{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,21]],"date-time":"2025-10-21T15:29:29Z","timestamp":1761060569293,"version":"3.41.0"},"reference-count":91,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2018,4,25]],"date-time":"2018-04-25T00:00:00Z","timestamp":1524614400000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Cryptol"],"published-print":{"date-parts":[[2019,7]]},"DOI":"10.1007\/s00145-018-9294-z","type":"journal-article","created":{"date-parts":[[2018,4,25]],"date-time":"2018-04-25T19:50:40Z","timestamp":1524685840000},"page":"867-894","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["Koblitz Curves over Quadratic Fields"],"prefix":"10.1007","volume":"32","author":[{"given":"Thomaz","family":"Oliveira","sequence":"first","affiliation":[]},{"given":"Julio","family":"L\u00f3pez","sequence":"additional","affiliation":[]},{"given":"Daniel","family":"Cervantes-V\u00e1zquez","sequence":"additional","affiliation":[]},{"given":"Francisco","family":"Rodr\u00edguez-Henr\u00edquez","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2018,4,25]]},"reference":[{"key":"9294_CR1","unstructured":"AMD Technology, AMD64 architecture programmer\u2019s manual, Volume 1: Application programming. 24592 3.21. http:\/\/developer.amd.com\/resources\/developer-guides-manuals\/"},{"key":"9294_CR2","unstructured":"ANSSI, Les R\u00e8gles et recommandations concernant le choix et le dimensionnement des m\u00e9canismes cryptographiques. Agence nationale de la s\u00e9curit des syst\u00e8mes dinformation (2014). 
https:\/\/www.ssi.gouv.fr\/guide\/cryptographie-les-regles-du-rgs\/"},{"key":"9294_CR3","doi-asserted-by":"crossref","unstructured":"D.F. Aranha, A. Faz-Hern\u00e1ndez, J. L\u00f3pez, F. Rodr\u00edguez-Henr\u00edquez, Faster implementation of scalar multiplication on Koblitz curves, in Proceedings of LATINCRYPT 2012. LNCS, vol. 7533 (Springer, Berlin, 2012), pp. 177\u2013193","DOI":"10.1007\/978-3-642-33481-8_10"},{"key":"9294_CR4","doi-asserted-by":"crossref","unstructured":"D.F. Aranha, J.L\u00f3pez, D. Hankerson, Efficient software implementation of binary field arithmetic using vector instruction sets, in Proceedings of LATINCRYPT 2010. LNCS, vol. 6212 (Springer, Berlin, 2010), pp. 144\u2013161","DOI":"10.1007\/978-3-642-14712-8_9"},{"key":"9294_CR5","doi-asserted-by":"crossref","unstructured":"A.U. Ay, E. \u00d6zt\u00fcrk, F. Rodr\u00edguez-Henr\u00edquez, E. Sava\u015f, Design and implementation of a constant-time FPGA accelerator for fast elliptic curve cryptography, in ReConFig 2016 (IEEE, Piscataway, 2016), pp. 1\u20138","DOI":"10.1109\/ReConFig.2016.7857163"},{"key":"9294_CR6","doi-asserted-by":"crossref","unstructured":"R. Barbulescu, P. Gaudry, A. Joux, E. Thom\u00e9, A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic, in Proceedings of EUROCRYPT 2014. LNCS, vol. 8441 (Springer, Berlin, 2014), pp. 1\u201316","DOI":"10.1007\/978-3-642-55220-5_1"},{"key":"9294_CR7","doi-asserted-by":"crossref","unstructured":"P. Belgarric, P.-A. Fouque, G. Macario-Rat, M. Tibouchi, Side-channel analysis of Weierstrass and Koblitz curve ECDSA on Android smartphones, in Proceedings of CT-RSA 2016. LNCS, vol. 9610 (Springer, Berlin, 2016), pp. 236\u2013252","DOI":"10.1007\/978-3-319-29485-8_14"},{"key":"9294_CR8","doi-asserted-by":"crossref","unstructured":"D.J. Bernstein, C. Chuengsatiansup, T. Lange, P. Schwabe, Kummer strikes back: new DH speed records, in Proceedings of ASIACRYPT 2014. LNCS, vol. 
