Abstract
Since the introduction of public-key cryptography by Diffie and Hellman in 1976, the potential for the use of the discrete logarithm problem in public-key cryptosystems has been recognized. Although the discrete logarithm problem as first employed by Diffie and Hellman was defined explicitly as the problem of finding logarithms with respect to a generator in the multiplicative group of the integers modulo a prime, this idea can be extended to arbitrary groups and, in particular, to elliptic curve groups. The resulting public-key systems provide relatively small block size, high speed, and high security. This paper surveys the development of elliptic curve cryptosystems from their inception in 1985 by Koblitz and Miller to present day implementations.
References
L. Adleman, J. DeMarrais and M. Huang, A subexponential algorithm for discrete logarithms over the rational subgroup of the jacobians of large genus hyperelliptic curves over finite fields, Algorithmic Number Theory, Lecture Notes in Computer Science, Springer-Verlag, 877 (1994) pp. 28–40.
G. Agnew, R. Mullin, I. Onyszchuk and S. Vanstone, An implementation for a fast public-key cryptosystem, Journal of Cryptology, Vol. 3 (1991) pp. 63–79.
G. Agnew, R. Mullin and S. Vanstone, An implementation of elliptic curve cryptosystems over $F_{2^{155}}$, IEEE Journal on Selected Areas in Communications, Vol. 11 (1993) pp. 804–813.
D. Bailey and C. Paar, Optimal extension fields for fast arithmetic in public-key algorithms, Advances in Cryptology-CRYPTO '98, Lecture Notes in Computer Science, Springer-Verlag, 1462 (1998) pp. 472–485.
R. Balasubramanian and N. Koblitz, The improbability that an elliptic curve has subexponential discrete log problem under the Menezes-Okamoto-Vanstone algorithm, Journal of Cryptology, Vol. 11 (1998) pp. 141–145.
M. Blaze, W. Diffie, R. Rivest, B. Schneier, T. Shimomura, E. Thompson, and M. Wiener, Minimal key lengths for symmetric ciphers to provide adequate commercial security, January 1996, available from http://theory.lcs.mit.edu/~rivest/publications.html.
D. Bleichenbacher, On the security of the KMOV public key cryptosystem, Advances in Cryptology-CRYPTO '97, Lecture Notes in Computer Science, Springer-Verlag, 1294 (1997) pp. 235–248.
D. Boneh and R. Lipton, Algorithms for black-box fields and their applications to cryptography, Advances in Cryptology-CRYPTO '96, Lecture Notes in Computer Science, Springer-Verlag, 1109 (1996) pp. 283–297.
J. Buchmann and H. Williams, A key-exchange system based on imaginary quadratic fields, Journal of Cryptology, Vol. 1 (1988) pp. 107–118.
L. Charlap and D. Robbins, An Elementary Introduction to Elliptic Curves, CRD Expository Report No. 31, Institute for Defense Analysis, Princeton (December 1988).
L. Charlap and D. Robbins, An Elementary Introduction to Elliptic Curves II, CRD Expository Report No. 34, Institute for Defense Analysis, Princeton (December 1988).
D. Coppersmith, Fast evaluation of logarithms in fields of characteristic two, IEEE Transactions on Information Theory, Vol. 30 (1984) pp. 587–594.
R. Crandall, Method and apparatus for public key exchange in a cryptographic system, U.S. patent number 5,159,632 (October 1992).
W. Diffie and M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, Vol. 22 (1976) pp. 644–654.
Y. Driencourt and J. Michon, Elliptic codes over a field of characteristic 2, Journal of Pure and Applied Algebra, Vol. 45 (1987) pp. 15–39.
T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Transactions on Information Theory, Vol. 31 (1985) pp. 469–472.
G. Frey and H. Rück, A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves, Mathematics of Computation, Vol. 62 (1994) pp. 865–874.
R. Gallant, R. Lambert and S. Vanstone, Improving the parallelized Pollard lambda search on binary anomalous curves, to appear in Mathematics of Computation.
G. van der Geer, Codes and elliptic curves, Effective Methods in Algebraic Geometry, Birkhäuser (1991) pp. 159–168.
S. Goldwasser and J. Kilian, Almost all primes can be quickly certified, Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing, (1986) pp. 316–329.
