decision Diffie–Hellman problem, see DDH problem
degree of a function, 212
DEM, 15, 17, 62–66
DHAES, 12
DHIES, 12
differential side-channel analysis
  point multiplication, 84
Diffie–Hellman problem, 14
Diffie–Hellman protocol, 8–10, 221, 241, 242
Digital Signature Algorithm, see DSA
Digital Signature Scheme, see DSA
distance-of-mean test, 76, 85
distortion map, 194
divisor, 184
  class group, 152, 153, 184
  defined over K, 184
  degree, 134, 184
  equivalent, 184
  evaluation of function at, 185
  group, 134
  of a function, 184
  of function, 134
  principal, 134, 184
  reduced, 135, 137, 139, 142–144, 146, 148, 149
    weight, 135
  smooth, 142–143, 149
  support, 184
domain parameters, 5, 6, 8, 12, 16
  attack, 26, 27
DSA, 4–7, 21, 229, 231
dual isogeny, 166

ECDDH problem, 202, see also DDH problem
ECDH protocol, 4, 8–10, 18, 47, 48, 220, see also DH protocol
ECDHP, 8, 202, 231, see also CDH problem
ECDLP, 8, 151–179
ECDSA, 4–9, 12, 21–40, 57, 77, see also DSA
ECIES, 4, 12–18, 41–66
ECIES-KEM, 4, 15–17, 61–66
ECMQV, 4, 10–12, 18
electromagnetic radiation leakage, 69, 74
ElGamal encryption, 223
elliptic curve cryptosystems
  attacks on, 70
  fault attacks, 72
  side-channel analysis on, 70
elliptic curves
  constructing with given embedding degrees, 208–212
  division polynomial, 109, 110, 112, 113
  generating with CM method, 210
embedding degree, 189
endomorphism ring, 168
ephemeral public keys, 8
ephemeral secret, 7
error-message attacks, 74
exponent, 183
external authenticate, 71

fault attacks, 71–72
FIPS
  FIPS-140-1, 70
  FIPS-186, 4
  FIPS-186.2, 4
forger, 23
  active, 24
  existential, 24
  passive, 24
  selective, 24
forgery, 23
Forking Lemma, 22
forward secrecy, 10
forward secure encryption, 238
Frey–Rück attack, 19, 141, 197–199
Frobenius
  automorphism, 152, 154, 160, 164, 165
  endomorphism, 99–100, 136
  map, 199
FS-PKE, 238–240
Fujisaki–Okamoto hybridization, 225, 237, 247
FullIdent, 224
function, 184
  defined over K, 184
  on a curve, 212
function field, 134, 152

Galois theory, 152
gap Diffie–Hellman
  group, 229, 230
  problem, 47, 50, 54–56
Gauss's algorithm, 136, 137
Gauss's composition, 136
Gaussian Normal Basis, 122, 126, 129
SUBJECT INDEX 279

generic group model, 7, 31–35, 56–58, 65, 141
genus, 133, 135–137, 140–143, 146, 148–150, 153–157, 159, 160, 162, 165, 172–174
GHS attack, 152–175
  isogenies, 165–172
GMR Security, 23–24
GNB, 122
GRH, 171

Hagelin machine, 72
Hamming weight, 205
Harley's algorithm, 127–128
hash Diffie–Hellman problem, 50–54
hash function
  collision resistant, 28, 30
  effective, 27, 32
  one-way, 28, 30, 32
  preimage-resistant, 28
  second-preimage resistant, 28, 32
  smooth, 30–31
  uniform, 30–31
  zero-resistant, 27, 32
Hasse interval, 200
Hasse's Theorem, 103, 114
HCDLP, 140–142, 151–179
  index-calculus algorithm, 142, 144–150
Hensel
  lemma, 110
  lifting, 110
Hessian form, 90
HIBE, 235–240
  Gentry and Silverberg Scheme, 235–237
hybrid encryption, 42, 61
hyperelliptic curve, 133–150
  group law, 136–140
    Cantor's algorithm, 136
    Lagrange's algorithm, 136
  Jacobian, 134–135
hyperelliptic involution, 134

IBE, 215, 216, 221–230, 235, 237, 239, 240, 243–245, 247, 249, 250
IBS, 228–230, 240
ID based
  blind signature, 232
  encryption, 215, 218, 221–228, see also IBE
    security of, 224–226
  hierarchical cryptography, 235–240
  key agreement, 240–242
  non-interactive key distribution, 218–220
  ring signature, 232
  signatures, 218, 228–229, see also IBS
  signcryption, 233–234
  undeniable signature, 232
ideal group model, see generic group model
ideal hash model, see random oracle model
IEEE 1363, 4
IETF, 173
IKE, 249
ILA, 69
IND-CCA2, 46, 50, 51, 54, 55, 57, 61, 64–66, 224, 226, 238, 239
IND-ID-CCA, 225, 226
index-calculus, 153, 156, 157, 159, 171, 173
indistinguishability game, 43–46, 49, 50, 63, 64, see also IND-CCA2 and IND-ID-CCA
information leakage analysis, 69
internal authenticate, 71
IPSec, 249
ISO, 4
isogeny, 165
  class, 166–167
  computing, 168
  cycles, 106
  dual, 166

