Knowledge

Elliptic-curve cryptography


19 September 2013. "Recommending against the use of SP 800-90A Dual Elliptic Curve Deterministic Random Bit Generation: NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used."
which is time-consuming and troublesome to implement. As a result, several standard bodies published domain parameters of elliptic curves for several common field sizes. Such domain parameters are commonly known as "standard curves" or "named curves"; a named curve can be referenced either by name or
in September 2013 issued an advisory recommending that its customers discontinue using any software based on Dual_EC_DRBG. In the wake of the exposure of Dual_EC_DRBG as "an NSA undercover operation", cryptography experts have also expressed concern over the security of the NIST recommended elliptic
algorithm requires 4098 qubits and 5.2 trillion Toffoli gates for a 2048-bit RSA key, suggesting that ECC is an easier target for quantum computers than RSA. All of these figures vastly exceed any quantum computer that has ever been built, and estimates place the creation of such computers at a
key exchanges. This key exchange uses much of the same field arithmetic as existing elliptic curve cryptography and requires computational and transmission overhead similar to many currently used public key systems. However, new classical attacks undermined the security of this protocol.
The SEV elliptic-curve (ECC) implementation was found to be vulnerable to an invalid curve attack. At launch-start command, an attacker can send small order ECC points not on the official NIST curves, and force the SEV firmware to multiply a small order point by the firmware's private DH
If, despite the preceding admonition, one decides to construct one's own domain parameters, one should select the underlying field and then use one of the following strategies to find a curve with appropriate (i.e., near prime) number of points using one of the following methods:
there can be an order of magnitude speed-up. The speed-up here is a practical rather than theoretical one, and derives from the fact that the moduli of numbers against numbers near powers of two can be performed efficiently by computers operating on binary numbers with
and the inability to compute the multiplicand given the original point and product point. The size of the elliptic curve, measured by the total number of discrete integer pairs satisfying the curve equation, determines the difficulty of the problem.
SECG test vectors are also available. NIST has approved many SECG curves, so there is a significant overlap between the specifications published by NIST and SECG. EC domain parameters may be specified either by value or by name.
The hardest ECC scheme (publicly) broken to date had a 112-bit key for the prime field case and a 109-bit key for the binary field case. For the prime field case, this was broken in July 2009 using a cluster of over 200
Chapter 9 of "Understanding Cryptography, A Textbook for Students and Practitioners". (companion web site contains online cryptography course that covers elliptic curve cryptography), Springer, 2009. (archived
K. Malhotra, S. Gardner, and R. Patz, Implementation of Elliptic-Curve Cryptography on Mobile Healthcare Devices, Networking, Sensing and Control, 2007 IEEE International Conference on, London, 15–17 April 2007
attacks. "Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy."
The SafeCurves project has been launched in order to catalog curves that are easy to implement securely and are designed in a fully publicly verifiable way to minimize the chance of a backdoor.
elliptic curve digital signature standard (ECDSA; NIST FIPS 186-3) and certain practical ECC-based key exchange schemes (including ECDH) can be implemented without infringing those patents.
which exclusively uses ECC for digital signature generation and key exchange. The suite is intended to protect both classified and unclassified national security systems and information.
game consoles and could have been finished in 3.5 months using this cluster when running continuously. The binary field case was broken in April 2004 using 2600 computers over 17 months.
where the private key should be just as large. However, the public key may be smaller to accommodate efficient encryption, especially when processing power is limited (e.g. in Africa).
standard. One analysis of the possible backdoor concluded that an adversary in possession of the algorithm's secret key could obtain encryption keys given only 32 bytes of PRNG output.
-2000 standard uses "projective coordinates" to refer to what is commonly called Jacobian coordinates. An additional speed-up is possible if mixed coordinates are used.
is one to two orders of magnitude slower than multiplication. However, points on a curve can be represented in different coordinate systems which do not require an
The NIST recommendation thus contains a total of five prime curves and ten binary curves. The curves were chosen for optimal security and implementation efficiency.
this is a special family of elliptic curves for which doubling and addition can be done with the same operation. Another concern for ECC-systems is the danger of
a large integer composed of two or more large prime factors which are far apart. For later elliptic-curve-based protocols, the base assumption is that finding the
According to Bernstein and Lange, many of the efficiency-related decisions in NIST FIPS 186-2 are suboptimal. Other curves are more secure and run just as fast.
steps, it follows that the size of the underlying field should be roughly twice the security parameter. For example, for 128-bit security one needs a curve over
this is the "elliptic curve discrete logarithm problem" (ECDLP). The security of elliptic curve cryptography depends on the ability to compute a
For the binary elliptic curve case, 906 qubits are necessary (to break 128 bits of security). In comparison, using Shor's algorithm to break the
using, for example, fixed pattern window (a.k.a. comb) methods (note that this does not increase computation time). Alternatively one can use an
systems (where it is possible to use the same procedure for squaring and multiplication), the EC addition is significantly different for doubling (
While the RSA patent expired in 2000, there may be patents in force covering certain aspects of ECC technology, including at least one ECC scheme (
A close examination of the addition rules shows that in order to add two points, one needs not only several additions and multiplications in
A current project is aiming at breaking the ECC2K-130 challenge by Certicom, by using a wide range of different hardware: CPUs, GPUs, FPGA.
(5 September) "I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry." See
In August 2015, the NSA announced that it planned to transition "in the not distant future" to a new cipher suite that is resistant to
Unless there is an assurance that domain parameters were generated by a party trusted with respect to their use, the domain parameters
Brown, M.; Hankerson, D.; Lopez, J.; Menezes, A. (2001). "Software Implementation of the NIST Elliptic Curves over Prime Fields".
Additionally, in August 2015, the NSA announced that it plans to replace Suite B with a new cipher suite due to concerns about
Satoh, T.; Araki, K. (1998). "Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves".
Recently, a large number of cryptographic primitives based on bilinear mappings on various elliptic curve groups, such as the
Lay, Georg-Johann; Zimmer, Horst G. (1994). "Constructing elliptic curves with given group order over large finite fields".
Menezes, A.; Okamoto, T.; Vanstone, S. A. (1993). "Reducing elliptic curve logarithms to logarithms in a finite field".
backdoor into at least one elliptic curve-based pseudo random generator. Internal memos leaked by former NSA contractor
ECC allows smaller keys to provide equivalent security, compared to cryptosystems based on modular exponentiation in
The latest quantum resource estimates for breaking a curve with a 256-bit modulus (128-bit security level) are 2330
Biehl, Ingrid; Meyer, Bernd; Müller, Volker (2000). "Differential Fault Attacks on Elliptic Curve Cryptosystems".
reducing storage and transmission requirements. For example, a 256-bit elliptic curve public key should provide
A New Parallel Window-Based Implementation of the Elliptic Curve Point Multiplication in Multi-Core Architectures
(ECIES), also known as Elliptic Curve Augmented Encryption Scheme or simply the Elliptic Curve Encryption Scheme,
In 1999, NIST recommended fifteen elliptic curves. Specifically, FIPS 186-4 has ten recommended finite fields:
which requires 3072-bit public keys and 256-bit private keys, and integer factorization cryptography (e.g.,
of the scheme. The size of the field used is typically either prime (and denoted as p) or is a power of two (
The generation of domain parameters is not usually done by each participant because this involves computing
of sizes 192, 224, 256, 384, and 521 bits. For each of the prime fields, one elliptic curve is recommended.
2129: 2052: 2012: 1413: 1256: 167: 5760: 5724: 5423: 5336: 5190: 5145: 4948: 4814: 4556: 4470: 4392: 3977:; Lauter, Kristin (2017). "Quantum resource estimates for computing elliptic curve discrete logarithms". 3137: 2602: 2231: 1689: 1449: 877: 719: 690: 381: 3165: 3076: 5734: 5372: 5069: 4566: 4455: 4437: 2835: 1370: 832: 601:
The primary benefit promised by elliptic curve cryptography over alternatives such as RSA is a smaller
(ECDSA) for digital signature. The NSA allows their use for protecting information classified up to
can be used to break elliptic curve cryptography by computing discrete logarithms on a hypothetical
of a random elliptic curve element with respect to a publicly known base point is infeasible (the
Select a random curve from a family which allows easy calculation of the number of points (e.g.,
To use ECC, all parties must agree on all the elements defining the elliptic curve, that is, the
which had included a deliberate weakness in the algorithm and the recommended elliptic curve.
International Journal of Network Security, Vol. 13, No. 3, 2011, Page(s):234–241 (archived
system the same relations are used but four coordinates are stored and used for calculations
equal 163, 233, 283, 409, and 571. For each of the binary fields, one elliptic curve and one
are vulnerable to the attack that maps the points on the curve to the additive group of
(or Dual_EC_DRBG) had been included as a NIST national standard due to the influence of
Elliptic curve cryptography is used successfully in numerous popular protocols, such as
Galbraith, S. D.; Smart, N. P. (1999). "A Cryptographic Application of Weil Descent".
