Results 1  10
of
146
Elliptic Curves And Primality Proving
 Math. Comp
, 1993
"... The aim of this paper is to describe the theory and implementation of the Elliptic Curve Primality Proving algorithm. ..."
Abstract

Cited by 162 (22 self)
 Add to MetaCart
The aim of this paper is to describe the theory and implementation of the Elliptic Curve Primality Proving algorithm.
Curve25519: new DiffieHellman speed records
 In Public Key Cryptography (PKC), SpringerVerlag LNCS 3958
, 2006
"... Abstract. This paper explains the design and implementation of a highsecurity ellipticcurveDiffieHellman function achieving recordsetting speeds: e.g., 832457 Pentium III cycles (with several side benefits: free key compression, free key validation, and stateoftheart timingattack protection) ..."
Abstract

Cited by 58 (20 self)
 Add to MetaCart
Abstract. This paper explains the design and implementation of a highsecurity ellipticcurveDiffieHellman function achieving recordsetting speeds: e.g., 832457 Pentium III cycles (with several side benefits: free key compression, free key validation, and stateoftheart timingattack protection), more than twice as fast as other authors ’ results at the same conjectured security level (with or without the side benefits). 1
Faster addition and doubling on elliptic curves
 In Asiacrypt 2007 [10
, 2007
"... Abstract. Edwards recently introduced a new normal form for elliptic curves. Every elliptic curve over a nonbinary field is birationally equivalent to a curve in Edwards form over an extension of the field, and in many cases over the original field. This paper presents fast explicit formulas (and r ..."
Abstract

Cited by 53 (10 self)
 Add to MetaCart
Abstract. Edwards recently introduced a new normal form for elliptic curves. Every elliptic curve over a nonbinary field is birationally equivalent to a curve in Edwards form over an extension of the field, and in many cases over the original field. This paper presents fast explicit formulas (and register allocations) for group operations on an Edwards curve. The algorithm for doubling uses only 3M + 4S, i.e., 3 field multiplications and 4 field squarings. If curve parameters are chosen to be small then the algorithm for mixed addition uses only 9M + 1S and the algorithm for nonmixed addition uses only 10M + 1S. Arbitrary Edwards curves can be handled at the cost of just one extra multiplication by a curve parameter. For comparison, the fastest algorithms known for the popular “a4 = −3 Jacobian ” form use 3M + 5S for doubling; use 7M + 4S for mixed addition; use 11M + 5S for nonmixed addition; and use 10M + 4S for nonmixed addition when one input has been added before. The explicit formulas for nonmixed addition on an Edwards curve can be used for doublings at no extra cost, simplifying protection against sidechannel attacks. Even better, many elliptic curves (approximately 1/4 of all isomorphism classes of elliptic curves over a nonbinary finite field) are birationally equivalent — over the original field — to Edwards curves where this addition algorithm works for all pairs of curve points, including inverses, the neutral element, etc. This paper contains an extensive comparison of different forms of elliptic curves and different coordinate systems for the basic group operations (doubling, mixed addition, nonmixed addition, and unified addition) as well as higherlevel operations such as multiscalar multiplication.
Factoring by electronic mail
, 1990
"... In this paper we describe our distributed implementation of two factoring algorithms. the elliptic curve method (ecm) and the multiple polynomial quadratic sieve algorithm (mpqs). Since the summer of 1987. our ermimplementation on a network of MicroVAX processors at DEC’s Systems Research Center h ..."
Abstract

Cited by 52 (8 self)
 Add to MetaCart
In this paper we describe our distributed implementation of two factoring algorithms. the elliptic curve method (ecm) and the multiple polynomial quadratic sieve algorithm (mpqs). Since the summer of 1987. our ermimplementation on a network of MicroVAX processors at DEC’s Systems Research Center has factored several most and more wanted numbers from the Cunningham project. In the summer of 1988. we implemented the multiple polynomial quadratic sieve algorithm on rhe same network On this network alone. we are now able to factor any!@I digit integer, or to find 35 digit factors of numbers up to 150 digits long within one month. To allow an even wider distribution of our programs we made use of electronic mail networks For the distribution of the programs and for interprocessor communicatton. Even during the mitial stage of this experiment machines all over the United States and at various places in Europe and Ausnalia conhibuted 15 percent of the total factorization effort. At all the sites where our program is running we only use cycles that would otherwise have been idle. This shows that the enormous computational task of factoring 100 digit integers with the current algoritluns can be completed almost for free. Since we use a negligible fraction of the idle cycles of alI the machines on the worldwide elecnonic mail networks. we could factor 100 digit integers within a few days with a little more help.
Parallel Algorithms for Integer Factorisation
"... The problem of finding the prime factors of large composite numbers has always been of mathematical interest. With the advent of public key cryptosystems it is also of practical importance, because the security of some of these cryptosystems, such as the RivestShamirAdelman (RSA) system, depends o ..."
Abstract

Cited by 41 (17 self)
 Add to MetaCart
The problem of finding the prime factors of large composite numbers has always been of mathematical interest. With the advent of public key cryptosystems it is also of practical importance, because the security of some of these cryptosystems, such as the RivestShamirAdelman (RSA) system, depends on the difficulty of factoring the public keys. In recent years the best known integer factorisation algorithms have improved greatly, to the point where it is now easy to factor a 60decimal digit number, and possible to factor numbers larger than 120 decimal digits, given the availability of enough computing power. We describe several algorithms, including the elliptic curve method (ECM), and the multiplepolynomial quadratic sieve (MPQS) algorithm, and discuss their parallel implementation. It turns out that some of the algorithms are very well suited to parallel implementation. Doubling the degree of parallelism (i.e. the amount of hardware devoted to the problem) roughly increases the size of a number which can be factored in a fixed time by 3 decimal digits. Some recent computational results are mentioned – for example, the complete factorisation of the 617decimal digit Fermat number F11 = 2211 + 1 which was accomplished using ECM.
A Fast Parallel Elliptic Curve Multiplication Resistant against Side Channel Attacks
, 2002
"... Abstract. This paper proposes a fast elliptic curve multiplication algorithm applicable for any types of curves over finite fields Fp (p a prime), based on [Mon87], together with criteria which make our algorithm resistant against the side channel attacks (SCA). The algorithm improves both on an add ..."
Abstract

