Skip to main content
×
×
Home
Topics in Computational Number Theory Inspired by Peter L. Montgomery

Book description

Peter L. Montgomery has made significant contributions to computational number theory, introducing many basic tools such as Montgomery multiplication, Montgomery simultaneous inversion, Montgomery curves, and the Montgomery ladder. This book features state-of-the-art research in computational number theory related to Montgomery's work and its impact on computational efficiency and cryptography. Topics cover a wide range of topics such as Montgomery multiplication for both hardware and software implementations; Montgomery curves and twisted Edwards curves as proposed in the latest standards for elliptic curve cryptography; and cryptographic pairings. This book provides a comprehensive overview of integer factorization techniques, including dedicated chapters on polynomial selection, the block Lanczos method, and the FFT extension for algebraic-group factorization algorithms. Graduate students and researchers in applied number theory and cryptography will benefit from this survey of Montgomery's work.

Refine List
Actions for selected content:
Select all | Deselect all
  • View selected items
  • Export citations
  • Download PDF (zip)
  • Send to Kindle
  • Send to Dropbox
  • Send to Google Drive
  • Send content to

    To send content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about sending content to .

    To send content items to your Kindle, first ensure no-reply@cambridge.org is added to your Approved Personal Document E-mail List under your Personal Document Settings on the Manage Your Content and Devices page of your Amazon account. Then enter the ‘name’ part of your Kindle email address below. Find out more about sending to your Kindle.

    Note you can select to send to either the @free.kindle.com or @kindle.com variations. ‘@free.kindle.com’ emails are free but can only be sent to your device when it is connected to wi-fi. ‘@kindle.com’ emails can be delivered even when you are not connected to wi-fi, but note that service fees apply.

    Find out more about the Kindle Personal Document Service.

    Please be advised that item(s) you selected are not available.
    You are about to send
    ×

Save Search

You can save your searches here and later view and run them again in "My saved searches".