Select the number of points and generate a curve with this number of points using the
Interactive introduction to elliptic curves and elliptic curve cryptography with Sage
"Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies"
Ono, T. (1998). "Efficient Elliptic Curve Exponentiation Using Mixed Coordinates".
(rather than the real numbers) which consists of the points satisfying the equation:
Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies
are recommended by NIST. Yet another advantage of the NIST curves is that they use
"Implementing an efficient elliptic curve cryptosystem over GF(p) on a smart card"
in 1985. Elliptic curve cryptography algorithms entered wide use in 2004 to 2005.
Select a random curve and use a general point-counting algorithm, for example,
's 1983 patent, based their security on the assumption that it is difficult to
not equal to 2 or 3, or the curve equation would be somewhat more complicated.
used in its defining equation. Finally, the cyclic subgroup is defined by its
curves, suggesting a return to encryption based on non-elliptic-curve groups.
5855: 5818: 5599: 5579: 5506: 5301: 5233: 5200: 5155: 5114: 5094: 4985: 4943: 4918: 3742: 3685: 3311: 3278: 2952: 2622: 2598: 1705: 460: 267: 69: 4120:"AMD-SEV: Platform DH key recovery via invalid curve attack (CVE-2019-9836)" 3864: 3697: 2993: 1585:
Because all the fastest known algorithms that allow one to solve the ECDLP (
are at least as difficult to compute as discrete logs on the elliptic curve
are vulnerable to Menezes–Okamoto–Vanstone (MOV) attack which applies usual
have been introduced. Schemes based on these primitives provide efficient
an attacker may use an invalid curve to get a complete PDH private key.
The use of elliptic curves in cryptography was suggested independently by
and this case necessitates the choice of an auxiliary curve denoted by
"Cr.yp.to: 2014.03.23: How to design an elliptic-curve signature system"
"Constructive and destructive facets of Weil descent on elliptic curves"
operation to add two points. Several such systems were proposed: in the
Commercial National Security Algorithm Suite and Quantum Computing FAQ
"On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng"
in the binary case. The elliptic curve is defined by the constants
Gustavo Banegas, Daniel J. Bernstein, Iggy Van Hoof, Tanja Lange,
"SafeCurves: choosing safe curves for elliptic-curve cryptography"
RSA Tells Its Developer Customers: Stop Using NSA-Linked Algorithm
= −3, which improves addition in Jacobian coordinates.
"Certicom Announces Elliptic Curve Cryptography Challenge Winner"
"The discrete logarithm problem on elliptic curves of trace one"
The deformation scheme using Harrison's p-adic Manhattan metric,
denoted ∞. The coordinates here are to be chosen from a fixed
Banegas, G.; Bernstein, D. J.; Hoof, I. van; Lange, T. (2020).
This can be contrasted with finite-field cryptography (e.g.,
"Digital Signature Standard (DSS)". National Institute of Standards and Technology. 2013-07-19.
Miller, V. (1986). "Use of Elliptic Curves in Cryptography".
"Did NSA Put a Secret Backdoor in New Encryption Standard?"
Hitchcock, Y.; Dawson, E.; Clark, A.; Montague, P. (2002).
Perlroth, Nicole; Larson, Jeff; Shane, Scott (2013-09-05).
1190: 1181: 4000:"Concrete quantum cryptanalysis of binary elliptic curves" 3765: 3720: 1249:
Several classes of curves are weak and should be avoided:
is an integer. In cryptographic applications, this number
Concrete quantum cryptanalysis of binary elliptic curves
"N.S.A. Able to Foil Basic Safeguards of Privacy on Web"
Alternative representations of elliptic curves include:
-torsion points of an elliptic curve in characteristic
Cryptographic experts have expressed concerns that the
Dual Elliptic Curve Deterministic Random Bit Generation
(NIST) has endorsed elliptic curve cryptography in its
Cryptographically secure pseudorandom number generator
National Security Agency (archived January 17, 2009)
system each point is represented by three coordinates
secure form of elliptic curve cryptography by using
"Irrelevant patents on elliptic-curve cryptography"
a point is also represented with three coordinates
SEC 2: Recommended Elliptic Curve Domain Parameters
Some common implementation considerations include:
and other tasks. Indirectly, they can be used for
that have applications in cryptography, such as
(ECDH) key agreement scheme is based on the
set of recommended algorithms, specifically
suggest that the NSA put a backdoor in the
(DLP) in a small-degree extension field of
for a binary field) for sufficiently small
This set of points, together with the
scheme. They are also used in several
by combining the key agreement with a
which requires a 3072-bit value of
For cryptographic application, the
key agreement scheme is based on the
For the purposes of this article, an
as well as pairing-based signatures,
but a different relation is used:
is the characteristic of the field:
Early public-key systems, such as
defined in the standard documents:
Elliptic curves are applicable for
Approach to public-key cryptography
in the prime case and the pair of
system five coordinates are used
Thus the field is defined by
the number of points on a curve
in the binary case, they are
using the following relation:
to a 3072-bit RSA public key.
especially when running on
is the size of a subgroup of
the latter case is called
is normally prime. Since
implicit certificate scheme.
(ECDH) for key exchange and
to solve ECDLP. The bound
along with a distinguished
4105:Cryptology ePrint Archive 3271:Algorithmic Number Theory 1406:should be chosen so that 1165:be validated before use. 260:identity-based encryption 5502:Cayley–Bacharach theorem 5429:Elliptic curve primality 5176:Quantum key distribution 5166:Authenticated encryption 5021:Random number generation 4174:, Springer-Verlag, 2004. 3743:10.1007/3-540-45353-9_19 3312:10.1007/3-540-46665-7_23 3279:10.1007/3-540-58691-1_64 2953:10.1007/3-540-39799-X_31 2862: 2640:Quantum computing attack 2619:National Security Agency 2581:) and general addition ( 689:(ECDSA) is based on the 663:with an elliptic curve: 573:of certain mathematical 279:Transport Layer Security 221:National Security Agency 78:pseudo-random generators 5867:Public-key cryptography 5761:Riemann–Hurwitz formula 5725:Gromov–Witten invariant 5585:Compact Riemann surface 5373:Mazur's torsion theorem 5171:Public-key cryptography 5161:Symmetric-key algorithm 4954:Key derivation function 4914:Cryptographic primitive 4907:Authentication protocol 4892:Outline of cryptography 4887:History of cryptography 4713:Hash-based cryptography 4360:Public-key cryptography 4099:Robert, Damien (2022). 3865:10.1007/3-540-44598-6_8 3698:10.1007/3-540-49649-1_6 2994:10.6028/NIST.FIPS.186-4 2841:Public-key cryptography 2002:{\displaystyle (X,Y,Z)} 1894:{\displaystyle (X,Y,Z)} 1330:{\displaystyle p^{B}-1} 1007:{\displaystyle h\leq 4} 567:Public-key cryptography 39:public-key cryptography 5378:Modular elliptic curve 4959:Secure Hash Algorithms 4902:Cryptographic protocol 4076:. IACR. 
Archived from 4018:Cite journal requires 3812:Cite journal requires 3635:www.ecc-challenge.info 2731:Twisted Hessian curves 2539: 2499: 2382: 2343: 2286: 2218: 2160: 2120: 2083: 2043: 2003: 1961: 1928: 1895: 1849: 1820: 1785: 1742: 1715:Projective coordinates 1682: 1649: 1620: 1564: 1535: 1478: 1440: 1396: 1359: 1345:for a prime field, or 1331: 1283: 1243:complex multiplication 1152: 1090: 1034: 1008: 974: 906: 866:of the curve, and the 856: 771: 709:twisted Edwards curves 657: 552: 431: 194: 148: 5292:Rational normal curve 5065:End-to-end encryption 5011:Cryptojacking malware 4375:Integer factorization 4274:, 1-152, Paris, 1978. 4237:as of April 20, 2016) 3526:10.1007/s001459900052 3504:Journal of Cryptology 2856:BLS digital signature 2736:Twisted Edwards curve 2670:claimed to provide a 2664:decade or more away. 2545:with pseudo-Mersenne 2540: 2500: 2383: 2344: 2287: 2219: 2161: 2121: 2084: 2044: 2004: 1962: 1929: 1896: 1850: 1821: 1786: 1743: 1683: 1650: 1621: 1565: 1536: 1479: 1441: 1397: 1360: 1332: 1284: 1153: 1091: 1035: 1009: 975: 907: 857: 772: 770:{\displaystyle 2^{m}} 722:key agreement scheme, 658: 613:Cryptographic schemes 553: 432: 359:Elliptic curve theory 351:have argued that the 315:Further information: 195: 149: 90:integer factorization 5832:Stable vector bundle 5704:Weil reciprocity law 5694:Riemann–Roch theorem 5674:Brill–Noether theory 5610:Riemann–Roch theorem 5527:Genus–degree formula 5388:Mordell–Weil theorem 5363:Division polynomials 5181:Quantum cryptography 5105:Trusted timestamping 4317:at Wikimedia Commons 4226:as of March 4, 2016) 4211:as of March 3, 2016) 3909:NY Times – Bits Blog 3631:"Breaking ECC2K-130" 3124:, 11 September 2013. 2902:Koblitz, N. (1987). 