8873 (Springer, Berlin, 2014), pp. 317\u2013337","DOI":"10.1007\/978-3-662-45611-8_17"},{"key":"9294_CR9","unstructured":"D.J. Bernstein, T.L. (eds.), eBACS: ECRYPT benchmarking of cryptographic systems. http:\/\/bench.cr.yp.to . Accessed 14 Dec 2016"},{"key":"9294_CR10","unstructured":"D.J. Bernstein, S. Engels, T. Lange, R. Niederhagen, C. Paar, P. Schwabe, R. Zimmermann, Faster discrete logarithms on FPGAs. Cryptology ePrint Archive, Report 2016\/382 (2016). http:\/\/eprint.iacr.org\/2016\/382"},{"key":"9294_CR11","unstructured":"D.J. Bernstein, T. Lange, eBACS: ECRYPT benchmarking of cryptographic systems. http:\/\/bench.cr.yp.to . Accessed 12 Dec 2016"},{"key":"9294_CR12","unstructured":"D.J. Bernstein, T. Lange, SafeCurves: choosing safe curves for elliptic-curve cryptography. http:\/\/safecurves.cr.yp.to . Accessed 14 Dec 2016"},{"key":"9294_CR13","doi-asserted-by":"crossref","unstructured":"J. Beuchat, N. Brisebarre, J. Detrey, E. Okamoto, F. Rodr\u00edguez-Henr\u00edquez, A comparison between hardware accelerators for the modified Tate pairing over $${\\mathbb{F}}_{2^m}$$ and $${\\mathbb{F}}_{3^m}$$, in Proceedings of Pairing 2008. LNCS, vol. 5209 (Springer, Berlin, 2008), pp. 297\u2013315","DOI":"10.1007\/978-3-540-85538-5_20"},{"issue":"2","key":"9294_CR14","doi-asserted-by":"publisher","first-page":"266","DOI":"10.1109\/TC.2010.163","volume":"60","author":"J Beuchat","year":"2011","unstructured":"J. Beuchat, J. Detrey, N. Estibals, E. Okamoto, F. Rodr\u00edguez-Henr\u00edquez, Fast architectures for the $$\\eta _{T}$$ pairing over small-characteristic supersingular elliptic curves. IEEE Trans. Comput. 60(2), 266\u2013281 (2011)","journal-title":"IEEE Trans. Comput."},{"key":"9294_CR15","doi-asserted-by":"crossref","unstructured":"J. Beuchat, E. L\u00f3pez-Trejo, L. Mart\u00ednez-Ramos, S. Mitsunari, F. 
Rodr\u00edguez-Henr\u00edquez, Multi-core implementation of the Tate pairing over supersingular elliptic curves, in Proceedings of CANS 2009. LNCS, vol. 5888 (Springer, Berlin, 2009), pp. 413\u2013432","DOI":"10.1007\/978-3-642-10433-6_28"},{"key":"9294_CR16","doi-asserted-by":"publisher","first-page":"276","DOI":"10.1137\/0605029","volume":"5","author":"IF Blake","year":"1984","unstructured":"I.F. Blake, R. Fuji-Hara, R.C. Mullin, S.A. Vanstone, Computing logarithms in finite fields of characteristic two. SIAM J. Algebr. Discrete Methods 5, 276\u2013285 (1984)","journal-title":"SIAM J. Algebr. Discrete Methods"},{"key":"9294_CR17","unstructured":"S. Blake-Wilson, N. Bolyard, V. Gupta, C. Hawk, B. Moeller, Elliptic curve cryptography (ECC) cipher suites for transport layer security (TLS). RFC 4492. Internet Engineering Task Force (IETF) (2006). https:\/\/tools.ietf.org\/html\/rfc4492"},{"issue":"3","key":"9294_CR18","doi-asserted-by":"publisher","first-page":"215","DOI":"10.1007\/s13389-015-0094-1","volume":"5","author":"M Bluhm","year":"2015","unstructured":"M. Bluhm, S. Gueron, Fast software implementation of binary elliptic curve cryptography. J. Cryptogr. Eng. 5(3), 215\u2013226 (2015)","journal-title":"J. Cryptogr. Eng."},{"key":"9294_CR19","doi-asserted-by":"crossref","unstructured":"D. Boneh, M.K. Franklin, Identity-based encryption from the Weil pairing, in Proceedings of CRYPTO 2001. LNCS, vol. 2139 (Springer, Berlin, 2001), pp. 213\u2013229","DOI":"10.1007\/3-540-44647-8_13"},{"issue":"4","key":"9294_CR20","doi-asserted-by":"publisher","first-page":"259","DOI":"10.1007\/s13389-015-0097-y","volume":"6","author":"JW Bos","year":"2016","unstructured":"J.W. Bos, C. Costello, P. Longa, M. Naehrig, Selecting elliptic curves for cryptography: an efficiency and security analysis. J. Cryptogr. Eng. 6(4), 259\u2013286 (2016)","journal-title":"J. Cryptogr. Eng."},{"key":"9294_CR21","doi-asserted-by":"crossref","unstructured":"R.P. Brent, P. 
