Results 1 - 10 of 144
Constructing Elliptic Curves with Prescribed Embedding Degrees
, 2002
Cited by 52 (16 self)
Pairing-based cryptosystems depend on the existence of groups where the Decision Diffie-Hellman problem is easy to solve, but the Computational Diffie-Hellman problem is hard. Such is the case of elliptic curve groups whose embedding degree is large enough to maintain a good security level, but small enough for arithmetic operations to be feasible. However, the embedding degree is usually enormous, and the scarce previously known suitable elliptic groups had embedding degree k <= 6. In this note, we examine criteria for curves with larger k that generalize prior work by Miyaji et al. based on the properties of cyclotomic polynomials, and propose efficient representations for the underlying algebraic structures.
Computational strategies for the Riemann zeta function
, 2000
Cited by 48 (9 self)
We provide a compendium of evaluation methods for the Riemann zeta function, presenting formulae ranging from historical attempts to recently found convergent series to curious oddities old and new. We concentrate primarily on practical computational issues, such issues depending on the domain of the argument, the desired speed of computation, and the incidence of what we call “value recycling”.
The Montgomery Powering Ladder
, 2002
Cited by 32 (3 self)
This paper gives a comprehensive analysis of Montgomery powering ladder. Initially developed for fast scalar multiplication on elliptic curves, we extend the scope of Montgomery ladder to any exponentiation in an abelian group. Computationally, the Montgomery ladder has the triple advantage of presenting a Lucas chain structure, of being parallelized, and of sharing a common operand. Furthermore, contrary to the classical binary algorithms, it behaves very regularly, which makes it naturally protected against a large variety of implementation attacks.
Implementing the asymptotically fast version of the elliptic curve primality proving algorithm
 Math. Comp
Cited by 28 (1 self)
Abstract. The elliptic curve primality proving (ECPP) algorithm is one of the current fastest practical algorithms for proving the primality of large numbers. Its running time cannot be proven rigorously, but heuristic arguments show that it should run in time Õ((log N)^5) to prove the primality of N. An asymptotically fast version of it, attributed to J. O. Shallit, runs in time Õ((log N)^4). The aim of this article is to describe this version in more details, leading to actual implementations able to handle numbers with several thousands of decimal digits.
Harald Cramér and the distribution of prime numbers
 Scandinavian Actuarial J
, 1995
Cited by 20 (2 self)
“It is evident that the primes are randomly distributed but, unfortunately, we don’t know what ‘random’ means.” R. C. Vaughan (February 1990). After the first world war, Cramér began studying the distribution of prime numbers, guided by Riesz and Mittag-Leffler. His works then, and later in the mid-thirties, have had a profound influence on the way mathematicians think about the distribution of prime numbers. In this article, we shall focus on how Cramér’s ideas have directed and motivated research ever since. One can only fully appreciate the significance of Cramér’s contributions by viewing his work in the appropriate historical context. We shall begin our discussion with the ideas of the ancient Greeks, Euclid and Eratosthenes. Then we leap in time to the nineteenth century, to the computations and heuristics of Legendre and Gauss, the extraordinarily analytic insights of Dirichlet and Riemann, and the crowning glory of these ideas, the proof of the “Prime Number Theorem” by Hadamard and de la Vallée Poussin in 1896. We pick up again in the 1920’s with the questions asked by Hardy and Littlewood,
It Is Easy to Determine Whether a Given Integer Is Prime
, 2004
Cited by 14 (1 self)
The problem of distinguishing prime numbers from composite numbers, and of resolving the latter into their prime factors is known to be one of the most important and useful in arithmetic. It has engaged the industry and wisdom of ancient and modern geometers to such an extent that it would be superfluous to discuss the problem at length. Nevertheless we must confess that all methods that have been proposed thus far are either restricted to very special cases or are so laborious and difficult that even for numbers that do not exceed the limits of tables constructed by estimable men, they try the patience of even the practiced calculator. And these methods do not apply at all to larger numbers... It frequently happens that the trained calculator will be sufficiently rewarded by reducing large numbers to their factors so that it will compensate for the time spent. Further, the dignity of the science itself seems to require that every possible means be explored for the solution of a problem so elegant and so celebrated... It is in the nature of the problem
Faster Pairings using an Elliptic Curve with an Efficient Endomorphism
 IN INDOCRYPT 2005
, 2005
Cited by 14 (0 self)
The most significant pairing-based cryptographic protocol to be proposed so far is undoubtedly the Identity-Based Encryption (IBE) protocol of Boneh and Franklin. In their paper [6] they give details of how their scheme might be implemented in practise on certain supersingular elliptic curves of prime characteristic. They also point out that the scheme could as easily be implemented on certain special non-supersingular curves for the same level of security. An obvious question to be answered is - which is most efficient? Motivated by the work of Gallant, Lambert and Vanstone [12] we demonstrate that, perhaps counter to intuition, certain ordinary curves closely related to the supersingular curves originally recommended by Boneh and Franklin, provide better performance. We illustrate our technique by implementing the fastest pairing algorithm to date (on elliptic curves of prime characteristic) for contemporary levels of security. We also point out that many of the non-supersingular families of curves recently discovered and proposed for use in pairing-based cryptography can also benefit (to an extent) from the same technique.
Generating more MNT elliptic curves
, 2004
Cited by 13 (0 self)
In their seminal paper, Miyaji, Nakabayashi and Takano [12] describe a simple method for the creation of elliptic curves of prime order with embedding degree 3, 4, or 6. Such curves are important for the realisation of pairing-based cryptosystems on ordinary (non-supersingular) elliptic curves. We provide an alternative derivation of their results, and extend them to allow for the generation of many more suitable curves.
VSH, an efficient and provable collision-resistant hash function
 of Lecture
Cited by 13 (1 self)
Abstract. We introduce VSH, very smooth hash, a new S-bit hash function that is provably collision-resistant assuming the hardness of finding nontrivial modular square roots of very smooth numbers modulo an S-bit composite. By very smooth, we mean that the smoothness bound is some fixed polynomial function of S. We argue that finding collisions for VSH has the same asymptotic complexity as factoring using the Number Field Sieve factoring algorithm, i.e., subexponential in S. VSH is theoretically pleasing because it requires just a single multiplication modulo the S-bit composite per Ω(S) message-bits (as opposed to O(log S) message-bits for previous provably secure hashes). It is relatively practical. A preliminary implementation on a 1GHz Pentium III processor that achieves collision resistance at least equivalent to the difficulty of factoring a 1024-bit RSA modulus, runs at 1.1 MegaByte per second, with a moderate slowdown to 0.7MB/s for 2048-bit RSA security. VSH can be used to build a fast, provably secure randomised trapdoor hash function, which can be applied to speed up provably secure signature schemes (such as Cramer-Shoup) and designated-verifier signatures.