2846:Quantum cryptography 2699:When ECC is used in 2695:Invalid curve attack 2591:side-channel attacks 2565:Side-channel attacks 2520: 2392: 2353: 2320: 2232: 2174: 2130: 2097: 2053: 2013: 1975: 1938: 1905: 1867: 1848:{\displaystyle xy=1} 1830: 1795: 1760: 1723: 1659: 1630: 1597: 1587:baby-step giant-step 1545: 1491: 1450: 1414: 1377: 1349: 1308: 1257: 1100: 1044: 1018: 992: 920: 878: 833: 754: 703:(EdDSA) is based on 625: 595:point multiplication 478: 382: 168: 129: 86:symmetric encryption 63:ElGamal cryptosystem 37:) is an approach to 5655:Structure of curves 5547:Quartic plane curve 5469:Hyperelliptic curve 5449:De Franchis theorem 5393:Nagell–Lutz theorem 4934:Cryptographic nonce 4678:Three-pass protocol 4290:Stanford University 4259:as of June 1, 2020) 4167:as of Nov 11, 2014) 3475:1998MaCom..67..353S 3449:Semaev, I. (1998). 2226:Chudnovsky Jacobian 1408:discrete logarithms 1033:{\displaystyle h=1} 1014:) and, preferably, 678:The Elliptic Curve 607:comparable security 349:Daniel J. Bernstein 272:proxy re-encryption 247:with 384-bit keys. 208:curve was selected. 154:for certain primes 43:algebraic structure 5662:Divisors on curves 5454:Faltings's theorem 5403:Schoof's algorithm 5383:Modularity theorem 5050:Subliminal channel 5034:Pseudorandom noise 4976:Key (cryptography) 4448:Discrete logarithm 4248:as of May 7, 2012) 3844:See, for example, 3498:Smart, N. (1999). 3435:2007-02-13 at the 3412:IACR ePrint Report 3214:2018-04-17 at the 3178:RSA Laboratories. 3144:. 19 August 2015. 
2789:RSA (cryptosystem) 2569:Unlike most other 2535: 2511:bitwise operations 2495: 2378: 2339: 2282: 2214: 2156: 2116: 2091:López–Dahab system 2079: 2039: 1999: 1957: 1924: 1891: 1845: 1816: 1781: 1738: 1678: 1645: 1616: 1560: 1531: 1474: 1436: 1392: 1355: 1327: 1293:are vulnerable to 1279: 1225:Schoof's algorithm 1148: 1086: 1030: 1004: 970: 914:Lagrange's theorem 902: 852: 767: 653: 619:discrete logarithm 587:discrete logarithm 548: 467:of the underlying 427: 296:The New York Times 190: 144: 74:digital signatures 5849: 5848: 5845: 5844: 5756:Hasse–Witt matrix 5699:Weierstrass point 5646:Smooth completion 5615:Teichmüller space 5517:Cubic plane curve 5437: 5436: 5351:Arithmetic theory 5332:Elliptic integral 5327:Elliptic function 5231: 5230: 5227: 5226: 5110:Key-based routing 5100:Trapdoor function 4966:Digital signature 4837: 4836: 4833: 4832: 4785:Digital signature 4728:Trapdoor function 4691: 4690: 4408:Goldwasser–Micali 4313:Media related to 3874:978-3-540-67907-3 3752:978-3-540-41898-6 3707:978-3-540-65109-3 3406:Hitt, L. (2006). 3393:10.1109/18.259647 3321:978-3-540-66887-9 3288:978-3-540-58691-3 3197:Bernstein, D. J. 
2962:978-3-540-16463-0 2756:Montgomery curves 2593:(e.g., timing or 2507:Barrett reduction 2304:Reduction modulo 2168:modified Jacobian 2154: 2114: 2077: 2037: 1955: 1922: 1611: 1487:Curves such that 1358:{\displaystyle 2} 1300:Curves such that 1175:object identifier 988:, must be small ( 937: 864:point at infinity 748:domain parameters 742:Domain parameters 705:Schnorr signature 469:algebraic variety 442:point at infinity 323:quantum computing 289:Security concerns 16:(Redirected from 5879: 5689:Jacobian variety 5659: 5658: 5562:Riemann surfaces 5552:Real plane curve 5512:Cramer's paradox 5492:Bézout's theorem 5317: 5316: 5266:algebraic curves 5258: 5251: 5244: 5235: 5234: 5217: 5216: 5045:Insecure channel 4897:Classical cipher 4866: 4859: 4852: 4843: 4842: 4674: 4575: 4570: 4530:signature scheme 4433:Okamoto–Uchiyama 4371: 4370: 4353: 4346: 4339: 4330: 4329: 4326: 4325: 4322: 4321: 4312: 4144: 4143: 4137: 4135: 4126:. Archived from 4115: 4109: 4108: 4096: 4090: 4089: 4087: 4085: 4065: 4059: 4058: 4056: 4054: 4034: 4028: 4027: 4021: 4016: 4014: 4006: 4004: 3995: 3989: 3988: 3986: 3975:Svore, Krysta M. 3970: 3964: 3963: 3961: 3959: 3948: 3942: 3941: 3935: 3926: 3920: 3919: 3917: 3916: 3901: 3895: 3892:www.schneier.com 3885: 3879: 3878: 3854: 3842: 3836: 3835: 3828: 3822: 3821: 3815: 3810: 3808: 3800: 3798: 3789: 3783: 3782: 3780: 3778: 3763: 3757: 3756: 3736: 3718: 3712: 3711: 3678: 3672: 3671: 3669: 3663:. Archived from 3654: 3645: 3639: 3638: 3627: 3621: 3620: 3605: 3599: 3598: 3596: 3595: 3586:. Archived from 3576: 3570: 3563: 3557: 3556: 3544: 3538: 3537: 3519: 3495: 3489: 3488: 3486: 3469:(221): 353–356. 3446: 3440: 3439:, section A.12.1 3426: 3420: 3419: 3403: 3397: 3396: 3387:(5): 1639–1646. 3376: 3370: 3369: 3367: 3366: 3360: 3354:. Archived from 3349: 3340: 3334: 3333: 3299: 3293: 3292: 3266: 3260: 3259: 3257: 3251:. Archived from 3246: 3238: 3232: 3231: 3224: 3218: 3209: 3203: 3202: 3194: 3188: 3187: 3182:. 
