2012 Third International Conference on Emerging Intelligent Data and Web Technologies
On the Attacks over the Elliptic Curve-based Cryptosystems
Gabriela Moise
Information Technology, Mathematics and Physics
Petroleum-Gas University
Ploiesti, Romania
gmoise@upg-ploiesti.ro
Abstract—The aim of this paper is to a present survey of
attacks on the elliptic curve cryptosystems. We propose a
taxonomy for these attacks, and a brief presentation for each
type of attack and its complexity. The attacks’ complexity
demonstrates the high security level of the elliptic curve-based
cryptosystems. Also, there are presented the most known
elliptic curves-based cryptographic protocols: the Elliptic
Curves-based Diffie-Hellman Key Exchange, ElGamal Public
Key Cryptosystem and Elliptic Curve Digital Signature
Algorithm.
Keywords-elliptic curve cryptography, cryptographic attack,
discrete logarithm problem
I. INTRODUCTION
Elliptic curves cryptosystems are based on the Discrete
Logarithm Problem using elliptic curves defined over a finite
field (ECDLP). The Elliptic Curve Cryptography (ECC) was
first proposed by Miller [1] and Koblitz [2] in 1985. Since
then, a lot of cryptographic schemes have been proposed,
thus proving the efficiency of elliptic curves in cryptography:
public key encryption schemes, signature schemes, key
establishment protocols. The power of the ECC derives from
the intractability of the elliptic curve discrete logarithm
problem. A complete description of the ECC can be found in
literature [3, 4, 5]. Even if it uses shorter parameters (160–
256 bit instead of 1024–3072 bit key length), the ECC has
the same security level as RSA, as far as its cryptographic
performances are concerned, as shown in Table I [6].
TABLE I. KEYS’ LENGTHS NEDDED IN SIM/RSA/ECC
Simmetric Encryption Key RSA/DH Key ECC Key
80 1024 160
112 2048 224
128 3072 256
192 7680 384
256 15360 512
The security of ECC is mainly due to the difficulty of
solving the elliptic curve discrete logarithm problem
(ECDLP), so the attacks over ECC try to solve ECDLP
problem.
ECC is implemented in wireless communications,
wireless sensor networks, smart cards, security protocols
used on web, secure electronic transactions, and operating
978-0-7695-4734-3/12 $26.00 © 2012 IEEE
DOI 10.1109/EIDWT.2012.36
systems. Moreover, its range of applicability continues to
grow.
This paper surveys the main attack technique on ECC,
along with a possible taxonomy. We present: in section 2,
the elliptic curve-based cryptographic protocols, and
mathematical description of elliptic curves; in section 3 a
taxonomy of the attacks on ECC is given, along with short
descriptions of different types of attacks; in section 4 there
are presented secure elliptic curves according to FIPS PUB
186-2 [7], and in the final part of this paper the future
developments of the ECC are pointed out.
II. ELLIPTIC CURVES-BASED CRYPTOGRAPHIC
PROTOCOLS
The most known elliptic curves-based cryptographic
protocols are the Elliptic Curves-based Diffie-Hellman Key
Exchange, ElGamal Public Key Cryptosystems, and Elliptic
Curve Digital Signature Algorithm. Miller and Koblitz had
the idea to use the finite group of elliptic curves arguing that,
in this case, the discrete logarithm problem is more
intractable than using the finite Fp.
A. Mathematical background of the elliptic curves
An elliptic curve (E) over a field K is defined by
Weierstrass equation
y2+a1xy+a3y = x3+a2x2+a4x+a6, where a1, a2, a3, a4,
a6 ∈ K and discriminant   0 (1)
The set of points with coordinates in K together with an
imaginary point (called point at the infinity and denoted by
) form K-rational points of E.
The discriminant  is defined as
 = -b22b8-8b43-27b62+9b2b4b6, b2 = a12+4a2, b4 = 2a4+a1a3,
b6 = a32+4a6, b8 = a12a6+4a2a6-a1a3a4+a2a32-a42. (2)
If the characteristic of K is different from 2 or 3, an
admissible change of variables transforms (1) in
y2 = x3+ax+b, a,b ∈ K (3)
with discriminant
 = -16(4a3+27b2)  0. (4)
The elliptic curves over a finite field with characteristic
different from 2 or 3 are the most suitable for cryptography.
