Book contents
- Frontmatter
- Contents
- Preface
- Acknowledgements
- 1 Introduction
- PART I BACKGROUND
- PART II ALGEBRAIC GROUPS
- PART III EXPONENTIATION, FACTORING AND DISCRETE LOGARITHMS
- PART IV LATTICES
- PART V CRYPTOGRAPHY RELATED TO DISCRETE LOGARITHMS
- PART VI CRYPTOGRAPHY RELATED TO INTEGER FACTORISATION
- PART VII ADVANCED TOPICS IN ELLIPTIC AND HYPERELLIPTIC CURVES
- Appendix A Background mathematics
- References
- Author index
- Subject index
- References
References
Published online by Cambridge University Press: 05 June 2012
Book contents
- Frontmatter
- Contents
- Preface
- Acknowledgements
- 1 Introduction
- PART I BACKGROUND
- PART II ALGEBRAIC GROUPS
- PART III EXPONENTIATION, FACTORING AND DISCRETE LOGARITHMS
- PART IV LATTICES
- PART V CRYPTOGRAPHY RELATED TO DISCRETE LOGARITHMS
- PART VI CRYPTOGRAPHY RELATED TO INTEGER FACTORISATION
- PART VII ADVANCED TOPICS IN ELLIPTIC AND HYPERELLIPTIC CURVES
- Appendix A Background mathematics
- References
- Author index
- Subject index
- References
Summary
A summary is not available for this content so a preview has been provided. Please use the Get access link above for information on how to access this content.
- Type
- Chapter
- Information
- Mathematics of Public Key Cryptography , pp. 579 - 602Publisher: Cambridge University PressPrint publication year: 2012
References
[1] , and , DHIES: An Encryption Scheme based on the Diffie–Hellman Problem, Preprint, 2001.
[2] and , A subexponential algorithm for discrete logarithms over all finite fields, Math. Comp. 61(203) (1993), 1–15.Google Scholar
[3] , and , On taking roots in finite fields, Foundations of Computer Science (FOCS), IEEE, 1977, 175–178.Google Scholar
[4] , and , A subexponential algorithm for discrete logarithms over the rational subgroup of the Jacobians of large genus hyperelliptic curves over finite fields. In ANTS I ( and , eds.), LNCS, vol. 877, Springer, 1994, pp. 28–40.Google Scholar
[5] , , and , An implementation for a fast public-key cryptosystem, J. Crypt. 3(2) (1991), 63–79.Google Scholar
[7] , , and , Closest point search in lattices, IEEE Trans. Inf. Theory 48(8) (2002), 2201–2214.Google Scholar
[8] , Solving hidden number problem with one bit oracle and advice. In CRYPTO 2009 (, ed.), LNCS, vol. 5677, Springer, 2009, pp. 337–354.Google Scholar
[9] , , and , RSA and Rabin functions: certain parts are as hard as the whole, SIAM J. Comput. 17(2) (1988), 194–209.Google Scholar
[10] , and , There are infinitely many Carmichael numbers, Ann. of Math. 139(3) (1994), 703–722.Google Scholar
[11] , , , , and , Accelerated verification of ECDSA signatures. In SAC 2005 ( and , eds.), LNCS, vol. 3897, Springer, 2006, pp. 307–318.Google Scholar
[12] , , and , Faster computation of the Tate pairing, J. Number Theory 131(5) (2011), 842–857.Google Scholar
[13] and , Random mappings with constraints on coalescence and number of origins, Pacific J. Math. 103 (1982), 269–294.Google Scholar
[16] , , , , , and , Handbook of Elliptic and Hyperelliptic Cryptography, Chapman & Hall/CRC, 2006.
[17] , On Lovász lattice reduction and the nearest lattice point problem, Combinatorica 6(1) (1986), 1–13.Google Scholar
[18] and , On the complexity of matrix group problems I, Foundations of Computer Science (FOCS) (1996), 229–240.Google Scholar
[19] , Bounds for primality testing and related problems, Math. Comp. 55(191) (1990), 355–380.Google Scholar
[22] and , Sieve algorithms for perfect power testing, Algorithmica 9 (1993), 313–328.Google Scholar
[23] and , On the efficiency of Pollard's rho method for discrete logarithms, CATS 2008 ( and , eds.), Australian Computer Society, 2008, pp. 125–131.Google Scholar
[24] , , , , , , , , , , , , , , , , , , , , , and , Breaking ECC2K-130, Cryptology ePrint Archive, Report 2009/541, 2009.Google Scholar
[25] and , The improbability that an elliptic curve has sub-exponential discrete log problem under the Menezes–Okamoto–Vanstone algorithm, J. Crypt. 11(2) (1998), 141–145.Google Scholar
[26] , , and , Efficient pairing computation on supersingular abelian varieties, Des. Codes Crypt. 42(3) (2007), 239–271.Google Scholar
[27] , , and , Efficient algorithms for pairing-based cryptosystems, CRYPTO 2002 (, ed.), LNCS, vol. 2442, Springer, 2002, pp. 354–369.Google Scholar
[28] and , Pairing-friendly elliptic curves of prime order, SAC 2005 ( and , eds.), LNCS, vol. 3897, Springer, 2006, pp. 319–331.Google Scholar
[29] , Vers une généralisation rigoureuse des méthodes de Coppersmith pour la recherche de petites racines de polynmes, Ph.D. thesis, Université de Versailles Saint-Quentin-en-Yvelines, 2008.
[30] , and , A modular approach to the design and analysis of authentication and key exchange protocols, Symposium on the Theory of Computing (STOC), ACM, 1998, pp. 419–428.Google Scholar
[31] , and , Fast batch verification for modular exponentiation and digital signatures, EUROCRYPT 1998 (, ed.), LNCS, vol. 1403, Springer, 1998, pp. 236–250.Google Scholar
[32] , and , “Pseudo-Random” number generation within cryptographic algorithms: the DSS case, CRYPTO 1997 (, ed.), LNCS, vol. 1294, Springer, 1997, pp. 277–291.Google Scholar
[33] and , Multi-signatures in the plain public-key model and a general forking lemma, CCS 2006 (, and , eds.), ACM, 2006, pp. 390–399.Google Scholar
[34] , and , Authenticated key exchange secure against dictionary attacks, EUROCRYPT 2000 (, ed.), LNCS, vol. 1807, Springer, 2000, pp. 139–155.Google Scholar
[35] and , Random oracles are practical: a paradigm for designing efficient protocols, CCS 1993, ACM, 1993, pp. 62–73.Google Scholar
[36] Entity authentication and key distribution, CRYPTO 1993 (, ed.), LNCS, vol. 773, Springer, 1994, pp. 232–249.Google Scholar
[37] Optimal asymmetric encryption – how to encrypt with RSA, EUROCRYPT 1994 (, ed.), LNCS, vol. 950, Springer, 1995, pp. 92–111.Google Scholar
[38] The exact security of digital signatures – how to sign with RSA and Rabin. In EUROCRYPT 1996 (, ed.), LNCS, vol. 1070, Springer, 1996, pp. 399–416.Google Scholar
[39] , The equivalence between the DHP and DLP for elliptic curves used in practical applications, revisited. In IMA Cryptography and Coding (, ed.), LNCS, vol. 3796, Springer, 2005, pp. 376–391.Google Scholar
[40] , Theoretical and practical efficiency aspects in cryptography, Ph.D. thesis, University of Bristol, 2008.
[42] , and , On the correct use of the negation map in the Pollard rho method. In PKC 2011 (, , , and , eds.), LNCS, vol. 6571, Springer, 2011, pp. 128–146.Google Scholar
[43] , and , Curve 25519: New Diffie–Hellman speed records. In PKC 2006 (, , and , eds.), LNCS, vol. 3958, Springer, 2006, pp. 207–228.Google Scholar
[44] , and , Proving tight security for Rabin–Williams signatures. In EUROCRYPT 2008 (, ed.), LNCS, vol. 4965, Springer, 2008, pp. 70–87.Google Scholar
[46] , , , and , Twisted Edwards curves. In Africacrypt 2008 (, ed.), LNCS, vol. 5023, Springer, 2008, pp. 389–405.Google Scholar
[47] , , and , ECM using Edwards Curves, Cryptology ePrint Archive, Report 2008/016, 2008.
[49] and , Explicit Formulas Database, 2007 (www.hyperelliptic.org/EFD).
[50] Faster addition and doubling on elliptic curves. In ASIACRYPT 2007 (, ed.), LNCS, vol. 4833, Springer, 2007, pp. 29–50.
[51] Analysis and optimization of elliptic-curve single-scalar multiplication, Contemporary Mathematics 461 (2008), 1–19.Google Scholar
[52] Type-II optimal polynomial bases. In WAIFI 2010 ( and , eds.), LNCS, vol. 6087, Springer, 2010, pp. 41–61.Google Scholar
[53] , and , Binary Edwards curves. In CHES 2008, ( and , eds.), LNCS, vol. 5154, Springer, 2008, pp. 244–265.Google Scholar
[54] and , Computing the endomorphism ring of an ordinary elliptic curve over a finite field, J. Number Theory 131(5) (2011), 815–831.Google Scholar
[55] and , The number of partitions in Pollard rho, unpublished manuscript, 1998.
[56] and , Baby-step–giant-step algorithms for non-uniform distributions. In ANTS IV (, ed.), LNCS, vol. 1838, Springer, 2000, pp. 153–168.Google Scholar
[57] , , and , Computing logarithms in finite fields of characteristic two, SIAM J. Algebraic and Discrete Methods 5(2) (1984), 272–285.Google Scholar
[58] and , On the complexity of the discrete logarithm and Diffie–Hellman problems, J. Complexity 20(2–3) (2004), 148–170.Google Scholar
[59] , and , On the bit security of the Diffie–Hellman key, Appl. Algebra Eng. Commun. Comput. 16(6) (2006), 397–404.Google Scholar
[60] , and , Elliptic Curves in Cryptography, Cambridge University Press, 1999.
