. We present a software implementation of arithmetic operations in a finite field GF(2 n ), based on an alternative representation of the field elements. An important application is in elliptic curve cryptosystems. Whereas previously reported implementations of elliptic curve cryptosystems use a standard basis or an optimal normal basis to perform field operations, we represent the field elements as polynomials with coefficients in the smaller field GF(2 16 ). Calculations in this smaller field are carried out using pre-calculated lookup tables. This results in rather simple routines matching the structure of computer memory very well. The use of an irreducible trinomial as the field polynomial, as was proposed at Crypto'95 by R. Schroeppel et al., can be extended to this representation. In our implementation, the resulting routines are slightly faster than standard basis routines. 1 Introduction Elliptic curve public key cryptosystems are rapidly gaining popularity [M93]. The use...

Abstract not found

We develop a generic framework for the computation of logarithms in nite class groups. The model allows to formulate a probabilistic algorithm based on collecting relations in an abstract way independently of the specific type of group to which it is applied, and to prove a subexponential running time if a certain smoothness assumption is verified. The algorithm proceeds in two steps: First, it determines the abstract group structure as a product of cyclic groups; second, it computes an explicit isomorphism, which can be used to extract discrete logarithms.

For most of the time since they were proposed, it was widely believed that hyperelliptic curve cryptosystems (HECC) carry a substantial performance penalty compared to elliptic curve cryptosystems (ECC) and are, thus, not too attractive for practical applications. Only quite recently improvements have been made, mainly restricted to curves of genus 2. The work at hand advances the state-of-the-art considerably in several aspects. First, we generalize and improve the closed formulae for the group operation of genus 3 for HEC defined over fields of characteristic two. For certain curves we achieve over 50% complexity improvement compared to the best previously published results. Second, we introduce a new complexity metric for ECC and HECC defined over characteristic two fields which allow performance comparisons of practical relevance. It can be shown that the HECC performance is in the range of the performance of an ECC; for specific parameters HECC can even possess a lower complexity than an ECC at the same security level. Third, we describe the first implementation of a HEC cryptosystem on an embedded (ARM7) processor. Since HEC are particularly attractive for constrained environments, such a case study should be of relevance.

According to popular perception, public-key cryptography is beyond the capabilities of highly constrained, “mote”-like, embedded devices. We show that elliptic curve cryptography not only makes public-key cryptography feasible on these devices, it allows one to create a complete secure web server stack that runs efficiently within very tight resource constraints. Our smallfootprint HTTPS stack, nick-named Sizzle, has been implemented on multiple generations of the Berkeley/Crossbow motes where it runs in less than 4KB of RAM, completes a full SSL handshake in 1 second (session reuse takes 0.5 seconds) and transfers 1 KB of application data over SSL in 0.4 seconds. Sizzle is the world’s smallest secure web server and can be embedded inside home appliances, personal medical devices, etc., allowing them to be monitored and controlled remotely via a web browser without sacrificing end-to-end security.

. In Pollard's rho method, an iterating function f is used to define a sequence (y i ) by y i+1 = f(y i ) for i = 0; 1; 2; : : : , with some starting value y 0 . In this paper, we define and discuss new iterating functions for computing discrete logarithms with the rho method. We compare their performances in experiments with elliptic curve groups. Our experiments show that one of our newly defined functions is expected to reduce the number of steps by a factor of approximately 0:8, in comparison with Pollard's originally used function, and we show that this holds independently of the size of the group order. For group orders large enough such that the run time for precomputation can be neglected, this means a real-time speed-up of more than 1:2. 1. Introduction Let G be a finite cyclic group, written multiplicatively, and generated by the group element g. Given an element h in G, we wish to find the least non-negative number x such that g x = h. This problem is the discre...

. This paper describes a fast software implementation of the elliptic curve version of DSA, as specified in draft standard documents ANSI X9.62 and IEEE P1363. We did the implementations for the fields GF(2 n ), using a standard basis, and GF(p). We discuss various design decisions that have to be made for the operations in the underlying field and the operations on elliptic curve points. In particular, we conclude that it is a good idea to use projective coordinates for GF(p), but not for GF(2 n ). We also extend a number of exponentiation algorithms, that result in considerable speed gains for DSA, to ECDSA, using a signed binary representation. Finally, we present timing results for both types of fields on a PPro-200 based PC, for a C/C++ implementation with small assembly-language optimizations, and make comparisons to other signature algorithms, such as RSA and DSA. We conclude that for practical sizes of fields and moduli, GF(p) is roughly twice as fast as GF(2 ...

. This contribution focuses on a class of Galois field used to achieve fast finite field arithmetic which we call an Optimal Extension Field (OEF), first introduced in [3]. We extend this work by presenting an adaptation of Itoh and Tsujii's algorithm for finite field inversion applied to OEFs. In particular, we use the facts that the action of the Frobenius map in GF (p m ) can be computed with only m- 1 subfield multiplications and that inverses in GF (p) may be computed cheaply using known techniques. As a result, we show that one extension field inversion can be computed with a logarithmic number of extension field multiplications. In addition, we provide new extension field multiplication formulas which give a performance increase. Further, we provide an OEF construction algorithm together with tables of Type I and Type II OEFs along with statistics on the number of pseudo-Mersenne primes and OEFs. We apply this new work to provide implementation results using these me...

Abstract. This paper explains the design and implementation of a highsecurity elliptic-curve-Diffie-Hellman function achieving record-setting speeds: e.g., 832457 Pentium III cycles (with several side benefits: free key compression, free key validation, and state-of-the-art timing-attack protection), more than twice as fast as other authors ’ results at the same conjectured security level (with or without the side benefits). 1

We discuss new algorithms for multiplying points on elliptic curves over small finite fields of characteristic two. This algorithm is an extension of previous results by Koblitz, Meier and Staffelbach. Practical timings show that the new methods can give a running time improvement of up to 50% compared to the ordinary binary algorithm for multiplication. Finally, we present a table of elliptic curves, which are well suited for elliptic curve public key cryptosystems, and for which the new algorithm can be used. 1 Introduction Elliptic curves over finite fields have gained a lot of attention in public key cryptography in recent years ([4], [10]). For practical reasons, elliptic curves over fields of characteristic two are of special interest. Diffie-Hellman type cryptosystems using elliptic curves over IF 2 155 were implemented and compared to RSA (see [12]). The most time consuming operation of these cryptosystems is multiplication of a point on the elliptic curve with an integer, wh...