Zimmermann, Algorithms for finding almost irreducible and almost primitive trinomials, in Primes and Misdemeanours: Lectures in Honour of the Sixtieth Birthday of Hugh Cowie Williams (Fields Institute, Toronto, 2003), p. 212","DOI":"10.1090\/fic\/041\/08"},{"issue":"3","key":"9294_CR22","doi-asserted-by":"publisher","first-page":"265","DOI":"10.1007\/s00607-010-0118-8","volume":"91","author":"NM Clift","year":"2011","unstructured":"N.M. Clift, Calculating optimal addition chains. Computing 91(3), 265\u2013284 (2011)","journal-title":"Computing"},{"issue":"4","key":"9294_CR23","doi-asserted-by":"publisher","first-page":"587","DOI":"10.1109\/TIT.1984.1056941","volume":"30","author":"D Coppersmith","year":"1984","unstructured":"D. Coppersmith, Fast evaluation of logarithms in fields of characteristic two. IEEE Trans. Inf. Theory 30(4), 587\u2013593 (1984)","journal-title":"IEEE Trans. Inf. Theory"},{"key":"9294_CR24","doi-asserted-by":"crossref","unstructured":"C. Costello, P. Longa, Four$${\\mathbb{Q}}$$: four-dimensional decompositions on a $${\\mathbb{Q}}$$-curve over the Mersenne prime, in Proceedings of ASIACRYPT 2015. LNCS, vol. 9452 (Springer, Berlin, 2015), pp. 214\u2013235","DOI":"10.1007\/978-3-662-48797-6_10"},{"key":"9294_CR25","unstructured":"T. Dierks, E. Rescorla, The transport layer security (TLS) protocol version 1.2. RFC 5246. Internet Engineering Task Force (IETF) (2008). https:\/\/tools.ietf.org\/html\/rfc5246"},{"key":"9294_CR26","doi-asserted-by":"crossref","unstructured":"C. Doche, Redundant trinomials for finite fields of characteristic 2, in Proceedings of ACISP 2005. LNCS, vol. 3574 (Springer, Berlin, 2005), pp. 122\u2013133","DOI":"10.1007\/11506157_11"},{"key":"9294_CR27","unstructured":"ECRYPT II, Ecrypt II yearly report on algorithms and keysizes (2011\u20132012). Katholieke Universiteit Leuven (KUL) (2012). 
http:\/\/www.ecrypt.eu.org\/"},{"key":"9294_CR28","doi-asserted-by":"publisher","first-page":"83","DOI":"10.4064\/aa102-1-6","volume":"102","author":"A Enge","year":"2002","unstructured":"A. Enge, P. Gaudry. A general framework for subexponential discrete logarithm algorithms. Acta Arith. 102, 83\u2013103 (2002)","journal-title":"Acta Arith."},{"key":"9294_CR29","doi-asserted-by":"crossref","unstructured":"J. Faug\u00e8re, L. Perret, C. Petit, G. Renault. Improving the complexity of index calculus algorithms in elliptic curves over binary fields, in Proceedings of EUROCRYPT 2012. LNCS, vol. 7237 (Springer, Berlin 2012), pp. 27\u201344","DOI":"10.1007\/978-3-642-29011-4_4"},{"issue":"1","key":"9294_CR30","doi-asserted-by":"publisher","first-page":"51","DOI":"10.1007\/s10623-015-0146-7","volume":"78","author":"SD Galbraith","year":"2016","unstructured":"S.D. Galbraith, P. Gaudry, Recent progress on the elliptic curve discrete logarithm problem. Des. Codes Cryptogr. 78(1), 51\u201372 (2016)","journal-title":"Des. Codes Cryptogr."},{"key":"9294_CR31","doi-asserted-by":"crossref","unstructured":"S.D. Galbraith, S.W. Gebregiyorgis, Summation polynomial algorithms for elliptic curves in characteristic two, in Proceedings of INDOCRYPT 2014. LNCS, vol. 8885 (Springer, Berlin, 2014), pp. 409\u2013427","DOI":"10.1007\/978-3-319-13039-2_24"},{"key":"9294_CR32","doi-asserted-by":"crossref","unstructured":"S.D. Galbraith, X. Lin, M. Scott, Endomorphisms for faster elliptic curve cryptography on a large class of curves, in Proceedings of EUROCRYPT 2009. LNCS, vol. 5479 (Springer, Berlin, 2009), pp. 518\u2013535","DOI":"10.1007\/978-3-642-01001-9_30"},{"key":"9294_CR33","doi-asserted-by":"crossref","unstructured":"S.D. Galbraith, N.P. Smart, A cryptographic application of Weil descent, in Proceedings of Cryptography and Coding. LNCS, vol. 1746 (Springer, Berlin, 1999), pp. 
