Abstract:
The previously best attack known on elliptic curve cryptosystems used in practice was the parallel collision search based on Pollard's ρ-method. The complexity of this attack is the square root of the prime order of the generating point used. For arbitrary curves, typically defined over GF(p) or GF(2^m), the attack time can be reduced by a factor of √2, a small improvement. For subfield curves, those defined over GF(2^ed) with coefficients defining the curve restricted to GF(2^e,