
Elliptic-curve cryptography - Wikipedia

<!DOCTYPE html>
<html class="client-nojs vector-feature-language-in-header-enabled vector-feature-language-in-main-page-header-disabled vector-feature-sticky-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-enabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-enabled skin-theme-clientpref-day vector-toc-available" lang="en" dir="ltr">
<head>
<meta charset="UTF-8">
<title>Elliptic-curve cryptography - Wikipedia</title>
<link rel="canonical" href="https://en.wikipedia.org/wiki/Elliptic-curve_cryptography">
<link rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/deed.en">
</head>
<body class="skin--responsive skin-vector skin-vector-search-vue mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-0 ns-subject mw-editable page-Elliptic-curve_cryptography rootpage-Elliptic-curve_cryptography skin-vector-2022 action-view">
<div class="mw-page-container"> <div class="mw-page-container-inner">
<div class="mw-content-container"> <main id="content" class="mw-body"> <header class="mw-body-header vector-page-titlebar">
<h1 id="firstHeading" class="firstHeading mw-first-heading"><span class="mw-page-title-main">Elliptic-curve cryptography</span></h1>
<div id="p-lang-btn" class="vector-dropdown mw-portlet mw-portlet-lang" > <input type="checkbox" id="p-lang-btn-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-p-lang-btn" class="vector-dropdown-checkbox mw-interlanguage-selector" aria-label="Go to an article in another language. Available in 21 languages" > <label id="p-lang-btn-label" for="p-lang-btn-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--action-progressive mw-portlet-lang-heading-21" aria-hidden="true" ><span class="vector-icon mw-ui-icon-language-progressive mw-ui-icon-wikimedia-language-progressive"></span> <span class="vector-dropdown-label-text">21 languages</span> </label> <div class="vector-dropdown-content"> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li
class="interlanguage-link interwiki-pl mw-list-item"><a href="https://pl.wikipedia.org/wiki/Kryptografia_krzywych_eliptycznych" title="Kryptografia krzywych eliptycznych – Polish" lang="pl" hreflang="pl" data-title="Kryptografia krzywych eliptycznych" data-language-autonym="Polski" data-language-local-name="Polish" class="interlanguage-link-target"><span>Polski</span></a></li><li class="interlanguage-link interwiki-pt mw-list-item"><a href="https://pt.wikipedia.org/wiki/Criptografia_de_curva_el%C3%ADptica" title="Criptografia de curva elíptica – Portuguese" lang="pt" hreflang="pt" data-title="Criptografia de curva elíptica" data-language-autonym="Português" data-language-local-name="Portuguese" class="interlanguage-link-target"><span>Português</span></a></li><li class="interlanguage-link interwiki-ru mw-list-item"><a href="https://ru.wikipedia.org/wiki/%D0%AD%D0%BB%D0%BB%D0%B8%D0%BF%D1%82%D0%B8%D1%87%D0%B5%D1%81%D0%BA%D0%B0%D1%8F_%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D0%BE%D0%B3%D1%80%D0%B0%D1%84%D0%B8%D1%8F" title="Эллиптическая криптография – Russian" lang="ru" hreflang="ru" data-title="Эллиптическая криптография" data-language-autonym="Русский" data-language-local-name="Russian" class="interlanguage-link-target"><span>Русский</span></a></li><li class="interlanguage-link interwiki-sk mw-list-item"><a href="https://sk.wikipedia.org/wiki/Kryptografia_na_b%C3%A1ze_eliptick%C3%BDch_kriviek" title="Kryptografia na báze eliptických kriviek – Slovak" lang="sk" hreflang="sk" data-title="Kryptografia na báze eliptických kriviek" data-language-autonym="Slovenčina" data-language-local-name="Slovak" class="interlanguage-link-target"><span>Slovenčina</span></a></li><li class="interlanguage-link interwiki-fi mw-list-item"><a href="https://fi.wikipedia.org/wiki/Elliptisen_k%C3%A4yr%C3%A4n_salaus" title="Elliptisen käyrän salaus – Finnish" lang="fi" hreflang="fi" data-title="Elliptisen käyrän salaus" data-language-autonym="Suomi" data-language-local-name="Finnish" 
class="interlanguage-link-target"><span>Suomi</span></a></li><li class="interlanguage-link interwiki-tr mw-list-item"><a href="https://tr.wikipedia.org/wiki/Eliptik_e%C4%9Fri_kriptografisi" title="Eliptik eğri kriptografisi – Turkish" lang="tr" hreflang="tr" data-title="Eliptik eğri kriptografisi" data-language-autonym="Türkçe" data-language-local-name="Turkish" class="interlanguage-link-target"><span>Türkçe</span></a></li><li class="interlanguage-link interwiki-uk mw-list-item"><a href="https://uk.wikipedia.org/wiki/%D0%95%D0%BB%D1%96%D0%BF%D1%82%D0%B8%D1%87%D0%BD%D0%B0_%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D0%BE%D0%B3%D1%80%D0%B0%D1%84%D1%96%D1%8F" title="Еліптична криптографія – Ukrainian" lang="uk" hreflang="uk" data-title="Еліптична криптографія" data-language-autonym="Українська" data-language-local-name="Ukrainian" class="interlanguage-link-target"><span>Українська</span></a></li><li class="interlanguage-link interwiki-zh mw-list-item"><a href="https://zh.wikipedia.org/wiki/%E6%A4%AD%E5%9C%86%E6%9B%B2%E7%BA%BF%E5%AF%86%E7%A0%81%E5%AD%A6" title="椭圆曲线密码学 – Chinese" lang="zh" hreflang="zh" data-title="椭圆曲线密码学" data-language-autonym="中文" data-language-local-name="Chinese" class="interlanguage-link-target"><span>中文</span></a></li> </ul> <div class="after-portlet after-portlet-lang"><span class="wb-langlinks-edit wb-langlinks-link"><a href="https://www.wikidata.org/wiki/Special:EntityPage/Q1048911#sitelinks-wikipedia" title="Edit interlanguage links" class="wbc-editpage">Edit links</a></span></div> </div> </div> </div> </header> <div class="vector-page-toolbar"> <div class="vector-page-toolbar-container"> <div id="left-navigation"> <nav aria-label="Namespaces"> <div id="p-associated-pages" class="vector-menu vector-menu-tabs mw-portlet mw-portlet-associated-pages" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-nstab-main" class="selected vector-tab-noicon mw-list-item"><a href="/wiki/Elliptic-curve_cryptography" title="View the 
content page [c]" accesskey="c"><span>Article</span></a></li><li id="ca-talk" class="vector-tab-noicon mw-list-item"><a href="/wiki/Talk:Elliptic-curve_cryptography" rel="discussion" title="Discuss improvements to the content page [t]" accesskey="t"><span>Talk</span></a></li> </ul> </div> </div> <div id="vector-variants-dropdown" class="vector-dropdown emptyPortlet" > <input type="checkbox" id="vector-variants-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-variants-dropdown" class="vector-dropdown-checkbox " aria-label="Change language variant" > <label id="vector-variants-dropdown-label" for="vector-variants-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet" aria-hidden="true" ><span class="vector-dropdown-label-text">English</span> </label> <div class="vector-dropdown-content"> <div id="p-variants" class="vector-menu mw-portlet mw-portlet-variants emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> </div> </div> </nav> </div> <div id="right-navigation" class="vector-collapsible"> <nav aria-label="Views"> <div id="p-views" class="vector-menu vector-menu-tabs mw-portlet mw-portlet-views" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-view" class="selected vector-tab-noicon mw-list-item"><a href="/wiki/Elliptic-curve_cryptography"><span>Read</span></a></li><li id="ca-edit" class="vector-tab-noicon mw-list-item"><a href="/w/index.php?title=Elliptic-curve_cryptography&amp;action=edit" title="Edit this page [e]" accesskey="e"><span>Edit</span></a></li><li id="ca-history" class="vector-tab-noicon mw-list-item"><a href="/w/index.php?title=Elliptic-curve_cryptography&amp;action=history" title="Past revisions of this page [h]" accesskey="h"><span>View history</span></a></li> </ul> </div> </div> </nav> <nav class="vector-page-tools-landmark" 
aria-label="Page tools"> <div id="vector-page-tools-dropdown" class="vector-dropdown vector-page-tools-dropdown" > <input type="checkbox" id="vector-page-tools-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-page-tools-dropdown" class="vector-dropdown-checkbox " aria-label="Tools" > <label id="vector-page-tools-dropdown-label" for="vector-page-tools-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet" aria-hidden="true" ><span class="vector-dropdown-label-text">Tools</span> </label> <div class="vector-dropdown-content"> <div id="vector-page-tools-unpinned-container" class="vector-unpinned-container"> <div id="vector-page-tools" class="vector-page-tools vector-pinnable-element"> <div class="vector-pinnable-header vector-page-tools-pinnable-header vector-pinnable-header-unpinned" data-feature-name="page-tools-pinned" data-pinnable-element-id="vector-page-tools" data-pinned-container-id="vector-page-tools-pinned-container" data-unpinned-container-id="vector-page-tools-unpinned-container" > <div class="vector-pinnable-header-label">Tools</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-page-tools.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-page-tools.unpin">hide</button> </div> <div id="p-cactions" class="vector-menu mw-portlet mw-portlet-cactions emptyPortlet vector-has-collapsible-items" title="More options" > <div class="vector-menu-heading"> Actions </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-more-view" class="selected vector-more-collapsible-item mw-list-item"><a href="/wiki/Elliptic-curve_cryptography"><span>Read</span></a></li><li id="ca-more-edit" class="vector-more-collapsible-item 
mw-list-item"><a href="/w/index.php?title=Elliptic-curve_cryptography&amp;action=edit" title="Edit this page [e]" accesskey="e"><span>Edit</span></a></li><li id="ca-more-history" class="vector-more-collapsible-item mw-list-item"><a href="/w/index.php?title=Elliptic-curve_cryptography&amp;action=history"><span>View history</span></a></li> </ul> </div> </div> <div id="p-tb" class="vector-menu mw-portlet mw-portlet-tb" > <div class="vector-menu-heading"> General </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="t-whatlinkshere" class="mw-list-item"><a href="/wiki/Special:WhatLinksHere/Elliptic-curve_cryptography" title="List of all English Wikipedia pages containing links to this page [j]" accesskey="j"><span>What links here</span></a></li><li id="t-recentchangeslinked" class="mw-list-item"><a href="/wiki/Special:RecentChangesLinked/Elliptic-curve_cryptography" rel="nofollow" title="Recent changes in pages linked from this page [k]" accesskey="k"><span>Related changes</span></a></li><li id="t-upload" class="mw-list-item"><a href="/wiki/Wikipedia:File_Upload_Wizard" title="Upload files [u]" accesskey="u"><span>Upload file</span></a></li><li id="t-specialpages" class="mw-list-item"><a href="/wiki/Special:SpecialPages" title="A list of all special pages [q]" accesskey="q"><span>Special pages</span></a></li><li id="t-permalink" class="mw-list-item"><a href="/w/index.php?title=Elliptic-curve_cryptography&amp;oldid=1259065219" title="Permanent link to this revision of this page"><span>Permanent link</span></a></li><li id="t-info" class="mw-list-item"><a href="/w/index.php?title=Elliptic-curve_cryptography&amp;action=info" title="More information about this page"><span>Page information</span></a></li><li id="t-cite" class="mw-list-item"><a href="/w/index.php?title=Special:CiteThisPage&amp;page=Elliptic-curve_cryptography&amp;id=1259065219&amp;wpFormIdentifier=titleform" title="Information on how to cite this page"><span>Cite this 
page</span></a></li><li id="t-urlshortener" class="mw-list-item"><a href="/w/index.php?title=Special:UrlShortener&amp;url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FElliptic-curve_cryptography"><span>Get shortened URL</span></a></li><li id="t-urlshortener-qrcode" class="mw-list-item"><a href="/w/index.php?title=Special:QrCode&amp;url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FElliptic-curve_cryptography"><span>Download QR code</span></a></li> </ul> </div> </div> <div id="p-coll-print_export" class="vector-menu mw-portlet mw-portlet-coll-print_export" > <div class="vector-menu-heading"> Print/export </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="coll-download-as-rl" class="mw-list-item"><a href="/w/index.php?title=Special:DownloadAsPdf&amp;page=Elliptic-curve_cryptography&amp;action=show-download-screen" title="Download this page as a PDF file"><span>Download as PDF</span></a></li><li id="t-print" class="mw-list-item"><a href="/w/index.php?title=Elliptic-curve_cryptography&amp;printable=yes" title="Printable version of this page [p]" accesskey="p"><span>Printable version</span></a></li> </ul> </div> </div> <div id="p-wikibase-otherprojects" class="vector-menu mw-portlet mw-portlet-wikibase-otherprojects" > <div class="vector-menu-heading"> In other projects </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="t-wikibase" class="wb-otherproject-link wb-otherproject-wikibase-dataitem mw-list-item"><a href="https://www.wikidata.org/wiki/Special:EntityPage/Q1048911" title="Structured data on this page hosted by Wikidata [g]" accesskey="g"><span>Wikidata item</span></a></li> </ul> </div> </div> </div> </div> </div> </div> </nav> </div> </div> </div> <div class="vector-column-end"> <div class="vector-sticky-pinned-container"> <nav class="vector-page-tools-landmark" aria-label="Page tools"> <div id="vector-page-tools-pinned-container" class="vector-pinned-container"> </div> </nav> <nav 
class="vector-appearance-landmark" aria-label="Appearance"> <div id="vector-appearance-pinned-container" class="vector-pinned-container"> <div id="vector-appearance" class="vector-appearance vector-pinnable-element"> <div class="vector-pinnable-header vector-appearance-pinnable-header vector-pinnable-header-pinned" data-feature-name="appearance-pinned" data-pinnable-element-id="vector-appearance" data-pinned-container-id="vector-appearance-pinned-container" data-unpinned-container-id="vector-appearance-unpinned-container" > <div class="vector-pinnable-header-label">Appearance</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-appearance.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-appearance.unpin">hide</button> </div> </div> </div> </nav> </div> </div> <div id="bodyContent" class="vector-body" aria-labelledby="firstHeading" data-mw-ve-target-container> <div class="vector-body-before-content"> <div class="mw-indicators"> </div> <div id="siteSub" class="noprint">From Wikipedia, the free encyclopedia</div> </div> <div id="contentSub"><div id="mw-content-subtitle"></div></div> <div id="mw-content-text" class="mw-body-content"><div class="mw-content-ltr mw-parser-output" lang="en" dir="ltr"><div class="shortdescription nomobile noexcerpt noprint searchaux" style="display:none">Approach to public-key cryptography</div> <p><b>Elliptic-curve cryptography</b> (<b>ECC</b>) is an approach to <a href="/wiki/Public-key_cryptography" title="Public-key cryptography">public-key cryptography</a> based on the <a href="/wiki/Algebraic_structure" title="Algebraic structure">algebraic structure</a> of <a href="/wiki/Elliptic_curve" title="Elliptic curve">elliptic curves</a> over <a href="/wiki/Finite_field" title="Finite field">finite fields</a>. 
ECC allows smaller keys to provide equivalent security, compared to cryptosystems based on modular exponentiation in <a href="/wiki/Finite_field" title="Finite field">Galois fields</a>, such as the <a href="/wiki/RSA_(cryptosystem)" title="RSA (cryptosystem)"> RSA cryptosystem</a> and <a href="/wiki/ElGamal_encryption" title="ElGamal encryption"> ElGamal cryptosystem</a>.<sup id="cite_ref-:0_1-0" class="reference"><a href="#cite_note-:0-1"><span class="cite-bracket">&#91;</span>1<span class="cite-bracket">&#93;</span></a></sup> </p><p>Elliptic curves are applicable for <a href="/wiki/Key_agreement" class="mw-redirect" title="Key agreement">key agreement</a>, <a href="/wiki/Digital_signature" title="Digital signature">digital signatures</a>, <a href="/wiki/Cryptographically_secure_pseudorandom_number_generator" title="Cryptographically secure pseudorandom number generator">pseudo-random generators</a> and other tasks. Indirectly, they can be used for <a href="/wiki/Encryption" title="Encryption">encryption</a> by combining the key agreement with a <a href="/wiki/Symmetric-key_algorithm" title="Symmetric-key algorithm">symmetric encryption</a> scheme. They are also used in several <a href="/wiki/Integer_factorization" title="Integer factorization">integer factorization</a> <a href="/wiki/Algorithm" title="Algorithm">algorithms</a> that have applications in cryptography, such as <a href="/wiki/Lenstra_elliptic-curve_factorization" title="Lenstra elliptic-curve factorization">Lenstra elliptic-curve factorization</a>. 
</p> <meta property="mw:PageProp/toc" /> <div class="mw-heading mw-heading2"><h2 id="History">History</h2></div> <p>The use of elliptic curves in cryptography was suggested independently by <a href="/wiki/Neal_Koblitz" title="Neal Koblitz">Neal Koblitz</a><sup id="cite_ref-2" class="reference"><a href="#cite_note-2"><span class="cite-bracket">&#91;</span>2<span class="cite-bracket">&#93;</span></a></sup> and <a href="/wiki/Victor_S._Miller" title="Victor S. Miller">Victor S. Miller</a><sup id="cite_ref-3" class="reference"><a href="#cite_note-3"><span class="cite-bracket">&#91;</span>3<span class="cite-bracket">&#93;</span></a></sup> in 1985. Elliptic curve cryptography algorithms entered wide use in 2004 to 2005. </p><p>In 1999, NIST recommended fifteen elliptic curves. 
Specifically, FIPS 186-4<sup id="cite_ref-4" class="reference"><a href="#cite_note-4"><span class="cite-bracket">&#91;</span>4<span class="cite-bracket">&#93;</span></a></sup> has ten recommended finite fields: </p> <ul><li>Five <a href="/wiki/Finite_Field" class="mw-redirect" title="Finite Field">prime fields</a> <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {F} _{p}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">F</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>p</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {F} _{p}}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/2d35035371db7bee93733c68c1802114c17d8bb4" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.005ex; width:2.479ex; height:2.843ex;" alt="{\displaystyle \mathbb {F} _{p}}"></span> for certain primes <i>p</i> of sizes 192, 224, 256, 384, and 521 bits. 
