Extending the GHS Weil descent attack
Advances in Cryptology - EUROCRYPT 2002, LNCS 2332, 2002
Cited by 39 (1 self)
Abstract. In this paper we extend the Weil descent attack due to Gaudry, Hess and Smart (GHS) to a much larger class of elliptic curves. This extended attack applies to fields of composite degree over $\mathbb{F}_2$. The principle behind the extended attack is to use isogenies to find an elliptic curve for which the GHS attack is effective. The discrete logarithm problem on the target curve can be transformed into a discrete logarithm problem on the isogenous curve. A further contribution of the paper is to give an improvement to an algorithm of Galbraith for constructing isogenies between elliptic curves, and this is of independent interest in elliptic curve cryptography. We show that a larger proportion than previously thought of elliptic curves over $\mathbb{F}_{2^{155}}$ should be considered weak.
Cryptographic hash functions from expander graphs
Cited by 21 (3 self)
Abstract. We propose constructing provable collision resistant hash functions from expander graphs. As examples, we investigate two specific families of optimal expander graphs for provable hash function constructions: the families of Ramanujan graphs constructed by Lubotzky-Phillips-Sarnak and Pizer respectively. When the hash function is constructed from one of Pizer’s Ramanujan graphs (the set of supersingular elliptic curves over $\mathbb{F}_{p^2}$ with $\ell$-isogenies, $\ell$ a prime different from $p$), then collision resistance follows from hardness of computing isogenies between supersingular elliptic curves. We estimate the cost per bit to compute these hash functions, and we implement our hash function for several members of the LPS graph family and give actual timings.
Computing modular polynomials in quasilinear time
Mathematics of Computation
Cited by 18 (3 self)
Abstract. We analyse and compare the complexity of several algorithms for computing modular polynomials. Under the assumption that rounding errors do not influence the correctness of the result, which appears to be satisfied in practice, we show that an algorithm relying on floating point evaluation of modular functions and on interpolation has a complexity that is up to logarithmic factors linear in the size of the computed polynomials. In particular, it obtains the classical modular polynomial $\Phi_\ell$ of prime level $\ell$ in time $O(\ell^2 \log^3 \ell \, M(\ell)) \subseteq O(\ell^3 \log^{4+\varepsilon} \ell)$, where $M(\ell)$ is the time needed to multiply two $\ell$-bit numbers. Besides treating modular polynomials for $\Gamma_0(\ell)$, which are an important ingredient in many algorithms dealing with isogenies of elliptic curves, the algorithm is easily adapted to more general situations. Composite levels are handled just as easily as prime levels, as well as polynomials between a modular function and its transform of prime level, such as the Schläfli polynomials and their generalisations.
Do all elliptic curves of the same order have the same difficulty of discrete log
Advances in Cryptology — ASIACRYPT 2005, Lecture Notes in Computer Science
Cited by 14 (4 self)
Abstract. The aim of this paper is to justify the common cryptographic practice of selecting elliptic curves using their order as the primary criterion. We can formalize this issue by asking whether the discrete log problem (dlog) has the same difficulty for all curves over a given finite field with the same order. We prove that this is essentially true by showing polynomial time random reducibility of dlog among such curves, assuming the Generalized Riemann Hypothesis (GRH). We do so by constructing certain expander graphs, similar to Ramanujan graphs, with elliptic curves as nodes and low degree isogenies as edges. The result is obtained from the rapid mixing of random walks on this graph. Our proof works only for curves with (nearly) the same endomorphism rings. Without this technical restriction such a dlog equivalence might be false; however, in practice the restriction may be moot, because all known polynomial time techniques for constructing equal order curves produce only curves with nearly equal endomorphism rings.
