Abstract. A novel portable hardware architecture for the Elliptic Curve Method of factoring, designed and optimized for application in the relation collection step of the Number Field Sieve, is described and analyzed. A comparison with an earlier proof-of-concept design by Pelzl,Šimka, et al. has been performed, and a substantial improvement has been demonstrated in terms of both the execution time and the area-time product. The ECM architecture has been ported across three different families of FPGA devices in order to select the family with the best performance to cost ratio. A timing comparison with a highly optimized software implementation, GMP-ECM, has been performed. Our results indicate that low-cost families of FPGAs, such as Xilinx Spartan 3, offer at least an order of magnitude improvement over the same generation of microprocessors in terms of the performance to cost ratio.
Introduction
The fastest known method for factoring large integers is the Number Field Sieve (NFS), invented by Pollard in 1991 [1, 2] . It has since been improved substantially and developed from its initial "special" form (which was only used to factor numbers close to perfect powers, such as Fermat numbers) to a general purpose factoring algorithm. Using the Number Field Sieve, an RSA modulus of 663 bits was successfully factored by Bahr, Boehm, Franke and Kleinjung in May 2005 [3] . The cost of implementing the Number Field Sieve and the time it takes for such an implementation to factor a b-bit RSA modulus provide an upper bound on the security of b-bit RSA.
In order to factor a big integer N , such as an RSA modulus, NFS requires the factorization of a large number of moderately sized integers created at run time, perhaps of size 200 bits. Such numbers can be routinely factored in very little time. However, because an estimated 10 10 such factorizations are necessary for NFS to succeed in factoring a 1024 bit RSA modulus, it is of crucial importance to perform these auxiliary factorizations as fast and efficiently as possible. Even tiny improvements, once multiplied by 10 10 factorizations, would make a significant difference in how big an RSA modulus we can factor. The Elliptic Curve Method (ECM), which is the main subject of this paper, is a sub-exponential factoring algorithm, with expected run time of O(exp(c √ log p log log p) M (N )) where c > 0, p is a factor we aim to find, and M (N ) denotes the cost of multiplication (mod N ). ECM is the best method to perform the kind of factorizations needed by NFS, for integers in the 200-bit range, with prime factors of up to about 40 bits [16, 17] .
The contribution of this paper is an implementation of the elliptic curve method in hardware (FPGAs). We describe in detail how to optimize the design and compare our work both to an existing software implementation (GMP-ECM) [4, 5] and an earlier hardware implementation [6, 7] .
Elliptic Curve Method

ECM Algorithm
Let K be a field with characteristic different from 2, 3. An elliptic curve can be represented by a homogeneous equation Y 2 Z = X 3 + AXZ 2 + BZ 3 with X, Y, Z ∈ K not all zero, where A, B are in K with 4A
3 + 27B 2 = 0, together with a special point O = (0, 1, 0) called a "point at infinity". Points of the curve E together with the addition operation form an abelian group which is denoted by E(K), where O is the identity element of the group [8] .
The Elliptic Curve Method of factoring was originally proposed by Lenstra [9] and subsequently extended by Brent [10] and Montgomery [11, 12] . The original part of the algorithm proposed by Lenstra is typically referred to as Phase 1 (or Stage 1), and the extension by Brent and Montgomery is called Phase 2 (or Stage 2). The pseudocode of both phases is given below as Algorithm 1.
Algorithm 1 ECM Algorithm
Require: N : composite number to be factored, E: elliptic curve, P0 = (x0, y0, z0) ∈ E(ZN ): initial point, B1: smoothness bound for Phase 1, B2: smoothness bound for Phase 2, B2 > B1. Ensure: q: factor of N, 1 < q ≤ N , or FAIL. 
12: 
Implementation Issues
An efficient algorithm for computing scalar multiplication was proposed by Montgomery [11] in 1987, and is known as the Montgomery ladder algorithm.
This algorithm is especially efficient when an elliptic curve is expressed in the Montgomery form, E : by 2 = x 3 + ax 2 + x. This form is obtained by a suitable change of variables [4] from the standard Weierstrass form. The corresponding expression in projective coordinates is
with b(a 2 − 4) = 0.
