## ECDKG: A Distributed Key Generation Protocol Based on Elliptic Curve Discrete Logarithm

### Citations

2576 | How to share a secret
- Shamir
- 1979
Citation Context ...iptic curve cryptosystems. This is a revision to two earlier reports dated back in Dec. 2001 and May 2002. and share secrets among a group of parties have attracted research interest for a decade also [37] [7]. In particular, in the Internet, in order to provide a trusted service model over a group of non-trustable entities, a model on how to distribute trust has been proposed [2]. 1.1. Motivation, Pas...

1560 | The byzantine generals problem
- Lamport, Shostak, et al.
- 1982
Citation Context ...generated by distributed key generation (DKG) can be used in many applications, e.g. multi-party digital signature. DKG can also be used solving some consensus problems, e.g. Byzantine Agreement [23] [21]. Existing DKG protocols are based on either discrete logarithm problem (DLP) over a finite field or integer factorization problem (IFP). In order to maintain certain level of security, key lengths in...

1332 | R.: A logic of authentication
- Burrows, Abadi, et al.
- 1990
Citation Context ... are allowed to have a total control on this information. It is not always possible to have a trusted party presented as this is required by many existing protocols of the wired counterpart [29] [28] [1]. Distributed collaborative security mechanism has been recognized as an alternative. Distributing trust ∗ The author is greatly gratitude to Prof. Ming-Deh Huang for his encouragement on this researc...

1009 | Elliptic curve cryptosystems
- Koblitz
- 1987
Citation Context ...ng players for n ≥ 2t + 1 and t eavesdropping players for n ≥ t + 1 and t static malicious adversary for n ≥ 3t + 1. Since the first proposals of using elliptic curve for cryptographic purpose, [27], [17], attempts of using existing techniques or new methods to solve ECDLP in subexponential time [14] [15] [24] are still ongoing. Regardless this endeavor, no promising results have been found. Only gene...

739 | Use of elliptic curves in cryptography
- Miller
- 1986
Citation Context ... halting players for n ≥ 2t + 1 and t eavesdropping players for n ≥ t + 1 and t static malicious adversary for n ≥ 3t + 1. Since the first proposals of using elliptic curve for cryptographic purpose, [27], [17], attempts of using existing techniques or new methods to solve ECDLP in subexponential time [14] [15] [24] are still ongoing. Regardless this endeavor, no promising results have been found. Onl...

736 | How to generate and exchange secrets
- Yao
- 1986
Citation Context ... be used as one of the building block. To combat a dynamic adversary, the scheme employs the permutation instead of direct use of the indices. The adversary simulation is based on zero-knowledge [12] [45]. The first distributed VSS version is presented in [31] which is based on Feldman VSS (where each player acts as a dealer). It specifies n parallel runs of all the players, each player selects a rand...

735 | Efficient signature generation by smart cards
- Schnorr
- 1991
Citation Context ...e implementations of ECC have being studied from the aspect on fast arithmetic operation algorithms over GF(2^n) [43] and over GF(p^n) [22]. ECC has been also applied to smart card applications [44] [38] and sub-second performance on signature verification and key generation has been reported. In summary, the advantages of using ECC compared to other schemes are given as follows: 1) Much more flexibi...

609 | Guide to Elliptic Curve Cryptography
- Hankerson, Menezes, et al.
- 2010
Citation Context ...are concerned. Small key size means saving on storage, processing time and bandwidth. Protocols based on ECDLG, e.g. ECDSA [16], have been adopted by some standards, and incorporated into many drafts [19]. Efficiency issue on software implementations of ECC have being studied from the aspect on fast arithmetic operation algorithms over GF(2^n) [43] and over GF(p^n) [22]. ECC has been also applied t...

502 | Non-interactive and information-theoretic secure verifiable secret sharing
- Pedersen
- 1991
Citation Context ... a simple polynomial interpolation over a finite field, GF(q), where q is a prime or power of some prime p by which it is an extension field of field Z/pZ (it is also called a Galois Field (GF)). And [32] extends Feldman’s non-interactive approach and presents a scheme in which each party can verify the information about the secret without communicating to other parties, and any k of these parties can...

