Results 1 - 10 of 21
On the Performance of Signature Schemes based on Elliptic Curves
, 1998
Cited by 41 (2 self)
This paper describes a fast software implementation of the elliptic curve version of DSA, as specified in draft standard documents ANSI X9.62 and IEEE P1363. We did the implementations for the fields GF(2^n), using a standard basis, and GF(p). We discuss various design decisions that have to be made for the operations in the underlying field and the operations on elliptic curve points. In particular, we conclude that it is a good idea to use projective coordinates for GF(p), but not for GF(2^n). We also extend a number of exponentiation algorithms, that result in considerable speed gains for DSA, to ECDSA, using a signed binary representation. Finally, we present timing results for both types of fields on a PPro200-based PC, for a C/C++ implementation with small assembly-language optimizations, and make comparisons to other signature algorithms, such as RSA and DSA. We conclude that for practical sizes of fields and moduli, GF(p) is roughly twice as fast as GF(2 ...
Constructing Isogenies Between Elliptic Curves Over Finite Fields
 LMS J. Comput. Math
, 1999
Cited by 29 (3 self)
Let E1 and E2 be ordinary elliptic curves over a finite field Fp such that #E1(Fp) = #E2(Fp). Tate's isogeny theorem states that there is an isogeny from E1 to E2 which is defined over Fp. The goal of this paper is to describe a probabilistic algorithm for constructing such an isogeny.
ECM on Graphics Cards
Cited by 13 (4 self)
Abstract. This paper reports record-setting performance for the elliptic-curve method of integer factorization: for example, 604.99 curves/second for ECM stage 1 with B1 = 8192 for 280-bit integers on a single PC. The state-of-the-art GMP-ECM software handles 171.42 curves/second for ECM stage 1 with B1 = 8192 for 280-bit integers using all four cores of a 2.4GHz Core 2 Quad Q6600. The extra speed takes advantage of extra hardware, specifically two NVIDIA GTX 280 graphics cards, using a new ECM implementation introduced in this paper. Our implementation uses Edwards curves, relies on new parallel addition formulas, and is carefully tuned for the highly parallel GPU architecture. On a single GTX 280 the implementation performs 22.66 million modular multiplications per second for a general 280-bit modulus. GMP-ECM, using all four cores of a Q6600, performs 17.91 million multiplications per second. This paper also reports speeds on other graphics processors: for example,
Elliptic Curve Public Key Cryptosystems - an introduction
 Course, LNCS
, 1997
Cited by 11 (0 self)
In this paper we give an introduction to elliptic curve public key cryptosystems. We explain how the discrete logarithm in an elliptic curve group can be used to construct cryptosystems. We also focus on practical aspects such as implementation, standardization and intellectual property.
1 Introduction
Elliptic curves have been studied by mathematicians for more than a century. An extremely rich theory has been developed around them, and they have in turn been at the basis of new developments in mathematics, the proof of Fermat's last theorem being the most notable one. As far as cryptography is concerned, elliptic curves have been used for factoring [L87] and primality proving [AM93]. Elliptic curve public key cryptosystems (ECPKCs) were proposed independently by Victor Miller [M85] and Neil Koblitz [K87] in the mid-eighties. As with all cryptosystems, and especially with public key cryptosystems, it takes years of public evaluation before a reasonable level of confidence in a...
Computing canonical heights with little (or no) factorization
 Math. Comp
, 1997
Cited by 10 (1 self)
Abstract. Let E/Q be an elliptic curve with discriminant ∆, and let P ∈ E(Q). The standard method for computing the canonical height $\hat h(P)$ is as a sum of local heights $\hat h(P) = \hat\lambda_\infty(P) + \sum_p \hat\lambda_p(P)$. There are well-known series for computing the archimedean height $\hat\lambda_\infty(P)$, and the nonarchimedean heights $\hat\lambda_p(P)$ are easily computed as soon as all prime factors of ∆ have been determined. However, for curves with large coefficients it may be difficult or impossible to factor ∆. In this note we give a method for computing the nonarchimedean contribution to $\hat h(P)$ which is quite practical and requires little or no factorization. We also give some numerical examples illustrating the algorithm. Let E be an elliptic curve defined over a number field K, say given by a Weierstrass equation $E: y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$ (1). The canonical height on E is a quadratic form $\hat h: E(K) \to \mathbb{R}$. The canonical height is an extremely important theoretical and computational tool in the arithmetic study of elliptic curves. See [18, Chapter VIII, Section 9] for the definition and basic properties of $\hat h$, and [20], [21], and [23] for some discussion of how to compute $\hat h$ in practice. In this paper, which may be considered as a continuation of our earlier note [20], we will discuss the computation of the canonical height for curves E whose coefficients $a_1,\dots,a_6$ are large. We note that this is not a mere intellectual exercise, since curves with huge integer coefficients have already made their appearance in the search for curves whose Mordell-Weil group E(Q) has large rank [5], [11], [12], [13], [14], and the standard tool for proving that a set of points $P_1,\dots,P_r \in E(Q)$ is linearly independent is to check the nonvanishing of the height regulator matrix $\det(\langle P_i, P_j\rangle)$. Here the height pairing $\langle\cdot,\cdot\rangle$ is defined (up to a normalizing factor) by the formula $\langle P, Q\rangle = \hat h(P + Q) - \hat h(P) - \hat h(Q)$.
