
I was thinking about a brute force attack on Curve25519. For this, we need to solve the discrete logarithm problem $P = [n]Q \bmod 2^{255} - 19$. $P$ and $Q$ are known points on the elliptic curve, so we 'only' need to find $n$. The $n$ is in $ \{2^{254} + 8 \cdot \{0,1,2,\ldots,2^{251}-1 \} \}$. So there are $2^{251}$ different possibilities for $n$. On average the brute force attack needs to test $2^{250}$ different $n$.

We want to calculate how much time the best supercomputer in the world would need. Bernstein says that it needs 640383 cycles for one multiplication. 92% are floating point operations (flop), so I approximated this to 100% flop. The best supercomputer can do $148600 \cdot 10^{12}$ flops. Combining this information, I achieved the following result:

$$\dfrac{2^{250} \cdot 640838}{148600 \cdot 10^{12}} \cdot \dfrac{1}{60\cdot 60\cdot 24\cdot 365.25} \approx 2.47243\cdot 10^{56} \text{ years}$$

Do I have an error in reasoning?

kelalaka
Titanlord

1 Answer


OK, to answer the specific question you asked:

Bernstein says that it needs 640383 cycles for one multiplication

Actually, when Dan talks about "multiplication", he is referring to a "point multiplication", that is, to the computation of $[n]P$ (given a large integer $n$ and a point $P$).

In your simple-minded brute force search, you don't need to do a full multiplication each time. Instead, when you have computed $[a]P$ (and decided it is not $Q$), you can step to the next one by computing $[a]P + P = [a+1]P$; this is a point addition (and incrementing the value $a$ you're keeping track of), this is much cheaper than the full point multiplication operation.

Now that I've mentioned the obvious misstatement in your analysis, some general advice: to do a reasonably thorough security analysis, you'd need to consider:

  • The various computational models that an adversary may have available; in addition to a single large computer, the adversary may have a large number of smaller computers, a set of GPUs, a set of FPGAs or even (if his budget allows) some ASICs. Dan used floating point in his implementation, but that's because modern CPUs have some pretty fast floating point logic, and he took advantage of it; however, there are a lot of gates tied up in this fast floating point logic, and some of the other computational models would use different strategies.

  • The various attacks; in addition to the rather naïve brute force search, you would also need to consider various "square root" attacks (such as Baby Step Giant Step and Pollard Rho, and parallelized versions of them), and also the MOV attack (which doesn't apply to Curve25519; however, you'd need to learn why).

What Dan wrote is a decent starting point; however he assumes that the reader is already familiar with the basics of elliptic curves; I suspect you'd want to do some reading to catch up...

poncho
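The cost difference poncho describes, worked through on a toy curve as an added example (this is not code from the question or the answer). The curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ with generator $(5,1)$ of order 19 is a standard textbook toy curve, chosen so every step can be checked by hand; the affine short-Weierstrass arithmetic, the operation counter and all function names are this example's own assumptions and have nothing to do with Curve25519's Montgomery-ladder code. The example goes one step beyond the answer: the stepping search also takes a `step` parameter, so a search restricted to scalars of the form $2^{254} + 8k$, as in the question, still costs one addition (of a precomputed $[8]P$) per candidate.

```python
"""Toy model of the two brute-force strategies discussed above.

Curve: y^2 = x^3 + 2x + 2 over F_17, generator G = (5, 1) of order 19
(a standard textbook toy curve). All names below are this example's own;
nothing here is Curve25519 arithmetic.
"""

P_MOD = 17          # field prime
A, B = 2, 2         # curve coefficients
G = (5, 1)          # generator; the point at infinity is represented as None
ORDER = 19

# Group-operation counter: the answer's point is that the naive search pays
# a full scalar multiplication per candidate, the stepping search one addition.
ops = {"add": 0, "dbl": 0}


def _inv(x):
    return pow(x % P_MOD, -1, P_MOD)   # modular inverse (Python 3.8+)


def point_add(P, Q):
    """Affine short-Weierstrass addition; counts one 'add' or one 'dbl'."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                        # P + (-P) = point at infinity
    if P == Q:
        ops["dbl"] += 1
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % P_MOD
    else:
        ops["add"] += 1
        lam = (y2 - y1) * _inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(n, P):
    """[n]P by left-to-right double-and-add: about log2(n) doublings plus
    one addition per set bit, i.e. hundreds of group operations at 251 bits."""
    R = None
    for bit in bin(n)[2:]:
        R = point_add(R, R)
        if bit == "1":
            R = point_add(R, P)
    return R


def naive_dlog(P, Q, lo, hi, step=1):
    """The question's model: a fresh full multiplication for every candidate n."""
    for a in range(lo, hi, step):
        if scalar_mult(a, P) == Q:
            return a
    return None


def stepping_dlog(P, Q, lo, hi, step=1):
    """The answer's model: compute [lo]P once, then move from [a]P to
    [a+step]P with a single addition of the precomputed point [step]P.
    step=8 mirrors the clamped scalars in the question (n = 2^254 + 8k)."""
    R = scalar_mult(lo, P)
    S = scalar_mult(step, P)
    for a in range(lo, hi, step):
        if R == Q:
            return a
        R = point_add(R, S)
    return None


def count_ops(search, *args, **kwargs):
    """Run a search with the counter reset; return (result, operations used)."""
    ops["add"] = ops["dbl"] = 0
    result = search(*args, **kwargs)
    return result, dict(ops)


if __name__ == "__main__":
    target = scalar_mult(13, G)   # constructed target: the discrete log is 13
    for name, fn in (("naive", naive_dlog), ("stepping", stepping_dlog)):
        print(name, count_ops(fn, G, target, 1, ORDER))
```

Searching for $n = 13$ costs the naive search 28 doublings and 12 additions, the stepping search 1 doubling and 11 additions; on a 19-element group the gap is small, but the naive cost grows with the bit length of every candidate, so at Curve25519's size each double-and-add multiplication is roughly 250 doublings plus about 125 additions per candidate against a single addition for stepping. That is why the per-candidate cycle count in the question overstates the work of even the naive attack, quite apart from the square-root attacks the answer lists, which need far fewer group operations than either search here.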