Results 1  10
of
30
Elliptic Curve Paillier Schemes
, 2001
"... . This paper is concerned with generalisations of Paillier's probabilistic encryption scheme from the integers modulo a square to elliptic curves over rings. Paillier himself described two public key encryption schemes based on anomalous elliptic curves over rings. It is argued that these schem ..."
Abstract

Cited by 21 (1 self)
 Add to MetaCart
. This paper is concerned with generalisations of Paillier's probabilistic encryption scheme from the integers modulo a square to elliptic curves over rings. Paillier himself described two public key encryption schemes based on anomalous elliptic curves over rings. It is argued that these schemes are not secure. A more natural generalisation of Paillier's scheme to elliptic curves is given.
Do all elliptic curves of the same order have the same difficulty of discrete log
 Advances in Cryptology — ASIACRYPT 2005, Lecture Notes in Computer Science
"... Abstract. The aim of this paper is to justify the common cryptographic practice of selecting elliptic curves using their order as the primary criterion. We can formalize this issue by asking whether the discrete log problem (dlog) has the same difficulty for all curves over a given finite field with ..."
Abstract

Cited by 16 (4 self)
 Add to MetaCart
(Show Context)
Abstract. The aim of this paper is to justify the common cryptographic practice of selecting elliptic curves using their order as the primary criterion. We can formalize this issue by asking whether the discrete log problem (dlog) has the same difficulty for all curves over a given finite field with the same order. We prove that this is essentially true by showing polynomial time random reducibility of dlog among such curves, assuming the Generalized Riemann Hypothesis (GRH). We do so by constructing certain expander graphs, similar to Ramanujan graphs, with elliptic curves as nodes and low degree isogenies as edges. The result is obtained from the rapid mixing of random walks on this graph. Our proof works only for curves with (nearly) the same endomorphism rings. Without this technical restriction such a dlog equivalence might be false; however, in practice the restriction may be moot, because all known polynomial time techniques for constructing equal order curves produce only curves with nearly equal endomorphism rings.
Average Frobenius distributions for elliptic curves with nontrivial rational torsion
 TO APPEAR IN ACTA ARITHMETICA
, 2005
"... In this paper we consider the LangTrotter conjecture (Conjecture 1 below) for various families of elliptic curves with prescribed torsion structure. We prove that the LangTrotter conjecture holds in an average sense for these families of curves (see Theorem 3). ..."
Abstract

Cited by 14 (4 self)
 Add to MetaCart
In this paper we consider the LangTrotter conjecture (Conjecture 1 below) for various families of elliptic curves with prescribed torsion structure. We prove that the LangTrotter conjecture holds in an average sense for these families of curves (see Theorem 3).
Subtleties in the distribution of the numbers of points on elliptic curves over a finite prime field
 Journal of the London Mathematical Society
, 1999
"... Three questions concerning the distribution of the numbers of points on elliptic curves over a finite prime field are considered. First, the previously published bounds for the distribution are tightened slightly. Within these bounds, there are wild fluctuations in the distribution, and some heurist ..."
Abstract

Cited by 7 (2 self)
 Add to MetaCart
(Show Context)
Three questions concerning the distribution of the numbers of points on elliptic curves over a finite prime field are considered. First, the previously published bounds for the distribution are tightened slightly. Within these bounds, there are wild fluctuations in the distribution, and some heuristics are discussed (supported by numerical evidence) which suggest that numbers of points with no large prime divisors are unusually prevalent. Finally, allowing the prime field to vary while fixing the field of fractions of the endomorphism ring of the curve, the order of magnitude of the average order of the number of divisors of the number of points is determined, subject to assumptions about primes in quadratic progressions. There are implications for factoring integers by Lenstra’s elliptic curve method. The heuristics suggest that (i) the subtleties in the distribution actually favour the elliptic curve method, and (ii) this gain is transient, dying away as the factors to be found tend to infinity. 1.
Generating Elliptic Curves of Prime Order
 in Cryptographic Hardware and Embedded Systems – CHES 2001, LNCS
, 2001
"... Abstract. Avariation of the Complex Multiplication (CM) method for generating elliptic curves of known order over finite fields is proposed. We give heuristics and timing statistics in the mildly restricted setting of prime curve order. These may be seen to corroborate earlier work of Koblitz in the ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
(Show Context)
Abstract. Avariation of the Complex Multiplication (CM) method for generating elliptic curves of known order over finite fields is proposed. We give heuristics and timing statistics in the mildly restricted setting of prime curve order. These may be seen to corroborate earlier work of Koblitz in the class number one setting. Our heuristics are based upon a recent conjecture by R. Gross and J. Smith on numbers of twin primes in algebraic number fields. Our variation precalculates class polynomials as a separate offline process. Unlike the standard approach, which begins with a prime p and searches for an appropriate discriminant D, we choose a discriminant and then search for appropriate primes. Our online process is quick and can be compactly coded. In practice, elliptic curves with near prime order are used. Thus, our timing estimates and data can be regarded as upper estimates for practical purposes. 1
Ron was wrong, Whit is right
, 2012
"... Abstract. We performed a sanity check of public keys collected on the web. Our main goal was to test the validity of the assumption that different random choices are made each time keys are generated. We found that the vast majority of public keys work as intended. A more disconcerting finding is th ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
(Show Context)
Abstract. We performed a sanity check of public keys collected on the web. Our main goal was to test the validity of the assumption that different random choices are made each time keys are generated. We found that the vast majority of public keys work as intended. A more disconcerting finding is that two out of every one thousand RSA moduli that we collected offer no security. Our conclusion is that the validity of the assumption is questionable and that generating keys in the real world for “multiplesecrets ” cryptosystems such as RSA is significantly riskier than for “singlesecret ” ones such as ElGamal or (EC)DSA which are based on DiffieHellman.
Efficient SIMD arithmetic modulo a Mersenne number
 20TH IEEE SYMPOSIUM ON COMPUTER ARITHMETIC
, 2011
"... This paper describes carryless arithmetic operations modulo an integer 2 M −1 in the thousandbit range, targeted at single instruction multiple data platforms and applications where overall throughput is the main performance criterion. Using an implementation on a cluster of PlayStation 3 game con ..."
Abstract

