Results 11  20
of
542
Evaluation of discrete logarithms in a group of ptorsion points of an elliptic curve in characteristic p
 Mathematics of Computation
, 1998
"... Abstract. We show that to solve the discrete log problem in a subgroup of order p of an elliptic curve over the finite field of characteristic p one needs O(ln p) operations in this field. Let Fq be the finite field of q = p l elements. We define an elliptic curve E over Fq to be an equation of the ..."
Abstract

Cited by 59 (0 self)
 Add to MetaCart
Abstract. We show that to solve the discrete log problem in a subgroup of order p of an elliptic curve over the finite field of characteristic p one needs O(ln p) operations in this field. Let Fq be the finite field of q = p l elements. We define an elliptic curve E over Fq to be an equation of the form y 2 = x 3 + Ax + B. We suppose p ̸ = 2,3. Let E(Fq) bethesetofpointsErational over Fq. Itisknown that Nq − q − 1  ≤2q 1/2 with Nq = E(Fq). The set E(Fq) is a finite abelian group with the “infinite point ” P ∞ as the identity element. The discrete logarithm problem is to compute an integer n such that Q = nP, where Q, P ∈ E(Fq), if such an n exists. This problem is of great significance in cryptology [1], [2]. Suppose that the point P generates a subgroup 〈P 〉 of order m. If (m, p) = 1, then the subgroup 〈P 〉 is isomorphic to some multiplicative subgroup of an extension F q k where q k ≡ 1(modm). The values of the isomorphism from 〈P 〉 to F ∗ q can be evaluated in a very simple manner. The complexity of the algorithm is
A General Framework for Subexponential Discrete Logarithm Algorithms in Groups of Unknown Order
, 2000
"... We develop a generic framework for the computation of logarithms in nite class groups. The model allows to formulate a probabilistic algorithm based on collecting relations in an abstract way independently of the specific type of group to which it is applied, and to prove a subexponential running ti ..."
Abstract

Cited by 55 (9 self)
 Add to MetaCart
We develop a generic framework for the computation of logarithms in nite class groups. The model allows to formulate a probabilistic algorithm based on collecting relations in an abstract way independently of the specific type of group to which it is applied, and to prove a subexponential running time if a certain smoothness assumption is verified. The algorithm proceeds in two steps: First, it determines the abstract group structure as a product of cyclic groups; second, it computes an explicit isomorphism, which can be used to extract discrete logarithms.
Software Implementation of the NIST Elliptic Curves Over Prime Fields
 TOPICS IN CRYPTOLOGY – CTRSA 2001, VOLUME 2020 OF LNCS
, 2001
"... ..."
Sizzle: A standardsbased endtoend security architecture for the embedded internet
, 2005
"... According to popular perception, publickey cryptography is beyond the capabilities of highly constrained, “mote”like, embedded devices. We show that elliptic curve cryptography not only makes publickey cryptography feasible on these devices, it allows one to create a complete secure web server st ..."
Abstract

Cited by 53 (0 self)
 Add to MetaCart
According to popular perception, publickey cryptography is beyond the capabilities of highly constrained, “mote”like, embedded devices. We show that elliptic curve cryptography not only makes publickey cryptography feasible on these devices, it allows one to create a complete secure web server stack that runs efficiently within very tight resource constraints. Our smallfootprint HTTPS stack, nicknamed Sizzle, has been implemented on multiple generations of the Berkeley/Crossbow motes where it runs in less than 4KB of RAM, completes a full SSL handshake in 1 second (session reuse takes 0.5 seconds) and transfers 1 KB of application data over SSL in 0.4 seconds. Sizzle is the world’s smallest secure web server and can be embedded inside home appliances, personal medical devices, etc., allowing them to be monitored and controlled remotely via a web browser without sacrificing endtoend security.
Efficient Arithmetic in Finite Field Extensions with Application in Elliptic Curve Cryptography
 Journal of Cryptology
, 2000
"... . This contribution focuses on a class of Galois field used to achieve fast finite field arithmetic which we call an Optimal Extension Field (OEF), first introduced in [3]. We extend this work by presenting an adaptation of Itoh and Tsujii's algorithm for finite field inversion applied to OEF ..."
Abstract

Cited by 47 (8 self)
 Add to MetaCart
. This contribution focuses on a class of Galois field used to achieve fast finite field arithmetic which we call an Optimal Extension Field (OEF), first introduced in [3]. We extend this work by presenting an adaptation of Itoh and Tsujii's algorithm for finite field inversion applied to OEFs. In particular, we use the facts that the action of the Frobenius map in GF (p m ) can be computed with only m 1 subfield multiplications and that inverses in GF (p) may be computed cheaply using known techniques. As a result, we show that one extension field inversion can be computed with a logarithmic number of extension field multiplications. In addition, we provide new extension field multiplication formulas which give a performance increase. Further, we provide an OEF construction algorithm together with tables of Type I and Type II OEFs along with statistics on the number of pseudoMersenne primes and OEFs. We apply this new work to provide implementation results using these me...
A Fast Software Implementation for Arithmetic Operations in GF(2^n)
, 1996
"... . We present a software implementation of arithmetic operations in a finite field GF(2 n ), based on an alternative representation of the field elements. An important application is in elliptic curve cryptosystems. Whereas previously reported implementations of elliptic curve cryptosystems use a s ..."
Abstract

