## The Elliptic Curve Digital Signature Algorithm (ECDSA) (1999)

Citations: 118 (5 self)

### BibTeX

```bibtex
@TECHREPORT{Johnson99theelliptic,
  author      = {Don Johnson and Alfred Menezes},
  title       = {The Elliptic Curve Digital Signature Algorithm (ECDSA)},
  institution = {},
  year        = {1999}
}
```

### Abstract

The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the Digital Signature Algorithm (DSA). It was accepted in 1999 as an ANSI standard, and was accepted in 2000 as IEEE and NIST standards. It was also accepted in 1998 as an ISO standard, and is under consideration for inclusion in some other ISO standards. Unlike the ordinary discrete logarithm problem and the integer factorization problem, no subexponential-time algorithm is known for the elliptic curve discrete logarithm problem. For this reason, the strength-per-key-bit is substantially greater in an algorithm that uses elliptic curves. This paper describes the ANSI X9.62 ECDSA, and discusses related security, implementation, and interoperability issues. Keywords: Signature schemes, elliptic curve cryptography, DSA, ECDSA.

### Citations

2683 | Handbook of Applied Cryptography
- Menezes, Oorschot, et al.
- 1997
Citation Context: ...or SHA-1. She then � � signs , and later claims to have signed ��� (note that every signature � for is also a signature � for �). IDEAL SECURITY. A �-bit hash function is said to have ideal security [65] if both: (i) given a hash output, producing a preimage requires approximately ��� operations; and (ii) producing a collision ����£ requires approximately operations. SHA-1 is a 160-bit hash function an...

1218 | A public key cryptosystem and a signature scheme based on discrete logarithms
- ElGamal
- 1985
Citation Context: ...ture schemes. 2. Discrete Logarithm (DL) schemes, which base their security on the intractability of the (ordinary) discrete logarithm problem in a finite field. Examples of these include the ElGamal [23], Schnorr [90], DSA [70], and Nyberg-Rueppel [78, 79] signature schemes. 3. Elliptic Curve (EC) schemes, which base their security on the intractability of the elliptic curve discrete logarithm proble...

863 | A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks
- Goldwasser, Micali, et al.
- 1988
Citation Context: ... message itself. SECURITY. Ideally, a digital signature scheme should be existentially unforgeable under chosen-message attack. This notion of security was introduced by Goldwasser, Micali and Rivest [33]. Informally, it asserts that an adversary who is able to obtain entity �'s signatures for any messages of its choice is unable to successfully forge �'s signature on a single other message. APPLICA...

794 | Differential Power Analysis
- Kocher, Jaffe, et al.
- 1999
Citation Context: ...uld be launched against implementations of ECDSA such as timing attacks (Kocher [53]), differential fault analysis (Boneh, DeMillo and Lipton [13]), differential power analysis (Kocher, Jaffe and Jun [54]), and attacks which exploit weak random or pseudorandom number generators (Kelsey et al. [48]). 9 Implementation Considerations. Before implementing ECDSA, several basic choices have to be made includ...

767 | Elliptic Curve Cryptosystems
- Koblitz
- 1987
Citation Context: ... Its security is based on the computational intractability of the discrete logarithm problem (DLP) in prime-order subgroups ¦¨§ © of . Elliptic curve cryptosystems (ECC) were invented by Neal Koblitz [49] and Victor Miller [67] in 1985. They can be viewed as elliptic curve analogues of the older discrete logarithm (DL) cryptosystems in which the subgroup ¦ § © of is replaced by the group of points on ...

477 | Timing attacks on implementations of Diffie-Hellman, RSA, DSS and other systems
- Kocher
- 1996
Citation Context: ...auditing domain parameter and public key generation. IMPLEMENTATION ATTACKS. ANSI X9.62 does not address attacks that could be launched against implementations of ECDSA such as timing attacks (Kocher [53]), differential fault analysis (Boneh, DeMillo and Lipton [13]), differential power analysis (Kocher, Jaffe and Jun [54]), and attacks which exploit weak random or pseudorandom number generators (Kels...

441 | Introduction to finite fields and their applications
- Lidl, Niederreiter
- 1994
Citation Context: ...ed security methods. 3 Finite Fields. We provide a brief introduction to finite fields. For further information, see Chapter 3 of Koblitz [52], or the books by McEliece [61] and Lidl and Niederreiter [59]. A finite field consists of a finite set of elements � together with two binary operations on �, called addition and multiplication, that satisfy certain arithmetic properties. The order of a finite...