Archived from 3175: 3169: 3163: 3157: 3156: 3154: 3153: 3134: 3125: 3109: 3103: 3102: 3091: 3085: 3073: 3067: 3066: 3064: 3062: 3056: 3051:. Archived from 3040: 3034: 3033: 3028:. Archived from 3018: 3012: 3007:FIPS PUB 186-3, 3005: 2999: 2998: 2996: 2981: 2975: 2974: 2940: 2934: 2933: 2923: 2914:(177): 203–209. 2899: 2893: 2892: 2887:. Archived from 2877: 2701:virtual machines 2655:and 126 billion 2649:quantum computer 2645:Shor's algorithm 2544: 2542: 2541: 2536: 2534: 2533: 2528: 2516:The curves over 2504: 2502: 2501: 2496: 2488: 2487: 2475: 2474: 2462: 2461: 2449: 2448: 2436: 2435: 2423: 2422: 2410: 2409: 2387: 2385: 2384: 2379: 2371: 2370: 2348: 2346: 2345: 2340: 2338: 2337: 2291: 2289: 2288: 2283: 2278: 2277: 2265: 2264: 2223: 2221: 2220: 2215: 2210: 2209: 2165: 2163: 2162: 2157: 2155: 2153: 2152: 2140: 2125: 2123: 2122: 2117: 2115: 2107: 2093:the relation is 2088: 2086: 2085: 2080: 2078: 2076: 2075: 2063: 2048: 2046: 2045: 2040: 2038: 2036: 2035: 2023: 2008: 2006: 2005: 2000: 1966: 1964: 1963: 1958: 1956: 1948: 1933: 1931: 1930: 1925: 1923: 1915: 1900: 1898: 1897: 1892: 1854: 1852: 1851: 1846: 1825: 1823: 1822: 1817: 1815: 1814: 1809: 1790: 1788: 1787: 1782: 1780: 1779: 1774: 1747: 1745: 1744: 1739: 1737: 1736: 1731: 1687: 1685: 1684: 1679: 1677: 1676: 1654: 1652: 1651: 1646: 1644: 1643: 1638: 1625: 1623: 1622: 1617: 1612: 1607: 1569: 1567: 1566: 1561: 1559: 1558: 1553: 1540: 1538: 1537: 1532: 1524: 1516: 1515: 1510: 1498: 1483: 1481: 1480: 1475: 1470: 1469: 1464: 1445: 1443: 1442: 1437: 1435: 1434: 1433: 1432: 1422: 1401: 1399: 1398: 1393: 1391: 1390: 1385: 1364: 1362: 1361: 1356: 1336: 1334: 1333: 1328: 1320: 1319: 1288: 1286: 1285: 1280: 1278: 1277: 1276: 1275: 1265: 1157: 1155: 1154: 1149: 1095: 1093: 1092: 1087: 1039: 1037: 1036: 1031: 1013: 1011: 1010: 1005: 979: 977: 976: 971: 969: 961: 960: 955: 943: 938: 930: 916:that the number 912:it follows from 911: 909: 908: 903: 898: 897: 892: 868:identity element 861: 859: 858: 853: 851: 850: 776: 774: 773: 
768: 766: 765: 662: 660: 659: 654: 652: 651: 642: 641: 636: 569:is based on the 557: 555: 554: 549: 528: 527: 522: 498: 497: 492: 436: 434: 433: 428: 407: 406: 394: 393: 345:RSA Laboratories 325:attacks on ECC. 223:(NSA) announced 199: 197: 196: 191: 189: 188: 187: 186: 176: 153: 151: 150: 145: 143: 142: 137: 113:Victor S. Miller 59:RSA cryptosystem 21: 5887: 5886: 5882: 5881: 5880: 5878: 5877: 5876: 5852: 5851: 5850: 5841: 5813: 5804:Delta invariant 5775: 5744: 5708: 5669:Abel–Jacobi map 5650: 5624: 5620:Torelli theorem 5590:Dessin d'enfant 5570:Belyi's theorem 5556: 5542:Plücker formula 5473: 5464:Hurwitz surface 5433: 5412: 5346: 5320:Analytic theory 5312:Elliptic curves 5306: 5287:Projective line 5274:Rational curves 5268: 5262: 5232: 5223: 5205: 5134: 4875: 4870: 4829: 4773: 4737:Standardization 4732: 4687: 4670: 4619: 4567:Lattice/SVP/CVP 4561: 4442: 4388:Blum–Goldwasser 4362: 4357: 4299:Maike Massierer 4286:Elliptic Curves 4282: 4262: 4215:Page(s):239–244 4191:L. Washington, 4152: 4147: 4133: 4131: 4116: 4112: 4097: 4093: 4083: 4081: 4066: 4062: 4052: 4050: 4035: 4031: 4019: 4017: 4008: 4007: 4002: 3996: 3992: 3971: 3967: 3957: 3955: 3949: 3945: 3933: 3927: 3923: 3914: 3912: 3903: 3902: 3898: 3886: 3882: 3875: 3852: 3843: 3839: 3830: 3829: 3825: 3813: 3811: 3802: 3801: 3796: 3790: 3786: 3776: 3774: 3764: 3760: 3753: 3719: 3715: 3708: 3679: 3675: 3667: 3652: 3646: 3642: 3629: 3628: 3624: 3607: 3606: 3602: 3593: 3591: 3578: 3577: 3573: 3564: 3560: 3545: 3541: 3496: 3492: 3447: 3443: 3437:Wayback Machine 3427: 3423: 3404: 3400: 3377: 3373: 3364: 3362: 3358: 3347: 3341: 3337: 3322: 3300: 3296: 3289: 3267: 3263: 3255: 3244: 3240: 3239: 3235: 3226: 3225: 3221: 3216:Wayback Machine 3210: 3206: 3195: 3191: 3176: 3172: 3164: 3160: 3151: 3149: 3136: 3135: 3128: 3110: 3106: 3095:"Search – CSRC" 3093: 3092: 3088: 3074: 3070: 3060: 3058: 3041: 3037: 3020: 3019: 3015: 3006: 3002: 2983: 2982: 2978: 2963: 2941: 2937: 2921:10.2307/2007884 2900: 2896: 2879: 2878: 2869: 2865: 
2860: 2764: 2709: 2697: 2642: 2621:has inserted a 2615: 2567: 2562: 2529: 2524: 2523: 2521: 2518: 2517: 2483: 2479: 2470: 2466: 2457: 2453: 2444: 2440: 2431: 2427: 2418: 2414: 2405: 2401: 2393: 2390: 2389: 2366: 2362: 2354: 2351: 2350: 2349:; for example, 2333: 2329: 2321: 2318: 2317: 2302: 2273: 2269: 2260: 2256: 2233: 2230: 2229: 2205: 2201: 2175: 2172: 2171: 2148: 2144: 2139: 2131: 2128: 2127: 2106: 2098: 2095: 2094: 2071: 2067: 2062: 2054: 2051: 2050: 2031: 2027: 2022: 2014: 2011: 2010: 1976: 1973: 1972: 1969:Jacobian system 1947: 1939: 1936: 1935: 1914: 1906: 1903: 1902: 1868: 1865: 1864: 1831: 1828: 1827: 1810: 1805: 1804: 1796: 1793: 1792: 1775: 1770: 1769: 1761: 1758: 1757: 1752:operation. The 1732: 1727: 1726: 1724: 1721: 1720: 1717: 1672: 1668: 1660: 1657: 1656: 1639: 1634: 1633: 1631: 1628: 1627: 1606: 1598: 1595: 1594: 1583: 1577: 1554: 1549: 1548: 1546: 1543: 1542: 1520: 1511: 1506: 1505: 1494: 1492: 1489: 1488: 1465: 1460: 1459: 1451: 1448: 1447: 1428: 1424: 1423: 1418: 1417: 1415: 1412: 1411: 1386: 1381: 1380: 1378: 1375: 1374: 1350: 1347: 1346: 1315: 1311: 1309: 1306: 1305: 1289:with non-prime 1271: 1267: 1266: 1261: 1260: 1258: 1255: 1254: 1199:ECC Brainpool ( 1101: 1098: 1097: 1045: 1042: 1041: 1019: 1016: 1015: 993: 990: 989: 965: 956: 951: 950: 939: 929: 921: 918: 917: 893: 888: 887: 879: 876: 875: 846: 845: 834: 831: 830: 779:the binary case 761: 757: 755: 752: 751: 744: 736: 647: 643: 637: 632: 631: 626: 623: 622: 615: 564: 523: 512: 511: 493: 482: 481: 479: 476: 475: 402: 398: 389: 385: 383: 380: 379: 361: 337: 331: 319: 291: 182: 178: 177: 172: 171: 169: 166: 165: 138: 133: 132: 130: 127: 126: 105: 47:elliptic curves 28: 23: 22: 15: 12: 11: 5: 5885: 5875: 5874: 5869: 5864: 5847: 5846: 5843: 5842: 5840: 5839: 5834: 5829: 5823: 5821: 5819:Vector bundles 5815: 5814: 5812: 5811: 5806: 5801: 5796: 5791: 5785: 5783: 5777: 5776: 5774: 5773: 5768: 5763: 5758: 5752: 5750: 5746: 5745: 5743: 5742: 5737: 5732: 5727: 5722: 5716: 5714: 5710: 5709: 5707: 
