General Attacks on
Elliptic Curve Based
Cryptosystems
Merabi Chicvashvili
Ron Ryvchin
Project Advisor: Barukh Ziv
Spring 2014
Elliptic Curves


Point addition can be defined geometrically and
algebraically
Algebraic Approach
Point Addition




R=P+Q
s = (Py – Qy) / (Px – Qx)
Rx = s2 – Px – Qx
Ry = s*(Px – Rx) - Py
Point Doubling




R = 2·P
s = (3·Px2 + a) / (2·Py)
Rx = s2 – 2·Px
Ry = s*(Px – Rx) - Py
Cryptography with Elliptic Curves
Elliptic Curve Encryption
Attacking ECC
Best possible way is a ‘collision attack’ known as
Pollard’s rho attack ,taking O(n1/2) curve
additions, where n is the order of the base point

The Pohlig-Hellman algorithm reduces the size of the
problem.
 ECDLP is reduced to ECDLP modulo each prime factor of n



As field size increases, the attack becomes harder at
an exponential rate
ECC key of 163 bits is equivalent to RSA key of 1024
bits
ECC key of 256 bits is equivalent to RSA key of 3072
bits
Pollard rho Algorithm
Pollard rho Algorithm
Additive walks
Cycle detection
Performance Analysis - Speed
Attack performance dependents on:



Field arithmetic speed – provided by NTL
library
Curve arithmetic speed – selection of
coordinates
Algorithmic level – partition function, cycle
detection
Performance Analysis – additive
walk and partition function
Performance Analysis coordinates
Affine point addition:


1 squaring, 2 multiplications, 1 inverse
Inverse is expensive!
Jacobian coordinates: x, y, z
Jacobian point addition:

12 squarings, 4 multiplications, no inverse!
Performance Analysis coordinates
Performance Analysis – cycle
detection
Brent’s cycle detection algorithm does less
function evaluations than Floyd’s. In his work
Brent claims that his algorithm improved Pollard
Rho performance by 24%, on average.
Brent’s algorithm counts number of steps. At the
end, we know the length of the cycle.

We used this counter to improve the algorithm for
some cases of “rho” shape, staying with O(1) space
complexity
Performance Analysis – cycle
detection
“Perfect” cycle detection:
• Tail = 2i - 1
• Cycle = 2i
• No redundant steps
Performance Analysis – cycle
detection
“Worse” case:
•
•
•
•
•
Tail = 2i
Cycle = 2i -1
Same number of steps to collision
The algorithm does (tail-1) + 2i + cycle steps
Redundant steps: ~50%
Performance Analysis – cycle
detection
Worst case 1:
• Very short or no tail
• An iteration finishes just one step
short of the possible collision point
• Could finish in about 2i steps, will
take twice more
Worst case 2:
• After finishing the tail in ~2i steps, we waste the same number
of steps before we get the first green point on the cycle
Performance Analysis – cycle
detection
“Middle point” improvement:
•
•
•
•
•
Remember the point after 2i-1 steps
Compare new points to both last “green” and “yellow”
Collision found after (tail – 1) + 2i-1 + cycle steps
Saving: 2i-1, which is ~1/6th of the original result
The saving is up to 1/4th
• Experimental measurements: ~50% of attacks were shortened, for each
challenge (key size) there was an attack that found middle point collision,
speedup: 14-24%
Results
Previous best results: 64 bits challenge in ~16
hours (1,993,844,576 function calls)
Our best result:


64 bits in ~42 minutes (436,215,366 function calls)
70 bits in ~5 hours (4,924,092,173 function calls)
Full Results
challenge
size
(bits)
function evaluations
min
max
average
time (min)
time (max)
30
24,176
77,424
37,974
0.05 sec
0.2 sec
40
365,389
2,200,397
1,125,607
1 sec
6 sec
50
5,471,207
54,876,055
25,661,003
18 sec
197 sec
64
436,215,366
6,261,487,497
3,499,239,651
2507 sec (42 min)
23917 sec (~7 hours)
70
4,924,092,173 90,946,847,050 38,666,966,411 17878 sec (~5 hours) 328611 sec (~4 days)
Special Challenge
Special Challenge
Special Challenge
Special Challenge
Since the order of the curve is not a prime
number we applied Pohlig-Hellman reduction to
this challenge.
 Although n is large, its largest prime factor is
28202267.
 The whole attack finished in about 3 minutes.
Bibliography
 V. Shoup, "NTL: A Library for doing Number Theory"
http://www.shoup.net/ntl/
 Darrel Hankerson, Alfred Menezes, Scott Vanstone,
“Guide to Elliptic Curve Cryptography”.
 I. Duursma, P. Gaudry, and F. Morain, “Speeding up the
Discrete Log Computation on Curves with
Automorphisms”
 R´obert L´orencz, “New Algorithm for Classical Modular
Inverse”.