Please provide a title, maximum of 40 characters.
×
Bibliography
[1] T., Acar and D., Shumow. Modular reduction without pre-computation for special moduli. Technical report, Microsoft Research, 2010. (Cited on page 24.)
[2] L. M., Adleman. A subexponential algorithm for the discrete logarithm problem with applications to cryptography. In Proceedings of the 20th Annual Symposium on Foundations of Computer Science, SFCS 79, pages 55–60, Washington, DC, USA, 1979. IEEE Computer Society. (Cited on pages 139 and 140.)
[3] L. M., Adleman. Factoring numbers using singular integers. In Proceedings of the 23rd Annual ACMSymposium on Theory of Computing, May 5–8, 1991, New Orleans, Louisiana, USA, pages 64–71, 1991. (Cited on pages 154 and 155.)
[4] L. M., Adleman. The story of sneakers, the movie and Len Adleman the mathematician. URL: http://www.usc.edu/dept/molecular-science/fm-sneakers.htm, 199. (accessed April 20, 2017). (Cited on page 139.)
[5] A. V., Aho, J. E., Hopcroft, and J. D., Ullman. The Design and Analysis of Computer Algorithms. Addison-Wesley, Reading, MA, 1974. (Cited on pages 195 and 196.)
[6] H., Aigner, H., Bock, M., Hütter, and J., Wolkerstorfer. A low-cost ECC coprocessor for smartcards. In M., Joye and J.-J., Quisquater, editors, Cryptographic Hardware and Embedded Systems – CHES 2004, volume 3156 of Lecture Notes in Computer Science, pages 107–118. Springer, Heidelberg, Aug. 2004. (Cited on page 40.)
[7] T., Akishita. Fast simultaneous scalar multiplication on elliptic curve with Montgomery form. In S., Vaudenay and A. M., Youssef, editors, SAC 2001: 8th Annual International Workshop on Selected Areas in Cryptography, volume 2259 of Lecture Notes in Computer Science, pages 255–267. Springer, Heidelberg, Aug. 2001. (Cited on page 108.)
[8] W. R., Alford and C., Pomerance. Implementing the self-initializing quadratic sieve on a distributed network. In A. J., van der Poorten, I., Shparlinski, and H. G., Zimmer, editors, Number Theoretic and AlgebraicMethods in Computer Scienc. (Moscow 1993), pages 163–174. World Scientific, 1995. (Cited on pages 135 and 137.)
[9] A., Ambainis, Y., Filmus, and F., Le Gall. Fast matrix multiplication: Limitations of the Coppersmith-Winograd method. In R. A., Servedio and R., Rubinfeld, editors, Proceedings of the Forty-Seventh Annual ACM on Symposium on Theory of Computing, STOC 2015, Portland, OR, USA, June 14–17, 2015, pages 585–593. ACM, 2015. (Cited on page 123.)
[10] S., Antão, J.-C., Bajard, and L. Sousa. RNS-based elliptic curve point multiplication for massive parallel architectures. The Computer Journal, 55 (5):629–647, 2012. (Cited on page 37.)
[11] D. F., Aranha, P. S. L.M., Barreto, P., Longa, and J. E., Ricardini. The realm of the pairings. In T., Lange, K., Lauter, and P., Lisonek, editors, SAC 2013: 20th Annual InternationalWorkshop on Selected Areas in Cryptography, volume 8282 of Lecture Notes in Computer Science, pages 3–25. Springer, Heidelberg, Aug. 2014. (Cited on pages 207 and 215.)
[12] D. F., Aranha, L., Fuentes-Castañeda, E., Knapp, A., Menezes, and F., Rodríguez- Henríquez. Implementing pairings at the 192-bit security level. In M., Abdalla and T., Lange, editors, Pairing-Based Cryptography – Pairing 2012, volume 7708 of Lecture Notes in Computer Science, pages 177–195. Springer, 2012. (Cited on page 207.)
[13] D. F., Aranha, K., Karabina, P., Longa, C. H., Gebotys, and J., López. Faster explicit formulas for computing pairings over ordinary curves. In K. G., Paterson, editor, Advances in Cryptology – EUROCRYPT 2011, volume 6632 of Lecture Notes in Computer Science, pages 48–68. Springer, Heidelberg, May 2011. (Cited on pages 207 and 215.)
[14] C., Arène, T., Lange, M., Naehrig, and C., Ritzenthaler. Faster computation of the Tate pairing. Journal of Number Theory, 131 (5):842–857, 2011. (Cited on pages 221 and 222.)
[15] D., Atkins, M., Graff, A. K., Lenstra, and P. C., Leyland. The magic words are squeamish ossifrage. In J., Pieprzyk and R., Safavi-Naini, editors, Advances in Cryptology – ASIACRYPT'94, volume 917 of Lecture Notes in Computer Science, pages 263–277. Springer, Heidelberg, Nov. / Dec. 1995. (Cited on pages 135 and 153.)
[16] R. M., Avanzi, H., Cohen, C., Doche, G., Frey, T., Lange, K., Nguyen, and F., Vercauteren. Handbook of Elliptic and Hyperelliptic Curve Cryptography. Chapman & Hall/CRC Press, 2005. (Cited on pages 90, 244, and 245.)
[17] E., Bach and J., Shallit. Factoring with cyclotomic polynomials. Mathematics of Computation, 52:201–219, 1989. (Cited on page 116.)
[18] S., Bai, C., Bouvier, A., Kruppa, and P., Zimmermann. Better polynomials for GNFS. Mathematics of Computation, pages 1–12, December 2015. (Cited on page 174.)
[19] S., Bai, R. P., Brent, and E., Thomé. Root optimization of polynomials in the number field sieve. Mathematics of Computation, 84(295), 2015. (Cited on page 173.)
[20] D. V., Bailey, L., Batina, D. J., Bernstein, P., Birkner, J. W., Bos, H.-C., Chen, C.- M., Cheng, G., van Damme, G., de Meulenaer, L. J. D., Perez, J., Fan, T., Güneysu, F., Gurkaynak, T., Kleinjung, T., Lange, N., Mentens, R., Niederhagen, C., Paar, F., Regazzoni, P., Schwabe, L., Uhsadel, A. V., Herrewege, and B.-Y., Yang. Breaking ECC2K-130. Cryptology ePrint Archive, Report 2009/541, 2009. http:// eprint.iacr.org/2009/54. (accessed May 3, 2017). (Cited on page 9.)
[21] D. V., Bailey and C., Paar. Efficient arithmetic in finite field extensions with application in elliptic curve cryptography. Journal of Cryptology, 14 (3):153–176, 2001. (Cited on page 215.)
[22] J., Bajard, M. E., Kaihara, and T., Plantard. Selected RNS bases for modular multiplication. In J. D., Bruguera, M., Cornea, D. D., Sarma, and J., Harrison, editors, 19th IEEE Symposium on Computer Arithmetic – ARITH 2009, pages 25–32. IEEE Computer Society, 2009. (Cited on page 37.)
[23] J.-C., Bajard, L.-S., Didier, and P., Kornerup. An RNS montgomery modular multiplication algorithm. IEEE Trans. Computers, 47 (7):766–776, 1998. (Cited on page 36.)
[24] J.-C., Bajard and L., Imbert. A full RNS implementation of RSA. IEEE Transactions on Computers, 53(6):769–774, June 2004. (Cited on page 37.)
[25] S., Baktir and B., Sunar. Optimal tower fields. IEEE Transactions on Computers, 53 (10):1231–1243, 2004. (Cited on page 218.)
[26] R., Barbulescu, J.W., Bos, C., Bouvier, T., Kleinjung, and P. L., Montgomery. Finding ECM-friendly curves through a study of Galois properties. The Open Book Series – Proceedings of the Tenth Algorithmic Number Theory Symposium, pages 63–86, 2013. (Cited on pages 4 and 94.)
[27] R., Barbulescu, P., Gaudry, A., Joux, and E., Thomé. A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In P. Q., Nguyen and E., Oswald, editors, Advances in Cryptology – EUROCRYPT 2014, volume 8441 of Lecture Notes in Computer Science, pages 1–16. Springer, Heidelberg, May 2014. (Cited on page 140.)
[28] R., Barbulescu and A., Lachand. Some mathematical remarks on the polynomial selection in NFS. Mathematics of Computation, 86 (303):397–418, 2017. (Cited on page 172.)
[29] P. S. L. M, Barreto, H. Y., Kim, B., Lynn, and M., Scott. Efficient algorithms for pairing-based cryptosystems. In M., Yung, editor, Advances in Cryptology – CRYPTO 2002, volume 2442 of Lecture Notes in Computer Science, pages 354– 368. Springer, Heidelberg, Aug. 2002. (Cited on pages 207, 210, 212, and 231.)
[30] P. S. L.M., Barreto, B., Lynn, and M., Scott. Efficient implementation of pairingbased cryptosystems. Journal of Cryptology, 17(4):321–334, Sept. 2004. (Cited on pages 210, 212, and 231.)
[31] P., Barrett. Implementing the Rivest Shamir and Adleman public key encryption algorithm on a standard digital signal processor. In A. M., Odlyzko, editor, Advances in Cryptology – CRYPTO'86, volume 263 of Lecture Notes in Computer Science, pages 311–323. Springer, Heidelberg, Aug. 1987. (Cited on pages 11 and 48.)
[32] C., Baum. The System Builders: The Story of SDC. System Development Corporation, 1981. (Cited on pages 4 and 5.)
[33] N., Benger and M., Scott. Constructing tower extensions of finite fields for implementation of pairing-based cryptography. In M. A., Hasan and T., Helleseth, editors, Arithmetic of Finite Fields, Third International Workshop, WAIFI 2010, Istanbul, Turkey, June 27-30, 2010. Proceedings, volume 6087 of Lecture Notes in Computer Science, pages 180–195. Springer, 2010. (Cited on page 215.)
[34] E. R., Berlekamp. Algebraic coding theory. McGraw-Hill, 1968. (Cited on page 3.)
[35] D. J., Bernstein. Curve25519: New Diffie-Hellman speed records. In M., Yung, Y., Dodis, A., Kiayias, and T., Malkin, editors, PKC 2006: 9th International Conference on Theory and Practice of Public Key Cryptography, volume 3958 of 238 Bibliography Lecture Notes in Computer Science, pages 207–228. Springer, Heidelberg, Apr. 2006. (Cited on pages 23, 83, 94, 98, and 106.)
[36] D. J., Bernstein. Differential addition chains, 2006. https://cr.yp.to/papers.html# diffchai. (accessed May 3, 2017). (Cited on pages 108 and 114.)
[37] D. J., Bernstein, P., Birkner, M., Joye, T., Lange, and C., Peters. Twisted Edwards curves. In S., Vaudenay, editor, AFRICACRYPT 08: 1st International Conference on Cryptology in Africa, volume 5023 of Lecture Notes in Computer Science, pages 389–405. Springer, Heidelberg, June 2008. (Cited on page 90.)
[38] D. J., Bernstein, P., Birkner, T., Lange, and C., Peters. ECM using Edwards curves. Mathematics of Computation, 82 (282):1139–1179, 2013. (Cited on page 190.)
[39] D. J., Bernstein, C., Chuengsatiansup, D., Kohel, and T., Lange. Twisted Hessian curves. In K. E., Lauter and F., Rodríguez-Henríquez, editors, Progress in Cryptology - LATINCRYPT 2015: 4th International Conference on Cryptology and Information Security in Latin America, volume 9230 of Lecture Notes in Computer Science, pages 269–294. Springer, Heidelberg, Aug. 2015. (Cited on page 97.)
[40] D. J., Bernstein, C., Chuengsatiansup, and T., Lange. Curve41417: Karatsuba revisited. In L., Batina and M., Robshaw, editors, Cryptographic Hardware and Embedded Systems – CHES 2014, volume 8731 of Lecture Notes in Computer Science, pages 316–334. Springer, Heidelberg, Sept. 2014. (Cited on page 94.)
[41] D. J., Bernstein, C., Chuengsatiansup, T., Lange, and P., Schwabe. Kummer strikes back: New DH speed records. In P., Sarkar and T., Iwata, editors, Advances in Cryptology – ASIACRYPT 2014, Part I, volume 8873 of Lecture Notes in Computer Science, pages 317–337. Springer, Heidelberg, Dec. 2014. (Cited on page 83.)
[42] D. J., Bernstein, N., Duif, T., Lange, P., Schwabe, and B.-Y., Yang. High-speed high-security signatures. In B., Preneel and T., Takagi, editors, Cryptographic Hardware and Embedded Systems – CHES 2011, volume 6917 of Lecture Notes in Computer Science, pages 124–142. Springer, Heidelberg, Sept. / Oct. 2011. (Cited on pages 83 and 94.)
[43] D. J., Bernstein, S., Josefsson, T., Lange, P., Schwabe, and B.-Y., Yang. EdDSA for more curves. Cryptology ePrint Archive, Report 2015/677, 2015. http://eprint .iacr.org/2015/67. (accessed May 3, 2017). (Cited on page 94.)
[44] D. J., Bernstein and T., Lange. Faster addition and doubling on elliptic curves. In K., Kurosawa, editor, Advances in Cryptology – ASIACRYPT 2007, volume 4833 of Lecture Notes in Computer Science, pages 29–50. Springer, Heidelberg, Dec. 2007. (Cited on pages 90 and 91.)
[45] D. J., Bernstein and T., Lange. YZ coordinates with square d for Edwards curves, 2009. https://hyperelliptic.org/EFD/g1p/auto-edwards-yz.htm. (accessedMay 3, 2017). (Cited on page 97.)
