Review: [Untitled]

Reviewed Work(s):
Elliptic Curves in Cryptography by Ian Blake; Gadiel Seroussi; Nigel Smart
Preda Mih#ilescu; F. Pappalardi

Mathematics of Computation, Vol. 70, No. 236. (Oct., 2001), pp. 1755-1759.

Stable URL:
http://links.jstor.org/sici?sici=0025-5718%28200110%2970%3A236%3C1755%3AECIC%3E2.0.CO%3B2-9

Mathematics of Computation is currently published by American Mathematical Society.

Your use of the JSTOR archive indicates your acceptance of JSTOR's Terms and Conditions of Use, available at
http://www.jstor.org/about/terms.html. JSTOR's Terms and Conditions of Use provides, in part, that unless you have obtained
prior permission, you may not download an entire issue of a journal or multiple copies of articles, and you may use content in
the JSTOR archive only for your personal, non-commercial use.

Please contact the publisher regarding any further use of this work. Publisher contact information may be obtained at
http://www.jstor.org/journals/ams.html.

Each copy of any part of a JSTOR transmission must contain the same copyright notice that appears on the screen or printed
page of such transmission.

The JSTOR Archive is a trusted digital repository providing for long-term preservation and access to leading academic
journals and scholarly literature from around the world. The Archive is supported by libraries, scholarly societies, publishers,
and foundations. It is an initiative of JSTOR, a not-for-profit organization with a mission to help the scholarly community take
advantage of advances in technology. For more information regarding JSTOR, please contact support@jstor.org.

http://www.jstor.org
Sun Dec 16 05:49:33 2007
 REVIETVS AND DESCRIPTIOVS O F TABLES XVD BOOKS 17.55

and St. Emilion, France. in 1996197 were devot,ed to this problem, and tlie cliapters
of this book are a select,ion of works presented there.
Tlie chapt,ers contain in the beginning ample background mat,erial t,o put the
new results int,o tlie riglit perspective. Not,ation. st,yle, and preseiit~at~ioii
in the
different cliapters. though written by different aut,liors, sho~va high uniformity.
Also cross-references between tlie chapters ha\-e been int,roduced.
In t,liis respect the editors have done a good job, also by adding two chapt,ers
cont,aining some useful matrix results and some material on unitary and hyperbolic
transformations. Thus the book gives a very good overvie~vof an exciting field.
The first four chapters deal with fast direct inethods for linear systems, and
Chapters 3-7 with iterative methods. Tlie last three chapters deal wit,h further
applications and generalizations. such as t,lie block case and tlie tensor case.
Following is a list of the cliapters of the book. with the authors in parent,lieses.
1. Displacement struct,ure and array algoritlims ( T . ICailatli)
2. Stabilized Schur algorithms (S. Chandrasekaraii. A. H. Sayed)
3. Fast st,able solvers for struct'ured linear systems (A. H. Sayed, S. Clian-
drasekaran)
4. Stability of fast algorithms for structured linear systems (R. Brent)
5. It,erat,ive met,hods for linear syst,eins with matrix structure ( R . Chan,
nr. K. sg)
6. -4symptotic spectral distribution of Toeplitz related inat,rices (P. Tilli)
7 , Kemt~on'sit,eration for structured matrices (V. Pan. S. Branham, R. Rosliolt,
-4. Zheng)
8. Fast algorithms ~vitliapplicat,ioiis to Markow chains and queueing models
(D. Bini. B , LIeini)
9. Tensor displacement st,ructures and polyspect,ral matching (V. Grigorascu.
P. Regalia)
10. hlinimal complexity realization of structured matrices (P. Den7ilde)

14[94-02. 94A6O. 14H521-Ellzptzc curres an cryptograplzy, by Ian Blake, Gadiel

Seioussi. and Nigel Smait, Cambridge Univeisity Piess. New York, KY, 1999.
x~ f204 pp., 23 cm. softcover. $39.93

