## Compressing and Disguising Elements in Discrete Logarithm Cryptography (2008)

### BibTeX

```bibtex
@MISC{Nicholas08compressingand,
  author = {Philip Nicholas and James Eagle},
  title  = {Compressing and Disguising Elements in Discrete Logarithm Cryptography},
  year   = {2008}
}
```


### Abstract

In the modern world, the ubiquity of digital communication is driven by the constantly evolving field of cryptography. Consequently, one must efficiently implement asymmetric cryptography in environments with limited resources at their disposal, such as smart–cards, ID cards, vehicular microchips and many more. The primary purpose of this thesis is to investigate methods for reducing the bandwidth required by these devices. Part I of this thesis considers compression techniques for elliptic curve cryptography (ECC). We begin by analysing how much data is actually required to establish domain parameters for ECC. Following the widely used cryptographic standards (for example SEC 1), we show that naïvely implemented systems use considerably more data than is actually required, and suggest a flexible and compact way to implement these better. This is especially useful in a multi–curve environment. We then investigate methods for reducing the inherent redundancy in the point representation of Koblitz systems; a by–product of the best known Pollard–ρ based attacks by Wiener & Zuccherato and Gallant, Lambert & Vanstone. We present methods which allow such systems to operate (with high confidence) as efficiently as generic ones whilst maintaining all of their com-

### Citations

2966 | New directions in cryptography
- Diffie, Hellman
- 1976
Citation Context: ...larly bandwidth efficient and thus suitable for multi–curve environments. These results can be applied to many different applications, for example when using the Diffie–Hellman Key–Agreement (DHKA), [26]. In Chapter 7 we consider the message bandwidth of Koblitz systems: Koblitz curves are elliptic curves over $\mathbb{F}_2$ and one uses the group $E(\mathbb{F}_{2^n})$ for ECC. It is well known that Koblitz curves offer various...

1233 | A public-key cryptosystem and a signature scheme based on discrete logarithms
- ElGamal
- 1985
Citation Context: ...7 Cryptographic Schemes Based on the DLP. Here we present two cryptographic schemes based on the discrete logarithm problem; the Diffie–Hellman key–agreement protocol [26] and the ElGamal cryptosystem [28]. This presentation is made for an arbitrary finite abelian group $(G, +)$ where we assume we work in the maximal prime order subgroup $\langle P \rangle$ of order $\ell$. 2.7.1 DHKA–Protocol. The Diffie–Hellman key–agreeme...

781 | Elliptic curve cryptosystems
- Koblitz
- 1987
Citation Context: ...ntity $O$ under point addition, see §4.1.1. Since $\mathbb{F}_q$ is finite, $E(\mathbb{F}_q)$ is necessarily a finite abelian group and may be used for DL–based cryptosystems. This was first suggested independently by Koblitz [54] and Miller [71] in 1985. Definition 4.1.6. Let $E/\mathbb{F}_q$. Then the $q$th–power Frobenius map is $\psi : E(\overline{\mathbb{F}_q}) \to E(\overline{\mathbb{F}_q})$, $(x, y) \mapsto (x^q, y^q)$, $O \mapsto O$. The map $\psi$ is a group endomorphism of $E(\mathbb{F}_{q^n})$ for any...

731 | The Art of Computer Programming, volume 2: Seminumerical Algorithms
- Knuth
- 1968
Citation Context: ...for a given $a, b \in \mathbb{Z}_\ell$. This is trivial as it only requires us to calculate a modular inverse, which can be computed in $O(\lg^2 \ell)$ bit operations (polynomial–time) using the extended Euclidean algorithm [53]. Instead however, if we let $(G, \oplus) = E(\mathbb{F}_q)$ be the group of rational points on an elliptic curve defined over a finite field $\mathbb{F}_q$, generically the best known algorithm for solving this DLP is fully expo...

