This contains the References of the Handbook of Elliptic and Hyperelliptic Curve , Henri Cohen, Christophe Doche, and Gerhard Frey, Editors, CRC Press 2006.

CRC Press has granted the following specific permissions for the electronic version of this book: Permission is granted to retrieve a copy of this chapter for personal use. This permission does not extend to binding multiple chap- ters of the book, photocopying or producing copies for other than personal use of the person creating the copy, or making electronic copies available for retrieval by others without prior permission in writing from CRC Press.

The standard copyright notice from CRC Press applies to this electronic version: Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy- ing, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher.

The consent of CRC Press does not extend to copying for general distribu- tion, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press for such copying.

c 2006 by CRC Press, LLC. References

Numbers in the margin specify the pages where citations occur

+



ĺ ź ÐÑ Ò Âº Å ÖÖ × Åº¹º ÀÙ Ò ½¾¸ ½¸ ½ [ 1999] , ,& , A subexponential algorithm for discrete logarithms over hyperelliptic curves of large genus over GF(q), Theoret. Com-

put. Sci. 226 (1999), 7–18.



¼½ ĺ ź ÐÑ Ò Åº¹º ÀÙ Ò [ÀÙ 1992] & , Primality testing and Abelian varieties over finite

fields, Lecture Notes in Math., vol. 1512, Springer-Verlag, Berlin, 1992.

 ¾¾ [ÀÙ 1996] , Counting rational points on curves and abelian varieties over finite fields, Algo- rithmic Number Theory Symposium – ANTS II, Lecture Notes in Comput. Sci., vol. 1122,

Springer-Verlag, Berlin, 1996, 1–16.

 ¾¾ [ÀÙ 2001] , Counting points on curves and abelian varieties over finite fields, J. Symbolic Comput. 32 (2001), 171–189.

+



 ĺ ÐÑ Ò º ÈÓÑÖ Ò ʺ ÊÙÑÐÝ [ÈÓ 1983] , ,& , On distinguishing prime numbers from composite numbers, Ann. of Math. 117 (1983), 173–206.

+



Ö º Ö Û Ð º Ö Ñ ÙÐØ Âº ʺ Ê Ó Èº ÊÓ Ø [ 2003] , , ,& , The EM Side-  ¾ Channel(s), Cryptographic Hardware and Embedded Systems – CHES 2002, Lecture Notes in Comput. Sci., vol. 2523, Springer-Verlag, Berlin, 2003, 29.

+



¼½ à ź Ö Û Ð Æº Ã Ý Ð Æº Ë ÜÒ [ 2002] , ,& , PRIMES is in P, preprint, date Aug. 6th, 2002.

http://www.cse.iitk.ac.in/primality.pdf



"Ì Ìº " × Ø Ìº Ì "  [ 2003] & , Zero-value point attacks on elliptic curve ,  ¾ Information Security Conference – ISC 2003, Lecture Notes in Comput. Sci., vol. 2851, Springer-Verlag, Berlin, 2003, 218–233.

+



 ¿ ʺ Ð%ÓÖ º $Ö ÒÚ ÐÐ º ÈÓÑÖ Ò [Ð$Ö 1994] , ,& , There are infinitely many Carmichael numbers, Ann. of Math. 139 (1994), 703–722.

+



'º й ÓÙ ʺ Å ÑÓ ź ÊÙ× Ò º à РÑ Ò ¾ ¿ [ÐÅ 2002] , , ,& , A new addition formula for elliptic curves over GF(2n), IEEE Trans. on Computers 51 No8 (2002), 972– 975.

+



½ Áº Ò×Рź Ò×Ð º $ÓÐ%Ð [ÒÒ 1999] , ,& , An algebraic method for public cryp-

tography, Math. Res. Lett. 6 (1999), 287–291.



½¿¸  ¼ ÆËÁ )*º+¾¹½*** [Ò× )*º+¾- , Public key cryptography for the financial services industry: The

elliptic curve algorithm (ECDSA), 1999.



Ô×- Áº ÅÓÒÒÐÐ [ , Maple programs. ¾

ftp://ftp.math.mcgill.ca/pub/apecs



Ø" º Ǻ ĺ Ø" Ò ½¸ ¾½ [ 1988] , The number of points on an elliptic curve modulo a prime, 1988.

E-mail on the Number Theory Mailing List.



Ø" ½¸ ½ [ 1991] , The number of points on an elliptic curve modulo a prime, 1991. E-mail on the

Number Theory Mailing List.



ØÅÓ º Ǻ ĺ Ø" Ò 1º ÅÓÖ Ò  ¸  [ 1993] & , Elliptic curves and primality proving, Math. Comp. 61 (1993), 29–68.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC 737

738 References



Ú Êº ź Ú ÒÞ ½ [ 2002] , On multi-exponentiation in cryptography, Tech. Report 154, AREHCC, 2002.

http://citeseer.nj.nec.com/545130.html



Ú ¾ ¸ ¿¾¸ ¼ [ 2004a] , Aspects of hyperelliptic curves over large prime fields in software implementa- tions, Cryptographic Hardware and Embedded Systems – CHES 2004, Lecture Notes in

Comput. Sci., vol. 3156, Springer-Verlag, 2004, 148–162.



Ú ¼¼ ¼ [ 2004b] , Countermeasures against Differential Power Analysis for hyperelliptic curve , Cryptographic Hardware and Embedded Systems – CHES 2003, Lecture

Notes in Comput. Sci., vol. 2779, Springer-Verlag, Berlin, 2004, 366–381.



½¿¸ ½ Ú [ 2005a] , A note on the signed sliding window integer recoding and a left-to-right analogue, Selected Areas in Cryptography – SAC 2004, Lecture Notes in Comput. Sci., vol. 3357,

Springer-Verlag, Berlin, 2005, 130–143.



Ú [ 2005b] , On the complexity of certain multi-exponentiation techniques in cryptography,J. ½

Cryptology (2005), to appear.



Ú  ¸ ¼ [ 2005c] , Side channel attacks on implementations of curve-based cryptographic primi- tives, preprint, extended version of AREHCC-report, 2005.

http://eprint.iacr.org/2005/017/



Ú ʺ ź Ú ÒÞ 'º ×Ò ¿ ¿ [ 2005] & , Trace zero varieties over binary fields for cryptography, preprint, 2005.

+



Ú ʺ ź Ú ÒÞ Åº  Ø 1º Ë  ¿¼½¸ ¿ [ 2004] , ,& , Faster scalar multiplication on Koblitz curves combining point halving with the Frobenius endomorphism, Public Key Cryptography – PKC 2004, Lecture Notes in Comput. Sci., vol. 2947, Springer-Verlag, 2004, 28–40.

+



¿ ¸ ¿ ÚÀ ʺ ź Ú ÒÞ º ÀÙÖÖ Àº ÈÖÓ ÒÖ [ 2004] , ,& , Scalar multiplication on Koblitz curves using the Frobenius endomorphism and its combination with point halving: exten- sions and mathematical analysis, preprint, 2004.

http://finanz.math.tu-graz.ac.at/~cheub/publications/tauext.pdf



½¿¸ ¿ ¿¸ ¿  ÚÄ Êº ź Ú ÒÞ Ìº Ä Ò [ 2005] & , Cryptographic applications of trace zero varieties,

preprint, 2005.



ÚŠʺ ź Ú ÒÞ Èº Å 3 Ð×Ù ½ ¾¸ ¾¿¼¸ ¾¿ [ 2004] & , Generic efficient arithmetic algorithms for PAFFs (Processor Adequate Finite Fields) and related algebraic structures, Selected Areas in Cryptography – SAC 2003, Lecture Notes in Comput. Sci., vol. 3006, Springer-Verlag,

Berlin, 2004, 320–334.



ÚÌ ʺ ź Ú ÒÞ Æº Ì4Ö ÙÐØ [ 2004] & , Random walks and filtering strategies for index  ¸ ¼¸ ½ calculus, Manuscripts, 2004.

+



  Àº  Ö¹'Ð Àº ÓÙ"Ö º Æ   ź ÌÙÒ×Ø ÐÐ º ÏÐ Ò [ 2004] , , , ,& , The   sorcerer’s apprentice guide to fault attacks, Workshop on Fault Diagnosis and Tolerance in Cryptography – FDTC 2004, 2004. http://www.elet.polimi.it/res/FDTC04/Naccache.pdf

+



ʺ  Ö٠ʺ ÙØØ Èº Ë Ö" Ö   [ Ù 2004] , ,& , Provably secure authenticated tree based group key agreement protocol using pairing, preprint, 2004. http://eprint.iacr.org/2004/90/

+



º  × Ö º 'Ò º¹º 1 Ù6Ö ƺ $7ÖÐ ¿¾ [ 'Ò 2002] , , ,& , The arithmetic of Jacobian groups of superelliptic cubics, Tech. report, INRIA – RR-4618, 2002.

+

 ¿¾ [ 'Ò 2004] , Implementing the arithmetic of C3,4 curves, Algorithmic Number Theory Sym- posium – ANTS VI, Lecture Notes in Comput. Sci., vol. 3076, Springer-Verlag, Berlin,

2004, 87–101.



ʺ º  "Ö $º À ÖÑ Ò  ¿ [ À 1998] & , Shifted primes without large prime factors, Acta Arith. 83 No4 (1998), 331–361.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

References 739



Àº  Ö ¿ [ 2003] , A fast Java implementation of a provably secure pseudo random bit generator based on the elliptic curve problem, Tech. Report TI 7/03, University of Darmstadt, 2003.

+

¿ ¸  ¼¸  ¿¸ Ⱥ˺ĺź ÖÖØÓÀº 8º Ã Ñ º ÄÝÒÒ Åº ËÓØØ

[ Ã 2002] , , ,& , Efficient algorithms  for pairing-based cryptosystems, Advances in Cryptology – Crypto 2002, Lecture Notes 

in Comput. Sci., vol. 2442, Springer-Verlag, Berlin, 2002, 354–368.

Ó Êº  Ð ×ÙÖ Ñ Ò Ò Æº ÃÓÐ ØÞ ¿ ¸ ¸  ¸

[ Ã 1998] & , The improbability that an elliptic curve has  a sub-exponential discrete log problem under the MenezesÐOkamotoÐVanstone algorithm,   J. Cryptology 11 (1998), 141–145.

+



Ý Èº ˺ ĺ ź  ÖÖØÓ º ÄÝÒÒ Åº ËÓØØ  ¸  [ Ä 2003] , ,& , Constructing elliptic curves with prescribed embedding degrees, Security in Communication Networks – SCN 2002, Lec- ture Notes in Comput. Sci., vol. 2576, Springer-Verlag, Berlin, 2003, 257–267.

+



 ÄÝ [ 2004a] , Efficient implementation of pairing-based cryptosystems, J. Cryptology 17  ¸  (2004), 321–334.

+



Ý ¿ [ Ä 2004b] , On the selection of pairing-friendly groups, Selected Areas in Cryptography – SAC 2003, Lecture Notes in Comput. Sci., vol. 3006, Springer-Verlag, Berlin, 2004, 17–

25.



º κ  ÐÝ º È Ö ¾¾ [ È 1998] & , Optimal extension fields for fast arithmetic in public key algorithms, Advances in Cryptology – Crypto 1998, Lecture Notes in Comput. Sci., vol.

1462, Springer-Verlag, Berlin, 1998.



¿ ¸  ¿ Ⱥ ˺ ĺ ź  ÖÖØÓ [ Ö- , The pairing-based crypto lounge.

http://planeta.terra.com.br/informatica/paulobarreto/pblounge.html



 Ö Èº  ÖÖØØ [ 1987] , Implementing the Rivest Shamir and Adleman public key al- ½ gorithm on a standard digital signal processor, Advances in Cryptology – Crypto 1986,

Lecture Notes in Comput. Sci., vol. 263, Springer-Verlag, Berlin, 1987, 311–323.



 Ï Êº  ÐÐ  ËºËºÏ ×Ø %%¸ ÂÖº [ 1980] & , Lucas pseudoprimes, Math. Comp. 35 (1980),  

1391–1417.



 ; º  " 8º ;Ò [ 2004] & , Identity-based threshold decryption, Public Key Cryptography  – PKC 2004, Lecture Notes in Comput. Sci., no. 2947, Springer-Verlag, 2004, 262–276.

+



 1º ÖÖÓÒ Âº Ö×ØР˺ ÖÐ" º ÙÓ [ 1989] , , ,& , Addition chains using con- ½½¸ ½ tinued fractions, J. Algorithms 10 No3 (1989), 403–412.

+



 1º ÖÖÓÒ Âº Ö×ØР˺ ÖÐ" [ 1994] , ,& , Efficient computation of addition chains, ½¾

J. Théor. Nombres Bordeaux 6 (1994), 21–38.



 1º " [ 1998] , Integrated circuit failure analysis Ð a guide to preparation techniques, John  ½

Wiley & Sons, Ltd., 1998.



Ó Èº Àº ̺ ÐÒ Âº ź ÓÙÑÒ [ 2002] & , Pseudorandom sequences from elliptic curves, ¿¾¸ ¿¿ Finite fields with applications to coding theory, cryptography and related areas, Springer- Verlag, 2002, 37–52.

+



¾¾½ ̺ Ø Ϻ $ ×ÐÑ ÒÒ 1º ÅÝÖ [$ 1991] , ,& , Finding (good) normal basis in finite fields, International Symposium on Symbolic and Algebraic Computations – ISSAC 1991, ACM Press, Bonn, 1991, 173–178.

+



$Ó Åº ÐÖ Êº Ϻ $Ó×ÔÖ Êº ËÖÓÔÔÐ [ 1972] , ,& , HAKMEM, Memo 239, Mas-  

sachusetts Institute of Technology Artificial Intelligence Laboratory, February 1972.



ÃÒ Êº Ú Ò 'º Ϻ ÃÒÙ×Ò [ 2003] & , Ways to enhance differential power analysis, Infor-  ¼ mation Security and Cryptology – ICISC 2002, Lecture Notes in Comput. Sci., vol. 2587, Springer-Verlag, 2003, 327–342.

+



½ 'º ʺ ÖÐ" ÑÔ Êº º Å'Ð  Àº º Ú Ò Ì ÐÓÖ [Å 1978] , ,& , On the inherent intractability of certain coding problems, IEEE Trans. Inform. Theory 24 No3 (1978), 384–386.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

740 References



'º ʺ ÖÐ" ÑÔ ¼ [Ö 1967] , Factoring over finite fields, Bell System Tech. J. 46

(1967), 1853–1859.



Ⱥ ÖØÐÓØ ½¿ [Ö 1974] , Cohomologie cristalline des schémas de caractéristique p>0, Lecture

Notes in Math., vol. 407, Springer-Verlag, Berlin, 1974.



'º ʺ ÖÐ" ÑÔ ¿ [Ö 1982] , Bit-serial ReedÐSolomon encoder, IEEE Trans. Inform. Theory

IT-28 (1982), 869–874.



Ⱥ ÖØÐÓØ ½¿ [Ö 1986] , Géométrie rigide et cohomologie des variétés algébriques de carac- téristique p, Mém. Soc. Math. France (N.S.) No23 (1986), 3, 7–32, Introductions aux

cohomologies p-adiques (Luminy, 1984).



º º ÖÒ×Ø Ò ½ ¸ ½ [Ö 1998] , Detecting perfect powers in essentially linear time, Math. Comp. 67

No223 (1998), 1253–1283.

 ½  [Ö 2001a] , Multidigit multiplication for mathematicians, 2001.

http://cr.yp.to/papers.html



Ö Èº ÖÖ Þ Ø [ 2001b] , Sharpening “primes in P” for a large family of numbers, preprint, ¼½ 2001.

http://lanl.arxiv.org/abs/math.NT/0211334

º º ÖÒ×Ø Ò ½¸ ½¸ ½ ¸

[Ö 2002] , Pippenger’s exponentiation algorithm, 2002. preprint. 

http://cr.yp.to/papers.html ½

 ¼½ [Ö 2004a] , Proving primality in essentially quartic random time, preprint, 2004.

http://cr.yp.to/papers.html

 ½  [Ö 2004b] , Scaled remainder trees, preprint, 2004.

http://cr.yp.to/papers.html



½ º¹º ÀÖÚ4 º ËÖÔØØ º ÎÙ ÐÐÑ Ò [ ÆÙÑ- , ,& , BigNum: A portable and efficient package for arbitrary-precision arithmetic, Tech. report, Digital Paris Research Labora-

tory, 1989, available via e-mail from [email protected].



 ÂÓ Çº  ÐÐØ Åº ÂÓÝ [ 2003] & , The Jacobi model of an elliptic curve and Side-Channel Anal-   ysis, Applicable Algebra, Algebraic Algorithms and Error-Correcting Codes – AAECC 2003, Lecture Notes in Comput. Sci., vol. 2643, Springer-Verlag, Berlin, 2003, 34–42.

+

 Å Áº  Ð º ÅÝÖ Îº Å7ÐÐÖ

[ 2000] , ,& , Differential fault attacks on elliptic curve cryp-  ¸  ¸  tosystems, Advances in Cryptology – Crypto 2000, Lecture Notes in Comput. Sci., vol. ¼ ¼

1880, Springer-Verlag, Berlin, 2000, 131–146.



º º  Ö ¼ [ Ö 1968] , How the number of points of an elliptic curve over a fixed prime field

varies, J. London Math. Soc. 43 (1968), 57–60.



 Ë 'º   Ñ º Ë Ñ Ö [ 1997] & , Differential fault analysis of secret key cryptosystems, Ad-  ¿ vances in Cryptology – Crypto 1997, Lecture Notes in Comput. Sci., vol. 1294, Springer-

Verlag, 1997, 513–525.



Ð $º Ð Ý [ 2002] , Die Weil-Restriktion elliptischer Kurven in der Kryptographie, Master’s the- ¿ ¿ sis, Universität-Gesamthochschule Essen, 2002.

+



ĺ ÐÙÑ Åº ÐÙÑ Åº ËÙ ¾½ [ÐÐ 1986] , ,& , A simple unpredictable pseudo-random number

generator, SIAM J. Comput. 15 (1986), 364–383.



º Ð Ò Ö º 1Ð ÑÑÒ" ÑÔ ½ [Ð1Ð- & , An efficient algorithm for computing shortest addition chains. http://www.uni-bielefeld.de/~achim/ac.dvi

+



¼ Áº 1º Ð " ʺ 1Ù< ¹À Ö Êº º ÅÙÐÐ Ò ËººÎ Ò×ØÓÒ [Ð1Ù 1984] , , ,& , Computing logarithms in finite fields of characteristic two, SIAM J. Algebraic Discrete Methods 5 No2 (1984), 276–285.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC References 741

+



Áº 1º Ð " ˺ $ Ó Êº º Ä ÑÖØ ¾½ [Ð$ 1994a] , ,& , Constructive problems for irreducible polynomials over finite fields, Proceedings of the 1993 Information Theory and Applica- tions Conference, Lecture Notes in Comput. Sci., vol. 793, Springer-Verlag, Berlin, 1994, 1–23.

+



Ð$ Áº 1º Ð " ˺$ Ó Êº º ÅÙÐÐ Ò [ 1994b] , ,& , Normal and self dual normal bases from ¿ factorization of cxq+1 + dxq − ax − b, SIAM J. Discrete Math. 7 No3 (1994), 499–512.

+



Áº 1º Ð " ˺$ Ó Êº º Ä ÑÖØ ¾½ [Ð$ 1996] , ,& , Construction and distribution problems for irreducible trinomials over finite fields, Applications of Finite Fields, Oxford University Press, New York, 1996, 19–32.

+



ÐÅÙ Áº 1º Ð " ʺ º ÅÙÐÐ Ò ËººÎ Ò×ØÓÒ F [ 1984] , ,& , Computing logarithms in 2n , ¼ Advances in Cryptology – Crypto 1984, Lecture Notes in Comput. Sci., vol. 196, Springer- Verlag, 1984, 73–82.

+



Áº 1º Ð " ú ÅÙÖØÝ $º )Ù ¼½ [ÐÅÙ 2004] , ,& , Refinements of Miller’s algorithm for computing Weil/Tate pairing, preprint, 2004. http://eprint.iacr.org/2004/065/

+



º Ð=ÑÖ Åº ÇØØÓ Âº¹Èº Ë %ÖØ ¼ [ÐÇØ 2004] , ,& , Sign change fault attacks on elliptic curve cryptosystems, preprint, 2004. http://eprint.iacr.org/2004/227/

+ n



¾½ ¸ ¾¾½ Ó Áº 1º Ð " ʺ ź ÊÓØ $º ËÖÓÙ×× [ÐÊ 1998] , ,& , Efficient arithmetic in GF(2 ) through palindromic representation, Tech. Report HPL-98-134, Hewlett–Packard, August 1998. http://www.hpl.hp.com/techreports/98/HPL-98-134.pdf

+



½ Áº 1º Ð " $º ËÖÓÙ×× Æº Ⱥ ËÑ ÖØ [ÐË 1999] , ,& , Elliptic curves in cryptography, Lon- don Mathematical Society Lecture Note Series, vol. 265, Cambridge University Press, Cambridge, 1999.

+

  [ÐË 2005] , Advances in elliptic curve cryptography, London Mathematical Society Lecture Note Series, vol. 317, Cambridge University Press, Cambridge, 2005.

+



ÓÓ º ÓÒ )º ÓÝÒ 'º¹Âº $Ó [ 2005] , ,& , Hierarchical Identity Based encryption with  constant size , preprint, 2005.

http://eprint.iacr.org/2005/015/



½¾¸ ½¿ º Ó× Åº º Ó×ØÖ [ÓÓ 1990] & , Addition chain heuristics, Advances in Cryptology – Crypto 1989, Lecture Notes in Comput. Sci., vol. 435, Springer-Verlag, Berlin, 1990, 400–407.

+



 ¿¸ ¼ º ÓÒ ʺ Å ÐÐÓ Êº Ä ÔØÓÒ [Ó 1997] , ,& , On the importance of checking crypto- graphic protocols faults, Advances in Cryptology – Eurocrypt 1997, Lecture Notes in Comput. Sci., vol. 1233, Springer-Verlag, Berlin, 1997, 37–51.

+



Ó Áº ÓÙÛ º  Ñ Âº ËÓÐØÒ F [ 2004] , ,& , Ordinary elliptic curves of high rank over p ½¿½

with constant j-invariant, Manuscripta Math. 114 (2004), 487–501.

º ÓÒ ź 1Ö Ò"Ð Ò ¿ ¸  ¸  ¿¸

[Ó1Ö 2001] & , Identity based encryption from the Weil pairing, Advances  in Cryptology – Crypto 2001, Lecture Notes in Comput. Sci., vol. 2139, Springer-Verlag,  ¸  ¼ Berlin, 2001, 213–229.

o

 Ó1Ö [ 2003] , Identity based encryption from the Weil pairing, SIAM J. Comput. 32 N 3  ¸  ¸  ¿ (2003), 586–615.

+



º Ó×Ø Ò Èº $ ÙÖÝ >º ËÓ×Ø ½¾ [Ó$ 2004] , ,& , Linear recurrences with coeffi- cients and application to and CartierÐManin operator, Proceedings of Fq7, Lecture Notes in Comput. Sci., vol. 2948, Springer-Verlag, Berlin, 2004, 40–58.

+



º Ó×× Ð Ö× Êº $ÓÚ ÖØ× Âº Î ÒÛ ÐÐ ½ ¸ ½ ¾ [Ó$Ó 1994] , ,& , Comparison of three modular reduction functions, Advances in Cryptology – Crypto 1993, Lecture Notes in Comput.

Sci., vol. 773, Springer-Verlag, Berlin, 1994, 175–186.