[61] , and , Advances in Elliptic Curve Cryptography, Cambridge University Press, 2005.Google Scholar
[62] , Generating ElGamal signatures without knowing the secret key, EUROCRYPT 1996 (, ed.), LNCS, vol. 1070, Springer, 1996, pp. 10–18.Google Scholar
[63] , Compressing Rabin signatures. In CT-RSA 2004 (, ed.), LNCS, vol. 2964, Springer, 2004, pp. 126–128.Google Scholar
[64] and , New attacks on RSA with small secret CRT-exponents. In PKC 2006 (, , and , eds.), LNCS, vol. 3958, Springer, 2006, pp. 1–13.Google Scholar
[65] and , Noisy polynomial interpolation and noisy Chinese remaindering. In EUROCRYPT 2000 (, ed.), LNCS, vol. 1807, Springer, 2000, pp. 53–69.Google Scholar
[66] and , Low secret exponent RSA revisited. In Cryptography and Lattices (CaLC) (, ed.), LNCS, vol. 2146, Springer, 2001, pp. 4–19.Google Scholar
[67] and , A tool kit for finding small roots of bivariate polynomials over the integers. In EUROCRYPT 2005 (, ed.), LNCS, vol. 3494, Springer, 2005, pp. 251–267.Google Scholar
[68] and , How to generate cryptographically strong sequences of pseudo-random bits, SIAM J. Comput. 13(4) (1984), 850–864.Google Scholar
[69] , Simplified OAEP for the RSA and Rabin functions. In CRYPTO 2001 (, ed.), LNCS, vol. 2139, Springer, 2001, pp. 275–291.Google Scholar
[70] , Finding smooth integers in short intervals using CRT decoding, J. Comput. Syst. Sci. 64(4) (2002), 768–784.Google Scholar
[71] and , Short signatures without random oracles. In EUROCRYPT 2004 ( and , eds.), LNCS, vol. 3027, Springer, 2004, pp. 56–73.Google Scholar
[72] and , Short signatures without random oracles and the SDH assumption in bilinear groups, J. Crypt. 21(2) (2008), 149–177.Google Scholar
[73] and , Cryptanalysis of RSA with private key d less than N0.292, IEEE Trans. Inf. Theory 46(4) (2000), 1339–1349.Google Scholar
[74] , and , Factoring N = pr q for large r. In CRYPTO 1999 (, ed.), LNCS, vol. 1666, Springer, 1999, pp. 326–337.Google Scholar
[75] and , Identity based encryption from the Weil pairing. In CRYPTO 2001 (, ed.), LNCS, vol. 2139, Springer, 2001, pp. 213–229.Google Scholar
[76] and , Identity based encryption from theWeil pairing, SIAM J. Comput. 32(3) (2003), 586–615.Google Scholar
[77] , and , Why textbook ElGamal and RSA encryption are insecure. In ASIACRYPT 2000 (, ed.), LNCS, vol. 1976, Springer, 2000, pp. 30–43.Google Scholar
[78] and , Algorithms for black-box fields and their application to cryptography. In CRYPTO 1996 (, ed.), LNCS, vol. 1109, Springer, 1996, pp. 283–297.Google Scholar
[79] and , On the unpredictability of bits of the elliptic curve Diffie–Hellman scheme. In CRYPTO 2001 (, ed.), LNCS, vol. 2139, Springer, 2001, pp. 201–212.Google Scholar
[80] and , Hardness of computing the most significant bits of secret keys in Diffie–Hellman and related schemes. In CRYPTO 1996 (, ed.), LNCS, vol. 1109, Springer, 1996, pp. 129–142.Google Scholar
[81] and , Rounding in lattices and its cryptographic applications. In Symposium on Discrete Algorithms (SODA), ACM/SIAM, 1997, pp. 675–681.Google Scholar
[82] and , Breaking RSA may not be equivalent to factoring. In EUROCRYPT 1998 (, ed.), LNCS, vol. 1403, Springer, 1998, pp. 59–71.Google Scholar
[83] and , The Computational Complexity of Algebraic and Numeric Problems, Elsevier, 1975.Google Scholar
[85] , and , Pollard rho on the Playstation 3, Handouts of SHARCS 2009, 2009, pp. 35–50.
[86] , and , On the use of the negation map in the Pollard rho method. In ANTS IX (, and , eds.), LNCS, vol. 6197, Springer, 2010, pp. 66–82.Google Scholar
[87] and , Complete systems of two addition laws for elliptic curves, J. Number Theory 53 (1995), 229–240.Google Scholar
[88] , , and , Fast algorithms for computing isogenies between elliptic curves, Math. Comp. 77(263) (2008), 1755–1778.Google Scholar
[89] and , Protocols for authentication and key establishment, Information Security and Cryptography, Springer, 2003.Google Scholar
[90] , The uber-assumption family. In Pairing 2008 ( and , eds.), LNCS, vol. 5209, Springer, 2008, pp. 39–56.Google Scholar
[91] , and , Speeding up discrete log and factoring based schemes via precomputations. In EUROCRYPT 1998 (, ed.), LNCS, vol. 1403, Springer, 1998, pp. 221–235.Google Scholar
[92] , An efficient off-line electronic cash system based on the representation problem, Tech. report, CWI Amsterdam, 1993, CS-R9323.
[94] and , Factorization of the eighth Fermat number, Math. Comp. 36(154) (1981), 627–630.Google Scholar
[96] and , An O(M(n)logn) algorithm for the Jacobi symbol. In ANTS IX (, and , eds.), LNCS, vol. 6197, Springer, 2010, pp. 83–95.Google Scholar
[97] , , and , A generalization of DDH with applications to protocol analysis and computational soundness. In CRYPTO 2007 (, ed.), LNCS, vol. 4622, Springer, 2007, pp. 482–499.Google Scholar
[98] , , and , Design validations for discrete logarithm based signature schemes. In PKC 2000 ( and , eds.), LNCS, vol. 1751, Springer, 2000, pp. 276–292.Google Scholar
[99] , and , Cryptanalysis of RSA signatures with fixed-pattern padding. In CRYPTO 2001 (, ed.), LNCS, vol. 2139, Springer, 2001, pp. 433–439.Google Scholar
[100] , Constructing supersingular elliptic curves, J. Comb. Number Theory 1(3) (2009), 269–273.Google Scholar
[101] , and , Evaluating large degree isogenies and applications to pairing based cryptography. In Pairing 2008 ( and , eds.), LNCS, vol. 5209, Springer, 2008, pp. 100–112.Google Scholar
[102] , and , Modular polynomials via isogeny volcanoes, http://arxiv.org/abs/1001.0402, 2010, to appear in Math. Comp..
[103] and , An explicit height bound for the classical modular polynomial, The Ramanujan Journal 22(3) (2010), 293–313.Google Scholar
[104] and , The static Diffie–Hellman problem, Cryptology ePrint Archive, Report 2004/306, 2004.
[105] and , Koblitz curves and integer equivalents of Frobenius expansions. In SAC 2007 (, and , eds.), LNCS, vol. 4876, Springer, 2007, pp. 126–137.Google Scholar
[106] and , Algorithmic Number Theory, MSRI Publications, Cambridge University Press, 2008.Google Scholar
[107] and , A secure and efficient conference key distribution system. In EUROCRYPT 1994 (, ed.), LNCS, vol. 950, Springer, 1995, pp. 267–275.Google Scholar
[108] , and , The random oracle model, revisited. In Symposium on the Theory of Computing (STOC), ACM, 1998, pp. 209–218.Google Scholar
[109] and , Analysis of key-exchange protocols and their use for building secure channels. In EUROCRYPT 2001 (, ed.), LNCS, vol. 2045, Springer, 2001, pp. 453–474.Google Scholar
[110] , and , On a problem of Oppenheim concerning “factorisatio numerorum”, J. Number Theory 17(1) (1983), 1–28.Google Scholar
[111] , Computing in the Jacobian of an hyperelliptic curve, Math. Comp. 48(177) (1987), 95–101.Google Scholar
[112] , and , The twin Diffie–Hellman problem and applications. In EUROCRYPT 2008 (, ed.), LNCS, vol. 4965, Springer, 2008, pp. 127–145.Google Scholar
[115] and , Prolegomena to a Middlebrow Arithmetic of Curves of Genus 2, Cambridge University Press, 1996.Google Scholar
[117] , , and , Paillier's cryptosystem revisited. In CCS 2001, ACM, 2001, pp. 206–214.Google Scholar
[118] and , An elementary introduction to elliptic curves II, CCR Expository Report 34, Institute for Defense Analysis, 1990.
[119] and , An elementary introduction to elliptic curves, CRD Expository Report 31, 1988.
[120] , and , Cryptographic hash functions from expander graphs, J. Crypt. 22(1) (2009), 93–113.Google Scholar
[121] , and , Cryptographically strong undeniable signatures, unconditionally secure for the signer. In CRYPTO 1991 (, ed.), LNCS, vol. 576, Springer, 1992, pp. 470–484.Google Scholar
[122] , Security analysis of the strong Diffie–Hellman problem. In EUROCRYPT 2006 (, ed.), LNCS, vol. 4004, Springer, 2006, pp. 1–11.Google Scholar
[123] , Discrete logarithm problem with auxiliary inputs, J. Crypt. 23(3) (2010), 457–476.Google Scholar
[124] , and , Speeding up the Pollard rho method on prime fields. In ASIACRYPT 2008 (, ed.), LNCS, vol. 5350, Springer, 2008, pp. 471–488.Google Scholar
[125] and , Analysis of low Hamming weight products, Discrete Appl. Math. 156(12) (2008), 2264–2269.Google Scholar
[126] , On the connection between the discrete logarithms and the Diffie–Hellman problem, Discr. Math. Appl. 6(4) (1996), 341–349.Google Scholar
[128] , On the coefficients of the transformation polynomials for the elliptic modular function, Math. Proc. Cambridge Philos. Soc. 95(3) (1984), 389–402.Google Scholar
[130] , Fast evaluation of logarithms in fields of characteristic 2, IEEE Trans. Inf. Theory 30(4) (1984), 587–594.Google Scholar
[131] , Small solutions to polynomial equations, and low exponent RSA vulnerabilities, J. Crypt. 10(4) (1997), 233–260.Google Scholar
[132] , Finding small solutions to small degree polynomials. In Cryptography and Lattices (CaLC) (, ed.) LNCS, vol. 2146, Springer, 2001, pp. 20–31.Google Scholar
[134] , , and , Low-exponent RSA with related messages In EUROCRYPT 1996 (, ed.), LNCS, vol. 1070, Springer, 1996, pp. 1–9.
