Guide to Elliptic Curve Cryptography, 2004
Cited by 439 (18 self)
Abstract
Elliptic curves have been intensively studied in number theory and algebraic geometry for over 100 years and there is an enormous amount of literature on the subject. To quote the mathematician Serge Lang: It is possible to write endlessly on elliptic curves. (This is not a threat.) Elliptic curves also figured prominently in the recent proof of Fermat's Last Theorem by Andrew Wiles. Originally pursued for purely aesthetic reasons, elliptic curves have recently been utilized in devising algorithms for factoring integers, primality proving, and in public-key cryptography. In this article, we aim to give the reader an introduction to elliptic curve cryptosystems, and to demonstrate why these systems provide relatively small block sizes, high-speed software and hardware implementations, and offer the highest strength-per-key-bit of any known public-key scheme.
Extending the GHS Weil descent attack
Advances in Cryptology - EUROCRYPT 2002, LNCS 2332, 2002
Cited by 39 (1 self)
Abstract
In this paper we extend the Weil descent attack due to Gaudry, Hess and Smart (GHS) to a much larger class of elliptic curves. This extended attack applies to fields of composite degree over F_2. The principle behind the extended attack is to use isogenies to find an elliptic curve for which the GHS attack is effective. The discrete logarithm problem on the target curve can be transformed into a discrete logarithm problem on the isogenous curve. A further contribution of the paper is to give an improvement to an algorithm of Galbraith for constructing isogenies between elliptic curves, and this is of independent interest in elliptic curve cryptography. We show that a larger proportion than previously thought of elliptic curves over F_{2^155} should be considered weak.
A generalized method for constructing subquadratic complexity GF(2^k) multipliers
IEEE Transactions on Computers, 2004
Cited by 23 (0 self)
Abstract
We introduce a generalized method for constructing subquadratic complexity multipliers for even characteristic field extensions. The construction is obtained by recursively extending short convolution algorithms and nesting them. To obtain the short convolution algorithms the Winograd short convolution algorithm is reintroduced and analyzed in the context of polynomial multiplication. We present a recursive construction technique that extends any d-point multiplier into an n = d^k point multiplier with area that is subquadratic and delay that is logarithmic in the bitlength n. We present a thorough analysis that establishes the exact space and time complexities of these multipliers. Using the recursive construction method we obtain six new constructions, among which one turns out to be identical to the Karatsuba multiplier. All six algorithms have subquadratic space complexities and two of the algorithms have significantly better time complexities than the Karatsuba algorithm.
Keywords: Bit-parallel multipliers, finite fields, Winograd convolution
An Elliptic Curve Processor Suitable For RFID-Tags
Cryptology ePrint Archive, Report 2006/227, July 4th, 2006. Available at http://eprint.iacr.org
Cited by 17 (1 self)
Abstract
RFID-Tags are small devices used for identification purposes in many applications nowadays. It is expected that they will enable many new applications and link the physical and the virtual world in the near future. Since the processing power of these devices is low, they are often in the line of fire when their security and privacy is concerned. It is widely believed that devices with such constrained resources cannot carry out sufficient cryptographic operations to guarantee security in new applications. In this paper, we show that identification of RFID-Tags can reach high security levels. In particular, we show how secure identification protocols based on the DL problem on elliptic curves are implemented on a constrained device such as an RFID-Tag requiring between 8,500 and 14,000 gates, depending on the implementation characteristics. We investigate the case of elliptic curves over F_{2^p} with p prime and over composite fields F_{2^{2p}}. The implementations in this paper make RFID-Tags suitable for anti-counterfeiting purposes even in the offline setting.
Key Words: RFID, counterfeiting, authentication, ECC, small area implementations
Weak Fields for ECC, 2003
Cited by 8 (0 self)
Abstract
We demonstrate that some finite fields, including F_{2^210}, are weak for elliptic curve cryptography in the sense that any instance of the elliptic curve discrete logarithm problem for any elliptic curve over these fields can be solved in significantly less time than it takes Pollard's rho method to solve the hardest instances. We discuss the implications of our observations to elliptic curve cryptography, and list some open problems.
