3084:, 19 September 2013. "Recommending against the use of SP 800-90A Dual Elliptic Curve Deterministic Random Bit Generation: NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used."
1172:
which is time-consuming and troublesome to implement. As a result, several standard bodies published domain parameters of elliptic curves for several common field sizes. Such domain parameters are commonly known as "standard curves" or "named curves"; a named curve can be referenced either by name or
311:
in
September 2013 issued an advisory recommending that its customers discontinue using any software based on Dual_EC_DRBG. In the wake of the exposure of Dual_EC_DRBG as "an NSA undercover operation", cryptography experts have also expressed concern over the security of the NIST recommended elliptic
2663:
algorithm requires 4098 qubits and 5.2 trillion
Toffoli gates for a 2048-bit RSA key, suggesting that ECC is an easier target for quantum computers than RSA. All of these figures vastly exceed any quantum computer that has ever been built, and estimates place the creation of such computers at a
2682:
key exchanges. This key exchange uses much of the same field arithmetic as existing elliptic curve cryptography and requires computational and transmission overhead similar to many currently used public key systems. However, new classical attacks undermined the security of this protocol.
4140:
The SEV elliptic-curve (ECC) implementation was found to be vulnerable to an invalid curve attack. At launch-start command, an attacker can send small order ECC points not on the official NIST curves, and force the SEV firmware to multiply a small order point by the firmware's private DH
1218:
If, despite the preceding admonition, one decides to construct one's own domain parameters, one should select the underlying field and then use one of the following strategies to find a curve with appropriate (i.e., near prime) number of points using one of the following methods:
2509:, there can be an order of magnitude speed-up. The speed-up here is a practical rather than theoretical one, and derives from the fact that the moduli of numbers against numbers near powers of two can be performed efficiently by computers operating on binary numbers with
597:
and the inability to compute the multiplicand given the original point and product point. The size of the elliptic curve, measured by the total number of discrete integer pairs satisfying the curve equation, determines the difficulty of the problem.
3608:
1214:
SECG test vectors are also available. NIST has approved many SECG curves, so there is a significant overlap between the specifications published by NIST and SECG. EC domain parameters may be specified either by value or by name.
3227:
1703:
The hardest ECC scheme (publicly) broken to date had a 112-bit key for the prime field case and a 109-bit key for the binary field case. For the prime field case, this was broken in July 2009 using a cluster of over 200
556:
4233:, Chapter 9 of "Understanding Cryptography, A Textbook for Students and Practitioners". (companion web site contains online cryptography course that covers elliptic curve cryptography), Springer, 2009. (archived
4214:
K. Malhotra, S. Gardner, and R. Patz, Implementation of
Elliptic-Curve Cryptography on Mobile Healthcare Devices, Networking, Sensing and Control, 2007 IEEE International Conference on, London, 15–17 April 2007
2690:
attacks. "Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy."
The SafeCurves project has been launched in order to catalog curves that are easy to implement securely and are designed in a fully publicly verifiable way to minimize the chance of a backdoor.
355:
elliptic curve digital signature standard (ECDSA; NIST FIPS 186-3) and certain practical ECC-based key exchange schemes (including ECDH) can be implemented without infringing those patents.
227:, which exclusively uses ECC for digital signature generation and key exchange. The suite is intended to protect both classified and unclassified national security systems and information.
1708:
game consoles and could have been finished in 3.5 months using this cluster when running continuously. The binary field case was broken in April 2004 using 2600 computers over 17 months.
1700:, where the private key should be just as large. However, the public key may be smaller to accommodate efficient encryption, especially when processing power is limited (e.g. in Africa).
standard. One analysis of the possible backdoor concluded that an adversary in possession of the algorithm's secret key could obtain encryption keys given only 32 bytes of PRNG output.
2296:-2000 standard uses "projective coordinates" to refer to what is commonly called Jacobian coordinates. An additional speed-up is possible if mixed coordinates are used.
2007:
1899:
1855:) is one to two orders of magnitude slower than multiplication. However, points on a curve can be represented in different coordinate systems which do not require an
1335:
1012:
212:
The NIST recommendation thus contains a total of five prime curves and ten binary curves. The curves were chosen for optimal security and implementation efficiency.
2601:; this is a special family of elliptic curves for which doubling and addition can be done with the same operation. Another concern for ECC-systems is the danger of
775:
1853:
585:
a large integer composed of two or more large prime factors which are far apart. For later elliptic-curve-based protocols, the base assumption is that finding the
1038:
2556:
According to
Bernstein and Lange, many of the efficiency-related decisions in NIST FIPS 186-2 are suboptimal. Other curves are more secure and run just as fast.
1626:
steps, it follows that the size of the underlying field should be roughly twice the security parameter. For example, for 128-bit security one needs a curve over
593:): this is the "elliptic curve discrete logarithm problem" (ECDLP). The security of elliptic curve cryptography depends on the ability to compute a
2659:. For the binary elliptic curve case, 906 qubits are necessary (to break 128 bits of security). In comparison, using Shor's algorithm to break the
2597:) using, for example, fixed pattern window (a.k.a. comb) methods (note that this does not increase computation time). Alternatively one can use an
2573:
systems (where it is possible to use the same procedure for squaring and multiplication), the EC addition is significantly different for doubling (
339:
While the RSA patent expired in 2000, there may be patents in force covering certain aspects of ECC technology, including at least one ECC scheme (
A close examination of the addition rules shows that in order to add two points, one needs not only several additions and multiplications in
3021:
1711:
A current project is aiming at breaking the ECC2K-130 challenge by
Certicom, by using a wide range of different hardware: CPUs, GPUs, FPGA.
3114:(5 September) "I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry." See
2880:
2804:
2686:
In August 2015, the NSA announced that it planned to transition "in the not distant future" to a new cipher suite that is resistant to
2391:
1161:
Unless there is an assurance that domain parameters were generated by a party trusted with respect to their use, the domain parameters
Brown, M.; Hankerson, D.; Lopez, J.; Menezes, A. (2001). "Software
Implementation of the NIST Elliptic Curves over Prime Fields".
