Abstract
The use of elliptic curves in cryptography relies on the ability to count the number of points on a given curve. Before 1999, the SEA algorithm was the only efficient method known for random curves. Then Satoh proposed a new algorithm based on the canonical p-adic lift of the curve for p ≥ 5. In an earlier paper, the authors extended Satoh's method to the case of characteristics two and three. This paper presents an implementation of the Satoh-FGH algorithm and its application to the problem of finding curves suitable for cryptography. By combining Satoh-FGH and an early-abort strategy based on SEA, we are able to find secure random curves in characteristic two in much less time than previously reported. In particular we can generate curves widely considered to be as secure as RSA-1024 in less than one minute each on a fast workstation.
© 2001 Springer-Verlag Berlin Heidelberg
Cite this paper
Fouquet, M., Gaudry, P., Harley, R. (2001). Finding Secure Curves with the Satoh-FGH Algorithm and an Early-Abort Strategy. In: Pfitzmann, B. (eds) Advances in Cryptology — EUROCRYPT 2001. EUROCRYPT 2001. Lecture Notes in Computer Science, vol 2045. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-44987-6_2
DOI: https://doi.org/10.1007/3-540-44987-6_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-42070-5
Online ISBN: 978-3-540-44987-4
eBook Packages: Springer Book Archive