Horizontal PDF Slides

The first 10 years of Curve25519

Daniel J. Bernstein
University of Illinois at Chicago & Technische Universiteit Eindhoven

2005.05.19: Seminar talk; design+software close to done.
2005.09.15: Software online.
2005.09.20: Invited talk at ECC.
2005.11.15: Paper online; submitted to PKC 2006.

Abstract: “This paper explains the design and implementation of a high-security elliptic-curve-Diffie-Hellman function achieving record-setting speeds: e.g., 832457 Pentium III cycles (with several side benefits: free key compression, free key validation, and state-of-the-art timing-attack protection), more than twice as fast as other authors’ results at the same conjectured security level (with or without the side benefits).”

Elliptic-curve computations

1987 (distributed 1984) Lenstra: ECM, the elliptic-curve method of factoring integers.

1985 Bosma, 1986 Goldwasser–Kilian, 1986 Chudnovsky–Chudnovsky, 1988 Atkin: ECPP, elliptic-curve primality proving.

1985/6 (distributed 1984) Miller, and independently 1987 (distributed 1984) Koblitz: ECC—use elliptic curves in DH to avoid index-calculus attacks.

1986 Chudnovsky–Chudnovsky, for ECM+ECPP: analyze several ways to represent elliptic curves; optimize # field operations.

1987 Montgomery, for ECM: best speed from $y^2 = x^3 + Ax^2 + x$, preferably with $(A - 2)/4$ small.

Late 1990s: ANSI/IEEE/NIST standards specify $y^2 = x^3 - 3x + b$ in Jacobian coordinates, citing Chudnovsky–Chudnovsky. Alleged motivation: “the fastest arithmetic on elliptic curves”.

1987
