
Designs, Codes and Cryptography, Volume 19, Issue 2–3, pp. 173–193

The State of Elliptic Curve Cryptography

  • Neal Koblitz
  • Alfred Menezes
  • Scott Vanstone

Abstract

Since the introduction of public-key cryptography by Diffie and Hellman in 1976, the potential for using the discrete logarithm problem in public-key cryptosystems has been recognized. Although the discrete logarithm problem as first employed by Diffie and Hellman was defined explicitly as the problem of finding logarithms with respect to a generator in the multiplicative group of the integers modulo a prime, the idea extends to arbitrary groups and, in particular, to elliptic curve groups. The resulting public-key systems provide relatively small block size, high speed, and high security. This paper surveys the development of elliptic curve cryptosystems from their inception in 1985 by Koblitz and Miller to present-day implementations.

Keywords: elliptic curves, public-key cryptography
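The abstract's central point, that the discrete logarithm problem and Diffie-Hellman carry over from the multiplicative group mod p to an elliptic curve group, illustrated on a toy curve. This is an added example, not code from the paper; the field prime 17, the curve y^2 = x^3 + 2x + 2, the base point (5, 1) of order 19 and the private keys are all constructed for illustration and are far too small for real use.

```python
# Added example (not from the paper): elliptic curve group law over F_P,
# scalar multiplication (the curve analogue of g^k), Diffie-Hellman on the
# curve, and a brute-force discrete log that is only feasible because the
# group is tiny. All parameters below are constructed toy values.

P = 17             # field prime (constructed, toy size)
A, B = 2, 2        # curve y^2 = x^3 + A*x + B over F_P
INF = None         # point at infinity, the group identity
G = (5, 1)         # base point; it has order 19 on this curve

def on_curve(pt):
    """True if pt is INF or satisfies the curve equation mod P."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def add(p1, p2):
    """Group law in affine coordinates (chord-and-tangent rule)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                       # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P         # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def ec_dlog(base, target, limit):
    """Brute-force discrete log: smallest k < limit with k*base == target.
    On a prime-order group of size n the best generic attacks still need
    about sqrt(n) group operations, which is why real curves use n ~ 2^256."""
    acc = INF
    for k in range(limit):
        if acc == target:
            return k
        acc = add(acc, base)
    return None

def ecdh(base, a, b):
    """Diffie-Hellman on the curve: each side returns its view of a*b*base."""
    pub_a, pub_b = mul(a, base), mul(b, base)
    return mul(a, pub_b), mul(b, pub_a)
```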



Copyright information

© Kluwer Academic Publishers 2000

Authors and Affiliations

  • Neal Koblitz (1)
  • Alfred Menezes (2)
  • Scott Vanstone (2)
  1. Dept. of Mathematics, University of Washington, Seattle, USA
  2. Dept. of C&O, University of Waterloo, Waterloo, Canada