324 | On the Importance of Checking Cryptographic Protocols for Faults
- Boneh, DeMillo, et al.
- 1997
Citation Context: ...ATION ATTACKS. ANSI X9.62 does not address attacks that could be launched against implementations of ECDSA such as timing attacks (Kocher [53]), differential fault analysis (Boneh, DeMillo and Lipton [13]), differential power analysis (Kocher, Jaffe and Jun [54]), and attacks which exploit weak random or pseudorandom number generators (Kelsey et al. [48]). 9 Implementation Considerations. Before implem...

312 | Reducing elliptic curve logarithms to logarithms in a finite field
- Menezes, Okamoto, et al.
- 1993
Citation Context: ...e co-factor is defined to ��� � � � be ��� �¢� . so� Some further precautions should be exercised when selecting the elliptic curve. To avoid the reduction algorithms of Menezes, Okamoto and Vanstone [64] and � � � Frey � � and Rück [29], the curve should be non-supersingular � (i.e., should not (��� divide �� � ��� � � � )). More generally, one should verify that � � � does � � ��� not divide for all...

300 | Elliptic curve public key cryptosystems
- Menezes
- 1993
Citation Context: ...ck introduction to the theory of elliptic curves. Chapter 6 of Koblitz's book [52] provides an introduction to elliptic curves and elliptic curve systems. For a more detailed account, consult Menezes [63] or Blake, Seroussi and Smart [9]. Some advanced books on elliptic curves are Enge [24] and Silverman [94]. 4.1 Elliptic Curves Over � ©. Let ����� be an odd prime. An elliptic curve � over � © is defin...

277 | Authentication and authenticated key exchanges
- Diffie, Oorschot, et al.
- 1992
Citation Context: ...thenticated key transport (e.g., Blake-Wilson and Menezes [10], ANSI X9.63 [4], and ISO/IEC 11770-3 [41]), and authenticated key agreement (e.g., ISO/IEC 11770-3 [41], Diffie, van Oorschot and Wiener [21], and Bellare, Canetti and Krawczyk [8]). CLASSIFICATION. The digital signature schemes in use today can be classified according to the hard underlying mathematical problem which provides the basis fo...

233 | A modular approach to the design and analysis of authentication and key exchange protocols
- Bellare, Canetti, et al.
- 1998
Citation Context: ...ilson and Menezes [10], ANSI X9.63 [4], and ISO/IEC 11770-3 [41]), and authenticated key agreement (e.g., ISO/IEC 11770-3 [41], Diffie, van Oorschot and Wiener [21], and Bellare, Canetti and Krawczyk [8]). CLASSIFICATION. The digital signature schemes in use today can be classified according to the hard underlying mathematical problem which provides the basis for their security: 1. Integer Factoriz...

215 | A subexponential algorithm for discrete logarithms over the rational subgroup of the jacobians of large genus hyperelliptic curves over finite fields
- Adleman, DeMarrais, et al.
- 1994
Citation Context: ...ptic curves are a family of algebraic curves of arbitrary genus that includes elliptic curves. Hence, an elliptic curve can be viewed as a hyperelliptic curve of genus 1. Adleman, DeMarrais and Huang [1] (see also Stein, Müller and Thiel [106]) presented a subexponential-time algorithm for the discrete logarithm problem in the jacobian of a large genus hyperelliptic curve over a finite field. However...

205 | A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves
- Frey, Rück
- 1994
Citation Context: ...defined to be $h = \#E(F_q)/n$. Some further precautions should be exercised when selecting the elliptic curve. To avoid the reduction algorithms of Menezes, Okamoto and Vanstone [55] and Frey and Rück [21], the curve should be non-supersingular (i.e., $p$ should not divide $q + 1 - \#E(F_q)$). More generally, one should verify that $n$ does not divide $q^k - 1$ for all $1 \le k \le C$, where $C$ is large enoug...

169 | A survey of fast exponentiation methods
- Gordon
- 1996
Citation Context: ...ELECTED REFERENCES TO THE LITERATURE. The most detailed and comprehensive reference available on techniques for efficient finite field and elliptic curve arithmetic is IEEE 1363-2000 [39]. See Gordon [36] for a detailed survey of various methods for scalar multiplication. For an implementation report of elliptic curve operations over � © and � £¢�, see Schroeppel et al. [92], De Win et al. [112], Has...

