Results 1  10
of
97
The complexity of class polynomial computation via floating point approximations. ArXiv preprint
, 601
"... Abstract. We analyse the complexity of computing class polynomials, that are an important ingredient for CM constructions of elliptic curves, via complex floating point approximations of their roots. The heart of the algorithm is the evaluation of modular functions in several arguments. The fastest ..."
Abstract

Cited by 33 (5 self)
 Add to MetaCart
Abstract. We analyse the complexity of computing class polynomials, that are an important ingredient for CM constructions of elliptic curves, via complex floating point approximations of their roots. The heart of the algorithm is the evaluation of modular functions in several arguments. The fastest one of the presented approaches uses a technique devised by Dupont to evaluate modular functions by Newton iterations on an expression involving the arithmeticgeometric mean. Under the heuristic assumption, justified by experiments, that the correctness of the result is not perturbed by rounding errors, the algorithm runs in time “p “p ”” 3 2 O Dlog D  M Dlog D  ⊆ O ` Dlog 6+ε D  ´ ⊆ O ` h 2+ε´ for any ε> 0, where D is the CM discriminant, h is the degree of the class polynomial and M(n) is the time needed to multiply two nbit numbers. Up to logarithmic factors, this running time matches the size of the constructed polynomials. The estimate also relies on a new result concerning the complexity of enumerating the class group of an imaginary quadratic order and on a rigorously proven upper bound for the height of class polynomials. 1. Motivation and
Algorithms for computing isogenies between elliptic curves
 Math. Comp
, 2000
"... Abstract. The heart of the improvements by Elkies to Schoof’s algorithm for computing the cardinality of elliptic curves over a finite field is the ability to compute isogenies between curves. Elkies ’ approach is well suited for the case where the characteristic of the field is large. Couveignes sh ..."
Abstract

Cited by 31 (6 self)
 Add to MetaCart
Abstract. The heart of the improvements by Elkies to Schoof’s algorithm for computing the cardinality of elliptic curves over a finite field is the ability to compute isogenies between curves. Elkies ’ approach is well suited for the case where the characteristic of the field is large. Couveignes showed how to compute isogenies in small characteristic. The aim of this paper is to describe the first successful implementation of Couveignes’s algorithm. In particular, we describe the use of fast algorithms for performing incremental operations on series. We also insist on the particular case of the characteristic 2. 1.
Average Frobenius Distribution of Elliptic Curves
 Internat. Math. Res. Notices
, 1998
"... this paper average estimates related to the LangTrotter conjecture. The average distribution fits the one predicted by the conjecture, and the conjectural constant C E,r of Lang and Trotter is confirmed by our results, as seen in Section 2. Average estimates for the case r 0 were already obtained ..."
Abstract

Cited by 28 (4 self)
 Add to MetaCart
this paper average estimates related to the LangTrotter conjecture. The average distribution fits the one predicted by the conjecture, and the conjectural constant C E,r of Lang and Trotter is confirmed by our results, as seen in Section 2. Average estimates for the case r 0 were already obtained by Fouvry and Murty [6], and we obtain a generalization of their results for any r Z. The techniques of Fouvry and Murty do not seem to extend to the general case r Z. Our proof then differs significantly from theirs. In the following, we fix r Z, and we denote by E(a, b) the elliptic curve Y b with a, b Z. Then . Following [11], we define 2 # t log t # . Theorem 1.2. Let r be an integer,A,B# 1. For every c>0, we have 1 , (2) where . (3) The constants in the Osymbol depend only on c and r. As the infinite product of (3) converges to a positive number, the constant C r is nonzero, even if some C E,r can be zero, as mentioned above. From the last theorem, we immediately obtain that the LangTrotter conjecture is true "on average." Corollary 1.3. Let #>0. If A,B>x , we have as x ##, . In analogy with the classical terminology, we can say that the average order of E(a,b) (x)isC r ( # x/ log x). Using the same techniques, we can also prove that the normal order of # E(a,b) (x)isC r ( # x/log x). Then,# C r ( # x/ log x) for "almost all" E(a, b) rather than on average (see Corollary 1.5). We are grateful to A. Granville for suggesting this application of our techniques
Computing Hilbert class polynomials with the Chinese Remainder Theorem
, 2010
"... We present a spaceefficient algorithm to compute the Hilbert class polynomial HD(X) modulo a positive integer P, based on an explicit form of the Chinese Remainder Theorem. Under the Generalized Riemann Hypothesis, the algorithm uses O(D  1/2+ɛ log P) space and has an expected running time of O ..."
Abstract

Cited by 18 (1 self)
 Add to MetaCart
We present a spaceefficient algorithm to compute the Hilbert class polynomial HD(X) modulo a positive integer P, based on an explicit form of the Chinese Remainder Theorem. Under the Generalized Riemann Hypothesis, the algorithm uses O(D  1/2+ɛ log P) space and has an expected running time of O(D  1+ɛ). We describe practical optimizations that allow us to handle larger discriminants than other methods, with D  as large as 1013 and h(D) up to 106. We apply these results to construct pairingfriendly elliptic curves of prime order, using the CM method.
Building Cyclic Elliptic Curves Modulo Large Primes
 Advances in Cryptology  EUROCRYPT '91, Lecture Notes in Computer Science
, 1987
"... Elliptic curves play an important role in many areas of modern cryptology such as integer factorization and primality proving. Moreover, they can be used in cryptosystems based on discrete logarithms for building oneway permutations. For the latter purpose, it is required to have cyclic elliptic cu ..."
Abstract