¼ Ϻ Ó×Ñ º ú ÄÒ×ØÖ

[ÓÄ 1995] & , An implementation of the elliptic curve integer factor-

º Ú Ò Ö

ization method, Computational algebra and number theory (Ϻ Ó×Ñ & ØÒ ÈÓÓÖ , eds.), Kluwer Academic Publishers, 1995.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC 742 References

+



Ý º ÓÒ º ÄÝÒÒ Àº Ë  Ñ  ¸  ¸  [ÓÄ 2002] , ,& , Short signatures from the Weil pairing, Advances in Cryptology – Asiacrypt 2001, Lecture Notes in Comput. Sci., vol. 2248, Springer-Verlag, Berlin, 2002, 514–532.

+



Ý  ¸  ¸ 

[ÓÄ 2004] , Short signatures from the Weil pairing, J. Cryptology 17 (2004), 297–319.



ÓÓ º º ÓÓØ [ 1951] , A signed binary multiplication technique, Quarterly J. Mech. Appl. Math. ½½

4 (1951), 236–240.



Ϻ Ó×Ñ ½½ [Ó× 2001] , Signed bits and fast exponentiation, J. Théor. Nombres Bordeaux 13 (2001),

27–41.



¿ ¸  º ÓÒ ʺ ÎÒ" Ø× Ò [ÓÎ 1996] & , Hardness of computing the most significant bits of se- cret keys in Diffie–Hellman and related schemes, Advances in Cryptology – Crypto 1996,

Lecture Notes in Comput. Sci., vol. 1109, Springer-Verlag, Berlin, 1996, 129–142.



Ö º Ö ÙÖ

[ 1939] , On addition chains, Bull. Amer. Math. Soc. 45 (1939), 736–739. ½ ¸ ½



$º Ö ×× Ò Ⱥ Ö ØÐÝ  [ÖÖ 1996] & , Fundamentals of Algorithmics, Prentice-Hall, Inc., Englewood Cliffs NJ, 1996, first published as Algorithmics — Theory & Practice, 1988.

+



>º Ö Ö º Ð Ú Ö 1º ÇÐ Ú Ö  ¼ [ÖÐ 2004] , ,& , Correlation power analysis with a leakage model, Cryptographic Hardware and Embedded Systems – CHES 2004, Lecture Notes in Comput. Sci., vol. 3156, Springer-Verlag, Berlin, 2004, 16–29.

+



ÖÙ Àº ÖÙÒÒÖ º ÙÖ Ö Åº ÀÓ%×ØØØÖ [ 1993] , ,& , On computing multiplicative in- ¾¾¿ verses in GF(2m), IEEE Trans. on Computers 42 No8 (1993), 1010–1015.

+



  >º Ö Ö Áº 46Ò ź ÂÓÝ [Ö4 2004] , ,& , Unified point addition formulæ for elliptic curve cryptosystems, Embedded Cryptographic Hardware: Methodologies & Architec-

tures, Nova Science Publishers, 2004.



  ʺ Ⱥ ÖÒØ [Ö 1980] , An improved Monte Carlo factorization algorithm, BIT 20 (1980), 176–

184. The paper can be obtained as a series of .gif bitmaps from [ÖÒØ].

 ½¸ ¾ [ÖÒØ- , homepage, Oxford University Computing Laboratory. http://web.comlab.ox.ac.uk/oucl/work/richard.brent

+



½ 'º 1º Ö "ÐÐ º ź $ÓÖÓÒ Ãº ˺ ÅÙÖÐÝ º º Ï Ð×ÓÒ [Ö$Ó 1993] , , ,& , Fast exponentiation with precomputation, Advances in Cryptology – Eurocrypt 1992, Lecture

Notes in Comput. Sci., vol. 658, Springer-Verlag, Berlin, 1993, 200–207.



¾  >º Ö Ö Åº ÂÓÝ [ÖÂÓ 2002] & , Weierstra§ elliptic curves and side channels attacks, Public Key Cryptography – PKC 2002, Lecture Notes in Comput. Sci., vol. 2274, Springer-Verlag,

2002, 335–345.

 ¾ ¾¸  ¸ ¼ [ÖÂÓ 2003] , Fast point multiplication on elliptic curves through isogenies, Applicable Alge- bra, Algebraic Algorithms and Error-Correcting Codes – AAECC 2003, Lecture Notes in

Comput. Sci., vol. 2643, Springer-Verlag, Berlin, 2003, 43–50.



ÖÃ٠ʺ Ⱥ ÖÒØ Àº ̺ ÃÙÒ [ 1978] & , Fast algorithms for manipulating formal power series, ¾¾

J. Assoc. Comput. Mach. 25 No4 (1978), 581–595.

 ¾¼¸ ¾¾¿ [ÖÃÙ 1983] , Systolic VLSI arrays for linear-time GCD computation, VLSI 1983, Elsevier Science Publishers B. V., 1983, 145–154.

+



ÖÅÝ 'º ÖÓÛÒ º ̺ ÅÝÖ× Âº º ËÓÐ Ò × [ 2001] , ,& , Elliptic curves with compact param- ¿ ¾¸ ¿ ¿ eters, Combinatorics and Optimization Research Report CORR 2001-68, University of Waterloo, 2001.

http://www.cacr.math.uwaterloo.ca/techreports/2001/corr2001-68.ps



ʺ Ö="Ö Èº ËØÚÒ Ò  [ÖËØ 2004] & , Elliptic curves with a given number of points, Al- gorithmic Number Theory Symposium – ANTS VI, vol. 3076, Springer-Verlag, Berlin,

2004, 117–131.



٠ƺ $º  ÖÙ <Ò  ¼ [Ö 1966] , On the number of positive integers x and free of prime factors >y,II, Indag. Math. 38 (1966), 239–247.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

References 743



٠Ⱥ ˺ ÖÙ"Ñ Ò  

[Ö 1994] , Lucas pseudoprimes are odd, Fib. Quart. 32 (1994), 155–157.



1º ÖÞ Ò º ÏÒ  [ÖÏ 2004] & , Elliptic curves suitable for pairing based cryptography, preprint, 2004.

http://eprint.iacr.org/2003/143/



¾½ ʺ Ⱥ ÖÒØ Èº ; ÑÑÖÑ ÒÒ [Ö; 2003] & , Random number generators with period divisible by a Mersenne prime, Computational Science and its Applications – ICCSA 2003, vol.

2667, Springer-Verlag, Berlin, 2003, 1–10.



ź ÙÖÑ×ØÖ 8º ×ÑØ ½¿¸   [Ù 1995] & , A secure and efficient conference key distribution system, Advances in Cryptology – Eurocrypt 1994, Lecture Notes in Comput. Sci., vol.

950, Springer-Verlag, Berlin, 1995, 275–286.

 ½¿¸   [Ù 1997] , Efficient and secure conference key distribution, Proceedings of the 1996 Work- shop on Security Protocols, Lecture Notes in Comput. Sci., vol. 1189, Springer-Verlag,

Berlin, 1997, 119–130.

   [Ù 2004] , Identity based key infrastructures, Proceedings of the IFIP 2004 World Computer Congress, Kluwer Academic Publishers, 2004.

+



Ù$Ó º Ϻ ÙÖ"× Àº Àº $ÓÐ×Ø Ò º ÚÓÒ ÆÙÑ ÒÒ [ 1946] , ,& , Preliminary discussion ¿¾ of the logical design of an electronic computing instrument, Tech. Report Princeton, NJ, Institute for Advanced Study, 1946.

+



º ÙÑ ÒÒ Åº º  Ó×ÓÒ¸ ÂÖº 'º Ì×"  ½ [Ù 1997] , ,& , On some computational prob-

lems in finite abelian groups, Math. Comp. 66 (1997), 1663–1687.



 º ÙÖ×"Ý [ÙÖ 1999] , Flash and EEPROM storage boost 8-bit mcu flexibility, Electronic Design

47 No5 (1999).



 º ÙÑ ÒÒ Àº º Ï ÐÐ Ñ× [ÙÏ 1988] & , A key-exchange system based on imaginary

quadratic fields, J. Cryptology 1 No2 (1988), 107–118.



Ù; º ÙÖÒ "Рº ; ÐÖ [ 1998] & , Fast recursive division, Tech. Report MPI-I-98-1-022, ½ Max Planck Institut für Informatik, October 1998.

http://data.mpi-sb.mpg.de/internet/reports.nsf/



º ÝÖ Ñ< ˺ ÙÕÙ×Ò F ¿¿ [ÝÙ 2004] & , Classification of genus 2 curves over 2n and opti- mization of their arithmetic, preprint, 2004. http://eprint.iacr.org/2004/107/

+



 'Ö 'º ʺ  Ò% Ð Ⱥ 'Ö@× º ÈÓÑÖ Ò [ 1983] , ,& , On a problem of Oppenheim ¼

concerning factorizatio numerorum, J. Number Theory 17 (1983), 1–28.



¸ ¿¾ º Ϻ ˺  ××Ð× 'º κ 1ÐÝÒÒ [ 1Ð 1996] & , Prolegomena to a middlebrow arithmetic of curves of genus 2, London Mathematical Society Lecture Note Series, vol. 230, Cambridge University Press, 1996.

+



 ¼ Ó Âº  Ø ÐÓ 1º ÃÓÙÒ º¹Âº ÉÙ ×ÕÙ ØÖ [ à 2003] , ,& , A new type of timing attack: appli- cations to GPS, Cryptographic Hardware and Embedded Systems – CHES 2003, Lecture

Notes in Comput. Sci., vol. 2779, Springer-Verlag, Berlin, 2003, 291–303.



Ⱥ  Ñ ÓÒ F ¼ [ Ñ 1981] , Factorisation des polynômes de q[X], Tech. Report RR-0093, INRIA,

September 1981, in French.

  Ñ [ 1983] , Improving an algorithm for factoring polynomials over a finite field and con- ¼ structing large irreducible polynomials, IEEE Trans. Inform. Theory 29 No3 (1983), 378–

385.



 Ñ-  ÑÖ  ÍÒ ÚÖ× ØÝ [ , TAMPER Lab homepage.  ¼

http://www.cl.cam.ac.uk/Research/Security/tamper/



º $º  ÒØÓÖ ¿¼ [ Ò 1987] , Computing in the Jacobian of a hyperelliptic curve, Math. Comp. 48 (1987), 95–101.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

744 References



ĺ  ÖÐ ØÞ ¿ [ Ö 1932] , The arithmetic of a polynomial in a Galois field, Amer. J. of Math. 54

(1932), 39–50.



¾¼ 'º 1º  ÖØÖ [ Ö 1994] , The generation and application of random numbers, Forth Dimensions

XVI No1 & 2 (1994).



½¿ ¸ ¼ ʺ  ÖÐ× [ Ö 2003] , Generalized AGM sequences and approximation of canonical lifts, September

2003.



¾ ¼¸ ¾  º Ϻ ˺  ××Ð× [ × 1991] , Lectures on elliptic curves, Cambridge University Press, New York,

1991.



Ú Ëº  Ú ÐÐ Ö ¼¸ ¼ [ 2000] , Strategies in filtering in the Number Field Sieve, Algorithmic Number Theory Symposium – ANTS IV,Lecture Notes in Comput. Sci., no. 1838, Springer-Verlag,

2000, 209–232.



¼ º $º  ÒØÓÖ Àº ; ××Ò Ù× [ ; 1981] & , A new algorithm for factoring polynomials over

finite fields, Math. Comp. 36 No154 (1981), 587–592.



'º ×Ò ¿ ¿ [× 2005] , Varietá a traccia zero su campi binari: Applicazioni crittografiche, Master’s

thesis, Universitá degli Studi di Milano, 2005.



 º¹8º Ò º¹º  Ò [ 1999] & , Fast modular multiplication algorithm for calculating ¾¼¾ the product AB modulo N, Inform. Process. Lett. 72 (1999), 77–81.

+



 ¼  ¾ º Ú ÐÐ ֹŠÑ× Åº  Ø Åº ÂÓÝ [ 2004] , ,& , Low-cost solutions for preventing simple Side-Channel Analysis: Side-Channel Atomicity, IEEE Trans. on Computers 53 (2004), 760–768.

+



Ó Äº ˺  ÖÐ Ô Êº ÓÐÝ º Ⱥ ÊÓ Ò× [ 1991] , ,& , Enumeration of rational points on ¾¾

elliptic curves over finite fields, Draft, 1991.



 ;º Ò [ 2000] , Java card technology for smart cards: Architecture and programmers guide, 

Addison-Wesley Publishing Company, Reading, MA, 2000.



¼½ ɺ Ò [ 2003] , Primality proving via one round ECPP and one iteration in AKS, preprint, 2003.

+



ú 8º Ó Âº 8º ÀÛ Ò º Àº Ä   [ÀÛ 2004] , ,& , Efficient ID-based group key agreement with bilinear maps, Public Key Cryptography – PKC 2004, Lecture Notes in Comput. Sci.,

vol. 2947, Springer-Verlag, 2004, 130–144.



½ º Àº ÓÒ º ÂÙÒ [ÂÙ 2003] & , A polynomial time algorithm for the braid Diffie–Hellman conjugacy problem, Advances in Cryptology – Crypto 2003, Lecture Notes in Comput.

Sci., vol. 2729, IACR and Springer-Verlag, 2003, 212–225.



8Ù 8º Ó  º 8ÙÒ [ 2002] & , Isomorphism classes of hyperelliptic curves of genus 2 over ¿¿¸ ¿¿ Fq, Australasian Conference on Information Security and Privacy – ACISP 2002, Lecture

Notes in Comput. Sci., vol. 2384, Springer-Verlag, Berlin, 2002, 190–202.



  ź  Ø [  2003] , Aspects of fast and secure arithmetics for elliptic curve cryptography, PhD. Thesis, Université Catholique de Louvain, 2003.

+



 ÂÓ Åº  Ø Åº ÂÓÝ ú Ä ÙØÖ Èº ĺ ÅÓÒØÓÑÖÝ [ 2003] , , ,& , Trading inversions for ¾ ½¸ ¾ ¾ multiplications in elliptic curve cryptography, preprint, 2003. http://eprint.iacr.org/2003/257/

+



¿¸ ¿ ½¸ ¿ ¾ ź  Ø Ìº Ä Ò 1º Ë  º¹Âº ÉÙ ×ÕÙ ØÖ [ Ä 2003] , , ,& , Improved algorithms for efficient arithmetic on elliptic curves using fast endomorphisms, Advances in Cryptology – Eurocrypt 2003, Lecture Notes in Comput. Sci., vol. 2656, Springer-Verlag, 2003, 388– 400.

+



 É٠ź  Ø Âº¹Âº ÉÙ ×ÕÙ ØÖ 1º Ë  [ 2002] , ,& , Preventing differential analysis in GLV ½¿ elliptic curve scalar multiplication, Cryptographic Hardware and Embedded Systems – CHES 2002, Lecture Notes in Comput. Sci., vol. 2523, Springer-Verlag, Berlin, 2002, 540–550.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC References 745

+



ƺ ÓÙÖØÓ × Åº 1 Ò ×Þ Æº ËÒÖ Ö ½ [Ó1 2001] , ,& , How to achieve a McEliece-based digital signature scheme, Advances in Cryptology – Asiacrypt 2001, Lecture Notes in

Comput. Sci., no. 2248, Springer-Verlag, 2001, 157–174.



 Àº ÓÒ [Ó- , Diophantine Equations, p-adic Numbers and L-functions, Springer-Verlag,

to appear.

Ó [ 2000] , A course in Computational Algebraic Number Theory, Graduate Texts in ¸ ½ ¸ ½ ¼¸

Mathematics, vol. 138, Springer-Verlag, Berlin, 2000, fourth edition. ½ ¼¸½ ½¸½ ¸

½ ¸½ ¸¾¼ ¸

¿ ¸½¼¸ ¸

 ¸ ¸ ¾¸

  ¸¼¾¸½½

o

 ½¿¸ ½ [Ó 2005] , Analysis of the flexible window powering algorithm, J. Cryptology 18 N 1 (2005), 63–76.

+



ź º Ó×ØÖ º ÂÓÙÜ º º Ä Å  º ź ÇÐÝÞ"Ó º¹Èº ¿ 

[ÓÂÓ 1992] , , , , º ËØÖÒ ËÒÓÖÖ,& , Improved low-density subset sum algorithms, Comput. Com- plexity 2 (1992), 111–128.

+



Ó Âº¹Ëº ÓÖÓÒ Èº ÃÓÖ º Æ    ¼ [Óà 2001] , ,& , Statistics and secret leakage, Finan- cial Cryptography – FC 2000, Lecture Notes in Comput. Sci., vol. 1962, Springer-Verlag,

2001, 157–173.



$º 'º ÓÐÐ Ò× ¾¼ [ÓÐ 1969] , Computing multiplicative inverses in GF(p), Math. Comp. 23 (1969),

197–200.

 ÓÐ

[ 1980] , Lecture notes on arithmetic algorithms, 1980. University of Wisconsin. ½ ¾



Àº ÓÒ Àº Ϻ ÄÒ×ØÖ ¸ ÂÖº  [ÓÄ 1984] & , Primality testing and Jacobi sums, Math. Comp.

42 (1984), 297–330.



Àº ÓÒ º ú ÄÒ×ØÖ  [ÓÄ 1987] & , Implementation of a new primality test, Math. Comp. 48 (1987), 103–121.

+



½¿ Àº ÓÒ º Å Ý < ̺ ÇÒÓ [ÓÅ 1997] , ,& , Efficient elliptic curve exponentiation, Information and Communication Security – ICICS 1997, Lecture Notes in Comput. Sci., vol. 1334, Springer-Verlag, Berlin, 1997, 282–290.

+

ÓÅ [ 1998] , Efficient elliptic curve exponentiation using mixed coordinates, Advances in ¾ ¸ ¾ ¼¸ ¾ ¾¸

Cryptology – Asiacrypt 1998, Lecture Notes in Comput. Sci., vol. 1514, Springer-Verlag, ¾ ¿¸¾ ¸¾ ¸

 ¿¾½¸¿¾ ¸¿¾

Berlin, 1998, 51–65.



˺ ÓÒØ Ò [ÓÒ 2005] , FactorWorld: General purpose factoring records, 2005.

http://www.crypto-world.com/FactorRecords.html



¾½¸  ¸  º ÓÔÔÖ×Ñ Ø [ÓÔ 1984] , Fast evaluation of logarithms in fields of characteristic two, IEEE

Trans. Inform. Theory 30 No4 (1984), 587–594.

 ½¿

[ÓÔ 1993] , Modifications to the Number Field Sieve, J. Cryptology 6 (1993), 169–180.

º¹Ëº ÓÖÓÒ  ¸  ¼¸  ¾¸

[ÓÖ 1999] , Resistance against differential power analysis for elliptic curve cryptosys-  tems, Cryptographic Hardware and Embedded Systems – CHES 1999, Lecture Notes in  ¸ ¼¼¸ ½½

Comput. Sci., vol. 1717, Springer-Verlag, Berlin, 1999, 392–302.



ÓË º ÓÔÔÖ×Ñ Ø º Ë Ñ Ö [ 1997] & , Lattice attacks on NTRU, Advances in Cryptology – ½ Eurocrypt 1997, Lecture Notes in Comput. Sci., vol. 1233, Springer-Verlag, Berlin, 1997,

52–61.



ź º Ó×ØÖ ½¾ [Ó×ØÖ- , homepage.

http://www.coster.demon.nl/



º ź ÓÙÚ Ò× ¾½ [ÓÙ 1996] , Computing l-isogenies with the p-torsion, Algorithmic Number Theory Symposium – ANTS II, Lecture Notes in Comput. Sci., vol. 1122, Springer-Verlag,

1996, 59–65.



¾½ - ÖÝÔØÓÖ ÔÝ Ê× Ö¸ ÁÒº [Ê 2003 , Evaluation of VIA C3 Nehemiah Random Number Generator, Tech. report, 2003. http://www.cryptography.com/resources/whitepapers/VIA_rng.pdf

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

746 References



ʺ Ö Ò ÐÐ ½ ¾ [Ö 1992] , Method and apparatus for public in a cryptographic sys-

tem, United States Patent 5, 159, 632, Date: Oct. 27th 1992.



¼ Ó 'º ˺ ÖÓÓØ ÁÁÁ [Ö 2003] , Smooth numbers in short intervals, preprint, 2003.

http://www.math.gatech.edu/~ecroot/papers.html

ʺ Ö Ò ÐÐ º ÈÓÑÖ Ò ½ ¼¸ ½ ¸ ½ ¾¸

[ÖÈÓ 2001] & , Prime numbers, a computational perspective, 

Springer-Verlag, Berlin, 2001. ¾¼ ¸ ½



Ú Êº  Ú × ¾½ [ 2000] , Hardware random number generators, New Zealand Statistics Conference,

2000.



РȺ Ð Ò [ 1974] , La conjecture de Weil. I, Inst. Hautes Études Sci. Publ. Math. 43 (1974), ½¿

273–307.



8º ×ÑØ Ìº Ä Ò  [Ä 2004a] & , Pairing based threshold cryptography improving on Libert,

Quisquater, Baek, and Zheng, preprint, 2004.

   [Ä 2004b] , Pairing variants of BurmesterÐDesmedt I and KatzÐYung, preprint, 2004.

+



8º ×ÑØ Ìº Ä Ò ź ÙÖÑ×ØÖ  ¸   [Ä 2004] , ,& , Exponential improvement on KatzÐ Yung’s constant round authenticated group key exchange and tripartite variants, preprint,

2004.



ź ÙÖ Ò ½¿ ¸ ¾¿ [Ù 1941] , Die Typen der Multiplikatorenringe elliptischer Funktionenkörper, Abh.

Math. Sem. Hansischen Univ. 14 (1941), 197–272.



Î º Ò% 1º ÎÖ ÙØÖÒ [ 2002] & , An extension of Kedlaya’s algorithm to ArtinÐSchreier ¿ curves in characteristic 2, Algorithmic Number Theory Symposium – ANTS V, Lecture

Notes in Comput. Sci., vol. 2369, Springer-Verlag, Berlin, 2002, 308–323.

 Î [ 2005] , An extension of Kedlaya’s algorithm to hyperelliptic curves in characteristic 2, ¿

J. Cryptology (2005), to appear.



¾¼¿¸ ¾¼ º¹1º Ñ [ 1998] , Design of an efficient public key cryptographic library for RISC-based smart cards, PhD. Thesis, Faculté des sciences appliquées, Laboratoire de microélectron- ique, Université catholique de Louvain-la-Neuve, Belgique, 1998. http://users.belgacom.net/dhem/these/these_public.pdf

+



 ¸ ¼ Ó Âº¹1º Ñ 1º ÃÓÙÒ Ⱥ¹º ÄÖÓÙÜ Èº Å×ØÖ º¹Âº ÉÙ ×ÕÙ ØÖ [à 2000] , , , , ,&

º¹Äº Ï ÐÐÑ×, A practical implementation of the timing attack, Smart Card Research and Advanced Application – CARDIS 1998, Lecture Notes in Comput. Sci., vol. 1820,

Springer-Verlag, 2000, 167–182.

½¾¸ ¿ ¿¸ ¿¸ º  Ñ

[  2001] , A study on theoretical and practical aspects of Weil-restriction of varieties,  PhD. Thesis, Universität Gesamthochschule Essen, 2001. ¿¸ ¿

o

 

[ 2003] , The GHS-attack in odd characteristic, J. Ramanujan Math. Soc. 18 N 1 (2003), ¿½¸ ¿¾¸ ¿¸ 

1–32. ¿

 ½¸ ¿¸   [  2004] , On the discrete logarithm problem in elliptic curves over non-prime finite fields,

2004. preprint.

 ¿ [  2005] , Index calculus in class groups of plane curves of small degree, preprint, 2005.

http://eprint.iacr.org/2005/119/



 À Ϻ  %%  ź 'º ÀÐÐÑ Ò [ 1976] & , New directions in cryptography, IEEE Trans. Inform. ÜÜܸ ½¼

Theory 22 No6 (1976), 644–654.