D. Gordon, Discrete logarithms in GF(p) using the number field sieve, SIAM Journal on Discrete Mathematics, Vol. 6 (1993) pp. 124–138.
J. Guajardo and C. Paar, Efficient algorithms for elliptic curve cryptosystems, Advances in Cryptology-CRYPTO '97, Lecture Notes in Computer Science, Springer-Verlag, 1294 (1997) pp. 342–356.
G. Harper, A. Menezes and S. Vanstone, Public-key cryptosystems with very small key lengths, Advances in Cryptology-EUROCRYPT '92, Lecture Notes in Computer Science, Springer-Verlag, 658 (1993) pp. 163–173.
P. Ivey, S. Walker, J. Stern and S. Davidson, An ultra-high speed public key encryption processor, Proceedings of IEEE Custom Integrated Circuits Conference, Boston (1992) 19.6.1–19.6.4.
M. Jacobson, N. Koblitz, J. Silverman, A. Stein and E. Teske, Analysis of the xedni calculus attack, to appear in Designs, Codes and Cryptography.
B. Kaliski, A pseudorandom bit generator based on elliptic logarithms, Advances in Cryptology-CRYPTO '86, Lecture Notes in Computer Science, Springer-Verlag, 293 (1987) pp. 84–103.
B. Kaliski, One-way permutations on elliptic curves, Journal of Cryptology, Vol. 3 (1991) pp. 187–199.
B. Kaliski, A chosen message attack on Demytko's elliptic curve cryptosystem, Journal of Cryptology, Vol. 10 (1997) pp. 71–72.
N. Koblitz, Elliptic curve cryptosystems, Mathematics of Computation, Vol. 48 (1987) pp. 203–209.
N. Koblitz, Primality of the number of points on an elliptic curve over a finite field, Pacific Journal of Mathematics, Vol. 131 (1988) pp. 157–165.
N. Koblitz, Hyperelliptic cryptosystems, Journal of Cryptology, Vol. 1 (1989) pp. 139–150.
N. Koblitz, Constructing elliptic curve cryptosystems in characteristic 2, Advances in Cryptology-CRYPTO '90, Lecture Notes in Computer Science, Springer-Verlag, 537 (1991) pp. 156–167.
N. Koblitz, Elliptic curve implementation of zero-knowledge blobs, Journal of Cryptology, Vol. 4 (1991) pp. 207–213.
N. Koblitz, CM-curves with good cryptographic properties, Advances in Cryptology-CRYPTO '91, Lecture Notes in Computer Science, Springer-Verlag, 576 (1992) pp. 279–287.
N. Koblitz, Introduction to Elliptic Curves and Modular Forms, 2nd edition, Springer-Verlag (1993).
N. Koblitz, A Course in Number Theory and Cryptography, 2nd edition, Springer-Verlag (1994).
N. Koblitz, Algebraic Aspects of Cryptography, Springer-Verlag (1998).
K. Koyama, U. Maurer, T. Okamoto and S. Vanstone, New public-key schemes based on elliptic curves over the ring $Z_n$, Advances in Cryptology-CRYPTO '91, Lecture Notes in Computer Science, Springer-Verlag, 576 (1993) pp. 252–266.
K. Kurosawa, K. Okada and S. Tsujii, Low exponent attack against elliptic curve RSA, Advances in Cryptology-ASIACRYPT '94, Lecture Notes in Computer Science, Springer-Verlag, 917 (1995) pp. 376–383.
G. Lay and H. Zimmer, Constructing elliptic curves with given group order over large finite fields, Algorithmic Number Theory, Lecture Notes in Computer Science, Springer-Verlag, 877 (1994) pp. 250–263.
H. W. Lenstra, Factoring integers with elliptic curves, Annals of Mathematics, Vol. 126 (1987) pp. 649–673.
R. Lercier, Computing isogenies in $F_{2^n}$, Algorithmic Number Theory, Proceedings Second Intern. Symp., ANTS-II, (Henri Cohen, ed.), Lecture Notes in Computer Science, Springer-Verlag, 1122 (1996) pp. 197–212.