571 | Finite Fields
- Lidl, Niederreiter
- 1983
Citation Context: ...of this thesis is applications in cryptography, most of our work requires finite fields. A good background to this material is the excellent Introduction to Finite Fields by H. Lidl & H. Niederreiter [62], S. Lang’s Algebra [56] and Z. Wan’s Lectures on Finite Fields and Galois Rings [107]. 3.1 Notation. Definition 3.1.1. Throughout this thesis: • lg denotes logarithms to the base 2: $\lg x = \log_2 x$. • ...

439 | Guide to Elliptic Curve Cryptography
- Hankerson, Menezes, et al.
- 2004
Citation Context: ...r the underlying theory our research references the excellent books by Silverman [92, 93] and Washington [108]. For implementation issues of ECC, we utilise the books by Hankerson, Menezes & Vanstone [47], Enge [30], The Handbook of Elliptic and Hyperelliptic Curve Cryptography [19] and the excellent duo Elliptic Curves in Cryptography and Advances in Elliptic Curve Cryptography [11, 96]. We present ...

317 | Reducing elliptic curve logarithms to logarithms in a finite field
- Menezes, Okamoto, et al.
- 1993
Citation Context: ... and Weierstraß forms. Instead, using the work of Bernstein & Lange in [9], we consider point addition being directly evaluated on the Edwards curve. 4.4 Specific Attacks on Elliptic Curves: MOV. In [68] Menezes, Okamoto & Vanstone gave a method to map an ECDLP on an $E/\mathbb{F}_q$ to an ordinary DLP in the multiplicative group of an extension field $\mathbb{F}_{q^k}$, for some $k \geq 1$, where index–calculus attacks can then be...

183 | Multiplication of multidigit numbers on automata
- Karatsuba, Ofman
- 1963
Citation Context: ... complexity of $O(\log^3 q)$. Here the constant $\mu \in \mathbb{R}_{>0}$ is such that multiplication of two $m$–bit integers can be computed in $O(m^\mu)$ time ([96], p103): for example $\mu = \lg 3$ for Karatsuba multiplication [51, 53] and $\mu = 1 + \epsilon$ with $\epsilon \in \mathbb{R}_{>0}$ for Schönhage–Strassen multiplication [86]. Elkies [29] and Atkin [5] improved the efficiency of Schoof’s algorithm to give a heuristically estimated time complexity of $O(l$...

164 | Software implementation of elliptic curve cryptography over binary fields
- Hankerson, Hernandez, et al.
Citation Context: ...using Jacobian projective coordinates ([19], p282). Similarly, since the arithmetic performance of $\mathbb{F}_p$ depends on the underlying prime $p$, one is often recommended to use primes of certain forms (viz. [6, 17, 46, 73, 94, 98, 110]). Since we assume here that one cannot embed an ECDLP into an $\mathbb{F}_q$–DLP, improved SNFS attacks for these primes (e.g. the Frey–Rück attack [36]) are not relevant. Hence there are no known weaknesses in ...

144 | Constructive and Destructive Facets of Weil Descent on Elliptic Curves
- Gaudry, Hess, et al.
- 2000
Citation Context: ...weight 3 and when not, of weight 5. Hence for the range of security parameters given in Table 6.2, we know that $W(f) \leq 5$ can always be achieved. Due to work by Frey, Galbraith, Gaudry, Heß & Smart in [38, 43] on using Weil descent as an attack, one is recommended to choose only prime extensions $n$ (see [66]). Thus for prime $n$, Table 6.7 gives 60 low–weight polynomials (viz. 60 fields) contained within the c...

104 | Use of Elliptic Curves in Cryptography
- Miller
- 1986
Citation Context: ...int addition, see §4.1.1. Since $\mathbb{F}_q$ is finite, $E(\mathbb{F}_q)$ is necessarily a finite abelian group and may be used for DL–based cryptosystems. This was first suggested independently by Koblitz [54] and Miller [71] in 1985. Definition 4.1.6. Let $E/\mathbb{F}_q$. Then the $q$th–power Frobenius map is $\psi : E(\overline{\mathbb{F}_q}) \to E(\overline{\mathbb{F}_q})$, $(x, y) \mapsto (x^q, y^q)$, $O \mapsto O$. The map $\psi$ is a group endomorphism of $E(\mathbb{F}_{q^n})$ for any $n \geq 1$ since it ...