[46] D. J., Bernstein and T., Lange. A complete set of addition laws for incomplete Edwards curves. Journal of Number Theory, 131:858–872, 2011. (Cited on page 91.)
[47] D. J., Bernstein and T., Lange. SafeCurves: choosing safe curves for elliptic-curve cryptography, 2014. https://safecurves.cr.yp.t. (accessed May 3, 2017). (Cited on page 94.)
[48] D. J., Bernstein and T., Lange. Explicit-Formulas Database, 2016. https:// hyperelliptic.org/EF. (accessed May 3, 2017). (Cited on pages 83, 220, and 223.)
[49] D. J., Bernstein and A. K., Lenstra. A general number field sieve implementation. pages 103–126 in [234], 1992. (Cited on pages 149, 152, and 156.)
[50] G., Bertoni, J., Guajardo, and G., Orlando. Systolic and scalable architectures for digit-serial multiplication in fields GF(pm). In T., Johansson and S., Maitra, editors, Progress in Cryptology - INDOCRYPT 2003: 4th International Conference in Cryptology in India, volume 2904 of Lecture Notes in Computer Science, pages 349–362. Springer, Heidelberg, Dec. 2003. (Cited on pages 40 and 67.)
[51] J.-L., Beuchat, J. E., González-Díaz, S., Mitsunari, E., Okamoto, F., Rodríguez- Henríquez, and T., Teruya. High-speed software implementation of the optimal ate pairing over Barreto-Naehrig curves. In M., Joye, A., Miyaji, and A., Otsuka, editors, PAIRING 2010: 4th International Conference on Pairing-based Cryptography, volume 6487 of Lecture Notes in Computer Science, pages 21–39. Springer, Heidelberg, Dec. 2010. (Cited on pages 207 and 215.)
[52] K., Bigou and A., Tisserand. Single base modular multiplication for efficient hardware RNS implementations of ECC. In T., Güneysu and H., Handschuh, editors, Cryptographic Hardware and Embedded Systems – CHES 2015, volume 9293 of Lecture Notes in Computer Science, pages 123–140. Springer, Heidelberg, Sept. 2015. (Cited on page 37.)
[53] I. F., Blake, G., Seroussi, and N., P. Smart, editors. Elliptic Curves in Cryptography. Cambridge University Press, 1999. (Cited on page 208.)
[54] I. F., Blake, G., Seroussi, and N., P. Smart, editors. Advances in Elliptic Curve Cryptography. Cambridge University Press, 2005. (Cited on page 246.)
[55] D., Bleichenbacher. Efficiency and security of cryptosystems based on number theory. PhD thesis, ETH Zürich, 1996. https://cr.yp.to/bib/1996/bleichenbacher-thesis.pdf. (accessedMay 3, 2017). (Cited on pages 112 and 113.)
[56] L., Bluestein. A linear filtering approach to the computation of discrete Fourier transform. IEEE Transactions on Audio and Electroacoustics, 18 (4):451–455, 1970. (Cited on page 202.)
[57] D., Boneh, G., Di Crescenzo, R., Ostrovsky, and G., Persiano. Public key encryption with keyword search. In C., Cachin and J., Camenisch, editors, Advances in Cryptology – EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pages 506–522. Springer, Heidelberg, May 2004. (Cited on page 226.)
[58] D., Boneh and M., K Franklin. Identity-based encryption from the Weil pairing. In J., Kilian, editor, Advances in Cryptology – CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 213–229. Springer, Heidelberg, Aug. 2001. (Cited on page 206.)
[59] D., Boneh, E.-J, Goh, and K., Nissim. Evaluating 2-DNF formulas on ciphertexts. In J., Kilian, editor, TCC 2005: 2nd Theory of Cryptography Conference, volume 3378 of Lecture Notes in Computer Science, pages 325–341. Springer, Heidelberg, Feb. 2005. (Cited on page 206.)
[60] D., Boneh, B., Lynn, and H., Shacham. Short signatures from the Weil pairing. In C., Boyd, editor, Advances in Cryptology – ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pages 514–532. Springer, Heidelberg, Dec. 2001. (Cited on page 206.)
[61] D., Boneh, B., Lynn, and H., Shacham. Short signatures from the Weil pairing. Journal of Cryptology, 17(4):297–319, Sept. 2004. (Cited on page 206.)
[62] D., Boneh, A., Sahai, and B, Waters. Functional encryption: Definitions and challenges. In Y., Ishai, editor, TCC 2011: 8th Theory of Cryptography Conference, volume 6597 of Lecture Notes in Computer Science, pages 253–273. Springer, Heidelberg, Mar. 2011. (Cited on page 206.)
[63] J. W., Bos. High-performance modular multiplication on the Cell processor. In M. A., Hasan and T., Helleseth, editors, Workshop on the Arithmetic of Finite Fields – WAIFI 2010, volume 6087 of Lecture Notes in Computer Science, pages 7–24. Springer, 2010. (Cited on pages 27 and 32.)
[64] J. W., Bos, C., Costello, H., Hisil, and K., Lauter. Fast cryptography in genus 2. In T., Johansson and P. Q., Nguyen, editors, Advances in Cryptology – EUROCRYPT 2013, volume 7881 of Lecture Notes in Computer Science, pages 194– 210. Springer, Heidelberg, May 2013. (Cited on pages 23 and 24.)
[65] J. W., Bos, C., Costello, H., Hisil, and K., Lauter. High-performance scalar multiplication using 8-dimensional GLV/GLS decomposition. In G., Bertoni and J.-S., Coron, editors, Cryptographic Hardware and Embedded Systems – CHES 2013, volume 8086 of Lecture Notes in Computer Science, pages 331–348. Springer, Heidelberg, Aug. 2013. (Cited on page 24.)
[66] J. W., Bos, C., Costello, P., Longa, and M., Naehrig. Selecting elliptic curves for cryptography: an efficiency and security analysis. J. Cryptographic Engineering, 6 (4):259–286, 2016. (Cited on page 25.)
[67] J. W., Bos and M. E., Kaihara. Montgomery multiplication on the Cell. In R, Wyrzykowski, J., Dongarra, K., Karczewski, and J., Wasniewski, editors, Parallel Processing and Applied Mathematics – PPAM 2009, volume 6067 of Lecture Notes in Computer Science, pages 477–485. Springer, Heidelberg, 2010. (Cited on pages 31 and 35.)
[68] J.W., Bos, M. E., Kaihara, T., Kleinjung, A. K., Lenstra, and P. L, Montgomery. On the security of 1024-bit RSA and 160-bit elliptic curve cryptography. Cryptology ePrint Archive, Report 2009/389, 2009. http://eprint.iacr.org. (accessed May 3, 2017). (Cited on page 4.)
[69] J. W., Bos, M. E., Kaihara, T., Kleinjung, A. K., Lenstra, and P. L., Montgomery. Solving a 112-bit prime elliptic curve discrete logarithm problem on game consoles using sloppy reduction. International Journal of Applied Cryptography, 2 (3):212–228, 2012. (Cited on pages 4, 9, and 32.)
[70] J. W., Bos, M. E., Kaihara, and P. L., Montgomery. Pollard rho on the PlayStation 3. In Special-purposeHardware for Attacking Cryptographic Systems – SHARCS 2009, pages 35–50, 2009. http://www.hyperelliptic.org/tanja/SHARCS/record2.pdf. (accessed May 3, 2017). (Cited on page 4.)
[71] J. W., Bos, T., Kleinjung, A. K., Lenstra, and P. L., Montgomery. Efficient SIMD arithmetic modulo a Mersenne number. In E., Antelo, D., Hough, and P., Ienne, editors, IEEE Symposium on Computer Arithmetic – ARITH-20, pages 213–221. IEEE Computer Society, 2011. (Cited on pages 4, 23, and 199.)
[72] J. W., Bos, T., Kleinjung, R., Niederhagen, and P., Schwabe. ECC2K-130 on cell CPUs. In D. J., Bernstein and T., Lange, editors, AFRICACRYPT 10: 3rd International Conference on Cryptology in Africa, volume 6055 of Lecture Notes in Computer Science, pages 225–242. Springer, Heidelberg, May 2010. (Cited on page 32.)
[73] J. W., Bos, P. L., Montgomery, D., Shumow, and G. M., Zaverucha. Montgomery multiplication using vector instructions. In T., Lange, K., Lauter, and P., Lisonek, editors, SAC 2013: 20th Annual International Workshop on Selected Areas in Cryptography, volume 8282 of Lecture Notes in Computer Science, pages 471–489. Springer, Heidelberg, Aug. 2014. (Cited on pages 4, 26, 27, 28, and 30.)
[74] J.W., Bos and D., Stefan. Performance analysis of the SHA-3 candidates on exotic multi-core architectures. In S., Mangard and F.-X., Standaert, editors, Cryptographic Hardware and Embedded Systems – CHES 2010, volume 6225 of Lecture Notes in Computer Science, pages 279–293. Springer, Heidelberg, Aug. 2010. (Cited on page 32.)
[75] A., Bosselaers, R., Govaerts, and J., Vandewalle. Comparison of three modular reduction functions. In D. R., Stinson, editor, Advances in Cryptology – CRYPTO'93, volume 773 of Lecture Notes in Computer Science, pages 175–186. Springer, Heidelberg, Aug. 1994. (Cited on page 12.)
[76] R. P., Brent. New factors of Mersenne number. (preliminary report), II. AMS Abstracts, 3:132, 82T–10–22, 1982. (Cited on page 199.)
[77] R. P., Brent. Some integer factorization algorithms using elliptic curves. Australian Computer Science Communications, 8:149–163, 1986. (Cited on page 189.)
[78] R. P., Brent, P. L., Montgomery, H. J., J te Riele., H., Boender, M., Elkenbracht- Huizing, R., Silverman, and T., Sosnowski. Factorizations of an ± 1, 13 ≤ a 100: Update 2, 1996. (Cited on pages 7 and 148.)
[79] R. P., Brent and J. M., Pollard. Factorization of the eighth Fermat number. Mathematics of Computation, 36 (154):627–630, 1981. (Cited on pages 116 and 129.)
[80] R. P., Brent and P., Zimmermann. Modern Computer Arithmetic. Cambridge University Press, 2010. (Cited on pages 24 and 197.)
[81] E. F., Brickell. A fast modular multiplication algorithm with application to two key cryptography. In D., Chaum, R. L., Rivest, and A. T., Sherman, editors, Advances in Cryptology – CRYPTO'82, pages 51–60. Plenum Press, New York, USA, 1982. (Cited on page 27.)
[82] J., Brillhart, D. H., Lehmer, J. L., Selfridge, B., Tuckerman, and S. S., Wagstaff Jr. Factorizations of bn ± 1, b = 2, 3, 5, 6, 7, 10, 11, 12 Up to High Powers, volume 22 of Contemporary Mathematics. American Mathematical Society, First edition, 1983, Second edition, 1988, Third edition, 2002. Electronic book available at: http://homes.cerias.purdue.edu/∼ssw/cun/index.htm. (accessed May 3, 2017), 1983. (Cited on pages 117, 128, 145, and 146.)
[83] J., Buchmann, J., Loho, and J., Zayer. An implementation of the general number field sieve. In D. R., Stinson, editor, Advances in Cryptology – CRYPTO'93, volume 773 of Lecture Notes in Computer Science, pages 159–165. Springer, Heidelberg, Aug. 1994. (Cited on pages 149, 152, and 153.)
[84] J. P., Buhler, H. W., Lenstra Jr., and C., Pomerance. Factoring integers with the number field sieve. pages 50–94 in [234], 1992. (Cited on pages 139, 141, 152, 153, 154, 155, 156, and 164.)
[85] J. P., Buhler, P., Montgomery, R., Robson, and R., Ruby. Technical report implementing the number field sieve. Oregon State University, Corvallis, OR, 1994. (Cited on page 166.)
[86] E., Canfield, P., Erdös, and C., Pomerance. On a problem of Oppenheim concerning “Factorisatio Numerorum.”. J. Number Theory, 17:1–28, 1983. (Cited on page 119.)
[87] D. G., Cantor and H., Zassenhaus. A new algorithm for factoring polynomials over finite fields. Mathematics of Computation, 36:587–592, 1981. (Cited on page 3.)
[88] T. R., Caron and R. D., Silverman. Parallel implementation of the quadratic sieve. J. Supercomput., 1:273–290, 1988. (Cited on pages 116, 135, and 136.)
[89] S., Cavallar. Strategies in filtering in the number field sieve. In W., Bosma, editor, ANTS, volume 1838 of Lecture Notes in Computer Science, pages 209–231. Springer, 2000. (Cited on pages 7, 124, and 125.)
[90] S., Cavallar. On the number field sieve integer factorisation algorithm. PhD thesis, Leiden University, 2002. (Cited on pages 7, 124, and 125.)
[91] S., Cavallar, B., Dodson, A. K., Lenstra, P. C., Leyland, W. M., Lioen, P. L., Montgomery, B., Murphy, H., te Riele, and P., Zimmermann. Factorization of RSA-140 using the number field sieve. In K.-Y., Lam, E., Okamoto, and C., Xing, editors, Advances in Cryptology – ASIACRYPT'99, volume 1716 of Lecture Notes in Computer Science, pages 195–207. Springer, Heidelberg, Nov. 1999. (Cited on pages 4 and 171.)
