P1: GCV
CY546/Blake-FM 052160415X October 19, 2004 14:14
LONDON MATHEMATICAL SOCIETY LECTURE NOTE SERIES
Managing Editor: Professor N.J. Hitchin, Mathematical Institute,
University of Oxford, 24–29 St Giles, Oxford OX1 3LB, United Kingdom
The titles below are available from booksellers, or from Cambridge University Press at www.cambridge.org
152 Oligomorphic permutation groups, P. CAMERON
153 L-functions and arithmetic, J. COATES & M.J. TAYLOR (eds)
155 Classification theories of polarized varieties, TAKAO FUJITA
158 Geometry of Banach spaces, P.F.X. MÜLLER & W. SCHACHERMAYER (eds)
159 Groups St Andrews 1989 volume 1, C.M. CAMPBELL & E.F. ROBERTSON (eds)
160 Groups St Andrews 1989 volume 2, C.M. CAMPBELL & E.F. ROBERTSON (eds)
161 Lectures on block theory, BURKHARD KÜLSHAMMER
163 Topics in varieties of group representations, S.M. VOVSI
164 Quasi-symmetric designs, M.S. SHRIKANDE & S.S. SANE
166 Surveys in combinatorics, 1991, A.D. KEEDWELL (ed)
168 Representations of algebras, H. TACHIKAWA & S. BRENNER (eds)
169 Boolean function complexity, M.S. PATERSON (ed)
170 Manifolds with singularities and the Adams-Novikov spectral sequence, B. BOTVINNIK
171 Squares, A.R. RAJWADE
172 Algebraic varieties, GEORGE R. KEMPF
173 Discrete groups and geometry, W.J. HARVEY & C. MACLACHLAN (eds)
174 Lectures on mechanics, J.E. MARSDEN
175 Adams memorial symposium on algebraic topology 1, N. RAY & G. WALKER (eds)
176 Adams memorial symposium on algebraic topology 2, N. RAY & G. WALKER (eds)
177 Applications of categories in computer science, M. FOURMAN, P. JOHNSTONE & A. PITTS (eds)
178 Lower K- and L-theory, A. RANICKI
179 Complex projective geometry, G. ELLINGSRUD et al
180 Lectures on ergodic theory and Pesin theory on compact manifolds, M. POLLICOTT
181 Geometric group theory I, G.A. NIBLO & M.A. ROLLER (eds)
182 Geometric group theory II, G.A. NIBLO & M.A. ROLLER (eds)
183 Shintani zeta functions, A. YUKIE
184 Arithmetical functions, W. SCHWARZ & J. SPILKER
185 Representations of solvable groups, O. MANZ & T.R. WOLF
186 Complexity: knots, colourings and counting, D.J.A. WELSH
187 Surveys in combinatorics, 1993, K. WALKER (ed)
188 Local analysis for the odd order theorem, H. BENDER & G. GLAUBERMAN
189 Locally presentable and accessible categories, J. ADAMEK & J. ROSICKY
190 Polynomial invariants of finite groups, D.J. BENSON
191 Finite geometry and combinatorics, F. DE CLERCK et al
192 Symplectic geometry, D. SALAMON (ed)
194 Independent random variables and rearrangement invariant spaces, M. BRAVERMAN
195 Arithmetic of blowup algebras, WOLMER VASCONCELOS
196 Microlocal analysis for differential operators, A. GRIGIS & J. SJÖSTRAND
197 Two-dimensional homotopy and combinatorial group theory, C. HOG-ANGELONI et al
198 The algebraic characterization of geometric 4-manifolds, J.A. HILLMAN
199 Invariant potential theory in the unit ball of C^n, MANFRED STOLL
200 The Grothendieck theory of dessins d'enfant, L. SCHNEPS (ed)
201 Singularities, JEAN-PAUL BRASSELET (ed)
202 The technique of pseudodifferential operators, H.O. CORDES
203 Hochschild cohomology of von Neumann algebras, A. SINCLAIR & R. SMITH
204 Combinatorial and geometric group theory, A.J. DUNCAN, N.D. GILBERT & J. HOWIE (eds)
205 Ergodic theory and its connections with harmonic analysis, K. PETERSEN & I. SALAMA (eds)
207 Groups of Lie type and their geometries, W.M. KANTOR & L. DI MARTINO (eds)
208 Vector bundles in algebraic geometry, N.J. HITCHIN, P. NEWSTEAD & W.M. OXBURY (eds)
209 Arithmetic of diagonal hypersurfaces over finite fields, F.Q. GOUVÊA & N. YUI
210 Hilbert C*-modules, E.C. LANCE
211 Groups 93 Galway/St Andrews I, C.M. CAMPBELL et al (eds)