5706: 5701: 5696: 5691: 5686: 5681: 5676: 5671: 5665: 5663: 5656: 5652: 5651: 5649: 5648: 5643: 5638: 5632: 5630: 5626: 5625: 5623: 5622: 5617: 5612: 5607: 5602: 5597: 5592: 5587: 5582: 5577: 5572: 5566: 5564: 5558: 5557: 5555: 5554: 5549: 5544: 5539: 5534: 5529: 5524: 5519: 5514: 5509: 5504: 5499: 5494: 5489: 5483: 5481: 5475: 5474: 5472: 5471: 5466: 5461: 5456: 5451: 5445: 5443: 5439: 5438: 5435: 5434: 5432: 5431: 5426: 5420: 5418: 5414: 5413: 5411: 5410: 5405: 5400: 5395: 5390: 5385: 5380: 5375: 5370: 5365: 5360: 5354: 5352: 5348: 5347: 5345: 5344: 5339: 5334: 5329: 5323: 5321: 5314: 5308: 5307: 5305: 5304: 5299: 5297:Riemann sphere 5294: 5289: 5284: 5278: 5276: 5270: 5269: 5261: 5260: 5253: 5246: 5238: 5229: 5228: 5225: 5224: 5222: 5221: 5210: 5207: 5206: 5204: 5203: 5198: 5196:Random numbers 5193: 5188: 5183: 5178: 5173: 5168: 5163: 5158: 5153: 5148: 5142: 5140: 5136: 5135: 5133: 5132: 5127: 5122: 5120:Garlic routing 5117: 5112: 5107: 5102: 5097: 5092: 5087: 5082: 5077: 5072: 5067: 5062: 5057: 5052: 5047: 5042: 5040:Secure channel 5037: 5031: 5030: 5029: 5018: 5013: 5008: 5003: 4998: 4996:Key stretching 4993: 4988: 4983: 4978: 4973: 4968: 4963: 4962: 4961: 4956: 4951: 4941: 4939:Cryptovirology 4936: 4931: 4926: 4924:Cryptocurrency 4921: 4916: 4911: 4910: 4909: 4899: 4894: 4889: 4883: 4881: 4877: 4876: 4869: 4868: 4861: 4854: 4846: 4839: 4838: 4835: 4834: 4831: 4830: 4828: 4827: 4822: 4817: 4812: 4807: 4802: 4797: 4792: 4787: 4781: 4779: 4775: 4774: 4772: 4771: 4766: 4761: 4756: 4751: 4746: 4740: 4738: 4734: 4733: 4731: 4730: 4725: 4720: 4715: 4710: 4705: 4699: 4697: 4693: 4692: 4689: 4688: 4686: 4685: 4680: 4675: 4668: 4666:Merkle–Hellman 4663: 4658: 4653: 4648: 4643: 4638: 4633: 4627: 4625: 4621: 4620: 4618: 4617: 4612: 4607: 4602: 4597: 4592: 4587: 4581: 4579: 4563: 4562: 4560: 4559: 4554: 4549: 4544: 4539: 4534: 4533: 4532: 4522: 4517: 4512: 4511: 4510: 4505: 4495: 4490: 4489: 4488: 4483: 4473: 4468: 4463: 4458: 4452: 4450: 4444: 4443: 4441: 4440: 4435: 
4430: 4425: 4420: 4415: 4413:Naccache–Stern 4410: 4405: 4400: 4395: 4390: 4385: 4379: 4377: 4368: 4364: 4363: 4356: 4355: 4348: 4341: 4333: 4319: 4318: 4315:Elliptic curve 4306: 4292: 4281: 4280:External links 4278: 4277: 4276: 4266:Jacques Vélu, 4261: 4260: 4249: 4238: 4227: 4216: 4212: 4202: 4196: 4189: 4182: 4175: 4168: 4153: 4151: 4148: 4146: 4145: 4130:on 2 July 2019 4110: 4091: 4060: 4029: 4020:|journal= 3990: 3965: 3943: 3921: 3896: 3880: 3873: 3837: 3823: 3814:|journal= 3784: 3758: 3751: 3734:10.1.1.25.8619 3713: 3706: 3673: 3670:on 2006-03-27. 3657:ANZIAM Journal 3640: 3622: 3619:on 2011-07-19. 3600: 3571: 3558: 3539: 3517:10.1.1.17.1880 3510:(3): 193–196. 3490: 3441: 3421: 3398: 3371: 3335: 3320: 3294: 3287: 3261: 3258:on 2013-06-06. 3256:(PDF download) 3233: 3219: 3204: 3189: 3186:on 2016-11-01. 3170: 3158: 3126: 3112:Bruce Schneier 3104: 3086: 3068: 3049:New York Times 3035: 3032:on 2009-02-07. 3013: 3000: 2976: 2961: 2935: 2894: 2891:on 2009-01-17. 2866: 2864: 2861: 2859: 2858: 2853: 2848: 2843: 2838: 2833: 2828: 2823: 2818: 2813: 2808: 2802: 2796: 2791: 2786: 2781: 2776: 2771: 2769:Cryptocurrency 2765: 2763: 2760: 2759: 2758: 2753: 2751:Jacobian curve 2748: 2743: 2738: 2733: 2728: 2726:Twisted curves 2723: 2721:Edwards curves 2718: 2716:Hessian curves 2708: 2705: 2696: 2693: 2680:Diffie–Hellman 2641: 2638: 2627:Edward Snowden 2614: 2611: 2566: 2563: 2561: 2558: 2532: 2527: 2494: 2491: 2486: 2482: 2478: 2473: 2469: 2465: 2460: 2456: 2452: 2447: 2443: 2439: 2434: 2430: 2426: 2421: 2417: 2413: 2408: 2404: 2400: 2397: 2377: 2374: 2369: 2365: 2361: 2358: 2336: 2332: 2328: 2325: 2314:Mersenne prime 2301: 2298: 2281: 2276: 2272: 2268: 2263: 2259: 2255: 2252: 2249: 2246: 2243: 2240: 2237: 2213: 2208: 2204: 2200: 2197: 2194: 2191: 2188: 2185: 2182: 2179: 2151: 2147: 2143: 2138: 2135: 2113: 2110: 2105: 2102: 2074: 2070: 2066: 2061: 2058: 2034: 2030: 2026: 2021: 2018: 1998: 1995: 1992: 1989: 1986: 1983: 1980: 1954: 1951: 1946: 1943: 1921: 1918: 1913: 1910: 1890: 
1887: 1884: 1881: 1878: 1875: 1872: 1844: 1841: 1838: 1835: 1813: 1808: 1803: 1800: 1778: 1773: 1768: 1765: 1735: 1730: 1716: 1713: 1675: 1671: 1667: 1664: 1642: 1637: 1615: 1610: 1605: 1602: 1593:, etc.), need 1576: 1573: 1572: 1571: 1557: 1552: 1530: 1527: 1523: 1519: 1514: 1509: 1504: 1501: 1497: 1485: 1473: 1468: 1463: 1458: 1455: 1431: 1427: 1421: 1389: 1384: 1354: 1326: 1323: 1318: 1314: 1298: 1274: 1270: 1264: 1247: 1246: 1239: 1236:Koblitz curves 1232: 1212: 1211: 1197: 1188: 1173:by the unique 1147: 1144: 1141: 1138: 1135: 1132: 1129: 1126: 1123: 1120: 1117: 1114: 1111: 1108: 1105: 1085: 1082: 1079: 1076: 1073: 1070: 1067: 1064: 1061: 1058: 1055: 1052: 1049: 1029: 1026: 1023: 1003: 1000: 997: 968: 964: 959: 954: 949: 946: 942: 936: 933: 928: 925: 901: 896: 891: 886: 883: 849: 844: 841: 838: 764: 760: 743: 740: 735: 734:Implementation 732: 731: 730: 723: 712: 697: 694: 683: 676: 673:Diffie–Hellman 650: 646: 640: 635: 630: 614: 611: 571:intractability 563: 560: 559: 558: 546: 543: 540: 537: 534: 531: 526: 521: 518: 515: 510: 507: 504: 501: 496: 491: 488: 485: 450:characteristic 438: 437: 425: 422: 419: 416: 413: 410: 405: 401: 397: 392: 388: 365:elliptic curve 360: 357: 333:Main article: 330: 327: 290: 287: 217:RSA Conference 210: 209: 185: 181: 175: 159: 141: 136: 104: 101: 57:, such as the 26: 9: 6: 4: 3: 2: 5884: 5873: 5872:Finite fields 5870: 5868: 5865: 5863: 5860: 5859: 5857: 5838: 5835: 5833: 5830: 5828: 5825: 5824: 5822: 5820: 5816: 5810: 5807: 5805: 5802: 5800: 5797: 5795: 5792: 5790: 5787: 5786: 5784: 5782: 5781:Singularities 5778: 5772: 5769: 5767: 5764: 5762: 5759: 5757: 5754: 5753: 5751: 5747: 5741: 5738: 5736: 5733: 5731: 5728: 5726: 5723: 5721: 5718: 5717: 5715: 5711: 5705: 5702: 5700: 5697: 5695: 5692: 5690: 5687: 5685: 5682: 5680: 5677: 5675: 5672: 5670: 5667: 5666: 5664: 5660: 5657: 5653: 5647: 5644: 5642: 5639: 5637: 5634: 5633: 5631: 5629:Constructions 5627: 5621: 5618: 5616: 5613: 5611: 5608: 5606: 5603: 5601: 5600:Klein quartic 5598: 
