The State of Elliptic Curve Cryptography Neal Koblitz, Alfred Menezes, and Scott Vanstone summarize the development of elliptic curve cryptosystems since their introduction in 1985. Public-key cryptography, introduced by Diffie and Hellman in 1976, relied on the difficulty of solving the discrete logarithm problem. This problem was initially defined in the multiplicative group of integers modulo a prime, but it can be extended to arbitrary groups, including elliptic curve groups. Elliptic curve cryptosystems offer small key sizes, high speed, and strong security, making them suitable for applications with limited computational resources, such as smart cards and wireless devices. The discrete logarithm problem involves finding an exponent x such that α^x = β, where α and β are elements of a finite group. Groups used in cryptography include multiplicative groups of finite fields, the group of units of Z_n, and elliptic curve groups. Elliptic curves, studied for over a century, have found applications in coding theory, pseudorandom bit generation, and number theory algorithms. In 1985, Koblitz and Miller independently proposed using elliptic curve groups in discrete log cryptosystems. The advantage of elliptic curve systems is that they lack subexponential-time algorithms for solving discrete logs, allowing for smaller key sizes and faster implementations. However, elliptic curve analogues of RSA, proposed by Koyama et al, were later found to offer no significant advantages over RSA and are not discussed here. The paper is organized into sections reviewing elliptic curves, discussing elliptic curve discrete log cryptosystems, the elliptic curve discrete logarithm problem, and implementation issues. Elliptic curves over finite fields are defined by equations of the form y² = x³ + ax + b, with certain conditions on a and b. The paper provides a foundation for understanding elliptic curve cryptography and its applications.The State of Elliptic Curve Cryptography Neal Koblitz, Alfred Menezes, and Scott Vanstone summarize the development of elliptic curve cryptosystems since their introduction in 1985. Public-key cryptography, introduced by Diffie and Hellman in 1976, relied on the difficulty of solving the discrete logarithm problem. This problem was initially defined in the multiplicative group of integers modulo a prime, but it can be extended to arbitrary groups, including elliptic curve groups. Elliptic curve cryptosystems offer small key sizes, high speed, and strong security, making them suitable for applications with limited computational resources, such as smart cards and wireless devices. The discrete logarithm problem involves finding an exponent x such that α^x = β, where α and β are elements of a finite group. Groups used in cryptography include multiplicative groups of finite fields, the group of units of Z_n, and elliptic curve groups. Elliptic curves, studied for over a century, have found applications in coding theory, pseudorandom bit generation, and number theory algorithms. In 1985, Koblitz and Miller independently proposed using elliptic curve groups in discrete log cryptosystems. The advantage of elliptic curve systems is that they lack subexponential-time algorithms for solving discrete logs, allowing for smaller key sizes and faster implementations. However, elliptic curve analogues of RSA, proposed by Koyama et al, were later found to offer no significant advantages over RSA and are not discussed here. The paper is organized into sections reviewing elliptic curves, discussing elliptic curve discrete log cryptosystems, the elliptic curve discrete logarithm problem, and implementation issues. Elliptic curves over finite fields are defined by equations of the form y² = x³ + ax + b, with certain conditions on a and b. The paper provides a foundation for understanding elliptic curve cryptography and its applications.