[137] , On the exact security of full domain hash. In CRYPTO 2000 (, ed.), LNCS, vol. 1880, Springer, 2000, pp. 229–235.Google Scholar
[138]Optimal security proofs for PSS and other signature schemes. In EUROCRYPT 2002 (, ed.), LNCS, vol. 2332, Springer, 2002, pp. 272–287.Google Scholar
[139]Finding small roots of bivariate integer polynomial equations: a direct approach. In CRYPTO 2007 (, ed.), LNCS, vol. 4622, Springer, 2007, pp. 379–394.Google Scholar
[140] and , Deterministic polynomial-time equivalence of computing the RSA secret key and factoring, J. Crypt. 20(1) (2007), 39–50.Google Scholar
[141] , D. M'Raïhi and , Fast generation of pairs (k, [k]P) for Koblitz elliptic curves. In SAC 2001 ( and , eds.), vol. 2259, Springer, 2001, pp. 151–164.Google Scholar
[142] , , and , Practical cryptanalysis of ISO/IEC 9796-2 and EMV signatures. In CRYPTO 2009 (, ed.), LNCS, vol. 5677, Springer, 2009, pp. 428–444.Google Scholar
[143] , Computing l-isogenies with the p-torsion. In ANTS II (, ed.), LNCS, vol. 1122, Springer, 1996, pp. 59–65.Google Scholar
[144] , and , Isogeny cycles and the Schoof–Elkies–Atkin algorithm, Research Report LIX/RR/96/03, 1996.
[146] , and D. O'Shea, Ideals, Varieties and Algorithms: an Introduction to Computational Algebraic Geometry and Commutative Algebra, 2nd edn, Springer, 1997.Google Scholar
[147] and , A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In CRYPTO 1998 (, ed.), LNCS, vol. 1462, Springer, 1998, pp. 13–25.Google Scholar
[148] and Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In EUROCRYPT 2002 (, ed.), LNCS, vol. 2332, Springer, 2002, pp. 45–64.Google Scholar
[149] and Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack, SIAM J. Comput. 33(1) (2003), 167–226.Google Scholar
[151] , Linear Algebra: An Introductory Approach, Undergraduate Texts in Mathematics, Springer, 1984.Google Scholar
[152] , On the randomness of Legendre and Jacobi sequences. In CRYPTO 1988 (, ed.), LNCS, vol. 403, Springer, 1990, pp. 163–172.Google Scholar
[153] , and , Elementary Number Theory, Group Theory, and Ramanujan Graphs, Cambridge University Press, 2003.Google Scholar
[155] , On Schnorr's preprocessing for digital signature schemes, J.|Crypt. 10(1) (1997), 1–16.Google Scholar
[156] , Diffie–Hellman is as strong as discrete log for certain primes. In CRYPTO 1988 (, ed.), LNCS, vol. 403, Springer, 1990, pp. 530–539.Google Scholar
[157] and , A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes. In CRYPTO 1985 (, ed.), LNCS, vol. 218, Springer, 1986, pp. 516–522.Google Scholar
[159] , The GHS-attack in odd characteristic, J.|Ramanujan Math.|Soc. 18(1) (2003), 1–32.Google Scholar
[160] On the discrete logarithm problem in elliptic curves over non-prime finite fields, Lecture at ECC 2004, 2004.
[161]An index calculus algorithm for plane curves of small degree. In ANTS VII (, and , eds.), LNCS, vol. 4076, Springer, 2006, pp. 543–557.Google Scholar
[162] , An index calculus algorithm for non-singular plane curves of high genus, talk at ECC 2006.
[163]On the Discrete Logarithm Problem in Elliptic Curves, Compositio Math. 147 (2011), 75–104.Google Scholar
[164]On the discrete logarithm problem in class groups of curves, Math.|Comp. 80(273) (2011), 443–475.Google Scholar
[165] and é, Index calculus in class groups of non-hyperelliptic curves of genus three, J.|Crypt. 21(4) (2008), 593–611.
[166] and , New directions in cryptography, IEEE Trans.|Inf. Theory 22 (1976), 644–654.Google Scholar
[167] , and , Theory and applications of the double-base number system, IEEE Trans. Computers 48(10) (1999), 1098–1106.Google Scholar
[168] , K. U. Järvinen, , and , Provably sublinear point multiplication on Koblitz curves and its hardware implementation, IEEE Trans. Computers 57(11) (2008), 1469–1481.Google Scholar
[169] , and , Efficient scalar multiplication by isogeny decompositions. In PKC 2006 (, , and , eds.), LNCS, vol. 3958, Springer, 2006, pp. 191–206.Google Scholar
[171] , Class numbers for some hyperelliptic curves. In Arithmetic, Geometry and Coding Theory (, and , eds.), Walter de Gruyter, 1996, pp. 45–52.Google Scholar
[172] , and , Speeding up the discrete log computation on curves with automorphisms. In ASIACRYPT 1999 (, and , eds.), LNCS, vol. 1716, Springer, 1999, pp. 103–121.Google Scholar
[173] and , Tate pairing implementation for hyperelliptic curves y2 = xp – x + d. In ASIACRYPT 2003 (, ed.), LNCS, vol. 2894, Springer, 2003, pp. 111–123.Google Scholar
[174] , Le couplage Weil: de la géométrie à l'arithmétique, Notes from a seminar inRennes, 2002.
[176] , Commutative Algebra with a View Toward Algebraic Geometry, GTM, vol. 150, Springer, 1999.Google Scholar
[177] , A public key cryptosystem and a signature scheme based on discrete logarithms. In CRYPTO 1984 ( and , eds.), LNCS, vol. 196, Springer, 1985, pp. 10–18.Google Scholar
[178] , Elliptic and modular curves over finite fields and related computational issues. In Computational Perspectives on Number Theory ( and , eds.), Studies in Advanced Mathematics, AMS, 1998, pp. 21–76.Google Scholar
[179] , Computing modular polynomials in quasi-linear time, Math. Comp. 78(267) (2009), 1809–1824.Google Scholar
[180] and , A general framework for subexponential discrete logarithm algorithms, Acta Arith. 102 (2002), 83–103.Google Scholar
[181] and , An L(1/3 + ε) algorithm for the discrete logarithm problem for low degree In EUROCRYPT 2007 (, ed.), LNCS, vol. 4515, Springer, 2007, pp. 379– 393.Google Scholar
[182] , and , An L(1/3) discrete logarithm algorithm for low degree curves, J. Crypt. 24(1) (2011), 24–41.Google Scholar
[183] and , Smooth ideals in hyperelliptic function fields, Math. Comp. 71(239) (2002), 1219–1230.Google Scholar
[184] , , , and , Explicit formulas for real hyperelliptic curves of genus 2 in affine representation, WAIFI 2007 ( and , eds.), LNCS, vol. 4547, Springer, 2007, pp. 202–218.Google Scholar
[185] , Fast algorithms for towers of finite fields and isogenies, Ph.D. thesis, L'École Polytechnique, 2010.
[186] and , Stronger security proofs for RSA and Rabin bits, J. Crypt. 13(2) (2000), 221–244.Google Scholar
[187] and , Random mapping statistics. In EUROCRYPT 1989 ( and , eds.), LNCS, vol. 434, Springer, 1990, pp. 329–354.Google Scholar
[190] , , and , Field inversion and point halving revisited, IEEE Trans. Computers 53(8) (2004), 1047–1059.Google Scholar
[191] and , A survey of homomorphic encryption for nonspecialists, EURASIP Journal on Information Security 2007(15) (2007), 1–10.Google Scholar
[192] and , Isogeny volcanoes and the SEA algorithm. In ANTS V ( and , eds.), LNCS, vol. 2369, Springer, 2002, pp. 276–291.Google Scholar
[193] , , , and , More constructions of lossy and correlation-secure trapdoor functions. In PKC 2010 ( and , eds.), LNCS, vol. 6065, Springer, 2010, pp. 279–295.Google Scholar
[194] , and , A taxonomy of pairing-friendly elliptic curves, J. Crypt..23(2) (2010), 224–280.Google Scholar
[195] , How to disguise an elliptic curve, talk at ECC 1998, Waterloo, 1998.
[196] and , A remark concerning m-divisibility and the discrete logarithm problem in the divisor class group of curves, Math. Comp. 62(206) (1994), 865–874.Google Scholar
[197] and , Field Arithmetic, 3rd edn, Springer, 2008.
