Cryptology ePrint Archive: Report 2012/002


Daniel J. Bernstein and Hsieh-Chung Chen and Chen-Mou Cheng and Tanja Lange and Ruben Niederhagen and Peter Schwabe and Bo-Yin Yang

Abstract: A major cryptanalytic computation is currently underway on multiple platforms, including standard CPUs, FPGAs, PlayStations and GPUs, to break the Certicom ECC2K-130 challenge. This challenge is to compute an elliptic-curve discrete logarithm on a Koblitz curve over F_2^131 . Optimizations have reduced the cost of the computation to approximately 2^77 bit operations in 2^61 iterations.

GPUs are not designed for fast binary-field arithmetic; they are designed for highly vectorizable floating-point computations that fit into very small amounts of static RAM. This paper explains how to optimize the ECC2K-130 computation for this unusual platform. The resulting GPU software performs more than 63 million iterations per second, including 320 million F_2^131 multiplications per second, on a $500 NVIDIA GTX 295 graphics card. The same techniques for finite-field arithmetic and elliptic-curve arithmetic can be reused in implementations of larger systems that are secure against similar attacks, making GPUs an interesting option as coprocessors when a busy Internet server has many elliptic-curve operations to perform in parallel.

Category / Keywords: implementation / Graphics Processing Unit (GPU), Elliptic Curve Cryptography, Pollard rho, qhasm

Publication Info: Updated version of paper at Indocrypt 2010

Date: received 2 Jan 2012

Contact author: tanja at hyperelliptic org

Available format(s): PDF | BibTeX Citation

Version: 20120102:203505 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]