Guide to Elliptic Curve Cryptography, 2004
Cited by 268 (15 self)
Elliptic curves have been intensively studied in number theory and algebraic geometry for over 100 years and there is an enormous amount of literature on the subject. To quote the mathematician Serge Lang: It is possible to write endlessly on elliptic curves. (This is not a threat.) Elliptic curves also figured prominently in the recent proof of Fermat's Last Theorem by Andrew Wiles. Originally pursued for purely aesthetic reasons, elliptic curves have recently been utilized in devising algorithms for factoring integers, primality proving, and in public-key cryptography. In this article, we aim to give the reader an introduction to elliptic curve cryptosystems, and to demonstrate why these systems provide relatively small block sizes, high-speed software and hardware implementations, and offer the highest strength-per-key-bit of any known public-key scheme.
The efficiency and security of a real quadratic field based key exchange protocol
- DE GRUYTER, 2001
Cited by 8 (3 self)
Most cryptographic key exchange protocols make use of the presumed difficulty of solving the discrete logarithm problem (DLP) in a certain finite group as the basis of their security. Recently, real quadratic number fields have been proposed for use in the development of such protocols. Breaking such schemes is known to be at least as difficult a problem as integer factorization; furthermore, these are the first discrete logarithm based systems to utilize a structure which is not a group, specifically the collection of reduced ideals which belong to the principal class of the number field. For this structure the DLP is essentially that of determining a generator of a given principal ideal. Unfortunately, there are a few implementation-related disadvantages to these schemes, such as the need for high precision floating point arithmetic and an ambiguity problem that requires a short, second round of communication. In this paper we describe work that has led to the resolution of some of these difficulties. Furthermore, we discuss the security of the system, concentrating on the most recent techniques for solving the DLP in a real quadratic number field.
Fast Arithmetic on Hyperelliptic Curves Via Continued Fraction Expansions
- Advances in Coding Theory and Cryptology, Series on Coding, Theory and Cryptology, 2, World Scientific Publishing, 2007
Cited by 5 (4 self)
In this paper, we present a new algorithm for computing the reduced sum of two divisors of an arbitrary hyperelliptic curve. Our formulas and algorithms are generalizations of Shanks’s NUCOMP algorithm, which was suggested earlier for composing and reducing positive definite binary quadratic forms. Our formulation of NUCOMP is derived by approximating the irrational continued fraction expansion used to reduce a divisor by a rational continued fraction expansion, resulting in a relatively simple and efficient presentation of the algorithm as compared to previous versions. We describe a novel, unified framework for divisor reduction on an arbitrary hyperelliptic curve using the theory of continued fractions, and derive our formulation of NUCOMP based on these results. We present numerical data demonstrating that our version of NUCOMP is more efficient than Cantor’s algorithm for most hyperelliptic curves, except those of very small genus defined over small finite fields.
An improved real quadratic field based key exchange procedure
- Journal of Cryptology
Cited by 3 (2 self)
To date, the only non-group structure that has been suitably employed as the key space for Diffie-Hellman type cryptographic key exchange is the infrastructure of a real quadratic (number or function) field. We present an implementation of a Diffie-Hellman type protocol based on real quadratic number field arithmetic that provides a significant improvement in performance over previous versions of this scheme. This dramatic speed-up is achieved by replacing the ordinary multiplication and reduction procedures for reduced ideals by a new version of the NUCOMP algorithm due to Shanks.
A Survey on IQ Cryptography
- In Proceedings of Public Key Cryptography and Computational Number Theory, 2001
Cited by 2 (1 self)
This paper gives a survey on cryptographic primitives based on class groups of imaginary quadratic orders (IQ cryptography, IQC). We present IQC versions of several well known cryptographic primitives, and we explain why these primitives are secure if one assumes the hardness of the underlying problems. We give advice on the selection of the cryptographic parameters and show the impact of this advice on the efficiency of some IQ cryptosystems.