º  Ñ Âº ËÓÐØÒ ¿ ¿¸ ¿ ¸ ¼¸

[ Ë 2003] & , Cover Attacks Ð A report for the AREHCC project, 2003. 

http://www.arehcc.com 



Ó º Ó [ 2005] , Redundant trinomials for finite fields of characteristic 2, Australasian Con- ¾½ ference on Information Security and Privacy – ACISP 2005, Lecture Notes in Comput.

Sci., vol. 3574, Springer-Verlag, Berlin, 2005, 122–133.

 ¾½ [Ó- , homepage. http://www.math.u-bordeaux.fr/~cdoche/

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

References 747



º Ó×ÓÒ º ú ÄÒ×ØÖ ¼ ¸ ½¿ [ÓÄ 1995] & , NFS with four large primes: an explosive experiment, Advances in Cryptology – Crypto 1995, Lecture Notes in Comput. Sci., vol. 963, Springer- Verlag, Berlin, 1995, 372–385.

+



Ⱥ ÓÛÒÝ º ÄÓÒ ʺ ËØ ½ [ÓÄ 1981] , ,& , Computing sequences with addition chains,

SIAM J. Comput. 10 (1981), 638–646.



8º Ó × Åº 8ÙÒ  [Ó8Ù 2003] & , Exposure-resilience for free: Hierarchical ID-based encryption case, IEEE Security in Storage 2003, 2003, 45–52.

+



ʺ ÙÔÓÒØ º 'Ò 1º ÅÓÖ Ò  ¸  [Ù'Ò 2005] , ,& , Building curves with arbitrary small MOV degree over finite prime fields, J. Cryptology 18 No2 (2005), 79–89.

+



Áº ÙÙÖ×Ñ Èº $ ÙÖÝ 1º ÅÓÖ Ò  ½ [Ù$ 1999] , ,& , Speeding up the discrete log computation on curves with automorphisms, Advances in Cryptology – Asiacrypt 1999, Lecture Notes

in Comput. Sci., vol. 1716, Springer-Verlag, Berlin, 1999, 103–121.



˺ ʺ Ù××4 º ˺ à Р×" ¸ ÂÖº ½ ½ [Ùà 1990] & , A cryptographic library for the Motorola DSP56000, Advances in Cryptology – Eurocrypt 1990, Lecture Notes in Comput. Sci.,

vol. 478, Springer-Verlag, Berlin, 1990, 230–244.



¿¾ ¸ ¿¿¸  ˺ ÙÕÙ×Ò [ÙÕ 2004] , Montgomery scalar multiplication for genus 2 curves, Algorithmic Num- ber Theory Symposium – ANTS VI, Lecture Notes in Comput. Sci., vol. 3076, Springer- Verlag, 2004, 153–168.

+



)º Ù 8º Ï Ò º $ 8º Ï Ò   [ÙÏ 2003] , , ,& , An improved ID-based authenticated group key agreement scheme, preprint, 2003.

http://eprint.iacr.org/2003/260/



ÛÓ º ÛÓÖ" [ 1960] , On the rationality of the zeta function of an algebraic variety, Amer. J. Math. ½¿¸ ½¿ ¸ ¾¾

82 (1960), 631–648.



'٠Ⱥ ij 'ÙÝÖ [ 1998] , Uniform random number generators, Proceedings of the 1998 Winter ½

Simulation Conference (1998), 97–104.

 'Ù [ 2001] , Software for uniform : Distinguishing the good and ½

the bad, Proceedings of the 2001 Winter Simulation Conference (2001), 95–105.



¾ º ' ÜÓÚÒ [' 2003] , Point counting after Kedlaya, EIDMA-Stieltjes graduate course Leiden, 2003.

+



¾ ½¸ ¾ ¾ ú ' ×ÒØÖDÖ Ãº Ä ÙØÖ Èº ĺ ÅÓÒØÓÑÖÝ [' Ä 2003] , ,& , Fast elliptic curve arith- metic and improved Weil pairing evaluation, Topics in Cryptology – CT-RSA 2003, Lec-

ture Notes in Comput. Sci., vol. 2612, Springer-Verlag, Berlin, 2003, 343–354.



½ ̺ 'Ð$ Ñ Ð ['Ð$ 1985] , A public key cryptosystem and a signature scheme based on discrete logarithms, Advances in Cryptology – Crypto 1984, Lecture Notes in Comput. Sci., vol.

196, Springer-Verlag, Berlin, 1985, 10–18.



'Ð" ƺ º 'Ð" ×

[ 1991] , Explicit isogenies, Draft, 1991. ½¸ ½



ʺ 'Ð"ÒÖ عÀÙ Þ Ò ½ ['Ð" 1996] , An implementation of the Number Field Sieve, Experi-

ment. Math. 5 No3 (1996), 231–253.



'º 'Ð Å  ××Ò Áº 'º ËÔ ÖÐ Ò×" ¿¾ ['ÐË 2002] & , On the uniformity of distribution of con- gruential generators over elliptic curves, Sequences and their Applications – SETA 2001, Discrete Mathematics and Theoretical Computer Science, Springer-Verlag, 2002, 257–

264.



'Ò º 'Ò [ 2002] , Computing discrete logarithms in high-genus hyperelliptic Jacobians in prov- ½¸ 

ably subexponential time, Math. Comp. 71 No238 (2002), 729–742.

'Ò$ º 'Ò Ⱥ $ ÙÖÝ

[ 2002] & , A general framework for subexponential discrete logarithm  ¸  ¸ ¼¼¸ 

algorithms, Acta Arith. 102 No1 (2002), 83–103. ½¸ 



º 'Ò º ËØ Ò ½¸  ['ÒËØ 2002] & , Smooth ideals in hyperelliptic function fields, Math. Comp. 71 (2002), 1219–1230.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

748 References



ú 'ÒØ Ö ¾¼¸ ¾ ['ÒØ 1998] , Bad subsequences of well-known linear congruential pseudorandom number generators, ACM Transactions on Modeling and Computer Simulation 8 No1

(1998), 61–70.



Ⱥ 'Ö@×  ¿ ['Ö 1956] , On pseudoprimes and Carmichael numbers, Publ. Math. Debrecen 4 (1956), 201–206.

+



'×Ë º 'º '×ÓØØ Âº º Ë Ö º Ⱥ ĺ ËÐ" Ö" º Ì× Ô "  × [ 1998] , , ,& , Attack-  ¼¸  ½ ing elliptic curve cryptosystems using the parallel Pollard rho method, CryptoBytes (The technical newsletter of RSA laboratories) 4 No2 (1998), 15–19.

http://www.rsa.com/rsalabs/pubs/cryptobytes



½ ÂÓ Âº¹º 1 Ù6Ö º ÂÓÙÜ [1 2003] & , Algebraic of Hidden Field Equations (HFE) using Gröbner bases, Advances in Cryptology – Crypto 2003, Lecture Notes in Comput.

Sci., vol. 2729, IACR and Springer-Verlag, 2003, 44–60.



1 Ï )º 1 Ò 8º Ï Ò [ 2004] & , Inversion-free arithmetic on genus 3 hyperelliptic curves, preprint, ¿ 2004. http://eprint.iacr.org/2004/223/

+



˺ 1 ×Рº ÚÓÒ ÞÙÖ $ ØÒ Åº º ËÓ"ÖÓÐÐ  ¿ [1$ 1999] , ,& , Normal bases via general Gau§ periods, Math. Comp. 68 No225 (1999), 271–290.

+



ʺ 1ÖÖ Ö Êº Å ÐÞ Ò Èº Å Ö ××Ò Âº¹Âº ÉÙ ×ÕÙ ØÖ Ìº Ï ÐÐ ¾¼ [1Å 1996] , , , ,& , FAME: A 3rd generation coprocessor for optimising public key cryptosystems in smart card applications, Smart Card Research and Advanced Application – CARDIS 1996, Stichting Mathematisch Centrum, CWI, Amsterdam, 1996.

+



1 $ Ϻ 1 ×Ö º $ Ö Ù 'º Ϻ ÃÒÙ×Ò ÂºÈº Ë %ÖØ [ 2002] , , ,& , Parallel scalar ¾ ¸  multiplication on general elliptic curves over Fp hedged against non-differential side- channel attacks, preprint, January 2002.

http://eprint.iacr.org/2002/007/



1ÁÈË ½E¼¹¾ ¾¼ [1 Ô× ½E¼¹¾- , Security requirements for cryptographic modules, Federal Information Processing Standards Publication 140-2, 1999.

http://csrc.nist.gov



1 Ô× ½G+¹¾- 1ÁÈ˽G+¹¾ [ , Digital signature standard, Federal Information Processing Standards Pub- ½ ¿¸ ¾½ lication 186-2, 2000.

http://csrc.nist.gov



¾ 1ÁÈ˽*H [1 Ô× ½*H- , Advanced encryption standard (AES), Federal Information Processing Stan- dards Publication 197, 2001.

http://csrc.nist.gov



1ÐÇÝ Ëº 1ÐÓÒ Êº ÇÝÓÒÓ [ 2004] & , Fast arithmetic on Jacobians of Picard curves, Public Key ¿¾ Cryptography – PKC 2004, Lecture Notes in Comput. Sci., vol. 2947, Springer-Verlag, Berlin, 2004, 55–68.

+



1ÐÇÝ Ëº 1ÐÓÒ Êº ÇÝÓÒÓ º Ê ØÞÒØ ÐÖ [ 2004] , ,& , Fast addition on non-hyperelliptic genus ¿¾ 3 curves, preprint, 2004.

http://eprint.iacr.org/2004/118/



Ⱥ 1Ð <ÓÐØ º Ë ÐÚÝ ½¾ [1ÐË 1997] & , The SIGSAM challenges: Symbolic asymptotics in practice,

SIGSAM Bulletin 31 No4 (1997), 36–47.



Ý- 'º κ 1ÐÝÒÒ ¿¿¼ [1Ð , Formulas for the Kummer surface of a genus 2 curve.

ftp://ftp.liv.ac.uk/pub/genus2/kummer



Ý ¿¾ [1Ð 1993] , The group law on the Jacobian of a curve of genus 2, J. Reine Angew. Math. 439 (1993), 45–69.

+



Ó$ ź 1ÓÙÕÙØ Èº $ ÙÖÝ Êº À ÖÐÝ ¿¾ [1 2000] , ,& , An extension of Satoh’s algorithm and its implementation, J. Ramanujan Math. Soc. 15 No4 (2000), 281–318.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

References 749



$º 1ÖÝ ½¾¸ ¿ ¿ [1Ö 1998] , How to disguise an elliptic curve, Talk at Waterloo workshop on the ECDLP, 1998.

http://cacr.math.uwaterloo.ca/conferences/1998/ecc98/slides.html

 ½¿½¸ ¿ ¿ [1Ö 2001] , Applications of arithmetical geometry to cryptographic constructions, Proceed- ings of the 1998 Finite Fields and Applications Conference, Springer, Berlin, 2001, 128–

161.



½ º ú ÄÒ×ØÖ Èº ÄÝÐ Ò

[1ÖÄ Ô- & , Free version of the LIP package, 1996.



Àº ʺ 1Ö ÙÑ ¾ ¸ ¾  [1Ö 2001] , The group law on elliptic curves on Hesse form, Sixth International Conference on Finite Fields and Applications, Springer-Verlag, Berlin, 2001. See also the technical report CORR 2001-09. http://www.cacr.math.uwaterloo.ca/techreports/2001/corr2001-09.ps

+



1ÖÃРº 1Ö Ò" ̺ ÃÐ Ò<ÙÒ 1º ÅÓÖ Ò Ìº Ï ÖØ [ 2004] , , ,& , Proving the primality of  very large numbers with fast ECPP, Algorithmic Number Theory Symposium – ANTS

VI, vol. 3076, Springer-Verlag, Berlin, 2004, 194–207.



1ÖÄ $º 1ÖÝ Ìº Ä Ò [ 2003] & , Mathematical background of public key cryptography, Tech.  Report 10, IEM Essen, 2003, To appear in Séminaires et Congrès.

+

$º 1ÖÝ Åº Å7ÐÐÖ Àº¹$º Ê7" ¿ ¸ ¿ ¸ ¿¼¸

[1ÖÅ7 1999] , ,& , The Tate pairing and the discrete logarithm  applied to elliptic curve cryptosystems, IEEE Trans. Inform. Theory 45 No5 (1999), 1717–  ¾

1719.



$º 1ÖÝ Àº¹$º Ê7" ¿¿¸ ¿¼ [1ÖÊ7 1994] & , A remark concerning m-divisibility and the discrete loga-

rithm problem in the divisor class group of curves, Math. Comp. 62 (1994), 865–874.



1ÖÌ º 1Ö=Ð  ź Ì ÝÐÓÖ [ 1991] & , Algebraic number theory, Cambridge Studies in Adv. ½

Math., vol. 27, Cambridge Univ. Press, 1991.



1Ù< Ø×Ù- 1Ù< Ø×Ù Ä Ñ Ø [ , Fram guide book. 

http://www.fujitsu.com/global/services/microelectronics/technical/



1ÙРϺ 1ÙÐØÓÒ [ 1969] , Algebraic curves: An introduction to algebraic geometry, Benjamin, 1969. 

+



$ $ ˺$ Ó Âº ÚÓÒ ÞÙÖ $ ØÒ º È Ò Ö Ó Îº ËÓÙÔ [ 2000] , , ,& , Algorithms for expo- ¿¸ ¾¾¸ ¾¾

nentiation in finite fields, J. Symbolic Comput. 29 (2000), 879–889.



$ $ - º ÚÓÒ ÞÙÖ $ ØÒ Âº $Ö Ö [ 1996 & , Arithmetic and factorization of polynomi- ¾¾¼ als over F2, International Symposium on Symbolic and Algebraic Computation – ISSAC

1996, 1–9.

 ¿

[$ $ 1999] , Modern computer algebra, Cambridge University Press, 1999.



Ⱥ $ ÙÖÝ Êº À ÖÐÝ ¾¾ [$ À 2000] & , Counting points on hyperelliptic curves over finite fields, Algorithmic Number Theory Symposium – ANTS IV, vol. 1838, Springer-Verlag, Berlin, 2000, 313–332.

+

$ À ˺ º $ ÐÖ Ø ú À ÖÖ ×ÓÒ º ËÓÐÖ [ 2002] , ,& , Implementing the Tate pairing, ¿ ¸ ¿ ¿¸ ¼¼¸

Algorithmic Number Theory Symposium – ANTS V, Lecture Notes in Comput. Sci., vol. ¼½¸ ¼¸ ½¸

  ¿¸   2369, Springer-Verlag, Berlin, 2002, 324–337.

+



˺ $ ÐÖ Ø 1º À×× Æº ËÑ ÖØ ¿½¸ ¿ [$ À 2002a] , ,& , Extending the GHS Weil-descent attack, Advances in Cryptology – Eurocrypt 2002, Lecture Notes in Comput. Sci., vol. 2332, Springer-Verlag, Berlin, 2002, 29–44.

+



Ⱥ $ ÙÖÝ 1º À×× Æº Ⱥ ËÑ ÖØ ¿½¸ ¿ [$ À 2002b] , ,& , Constructive and destructive facets of Weil

descent on elliptic curves, J. Cryptology 15 No1 (2002), 19–46.

˺º$ ÐÖ Ø ½¾¸ ¿¿¸  ¸

[$ Ð 2001a] , Supersingular curves in cryptography, Advances in Cryptology –  Asiacrypt 2001, Lecture Notes in Comput. Sci., vol. 2248, Springer-Verlag, Berlin, 2001,  ¼

495–513.

 ¿½ [$ Ð 2001b] , Weil descent of Jacobians, Workshop on Coding and Cryptography, 2001, Elec- tronic Notes in Discrete Mathematics, vol. 6, Elsevier Science Publishers, 2001.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC 750 References

+



ʺ Ⱥ $ ÐÐ ÒØ Êº º Ä ÑÖØ ËººÎ Ò×ØÓÒ  ½ [$ Ä 2000] , ,& , Improving the parallelized Pollard lambda search on anomalous binary curves, Math. Comp. 69 (2000), 1699–1705.

+

 ¿  ¿ [$ Ä 2001] , Faster point multiplication on elliptic curves with efficient endomorphisms, Ad- vances in Cryptology – Crypto 2001, Lecture Notes in Comput. Sci., vol. 2139, Springer-

Verlag, Berlin, 2001, 190–200.



˺ $ Ó Àº Ϻ ÄÒ×ØÖ ¸ ÂÖº ¾½ [$ Ä 1992] & , Optimal normal bases, Des. Codes Cryptogr. 2

(1992), 315–323.



˺ º $ ÐÖ Ø º ÅÃ ¾ ¾ [$ Å 2000] & , The probability that the number of points on an elliptic curve over a finite field is a prime, J. London Math. Soc. (2) 62 No3 (2000), 671– 684.

+



˺ º $ ÐÖ Ø º ÅÃ Ⱥ Î ÐÒ  [$ Å 2004] , ,& , Ordinary abelian varieties having small embedding degree, preprint, 2004. http://eprint.iacr.org/2004/365/

+



$ ÅÓ Ãº $ ÒÓÐ% º ÅÓÙÖØÐ 1º ÇÐ Ú Ö [ 2001] , ,& , Electronic analysis: concrete results,  ¾ Cryptographic Hardware and Embedded Systems – CHES 2001, Lecture Notes in Comput.

Sci., vol. 2162, Springer-Verlag, Berlin, 2001, 251–261.



¾½¸ ¾½¸ ¾¾¼ º ÚÓÒ ÞÙÖ $ ØÒ Åº Æ="Ö [$ Æ= 2005] & , Polynomial and normal bases for finite fields, J. Cryptology (2005), to appear.

o



Ó Ëº $ Ó ¿ [$ 2001] , Abelian groups, Gau§ periods and normal bases, Finite Fields Appl. 7 N 1

(2001), 148–164.



½ Àº $ ÖÒÖ [$ Ö 1959] , The residue number system, IRE Transactions on Electronic Computers

EC-8 (1959), 140–147.

¾¾¸ ¸ ¸ Ⱥ $ ÙÖÝ >º ËÓ×Ø

[$ Ë 2004a] & , Construction of secure random curves of genus 2 over  prime fields, Advances in Cryptology – Eurocrypt 2004, Lecture Notes in Comput. Sci.,  ¸  

vol. 3027, Springer-Verlag, 2004, 239–256.

 $ Ë [ 2004b] , A low-memory parallel version of Matsuo, Chao, and Tsujii’s algorithm, Al- ½½ gorithmic Number Theory Symposium – ANTS VI, Lecture Notes in Comput. Sci., vol. 3076, Springer-Verlag, Berlin, 2004, 208–222.

o

 $ Ë [ 2005] , Modular equations for hyperelliptic curves, Math. Comp. 74 N 249 (2005), 429– ¾¾

454 (electronic).



$ Ë º ÚÓÒ ÞÙÖ $ ØÒ Îº ËÓÙÔ [ 1992] & , Computing Frobenius maps and factoring poly- ¼

nomials (extended abstract), ACM Symposium on Theory of Computing, 1992, 97–105.



¿½ ˺ º $ ÐÖ Ø ƺ Ⱥ ËÑ ÖØ [$ ËÑ 1999] & , A cryptographic application of Weil descent, Proceedings of the 1999 Cryptography and Coding Conference, Lecture Notes in Comput. Sci., vol. 1746, Springer-Verlag, Berlin, 1999, 191–200. A version is available as HP Technical report HPL-1999-70.

+



¾¿¸ ¾¸  Ⱥ $ ÙÖÝ Æº Ì4Ö ÙÐØ 'º ÌÓÑ4 [$ Ì 2004] , ,& , A double large prime variation for small genus hyperelliptic index calculus, preprint, 2004.

http://eprint.iacr.org/2004/153/



Ù º 1º $ ÙI ¿

[$ 1973] , Werke, Georg Olms Verlag, 1973, in German.



٠Ⱥ $ ÙÖÝ ¼ [$ 2000a] , Algorithmique des courbes hyperelliptiques et applications à la cryptologie, PhD. Thesis, École polytechnique, 2000.

http://www.lix.polytechnique.fr/Labo/Pierrick.Gaudry/publis/



$ Ù [ 2000b] , An algorithm for solving the discrete log problem on hyperelliptic curves, Ad- ¼¸ ½ ¸ 

vances in Cryptology – Eurocrypt 2000, vol. 1807, Springer-Verlag, Berlin, 2000, 19–34.



¿¿¸ ½ Ù [$ 2002] , A comparison and a combination of SST and AGM algorithms for counting points of elliptic curves in characteristic 2, Advances in Cryptology – Asiacrypt 2002, Lecture Notes in Comput. Sci., vol. 2501, Springer-Verlag, Berlin, 2002, 311–327.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

References 751



Ù ½¸   [$ 2004] , Index calculus for abelian varieties and the elliptic curve discrete logarithm prob- lem, preprint, 2004.

http://eprint.iacr.org/2004/073/



$Ö Âº ĺ $ÖÚÖ [ 1983] , Factoring large numbers with a quadratic sieve, Math. Comp. 41 (1983), ¼

287–294.



 º $ÒØÖÝ º Ë ÐÚÖÖ [$Ë 2002] & , Hierarchical ID-based encryption, Advances in Cryp- tology – Asiacrypt 2002, Lecture Notes in Comput. Sci., no. 2501, Springer-Verlag, 2002, 548–566.

t



ú $ IÐÖ Æº Ⱥ ËÑ ÖØ ½ [$ËÑ 2003] & , Computing the M = UU integer matrix decompo- sition, Proceedings of the 2003 Cryptography and Coding Conference, Lecture Notes in

Comput. Sci., vol. 2898, Springer-Verlag, 2003, 223–233.



$  'º¹$º $ ××Ñ ÒÒ [ 2001] , Ein schneller Algorithmus zur Punktevervielfachung, der gegen  ¸ ½½ Seitenkanalattacken resistent ist, talk at Workshop über Theoretische und praktische As-

pekte von Kryptographie mit Elliptischen Kurven, Berlin, 2001.



$ Ì º $ Ö Ù Àº Ì  ÙÐ [ 2004] & , A survey on fault attacks, Smart Card Research and  

Advanced Application – CARDIS 2004, Kluwer Academic Publishers, 2004, 159–176.



Ö ËÓØÛÖ ÓÙÒ Ø ÓÒ ½ ¸ ½  [$ÅÈ- , GNU MP library, version 4.1.4, 2004. http://www.swox.com/gmp/

+



$º $ÓÒ ̺ º Ö×ÓÒ º ʺ ËØ Ò×ÓÒ ¿¾ [$Ó 2000] , ,& , Elliptic curve pseudorandom sequence generators, Selected Areas in Cryptography – SAC 1999, Lecture Notes in Comput. Sci.,

vol. 1758, Springer-Verlag, Berlin, 2000, 34–48.



$Ó º $ÓÓÑ Ò º  ÒÖ ×" Ö Ò [ 2000] & , An energy efficient reconfigurable public key  cryptography processor architecture, Cryptographic Hardware and Embedded Systems – CHES 2000, Lecture Notes in Comput. Sci., vol. 1965, Springer-Verlag, Berlin, 2000, 174–191.

+



$ÓÀ º $ÓÐÐÑ Ò 8º À Ò º Å ØÐÐ [ 1996] , ,& , Redundant integer representations and fast ½¼

exponentiation, Des. Codes Cryptogr. 7 (1996), 135–151.



¿¾ $º $ÓÒ º º 8º Ä Ñ [$ÓÄ 2002] & , Recursive sequences over elliptic curves, Sequences and their Applications – SETA 2001, Discrete Mathematics and Theoretical Computer Science, Springer-Verlag, 2002, 182–196.