Cited by 46 (2 self)
 Add to MetaCart
. We present a software implementation of arithmetic operations in a finite field GF(2 n ), based on an alternative representation of the field elements. An important application is in elliptic curve cryptosystems. Whereas previously reported implementations of elliptic curve cryptosystems use a standard basis or an optimal normal basis to perform field operations, we represent the field elements as polynomials with coefficients in the smaller field GF(2 16 ). Calculations in this smaller field are carried out using precalculated lookup tables. This results in rather simple routines matching the structure of computer memory very well. The use of an irreducible trinomial as the field polynomial, as was proposed at Crypto'95 by R. Schroeppel et al., can be extended to this representation. In our implementation, the resulting routines are slightly faster than standard basis routines. 1 Introduction Elliptic curve public key cryptosystems are rapidly gaining popularity [M93]. The use...
Speeding Up Pollard's Rho Method For Computing Discrete Logarithms
, 1998
"... . In Pollard's rho method, an iterating function f is used to define a sequence (y i ) by y i+1 = f(y i ) for i = 0; 1; 2; : : : , with some starting value y 0 . In this paper, we define and discuss new iterating functions for computing discrete logarithms with the rho method. We compare the ..."
Abstract

Cited by 45 (7 self)
 Add to MetaCart
. In Pollard's rho method, an iterating function f is used to define a sequence (y i ) by y i+1 = f(y i ) for i = 0; 1; 2; : : : , with some starting value y 0 . In this paper, we define and discuss new iterating functions for computing discrete logarithms with the rho method. We compare their performances in experiments with elliptic curve groups. Our experiments show that one of our newly defined functions is expected to reduce the number of steps by a factor of approximately 0:8, in comparison with Pollard's originally used function, and we show that this holds independently of the size of the group order. For group orders large enough such that the run time for precomputation can be neglected, this means a realtime speedup of more than 1:2. 1. Introduction Let G be a finite cyclic group, written multiplicatively, and generated by the group element g. Given an element h in G, we wish to find the least nonnegative number x such that g x = h. This problem is the discre...
On the Performance of Signature Schemes based on Elliptic Curves
, 1998
"... . This paper describes a fast software implementation of the elliptic curve version of DSA, as specified in draft standard documents ANSI X9.62 and IEEE P1363. We did the implementations for the fields GF(2 n ), using a standard basis, and GF(p). We discuss various design decisions that have t ..."
Abstract

Cited by 41 (2 self)
 Add to MetaCart
. This paper describes a fast software implementation of the elliptic curve version of DSA, as specified in draft standard documents ANSI X9.62 and IEEE P1363. We did the implementations for the fields GF(2 n ), using a standard basis, and GF(p). We discuss various design decisions that have to be made for the operations in the underlying field and the operations on elliptic curve points. In particular, we conclude that it is a good idea to use projective coordinates for GF(p), but not for GF(2 n ). We also extend a number of exponentiation algorithms, that result in considerable speed gains for DSA, to ECDSA, using a signed binary representation. Finally, we present timing results for both types of fields on a PPro200 based PC, for a C/C++ implementation with small assemblylanguage optimizations, and make comparisons to other signature algorithms, such as RSA and DSA. We conclude that for practical sizes of fields and moduli, GF(p) is roughly twice as fast as GF(2 ...
Hyperelliptic Curve Cryptosystems: Closing the Performance Gap to Elliptic Curves
 Workshop on Cryptographic Hardware and Embedded Systems — CHES 2003
, 2003
"... For most of the time since they were proposed, it was widely believed that hyperelliptic curve cryptosystems (HECC) carry a substantial performance penalty compared to elliptic curve cryptosystems (ECC) and are, thus, not too attractive for practical applications. Only quite recently improvements ha ..."
Abstract

Cited by 41 (12 self)
 Add to MetaCart
For most of the time since they were proposed, it was widely believed that hyperelliptic curve cryptosystems (HECC) carry a substantial performance penalty compared to elliptic curve cryptosystems (ECC) and are, thus, not too attractive for practical applications. Only quite recently improvements have been made, mainly restricted to curves of genus 2. The work at hand advances the stateoftheart considerably in several aspects. First, we generalize and improve the closed formulae for the group operation of genus 3 for HEC defined over fields of characteristic two. For certain curves we achieve over 50% complexity improvement compared to the best previously published results. Second, we introduce a new complexity metric for ECC and HECC defined over characteristic two fields which allow performance comparisons of practical relevance. It can be shown that the HECC performance is in the range of the performance of an ECC; for specific parameters HECC can even possess a lower complexity than an ECC at the same security level. Third, we describe the first implementation of a HEC cryptosystem on an embedded (ARM7) processor. Since HEC are particularly attractive for constrained environments, such a case study should be of relevance.
Compressed Pairings
 In Advances in cryptology – Crypto’2004
, 2004
"... Pairingbased cryptosystems rely on bilinear nondegenerate maps called pairings, such as the Tate and Weil pairings defined over certain elliptic curve groups. In this paper we show how to compress pairing values, how to couple this technique with that of point compression, and how to benefit f ..."
Abstract

Cited by 39 (8 self)
 Add to MetaCart
Pairingbased cryptosystems rely on bilinear nondegenerate maps called pairings, such as the Tate and Weil pairings defined over certain elliptic curve groups. In this paper we show how to compress pairing values, how to couple this technique with that of point compression, and how to benefit from the compressed representation to speed up exponentiations involving pairing values, as required in many pairing based protocols.