82 | The improbability that an elliptic curve has sub-exponential discrete log problem under the Menezes-Okamoto-Vanstone algorithm
- Balasubramanian, Koblitz
- 1998
Citation Context: ...probably easier than directly solving the ECDLP on $E/\mathbb{F}_q$, reducing the security of the original problem. However $k$ here is the embedding degree from Definition 4.1.14, and Balasubramanian & Koblitz in [7] showed that the probability of a random elliptic curve having a low embedding–degree is very low. Due to these attacks it is often recommended that one tests that the order $\ell$ of the largest prime sub...

75 | Faster point multiplication on elliptic curves with efficient endomorphisms
- Gallant, Lambert, et al.
- 2001
Citation Context: ...urther in the sequel. An additional advantage with both compact curves is that by construction they admit improved group operation performance through automorphisms from Gallant, Lambert & Vanstone in [41]. The case for hyperelliptic and other non–genus–one curves has been considered by Brown, Myers & Solinas [15]. This is an extension of [14] however, and is not discussed as it contains no relevant re...

69 | Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms
- Bailey, Paar
- 1998
Citation Context: ...using Jacobian projective coordinates ([19], p282). Similarly, since the arithmetic performance of $\mathbb{F}_p$ depends on the underlying prime $p$, one is often recommended to use primes of certain forms (viz. [6, 17, 46, 73, 94, 98, 110]). Since we assume here that one cannot embed an ECDLP into an $\mathbb{F}_q$–DLP, improved SNFS attacks for these primes (e.g. the Frey–Rück attack [36]) are not relevant. Hence there are no known weaknesses in ...

69 | Improving the parallelized Pollard lambda search on anomalous binary curves
- Gallant, Lambert, et al.
- 2000
Citation Context: ...ic curves over $\mathbb{F}_2$ and one uses the group $E(\mathbb{F}_{2^n})$ for ECC. It is well known that Koblitz curves offer various implementational advantages. Both Wiener & Zuccherato [109] and Gallant, Lambert & Vanstone [42] showed that one can accelerate Pollard–ρ type attacks on Koblitz curves using group automorphisms. This implies that when using Koblitz systems, one has a lower security per bit than when using gener...

68 | Complexity of a determinate algorithm for the discrete logarithm
- Nechaev
Citation Context: ... where its element representation is not publicly defined or useful to a cryptanalyst, as was presented in Definition 2.3.1. 9.1.1 Generic Algorithms. Shoup in [90] generalised earlier work by Nechaev [72] concerning generic algorithms; that is, an algorithm that does not exploit any property of an element's representation, other than that it can be uniquely represented by a bit string. Shoup clarified and...

67 | Non-deterministic algorithms
- Floyd
- 1967
Citation Context: ...$x_i \in S_3$. Clearly any iterated sequence over a finite set must eventually find the same group value twice; i.e. for some $i \neq j$ one must find a cycle such that $x_i = x_j$. Floyd’s cycle finding algorithm [33, 53] detects the cycle as follows: given the DLP above, $\beta = \alpha^x$, start with the pair $(x_1, x_2)$ and iteratively compute $(x_i, x_{2i})$ from the previous pair $(x_{i-1}, x_{2(i-1)})$ until $x_m = x_{2m}$ for some $m \in \mathbb{Z}_n$. Now...

59 | A normal form for elliptic curves
- Edwards
- 2007
Citation Context: ...ondarily, one is able to evaluate the lifted order of $\#E(\mathbb{F}_{2^n})$ very efficiently, using only arithmetic in $\mathbb{Z}$. See §5.7.1 for further details. 4.3 Edwards Curves. Rather excitingly, in 2007 Edwards in [27] gave an alternative form other than the Weierstraß equation to describe an elliptic curve. This was significant, as one can give a strongly unified addition law on the curve. This is where one formul...