For each of the prime fields, one elliptic curve is recommended.</li> <li>Five <a href="/wiki/Finite_Field" class="mw-redirect" title="Finite Field">binary fields</a> <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {F} _{2^{m}}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">F</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <msup> <mn>2</mn> <mrow class="MJX-TeXAtom-ORD"> <mi>m</mi> </mrow> </msup> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {F} _{2^{m}}}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/950de5de23e6ba61c1a5186dae752ae92ff4870e" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:3.81ex; height:2.509ex;" alt="{\displaystyle \mathbb {F} _{2^{m}}}"></span> for <i>m</i> equal to 163, 233, 283, 409, and 571. For each of the binary fields, one elliptic curve and one <a href="/wiki/Neal_Koblitz" title="Neal Koblitz">Koblitz</a> curve were selected.</li></ul> <p>The NIST recommendation thus contains a total of five prime curves and ten binary curves. 
The curves were chosen for optimal security and implementation efficiency.<sup id="cite_ref-5" class="reference"><a href="#cite_note-5"><span class="cite-bracket">&#91;</span>5<span class="cite-bracket">&#93;</span></a></sup> </p><p>At the <a href="/wiki/RSA_Conference" title="RSA Conference">RSA Conference</a> 2005, the <a href="/wiki/National_Security_Agency" title="National Security Agency">National Security Agency</a> (NSA) announced <a href="/wiki/NSA_Suite_B" class="mw-redirect" title="NSA Suite B">Suite B</a>, which exclusively uses ECC for digital signature generation and key exchange. The suite is intended to protect both classified and unclassified national security systems and information.<sup id="cite_ref-:0_1-1" class="reference"><a href="#cite_note-:0-1"><span class="cite-bracket">&#91;</span>1<span class="cite-bracket">&#93;</span></a></sup> The <a href="/wiki/National_Institute_of_Standards_and_Technology" title="National Institute of Standards and Technology">National Institute of Standards and Technology</a> (NIST) has endorsed elliptic curve cryptography in the NSA's <a href="/wiki/NSA_Suite_B" class="mw-redirect" title="NSA Suite B">Suite B</a> set of recommended algorithms, specifically <a href="/wiki/Elliptic-curve_Diffie%E2%80%93Hellman" title="Elliptic-curve Diffie–Hellman">elliptic-curve Diffie–Hellman</a> (ECDH) for key exchange and <a href="/wiki/Elliptic_Curve_Digital_Signature_Algorithm" title="Elliptic Curve Digital Signature Algorithm">Elliptic Curve Digital Signature Algorithm</a> (ECDSA) for digital signature. 
The NSA allows their use for protecting information classified up to <a href="/wiki/Classified_information_in_the_United_States" title="Classified information in the United States">top secret</a> with 384-bit keys.<sup id="cite_ref-6" class="reference"><a href="#cite_note-6"><span class="cite-bracket">&#91;</span>6<span class="cite-bracket">&#93;</span></a></sup> </p><p>Recently,<sup class="noprint Inline-Template" style="white-space:nowrap;">&#91;<i><a href="/wiki/Wikipedia:Manual_of_Style/Dates_and_numbers#Chronological_items" title="Wikipedia:Manual of Style/Dates and numbers"><span title="The time period mentioned near this tag is ambiguous. (October 2022)">when?</span></a></i>&#93;</sup> a large number of cryptographic primitives based on bilinear mappings on various elliptic curve groups, such as the <a href="/wiki/Weil_pairing" title="Weil pairing">Weil</a> and <a href="/wiki/Tate_pairing" title="Tate pairing">Tate pairings</a>, have been introduced. Schemes based on these primitives provide efficient <a href="/wiki/Identity-based_encryption" title="Identity-based encryption">identity-based encryption</a> as well as pairing-based signatures, <a href="/wiki/Signcryption" title="Signcryption">signcryption</a>, <a href="/wiki/Key_agreement" class="mw-redirect" title="Key agreement">key agreement</a>, and <a href="/wiki/Proxy_re-encryption" title="Proxy re-encryption">proxy re-encryption</a>.<sup class="noprint Inline-Template Template-Fact" style="white-space:nowrap;">&#91;<i><a href="/wiki/Wikipedia:Citation_needed" title="Wikipedia:Citation needed"><span title="This claim needs references to reliable sources. (April 2023)">citation needed</span></a></i>&#93;</sup> </p><p>Elliptic curve cryptography is used successfully in numerous popular protocols, such as <a href="/wiki/Transport_Layer_Security" title="Transport Layer Security">Transport Layer Security</a> and <a href="/wiki/Bitcoin" title="Bitcoin">Bitcoin</a>. 
</p> <div class="mw-heading mw-heading3"><h3 id="Security_concerns">Security concerns</h3></div> <p>In 2013, <i><a href="/wiki/The_New_York_Times" title="The New York Times">The New York Times</a></i> stated that <a href="/wiki/Dual_EC_DRBG" title="Dual EC DRBG">Dual Elliptic Curve Deterministic Random Bit Generation</a> (or Dual_EC_DRBG) had been included as a NIST national standard due to the influence of <a href="/wiki/NSA" class="mw-redirect" title="NSA">NSA</a>, which had included a deliberate weakness in the algorithm and the recommended elliptic curve.<sup id="cite_ref-7" class="reference"><a href="#cite_note-7"><span class="cite-bracket">&#91;</span>7<span class="cite-bracket">&#93;</span></a></sup> <a href="/wiki/RSA_Security" title="RSA Security">RSA Security</a> in September 2013 issued an advisory recommending that its customers discontinue using any software based on Dual_EC_DRBG.<sup id="cite_ref-8" class="reference"><a href="#cite_note-8"><span class="cite-bracket">&#91;</span>8<span class="cite-bracket">&#93;</span></a></sup><sup id="cite_ref-9" class="reference"><a href="#cite_note-9"><span class="cite-bracket">&#91;</span>9<span class="cite-bracket">&#93;</span></a></sup> In the wake of the exposure of Dual_EC_DRBG as "an NSA undercover operation", cryptography experts have also expressed concern over the security of the NIST recommended elliptic curves,<sup id="cite_ref-10" class="reference"><a href="#cite_note-10"><span class="cite-bracket">&#91;</span>10<span class="cite-bracket">&#93;</span></a></sup> suggesting a return to encryption based on non-elliptic-curve groups. 
</p> <style data-mw-deduplicate="TemplateStyles:r1236090951">.mw-parser-output .hatnote{font-style:italic}.mw-parser-output div.hatnote{padding-left:1.6em;margin-bottom:0.5em}.mw-parser-output .hatnote i{font-style:normal}.mw-parser-output .hatnote+link+.hatnote{margin-top:-0.5em}@media print{body.ns-0 .mw-parser-output .hatnote{display:none!important}}</style><div role="note" class="hatnote navigation-not-searchable">Further information: <a href="#Quantum_computing_attack">§&#160;Quantum computing attack</a></div> <p>Additionally, in August 2015, the NSA announced that it plans to replace Suite B with a new cipher suite due to concerns about <a href="/wiki/Quantum_computing" title="Quantum computing">quantum computing</a> attacks on ECC.<sup id="cite_ref-nsaquantum_11-0" class="reference"><a href="#cite_note-nsaquantum-11"><span class="cite-bracket">&#91;</span>11<span class="cite-bracket">&#93;</span></a></sup><sup id="cite_ref-nsaQCfaq_12-0" class="reference"><a href="#cite_note-nsaQCfaq-12"><span class="cite-bracket">&#91;</span>12<span class="cite-bracket">&#93;</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Patents">Patents</h3></div> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1236090951"><div role="note" class="hatnote navigation-not-searchable">Main article: <a href="/wiki/ECC_patents" title="ECC patents">ECC patents</a></div> <p>While the RSA patent expired in 2000, there may be patents in force covering certain aspects of ECC technology, including at least one ECC scheme (<a href="/wiki/ECMQV" class="mw-redirect" title="ECMQV">ECMQV</a>). 
However, <a href="/wiki/RSA_Security" title="RSA Security">RSA Laboratories</a><sup id="cite_ref-13" class="reference"><a href="#cite_note-13"><span class="cite-bracket">&#91;</span>13<span class="cite-bracket">&#93;</span></a></sup> and <a href="/wiki/Daniel_J._Bernstein" title="Daniel J. Bernstein">Daniel J. Bernstein</a><sup id="cite_ref-14" class="reference"><a href="#cite_note-14"><span class="cite-bracket">&#91;</span>14<span class="cite-bracket">&#93;</span></a></sup> have argued that the <a href="/wiki/Federal_government_of_the_United_States" title="Federal government of the United States">US government</a> elliptic curve digital signature standard (ECDSA; NIST FIPS 186-3) and certain practical ECC-based key exchange schemes (including ECDH) can be implemented without infringing those patents. </p> <div class="mw-heading mw-heading2"><h2 id="Elliptic_curve_theory">Elliptic curve theory</h2></div> <p>For the purposes of this article, an <i>elliptic curve</i> is a <a href="/wiki/Plane_curve" title="Plane curve">plane curve</a> over a <a href="/wiki/Finite_field" title="Finite field">finite field</a> (rather than the real numbers) which consists of the points satisfying the equation: </p> <dl><dd><span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle y^{2}=x^{3}+ax+b,\,}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msup> <mi>y</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msup> <mo>=</mo> <msup> <mi>x</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>3</mn> </mrow> </msup> <mo>+</mo> <mi>a</mi> <mi>x</mi> 
<mo>+</mo> <mi>b</mi> <mo>,</mo> <mspace width="thinmathspace" /> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle y^{2}=x^{3}+ax+b,\,}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/fc86af15bc8199a9f34988f2928839b91d3ddd88" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:17.969ex; height:3.009ex;" alt="{\displaystyle y^{2}=x^{3}+ax+b,\,}"></span></dd></dl> <p>along with a distinguished <a href="/wiki/Point_at_infinity" title="Point at infinity">point at infinity</a>, denoted ∞. The coordinates here are to be chosen from a fixed <a href="/wiki/Finite_field" title="Finite field">finite field</a> of <a href="/wiki/Characteristic_(algebra)#Case_of_fields" title="Characteristic (algebra)">characteristic</a> not equal to 2 or 3, or the curve equation would be somewhat more complicated. </p><p>This set of points, together with the <a href="/wiki/Elliptic_curve#The_group_law" title="Elliptic curve">group operation of elliptic curves</a>, is an <a href="/wiki/Abelian_group" title="Abelian group">abelian group</a>, with the point at infinity as an identity element. 
The structure of the group is inherited from the <a href="/wiki/Divisor_(algebraic_geometry)" title="Divisor (algebraic geometry)">divisor group</a> of the underlying <a href="/wiki/Algebraic_variety" title="Algebraic variety">algebraic variety</a>: </p> <dl><dd><span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathrm {Div} ^{0}(E)\to \mathrm {Pic} ^{0}(E)\simeq E,\,}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msup> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="normal">D</mi> <mi mathvariant="normal">i</mi> <mi mathvariant="normal">v</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mn>0</mn> </mrow> </msup> <mo stretchy="false">(</mo> <mi>E</mi> <mo stretchy="false">)</mo> <mo stretchy="false">&#x2192;<!-- → --></mo> <msup> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="normal">P</mi> <mi mathvariant="normal">i</mi> <mi mathvariant="normal">c</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mn>0</mn> </mrow> </msup> <mo stretchy="false">(</mo> <mi>E</mi> <mo stretchy="false">)</mo> <mo>&#x2243;<!-- ≃ --></mo> <mi>E</mi> <mo>,</mo> <mspace width="thinmathspace" /> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathrm {Div} ^{0}(E)\to \mathrm {Pic} ^{0}(E)\simeq E,\,}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/59c3e49d2c4bc845022d15d0d1b327e806086312" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:25.712ex; height:3.176ex;" alt="{\displaystyle \mathrm {Div} ^{0}(E)\to \mathrm {Pic} ^{0}(E)\simeq E,\,}"></span></dd></dl> <div class="mw-heading mw-heading3"><h3 id="Application_to_cryptography">Application to cryptography</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a 
href="/w/index.php?title=Elliptic-curve_cryptography&amp;action=edit&amp;section=5" title="Edit section: Application to cryptography"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p><a href="/wiki/Public-key_cryptography" title="Public-key cryptography">Public-key cryptography</a> is based on the <a href="/wiki/Intractability_(complexity)#Intractability" class="mw-redirect" title="Intractability (complexity)">intractability</a> of certain mathematical <a href="/wiki/Computational_hardness_assumption" title="Computational hardness assumption">problems</a>. Early public-key systems, such as <a href="/wiki/RSA_(cryptosystem)" title="RSA (cryptosystem)">RSA</a>'s 1983 patent, based their security on the assumption that it is difficult to <a href="/wiki/Integer_factorization" title="Integer factorization">factor</a> a large integer composed of two or more large prime factors which are far apart. For later elliptic-curve-based protocols, the base assumption is that finding the <a href="/wiki/Discrete_logarithm" title="Discrete logarithm">discrete logarithm</a> of a random elliptic curve element with respect to a publicly known base point is infeasible (the <a href="/wiki/Computational_Diffie%E2%80%93Hellman_assumption" title="Computational Diffie–Hellman assumption">computational Diffie–Hellman assumption</a>): this is the "elliptic curve discrete logarithm problem" (ECDLP). The security of elliptic curve cryptography depends on the ability to compute a <a href="/wiki/Elliptic_curve_point_multiplication" title="Elliptic curve point multiplication">point multiplication</a> and the inability to compute the multiplicand given the original point and product point. The size of the elliptic curve, measured by the total number of discrete integer pairs satisfying the curve equation, determines the difficulty of the problem. 
</p><p>The primary benefit promised by elliptic curve cryptography over alternatives such as RSA is a smaller <a href="/wiki/Key_size" title="Key size">key size</a>, reducing storage and transmission requirements.<sup id="cite_ref-:0_1-2" class="reference"><a href="#cite_note-:0-1"><span class="cite-bracket">&#91;</span>1<span class="cite-bracket">&#93;</span></a></sup> For example, a 256-bit elliptic curve public key should provide <a href="/wiki/Security_level" title="Security level">comparable security</a> to a 3072-bit RSA public key. </p> <div class="mw-heading mw-heading3"><h3 id="Cryptographic_schemes">Cryptographic schemes</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Elliptic-curve_cryptography&amp;action=edit&amp;section=6" title="Edit section: Cryptographic schemes"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Several <a href="/wiki/Discrete_logarithm" title="Discrete logarithm">discrete logarithm</a>-based protocols have been adapted to elliptic curves, replacing the group <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle (\mathbb {Z} _{p})^{\times }}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mo stretchy="false">(</mo> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">Z</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>p</mi> </mrow> </msub> <msup> <mo stretchy="false">)</mo> <mrow class="MJX-TeXAtom-ORD"> <mo>&#x00D7;<!-- × --></mo> </mrow> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle (\mathbb {Z} _{p})^{\times }}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/330c9efd1ac7f717428e734aa2ed3dcf97e47756" class="mwe-math-fallback-image-inline mw-invert skin-invert" 
aria-hidden="true" style="vertical-align: -1.005ex; width:5.93ex; height:3.009ex;" alt="{\displaystyle (\mathbb {Z} _{p})^{\times }}"></span> with an elliptic curve: </p> <ul><li>The <a href="/wiki/Elliptic-curve_Diffie%E2%80%93Hellman" title="Elliptic-curve Diffie–Hellman">Elliptic-curve Diffie–Hellman</a> (ECDH) key agreement scheme is based on the <a href="/wiki/Diffie%E2%80%93Hellman" class="mw-redirect" title="Diffie–Hellman">Diffie–Hellman</a> scheme,</li> <li>The Elliptic Curve <a href="/wiki/Integrated_Encryption_Scheme" title="Integrated Encryption Scheme">Integrated Encryption Scheme</a> (ECIES), also known as Elliptic Curve Augmented Encryption Scheme or simply the Elliptic Curve Encryption Scheme,</li> <li>The <a href="/wiki/Elliptic_Curve_Digital_Signature_Algorithm" title="Elliptic Curve Digital Signature Algorithm">Elliptic Curve Digital Signature Algorithm</a> (ECDSA) is based on the <a href="/wiki/Digital_Signature_Algorithm" title="Digital Signature Algorithm">Digital Signature Algorithm</a>,</li> <li>The deformation scheme using Harrison's p-adic Manhattan metric,</li> <li>The <a href="/wiki/EdDSA" title="EdDSA">Edwards-curve Digital Signature Algorithm</a> (EdDSA) is based on <a href="/wiki/Schnorr_signature" title="Schnorr signature">Schnorr signature</a> and uses <a href="/wiki/Twisted_Edwards_curve" title="Twisted Edwards curve">twisted Edwards curves</a>,</li> <li>The <a href="/wiki/ECMQV" class="mw-redirect" title="ECMQV">ECMQV</a> key agreement scheme is based on the <a href="/wiki/Menezes%E2%80%93Qu%E2%80%93Vanstone" class="mw-redirect" title="Menezes–Qu–Vanstone">MQV</a> key agreement scheme,</li> <li>The <a href="/wiki/Implicit_certificate" title="Implicit certificate">ECQV</a> implicit certificate scheme.</li></ul> <div class="mw-heading mw-heading2"><h2 id="Implementation">Implementation</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a 
href="/w/index.php?title=Elliptic-curve_cryptography&amp;action=edit&amp;section=7" title="Edit section: Implementation"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Some common implementation considerations include: </p> <div class="mw-heading mw-heading3"><h3 id="Domain_parameters">Domain parameters</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Elliptic-curve_cryptography&amp;action=edit&amp;section=8" title="Edit section: Domain parameters"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>To use ECC, all parties must agree on all the elements defining the elliptic curve, that is, the <i>domain parameters</i> of the scheme. The size of the field used is typically either prime (and denoted as p) or is a power of two (<span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle 2^{m}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msup> <mn>2</mn> <mrow class="MJX-TeXAtom-ORD"> <mi>m</mi> </mrow> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle 2^{m}}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/667d0154f26e56e3f7979803f08afac16b4dcb16" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:2.837ex; height:2.343ex;" alt="{\displaystyle 2^{m}}"></span>); the latter case is called <i>the binary case</i>, and this case necessitates the choice of an auxiliary curve denoted by <i>f</i>. Thus the field is defined by <i>p</i> in the prime case and the pair of <i>m</i> and <i>f</i> in the binary case. The elliptic curve is defined by the constants <i>a</i> and <i>b</i> used in its defining equation. 