[92] S., Cavallar, B., Dodson, A. K., Lenstra, W. M., Lioen, P. L., Montgomery, B., Murphy, H., te Riele, K., Aardal, J., Gilchrist, G., Guillerm, P. C., Leyland, J., Marchand, F., Morain, A., Muffett, C., Putnam, C., Putnam, and P., Zimmermann. Factorization of a 512-bit RSA modulus. In B., Preneel, editor, Advances in Cryptology – EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pages 1–18. Springer, Heidelberg, May 2000. (Cited on pages 4, 124, 148, 153, and 176.)
[93] Ç. K., Koç, T., Acar, and B. S., Kaliski Jr. Analyzing and comparing Montgomery multiplication algorithms. IEEE Micro, 16 (3):26–33, 1996. (Cited on pages 16 and 47.)
[94] D., Chaum. Blind signatures for untraceable payments. In D., Chaum, R. L., Rivest, and A. T., Sherman, editors, Advances in Cryptology – CRYPTO'82, pages 199– 203. Plenum Press, New York, USA, 1982. (Cited on page 77.)
[95] H.-C., Chen, C.-M., Cheng, S.-H., Hung, and Z.-C., Lin. Integer number crunching on the Cell processor. International Conference on Parallel Processing, pages 508–515, 2010. (Cited on page 32.)
[96] S. Y., Chiou and C. S., Laih. An efficient algorithm for computing the Luc chain. IEE Proceedings on Computers and Digital Techniques, 147:263–265, 2000. (Cited on page 112.)
[97] T., Chou. Sandy2x: New Curve25519 speed records. In O., Dunkelman and L., Keliher, editors, Selected Areas in Cryptography – SAC 2015, volume 9566 of Lecture Notes in Computer Science, pages 145–160. Springer, 2016. (Cited on page 94.)
[98] J., Chung and M. A., Hasan. Montgomery reduction algorithm for modular multiplication using low-weight polynomial form integers. In 18th IEEE Symposium on Computer Arithmeti. (ARITH-18), pages 230–239. IEEE Computer Society, 2007. (Cited on page 25.)
[99] M., Ciet, M., Joye, K., Lauter, and P. L., Montgomery. Trading inversions for multiplications in elliptic curve cryptography. Des. Codes Cryptography, 39(2):189– 206, 2006. (Cited on pages 4 and 228.)
[100] S., Circle. Blackphone website, 2017. (Cited on page 95.)
[101] S., Contini. Factoring integers with the self-initializing quadratic sieve. Masters Thesis, U. Georgia, 1997. (Cited on page 137.)
[102] S., Cook. On the minimum computation time of functions. PhD thesis, Harvard University, 1966. (Cited on page 15.)
[103] D., Coppersmith. Fast evaluation of logarithms in fields of characteristic two. IEEE Transactions on Information Theory, 30:587–594, 1984. (Cited on page 140.)
[104] D., Coppersmith. Modifications to the number field sieve. Journal of Cryptology, 6 (3):169–180, 1993. (Cited on pages 117, 146, 153, 158, and 159.)
[105] D., Coppersmith. Solving linear equations over GF(2): Block Lanczos algorithm. Linear Algebra Appl., 192:33–60, Jan. 1993. (Cited on page 179.)
[106] D., Coppersmith. Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm. Mathematics of Computation, 62 (205):333–350, 1994. (Cited on pages 7, 123, 187, and 188.)
[107] D., Coppersmith, A. M., Odlyzko, and R., Schroeppel. Discrete logarithms in GF(p). Algorithmica, 1 (1):1–15, 1986. (Cited on pages 123, 137, 139, 144, and 145.)
[108] D., Coppersmith and S., Winograd. Matrix multiplication via arithmetic progressions. J. Symbolic Comput., 9:251–280, 1990. (Cited on page 123.)
[109] C., Costello, H., Hisil, C., Boyd, J. M., Gonz ález Nieto, and K. K.-H., Wong. Faster pairings on special Weierstrass curves. In H., Shacham and B., Waters, editors, PAIRING 2009: 3rd International Conference on Pairing-based Cryptography, volume 5671 of Lecture Notes in Computer Science, pages 89–101. Springer, Heidelberg, Aug. 2009. (Cited on pages 221 and 222.)
[110] C., Costello, T., Lange, and M., Naehrig. Faster pairing computations on curves with high-degree twists. In P. Q., Nguyen and D., Pointcheval, editors, PKC 2010: 13th International Conference on Theory and Practice of Public Key Cryptography, volume 6056 of Lecture Notes in Computer Science, pages 224–242. Springer, Heidelberg, May 2010. (Cited on pages 220, 221, and 222.)
[111] N., Costigan and P., Schwabe. Fast elliptic-curve cryptography on the cell broadband engine. In B., Preneel, editor, AFRICACRYPT 09: 2nd International Conference on Cryptology in Africa, volume 5580 of Lecture Notes in Computer Science, pages 368–385. Springer, Heidelberg, June 2009. (Cited on page 32.)
[112] N., Costigan and M., Scott. Accelerating SSL using the vector processors in IBM's cell broadband engine for sony's playstation 3. Cryptology ePrint Archive, Report 2007/061, 2007. http://eprint.iacr.org/2007/06. (accessed May 4, 2017). (Cited on page 32.)
[113] J.-M., Couveignes. Computing a square root for the number field sieve. pages 95–102 in[234], 1992. (Cited on pages 8 and 156.)
[114] J., Cowie, B., Dodson, R. M., Elkenbracht-Huizing, A. K., Lenstra, P. L., Montgomery, and J., Zayer. A world wide number field sieve factoring record: On to 512 bits. In K., Kim and T., Matsumoto, editors, Advances in Cryptology – ASIACRYPT' 96, volume 1163 of Lecture Notes in Computer Science, pages 382– 394. Springer, Heidelberg, Nov. 1996. (Cited on page 153.)
[115] N., Coxon. Montgomery's method of polynomial selection for the number field sieve. Linear Algebra and its Applications, 485:72–102, 2015. (Cited on page 168.)
[116] A. J. C., Cunningham and H. J., Woodall. Factorizations of yn ± 1, y = 2, 3, 5, 6, 7, 10, 11, 12 up to high powers. Frances Hodgson, London, 1925. (Cited on pages 117, 145, and 146.)
[117] J. A., Davis, D. B., Holdridge, and G. J., Simmons. Status report on factorin. (at the Sandia national laboratories). In T., Beth, N., Cot, and I., Ingemarsson, editors, Advances in Cryptology – EUROCRYPT'84, volume 209 of Lecture Notes in Computer Science, pages 183–215. Springer, Heidelberg, Apr. 1985. (Cited on pages 133 and 134.)
[118] N., De Bruijn. On the number of positive integers ≤. x and free of prime factors y, ii. Indag. Math., 38:239–247, 1966. (Cited on page 119.)
[119] M., Delcourt, T., Kleinjung, and A. K., Lenstra. Analyses of number field sieve variants. manuscript in preparation, 2017. (Cited on page 159.)
[120] R. L., Dennis. Security in the computing environment. Technical Report SP2440/000/01, System Development Corporation, August 18 1966. (page 16). (Cited on page 76.)
[121] T. F., Denny, B., Dodson, A. K., Lenstra, and M. S., Manasse. On the factorization of RSA-120. In D. R., Stinson, editor, Advances in Cryptology – CRYPTO'93, volume 773 of Lecture Notes in Computer Science, pages 166–174. Springer, Heidelberg, Aug. 1994. (Cited on page 153.)
[122] J., Dhem. Modified version of the Barrett algorithm. Technical report, DICE, Université Catholique de Louvain, 1994. (Cited on page 48.)
[123] J., Dhem. Design of an efficient public-key cryptographic library for RISC-based smart cards. PhD thesis, Université Catholique de Louvain, 1998. (Cited on page 48.)
[124] J., Dhem and J., Quisquater. Recent results on modular multiplications for smart cards. In Smart Card Research and Applications, CARDIS 98, volume 1820 of LNCS, pages 336–352. Springer-Verlag, 1998. (Cited on page 48.)
[125] T., Dierks and E., Rescorla. The transport layer securit. (TLS) protocol version 1.2. RFC 5246 (Proposed Standard), http://www.ietf.org/rfc/rfc5246.txt (accessed May 4, 2017), 2008. (Cited on page 94.)
[126] W., Diffie and M., E Hellman. Newdirections in cryptography. IEEE Transactions on Information Theory, 22 (6):644–654, 1976. (Cited on pages 40 and 93.)
[127] B., Dixon and A., K Lenstra. Massively parallel elliptic curve factoring. In R. A., Rueppel, editor, Advances in Cryptology – EUROCRYPT'92, volume 658 of Lecture Notes in Computer Science, pages 183–193. Springer, Heidelberg, May 1993. (Cited on pages 24 and 27.)
[128] J. D., Dixon. Asymptotically fast factorization of integers. Mathematics of Computation, 36 (153):255–260, 1981. (Cited on page 127.)
[129] C., Doche. Finite Field Arithmetic, chapter 11 in [16], pages 201–237. CRC press, 2005. (Cited on pages 215 and 218.)
[130] C., Doche, T., Icart, and D. R., Kohel. Efficient scalar multiplication by isogeny decompositions. In M., Yung, Y., Dodis, A., Kiayias, and T., Malkin, editors, PKC 2006: 9th International Conference on Theory and Practice of Public Key Cryptography, volume 3958 of Lecture Notes in Computer Science, pages 191– 206. Springer, Heidelberg, Apr. 2006. (Cited on page 97.)
[131] B., Dodson and A., K Lenstra. NFS with four large primes: An explosive experiment. In D., Coppersmith, editor, Advances in Cryptology – CRYPTO'95, volume 963 of Lecture Notes in Computer Science, pages 372–385. Springer, Heidelberg, Aug. 1995. (Cited on pages 152 and 153.)
[132] S., Duquesne and G., Frey. Background on Pairings, chapter 6 in [16], pages 115– 124. CRC press, 2005. (Cited on page 208.)
[133] S., Duquesne and G., Frey. Implementation of Pairings, chapter 16 in [16], pages 389–404. CRC press, 2005. (Cited on page 208.)
[134] S. R., Dussé and B. S., Kaliski Jr. A cryptographic library for the Motorola DSP56000. In I., Damgård, editor, Advances in Cryptology – EUROCRYPT'90, volume 473 of Lecture Notes in Computer Science, pages 230–244. Springer, Heidelberg, May 1991. (Cited on pages 16, 18, and 47.)
[135] W., Eberly and E., Kaltofen. On randomized Lanczos algorithm. In W.W., Küchlin, editor, ISSAC 97, page 176–183. ACM Press, 1997. Extended abstract. (Cited on page 178.)
[136] H. M., Edwards. Anormal form for elliptic curves. Bulletin of the AmericanMathematical Society, 44:393–422, July 2007. (Cited on pages 90 and 190.)
[137] K., Eisenträger, K., Lauter, and P. L., Montgomery. Fast elliptic curve arithmetic and improved Weil pairing evaluation. In M., Joye, editor, Topics in Cryptology – CT-RSA 2003, volume 2612 of Lecture Notes in Computer Science, pages 343–354. Springer, Heidelberg, Apr. 2003. (Cited on pages 4, 8, 206, 207, 227, and 228.)
[138] K., Eisenträger, K. E., Lauter, and P. L., Montgomery. ImprovedWeil and Tate pairings for elliptic and hyperelliptic curves. In D.A., Buell, editor, Algorithmic Number Theory, 6th International Symposium, ANTS-VI, Burlington, VT, USA, June 13-18, 2004, Proceedings, volume 3076 of Lecture Notes in Computer Science, pages 169–183. Springer, 2004. (Cited on pages 4, 8, 206, 231, 232, and 233.)
[139] S. E., Eldridge and C. D., Walter. Hardware implementation of montgomery's modular multiplication algorithm. IEEE Transactions on Computers, 42(6):693– 699, June 1993. (Cited on pages 43 and 61.)
[140] T., ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985. (Cited on page 40.)
[141] T., ElGamal. A subexponential-time algorithm for computing discrete logarithms over GF(p2). IEEE Transactions on Information Theory, 31:473–481, 1985. (Cited on pages 139, 141, 142, 143, and 144.)
[142] M., Elkenbracht-Huizing. An implementation of the number field sieve. Experimental Mathematics, 5 (3):231–253, 1996. (Cited on pages 168 and 169.)
[143] M., Ercegovac, November 2015. Private communication. (Cited on pages 2 and 4.)
[144] P., Erdös, R. L., Graham, P. L., Montgomery, B. K., Rothschild, J., Spencer, and E. G., Strauss. Euclidean Ramsey theorems, I. Journal of Combinatorial Theory, Series A, 14 (3):341–363, 1973. (Cited on page 1.)