485 | Kerberos: An Authentication Service for Computer Networks
- Neuman, Ts’o
- 1994
Citation Context ...ndividuals are allowed to have a total control on this information. It is not always possible to have a trusted party presented as this is required by many existing protocols of the wired counterpart [29] [28] [1]. Distributed collaborative security mechanism has been recognized as an alternative. Distributing trust ∗ The author is greatly gratitude to Prof. Ming-Deh Huang for his encouragement on thi...

400 | A public key cryptosystem and a signature scheme based on discrete logarithms
- Gamal
- 1985
Citation Context ...Exchange It is not desirable to reveal the private key to any of the players during message decryption or signature signing process. We use the elliptic curve ElGamal encryption algorithm (ECElGamal) [10] as an example to show how ECDKG works. Assume there is a trusted information distribution source encrypts a message to send to a group which shares a secret s with the corresponding public key y. The...

397 | An improved algorithm for computing logarithms over GF(p) and its cryptographic significance
- Pohlig, Hellman
- 1978
Citation Context ... and a point Q = xT for some x ∈ [1, p − 1], to determine the unknown x. There are the following known attacks specific to ECDLP. 1) Elliptic curves with T with a smooth order. An attack presented in [33] reduces the problem to find the secret key x to the problem of finding x modulo each of the prime factor of n, then use Chinese Remainder Theorem to solve for x. This algorithm can solve this type of...

374 | Reducing elliptic curve logarithms to logarithms in a finite field
- Menezes, Okamoto, et al.
- 1991
Citation Context ... generic exponential algorithms, i.e. square-root [42] type algorithms, are available for a broad class of ECDLP. Only in some restricted cases (see Section 1.2), such subexponential algorithms exist [25], [39]. Cryptosystems based on ECDLP can use small key size to provide comparable levels of security as long as certain discretion has been taken into account to select the candidate curve and domain ...

290 | A practical scheme for non-interactive verifiable secret sharing
- Feldman
- 1987
Citation Context ... curve cryptosystems. This is a revision to two earlier reports dated back in Dec. 2001 and May 2002. and share secrets among a group of parties have attracted research interest for a decade also [37] [7]. In particular, in the Internet, in order to provide a trusted service model over a group of non-trustable entities, a model on how to distribute trust has been proposed [2]. 1.1. Motivation, Past Wo...

235 | A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves
- Frey, Rück
- 1994
Citation Context ...f.) is divisible by the characteristic of Fq. For prime field GF(p), we need to avoid curve whose cardinality divides p^k − 1 for small k (k ≤ 20), since Weil pairing [24] (MOV attack) or Tate pairing [34, 8] can reduce ECDLP to DLP in the multiplicative group of some extension field of GF(p) where the DLP can be solved in subexponential time when k is small. For cryptographic purpose, we can check up to ...

235 | A threshold cryptosystem without a trusted party (extended abstract)
- Pedersen
- 1991
Citation Context ...ic adversary, the scheme employs the permutation instead of direct use of the indices. The adversary simulation is based on zero-knowledge [12] [45]. The first distributed VSS version is presented in [31] which is based on Feldman VSS (where each player acts as a dealer). It specifies n parallel runs of all the players, each player selects a random secret zi ∈ GF(q) and shares it among other players. ...

187 | Software Implementation of Elliptic Curve Cryptography Over Binary Fields
- Hankerson, Hernandez, et al.
- 2000
Citation Context ...can be avoided by multiplication. Especially, Jacobian projective coordinates [4], the projective point (x : y : z) ↦ (x/z^2, y/z^3) and its variants gives superior performance for field arithmetic [13]. 2. System Model In this section, we present the communication model and adversary model which the protocol is based. 2.1. Communication Model We assume that there are two kinds of channels available...

