WO2000014924A1

WO2000014924A1 - Elliptic curve cryptosystems for low memory devices

Info

Publication number: WO2000014924A1
Application number: PCT/US1999/020411
Authority: WO
Inventors: Janos A. Csirik
Original assignee: Citibank, N.A.
Priority date: 1998-09-08
Filing date: 1999-09-07
Publication date: 2000-03-16
Also published as: AU6243899A; JP2002524778A; EP1112637A1

Abstract

Each participant in a cryptographic system selects its own elliptic curve and verifies that the elliptic curve is sufficiently secure. A participant is represented by a handheld low memory device such as a smart card. A central facility is not required for key creation. The determination of whether an elliptic curve is sufficiently secure is made by counting the number of points on the curve and ensuring that this number is divisible by a prime number of at least a predetermined length.

Description

ELLIPTIC CURVE CRYPTOSYSTEMS FOR LOW MEMORY DEVICES BACKGROUND OF THE INVENTION The present invention relates to cryptosystems, and, more particularly, is directed to cryptosystems wherein a handheld device for each user of the cryptosystem selects its own elliptic curve, rather than using an elliptic curve predetermined for all users of the cryptosystem. In a conventional elliptic curve cryptosystem, as shown in Fig. 1, a central facility selects a finite field, an elliptic curve, a generator of an appropriate subgroup of the group of points of the elliptic curve over the finite field, and determines the order of that generator. The central facility distributes these data among the participants in the cryptographic system. Each participant then selects a secret key, computes a corresponding public key, and may optionally obtain certification for its public key. The objective of the certificate is to make one party's public key available to other parties in such a way that those other parties can independently verify that the public key is valid and authentic. An advantage of the conventional system is that, while a lot of computation is required to obtain both the cardinality of the group of points of an elliptic curve over a finite field, and to find an elliptic curve for which this cardinality satisfies the security requirements, this computation need not be performed by participants - - which would be very burdensome - - as the computation is performed once by the central facility. Conventional elliptic curve cryptosystems are used in the same applications as other public key cryptosystems, such as authentication, certification, encryption/decryption, signature generation and verification. As shown in Fig. 2, to use the conventional elliptic curve cryptosystem, two parties wishing to communicate exchange their cryptographic data, and then proceed with their communication, such as a signature scheme or a data encryption/decryption scheme. A serious problem with the above-described conventional elliptic curve cryptosystem is that all participants are vulnerable to an attack on the centrally selected elliptic curve and finite field. That is, the system is vulnerable to a concentrated attack on the Discrete Logarithm problem in the group defined by the centrally selected elliptic curve and finite field. Thus, there is a need to reduce the vulnerability to attack of elliptic curve cryptosystems, in particular, cryptosystems having the cryptographic functionality implemented in a small, inexpensive, low power device such as a so-called "smart card". SUMMARY OF THE INVENTION In accordance with an aspect of the invention, a method of selecting an elliptic curve for a cryptosystem is provided. A prime number/? defining a field F_p is selected. A set of candidate elliptic curves E over the field F_p is selected. Then a

set of modular polynomials Ψ_t modulo p for a list of candidate auxiliary primes £ is

found by a calculation in characteristic p using a stored polynomial P,, . The roots

modulo p of the modular polynomials Ψ_f are found. Kernel polynomials {X) based

on the roots of the modular polynomials Ψ, are generated. An eigenvalue e for one

of the kernel polynomials h{X) is found. A value t based on the eigenvalue e and the prime number ? is obtained. The number of points of one of the candidate elliptic curves E over F_p is compared with the value t to make a determination whether the candidate elliptic curve is sufficiently secure. When the determination is that the candidate elliptic curve is sufficiently secure, the candidate elliptic curve is selected for the cryptosystem.

The step of finding the set of modular polynomials Ψ, is performed by

without table look-up of the modular polynomials¹!^ .

When the determination is that the candidate elliptic curve is insufficiently secure, the step of obtaining the nubmer of points is repeated for another of the candidate elliptic curves E . The prime number ? has about 200 bits, and the number of points of the selected elliptic curve is a product of a second prime number and a cofactor, the cofactor having up to 5 bits. In accordance with another aspect of the invention, a method of encrypting a message M is provided, wherein an elliptic curve E is selected according to the method described above, and then the following are selected: a point P of prime order q on the selected elliptic curve E over the field of F_p, a secret positive integer

m and a random positive integer k, m < q, k<q. The points k ® P and k ® (m <S> P)

= (x, y) on the curve E are obtained, and the point (k <8> P, (x * M) mod p) is obtained as the encrypted message. In accordance with yet another aspect of the invention, a method of obtaining a digital signature for a message M is provided, wherein an elliptic curve E is selected according to the method described above, and then the following are selected: a point P of prime order q on the selected elliptic curve E over the field of F_p, a secret positive integer m and a random positive integer k, m < q, k<q. A cryptographically secure hash value d between 1 and q - 1 of the message M is

obtained, and k ® P = {x, y) is calculated. The pair {(x + d) mod q, (k - m (x + d)) mod q) is obtained as the digital signature. In accordance with a further aspect of the invention, a portable device for encoding information using an elliptic curve cryptosystem is provided, having

means for selecting an elliptic curve by finding the roots of modular polynomials Ψ^

modulo p for a list of candidate auxiliary primes £ and a prime number p by a

calculation in characteristic/? using a stored polynomial P^ , and means for encoding

the information using the selected elliptic curve. In accordance with a still further aspect of the invention, a portable device for digitally signing information using an elliptic curve cryptosystem is provided, having means for selecting an elliptic curve by finding the roots of modular

polynomials Ψ, modulo p for a list of candidate auxiliary primes £ and a prime

number/? by a calculation in characteristic/? using a stored polynomial P_f , and

means for digitally signing the information using the selected elliptic curve. It is not intended that the invention be summarized here in its entirety. Rather, further features, aspects and advantages of the invention are set forth in or are apparent from the following description and drawings. BRIEF DESCRIPTION OF THE DRAWINGS Fig. 1 is a flowchart showing a set-up phase of a common curve elliptic curve cryptosystem; Fig. 2 is a flowchart showing operation of a common curve elliptic curve cryptosystem; Figs. 3 A and 3B are flowcharts showing set-up and operation of a proposed user-selected curve elliptic curve cryptosystem; Figs. 4A and 4B are flowcharts showing set-up and operation of a user- selected curve elliptic curve cryptosystem according to the present invention; Figs. 5A-5C comprise a flowchart showing, in detail, the flowchart of Fig. 4B; Fig. 6 is a flowchart showing selection of a suitable elliptic curve, as required in step 130 of Fig. 5 A;

