## Hardware factorization based elliptic curve method (2005)

Venue: IEEE Symposium on Field-Programmable Custom Computing Machines - FCCM’05

Citations: 9 - 5 self

### BibTeX

@INPROCEEDINGS{Pelzl05hardwarefactorization,
  author = {Jan Pelzl and Thorsten Kleinjung and Jens Franke and Christine Priplata and Colin Stahlke and Viktor Fischer and Christof Paar},
  title = {Hardware factorization based elliptic curve method},
  booktitle = {IEEE Symposium on Field-Programmable Custom Computing Machines - FCCM’05},
  year = {2005}
}

### Abstract

The security of the most popular asymmetric cryptographic scheme RSA depends on the hardness of factoring large numbers. The best known method for factoring large integers is the General Number Field Sieve (GNFS). Recently, architectures for special purpose hardware for the GNFS have been proposed [5, 12]. One important step within the GNFS is the factorization of mid-size numbers for smoothness testing, an efficient algorithm for which is the Elliptic Curve Method (ECM). Since the smoothness testing is also suitable for parallelization, it is promising to improve ECM via special-purpose hardware. We show that massive parallel and cost efficient ECM hardware engines can improve the cost-time product of the RSA moduli factorization via the GNFS considerably. The computation of ECM is a classical example for an algorithm that can be significantly accelerated through special-purpose hardware. In this work, we present an efficient hardware implementation of ECM to factor numbers up to 200 bits, which is also scalable to other bit lengths. For proof-of-concept purposes, ECM is realized as a software-hardware co-design on an FPGA and an embedded microcontroller. This appears to be the first pub-

### Citations

233 |
Factoring Integers with Elliptic Curves
- Lenstra
- 1987
Citation Context: ...method to efficiently factor lots of smaller numbers (factorization of the rests). An appropriate choice for this task is Multiple Polynomial Quadratic Sieve (MPQS) or Elliptic Curve Method (ECM, see [8]). The current world record in factoring a random RSA modulus is 576 bits and was achieved with a complete software implementation of the GNFS in 2003 [4], using MPQS for the factorization of the rest...

126 |
The Development of the Number Field Sieve
- Lenstra, Lenstra
- 1993
Citation Context: ...Up to now, several efficient algorithms for factoring integers have been proposed. Each algorithm is appropriate for a different situation. For instance, the Generalized Number Field Sieve (GNFS, see [7]) is the best for factoring numbers with large factors (hundreds of bits) and, hence, can be used for attacking the RSA cryptosystem. As an intermediate step, the GNFS requires a method to efficiently...

46 | Some integer factorization algorithms using elliptic curves
- Brent
- 1986
Citation Context: ...puted with p0 being the smallest prime in that interval and the corresponding table entries are added successively to obtain pQ for the next prime p. Two major improvements have been proposed for ECM [2, 9]. Using Montgomery’s form, the procedure is difficult to implement but can be improved as follows. The improved standard continuation uses a parameter 2 < D < B1. First, a table T of multiples kQ of Q...

42 | Factoring large numbers with the TWIRL device, in Crypto 2003
- Shamir
Citation Context: ...ng large numbers. The best known method for factoring large integers is the General Number Field Sieve (GNFS). Recently, architectures for special purpose hardware for the GNFS have been proposed [5, 12]. One important step within the GNFS is the factorization of mid-size numbers for smoothness testing, an efficient algorithm for which is the Elliptic Curve Method (ECM). Since the smoothness testing ...

35 | A Scalable Architecture for Modular Multiplication Based on Montgomery’s Algorithm
- Tenca, Koç
Citation Context: ... with length of currently used minimum 1024 bits. 2 find factors of up to about 40 bits. For the implementation, a highly efficient modular multiplication architecture described by Tenca and Koç (see [13]) is used. We describe a controlling unit that synchronously feeds multiple ECM units with programming steps, such that the ECM algorithm does not need to be stored in every single unit. In this way w...