Additionally, in August 2015, the NSA announced that it plans to replace Suite B with a new cipher suite due to concerns about
3547:
Satoh, T.; Araki, K. (1998). "Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves".
250:
Recently, a large number of cryptographic primitives based on bilinear mappings on various elliptic curve groups, such as the
Lay, Georg-Johann; Zimmer, Horst G. (1994). "Constructing elliptic curves with given group order over large finite fields".
Menezes, A.; Okamoto, T.; Vanstone, S. A. (1993). "Reducing elliptic curve logarithms to logarithms in a finite field".
2625:
backdoor into at least one elliptic curve-based pseudo random generator. Internal memos leaked by former NSA contractor
53:. ECC allows smaller keys to provide equivalent security, compared to cryptosystems based on modular exponentiation in
2651:. The latest quantum resource estimates for breaking a curve with a 256-bit modulus (128-bit security level) are 2330
Biehl, Ingrid; Meyer, Bernd; Müller, Volker (2000). "Differential Fault
Attacks on Elliptic Curve Cryptosystems".
624:
605:, reducing storage and transmission requirements. For example, a 256-bit elliptic curve public key should provide
A New
Parallel Window-Based Implementation of the Elliptic Curve Point Multiplication in Multi-Core Architectures
3579:
682:(ECIES), also known as Elliptic Curve Augmented Encryption Scheme or simply the Elliptic Curve Encryption Scheme,
In 1999, NIST recommended fifteen elliptic curves. Specifically, FIPS 186-4 has ten recommended finite fields:
4294:
3094:
1692:) which requires 3072-bit public keys and 256-bit private keys, and integer factorization cryptography (e.g.,
of the scheme. The size of the field used is typically either prime (and denoted as p) or is a power of two (
1168:
The generation of domain parameters is not usually done by each participant because this involves computing
of sizes 192, 224, 256, 384, and 521 bits. For each of the prime fields, one elliptic curve is recommended.
3977:; Lauter, Kristin (2017). "Quantum resource estimates for computing elliptic curve discrete logarithms".
The primary benefit promised by elliptic curve cryptography over alternatives such as RSA is a smaller
463:, with the point at infinity as an identity element. The structure of the group is inherited from the
243:(ECDSA) for digital signature. The NSA allows their use for protecting information classified up to
4702:
4023:
3817:
2647:
can be used to break elliptic curve cryptography by computing discrete logarithms on a hypothetical
of a random elliptic curve element with respect to a publicly known base point is infeasible (the
Select a random curve from a family which allows easy calculation of the number of points (e.g.,
746:
To use ECC, all parties must agree on all the elements defining the elliptic curve, that is, the
566:
85:
38:
307:, which had included a deliberate weakness in the algorithm and the recommended elliptic curve.
4222:, International Journal of Network Security, Vol. 13, No. 3, 2011, Page(s):234–241 (archived
system the same relations are used but four coordinates are stored and used for calculations
equal 163, 233, 283, 409, and 571. For each of the binary fields, one elliptic curve and one
2308:(which is needed for addition and multiplication) can be executed much faster if the prime
are vulnerable to the attack that maps the points on the curve to the additive group of
303:(or Dual_EC_DRBG) had been included as a NIST national standard due to the influence of
277:
Elliptic curve cryptography is used successfully in numerous popular protocols, such as
2589:) depending on the coordinate system used. Consequently, it is important to counteract
Galbraith, S. D.; Smart, N. P. (1999). "A Cryptographic
Application of Weil Descent".
1241:
Select the number of points and generate a curve with this number of points using the
Interactive introduction to elliptic curves and elliptic curve cryptography with Sage
4070:"Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies"
3868:
3746:
3701:
3688:; Ono, T. (1998). "Efficient Elliptic Curve Exponentiation Using Mixed Coordinates".
375:(rather than the real numbers) which consists of the points satisfying the equation:
Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies
are recommended by NIST. Yet another advantage of the NIST curves is that they use
3650:"Implementing an efficient elliptic curve cryptosystem over GF(p) on a smart card"
3483:
3450:
115:
in 1985. Elliptic curve cryptography algorithms entered wide use in 2004 to 2005.
Select a random curve and use a general point-counting algorithm, for example,
606:
581:'s 1983 patent, based their security on the assumption that it is difficult to
452:
not equal to 2 or 3, or the curve equation would be somewhat more complicated.
216:
46:
805:
used in its defining equation. Finally, the cyclic subgroup is defined by its
312:
curves, suggesting a return to encryption based on non-elliptic-curve groups.
4120:"AMD-SEV: Platform DH key recovery via invalid curve attack (CVE-2019-9836)"
3864:
3697:
2993:
1585:
Because all the fastest known algorithms that allow one to solve the ECDLP (
1446:
are at least as difficult to compute as discrete logs on the elliptic curve
1369:
are vulnerable to
Menezes–Okamoto–Vanstone (MOV) attack which applies usual
258:, have been introduced. Schemes based on these primitives provide efficient
621:-based protocols have been adapted to elliptic curves, replacing the group
3905:"Government Announces Steps to Restore Confidence on Encryption Standards"
3887:
3722:
3525:
2703:, an attacker may use an invalid curve to get a complete PDH private key.
107:
The use of elliptic curves in cryptography was suggested independently by
781:, and this case necessitates the choice of an auxiliary curve denoted by
551:{\displaystyle \mathrm {Div} ^{0}(E)\to \mathrm {Pic} ^{0}(E)\simeq E,\,}
3832:"Cr.yp.to: 2014.03.23: How to design an elliptic-curve signature system"
3345:"Constructive and destructive facets of Weil descent on elliptic curves"
1859:
operation to add two points. Several such systems were proposed: in the
3727:. Lecture Notes in Computer Science. Vol. 2020. pp. 250–265.
3273:. Lecture Notes in Computer Science. Vol. 877. pp. 250–263.
3166:
Commercial National Security Algorithm Suite and Quantum Computing FAQ
5496:
5079:
4502:
3931:"On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng"
3692:. Lecture Notes in Computer Science. Vol. 1514. pp. 51–65.
