## Fast Key Exchange with Elliptic Curve Systems (1995)

### Cached

### Download Links

- [coast.cs.purdue.edu]
- [pdf.aminer.org]
- [ftp.cs.arizona.edu]
- [ftp.cs.arizona.edu]
- [saluc.engr.uconn.edu]
- DBLP

### Other Repositories/Bibliography

Citations: | 106 - 2 self |

### BibTeX

@INPROCEEDINGS{Schroeppel95fastkey,

author = {Richard Schroeppel and Hilarie Orman},

title = {Fast Key Exchange with Elliptic Curve Systems},

booktitle = {},

year = {1995},

pages = {43--56},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

The Diffie-Hellman key exchange algorithm can be implemented using the group of points on an elliptic curve over the field F 2 n . A software version of this using n = 155 can be optimized to achieve computation rates that are significantly faster than non-elliptic curve versions with a similar level of security. The fast computation of reciprocals in F 2 n is the key to the highly efficient implementation described here. March 31, 1995 Department of Computer Science The University of Arizona Tucson, AZ 1 Introduction The Diffie-Hellman key exchange algorithm [10] is a very useful method for initiating a conversation between two previously unintroduced parties. It relies on exponentiation in a large group, and the software implementation of the group operation is usually computationally intensive. The algorithm has been proposed as an Internet standard [13], and the benefit of an efficient implementation would be that it could be widely deployed across a variety of platforms, greatl...

### Citations

3006 | New Directions in Cryptography
- Diffie, Hellman
- 1976
(Show Context)
Citation Context ...o the highly efficient implementation described here. March 31, 1995 Department of Computer Science The University of Arizona Tucson, AZ 85721 1 Introduction The Diffie-Hellman key exchange algorithm =-=[10]-=- is a very useful method for initiating a conversation between two previously unintroduced parties. It relies on exponentiation in a large group, and the software implementation of the group operation... |

1246 | Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
- ElGamal, “A
- 1985
(Show Context)
Citation Context ...RC times. Both machines have a 32-bit word size. 6 Other Applications The elliptic curve improvements will be helpful in implementing not only DH key exchange, but also make El Gamal style encryption =-=[11]-=- more attractive. The total effort of signing and checking a signature is less with elliptic curve methods than with RSA. The new reciprocal algorithm is useful for doing arithmetic in other finite fi... |

796 |
Elliptic curve cryptosystems
- Koblitz
- 1987
(Show Context)
Citation Context ...otivated our research into faster software implementations of the basic operations behind the protocol. Elliptic curve systems, first suggested by Victor Miller [23] and independently by Neal Koblitz =-=[17]-=-, were a natural choice because they are (insofar as is known today) immune to the index calculus attack. This means that smaller numbers can be used to achieve the same degree of security for the Dif... |

468 |
Algebraic Coding Theory
- BERLEKAMP
- 1971
(Show Context)
Citation Context ...a simple, but relatively slow, recursive solution, exactly analogous to the related algorithm for integers. We have developed an algorithm that is considerably faster. It borrows ideas from Berlekamp =-=[4]-=- and from the low-end GCD algorithm of Roland Silver, John Terzian, and J. Stein (described in Knuth [16] p. 297). Our Almost Inverse algorithm computes Bu and k such that AB u k modM degB de... |

305 |
Elliptic Curve Public Key Cryptosystems
- Menezes
- 1993
(Show Context)
Citation Context ... We include here brief descriptions of the field and elliptic curve manipulations; this material is from draft document [22]. See Silverman [29] for a general introduction to elliptic curves; Menezes =-=[21]-=- provides a cookbook approach and an 1 introduction to the cryptographic methods. Other good references are [1, 2, 3, 5]. For our purposes, an elliptic curve E is a set of points x y with coordinat... |

110 |
Use of Elliptic Curves
- Miller
- 1986
(Show Context)
Citation Context ... 20 key exchanges per hour. This work motivated our research into faster software implementations of the basic operations behind the protocol. Elliptic curve systems, first suggested by Victor Miller =-=[23]-=- and independently by Neal Koblitz [17], were a natural choice because they are (insofar as is known today) immune to the index calculus attack. This means that smaller numbers can be used to achieve ... |

105 |
An Implementation of Elliptic Curve Cryptosystems over F 155
- Agnew, Mullin, et al.
- 1993
(Show Context)
Citation Context ...ocument [22]. See Silverman [29] for a general introduction to elliptic curves; Menezes [21] provides a cookbook approach and an 1 introduction to the cryptographic methods. Other good references are =-=[1, 2, 3, 5]-=-. For our purposes, an elliptic curve E is a set of points x y with coordinates x and y lying in the field F and satisfying the equation y xy x ax b. a and b are constants, field el... |

105 |
A fast algorithm for computing multiplicative inverses in GF (2m) using normal bases
- Itoh, Tsujii
- 1988
(Show Context)
Citation Context ... 100-199, 43 have no irreducible trinomial. Menezes’ inversion scheme for a field element Au, computes Au as Au mod T u. This can be done with 10 multiplications and 154 squarings =-=[14]-=-. 6 The algorithm will work whenever Au and Mu are relatively prime, Au s, Mu is odd, and degM s. The Almost Inverse Algorithm Initialize integer k=0, and polynomials B=1,C=0,F=A,G=M. loo... |