14 |
Speeding up the Pollard and elliptic curve methods of factorization
- Montgomery
- 1987
Citation Context: ...reduce this to 10[log 2 k] multiplications. By handling each prime factor of k separately and using optimal addition chains the number of multiplications can be decreased to roughly 9.3[log 2 k] (see [9]). The addition chains can be precalculated. 2.4 The Second Phase The standard way to calculate the points pQ for all primes B1 < p ≤ B2 is to precompute a (small) table of multiples kQ where k runs t...

13 | SHARK : A realizable special hardware sieving device for factoring 1024-bit integers
- Franke, Kleinjung, et al.
- 2005
Citation Context: ...ng large numbers. The best known method for factoring large integers is the General Number Field Sieve (GNFS). Recently, architectures for special purpose hardware for the GNFS have been proposed [5, 12]. One important step within the GNFS is the factorization of mid-size numbers for smoothness testing, an efficient algorithm for which is the Elliptic Curve Method (ECM). Since the smoothness testing ...

11 | Precise bounds for Montgomery modular multiplication and some potentially insecure RSA moduli - Walter - 2002 |

9 |
A Scalable GF (p) Elliptic Curve Processor Architecture for Programmable Hardware
- Orlando, Paar
Citation Context: .... Such units for modular addition and multiplication have been studied thoroughly in the last few years, e.g., for the use in cryptographic devices using Elliptic Curve Cryptography (ECC), see, e.g., [6, 10]. Therefore, we could exploit the well developed area of ECC architectures for our ECM design. In this work, we present an efficient hardware implementation of ECM to factor numbers up to 200 bits, wh...

8 |
A Monte Carlo Method for Factorization, Nordisk Tidskrift for Informationsbehandlung (BIT)
- Pollard
- 1975
Citation Context: ...cribed in Section 3. Section 4 presents our FPGA implementation. The last section collects results and conclusions. 2 Elliptic Curve Method The principles of ECM are based on Pollard’s (p − 1)-method [11]. We describe H. W. Lenstra’s Elliptic Curve Method (ECM) [8]. 2.1 The Algorithm Let N be an integer without small prime factors which is divisible by at least two different primes, one of them q. Suc...

5 | Šimka: Comparison of Two Implementations of Scalable Montgomery Coprocessor Embedded in Reconfigurable Hardware
- Drutarovský, Fischer, et al.
Citation Context: ... paper is optimal for implementation on any FPGA that has dedicated carry logic capability (e.g. modern Altera and Xilinx FPGAs). A detailed analysis and comparison of both structures can be found in [3]. The depicted hardware performs a slightly modified Multiple Word Radix-2 Montgomery Multiplication (Algorithm 1). Instead of more expensive word-wise addition in step 3 we have used only...

2 |
An End-to-End Systems Approach to Elliptic Curve Cryptography
- Sumit, Gupta, et al.
- 2002
Citation Context: .... Such units for modular addition and multiplication have been studied thoroughly in the last few years, e.g., for the use in cryptographic devices using Elliptic Curve Cryptography (ECC), see, e.g., [6, 10]. Therefore, we could exploit the well developed area of ECC architectures for our ECM design. In this work, we present an efficient hardware implementation of ECM to factor numbers up to 200 bits, wh...

2 |
1.8v field programmable gate arrays production product specification
- Virtex-E
- 2002
Citation Context: ...2000E-6) and a control logic implemented in software on an embedded microcontroller (ARM7TDMI, 25MHz, see [1]). The ECM unit is coded in VHDL and was synthesized for a Xilinx FPGA (Virtex2000E-6, see [15]). For the actual VHDL implementation, memory cells have been realized with the FPGA’s internal block RAM memory. For the word width w = 32 bits 2 blocks with e = ⌈(n+1)/w⌉ words are used for each reg...

1 |
E-mail announcement. http://www.crypto-world.com/announcements/rsa576.txt
- Franke, Kleinjung, et al.
- 2003
Citation Context: ...eve (MPQS) or Elliptic Curve Method (ECM, see [8]). The current world record in factoring a random RSA modulus is 576 bits and was achieved with a complete software implementation of the GNFS in 2003 [4], using MPQS for the factorization of the rests. For larger moduli it will become crucial to use special hardware for factoring. A new hardware design for the sieving step in GNFS is called SHARK [5] ...