2947:. Lecture Notes in Computer Science. Vol. 85. pp. 417–426.
2675:
92:
4256:
4252:
4188:, London Mathematical Society 317, Cambridge University Press, 2005.
4181:, London Mathematical Society 265, Cambridge University Press, 1999.
4100:
3794:"A comb method to render ECC resistant against Side Channel Attacks"
3198:
2920:
2903:
2292:. Note that there may be different naming conventions, for example,
in the binary case. The elliptic curve is defined by the constants
602:
4251:
Gustavo Banegas, Daniel J. Bernstein, Iggy Van Hoof, Tanja Lange,
4241:
4160:
3953:"SafeCurves: choosing safe curves for elliptic-curve cryptography"
3772:"SafeCurves: choosing safe curves for elliptic-curve cryptography"
3407:
3306:. Lecture Notes in Computer Science. Vol. 1746. p. 799.
3077:
RSA Tells Its Developer Customers: Stop Using NSA-Linked Algorithm
2553: = −3, which improves addition in Jacobian coordinates.
3609:"Certicom Announces Elliptic Curve Cryptography Challenge Winner"
2498:{\displaystyle p=2^{256}-2^{32}-2^{9}-2^{8}-2^{7}-2^{6}-2^{4}-1.}
282:
3500:"The discrete logarithm problem on elliptic curves of trace one"
696:
The deformation scheme using Harrison's p-adic Manhattan metric,
444:, denoted ∞. The coordinates here are to be chosen from a fixed
Banegas, G.; Bernstein, D. J.; Hoof, I. van; Lange, T. (2020).
3771:
2652:
1688:. This can be contrasted with finite-field cryptography (e.g.,
3952:
2987:. National Institute of Standards and Technology. 2013-07-19.
Miller, V. (1986). "Use of Elliptic Curves in Cryptography".
2815:
2810:
2778:
1040:. To summarize: in the prime case, the domain parameters are
3888:"Did NSA Put a Secret Backdoor in New Encryption Standard?"
3648:
Hitchcock, Y.; Dawson, E.; Clark, A.; Montague, P. (2002).
3043:
Perlroth, Nicole; Larson, Jeff; Shane, Scott (2013-09-05).
1190:
1181:
4000:"Concrete quantum cryptanalysis of binary elliptic curves"
3765:
3720:
1249:
Several classes of curves are weak and should be avoided:
980:
is an integer. In cryptographic applications, this number
4682:
4536:
3997:
304:
4253:
Concrete quantum cryptanalysis of binary elliptic curves
3045:"N.S.A. Able to Foil Basic Safeguards of Privacy on Web"
2711:
Alternative representations of elliptic curves include:
3455:-torsion points of an elliptic curve in characteristic
2617:
Cryptographic experts have expressed concerns that the
301:
Dual Elliptic Curve Deterministic Random Bit Generation
231:(NIST) has endorsed elliptic curve cryptography in its
5026:
Cryptographically secure pseudorandom number generator
4201:, National Security Agency (archived January 17, 2009)
3378:
1863:
system each point is represented by three coordinates
973:{\displaystyle h={\frac {1}{n}}|E(\mathbb {F} _{p})|}
secure form of elliptic curve cryptography by using
3199:"Irrelevant patents on elliptic-curve cryptography"
3042:
1971:a point is also represented with three coordinates
1195:
SEC 2: Recommended Elliptic Curve Domain Parameters
738:Some common implementation considerations include:
3549:Commentarii Mathematici Universitatis Sancti Pauli
3180:"6.3.4 Are elliptic curve cryptosystems patented?"
3116:Are the NIST Standard Elliptic Curves Back-doored?
1209:ECC Brainpool Standard Curves and Curve Generation
80:and other tasks. Indirectly, they can be used for
4157:Standards for Efficient Cryptography Group (SECG)
3567:Recommendation for Key Management—Part 1: general
2668:Supersingular Isogeny Diffie–Hellman Key Exchange
1581:Discrete logarithm records § Elliptic curves
5853:
3845:
3451:"Evaluation of discrete logarithm in a group of
95:that have applications in cryptography, such as
4193:Elliptic Curves: Number Theory and Cryptography
4067:
3408:"On an Improved Definition of Embedding Degree"
3342:
3304:A cryptographic application of the Weil descent
3228:"Elliptic Curve Cryptography "Made in Germany""
2945:Advances in Cryptology — CRYPTO '85 Proceedings
2299:
5263:
4184:I. Blake, G. Seroussi, and N. Smart, editors,
3680:
3301:
3138:"Commercial National Security Algorithm Suite"
2706:
1186:Recommended Elliptic Curves for Government Use
561:
229:National Institute of Standards and Technology
5249:
4857:
4344:
4170:D. Hankerson, A. Menezes, and S.A. Vanstone,
4039:"RSA in a "Pre-Post-Quantum" Computing World"
3792:Hedabou, M.; Pinel, P.; Beneteau, L. (2004).
3352:Hewlett Packard Laboratories Technical Report
3132:
3130:
316:
3177:
3168:U.S. National Security Agency, January 2016.
671:(ECDH) key agreement scheme is based on the
656:{\displaystyle (\mathbb {Z} _{p})^{\times }}
235:set of recommended algorithms, specifically
4358:
4205:Online Elliptic Curve Cryptography Tutorial
3569:, Special Publication 800-57, August 2005.
3343:Gaudry, P.; Hess, F.; Smart, N. P. (2000).
