Armadillo ECDSA-113

[contextrax]

Here is the link to a stripped down source code if anyone wants to have a look.
A GPU version and or Linux version would be great

If any questions then just shoot

ECC Source

[oracle009]

Quote:

Originally Posted by contextrax

Here is the link to a stripped down source code if anyone wants to have a look.
A GPU version and or Linux version would be great

If any questions then just shoot

ECC Source

Thanks for sharing! The version of ECC Source is 1.00, would you like to share 1.47 or higher version? Thank you very much!

[cjack]

Hey everyone,

I've been working on a GPU-accelerated ECDLP solver specifically targeting Armadillo's ECDSA-113 protection (binary Koblitz curve over GF(2^113)).
The goal: crack the ECDSA-113 certificates used by Encryptionizer (protected with Armadillo) via distributed Pollard's Rho with distinguished points.

Live dashboard: https://ecdlp.protect.cx/

The dashboard shows real-time progress — connected agents, iteration speed, DPs collected, collision probability, ETA, leaderboard with podium for top contributors, and it will display a celebration banner when the curve is solved.

How it works:

Pollard's Rho with Frobenius + negation canonicalization (226x search space reduction)
Table-free GF(2^113) multiplication — 80 registers, zero spills
Lopez-Dahab projective coordinates (no per-step inversions)
~3.5 billion iterations/sec on RTX 5090, ~1.0 G/s on RTX 3060 Ti
Expected solve time: ~19 days on a single RTX 5090 (birthday bound ~6×10^15 iterations)
More GPUs = faster solve. Every GPU contributing brings the ETA down proportionally.

How to join:

Download the agent (Version 1.4.4):
https://ecdlp.protect.cx/download/ArmadilloSolver.zip


Extract and run:
solver_fast.exe --server ecdlp.protect.cx --worker-name "YourName" --worker-notes "Your GPU model"

That's it — zero dependencies, zero install. The agent auto-connects, receives work parameters from the server, and starts grinding.

You can limit GPU usage with --gpu-limit 50 (percentage).
You can stop the agent at any time with Ctrl+C — it saves a checkpoint automatically. When you restart it, it will resume exactly where it left off.

The zip includes both pre-built binaries (ready to run) and full source code with CMake build scripts, so you can review and compile it yourself if you prefer.

Requirements: Any NVIDIA GPU from Maxwell (GTX 900) onwards. The binary includes PTX for universal compatibility — it will JIT-compile for your specific GPU architecture on first launch.
Your contribution shows up on the dashboard leaderboard in real time. When the key is found, everyone who participated gets credited.
Shout-out to this community for all the Armadillo research over the years — this project wouldn't exist without it.

[WhoCares]

can be done in 3 days if 10 cards of RTX 4090?

I ask Gemini (Antigravity) to read the project source code and doc, it gives the following estimation.

Quote:

The total computational power required for this project can be estimated very precisely mathematically. By combining the theoretical baseline with the optimizations mentioned in the

README.md
, we can calculate the exact requirements.

1. Baseline Mathematical Scale
This system targets ECDSA-113, which is based on a binary Koblitz curve over the finite field $GF(2^{113})$.

Group Order (Total Points): For a 113-bit curve, the order of its large prime subgroup $n \approx 2^{112}$.
Original Pollard's Rho Difficulty: Theoretically, to find a collision in a group of size $n$, the expected average number of steps is $\sqrt{\frac{\pi \cdot n}{2}}$.
Here, $\sqrt{n} = \sqrt{2^{112}} = 2^{56} \approx 7.2 \times 10^{16}$ (about 72 quadrillion iterations).
2. Massive Dimensionality Reduction via Optimization
According to the

README.md
, this project utilizes extremely powerful mathematical optimizations: "Frobenius + negation canonicalization — 226x search space reduction".

Frobenius Endomorphism: On Koblitz curves over $GF(2^{113})$, this mapping can compress 113 different points into a single equivalence class.
Negation: Utilizing the fact that $P$ and $-P$ belong to the same group, the space is halved again (reduced by a factor of 2).
Total Search Space Reduction: $113 \times 2 = 226$ times smaller.
It's crucial to note that reducing the search space by a factor of 226 means the required number of iteration steps is reduced by a factor of $\sqrt{226} \approx 15.03$.