Fig. 7 is a flowchart showing calculation of a modular polynomial Ψ, , as

required in step 220 of Fig. 5 A; Fig. 8 is a flowchart showing generation of a polynomial G , as required in step 780 of Fig. 7; Fig. 9 is a flowchart showing how to obtain an eigenvalue e, as required in step 370 of Fig. 5B; Fig. 10 is a flowchart showing how to obtain polynomials Α_S X), b_s{X), c_s{X) and d_s(N); Fig. 11 is a flowchart showing how to obtain coefficients a^; and Fig. 12 is a flowchart showing how to obtain the coefficients (-I)'S_J. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS In the present invention, each user, typically represented by a respective handheld low memory device such as a smart card, selects its own elliptic curve and verifies that the elliptic curve is sufficiently secure. It is an important aspect of the present invention that each user's device is able to independently verify the sufficiency of security of its selected elliptic curve. It is an important aspect of the present invention that a central facility is not required during key creation but may be used during key certification. Users wishing to communicate exchange cryptographic data, and then encrypt and decrypt as desired. Advantageously, cryptosystems according to the present invention are not vulnerable to an attack on a centrally selected elliptic curve and finite field, since such targets do not exist. Another advantage of cryptosystems according to the present invention is that a central facility cannot influence selection of cryptographic parameters, and therefore cannot disadvantage users, such as by selecting parameters with a "trapdoor" facilitating unauthorized retrieval of a user's secret key. Practically, an elliptic curve for an elliptic curve cryptosystem is sufficiently secure when the number of points in the group of the elliptic curve, also referred to as the "order" of the elliptic curve, is divisible by a prime number of at least a predetermined length. After counting the number of points in the group of the elliptic curve, it is straightforward to assess the security of the elliptic curve. When the order is divisible by a sufficiently large prime number, then the discrete logarithm (DL) problem faced by an unauthorized user of the cryptosystem presents sufficient computational difficulty that the security of the cryptosystem is adequate. An overview of polynomial time algorithms for determining the number of points on an elliptic curve is presented in Schoof, "Counting points on elliptic curves over finite fields", J. de Theorie de Nombres de Bordeaux, vol. 7, 219-254 (1995). The instant technique for finding an appropriate elliptic curve is based on the Schoof-Elkies-Atkin algorithm. Examples of algorithms are provided in Elkies, "Elliptic and modular curves over finite fields and related computational issues", in Buell et al. (ed.) Computational Perspectives in Number Theory, AMS, 21-76 (1998). A practical implementation of the Schoof-Elkies-Atkin algorithm is described in Morain, "Calcul du nombre de points sur une courbe elliptique dans un corps fini: aspects algorithmiques", J de Theorie de Nombres de Bordeaux, vol. 7, 255-282 (1995). Another implementation involving a match and sort method and isogeny cycles is described in Izu et al., "Efficient Implementation of Schoof s Algorithm" in Lecture Notes on Computer Science: ASIACRYPT 98 Conference, Beijing, Springer, 66-79 (1998). The instant technique for determining the number of points on an elliptic curve is similar to that described in Morain' s 1995 paper. As discussed further

below, a modular polynomial Ψ,, must be generated for each candidate auxiliary

prime number £.

Fig. 3 A shows that, for Morain' s technique, in a set-up procedure performed

ahead of actual operation, the modular polynomials Ψ₍ for characteristic 0 are

generated and stored in a TABLE. Fig. 3B shows that, for Morain' s technique,

during usage, the modular polynomials Ψ^ are obtained via TABLE look-up, and

then an appropriate elliptic curve is found. Fig. 4A shows that, for the instant technique, in a set-up procedure, the set of

modular polynomials Ψ_f for £ belonging to a set of small primes A_s (discussed in

detail below) is hard-coded in software, such as by placing the polynomials in a table. Fig. 4B shows that, for the instant technique, during usage, the modular

polynomials Ψ_e mod/? for the £ in A_s are obtained by retrieving the modular

polynomials Ψ_f from the table and by reducing the retrieved polynomials modulo p,

whereas the Ψ_e mod/? for £ not in A_s are obtained dynamically, where/? is a large

prime number, after which an appropriate curve is found. The performance of Morain' s technique during usage will now be compared with the performance of the instant technique during usage. Using Morain' s technique, even when a device is not performing cryptographic computing, it must keep the TABLE in memory, which consumes about 300 KB (kilobytes), for a particular security level. For the same security level, using the instant technique, when a device is not performing cryptographic

computing, only executable software, including the modular polynomials Ψ,

corresponding to the small primes £, is kept in memory and consumes about 40 KB.

Using Morain' s technique, when a device is performing cryptographic calculations, it requires about 300 KB for the TABLE and 40 KB for the executable cryptographic code, for a total requirement of 340 KB. Using the instant technique, when a device is performing cryptographic calculations, it requires about 100 KB

for the dynamically calculated Ψ, and 40 KB for the executable cryptographic code,

for a total requirement of about 140 KB. It is observed that since the Ψ_e are not

calculated in characteristic 0 during the dynamic calculation of the instant

technique, only the Ψ, mod/? are calculated, less memory is required than for

Morain' s technique, which calculates the ¥_t in characteristic 0.

Thus, it can be seen that the present technique requires dramatically less memory in a device than Morain' s technique. Reduced memory requirements make it practical to use a cheaper device, which in turn makes cryptographic protection according to the present technique available to a wider range of applications. Referring to Figs. 5A-5C, the instant technique for obtaining a suitable elliptic curve E will now be described. The steps depicted in Figs. 5A-5C are assumed to be performed by a general purpose computer programmed in accordance with the instant technique, but may alternatively be performed by a specially designed circuit. Let E be an elliptic curve defined using predetermined integers a^ εiβ as follows:

When a large odd prime ? does not divide (4a₄ ³ + 27 a^), the elliptic curve E can be reduced to an elliptic curve over the field F_p. Let #E(F_P) be the number of points of E over F_p, given as #E(F_P) =/? + 1 - 1 where t is an integer which satisfies -2 p^{0 5} < t < 2 p⁰⁵

The instant technique finds t modulo several small auxiliary primes. When the product of the auxiliary primes exceeds 4 p° ⁵, the Chinese Remainder Theorem is used to recover the exact value of t, and hence the exact value of #E(F_P). At step 110 of Fig. 5 A, a prime number/? having about 200 bits, hence a

value around 2²⁰⁰, is chosen. At step 120, it is determined whether/? ≡ 3 mod 4; if

not, then the procedure returns to step 110 and selects a different prime number/?. The instant technique proceeds with a predetermined number of candidate curves, such as 70 candidates, in parallel. For a randomly chosen elliptic curve E

over F_p, the probability that #E(F_P) = x r for a positive integer x ≤ 30 and a prime

number r is about 3%, so approximately 70 curves must be evaluated to find a curve where the group order #E(F_P) has a large prime r which, in turn, ensures that the DL problem is sufficiently difficult. Let the predetermined number of curves be ij Ax; in this example iMA = 70. At step 130, a suitable curve E; is found for i = 1, ... , ii_vi_AX> and the following quantities dependent on E, are also found: j{E_\), a_s, b_s, c_s, and d_s. Fig. 6 is a flowchart depicting a procedure for finding a suitable candidate elliptic curve E. At step 600, values for the coefficients a₄ and a₆ are randomly selected in F_p. At step 610, it is checked whether the prime number/? divides (4 a₄ ³ + 27 a^²). If so, then E is not an elliptic curve when reduced modulo /? and the procedure returns to step 600 to select new coefficients. If not, the procedure continues to step 620. At step 620, the /^'-invariant j(E) is found: ytE) ⁼ 6912 a₄ ³ / (4 a₄ ³ + 27 a₆ ²) e F_p

At step 640, it is checked whether the /^'-invariant is 0 or 1728. If so, then the procedure returns to step 600 to select new coefficients. If not, the procedure continues to step 650. At step 650, a random point Q on E is selected, and at step 660, it is checked

whether (p + l) ® Q = 0, that is, whether ( ? + 1) annihilates the point Q. If so, then

E is probably supersingular and it is best to return to step 600 and select new coefficients. If not, then E is definitely not supersingular and the procedure

continues to step 670. If (/? + 1) <S> Q = 0, then steps 650 and 660 may be repeated

for another randomly chosen point Q, to decrease the likelihood of rejecting a curve that is not supersingular. At step 670, values are initialized for the Chinese Remainder count of the trace t. The modulus M for E with respect to known t is set to 1. The value T such that t ≡ T mod M is set to 0.

