Abstract. The market for Personal Digital Assistants (PDA) is growing rapidly and PDAs are becoming increasingly interesting for commercial transactions. One requirement for further growing of eCommerce with mobile devices is the provision of security. We implemented elliptic curves over binary fields on a Palm OS device. We chose the NIST recommended random and Koblitz curves over GF(2 163) that are providing a sufficient level of security for most commercial applications. Using Koblitz curves a typical security protocol like Diffie-Hellman key exchange or ECDSA signature verification requires less than 2.4 seconds, while ECDSA signature generation can be done in less than 0.9 seconds. This should be tolerated by most users.

The paper is an examination of double-base decompositions of integers n, namely expansions loosely of the form X i,j A for some base B}. This was examined in previous works [3, 4], in the case when A, B lie in N.

Abstract. It is known that every positive integer n can be represented as a finite sum of the form n = � ai2 i, where ai ∈ {0, 1, −1} for all i, and no two consecutive ai’s are non-zero. Such sums are called nonadjacent representations. Nonadjacent representations are useful in efficiently implementing elliptic curve arithmetic for cryptographic applications. In this paper, we investigate if other digit sets of the form {0, 1, x}, where x is an integer, provide each positive integer with a nonadjacent representation. If a digit set has this property we call it a nonadjacent digit set (NADS). We present an algorithm to determine if {0, 1, x} is a NADS; and if it is, we present an algorithm to efficiently determine the nonadjacent representation of any positive integer. We also present some necessary and sufficient conditions for {0, 1, x} to be a NADS. These conditions are used to exhibit infinite families of integers x such that {0, 1, x} is a NADS, as well as infinite families of x such that {0, 1, x} is not a NADS. 1

The most common method for computing exponentiation of random elements in Abelian groups are sliding window schemes, which enhance the e#ciency of the binary method at the expense of some precomputation. In groups where inversion is easy (e.g. elliptic curves), signed representations of the exponent are meaningful because they decrease the amount of required precomputation. The asymptotic best signed method is wNAF, because it minimizes the precomputation e#ort whilst the non-zero density is nearly optimal. Unfortunately, wNAF can be computed only from the least significant bit, i.e. right-to-left. However, in connection with memory constraint devices left-to-right recoding schemes are by far more valuable.

Abstract. There are many cryptographic constructions in which one uses a random power or multiple of an element in a group or a ring. We describe a fast method to compute random powers and multiples in certain important situations including powers in the Galois field �2 n,

Abstract. In most algorithms involving elliptic curves, the most expensive part consists in computing multiples of points. This paper investigates how to extend the τ-adic expansion from Koblitz curves to a larger class of curves defined over a prime field having an efficiently-computable endomorphism φ in order to perform an efficient point multiplication with efficiency similar to Solinas ’ approach presented at CRYPTO ’97. Furthermore, many elliptic curve cryptosystems require the computation of k0P + k1Q. Following the work of Solinas on the Joint Sparse Form, we introduce the notion of φ-Joint Sparse Form which combines the advantages of a φ-expansion with the additional speedup of the Joint Sparse Form. We also present an efficient algorithm to obtain the φ-Joint Sparse Form. Then, the double exponentiation can be done using the φ endomorphism instead of doubling, resulting in an average of l applications of φ and l/2 additions, where l is the size of the ki’s. This results in an important speed-up when the computation of φ is particularly effective, as in the case of Koblitz curves. Keywords. Elliptic curves, fast endomorphisms, Joint Sparse Form. 1

Abstract. This work discusses generic arithmetic for arbitrary binary fields in the context of elliptic curve cryptography (ECC). ECC is an attractive public-key cryptosystem recently endorsed by the US government for mobile/wireless environments which are limited in terms of their CPU, power, and network connectivity. Its efficiency enables constrained, mobile devices to establish secure end-to-end connections. Hence the server side has to be enabled to perform ECC operations for a vast number of mobile devices that use variable parameters in an efficient way to reduce cost. We present algorithms that are especially suited to high-performance devices like large-scaled server computers. We show how to perform an efficient field multiplication for operands of arbitrary size, and how to achieve efficient field reduction for dense polynomials. We also give running times of our implementation for both general elliptic curves and Koblitz curves on various platforms, and analyze the results. Our new algorithms are the fastest algorithms for arbitrary binary fields in literature.

Over a period of sixteen years elliptic curve cryptography went from being an approach that many people mistrusted or misunderstood to being a public key technology that enjoys almost unquestioned acceptance. We describe the sometimes surprising twists and turns in this paradigm shift, and compare this story with the commonly accepted Ideal Model of how research and development function in cryptography. We also discuss to what extent the ideas in the literature on “social construction of technology” can contribute to a better understanding of this history.

We describe and analyze new combinations of multi-exponentiation algorithms with representations of the exponents. We deal mainly but not exclusively with the case where the inversion of group elements is fast: This is true for example for elliptic curves, groups of rational divisor classes of hyperelliptic curves, trace zero varieties and XTR.

Fast algorithms for multiplication in finite fields are required for several cryptographic applications, in particular for implementing elliptic curve operations over binary fields F2m. In this paper we present new software algorithms for efficient multiplication over F2m that use a Gaussian normal basis representation. Two approaches are presented, direct normal basis multiplication, and a method that exploits a mapping to a ring where fast polynomial-based techniques can be employed. Our analysis including experimental results on an Intel Pentium family processor shows that the new algorithms are faster and can use memory more efficiently than previous methods. Despite significant improvements, we conclude that the penalty in multiplication is still sufficiently large to discourage the use of normal bases in software implementations of elliptic curve systems. Key words Multiplication in F2 m, Gaussian normal basis, elliptic curve cryptography. 1