Elliptic curves have been st,udied for more tlian a cent,ury from tlie perspectives of
modular forms, complex analysis, algebraic geomet,ry. and number theory. Schoof's
discovery [lo. 19841. that t,here is a polynomial t,iinc algorithm for establishing
the size of the ellipt,ic curve group over any finite field opened t,he way to various
computational applications of t,liese groups.
One by one, most applicat,ions which were customary in t,he multiplicative group
of finit,e fields were adapted to the elliptic curve group. In t,lie space of a few
years, elliptic curves emerged in primality proving [5]. integer factoring [6]. and
crypt,ograpliy [8]. The first tn70 applications take advantage of t,lie large variety of
a\-ailable groups of tlie chosen order of magnit,ude. while tlie interest of the latt,er
is based on the fact that in general no subexponential algorithm for computing the
discret,e logarit,hm in the elliptic curve group is kiiowii or likely to be found. Such
1756 REVIETVS .4ND D E S C R I P T I O N S O F TABLES AND B O O K S

algorithms had been li110~11for some time in the multiplicative groups. However,
many practical questions were still asking for improvements and clarity. so the last
15 years have seen intense research in this domain of applications.
The book at hand is a welcome. in-depth t,reat,ment of t,lie various research and
improvements up to 1999. It offers a compreliensive presentation of both the deeper
t,lleoretical background of algorithmic developmeilt,~and the implementat~ionalbot-
tlenecks. \Yhoever wants to deal wit,h algorithmal aspect,s of elliptic curves will find
liere an excellent and, in most cases. sufficient starting point. The book is t,herefore
not intended either as primary didactical material (proofs are scarcely given) nor
as a compendium of t,lie various short or long lived cryprographical inechanisms
related to elliptic curves. For the first. books such as [7] for the practical and 131 for
the inat,heinatical aspects, are recommendable. For the latter. the technical IEEE
standard P1363. ~ ~ ~ l l has
i c l lbeen mean~vhilereleased, is the relevant source for those
meclianisms which are likely to be spread in practice.
The first two chapters offer a succinct int,roduction to general ideas of public
key cryptography and the underlying arithmetic in finit,e fields. The important'
third chapter introduces the arit,hmet,icof elliptic curves together witli t,he various
coi1i1ections t,o division polynomials. Weil pairing. and modular functions, which
have found explicit use in applications. The fourth chapter gives an overview of
efticient impleinei1tations of ellipt,ic curves arithmetic for the practitioner. and t,lie
fifth treat,s the discrete logarithm problem on elliptic curves. From the sixth to
the eiglltll chapters t,he authors discuss the determinat,ion of the group order. by
Schoof's algorit,hin and it,s later improvement,^ and by an a priori choice of the
complex nlultiplicat~ioi1fields of t,lle t,arget curve. The book closes with an overview
of primalit,y proving and integer fact,oring using elliptic curves in the ilint,h chapt,er,
and with generalizat~ionsof cryptosystems t,o abelian variet,ies of higher genus in
the teilt,h chapter.
Let IF, be a finite field xvitli q elements. An elliptic curve E over F, is defined
by a long Weierstrass equation

n-liere a l . a2. as. ad, as E Fq ale such that the equation is nonsingula~. This is
equivalent to saj ing that the dzscrzmznant

