- Publisher: Cambridge University Press
- Online publication date: October 2017
- Print publication year: 2017
- Online ISBN: 9781316271575
- https://doi.org/10.1017/9781316271575

- Publisher: Cambridge University Press
- Online publication date: October 2017
- Print publication year: 2017
- Online ISBN: 9781316271575
- https://doi.org/10.1017/9781316271575

Peter L. Montgomery has made significant contributions to computational number theory, introducing many basic tools such as Montgomery multiplication, Montgomery simultaneous inversion, Montgomery curves, and the Montgomery ladder. This book features state-of-the-art research in computational number theory related to Montgomery's work and its impact on computational efficiency and cryptography. Topics cover a wide range of topics such as Montgomery multiplication for both hardware and software implementations; Montgomery curves and twisted Edwards curves as proposed in the latest standards for elliptic curve cryptography; and cryptographic pairings. This book provides a comprehensive overview of integer factorization techniques, including dedicated chapters on polynomial selection, the block Lanczos method, and the FFT extension for algebraic-group factorization algorithms. Graduate students and researchers in applied number theory and cryptography will benefit from this survey of Montgomery's work.

Contents

References

[1] Modular reduction without pre-computation for special moduli. Technical report, Microsoft Research, 2010. (Cited on page 24.) and .

[2] Proceedings of the 20th Annual Symposium on Foundations of Computer Science, SFCS 79, pages 55–60, Washington, DC, USA, 1979. IEEE Computer Society. (Cited on pages 139 and 140.) . A subexponential algorithm for the discrete logarithm problem with applications to cryptography. In

[3] Proceedings of the 23rd Annual ACMSymposium on Theory of Computing, May 5–8, 1991, New Orleans, Louisiana, USA, pages 64–71, 1991. (Cited on pages 154 and 155.) . Factoring numbers using singular integers. In

[4] 199. (accessed April 20, 2017). (Cited on page 139.) . The story of sneakers, the movie and Len Adleman the mathematician. URL: http://www.usc.edu/dept/molecular-science/fm-sneakers.htm,

[5] The Design and Analysis of Computer Algorithms. Addison-Wesley, Reading, MA, 1974. (Cited on pages 195 and 196.) , , and .

[6] Cryptographic Hardware and Embedded Systems – CHES 2004, volume 3156 of Lecture Notes in Computer Science, pages 107–118. Springer, Heidelberg, Aug. 2004. (Cited on page 40.) , , , and . A low-cost ECC coprocessor for smartcards. In and , editors,

[7] SAC 2001: 8th Annual International Workshop on Selected Areas in Cryptography, volume 2259 of Lecture Notes in Computer Science, pages 255–267. Springer, Heidelberg, Aug. 2001. (Cited on page 108.) . Fast simultaneous scalar multiplication on elliptic curve with Montgomery form. In and , editors,

[8] Number Theoretic and AlgebraicMethods in Computer Scienc. (Moscow 1993), pages 163–174. World Scientific, 1995. (Cited on pages 135 and 137.) and . Implementing the self-initializing quadratic sieve on a distributed network. In , , and , editors,

[9] Proceedings of the Forty-Seventh Annual ACM on Symposium on Theory of Computing, STOC 2015, Portland, OR, USA, June 14–17, 2015, pages 585–593. ACM, 2015. (Cited on page 123.) , , and . Fast matrix multiplication: Limitations of the Coppersmith-Winograd method. In and , editors,

[10] The Computer Journal, 55
(5):629–647, 2012. (Cited on page 37.) , , and L. Sousa. RNS-based elliptic curve point multiplication for massive parallel architectures.

[11] SAC 2013: 20th Annual InternationalWorkshop on Selected Areas in Cryptography, volume 8282 of Lecture Notes in Computer Science, pages 3–25. Springer, Heidelberg, Aug. 2014. (Cited on pages 207 and 215.) , , , and . The realm of the pairings. In , , and , editors,

[12] Pairing-Based Cryptography – Pairing 2012, volume 7708 of Lecture Notes in Computer Science, pages 177–195. Springer, 2012. (Cited on page 207.) , , , , and . Implementing pairings at the 192-bit security level. In and , editors,

[13] Advances in Cryptology – EUROCRYPT 2011, volume 6632 of Lecture Notes in Computer Science, pages 48–68. Springer, Heidelberg, May 2011. (Cited on pages 207 and 215.) , , , , and . Faster explicit formulas for computing pairings over ordinary curves. In , editor,

[14] Faster computation of the Tate pairing. Journal of Number Theory, 131
(5):842–857, 2011. (Cited on pages 221 and 222.) , , , and .

[15] Advances in Cryptology – ASIACRYPT'94, volume 917 of Lecture Notes in Computer Science, pages 263–277. Springer, Heidelberg, Nov. / Dec. 1995. (Cited on pages 135 and 153.) , , , and . The magic words are squeamish ossifrage. In and , editors,

[16] Handbook of Elliptic and Hyperelliptic Curve Cryptography. Chapman & Hall/CRC Press, 2005. (Cited on pages 90, 244, and 245.) , , , , , , and .

[17] Factoring with cyclotomic polynomials. Mathematics of Computation, 52:201–219, 1989. (Cited on page 116.) and .

[18] 2015. (Cited on page 174.) , , , and . Better polynomials for GNFS. Mathematics of Computation, pages 1–12, December

[19] Root optimization of polynomials in the number field sieve. Mathematics of Computation, 84(295), 2015. (Cited on page 173.) , , and .

[20] 2009. http:// eprint.iacr.org/2009/54. (accessed May 3, 2017). (Cited on page 9.) , , , , , , , , , , , , , , , , , , , , , , and . Breaking ECC2K-130. Cryptology ePrint Archive, Report 2009/541,

[21] Efficient arithmetic in finite field extensions with application in elliptic curve cryptography. Journal of Cryptology, 14
(3):153–176, 2001. (Cited on page 215.) and .

[22] 19th IEEE Symposium on Computer Arithmetic – ARITH 2009, pages 25–32. IEEE Computer Society, 2009. (Cited on page 37.) , , and . Selected RNS bases for modular multiplication. In , , , and , editors,

[23] An RNS montgomery modular multiplication algorithm. IEEE Trans. Computers, 47
(7):766–776, 1998. (Cited on page 36.) , , and .

[24] A full RNS implementation of RSA. IEEE Transactions on Computers, 53(6):769–774, June 2004. (Cited on page 37.) and .

[25] Optimal tower fields. IEEE Transactions on Computers, 53
(10):1231–1243, 2004. (Cited on page 218.) and .

[26] 2013. (Cited on pages 4 and 94.) , , , , and . Finding ECM-friendly curves through a study of Galois properties. The Open Book Series – Proceedings of the Tenth Algorithmic Number Theory Symposium, pages 63–86,

[27] Advances in Cryptology – EUROCRYPT 2014, volume 8441 of Lecture Notes in Computer Science, pages 1–16. Springer, Heidelberg, May 2014. (Cited on page 140.) , , , and . A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In and , editors,

[28] Some mathematical remarks on the polynomial selection in NFS. Mathematics of Computation, 86
(303):397–418, 2017. (Cited on page 172.) and .

[29] Advances in Cryptology – CRYPTO 2002, volume 2442 of Lecture Notes in Computer Science, pages 354– 368. Springer, Heidelberg, Aug. 2002. (Cited on pages 207, 210, 212, and 231.) , , , and . Efficient algorithms for pairing-based cryptosystems. In , editor,

[30] Efficient implementation of pairingbased cryptosystems. Journal of Cryptology, 17(4):321–334, Sept. 2004. (Cited on pages 210, 212, and 231.) , , and .

[31] Advances in Cryptology – CRYPTO'86, volume 263 of Lecture Notes in Computer Science, pages 311–323. Springer, Heidelberg, Aug. 1987. (Cited on pages 11 and 48.) . Implementing the Rivest Shamir and Adleman public key encryption algorithm on a standard digital signal processor. In , editor,

[32] 1981. (Cited on pages 4 and 5.) . The System Builders: The Story of SDC. System Development Corporation,

[33] Arithmetic of Finite Fields, Third International Workshop, WAIFI 2010, Istanbul, Turkey, June 27-30, 2010. Proceedings, volume 6087 of Lecture Notes in Computer Science, pages 180–195. Springer, 2010. (Cited on page 215.) and . Constructing tower extensions of finite fields for implementation of pairing-based cryptography. In and , editors,

[34] Algebraic coding theory. McGraw-Hill, 1968. (Cited on page 3.) .

[35] PKC 2006: 9th International Conference on Theory and Practice of Public Key Cryptography, volume 3958 of 238 Bibliography Lecture Notes in Computer Science, pages 207–228. Springer, Heidelberg, Apr. 2006. (Cited on pages 23, 83, 94, 98, and 106.) . Curve25519: New Diffie-Hellman speed records. In , , , and , editors,

[36] 2006. https://cr.yp.to/papers.html# diffchai. (accessed May 3, 2017). (Cited on pages 108 and 114.) . Differential addition chains,

[37] AFRICACRYPT 08: 1st International Conference on Cryptology in Africa, volume 5023 of Lecture Notes in Computer Science, pages 389–405. Springer, Heidelberg, June 2008. (Cited on page 90.) , , , , and . Twisted Edwards curves. In , editor,

[38] ECM using Edwards curves. Mathematics of Computation, 82
(282):1139–1179, 2013. (Cited on page 190.) , , , and .