5596: 5593: 5591: 5588: 5586: 5583: 5581: 5580:Bolza surface 5578: 5576: 5575:Bring's curve 5573: 5571: 5568: 5567: 5565: 5563: 5559: 5553: 5550: 5548: 5545: 5543: 5540: 5538: 5535: 5533: 5530: 5528: 5525: 5523: 5520: 5518: 5515: 5513: 5510: 5508: 5507:Conic section 5505: 5503: 5500: 5498: 5495: 5493: 5490: 5488: 5487:AF+BG theorem 5485: 5484: 5482: 5480: 5476: 5470: 5467: 5465: 5462: 5460: 5457: 5455: 5452: 5450: 5447: 5446: 5444: 5440: 5430: 5427: 5425: 5422: 5421: 5419: 5415: 5409: 5406: 5404: 5401: 5399: 5396: 5394: 5391: 5389: 5386: 5384: 5381: 5379: 5376: 5374: 5371: 5369: 5366: 5364: 5361: 5359: 5356: 5355: 5353: 5349: 5343: 5340: 5338: 5335: 5333: 5330: 5328: 5325: 5324: 5322: 5318: 5315: 5313: 5309: 5303: 5302:Twisted cubic 5300: 5298: 5295: 5293: 5290: 5288: 5285: 5283: 5280: 5279: 5277: 5275: 5271: 5267: 5259: 5254: 5252: 5247: 5245: 5240: 5239: 5236: 5220: 5212: 5211: 5208: 5202: 5201:Steganography 5199: 5197: 5194: 5192: 5189: 5187: 5184: 5182: 5179: 5177: 5174: 5172: 5169: 5167: 5164: 5162: 5159: 5157: 5156:Stream cipher 5154: 5152: 5149: 5147: 5144: 5143: 5141: 5137: 5131: 5128: 5126: 5123: 5121: 5118: 5116: 5115:Onion routing 5113: 5111: 5108: 5106: 5103: 5101: 5098: 5096: 5095:Shared secret 5093: 5091: 5088: 5086: 5083: 5081: 5078: 5076: 5073: 5071: 5068: 5066: 5063: 5061: 5058: 5056: 5053: 5051: 5048: 5046: 5043: 5041: 5038: 5035: 5032: 5027: 5024: 5023: 5022: 5019: 5017: 5014: 5012: 5009: 5007: 5004: 5002: 4999: 4997: 4994: 4992: 4989: 4987: 4986:Key generator 4984: 4982: 4979: 4977: 4974: 4972: 4969: 4967: 4964: 4960: 4957: 4955: 4952: 4950: 4947: 4946: 4945: 4944:Hash function 4942: 4940: 4937: 4935: 4932: 4930: 4927: 4925: 4922: 4920: 4919:Cryptanalysis 4917: 4915: 4912: 4908: 4905: 4904: 4903: 4900: 4898: 4895: 4893: 4890: 4888: 4885: 4884: 4882: 4878: 4874: 4867: 4862: 4860: 4855: 4853: 4848: 4847: 4844: 4840: 4826: 4823: 4821: 4818: 4816: 4813: 4811: 4808: 4806: 4803: 4801: 4798: 4796: 4793: 4791: 4788: 4786: 4783: 4782: 4780: 4776: 4770: 
4767: 4765: 4762: 4760: 4757: 4755: 4752: 4750: 4747: 4745: 4742: 4741: 4739: 4735: 4729: 4726: 4724: 4721: 4719: 4716: 4714: 4711: 4709: 4706: 4704: 4701: 4700: 4698: 4694: 4684: 4681: 4679: 4676: 4673: 4669: 4667: 4664: 4662: 4659: 4657: 4654: 4652: 4649: 4647: 4644: 4642: 4639: 4637: 4634: 4632: 4629: 4628: 4626: 4622: 4616: 4613: 4611: 4608: 4606: 4603: 4601: 4598: 4596: 4593: 4591: 4588: 4586: 4583: 4582: 4580: 4578: 4573: 4568: 4564: 4558: 4555: 4553: 4550: 4548: 4545: 4543: 4540: 4538: 4535: 4531: 4528: 4527: 4526: 4523: 4521: 4518: 4516: 4513: 4509: 4506: 4504: 4501: 4500: 4499: 4496: 4494: 4491: 4487: 4484: 4482: 4479: 4478: 4477: 4474: 4472: 4469: 4467: 4464: 4462: 4459: 4457: 4454: 4453: 4451: 4449: 4445: 4439: 4438:Schmidt–Samoa 4436: 4434: 4431: 4429: 4426: 4424: 4421: 4419: 4416: 4414: 4411: 4409: 4406: 4404: 4401: 4399: 4398:Damgård–Jurik 4396: 4394: 4393:Cayley–Purser 4391: 4389: 4386: 4384: 4381: 4380: 4378: 4376: 4372: 4369: 4365: 4361: 4354: 4349: 4347: 4342: 4340: 4335: 4334: 4331: 4327: 4323: 4316: 4311: 4307: 4304: 4300: 4296: 4293: 4291: 4287: 4284: 4283: 4275: 4273: 4269: 4264: 4263: 4258: 4254: 4250: 4247: 4243: 4239: 4236: 4232: 4228: 4225: 4221: 4218:Saikat Basu, 4217: 4213: 4210: 4206: 4203: 4200: 4197: 4194: 4190: 4187: 4183: 4180: 4176: 4173: 4169: 4166: 4162: 4158: 4155: 4154: 4142: 4129: 4125: 4121: 4114: 4106: 4102: 4095: 4080:on 2014-05-03 4079: 4075: 4071: 4064: 4048: 4044: 4040: 4033: 4025: 4012: 4001: 3994: 3985: 3980: 3976: 3969: 3954: 3947: 3939: 3932: 3925: 3910: 3906: 3900: 3893: 3889: 3884: 3876: 3870: 3866: 3862: 3858: 3851: 3850: 3841: 3833: 3827: 3819: 3806: 3795: 3788: 3773: 3769: 3762: 3754: 3748: 3744: 3740: 3735: 3730: 3726: 3725: 3717: 3709: 3703: 3699: 3695: 3691: 3687: 3683: 3677: 3666: 3662: 3658: 3651: 3644: 3636: 3632: 3626: 3618: 3614: 3610: 3604: 3590:on 2009-07-15 3589: 3585: 3584:lacal.epfl.ch 3581: 3575: 3568: 3562: 3554: 3550: 3543: 3535: 3531: 3527: 3523: 3518: 3513: 3509: 3505: 3501: 3494: 3485: 3480: 
3476: 3472: 3468: 3464: 3460: 3458: 3454: 3445: 3438: 3434: 3431: 3425: 3417: 3413: 3409: 3402: 3394: 3390: 3386: 3382: 3375: 3361:on 2006-12-06 3357: 3353: 3346: 3339: 3331: 3327: 3323: 3317: 3313: 3309: 3305: 3298: 3290: 3284: 3280: 3276: 3272: 3265: 3254: 3250: 3243: 3237: 3229: 3223: 3217: 3213: 3208: 3200: 3193: 3185: 3181: 3174: 3167: 3162: 3147: 3143: 3139: 3133: 3131: 3123: 3122: 3117: 3113: 3108: 3100: 3099:csrc.nist.gov 3096: 3090: 3083: 3082: 3078: 3072: 3057:on 2022-01-01 3055: 3050: 3046: 3039: 3031: 3027: 3023: 3017: 3010: 3004: 2995: 2990: 2986: 2980: 2972: 2968: 2964: 2958: 2954: 2950: 2946: 2939: 2931: 2927: 2922: 2917: 2913: 2909: 2905: 2898: 2890: 2886: 2882: 2876: 2874: 2872: 2867: 2857: 2854: 2852: 2849: 2847: 2844: 2842: 2839: 2837: 2834: 2832: 2829: 2827: 2824: 2822: 2819: 2817: 2814: 2812: 2809: 2806: 2803: 2800: 2797: 2795: 2792: 2790: 2787: 2785: 2782: 2780: 2777: 2775: 2772: 2770: 2767: 2766: 2757: 2754: 2752: 2749: 2747: 2744: 2742: 2739: 2737: 2734: 2732: 2729: 2727: 2724: 2722: 2719: 2717: 2714: 2713: 2712: 2704: 2702: 2692: 2689: 2684: 2681: 2678:to implement 2677: 2673: 2669: 2665: 2662: 2658: 2657:Toffoli gates 2654: 2650: 2646: 2637: 2634: 2632: 2628: 2624: 2623:kleptographic 2620: 2610: 2608: 2604: 2603:fault attacks 2600: 2599:Edwards curve 2596: 2592: 2588: 2584: 2580: 2576: 2572: 2557: 2554: 2552: 2548: 2530: 2514: 2512: 2508: 2492: 2489: 2484: 2480: 2476: 2471: 2467: 2463: 2458: 2454: 2450: 2445: 2441: 2437: 2432: 2428: 2424: 2419: 2415: 2411: 2406: 2402: 2398: 2395: 2375: 2372: 2367: 2363: 2359: 2356: 2334: 2330: 2326: 2323: 2315: 2311: 2307: 2297: 2295: 2274: 2270: 2266: 2261: 2257: 2253: 2250: 2247: 2244: 2241: 2238: 2227: 2224:; and in the 2206: 2202: 2198: 2195: 2192: 2189: 2186: 2183: 2180: 2169: 2149: 2145: 2141: 2136: 2133: 2111: 2108: 2103: 2100: 2092: 2072: 2068: 2064: 2059: 2056: 2032: 2028: 2024: 2019: 2016: 1993: 1990: 1987: 1984: 1981: 1970: 1952: 1949: 1944: 1941: 1919: 1916: 1911: 1908: 1885: 1882: 1879: 1876: 