Constructing Composite Field Representations for Efficient Conversion
IEEE Transactions on Computers, 2003
Cited by 3 (1 self)
Abstract
This paper describes a method of construction of a composite field representation from a given binary field representation. We derive the conversion (change of basis) matrix. The special case of when the degree of the ground field is relatively prime to the extension degree, where the irreducible polynomial generating the composite field has its coefficients from the binary prime field rather than the ground field, is also treated. Furthermore, certain generalizations of the proposed construction method, e.g., the use of non-primitive elements and the construction of composite fields with special irreducible polynomials, are also discussed. Finally, we give storage-efficient conversion algorithms between the binary and composite fields when the degree of the ground field is relatively prime to the extension degree.
Index Terms: Composite and binary fields, primitive element, change of basis, AES.
Computing Discrete Logarithms in the Jacobian of High-Genus Hyperelliptic Curves over Even Characteristic Finite Fields
Cited by 2 (0 self)
Abstract
We describe improved versions of index-calculus algorithms for solving discrete logarithm problems in Jacobians of high-genus hyperelliptic curves defined over even characteristic fields. Our first improvement is to incorporate several ideas for the low-genus case by Gaudry and Theriault, including the large prime variant and using a smaller factor base, into the large-genus algorithm of Enge and Gaudry. We extend the analysis in [24] to our new algorithm, allowing us to predict accurately the number of random walk steps required to find all relations, and to select optimal degree bounds for the factor base. Our second improvement is the adaptation of sieving techniques from Flassenberg and Paulus, and Jacobson to our setting. The new algorithms are applied to concrete problem instances arising from the Weil descent attack methodology for solving the elliptic curve discrete logarithm problem, demonstrating significant improvements in practice.
Elliptic Curve Cryptography (ECC) for Host Identity Protocol (HIP)
Cited by 1 (0 self)
Abstract
We compare computational resources required for handling the control plane of the Host Identity Protocol (HIP) using Rivest-Shamir-Adleman (RSA) versus Elliptic Curve Cryptography (ECC) encryption algorithms with keys of equivalent strength. We show that servers would establish almost three times more HIP connections per second when ECC is used for generating the session key. For devices with low computational power such as the Nokia N810 Internet Tablet, the use of ECC would notably reduce the delay to establish a HIP association. Unless compatibility with legacy RSA/DSA-only systems is needed, the Host Identity may be an ECC key as well, but such a modification would bring only 50 percent additional performance with the current default keys. However, the situation becomes different under higher security requirements, when employing ECC for the host identification boosts the performance more than four times, and we consider ECC Host Identities desirable in that case.
Chapter X: A Design Framework for Scalable and Unified Multipliers in GF(p) and GF(2^m)
Abstract
The design of multiplication units that are reusable and scalable is of interest for cryptographic applications, where the operand size in bits is usually large, and may significantly change depending on the required level of security or the specific cryptosystem (e.g., RSA or Elliptic Curve). The use of the Montgomery multiplication (MM) method combined with techniques for time and space scheduling generates efficient and general solutions in this arena. MM has proven to be useful in both GF(p) and GF(2^m), and opened up the door for unified architectures designed to accommodate both fields. The scalable design does not rely on particular characteristics of the fields, it is adjustable for the silicon area available, and it does not limit the precision of the operands (variable precision). This way, the design lasts longer. This paper presents a generalization of the concept of scalable and unified architectures for multiplication in GF(p) and GF(2^m). A design framework is initially presented, and followed by a design example of a radix-8 processing element for a scalable and unified MM architecture. Experimental results show the potential of this method.
Elliptic Curves: The state of the art, 2002
Abstract
this paper is to investigate the applicability of the GHS attack on the ECDLP for cryptographically interesting elliptic curves over F_{2^n} for composite n in [160, 600]