2639:
2629:suggest that the NSA put a backdoor in the
1373:(DLP) in a small-degree extension field of
1365:for a binary field) for sufficiently small
4074:Cryptology ePrint Archive, Report 2011/506
3950:
3928:
3546:
3127:
2881:"The Case for Elliptic Curve Cryptography"
2805:Elliptic Curve Digital Signature Algorithm
2595:simple/differential power analysis attacks
687:Elliptic Curve Digital Signature Algorithm
241:Elliptic Curve Digital Signature Algorithm
2826:Homomorphic signatures for network coding
2746:Tripling-oriented Doche–Icart–Kohel curve
2741:Doubling-oriented Doche–Icart–Kohel curve
701:Edwards-curve Digital Signature Algorithm
4199:The Case for Elliptic Curve Cryptography
3159:
612:
358:
4186:Advances in Elliptic Curve Cryptography
3381:IEEE Transactions on Information Theory
2901:
2694:
2564:
1534:{\displaystyle |E(\mathbb {F} _{q})|=q}
825:, that is the smallest positive number
591:computational Diffie–Hellman assumption
14:
5854:
5679:Clifford's theorem on special divisors
4098:
4036:
3448:
2942:
455:This set of points, together with the
88:scheme. They are also used in several
84:by combining the key agreement with a
5237:
4845:
4332:
4240:Luca De Feo, David Jao, Jerome Plut,
4177:I. Blake, G. Seroussi, and N. Smart,
4117:
3973:Roetteler, Martin; Naehrig, Michael;
3690:Advances in Cryptology — ASIACRYPT'98
3497:
3196:
3022:"Fact Sheet NSA Suite B Cryptography"
1819:{\displaystyle y\in \mathbb {F} _{q}}
1784:{\displaystyle x\in \mathbb {F} _{q}}
1696:) which requires a 3072-bit value of
817:. For cryptographic application, the
718:key agreement scheme is based on the
363:For the purposes of this article, an
262:as well as pairing-based signatures,
4672:Naccache–Stern knapsack cryptosystem
4172:Guide to Elliptic Curve Cryptography
4163:, Version 1.0, September 20, 2000. (
3951:Bernstein, Daniel J.; Lange, Tanja.
3859:. Vol. 1880. pp. 131–146.
3849:Advances in Cryptology — CRYPTO 2000
3580:"112-bit prime ECDLP solved – LACAL"
3405:
2875:
2873:
2871:
2159:{\displaystyle y={\frac {Y}{Z^{2}}}}
2082:{\displaystyle y={\frac {Y}{Z^{3}}}}
2042:{\displaystyle x={\frac {X}{Z^{2}}}}
2009:, but a different relation is used:
1439:{\displaystyle \mathbb {F} _{p^{B}}}
1341:is the characteristic of the field:
1282:{\displaystyle \mathbb {F} _{2^{m}}}
741:
577:. Early public-key systems, such as
288:
193:{\displaystyle \mathbb {F} _{2^{m}}}
97:Lenstra elliptic-curve factorization
4037:Holmes, David (September 7, 2021).
2821:Elliptic curve point multiplication
2285:{\displaystyle (X,Y,Z,Z^{2},Z^{3})}
1477:{\displaystyle E(\mathbb {F} _{q})}
1177:defined in the standard documents:
905:{\displaystyle E(\mathbb {F} _{p})}
430:{\displaystyle y^{2}=x^{3}+ax+b,\,}
68:Elliptic curves are applicable for
27:Approach to public-key cryptography
24:
5837:Vector bundles on algebraic curves
5771:Weber's theorem (Algebraic curves)
5368:Hasse's theorem on elliptic curves
5358:Counting points on elliptic curves
4270:, Société Mathématique de France,
4161:SEC 1: Elliptic Curve Cryptography
4101:"Breaking SIDH in polynomial time"
3724:Topics in Cryptology — CT-RSA 2001
2985:"Digital Signature Standard (DSS)"
2851:Supersingular isogeny key exchange
847:
789:in the prime case and the pair of
457:group operation of elliptic curves
25:
5883:
4279:
4195:, Chapman & Hall / CRC, 2003.
3857:Lecture Notes in Computer Science
2868:
2228:system five coordinates are used
855:{\displaystyle nG={\mathcal {O}}}
733:
5214:
5213:
4871:
4308:
4068:De Feo, Luca; Jao, Plut (2011).
3615:. April 27, 2004. Archived from
3009:Digital Signature Standard (DSS)
2831:Hyperelliptic curve cryptography
2538:{\displaystyle \mathbb {F} _{p}}
2119:{\displaystyle x={\frac {X}{Z}}}
1960:{\displaystyle y={\frac {Y}{Z}}}
1927:{\displaystyle x={\frac {X}{Z}}}
1741:{\displaystyle \mathbb {F} _{q}}
1681:{\displaystyle q\approx 2^{256}}
1648:{\displaystyle \mathbb {F} _{q}}
1563:{\displaystyle \mathbb {F} _{q}}
1395:{\displaystyle \mathbb {F} _{p}}
785:. Thus the field is defined by
147:{\displaystyle \mathbb {F} _{p}}
5459:Hurwitz's automorphisms theorem
4703:Discrete logarithm cryptography
4179:Elliptic Curves in Cryptography
4092:
4061:
4049:from the original on 2020-08-08
3242:"GEC 2: Test Vectors for SEC 1"
3148:from the original on 2019-06-04
3105:
1170:the number of points on a curve
1151:{\displaystyle (m,f,a,b,G,n,h)}
1096:; in the binary case, they are
317:§ Quantum computing attack
5684:Gonality of an algebraic curve
5595:Differential of the first kind
5075:Information-theoretic security
4231:"Elliptic Curve Cryptosystems"
3929:Shumow, Dan; Ferguson, Niels.
2904:"Elliptic curve cryptosystems"
2895:
2342:{\displaystyle p\approx 2^{d}}
2279:
2235:
2217:{\displaystyle (X,Y,Z,aZ^{4})}
2211:
2177:
1996:
1978:
1901:using the following relation:
1888:
1870:
1619:{\displaystyle O({\sqrt {n}})}
609:to a 3072-bit RSA public key.