244
Thus, the most used finite fields are Fp with p prime, p>3,
where all arithmetic is done modulo p.
The set of points of the E(Fp) together with the abstract
point at infinity ( as neutral element) and the addition
operation forms an abelian finite group with the number of
the elements (noted #E(Fp)) approximated by the Hasse
theorem: Considering a non-singular elliptic curve over a
prime field Fp, the #E(Fp) satisfies the beneath equation
|#E(Fp)-(p+1)|2p. (5)
The algebraic form of the group laws for the elliptic
curve E(Fp), where p is a prime number, p>3 is as follows
[6]:
• The identity element is “”: P+ = +P = P for all
P ∈ E(Fp).
• The negative element of the element P(x,y) ∈ E(Fp)
is –P, and has the coordinates (x,-y):
P+(-P)=(-P)+P= (6)
• The addition of two distinct points P(x1,y1) and
Q(x2,y2) (P±Q). The sum of two points P and Q,
R=P+Q, R(x3,y3) is given in:
x3  2-x1-x2 (mod p)
y3  (x1-x3)-y1 (mod p)
  (y2-y1)/(x2-x1) (mod p) . (7)
• The double of a point P(x1,y1), where P-P, R=2P,
R(x3,y3), is given in:
x3  2-2x1 (mod p)
y3  (x1-x3)-y1 (mod p)
  (3x12+a)/(2y1) (mod p) (8)
The points of the elliptic curve together with the point 
(the group’s law are stated in 6-8) form an abelian group
with cyclic subgroups that is used to elliptic discrete
logarithm problems. A detailed description of the arithmetic
of the elliptic curves can be found in [8].
B. Elliptic curve discrete logarithm problem
The ECC is based on the difficulty of solving the Elliptic
Curve Discrete Logarithm Problem (ECDLP).
Let us consider an elliptic curve E over a finite field and
a point P of order n. Considering an element Q (QP,
Q ∈ <P> the subgroup generated by P), the problem is to find
an integer d with the property Q = dP. The number d is
bounded: 1 d n-1.The number d = logPQ is called the
discrete logarithm of Q to the base P.
In this paper we present ECDLP based on elliptic curve
over Fp. The problem may be formulated based on the
245
GF(2m) field as well. One considers that the ECC over prime
finite groups is more popular than ECC over GF(2m) [9].
Due to increasing performance of computers, the ECC over
prime finite groups are more secure. The equation of the
curve used in this paper is the simplified Weierstrass
equation stated in (3).
In the cryptographic protocols, the integer d is the private
key, and the point Q is the public key.
C. Diffie-Hellman Key Exchange with Elliptic Curves
The Diffie-Hellman Key Exchange Scheme was
published in 1976 in [10], and allows users to securely
exchange information. The procedure consists in the
following steps:
• Alice and Bob choose a prime number p, the finite
field Fp, the parameters a,b of E(Fp), and a rational
base point P;
• Alice selects her private key kprA and computes
A=kprAP in E(Fp);
• Bob selects his private key kprB and computes
B=kprBP in E(Fp);
• Alice and Bob exchange the values points A and B
using an insecure communication canal;
• Alice computes kprAB and Bob computes kprBA in
E(Fp). The shared secret is k=kprAB= kprBA.
To discover the shared secret k, an attacker has to
discover the private key kprA knowing the public points P and
A. So, the security of the Diffie-Hellman schema is based on
the hard difficulty to solve ECDLP problem.
D. ElGamal Public Key Cryptosystem with Elliptic Curves
A practical public-key cryptosystem was proposed by
ElGamal in 1984 [11]. N. Koblitz and V. Miller suggested
the usage the elliptic curve groups because the discrete
logarithm problem was believed to be harder for elliptic
curves than for finite fields. Setting an elliptic curve E(Fp) of
order n and a rational base point P, the algorithm has the
following steps:
• Bob picks a random private key kprB, computes
B=kprBP in E(Fp) and publishes E(Fp), P, p, B;
• Alice picks up a random private key kprA;
• Alice obtains the Bob’s authentic public key;
• Alice enciphers a message m (we suppose m is a
point on the elliptic curve): computes kprAP and
m+kprAB in E(Fp) and sends the cipher (kprAP,
m+kprAB);
• Bob receives the cipher and decrypts it using his
private key kprB: decryption(kprAP, m+kprAB)=
m+kprAB- kprB(kprAP)= m+kprA(kprBP)- kprB(kprAP)=m.
