## PGP in constrained wireless devices (2000)

Venue: in Proceedings of the 9th USENIX Security Symposium

Citations: 33 - 2 self

```bibtex
@INPROCEEDINGS{Brown00pgpin,
    author = {Michael Brown and Donny Cheung and Darrel Hankerson and Julio Lopez Hern and Michael Kirkup and Alfred Menezes},
    title = {PGP in constrained wireless devices},
    booktitle = {in Proceedings of the 9th USENIX Security Symposium},
    year = {2000},
    pages = {247--261}
}
```

### Abstract

1233 | A public-key cryptosystem and a signature scheme based on discrete logarithms
- ElGamal
- 1985
Citation Context ...of PGP 2, and “it was easier to explain why three became five than to explain why three was the new program and four the old one.” ing DSA [34] for signatures, an ElGamal public-key encryption scheme =-=[12]-=-, the Secure Hash Algorithm (SHA-1) [35] with 160-bit message digests, and the symmetric-key ciphers CAST and Triple-DES (64-bit block ciphers with key sizes of 128 and 168 bits, respectively). In Augu... |

781 | Elliptic curve cryptosystems
- Koblitz
- 1987
Citation Context ...be divided into several libraries in order to accommodate the Palm. 5 Elliptic Curve Cryptography 5.1 Introduction Elliptic curve cryptography (ECC) was proposed independently in 1985 by Neal Koblitz =-=[27]-=- and Victor Miller [33]. For an introduction to ECC, the reader is referred to Chapter 6 of Koblitz’s book [29], or the recent book by Blake, Seroussi and Smart [7]. The primary reason for the attract... |

588 | Uses of elliptic curves in cryptography
- Miller
- 1986
Citation Context ... libraries in order to accommodate the Palm. 5 Elliptic Curve Cryptography 5.1 Introduction Elliptic curve cryptography (ECC) was proposed independently in 1985 by Neal Koblitz [27] and Victor Miller =-=[33]-=-. For an introduction to ECC, the reader is referred to Chapter 6 of Koblitz’s book [29], or the recent book by Blake, Seroussi and Smart [7]. The primary reason for the attractiveness of ECC over RSA... |

449 | The Official PGP User’s Guide
- Zimmermann
- 1995
Citation Context ...Internet Mail Extensions) Internet email format standard. PGP (Pretty Good Privacy) [8, 16] is an email security standard that has been widely used since it was first introduced by Zimmermann in 1991 =-=[52]-=-. While it appears that S/MIME will emerge as the industry standard for commercial and organizational use, it also appears that PGP will remain the choice for personal email security for many users in... |

381 | Why Johnny can’t encrypt: A usability evaluation of PGP 5.0
- Whitten, Tygar
- 1999
Citation Context ...mplementation 7.1 User interface PGP in any form has not been an easy application for novices to manage properly, in part due to the sophistication required, but also because of poor interface design =-=[47]-=-. The goals for our user interface 5 During our work on this project, BlackBerry modified the API to provide some of the access needed to smoothly integrate PGP into their mail application. design wer... |

317 | Reducing elliptic curve logarithms to logarithms in a finite field
- Menezes, Okamoto, et al.
- 1991
Citation Context ...d rho attack [36] against general curves, and its improvements [15, 48] which apply to Koblitz curves. 2. n does not divide q^k − 1 for all 1 ≤ k ≤ 30, confirming resistance to the Weil pairing attack =-=[32]-=- and the Tate pairing attack [13]. 3. #E(F_q) ≠ q, confirming resistance to the Semaev attack [43]. 4. All binary fields F_{2^m} chosen have the property that m is prime, thereby circumventing recent atta... |

277 | Selecting cryptographic key sizes
- Lenstra, Verheul
- 2001
Citation Context ... factorization and discrete logarithm problems have the same expected running times. These estimates are roughly the same as the estimates provided by Lenstra and Verheul in their very thorough paper =-=[31]-=-. The advantages that may be gained from smaller ECC parameters include speed (faster computation) and smaller keys and certificates. These advantages are especially important in environments where pr... |

