Results 1-10 of 57
Guide to Elliptic Curve Cryptography
, 2004
Cited by 369 (17 self)
Elliptic curves have been intensively studied in number theory and algebraic geometry for over 100 years and there is an enormous amount of literature on the subject. To quote the mathematician Serge Lang: It is possible to write endlessly on elliptic curves. (This is not a threat.) Elliptic curves also figured prominently in the recent proof of Fermat's Last Theorem by Andrew Wiles. Originally pursued for purely aesthetic reasons, elliptic curves have recently been utilized in devising algorithms for factoring integers, primality proving, and in public-key cryptography. In this article, we aim to give the reader an introduction to elliptic curve cryptosystems, and to demonstrate why these systems provide relatively small block sizes, high-speed software and hardware implementations, and offer the highest strength-per-key-bit of any known public-key scheme.
The Eta Pairing Revisited
 IEEE Transactions on Information Theory
, 2006
Cited by 89 (8 self)
Abstract. In this paper we simplify and extend the Eta pairing, originally discovered in the setting of supersingular curves by Barreto et al., to ordinary curves. Furthermore, we show that by swapping the arguments of the Eta pairing, one obtains a very efficient algorithm resulting in a speedup of a factor of around six over the usual Tate pairing, in the case of curves which have large security parameters, complex multiplication by an order of Q(√−3), and when the trace of Frobenius is chosen to be suitably small. Other, more minor savings are obtained for more general curves.
A taxonomy of pairing-friendly elliptic curves
, 2006
Cited by 78 (10 self)
Elliptic curves with small embedding degree and large prime-order subgroup are key ingredients for implementing pairing-based cryptographic systems. Such “pairing-friendly” curves are rare and thus require specific constructions. In this paper we give a single coherent framework that encompasses all of the constructions of pairing-friendly elliptic curves currently existing in the literature. We also include new constructions of pairing-friendly curves that improve on the previously known constructions for certain embedding degrees. Finally, for all embedding degrees up to 50, we provide recommendations as to which pairing-friendly curves to choose to best satisfy a variety of performance and security requirements.
Curve25519: new Diffie-Hellman speed records
 In Public Key Cryptography (PKC), Springer-Verlag LNCS 3958
, 2006
Cited by 58 (20 self)
Abstract. This paper explains the design and implementation of a high-security elliptic-curve-Diffie-Hellman function achieving record-setting speeds: e.g., 832457 Pentium III cycles (with several side benefits: free key compression, free key validation, and state-of-the-art timing-attack protection), more than twice as fast as other authors' results at the same conjectured security level (with or without the side benefits).
Field inversion and point halving revisited
 IEEE Transactions on Computers
, 2004
Cited by 55 (8 self)
We present a careful analysis of elliptic curve point multiplication methods that use the point halving technique of Knudsen and Schroeppel, and compare these methods to traditional algorithms that use point doubling. The performance advantage of halving methods is clearest in the case of point multiplication kP where P is not known in advance, and smaller field inversion to multiplication ratios generally favour halving. Although halving essentially operates on affine coordinate representations, we adapt an algorithm of Knuth to allow efficient use of projective coordinates with halving-based windowing methods for point multiplication.
On Small Characteristic Algebraic Tori in Pairing-Based Cryptography
, 2004
Cited by 31 (3 self)
The output of the Tate pairing on an elliptic curve over a finite field is an element in the multiplicative group of an extension field modulo a particular subgroup. One ordinarily powers this element to obtain a unique representative for the output coset, and performs any further necessary arithmetic in the extension field. Rather than an obstruction, we show to the contrary that one can exploit this quotient group to eliminate the final powering, to speed up exponentiations and to obtain a simple compression of pairing values which is useful during interactive identity-based cryptographic protocols. Specifically we demonstrate that methods available for fast point multiplication on elliptic curves such as mixed addition, signed digit representations and Frobenius expansions, all transfer easily to the quotient group, and provide a significant improvement over the arithmetic of the extension field.
Trading Inversions for Multiplications in Elliptic Curve Cryptography
 in Designs, Codes and Cryptography
, 2003
Cited by 30 (2 self)
Recently, Eisenträger et al. proposed a very elegant method for speeding up scalar multiplication on elliptic curves. Their method relies on improved formulae for evaluating S = (2P + Q) from given points P and Q on an elliptic curve. Compared to the naive approach, the improved formulae save a field multiplication each time the operation is performed.
Efficient Scalar Multiplication by Isogeny Decompositions
, 2005
Cited by 20 (0 self)
On an elliptic curve, the degree of an isogeny corresponds essentially to the degrees of the polynomial expressions involved in its application. The multiplication by ℓ map [ℓ] has degree ℓ², therefore the complexity to directly evaluate [ℓ](P) is O(ℓ²). For a small prime ℓ (= 2, 3) such that the additive binary representation provides no better performance, this represents the true cost of application of scalar multiplication. If an elliptic curve admits an isogeny ϕ of degree ℓ then the costs of computing ϕ(P) should in contrast be O(ℓ) field operations. Since we then have a product expression [ℓ] = ϕ̂ϕ, the existence of an ℓ-isogeny ϕ on an elliptic curve yields a theoretical improvement from O(ℓ²) to O(ℓ) operations for the evaluation of [ℓ](P) by naïve application of the defining polynomials. In this work we investigate actual improvements for small ℓ of this asymptotic complexity. For this purpose, we describe the general construction of families of curves with a suitable decomposition [ℓ] = ϕ̂ϕ, and provide explicit examples of such a family of curves with simple decomposition for [3]. Finally we derive a new tripling algorithm to find complexity improvements to triplication on a curve in certain projective coordinate systems, then combine this new operation to nonadjacent forms for ℓ-adic expansions in order to obtain an improved strategy for scalar multiplication on elliptic curves.
Scalar Multiplication on Koblitz Curves Using Double Bases
, 2006
Cited by 15 (5 self)
The paper is an examination of double-base decompositions of integers n, namely expansions loosely of the form X i,j A for some base B}. This was examined in previous works [3, 4], in the case when A, B lie in N.
Faster Pairings using an Elliptic Curve with an Efficient Endomorphism
 In INDOCRYPT 2005
, 2005
Cited by 14 (0 self)
The most significant pairing-based cryptographic protocol to be proposed so far is undoubtedly the Identity-Based Encryption (IBE) protocol of Boneh and Franklin. In their paper [6] they give details of how their scheme might be implemented in practise on certain supersingular elliptic curves of prime characteristic. They also point out that the scheme could as easily be implemented on certain special non-supersingular curves for the same level of security. An obvious question to be answered is - which is most efficient? Motivated by the work of Gallant, Lambert and Vanstone [12] we demonstrate that, perhaps counter to intuition, certain ordinary curves closely related to the supersingular curves originally recommended by Boneh and Franklin, provide better performance. We illustrate our technique by implementing the fastest pairing algorithm to date (on elliptic curves of prime characteristic) for contemporary levels of security. We also point out that many of the non-supersingular families of curves recently discovered and proposed for use in pairing-based cryptography can also benefit (to an extent) from the same technique.