Use of elliptic curves in cryptography
Lecture notes in computer sciences; 218 on Advances in cryptology---CRYPTO 85
Conductance and the rapid mixing property for Markov chains: the approximation of permanent resolved
STOC '88 Proceedings of the twentieth annual ACM symposium on Theory of computing
Explicit bounds for primes in residue classes
Mathematics of Computation
Elliptic curves in cryptography
Elliptic curves in cryptography
Handbook of Applied Cryptography
Handbook of Applied Cryptography
Extending the GHS Weil Descent Attack
EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
ANTS-II Proceedings of the Second International Symposium on Algorithmic Number Theory
Isogeny Volcanoes and the SEA Algorithm
ANTS-V Proceedings of the 5th International Symposium on Algorithmic Number Theory
Random Cayley graphs and expanders
Random Structures & Algorithms
Bits Security of the Elliptic Curve Diffie---Hellman Secret Keys
CRYPTO 2008 Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology
On the bits of elliptic curve Diffie-Hellman Keys
INDOCRYPT'07 Proceedings of the cryptology 8th international conference on Progress in cryptology
Trading one-wayness against chosen-ciphertext security in factoring-based encryption
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Efficient scalar multiplication by isogeny decompositions
PKC'06 Proceedings of the 9th international conference on Theory and Practice of Public-Key Cryptography
MV3: a new word based stream cipher using rapid mixing and revolving buffers
CT-RSA'07 Proceedings of the 7th Cryptographers' track at the RSA conference on Topics in Cryptology
| Hi-index | 0.00 |
The aim of this paper is to justify the common cryptographic practice of selecting elliptic curves using their order as the primary criterion. We can formalize this issue by asking whether the discrete log problem (dlog) has the same difficulty for all curves over a given finite field with the same order. We prove that this is essentially true by showing polynomial time random reducibility of dlog among such curves, assuming the Generalized Riemann Hypothesis (GRH). We do so by constructing certain expander graphs, similar to Ramanujan graphs, with elliptic curves as nodes and low degree isogenies as edges. The result is obtained from the rapid mixing of random walks on this graph. Our proof works only for curves with (nearly) the same endomorphism rings. Without this technical restriction such a dlog equivalence might be false; however, in practice the restriction may be moot, because all known polynomial time techniques for constructing equal order curves produce only curves with nearly equal endomorphism rings.