Solving a 112-bit prime elliptic curve discrete logarithm problem on game consoles using sloppy reduction

International Journal of Applied Cryptography

Volumn 2, Issue 3, 2012, Pages 212-228

  Bos, Joppe W ^a   Kaihara, Marcelo E ^a   Kleinjung, Thorsten ^a   Lenstra, Arjen K ^a   Montgomery, Peter L ^b  

^a EPFL   (Switzerland)

^b MICROSOFT RESEARCH   (United States)

Author keywords

Cell processor; Elliptic curve discrete logarithm; Negation map; Pollard's rho method; SIMD; Single instruction multiple data

Indexed keywords

EID: 84857706133     PISSN: 17530563     EISSN: 17530571     Source Type: Journal    
DOI: 10.1504/IJACT.2012.045590     Document Type: Article

References (52)

1. Anderson, D.P. (2004) 'Boinc: a system for public-resource computing and storage', in GRID '04: Proceedings of the 5th IEEE/ACM International Workshop on Grid Computing, pp.4-10, IEEE Computer Society
2. Bailey, D.V., Batina, L., Bernstein, D.J., Birkner, P., Bos, J.W., Chen, H-C., Cheng, C-M., van Damme, G., de Meulenaer, G., Perez, L.J.D., Fan, J., G uneysu, T., Gurkaynak, F., Kleinjung, T., Lange, T., Mentens, N., Niederhagen, R., Paar, C., Regazzoni, F., Schwabe, P., Uhsadel, L., Herrewege, A.V. and Yang, B-Y. (2009) 'Breaking ECC2K-130', Cryptology ePrint Archive, Report 2009/541, available at http://eprint.iacr.org/2009/541.
3. Bajard, J-C., Meloni, N. and Plantard, T. (2005) 'Efficient RNS bases for cryptography', in IMACS'05: World Congress: Scientific Computation Applied Mathematics and Simulation.
4. Bender, A. and Castagnoli, G. (1990) 'On the implementation of elliptic curve cryptosystems', in Crypto 1989, Lecture Notes in Computer Science, Vol. 435, pp.186-192, Springer.
5. Bernstein, D.J. (2006) 'Curve25519: new Diffie-Hellman speed records', in Public Key Cryptography - PKC 2006, Lecture Notes in Computer Science, Vol. 3958, pp.207-228, Springer. (Pubitemid 44055063)
6. Bernstein, D.J., Chen, H-C., Chen, M-S., Cheng, C-M., Hsiao, C-H., Lange, T., Lin, Z-C. and Yang, B-Y. (2009) 'The billion-mulmod-per-second PC', in Workshop record of SHARCS'09, pp.131-144, available at http://www.hyperelliptic. org/tanja/SHARCS/record2.pdf.
7. Bernstein, D.J. and Lange, T. (2007) 'Faster addition and doubling on elliptic curves', in Asiacrypt 2007, Lecture Notes in Computer Science, Vol. 4833, pp.29-50, Springer.
8. Bernstein, D.J., Lange, T. and Schwabe, P. (2011) 'On the correct use of the negation map in the Pollard rho method', in Public Key Cryptography - PKC 2011, Lecture Notes in Computer Science, Vol. 6571, pp.128-146, Springer.
9. Bos, J.W. (2010) 'High-performance modular multiplication on the cell processor', in International Workshop on the Arithmetic of Finite Fields - WAIFI 2010, Lecture Notes in Computer Science, Vol. 6087, pp.7-24, Springer.
10. Bos, J.W. and Kaihara, M.E. (2010) 'Montgomery multiplication on the cell', in Parallel Processing and Applied Mathematics 2009, Lecture Notes in Computer Science, Vol. 6067, pp.477-485, Springer.
11. Bos, J.W., Kaihara, M.E. and Montgomery, P.L. (2009) 'Pollard rho on the PlayStation 3', in Workshop Record of SHARCS'09, pp.35-50, available at http://www.hyperelliptic.org/tanja/SHARCS/record2.pdf.
12. Bos, J.W., Kleinjung, T. and Lenstra, A.K. (2010a) 'On the use of the negation map in the Pollard rho method', in Ninth Algorithmic Number Theory Symposium - ANTS-IX, Lecture Notes in Computer Science, Vol. 6197, pp.67-83, Springer.