Finally, the cyclic subgroup is defined by its <a href="/wiki/Generating_set_of_a_group" title="Generating set of a group">generator</a> (a.k.a. <i>base point</i>) <i>G</i>. For cryptographic application, the <a href="/wiki/Order_(group_theory)" title="Order (group theory)">order</a> of <i>G</i>, that is the smallest positive number <i>n</i> such that <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle nG={\mathcal {O}}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>n</mi> <mi>G</mi> <mo>=</mo> <mrow class="MJX-TeXAtom-ORD"> <mrow class="MJX-TeXAtom-ORD"> <mi class="MJX-tex-caligraphic" mathvariant="script">O</mi> </mrow> </mrow> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle nG={\mathcal {O}}}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/69301d032dc873e947b4ff794ca3af6b42c45f66" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:8.17ex; height:2.176ex;" alt="{\displaystyle nG={\mathcal {O}}}"></span> (the <a href="/wiki/Point_at_infinity" title="Point at infinity">point at infinity</a> of the curve, and the <a href="/wiki/Identity_element" title="Identity element">identity element</a>), is normally prime. 
Since <i>n</i> is the size of a subgroup of <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle E(\mathbb {F} _{p})}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>E</mi> <mo stretchy="false">(</mo> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">F</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>p</mi> </mrow> </msub> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle E(\mathbb {F} _{p})}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/b8b6f9d9f090b11993420204881e93e7e394f1b0" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.005ex; width:6.064ex; height:3.009ex;" alt="{\displaystyle E(\mathbb {F} _{p})}"></span> it follows from <a href="/wiki/Lagrange%27s_theorem_(group_theory)" title="Lagrange&#39;s theorem (group theory)">Lagrange's theorem</a> that the number <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle h={\frac {1}{n}}|E(\mathbb {F} _{p})|}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>h</mi> <mo>=</mo> <mrow class="MJX-TeXAtom-ORD"> <mfrac> <mn>1</mn> <mi>n</mi> </mfrac> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mo stretchy="false">|</mo> </mrow> <mi>E</mi> <mo stretchy="false">(</mo> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">F</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>p</mi> </mrow> </msub> <mo stretchy="false">)</mo> <mrow class="MJX-TeXAtom-ORD"> <mo stretchy="false">|</mo> </mrow> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle h={\frac {1}{n}}|E(\mathbb 
{F} _{p})|}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/e7be51a69a2633655e5b9fdb18fc06cf64084aca" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.838ex; width:14.026ex; height:5.176ex;" alt="{\displaystyle h={\frac {1}{n}}|E(\mathbb {F} _{p})|}"></span> is an integer. In cryptographic applications, this number <i>h</i>, called the <i>cofactor</i>, must be small (<span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle h\leq 4}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>h</mi> <mo>&#x2264;<!-- ≤ --></mo> <mn>4</mn> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle h\leq 4}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/7b459ecd8482adc7f5240b899ed2bdaeea68a4a7" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.505ex; width:5.6ex; height:2.343ex;" alt="{\displaystyle h\leq 4}"></span>) and, preferably, <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle h=1}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>h</mi> <mo>=</mo> <mn>1</mn> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle h=1}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/3d5d82ae0a834e0d0b839e2ea7a0f8eac0ee791d" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:5.6ex; height:2.176ex;" alt="{\displaystyle h=1}"></span>. 
To summarize: in the prime case, the domain parameters are <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle (p,a,b,G,n,h)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mo stretchy="false">(</mo> <mi>p</mi> <mo>,</mo> <mi>a</mi> <mo>,</mo> <mi>b</mi> <mo>,</mo> <mi>G</mi> <mo>,</mo> <mi>n</mi> <mo>,</mo> <mi>h</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle (p,a,b,G,n,h)}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/855fbb66e0a1bf31aa7f20678c781678270bb231" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:14.936ex; height:2.843ex;" alt="{\displaystyle (p,a,b,G,n,h)}"></span>; in the binary case, they are <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle (m,f,a,b,G,n,h)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mo stretchy="false">(</mo> <mi>m</mi> <mo>,</mo> <mi>f</mi> <mo>,</mo> <mi>a</mi> <mo>,</mo> <mi>b</mi> <mo>,</mo> <mi>G</mi> <mo>,</mo> <mi>n</mi> <mo>,</mo> <mi>h</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle (m,f,a,b,G,n,h)}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/93f5549823023038c72ec57dba5ef4cc71f2ad7c" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:18.12ex; height:2.843ex;" alt="{\displaystyle (m,f,a,b,G,n,h)}"></span>. 
</p><p>Unless there is an assurance that domain parameters were generated by a party trusted with respect to their use, the domain parameters <i>must</i> be validated before use. </p><p>The generation of domain parameters is not usually done by each participant because this involves computing <a href="/wiki/Counting_points_on_elliptic_curves" title="Counting points on elliptic curves">the number of points on a curve</a> which is time-consuming and troublesome to implement. As a result, several standard bodies published domain parameters of elliptic curves for several common field sizes. Such domain parameters are commonly known as "standard curves" or "named curves"; a named curve can be referenced either by name or by the unique <a href="/wiki/Object_identifier" title="Object identifier">object identifier</a> defined in the standard documents: </p> <ul><li><a href="/wiki/NIST" class="mw-redirect" title="NIST">NIST</a>, <a rel="nofollow" class="external text" href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf">Recommended Elliptic Curves for Government Use</a></li> <li><a href="/wiki/SECG" title="SECG">SECG</a>, <a rel="nofollow" class="external text" href="http://www.secg.org/sec2-v2.pdf">SEC 2: Recommended Elliptic Curve Domain Parameters</a></li> <li>ECC Brainpool (<style data-mw-deduplicate="TemplateStyles:r1238218222">.mw-parser-output cite.citation{font-style:inherit;word-wrap:break-word}.mw-parser-output .citation q{quotes:"\"""\"""'""'"}.mw-parser-output .citation:target{background-color:rgba(0,127,255,0.133)}.mw-parser-output .id-lock-free.id-lock-free a{background:url("//upload.wikimedia.org/wikipedia/commons/6/65/Lock-green.svg")right 0.1em center/9px no-repeat}.mw-parser-output .id-lock-limited.id-lock-limited a,.mw-parser-output .id-lock-registration.id-lock-registration a{background:url("//upload.wikimedia.org/wikipedia/commons/d/d6/Lock-gray-alt-2.svg")right 0.1em center/9px no-repeat}.mw-parser-output 
.id-lock-subscription.id-lock-subscription a{background:url("//upload.wikimedia.org/wikipedia/commons/a/aa/Lock-red-alt-2.svg")right 0.1em center/9px no-repeat}.mw-parser-output .cs1-ws-icon a{background:url("//upload.wikimedia.org/wikipedia/commons/4/4c/Wikisource-logo.svg")right 0.1em center/12px no-repeat}body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-free a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-limited a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-registration a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-subscription a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .cs1-ws-icon a{background-size:contain;padding:0 1em 0 0}.mw-parser-output .cs1-code{color:inherit;background:inherit;border:none;padding:inherit}.mw-parser-output .cs1-hidden-error{display:none;color:var(--color-error,#d33)}.mw-parser-output .cs1-visible-error{color:var(--color-error,#d33)}.mw-parser-output .cs1-maint{display:none;color:#085;margin-left:0.3em}.mw-parser-output .cs1-kern-left{padding-left:0.2em}.mw-parser-output .cs1-kern-right{padding-right:0.2em}.mw-parser-output .citation .mw-selflink{font-weight:inherit}@media screen{.mw-parser-output .cs1-format{font-size:95%}html.skin-theme-clientpref-night .mw-parser-output .cs1-maint{color:#18911f}}@media screen and (prefers-color-scheme:dark){html.skin-theme-clientpref-os .mw-parser-output .cs1-maint{color:#18911f}}</style><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a>&#160;<a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5639">5639</a>), <a rel="nofollow" class="external text" href="http://www.ecc-brainpool.org/download/Domain-parameters.pdf">ECC Brainpool Standard Curves and Curve Generation</a><sup id="cite_ref-15" class="reference"><a href="#cite_note-15"><span class="cite-bracket">&#91;</span>15<span 
class="cite-bracket">&#93;</span></a></sup><sup id="cite_ref-16" class="reference"><a href="#cite_note-16"><span class="cite-bracket">&#91;</span>16<span class="cite-bracket">&#93;</span></a></sup></li></ul> <p>SECG test vectors are also available.<sup id="cite_ref-17" class="reference"><a href="#cite_note-17"><span class="cite-bracket">&#91;</span>17<span class="cite-bracket">&#93;</span></a></sup> NIST has approved many SECG curves, so there is a significant overlap between the specifications published by NIST and SECG. EC domain parameters may be specified either by value or by name. </p><p>If, despite the preceding admonition, one decides to construct one's own domain parameters, one should select the underlying field and then use one of the following strategies to find a curve with appropriate (i.e., near prime) number of points using one of the following methods: </p> <ul><li>Select a random curve and use a general point-counting algorithm, for example, <a href="/wiki/Schoof%27s_algorithm" title="Schoof&#39;s algorithm">Schoof's algorithm</a> or the <a href="/wiki/Schoof%E2%80%93Elkies%E2%80%93Atkin_algorithm" title="Schoof–Elkies–Atkin algorithm">Schoof–Elkies–Atkin algorithm</a>,</li> <li>Select a random curve from a family which allows easy calculation of the number of points (e.g., <a href="/w/index.php?title=Koblitz_curve&amp;action=edit&amp;redlink=1" class="new" title="Koblitz curve (page does not exist)">Koblitz curves</a>), or</li> <li>Select the number of points and generate a curve with this number of points using the <i>complex multiplication</i> technique.<sup id="cite_ref-18" class="reference"><a href="#cite_note-18"><span class="cite-bracket">&#91;</span>18<span class="cite-bracket">&#93;</span></a></sup></li></ul> <p>Several classes of curves are weak and should be avoided: </p> <ul><li>Curves over <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math 
xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {F} _{2^{m}}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">F</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <msup> <mn>2</mn> <mrow class="MJX-TeXAtom-ORD"> <mi>m</mi> </mrow> </msup> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {F} _{2^{m}}}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/950de5de23e6ba61c1a5186dae752ae92ff4870e" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:3.81ex; height:2.509ex;" alt="{\displaystyle \mathbb {F} _{2^{m}}}"></span> with non-prime <i>m</i> are vulnerable to <a href="/wiki/Weil_descent" class="mw-redirect" title="Weil descent">Weil descent</a> attacks.<sup id="cite_ref-19" class="reference"><a href="#cite_note-19"><span class="cite-bracket">&#91;</span>19<span class="cite-bracket">&#93;</span></a></sup><sup id="cite_ref-20" class="reference"><a href="#cite_note-20"><span class="cite-bracket">&#91;</span>20<span class="cite-bracket">&#93;</span></a></sup></li> <li>Curves such that <i>n</i> divides <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p^{B}-1}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msup> <mi>p</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>B</mi> </mrow> </msup> <mo>&#x2212;<!-- − --></mo> <mn>1</mn> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p^{B}-1}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/8e4b00cdb3241bd583e5edb55df1fdbd32613753" class="mwe-math-fallback-image-inline mw-invert 
skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; margin-left: -0.089ex; width:6.741ex; height:3.009ex;" alt="{\displaystyle p^{B}-1}"></span> (where <i>p</i> is the characteristic of the field: <i>q</i> for a prime field, or <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle 2}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mn>2</mn> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle 2}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/901fc910c19990d0dbaaefe4726ceb1a4e217a0f" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.162ex; height:2.176ex;" alt="{\displaystyle 2}"></span> for a binary field) for sufficiently small <i>B</i> are vulnerable to the Menezes–Okamoto–Vanstone (MOV) attack,<sup id="cite_ref-21" class="reference"><a href="#cite_note-21"><span class="cite-bracket">&#91;</span>21<span class="cite-bracket">&#93;</span></a></sup><sup id="cite_ref-22" class="reference"><a href="#cite_note-22"><span class="cite-bracket">&#91;</span>22<span class="cite-bracket">&#93;</span></a></sup> which applies the usual <a href="/wiki/Discrete_logarithm_problem" class="mw-redirect" title="Discrete logarithm problem">discrete logarithm problem</a> (DLP) in a small-degree extension field of <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {F} _{p}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">F</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>p</mi> </mrow> </msub> </mstyle> </mrow> 
<annotation encoding="application/x-tex">{\displaystyle \mathbb {F} _{p}}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/2d35035371db7bee93733c68c1802114c17d8bb4" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.005ex; width:2.479ex; height:2.843ex;" alt="{\displaystyle \mathbb {F} _{p}}"></span> to solve ECDLP. The bound <i>B</i> should be chosen so that <a href="/wiki/Discrete_logarithm" title="Discrete logarithm">discrete logarithms</a> in the field <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {F} _{p^{B}}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">F</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <msup> <mi>p</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>B</mi> </mrow> </msup> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {F} _{p^{B}}}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/52ce10a03eee6eec8cedaa63a1470fa5b0566948" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.171ex; width:3.656ex; height:3.009ex;" alt="{\displaystyle \mathbb {F} _{p^{B}}}"></span> are at least as difficult to compute as discrete logs on the elliptic curve <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle E(\mathbb {F} _{q})}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>E</mi> <mo stretchy="false">(</mo> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi 
mathvariant="double-struck">F</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>q</mi> </mrow> </msub> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle E(\mathbb {F} _{q})}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/211791ca6b9e75649feeba5dd7ec52de98c85d77" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.005ex; width:5.994ex; height:3.009ex;" alt="{\displaystyle E(\mathbb {F} _{q})}"></span>.<sup id="cite_ref-23" class="reference"><a href="#cite_note-23"><span class="cite-bracket">&#91;</span>23<span class="cite-bracket">&#93;</span></a></sup></li> <li>Curves such that <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle |E(\mathbb {F} _{q})|=q}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mrow class="MJX-TeXAtom-ORD"> <mo stretchy="false">|</mo> </mrow> <mi>E</mi> <mo stretchy="false">(</mo> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">F</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>q</mi> </mrow> </msub> <mo stretchy="false">)</mo> <mrow class="MJX-TeXAtom-ORD"> <mo stretchy="false">|</mo> </mrow> <mo>=</mo> <mi>q</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle |E(\mathbb {F} _{q})|=q}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/742e321d63fb260bbdb28d431e643d3a895b19a3" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.005ex; width:11.455ex; height:3.009ex;" alt="{\displaystyle |E(\mathbb {F} _{q})|=q}"></span> are vulnerable to the attack that maps the points on the curve to the additive group of <span class="mwe-math-element"><span 
class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {F} _{q}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">F</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>q</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {F} _{q}}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/dbb96e056c071d13fc7702013f9273e7f5cd88a7" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.005ex; width:2.409ex; height:2.843ex;" alt="{\displaystyle \mathbb {F} _{q}}"></span>.<sup id="cite_ref-24" class="reference"><a href="#cite_note-24"><span class="cite-bracket">&#91;</span>24<span class="cite-bracket">&#93;</span></a></sup><sup id="cite_ref-25" class="reference"><a href="#cite_note-25"><span class="cite-bracket">&#91;</span>25<span class="cite-bracket">&#93;</span></a></sup><sup id="cite_ref-26" class="reference"><a href="#cite_note-26"><span class="cite-bracket">&#91;</span>26<span class="cite-bracket">&#93;</span></a></sup></li></ul> <div class="mw-heading mw-heading3"><h3 id="Key_sizes">Key sizes</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Elliptic-curve_cryptography&amp;action=edit&amp;section=9" title="Edit section: Key sizes"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1236090951"><div role="note" class="hatnote navigation-not-searchable">See also: <a href="/wiki/Discrete_logarithm_records#Elliptic_curves" title="Discrete logarithm records">Discrete logarithm records §&#160;Elliptic curves</a></div> <p>Because all the fastest known algorithms 
that allow one to solve the ECDLP (<a href="/wiki/Baby-step_giant-step" title="Baby-step giant-step">baby-step giant-step</a>, <a href="/wiki/Pollard%27s_rho_algorithm_for_logarithms" title="Pollard&#39;s rho algorithm for logarithms">Pollard's rho</a>, etc.) need <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle O({\sqrt {n}})}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>O</mi> <mo stretchy="false">(</mo> <mrow class="MJX-TeXAtom-ORD"> <msqrt> <mi>n</mi> </msqrt> </mrow> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle O({\sqrt {n}})}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/f5526ab1252c0f682bbe07c0ad67c0f29de5522b" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.005ex; width:6.913ex; height:3.009ex;" alt="{\displaystyle O({\sqrt {n}})}"></span> steps, it follows that the size of the underlying field, measured in bits, should be roughly twice the security parameter. 
For example, for 128-bit security one needs a curve over <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {F} _{q}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">F</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>q</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {F} _{q}}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/dbb96e056c071d13fc7702013f9273e7f5cd88a7" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.005ex; width:2.409ex; height:2.843ex;" alt="{\displaystyle \mathbb {F} _{q}}"></span>, where <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle q\approx 2^{256}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>q</mi> <mo>&#x2248;<!-- ≈ --></mo> <msup> <mn>2</mn> <mrow class="MJX-TeXAtom-ORD"> <mn>256</mn> </mrow> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle q\approx 2^{256}}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/ab29b541de93af75bb5724e6be7b9985ece02a8e" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:8.029ex; height:3.009ex;" alt="{\displaystyle q\approx 2^{256}}"></span>. 