184 | Efficient Elliptic Curve Exponentiation using Mixed Coordinates
- Cohen, Miyaji, et al.
- 1998
Citation Context ... coordinate representations, one is affine coordinate and the other is the projective coordinate. Some further improvement on group arithmetic can be achieved via selecting a proper coordinate system [5]. Using projective coordinate system, inverse can be avoided by multiplication. Especially, Jacobian projective coordinates [4], the projective point (x : y : z) ↦ (x/z^2, y/z^3) and its variants gi...

125 | Avi Wigderson. Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems
- Goldreich, Micali
- 1991

116 | The discrete logarithm problem on elliptic curves of trace one
- Smart
- 1999
Citation Context ...e-field anomalous curve. An elliptic curve is called anomalous if the trace of the Frobenius map is equal to 1. In this case, |E/GF(p)| = p, and ECDLP can be reduced to DLP in an additive group [39] [40] [35]. 4) Curves over field GF(2^m), m is composite. Weil descent [9] GHS attack might be used to solve the ECDLP over binary field. Weil descent reduces ECDLP in GF(2^m) to a DLP in an abelian vari...

99 | An improved algorithm for arithmetic on a family of elliptic curves
- Solinas
- 1997
Citation Context ...view, one type of curve so called anomalous binary curve (ABC) of the form y^2 + xy = x^3 + ax^2 + 1, where a ∈ GF(2). There are some efficient implementations of ECC systems based on ABC curves [18] [41]. The ground field is GF(2^n), when n is prime, there exists a larger subgroup for cryptographic use, the cofactor is either 2 or 4 (very small) for a = 1 or 0 respectively. For elliptic curve, the i...

90 | Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves
- Satoh, Araki
- 1998
Citation Context ...ld anomalous curve. An elliptic curve is called anomalous if the trace of the Frobenius map is equal to 1. In this case, |E/GF(p)| = p, and ECDLP can be reduced to DLP in an additive group [39] [40] [35]. 4) Curves over field GF(2^m), m is composite. Weil descent [9] GHS attack might be used to solve the ECDLP over binary field. Weil descent reduces ECDLP in GF(2^m) to a DLP in an abelian variety o...

72 | The Tate Pairing and the Discrete Logarithm Applied to Elliptic Curve Cryptosystems.
- Frey, Muller, et al.
- 1999
Citation Context ...f.) is divisible by the characteristic of Fq. For prime field GF(p), we need to avoid curve whose cardinality divides p^k − 1 for small k (k ≤ 20), since Weil pairing [24] (MOV attack) or Tate pairing [34, 8] can reduce ECDLP to DLP in the multiplicative group of some extension field of GF(p) where the DLP can be solved in subexponential time when k is small. For cryptographic purpose, we can check up to ...

71 | Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p
- Semaev
- 1998
Citation Context ...ic exponential algorithms, i.e. square-root [42] type algorithms, are available for a broad class of ECDLP. Only in some restricted cases (see Section 1.2), such subexponential algorithms exist [25], [39]. Cryptosystems based on ECDLP can use small key size to provide comparable levels of security as long as certain discretion has been taken into account to select the candidate curve and domain parame...

45 | A cryptographic application of Weil descent
- Galbraith, Smart
- 1999
Citation Context ...race of the Frobenius map is equal to 1. In this case, |E/GF(p)| = p, and ECDLP can be reduced to DLP in an additive group [39] [40] [35]. 4) Curves over field GF(2^m), m is composite. Weil descent [9] GHS attack might be used to solve the ECDLP over binary field. Weil descent reduces ECDLP in GF(2^m) to a DLP in an abelian variety over a proper subfield of GF(2^m), then one can use algorithms fo...

42 | Distributing trust on the internet.
- Cachin
- 2001
Citation Context ...st for a decade also [37] [7]. In particular, in the Internet, in order to provide a trusted service model over a group of non-trustable entities, a model on how to distribute trust has been proposed [2]. 1.1. Motivation, Past Work and Our Contribution Motivation: Since the seminal work [37] and later [7] on the proposed (k, n) (where n is the number of shares of a secret and k is the threshold) thre...