E. Elliptic Curve Digital Signature Algorithm
Elliptic Curve Digital Signature Algorithm (ECDSA) is
the elliptic curve analogue of the Digital Signature
Algorithm (DSA) [7]. ECDSA signature generation is [3]:
• Select an integer k, 1kn-1;
• Compute Q = kP, Q = (xQ,yQ) and convert xQ to an
integer xQ;
 • Compute r = xQ mod p. If r=0 then select another k,
and go to step 2;
• Compute e = Hash(m), where m=message;
• Compute s = k-1(e+kprr), where kpr is the private key;
• The signature is (r,s).
ECDSA signature verification is [3]:
• Verify that r,s are integers with the property1r,sn-
1. If the verification fails then the signature is
rejected;
• Compute e = Hash(m);
• Compute w = s-1 mod n;
• Compute u1 = ew mod n and u2 = rw mod n;
• Compute W = u1P+ u2Q, where W = (xW,yW) and Q is
the public key;
• If X =  the signature is rejected;
• Convert xW to an integer xW and compute v = xW mod
n;
• If v = r then signature is accepted else signature is
rejected.
and compute and store the Baby-Step
III. TAXONOMY OF THE ATTACKS ON ECC
The security of ECC is based on the intractability of
ECDLP problem. Although an efficient algorithm to solve
ECDLP has not been discovered yet, one cannot prove that
such an efficient algorithm does not exist. The attacks on the
cryptosystems can be hardware- or software-based attacks.
The generic methods to solve ECDLP are the following:
brute-force attack, Baby-Step-Giant-Step method, Pohlig-
Hellman attack, Pollard’s rho, Pollard’s lambda methods,
and attacks derived from all that were mentioned here. All
these methods have an exponential complexity. There are
some weak curves which allow attacks with subexponential
complexity. These curves are called insecure curves and their
features are listed in the final part of this section. Also, it is
presented a list of recommended elliptic curves which should
be used in cryptosystems. Another category of attacks are
nongeneric attacks, among which we mention index-calculus
attack, and isomorphism attack. In the end, an idea of a
parallel attack based on a grid of isogeny classes of the
elliptic curves is exposed. A taxonomy of the attacks on ECC
is provided in table II.
A. Generic Attack
1. Brute-Force Method
The brute-force method is the naive method and it
consists in an exhaustive search in the keys’ space of all
integers t, 0tn. This method is unfeasible for large groups
(with the number of elements bigger than 280).
2. Pohlig-Hellman attack
The Pohlig-Hellman attack reduces the discrete logarithm
problem to a prime order subgroup of <P> . The method uses
the factorization of n and the Chinese Reminder Theorem.
The complexity of this method is n with better results if n is
smooth.
Suppose the prime factorization of n=p1e1p2e2….prer. The
Pohlig-Hellman algorithm consists in:
246
• Compute xi = x (mod piei), i=1…r;
• Solve the system x = xi (mod piei), ), i=1…r using
Chinese Remainder Theorem.
All xi = z0+z1pi+z2pi2+…+zei-1piei-1, i=1…r and zj ∈ [0,pi-
1] are calculated using the following algorithm:
• Compute P0 = (n/pi)P and Q0 = (n/pi)Q. Q0 = z0P0.
So, z0=logP0Q0 can be obtained solving ECDLP in
<P0>;
• Having z0, z1, …, zk-1 computed, zk can be obtained
as zk = logP0Qk, where Qk = (n/pik+1)(Q-z0P-z1piP-
z2pi2P…-zk-1pik-1P).
3. Collison search attack
Baby-Step-Giant-Step algorithm
Baby-Step-Giant-Step (BSGS) algorithm was proposed
by Schank in [12], and its complexity in time is the same
with the complexity in memory (n). A complete description
of the method can be found in [5, 13].
BGSG consists in the following steps:
• Set m= n
list: {, P, 2P, …, (m-1)P};
• Compute the Giant-Step list: {Q, Q-mP, … Q-
jmP,…}, for j=0…m-1 until we found a match,
iP=Q-jmP;
• Conclude Q=kP where k  i+jm (mod n).