+



$ÓÄ ʺ º $ÓÐÐ ÚÖ º ú ÄÒ×ØÖ Ãº ˺ ÅÙÖÐÝ [ 1994] , ,& , Lattice sieving and trial ½ division, Algorithmic Number Theory Symposium – ANTS I, Lecture Notes in Comput. Sci., vol. 877, Springer-Verlag, Berlin, 1994, 18–27.

+



$ÓŠź $ÓÒ ú Å Ø×ÙÓ Ãº Ó" º  Ó Ëº Ì×Ù< [ 2005] , , , ,& , Improvements of ad- ¿ dition algorithm on genus 3 hyperelliptic curves and their implementations, IEICE Trans.

Fundamentals E88-A No1 (2005), 89–96.



¾½¸ ¼ º ź $ÓÖÓÒ Ãº ˺ ÅÙÖÐÝ [$ÓÅ 1993] & , Massively parallel computation of discrete logarithms, Advances in Cryptology – Crypto 1992, Lecture Notes in Comput. Sci., vol.

740, Springer-Verlag, Berlin, 1993, 312–323.



º $ÓÖÓÒ ½ ¾ [$ÓÖ 1989] , Fast multiplicative inverse in modular arithmetic, Proceedings of the 1986 Cryptography and Coding Conference, Oxford University Press, New York, 1989, 269– 279.

o



º ź $ÓÖÓÒ ½ [$ÓÖ 1998] , A survey of fast exponentiation methods, J. Algorithms 27 N 1 (1998),

129–146.



$Ó٠ĺ $ÓÙ Ò [ 2003] , A refined power analysis attack on elliptic curve cryptosystems, Public Key  ¼  ¾¸ ¼¼ Cryptography – PKC 2003, Lecture Notes in Comput. Sci., vol. 2567, Springer-Verlag,

Berlin, 2003, 199–210.



º $Ö ÒØ Ñ   [$Ö 1998] , A probable prime test with high confidence, J. Number Theory 72 (1998), 32–47, MR 2000e:11160.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

752 References

  

[$Ö 2001] , Frobenius pseudoprimes, Math. Comp. 70 (2001), 873–891.



̺ $Ö ÒÐÙÒ ½ ¸ ½ [$Ö 2004] , The GNU Multiple Precision arithmetic library, version 4.1.4, 2004.

http://www.swox.com/gmp



¸ ¼ Ⱥ $Ö %% Ø× Âº À ÖÖ × [$ÖÀ 1978] & , Principles of algebraic geometry, John Wiley & Sons, Ltd., 1978.

+



$ÖÀ Ⱥ $Ö ÒÖ º ÀÙÖÖ Àº ÈÖÓ ÒÖ [ 2004] , ,& , Distribution results for low- ½ weight binary representations for pairs of integers, Theoret. Comput. Sci. 319 (2004), 307–331.

+



ʺ ĺ $Ö  Ñ º 'º ÃÒÙØ Ǻ È Ø ×Ò "  [$ÖÃÒ 1994] , ,& , Concrete Mathematics, 2nd

edition, Addison-Wesley Publishing Company, Reading, MA, 1994, first edition 1989.



$ÖÓ º $ÖÓØÒ " [ 1968] , Crystals and the de Rham cohomology of schemes, Dix Exposés ½¿

sur la Cohomologie des Schémas, North-Holland, Amsterdam, 1968, 306–358.



Ó Âº $ÖÓI×DÐ  [$Ö 2001] , A bit-serial unified multiplier architecture for finite fields GF(p) and GF(2m), Cryptographic Hardware and Embedded Systems – CHES 2001, Lecture Notes

in Comput. Sci., Springer-Verlag, 2001, 202–219.



$ÖÈÓ º $Ö ÒÚ ÐÐ º ÈÓÑÖ Ò [ 2002] & , Two contradictory conjectures concerning  ¿ Carmichael numbers, Math. Comp. 71 (2002), 883–908.

+



$Ùà º $ÙÝÓØ Ãº à Ú κ ź È Ø Ò" Ö [ 2004] , ,& , Explicit algorithm for the arithmetic ¿ on the hyperelliptic Jacobians of genus 3, J. Ramanujan Math. Soc. 19 (2004), 119–159.

+



¿ ¸ ¿ ¸ ¿  º $7ÒØÖ Ìº Ä Ò º ËØ Ò [$7Ä 2000] , ,& , Speeding up the arithmetic on Koblitz curves of genus two, Selected Areas in Cryptography – SAC 2000, Lecture Notes in Comput. Sci.,

vol. 2012, Springer-Verlag, Berlin, 2000, 106–117.



¾  º $Ù < ÖÓ º È Ö [$ÙÈ 1997] & , Efficient algorithms for elliptic curve cryptosystems, Ad- vances in Cryptology – Crypto 97, Lecture Notes in Comput. Sci., vol. 1294, Springer-

Verlag, Berlin, 1997, 342–356.



À Р˺ À ÐÐÖÒ [ 1994] , Linear congruential generators over elliptic curves, Tech. Report CS-94- ¿¾ 143, Carnegie Mellon Univ., 1994.

+



À ÄJ º À Ò"Ö×ÓÒ Âº ÄJÔÞ º º ÅÒÞ× [ 2000] , ,& , Software implementation of elliptic ¾ ¸ ¾ ½ curve cryptography over binary fields, Cryptographic Hardware and Embedded Systems – CHES 2000, Lecture Notes in Comput. Sci., vol. 1965, Springer-Verlag, Berlin, 2000, 1–24.

+

½ ¾¸ ¾½¸ ¾½ ¸ º À Ò"Ö×ÓÒ º º ÅÒÞ× Ëº º Î Ò×ØÓÒ [À Å 2003] , ,& , Guide to elliptic curve

cryptography, Springer-Verlag, Berlin, 2003. ¾¾¿¸¾¿½¸¾¿¸

¾ ¸¿¼½¸ ¼¸



 ½



 º À ˺ ÅÓÓÒ [À ÅÓ 2002] & , Randomized signed-scalar multiplication of ECC to resist power attacks, Cryptographic Hardware and Embedded Systems – CHES 2002, Lecture Notes in

Comput. Sci., vol. 2523, Springer-Verlag, Berlin, 2002, 551–563.



Ϻ À Ò×Ò ½ [À Ò 1959] , Zum ScholzÐBrauerschen Problem, J. Reine Angew. Math. 202 (1959), 129–136, in German.

+



À ÉÙ $º À ÒÖÓØ Åº ÉÙÖ Ⱥ ; ÑÑÖÑ ÒÒ [ 2002] , ,& , Chronométrages d’algorithmes ½ ¸ ½ multiprécision, janvier 2002. http://www.pauillac.inria.fr/~quercia/papers/mesures2.tar

+ o

 À ÉÙ [ 2004] , The middle product algorithm, I, Appl. Algebra Engrg. Comm. Comput. 14 N 6 ½

(2004), 415–438.



º À ÖÖ ×  ¿ [À Ö 1960] , Probability distributions related to random mappings, Ann. of Math. Statis-

tics 31 (1960), 1045–1062.



ʺ À ÖØ×ÓÖÒ ¼ [À Ö 1977] , Algebraic Geometry, Graduate Texts in Mathematics, vol. 52, Springer-Verlag, 1977.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

References 753



- ʺ À ÖÐÝ ¿½¿ [À Ö 2000 , Fast arithmetic on genus 2 curves, 2000. See http://cristal.inria.fr/~harley/hyper for C source code and further expla-

nations.

 ½ [À Ö 2002a] , Algorithmes avancés pour l’arithmétique des courbes (Advanced algorithms for

arithmetic on curves), PhD. Thesis, Université Paris 7, 2002.

À Ö

[ 2002b] , Asymptotically optimal p-adic point-counting, e-mail to NMBRTHRY list, De- ¾¼¸ ¾¸ ¾¿¸ 

cember 2002. ¿



$º À ÖÑ Ò  ¿ [À Ö 2005] , On the number of Carmichael numbers up to x, Bull. London Math. Soc.

(2005), to appear.



¼ ¸ ½½ ź º À × Ò [À × 2000] , Power analysis attacks and algorithmic approaches to their countermea- sures for Koblitz curve cryptosystems, Cryptographic Hardware and Embedded Systems – CHES 2000, Lecture Notes in Comput. Sci., vol. 1965, Springer-Verlag, Berlin, 2000,

93–108.



½ ¼ ú ÀÒ×Ð

[ÀÒ 1908] , Theorie der algebraischen Zahlen, Leipzig, 1908.



¿¿ Àº º ÀÒÖ "×ÓÒ [ÀÒ 1961] , Fast high-accuracy binary parallel addition, IRE Trans. Elec-

tronic Computers 10 (1961), 465–468.



1º À×× ¿½¸ ¿ [À× 2003] , The GHS attack revisited, Advances in Cryptology – Eurocrypt 2003, Lecture

Notes in Comput. Sci., vol. 2656, Springer-Verlag, Berlin, 2003, 374–387.

 ½¾¾ [À× 2004] , A note on the Tate pairing of curves over finite fields, Arch. Math. (Basel) 82 (2004), 28–32.

+



ÀË 1º À×× $º ËÖÓÙ×× Æº Ⱥ ËÑ ÖØ [ 2001] , ,& , Two topics in hyperelliptic cryptography, ¿½½¸ ¿½¿ Selected Areas in Cryptography – SAC 2000, Lecture Notes in Comput. Sci., vol. 2259,

Springer-Verlag, Berlin, 2001, 181–189.



¿¾ 1º À×× Áº 'º ËÔ ÖÐ Ò×" [ÀË 2005] & , On the linear complexity and multidimensional dis- tribution of congruential generators over elliptic curves, Des. Codes Cryptogr. 35 (2005),

111–117.



À ÅÓ 8º À ØÓ" Ⱥ ÅÓÒØ Ù [ 2002] & , A new elliptic curve scalar multiplication algo-  rithm to resist simple power analysis, Australasian Conference on Information Security and Privacy – ACISP 2002, Lecture Notes in Comput. Sci., vol. 2384, Springer-Verlag,

Berlin, 2002, 214–225.



¾ ¿ º À Ù ƺ Ì "  [À Ì 2000] & , A fast addition algorithm for elliptic curve arithmetic in GF(2n) using projective coordinates, Inform. Process. Lett. 76 (2000), 101–103.

+



½ º ÀÓ%%×Ø Ò Æº ÀÓÛÖ Û¹$Ö  Ñ Âº È ÔÖ Âº Àº Ë ÐÚÖÑ Ò [ÀÓÀÓ 2003] , , , ,&

Ϻ ÏÝØ, NTRUSign: Digital Signatures Using the NTRU Lattice, Topics in Cryptol- ogy – CT-RSA 2003, Lecture Notes in Comput. Sci., vol. 2612, Springer-Verlag, Berlin,

2003, 122–140.



º º ÀÓÐØ ¼ ¸ ¼ [ÀÓÐ 2003] , On computing Discrete Logarithms: Large prime(s) variants, PhD. Thesis, University of Bath, 2003.

+



¾¼ ˺¹Åº ÀÓÒ ˺¹8º Ç Àº 8ÓÓÒ [ÀÓÇ 1996] , ,& , New modular multiplication algorithms for fast modular exponentiation, Advances in Cryptology – Eurocrypt 1996, Lecture Notes in Comput. Sci., vol. 1070, Springer-Verlag, Berlin, 1996, 166–177.

+



ÀÓÈ Âº ÀÓ%%×Ø Ò Âº È ÔÖ Âº Àº Ë ÐÚÖÑ Ò [ 1998] , ,& , NTRU: a ring-based public key ½ cryptosystem, Algorithmic Number Theory Symposium – ANTS III, Lecture Notes in

Comput. Sci., vol. 1423, Springer-Verlag, Berlin, 1998, 267–288.



ƺ $º ÀÓÛÖ Ú¹$Ö  Ñ Æº Ⱥ ËÑ ÖØ ¿ ¸  [ÀÓËÑ 2001] & , Lattice attacks on digital signature

schemes, Des. Codes Cryptogr. 23 (2001), 283–290.



¼ Û 'º ÀÓÛ [ÀÓ 2001] , Isogeny classes of abelian varieties with no principal polarizations, Moduli of abelian varieties (Texel Island, 1999), Progr. Math., vol. 195, Birkhäuser, Basel, 2001, 203–216.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

754 References



ź¹º ÀÙ Ò º ÁÖ Ö ¾¾ [ÀÙÁ 1998] & , Counting points on curves over finite fields, J. Symbolic

Comput. 25 No1 (1998), 1–21.



ÀÙÈ )º ÀÙ Ò κ 8º È Ò [ 1998] & , Fast rectangular matrix multiplication and applications,J. ¾½

Complexity 14 No2 (1998), 257–299.



Ǻ Àº Á ÖÖ º 'º Ã Ñ ½ [Áà 1975] & , Fast approximation algorithms for the knapsack and

sum of subsets problems, J. of the ACM 22 (1975), 463–468.



½¼½ º¹Áº ÁÙ× [ÁÙ 1960] , Arithmetic variety of moduli for genus two, Ann. of Math. (2) 72 (1960), 612–649.

+



- ̺ Á < Ñ Ãº Å Ø×ÙÓ Âº  Ó Ëº Ì×Ù< ¿ [Á Å 2002 , , ,& , Construction of Frobenius maps of twists elliptic curves and its application to elliptic scalar multiplication, Symposium on Cryptography and Information Security – SCIS 2002.

+



Áº ÁÒÑ Ö××ÓÒ º ̺ Ì Ò º Ϻ ÏÓÒ   [ÁÒÌ 1982] , ,& , A conference key distribution

system, IEEE Trans. Inform. Theory 28 (1982), 714–720.



Ä ØÖØÙÖ ÔÖØÑÒØÁÒØÐ ÓÖÔ ÓÖØ ÓÒ ¾½

[ÁÒØÐ G¼K½- , Microcontroller handbook.



- ÁËÇ ÖÓÙÔ  [ÁËÇ 1995 , International Standard ISO 7810 Identification cards — Physical charac-

teristics, Tech. report, ISO/IEC Copyright Office, 1995.



-  ¸  ½ [ÁËÇ 1999 , Part 1: Physical characteristics, International Standard ISO/IEC 7816: Identifi- cation cards — Integrated circuit(s) cards with contacts, Tech. report, ISO/IEC Copyright

Office, 1995-99.

 ¸  ¸ -

[ÁËÇ 1999 , Part 2: Dimensions and location of the contacts, International Standard ISO/IEC  7816: Identification cards — Integrated circuit(s) cards with contacts, Tech. report,  ½

ISO/IEC Copyright Office, 1995-99.

 ¸ ¼¸ -

[ÁËÇ 1999 , Part 3: Electronic signals and transmission protocols, International Standard  ISO/IEC 7816: Identification cards — Integrated circuit(s) cards with contacts, Tech.  ½

report, ISO/IEC Copyright Office, 1995-99.

-  ¸  ¸

[ÁËÇ 1999 , Part 4: Interindustry commands for interchange, International Standard ISO/IEC  7816: Identification cards — Integrated circuit(s) cards with contacts, Tech. report,  ½

ISO/IEC Copyright Office, 1995-99.



ÁËÇ - [ 2000 , International Standard ISO/IEC 14443: Identification cards — Contactless inte- ¼¸  ¸ ¾

grated circuit(s) cards — Proximity cards, Tech. report, ISO/IEC Copyright Office, 2000.



 ¸ ¾ - [ÁËÇ 2000 , Part 1: Physical characteristics, International Standard ISO/IEC 14443: Iden- tification cards — Contactless integrated circuit(s) cards - Proximity cards, Tech. report,

ISO/IEC Copyright Office, 2000.



 ¸ ¾ - [ÁËÇ 2000 , Part 2: Radio frequency power and signal interface, International Standard ISO/IEC 14443: Identification cards — Contactless integrated circuit(s) cards — Prox-

imity cards, Tech. report, ISO/IEC Copyright Office, 2000.



ÁËÇ - [ 2000 , Part 3: Initialization and anticollision, International Standard ISO/IEC 14443:  ¸ ¾ Identification cards — Contactless integrated circuit(s) cards — Proximity cards, Tech.

report, ISO/IEC Copyright Office, 2000.



-  ¸ ¾ [ÁËÇ 2000 , Part 4: Transmission protocol, International Standard ISO/IEC 14443: Identi- fication cards — Contactless integrated circuit(s) cards — Proximity cards, Tech. report, ISO/IEC Copyright Office, 2000.

m



̺ ÁØÓ ˺ Ì×Ù< ¾¾¸ ¾¿ [ÁØÌ× 1988] & , A fast algorithm for computing multiplicative inverses in GF(2 ) using normal bases, Inform. and Comp. 78 No3 (1988), 171–177.

m

 ÁØÌ× [ 1989] , Structure of parallel multipliers for a class of fields GF(2 ), Inform. and Comp. ¾½ 83 (1989), 21–40.

+



 ú ÁØÓ º 8 < Ñ Åº Ì " Ò" ƺ ÌÓÖ [ÁØ8 2002] , , ,& , DPA countermeasures by im- proving the window method, Cryptographic Hardware and Embedded Systems – CHES 2002, Lecture Notes in Comput. Sci., vol. 2523, Springer-Verlag, Berlin, 2002, 303–317.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

References 755



̺ ÁÞ٠̺ Ì "  ¾ ¸  ¼ [ÁÞÌ 2002a] & , Fast elliptic curve multiplication with SIMD operations, Infor- mation and Communication Security – ICICS 2002, Lecture Notes in Comput. Sci., vol.

2513, Springer-Verlag, 2002, 217–230.



ÁÞÌ [ 2002b] , A fast parallel elliptic curve multiplication resistant against Side-Channel At-  tacks, Public Key Cryptography – PKC 2002, Lecture Notes in Comput. Sci, vol. 2274,

Springer-Verlag, Berlin, 2002, 280–296.



ÁÞÌ [ 2003a] , Efficient computations of the Tate pairing for the large MOV degrees, Informa- ¼½ tion Security and Cryptology – ICISC 2002, Lecture Notes in Comput. Sci., vol. 2587,

Springer-Verlag, Berlin, 2003, 283–297.



 ¸ ¼ [ÁÞÌ 2003b] , Exceptional procedure attack on elliptic curve cryptosystems, Public Key Cryp- tography – PKC 2003, Lecture Notes in Comput. Sci, vol. 2567, Springer-Verlag, Berlin, 2003, 224–239.

+



¿½ ź º  Ó×ÓÒ¸ ÂÖº º º ÅÒÞ× º ËØ Ò [ Å 2001] , ,& , Solving elliptic curve discrete logarithm problems using Weil descent, J. Ramanujan Math. Soc. 16 (2001), 231–260.

o



 ̺ ÂÐ Ò [ 1993a] , An algorithm for exact division, J. Symbolic Comput. 15 N 2 (1993), ½ ¸ ½ ¼

169–180.

 ½ ¾ [Â 1993b] , Improving the multiprecision Euclidean algorithm, Design and Implementation of Symbolic Computation Systems – DISCO 1993, Lecture Notes in Comput. Sci., vol.

722, Springer-Verlag, Berlin, 1993, 45–58.



º ÂÓÙÜ Êº ÄÖ Ö  [ÂÓÄ 2002] & , The function field sieve is quite special, Algorithmic Number Theory Symposium – ANTS V,Lecture Notes in Comput. Sci., vol. 2369, Springer-Verlag,

2002, 431–445.



ÂÓÆ º ÂÓÙÜ Ãº ÆÙÝÒ [ 2003] & , Separating decision Diffie–Hellman from Diffie–Hellman in  

cryptographic groups, J. Cryptology 16 (2003), 239–247.

¾ ¸ ¾ ¸  ¸ ź ÂÓÝ º¹Âº ÉÙ ×ÕÙ ØÖ

[ÂÓÉÙ 2001] & , Hessian elliptic curves and side-channel attacks,  Cryptographic Hardware and Embedded Systems – CHES 2001, Lecture Notes in Com-   put. Sci., vol. 2162, Springer-Verlag, Berlin, 2001, 402.

+



¼ ź ÂÓÝ º¹Âº ÉÙ ×ÕÙ ØÖ Ëº¹Åº 8Ò Åº 8ÙÒ [ÂÓÉÙ 2002] , , ,& , Observability analysis Ð detecting when improved cryptosystems fail, Topics in Cryptology – CT-RSA 2002, Lec-

ture Notes in Comput. Sci., vol. 2271, Springer-Verlag, Berlin, 2002, 17–29.

ÂÓÌÝ Åº ÂÓÝ º ÌÝÑÒ

[ 2002] & , Protections against differential analysis for elliptic curve cryp-  ¼¸ ¼¼ ¼¾¸  tography Ð an algebraic approach, Cryptographic Hardware and Embedded Systems – ½¾ CHES 2001, Lecture Notes in Comput. Sci., vol. 2162, Springer-Verlag, Berlin, 2002,

377–390.

º ÂÓÙÜ ½¿¸  ¸  ¿¸

[ÂÓÙ 2000] , A one round protocol for tripartite Diffie–Hellman, Algorithmic Number The-  ory Symposium – ANTS IV, Lecture Notes in Comput. Sci., vol. 1838, Springer-Verlag,  

2000, 385–394.

 ÂÓÙ [ 2004] , A one round protocol for tripartite Diffie–Hellman, J. Cryptology 17 (2004),  ¸  ¿

263–276.



Ý Åº ÂÓÝ  ¼ [ÂÓ 2004] , Smart-card implementation of elliptic curve cryptography and DPA-type at- tacks, Smart Card Research and Advanced Application – CARDIS 2004, Kluwer Aca-

demic Publishers, 2004, 114–125.



Ý 

[ÂÓ 2005] , Defenses against side-channel analysis, Advances in Elliptic Curve Cryptogra-

1º Ð " $º ËÖÓÙ×× Æº Ⱥ ËÑ ÖØ phy (Áº , ,& , eds.), Cambridge University

Press, 2005.

ź ÂÓÝ ˺ź8Ò ½½¸ ½¾¸ ¼½¸

[ÂÓ8 2000] & , Optimal left-to-right binary signed-digit recoding, IEEE Trans.  on Computers 49 No7 (2000), 740–748.  

+



º ÂÙÒÒ "Ð º º ÅÒÞ× ËººÎ Ò×ØÓÒ ¿ [ÂÙÅ 1990] , ,& , On the number of self dual basis of GF(qm) over GF(q), Proc. Amer. Math. Soc. 109 (1990), 23–29.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

756 References



º ÂÙÒÒ "Ð ¾¼½¸ ¾¿¼ [ÂÙÒ 1993] , Finite fields, B.I.-Wissenschaftsverlag, Manheim, Leipzig, Wien,

Zürich, 1993.



ź ÂÙ×Ø ËºÎ ÙÒ Ý   [ÂÙÎ 1996] & , Authenticated multi-party key agreement, Advances in Cryp- tology – Asiacrypt 1996, Lecture Notes in Comput. Sci., vol. 1163, Springer-Verlag, 1996, 36–49.

+



ź Ã Ø  Áº Ã Ø ÑÙÖ Ìº " × Ø Ìº Ì "   ¸ ¼ [à à 2004] , , ,& , Novel efficient implemen- tations of hyperelliptic curve cryptosystems using degenerate divisors, Workshop on In- formation Security Applications – WISA 2004, Lecture Notes in Comput. Sci., vol. 3325,

Springer-Verlag, Berlin, 2004, 347–361.



¿ º ˺ à Р×" ¸ ÂÖº [à Р1986] , A pseudorandom bit generator based on elliptic logarithms, Ad- vances in Cryptology – Crypto 1986, Lecture Notes in Comput. Sci., vol. 293, Springer- Verlag, Berlin, 1986, 84–103.

o

 ¾¼ ¸  [Ã Ð 1995] , The Montgomery inverse and its applications, IEEE Trans. on Computers 44 N 8 (1995), 1064–1065.

o



$º º à ØÓ Ëº ÄÙ" Ò ½¿ ¸ ¾¿ [à ÄÙ 1982] & , Zeta matrices of elliptic curves, J. Number Theory 15 N 3

(1982), 318–330.