207 | A remark concerning m-divisibility and the discrete logarithm problem in the divisor class group of curves
- Frey, Ruck
- 1976
Citation Context ... curves, and its improvements [15, 48] which apply to Koblitz curves. 2. n does not divide q^k − 1 for all 1 ≤ k ≤ 30, confirming resistance to the Weil pairing attack [32] and the Tate pairing attack =-=[13]-=-. 3. #E(F_q) ≠ q, confirming resistance to the Semaev attack [43]. 4. All binary fields F_{2^m} chosen have the property that m is prime, thereby circumventing recent attacks [14, 17] on the ECDLP for ell... |

164 | Software implementation of elliptic curve cryptography over binary fields
- Hankerson, Hernandez, et al.
Citation Context ... is very likely that significant performance improvements could be obtained by optimizing the ECC (and DL and RSA) code for these platforms. Further details of our ECC implementations are reported in =-=[23]-=-. For other ECC implementation reports, see [42] for a C implementation of elliptic curve arithmetic over F_{2^155}, [49] for a C/C++ of elliptic curve arithmetic over F_{2^191} and over a 191-bit prime f... |

159 | Parallel collision search with cryptanalytic applications
- Oorschot, Wiener
- 1999
Citation Context ...s E(F_q) chosen resist all known attacks on the ECDLP. Specifically: 1. The number of points, #E(F_q), is divisible by a prime n that is sufficiently large to resist the parallelized Pollard rho attack =-=[36]-=- against general curves, and its improvements [15, 48] which apply to Koblitz curves. 2. n does not divide q^k − 1 for all 1 ≤ k ≤ 30, confirming resistance to the Weil pairing attack [32] and the Tate... |

144 | Constructive and Destructive Facets of Weil Descent on Elliptic Curves
- Gaudry, Hess, et al.
- 2000
Citation Context ... the Tate pairing attack [13]. 3. #E(F_q) ≠ q, confirming resistance to the Semaev attack [43]. 4. All binary fields F_{2^m} chosen have the property that m is prime, thereby circumventing recent attacks =-=[14, 17]-=- on the ECDLP for elliptic curves over binary fields F_{2^m} where m is composite. Security of ECAES. The ECAES modifies the ElGamal encryption scheme by using the one-time Diffie-Hellman shared secret, h... |

134 | CM-curves with good cryptographic properties, in
- Koblitz
- 1991
Citation Context ...ments. Such a representation is defined by a reduction polynomial f(x), which is an irreducible binary polynomial of degree m. For each field F_{2^m}, we chose a random curve over F_{2^m} and a Koblitz curve =-=[28]-=- over F_{2^m} from the list of elliptic curves recommended by NIST for US federal government use [34]. The salient features of the Koblitz curves are provided in Table 2. Koblitz curves have special struc... |

119 | The elliptic curve digital signature algorithm (ECDSA)
- Johnson, Menezes
- 1999
Citation Context ...CDSA. ECDSA is the straightforward elliptic curve analogue of the DSA, which has been extensively scrutinized since it was proposed in 1991. For a summary of the security properties of the ECDSA, see =-=[26]-=-. Our implementation used the 160-bit hash function SHA-1 for all 3 choices of ECC key lengths (163, 233 and 283). As with the ECAES, a future version of our ECDSA implementation should allow for a va... |

106 | Fast key exchange with elliptic curve systems
- Schroeppel, Orman, et al.
- 1995
Citation Context ...rovements could be obtained by optimizing the ECC (and DL and RSA) code for these platforms. Further details of our ECC implementations are reported in [23]. For other ECC implementation reports, see =-=[42]-=- for a C implementation of elliptic curve arithmetic over F_{2^155}, [49] for a C/C++ of elliptic curve arithmetic over F_{2^191} and over a 191-bit prime field, and [22] for an assembly language implemen... |

104 | Use of Elliptic Curves
- Miller
- 1986
Citation Context ...s still represent 80% of all palmtop sales.” 5 Elliptic Curve Cryptography 5.1 Introduction Elliptic curve cryptography (ECC) was proposed independently in 1985 by Neal Koblitz [27] and Victor Miller =-=[33]-=-. For an introduction to ECC, the reader is referred to Chapter 6 of Koblitz’s book [29], or the recent book by Blake, Seroussi and Smart [7]. The primary reason for the attractiveness of ECC over RSA... |