191\u2013200","DOI":"10.1007\/3-540-46665-7_23"},{"issue":"232","key":"9294_CR34","doi-asserted-by":"publisher","first-page":"1699","DOI":"10.1090\/S0025-5718-99-01119-9","volume":"69","author":"RP Gallant","year":"2000","unstructured":"R.P. Gallant, R.J. Lambert, S.A. Vanstone, Improving the parallelized pollard lambda search on anomalous binary curves. Math. Comput. 69(232), 1699\u20131705 (2000)","journal-title":"Math. Comput."},{"issue":"12","key":"9294_CR35","doi-asserted-by":"publisher","first-page":"1690","DOI":"10.1016\/j.jsc.2008.08.005","volume":"44","author":"P Gaudry","year":"2009","unstructured":"P. Gaudry, Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem. J. Symb. Comput. 44(12), 1690\u20131702 (2009)","journal-title":"J. Symb. Comput."},{"key":"9294_CR36","doi-asserted-by":"publisher","first-page":"19","DOI":"10.1007\/s00145-001-0011-x","volume":"15","author":"P Gaudry","year":"2002","unstructured":"P. Gaudry, F. Hess, N.P. Smart, Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptol. 15, 19\u201346 (2002)","journal-title":"J. Cryptol."},{"key":"9294_CR37","unstructured":"D. Genkin, L. Valenta, Y. Yarom, May the fourth be with you: a microarchitectural side channel attack on several real-world applications of curve25519. Cryptology ePrint Archive, Report 2017\/806 (2017). https:\/\/eprint.iacr.org\/2017\/806"},{"key":"9294_CR38","unstructured":"R. Granger, T. Kleinjung, J. Zumbr\u00e4gel, On the powers of 2. Cryptology ePrint Archive, Report 2014\/300 (2014). http:\/\/eprint.iacr.org\/2014\/300"},{"issue":"10","key":"9294_CR39","doi-asserted-by":"publisher","first-page":"1411","DOI":"10.1109\/TC.2009.61","volume":"58","author":"D Hankerson","year":"2009","unstructured":"D. Hankerson, K. Karabina, A. Menezes, Analyzing the Galbraith\u2013Lin\u2013Scott point multiplication method for elliptic curves over binary fields. IEEE Trans. Comput. 
