An Elliptic Curve Implementation of the Finite
Field Digital Signature Algorithm
Neal Koblitz
Dept. of Mathematics, Box 354350, Univ. of Washington
Seattle, WA 98195 USA
koblitz@math.washington.edu
Abstract. We construct a supersingular implementation of the Elliptic
Curve Digital Signature Algorithm (ECDSA) that is essentially equivalent
to a finite field implementation of the Digital Signature Algorithm
(DSA), and then we compare the efficiency of the two systems. The elliptic
curve method is about 12 times faster. In the last section we use the
same ideas to give a particularly efficient nonsupersingular implementation
of elliptic curve cryptography in characteristic 7.
Keywords: Digital Signature, Elliptic Curve, Supersingular, Nonadjacent Form
1 Introduction
The security of elliptic curve cryptosystems depends on the presumed intractability
of the discrete logarithm problem in the group of points on the curve. Aside
from the exponential time algorithms that apply to an arbitrary group (all of
which are impractical if the order of the group is divisible by a prime of more than
40 decimal digits), the only discrete log algorithms that have been found for an
elliptic curve group are the algorithm of Semaev–Smart–Satoh–Araki [20,22,17],
which applies only to an elliptic curve over a prime field $\mathbb{F}_p$ whose order is equal
to $p$, and the algorithm of Menezes–Okamoto–Vanstone (MOV) [12]. The MOV
algorithm uses the Weil pairing to imbed the group of points of an elliptic curve
$E$ over a finite field $\mathbb{F}_q$ into the multiplicative group $\mathbb{F}_{q^K}^*$ of an extension field
$\mathbb{F}_{q^K}$; the elliptic curve discrete log problem then reduces to the discrete log
problem in $\mathbb{F}_{q^K}^*$. This algorithm is practical if $K$ can be taken to be small. If $E$
is a supersingular elliptic curve, then $K$ can always be chosen equal to 1, 2, 3, 4,
or 6 [12]; whereas if $E$ is nonsupersingular, then $K$ is almost always much too
large [1]. For this reason it is usually assumed that supersingular curves should
not be used in cryptography.
The purpose of this article is to give a cryptographic application of a family
of supersingular elliptic curves for which $K = 6$ in the MOV algorithm. Suppose
that $\#E(\mathbb{F}_q)$ is a prime $l$ (or a very small integer factor times a prime $l$) of
between 40 and 80 decimal digits (which is the range one would use with a
nonsupersingular curve). Then $q^K = q^6$ is roughly in the 250- to 500-digit range,
which is beyond the practical limits of algorithms for the discrete log in $\mathbb{F}_{q^K}^*$.
Thus, such a family of curves can be used in cryptography.
H. Krawczyk (Ed.): CRYPTO'98, LNCS 1462, pp. 327–337, 1998. © Springer-Verlag Berlin Heidelberg 1998
Moreover, the family of curves that we study lends itself to particularly efficient
computation of a multiple of a point, which is the basic operation in elliptic
curve cryptosystems. Because the curves have complex multiplication by cube
roots of unity, this family can be treated in a manner similar to the family of
anomalous binary curves that was studied in [6], [10], and [23]. §§2–3 are devoted
to the properties of the curves we are proposing and to the use of a special type
of ternary expansion of an integer $k$ that allows one to compute $kP$ with only
$\frac{2}{5}\log_3 q$ elliptic curve additions.
In §§4–5 we describe our main motivation for looking at this family of
supersingular elliptic curves: it enables us in characteristic 3 to make a very direct
comparison of efficiency between the Digital Signature Algorithm (DSA) using
finite fields (see [16]) and the Elliptic Curve Digital Signature Algorithm
(ECDSA) (see, for example, [9]). Recall that in DSA one works in a cyclic
subgroup of prime order $l$ inside a finite field whose bitlength is between 3 and 6
times that of $l$. Thus, it would be completely consistent with the Digital
Signature Standard to take $\mathbb{F}_{q^6}$ as one's finite field and the image of $E(\mathbb{F}_q)$ under
the MOV imbedding as one's cyclic subgroup of order $l$. Then, conjecturally, the
ECDSA and the corresponding DSA have identical security, and so it is
interesting to compare efficiency. We show that the elliptic curve implementation is
about 12 times as fast. In other words, even though the two groups of order $l$
are apparently cryptographically equivalent, the elliptic curve "exponentiation"
can be carried out more rapidly than exponentiation in the finite field.
Remark. We say "conjecturally" and "apparently" because we do not know how
to prove that the discrete log problem on the elliptic curve group could not
be easier than the discrete log problem in the corresponding subgroup of $\mathbb{F}_{q^6}^*$.
This is because we do not know how to compute the inverse of the imbedding
$E(\mathbb{F}_q) \hookrightarrow \mathbb{F}_{q^6}^*$ given by the Weil pairing.
Finally, in §6 we use the same ideas as in §§2–3 to give a family of
nonsupersingular elliptic curves in characteristic 7 for which one also has a particularly
efficient method to compute multiples of points.
2 The Curves
Let $q = 3^m$, where $m$ is not divisible by 2 or 3, and let $a = 0$ or 1. Let $E$ be the
elliptic curve
$$Y^2 = X^3 - X - (-1)^a \qquad (1)$$
over the field of 3 elements $\mathbb{F}_3$; and let $N_m$ denote the number of $\mathbb{F}_q$-points on
$E$. Because $x^3 - x = 0$ for all $x \in \mathbb{F}_3$, it is easy to see that $N_1 = 4 - (-1)^a 3$. We
can also write $N_1 = 4 - \ - \ $, where
$$\ = \frac{(-1)^a 3 + i\sqrt{3}}{2}$$
is the root with positive imaginary part of the characteristic polynomial
$T^2 - (-1)^a 3T + 3$ of the Frobenius map  : $(x, y) \mapsto (x^3, y^3)$.¹ In other words,
  satisfies the relation
$$3 = (-1)^a 3\ - \ ^2. \qquad (2)$$
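Then, by Weil's theorem,
$$N_m = |\ ^m - 1|^2 = 3^m - (-1)^a \left(\frac{3}{m}\right) 3^{(m+1)/2} + 1, \qquad (3)$$
where $\left(\frac{3}{m}\right)$ is the Jacobi symbol, which is defined as follows:
$$\left(\frac{3}{m}\right) = \begin{cases} 1 & \text{if } m \equiv \pm 1 \pmod{12}; \\ -1 & \text{if } m \equiv \pm 5 \pmod{12}. \end{cases}$$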
Since $N_m$ is divisible by $N_{m'}$ whenever $m' \mid m$, we have the best chance of
getting a large prime factor of $N_m$ when $m$ is prime. In that case $N_1 \mid N_m$, but it
may happen that $N_m/N_1$ is prime. In other words, when $m$ is prime $N_m$ could
be a prime in the case $a = 0$ and 7 times a prime in the case $a = 1$. For example,
when $a = 0$ we find that $N_{163} = 3^{163} + 3^{82} + 1$ is a prime of 78 decimal digits
(259 bits); and when $a = 1$ we find that $N_{97} = 3^{97} + 3^{49} + 1$ is 7 times a prime
of 46 decimal digits (154 bits).
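
The parameter claims above can be checked from the right-hand side of (3). The following is an added example, not code from the paper, and its function names are assumptions; it also computes the MOV extension degree K of the prime-order subgroup and the size of q^6, which the Introduction relies on.

```python
# Added example: parameter check for Y^2 = X^3 - X - (-1)^a over F_{3^m}.

def jacobi_3(m):
    """Jacobi symbol (3/m) for m coprime to 6, via the residue of m mod 12."""
    r = m % 12
    if r in (1, 11):
        return 1
    if r in (5, 7):
        return -1
    raise ValueError("m must not be divisible by 2 or 3")

def curve_order(m, a):
    """N_m, the number of F_{3^m}-points, from the right-hand side of (3)."""
    return 3**m - (-1)**a * jacobi_3(m) * 3**((m + 1) // 2) + 1

def count_points_f3(a):
    """N_1 by brute force: affine solutions over F_3 plus the point at infinity."""
    affine = sum(1 for x in range(3) for y in range(3)
                 if (y * y - (x**3 - x - (-1)**a)) % 3 == 0)
    return affine + 1

def is_probable_prime(n):
    """Miller-Rabin with fixed small bases (a probabilistic test, not a proof)."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in small:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for base in small:
        x = pow(base, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False          # no square reached -1: n is composite
    return True

def embedding_degree(l, q, bound=12):
    """Smallest K <= bound with l | q^K - 1, i.e. the MOV extension degree."""
    for K in range(1, bound + 1):
        if pow(q, K, l) == 1:
            return K
    return None

def analyse(m, a):
    """Summarise the group order for exponent m and curve parameter a."""
    N, N1 = curve_order(m, a), curve_order(1, a)
    l, rem = divmod(N, N1)
    q = 3**m
    return {
        "cofactor": N1,
        "l_is_prime": rem == 0 and is_probable_prime(l),
        "l_digits": len(str(l)),
        "K": embedding_degree(l, q),
        "q6_digits": len(str(q**6)),   # size of the DSA field F_{q^6}
    }

if __name__ == "__main__":
    for m, a in ((163, 0), (97, 1)):
        print(m, a, analyse(m, a))
```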
Remark. One might want to use composite $m$ in order to be able to perform
multiplications and inversions in $\mathbb{F}_{3^m}$ more efficiently using a tower of subfields.
It is still possible to get a large prime factor of $N_m$ with $m$ not much larger
than in the case when $m$ is prime. For example, when $a = 0$, a 66-digit prime
divides $N_{169}$; and when $a = 1$, a 47-digit prime divides $N_{121}$, and a 74-digit
prime divides $N_{187}$.
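We let $\omega$ denote the 6th root of unity
$$\omega = \ - (-1)^a = \frac{(-1)^a + i\sqrt{3}}{2}, \qquad (4)$$
and we let $\mathbb{Z}[\omega]$ denote the ring of integers of the form $u + v\omega$, $u, v \in \mathbb{Z}$. Then
when $m$ is prime we are interested in primality of the element $(\omega + 1)^m - 1$ when
$a = 0$ and primality of the element $((\omega - 1)^m - 1)/(\omega - 2)$ when $a = 1$, since it
is a prime element of $\mathbb{Z}[\omega]$ if and only if
$$\frac{N_m}{N_1} = \begin{cases} |(\omega + 1)^m - 1|^2, & \text{if } a = 0; \\ \frac{1}{7}|(\omega - 1)^m - 1|^2, & \text{if } a = 1, \end{cases}$$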
is a prime in $\mathbb{Z}$. When $a = 0$ this is a close analogue of the Mersenne prime
problem, as we see by replacing $\omega$ by 1. (This example of an elliptic curve
for cryptography and the analogy with the Mersenne prime problem were first
mentioned in Exercise 11 of §VI.1 and Exercise 6 of §VI.2 in [7].)
¹ This means that $(\ ^2 - (-1)^a 3\ + 3)P = O$ for any point $P$ on the curve. This
polynomial (more precisely, its reciprocal polynomial $1 - (-1)^a 3T + 3T^2$) is also the
numerator of the zeta-function of the curve. For details on this and other properties
of elliptic curves, see §VI.1 of [7] and Ch. V of [21].
As always, the Frobenius map  : $(x, y) \mapsto (x^3, y^3)$ takes negligible time,
provided that we are working in a normal basis of $\mathbb{F}_q$ over $\mathbb{F}_3$; and the negation
map $(x, y) \mapsto (x, -y)$ is also trivial to carry out. The Frobenius map acting on
points $P \in E(\mathbb{F}_q)$ may be regarded as the element   $\in \mathbb{Z}[\omega]$, because it satisfies
the same quadratic equation $\ ^2 - (-1)^a 3\ + 3 = 0$.
In the case of the particular equation (1), it is also extremely easy to describe
the action on points $P \in E(\mathbb{F}_q)$ of the cube roots of unity. Let us take $a = 1$; the
case $a = 0$ is virtually identical. Then we are interested in how the nontrivial
cube root of unity $\omega = (-1 + \sqrt{3}i)/2 = \ + 1$ acts on $P = (x, y) \in E(\mathbb{F}_q)$.
That is, we want to find the coordinates of $(\ + 1)P = P_{x,y} + P_{x^3,y^3}$. Using the
addition law for $P_{x_1,y_1} + P_{x_2,y_2} = P_{x_3,y_3}$, which takes the following form when
$P_{x_2,y_2} \ne P_{x_1,y_1}$:
$$x_3 = \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^2 - x_1 - x_2, \qquad y_3 = y_1 + y_2 - \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^3,$$
and the relation $x^3 - x = y^2 - 1$ from (1), we obtain:
$$P_{x,y} + P_{x^3,y^3} = P_{x+1,y}.$$
(It is easy to check that this formula also holds when $P_{x^3,y^3} = P_{x,y}$, i.e., when
$P_{x,y}$ is an $\mathbb{F}_3$-point.) Thus, the action on points of any power of   and any sixth
root of unity can be computed in trivial time.
Remark. Another convenient feature of the curves (1) in characteristic 3 is that,
if we use a normal $\mathbb{F}_3$-basis $\{\ , \ ^3, \ldots, \ ^{3^{m-1}}\}$ of $\mathbb{F}_q$, then there is an easy
compression technique for storing a point $P_{x,y}$, by analogy with the characteristic
2 method in [13]. Namely, we represent $P$ as $(x_0, y)$, where $x_0 \in \{0, 1, -1\}$ is the
first coordinate of $x$. Then $x = \sum x_i\ ^{3^i}$ can be recovered by setting $x_i = x_{i-1} + z_i$,
$i = 1, 2, \ldots, m-1$, where the $z_i$ are the coordinates of $-y^2 - (-1)^a = \sum z_i\ ^{3^i}$.
3 Base- Expansions
Suppose that we want to compute a multiple $kP$ of an $\mathbb{F}_{3^m}$-point on the elliptic
curve (1). As in [10] and [23], our first step is to divide $k$ by $\ ^m - 1$ in the ring
$\mathbb{Z}[\omega]$, and then replace $k$ by its remainder $k'$ modulo $\ ^m - 1$. This is justified
because $(\ ^m - 1)P = \ ^m P - P = O$. Our next step is to find a base-  expansion
of $k'$ with digits $\{0, \pm 1, \pm\omega, \pm\omega^2\}$ that has nonadjacent form (NAF), where,
following [23], we define "nonadjacent form" to mean that no two consecutive
coefficients are nonzero.
Theorem 1. Every element of $\mathbb{Z}[\omega]$ reduced modulo $\ ^m - 1$ has a unique NAF
base-  expansion with digits $\{0, \pm 1, \pm\omega, \pm\omega^2\}$, in which at most $(m+1)/2$ digits
are nonzero. Asymptotically on the average 60% of the digits are zero.
Proof. We first recall the algorithm for finding the usual base-  expansion of
an element $u + v\omega \in \mathbb{Z}[\omega]$ with digits $\ _j \in \{0, 1, -1\}$. By (4) we have
$u + v\omega = (u - (-1)^a v) + v\ $. Dividing the integer $u - (-1)^a v$ by 3, we can write
$u - (-1)^a v = 3w + \varepsilon_0$ for some $\varepsilon_0 \in \{0, 1, -1\}$. Then we use (2) to write
$u + v\omega = (3w + \varepsilon_0) + v\ = (((-1)^a 3w + v) - w\ )\ + \varepsilon_0$. We then take the
quotient $((-1)^a 3w + v) - w\ $ and repeat the process to find $\varepsilon_1$, $\varepsilon_2$, and so on.
Now we describe the algorithm for finding the NAF base-  expansion of an
element of $\mathbb{Z}[\omega]$. In each step we divide our previous quotient $q_{j-1}$ by  , getting
a quotient $u + v\ $ and a remainder $\varepsilon \in \{0, 1, -1\}$, as we did in the previous
paragraph:
$$q_{j-1} = (u + v\ )\ + \varepsilon.$$
If $\varepsilon = 0$ or if $3 \mid u$, then we leave the above equality unchanged and set $q_j = u + v\ $,
$\ _j = \varepsilon$. Otherwise, we modify the above equation as follows:
$$q_{j-1} = q_j\ + \ _j,$$
where
$$q_j = \begin{cases} (u + (-1)^a 2\varepsilon) + (v - \varepsilon)\ & \text{if } u \equiv (-1)^a\varepsilon \pmod 3; \\ (u + (-1)^a\varepsilon) + v\ & \text{if } u \equiv -(-1)^a\varepsilon \pmod 3, \end{cases}$$
and
$$\ _j = \begin{cases} -(-1)^a\varepsilon\overline{\omega} & \text{if } u \equiv (-1)^a\varepsilon \pmod 3; \\ -(-1)^a\varepsilon\omega & \text{if } u \equiv -(-1)^a\varepsilon \pmod 3. \end{cases}$$
Uniqueness of the NAF expansion is clear from the construction. Finally, the
asymptotic expectation is that every nonzero digit is followed by
$1 + \frac{1}{3} + \frac{1}{3^2} + \cdots = 1.5$ zero digits, in which case 60% of the digits are zero. □
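Here is an example. Let us take $a = 0$ and find the expansion of $10 + 2i\sqrt{3}$.
We have:
$$\begin{aligned}
10 + 2i\sqrt{3} &= (7 - \ )\ + 1 \\
&= (9 - 2\ )\ + \omega^2; \\
9 - 2\ &= (7 - 3\ )\ + 0; \\
7 - 3\ &= (3 - 2\ )\ + 1; \\
3 - 2\ &= (1 - \ )\ + 0; \\
1 - \ &= 0\ + \omega^4,
\end{aligned}$$
and hence the digits are $\ _4 = \omega^4$, $\ _3 = 0$, $\ _2 = 1$, $\ _1 = 0$, $\ _0 = \omega^2$.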
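
The NAF digit algorithm from the proof of Theorem 1 and the worked expansion above, as an added example that is not code from the paper. It writes `t` for the root of T^2 - (-1)^a 3T + 3 with positive imaginary part (the name `t` and all function names are assumptions of this example), stores an element as a pair `(x, y)` meaning x + y·t, and does not perform the preliminary reduction of k.

```python
# Added example: NAF expansion in base t, where t^2 = 3s*t - 3, s = (-1)^a,
# and w = t - s is the root of unity of equation (4). The name t is assumed.
import random

def from_sqrt3(re, im, a):
    """Write re + im*i*sqrt(3) as (x, y) = x + y*t, using i*sqrt(3) = 2t - 3s."""
    s = (-1) ** a
    return re - 3 * s * im, 2 * im

def digit_table(a):
    """Zero and the six sixth roots of unity in the (1, t) basis, with names."""
    s = (-1) ** a
    roots = {"1": (1, 0), "w": (-s, 1), "w^2": (-2, s)}
    table = {(0, 0): "0"}
    for name, (c0, c1) in roots.items():
        table[(c0, c1)] = name
        table[(-c0, -c1)] = "-" + name
    return table

def naf_digits(x, y, a):
    """Digits d_0, d_1, ... with sum(d_j * t^j) == x + y*t, low order first."""
    s = (-1) ** a
    digits = []
    while (x, y) != (0, 0):
        eps = (x + 1) % 3 - 1            # remainder of x mod 3 in {-1, 0, 1}
        w3 = (x - eps) // 3              # x = 3*w3 + eps, and 3 = t*(3s - t)
        u, v = 3 * s * w3 + y, -w3       # ordinary quotient u + v*t
        if eps == 0 or u % 3 == 0:
            d = (eps, 0)                 # keep the ordinary remainder
        elif (u - s * eps) % 3 == 0:     # u = s*eps (mod 3): digit eps*w^2
            d = (-2 * eps, s * eps)
            u, v = u + 2 * s * eps, v - eps
        else:                            # u = -s*eps (mod 3): digit -s*eps*w
            d = (eps, -s * eps)
            u += s * eps
        digits.append(d)
        x, y = u, v                      # new quotient has u divisible by 3
    return digits

def evaluate(digits, a):
    """Horner evaluation of sum(d_j * t^j), using t^2 = 3s*t - 3."""
    s = (-1) ** a
    x = y = 0
    for c0, c1 in reversed(digits):
        x, y = -3 * y + c0, x + 3 * s * y + c1
    return x, y

def is_naf(digits):
    """True when no two consecutive digits are both nonzero."""
    zero = (0, 0)
    return all(d == zero or e == zero for d, e in zip(digits, digits[1:]))

def zero_fraction(a, samples=200, bits=200, seed=1):
    """Share of zero digits over random elements (constructed test input)."""
    rng = random.Random(seed)
    total = zeros = 0
    for _ in range(samples):
        ds = naf_digits(rng.getrandbits(bits), rng.getrandbits(bits), a)
        total += len(ds)
        zeros += ds.count((0, 0))
    return zeros / total

if __name__ == "__main__":
    a = 0
    names = digit_table(a)
    ds = naf_digits(*from_sqrt3(10, 2, a), a)
    print([names[d] for d in ds])        # low-order digit first
    print(round(zero_fraction(a), 3))
```

For a = 0 the digit `-w` is the ω^4 of the worked example, since ω^3 = -1 in that case.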
Remark. The expected number $\frac{2}{5}\log_3 q$ of elliptic curve additions given by
Theorem 1 is about 25% less than the previous lowest result for the number of
additions of points in computing $kP$, which was $\frac{1}{3}\log_2 q$ due to Solinas [23].
However, from a practical point of view this improvement in the number of
elliptic curve additions might be offset by the decreased efficiency of working in
characteristic 3 rather than 2. For example, in characteristic 2 one can often
minimize time for a field operation by using an optimal normal basis [15].
In order to avoid field inversions and determine the time required to compute
a multiple of a point in terms of field multiplications alone, we introduce
projective coordinates. (See §6.3 of [11] for a discussion of this in characteristic 2.)
When converted to homogeneous coordinates, the equations for point addition
(see §2) become
$$\begin{aligned}
z_3 &= (x_2 z_1 - x_1 z_2)^3 z_1 z_2; \\
x_3 &= (y_2 z_1 - y_1 z_2)^2 (x_2 z_1 - x_1 z_2) z_1 z_2 - (x_2 z_1 - x_1 z_2)^3 x_1 z_2 - (x_2 z_1 - x_1 z_2)^3 x_2 z_1; \\
y_3 &= -(x_2 z_1 - x_1 z_2)^3 y_1 z_2 + (y_2 z_1 - y_1 z_2)(x_2 z_1 - x_1 z_2)^2 x_1 z_2 - x_3 (y_2 z_1 - y_1 z_2)/(x_2 z_1 - x_1 z_2).
\end{aligned}$$
(Note that the last expression is a polynomial, because $x_3$ is divisible by
$x_2 z_1 - x_1 z_2$.)
In each stage of the computation of $kP$ one adds a partial sum to a point
of the form $\ _j\ ^j P$ (in which the NAF digit $\ _j$ is a sixth root of unity). The
latter point is computed in negligible time in affine (i.e., non-homogeneous)
coordinates; so we may assume that its projective coordinates are $(x_2, y_2, 1)$;
that is, $z_2 = 1$. Assuming now that $z_2 = 1$, the above formulas can be computed
as follows. Successively set
$$A = x_2 z_1, \quad B = y_2 z_1, \quad C = (A - x_1)^2, \quad D = (A - x_1)^3,$$
$$E = (B - y_1)^2, \quad F = x_1 C, \quad G = z_1 E - (D + 2F).$$
Then
$$z_3 = z_1 D, \quad x_3 = (A - x_1) G, \quad y_3 = -y_1 D + (B - y_1)(F - G).$$
This all takes 10 field multiplications. (Note that $D$ is computed in negligible
time, since we are in characteristic 3.)
Since on the average $\frac{2}{5}m$ point additions are needed to compute a multiple
of a point, it follows that in projective coordinates one expects to compute a
multiple of a point with $4m$ field multiplications.
From the formulas for adding points in affine coordinates (see §2) we see that,
alternatively, a point addition can be accomplished with 1 field inversion and 2
field multiplications. Thus, if an inversion can be done in less time than 8 field
multiplications, we should use affine rather than projective coordinates. In
characteristic 2 there are implementations of field inversion that take time roughly
equal to that of 3 field multiplications (see [19] and [24]); and it is reasonable to
expect that the same equivalence can be achieved in characteristic 3 [18].
We have obtained the following corollary of Theorem 1.
Corollary 1. If one uses projective coordinates, the expected number of field
multiplications in $\mathbb{F}_{3^m}$ needed to compute a multiple of a point on the curve (1)
is $4m$. Using affine coordinates, on the average one can compute a multiple of a
point on (1) with $\frac{4}{5}m$ field multiplications and $\frac{2}{5}m$ field inversions. If a field
inversion can be carried out in time equivalent to that of three field multiplications,
then in affine coordinates one has a time estimate of $2m$ field multiplications for
computing a multiple of a point.
4 DSA and ECDSA
We shall use DSA in a slightly generalized form, in which the finite field $\mathbb{F}_q$,
$q = p^m$, is not necessarily a prime field. Here $q$ has at least 500 bits, and $q - 1$
is divisible by a prime $l$ of at least 160 bits. Let $f : \mathbb{F}_q \to \mathbb{F}_l$ be a fixed, easily
computable function such that $\#f^{-1}(y) \approx q/l$ for each $y \in \mathbb{F}_l$; that is, $f$ spreads
$\mathbb{F}_q$ fairly evenly over $\mathbb{F}_l$. If $q = p$, then we represent elements of $\mathbb{F}_q$ by integers
$x \in \{0, 1, \ldots, p-1\}$, and we usually take $f(x)$ to be the least nonnegative residue
of $x$ modulo $l$. If $m > 1$, and if $\{\ _0, \ldots, \ _{m-1}\}$ is our $\mathbb{F}_p$-basis of $\mathbb{F}_q$, then for
$x = \sum x_i\ _i$, $x_i \in \{0, 1, \ldots, p-1\}$, we could, for example, define $f(x)$ to be the
least nonnegative residue modulo $l$ of the integer $\sum x_i p^i$.
Let $g \in \mathbb{F}_q$ be a generator of the unique subgroup of $\mathbb{F}_q^*$ of order $l$, and let $H$
be a hash function taking values in $\mathbb{F}_l$. Here $q$, $l$, $\{\ _i\}$, $g$, $f$, and $H$ are publicly
known. Alice's secret key is a random integer $x$ in the range $1 < x < l$, and her
public key is $y = g^x \in \mathbb{F}_q$.
To sign a message $M$, Alice does the following:
1) She selects a random integer $k$ in the range $1 < k < l$.
2) She computes $g^k \in \mathbb{F}_q$ and $r = f(g^k)$. If $r = 0$, she returns to step 1).
3) She computes $k^{-1} \in \mathbb{F}_l$ and $s = k^{-1}(H(M) + xr) \in \mathbb{F}_l$. If $s = 0$, she returns
to step 1).
4) Her signature for the message $M$ is the pair $(r, s)$.
To verify the signature, Bob computes $u_1 = s^{-1}H(M) \in \mathbb{F}_l$, $u_2 = s^{-1}r \in \mathbb{F}_l$,
and then $g^{u_1}y^{u_2} \in \mathbb{F}_q$. If $f(g^{u_1}y^{u_2}) = r$, he accepts the signature.
We now describe the elliptic curve version ECDSA. Let $E$ be an elliptic curve
defined over $\mathbb{F}_q$ such that $\#E(\mathbb{F}_q)$ is equal to a prime $l$ of at least 160 bits (or to
a small integer factor times such a prime $l$). Let $P$ be an $\mathbb{F}_q$-point of $E$ of order
$l$. Let $f_E : E(\mathbb{F}_q) \to \mathbb{F}_l$ be a fixed, easily computable function that spreads
the points over $\mathbb{F}_l$ fairly evenly (for instance, we might require that $\#f_E^{-1}(y)$ be
bounded by a small constant for $y \in \mathbb{F}_l$). One way to define the elliptic curve
function $f_E$, for example, would be to take the x-coordinate of a point and then
apply to it the function $f : \mathbb{F}_q \to \mathbb{F}_l$ in the above description of DSA.
Alice's secret key is an integer $x$ in the range $1 < x < l$, and her public key
is the point $Q = xP \in E(\mathbb{F}_q)$. To sign a message $M$, Alice does the following:
1) She selects a random integer $k$ in the range $1 < k < l$.
2) She computes $kP$ and $r = f_E(kP)$. If $r = 0$, she returns to step 1).
3) She computes $k^{-1} \in \mathbb{F}_l$ and $s = k^{-1}(H(M) + xr) \in \mathbb{F}_l$. If $s = 0$, she returns
to step 1).
4) Her signature for the message $M$ is the pair $(r, s)$.
To verify the signature, Bob computes $u_1 = s^{-1}H(M) \in \mathbb{F}_l$, $u_2 = s^{-1}r \in \mathbb{F}_l$,
and then $u_1 P + u_2 Q \in E(\mathbb{F}_q)$. If $f_E(u_1 P + u_2 Q) = r$, he accepts the signature.
5 Comparison of DSA and ECDSA
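We set up ECDSA using the curve $E$ in (1) over $\mathbb{F}_q$, $q = 3^m$. We assume that
$$l = \frac{N_m}{N_1} = \left|\frac{\ ^m - 1}{\ - 1}\right|^2 = \begin{cases} 3^m - \left(\frac{3}{m}\right) 3^{(m+1)/2} + 1, & \text{if } a = 0; \\ \left(3^m + \left(\frac{3}{m}\right) 3^{(m+1)/2} + 1\right)/7, & \text{if } a = 1, \end{cases}$$
is prime. Let $P \in E(\mathbb{F}_q)$ be a point of order $l$.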
Let $F : E(\mathbb{F}_q) \to \mathbb{F}_{q^6}^*$ be an MOV imbedding of the elliptic curve group
into the multiplicative group of $\mathbb{F}_{q^6}$ constructed using the Weil pairing [12]. Let
$g = F(P)$, which is a generator of the unique subgroup of $\mathbb{F}_{q^6}^*$ of order $l$.
We set up DSA in $\mathbb{F}_{q^6}^*$ and ECDSA in $E(\mathbb{F}_q)$ so as to be equivalent to one
another by means of $F$. Thus, if $f : \mathbb{F}_{q^6} \to \mathbb{F}_l$ is the function in DSA, then we
define $f_E : E(\mathbb{F}_q) \to \mathbb{F}_l$ by the formula $f_E = f \circ F$.
Remark. In a practical situation it would be more efficient to define $f_E$ without
using the MOV imbedding $F$ (for example, by applying $f$ to the x-coordinate of a
point, as suggested in §4), because even though the computation of $F$ is polynomial
time, it is not very fast. We have chosen to set $f_E = f \circ F$ for a theoretical
rather than practical reason: to make the DSA and ECDSA implementations
completely equivalent.
We can now easily verify that the MOV imbedding $F$ gives an equivalence
between the two signature schemes. In both cases Alice's secret key is an integer
$x$ in the range $1 < x < l$; her public key is $Q = xP$ in ECDSA and
$F(Q) = F(xP) = F(P)^x = g^x = y$ in DSA. The $k$, $r$, and $s$ are the same in both cases.
So are the $u_1$ and $u_2$ in signature verification. In ECDSA the signature is verified
by computing $u_1 P + u_2 Q$, and in DSA by computing $g^{u_1}y^{u_2}$. The signature is
accepted if
$$r = f_E(u_1 P + u_2 Q) = f(F(u_1 P + u_2 Q)) = f(g^{u_1}y^{u_2}).$$
Thus, the DSA and ECDSA implementations are equivalent.
In order to get an approximate idea of the relative efficiency of the two
systems, let us compare the times to compute 1) $kP \in E(\mathbb{F}_q)$ and 2) $g^k \in \mathbb{F}_{q^6}$,
where $k$ is a random integer in the range $1 < k < l$, i.e., $k$ has about the same
bitlength as $q = 3^m$. We shall neglect possible speed-ups using precomputations,
fast multiplication techniques, etc., and shall assume that a field multiplication
in $\mathbb{F}_q$ takes time proportional to $(\log_2 q)^2$.
We shall also assume that a field inversion in $\mathbb{F}_q$ takes approximately the
same amount of time as 3 field multiplications; in that case the computation of
$kP$ on the average takes the equivalent of $2m$ field multiplications in $\mathbb{F}_q$, by the
corollary to Theorem 1 (see §3).
On the DSA side, we have a significant efficiency advantage because we are
working in characteristic 3. Namely, we first write the exponent $k$ in ternary form
as $k = \sum \varepsilon_j 3^j$, where $\varepsilon_j \in \{0, 1, 2\}$. For $\ = 0, 1, 2$ let $J_{\ }$ be the set of $j$ for which
$\varepsilon_j = \ $. Since the computation of $g^{3^j}$ takes negligible time, the computation of
$g^k = \prod_{j \in J_1} g^{3^j} \left(\prod_{j \in J_2} g^{3^j}\right)^2$ takes just $\#(J_1) + \#(J_2)$ field multiplications. We
expect about one third of the digits in $k$ to be zero, so we conclude that the
computation of $g^k$ takes roughly $\frac{2}{3}m$ field multiplications in $\mathbb{F}_{q^6}$, each of which
takes about 36 times as long as a field multiplication in $\mathbb{F}_q$.
Thus, the ratio of time for $g^k$ to time for $kP$ is roughly
$$\frac{36 \cdot \frac{2}{3}m}{2m} = 12.$$
In other words, when we choose parameters for ECDSA and for DSA in such a
way as to make the two systems equivalent, we find that ECDSA is approximately
12 times faster than DSA, independently of the value of $m$.
6 A Nonsupersingular Family
Consider the curve
$$Y^2 = X^3 - b, \qquad b \ne 0,$$
defined over $\mathbb{F}_7$. This elliptic curve is nonsupersingular. The number $N_1 = 8 - t$
of $\mathbb{F}_7$-points and the root   with positive imaginary part of the characteristic
polynomial $T^2 - tT + 7$ are given in the following table:
$b$        $t$
$\pm 1$    $\pm 4$    $\pm 2 + \sqrt{3}i$
$\pm 2$    $\pm 1$    $(\pm 1 + 3\sqrt{3}i)/2$
$\pm 3$    $\pm 5$    $(\pm 5 + \sqrt{3}i)/2$
As usual, we choose $b$ and a prime $m$ so that $N_m/N_1 = |(\ ^m - 1)/(\ - 1)|^2$ is
prime. For instance, when $b = -1$ the number $N_{59}$ is 12 times a 49-digit prime;
and when $b = 3$ the number $N_{61}$ is 3 times a 52-digit prime, and the number
$N_{71}$ is 3 times a 60-digit prime.
Note that, up to complex conjugation, the six values of   in the table differ
from one another by a factor of $\pm 1$, $\pm\omega$, or $\pm\omega^2$, where $\omega = (-1 + \sqrt{3}i)/2$.
As before, we define the action of   on a point $P \in E(\overline{\mathbb{F}}_7)$, where
$\overline{\mathbb{F}}_7 = \bigcup_m \mathbb{F}_{7^m}$ is the algebraic closure of $\mathbb{F}_7$, to be the Frobenius map
$\ P_{x,y} = \ P_{x,y} = P_{x^7,y^7}$. In this way $\mathbb{Z}[\omega]$ imbeds in the ring of endomorphisms of
$E(\overline{\mathbb{F}}_7)$; and it follows from the properties of nonsupersingular curves (see p. 137
of [21]) that the image of $\mathbb{Z}[\omega]$ is all of the endomorphism ring of $E(\overline{\mathbb{F}}_7)$.
It is easy to check that the maps $P_{x,y} \mapsto P_{2x,y}$ and $P_{x,y} \mapsto P_{4x,y}$ are
endomorphisms of $E(\overline{\mathbb{F}}_7)$ of order 3. Since $\omega = (-1 + \sqrt{3}i)/2$ and $\omega^2 = \overline{\omega}$ are the only
nontrivial cube roots of unity, it follows that in each case $\omega P$ must be given by
one of these maps; one can quickly determine which of the two by testing on an
$\mathbb{F}_7$- or $\mathbb{F}_{7^2}$-point of $E$. Thus, the action on $\mathbb{F}_{7^m}$-points of any of the sixth roots
of unity $\pm 1$, $\pm\omega$, $\pm\omega^2$ is trivial to compute.
Suppose that we want to compute a multiple $kP$ for $P \in E(\mathbb{F}_{7^m})$. As usual,
we first replace $k$ by its remainder $k' \in \mathbb{Z}[\omega]$ after division by $\ ^m - 1$. We
then compute the base-  expansion of $k'$ using $\{0, \pm 1, \pm\omega, \pm\omega^2\}$ rather than
$\{0, \pm 1, \pm 2, \pm 3\}$ as digits; this is easy to do using the equality $\ ^2 = t\ - 7$
and the simple relations between  , $\omega$, and $\pm 2$, $\pm 3$. We cannot obtain an NAF
expansion, but we have the advantage that $k'$ has fewer digits in characteristic 7,
where the base   has larger norm (7 rather than 2 or 3). Since 1/7 of the digits
are expected to be 0, we conclude that on the average the computation of $kP$
requires $\frac{6}{7}\log_7 q = 0.3052\log_2 q$ elliptic curve additions.
This estimate for the number of elliptic curve additions is slightly lower than
Solinas' value of $\frac{1}{3}\log_2 q$ on an anomalous binary curve [23]. But in practice the
improvement from $\frac{1}{3}\log_2 q$ to $0.3052\log_2 q$ is not enough to compensate for the
lower efficiency of working in characteristic 7 rather than in characteristic 2.
Remark. A disadvantage of this family of curves is that there are not many
curves and fields to choose from. The same applies to the curves in §2, and to
the anomalous binary curves in [6,10,23]. Random curves allow far more choice,
but less efficient implementation.
Acknowledgments
I would like to thank Arjen Lenstra, Richard Schroeppel, and Alfred Menezes
for several very helpful comments and suggestions.
References
1. R. Balasubramanian and N. Koblitz, The improbability that an elliptic curve
has subexponential discrete log problem under the Menezes–Okamoto–Vanstone
algorithm, J. Cryptology 11 (1998), 141-145.
2. I. Blake, X. H. Gao, R. C. Mullin, S. A. Vanstone, and T. Yaghoobian, Applications
of Finite Fields, Kluwer Acad. Publ., 1993.
3. S. Gao and H. W. Lenstra, Jr., Optimal normal bases, Designs, Codes and
Cryptography 2 (1992), 315-323.
4. K. Ireland and M. I. Rosen, A Classical Introduction to Modern Number Theory,
2nd ed., Springer-Verlag, 1990.
5. N. Koblitz, Elliptic curve cryptosystems, Math. Comp. 48 (1987), 203-209.
6. N. Koblitz, CM-curves with good cryptographic properties, Advances in Cryptology
– Crypto '91, Springer-Verlag, 1992, 279-287.
7. N. Koblitz, A Course in Number Theory and Cryptography, 2nd ed.,
Springer-Verlag, 1994.
8. N. Koblitz, Algebraic Aspects of Cryptography, Springer-Verlag, 1998.
9. N. Koblitz, A. Menezes, and S. A. Vanstone, The state of elliptic curve
cryptography, to appear in Designs, Codes and Cryptography.
10. W. Meier and O. Staffelbach, Efficient multiplication on certain non-supersingular
elliptic curves, Advances in Cryptology – Crypto '92, Springer-Verlag, 1993,
333-344.
11. A. Menezes, Elliptic Curve Public Key Cryptosystems, Kluwer Acad. Publ., 1993.
12. A. Menezes, T. Okamoto, and S. A. Vanstone, Reducing elliptic curve logarithms to
logarithms in a finite field, IEEE Trans. Information Theory 39 (1993), 1639-1646.
13. A. Menezes and S. A. Vanstone, Elliptic curve cryptosystems and their
implementation, J. Cryptology 6 (1993), 209-224.
14. V. Miller, Uses of elliptic curves in cryptography, Advances in Cryptology – Crypto
'85, Springer-Verlag, 1986, 417-426.
15. R. Mullin, I. Onyszchuk, S. A. Vanstone, and R. Wilson, Optimal normal bases in
GF(p^n), Discrete Applied Math. 22 (1988/89), 149-161.
16. National Institute for Standards and Technology, Digital signature standard, FIPS
Publication 186, 1993.
17. T. Satoh and K. Araki, Fermat quotients and the polynomial time discrete log
algorithm for anomalous elliptic curves, preprint.
18. R. Schroeppel, personal communication, Dec. 2, 1997.
19. R. Schroeppel, H. Orman, S. O'Malley, and O. Spatscheck, Fast key exchange
with elliptic curve systems, Advances in Cryptology – Crypto '95, Springer-Verlag,
1995, 43-56.
20. I. A. Semaev, Evaluation of discrete logarithms in a group of p-torsion points of
an elliptic curve in characteristic p, Math. Comp. 67 (1998), 353-356.
21. J. Silverman, The Arithmetic of Elliptic Curves, Springer-Verlag, 1986.
22. N. Smart, The discrete log problem on elliptic curves of trace 1, preprint.
23. J. Solinas, An improved algorithm for arithmetic on a family of elliptic curves,
Advances in Cryptology – Crypto '97, Springer-Verlag, 1997, 357-371.
24. E. De Win, A. Bosselaers, S. Vandenberghe, P. De Gersem, and J. Vandewalle,
A fast software implementation for arithmetic operations in GF(2^n), Advances in
Cryptology – Asiacrypt '96, Springer-Verlag, 1996, 65-76.