[198] , , and , RSA-OAEP is secure under the RSA assumption, J. Crypt. 17(2) (2004), 81–104.Google Scholar
[199] , Algebraic Curves, Addison-Wesley, 1989, Out of print, but freely available here: www.math.lsa.umich.edu/∼wfulton/.Google Scholar
[200] , Constructing isogenies between elliptic curves over finite fields, LMS J. Comput. Math. 2 (1999), 118–138.Google Scholar
[201] , Supersingular curves in cryptography. In ASIACRYPT 2001 (, ed.), LNCS, vol. 2248, Springer, 2001, pp. 495–513.Google Scholar
[202] , and , Efficient hyperelliptic arithmetic using balanced representation for divisors. In ANTS VIII ( and , eds.), LNCS, vol. 5011, Springer, 2008, pp. 342–356.Google Scholar
[203] , and , Tunable balancing of RSA. In ACISP 2005 ( and , eds.), LNCS, vol. 3574, Springer, 2005, pp. 280–292.Google Scholar
[204] , and , Extending the GHS Weil descent attack. In EUROCRYPT 2002 (, ed.), LNCS, vol. 2332, Springer, 2002, pp. 29–44.Google Scholar
[205] , and , Aspects of pairing inversion, IEEE Trans. Inf. Theory 54(12) (2008), 5719–5728.Google Scholar
[206] and , A Non-Uniform Birthday Problem with Applications to Discrete Logarithms, Cryptology ePrint Archive, Report 2010/616, 2010.Google Scholar
[207] , and , Endomorphisms for faster elliptic curve cryptography on a large class of curves. In EUROCRYPT 2009 (, ed.), LNCS, vol. 5479, Springer, 2009, pp. 518–535.Google Scholar
[208] and , The probability that the number of points on an elliptic curve over a finite field is prime, J. Lond. Math. Soc. 62(3) (2000), 671–684.Google Scholar
[209] , and , Computing Discrete Logarithms in an Interval, Cryptology ePrint Archive, Report 2010/617, 2010.Google Scholar
[210] and , An improvement to the Gaudry–Schost algorithm for multidimensional discrete logarithm problems. In IMA Cryptography and Coding (, ed.), LNCS, vol. 5921, Springer, 2009, pp. 368–382.Google Scholar
[211] and , Using equivalence classes to accelerate solving the discrete logarithm problem in a short interval. In PKC 2010 ( and , eds.), LNCS, vol. 6056, Springer, 2010, pp. 368–383.Google Scholar
[212] and , A cryptographic application of Weil descent. In IMA Cryptography and Coding (, ed.), LNCS, vol. 1746, Springer, 1999, pp. 191–200.Google Scholar
[213] and , Improved Algorithm for the Isogeny Problem for Ordinary Elliptic Curves, Preprint, 2011.
[214] and , An analysis of the vector decomposition problem. In PKC 2008 (, ed.), LNCS, vol. 4939, Springer, 2008, pp. 308–327.Google Scholar
[215] , and , Improving the parallelized Pollard lambda search on binary anomalous curves, Math. Comp. 69 (2000), (232) 1699–1705.Google Scholar
[216] , and , Faster point multiplication on elliptic curves with efficient endomorphisms. In CRYPTO 2001 (, ed.), LNCS, vol. 2139, Springer, 2001, pp. 190–200.Google Scholar
[217] , and , Lattice enumeration using extreme pruning. In EUROCRYPT 2010 (, ed.), LNCS, vol. 6110, Springer, 2010, pp. 257–278.Google Scholar
[218] , Normal bases over finite fields, Ph.D. thesis, Waterloo, 1993.
[219] , The generalised Weil pairing and the discrete logarithm problem on elliptic curves, Theor. Comput. Sci. 321(1) (2004), 59–72.Google Scholar
[221] and , Constructing normal bases in finite fields, J. Symb. Comput. 10(6) (1990), 547–570.Google Scholar
[222] , and , Finding points on curves over finite fields, SIAM J. Comput. 32(6) (2003), 1436–1448.Google Scholar
[223] , An algorithm for solving the discrete log problem on hyperelliptic curves. In EUROCRYPT 2000 (, ed.), LNCS, vol. 1807, Springer, 2000, pp. 19–34.Google Scholar
[224] , Fast genus 2 arithmetic based on theta functions, J. Math. Crypt. 1(3) (2007), 243–265.Google Scholar
[225] , Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem, J. Symb. Comput. 44(12) (2009), 1690–1702.Google Scholar
[226] , and , Constructive and destructive facets of Weil descent on elliptic curves, J. Crypt. 15 (2002), 19–46.Google Scholar
[227] and , The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines, Finite Fields Appl. 15 (2009), 246–260.Google Scholar
[228] and , A low-memory parallel version of Matsuo, Chao, and Tsujii's algorithm. In ANTS VI (, ed.), LNCS, vol. 3076, Springer, 2004, pp. 208–222.Google Scholar
[229] , , and , A double large prime variation for small genus hyperelliptic index calculus, Math. Comp. 76(257) (2007), 475–492.Google Scholar
[230] , The geometry of provable security: some proofs of security in which lattices make a surprise appearance, The LLL Algorithm ( and , eds.), Springer, 2010, pp. 391–426.Google Scholar
[231] , An identity-based identification scheme based on discrete logarithms modulo a composite number. In EUROCRYPT 1990 (, ed.), LNCS, vol. 473, Springer, 1991, pp. 481–486.Google Scholar
[232] , and , On the fly authentication and signature schemes based on groups of unknown order, J. Crypt. 19 (2006), 463–487.Google Scholar
[233] , and , Public-key cryptosystems from lattice reduction problem. In CRYPTO 1997 (, ed.), LNCS, vol. 1294, Springer, 1997, pp. 112–131.Google Scholar
[234] , and , Chinese remaindering with errrors, IEEE Trans. Inf. Theory 46(4) (2000), 1330–1338.Google Scholar
[235] , and , A digital signature scheme secure against adaptive chosen-message attacks, SIAM J. Comput. 17(2) (1988), 281–308.Google Scholar
[236] and , Public-key cryptosystems based on cubic finite field extensions, IEEE Trans. Inf. Theory 45(7) (1999), 2601–2605.Google Scholar
[237] , and , New results on the hardness of Diffie–Hellman bits, PKC 2004 (, and , eds.), LNCS, vol. 2947, Springer, 2004, pp. 159–172.Google Scholar
[238] and , On the security of Diffie–Hellman bits. In Cryptography and Computational Number Theory (, and , eds.), Progress in Computer Science and Applied Logic, Birkhäuser, 2001, pp. 257–268.Google Scholar
[240] and , Massively parallel computation of discrete logarithms. In CRYPTO 1992 (, ed.), LNCS, vol. 740, Springer, 1993, pp. 312–323.Google Scholar
[241] , , , and , Ate pairing on hyperelliptic curves. In EUROCRYPT 2007 (, ed.), LNCS, vol. 4515, Springer, 2007, pp. 430–447.Google Scholar
[242] and , On the discrete logarithm problem on algebraic tori. In CRYPTO 2005 (, ed.), LNCS, vol. 3621, Springer, 2005, pp. 66–85.Google Scholar
[243] , Smooth numbers: computational number theory and beyond. In Algorithmic Number Theory ( and , eds.), MSRI Proceedings, vol. 44, Cambridge University Press, 2008, pp. 267–323.Google Scholar
[244] , Heights and the special values of L-series. In CMS Conf. Proc., vol. 7, 1987, pp. 115–187.Google Scholar
[247] and , Asymptotically fast triangularization of matrices over rings, SIAM J. Comput. 20(6) (1991), 1068–1083.Google Scholar
[249] and , Improved analysis of Kannan's shortest lattice vector algorithm. In CRYPTO 2007 (, ed.), LNCS, vol. 4622, Springer, 2007, pp. 170–186.Google Scholar
[250] and , An Introduction to the Theory of Numbers, 5th edn, Oxford University Press, 1980.Google Scholar
[251] , Fast Arithmetic on Genus Two Curves, Preprint, 2000.