where b2 = a: + +
4a2. b4 = a1a3 2a4,b6 = a: + +
4126,b8 = a:aG h 2 a 6 - alasa4 +
a 2 a i - a:. From the definit,ion of the discriminant,, it follo~vst,llat it has special
behavior in fields of cllaracterist,ic 2 or 3. In fact. most applications in finite fields
<
are treated differently in characterist,icp 3 and p > 3. I11 t,he book the clear choice
to deal only with the cases of charact,eristics 2 and prime fields F, witli p > 3 was
made. It is customary t o indicat,e by E(F,) the set of point,s on Fi of the equation
defining E together with an extra point 0 at infinity. which one may think of as
lying on the top of the y-axis. For two points. Pl = ( x l . yl), P 2 ( x 2 .y2) E E ( F q ) .
+
the sum is PI e P2 = (x3$y3) = (A2 alA - a2 - x l - 5 2 . -(A +
a1)x3 - p - a3).
where
This cornposit.ion rule snalces ( E ( F , ) , kz) into a coinnliltat,ive group with O as its
nel~t'rulclenlent and E ( F q ) Z (ZjrllZ) x (Z/d2Z); where dl dividcs 11oth d 2 and
"
q - 1. The 71,-fold addition of P t o itself is [n]P and Ei[n] ( Z jjn . Z))"s t,he
n-torsion group of 1,' over F,. The .c-coordinates of tlie 71, torsion points are ze-
roes of the division polynomials Q,,. These not,ions, togct,her with tlle more subtle
connections to moclul:t,r functions and conlplex multiplication. which we shall not
describe here. are introduced in tlle third chapter. yi~ldinga self-sufficient base
for thc underst,anding of all algorit~lzmstreated subscquently. The fotlrtlz chapter
is an exrensive overview of t,he main practical aspPct,s -c?-hichthe implementer will
encounter. froin aritl~metict,ricks t'o point compression--a technical torm (in cryp-
tograph,~)for t,he idca that a point on the curve carries essent,ially the information
of its x coordinate plus one bit allon,irig to distinguish a solution of a. quadra,tic
equat.ion.
The problein of taking the discrct,cl logarithm on t:lliptic curves is the door t,o
cryptographic applications of tlzest: groups. The known general techniques are
t,reat,t:d comprehensively in chapter fivt:. I11 the followiilg special cases. described in
this chapter: more pcrfornlant algorithms than the gciieric ones are possible: First,
the supersingular curves for which the ?Veil pairing yiclds an isonzorphisnl t,o the
roots of unity of the ground field or a snlall extension thereof. where silbexponential
index calculus met,hods can be applied. Second, the recent algorit,hsil of Smart for
conlputiizg t,he discrete logarit,hms on curves \vit,h the number of points equal t o
the (prime) charact,eristic of the field over which t,hey are defined.
Unsurprisingly, the. problein of determining t,he nlirnber of points in t,he ellipt,ic
curve group. which brought curves into comput~ationalalgebra. is covcred in three
ext,ensive chapt,ers. The first short one gives a n 01-crvit3u- of naive approaches and
problems related to subgroups of the elliptic curve group.
Thc sixth and sevc:nth chapt,ers cover the generic algorithm of Schoof and its
ulterior improvements and adaptations to tricky chiiract,eristics (i.e., p = 2 , 3 . with
special behavior of thct cliscriminant). The basic algoritllin of Schoof for colnputing
+E(I?,) (that we briefly outline being the first step in the journey of n-lzicll the
book is t,elliizg t,he st ory) is based on the fact that froill Hasse's Thcorem. izailiely
+
#E:(T?,) = q 1 - t with It( 5 2 4 . it is enough t o determine t modulo 1 for SUE-
<
ciently many small primes 1. A'Iore prt:cisely, it sufficc~to take primcs 1 l,,,,, with
ntllriiax 1 > 3fi. One uses the fact that the FYobeniils endolnorphisin d sat,isfies
the equation 02 - fa + q = 0. Considering a nositril-ial point P = (z: y) E E[1]:
one lets q, = q n ~ o dl . Then (x". y f j 2 ) + [ql](rr. y) = [ 7 1 ( 2 4 , y4) must be satisfied
exactly for T = t mod 1. The value of r can be found by computing sy-mbolically
+
(xq2,y q 2 ) iql](2. y) rnodulo the 1-dil-ision polynomials Q 1 and comparing with the
possible values of [ T ](zq. y4) (T = 1. . . . , I ) . The corliput,at,ions are polynoizlially
bounded bj- O(1og q) and the degree of the I-dil-ision polynomials. This degree
grows in practice quite fast: urhich makes the arithmetic izloclulo division polyno-
inials the essential bot-tleneck in tlle original version of Schoof's algorithm.
However, t,he division polynonlials are in general not irreducible and one can
sensibly reduce the complexity by rcplaciag Q r by some smaller- riot aecessar-
ily irreducible-fact,ors. Since E[l] ( Z / ( l . Z))'. there is a reprtsent~a~tion of
Gal(F,/B,) in GLajPl), x~hichyiclds inforn~ationon the fact,orization patterns of
Q l . This fact n-as hasically exploit,cd in the subseqncnt contribut~ionsdue t o Atkin,
1738 REVIEITS XVD D E S C R I P T I O V S O F TABLES AND B O O K S