[39] Progress in Cryptology - LATINCRYPT 2015: 4th International Conference on Cryptology and Information Security in Latin America, volume 9230 of Lecture Notes in Computer Science, pages 269–294. Springer, Heidelberg, Aug. 2015. (Cited on page 97.) , , , and . Twisted Hessian curves. In and , editors,

[40] Cryptographic Hardware and Embedded Systems – CHES 2014, volume 8731 of Lecture Notes in Computer Science, pages 316–334. Springer, Heidelberg, Sept. 2014. (Cited on page 94.) , , and . Curve41417: Karatsuba revisited. In and , editors,

[41] Advances in Cryptology – ASIACRYPT 2014, Part I, volume 8873 of Lecture Notes in Computer Science, pages 317–337. Springer, Heidelberg, Dec. 2014. (Cited on page 83.) , , , and . Kummer strikes back: New DH speed records. In and , editors,

[42] Cryptographic Hardware and Embedded Systems – CHES 2011, volume 6917 of Lecture Notes in Computer Science, pages 124–142. Springer, Heidelberg, Sept. / Oct. 2011. (Cited on pages 83 and 94.) , , , , and . High-speed high-security signatures. In and , editors,

[43] , , , , and . EdDSA for more curves. Cryptology ePrint Archive, Report 2015/677, 2015. http://eprint .iacr.org/2015/67. (accessed May 3, 2017). (Cited on page 94.)

[44] Advances in Cryptology – ASIACRYPT 2007, volume 4833 of Lecture Notes in Computer Science, pages 29–50. Springer, Heidelberg, Dec. 2007. (Cited on pages 90 and 91.) and . Faster addition and doubling on elliptic curves. In , editor,

[45] 2009. https://hyperelliptic.org/EFD/g1p/auto-edwards-yz.htm. (accessedMay 3, 2017). (Cited on page 97.) and . YZ coordinates with square d for Edwards curves,

[46] A complete set of addition laws for incomplete Edwards curves. Journal of Number Theory, 131:858–872, 2011. (Cited on page 91.) and .

[47] 2014. https://safecurves.cr.yp.t. (accessed May 3, 2017). (Cited on page 94.) and . SafeCurves: choosing safe curves for elliptic-curve cryptography,

[48] 2016. https:// hyperelliptic.org/EF. (accessed May 3, 2017). (Cited on pages 83, 220, and 223.) and . Explicit-Formulas Database,

[49] 1992. (Cited on pages 149, 152, and 156.) and . A general number field sieve implementation. pages 103–126 in [234],

[50] Progress in Cryptology - INDOCRYPT 2003: 4th International Conference in Cryptology in India, volume 2904 of Lecture Notes in Computer Science, pages 349–362. Springer, Heidelberg, Dec. 2003. (Cited on pages 40 and 67.) , , and . Systolic and scalable architectures for digit-serial multiplication in fields GF(pm). In and , editors,

[51] PAIRING 2010: 4th International Conference on Pairing-based Cryptography, volume 6487 of Lecture Notes in Computer Science, pages 21–39. Springer, Heidelberg, Dec. 2010. (Cited on pages 207 and 215.) , , , , , and . High-speed software implementation of the optimal ate pairing over Barreto-Naehrig curves. In , , and , editors,

[52] Cryptographic Hardware and Embedded Systems – CHES 2015, volume 9293 of Lecture Notes in Computer Science, pages 123–140. Springer, Heidelberg, Sept. 2015. (Cited on page 37.) and . Single base modular multiplication for efficient hardware RNS implementations of ECC. In and , editors,

[53] Elliptic Curves in Cryptography. Cambridge University Press, 1999. (Cited on page 208.) , , and , editors.

[54] Advances in Elliptic Curve Cryptography. Cambridge University Press, 2005. (Cited on page 246.) , , and , editors.

[55] 1996. https://cr.yp.to/bib/1996/bleichenbacher-thesis.pdf. (accessedMay 3, 2017). (Cited on pages 112 and 113.) . Efficiency and security of cryptosystems based on number theory. PhD thesis, ETH Zürich,

[56] A linear filtering approach to the computation of discrete Fourier transform. IEEE Transactions on Audio and Electroacoustics, 18
(4):451–455, 1970. (Cited on page 202.) .

[57] Advances in Cryptology – EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pages 506–522. Springer, Heidelberg, May 2004. (Cited on page 226.) , , , and . Public key encryption with keyword search. In and , editors,

[58] Advances in Cryptology – CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 213–229. Springer, Heidelberg, Aug. 2001. (Cited on page 206.) and . Identity-based encryption from the Weil pairing. In , editor,

[59] TCC 2005: 2nd Theory of Cryptography Conference, volume 3378 of Lecture Notes in Computer Science, pages 325–341. Springer, Heidelberg, Feb. 2005. (Cited on page 206.) , , and . Evaluating 2-DNF formulas on ciphertexts. In , editor,

[60] Advances in Cryptology – ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pages 514–532. Springer, Heidelberg, Dec. 2001. (Cited on page 206.) , , and . Short signatures from the Weil pairing. In , editor,

[61] Short signatures from the Weil pairing. Journal of Cryptology,
17(4):297–319, Sept. 2004. (Cited on page 206.) , , and .

[62] TCC 2011: 8th Theory of Cryptography Conference, volume 6597 of Lecture Notes in Computer Science, pages 253–273. Springer, Heidelberg, Mar. 2011. (Cited on page 206.) , , and . Functional encryption: Definitions and challenges. In , editor,

[63] Workshop on the Arithmetic of Finite Fields – WAIFI 2010, volume 6087 of Lecture Notes in Computer Science, pages 7–24. Springer, 2010. (Cited on pages 27 and 32.) . High-performance modular multiplication on the Cell processor. In and , editors,

[64] Advances in Cryptology – EUROCRYPT 2013, volume 7881 of Lecture Notes in Computer Science, pages 194– 210. Springer, Heidelberg, May 2013. (Cited on pages 23 and 24.) , , , and . Fast cryptography in genus 2. In and , editors,

[65] Cryptographic Hardware and Embedded Systems – CHES 2013, volume 8086 of Lecture Notes in Computer Science, pages 331–348. Springer, Heidelberg, Aug. 2013. (Cited on page 24.) , , , and . High-performance scalar multiplication using 8-dimensional GLV/GLS decomposition. In and , editors,

[66] Selecting elliptic curves for cryptography: an efficiency and security analysis. J. Cryptographic Engineering, 6
(4):259–286, 2016. (Cited on page 25.) , , , and .

[67] Parallel Processing and Applied Mathematics – PPAM 2009, volume 6067 of Lecture Notes in Computer Science, pages 477–485. Springer, Heidelberg, 2010. (Cited on pages 31 and 35.) and . Montgomery multiplication on the Cell. In , , , and , editors,

[68] 2009. http://eprint.iacr.org. (accessed May 3, 2017). (Cited on page 4.) , , , , and . On the security of 1024-bit RSA and 160-bit elliptic curve cryptography. Cryptology ePrint Archive, Report 2009/389,

[69] Solving a 112-bit prime elliptic curve discrete logarithm problem on game consoles using sloppy reduction. International Journal of Applied Cryptography, 2
(3):212–228, 2012. (Cited on pages 4, 9, and 32.) , , , , and .

[70] 2009. http://www.hyperelliptic.org/tanja/SHARCS/record2.pdf. (accessed May 3, 2017). (Cited on page 4.) , , and . Pollard rho on the PlayStation 3. In Special-purposeHardware for Attacking Cryptographic Systems – SHARCS 2009, pages 35–50,

[71] IEEE Symposium on Computer Arithmetic – ARITH-20, pages 213–221. IEEE Computer Society, 2011. (Cited on pages 4, 23, and 199.) , , , and . Efficient SIMD arithmetic modulo a Mersenne number. In , , and , editors,

[72] AFRICACRYPT 10: 3rd International Conference on Cryptology in Africa, volume 6055 of Lecture Notes in Computer Science, pages 225–242. Springer, Heidelberg, May 2010. (Cited on page 32.) , , , and . ECC2K-130 on cell CPUs. In and , editors,

[73] SAC 2013: 20th Annual International Workshop on Selected Areas in Cryptography, volume 8282 of Lecture Notes in Computer Science, pages 471–489. Springer, Heidelberg, Aug. 2014. (Cited on pages 4, 26, 27, 28, and 30.) , , , and . Montgomery multiplication using vector instructions. In , , and , editors,

[74] Cryptographic Hardware and Embedded Systems – CHES 2010, volume 6225 of Lecture Notes in Computer Science, pages 279–293. Springer, Heidelberg, Aug. 2010. (Cited on page 32.) and . Performance analysis of the SHA-3 candidates on exotic multi-core architectures. In and , editors,

[75] Advances in Cryptology – CRYPTO'93, volume 773 of Lecture Notes in Computer Science, pages 175–186. Springer, Heidelberg, Aug. 1994. (Cited on page 12.) , , and . Comparison of three modular reduction functions. In , editor,

[76] New factors of Mersenne number. (preliminary report), II. AMS Abstracts, 3:132, 82T–10–22, 1982. (Cited on page 199.) .