161 | Software Implementation of Elliptic Curve Cryptography over Binary Fields
- Hankerson, Hernandez, et al.
- 1965
Citation Context: ...port of elliptic curve operations over � © and � £¢�, see Schroeppel et al. [92], De Win et al. [112], Hasegawa, Nakajima and Matsui [38], Brown et al. [16, 17], and Hankerson, Hernandez and Menezes [37]. 10 Interoperability Considerations. The goals of cryptographic standards are twofold: 1. To facilitate the widespread use of cryptographically sound and well-specified techniques. 2. To promote inter...

143 | Constructive and destructive facets of Weil descent on elliptic curves
- Gaudry, Hess, et al.
- 2002
Citation Context: ...he Weil descent might be used to solve the ECDLP for elliptic curves defined � £¢� over � where is composite (such fields are sometimes called composite fields). More recently, Gaudry, Hess and Smart [32] refined these ideas to provide some evidence that � � �, when has a e.g. ��� small divisor �, the ECDLP for elliptic curves � £ � defined over can be solved faster than with Pollard's rho algorithm. Se...

132 | CM curves with good cryptographic properties
- Koblitz
- 1992
Citation Context: ...an elliptic curve � � over order � ���� of Let ��� £ . ��� Let � � � ����������� KOBLITZ CURVES. These curves, also known as anomalous binary curves, were first proposed for cryptographic use by Koblitz [51]. They are elliptic curves � £ � over whose defining equations have coefficients � £ in . Thus, there are two Koblitz curves � £¢� over � ��������� ��� : � ��������� ��� ��� and . Solinas [100, 102], ...

120 | RIPEMD-160: a strengthened version of RIPEMD
- Dobbertin, Bosselaers, et al.
- 1996
Citation Context: ...h all present signature schemes with appendix since the only hash functions that are widely accepted as being both secure and practical are SHA-1 and RIPEMD-160 (see Dobbertin, Bosselaers and Preneel [17]), both of which are 160-bit hash functions. Variable Output Length Hash Functions. It is envisioned that SHA-1 will eventually be replaced by a family of hash functions $H_l$, where $H_l$ is an $l$-bit ha...

117 | Finite Fields for Computer Scientists and Engineers
- McEliece
- 1987
Citation Context: ...rithms, or any other FIPS-approved security methods. 3 Finite Fields. We provide a brief introduction to finite fields. For further information, see Chapter 3 of Koblitz [52], or the books by McEliece [61] and Lidl and Niederreiter [59]. A finite field consists of a finite set of elements � together with two binary operations on �, called addition and multiplication, that satisfy certain arithmetic p...

101 | Use of elliptic curves
- Miller
- 1985
Citation Context: ...on the computational intractability of the discrete logarithm problem (DLP) in prime-order subgroups ¦¨§ © of . Elliptic curve cryptosystems (ECC) were invented by Neal Koblitz [49] and Victor Miller [67] in 1985. They can be viewed as elliptic curve analogues of the older discrete logarithm (DL) cryptosystems in which the subgroup ¦ § © of is replaced by the group of points on an elliptic curve over ...

82 | The improbability that an elliptic curve has sub-exponential discrete log problem under the Menezes-Okamoto-Vanstone algorithm
- Balasubramanian, Koblitz
- 1998
Citation Context: ...����, where the number field sieve algorithm applies. The reduction algorithm is only practical if � is small; this is not the case for most elliptic curves, as shown by Balasubramanian and Koblitz [6]. To ensure that the reduction algorithm does not apply to a particular curve, one only needs to check that �, the order of the point �, does not � � ��� divide for all � small for which the DLP � in ...

74 | Standard specifications for public key cryptography
- IEEE
- 2000
Citation Context: ...hod. Over � © the CM method is also called the Atkin-Morain method [68]; over � £¢� it is also called the Lay-Zimmer method [55]. A detailed description of the CM method can be found in IEEE 1363-2000 [39]. £ where � and write ��� is a Then � squarefree integer. is said to have by � complex multiplication . knows � If one for a given curve, then one can efficiently compute the order of the curve. The CM met...

69 | Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)
- ANSI X9.62
- 1999
Citation Context: ...enerally, one should verify that � � � does � � ��� not divide for all where � ���������, is large enough so that it is computationally infeasible to find discrete logarithms � in suffices in practice [3]). Finally, to avoid the attack �§� (������� of Semaev [93], Smart [98], and Satoh and Araki [88] � � on -anomalous curves, � the curve should � not (i.e., � be � � ��� ��� -anomalous ). � A prudent wa...