Jacobi form, 90–91
Jacobian, 134–136, 142, 144, 148, 152

Karatsuba multiplication, 103
KEM, 15–17, 61–66
KEM-DEM cipher, 17, 62–66
key agreement
  tripartite, 215
key confirmation, 12
key derivation function, 50, 51, 56
  idealized, 54–56
key distribution
  Diffie–Hellman, 8–10
  ECMQV, 10
  EQMQV, 12
  from pairings, 218–221, 240–242
  multi-party, 242
  non-interactive ID based, 218–220
  tripartite, 220–221, 242
Key Encapsulation Mechanism, see KEM

key transport, 10
Koblitz curve, 99, 149
Kronecker relation, 107, 114
Kronecker–Hurwitz class number, 166
Kummer extension, 153, 175

L-polynomial, 155
Lagrange's algorithm, 136, 138, 140, 146
Lagrange's Theorem, 98
Lanczos's algorithm, 146, 147, 150
Lercier–Lubicz algorithm, 126–127
lunchtime attacks, 46

MAC, 12, 13, 15, 42, 48–54, 56, 57, 65, 218
magic number, 155
Markov chain, 80
  aperiodic, 80
  irreducible, 80
  stationary distribution, 80
Markov process, 80
  hidden, 82
meet-in-the-middle attack, 83
MESD, 85
Message Authentication Code, see MAC
midnight attacks, 46
Miller's algorithm, 196–197, 205–207
MNT criteria, 209–210
Monsky–Washnitzer cohomology, 132
MOV attack, 19, 141, 197–199, 231
multiplicity, 184
multiplier
  blinding, 98–99
  splitting, 99

NIKDS, 218, 220, 222, 223, 228, 234
NIST, 26
non-degeneracy (of modified pairing), 217
non-rational endomorphism, 194
non-repudiation, 26, 39
norm, 152
normal basis, 158
NUCOMP, 137–140, 146
NUDPL, 139
NUDUPL, 140

one-way game, see OW game
ordinary, 194, 198
OW game, 43, 45, 46, 48

pairing, see also Tate pairing and Weil pairing
  bilinear, 183–184
  bilinearity, 183
  deducing group structure, 201
  non-degeneracy, 183
  properties of, 183, 216–218
  protocols based on, 215–251
  symmetry of, 195
partial key exposure, 8, 26
passive attack, 49, 64
  on a device, 69, 72–77
Pearson correlation coefficient, 76
Pell equation, 209
PKCS#1, 74
Pohlig–Hellman simplification, 141
point blinding, 97
point counting, 103–132
point multiplication
  atomic, 94–97
  binary, 79
  double-and-add-always, 93
  low Hamming weight, 206
  Montgomery, 93–94
  randomization techniques
    base point, 97–98
    multiplier, 98–100
  window methods, 206
Pollard methods, 152, 156, 157, 160, 170, 171, 173, 174
  lambda method, 142
  rho algorithm, 18, 148, 149
power consumption leakage, 73
  Hamming weight leakage, 73
  transition count, 73
private key generator, 219
projective representation
  randomized, 97–98
provable security
  signatures, 21–40
public key validation, 18
public-key encryption scheme
  deterministic, 42
  probabilistic, 42, 43
  sound, 42

Quadratic Residuosity problem, 221
quaternion algebra, 198

Rück attack, 141–142
ramification index, 212
ramification points, 134

random oracle model, 32–36, 41, 54–57, 65, 219, 226, 228, 230
random walks, 142
randomized isomorphism
  curve, 98
  field, 98
rarely zero hash, 27
Riemann–Roch theorem, 135
RSA, 9, 74, 97
RSA-OAEP, 74

Satoh's algorithm, 103–132
Satoh–Skjernaa–Taguchi algorithm, 123–125
SCA, 69–100
Schönhage–Strassen multiplication, 103
Schoof's algorithm, 103
SEA algorithm, 103
SECG, 4, 18
security multiplier, 189
self-pairings, 193
SEMD, 84
semi-logarithm, 24–26, 29, 35
SHA-1, 5, 19
SHA-256, 5
SHA-384, 5
side-channel analysis
  simple, 87
side-channel analysis, 8, 69–100
  combining, 74
  differential, 69, 75–76, 84
  first-order, 76
  multiple-exponent single-data, 85
  point arithmetic, 80–83
  point multiple, 77
  second-order, 76
  simple, 69, 74–75
  point multiplication, 77–83
  single-exponent multiple-data, 84
  zero-exponent multiple-data, 85
side-channels, 72–74
smart cards, 71
  simple attacks on, 71
SSL/TLS protocol, 242
straight line program, 197
supersingular curve, 194, 198–201
  embedding degrees, 199
symmetric cipher, 48–218
symmetric encryption, 50
symmetry (of modified pairing), 217

tamper attacks, 70, 71
tamper resistant device, 70
Tate pairing, 48, 141, 183, 185–197, 206–208, 216, 217, 250
  efficient computation, 205–208
  Miller's algorithm, 196–197
  over finite fields, 189–191
  properties, 187–189
timing attack, 72–73
timing variation attacks, 72
trace map, 194–195
tripartite key agreement, 220–221, 223
Trusted Authority, 218

Vélu's formulae, 110, 111, 113
Vercauteren's algorithm, 114–115
Vernam cipher, 48, 49, 60
Verschiebung, 109
Viterbi algorithm, 83

Weidemann's algorithm, 150
Weierstraß point, 133, 134
Weil conjectures, 106, 119
Weil descent, 151–179, 208, 231
  Artin–Schreier constructions, 176–177
  Kummer constructions, 175–176
Weil pairing, 48, 141, 183, 185, 191–197, 201, 206, 207, 216, 217, 250
  generalized, 192
  properties, 191
Weil reciprocity, 184–185, 212–213
Weil restriction, 151
Wiedemann's algorithm, 146

ZEMD, 85
zeta function, 155