[77] Some integer factorization algorithms using elliptic curves. Australian Computer Science Communications, 8:149–163, 1986. (Cited on page 189.) .

[78] 1996. (Cited on pages 7 and 148.) , , ., , , , and . Factorizations of an ± 1, 13 ≤ a 100: Update 2,

[79] Factorization of the eighth Fermat number. Mathematics of Computation, 36
(154):627–630, 1981. (Cited on pages 116 and 129.) and .

[80] Modern Computer Arithmetic. Cambridge University Press, 2010. (Cited on pages 24 and 197.) and .

[81] Advances in Cryptology – CRYPTO'82, pages 51–60. Plenum Press, New York, USA, 1982. (Cited on page 27.) . A fast modular multiplication algorithm with application to two key cryptography. In , , and , editors,

[82] , , , , and . Factorizations of bn ± 1, b = 2, 3, 5, 6, 7, 10, 11, 12 Up to High Powers, volume 22 of Contemporary Mathematics. American Mathematical Society, First edition, 1983, Second edition, 1988, Third edition, 2002. Electronic book available at: http://homes.cerias.purdue.edu/∼ssw/cun/index.htm. (accessed May 3, 2017), 1983. (Cited on pages 117, 128, 145, and 146.)

[83] Advances in Cryptology – CRYPTO'93, volume 773 of Lecture Notes in Computer Science, pages 159–165. Springer, Heidelberg, Aug. 1994. (Cited on pages 149, 152, and 153.) , , and . An implementation of the general number field sieve. In , editor,

[84] 1992. (Cited on pages 139, 141, 152, 153, 154, 155, 156, and 164.) , , and . Factoring integers with the number field sieve. pages 50–94 in [234],

[85] 1994. (Cited on page 166.) , , , and . Technical report implementing the number field sieve. Oregon State University, Corvallis, OR,

[86] On a problem of Oppenheim concerning “Factorisatio Numerorum.”. J. Number Theory, 17:1–28, 1983. (Cited on page 119.) , , and .

[87] A new algorithm for factoring polynomials over finite fields. Mathematics of Computation, 36:587–592, 1981. (Cited on page 3.) and .

[88] Parallel implementation of the quadratic sieve. J. Supercomput., 1:273–290, 1988. (Cited on pages 116, 135, and 136.) and .

[89] ANTS, volume 1838 of Lecture Notes in Computer Science, pages 209–231. Springer, 2000. (Cited on pages 7, 124, and 125.) . Strategies in filtering in the number field sieve. In , editor,

[90] On the number field sieve integer factorisation algorithm. PhD thesis, Leiden University, 2002. (Cited on pages 7, 124, and 125.) .

[91] Advances in Cryptology – ASIACRYPT'99, volume 1716 of Lecture Notes in Computer Science, pages 195–207. Springer, Heidelberg, Nov. 1999. (Cited on pages 4 and 171.) , , , , , , , , and . Factorization of RSA-140 using the number field sieve. In , , and , editors,

[92] Advances in Cryptology – EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pages 1–18. Springer, Heidelberg, May 2000. (Cited on pages 4, 124, 148, 153, and 176.) , , , , , , , , , , , , , , , , and . Factorization of a 512-bit RSA modulus. In , editor,

[93] Analyzing and comparing Montgomery multiplication algorithms. IEEE Micro, 16
(3):26–33, 1996. (Cited on pages 16 and 47.) , , and .

[94] Advances in Cryptology – CRYPTO'82, pages 199– 203. Plenum Press, New York, USA, 1982. (Cited on page 77.) . Blind signatures for untraceable payments. In , , and , editors,

[95] 2010. (Cited on page 32.) , , , and . Integer number crunching on the Cell processor. International Conference on Parallel Processing, pages 508–515,

[96] An efficient algorithm for computing the Luc chain. IEE Proceedings on Computers and Digital Techniques, 147:263–265, 2000. (Cited on page 112.) and .

[97] Selected Areas in Cryptography – SAC 2015, volume 9566 of Lecture Notes in Computer Science, pages 145–160. Springer, 2016. (Cited on page 94.) . Sandy2x: New Curve25519 speed records. In and , editors,

[98] 18th IEEE Symposium on Computer Arithmeti. (ARITH-18), pages 230–239. IEEE Computer Society, 2007. (Cited on page 25.) and . Montgomery reduction algorithm for modular multiplication using low-weight polynomial form integers. In

[99] Trading inversions for multiplications in elliptic curve cryptography. Des. Codes Cryptography, 39(2):189– 206, 2006. (Cited on pages 4 and 228.) , , , and .

[100] 2017. (Cited on page 95.) . Blackphone website,

[101] Factoring integers with the self-initializing quadratic sieve. Masters Thesis, U. Georgia, 1997. (Cited on page 137.) .

[102] On the minimum computation time of functions. PhD thesis, Harvard University, 1966. (Cited on page 15.) .

[103] Fast evaluation of logarithms in fields of characteristic two. IEEE Transactions on Information Theory, 30:587–594, 1984. (Cited on page 140.) .

[104] Modifications to the number field sieve. Journal of Cryptology, 6
(3):169–180, 1993. (Cited on pages 117, 146, 153, 158, and 159.) .

[105] Solving linear equations over GF(2): Block Lanczos algorithm. Linear Algebra Appl., 192:33–60, Jan. 1993. (Cited on page 179.) .

[106] Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm. Mathematics of Computation, 62
(205):333–350, 1994. (Cited on pages 7, 123, 187, and 188.) .

[107] Discrete logarithms in GF(p). Algorithmica, 1
(1):1–15, 1986. (Cited on pages 123, 137, 139, 144, and 145.) , , and .

[108] Matrix multiplication via arithmetic progressions. J. Symbolic Comput., 9:251–280, 1990. (Cited on page 123.) and .

[109] PAIRING 2009: 3rd International Conference on Pairing-based Cryptography, volume 5671 of Lecture Notes in Computer Science, pages 89–101. Springer, Heidelberg, Aug. 2009. (Cited on pages 221 and 222.) , , , , and . Faster pairings on special Weierstrass curves. In and , editors,

[110] PKC 2010: 13th International Conference on Theory and Practice of Public Key Cryptography, volume 6056 of Lecture Notes in Computer Science, pages 224–242. Springer, Heidelberg, May 2010. (Cited on pages 220, 221, and 222.) , , and . Faster pairing computations on curves with high-degree twists. In and , editors,

[111] AFRICACRYPT 09: 2nd International Conference on Cryptology in Africa, volume 5580 of Lecture Notes in Computer Science, pages 368–385. Springer, Heidelberg, June 2009. (Cited on page 32.) and . Fast elliptic-curve cryptography on the cell broadband engine. In , editor,

[112] and . Accelerating SSL using the vector processors in IBM's cell broadband engine for sony's playstation 3. Cryptology ePrint Archive, Report 2007/061, 2007. http://eprint.iacr.org/2007/06. (accessed May 4, 2017). (Cited on page 32.)

[113] 1992. (Cited on pages 8 and 156.) . Computing a square root for the number field sieve. pages 95–102 in[234],

[114] Advances in Cryptology – ASIACRYPT' 96, volume 1163 of Lecture Notes in Computer Science, pages 382– 394. Springer, Heidelberg, Nov. 1996. (Cited on page 153.) , , , , , and . A world wide number field sieve factoring record: On to 512 bits. In and , editors,

[115] Montgomery's method of polynomial selection for the number field sieve. Linear Algebra and its Applications, 485:72–102, 2015. (Cited on page 168.) .

[116] Factorizations of yn ± 1, y = 2, 3, 5, 6, 7, 10, 11, 12 up to high powers.
Frances Hodgson, London, 1925. (Cited on pages 117, 145, and 146.) and .

[117] Advances in Cryptology – EUROCRYPT'84, volume 209 of Lecture Notes in Computer Science, pages 183–215. Springer, Heidelberg, Apr. 1985. (Cited on pages 133 and 134.) , , and . Status report on factorin. (at the Sandia national laboratories). In , , and , editors,

[118] On the number of positive integers ≤. x and free of prime factors y, ii. Indag. Math., 38:239–247, 1966. (Cited on page 119.) .

[119] 2017. (Cited on page 159.) , , and . Analyses of number field sieve variants. manuscript in preparation,

[120] 1966. (page 16). (Cited on page 76.) . Security in the computing environment. Technical Report SP2440/000/01, System Development Corporation, August 18

[121] Advances in Cryptology – CRYPTO'93, volume 773 of Lecture Notes in Computer Science, pages 166–174. Springer, Heidelberg, Aug. 1994. (Cited on page 153.) , , , and . On the factorization of RSA-120. In , editor,

[122] Modified version of the Barrett algorithm. Technical report, DICE, Université Catholique de Louvain, 1994. (Cited on page 48.) .

[123] Design of an efficient public-key cryptographic library for RISC-based smart cards. PhD thesis, Université Catholique de Louvain, 1998. (Cited on page 48.) .

[124] Smart Card Research and Applications, CARDIS 98, volume 1820 of LNCS, pages 336–352. Springer-Verlag, 1998. (Cited on page 48.) and . Recent results on modular multiplications for smart cards. In

[125] and . The transport layer securit. (TLS) protocol version 1.2. RFC 5246 (Proposed Standard), http://www.ietf.org/rfc/rfc5246.txt (accessed May 4, 2017), 2008. (Cited on page 94.)

