Results 1  10
of
42
Guide to Elliptic Curve Cryptography
, 2004
"... Elliptic curves have been intensively studied in number theory and algebraic geometry for over 100 years and there is an enormous amount of literature on the subject. To quote the mathematician Serge Lang: It is possible to write endlessly on elliptic curves. (This is not a threat.) Elliptic curves ..."
Abstract

Cited by 519 (19 self)
 Add to MetaCart
Elliptic curves have been intensively studied in number theory and algebraic geometry for over 100 years and there is an enormous amount of literature on the subject. To quote the mathematician Serge Lang: It is possible to write endlessly on elliptic curves. (This is not a threat.) Elliptic curves also figured prominently in the recent proof of Fermat's Last Theorem by Andrew Wiles. Originally pursued for purely aesthetic reasons, elliptic curves have recently been utilized in devising algorithms for factoring integers, primality proving, and in publickey cryptography. In this article, we aim to give the reader an introduction to elliptic curve cryptosystems, and to demonstrate why these systems provide relatively small block sizes, highspeed software and hardware implementations, and offer the highest strengthperkeybit of any known publickey scheme.
Supersingular abelian varieties in cryptology
 Advances in Cryptology  CRYPTO 2002
"... Abstract. For certain security applications, including identity based encryption and short signature schemes, it is useful to have abelian varieties with security parameters that are neither too small nor too large. Supersingular abelian varieties are natural candidates for these applications. This ..."
Abstract

Cited by 49 (7 self)
 Add to MetaCart
(Show Context)
Abstract. For certain security applications, including identity based encryption and short signature schemes, it is useful to have abelian varieties with security parameters that are neither too small nor too large. Supersingular abelian varieties are natural candidates for these applications. This paper determines exactly which values can occur as the security parameters of supersingular abelian varieties (in terms of the dimension of the abelian variety and the size of the finite field), and gives constructions of supersingular abelian varieties that are optimal for use in cryptography. 1
Elliptic Curve Cryptosystems in the Presence of Permanent and Transient Faults
 DESIGNS, CODES AND CRYPTOGRAPHY
, 2003
"... Elliptic curve cryptosystems in the presence of faults were studied by Biehl, Meyer and Müller (2000). The rst fault model they consider requires that the input point P in the computation of dP is chosen by the adversary. Their second and third fault models only require the knowledge of P . But ..."
Abstract

Cited by 38 (3 self)
 Add to MetaCart
Elliptic curve cryptosystems in the presence of faults were studied by Biehl, Meyer and Müller (2000). The rst fault model they consider requires that the input point P in the computation of dP is chosen by the adversary. Their second and third fault models only require the knowledge of P . But these two latter models are less `practical' in the sense that they assume that only a few bits of error are inserted (typically exactly one bit is supposed to be disturbed) either into P just prior to the point multiplication or during the course of the computation in a chosen location. This paper
An Elliptic Curve Processor Suitable For RFID Tags
"... RFIDTags are small devices used for identification purposes in many applications nowadays. It is expected that they will enable many new applications and link the physical and the virtual world in the near future. Since the processing power of these devices is low, they are often in the line of re ..."
Abstract

Cited by 18 (1 self)
 Add to MetaCart
RFIDTags are small devices used for identification purposes in many applications nowadays. It is expected that they will enable many new applications and link the physical and the virtual world in the near future. Since the processing power of these devices is low, they are often in the line of re when their security and privacy is concerned. It is widely believed that devices with such constrained resources can not carry out sufficient cryptographic operations to guarantee security in new applications. In this paper, we show that identification of RFIDTags can reach high security levels. In particular, we show how secure identification protocols based on the DL problem on elliptic curves are implemented on a constrained device such as an RFIDTag requiring between 8,500 and 14,000 gates, depending on the implementation characteristics. We investigate the case of elliptic curves over F2p with p prime and over composite fields F22p. The implementations in this paper make RFIDTags suitable for anticounterfeiting purposes even in the offline setting.
Analyzing the GalbraithLinScott Point Multiplication Method for Elliptic Curves over Binary Fields
 IEEE Transactions on Computers
, 2009
"... Abstract. Galbraith, Lin and Scott recently constructed efficientlycomputable endomorphisms for a large family of elliptic curves defined over Fq 2 and showed, in the case where q is prime, that the GallantLambertVanstone point multiplication method for these curves is significantly faster than p ..."
Abstract

Cited by 16 (3 self)
 Add to MetaCart
Abstract. Galbraith, Lin and Scott recently constructed efficientlycomputable endomorphisms for a large family of elliptic curves defined over Fq 2 and showed, in the case where q is prime, that the GallantLambertVanstone point multiplication method for these curves is significantly faster than point multiplication for general elliptic curves over prime fields. In this paper, we investigate the potential benefits of using GalbraithLinScott elliptic curves in the case where q is a power of 2. The analysis differs from the q prime case because of several factors, including the availability of the point halving strategy for elliptic curves over binary fields. Our analysis and implementations show that GalbraithLinScott offers significant acceleration for curves over binary fields, in both doubling and halvingbased approaches. Experimentally, the acceleration surpasses that reported for prime fields (for the platform in common), a somewhat counterintuitive result given the relative costs of point addition and doubling in each case. 1.
On the relations between noninteractive key distribution, identitybased encryption and trapdoor discrete log groups. Cryptology ePrint Archive, Report 2007/453
, 2007
"... Abstract. This paper investigates the relationships between identitybased noninteractive key distribution (IDNIKD) and identitybased encryption (IBE). It provides a new security model for IDNIKD, and a generic construction that converts a secure IDNIKD scheme into a secure IBE scheme. This con ..."
Abstract

