Results 11  20
of
422
Curve25519: new DiffieHellman speed records
 In Public Key Cryptography (PKC), SpringerVerlag LNCS 3958
, 2006
"... Abstract. This paper explains the design and implementation of a highsecurity ellipticcurveDiffieHellman function achieving recordsetting speeds: e.g., 832457 Pentium III cycles (with several side benefits: free key compression, free key validation, and stateoftheart timingattack protection) ..."
Abstract

Cited by 58 (20 self)
 Add to MetaCart
Abstract. This paper explains the design and implementation of a highsecurity ellipticcurveDiffieHellman function achieving recordsetting speeds: e.g., 832457 Pentium III cycles (with several side benefits: free key compression, free key validation, and stateoftheart timingattack protection), more than twice as fast as other authors ’ results at the same conjectured security level (with or without the side benefits). 1
A General Framework for Subexponential Discrete Logarithm Algorithms in Groups of Unknown Order
, 2000
"... We develop a generic framework for the computation of logarithms in nite class groups. The model allows to formulate a probabilistic algorithm based on collecting relations in an abstract way independently of the specific type of group to which it is applied, and to prove a subexponential running ti ..."
Abstract

Cited by 54 (9 self)
 Add to MetaCart
We develop a generic framework for the computation of logarithms in nite class groups. The model allows to formulate a probabilistic algorithm based on collecting relations in an abstract way independently of the specific type of group to which it is applied, and to prove a subexponential running time if a certain smoothness assumption is verified. The algorithm proceeds in two steps: First, it determines the abstract group structure as a product of cyclic groups; second, it computes an explicit isomorphism, which can be used to extract discrete logarithms.
Software Implementation of the NIST Elliptic Curves Over Prime Fields
 TOPICS IN CRYPTOLOGY – CTRSA 2001, VOLUME 2020 OF LNCS
, 2001
"... ..."
Sizzle: A standardsbased endtoend security architecture for the embedded internet
, 2005
"... According to popular perception, publickey cryptography is beyond the capabilities of highly constrained, “mote”like, embedded devices. We show that elliptic curve cryptography not only makes publickey cryptography feasible on these devices, it allows one to create a complete secure web server st ..."
Abstract

Cited by 49 (0 self)
 Add to MetaCart
According to popular perception, publickey cryptography is beyond the capabilities of highly constrained, “mote”like, embedded devices. We show that elliptic curve cryptography not only makes publickey cryptography feasible on these devices, it allows one to create a complete secure web server stack that runs efficiently within very tight resource constraints. Our smallfootprint HTTPS stack, nicknamed Sizzle, has been implemented on multiple generations of the Berkeley/Crossbow motes where it runs in less than 4KB of RAM, completes a full SSL handshake in 1 second (session reuse takes 0.5 seconds) and transfers 1 KB of application data over SSL in 0.4 seconds. Sizzle is the world’s smallest secure web server and can be embedded inside home appliances, personal medical devices, etc., allowing them to be monitored and controlled remotely via a web browser without sacrificing endtoend security.
A Fast Software Implementation for Arithmetic Operations in GF(2^n)
, 1996
"... . We present a software implementation of arithmetic operations in a finite field GF(2 n ), based on an alternative representation of the field elements. An important application is in elliptic curve cryptosystems. Whereas previously reported implementations of elliptic curve cryptosystems use a s ..."
Abstract

Cited by 46 (2 self)
 Add to MetaCart
. We present a software implementation of arithmetic operations in a finite field GF(2 n ), based on an alternative representation of the field elements. An important application is in elliptic curve cryptosystems. Whereas previously reported implementations of elliptic curve cryptosystems use a standard basis or an optimal normal basis to perform field operations, we represent the field elements as polynomials with coefficients in the smaller field GF(2 16 ). Calculations in this smaller field are carried out using precalculated lookup tables. This results in rather simple routines matching the structure of computer memory very well. The use of an irreducible trinomial as the field polynomial, as was proposed at Crypto'95 by R. Schroeppel et al., can be extended to this representation. In our implementation, the resulting routines are slightly faster than standard basis routines. 1 Introduction Elliptic curve public key cryptosystems are rapidly gaining popularity [M93]. The use...
Efficient Arithmetic in Finite Field Extensions with Application in Elliptic Curve Cryptography
 Journal of Cryptology
, 2000
"... . This contribution focuses on a class of Galois field used to achieve fast finite field arithmetic which we call an Optimal Extension Field (OEF), first introduced in [3]. We extend this work by presenting an adaptation of Itoh and Tsujii's algorithm for finite field inversion applied to OEFs. I ..."
Abstract

Cited by 46 (7 self)
 Add to MetaCart
. This contribution focuses on a class of Galois field used to achieve fast finite field arithmetic which we call an Optimal Extension Field (OEF), first introduced in [3]. We extend this work by presenting an adaptation of Itoh and Tsujii's algorithm for finite field inversion applied to OEFs. In particular, we use the facts that the action of the Frobenius map in GF (p m ) can be computed with only m 1 subfield multiplications and that inverses in GF (p) may be computed cheaply using known techniques. As a result, we show that one extension field inversion can be computed with a logarithmic number of extension field multiplications. In addition, we provide new extension field multiplication formulas which give a performance increase. Further, we provide an OEF construction algorithm together with tables of Type I and Type II OEFs along with statistics on the number of pseudoMersenne primes and OEFs. We apply this new work to provide implementation results using these me...
Speeding Up Pollard's Rho Method For Computing Discrete Logarithms
, 1998
"... . In Pollard's rho method, an iterating function f is used to define a sequence (y i ) by y i+1 = f(y i ) for i = 0; 1; 2; : : : , with some starting value y 0 . In this paper, we define and discuss new iterating functions for computing discrete logarithms with the rho method. We compare their pe ..."
Abstract