Analyzing the Galbraith-Lin-Scott Point Multiplication Method for Elliptic Curves over Binary Fields
IEEE Transactions on Computers, 2009
Cited by 13 (3 self)
Abstract. Galbraith, Lin and Scott recently constructed efficiently computable endomorphisms for a large family of elliptic curves defined over $\mathbb{F}_{q^2}$ and showed, in the case where $q$ is prime, that the Gallant-Lambert-Vanstone point multiplication method for these curves is significantly faster than point multiplication for general elliptic curves over prime fields. In this paper, we investigate the potential benefits of using Galbraith-Lin-Scott elliptic curves in the case where $q$ is a power of 2. The analysis differs from the $q$ prime case because of several factors, including the availability of the point halving strategy for elliptic curves over binary fields. Our analysis and implementations show that Galbraith-Lin-Scott offers significant acceleration for curves over binary fields, in both doubling- and halving-based approaches. Experimentally, the acceleration surpasses that reported for prime fields (for the platform in common), a somewhat counterintuitive result given the relative costs of point addition and doubling in each case.
Elliptic curve cryptography: The serpentine course of a paradigm shift
J. NUMBER THEORY, 2008
Cited by 13 (4 self)
Over a period of sixteen years elliptic curve cryptography went from being an approach that many people mistrusted or misunderstood to being a public key technology that enjoys almost unquestioned acceptance. We describe the sometimes surprising twists and turns in this paradigm shift, and compare this story with the commonly accepted Ideal Model of how research and development function in cryptography. We also discuss to what extent the ideas in the literature on “social construction of technology” can contribute to a better understanding of this history.
EASY DECISION-DIFFIE-HELLMAN GROUPS
LONDON MATHEMATICAL SOCIETY JOURNAL OF COMPUTATIONAL MATHEMATICS, 2004
Cited by 12 (0 self)
The decision-Diffie-Hellman problem (DDH) is an important computational problem in cryptography. It is known that the Weil and Tate pairings can be used to solve many DDH problems on elliptic curves. Distortion maps are an important tool for solving DDH problems using pairings and it is known that distortion maps exist for all supersingular elliptic curves. We present an algorithm to construct suitable distortion maps. The algorithm is efficient on the curves usable in practice, and hence all DDH problems on these curves are easy. We also discuss the issue of which DDH problems on ordinary curves are easy.
Weak Fields for ECC
2003
Cited by 8 (0 self)
We demonstrate that some finite fields, including $\mathbb{F}_{2^{210}}$, are weak for elliptic curve cryptography in the sense that any instance of the elliptic curve discrete logarithm problem for any elliptic curve over these fields can be solved in significantly less time than it takes Pollard's rho method to solve the hardest instances. We discuss the implications of our observations to elliptic curve cryptography, and list some open problems.
Cryptographic Implications of Hess' Generalized GHS Attack
Applicable Algebra in Engineering, Communication and Computing, 2004
Cited by 5 (2 self)
A finite field $K$ is said to be weak for elliptic curve cryptography if all instances of the discrete logarithm problem for all elliptic curves over $K$ can be solved in significantly less time than it takes Pollard's rho method to solve the hardest instances. By considering the GHS Weil descent attack, it was previously shown that characteristic two finite fields $\mathbb{F}_{q^5}$ are weak. In this paper, we examine characteristic two finite fields $\mathbb{F}_{q^n}$ for weakness under Hess' generalization of the GHS attack. We show that the fields $\mathbb{F}_{q^7}$ are potentially partially weak in the sense that any instance of the discrete logarithm problem for half of all elliptic curves over $\mathbb{F}_{q^7}$, namely those curves $E$ for which $\#E(\mathbb{F}_{q^7})$ is divisible by 4, can likely be solved in significantly less time than it takes Pollard's rho method to solve the hardest instances. We also show that the fields $\mathbb{F}_{q^3}$ are partially weak, that the fields $\mathbb{F}_{q^6}$ are potentially weak, and that the fields $\mathbb{F}_{q^8}$ are potentially partially weak. Finally, we argue that the other fields $\mathbb{F}_{2^N}$ where $N$ is not divisible by 3, 5, 6, 7 or 8, are not weak under Hess' generalized GHS attack.