Pollard’s Rho attack
The most well-known algorithms are Pollard’s rho and
Pollard’s lambda method [14]. The Pollard’s rho needs
(n/2)½ , while the Pollard’s lambda needs 2n steps.
The Pollard’s rho algorithm is based on the birthday
paradox. In this algorithm, there are found two distinct pairs
of integers modulo n , (a`,b`) and (a``,b``), satisfying
a`P+b`Q = a``P+b``Q. (9)
Substituting Q=dP , the following relations result:
a`P+b`dP = a``P+b``dP
(a`-a``)P = (b``-b`)dP
(a`-a``)  (b``-b`)d(mod n). (10)
Hence d = (a`-a``)(b``-b`)-1(mod n). The pairs (a`,b`) and
(a``,b``) are found using an iterating function.
The steps of the Pollards’rho method are:
1. Let us consider a random partition of the <P> into
sets of roughly the same size: <P>=S1 ∪ S2 ∪ S3.
2. Choose an iteration function of a random walk:
Xi+1 = f(Xi) (11)
f(Xi) = Xi+Q if Xi ∈ S1
f(Xi) = 2Xi if Xi ∈ S2
f(Xi) = Xi+P if Xi ∈ S3.
 TABLE II. A TAXONOMY OF ECC ATTACK

Naïve method: Brute-force attack

Baby-Step-Giant-Step
Pollard’s rho
Generic attack Pollard’s lambda
Collision Search attack
Parallelized Pollard’s rho
ECC and lambda
attack Parallel Collision Search

Index Calculus attack

Nongeneric attack Isomorphism attack

Grid of Isogeny Classes of EC attack

3. An arbitrary point X0 ∈ <P> determines the Li and all studied the problem of solving the multi-
sequence {Xi}, i0, where Xi = aiP+biQ discrete logarithm problem over the elliptic curve groups
[16]. The problem consists in finding d1 and d2 from the
ai+1 = ai (mod n) if Xi ∈ S1 relations Q1=d1P and Q2=d2P. The results they have obtained
are the following:
ai+1 = 2ai (mod n) if Xi ∈ S2 • In the case of Pollards’ rho algorithm, when having
the problem Q1=d1P solved with Pollards’ rho
ai+1 = ai+1 (mod n) if Xi ∈ S3 algorithm, the expected number of steps for solving
the problem Q2=d2P with the same algorithm is
(n/2).
bi+1 = bi+1(mod n) if Xi ∈ S1
• In the case of Parallel Collision Search algorithm,
the expected number of steps for each processor is
bi+1 = 2bi (mod n) if Xi ∈ S2
§∞ ·
bi+1 = bi (mod n) if Xi ∈ S3 (12)
π ¨ ¸
e 4 ¨ ³ e − y dy ¸. 2n / m + 1 .
2
(13)
¨¨ n ¸¸ θ
4. Use the Floyd’s cycle-finding algorithm to get a
collision (Xi=Xj, ij). We shall obtain a collision because © 2 ¹
<P> is a finite group. Furthermore, one computes pair The conclusion that follows is that one may built multi-
(Xi,X2i) until Xi=X2i, i1.
5. Obtain d: Xi = aiP+biQ, that implies aiP+biQ =
a2iP+b2iQ and d = (a2i-ai)(b2i-bi)-1(mod n).
The probability to have b2i = bi(mod n) is very small when n
is very large. The number of expected steps to solve the
ECDLP is (n/2).
Parallel collision search algorithm
In [15], von Oorschot and Wiener introduced the parallel
collision search technique, which reduced the attack time.
The method uses more processors, and each processor
computes a sequence {Xi} starting from different points until
a distinguished point is reached (Xd is called a distinguished
point if it has some distinguishing property). The
distinguished point Xd and the pair (ad, bd) are added to a list
common to all processors. The procedure continues with a
new start point. A collision occurs if the same distinguished
point appears twice in the list. The expected steps for each
processor to solve ECDLP using the parallel collision
algorithm is (n/2)/m+1/
, where m is the number of ai+1=ai+h(Ti), and for wild kangaroo is bi, where
processors and
represents the proportion of points that bi+1=bi+h(Wi), b0=0. So, Wi=(d+bi)P.
satisfies the property.