This can be contrasted with finite-field cryptography (e.g., <a href="/wiki/Digital_Signature_Algorithm" title="Digital Signature Algorithm">DSA</a>) which requires<sup id="cite_ref-27" class="reference"><a href="#cite_note-27"><span class="cite-bracket">&#91;</span>27<span class="cite-bracket">&#93;</span></a></sup> 3072-bit public keys and 256-bit private keys, and integer factorization cryptography (e.g., <a href="/wiki/RSA_(algorithm)" class="mw-redirect" title="RSA (algorithm)">RSA</a>) which requires a 3072-bit value of <i>n</i>, where the private key should be just as large. However, the public key may be smaller to accommodate efficient encryption, especially when processing power is limited. </p><p>The hardest ECC scheme (publicly) broken to date<sup class="noprint Inline-Template" style="white-space:nowrap;">&#91;<i><a href="/wiki/Wikipedia:Manual_of_Style/Dates_and_numbers#Chronological_items" title="Wikipedia:Manual of Style/Dates and numbers"><span title="The time period mentioned near this tag is ambiguous. (November 2022)">when?</span></a></i>&#93;</sup> had a 112-bit key for the prime field case and a 109-bit key for the binary field case. 
For the prime field case, this was broken in July 2009 using a cluster of over 200 <a href="/wiki/PlayStation_3" title="PlayStation 3">PlayStation 3</a> game consoles and could have been finished in 3.5 months using this cluster when running continuously.<sup id="cite_ref-28" class="reference"><a href="#cite_note-28"><span class="cite-bracket">&#91;</span>28<span class="cite-bracket">&#93;</span></a></sup> The binary field case was broken in April 2004 using 2600 computers over 17 months.<sup id="cite_ref-29" class="reference"><a href="#cite_note-29"><span class="cite-bracket">&#91;</span>29<span class="cite-bracket">&#93;</span></a></sup> </p><p>A current project is aiming at breaking the ECC2K-130 challenge by Certicom, by using a wide range of different hardware: CPUs, GPUs, and FPGAs.<sup id="cite_ref-30" class="reference"><a href="#cite_note-30"><span class="cite-bracket">&#91;</span>30<span class="cite-bracket">&#93;</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Projective_coordinates">Projective coordinates</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Elliptic-curve_cryptography&amp;action=edit&amp;section=10" title="Edit section: Projective coordinates"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>A close examination of the addition rules shows that in order to add two points, one needs not only several additions and multiplications in <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {F} _{q}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">F</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>q</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb 
{F} _{q}}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/dbb96e056c071d13fc7702013f9273e7f5cd88a7" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.005ex; width:2.409ex; height:2.843ex;" alt="{\displaystyle \mathbb {F} _{q}}"></span> but also an <a href="/wiki/Modular_multiplicative_inverse" title="Modular multiplicative inverse">inversion</a> operation. The <a href="/wiki/Modular_multiplicative_inverse" title="Modular multiplicative inverse">inversion</a> (for given <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x\in \mathbb {F} _{q}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>x</mi> <mo>&#x2208;<!-- ∈ --></mo> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">F</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>q</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x\in \mathbb {F} _{q}}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/cbe47674612548295c5c24f518686e99cfbe17b8" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.005ex; width:6.579ex; height:2.843ex;" alt="{\displaystyle x\in \mathbb {F} _{q}}"></span> find <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle y\in \mathbb {F} _{q}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>y</mi> <mo>&#x2208;<!-- ∈ --></mo> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">F</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>q</mi> </mrow> </msub> 
</mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle y\in \mathbb {F} _{q}}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/f447d31b715006568a1815459b3cc9087cb2ffb5" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.005ex; width:6.405ex; height:2.843ex;" alt="{\displaystyle y\in \mathbb {F} _{q}}"></span> such that <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle xy=1}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>x</mi> <mi>y</mi> <mo>=</mo> <mn>1</mn> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle xy=1}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/dc7028e7e873eb4ec50f53be53ad478ded8351c1" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:6.746ex; height:2.509ex;" alt="{\displaystyle xy=1}"></span>) is one to two orders of magnitude slower<sup id="cite_ref-31" class="reference"><a href="#cite_note-31"><span class="cite-bracket">&#91;</span>31<span class="cite-bracket">&#93;</span></a></sup> than multiplication. However, points on a curve can be represented in different coordinate systems which do not require an <a href="/wiki/Modular_multiplicative_inverse" title="Modular multiplicative inverse">inversion</a> operation to add two points. 
Several such systems were proposed: in the <i>projective</i> system each point is represented by three coordinates <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle (X,Y,Z)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mo stretchy="false">(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <mi>Z</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle (X,Y,Z)}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/15fcf4aac62f9533d646603bdc5a9cf76ce95c23" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:9.311ex; height:2.843ex;" alt="{\displaystyle (X,Y,Z)}"></span> using the following relation: <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x={\frac {X}{Z}}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>x</mi> <mo>=</mo> <mrow class="MJX-TeXAtom-ORD"> <mfrac> <mi>X</mi> <mi>Z</mi> </mfrac> </mrow> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x={\frac {X}{Z}}}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/a128a5b548d8d9b23c2fa0446768a61cb0dc0853" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.838ex; width:7.244ex; height:5.176ex;" alt="{\displaystyle x={\frac {X}{Z}}}"></span>, <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle y={\frac {Y}{Z}}}"> <semantics> 
<mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>y</mi> <mo>=</mo> <mrow class="MJX-TeXAtom-ORD"> <mfrac> <mi>Y</mi> <mi>Z</mi> </mfrac> </mrow> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle y={\frac {Y}{Z}}}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/f54ff3015e02cd67e29a3eaef73054ec56ea1432" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.838ex; width:6.863ex; height:5.176ex;" alt="{\displaystyle y={\frac {Y}{Z}}}"></span>; in the <i>Jacobian system</i> a point is also represented with three coordinates <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle (X,Y,Z)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mo stretchy="false">(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <mi>Z</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle (X,Y,Z)}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/15fcf4aac62f9533d646603bdc5a9cf76ce95c23" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:9.311ex; height:2.843ex;" alt="{\displaystyle (X,Y,Z)}"></span>, but a different relation is used: <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x={\frac {X}{Z^{2}}}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>x</mi> <mo>=</mo> <mrow class="MJX-TeXAtom-ORD"> <mfrac> <mi>X</mi> <msup> <mi>Z</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msup> </mfrac> </mrow> 
</mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x={\frac {X}{Z^{2}}}}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/9245e48cc26c553bd4d2718d2f98e4ac9044e5c1" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -2.005ex; width:8.027ex; height:5.343ex;" alt="{\displaystyle x={\frac {X}{Z^{2}}}}"></span>, <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle y={\frac {Y}{Z^{3}}}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>y</mi> <mo>=</mo> <mrow class="MJX-TeXAtom-ORD"> <mfrac> <mi>Y</mi> <msup> <mi>Z</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>3</mn> </mrow> </msup> </mfrac> </mrow> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle y={\frac {Y}{Z^{3}}}}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/4c41c0f3df23d36c9f6fdcf66eecce7aa777974b" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -2.005ex; width:7.853ex; height:5.343ex;" alt="{\displaystyle y={\frac {Y}{Z^{3}}}}"></span>; in the <i>López–Dahab system</i> the relation is <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x={\frac {X}{Z}}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>x</mi> <mo>=</mo> <mrow class="MJX-TeXAtom-ORD"> <mfrac> <mi>X</mi> <mi>Z</mi> </mfrac> </mrow> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x={\frac {X}{Z}}}</annotation> </semantics> </math></span><img 
src="https://wikimedia.org/api/rest_v1/media/math/render/svg/a128a5b548d8d9b23c2fa0446768a61cb0dc0853" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.838ex; width:7.244ex; height:5.176ex;" alt="{\displaystyle x={\frac {X}{Z}}}"></span>, <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle y={\frac {Y}{Z^{2}}}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>y</mi> <mo>=</mo> <mrow class="MJX-TeXAtom-ORD"> <mfrac> <mi>Y</mi> <msup> <mi>Z</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msup> </mfrac> </mrow> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle y={\frac {Y}{Z^{2}}}}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/cd4a44331a28859d2de621c25aa829015e8998ad" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -2.005ex; width:7.853ex; height:5.343ex;" alt="{\displaystyle y={\frac {Y}{Z^{2}}}}"></span>; in the <i>modified Jacobian</i> system the same relations are used but four coordinates are stored and used for calculations <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle (X,Y,Z,aZ^{4})}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mo stretchy="false">(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <mi>Z</mi> <mo>,</mo> <mi>a</mi> <msup> <mi>Z</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>4</mn> </mrow> </msup> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle (X,Y,Z,aZ^{4})}</annotation> </semantics> </math></span><img 
src="https://wikimedia.org/api/rest_v1/media/math/render/svg/791891184fae2f51ebc3c61ce19f5fae0754470c" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:14.337ex; height:3.176ex;" alt="{\displaystyle (X,Y,Z,aZ^{4})}"></span>; and in the <i>Chudnovsky Jacobian</i> system five coordinates are used <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle (X,Y,Z,Z^{2},Z^{3})}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mo stretchy="false">(</mo> <mi>X</mi> <mo>,</mo> <mi>Y</mi> <mo>,</mo> <mi>Z</mi> <mo>,</mo> <msup> <mi>Z</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msup> <mo>,</mo> <msup> <mi>Z</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>3</mn> </mrow> </msup> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle (X,Y,Z,Z^{2},Z^{3})}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/244b32573250cb250e5e3ef292c60490d2ead2fb" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:16.904ex; height:3.176ex;" alt="{\displaystyle (X,Y,Z,Z^{2},Z^{3})}"></span>. Note that there may be different naming conventions; for example, the <a href="/wiki/IEEE_P1363" title="IEEE P1363">IEEE P1363</a>-2000 standard uses "projective coordinates" to refer to what is commonly called Jacobian coordinates. 
An additional speed-up is possible if mixed coordinates are used.<sup id="cite_ref-32" class="reference"><a href="#cite_note-32"><span class="cite-bracket">&#91;</span>32<span class="cite-bracket">&#93;</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Fast_reduction_(NIST_curves)"><span id="Fast_reduction_.28NIST_curves.29"></span>Fast reduction (NIST curves)</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Elliptic-curve_cryptography&amp;action=edit&amp;section=11" title="Edit section: Fast reduction (NIST curves)"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Reduction modulo <i>p</i> (which is needed for addition and multiplication) can be executed much faster if the prime <i>p</i> is a pseudo-<a href="/wiki/Mersenne_prime" title="Mersenne prime">Mersenne prime</a>, that is <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p\approx 2^{d}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>p</mi> <mo>&#x2248;<!-- ≈ --></mo> <msup> <mn>2</mn> <mrow class="MJX-TeXAtom-ORD"> <mi>d</mi> </mrow> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p\approx 2^{d}}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/db99547ffde5293fae68fffc55c22ace3b80cc5b" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; margin-left: -0.089ex; width:6.612ex; height:3.009ex;" alt="{\displaystyle p\approx 2^{d}}"></span>; for example, <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p=2^{521}-1}"> <semantics> <mrow 
class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>p</mi> <mo>=</mo> <msup> <mn>2</mn> <mrow class="MJX-TeXAtom-ORD"> <mn>521</mn> </mrow> </msup> <mo>&#x2212;<!-- − --></mo> <mn>1</mn> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p=2^{521}-1}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/9c524daa1c5aeeaf5691344d68a5ac15c673c390" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; margin-left: -0.089ex; width:12.221ex; height:3.009ex;" alt="{\displaystyle p=2^{521}-1}"></span> or <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p=2^{256}-2^{32}-2^{9}-2^{8}-2^{7}-2^{6}-2^{4}-1.}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>p</mi> <mo>=</mo> <msup> <mn>2</mn> <mrow class="MJX-TeXAtom-ORD"> <mn>256</mn> </mrow> </msup> <mo>&#x2212;<!-- − --></mo> <msup> <mn>2</mn> <mrow class="MJX-TeXAtom-ORD"> <mn>32</mn> </mrow> </msup> <mo>&#x2212;<!-- − --></mo> <msup> <mn>2</mn> <mrow class="MJX-TeXAtom-ORD"> <mn>9</mn> </mrow> </msup> <mo>&#x2212;<!-- − --></mo> <msup> <mn>2</mn> <mrow class="MJX-TeXAtom-ORD"> <mn>8</mn> </mrow> </msup> <mo>&#x2212;<!-- − --></mo> <msup> <mn>2</mn> <mrow class="MJX-TeXAtom-ORD"> <mn>7</mn> </mrow> </msup> <mo>&#x2212;<!-- − --></mo> <msup> <mn>2</mn> <mrow class="MJX-TeXAtom-ORD"> <mn>6</mn> </mrow> </msup> <mo>&#x2212;<!-- − --></mo> <msup> <mn>2</mn> <mrow class="MJX-TeXAtom-ORD"> <mn>4</mn> </mrow> </msup> <mo>&#x2212;<!-- − --></mo> <mn>1.</mn> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p=2^{256}-2^{32}-2^{9}-2^{8}-2^{7}-2^{6}-2^{4}-1.}</annotation> </semantics> </math></span><img 
src="https://wikimedia.org/api/rest_v1/media/math/render/svg/03f7d3c4ad1b6d755f3ceb34b2695954ec24bc34" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; margin-left: -0.089ex; width:44.032ex; height:3.009ex;" alt="{\displaystyle p=2^{256}-2^{32}-2^{9}-2^{8}-2^{7}-2^{6}-2^{4}-1.}"></span> Compared to <a href="/wiki/Barrett_reduction" title="Barrett reduction">Barrett reduction</a>, there can be an order of magnitude speed-up.<sup id="cite_ref-33" class="reference"><a href="#cite_note-33"><span class="cite-bracket">&#91;</span>33<span class="cite-bracket">&#93;</span></a></sup> The speed-up here is a practical rather than theoretical one, and derives from the fact that reducing a number modulo a number near a power of two can be performed efficiently by computers operating on binary numbers with <a href="/wiki/Bitwise_operation" title="Bitwise operation">bitwise operations</a>. </p><p>The curves over <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {F} _{p}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">F</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>p</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {F} _{p}}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/2d35035371db7bee93733c68c1802114c17d8bb4" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.005ex; width:2.479ex; height:2.843ex;" alt="{\displaystyle \mathbb {F} _{p}}"></span> with pseudo-Mersenne <i>p</i> are recommended by NIST. 
Yet another advantage of the NIST curves is that they use <i>a</i>&#160;=&#160;−3, which improves addition in Jacobian coordinates. </p><p>According to Bernstein and Lange, many of the efficiency-related decisions in NIST FIPS 186-2 are suboptimal. Other curves are more secure and run just as fast.<sup id="cite_ref-34" class="reference"><a href="#cite_note-34"><span class="cite-bracket">&#91;</span>34<span class="cite-bracket">&#93;</span></a></sup> </p> <div class="mw-heading mw-heading2"><h2 id="Security">Security</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Elliptic-curve_cryptography&amp;action=edit&amp;section=12" title="Edit section: Security"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <div class="mw-heading mw-heading3"><h3 id="Side-channel_attacks">Side-channel attacks</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Elliptic-curve_cryptography&amp;action=edit&amp;section=13" title="Edit section: Side-channel attacks"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Unlike most other <a href="/wiki/Discrete_Logarithm" class="mw-redirect" title="Discrete Logarithm">DLP</a> systems (where it is possible to use the same procedure for squaring and multiplication), the EC addition is significantly different for doubling (<i>P</i> = <i>Q</i>) and general addition (<i>P</i> ≠ <i>Q</i>) depending on the coordinate system used. Consequently, it is important to counteract <a href="/wiki/Side-channel_attack" title="Side-channel attack">side-channel attacks</a> (e.g., timing or <a href="/wiki/Power_analysis" title="Power analysis">simple/differential power analysis attacks</a>) using, for example, fixed pattern window (a.k.a. 
comb) methods<sup class="noprint Inline-Template" style="margin-left:0.1em; white-space:nowrap;">&#91;<i><a href="/wiki/Wikipedia:Please_clarify" title="Wikipedia:Please clarify"><span title="The text near this tag may need clarification or removal of jargon. (December 2011)">clarification needed</span></a></i>&#93;</sup><sup id="cite_ref-35" class="reference"><a href="#cite_note-35"><span class="cite-bracket">&#91;</span>35<span class="cite-bracket">&#93;</span></a></sup> (note that this does not increase computation time). Alternatively one can use an <a href="/wiki/Edwards_curve" title="Edwards curve">Edwards curve</a>; this is a special family of elliptic curves for which doubling and addition can be done with the same operation.<sup id="cite_ref-36" class="reference"><a href="#cite_note-36"><span class="cite-bracket">&#91;</span>36<span class="cite-bracket">&#93;</span></a></sup> Another concern for ECC systems is the danger of <a href="/wiki/Differential_fault_analysis" title="Differential fault analysis">fault attacks</a>, especially when running on <a href="/wiki/Smart_card" title="Smart card">smart cards</a>.<sup id="cite_ref-37" class="reference"><a href="#cite_note-37"><span class="cite-bracket">&#91;</span>37<span class="cite-bracket">&#93;</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Backdoors">Backdoors</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Elliptic-curve_cryptography&amp;action=edit&amp;section=14" title="Edit section: Backdoors"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Cryptographic experts have expressed concerns that the <a href="/wiki/National_Security_Agency" title="National Security Agency">National Security Agency</a> has inserted a <a href="/wiki/Kleptographic" class="mw-redirect" title="Kleptographic">kleptographic</a> backdoor into at least one elliptic curve-based pseudorandom generator.<sup id="cite_ref-38" 
class="reference"><a href="#cite_note-38"><span class="cite-bracket">&#91;</span>38<span class="cite-bracket">&#93;</span></a></sup> Internal memos leaked by former NSA contractor <a href="/wiki/Edward_Snowden" title="Edward Snowden">Edward Snowden</a> suggest that the NSA put a backdoor in the <a href="/wiki/Dual_EC_DRBG" title="Dual EC DRBG">Dual EC DRBG</a> standard.<sup id="cite_ref-39" class="reference"><a href="#cite_note-39"><span class="cite-bracket">&#91;</span>39<span class="cite-bracket">&#93;</span></a></sup> One analysis of the possible backdoor concluded that an adversary in possession of the algorithm's secret key could obtain encryption keys given only 32 bytes of PRNG output.<sup id="cite_ref-40" class="reference"><a href="#cite_note-40"><span class="cite-bracket">&#91;</span>40<span class="cite-bracket">&#93;</span></a></sup> </p><p>The SafeCurves project has been launched in order to catalog curves that are easy to implement securely and are designed in a fully publicly verifiable way to minimize the chance of a backdoor.<sup id="cite_ref-41" class="reference"><a href="#cite_note-41"><span class="cite-bracket">&#91;</span>41<span class="cite-bracket">&#93;</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Quantum_computing_attack">Quantum computing attack</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Elliptic-curve_cryptography&amp;action=edit&amp;section=15" title="Edit section: Quantum computing attack"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p><a href="/wiki/Shor%27s_algorithm" title="Shor&#39;s algorithm">Shor's algorithm</a> can be used to break elliptic curve cryptography by computing discrete logarithms on a hypothetical <a href="/wiki/Quantum_computing" title="Quantum computing">quantum computer</a>. 