[253] and , The security of all RSA and discrete log bits, J. ACM 51(2) (2004), 187–230.Google Scholar
[254] , and , Extended GCD and Hermite normal form algorithms via lattice basis reduction, Experimental Math. 7(2) (1998), 125–136.Google Scholar
[255] , Algorithms to construct Minkowski reduced and Hermite reduced lattice bases, Theor. Comput. Sci. 41 (1985), 125–139.Google Scholar
[256] , A note on the Tate pairing of curves over finite fields, Arch. Math. 82 (2004), 28–32.Google Scholar
[257] , Pairing lattices. In Pairing 2008 ( and , eds.), LNCS, vol. 5209, Springer, 2008, pp. 18–38.Google Scholar
[258] , and , The eta pairing revisited, IEEE Trans. Inf. Theory 52(10) (2006), 4595–4602.Google Scholar
[260] , , and , The efficiency of solving multiple discrete logarithm problems and the implications for the security of fixed elliptic curves, Int. J. Inf. Secur. 3 (2004), 86–98.Google Scholar
[262] and , Random small Hamming weight products with applications to cryptography, Discrete Appl. Math. 130(1) (2003), 37–49.Google Scholar
[263] and , The group of signed quadratic residues and applications. In CRYPTO 2009 (, ed.), LNCS, vol. 5677, Springer, 2009, pp. 637–653.Google Scholar
[264] and , Short and stateless signatures from the RSA assumption. In CRYPTO 2009 (, ed.), LNCS, vol. 5677, Springer, 2009, pp. 654–670.Google Scholar
[265] and , Introduction to Automata Theory, Languages and Computation, Addison-Wesley, 1979.Google Scholar
[266] and , Random Cayley digraphs and the discrete logarithm. In ANTS V ( and , eds.), LNCS, vol. 2369, Springer, 2002, pp. 416–430.Google Scholar
[267] , On the group orders of elliptic curves over finite fields, Compositio Mathematica 85 (1993), 229–247.Google Scholar
[268] , Finding small roots of univariate modular equations revisited. In IMA Cryptography and Coding (, ed.), LNCS, vol. 1355, Springer, 1997, pp. 131–142.Google Scholar
[269] , Approximate integer common divisors, Cryptography and Lattices (CaLC) (, ed.), LNCS, vol. 2146, Springer, 2001, pp. 51–66.Google Scholar
[270] and , Lattice attacks on digital signature schemes, Des. Codes Crypt. 23 (2001), 283–290.Google Scholar
[273] , How to hash into elliptic curves. In CRYPTO 2009 (, ed.), LNCS, vol. 5677, Springer, 2009, pp. 303–316.Google Scholar
[274] , , and , Construction of Frobenius maps of twist elliptic curves and its application to elliptic scalar multiplication. In Symposium on Cryptography and Information Security (SCIS) 2002, IEICE Japan, 2002, pp. 699–702.Google Scholar
[275] and , On the equivalence of generic group models. In ProvSec 2008 (, and , eds.), LNCS, vol. 5324, Springer, 2008, pp. 200–209.Google Scholar
[276] , and , On the bits of elliptic curve Diffie–Hellman keys. In INDOCRYPT 2007 (, and , eds.), LNCS, vol. 4859, Springer, 2007, pp. 33–47.Google Scholar
[277] , and , Do all elliptic curves of the same order have the same difficulty of discrete log?. In ASIACRYPT 2005 (, ed.), LNCS, vol. 3788, Springer, 2005, pp. 21–40.Google Scholar
[278] , and , Expander graphs based on GRH with an application to elliptic curve cryptography, J. Number Theory 129(6) (2009), 1491–1504.Google Scholar
[279] and , A subexponential algorithm for evaluating large degree isogenies. In ANTS IX (, and , eds.), LNCS, vol. 6197, Springer, 2010, pp. 219–233.Google Scholar
[280] and , Boneh–Boyen signatures and the strong Diffie–Hellman problem. In Pairing 2009 ( and , eds.), LNCS, vol. 5671, Springer, 2009, pp. 1–16.Google Scholar
[281] and , Bits security of the elliptic curve Diffie–Hellman secret keys. In CRYPTO 2008 (, ed.), LNCS, vol. 5157, Springer, 2008, pp. 75–92.Google Scholar
[282] , and , Polynomial analysis of DH secrete key and bit security, Wuhan University Journal of Natural Sciences 10(1) (2005), no. 1, 239–242.Google Scholar
[284] and , The function field sieve in the medium prime case. In EUROCRYPT 2006 (, ed.), LNCS, vol. 4004, Springer, 2006.Google Scholar
[285] , , and , The number field sieve in the medium prime case. In CRYPTO 2006 (, ed.), LNCS, vol. 4117, Springer, 2006, pp. 326–344.Google Scholar
[286] and , Identity-based cryptography, Cryptology and Information Security, vol. 2, IOS Press, 2008.Google Scholar
[287] and , Optimal left-to-right binary signed-digit recoding, IEEE Trans. Computers 49(7) (2000), 740–748.Google Scholar
[288] , , , and , Analysis of the Xedni calculus attack, Des. Codes Crypt. 20(1) (2000), 1–64.Google Scholar
[289] and , Computational aspects of NUCOMP. In ANTS V ( and , eds.), LNCS, vol. 2369, Springer, 2002, pp. 120–133.Google Scholar
[290] , On finding small solutions of modular multivariate polynomial equations. In EUROCRYPT 1998 (, ed.), LNCS, vol. 1403, Springer, 1998, pp. 158–170.Google Scholar
[291] and , Block reduction for arbitrary norms, Technical Report, Universität Frankfurt am Main, 1994.
[292] and , The generalized Gauss reduction algorithm, Journal of Algorithms 21(3) (1996), 565–578.Google Scholar
[293] , Elliptic curves and cryptography: a pseudorandom bit generator and other tools, Ph.D. thesis, MIT, 1988.
[294] , Complexity of the Havas, Majewski, Matthews LLL Hermite normal form algorithm, J. Symb. Comput. 30(3) (2000), 329–337.Google Scholar
[295] , Improved algorithms for integer programming and related lattice problems. In Symposium on the Theory of Computing (STOC), ACM, 1983, pp. 193–206.Google Scholar
[296] , Minkowski's convex body theorem and integer programming, Mathematics of Operations Research 12(3) (1987), 415–440.Google Scholar
[297] and , Polynomial algorithms for computing the Smith and Hermite normal forms of an integer matrix, SIAM J. Comput. 8 (1979), 499–507.Google Scholar
[298] , , and , Some improved algorithms for hyperelliptic curve cryptosystems using degenerate divisors. In ICISC 2004 ( and , eds.), LNCS, vol. 3506, Springer, 2004, pp. 296–312.Google Scholar
[299] , , and , Novel efficient implementations of hyperelliptic curve cryptosystems using degenerate divisors. In WISA 2004 ( and , eds.), LNCS, vol. 3325, Springer, 2004, pp. 345–359.Google Scholar
[301] , , and , A birthday paradox for Markov chains, with an optimal bound for collision in the Pollard rho algorithm for discrete logarithm. In ANTS VIII ( and , eds.), LNCS, vol. 5011, Springer, 2008, pp. 402–415.Google Scholar
[302] , and , Near optimal bounds for collision in Pollard rho for discrete log. In Foundations of Computer Science (FOCS), IEEE, 2007, pp. 215–223.Google Scholar
[303] , A point compression method for elliptic curves defined over GF(2n). In PKC 2004 (, , and , eds.), LNCS, vol. 2947, Springer, 2004, pp. 333–345.Google Scholar
[304] and , A parameterized splitting system and its application to the discrete logarithm problem with low Hamming weight product exponents. In PKC 2008 (, ed.), LNCS, vol. 4939, Springer, 2008, pp. 328–343.Google Scholar
[305] and , Introduction to Measure Theory and Probability, Cambridge University Press, 1966.Google Scholar
[306] , Finding the closest lattice vector when it's unusually close, Symposium on Discrete Algorithms (SODA), ACM/SIAM, 2000, pp. 937–941.Google Scholar
[307] , Elliptic scalar multiplication using point halving. In ASIACRYPT 1999 (, and , eds.), LNCS, vol. 1716, Springer, 1999, pp. 135–149.Google Scholar
[308] , Art of Computer Programming, Volume 2: Semi-Numerical Algorithms, 3rd edn, Addison-Wesley, 1997.Google Scholar
[310] , Primality of the number of points on an elliptic curve over a finite field, Pacific J. Math. 131(1) (1988), 157–165.Google Scholar
[312] , CM curves with good cryptographic properties. In CRYPTO 1991 (, ed.), LNCS, vol. 576, Springer, 1992, pp. 279–287.Google Scholar
[313] , A Course in Number Theory and Cryptography, 2nd edn, GTM vol. 114, Springer, 1994.Google Scholar
[314] and , Montgomery multplication in GF(2k), Des. Codes Crypt. 14(1) (1998), 57–69.Google Scholar
[315] , Endomorphism rings of elliptic curves over finite fields, Ph.D. thesis, University of California, Berkeley, 1996.
[316] , Constructive and Destructive Facets of Torus-based Cryptography, Preprint, 2004.
[317] and , On exponential sums and group generators for elliptic curves over finite fields. In ANTS IV (, ed.), LNCS, vol. 1838, Springer, 2000, pp. 395–404.Google Scholar
[318] , and , Remarks on Cheon's algorithms for pairing-related problems, Pairing 2007 (, , and , eds.), LNCS, vol. 4575, Springer, 2007, pp. 302–316.
[320] and , Random walks revisited: extensions of Pollard's rho algorithm for computing multiple discrete logarithms. In SAC 2001 ( and , eds.), LNCS, vol. 2259, Springer, 2001, pp. 212–229.Google Scholar
[321] , Curves of genus 2 with split Jacobian, Trans. Amer. Math. Soc. 307(1) (1988), 41–49.Google Scholar
[322] and , Complexity of SVP – a reader's digest, SIGACT News, Complexity Theory Column 32 (2001), 13.Google Scholar
[323] and , A new paradigm of hybrid encryption scheme. In CRYPTO 2004 (, ed.), LNCS, vol. 3152, Springer, 2004, pp. 426–442.Google Scholar
[324] , and , Korkin–Zolotarev bases and successive minima of a lattice and its reciprocal lattice, Combinatorica 10(4) (1990), 333–348.Google Scholar
[325] , Solution of systems of linear equations by minimized iterations, J. Res. Nat. Bureau of Standards 49 (1952), 33–53.Google Scholar
[331] , and , Efficient and Generalized Pairing Computation on Abelian Varieties, IEEE Trans. Inf. Theory 55(4) (2009), 1793–1803.Google Scholar
[332] , Factorization of polynomials. In Computational Methods in Number Theory, ( and , eds.) Mathematical Center Tracts 154, Mathematisch Centrum Amsterdam, 1984, pp. 169–198.Google Scholar
[334] and , The Development of the Number Field Sieve, LNM, vol. 1554, Springer, 1993.Google Scholar
[335] , and , Factoring polynomials with rational coefficients, Math. Ann. 261 (1982), 515–534.Google Scholar
[336] and , Selective forgery of RSA signatures with fixed-pattern padding. In PKC 2002 ( and , eds.), LNCS, vol. 2274, Springer, 2002, pp. 228–236.Google Scholar
[337] and , The XTR public key system. In CRYPTO 2000 (, ed.), LNCS, vol. 1880, Springer, 2000, pp. 1–19.Google Scholar
[338] and , Fast irreducibility and subgroup membership testing in XTR. In PKC 2001 (, ed.), LNCS, vol. 1992, Springer, 2001, pp. 73–86.Google Scholar
[339] , Factoring integerswith elliptic curves, Annals of Mathematics 126(3) (1987), 649–673.Google Scholar
[340] , Elliptic curves and number theoretic algorithms. In Proc. International Congr. Math., Berkeley 1986, AMS, 1988, pp. 99–120.Google Scholar
[341] , Finding isomorphisms between finite fields, Math. Comp. 56(193) (1991), 329–347.Google Scholar
[342] , and , A hyperelliptic smoothness test I, Phil. Trans. R. Soc. Lond. A 345 (1993), 397–408.Google Scholar
[343] and , A rigorous time bound for factoring integers, J. Amer. Math. Soc. 5(3) (1992), no. 3, 483–516.Google Scholar
[344] , Computing isogenies in F2n. In ANTS II (, ed.), LNCS, vol. 1122, Springer, 1996, pp. 197–212.Google Scholar
[345] and , Algorithms for computing isogenies between elliptic curves, Computational Perspectives on Number Theory ( and , eds.), Studies in Advanced Mathematics, vol. 7, AMS, 1998, pp. 77–96.Google Scholar
[346] and , On Elkies subgroups of ℓ-torsion points in elliptic curves defined over a finite field, J. Théor. Nombres Bordeaux 20(3) (2008), 783–797.Google Scholar
[347] and , How risky is the random oracle model?. In CRYPTO 2009 (, ed.), LNCS, vol. 5677, Springer, 2009, pp. 445–464.Google Scholar
[348] and , Moduli of supersingular abelian varieties, LNM, vol. 1680, Springer, 1998.Google Scholar
[349] , and , Hidden number problem with the trace and bit security of XTR and LUC. In CRYPTO 2002 (, ed.), LNCS, vol. 2442, Springer, 2002, pp. 433–448.Google Scholar
[350] and , Introduction to Finite Fields and Their Applications, Cambridge University Press, 1994.Google Scholar
[352] and , Better key sizes (and attacks) for LWE-based encryption, CT-RSA 2011 (, ed.), LNCS, vol. 6558, 2011, pp. 1–23.Google Scholar
[353] , On the discriminant of a hyperelliptic curve, Trans. Amer. Math. Soc. 342(2) (1994), 729–752.Google Scholar
[354] and , The discrete logarithm hides O(log n) bits, SIAM J. Comput. 17(2) (1988), 363–372.Google Scholar
[355] , An Invitation to Arithmetic Geometry, Graduate Studies in Mathematics, vol. 106, AMS, 1993.Google Scholar
[357] and , The generalized basis reduction algorithm, Mathematics of Operations Research 17(3) (1992), 751–764.Google Scholar
[358] and , Rigorous discrete logarithm computations in finite fields via smooth polynomials. In Computational Perspectives on Number Theory ( and , eds.), Studies in Advanced Mathematics, vol. 7, AMS, 1998, pp. 221–232.Google Scholar
[360] , On a little but useful algorithm. In AAECC-3, 1985 (, ed.), LNCS, vol. 229, Springer, 1986, pp. 296–301.Google Scholar
[361] and , On finite pseudorandom binary sequences I: measure of pseudorandomness, the Legendre symbol, Acta Arith. 82 (1997), 365–377.