212 Groups 93 Galway/St Andrews II, C.M. CAMPBELL et al (eds)
214 Generalised Euler-Jacobi inversion formula and asymptotics beyond all orders, V. KOWALENKO et al
215 Number theory 1992–93, S. DAVID (ed)
216 Stochastic partial differential equations, A. ETHERIDGE (ed)
217 Quadratic forms with applications to algebraic geometry and topology, A. PFISTER
218 Surveys in combinatorics, 1995, PETER ROWLINSON (ed)
220 Algebraic set theory, A. JOYAL & I. MOERDIJK
221 Harmonic approximation, S.J. GARDINER
222 Advances in linear logic, J.-Y. GIRARD, Y. LAFONT & L. REGNIER (eds)
223 Analytic semigroups and semilinear initial boundary value problems, KAZUAKI TAIRA
224 Computability, enumerability, unsolvability, S.B. COOPER, T.A. SLAMAN & S.S. WAINER (eds)
225 A mathematical introduction to string theory, S. ALBEVERIO et al
226 Novikov conjectures, index theorems and rigidity I, S. FERRY, A. RANICKI & J. ROSENBERG (eds)
227 Novikov conjectures, index theorems and rigidity II, S. FERRY, A. RANICKI & J. ROSENBERG (eds)
228 Ergodic theory of Z^d actions, M. POLLICOTT & K. SCHMIDT (eds)
229 Ergodicity for infinite dimensional systems, G. DA PRATO & J. ZABCZYK
230 Prolegomena to a middlebrow arithmetic of curves of genus 2, J.W.S. CASSELS & E.V. FLYNN
231 Semigroup theory and its applications, K.H. HOFMANN & M.W. MISLOVE (eds)
232 The descriptive set theory of Polish group actions, H. BECKER & A.S. KECHRIS
233 Finite fields and applications, S. COHEN & H. NIEDERREITER (eds)
234 Introduction to subfactors, V. JONES & V.S. SUNDER
235 Number theory 1993–94, S. DAVID (ed)
236 The James forest, H. FETTER & B. GAMBOA DE BUEN
237 Sieve methods, exponential sums, and their applications in number theory, G.R.H. GREAVES et al
238 Representation theory and algebraic geometry, A. MARTSINKOVSKY & G. TODOROV (eds)
240 Stable groups, FRANK O. WAGNER
241 Surveys in combinatorics, 1997, R.A. BAILEY (ed)
242 Geometric Galois actions I, L. SCHNEPS & P. LOCHAK (eds)
243 Geometric Galois actions II, L. SCHNEPS & P. LOCHAK (eds)
244 Model theory of groups and automorphism groups, D. EVANS (ed)
245 Geometry, combinatorial designs and related structures, J.W.P. HIRSCHFELD et al
246 p-Automorphisms of finite p-groups, E.I. KHUKHRO
247 Analytic number theory, Y. MOTOHASHI (ed)
248 Tame topology and o-minimal structures, LOU VAN DEN DRIES
249 The atlas of finite groups: ten years on, ROBERT CURTIS & ROBERT WILSON (eds)
250 Characters and blocks of finite groups, G. NAVARRO
251 Gröbner bases and applications, B. BUCHBERGER & F. WINKLER (eds)
252 Geometry and cohomology in group theory, P. KROPHOLLER, G. NIBLO, R. STÖHR (eds)
253 The q-Schur algebra, S. DONKIN
254 Galois representations in arithmetic algebraic geometry, A.J. SCHOLL & R.L. TAYLOR (eds)
255 Symmetries and integrability of difference equations, P.A. CLARKSON & F.W. NIJHOFF (eds)
256 Aspects of Galois theory, HELMUT VÖLKLEIN et al
257 An introduction to noncommutative differential geometry and its physical applications 2ed, J. MADORE
258 Sets and proofs, S.B. COOPER & J. TRUSS (eds)
259 Models and computability, S.B. COOPER & J. TRUSS (eds)
260 Groups St Andrews 1997 in Bath, I, C.M. CAMPBELL et al
261 Groups St Andrews 1997 in Bath, II, C.M. CAMPBELL et al
262 Analysis and logic, C.W. HENSON, J. IOVINO, A.S. KECHRIS & E. ODELL
263 Singularity theory, BILL BRUCE & DAVID MOND (eds)
264 New trends in algebraic geometry, K. HULEK, F. CATANESE, C. PETERS & M. REID (eds)
265 Elliptic curves in cryptography, I. BLAKE, G. SEROUSSI & N. SMART
267 Surveys in combinatorics, 1999, J.D. LAMB & D.A. PREECE (eds)
268 Spectral asymptotics in the semi-classical limit, M. DIMASSI & J. SJÖSTRAND