The latest quantum resource estimates for breaking a curve with a 256-bit modulus (128-bit security level) are 2330 <a href="/wiki/Qubits" class="mw-redirect" title="Qubits">qubits</a> and 126 billion <a href="/wiki/Toffoli_gate" title="Toffoli gate">Toffoli gates</a>.<sup id="cite_ref-42" class="reference"><a href="#cite_note-42"><span class="cite-bracket">&#91;</span>42<span class="cite-bracket">&#93;</span></a></sup> For the binary elliptic curve case, 906 qubits are necessary (to break 128 bits of security).<sup id="cite_ref-43" class="reference"><a href="#cite_note-43"><span class="cite-bracket">&#91;</span>43<span class="cite-bracket">&#93;</span></a></sup> In comparison, using Shor's algorithm to break the <a href="/wiki/RSA_(cryptosystem)" title="RSA (cryptosystem)">RSA</a> algorithm requires 4098 qubits and 5.2 trillion Toffoli gates for a 2048-bit RSA key, suggesting that ECC is an easier target for quantum computers than RSA. All of these figures vastly exceed any quantum computer that has ever been built, and estimates place the creation of such computers at a decade or more away.<sup class="noprint Inline-Template Template-Fact" style="white-space:nowrap;">&#91;<i><a href="/wiki/Wikipedia:Citation_needed" title="Wikipedia:Citation needed"><span title="This claim needs references to reliable sources. 
(September 2020)">citation needed</span></a></i>&#93;</sup><sup id="cite_ref-44" class="reference"><a href="#cite_note-44"><span class="cite-bracket">&#91;</span>44<span class="cite-bracket">&#93;</span></a></sup> </p><p><a href="/wiki/Supersingular_isogeny_key_exchange" title="Supersingular isogeny key exchange">Supersingular Isogeny Diffie–Hellman Key Exchange</a> was claimed to provide a <a href="/wiki/Post-quantum_cryptography" title="Post-quantum cryptography">post-quantum</a> secure form of elliptic curve cryptography by using <a href="/wiki/Isogenies" class="mw-redirect" title="Isogenies">isogenies</a> to implement <a href="/wiki/Diffie%E2%80%93Hellman" class="mw-redirect" title="Diffie–Hellman">Diffie–Hellman</a> key exchanges. This key exchange uses much of the same field arithmetic as existing elliptic curve cryptography and requires computational and transmission overhead similar to many currently used public key systems.<sup id="cite_ref-45" class="reference"><a href="#cite_note-45"><span class="cite-bracket">&#91;</span>45<span class="cite-bracket">&#93;</span></a></sup> However, new classical attacks undermined the security of this protocol.<sup id="cite_ref-46" class="reference"><a href="#cite_note-46"><span class="cite-bracket">&#91;</span>46<span class="cite-bracket">&#93;</span></a></sup> </p><p>In August 2015, the NSA announced that it planned to transition "in the not distant future" to a new cipher suite that is resistant to <a href="/wiki/Quantum_computing" title="Quantum computing">quantum</a> attacks. 
The announcement stated: "Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy."<sup id="cite_ref-nsaquantum_11-1" class="reference"><a href="#cite_note-nsaquantum-11"><span class="cite-bracket">&#91;</span>11<span class="cite-bracket">&#93;</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Invalid_curve_attack">Invalid curve attack</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Elliptic-curve_cryptography&amp;action=edit&amp;section=16" title="Edit section: Invalid curve attack"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>When ECC is used in <a href="/wiki/Virtual_machine" title="Virtual machine">virtual machines</a>, an attacker may use an invalid curve to get a complete Platform Diffie–Hellman (PDH) private key.<sup id="cite_ref-Cohen,_Seclist,_2019_47-0" class="reference"><a href="#cite_note-Cohen,_Seclist,_2019-47"><span class="cite-bracket">&#91;</span>47<span class="cite-bracket">&#93;</span></a></sup> The attack depends on an implementation accepting a point that does not lie on the intended curve; checking that every received public point satisfies the curve equation and belongs to the expected subgroup before it is used in a scalar multiplication prevents it. </p> <div class="mw-heading mw-heading2"><h2 id="Alternative_representations">Alternative representations</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Elliptic-curve_cryptography&amp;action=edit&amp;section=17" title="Edit section: Alternative representations"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Alternative representations of elliptic curves include: </p> <ul><li><a href="/wiki/Hessian_curves" class="mw-redirect" title="Hessian curves">Hessian curves</a></li> <li><a href="/wiki/Edwards_curves" class="mw-redirect" title="Edwards curves">Edwards curves</a></li> <li><a href="/wiki/Twisted_curves" class="mw-redirect" title="Twisted curves">Twisted curves</a></li> <li><a href="/wiki/Twisted_Hessian_curves" title="Twisted Hessian curves">Twisted Hessian 
curves</a></li> <li><a href="/wiki/Twisted_Edwards_curve" title="Twisted Edwards curve">Twisted Edwards curve</a></li> <li><a href="/wiki/Doubling-oriented_Doche%E2%80%93Icart%E2%80%93Kohel_curve" title="Doubling-oriented Doche–Icart–Kohel curve">Doubling-oriented Doche–Icart–Kohel curve</a></li> <li><a href="/wiki/Tripling-oriented_Doche%E2%80%93Icart%E2%80%93Kohel_curve" title="Tripling-oriented Doche–Icart–Kohel curve">Tripling-oriented Doche–Icart–Kohel curve</a></li> <li><a href="/wiki/Jacobian_curve" title="Jacobian curve">Jacobian curve</a></li> <li><a href="/wiki/Montgomery_curve" title="Montgomery curve">Montgomery curves</a></li></ul> <div class="mw-heading mw-heading2"><h2 id="See_also">See also</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Elliptic-curve_cryptography&amp;action=edit&amp;section=18" title="Edit section: See also"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <style data-mw-deduplicate="TemplateStyles:r1184024115">.mw-parser-output .div-col{margin-top:0.3em;column-width:30em}.mw-parser-output .div-col-small{font-size:90%}.mw-parser-output .div-col-rules{column-rule:1px solid #aaa}.mw-parser-output .div-col dl,.mw-parser-output .div-col ol,.mw-parser-output .div-col ul{margin-top:0}.mw-parser-output .div-col li,.mw-parser-output .div-col dd{page-break-inside:avoid;break-inside:avoid-column}</style><div class="div-col" style="column-width: 20em;"> <ul><li><a href="/wiki/Cryptocurrency" title="Cryptocurrency">Cryptocurrency</a></li> <li><a href="/wiki/Curve25519" title="Curve25519">Curve25519</a></li> <li><a href="/wiki/FourQ" title="FourQ">FourQ</a></li> <li><a href="/wiki/DNSCurve" title="DNSCurve">DNSCurve</a></li> <li><a href="/wiki/RSA_(cryptosystem)" title="RSA (cryptosystem)">RSA (cryptosystem)</a></li> <li><a href="/wiki/ECC_patents" title="ECC patents">ECC patents</a></li> <li><a href="/wiki/Elliptic-curve_Diffie%E2%80%93Hellman" 
title="Elliptic-curve Diffie–Hellman">Elliptic-curve Diffie–Hellman</a> (ECDH)</li> <li><a href="/wiki/Elliptic_Curve_Digital_Signature_Algorithm" title="Elliptic Curve Digital Signature Algorithm">Elliptic Curve Digital Signature Algorithm</a> (ECDSA)</li> <li><a href="/wiki/EdDSA" title="EdDSA">EdDSA</a></li> <li><a href="/wiki/ECMQV" class="mw-redirect" title="ECMQV">ECMQV</a></li> <li><a href="/wiki/Elliptic_curve_point_multiplication" title="Elliptic curve point multiplication">Elliptic curve point multiplication</a></li> <li><a href="/wiki/Homomorphic_signatures_for_network_coding" title="Homomorphic signatures for network coding">Homomorphic signatures for network coding</a></li> <li><a href="/wiki/Hyperelliptic_curve_cryptography" title="Hyperelliptic curve cryptography">Hyperelliptic curve cryptography</a></li> <li><a href="/wiki/Pairing-based_cryptography" title="Pairing-based cryptography">Pairing-based cryptography</a></li> <li><a href="/wiki/Public-key_cryptography" title="Public-key cryptography">Public-key cryptography</a></li> <li><a href="/wiki/Quantum_cryptography" title="Quantum cryptography">Quantum cryptography</a></li> <li><a href="/wiki/Supersingular_isogeny_key_exchange" title="Supersingular isogeny key exchange">Supersingular isogeny key exchange</a></li> <li><a href="/wiki/BLS_digital_signature" title="BLS digital signature">BLS digital signature</a></li></ul> </div> <div class="mw-heading mw-heading2"><h2 id="Notes">Notes</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Elliptic-curve_cryptography&amp;action=edit&amp;section=19" title="Edit section: Notes"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <style data-mw-deduplicate="TemplateStyles:r1239543626">.mw-parser-output .reflist{margin-bottom:0.5em;list-style-type:decimal}@media screen{.mw-parser-output .reflist{font-size:90%}}.mw-parser-output .reflist 
.references{font-size:100%;margin-bottom:0;list-style-type:inherit}.mw-parser-output .reflist-columns-2{column-width:30em}.mw-parser-output .reflist-columns-3{column-width:25em}.mw-parser-output .reflist-columns{margin-top:0.3em}.mw-parser-output .reflist-columns ol{margin-top:0}.mw-parser-output .reflist-columns li{page-break-inside:avoid;break-inside:avoid-column}.mw-parser-output .reflist-upper-alpha{list-style-type:upper-alpha}.mw-parser-output .reflist-upper-roman{list-style-type:upper-roman}.mw-parser-output .reflist-lower-alpha{list-style-type:lower-alpha}.mw-parser-output .reflist-lower-greek{list-style-type:lower-greek}.mw-parser-output .reflist-lower-roman{list-style-type:lower-roman}</style><div class="reflist reflist-columns references-column-width" style="column-width: 30em;"> <ol class="references"> <li id="cite_note-:0-1"><span class="mw-cite-backlink">^ <a href="#cite_ref-:0_1-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-:0_1-1"><sup><i><b>b</b></i></sup></a> <a href="#cite_ref-:0_1-2"><sup><i><b>c</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20090117023500/http://www.nsa.gov/business/programs/elliptic_curve.shtml">"The Case for Elliptic Curve Cryptography"</a>. <i>NSA</i>. 
Archived from <a rel="nofollow" class="external text" href="http://www.nsa.gov/business/programs/elliptic_curve.shtml">the original</a> on 2009-01-17.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=unknown&amp;rft.jtitle=NSA&amp;rft.atitle=The+Case+for+Elliptic+Curve+Cryptography&amp;rft_id=http%3A%2F%2Fwww.nsa.gov%2Fbusiness%2Fprograms%2Felliptic_curve.shtml&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-2"><span class="mw-cite-backlink"><b><a href="#cite_ref-2">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFKoblitz1987" class="citation journal cs1">Koblitz, N. (1987). <a rel="nofollow" class="external text" href="https://doi.org/10.2307%2F2007884">"Elliptic curve cryptosystems"</a>. <i>Mathematics of Computation</i>. <b>48</b> (177): 203–209. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.2307%2F2007884">10.2307/2007884</a></span>. 
<a href="/wiki/JSTOR_(identifier)" class="mw-redirect" title="JSTOR (identifier)">JSTOR</a>&#160;<a rel="nofollow" class="external text" href="https://www.jstor.org/stable/2007884">2007884</a>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=article&amp;rft.jtitle=Mathematics+of+Computation&amp;rft.atitle=Elliptic+curve+cryptosystems&amp;rft.volume=48&amp;rft.issue=177&amp;rft.pages=203-209&amp;rft.date=1987&amp;rft_id=info%3Adoi%2F10.2307%2F2007884&amp;rft_id=https%3A%2F%2Fwww.jstor.org%2Fstable%2F2007884%23id-name%3DJSTOR&amp;rft.aulast=Koblitz&amp;rft.aufirst=N.&amp;rft_id=https%3A%2F%2Fdoi.org%2F10.2307%252F2007884&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-3"><span class="mw-cite-backlink"><b><a href="#cite_ref-3">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFMiller1986" class="citation book cs1">Miller, V. (1986). "Use of Elliptic Curves in Cryptography". <i>Advances in Cryptology — CRYPTO '85 Proceedings</i>. Lecture Notes in Computer Science. Vol.&#160;85. pp.&#160;417–426. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1007%2F3-540-39799-X_31">10.1007/3-540-39799-X_31</a>. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a>&#160;<a href="/wiki/Special:BookSources/978-3-540-16463-0" title="Special:BookSources/978-3-540-16463-0"><bdi>978-3-540-16463-0</bdi></a>. 
<a href="/wiki/S2CID_(identifier)" class="mw-redirect" title="S2CID (identifier)">S2CID</a>&#160;<a rel="nofollow" class="external text" href="https://api.semanticscholar.org/CorpusID:206617984">206617984</a>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&amp;rft.genre=bookitem&amp;rft.atitle=Use+of+Elliptic+Curves+in+Cryptography&amp;rft.btitle=Advances+in+Cryptology+%E2%80%94+CRYPTO+%2785+Proceedings&amp;rft.series=Lecture+Notes+in+Computer+Science&amp;rft.pages=417-426&amp;rft.date=1986&amp;rft_id=https%3A%2F%2Fapi.semanticscholar.org%2FCorpusID%3A206617984%23id-name%3DS2CID&amp;rft_id=info%3Adoi%2F10.1007%2F3-540-39799-X_31&amp;rft.isbn=978-3-540-16463-0&amp;rft.aulast=Miller&amp;rft.aufirst=V.&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-4"><span class="mw-cite-backlink"><b><a href="#cite_ref-4">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://csrc.nist.gov/publications/detail/fips/186/4/final">"Digital Signature Standard (DSS)"</a>. National Institute of Standards and Technology. 2013-07-19. 
<a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.6028%2FNIST.FIPS.186-4">10.6028/NIST.FIPS.186-4</a></span>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&amp;rft.genre=unknown&amp;rft.btitle=Digital+Signature+Standard+%28DSS%29&amp;rft.pub=National+Institute+of+Standards+and+Technology&amp;rft.date=2013-07-19&amp;rft_id=info%3Adoi%2F10.6028%2FNIST.FIPS.186-4&amp;rft_id=https%3A%2F%2Fcsrc.nist.gov%2Fpublications%2Fdetail%2Ffips%2F186%2F4%2Ffinal&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-5"><span class="mw-cite-backlink"><b><a href="#cite_ref-5">^</a></b></span> <span class="reference-text">FIPS PUB 186-3, <a rel="nofollow" class="external text" href="http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf">Digital Signature Standard (DSS)</a>.</span> </li> <li id="cite_note-6"><span class="mw-cite-backlink"><b><a href="#cite_ref-6">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20090207005135/http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml">"Fact Sheet NSA Suite B Cryptography"</a>. <i>U.S. National Security Agency</i>. 
Archived from <a rel="nofollow" class="external text" href="http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml">the original</a> on 2009-02-07.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=unknown&amp;rft.jtitle=U.S.+National+Security+Agency&amp;rft.atitle=Fact+Sheet+NSA+Suite+B+Cryptography&amp;rft_id=http%3A%2F%2Fwww.nsa.gov%2Fia%2Fprograms%2Fsuiteb_cryptography%2Findex.shtml&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-7"><span class="mw-cite-backlink"><b><a href="#cite_ref-7">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFPerlrothLarsonShane2013" class="citation news cs1">Perlroth, Nicole; Larson, Jeff; Shane, Scott (2013-09-05). <a rel="nofollow" class="external text" href="https://ghostarchive.org/archive/20220101/https://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html">"N.S.A. Able to Foil Basic Safeguards of Privacy on Web"</a>. <i>New York Times</i>. Archived from <span class="id-lock-limited" title="Free access subject to limited trial, subscription normally required"><a rel="nofollow" class="external text" href="https://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html">the original</a></span> on 2022-01-01<span class="reference-accessdate">. 