95 | An improved algorithm for arithmetic on a family of elliptic curves
- Solinas
Citation Context ...l government use [34]. The salient features of the Koblitz curves are provided in Table 2. Koblitz curves have special structure that enable faster elliptic curve arithmetic in some environments (see =-=[44, 45]-=-). The number of points on each of the chosen curves is almost prime; that is, #E(F_{2^m}) = nh, where n is prime and h = 2 or h = 4. Since #E(F_{2^m}) ≈ 2^m, it follows that the ECC key length is approximate... |

69 | Improving the parallelized pollard lambda search on anomalous binary curves
- Gallant, Lambert, et al.
- 2000
Citation Context ...LP. Specifically: 1. The number of points, #E(F_q), is divisible by a prime n that is sufficiently large to resist the parallelized Pollard rho attack [36] against general curves, and its improvements =-=[15, 48]-=- which apply to Koblitz curves. 2. n does not divide q^k − 1 for all 1 ≤ k ≤ 30, confirming resistance to the Weil pairing attack [32] and the Tate pairing attack [13]. 3. #E(F_q) ≠ q, confirming resis... |

64 | Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p
- Semaev
- 1998
Citation Context ...ves. 2. n does not divide q^k − 1 for all 1 ≤ k ≤ 30, confirming resistance to the Weil pairing attack [32] and the Tate pairing attack [13]. 3. #E(F_q) ≠ q, confirming resistance to the Semaev attack =-=[43]-=-. 4. All binary fields F_{2^m} chosen have the property that m is prime, thereby circumventing recent attacks [14, 17] on the ECDLP for elliptic curves over binary fields F_{2^m} where m is composite. Securit... |

63 | Faster attacks on elliptic curve cryptosystems
- Wiener, Zuccherato
- 1998
Citation Context ...LP. Specifically: 1. The number of points, #E(F_q), is divisible by a prime n that is sufficiently large to resist the parallelized Pollard rho attack [36] against general curves, and its improvements =-=[15, 48]-=- which apply to Koblitz curves. 2. n does not divide q^k − 1 for all 1 ≤ k ≤ 30, confirming resistance to the Weil pairing attack [32] and the Tate pairing attack [13]. 3. #E(F_q) ≠ q, confirming resis... |

58 | Standard specifications for public-key cryptography
- P1363
- 1998
Citation Context ... 2 283 are from the list of NIST recommended curves [34]. The representations, for both field elements and for elliptic curve points, are compliant with the ANSI X9.62 [4], ANSI X9.63 [5], IEEE P1363 =-=[24]-=- and FIPS 186-2 [34] standards. In addition, the Koblitz curve over F_{2^163} is explicitly listed in the WAP wTLS specification [51]. Our ECDSA implementation conforms to the security and interoperabil... |

56 | DHAES: An encryption scheme based on the Diffie-Hellman problem”, manuscript
- Abdalla, Bellare, et al.
- 1998
Citation Context ...S below. Public key validation with step 4 omitted is called partial public key validation. Elliptic curve authenticated encryption scheme (ECAES). The ECAES, proposed by Abdalla, Bellare and Rogaway =-=[1]-=-, is a variant of the ElGamal public-key encryption scheme [12]. It is efficient and provides security against adaptive chosen-ciphertext attacks. We suppose that receiver B has domain parameters D = (... |

53 | HMAC: Keyed-hashing for message authentication. Internet Request for Comments RFC 2104
- Krawczyk, Bellare, et al.
- 1997
Citation Context ...ain parameters D = (q, FR, a, b, G, n, h) and public key Q. We also suppose that A has authentic copies of D and Q. In the following, MAC is a message authentication code (MAC) algorithm such as HMAC =-=[30]-=-, ENC is a symmetric encryption scheme such as Triple-DES. KDF denotes a key derivation function which derives cryptographic keys from a shared secret point. To encrypt a message m for B, A does: 1. S... |