[126] Newdirections in cryptography. IEEE Transactions on Information Theory, 22
(6):644–654, 1976. (Cited on pages 40 and 93.) and .

[127] Advances in Cryptology – EUROCRYPT'92, volume 658 of Lecture Notes in Computer Science, pages 183–193. Springer, Heidelberg, May 1993. (Cited on pages 24 and 27.) and . Massively parallel elliptic curve factoring. In , editor,

[128] Asymptotically fast factorization of integers. Mathematics of Computation, 36
(153):255–260, 1981. (Cited on page 127.) .

[129] Finite Field Arithmetic, chapter 11 in [16], pages 201–237. CRC press, 2005. (Cited on pages 215 and 218.) .

[130] PKC 2006: 9th International Conference on Theory and Practice of Public Key Cryptography, volume 3958 of Lecture Notes in Computer Science, pages 191– 206. Springer, Heidelberg, Apr. 2006. (Cited on page 97.) , , and . Efficient scalar multiplication by isogeny decompositions. In , , , and , editors,

[131] Advances in Cryptology – CRYPTO'95, volume 963 of Lecture Notes in Computer Science, pages 372–385. Springer, Heidelberg, Aug. 1995. (Cited on pages 152 and 153.) and . NFS with four large primes: An explosive experiment. In , editor,

[132] Background on Pairings, chapter 6 in [16], pages 115– 124. CRC press, 2005. (Cited on page 208.) and .

[133] Implementation of Pairings, chapter 16 in [16], pages 389–404. CRC press, 2005. (Cited on page 208.) and .

[134] Advances in Cryptology – EUROCRYPT'90, volume 473 of Lecture Notes in Computer Science, pages 230–244. Springer, Heidelberg, May 1991. (Cited on pages 16, 18, and 47.) and . A cryptographic library for the Motorola DSP56000. In , editor,

[135] On randomized Lanczos algorithm. In , editor, ISSAC 97, page 176–183. ACM Press, 1997. Extended abstract. (Cited on page 178.) and .

[136] Anormal form for elliptic curves. Bulletin of the AmericanMathematical Society, 44:393–422, July 2007. (Cited on pages 90 and 190.) .

[137] Topics in Cryptology – CT-RSA 2003, volume 2612 of Lecture Notes in Computer Science, pages 343–354. Springer, Heidelberg, Apr. 2003. (Cited on pages 4, 8, 206, 207, 227, and 228.) , , and . Fast elliptic curve arithmetic and improved Weil pairing evaluation. In , editor,

[138] Algorithmic Number Theory, 6th International Symposium, ANTS-VI, Burlington, VT, USA, June 13-18, 2004, Proceedings, volume 3076 of Lecture Notes in Computer Science, pages 169–183. Springer, 2004. (Cited on pages 4, 8, 206, 231, 232, and 233.) , , and . ImprovedWeil and Tate pairings for elliptic and hyperelliptic curves. In , editor,

[139] Hardware implementation of montgomery's modular multiplication algorithm. IEEE Transactions on Computers, 42(6):693– 699, June 1993. (Cited on pages 43 and 61.) and .

[140] A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985. (Cited on page 40.) .

[141] A subexponential-time algorithm for computing discrete logarithms over GF(p2). IEEE Transactions on Information Theory, 31:473–481, 1985. (Cited on pages 139, 141, 142, 143, and 144.) .

[142] An implementation of the number field sieve. Experimental Mathematics, 5
(3):231–253, 1996. (Cited on pages 168 and 169.) .

[143] , November 2015. Private communication. (Cited on pages 2 and 4.)

[144] Euclidean Ramsey theorems, I. Journal of Combinatorial Theory, Series A, 14
(3):341–363, 1973. (Cited on page 1.) , , , , , and .

[145] Colloquia Mathematica Societatis János Bolyai, 10, volume I of Infinite and Finite Sets, pages 529–557. North-Holland, Amsterdam-London, 1975. (Cited on page 1.) , , , , , and . Euclidean Ramsey theorems, II. In , , and , editors,

[146] Colloquia Mathematica Societatis János Bolyai, 10, volume I of Infinite and Finite Sets, pages 559–583. North-Holland, Amsterdam-London, 1975. (Cited on page 1.) , , , , , and . Euclidean Ramsey theorems, III. In , , and , editors,

[147] 2005. http://www.hyperelliptic.org/tanja/SHARCS/talks/FrankeKleinjung.pdf. (accessed May 4, 2017). (Cited on page 149.) and . Continued fractions and lattice sieving. In Specialpurpose Hardware for Attacking Cryptographic Systems – SHARCS 2005,

[148] A taxonomy of pairing-friendly elliptic curves. Journal of Cryptology, 23(2):224–280, Apr. 2010. (Cited on pages 213, 223, and 224.) , , and .

[149] Performance-scalable array architectures for modular multiplication. Journal of VLSI Signal Processing, 31:101–116, 2002. (Cited on page 68.) and .

[150] The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems. IEEE Transactions on Information Theory, 45
(5):1717–1719, 1999. (Cited on page 213.) , , and .

[151] A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Mathematics of Computation, 62(206):pp. 865–874, 1994. (Cited on pages 206 and 213.) and .

[152] 39th Annual ACM Symposium on Theory of Computing, pages 57–66. ACM Press, June 2007. (Cited on page 15.) . Faster integer multiplication. In and , editors,

[153] Pairings, chapter IX in [54], pages 183–214. Cambridge University Press, 2005. (Cited on page 208.) .

[154] Algorithmic Number Theory – ANTS, volume 2369 of Lecture Notes in Computer Science, pages 324–337. Springer, 2002. (Cited on page 207.) , , and . Implementing the Tate pairing. In and , editors,

[155] Cryptographic Hardware and Embedded Systems – CHES 2001, volume 2162 of Lecture Notes in Computer Science, pages 251–261. Springer, Heidelberg, May 2001. (Cited on page 77.) , , and . Electromagnetic analysis: Concrete results. In , , and , editors,

[156] Papers Presented at the the March 3–5, 1959,Western Joint Computer Conference, IRE-AIEE-ACM'5. (Western), pages 146–153, New York, NY, USA, 1959. ACM. (Cited on pages 36 and 46.) . The residue number system. In

[157] Modern Computer Algebra. Cambridge University Press, Cambridge, 1999. https://cosec.bit.uni-bonn.de/science/mc. (accessed May 5, 2017). (Cited on page 192.) and .

[158] 2006. https://cr.yp.to/bib/2006/gaudry-toronto.pdf. (accessed May 4, 2017). (Cited on page 97.) . Variants of the Montgomery form based on Theta functions,

[159] The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines. Finite Fields and Their Applications, 15:246–260, 2009. https://hal.inria.fr/inria-00266565v. (accessed May 4, 2017). (Cited on page 97.) and .

[160] Factoring large integerswith a quadratic sieve. Mathematics of Computation, 41:287–294, 1983. (Cited on pages 132 and 134.) .

[161] 1994. (Cited on pages 135, 148, 149, and 153.) , , and . Lattice sieving and trial division. In Algorithmic Number Theory Symposium – ANTS'94, volume 877 of LNCS, pages 18–27,

[162] Advances in Cryptology – CRYPTO 2013, Part II, volume 8043 of Lecture Notes in Computer Science, pages 109–128. Springer, Heidelberg, Aug. 2013. (Cited on page 140.) , , , and . On the function field sieve and the impact of higher splitting probabilities — application to discrete logarithms in F21971 and F23164. In and , editors,

[163] SAC 2008: 15th Annual International Workshop on Selected Areas in Cryptography, volume 5381 of Lecture Notes in Computer Science, pages 35–50. Springer, Heidelberg, Aug. 2009. (Cited on pages 225 and 226.) , , and . On software parallel implementation of cryptographic pairings. In , , and , editors,

[164] 2015. Private communication. (Cited on pages 1 and 4.) , November

[165] , , and . On the discrete logarithm problem in finite fields of fixed characteristic. Available from http://arxiv.org/abs/1507 .0149. (accessed May 4, 2017). (Cited on page 140.)

[166] Generalised Mersenne numbers revisited. Math. Comput., 82
(284):2389–2420, 2013. (Cited on page 25.) and .

[167] PKC 2010: 13th International Conference on Theory and Practice of Public Key Cryptography, volume 6056 of Lecture Notes in Computer Science, pages 209–223. Springer, Heidelberg, May 2010. (Cited on page 211.) and . Faster squaring in the cyclotomic subgroup of sixth degree extensions. In and , editors,

[168] and . On computing products of pairings. Cryptology ePrint Archive, Report 2006/172, 2006. http://eprint.iacr.org/2006/17. (accessed May 4, 2017). (Cited on page 227.)

