Results 1-10 of 32
Guide to Elliptic Curve Cryptography
2004
Cited by 376 (17 self)
Abstract:
Elliptic curves have been intensively studied in number theory and algebraic geometry for over 100 years and there is an enormous amount of literature on the subject. To quote the mathematician Serge Lang: It is possible to write endlessly on elliptic curves. (This is not a threat.) Elliptic curves also figured prominently in the recent proof of Fermat's Last Theorem by Andrew Wiles. Originally pursued for purely aesthetic reasons, elliptic curves have recently been utilized in devising algorithms for factoring integers, primality proving, and in public-key cryptography. In this article, we aim to give the reader an introduction to elliptic curve cryptosystems, and to demonstrate why these systems provide relatively small block sizes, high-speed software and hardware implementations, and offer the highest strength-per-key-bit of any known public-key scheme.
An algorithm for solving the discrete log problem on hyperelliptic curves
2000
Cited by 78 (6 self)
Abstract:
We present an index-calculus algorithm for the computation of discrete logarithms in the Jacobian of hyperelliptic curves defined over finite fields. The complexity predicts that it is faster than the Rho method for genus greater than 4. To demonstrate the efficiency of our approach, we describe our breaking of a cryptosystem based on a curve of genus 6 recently proposed by Koblitz.
Improving the parallelized Pollard lambda search on anomalous binary curves
Mathematics of Computation
Cited by 67 (2 self)
Abstract:
The best algorithm known for finding logarithms on an elliptic curve (E) is the (parallelized) Pollard lambda collision search. We show how to apply a Pollard lambda search on a set of equivalence classes derived from E, which requires fewer iterations than the standard approach. In the case of anomalous binary curves over F_{2^m}, the new approach speeds up the standard algorithm by a factor of √(2m).
Faster Attacks on Elliptic Curve Cryptosystems
Selected Areas in Cryptography, LNCS 1556, 1998
Cited by 61 (1 self)
Abstract:
The previously best attack known on elliptic curve cryptosystems used in practice was the parallel collision search based on Pollard's ρ-method. The complexity of this attack is the square root of the prime order of the generating point used. For arbitrary curves, typically defined over GF(p) or GF(2^m), the attack time can be reduced by a factor of √2, a small improvement. For subfield curves, those defined over GF(2^(ed)) with coefficients defining the curve restricted to GF(2^e), the attack time can be reduced by a factor of √(2d). In particular for curves over GF(2^m) with coefficients in GF(2), called anomalous binary curves or Koblitz curves, the attack time can be reduced by a factor of √(2m). These curves have structure which allows faster cryptosystem computations. Unfortunately, this structure also helps the attacker. In an example, the time required to compute an elliptic curve logarithm on an anomalous binary curve over GF(2^163) is reduced from 2 ...
Security analysis of the strong Diffie-Hellman problem
2006
Cited by 51 (2 self)
Abstract:
Let g be an element of prime order p in an abelian group and α ∈ Z_p. We show that if g, g^α, and g^(α^d) are given for a positive divisor d of p − 1, we can compute the secret α in O(log p · (√(p/d) + √d)) group operations using O(max{√(p/d), √d}) memory. If g^(α^i) (i = 0, 1, 2, ..., d) are provided for a positive divisor d of p + 1, α can be computed in O(log p · (√(p/d) + d)) group operations using O(max{√(p/d), √d}) memory. This implies that the strong Diffie-Hellman problem and its related problems have computational complexity reduced by O(√d) from that of the discrete logarithm problem for such primes. Further we apply this algorithm to the schemes based on the Diffie-Hellman problem on an abelian group of prime order p. As a result, we reduce the complexity of recovering the secret key from O(√p) to O(√(p/d)) for Boldyreva's blind signature and the original ElGamal scheme when p − 1 (resp. p + 1) has a divisor d ≤ p^(1/2) (resp. d ≤ p^(1/3)) and d signature or decryption queries are allowed.
On Random Walks For Pollard's Rho Method
Mathematics of Computation, 2000
Cited by 32 (5 self)
Abstract:
We consider Pollard's rho method for discrete logarithm computation. Usually, in the analysis of its running time the assumption is made that a random walk in the underlying group is simulated. We show that this assumption does not hold for the walk originally suggested by Pollard: its performance is worse than in the random case. We study alternative walks that can be efficiently applied to compute discrete logarithms. We introduce a class of walks that lead to the same performance as expected in the random case. We show that this holds for arbitrarily large prime group orders, thus making Pollard's rho method for prime group orders about 20% faster than before.

1. Introduction

Let G be a finite cyclic group, written multiplicatively, and generated by the group element g. We define the discrete logarithm problem (DLP) as follows: given a group element h, find the least nonnegative integer x such that h = g^x. We write x = log_g h and call it the discrete logarithm of h...
Square-Root Algorithms for the Discrete Logarithm Problem (a Survey)
In: Public Key Cryptography and Computational Number Theory, Walter de Gruyter, 2001
Cited by 27 (0 self)
Abstract:
The best algorithms to compute discrete logarithms in arbitrary groups (of prime order) are the baby-step giant-step method, the rho method and the kangaroo method. The first two have (expected) running time O(√n) group operations (n denoting the group order), thereby matching Shoup's lower bounds. While the baby-step giant-step method is deterministic but with large memory requirements, the rho and the kangaroo method are probabilistic but can be implemented very space-efficiently, and they can be parallelized with linear speedup. In this paper, we present the state of the art in these methods.
Solving Elliptic Curve Discrete Logarithm Problems Using Weil Descent
Journal of the Ramanujan Mathematical Society, 2001
Cited by 18 (3 self)
Abstract:
We provide the first cryptographically interesting instance of the elliptic curve discrete logarithm problem which resists all previously known attacks, but which can be solved with modest computer resources using the Weil descent attack methodology of Frey. We report on our implementation of index-calculus methods for hyperelliptic curves over characteristic-two finite fields, and discuss the cryptographic implications of our results.
The full cost of cryptanalytic attacks
Journal of Cryptology
Cited by 15 (0 self)
Abstract:
An open question about the asymptotic cost of connecting many processors to a large memory using three dimensions for wiring is answered, and this result is used to find the full cost of several cryptanalytic attacks. In many cases this full cost is higher than the accepted complexity of a given algorithm based on the number of processor steps. The full costs of several cryptanalytic attacks are determined, including Shanks' method for computing discrete logarithms in cyclic groups of prime order n, which requires n^(1/2+o(1)) processor steps, but when all factors are taken into account, has full cost n^(2/3+o(1)). Other attacks analyzed are factoring with the number field sieve, generic attacks on block ciphers, attacks on double and triple encryption, and finding hash collisions. In many cases parallel collision search gives a significant asymptotic advantage over well-known generic attacks.