[145] P., Erdös, R. L., Graham, P. L., Montgomery, B.K., Rothschild, J., Spencer, and E. G., Strauss. Euclidean Ramsey theorems, II. In A., Hajnal, R., Rado, and V. T., Sós, editors, Colloquia Mathematica Societatis János Bolyai, 10, volume I of Infinite and Finite Sets, pages 529–557. North-Holland, Amsterdam-London, 1975. (Cited on page 1.)
[146] P., Erdös, R. L., Graham, P. L., Montgomery, B.K., Rothschild, J., Spencer, and E. G., Strauss. Euclidean Ramsey theorems, III. In A., Hajnal, R., Rado, and V. T., Sós, editors, Colloquia Mathematica Societatis János Bolyai, 10, volume I of Infinite and Finite Sets, pages 559–583. North-Holland, Amsterdam-London, 1975. (Cited on page 1.)
[147] J., Franke and T., Kleinjung. Continued fractions and lattice sieving. In Specialpurpose Hardware for Attacking Cryptographic Systems – SHARCS 2005, 2005. http://www.hyperelliptic.org/tanja/SHARCS/talks/FrankeKleinjung.pdf. (accessed May 4, 2017). (Cited on page 149.)
[148] D., Freeman, M., Scott, and E., Teske. A taxonomy of pairing-friendly elliptic curves. Journal of Cryptology, 23(2):224–280, Apr. 2010. (Cited on pages 213, 223, and 224.)
[149] W. L., Freking and K. K., Parhi. Performance-scalable array architectures for modular multiplication. Journal of VLSI Signal Processing, 31:101–116, 2002. (Cited on page 68.)
[150] G., Frey, M., Müller, and H., Rück. The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems. IEEE Transactions on Information Theory, 45 (5):1717–1719, 1999. (Cited on page 213.)
[151] G., Frey and H.-G., Rück. A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Mathematics of Computation, 62(206):pp. 865–874, 1994. (Cited on pages 206 and 213.)
[152] M., Fürer. Faster integer multiplication. In D. S., Johnson and U., Feige, editors, 39th Annual ACM Symposium on Theory of Computing, pages 57–66. ACM Press, June 2007. (Cited on page 15.)
[153] S. D., Galbraith. Pairings, chapter IX in [54], pages 183–214. Cambridge University Press, 2005. (Cited on page 208.)
[154] S. D., Galbraith, K., Harrison, and D., Soldera. Implementing the Tate pairing. In C., Fieker and D. R., Kohel, editors, Algorithmic Number Theory – ANTS, volume 2369 of Lecture Notes in Computer Science, pages 324–337. Springer, 2002. (Cited on page 207.)
[155] K., Gandolfi, C., Mourtel, and F., Olivier. Electromagnetic analysis: Concrete results. In Çetin Kaya, Koç, D., Naccache, and C., Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2001, volume 2162 of Lecture Notes in Computer Science, pages 251–261. Springer, Heidelberg, May 2001. (Cited on page 77.)
[156] H. L., Garner. The residue number system. In Papers Presented at the the March 3–5, 1959,Western Joint Computer Conference, IRE-AIEE-ACM'5. (Western), pages 146–153, New York, NY, USA, 1959. ACM. (Cited on pages 36 and 46.)
[157] J., Gathen and J., Gerhard. Modern Computer Algebra. Cambridge University Press, Cambridge, 1999. https://cosec.bit.uni-bonn.de/science/mc. (accessed May 5, 2017). (Cited on page 192.)
[158] P., Gaudry. Variants of the Montgomery form based on Theta functions, 2006. https://cr.yp.to/bib/2006/gaudry-toronto.pdf. (accessed May 4, 2017). (Cited on page 97.)
[159] P., Gaudry and D., Lubicz. The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines. Finite Fields and Their Applications, 15:246–260, 2009. https://hal.inria.fr/inria-00266565v. (accessed May 4, 2017). (Cited on page 97.)
[160] J. L., Gerver. Factoring large integerswith a quadratic sieve. Mathematics of Computation, 41:287–294, 1983. (Cited on pages 132 and 134.)
[161] R., Golliver, A. K., Lenstra, and K., McCurley. Lattice sieving and trial division. In Algorithmic Number Theory Symposium – ANTS'94, volume 877 of LNCS, pages 18–27, 1994. (Cited on pages 135, 148, 149, and 153.)
[162] F., Göloglu, R., Granger, G., McGuire, and J., Zumbrägel. On the function field sieve and the impact of higher splitting probabilities — application to discrete logarithms in F21971 and F23164. In R., Canetti and J. A., Garay, editors, Advances in Cryptology – CRYPTO 2013, Part II, volume 8043 of Lecture Notes in Computer Science, pages 109–128. Springer, Heidelberg, Aug. 2013. (Cited on page 140.)
[163] P., Grabher, J., Großschädl, and D., Page. On software parallel implementation of cryptographic pairings. In R. M., Avanzi, L., Keliher, and F., Sica, editors, SAC 2008: 15th Annual International Workshop on Selected Areas in Cryptography, volume 5381 of Lecture Notes in Computer Science, pages 35–50. Springer, Heidelberg, Aug. 2009. (Cited on pages 225 and 226.)
[164] R., Graham, November 2015. Private communication. (Cited on pages 1 and 4.)
[165] R., Granger, T., Kleinjung, and J., Zumbrägel. On the discrete logarithm problem in finite fields of fixed characteristic. Available from http://arxiv.org/abs/1507 .0149. (accessed May 4, 2017). (Cited on page 140.)
[166] R., Granger and A., Moss. Generalised Mersenne numbers revisited. Math. Comput., 82 (284):2389–2420, 2013. (Cited on page 25.)
[167] R., Granger and M., Scott. Faster squaring in the cyclotomic subgroup of sixth degree extensions. In P. Q., Nguyen and D., Pointcheval, editors, PKC 2010: 13th International Conference on Theory and Practice of Public Key Cryptography, volume 6056 of Lecture Notes in Computer Science, pages 209–223. Springer, Heidelberg, May 2010. (Cited on page 211.)
[168] R., Granger and N., Smart. On computing products of pairings. Cryptology ePrint Archive, Report 2006/172, 2006. http://eprint.iacr.org/2006/17. (accessed May 4, 2017). (Cited on page 227.)
[169] R. T., Gregory and D. W., Matula. Base conversion in residue number systems. In T. R. N., Rao and D. W., Matula, editors, 3rd IEEE Symposium on Computer Arithmetic – ARITH 1975, pages 117–125. IEEE Computer Society, 1975. (Cited on page 36.)
[170] J., Großschädl, R. M., Avanzi, E., Savas, and S., Tillich. Energy-efficient software implementation of long integer modular arithmetic. In J. R., Rao and B., Sunar, editors, Cryptographic Hardware and Embedded Systems – CHES 2005, volume 3659 of Lecture Notes in Computer Science, pages 75–90. Springer, Heidelberg, Aug. / Sept. 2005. (Cited on page 44.)
[171] J., Großschädl and G.-A., Kamendje. Architectural enhancements for Montgomery multiplication on embedded RISC processors. In J., Zhou, M., Yung, and Y., Han, editors, ACNS 03: 1st International Conference on Applied Cryptography and Network Security, volume 2846 of Lecture Notes in Computer Science, pages 418–434. Springer, Heidelberg, Oct. 2003. (Cited on page 47.)
[172] J., Groth and A., Sahai. Efficient non-interactive proof systems for bilinear groups. In N. P., Smart, editor, Advances in Cryptology – EUROCRYPT 2008, volume 4965 of Lecture Notes in Computer Science, pages 415–432. Springer, Heidelberg, Apr. 2008. (Cited on page 226.)
[173] M., Gschwind. The Cell broadband engine: Exploiting multiple levels of parallelism in a chip multiprocessor. International Journal of Parallel Programming, 35:233–262, 2007. (Cited on page 32.)
[174] J., Guajardo and C., Paar. Itoh-Tsujii inversion in standard basis and its application in cryptography and codes. Designs, Codes and Cryptography, 25:207–216, 2001. (Cited on page 215.)
[175] S., Gueron and V., Krasnov. Fast prime field elliptic-curve cryptography with 256-bit primes. J. Cryptographic Engineering, 5 (2):141–151, 2015. (Cited on page 26.)
[176] J. E., Guzmán-Trampe, N. C., Cortés, L. J. D., Perez, D. O., Arroyo, and F., Rodríguez-Henríquez. Low-cost addition-subtraction sequences for the final exponentiation in pairings. Finite Fields and Their Applications, 29:1–17, 2014. (Cited on page 211.)
[177] G., Hachez and J.-J., Quisquater. Montgomery exponentiation with no final subtractions: Improved results. In Ç. K., Koç and C., Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2000, volume 1965 of Lecture Notes in Computer Science, pages 293–301. Springer, Heidelberg, Aug. 2000. (Cited on pages 20 and 79.)
[178] M., Hamburg. Fast and compact elliptic-curve cryptography. Cryptology ePrint Archive, Report 2012/309, 2012. http://eprint.iacr.org/2012/30. (accessed May 4, 2017). (Cited on pages 24 and 25.)
[179] M., Hamburg. Ed448-goldilocks, a new elliptic curve. Cryptology ePrint Archive, Report 2015/625, 2015. http://eprint.iacr.org/2015/62. (accessed May 4, 2017). (Cited on page 94.)
[180] D., Hankerson, A. J., Menezes, and S., Vanstone. Guide to Elliptic Curve Cryptography. Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2004. (Cited on pages 40 and 216.)
[181] G. H., Hardy and E.M., Wright. An introduction to the theory of numbers. Oxford Univ. Press, 4th edition, 1960. (Cited on page 128.)
[182] O., Harrison and J., Waldron. Efficient acceleration of asymmetric cryptography on graphics hardware. In B., Preneel, editor, AFRICACRYPT 09: 2nd International Conference on Cryptology in Africa, volume 5580 of Lecture Notes in Computer Science, pages 350–367. Springer, Heidelberg, June 2009. (Cited on page 37.)
[183] L., Hars. Long modular multiplication for cryptographic applications. In M., Joye and J.-J., Quisquater, editors, Cryptographic Hardware and Embedded Systems – CHES 2004, volume 3156 of Lecture Notes in Computer Science, pages 45–61. Springer, Heidelberg, Aug. 2004. (Cited on page 24.)
[184] K., Hensel. Theorie der algebraischen Zahlen. Tuebner, Leipzig, 1908. (Cited on page 12.)
[185] F., Hess, N. P., Smart, and F., Vercauteren. The eta pairing revisited. IEEE Transactions on Information Theory, 52 (10):4595–4602, 2006. (Cited on pages 211 and 212.)
[186] H., Hisil, K. K.-H., Wong, G., Carter, and E., Dawson. Twisted Edwards curves revisited. In J., Pieprzyk, editor, Advances in Cryptology – ASIACRYPT 2008, volume 5350 of Lecture Notes in Computer Science, pages 326–343. Springer, Heidelberg, Dec. 2008. (Cited on page 91.)
[187] H. P., Hofstee. Power efficient processor architecture and the Cell processor. In High-Performance Computer Architecture – HPCA 2005, pages 258–262. IEEE, 2005. (Cited on page 32.)
[188] D., Husemöller. Elliptic Curves, volume 111 of Graduate Texts in Mathematics. Springer, 2004. (Cited on page 90.)
[189] Intel Corporation. Using streaming SIMD extension. (SSE2) to perform big multiplications, version 2.0. Technical Report AP-941, Intel, 2000. http://software.intel.com/sites/default/files/14/4f/24960. (Cited on pages 56 and 64.)
[190] S., Ionica and A., Joux. Another approach to pairing computation in Edwards coordinates. In D. R., Chowdhury, V., Rijmen, and A., Das, editors, Progress in Cryptology - INDOCRYPT 2008: 9th International Conference in Cryptology in India, volume 5365 of Lecture Notes in Computer Science, pages 400–413. Springer, Heidelberg, Dec. 2008. (Cited on pages 220 and 221.)
[191] T., Itoh and S., Tsujii. A fast algorithm for computing multiplicative inverses in GF(2∧m) using normal bases. Inf. Comput., 78 (3):171–177, 1988. (Cited on page 215.)
[192] K., Iwamura, T., Matsumoto, and H., Imai. Systolic-arrays for modular exponentiation using Montgomery metho. (extended abstract) (rump session). In R. A., Rueppel, editor, Advances in Cryptology – EUROCRYPT'92, volume 658 of Lecture Notes in Computer Science, pages 477–481. Springer, Heidelberg, May 1993. (Cited on page 27.)
[193] D. S., Johnson, T., Nishizeki, A., Nozaki, and H., S Wilf. Discrete algorithms and complexity. Academic Press, Boston, 1987. (Cited on page 255.)
[194] A., Joux. A one round protocol for tripartite diffie-hellman. In W., Bosma, editor, Algorithmic Number Theory, 4th International Symposium, ANTS-IV, Leiden, The Netherlands, July 2-7, 2000, Proceedings, volume 1838 of Lecture Notes in Computer Science, pages 385–394. Springer, 2000. (Cited on page 206.)