Tate's definition $\hat h(P) = \lim_{n\to\infty} 4^{-n} h(x(2^n P))$ of the canonical height is not practical for numerical computations. Instead, one uses the Néron-Tate decomposition of the canonical height into a sum of local heights, one for each distinct
Received by the editor October 24, 1995.
Answers To Frequently Asked Questions About Today's Cryptography
, 1993
Cited by 9 (0 self)
this document, authentication will generally refer to the use of digital signatures, which play a function for digital documents similar to that played by handwritten signatures for printed documents: the signature is an unforgeable piece of data asserting that a named person wrote or otherwise agreed to the document to which the signature is attached. The recipient, as well as a third party, can verify both that the document did indeed originate from the person whose signature is attached and that the document has not been altered since it was signed. A secure digital signature system thus consists of two parts: a method of signing a document such that forgery is infeasible, and a method of verifying that a signature was actually generated by whomever it represents. Furthermore, secure digital signatures cannot be repudiated; i.e., the signer of a document cannot later disown it by claiming it was forged.
Efficient Implementation of Schoof's Algorithm
 Advances in Cryptology - ASIACRYPT '98
, 1999
Cited by 5 (0 self)
Schoof's algorithm is used to find a secure elliptic curve for cryptosystems, as it can compute the number of rational points on a randomly selected elliptic curve defined over a finite field. By realizing efficient combination of several improvements, such as Atkin-Elkies's method, the isogeny cycles method, and trial search by match-and-sort techniques, we can count the number of rational points on an elliptic curve over GF(p) in a reasonable time, where p is a prime whose size is around 240 bits.
1 Introduction
When we use the elliptic curve cryptosystem [9, 17] (ECC for short), we first have to define an elliptic curve over a finite field. Then, all cryptographic operations will be performed on the group of rational points on the curve. Since all the curves are not necessarily secure, we should be very careful when we choose an elliptic curve for ECC. There are several methods to select a curve for ECC, such as Schoof's method [22], CM (Complex Multiplication) method [2, 18, 10,...
C.T. Yang, "RSA with balanced short exponents and its application to entity authentication"
 in Public Key Cryptology - PKC 2005, Lecture Notes in Computer Science. New York
Cited by 5 (1 self)
Abstract. In typical RSA, it is impossible to create a key pair (e, d) such that both are simultaneously much shorter than φ(N). This is because if d is selected first, then e will be of the same order of magnitude as φ(N), and vice versa. At Asiacrypt’99, Sun et al. designed three variants of RSA using prime factors p and q of unbalanced size. The first RSA variant is an attempt to make the private exponent d short below N^0.25 and N^0.292 which are the lower bounds of d for a secure RSA as argued first by Wiener and then by Boneh and Durfee. The second RSA variant is constructed in such a way that both d and e have the same bit-length (1/2) log_2 N + 56. The third RSA variant is constructed by such a method that allows a tradeoff between the lengths of d and e. Unfortunately, at Asiacrypt’2000, Durfee and Nguyen broke the illustrated instances of the first RSA variant and the third RSA variant by solving small roots to trivariate modular polynomial equations. Moreover, they showed that the instances generated by these three RSA variants with unbalanced p and q in fact become more insecure than those instances, having the same sizes of exponents as the former, in RSA with balanced p and q. In this paper, we focus on designing a new RSA variant with balanced d and e, and balanced p and q in order to make such an RSA variant more secure. Moreover, we also extend this variant to another RSA variant which allows a tradeoff between the lengths of d and e. Based on our RSA variants, an application to entity authentication for defending the stolen-secret attack is presented.
APPLICATION OF ECM TO A CLASS OF RSA KEYS
, 2006
Cited by 1 (1 self)
Let N = pq be an RSA modulus where p, q are large primes of the same bit-size and #(N) = (p 1). We study the class of the public exponents e for which there exist integers X, Y , Z satisfying eX + #(N)Y = NZ, 2 and all prime factors of are less than 10 . We show that these exponents are of improper use in RSA cryptosystems and that their number is at least 2 # where # is a small positive constant. Our method combines continued fractions, Coppersmith's lattice-based technique for finding small roots of bivariate polynomials and H. W. Lenstra's elliptic curve method (ECM) for factoring.
How to Factor N1 and N2 When p1 = p2 mod 2^t
Abstract. Let N1 = p1q1 and N2 = p2q2 be two different RSA moduli. Suppose that p1 = p2 mod 2^t for some t, and q1 and q2 are α-bit primes. Then May and Ritzenhofen showed that N1 and N2 can be factored in quadratic time if t ≥ 2α + 3. In this paper, we improve this lower bound on t. Namely we prove that N1 and N2 can be factored in quadratic time if t ≥ 2α + 1. Further our simulation result shows that our bound is tight.