When one uses the Montgomery ladder algorithm with the Montgomery form of elliptic curve given in (1), all intermediate computations can be carried on using only x and z coordinates. As a result, we denote the starting point P 0 by (x 0 : : z 0 ), intermediate points P , Q, by (x P : : z P ), (x Q : : z Q ), and the final point kP 0 by (x kP0 : : z kP0 ). The pseudocode of the Montgomery ladder algorithm is shown below as Algorithm 2, and its basic step is defined in detail as Algorithm 3.
Algorithm 2 Montgomery Ladder Algorithm
Require: P0 = (x0 : : z0) on E with x0 = 0, an s-bit positive integer k = (ks−1ks−2 · · · k1k0)2
with ks−1 = 1 Ensure: kP0 = (x kP 0 : :
if ki = 1 then 4:
5:
else 6:
end if 8: end for 9: return Q
Algorithm 3 Addition and Doubling using the Montgomery's Form of Elliptic Curve
Require: P = (xP : : zP ), Q = (xQ : : zQ) with xP xQ(xP − xQ) = 0, P0 = (x0 : : z0) = (xP −Q : :
, where a is a parameter of the curve E in (1) Ensure: P + Q = (xP +Q : : zP +Q ), 2P = (x2P : : z2P )
A careful analysis of formulas in Algorithm 3 indicates that point addition P +Q requires 6 multiplications, and point doubling 5 multiplications. Therefore, a total of 11 multiplications are required in each step of the Montgomery ladder algorithm. In Phase 1 of ECM, the initial point, P 0 , can be chosen arbitrarily. Choosing z 0 = 1 implies z P −Q = 1 throughout the entire algorithm, and thus reduces the total number of multiplications from 11 to 10 per one step of the algorithm, independent of the i-th bit k i of k. This optimization is not possible in Phase 2, where the initial point Q 0 is the result of computations in Phase 1, and thus cannot be chosen arbitrarily.
Implementation of Phase 2
Phase 1 computes one scalar multiplication kP 0 , and the implementation issues are relatively easy compared with Phase 2. For Phase 2, we follow the basic idea of the standard continuation [11] and modify it appropriately for efficient FPGA implementation. Choose 2 < D < B 2 , and let every prime p, B 1 < p ≤ B 2 , be expressed in the form . Then, the condition pQ 0 = O, implies (mD ± j)Q 0 = O, and thus mDQ 0 = ±jQ 0 .
Writing mDQ 0 = (x mDQ0 : : z mDQ0 ) and jQ 0 = (x jQ0 : : z jQ0 ), the condition mDQ 0 = ±jQ 0 ∈ E(Z q ) is satisfied if and only if x mDQ0 z jQ0 − x jQ0 z mDQ0 ≡ 0 (mod q). Therefore existence of such pair m and j implies that one can find a factor of N by computing
In order to speed up these computations, one precomputes one of the sets S = {jQ 0 : j ∈ J S } or T = {mDQ 0 : m ∈ M T }. Typically, the first of these sets, S, is smaller, and thus only this set is precomputed. One then computes the product d in the (3) for a current value of mDQ 0 , and all precomputed points jQ 0 , for which either mD + j or mD − j is prime. For each pair, (m, j), where j ∈ J S and m ∈ M T , we can precompute a bit value: prime log q log log q where q is unknown prime we want to find, and the value B 2 is between 50B 1 and 100B 1 depending on the computational resources for Phase 2. In our case, likeŠimka et al. [6, 7] , we choose B 1 = 960 and B 2 = 57000 to find a 40-bit prime divisor of 200-bit integers. Note that one has e √ 1 2 log q log log q ≈ 988 by setting q = 2 41 which is close to 960, and the ratio B 2 /B 1 is 57000/960 ≈ 59. In general, the larger values of B 1 and B 2 increase the probability of success in Phase 1 and Phase 2 respectively (and thus decrease the expected number of trials), but at the same time, increase the execution time of these phases. Values of D = 30 = 2 · 3 · 5 and D = 210 = 2 · 3 · 5 · 7 are the two most natural choices for D as they minimize the size of sets J S and S and as a result of the amount of memory storage and computations required for Phase 2. The larger D, the larger the amount of Precomputations in Algorithm 4, but the smaller M N , and thus the smaller number of iterations of the outer loop during Main computations in Algorithm 4. A theoretical analysis of the optimal parameter choices is given in [19] , with a view towards software implementations. The techniques developed there -which use Dickman's function to estimate the probability of success of the Elliptic Curve Method -can be adapted to a hardware setting and make it possible to determine optimal parameter choices via numerical approximations to Dickman's function. While our choices are not strictly optimal, they are fairly good and allow for direct comparsion withŠimka et al. [6, 7] .