[195] A., Joux. A one round protocol for tripartite Diffie-Hellman. Journal of Cryptology, 17(4):263–276, Sept. 2004. (Cited on page 206.)
[196] A., Joux. A new index calculus algorithm with complexity L(1/4 + o(1)) in small characteristic. In T., Lange, K., Lauter, and P., Lisonek, editors, SAC 2013: 20th Annual InternationalWorkshop on Selected Areas in Cryptography, volume 8282 of Lecture Notes in Computer Science, pages 355–379. Springer, Heidelberg, Aug. 2014. (Cited on page 140.)
[197] A., Joux and R., Lercier. Improvements to the general number field sieve for discrete logarithms in prime fields. A comparison with the gaussian integer method. Mathematics of Computation, 72 (242):953–967, 2003. (Cited on page 165.)
[198] M., Joye. On Quisquater's multiplication algorithm. In D., Naccache, editor, Cryptography and Security: From Theory to Applications, volume 6805 of LNCS, pages 3–7. Springer-Verlag, 2012. (Cited on page 48.)
[199] M. E., Kaihara and N., Takagi. Bipartite modular multiplication. In J. R., Rao and B., Sunar, editors, Cryptographic Hardware and Embedded Systems – CHES 2005, volume 3659 of Lecture Notes in Computer Science, pages 201– 210. Springer, Heidelberg, Aug. / Sept. 2005. (Cited on page 27.)
[200] M. E., Kaihara and N., Takagi. A hardware algorithm for modular multiplication/ division. IEEE Transactions on Computers, 54 (1):12–21, 2005. (Cited on page 9.)
[201] E., Kaltofen. Analysis of Coppersmith's block Wiedemann algorithm for the parallel solution of sparse linear systems. Mathematics of Computation, 64 (210):777–806, 1995. (Cited on page 187.)
[202] A. A., Karatsuba and Y., Ofman. Multiplication of many-digital numbers by automatic computers. Doklady Akad. Nauk SSSR, 145(2):293–294, 1962. Translation in Physics-Doklady 7, pp. 595–596, 1963. (Cited on pages 15 and 44.)
[203] P. S., Kasat, D. S., Bilaye, H. V., Dixit, R., Balwaik, and A., Jeyakumar. Multiplication algorithms for VLSI – a review. International Journal on Computer Science and Engineerin. (IJCSE), 4(11):1761–1765, nov 2012. (Cited on page 44.)
[204] E., Käsper. Fast elliptic curve cryptography in OpenSSL. In G., Danezis, S., Dietrich, and K., Sako, editors, FC 2011Workshops, volume 7126 of Lecture Notes in Computer Science, pages 27–39. Springer, Heidelberg, Feb. / Mar. 2012. (Cited on page 23.)
[205] S., Kawamura, M., Koike, F., Sano, and A., Shimbo. Cox-Rower architecture for fast parallelMontgomery multiplication. In B., Preneel, editor, Advances in Cryptology – EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pages 523–538. Springer, Heidelberg, May 2000. (Cited on page 37.)
[206] T., Kleinjung. On polynomial selection for the general number field sieve. Mathematics of Computation, 75 (256):2037–2047, 2006. (Cited on page 173.)
[207] T., Kleinjung. Polynomial selection, presented at the CADO workshop. See http://cado.gforge.inria.fr/workshop/slides/kleinjung.pdf, 200. (accessed May 4, 2017). (Cited on page 173.)
[208] T., Kleinjung. Quadratic sieving. Mathematics of Computation, 85:1861–1873, 2016. (Cited on page 137.)
[209] T., Kleinjung, K., Aoki, J., Franke, A. K., Lenstra, E. Thomé, J.W. Bos, P. Gaudry, A. Kruppa, P. L., Montgomery, D. A., Osvik, H. J., J. te Riele, A., Timofeev, and P., Zimmermann. Factorization of a 768-bit RSA modulus. In T., Rabin, editor, Advances in Cryptology – CRYPTO 2010, volume 6223 of Lecture Notes in Computer Science, pages 333–350. Springer, Heidelberg, Aug. 2010. (Cited on pages 4, 7, 117, 153, and 176.)
[210] T., Kleinjung, J. W., Bos, and A. K., Lenstra. Mersenne factorization factory. In P., Sarkar and T., Iwata, editors, Advances in Cryptology – ASIACRYPT 2014, Part I, volume 8873 of Lecture Notes in Computer Science, pages 358–377. Springer, Heidelberg, Dec. 2014. (Cited on pages 117, 126, 146, 152, 158, and 159.)
[211] T., Kleinjung, J. W., Bos, A. K., Lenstra, D. A., Osvik, K., Aoki, S., Contini, J., Franke, E., Thomé, P., Jermini, M., Thiémard, P., Leyland, P. L., Montgomery, A., Timofeev, and H., Stockinger. A heterogeneous computing environment to solve the 768-bit RSA challenge. Cluster Computing. (15):53–68, 2012. (Cited on pages 4 and 7.)
[212] T., Kleinjung, C., Diem, A. K., Lenstra, C., Priplata, and C., Stahlke. Computation of a 768-bit prime field discrete logarithm. In J.-S., Coron and J., Nielsen, editors, Eurocrypt 2017, Part I, volume 10210 of Lecture Notes in Computer Science, pages 178–194. Springer, Heidelberg, 2017. (Cited on page 153.)
[213] M., Kneževic, F., Vercauteren, and I., Verbauwhede. Faster interleaved modular multiplication based on Barrett and Montgomery reduction methods. IEEE Transactions on Computers, 59 (12):1715–1721, 2010. (Cited on page 48.)
[214] M., Kneževic, F., Vercauteren, and I., Verbauwhede. Speeding up bipartite modular multiplication. In M. A., Hasan and T., Helleseth, editors, Arithmetic of Finite Fields –WAIFI, volume 6087 of Lecture Notes in Computer Science, pages 166– 179. Springer, 2010. (Cited on page 24.)
[215] D. E., Knuth. Seminumerical Algorithms. The Art of Computer Programming. Addison-Wesley, Reading, Massachusetts, USA, 3rd edition, 1997. (Cited on page 11.)
[216] T., Kobayashi, H., Morita, K., Kobayashi, and F., Hoshino. Fast elliptic curve algorithm combining Frobenius map and table reference to adapt to higher characteristic. In J., Stern, editor, Advances in Cryptology – EUROCRYPT'99, volume 1592 of Lecture Notes in Computer Science, pages 176–189. Springer, Heidelberg, May 1999. (Cited on pages 215 and 216.)
[217] N., Koblitz. Elliptic curve cryptosystems. Mathematics of Computation, 48 (177):203–209, 1987. (Cited on pages 22, 40, and 93.)
[218] N., Koblitz and A., Menezes. Pairing-based cryptography at high security level. (invited paper). In N. P., Smart, editor, 10th IMA International Conference on Cryptography and Coding, volume 3796 of Lecture Notes in Computer Science, pages 13–36. Springer, Heidelberg, Dec. 2005. (Cited on page 215.)
[219] Çetin Kaya., Koç and T., Acar. Montgomery multiplication in GF(2k). Designs, Codes and Cryptography, 14 (1):57–69, 1998. (Cited on pages 21 and 40.)
[220] P. C., Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In N., Koblitz, editor, Advances in Cryptology – CRYPTO'96, volume 1109 of Lecture Notes in Computer Science, pages 104–113. Springer, Heidelberg, Aug. 1996. (Cited on pages 77 and 79.)
[221] P. C., Kocher, J., Jaffe, and B., Jun. Differential power analysis. In M. J., Wiener, editor, Advances in Cryptology – CRYPTO'99, volume 1666 of Lecture Notes in Computer Science, pages 388–397. Springer, Heidelberg, Aug. 1999. (Cited on pages 12, 19, and 77.)
[222] P., Kornerup. A systolic, linear-array multiplier for a class of right-shift algorithms. IEEE Transactions on Computers, 43 (8):892–898, 1994. (Cited on page 76.)
[223] M., Koschuch, J., Lechner, A., Weitzer, J., Großschädl, A., Szekely, S., Tillich, and J., Wolkerstorfer. Hardware/software co-design of elliptic curve cryptography on an 8051 microcontroller. In L., Goubin and M., Matsui, editors, Cryptographic Hardware and Embedded Systems – CHES 2006, volume 4249 of Lecture Notes in Computer Science, pages 430–444. Springer, Heidelberg, Oct. 2006. (Cited on page 40.)
[224] M., Kraitchik. Théorie des nombres, Tome II. Gauthiers-Villars, Paris, 1926. (Cited on page 117.)
[225] M., Kraitchik. Recherches sur le théorie des nombres, Tome II. Gauthiers-Villars, Paris, 1929. (Cited on page 117.)
[226] B. A., LaMacchia and A. M., Odlyzko. Solving large sparse linear systems over finite fields. In A. J., Menezes and S. A., Vanstone, editors, Advances in Cryptology – CRYPTO'90, volume 537 of Lecture Notes in Computer Science, pages 109–133. Springer, Heidelberg, Aug. 1991. (Cited on pages 7, 123, 176, and 179.)
[227] K., Lauter, P. L., Montgomery, and M., Naehrig. An analysis of affine coordinates for pairing computation. In M., Joye, A., Miyaji, and A., Otsuka, editors, PAIRING 2010: 4th International Conference on Pairing-based Cryptography, volume 6487 of Lecture Notes in Computer Science, pages 1–20. Springer, Heidelberg, Dec. 2010. (Cited on pages 4, 8, and 206.)
[228] F., Le Gall. Powers of tensors and fast matrix multiplication. In Proceedings of the 39th International Symposium on Symbolic and Algebraic Computation, ISSAC 14, pages 296–303, New York, NY, USA, 2014. ACM. (Cited on page 123.)
[229] A. K., Lenstra. Proof of the factorization of the Scientific American challenge. http://www.joppebos.com/petmon/chap5_fig.pdf. (Cited on page 135.)
[230] A. K., Lenstra. Fast and rigorous factorization under the generalized Riemann hypothesis. IndagationesMathematicae, 50:443–454, 1988. (Cited on page 160.)
[231] A. K., Lenstra. Generating RSA moduli with a predetermined portion. In K., Ohta and D., Pei, editors, Advances in Cryptology – ASIACRYPT'98, volume 1514 of Lecture Notes in Computer Science, pages 1–10. Springer, Heidelberg, Oct. 1998. (Cited on page 24.)
[232] A. K., Lenstra, H. W., Lenstra, and L., Lovász. Factoring polynomials with rational coefficients. Mathematische Annalen, 261 (4):515–534, 1982. (Cited on pages 157 and 167.)
[233] A. K., Lenstra and H. W., Lenstra Jr. Algorithms in number theory. In J., van Leeuwen, editor, Handbook of Theoretical Computer Scienc. (Volume A: Algorithms and Complexity), pages 673–715. Elsevier and MIT Press, 1990. (Cited on pages 119, 121, 123, 136, 137, 140, and 160.)
[234] A. K., Lenstra and H.W., Lenstra Jr. The Development of the Number Field Sieve, volume 1554 of Lecture Notes in Mathematics. Springer-Verlag, 1993. (Cited on pages 6, 116, 139, 239, 241, 243, 252, and 255.)
[235] A. K., Lenstra, H. W., Lenstra Jr., M. S., Manasse, and J. M., Pollard. The number field sieve. pages 11–42 in [234], 1989. (Cited on pages 7, 139, 141, 142, 143, 145, 146, 147, 148, 152, and 154.)
[236] A. K., Lenstra, H. W., Lenstra Jr., M. S., Manasse, and J. M., Pollard. The factorization of the ninth Fermat number. Mathematics of Computation, 61(203):319– 349, 1993. (Cited on pages 125, 141, 146, and 148.)
[237] A. K., Lenstra and M. S., Manasse. Factoring by electronic mail. In J.-J., Quisquater and J., Vandewalle, editors, Advances in Cryptology – EUROCRYPT' 89, volume 434 of Lecture Notes in Computer Science, pages 355–371. Springer, Heidelberg, Apr. 1990. (Cited on pages 116, 135, 136, and 138.)
[238] A. K., Lenstra and M. S., Manasse. Factoring with two large primes. Mathematics of Computation, 63:785–798, 1994. (Cited on pages 132 and 137.)
[239] H.W., Lenstra Jr. Factoring integers with elliptic curves. Annals of Mathematics, 126 (3):649–673, 1987. (Cited on pages 6, 8, 116, 121, and 189.)
[240] H. W., Lenstra Jr. and C., Pomerance. A rigorous time bound for factoring integers. Journal of the AmericanMathematical Society, 5:483–516, 1992. (Cited on page 160.)
[241] P. C., Leyland, A. K., Lenstra, B., Dodson, A., Muffett, and S. S., Wagstaff Jr. MPQS with three large primes. In C., Fieker and D. R., Kohel, editors, Algorithmic Number Theory, 5th International Symposium, ANTS-V, volume 2369 of Lecture Notes in Computer Science, pages 446–460. Springer, 2002. (Cited on page 137.)
[242] Z., Liu and J., Großschädl. New speed records for Montgomery modular multiplication on 8-bit AVR microcontrollers. In D., Pointcheval and D., Vergnaud, editors, AFRICACRYPT 14: 7th International Conference on Cryptology in Africa, volume 8469 of Lecture Notes in Computer Science, pages 215–234. Springer, Heidelberg, May 2014. (Cited on pages 44 and 47.)