R. Lercier, Finding good random elliptic curves for cryptosystems defined over $F_{2^n}$, Advances in Cryptology-EUROCRYPT '97, Lecture Notes in Computer Science, Springer-Verlag, 1233 (1997) pp. 379–392.
R. Lercier and F. Morain, Counting the number of points on elliptic curves over finite fields: strategies and performances, Advances in Cryptology-EUROCRYPT '95, Lecture Notes in Computer Science, Springer-Verlag, 921 (1995) pp. 79–94.
B. Mazur, Modular curves and the Eisenstein ideal, Inst. Hautes Études Sci. Publ. Math., Vol. 47 (1977) pp. 33–186.
K. McCurley, A key distribution system equivalent to factoring, Journal of Cryptology, Vol. 1 (1988) pp. 95–105.
W. Meier and O. Staffelbach, Efficient multiplication on certain nonsupersingular elliptic curves, Advances in Cryptology-CRYPTO '92, Lecture Notes in Computer Science, Springer-Verlag, 740 (1993) pp. 333–344.
A. Menezes, Elliptic Curve Public Key Cryptosystems, Kluwer Academic Publishers, Boston (1993).
A. Menezes, T. Okamoto and S. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field, IEEE Transactions on Information Theory, Vol. 39 (1993) pp. 1639–1646.
A. Menezes and S. Vanstone, Elliptic curve cryptosystems and their implementation, Journal of Cryptology, Vol. 6 (1993) pp. 209–224.
J. F. Mestre, Formules explicites et minoration de conducteurs de variétés algébriques, Compositio Math., Vol. 58 (1986) pp. 209–232.
V. Miller, Uses of elliptic curves in cryptography, Advances in Cryptology-CRYPTO '85, Lecture Notes in Computer Science, Springer-Verlag, 218 (1986) pp. 417–426.
F. Morain, Building cyclic elliptic curves modulo large primes, Advances in Cryptology-EUROCRYPT '91, Lecture Notes in Computer Science, Springer-Verlag, 547 (1991) pp. 328–336.
V. Müller, S. Vanstone and R. Zuccherato, Discrete logarithm based cryptosystems in quadratic function fields of characteristic 2, Designs, Codes and Cryptography, Vol. 14 (1998) pp. 159–178.
R. Mullin, I. Onyszchuk, S. Vanstone and R. Wilson, Optimal normal bases in $GF(p^n)$, Discrete Applied Mathematics, Vol. 22 (1988/89) pp. 149–161.
National Institute for Standards and Technology, Digital signature standard, FIPS Publication 186 (1993).
National Institute for Standards and Technology, Secure hash standard, FIPS Publication 180–1 (1995).
A. Odlyzko, The future of integer factorization, CryptoBytes-The Technical Newsletter of RSA Laboratories, Vol. 1, No. 2 (Summer 1995) pp. 5–12.
P. van Oorschot and M. Wiener, Parallel collision search with application to hash functions and discrete logarithms, Proceedings of the 2nd ACM Conference on Computer and Communications Security, Fairfax, Virginia (2–4 November 1994) pp. 210–218.
P. van Oorschot and M. Wiener, Parallel collision search with cryptanalytic applications, Journal of Cryptology, Vol. 12 (1999) pp. 1–28.
R. Pinch, Extending the Wiener attack to RSA-type cryptosystems, Electronics Letters, Vol. 31 (1995) pp. 1736–1738.
S. Pohlig and M. Hellman, An improved algorithm for computing logarithms over GF(p) and its cryptographic significance, IEEE Transactions on Information Theory, Vol. 24 (1978) pp. 106–110.
J. Pollard, Monte Carlo methods for index computation mod p, Mathematics of Computation, Vol. 32 (1978) pp. 918–924.
T. Satoh and K. Araki, Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves, Commentarii Mathematici Universitatis Sancti Pauli, Vol. 47 (1998) pp. 81–92.
R. Scheidler, J. Buchmann and H. Williams, A key-exchange protocol using real quadratic fields, Journal of Cryptology, Vol. 7 (1994) pp. 171–199.