[362] , Towards the equivalence of breaking the Diffie–Hellman protocol and computing discrete logarithms. In CRYPTO 1994 (, ed.), LNCS, vol. 839, Springer, 1994, pp. 271–281.Google Scholar
[363] , Fast generation of prime numbers and secure public-key cryptographic parameters, J. Crypt. 8(3) (1995), 123–155.Google Scholar
[364] , Abstract models of computation in cryptography. In IMA Int. Conf. (, ed.), LNCS, vol. 3796, Springer, 2005, pp. 1–12.Google Scholar
[365] and , Diffie–Hellman oracles. In CRYPTO 1996 (, ed.), LNCS, vol. 1109, Springer, 1996, pp. 268–282.Google Scholar
[366] and , On the complexity of breaking the Diffie–Hellman protocol, Technical Report 244, Institute for Theoretical Computer Science, ETH Zurich, 1996.
[367] and , Lower bounds on generic algorithms in groups. In EUROCRYPT 1998 (, ed.), LNCS, vol. 1403, Springer, 1998, pp. 72–84.Google Scholar
[368] and , The relationship between breaking the Diffie–Hellman protocol and computing discrete logarithms, SIAM J. Comput. 28(5) (1999), 1689–1721.Google Scholar
[370] , New RSA Vulnerabilities Using Lattice Reduction Methods, Ph.D. thesis, Paderborn, 2003.
[371] , Using LLL-reduction for solving RSA and factorization problems: a survey. In The LLL Algorithm ( and , eds.), Springer, 2010, pp. 315–348.Google Scholar
[372] , Subtleties in the distribution of the numbers of points on elliptic curves over a finite prime field, J. London Math. Soc. 59(2) (1999), 448–460.Google Scholar
[373] and , Efficient multiplication on certain non-supersingular elliptic curves. In CRYPTO 1992 (, ed.), LNCS, vol. 740, Springer, 1993, pp. 333–344.Google Scholar
[374] and , The implementation of elliptic curve cryptosystems. In AUSCRYPT 1990 ( and , eds.), LNCS, vol. 453, Springer, 1990, pp. 2–13.Google Scholar
[375] , and , Reducing elliptic curve logarithms to a finite field, IEEE Trans. Inf. Theory 39(5) (1993), 1639–1646.Google Scholar
[377] , La méthode des graphes. exemples et applications, Proceedings of the International Conference on Class Numbers and Fundamental Units of Algebraic Number fields (Katata, 1986), Nagoya University, 1986, pp. 217–242.Google Scholar
[378] and , Complexity of Lattice Problems: A Cryptographic Perspective, Kluwer, 2002.Google Scholar
[379] and , Lattice-based cryptography. In Post Quantum Cryptography (, and , eds.), Springer, 2009, pp. 147–191.Google Scholar
[380] and , Faster exponential time algorithms for the shortest vector problem. In SODA (, ed.), SIAM, 2010, pp. 1468–1480.Google Scholar
[381] and , A linear space algorithm for computing the Hermite normal form. In ISSAC, 2001, pp. 231–236.Google Scholar
[382] and , Spectral analysis of Pollard rho collisions. In ANTS VII (, and , eds.), LNCS, vol. 4076, Springer, 2006, pp. 573–581.Google Scholar
[383] , Short programs for functions on curves, Unpublished manuscript, 1986.
[384] , Use of elliptic curves in cryptography. In CRYPTO 1985 (, ed.), LNCS, vol. 218, Springer, 1986, pp. 417–426.Google Scholar
[385] , The Weil pairing, and its efficient calculation, J. Crypt. 17(4) (2004), 235–261.Google Scholar
[386] , and , Efficient elliptic curve exponentiation. In ICICS 1997 (, and , eds.), LNCS, vol. 1334, Springer, 1997, pp. 282–291.Google Scholar
[387] , Algorithms for multi-exponentiation. In SAC 2001 ( and , eds.), LNCS, vol. 2259, Springer, 2001, pp. 165–180.Google Scholar
[388] , Improved techniques for fast exponentiation. In ICISC 2002 ( and , eds.), LNCS, vol. 2587, Springer, 2003, pp. 298–312.Google Scholar
[389] , Fractional windows revisited: improved signed-digit representations for efficient exponentiation. In ICISC 2004 ( and , eds.), LNCS, vol. 3506, Springer, 2005, pp. 137–153.Google Scholar
[390] and , How long does it take to catch a wild kangaroo?. In Symposium on Theory of Computing (STOC), 2009, pp. 553–559.Google Scholar
[391] , Modular multiplication without trial division, Math. Comp. 44(170) (1985), 519–521.Google Scholar
[392] , Speeding the Pollard and elliptic curve methods of factorization, Math. Comp. 48(177) (1987), 243–264.Google Scholar
[393] and , On Cornacchia's Algorithm for Solving the Diophantine Equation u2 + dv2 = m, Preprint, 1990.