[169] 3rd IEEE Symposium on Computer Arithmetic – ARITH 1975, pages 117–125. IEEE Computer Society, 1975. (Cited on page 36.) and . Base conversion in residue number systems. In and , editors,

[170] Cryptographic Hardware and Embedded Systems – CHES 2005, volume 3659 of Lecture Notes in Computer Science, pages 75–90. Springer, Heidelberg, Aug. / Sept. 2005. (Cited on page 44.) , , , and . Energy-efficient software implementation of long integer modular arithmetic. In and , editors,

[171] ACNS 03: 1st International Conference on Applied Cryptography and Network Security, volume 2846 of Lecture Notes in Computer Science, pages 418–434. Springer, Heidelberg, Oct. 2003. (Cited on page 47.) and . Architectural enhancements for Montgomery multiplication on embedded RISC processors. In , , and , editors,

[172] Advances in Cryptology – EUROCRYPT 2008, volume 4965 of Lecture Notes in Computer Science, pages 415–432. Springer, Heidelberg, Apr. 2008. (Cited on page 226.) and . Efficient non-interactive proof systems for bilinear groups. In , editor,

[173] The Cell broadband engine: Exploiting multiple levels of parallelism in a chip multiprocessor. International Journal of Parallel Programming, 35:233–262, 2007. (Cited on page 32.) .

[174] Itoh-Tsujii inversion in standard basis and its application in cryptography and codes. Designs, Codes and Cryptography, 25:207–216, 2001. (Cited on page 215.) and .

[175] Fast prime field elliptic-curve cryptography with 256-bit primes. J. Cryptographic Engineering, 5
(2):141–151, 2015. (Cited on page 26.) and .

[176] Low-cost addition-subtraction sequences for the final exponentiation in pairings. Finite Fields and Their Applications, 29:1–17, 2014. (Cited on page 211.) án-Trampe, és, , , and .

[177] Cryptographic Hardware and Embedded Systems – CHES 2000, volume 1965 of Lecture Notes in Computer Science, pages 293–301. Springer, Heidelberg, Aug. 2000. (Cited on pages 20 and 79.) and . Montgomery exponentiation with no final subtractions: Improved results. In and , editors,

[178] 2012. http://eprint.iacr.org/2012/30. (accessed May 4, 2017). (Cited on pages 24 and 25.) . Fast and compact elliptic-curve cryptography. Cryptology ePrint Archive, Report 2012/309,

[179] 2015. http://eprint.iacr.org/2015/62. (accessed May 4, 2017). (Cited on page 94.) . Ed448-goldilocks, a new elliptic curve. Cryptology ePrint Archive, Report 2015/625,

[180] Guide to Elliptic Curve Cryptography. Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2004. (Cited on pages 40 and 216.) , , and .

[181] An introduction to the theory of numbers. Oxford Univ. Press, 4th edition, 1960. (Cited on page 128.) and .

[182] AFRICACRYPT 09: 2nd International Conference on Cryptology in Africa, volume 5580 of Lecture Notes in Computer Science, pages 350–367. Springer, Heidelberg, June 2009. (Cited on page 37.) and . Efficient acceleration of asymmetric cryptography on graphics hardware. In , editor,

[183] Cryptographic Hardware and Embedded Systems – CHES 2004, volume 3156 of Lecture Notes in Computer Science, pages 45–61. Springer, Heidelberg, Aug. 2004. (Cited on page 24.) . Long modular multiplication for cryptographic applications. In and , editors,

[184] Theorie der algebraischen Zahlen. Tuebner, Leipzig, 1908. (Cited on page 12.) .

[185] The eta pairing revisited. IEEE Transactions on Information Theory, 52
(10):4595–4602, 2006. (Cited on pages 211 and 212.) , , and .

[186] Advances in Cryptology – ASIACRYPT 2008, volume 5350 of Lecture Notes in Computer Science, pages 326–343. Springer, Heidelberg, Dec. 2008. (Cited on page 91.) , , , and . Twisted Edwards curves revisited. In , editor,

[187] Power efficient processor architecture and the Cell processor. In High-Performance Computer Architecture – HPCA 2005, pages 258–262. IEEE, 2005. (Cited on page 32.) .

[188] Elliptic Curves, volume 111 of Graduate Texts in Mathematics. Springer, 2004. (Cited on page 90.) .

[189] Intel Corporation. Using streaming SIMD extension. (SSE2) to perform big multiplications, version 2.0. Technical Report AP-941, Intel, 2000. http://software.intel.com/sites/default/files/14/4f/24960. (Cited on pages 56 and 64.)

[190] Progress in Cryptology - INDOCRYPT 2008: 9th International Conference in Cryptology in India, volume 5365 of Lecture Notes in Computer Science, pages 400–413. Springer, Heidelberg, Dec. 2008. (Cited on pages 220 and 221.) and . Another approach to pairing computation in Edwards coordinates. In , , and , editors,

[191] A fast algorithm for computing multiplicative inverses in GF(2∧m) using normal bases. Inf. Comput., 78
(3):171–177, 1988. (Cited on page 215.) and .

[192] Advances in Cryptology – EUROCRYPT'92, volume 658 of Lecture Notes in Computer Science, pages 477–481. Springer, Heidelberg, May 1993. (Cited on page 27.) , , and . Systolic-arrays for modular exponentiation using Montgomery metho. (extended abstract) (rump session). In , editor,

[193] Discrete algorithms and complexity. Academic Press, Boston, 1987. (Cited on page 255.) , , , and .

[194] Algorithmic Number Theory, 4th International Symposium, ANTS-IV, Leiden, The Netherlands, July 2-7, 2000, Proceedings, volume 1838 of Lecture Notes in Computer Science, pages 385–394. Springer, 2000. (Cited on page 206.) . A one round protocol for tripartite diffie-hellman. In , editor,

[195] A one round protocol for tripartite Diffie-Hellman. Journal of Cryptology, 17(4):263–276, Sept. 2004. (Cited on page 206.) .

[196] SAC 2013: 20th Annual InternationalWorkshop on Selected Areas in Cryptography, volume 8282 of Lecture Notes in Computer Science, pages 355–379. Springer, Heidelberg, Aug. 2014. (Cited on page 140.) . A new index calculus algorithm with complexity L(1/4 + o(1)) in small characteristic. In , , and , editors,

[197] Improvements to the general number field sieve for discrete logarithms in prime fields. A comparison with the gaussian integer method. Mathematics of Computation, 72
(242):953–967, 2003. (Cited on page 165.) and .

[198] Cryptography and Security: From Theory to Applications, volume 6805 of LNCS, pages 3–7. Springer-Verlag, 2012. (Cited on page 48.) . On Quisquater's multiplication algorithm. In , editor,

[199] Cryptographic Hardware and Embedded Systems – CHES 2005, volume 3659 of Lecture Notes in Computer Science, pages 201– 210. Springer, Heidelberg, Aug. / Sept. 2005. (Cited on page 27.) and . Bipartite modular multiplication. In and , editors,

[200] A hardware algorithm for modular multiplication/ division. IEEE Transactions on Computers, 54
(1):12–21, 2005. (Cited on page 9.) and .

[201] Analysis of Coppersmith's block Wiedemann algorithm for the parallel solution of sparse linear systems. Mathematics of Computation, 64
(210):777–806, 1995. (Cited on page 187.) .

[202] Multiplication of many-digital numbers by automatic computers. Doklady Akad. Nauk SSSR, 145(2):293–294, 1962. Translation in Physics-Doklady 7, pp. 595–596, 1963. (Cited on pages 15 and 44.) and .

[203] Multiplication algorithms for VLSI – a review. International Journal on Computer Science and Engineerin. (IJCSE), 4(11):1761–1765, nov 2012. (Cited on page 44.) , , , , and .

[204] FC 2011Workshops, volume 7126 of Lecture Notes in Computer Science, pages 27–39. Springer, Heidelberg, Feb. / Mar. 2012. (Cited on page 23.) . Fast elliptic curve cryptography in OpenSSL. In , , and , editors,

[205] Advances in Cryptology – EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pages 523–538. Springer, Heidelberg, May 2000. (Cited on page 37.) , , , and . Cox-Rower architecture for fast parallelMontgomery multiplication. In , editor,

[206] On polynomial selection for the general number field sieve. Mathematics of Computation, 75
(256):2037–2047, 2006. (Cited on page 173.) .

[207] 200. (accessed May 4, 2017). (Cited on page 173.) . Polynomial selection, presented at the CADO workshop. See http://cado.gforge.inria.fr/workshop/slides/kleinjung.pdf,

[208] Quadratic sieving. Mathematics of Computation, 85:1861–1873, 2016. (Cited on page 137.) .

[209] Advances in Cryptology – CRYPTO 2010, volume 6223 of Lecture Notes in Computer Science, pages 333–350. Springer, Heidelberg, Aug. 2010. (Cited on pages 4, 7, 117, 153, and 176.) , , , , E. Thomé, J.W. Bos, P. Gaudry, A. Kruppa, , , , , and . Factorization of a 768-bit RSA modulus. In , editor,

[210] Advances in Cryptology – ASIACRYPT 2014, Part I, volume 8873 of Lecture Notes in Computer Science, pages 358–377. Springer, Heidelberg, Dec. 2014. (Cited on pages 117, 126, 146, 152, 158, and 159.) , , and . Mersenne factorization factory. In and , editors,

[211] A heterogeneous computing environment to solve the 768-bit RSA challenge. Cluster Computing. (15):53–68, 2012. (Cited on pages 4 and 7.) , , , , , , , , , , , , , and .

[212] Eurocrypt 2017, Part I, volume 10210 of Lecture Notes in Computer Science, pages 178–194. Springer, Heidelberg, 2017. (Cited on page 153.) , , , , and . Computation of a 768-bit prime field discrete logarithm. In and , editors,

[213] Faster interleaved modular multiplication based on Barrett and Montgomery reduction methods. IEEE Transactions on Computers, 59
(12):1715–1721, 2010. (Cited on page 48.) , , and .