247
elliptic curve cryptosystems using the same elliptic curve.
Pollards’ kangaroo method
Another randomized method due to Pollard is the
Pollards’ lambda [17]. Also known as Pollards’ lambda, the
method consists in observing several way of walking: the
walk of a tame kangaroo T, and the walk of a wild kangaroo
W. In the former case, the starting point is known a0P and in
the latter case, the starting is an unknown point Q (so it is
unknown from where it comes). One of the following
situations may occur: a collision between walks of the tame
and wild kangaroos, a crossing between the paths of the
kangaroos or the tame kangaroo setting a trap for the wild
kangaroo with the wild kangaroo falling into the trap.
Let h:<P>->J be a hash function, and J is a set of jump
size. Kangaroos jump according the formulas
Ti+1=Ti+h(Ti)P (for tame kangaroo) and
Wi+1=Wi+h(Wi)P (for wild kangaroo). (14)
The travelled distance for tame kangaroo is ai-a0, where
When a collision between walks happens, then the wild
kangaroo continues jumping followed by the tame one until
he reaches him. So, there exists m therefore TN=Wm, where
N is number of steps for tame kangaroo. We have
aNP=(d+bm)P, so d=aN-bm. The number of expected steps to
solve the problem is 2n.
B. Nongeneric attacks
1. Index calculus method
The method can be used to solve the problem of discrete
logarithm over the multiplicative groups Fp* in
subexponential time. In [1], Miller stated that it is “unlikely
that an index calculus attack on the elliptic curve method will
ever be able to work”. The algorithm consists of four steps:
1. Select a factor base of the elements of the group. In
the case of ECC the elements of the group are the points of
the elliptic curve over the finite groups: F={f1, f2, …, fN}.
2. Generate relations for random integers ai of the
form aiP=j=1,N ci,jfi .
3. Linear algebra
Having enough relations (so, k has to be large), construct
the linear system CX=A, where C=(ci,j)i=1,k;j=1,N, A=(ai)i=1,k
and solve it.
4. Extract solution
Find an equation aP+bQ=j=1,Ncjfj, b0, and deduce
lgPQ.
The complete description of the algorithm may be found
in [5], [18]. In the case of the elliptic curve, the index
calculus is not feasible. An analysis of the feasibility of the
classical index-calculus method was performed by Silverman
and Suzuki in [19], where they concluded that “it is very
unlikely that there is an index calculus for elliptic curve
discrete logarithms which is directly analogous to the
classical index calculus for the multiplicative group”.
2. Isomorphism attack
This type of attack is based on the remark: if there is an
isomorphism (one to one and computable) from a group G2
where DLP is hard, to a group G1, where the DLP is weak
(the DLP can be solved in sub-exponential time) then hard
DLP can be reduced to a weak DLP. Techniques of this type
are based on the pairing techniques (Weil paring [20], Tate
pairing, Menezes-Okamoto-Vanstone's attack, Eta pairing) to
convert the discrete logarithm problem [21], [22], [3]. The
attack on the prime-field-anomalous curves converts ECDLP
on elliptic curve of order p of the prime field Fp to DLP in
the additive group F+p of integers modulo p. The Weil and
Tate’s pairing attacks reduces the problem of some special
curves to DLP in F+pk (with known sub-exponential time
algorithm). The GHS Weil descent attack reduces the
ECDLP in an elliptic curve defined over F2m to DLP in the
jacobian variety of a curve of a hyperelliptic curve defined
over subfield of F2m.
3. A grid of isogeny classes of the elliptic curves-
based attack
A method of ECC attack is a parallel attack based on a
grid of isogeny classes of the elliptic curves.
An isogeny is a subjective morphism ϕ : E1(Fp) E2(Fp)
satisfying ϕ ()=. Two elliptic curves are isogenous if
248
there is a isogeny from E1(Fp) to E2(Fp) with
ϕ (E1(Fp)){} [8].
Cryptographically speaking, an isogeny is a function
defined between two elliptic curves (E1(Fp), E2(Fp)) which
allows the reduction of DLP over E1(Fp) to DLP over
E2(Fp),. The Tate’s theorem states that there is an isogeny
between E1(Fp) and E2(Fp) if and only if #E1(Fp)= #E2(Fp). In
the space of all elliptic curves over Fp, one can define
isogeny classes. Solving the ECDLP over a curve that
belongs to a particular class, generates the solution of
ECDLP over any curve from the same class. The set of
curves that are isogenous to E(Fp) forms the isogeny class of
E(Fp) [23] (figure 1).