56 | Faster addition and doubling on elliptic curves
- Bernstein, Lange
- 2007
Citation Context: ...a is resistance against side–channel attacks. This is unlike the standard Weierstraß form commonly used, and makes Edwards curves very interesting for cryptography. Subsequently, Bernstein & Lange in [9, 10] showed that Edwards curves have exceptionally efficient arithmetic, particularly when using small curve coefficients. We now briefly present Edwards curves, and refer the interested reader to [27], a...

53 | The number of points on an elliptic curve modulo a prime. Series of e-mails to the NMBRTHRY mailing list
- Atkin
- 1992

39 | Extending the GHS Weil descent attack
- Galbraith, Hess, et al.

36 | Elliptic curves and their applications to cryptography, an introduction
- Enge
- 1999
Citation Context: ...lying theory our research references the excellent books by Silverman [92, 93] and Washington [108]. For implementation issues of ECC, we utilise the books by Hankerson, Menezes & Vanstone [47], Enge [30], The Handbook of Elliptic and Hyperelliptic Curve Cryptography [19] and the excellent duo Elliptic Curves in Cryptography and Advances in Elliptic Curve Cryptography [11, 96]. We present the main re...

34 | Modifications to the number field sieve
- Coppersmith
- 1993

29 | Analysis of the Weil descent attack of Gaudry, Hess and Smart
- Menezes, Qu
- 2001
Citation Context: ...ne tests that the order $\ell$ of the largest prime subgroup does not divide $q^k - 1$ for all small $k$ where the $\mathbb{F}_{q^k}$–DLP is tractable. Currently it is recommended that one tests $k$ in the range $1 \leq k \leq 20$, [19, 66]. 4.5 Security Parameters. The security of ECDLP–based cryptosystems is based on the size of the largest prime divisor $\ell$ of $\#E(\mathbb{F}_q)$ and the complexity of the best known attacks. For general curves, thes...

22 | Polynomial Equivalence Problems: Algorithmic and Theoretical Aspects
- Faugère, Perret
- 2006
Citation Context: ...em would be of an impracticable size, due to work by Faugère & Perret at Eurocrypt 2006. Here Faugère used his own F5 algorithm to attack the Polynomial Isomorphism Problem with One Secret (IP1S) in [31, 75]. These Gröbner based attacks are not known to affect the general problem of a disguised elliptic group, but do affect the hidden pairings problem which was presented in [23]. 9.1.6 Our Contributi...

22 | Using cyclotomic polynomials to construct efficient discrete logarithm cryptosystems over finite fields
- Lenstra
- 1997
Citation Context: ... (8.1.1) & (8.1.2), in $\mathbb{F}_q[x]$; $x^n - 1 = \prod_{d \mid n} \Phi_d(x)$. From Corollary 8.1.7 one has $\Phi_n(x) \mid (x^n - 1)$. Hence, there exists a subgroup of $\mathbb{F}_{q^n}$ of order $\Phi_n(q)$. Moreover when one has $\Phi_n(q) > n$, Lenstra observed in [57] that for a prime $q$ this subgroup cannot be embedded in any other proper subfield of $\mathbb{F}_{q^n}$. For cryptographically useful groups, this always happens and motivates us to formally define this group: ...

20 | A kilobit special number field sieve factorization
- Aoki, Franke, et al.
- 2007

18 | An invitation to modern number theory
- Miller, Takloo-Bighash
- 2006
Citation Context: ...s modulo $p$. For a restricted device, this computation is probably too laborious and so here, one must transmit $\omega$ in the definition of $F$. We can use a by–product of the generalised Riemann Hypothesis [70] which states that there always exists a primitive root $\omega$ such that $\omega < 70(\ln p)^2 < 33.7(\lg p)^2$ (6.5.3) modulo a prime $p$. The details of this are beyond the scope of this thesis, but the result for ...