Algorithm 4 Standard Continuation Algorithm of Phase 2
Require: N : number to be factored, E: elliptic curve, Q0 = kP0: initial point for Phase 2 calculated as a result of Phase 1, B1: smoothness bound for Phase 1, B2: smoothness bound for Phase 2, B2 > B1, D: parameter determining a trade-off between the computation time and the amount of memory required; D is assumed even in this version of the algorithm. Ensure: q: factor of N , 1 < q ≤ N or FAIL
Precomputations:
1: 
5:
if gcd(j, D) = 1 then
6:
GCD 
13:
if (mD + j or mD − j is prime) then
14:
prime 
21:
store Q in S {Q = jQ0 = (xjQ 0 : : zjQ 0 )}
22:
end if 23:
24: end for
Main computations:
for each j ∈ JS do 28:
29:
retrieve jQ0 from table S 30:
end if
32:
end for 33: 
Top-level view: ECM units
Our ECM system consists of multiple ECM units working independently in parallel, as shown in Figure 1 . Each unit performs the entire ECM algorithm for one number N, one curve E and one initial point P 0 . All units share the same global control unit and the same global memory. All components of the system are located on the same integrated circuit, either an FPGA or an ASIC, depending on the choice of an implementation technology. The exact number of ECM units per integrated circuit depends on the amount of resources available in the given integrated circuit. Multiple integrated circuits may work independently in parallel, on factoring a single number, or factoring different numbers. All integrated circuits are connected to a central host computer, which distributes tasks among the individual ECM systems, and collects and interprets results. The operation of the system starts by loading all parameters required for Phase 1 of ECM from the host computer to the global memory on the chip. These parameters include:
1. Number to be factored, N , coordinates of the starting point P 0 , and the parameter a 24 dependent on the coefficient a of the curve E -all of which can be separate for each ECM unit. 2. Integer k, used as an input in the ECM Phase 1 (see Algorithm 1), its size k N , and the parameter n = log 2 N M AX + 2, related to the size of the largest N, N M AX , processed by the ECM units -all of which are common for all ECM units. In the next step, N , the coordinates of P 0 , and the parameters a 24 and n are loaded to the local memories of the respective ECM units, and the operation of these units is started. All units operate synchronously, on different data sets, performing all intermediate calculations exactly at the same time.
The results of these calculations are the coordinates x Q0 and z Q0 of the ending point Q 0 = kP 0 , separate for each ECM unit. These coordinates are downloaded to the host computer, which performs the final calculations of Phase 1, q = gcd(z Q0 , N ).
If no factor of N was found, the ECM system is ready for Phase 2. The values of N , the parameters a 24 and n, and the coordinates of the points Q 0 obtained as a result of Phase 1 are already in the local memories of each ECM unit. The host computer calculates and downloads to the global memory of the ECM system the following parameters dependent on B 2 and D: M M IN , M N , GCD table, and prime table, defined in Section 2.3. The Phase 2 is then started simultaneously in all ECM units, and produces as final results, the accumulated product d (see (3) ). These final results are then downloaded to the host computer, where the final calculations q = gcd(d, N ) are performed. Note that with this top level organization, there is no need to compute greatest common divisor or division in hardware. Additionally, the overhead associated with the transfer of data between the ECM system and the host computer, and the time of computations in software are both typically insignificant compared to the time used for ECM computations in hardware, even in the case of a relatively slow interface and/or a slow microprocessor.
Medium-level View: Operations of the ECM Unit
Medium-level operations The primary operation constituting Phase 1 of ECM is a scalar multiplication Q 0 = kP 0 . As discussed in Section 2.2, this operation can be efficiently implemented in projective coordinates using Algorithm 2.