13. Bos, J.W., Kleinjung, T., Niederhagen, R. and Schwabe, P. (2010b) 'ECC2K-130 on cell CPUs', in Africacrypt 2010, Lecture Notes in Computer Science, Vol. 6055, pp.225-242, Springer.
14. Bos, J.W., Kleinjung, T., Lenstra, A.K. and Montgomery, P.L. (2011) 'Efficient SIMD arithmetic modulo a Mersenne number', in IEEE Symposium on Computer Arithmetic - Arith-20, pp.213-221, IEEE Computer Society.
15. Brent, R.P. and Pollard, J.M. (1981) 'Factorization of the eighth Fermat number', Mathematics of Computation, Vol. 36, No. 154, pp.627-630.
16. Certicom (2002) 'Press release: Certicom announces elliptic curve cryptosystem (ECC) challenge winner', available at http://www.certicom.com/ index.php/2002-press-releases/38-2002-press-releases/340-notre-dame- mathematician-solveseccp-109-encryption-key-problem-issued-in-1997.
17. Certicom Research (2000) 'Standards for efficient cryptography 2: recommended elliptic curve domain parameters', Standard SEC2, Certicom.
18. Cheon, J.H., Hong, J. and Kim, M. (2008) 'Speeding up the Pollard rho method on prime fields', in Asiacrypt 2008, Lecture Notes in Computer Science, Vol. 5350, pp.471-488, Springer.
19. Costigan, N. and Schwabe, P. (2009) 'Fast elliptic-curve cryptography on the cell broadband engine', in Africacrypt 2009, Lecture Notes in Computer Science, Vol. 5580, pp.368-385, Springer.
20. Costigan, N. and Scott, M. (2007) 'Accelerating SSL using the vector processors in IBM's cell broadband engine for Sony's Playstation 3', Cryptology ePrint Archive, Report 2007/061, available at http://eprint.iacr.org/2007/061.
21. Crandall, R.E. (1992) 'Method and apparatus for public key exchange in a cryptographic system', October, US patent number 5,159,632.
22. Duursma, I.M., Gaudry, P. and Morain, F. (1999) 'Speeding up the discrete log computation on curves with automorphisms', in Asiacrypt 1999, Lecture Notes in Computer Science, Vol. 1716, pp.103-121, Springer.
23. Edwards, H.M. (2007) 'A normal form for elliptic curves', Bulletin of the American Mathematical Society, July, Vol. 44, pp.393-422.
24. Galbraith, S. (2010) 'Mathematics of public key cryptography (version 0.6)', available at http://www.isg.rhul.ac.uk/sdg/crypto-book/cryptobook.html (accessed on 2011 November).
25. Gallant, R.P., Lambert, R.J. and Vanstone, S.A. (2000) 'Improving the parallelized Pollard lambda search on anomalous binary curves', Mathematics of Computation, Vol. 69, No. 232, pp.1699-1705.
26. Hofstee, H.P. (2005) 'Power efficient processor architecture and the cell processor', in HPCA 2005, pp.258-262. (Pubitemid 41731505)
27. Hotz, G. (2010) 'Here's your silver plate', available at http://www.theregister.co.uk/2010/01/25/playstation cracked wide open/ (accessed on January 2010).
28. IBM (2010) 'Multi-precision math library', Example Library API Reference, available at https://www.ibm.com/developerworks/power/cell/documents.html (accessed on March 2010).
29. Kaihara, M.E. and Takagi, N. (2005) 'A hardware algorithm for modular multiplication/division', IEEE Trans. Computers, Vol. 54, No. 1, pp.12-21. (Pubitemid 40191757)
30. Kaliski, B.S. (1995) 'The Montgomery inverse and its applications', IEEE Transactions on Computers, Vol. 44, No. 8, pp.1064-1065.
31. Kim, J.H., Montenegro, R., Peres, Y. and Tetali, P. (2010) 'A birthday paradox for Markov chains, with an optimal bound for collision in the Pollard rho algorithm for discrete logarithm', The Annals of Applied Probability, Vol. 20, No. 2, pp.495-521.