3. Absolute Computing Power Required (Total Steps)
Combining the above two conditions:

Expected Total Steps $\approx \frac{\sqrt{\frac{\pi \cdot 2^{112}}{2}}}{\sqrt{226}}$
Estimated Result: $\approx 6.0 \times 10^{15}$ steps (That is 6,000 Tera-steps or 6 quadrillion steps).
This is the expected value of the total steps required to break this curve.

4. Conversion to Physical Time
We can plug this astronomical number into the GPU performance benchmarks provided in the

README.md
:

1x RTX 5090 has an approximate speed of ~3.5 G/s (3.5 billion steps per second).
$6,000,000,000,000,000 \div 3,500,000,000 \approx 1,714,285$ seconds $\approx$ 19.8 days.
1x RTX 4090 has a speed of ~2.5 G/s (2.5 billion steps per second).
Estimated time $\approx$ 27.7 days.
1x RTX 3060 Ti has a speed of ~1.0 G/s (1.0 billion steps per second).
Estimated time $\approx$ 69.4 days.
Summary
In the face of modern computing power, a 113-bit elliptic curve has completely lost its security.

Since this is a distributed system, if dozens of hackers or security researchers participate and pool together the equivalent computing power of ten RTX 4090 GPUs, it would take less than 3 days (around 66 hours) to compute the required 6 quadrillion steps globally, triggering a hash collision and capturing the private key.

Quote:

Originally Posted by cjack

Hey everyone,

I've been working on a GPU-accelerated ECDLP solver specifically targeting Armadillo's ECDSA-113 protection (binary Koblitz curve over GF(2^113)).
The goal: crack the ECDSA-113 certificates used by Encryptionizer (protected with Armadillo) via distributed Pollard's Rho with distinguished points.

Live dashboard: https://ecdlp.protect.cx/

[cjack]

Hey WhoCares,

Great analysis! Gemini nailed the math — the numbers are spot on.

To confirm:

Expected steps: ~6.0 × 10^15 (this matches our server's calculation)
10x RTX 4090 at ~2.5 G/s each = 25 G/s total
6.0 × 10^15 / 25 × 10^9 ≈ 240,000 seconds ≈ ~2.8 days (~67 hours)
So yes, 10 RTX 4090s would crack it in roughly 3 days on average.

One small caveat worth mentioning: Pollard's Rho is probabilistic, so the actual time follows a geometric distribution. You could get lucky and find it at 50% of the expected steps, or unlucky and need 2-3x more. But on average, the estimate is correct.

And I can see you're already on the dashboard with your RTX 4070 — welcome aboard and thanks for contributing! Right now we have 4 agents running at a combined ~3.25 G/s, with ~163 trillion iterations done and 6% probability reached. The hunt is on!

[WhoCares]

congrats, there are more full speed RTX 5090s joined.

Quote:

Originally Posted by cjack

Hey WhoCares,

Great analysis! Gemini nailed the math — the numbers are spot on.

To confirm:

Expected steps: ~6.0 × 10^15 (this matches our server's calculation)
10x RTX 4090 at ~2.5 G/s each = 25 G/s total
6.0 × 10^15 / 25 × 10^9 ≈ 240,000 seconds ≈ ~2.8 days (~67 hours)
So yes, 10 RTX 4090s would crack it in roughly 3 days on average.

One small caveat worth mentioning: Pollard's Rho is probabilistic, so the actual time follows a geometric distribution. You could get lucky and find it at 50% of the expected steps, or unlucky and need 2-3x more. But on average, the estimate is correct.

And I can see you're already on the dashboard with your RTX 4070 — welcome aboard and thanks for contributing! Right now we have 4 agents running at a combined ~3.25 G/s, with ~163 trillion iterations done and 6% probability reached. The hunt is on!

[cjack]

Thank's for sharing ECC Source contextrax!
Excuse me for my ignorance but, how to calculate the 8 ecc_curve_array[] parameters of an armadillo protected application?

