Amicable pairs and aliquot cycles for elliptic curves

An amicable pair for an elliptic curve E/Q is a pair of primes (p,q) of good reduction for E satisfying #E(F_p) = q and #E(F_q) = p. In this paper we study elliptic amicable pairs and analogously defined longer elliptic aliquot cycles. We show that there exist elliptic curves with arbitrarily long aliqout cycles, but that CM elliptic curves (with j not 0) have no aliqout cycles of length greater than two. We give conjectural formulas for the frequency of amicable pairs. For CM curves, the derivation of precise conjectural formulas involves a detailed analysis of the values of the Grossencharacter evaluated at a prime ideal P in End(E) having the property that #E(F_P) is prime. This is especially intricate for the family of curves with j = 0.Comment: 53 page

On the performance of hyperelliptic cryptosystems

In this paper we discuss various aspects of cryptosystems based on hyperelliptic curves. In particular we cover the implementation of the group law on such curves and how to generate suitable curves for use in cryptography. This paper presents a practical comparison between the performance of elliptic curve based digital signature schemes and schemes based on hyperelliptic curves. We conclude that, at present, hyperelliptic curves offer no performance advantage over elliptic curves

Analysis of the Weil Descent Attack of Gaudry, Hess and Smart

. We analyze the Weil descent attack of Gaudry, Hess and Smart [12] on the elliptic curve discrete logarithm problem for elliptic curves dened over F2 n , where n is prime. 1 Introduction Let E be an elliptic curve dened over a nite eld F q . The elliptic curve discrete logarithm problem (ECDLP) in E(F q ) is the following: given E, P 2 E(F q ), r = ord(P ) and Q 2 hP i, nd the integer s 2 [0; r 1] such that Q = sP . The ECDLP is of interest because its apparent intractability forms the basis for the security of elliptic curve cryptographic schemes. The elliptic curve parameters have to be carefully chosen in order to circumvent some known attacks on the ECDLP. In order to avoid the Pohlig-Hellman [19] and Pollard's rho [20, 17] attacks, r should be a large prime number, say r > 2 160 . To avoid the Weil pairing [15] and Tate pairing [8] attacks, r should not divide q k 1 for each 1 k C, where C is large enough so that it is computationally infeasible to nd discrete ..

Faster Compact Diffie-Hellman: Endomorphisms on the x-line

Abstract. We describe an implementation of fast elliptic curve scalar multiplication, optimized for Diffie–Hellman Key Exchange at the 128-bit security level. The algorithms are compact (using only x-coordinates), run in constant time with uniform execution patterns, and do not distinguish between the curve and its quadratic twist; they thus have a built-in measure of sidechannel resistance. The core of our construction is a suite of two-dimensional differential addition chains driven by efficient endomorphism decompositions, built on curves selected from a family of Q-curve reductions over F p 2 with p = 2 127 −1. We include state-of-the-art experimental results for twist-secure, constant-time, x-coordinate-only scalar multiplication