69 | Improving the parallelized Pollard lambda search on anomalous binary curves
- Gallant, Lambert, et al.
- 2000
Citation Context: .... It has roughly the same � ex ��� pected running time ( steps) as the baby-step giant-step algorithm, but is superior in that it requires a negligible amount of storage. Gallant, Lambert and Vanstone [31], and Wiener and Zuccherato [111] showed how Pollard's rho algorithm can be sped of � � up by a factor . Thus the expected running time of Pollard's rho method with this speedup is �� � � �¢��� steps. ...

66 | Information technology — Security techniques — Encryption algorithms — Part 2: Asymmetric Ciphers
- ISO/IEC
- 2004

66 | A key recovery attack on discrete log-based schemes using a prime order subgroup
- Lim, Lee
- 1997
Citation Context: ... Use of an invalid public key can void all expected security properties. An example of a concrete attack that can be launched if public key validation is not performed was demonstrated by Lim and Lee [60]. The attack is on a Diffie-Hellman-based key agreement protocol. METHODS FOR VALIDATING PUBLIC KEYS. The assurance that a public key � is valid can be provided to an entity � using one of the following...

59 | Software Implementation of the NIST Elliptic Curves over Prime Fields
- Brown, Hankerson, et al.
Citation Context: ...scalar multiplication. For an implementation report of elliptic curve operations over � © and � £¢�, see Schroeppel et al. [92], De Win et al. [112], Hasegawa, Nakajima and Matsui [38], Brown et al. [16, 17], and Hankerson, Hernandez and Menezes [37]. 10 Interoperability Considerations. The goals of cryptographic standards are twofold: 1. To facilitate the widespread use of cryptographically sound and wel...

58 | Standard specifications for public-key cryptography
- IEEE P1363
- 1998
Citation Context: ... method. Over $F_p$ the CM method is also called the Atkin-Morain method [58]; over $F_{2^m}$ it is also called the Lay-Zimmer method [46]. A detailed description of the CM method can be found in IEEE P1363 [30]. Let $E$ be an elliptic curve over $F_q$ of order $N$. Let $Z = 4q - (q + 1 - N)^2$ and write $Z = DV^2$ where $D$ is a squarefree integer. Then $E$ is said to have complex multiplication by $D$. If one k...

57 | An improved protocol for demonstrating possession of discrete logarithms and some generalizations
- Chaum, Evertse, et al.
- 1988
Citation Context: ...sion can be accomplished by a variety of means, for example by requiring � to sign a message � ����� . � of the CA's choice, or by using zero-knowledge techniques (see Chaum, Evertse and van de Graaf [19]). Note that proof of possession of a private key provides different assurances from public key validation. The former demonstrates possession of a private key even though it may correspond to an inva...

50 | Unknown key-share attacks on the station-to-station (STS) protocol, Public Key Cryptography
- Blake-Wilson, Menezes
- 1999
Citation Context: ...operties. An example of a concrete (albeit far-fetched) attack that can be launched if domain parameter validation for a signature scheme is not performed was demonstrated by Blake-Wilson and Menezes [11]. The attack is on a key agreement protocol which employs the ElGamal signature scheme. METHODS FOR VALIDATING DOMAIN PARAMETERS. The assurance that a set � � � � , ��� of EC domain parameters is valid...

50 | Cryptanalytic attacks on pseudorandom number generators
- Kelsey, Schneier, et al.
Citation Context: ...ntial fault analysis (Boneh, DeMillo and Lipton [13]), differential power analysis (Kocher, Jaffe and Jun [54]), and attacks which exploit weak random or pseudorandom number generators (Kelsey et al. [48]). 9 Implementation Considerations. Before implementing ECDSA, several basic choices have to be made including: 1. Type of underlying finite field � � (� © or � £¢�). 2. Field representation (e.g., po...

45 | Constructing elliptic curves with given group order over large In: Algorithmic Number Theory
- Lay, Zimmer
- 1994
Citation Context: ...thod for generating cryptographically suitable elliptic curves is the CM method. Over � © the CM method is also called the Atkin-Morain method [68]; over � £¢� it is also called the Lay-Zimmer method [55]. A detailed description of the CM method can be found in IEEE 1363-2000 [39]. £ where � and write ��� is a Then � squarefree integer. is said to have by � complex multiplication . knows � If one for a give...