[394] and , Speeding up the computations on an elliptic curve using addition subtraction chains. In Theoretical Informatics and Applications, vol. 24, 1990, pp. 531–543.Google Scholar
[396] , Universal lattice decoding: principle and recent advances, Wireless Communications and Mobile Computing 3(5) (2003), 553–569.Google Scholar
[397] , Fast multiplication on elliptic curves over small fields of characteristic two, J. Crypt. 11(4) (1998), 219–234.Google Scholar
[401] and , Group structure of elliptic curves over finite fields and applications, Topics in Geometry, Coding Theory and Cryptography ( and , eds.), Springer-Verlag, 2006, pp. 167–194.Google Scholar
[402] , and , The equivalence between the DHP and DLP for elliptic curves used in practical applications, LMS J. Comput. Math. 7 (2004), 50–72.Google Scholar
[403] , , and , Can D.S.A. be improved? Complexity trade-offs with the digital signature standard. In EUROCRYPT 1994 (, ed.), LNCS, vol. 950, Springer, 1995, pp. 77–85.Google Scholar
[404] and , Divisibility, smoothness and cryptographic applications, Algebraic Aspects of Digital Communications ( and , eds.) NATO Series for Peace and Security, 24 IOS Press, 2009, pp. 115–173.Google Scholar
[405] , Complexity of a determinate algorithm for the discrete logarithm, Mathematical Notes 55(2) (1994), 165–172.Google Scholar
[406] , and , Hash function requirements for Schnorr signatures, J. Math. Crypt. 3(1) (2009), 69–87.Google Scholar
[407] and , Floating-point LLL revisited. In EUROCRYPT 2005 (, ed.), LNCS, vol. 3494, Springer, 2005, pp. 215–233.Google Scholar
[408] and , Low-dimensional lattice basis reduction revisited, ACM Transactions on Algorithms 5(4:46) (2009), 1–48.Google Scholar
[409] , Public key cryptanalysis. In Recent Trends in Cryptography (, ed.), AMS, 2009, pp. 67–119.Google Scholar
[410] and , Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. In EUROCRYPT 2006 (, ed.), LNCS, vol. 4004, Springer, 2006, pp. 271–288.Google Scholar
[411] and , The insecurity of the digital signature algorithm with partially known nonces, J. Crypt. 15(3) (2002), 151–176.Google Scholar
[412] and , The insecurity of the elliptic curve digital signature algorithm with partially known nonces, Des. Codes Crypt. 30(2) (2003), 201–217.Google Scholar
[413] and , Low-dimensional lattice basis reduction revisited. In ANTS VI (, ed.), LNCS, vol. 3076, Springer, 2004, pp. 338–357.Google Scholar
[414] and , Lattice reduction in cryptology: an update. In ANTS IV (, ed.), LNCS, vol. 1838, Springer, 2000, pp. 85–112.Google Scholar
[415] and , The two faces of lattices in cryptology. In Cryptography and Lattices (CaLC) (, ed.), LNCS, vol. 2146, Springer, 2001, pp. 146–180.Google Scholar
[416] and , The LLL algorithm: survey and applications, Information Security and Cryptography, Springer, 2009.Google Scholar
[417] and , Sieve algorithms for the shortest vector problem are practical, J. Math. Crypt. 2(2) (2008), 181–207.Google Scholar
[418] , A new efficient factorization algorithm for polynomials over small finite fields, Applicable Algebra in Engineering, Communication and Computing 4(2) (1993), 81–87.Google Scholar
[421] , Discrete logarithms in finite fields and their cryptographic significance. In EUROCRYPT 1984 (, and , eds.), LNCS, vol. 209, Springer, 1985, pp. 224–314.Google Scholar
[422] and , On Diffie–Hellman key agreement with short exponents. In EUROCRYPT 1996 (, ed.), LNCS, vol. 1070, Springer, 1996, pp. 332–343.Google Scholar
[423] and , Parallel collision search with cryptanalytic applications, J. Crypt. 12(1) (1999), 1–28.Google Scholar
[424] , Public-key cryptosystems based on composite degree residuosity classes. In EUROCRYPT 1999 (, ed.), LNCS, vol. 1592, Springer, 1999, pp. 223–238.Google Scholar
[425] , Impossibility proofs for RSA signatures in the standard model. In CT-RSA 2007 (, ed.), LNCS, vol. 4377, Springer, 2007, pp. 31–48.Google Scholar
[426] and , Discrete-log-based signatures may not be equivalent to discrete log.In ASIACRYPT 2005 (, ed.), LNCS, vol. 3788, Springer, 2005, pp. 1–20.Google Scholar
[427] and , Trading one-wayness against chosen-ciphertext security in factoring-based encryption. In ASIACRYPT 2006 ( and , eds.), LNCS, vol. 4284, Springer, 2006, pp. 252–266.Google Scholar
[428] and , An efficient discrete log pseudo random generator. In CRYPTO 1998 (, ed.), LNCS, vol. 1462, Springer, 1998, pp. 304–317.Google Scholar
[429] and , Real and imaginary quadratic representations of hyperelliptic function fields, Math. Comp. 68(227) (1999), 1233–1241.Google Scholar
[430] , Simultaneous security of bits in the discrete log. In EUROCRYPT 1985 (, ed.), LNCS, vol. 219, Springer, 1986, pp. 62–72.Google Scholar
[431] , Ramanujan graphs. In Computational Perspectives on Number Theory ( and , eds.), Studies in Advanced Mathematics, vol. 7, AMS, 1998, pp. 159–178.Google Scholar
[432] and , An improved algorithm for computing logarithms over GF(p) and its cryptographic significance, IEEE Trans. Inf. Theory 24 (1978), 106–110.Google Scholar
[433] and , Security arguments for digital signatures and blind signatures, J. Crypt. 13(3) (2000), 361–396.Google Scholar
[434] and , On provable security for digital signature algorithms, Technical report LIENS 96-17, École Normale Supérieure, 1996.
[435] , Theorems on factorisation and primality testing, Proc. Camb. Phil. Soc. 76 (1974), 521–528.Google Scholar
[437] , Monte Carlo methods for index computation (mod p), Math. Comp. 32(143) (1978), 918–924.Google Scholar
[441] and , Rigorous and efficient short lattice vectors enumeration. In ASIACRYPT 2008 (, ed.), LNCS, vol. 5350, Springer, 2008, pp. 390–405.Google Scholar
[442] and , RSA signature algorithm for microcontroller implementation. In CARDIS 1998 ( and , eds.), LNCS, vol. 1820, Springer, 2000, pp. 353–356.Google Scholar
[443] and , Fast decipherment algorithm for RSA public-key cryptosystem, Electronics Letters (21) (1982), 905–907.Google Scholar
[444] , Digitalized signatures and public-key functions as intractable as factorization, Tech. Report MIT/LCS/TR-212, MIT Laboratory for Computer Science, 1979.
[445] and , Security Issues in the Diffie–Hellman Key Agreement Protocol, Preprint, 2000.
[446] , The learning with errors problem (invited survey), 25th Annual IEEE Conference on Computational Complexity, IEEE, 2010, pp. 191–204.Google Scholar
[448] , Graded rings and varieties in weighted projective space, Chapter of unfinished book, 2002.
[449] , Binary arithmetic, Advances in Computers 1 (1960), 231–308.
[450] , Formalizing human ignorance. In VIETCRYPT 2006 (, ed.), LNCS, vol. 4341, Springer, 2006, pp. 211–228.Google Scholar
[452] and , Torus-based cryptography. In CRYPTO 2003 (, ed.), LNCS, vol. 2729, Springer, 2003, pp. 349–365.Google Scholar
[453] and , Compression in finite fields and torus-based cryptography, SIAM J. Comput. 37(5) (2008), 1401–1428.Google Scholar
[454] , A note on elliptic curves over finite fields, Math. Comp. 49(179) (1987), 301–304.Google Scholar
[455] , On the discrete logarithm in the divisor class group of curves, Math. Comp. 68(226) (1999), 805–806.Google Scholar
[456] , , , and , Sufficient conditions for intractability over black-box groups: generic lower bounds for generalized DL and DH problems. In ASIACRYPT 2008 (, ed.), LNCS, vol. 5350, Springer, 2008, pp. 489–505.Google Scholar
[457] and , Assumptions related to discrete logarithms: why subtleties make a real difference. In EUROCRYPT 2001 (, ed.), LNCS, vol. 2045, Springer, 2001, pp. 244–261.Google Scholar
[458] and , On pseudorandomness in families of sequences derived from the Legendre symbol, Periodica Math. Hung. 54(2) (2007), 163–173.Google Scholar
[459] , On Generalization of Cheon's Algorithm, Cryptology ePrint Archive, Report 2009/058, 2009.Google Scholar
[460] and , Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves, Comment. Math. Univ. St. Paul. 47(1) (1998), 81–92.Google Scholar
[461] and , Generating random walks in groups, Ann. Univ. Sci. Budapest. Sect. Comput. 6 (1985), 65–79.Google Scholar
[462] and , On equations y2 = xn + k in a finite field, Bull. Polish Acad. Sci. Math. 52(3) (2004), 223–226.Google Scholar
[463] , Using number fields to compute logarithms in finite fields, Math. Comp. 69(231) (2000), 1267–1283.Google Scholar
[465] , The impact of the number field sieve on the discrete logarithm problem in finite fields. In Algorithmic Number Theory ( and , eds.), MSRI publications, vol. 44, Cambridge University Press, 2008, pp. 397–420.Google Scholar
[466] , The number field sieve for integers of low weight, Math. Comp. 79(269) (2010), 583–602.Google Scholar
[467] , and , Discrete logarithms: the effectiveness of the index calculus method. In ANTS II (, ed.), LNCS, vol. 1122, Springer, 1996, pp. 337–361.Google Scholar
[468] , A hierarchy of polynomial time lattice basis reduction algorithms, Theor. Comput. Sci. 53 (1987), 201–224.Google Scholar
[469] , Efficient identification and signatures for smart cards. In CRYPTO 1989 (, ed.), LNCS, vol. 435, Springer, 1990, pp. 239–252.Google Scholar
[470] , Efficient signature generation by smart cards, J. Crypt. 4(3) (1991), 161–174.Google Scholar
[471] , Security of almost all discrete log bits, Electronic Colloquium on Computational Complexity (ECCC) 5(33) (1998), 1–13.Google Scholar
[472] , Progress on LLL and lattice reduction. In> The LLL Algorithm ( and , eds.), Springer, 2010, pp. 145–178.Google Scholar
[473] and , Lattice basis reduction: improved practical algorithms and solving subset sum problems, Math. Program. 66 (1994), 181–199.Google Scholar
[474] and , A Monte Carlo factoring algorithm with linear storage, Math. Comp. 43(167) (1984), 289–311.Google Scholar
[475] , Elliptic curves over finite fields and the computation of square roots (mod)p, Math. Comp. 44(170) (1985), 483–494.Google Scholar
[476] , Nonsingular plane cubic curves over finite fields, J. Combin. Theory Ser. A 46 (1987), 183–211.Google Scholar
[477] , Counting points on elliptic curves over finite fields, J. Théor. Nombres Bordeaux 7 (1995), 219–254.Google Scholar
[479] , , and , Fast key exchange with elliptic curve systems. In CRYPTO 1995 (, ed.), LNCS, vol. 963, Springer, 1995, pp. 43–56.Google Scholar
[480] , Collision search in a random mapping: some asymptotic results, Presentation at ECC 2000, Essen, Germany, 2000.
[481] , Faster pairings using an elliptic curve with an efficient endomorphism. In INDOCRYPT 2005 (, and , eds.), LNCS, vol. 3797, Springer, 2005, pp. 258–269.Google Scholar
[482] , and , The complexity of finding cycles in periodic functions, SIAM J. Comput. 11(2) (1982), 376–390.Google Scholar
[483] , On waiting time in the scheme of random allocation of coloured particles, Discrete Math. Appl. 5(1) (1995), 73–82.Google Scholar
[484] , Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p, Math. Comp. 67(221) (1998), 353–356.Google Scholar
[485] , A 3-dimensional lattice reduction algorithm. In Cryptography and Lattices (CaLC) (, ed.), LNCS, vol. 2146, Springer, 2001, pp. 181–193.Google Scholar
[486] , Summation Polynomials and the Discrete Logarithm Problem on Elliptic Curves, Cryptology ePrint Archive, Report 2004/031, 2004.
[487] , Sur la topologie des variétés algébriques en charactéristique p. In Symp. Int. Top. Alg., Mexico, 1958, pp. 24–53.Google Scholar
[491] and , Construction of rational points on elliptic curves over finite fields. In ANTS VII (, and , eds.), LNCS, vol. 4076, Springer, 2006, pp. 510–524.Google Scholar
[492] , Five number-theoretic algorithms, Proceedings of the Second Manitoba Conference on Numerical Mathematics, Congressus Numerantium, No. VII, Utilitas Math., Winnipeg, Man., 1973, pp. 51–70.