269 Ergodic theory and topological dynamics, M.B. BEKKA & M. MAYER
270 Analysis on Lie groups, N.T. VAROPOULOS & S. MUSTAPHA
271 Singular perturbations of differential operators, S. ALBEVERIO & P. KURASOV
272 Character theory for the odd order theorem, T. PETERFALVI
273 Spectral theory and geometry, E.B. DAVIES & Y. SAFAROV (eds)
274 The Mandelbrot set, theme and variations, TAN LEI (ed)
275 Descriptive set theory and dynamical systems, M. FOREMAN et al
276 Singularities of plane curves, E. CASAS-ALVERO
277 Computational and geometric aspects of modern algebra, M.D. ATKINSON et al
278 Global attractors in abstract parabolic problems, J.W. CHOLEWA & T. DLOTKO
279 Topics in symbolic dynamics and applications, F. BLANCHARD, A. MAASS & A. NOGUEIRA (eds)
280 Characters and automorphism groups of compact Riemann surfaces, THOMAS BREUER
281 Explicit birational geometry of 3-folds, ALESSIO CORTI & MILES REID (eds)
282 Auslander-Buchweitz approximations of equivariant modules, M. HASHIMOTO
283 Nonlinear elasticity, Y. FU & R.W. OGDEN (eds)
284 Foundations of computational mathematics, R. DEVORE, A. ISERLES & E. SÜLI (eds)
285 Rational points on curves over finite fields, H. NIEDERREITER & C. XING
286 Clifford algebras and spinors 2ed, P. LOUNESTO
287 Topics on Riemann surfaces and Fuchsian groups, E. BUJALANCE, A.F. COSTA & E. MARTÍNEZ (eds)
288 Surveys in combinatorics, 2001, J. HIRSCHFELD (ed)
289 Aspects of Sobolev-type inequalities, L. SALOFF-COSTE
290 Quantum groups and Lie theory, A. PRESSLEY (ed)
291 Tits buildings and the model theory of groups, K. TENT (ed)
292 A quantum groups primer, S. MAJID
293 Second order partial differential equations in Hilbert spaces, G. DA PRATO & J. ZABCZYK
294 Introduction to the theory of operator spaces, G. PISIER
295 Geometry and integrability, LIONEL MASON & YAVUZ NUTKU (eds)
296 Lectures on invariant theory, IGOR DOLGACHEV
297 The homotopy category of simply connected 4-manifolds, H.-J. BAUES
299 Kleinian groups and hyperbolic 3-manifolds, Y. KOMORI, V. MARKOVIC, & C. SERIES (eds)
300 Introduction to Möbius differential geometry, UDO HERTRICH-JEROMIN
301 Stable modules and the D(2)-problem, F.E.A. JOHNSON
302 Discrete and continuous nonlinear Schrödinger systems, M.J. ABLOWITZ, B. PRINARI, & A.D. TRUBATCH
303 Number theory and algebraic geometry, MILES REID & ALEXEI SKOROBOGATOV (eds)
304 Groups St Andrews 2001 in Oxford Vol. 1, COLIN CAMPBELL, EDMUND ROBERTSON & GEOFF SMITH (eds)
305 Groups St Andrews 2001 in Oxford Vol. 2, C.M. CAMPBELL, E.F. ROBERTSON & G.C. SMITH (eds)
307 Surveys in combinatorics 2003, C.D. WENSLEY (ed)
309 Corings and comodules, TOMASZ BRZEZINSKI & ROBERT WISBAUER
310 Topics in dynamics and ergodic theory, SERGEY BEZUGLYI & SERGIY KOLYADA (eds)
312 Foundations of computational mathematics, Minneapolis 2002, FELIPE CUCKER et al (eds)
London Mathematical Society Lecture Note Series. 317
Advances in Elliptic Curve Cryptography
Edited by
Ian F. Blake
University of Toronto
Gadiel Seroussi
Hewlett-Packard Laboratories
Nigel P. Smart
University of Bristol
Cambridge University Press
Cambridge, New York, Melbourne, Madrid, Cape Town, Singapore, São Paulo
Cambridge University Press
The Edinburgh Building, Cambridge CB2 2RU, UK
Published in the United States of America by Cambridge University Press, New York
www.cambridge.org
Information on this title: www.cambridge.org/9780521604154
© Cambridge University Press 2005
This book is in copyright. Subject to statutory exception and to the provision of
relevant collective licensing agreements, no reproduction of any part may take place
without the written permission of Cambridge University Press.
