In conjunction with the "12th Workshop on Elliptic Curve Cryptography -- ECC 2008" we are organizing a summer school on elliptic and hyperelliptic curve cryptography. The summer school will take place immediately before ECC 2008, which will be held in Utrecht, the Netherlands. Eindhoven and Utrecht are 50 minutes apart by train.

The course is intended for young researchers and practitioners interested in learning the background of curve-based cryptography. The topics of the summer school range from the basic ideas of discrete logarithm based cryptography and finite field arithmetic to advanced topics such as pairings and point counting. During the week of lectures the participants get a full tour through most of the exciting background on elliptic curves. The summer school provides an excellent basis for attending ECC 2008, which is held just after the summer school.

This school will be similar to the ECRYPT summer school on ECC held 2004 in Bochum, the FICS-Summer School on "Elliptic Curves in Cryptography" held 2005 in Copenhagen, and the Summer School on Elliptic and Hyperelliptic Curve Cryptography held 2006 at the Fields Institute in Toronto. For this year we increase the number of exercise and solutions hours to ensure a deep understanding.


This course is intended for graduate students in cryptography and mathematics. The participants are expected to be familiar with finite fields; some experience with elliptic curves is helpful but not necessary.


The objective of the course is to prepare for the following ECC conference - but should be interesting as an individual course to get an overview of the area of curve cryptography, too. The course starts with an introduction to elliptic and hyperelliptic curves and details efficient arithmetic. Latest developments such as Edwards curves and other curve shapes are also covered. To avoid attacks by brute force, the group order must be large enough. The Hasse-Weil bound gives bounds on the number of points over finite fields and thus an approximation to the size of the group. However, since the DLP could be solved in subgroups and then computed for the big group with the help of the Chinese Remainder Theorem one needs to ensure that the group order is known and contains a large prime factor. For elliptic curves we explain Schoof's algorithm as a method to count points on curves over prime fields. We explain p-adic numbers which are used in point counting methods in the case of small characteristic fields. A comparably new topic in curve based cryptography is pairings. They have been studied in mathematics since many years but only the constructive application of pairings in cryptographic protocols raised interest in the efficient computation of the Weil and Tate-Lichtenbaum pairings. We introduce the pairings and explain optimizations for their implementation. A different approach is to construct curves using the CM method. Even though nowadays counting points via Schoof's algorithm is feasible for elliptic curves of cryptographic size this method is still of interest, e.g. it is the main way of constructing non-supersingular curves with low embedding degree which can be useful in pairing based protocols if one wants to avoid supersingular curves for some reason or if a larger embedding degree is desired.


The school will begin at 10 a.m. on September 15th and end around 1 p.m. on September 19th. For the evening of September 17th some social program and a conference dinner are planned.


The lectures will be delivered by the following list of speakers (some more are in discussion):


Wireless access will be provided in the lecture rooms. We're trying to get access to a few PCs for people without laptops.

Social Event

Wednesday evening we will have a joint dinner. We start with a reception in the Zwarte Doos and then have a short (walking) excursion through Eindhoven to the restaurant "Carioca" for the main course and deserts. After that we will walk together to the Trafalgar Pub (Dommelstraat, close to the train station); from that point on you're on your own.


The summer school is made possible due to support by the mathematics cluster DIAMANT.

For further information, please contact:

    Tanja Lange
    Coding Theory and Cryptology
    EIPSI - Eindhoven Institute for the Protection of Systems and Information