18 | Recommended elliptic curves for federal government use
- NIST
- 1999
Citation Context: ...he families constructible. The alternative is to restrict the families definable to popular choices, where one uses certain fields and curves which allow faster group arithmetic. For example, NIST in [73] recommends fixing $a = -3$ in the Weierstraß form for curves over non–binary fields. This is because it accelerates the group arithmetic when using Jacobian projective coordinates ([19], p282). Simila...

15 | The Development of the Number Field
- Lenstra, Lenstra
- 1993
Citation Context: ...90’s. Since the computational complexity for the SNFS to factor an integer $n$ is $L_n[1/3, (32/9)^{1/3}] = O\!\left(e^{\left(\frac{32}{9}\ln n\right)^{1/3}(\ln\ln n)^{2/3}}\right)$, this was equivalent to approximately 68–bits of work, [58]. Hence this result is reasonable. Definition 2.3.1. Let $(G, \oplus)$ be a finite cyclic group of prime order $\ell$ and let $P$ be a generator of $G$. The (additive) map $\phi : \mathbb{Z}_\ell \to G$, $t \mapsto [t]P = \underbrace{P \oplus P \oplus \cdots \oplus P}_{t}$...

13 | A Study on Theoretical and Practical Aspects of Weil Restrictions of Varieties. http://www.math.uni-leipzig.de/~diem/preprints/english.html
- Diem
- 2001

12 | X9.62-2005: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve
- ANSI
- 1998
Citation Context: ...$y_1$, $\mu \leftarrow x_1^2$. $x_3 = \lambda^2 + \lambda + a + x_1 + x_2$, $y_3 = (\lambda + 1)x_3 + \mu = (x_1 + x_3)\lambda + x_3 + y_1$. Lemma 4.1.16. In an odd prime order subgroup $\ell$ of $E(\mathbb{F}_{2^n})$, all points $P = (x_2, y_2) \neq O$ may be written as $P = [2]R$ where $R = (x_1, y_1)$ and $x_2 = x_1^2 + b x_1^{-2}$. Proof. If we are working in a prime order subgroup, for an $R \in \langle P \rangle$, $R \neq O$, one has $\exists b \in [1, \ell]$ such that $P = [b]R$. Since $\ell$ is odd it is coprime to two,...

12 | Hidden pairings and trapdoor DDH groups
- Dent, Galbraith
- 2006
Citation Context: ...ructure which can be exploited by algorithms. Such groups could have interesting cryptographic applications. There has been limited research into finding group representations which behave like BBGs, [23, 34, 37, 65]. One possible approach is to disguise a group representation such that it is hard to recover a natural mathematical representation of the original group. Dent & Galbraith in [23] (building on the wor...

10 | Searching for Elements in Black Box Fields and Applications
- Boneh, Lipton
- 1996
Citation Context: ...There has been limited research on whether or not it is possible to implement effective black–box cryptography by utilising so–called black–box groups and a disguised representation of their elements [12, 23, 34, 37, 65]. As a motivational example for this research, let us recall the definition of the generic DLP from Definition 2.3.1, which is independent of the specific representation of a group: Definition 2.3.1. ...

10 | 2: Recommended Elliptic Curve Domain Parameters. Standards for Efficient Cryptography
- SEC
- 2000
Citation Context: ...key pairs $(Q = [\phi]P, \phi)$. It is often recommended that one chooses this base point at random by selecting an $x_i \in_R \mathbb{F}_q$ and testing whether or not $x_i^3 + a x_i + b$ is a quadratic residue modulo $p = \mathrm{char}(\mathbb{F}_q)$ [2, 11, 17]. A similar method is used for curves over $\mathbb{F}_{2^n}$ and both have a probability of success in defining a valid curve point of 1/2 for each trial. Once a valid point $P \in E(\mathbb{F}_q)$ has been found, it is check...

10 | The probability that the number of points on an elliptic curve over a finite field is prime
- McKee
Citation Context: ...nitions 6.6.1 & 6.6.3 and generate $r$–small elements $b \in \mathbb{F}_q^*$ until one has curves with the desired properties. To find an empirical bound for the size of $b$, we use the work of Galbraith & McKee from [39]: 6.6.3 Probability of Occurring Orders of $\#E$. Galbraith & McKee in [39] investigate the probability that a random curve over a finite field has prime or near prime order. They give the following conje...