5827:Birkhoff–Grothendieck theorem
5537:Nagata's conjecture on curves
5408:Schoof–Elkies–Atkin algorithm
5282:Five points determine a conic
4149:
3484:10.1090/S0025-5718-98-00887-4
3026:U.S. National Security Agency
2799:Elliptic-curve Diffie–Hellman
2605:, especially when running on
1229:Schoof–Elkies–Atkin algorithm
1089:{\displaystyle (p,a,b,G,n,h)}
874:is the size of a subgroup of
777:); the latter case is called
669:Elliptic-curve Diffie–Hellman
237:elliptic-curve Diffie–Hellman
5398:Supersingular elliptic curve
4718:Non-commutative cryptography
4118:Cohen, Cfir (25 June 2019).
3230:(Press release). 2014-06-25.
2612:
2300:Fast reduction (NIST curves)
1574:
870:), is normally prime. Since
729:implicit certificate scheme.
680:Integrated Encryption Scheme
239:(ECDH) for key exchange and
7:
5862:Elliptic curve cryptography
5605:Riemann's existence theorem
5532:Hilbert's sixteenth problem
5424:Elliptic curve cryptography
5337:Fundamental pair of periods
5191:Message authentication code
5146:Cryptographic hash function
4949:Cryptographic hash function
4815:Identity-based cryptography
4708:Elliptic-curve cryptography
4255:, Springer 2020. (archived
4244:, Springer 2011. (archived
4207:, Certicom Corp. (archived
2761:
2707:Alternative representations
2559:
2381:{\displaystyle p=2^{521}-1}
1402:to solve ECDLP. The bound
691:Digital Signature Algorithm
562:Application to cryptography
440:along with a distinguished
31:Elliptic-curve cryptography
18:Elliptic curve cryptography
10:
5888:
5735:Moduli of algebraic curves
5070:Harvest now, decrypt later
4229:Christof Paar, Jan Pelzl,
3766:Daniel J. Bernstein &
3463:Mathematics of Computation
2908:Mathematics of Computation
2836:Pairing-based cryptography
1578:
1371:discrete logarithm problem
332:
328:
314:
102:
5186:Post-quantum cryptography
5138:
4879:
4841:
4820:Post-quantum cryptography
4777:
4769:Post-Quantum Cryptography
4268:Courbes elliptiques (...)
4105:Cryptology ePrint Archive
3271:Algorithmic Number Theory
1406:should be chosen so that
1165:be validated before use.
260:identity-based encryption
5502:Cayley–Bacharach theorem
5429:Elliptic curve primality
5176:Quantum key distribution
5166:Authenticated encryption
5021:Random number generation
4174:, Springer-Verlag, 2004.
3743:10.1007/3-540-45353-9_19
3312:10.1007/3-540-46665-7_23
3279:10.1007/3-540-58691-1_64
2953:10.1007/3-540-39799-X_31
2862:
2640:Quantum computing attack
2619:National Security Agency
2581:) and general addition (
689:(ECDSA) is based on the
663:with an elliptic curve:
573:of certain mathematical
279:Transport Layer Security
221:National Security Agency
78:pseudo-random generators
5867:Public-key cryptography
5761:Riemann–Hurwitz formula
5725:Gromov–Witten invariant
5585:Compact Riemann surface
5373:Mazur's torsion theorem
5171:Public-key cryptography
5161:Symmetric-key algorithm
4954:Key derivation function
4914:Cryptographic primitive
4907:Authentication protocol
4892:Outline of cryptography
4887:History of cryptography
4713:Hash-based cryptography
4360:Public-key cryptography
4099:Robert, Damien (2022).
3865:10.1007/3-540-44598-6_8
3698:10.1007/3-540-49649-1_6
2994:10.6028/NIST.FIPS.186-4
2841:Public-key cryptography
2002:{\displaystyle (X,Y,Z)}
1894:{\displaystyle (X,Y,Z)}
1330:{\displaystyle p^{B}-1}
1007:{\displaystyle h\leq 4}
567:Public-key cryptography
39:public-key cryptography
5378:Modular elliptic curve
4959:Secure Hash Algorithms
4902:Cryptographic protocol
4076:. IACR. Archived from
4018:Cite journal requires
3812:Cite journal requires
3635:www.ecc-challenge.info
2731:Twisted Hessian curves
1715:Projective coordinates
1682:
1649:
1620:
1564:
1535:
1478:
1440:
1396:
1359:
1345:for a prime field, or
1331:
1283:
1243:complex multiplication
1152:
1090:
1034:
1008:
974:
906:
866:of the curve, and the
856:
771:
709:twisted Edwards curves
657:
552:
431:
194:
148:
5292:Rational normal curve
5065:End-to-end encryption
5011:Cryptojacking malware
4375:Integer factorization
4274:, 1-152, Paris, 1978.
4237:as of April 20, 2016)
3526:10.1007/s001459900052
3504:Journal of Cryptology
2856:BLS digital signature
2736:Twisted Edwards curve
2670:claimed to provide a
2664:decade or more away.
2545:with pseudo-Mersenne
770:{\displaystyle 2^{m}}
722:key agreement scheme,
658:
613:Cryptographic schemes
553:
432:
359:Elliptic curve theory
351:have argued that the
315:Further information:
195:
149:
90:integer factorization
5832:Stable vector bundle
5704:Weil reciprocity law
5694:Riemann–Roch theorem
5674:Brill–Noether theory
5610:Riemann–Roch theorem
5527:Genus–degree formula
5388:Mordell–Weil theorem
5363:Division polynomials
5181:Quantum cryptography
5105:Trusted timestamping
4317:at Wikimedia Commons
4226:as of March 4, 2016)
4211:as of March 3, 2016)
3909:NY Times – Bits Blog
3631:"Breaking ECC2K-130"
3124:, 11 September 2013.
2902:Koblitz, N. (1987).
2846:Quantum cryptography
2699:When ECC is used in
2695:Invalid curve attack
2591:side-channel attacks
2565:Side-channel attacks
1848:{\displaystyle xy=1}
1830:
1795:
1760:
1723:
1659:
1630:
1597:
1587:baby-step giant-step
703:(EdDSA) is based on
625:
595:point multiplication
478:
382:
168:
129:
86:symmetric encryption
63:ElGamal cryptosystem
37:) is an approach to
5655:Structure of curves
5547:Quartic plane curve
5469:Hyperelliptic curve
5449:De Franchis theorem
5393:Nagell–Lutz theorem
4934:Cryptographic nonce
4678:Three-pass protocol
4290:Stanford University
4259:as of June 1, 2020)
4167:as of Nov 11, 2014)
3475:1998MaCom..67..353S
3449:Semaev, I. (1998).