½¼¸ ¾¾ Ϻ à ÑÔ"=ØØÖ [Ã Ñ 1991] , Explizite Gleichungen für Jacobische Varietäten hyperelliptischer

Kurven, PhD. Thesis, Universität Gesamthochschule Essen, 1991.



º Àº à ÖÔ Èº Å Ö"×Ø Ò ¾ [à Š1997] & , High-precision division and square root, ACM Trans.

Math. Software 23 No4 (1997), 561–589.



¾ $º Ã Ò<

[Ã Ò 1993] , 100 statistical tests, Sage Publications, 1993.



à Ç% º º Ã Ö Ø×Ù 8Ùº Ç%Ñ Ò [ 1962] & , Multiplication of multiplace numbers on au- ½ 

tomata, Dokl. Acad. Nauk SSSR 145 No2 (1962), 293–294.

 ¾ [Ã Ç% 1963] , Multiplication of multidigit numbers on automata, Soviet Physics-Doklady 7

(1963), 595–596.



º º Ã Ö Ø×Ù ØÖÒ×¹ ½ 

[Ã Ö 1995] , The complexity of computations, Trudy Mat. Inst. Steklov.  Ò

ÐØ Proc. Steklov Inst. Math. 211 (1995), 186–202.



º à ØÞ Åº 8ÙÒ   [à 8Ù 2003] & , Scalable protocols for authenticated group key exchange, Ad- vances in Cryptology – Crypto 2003, Lecture Notes in Comput. Sci., vol. 2729, Springer-

Verlag, 2003, 110–125.

½¿ ¸ ¾½¸ ¿¿¸ ú ˺ ÃÐ Ý [à 2001] , Counting points on hyperelliptic curves using MonskyÐWashnitzer

cohomology, J. Ramanujan Math. Soc. 16 (2001), 323–338.  ¸¾¸¿¸







Ã Ò º à Ò [ 2001] , An improved implementation of elliptic curves over GF(2) when using pro- ¾¾½ jective point arithmetic, Selected Areas in Cryptography – SAC 2001, Lecture Notes in Comput. Sci., vol. 2259, Springer-Verlag, Berlin, 2001, 134–150.

+



Ã È º à ÔÒ × Âº È Ø Ö Ò Äº $ÓÙ Ò [ 1999] , ,& , Unbalanced oil and vinegar signature ½¸  schemes, Advances in Cryptology – Eurocrypt 1999, Lecture Notes in Comput. Sci., vol.

+

1592, Springer-Verlag, 1999, 206–222. Extended version: [Ã È 2003].

+



Àº 8º Ã Ñ Âº 8º È Ö" º Àº ÓÒ Âº Àº È Ö" º Àº à Ѻ ˺ $º ¾¼¸ ¿¿ [Ã È 2002] , , , , ,&

À Ò, Fast elliptic curve point counting using Gaussian Normal Basis, Algorithmic Number Theory Symposium – ANTS V, Lecture Notes in Comput. Sci., vol. 2369, Springer-Verlag, 2002, 292–307.

+



º à ÔÒ × Âº È Ø Ö Ò Äº $ÓÙ Ò ½¸  [Ã È 2003] , ,& , Unbalanced oil and vinegar signature

+

schemes, extended version of [Ã È 1999], 2003.

http://citeseer.nj.nec.com/231623.html



º ÃÒÓÔ%Ñ Ö   [ÃÒÓ 1975] , Abstract analytic number theory, North–Holland Mathematical Li- brary, vol. 12, North–Holland, Amsterdam, 1975.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

References 757



º 'º ÃÒÙØ º Àº È Ô  Ñ ØÖ ÓÙ ½ [ÃÒÈ 1981] & , Duality in addition chains, Bull. Eur. Assoc.

Theoret. Comput. Sci. 13 (1981), 2–4.



º 'º ÃÒÙØ ½ [ÃÒÙ 1981] , The art of computer programming. Vol. 2, Seminumerical algorithms, second ed., Addison-Wesley Publishing Company, Reading, MA, 1981, Addison-Wesley

Series in Computer Science and Information Processing.

ÃÒÙ [ 1997] , The art of computer programming. Vol. 2, Seminumerical algorithms, third ed., ½¸ ½¼¸ ½¾¸

Addison-Wesley Publishing Company, Reading, MA, 1997, Addison-Wesley Series in ½ ¼¸½ ¸½ ¸ ¾¾¸ ¼¸ ¸

Computer Science and Information Processing. ¼¾¸ ½¸ ½ ¸



¾¼



'º Ϻ ÃÒÙ×Ò ¾¾ ¸ ¾ ¸ ¿¼¼ [ÃÒÙ 1999] , Elliptic scalar multiplication using point halving, Advances in Cryp- tology – Asiacrypt 1999, Lecture Notes in Comput. Sci., vol. 1716, Springer-Verlag, Berlin, 1999, 135–149.

k



Ó Lº ú ÃÓM ̺  Ö ¾½ ¸  [à 1998] & , Montgomery multiplication in GF(2 ), Des. Codes Cryptogr. 14 No1 (1998), 57–69.

+



ÃÓ Lº ú ÃÓM ̺  Ö º ˺ à Р×" ¸ ÂÖº [ 1996] , ,& , Analyzing and comparing Mont- ¾¼¸ ¿

gomery multiplication algorithms, IEEE Micro 16 No3 (1996), 26–33.



¿¼ ¸ ¿ Ó ƺ ÃÓÐ ØÞ

[Ã 1989] , Hyperelliptic cryptosystems, J. Cryptology 1 (1989), 139–150.



Ó ¿¸ ¿ ¸ ¿  [à 1992] , CM-curves with good cryptographic properties, Advances in Cryptology – Crypto 1991, Lecture Notes in Comput. Sci., vol. 576, Springer-Verlag, Berlin, 1992,

279–287.



Ó ¾½¾ [Ã 1994] , A course in Number Theory and Cryptography, Graduate Texts in Mathematics,

vol. 114, Springer-Verlag, 1994, second edition.



 ¸ ¼ Ó Ⱥ ÃÓÖ [à 1996] , Timings attacks on implementations of Diffie–Hellman, RSA, DSS and other systems, Advances in Cryptology – Crypto 1996, Lecture Notes in Comput. Sci., vol. 1109,

Springer-Verlag, Berlin, 1996, 104–113.



ÃÓ 1º ÃÓÙÒ [ 2001] , Careful design and integration of cryptographic primitives, with contri-   bution to timing attack, padding schemes and random number generators, PhD. Thesis, Katholieke Universiteit Leuven, 2001.

http://www.dice.ucl.ac.be/~fkoeune/thesis.ps.gz



ÃÓ º ʺ ÃÓÐ [ 2003] , The AGM-X0(N) Heegner point lifting algorithm and elliptic curve ¾ point counting, Advances in Cryptology Proceedings – Asiacrypt 2003, Lecture Notes in Comput. Sci., vol. 2894, Springer-Verlag, Berlin, 2003, 124–136.

+



 ¸  ¼¸ ¼ Ó Ⱥ ÃÓÖ Âº  %% º ÂÙÒ [à 1999] , ,& , Differential power analysis, Advances in Cryp- tology – Crypto 1999, Lecture Notes in Comput. Sci., vol. 1666, Springer-Verlag, Berlin,

1999, 388–397.



Ã=Ã٠Ǻ Ã=ÑÑÖÐ Ò ź $º ÃÙÒ [ 1999] & , Design principles for tamper-resistant smartcard  ¼ processors, Proceedings of the 1999 USENIX Workshop on Smartcard Technology, 1999, 9–20.

+



½ ÓÄ ú Àº ÃÓ Ëº º Ä º Àº ÓÒ Âº Ϻ À Ò Âº à Ò º È Ö" [à 2000] , , , , ,& , New public key cryptosystem using braid groups, Advances in Cryptology – Crypto 2000, Lecture Notes in Comput. Sci., vol. 1880, Springer-Verlag, Berlin, 2000, 166–183.

+



ÃÓÅÓ Ìº ÃÓ Ý × Àº ÅÓÖ Ø Ãº ÃÓ Ý × 1º ÀÓ× ÒÓ [ 1999] , , ,& , Fast elliptic curve ¾¿ algorithm combining Frobenius map and table reference to adapt to higher characteristic,

Theory and Application of Cryptographic Techniques, 1999, 176–189.



ÓÖ Áº ÃÓÖÒ ½ ¸ ¿

[Ã 2002] , Computer arithmetic algorithms, A. K. Peters, 2002.



ÓË º ʺ ÃÓÐ Áº 'º ËÔ ÖÐ Ò×" ¿¾ [à 2000] & , Exponential sums and group generators for elliptic curves over finite fields, Algorithmic Number Theory Symposium – ANTS IV,

Lecture Notes in Comput. Sci., vol. 1838, Springer-Verlag, Berlin, 2000, 395–404.



ÓËÙ Lº ú ÃÓM º ËÙÒ Ö ¿ [à 1998] & , Low-complexity bit-parallel canonical and normal basis multipliers for a class of finite fields, IEEE Trans. on Computers 47 No3 (1998), 353–356.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

758 References



ÓÌ× Ãº ÃÓÝ Ñ 8º Ì×ÙÖÙÓ" ½¾¸ ¿¼¾ [à 1993] & , Speeding up elliptic cryptosystems by using a signed binary window method, Advances in Cryptology – Crypto 1992, Lecture Notes in Comput. Sci., vol. 740, Springer-Verlag, Berlin, 1993, 345–357.

o



ÓÏ ú ÃÓ " º ÏÒ  ¿ [à 2005] & , Construction of CM-Picard curves, Math. Comp. 74 N 249

(2005), 499–518.



  ź ÃÖ Ø "

[ÃÖ 1922] , Théorie des nombres, vol. 1, Gauthier-Villars, 1922.

 ÃÖ

[ 1924] , Recherches sur la théorie des nombres, Gauthier-Villars, 1924.  



ͺ ÃÖ Ö ¿½¿ [ÃÖ 1997] , Anwendung hyperelliptischer Kurven in der Kryptographie, Master’s the-

sis, Universität Gesamthochschule Essen, 1997.



ÃÖÂ Ϻ ÃÖ Ò " ̺ ÂÐ Ò [ 1996] & , Bidirectional exact integer division, J. Symbolic ½ ¼ Comput. 21 No4–6 (1996), 441–445.

+



- º ÃÙÖÓ" ź $ÓÒ ú Å Ø×ÙÓ Âº  Ó Ëº Ì×Ù< ¿ [ÃÙ$Ó 2002 , , , ,& , Fast genus three hyperelliptic curve cryptosystems, Symposium on Cryptography and Information Security – SCIS 2002, 503–507.

http://lab.iisec.ac.jp/~matsuo_lab/pub/pdf/8b-2_1244.pdf



Ã7 Àº Ã7Ò [ 1902] , Eine Wechselbeziehung zwischen Funktionen mehrerer Unbestimmten, die ¿

zu Reciprocitätsgesetzen führt, J. Reine Angew. Math. 124 (1902), 121–133.



ÃÙ8 ƺ ÃÙÒ  ÖÓ Àº 8 Ñ ÑÓØÓ [ 1998] & , Window and extended window methods for addition ½¼ chain and addition-subtraction chain, IEICE Trans. Fundamentals E81-A No1 (1998),

72–81.



¿  º ĺ Ä Ö Ò

[Ä 1973] , Îuvres, Georg Olms Verlag, 1973, in French.



¼½ ʺ º Ä ÑÖØ [Ä Ñ 1996] , Computational aspects of Discrete Logarithms, PhD. Thesis, Univer-

sity of Waterloo, Ontario, Canada, 1996.



  ̺ Ä Ò Ⱥ ú Å ×Ö [Ä Å 2004] & , SCA resistant parallel explicit formula for addition and

doubling of divisors in the Jacobian of hyperelliptic curves of genus 2, preprint, 2004.



Ä Ò ËºÄ Ò

[ 1973] , Elliptic functions, Addison-Wesley Publishing Company, Reading, MA, 1973. ¸ ½¾¿

 Ä Ò [ 1982] , Introduction to algebraic and abelian functions, 2nd edition ed., Springer-Verlag, ½¼¼¸ ½¼

Berlin, 1982.

¿½¿¸ ¿½¸ ¿ ¸ ̺ Ä Ò [Ä Ò 2001a] , Efficient arithmetic on hyperelliptic curves, PhD. Thesis, Universität-Gesam-

thochschule Essen, 2001. ¿ ¸¿ ¸¿ ¿¸



½¼¸ ½¾

 Ä Ò [ 2001b] , Efficient arithmetic on hyperelliptic Koblitz curves, Tech. Report 2-2001, ¿

Universität-Gesamthochschule Essen, 2001.

 Ä Ò [ 2001c] , Hyperelliptic curves allowing fast arithmetic, webpage, 2001. ¿ ¸ ¿ ½

http://www.ruhr-uni-bochum.de/itsc/tanja/KoblitzC.html



½ ¸ ¾¸ ¾ ˺ Ä Ò [Ä Ò 2002a] , Algebra, Graduate Texts in Mathematics, vol. 211, Springer-Verlag, Berlin,

2002, third edition.



Ä Ò Ìº Ä Ò [ 2002b] , Efficient arithmetic on genus 2 hyperelliptic curves over finite fields via ex- ¿½ plicit formulae, preprint, 2002.

http://eprint.iacr.org/2002/121/

 Ä Ò [ 2002c] , Inversion-free arithmetic on genus 2 hyperelliptic curves, preprint, 2002. ¿¾½

http://eprint.iacr.org/2002/147/

 ¿¾¿¸ ¿¾¸ ¿¾ [Ä Ò 2002d] , Weighted coordinates on genus 2 hyperelliptic curves, preprint, 2002.

http://eprint.iacr.org/2002/153/

 ¿¾ ¸ ¿¾ ¸  [Ä Ò 2004a] , Montgomery addition for genus two curves, Algorithmic Number Theory Sym- posium – ANTS VI, Lecture Notes in Comput. Sci., vol. 3076, Springer-Verlag, 2004, 309–317.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

References 759

 ¾  [Ä Ò 2004b] , A note on López–Dahab coordinates, preprint, 2004.

http://eprint.iacr.org/2004/323/

½¿½¸ ¿ ¿¸ ¿ ¸

[Ä Ò 2004c] , Trace zero subvarieties of genus 2 curves for cryptosystems, J. Ramanujan Math. 

Soc. 19 No1 (2004), 15–33. ¿ 

 ¿½¿¸ ¿¸ ¿

[Ä Ò 2005a] , Arithmetic on binary genus 2 curves suitable for small devices, preprint, 2005.

 ¿¿ ¸ ¿¾¸ ¿ [Ä Ò 2005b] , Formulae for arithmetic on genus 2 hyperelliptic curves, Appl. Algebra Engrg. Comm. Comput. 15 No5 (2005), 295–328.

o

 ¿ ¸ ¿ ¼¸ ¿ 

[Ä Ò 2005c] , Koblitz curve cryptosystems, Finite Fields Appl. 11 N 2 (2005), 220–229.



Ù Àº Ä Ò Ϻ ÊÙÔÔÖØ  [Ä Ê 1985] & , Complete systems of addition laws on abelian varieties,

Invent. Math. 79 (1985), 603–610.



Ä Ë ̺ Ä Ò Áº 'º ËÔ ÖÐ Ò×" [ 2005a] & , Certain exponential sums and random walks on ¿¿¸ ¿

elliptic curves, Canad. J. Math. 57 (2005), 338–350.

 ¿ ¸ ¿ [Ä Ë 2005b] , Collisions in fast generation of ideal classes and points on hyperelliptic and

elliptic curves, Appl. Algebra Engrg. Comm. Comput. 15 No5 (2005), 329–337.

̺ Ä Ò ź ËØÚÒ× ¿¿¸ ¿¿¸ ¿¿ ¸

[Ä ËØ 2005] & , Efficient doubling for genus two curves over binary fields,  Selected Areas in Cryptography – SAC 2004, Lecture Notes in Comput. Sci., vol. 3357, ¿¾

Springer-Verlag, Berlin, 2005, 170–181.



Ù º $º º Ä ÙÖ ½¿ [Ä 2004] , Deformation theory and the computation of zeta functions, Proc.

London Math. Soc. (3) 88 No3 (2004), 565–602.



½¿ ¸ ¿ º $º º Ä ÙÖ º Ï Ò [Ä Ï 2002a] & , Computing zeta functions of ArtinÐSchreier curves

over finite fields, LMS J. Comput. Math. 5 (2002), 34–55 (electronic).



Ä Ï [ 2002b] , Counting points on varieties over finite fields of small characteristic, Algorith- ½¿ mic Number Theory: Lattices, Number Fields, Curves and Cryptography, Mathematical Sciences Research Institute Publications, 2002. Proceedings of an MSRI workshop. To

appear.



Ä Ï [ 2004] , Computing zeta functions of Artin-Schreier curves over finite fields II, J. Com- ½¿ ¸ ¿

plexity 20 No2-3 (2004), 331–349.



̺ Ä Ò º Ï ÒØÖÓ%  [Ä Ï 2002] & , Polynomial interpolation of the elliptic curve and XTR discrete logarithm, Computing and Combinatorics – COCOON 2002, Lecture Notes in

Comput. Sci., vol. 2387, Springer-Verlag, Berlin, 2002, 137–143.

 Ä Ï [ 2003] , Interpolation of the elliptic curve Diffie–Hellman mapping, Applicable Alge-  bra, Algebraic Algorithms and Error-Correcting Codes – AAECC 2003, Lecture Notes in

Comput. Sci., Springer-Verlag, Berlin, 2003, 51–60.



½ ¾ º Àº ÄÑÖ [Ä 1938] , Euclid’s algorithm for large numbers, Amer. Math. Monthly 45 (1938),

227–233.



ÄÄ º ú ÄÒ×ØÖ Àº Ϻ ÄÒ×ØÖ ¸ ÂÖº

[ 1990] & , Algorithms in number theory, Handbook of  Ò ÄÙÛÒ theoretical computer science, Volume A, algorithms and complexity (º Ú ,

ed.), Elsevier, Amsterdam, 1990.



ÄÄ º ú ÄÒ×ØÖ Àº Ϻ ÄÒ×ØÖ ¸ ÂÖº [ 1993] & (eds.), The development of the Number ¼ ¸ ½ Field Sieve, Lecture Notes in Math., vol. 1554, Springer-Verlag, Berlin, 1993.

+



 º ú ÄÒ×ØÖ Àº Ϻ ÄÒ×ØÖ ¸ ÂÖº ĺ ÄÓÚN×Þ [ÄÄ 1982] , ,& , Factoring polynomials with rational coefficients., Math. Ann. 261 (1982), 513–534.

+



º ú ÄÒ×ØÖ Àº Ϻ ÄÒ×ØÖ ¸ ÂÖº ź ˺ Å Ò ×× º ź ÈÓÐÐ Ö ½ [ÄÄ 1990] , , ,& , The Number Field Sieve, Symposium on the Theory of Computing – STOC 1990, ACM,

1990, 564–572.



¾¿¸ ¿ ʺ ÄÖ Ö º ÄÙ Þ [ÄÄÙ 2003] & , Counting points on elliptic curves over finite fields of small characteristic in quasi quadratic time, Advances in Cryptology – Eurocrypt 2003, Lecture Notes in Comput. Sci., vol. 2656, Springer-Verlag, 2003, 360–373.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

760 References



º ú ÄÒ×ØÖ Åº ˺ Å Ò ×× ¼ ¸ ½¾ [ÄÅ 1994] & , Factoring with two large primes, Math. Comp.

63 (1994), 77–82.



Àº Ϻ ÄÒ×ØÖ ¸ ÂÖº ¼¸ ¼ [ÄÒ 1987] , Factoring integers with elliptic curves, Ann. of Math. (2) 126

No3 (1987), 649–673.



º ú ÄÒ×ØÖ ¿ ¾ [ÄÒ 1999] , Efficient identity based parameter selection for elliptic curve cryp- tosystems, Australasian Conference on Information Security and Privacy – ACISP 1999,

Lecture Notes in Comput. Sci., vol. 1587, Springer-Verlag, 1999, 294–302.

 ¾¼¸ ½¼¸ ½¾ [ÄÒ 2002] , Computational methods in public key cryptology, 2002. http://www.win.tue.nl/~klenstra/notes.ps

n



ÄÖ Êº ÄÖ Ö [ 1996] , Computing isogenies in GF(2 ), Algorithmic Number Theory Symposium ¾½

– ANTS II, Lecture Notes in Comput. Sci., vol. 1122, Springer-Verlag, 1996, 197–212.

½ ¼¸ ½ ¾¸ ½ ¸

[ÄÖ 1997] , Algorithmique des courbes elliptiques dans les corps finis, PhD. Thesis, École  polytechnique, 1997. ¾ ¸ ¾½

http://www.medicis.polytechnique.fr/~lercier/preprints/these.pdf



Àº Ϻ ÄÒ×ØÖ ¸ ÂÖº º Ⱥ ËÒÓÖÖ   [ÄË 1984] & , A Monte Carlo factoring algorithm with

linear storage, Math. Comp. 43 No167 (1984), 289–311.



ÄÎ º ú ÄÒ×ØÖ 'º ʺ ÎÖÙÐ [ 2000] & , The XTR public key system, Advances in Cryp- tology – Crypto 2000, Lecture Notes in Comput. Sci., vol. 1880, Springer-Verlag, Berlin,

2000, 1–19.



½¼ º ÄÑÔРº ; Ú [Ä; 1978] & , Compression of individual sequences via variable rate coding,

IEEE Trans. Inform. Theory IT-24 No5 (1978), 530–536.



˺ Ä ØÒ ÙÑ ½¾¼ [Ä  1969] , Duality theorems for curves over p-adic fields, Invent. Math. 7 (1969), 120–136.

+



½ 8º )º Ä Êº Àº Ò )º ź Ï Ò [Ä  1994] , ,& , On the equivalence of McEliece’s and Niederreiter’s public-key cryptosystems, IEEE Trans. Inform. Theory 40 No1 (1994), 271–

273.



¾¼½ Ä  [Ä  - , A C++ library for computational number theory, version 2.1.3, 2004.

http://www.informatik.tu-darmstadt.de/TI/LiDIA/



½ º Àº Ä Ñ Èº º Ä [Ä Ä 1994] & , More flexible exponentiation with precomputation, Advances in Cryptology – Crypto 1994, Lecture Notes in Comput. Sci., vol. 839, Springer-Verlag,

Berlin, 1994, 95–107.

 Ä Ä [ 1997] , A key recovery attack on discrete log-based schemes using a prime order sub- ¼ group, Advances in Cryptology – Crypto 1997, Lecture Notes in Comput. Sci., vol. 1294,

Springer-Verlag, 1997, 249–263.



Ä Æ Êº Ä Ð Àº Æ ÖÖ ØÖ [ 1997] & , Finite fields, second ed., Cambridge University Press, ½ ¸ ¿½¸ ¾¼½

1997.



Ä ÉÙ º Ä ÖØ Âº¹Âº ÉÙ ×ÕÙ ØÖ [ 2003] & , Efficient revocation and threshold pairing based 

cryptosystems, Principles of Distributed Computing – PODC 2003, ACM, 2003, 163–171.

Ä ËÑ Èº¹8º Ä ÖØ Æº Ⱥ ËÑ ÖØ

[ 2001] & , Preventing SPA/DPA in ECC systems using the ¾ ¸  ¸  ¸  Jacobi form, Cryptographic Hardware and Embedded Systems – CHES 2001, Lecture  Notes in Comput. Sci., vol. 2162, Springer-Verlag, Berlin, 2001, 391.

n



º ÄJÔÞ Êº    ¾ ¸ ¾ ¿¸ ¾  [ÄJ 1998] & , Improved algorithms for elliptic curve arithmetic in GF(2 ), Tech. Report IC-98-39, Relatório Técnico, October 1998.

m



¾ ¸ ¾ [ÄJ 1999] , Fast multiplication on elliptic curves over GF(2 ) without precomputation, Cryptographic Hardware and Embedded Systems – CHES 1999), Lecture Notes in Com-

put. Sci., vol. 1717, Springer-Verlag, Berlin, 1999, 316–327.