In Phase 1, one coordinate of P 0 can be chosen arbitrarily, and therefore the computations can be simplified by selecting z P0 = z P −Q = 1. The remaining computations necessary to simultaneously compute P + Q and 2P can be interleaved, and assigned to three functional units working in parallel, as shown in Table 1 . The entire step of a scalar multiplication, including both point addition and doubling can be calculated in the amount of time required for 2 modular additions/subtractions and 5 modular multiplications. Please note that because the time of an addition/subtraction is much shorter than the time of a multiplication, two sequential additions/subtractions can be calculated in parallel with two multiplications. D:
A: m8 = s 2 4 A:
The storage used for temporary variables a 1 , . . . , a 4 , s 1 , . . . , s 4 , and m 1 , . . . , m 10 can be reused whenever any intermediate values are no longer needed. With the appropriate optimization, the amount of local memory required for Phase 1 has been reduced to 11 256-bit operands, i.e., 88 32-bit words. The remaining portion of this memory is used in Phase 2 of ECM. In Phase 2, the initial computation
can be performed using an algorithm similar to the one used in Phase 1. The only difference is that now, P − Q = Q 0 cannot be chosen arbitrarily, and thus, z P −Q = z Q0 = 1. As a result, the computations will take the amount of time required for 2 modular additions/subtractions and 6 modular multiplications. The second type of operation required in Phase 2 is a simple point addition P + Q. This operation can be performed in the time of 6 additions/subtractions and 3 modular multiplications. Finally, the last medium level operation required in Phase 2 is the accumulation of the product d, as defined in (3). We can rewrite the expression for d as
where, (x i , z i ) ∈ {(x, z) : (x : : z) = jQ 0 }, (x n , z n ) ∈ {(x, z) : (x : : z) = mDQ 0 } and GCD Table 2 , we show how these operations can be distributed in an optimum way among three arithmetic units working in parallel. As shown in Table 2 , after the initial delay of one multiplication, the time required to compute and accumulate any two subsequent values of a partial product x mDQ0 z jQ0 − x jQ0 z mDQ0 is equal to the time of three multiplications. (xnzi − xizn) (mod N ) in Phase 2 (for fixed n and moving i)
Instructions of the ECM unit Each ECM unit is composed of two modular multipliers, one adder/subtractor, and one local memory. The local memory size is 512 32-bit words, equivalent to 64 256-bit registers. In Phase 1, only 11 out of 64 256-bit registers are in use. In Phase 2, with D = 210, the entire memory is occupied. Every ECM unit forms a simple processor with its own instruction set. Since all ECM units perform exactly the same instructions at the same time, the instructions are stored in the global instruction memory, and are interpreted using the global control unit, as shown in Figure 1 . Three sequences of ECM instructions describe three kinds of medium-level operations:
Since only 11 256-bit registers are necessary to perform each of the sequences of instructions given above, only 4 bits are required to encode each input/output address.
The operation performed by each instruction is determined based on the position of the instruction in the instruction sequence, and thus does not need to be encoded in the instruction body. In particular, a group of four instructions corresponds to one row of Table 1 and is stored in the order: Multiplication 2, Multiplication 1, Subtraction, and Addition. These four consecutive instructions are fetched serially, but executed in parallel. The processor progresses to the next group of four instructions only when all instructions of the previous group have been completed. If the given arithmetic unit should remain inactive in the given sequence of four instructions, this inactivity is described using the zero value of a special flag in the body of the respective instruction.
Low-level View: Modular multiplication and addition/subtraction
The three low level operations implemented by the ECM unit are Montgomery modular multiplication [13] , modular addition, and modular subtraction. Modular addition and subtraction are very similar to each other, and as a result they are implemented using one functional unit, the adder/subtractor. For 256-bit operands, both addition and subtraction take 41 clock cycles. In order to simplify our Montgomery multiplier, all operations are performed on inputs X, Y in the range 0 ≤ X, Y < 2N , and return an output S in the same range, 0 ≤ S < 2N . This is equivalent to computing all intermediate results modulo 2N instead of N , which increases the size of all intermediate values by one bit, but shortens the time of computations, and leads to exactly the same final results as operations mod N .