43 | Applications of arithmetical geometry to cryptographic constructions, Finite Fields and Applications
- Frey
Citation Context: ... when doing a security analysis of elliptic curves whose coefficients lie in a small subfield. 11. CURVES DEFINED � £ � OVER �, COMPOSITE. Galbraith and Smart [30], expanding on earlier work of Frey [27, 28], discuss how the Weil descent might be used to solve the ECDLP for elliptic curves defined � £¢� over � where is composite (such fields are sometimes called composite fields). More recently, Gaudry, ...

40 | Generating El-Gamal signatures without knowing the secret key
- Bleichenbacher
- 1996
Citation Context: ... performed very efficiently, and are prudent measures in light of known attacks on related ElGamal signature schemes which do not perform these checks (for example of such attacks, see Bleichenbacher [12]). The following is a plausi) is � � ����� � ble attack � � on � ��� ECDSA £ if � the check (and, � � more generally, � � ��� © � ��������� � � � � � ��� ��� ���� not performed. Suppose that is using ...

40 | A cryptographic application of Weil descent
- Galbraith, Smart
- 1999
Citation Context: ...�� s � . This speedup should be considered when doing a security analysis of elliptic curves whose coefficients lie in a small subfield. 11. CURVES DEFINED � £ � OVER �, COMPOSITE. Galbraith and Smart [30], expanding on earlier work of Frey [27, 28], discuss how the Weil descent might be used to solve the ECDLP for elliptic curves defined � £¢� over � where is composite (such fields are sometimes calle...

36 | Elliptic curves and their applications to cryptography, an introduction
- Enge
- 1999
Citation Context: ...ides an introduction to elliptic curves and elliptic curve systems. For a more detailed account, consult Menezes [63] or Blake, Seroussi and Smart [9]. Some advanced books on elliptic curves are Enge [24] and Silverman [94]. 4.1 Elliptic Curves Over � ©. Let ����� be an odd prime. An elliptic curve � over � © is defined by an equation of the form £ � ��� ��� ����������� � � £ ����� � ����� � ��� ��� whe...

35 | A Course in Number Theory and Cryptography, 2nd edition, Springer-Verlag
- Koblitz
- 1994
Citation Context: ... mandates the use of these algorithms, or any other FIPS-approved security methods. 3 Finite Fields. We provide a brief introduction to finite fields. For further information, see Chapter 3 of Koblitz [52], or the books by McEliece [61] and Lidl and Niederreiter [59]. A finite field consists of a finite set of elements � together with two binary operations on �, called addition and multiplication, th...

35 | Counting the number of points on elliptic curves over finite fields: strategies and performances
- Lercier, Morain
- 1995
Citation Context: ...terest (i.e. ). In the last few years a lot of work has been done on improving and refining Schoof's algorithm, now called the Schoof-Elkies-Atkin (SEA) algorithm; for example, see Lercier and Morain [58] and Lercier [56]. With these £¢�¢� improvements, cryptographically suitable elliptic curves over fields whose orders are as � large as can be randomly generated in a few hours on a workstation (see L...

33 | Entity authentication and authenticated key transport protocols employing asymmetric techniques
- Blake-Wilson, Menezes
- 1997
Citation Context: ... schemes are commonly used as primitives in cryptographic protocols that provide other services including entity authentication (e.g., FIPS 196 [72], ISO/IEC 9798-3 [40], and Blake-Wilson and Menezes [10]), authenticated key transport (e.g., Blake-Wilson and Menezes [10], ANSI X9.63 [4], and ISO/IEC 11770-3 [41]), and authenticated key agreement (e.g., ISO/IEC 11770-3 [41], Diffie, van Oorschot and Wi...

32 | A Practical Implementation of Elliptic Curve Cryptosystems over GF(p) on a 16-bit Microcomputer
- Hasegawa, Nakajima, et al.
- 1998
Citation Context: ...arious methods for scalar multiplication. For an implementation report of elliptic curve operations over � © and � £¢�, see Schroeppel et al. [92], De Win et al. [112], Hasegawa, Nakajima and Matsui [38], Brown et al. [16, 17], and Hankerson, Hernandez and Menezes [37]. 10 Interoperability Considerations. The goals of cryptographic standards are twofold: 1. To facilitate the widespread use of cryptogr...

30 | RIPEMD-160: A strengthened Version of
- Dobbertin, Bosselaers, et al.
- 1996
Citation Context: ...h all present signature schemes with appendix since the only hash functions that are widely accepted as being both secure and practical are SHA-1 and RIPEMD-160 (see Dobbertin, Bosselaers and Preneel [22]), both of which are 160-bit hash functions. ����� . VARIABLE OUTPUT LENGTH HASH FUNCTIONS. It is expected that SHA-1 will soon be replaced by a family of hash functions � �, where � � is an �-bit has...