At step 690, expressions modulo/? are found for the polynomials sk X),

b_s(N), c_s{X) and d_s(-Y) for s < R as follows, where the upper bound R=l 1 is large

enough for the set of candidate auxilary prime numbers £ used here. Fig. 10 is a detailed flowchart for the processing that occurs at step 690 of Fig. 6. At step 1010 of Fig. 10, the following terms are initialized: w(X) = N³ + a₄N+ a₆

ff(X) = 1

f₂(X) = 2

fs(X) = 3 X + 6 a₄N + 12 a_fiN- a₄ ²

f₄(X) = 4 N + 20 a₄N + 80 a_gN³ - 20 a^ N² - 16 a₄ a₆N- 4 a₄ ³ - 32

At step 1020, polynomials are determined for s = 2 as follows:

b₂{X) = A w(X)

c₂(X) =f₄(X) I A

d₂{X) = 8 w(X)²

At step 1030, a counter n is set to a value of 5. At step 1040, it is checked whether n is even. If the result of the check at step 1040 is that n is even, then at step 1050, m is

set to n/2. At step 1060, the expression/ is set

12_? and

processing proceeds to step 1110. If the result of the check at step 1040 is that n is odd, then at step 1070, m is set to (n - l)/2. At step 1080, it is checked whether m is even. If m is even, then at step

1090, /_n is set to w²/_m+2/_m ³ -f_{m .}. /_{m + j} ³ _> and processing proceeds to step 1110. If

m is odd, then at step 1100, ^ is set -θf_m+2fm - w² f_{m . l}f_{m +} ,³ , and processing

proceeds to step 1110. At step 1110, the counter n is incremented. At step 1120, it is checked whether n = R + 3. If not, then processing returns to step 1040. If the result of the check at step 1120 is positive, then at step 1130, s is set to 3. At step 1140, it will be appreciated that s is odd and in the range 2 < s < R. Polynomials are evaluated as follows:

as(A) =Xf_s{X)² - w(X)f_s._l{X)f_s+l(X) b_s{X) =MX)²

c_s =f_s+2{X)f_s._l{X)² -f_s.₂{X)f_s+l{X)² d_s(N) = 4/_s(N)³ The polynomials a_s(N), b_s(X), c_s(X) and d_s(X) are stored, for retrieval at step 920,

discussed below. At step 1150- s is incremented by 2, that is, to be the next odd number. At step 1160, it is checked whether s > R. If so, then processing terminates. If not, then processing returns to step 1140. Returning to Fig. 6, at step 695, the procedure is completed and a suitable E has been found. It will be appreciated that the procedure of Fig. 6 is repeated to obtain each of the candidate curves E. Returning to Fig. 5 A, at step 160, a temporary value g is initialized to "1". At step 170, the temporary value g is used as an index into the set A of auxiliary primes {A[l], A[2], ..., A[36]}: A = {3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 41, 47, 59, 71, 53, 61, 79, 83, 89, 101, 73, 131, 103, 107, 109, 97, 113, 151, 167, 127, 179, 139, 191, 149, 137, 173} At this point, g = 1 , so the first of the auxiliary primes is obtained and used as the

value for a candidate auxiliary prime £. After the first execution of step 170, £ = 3.

At step 200, the modular polynomial ^x¥_/ for the auxiliary prime £ currently

being evaluated is obtained. If £ is one of the first eight of the auxiliary primes, then

Ψ^ is obtained by look up in Table 1.

TABLE 1

auxiliary modular polynomial ψ (F, J) prime £

19 ⁷²⁰+ (- J + 664) F¹⁹ + (76J + 143260) F¹⁸

+ (- 2622J + 9204360) F¹⁷ + (54454J - 176115066) F¹⁶

+ (- 761425J + 1108178952) F¹⁵ + (7598556J - 1742337316) F 14

+ (- 55989713J - 13420942600) F¹³

+ (310967414J + 7967345585) F¹²

+ (- 1317638334J - 133492721376) F¹¹

+ (4284347658J - 271425795648) F¹⁰

+ (- 10696404825J + 1738318231104) F⁹

+ (20413753140J - 3257912161280) F⁸

+ (- 29485216120J + 528231178240) F⁷

+ (31694225470J + 10718241992704) F⁶

+ (- 24698209440J - 26958821326848) F⁵

+ (13397395220J + 36334713176064) F⁴

+ (-4738229120J - 31060143636480) F³

+ (973578240J + 16944463872000) F²

+ (- 91238400J - 5430382166016) F

+ (J² + 1769472J + 782757789696)

23 F²⁴ + (- J + 720) F²³ + (23J + 179952) F²² + (- 161J + 17282016) F²¹ + 441081120F^; 20

3864J + 5678198784) F :1^ι9^y + (- 5681J + 45492865088) F 18 .46644J + 252605710080) F¹⁷ 53084J + 1038071734272) F¹⁶ 393024J + 3294356631552) F¹⁵ 19136J + 8309302456320) F¹⁴

- 1978368J+ 16991995871232) F¹³

- 2689666J + 28563290271744) F 1^"2 2882544J + 39839110889472) F¹¹ 11625488J+ 46370418130944) F 10 11002464J + 45154515419136) F⁹

- 3833824J + 36762400456704) F⁸

- 19783680J + 24919460020224) F⁷ - 21906304J + 13946021740544) F⁶

11787776J + 6353857806336) F⁵ -1554432J - 2304837156864) F⁴ 2213888J + 642483486720) F³ 1648640J + 129654325248) F² 516096J+ 16911433728) F J² + 65536J+ 1073741824)

If £ is one of the remaining auxiliary primes, i.e., not one of the first eight auxiliary primes, then Ψ_/ mod/? is obtained by computation, as described in Fig. 7.

At step 710, the value of a polynomial P_/is obtained by look-up from Table

2. Let v be the degree of P^ that is, -1 times the smallest exponent occurring in J.

The first column of Table 2 indicates the particular prime number £ under consideration. The second column of Table 2 indicates the number of coefficients

in F_p which must be stored in connection with the polynomial P _e (J), which is given in the third column of Table 2.

TABLE 2

At step 720, the coefficients ak e F are obtained. Fig. 11 is a flowchart for

obtaining the coefficients a_k. At step 1210 of Fig. 11, the truncated power series X is obtained by

considering modulo £ the power series

2£v-v P, <j( ) V (Φ W (<f) ≡ ∑a_kq^k + 0(q^(2v+1>^) (mod £) k=-v

and dropping all powers of q with an exponent of at least 2£v - v + 1.

At step 1220, k is set to -v.

At step 1230, the coefficients a^ (which are not to be confused with the

polynomials a_s)

are obtained by multiplying the terms on the left hand side modulo £ and reading off

the resulting coefficients. The polynomial P_e was obtained in step 710. The term

j(q) is obtained from:

j(q) = 1728E ₄(- )3/(E₄(- )3 - E₆( )2)

= cr^{1 +} 744 + 196884tj + 21493760#² + ... For any integer n, let the function σ_k(«) denote the sum of the &th powers of the

positive divisors of n. The ^-series used in the above equation are given as:

E q) 1 + 240 ∑ σι(n)q" π=\

1 + 240 q + 2160 q² + 6720 q³ +

E₆(q) = 1 - 504 ∑ o₅ )q"

1-504 q - 166532 q² - 122976 </³ ■

The term η (q) is obtained from

η (q⁾ = FI ⁽i - eO

«=1

V (.1)^(3 ^2 + ^/2

A: =-oo

= 1 - q - q² + q⁵ + ...