F ¾½ [ÄJ 2000a] , High-speed software multiplication in 2m , Progress in Cryptology – Indocrypt 2000, Lecture Notes in Comput. Sci., vol. 1977, Springer-Verlag, Berlin, 2000, 203–212.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

References 761



¾  [ÄJ 2000b] , An overview of elliptic curve cryptography, Tech. Report IC-00-10, Relatório

Técnico, May 2000.



 º ÄÓÖÒÞ Ò [ÄÓÖ 1996] , An invitation to arithmetic geometry, Graduate studies in mathematics,

vol. 9, AMS, 1996.



½¿ ˺ ÄÙ" Ò [ÄÙ 1968] , A p-adic proof of Weil’s conjectures, Ann. of Math. (2), 105-194; ibid. (2)

87 (1968), 195–255.



½¸ ¾¸ ¾ º ÄÙ Þ [ÄÙ Þ- , homepage, Sur les tests statistiques de générateurs aléatoires. http://www.math.u-bordeaux.fr/~lubicz/

+



º ÄÙ Ò Âº¹Èº ËÖÖ º Ì Ø ½¿ ¸ ¾¿ [ÄÙË 1964] , ,& , Elliptic curves and formal groups, July 1964. Lecture notes prepared in connection with the seminars held at the Summer Institute on Algebraic Geometry, Whitney State, Woods Hole, Massachusets.

http://ma.utexas.edu/users/voloch/lst.html



1º ÄÙ Áº 'º ËÔ ÖÐ Ò×"   [ÄÙË 2005] & , On the exponent of the group of points on elliptic curves in extension fields, Intern. Math. Research Notices 23 (2005), 1391–1409.

+



ú Å Ø×ÙÓ Âº  Ó Ëº Ì×Ù< ¿½ [Å  2001] , ,& , Fast genus two hyperelliptic curve cryp- tosysytems, Tech. Report ISEC2001-23, IEICE, 2001.

+

 ½½¸   [Å  2002] , An improved baby-step giant-step algorithm for point counting of hyperelliptic curves over finite fields, Algorithmic Number Theory Symposium – ANTS V, Lecture

Notes in Comput. Sci., vol. 2369, Springer-Verlag, 2002, 461–474.



¾ ź ˺ Å ×Ò [Å  2003] , A general framework for p-adic point counting and application to

elliptic curves in Legendre form, preprint, 2003.



Å Ñ - [ The Magma computational algebra system for algebra, number theory and geometry, ver- ¾¼½¸ ¾ sion 2.11-14, April 2005.

http://magma.maths.usyd.edu.au/magma/



½ ̺ Å Ø×ÙÑÓØÓ Àº ÁÑ [Å ÁÑ 1988] & , Public quadratic polynomial-tuples for efficient signature verification and message-encryption, Advances in Cryptology – Eurocrypt 1988, Lecture Notes in Comput. Sci., vol. 330, Springer-Verlag, 1988, 419–445.

+



Å Å ͺ ź Å ÙÖÖ º º ÅÒÞ× 'º Ì×" [ 2002] , ,& , Analysis of the GHS Weil descent ¿½¸ ¿ attack on the ECDLP over characteristic two finite fields of composite degree, LMS J.

Comput. Math. 5 (2002), 127–174.



Å Ò ÂÙº Áº Å Ò Ò [ 1961] , The Hasse-Witt matrix of an algebraic curve, Izv. Akad. Nauk. SSSR ½½

Ser. Mat. 25 (1961), 153–172.

 Å Ò [ 1962] , On the theory of Abelian varieties over a field of finite characteristic, Izv. Akad. ½¾

Nauk. SSSR Ser. Mat. 26 (1962), 281–292.



½½¿ º Å ×ÒÖ 'º Æ ÖØ [Å Æ 2002] & , Abelian surfaces over finite fields as Jacobians, Experiment.

Math. 11 (2002), 321–337, with an appendix by E. Howe.



$º Å Ö× Ð ¾ [Å Ö- , The diehard battery of stringent statistical randomness tests.

http://random.com.hr/products/random/manual/html/Diehard.html



º ĺ Å ××Ý ¼½ [Å × 1969] , ShiftÐregister synthesis and BCH decoding, IEEE Trans. Inform. Theory

IT-15 (1969), 122–127.



Š٠ͺ ź Å ÙÖÖ [ 1992] , A universal statistical test for random number generators, J. Cryptol- ¾¿¸ ¾

ogy 5 No2 (1992), 89–105.



Å ÏÓ Íº ź Å ÙÖÖ Ëº ÏÓÐ% [ 1998] & , Lower bounds on generic algorithms in groups, Ad-  vances in Cryptology – Eurocrypt 1998, Lecture Notes in Comput. Sci., vol. 1403,

Springer-Verlag, Berlin, 1998, 72–84.



Ó ½¼ [Å Ï 1999] , The relationship between breaking the Diffie–Hellman protocol and computing Discrete Logarithms, SIAM J. Comput. 28 No5 (1999), 1689–1721.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

762 References



ú ˺ ÅÙÖÐÝ  

[Å 1990] , The discrete logarithm problem, Cryptography and computational ÈÓÑÖ Ò number theory (º , ed.), Proc. Symp. Appl. Math., vol. 42, AMS, 1990,

49–74.



Å' ʺ º Å'Ð  [ 1969] , Factorization of polynomials over finite fields, Math. Comp. 23 ¼

(1969), 861–867.

 ½ [Å' 1978] , A public-key cryptosystem based on algebraic coding theory, Deep Space Net- work Progress Report 42-44, Jet Propulsion Lab., California Institute of Technology (1978), 114–116.

+



$º ÅÙÖ   ÓÖÑ Ð Ⱥ ÙÐÒ× Âº¹Âº ÉÙ ×ÕÙ ØÖ ¾¼ [ÅÙ 2004] , ,& , Efficient mod- ular division implementation: ECC over GF(p) affine coordinates application, Field- Programmable Logic and Applications – FPL 2004, Lecture Notes in Comput. Sci., vol. 3203, Springer-Verlag, Berlin, 2004, 231–240.

+



ÅÇ" º º ÅÒÞ× Ìº Ç" ÑÓØÓ ËººÎ Ò×ØÓÒ [ 1993] , ,& , Reducing elliptic curve loga- ¿ ¸ ¿¼¸  ¼ rithms to a finite field, IEEE Trans. on Inform. Theory 39 (1993), 1639–1646.

+

º º ÅÒÞ× Èº Ú Ò ÇÓÖ×ÓØ ËººÎ Ò×ØÓÒ ÜÜܸ ¸ ½¼¸ [ÅÇÓ 1996] , ,& , The Handbook of Ap-

plied Cryptography, CRC Press, Inc., 1996. ½¾¸ ½¿¸ ½¸ ½ ¼¸½ ¼¸½ ¿¸

http://www.cacr.math.uwaterloo.ca/hac/ ½ ¸ ¾¼¸ ¾ ¸



¾ ¸ ¿½



º º ÅÒÞ× Åº ÉÙ ¿½¸ ¿¸ ¿ [ÅÉÙ 2001] & , Analysis of the Weil descent attack of Gaudry, Hess and Smart, Topics in cryptology – CT-RSA 2001, Lecture Notes in Comput. Sci., vol. 2020,

Springer-Verlag, Berlin, 2001, 308–318.



½¼¾ º¹1º Å×ØÖ [Å× 1991] , Construction des courbes de genre 2 à partir de leurs modules, Prog.

Math., Birkhäuser 94 (1991), 313–334.



̺ ˺ Å××Ö×  ¼¸ ¼ [Å× 2000a] , Using second order power analysis to attack DPA resistant software, Cryptographic Hardware and Embedded Systems – CHES 2000, Lecture Notes in Comput.

Sci., vol. 1965, Springer-Verlag, Berlin, 2000, 238–251.



½¿ ¸ ¿¿¸ ¿ º¹1º Å×ØÖ [Å× 2000b] , Lettre adressée à Gaudry et Harley, December 2000. In French.

http://www.math.jussieu.fr/~mestre/



¿¸ ¾ - [Å× 2002 , Applications de l’AGM au calcul du nombre de points d’une courbe de genre 1 ou 2 sur F2n . Talk given to the Séminaire de Cryptographie de l’Université de Rennes, March 2002.

http://www.maths.univ-rennes1.fr/crypto/2001-02/Mestre2203.html



Ϻ Å Ö Çº ËØ %%Ð  ¿ ¸ ¿¼¸ ¿¾ [ÅËØ 1993] & , Efficient multiplication on certain nonsupersingular elliptic curves, Advances in Cryptology – Crypto 1992, Lecture Notes in Comput. Sci., vol. 740, Springer-Verlag, Berlin, 1993, 333–344.

+



º º ÅÒÞ× 'º Ì×" º ÏÒ ¿ [ÅÌ 2004] , ,& , Weak fields for ECC, Topics in Cryptology – CT-RSA 2004, Lecture Notes in Comput. Sci., vol. 2964, Springer-Verlag, 2004, 366–

386.



¿¸  ½ º º ÅÒÞ× ËººÎ Ò×ØÓÒ [ÅÎ 1990] & , The implementation of elliptic curve cryptosys- tems, Advances in Cryptology – Auscrypt 1990, Lecture Notes in Comput. Sci., vol. 453,

Springer-Verlag, Berlin, 1990, 2–13.



 ¼ [Å1 2004] Microelectronics Failure Analysis Desk Reference Fifth Edition EDFAS (Electronic De-

vice Failure Analysis Society) and ASM International editors, 2004.



Ú Èº Å 3 Ð×٠ʺ ź Ú ÒÞ ¼½ [Å 2003] & , Efficient “quasi”-deterministic primality test im- proving AKS, preprint, March 2003.

+



- 8º Å Ý ÑÓØÓ Àº Ó Ãº Å Ø×ÙÓ Âº  Ó Ëº Ì×Ù< ¿½¸ ¿¾½ [Å Ó 2002 , , , ,& , A fast addition algorithm of genus two hyperelliptic curve, Symposium on Cryptography and Information

Security – SCIS 2002, 497–502. In Japanese.



Ⱥ Å 3 Ð×Ù ¾¾ [Å  1997] , Optimal Galois field bases which are not normal, 1997. Presented at the Workshop on Fast Software Encryption in Haifa.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

References 763

 ¾¿½ [Å  2000] , Medium Galois fields, their bases and arithmetic, 2000. Preprint.

http://grouper.ieee.org/groups/1363/P1363a/contributions/Medium.pdf



κ ˺ Å ÐÐÖ ½¾¾¸ ¿ ¾ [Å Ð 1986] , Short programs for functions on curves, 1986. IBM, Thomas J. Watson Research Center.

http://crypto.stanford.edu/miller/

 ½¾¾¸ ¿ ¾ [Å Ð 2004] , The Weil pairing, and its efficient calculation, J. Cryptology 17 (2004), 235–261.

+



º Å Ý < ź Æ "  Ý × ˺ Ì " ÒÓ   [Å Æ 2001] , ,& , New explicit conditions of elliptic curve traces for FR-reduction, IEICE Trans. Fundamentals E84-A No5 (2001), 1234–

1243.



Ⱥ ú Å ×Ö ¿¼¾¸  ¾ [Å × 2004a] , Pipelined computation of scalar multiplication in elliptic curve cryp- tosystems, Cryptographic Hardware and Embedded Systems – CHES 2004, Lecture Notes

in Comput. Sci., vol. 3156, Springer-Verlag, Berlin, 2004, 328–342.

   [Å × 2004b] , Scalar multiplication in elliptic curve cryptosystems: Pipelining with pre- computations, preprint, 2004.

http://eprint.iacr.org/2004/191/



½  ʺ ̺ ÅÓÒ" º º ÓÖÓ Ò [ÅÓÓ 1972] & , Fast modular transforms via division, Conf. Record, IEEE 13th Annual Symp. on Switching and Automata Theory, IEEE Press, 1972,

90–96.



ź º ÅÓÖÖ ×ÓÒ Âº Ö ÐÐ ÖØ ¼ ¸ ¼ [ÅÓÖ 1975] & , A method of factorization and the factorization

of F7, Math. Comp. 29 (1975), 183–205.



ÅÓ ʺ ̺ ÅÓÒ" [ 1973] , Fast computation of GCDs, Proceedings of the 5th Annual ACM Sym- ¾¿

posium on the Theory of Computing, 1973, 142–151.



  ;º ÅÓ Âº Ⱥ ÂÓÒ×

[ÅÓÂÓ- & , A new primality test using Lucas sequences, preprint.



Å=Ð º Å=ÐÐÖ [ 2001a] , Securing elliptic curve point multiplication against Side-Channel Attacks,  ¼¸ 

Information Security Conference – ISC 2001, Lecture Notes in Comput. Sci., vol. 2200, 

Springer-Verlag, 2001, 324–334. See also [Å=Ð 2001 ].

 Å=Ð [ 2001b] , Securing elliptic curve point multiplication against Side-Channel Attacks, Tech.  ¼¸ ¿ report, TU Darmstadt, 2001, Addendum “Efficiency Improvement” added 2001-08- 27/2001-08-29. Errata added 2001-12-21.

http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/

 ½ [Å=Ð 2003] , Improved techniques for fast exponentiation, Information Security and Cryptol- ogy – ICISC 2002, Lecture Notes in Comput. Sci., vol. 2587, Springer-Verlag, 2003, 298–

312.



ÅÓÒ Èº ÅÓÒ×"Ý [ 1968] , Formal cohomology. II: the cohomology sequence of a pair, Ann. of Math. ½¿¸ ½¿

(2) 88 (1968), 218–238.

 ÅÓÒ [ 1970] , p-adic analysis and zeta functions, Lectures in Mathematics, Department of ½¿

Mathematics Kyoto University, vol. 4, Kinokuniya Book-Store Co. Ltd., Tokyo, 1970.

 ½¿¸ ½¿ [ÅÓÒ 1971] , Formal cohomology. III: fixed point theorems, Ann. of Math. (2) 93 (1971), 315–

343.



ÅÓÒ Èº ĺ ÅÓÒØÓÑÖÝ [ 1985] , Modular multiplication without trial division, Math. Comp. 44 ½ ¼¸ ¾¼

No170 (1985), 519–521.

 ¾ ¸ ¼¿ [ÅÓÒ 1987] , Speeding the Pollard and elliptic curve methods of factorization, Math. Comp. 48 No177 (1987), 243–264.

o

 ½¼ [ÅÓÒ 1994] , A survey of modern integer factorization algorithms, CWI Quarterly 7 N 4

(1994), 337–366.

 ¼¿ [ÅÓÒ 1995] , A block Lanczos algorithm for finding dependencies over GF(2), Advances in Cryptology – Eurocrypt 1995, Lecture Notes in Comput. Sci., no. 921, Springer-Verlag, 1995, 106–120.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

764 References



1º ÅÓÖ Ò Âº ÇÐ ÚÓ× ½½¸ ½¿ [ÅÓÇÐ 1990] & , Speeding up the computations on an elliptic curve using

addition-subtraction chains, Inform. Theory Appl. 24 (1990), 531–543.



½¸ ¾¼ 1º ÅÓÖ Ò [ÅÓÖ 1995] , Calcul du nombre de points sur une courbe elliptique dans un corps fini :

aspects algorithmiques, J. Théor. Nombres Bordeaux 7 (1995), 255–282.

 ¼½ [ÅÓÖ Ò- , homepage.

http://www.lix.polytechnique.fr/~morain/



Ⱥ ÅÓÒ×"Ý $º Ï ×Ò ØÞÖ ½¿¸ ½¿ [ÅÓÏ 1968] & , Formal cohomology. I, Ann. of Math. (2) 88 (1968),

181–217.



κ Å7ÐÐÖ ½¸ ¾¼ [Å7Ð 1995] , Ein Algorithmus zur Bestimmung der Punktanzahl elliptisher Kurven über endlichen Körpen der Charakteristik größer drei, PhD. Thesis, Technische Fakultät der

Universität des Saarlandes, February 1995.

 ¿ ¸ ¿ ¼ [Å7Ð 1998] , Fast multiplication on elliptic curves over small fields of characteristic two,J.

Cryptology 11 (1998), 219–234.



 º ÅÙÑ%ÓÖ [ÅÙÑ 1966] , On the equations defining Abelian varieties I-III, Invent. Math. 1 (1966),

287–354.

 ¸ ¼¸ ¾¸ ¿¸

[ÅÙÑ 1974] , Abelian varieties, Oxford University Press, New York, 1974.

¾¸ ¿¸ ½½½¸

 ½½

+



¾½ ¸ ¾¾½ ʺ º ÅÙÐÐ Ò Áº ź ÇÒÝ×ÞÙ" ˺ºÎ Ò×ØÓÒ ʺ ź Ï Ð×ÓÒ [ÅÙÇÒ 1989] , , ,& , Optimal normal bases in GF(pn), Discrete Appl. Math. 22 (1989), 149–161.

+



ÅÙËÑ º ÅÙÞÖ ٠ƺ Ⱥ ËÑ ÖØ 1º ÎÖ ÙØÖÒ [ 2004] , ,& , The equivalence between the ½¼ DHP and DLP for elliptic curves used in practical applications, LMS J. Comp. Math. 7

(2004), 50–72.



º º ÅÙ Ö º ʺ ËØ Ò×ÓÒ ½¿ [ÅÙËØ 2004] & , Minimality and other properties of the width-w nonad- jacent form, Combinatorics and Optimization Research Report CORR 2004-08, University of Waterloo, 2004.

http://www.cacr.math.uwaterloo.ca/techreports/2004/corr2004-08.ps

 ÅÙËØ [ 2005] , New minimal weight representations for left-to-right window methods, Topics in ½ cryptology – CT-RSA 2005, Lecture Notes in Comput. Sci., vol. 3376, Springer-Verlag,

Berlin, 2005, 366–383.



Æ  ú¹Áº Æ  Ó [ 2004] , Improvement of Thériault algorithm of index calculus for Jacobian of ¾ hyperelliptic curves of small genus, preprint, 2004. http://eprint.iacr.org/2004/161/

+



¼¼ º Æ   º ËØÖÒ Æº Ⱥ ËÑ ÖØ [Æ ËØ 2004] , ,& , Projective coordinates leak, Advances in Cryptology – Eurocrypt 2004, Lecture Notes in Comput. Sci., vol. 3027, Springer-Verlag,

Berlin, 2004, 257–267.



٠ƺ Æ ÙÑ ÒÒ ¿ ¿¸ ¿  [Æ 1999] , Weil-Restriktion abelscher Varietäten, Master’s thesis, University Essen,

1999.



 ¸  ¼ κ Áº Æ Ú [Æ 1994] , On the complexity of a deterministic algorithm for a discrete logarithm, Mat. Zametki 55 No2 (1994), 91–101, 189, Russian. Translation in Math. Notes 55 (1994),

no. 1-2, 165–172.



ƺ Æ<  ĺ  Å Ó ÅÓÙÖÐÐ ½¿ [ÆÅ 2002] & , Minimal addition chain for efficient modular exponentiation using genetic algorithms, Proceedings of the 2002 Industrial and Engineering, Applications of Artificial Intelligence and Expert Systems Conference, Lec-

ture Notes in Comput. Sci., vol. 2358, Springer-Verlag, Berlin, 2002, 88–98.



Ⱥ ɺ ÆÙÝÒ Áº 'º ËÔ ÖÐ Ò×" ¿ ¸  ¸  [ÆË 2003] & , The insecurity of the elliptic curve digital signature algorithm with partially known nonces, Des. Codes Cryptogr. 30 (2003), 201–

217.



¿  Ⱥ ɺ ÆÙÝÒ Âº ËØÖÒ [ÆËØ 1999] & , The hardness of the hidden subset sum problem and its cryptographic implications, Advances in Cryptology – Crypto 1999, Lecture Notes in Comput. Sci., vol. 1666, Springer-Verlag, Berlin, 1999, 31–46.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

References 765



Ⱥ ɺ ÆÙÝÒ ½ [ÆÙ 1998] , A Montgomery-like square root for the Number Field Sieve, Algorith- mic Number Theory Symposium – ANTS III, Lecture Notes in Comput. Sci., vol. 1423,

Springer-Verlag, Berlin, 1998, 151–168.



ú ÆÙÝÒ ½½ ¸ ½¾½¸ ¼ [ÆÙ 2001] , Explicit arithmetic of Brauer groups, ray class fields and index calculus,

PhD. Thesis, Universität Gesamthochschule Essen, 2001.



Àº Æ ÖÖ ØÖ ½ [Æ  1986] , Knapsack-type cryptosystems and algebraic coding theory, Prob.

Contr. Inform. Theory 15 No2 (1986), 157–166.

 ¿¼ [Æ  2003] , Linear complexity and related complexity measures for sequences, Progress in Cryptology – Indocrypt 2003, Lecture Notes in Comput. Sci., vol. 2904, Springer-Verlag,

2003, 1–17.



Àº Æ ÖÖ ØÖ Áº 'º ËÔ ÖÐ Ò×" ¿½ [Æ Ë 1999] & , On the distribution and lattice structure of

nonlinear congruential pseudorandom numbers, Finite Fields Appl. 5 (1999), 246–253.



¾  ÆØ ÓÒÐ ÁÒ×Ø ØÙØ Ó ËØÒ Ö Ò ÌÒÓÐÓÝ [ÆÁËÌ- , Recommended elliptic curves for federal government use, 1999. http://www.csrc.nist.gov/encryption/

o



Æ Ú $º Æ Ú × [ 2004] , Cycle detection using a stack, Inform. Process. Lett. 90 N 3 (2004), 135–  ¸  ¼

140.



¿¼ Àº Æ ÖÖ ØÖ º ) Ò [Æ ) 2001] & , Rational points on curves over finite fields. Theory and Applications, London Mathematical Society Lecture Note Series, vol. 285, Cambridge

University Press, 2001.



¾¾¸ ¾¾ ź Æ="Ö [Æ= 1996] , Exponentiation in finite fields: theory and practice, Diplomarbeit im Fach

Informatik, Universität Paderborn, 1996.

 ¿ [Æ= 2001] , Data structures for parallel exponentiation in finite fields, PhD. Thesis, Univer-

sität Paderborn, 2001.



ÆË- ÆË ÌÑÔ×Ø ËÖ × [ .  ¾

http://cryptome.org/nsa-tempest.htm



¾¼½ κ ËÓÙÔ [ÆÌÄ- , NTL: A Library for doing Number Theory, version 5.4, 2005.

http://www.shoup.net/



ÆÌÊÍ- ÆÌÊÍÖÝÔØÓÐ  [ . ½

http://www.ntru.com/cryptolab/index.htm



½¼ - ĺ º dzÓÒÒÓÖ [dzÓ 2001 , On string replacement exponentiation, Des. Codes Cryptogr. 23

(2001), 173–183.

ÇÐ º ź ÇÐÝÞ"Ó

[ 1985] , Discrete logarithms in finite fields and their cryptographic signifi- ¾½¸  ¸ ¼¸  cance, Advances in Cryptology – Eurocrypt 1984, Lecture Notes in Comput. Sci., vol. ¼

209, Springer-Verlag, Berlin, 1985, 224–314.

 ÇÐ [ 1990] , The rise and fall of knapsack cryptosystems, Cryptology and computational num- ½

ber theory (Boulder, CO, 1989) (Providence, RI), Amer. Math. Soc., 1990, 75–88.