[493] , , , and , Compressed XTR. In ACNS 2007 ( and , eds.), LNCS, vol. 4521, Springer, 2007, pp. 420–431.Google Scholar
[494] , Lower bounds for discrete logarithms and related problems. In EUROCRYPT 1997 (, ed.), LNCS, vol. 1233, Springer, 1997, pp. 256–266.Google Scholar
[495] , On formal models for secure key exchange (version 4), 15 November 1999, Tech. report, IBM, 1999, Revision of Report RZ 3120.
[496] , OAEP reconsidered. In CRYPTO 2001 (, ed.), LNCS, vol. 2139, Springer, 2001, pp. 239–259.Google Scholar
[497] , A Computational Introduction to Number Theory and Algebra, Cambridge University Press, 2005.Google Scholar
[498] , Computing Jacobi symbols modulo sparse integers and polynomials and some applications, J. Algorithms 36 (2000), 241–252.Google Scholar
[499] , Cryptographic Applications of Analytic Number Theory, Birkhauser, 2003.
[500] , Playing “hide-and-seek” with numbers: the hidden number problem, lattices and exponential sums. In Public-Key Cryptography ( and , eds.), Proceedings of Symposia in Applied Mathematics, vol. 62, AMS, 2005, pp. 153–177.Google Scholar
[501] and , A nonuniform algorithm for the hidden number problem in subgroups. In PKC 2004 (, and , eds.), LNCS, vol. 2947, Springer, 2004, pp. 416–424.Google Scholar
[502] and , A hidden number problem in small subgroups, Math. Comp. 74(252) (2005), 2073– 2080.Google Scholar
[503] , Design and analysis of provably secure pseudorandom generators, Ph.D. thesis, Eindhoven, 2007.
[506] , Advanced Topics in the Arithmetic of Elliptic Curves, GTM, vol. 151, Springer, 1994.Google Scholar
[507] and , Elliptic curve discrete logarithms and the index calculus. In ASIACRYPT 1998 ( and , eds.), LNCS, vol. 1514, Springer, 1998, pp. 110–125.Google Scholar
[510] , Points on elliptic curves over finite fields, Acta Arith. 117(3) (2005), 293–301.Google Scholar
[511] , The discrete logarithm problem on elliptic curves of trace one, J. Cryptology 12(3) (1999), 193–196.Google Scholar
[512] , Elliptic curve cryptosystems over small fields of odd characteristic, J. Crypt. 12(2) (1999), 141–151.Google Scholar
[514] , Isogenies and the discrete logarithm problem in Jacobians of genus 3 hyperelliptic curves, J. Crypt. 22(4) (2009), 505–529.Google Scholar
[515] and , LUC: a new public key system. In International Conference on Information Security (, ed.), IFIP Transactions, vol. A-37, North-Holland, 1993, pp. 103–117.Google Scholar
[516] and , A public-key cryptosystem and a digital signature system based on the Lucas function analogue to discrete logarithms. In ASIACRYPT 1994 ( and , eds.), LNCS, vol. 917, Springer, 1994, pp. 357–364.Google Scholar
[518] , Low-weight binary representations for pairs of integers, Technical Report CORR 2001-41, 2001.
[519] , On Montgomery-like representations of elliptic curves over GF(2k). In PKC 2003 (, ed.), LNCS, vol. 2567, Springer, 2003, pp. 240–253.Google Scholar
[520] , Speeding up subgroup cryptosystems, Ph.D. thesis, Eindhoven, 2003.
[521] and , Speeding up XTR. In ASIACRYPT 2001 (, ed.), LNCS, vol. 2248, Springer, 2001, pp. 125–143.Google Scholar
[522] , Class-numbers of complex quadratic fields. In Modular Functions of One Variable I (, ed.), LNM, vol. 320, Springer, 1972, pp. 153–174.Google Scholar
[523] , Floating point LLL: Theoretical and practical aspects. In The LLL Algorithm ( and , eds.), Springer, 2010, pp. 179–213.Google Scholar
[524] and , A binary recursive GCD algorithm. In ANTS VI (, ed.), LNCS, vol. 3076, Springer, 2004, pp. 411–425.Google Scholar
[525] , The number field sieve. In Algorithmic Number Theory ( and , eds.), MSRI publications, Cambridge University Press, 2008, pp. 83–99.Google Scholar
[527] and , Algebraic Number Theory and Fermat's Last Theorem, 3rd edn, AK Peters, 2002.Google Scholar
[528] , Die Hasse–Witt Invariante eines Kongruenzfunktionenkörpers, Arch. Math. 33 (1979), 357–360.Google Scholar
[530] and , On the structure of the divisor class group of a class of curves over finite fields, Arch. Math. 65 (1995), 141–150.Google Scholar
[531] , Some baby-step–giant-step algorithms for the low Hamming weight discrete logarithm problem, Math. Comp. 71(237) (2001), 379–391.Google Scholar
[533] and , Asymptotically fast computation of Hermite normal forms of integer matrices, ISSAC 1996, ACM Press, 1996, pp. 259–266.
[534] , Addition chains of vectors, American Mathematical Monthly 71(7) (1964), 806–808.Google Scholar
[535] , Cryptanalysis of RSA with lattice attacks, MSc thesis, University of Illinois at Urbana-Champaign, 2003.
[536] , Order computations in generic groups, Ph.D.thesis, MIT, 2007.
[537] , Structure computation and discrete logarithms in finite abelian p-groups, Math. Comp. 80(273) (2011), 477–500.Google Scholar
[538] , Fast RSA-type cryptosystem modulo pkq. In CRYPTO 1998 (, ed.), LNCS, vol. 1462, Springer, 1998, pp. 318–326.
[539] and , Complexity and Cryptography: An Introduction, Cambridge University Press, 2006.Google Scholar
[540] , Endomorphisms of abelian varieties over finite fields, Invent. Math. 2 (1966), 134– 144.Google Scholar
[541] , A space efficient algorithm for group structure computation, Math. Comp. 67(224) (1998), 1637–1663.Google Scholar
[542] , Speeding up Pollard's rhomethod for computing discrete logarithms. In ANTS III (, ed.), LNCS, vol. 1423, Springer, 1998, pp. 541–554.
[543] , On random walks for Pollard's rho method, Math. Comp. 70(234) (2001), 809–825.Google Scholar
[544] , Computing discrete logarithms with the parallelized kangaroo method, Discrete Appl. Math. 130 (2003), 61–82.Google Scholar
[545] , Index calculus attack for hyperelliptic curves of small genus. In ASIACRYPT 2003 (, ed.), LNCS, vol. 2894, Springer, 2003, pp. 75–92.
[546] , Algorithmes de calcul de logarithmes discrets dans les corps finis, Ph.D. thesis, L'École Polytechnique, 2003.
[548] , Group of points of an elliptic curve over a finite field, Theory of Numbers and Its Applications, Tbilisi, 1985, pp. 286–287.Google Scholar
[549] , Fast arithmetic operations on numbers and polynomials, Computational Methods in Number Theory, Part 1, Mathematical Centre Tracts 154, Amsterdam, 1984.Google Scholar
[550] , Une approche géométrique de la réduction de réseaux en petite dimension, Ph.D. thesis, Université de Caen, 1986.
[552] , Hidden collisions on DSS. In CRYPTO 1996 (, ed.), LNCS, vol. 1109, Springer, 1996, pp. 83–88.Google Scholar
[553] , A Classical Introduction to Cryptography, Springer, 2006.
[555] , Certificates of recoverability with scale recovery agent security. In PKC 2000 ( and , eds.), LNCS, vol. 1751, Springer, 2000, pp. 258–275.Google Scholar
[556] , Evidence that XTR is more secure than supersingular elliptic curve cryptosystems, J. Crypt. 17(4) (2004), 277–296.Google Scholar
[557] and , Cryptanalysis of ‘less short’ RSA secret exponents, Applicable Algebra in Engineering, Communication and Computing 8(5) (1997), 425–435.Google Scholar
[559] , A note on elliptic curves over finite fields, Bulletin de la Société Mathématique de France 116(4) (1988), 455–458.Google Scholar
[561] , Abelian varieties over finite fields, Ann. Sci. Ecole Norm. Sup. 2 (1969), 521–560.Google Scholar
[562] , Solving sparse linear equations over finite fields, IEEE Trans. Inf. Theory 32 (1986), 54–62.Google Scholar
[563] , Bounds on Birthday Attack Times, Cryptology ePrint Archive, Report 2005/318.
[564] , Cryptanalysis of short RSA secret exponents, IEEE Trans. Inf. Theory 36(3) (1990), 553–558.Google Scholar
[565] and , Faster attacks on elliptic curve cryptosystems. In SAC 1998 ( and , eds.), LNCS, vol. 1556, Springer, 1998, pp. 190–200.Google Scholar
[566] , A modification of the RSA public key encryption procedure, IEEE Trans. Inf. Theory 26(6) (1980), 726–729.Google Scholar
[570] and , Improved digital signature suitable for batch verification, IEEE Trans. Computers 44(7) (1995), 957–959.Google Scholar
[571] , , and , Multi-exponentiation, IEEE Proceedings Computers and Digital Techniques 141(6) (1994), 325–326.Google Scholar
[572] , On the jacobian varieties of hyperelliptic curves over fields of characteristic p > 2, J. Algebra 52 (1978), 378–410.Google Scholar
[573] and , Commutative Algebra (Vol. I and II), Van Nostrand, Princeton University Press, 1960.Google Scholar
[574] , A conversion algorithm for logarithms on G F(2n), J. Pure Appl. Algebra 4 (1974), 353–356.Google Scholar
[575] , Private communication, 10 March 2009.