Although the ^-series for E₄{q ), E₆{q),j(q) and η (q) do not depend on £, their

coefficients increase quickly and are only needed modulo £ or modulo/?. Therefore,

it is advantageous to compute them each time they are needed, rather than storing

them. In a variation, only l/η (q) modulo/? is computed and stored, since it is used

for each auxiliary prime £ .

At step 1240, it is checked whether k = 2£ v-v. If yes, then processing in

Fig. 11 terminates. If not, then at step 1250, k is incremented and processing returns to step 1230. Returning to Fig. 7, at step 730, the coefficients b_k (which are not to be confused with the polynomials b_s) are obtained. For each k between -v and 2£v-v,

the coefficient b is the least absolute remainder of a_k modulo £, that is, the integer

with the smallest possible absolute value that reduces to a modulo £.

At step 740, the q-series for /is obtained:

Λq⁾ l{η{q)η q^e)) modulo/?

At step 750, the q-expansions of// 2 , ...,/ si a . re obtained and used to define a(n,k):

(f(q))^k = ∑ ι{n,k) qⁿ n

At step 760, the terms S_k(q), for 1 < k < / are obtained. For each 1 < k < /, let

At step 765, the terms C_k(q), for 1 < k < / are obtained. For each 1 < k < /, let

Ck q) k-_r (q)^sr(q) Ik

At step 770, the initial and final terms of C(q) are set:

C_{/ +} ιfø) = -f c/£7)

At step 775, the terms C_k(#) for each 2 < k < £ are obtained:

Ckfø) = -fc_{k -} ιfø) + Ck(-7).

At step 780, the polynomials Gk for 1 < k < £ + 1 are obtained. For each 1 <

k < £ + 1, there is a polynomial Gk such that d {j(q)) ≡ C_\Λq) mod/?. Fig. 8 is a flowchart of a procedure for determining G . At step 810 of Fig. 8, set z = c_k{q). At step 820, set t = order (z), that is, t = - min{«: coef " in z) ≠ 0}

At step 830, set R = 0 and b = t. The value R is used to accumulate G - The value b is decremented so as to accumulate G_k terms for each power of z. At step 840, set R = R + J^b coeff(q^"b in z). At step 850, set z = z - coeff (q^"b in z) {j(q)) At step 860, determine whether b = 0. If not, then there are additional powers of z to be evaluated, so at step 870, b is decremented and the procedure returns to step 840. If b = 0 then all powers of z have been evaluated, and the procedure returns with G_k = R.

Returning to Fig. 7, at step 790, the modular polynomial Ψ_/ mod/? is

generated based on the polynomials G_k.

Ψ,(F, J) = F^^{+ 1} + ∑ Gi (J) F ^+1_i

;=1 Returning to Fig. 5 A, at step 210, a counter i is set to 1. The counter i is used to index the candidate elliptic curves under evaluation. Of course, other numbers of elliptic curves could be evaluated in parallel, or the elliptic curves could be evaluated serially, corresponding to ijvi_A = 1 •

At step 220, the roots f in the field F_p of the expression Ψ_/(j(Ej), f) = 0 are

obtained. These roots may be obtained using Berlekamp's second algorithm, as described at H. Cohen, A Course in Computational Algebraic Number Theory,

Springer- Verlag, 1993, pages 123-132. Let the set of roots be {f,, ... , f, } where

d_max is the number of distinct roots f. At step 240, for each of the roots fd , d = 1 to d_max (where d_max is from step

220), find all roots j e F_p of Ψ,( , f_d) = 0. These roots may also be obtained

using Berlekamp's second algorithm, as discussed above.

At step 270, any entries equal to 0 or 1728 in the lists of roots j are deleted.

Turning to Fig. 5B, at step 300, for the first of the pairs of roots (f, j ),

values are obtained for the variables α₄ , a₆ and/?ι via the following intermediate

calculations: E₄ = -48α₄ E₆ = 864α₆

4 = Q² - 1728

E ,Q

t\ = + /^'2Ψ₂₂(/,y))

t₂

+ 7²Ψ₂₂(/,

F F t₃ = ^{6 4}

3E₄ 2E₆

'2 +' h

Pι=£

a =-£⁴E,/A8

a₆ = TEN864

The values for all intermediate values may be discarded, that is, only the values for

a ₄ , a₆ and pi are retained.

At step 310, the kernel polynomial (X) of degree d=(£- 1 )/2 is determined

based on the values for ₄ , d₆ and pi obtained at step 300. Figure 12 is a flowchart

for the processing that occurs at step 310 of Fig.5B. At step 1310 of Fig.12, the following values are set: Po = d

p₂ = ((l-10d)a₄- a₄)l 30

p₃ = ((l-28 )a₆-42p₁a₄-α₆)/70

c, = 6p₂ + 2a₄

c₂ = 10p₃ + 6a₄p_j + 4 a₆ d

At step 1320, a small positive integer S is selected that determines the number of extra terms which will be carried, such as S = 3.

At step 1330, for each 2 < r < d - 1 + S, the term c + \ is obtained as

follows:

³∑ -ι ^cn^cr-n ^~ (^{2r ~} (^{r ~} lK< -i - (2r - 2)(r - 2)a₆c_r _₂ c_r+ι = "^-1 ^{r l} (r-1) (2r + 5) At step 1340, for each 3 < n < d- \ + S, the term _{w +} is obtained as

follows:

Pn + 1 ⁼ -; (^c«- (4«-2) ∑u p„-ι - {An -A) aφ_n.₂)

An + 2 These p ₊ . terms are power sums of the roots of h(-¥).

At step 1350, s_Q is set to be 1.

At step 1360, for 1 < i < d + S, the term SJ is obtained as follows:

Returning to Fig. 5B, at step 330, the procedure checks whether the result obtained at step 310 is valid. Specifically, a check is made as to whether s ₊ \ = Sd+ ₂ = ... = S_d+ s = for the terms obtained at step 1360 of Fig. 12. If the result of the check at step 330 of Fig. 5B fails, that is, it is not the case that S_{d+ 1} = ₊i = ••• ⁼ Sr_f+ s = 0, then, at step 340, the procedure determines whether

there are any untried root pairs (f, j ). If so, then at step 350, the next of the pairs

(f, j ) is selected, and the procedure returns to step 300. If all root pairs (f, /^' ) have

been tried, then the elliptic curve Ej being evaluated is not acceptable, and the procedure moves to step 400. If the result of the check at step 330 is successful, that is, it is the case that s^ ₊ ι = Sr_{f + 2} ⁼ _"- ⁼ Sr_{f +}s = 0, then the procedure moves to step 360, and obtains the kernel polynomial h{X) as follows:

h(N) = ∑(-l) ' s, X^rf- '

At step 370, the eigenvalue e based on the kernel polynomial {X) is obtained. Fig. 9 is a flowchart illustrating a procedure for finding the eigenvalue e. At step 905, {X) is factored modulo £ using Berlekamp's algorithm. At step 910, one of the factors of h{X) is henceforth used instead of h{X). In one embodiment, a factor of smallest degree is selected. In other embodiments, any factor of suitably small degree is selected.