Retrieved <span class="nowrap">28 October</span> 2018</span>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=article&amp;rft.jtitle=New+York+Times&amp;rft.atitle=N.S.A.+Able+to+Foil+Basic+Safeguards+of+Privacy+on+Web&amp;rft.date=2013-09-05&amp;rft.aulast=Perlroth&amp;rft.aufirst=Nicole&amp;rft.au=Larson%2C+Jeff&amp;rft.au=Shane%2C+Scott&amp;rft_id=https%3A%2F%2Fwww.nytimes.com%2F2013%2F09%2F06%2Fus%2Fnsa-foils-much-internet-encryption.html&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-8"><span class="mw-cite-backlink"><b><a href="#cite_ref-8">^</a></b></span> <span class="reference-text">Kim Zetter, <a rel="nofollow" class="external text" href="https://www.wired.com/threatlevel/2013/09/rsa-advisory-nsa-algorithm/">RSA Tells Its Developer Customers: Stop Using NSA-Linked Algorithm</a> <i><a href="/wiki/Wired_(magazine)" title="Wired (magazine)">Wired</a></i>, 19 September 2013. "Recommending against the use of SP 800-90A Dual Elliptic Curve Deterministic Random Bit Generation: NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used."</span> </li> <li id="cite_note-9"><span class="mw-cite-backlink"><b><a href="#cite_ref-9">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-90-A+Rev+1+B+and+C">"Search – CSRC"</a>. 
<i>csrc.nist.gov</i>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=unknown&amp;rft.jtitle=csrc.nist.gov&amp;rft.atitle=Search+%E2%80%93+CSRC&amp;rft_id=http%3A%2F%2Fcsrc.nist.gov%2Fpublications%2FPubsDrafts.html%23SP-800-90-A%2BRev%2B1%2BB%2Band%2BC&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-10"><span class="mw-cite-backlink"><b><a href="#cite_ref-10">^</a></b></span> <span class="reference-text"><a href="/wiki/Bruce_Schneier" title="Bruce Schneier">Bruce Schneier</a> (5 September) "I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry." See <a rel="nofollow" class="external text" href="http://it.slashdot.org/firehose.pl?op=view&amp;type=story&amp;sid=13/09/11/1224252">Are the NIST Standard Elliptic Curves Back-doored?</a>, <i><a href="/wiki/Slashdot" title="Slashdot">Slashdot</a></i>, 11 September 2013.</span> </li> <li id="cite_note-nsaquantum-11"><span class="mw-cite-backlink">^ <a href="#cite_ref-nsaquantum_11-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-nsaquantum_11-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://apps.nsa.gov/iaarchive/programs/iad-initiatives/cnsa-suite.cfm">"Commercial National Security Algorithm Suite"</a>. <i>www.nsa.gov</i>. 19 August 2015. <a rel="nofollow" class="external text" href="https://web.archive.org/web/20190604080321/https://apps.nsa.gov/iaarchive/programs/iad-initiatives/cnsa-suite.cfm">Archived</a> from the original on 2019-06-04<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2020-01-08</span></span>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=unknown&amp;rft.jtitle=www.nsa.gov&amp;rft.atitle=Commercial+National+Security+Algorithm+Suite&amp;rft.date=2015-08-19&amp;rft_id=https%3A%2F%2Fapps.nsa.gov%2Fiaarchive%2Fprograms%2Fiad-initiatives%2Fcnsa-suite.cfm&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-nsaQCfaq-12"><span class="mw-cite-backlink"><b><a href="#cite_ref-nsaQCfaq_12-0">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf">Commercial National Security Algorithm Suite and Quantum Computing FAQ</a> U.S. National Security Agency, January 2016.</span> </li> <li id="cite_note-13"><span class="mw-cite-backlink"><b><a href="#cite_ref-13">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFRSA_Laboratories" class="citation web cs1">RSA Laboratories. <a rel="nofollow" class="external text" href="https://web.archive.org/web/20161101041810/http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/are-elliptic-curve-cryptosystems-patented.htm">"6.3.4 Are elliptic curve cryptosystems patented?"</a>. 
Archived from <a rel="nofollow" class="external text" href="http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/are-elliptic-curve-cryptosystems-patented.htm">the original</a> on 2016-11-01.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&amp;rft.genre=unknown&amp;rft.btitle=6.3.4+Are+elliptic+curve+cryptosystems+patented%3F&amp;rft.au=RSA+Laboratories&amp;rft_id=http%3A%2F%2Fwww.emc.com%2Femc-plus%2Frsa-labs%2Fstandards-initiatives%2Fare-elliptic-curve-cryptosystems-patented.htm&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-14"><span class="mw-cite-backlink"><b><a href="#cite_ref-14">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFBernstein" class="citation web cs1">Bernstein, D. J. <a rel="nofollow" class="external text" href="http://cr.yp.to/ecdh/patents.html">"Irrelevant patents on elliptic-curve cryptography"</a>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&amp;rft.genre=unknown&amp;rft.btitle=Irrelevant+patents+on+elliptic-curve+cryptography&amp;rft.aulast=Bernstein&amp;rft.aufirst=D.+J.&amp;rft_id=http%3A%2F%2Fcr.yp.to%2Fecdh%2Fpatents.html&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-15"><span class="mw-cite-backlink"><b><a href="#cite_ref-15">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20180417212206/http://www.ecc-brainpool.org/download/Domain-parameters.pdf">Archived</a> 2018-04-17 at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a></span> </li> <li id="cite_note-16"><span class="mw-cite-backlink"><b><a href="#cite_ref-16">^</a></b></span> <span class="reference-text"><link 
rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation pressrelease cs1"><a rel="nofollow" class="external text" href="https://www.secunet.com/en/about-us/news-events/article/elliptic-curve-cryptography-made-in-germany-1#:~:text=In%20contrast%2C%20the%20Brainpool%20curves,and%20from%20Euler&#39;s%20number%20e.">"Elliptic Curve Cryptography "Made in Germany"<span class="cs1-kern-right"></span>"</a> (Press release). 2014-06-25.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&amp;rft.genre=unknown&amp;rft.btitle=Elliptic+Curve+Cryptography+%22Made+in+Germany%22&amp;rft.date=2014-06-25&amp;rft_id=https%3A%2F%2Fwww.secunet.com%2Fen%2Fabout-us%2Fnews-events%2Farticle%2Felliptic-curve-cryptography-made-in-germany-1%23%3A~%3Atext%3DIn%2520contrast%252C%2520the%2520Brainpool%2520curves%2Cand%2520from%2520Euler%27s%2520number%2520e.&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-17"><span class="mw-cite-backlink"><b><a href="#cite_ref-17">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20130606004254/http://www.secg.org/download/aid-390/gec2.pdf">"GEC 2: Test Vectors for SEC 1"</a> <span class="cs1-format">(PDF)</span>. <i>www.secg.org</i>. 
Archived from <a rel="nofollow" class="external text" href="http://www.secg.org/download/aid-390/gec2.pdf">the original</a> <span class="cs1-format">(PDF download)</span> on 2013-06-06.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=unknown&amp;rft.jtitle=www.secg.org&amp;rft.atitle=GEC+2%3A+Test+Vectors+for+SEC+1&amp;rft_id=http%3A%2F%2Fwww.secg.org%2Fdownload%2Faid-390%2Fgec2.pdf&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-18"><span class="mw-cite-backlink"><b><a href="#cite_ref-18">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFLayZimmer1994" class="citation book cs1">Lay, Georg-Johann; Zimmer, Horst G. (1994). "Constructing elliptic curves with given group order over large finite fields". <i>Algorithmic Number Theory</i>. Lecture Notes in Computer Science. Vol.&#160;877. pp.&#160;250–263. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1007%2F3-540-58691-1_64">10.1007/3-540-58691-1_64</a>. 
<a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a>&#160;<a href="/wiki/Special:BookSources/978-3-540-58691-3" title="Special:BookSources/978-3-540-58691-3"><bdi>978-3-540-58691-3</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&amp;rft.genre=bookitem&amp;rft.atitle=Constructing+elliptic+curves+with+given+group+order+over+large+finite+fields&amp;rft.btitle=Algorithmic+Number+Theory&amp;rft.series=Lecture+Notes+in+Computer+Science&amp;rft.pages=250-263&amp;rft.date=1994&amp;rft_id=info%3Adoi%2F10.1007%2F3-540-58691-1_64&amp;rft.isbn=978-3-540-58691-3&amp;rft.aulast=Lay&amp;rft.aufirst=Georg-Johann&amp;rft.au=Zimmer%2C+Horst+G.&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-19"><span class="mw-cite-backlink"><b><a href="#cite_ref-19">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFGalbraithSmart1999" class="citation book cs1">Galbraith, S. D.; Smart, N. P. (1999). "A Cryptographic Application of Weil Descent". <i>A cryptographic application of the Weil descent</i>. Lecture Notes in Computer Science. Vol.&#160;1746. p.&#160;799. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1007%2F3-540-46665-7_23">10.1007/3-540-46665-7_23</a>. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a>&#160;<a href="/wiki/Special:BookSources/978-3-540-66887-9" title="Special:BookSources/978-3-540-66887-9"><bdi>978-3-540-66887-9</bdi></a>. 
<a href="/wiki/S2CID_(identifier)" class="mw-redirect" title="S2CID (identifier)">S2CID</a>&#160;<a rel="nofollow" class="external text" href="https://api.semanticscholar.org/CorpusID:15134380">15134380</a>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&amp;rft.genre=bookitem&amp;rft.atitle=A+Cryptographic+Application+of+Weil+Descent&amp;rft.btitle=A+cryptographic+application+of+the+Weil+descent&amp;rft.series=Lecture+Notes+in+Computer+Science&amp;rft.pages=799&amp;rft.date=1999&amp;rft_id=https%3A%2F%2Fapi.semanticscholar.org%2FCorpusID%3A15134380%23id-name%3DS2CID&amp;rft_id=info%3Adoi%2F10.1007%2F3-540-46665-7_23&amp;rft.isbn=978-3-540-66887-9&amp;rft.aulast=Galbraith&amp;rft.aufirst=S.+D.&amp;rft.au=Smart%2C+N.+P.&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-20"><span class="mw-cite-backlink"><b><a href="#cite_ref-20">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFGaudryHessSmart2000" class="citation web cs1">Gaudry, P.; Hess, F.; Smart, N. P. (2000). <a rel="nofollow" class="external text" href="https://web.archive.org/web/20061206133559/http://hpl.hp.com/techreports/2000/HPL-2000-10.pdf">"Constructive and destructive facets of Weil descent on elliptic curves"</a> <span class="cs1-format">(PDF)</span>. <i>Hewlett Packard Laboratories Technical Report</i>. Archived from <a rel="nofollow" class="external text" href="http://www.hpl.hp.com/techreports/2000/HPL-2000-10.pdf">the original</a> <span class="cs1-format">(PDF)</span> on 2006-12-06<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2006-01-02</span></span>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=unknown&amp;rft.jtitle=Hewlett+Packard+Laboratories+Technical+Report&amp;rft.atitle=Constructive+and+destructive+facets+of+Weil+descent+on+elliptic+curves&amp;rft.date=2000&amp;rft.aulast=Gaudry&amp;rft.aufirst=P.&amp;rft.au=Hess%2C+F.&amp;rft.au=Smart%2C+N.+P.&amp;rft_id=http%3A%2F%2Fwww.hpl.hp.com%2Ftechreports%2F2000%2FHPL-2000-10.pdf&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-21"><span class="mw-cite-backlink"><b><a href="#cite_ref-21">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFMenezesOkamotoVanstone1993" class="citation journal cs1">Menezes, A.; Okamoto, T.; Vanstone, S. A. (1993). "Reducing elliptic curve logarithms to logarithms in a finite field". <i>IEEE Transactions on Information Theory</i>. <b>39</b> (5): 1639–1646. 
<a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1109%2F18.259647">10.1109/18.259647</a>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=article&amp;rft.jtitle=IEEE+Transactions+on+Information+Theory&amp;rft.atitle=Reducing+elliptic+curve+logarithms+to+logarithms+in+a+finite+field&amp;rft.volume=39&amp;rft.issue=5&amp;rft.pages=1639-1646&amp;rft.date=1993&amp;rft_id=info%3Adoi%2F10.1109%2F18.259647&amp;rft.aulast=Menezes&amp;rft.aufirst=A.&amp;rft.au=Okamoto%2C+T.&amp;rft.au=Vanstone%2C+S.+A.&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-22"><span class="mw-cite-backlink"><b><a href="#cite_ref-22">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFHitt2006" class="citation journal cs1">Hitt, L. (2006). <a rel="nofollow" class="external text" href="http://eprint.iacr.org/2006/415">"On an Improved Definition of Embedding Degree"</a>. <i>IACR ePrint Report</i>. 
<b>415</b>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=article&amp;rft.jtitle=IACR+ePrint+Report&amp;rft.atitle=On+an+Improved+Definition+of+Embedding+Degree&amp;rft.volume=415&amp;rft.date=2006&amp;rft.aulast=Hitt&amp;rft.aufirst=L.&amp;rft_id=http%3A%2F%2Feprint.iacr.org%2F2006%2F415&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-23"><span class="mw-cite-backlink"><b><a href="#cite_ref-23">^</a></b></span> <span class="reference-text">IEEE <a rel="nofollow" class="external text" href="http://grouper.ieee.org/groups/1363/P1363/index.html">P1363</a> <a rel="nofollow" class="external text" href="https://web.archive.org/web/20070213061138/http://grouper.ieee.org/groups/1363/P1363/index.html">Archived</a> 2007-02-13 at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a>, section A.12.1</span> </li> <li id="cite_note-24"><span class="mw-cite-backlink"><b><a href="#cite_ref-24">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFSemaev1998" class="citation journal cs1">Semaev, I. (1998). <a rel="nofollow" class="external text" href="https://doi.org/10.1090%2FS0025-5718-98-00887-4">"Evaluation of discrete logarithm in a group of <i>p</i>-torsion points of an elliptic curve in characteristic <i>p</i>"</a>. <i>Mathematics of Computation</i>. <b>67</b> (221): 353–356. <a href="/wiki/Bibcode_(identifier)" class="mw-redirect" title="Bibcode (identifier)">Bibcode</a>:<a rel="nofollow" class="external text" href="https://ui.adsabs.harvard.edu/abs/1998MaCom..67..353S">1998MaCom..67..353S</a>. 
<a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.1090%2FS0025-5718-98-00887-4">10.1090/S0025-5718-98-00887-4</a></span>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=article&amp;rft.jtitle=Mathematics+of+Computation&amp;rft.atitle=Evaluation+of+discrete+logarithm+in+a+group+of+p-torsion+points+of+an+elliptic+curve+in+characteristic+p&amp;rft.volume=67&amp;rft.issue=221&amp;rft.pages=353-356&amp;rft.date=1998&amp;rft_id=info%3Adoi%2F10.1090%2FS0025-5718-98-00887-4&amp;rft_id=info%3Abibcode%2F1998MaCom..67..353S&amp;rft.aulast=Semaev&amp;rft.aufirst=I.&amp;rft_id=https%3A%2F%2Fdoi.org%2F10.1090%252FS0025-5718-98-00887-4&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-25"><span class="mw-cite-backlink"><b><a href="#cite_ref-25">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFSmart1999" class="citation journal cs1">Smart, N. (1999). <a rel="nofollow" class="external text" href="http://www.hpl.hp.com/techreports/97/HPL-97-128.ps">"The discrete logarithm problem on elliptic curves of trace one"</a>. <i>Journal of Cryptology</i>. <b>12</b> (3): 193–196. <a href="/wiki/CiteSeerX_(identifier)" class="mw-redirect" title="CiteSeerX (identifier)">CiteSeerX</a>&#160;<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.17.1880">10.1.1.17.1880</a></span>. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1007%2Fs001459900052">10.1007/s001459900052</a>. 
<a href="/wiki/S2CID_(identifier)" class="mw-redirect" title="S2CID (identifier)">S2CID</a>&#160;<a rel="nofollow" class="external text" href="https://api.semanticscholar.org/CorpusID:24368962">24368962</a>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=article&amp;rft.jtitle=Journal+of+Cryptology&amp;rft.atitle=The+discrete+logarithm+problem+on+elliptic+curves+of+trace+one&amp;rft.volume=12&amp;rft.issue=3&amp;rft.pages=193-196&amp;rft.date=1999&amp;rft_id=https%3A%2F%2Fciteseerx.ist.psu.edu%2Fviewdoc%2Fsummary%3Fdoi%3D10.1.1.17.1880%23id-name%3DCiteSeerX&amp;rft_id=https%3A%2F%2Fapi.semanticscholar.org%2FCorpusID%3A24368962%23id-name%3DS2CID&amp;rft_id=info%3Adoi%2F10.1007%2Fs001459900052&amp;rft.aulast=Smart&amp;rft.aufirst=N.&amp;rft_id=http%3A%2F%2Fwww.hpl.hp.com%2Ftechreports%2F97%2FHPL-97-128.ps&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-26"><span class="mw-cite-backlink"><b><a href="#cite_ref-26">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFSatohAraki1998" class="citation journal cs1">Satoh, T.; Araki, K. (1998). "Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves". <i>Commentarii Mathematici Universitatis Sancti Pauli</i>. 
<b>47</b>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=article&amp;rft.jtitle=Commentarii+Mathematici+Universitatis+Sancti+Pauli&amp;rft.atitle=Fermat+quotients+and+the+polynomial+time+discrete+log+algorithm+for+anomalous+elliptic+curves&amp;rft.volume=47&amp;rft.date=1998&amp;rft.aulast=Satoh&amp;rft.aufirst=T.&amp;rft.au=Araki%2C+K.&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-27"><span class="mw-cite-backlink"><b><a href="#cite_ref-27">^</a></b></span> <span class="reference-text">NIST, <a rel="nofollow" class="external text" href="http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf">Recommendation for Key Management—Part 1: general</a>, Special Publication 800-57, August 2005.</span> </li> <li id="cite_note-28"><span class="mw-cite-backlink"><b><a href="#cite_ref-28">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20090715060838/http://lacal.epfl.ch/page81774.html">"112-bit prime ECDLP solved – LACAL"</a>. <i>lacal.epfl.ch</i>. Archived from <a rel="nofollow" class="external text" href="http://lacal.epfl.ch/page81774.html">the original</a> on 2009-07-15<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2009-07-11</span></span>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=unknown&amp;rft.jtitle=lacal.epfl.ch&amp;rft.atitle=112-bit+prime+ECDLP+solved+%E2%80%93+LACAL&amp;rft_id=http%3A%2F%2Flacal.epfl.ch%2Fpage81774.html&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-29"><span class="mw-cite-backlink"><b><a href="#cite_ref-29">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20110719233751/https://www.certicom.com/index.php/2004-press-releases/36-2004-press-releases/300-solution-required-team-of-mathematicians-2600-computers-and-17-months-">"Certicom Announces Elliptic Curve Cryptography Challenge Winner"</a>. <i>Certicom</i>. April 27, 2004. 