10 | An overview of the XTR public key system
- Lenstra, Verheul
- 2000
Citation Context: ...or a $k = g(h - h^{-1}) \in \mathbb{F}_{q^m}$. This occurs for approximately $q^{m-1}$ elements $k$ of $\mathbb{F}_{q^m}$ for a fixed $g$. Hence this holds approximately $1/q$ of the time. 8.4 Trace Based Cryptosystems: XTR. Lenstra & Verheul in [59, 60] proposed a natural extension of the idea behind LUC called Efficient Compact Subgroup Trace Representation, which is more commonly known as XTR. XTR uses traces over $\mathbb{F}_{p^2}$ to represent elements of the...

7 | Recommendation for Key
- Barker, Barker, et al.
- 2006
Citation Context: ...forgetting is so long. Pablo Neruda (1904–1973). 1 Motivation. Elliptic Curve Cryptography: Kerckhoffs’ Law from 1883 states “The strength of a cipher should only depend on its key size” [52]. NIST in [8] gives examples of key sizes for equivalent strengths between different asymmetric cryptosystems and groups. These are provided for RSA, finite fields $\mathbb{F}_q$, and elliptic curves over finite fields $E/\mathbb{F}_q$....

6 | Black-Box Extension Fields and the Inexistence of Field-Homomorphic One-Way Permutations. Asiacrypt ’07
- Maurer, Raub
Citation Context: ...There has been limited research on whether or not it is possible to implement effective black–box cryptography by utilising so–called black–box groups and a disguised representation of their elements [12, 23, 34, 37, 65]. As a motivational example for this research, let us recall the definition of the generic DLP from Definition 2.3.1, which is independent of the specific representation of a group: Definition 2.3.1. ...

4 | Elliptic Curves with Compact Parameters
- Brown, Myers, et al.
Citation Context: ...ested reader. 6.2 Previous Research: Smart. Compressing domain parameters has received little attention: we are only aware of the work by Smart in [94], précised here, and that by Brown, Myers & Solinas [14] given in §6.3. Efficient domain parameter representation was considered by Smart in [94], where methods were suggested for binary and prime fields of size [150, 255] bits. Smart noted that for binary...

4 | Weak fields for ECC, Topics
- Menezes, Teske, et al.
Citation Context: ... $y^2 + xy = x^3 + ax^2 + b$ (5.4.3) with $b \neq 0$ represents every isomorphism class of ordinary elliptic curves over $\mathbb{F}_{2^n}$ ([11], p37). With this, one recalls Lemma III.4 from ([11], p38) and Lemma 7 from ([67], p12) respectively, given here: Lemma 5.4.3. Consider an elliptic curve defined by equation (5.4.3) over $\mathbb{F}_{2^n}$. Then $\#E(\mathbb{F}_{2^n}) \equiv 0 \pmod 4$ if $\mathrm{Tr}_{2^n|2}(a) = 0$, and $\#E(\mathbb{F}_{2^n}) \equiv 2 \pmod 4$ if $\mathrm{Tr}_{2^n|2}(a) = 1$ (5.4.4). Lemm...

2 | The Number Field Sieve
- Joux, Lercier, et al.
- 2006
Citation Context: ...persmith in [20] showed that theoretically one has $c = \frac{1}{3}(92 + 26\sqrt{13})^{1/3} \approx 1.9$. Recently Joux et al. showed that $c$ could be even smaller, with their results depending on the ratio of $p$ and $p^n$, [50]. For example, when $p$ can be written as $L_p[l_p, c']$ with $l_p > 2/3$ then they present an algorithm with complexity $L_{p^n}[1/3, c]$ where $c = (64/9)^{1/3} \approx 1.167$. These results compare well to the generic ru...

