Abstract. This paper explains the design and implementation of a highsecurity elliptic-curve-Diffie-Hellman function achieving record-setting speeds: e.g., 832457 Pentium III cycles (with several side benefits: free key compression, free key validation, and state-of-the-art timing-attack protection), more than twice as fast as other authors ’ results at the same conjectured security level (with or without the side benefits). 1

Whether the discrete logarithm problem can be reduced to the Diffie–Hellman problem is a celebrated open question. The security of Diffie–Hellman key exchange and other cryptographic protocols rests on the assumed difficulty of the computational Diffie–Hellman problem; such a reduction would show that this is equivalent to assuming that computing discrete logarithms is hard. What is known is that a near-reduction exists for general groups, assuming that a conjecture about the existence of smooth numbers in an interval is true. Given access to a Diffie–Hellman oracle, and a small amount of additional information (this being the parameters of certain elliptic curves with smooth order), it is possible to compute discrete logarithms using a polylogarithmic number of calls to the oracle. 1