At step 915, the value of is used to obtain a value for s, by lookup in Table

3.

TABLE 3

At step 920, the polynomials as(N), b_s{X), c_s{X), d_s{X) corresponding to the elliptic curve under consideration, as found in step 690, are retrieved. At step 925, the degree of h{X) is obtained. If the result is even, the next step is step 930. If the result is odd, the next step is step 960. At step 930, parameters are initialized as follows: Qι(N) = X^p mod h( ) Q₂{X) = (N³ + a₄N+ a₆ )^(p-^1)/2 mod h(N) ?ι{X) = Nmod h(N) P₂(N) = 1 e = 1

At step 935, a check is made as to whether (Pι(N), P₂(N)) = (Qι(N), ±

If the check at step 935 is negative, then at step 940, the parameters are simultaneously updated as follows, that is, the new Pι{X) and ?₂ X) are each based on the previous P ι (N) :

p- = Orø⁾ _{mod h(X)}

P₂(N) = P₂(N) ^Cf ' ^{( ))} mod h(N) (P, (N))

e - e s mod f Step 940 is repeated, at most ( £ - 1 )/2 times, until the condition (P 1 {X), P₂( ))

(Qι(N), ±Q2(N)) is true. When the condition is true, the desired eigenvalue e has been found. At step 945, a check is made as to whether ¥ {X) = Qι{X)- If so, then at step 950, the desired eigenvalue is e. Otherwise, at step 955, the desired eigenvalue is determined as -e. The desired eigenvalue is then used at step 380 of Fig. 5B. At step 960 of Fig. 9, parameters are initialized as follows: Q N) = J^ mod h N) Pι(N) - (Nmod h(N)) e - 1 At step 965, a check is made as to whether Pι(N) = Q_\{X). If the check at step 965 is negative, then step 970, the parameters are updated as follows: ! _?]{χ₎ = ^astP (X)) _{mod h(χ)}

2

3 e = e s mod £

A

5 Step 970 is repeated, at most ( £ -l)/2 times, until the condition Pj(X) = Q_X{X)

6 is true. When the condition is true, the desired eigenvalue e has been found.

7 At step 975, the desired eigenvalue is e^s(e) (τl£) e, where r is the resultant of

8 {X) and w(N) = (Λ³ + a N+ a ) and s(e) is the semi-order of e modulo £ , that is,

9 the smallest positive n such that eⁿ ≡ ±1 (modulo £). A resultant is defined in

0 Cohen, page 118, definition 3.3.2, and may be computed using Cohen, page 121, 1 algorithm 3.3.7.

2 Returning to Fig. 5B, at step 380, the value t = e + (pie) modulo £ is

3 obtained. An extended Euclidean algorithm procedure for finding t is given in 4 Cohen, pages 12-19, particularly page 16, algorithm 1.3.6.

5 At step 390, with x ≡ Tj mod Mj and x ≡ t mod £, use the Chinese Remainder

6 Theorem to find x -≡ F mod £ Mj. The Chinese Remainder Theorem is described in

7 Cohen, pages 19-21. 8 The value F is chosen to have a minimum absolute value by subtracting £ Mj from 9 the least non-negative remainder modulo £ Mj if the least non-negative remainder is 0 larger than £ Mj/2. 1 At step 395, values are reset as follows: Tj is set to be F, and Mj is set to be 2 £ Mj. This completes evaluation of the current elliptic curve Ej. 3 Turning to Fig. 5C, at step 400, it is checked whether there are any more 4 elliptic curves to be evaluated. If so, then at step 410, the counter i is incremented, thereby selecting the next elliptic curve, and the procedure returns to step 220. If, at step 400, it is determined that there are no more elliptic curves to evaluate, then at step 420 it is checked whether there are any more candidate auxiliary primes to be evaluated. If so, then at step 430, the counter g is incremented, thereby selecting the next candidate auxiliary prime, and the procedure returns to step 170. If, at step 420, it is determined that there are no more candidate auxiliary primes to evaluate, then at step 440, a counter i is initialized. Once again, the counter i is used to indicate which of the possible elliptic curves is being considered. At step 450, it is checked whether Mj > 4 p° ⁵, that is, whether the bound for Mj has been reached. If not, then at step 460, it is checked whether i = -_MAX, that is, whether there are any more elliptic curves. If there are, then at step 470, i is incremented and the procedure returns to step 450. If not, then all candidate elliptic curves for the originally chosen prime number/? have failed to yield an acceptable elliptic curve, so the procedure returns to step 110 to pick a new prime number/?. If, at step 450, it is determined that Mj > 4 p° ⁵, then at step 480, the value g

is set to p + 1 - Tj, and at step 490, the largest x ≤ 32 such that x divides g is found.

This largest x is referred to as the cofactor β. The value 32 is equal to 2⁵, with the value 5 being a second security parameter. There are two main security parameters in the instant procedure. The first security parameter is embodied in step 110, and is the length in bits of the prime number ?. The second security parameter is embodied in step 490, and is the logarithm to the base 2 of the largest small factor, rounded up to the nearest power of two, which divides g. This second security parameter is referred to as the maximum allowable length of the cofactor β. The difference between the two

security parameters, in this case, 200 - 5 = 195, is a measure of the security of an elliptic curve chosen by the instant procedure, with a larger difference value indicating higher security. At step 500, it is determined whether g/x is prime, such as by using a probabilistic compositeness test wherein if g/x can be proved to be composite, then g/x is not prime, and if the proof of compositeness for g/x fails, then g/x is assumed to be prime. A probabilistic compositeness test is described in A.K. Lenstra and H.W. Lenstra, Jr., "Algorithms in Number Theory" in Handbook of Theoretical Computer Science, J. van Leeuwen ed., pages 675-677 and 706-715, Elsevier Science 1990, the disclosure of which is hereby incorporated by reference. If the quotient g/x is not prime, then the procedure moves to step 460 to check the next elliptic curve. If the quotient g/x is prime, then the procedures moves to step 505 to check if the present elliptic curve is insecure, that is, if g/x divides p^k-l for a positive

integer k that is "too small" so that a sub-exponential attack on F _k would be faster

than a square-root attack on E(F_P), which corresponds to exp ((1.923 + o(l))(k log (p)) ^m (log (k log (p)))^{2 3})<p ^m If it is determined at step 505 that the present elliptic curve is insecure, then the procedure moves to step 460 to check the next elliptic curve. If the present elliptic curve is determined to be secure at step 505, then an acceptable elliptic curve Εj has been found, and the procedure is finished. In a modification, after step 500, if the quotient g/x is prime, rather than immediately terminating at step 510, the modified procedure collects the prime quotients for all the elliptic curves being evaluated, then chooses the curve with the largest quotient g/x, because that curve will be the most secure.

In another modification, instead of step 200 in Fig. 5 A, the Ψ_/ can be found by table look-up, as is done by Morain (see page 264 Remarque), with the calculations in Fig. 7 done in characteristic 0, rather than modulo p, and at step 370 as soon

is sufficiently small, g may be found using a baby step-giant step approach, described in Cohen at pages 235-238, or rho-like methods, described in Cohen at pages 419-422 In another modification, the technique of calculating the modular

polynomials ₍ mod/? is combined with Morain' s method of the isogeny cycles to

allow the calculation to be carried out using fewer auxiliary primes. An example of practicing the present technique will now be provided. At step 110 of Fig. 5 A, a prime is selected. For this example, a very short prime number, p = 9883, is chosen. It will be understood that, in practice, a much longer (larger) prime number is required for sufficient security.