Figure 1. Isogeny classes-based attack
The attack using a grid of isogeny classes consists of the
following steps:
• Starting from the space of the EC over Fp, build a
grid of isogeny classes over elliptic curves;
• Select from each class an „easy” elliptic curve and
resolve the DLP using grid computing;
• Save the solutions obtained from step 2 into
distributed system;
• Considering an arbitrary curve over Fp, identify the
correspondent classes and select the solution from
the distributed system;
• Translate the solution obtained at step 4 into a
solution for the proposed elliptic curve.
One may consider that the method is futurist, but
considering the difficulty of breaking elliptic curve based
cryptosystems, this can be an option to be taken into account.
This idea outlines the author’s future research direction in
the field of elliptic curve-based cryptosystems.
IV. SECURE ELLIPTIC CURVES
Regarding the ECC attacks, there are several weak
elliptic curves which should be avoided in the cryptosystems.
The curves used in the ECC have to be selected according to
the following criteria:
• The curves groups should have the order prime or
almost prime. It means that the #E(Fp) is prime or
#E(Fp) can be written as #E(Fp)=r*s, where r is a
large prime number and s is a small cofactor [24].
• The curves have to be non supersingular. A curve is
called supersingular if #E(Fp)=p+1+t and t0 (mod
p) [24].
 • The curves should not be anomalous. A curve is
called anomalous if #E(Fp)=p.
In the FIPS PUB 186-2, a list of recommended elliptic
curves (15 elliptic curves over 10 finite fields) is presented
[7]. These curves may be divided into: pseudo-random
curves over Fp; pseudo-random curves over F2m; Koblitz
special curves over F2m.
Considering an elliptic curve defined as in (3), the
parameter a is selected so that the doubling points can be
computed faster (a = -3)
y2  x3-3x+b (mod p).
The parameters given in [7] are: p- the order of the
prime field Fp; the order n; the input seed s (160 bit) to SHA-
1 algorithm used to generate the coefficients of the elliptic
curve; the output c of the SHA-1 based algorithm; the
coefficient b with b2c  -27 (mod p); the coordinates of the
base point P.
As example, for curve p-192, the values of the
parameters (FIPS PUB 186-2) are:
p=2192-264-1
n=62771017353866807638357894231760590137671947
73182842284081
s=3045ae6fc8422f64ed579528d38120eae12196d5
c=3099d2bbbfcb2538542dcd5fb078b6ef5f3d6fe2c745de
65
b=64210519e59c80e70fa7e9ab72243049feb8deecc146b
9b
PX=188da80eb03090f67cbf20eb43a18800f4ff0afd8ff101
2 Logarithm Problems over a Group of Elliptic Curves with Prime
PY=07192b95ffc8da78631011ed6b24cdd573f977a11e79
4811
V. CONCLUSIONS
The main advantage of the ECC is its high security level
with a smaller key size. Since ECC was issued, a lot of
research papers have been written in order to improve the
security of ECC or to attack ECC. As a possible drawback,
one may mention the fact that the implementation of the
elliptic curve cryptosystems is more sophisticated and it
requires more theoretical knowledge of Mathematics.
The elliptic curve-based cryptographic protocols have a
lot of applications in the signature and authentication
schemes, public-key encryption scheme, hash functions, key
establishment, ID-based cryptosystems, signcryption, etc.
Future public cryptosystems will be based on elliptic
curves, fact which will trigger the migration of older
cryptosystems to these, due their higher security level.
REFERENCES
[1] V. S. Miller, “Uses of Elliptic Curves in Cryptography”, Proc. of
CRYPTO’85, Lecture Notes in Computer Science, vol. 218, 1986, pp.
417-426.
[2] N. Koblitz, “Elliptic Curve Cryptosystem”, Mathematics of
Computation, vol. 48, no. 177, 1987, pp. 203-209.
[3] D. Hankerson, A. Menezes, S. Vanstone, Guide to Elliptic Curve
Cryptography, Springer, 2004.