Elkies and ~vorkedout and implemented by F . Morain. some of his st,udent,s.and

V.LIdler.
The applicat,ions of ellipt,ic curves to fact,oring and primality proving are briefly
outlined. for the sake of coinpletei~ess.in t,he ninth chapter. The last chapter
summarizes t,lie main ideas about crypt,ographic use of hyperelliptic curves at the
t,iine the was book print,ed.
For the int,erested reader. it may be important t,o inention some of t,he outstand-
ing results of t,he last few years. ~11ichare ulterior t,o the conception of this book
and t,hus not covered by it.
Count,ingpoints on curves over fields of small charact,eristics p have been sensibly
simplified by an algoritliin of Satoh [9]. based on p-adic logarithms. The algoritlim
has been implemented, and curves over the field Fasooe can be currently treated;
wit,hout Sat,oh's approach. t,he best met,liods could calculat,e t,he curve orders in
extensions of P a of degree up to 2000.
In the domain of implementation. a beaut,iful paper of H. Cohen. A. Lliyaji,
and T . Ono [2] studies a variet,y of curve representat,ions, wit,h the aim of optimiz-
ing the performance of group operations; this can certainly be of great help for
implementors. Fields of odd cliaracterist,ic ~~11ich are adapted to macliine world
lengtli-medium Gnlois fields or simply extension fields, according to different
t,erminologies-receive some att,ention. A run time st,udy, [12] by Smart, of im-
plementations of ellipt,ic curve operat,ions over fields of cliaracteristics of various
sizes suggests that these fields may ha\-e int,erest,ingpractical properties.
Finally. WeiL descen,ts ha\-e been proposed by G. Frey [4] as a possible met'hod
for solving special instances of the discrete logarithms problem. This has already
motivated a series of important research wit,h pro and con arguments, and is likely
to become an important research topic.

1. Blake; I. F.; Seroussi, G.; Smart. N. P.: Elliptic curves i n cryptography. Reprint of the 1999
original. London LIathematical Society Lecture Note Series. 263. Cambridge U~liversityPress,
Cambridge. 2000. CLIP 2000:15
2. Cohen, H.; hliyaji, A , ; Ono, T.: E f i c i e n t elliptzc curve exponeiitaation using mixed coor-
dznates, Asiacrypt 98. Lecture Notes in Comput. Sci., 1514, Springer, Berlin. 1998. CLIP
2000:06
+
3. Cox, D. A,:P r z ~ n e sof the form x2 7zy2. TT7ile>-Si Sons. 1989. hIR 90m:11016
1 . Fre>-,G.: Applications of a7ithmetacal geometry t o cryptographzc coiistructions, Preprint.
3. Goldw-asser, S.; Killian. J.: .limost all primes can be qzlackly certified. Proc. 18-th Annual
AChI Symp. 011 Theory of Computing (1986). 316-329.
6. Lenstra. H. TV.: FactO~ingintegers with elliptzc curves, Ann. of LIath.. 1 2 6 (1987), 649-673.
LIR 89g:11125
7. hlenezes, Alfred J.: Ellzptac curve public key cryptosystems, Kluw-er Academic Publishers;
1993. hIR 2000d:94023
8. LIiller. V.:Use of elliptic curves zn cryptography, Advances in Cryptolog>-, Proceedi~lgsof
CRYPT0'85. Lecture Notes in Comput. Sci. 218, Springer. Berlin. 1986; pp. 117-126. hIR
88b:68040
9. Satoh. T . : T h e canonzcal lzft of an ordiiiary elliptzc curve over a Jnate Jeld aiid zts point
couiitziig, J . Rama~lujallhIat11. Soc. 1 5 (2000); 110. 4, 247-270. CLIP 2001:05
10. Schoof, R.: Ellzptac curves over Jiizte fields and the computatzon of square roots mod p, hIat11.
Comp. 44. (1985). 483-494. hIR 86e:11122
11. Silverman; J . H.: T h e arithmetic of elliptic curves. Corrected reprint of the 1986 original.
Graduate Texts in hlathematics. 106. Springer-TTerlag. New York, 1999. hIR 95m:11051
 REVTbII S AND DESCHlPTIONS O F TABLES 4 N D 1300I<S 17.5'3

12. Sinart. N.: 4 con~parrsonof d2:fferent finite f i e i r i s for use an e l l z ~ ~ t icurve

c c?yptos?jsten~s,
Lniversity oi Bristol, Departnieilt of Computer Sciei~ce.June 2000 prepririt