Author(s): Ian F. Blake; G. Seroussi; Nigel P. Smart
Year: 2005
Language: english
London Mathematical Society Lecture Note Series 317
Advances in Elliptic Curve
Cryptography
Edited by
Ian F. Blake
University of Toronto
Gadiel Seroussi
Hewlett-Packard Laboratories
Nigel P. Smart
University of Bristol
Contents
Preface page ix
Abbreviations and Standard Notation xi
Authors xv
Part 1. Protocols
Chapter I. Elliptic Curve Based Protocols
N.P. Smart 3
I.1. Introduction 3
I.2. ECDSA 4
I.3. ECDH/ECMQV 8
I.4. ECIES 12
I.5. Other Considerations 18
Chapter II. On the Provable Security of ECDSA
D. Brown 21
II.1. Introduction 21
II.2. Definitions and Conditions 23
II.3. Provable Security Results 32
II.4. Proof Sketches 33
II.5. Further Discussion 36
Chapter III. Proofs of Security for ECIES
A.W. Dent 41
III.1. Definitions and Preliminaries 42
III.2. Security Proofs for ECIES 50
III.3. Other Attacks Against ECIES 58
III.4. ECIES-KEM 61
Part 2. Implementation Techniques
Chapter IV. Side-Channel Analysis
E. Oswald 69
IV.1. Cryptographic Hardware 70
IV.2. Active Attacks 71
IV.3. Passive Attacks 72
IV.4. Simple SCA Attacks on Point Multiplications 77
IV.5. Differential SCA Attacks on Point Multiplications 84
Chapter V. Defences Against Side-Channel Analysis
M. Joye 87
V.1. Introduction 87
V.2. Indistinguishable Point Addition Formulæ 88
V.3. Regular Point Multiplication Algorithms 93
V.4. Base-Point Randomization Techniques 97
V.5. Multiplier Randomization Techniques 98
V.6. Preventing Side-Channel Analysis 100
Part 3. Mathematical Foundations
Chapter VI. Advances in Point Counting
F. Vercauteren 103
VI.1. p-adic Fields and Extensions 104
VI.2. Satoh’s Algorithm 105
VI.3. Arithmetic Geometric Mean 115
VI.4. Generalized Newton Iteration 121
VI.5. Norm Computation 128
VI.6. Concluding Remarks 132
Chapter VII. Hyperelliptic Curves and the HCDLP
P. Gaudry 133
VII.1. Generalities on Hyperelliptic Curves 133
VII.2. Algorithms for Computing the Group Law 136
VII.3. Classical Algorithms for HCDLP 140
VII.4. Smooth Divisors 142
VII.5. Index-Calculus Algorithm for Hyperelliptic Curves 144
VII.6. Complexity Analysis 146
VII.7. Practical Considerations 149
Chapter VIII. Weil Descent Attacks
F. Hess 151
VIII.1. Introduction – the Weil Descent Methodology 151
VIII.2. The GHS Attack 153
VIII.3. Extending the GHS Attack Using Isogenies 166
VIII.4. Summary of Practical Implications 173
VIII.5. Further Topics 175
Part 4. Pairing Based Techniques
Chapter IX. Pairings
S. Galbraith 183
IX.1. Bilinear Pairings 183
IX.2. Divisors and Weil Reciprocity 184
IX.3. Definition of the Tate Pairing 185
IX.4. Properties of the Tate Pairing 187
IX.5. The Tate Pairing over Finite Fields 189
IX.6. The Weil Pairing 191
IX.7. Non-degeneracy, Self-pairings and Distortion Maps 192
IX.8. Computing the Tate Pairing Using Miller’s Algorithm 196
IX.9. The MOV/Frey–Rück Attack on the ECDLP 197
IX.10. Supersingular Elliptic Curves 198
IX.11. Applications and Computational Problems from Pairings 201
IX.12. Parameter Sizes and Implementation Considerations 203
IX.13. Suitable Supersingular Elliptic Curves 204
IX.14. Efficient Computation of the Tate Pairing 205
IX.15. Using Ordinary Curves 208
Appendix: Proof of Weil Reciprocity 212
Chapter X. Cryptography from Pairings
K.G. Paterson 215
X.1. Introduction 215
X.2. Key Distribution Schemes 218
X.3. Identity-Based Encryption 221
X.4. Signature Schemes 228
X.5. Hierarchical Identity-Based Cryptography and Related Topics 235
X.6. More Key Agreement Protocols 240
X.7. Applications and Infrastructures 242
X.8. Concluding Remarks 250
Bibliography 253
Summary of Major LNCS Proceedings 271
Author Index 273
Subject Index 277
Preface
It is now more than five years since we started working on the book Elliptic
Curves in Cryptography and more than four years since it was published. We
therefore thought it was time to update the book since a lot has happened
in the intervening years. However, it soon became apparent that a simple
update would not be sufficient since so much has been developed in this area.
We therefore decided to develop a second volume by inviting leading experts
to discuss issues which have arisen.
Highlights in the intervening years which we cover in this volume include:
Provable Security. There has been considerable work in the last few years
on proving various practical encryption and signature schemes secure. In this
new volume we will examine the proofs for the ECDSA signature scheme and
the ECIES encryption scheme.
Side-Channel Analysis. The use of power and timing analysis against
cryptographic tokens, such as smart cards, is particularly relevant to elliptic
curves since elliptic curves are meant to be particularly suited to the
constrained environment of smart cards. We shall describe what side-channel
analysis is and how one can use properties of elliptic curves to defend against
it.
Point Counting. In 1999 the only method for computing the group order of
an elliptic curve was the Schoof-Elkies-Atkin algorithm. However, for curves
over fields of small characteristic we now have the far more efficient Satoh
method, which in characteristic two can be further simplified into the AGM-
based method of Mestre. We shall describe these improvements in this book.
Weil Descent. Following a talk by Frey in 1999, there has been considerable
work on showing how Weil descent can be used to break certain elliptic curve
systems defined over “composite fields” of characteristic two.
Pairing-Based Cryptography. The use of the Weil and Tate pairings was
until recently confined to breaking elliptic curve protocols. But since the
advent of Joux’s tripartite Diffie–Hellman protocol there has been an interest
in using pairings on elliptic curves to construct protocols which cannot be
implemented in another way. The most spectacular example of this is the
identity-based encryption algorithm of Boneh and Franklin. We describe not
only these protocols but how these pairings can be efficiently implemented.
As one can see once again, the breadth of subjects we cover will be of
interest to a wide audience, including mathematicians, computer scientists
and engineers. Once again we also do not try to make the entire book relevant
to all audiences at once but trust that, whatever your interests, you can find
something of relevance within these pages.
The overall style and notation of the first book is retained, and we have
tried to ensure that our experts have coordinated what they write to ensure
a coherent account across chapters.
Ian Blake
Gadiel Seroussi
Nigel Smart
Abbreviations and Standard Notation
Abbreviations
The following abbreviations of standard phrases are used throughout the
book:
AES Advanced Encryption Standard
AGM Arithmetic Geometric Mean
BDH Bilinear Diffie–Hellman problem
BSGS Baby Step/Giant Step method
CA Certification Authority
CCA Chosen Ciphertext Attack
CDH Computational Diffie–Hellman problem
CM Complex Multiplication
CPA Chosen Plaintext Attack
DBDH Decision Bilinear Diffie–Hellman problem
DDH Decision Diffie–Hellman problem
DEM Data Encapsulation Mechanism
DHAES Diffie–Hellman Augmented Encryption Scheme
DHIES Diffie–Hellman Integrated Encryption Scheme
DHP Diffie–Hellman Problem
DLP Discrete Logarithm Problem
DPA Differential Power Analysis
DSA Digital Signature Algorithm
DSS Digital Signature Standard
ECDDH Elliptic Curve Decision Diffie–Hellman problem
ECDH Elliptic Curve Diffie–Hellman protocol
ECDHP Elliptic Curve Diffie–Hellman Problem
ECDLP Elliptic Curve Discrete Logarithm Problem
ECDSA Elliptic Curve Digital Signature Algorithm
ECIES Elliptic Curve Integrated Encryption Scheme
ECMQV Elliptic Curve Menezes–Qu–Vanstone protocol
GHS Gaudry–Hess–Smart attack
GRH Generalized Riemann Hypothesis
HCDLP Hyperelliptic Curve Discrete Logarithm Problem
HIBE Hierarchical Identity-Based Encryption
IBE Identity-Based Encryption
IBSE Identity-Based Sign and Encryption
ILA Information Leakage Analysis
KDF Key Derivation Function
KDS Key Distribution System
KEM Key Encapsulation Mechanism
MAC Message Authentication Code
MOV Menezes–Okamoto–Vanstone attack
NIKDS Non-Interactive Key Distribution System
PKI Public Key Infrastructure
RSA Rivest–Shamir–Adleman encryption scheme
SCA Side Channel Analysis
SEA Schoof–Elkies–Atkin algorithm
SHA Secure Hash Algorithm
SPA Simple Power Analysis
SSCA Simple Side-Channel Attack
TA Trusted Authority
Standard notation
The following standard notation is used throughout the book, often with-
out further definition. Other notation is defined locally near its first use.
Basic Notation
Z, Q, R, C integers, rationals, reals and complex numbers
Z>k integers greater than k; similarly for ≥, <, ≤
Z/nZ integers modulo n
#S cardinality of the set S
gcd(f, g), lcm(f, g) GCD, LCM of f and g
deg(f) degree of a polynomial f
φ_Eul Euler totient function
(·/p) Legendre symbol
log_b x logarithm to base b of x; natural log if b omitted
O(f(n)) function g(n) such that |g(n)| ≤ c|f(n)| for some constant c > 0 and all sufficiently large n
o(f(n)) function g(n) such that lim_{n→∞} (g(n)/f(n)) = 0
P^n projective space
Group/Field Theoretic Notation
Fq finite field with q elements
K*, K+, K̄ for a field K, the multiplicative group, additive group and algebraic closure, respectively
char(K) characteristic of K
⟨g⟩ cyclic group generated by g
ord(g) order of an element g in a group
Aut(G) automorphism group of G
Zp, Qp p-adic integers and numbers, respectively
Trq|p(x) trace of x ∈ Fq over Fp, q = pn
µn nth roots of unity
NL/K norm map
Function Field Notation
deg(D) degree of a divisor
(f) divisor of a function
f(D) function evaluated at a divisor
∼ equivalence of divisors
ordP (f) multiplicity of a function at a point
Galois Theory Notation
Gal(K/F) Galois group of K over F
σ(P) Galois conjugation of point P by σ
f^σ Galois conjugation of coefficients of function f by σ
Curve Theoretic Notation
E elliptic curve (equation)
(xP , yP ) coordinates of the point P
x(P) the x-coordinate of the point P
y(P) the y-coordinate of the point P
E(K) group of K-rational points on E
[m]P multiplication-by-m map applied to the point P
E[m] group of m-torsion points on the elliptic curve E
End(E) endomorphism ring of E
O point at infinity (on an elliptic curve)
℘ Weierstraß ‘pe’ function
ϕ Frobenius map
⟨P, Q⟩_n Tate pairing of P and Q
en(P, Q) Weil pairing of P and Q
e(P, Q) pairing of P and Q
ê(P, Q) modified pairing of P and Q
Tr(P) trace map
T trace zero subgroup
Authors
We would like to acknowledge the following people who contributed chap-
ters to this book.
Dan Brown,
Certicom Corp.,
Mississauga,
Canada.
Steven Galbraith,
Mathematics Department,
Royal Holloway,
University of London,
United Kingdom.
Florian Hess,
Institut für Mathematik,
T.U. Berlin,
Germany.
Elisabeth Oswald,
Institute for Applied Information
Processing and Communications,
Graz University of Technology,
Austria.
Nigel Smart,
Department of Computer Science,
University of Bristol,
United Kingdom.
Alex Dent,
Mathematics Department,
Royal Holloway,
University of London,
United Kingdom.
Pierrick Gaudry,
Laboratoire d’Informatique (LIX),
École Polytechnique,
France.
Marc Joye,
Card Security Group,
Gemplus,
France.
Kenneth G. Paterson,
Info. Sec. Group,
Royal Holloway,
University of London,
United Kingdom.
Frederik Vercauteren,
Department of Computer Science,
University of Bristol,
United Kingdom.
The editors would like to thank Marc Joye for various bits of LaTeX help
and Georgina Cranshaw and Ian Holyer for organizing our system for
exchanging various files and keeping things up to date. As always, Roger Astley
of Cambridge University Press was very helpful throughout the whole process.
The authors of each chapter would like to thank the following for helping
in checking and in the creation of their respective chapters:
• Nigel Smart: Alex Dent and Dan Brown.
• Dan Brown: Nigel Smart, Alex Dent, Kenneth Paterson and Ian
Blake.
• Alex Dent: Bill and Jean Dent, Steven Galbraith, Becky George,
Louis Granboulan, Victor Shoup, Andrew Spicer and Christine Swart
(twice).
• Steven Galbraith: Paulo Barreto, Dan Boneh, Young-Ju Choie,
Keith Harrison, Florian Hess, Neal Koblitz, Wenbo Mao, Kim Nguyen,
Kenny Paterson, Maura Paterson, Hans-Georg Rück, Adam Saunders,
Alice Silverberg, Lawrence Washington, Annegret Weng, Bill Williams
and The Nuffield Foundation (Grant NUF-NAL 02).
• Elisabeth Oswald: The power traces presented in this chapter were
made with the FPGA measurement-setup which was built by Sıddıka
Berna Örs and has been presented in [268].
• Marc Joye: Benoı̂t Chevallier-Mames and Tanja Lange.
• Kenneth G. Paterson: Sattam Al-Riyami, Alex Dent, Steven
Galbraith, Caroline Kudla and The Nuffield Foundation (Grant NUF-NAL
02).
CHAPTER I
Elliptic Curve Based Protocols
N.P. Smart
I.1. Introduction
In this chapter we consider the various cryptographic protocols in which
elliptic curves are primarily used. We present these in greater detail than in
the book [ECC] and focus on their cryptographic properties. We shall only
focus on three areas: signatures, encryption and key agreement. For each of
these areas we present the most important protocols, as defined by various
standard bodies.
The standardization of cryptographic protocols, and elliptic curve
protocols in particular, has come a long way in the last few years. Standardization
is important if one wishes to deploy systems on a large scale, since
different users may have different hardware/software combinations. Working to a
well-defined standard for any technology aids interoperability and so should
aid the takeup of the technology.
In the context of elliptic curve cryptography, standards are defined so
that one knows not only the precise workings of each algorithm, but also
the format of the transmitted data. For example, a standard answers such
questions as
• In what format are finite field elements and elliptic curve points to be
transmitted?
• How are public keys to be formatted before being signed in a certificate?
• How are conversions going to be performed between arbitrary bit strings
to elements of finite fields, or from finite field elements to integers, and
vice versa?
• How are options such as the use of point compression (see [ECC,
Chapter VI]) or the choice of curve to be signalled to the user?
A number of standardization efforts have taken place, and many of these
reduce the choices available to an implementor by recommending or mandating
certain parameters, such as specific curves and/or specific finite fields. This
not only aids interoperability, it also means that there are well-defined
sets of parameter choices that experts agree provide a given security level. In
addition, by recommending curves it means that not everyone who wishes
to deploy elliptic curve based solutions needs to implement a point counting
method like those in Chapter VI or [ECC, Chapter VII]. Indeed, since many
curves occur in more than one standard, if one selects a curve from the
intersection then your system will be more likely to interoperate with people who
follow a different standard from you.
Of particular relevance to elliptic curve cryptography are the following
standards:
• IEEE 1363: This standard contains virtually all public-key
algorithms. In particular, it covers ECDH, ECDSA, ECMQV and ECIES,
all of which we discuss in this chapter. In addition, this standard
contains a nice appendix covering all the basic number-theoretic algorithms
required for public-key cryptography.
• ANSI X9.62 and X9.63: These two standards focus on elliptic curves
and deal with ECDSA in X9.62 and ECDH, ECMQV and ECIES in
X9.63. They specify both the message formats to be used and give a
list of recommended curves.
• FIPS 186.2: This NIST standard for digital signatures is an update
of the earlier FIPS 186 [FIPS 186], which details the DSA algorithm
only. FIPS 186.2 specifies both DSA and ECDSA and gives a list of
recommended curves, which are mandated for use in U.S. government
installations.
• SECG: The SECG standard was written by an industrial group led
by Certicom. It essentially mirrors the contents of the ANSI standards
but is more readily available on the Web, from the site
http://www.secg.org/
• ISO: There are two relevant ISO standards: ISO 15946-2, which covers
ECDSA and a draft ISO standard covering a variant of ECIES called
ECIES-KEM; see [305].
I.2. ECDSA
ECDSA is the elliptic curve variant of the Digital Signature Algorithm
(DSA) or, as it is sometimes called, the Digital Signature Standard (DSS).
Before presenting ECDSA it may be illustrative to describe the original DSA
so one can see that it is just a simple generalization.
In DSA one first chooses a hash function H that outputs a bit-string of
length m bits. Then one defines a prime q of over m bits, and a prime p of
n bits such that
• q divides p − 1.
• The discrete logarithm problem in the subgroup of F_p of order q is
infeasible.
With current techniques and computing technology, this second point means
that n should be at least 1024, whilst to avoid birthday attacks on the hash
function one chooses a value of m greater than 160.
One then needs to find a generator g for the subgroup of order q in F_p^*.
This is done by generating random elements h ∈ F_p^* and computing
g = h^((p−1)/q) (mod p)
until one obtains a value of g that is not equal to 1. Actually, there is only a
1/q chance of this not working with the first h one chooses; hence finding a
generator g is very simple.
Typically with DSA one uses SHA-1 [FIPS 180.1] as the hash function,
although with the advent of SHA-256, SHA-384 and SHA-512 [FIPS 180.2]
one now has a larger choice for larger values of m.
The quadruple (H, p, q, g) is called a set of domain parameters for the
system, since they are often shared across a large number of users, e.g. a user
domain. Essentially the domain parameters define a hash function, a group
of order q, and a generator of this group.
The DSA makes use of the function
f : F_p^* → F_q, x ↦ x (mod q),
where one interprets x ∈ F_p^* as an integer when performing the reduction
modulo q. This function is used to map group elements to integers modulo q
and is often called the conversion function.
As a public/private-key pair in the DSA system one uses (y, x) where
y = g^x (mod p).
The DSA signature algorithm then proceeds as follows:
Algorithm I.1: DSA Signing
INPUT: A message m and private key x.
OUTPUT: A signature (r, s) on the message m.
1. Choose k ∈R {1, . . . , q − 1}.
2. t ← g^k (mod p).
3. r ← f(t).
4. If r = 0 then goto Step 1.
5. e ← H(m).
6. s ← (e + xr)/k (mod q)
7. If s = 0 then goto Step 1.
8. Return (r, s).
The verification algorithm is then given by
Algorithm I.2: DSA Verification
INPUT: A message m, a public key y and a signature (r, s).
OUTPUT: Reject or Accept.
1. Reject if r, s ∉ {1, . . . , q − 1}.
2. e ← H(m).
3. u1 ← e/s (mod q), u2 ← r/s (mod q).
4. t ← g^(u1) · y^(u2) (mod p).
5. Accept if and only if r = f(t).
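The following Python script is added here as a worked example of Algorithms I.1 and I.2 and is not code from the book. It generates a set of DSA domain parameters (a prime q, a prime p = c·q + 1 found with a Miller-Rabin test, and g = h^((p−1)/q) mod p obtained exactly as described above), signs and verifies a message, and includes a check_domain_params routine listing the conditions a recipient should confirm before trusting a (p, q, g) triple supplied by somebody else. The parameter sizes (a 64-bit q inside a 192-bit p, chosen so the script runs in well under a second), the use of SHA-256 reduced modulo q as H, and all function names are this example's own choices; real deployments use the sizes the text gives and the digest truncation rule of FIPS 186 rather than a plain reduction.

```python
"""DSA domain parameters, signing and verification (Algorithms I.1 / I.2).

Added example, not the book's code.  Toy sizes: 64-bit q, 192-bit p.
H is SHA-256 reduced modulo q (a constructed simplification; FIPS 186
takes the leftmost min(N, outlen) bits of the digest instead).
"""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(x, rounds=32):
    """Miller-Rabin with random bases; error probability at most 4^-rounds."""
    if x < 2:
        return False
    for sp in SMALL_PRIMES:
        if x % sp == 0:
            return x == sp
    d, r = x - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        v = pow(secrets.randbelow(x - 3) + 2, d, x)
        if v in (1, x - 1):
            continue
        for _ in range(r - 1):
            v = v * v % x
            if v == x - 1:
                break
        else:
            return False
    return True


def find_generator(p, q):
    """g = h^((p-1)/q) mod p for random h, retried until g != 1 (each try fails with prob. 1/q)."""
    while True:
        h = secrets.randbelow(p - 2) + 2          # h in {2, ..., p-1}
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return g


def gen_domain_params(qbits=64, pbits=192):
    """Return (p, q, g): q a qbits prime, p = c*q + 1 a pbits prime, g of order q."""
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1   # odd, top bit set
        if is_probable_prime(q):
            break
    while True:
        c = secrets.randbits(pbits - qbits) | (1 << (pbits - qbits - 1))
        p = c * q + 1                                          # q | p - 1 by construction
        if p.bit_length() == pbits and is_probable_prime(p):
            break
    return p, q, find_generator(p, q)


def check_domain_params(p, q, g):
    """What a recipient should verify before using somebody else's (p, q, g)."""
    return (is_probable_prime(p) and is_probable_prime(q)
            and (p - 1) % q == 0 and 1 < g < p and pow(g, q, p) == 1)


def hash_to_zq(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def dsa_keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1          # private key x in {1, ..., q-1}
    return pow(g, x, p), x                    # (y, x)


def dsa_sign(msg, x, p, q, g):
    e = hash_to_zq(msg, q)
    while True:
        k = secrets.randbelow(q - 1) + 1      # fresh ephemeral secret for every signature
        r = pow(g, k, p) % q                  # r = f(t) with f(t) = t mod q
        if r == 0:
            continue
        s = (e + x * r) * pow(k, -1, q) % q
        if s != 0:
            return r, s


def dsa_verify(msg, y, sig, p, q, g):
    r, s = sig
    if not (1 <= r <= q - 1 and 1 <= s <= q - 1):
        return False
    e = hash_to_zq(msg, q)
    w = pow(s, -1, q)
    u1, u2 = e * w % q, r * w % q
    t = pow(g, u1, p) * pow(y, u2, p) % p
    return r == t % q


if __name__ == "__main__":
    p, q, g = gen_domain_params()
    assert check_domain_params(p, q, g)
    y, x = dsa_keygen(p, q, g)
    msg = b"constructed sample message"
    print("valid:", dsa_verify(msg, y, dsa_sign(msg, x, p, q, g), p, q, g))
```

The check_domain_params test is the part that matters operationally: a signer who accepts (p, q, g) from a peer without confirming that q is prime, that q divides p − 1 and that g has order exactly q is signing in a group whose structure the peer controls.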
For ECDSA, the domain parameters are given by (H, K, E, q, G), where
H is a hash function, E is an elliptic curve over the finite field K, and G
is a point on the curve of prime order q. Hence, the domain parameters
again define a hash function, a group of order q, and a generator of this
group. We shall always denote elliptic curve points by capital letters to aid
understanding. With the domain parameters one also often stores the integer
h, called the cofactor, such that
#E(K) = h · q.
This is because the value h will be important in other protocols and oper-
ations, which we shall discuss later. Usually one selects a curve such that
h ≤ 4.
The public/private-key pair is given by (Y, x), where
Y = [x]G,
and the role of the function f is taken by
f :
E −→ Fq
P −→ x(P) (mod q),
where x(P) denotes the x-coordinate of the point P and we interpret this as
an integer when performing the reduction modulo q. This interpretation is
made even when the curve is defined over a field of characteristic two. In the
case of even characteristic fields, one needs a convention as to how to convert
an element in such a field, which is usually a binary polynomial g(x), into an
integer. Almost all standards adopt the convention that one simply evaluates
g(2) over the integers. Hence, the polynomial
$$x^{5} + x^{2} + 1$$
is interpreted as the integer 37, since
$$37 = 32 + 4 + 1 = 2^{5} + 2^{2} + 1.$$
The ECDSA algorithm then follows immediately from the DSA algorithm
as:
Algorithm I.3: ECDSA Signing
INPUT: A message m and private key x.
OUTPUT: A signature (r, s) on the message m.
1. Choose k ∈R {1, . . . , q − 1}.
2. T ← [k]G.
3. r ← f(T).
4. If r = 0 then goto Step 1.
5. e ← H(m)
6. s ← (e + xr)/k (mod q).
7. If s = 0 then goto Step 1.
8. Return (r, s).
The verification algorithm is then given by
Algorithm I.4: ECDSA Verification
INPUT: A message m, a public key Y and a signature (r, s).
OUTPUT: Reject or Accept.
1. Reject unless r, s ∈ {1, . . . , q − 1}.
2. e ← H(m).
3. u1 ← e/s (mod q), u2 ← r/s (mod q).
4. T ← [u1]G + [u2]Y .
5. Accept if and only if r = f(T).
One can show that ECDSA is provably secure, assuming that the elliptic
curve group is modelled in a generic manner and H is a “good” hash function;
see Chapter II for details.
An important aspect of both DSA and ECDSA is that the ephemeral
secret k needs to be truly random. As a simple example of why this is so,
consider the case where someone signs two different messages, m and m', with
the same value of k. The signatures are then (r, s) and (r', s'), where
$$r = r' = f([k]G);$$
$$s = (e + xr)/k \pmod q, \quad \text{where } e = H(m);$$
$$s' = (e' + xr)/k \pmod q, \quad \text{where } e' = H(m').$$
We then have that
$$(e + xr)/s = k = (e' + xr)/s' \pmod q.$$
In which case we can deduce
$$xr(s' - s) = se' - s'e,$$
and hence
$$x = \frac{se' - s'e}{r(s' - s)} \pmod q.$$
So from now on we shall assume that each value of k is chosen at random.
In addition, due to a heuristic lattice attack of Howgrave-Graham and
Smart [174], if a certain subset of the bits in k can be obtained by the
attacker, then, over a number of signed messages, one can recover the long
term secret x. This leakage of bits, often called partial key exposure, could
occur for a number of reasons in practical systems, for example, by using
a poor random number generator or by side-channel analysis (see Chapter
IV for further details on side-channel analysis). The methods of Howgrave-
Graham and Smart have been analysed further and extended by Nguyen and
Shparlinski (see [261] and [262]). Another result along these lines is the
attack of Bleichenbacher [31], who shows how a small bias in the random
number generator, used to produce k, can lead to the recovery of the long-
term secret x.
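The k-reuse derivation above, carried out in code on a constructed toy DSA parameter set, with Algorithms I.1 and I.2 alongside so that the recovered key can be checked against the signatures. This is added example code, not the book's: the parameters p = 2879, q = 1439, the use of SHA-256 reduced modulo q as the digest, and the retry loops standing in for "goto Step 1" are all assumptions made here.

```python
import hashlib

# Constructed toy DSA domain parameters (far too small for real use): p = 2879 and
# q = 1439 are primes with q | p - 1, so F_p^* has a unique subgroup of order q.
P, Q = 2879, 1439


def find_generator(p, q, h=2):
    """g = h^((p-1)/q) mod p has order q unless it equals 1 (a 1/q chance per h)."""
    while True:
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return g
        h += 1


G = find_generator(P, Q)


def f(t, q=Q):
    """Conversion function: read t in F_p^* as an integer and reduce it modulo q."""
    return t % q


def H(m, q=Q):
    """Message digest reduced into Z_q (SHA-256 here, where the text uses SHA-1)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % q


def keygen(x):
    """Private key x in {1, ..., q-1}; public key y = g^x mod p."""
    return pow(G, x, P)


def sign(x, m, k):
    """Algorithm I.1 with the ephemeral k supplied by the caller.  ValueError stands
    for 'goto Step 1': the caller must pick a fresh (random, never reused) k."""
    if not 1 <= k <= Q - 1:
        raise ValueError("k out of range")
    r = f(pow(G, k, P))                  # Steps 2-3: r = f(g^k mod p)
    if r == 0:
        raise ValueError("r = 0")
    e = H(m)
    s = (e + x * r) * pow(k, -1, Q) % Q  # Step 6: s = (e + x r) / k mod q
    if s == 0:
        raise ValueError("s = 0")
    return r, s


def sign_retrying(x, m, k):
    """Deterministic stand-in for the retry loop, for this toy only: bumps k until
    Algorithm I.1 succeeds and returns the k actually used together with (r, s)."""
    while True:
        try:
            return k, sign(x, m, k)
        except ValueError:
            k += 1


def verify(y, m, sig):
    """Algorithm I.2; the range check on r and s comes first."""
    r, s = sig
    if not (1 <= r <= Q - 1 and 1 <= s <= Q - 1):
        return False
    w = pow(s, -1, Q)
    u1, u2 = H(m) * w % Q, r * w % Q
    t = pow(G, u1, P) * pow(y, u2, P) % P
    return r == f(t)


def recover_x(m1, sig1, m2, sig2):
    """x = (s e' - s' e) / (r (s' - s)) mod q for two signatures that share r, i.e. k."""
    r, s = sig1
    r2, s2 = sig2
    if r != r2 or s == s2:
        raise ValueError("signatures do not share an ephemeral value")
    e, e2 = H(m1), H(m2)
    return (s * e2 - s2 * e) * pow(r * (s2 - s) % Q, -1, Q) % Q


def nonce_reuse_demo(x=1234, k=777):
    """Sign two distinct messages under one k and return (x, recovered x)."""
    y = keygen(x)
    m1 = b"transfer 10"
    # pick a second message whose digest differs modulo q (q is tiny here)
    m2 = next(b"transfer %d" % i for i in range(11, 200) if H(b"transfer %d" % i) != H(m1))
    while True:
        try:
            sig1, sig2 = sign(x, m1, k), sign(x, m2, k)
            break
        except ValueError:
            k += 1
    assert verify(y, m1, sig1) and verify(y, m2, sig2)
    return x, recover_x(m1, sig1, m2, sig2)
```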
I.3. ECDH/ECMQV
Perhaps the easiest elliptic curve protocol to understand is the elliptic
curve variant of the Diffie–Hellman protocol, ECDH. In this protocol two
parties, usually called Alice and Bob, wish to agree on a shared secret over
an insecure channel. They first need to agree on a set of domain parame-
ters (K, E, q, h, G) as in our discussion on ECDSA. The protocol proceeds as
follows:
    Alice                          Bob
    a
                   [a]G
              ------------>        [a]G
                   [b]G
    [b]G      <------------        b
Alice can now compute
KA = [a]([b]G) = [ab]G
and Bob can now compute
KB = [b]([a]G) = [ab]G.
Hence KA = KB and both parties have agreed on the same secret key. The
messages transferred are often referred to as ephemeral public keys, since they
are of the form of discrete logarithm based public keys, but they exist for only
a short period of time.
Given [a]G and [b]G, the problem of recovering [ab]G is called the Elliptic
Curve Diffie–Hellman Problem, ECDHP. Clearly, if we can solve ECDLP
then we can solve ECDHP; it is unknown if the other implication holds. A
proof of equivalence of the DHP and DLP for many black box groups follows
from the work of Boneh, Maurer and Wolf. This proof uses elliptic curves in
a crucial way; see [ECC, Chapter IX] for more details.
The ECDH protocol has particularly small bandwidth if point compression
is used and is very efficient compared to the standard, finite field based, Diffie–
Hellman protocol.
The Diffie–Hellman protocol is a two-pass protocol, since there are two
message flows in the protocol. The fact that both Alice and Bob need to be
“online” to execute the protocol can be a problem in some situations. Hence,
a one-pass variant exists in which only Alice sends a message to Bob. Bob’s
ephemeral public key [b]G now becomes a long-term static public key, and
the protocol is simply a mechanism for Alice to transport a new session key
over to Bob.
Problems can occur when one party does not send an element in the
subgroup of order q. This can either happen by mistake or by design. To
avoid this problem a variant called cofactor Diffie–Hellman is sometimes used.
In cofactor Diffie–Hellman the shared secret is multiplied by the cofactor h
before use, i.e., Alice and Bob compute
KA = [h]([a]([b]G)) and KB = [h]([b]([a]G)).
The simplicity of the Diffie–Hellman protocol can however be a disguise,
since in practice life is not so simple. For example, ECDH suffers from the
man-in-the-middle attack:
    Alice                Eve                   Bob
    a
              [a]G
          --------->     [a]G
              [x]G
    [x]G  <---------     x
                         y          [y]G
                               --------->      [y]G
                                    [b]G
                         [b]G  <---------      b
In this attack, Alice agrees a key KA = [a]([x]G) with Eve, thinking it is
agreed with Bob, and Bob agrees a key KB = [b]([y]G) with Eve, thinking
it is agreed with Alice. Eve can now examine communications as they pass
through her by essentially acting as a router.
The problem is that when performing ECDH we obtain no data-origin
authentication. In other words, Alice does not know who the ephemeral public
key she receives is from. One way to obtain data-origin authentication is to
sign the messages in the Diffie–Hellman key exchange. Hence, for example,
Alice must send to Bob the value
([a]G, (r, s)),
where (r, s) is her ECDSA signature on the message [a]G.
One should compare this model of authenticated key exchange with the
traditional form of RSA-based key transport, as used in SSL. In RSA-based
key transport, the RSA public key is used to encrypt a session key from one
user to the other. The use of a signed Diffie–Hellman key exchange has a
number of advantages over an RSA-based key transport:
• In key transport only one party generates the session key, while in
key agreement both parties can contribute randomness to the resulting
session key.
• Signed ECDH has the property of forward secrecy, whereas an RSA-
based key transport does not. An authenticated key agreement/transport
protocol is called forward secure if the compromise of the long-term
static key does not result in past session keys being compromised. RSA
key transport is not forward secure since once you have the long-term
RSA decryption key of the recipient you can determine the past ses-
sion keys; however, in signed ECDH the long-term private keys are only
used to produce signatures.
However, note that the one-pass variant of ECDH discussed above, being a
key transport mechanism, also suffers from the above two problems of RSA
key transport.
The problem with signed ECDH is that it is wasteful of bandwidth. To
determine the session key we need to append a signature to the message flows.
An alternative system is to return to the message flows in the original ECDH
protocol but change the way that the session key is derived. If the session
key is derived using static public keys, as well as the transmitted ephemeral
keys, we can obtain implicit authentication of the resulting session key. This
is the approach taken in the MQV protocol of Law, Menezes, Qu, Solinas and
Vanstone [216].
In the MQV protocol both parties are assumed to have long-term static
public/private key pairs. For example, we shall assume that Alice has the
static key pair ([a]G, a) and Bob has the static key pair ([c]G, c). To agree
on a shared secret, Alice and Bob generate two ephemeral key pairs; for
example, Alice generates the ephemeral key pair ([b]G, b) and Bob generates
the ephemeral key pair ([d]G, d). They exchange the public parts of these
ephemeral keys as in the standard ECDH protocol:
    Alice                          Bob
    b
                   [b]G
              ------------>        [b]G
                   [d]G
    [d]G      <------------        d.
Hence, the message flows are precisely the same as in the ECDH protocol.
After the exchange of messages Alice knows
a, b, [a]G, [b]G, [c]G and [d]G,
and Bob knows
c, d, [c]G, [d]G, [a]G and [b]G.
The shared secret is then determined by Alice via the following algorithm:
Algorithm I.5: ECMQV Key Derivation
INPUT: A set of domain parameters (K, E, q, h, G)
and a, b, [a]G, [b]G, [c]G and [d]G.
OUTPUT: A shared secret G,
shared with the entity with public key [c]G.
1. n ← $\lceil \log_2(\#K) \rceil / 2$.
2. u ← (x([b]G) (mod $2^{n}$)) + $2^{n}$.
3. s ← b + ua (mod q).
4. v ← (x([d]G) (mod $2^{n}$)) + $2^{n}$.
5. Q ← [s]([d]G + [v]([c]G)).
6. If Q is at infinity goto Step 1.
7. Output Q.
Bob can also compute the same value of Q by swapping the occurrence
of (a, b, c, d) in the above algorithm with (c, d, a, b). If we let uA, vA and sA
denote the values of u, v and s computed by Alice and uB, vB and sB denote
the corresponding values computed by Bob, then we see
uA = vB,
vA = uB.
We then see that
Q = [sA] ([d]G + [vA]([c]G))
= [sA][d + vAc]G
= [sA][d + uBc]G
= [sA][sB]G.
In addition, a cofactor variant can be used by setting Q ← [h]Q before the
test for whether Q is the point at infinity in Step 6.
In summary, the ECMQV protocol allows authentic key agreement to
occur over an insecure channel, whilst only requiring the same bandwidth as
an unauthenticated Diffie–Hellman.
One can also have a one-pass variant of the ECMQV protocol, which
enables one party to be offline when the key is agreed. Suppose Bob is the
party who is offline; he will still have a long-term static public/private key
pair given by [c]G. Alice then uses this public key both as the long-term key
and the ephemeral key in the above protocol. Hence, Alice determines the
shared secret via
Q = [sA] (([c]G) + [vA]([c]G)) = [sA][vA + 1]([c]G),
where, as before, sA = b + uAa, with a the long-term private key and b the
ephemeral private key. Bob then determines the shared secret via
Q = [sB] (([b]G) + [vB]([a]G)) ,
where sB is now fixed and equal to (1 + uB)c.
It is often the case that a key agreement protocol also requires key con-
firmation. This means that both communicating parties know that the other
party has managed to compute the shared secret. For ECMQV this is added
by slightly modifying the protocol. Each party, on computing the shared
secret point Q, then computes
$$(k, k') \leftarrow H(Q),$$
where H is a hash function (or key derivation function). The key k is used as
the shared session key, whilst k' is used as a key to a Message Authentication
Code, MAC, to enable key confirmation.
This entire procedure is accomplished in three passes as follows:
    Alice                          Bob
    b
                   [b]G
              ------------>        [b]G
                   [d]G, M
    [d]G, M   <------------        d
                   M'
              ------------>        M'
where
$$M = \mathrm{MAC}_{k'}(2, \mathrm{Bob}, \mathrm{Alice}, [d]G, [b]G),$$
$$M' = \mathrm{MAC}_{k'}(3, \mathrm{Alice}, \mathrm{Bob}, [b]G, [d]G).$$
Of course Alice needs to verify that M is correct upon receiving it, and Bob
needs to do likewise for M'.
I.4. ECIES
The elliptic curve integrated encryption system (ECIES) is the standard
elliptic curve based encryption algorithm. It is called integrated, since it is
a hybrid scheme that uses a public-key system to transport a session key
for use by a symmetric cipher. It is based on the DHAES/DHIES protocol
of Abdalla, Bellare and Rogaway [1]. Originally called DHAES, for Diffie–
Hellman Augmented Encryption Scheme, the name was changed to DHIES,
for Diffie–Hellman Integrated Encryption Scheme, so as to avoid confusion
with the AES, Advanced Encryption Standard.
ECIES is a public-key encryption algorithm. Like ECDSA, there is as-
sumed to be a set of domain parameters (K, E, q, h, G), but to these we also
add a choice of symmetric encryption/decryption functions, which we shall
denote Ek(m) and Dk(c). The use of a symmetric encryption function makes
it easy to encrypt long messages. In addition, instead of a simple hash func-
tion, we require two special types of hash functions:
• A message authentication code $\mathrm{MAC}_k(c)$,
$$\mathrm{MAC} : \{0, 1\}^{n} \times \{0, 1\}^{*} \longrightarrow \{0, 1\}^{m}.$$
This acts precisely like a standard hash function except that it has a
secret key passed to it as well as a message to be hashed.
• A key derivation function KD(T, l),
$$\mathrm{KD} : E \times \mathbb{N} \longrightarrow \{0, 1\}^{*}.$$
A key derivation function acts precisely like a hash function except
that the output length (the second parameter) could be quite large.
The output is used as a key to encrypt a message; hence, if the key is
to be used in a xor-based encryption algorithm the output needs to be
as long as the message being encrypted.
The ECIES scheme works like a one-pass Diffie–Hellman key transport,
where one of the parties is using a fixed long-term key rather than an ephemeral
one. This is followed by symmetric encryption of the actual message. In the
following we assume that the combined length of the required MAC key and
the required key for the symmetric encryption function is given by l.
The recipient is assumed to have a long-term public/private-key pair
(Y, x), where
Y = [x]G.
The encryption algorithm proceeds as follows:
Algorithm I.6: ECIES Encryption
INPUT: Message m and public key Y .
OUTPUT: The ciphertext (U, c, r).
1. Choose k ∈R {1, . . . , q − 1}.
2. U ← [k]G.
3. T ← [k]Y .
4. (k1 ‖ k2) ← KD(T, l).
5. Encrypt the message, c ← Ek1 (m).
6. Compute the MAC on the ciphertext, r ← MACk2 (c).
7. Output (U, c, r).
Each element of the ciphertext (U, c, r) is important:
• U is needed to agree the ephemeral Diffie–Hellman key T.
• c is the actual encryption of the message.
• r is used to avoid adaptive chosen ciphertext attacks.
Notice that the data item U can be compressed to reduce bandwidth, since
it is an elliptic curve point.
Decryption proceeds as follows:
Algorithm I.7: ECIES Decryption
INPUT: Ciphertext (U, c, r) and a private key x.
OUTPUT: The message m or an ‘‘Invalid Ciphertext’’ message.
1. T ← [x]U.
2. (k1 ‖ k2) ← KD(T, l).
3. Decrypt the message m ← Dk1 (c).
4. If r ≠ MACk2 (c) then output ‘‘Invalid Ciphertext’’.
5. Output m.
Notice that the T computed in the decryption algorithm is the same as
the T computed in the encryption algorithm since
Tdecryption = [x]U = [x]([k]G) = [k]([x]G) = [k]Y = Tencryption.
One can show that, assuming various properties of the block cipher, key
derivation function and keyed hash function, the ECIES scheme is secure
against adaptive chosen ciphertext attack, assuming a variant of the Diffie–
Hellman problem in the elliptic curve group is hard; see [1] and Chapter
III.
In many standards, the function KD is applied to the x-coordinate of
the point T and not the point T itself. This is more efficient in some cases
but leads to the scheme suffering from a problem called benign malleability.
Benign malleability means that an adversary is able, given a ciphertext C,
to produce a different valid ciphertext C' of the same message. For ECIES,
if C = (U, c, r), then C' = (−U, c, r), since if KD is only applied to the
x-coordinate of U, both C and C' are different valid ciphertexts corresponding
to the same message.
The problem with benign malleability is that it means the scheme cannot
be made secure under the formal definition of an adaptive chosen ciphertext
attack. However, the issue is not that severe and can be solved, theoretically,
by using a different but equally sensible definition of security. No one knows
how to use the property of benign malleability in a “real-world” attack, and
so whether one chooses a standard where KD is applied to T or just x(T) is
really a matter of choice.
In addition, to avoid problems with small subgroups, just as in the ECDH
and ECMQV protocols, one can select to apply KD to either T or [h]T. The
use of [h]T means that the key derivation function is applied to an element
in the group of order q, and hence if T is a point in the small subgroup one
would obtain [h]T = O.
The fact that ECIES suffers from benign malleability, and the fact that
the cofactor variant can lead to interoperability problems, has led to a new
approach being taken to ECIES in the draft ISO standard [305].
The more modern approach is to divide a public-key encryption algorithm
into a key transport mechanism, called a Key Encapsulation Mechanism,
or KEM, and a Data Encapsulation Mechanism, or DEM. This combined
KEM/DEM approach has proved to be very popular in recent work because
it divides the public key algorithm into two well-defined stages, which aids in
the security analysis.
We first examine a generic DEM, which requires a MAC function MACk
of key length n bits and a symmetric cipher Ek of key length m bits. The
Data Encapsulation Mechanism then works as follows:
Algorithm I.8: DEM Encryption
INPUT: A key K of length n + m bits and a message M.
OUTPUT: A ciphertext C
1. Parse K as k1 ‖ k2,
where k1 has m bits and k2 has n bits.
2. c ← Ek1 (M).
3. r ← MACk2 (c).
4. C ← (c ‖ r).
Decryption then proceeds as follows:
Algorithm I.9: DEM Decryption
INPUT: A key K of length n + m bits and a ciphertext C.
OUTPUT: A message M or ‘‘Invalid Ciphertext’’.
1. Parse K as k1 ‖ k2,
where k1 has m bits and k2 has n bits.
2. Parse C as c ‖ r,
this could result in an ‘‘Invalid Ciphertext’’ warning.
3. Decrypt the message M ← Dk1 (c).
4. If r ≠ MACk2 (c) then output ‘‘Invalid Ciphertext’’.
5. Output M.
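Algorithms I.8 and I.9 as added example code (not from the book), with HMAC-SHA256 standing in for MAC_k (n = 256) and a constructed SHA-256 keystream XOR standing in for E_k/D_k (m = 128); both choices are assumptions made here. The MAC is checked before D_k1 runs, so no plaintext is ever produced for a forged ciphertext, and both the parse failure of Step 2 and the MAC failure of Step 4 return ‘‘Invalid Ciphertext’’.

```python
import hashlib
import hmac

ENC_KEY_BITS = 128   # m: key length of the symmetric cipher E_k below
MAC_KEY_BITS = 256   # n: key length of MAC_k (HMAC-SHA256)
TAG_LEN = 32         # length in bytes of r = MAC_k2(c)
INVALID = "Invalid Ciphertext"


def E(k1, data):
    """Constructed XOR stream cipher, used only to keep this example self-contained:
    keystream block i is SHA-256(k1 || i).  Decryption D_k is the same operation."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(k1 + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


D = E


def _split_key(K):
    """Step 1 of both algorithms: K = k1 || k2 with k1 of m bits and k2 of n bits."""
    if len(K) != (ENC_KEY_BITS + MAC_KEY_BITS) // 8:
        raise ValueError("K must be exactly n + m bits long")
    return K[:ENC_KEY_BITS // 8], K[ENC_KEY_BITS // 8:]


def dem_encrypt(K, M):
    """Algorithm I.8: c = E_k1(M), r = MAC_k2(c), C = c || r."""
    k1, k2 = _split_key(K)
    c = E(k1, M)
    r = hmac.new(k2, c, hashlib.sha256).digest()
    return c + r


def dem_decrypt(K, C):
    """Algorithm I.9.  Both the parse step and the MAC check return INVALID; the MAC
    is verified before D_k1 is run, so no plaintext exists for a forged ciphertext."""
    k1, k2 = _split_key(K)
    if len(C) < TAG_LEN:                       # Step 2: C cannot be parsed as c || r
        return INVALID
    c, r = C[:-TAG_LEN], C[-TAG_LEN:]
    expected = hmac.new(k2, c, hashlib.sha256).digest()
    if not hmac.compare_digest(r, expected):   # Step 4, compared in constant time
        return INVALID
    return D(k1, c)                            # Steps 3 and 5
```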
To use a DEM we require a KEM, and we shall focus on one based on
ECIES called ECIES-KEM. A KEM encryption function takes as input a pub-
lic key and outputs a session key and the encryption of the session key under
the given public key. The KEM decryption operation takes as input a pri-
vate key and the output from a KEM encryption and produces the associated
session key.
As mentioned before, the definition of ECIES-KEM in the draft ISO stan-
dard is slightly different from earlier versions of ECIES. In particular, the
way the ephemeral secret is processed to deal with small subgroup attacks
and how chosen ciphertext attacks are avoided is changed in the following
scheme. The processing with the cofactor is now performed solely in the de-
cryption phase, as we shall describe later. First we present the encryption
phase for ECIES-KEM.
Again, the recipient is assumed to have a long-term public/private-key
pair (Y, x), where
Y = [x]G.
The encryption algorithm proceeds as follows:
Algorithm I.10: ECIES-KEM Encryption
INPUT: A public key Y and a length l.
OUTPUT: A session key K of length l and
an encryption E of K under Y .
1. Choose k ∈R {1, . . . , q − 1}.
2. E ← [k]G.
3. T ← [k]Y .
4. K ← KD(E ‖ T, l).
5. Output (E, K).
Notice how the key derivation function is applied to both the ephemeral
public key and the point representing the session key. It is this modification
that removes problems associated with benign malleability in chosen cipher-
text attacks and aids in the security proof. In addition, no modification to
the KEM is made when one wishes to deal with cofactors; this modification
is only made at decryption time.
To deal with cofactors, suppose we have a set of domain parameters
(K, E, q, h, G). We set a flag f as follows:
• If h = 1, then f ← 0.
• If h ≠ 1, then select f ← 1 or f ← 2.
We can now describe the ECIES-KEM decryption operation.
Algorithm I.11: ECIES-KEM Decryption
INPUT: An encryption session key E, a private key x,
a length l and a choice for the flag f as above.
OUTPUT: A session key K of length l
1. If f = 2 then check whether E has order q,
if not return ‘‘Invalid Ciphertext’’.
2. x' ← x and E' ← E.
3. If f = 1 then
4. x' ← x'/h (mod q).
5. E' ← [h]E'.
6. T ← [x']E'.
7. If T = O then return ‘‘Invalid Ciphertext’’.
8. K ← KD(E ‖ T, l).
9. Output K.
We now explain how an encryption is performed with a KEM/DEM ap-
proach, where we are really focusing on using ECIES-KEM. We assume a
KEM and DEM that are compatible, i.e., a pair whose KEM outputs an l-bit
key and whose DEM requires an l-bit key as input.
Algorithm I.12: ECIES-KEM-DEM Encryption
INPUT: A public key Y , a message M.
OUTPUT: A ciphertext C.
1. (E, K) ← ECIES-KEMEnc(Y, l).
2. (c ‖ r) ← DEMEnc(K, M).
3. Output (E ‖ c ‖ r).
Algorithm I.13: ECIES-KEM/DEM Decryption
INPUT: A ciphertext C, a private key x.
OUTPUT: A message m or ‘‘Invalid Ciphertext’’.
1. Parse C as (E ‖ c ‖ r).
2. K ← ECIES-KEMDec(E, x, l).
3. If K equals ‘‘Invalid Ciphertext’’ then
4. Return ‘‘Invalid Ciphertext’’.
5. M ← DEMDec(K, (c ‖ r)).
6. If M equals ‘‘Invalid Ciphertext’’ then
7. Return ‘‘Invalid Ciphertext’’.
8. Output M.
I.5. Other Considerations
When receiving a public key, whether in a digital certificate or as an
ephemeral key in ECDH, ECMQV or ECIES, one needs to be certain that
the ephemeral key is a genuine point of the correct order on the given curve.
This is often overlooked in many academic treatments of the subject.
The ANSI and SECG standards specify the following check, which should
be performed for each received public key.
Algorithm I.14: Public-Key Validation
INPUT: A set of domain parameters (K, E, q, h, G)
and a public key Q
OUTPUT: Valid or Invalid
1. If Q ∉ E(K) then output ‘‘Invalid’’.
2. If Q = O then output ‘‘Invalid’’.
3. (Optional) If [q]Q ≠ O then output ‘‘Invalid’’.
4. Output ‘‘Valid’’.
The last check is optional, because it can be quite expensive, especially if
h = 1 in the case of large prime characteristic or h = 2 in the case of even
characteristic. However, the check is needed to avoid problems with small
subgroups. It is because this check can be hard to implement that the option
of using cofactors in the key derivation functions is used in ECDH, ECMQV
and ECIES.
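Algorithm I.14 and the cofactor Diffie–Hellman variant of Section I.3, run on a constructed toy curve y² = x³ + x + 1 over F_23, which has #E(K) = 28 = 4 · 7 and so a cofactor h = 4 and a small subgroup to test against. This is added example code, not the book's: the curve, the brute-force point count, and the way G and a small-subgroup point S are derived are assumptions made for the example.

```python
# Constructed toy curve (nowhere near a real parameter set): y^2 = x^3 + x + 1 over
# F_23, which has #E(K) = 28 = h * q with cofactor h = 4 and prime q = 7.
P_MOD, A, B = 23, 1, 1
H_COF, Q_ORD = 4, 7
O = None  # the point at infinity


def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(P1, P2):
    """Affine addition on the short Weierstrass curve; O is the identity."""
    if P1 is O:
        return P2
    if P2 is O:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O  # P2 = -P1 (also covers doubling a point with y = 0)
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    """[k]pt by double-and-add."""
    acc, base = O, pt
    while k > 0:
        if k & 1:
            acc = add(acc, base)
        base = add(base, base)
        k >>= 1
    return acc


def curve_order():
    """Brute-force #E(K), counting O; only feasible because the field is tiny."""
    return 1 + sum(1 for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y)))


def domain_parameters():
    """Return (G, S): G a point of order q, S a point of the small subgroup of order h."""
    assert curve_order() == H_COF * Q_ORD
    pts = [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y))]
    G = next(mul(H_COF, pt) for pt in pts if mul(H_COF, pt) is not O)  # order q
    S = next(mul(Q_ORD, pt) for pt in pts if mul(Q_ORD, pt) is not O)  # order divides h
    return G, S


def validate_public_key(Qp):
    """Algorithm I.14, with the optional Step 3 always performed."""
    if not on_curve(Qp):          # Step 1: Q is not in E(K)
        return "Invalid"
    if Qp is O:                   # Step 2
        return "Invalid"
    if mul(Q_ORD, Qp) is not O:   # Step 3: [q]Q != O, so Q is outside the order-q subgroup
        return "Invalid"
    return "Valid"


def shared_secret(priv, peer_pub, cofactor=False):
    """ECDH: [priv]peer_pub, or the cofactor variant [h]([priv]peer_pub).  A peer point
    from the small subgroup yields O under the cofactor variant and can be rejected;
    the plain variant silently accepts it and derives a key with only h candidates."""
    K = mul(priv, peer_pub)
    return mul(H_COF, K) if cofactor else K
```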
Just as public keys need to be validated, there is also the problem of
checking whether a given curve is suitable for use. The following checks
should be performed before a set of domain parameters is accepted; however,
this is likely to be carried out only once for each organization deploying elliptic
curve based solutions.
Algorithm I.15: Elliptic Curve Validation
INPUT: A set of domain parameters (K, E, q, h, G)
OUTPUT: Valid or Invalid
1. Let l ← #K = $p^{n}$.
2. Check #E(K) = h · q, by generating random points
and verifying that they have order h, q, or h · q.
3. Check that q is prime.
4. Check that q > $2^{160}$ to avoid the BSGS/Rho attacks,
see [ECC, Chapter V] for details.
5. Check that q ≠ p to avoid the anomalous attack,
again see [ECC, Chapter V] for reasons.
6. Check that $l^{t} \neq 1 \pmod q$ for all t ≤ 20 to avoid the
MOV/Frey--Rück attack, see [ECC, Chapter V].
7. Check that n is prime, to avoid attacks based on
Weil descent, see Chapter VIII of this volume.
8. Check that G lies on the curve and has order q.
But how do you know the curve has no special weakness known only to a
small (clever) subset of people? Since we believe that such a weak curve must
come from a very special small subset of all the possible curves, we generate
the curve at random. But even if you generate your curve at random, you
need to convince someone else that this is the case. This is done by generating
the curve in a verifiably random way, which we shall now explain in the case of
characteristic two curves. For other characteristics a similar method applies.
Algorithm I.16: Verifiable Random Generation of Curves
INPUT: A field K = F2n of characteristic two
OUTPUT: A set of domain parameters (K, E, q, h, G) and a seed S
1. Choose a random seed S.
2. Chain SHA-1 with input S to produce a bit string B of
length n.
3. Let b be the element of K with bit representation B.
4. Set E : $Y^{2} + X \cdot Y = X^{3} + X^{2} + b$.
5. Apply the methods of Chapter VI of this volume
or [ECC, Chapter VII] to compute the group order
N ← #E(K).
6. If N ≠ 2q with q prime then goto Step 1.
7. Generate an element G ∈ E(K) of order q.
8. Check that (E, K, q, 2, G) passes Algorithm I.15,
if not then goto Step 1.
9. Output (K, E, q, 2, G) and S.
With the value of S, any other person can verify that the given elliptic
curve is determined by S. Now if the generator knew of a subset of curves
with a given weakness, to generate the appropriate S for a member of such
a subset, they would need to be able to invert SHA-1, which is considered
impossible.
CHAPTER II
On the Provable Security of ECDSA
D. Brown
II.1. Introduction
II.1.1. Background. The Elliptic Curve Digital Signature Algorithm is
now in many standards or recommendations, such as [ANSI X9.62], [SECG],
[FIPS 186.2], [IEEE 1363], [ISO 15946-2], [NESSIE] and [RFC 3278].
Organizations chose ECDSA because they regarded its reputational security
sufficient, on the grounds that (a) it is a very natural elliptic curve analogue of
DSA, and that (b) both elliptic curve cryptography and DSA were deemed to
have sufficiently high reputational security. The standardization of ECDSA
has created more intense public scrutiny. Despite this, no substantial weak-
nesses in ECDSA have been found, and thus its reputational security has
increased.
At one point, proofs of security, under certain assumptions, were found for
digital signature schemes similar to DSA and ECDSA. The proof techniques
in these initial proofs did not, and still do not, appear applicable to DSA and
ECDSA. Thus, for a time, provable security experts suggested a change to the
standardization of reputationally secure schemes, because slight modifications
could improve provable security.
Further investigation, however, led to new provable security results for
ECDSA. New proof techniques and assumptions were found that overcame
or avoided the difficulty in applying the initial techniques to ECDSA. This
chapter describes some of these results, sketches their proofs, and discusses
the impact and interpretation of these results.
Interestingly, in some cases, the new proof techniques did not apply to
DSA, which was the first, though mild, indication that ECDSA may have
better security than DSA. Furthermore, some of the new proof techniques
do not work for the modified versions of ECDSA for which the initial proof
techniques applied. Therefore, it can no longer be argued that the modified
versions have superior provable security; rather, it should be said that they
have provable security incomparable to ECDSA.
Cryptanalysis results are the converse to provable security results and are
just as important. In this chapter, conditional results are included, because
no successful, practical cryptanalysis of ECDSA is known. The hypotheses of
a provable security result is a sufficient condition for security, while a crypt-
analysis result establishes a necessary condition for security. For example,
one conditional cryptanalysis result for ECDSA is that if a hash collision can
be found, then a certain type of forgery of ECDSA is possible. Therefore,
collision resistance of the message digest hash function is a necessary condi-
tion for the security of ECDSA. Note however that this is not yet a successful
cryptanalysis of ECDSA, because no collisions have been found in ECDSA’s
hash function.
II.1.2. Examining the ECDSA Construction. The primary purpose of
the provable security results is to examine the security of ECDSA. The
purpose is not to examine the security of the primitives ECDSA uses (elliptic
curve groups and hash functions). Even with the secure primitives, it does
not follow a priori that a digital signature built from these primitives will be
secure. Consider the following four signature scheme designs, characterized
by their verification equations for signatures (r, s). Each is based on ECDSA
but with the value r used in various different ways, and in all cases signatures
can be generated by the signer by computing r = [k]G and applying a signing
equation.
• The first scheme, with verification $r = f([s^{-1} r]([H(m)]G + Y))$, is
forgeable through $(r, s) = (f([t]([H(m)]G + Y)), t^{-1} r)$, for any t and
message m. Evidently, the verification equation does not securely bind,
informally speaking, the five values r, s, m, G, Y .
• The second scheme, ECDSA, is verified with $r = f([s^{-1}]([H(m)]G +
[r]Y))$. Moving the position of r on the right-hand side of the verifica-
tion equation seems to turn an insecure scheme into a secure one. Now
all five values have become securely bound.
• The third scheme, verified with $r = f([s^{-1}]([H(m, r)]G + Y))$, has r
in yet another position. The third scheme seems secure, and the prov-
able security results of Pointcheval and Stern [276] using the Forking
Lemma seem adaptable to this scheme.
• A fourth scheme, verified with $r = f([s^{-1}]([H(m, r)]G + [r]Y))$, combines
the second and third in that r appears twice on the right, once
in each location of the second and third. Although the fourth scheme
could well have better security than both the second and third schemes,
it is argued that the overuse of r in the right-hand side of the third and
fourth schemes is an obstacle to certain security proof techniques. Be-
cause the value r occurs both inside a hash function evaluation and
as a scalar multiple in the elliptic curve group, formulating mild and
independent hypotheses about the two primitives is not obvious and
inhibits the construction of a security proof.
II.2. Definitions and Conditions
II.2.1. Security for Signatures. Goldwasser, Micali and Rivest introduced
in [150] the now widely accepted formal definition for signature schemes and
their security.
Definition II.1 (Signature Scheme). A signature scheme is a triple of prob-
abilistic algorithms Σ = (K, G, V ), such that K has no input (except random-
ness) and outputs a public key Y and private key x; G has input of the private
key x and an arbitrary message m and outputs a signature S; and V has input
of the public key Y , message m and signature S and outputs either valid or
invalid.
A signature scheme is correct if the following holds: For any message m
and any randomness, computing K :→ (x, Y ) and then G : (x, m) → S will
ensure the result V : (Y, m, S) → Valid. If G does not use its randomness
input, then Σ is said to be deterministic. If, for each message m and public
key Y , at most one signature S satisfies V (Y, m, S) = Valid, then Σ is said
to be verifiably deterministic.
Definition II.2. A forger of signature scheme (K, G, V ) is a probabilistic
algorithm F, having input of either a public key Y or a signature S and an
internal state X, and having output of a message m, state X, and R, which
is either a signature or a request for a signature of a message mi.
A forger F is measured by its ability to win the following game.
Definition II.3. The forgery game for a forger F of signature scheme Σ =
(K, G, V ) has multiple rounds, each consisting of two plays, the first by the
signer and the second by the forger.
• In Round 0, the signer uses K to output public key Y and a private
key x.
• Next, the forger is given input of the public key Y and a fixed initial
state X0, and it outputs a message mi, a state X1 and a request or
signature R1.
• For i ≥ 1, Round i works as follows.
– If Ri is a request for a signature, then the signer uses G with
input of x and the message mi to output a signature Si. Next, the
forger is called again with input of the signature Si and the state
Xi. It will then return a new message mi+1, a new state Xi+1,
and a new request or signature Ri+1.
– If Ri is a signature, not a request, then the game is over.
When the game ends, at Round i, the forger has won if both $m_{i+1} \notin \{m_1, \dots, m_i\}$
and V (Y, mi+1, Ri+1) = Valid; otherwise, the forger has lost.
We can now define a meaningful forger.
47. 24 II. ON THE PROVABLE SECURITY OF ECDSA
Definition II.4 (Forger). A forger F is a (p, Q, t)-forger of signature scheme
(K, G, V ) if its probability of winning the forgery game in at most Q rounds
using computational effort at most t is at least p. A signature scheme Σ is
(p, Q, t)-secure if it does not have a (p, Q, t)-forger.
A (p, 0, t)-forger is called a passive forger, and a forger that is not passive
is called active when needed. It is important to realize that the forgers thus
defined are successful without regard to the quality or meaningfulness of the
forged message. To emphasize this limiting aspect, such forgers are called
existential forgers. A selective forger, by contrast, lacks this limitation and
is formally defined as follows.
Definition II.5 (Selective Forger). Let U be a probabilistic algorithm, with
no input except randomness, and output of a message. A selective forger is a
forger F with the following differences. The input of a public key also includes
a message. The selective forgery game for a selective forger F of signature
scheme (K, G, V ), with message selection oracle U, is the forgery game with
the following differences. In Round 0, U is called to generate a message m0,
which is given as input to F. The forger wins the game in Round i, only if
m0 = mi+1 is satisfied. A selective forger F is a (p, Q, t, U)-forger of signature
scheme (K, G, V ).
A selective forger can forge any message from a certain class of messages.
A selective forger is generally much more harmful than an existential
forger, depending on the distribution of messages given by U. In particular,
if U generates meaningful messages, then the selective forger can forge any
meaningful message it wants.
Generally, with p and t the same, a passive forger is more harmful than
an active one, and a selective forger is more harmful than an existential one.
Generally, passiveness and selectiveness are qualitative attributes of forgers,
and their importance depends on the usage of the signatures.
Definition II.6 (Signature Security). A signature scheme is (p, Q, t)-secure
against existential forgery if there exists no (p, Q, t)-forger.
A signature scheme is (p, Q, t, U)-secure against selective forgery if there
exists no (p, Q, t, U)-selective-forger.
II.2.2. Necessary Conditions. The conditions in Table II.1 on the components
of ECDSA can be shown to be necessary for the security of ECDSA, because
otherwise forgery would be possible. These conditions are defined below,
together with some of the reductions to attacks that prove their necessity.
48. II.2. DEFINITIONS AND CONDITIONS 25
Table II.1. Necessary Conditions with Associated Forgeries

  Component                        Condition                        Forgery
  Group (and Conversion Function)  Intractable Discrete Logarithm   Passive Selective
                                   Intractable Semi-Logarithm       Passive Selective
  Conversion Function              Almost Bijective                 Passive Selective
  Random Number Generator          Arithmetically Unbiased          Active Selective
  Range Checking                   Check r ≠ 0                      Passive Selective
  Hash Function                    Rarely Zero                      Passive Selective
                                   Zero Resistant                   Passive Existential
                                   1st-Preimage Resistant           Passive Existential
                                   2nd-Preimage Resistant           Active Selective
                                   Collision Resistant              Active Existential

Intractable Semi-Logarithm : For a conversion function f and group G, a
semi-logarithm of a group element P to the base G is a pair of integers (t, u)
such that
t = f([u^{-1}](G + [t]P)).
Finding semi-logarithms needs to be intractable or else forgeries can be found
by setting P = [H(m)^{-1}]Y , where Y is the public key, for then (t, H(m)u) is
a forgery of message m. The resulting forgery is both passive and selective,
which is the most severe type. Therefore, the intractability of the semi-logarithm
problem is a necessary condition for the security of ECDSA.
A semi-logarithm may be regarded as an ECDSA signature of some message
whose hash is one (without actually supplying the message). Thus, at
first glance, the semi-logarithm might not seem to be significantly different
from the forging of an ECDSA signature. But semi-logarithms do not depend
on a hash function, unlike ECDSA. Therefore, the semi-logarithm problem is
formally different from the problem of forging an ECDSA signature. One
reason for considering the semi-logarithm problem is to isolate the roles of the
hash function and the group in analyzing the security of ECDSA.
Intractable Discrete Logarithm : For a group G, the (discrete) logarithm
of a group element P to the base G is the integer x such that P = [x]G.
Finding the discrete logarithm of P allows one to find its semi-logarithm, via
(t, u) = (f([k]G), k^{-1}(1 + td)),
where d denotes the logarithm x of P, therefore allowing the forging of ECDSA
signatures. The forger is both passive and selective. Indeed, this forger
recovers the elliptic curve private key, which might potentially result in yet
greater damage than mere forgery, if, say, the key is used for other purposes.
Almost-Bijective Conversion Function : The conversion function f is
α-clustered if some element t* of its range has a large preimage of size at
least α times the domain size. If f is not α-clustered, then it is said to be
almost bijective of strength 1/α. An α-clustered conversion function means
that random (t*, u) are semi-logarithms with probability at least α. Thus, an
average of about 1/α tries are needed to obtain a semi-logarithm.
Unguessable and Arithmetically Unbiased Private Key Generation :
Clearly, if the generator for the static private key x is guessable, in the sense
that an adversary can guess its values fairly easily, then passive selective
forgery is possible. Guessability, sometimes called min-entropy, is measured
by the maximum probability of any value of x. If the ephemeral private key
k is guessable, then active selective forgery is possible, since the private key
x is determined from k and a signature (r, s) by the formula
x = r^{-1}(ks − H(m)) (mod q).
Furthermore, a series of attacks has been published showing that if the random
number generator used for k exhibits certain types of bias, the private
key x can be obtained. If k ever repeats for different messages m and m′, then
the private key may be solved from the two respective signatures (r, s) and
(r′, s′) by
x = (se′ − s′e)/(s′r − sr′) (mod q),
where e = H(m) and e′ = H(m′). Bellare, Goldwasser and Micciancio [21]
showed that if a linear congruential random number generator were
used for k, then the private key could also be found; Smart and Howgrave-Graham
[174] and Nguyen and Shparlinski [261, 262] both showed that if
bits of k are known, due to partial key exposure, then x can be found using
lattice theory; and Bleichenbacher [31] showed that if k is biased towards a
certain interval, then x can be recovered with a larger but feasible amount of
work. Such biases result in active selective forgery, because the forger uses a
signing oracle to find the private key and can then sign any message it wants.
Properly Implemented Range Checking : If an implementation does
not check that r ≠ 0, then the following forgery is possible. The forger needs
to select the EC domain parameters in such a way that G = [t]Z, where Z is
a group element satisfying f(Z) = 0 and t ∈ ℤ. For the ECDSA conversion
function, such points Z, if they exist, can be found as follows. Let x have
the binary representation of qu for some integer u and try to solve for the
appropriate y such that (x, y) lies on the curve (here x is not to be confused
with the private key). Repeat until a point is found or until all legal values
of x are exhausted. Most of the NIST recommended curves have such points
Z. The forged signature is (0, t^{-1}H(m)).
This forgery is the severest kind: passive selective. Two limitations mitigate
its severity, however. First, an implementation error is needed. Hence,
non-repudiation is not totally defeated because a trusted third party can use
a correct implementation to resolve the signature validity. Accordingly, the
owner of the key Y should never be held liable for such signatures. The second
limitation is that the forgery is a domain parameter attack. Usually, a
trusted third-party authority generates and distributes domain parameters,
including G. The attack presumes a corrupt authority. Note that a verifiably
random generation of G, which the revision of [ANSI X9.62] will allow,
prevents this attack without relying on the implementer to check that r ≠ 0.
Rarely Zero Hash : If the effective hash function, which is the raw hash
truncated and reduced modulo q, has probability p of equalling 0, then passive
selective forgery is possible, as follows. The forger chooses signature (r, s) =
(f([t]Y ), t^{-1}r), for some t ∈ ℤ. If the selected message is a zero of the hash,
which happens with probability p, then the forged signature is valid because
f([s^{-1}]([H(m)]G + [r]Y )) = f([tr^{-1}]([0]G + [r]Y )) = f([t]Y ) = r.
This and other conditions on the hash function refer to the effective hash
function. This qualification is important for the security analysis because the
reduction modulo q might cause the condition to fail if q was chosen by an
adversary. If the adversary chose the elliptic curve domain parameters, then
it is possible that q was chosen as the output, or the difference between two
outputs, of the unreduced hash function, which would permit the adversary
to find a zero or a collision in the effective (reduced) hash function.
Notice that clustering at values other than zero does not necessarily lead to
a passive existential forgery. It can lead to other kinds of attacks, as outlined
below, because clustering at certain values can lead to weakened second-preimage
resistance of the hash function.
Zero-Resistant Hash : A zero finder of a hash function is a probabilistic
algorithm that finds a message m such that H(m) = 0. A hash function
is zero-resistant if no zero finder exists. A passive existential forger can be
constructed from a zero finder in a similar manner to above. The forger
chooses signature (r, s) = (f([t]Y ), t^{-1}r) and, using the zero finder, finds a
message m such that H(m) = 0. Then (r, s) is a valid signature on m. Note
that the forger is only existential because the forger has no control on the m
found by the zero finder.
A zero-resistant hash function is clearly rarely zero. The converse is false:
a rarely zero hash function can fail to be zero-resistant. Note that this strict
separation of the properties is also reflected in the types of forgery they relate
to, so it is important to consider both properties in a security analysis.
A special case of this attack was first described by Vaudenay [331] as a
domain parameter attack on DSA, where the zero is found by choosing q for
m such that H(m) ≡ 0 (mod q).
X.’s remarks, I would take a negative attitude toward the rising
impulse and laugh quite good naturedly at his statement. The laugh
was not forced, I entered into it heartily.” Subject C. finds himself at
times suddenly laughing at the most commonplace remarks when
mildly angry at an offence. It is a common device of subject B. to
burst out laughing at his behavior when mildly angry, as if he were
merely a spectator of his emotion and not a partaker of it. “I recalled
the offensive behavior of X. which had happened two hours before. I
found myself in an emotion of slight anger, followed by an explosive,
‘Damn that X.’ There was present much motor tension in arms and
face muscles, then noting my angry demonstrations I laughed
outright at myself and felt pleased.” The anger disappeared entirely
with the act. It is frequently reported that a sudden pause in the
midst of unpleasant anger to introspect, is pleasant when attention
is directed to the behavior, but when attention passes to the
situation exciting the emotion, anger tends to be reinstated again.
Observations like the following are reported: “Pausing to observe my
emotion, my whole behavior seemed so ludicrous that I had to
laugh.” The subject may suddenly assume his opponent’s point of
view, find a number of probable excuses for his behavior and at
times actually imagine himself as champion for his enemy against
himself. He does this heartily at times when there is no outside
compulsion and derives a feeling of pleasure in the act. The contrary
reaction may be hostilely resorted to in some instances. The subject
is aware that his aim is to humiliate his opponent by making him
ashamed and sorry; but it is usually reported that, after he has
assumed the over-friendly attitude with its hostile intent, there is a
self-satisfaction in the sudden breaking up of the unpleasant
conscious restraint. Subject D. observes, “I knew I was doing the
favor to make him feel ashamed; watching him, I saw he was not
ashamed in the least but I continued my friendliness and felt pleased
in doing it. There was no regret when I saw that he did not take the
matter as I had at first wished.” In the contrary reaction, a joke or
witticism may be employed, but it has an entirely different aim from
the joke discussed in attributive reaction. It lacks hostility. Its aim is
friendliness, the theme is contrary to the situation giving rise to
anger and serves to distract the attention from the emotion.
THE INDIFFERENT REACTION
The third class of mental reactions to anger is what has been called
the indifferent type. It is attitudinal in character. The subject
assumes for the time an indifferent attitude toward the situation and
person exciting the emotion. Eleven percent of the reactions of all
the subjects studied may be classified under this type. It occurs as
one of the last resorts when there is nothing else to be done. If it
appears in the initial stage of anger, the emotion does not fully
develop. It is not reported as actually pleasant but rather passively
relieving for the time. Subject B. had received a piece of adverse
information in a letter. He observes, “At first, I was angry and at
once threw the letter down on the table in an attitude of not caring
anything about it. I felt that nothing could be done. I had really
wanted the information badly. I threw up my hands and moved my
body suddenly with a ‘don’t care’ feeling.” B. reports that he recalled
the situation several times later, but the anger did not appear again.
The same subject recalling the offensive behavior of X. and Y.
became angry, and observes, “I found myself saying aloud, ‘Oh
confound them, I don’t care anything about them,’ and at once
started to attend to something else. My saying I did not care, made
me feel as if I did not care; in fact now I really did not care.” The
sudden assuming of an apathetic attitude toward the developing
anger is a frequent device of subject B. A. after a rather prolonged
emotional reaction in which he imagined cutting remarks and
planned how he would retaliate, suddenly changed his attitude,
saying, “What is the use anyway, it is just X., I don’t care anything
about him, I will let him go his way.” C. when angry at times
reenforces an assumed attitude of indifference by saying to himself,
“Here, you must not be bothered about such things, be a good sport
and play the game.” One at times assumes an attitude of accepting
the situation as it is, and dropping the matter.
CHAPTER THREE
DISAPPEARANCE OF ANGER
The anger consciousness is one of variability and change. The
emotion may disappear rather suddenly with the appearance of a
new emotion or it may disappear gradually. There are usually
fluctuating nodes of increasing and diminishing intensity
accompanying the changing direction of attention, ideational
behavior, and motor and mental activity in general. Attention again
to the situation exciting anger tends to increase its intensity, if the
situation from which it arises remains unchanged.
Any behavior, whether mental or motor, which changes the total
mental situation from which anger originates, tends to modify the
emotion itself. This total mental situation cannot remain unchanged
long. The affective processes which have been aroused usually serve
to redirect attention again and again to the situation exciting anger.
The aim of angry behavior may be said to be three fold, referring to
the total mental situation from which the three main types of anger
arise; (1) to enhance self-feeling which has been lowered; (2) to get
rid of the opposing obstacle to the continuity of associative
processes; (3) to recover from one’s wounded sense of justice.
The total feeling situation becomes modified in the course of the
disappearance or diminution of the emotion. Anger which springs
from a fore-period of irritable feelings disappears by a different set
of ideas than from anger arising from a fore-period of negative self-feeling.
Pleasantness is an important condition in the diminution of anger.
There are but few instances that show no pleasantness in some
degree somewhere in the reactive stage of the emotion. The
pleasantness ranges from momentary mild relief to active delight.
Periods of restraint during anger are periods of unpleasantness.
Periods of lessened restraint are accompanied by relief or
pleasantness. Two periods in the development of anger are most
unpleasant. (1) The entire cumulative development of anger is
unpleasant. It is a frequent observation in the immediate fore-
period, “I wanted to get angry at somebody or something, I felt I
would feel better if I did.” (2) Often during the active stage of anger,
there are found one or more periods of unpleasant inhibition and
restraint. This is often a stage of experiment in imagination,
foreseeing unpleasant results of too drastic behavior, inhibiting,
choosing and selecting in the effort to discover some reaction which
may successfully meet the emotional crisis of the moment. There are
cases of anger with all the persons studied, which do not get beyond
this inhibitive unpleasant stage. Anger may be almost entirely
unpleasant or mostly pleasant. Some persons have a greater mental
versatility than others in finding a successful expression to anger,
consequently they have relatively a greater proportion of
pleasantness. Under the influence of fatigue, the ability for
successful expression is lessened and there is a correspondingly
increased tendency to emotive excitation and decreased emotional
control.
When a fully successful reaction is not found, anger dies hard. It
may become necessary to attend to something else voluntarily for
self protection. Anger disappearing unsuccessfully tends to recur
again and again, it may be. Its reappearance frequently allows the
unpleasant initial stage to be shortened or dropped entirely leaving a
mildly pleasant experience.
Anger disappears suddenly and pleasantly if the subject can gain the
subjective end of the emotion. Subject J. observes in the case of an
anger arising from a feeling of irritation, “At this moment (the
moment of successful expression) I felt pleased, my anger now
disappeared leaving a pleasant after-effect.” A case from A. will
illustrate further. A. got on the wrong street car. The conductor
refused to allow him to get off at his corner of the street. He
observes he was angry, not because he was hindered from getting
off, but because of the insulting attitude and remark of the
conductor, who said in a hostile manner, “Why did you not pay
attention to what I said, this car does not stop, you will have to go
on.” A. then became angry and demanded in rather severe language
to have the car stopped. At this point the conductor changed his
attitude and stopped with no further words. A. observes, “As I
stepped off I had a distinct feeling of pleasantness. I felt I had been
victorious. I was no longer angry. Sensations were still present in
chest, arm and leg muscles but these were now pleasant. Upon
recalling the incident, I had not the least resentment against the
conductor. On the whole, I now felt glad the incident had occurred.”
Pleasantness may appear on the observation of the offender’s failure
or humiliation. C. becoming angry at X., who was manipulating some
laboratory apparatus, observes, “I let him proceed rather hoping he
would spoil his results. When I noted he was failing and observed his
discomposure, I felt pleased. That satisfied my anger against him at
once.”
The imaginal humiliation and trouble coming to the offender, also
increases the feeling of pleasantness and diminishes for the moment
the anger. The imaginative verbal or physical attacks usually allow a
subject to come out victor. What D. observes is typical. “I imagined
he was stunned by my attack, and the result pleased me; that
satisfied my anger.”
If the offender acts friendly and accommodating, that affords a relief
to the offended person and is a condition for the rapid
disappearance of anger. F. observes, “He behaved so friendly that I
thanked him and felt relieved. My anger was now almost gone.” C.
became angry at X. for what he had interpreted as a hostile attitude.
Five minutes later X. sat down by him. C. observes, “He acted
sociable and I felt relieved, my anger was entirely gone, in fact I
now felt quite friendly toward him.” It is also commonly reported
that when the offender becomes submissive, it affords a relief to the
subject and usually kills the emotion. C. observes, “After he had
submitted, my anger had disappeared and I now felt a little
repentant at what I had done.” The same subject sometimes
observes that he imagines the absent offender at whom he is angry,
smiling and acting friendly in the usual way, and the imagined
friendly attitude is a relief to the emotion.
Anger which develops from a fore-period of negative self-feeling,
disappears when the subject is able to acquire a positive feeling
attitude toward the offender. It may be accomplished subjectively.
The subject tends to lower his opinion of his opponent, he enjoys an
idle gossip, it may be, at his expense, recalls ill reports he had
previously heard but ignored, and in fact may employ a number of
devices of imagination and make-believe. He at times tends to
magnify the offender’s unworthiness, and may come to the
conclusion that he is scarcely worth troubling about. Mental behavior
of this sort is commonly reported to enhance self-feeling. On the
other hand the subject may accomplish the same end by magnifying
his own personal feelings directly by dwelling on his own good
qualities and worth in comparison with that of the offender. Such
comparisons are almost always to the disadvantage of the opponent.
Subject C., in a controversy with X., became angry and walked away
when the emotion was still intense. “I now began to recall how
insignificant he is and how important I am. He is narrow, pedantic
and incapable of seeing a large point of view. I am not so narrow. All
was slightly pleasant and was accompanied by a decreased intensity
of my emotion. I now met X. and joked with him; my anger was
entirely gone.” The feeling of superiority kills anger of the type which
arises from a fore-period of humiliation. It has already been
indicated that when a positive feeling is maintained in receiving an
injury, anger does not arise. The would-be offender if he is regarded
as unworthy or unaccountable for his act, does not usually excite
anger. The same person, however, may stimulate anger by a process
of increased irritable feelings. Subject A. beginning to get angry at
X., (a person he holds in low esteem) observes the following
association. “Oh, it is just X., no use in my getting angry at a fellow
like that, he is not responsible anyway, and I would be foolish to be
bothered by him. I had started to ridicule him but now my emotion
was gone.”
A contemplated victory gives pleasure and diminishes anger even
before the victory is attained. The emotion disappears on assuming
a positive determined mental attitude, it may pass off in vehement
resolution as to further behavior. In fact, one may begin and finish
his fight through the medium of ideas and have no enthusiasm left
for the actual encounter.
With a third condition for the disappearance of anger, pleasantness
is present but usually in the form of mild relief. Positive self-feeling is
not so clearly marked in consciousness. The subject looks at the
offender’s point of view, finds excuses for his behavior, elevates his
opinion it may be of him. A new idea is added to the mental
situation exciting anger which entirely alters the feeling content, and
consequently anger disappears. Subject I. observes, “When I finally
concluded that X. meant well, my anger was almost gone.” G.
resentful at X. because he did not speak to him states, “I recalled
suddenly that he is cross-eyed and probably did not see me. I said
to myself, ‘He is a good fellow and is friendly toward me all right.’ My
emotion was now gone.” B. mildly angry at X. and Y. for intruding
upon him, observes the following soliloquy. “No, they have more
right here than I have. This room is for people to converse in rather
than for one man to occupy alone. My anger was now decreased but
not entirely gone.” Even a tentative excuse for the offender’s
behavior allays anger temporarily. The emotion may last for several
days, appearing at intervals, and with a sudden introduction of a
new idea providing an adequate excuse for the offence, the
condition exciting the emotion will be completely changed.
Anger diminishes and disappears more frequently in the change of
attention than by any other one condition. A pause in the midst of
anger to attend to one’s mental behavior affords a diminution of the
affective process. It is often reported as amusing when a subject
suddenly ceases attending to the situation exciting the emotion and
observes his mental behavior; laughter at this point is often
reported. Close attention to the act of managing the irritating or
humiliating incident, allows a rather gradual diminution of anger.
Anger does not arise when the subject is rigidly attending to the
damage done, but only when he begins to feel the damage as
humiliating, irritating or as contrary to justice. One subject hums or
sings when angry. A joke or witticism will break the crust of
conscious tension allowing the attention to be distracted elsewhere.
The subject may suddenly assume an apathetic attitude toward the
whole incident and kill the emotion at least temporarily. The mental
situation from which anger arises, is one contrary to indifference, in
fact, the lack of indifference is one of the essential characteristics of
the fore-condition of anger, and consequently when this attitude is
present, anger is cut off.
A resolution or a settled judgment has a relieving effect. Whenever
the subject comes to a definite conclusion whether it refers to the
emotional situation or a contemplated mode of behavior toward the
offender, there is reported a sudden drop in the intensity of the
emotion, even though the attitude is but a tentative and temporary
one. The reason for this is evidently that such a mental attitude is
contrary to the immediate mental situation from which anger arises.
Anger springs from the fact that there is lacking a definite mental
attitude as to what should be done during the reactive stage of the
emotion. One of the most efficient controls is to have a well planned
reaction to meet the emotional crisis before it appears; when the
injury occurs, if there is a preparedness as to what should be done,
even though the response is but a subjective one purely attitudinal
in its nature, anger fails to develop to its intense stage.
SUCCESSFUL DISAPPEARANCE
The success with which the emotion of anger disappears is a matter
of wide individual difference with the persons studied. With some
the reporting of the emotion from the introspection notes tended to
reinstate the emotion. One subject was frequently disturbed by the
reappearance of the emotion during the report. In one instance he
refused to report to the writer for three days afterward. He reports
he could not recall the situation without the reappearance of the
anger in its unpleasant form. Other persons could rarely reinstate an
emotion in any unpleasant form over night. At times the anger was
reinstated in its pleasant aspect. Sometimes a feeling of exaltation
was displayed. The subject showed he enjoyed recalling the
emotion. Imagined and carefully devised schemes of retaliation were
often rehearsed with pleasure. Again the observation would be a
feeling of indifference, as something past and finished. Often the
statement was given, “The whole thing seems ludicrous and
amusing to me now.”
It is rather pleasing to recall the situation exciting anger when the
original emotion is short-circuited, as it were, allowing a pleasurable,
gossipy vituperation against the offender without the initially
unpleasant stage of anger. In fact the subject may re-experience a
little of the unpleasant humiliation through imaginative stimulus, if
the pleasantly reactive stage is successful enough to compensate. If
the subject is aware he has a sympathetic hearer, it is far easier to
pass over the initially unpleasant stage of the reinstated anger and
enjoy a hostile, gossipy reaction. The writer in the course of the
study became so intimately acquainted with the private emotional
life of the subjects studied and had been a sympathetic listener of
the emotional experiences so long, that after the period of
observation had ended, he would find himself the recipient of
emotional confidences which the subjects took pleasure in relating to
him. Says one on reporting, “I really was not interested so much in
the scientific side of this emotion as I was to tell you of my
resentment, and as I look over it now, I am really aware that I
assumed a scientific interest as a means of gaining full sympathy
and giving me full freedom to speak everything in mind.” Another
subject says, “I went to tell X. for I believed he would get angry too
and I hoped that he would.” The same situation does not usually
allow anger to continue to reappear in its unpleasant form, for
repeated appearance tends to eliminate the active unpleasant stage.
An emotion of anger which has been unsuccessfully expressed may
continue to reappear in consciousness again and again. Crowded
out, it will suddenly return at times by chance associations. It may
become so insistent that it is an unpleasant distraction from business
affairs and the subject must find some sort of reaction to satisfy it. F.
observes, “I could not do my work. Just as I would get started, the
idea would reappear suddenly and I would find myself angry,
tending to think cutting remarks and planning what I should do.
Each time I tried to escape from it, it would come back again. Finally
I determined deliberately to get rid of it. I recalled all the good
qualities of X., what favors he had bestowed upon me and in fact felt
quite friendly toward him. Before I had finished, the anger had
disappeared and did not return. Later, as I recalled the situation
incidentally, I felt indifferent toward it.” Such deliberate behavior is
unusual. The reaction to an emotion is mostly involuntary. In many
instances, when emotion is prolonged, it is much like a trial and
error process, one reaction after another is tried out in imagination
until a rather successful one is found. This reappearance of an
emotion when it has been repressed gives opportunity for a new trial
and mode of attack.
There are two general conditions under which anger disappears
most successfully. First, if the mental situation from which anger
arises is changed directly by the addition of a new idea that gives an
entirely new meaning content to the incident so that it will no longer
be humiliating or irritating, as when the subject can thoroughly come
to believe that the motives of the opponent’s offense were not
hostile but friendly, anger disappears rather successfully with no
unpleasant after effects; the anger is cut off directly at its source. To
illustrate, C.’s anger at X. which had been a source of unpleasant
disturbance for two days, completely disappeared when he was
finally informed that what X. did was not meant as personal. The
subject at times finds himself trying to assume a little of the attitude
of make-believe. He really wants to believe the offender meant well.
A second successful condition for the removal of anger is when the
subject reacts so that he feels he has fully mastered his opponent.
He has given full restitution for the offense and feels a pleasurable
satisfaction in the results. Feeling is an essential factor, whatever the
method employed. If a feeling of complete victorious satisfaction is
accomplished in connection with the disappearance of anger it is
usually successful. The circumstances are rare in which the direct
verbal or physical attack would be fully satisfactory. A substitution in
the form of hostile wit, teasing, irony, or it may be a favor bestowed
with a hostile intent, may accomplish the same result as far as
feelings are concerned and completely satisfy the anger. The
imagined victory, or a make-believe one, may serve the same
purpose.
The most unsuccessful condition for the disappearance of anger is
one commonly used in emergencies—that of changing the attention
and avoiding the offensive idea. Intense anger usually returns when
diminished in this manner. The attitude of indifference and over-
politeness usually serves only as a temporary device of removal for
the purpose of expeditious control. Mere repression is not always
most successful.
CHAPTER FOUR
CONSCIOUS AFTER-EFFECTS
Anger has an important influence upon mental life and behavior long
after the emotion itself has disappeared. The functional effect of
anger may be disclosed in a period after the emotion proper has
disappeared. Other emotions may immediately follow anger, such as
pity, regret, sorrow, joy, shame, remorse, love and fear. Feelings and
tendencies are left over which the subject is fully aware are directly
related to the previous emotion. For purposes of study, the period
after the emotion will be divided into two parts; first, that
immediately after the emotion has disappeared, and second, the
more or less remote period of indefinite time. The reaction while the
emotion is present, and the way in which the emotion disappears,
are conditions which determine to a large extent what will
consciously appear after the emotion has passed away. With the aim
of finding out what mental factors follow in the wake of anger, the
subjects were instructed to keep account of any sort of
consciousness of which they were aware as referring either directly
or indirectly to the previous emotion observed.
Pity is frequently associated with anger. Mild anger may merge into
pity at the point where attention changes from the situation exciting
anger to the effects of angry behavior on the offender. Pity often
follows the imaginal humiliation of the person committing the
offense. It follows more readily when the emotion is against
children, servants, dependents or persons with whom there is close
intimacy. A kind of self-pity is sometimes associated with anger. With
one subject, a mildly pleasant self-pity would frequently follow anger
at an injury. At times there is found a curious mixture of anger and
self-pity. H. observes, “At times I would be angry, then at other
times I would find myself taking a peculiar pleasure in rehearsing my
injuries and feeling rather pitiful for one who had been mistreated
like myself.” An observation from C. will illustrate the suddenness of
the transition from mild anger to pity. Angry at a clerk for a slight
offense, he observes, “As I turned away I said to myself, ‘I wish that
fellow would lose his place,’ but at once I felt a little pity for him and
said, ‘No, that would be too bad, he has a hard time putting up with
all these people.’” Subject A., angry at a child observes, “I found
myself tending to punish him, I saw his face, it looked innocent and
trusting, that restrained me, I now thought, ‘Poor little fellow, he
does not know any better,’ and I felt a pity for him to think that such
a person as myself had the correcting of him.”
Shame may follow in the wake of anger. It arises rather suddenly in
the disappearing stage of the emotion when attention is directed to
the results of the angry behavior just finished. Both shame and pity,
following anger, are usually a condition of immunity against the
reappearance of the same emotion. After shame appears, a reaction
usually follows in the effort to compensate in some fashion. Subject
C. observes, “Becoming aware of my act and how it appeared, I now
felt ashamed and humiliated at what I had said. In a few minutes I
brought it about to offer him a favor and felt pleased when it was
accepted. I had really been trying to convince him that I was not
angry, and now felt that I was doing it.” Subject C. observes, “I
noted that they saw I was angry and at once I felt ashamed. I now
began to laugh the matter off as if trying to show I was not.” At
times during mild anger when the emotion is displayed too
impulsively and the bounds of caution have been overstepped,
exposing one’s self to a too easy attack from an opponent, an
uncomfortable feeling of chagrin appears. The anger may be
displayed in too crude a fashion, consequently an advantage is given
to the opponent which was not intended. Anxiety that the opponent
may take the hostile thrust too seriously or fear of the consequence,
may suddenly displace anger. Instead of an offending person, the
same person now suddenly becomes one exciting anxiety or fear.
A fourth affective condition of the immediate after-period of anger is
an active pleasantness. Anger disappears and joy takes its place.
The condition, originally exciting anger, is no longer able to
reproduce the emotion as the subject has become the victor and the
offense is recompensed. The goal of anger from its impulsive and
feeling side is to be found in the pleasurable victorious affection in
the after-period of the emotion. Any anger possesses possibilities of
pleasantness in its after-stage. If an objective victory cannot be had,
a subjective one plays the part of a surrogate. The processes of
imagination, make-believe and disguise, as previously discussed,
become devices directly referring to the aim of pleasurable feelings
in the after-period of anger. The motivation is to avoid the
unpleasant emotions and feelings in the wake of anger and acquire
the feeling of victory. The tendency to humor and jocular behavior
after anger is sometimes observed. The subject tends to recall his
feelings of success and relive them, self-confidence and positive self-
feelings are increased.
The feeling of friendliness toward the offender may follow anger
which has been successfully expressed. Spinoza was right when he
said, “An act of offense may indirectly give origin to love.” It is
frequently observed in the after-period of anger, “I felt more friendly
toward him after my emotion had disappeared.” In fact an unusual
friendliness with a desire to bestow favors was often observed. We
like a man better after we have been angry at him in a successful
manner. The emotional attitude is entirely changed toward an
opponent who has been overcome, if he allows the victory. It is the
unreasoning person who never becomes aware of his defeat, against
whom hate follows anger.
Feelings of unpleasant irritation usually follow anger when social or
other conditions prevent adequate expression. These feelings seem
to be the medium by which the situation exciting anger is repeatedly
recalled. The emotion which appears from the imagined situation
usually does not leave such intense unpleasant feelings, as the
subject tends to attain in his deliberate moments, to some degree,
an inner victory over his opponent, or to find an adequate excuse for
his behavior. Either of these reactions may be successful enough to
exclude irritable feelings in the after-period. Irritation after controlled
anger is the medium for the so-called transfer of the emotion from
an offending to an unoffending object, which is so often observed.
In the after-period of irritation, it is a rather common observation of
the subjects, “I was looking for something or somebody at whom I
could get angry.” “I felt I wanted to hurt somebody.” In fact irritation
in the after-period becomes an essentially affective element in a
situation from which may arise a new anger of a different type. The
first anger may have arisen from a fore-period of humiliation, while
the latter is from that of irritation.
There is evidence that the affective state in the after-period of anger
has a compensating relation to the emotion that has just passed, not
unlike the compensation role played between the anger proper and
the feeling fore-stage from which it arises. The reactive stage of
anger tends to over-compensate for the unpleasant feelings of
irritation and humiliation in the fore-period of anger by either
increasing the pleasantness or diminishing unpleasantness. If the
reaction is incomplete and has not adequately met the emotional
crisis of the moment, irritation may follow with a tendency to
continue further the emotion, or if the reaction has gone too far, it is
paid for by the appearance in the after-stage of other emotions of
social origin, such as fear, shame, pity, etc. The feeling of relief
occurs after the expression has nearly restored consciousness to
about the same affective level as before the beginning of the
emotion; but with active pleasure, a higher affective level has been
attained and the subject feels he was glad to have been angry.
There is a heightened effect in the affective state following anger; a
sort of over-compensation, which is a little out of proportion to the
behavior apart from the anger itself. If the after-period is one of
pleasantness, the feeling is increased far more because of what the
subject has done during the emotion, for it is evident if the same
mental processes and behavior occur without anger, the
pleasantness is less. Joy is a good example of the intensification of
the emotion in the after-period of anger which is out of proportion to
the idea stimulating it. The relation between the fore-period, the
anger proper, and the after-period is so intimate in anger that the
writer has had it repeatedly impressed upon him in making the
present study, that to solve some of the important problems of our
emotional life, this relation must be taken into account. The entire
gamut of the emotional consciousness for each emotion must be
studied from the initial feeling stage to the termination of the
conscious content after the emotion has disappeared. The emotions
do not appear as separate effective entities, but have an intimate
relation which is important in the study of their psychology.
Mild anger may leave the subject in a state of curiosity. A feeling of
doubt as to the motivation of the offender may appear, and curiosity
follows with an awareness of a tendency for anger to reappear if the
occasion should arise. After the emotion has passed, the subject is
aware of tendencies or attitudes, referring directly to the mental
behavior, which were present during the emotion. An attitude of
indifference toward the offender and offending situation follows what
has been called the indifferent type of reaction. The emotion of
anger may leave the subject in a state of confidence toward himself,
positive self-feelings have been reached as a result of the entire
experience. On the other hand, slightly reduced self-feelings may
follow if the reaction to anger has been unsuccessful. It may leave
the subject in either a heightened or a lowered opinion of the
offender. A previously friendly interest in the person committing the
offense may be increased or otherwise. A feeling of amusement at
one’s behavior when recalling it after the emotion has disappeared,
is often reported. The subject stands off, as it were, and views his
own response to anger as if he were a spectator rather than a
partaker of his emotion. What the subject did when angry seems so
incongruous with his mental state after the emotion has
disappeared, that it strikes him as ludicrous. Laughter and
amusement frequently appear in the recall of the emotional
situation.
An attitude of caution often follows. After a period of stressed
inhibition, in which the evil consequences of a too impulsive behavior
have been pre-perceived, there is assumed an attitude of control
and at the same time a readiness to respond to a suitable stimulus.
Anger may leave in its place an attitude of greater determination to
make one’s point, or if the emotion has been entirely satisfactory,
the subject takes the attitude that the score has been settled. An
attitude of belief or conviction as to a future course of action toward
a like offense may follow in the period after anger, which is a direct
result of the conclusion reached when the emotion was present. Mild
anger may have changed the feeling tone but little, but leaves the
subject primed and ready to respond more quickly to another
offense. The result of anger may be purely a practical attitude as to
what should be done in such cases with little marked feeling
accompanying it. The subject is left not in a fighting attitude, but in
one of preparedness to prevent the offense recurring. It is usually
necessary in the after-period to reconstruct or modify the revengeful
plans or conclusions which were formed when the emotion was
intense. What seemed so justifiable during the emotion proper, after
it has disappeared becomes strikingly inopportune. If the emotion
has disappeared unsuccessfully and resentful feelings still linger, the
subject wishes to execute the plans previously formed; but in the act
of doing it, he usually finds difficulties of which he was not aware
when the emotion was intense. An instance from A. will illustrate. He
had been intensely angry at X. and had planned to tell him his
opinion of his conduct. By the time he had opportunity to speak, the
emotion had subsided. He observes, “I had at this point a severe
struggle with myself. I wanted to tell him what I had planned; I felt I
was inconsistent if I did not. On the other hand I was slightly
apprehensive, not of X., but of making myself ludicrous. I recognized
what I had not before, that I was not fully justified, and partially
excused him for what he had done. But the tendency to do what I
had planned still persisted, and I felt I would give anything if I could
do it.” He reports further that although the emotion was now fear, at
this point “the tendency to execute the plan, formed during the
anger, persisted for about fifteen minutes of intense struggle with
myself before it disappeared.” Tendencies in the after-period of the
emotion, which refer to conclusions or resolutions reached during its
active stage, at times, when they appear are passed over lightly and
even with amusement.
The effects of anger may extend far beyond the period immediately
after the emotion has disappeared. The more remote after-period,
after the immediate effects have passed off or been modified, has
important results in our mental life. The momentum, acquired during
anger by determined emotional outburst, may be a reinforcement to
volitional action and may allow old habits to be more quickly broken
down and new ones formed. If an error has been repeatedly made
with increased irritation, till the subject has been thoroughly aroused
to anger at himself, the tendency to repeat the error is usually
successfully forestalled by an attitude of caution and determination
following the emotion. The possible failure may be prevented by mild
anger at the imagined humiliating result, which increases volitional
action to a point insuring success, and a new momentum is acquired
which may have far reaching influences. Slight habitual mistakes,
like errors in typewriting or speaking, repeated forgetting of details,
and social blunders, are reported as cured by anger.
Mild prolonged anger which has not had a fully satisfactory
expression may leave in its wake a fighting attitude which if
transferred into work enables the subject to acquire new levels of
activity. A record from C. will illustrate. He observes, “I would not
allow myself to be dejected, but have planned to fight and dig into it
like everything. These emotions are the greatest stimuli I have. I get
angry, then I want to get down to work for all I am worth.” On the
other hand, anger which has been successfully expressed may be
followed by a feeling of satisfaction in the result and an attitude of
success, which gives momentum for increased volitional action in the
future.
There is usually a residuum from intense anger which may appear
long after the anger has consciously disappeared. The recall of the
situation which had previously excited anger may have little or no
feeling; merely indifference is present. Sometimes feelings of
resentment and dislike are observed, while at other times, there is
amusement. It frequently happens that while the situation which has
previously excited the emotion may be accompanied by indifference
upon its being recalled either voluntarily or involuntarily, there
follows an emotion of dislike and hate. The incident itself may be
almost forgotten, or not recalled at all, but the result of anger is to
be observed in tendencies and emotional dispositions left in the
wake of the emotion. An over-critical attitude, with something of a
gossipy tendency and hostile suspicion in which the bounds of
justice are partly ignored, may long continue to reappear after the
emotion itself has passed away and the situation has been forgotten.
It is rather probable that a single strong outburst of anger does not
leave the hostile emotional disposition in its wake. It is usually the
mild anger, preceded by much feeling of humiliation and anger which
tends to recur again and again till it has settled to a hostile
disposition toward the offender. It is reported in some instances to
refer to the offender’s way of talking, laughing, manner of walking,
his mode of dressing; in fact any chance idea of the offender’s
behavior may be sufficient to allow a feeling of dislike and disgust to
appear.
It may be said that anger which disappears in an unsatisfactory
manner leaves an emotional disposition which possesses
potentialities of both pleasant and unpleasant feelings. Some
persons seem to derive much satisfaction in picking the sores of
their unhealed resentments; little acts of revenge and retaliation are
suddenly hit upon; even hate may have its pleasures. Small acts of
revenge and retaliation are observed with an affective state which
cannot be called anger, but the subject is aware that it refers to the
anger which is passed. One subject became severely angry at his
grocer and went to trade with another merchant near by. He states
that on several occasions just after the anger, when buying at
another place he felt pleased at the other man’s having lost his
trade. Once he observes, “I believe I bought several things I did not
need, I felt I was retaliating and enjoyed it.” The emotional
disposition following anger may be a source of rather intense
enjoyment. Laughter and mirth are observed with the appearance of
an idea that has humiliated the offender. In such cases the laughter
is purely spontaneous with no recall of anger. Subject J. broke out
laughing when told that X. was on unfavorable terms with Y. His
laughter, he observes, referred to a resentment a few days before
against X. In fact laughter frequently springs rather suddenly from
the mental disposition which has followed from anger. Such cases
afford another instance of the close intimacy of our emotions with
each other. The residuum of potential feelings from an emotion of
anger appears in the form of less active pleasantness.
There is a relation between the immediate after-period of anger and
the more remote one that is important. If anger is immediately
followed by such emotions as pity, shame, regret or fear, any
positive tendency left over in the remote after-period from the
emotion itself is apparently lacking. There is, however, a negative
effect. The subject is immune against re-experiencing the same emotion
from the same emotional situation again, but anger which has
disappeared with unpleasant feelings may tend to recur in a rather
prolonged after-period and may finally settle into an emotional
disposition and mental attitude which play an important role in
behavior and later feelings. It seems to be true, that when anger
disappears consciously in such a manner that the subject is aware
that his wishes have not been satisfied and the disappearance is
followed by unpleasant feelings, the immediate after-period is rather
barren as compared with the out-cropping which appears in a more
remote period after the emotion. In anger, when sudden control is
required, the subject is forced to attend to something else or react
contrary to the emotional tendency to save himself a later
humiliation. The immediate after-period is usually one of
unpleasantness and tension. Under such circumstances, the
tendency to recur again and again is characteristic and if, in some
later recurrence or expression through the imaginative process, it
does not end satisfactorily, it may settle down to an emotional
disposition and mental attitude.
Anger that arises from a fore-period of irritation in which the subject
suddenly bursts out with emotion may have an immediate after-
period of irritation, but it leaves little in the remote after-period; the
subject is aware that the emotion is finished. Anger which ends with
active pleasantness of victory leaves an attitude of confidence and
success toward the situation which has excited the emotion. There is
little tendency for the emotion, disappearing in this fashion, to
reappear except in its pleasant stage. With a consciousness of
complete victory in the immediate after-period, there is established
an attitude of positive self-feeling and confidence toward the
situation exciting the emotion so that a practical immunity against
the reappearance of anger in its unpleasant stage is reached as a
negative result of the emotion. There are wide individual differences
in the ability of the subjects studied to allow anger to disappear,
leaving a pleasant after-period. C. reports but few instances in which
his anger disappeared with a fully satisfactory result. He
consequently has a wealth of emotional dispositions and mental
attitudes following anger. On the other hand F. and E., whose anger
emotions are less intense, are early able either to attain an inner
victory or to react contrary to the emotion and leave an after-period
of immunity against its reappearance from the same mental
situation. Hence the tendencies and dispositions left over in the
after-period of their anger are less. E.’s dislikes are short lived. It is
probable that some subjects have acquired the habit of shortening
their emotions of anger, short-cutting the unpleasant period of
restraint and early acquiring the after-period of relief, humor or it
may be indifference, before the emotion has developed far.
Classifications. Anger might be classified according to a number of
schemes that would serve the purpose of emphasizing its
characteristics. From the standpoint of feeling, anger might be
classed as pleasant or unpleasant. Some emotions of anger are
observed to be almost entirely pleasant from their early beginning
including their final ending. Other cases have fluctuating pleasant
and unpleasant stages. There are few instances of anger that have
no flash of pleasantness anywhere, in some degree before the
emotion is finally completed. The unsatisfactorily expressed emotion
is almost entirely unpleasant. Even anger of this kind usually shows
some flash of pleasantness or relief at the moment of the angry
outburst.
Secondly, anger might be classified as exciting or calm. The exciting
anger has greater tension during the period of the emotion proper.
There is usually less co-ordination and greater intensity of feeling
which may be either pleasant or unpleasant. The motor reactions are
more prominent than the mental reactions. On the other hand, calm
anger usually has a longer observable fore and after-period of the
emotion. Mental processes are intensified, the motor expression is
correspondingly less.
Anger may be classified according to its function. The emotion may
be merely an end in itself. It relieves the tension of unpleasant
feelings. It is purgative in its effect in removing an unpleasant
mental situation. The underlying purpose of such anger is not to
increase volitional action, in fact, it may disturb co-ordination to any
purposive end. This type serves primarily to remove the tension of
unpleasant accumulations of feelings in some act of expression. If
successful in its purpose, it may have an indirect hygienic effect on
mental action. Further, anger may be of a kind which intensifies
volitional action, accomplishes work, and serves the end of survival.
A residuum in mental attitude and emotional disposition follows,
which has possibilities either of morbidity or a source of energy
which is sublimated into work.
Anger may be classified genetically on the basis of sentiments which
are violated in its origin. Anger which springs from a thwarting of
desires is primary in its origin. This is the usual type of anger of
young children and animals. Anger which has its source in the self-
feelings, such as the sentiments of honor and self respect and in
social feelings, of injustice, of fairness, are genetically later in their
development.
Types. Three rather definite types appear. First is anger which rises
from a fore-period of irritable feelings. It develops by a cumulative
process of irascible feelings, through a series of stimuli till the point
of anger is suddenly reached. An idea is present at the point of
anger which serves as a vehicle of expression. It may be an idea not
directly associated with the situation exciting the emotion. In fact an
apparently irrelevant idea may break the crust of unpleasant feeling
tension and serve as an objective reference for the emotion. Anger
of this type is scattered. It is not necessary that the emotion be
referred to the actual thwarting idea, it frequently refers to
inanimate objects and often arises from the irritation accompanying
pain. The active period of this type of emotion is mostly voco-motor
tension and reaction of larger muscles. The immediate after-period
may be a feeling of relief, irascible irritation, or other emotions such
as pity, shame, regret and fear. Its increased volitional action may
establish a mental attitude of caution and determination against a
future thwarting when it is finished. A new emotion may arise
however from the same background of irritation. The after effects of
an emotion of this type are shallow and easily forgotten. It does not
leave hate or dislike in its wake, there is nothing left over for
revengeful behavior.
A second type of anger is predetermined by another sort of mental
disposition. Self-feelings are its source. An idea excites negative self-
feeling and anger follows as a reaction with the purpose of restoring
positive feelings of self. It usually has a greater proportion of
pleasantness than the type described above. Its end is to attain
pleasantness in some form of positive self-feeling, and when that is
successfully reached the emotion disappears. Any idea from a
subjective or objective source which intensifies positive feelings of
self, tends to diminish emotion of this type. The thwarting of a
desire, due to the damage and inconvenience done, is insignificant
as compared with the thrust that one’s pride and self-respect have