58(10), 1411\u20131420 (2009)","journal-title":"IEEE Trans. Comput."},{"key":"9294_CR40","volume-title":"Guide to Elliptic Curve Cryptography","author":"D Hankerson","year":"2003","unstructured":"D. Hankerson, A.J. Menezes, S. Vanstone, Guide to Elliptic Curve Cryptography (Springer, Secaucus, 2003)"},{"key":"9294_CR41","doi-asserted-by":"publisher","first-page":"167","DOI":"10.1112\/S146115700000108X","volume":"7","author":"F Hess","year":"2004","unstructured":"F. Hess, Generalising the GHS attack on the elliptic curve discrete logarithm problem. LMS J. Comput. Math. 7, 167\u2013192 (2004)","journal-title":"LMS J. Comput. Math."},{"key":"9294_CR42","unstructured":"Y.-J. Huang, C. Petit, N. Shinohara, T. Takagi, On generalized first fall degree assumptions. Cryptology ePrint Archive, Report 2015\/358 (2015). http:\/\/eprint.iacr.org\/2015\/358"},{"key":"9294_CR43","unstructured":"Intel Corporation, Intel 64 and IA-32 architectures software developers manual, 253665-064US (2017)"},{"issue":"3","key":"9294_CR44","doi-asserted-by":"publisher","first-page":"171","DOI":"10.1016\/0890-5401(88)90024-7","volume":"78","author":"T Itoh","year":"1988","unstructured":"T. Itoh, S. Tsujii, A fast algorithm for computing multiplicative inverses in GF $$(2^m)$$ using normal bases. Inf. Comput. 78(3), 171\u2013177 (1988)","journal-title":"Inf. Comput."},{"key":"9294_CR45","doi-asserted-by":"crossref","unstructured":"A. Joux, A one round protocol for tripartite Diffie\u2013Hellman, in Proceedings of ANTS-IV. LNCS, vol. 1838 (Springer, Berlin, 2000), pp. 385\u2013394","DOI":"10.1007\/10722028_23"},{"issue":"4","key":"9294_CR46","doi-asserted-by":"publisher","first-page":"263","DOI":"10.1007\/s00145-004-0312-y","volume":"17","author":"A Joux","year":"2004","unstructured":"A. Joux, A one round protocol for tripartite Diffie\u2013Hellman. J. Cryptol. 17(4), 263\u2013276 (2004)","journal-title":"J. Cryptol."},{"key":"9294_CR47","doi-asserted-by":"crossref","unstructured":"A. 
Joux, A new index calculus algorithm with complexity $$L(1\/4+o(1))$$ in small characteristic, in Proceedings of SAC 2013. LNCS, vol. 8282 (Springer, Berlin, 2014), pp. 355\u2013379","DOI":"10.1007\/978-3-662-43414-7_18"},{"key":"9294_CR48","doi-asserted-by":"crossref","unstructured":"M. Joye, M. Tunstall, Exponent recoding and regular exponentiation algorithms, in AFRICACRYPT 2009. LNCS, vol. 5580 (Springer, Berlin, 2009), pp. 334\u2013349","DOI":"10.1007\/978-3-642-02384-2_21"},{"key":"9294_CR49","unstructured":"K. Karabina, Point decomposition problem in binary elliptic curves. Cryptology ePrint Archive, Report 2015\/319 (2015). http:\/\/eprint.iacr.org\/2015\/319"},{"key":"9294_CR50","doi-asserted-by":"crossref","unstructured":"E. Knudsen, Elliptic scalar multiplication using point halving, in Proceedings of ASIACRYPT 99. LNCS, vol. 1716 (Springer, Berlin, 1999), pp. 135\u2013149","DOI":"10.1007\/978-3-540-48000-6_12"},{"key":"9294_CR51","doi-asserted-by":"publisher","first-page":"203","DOI":"10.1090\/S0025-5718-1987-0866109-5","volume":"48","author":"N Koblitz","year":"1987","unstructured":"N. Koblitz, Elliptic curve cryptosystems. Math. Comput. 48, 203\u20139 (1987)","journal-title":"Math. Comput."},{"key":"9294_CR52","unstructured":"N. Koblitz, Constructing elliptic curve cryptosystems in characteristic 2, in Proceedings of CRYPTO 90. LNCS, vol. 537 (1990), pp. 156\u2013167"},{"key":"9294_CR53","doi-asserted-by":"crossref","unstructured":"N. Koblitz, CM-curves with good cryptographic properties, in Proceedings of CRYPTO 1991. LNCS, vol. 576 (Springer, Berlin, 1991), pp. 279\u2013287","DOI":"10.1007\/3-540-46766-1_22"},{"key":"9294_CR54","unstructured":"N. Koblitz, A. Menezes, A riddle wrapped in an enigma. Cryptology ePrint Archive, Report 2015\/1018 (2015) http:\/\/eprint.iacr.org\/2015\/1018"},{"key":"9294_CR55","doi-asserted-by":"crossref","unstructured":"P.C. Kocher, J. Jaffe, B. 
