Peter L. Montgomery

Speeding the Pollard and elliptic curve methods of factorization

Since 1974, several algorithms have been developed that attempt to factor a large number N by doing extensive computations module N and occasionally taking GCDs with N. These began with Pollards p 1 and Monte Carlo methods. More recently, Williams published a p + 1 method, and Lenstra discovered an elliptic curve method (ECM). We present ways to speed all of these. One improvement uses two tables during the second phases of p ? 1 and ECM, looking for a match. Polynomial preconditioning lets us search a fixed table of size n with n/2 + o(n) multiplications. A parametrization of elliptic curves lets Step 1 of ECM compute the x-coordinate of nP from that of P in about 9.3 1og2 n multiplications for arbitrary P.

Factorization of a 768-bit RSA modulus

This paper reports on the factorization of the 768-bit number RSA-768 by the number field sieve factoring method and discusses some implications for RSA.

Factorization of RSA-140 Using the Number Field Sieve

We propose a mathematical problem, and show how to solve it elegantly. This problem is related with elliptic curve cryptosystems (ECC). The solving methods can be applied to a new paradigm of key generations of the ECC.

Five, six, and seven-term Karatsuba-like formulae

The Karatsuba-Ofman algorithm starts with a way to multiply two 2-term (i.e., linear) polynomials using three scalar multiplications. There is also a way to multiply two 3-term (i.e., quadratic) polynomials using six scalar multiplications. These are used within recursive constructions to multiply two higher-degree polynomials in subquadratic time. We present division-free formulae, which multiply two 5-term polynomials with 13 scalar multiplications, two 6-term polynomials with 17 scalar multiplications, and two 7-term polynomials with 22 scalar multiplications. These formulae may be mixed with the 2-term and 3-term formulae within recursive constructions, leading to improved bounds for many other degrees. Using only the 6-term formula leads to better asymptotic performance than standard Karatsuba. The new formulae work in any characteristic, but simplify in characteristic 2. We describe their application to elliptic curve arithmetic over binary fields. We include some timing data.

Trading Inversions for Multiplications in Elliptic Curve Cryptography

Recently, Eisenträger et al. proposed a very elegant method for speeding up scalar multiplication on elliptic curves. Their method relies on improved formulas for evaluating S=(2P + Q) from given points P and Q on an elliptic curve. Compared to the naive approach, the improved formulas save a field multiplication each time the operation is performed. This paper proposes a variant which is faster whenever a field inversion is more expensive than six field multiplications. We also give an improvement when tripling a point, and present a ternary/binary method to perform efficient scalar multiplication.

Solving a 112-bit prime elliptic curve discrete logarithm problem on game consoles using sloppy reduction

We describe a cell processor implementation of Pollards rho method to solve discrete logarithms in groups of elliptic curves over prime fields. The implementation was used on a cluster of PlayStation 3 game consoles to set a new record. We present in detail the underlying single instruction multiple data modular arithmetic.

An analysis of affine coordinates for pairing computation

In this paper we analyze the use of affine coordinates for pairing computation. We observe that in many practical settings, e. g. when implementing optimal ate pairings in high security levels, affine coordinates are faster than using the best currently known formulas for projective coordinates. This observation relies on two known techniques for speeding up field inversions which we analyze in the context of pairing computation. We give detailed performance numbers for a pairing implementation based on these ideas, including timings for base field and extension field arithmetic with relative ratios for inversion-to-multiplication costs, timings for pairings in both affine and projective coordinates, and average timings for multiple pairings and products of pairings. Keywords: Pairing computation - affine coordinates - optimal ate pairing - finite field inversions - pairing cost - multiple pairings - pairing products.

AN FFT EXTENSION TO THE P - 1 FACTORING ALGORITHM

J. M. Pollard, in 1974, presented the P — \ integer factoring al- gorithm. His paper couched the algorithm in theoretical terms based upon use of Fast Fourier Transform techniques, but he was unable to say whether the method could be made practical. We discuss the mathematical basis of the al- gorithm and show how it can work in practice. The practical implementation depends, for its success, upon the use of Residue Number Systems. We also present an open problem as to how the method could be made to work for the Elliptic Curve factoring algorithm.

Fast elliptic curve arithmetic and improved weil pairing evaluation

The side channel attack (SCA) is a serious attack on wearable devices that have scarce computational resources. Cryptographic algorithms on them should be efficient using small memory -- we have to make efforts to optimize the trade-off between efficiency and memory. In this paper we present efficient SCA-resistant scalar multiplications based on window method. Moller proposed an SPA-resistant window method based on 2w-ary window method, which replaces w-consecutive zeros to 1 plus w-consecutive 1 and it requires 2w points of table (or 2w-1 +1 points if the signed 2w-ary is used). The most efficient window method with small memory is the width-w NAF, which requires 2w-2 points of table. In this paper we convert the width-w NAF to an SPA-resistant addition chain. Indeed we generate a scalar sequence with the fixed pattern, e.g. |0..0x|0..0x|...|0..0x|, where x is positive odd points < 2w. Thus the size of the table is 2w-1, which is optimal in the construction of the SPA-resistant chain based on width-w NAF. The table sizes of the proposed scheme are 6% to 50% smaller than those of Mollers scheme for w = 2, 3, 4, 5, which are relevant choices in the sense of efficiency for 160-bit ECC.

Improved Weil and Tate Pairings for Elliptic and Hyperelliptic Curves

We present algorithms for computing the squared Weil and Tate pairings on elliptic curves and the squared Tate pairing on hyperelliptic curves. The squared pairings introduced in this paper have the advantage that our algorithms for evaluating them are deterministic and do not depend on a random choice of points. Our algorithm to evaluate the squared Weil pairing is about 20% more efficient than the standard Weil pairing. Our algorithm for the squared Tate pairing on elliptic curves matches the efficiency of the algorithm given by Barreto, Lynn, and Scott in the case of arbitrary base points where their denominator cancellation technique does not apply. Our algorithm for the squared Tate pairing for hyperelliptic curves is the first detailed implementation of the pairing for general hyperelliptic curves of genus 2, and saves an estimated 30% over the standard algorithm.