliptic Curve Method of Factorization
- Montgomery
- 1992
Citation Context ... log q log log q [4], where log is a natural logarithm. However the precise value of o(1) term is difficult to estimate. Choice of the bound B1 is closely related with Dickman-de Bruijn function ρ(u) [3], which gives the probability that a randomly chosen integer X is $X^{1/u}$-smooth. As with the case of B1, an optimal bound B2 is related with certain numerical integrations involving Dickman-de Bruijn ...

17 | Massively parallel elliptic curve factoring - Dixon, Lenstra - 1993 |

14 | The Development of the Number Field
- Lenstra, Lenstra
- 1993
Citation Context ...rmance to cost ratio. Keywords: Cipher-breaking, factoring, ECM, FPGA 1 Introduction The fastest known method for factoring large integers is the Number Field Sieve (NFS), invented by Pollard in 1991 [1, 2]. It has since been improved substantially and developed from its initial “special” form (which was only used to factor numbers close to perfect powers, such as Fermat numbers) to a general purpose fa...

14 | Fast Montgomery modular multiplication and RSA cryptographic processor architectures
- McIvor, McLoone, et al.
Citation Context ...Figure 8. Block diagram of a Montgomery multiplier. The modified algorithm, based on carry save addition (CSA), is shown as Algorithm 8. This algorithm has been described earlier in [25]. The block diagram of the circuit implementing Algorithm 8 is shown in Figure 8. The modulus N and the parameter n are loaded into the multiplier once at the beginning of Phase 1, and do not need to...

13 | SHARK : A realizable special hardware sieving device for factoring 1024-bit integers
- Franke, Kleinjung, et al.
- 2005
Citation Context ...N) denotes the cost of multiplication (mod N). ECM is the best method to perform the kind of factorizations needed by NFS, for integers in the 200-bit range, with prime factors of up to about 40 bits [16, 17]. The contribution of this paper is an implementation of the elliptic curve method in hardware (FPGAs). We describe in detail how to optimize the design and compare our work both to an existing softwa...

13 | A practical analysis of the elliptic curve factoring algorithm
- Silverman, Wagstaff
- 1993
Citation Context ...orithm 4, but the smaller MN , and thus the smaller number of iterations of the outer loop during Main computations in Algorithm 4. A theoretical analysis of the optimal parameter choices is given in [19], with a view towards software implementations. The techniques developed there - which use Dickman’s function to estimate the probability of success of the Elliptic Curve Method - can be adapted to a ...

9 | Area-time efficient hardware architecture for factoring integers with the elliptic curve method
- Pelzl, Šimka, et al.
- 2005
Citation Context ... of this paper is an implementation of the elliptic curve method in hardware (FPGAs). We describe in detail how to optimize the design and compare our work both to an existing hardware implementation [16, 18] and a software implementation (GMP-ECM) [7, 15]. 2. ELLIPTIC CURVE METHOD Let K be a field with characteristic different from 2, 3. For example, $K = Z_q$ with a prime q > 3, which is a set of integers ...

9 | Hardware Factorization Based on Elliptic Curve Method
- Šimka, Pelzl, et al.
- 2005
Citation Context ... of this paper is an implementation of the elliptic curve method in hardware (FPGAs). We describe in detail how to optimize the design and compare our work both to an existing hardware implementation [16, 18] and a software implementation (GMP-ECM) [7, 15]. 2. ELLIPTIC CURVE METHOD Let K be a field with characteristic different from 2, 3. For example, $K = Z_q$ with a prime q > 3, which is a set of integers ...

9 | Performance and Overhead in a Hybrid Reconfigurable Computer - Fidanci, Poznanovic, et al. - 2003 |

8 | Factoring with cubic integers
- Pollard
- 1993
Citation Context ...ration of microprocessors in terms of the performance to cost ratio. 1. INTRODUCTION The fastest known method for factoring large integers is the Number Field Sieve (NFS), invented by Pollard in 1991 [14]. It has since been improved substantially and developed from its initial “special” form (which was only used to factor numbers close to perfect powers, such as Fermat numbers) to a general purpose fa...