42 | On the performance of signature schemes based on elliptic curves
- Win, Mister, et al.
- 1998
Citation Context ... for these platforms. Further details of our ECC implementations are reported in [23]. For other ECC implementation reports, see [42] for a C implementation of elliptic curve arithmetic over F_{2^155}, =-=[49]-=- for a C/C++ of elliptic curve arithmetic over F_{2^191} and over a 191-bit prime field, and [22] for an assembly language implementation of elliptic curve arithmetic over a 160-bit prime field on a 10 ... |

40 | A cryptographic application of Weil descent
- Galbraith, Smart
- 1999
Citation Context ... the Tate pairing attack [13]. 3. #E(F_q) ≠ q, confirming resistance to the Semaev attack [43]. 4. All binary fields F_{2^m} chosen have the property that m is prime, thereby circumventing recent attacks =-=[14, 17]-=- on the ECDLP for elliptic curves over binary fields F_{2^m} where m is composite. Security of ECAES. The ECAES modifies the ElGamal encryption scheme by using the one-time Diffie-Hellman shared secret, h... |

35 | A course in Number Theory and Cryptography, 2nd edition Springer-Verlag-1994
- Koblitz
Citation Context ...ion Elliptic curve cryptography (ECC) was proposed independently in 1985 by Neal Koblitz [27] and Victor Miller [33]. For an introduction to ECC, the reader is referred to Chapter 6 of Koblitz’s book =-=[29]-=-, or the recent book by Blake, Seroussi and Smart [7]. The primary reason for the attractiveness of ECC over RSA and discrete log (DL 3 ) public-key systems is that the best algorithm known for solvin... |

34 | Software generation of practically strong random numbers
- Gutmann
- 1999
Citation Context ...ms implement a “random gathering device” which attempts to use environmental noise (keyboard data, system timers, disk characteristics, etc.) to build a cryptographically secure source of random bits =-=[21]-=-. Our pager application used only a rather simple (and most likely not sufficiently secure) seeding process involving the clock and a few other sources. A more sophisticated solution is essential, per... |

32 | A practical implementation of elliptic curve cryptosystems over GF (p) on a 16-bit microcomputer
- Hasegawa, Nakajima, et al.
- 1998
Citation Context ...r ECC implementation reports, see [42] for a C implementation of elliptic curve arithmetic over F_{2^155}, [49] for a C/C++ of elliptic curve arithmetic over F_{2^191} and over a 191-bit prime field, and =-=[22]-=- for an assembly language implementation of elliptic curve arithmetic over a 160-bit prime field on a 10 MHz 16-bit microcomputer. Tables 3, 4 and 5 present timings of our implementation for ECC opera... |

15 | The Elliptic Curve Digital Signature Algorithm
- 62
- 1998
Citation Context ...rves over F_{2^163}, F_{2^233} and F_{2^283} are from the list of NIST recommended curves [34]. The representations, for both field elements and for elliptic curve points, are compliant with the ANSI X9.62 =-=[4]-=-, ANSI X9.63 [5], IEEE P1363 [24] and FIPS 186-2 [34] standards. In addition, the Koblitz curve over F_{2^163} is explicitly listed in the WAP wTLS specification [51]. Our ECDSA implementation conforms ... |

11 | Elliptic Curve Key Agreement and Key Transport Protocols
- 63
- 1999
Citation Context ...3, F_{2^233} and F_{2^283} are from the list of NIST recommended curves [34]. The representations, for both field elements and for elliptic curve points, are compliant with the ANSI X9.62 [4], ANSI X9.63 =-=[5]-=-, IEEE P1363 [24] and FIPS 186-2 [34] standards. In addition, the Koblitz curve over F_{2^163} is explicitly listed in the WAP wTLS specification [51]. Our ECDSA implementation conforms to the security ... |

8 | Improved algorithms for arithmetic on anomalous binary curves
- Solinas
- 1999
Citation Context ...l government use [34]. The salient features of the Koblitz curves are provided in Table 2. Koblitz curves have special structure that enable faster elliptic curve arithmetic in some environments (see =-=[44, 45]-=-). The number of points on each of the chosen curves is almost prime; that is, #E(F_{2^m}) = nh, where n is prime and h = 2 or h = 4. Since #E(F_{2^m}) ≈ 2^m, it follows that the ECC key length is approximate... |