[214] Arithmetic of Finite Fields –WAIFI, volume 6087 of Lecture Notes in Computer Science, pages 166– 179. Springer, 2010. (Cited on page 24.) , , and . Speeding up bipartite modular multiplication. In and , editors,

[215] Seminumerical Algorithms. The Art of Computer Programming. Addison-Wesley, Reading, Massachusetts, USA, 3rd edition, 1997. (Cited on page 11.) .

[216] Advances in Cryptology – EUROCRYPT'99, volume 1592 of Lecture Notes in Computer Science, pages 176–189. Springer, Heidelberg, May 1999. (Cited on pages 215 and 216.) , , , and . Fast elliptic curve algorithm combining Frobenius map and table reference to adapt to higher characteristic. In , editor,

[217] Elliptic curve cryptosystems. Mathematics of Computation, 48
(177):203–209, 1987. (Cited on pages 22, 40, and 93.) .

[218] 10th IMA International Conference on Cryptography and Coding, volume 3796 of Lecture Notes in Computer Science, pages 13–36. Springer, Heidelberg, Dec. 2005. (Cited on page 215.) and . Pairing-based cryptography at high security level. (invited paper). In , editor,

[219] Montgomery multiplication in GF(2k). Designs, Codes and Cryptography, 14
(1):57–69, 1998. (Cited on pages 21 and 40.) and .

[220] Advances in Cryptology – CRYPTO'96, volume 1109 of Lecture Notes in Computer Science, pages 104–113. Springer, Heidelberg, Aug. 1996. (Cited on pages 77 and 79.) . Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In , editor,

[221] Advances in Cryptology – CRYPTO'99, volume 1666 of Lecture Notes in Computer Science, pages 388–397. Springer, Heidelberg, Aug. 1999. (Cited on pages 12, 19, and 77.) , , and . Differential power analysis. In , editor,

[222] A systolic, linear-array multiplier for a class of right-shift algorithms. IEEE Transactions on Computers, 43
(8):892–898, 1994. (Cited on page 76.) .

[223] Cryptographic Hardware and Embedded Systems – CHES 2006, volume 4249 of Lecture Notes in Computer Science, pages 430–444. Springer, Heidelberg, Oct. 2006. (Cited on page 40.) , , , , , , and . Hardware/software co-design of elliptic curve cryptography on an 8051 microcontroller. In and , editors,

[224] Théorie des nombres, Tome II. Gauthiers-Villars, Paris, 1926. (Cited on page 117.) .

[225] Recherches sur le théorie des nombres, Tome II. Gauthiers-Villars, Paris, 1929. (Cited on page 117.) .

[226] Advances in Cryptology – CRYPTO'90, volume 537 of Lecture Notes in Computer Science, pages 109–133. Springer, Heidelberg, Aug. 1991. (Cited on pages 7, 123, 176, and 179.) and . Solving large sparse linear systems over finite fields. In and , editors,

[227] PAIRING 2010: 4th International Conference on Pairing-based Cryptography, volume 6487 of Lecture Notes in Computer Science, pages 1–20. Springer, Heidelberg, Dec. 2010. (Cited on pages 4, 8, and 206.) , , and . An analysis of affine coordinates for pairing computation. In , , and , editors,

[228] Proceedings of the 39th International Symposium on Symbolic and Algebraic Computation, ISSAC 14, pages 296–303, New York, NY, USA, 2014. ACM. (Cited on page 123.) . Powers of tensors and fast matrix multiplication. In

[229] . Proof of the factorization of the Scientific American challenge. http://www.joppebos.com/petmon/chap5_fig.pdf. (Cited on page 135.)

[230] Fast and rigorous factorization under the generalized Riemann hypothesis. IndagationesMathematicae, 50:443–454, 1988. (Cited on page 160.) .

[231] Advances in Cryptology – ASIACRYPT'98, volume 1514 of Lecture Notes in Computer Science, pages 1–10. Springer, Heidelberg, Oct. 1998. (Cited on page 24.) . Generating RSA moduli with a predetermined portion. In and , editors,

[232] Factoring polynomials with rational coefficients.
Mathematische Annalen, 261
(4):515–534, 1982. (Cited on pages 157 and 167.) , , and .

[233] Handbook of Theoretical Computer Scienc. (Volume A: Algorithms and Complexity), pages 673–715. Elsevier and MIT Press, 1990. (Cited on pages 119, 121, 123, 136, 137, 140, and 160.) and . Algorithms in number theory. In , editor,

[234] The Development of the Number Field Sieve, volume 1554 of Lecture Notes in Mathematics. Springer-Verlag, 1993. (Cited on pages 6, 116, 139, 239, 241, 243, 252, and 255.) and .

[235] 1989. (Cited on pages 7, 139, 141, 142, 143, 145, 146, 147, 148, 152, and 154.) , , , and . The number field sieve. pages 11–42 in [234],

[236] The factorization of the ninth Fermat number. Mathematics of Computation, 61(203):319– 349, 1993. (Cited on pages 125, 141, 146, and 148.) , ., , and .

[237] Advances in Cryptology – EUROCRYPT' 89, volume 434 of Lecture Notes in Computer Science, pages 355–371. Springer, Heidelberg, Apr. 1990. (Cited on pages 116, 135, 136, and 138.) and . Factoring by electronic mail. In and , editors,

[238] Factoring with two large primes. Mathematics of Computation, 63:785–798, 1994. (Cited on pages 132 and 137.) and .

[239] Factoring integers with elliptic curves. Annals of Mathematics, 126
(3):649–673, 1987. (Cited on pages 6, 8, 116, 121, and 189.) .

[240] A rigorous time bound for factoring integers. Journal of the AmericanMathematical Society, 5:483–516, 1992. (Cited on page 160.) . and .

[241] Algorithmic Number Theory, 5th International Symposium, ANTS-V, volume 2369 of Lecture Notes in Computer Science, pages 446–460. Springer, 2002. (Cited on page 137.) , , , , and . MPQS with three large primes. In and , editors,

[242] AFRICACRYPT 14: 7th International Conference on Cryptology in Africa, volume 8469 of Lecture Notes in Computer Science, pages 215–234. Springer, Heidelberg, May 2014. (Cited on pages 44 and 47.) and . New speed records for Montgomery modular multiplication on 8-bit AVR microcontrollers. In and , editors,

[243] Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Transactions on Information Theory, 39
(5):1639–1646, 1993. (Cited on pages 206 and 213.) , , and .

[244] Improving digital computer performance using residue number theory. Electronic Computers, IEEE Transactions on, EC-13(2):93–101, April 1964. (Cited on page 36.) .

[245] Cryptographic Hardware and Embedded Systems – CHES'99, volume 1717 of Lecture Notes in Computer Science, pages 144–157. Springer, Heidelberg, Aug. 1999. (Cited on page 77.) , , and . Power analysis attacks of modular exponentiation in smartcards. In and , editors,

[246] Cryptographic Hardware and Embedded Systems – CHES 2014, volume 8731 of Lecture Notes in Computer Science, pages 335–352. Springer, Heidelberg, Sept. 2014. (Cited on page 152.) , , , and . Cofactorization on graphics processing units. In and , editors,

[247] Advances in Cryptology – CRYPTO'85, volume 218 of Lecture Notes in Computer Science, pages 417–426. Springer, Heidelberg, Aug. 1986. (Cited on pages 22, 40, 93, and 95.) . Use of elliptic curves in cryptography. In , editor,

[248] TheWeil pairing, and its efficient calculation. Journal of Cryptology, 17(4):235–261, Sept. 2004. (Cited on pages 8 and 210.) .

[249] SAC 2001: 8th Annual International Workshop on Selected Areas in Cryptography, volume 2259 of Lecture Notes in Computer Science, pages 165–180. Springer, Heidelberg, Aug. 2001. (Cited on page 229.) . Algorithms for multi-exponentiation. In and , editors,

[250] Evaluation of boolean expressions on one's complement machines. SIGPLAN Notices, 13:60–72, 1978. (Cited on page 1.) .

[251] Modular multiplication without trial division. Mathematics of Computation, 44(170):519–521, April 1985. (Cited on pages 4, 5, 10, 13, 15, 17, 40, 42, and 81.) .

[252] Speeding the Pollard and elliptic curve methods of factorization. Mathematics of Computation, 48
(177):243–264, 1987. (Cited on pages 5, 6, 8, 83, 85, 189, 197, 207, and 218.) .

[253] 1992. https://cr.yp.to/bib/1992/montgomery-lucas.pdf. (accessed May 4, 2017). (Cited on pages 85, 87, 111, 114, and 115.) . Evaluating recurrences of form Xm+n = f (Xm, Xn, Xmn) via Lucas chains,

[254] An FFT extension of the elliptic curvemethod of factorization. PhD thesis, University of California, 1992. (Cited on pages 2, 8, 94, 189, 190, 193, 194, 196, 197, and 198.) .

[255] Square roots of products of algebraic numbers. Mathematics of Computation 1943-1993: A Half-Century of Computational Mathematics, 48:567–571, 1994. (Cited on pages 7 and 157.) .

