Results 1 - 10 of 145
Guide to Elliptic Curve Cryptography, 2004
Cited by 268 (15 self)
Elliptic curves have been intensively studied in number theory and algebraic geometry for over 100 years and there is an enormous amount of literature on the subject. To quote the mathematician Serge Lang: It is possible to write endlessly on elliptic curves. (This is not a threat.) Elliptic curves also figured prominently in the recent proof of Fermat's Last Theorem by Andrew Wiles. Originally pursued for purely aesthetic reasons, elliptic curves have recently been utilized in devising algorithms for factoring integers, primality proving, and in public-key cryptography. In this article, we aim to give the reader an introduction to elliptic curve cryptosystems, and to demonstrate why these systems provide relatively small block sizes, high-speed software and hardware implementations, and offer the highest strength-per-key-bit of any known public-key scheme.
An End-to-End Approach to Host Mobility - 6th ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom '00), 2000
Cited by 212 (9 self)
We present the design and implementation of an end-to-end architecture for Internet host mobility using dynamic updates to the Domain Name System (DNS) to track host location. Existing TCP connections are retained using secure and efficient connection migration, enabling established connections to seamlessly negotiate a change in endpoint IP addresses without the need for a third party. Our architecture is secure---name updates are effected via the secure DNS update protocol, while TCP connection migration uses a novel set of Migrate options---and provides a pure end-system alternative to routing-based approaches such as Mobile IP. Mobile IP was
Lower Bounds for Discrete Logarithms and Related Problems, 1997
Cited by 184 (11 self)
This paper considers the computational complexity of the discrete logarithm and related problems in the context of "generic algorithms"---that is, algorithms which do not exploit any special properties of the encodings of group elements, other than the property that each group element is encoded as a unique binary string. Lower bounds on the complexity of these problems are proved that match the known upper bounds: any generic algorithm must perform $\Omega(p^{1/2})$ group operations, where $p$ is the largest prime dividing the order of the group. Also, a new method for correcting a faulty Diffie-Hellman oracle is presented.

1 Introduction

The discrete logarithm problem plays an important role in cryptography. The problem is this: given a generator $g$ of a cyclic group $G$, and an element $g^x$ in $G$, determine $x$. A related problem is the Diffie-Hellman problem: given $g^x$ and $g^y$, determine $g^{xy}$. In this paper, we study the computational power of "generic algorithms"---that is, ...
The XTR public key system, 2000
Cited by 78 (11 self)
This paper introduces the XTR public key system. XTR is based on a new method to represent elements of a subgroup of a multiplicative group of a finite field. Application of XTR in cryptographic protocols leads to substantial savings both in communication and computational overhead without compromising security.
Discrete Logarithms in Finite Fields and Their Cryptographic Significance, 1984
Cited by 73 (6 self)
Given a primitive element $g$ of a finite field $GF(q)$, the discrete logarithm of a nonzero element $u \in GF(q)$ is that integer $k$, $1 \le k \le q-1$, for which $u = g^k$. The well-known problem of computing discrete logarithms in finite fields has acquired additional importance in recent years due to its applicability in cryptography. Several cryptographic systems would become insecure if an efficient discrete logarithm algorithm were discovered. This paper surveys and analyzes known algorithms in this area, with special attention devoted to algorithms for the fields $GF(2^n)$. It appears that in order to be safe from attacks using these algorithms, the value of $n$ for which $GF(2^n)$ is used in a cryptosystem has to be very large and carefully chosen. Due in large part to recent discoveries, discrete logarithms in fields $GF(2^n)$ are much easier to compute than in fields $GF(p)$ with $p$ prime. Hence the fields $GF(2^n)$ ought to be avoided in all cryptographic applications. On the other hand, ...
An algorithm for solving the discrete log problem on hyperelliptic curves, 2000
Cited by 65 (5 self)
We present an index-calculus algorithm for the computation of discrete logarithms in the Jacobian of hyperelliptic curves defined over finite fields. The complexity predicts that it is faster than the Rho method for genus greater than 4. To demonstrate the efficiency of our approach, we describe our breaking of a cryptosystem based on a curve of genus 6 recently proposed by Koblitz.
Improving the parallelized Pollard lambda search on anomalous binary curves - Mathematics of Computation
Cited by 62 (2 self)
The best algorithm known for finding logarithms on an elliptic curve $E$ is the (parallelized) Pollard lambda collision search. We show how to apply a Pollard lambda search on a set of equivalence classes derived from $E$, which requires fewer iterations than the standard approach. In the case of anomalous binary curves over $\mathbb{F}_{2^m}$, the new approach speeds up the standard algorithm by a factor of $\sqrt{2m}$.
A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroup, 1997
Cited by 56 (2 self)
Consider the well-known oracle attack: Somehow one gets a certain computation result as a function of a secret key from the secret key owner and tries to extract some information on the secret key. This attacking scenario is well understood in the cryptographic community. However, there are many protocols based on the discrete logarithm problem that turn out to leak many of the secret key bits from this oracle attack, unless suitable checkings are carried out. In this paper we present a key recovery attack on various discrete log-based schemes working in a prime order subgroup. Our attack can disclose part of, or the whole secret key in most Diffie-Hellman-type key exchange protocols and some applications of ElGamal encryption and signature schemes.

Key words: Key recovery attack, Discrete logarithms, Key exchange, Digital signatures.

1 Introduction

Many cryptographic protocols have been developed based on the discrete logarithm problem. The main objective of developers is to design...
Faster Attacks on Elliptic Curve Cryptosystems - Selected Areas in Cryptography, LNCS 1556, 1998
Cited by 55 (1 self)
The previously best attack known on elliptic curve cryptosystems used in practice was the parallel collision search based on Pollard's $\rho$-method. The complexity of this attack is the square root of the prime order of the generating point used. For arbitrary curves, typically defined over $GF(p)$ or $GF(2^m)$, the attack time can be reduced by a factor of $\sqrt{2}$, a small improvement. For subfield curves, those defined over $GF(2^{ed})$ with coefficients defining the curve restricted to $GF(2^e)$, the attack time can be reduced by a factor of $\sqrt{2d}$. In particular for curves over $GF(2^m)$ with coefficients in $GF(2)$, called anomalous binary curves or Koblitz curves, the attack time can be reduced by a factor of $\sqrt{2m}$. These curves have structure which allows faster cryptosystem computations. Unfortunately, this structure also helps the attacker. In an example, the time required to compute an elliptic curve logarithm on an anomalous binary curve over $GF(2^{163})$ is reduced from 2 ...
Counting Points on Hyperelliptic Curves over Finite Fields
Cited by 54 (7 self)
We describe some algorithms for computing the cardinality of hyperelliptic curves and their Jacobians over finite fields. They include several methods for obtaining the result modulo small primes and prime powers, in particular an algorithm à la Schoof for genus 2 using Cantor's division polynomials. These are combined with a birthday paradox algorithm to calculate the cardinality. Our methods are practical and we give actual results computed using our current implementation. The Jacobian groups we handle are larger than those previously reported in the literature.

Introduction

In recent years there has been a surge of interest in algorithmic aspects of curves. When presented with any curve, a natural task is to compute the number of points on it with coordinates in some finite field. When the finite field is large this is generally difficult to do. René Schoof gave a polynomial time algorithm for counting points on elliptic curves, i.e., those of genus 1, in his ground-...

