Results 1-10 of 24
Short signatures from the Weil pairing
, 2001

Cited by 560 (31 self)
Abstract. We introduce a short signature scheme based on the Computational Diffie-Hellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or signatures are sent over a low-bandwidth channel.
Efficient algorithms for pairing-based cryptosystems
, 2002

Cited by 291 (23 self)
Abstract. We describe fast new algorithms to implement recent cryptosystems based on the Tate pairing. In particular, our techniques improve pairing evaluation speed by a factor of about 55 compared to previously known methods in characteristic 3, and attain performance comparable to that of RSA in larger characteristics. We also propose faster algorithms for scalar multiplication in characteristic 3 and square root extraction over F_{p^m}, the latter technique being also useful in contexts other than that of pairing-based cryptography.
Supersingular curves in cryptography
, 2001

Cited by 88 (9 self)
Frey and Rück gave a method to map the discrete logarithm problem in the divisor class group of a curve over F_q into a finite field discrete logarithm problem in some extension. The discrete logarithm problem in the divisor class group can therefore be solved as long as k is small. In the elliptic curve case it is known that for supersingular curves one has k ≤ 6. In this paper curves of higher genus are studied. Bounds on the possible values for k in the case of supersingular curves are given. Ways to ensure that a curve is not supersingular are also given.
Efficient arithmetic on Koblitz curves
 Designs, Codes, and Cryptography
, 2000

Cited by 79 (0 self)
Abstract. It has become increasingly common to implement discrete-logarithm based public-key protocols on elliptic curves over finite fields. The basic operation is scalar multiplication: taking a given integer multiple of a given point on the curve. The cost of the protocols depends on that of the elliptic scalar multiplication operation. Koblitz introduced a family of curves which admit especially fast elliptic scalar multiplication. His algorithm was later modified by Meier and Staffelbach. We give an improved version of the algorithm which runs 50% faster than any previous version. It is based on a new kind of representation of an integer, analogous to certain kinds of binary expansions. We also outline further speedups using precomputation and storage.
Evidence that XTR is more secure than supersingular elliptic curve cryptosystems
 J. Cryptology
, 2001

Cited by 77 (4 self)
Abstract. We show that finding an efficiently computable injective homomorphism from the XTR subgroup into the group of points over GF(p^2) of a particular type of supersingular elliptic curve is at least as hard as solving the Diffie-Hellman problem in the XTR subgroup. This provides strong evidence for a negative answer to the question posed by S. Vanstone and A. Menezes at the Crypto 2000 Rump Session on the possibility of efficiently inverting the MOV embedding into the XTR subgroup. As a side result we show that the Decision Diffie-Hellman problem in the group of points on this type of supersingular elliptic curves is efficiently computable, which provides an example of a group where the Decision Diffie-Hellman problem is simple, while the Diffie-Hellman and discrete logarithm problem are presumably not. The cryptanalytical tools we use also lead to cryptographic applications of independent interest. These applications are an improvement of Joux’s one round protocol for tripartite Diffie-Hellman key exchange and a non refutable digital signature scheme that supports escrowable encryption. We also discuss the applicability of our methods to general elliptic curves defined over finite fields.
Pairing-based Cryptography at High Security Levels
 Proceedings of Cryptography and Coding 2005, volume 3796 of LNCS
, 2005

Cited by 77 (2 self)
Abstract. In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [7] of the problem of efficient identity-based encryption. At the same time, the security standards for public key cryptosystems are expected to increase, so that in the future they will be capable of providing security equivalent to 128, 192, or 256-bit AES keys. In this paper we examine the implications of heightened security needs for pairing-based cryptosystems. We first describe three different reasons why high-security users might have concerns about the long-term viability of these systems. However, in our view none of the risks inherent in pairing-based systems are sufficiently serious to warrant pulling them from the shelves. We next discuss two families of elliptic curves E for use in pairing-based cryptosystems. The first has the property that the pairing takes values in the prime field F_p over which the curve is defined; the second family consists of supersingular curves with embedding degree k = 2. Finally, we examine the efficiency of the Weil pairing as opposed to the Tate pairing and compare a range of choices of embedding degree k, including k = 1 and k = 24. Let E be the elliptic curve 1.
The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces
 Design, Codes and Cryptography
, 2000

Cited by 34 (10 self)
Nguyen and Shparlinski recently presented a polynomial-time algorithm that provably recovers the signer's secret DSA key when a few bits of the random nonces k (used at each signature generation) are known for a number of DSA signatures at most linear in log q (q denoting as usual the small prime of DSA), under a reasonable assumption on the hash function used in DSA. The number of required bits is about log^{1/2} q, and can be further decreased to 2 if one assumes access to ideal lattice basis reduction, namely an oracle for the lattice closest vector problem for the infinity norm. All previously known results were only heuristic, including those of Howgrave-Graham and Smart who introduced the topic. Here, we obtain similar results for the elliptic curve variant of DSA (ECDSA).
C.: Itoh–Tsujii inversion in standard basis and its application in cryptography and codes
 Des. Codes Cryptogr
, 2002

Cited by 15 (2 self)
Abstract. This contribution is concerned with a generalization of Itoh and Tsujii’s algorithm for inversion in extension fields GF(q^m). Unlike the original algorithm, the method introduced here uses a standard (or polynomial) basis representation. The inversion method is generalized for standard basis representation and relevant complexity expressions are established, consisting of the number of extension field multiplications and exponentiations. As the main contribution, for three important classes of fields we show that the Frobenius map can be explored to perform the exponentiations required for the inversion algorithm efficiently. As an important consequence, Itoh and Tsujii’s inversion method shows almost the same practical complexity for standard basis as for normal basis representation for the field classes considered.
Fast Elliptic Curve Algorithm Combining Frobenius Map and Table Reference to Adapt to Higher Characteristic
, 1999

Cited by 14 (1 self)
A new elliptic curve scalar multiplication algorithm is proposed. The algorithm offers about twice the throughput of some conventional OEF-base algorithms because it combines the Frobenius map with the table reference method based on base-φ expansion. Furthermore, since this algorithm suits conventional computational units such as 16, 32 and 64 bits, its base field F_{p^m} is expected to enhance elliptic curve operation efficiency more than F_q (q is a prime) or F_{2^n}.
Keywords: elliptic curve cryptosystem, scalar multiplication, OEF, finite field, Frobenius map, table reference method
1 Introduction
While speeding up modular exponentiation has been a prime approach to speeding up the RSA scheme, scalar multiplication of an elliptic curve point can speed up elliptic curve schemes such as ECDSA and ECElGamal. In particular, elliptic curves over F_q (q is a prime) or F_{2^n} have been implemented by many companies and standardized by several organizations such as IEEE P1363 and ISO/IEC ...
Fast Hashing Onto Elliptic Curves Over Fields of Characteristic 3
, 2001

Cited by 14 (0 self)
We describe a fast hash algorithm that maps arbitrary messages onto points of an elliptic curve defined over a finite field of characteristic 3. Our new scheme runs in time O(m^2) for curves over F_{3^m}. The best previous algorithm for this task runs in time O(m^3). Experimental data confirms the speedup by a factor O(m), or approximately a hundred times for practical m values. Our results apply for both standard and normal basis representations of F_{3^m}.