7 | Triple Data Encryption Algorithm Modes of Operation
- 52
- 1998
Citation Context ...to the security and interoperability requirements of ANSI X9.63. The cryptographic components HMAC and Triple-DES (in CBC mode) of ECAES are compliant, respectively, with RFC 2104 [30] and ANSI X9.52 =-=[3]-=-. 6 Porting PGP to the Pager There are now a number of cryptographic libraries and PGP applications which have received extensive development and for which source code is available; see, for example, ... |

5 | Experimenting with Electronic commerce on
- Daswani, Boneh
- 1999
Citation Context ...g’s well-known SSLeay library (now OpenSSL [37]) for use on the PalmPilot [19]. The resulting library was used by Zerucha in building a Palm version of his reference OpenPGP, and by Daswani and Boneh =-=[11]-=- in their paper on electronic commerce. We used Palm development tools based on the GNU C compiler (gcc-2.7.2.2). Timings were done on a Palm V running PalmOS 3.0. There are code segment and stack res... |

2 | The digital signature algorithm (DSA) (revised)”, American Bankers Association, working draft
- 30-1
- 1999
Citation Context ...hm known for the ECDLP takes (√(π2^k))/2 steps for k-bit ECC keys, while exhaustive key search on a symmetric cipher with l-bit keys takes 2^l steps. The estimates for DL security were obtained from =-=[2]-=-. The estimates for RSA security are the same as those for DL security because the best algorithms known for the integer factorization and discrete logarithm problems have the same expected running ti... |

2 | S/MIME version 3 message specification”, Internet RFC 2633
- Ramsdell
- 1999
Citation Context ...g PGP for providing secure and interoperable email communications between constrained wireless devices and desktop machines. There are two popular standards for email security: S/MIME and PGP. S/MIME =-=[40]-=- provides confidentiality and authentication services to the MIME (Multipurpose Internet Mail Extensions) Internet email format standard. PGP (Pretty Good Privacy) [8, 16] is an email security standar... |

1 | OpenPGP Specification and Sample
- Callas
- 1999
Citation Context ...ecurity: S/MIME and PGP. S/MIME [40] provides confidentiality and authentication services to the MIME (Multipurpose Internet Mail Extensions) Internet email format standard. PGP (Pretty Good Privacy) =-=[8, 16]-=- is an email security standard that has been widely used since it was first introduced by Zimmermann in 1991 [52]. While it appears that S/MIME will emerge as the industry standard for commercial and ... |

1 | OpenPGP message format”, Internet RFC 2440
- Callas, Donnerhacke, et al.
- 1998
Citation Context ...ed to correct the alignment bugs and portability problems mentioned above, and necessary changes were made for the elliptic curve schemes (public-key algorithms 18 and 19 in the OpenPGP specification =-=[9]-=-). The compatibility library, along with a few stream-to-memory conversion functions allowed fairly direct use of the OpenPGP sources on the pager. The only code tested exclusively in the pager environ... |

1 | Pilot stuff from
- Goldberg
Citation Context ...ed from two AAA batteries common in the Palm series is used to power the radio. Ian Goldberg had adapted portions of Eric Young’s well-known SSLeay library (now OpenSSL [37]) for use on the PalmPilot =-=[19]-=-. The resulting library was used by Zerucha in building a Palm version of his reference OpenPGP, and by Daswani and Boneh [11] in their paper on electronic commerce. We used Palm development tools bas... |

1 | PalmPilot: The Ultimate Guide, 2nd edition, O’Reilly & Associates
- Poguet
- 1999
Citation Context ...at the algorithms for solving the ECDLP become infeasible much more rapidly as the problem size increases than those algorithms for the integer factorization and discrete logarithm prob2 According to =-=[39]-=-, “Even after two rounds of Microsoft’s best Windows CE efforts, PalmPilot OS devices still represent 80% of all palmtop sales.” 3 Examples of DL systems are the ElGamal public-key encryption scheme a... |