Abstract. We introduce a short signature scheme based on the Computational Diffie-Hellman assumption on certain elliptic and hyper-elliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or signatures are sent over a low-bandwidth channel. 1

Abstract not found

This paper introduces the XTR public key system. XTR is based on a new method to represent elements of a subgroup of a multiplicative group of a finite field. Application of XTR in cryptographic protocols leads to substantial savings both in communication and computational overhead without compromising security.

This is the third in a series of papers in which we develop a unified method for treating the discrete logarithm problem (DLP) in various contexts. In [HR1], we described a formalism using global duality for a unified approach to the DLP for the multiplicative group and for elliptic

Abstract. We estimate the probabilities that the Menezes-Okamoto-Vanstone reduction of the discrete logarithm problem on an elliptic curve E to the discrete logarithm problem in a certain finite field succeeds for various groups on points on E. Our bounds imply that in all interesting cases these probabilities are exponentially small. This extends results of Balasubramanian and Koblitz who have treated the instance in which the order of the group of points on E is prime. 1.

We propose a reduced equation for hyperelliptic curves of genus 2 over finite fields F q of q elements with characteristic different from 2 and 5. We determine the number of isomorphism classes of genus-2 hyperelliptic curves having an F q -rational Weierstrass point. These results have applications to hyperelliptic curve cryptography.

An important component of the index calculus methods for finding discrete logarithms is the acquisition of smooth polynomial relations. Gordon and McCurley (1992) developed a sieve to aid in finding smooth Coppersmith polynomials for use in the index calculus method. We discuss their approach and some of the difficulties they found with their sieve. We present a new sieving method that can be applied to any affine subspace of polynomials over a finite field.

The first practical public key cryptosystem to be published, the Diffie-Hellman key exchange algorithm, was based on the assumption that discrete logarithms are hard to compute. This intractability hypothesis is also the foundation for the presumed security of a variety of other public key schemes. While there have been substantial advances in discrete log algorithms in the last two decades, in general the discrete log still appears to be hard, especially for some groups, such as those from elliptic curves. Unfortunately no proofs of hardness are available in this area, so it is necessary to rely on experience and intuition in judging what parameters to use for cryptosystems. This paper presents a brief survey of the current state of the art in discrete logs. 1. Introduction Many of the popular public key cryptosystems are based on discrete exponentiation. If G is a group, such as the multiplicative group of a finite field or the group of points on an elliptic curve, and g is an elem...

The best practical algorithm for class group computations in imaginary quadratic number fields (such as group structure, class number, discrete logarithm computations) is a variant of the quadratic sieve factoring algorithm. Paradoxical as it sounds, the principles of the number field sieve, in a strict sense, could not be applied to number field computations, yet. In this article we give an indication of the obstructions. In particular, we first present fundamental core elements of a number field sieve for number field computations of which it is absolutely unknown how to design them in a useful way. Finally, we show that the existence of a number field sieve for number field computations with a running time asymptotics similar to that of the genuine number field sieve likely implies the existence of an algorithm for elliptic curve related computational problems with subexponential running time.

Smooth numbers and the quadratic sieve