In our implementation we have adopted the Radix-2 Multiplier Algorithm with Carry Save Addition, reported earlier in [14] . With this algorithm applied, the total execution time of a single Montgomery multiplication is equal to n + 16 clock cycles. For a typical use within ECM, n is greater than 100, and thus one addition followed by one subtraction can easily execute in the amount of time smaller than the time of a single Montgomery multiplication.
Implementation Results
Our ECM system has been developed entirely in RTL-level VHDL, and written in a way that provides portability among multiple families of FPGA devices and standard-cell ASIC libraries. In the case of FPGAs, the code has been synthesized using Synplicity Synplify Pro v. 8.0, and implemented on FPGAs using Xilinx ISE v. 6.3, 7.1 and 8.1. Three different families of FPGA devices have been targeted, including high-performance families, Virtex E and Virtex II, as well as a low-cost family, Spartan 3. The design has been debugged and verified using a test program written in C, and using GMP-ECM [4, 5] . The execution times of Phase 1 and Phase 2 in the ECM hardware architecture are shown in Table 3 and B 2 = 57000, assuming execution times of basic operations given in Table 3 . For D = 210, the largest contribution to Phase 2, around 80%, comes from the calculation of the accumulated product d.
In order to estimate an overhead associated with the transfer of control and data between a microprocessor and an FPGA, the ECM system with 10 ECM units has been ported to a reconfigurable computer SRC 6 from SRC Computers [18] , based on 2.8 GHZ Xeon microprocessors and Xilinx Virtex II XC2V6000-6 FPGAs running at a fixed clock frequency of 100 MHz. The data and control transfer overheads have been experimentally measured to be less than 4% of the end-to-end execution time for the combined Phase 1 and Phase 2 calculations.
In Table 4 , we compare our ECM architecture to an earlier design by Pelzl, Simka, et al., presented at SHARCS 2005, and described in subsequent publications [6, 7] . Every possible effort was made to make this comparison as fair as possible. In particular, we use an identical FPGA device, Virtex 2000E-6. We also do not take into account any limitations imposed by an external microcontroller used in the Pelzl/Šimka architecture. Instead, we assume that the system could be redesigned to include an on-chip controller, and it would operate with the maximum possible speed reported by the authors for their ALUs [6, 7] , i.e., 38 MHz (clock period = 26.3 ns). We also ignore a substantial input/output overhead reported by the authors, and caused most likely by the use of an external microcontroller.
In spite of these equalizing measures, our design outperforms the design by Pelzl,Šimka, et al. by a factor of 9.3 in terms of the execution time for Phase 1, by a factor of 7.4 in terms of the execution time for Phase 2 with the same value of parameter D, and by a factor of 15.0 for Phase 2 with the increased value of D = 210, not reported by Pelzl/Šimka. The main improvements in Phase 1 come from the more efficient design for a Montgomery multiplier (a factor of 5 improvement) and from the use of two Montgomery multipliers working in parallel (a factor of 1.9 improvement). An additional smaller factor is the ability of an adder/subtractor to work in parallel with both multipliers, as well as, the higher clock frequency.
One might expect that such improvement in speed comes at the cost of substantial sacrifices in terms of the circuit area and cost. In fact, our architecture is bigger, but only by a factor of 2.7 in terms of the number of CLB slices. Additionally, the design reported in [6, 7] has a number of ECM units per FPGA device limited not by the number of CLB slices, but by the number of internal onchip block RAMs (BRAMs). If this constraint was not removed, our design would outperform the design by Pelzl/Šimka in terms of the amount of computations per Xilinx Virtex 2000E device by a factor of 9.3 · 2.33 = 22 for Phase 1 and 35 for Phase 2. If the memory constraint is removed, the product of time by area still improves compared to the design by Pelzl andŠimka by a factor of 9.3/2.7 = 3.4 for Phase 1 and 5.6 for Phase 2.