Ç"ÈÓ Ìº Ç" ÑÓØÓ º ÈÓ ÒØÚ Ð [ 2001] & , The gap-problems: a new class of problems for  the security of cryptographic schemes, Public Key Cryptography – PKC 2001, Lecture

Notes in Comput. Sci., vol. 1992, Springer-Verlag, 2001, 104–118.



Ç"Ë Ãº Ç"Ý Ãº Ë "ÙÖ [ 2000] & , Power analysis breaks elliptic curve cryptosystems even  secure against the timing attack, Progress in Cryptology – Indocrypt 2000, Lecture Notes

in Comput. Sci., vol. 1977, Springer-Verlag, Berlin, 2000, 178–190.

 Ç"Ë [ 2001] , Efficient elliptic curve cryptosystems from a scalar multiplication algorithm with ¾ ¸ ¾ recovery of the y-coordinate on a Montgomery-form elliptic curve, Cryptographic Hard- ware and Embedded Systems – CHES 2001, Lecture Notes in Comput. Sci., vol. 2162, Springer-Verlag, Berlin, 2001, 126–141.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

766 References

  [Ç"Ë 2002] , On insecurity of the Side Channel Attack countermeasure using addition- subtraction chains under distinguishability between addition and doubling, Australasian Conference on Information Security and Privacy – ACISP 2002, Lecture Notes in Comput.

Sci., vol. 2384, Springer-Verlag, Berlin, 2002, 420–435.

  [Ç"Ë 2003] , A simple power attack on a randomized addition-subtraction chains method for

elliptic curve cryptosystems, IEICE Transactions E86-A (2003), 1171–1180.



 ¼ ú Ç"Ý Ìº Ì "  [Ç"Ì 2003] & , The width-w NAF method provides small memory and fast elliptic scalar multiplication secure against side channel attacks, Topics in Cryptology – CT-RSA 2003, Lecture Notes in Comput. Sci., vol. 2612, Springer-Verlag, Berlin, 2003,

328–342.



º ÇÐ ÚÓ× ½

[ÇÐ 1981] , On vectorial addition chains, Journal of algorithms 2 (1981), 13–21.



  ĺ º ÇÐ×ÓÒ [ÇÐ× 2004] , Side-Channel Attacks in ECC: A general technique for varying the parametrization of the elliptic curve, Cryptographic Hardware and Embedded Systems – CHES 2004, Lecture Notes in Comput. Sci., vol. 3156, Springer-Verlag, Berlin, 2004,

220–229.



º ÇÑÙÖ Âº ĺ Å ××Ý ¿¸ ¾¾¼ [ÇÑÅ 1986] & , Computational method and apparatus for finite field

arithmetic, United States Patent 4, 587, 627, Date: May 6th 1986.



1º ÇÓÖØ Ëº Ì×ÙØÓÑÙ ½¿ [ÇÓÌ× 1986] & , The canonical lifting of an ordinary Jacobian variety need

not be a Jacobian variety, J. Math. Soc. Japan 38 No3 (1986), 427–437.

Ⱥ Ú Ò ÇÓÖ×ÓØ Åº º Ï ÒÖ  ¸  ¼¸  ¾¸

[ÇÓÏ 1999] & , Parallel collision search with cryptanalytic 

applications, J. Cryptology 12 (1999), 1–28.  ¿



 'º Ç×Û Ð ź ÒÖ [Ç× 2001] & , Randomized addition-subtraction chains as a countermea- sure against power attacks, Cryptographic Hardware and Embedded Systems – CHES 2001, Lecture Notes in Comput. Sci., vol. 2162, Springer-Verlag, Berlin, 2001, 39–50.

+



¿ ¼  8º¹Àº È Ö" ˺ÂÓÒº Ã Ñ Âº Ä Ñ [È 2002a] , , ,& , An alternate decomposition of an integer for faster point multiplication on certain elliptic curves, Public Key Cryptography – PKC 2002, Lecture Notes in Comput. Sci., vol. 2274, Springer-Verlag, Berlin, 2002, 323–334.

+



È Â 8º¹Àº È Ö" ˺ ÂÓÒ º Ä Ñ [ 2002b] , ,& , Speeding up point multiplication on hyperelliptic ¿ ¼ curves with efficiently-computable endomorphisms, Advances in Cryptology – Eurocrypt

2002, Lecture Notes in Comput. Sci., vol. 2332, Springer-Verlag, 2002, 197–208.



¾¼¸ ¾½ Å ËºÃºÈ Ö" ú Ϻ Å ÐÐÖ [È 1998] & , Random number generators: Good ones are hard to

find, Comm. ACM 31 No10 (1998), 1192–1201.



È Ô º Àº È Ô  Ñ ØÖ ÓÙ [ 1994] , Computational complexity, Addison-Wesley Publishing Com- ¾

pany, Reading, MA, 1994.



Ö º È Ö Ñ ½ [È 2000] , Computer arithmetic Ð algorithms and hardware design, Oxford Univer-

sity Press, New York, 2000.



¾ ¸  Ö - [È The PARI Group, Bordeaux, PARI/GP, version 2.1.6, 2004. http://pari.math.u-bordeaux.fr/

+



È ËÑ º È  ƺ Ⱥ ËÑ ÖØ 1º ÎÖ ÙØÖÒ [ 2004] , ,& , A comparison of MNT curves and  supersingular curves, preprint, 2004.

http://eprint.iacr.org/2004/165/

È ËØ Åº ˺ È ØÖ×ÓÒ Äº º ËØÓ"ÑÝÖ

[ 1973] & , On the number of nonscalar multiplications ¾½¸ ¾¿¸ ¾¼¸ 

necessary to evaluate polynomials, SIAM J. Comput. 2 (1973), 60–66. ¾½



È Ø Âº È Ø Ö Ò [ 1996] , Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): ½ two new families of asymmetric algorithms, Advances in Cryptology – Eurocrypt 1996,

Lecture Notes in Comput. Sci., vol. 1070, Springer-Verlag, Berlin, 1996, 33–48.



º ÈÐÞÐ ¿ [ÈÐ 2002] , Fast hyperelliptic curve cryptosystems for embedded processors, Master’s the- sis, Ruhr-University of Bochum, 2002.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC References 767

+



Ó Âº ÈÐÞР̺ ÏÓÐÐ ÒÖ º È Ö ¿¿ [ÈÏ 2004] , ,& , Special hyperelliptic curve cryptosystems of genus two: Efficient arithmetic and fast implementation, Embedded Cryptographic Hard-

ware: Design and Security, Nova Science Publishers, 2004.



º È Ð ½¿ ¸ ¾¾ [È Ð 1990] , Frobenius maps of abelian varieties and finding roots of unity in finite fields,

Math. Comp. 55 No192 (1990), 745–763.



ʺ È Ò  ¿ [È Ò- , homepage.

http://www.chalcedon.demon.co.uk/rgep.html



ƺ È ÔÔÒÖ ½ [È Ô 1979] , The minimum number of edges in graphs with prescribed paths, Math.

Systems Theory 12 (1979), 325–346.

 ½ [È Ô 1980] , On the evaluation of powers and monomials, SIAM J. Comput. 9 (1980), 230–

250.



ÈÃË- ÈÙÐ  ÃÝ ÖÝÔØÓÖ ÔÝ ËØ Ò Ö× [ , PKCS #1 v1.5: RSA encryption stan- ½ dard, 1993.

http://www.rsasecurity.com/rsalabs/pkcs



˺ ÈÓÐ  ź ÀÐÐÑ ÒÒ  [ÈÓÀ 1978] & , An improved algorithm for computing logarithms over GF(p) and its cryptographic significance, IEEE Trans. Inform. Theory IT-24 (1978), 106–

110.



º ź ÈÓÐÐ Ö ¼¿ [ÈÓÐ 1974] , Theorems on factorization and primality testing, Proceedings of the

Cambridge philosophical society 76 (1974), 521–528.

  ¿¸  ¸  ¾ [ÈÓÐ 1978] , Monte Carlo methods for index computation (mod p), Math. Comp. 32 (1978),

918–924.

  ¾   [ÈÓÐ 2000] , Kangaroos, monopoly and discrete logarithms, J. Cryptology 13 (2000), 437–

447.



ÈÓÑ º ÈÓÑÖ Ò

[ 1983] , Analysis and comparison of some integer factoring algorithms, Com- ¼ ¸ ½¼ ʺ Ì <Ñ Ò putational methods in number theory (Àº Ϻ ÄÒ×ØÖ ¸ ÂÖº & , eds.),

Math. Centre Tracts, no. 154, 155, Mathematisch Centrum, Amsterdam, 1983, 89–139.

 ÈÓÑ

[ 1984] , Are there counter-examples to the Baillie-PSW primality test?, Dopo Le Parole  

º ú ÄÒ×ØÖ Èº Ú Ò

aangeboden aan Dr. A.K. Lenstra (Àº Ϻ ÄÒ×ØÖ ¸ ÂÖº, ,& × 'Ñ Ó , eds.), Amsterdam, 1984.

http://www.pseudoprime.com/dopo.ps

 ¼ [ÈÓÑ 1985] , The quadratic sieve factoring algorithm, Advances in Cryptology – Eurocrypt

1984, Lecture Notes in Comput. Sci., vol. 209, Springer-Verlag, Berlin, 1985, 169–182.

   [ÈÓÑ 1990] , Factoring, Cryptology and Computational Number Theory, Proceedings of Sym- posia in Applied Mathematics, vol. 42, American Mathematical Society, 1990, 27–47.

+



 ¿¸  ¸   º ÈÓÑÖ Ò º ĺ ËÐ%Ö  ËºËºÏ ×Ø %%¸ ÂÖº [ÈÓË 1980] , ,& , The pseudoprimes

to 25 · 109, Math. Comp. 35 No151 (1980), 1003–1026.



º ÈÓÑÖ Ò º Ϻ ËÑ Ø ¼ [ÈÓËÑ 1992] & , Reduction of huge, sparse matrices over finite fields

via created catastrophes, Experiment. Math. 1 No2 (1992), 89–94.



ź Å ÖØ Ò   [ÈÊÁÅÇ- , PRIMO Ð Primality Proving.

http://www.ellipsa.net



ź Ú Ò Ö ÈÙØ ½¿ [ÈÙØ 1986] , The cohomology of Monsky and Washnitzer, Mém. Soc. Math. France

23 (1986), 33–60.



ÉÙ º¹Âº ÉÙ ×ÕÙ ØÖ Âº¹Èº Ð× ÐÐ [ 1990] & , How easy is collision search? Application  to DES, Advances in Cryptology – Eurocrypt 1989, Lecture Notes in Comput. Sci., no.

434, Springer-Verlag, 1990, 429–434.



½ ¸ ¾¼¿ º¹Âº ÉÙ ×ÕÙ ØÖ [ÉÙ 1990] , Procédé de codage selon la méthode dite RSA, par un microcon- trôleur et dispositifs utilisant ce procédé, Demande de brevet français. No de dépôt 90 02274, Date: Feb. 23rd 1990.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

768 References

 ½ ¸ ¾¼¿ [ÉÙ 1992] , Encoding system according to the so-called RSA method, by means of a micro- controller and arrangement implementing this system, U.S. Patent # 5,166,978, Date: Nov. 24th 1992.

+



º¹Âº ÉÙ ×ÕÙ ØÖ º  Ï Ð%% º¹Èº ÓÙÖÒ × ¾¼ [ÉÙÏ 1991] , ,& , A chip with fast RSA capability, Proceedings of Smart Card 2000, Elsevier Science Publishers, Amsterdam, 1991, 199–205.

o



¾½ ź Ǻ Ê  Ò [Ê  1980] , Probabilistic algorithms in finite fields, SIAM J. Comput. N 9 (1980),

273–280.



¿¸ ¼¸ ½ Ϻ Ê Ò"РϺ '%% Ò [Ê '% 2000] & , Smart card handbook, 2nd ed., John Wiley & Sons, Ltd.,

2000.



$º Ê ØÛ ×ÒÖ ½½

[Ê 1962] , Binary arithmetic, Adv. Comput. 1 (1962), 231–308.



Ⱥ Ê ÒÓ Ñ   [Ê  1996] , Lucas pseudoprimes, p. 129, Springer, 1996.

+



ʺ ĺ Ê Ú×Ø º Ë Ñ Ö Äº ÐÑ Ò [Ê Ë 1978] , ,& , A method for obtaining digital signa-

tures and public key cryptosystems, Comm. ACM 21 (1978), 120–126.



Ê Ë Êº ĺ Ê Ú×Ø Êº º Ë ÐÚÖÑ Ò [ 1997] & , Are “strong” primes needed for RSA?, preprint,  ¸ ¼ 1997.

http://eprint.iacr.org/2001/007/



̺ Ê ØØÖ ½ [Ê Ø- , Random number machines: A literature survey.

http://www.ciphersbyritter.com/RES/RNGMACH.HTM



½ ÓÓ Èº  ÊÓÓ < [Ê 1995] , Efficient exponentiation using precomputation and vector addition chains, Advances in Cryptology – Eurocrypt 1994, Lecture Notes in Comput. Sci., vol. 950,

Springer-Verlag, Berlin, 1995, 389–399.

 ÊË- [ The new RSA factoring challenge.

http://www.rsasecurity.com/rsalabs/node.asp?id=2092



Ê7 Àº¹$º Ê7" [ 1999] , On the discrete logarithm problem in the divisor class group of curves, ¸ ¾

Math. Comp. 68 (1999), 805–806.



¾¼ Ù" º ÊÙ" Ò [Ê 2001] , Testing randomness: A suite of statistical procedures, Theory Probab. Appl. 45 No1 (2001), 111–132.

+



¾ ÙËÓ - º ÊÙ" Ò Âº ËÓØÓ Âº ÆÚ Ø Ð Åº ËÑ  'º  Ö"Ö Ëº Ä 

[Ê , , , , , ,

ź ÄÚÒ×ÓÒ Î ÒÐ º  Ò"× º À"ÖØ Âº Ö Ý Ëº ÎÓ , ź , , , ,& , A statistical test suite for random and pseudorandom number generators for cryptographic Applications, NIST Special Publication 800-22.

http://csrc.nist.gov/rng/



Ë Ö Ìº Ë ØÓ ú Ö " [ 1998] & , Fermat quotients and the polynomial time discrete log algo- ¾

rithm for anomalous elliptic curves, Comm. Math. Univ. Sancti Pauli 47 (1998), 81–92.



Ë  ˺ Ë Ò [ 1975] , Approximate algorithms for the 0/1 knapsack problem,J.ACM22 (1975), ½

115–124.



Ó 'º Ë Ú O Lº ú ÃÓM  [Ë Ã 2002] & , Architectures for unified field inversion with applications in elliptic curve cryptography, International Conference on Electronics, Circuits and Systems

– ICECS 2002, vol. 2, 2002, 1155–1158.



Ë Ë º Ë ØØÐÖ º Ⱥ ËÒÓÖÖ [ 1985] & , Generating random walks in groups, Ann. Univ. Sci.  Budapest. Sect. Comput. 6 (1985), 65–79.

+



Ë Ë Àº Ë ØÓ º ËÔÖ× Ìº Ì "  [ 2004] , ,& , Exact analysis of Montgomery multiplication, ¼ Progress in Cryptology – Indocrypt 2004, vol. 3348, Springer-Verlag, Berlin, 2004, 290– 304.

+



̺ Ë ØÓ º Ë"<ÖÒ 8º Ì Ù ¾ ¸ ¾¾¸ ¿¿ [Ë Ë" 2003] , ,& , Fast computation of canonical lifts of elliptic curves and its application to point counting, Finite Fields Appl. 9 (2003), 89–101.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

References 769

Ø Ìº Ë ØÓ ½¿ ¸ ¾¿¸ ¾ ¸

[Ë 2000] , The canonical lift of an ordinary elliptic curve over a finite field and its point  counting, J. Ramanujan Math. Soc. 15 No4 (2000), 247–270. ¾

+



'º Ë Ú O º 1º ÌÒ Lº ú ÃÓM  [Ë Ì 2000] , ,& , A scalable and unified multiplier architecture for finite fields GF(p) and GF(2m), Cryptographic Hardware and Embedded Systems – CHES 2000, Lecture Notes in Comput. Sci., vol. 1965, Springer-Verlag, Berlin, 2000,

277–292.



 ÝÔعΠÑÔ Ö [Ë ÄÓÙÒ- 'Ö , The side-channel cryptanalysis lounge.

http://www.crypto.ruhr-uni-bochum.de/en_sclounge.html



¼½¸  ¸  ź ËÓØØ Èº ˺ ĺ ź  ÖÖØÓ [Ë 2004] & , Compressed pairings, Advances in Cryptology – Crypto 2004, Lecture Notes in Comput. Sci., vol. 3152, Springer-Verlag, Berlin, 2004,

140–156.



1º ú ËÑ Ø ¿ [Ë 1927] , Zur Zahlentheorie in Körpern der Charakteristik p. (Vorläufige Mit-

teilung.), Sitz.-Ber. phys. med. Soz. Erlangen 58/59 (1926/1927), 159–172.



½¸ ½ º ËÓÒÖ [Ë 1974] , Elliptic modular functions, Die Grundlehren der mathematischen

Wissenschaften in Einzeldarstellungen, vol. 203, Springer-Verlag, 1974.



½ º Ë=Ò  [Ë 1975] , A lower bound on the length of addition chains, Theoret. Comput. Sci.

1 (1975), 1–12.



ʺ ËÓÓ% ½¿ [Ë 1985] , Elliptic curves over finite fields and the computation of square roots mod p, Math. Comp. 44 (1985), 483–494.

o

 Ë [ 1987] , Nonsingular plane cubic curves, J. Combin. Theory Ser. A 46 N 2 (1987), 183– ¼

211.

 ½ ¸ ¾¼ [Ë 1995] , Counting points on elliptic curves over finite fields, J. Théor. Nombres Bordeaux

7 (1995), 219–254.



 º ËÒ Ö [Ë 1996] , Applied cryptography: protocols, algorithms and source code in C, John

Wiley & Sons, Ltd., New York, 1996, second edition.



¼ Ϻ Ë ÒÐÖ [Ë 2000a] , A timing attack against RSA with the Chinese Remainder Theorem, Cryptographic Hardware and Embedded Systems – CHES 2000, Lecture Notes in Comput.

Sci., vol. 1965, Springer-Verlag, Berlin, 2000, 109–124.



Ë Ǻ Ë ÖÓ" ÙÖ [ 2000b] , Using number fields to compute logarithms in finite fields, Math. ¼

Comp. 69 No231 (2000), 1267–1283.



¾ ʺ ËÖÓÔÔÐ [Ë 2000c] , Elliptic curves: Twice as fast!, 2000. Presentation at the Crypto 2000

Rump Session.



 ¼ 'º ËÙÐع$Ö× [Ë 2000d] , Collision search in a random mapping: some asymptotic results, Talk at ECC 2000, the fourth Workshop on Elliptic Curve Cryptography, Essen, Germany, 2000. http://www.cacr.math.uwaterloo.ca/conferences/2000/ecc2000/

+



ʺ ËÖÓÔÔÐ Àº ÇÖÑ Ò Ëº dzŠÐÐÝ ¾½ [ËÇÖ 1995] , ,& , Fast key exchange with elliptic curve

systems, Tech. report, Department of Computer Science. The University of Arizona, 1995.



º Ë=Ò  κ ËØÖ ××Ò ¾ [ËËØ 1971] & , Schnelle Multiplikation grosser Zahlen, Computing (Arch. Elektron. Rechnen) 7 (1971), 281–292.

+



ËÏ Ǻ Ë ÖÓ" ÙÖ º ÏÖ Ìº 1º ÒÒÝ [ 1996] , ,& , Discrete logarithms: the effec- ¼ tiveness of the index calculus method, Algorithmic Number Theory Symposium – ANTS

II, Lecture Notes in Comput. Sci., vol. 1122, Springer-Verlag, Berlin, 1996, 337–361.



ËØÒ Ö × ÓÖ  ÒØ ÖÝÔØÓÖÔÝ ¾  [Ë- , Elliptic curve cryptography Ver.0.5, 1999.

http://www.secg.org/drafts.htm



$º ËÖÓÙ×× º ÄÑÔÐ ¿ [ËÄ 1980] & , Factorization of symmetric matrices and trace-orthogonal bases in finite fields, SIAM J. Comput. 9 No4 (1980), 758–767.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

770 References



Áº ËÑ ½ [ËÑ 1983] , Systematic method for determining the number of multiplications required to

compute xm, where m is a positive integer, J. Inform. Process. 6 No1 (1983), 31–33.



¾ Áº ËÑ Ú [ËÑ 1998] , Evaluation of discrete logarithms in a group of p-torsion points of an elliptic

curve in characteristic p, Math. Comp. 67 (1998), 353–356.

 ½ [ËÑ 2004] , Summation polynomials and the discrete logarithm problem on elliptic curves, preprint, 2004.

http://eprint.iacr.org/2004/031/



 º¹Èº ËÖÖ [ËÖ 1958] , Sur la topologie des variétés algébriques en caractéristique p, Symposium internacional de topología algebraica – International symposium on algebraic topology (México City 1956), Universidad Nacional Autónoma de México and UNESCO, 1958,

24–53.

 ½

[ËÖ 1970] , Cours d’arithmétique, Presses Universitaires de France, 1970.

 ËÖ

[ 1979] , Local Fields, Graduate Texts in Mathematics, vol. 67, Springer-Verlag, 1979. ¿



$º ËÖÓÙ×× ¾½¸ ¾½ [ËÖ 1998] , Table of low-weight binary irreducible polynomials, Tech. Report HPL- 98-135, Hewlett–Packard, August 1998.

http://www.hpl.hp.com/techreports/98/HPL-98-135.pdf



º ˺ ËÖ Ãº º ËÑ Ø ¿ [ËËÑ 1991] & , Microelectronic circuits, Oxford University Press, New York, 1991.

+



ʺ ËÛ " ̺ $º ËÞÝÑ Ò×" º º 8 Ó   [ËËÞ 1982] , ,& , The complexity of finding cycles

in periodic functions, SIAM J. Comput. 11 No2 (1982), 376–390.

 ½¿ [Ë$ E- Théorie des topos et cohomologie étale des schémas., Springer-Verlag, Berlin, 1973, Sémi- naire de Géométrie Algébrique du Bois-Marie 1963–1964 (SGA 4), Dirigé par M. Artin,

A. Grothendieck et J. L. Verdier. Lecture Notes in Math., Vol. 269, 270, 305.



Ë º Ë Ò"× [ 1971] , Class number, a theory of factorization and genera, Proc. Symp. Pure Math.  ¼

20 (1971), 415–440.



  º Ë Ñ Ö [Ë 1984] , Identity-based cryptosystems and signature schemes, Advances in Cryp- tology – Crypto 1984, Lecture Notes in Comput. Sci., vol. 196, Springer-Verlag, 1984,

47–53.

 Ë [ 1999] , Method and apparatus for protecting public key schemes from timing and fault ¼

attacks, United States Patent 5991415, 1999.



̺ Ë Ó ½¼½ [Ë 1967] , On the graded ring of invariants of binary octavics, Amer. J. Math. 89

(1967), 1022–1046.



$º Ë ÑÙÖ ½¼ [Ë 1998] , Abelian Varieties with complex multiplication and modular functions, re-

vised ed., Princeton University Press, 1998.



ËÓ- κ ËÓÙÔ [ , A computational introduction to number theory and algebra. ¾¼½

http://www.shoup.net/ntb/ntb-b5.pdf

 ¼ [ËÓ 1990] , On the deterministic complexity of factoring polynomials over finite fields, In-

form. Process. Lett. 33 No5 (1990), 261–267.

 ËÓ [ 1991] , A fast deterministic algorithm for factoring polynomials over finite fields of ¼ small characteristic, International Symposium on Symbolic and Algebraic Computations – ISSAC 1991, ACM Press, Bonn, 1991, 14–21.

n

 ¾¾ [ËÓ 1994a] , Exponentiation in GF(2 ) using fewer polynomial multiplications, preprint,

1994.

