The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the Digital Signature Algorithm (DSA). It was accepted in 1999 as an ANSI standard, and was accepted in 2000 as IEEE and NIST standards. It was also accepted in 1998 as an ISO standard, and is under consideration for inclusion in some other ISO standards. Unlike the ordinary discrete logarithm problem and the integer factorization problem, no subexponential-time algorithm is known for the elliptic curve discrete logarithm problem. For this reason, the strength-per-key-bit is substantially greater in an algorithm that uses elliptic curves. This paper describes the ANSI X9.62 ECDSA, and discusses related security, implementation, and interoperability issues. Keywords: Signature schemes, elliptic curve cryptography, DSA, ECDSA.

Abstract. In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [7] of the problem of efficient identity-based encryption. At the same time, the security standards for public key cryptosystems are expected to increase, so that in the future they will be capable of providing security equivalent to 128-, 192-, or 256-bit AES keys. In this paper we examine the implications of heightened security needs for pairing-based cryptosystems. We first describe three different reasons why high-security users might have concerns about the long-term viability of these systems. However, in our view none of the risks inherent in pairing-based systems are sufficiently serious to warrant pulling them from the shelves. We next discuss two families of elliptic curves E for use in pairingbased cryptosystems. The first has the property that the pairing takes values in the prime field Fp over which the curve is defined; the second family consists of supersingular curves with embedding degree k = 2. Finally, we examine the efficiency of the Weil pairing as opposed to the Tate pairing and compare a range of choices of embedding degree k, including k = 1 and k = 24. Let E be the elliptic curve 1.

The presumed difficulty of computing discrete logarithms in finite fields is the basis of several popular public key cryptosystems. The secure identification option of the Sun Network File System, for example, uses discrete logarithms in a field GF (p) with p a prime of 192 bits. This paper describes an implementation of a discrete logarithm algorithm which shows that primes of under 200 bits, such as that in the Sun system, are very insecure. Some enhancements to this system are suggested. 1. Introduction If p is a prime and g and x integers, then computation of y such that y j g x mod p; 0 y p \Gamma 1 (1.1) is referred to as discrete exponentiation. Using the successive squaring method, it is very fast (polynomial in the number of bits of jpj + jgj + jxj). On the other hand, the inverse problem, namely, given p; g, and y, to compute some x such that Equation 1.1 holds, which is referred to as the discrete logarithm problem, appears to be quite hard in general. Many of the mos...

. This paper is a survey of recent advances in discrete logarithm algorithms. Improved estimates for smooth integers and smooth polynomials are also discussed. 1. Introduction If G denotes a group (written multiplicatively), and hgi the cyclic subgroup generated by g 2 G, then the discrete logarithm problem for G is to find, given g 2 G and y 2 hgi, the smallest nonnegative integer x such that y = g x . This integer x is called the discrete logarithm of y to the base g, and is written x = log g y. The discrete log problem has been studied by number theorists for a long time. The main reason for the intense current interest in it, though, is that many public key cryptosystems depend for their security on the assumption that it is hard, at least for suitably chosen groups. With the proposed adoption of the NIST digital signature algorithm [28] (based on the ElGamal [10] and Schnorr [35] proposals), even more attention is likely to be drawn to this area. There are already several su...

. We discuss the issue of the parameterized computational complexity of a number of problems of interest in cryptography. We show that the problem of determining whether an n-digit number has a prime divisor less than or equal to n k can be solved in expected time f(k)n 3 by a randomized algorithm that employs elliptic curve factorization techniques (this result depends on an unproved but plausible number-theoretic conjecture). An analogous computational problem concerning discrete logarithms is directly relevant to some proposed cryptosystem implementations. Our result suggests caution about implementations which fix a parameter such as the size or Hamming weight of keys. We show that several parameterized problems of relevance to cryptography, including k-Subset Sum, k-Perfect Code, and k-Subset Product are likely to be intractable with respect to fixed-parameter complexity. In particular, we show that they cannot be solved in time f(k)n ff , where ff is independent...