[243] A., Menezes, T., Okamoto, and S. A., Vanstone. Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Transactions on Information Theory, 39 (5):1639–1646, 1993. (Cited on pages 206 and 213.)
[244] R. D., Merrill. Improving digital computer performance using residue number theory. Electronic Computers, IEEE Transactions on, EC-13(2):93–101, April 1964. (Cited on page 36.)
[245] T. S., Messerges, E. A., Dabbish, and R. H., Sloan. Power analysis attacks of modular exponentiation in smartcards. In Çetin Kaya, Koç and C., Paar, editors, Cryptographic Hardware and Embedded Systems – CHES'99, volume 1717 of Lecture Notes in Computer Science, pages 144–157. Springer, Heidelberg, Aug. 1999. (Cited on page 77.)
[246] A., Miele, J.W., Bos, T., Kleinjung, and A. K., Lenstra. Cofactorization on graphics processing units. In L., Batina and M., Robshaw, editors, Cryptographic Hardware and Embedded Systems – CHES 2014, volume 8731 of Lecture Notes in Computer Science, pages 335–352. Springer, Heidelberg, Sept. 2014. (Cited on page 152.)
[247] V. S., Miller. Use of elliptic curves in cryptography. In H. C., Williams, editor, Advances in Cryptology – CRYPTO'85, volume 218 of Lecture Notes in Computer Science, pages 417–426. Springer, Heidelberg, Aug. 1986. (Cited on pages 22, 40, 93, and 95.)
[248] V. S., Miller. TheWeil pairing, and its efficient calculation. Journal of Cryptology, 17(4):235–261, Sept. 2004. (Cited on pages 8 and 210.)
[249] B., Möller. Algorithms for multi-exponentiation. In S., Vaudenay and A. M., Youssef, editors, SAC 2001: 8th Annual International Workshop on Selected Areas in Cryptography, volume 2259 of Lecture Notes in Computer Science, pages 165–180. Springer, Heidelberg, Aug. 2001. (Cited on page 229.)
[250] P. L., Montgomery. Evaluation of boolean expressions on one's complement machines. SIGPLAN Notices, 13:60–72, 1978. (Cited on page 1.)
[251] P. L., Montgomery. Modular multiplication without trial division. Mathematics of Computation, 44(170):519–521, April 1985. (Cited on pages 4, 5, 10, 13, 15, 17, 40, 42, and 81.)
[252] P. L., Montgomery. Speeding the Pollard and elliptic curve methods of factorization. Mathematics of Computation, 48 (177):243–264, 1987. (Cited on pages 5, 6, 8, 83, 85, 189, 197, 207, and 218.)
[253] P. L., Montgomery. Evaluating recurrences of form Xm+n = f (Xm, Xn, Xmn) via Lucas chains, 1992. https://cr.yp.to/bib/1992/montgomery-lucas.pdf. (accessed May 4, 2017). (Cited on pages 85, 87, 111, 114, and 115.)
[254] P. L., Montgomery. An FFT extension of the elliptic curvemethod of factorization. PhD thesis, University of California, 1992. (Cited on pages 2, 8, 94, 189, 190, 193, 194, 196, 197, and 198.)
[255] P. L., Montgomery. Square roots of products of algebraic numbers. Mathematics of Computation 1943-1993: A Half-Century of Computational Mathematics, 48:567–571, 1994. (Cited on pages 7 and 157.)
[256] P. L., Montgomery. A survey of modern integer factorization algorithms. CWI Quarterly, 7(4):337–366, December 1994. (Cited on page 168.)
[257] P. L., Montgomery. A block Lanczos algorithm for finding dependencies over GF(2). In L. C., Guillou and J.-J., Quisquater, editors, Advances in Cryptology – EUROCRYPT'95, volume 921 of Lecture Notes in Computer Science, pages 106– 120. Springer, Heidelberg,May 1995. (Cited on pages 7, 123, 179, 180, 183, 184, and 186.)
[258] P. L., Montgomery. Parallel block Lanczos, 2000. Slides of presentation at RSA- 2000, dated January 17, 2000. (Cited on page 186.)
[259] P. L., Montgomery. Five, six, and seven-term Karatsuba-like formulae. IEEE Transactions on Computers, 54 (3):362–369, 2005. (Cited on pages 4 and 217.)
[260] P. L., Montgomery. Searching for higher-degree polynomials for the general number field sieve. helper.ipam.ucla.edu/publications/scws1/scws1_6223.ppt, October 2006. (Cited on page 168.)
[261] P. L., Montgomery and A., Kruppa. Improved stage 2 to P±1 factoring algorithms. In A. J., van der Poorten and A., Stein, editors, Algorithmic Number Theory – ANTS-VIII, volume 5011 of Lecture Notes in Computer Science, pages 180–195. Springer, 2008. (Cited on pages 4, 8, 189, 200, 201, 202, and 204.)
[262] P. L., Montgomery, S., Nahm, and S. S, Wagstaff Jr. The period of the Bell numbers modulo a prime. Mathematics of Computation, 79 (271):1793–1800, 2010. (Cited on page 4.)
[263] P. L., Montgomery and R. D., Silverman. An FFT extension to th. p 1 factoring algorithm. Mathematics of Computation, 54 (190):839–854, 1990. (Cited on pages 8, 189, 190, and 200.)
[264] M. A., Morrison and J., Brillhart. Amethod of factoring and the factorization of F7. Mathematics of Computation, 29 (129):183–205, 1975. (Cited on pages 116, 117, 127, and 128.)
[265] A., Moss, D., Page, and N. P., Smart. Toward acceleration of RSA using 3D graphics hardware. In S. D., Galbraith, editor, 11th IMA International Conference on Cryptography and Coding, volume 4887 of Lecture Notes in Computer Science, pages 364–383. Springer, Heidelberg, Dec. 2007. (Cited on page 37.)
[266] B. A., Murphy. Polynomial selection for the number field sieve integer factorisation algorithm. PhD thesis, Australian National University, 1999. (Cited on pages 6, 171, and 172.)
[267] National Institute of Standards and Technolog. (NIST). Digital signature standard (dss). Technical Report FIPS Publication 186-4, July 2013. (Cited on page 40.)
[268] National Security Agenc. (NSA). Compromising emanations laboratory test requirements, electromagnetics (u). Technical Report National COMSEC Information Memorandum (NACSIM) 5100A, NSA, 1981. (Classified). (Cited on page 76.)
[269] P. Q., Nguyen. A Montgomery-like square root for the number field sieve. In J., Buhler, editor, ANTS, volume 1423 of Lecture Notes in Computer Science, pages 151–168. Springer, 1998. (Cited on page 157.)
[270] A. M., Odlyzko. Discrete logarithms in finite fields and their cryptographic significance. In T., Beth, N., Cot, and I., Ingemarsson, editors, Advances in Cryptology – EUROCRYPT'84, volume 209 of Lecture Notes in Computer Science, pages 224–314. Springer, Heidelberg, Apr. 1985. (Cited on pages 123 and 140.)
[271] G., Orlando and C., Paar. A scalable GF(p) elliptic curve processor architecture for programmable hardware. In Çetin Kaya. Koç, D. Naccache, C. Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2001, volume 2162 of Lecture Notes in Computer Science, pages 348–363. Springer, Heidelberg, May 2001. (Cited on page 61.)
[272] D. A., Osvik, J. W., Bos, D., Stefan, and D., Canright. Fast software AES encryption. In S., Hong and T., Iwata, editors, Fast Software Encryption – FSE 2010, volume 6147 of Lecture Notes in Computer Science, pages 75–93. Springer, Heidelberg, Feb. 2010. (Cited on page 32.)
[273] K., Pabbuleti, D., Mane, A., Desai, C., Albert, and P., Schaumont. SIMD acceleration of modular arithmetic on contemporary embedded platforms. In IEEE High Performance Extreme Computing Conferenc. (HPEC), pages 1–6. IEEE, 2013. (Cited on page 56.)
[274] D., Page and N., P Smart. Parallel cryptographic arithmetic using a redundant Montgomery representation. IEEE Trans. Computers, 53 (11):1474–1482, 2004. (Cited on page 27.)
[275] B. N., Parlett, D. R., Taylor, and Z. A., Liu. A look-ahead Lanczos algorithm for unsymmetric matrices. Mathematics of Computation, 44(169):105–124, Jan. 1985. (Cited on pages 179 and 180.)
[276] R., Peralta. A quadratic sieve on the n-dimensional cube. In E. F., Brickell, editor, Advances in Cryptology – CRYPTO'92, volume 740 of Lecture Notes in Computer Science, pages 324–332. Springer, Heidelberg, Aug. 1993. (Cited on page 137.)
[277] B. J., Phillips, Y., Kong, and Z., Lim. Highly parallel modular multiplication in the residue number system using sum of residues reduction. Appl. Algebra Eng. Commun. Comput., 21 (3):249–255, 2010. (Cited on page 37.)
[278] J. M., Pollard. Theorems on factorization and primality testing. Proceedings of the Cambridge Philosophical Society, 76:521–528, 1974. (Cited on pages 8, 116, 189, 190, 199, and 200.)
[279] J. M., Pollard. A Monte Carlo method for factorization. BIT Numerical Mathematics, 15 (3):331–334, 1975. (Cited on pages 116 and 121.)
[280] J. M., Pollard. Factoring with cubic integers. pages 4–10 in [234], 1988. (Cited on pages 138, 139, 145, 146, and 147.)
[281] J. M., Pollard. The lattice sieve. pages 43–49 in [234], 1990. (Cited on pages 7, 148, and 149.)
[282] C., Pomerance. Analysis and comparison of some integer factoring algorithms. In J., HendrikW. LenstraTijdeman, R., editors, Computational methods in number theory I, volume 154 of Mathematical Centre Tracts, pages 89–139, Amsterdam, 1982. Mathematisch Centrum. (Cited on pages 6, 119, 126, 131, 132, and 137.)
[283] C., Pomerance. Fast, rigorous factorization and discrete logarithm algorithms. pages 119–143 in [193], 1987. (Cited on pages 121 and 160.)
[284] C., Pomerance, October 1988. Private communication. (Cited on page 135.)
[285] C., Pomerance. A tale of two sieves. Notices of the AMS, 43(12):1473–1485, December 1996. (Cited on page 117.)
[286] C., Pomerance and J., W. Smith. Reduction of huge, sparse matrices over finite
[287] C., Pomerance, J. W., Smith, and R., Tuler. A pipeline architecture for factoring large integers with the quadratic sieve algorithm. SIAM j. Comput., 17:387–403, 1988. (Cited on pages 6 and 137.)
[288] C., Pomerance, J. W., Smith, and S. S., Wagstaff. New ideas for factoring large integers. In D., Chaum, editor, Advances in Cryptology – CRYPTO'83, pages 81– 85. Plenum Press, New York, USA, 1983. (Cited on page 127.)
[289] K., Posch and R., Posch. Base extension using a convolution sum in residue number systems. Computing, 50 (2):93–104, 1993. (Cited on page 36.)
[290] K. C., Posch and R., Posch. Modulo reduction in residue number systems. IEEE Trans. Parallel Distrib. Syst., 6 (5):449–454, 1995. (Cited on page 36.)
[291] T., Prest and P., Zimmermann. Non-linear polynomial selection for the number field sieve. J. Symb. Comput., 47 (4):401–409, 2012. (Cited on page 168.)
[292] Q., Pu and X., Zhao. Montgomery exponentiation with no final comparisons: Improved results. In Pacific-Asia Conference on Circuits, Communications and Systems, pages 614–616. IEEE, 2009. (Cited on page 20.)
[293] J., Quisquater and D., Samyde. Electromagnetic analysi. (EMA): measures and counter-measures for smart cards. In I., Attali and T., Jensen, editors, Smart Card Programming and Security, E-smart 2001, Cannes, France, September 19-21, 2001, volume 2140 of LNCS, pages 200–210. Springer-Verlag, 2001. (Cited on page 77.)
[294] R. L., Rivest, A., Shamir, and L.M., Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the Association for Computing Machinery, 21 (2):120–126, 1978. (Cited on pages 17, 20, 40, 117, 119, and 131.)
[295] B., Rothschild, November 2015. Private communication. (Cited on page 1.)
[296] A., Sahai and B. R, Waters. Fuzzy identity-based encryption. In R., Cramer, editor, Advances in Cryptology – EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science, pages 457–473. Springer, Heidelberg, May 2005. (Cited on page 206.)
[297] R., Sakai, K., Ohgishi, and M., Kasahara. Cryptosystems based on pairing. In 2000 Symposium on Cryptography and Information Security – SCIS 2000, 2000. (Cited on page 206.)