Cited by 44 (7 self)
 Add to MetaCart
. In Pollard's rho method, an iterating function f is used to define a sequence (y i ) by y i+1 = f(y i ) for i = 0; 1; 2; : : : , with some starting value y 0 . In this paper, we define and discuss new iterating functions for computing discrete logarithms with the rho method. We compare their performances in experiments with elliptic curve groups. Our experiments show that one of our newly defined functions is expected to reduce the number of steps by a factor of approximately 0:8, in comparison with Pollard's originally used function, and we show that this holds independently of the size of the group order. For group orders large enough such that the run time for precomputation can be neglected, this means a realtime speedup of more than 1:2. 1. Introduction Let G be a finite cyclic group, written multiplicatively, and generated by the group element g. Given an element h in G, we wish to find the least nonnegative number x such that g x = h. This problem is the discre...
Hyperelliptic Curve Cryptosystems: Closing the Performance Gap to Elliptic Curves
 Workshop on Cryptographic Hardware and Embedded Systems — CHES 2003
, 2003
"... For most of the time since they were proposed, it was widely believed that hyperelliptic curve cryptosystems (HECC) carry a substantial performance penalty compared to elliptic curve cryptosystems (ECC) and are, thus, not too attractive for practical applications. Only quite recently improvements ha ..."
Abstract

Cited by 42 (13 self)
 Add to MetaCart
For most of the time since they were proposed, it was widely believed that hyperelliptic curve cryptosystems (HECC) carry a substantial performance penalty compared to elliptic curve cryptosystems (ECC) and are, thus, not too attractive for practical applications. Only quite recently improvements have been made, mainly restricted to curves of genus 2. The work at hand advances the stateoftheart considerably in several aspects. First, we generalize and improve the closed formulae for the group operation of genus 3 for HEC defined over fields of characteristic two. For certain curves we achieve over 50% complexity improvement compared to the best previously published results. Second, we introduce a new complexity metric for ECC and HECC defined over characteristic two fields which allow performance comparisons of practical relevance. It can be shown that the HECC performance is in the range of the performance of an ECC; for specific parameters HECC can even possess a lower complexity than an ECC at the same security level. Third, we describe the first implementation of a HEC cryptosystem on an embedded (ARM7) processor. Since HEC are particularly attractive for constrained environments, such a case study should be of relevance.
On the Performance of Signature Schemes based on Elliptic Curves
, 1998
"... . This paper describes a fast software implementation of the elliptic curve version of DSA, as specified in draft standard documents ANSI X9.62 and IEEE P1363. We did the implementations for the fields GF(2 n ), using a standard basis, and GF(p). We discuss various design decisions that have t ..."
Abstract

Cited by 39 (2 self)
 Add to MetaCart
. This paper describes a fast software implementation of the elliptic curve version of DSA, as specified in draft standard documents ANSI X9.62 and IEEE P1363. We did the implementations for the fields GF(2 n ), using a standard basis, and GF(p). We discuss various design decisions that have to be made for the operations in the underlying field and the operations on elliptic curve points. In particular, we conclude that it is a good idea to use projective coordinates for GF(p), but not for GF(2 n ). We also extend a number of exponentiation algorithms, that result in considerable speed gains for DSA, to ECDSA, using a signed binary representation. Finally, we present timing results for both types of fields on a PPro200 based PC, for a C/C++ implementation with small assemblylanguage optimizations, and make comparisons to other signature algorithms, such as RSA and DSA. We conclude that for practical sizes of fields and moduli, GF(p) is roughly twice as fast as GF(2 ...
The Relationship Between Breaking the DiffieHellman Protocol and Computing Discrete Logarithms
, 1998
"... Both uniform and nonuniform results concerning the security of the DiffieHellman keyexchange protocol are proved. First, it is shown that in a cyclic group G of order jGj = Q p e i i , where all the multiple prime factors of jGj are polynomial in log jGj, there exists an algorithm that re ..."
Abstract

Cited by 38 (3 self)
 Add to MetaCart
Both uniform and nonuniform results concerning the security of the DiffieHellman keyexchange protocol are proved. First, it is shown that in a cyclic group G of order jGj = Q p e i i , where all the multiple prime factors of jGj are polynomial in log jGj, there exists an algorithm that reduces the computation of discrete logarithms in G to breaking the DiffieHellman protocol in G and has complexity p maxf(p i )g \Delta (log jGj) O(1) , where (p) stands for the minimum of the set of largest prime factors of all the numbers d in the interval [p \Gamma 2 p p+1; p+2 p p+ 1]. Under the unproven but plausible assumption that (p) is polynomial in log p, this reduction implies that the DiffieHellman problem and the discrete logarithm problem are polynomialtime equivalent in G. Second, it is proved that the DiffieHellman problem and the discrete logarithm problem are equivalent in a uniform sense for groups whose orders belong to certain classes: there exists a p...