2226:Chudnovsky Jacobian
1408:discrete logarithms
1033:{\displaystyle h=1}
1014:) and, preferably,
678:The Elliptic Curve
607:comparable security
349:Daniel J. Bernstein
272:proxy re-encryption
247:with 384-bit keys.
208:curve was selected.
154:for certain primes
43:algebraic structure
5662:Divisors on curves
5454:Faltings's theorem
5403:Schoof's algorithm
5383:Modularity theorem
5050:Subliminal channel
5034:Pseudorandom noise
4976:Key (cryptography)
4448:Discrete logarithm
4248:as of May 7, 2012)
3844:See, for example,
3498:Smart, N. (1999).
3435:2007-02-13 at the
3412:IACR ePrint Report
3214:2018-04-17 at the
3178:RSA Laboratories.
3144:. 19 August 2015.
2789:RSA (cryptosystem)
2569:Unlike most other
2535:
2511:bitwise operations
2495:
2378:
2339:
2282:
2214:
2156:
2116:
2091:López–Dahab system
1293:are vulnerable to
1279:
1225:Schoof's algorithm
1148:
1086:
1030:
1004:
970:
914:Lagrange's theorem
902:
852:
767:
653:
619:discrete logarithm
587:discrete logarithm
548:
467:of the underlying
427:
296:The New York Times
190:
144:
74:digital signatures
5849:
5848:
5845:
5844:
5756:Hasse–Witt matrix
5699:Weierstrass point
5646:Smooth completion
5615:Teichmüller space
5517:Cubic plane curve
5437:
5436:
5351:Arithmetic theory
5332:Elliptic integral
5327:Elliptic function
5231:
5230:
5227:
5226:
5110:Key-based routing
5100:Trapdoor function
4966:Digital signature
4837:
4836:
4833:
4832:
4785:Digital signature
4728:Trapdoor function
4691:
4690:
4408:Goldwasser–Micali
4313:Media related to
3874:978-3-540-67907-3
3752:978-3-540-41898-6
3707:978-3-540-65109-3
3406:Hitt, L. (2006).
3393:10.1109/18.259647
3321:978-3-540-66887-9
3288:978-3-540-58691-3
3197:Bernstein, D. J.
2962:978-3-540-16463-0
2756:Montgomery curves
2593:(e.g., timing or
2507:Barrett reduction
2304:Reduction modulo
2168:modified Jacobian
2154:
2114:
2077:
2037:
1955:
1922:
1611:
1487:Curves such that
1358:{\displaystyle 2}
1300:Curves such that
1175:object identifier
988:, must be small (
937:
864:point at infinity
748:domain parameters
742:Domain parameters
705:Schnorr signature
469:algebraic variety
442:point at infinity
323:quantum computing
289:Security concerns
16:(Redirected from
5879:
5689:Jacobian variety
5659:
5658:
5562:Riemann surfaces
5552:Real plane curve
5512:Cramer's paradox
5492:Bézout's theorem
5317:
5316:
5266:algebraic curves
5258:
5251:
5244:
5235:
5234:
5217:
5216:
5045:Insecure channel
4897:Classical cipher
4866:
4859:
4852:
4843:
4842:
4674:
4575:
4570:
4530:signature scheme
4433:Okamoto–Uchiyama
4126:. Archived from
3975:Svore, Krysta M.
3892:www.schneier.com
3663:. Archived from
3586:. Archived from
3469:(221): 353–356.
3446:
3440:
3439:, section A.12.1
3426:
3420:
3419:
3403:
3397:
3396:
3387:(5): 1639–1646.
3376:
3370:
3369:
3367:
3366:
3360:
3354:. Archived from
3251:. Archived from
3182:. Archived from
3051:. Archived from
3040:
3034:
3033:
3028:. Archived from
3018:
3012:
3007:FIPS PUB 186-3,
2914:(177): 203–209.
2899:
2893:
2892:
2887:. Archived from
2877:
2701:virtual machines
2655:and 126 billion
2649:quantum computer
2645:Shor's algorithm
2544:
2542:
2541:
2536:
2534:
2533:
2528:
2516:The curves over
2093:the relation is
916:that the number
912:it follows from
911:
909:
908:
903:
898:
897:
892:
868:identity element
569:is based on the
345:RSA Laboratories
325:attacks on ECC.
223:(NSA) announced
113:Victor S. Miller
59:RSA cryptosystem
5804:Delta invariant
5775:
5744:
5708:
5669:Abel–Jacobi map
5650:
5624:
5620:Torelli theorem
5590:Dessin d'enfant
5570:Belyi's theorem
5556:
5542:Plücker formula
5473:
5464:Hurwitz surface
5433:
5412:
5346:
5320:Analytic theory
5312:Elliptic curves
5306:
5287:Projective line
5274:Rational curves
5268:
5262:
5232:
5223:
5205:
5134:
4875:
4870:
4829:
4773:
4737:Standardization
4732:
4687:
4670:
4619:
4567:Lattice/SVP/CVP
4561:
4442:
4388:Blum–Goldwasser
4362:
4357:
4299:Maike Massierer
4286:Elliptic Curves
4282:
4262:
4215:Page(s):239–244
4191:L. Washington,
3437:Wayback Machine
3216:Wayback Machine
3095:"Search – CSRC"
2921:10.2307/2007884
2621:has inserted a
2349:; for example,
1969:Jacobian system
1752:operation. The
1289:with non-prime
1271:
1267:
1266:
1261:
1260:
1258:
1255:
1254:
1199:ECC Brainpool (
779:the binary case
47:elliptic curves
5819:Vector bundles
5297:Riemann sphere
5196:Random numbers
5120:Garlic routing
5040:Secure channel
5037:
5031:
5030:
5029:
5018:
5013:
5008:
5003:
4998:
4996:Key stretching
4939:Cryptovirology
4936:
4931:
4926:
4924:Cryptocurrency
4666:Merkle–Hellman
4413:Naccache–Stern
4315:Elliptic curve
4306:
4292:
4281:
4280:External links
4278:
4277:
4276:
4266:Jacques Vélu,
4130:on 2 July 2019
4110:
4091:
4060:
4029:
4020:|journal=
3990:
3965:
3943:
3921:
3896:
3880:
3873:
3837:
3823:
3814:|journal=
3784:
3758:
3751:
3734:10.1.1.25.8619
3713:
3706:
3673:
3670:on 2006-03-27.