Jun, Differential power analysis, in Proceedings of CRYPTO 99. LNCS, vol. 1666 (Springer, Berlin, 1999), pp. 388\u2013397","DOI":"10.1007\/3-540-48405-1_25"},{"issue":"2","key":"9294_CR56","doi-asserted-by":"publisher","first-page":"248","DOI":"10.1007\/s00145-012-9144-3","volume":"27","author":"P Longa","year":"2014","unstructured":"P. Longa, F. Sica, Four-dimensional Gallant\u2013Lambert\u2013Vanstone scalar multiplication. J. Cryptol. 27(2), 248\u2013283 (2014)","journal-title":"J. Cryptol."},{"key":"9294_CR57","doi-asserted-by":"crossref","unstructured":"M. Maurer, A. Menezes, E. Teske, Analysis of the GHS Weil descent attack on the ECDLP over characteristic two finite fields of composite degree, in Proceedings of INDOCRYPT 2001. LNCS, vol. 2247 (Springer, Berlin, 2001), pp. 195\u2013213","DOI":"10.1007\/3-540-45311-3_19"},{"key":"9294_CR58","doi-asserted-by":"publisher","first-page":"1639","DOI":"10.1109\/18.259647","volume":"39","author":"A Menezes","year":"1993","unstructured":"A. Menezes, T. Okamoto, S. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory 39, 1639\u20131646 (1993)","journal-title":"IEEE Trans. Inf. Theory"},{"key":"9294_CR59","doi-asserted-by":"crossref","unstructured":"A. Menezes, T. Okamoto, S.A. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field, in STOC 91 (ACM, New York, 1992), pp. 80\u201389","DOI":"10.1145\/103418.103434"},{"key":"9294_CR60","doi-asserted-by":"crossref","unstructured":"A. Menezes, M. Qu, Analysis of the Weil descent attack of Gaudry, Hess and Smart, in Proceedings of CT-RSA 2001. LNCS, vol. 2020 (Springer, Berlin, 2001), pp. 308\u2013318","DOI":"10.1007\/3-540-45353-9_23"},{"key":"9294_CR61","unstructured":"A. Menezes, S.A. Vanstone, The implementation of elliptic curve cryptosystems, in Proceedings of AUSCRYPT 90. LNCS, vol. 453 (Springer, Berlin, 1990), pp. 2\u201313"},{"key":"9294_CR62","doi-asserted-by":"crossref","unstructured":"V. 
Miller, Uses of elliptic curves in cryptography, in Proceedings of CRYPTO 85. LNCS, vol. 218 (Springer, Berlin, 1985), pp. 417\u2013426","DOI":"10.1007\/3-540-39799-X_31"},{"key":"9294_CR63","doi-asserted-by":"publisher","first-page":"243","DOI":"10.1090\/S0025-5718-1987-0866113-7","volume":"48","author":"P Montgomery","year":"1987","unstructured":"P. Montgomery, Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48, 243\u2013264 (1987)","journal-title":"Math. Comput."},{"key":"9294_CR64","doi-asserted-by":"crossref","unstructured":"D. Naccache, N.P. Smart, J. Stern, Projective coordinates leak, in Proceedings of EUROCRYPT 2004. LNCS, vol. 3027 (Springer, Berlin, 2004), pp. 257\u2013267","DOI":"10.1007\/978-3-540-24676-3_16"},{"key":"9294_CR65","unstructured":"National Institute of Standards and Technology, Recommended elliptic curves for federal government use. NIST special publication (1999). http:\/\/csrc.nist.gov\/csrc\/fedstandards.html"},{"key":"9294_CR66","unstructured":"National Institute of Standards and Technology, FIPS PUB 186-4: Digital Signature Standard (DSS). Federal Information Processing Standards (2013). https:\/\/nvlpubs.nist.gov\/nistpubs\/FIPS\/NIST.FIPS.186-4.pdf"},{"key":"9294_CR67","unstructured":"National Security Agency, The case for elliptic curve cryptography, Oct 2005. https:\/\/web.archive.org\/web\/20051013062853\/ http:\/\/www.nsa.gov\/ia\/industry\/crypto_elliptic_curve.cfm?"},{"key":"9294_CR68","doi-asserted-by":"publisher","first-page":"201","DOI":"10.1023\/A:1025436905711","volume":"30","author":"PQ Nguyen","year":"2003","unstructured":"P.Q. Nguyen, I.E. Shparlinski, The insecurity of the elliptic curve digital signature algorithm with partially known nonces. Des. Codes Cryptogr. 30, 201\u2013217 (2003)","journal-title":"Des. Codes Cryptogr."},{"key":"9294_CR69","doi-asserted-by":"crossref","unstructured":"T. Oliveira, D.F. Aranha, J.L. Hernandez, F. 
