Results 11 - 20 of 24
Solving Elliptic Curve Discrete Logarithm Problems Using Weil Descent
Journal of the Ramanujan Mathematical Society, 2001
Cited by 17 (2 self)
We provide the first cryptographically interesting instance of the elliptic curve discrete logarithm problem which resists all previously known attacks, but which can be solved with modest computer resources using the Weil descent attack methodology of Frey. We report on our implementation of index-calculus methods for hyperelliptic curves over characteristic two finite fields, and discuss the cryptographic implications of our results.
An Elliptic Curve Processor Suitable For RFID-Tags
2006
Cited by 14 (1 self)
RFID-Tags are small devices used for identification purposes in many applications nowadays.
Fast Hashing Onto Elliptic Curves Over Fields of Characteristic 3
2001
Cited by 13 (0 self)
We describe a fast hash algorithm that maps arbitrary messages onto points of an elliptic curve defined over a finite field of characteristic 3. Our new scheme runs in time O(m^2) for curves over F_{3^m}. The best previous algorithm for this task runs in time O(m^3). Experimental data confirms the speedup by a factor O(m), or approximately a hundred times for practical m values. Our results apply for both standard and normal basis representations of F_{3^m}.
A reconfigurable system on chip implementation for elliptic curve cryptography over GF(2^n)
2002
Cited by 12 (0 self)
The performance of elliptic curve based public key cryptosystems is mainly appointed by the efficiency of the underlying finite field arithmetic. This work describes two generic and scalable architectures of finite field coprocessors, which are implemented within the latest family of Field Programmable System Level Integrated Circuits FPSLIC from Atmel, Inc. The HW architectures are adapted from Karatsuba’s divide and conquer algorithm and allow for a reasonable speedup of the top-level elliptic curve algorithms. The VHDL hardware models are automatically generated based on an eligible operand size, which permits the optimal utilization of a particular FPSLIC device.
Fast Normal Basis Multiplication Using General Purpose Processors
IEEE Transactions on Computers, 2001
Cited by 12 (2 self)
For cryptographic applications, normal bases have received considerable attention, especially for hardware implementation. In this document, we consider fast software algorithms for normal basis multiplication over the extended binary field GF(2^m). We present a vector-level algorithm which essentially eliminates the bit-wise inner products needed in the conventional approach to the normal basis multiplication. We then present another algorithm which significantly reduces the dynamic instruction counts. Both algorithms utilize the full width of the data-path of the general purpose processor on which the software is to be executed. We also consider composite fields and present an algorithm which can provide further speed-ups and an added flexibility toward hardware-software codesign of processors for very large finite fields.
Efficient Computation of Multiplicative Inverses for Cryptographic Applications
2001
Cited by 11 (0 self)
Among the basic arithmetic operations over finite fields, the computation of a multiplicative inverse is the most time consuming operation. In this report, a number of methods are presented to efficiently compute the inverse using the extended Euclidean algorithm. The proposed methods can significantly reduce the computation time over large fields where the field elements are represented using a multi-precision format. A hardware structure for the inverter is also presented. The structure is area efficient and is suitable for resource constrained systems. Index Terms: Computer arithmetic, Galois (or finite) fields, multiplicative inversion, elliptic curve cryptography, Euclidean algorithm. Most of the work was done during the author's sabbatical leave with the Motorola Labs., Schaumburg, IL, USA. The author wishes to thank Larry Puhl for his encouragement to pursue this work. The author is grateful to Ezzy Dabbish and Tom Messerges for their useful comments on the draft of the manuscri...
Weil Descent Of Jacobians
Discrete Applied Mathematics, 2001
Cited by 7 (0 self)
The technique of Weil restriction of scalars has significant implications for elliptic curve cryptography. In this paper we apply these ideas to the case of the discrete logarithm problem in the Jacobian of a curve of genus greater than one over a finite field F_{q^n} where n > 1.
New Paradigms in Signature Schemes
2005
Cited by 7 (0 self)
Digital signatures provide authenticity and nonrepudiation. They are a standard cryptographic primitive with many applications in higher-level protocols. Groups featuring a computable bilinear map are particularly well suited for signature-related primitives. For some signature variants the only construction known uses bilinear maps. Where constructions based on, e.g., RSA are known, bilinear-map–based constructions are simpler, more efficient, and yield shorter signatures. We describe several constructions that support this claim. First, we present the Boneh-Lynn-Shacham (BLS) short signature scheme. BLS signatures with 1024-bit security are 160 bits long, the shortest of any scheme based on standard assumptions. Second, we present Boneh-Gentry-Lynn-Shacham (BGLS) aggregate signatures. In an aggregate signature scheme it is possible to combine n signatures on n distinct messages from n distinct users into a single aggregate that provides nonrepudiation for all of them. BGLS aggregates are 160 bits long, regardless of how many signatures are aggregated. No construction is known for aggregate signatures that does not employ bilinear maps. BGLS aggregates give rise to verifiably encrypted signatures, a signature variant with applications in contract signing.
A Weil Descent Attack against Elliptic Curve Cryptosystems over . . .
In Proc. of SCIS2004, 2004
Cited by 4 (0 self)
This paper shows that many of elliptic curve cryptosystems over quartic extension fields of odd characteristics are reduced to genus two hyperelliptic curve cryptosystems over quadratic extension fields. Moreover, it shows that almost all of the genus two hyperelliptic curve cryptosystems over quadratic extension fields of odd characteristics come under Weil descent attack. This means that many of elliptic curve cryptosystems over quartic extension fields of odd characteristics can be attacked by Weil descent uniformly.
Trace Zero Subvariety for Cryptosystems
2003
Cited by 3 (0 self)
We present a kind of group suitable for cryptographic applications: the trace zero subvariety. The construction is based on Weil descent from curves of genus two over extension fields F_{p^n}, n = 3.