3657:ANZIAM Journal
3640:
3622:
3619:on 2011-07-19.
3600:
3571:
3558:
3539:
3517:10.1.1.17.1880
3510:(3): 193–196.
3490:
3441:
3421:
3398:
3371:
3335:
3320:
3294:
3287:
3261:
3258:on 2013-06-06.
3256:(PDF download)
3233:
3219:
3204:
3189:
3186:on 2016-11-01.
3170:
3158:
3126:
3112:Bruce Schneier
3104:
3086:
3068:
3049:New York Times
3035:
3032:on 2009-02-07.
3013:
3000:
2976:
2961:
2935:
2894:
2891:on 2009-01-17.
2769:Cryptocurrency
2765:
2763:
2760:
2759:
2758:
2753:
2751:Jacobian curve
2748:
2743:
2738:
2733:
2728:
2726:Twisted curves
2723:
2721:Edwards curves
2718:
2716:Hessian curves
2708:
2705:
2696:
2693:
2680:Diffie–Hellman
2641:
2638:
2627:Edward Snowden
2314:Mersenne prime
1593:, etc.), need
1236:Koblitz curves
1232:
1212:
1211:
1197:
1188:
1173:by the unique
734:Implementation
732:
731:
730:
723:
712:
697:
694:
683:
676:
673:Diffie–Hellman
650:
646:
640:
635:
630:
614:
611:
571:intractability
450:characteristic
438:
437:
425:
422:
419:
416:
413:
410:
405:
401:
397:
392:
388:
365:elliptic curve
360:
357:
333:Main article:
330:
327:
290:
287:
217:RSA Conference
210:
209:
185:
181:
175:
159:
141:
136:
104:
101:
57:, such as the
26:
9:
6:
4:
3:
2:
5884:
5873:
5872:Finite fields
5781:Singularities
5629:Constructions
5627:
5621:
5618:
5616:
5613:
5611:
5608:
5606:
5603:
5601:
5600:Klein quartic
5598:
5596:
5593:
5591:
5588:
5586:
5583:
5581:
5580:Bolza surface
5578:
5576:
5575:Bring's curve
5573:
5571:
5568:
5567:
5565:
5563:
5559:
5553:
5550:
5548:
5545:
5543:
5540:
5538:
5535:
5533:
5530:
5528:
5525:
5523:
5520:
5518:
5515:
5513:
5510:
5508:
5507:Conic section
5505:
5503:
5500:
5498:
5495:
5493:
5490:
5488:
5487:AF+BG theorem
5485:
5484:
5482:
5480:
5476:
5470:
5467:
5465:
5462:
5460:
5457:
5455:
5452:
5450:
5447:
5446:
5444:
5440:
5430:
5427:
5425:
5422:
5421:
5419:
5415:
5409:
5406:
5404:
5401:
5399:
5396:
5394:
5391:
5389:
5386:
5384:
5381:
5379:
5376:
5374:
5371:
5369:
5366:
5364:
5361:
5359:
5356:
5355:
5353:
5349:
5343:
5340:
5338:
5335:
5333:
5330:
5328:
5325:
5324:
5322:
5318:
5315:
5313:
5309:
5303:
5302:Twisted cubic
5300:
5298:
5295:
5293:
5290:
5288:
5285:
5283:
5280:
5279:
5277:
5275:
5271:
5267:
5259:
5254:
5252:
5247:
5245:
5240:
5239:
5236:
5220:
5212:
5211:
5208:
5202:
5201:Steganography
5199:
5197:
5194:
5192:
5189:
5187:
5184:
5182:
5179:
5177:
5174:
5172:
5169:
5167:
5164:
5162:
5159:
5157:
5156:Stream cipher
5154:
5152:
5149:
5147:
5144:
5143:
5141:
5137:
5131:
5128:
5126:
5123:
5121:
5118:
5116:
5115:Onion routing
5113:
5111:
5108:
5106:
5103:
5101:
5098:
5096:
5095:Shared secret
5093:
5091:
5088:
5086:
5083:
5081:
5078:
5076:
5073:
5071:
5068:
5066:
5063:
5061:
5058:
5056:
5053:
5051:
5048:
5046:
5043:
5041:
5038:
5035:
5032:
5027:
5024:
5023:
5022:
5019:
5017:
5014:
5012:
5009:
5007:
5004:
5002:
4999:
4997:
4994:
4992:
4989:
4987:
4986:Key generator
4984:
4982:
4979:
4977:
4974:
4972:
4969:
4967:
4964:
4960:
4957:
4955:
4952:
4950:
4947:
4946:
4945:
4944:Hash function
4942:
4940:
4937:
4935:
4932:
4930:
4927:
4925:
4922:
4920:
4919:Cryptanalysis
4438:Schmidt–Samoa
4436:
4434:
4431:
4429:
4426:
4424:
4421:
4419:
4416:
4414:
4411:
4409:
4406:
4404:
4401:
4399:
4398:Damgård–Jurik
4396:
4394:
4393:Cayley–Purser
4218:Saikat Basu,
4080:on 2014-05-03
3590:on 2009-07-15
3589:
3585:
3584:lacal.epfl.ch
3361:on 2006-12-06
3099:csrc.nist.gov
3096:
3090:
3083:
3082:
3078:
3072:
3057:on 2022-01-01
2678:to implement
2677:
2673:
2669:
2665:
2662:
2658:
2657:Toffoli gates
2654:
2650:
2646:
2637:
2634:
2632:
2628:
2624:
2623:kleptographic
2620:
2610:
2608:
2604:
2603:fault attacks
2600:
2599:Edwards curve
2224:; and in the
1706:PlayStation 3
1591:Pollard's rho
1410:in the field
984:, called the
465:divisor group
462:
461:abelian group
353:US government
268:key agreement
265:
261:
257:
256:Tate pairings
163:binary fields
70:key agreement
66:
64:
60:
56:
55:Galois fields
52:
51:finite fields