38 | Computing sequences with addition chains
- Downey, Leony, et al.
Citation Context ...ain of numbers to generate the final point using doublings and addition. Shorter chain length gives better performance, however, the general problem to find the shortest addition chain is NP-complete [6]. This type of algorithms are very practical for elliptic curve since the inverse is almost “free”, i.e. −(x, y) = (x, −y) in prime field GF(p), or −(x, y) = (x, x + y) (because −(x, x + y) = (x, x + ...

35 | Square-root Algorithms for the Discrete Logarithm Problem (A survey). Public Key Cryptography and Computational Number Theory, 283–301, Walter de Gruyter
- Teske
- 2001
Citation Context ...w methods to solve ECDLP in subexponential time [14] [15] [24] are still ongoing. Regardless this endeavor, no promising results have been found. Only generic exponential algorithms, i.e. square-root [42] type algorithms, are available for a broad class of ECDLP. Only in some restricted cases (see Section 1.2), such subexponential algorithms exist [25], [39]. Cryptosystems based on ECDLP can use small...

30 | Randomized initialization protocols for ad hoc networks
- Nakano, Olariu
- 2000
Citation Context ...ssume each player has a unique random identification number pi in GF(q) and players know these numbers of each other. (There exist algorithms to generate these random numbers in a distributed setting [30] and the session initiator can be used to facilitate this random number generation.) Let n be the total number of players who want to form a secure group, and they are identified as (p1, p2, · · · , p...

24 | Using Encryption for Authentication in
- Needham, Schroeder
- 1978
Citation Context ...duals are allowed to have a total control on this information. It is not always possible to have a trusted party presented as this is required by many existing protocols of the wired counterpart [29] [28] [1]. Distributed collaborative security mechanism has been recognized as an alternative. Distributing trust ∗ The author is greatly gratitude to Prof. Ming-Deh Huang for his encouragement on this res...

20 | Solving elliptic curve discrete logarithm problems using Weil descent.
- Jacobson, Menezes, et al.
- 2001
Citation Context ...≥ 3t + 1. Since the first proposals of using elliptic curve for cryptographic purpose, [27], [17], attempts of using existing techniques or new methods to solve ECDLP in subexponential time [14] [15] [24] are still ongoing. Regardless this endeavor, no promising results have been found. Only generic exponential algorithms, i.e. square-root [42] type algorithms, are available for a broad class of ECDLP...

18 | Fast Implementation of Elliptic Curve Arithmetic
- Lim, Hwang
- 2000
Citation Context ...ncorporated into many drafts [19]. Efficiency issue on software implementations of ECC have being studied from the aspect on fast arithmetic operation algorithms over GF(2^n) [43] and over GF(p^n) [22]. ECC has been also applied to smart card applications [44] [38] and sub-second performance on signature verification and key generation has been reported. In summary, the advantages of using ECC compa...

18 | A Fast Software Implementation for Arithmetic Operations
- Win, Bosselaers, et al.
- 1996
Citation Context ...y some standards, and incorporated into many drafts [19]. Efficiency issue on software implementations of ECC have being studied from the aspect on fast arithmetic operation algorithms over GF(2^n) [43] and over GF(p^n) [22]. ECC has been also applied to smart card applications [44] [38] and sub-second performance on signature verification and key generation has been reported. In summary, the advant...

7 | Tal Rabin, “Secure Distributed Key Generation for Discrete-Log Based Cryptosystems”, Proceeding Eurocrypt
- Gennaro, Jarecki, et al.
- 1999
Citation Context ...e in [7] g Fi is put in public. It has been seeing some progresses on applying this threshold scheme for various security purposes, e.g. distributed digital signature [18], distributed key generation [11]. Encryption using keys generated by distributed key generation (DKG) can be used in many applications, e.g. multi-party digital signature. DKG can also be used solving some consensus problems, e.g. B...