First published in print format 2005
ISBN-13 978-0-511-11161-7 eBook (MyiLibrary)
ISBN-10 0-511-11161-4 eBook (MyiLibrary)
ISBN-13 978-0-521-60415-4 paperback
ISBN-10 0-521-60415-X paperback
Cambridge University Press has no responsibility for the persistence or accuracy of
URLs for external or third-party internet websites referred to in this book, and does not
guarantee that any content on such websites is, or will remain, accurate or appropriate.
Contents
Preface page ix
Abbreviations and Standard Notation xi
Authors xv
Part 1. Protocols
Chapter I. Elliptic Curve Based Protocols
N.P. Smart 3
I.1. Introduction 3
I.2. ECDSA 4
I.3. ECDH/ECMQV 8
I.4. ECIES 12
I.5. Other Considerations 18
Chapter II. On the Provable Security of ECDSA
D. Brown 21
II.1. Introduction 21
II.2. Definitions and Conditions 23
II.3. Provable Security Results 32
II.4. Proof Sketches 33
II.5. Further Discussion 36
Chapter III. Proofs of Security for ECIES
A.W. Dent 41
III.1. Definitions and Preliminaries 42
III.2. Security Proofs for ECIES 50
III.3. Other Attacks Against ECIES 58
III.4. ECIES-KEM 61
Part 2. Implementation Techniques
Chapter IV. Side-Channel Analysis
E. Oswald 69
IV.1. Cryptographic Hardware 70
IV.2. Active Attacks 71
IV.3. Passive Attacks 72
IV.4. Simple SCA Attacks on Point Multiplications 77
IV.5. Differential SCA Attacks on Point Multiplications 84
Chapter V. Defences Against Side-Channel Analysis
M. Joye 87
V.1. Introduction 87
V.2. Indistinguishable Point Addition Formulæ 88
V.3. Regular Point Multiplication Algorithms 93
V.4. Base-Point Randomization Techniques 97
V.5. Multiplier Randomization Techniques 98
V.6. Preventing Side-Channel Analysis 100
Part 3. Mathematical Foundations
Chapter VI. Advances in Point Counting
F. Vercauteren 103
VI.1. p-adic Fields and Extensions 104
VI.2. Satoh's Algorithm 105
VI.3. Arithmetic Geometric Mean 115
VI.4. Generalized Newton Iteration 121
VI.5. Norm Computation 128
VI.6. Concluding Remarks 132
Chapter VII. Hyperelliptic Curves and the HCDLP
P. Gaudry 133
VII.1. Generalities on Hyperelliptic Curves 133
VII.2. Algorithms for Computing the Group Law 136
VII.3. Classical Algorithms for HCDLP 140
VII.4. Smooth Divisors 142
VII.5. Index-Calculus Algorithm for Hyperelliptic Curves 144
VII.6. Complexity Analysis 146
VII.7. Practical Considerations 149
Chapter VIII. Weil Descent Attacks
F. Hess 151
VIII.1. Introduction – the Weil Descent Methodology 151
VIII.2. The GHS Attack 153
VIII.3. Extending the GHS Attack Using Isogenies 166
VIII.4. Summary of Practical Implications 173
VIII.5. Further Topics 175
Part 4. Pairing Based Techniques
Chapter IX. Pairings
S. Galbraith 183
IX.1. Bilinear Pairings 183
IX.2. Divisors and Weil Reciprocity 184
IX.3. Definition of the Tate Pairing 185
IX.4. Properties of the Tate Pairing 187
IX.5. The Tate Pairing over Finite Fields 189
IX.6. The Weil Pairing 191
IX.7. Non-degeneracy, Self-pairings and Distortion Maps 192
IX.8. Computing the Tate Pairing Using Miller's Algorithm 196
IX.9. The MOV/Frey–Rück Attack on the ECDLP 197
IX.10. Supersingular Elliptic Curves 198
IX.11. Applications and Computational Problems from Pairings 201
IX.12. Parameter Sizes and Implementation Considerations 203
IX.13. Suitable Supersingular Elliptic Curves 204
IX.14. Efficient Computation of the Tate Pairing 205
IX.15. Using Ordinary Curves 208
Appendix: Proof of Weil Reciprocity 212
Chapter X. Cryptography from Pairings
K.G. Paterson 215
X.1. Introduction 215
X.2. Key Distribution Schemes 218
X.3. Identity-Based Encryption 221
X.4. Signature Schemes 228
X.5. Hierarchical Identity-Based Cryptography and Related Topics 235
X.6. More Key Agreement Protocols 240
X.7. Applications and Infrastructures 242
X.8. Concluding Remarks 250
Bibliography 253
Summary of Major LNCS Proceedings 271
Author Index 273
Subject Index 277