Cited by 18 (2 self)
 Add to MetaCart
Elliptic curves play an important role in many areas of modern cryptology such as integer factorization and primality proving. Moreover, they can be used in cryptosystems based on discrete logarithms for building oneway permutations. For the latter purpose, it is required to have cyclic elliptic curves over finite fields. The aim of this note is to explain how to construct such curves over a finite field of large prime cardinality, using the ECPP primality proving test of Atkin and Morain. 1 Introduction Elliptic curves prove to be a powerful tool in modern cryptology. Following the original work of H. W. Lenstra, Jr. [18] concerning integer factorization, many researchers have used this new idea to work out primality proving algorithms [8, 14, 2, 4, 22] as well as cryptosystems [21, 16] generalizing those of [12, 1, 9]. Recent work on these topics can be found in [20, 19]. More recently, Kaliski [15] has used elliptic curves in the design of oneway permutations. For this, the autho...
Constructing Elliptic Curve Cryptosystems in Characteristic 2
, 1998
"... Since the group of an elliptic curve defined over a finite field F_q... The purpose of this paper is to describe how one can search for suitable elliptic curves with random coefficients using Schoof's algorithm. We treat the important special case of characteristic 2, where one has certain simplific ..."
Abstract

Cited by 17 (1 self)
 Add to MetaCart
Since the group of an elliptic curve defined over a finite field F_q... The purpose of this paper is to describe how one can search for suitable elliptic curves with random coefficients using Schoof's algorithm. We treat the important special case of characteristic 2, where one has certain simplifications in some of the algorithms.
Factorization of the tenth and eleventh Fermat numbers
, 1996
"... . We describe the complete factorization of the tenth and eleventh Fermat numbers. The tenth Fermat number is a product of four prime factors with 8, 10, 40 and 252 decimal digits. The eleventh Fermat number is a product of five prime factors with 6, 6, 21, 22 and 564 decimal digits. We also note a ..."
Abstract

Cited by 17 (8 self)
 Add to MetaCart
. We describe the complete factorization of the tenth and eleventh Fermat numbers. The tenth Fermat number is a product of four prime factors with 8, 10, 40 and 252 decimal digits. The eleventh Fermat number is a product of five prime factors with 6, 6, 21, 22 and 564 decimal digits. We also note a new 27decimal digit factor of the thirteenth Fermat number. This number has four known prime factors and a 2391decimal digit composite factor. All the new factors reported here were found by the elliptic curve method (ECM). The 40digit factor of the tenth Fermat number was found after about 140 Mflopyears of computation. We discuss aspects of the practical implementation of ECM, including the use of specialpurpose hardware, and note several other large factors found recently by ECM. 1. Introduction For a nonnegative integer n, the nth Fermat number is F n = 2 2 n + 1. It is known that F n is prime for 0 n 4, and composite for 5 n 23. Also, for n 2, the factors of F n are of th...
Sign Change Fault Attacks on Elliptic Curve Cryptosystems
 Fault Diagnosis and Tolerance in Cryptography 2006 (FDTC ’06), volume 4236 of Lecture Notes in Computer Science
, 2004
"... We present a new type of fault attacks on elliptic curve scalar multiplications: Sign Change Attacks. These attacks exploit di#erent number representations as they are often employed in modern cryptographic applications. Previously, fault attacks on elliptic curves aimed to force a device to out ..."
Abstract

Cited by 14 (0 self)
 Add to MetaCart
We present a new type of fault attacks on elliptic curve scalar multiplications: Sign Change Attacks. These attacks exploit di#erent number representations as they are often employed in modern cryptographic applications. Previously, fault attacks on elliptic curves aimed to force a device to output points which are on a cryptographically weak curve. Such attacks can easily be defended against. Our attack produces points which do not leave the curve and are not easily detected. The paper also presents a revised scalar multiplication algorithm that provably protects against Sign Change Attacks.
Do all elliptic curves of the same order have the same difficulty of discrete log
 Advances in Cryptology — ASIACRYPT 2005, Lecture Notes in Computer Science
"... Abstract. The aim of this paper is to justify the common cryptographic practice of selecting elliptic curves using their order as the primary criterion. We can formalize this issue by asking whether the discrete log problem (dlog) has the same difficulty for all curves over a given finite field with ..."
Abstract

Cited by 13 (4 self)
 Add to MetaCart
Abstract. The aim of this paper is to justify the common cryptographic practice of selecting elliptic curves using their order as the primary criterion. We can formalize this issue by asking whether the discrete log problem (dlog) has the same difficulty for all curves over a given finite field with the same order. We prove that this is essentially true by showing polynomial time random reducibility of dlog among such curves, assuming the Generalized Riemann Hypothesis (GRH). We do so by constructing certain expander graphs, similar to Ramanujan graphs, with elliptic curves as nodes and low degree isogenies as edges. The result is obtained from the rapid mixing of random walks on this graph. Our proof works only for curves with (nearly) the same endomorphism rings. Without this technical restriction such a dlog equivalence might be false; however, in practice the restriction may be moot, because all known polynomial time techniques for constructing equal order curves produce only curves with nearly equal endomorphism rings.
Average Frobenius distribution of elliptic curves
, 2005
"... The SatoTate conjecture asserts that given an elliptic curve without complex multiplication, the primes whose Frobenius elements have their trace in a given interval (2α √ p, 2β √ p) 1 − t2 dt. We prove that this conjecture is true on average in a have density given by 2 π more general setting. ..."
Abstract

Cited by 13 (4 self)
 Add to MetaCart
The SatoTate conjecture asserts that given an elliptic curve without complex multiplication, the primes whose Frobenius elements have their trace in a given interval (2α √ p, 2β √ p) 1 − t2 dt. We prove that this conjecture is true on average in a have density given by 2 π more general setting.