Archived from <a rel="nofollow" class="external text" href="http://www.certicom.com/index.php/2004-press-releases/36-2004-press-releases/300-solution-required-team-of-mathematicians-2600-computers-and-17-months-">the original</a> on 2011-07-19.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=unknown&amp;rft.jtitle=Certicom&amp;rft.atitle=Certicom+Announces+Elliptic+Curve+Cryptography+Challenge+Winner&amp;rft.date=2004-04-27&amp;rft_id=http%3A%2F%2Fwww.certicom.com%2Findex.php%2F2004-press-releases%2F36-2004-press-releases%2F300-solution-required-team-of-mathematicians-2600-computers-and-17-months-&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-30"><span class="mw-cite-backlink"><b><a href="#cite_ref-30">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://www.ecc-challenge.info/">"Breaking ECC2K-130"</a>. <i>www.ecc-challenge.info</i>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=unknown&amp;rft.jtitle=www.ecc-challenge.info&amp;rft.atitle=Breaking+ECC2K-130&amp;rft_id=http%3A%2F%2Fwww.ecc-challenge.info%2F&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-31"><span class="mw-cite-backlink"><b><a href="#cite_ref-31">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFHitchcockDawsonClarkMontague2002" class="citation journal cs1">Hitchcock, Y.; Dawson, E.; Clark, A.; Montague, P. (2002). 
<a rel="nofollow" class="external text" href="https://web.archive.org/web/20060327202009/http://anziamj.austms.org.au/V44/CTAC2001/Hitc/Hitc.pdf">"Implementing an efficient elliptic curve cryptosystem over GF(p) on a smart card"</a> <span class="cs1-format">(PDF)</span>. <i>ANZIAM Journal</i>. <b>44</b>. Archived from <a rel="nofollow" class="external text" href="http://anziamj.austms.org.au/V44/CTAC2001/Hitc/Hitc.pdf">the original</a> <span class="cs1-format">(PDF)</span> on 2006-03-27.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=article&amp;rft.jtitle=ANZIAM+Journal&amp;rft.atitle=Implementing+an+efficient+elliptic+curve+cryptosystem+over+GF%28p%29+on+a+smart+card&amp;rft.volume=44&amp;rft.date=2002&amp;rft.aulast=Hitchcock&amp;rft.aufirst=Y.&amp;rft.au=Dawson%2C+E.&amp;rft.au=Clark%2C+A.&amp;rft.au=Montague%2C+P.&amp;rft_id=http%3A%2F%2Fanziamj.austms.org.au%2FV44%2FCTAC2001%2FHitc%2FHitc.pdf&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-32"><span class="mw-cite-backlink"><b><a href="#cite_ref-32">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFCohenMiyajiOno1998" class="citation book cs1"><a href="/wiki/Henri_Cohen_(number_theorist)" title="Henri Cohen (number theorist)">Cohen, H.</a>; <a href="/wiki/Atsuko_Miyaji" title="Atsuko Miyaji">Miyaji, A.</a>; Ono, T. (1998). "Efficient Elliptic Curve Exponentiation Using Mixed Coordinates". <i>Advances in Cryptology — ASIACRYPT'98</i>. Lecture Notes in Computer Science. Vol.&#160;1514. pp.&#160;51–65. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1007%2F3-540-49649-1_6">10.1007/3-540-49649-1_6</a>. 
<a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a>&#160;<a href="/wiki/Special:BookSources/978-3-540-65109-3" title="Special:BookSources/978-3-540-65109-3"><bdi>978-3-540-65109-3</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&amp;rft.genre=bookitem&amp;rft.atitle=Efficient+Elliptic+Curve+Exponentiation+Using+Mixed+Coordinates&amp;rft.btitle=Advances+in+Cryptology+%E2%80%94+ASIACRYPT%2798&amp;rft.series=Lecture+Notes+in+Computer+Science&amp;rft.pages=51-65&amp;rft.date=1998&amp;rft_id=info%3Adoi%2F10.1007%2F3-540-49649-1_6&amp;rft.isbn=978-3-540-65109-3&amp;rft.aulast=Cohen&amp;rft.aufirst=H.&amp;rft.au=Miyaji%2C+A.&amp;rft.au=Ono%2C+T.&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-33"><span class="mw-cite-backlink"><b><a href="#cite_ref-33">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFBrownHankersonLopezMenezes2001" class="citation book cs1">Brown, M.; Hankerson, D.; Lopez, J.; Menezes, A. (2001). "Software Implementation of the NIST Elliptic Curves over Prime Fields". <a rel="nofollow" class="external text" href="http://cr.yp.to/bib/2000/brown-prime.ps"><i>Topics in Cryptology — CT-RSA 2001</i></a>. Lecture Notes in Computer Science. Vol.&#160;2020. pp.&#160;250–265. <a href="/wiki/CiteSeerX_(identifier)" class="mw-redirect" title="CiteSeerX (identifier)">CiteSeerX</a>&#160;<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.25.8619">10.1.1.25.8619</a></span>. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1007%2F3-540-45353-9_19">10.1007/3-540-45353-9_19</a>. 
<a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a>&#160;<a href="/wiki/Special:BookSources/978-3-540-41898-6" title="Special:BookSources/978-3-540-41898-6"><bdi>978-3-540-41898-6</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&amp;rft.genre=bookitem&amp;rft.atitle=Software+Implementation+of+the+NIST+Elliptic+Curves+over+Prime+Fields&amp;rft.btitle=Topics+in+Cryptology+%E2%80%94+CT-RSA+2001&amp;rft.series=Lecture+Notes+in+Computer+Science&amp;rft.pages=250-265&amp;rft.date=2001&amp;rft_id=https%3A%2F%2Fciteseerx.ist.psu.edu%2Fviewdoc%2Fsummary%3Fdoi%3D10.1.1.25.8619%23id-name%3DCiteSeerX&amp;rft_id=info%3Adoi%2F10.1007%2F3-540-45353-9_19&amp;rft.isbn=978-3-540-41898-6&amp;rft.aulast=Brown&amp;rft.aufirst=M.&amp;rft.au=Hankerson%2C+D.&amp;rft.au=Lopez%2C+J.&amp;rft.au=Menezes%2C+A.&amp;rft_id=http%3A%2F%2Fcr.yp.to%2Fbib%2F2000%2Fbrown-prime.ps&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-34"><span class="mw-cite-backlink"><b><a href="#cite_ref-34">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFDaniel_J._BernsteinTanja_Lange" class="citation web cs1">Daniel J. Bernstein &amp; <a href="/wiki/Tanja_Lange" title="Tanja Lange">Tanja Lange</a>. <a rel="nofollow" class="external text" href="https://safecurves.cr.yp.to/">"SafeCurves: choosing safe curves for elliptic-curve cryptography"</a><span class="reference-accessdate">. 
Retrieved <span class="nowrap">1 December</span> 2013</span>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&amp;rft.genre=unknown&amp;rft.btitle=SafeCurves%3A+choosing+safe+curves+for+elliptic-curve+cryptography&amp;rft.au=Daniel+J.+Bernstein&amp;rft.au=Tanja+Lange&amp;rft_id=https%3A%2F%2Fsafecurves.cr.yp.to%2F&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-35"><span class="mw-cite-backlink"><b><a href="#cite_ref-35">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFHedabouPinelBeneteau2004" class="citation journal cs1">Hedabou, M.; Pinel, P.; Beneteau, L. (2004). <a rel="nofollow" class="external text" href="http://eprint.iacr.org/2004/342.pdf">"A comb method to render ECC resistant against Side Channel Attacks"</a> <span class="cs1-format">(PDF)</span>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=article&amp;rft.atitle=A+comb+method+to+render+ECC+resistant+against+Side+Channel+Attacks&amp;rft.date=2004&amp;rft.aulast=Hedabou&amp;rft.aufirst=M.&amp;rft.au=Pinel%2C+P.&amp;rft.au=Beneteau%2C+L.&amp;rft_id=http%3A%2F%2Feprint.iacr.org%2F2004%2F342.pdf&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span> <span class="cs1-visible-error citation-comment"><code class="cs1-code">{{<a href="/wiki/Template:Cite_journal" title="Template:Cite journal">cite journal</a>}}</code>: </span><span class="cs1-visible-error citation-comment">Cite journal requires <code class="cs1-code">&#124;journal=</code> (<a href="/wiki/Help:CS1_errors#missing_periodical" title="Help:CS1 errors">help</a>)</span></span> </li> <li id="cite_note-36"><span class="mw-cite-backlink"><b><a href="#cite_ref-36">^</a></b></span> <span class="reference-text"><link 
rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://blog.cr.yp.to/20140323-ecdsa.html">"Cr.yp.to: 2014.03.23: How to design an elliptic-curve signature system"</a>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&amp;rft.genre=unknown&amp;rft.btitle=Cr.yp.to%3A+2014.03.23%3A+How+to+design+an+elliptic-curve+signature+system&amp;rft_id=http%3A%2F%2Fblog.cr.yp.to%2F20140323-ecdsa.html&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-37"><span class="mw-cite-backlink"><b><a href="#cite_ref-37">^</a></b></span> <span class="reference-text">See, for example, <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFBiehlMeyerMüller2000" class="citation book cs1">Biehl, Ingrid; Meyer, Bernd; Müller, Volker (2000). "Differential Fault Attacks on Elliptic Curve Cryptosystems". <a rel="nofollow" class="external text" href="http://www.iacr.org/archive/crypto2000/18800131/18800131.pdf"><i>Advances in Cryptology — CRYPTO 2000</i></a> <span class="cs1-format">(PDF)</span>. <a href="/wiki/Lecture_Notes_in_Computer_Science" title="Lecture Notes in Computer Science">Lecture Notes in Computer Science</a>. Vol.&#160;1880. pp.&#160;131–146. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1007%2F3-540-44598-6_8">10.1007/3-540-44598-6_8</a>. 
<a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a>&#160;<a href="/wiki/Special:BookSources/978-3-540-67907-3" title="Special:BookSources/978-3-540-67907-3"><bdi>978-3-540-67907-3</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&amp;rft.genre=bookitem&amp;rft.atitle=Differential+Fault+Attacks+on+Elliptic+Curve+Cryptosystems&amp;rft.btitle=Advances+in+Cryptology+%E2%80%94+CRYPTO+2000&amp;rft.series=Lecture+Notes+in+Computer+Science&amp;rft.pages=131-146&amp;rft.date=2000&amp;rft_id=info%3Adoi%2F10.1007%2F3-540-44598-6_8&amp;rft.isbn=978-3-540-67907-3&amp;rft.aulast=Biehl&amp;rft.aufirst=Ingrid&amp;rft.au=Meyer%2C+Bernd&amp;rft.au=M%C3%BCller%2C+Volker&amp;rft_id=http%3A%2F%2Fwww.iacr.org%2Farchive%2Fcrypto2000%2F18800131%2F18800131.pdf&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-38"><span class="mw-cite-backlink"><b><a href="#cite_ref-38">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="https://www.schneier.com/essay-198.html">"Did NSA Put a Secret Backdoor in New Encryption Standard?"</a>. <i>www.schneier.com</i>.</span> </li> <li id="cite_note-39"><span class="mw-cite-backlink"><b><a href="#cite_ref-39">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://bits.blogs.nytimes.com/2013/09/10/government-announces-steps-to-restore-confidence-on-encryption-standards/">"Government Announces Steps to Restore Confidence on Encryption Standards"</a>. <i>NY Times – Bits Blog</i>. 2013-09-10<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2015-11-06</span></span>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=unknown&amp;rft.jtitle=NY+Times+%E2%80%93+Bits+Blog&amp;rft.atitle=Government+Announces+Steps+to+Restore+Confidence+on+Encryption+Standards&amp;rft.date=2013-09-10&amp;rft_id=http%3A%2F%2Fbits.blogs.nytimes.com%2F2013%2F09%2F10%2Fgovernment-announces-steps-to-restore-confidence-on-encryption-standards%2F&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-40"><span class="mw-cite-backlink"><b><a href="#cite_ref-40">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFShumowFerguson" class="citation web cs1">Shumow, Dan; Ferguson, Niels. <a rel="nofollow" class="external text" href="http://rump2007.cr.yp.to/15-shumow.pdf">"On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng"</a> <span class="cs1-format">(PDF)</span>. <i>Microsoft</i>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=unknown&amp;rft.jtitle=Microsoft&amp;rft.atitle=On+the+Possibility+of+a+Back+Door+in+the+NIST+SP800-90+Dual+Ec+Prng&amp;rft.aulast=Shumow&amp;rft.aufirst=Dan&amp;rft.au=Ferguson%2C+Niels&amp;rft_id=http%3A%2F%2Frump2007.cr.yp.to%2F15-shumow.pdf&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-41"><span class="mw-cite-backlink"><b><a href="#cite_ref-41">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFBernsteinLange" class="citation web cs1">Bernstein, Daniel J.; Lange, Tanja. 
<a rel="nofollow" class="external text" href="http://safecurves.cr.yp.to/">"SafeCurves: choosing safe curves for elliptic-curve cryptography"</a><span class="reference-accessdate">. Retrieved <span class="nowrap">October 1,</span> 2016</span>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&amp;rft.genre=unknown&amp;rft.btitle=SafeCurves%3A+choosing+safe+curves+for+elliptic-curve+cryptography&amp;rft.aulast=Bernstein&amp;rft.aufirst=Daniel+J.&amp;rft.au=Lange%2C+Tanja&amp;rft_id=http%3A%2F%2Fsafecurves.cr.yp.to%2F&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-42"><span class="mw-cite-backlink"><b><a href="#cite_ref-42">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFRoettelerNaehrigSvoreLauter2017" class="citation arxiv cs1">Roetteler, Martin; Naehrig, Michael; <a href="/wiki/Krysta_Svore" title="Krysta Svore">Svore, Krysta M.</a>; Lauter, Kristin (2017). "Quantum resource estimates for computing elliptic curve discrete logarithms". 
<a href="/wiki/ArXiv_(identifier)" class="mw-redirect" title="ArXiv (identifier)">arXiv</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://arxiv.org/abs/1706.06752">1706.06752</a></span> [<a rel="nofollow" class="external text" href="https://arxiv.org/archive/quant-ph">quant-ph</a>].</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=preprint&amp;rft.jtitle=arXiv&amp;rft.atitle=Quantum+resource+estimates+for+computing+elliptic+curve+discrete+logarithms&amp;rft.date=2017&amp;rft_id=info%3Aarxiv%2F1706.06752&amp;rft.aulast=Roetteler&amp;rft.aufirst=Martin&amp;rft.au=Naehrig%2C+Michael&amp;rft.au=Svore%2C+Krysta+M.&amp;rft.au=Lauter%2C+Kristin&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-43"><span class="mw-cite-backlink"><b><a href="#cite_ref-43">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFBanegasBernsteinHoofLange2020" class="citation journal cs1">Banegas, G.; Bernstein, D. J.; Hoof, I. van; Lange, T. (2020). 
<a rel="nofollow" class="external text" href="https://eprint.iacr.org/2020/1296.pdf">"Concrete quantum cryptanalysis of binary elliptic curves"</a> <span class="cs1-format">(PDF)</span>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=article&amp;rft.atitle=Concrete+quantum+cryptanalysis+of+binary+elliptic+curves&amp;rft.date=2020&amp;rft.aulast=Banegas&amp;rft.aufirst=G.&amp;rft.au=Bernstein%2C+D.+J.&amp;rft.au=Hoof%2C+I.+van&amp;rft.au=Lange%2C+T.&amp;rft_id=https%3A%2F%2Feprint.iacr.org%2F2020%2F1296.pdf&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span> <span class="cs1-visible-error citation-comment"><code class="cs1-code">{{<a href="/wiki/Template:Cite_journal" title="Template:Cite journal">cite journal</a>}}</code>: </span><span class="cs1-visible-error citation-comment">Cite journal requires <code class="cs1-code">&#124;journal=</code> (<a href="/wiki/Help:CS1_errors#missing_periodical" title="Help:CS1 errors">help</a>)</span></span> </li> <li id="cite_note-44"><span class="mw-cite-backlink"><b><a href="#cite_ref-44">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFHolmes2021" class="citation web cs1">Holmes, David (September 7, 2021). <a rel="nofollow" class="external text" href="https://www.f5.com/labs/articles/threat-intelligence/rsa-in-a-pre-post-quantum-computing-world">"RSA in a "Pre-Post-Quantum" Computing World"</a>. <i>f5</i>. <a rel="nofollow" class="external text" href="https://web.archive.org/web/20200808204717/https://www.f5.com/labs/articles/threat-intelligence/rsa-in-a-pre-post-quantum-computing-world">Archived</a> from the original on 2020-08-08<span class="reference-accessdate">. 
Retrieved <span class="nowrap">March 16,</span> 2021</span>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=unknown&amp;rft.jtitle=f5&amp;rft.atitle=RSA+in+a+%22Pre-Post-Quantum%22+Computing+World&amp;rft.date=2021-09-07&amp;rft.aulast=Holmes&amp;rft.aufirst=David&amp;rft_id=https%3A%2F%2Fwww.f5.com%2Flabs%2Farticles%2Fthreat-intelligence%2Frsa-in-a-pre-post-quantum-computing-world&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-45"><span class="mw-cite-backlink"><b><a href="#cite_ref-45">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFDe_FeoJao,_Plut2011" class="citation web cs1">De Feo, Luca; Jao, David; Plut, Jerome (2011). <a rel="nofollow" class="external text" href="https://web.archive.org/web/20140503190338/http://eprint.iacr.org/2011/506">"Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies"</a>. <i>Cryptology ePrint Archive, Report 2011/506</i>. IACR. Archived from <a rel="nofollow" class="external text" href="https://eprint.iacr.org/2011/506">the original</a> on 2014-05-03<span class="reference-accessdate">. 