[298] E., Savas, A. F., Tenca, and Ç. K., Koç. A scalable and unified multiplier architecture for finite fields GF(p) and GF(2m). In Ç. K., Koç and C., Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2000, volume 1965 of Lecture Notes in Computer Science, pages 277–292. Springer, Heidelberg, Aug. 2000. (Cited on pages 40 and 67.)
[299] M., Schacher, November 2015. Private communication. (Cited on page 3.)
[300] W., Schindler. A timing attack against RSA with the Chinese remainder theorem. In Ç. K., Koç and C., Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2000, volume 1965 of Lecture Notes in Computer Science, pages 109–124. Springer, Heidelberg, Aug. 2000. (Cited on page 77.)
[301] A., Schönhage and V., Strassen. Schnelle multiplikation großer zahlen. Computing, 7(3-4):281–292, 1971. (Cited on page 15.)
[302] R. J., Schoof. Quadratic fields and factorization. In J., Hendrik W., Lenstra and R., Tijdeman, editors, Computational methods in number theory II, volume 155 of Mathematical Centre Tracts, pages 235–286, Amsterdam, 1982. Mathematisch Centrum. (Cited on page 118.)
[303] R., Schroeppel, April 2015. Private communication. (Cited on pages 9, 116, 129, 130, 131, and 132.)
[304] R., Schroeppel and C., Beaver. Accelerating elliptic curve calculations with the reciprocal sharing trick. Mathematics of Public-Key Cryptograph. (MPKC), University of Illinois at Chicago, 2003. (Cited on page 225.)
[305] M., Scott. Computing the Tate pairing. In A., Menezes, editor, Topics in Cryptology – CT-RSA 2005, volume 3376 of Lecture Notes in Computer Science, pages 293–304. Springer, Heidelberg, Feb. 2005. (Cited on page 227.)
[306] M., Scott. On the efficient implementation of pairing-based protocols. In L., Chen, editor, Cryptography and Coding – IMACC, volume 7089 of Lecture Notes in Computer Science, pages 296–308. Springer, 2011. (Cited on page 227.)
[307] M., Scott, N., Benger, M., Charlemagne, L. J. D., Perez, and E. J., Kachisa. On the final exponentiation for calculating pairings on ordinary elliptic curves. In H., Shacham and B, Waters, editors, Pairing-Based Cryptography - Pairing 2009, Third International Conference, Palo Alto, CA, USA, August 12-14, 2009, Proceedings, volume 5671 of Lecture Notes in Computer Science, pages 78–88. Springer, 2009. (Cited on page 211.)
[308] H., Seo, Z., Liu, J., Großschädl, J., Choi, and H., Kim. Montgomery modular multiplication on ARM-NEON revisited. In J., Lee and J., Kim, editors, Information Security and Cryptology – ICISC 2014, volume 8949 of Lecture Notes in Computer Science, pages 328–342. Springer, 2015. (Cited on pages 26 and 47.)
[309] M., Seysen. A probabilistic factorization algorithm with quadratic forms of negative discriminant. Mathematics of Computation, 48:757–780, 1987. (Cited on pages 128 and 160.)
[310] M., Shand and J., Vuillemin. Fast implementations of RSA cryptography. In E. E. S., Jr., M. J., Irwin, and G. A., Jullien, editors, 11th Symposium on Computer Arithmetic, pages 252–259. IEEE Computer Society, 1993. (Cited on pages 12 and 20.)
[311] D., Shanks. Class number, a theory of factorization, and genera. In D. J., Lewis, editor, Symposia in Pure Mathematics, volume 20, pages 415–440. American Mathematical Society, 1971. (Cited on page 118.)
[312] A., Shenoy and R., Kumaresan. Fast base extension using a redundant modulus in RNS. Computers, IEEE Transactions on, 38 (2):292–297, 1989. (Cited on page 36.)
[313] P.W., Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing, 26 (5):1484–1509, 1997. (Cited on page 153.)
[314] J. H., Silverman. The Arithmetic of Elliptic Curves, volume 106 of Graduate texts in mathematics. Springer-Verlag, 1986. (Cited on page 208.)
[315] R. D., Silverman. The multiple polynomial quadratic sieve. Mathematics of Computation, 48:329–339, 1987. (Cited on pages 6, 134, and 136.) fields via created catastrophes. Experiment. Math., 1:89–94, 1992. (Cited on pages 7, 123, 124, and 125.)
[316] J. A., Solinas. Generalized Mersenne numbers. Technical Report CORR 99– 39, Centre for Applied Cryptographic Research, University of Waterloo, 1999. (Cited on page 22.)
[317] M., Stam. Speeding up subgroup cryptosystems. PhD thesis, Technische Universiteit Eindhoven, 2003. https://dx.doi.org/10.6100/IR564670. (Cited on pages 108, 114, and 115.)
[318] M., Stevens, A., Sotirov, J, Appelbaum, A. K., Lenstra, D., Molnar, D.A., Osvik, and B., deWeger. Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. In S., Halevi, editor, Advances in Cryptology – CRYPTO 2009, volume 5677 of Lecture Notes in Computer Science, pages 55–69. Springer, Heidelberg, Aug. 2009. (Cited on page 32.)
[319] V., Strassen. Gaussian elimination is not optimal. Numer. Math., 13:354–356, 1969. (Cited on page 123.)
[320] A., Svoboda. An algorithm for division. Information processing machines, 9(25- 34):28, 1963. (Cited on page 24.)
[321] N. S., Szabo and R. I., Tanaka. Residue arithmetic and its applications to computer technology. McGraw-Hill, 1967. (Cited on pages 36 and 37.)
[322] R., Szerwinski and T., Güneysu. Exploiting the power of GPUs for asymmetric cryptography. In E., Oswald and P., Rohatgi, editors, Cryptographic Hardware and Embedded Systems – CHES 2008, volume 5154 of Lecture Notes in Computer Science, pages 79–99. Springer, Heidelberg, Aug. 2008. (Cited on page 37.)
[323] O., Takahashi, R., Cook, S., Cottier, S. H., Dhong, B., Flachs, K., Hirairi, A., Kawasumi, H., Murakami, H., Noro, H., Oh, S., Onish, J., Pille, and J., Silberman. The circuit design of the synergistic processor element of a Cell processor. In International conference on Computer-aided design – ICCAD 2005, pages 111–117. IEEE Computer Society, 2005. (Cited on page 32.)
[324] E., Thomé. Square root algorithms for the number field sieve. In F., Özbudak and F., Rodríguez-Henríquez, editors, WAIFI, volume 7369 of Lecture Notes in Computer Science, pages 208–224. Springer, 2012. (Cited on pages 156 and 157.)
[325] K., Tiri, M., Akmal, and I., Verbauwhede. A dynamic and differential CMOS logic with signal independent power consumption towithstand differential power analysis on smart cards. In European Solid-State Circuits Conference – ESSCIRC 2002, Florence, 24–26 Sept. 2002, pages 403–406. Università di Bologna, 2002. (Cited on page 81.)
[326] K., Tiri and I., Verbauwhede. A logic level design methodology for a secure DPA resistant ASIC or FPGA implementation. In Design, Automation and Test in Europe Conference and Exposition –. (DATE 2004), Paris, 16–20 February 2004, pages 246–251. IEEE, 2004. (Cited on page 81.)
[327] A., Toom. The complexity of a scheme of functional elements realizing the multiplication of integers. Soviet Mathematics Doklady, 3 (4):714–716, 1963. (Cited on page 15.)
[328] Y., Tsuruoka. Computing short Lucas chains for elliptic curve cryptosystems. IEICE Transactions on Fundamentals, E84-A(5):1227–1233, 2001. (Cited on pages 113 and 115.)
[329] M., Ugon. Portable data carrier including a microprocessor. US Patent and Trademark Office, July 8 1980. US Patent No. 421191. (Abstract). (Cited on page 76.)
[330] U.S. Department of Commerce/National Institute of Standards and Technology. Digital Signature Standar. (DSS). FIPS-186-4, 2013. http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf (accessed May 4, 2017). (Cited on page 22.)
[331] B., Vallée. Generation of elements with small modular squares and provably fast integer factoring algorithms. Mathematics of Computation, 56:823–849, 1991. (Cited on page 160.)
[332] W., van Eck. Electromagnetic radiation from video display units: An eavesdropping risk? Computers and Security, 4(4):269–286, Dec. 1985. (Cited on page 76.)
[333] F., Vercauteren. Optimal pairings. IEEE Transactions on Information Theory, 56 (1):455–461, 2010. (Cited on page 212.)
[334] C. D., Walter. Fast modular multiplication using 2-power radix. International J. Computer Mathematics, 39(1-2):21–28, 1991. (Cited on page 48.)
[335] C. D., Walter. Faster modular multiplication by operand scaling. In J., Feigenbaum, editor, Advances in Cryptology – CRYPTO'91, volume 576 of Lecture Notes in Computer Science, pages 313–323. Springer, Heidelberg, Aug. 1992. (Cited on page 65.)
[336] C. D, Walter. Systolic modular multiplication. IEEE Transactions on Computers, 42(3):376–378, Mar. 1993. (Cited on pages 27, 67, 68, 69, and 76.)
[337] C. D, Walter. Montgomery exponentiation needs no final subtractions. Electronics Letters, 35(21):1831–1832, Oct. 1999. (Cited on pages 20 and 79.)
[338] C. D, Walter. An improved linear systolic array for fast modular exponentiation. IEE Computers and Digital Techniques, 147(5):323–328, Sept. 2000. (Cited on pages 75 and 76.)
[339] C. D., Walter. Sliding windows succumbs to big mac attack. In Çetin, Kaya. Koç, D., Naccache, and C., Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2001, volume 2162 of Lecture Notes in Computer Science, pages 286–299. Springer, Heidelberg, May 2001. (Cited on page 80.)
[340] C. D., Walter. Precise bounds for Montgomery modular multiplication and some potentially insecure RSA moduli. In B., Preneel, editor, Topics in Cryptology – CT-RSA 2002, volume 2271 of Lecture Notes in Computer Science, pages 30–39. Springer, Heidelberg, Feb. 2002. (Cited on pages 20, 78, and 79.)
[341] C. D., Walter. Longer keys may facilitate side channel attacks. In M., Matsui and R. J., Zuccherato, editors, SAC 2003: 10th Annual International Workshop on Selected Areas in Cryptography, volume 3006 of Lecture Notes in Computer Science, pages 42–57. Springer, Heidelberg, Aug. 2004. (Cited on pages 78 and 79.)
[342] C. D., Walter and S.|Thompson. Distinguishing exponent digits by observing modular subtractions. In D., Naccache, editor, Topics in Cryptology – CTRSA 2001, volume 2020 of Lecture Notes in Computer Science, pages 192–207. Springer, Heidelberg, Apr. 2001. (Cited on pages 20, 21, and 77.)
[343] D., Weber. Computing discrete logarithms with quadratic number rings. In EUROCRYPT'98, pages 171–183, 1998. (Cited on page 145.)
[344] E., Wenger and P., Wolfger. Solving the discrete logarithm of a 113-bit Koblitz curve with an FPGA cluster. In A., Joux and A. M., Youssef, editors, SAC 2014: 21st Annual InternationalWorkshop on Selected Areas in Cryptography, volume 8781 of Lecture Notes in Computer Science, pages 363–379. Springer, Heidelberg, Aug. 2014. (Cited on page 9.)
[345] A. E., Western and J. C., P.|Miller. Tables of indices and primitive roots. Royal Society Mathematical Tables, vol 9, Cambridge University Press, 1968. (Cited on pages 117, 139, and 140.)
[346] WhatsApp Inc. WhatsApp website, 2017. (Cited on page 94.)
[347] D. H., Wiedemann. Solving sparse linear equations over finite fields. IEEE Trans. Inform. Theory, IT-32(1):54–62, Jan. 1986. (Cited on pages 123 and 176.)
[348] H. C., Williams. p + 1 method of factoring. Mathematics of Computation, 39 (159):225–234, 1982. (Cited on pages 116, 191, and 199.)
[349] P., Zimmermann and B., Dodson. 20 years of ECM. In F., Hess, S., Pauli, and M. E., Pohst, editors, Algorithmic Number Theory – ANTS-VII, volume 4076 of Lecture Notes in Computer Science, pages 525–542. Springer-Verlag. Erratum: http://www.loria.fr/∼zimmerma/papers/, 2006. (Cited on pages 189, 190, 191, and 197.)

Metrics

Altmetric attention score

Full text views

Total number of HTML views: 0
Total number of PDF views: 0 *
Loading metrics...

Book summary page views

Total views: 0 *
Loading metrics...

* Views captured on Cambridge Core between #date#. This data will be updated every 24 hours.

Usage data cannot currently be displayed