R. Scheidler, A. Stein and H. Williams, Key-exchange in real quadratic congruence function fields, Designs, Codes and Cryptography, Vol. 7 (1996) pp. 153–174.
O. Schirokauer, Discrete logarithms and local units, Philosophical Transactions of the Royal Society of London A, Vol. 345 (1993) pp. 409–423.
C. Schnorr, Efficient signature generation by smart cards, Journal of Cryptology, Vol. 4 (1991) pp. 161–174.
R. Schoof, Elliptic curves over finite fields and the computation of square roots mod p, Mathematics of Computation, Vol. 44 (1985) pp. 483–494.
R. Schoof, Nonsingular plane cubic curves, Journal of Combinatorial Theory, Series A, Vol. 46 (1987) pp. 183–211.
R. Schroeppel, H. Orman, S. O'Malley and O. Spatscheck, Fast key exchange with elliptic curve systems, Advances in Cryptology-CRYPTO '95, Lecture Notes in Computer Science, Springer-Verlag, 963 (1995) pp. 43–56.
I. Semaev, Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p, Mathematics of Computation, Vol. 67 (1998) pp. 353–356.
J. Silverman, The Arithmetic of Elliptic Curves, Springer-Verlag, New York (1986).
J. Silverman, Advanced Topics in the Arithmetic of Elliptic Curves, Springer-Verlag, New York (1994).
J. Silverman, The xedni calculus and the elliptic curve discrete logarithm problem, to appear in Designs, Codes and Cryptography.
J. Silverman and J. Suzuki, Elliptic curve discrete logarithms and the index calculus, to appear in Advances in Cryptology-ASIACRYPT '98, Lecture Notes in Computer Science, Springer-Verlag (1998).
N. Smart, The discrete logarithm problem on elliptic curves of trace one, to appear in Journal of Cryptology.
J. Solinas, An improved algorithm for arithmetic on a family of elliptic curves, Advances in Cryptology-CRYPTO '97, Lecture Notes in Computer Science, Springer-Verlag, 1294 (1997) pp. 357–371.
A. Stein, Equivalences between elliptic curves and real quadratic congruence function fields, Journal de Théorie des Nombres de Bordeaux, Vol. 9 (1997) pp. 75–95.
A. Stein, V. Müller and C. Thiel, Computing discrete logarithms in real quadratic congruence function fields of large genus, Mathematics of Computation, Vol. 68 (1999) pp. 807–822.
W. Waterhouse, Abelian varieties over finite fields, Ann. Sci. École Norm. Sup., 4e série, Vol. 2 (1969) pp. 521–560.
M. Wiener and R. Zuccherato, Fast attacks on elliptic curve cryptosystems, to appear in Fifth Annual Workshop on Selected Areas in Cryptography-SAC '98, Lecture Notes in Computer Science, Springer-Verlag (1999).
E. De Win, A. Bosselaers, S. Vandenberghe, P. De Gersem and J. Vandewalle, A fast software implementation for arithmetic operations in $GF(2^n)$, Advances in Cryptology-ASIACRYPT '96, Lecture Notes in Computer Science, Springer-Verlag, 1163 (1996) pp. 65–76.
E. De Win, S. Mister, B. Preneel and M. Wiener, On the performance of signature schemes based on elliptic curves, Algorithmic Number Theory, Proceedings Third Intern. Symp., ANTS-III (J. P. Buhler, ed.), Lecture Notes in Computer Science, Springer-Verlag, 1423 (1998) pp. 252–266.
R. Zuccherato, The equivalence between elliptic curve and quadratic function field discrete logarithms in characteristic 2, Algorithmic Number Theory, Proceedings Third Intern. Symp., ANTS-III (J. P. Buhler, ed.), Lecture Notes in Computer Science, Springer-Verlag, 1423 (1998) pp. 621–638.
Cite this article
Koblitz, N., Menezes, A. & Vanstone, S. The State of Elliptic Curve Cryptography. Designs, Codes and Cryptography 19, 173–193 (2000). https://doi.org/10.1023/A:1008354106356
DOI: https://doi.org/10.1023/A:1008354106356