1873: 1862: 1858: 1842: 1839: 1836: 1833: 1811: 1801: 1798: 1776: 1766: 1763: 1755: 1751: 1733: 1712: 1709: 1707: 1706:PlayStation 3 1701: 1699: 1695: 1691: 1673: 1669: 1665: 1662: 1640: 1608: 1600: 1592: 1591:Pollard's rho 1588: 1582: 1555: 1528: 1525: 1512: 1499: 1486: 1466: 1453: 1429: 1425: 1410:in the field 1409: 1405: 1387: 1372: 1368: 1352: 1344: 1340: 1324: 1321: 1316: 1312: 1303: 1299: 1296: 1292: 1272: 1268: 1252: 1251: 1250: 1244: 1240: 1237: 1233: 1230: 1226: 1222: 1221: 1220: 1216: 1210: 1206: 1202: 1198: 1196: 1192: 1189: 1187: 1183: 1180: 1179: 1178: 1176: 1171: 1166: 1164: 1159: 1142: 1139: 1136: 1133: 1130: 1127: 1124: 1121: 1118: 1115: 1112: 1109: 1106: 1080: 1077: 1074: 1071: 1068: 1065: 1062: 1059: 1056: 1053: 1050: 1027: 1024: 1021: 1001: 998: 995: 987: 984:, called the 983: 957: 944: 934: 931: 926: 923: 915: 894: 881: 873: 869: 865: 842: 839: 836: 828: 824: 820: 816: 812: 808: 804: 800: 796: 792: 788: 784: 780: 762: 758: 749: 739: 728: 724: 721: 717: 713: 710: 706: 702: 698: 695: 692: 688: 684: 681: 677: 674: 670: 666: 665: 664: 648: 638: 620: 610: 608: 604: 599: 596: 592: 588: 584: 580: 576: 572: 568: 544: 541: 538: 532: 524: 502: 494: 474: 473: 472: 470: 466: 465:divisor group 462: 461:abelian group 458: 453: 451: 447: 443: 423: 420: 417: 414: 411: 408: 403: 399: 395: 390: 386: 378: 377: 376: 374: 370: 366: 356: 354: 353:US government 350: 346: 342: 336: 326: 324: 318: 313: 310: 306: 302: 298: 297: 286: 284: 280: 275: 273: 269: 268:key agreement 265: 261: 257: 256:Tate pairings 253: 248: 246: 242: 238: 234: 230: 226: 222: 218: 213: 207: 203: 183: 179: 164: 163:binary fields 160: 157: 139: 125: 121: 120: 119: 116: 114: 110: 100: 98: 94: 91: 87: 83: 79: 75: 71: 70:key agreement 66: 64: 60: 56: 55:Galois fields 52: 51:finite fields 48: 44: 41:based on the 40: 36: 32: 19: 5766:Prym variety 5740:Stable curve 5730:Hodge bundle 5720:ELSV formula 5522:Fermat curve 5479:Plane curves 5442:Higher genus 5417:Applications 5342:Modular form 5151:Block 
cipher 4991:Key schedule 4981:Key exchange 4971:Kleptography 4929:Cryptosystem 4873:Cryptography 4825:OpenPGP card 4805:Web of trust 4707: 4461:Cramer–Shoup 4271: 4267: 4192: 4185: 4178: 4171: 4139: 4132:. Retrieved 4128:the original 4123: 4113: 4104: 4094: 4082:. Retrieved 4078:the original 4073: 4063: 4051:. Retrieved 4042: 4032: 4011:cite journal 3993: 3968: 3956:. Retrieved 3946: 3937: 3924: 3913:. Retrieved 3911:. 2013-09-10 3908: 3899: 3891: 3883: 3848: 3840: 3826: 3805:cite journal 3787: 3775:. Retrieved 3761: 3723: 3716: 3689: 3676: 3665:the original 3660: 3656: 3643: 3634: 3625: 3617:the original 3612: 3603: 3592:. Retrieved 3588:the original 3583: 3574: 3561: 3552: 3548: 3542: 3507: 3503: 3493: 3466: 3462: 3456: 3452: 3444: 3424: 3415: 3411: 3401: 3384: 3380: 3374: 3363:. Retrieved 3356:the original 3351: 3338: 3303: 3297: 3270: 3264: 3253:the original 3249:www.secg.org 3248: 3236: 3222: 3207: 3192: 3184:the original 3173: 3161: 3150:. Retrieved 3141: 3119: 3107: 3098: 3089: 3079: 3075:Kim Zetter, 3071: 3059:. Retrieved 3054:the original 3048: 3038: 3030:the original 3025: 3016: 3003: 2979: 2944: 2938: 2911: 2907: 2897: 2889:the original 2884: 2710: 2698: 2685: 2672:post-quantum 2666: 2643: 2635: 2631:Dual EC DRBG 2616: 2586: 2582: 2578: 2574: 2568: 2555: 2550: 2546: 2515: 2505:Compared to 2312:is a pseudo- 2309: 2305: 2303: 2225: 2167: 2090: 1968: 1860: 1748:but also an 1718: 1710: 1702: 1697: 1584: 1403: 1366: 1342: 1338: 1301: 1295:Weil descent 1290: 1253:Curves over 1248: 1242: 1217: 1213: 1167: 1162: 1160: 985: 981: 871: 826: 822: 814: 810: 802: 798: 794: 790: 786: 782: 778: 747: 745: 737: 616: 600: 565: 454: 446:finite field 439: 373:finite field 364: 362: 343:). 
However, 338: 320: 309:RSA Security 299:stated that 294: 292: 276: 264:signcryption 249: 214: 211: 201: 155: 124:prime fields 117: 109:Neal Koblitz 106: 67: 34: 30: 29: 5641:Polar curve 5139:Mathematics 5130:Mix network 4795:Fingerprint 4759:NSA Suite B 4723:RSA problem 4600:NTRUEncrypt 4124:Seclist Org 3768:Tanja Lange 3142:www.nsa.gov 2794:ECC patents 2607:smart cards 1756:(for given 369:plane curve 335:ECC patents 5856:Categories 5636:Dual curve 5264:Topics in 5090:Ciphertext 5060:Decryption 5055:Encryption 5016:Ransomware 4749:IEEE P1363 4367:Algorithms 4150:References 3984:1706.06752 3958:October 1, 3915:2015-11-06 3777:1 December 3686:Miyaji, A. 3594:2009-07-11 3365:2006-01-02 3152:2020-01-08 3061:28 October 2774:Curve25519 2316:, that is 2294:IEEE P1363 1861:projective 1826:such that 1579:See also: 1245:technique. 829:such that 811:base point 245:top secret 219:2005, the 93:algorithms 82:encryption 5749:Morphisms 5497:Bitangent 5080:Plaintext 4053:March 16, 3938:Microsoft 3729:CiteSeerX 3682:Cohen, H. 3512:CiteSeerX 2971:206617984 2676:isogenies 2613:Backdoors 2490:− 2477:− 2464:− 2451:− 2438:− 2425:− 2412:− 2373:− 2327:≈ 2166:; in the 2089:; in the 1967:; in the 1857:inversion 1802:∈ 1767:∈ 1754:inversion 1750:inversion 1666:≈ 1575:Key sizes 1322:− 999:≤ 807:generator 707:and uses 649:× 539:≃ 509:→ 293:In 2013, 5219:Category 5125:Kademlia 5085:Codetext 5028:(CSPRNG) 5006:Machines 4810:Key size 4744:CRYPTREC 4661:McEliece 4615:RLWE-SIG 4610:RLWE-KEX 4605:NTRUSign 4418:Paillier 4303:CrypTool 4301:and the 4165:archived 4047:Archived 3613:Certicom 3534:24368962 3433:Archived 3330:15134380 3212:Archived 3146:Archived 3121:Slashdot 2784:DNSCurve 2762:See also 2560:Security 1655:, where 1304:divides 1297:attacks. 986:cofactor 809:(a.k.a. 617:Several 603:key size 575:problems 459:, is an 5809:Tacnode 5794:Crunode 4880:General 4656:Lamport 4636:CEILIDH 4595:NewHope 4542:Schnorr 4525:ElGamal 4503:Ed25519 4383:Benaloh 4141:scalar. 