[256] A survey of modern integer factorization algorithms. CWI Quarterly, 7(4):337–366, December 1994. (Cited on page 168.) .

[257] Advances in Cryptology – EUROCRYPT'95, volume 921 of Lecture Notes in Computer Science, pages 106– 120. Springer, Heidelberg,May 1995. (Cited on pages 7, 123, 179, 180, 183, 184, and 186.) . A block Lanczos algorithm for finding dependencies over GF(2). In and , editors,

[258] 2000. (Cited on page 186.) . Parallel block Lanczos, 2000. Slides of presentation at RSA- 2000, dated January 17,

[259] Five, six, and seven-term Karatsuba-like formulae. IEEE Transactions on Computers, 54
(3):362–369, 2005. (Cited on pages 4 and 217.) .

[260] 2006. (Cited on page 168.) . Searching for higher-degree polynomials for the general number field sieve. helper.ipam.ucla.edu/publications/scws1/scws1_6223.ppt, October

[261] Algorithmic Number Theory – ANTS-VIII, volume 5011 of Lecture Notes in Computer Science, pages 180–195. Springer, 2008. (Cited on pages 4, 8, 189, 200, 201, 202, and 204.) and . Improved stage 2 to P±1 factoring algorithms. In and , editors,

[262] The period of the Bell numbers modulo a prime. Mathematics of Computation, 79
(271):1793–1800, 2010. (Cited on page 4.) , , and .

[263] An FFT extension to th. p 1 factoring algorithm. Mathematics of Computation, 54
(190):839–854, 1990. (Cited on pages 8, 189, 190, and 200.) and .

[264] Amethod of factoring and the factorization of F7. Mathematics of Computation, 29
(129):183–205, 1975. (Cited on pages 116, 117, 127, and 128.) and .

[265] 11th IMA International Conference on Cryptography and Coding, volume 4887 of Lecture Notes in Computer Science, pages 364–383. Springer, Heidelberg, Dec. 2007. (Cited on page 37.) , , and . Toward acceleration of RSA using 3D graphics hardware. In , editor,

[266] Polynomial selection for the number field sieve integer factorisation algorithm. PhD thesis, Australian National University, 1999. (Cited on pages 6, 171, and 172.) .

[267] National Institute of Standards and Technolog. (NIST). Digital signature standard (dss). Technical Report FIPS Publication 186-4, July 2013. (Cited on page 40.)

[268] National Security Agenc. (NSA). Compromising emanations laboratory test requirements, electromagnetics (u). Technical Report National COMSEC Information Memorandum (NACSIM) 5100A, NSA, 1981. (Classified). (Cited on page 76.)

[269] ANTS, volume 1423 of Lecture Notes in Computer Science, pages 151–168. Springer, 1998. (Cited on page 157.) . A Montgomery-like square root for the number field sieve. In , editor,

[270] Advances in Cryptology – EUROCRYPT'84, volume 209 of Lecture Notes in Computer Science, pages 224–314. Springer, Heidelberg, Apr. 1985. (Cited on pages 123 and 140.) . Discrete logarithms in finite fields and their cryptographic significance. In , , and , editors,

[271] Cryptographic Hardware and Embedded Systems – CHES 2001, volume 2162 of Lecture Notes in Computer Science, pages 348–363. Springer, Heidelberg, May 2001. (Cited on page 61.) and . A scalable GF(p) elliptic curve processor architecture for programmable hardware. In
, editors,

[272] Fast Software Encryption – FSE 2010, volume 6147 of Lecture Notes in Computer Science, pages 75–93. Springer, Heidelberg, Feb. 2010. (Cited on page 32.) , , , and . Fast software AES encryption. In and , editors,

[273] IEEE High Performance Extreme Computing Conferenc. (HPEC), pages 1–6. IEEE, 2013. (Cited on page 56.) , , , , and . SIMD acceleration of modular arithmetic on contemporary embedded platforms. In

[274] Parallel cryptographic arithmetic using a redundant Montgomery representation. IEEE Trans. Computers, 53
(11):1474–1482, 2004. (Cited on page 27.) and .

[275] A look-ahead Lanczos algorithm for unsymmetric matrices. Mathematics of Computation, 44(169):105–124, Jan. 1985. (Cited on pages 179 and 180.) , , and .

[276] Advances in Cryptology – CRYPTO'92, volume 740 of Lecture Notes in Computer Science, pages 324–332. Springer, Heidelberg, Aug. 1993. (Cited on page 137.) . A quadratic sieve on the n-dimensional cube. In , editor,

[277] Highly parallel modular multiplication in the residue number system using sum of residues reduction. Appl. Algebra Eng. Commun. Comput., 21
(3):249–255, 2010. (Cited on page 37.) , , and .

[278] Theorems on factorization and primality testing. Proceedings of the Cambridge Philosophical Society, 76:521–528, 1974. (Cited on pages 8, 116, 189, 190, 199, and 200.) .

[279] A Monte Carlo method for factorization. BIT Numerical Mathematics, 15
(3):331–334, 1975. (Cited on pages 116 and 121.) .

[280] 1988. (Cited on pages 138, 139, 145, 146, and 147.) . Factoring with cubic integers. pages 4–10 in [234],

[281] 1990. (Cited on pages 7, 148, and 149.) . The lattice sieve. pages 43–49 in [234],

[282] Computational methods in number theory I, volume 154 of Mathematical Centre Tracts, pages 89–139, Amsterdam, 1982. Mathematisch Centrum. (Cited on pages 6, 119, 126, 131, 132, and 137.) . Analysis and comparison of some integer factoring algorithms. In . , editors,

[283] 1987. (Cited on pages 121 and 160.) . Fast, rigorous factorization and discrete logarithm algorithms. pages 119–143 in [193],

[284] 1988. Private communication. (Cited on page 135.) , October

[285] A tale of two sieves. Notices of the AMS, 43(12):1473–1485, December 1996. (Cited on page 117.) .

[286] and . Reduction of huge, sparse matrices over finite

[287] A pipeline architecture for factoring large integers with the quadratic sieve algorithm. SIAM j. Comput., 17:387–403, 1988. (Cited on pages 6 and 137.) , , and .

[288] Advances in Cryptology – CRYPTO'83, pages 81– 85. Plenum Press, New York, USA, 1983. (Cited on page 127.) , , and . New ideas for factoring large integers. In , editor,

[289] Computing, 50
(2):93–104, 1993. (Cited on page 36.) and . Base extension using a convolution sum in residue number systems.

[290] Modulo reduction in residue number systems. IEEE Trans. Parallel Distrib. Syst., 6
(5):449–454, 1995. (Cited on page 36.) and .

[291] Non-linear polynomial selection for the number field sieve. J. Symb. Comput., 47
(4):401–409, 2012. (Cited on page 168.) and .

[292] Pacific-Asia Conference on Circuits, Communications and Systems, pages 614–616. IEEE, 2009. (Cited on page 20.) and . Montgomery exponentiation with no final comparisons: Improved results. In

[293] Smart Card Programming and Security, E-smart 2001, Cannes, France, September 19-21, 2001, volume 2140 of LNCS, pages 200–210. Springer-Verlag, 2001. (Cited on page 77.) and . Electromagnetic analysi. (EMA): measures and counter-measures for smart cards. In and , editors,

[294] A method for obtaining digital signature and public-key cryptosystems. Communications of the Association for Computing Machinery, 21
(2):120–126, 1978. (Cited on pages 17, 20, 40, 117, 119, and 131.) , , and .

[295] 2015. Private communication. (Cited on page 1.) , November

[296] Advances in Cryptology – EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science, pages 457–473. Springer, Heidelberg, May 2005. (Cited on page 206.) and . Fuzzy identity-based encryption. In , editor,

[297] 2000. (Cited on page 206.) , , and . Cryptosystems based on pairing. In 2000 Symposium on Cryptography and Information Security – SCIS 2000,

[298] Cryptographic Hardware and Embedded Systems – CHES 2000, volume 1965 of Lecture Notes in Computer Science, pages 277–292. Springer, Heidelberg, Aug. 2000. (Cited on pages 40 and 67.) , , and . A scalable and unified multiplier architecture for finite fields GF(p) and GF(2m). In and , editors,

[299] 2015. Private communication. (Cited on page 3.) , November

[300] Cryptographic Hardware and Embedded Systems – CHES 2000, volume 1965 of Lecture Notes in Computer Science, pages 109–124. Springer, Heidelberg, Aug. 2000. (Cited on page 77.) . A timing attack against RSA with the Chinese remainder theorem. In and , editors,

[301] Schnelle multiplikation großer zahlen. Computing, 7(3-4):281–292, 1971. (Cited on page 15.) and .

[302] Computational methods in number theory II, volume 155 of Mathematical Centre Tracts, pages 235–286, Amsterdam, 1982. Mathematisch Centrum. (Cited on page 118.) . Quadratic fields and factorization. In
and , editors,

[303] 2015. Private communication. (Cited on pages 9, 116, 129, 130, 131, and 132.) , April

[304] Accelerating elliptic curve calculations with the reciprocal sharing trick. Mathematics of Public-Key Cryptograph. (MPKC), University of Illinois at Chicago, 2003. (Cited on page 225.) and .