In Table 5 , we show the results of porting our design to three families of Xilinx FPGAs. For each family, a representative device is selected and used in our implementation. For each device we determine the exact amount of re- sources needed per single ECM unit, the maximum number of ECM units per chip, the maximum clock frequency, and then the maximum amount of ECM computations (Phase 1 and Phase 2) per unit of time. Finally, we normalize the performance by dividing it by the cost of a respective FPGA device. From the last row in the table one can see that the low-cost FPGA devices from the Spartan 3 family outperform the high-performance Virtex II devices by a factor of 16, and thus are more suitable for cost effective code breaking computations.
In Table 6 , we compare the execution time of Phase 1 and Phase 2 between the two representative FPGA devices and a highly optimized software implementation (GMP-ECM) running on Pentium 4 Xeon, 2.8 GHz. GMP-ECM is one of the most powerful software implementations of ECM and contains multiple optimization techniques for both Phase 1 and Phase 2 [4, 5] . Additionally, we run our own test program in C that mimics almost exactly the behavior of hardware, except for using calls to the multiprecision GMP library for all low level operations, such as modular multiplication and addition. One can see that the algorithmic optimizations used in GMP-ECM matter, and reduce the overall execution time for Phase 1 from 18.3 ms to 11.3 ms (38%), and Phase 2 from 18.6 ms to 13.5 ms (27%).
Interestingly, the execution time for an ECM unit running on Virtex II, 6000E is only slightly greater than the execution time of GMP-ECM on a Pentium 4 Xeon. At the same time, since this FPGA device can hold up to 10 ECM units, its overall performance is about 8.5 times higher for combined Phase 1 and Phase 2 computations. However, the current generation of high-end FPGA devices cost about 10 times as much as comparable microprocessors. Therefore, the advantage of Virtex II over Pentium 4 disappears when cost is taken into account. In order to get an advantage in terms of the performance to cost ratio, one must use a low-cost FPGA family, such as Xilinx Spartan 3. In this case, the ratio of the amount of computations per chip is about 7 in favor of the biggest Spartan 3. Additionally this device is actually cheaper than the state-of-the-art microprocessor, so the overall improvement in terms of the performance to cost ratio exceeds a factor of 10. 
Conclusions
A novel hardware architecture for the Elliptic Curve Method of factoring has been proposed. The main differences as compared to an earlier design by Pelzl, Simka, et al. [6, 7] include the use of an on-chip optimized controller for Phase 1 and Phase 2 (in place of an external controller based on an ARM processor), substantially smaller memory requirements, an optimized architecture for the Montgomery multiplier, the use of two (instead of one) multipliers, and the ability of all arithmetic units (two multipliers and one adder/subtractor) to work in parallel. When implemented on the same Virtex 2000E-6 device, our architecture has demonstrated a speed-up by a factor of 9.3 for ECM Phase 1 and 15.0 for ECM Phase 2, compared to the design by Pelzl/Šimka, et al. At the same time, memory requirements have been reduced by a factor of 22, and the requirements for CLB slices have increased by a factor of 2.7. If the same optimizations regarding the memory usage and the use of an internal controller were applied to the design by Pelzl/Šimka, our architecture would still retain an advantage in terms of the performance to cost ratio by a factor of 3.4 for Phase 1 and 5.6 for Phase 2.
Our architecture has been implemented targeting two additional families of FPGA devices, Virtex II and Spartan 3. Our analysis revealed that the low-cost Spartan 3 devices outperformed the high-performance Virtex II devices in terms of the performance to cost ratio by a factor of about 16.
We have also compared the performance of our hardware architecture implemented using Virtex II XC2V6000-6 and Spartan 3 XC3S5000-5 with the optimized software implementation running on Pentium 4 Xeon, with a 2.8 GHz clock. Our analysis shows that the high performance FPGA device outperforms the same generation microprocessor by a factor of about 8.5, but looses its advantage when the cost of both devices is taken into account. On the other hand, the low-cost FPGA device Spartan 3 achieves about an order of magnitude advantage over the same generation Pentium 4 processor in terms of both performance and performance to cost ratio. This feature makes low-cost FPGA devices an appropriate basic building block for cost-optimized hardware for breaking cryptographic systems, which is consistent with the conclusions of other research groups reported earlier in the literature [15] .
