## Faster Attacks on Elliptic Curve Cryptosystems (1998)

Venue: Selected Areas in Cryptography, LNCS 1556

Citations: 61 - 1 self

### BibTeX

@INPROCEEDINGS{Wiener98fasterattacks,
    author = {Michael J. Wiener and Robert J. Zuccherato},
    title = {Faster Attacks on Elliptic Curve Cryptosystems},
    booktitle = {Selected Areas in Cryptography, LNCS 1556},
    year = {1998},
    pages = {190--200},
    publisher = {Springer-Verlag}
}

### Abstract

The previously best attack known on elliptic curve cryptosystems used in practice was the parallel collision search based on Pollard's $\rho$-method. The complexity of this attack is the square root of the prime order of the generating point used. For arbitrary curves, typically defined over $GF(p)$ or $GF(2^m)$, the attack time can be reduced by a factor of $\sqrt{2}$, a small improvement. For subfield curves, those defined over $GF(2^{ed})$ with coefficients defining the curve restricted to $GF(2^e)$, the attack time can be reduced by a factor of $\sqrt{2d}$. In particular for curves over $GF(2^m)$ with coefficients in $GF(2)$, called anomalous binary curves or Koblitz curves, the attack time can be reduced by a factor of $\sqrt{2m}$. These curves have structure which allows faster cryptosystem computations. Unfortunately, this structure also helps the attacker. In an example, the time required to compute an elliptic curve logarithm on an anomalous binary curve over $GF(2^{163})$ is reduced from 2 ...

### Citations

2728 | New directions in cryptography
- Diffie, Hellman
- 1976

Citation Context: ...hy based on elliptic curves over finite fields was proposed by Miller [7] and Koblitz [5] in 1985. Elliptic curves over finite fields have been used to implement the Diffie-Hellman key passing scheme [2, 4] and also the elliptic curve variant of the Digital Signature Algorithm [1, 8]. The security of these cryptosystems relies on the difficulty of solving the elliptic curve discrete logarithm problem. I...

697 | Elliptic curve cryptosystems
- Koblitz
- 1987

Citation Context: ...urve over $GF(2^{163})$ is reduced from $2^{81}$ to $2^{77}$ elliptic curve operations. 1 Introduction Public-key cryptography based on elliptic curves over finite fields was proposed by Miller [7] and Koblitz [5] in 1985. Elliptic curves over finite fields have been used to implement the Diffie-Hellman key passing scheme [2, 4] and also the elliptic curve variant of the Digital Signature Algorithm [1, 8]. The...

531 | Use of elliptic curves in cryptography
- Miller
- 1986

Citation Context: ...omalous binary curve over $GF(2^{163})$ is reduced from $2^{81}$ to $2^{77}$ elliptic curve operations. 1 Introduction Public-key cryptography based on elliptic curves over finite fields was proposed by Miller [7] and Koblitz [5] in 1985. Elliptic curves over finite fields have been used to implement the Diffie-Hellman key passing scheme [2, 4] and also the elliptic curve variant of the Digital Signature Algor...

232 | Monte Carlo methods for index computation (mod p)
- Pollard
- 1978

Citation Context: ... elliptic curve based cryptosystems can be broken efficiently. The best attack known on the elliptic curve discrete logarithm problem is parallel collision search [13] based on Pollard's $\rho$ algorithm [9] which has running time proportional to the square root of the largest prime factor dividing the curve order. This method works for any cyclic group and does not make use of any additional structure p...

146 | Parallel Collision Search with Cryptanalytic Applications
- Oorschot, Wiener
- 1999

Citation Context: ...oblem can be solved efficiently, then elliptic curve based cryptosystems can be broken efficiently. The best attack known on the elliptic curve discrete logarithm problem is parallel collision search [13] based on Pollard's $\rho$ algorithm [9] which has running time proportional to the square root of the largest prime factor dividing the curve order. This method works for any cyclic group and does not ma...

119 | CM-curves with good cryptographic properties
- Koblitz
- 1991

Citation Context: ...ic curves have been proposed for use in cryptography because of their ability to provide efficiencies in implementation. Among these have been subfield curves and anomalous binary or Koblitz curves [6, 11]. Using the Frobenius endomorphism, we show that these curves also allow a further speed-up for the parallel collision search algorithm and therefore provide less security than was originally thought....

99 | Fast Key Exchange with Elliptic Curve Systems
- Schroeppel, Orman, et al.
- 1995

Citation Context: ... of $GF(2^e)$, then we say that $E$ is a subfield curve. Notice in this case that $E_{(a,b)}(GF(2^e)) \subset E_{(a,b)}(GF(2^m))$. Using underlying fields of this type provide very efficient implementations [3, 10]. If $e$ is small, so that the number of points in $E_{(a,b)}(GF(2^e))$ can be easily counted, there is an easy way to determine the number of points in $E_{(a,b)}(GF(2^m))$. Denote by $\#E$ the number of po...

87 | An improved algorithm for arithmetic on a family of elliptic curves
- Solinas
- 1997

Citation Context: ...ic curves have been proposed for use in cryptography because of their ability to provide efficiencies in implementation. Among these have been subfield curves and anomalous binary or Koblitz curves [6, 11]. Using the Frobenius endomorphism, we show that these curves also allow a further speed-up for the parallel collision search algorithm and therefore provide less security than was originally thought....

46 | A fast software implementation for arithmetic operations in $GF(2^n)$
- Win, Bosselaers, et al.
- 1996

Citation Context: ... of $GF(2^e)$, then we say that $E$ is a subfield curve. Notice in this case that $E_{(a,b)}(GF(2^e)) \subset E_{(a,b)}(GF(2^m))$. Using underlying fields of this type provide very efficient implementations [3, 10]. If $e$ is small, so that the number of points in $E_{(a,b)}(GF(2^e))$ can be easily counted, there is an easy way to determine the number of points in $E_{(a,b)}(GF(2^m))$. Denote by $\#E$ the number of po...

44 | Speeding up Pollard's rho method for computing discrete logarithms, in Algorithmic Number Theory Seminar ANTS-III
- Teske
- 1998

Citation Context: ...$= Z_j$ we have $A_i P + B_i Q = A_j P + B_j Q$, which gives $l = \frac{A_i - A_j}{B_j - B_i} \bmod n$, unless we are very unlucky and $B_i \equiv B_j \pmod{n}$. Actually, Pollard's function is not an optimal choice. In [12] it is recommended that the points be divided into about 20 sets of equal size $S_1, \ldots, S_{20}$ and that the iteration function be $f(Z) = Z + c_1 P + d_1 Q$ if $Z \in S_1$, $Z + c_2 P$...