32. Kleinjung, T., Aoki, K., Franke, J., Lenstra, A., Thomé, E., Bos, J., Gaudry, P., Kruppa, A., Montgomery, P., Osvik, D.A., Riele, H.t.,Timofeev, A. and Zimmermann, P. (2010) 'Factorization of a 768-bit RSA modulus', in Crypto 2010, Lecture Notes in Computer Science, Vol. 6223, pp.333-350, Springer.
33. Knuth, D.E. (1997) Seminumerical Algorithms. The Art of Computer Programming, 3rd ed., Addison-Wesley, Reading, Massachusetts, USA.
34. Knuth, D.E. (1998) Sorting and Searching. The Art of Computer Programming, 2nd ed., Addison-Wesley, Reading, Massachusetts, USA.
35. Koblitz, N. (1987) 'Elliptic curve cryptosystems', Mathematics of Computation, Vol. 48, No. 117, pp.203-209.
36. Koblitz, N. (1992) 'CM-curves with good cryptographic properties', in Crypto 1991, Lecture Notes in Computer Science, Vol. 576, pp.279-287, Springer.
37. Lenstra, A.K. and Lenstra, H.W., Jr. (1993) 'The development of the number field sieve', Lecture Notes in Mathematics, Vol. 1554, Springer.
38. Lenstra, H.W., Jr. (1987) 'Factoring integers with elliptic curves', Annals of Mathematics, Vol. 126, No. 3, pp.649-673.
39. Miller, V.S. (1986) 'Use of elliptic curves in cryptography', in Crypto 1985, Lecture Notes in Computer Science, Vol. 218, pp.417-426, Springer.
40. Montgomery, P.L. (1985) 'Modular multiplication without trial division', Mathematics of Computation, April, Vol. 44, No. 170, pp.519-521.
41. Montgomery, P.L. (1987) 'Speeding the Pollard and elliptic curve methods of factorization', Mathematics of Computation, Vol. 48, No. 117, pp.243-264.
42. Nivasch, G. (2004) 'Cycle detection using a stack', Information Processing Letters, Vol. 90, No. 3, pp.135-140.
43. Pollard, J.M. (1978) 'Monte Carlo methods for index computation (mod p)', Mathematics of Computation, Vol. 32, No. 143, pp.918-924.
44. RSA the Security Division of EMC (2010) 'The RSA challenge numbers', available at formerly on http://www.rsa.com/rsalabs/node.asp?id=2093, now on http://en.wikipedia.org/wiki/RSA numbers.
45. Schulte-Geers, E. (2000) 'Collision search in a random mapping: some asymptotic results', Talk at ECC 2000, The Fourth Workshop on Elliptic Curve Cryptography, Essen, Germany, available at http://www.cacr.math.uwaterloo.ca/ conferences/2000/ecc2000/slides.html.
46. Solinas, J.A. (1999) 'Generalized Mersenne numbers', Technical Report CORR 99-39, Centre for Applied Cryptographic Research, University of Waterloo.
47. Solinas, J.A. (2005) 'Cryptographic identification and digital signature method using efficient elliptic curve', May, US patent number 6,898,284.
48. Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A.K., Molnar, D., Osvik, D.A. and de Weger, B. (2009) 'Short chosen prefix collisions for MD5 and the creation of a rogue CA certificate', in Crypto 2009, Lecture Notes in Computer Science, Vol. 5677, pp.55-69, Springer.
49. Teske, E. (2001) 'On random walks for Pollard's rho method', Mathematics of Computation, Vol. 70, No. 234, pp.809-825. (Pubitemid 33570519)
50. van Oorschot, P.C. and Wiener, M.J. (1999) 'Parallel collision search with cryptanalytic applications', Journal of Cryptology, Vol. 12, No. 1, pp.1-28.
51. Wedeniwski, S. (2010) 'Piologie - an exact arithmetic library in C++', available at http://www.zetagrid.net/zeta/sourcecode.html (accessed on March 2010), iPhone application:http://itunes.apple.com/app/piologie/id387334278?mt=8 (accessed on March 2010).
52. Wiener, M.J. and Zuccherato, R.J. (1998) 'Faster attacks on elliptic curve cryptosystems', in Selected Areas in Cryptography, Lecture Notes in Computer Science, Vol. 1556, pp.190-200, Springer.