. We generalize and improve the schemes of [4]. We introduce analogues of exponentiation and discrete logarithms in the principle cycle of real quadratic orders. This enables us to implement many cryptographic protocols based on discrete logarithms, e.g. a variant of the signature scheme of ElGamal [8]. 1 Introduction 1.1 Motivation The security of many cryptographic protocols (see for example [7], [8], [12]) is based on the difficulty of solving the discrete logarithm problem (DL-problem) in the multiplicative group GF (p) of prime fields GF (p) of characteristic p ? 0. Recently, Gordon [9] has shown that under reasonable assumptions the discrete DL-problem in GF(p) can be solved in expected time L p [1=3; c] = exp((c + o(1)) \Delta (log p) 1=3 \Delta (log log p) 2=3 ) by means of the number field sieve (NFS), thereby lowering the best known asymptotically upper bound considerably. Experience with similar integer factoring algorithms shows that the NFS can be expected to ...

Abstract. We propose new schemes for Certificates of Recoverability (CRs). These consist of a user’s public key and attributes, its private key encrypted in such a way that it is recoverable by one or more Key Recovery Agents (KRAs), plus a publicly verifiable proof of this (the CR). In the original schemes, the level of cryptographic security employed by the KRA and the users is necessarily the same. In our schemes the level of cryptographic security employed by the KRA can be set higher, in a scalable fashion, than that being employed by the users. Among the other improvements of our schemes are its applicability to create CRs for cryptosystems based on the Discrete Log problem in small subgroups, most notably the Digital Signature Standard and Elliptic Curve Crypto systems. Also, the size of the constructed proofs of knowledge can be taken smaller than in the original schemes. We also present several new constructions and results on the hardness of small parts, in the setting of Diffie-Hellman keys in extension fields. 1

Since nobody can guarantee that the computation of discrete logarithms in elliptic curves or IF p remains intractible for the future it is important to study cryptosystems based on alternative groups. A promising candidate, which was proposed by Buchmann and Williams [8], is the class group Cl(\Delta) of an imaginary quadratic order O \Delta . This ring is isomorphic to the endomorphism ring of a non-supersingular elliptic curve over a finite field. While in the meantime there was found a subexponential algorithm for the computation of discrete logarithms in Cl(\Delta) [16], this algorithm only has running time L \Delta [ 1 2 ; c] and is far less efficient than the number field sieve with L p [ 1 3 ; c] to compute logarithms in IF p . Thus one may choose the parameters smaller to obtain the same level of security. It is an open question whether there is an L \Delta [ 1 3 ; c] algorithm to compute discrete logarithms in arbitrary Cl(\Delta). Recently there were proposed cry...

We give a comparison of the performance of the recently proposed torus-based public key cryptosystem CEILIDH, and XTR. Underpinning both systems is the mathematics of the two dimensional algebraic torus T6(Fp). However, while they both attain the same discrete logarithm security and each achieve a compression factor of three for all data transmissions, the arithmetic performed in each is fundamentally different. In its inception, the designers of CEILIDH were reluctant to claim it offers any particular advantages over XTR other than its exact compression and decompression technique. From both an algorithmic and arithmetic perspective, we develop an e#cientversion of CEILIDH and show that while it seems bound to be inherently slower than XTR, the difference in performance is much smaller than what one might infer from the original description. Also, thanks to CEILIDH's simple group law, it provides a greater flexibility for applications, and maythus be considered a worthwhile alternative to XTR.

Bilinear pairings derived from supersingular elliptic curves of embedding degrees 4 and 6 over finite fields F2 m and F3m, respectively, have been used to implement pairing-based cryptographic protocols. The pairing values lie in certain prime-order subgroups of the cyclotomic subgroups of orders 22m + 1 and 32m − 3m + 1, respectively, of the multiplicative groups F ∗ 24m and F ∗ 36m. It was previously known how to compress the pairing values over characteristic two fields by a factor of 2, and the pairing values over characteristic three fields by a factor of 6. In this paper, we show how the pairing values over characteristic two fields can be compressed by a factor of 4. Moreover, we present and compare several algorithms for performing exponentiation in the prime-order subgroups using the compressed representations. In particular, in the case where the base is fixed, we expect to gain at least a 54 % speed up over the fastest previously known exponentiation algorithm that uses factor-6 compressed representations.