7 | Lifting elliptic curves and solving the elliptic curve discrete logarithm problem
- Huang, Kueh, et al.
- 2000
Citation Context ...ary for n ≥ 3t + 1. Since the first proposals of using elliptic curve for cryptographic purpose, [27], [17], attempts of using existing techniques or new methods to solve ECDLP in subexponential time [14] [15] [24] are still ongoing. Regardless this endeavor, no promising results have been found. Only generic exponential algorithms, i.e. square-root [42] type algorithms, are available for a broad clas...

5 | Minghua Qu, “Analysis of the Weil Descent Attack of Gaudry
- Menezes
- 2001
Citation Context ...a proper subfield of GF(2^m), then one can use algorithms for the hyperelliptic curve DLP that are significantly faster than the best available ones for the ECDLP [20]. However, it has been shown in [26] that it is infeasible of GHS attack for E/GF(2^n) when n is a prime and n ∈ [160, 600]. With these known attacks, two types of elliptic curves are favorable for cryptography, they are GF(p) and GF(2...

4 | Sequences of Numbers Generated by Addition
- Chudnovsky, Chudnovsky
- 1987
Citation Context ...roup arithmetic can be achieved via selecting a proper coordinate system [5]. Using projective coordinate system, inverse can be avoided by multiplication. Especially, Jacobian projective coordinates [4], the projective point (x : y : z) ↦ (x/z^2, y/z^3) and its variants gives superior performance for field arithmetic [13]. 2. System Model In this section, we present the communication model and adv...

3 | The elliptic curve digital signature algorithm (ECDSA)
- Menezes, Johnson
- 1999
Citation Context ...ations, e.g. electronic commerce where computing and communication resources are concerned. Small key size means saving on storage, processing time and bandwidth. Protocols based on ECDLG, e.g. ECDSA [16], have been adopted by some standards, and incorporated into many drafts [19]. Efficiency issue on software implementations of ECC have being studied from the aspect on fast arithmetic operation algo...

3 | Counting points on elliptic curves over finite
- Schoof
- 1996
Citation Context ...r GF(2^p), in order to avoid MOV attack, q should not divide q^n − 1 for small n’s. Also the cardinality of E/GF(q) should not be q. There is polynomial time algorithm to count the points in E/GF(q) [36]. These can be checked before select the curve. From implementation efficiency point of view, one type of curve so called anomalous binary curve (ABC) of the form y^2 + xy = x^3 + ax^2 + 1, where a ∈ ...

2 | Which Curve to Use?,” Presentation
- Koblitz
Citation Context ...to a DLP in an abelian variety over a proper subfield of GF(2^m), then one can use algorithms for the hyperelliptic curve DLP that are significantly faster than the best available ones for the ECDLP [20]. However, it has been shown in [26] that it is infeasible of GHS attack for E/GF(2^n) when n is a prime and n ∈ [160, 600]. With these known attacks, two types of elliptic curves are favorable for c...

2 | Elliptic Curve Cryptography on
- Woodbury, Bailey, et al.
- 2000
Citation Context ...ftware implementations of ECC have being studied from the aspect on fast arithmetic operation algorithms over GF(2^n) [43] and over GF(p^n) [22]. ECC has been also applied to smart card applications [44] [38] and sub-second performance on signature verification and key generation has been reported. In summary, the advantages of using ECC compared to other schemes are given as follows: 1) Much more fl...

1 | CM-curves with Good Cryptographic
- Koblitz
- 1992
Citation Context ... in GF(q)) are put in public while in [7] g Fi is put in public. It has been seeing some progresses on applying this threshold scheme for various security purposes, e.g. distributed digital signature [18], distributed key generation [11]. Encryption using keys generated by distributed key generation (DKG) can be used in many applications, e.g. multi-party digital signature. DKG can also be used solvin...

1 | Distributed Algorithms [Chapter 6 & 7]
- Lynch
- 1997
Citation Context ...keys generated by distributed key generation (DKG) can be used in many applications, e.g. multi-party digital signature. DKG can also be used solving some consensus problems, e.g. Byzantine Agreement [23] [21]. Existing DKG protocols are based on either discrete logarithm problem (DLP) over a finite field or integer factorization problem (IFP). In order to maintain certain level of security, key lengt...