[305] Topics in Cryptology – CT-RSA 2005, volume 3376 of Lecture Notes in Computer Science, pages 293–304. Springer, Heidelberg, Feb. 2005. (Cited on page 227.) . Computing the Tate pairing. In , editor,

[306] Cryptography and Coding – IMACC, volume 7089 of Lecture Notes in Computer Science, pages 296–308. Springer, 2011. (Cited on page 227.) . On the efficient implementation of pairing-based protocols. In , editor,

[307] Pairing-Based Cryptography - Pairing 2009, Third International Conference, Palo Alto, CA, USA, August 12-14, 2009, Proceedings, volume 5671 of Lecture Notes in Computer Science, pages 78–88. Springer, 2009. (Cited on page 211.) , , , , and . On the final exponentiation for calculating pairings on ordinary elliptic curves. In and , editors,

[308] Information Security and Cryptology – ICISC 2014, volume 8949 of Lecture Notes in Computer Science, pages 328–342. Springer, 2015. (Cited on pages 26 and 47.) , , , , and . Montgomery modular multiplication on ARM-NEON revisited. In and , editors,

[309] A probabilistic factorization algorithm with quadratic forms of negative discriminant. Mathematics of Computation, 48:757–780, 1987. (Cited on pages 128 and 160.) .

[310] 11th Symposium on Computer Arithmetic, pages 252–259. IEEE Computer Society, 1993. (Cited on pages 12 and 20.) and . Fast implementations of RSA cryptography. In , , and , editors,

[311] Symposia in Pure Mathematics, volume 20, pages 415–440. American Mathematical Society, 1971. (Cited on page 118.) . Class number, a theory of factorization, and genera. In , editor,

[312] Fast base extension using a redundant modulus in RNS. Computers, IEEE Transactions on, 38
(2):292–297, 1989. (Cited on page 36.) and .

[313] Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing, 26
(5):1484–1509, 1997. (Cited on page 153.) .

[314] The Arithmetic of Elliptic Curves, volume 106 of Graduate texts in mathematics. Springer-Verlag, 1986. (Cited on page 208.) .

[315] The multiple polynomial quadratic sieve. Mathematics of Computation, 48:329–339, 1987. (Cited on pages 6, 134, and 136.) fields via created catastrophes. Experiment. Math., 1:89–94, 1992. (Cited on pages 7, 123, 124, and 125.) .

[316] Generalized Mersenne numbers. Technical Report CORR 99– 39, Centre for Applied Cryptographic Research, University of Waterloo, 1999. (Cited on page 22.) .

[317] 2003. https://dx.doi.org/10.6100/IR564670. (Cited on pages 108, 114, and 115.) . Speeding up subgroup cryptosystems. PhD thesis, Technische Universiteit Eindhoven,

[318] Advances in Cryptology – CRYPTO 2009, volume 5677 of Lecture Notes in Computer Science, pages 55–69. Springer, Heidelberg, Aug. 2009. (Cited on page 32.) , , , , , , and . Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. In , editor,

[319] Gaussian elimination is not optimal. Numer. Math., 13:354–356, 1969. (Cited on page 123.) .

[320] An algorithm for division. Information processing machines, 9(25- 34):28, 1963. (Cited on page 24.) .

[321] Residue arithmetic and its applications to computer technology. McGraw-Hill, 1967. (Cited on pages 36 and 37.) and .

[322] Cryptographic Hardware and Embedded Systems – CHES 2008, volume 5154 of Lecture Notes in Computer Science, pages 79–99. Springer, Heidelberg, Aug. 2008. (Cited on page 37.) and . Exploiting the power of GPUs for asymmetric cryptography. In and , editors,

[323] International conference on Computer-aided design – ICCAD 2005, pages 111–117. IEEE Computer Society, 2005. (Cited on page 32.) , , , , , , , , , , , , and . The circuit design of the synergistic processor element of a Cell processor. In

[324] WAIFI, volume 7369 of Lecture Notes in Computer Science, pages 208–224. Springer, 2012. (Cited on pages 156 and 157.) . Square root algorithms for the number field sieve. In and , editors,

[325] European Solid-State Circuits Conference – ESSCIRC 2002, Florence, 24–26 Sept. 2002, pages 403–406. Università di Bologna, 2002. (Cited on page 81.) , , and . A dynamic and differential CMOS logic with signal independent power consumption towithstand differential power analysis on smart cards. In

[326] Design, Automation and Test in Europe Conference and Exposition –. (DATE 2004), Paris, 16–20 February 2004, pages 246–251. IEEE, 2004. (Cited on page 81.) and . A logic level design methodology for a secure DPA resistant ASIC or FPGA implementation. In

[327] The complexity of a scheme of functional elements realizing the multiplication of integers. Soviet Mathematics Doklady, 3
(4):714–716, 1963. (Cited on page 15.) .

[328] Computing short Lucas chains for elliptic curve cryptosystems. IEICE Transactions on Fundamentals, E84-A(5):1227–1233, 2001. (Cited on pages 113 and 115.) .

[329] 421191. (Abstract). (Cited on page 76.) . Portable data carrier including a microprocessor. US Patent and Trademark Office, July 8 1980. US Patent No.

[330] U.S. Department of Commerce/National Institute of Standards and Technology. Digital Signature Standar. (DSS). FIPS-186-4, 2013. http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf (accessed May 4, 2017). (Cited on page 22.)

[331] Generation of elements with small modular squares and provably fast integer factoring algorithms. Mathematics of Computation, 56:823–849, 1991. (Cited on page 160.) .

[332] Electromagnetic radiation from video display units: An eavesdropping risk?
Computers and Security, 4(4):269–286, Dec. 1985. (Cited on page 76.) .

[333] Optimal pairings. IEEE Transactions on Information Theory, 56
(1):455–461, 2010. (Cited on page 212.) .

[334] Fast modular multiplication using 2-power radix. International J. Computer Mathematics, 39(1-2):21–28, 1991. (Cited on page 48.) .

[335] Advances in Cryptology – CRYPTO'91, volume 576 of Lecture Notes in Computer Science, pages 313–323. Springer, Heidelberg, Aug. 1992. (Cited on page 65.) . Faster modular multiplication by operand scaling. In , editor,

[336] Systolic modular multiplication. IEEE Transactions on Computers, 42(3):376–378, Mar. 1993. (Cited on pages 27, 67, 68, 69, and 76.) .

[337] Montgomery exponentiation needs no final subtractions. Electronics Letters, 35(21):1831–1832, Oct. 1999. (Cited on pages 20 and 79.) .

[338] An improved linear systolic array for fast modular exponentiation. IEE Computers and Digital Techniques, 147(5):323–328, Sept. 2000. (Cited on pages 75 and 76.) .

[339] Cryptographic Hardware and Embedded Systems – CHES 2001, volume 2162 of Lecture Notes in Computer Science, pages 286–299. Springer, Heidelberg, May 2001. (Cited on page 80.) . Sliding windows succumbs to big mac attack. In . , and , editors,

[340] Topics in Cryptology – CT-RSA 2002, volume 2271 of Lecture Notes in Computer Science, pages 30–39. Springer, Heidelberg, Feb. 2002. (Cited on pages 20, 78, and 79.) . Precise bounds for Montgomery modular multiplication and some potentially insecure RSA moduli. In , editor,

[341] SAC 2003: 10th Annual International Workshop on Selected Areas in Cryptography, volume 3006 of Lecture Notes in Computer Science, pages 42–57. Springer, Heidelberg, Aug. 2004. (Cited on pages 78 and 79.) . Longer keys may facilitate side channel attacks. In and , editors,

[342] Topics in Cryptology – CTRSA 2001, volume 2020 of Lecture Notes in Computer Science, pages 192–207. Springer, Heidelberg, Apr. 2001. (Cited on pages 20, 21, and 77.) and S.|Thompson. Distinguishing exponent digits by observing modular subtractions. In , editor,

[343] 1998. (Cited on page 145.) . Computing discrete logarithms with quadratic number rings. In EUROCRYPT'98, pages 171–183,

[344] SAC 2014: 21st Annual InternationalWorkshop on Selected Areas in Cryptography, volume 8781 of Lecture Notes in Computer Science, pages 363–379. Springer, Heidelberg, Aug. 2014. (Cited on page 9.) and . Solving the discrete logarithm of a 113-bit Koblitz curve with an FPGA cluster. In and , editors,

[345] Tables of indices and primitive roots. Royal Society Mathematical Tables, vol 9, Cambridge University Press, 1968. (Cited on pages 117, 139, and 140.) and .|Miller.

[346] WhatsApp Inc. WhatsApp website, 2017. (Cited on page 94.)

[347] Solving sparse linear equations over finite fields. IEEE Trans. Inform. Theory, IT-32(1):54–62, Jan. 1986. (Cited on pages 123 and 176.) .

[348] p + 1 method of factoring. Mathematics of Computation, 39
(159):225–234, 1982. (Cited on pages 116, 191, and 199.) .

[349] Algorithmic Number Theory – ANTS-VII, volume 4076 of Lecture Notes in Computer Science, pages 525–542. Springer-Verlag. Erratum: http://www.loria.fr/∼zimmerma/papers/, 2006. (Cited on pages 189, 190, 191, and 197.) and . 20 years of ECM. In , , and , editors,

* Views captured on Cambridge Core between 25th October 2017 - 24th February 2018. This data will be updated every 24 hours.