
The contents of this report are the sole responsibility of the author(s).

An Overview of Elliptic Curve Cryptography

Julio López    Ricardo Dahab
Technical Report IC-00-10

May 2000

An Overview of Elliptic Curve Cryptography

Julio López*    Ricardo Dahab†

Institute of Computing
State University of Campinas
Campinas, 13081-970 São Paulo, Brazil
{julioher,rdahab}@dcc.unicamp.br
May 22, 2000
Abstract

Elliptic curve cryptography (ECC) was introduced by Victor Miller and Neal Koblitz in 1985. ECC, proposed as an alternative to established public-key systems such as DSA and RSA, has recently gained a lot of attention in industry and academia. The main reason for the attractiveness of ECC is the fact that there is no sub-exponential algorithm known to solve the discrete logarithm problem on a properly chosen elliptic curve. This means that significantly smaller parameters can be used in ECC than in other competitive systems such as RSA and DSA, but with equivalent levels of security. Some benefits of having smaller key sizes include faster computations, and reductions in processing power, storage space and bandwidth. This makes ECC ideal for constrained environments such as pagers, PDAs, cellular phones and smart cards. The implementation of ECC, on the other hand, requires several choices such as the type of the underlying finite field, algorithms for implementing the finite field arithmetic, the type of elliptic curve, algorithms for implementing the elliptic group operation, and elliptic curve protocols. Many of these selections may have a major impact on the overall performance. In this paper we present a selective overview of the main methods and techniques used for practical implementations of elliptic curve cryptosystems. We also present a summary of the most recent reported software implementations of ECC.

Key words. Elliptic curve cryptography, finite fields, elliptic scalar multiplication.

1 Introduction

In 1985, Victor Miller [56] and N. Koblitz [36], independently, proposed a public-key cryptosystem analogue of the ElGamal schemes [21] in which the group $\mathbb{Z}_p$ is replaced by the group of points on an elliptic curve defined over a finite field. The main attraction of elliptic curve cryptography (ECC) over competing technologies such as RSA and DSA is that the best algorithm known for solving the underlying hard mathematical problem in ECC (the elliptic curve discrete logarithm problem (ECDLP)) takes fully exponential time. On the other hand, the best algorithms known for solving the underlying hard mathematical problems in RSA and DSA (the integer factorization problem, and the discrete logarithm problem, respectively) take sub-exponential time. This means that significantly smaller parameters can be used in ECC than in other systems such as RSA and DSA, but with equivalent levels of security. A typical example of the size in bits of the keys used in different public-key systems, with a comparable level of security (against known attacks), is that a 160-bit ECC key is equivalent to RSA and DSA with a modulus of 1024 bits.

* Institute of Computing, State University of Campinas, 13081-970 Campinas, SP, Brazil, and Dept. of Computer Science, University of Valle, Cali, Colombia.
† Institute of Computing, State University of Campinas, 13081-970 Campinas, SP, Brazil. Research partially supported by a Pronex-Finep grant 107/97.
The lack of a sub-exponential attack on ECC offers potential reductions in processing power, storage space, bandwidth and electrical power. These advantages are specially important in applications on constrained devices such as smart cards, pagers, and cellular phones.

From a practical point of view, the performance of ECC depends mainly on the efficiency of finite field computations and fast algorithms for elliptic scalar multiplications. In addition to the numerous known algorithms for these computations, the performance of ECC can be sped up by selecting particular underlying finite fields and/or elliptic curves. Examples of finite fields are $\mathbb{F}_{2^m}$ (for hardware and software implementations) and $\mathbb{F}_p$, where $p$ is a special prime (e.g., a Mersenne prime or a generalized Mersenne prime, see [79]). Examples of families of curves that offer computational advantages for computing a scalar multiplication include Koblitz curves over $\mathbb{F}_{2^m}$. Thus, a fast implementation of a security application based on ECC requires several choices, any of which can have a major impact on the overall performance.

The remainder of this paper is organized as follows. A short introduction to finite field arithmetic is provided in Section 2. A brief introduction to elliptic curves is presented in Section 3. A list of the main known attacks on the elliptic curve discrete logarithm problem (ECDLP) is provided in Section 4. In Section 5, we describe several algorithms for computing a scalar multiplication, which is the central operation of ECC. Finally, some implementation issues are considered in Section 6.

2 Finite fields

In this section we present the definition of groups and finite fields. These mathematical structures are fundamental for the construction of an elliptic curve cryptosystem.

A group is an algebraic system consisting of a set $G$ together with a binary operation $\ast$ defined on $G$ satisfying the following axioms:
- closure: for all $x, y$ in $G$ we have $x \ast y \in G$;
- associativity: for all $x, y$ and $z$ in $G$ we have $(x \ast y) \ast z = x \ast (y \ast z)$;
- identity: there exists an $e$ in $G$ such that $x \ast e = e \ast x = x$ for all $x$ in $G$;
- inverse: for all $x$ in $G$ there exists $y$ in $G$ such that $x \ast y = y \ast x = e$.
If in addition, the binary operation $\ast$ satisfies the abelian property:
- abelian: for all $x, y$ in $G$ we have $x \ast y = y \ast x$;
then we say that the group $G$ is abelian.


A finite field is an algebraic system consisting of a finite set $F$ together with two binary operations $+$ and $\cdot$, defined on $F$, satisfying the following axioms:
- $F$ is an abelian group with respect to "$+$";
- $F \setminus \{0\}$ is an abelian group with respect to "$\cdot$";
- distributive: for all $x, y$ and $z$ in $F$ we have:
$$x \cdot (y + z) = (x \cdot y) + (x \cdot z)$$
$$(x + y) \cdot z = (x \cdot z) + (y \cdot z).$$

The order of a finite field is the number of elements in the field. A fundamental result in the theory of finite fields (see [51]) characterizes the existence of finite fields: there exists a finite field of order $q$ if and only if $q$ is a prime power. In addition, if $q$ is a prime power, then there is essentially only one finite field of order $q$; this field is denoted by $\mathbb{F}_q$ or $GF(q)$. There are, however, many ways of representing the elements of $\mathbb{F}_q$, and some representations may lead to more efficient implementations of the field arithmetic in hardware or in software.

If $q = p^m$, where $p$ is a prime and $m$ is a positive integer, then $p$ is called the characteristic of $\mathbb{F}_q$ and $m$ is called the extension degree of $\mathbb{F}_q$. Most standards which specify ECC restrict the order of the underlying finite field to be an odd prime ($q = p$) or a power of 2 ($q = 2^m$).

2.1 The finite field $\mathbb{F}_p$

Let $p$ be a prime number. The finite field $\mathbb{F}_p$, called a prime field, consists of the set of integers
$$\{0, 1, 2, \ldots, p-1\}$$
with the following arithmetic operations:
- Addition: If $a, b \in \mathbb{F}_p$, then $a + b = r$, where $r$ is the remainder of the division of $a + b$ by $p$ and $0 \le r \le p-1$. This operation is called addition modulo $p$.
- Multiplication: If $a, b \in \mathbb{F}_p$, then $a \cdot b = s$, where $s$ is the remainder of the division of $a \cdot b$ by $p$ and $0 \le s \le p-1$. This operation is called multiplication modulo $p$.

There are certain primes $p$ for which the modular reduction can be computed very efficiently. For example, let $p$ be the prime $2^{192} - 2^{64} - 1$. To reduce a positive integer $n < p^2$, write
$$n = \sum_{j=0}^{5} A_j \cdot 2^{64j}.$$
Then
$$n \equiv T + S_1 + S_2 + S_3 \pmod{p},$$
where
$$T = A_2 \cdot 2^{128} + A_1 \cdot 2^{64} + A_0$$
$$S_1 = A_3 \cdot 2^{64} + A_3$$
$$S_2 = A_4 \cdot 2^{128} + A_4 \cdot 2^{64}$$
$$S_3 = A_5 \cdot 2^{128} + A_5 \cdot 2^{64} + A_5.$$
Thus, the integer reduction by $p$ can be replaced by three additions (mod $p$), which are much faster. The prime number $p$ is an example of a family of primes called generalized Mersenne numbers, recently introduced by Solinas [79]. For more examples of primes that are well suited for machine implementation, see [79] and [59]. Several techniques for implementing the finite field arithmetic in $\mathbb{F}_p$ are described in [35, 54, 12, 32, 19, 30].
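The fold just described, carried out in code as an added example (this is not code from the report): the six 64-bit limbs of $n$ are combined into $T + S_1 + S_2 + S_3$ exactly as in the equations above, and a few conditional subtractions of $p$ finish the reduction. The limb split, the function names and the subtraction loop are my own choices; the result is checked against Python's built-in `%` on constructed inputs.

```python
# Added example, not the report's own code: reduction modulo the generalized
# Mersenne prime p = 2^192 - 2^64 - 1 via n = T + S1 + S2 + S3 (mod p).
# The limb split, the names and the final subtraction loop are my choices.

P192 = 2**192 - 2**64 - 1
MASK64 = (1 << 64) - 1


def reduce_p192(n: int) -> int:
    """Reduce 0 <= n < p^2 modulo p = 2^192 - 2^64 - 1 using additions only."""
    if not 0 <= n < P192 * P192:
        raise ValueError("input must satisfy 0 <= n < p^2")
    # Six 64-bit limbs: n = sum_{j=0}^{5} A_j * 2^(64 j).
    A = [(n >> (64 * j)) & MASK64 for j in range(6)]
    # Because 2^192 = 2^64 + 1 (mod p):
    #   2^192 -> 2^64 + 1,  2^256 -> 2^128 + 2^64,  2^320 -> 2^128 + 2^64 + 1,
    # so the three high limbs fold into the 192-bit terms S1, S2, S3.
    T = (A[2] << 128) | (A[1] << 64) | A[0]
    S1 = (A[3] << 64) | A[3]
    S2 = (A[4] << 128) | (A[4] << 64)
    S3 = (A[5] << 128) | (A[5] << 64) | A[5]
    r = T + S1 + S2 + S3
    # Each term is below 2^192, so r < 4p and at most three subtractions
    # of p remain. A constant-time implementation would perform all three
    # unconditionally and select the correct result.
    while r >= P192:
        r -= P192
    return r


def check_against_builtin(samples) -> bool:
    """True if reduce_p192 agrees with Python's n % p on every sample."""
    return all(reduce_p192(n) == n % P192 for n in samples)


if __name__ == "__main__":
    # Constructed inputs: boundary values and an arbitrary 383-bit number.
    samples = [0, P192 - 1, P192, P192 + 1, 2**383 + 12345, P192 * P192 - 1]
    print(check_against_builtin(samples))  # True
```

The same pattern applies to the other generalized Mersenne primes of [79]: only the table of which limbs fold into which 64-bit positions changes, and the number of trailing subtractions follows from how many terms are summed.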

2.2 The finite field $\mathbb{F}_{2^m}$

The finite field $\mathbb{F}_{2^m}$, called a binary finite field, can be viewed as a vector space of dimension $m$ over $\mathbb{F}_2$. That is, there exists a set of $m$ elements $\{\alpha_0, \alpha_1, \ldots, \alpha_{m-1}\}$ in $\mathbb{F}_{2^m}$ such that each $a \in \mathbb{F}_{2^m}$ can be written uniquely in the form
$$a = \sum_{i=0}^{m-1} a_i \alpha_i, \quad \text{where } a_i \in \{0, 1\}.$$
The set $\{\alpha_0, \alpha_1, \ldots, \alpha_{m-1}\}$ is called a basis of $\mathbb{F}_{2^m}$ over $\mathbb{F}_2$. We can then represent $a$ as a binary vector $(a_0, a_1, \ldots, a_{m-1})$. We now introduce two of the most common bases of $\mathbb{F}_{2^m}$ over $\mathbb{F}_2$: polynomial bases and normal bases.

Polynomial basis. Let $f(x) = x^m + \sum_{i=0}^{m-1} f_i x^i$ (where $f_i \in \{0, 1\}$, for $i = 0, 1, \ldots, m-1$) be an irreducible polynomial of degree $m$ over $\mathbb{F}_2$; $f(x)$ is called the reduction polynomial. For each reduction polynomial, there exists a polynomial basis representation. In such a representation, each element of $\mathbb{F}_{2^m}$ corresponds to a binary polynomial of degree less than $m$. That is, for $a \in \mathbb{F}_{2^m}$ there exist $m$ numbers $a_i \in \{0, 1\}$ such that
$$a = a_{m-1} x^{m-1} + \cdots + a_1 x + a_0.$$
The field element $a \in \mathbb{F}_{2^m}$ is usually denoted by the bit string $(a_{m-1} \ldots a_1 a_0)$ of length $m$. The following operations are defined on the elements of $\mathbb{F}_{2^m}$ when using a polynomial representation with reduction polynomial $f(x)$. Assume that $a = (a_{m-1} \ldots a_1 a_0)$ and $b = (b_{m-1} \ldots b_1 b_0)$.
- Addition: $a + b = c = (c_{m-1} \ldots c_1 c_0)$, where $c_i = (a_i + b_i) \bmod 2$. That is, addition corresponds to bitwise exclusive-or.
- Multiplication: $a \cdot b = c = (c_{m-1} \ldots c_1 c_0)$, where $c(x) = \sum_{i=0}^{m-1} c_i x^i$ is the remainder of the division of the polynomial $(\sum_{i=0}^{m-1} a_i x^i)(\sum_{i=0}^{m-1} b_i x^i)$ by $f(x)$.

The following procedure is commonly used to choose a reduction polynomial: if an irreducible trinomial $x^m + x^k + 1$ exists over $\mathbb{F}_2$, then the reduction polynomial $f(x)$ is chosen to be the irreducible trinomial with the lowest-degree middle term $x^k$.¹ If no irreducible trinomial exists, then select instead a pentanomial $x^m + x^{k_3} + x^{k_2} + x^{k_1} + 1$, such that $k_1$ has the minimal value; the value of $k_2$ is minimal for the given $k_1$; and $k_3$ is minimal for the given $k_1$ and $k_2$.
Normal basis. A normal basis of $\mathbb{F}_{2^m}$ over $\mathbb{F}_2$ is a basis of the form $\{\beta, \beta^2, \beta^{2^2}, \ldots, \beta^{2^{m-1}}\}$, where $\beta \in \mathbb{F}_{2^m}$. It is well known (see [51]) that such a basis always exists. Therefore, every element $a \in \mathbb{F}_{2^m}$ can be written as $a = \sum_{i=0}^{m-1} a_i \beta^{2^i}$, where $a_i \in \{0, 1\}$. The field element $a$ is usually denoted by the bit string $(a_0 a_1 \ldots a_{m-1})$ of length $m$. A normal basis representation of $\mathbb{F}_{2^m}$ has the computational advantage that squaring an element is a simple cyclic shift of the vector representation, an operation that is efficiently implemented in hardware. Multiplication of different elements, on the other hand, is in general a more complicated operation. Fortunately, for the particular class of normal bases called Gaussian normal bases (GNB), the field arithmetic operations can be implemented very efficiently [31]. The type $T$ of a GNB is a positive integer measuring the complexity of the multiplication operation with respect to that basis; the smaller the type, the faster the multiplication.

The existence of a Gaussian normal basis has been characterized in [58] and [6]. In particular, a GNB exists whenever $m$ is not divisible by 8. In addition, if $m$ is divisible by 8 and $T$ is a positive integer, then a type $T$ GNB for $\mathbb{F}_{2^m}$ exists if and only if $p = Tm + 1$ is prime and $\gcd(Tm/k, m) = 1$, where $k$ is the multiplicative order of 2 modulo $p$.
The finite field operations in $\mathbb{F}_{2^m}$, using a Gaussian normal basis of type $T$, are defined as follows. Assume that $a = (a_0 a_1 \ldots a_{m-1})$ and $b = (b_0 b_1 \ldots b_{m-1})$. Then:
- Addition: $a + b = c = (c_0 c_1 \ldots c_{m-1})$, where $c_i = (a_i + b_i) \bmod 2$. That is, field addition is performed bitwise.
- Squaring: Since squaring is a linear operation in $\mathbb{F}_{2^m}$,
$$a^2 = \Big(\sum_{i=0}^{m-1} a_i \beta^{2^i}\Big)^2 = \sum_{i=0}^{m-1} a_i \beta^{2^{i+1}} = \sum_{i=0}^{m-1} a_{(i-1) \bmod m}\, \beta^{2^i} = (a_{m-1} a_0 a_1 \ldots a_{m-2}).$$
Hence squaring a finite field element is a simple rotation of the vector representation.
- Multiplication: Let $p = Tm + 1$ and let $u \in \mathbb{F}_p$ be an element of order $T$. Define the sequence $F(1), F(2), \ldots, F(p-1)$ by
$$F(2^i u^j \bmod p) = i \quad \text{for } 0 \le i \le m-1,\ 0 \le j \le T-1.$$
For each $l$, $0 \le l \le m-1$, define $A_l$ and $B_l$ by
$$A_l = \sum_{k=1}^{p-2} a_{F(k+1)+l}\, b_{F(p-k)+l}, \quad \text{and}$$
$$B_l = \sum_{k=1}^{m/2} \big(a_{k+l-1}\, b_{m/2+k+l-1} + a_{m/2+k+l-1}\, b_{k+l-1}\big) + A_l.$$
Then $a \cdot b = c = (c_0 c_1 \ldots c_{m-1})$, where
$$c_l = \begin{cases} A_l & \text{if } T \text{ is even;} \\ B_l & \text{if } T \text{ is odd;} \end{cases}$$
for each $l$, $0 \le l \le m-1$, where indices are reduced modulo $m$.

See [31] for a good survey on finite field algorithms using a normal basis in $\mathbb{F}_{2^m}$. Consult Agnew, Mullin and Vanstone [2] and Rosing [67] for a hardware and software implementation, respectively, of a normal basis in $\mathbb{F}_{2^m}$.

¹ Although this selection may affect the speed of the almost inverse algorithm (see [19]), it allows for faster reduction modulo $f(x)$.

2.3 Finite field arithmetic in $\mathbb{F}_{2^m}$ using a polynomial basis

In this section we describe various bit-level algorithms for performing computations in the finite field $\mathbb{F}_{2^m}$ using a polynomial basis representation. These algorithms can be easily modified to obtain word-level algorithms, which are well suited for software implementations.

Addition. Addition in $\mathbb{F}_{2^m}$ is the usual addition of vectors over $\mathbb{F}_2$. That is, add the corresponding bits modulo 2.

Algorithm 1: bit-level method for addition in $\mathbb{F}_{2^m}$
Input: $a = (a_{m-1} \ldots a_1 a_0) \in \mathbb{F}_{2^m}$ and $b = (b_{m-1} \ldots b_1 b_0) \in \mathbb{F}_{2^m}$
Output: $c = a + b = (c_{m-1} \ldots c_1 c_0)$
1. for $j$ from 0 to $m-1$ do
       Set $c_j \leftarrow (a_j + b_j) \bmod 2$
2. return($c$).

Modular reduction. By the definition of multiplication in $\mathbb{F}_{2^m}$, the result of a polynomial multiplication or squaring has to be reduced modulo an irreducible polynomial of degree $m$. This reduction operation is particularly efficient when the irreducible polynomial $f(x)$ is a trinomial or a pentanomial. The following algorithm for computing $a(x) \bmod f(x)$ works by reducing the degree of $a(x)$ until it is less than $m$.

Algorithm 2: bit-level method for modular reduction in $\mathbb{F}_{2^m}$
Input: $a = (a_{2m-2} \ldots a_1 a_0)$ and $f = (f_m f_{m-1} \ldots f_1 f_0)$
Output: $c = a \bmod f$
1. for $i$ from $2m-2$ down to $m$ do
       for $j$ from 0 to $m-1$ do
           if $f_j \ne 0$ then $a_{i-m+j} \leftarrow a_{i-m+j} + a_i$
2. return($c \leftarrow (a_{m-1} \ldots a_1 a_0)$).

Squaring. This operation can be calculated in an efficient way by observing that the square of a polynomial $a$ is given by
$$a(x)^2 = \Big(\sum_{i=0}^{m-1} a_i x^i\Big)^2 = \sum_{i=0}^{m-1} a_i^2 x^{2i}.$$
This equation yields a simple algorithm:

Algorithm 3: bit-level method for squaring in $\mathbb{F}_{2^m}$
Input: $a = (a_{m-1} \ldots a_1 a_0)$ and $f = (f_m f_{m-1} \ldots f_1 f_0)$
Output: $c = a^2 \bmod f$
1. Set $t \leftarrow \sum_{i=0}^{m-1} a_i^2 x^{2i}$
2. Set $c \leftarrow t \bmod f$   // Use Algorithm 2
3. return($c$).

A known technique for speeding up the computation in step 1 is to use a table lookup (see Schroeppel et al. [70] for details).

Multiplication. The basic method for performing a multiplication in $\mathbb{F}_{2^m}$ is the "shift-and-add" method. It is analogous to the binary method for exponentiation, with the square and multiplication operations being replaced by the multipl+ication of a field element by $x$ and field addition operations, respectively. Given $a \in \mathbb{F}_{2^m}$, the shift-left operation $x a(x) \bmod f(x)$ can be performed as follows
$$x a(x) \bmod f(x) = \begin{cases} \sum_{j=1}^{m-1} a_{j-1} x^j & \text{if } a_{m-1} = 0; \\ \sum_{j=1}^{m-1} (a_{j-1} + f_j) x^j + f_0 & \text{if } a_{m-1} \ne 0. \end{cases}$$
Then the steps of the "shift-and-add" method are given below.

Algorithm 4: "shift-and-add" method
Input: $a \in \mathbb{F}_{2^m}$, $b \in \mathbb{F}_{2^m}$ and $f = (f_m f_{m-1} \ldots f_1 f_0)$
Output: $c = ab \bmod f$
1. Set $c(x) \leftarrow 0$
2. for $j$ from $m-1$ down to 0 do
       Set $c(x) \leftarrow x\, c(x) \bmod f(x)$
       if $a_j \ne 0$ then Set $c(x) \leftarrow c(x) + b(x)$
3. return($c$).

This method requires $m-1$ shift-left operations and $m$ field additions on average. The speed of this method can be improved by using programming tricks such as separated name variables and loop-unrolled code. In [50] we have proposed a fast algorithm for multiplication that is significantly faster than the "shift-and-add" method, but requires some temporary storage.

Inversion. The basic algorithm for computing multiplicative inverses is the extended Euclidean algorithm. A high level description of this method is the following:

Algorithm 5: Extended Euclidean algorithm
Input: $a \in \mathbb{F}_{2^m}$ ($a \ne 0$) and $f = (f_m f_{m-1} \ldots f_1 f_0)$
Output: $c = a^{-1} \bmod f$
1. Set $b_1(x) \leftarrow 1$; $b_2(x) \leftarrow 0$
   Set $p_1(x) \leftarrow a(x)$; $p_2(x) \leftarrow f(x)$
2. while degree($p_1$) $\ne 0$ do
       if degree($p_1$) $<$ degree($p_2$) then
           exchange $p_1, p_2$ and $b_1, b_2$
       Set $j \leftarrow$ degree($p_1$) $-$ degree($p_2$)
       Set $p_1(x) \leftarrow p_1(x) + x^j p_2(x)$; $b_1(x) \leftarrow b_1(x) + x^j b_2(x)$
3. return($c(x) \leftarrow b_1(x)$).

An alternative method for computing inverses, called the almost inverse algorithm, was proposed by Schroeppel et al. [70]. This method works quite well when the reduction polynomial is a trinomial of the form $x^m + x^k + 1$ with $k > w$ and $m - k > w$, where $w$ is the word size of the computer used. The authors suggested a number of implementation tricks that can be used for improving the speed of this method; many of these tricks also work for the extended Euclidean algorithm. Note that in the context of elliptic curve computations over $\mathbb{F}_{2^m}$, most of the inversions required can be avoided by using a projective scheme [47]. In this case, we trade inversions for multiplications and other finite field operations.

3 Elliptic curves over finite fields

In this section we give a short introduction to the theory of elliptic curves defined over finite fields. Additional information on elliptic curves and their applications to cryptography can be found in Blake et al. [12], Menezes [52], Chapter 6 of Koblitz's book [38], and [73]. There are several ways of defining equations for elliptic curves, which depend on whether the field is a prime finite field or a characteristic two finite field. The Weierstrass equations for both finite fields $\mathbb{F}_p$ and $\mathbb{F}_{2^m}$ are described in the next two sections.

3.1 Elliptic curves over $\mathbb{F}_p$

Let $p > 3$ be an odd prime and let $a, b \in \mathbb{F}_p$ satisfy $4a^3 + 27b^2 \ne 0 \pmod p$. Then an elliptic curve $E(\mathbb{F}_p)$ over $\mathbb{F}_p$ defined by the parameters $a, b \in \mathbb{F}_p$ consists of the set of solutions or points $P = (x, y)$ for $x, y \in \mathbb{F}_p$ to the equation:
$$y^2 = x^3 + ax + b \qquad (1)$$
together with a special point $\mathcal{O}$ called the point at infinity. For a given point $P = (x_P, y_P)$, $x_P$ is called the $x$-coordinate of $P$, and $y_P$ is called the $y$-coordinate of $P$.

An addition operation $+$ can be defined on the set $E(\mathbb{F}_p)$ such that $(E(\mathbb{F}_p), +)$ forms an abelian group with $\mathcal{O}$ acting as its identity. It is this algebraic group that is used to construct elliptic curve cryptosystems. The addition operation in $E(\mathbb{F}_p)$ is specified as follows:
1. $P + \mathcal{O} = \mathcal{O} + P = P$ for all $P \in E(\mathbb{F}_p)$.
2. If $P = (x, y) \in E(\mathbb{F}_p)$, then $(x, y) + (x, -y) = \mathcal{O}$. (The point $(x, -y) \in E(\mathbb{F}_p)$ is denoted $-P$, and is called the negative of $P$.)
3. Let $P = (x_1, y_1) \in E(\mathbb{F}_p)$ and $Q = (x_2, y_2) \in E(\mathbb{F}_p)$, where $P \ne \pm Q$. Then $P + Q = (x_3, y_3)$, where
$$x_3 = \lambda^2 - x_1 - x_2, \quad y_3 = \lambda(x_1 - x_3) - y_1, \quad \text{and} \quad \lambda = \frac{y_2 - y_1}{x_2 - x_1}.$$
4. Let $P = (x_1, y_1) \in E(\mathbb{F}_p)$. Then $P + P = 2P = (x_3, y_3)$, where
$$x_3 = \lambda^2 - 2x_1, \quad y_3 = \lambda(x_1 - x_3) - y_1 \quad \text{and} \quad \lambda = \frac{3x_1^2 + a}{2y_1}.$$
This operation is called the doubling of a point.

Notice that the addition of two different elliptic curve points in $E(\mathbb{F}_p)$ requires the following arithmetic operations in $\mathbb{F}_p$: one inversion, two multiplications, one squaring and six additions. Similarly, doubling an elliptic curve point in $E(\mathbb{F}_p)$ requires one inversion, two multiplications, two squarings and eight additions. Since inversion in $\mathbb{F}_p$ is, in general, an expensive operation, an alternative method to compute the sum of two elliptic points is to use projective coordinates. In this case, the inversion operation is traded for more multiplications and other less expensive finite field operations. See [16] for several proposed projective schemes.

The following algorithm implements the addition of two points on $E(\mathbb{F}_p)$ in terms of affine coordinates.

Algorithm 6: Addition on $E(\mathbb{F}_p)$
Input: An elliptic curve $E(\mathbb{F}_p)$ with parameters $a, b \in \mathbb{F}_p$, and points $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$.
Output: $Q = P_1 + P_2$.
1. if $P_1 = \mathcal{O}$, then return($Q \leftarrow P_2$)
2. if $P_2 = \mathcal{O}$, then return($Q \leftarrow P_1$)
3. if $x_1 = x_2$ then
       if $y_1 = y_2$ then $\lambda \leftarrow (3x_1^2 + a)/(2y_1) \bmod p$
       else return($Q \leftarrow \mathcal{O}$)   // $y_1 = -y_2$ //
   else $\lambda \leftarrow (y_2 - y_1)/(x_2 - x_1) \bmod p$
4. Set $x_3 \leftarrow \lambda^2 - x_1 - x_2 \bmod p$
5. Set $y_3 \leftarrow \lambda(x_1 - x_3) - y_1 \bmod p$
6. return($Q \leftarrow (x_3, y_3)$).

3.2 Elliptic curves over $\mathbb{F}_{2^m}$

A (non-supersingular) elliptic curve $E(\mathbb{F}_{2^m})$ over $\mathbb{F}_{2^m}$ defined by the parameters $a, b \in \mathbb{F}_{2^m}$, $b \ne 0$, consists of the set of solutions or points $P = (x, y)$ for $x, y \in \mathbb{F}_{2^m}$ to the equation:
$$y^2 + xy = x^3 + ax^2 + b \qquad (2)$$
together with a special point $\mathcal{O}$ called the point at infinity.

As in the case of elliptic curves over $\mathbb{F}_p$, the set of points on $E(\mathbb{F}_{2^m})$ can be equipped with an abelian group structure. This addition operation is specified as follows:
1. $P + \mathcal{O} = \mathcal{O} + P = P$ for all $P \in E(\mathbb{F}_{2^m})$.
2. If $P = (x, y) \in E(\mathbb{F}_{2^m})$, then $(x, y) + (x, x + y) = \mathcal{O}$. (The point $(x, x + y) \in E(\mathbb{F}_{2^m})$ is denoted $-P$, and is called the negative of $P$.)
3. Let $P = (x_1, y_1) \in E(\mathbb{F}_{2^m})$ and $Q = (x_2, y_2) \in E(\mathbb{F}_{2^m})$, where $P \ne \pm Q$. Then $P + Q = (x_3, y_3)$, where
$$x_3 = \lambda^2 + \lambda + x_1 + x_2 + a, \quad y_3 = \lambda(x_1 + x_3) + x_3 + y_1 \quad \text{and} \quad \lambda = \frac{y_2 + y_1}{x_2 + x_1}.$$
4. Let $P = (x_1, y_1) \in E(\mathbb{F}_{2^m})$. Then $P + P = 2P = (x_3, y_3)$, where
$$x_3 = \lambda^2 + \lambda + a, \quad y_3 = \lambda(x_1 + x_3) + x_3 + y_1 \quad \text{and} \quad \lambda = x_1 + \frac{y_1}{x_1}.$$

Notice that the addition of two different elliptic curve points in $E(\mathbb{F}_{2^m})$ requires one inversion, two multiplications, one squaring and eight additions in $\mathbb{F}_{2^m}$. Doubling² a point in $E(\mathbb{F}_{2^m})$ requires one inversion, two multiplications, one squaring and six additions. For situations³ where the computation of an inversion operation is relatively expensive compared to a multiplication, projective schemes offer computational advantages. Fast algorithms for the arithmetic of elliptic curves over $\mathbb{F}_{2^m}$ in projective coordinates are described in [47].

The following algorithm implements the addition of two points on $E(\mathbb{F}_{2^m})$ in terms of affine coordinates.

Algorithm 7: Addition on $E(\mathbb{F}_{2^m})$
Input: An elliptic curve $E(\mathbb{F}_{2^m})$ with parameters $a, b \in \mathbb{F}_{2^m}$, and points $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$.
Output: $Q = P_1 + P_2$.
1. if $P_1 = \mathcal{O}$, then return($Q \leftarrow P_2$)
2. if $P_2 = \mathcal{O}$, then return($Q \leftarrow P_1$)
3. if $x_1 = x_2$ then
       if $y_1 = y_2$ then $\lambda \leftarrow x_1 + y_1/x_1$; $x_3 \leftarrow \lambda^2 + \lambda + a$
       else return($Q \leftarrow \mathcal{O}$)   // $y_2 = y_1 + x_1$ //
   else $\lambda \leftarrow (y_2 + y_1)/(x_2 + x_1)$; $x_3 \leftarrow \lambda^2 + \lambda + x_1 + x_2 + a$
4. Set $y_3 \leftarrow \lambda(x_1 + x_3) + x_3 + y_1$
5. return($Q \leftarrow (x_3, y_3)$).

² An alternative method for computing $2P$ is described in [47].
³ See [2] for a hardware implementation and [29] for a software implementation of $\mathbb{F}_{2^m}$ where an inversion costs about 24 and 10 multiplications, respectively.
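As an added example (not the report's own code), the Python below implements Algorithms 1 to 5 of Section 2.3 on integer-encoded binary polynomials and then uses them for Algorithm 7 above. The integer encoding (bit $i$ of an int is the coefficient $a_i$, and $f$ is an int with bit $m$ set), the function names and the toy parameters are my own constructions: the field $\mathbb{F}_{2^4}$ with $f(x) = x^4 + x + 1$, the curve $y^2 + xy = x^3 + x^2 + 1$ over it, and the point $(1, 6)$, which the code verifies lies on that curve; the AES field $\mathbb{F}_{2^8}$ with $f(x) = x^8 + x^4 + x^3 + x + 1$ serves as a second check of the field routines. The one departure from Algorithm 7 as printed is that the case $P_2 = -P_1$ is tested before the division by $x_1$, so that a point with $x_1 = 0$ (which has order 2) is doubled to $\mathcal{O}$ rather than dividing by zero.

```python
# Added example, not the report's own code: Algorithms 1-5 (F_{2^m} with a
# polynomial basis) and Algorithm 7 (affine addition on E(F_{2^m})).
# Encoding (my choice): a field element is a Python int whose bit i is the
# coefficient a_i; the reduction polynomial f(x) is an int with bit m set.


def degree(poly: int) -> int:
    """Degree of a binary polynomial held in an int (-1 for the zero polynomial)."""
    return poly.bit_length() - 1


def gf_add(a: int, b: int) -> int:
    """Algorithm 1: coefficient-wise addition mod 2 is a bitwise XOR."""
    return a ^ b


def gf_reduce(a: int, f: int) -> int:
    """Algorithm 2: reduce a(x) mod f(x), clearing the top bit at each step."""
    m = degree(f)
    for i in range(degree(a), m - 1, -1):
        if (a >> i) & 1:
            a ^= f << (i - m)        # add x^(i-m) f(x): bit i becomes 0
    return a


def gf_square(a: int, f: int) -> int:
    """Algorithm 3: a(x)^2 = sum a_i x^(2i) over F_2, then reduce."""
    t = 0
    for i in range(a.bit_length()):
        if (a >> i) & 1:
            t |= 1 << (2 * i)
    return gf_reduce(t, f)


def gf_mul(a: int, b: int, f: int) -> int:
    """Algorithm 4: shift-and-add, scanning the bits of a from a_{m-1} down."""
    m = degree(f)
    c = 0
    for j in range(m - 1, -1, -1):
        c <<= 1                      # c(x) <- x c(x)
        if (c >> m) & 1:
            c ^= f                   # ... mod f(x)
        if (a >> j) & 1:
            c ^= b                   # c(x) <- c(x) + b(x)
    return c


def gf_inv(a: int, f: int) -> int:
    """Algorithm 5: extended Euclidean algorithm, returns a^{-1} mod f."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in F_2^m")
    b1, b2, p1, p2 = 1, 0, a, f
    while degree(p1) != 0:
        if degree(p1) < degree(p2):
            p1, p2, b1, b2 = p2, p1, b2, b1
        j = degree(p1) - degree(p2)
        p1 ^= p2 << j
        b1 ^= b2 << j
    return gf_reduce(b1, f)


def on_curve_binary(P, a: int, b: int, f: int) -> bool:
    """Does P satisfy y^2 + xy = x^3 + ax^2 + b (equation (2))? None is O."""
    if P is None:
        return True
    x, y = P
    x2 = gf_square(x, f)
    lhs = gf_add(gf_square(y, f), gf_mul(x, y, f))
    rhs = gf_add(gf_add(gf_mul(x2, x, f), gf_mul(a, x2, f)), b)
    return lhs == rhs


def ec_add_binary(P, Q, a: int, f: int):
    """Algorithm 7; None stands for the point at infinity O.
    Unlike the printed algorithm, Q = -P is tested first, so a point with
    x1 = 0 (order 2) doubles to O instead of dividing by zero."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if y2 == gf_add(y1, x1):         # Q = -P = (x1, x1 + y1)
            return None
        lam = gf_add(x1, gf_mul(y1, gf_inv(x1, f), f))
        x3 = gf_add(gf_add(gf_square(lam, f), lam), a)
    else:
        lam = gf_mul(gf_add(y2, y1), gf_inv(gf_add(x2, x1), f), f)
        x3 = gf_add(gf_add(gf_square(lam, f), lam), gf_add(gf_add(x1, x2), a))
    y3 = gf_add(gf_add(gf_mul(lam, gf_add(x1, x3), f), x3), y1)
    return (x3, y3)


if __name__ == "__main__":
    # Constructed toy parameters: F_{2^4} with f(x) = x^4 + x + 1 (0b10011),
    # curve a = b = 1, and P = (1, 6), i.e. (1, x^2 + x), which lies on it.
    F16, A, B = 0b10011, 1, 1
    P = (1, 6)
    assert on_curve_binary(P, A, B, F16)
    print(ec_add_binary(P, P, A, F16))            # (0, 1): a point of order 2
    print(ec_add_binary((0, 1), (0, 1), A, F16))  # None, i.e. O
```

The same functions run unchanged for a cryptographic size such as $m = 163$ once `f` is set to the standard pentanomial; only the word-level optimizations the text mentions (and constant-time behaviour, which the bit-by-bit branches here do not provide) separate this from an implementation one would deploy.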

3.3 Definitions and basic results

Scalar multiplication. The central operation of cryptographic schemes based on ECC is the elliptic scalar multiplication (the operation analogous to exponentiation in multiplicative groups). Given an integer $k$ and a point $P \in E(\mathbb{F}_q)$, the elliptic scalar multiplication $kP$ is the result of adding $P$ to itself $k$ times. In Section 5, we will describe some efficient algorithms for calculating $kP$.

Orders. The order of a point $P$ on an elliptic curve is the smallest positive integer $r$ such that $rP = \mathcal{O}$. If $k$ and $l$ are integers, then $kP = lP$ if and only if $k \equiv l \pmod r$.

Curve order. The number of points of $E(\mathbb{F}_q)$, denoted by $\#E(\mathbb{F}_q)$, is called the curve order of the curve. This number can be computed in polynomial time by Schoof's algorithm [69]. This algorithm is required for setting up an elliptic curve system based on random curves. In this case, one selects parameters $a$ and $b$ with the property that the curve order of the resulting curve be divisible by a large prime (see Section 4 for an explanation of this condition).

Basic facts. Let $E$ be an elliptic curve over a finite field $\mathbb{F}_q$. Then:
- Hasse's theorem states that $\#E(\mathbb{F}_q) = q + 1 - t$, where $|t| \le 2\sqrt{q}$. That is, the number of points in $E(\mathbb{F}_q)$ is approximately $q$.
- If $q$ is a power of 2, then $\#E(\mathbb{F}_q)$ is even. More specifically, $\#E(\mathbb{F}_q) \equiv 0 \pmod 4$ if $Tr(a) = 0$,⁴ and $\#E(\mathbb{F}_q) \equiv 2 \pmod 4$ if $Tr(a) = 1$.
- $E(\mathbb{F}_q)$ is an abelian group of rank 1 or 2. That is, $E(\mathbb{F}_q)$ is isomorphic to $\mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2}$, where $n_2$ divides $n_1$ and $q - 1$.
- If $q$ is a power of two and $P = (x, y) \in E(\mathbb{F}_q)$ is a point of odd order, then the trace of the $x$-coordinate of all multiples of $P$ is equal to the trace of the parameter $a$. That is, $Tr(x(kP)) = Tr(a)$ for each integer $k$. This result, due to Seroussi [75], is the basis of an efficient algorithm for a compact representation of points on elliptic curves over $\mathbb{F}_{2^m}$. Knudsen's method [34] for computing elliptic scalar multiplications is also based on this result.

⁴ The trace $Tr(\cdot)$ is a linear map from $\mathbb{F}_{2^m}$ to $\mathbb{F}_2$ defined by $Tr(a) = \sum_{i=0}^{m-1} a^{2^i}$.

3.4 ECC domain parameters

The operation of public-key cryptographic schemes involves arithmetic operations on an elliptic curve over a finite field determined by some elliptic curve domain parameters. In this section, we describe the elliptic curve parameters over the finite fields $\mathbb{F}_p$ and $\mathbb{F}_{2^m}$. ECC domain parameters over $\mathbb{F}_q$ are a septuple:
$$T = (q, FR, a, b, G, n, h)$$
consisting of a number $q$ specifying a prime power ($q = p$ or $q = 2^m$), an indication $FR$ (field representation) of the method used for representing field elements $\in \mathbb{F}_q$, two field elements $a$ and $b \in \mathbb{F}_q$ that specify the equation of the elliptic curve $E$ over $\mathbb{F}_q$ (i.e., $y^2 = x^3 + ax + b$ in the case $p > 3$, and $y^2 + xy = x^3 + ax^2 + b$ when $p = 2$), a base point $G = (x_G, y_G)$ on $E(\mathbb{F}_q)$, a prime $n$ which is the order of $G$, and an integer $h$ which is the cofactor $h = \#E(\mathbb{F}_q)/n$.

Several algorithms for the generation and validation of elliptic curve domain parameters have been proposed (see for example [59] and [26]). Since the primary security parameter is $n$, the ECC key length is thus defined to be the bit-length of $n$. For example, NIST curves [59] are described by parameters which avoid all known attacks. The security level provided by these curves is at least as much as symmetric-key ciphers with key lengths 80 to 256 bits. In Table 1 we compare key sizes of different cryptosystems with a comparable level of security (against known attacks).

Symmetric cipher key length | Example algorithm | ECC key length for equivalent security | DSA/RSA key length for equivalent security
80  | SKIPJACK    | 160 | 1024
112 | Triple-DES  | 224 | 2048
128 | 128-bit AES | 256 | 3072
192 | 192-bit AES | 384 | 7680
256 | 256-bit AES | 512 | 15360
Table 1: ECC, DSA and RSA key length comparisons.

3.5 Elliptic curve protocols: ECDH, ECDSA, ECAES

In this section, we give a short description of three fundamental protocols based on elliptic curves: the Elliptic Curve Diffie-Hellman (ECDH), the Elliptic Curve Digital Signature Algorithm (ECDSA) and the Elliptic Curve Authenticated Encryption Scheme (ECAES). The ECDH is the elliptic version of the well-known Diffie-Hellman key agreement method; the ECDSA is the elliptic curve analogue of the DSA, proposed by Scott Vanstone [81] in 1992; and the ECAES is a variant of the ElGamal public-key encryption scheme, proposed by Abdalla, Bellare and Rogaway [1] in 1999.

Key generation. An entity $A$'s public and private key pair is associated with a particular set of elliptic curve domain parameters $(q, FR, a, b, G, n, h)$.⁵ To generate a key pair, entity $A$ does the following:
1. Select a random or pseudo-random integer $d$ in the interval $[1, n-1]$.
2. Compute $Q = dG$.
3. $A$'s public key is $Q$; $A$'s private key is $d$.

Public key validation. This process ensures that a public key satisfies the arithmetic requirements of an elliptic curve public key (see [73]). A public key $Q = (x_Q, y_Q)$ associated with domain parameters $(q, FR, a, b, G, n, h)$ is validated using the following procedure (called explicit validation):
1. Check that $Q \ne \mathcal{O}$.
2. Check that $x_Q$ and $y_Q$ are properly represented elements of $\mathbb{F}_q$.
3. Check that $Q$ lies on the elliptic curve defined by $a$ and $b$.
4. Check that $nQ = \mathcal{O}$.
Public key validation with step 4 omitted is called partial public-key validation.

ECDH. The basic idea of this primitive is to generate a shared secret value from a private key owned by one entity $A$ and a public key owned by another entity $B$, so that if both entities execute the primitive simultaneously with corresponding keys as input, they will recover the same shared secret value. We assume that entity $A$ has domain parameters $D = (q, FR, a, b, G, n, h)$ and a private key $d_A$. We also suppose that entity $B$ has a public key $Q_B$ associated with $D$. The public key $Q_B$ should at least be partially valid.

Entity $A$ uses the following procedure to calculate a shared secret value with $B$:
1. Compute $P = d_A Q_B = (x_P, y_P)$.
2. Check that $P \ne \mathcal{O}$.
3. The shared secret value is $z = x_P$.
If step 1 is computed as $P = h d_A Q_B = (x_P, y_P)$, then we call this primitive elliptic curve cofactor Diffie-Hellman. The incorporation of the cofactor $h$ into the calculation of the secret value is to provide efficient resistance to attacks such as small subgroup attacks (see [73]).

ECAES. The setup for encryption and decryption is the following. We suppose that receiver $B$ has domain parameters $D = (q, FR, a, b, G, n, h)$ and public key $Q_B$. We also suppose that sender $A$ has authentic copies of $D$ and $Q_B$. In the following, MAC denotes a message authentication code (MAC) algorithm such as HMAC [43], ENC a symmetric encryption scheme such as Triple-DES, and KDF a key derivation function which derives cryptographic keys from a shared secret point.

To encrypt a message $m$ for $B$, $A$ performs:
1. Select a random integer $r$ from $[1, n-1]$.
2. Compute $R = rG$.
3. Compute $K = h r Q_B = (K_x, K_y)$. Check that $K \ne \mathcal{O}$.
4. Compute $k_1 \| k_2 = \mathrm{KDF}(K_x)$.
5. Compute $c = \mathrm{ENC}_{k_1}(m)$.
6. Compute $t = \mathrm{MAC}_{k_2}(c)$.
7. Send $(R, c, t)$ to $B$.

To decrypt a ciphertext $(R, c, t)$, $B$ does:
8. Perform a partial key validation on $R$.
9. Compute $K = h d_B R = (K_x, K_y)$. Check that $K \ne \mathcal{O}$.
10. Compute $k_1 \| k_2 = \mathrm{KDF}(K_x)$.
11. Verify that $t = \mathrm{MAC}_{k_2}(c)$.
12. Compute $m = \mathrm{ENC}^{-1}_{k_1}(c)$.

The time consuming operations in encryption and decryption are the scalar multiplications in steps 3 and 9.

⁵ This association can be assured cryptographically (i.e., with certificates) or by context (e.g., all entities use the same domain parameters).

ECDSA. The setup for generating and verifying signatures using the ECDSA is the follow-
ing. We suppose that signer A has domain parameters D = (q; F R; a; b; G; n; h) and publi
key QA. We also suppose that B has authenti opies of D and QA . In the following SHA-1
denotes the 160-bit hash fun tion [60℄.

To sign a message m, A does the following:


1. Sele t a random integer k from [1,n 1℄.
2. Compute kG = (x1 ; y1 ) and r = x1 mod n.
If r = 0 then go to step 1.
3. Compute k 1 mod n.
4. Compute e = SHA-1(m).
5. Compute s = k 1 fe + dA  rg mod n.
If s = 0 then go to step 1.
6. A's signature for the message m is (r; s).
To verify A's signature (r; s) on m, B performs the following steps:

7. Verify that r and s are integers in [1,n 1℄.


8. Compute e = SHA-1(m).
An Overview of Ellipti Curve Cryptography 15

9. Compute w = s 1 mod n.
10. Compute u1 = ew mod n and u2 = rw mod n.
11. Compute u1 G + u2 QA = (x1 ; y1 ).
12. Compute v = x1 mod n.
13. A ept the signature if and only if v = r.
The time onsuming operations in signature generation and signature veri ation are the
s alar multipli ations in steps 2 and 11.
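The cofactor ECDH procedure and the ECDSA signing and verification steps above, as an added example that is not code from the report. The curve y^2 = x^3 + 2x + 2 over F_17 with generator G = (5, 1) and group order n = 19 is a constructed textbook toy (cofactor h = 1), the hash is SHA-1 as in the text but reduced modulo the tiny n, and `secrets`/`hashlib` from the Python standard library are assumed.

```python
# Added example (not from the report): cofactor ECDH and ECDSA on a toy curve.
# Curve, generator and order are constructed for illustration only.
import hashlib
import secrets

# Toy curve y^2 = x^3 + 2x + 2 over F_17, generator G = (5, 1), #E = 19.
P_MOD, A, B = 17, 2, 2
G = (5, 1)
INF = None  # the point at infinity O

def inv_mod(x, m):
    return pow(x, -1, m)

def add(P, Q):
    """Affine chord-and-tangent addition on the short Weierstrass curve."""
    if P is INF: return Q
    if Q is INF: return P
    x1, y1 = P; x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                  # P + (-P) = O
    if P == Q:
        lam = (3 * x1 * x1 + A) * inv_mod(2 * y1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, P):
    """Binary (double-and-add) scalar multiplication, scanning k from its top bit."""
    Q = INF
    for bit in bin(k)[2:]:
        Q = add(Q, Q)
        if bit == "1":
            Q = add(Q, P)
    return Q

def order_of(P):
    """Order of P by brute force; acceptable only because the group is tiny."""
    n, Q = 1, P
    while Q is not INF:
        Q = add(Q, P); n += 1
    return n

N = order_of(G)     # prime group order n = 19, so the cofactor h is 1
H = 1

def on_curve(P):
    x, y = P
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)

def cofactor_ecdh(d_own, Q_other):
    """ECDH steps 1-3 with the cofactor folded in: z = x-coordinate of h*d*Q."""
    if not on_curve(Q_other):        # partial public-key validation
        raise ValueError("public key is not on the curve")
    P = mul(H * d_own, Q_other)
    if P is INF:                     # step 2
        raise ValueError("shared point is O")
    return P[0]                      # step 3

def hash_to_int(msg):
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % N

def ecdsa_sign(d, msg):
    e = hash_to_int(msg)
    while True:                      # retry when r = 0 or s = 0 (steps 2 and 5)
        k = secrets.randbelow(N - 1) + 1
        x1, _ = mul(k, G)
        r = x1 % N
        if r == 0: continue
        s = inv_mod(k, N) * (e + d * r) % N
        if s == 0: continue
        return r, s

def ecdsa_verify(Q, msg, sig):
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):   # step 7
        return False
    e = hash_to_int(msg)
    w = inv_mod(s, N)                     # step 9
    u1, u2 = e * w % N, r * w % N         # step 10
    X = add(mul(u1, G), mul(u2, Q))       # step 11
    return X is not INF and X[0] % N == r # steps 12-13

if __name__ == "__main__":
    dA, QA = keygen(); dB, QB = keygen()
    print(cofactor_ecdh(dA, QB) == cofactor_ecdh(dB, QA))
    sig = ecdsa_sign(dA, b"constructed message")
    print(ecdsa_verify(QA, b"constructed message", sig))
```

The range check in step 7 is what rejects a malformed (r, s) before any curve arithmetic runs; on a real curve the same code shape applies with n of 160 bits or more and a constant-time scalar multiplication.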

4 Discrete logarithm problem

The security of ECC is based on the apparent intractability of the following elliptic curve discrete logarithm problem (ECDLP): given an elliptic curve E(F_q), a point P ∈ E(F_q) of order n, and a point Q ∈ E(F_q), determine the integer k, 0 ≤ k ≤ n − 1, such that Q = kP, provided that such an integer exists.

The Pohlig and Hellman algorithm [61] reduces the computation of k to the problem of computing k modulo each of the prime factors of n. Therefore, n should be selected prime to obtain the maximum level of security. In practice, one must select an elliptic curve E(F_q) such that #E(F_q) = h · n where n is a prime and h is a small integer.

The most efficient general algorithm known to date is the Pollard-ρ method [62], and its recent modifications by Gallant, Lambert, and Vanstone [24], and Wiener and Zuccherato [82], which requires about √(πn)/2 elliptic group operations. Van Oorschot and Wiener [63] showed that the Pollard-ρ method can be parallelized, and that the expected running time of this algorithm, using r processors, is roughly √(πn)/(2r) group operations. This runtime is exponential in n.

Although no general subexponential algorithms to solve the ECDLP are known, there are fast algorithms for solving the ECDLP on special curves (e.g., curves for which the number of points has special properties). We list next some of these known attacks and explain how they can be avoided in practice.

• Supersingular elliptic curves. Menezes, Okamoto and Vanstone [55] and Frey and Rück [22] showed that, under mild assumptions, the ECDLP can be reduced to the traditional discrete logarithm problem in some extension field F_{q^k}, for some integer k. This reduction algorithm is only practical if k is small. For the class of supersingular^6 elliptic curves it is known that k ≤ 6. Hence, this reduction algorithm gives a subexponential time algorithm for the ECDLP. However, Balasubramanian and Koblitz [8] have shown that for most randomly generated elliptic curves we have k > log^2 q. To avoid this attack in a particular curve, one needs to check that n, the largest prime factor of the curve order, does not divide q^k − 1 for all small k for which the ordinary logarithm problem in F_{q^k} is tractable. In practice this checking is done for all k, 1 ≤ k ≤ 30.

Footnote 6: An elliptic curve over F_q is said to be supersingular if the trace of E, t(E) = q + 1 − #E(F_q), is divisible by the characteristic of F_q.

• Prime-field anomalous curves. An elliptic curve E over F_p is said to be prime-field-anomalous if #E(F_p) = p. Semaev [74], Smart [76] and Satoh and Araki [68] independently proposed a polynomial-time algorithm for the ECDLP in E(F_p). This attack does not appear to extend to any other class of elliptic curves. In practice this attack is avoided by verifying that the curve order does not equal the cardinality of the underlying finite field.

• Binary composite finite fields. Suppose that E is an elliptic curve defined over the composite finite field F_{2^m}, where m = r · s. Recently, Galbraith and Smart [23], and Gaudry, Hess and Smart [25] have shown that the complexity of the discrete logarithm problem on a significant portion of elliptic curves defined over F_{2^{4s}} is smaller than that of the Pollard-ρ method. The authors concluded that this attack does not appear to be a threat to elliptic curves defined over F_{2^m}, for m prime, but that only curves that satisfy an additional condition (see [12, p. 18]) should be used for setting up an elliptic curve cryptosystem.

Additional information on other attacks for the ECDLP as well as for attacks on elliptic curve protocols can be found in ANSI X9.62 [3], ANSI X9.63 [4], Blake, Seroussi and Smart [12], Johnson and Menezes [33], Koblitz, Menezes and Vanstone [40], Araki, Satoh and Miura [5], and Certicom's ECC challenge [15].

5 Algorithms for elliptic scalar multiplication

The implementation of public key protocols of ECC such as ECDH, ECDSA and ECAES requires elliptic scalar multiplications, that is, calculations of the form

  Q = kP = P + P + ··· + P   (k times),

where P is a curve point, and k is an integer in the range 1 ≤ k ≤ order(P). Depending on the protocol, the point P is either a fixed point that generates a large, prime order subgroup of E(F_q), or P is an arbitrary point in such a subgroup.

Many authors have discussed methods for exponentiation in a multiplicative group, which can, therefore, be extended to computing elliptic scalar multiplication [27, 54, 41, 42]. However, elliptic curve groups have special properties that allow for some extra optimizations. In this section we will describe some efficient algorithms for computing kP. These algorithms, depending on the elliptic curve and the characteristic of the finite field, can be further optimized. Finally, we summarize recent techniques suitable for hardware or software implementation of ECC.

5.1 Basic methods

Binary method. The simplest (and oldest) method for computing kP is based on the binary representation of k. If k = Σ_{j=0}^{l−1} k_j 2^j, where each k_j ∈ {0, 1}, then kP can be computed as

  kP = Σ_{j=0}^{l−1} k_j 2^j P = 2(··· 2(2k_{l−1}P + k_{l−2}P) + ···) + k_0 P.

This method requires l doublings and w_k − 1 additions, where w_k is the weight (the number of ones) of the binary representation of k.

An improved method for computing kP can be obtained from the following facts:

• Every integer k has a unique representation of the form k = Σ_{j=0}^{l−1} k_j 2^j, where each k_j ∈ {−1, 0, 1}, such that no two consecutive digits are nonzero. This representation, known as non-adjacent form (NAF), was first described by Reitwiesner [65] (see also [12]).
• The expected weight of a NAF of length l is l/3, see [12].
• The computation of the negation of a point P = (x, y) ∈ E(F_q) (−P = (x, −y) or −P = (x, x + y)) is virtually free, so the cost of addition or subtraction is practically the same.

There are, however, several algorithms for computing the NAF of k from its binary representation (see for example [54]). The following method, from Solinas [78], computes the NAF of an integer k.

Algorithm 8: Computation of NAF(k)
Input: An integer k
Output: The non-adjacent form of k, NAF(k) = (u_{l−1} ... u_1 u_0)
1. Set c ← k, l ← 0
2. while c > 0 do
     if c odd then
       Set u_l ← 2 − (c mod 4)
       Set c ← c − u_l
     else Set u_l ← 0
     Set c ← c/2; l ← l + 1
3. return(NAF(k) ← (u_{l−1} ... u_1 u_0)).

Addition-Subtraction method. This algorithm, an analogue of the binary method, performs an addition or subtraction depending on the sign of each digit of k, scanned from left to right.^7 The details are given in Algorithm 9. This algorithm requires l doublings and l/3 additions on average. This implies, for example, that for elliptic curves over F_p, using the projective coordinates given in [31], we obtain an improvement of about 14% over the binary method.

Footnote 7: This algorithm can be modified to obtain a right-to-left version, which does not need storage for the NAF(k); see [78] for more details.

Algorithm 9: Addition-Subtraction method
Input: An integer k and a point P = (x, y) ∈ E(F_q)
Output: The point Q = kP ∈ E(F_q)
1. Compute NAF(k) = (u_{l−1} ... u_1 u_0)
2. Set Q ← O
3. for j from l − 1 downto 0 do
     Set Q ← 2Q
     if u_j = 1 then Set Q ← Q + P
     if u_j = −1 then Set Q ← Q − P
4. return(Q).

Window method. Several generalizations of the binary method, such as the m-ary method, the sliding window method, etc., work by processing simultaneously a block of digits. In these methods, depending on the size of the blocks (or windows), a number of precomputed points are required. We describe a typical window method called the width-w window method (see [78]).

Let w be an integer greater than 1. Then every positive number k has a unique width-w nonadjacent form k = Σ_{j=0}^{l−1} u_j 2^j where:

• each nonzero u_j is odd and less than 2^{w−1} in absolute value;
• among any w consecutive coefficients, at most one is nonzero.

The width-w NAF is written NAF_w(k) = (u_{l−1} ... u_1 u_0). A generalization of Algorithm 8 for computing NAF_w(k) is described in Algorithm 10. Given the width-w NAF of an integer k, and a point P ∈ E(F_q), the calculation of kP can be carried out by Algorithm 11.

Algorithm 10: Computation of NAF_w(k)
Input: An integer k
Output: NAF_w(k) = (u_{l−1} ... u_1 u_0)
1. Set c ← k, l ← 0
2. while c > 0 do
     if c odd then
       Set u_l ← c mod 2^w
       if u_l > 2^{w−1} then Set u_l ← u_l − 2^w
       Set c ← c − u_l
     else Set u_l ← 0
     Set c ← c/2; l ← l + 1
3. return(NAF_w(k) ← (u_{l−1} ... u_1 u_0)).

Algorithm 11: The width-w window method
Input: Integers k and w, and a point P = (x, y) ∈ E(F_q)
Output: The point Q = kP ∈ E(F_q)
// Precomputation:
// Compute uP for u odd and 0 < u < 2^{w−1}
1. Set P_0 ← P; T ← 2P
2. for i from 1 to 2^{w−2} − 1 do
     Set P_i ← P_{i−1} + T
// Main computation:
3. Compute NAF_w(k) = (u_{l−1} ... u_1 u_0)
4. Set Q ← O
5. for j from l − 1 downto 0 do
     Set Q ← 2Q
     if u_j ≠ 0 then
       Set i ← (|u_j| − 1)/2
       if u_j > 0 then Set Q ← Q + P_i
       else Set Q ← Q − P_i
6. return(Q).

The number of nonzero digits in NAF_w(k) is on average l/(w + 1) [80]. Therefore, Algorithm 11 requires 2^{w−2} − 1 additions and one doubling for the precomputation step, and l/(w + 1) additions and l − 1 doublings for the main computation. Note that although the number of additions can be reduced by selecting an appropriate width w, the number of doublings is the same as in the previous methods. The total number of finite field operations required for computing kP depends mainly on the algorithms used for the elliptic operations (affine or projective coordinates), the cost-ratio of inversion to multiplication, and the width w.
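Algorithms 8, 10 and 11 written out, as an added example that is not code from the report. The group operations (doubling, addition, negation) are passed in as callables so the same scanning loop works for any group; the sample group is the integers under addition with the "point" P = 1, which makes kP equal to k and lets the operation counts of the cost model above be read off directly. The `CountingGroup` class and all scalars are constructed for illustration.

```python
# Added example (not from the report): NAF, width-w NAF and the width-w
# window method of Section 5.1, over an abstract group with counted operations.

def naf(k):
    """Algorithm 8: non-adjacent form of k, least significant digit first."""
    digits, c = [], k
    while c > 0:
        if c & 1:
            u = 2 - (c % 4)          # u in {-1, +1}, chosen so that c - u = 0 mod 4
            c -= u
        else:
            u = 0
        digits.append(u)
        c //= 2                      # exact: c is even here
    return digits

def naf_w(k, w):
    """Algorithm 10: width-w NAF of k (w >= 2), least significant digit first."""
    digits, c = [], k
    while c > 0:
        if c & 1:
            u = c % (1 << w)
            if u > (1 << (w - 1)):   # signed residue in (-2^(w-1), 2^(w-1))
                u -= 1 << w
            c -= u
        else:
            u = 0
        digits.append(u)
        c //= 2
    return digits

def digits_value(digits):
    """Evaluate sum u_j 2^j; used to check that a representation is correct."""
    return sum(u << j for j, u in enumerate(digits))

class CountingGroup:
    """Integers under addition, with counters for the Section 5.1 cost model.
    dbl/add/neg stand in for the curve operations 2Q, Q + P and -P."""
    identity = 0
    def __init__(self):
        self.doublings = self.additions = 0
    def dbl(self, Q):
        self.doublings += 1
        return 2 * Q
    def add(self, Q, P):
        self.additions += 1
        return Q + P
    def neg(self, P):
        return -P

def window_mul(grp, k, P, w):
    """Algorithm 11: width-w window scalar multiplication of P by k (w >= 2)."""
    # Precomputation: P_i = (2i + 1)P for the odd multiples below 2^(w-1)
    table = [P]
    T = grp.dbl(P)
    for _ in range(1, 1 << (w - 2)):
        table.append(grp.add(table[-1], T))
    # Main computation: scan the width-w NAF from its most significant digit
    Q = grp.identity
    for u in reversed(naf_w(k, w)):
        Q = grp.dbl(Q)
        if u:
            Pi = table[(abs(u) - 1) // 2]
            Q = grp.add(Q, Pi if u > 0 else grp.neg(Pi))
    return Q

def costs(k, w):
    """(doublings, additions) spent by Algorithm 11 on scalar k, result checked."""
    grp = CountingGroup()
    assert window_mul(grp, k, 1, w) == k
    return grp.doublings, grp.additions

if __name__ == "__main__":
    k = (1 << 160) - 1                       # 160 one-bits: worst case for binary
    print(len(naf(k)), sum(1 for u in naf(k) if u))   # NAF is one digit longer, weight 2
    print(costs(k, 4))                       # 161 main + 1 precomp doublings, 3 + 2 additions
```

The all-ones scalar shows the point of the signed digits: its binary expansion would cost 159 additions, while its NAF is 2^160 − 1 written as a single +1 and a single −1, so the window method spends only the precomputation additions plus two.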

Comb method. This method, developed by Lim and Lee [46], can be used for computing kP when P is a fixed point, known in advance of the computation. In order to compute kP, the l-bit integer k is divided into h blocks K_r, each one of length a = ⌈l/h⌉. In addition, each block K_r is subdivided into v blocks of size b = ⌈a/v⌉. Thus, k can be written as

  k = Σ_{r=0}^{h−1} Σ_{s=0}^{v−1} Σ_{t=0}^{b−1} k_{vbr+bs+t} 2^{vbr+bs+t}.

Then, Lim/Lee's method uses the following expression for computing kP:

  kP = Σ_{t=0}^{b−1} 2^t ( Σ_{s=0}^{v−1} G[s][I_{s,t}] ),

where the precomputation array G[s][u] for 0 ≤ s < v, 0 ≤ u < 2^h, and u = (u_{h−1} ... u_0)_2, is defined by the following equations:

  G[0][u] = Σ_{r=0}^{h−1} u_r 2^{rvb} P,
  G[s][u] = 2^{sb} G[0][u],

and the number I_{s,t}, for 0 ≤ s < v and 0 ≤ t < b, is defined by

  I_{s,t} = Σ_{r=0}^{h−1} k_{vbr+bs+t} 2^r.

A detailed description of Lim/Lee's method is given in Algorithm 12. This algorithm requires v(2^h − 1) elliptic points of storage, and the number of operations to perform a scalar multiplication is b − 1 doublings and ((2^h − 1)/2^h) vb − 1 additions on average, but vb − 1 additions in the worst case. The selection of both parameters h and v presents a trade-off between precomputation (memory) and online computations (speed). Some improvements to this algorithm are discussed in [17]. For other algorithms for computing kP when P is a known point, see [54].

Algorithm 12: Lim/Lee method
Input: Integers k, h, v and an array of points G[s][u], with 0 ≤ s < v and 1 ≤ u < 2^h.
// The array G is computed as:
for u from 1 to 2^h − 1 do
  for s from 0 to v − 1 do
    Set u ← (u_{h−1} ... u_1 u_0)_2
    Set G[s][u] ← 2^{sb} Σ_{i=0}^{h−1} u_i 2^{vbi} P.
Output: The point Q = kP ∈ E(F_q).
// Main computation:
1. Set Q ← O
2. for t from b − 1 downto 0 do
     Set Q ← 2Q
     for s from v − 1 downto 0 do
       Set I_{s,t} ← Σ_{i=0}^{h−1} 2^i k_{vbi+bs+t}
       if I_{s,t} ≠ 0 then Q ← Q + G[s][I_{s,t}]
3. return(Q).
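Algorithm 12, including the construction of the table G, as an added example that is not code from the report. The group is again abstract (doubling and addition are passed in); the sample instance uses the integers with P = 1 so that the result must equal k. The parameters h, v, l and the scalars are constructed.

```python
# Added example (not from the report): Lim/Lee comb precomputation and main
# loop of Algorithm 12 over an abstract group; integers are used as the sample.
from math import ceil

def lim_lee_precompute(P, l, h, v, dbl, add):
    """Build G[s][u] = 2^(sb) * sum_r u_r 2^(rvb) P for 0 <= s < v, 1 <= u < 2^h.
    Storage is v(2^h - 1) points; G[s][0] is left unused (it would be O)."""
    a = ceil(l / h)           # bits per block K_r
    b = ceil(a / v)           # bits per sub-block
    shifted = [P]             # shifted[r] = 2^(rvb) P, by repeated doubling
    for _ in range(1, h):
        X = shifted[-1]
        for _ in range(v * b):
            X = dbl(X)
        shifted.append(X)
    row0 = [None] * (1 << h)
    for u in range(1, 1 << h):
        X = None
        for r in range(h):
            if (u >> r) & 1:
                X = shifted[r] if X is None else add(X, shifted[r])
        row0[u] = X
    G = [row0]
    for _ in range(1, v):
        prev, row = G[-1], [None] * (1 << h)
        for u in range(1, 1 << h):
            X = prev[u]
            for _ in range(b):        # G[s][u] = 2^b G[s-1][u]
                X = dbl(X)
            row[u] = X
        G.append(row)
    return G, b

def lim_lee_mul(k, G, h, v, b, identity, dbl, add):
    """Main computation of Algorithm 12: Q = sum_t 2^t sum_s G[s][I_{s,t}]."""
    Q = identity
    for t in range(b - 1, -1, -1):
        Q = dbl(Q)
        for s in range(v - 1, -1, -1):
            I = 0
            for i in range(h):        # I_{s,t} = sum_i 2^i k_{vbi+bs+t}
                I |= ((k >> (v * b * i + b * s + t)) & 1) << i
            if I:
                Q = add(Q, G[s][I])
    return Q

def comb_demo(k, l, h, v):
    """Integer sample group: dbl is 2x, add is x+y, identity 0, fixed point P = 1,
    so the comb method must return k itself for any l-bit k."""
    dbl, add = (lambda x: 2 * x), (lambda x, y: x + y)
    G, b = lim_lee_precompute(1, l, h, v, dbl, add)
    return lim_lee_mul(k, G, h, v, b, 0, dbl, add)

if __name__ == "__main__":
    k = 0x123456789ABCDEF013579BDF2468ACE0FFFF0000   # constructed 160-bit scalar
    print(comb_demo(k, 160, 4, 4) == k)             # h = 4, v = 4: 4 * 15 stored points
```

With h = 4 and v = 4 on a 160-bit scalar, a = 40 and b = 10, so the online phase costs at most 9 doublings and 39 additions against 60 stored points; raising h trades storage for fewer additions exactly as the text describes.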

5.2 Faster methods

In recent years, the study of fast methods for computing a scalar multiplication has been an active research area. In this section we summarize some of these recent methods.

• An algorithm for computing repeated doublings (i.e., 2^i P), for elliptic curves defined over F_{2^m}, was proposed by Lopez and Dahab [47]. This algorithm, an improvement over the formulas presented by Guajardo and Paar [28], computes 2^i P with only one inversion, and it is faster than the usual method for computing 2^i P (i consecutive doublings) if the cost-ratio of inversion to multiplication is at least 2.5. This method can be used to speed up window methods such as the one described in the previous section.

• Another algorithm for computing repeated doublings, for elliptic curves over F_{2^m}, was proposed by Schroeppel [72]. This algorithm is useful for situations where the computation of an inverse is relatively fast compared to a multiplication. A slightly improved version of this method is the following:

Algorithm 13: Repeated doublings on E(F_{2^m})
Input: An integer i and a point P = (x, y) ∈ E(F_{2^m})
Output: The point Q = 2^i P
1. Set λ ← x + y/x
2. for j from 1 to i − 1 do
     Set x_2 ← λ^2 + λ + a
     Set λ_2 ← λ^2 + a + b/(x^4 + b)
     Set x ← x_2; λ ← λ_2
3. Set x_2 ← λ^2 + λ + a; y_2 ← x^2 + (λ + 1) · x_2
4. return(Q ← (x_2, y_2)).

This method is based on the observation that doubling a point using the representation (x, λ)^8 is faster than using the affine representation (x, y). Thus, we save one field multiplication in each iteration of Algorithm 13. A further optimization is to use a fast routine to multiply by the constant b. This method can be used for speeding up window methods in affine coordinates.

Footnote 8: Every point P = (x, y) ∈ E(F_{2^m}), x 
≠ 0, can be represented as the pair (x, λ), λ = x + y/x, but (x, λ) is not a point on E(F_{2^m}).

• For elliptic curves over F_p, Itoh et al. [32] proposed fast formulas for computing repeated doublings in projective coordinates, which reduce both the number of field multiplications and the number of field additions. This technique works in combination with window methods.

• An optimized version of an algorithm developed by Montgomery [57] was proposed by Lopez and Dahab [48]. This algorithm works for every elliptic curve defined over F_{2^m}, is faster than the addition-subtraction method, and it is suitable for both hardware and software implementations. In addition, this algorithm has the property that in each iteration the same amount of computation (an addition followed by a doubling) is performed. This may help to prevent timing attacks [39].

• An algorithm for computing elliptic scalar multiplications which replaces the doubling operation by the halving operation (i.e., the computation of Q such that 2Q = P) was proposed by Knudsen [34]. This algorithm works for half of the elliptic curves defined over F_{2^m} (i.e., curves whose elliptic curve parameter a satisfies Tr(a) = 1). The implementation of this method requires fast routines for the following operations in F_{2^m}: the square root of a field element, the trace of a field element, and the solution of quadratic equations of the form x^2 + x = s, for s ∈ F_{2^m}. Since these operations can be carried out very efficiently using a normal basis, this approach is suitable for hardware implementations. The implementation of Knudsen's method using a polynomial basis presents a trade-off between memory and speed for both hardware and software implementations.
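Algorithm 13 run over F_{2^163}, as an added example that is not code from the report. The field uses the reduction polynomial x^163 + x^7 + x^6 + x^3 + 1 quoted in Section 6.3; the curve coefficient b and the base point are constructed (b is derived so that the chosen (x, y) lies on y^2 + xy = x^3 + ax^2 + b); field inversion is done by Fermat's identity, which is simple rather than fast. The result is checked against i ordinary affine doublings, which is the comparison the text makes.

```python
# Added example (not from the report): Algorithm 13 in F_{2^163}, polynomial
# basis, checked against repeated affine doubling. Curve point is constructed.

M = 163
POLY = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1   # x^163 + x^7 + x^6 + x^3 + 1

def gf_mul(a, b):
    """Shift-and-add polynomial multiplication with reduction modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> M) & 1:
            a ^= POLY
    return r

def gf_sqr(a):
    return gf_mul(a, a)

def gf_inv(a):
    """a^(2^m - 2) = a^(-1) for a != 0, by square-and-multiply."""
    if a == 0:
        raise ZeroDivisionError("no inverse of 0")
    result, base, e = 1, a, (1 << M) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_sqr(base)
        e >>= 1
    return result

def gf_div(a, b):
    return gf_mul(a, gf_inv(b))

# Curve y^2 + xy = x^3 + a x^2 + b: fix a and a point, then solve for b (constructed).
A_COEF = 1
PX = 0x5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A
PY = 0x0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F
B_COEF = gf_sqr(PY) ^ gf_mul(PX, PY) ^ gf_mul(gf_sqr(PX), PX) ^ gf_mul(A_COEF, gf_sqr(PX))

def on_curve(pt):
    x, y = pt
    lhs = gf_sqr(y) ^ gf_mul(x, y)
    rhs = gf_mul(gf_sqr(x), x) ^ gf_mul(A_COEF, gf_sqr(x)) ^ B_COEF
    return lhs == rhs

def double_affine(pt):
    """One ordinary affine doubling: l = x + y/x, x2 = l^2 + l + a, y2 = x^2 + (l+1)x2."""
    x, y = pt
    lam = x ^ gf_div(y, x)
    x2 = gf_sqr(lam) ^ lam ^ A_COEF
    y2 = gf_sqr(x) ^ gf_mul(lam ^ 1, x2)
    return (x2, y2)

def repeated_doublings(pt, i):
    """Algorithm 13: 2^i P, carrying (x, lambda) instead of (x, y) between steps."""
    x, y = pt
    lam = x ^ gf_div(y, x)                                           # step 1
    for _ in range(1, i):                                            # step 2
        x2 = gf_sqr(lam) ^ lam ^ A_COEF
        lam2 = gf_sqr(lam) ^ A_COEF ^ gf_div(B_COEF, gf_sqr(gf_sqr(x)) ^ B_COEF)
        x, lam = x2, lam2
    x2 = gf_sqr(lam) ^ lam ^ A_COEF                                  # step 3
    y2 = gf_sqr(x) ^ gf_mul(lam ^ 1, x2)
    return (x2, y2)

def check(i):
    """True when Algorithm 13 agrees with i affine doublings and stays on the curve."""
    Q = (PX, PY)
    for _ in range(i):
        Q = double_affine(Q)
    R = repeated_doublings((PX, PY), i)
    return R == Q and on_curve(R)

if __name__ == "__main__":
    print(on_curve((PX, PY)), all(check(i) for i in range(1, 6)))
```

Each loop iteration still pays one inversion (for b/(x^4 + b)) but avoids the y-coordinate update, which is where the saved multiplication comes from; the affine y is reconstructed only once, in step 3.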

5.3 Koblitz curves

These curves, also known as binary anomalous curves, were first proposed for cryptographic use by Koblitz [37]. They are elliptic curves over F_{2^m} with coefficients a and b either 0 or 1. Since it is required that b ≠ 0, the curves must be defined by the equations:

  E_0 : y^2 + xy = x^3 + 1   and   E_1 : y^2 + xy = x^3 + x^2 + 1.

Koblitz curves have the following interesting property: if (x, y) is a point on E_a, a = 0 or a = 1, so is the point (x^2, y^2). Moreover, every point P = (x, y) ∈ E_a satisfies the relation

  (x^4, y^4) + 2P = μ · (x^2, y^2),   (3)

where

  μ = (−1)^{1−a}.

By using the Frobenius map over F_2, τ(x, y) = (x^2, y^2), equation (3) can be written as

  τ^2(P) + 2P = μτ(P), for all P ∈ E_a.

Then the Frobenius map τ can be regarded as a multiplication by the complex number

  τ = (μ + √(−7))/2,   satisfying τ^2 + 2 = μτ.

Several methods have been proposed to take advantage of the Frobenius map, starting with the observation of Koblitz [37] that four consecutive doublings of a point P = (x, y) ∈ E_1 can be computed efficiently via the formula

  16P = τ^2 P − τ^4 P = (x^4, y^4) − (x^16, y^16).

The fastest method known for computing kP on Koblitz curves is due to Solinas [78]. This method uses an expansion for kP of the form

  kP = Σ_{i=0}^{l−1} k_i τ^i P,   k_i ∈ {−1, 0, 1} and l ≈ log k.

Then, the calculation of kP can be carried out by a method similar to Algorithm 9 where the doublings are replaced by evaluations of the Frobenius map. Before we describe Solinas' method, the following sequences α_a(n) and β_a(n) are defined:

• α_a(0) = 0, α_a(1) = a − 1, α_a(n + 1) = α_a(n) − 2α_a(n − 1) + a − 2;
• β_a(0) = 0, β_a(1) = a − 1, β_a(n + 1) = β_a(n) − 2β_a(n − 1).

Algorithm 14 describes Solinas' method for computing an elliptic scalar multiplication on the Koblitz curve E_a(F_{2^m}).

Algorithm 14: τ-adic NAF method for Koblitz curves
Input: An integer k and a point P = (x, y) ∈ E_a(F_{2^m}).
Output: The point Q = kP ∈ E_a(F_{2^m})
// Reduction modulo (τ^m − 1)/(τ − 1)
1. Set r ← ⌊α_a(m) · k / 2^{m−1}⌋, s ← ⌊β_a(m) · k / 2^m⌋
2. Set t ← 2α_a(m) + β_a(m), v ← α_a(m) · s
3. Set c ← k − t · r − 2v; d ← α_a(m) · r − 2β_a(m) · s
// Main computation
4. Set Q ← O; D ← P
5. while c ≠ 0 or d ≠ 0 do
     if c odd then Set u ← 2 − ((c − 2d) mod 4)
     else Set u ← 0
     Set c ← c − u
     if u = 1 then Set Q ← Q + D
     if u = −1 then Set Q ← Q − D
     Set D ← τD
     Set e ← c/2; c ← d + μe; d ← −e
6. return(Q).

This algorithm requires, on average, m/3 elliptic additions and m evaluations of the Frobenius map. For comparison, if we implement Koblitz curves over F_{2^163}, using a normal basis^9 with the projective coordinates given in [47], Algorithm 9 takes 972 multiplications, while Solinas' algorithm requires 486 multiplications, obtaining a theoretical improvement of about 50%. Further speedups can be obtained by using window techniques; see Solinas [78]^10 for the "width-w τ-adic NAF method" analogous to Algorithm 11.
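The main loop of Algorithm 14 (steps 4 and 5) as an exact computation in the ring Z[τ], τ^2 = μτ − 2, as an added example that is not code from the report. The digit string is checked by re-evaluating it in the ring, and the Algorithm 9-shaped left-to-right evaluation with τ in place of doubling is run on the ring element 1 + 0τ standing in for the point P. The reduction of steps 1 to 3 is not reproduced; instead the example shows why it is needed: without it, the τ-adic NAF of an integer k has roughly 2·log2(k) digits, twice the length the text gives for the reduced expansion. All scalars are constructed.

```python
# Added example (not from the report): tau-adic NAF in Z[tau], tau^2 = mu*tau - 2.

def tau_mul(x, y, mu):
    """(x0 + x1 tau)(y0 + y1 tau) in Z[tau], using tau^2 = mu*tau - 2."""
    x0, x1 = x; y0, y1 = y
    return (x0 * y0 - 2 * x1 * y1, x0 * y1 + x1 * y0 + mu * x1 * y1)

def tau_naf(c, d, mu):
    """Steps 4-5 of Algorithm 14 on the ring element c + d*tau:
    digits u_i in {-1, 0, 1}, least significant first, no two adjacent nonzero."""
    digits = []
    while c != 0 or d != 0:
        if c % 2:                                   # c + d*tau is not divisible by tau
            u = 2 - ((c - 2 * d) % 4)               # u in {-1, +1}; makes the next digit 0
            c -= u
        else:
            u = 0
        digits.append(u)
        e = c // 2                                  # exact: c is even here
        c, d = d + mu * e, -e                       # (c + d tau)/tau = (d + mu e) - e tau
    return digits

def tau_eval(digits, mu):
    """Sum u_i tau^i evaluated in Z[tau]; returns (c, d) meaning c + d*tau."""
    acc, power = (0, 0), (1, 0)
    for u in digits:
        acc = (acc[0] + u * power[0], acc[1] + u * power[1])
        power = tau_mul(power, (0, 1), mu)
    return acc

def frobenius_mul(digits, P, tau, add, neg, identity):
    """Left-to-right evaluation in the shape of Algorithm 9 with tau(Q) replacing 2Q.
    tau/add/neg are callables, so a curve implementation can be plugged in."""
    Q = identity
    for u in reversed(digits):
        Q = tau(Q)
        if u == 1:
            Q = add(Q, P)
        elif u == -1:
            Q = add(Q, neg(P))
    return Q

def is_nonadjacent(digits):
    return all(a == 0 or b == 0 for a, b in zip(digits, digits[1:]))

def expansion_length(k, a):
    """Digit count of the unreduced tau-NAF of the integer k on E_a, mu = (-1)^(1-a)."""
    return len(tau_naf(k, 0, (-1) ** (1 - a)))

def ring_mul_check(k, mu):
    """Run frobenius_mul with Z[tau] itself as the group and P = 1; must give k."""
    tau = lambda Q: tau_mul(Q, (0, 1), mu)
    add = lambda X, Y: (X[0] + Y[0], X[1] + Y[1])
    neg = lambda X: (-X[0], -X[1])
    return frobenius_mul(tau_naf(k, 0, mu), (1, 0), tau, add, neg, (0, 0))

if __name__ == "__main__":
    mu, k = 1, 123456789                            # curve E_1, constructed scalar
    digs = tau_naf(k, 0, mu)
    print(tau_eval(digs, mu) == (k, 0), is_nonadjacent(digs))
    print(k.bit_length(), expansion_length(k, 1))   # about twice as many digits
```

The doubling of the digit count is what steps 1 to 3 remove: reducing k modulo (τ^m − 1)/(τ − 1) replaces it by a ring element of norm about 2^m that acts identically on the curve, so the loop then runs for about m iterations, matching the m Frobenius evaluations and m/3 additions quoted above.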

6 Implementation issues

When implementing ECC, there are many factors that may guide the choices required in the implementation of a particular application. The factors include: security considerations (the ECDLP and security of the protocols), methods for implementing the finite field arithmetic, methods for computing elliptic scalar multiplications, the application platform (hardware or software), constraints of the computing environment (processor speed, code size, power consumption), and constraints of the communication environment (bandwidth, response time). Since these factors can have a major impact on the overall performance of the application, it is recommended that they all be taken together for better results.

Footnote 9: For hardware implementations, the squarings are much faster than multiplications.
Footnote 10: Routine 6 from [78] fails when a = 0 and w = 6. A new version of this routine was given in [80].

6.1 System setup

Setting up an elliptic curve cryptosystem requires several basic choices including:

• An underlying finite field F_q (e.g., q = p, q = 2^m or q = p^m, p > 3)
• A representation of the finite field elements (e.g., Montgomery residue for F_p, polynomial or normal basis for F_{2^m})
• Algorithms for implementing the finite field operations (e.g., Montgomery multiplication in F_p and F_{2^m}, the extended Euclidean algorithm and the almost inverse algorithm for computing multiplicative inverses)
• An appropriate elliptic curve over F_q (e.g., the NIST curves)
• Algorithms for implementing the elliptic curve operations (e.g., window methods in affine or projective coordinates)
• Elliptic curve protocols (e.g., ECDSA, ECDH)

By an appropriate elliptic curve, we mean an elliptic curve defined over the finite field F_q that resists all known attacks on the ECDLP. Specifically:

1. The number of points, #E(F_q), is divisible by a prime n that is sufficiently large to resist the parallelized Pollard-ρ attack [63] against general curves, and its improvements [24, 82] which apply to Koblitz curves.
2. #E(F_q) ≠ q, to resist the following attacks: Semaev [74], Smart [76], and Satoh-Araki [68].
3. n does not divide q^k − 1 for all 1 ≤ k ≤ 30, to resist the Weil pairing attack [55] and the Tate pairing attack [22].
4. All binary fields F_{2^m} chosen have the property that m is prime, to resist recent attacks [23, 25] on elliptic curves defined over F_{2^m} where m is composite.

Examples of appropriate curves to be used in real world cryptosystems are given in [59] and [26].
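The four acceptance conditions above, which answer the attacks listed in Section 4, as a small parameter checker; this is an added example and not code from the report. It takes the public quantities q, #E(F_q), n and (for binary fields) m, and reports which conditions hold. The toy curve over F_17 with 19 points and the Miller-Rabin primality routine are constructed for illustration; the extension degrees 163, 233 and 283 are the ones the report's implementation uses.

```python
# Added example (not from the report): the Section 6.1 curve-acceptance checks.
import math

def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n below about 3.3e24."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in small:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2; s += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def embedding_degree(q, n, limit=30):
    """Smallest k <= limit with n | q^k - 1, or None (MOV / Frey-Rueck condition 3)."""
    for k in range(1, limit + 1):
        if pow(q, k, n) == 1:
            return k
    return None

def rho_cost_bits(n):
    """log2 of the sqrt(pi*n)/2 group operations of Pollard-rho with the negation map."""
    return 0.5 * (math.log2(math.pi) + math.log2(n)) - 1

def check_curve(q, order, n, m=None, min_rho_bits=80, max_cofactor=4):
    """Evaluate conditions 1-4 of Section 6.1; returns one boolean per condition."""
    h, rem = divmod(order, n)
    return {
        # condition 1: prime subgroup with small cofactor (Pohlig-Hellman) ...
        "prime_subgroup": rem == 0 and is_prime(n) and h <= max_cofactor,
        # ... and large enough that Pollard-rho is out of reach
        "rho_resistant": rho_cost_bits(n) >= min_rho_bits,
        # condition 2: not anomalous (Semaev / Smart / Satoh-Araki)
        "not_anomalous": order != q,
        # condition 3: no small embedding degree (Weil / Tate pairing)
        "mov_resistant": embedding_degree(q, n) is None,
        # condition 4: prime extension degree for binary fields (Weil descent)
        "prime_extension": m is None or is_prime(m),
    }

if __name__ == "__main__":
    # Toy curve y^2 = x^3 + 2x + 2 over F_17 with 19 points (constructed): fails on size
    print(check_curve(17, 19, 19))
    print([is_prime(m) for m in (163, 233, 283)])
```

On the toy parameters the subgroup and anomaly checks pass but the size and embedding-degree checks fail (17 has order 9 modulo 19, so n divides 17^9 − 1), which is exactly the kind of curve the list is meant to exclude.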

6.2 Previous software implementations of ECC

In the last five years, there have been many reported software implementations of elliptic curves over finite fields. Most of these implementations focus on a single cryptographic application, such as designing a fast implementation of ECDSA for one particular finite field. Typical examples of finite fields used in these implementations are F_{2^155} [70], F_{2^167} [13], F_{2^176} [28, 7], F_{2^191} [19], F_p (p a 160-bit prime) [30], F_p (p a 192-bit prime) [19], and F_{(2^63 − 25)^3} [9]. In [49], we have compiled timing results of several reported software implementations of ECC. In this section, we summarize three examples of software implementations of ECC on general purpose computers.

• Schroeppel et al. [70] reported an implementation of an elliptic curve analogue of the Diffie-Hellman key exchange algorithm over F_{2^155} with a trinomial basis representation. A detailed description of the finite field arithmetic in F_{2^155} is provided, including a fast method for computing reciprocals, called the almost inverse algorithm. An improved method for doubling an elliptic curve point is also presented. Two computer architectures were used to measure performance, a Sun SPARC-IPC (25 MHz), with 32-bit word size, and a DEC Alpha 3000 (175 MHz), with a 64-bit word size. The implementation was written in C with several programming tricks. The performance results are given in Table 2.

Field and curve operations over F_{2^155}    SPARC IPC      Alpha
Squaring                                           11.9       0.64
Multiplication                                    116.4       7.59
Inversion                                         280.1      25.21
ECDH key exchange                             137,000     11,500
DH key exchange (512 bits)                  2,670,000    185,000

Table 2: Timings (in microseconds) for finite field and elliptic curve operations.

• De Win et al. [19] described an implementation of ECDSA, for both F_p and F_{2^m}, and made comparisons with other signature algorithms such as RSA and DSA. The platform used was a Pentium-Pro 200 MHz running Windows NT 4.0 and using MSVC 4.2 and maximal optimization. The code for RSA and DSA was written in C, using macros in assembly language. The elliptic curve code was mainly written in C++ and for F_p the same multi-precision routines in C were called as for RSA and DSA. The modulus for both RSA and DSA was 1024 bits long. For the elliptic curves, the field sizes for F_p and F_{2^m} were approximately 191 bits. Table 3 summarizes the results of their implementation.

                          ECDSA F_{2^m}   ECDSA F_p    RSA      DSA
Key generation                11.7            5.5     1 sec.   22.7
Signature                     11.3            6.3     43.3     23.6
Verification                  60             26        0.65    28.3
Scalar multiplication         50             21.1      -        -

Table 3: Timing comparison of ECDSA, DSA, and RSA signature operations. All timings in milliseconds, unless otherwise indicated.

• Bailey and Paar [9] introduced a new type of finite fields which can be used to achieve a fast software implementation of elliptic curve cryptosystems. This class of finite fields, called Optimal Extension Fields (OEF), is of the form F_{p^m}, where p is a prime of special form and m a positive integer. The OEFs take advantage of the fast integer arithmetic found on modern RISC workstation processors. The authors provided a list of OEFs suitable for processors with 8, 16, 32 and 64-bit word sizes. In [10], the same authors presented further improved algorithms for the finite field arithmetic, and timing results of their elliptic curve implementation on several platforms. Two Alpha workstations, DEC 21064 and 21164A, and a 233 MHz Intel Pentium/MMX PC were used to measure performance. The implementation for the workstations was written in optimized C, resorting to assembly to perform polynomial multiplications; the implementation for the PC was written entirely in C. The sizes of the chosen finite fields were approximately 183 bits. Table 4 presents the timings to perform an elliptic scalar multiplication of an arbitrary point.

Operation   Alpha 21064 (150 MHz)   Alpha 21164A (600 MHz)   Pentium/MMX (233 MHz)
kP                  7.0                     1.09                     13.1

Table 4: Timings (in milliseconds) for an elliptic scalar multiplication.

6.3 An example of a software implementation of ECC

In this section we present some details of the ECC software implementation reported in [14]. This paper describes an experience with porting PGP to the Research in Motion (RIM) two-way pager, and incorporating ECC into PGP.

• Finite fields: F_{2^m}, m = 163, 233, 283.
• Representation: A polynomial basis was used for each finite field, with the following reduction polynomials: x^163 + x^7 + x^6 + x^3 + 1 for F_{2^163}, x^233 + x^74 + 1 for F_{2^233} and x^283 + x^12 + x^7 + x^6 + 1 for F_{2^283}.
• Algorithms for the finite field arithmetic: The squaring operation was sped up by using a table lookup of 512 bytes. The multiplication operation was carried out by the algorithm described in [50]. The inverse operation was carried out by the extended Euclidean algorithm.
• Curves: The Koblitz and random curves over F_{2^163}, F_{2^233} and F_{2^283} were selected from the list of NIST recommended curves [59].
• Algorithms for the elliptic curve group: For random curves, the method given in [48] was implemented for computing scalar multiplications when P is an arbitrary point. Lim/Lee's method [54], with 16 points of precomputation, was implemented using the projective coordinates given in [47] for computing scalar multiplications when P is a known point (e.g., for signing). For a Koblitz curve, Solinas' methods [78] were implemented using projective coordinates, with width w = 5 for random points, and w = 6 for a known point (in this case, 16 points of precomputation are required).
• EC protocols: The protocols implemented were ECDSA and ECAES.
• Multi-precision library: The library b from OpenSSL [64], written entirely in C, was used to perform the modular arithmetic operations required in the elliptic curve protocols as well as in Solinas' methods.
• Platforms: A Pentium II 400 MHz and a RIM pager 10 MHz.
• Language: The implementation was written entirely in C.
• RSA: The RSA code, written entirely in C, was taken from the OpenSSL library.
• Timings: The performance results provided are only for the case m = 163 (see [14] for more timings). Table 5 shows the timings for finite field operations in F_{2^163}.

Operations in F_{2^163}    Pentium II 400 MHz    RIM pager 10 MHz
Squaring                          0.41                  100
Multiplication                    2.97                1,515
Inversion                        31.23               12,500

Table 5: Timings (in microseconds) for finite field operations in F_{2^163}.

The performance results for the ECC operations using Koblitz and random curves over F_{2^163} are summarized in Table 6. Timings for RSA operations, with a modulus of 1024 bits, are given in Table 7.

                     Koblitz curve over F_{2^163}    Random curve over F_{2^163}
                     RIM pager        P II           RIM pager        P II
Key generation          751           1.47             1,085          2.12
ECAES encrypt         1,759           4.37             3,132          6.67
ECAES decrypt         1,065           2.85             2,114          4.69
ECDSA signing         1,011           2.11             1,335          2.64
ECDSA verifying       1,826           4.09             3,243          6.46

Table 6: Timings (in milliseconds) for ECC operations over F_{2^163}.

1024-bit modulus                RIM pager    Pentium II
RSA key generation               580,405      2,740.87
RSA encrypt (e = 3)                  533          2.70
RSA encrypt (e = 2^16 + 1)         1,241          5.34
RSA decrypt                       15,901         67.32
RSA signing                       15,889         66.56
RSA verifying (e = 3)                301          1.23
RSA verifying (e = 2^16 + 1)       1,008          3.86

Table 7: Timings (in milliseconds) for 1024-bit RSA operations.

• Conclusions: Since the two systems RSA-1024 and ECC-163 have a comparable level of security, the following conclusions can be drawn from the timings:
  – RSA public-key operations (encryption and signature verification) are faster than ECC public-key operations.
  – ECC private-key operations (decryption and signature generation) are faster than RSA private-key operations.
  – Koblitz curves perform better than random curves, especially for encrypting and verifying.
  – With respect to the PGP operations Signing-and-encrypting and Verifying-and-decrypting, the performance of ECC (Koblitz curves) is about five times the performance of RSA on the RIM pager.

7 Con lusions
In this paper, we have presented an overview of the main ideas behind the publi -key te h-
nology based on ellipti urves. We have fo used on algorithms for software implementation
of ellipti urves de ned over the binary eld F 2m . We have also presented a summary of
the fastest software implementations of ECC reported on general purpose omputers.

8 A knowledgments
The authors wish to thank Guido Araujo, Claudio Lu hesi, Alfred Menezes, Daniel Panario
and Routo Terada for many helpful omments and suggestions.

Referen es
[1℄ M. Abdalla, M. Bellare and P. Rogaway. \DHAES: An en ryption s heme on the DiÆe-
Hellman problem", preprint 1999. http://www- se.u sd.edu/users/mihir/
[2℄ G. B. Agnew, R. C. Mullin and S. A. Vanstone, \An implementation of ellipti urve
ryptosystems over F 2155 ", IEEE journal on sele ted areas in ommuni ations, Vol 11,
No. 5, pp. 804-813, 1993.
[3℄ ANSI X9.62, \The ellipti urve digital signature algorithm (ECDSA)", Ameri an
Bankers Asso iation, 1999.
[4℄ ANSI X9.63, \Ellipti urve key agreement and key transport proto ols", Ameri an
Bankers Asso iation, working draft, August 1999.
An Overview of Ellipti Curve Cryptography 29

[5] K. Araki, T. Satoh and S. Miura, "Overview of elliptic curve cryptography". In Proceedings of Public-key Cryptography, LNCS 1431, pp. 29-49, Springer-Verlag, 1999.
[6] D. Ash, I. Blake and S. Vanstone, "Low complexity normal bases", Discrete Applied Mathematics, 25, pp. 191-210, 1989.
[7] M. Aydos, E. Savas, and C. K. Koc, "Implementing network security protocols based on elliptic curve cryptography", Proceedings of the Fourth Symposium on Computer Networks, pp. 130-139, Istanbul, Turkey, May 20-21, 1999.
[8] R. Balasubramanian and N. Koblitz, "The improbability that an elliptic curve has a sub-exponential discrete log problem under the Menezes-Okamoto-Vanstone algorithm", Journal of Cryptology, 11, pp. 141-145, 1998.
[9] Daniel Bailey and Christof Paar, "Optimal extension fields for fast arithmetic in public-key algorithms". In Crypto'98, LNCS 1462, pp. 472-485, Springer-Verlag, 1998.
[10] Daniel Bailey and Christof Paar, "Inversion in optimal extension fields", Proceedings of the Conference on The Mathematics of Public Key Cryptography, Toronto, Canada, June 12-17, 1999.
[11] Blackberry, http://www.blackberry.net
[12] I. Blake, G. Seroussi, and N. Smart, Elliptic Curves in Cryptography, Cambridge University Press, 1999.
[13] Bogdan Antonescu, Elliptic Curve Cryptosystems on Embedded Microprocessors, Master's thesis, ECE Dept., Worcester Polytechnic Institute, Worcester, USA, May 1999.
[14] M. Brown, D. Cheung, D. Hankerson, J. Lopez, M. Kirkup and A. Menezes, "PGP in constrained wireless devices", Proceedings of the 9th USENIX Security Symposium, August 2000, to appear.
[15] Certicom, "ECC Challenge", details available at http://www.certicom.com/chal/
[16] H. Cohen, A. Miyaji, and T. Ono, "Efficient elliptic curve exponentiation using mixed coordinates", In Asiacrypt'98, LNCS 1514, pp. 51-65, Springer-Verlag, 1998.
[17] Biljana Cubaleska, Andreas Rieke, and Thomas Hermann, "Improving and extending the Lim/Lee exponentiation algorithm", Proceedings of SAC'99, LNCS, to appear.
[18] E. De Win, A. Bosselaers, S. Vanderberghe, P. De Gersem and J. Vandewalle, "A fast software implementation for arithmetic operations in GF(2^n)", Advances in Cryptology, Proc. Asiacrypt'96, LNCS 1163, pp. 65-76, Springer-Verlag, 1996.
[19] E. De Win, S. Mister, B. Preneel and M. Wiener, "On the performance of signature based on elliptic curves". In Algorithmic Number Theory, Proceedings Third Intern. Symp., ANTS-III, LNCS 1423, pp. 252-266, Springer-Verlag, 1998.
[20] W. Diffie and M. Hellman, "New directions in cryptography". IEEE Transactions on Information Theory, 22, pp. 644-654, 1976.
[21] T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete logarithms". IEEE Transactions on Information Theory, 31, pp. 469-472, 1985.
[22] G. Frey and H. Rück, "A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves", Mathematics of Computation, 62, pp. 865-874, 1994.
[23] S. Galbraith and N. Smart, "A cryptographic application of Weil descent", Codes and Cryptography, LNCS 1746, pp. 191-200, Springer-Verlag, 1999.
[24] R. Gallant, R. Lambert and S. Vanstone, "Improving the parallelized Pollard lambda search on binary anomalous curves", to appear in Mathematics of Computation.
[25] P. Gaudry, F. Hess and N. Smart, "Constructive and destructive facets of Weil descent on elliptic curves", preprint, January 2000. Available at http://www.hpl.hp.com/techreports/2000/HPL-2000-10.html
[26] GEC 1, "Recommended elliptic curve domain parameters", Standards for Efficient Cryptography Group, September 1999. Working draft. Available at http://www.secg.org/
[27] D. M. Gordon, "A survey of fast exponentiation methods", Journal of Algorithms, 27, pp. 129-146, 1998.
[28] J. Guajardo and C. Paar, "Efficient algorithms for elliptic curve cryptosystems", Advances in Cryptology, Proc. Crypto'97, LNCS 1294, pp. 342-356, Springer-Verlag, 1997.
[29] D. Hankerson, J. Lopez and A. Menezes, "Software implementations of elliptic curve cryptography over fields of characteristic two", draft, 2000.
[30] T. Hasegawa, J. Nakajima and M. Matsui, "A practical implementation of elliptic curve cryptosystems over GF(p) on a 16-bit microcomputer", Public Key Cryptography - Proceedings of PKC'98, LNCS 1431, pp. 182-194, Springer-Verlag, 1998.
[31] IEEE P1363, "Standard specifications for public-key cryptography", ballot draft, 1999. Drafts available at http://grouper.ieee.org/groups/1363
[32] K. Itoh, M. Takenaka, N. Torii, S. Temma, and Y. Kurihara, "Fast implementation of public-key cryptography on a DSP TMS320C6201", In Proceedings of the First Workshop on Cryptographic Hardware and Embedded Systems (CHES'99), LNCS 1717, pp. 61-72, Springer-Verlag, 1999.
[33] D. Johnson and A. Menezes, "The elliptic curve digital signature algorithm (ECDSA)", Technical report CORR 99-06, Department of Combinatorics & Optimization, University of Waterloo, 1999. Available at http://www.cacr.math.uwaterloo.ca/
[34] E. W. Knudsen, "Elliptic scalar multiplication using point halving", In Asiacrypt'99, LNCS 1716, pp. 135-149, Springer-Verlag, 1999.
[35] D. E. Knuth, The Art of Computer Programming, Vol. 2: Seminumerical Algorithms, Addison-Wesley, 2nd edition, 1981.
[36] N. Koblitz, "Elliptic curve cryptosystems", Mathematics of Computation, 48, pp. 203-209, 1987.
[37] N. Koblitz, "CM-curves with good cryptographic properties". In Advances in Cryptology: Crypto'91, LNCS 576, pp. 279-287, Springer-Verlag, 1992.
[38] N. Koblitz, A Course in Number Theory and Cryptography, 2nd edition, Springer-Verlag, 1994.
[39] P. Kocher, "Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems", Advances in Cryptology - CRYPTO'96, LNCS 1109, pp. 104-113, Springer-Verlag, 1996.
[40] N. Koblitz, A. J. Menezes, and S. Vanstone, "The state of elliptic curve cryptography", Designs, Codes, and Cryptography, 19, pp. 173-193, 2000.
[41] C. K. Koc, "High-Speed RSA implementation", TR 201, RSA Laboratories, 73 pages, November 1994.
[42] K. Koyama and Y. Tsuruoka, "Speeding up elliptic cryptosystems by using a signed binary window method", In Advances in Cryptology - CRYPTO'92, LNCS 740, pp. 345-357, Springer-Verlag, 1992.
[43] H. Krawczyk, M. Bellare and R. Canetti, "HMAC: Keyed-hashing for message authentication", Internet RFC 2104, February 1997.
[44] A. Lenstra and E. Verheul, "Selecting cryptographic key sizes", Proceedings of PKC 2000, LNCS 1751, pp. 446-465, Springer-Verlag, 2000.
[45] LiDIA Group, LiDIA v1.3 - A library for computational number theory, TH Darmstadt, 1998.
[46] C. H. Lim and P. J. Lee, "More flexible exponentiation with precomputation", In Advances in Cryptology - CRYPTO'94, LNCS 839, pp. 95-107, Springer-Verlag, 1994.
[47] J. Lopez and R. Dahab, "Improved algorithms for elliptic curve arithmetic in GF(2^n)", SAC'98, LNCS 1556, pp. 201-212, Springer-Verlag, 1998.
[48] J. Lopez and R. Dahab, "Fast multiplication on elliptic curves over GF(2^m) without precomputation", Proceedings of the First Workshop on Cryptographic Hardware and Embedded Systems (CHES'99), LNCS 1717, pp. 316-327, Springer-Verlag, 1999.
[49] J. Lopez and R. Dahab, "Performance of elliptic curve cryptosystems", Technical report IC-00-08, May 2000. Available at http://www.dcc.unicamp.br/ic-main/publications-e.html
[50] J. Lopez and R. Dahab, "High-speed software multiplication in F_{2^m}", Technical report IC-00-09, May 2000. Available at http://www.dcc.unicamp.br/ic-main/publications-e.html
[51] R. J. McEliece, Finite Fields for Computer Scientists and Engineers, Kluwer Academic Publishers, 1987.
[52] A. Menezes, Elliptic Curve Public Key Cryptosystems, Kluwer Academic Publishers, 1993.
[53] A. Menezes and S. Vanstone, "Elliptic curve cryptosystems and their implementation", Journal of Cryptology, 6, pp. 209-224, 1993.
[54] A. Menezes, P. van Oorschot and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997.
[55] A. Menezes, T. Okamoto and S. Vanstone, "Reducing elliptic curve logarithms to logarithms in a finite field", IEEE Transactions on Information Theory, 39, pp. 1639-1646, 1993.
[56] V. Miller, "Uses of elliptic curves in cryptography", Advances in Cryptology: Proceedings of Crypto'85, LNCS 218, pp. 417-426, New York: Springer-Verlag, 1986.
[57] P. Montgomery, "Speeding the Pollard and elliptic curve methods of factorization", Mathematics of Computation, vol 48, pp. 243-264, 1987.
[58] R. Mullin, I. Onyszchuk, S. Vanstone and R. Wilson, "Optimal normal bases in GF(p^n)", Discrete Applied Mathematics, 22, pp. 149-161, 1988/89.
[59] National Institute of Standards and Technology, "Digital Signature Standard", FIPS Publication 186-2, February 2000. Available at http://csrc.nist.gov/fips
[60] National Institute of Standards and Technology, "Secure Hash Standard (SHS)", FIPS Publication 180-1, April 1995. Available at http://csrc.nist.gov/fips
[61] S. C. Pohlig and M. E. Hellman, "An improved algorithm for computing logarithms over GF(p) and its cryptographic significance", IEEE Transactions on Information Theory, 24, pp. 106-110, 1978.
[62] J. Pollard, "Monte Carlo methods for index computation mod p", Mathematics of Computation, 32, pp. 918-924, 1978.
[63] P. van Oorschot and M. Wiener, "Parallel collision search with cryptanalytic applications", Journal of Cryptology, 12, pp. 1-28, 1999.
[64] OpenSSL, http://www.openssl.org
[65] G. Reitwiesner, "Binary arithmetic", Advances in Computers, 1, pp. 231-308, 1960.
[66] R. Rivest, A. Shamir and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems", Communications of the ACM, 21, pp. 120-126, February 1978.
[67] M. Rosing, Implementing Elliptic Curve Cryptography, Manning Publications, Greenwich, CT, 1999.
[68] T. Satoh and K. Araki, "Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves", Commentarii Mathematici Universitatis Sancti Pauli, 47, pp. 81-92, 1998.
[69] R. Schoof, "Elliptic curves over finite fields and the computation of square roots mod p", Math. Comp., 44, pp. 483-494, 1985.
[70] R. Schroeppel, H. Orman, S. O'Malley and O. Spatscheck, "Fast key exchange with elliptic curve systems", Advances in Cryptology, Proc. Crypto'95, LNCS 963, pp. 43-56, Springer-Verlag, 1995.
[71] R. Schroeppel, H. Orman, S. O'Malley and O. Spatscheck, "Fast key exchange with elliptic curve systems", University of Arizona, C. S., Tech. report 95-03, 1995.
[72] R. Schroeppel, "Faster elliptic calculations in GF(2^n)", preprint, March 6, 1998.
[73] SEC 1, "Elliptic curve cryptography", Standards for Efficient Cryptography Group, September 1999. Working Draft. Available at http://www.secg.org
[74] I. Semaev, "Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p", Mathematics of Computation, 67, pp. 353-356, 1998.
[75] G. Seroussi, "Compact representation of elliptic curve points over F_{2^m}", Hewlett-Packard Laboratories, Technical report No. HPL-98-135, August 1998.
[76] N. Smart, "The discrete logarithm problem on elliptic curves of trace one", Journal of Cryptology, 12, pp. 193-196, 1999.
[77] J. Solinas, "An improved algorithm for arithmetic on a family of elliptic curves", Advances in Cryptology, Proc. Crypto'97, LNCS 1294, B. Kaliski, Ed., Springer-Verlag, pp. 357-371, 1997.
[78] J. Solinas, "An improved algorithm for arithmetic on a family of elliptic curves (revised)", Technical report CORR 99-06, Department of Combinatorics & Optimization, University of Waterloo, 1999. Available at http://www.cacr.math.uwaterloo.ca/
[79] J. Solinas, "Generalized Mersenne numbers", Technical report CORR 99-06, Department of Combinatorics & Optimization, University of Waterloo, 1999. Available at http://www.cacr.math.uwaterloo.ca/
[80] J. Solinas, "Efficient arithmetic on Koblitz curves", Designs, Codes and Cryptography, 19, pp. 195-249, 2000.
[81] S. Vanstone, "Responses to NIST's proposal", Communications of the ACM, 35, pp. 50-52, (communicated by John Anderson), July 1992.
[82] M. Wiener and R. Zuccherato, "Faster attacks on elliptic curve cryptosystems", Selected Areas in Cryptography'98, LNCS 1556, pp. 190-200, Springer-Verlag, 1998.