[contextrax]

Quote:

Originally Posted by cjack

Thank's for sharing ECC Source contextrax!
Excuse me for my ignorance but, how to calculate the 8 ecc_curve_array[] parameters of an armadillo protected application?

The first four of them does not need to be changed for a amradillo protected target.
They are the hamming weight, A in the koblitz curve equation (y^2 + xy = x^3 + Ax^2 + B), point order and cofactor.
The last four is the x,y coordinate for the base point and public point in polynomial base.
Armadillo uses a 32 bit's seed for the base point so you will have to use arma source code to calc these values. They are however i the Type 2 Optimal Normal Base and you will have to do base conversion of them to go to x^113+x^9+1
But for testing speed or making a linux or GPU version then this is not necessary.

The test curve that I use have A in the equation set to "0". This result in a different curve used for testing only. The order of this curve is 0x2000000000000000480DCA1242B1C and contains the factors:
Prime factor : 2 - (2 bits)
Prime factor : 2 - (2 bits)
Prime factor : 18B9 - (13 bits)
Prime factor : 1A89A0F - (25 bits)
Prime factor : 31F1F2A998BD31AF391 - (74 bits)
(Found by schoof2 from miracl library. "schoof2.exe 0 1 113 9")

This makes is pretty good for testing (coz of the low order) and the test curve base point has a order of 0x31F1F2A998BD31AF391. (74 bit)
You will also notice that the equivalence classes is maintained in all these subgroup (They all contain 113*2 as factors of p-1) which of course is typical for a koblitz curve.

For base conversion you could make a matrix B=[1, b, b^2....,b^(m-1)] (m=113 for this base)
Multiplying b^m*B^-1 should give you a polynomial base and to go from this base to x^113+x^9+1 you can use one of the 113 roots.
For root finding you can use magma or sage or some other algo if you want to make one yourself.

Hope this helps.

[alekine322]

Quote:

Originally Posted by contextrax

The first four of them does not need to be changed for a amradillo protected target.
They are the hamming weight, A in the koblitz curve equation (y^2 + xy = x^3 + Ax^2 + B), point order and cofactor.
The last four is the x,y coordinate for the base point and public point in polynomial base.
Armadillo uses a 32 bit's seed for the base point so you will have to use arma source code to calc these values. They are however i the Type 2 Optimal Normal Base and you will have to do base conversion of them to go to x^113+x^9+1
But for testing speed or making a linux or GPU version then this is not necessary.

The test curve that I use have A in the equation set to "0". This result in a different curve used for testing only. The order of this curve is 0x2000000000000000480DCA1242B1C and contains the factors:
Prime factor : 2 - (2 bits)
Prime factor : 2 - (2 bits)
Prime factor : 18B9 - (13 bits)
Prime factor : 1A89A0F - (25 bits)
Prime factor : 31F1F2A998BD31AF391 - (74 bits)
(Found by schoof2 from miracl library. "schoof2.exe 0 1 113 9")

This makes is pretty good for testing (coz of the low order) and the test curve base point has a order of 0x31F1F2A998BD31AF391. (74 bit)
You will also notice that the equivalence classes is maintained in all these subgroup (They all contain 113*2 as factors of p-1) which of course is typical for a koblitz curve.

For base conversion you could make a matrix B=[1, b, b^2....,b^(m-1)] (m=113 for this base)
Multiplying b^m*B^-1 should give you a polynomial base and to go from this base to x^113+x^9+1 you can use one of the 113 roots.
For root finding you can use magma or sage or some other algo if you want to make one yourself.

Hope this helps.