29 | Public Key Cryptography for the Financial Services Industry: Elliptic Curve Key Agreement and Key Transport Protocols, ballot version
- ANSI X9.63
- 2001
Citation Context: ...er services including entity authentication (e.g., FIPS 196 [72], ISO/IEC 9798-3 [40], and Blake-Wilson and Menezes [10]), authenticated key transport (e.g., Blake-Wilson and Menezes [10], ANSI X9.63 [4], and ISO/IEC 11770-3 [41]), and authenticated key agreement (e.g., ISO/IEC 11770-3 [41], Diffie, van Oorschot and Wiener [21], and Bellare, Canetti and Krawczyk [8]). CLASSIFICATION. The digital sign...

29 | Information technology – Security techniques – Key management – Part 4: Mechanisms based on weak secrets
- ISO/IEC
Citation Context: ...ntity authentication (e.g., FIPS 196 [64], ISO/IEC 9798-3 [31], and Blake-Wilson and Menezes [9]), authenticated key transport (e.g., Blake-Wilson and Menezes [9], ANSI X9.63 [4], and ISO/IEC 11770-3 [32]), and authenticated key agreement (e.g., ISO/IEC 11770-3 [32], Diffie, van Oorschot and Wiener [16], and Bellare, Canetti and Krawczyk [8]). Classification. The digital signature schemes in use today...

27 | Discrete logarithms in GF(p) using the number field sieve
- Gordon
- 1993
Citation Context: ...0 bits in size. The security of the DSA relies on two distinct but related discrete logarithm problems. One is the discrete logarithm problem in $Z_p$ where the number field sieve algorithm (see Gordon [27] and Schirokauer [78]) applies; this algorithm has a subexponential running time. More precisely, the expected running time of the algorithm is $O\left(\exp\left((c + o(1))(\ln p)^{1/3}(\ln \ln p)^{2/3}\right)\right)$ (1). The...

26 | Design validations for discrete logarithm based signature schemes
- Brickell, Pointcheval, et al.
Citation Context: ...rong theoretical models. Slight variants of DSA and ECDSA (but not ECDSA itself) have been proven to be existentially unforgeable against chosen-message attack by Pointcheval and Stern [82] (see also [14]) under the assumptions that the discrete logarithm problem is hard and that the hash function employed is a random function. ECDSA itself has been proven secure by Brown [15] under the assumption tha...

25 | Low complexity normal bases
- Ash, Blake, et al.
- 1989
Citation Context: ...e multiplication. For a given � and �, the field � £ � can have at most one GNB of type �. Thus it is proper to speak of the type � GNB of � £¢�. See Mullin et al. [69] and Ash, Blake and Vanstone [5] for further information on GNBs. EXISTENCE OF GAUSSIAN NORMAL BASES. A Gaussian normal basis (GNB) exists � whenever is not divisible by 8. � Let be a positive integer not divisible by 8, and � let b...

20 | Efficient multiplication on certain non-supersingular elliptic curves
- Meier, Staffelbach
- 1993
Citation Context: ...ng equations have coefficients � £ in . Thus, there are two Koblitz curves � £¢� over � ��������� ��� : � ��������� ��� ��� and . Solinas [100, 102], building on earlier work of Meier and Staffelbach [62], showed how one can compute very efficiently for arbitrary � where � is a point on a Koblitz curve. Since performing such scalar multiplications is the dominant computational step in ECDSA signature g...

18 | The exact security of ECDSA
- Brown
- 2000
Citation Context: ...and Stern [82] (see also [14]) under the assumptions that the discrete logarithm problem is hard and that the hash function employed is a random function. ECDSA itself has been proven secure by Brown [15] under the assumption that the underlying group is a generic group and that the hash function employed is collision resistant. The possible attacks on ECDSA can be classified as follows: 1. Attacks on...

18 | Constructing Elliptic Curve Cryptosystems in Characteristic 2
- Koblitz
- 1991
Citation Context: ...is odd; the algorithm was later extended to the case of ��� � � by Koblitz �� � until � � �§��. Repeat ���. POINT COUNTING. In 1985 Schoof [91] presented a polynomial-time algorithm for computing � � �� s [50]. Schoof's algorithm is rather inefficient in practice for the � values of of s ��¢� practical ����� interest (i.e. ). In the last few years a lot of work has been done on improving and refining Schoof'...