Rodr\u00edguez-Henr\u00edquez, Fast point multiplication algorithms for binary elliptic curves with and without precomputation, in Proceedings of SAC 2014. LNCS, vol. 8781 (Springer, Berlin, 2014), pp. 324\u2013344","DOI":"10.1007\/978-3-319-13051-4_20"},{"key":"9294_CR70","unstructured":"T. Oliveira, D.F. Aranha, J. L\u00f3pez, F. Rodr\u00edguez-Henr\u00edquez, Improving the performance of the GLS254. Presentation at CHES 2016 rump session (2016)"},{"issue":"1","key":"9294_CR71","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/s13389-013-0069-z","volume":"4","author":"T Oliveira","year":"2014","unstructured":"T. Oliveira, J. L\u00f3pez, D.F. Aranha, F. Rodr\u00edguez-Henr\u00edquez, Two is the fastest prime: lambda coordinates for binary elliptic curves. J. Cryptogr. Eng. 4(1), 3\u201317 (2014)","journal-title":"J. Cryptogr. Eng."},{"key":"9294_CR72","unstructured":"T. Oliveira, J. L\u00f3pez, F. Rodr\u00edguez-Henr\u00edquez, The Montgomery ladder on binary elliptic curves. Cryptology ePrint Archive, Report 2017\/350 (2017). http:\/\/eprint.iacr.org\/2017\/350"},{"key":"9294_CR73","unstructured":"D. Page, Theoretical use of cache memory as a cryptanalytic side-channel. Cryptology ePrint Archive, Report 2002\/169 (2002). http:\/\/eprint.iacr.org\/"},{"key":"9294_CR74","unstructured":"G. Paoloni, How to benchmark code execution times on Intel IA-32 and IA-64 instruction set architectures. Technical report, Intel Corporation (2010)"},{"key":"9294_CR75","doi-asserted-by":"crossref","unstructured":"C. Petit, M. Kosters, A. Messeng, Algebraic approaches for the elliptic curve discrete logarithm problem over prime fields, in Proceedings of PKC 2016. LNCS, vol. 9615 (Springer, Berlin, 2016), pp. 3\u201318","DOI":"10.1007\/978-3-662-49387-8_1"},{"key":"9294_CR76","unstructured":"R. Sakai, K. Ohgishi, M. 
Kasahara, Cryptosystems based on pairing over elliptic curve (in Japanese), in The 2001 Symposium on Cryptography and Information Security (2001)"},{"key":"9294_CR77","unstructured":"R. Schroeppel, Cryptographic elliptic curve apparatus and method. US Patent 2002\/6490352 B1 (2000)"},{"key":"9294_CR78","unstructured":"M. Scott, Optimal irreducible polynomials for $$GF(2^m)$$ arithmetic. Cryptology ePrint Archive, Report 2007\/192 (2007). http:\/\/eprint.iacr.org\/"},{"key":"9294_CR79","unstructured":"I. Semaev, Summation polynomials and the discrete logarithm problem on elliptic curves. Cryptology ePrint Archive, Report 2004\/031 (2004). http:\/\/eprint.iacr.org\/2004\/031"},{"key":"9294_CR80","unstructured":"I. Semaev, New algorithm for the discrete logarithm problem on elliptic curves. Cryptology ePrint Archive, Report 2015\/310 (2015). http:\/\/eprint.iacr.org\/2015\/310"},{"key":"9294_CR81","doi-asserted-by":"crossref","unstructured":"J.A. Solinas, An improved algorithm for arithmetic on a family of elliptic curves, in Proceedings of CRYPTO 97. LNCS, vol. 1294 (Springer, Berlin, 1997), pp. 357\u2013371","DOI":"10.1007\/BFb0052248"},{"issue":"2\u20133","key":"9294_CR82","doi-asserted-by":"publisher","first-page":"195","DOI":"10.1023\/A:1008306223194","volume":"19","author":"JA Solinas","year":"2000","unstructured":"J.A. Solinas, Efficient arithmetic on Koblitz curves. Des. Codes Cryptogr. 19(2\u20133), 195\u2013249 (2000)","journal-title":"Des. Codes Cryptogr."},{"key":"9294_CR83","doi-asserted-by":"publisher","first-page":"134","DOI":"10.1007\/BF01404549","volume":"22","author":"J Tate","year":"1966","unstructured":"J. Tate, Endomorphisms of abelian varieties over finite fields. Invent. Math. 22, 134\u2013144 (1966)","journal-title":"Invent. Math."},{"key":"9294_CR84","doi-asserted-by":"crossref","unstructured":"J. Taverne, A. Faz-Hern\u00e1ndez, D.F. Aranha, F. Rodr\u00edguez-Henr\u00edquez, D. Hankerson, J. 