48:
44:
41:based on the
40:
36:
32:
19:
5766:Prym variety
5740:Stable curve
5730:Hodge bundle
5720:ELSV formula
5522:Fermat curve
5479:Plane curves
5442:Higher genus
5417:Applications
5342:Modular form
5151:Block cipher
4991:Key schedule
4981:Key exchange
4971:Kleptography
4929:Cryptosystem
4873:Cryptography
4825:OpenPGP card
4805:Web of trust
4707:
4461:Cramer–Shoup
4271:
4267:
4192:
4185:
4178:
4171:
4139:
4132:. Retrieved
4128:the original
4123:
4113:
4104:
4094:
4082:. Retrieved
4078:the original
4073:
4063:
4051:. Retrieved
4042:
4032:
4011:cite journal
3993:
3968:
3956:. Retrieved
3946:
3937:
3924:
3913:. Retrieved
3911:. 2013-09-10
3908:
3899:
3891:
3883:
3848:
3840:
3826:
3805:cite journal
3787:
3775:. Retrieved
3761:
3723:
3716:
3689:
3676:
3665:the original
3660:
3656:
3643:
3634:
3625:
3617:the original
3612:
3603:
3592:. Retrieved
3588:the original
3583:
3574:
3561:
3552:
3548:
3542:
3507:
3503:
3493:
3466:
3462:
3456:
3452:
3444:
3424:
3415:
3411:
3401:
3384:
3380:
3374:
3363:. Retrieved
3356:the original
3351:
3338:
3303:
3297:
3270:
3264:
3253:the original
3249:www.secg.org
3248:
3236:
3222:
3207:
3192:
3184:the original
3173:
3161:
3150:. Retrieved
3141:
3119:
3107:
3098:
3089:
3079:
3075:Kim Zetter,
3071:
3059:. Retrieved
3054:the original
3048:
3038:
3030:the original
3025:
3016:
3003:
2979:
2944:
2938:
2911:
2907:
2897:
2889:the original
2884:
2710:
2698:
2685:
2672:post-quantum
2666:
2643:
2635:
2631:Dual EC DRBG
2616:
2586:
2582:
2578:
2574:
2568:
2555:
2550:
2546:
2515:
2505:Compared to
2312:is a pseudo-
2309:
2305:
2303:
2225:
2167:
2090:
1968:
1860:
1748:but also an
1718:
1710:
1702:
1697:
1584:
1403:
1366:
1342:
1338:
1301:
1295:Weil descent
1290:
1253:Curves over
1248:
1242:
1217:
1213:
1167:
1162:
1160:
985:
981:
871:
826:
822:
814:
810:
802:
798:
794:
790:
786:
782:
778:
747:
745:
737:
616:
600:
565:
454:
446:finite field
439:
373:finite field
364:
362:
343:). However,
338:
320:
309:RSA Security
299:stated that
294:
292:
276:
264:signcryption
249:
214:
211:
201:
155:
124:prime fields
117:
109:Neal Koblitz
106:
67:
34:
30:
29:
5641:Polar curve
5139:Mathematics
5130:Mix network
4795:Fingerprint
4759:NSA Suite B
4723:RSA problem
4600:NTRUEncrypt
4124:Seclist Org
3768:Tanja Lange
3142:www.nsa.gov
2794:ECC patents
2607:smart cards
1756:(for given
369:plane curve
335:ECC patents
5856:Categories
5636:Dual curve
5264:Topics in
5090:Ciphertext
5060:Decryption
5055:Encryption
5016:Ransomware
4749:IEEE P1363
4367:Algorithms
4150:References
3984:1706.06752
3958:October 1,
3915:2015-11-06
3777:1 December
3686:Miyaji, A.
3594:2009-07-11
3365:2006-01-02
3152:2020-01-08
3061:28 October
2774:Curve25519
2316:, that is
2294:IEEE P1363
1861:projective
1826:such that
1579:See also:
1245:technique.
829:such that
811:base point
245:top secret
219:2005, the
93:algorithms
82:encryption
5749:Morphisms
5497:Bitangent
5080:Plaintext
4053:March 16,
3938:Microsoft
3729:CiteSeerX
3682:Cohen, H.
3512:CiteSeerX
2971:206617984
2676:isogenies
2613:Backdoors
2490:−
2477:−
2464:−
2451:−
2438:−
2425:−
2412:−
2373:−
2327:≈
2166:; in the
2089:; in the
1967:; in the
1857:inversion
1802:∈
1767:∈
1754:inversion
1750:inversion
1666:≈
1575:Key sizes
1322:−
999:≤
807:generator
707:and uses
649:×
539:≃
509:→
293:In 2013,
5219:Category
5125:Kademlia
5085:Codetext
5028:(CSPRNG)
5006:Machines
4810:Key size
4744:CRYPTREC
4661:McEliece
4615:RLWE-SIG
4610:RLWE-KEX
4605:NTRUSign
4418:Paillier
4303:CrypTool
4301:and the
4165:archived
4047:Archived
3613:Certicom
3534:24368962
3433:Archived
3330:15134380
3212:Archived
3146:Archived
3121:Slashdot
2784:DNSCurve
2762:See also
2560:Security
1655:, where
1304:divides
1297:attacks.
986:cofactor
809:(a.k.a.
617:Several
603:key size
575:problems
459:, is an
5809:Tacnode
5794:Crunode
4880:General
4656:Lamport
4636:CEILIDH
4595:NewHope
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.