[4] P. Christof, J. Pelzl, Understanding Cryptography, A Textbook for
Students and Practitioners, Springer, 2010.
[5] H. Cohen, G. Frey, R. Avanzi, C. Doche, T. Lange, K. Nguyen, and
F. Vercauteren, Handbook of Elliptic and Hyperelliptic Curve
Cryptography Chapman & Hall/CRC Taylor & Francis Group, 2006.
[6] Certicom Research , Standards for efficient cryptography, SEC 1:
Elliptic Curve Cryptography, Version 1.0, 2000,
http://www.secg.org/collateral/sec1_final.pdf .
[7] FIPS PUB 186-2, Available:
http://www.cs.haifa.ac.il/~orrd/IntroToCrypto/online/fips186-2.pdf.
[8] J. H. Silverman, The Arithmetic of Elliptic Curves, Sec. Ed.,
Springer Dordrecht Heidelberg London New York, 2009, DOI
10.1007/978-0-387-09494-6.
(15)
[9] J. Pelzl, “Extra Costs Estimates for ECC Attacks with Special-
Purpose Hardware”, 10th Workshop on Elliptic Curve Cryptography
ECC 2006, 2006.
[10] W. Diffie and M. E. Hellman, “New directions in cryptography”,
IEEE Transaction on Information Theory, vol. IT-22, no. 6, Nov.
1976, pp. 644–654.
[11] T. ElGamal, “A Public-Key Cryptosystem and a Signature Scheme
Based on Discrete Logarithms”, conference version appeared in Proc.
CRYPTO'84, pp. 10–18, IEEE Transactions on Information Theory,
Vol. 31, no. 4, pp. 469–472. doi:10.1109/TIT.1985.1057074.
[12] D. Shanks, “Class number, a theory of factorization and genera”,
Proc. Symp. Pure Math. 20, 1971, pp. 415-420.
[13] D. Hankerson, A. Menezes, S. Vanstone, Guide to Elliptic Curve
Cryptography, Springer, 2004.
[14] J. M. Pollard, “Monte Carlo Methods for Index Computattion (mod
p)”, Mathematics of Computation, vol. 32, no. 143, 1978, pp. 918-
924.
[15] P. C. van Oorschot, M. J. Wiener, “Parallel collision search with
cryptanalytic applications”, Journal of Cryptology, vol.12, no.1, 1999,
pp.1-28.
[16] J. Q. Li, M. L. Liu, L. L. Xiao, “Solving the Multi–discrete
Order”, Acta Mathematica Sinica, vol. 21, no. 6, 2005, pp. 1443-
1450.
[17] J. M. Pollard, “Kangaroos, monopoly and discrete logarithms”,
Journal of Cryptology, vol. 13, no. 4, 2000, pp. 437-447.
[18] A. Joux and V. Vitse, “Elliptic Curve Discrete Logarithm Problem
over Small Degree Extension Fields Application to the static Diffie-
Hellman problem on E(Fq5)”, Journal of Cryptology, Nov. 2011, pp.
1-25, doi:10.1007/s00145-011-9116-z.
[19] J. H. Silverman, J. Suzuki, “Elliptic Curve Discrete Logarithms and
the Index Calculus”, Proc. ASIACRYPT’98, Lecture Notes in
Computer Science, vol. 1514, 1998, pp. 110-125.
[20] A. Weil, “Sur les fonctions algébriques à corps de constantes fini”, C.
R. Acad. Sci. Paris 210, 1940, pp. 592-594.
[21] V.S. Miller , “The Weil Pairing, and Its Efficient Calculation”,
Journal of Cryptology, vol. 17, no. 4, 2004, pp. 235–261.
[22] F. Hess, N. P. Smart, F. Vercauteren, “The Eta Pairing Revisited”,
Available: http://eprint.iacr.org/2006/110 [Accessed March 31, 2012].
[23] B. Smith, “Mappings of elliptic curves”, DIAMANT-Summer School
on Elliptic and Hyperelliptic Curve Cryptography, 2008.
[24] M. Zandra, “Eliptic Curve Cryptography, Improving the Pollard-Rho
Algorithm”, Available:
http://web.maths.unsw.edu.au/~jim/mandyseetthesis.pdf [Accessed
March 31, 2012].
249