L\u00f3pez, Software implementation of binary elliptic curves: impact of the carry-less multiplier on scalar multiplication, in Proceedings of CHES 2011. LNCS, vol. 6917 (Springer, Berlin, 2011), pp. 108\u2013123","DOI":"10.1007\/978-3-642-23951-9_8"},{"key":"9294_CR85","unstructured":"W.R. Trost, G. Xu, On the optimal pre-computation of window $$\\tau $$-NAF for Koblitz curves. Cryptology ePrint Archive, Report 2014\/664 (2014). http:\/\/eprint.iacr.org\/"},{"key":"9294_CR86","unstructured":"Y. Tsunoo, E. Tsujihara, K. Minematsu, H. Miyauchi, Cryptanalysis of block ciphers implemented on computers with cache, in International Symposium on Information Theory and Its Applications (IEEE Information Theory Society, 2002), pp. 803\u2013806"},{"key":"9294_CR87","doi-asserted-by":"crossref","unstructured":"M.D. Velichka, M.J. Jacobson Jr., A. Stein, Computing discrete logarithms in the Jacobian of high-genus hyperelliptic curves over even characteristic finite fields. Math. Comput. 83(286), 935\u2013963 (2014)","DOI":"10.1090\/S0025-5718-2013-02748-2"},{"key":"9294_CR88","unstructured":"A. Weimerskirch, C. Paar, Generalizations of the Karatsuba algorithm for efficient implementations. Cryptology ePrint Archive, Report 2006\/224 (2006). http:\/\/eprint.iacr.org\/"},{"key":"9294_CR89","doi-asserted-by":"crossref","unstructured":"E. Wenger, P. Wolfger, Solving the discrete logarithm of a 113-Bit Koblitz curve with an FPGA cluster, in Proceedings of SAC 2014. LNCS, vol. 8781 (Springer, Berlin, 2014), pp. 363\u2013379","DOI":"10.1007\/978-3-319-13051-4_22"},{"issue":"4","key":"9294_CR90","doi-asserted-by":"publisher","first-page":"287","DOI":"10.1007\/s13389-015-0108-z","volume":"6","author":"E Wenger","year":"2016","unstructured":"E. Wenger, P. Wolfger, Harder, better, faster, stronger: elliptic curve discrete logarithm computations on FPGAs. J. Cryptogr. Eng. 6(4), 287\u2013297 (2016)","journal-title":"J. Cryptogr. 
Eng."},{"key":"9294_CR91","doi-asserted-by":"crossref","unstructured":"M.J. Wiener, R.J. Zuccherato, Faster attacks on elliptic curve cryptosystems, in Proceedings of SAC 98. LNCS, vol. 1556 (Springer, Berlin, 1999), pp. 190\u2013200","DOI":"10.1007\/3-540-48892-8_15"}],"container-title":["Journal of Cryptology"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-018-9294-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s00145-018-9294-z\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-018-9294-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,3]],"date-time":"2025-07-03T23:05:50Z","timestamp":1751583950000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s00145-018-9294-z"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,4,25]]},"references-count":91,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2019,7]]}},"alternative-id":["9294"],"URL":"https:\/\/doi.org\/10.1007\/s00145-018-9294-z","relation":{},"ISSN":["0933-2790","1432-1378"],"issn-type":[{"type":"print","value":"0933-2790"},{"type":"electronic","value":"1432-1378"}],"subject":[],"published":{"date-parts":[[2018,4,25]]},"assertion":[{"value":"21 December 2016","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"28 March 2018","order":2,"name":"revised","label":"Revised","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"25 April 2018","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"This content has been made 
available to all.","name":"free","label":"Free to read"}]}}