I see that you have a mathematical or physical profile.
You have tried to use your models to find the protection system of flex_LM
It also uses an ECC protection system.
(If I'm wrong, please correct me)

[RedLord]

Quote:

Originally Posted by alekine322

I see that you have a mathematical or physical profile.
You have tried to use your models to find the protection system of flex_LM
It also uses an ECC protection system.
(If I'm wrong, please correct me)

Yes, but flex uses more stronger ECC

[cjack]

Hi Contextrax, I have a VERY BAD target that I'm trying to reverse since a lot of time! The problem here is that it use A LOT of protected executables, so, maybe, the right way will be attacking the ECDSA certificate itself
Need support to calculate the last 4 ecc_curve_array[] parameters.
If you can help I'll extract the public certificate and post it here asap.
I think that a tool to calculate the 8 ecc_curve_array[] parameters will be AMAZING

[Megin]

Quote:

Originally Posted by cjack

Hi Contextrax, I have a VERY BAD target that I'm trying to reverse since a lot of time! The problem here is that it use A LOT of protected executables, so, maybe, the right way will be attacking the ECDSA certificate itself
Need support to calculate the last 4 ecc_curve_array[] parameters.
If you can help I'll extract the public certificate and post it here asap.
I think that a tool to calculate the 8 ecc_curve_array[] parameters will be AMAZING

Maybe you share the target with us so we can check?

[cjack]

Yes sure! Here the link:

h**ps://mega.nz/#!V8RFxCDL!7JYuUUybRoJelyZwNvp8yB-LmkBGKEeJA_uUjfmxNls

I've put into the zip just the registration app and a trial key (expired on november 2017 but if you set the clock back it'll work).
As serial number use the string "Evaluation".

Hope to start the bruteforcing soon Curious to see how many time will take!

[Apuromafo]

Quote:

Originally Posted by cjack

Yes sure! Here the link:

h**ps://mega.nz/#!V8RFxCDL!7JYuUUybRoJelyZwNvp8yB-LmkBGKEeJA_uUjfmxNls

I've put into the zip just the registration app and a trial key (expired on november 2017 but if you set the clock back it'll work).
As serial number use the string "Evaluation".

Hope to start the bruteforcing soon Curious to see how many time will take!

im think there is not necesary do many with that app , i will send some private msj
x64dbg (no plugins)
hide command
bp in 00402A90 as hw bp and start to check
is posible use the values (provided) or any fake.
here must be the end:

Quote:

00403251 68 50714100 PUSH reg3.00417150
00403256 6A 06 PUSH 6
00403258 8B0D 18714100 MOV ECX,DWORD PTR DS:[417118]
0040325E 51 PUSH ECX
0040325F E8 EC2B0000 CALL reg3.00405E50
00403264 83C4 0C ADD ESP,0C
00403267 B9 06000000 MOV ECX,6
0040326C BE 40584100 MOV ESI,reg3.00415840 ; ASCII "Thank you for registering."
00403271 8DBD E0FEFFFF LEA EDI,DWORD PTR SS:[EBP-120]
00403277 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00403279 66:A5 MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI]
0040327B A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0040327C 6A 00 PUSH 0
0040327E 68 00534100 PUSH reg3.00415300 ; ASCII "Encryptionizer Key Registration"
00403283 8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120]
00403289 52 PUSH EDX
0040328A 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0040328D 50 PUSH EAX
0040328E FF15 74214100 CALL DWORD PTR DS:[412174]
00403294 C705 BC6C4100 00>MOV DWORD PTR DS:[416CBC],0
0040329E 6A FF PUSH -1
004032A0 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
004032A3 51 PUSH ECX
004032A4 FF15 64214100 CALL DWORD PTR DS:[412164]
004032AA C745 F8 01000000 MOV DWORD PTR SS:[EBP-8],1

if not have the program, will call to program regedit values , im think there not must be a normal app with armadillo (minimum protection)

BR, Apuromafo

[contextrax]

Quote:

Originally Posted by cjack

Hi Contextrax, I have a VERY BAD target that I'm trying to reverse since a lot of time! The problem here is that it use A LOT of protected executables, so, maybe, the right way will be attacking the ECDSA certificate itself
Need support to calculate the last 4 ecc_curve_array[] parameters.
If you can help I'll extract the public certificate and post it here asap.
I think that a tool to calculate the 8 ecc_curve_array[] parameters will be AMAZING

You want to break 4 113 bit's ECC curves by solving ECDSA?
We used like 6 months last time so unless you have access to a lot of CPU's this will take forever.