[...]... break certain elliptic curve systems defined over “composite fields” of characteristic two Pairing-Based Cryptography The use of the Weil and Tate pairings was until recently confined to breaking elliptic curve protocols But since the advent of Joux’s tripartite Diffie–Hellman protocol there has been an interest in using pairings on elliptic curves to construct protocols which cannot be implemented in another... Digital Signature Standard Elliptic Curve Decision Diffie–Hellman problem Elliptic Curve Diffie–Hellman protocol Elliptic Curve Diffie–Hellman Problem Elliptic Curve Discrete Logarithm Problem Elliptic Curve Digital Signature Algorithm Elliptic Curve Integrated Encryption Scheme Elliptic Curve Menezes–Qu–Vanstone protocol Gaudry–Hess–Smart attack Generalized Riemann Hypothesis Hyperelliptic Curve Discrete Logarithm... years since we started working on the book Elliptic Curves in Cryptography and more than four years since it was published We therefore thought it was time to update the book since a lot has happened in the intervening years However, it soon became apparent that a simple update would not be sufficient since so much has been developed in this area We therefore decided to develop a second volume by inviting... power and timing analysis against cryptographic tokens, such as smart cards, is particularly relevant to elliptic curves since elliptic curves are meant to be particularly suited to the constrained environment of smart cards We shall describe what side-channel analysis is and how one can use properties of elliptic curves to defend against it Point Counting In 1999 the only method for computing the group... given security level In addition, by recommending curves it means that not every one who wishes to deploy elliptic curve based solutions needs to implement a point counting method like those in Chapter VI or [ECC, Chapter VII] Indeed, since many 3 4 I ECC PROTOCOLS curves occur in more than one standard, if one selects a curve from the intersection then, your system will more likely interoperate with... point P by σ fσ Galois conjugation of coefficients of function f by σ xiv ABBREVIATIONS AND STANDARD NOTATION Curve Theoretic Notation E elliptic curve (equation) (xP , yP ) coordinates of the point P x(P ) the x-cordinate of the point P y(P ) the y-cordinate of the point P E(K) group of K-rational points on E [m]P multiplication-by-m map applied to the point P E[m] group of m-torsion points on the elliptic. .. also the problem of checking whether a given curve is suitable for use The following checks should be performed before a set of domain parameters is accepted; however, this is likely to be carried out only once for each organization deploying elliptic curve based solutions Algorithm I.15: Elliptic Curve Validation INPUT: A set of domain parameters (K, E, q, h, G) OUTPUT: Valid or Invalid 1 Let l ← #K =... Of particular relevance to elliptic curve cryptography are the following standards: • IEEE 1363: This standard contains virtually all public-key algorithms In particular, it covers ECDH, ECDSA, ECMQV and ECIES, all of which we discuss in this chapter In addition, this standard contains a nice appendix covering all the basic number-theoretic algorithms required for public-key cryptography • ANSI X9.62... [y]G −→ [y]G [b]G [b]G ←− b In this attack, Alice agrees a key KA = [a]([x]G) with Eve, thinking it is agreed with Bob, and Bob agrees a key KB = [b]([y]G) with Eve, thinking it is agreed with Alice Eve can now examine communications as they pass through her by essentially acting as a router The problem is that when performing ECDH we obtain no data-origin authentication In other words, Alice does not... m-torsion points on the elliptic curve E End(E) endormorphism ring of E O point at in nity (on an elliptic curve) ℘ Weierstraß ‘pay’ function ϕ Frobenius map P, Q n Tate pairing of P and Q en (P, Q) Weil pairing of P and Q e(P, Q) pairing of P and Q e(P, Q) modified pairing of P and Q ˆ Tr(P ) trace map T trace zero subgroup Authors We would like to acknowledge the following people who contributed chapters . properties of elliptic curves to defend against it. Point Counting. In 1999 the only method for computing the group order of an elliptic curve was the Schoof-Elkies-Atkin algorithm. However, for curves over. recently confined to breaking elliptic curve protocols. But since the advent of Joux’s tripartite Diffie–Hellman protocol there has been an interest in using pairings on elliptic curves to construct. NOTATION Curve Theoretic Notation E elliptic curve (equation) (x P ,y P )coordinatesof the point P x(P )thex-cordinate of the point P y(P)they-cordinate of the point P E(K)groupofK-rational points