GMP used during 3 and a half years to solve MIT's LCS35

Bernard Fabrot bfabrot at
Tue Apr 30 19:46:04 UTC 2019

First thanks everybody!

When I say that it's not parallelizable I simply meant that each step
depends on the result of the previous "modpow" step: so there's a limit to
fast an ASIC can be I guess. A team is working on an ASIC (not just the
cryptophage guys: but a third time, upon seeing the announcement, contacted
the MIT and asked me to check their result at 75% in).  They used a FPGA to
validate their ASIC and the LCS35 puzzle to test it all. I don't know yet
how fast they'll be with their ASIC.

> ... what I find surprising is that no HW fault occurred over such a long

> Did you do anything special to check intermediate results?

The crypto puzzle contains fancy crypto maths that allow to check
intermediate results but I didn't bother implementing that. I heavily
tested my tiny piece of code with smaller parameters and was sure it was

I also trusted GMP!  So the only thing I was concerned about was be some
random "bit flip" or something like that. So I actually ran a second,
delayed, computation, verifying the first result.

Zero error occured. Not a single one.

By the way I've got a question for you...

When I tested, for squaring, I think I remember it was slightly faster to


manually then to call the modpow function (mpz_powm).

Any idea why that'd be? That's be with 2048 bit numbers.

Once again kudos to all of you!


More information about the gmp-discuss mailing list