7 | Implementation of elliptic curve cryptosystems over $GF(2^n)$ in optimal normal basis on reconfigurable computer - Bajracharya, Shu, et al. |

6 | An Efficient Hardware Architecture for Factoring Integers with the Elliptic Curve Method, in: Special-Purpose Hardware for Attacking Cryptographic - Franke, Kleinjung, et al. |

4 | How to break DES for 8,980
- Kumar, Paar, et al.
Citation Context ...n appropriate basic building block for cost-optimized hardware for breaking cryptographic systems, which is consistent with the conclusions of other research groups reported earlier in the literature [26]. Future research directions of our group include the comparison of software and FPGA implementations of ECM with the standard-cell ASICs, estimation and optimization of the time taken by ECM when use...

3 | Implementation of elliptic curve cryptosystems on a reconfigurable computer - Nguyen, Gaj, et al. - 2003 |

2 | Parallel implementation of elliptic curve method for integer factorization using message-passing interface
- Wolski, Filho, et al.
- 2001
Citation Context ...ages such as Maple or Mathematica as well as in the educational program for learning cryptology, CrypTool [11]. On the other hand, massively parallel implementations of the ECM method are reported in [8, 9]. One of the most popular and powerful ECM tools is GMP-ECM [15]. It contains various optimization techniques for Phase 1 and Phase 2 and exploits many ideas known in the literature. Especially, it us...

2 | Reconfigurable hardware implementation of mesh routing in number field sieve factorization, in Proc. Special Purpose Hardware for Attacking Cryptographic Systems - Bajracharya, Misra, et al. - 2005 |

2 | A Simpler Sieving Device: Combining ECM and TWIRL
- Geiselmann, Januszewski, et al.
- 2006
Citation Context ...N) denotes the cost of multiplication (mod N). ECM is the best method to perform the kind of factorizations needed by NFS, for integers in the 200-bit range, with prime factors of up to about 40 bits [16, 17]. The contribution of this paper is an implementation of the elliptic curve method in hardware (FPGAs). We describe in detail how to optimize the design and compare our work both to an existing softwa...

1 | Modular multiplication without trivial division
- Montgomery
- 1985
Citation Context ... many cryptosystems such as RSA, computing XY (mod N) is a crucial operation. Taking the reduction of XY (mod N) is a more time consuming step than the multiplication XY without reduction. Montgomery [1] introduced a method for calculating products (mod N) without the costly reduction (mod N), known as Montgomery multiplication. Montgomery multiplication of X and Y, MP(X, Y, N), is defined as XY 2 ...

1 | Scaled remainder trees, preprint
- Bernstein
- 2004
Citation Context ... . Moreover to use fast polynomial arithmetic, GMP-ECM uses affine coordinates with the Weierstrass form of elliptic curve to compute $G(x) = \prod_{(x_\tau, y_\tau) \in T} (x - x_\tau)$ using the product tree algorithm [6]. Then GMP-ECM applies the POLYEVAL algorithm to compute $\prod_{(x_\sigma, y_\sigma) \in S} G(x_\sigma)$ where the polynomial multiplications are done using the Schönhage-Strassen algorithm [7]. Another approach possible in Phase ...

1 | 20 years of ECM, preprint
- Zimmermann
Citation Context ...ic curve method in hardware (FPGAs). We describe in detail how to optimize the design and compare our work both to an existing hardware implementation [16, 18] and a software implementation (GMP-ECM) [7, 15]. 2. ELLIPTIC CURVE METHOD Let K be a field with characteristic different from 2, 3. For example, $K = Z_q$ with a prime q > 3, which is a set of integers {0, 1, . . . , q − 1} with addition and multipli...

1 | Prime Numbers - A Computational Perspective - Crandall, Pomerance - 2001 |

1 | SHARK - A realizable hardware architecture for factoring 1024-bit composites with - Franke, Kleinjung, et al. - 2005 |