Retrieved <span class="nowrap">3 May</span> 2014</span>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=unknown&amp;rft.jtitle=Cryptology+ePrint+Archive%2C+Report+2011%2F506&amp;rft.atitle=Towards+quantum-resistant+cryptosystems+from+supersingular+elliptic+curve+isogenies&amp;rft.date=2011&amp;rft.aulast=De+Feo&amp;rft.aufirst=Luca&amp;rft.au=Jao%2C+Plut&amp;rft_id=https%3A%2F%2Feprint.iacr.org%2F2011%2F506&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-46"><span class="mw-cite-backlink"><b><a href="#cite_ref-46">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFRobert2022" class="citation journal cs1">Robert, Damien (2022). <a rel="nofollow" class="external text" href="https://eprint.iacr.org/2022/1038">"Breaking SIDH in polynomial time"</a>. <i>Cryptology ePrint Archive</i>.</cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=article&amp;rft.jtitle=Cryptology+ePrint+Archive&amp;rft.atitle=Breaking+SIDH+in+polynomial+time&amp;rft.date=2022&amp;rft.aulast=Robert&amp;rft.aufirst=Damien&amp;rft_id=https%3A%2F%2Feprint.iacr.org%2F2022%2F1038&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> <li id="cite_note-Cohen,_Seclist,_2019-47"><span class="mw-cite-backlink"><b><a href="#cite_ref-Cohen,_Seclist,_2019_47-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFCohen2019" class="citation web cs1">Cohen, Cfir (25 June 2019). 
<a rel="nofollow" class="external text" href="https://web.archive.org/web/20190702011957/https://seclists.org/fulldisclosure/2019/Jun/46">"AMD-SEV: Platform DH key recovery via invalid curve attack (CVE-2019-9836)"</a>. <i>Seclist Org</i>. Archived from <a rel="nofollow" class="external text" href="https://seclists.org/fulldisclosure/2019/Jun/46">the original</a> on 2 July 2019<span class="reference-accessdate">. Retrieved <span class="nowrap">4 July</span> 2019</span>. <q>The SEV elliptic-curve (ECC) implementation was found to be vulnerable to an invalid curve attack. At launch-start command, an attacker can send small order ECC points not on the official NIST curves, and force the SEV firmware to multiply a small order point by the firmware's private DH scalar.</q></cite><span title="ctx_ver=Z39.88-2004&amp;rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&amp;rft.genre=unknown&amp;rft.jtitle=Seclist+Org&amp;rft.atitle=AMD-SEV%3A+Platform+DH+key+recovery+via+invalid+curve+attack+%28CVE-2019-9836%29&amp;rft.date=2019-06-25&amp;rft.aulast=Cohen&amp;rft.aufirst=Cfir&amp;rft_id=https%3A%2F%2Fseclists.org%2Ffulldisclosure%2F2019%2FJun%2F46&amp;rfr_id=info%3Asid%2Fen.wikipedia.org%3AElliptic-curve+cryptography" class="Z3988"></span></span> </li> </ol></div> <div class="mw-heading mw-heading2"><h2 id="References">References</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Elliptic-curve_cryptography&amp;action=edit&amp;section=20" title="Edit section: References"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <style data-mw-deduplicate="TemplateStyles:r1239549316">.mw-parser-output .refbegin{margin-bottom:0.5em}.mw-parser-output .refbegin-hanging-indents>ul{margin-left:0}.mw-parser-output .refbegin-hanging-indents>ul>li{margin-left:0;padding-left:3.2em;text-indent:-3.2em}.mw-parser-output .refbegin-hanging-indents ul,.mw-parser-output .refbegin-hanging-indents ul 
li{list-style:none}@media(max-width:720px){.mw-parser-output .refbegin-hanging-indents>ul>li{padding-left:1.6em;text-indent:-1.6em}}.mw-parser-output .refbegin-columns{margin-top:0.3em}.mw-parser-output .refbegin-columns ul{margin-top:0}.mw-parser-output .refbegin-columns li{page-break-inside:avoid;break-inside:avoid-column}@media screen{.mw-parser-output .refbegin{font-size:90%}}</style><div class="refbegin" style=""> <ul><li><a href="/wiki/SECG" title="SECG">Standards for Efficient Cryptography Group (SECG)</a>, <a rel="nofollow" class="external text" href="http://www.secg.org/sec1-v2.pdf">SEC 1: Elliptic Curve Cryptography</a>, Version 1.0, September 20, 2000. (<a rel="nofollow" class="external text" href="https://web.archive.org/web/20141111191126/http://www.secg.org/sec1-v2.pdf">archived</a> as of Nov 11, 2014)</li> <li>D. Hankerson, A. Menezes, and S.A. Vanstone, <i>Guide to Elliptic Curve Cryptography</i>, Springer-Verlag, 2004.</li> <li>I. Blake, G. Seroussi, and N. Smart, <i>Elliptic Curves in Cryptography</i>, London Mathematical Society 265, Cambridge University Press, 1999.</li> <li>I. Blake, G. Seroussi, and N. Smart, editors, <i>Advances in Elliptic Curve Cryptography</i>, London Mathematical Society 317, Cambridge University Press, 2005.</li> <li>L. Washington, <i>Elliptic Curves: Number Theory and Cryptography</i>, Chapman &amp; Hall / CRC, 2003.</li> <li><a rel="nofollow" class="external text" href="https://web.archive.org/web/20090117023500/http://www.nsa.gov/business/programs/elliptic_curve.shtml">The Case for Elliptic Curve Cryptography</a>, National Security Agency (archived January 17, 2009)</li> <li><a rel="nofollow" class="external text" href="http://www.certicom.com/index.php/ecc-tutorial">Online Elliptic Curve Cryptography Tutorial</a>, Certicom Corp. (archived <a rel="nofollow" class="external text" href="https://web.archive.org/web/20160309033943/http://certicom.com/index.php/ecc-tutorial">here</a> as of March 3, 2016)</li> <li>K. 
Malhotra, S. Gardner, and R. Patz, Implementation of Elliptic-Curve Cryptography on Mobile Healthcare Devices, Networking, Sensing and Control, 2007 IEEE International Conference on, London, 15–17 April 2007 Page(s):239–244</li> <li>Saikat Basu, <a rel="nofollow" class="external text" href="http://ijns.jalaxy.com.tw/contents/ijns-v14-n2/ijns-2012-v14-n2-p101-108.pdf">A New Parallel Window-Based Implementation of the Elliptic Curve Point Multiplication in Multi-Core Architectures</a>, International Journal of Network Security, Vol. 13, No. 3, 2011, Page(s):234–241 (archived <a rel="nofollow" class="external text" href="https://web.archive.org/web/20160304121101/http://ijns.jalaxy.com.tw/contents/ijns-v14-n2/ijns-2012-v14-n2-p101-108.pdf">here</a> as of March 4, 2016)</li> <li>Christof Paar, Jan Pelzl, <a rel="nofollow" class="external text" href="https://archive.today/20121208212741/http://wiki.crypto.rub.de/Buch/movies.php">"Elliptic Curve Cryptosystems"</a>, Chapter 9 of "Understanding Cryptography, A Textbook for Students and Practitioners". (companion web site contains online cryptography course that covers elliptic curve cryptography), Springer, 2009. (archived <a rel="nofollow" class="external text" href="https://archive.today/20121208212741/http://wiki.crypto.rub.de/Buch/movies.php">here</a> as of April 20, 2016)</li> <li>Luca De Feo, David Jao, Jerome Plut, <a rel="nofollow" class="external text" href="http://eprint.iacr.org/2011/506">Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies</a>, Springer 2011. (archived <a rel="nofollow" class="external text" href="https://web.archive.org/web/20120507200407/http://eprint.iacr.org/2011/506">here</a> as of May 7, 2012)</li> <li>Gustavo Banegas, Daniel J. Bernstein, Iggy Van Hoof, Tanja Lange, <a rel="nofollow" class="external text" href="https://eprint.iacr.org/2020/1296">Concrete quantum cryptanalysis of binary elliptic curves</a>, Springer 2020. 
(archived <a rel="nofollow" class="external text" href="https://eprint.iacr.org/2020/1296">here</a> as of June 1, 2020)</li></ul> </div> <ul><li><a rel="nofollow" class="external text" href="http://archive.numdam.org/ARCHIVE/MSMF/MSMF_1978__57_/MSMF_1978__57__1_0/MSMF_1978__57__1_0.pdf">Jacques Vélu, <i>Courbes elliptiques (...)</i>, Société Mathématique de France, <b>57</b>, 1-152, Paris, 1978.</a></li></ul> <div class="mw-heading mw-heading2"><h2 id="External_links">External links</h2></div> <ul><li><a rel="nofollow" class="external text" href="https://crypto.stanford.edu/pbc/notes/elliptic/">Elliptic Curves</a> at <a href="/wiki/Stanford_University" title="Stanford University">Stanford University</a></li> <li><a rel="nofollow" class="external text" href="https://web.archive.org/web/20120301091325/http://sagenb.org/home/pub/1126/">Interactive introduction to elliptic curves and elliptic curve cryptography with Sage</a> by <a rel="nofollow" class="external text" href="http://www.maths.unsw.edu.au/~maikemassierer/">Maike Massierer</a> and the <a rel="nofollow" class="external text" href="https://www.cryptool.org/en/">CrypTool</a> team</li> <li><span class="noviewer" typeof="mw:File"><a href="/wiki/File:Commons-logo.svg" class="mw-file-description"><img alt="" src="//upload.wikimedia.org/wikipedia/en/thumb/4/4a/Commons-logo.svg/12px-Commons-logo.svg.png" decoding="async" width="12" height="16" class="mw-file-element" srcset="//upload.wikimedia.org/wikipedia/en/thumb/4/4a/Commons-logo.svg/18px-Commons-logo.svg.png 1.5x, //upload.wikimedia.org/wikipedia/en/thumb/4/4a/Commons-logo.svg/24px-Commons-logo.svg.png 2x" data-file-width="1024" data-file-height="1376" /></a></span> Media related to <a 
href="https://commons.wikimedia.org/wiki/Elliptic_curve" class="extiw" title="commons:Elliptic curve">Elliptic curve</a> at Wikimedia Commons</li></ul>
<li><a href="/wiki/Smooth_completion" title="Smooth completion">Smooth completion</a></li></ul> </div></td></tr><tr><th scope="row" class="navbox-group" style="width:1%">Structure of curves</th><td class="navbox-list-with-group navbox-list navbox-odd hlist" style="width:100%;padding:0"><div style="padding:0 0.25em"></div><table class="nowraplinks navbox-subgroup" style="border-spacing:0"><tbody><tr><th scope="row" class="navbox-group" style="width:1%">Divisors on curves</th><td class="navbox-list-with-group navbox-list navbox-odd" style="width:100%;padding:0"><div style="padding:0 0.25em"> <ul><li><a href="/wiki/Abel%E2%80%93Jacobi_map" title="Abel–Jacobi map">Abel–Jacobi map</a></li> <li><a href="/wiki/Brill%E2%80%93Noether_theory" title="Brill–Noether theory">Brill–Noether theory</a></li> <li><a href="/wiki/Clifford%27s_theorem_on_special_divisors" title="Clifford&#39;s theorem on special divisors">Clifford's theorem on special divisors</a></li> <li><a href="/wiki/Gonality_of_an_algebraic_curve" title="Gonality of an algebraic curve">Gonality of an algebraic curve</a></li> <li><a href="/wiki/Jacobian_variety" title="Jacobian variety">Jacobian variety</a></li> <li><a href="/wiki/Riemann%E2%80%93Roch_theorem" title="Riemann–Roch theorem">Riemann–Roch theorem</a></li> <li><a href="/wiki/Weierstrass_point" title="Weierstrass point">Weierstrass point</a></li> <li><a href="/wiki/Weil_reciprocity_law" title="Weil reciprocity law">Weil reciprocity law</a></li></ul> </div></td></tr><tr><th scope="row" class="navbox-group" style="width:1%">Moduli</th><td class="navbox-list-with-group navbox-list navbox-even" style="width:100%;padding:0"><div style="padding:0 0.25em"> <ul><li><a href="/wiki/ELSV_formula" title="ELSV formula">ELSV formula</a></li> <li><a href="/wiki/Gromov%E2%80%93Witten_invariant" title="Gromov–Witten invariant">Gromov–Witten invariant</a></li> <li><a href="/wiki/Hodge_bundle" title="Hodge bundle">Hodge bundle</a></li> <li><a 
href="/wiki/Moduli_of_algebraic_curves" title="Moduli of algebraic curves">Moduli of algebraic curves</a></li> <li><a href="/wiki/Stable_curve" title="Stable curve">Stable curve</a></li></ul> </div></td></tr><tr><th scope="row" class="navbox-group" style="width:1%">Morphisms</th><td class="navbox-list-with-group navbox-list navbox-odd" style="width:100%;padding:0"><div style="padding:0 0.25em"> <ul><li><a href="/wiki/Hasse%E2%80%93Witt_matrix" title="Hasse–Witt matrix">Hasse–Witt matrix</a></li> <li><a href="/wiki/Riemann%E2%80%93Hurwitz_formula" title="Riemann–Hurwitz formula">Riemann–Hurwitz formula</a></li> <li><a href="/wiki/Prym_variety" title="Prym variety">Prym variety</a></li> <li><a href="/wiki/Weber%27s_theorem_(Algebraic_curves)" title="Weber&#39;s theorem (Algebraic curves)">Weber's theorem (Algebraic curves)</a></li></ul> </div></td></tr><tr><th scope="row" class="navbox-group" style="width:1%"><a href="/wiki/Singular_point_of_a_curve" title="Singular point of a curve">Singularities</a></th><td class="navbox-list-with-group navbox-list navbox-even" style="width:100%;padding:0"><div style="padding:0 0.25em"> <ul><li><a href="/wiki/Ak_singularity" title="Ak singularity"><i>A<sub>k</sub></i> singularity</a></li> <li><a href="/wiki/Acnode" title="Acnode">Acnode</a></li> <li><a href="/wiki/Crunode" title="Crunode">Crunode</a></li> <li><a href="/wiki/Cusp_(singularity)" title="Cusp (singularity)">Cusp</a></li> <li><a href="/wiki/Delta_invariant" class="mw-redirect" title="Delta invariant">Delta invariant</a></li> <li><a href="/wiki/Tacnode" title="Tacnode">Tacnode</a></li></ul> </div></td></tr><tr><th scope="row" class="navbox-group" style="width:1%"><a href="/wiki/Vector_bundle" title="Vector bundle">Vector bundles</a></th><td class="navbox-list-with-group navbox-list navbox-odd" style="width:100%;padding:0"><div style="padding:0 0.25em"> <ul><li><a href="/wiki/Birkhoff%E2%80%93Grothendieck_theorem" title="Birkhoff–Grothendieck 
theorem">Birkhoff–Grothendieck theorem</a></li> <li><a href="/wiki/Stable_vector_bundle" title="Stable vector bundle">Stable vector bundle</a></li> <li><a href="/wiki/Vector_bundles_on_algebraic_curves" title="Vector bundles on algebraic curves">Vector bundles on algebraic curves</a></li></ul> </div></td></tr></tbody></table><div></div></td></tr></tbody></table></div> <!-- NewPP limit report Parsed by mw‐web.codfw.main‐f69cdc8f6‐dxng5 Cached time: 20241123043034 Cache expiry: 2592000 Reduced expiry: false Complications: [vary‐revision‐sha1, show‐toc] CPU time usage: 0.863 seconds Real time usage: 1.080 seconds Preprocessor visited node count: 4045/1000000 Post‐expand include size: 184233/2097152 bytes Template argument size: 3464/2097152 bytes Highest expansion depth: 14/100 Expensive parser function count: 8/500 Unstrip recursion depth: 1/20 Unstrip post‐expand size: 167155/5000000 bytes Lua time usage: 0.475/10.000 seconds Lua memory usage: 6724877/52428800 bytes Number of Wikibase entities loaded: 1/400 --> <!-- Transclusion expansion time report (%,ms,calls,template) 100.00% 826.651 1 -total 41.76% 345.234 1 Template:Reflist 24.68% 204.007 7 Template:Navbox 18.83% 155.677 20 Template:Cite_web 14.42% 119.239 1 Template:Cryptography_navbox 10.68% 88.316 1 Template:Short_description 7.68% 63.523 4 Template:Fix 7.24% 59.821 1 Template:Cryptography_public-key 7.22% 59.667 10 Template:Cite_journal 6.90% 57.030 2 Template:Pagetype --> <!-- Saved in parser cache with key enwiki:pcache:idhash:9966-0!canonical and timestamp 20241123043034 and revision id 1259065219. 
Rendering was triggered because: page-view --> </div></div> </div> </main> </div> </div> </div> <script type="application/ld+json">{"@context":"https:\/\/schema.org","@type":"Article","name":"Elliptic-curve cryptography","url":"https:\/\/en.wikipedia.org\/wiki\/Elliptic-curve_cryptography","sameAs":"http:\/\/www.wikidata.org\/entity\/Q1048911","mainEntity":"http:\/\/www.wikidata.org\/entity\/Q1048911","author":{"@type":"Organization","name":"Contributors to Wikimedia projects"},"publisher":{"@type":"Organization","name":"Wikimedia Foundation, Inc.","logo":{"@type":"ImageObject","url":"https:\/\/www.wikimedia.org\/static\/images\/wmf-hor-googpub.png"}},"datePublished":"2001-10-23T21:46:07Z","dateModified":"2024-11-23T04:30:31Z","headline":"approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields"}</script> </body> </html>