Cited by 4 (3 self)
 Add to MetaCart
This paper describes carryless arithmetic operations modulo an integer 2 M −1 in the thousandbit range, targeted at single instruction multiple data platforms and applications where overall throughput is the main performance criterion. Using an implementation on a cluster of PlayStation 3 game consoles a new record was set for the elliptic curve method for integer factorization.
FINDING ECMFRIENDLY CURVES THROUGH A STUDY OF GALOIS PROPERTIES
"... Abstract. In this paper we prove some divisibility properties of the cardinality of elliptic curves modulo primes. These proofs explain the good behavior of certain parameters when using Montgomery or Edwards curves in the setting of the elliptic curve method (ECM) for integer factorization. The ide ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper we prove some divisibility properties of the cardinality of elliptic curves modulo primes. These proofs explain the good behavior of certain parameters when using Montgomery or Edwards curves in the setting of the elliptic curve method (ECM) for integer factorization. The ideas of the proofs help us to nd new families of elliptic curves with good division properties which increase the success probability of ECM. 1.
Ramanujan Graphs and the Random Reducibility of Discrete Log on Isogenous Elliptic Curves
 IACR CRYPTOLOGY EPRINT ARCHIVE 2004/312
, 2004
"... Cryptographic applications using an elliptic curve over a finite field filter curves for suitability using their order as the primary criterion: e.g. checking that their order has a large prime divisor before accepting it. It is therefore natural to ask whether the discrete log problem (dlog) has th ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
(Show Context)
Cryptographic applications using an elliptic curve over a finite field filter curves for suitability using their order as the primary criterion: e.g. checking that their order has a large prime divisor before accepting it. It is therefore natural to ask whether the discrete log problem (dlog) has the same difficulty for all curves with the same order; if so it would justify the above practice. We prove that this is essentially true by showing random reducibility of dlog among such curves, assuming the Generalized Riemann Hypothesis (GRH). Our reduction proof works for curves with (nearly) the same endomorphism rings, but it is unclear if such a reduction exists in general. This suggests that in addition to the order, the conductor of its endomorphism ring may play a role. The random selfreducibility for dlog over finite fields is well known; the nontrivial part here is that one must relate nonisomorphic algebraic groups of two isogenous curves. We construct certain expander graphs with elliptic curves as nodes and low degree isogenies as edges, and utilize the rapid mixing of random walks on this graph. We also briefly look at some recommended curves, compare “random ” type NIST FIPS 1862 curves to other special curves from this standpoint, and suggest a parameter to measure how generic a given curve is.
ECM at Work
"... Abstract. The performance of the elliptic curve method (ECM) for integer factorization plays an important role in the security assessment of RSAbased protocols as a cofactorization tool inside the number field sieve. The efficient arithmetic for Edwards curves found an application by speeding up EC ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
(Show Context)
Abstract. The performance of the elliptic curve method (ECM) for integer factorization plays an important role in the security assessment of RSAbased protocols as a cofactorization tool inside the number field sieve. The efficient arithmetic for Edwards curves found an application by speeding up ECM. We propose techniques based on generating and combining addition chains to optimize Edwards ECM in terms of both performance and memory requirements. This makes our approach very suitable for memoryconstrained devices such as graphics processing units. For commonly used ECM parameters we are able to lower the required memory up to a factor 55 compared to the stateoftheart Edwards ECM approach.