Special-Purpose Hardware for Solving the Elliptic Curve Discrete Logarithm Problem

Abstract

The resistance against powerful index-calculus attacks makes Elliptic Curve Cryptosystems (ECC) an interesting alternative to conventional asymmetric cryptosystems, like RSA. Operands in ECC require significantly less bits at the same level of security, resulting in a higher computational efficiency compared to RSA. With growing computational capabilities and continuous technological improvements over the years, however, the question of the security of ECC against attacks based on special-purpose hardware arises. In this context, recently emerged low-cost FPGAs demand for attention in the domain of hardware-based cryptanalysis: the extraordinary efficiency of modern programmable hardware devices allow for a low-budget implementation of hardware-based ECC attacks---without the requirement of the expensive development of ASICs. With focus on the aspect of cost-efficiency, this contribution presents and analyzes an FPGA-based architecture of an attack against ECC over prime fields. A multi-processing hardware architecture for Pollard's Rho method is described. We provide results on actually used key lengths of ECC (128 bits and above) and estimate the expected runtime for a successful attack. As a first result, currently used elliptic curve cryptosystems with a security of 160 bit and above turn out to be infeasible to break with available computational and financial resources. However, some of the security standards proposed by the Standards for Efficient Cryptography Group (SECG) become subject to attacks based on low-cost FPGAs.