3471:Bibcode 2930:2007884 2807:(ECDSA) 2688:quantum 1337:(where 1227:or the 675:scheme, 371:over a 329:Patents 283:Bitcoin 233:Suite B 225:Suite B 215:At the 206:Koblitz 103:History 5789:Acnode 5713:Moduli 5001:Keygen 4778:Topics 4754:NESSIE 4696:Theory 4624:Others 4481:X25519 4134:4 July 3871:  3749:  3731:  3704:  3565:NIST, 3532:  3514:  3328:  3318:  3285:  2969:  2959:  2928:  2801:(ECDH) 2653:qubits 1203:  583:factor 270:, and 5036:(PRN) 4590:Kyber 4585:BLISS 4547:SPEKE 4515:ECMQV 4508:Ed448 4498:EdDSA 4493:ECDSA 4423:Rabin 4084:3 May 4003:(PDF) 3979:arXiv 3934:(PDF) 3853:(PDF) 3797:(PDF) 3668:(PDF) 3653:(PDF) 3530:S2CID 3430:P1363 3428:IEEE 3359:(PDF) 3348:(PDF) 3326:S2CID 3245:(PDF) 3081:Wired 2967:S2CID 2926:JSTOR 2863:Notes 2816:ECMQV 2811:EdDSA 2779:FourQ 1791:find 1238:), or 862:(the 819:order 716:ECMQV 367:is a 341:ECMQV 161:Five 122:Five 49:over 5799:Cusp 4790:OAEP 4764:CNSA 4641:EPOC 4486:X448 4476:ECDH 4305:team 4257:here 4246:here 4235:here 4224:here 4209:here 4136:2019 4086:2014 4055:2021 4024:help 3960:2016 3869:ISBN 3818:help 3779:2013 3747:ISBN 3702:ISBN 3316:ISBN 3283:ISBN 3063:2018 2957:ISBN 1205:5639 1191:SECG 1182:NIST 1163:must 801:and 793:and 727:ECQV 725:The 714:The 699:The 685:The 667:The 347:and 281:and 254:and 252:Weil 200:for 111:and 61:and 4800:PKI 4683:XTR 4651:IES 4646:HFE 4577:SIS 4572:LWE 4557:STS 4552:SRP 4537:MQV 4520:EKE 4471:DSA 4456:BLS 4428:RSA 4403:GMR 4297:by 4288:at 3861:doi 3739:doi 3694:doi 3522:doi 3479:doi 3416:415 3389:doi 3308:doi 3275:doi 2989:doi 2949:doi 2916:doi 2885:NSA 2661:RSA 2571:DLP 2407:256 2388:or 2368:521 1694:RSA 1690:DSA 1674:256 1207:), 1201:RFC 821:of 720:MQV 579:RSA 448:of 305:NSA 45:of 35:ECC 5858:: 4631:AE 4466:DH 4272:57 4159:, 4138:. 4122:. 4103:. 4072:. 4045:. 4043:f5 4041:. 4015:: 4013:}} 4009:{{ 3936:. 3907:. 3890:. 3867:. 3855:. 3809:: 3807:}} 3803:{{ 3770:. 3745:. 3737:. 3700:. 3684:; 3661:44 3659:. 3655:. 3633:. 3611:. 3582:. 3553:47 3551:. 3528:. 3520:. 3508:12 3506:. 3502:. 3477:. 
3467:67 3465:. 3461:. 3414:. 3410:. 3385:39 3383:. 3350:. 3324:. 3314:. 3281:. 3247:. 3140:. 3129:^ 3118:, 3097:. 3047:. 3024:. 2965:. 2955:. 2924:. 2912:48 2910:. 2906:. 2883:. 2870:^ 2609:. 2585:≠ 2577:= 2513:. 2493:1. 2420:32 2126:, 2049:, 1934:, 1589:, 1193:, 1184:, 1158:. 813:) 471:: 285:. 274:. 266:, 99:. 76:, 72:, 65:. 5257:e 5250:t 5243:v 4865:e 4858:t 4851:v 4574:/ 4569:/ 4352:e 4345:t 4338:v 4107:. 4088:. 4057:. 4026:) 4022:( 4005:. 3987:. 3981:: 3962:. 3940:. 3918:. 3894:. 3877:. 3863:: 3834:. 3820:) 3816:( 3799:. 3781:. 3755:. 3741:: 3710:. 3696:: 3637:. 3597:. 3555:. 3536:. 3524:: 3487:. 3481:: 3473:: 3459:" 3457:p 3453:p 3418:. 3395:. 3391:: 3368:. 3332:. 3310:: 3291:. 3277:: 3201:. 3155:. 3101:. 3065:. 3011:. 2997:. 2991:: 2973:. 2951:: 2932:. 2918:: 2587:Q 2583:P 2579:Q 2575:P 2551:a 2547:p 2531:p 2526:F 2485:4 2481:2 2472:6 2468:2 2459:7 2455:2 2446:8 2442:2 2433:9 2429:2 2416:2 2403:2 2399:= 2396:p 2376:1 2364:2 2360:= 2357:p 2335:d 2331:2 2324:p 2310:p 2306:p 2280:) 2275:3 2271:Z 2267:, 2262:2 2258:Z 2254:, 2251:Z 2248:, 2245:Y 2242:, 2239:X 2236:( 2212:) 2207:4 2203:Z 2199:a 2196:, 2193:Z 2190:, 2187:Y 2184:, 2181:X 2178:( 2150:2 2146:Z 2142:Y 2137:= 2134:y 2112:Z 2109:X 2104:= 2101:x 2073:3 2069:Z 2065:Y 2060:= 2057:y 2033:2 2029:Z 2025:X 2020:= 2017:x 1997:) 1994:Z 1991:, 1988:Y 1985:, 1982:X 1979:( 1953:Z 1950:Y 1945:= 1942:y 1920:Z 1917:X 1912:= 1909:x 1889:) 1886:Z 1883:, 1880:Y 1877:, 1874:X 1871:( 1843:1 1840:= 1837:y 1834:x 1812:q 1807:F 1799:y 1777:q 1772:F 1764:x 1734:q 1729:F 1698:n 1670:2 1663:q 1641:q 1636:F 1614:) 1609:n 1604:( 1601:O 1570:. 1556:q 1551:F 1529:q 1526:= 1522:| 1518:) 1513:q 1508:F 1503:( 1500:E 1496:| 1484:. 
1472:) 1467:q 1462:F 1457:( 1454:E 1430:B 1426:p 1420:F 1404:B 1388:p 1383:F 1367:B 1353:2 1343:q 1339:p 1325:1 1317:B 1313:p 1302:n 1291:m 1273:m 1269:2 1263:F 1231:, 1146:) 1143:h 1140:, 1137:n 1134:, 1131:G 1128:, 1125:b 1122:, 1119:a 1116:, 1113:f 1110:, 1107:m 1104:( 1084:) 1081:h 1078:, 1075:n 1072:, 1069:G 1066:, 1063:b 1060:, 1057:a 1054:, 1051:p 1048:( 1028:1 1025:= 1022:h 1002:4 996:h 982:h 967:| 963:) 958:p 953:F 948:( 945:E 941:| 935:n 932:1 927:= 924:h 900:) 895:p 890:F 885:( 882:E 872:n 848:O 843:= 840:G 837:n 827:n 823:G 815:G 803:b 799:a 795:f 791:m 787:p 783:f 763:m 759:2 711:, 693:, 645:) 639:p 634:Z 629:( 545:, 542:E 536:) 533:E 530:( 525:0 520:c 517:i 514:P 506:) 503:E 500:( 495:0 490:v 487:i 484:D 424:, 421:b 418:+ 415:x 412:a 409:+ 404:3 400:x 396:= 391:2 387:y 202:m 184:m 180:2 174:F 156:p 140:p 135:F 33:( 20:)

Index

Elliptic curve cryptography
public-key cryptography
algebraic structure
elliptic curves
finite fields
Galois fields
RSA cryptosystem
ElGamal cryptosystem
key agreement
digital signatures
pseudo-random generators
encryption
symmetric encryption
integer factorization
algorithms
Lenstra elliptic-curve factorization
Neal Koblitz
Victor S. Miller
prime fields
binary fields
Koblitz
RSA Conference
National Security Agency
Suite B
National Institute of Standards and Technology
Suite B
elliptic-curve Diffie–Hellman
Elliptic Curve Digital Signature Algorithm
top secret
Weil

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.