At step 120, it is determined that 9883 = (4)(2470) + 3, so that p ≡3 (mod 4)

is true. At step 130, for this example, i_max = 1 is chosen. In practice, a larger value would be used. To find an elliptic curve Ei, at step 600 of Fig. 6, the values a₄ - 123 and a₆ = 765 are chosen. At step 610, the expression

4(123)³ + 27(765)² _ 23244543

9883 9883 is evaluated and determined to not be an integer. At step 620, j(E) is obtained: 6912 (123)³ ₌ 476381952

4 (123)³ + 27 (765)² 860909

At step 640, neither of the conditions are true. At step 650, a value Q = (235, 2241) is selected; this is a point on E. At step 660, the following calculation is made:

(9883 + 1) ® (235, 2241) = (1057, 6231) ≠ 0

At step 670, M=l, T=0 and t=0 mod 1. To perform step 690 of Fig. 6, processing moves to step 1010 of Fig. 10. At step 1010 of Fig. 10, the following terms are set: w{X) =X³ + l23X+ 165

fι(N) = l f₂(X) = 2 f₃(-Y) = 3J^ + 738N² + 9180a₆N+ 4637 {X) = AX⁶ + 2460N⁴ + 1902N³ + 3793N² + 6579N+ 9399 At step 1020, the following expressions are obtained: a₂(X) = X⁴ + 9637N² + 3763N+ 5246 b₂(N) = 4X³ + 492N+ 3060 c₂{X) -N⁵ + 615.X⁴ + 5417N³ + 3419N² + 9057N+ 9762 d₂{X) = SX⁶ + 1968N¹ + 2351X³ + 2436N² + 3304N+ 7141 Processing proceeds through steps 1030 and 1040. At step 1070, m = (5-l)/2 = 2 is obtained. Via step 1080, processing goes to step 1090 and generates the following expression: f_s(X) = 5X¹² + 7626N¹⁰ + 4093N⁹ + 2618N⁸ + 145N⁷ + 4117N°+ 2635N⁵ + 2327N⁴ + 2640N⁵ + 9386N² + 3207N + 6568 At step 1110, n is incremented to n = 6. At step 1120, it is checked whether 6 = 10 + 3; since it is not, processing returns to step 1040, thence to step 1050 to set m = 6/2 = 3, and then to step 1060 to obtain: f₆{X) = 6N¹⁶ + 7829N¹⁴ + 328N¹³ + 5633N¹² + 2016N¹⁰ + 1819^⁹ + 391N⁸ + 8771N⁷ + 1126-Y⁶ + 7115N⁵ + 5246N⁴ + AAIAX³ + 8147N² + 7098N+ 432 At step 1110, n is incremented to n = 7. Details of iterations until n is incremented to n = 13 are omitted for brevity. At step 1130, s is set to s = 3. At step 1140, the following expressions are obtained: a₃(N) - -Y⁹ + 8407N⁷ + 5624N⁵ + 9135N⁵ + 4927N⁴ + 7552-Y³

+ 3567N² + 1736N+ 9178 b₃(N) = 9N⁸ + 4428N⁵ + 5665N⁵ + 9135N⁴ + 87 ³ + 5235N²

+ 3158N+ 6244 c₃(N) = 4N¹² + 941N¹⁰ + 1156N⁹ + 6573-¥⁸ + 8607N⁷ + 7575-X⁶

+ 9293N⁵ + 8824-Y⁴ + 443 IN³ + 7342N² + 6765N+

9442 d₃(X) = 108X¹² + 640N¹⁰ + 3140-Y⁹ + 5958N⁸ + 3132N⁷ +

3565-X⁶ + 4774N⁵ + 6714N⁴ + 46 IN³ + 3319N² + 2006N+

4718. At step 1150, s is incremented by 2 to s = 5. Details of iterations until s is incremented to s = 11 are omitted for brevity. At step 1170, processing returns to step 695 of Fig. 6. At step 695 of Fig. 6, processing returns to step 160 of Fig. 5 A.

At step 160 of Fig. 5A, g is set to g = 1. At step 170, £ is set to £ = 3. At step 200, the modular polynomial Ψ₃ is obtained from Table 1. At step 210, i is set

to i = 1. At step 220, the roots of the following expression are found: 0 = F⁴ + 9420F³ + 8209F² + 5805F + 7290. Specifically, there is only one root in F₉₈₈₃ = F_P, f = 370. At step 240, the roots of the following expresion are found:

0 = J² + 9380 J + 5008.

Specifically, the roots of j e F₉₈₈₃ are 1255 and 9131. At step 270, neither of the

roots of 7 are deleted. At step 300 of Fig. 5B, the pair (f, j ) = (370, 9131) is

selected. To calculate α , d and pi, processing as described above with regard to

Fig. 5B, step 300, is executed, to obtain: E₄ = 3979 E₆ = 8682

f - 446

Q = 8595

E₄ = 5314

E₆ = 4487

t₂ = 1442 t₃ = 2879 t₄ = 1657 p, = 1563

24 = 2151

₆= 1624 To execute step 310 of Fig. 5B, processing proceeds to step 1310 of Fig. 12. At step 1310 of Fig. 12, the following values are set:

po = l p₂ = 1868 p₃ = 4199

c₂ = 2701 At step 1320, S is set to S = 3. At step 1330, the following are set: c₃ = 3867 c₄ = 6078 At step 1340, the value p₄ = 725 is set. At step 1350, s₀ = 1. At step 1360, the following are obtained:

s₂ = 0 s₃ = 0 s₄ = 0 Processing returns to step 330 of Fig. 5B. At step 330 of Fig. 5B, since s₂ = s₃ = s₄ = 0, processing proceeds to step 360. At step 360, the kernel polynomial is found to be: h(N) =N+ 8320 To find the eigenvalue e at step 370, processing proceeds to step 905 of Fig. 9. At step 905, it is determined that the polynomial h(N) is irreducible, that is, it lacks polynomial factors of smaller degree other than constant multiples of itself and 1. After step 910, h{X) = X + 8320 is obtained. At step 915 , by table look-up, s = 2 is obtained. At step 920, the values for a₂, b, c₂ and d₂ from step 1020 are recalled. At step 925, the degree of h{X) is found to be "1", so at step 960, the following values are set: Q.(N)=1563 Pi (A) =1563 e=l At step 965, Pι(N) = Qi {X) is true, so at step 975, e = 1 is obtained and processing returns to step 380 of Fig.5B. At step 380 of Fig.5B, t is calculated as t = 2. At step 390, F = -1. At step 395,T.=-landM, =3. Continuing to step 400 of Fig.5C, since i = i_max is true, at step 420, g has a

value of 2, so the check finds that 2 ≠ 36 and the result is negative. It is noted that, in a practical example, i_maχ = 70 is realistic, and so processing would iterate through step 410 im_ax - 1 = 69 times before proceeding to step 420. This is not shown for brevity. Similarly, after the negative result at step 420, processing iterates through

step 430 for £ = 5, 7, 11, 13, 17, 19 and 23, in similar manner as described above.