Cited by 16 (2 self)
 Add to MetaCart
(Show Context)
Abstract. This paper investigates the relationships between identitybased noninteractive key distribution (IDNIKD) and identitybased encryption (IBE). It provides a new security model for IDNIKD, and a generic construction that converts a secure IDNIKD scheme into a secure IBE scheme. This conversion is used to explain the relationship between the IDNIKD scheme of Sakai, Ohgishi and Kasahara and the IBE scheme of Boneh and Franklin. The paper then explores the construction of IDNIKD and IBE schemes from general trapdoor discrete log groups. Two different concrete instantiations for such groups provide new, provably secure IDNIKD and IBE schemes. These schemes are suited to applications in which the Trusted Authority is computationally wellresourced, but clients performing encryption/decryption are highly constrained. Keywords: Identitybased encryption; identitybased noninteractive key distribution; trapdoor discrete logs. 1
Do all elliptic curves of the same order have the same difficulty of discrete log
 Advances in Cryptology — ASIACRYPT 2005, Lecture Notes in Computer Science
"... Abstract. The aim of this paper is to justify the common cryptographic practice of selecting elliptic curves using their order as the primary criterion. We can formalize this issue by asking whether the discrete log problem (dlog) has the same difficulty for all curves over a given finite field with ..."
Abstract

Cited by 14 (4 self)
 Add to MetaCart
Abstract. The aim of this paper is to justify the common cryptographic practice of selecting elliptic curves using their order as the primary criterion. We can formalize this issue by asking whether the discrete log problem (dlog) has the same difficulty for all curves over a given finite field with the same order. We prove that this is essentially true by showing polynomial time random reducibility of dlog among such curves, assuming the Generalized Riemann Hypothesis (GRH). We do so by constructing certain expander graphs, similar to Ramanujan graphs, with elliptic curves as nodes and low degree isogenies as edges. The result is obtained from the rapid mixing of random walks on this graph. Our proof works only for curves with (nearly) the same endomorphism rings. Without this technical restriction such a dlog equivalence might be false; however, in practice the restriction may be moot, because all known polynomial time techniques for constructing equal order curves produce only curves with nearly equal endomorphism rings.
MODULAR POLYNOMIALS VIA ISOGENY VOLCANOES
, 2010
"... We present a new algorithm to compute the classical modular polynomial Φl in the rings Z[X, Y] and (Z/mZ)[X, Y], for a prime l and any positive integer m. Our approach uses the graph of lisogenies to efficiently compute Φl mod p for many primes p of a suitable form, and then applies the Chinese R ..."
Abstract

Cited by 10 (2 self)
 Add to MetaCart
We present a new algorithm to compute the classical modular polynomial Φl in the rings Z[X, Y] and (Z/mZ)[X, Y], for a prime l and any positive integer m. Our approach uses the graph of lisogenies to efficiently compute Φl mod p for many primes p of a suitable form, and then applies the Chinese Remainder Theorem (CRT). Under the Generalized Riemann Hypothesis (GRH), we achieve an expected running time of O(l3 (log l) 3 log log l), and compute Φl mod m using O(l2 (log l) 2 + l2 log m) space. We have used the new algorithm to compute Φl with l over 5000, and Φl mod m with l over 20000. We also consider several modular functions g for which Φ g l is smaller than Φl, allowing us to handle l over 60000.
Weak Fields for ECC
, 2003
"... We demonstrate that some finite fields, including F 2 210 , are weak for elliptic curve cryptography in the sense that any instance of the elliptic curve discrete logarithm problem for any elliptic curve over these fields can be solved in significantly less time than it takes Pollard's rho meth ..."
Abstract

Cited by 8 (0 self)
 Add to MetaCart
We demonstrate that some finite fields, including F 2 210 , are weak for elliptic curve cryptography in the sense that any instance of the elliptic curve discrete logarithm problem for any elliptic curve over these fields can be solved in significantly less time than it takes Pollard's rho method to solve the hardest instances. We discuss the implications of our observations to elliptic curve cryptography, and list some open problems.
Cover and Decomposition Index Calculus on Elliptic Curves made practical. Application to a seemingly secure curve over Fp6. Cryptology ePrint Archive, Report 2011/020, 2011. http: //eprint.iacr.org
"... Abstract. We present a new “cover and decomposition ” attack on the elliptic curve discrete logarithm problem, that combines Weil descent and decompositionbased index calculus into a single discrete logarithm algorithm. This attack applies, at least theoretically, to all composite degree extension ..."
Abstract

Cited by 7 (2 self)
 Add to MetaCart
(Show Context)
Abstract. We present a new “cover and decomposition ” attack on the elliptic curve discrete logarithm problem, that combines Weil descent and decompositionbased index calculus into a single discrete logarithm algorithm. This attack applies, at least theoretically, to all composite degree extension fields, and is particularly wellsuited for curves defined over F p 6. We give a realsize example 3 of discrete logarithm computations on a curve over a 151bit degree 6 extension field, which would not have been practically attackable using previously known algorithms. Key words: elliptic curve, discrete logarithm, index calculus, Weil descent, decomposition attack 1