72 |
Seminumerical algorithms, The Art of
- Knuth
- 1973
(Show Context)
Citation Context ...n.) Although the number of doubling steps is roughly fixed, it is possible to reduce considerably the number of addition steps needed. This problem is studied in a large literature on addition chains =-=[16, 6, 7, 27]-=-. We mention a few points: Menezes [21] discusses the idea of using a low Hamming weight multiplier. If one is content to select from among smultipliers, while allowing multipliers up to about ... |

52 |
An Implementation for a Fast Public-Key Cryptosystem
- Agnew, Mullin, et al.
- 1991
(Show Context)
Citation Context ...ocument [22]. See Silverman [29] for a general introduction to elliptic curves; Menezes [21] provides a cookbook approach and an 1 introduction to the cryptographic methods. Other good references are =-=[1, 2, 3, 5]-=-. For our purposes, an elliptic curve E is a set of points x y with coordinates x and y lying in the field F and satisfying the equation y xy x ax b. a and b are constants, field el... |

48 |
Addition chain heuristics
- Bos, Coster
(Show Context)
Citation Context ...n.) Although the number of doubling steps is roughly fixed, it is possible to reduce considerably the number of addition steps needed. This problem is studied in a large literature on addition chains =-=[16, 6, 7, 27]-=-. We mention a few points: Menezes [21] discusses the idea of using a low Hamming weight multiplier. If one is content to select from among smultipliers, while allowing multipliers up to about ... |

46 |
Constructing elliptic curves with given group order over large finite fields
- Lay, Zimmer
- 1994
(Show Context)
Citation Context ...ith a s, the best possible order is p (with p a prime near ) [18]. (If we select a s, the order can have the form p with p near , giving a small amount of extra security.) Lay and Zimmer =-=[20]-=- give a method for creating a curve with a given order, but we are reluctant to use their scheme, since it produces curves closely related to rational curves with an extra structural property called c... |

43 |
Public-Key Cryptosystems with Very Small Key Lengths
- Harper, Menezes, et al.
- 1993
(Show Context)
Citation Context ... b from the equation y xy x b. The best known methods for computing elliptic curve discrete logarithms take time proportional to the square-root of the largest prime factor of the group order =-=[25, 26, 12]-=-. In our case, the largest prime factor will be about , so finding discrete logarithms will take about operations. 3.3 Choosing a Multiplier The number of additions and doublings nece... |

24 |
Computation of Discrete Logarithms
- MACCHIA, ODLYZKO
- 1991
(Show Context)
Citation Context ...ines. The Diffie-Hellman algorithm was implemented several years ago as part of the Sun SecureRPC system used by Sun Microsystems, and the implementation used numbers of a size that was determined in =-=[19]-=- to be attackable using a method described in [8]. This work indicated that instead of using a 192-bit modulus, which could be “cracked” in only about 3 months of effort (including software developmen... |

21 |
Fast Exponentiation with Precomputation (Extended Abstract
- BRICKELL, GORDON, et al.
- 1993
(Show Context)
Citation Context ...n.) Although the number of doubling steps is roughly fixed, it is possible to reduce considerably the number of addition steps needed. This problem is studied in a large literature on addition chains =-=[16, 6, 7, 27]-=-. We mention a few points: Menezes [21] discusses the idea of using a low Hamming weight multiplier. If one is content to select from among smultipliers, while allowing multipliers up to about ... |

19 | Constructing elliptic curve cryptosystems in characteristic 2
- Koblitz
- 1990
(Show Context)
Citation Context ... to the number of field elements. For maximum security, the order should have as large a prime factor as possible. In our equation, with a s, the best possible order is p (with p a prime near ) =-=[18]-=-. (If we select a s, the order can have the form p with p near , giving a small amount of extra security.) Lay and Zimmer [20] give a method for creating a curve with a given order, but we are ... |

11 | Arithmetic operations in GF(2 m - Agnew, Beth, et al. - 1993 |

9 |
Non Supersingular Elliptic Curves for Public Key Cryptosystems
- Beth, Schaefer
- 1991
(Show Context)
Citation Context ...ocument [22]. See Silverman [29] for a general introduction to elliptic curves; Menezes [21] provides a cookbook approach and an 1 introduction to the cryptographic methods. Other good references are =-=[1, 2, 3, 5]-=-. For our purposes, an elliptic curve E is a set of points x y with coordinates x and y lying in the field F and satisfying the equation y xy x ax b. a and b are constants, field el... |

1 |
Doklady Akademiia Nauk SSSR
- KARATSUBA
- 1962
(Show Context)
Citation Context ...lication routines and found that different architectures had different optimal routines. (Our timings are done with the optimal routines for each architecture.) 4 We explored the use of the Karatsuba =-=[15]-=- method (see Knuth [16] p. 259 and 536) for multiplication. It turned out to be slightly worse for our particular cases. Some of the programming tricks used to speed up the multiplication are: Use a... |