Step 380 is executed for £ = 13 and £ = 23. On the next iteration through step 430,

processing proceeds to step 170 of Fig.5 A and £ is set to £ - 29. To execute step

200, processing proceeds to step 710 of Fig.7. At step 710 of Fig.7, the polynomial P₂₉ (J) = J+ 11 is obtained by table

look-up, and the degree v has a value of 1. To execute step 720, processing

proceeds to step 1210 of Fig.11. At step 1210 of Fig.11, the truncated power seriesNis obtained as: Λ_ — q„-l+q. + , q -q 6-2q 7-2q.10 + , q 11 - τ2q„15+, q 19 - o2q _^22+ , o2q ,,28 j +- q _r,²⁹ j +.2 n „q³⁰ - O2 q ^^{3 l} j +. 2 o q -.34 + , 2 o q 40 + , q 41 - T2 q „42 + , 2 o q 48 - q „55

At step 1220, k is set to k = -1. At step 1230, a_ι is set to the coefficient of q^" ' in the truncated power series X, that is a.] = 1. At step 1240, it is checked whether

(-1) = (2) (29) (1) -1 ; since (-1) ≠ 57, processing proceeds to step 1250 to increment k to k = 0 and return to step 1230. Processing iterates as described above until all the coefficients aj are determined as follows, all ai = 0 for i = -1 to 57, except: a_ι = 1, a] = 1, a₅ = 1, a6 = -1, a₇ = -2, aio =-2, an == 1, a₁₅ = -2, a₁₉= 1, a₂₂ = -2, a₂₈ = 2, a₂₉ = 1, a₃₀ = 2, a₃ι = -2, a₃₄ = 2, a ₀ = 2, a ι = l, a₄₂ = -2, a ₈ = 2, a₅₅ = -l When k = 57, the test at step 1240 is positive, so processing returns to step 730 of Fig. 7. At step 730 of Fig. 7, the coefficients b_k are obtained as follows, all bk = 0 for k = -1 to 57 except: b.i = 1, bj = 1, b₅ = 1, b₆ = -1, b₇ = -2, bio = -2, bn = 1, bι₅ = -2, b_]9 = 1, b₂₂ = -2, b₂₈ = 2, b₂₉ = 1, b₃₀ = 2, b₃ι = -2, b₃₄ = 2, b₄₀ = 2, b₄ι = l, b₄₂ = -2, b₄₈ = 2, b₅₅ = -1 At step 740, the q-series for f is obtained as: f(q) = q^"1 + 1 + 3q + 4q² + 7q³ + 10q⁴ + 17q⁵ + 22q⁶ + 32q⁷ + 44q⁸ + 62q⁹ + 80q¹⁰ + 112q^π + 144q¹² + 193q¹³ + 248q¹⁴ + 323q¹⁵ + 410q¹⁶ + 530q¹⁷ + 664q¹⁸ + 845q¹⁹ + 1054q²⁰ + 1324q²¹ + 1634q ,^:22

+2037q²³ + 2498q²⁴ + 3082q²⁵ + 3760q²⁶ + 4601q²⁷ + 5580q ,28

+ 6789q²⁹ + 8186q³⁰ + 8q³¹ + 1993q³² + 4388q³³ + 7169q³⁴ + 627q ,35 + 4494q³⁶ + 9110q³⁷ + 4575q³⁸ + 1025q³⁹ + 8356q⁴⁰ + 7125q⁴¹ + 7218q⁴² + 9059q⁴³ + 2813q⁴⁴ + 8730q⁴⁵ + 7152q⁴⁶ + 8581q⁴⁷ + 3277q⁴⁸ + 1895q⁴⁹ + 4675q⁵⁰ + 2655q⁵¹ + 6093q⁵² + 6263q⁵³ + 3636q⁵⁴ + 9551q⁵⁵ + 4936q⁵⁶ + 141 lq⁵⁷ At step 750, the power series expansions off², f³, ..., f²⁹ are obtained using the q- series expression for f, above. At step 760, the terms S_k (q) are obtained, for example, sι₆ (q) = 8565 + 457q. At step 765, the terms Ck (q) are obtained, for example, en (q) = 5327 + 89q. At step 770, the following terms are set: Ci (q) = 9882q^"' + 9853 + 776q C₃₀ (q) = q^"2 + 8238q^'1 + 5381 At step 775, the terms C_k (q) are obtained, for example, C₂ (q) = 29 q^'1 + 9452. To execute step 780, processing proceeds to step 810 of Fig. 8. For brevity, instead of discussing how to obtain all polynomials Gk, only the polynomial G₃ will be discussed. At step 810 of Fig. 8, z is set to z = C₃ (q) = 9564 q^"1 + 8420. At step 820, t is set to t = 1. At step 830, R = 0, b = 1. At step 840, R = 9564J. At step 850, z = 8564. At step 860, since b ≠ 0, processing proceeds to step

870 where b is decremented to b = 0, and then returns to step 840. In the second iteration of step 840, R = 9564J + 8564. At step 850, z = 0. At step 860, b = 0, so at step 880, G₃ is set to G₃ = 9564J + 8564, and processing returns to step 790 of Fig. 7. At step 790 of Fig. 7, the modular polynomial Ψ ₉ is computed as:

Ψ₂₉(F,J) = F³⁰ + (9882J + 714) F²⁹ + (29J + 7642) F²⁸ + (9564J + 8564) F²⁷ + (1421 J + 9576) F²⁶ + (580J + 2026) F²⁵ + (2969J + 729) F²⁴

-.23

+ (4264J + 8756) F^J + (1622J + 6533) F 2^Z2¹ + (23U +

3005)F²¹

+ (6003J + 4219) F 20^υ + (7847J + 4570) F 1^ι9^y + (4556J +

8942) F¹⁸

+ (5613J + 8192) F¹⁷ + (2349J + 1640) F¹⁶ + (4436J +

2545) F¹⁵

+ (2625J + 8972) F¹⁴ + (4697J + 861) F¹³ + (6155J + 7530)

F¹²

+ (4605J + 2858) F¹¹ + (2082J + 4883) F¹⁰ + (1815J +

1968) F⁹

+ (6079J + 2675) F⁸ + (118J + 4907) F⁷ + (4424J + 9155)

F⁶

+ (1028J + 3410) F⁵ + (4890J + 730) F⁴ + (3190J + 9362)

F³ + (4727J + 5869) F² + (2267J + 1683) F + (J² + 6750J + 5409) and processing returns to step 210 of Fig. 5 A. At step 210 of Fig. 5 A, i is set to i = 1. The next several iterations are

omitted for brevity. For £ e A_\, processing proceeds through step 380, that is the

auxiliary prime £ provided information, for I being one of 41, 47, 59, 71, 61, 79, 89,

73, 131, 109, 97, 151, 167, 139 and 137. Discussion of this example resumes with step 440 of Fig. 5C. At step 440 of Fig. 5C, i is set to i = 1. At step 450, the value Mi Mi = 150783085059766145035730230806789 is compared with 4(9883)° ⁵ = 397.65. Since Mj is larger, processing proceeds to step 480, at which g is set to g = 9883 + 1 - 62 = 9822. At step 490, x is found to be x = 6. At step 500, the expression 9822/6 = 1637 is determined to be a prime number. At step 505, it is checked whether 1637 divides (9883)^k -1. Since the result is negative, at step 510, Ei is determined to be an acceptable elliptic curve. An example of using an elliptic curve obtained according to the present technique for encryption and decryption will now be discussed. Let P be a point of prime order q on the curve E{a, b} over the finite field Fp

of p elements. Let m be a secret positive integer less than q, m < q, and let G be the

point m ® P on E{a, b}, where <S> denotes scalar multiplication on the curve. The

public key consists of (Fp, E{a, b}, P, q, G) and the private key consists of the

integer m. Encryption and decryption using this public/private key pair may be done as follows. Let M be the message to be encrypted; it is assumed that M is a positive integer smaller than p, the cardinality of Fp, M < p. To encrypt M, choose a random

positive integer k less than q and compute the points k <S> P and k <2> G on the curve