 ËÓ [ 1994b] , Fast construction of irreducible polynomials over finite fields, J. Symbolic Com- ¾½

put. 17 No5 (1994), 371–391.

  [ËÓ 1997] , Lower bounds for discrete logarithms and related problems, Advances in Cryp- tology – Eurocrypt 1997, Lecture Notes in Comput. Sci., vol. 1233, Springer-Verlag, Berlin, 1997, 256–266.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

References 771



Áº 'º ËÔ ÖÐ Ò×" ¿¸ ¾¼½ [ËÔ 1999] , Finite fields: Theory and computation, Kluwer Academic Publish-

ers, Dordrecht/Boston/London, 1999.

 ¿ [ËÔ 2000] , On the NaorÐReingold pseudo-random function from elliptic curves, Appl. Alge-

bra Engrg. Comm. Comput. 11 (2000), 27–34.

  [ËÔ 2003] , Cryptographic applications of analytic number theory, Progress in Computer Science and Applied Logic, vol. 22, Birkhäuser Verlag, Basel, 2003, Complexity lower

bounds and pseudorandomness.



$º Ë ÑÙÖ 8º Ì Ò Ý Ñ ½¼¸ ½¼ [ËÌ 1961] & , Complex multiplication of abelian varieties and its applications to number theory, Publications of the Mathematical Society of Japan, vol. 6, the Mathematical Society of Japan, Tokyo, 1961.

+



1º Ë  ź  Ø Âº¹Âº ÉÙ ×ÕÙ ØÖ ¿ ¸ ¿ ¸ ¿ ¼ [Ë  2002] , ,& , Analysis of the Gallant-Lambert-Vanstone method based on efficient endomorphisms: Elliptic and hyperelliptic curves, Selected Ar- eas in Cryptography – SAC 2002, Lecture Notes in Comput. Sci., vol. 2595, Springer-

Verlag, 2002, 21–36.



κ ź Ë Ð³Ò "ÓÚ ½ [Ë  1994] , A public-key cryptosystem based on ReedÐMuller codes, Discr.

Math. Appli. 4 No3 (1994), 191–207.

¸ ¾¸ ¸ ¸ º Àº Ë ÐÚÖÑ Ò [Ë Ð 1986] , The Arithmetic of Elliptic Curves, Graduate Texts in Mathematics,

vol. 106, Springer-Verlag, Berlin, 1986. ¸ ½½¸ ¾¸



¿¾

 ¸ ½ [Ë Ð 1994] , Advanced topics in the arithmetic of elliptic curves, Springer-Verlag, Berlin, 1994.

n

 ¾½ [Ë Ð 1999] , Fast multiplication in finite fields GF(2 ), Cryptographic Hardware and Embed- ded Systems – CHES 1999, Lecture Notes in Comput. Sci., vol. 1717, Springer-Verlag,

Berlin, 1999, 122–134.



Ë Ñ Ø- [ Simath, a computer algebra system for number theoretic applications. ¾

http://tnt.math.metro-u.ac.jp/simath



Ë ÊÙ º Ë ÐÚÖÖ ú ÊÙ Ò [ 2004] & , Algebraic tori in cryptography, High Primes and Mis-  demeanours: lectures in honour of the 60th birthday of Hugh Cowie Williams, Fields

Institute Communications, AMS, 2004.



Ë Ë º Àº Ë ÐÚÖÑ Ò Áº 'º ËÔ ÖÐ Ò×" [ 2001] & , On the linear complexity of the NaorÐ ¿¸ ¿ Reingold pseudo-random function from elliptic curves, Des. Codes Cryptogr. 243 (2001),

279–289.



  ˺ȺË"ÓÖÓÓ ØÓÚ Êº º ÒÖ×ÓÒ [Ë"Ò 2003] & , Optical fault induction attacks, Crypto- graphic Hardware and Embedded Systems – CHES 2002, Lecture Notes in Comput. Sci., vol. 2523, Springer-Verlag, Berlin, 2003, 281–290.

o



º Ë"<ÖÒ ¿¾ [Ë"< 2003] , Satoh’s algorithm in characteristic 2, Math. Comp. 72 N 241 (2003),

477–487.



 ƺ Ⱥ ËÑ ÖØ [ËÑ 1998] , The algorithmic resolution of Diophantine equations, London Mathemat-

ical Society Student Texts, vol. 41, Cambridge University Press, 1998.

 ËÑ [ 1999a] , The Discrete Logarithm problem on elliptic curves of trace one, J. Cryptology 12 ¾

(1999), 193–196.

 ¿ ¸ ¿ ¼ [ËÑ 1999b] , Elliptic curve cryptosystems over small fields of odd characteristic, J. Cryptology

12 (1999), 141–151.

¾ ¸ ¾ ¸ ¾ ¸

[ËÑ 2001] , The Hessian form of an elliptic curve, Cryptographic Hardware and Embedded  Systems – CHES 2001, Lecture Notes in Comput. Sci., vol. 2162, Springer-Verlag, 2001,  

118–125.

  ¾¸ ¼¿ [ËÑ 2003] , An analysis of Goubin refined power analysis attack, Cryptographic Hardware and Embedded Systems – CHES 2003, Lecture Notes in Comput. Sci., vol. 2779, Springer- Verlag, Berlin, 2003, 281–290.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

772 References



'º ËÑ Ø º $ÓØÝ× ¼ ¸ ½½¸ ½¾ [ËÑ$ 2003] & , SCA countermeasures for ECC over binary fields on a VLIW DSP core, Combinatorics and Optimization Research Report CORR 2003-06, University of Waterloo, 2003.

http://www.cacr.math.uwaterloo.ca/techreports/2003/cacr2003-06.pdf



Ⱥ ËÑ Ø º Ë" ÒÒÖ [ËÑË" 1995] & , A public key cryptosystem and a digital signature system based on the Lucas function analogue to discrete logarithms, Advances in Cryptology – Asiacrypt 1994, Lecture Notes in Comput. Sci., vol. 917, Springer-Verlag, Berlin, 1995,

357–364.



º º ËÓÐ Ò × ¾ ¸ ¿ ¸ ¾ [ËÓÐ 1997] , An improved algorithm for arithmetic on a family of elliptic curves, Ad- vances in Cryptology – Crypto 1997, Lecture Notes in Comput. Sci., vol. 1294, Springer-

Verlag, Berlin, 1997, 357–371.

 ½ ¿¸ ¿ ¿ [ËÓÐ 1999a] , Generalized Mersenne numbers, Combinatorics and Optimization Research Re- port CORR 99-39, University of Waterloo, 1999.

http://www.cacr.math.uwaterloo.ca/techreports/1999/corr99-39.ps

¿¸ ¿ ¸ ¿¼¸

[ËÓÐ 1999b] , Improved algorithms for arithmetic on anomalous binary curves, Combinatorics  and Optimization Research Report CORR 99-46, University of Waterloo, 1999, updated ¿¾¸ ¿¿

and corrected version of [ËÓÐ 1997].

http://www.cacr.math.uwaterloo.ca/techreports/1999/corr99-46.ps

 ¿¸ ¿¿¸ ¿ ¿

[ËÓÐ 2000] , Efficient arithmetic on Koblitz curves, Des. Codes Cryptogr. 19 (2000), 195–249.

 ½¸ ½ [ËÓÐ 2001] , Low-weight binary representations for pairs of integers, Combinatorics and Op- timization Research Report CORR 2001-41, University of Waterloo, 2001.

http://www.cacr.math.uwaterloo.ca/techreports/2001/corr2001-41.ps

½¼½¸ ¿½¿¸  ¸ º ź ËÔ ÐÐ"

[ËÔ 1994] , Kurven vom Geschlecht 2 und ihre Anwendung in Public-Key- 

Kryptosystemen, PhD. Thesis, Universität Gesamthochschule Essen, 1994. 



ËØ Åº ËØ Ñ [ 2003] , Speeding up subgroup cryptosystems, PhD. Thesis, Technische Universiteit ½¸ ½ ¸  ½

Eindhoven, 2003.



¿½½ º ËØ Ð" F [ËØ 2004] , Point compression on Jacobians of hyperelliptic curves over q, preprint, 2004.

http://eprint.iacr.org/2004/030/



¾ 'º ËØ Ò ØÞ [ËØ 1910] , Algebraische Theorie der Körper, J. Reine Angew. Math. 137 (1910), 167–

309.



ËØ - Àº ËØ ØÒÓØ [ 1979 , Die HasseÐWittÐInvariante eines Kongruenzfunktionenkörpers, ½¿

Arch. Math. (Basel) 33 No4 (1979/80), 357–360.

¸ ½¸  ¸  ¸

[ËØ 1993] , Algebraic function fields and codes, Springer-Verlag, Berlin, 1993.

¿¸ ¸



½½¼ ½½¾



ËØ º ËØ Ò×ÓÒ

[ 1995] , Cryptography Ð theory and practice, CRC Press, Inc., 1995. 



ËØÄ ź ËØ Ñ º ú ÄÒ×ØÖ [ 2003] & , Efficient subgroup exponentiation in quadratic and  ½ sixth degree extensions, Cryptographic Hardware and Embedded Systems – CHES 2002, Lecture Notes in Comput. Sci., vol. 2523, Springer-Verlag, 2003, 317–332.

+



 ½ º ËØÖÒ º ÈÓ ÒØÚ Ð Âº Å ÐÓÒ¹Ä ƺ Ⱥ ËÑ ÖØ [ËØÈÓ 2002] , , ,& , Flaws in ap- plying proof methodologies to signature schemes, Advances in Cryptology – Crypto 2002,

Lecture Notes in Comput. Sci., vol. 2442, Springer-Verlag, Berlin, 2002, 93–110.



ËØÖ 'º $º ËØÖ Ù× [ 1964] , Addition chains of vectors (problem 5125), Amer. Math. Monthly 70 ½

(1964), 806–808.



Àº ËØ ØÒÓØ º Ⱥ ) Ò ½¿ [ËØ) 1995] & , On the structure of the divisor class group of a class of curves over finite fields, Arch. Math. (Basel) 65 No2 (1995), 141–150.

+



¿½¸ ¿½ Àº ËÙ Þ " ú Å Ø×ÙÓ Âº  Ó Ëº Ì×Ù< [ËÙÅ 2002] , , ,& , An Extension of Harley algorithm addition algorithm for hyperelliptic curves over finite fields of characteristic two, Tech. Report ISEC2002-9(2002-5), IEICE, 2002.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

References 773



ʺ $º ËÛ Ò ¾½ [ËÛ 1962] , Factorization of polynomials over finite fields, Pacific J. Math. 12 (1962),

1099–1106.



¾¼ " ƺ Ì "  [Ì 1998] , A VLSI algorithm for modular division based on the binary GCD algorithm,

IEICE Trans. Fundamentals E81-A No5 (1998), 724–728.



Ì " - ź Ì "  × [ 2002 , Improving Harley algorithms for Jacobians of genus 2 hyperelliptic ¿½¸ ¿½

curves, Symposium on Cryptography and Information Security – SCIS 2002. In Japanese.



" - ú Ì " × Ñ ¿ ½ [Ì 2004 , New families of hyperelliptic curves with efficient Gallant-Lambert-

Vanstone method, Preproceedings ICISC 2004.



Ø Âº Ì Ø p ½½ [Ì 1958] , WC-groups over -adic fields, Séminaire Bourbaki; 10e année: 1957/1958. Textes des conférences; Exposés 152 à 168; 2e éd. corrigée, Exposé 156, vol. 13, Secré-

tariat mathématique, Paris, 1958.



Ø ½½¾¸  [Ì 1966] , Endomorphisms of abelian varieties over finite fields, Invent. Math. 2 (1966),

134–144.



ÌÖ º º ÌÖÖ [ 2000] , A modification of Shanks’ baby-step giant-step algorithm, Math. Comp.  ½

69 No230 (2000), 767–773.



'º Ì×"   [Ì× 1998a] , A space efficient algorithm for group structure computation, Math. Comp. 67

No224 (1998), 1637–1663.

  [Ì× 1998b] , Speeding up Pollard’s rho method for computing discrete logarithms, Algorith- mic Number Theory Symposium – ANTS III, Lecture Notes in Comput. Sci., no. 1423, Springer-Verlag, Berlin, 1998, 541–554.

o

  [Ì× 2001a] , On random walks for Pollard’s rho method, Math. Comp. 70 N 234 (2001),

809–825.

  [Ì× 2001b] , Square-root algorithms for the Discrete Logarithm Problem (a survey), Public-

Key Cryptography and Computational Number Theory, Walter de Gruyter, 2001, 283–301.

 Ì× [ 2003] , Computing discrete logarithms with the parallelized kangaroo method, Discrete  ¿

Appl. Math. 130 No3 (2003), 61–82.



½ ¸ ¾½¸  ƺ Ì4Ö ÙÐØ [Ì4 2003a] , Index calculus attack for hyperelliptic curves of small genus, Advances in Cryptology – Asiacrypt 2003, Lecture Notes in Comput. Sci., vol. 2894, Springer-

Verlag, Berlin, 2003, 75–92.

 Ì4 [ 2003b] , Weil descent attack for ArtinÐSchreier curves, preprint, 2003. ¿½¸ ¿ ¿

http://www.cacr.math.uwaterloo.ca/~ntheriault/weildescent.pdf

 ¿ [Ì4 2003c] , Weil descent attack for Kummer extensions, J. Ramanujan Math. Soc. 18 (2003), 281–312.

+



Ìà º º ÌÓÑ × Âº ź ÃÐÐÖ $º ƺ Ä Ö×Ò [ 1986] , ,& , The calculation of multiplicative ¾¼ inverses over GF(p) efficiently where p is a Mersenne prime, IEEE Trans. on Computers

35 No5 (1986), 478–482.



'º ÌÓÑ4 F ¼½ [ÌÓ 2001] , Computation of Discrete Logarithms in 2607 , Advances in Cryptology – Asiacrypt 2001, Lecture Notes in Comput. Sci., vol. 2248, Springer-Verlag, 2001, 107–

124.

 ¼½¸ ¼ ¸ ¼ [ÌÓ 2003] , Algorithmes de calcul des Logarithmes Discrets dans les corps finis, PhD. Thesis,

École Polytechnique, Palaiseau, September 2003.



'º $º ÌÙÖÖ ½ [ÌÙ 1999] , Efficient generation of minimal length addition chains, SIAM J. Com- put. 28 No4 (1999), 1247–1263.

+



ÌÖ; º ÌÖÓÑÔ Äº ; Ò 8º ; Ó [ 1997] , ,& , Small weight bases for Hamming codes, Theoret. ¾½

Comput. Sci. 181 No2 (1997), 337–345.



º Ⱥ ÌÙÒ×Ø ÐÐ ½¼ [ÌÙÒ 1968] , Synthesis of noiseless compression codes, PhD. Thesis, Georgia Inst. Tech. Atlanta, 1968.

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

774 References



Í× ÍÒ ÚÖ×Ð ×Ö Ð Ù× ×Ô  Ø ÓÒ ÖÚ × ÓÒ ¾º¼  [Í×- , , April 27 2000.

http://www.usb.org



½¸ ¾ º Î4ÐÙ [Î4Ð 1971] , Isogénies entre courbes elliptiques, C. R. Acad. Sci. Paris Sér. A-B 273 (1971), A238–A241.

+



1º ÎÖ ÙØÖÒ º ÈÖÒРº Î ÒÛ ÐÐ ¿¿¸ ¿ [ÎÈÖ 2001] , ,& , A memory efficient version of Satoh’s algorithm, Advances in Cryptology – Eurocrypt 2001, Lecture Notes in Comput.

Sci., vol. 2045, Springer-Verlag, Berlin, 2001, 1–13.



 ¾ 'º ÎÖÙÐ [ÎÖ 2001] , Evidence that XTR is more secure than supersingular elliptic curves cryp- tosystems, Advances in Cryptology – Eurocrypt 2001, Lecture Notes in Comput. Sci., vol.

2045, Springer-Verlag, Berlin, 2001, 195–210.

  ¾ [ÎÖ 2004] , Evidence that XTR is more secure than supersingular elliptic curves cryptosys-

tems, J. Cryptology 17 (2004), 277–296.



Ï Ð º º Ï ÐØÖ [ 2001] , MIST: An efficient, randomized exponentiation algorithm for resisting  power analysis, Topics in Cryptology – CT-RSA 2002, Lecture Notes in Comput. Sci.,

vol. 2271, Springer-Verlag, Berlin, 2001, 53–66.



Ð  [Ï 2002a] , Breaking the LiardetÐSmart randomized exponentiation algorithm, Smart Card

Research and Advanced Applications – CARDIS 2002, Usenix Association, 2002, 59–68.



Ï Ð [ 2002b] , Some security aspects of the MIST randomized exponentiation algorithm, Cryp-  tographic Hardware and Embedded Systems – CHES 2002, Lecture Notes in Comput.

Sci., vol. 2523, Springer-Verlag, Berlin, 2002, 276–290.



 Ð [Ï 2003] , Seeing through MIST given a small fraction of an RSA private key, Topics in Cryptology – CT-RSA 2003, Lecture Notes in Comput. Sci., vol. 2612, Springer-Verlag,

Berlin, 2003, 391–402.



 Ð [Ï 2004] , Security constraints on the OswaldÐAigner exponentiation algorithm, Topics in Cryptology – CT-RSA 2004, Lecture Notes in Comput. Sci., vol. 2964, Springer-Verlag,

Berlin, 2004, 208–221.



¾ ¸ ¼ Ø Ïº Ï ØÖÓÙ× [Ï 1969] , Abelian varieties over finite fields, Ann. Sci. École Norm. Sup. 4

série 2 (1969), 521–560.



½¼¸  ¼¸  ¾ Àº º ÏÖ [Ï 1997] , Hyperelliptic simple factors of J0(N) with dimension at least 3, Exper-

iment. Math. 6 (1997), 273–287.



º Ï Ð ½¿ [Ï 1948] , Sur les courbes algébriques et les variétés qui s’en déduisent, Publ. Inst. Math.

Univ. Strasbourg (1945), Hermann et Cie., Paris, 1948.

 Ï [ 1949] , Numbers of solutions of equations in finite fields, Bull. Amer. Math. Soc. 55 ½¿

(1949), 497–508.

 ½¼½ [Ï 1957] , Zum Beweis des Torellischen Satzes, Nachr. Akad. Wiss. Göttingen, Math. Phys.

Klasse (1957), 33–53.



¿ ¿ º Ï ÑÖ×" Ö [Ï 2001] , The application of the MordellÐWeil group to cryptographic sys-

tems, Master’s thesis, Worchester polytechnic institute, 2001.



Ï 'º Ϻ Ï ××Ø Ò [ 2005] , RSA-200 factored, 2005.

http://mathworld.wolfram.com/news/2005-05-10/rsa-200/

º ÏÒ ½¼¸ ½¼ ¸  ¾¸

[ÏÒ 2001a] , Hyperelliptic CM-curves of genus 3, J. Ramanujan Math. Soc. 16 (2001), 

339–372.  ¿

ÏÒ

[ 2001b] , Konstruktion kryptographisch geeigneter Kurven mit komplexer Multiplikation, ½¼¸  ¸  ½¸ 

PhD. Thesis, Universität Gesamthochschule Essen, 2001. 

½¼½¸ ¸  ¸

[ÏÒ 2003] , Constructing hyperelliptic curves of genus 2 suitable for cryptography, Math. 

Comp. 72 No241 (2003), 435–458. 

 ¸  ¸ ¼¸

[ÏÒ- , A table of class polynomials covering all CM-curves up to discriminant 422500.  http://www.exp-math.uni-essen.de/zahlentheorie/classpol/class.html 

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC

References 775



º Àº Ï Ñ ÒÒ ¼½ [Ï  1986] , Solving sparse linear equations over finite fields, IEEE Trans. Inform. Theory IT-32 No1 (1986), 54–62.

o



¼ Àº º Ï ÐÐ Ñ×

[Ï Ð 1982] , A p+1 method of factoring, Math. Comp. 39 N 159 (1982), 225–234.



Ï ;٠ź Ï ÒÖ Êº ;ÙÖ ØÓ [ 1998] & , Faster attacks on elliptic curve cryptosystems, Se-  ½ lected Areas in Cryptography – SAC 1998, Lecture Notes in Comput. Sci., vol. 1556, Springer-Verlag, Berlin, 1998, 190–200.

+



ÏÓ º ÏÓÓÙÖÝ º  ÐÝ º È Ö [ 2000] , ,& , Elliptic curve cryptography on smart cards ¾¾ ¸  without coprocessor, Smart Card Research and Advanced Application – CARDIS 2000,

IFIP Conference Proceedings, vol. 180, Kluwer Academic Publishers, 2000, 71–92.



ÏÓР̺ ÏÓÐÐ ÒÖ [ 2004] , Software and hardware implementation of hyperelliptic curve cryp- ¿ ¸ ¿¾ tosystems, PhD. Thesis, Ruhr-University of Bochum, 2004.

+



Àº Ï٠ź º À × Ò Áº 1º Ð " ˺ $ Ó ¾½ [ÏÙÀ 2002] , , ,& , Finite field multiplier using redundant representation, IEEE Trans. on Computers 51 No11 (2002), 1306–1316.

+



º¹Àº ÏÙ º¹Åº Ï٠ź¹º Ë  8º¹Ìº ÀÛ Ò ¾¾¿ [ÏÙÏÙ 2004] , , ,& , High-speed, low- complexity systolic designs of novel iterative division algorithms in GF(2m), IEEE Trans. on Computers 53 No3 (2004), 375–380.

o



 8º 8 Ó ½¼ [8 1998] , Fast exponentiation using data compression, SIAM J. Comput. 28 N 2

(1998), 700–703.



Ò Ìº 8 ÒP" ¾¼¾ [8 2001] , New methods for finite field arithmetic, PhD. Thesis, Oregon State University, 2001.

http://islab.oregonstate.edu/papers/01Yanik.pdf



Ó º º 8 Ó ½ ¸ ½ [8 1976] , On the evaluation of powers, SIAM J. Comput. 5 (1976), 100–103.

+



¾¼¾¸ ¼ Ë Ìº 8 ÒP" 'º Ë Ú O Lº ú ÃÓM [8 2002] , ,& , Incomplete reduction in modular arithmetic,

IEEE Micro 149 No2 (2002), 46–52.



;  º ;  Ö [ 1981] , Zetafunktionen und quadratische Zahlkörper, Springer-Verlag, Berlin, 1981,  Eine Einführung in die höhere Zahlentheorie. [An introduction to higher number theory],

Hochschultext. [University Text].

Ǻ ; Ö ×" Ⱥ Ë ÑÙÐ ¸  ¸  ¸ ¸

[; Ë 1976] & , Commutative algebra. vol. II., Springer, 1976.





;Ò- 1º   Ù ʺ ÄÖ Ö [ & , ZEN, version 3.0, 2001. ¾¼½

http://zenfact.sourceforge.net/



  ;º ; Ò [; 2002] , A one-parameter quadratic-base version of the Baillie-PSW probable prime

test, Math. Comp. 71 No240 (2002), 1669–1734.



; Ä º ; Ú º ÄÑÔÐ [ 1977] & , A universal algorithm for data compression, IEEE Trans. Inform. ½¼

Theory IT-23 (1977), 337–343.



½ ¾¸ ½ Ⱥ ; ÑÑÖÑ ÒÒ [; Ñ 2001] , Arithmétique en précision arbitraire, Tech. Report 4272, INRIA Lor- raine, September 2001. http://www.loria.fr/~zimmerma/papers/RR4272.ps.gz

Handbook of Elliptic and Hyperelliptic Curve Cryptography c 2006 by CRC Press, LLC