Pairing-based cryptosystems depend on the existence of groups where the Decision Diffie-Hellman problem is easy to solve, but the Computational Diffie-Hellman problem is hard. Such is the case of elliptic curve groups whose embedding degree is large enough to maintain a good security level, but small enough for arithmetic operations to be feasible. However, the embedding degree is usually enormous, and the scarce previously known suitable elliptic groups had embedding degree k <= 6. In this note, we examine criteria for curves with larger k that generalize prior work by Miyaji et al. based on the properties of cyclotomic polynomials, and propose efficient representations for the underlying algebraic structures.

We provide a compendium of evaluation methods for the Riemann zeta function, presenting formulae ranging from historical attempts to recently found convergent series to curious oddities old and new. We concentrate primarily on practical computational issues, such issues depending on the domain of the argument, the desired speed of computation, and the incidence of what we call "value recycling".

This paper gives a comprehensive analysis of Montgomery powering ladder. Initially developed for fast scalar multiplication on elliptic curves, we extend the scope of Montgomery ladder to any exponentiation in an abelian group. Computationally, the Montgomery ladder has the triple advantage of presenting a Lucas chain structure, of being parallelized, and of sharing a common operand. Furthermore, contrary to the classical binary algorithms, it behaves very regularly, which makes it naturally protected against a large variety of implementation attacks.

Abstract. The elliptic curve primality proving (ECPP) algorithm is one of the current fastest practical algorithms for proving the primality of large numbers. Its running time currently cannot be proven rigorously, but heuristic arguments show that it should run in time Õ((log N)5) to prove the primality of N. An asymptotically fast version of it, attributed to J. O. Shallit, is expected to run in time Õ((log N)4). We describe this version in more details, leading to actual implementations able to handle numbers with several thousands of decimal digits. 1.

Abstract not found

The most significant pairing-based cryptographic protocol to be proposed so far is undoubtedly the Identity-Based Encryption (IBE) protocol of Boneh and Franklin. In their paper [6] they give details of how their scheme might be implemented in practise on certain supersingular elliptic curves of prime characteristic. They also point out that the scheme could as easily be implemented on certain special nonsupersingular curves for the same level of security. An obvious question to be answered is -- which is most e#cient? Motivated by the work of Gallant, Lambert and Vanstone [12] we demonstrate that, perhaps counter to intuition, certain ordinary curves closely related to the supersingular curves originally recommended by Boneh and Franklin, provide better performance. We illustrate our technique by implementing the fastest pairing algorithm to date (on elliptic curves of prime characteristic) for contemporary levels of security. We also point out that many of the nonsupersingular families of curves recently discovered and proposed for use in pairing-based cryptography can also benefit (to an extent) from the same technique.

Dedicated to the memory of W. ‘Red ’ Alford, friend and colleague Abstract. “The problem of distinguishing prime numbers from composite numbers, and of resolving the latter into their prime factors is known to be one of the most important and useful in arithmetic. It has engaged the industry and wisdom of ancient and modern geometers to such an extent that it would be superfluous to discuss the problem at length. Nevertheless we must confess that all methods that have been proposed thus far are either restricted to very special cases or are so laborious and difficult that even for numbers that do not exceed the limits of tables constructed by estimable men, they try the patience of even the practiced calculator. And these methods do not apply at all to larger numbers... It frequently happens that the trained calculator will be sufficiently rewarded by reducing large numbers to their factors so that it will compensate for the time spent. Further, the dignity of the science itself seems to require that every possible means be explored for the solution of a problem so elegant and so celebrated... It is in the nature of the problem

Abstract. Schönhage-Strassen’s algorithm is one of the best known algorithms for multiplying large integers. Implementing it efficiently is of utmost importance, since many other algorithms rely on it as a subroutine. We present here an improved implementation, based on the one distributed within the GMP library. The following ideas and techniques were used or tried: faster arithmetic modulo 2 n + 1, improved cache locality, Mersenne transforms, Chinese Remainder Reconstruction, the √ 2 trick, Harley’s and Granlund’s tricks, improved tuning. We also discuss some ideas we plan to try in the future.

In their seminal paper, Miyaji, Nakabayashi and Takano [12] describe a simple method for the creation of elliptic curves of prime order with embedding degree 3, 4, or 6. Such curves are important for the realisation of pairing-based cryptosystems on ordinary (non-supersingular) elliptic curves. We provide an alternative derivation of their results, and extend them to allow for the generation of many more suitable curves.

Abstract. We have shown by machine proof that F24 =2224 +1iscomposite. The rigorous Pépin primality test was performed using independently developed programs running simultaneously on two different, physically separated processors. Each program employed a floating-point, FFT-based discrete weighted transform (DWT) to effect multiplication modulo F24. The final, respective Pépin residues obtained by these two machines were in complete agreement. Using intermediate residues stored periodically during one of the floating-point runs, a separate algorithm for pure-integer negacyclic convolution verified the result in a “wavefront ” paradigm, by running simultaneously on numerous additional machines, to effect piecewise verification of a saturating set of deterministic links for the Pépin chain. We deposited a final Pépin residue for possible use by future investigators in the event that a proper factor of F24 should be discovered; herein we report the more compact, traditional Selfridge-Hurwitz residues. For the sake of completeness, we also generated a Pépin residue for F23, and via the Suyama test determined that the known cofactor of this number is composite. 1. Computational history of Fermat numbers It is well known that P. Fermat, in the early part of the 17th century, described the numbers Fn =2 2n