1 | Explicit Computation of Isomorphisms between Finite Fields, Finite Fields and their
- Allombert
Citation Context: ...eterministic polynomial–time algorithms do exist, but gave no explicit algorithms for constructing a polynomial $m \in K_g$ such that $f \circ m \equiv 0 \pmod{g}$. Better methods may be found by reading Allombert in [1]. We do not consider these however, as only the existence of such a polynomial–time algorithm is relevant to us here. The interested reader should consult the references for further details. Part I...

1 | coordinates, 17th Applied Algebra, Algebraic Algorithms and Error Correcting Codes
- Edwards
- 2007
Citation Context: ...a is resistance against side–channel attacks. This is unlike the standard Weierstraß form commonly used, and makes Edwards curves very interesting for cryptography. Subsequently, Bernstein & Lange in [9, 10] showed that Edwards curves have exceptionally efficient arithmetic, particularly when using small curve coefficients. We now briefly present Edwards curves, and refer the interested reader to [27], a...

1 | 1: Elliptic Curve Cryptography (Working Draft Revision 1.7), SECG: Standards For Efficient Cryptography Group
- SEC
- 2006
Citation Context: ...isation of elliptic curve based cryptosystems one needs to generate, transmit and store system domain parameters. These domain parameters, when implemented naïvely as given in standards such as SEC [18], require approximately $\tfrac{11}{2}L$–bits to represent. In Chapter 5 we will explicitly detail the bandwidth required to represent each domain parameter element under the SEC 1 standard. We then suggest met...

1 | How to disguise an elliptic curve (Weil descent), Talk at ECC ’98
- Frey
- 1998
Citation Context: ...ructure which can be exploited by algorithms. Such groups could have interesting cryptographic applications. There has been limited research into finding group representations which behave like BBGs, [23, 34, 37, 65]. One possible approach is to disguise a group representation such that it is hard to recover a natural mathematical representation of the original group. Dent & Galbraith in [23] (building on the wor...

1 | A remark regarding m–divisibility and the discrete logarithm problem in the divisor class group of curves, Mathematics of Computation 62
- Frey, Rück
- 1994
Citation Context: ...ive group of an extension field $\mathbb{F}_{q^k}$, for some $k \geq 1$, where index–calculus attacks can then be mounted. This is often denoted the MOV attack. A second similar reduction was presented by Frey & Rück in [36]. The key point of these attacks is that if $k$ is small, then solving the DLP in $\mathbb{F}_{q^k}$ is probably easier than directly solving the ECDLP on $E/\mathbb{F}_q$, reducing the security of the original problem. However...

1 | Disguising tori and elliptic curves
- Galbraith
- 2006
Citation Context: ...ructure which can be exploited by algorithms. Such groups could have interesting cryptographic applications. There has been limited research into finding group representations which behave like BBGs, [23, 34, 37, 65]. One possible approach is to disguise a group representation such that it is hard to recover a natural mathematical representation of the original group. Dent & Galbraith in [23] (building on the wor...

1 | A cryptographic application of Weil descent, Codes and Cryptography 1746
- Galbraith, Smart
- 1999
Citation Context: ...proposed by Frey [34, 35] where an ECDLP over a binary field $\mathbb{F}_{2^n}$ is reduced to a DLP in an abelian variety over a proper subfield $\mathbb{F}_{2^l} \subset \mathbb{F}_{2^n}$. This method was extended by Galbraith, Gaudry, Heß & Smart [40, 43] (the GHS–attack) where they demonstrated that many DLPs over elliptic curves could be mapped to DLPs in the Jacobian of a hyperelliptic curve over $\mathbb{F}_{2^l}$. Since sub–exponential attacks exist for the hyp...

1 | Method for generating secure elliptic curves using an arithmetic-geometric mean iteration, United States Patent Application
- Harley, Mestre
- 2002
Citation Context: ...e characteristic fields. For small characteristic fields and certain parameters, $p$–adic methods such as Satoh’s [84, 104] and the Arithmetic–Geometric Mean (AGM) point counting algorithm of Harley [48] are more efficient. Since we do not specifically require these algorithms in our argument here, the interested reader should consult the original papers or the excellent treatment given in ([96],...