Cited by 32 (6 self)
 Add to MetaCart
Abstract. This paper proposes a fast elliptic curve multiplication algorithm applicable for any types of curves over finite fields Fp (p a prime), based on [Mon87], together with criteria which make our algorithm resistant against the side channel attacks (SCA). The algorithm improves both on an addition chain and an addition formula in the scalar multiplication. Our addition chain requires no table lookup (or a very small number of precomputed points) and a prominent property is that it can be implemented in parallel. The computing time for nbit scalar multiplication is one ECDBL + (n − 1) ECADDs in the parallel case and (n − 1) ECDBLs + (n − 1) ECADDs in the single case. We also propose faster addition formulas which only use the xcoordinates of the points. By combination of our addition chain and addition formulas, we establish a faster scalar multiplication resistant against the SCA in both single and parallel computation. The improvement of our scalar multiplications over the previous method is about 37 % for two processors and 5.7 % for a single processor. Our scalar multiplication is suitable for the implementation on smart cards. 1
Algorithms for computing isogenies between elliptic curves
 Math. Comp
, 2000
"... Abstract. The heart of the improvements by Elkies to Schoof’s algorithm for computing the cardinality of elliptic curves over a finite field is the ability to compute isogenies between curves. Elkies ’ approach is well suited for the case where the characteristic of the field is large. Couveignes sh ..."
Abstract

Cited by 31 (6 self)
 Add to MetaCart
Abstract. The heart of the improvements by Elkies to Schoof’s algorithm for computing the cardinality of elliptic curves over a finite field is the ability to compute isogenies between curves. Elkies ’ approach is well suited for the case where the characteristic of the field is large. Couveignes showed how to compute isogenies in small characteristic. The aim of this paper is to describe the first successful implementation of Couveignes’s algorithm. In particular, we describe the use of fast algorithms for performing incremental operations on series. We also insist on the particular case of the characteristic 2. 1.
Finding Suitable Curves For The Elliptic Curve Method Of Factorization
 Math. Comp
, 1993
"... Using the parametrizations of Kubert, we show how to produce infinite families of elliptic curves which have prescribed nontrivial torsion over Q and rank at least one. These curves can be used to speed up the ECM factorization algorithm of Lenstra. We also briefly discuss curves with complex multip ..."
Abstract

Cited by 30 (2 self)
 Add to MetaCart
Using the parametrizations of Kubert, we show how to produce infinite families of elliptic curves which have prescribed nontrivial torsion over Q and rank at least one. These curves can be used to speed up the ECM factorization algorithm of Lenstra. We also briefly discuss curves with complex multiplication in this context. 1 Introduction 1.1 The ECM method of Lenstra [5] for finding a prime factor p of a number N uses a "random" elliptic curve E : y 2 = f(x) = x 3 + ax + b: If the number k of points on E modulo p is smooth, the method succeeds. Suyama [9] and Montgomery [7] developed infinite classes of curves E for which k has some prescribed small factors; on reasonable probabilistic assumptions (borne out in practice) this should lead to a slight improvement in the method. Specifically, Montgomery and Suyama each force a factor of 12 in k, and Montgomery forces a factor of 16 but only on the assumption that p is congruent to 1 modulo 4. In this paper, we show how to force a...
Trading Inversions for Multiplications in Elliptic Curve Cryptography
 in Designs, Codes and Cryptography
, 2003
"... Recently, Eisentrager et al. proposed a very elegant method for speeding up scalar multiplication on elliptic curves. Their method relies on improved formul for evaluating S = (2P + Q) from given points P and Q on an elliptic curve. Compared to the naive approach, the improved formul save a field mu ..."
Abstract

Cited by 30 (2 self)
 Add to MetaCart
Recently, Eisentrager et al. proposed a very elegant method for speeding up scalar multiplication on elliptic curves. Their method relies on improved formul for evaluating S = (2P + Q) from given points P and Q on an elliptic curve. Compared to the naive approach, the improved formul save a field multiplication each time the operation is performed.
An Overview of Elliptic Curve Cryptography
, 2000
"... Elliptic curve cryptography (ECC) was introduced by Victor Miller and Neal Koblitz in 1985. ECC proposed as an alternative to established publickey systems such as DSA and RSA, have recently gained a lot attention in industry and academia. The main reason for the attractiveness of ECC is the fact t ..."
Abstract

Cited by 29 (2 self)
 Add to MetaCart
Elliptic curve cryptography (ECC) was introduced by Victor Miller and Neal Koblitz in 1985. ECC proposed as an alternative to established publickey systems such as DSA and RSA, have recently gained a lot attention in industry and academia. The main reason for the attractiveness of ECC is the fact that there is no subexponential algorithm known to solve the discrete logarithm problem on a properly chosen elliptic curve. This means that significantly smaller parameters can be used in ECC than in other competitive systems such RSA and DSA, but with equivalent levels of security. Some benefits of having smaller key sizes include faster computations, and reductions in processing power, storage space and bandwidth. This makes ECC ideal for constrained environments such as pagers, PDAs, cellular phones and smart cards. The implementation of ECC, on the other hand, requires several choices such as the type of the underlying finite field, algorithms for implementing the finite field arithmetic and so on. In this paper we give we presen an selective overview of the main methods.