E{a, b}. Let k ® G = (x, y). The encryption of M is (k <8> P, (x * M) mod p). To decrypt an encrypted message consisting of the pair (R, S) encrypted according to the encryption method described above where R is a point on the curve and S is a positive integer smaller than p, S < p, the owner of the private key m

computes m <S> R on the curve E{a, b} using the private key m. Let m <S> R = (U, V). The decrypted message is (S/TJ) mod p. For the example, with p = 9883, let P = (8508, 3003) be a point of order q = 1637 on the curve E{123, 765}: Y² = χ + 123 X + 765 over F₉₈₈₃ = F_p. Let m =

1234 be the private key. It follows that m ® P = 1234 ® (8508, 3003) = (4131,

9630) = G, the public point on the curve corresponding to m. Let M = 1122 be the message to be encrypted. Randomly choose k = 635 and compute k ® P = 635 ® (8508, 3003) = (4071, 578), and k ® G = 635 ® (4131, 9630) =

(5104, 8488). The encryption ofM = 1122 is ((4071, 578), (5104 * 1122) mod 9883) = ((4071, 578), 4431). To decrypt the message (R, S) with R = (4071 , 578) and S = 4431 , compute m ® R = 1234 ® (4071, 578) = (5104, 8488) = (U, V) with U = 5104. The

decrypted message is (S/U) mod p = (4431/5104) mod 9883 = 1122. Note that the resulting decryption is the same as the message M that was encrypted. An example of using an elliptic curve obtained according to the present technique for generation and verification of digital signatures will now be discussed. Let P be a point of prime order q on the curve E{a, b} over the finite field F_p of p elements. Let m be a secret positive integer less than q, m < q, and let G be the

point m ® P on E{a, b}, where ® denotes scalar multiplication on the curve. The

public key consists of (F_p, E{a, b}, P, q, G) and the private key consists of the integer m. Generation of a digital signature may be done as follows. Let d be the value of a cryptographically secure hash function applied to the message to be signed. Choose the hash function to assure 0 < d < q. Pick a random positive integer k, k <

q. Calculate k ® P = (x, y). Calculate r = (x + d) mod q and s = (k - m r) mod q.

The digital signature for the message of hash value d is the pair (r, s). Verification of a digital signature (r, s) for a message of hash value d is as follows.

Calculate s ® P + r ® G = (x', If the integers d and r - x' yield the same

residue when divided by q, the signature is deemed valid. Otherwise, the signature is rejected. For the example, with p = 9883, let P = (8508, 3003) be a point of order q = 1637 on the curve E{123, 765}: Y² = X³ + 123 X + 765 over F₉₈₈₃ = F_p. Let m =

1234 be the private key. It follows that m ® P = 1234 ® (8508, 3003) = (4131, 9630) = G, the public point on the curve corresponding to m. Let the hash value to be signed by d = 876 and let the randomly chosen

integer be it = 101. Then £ ® P = 101 ® (8508, 3003) = (7060, 9514), therefore x =

7060 and r = (7060 + 876) mod 1637 = 1388. Furthermore, s = (101 - 1234 * 1388) mod 1637 = 1248. Therefore, the signature is (1388, 1248). To verify the signature (r, s) = (1388, 1248) for the message with hash value

d, calculate s ® P + r ® G = (7060, 9514), so that x' = 7060. The integers d = 876

and r - x' = -5672 yield the same residue modulo q = 1637, namely, the residue 876. Therefore, the signature is accepted as valid. Although an illustrative embodiment of the present invention, and various modifications thereof, have been described in detail herein with reference to the accompanying drawings, it is to be understood that the invention is not limited to this precise embodiment and the described modifications, and that various changes and further modifications may be effected therein by one skilled in the art without departing from the scope or spirit of the invention as defined in the appended claims.

Claims

What is claimed is:

1. A method of selecting an elliptic curve for a cryptosystem, comprising the steps of: selecting a prime number/? defining a field F_p, selecting a set of candidate elliptic curves E over the field F_p,

finding a set of modular polynomials ╬¿, modulo/? for a list of candidate

auxiliary primes ┬ú by a calculation in characteristic p using a stored polynomial P_f ,

finding the roots modulo p of the modular polynomials ╬¿_<5

generating kernel polynomials h{X) based on the roots of the modular

polynomials ╬¿_e,

finding an eigenvalue e for one of the kernel polynomials h(N), obtaining a value t based on the eigenvalue e and the prime number/?, obtaining the number of points of one of the candidate elliptic curves

over

F_p using the value t to make a determination whether the candidate elliptic curve is sufficiently secure, and selecting the candidate elliptic curve for the cryptosystem when the determination is that the candidate elliptic curve is sufficiently secure.

2. The method of claim 1, wherein the step of finding is performed

without table look-up of the modular polynomials ╬¿_e .

3. The method of claim 1 , wherein, when the determination is that the candidate elliptic curve is insufficiently secure, the step of comparing is repeated for another of the candidate elliptic curves Ej.

4. The method of claim 1 , wherein the list of auxiliary primes is A = {3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 41, 47, 59, 71, 53, 61, 79, 83, 89, 101, 73, 131, 103, 107, 109, 97, 113, 151, 167, 127, 179, 139, 191, 149, 137, 173}.

5. The method of claim 1 , wherein the prime number /? has about 200 bits.

6. The method of claim 1, wherein the number of points of the selected elliptic curve is a product of a second prime number and a cofactor, the cofactor having up to 5 bits.

7. A method of encrypting a message M, comprising the steps of: selecting an elliptic curve ╬ò according to the method of claim 1 ; selecting a point P of prime order q on the selected elliptic curve ╬ò over the field of F_p; selecting a secret positive integer m and a random positive integer k, m < q, k<q;

obtain the points k ┬« P and k ┬« (m ┬« P) = (x, y) on the curve ╬ò; and

obtaining the point (k ┬« P, (x * M) mod p) as the encrypted message.

8. A method of obtaining a digital signature for a message M, comprising the steps of: selecting an elliptic curve E according to the method of claim 1 ; selecting a point P of prime order q on the selected elliptic curve E over the field of F_p; selecting a secret positive integer m and a random positive integer k, m < q, k < q; obtaining a cryptographically secure hash value d between 1 and q - 1 of the message M;

calculating k ┬« P - (x, y); and

obtaining the pair ((x + d) mod q, {k - m (x + d) mod q) as the digital signature.

9. A portable device for encoding information using an elliptic curve cryptosystem, comprising: means for selecting an elliptic curve by finding the roots of modular

polynomials ╬¿_e modulo/? for a list of candidate auxiliary primes ┬ú and a prime

number p by a calculation in characteristic/? using a stored polynomial P^ , and

means for encoding the information using the selected elliptic curve.

10. The device of claim 9, further comprising means for decoding received information using the selected elliptic curve.

11. A portable device for digitally signing information using an elliptic curve cryptosystem, comprising: means for selecting an elliptic curve by finding the roots of modular

polynomials ╬¿_e modulo ? for a list of candidate auxiliary primes ┬ú and a prime

number/? by a calculation in characteristic ? using a stored polynomial P^ , and

means for digitally signing the information using the selected elliptic curve.

12. The device of claim 11, further comprising means for verifying a received digital signature using the selected elliptic curve.