Signature Schemes Based on the Strong RSA Assumption
ACM TRANSACTIONS ON INFORMATION AND SYSTEM SECURITY, 1998
Cited by 180 (8 self)
We describe and analyze a new digital signature scheme. The new scheme is quite efficient, does not require the signer to maintain any state, and can be proven secure against adaptive chosen message attack under a reasonable intractability assumption, the so-called Strong RSA Assumption. Moreover, a hash function can be incorporated into the scheme in such a way that it is also secure in the random oracle model under the standard RSA Assumption.
Approximation Algorithms for Grammar-Based Compression
In Proceedings of the 13th ACM-SIAM Symposium on Discrete Algorithms, 2002
Cited by 37 (2 self)
Several recently-proposed data compression algorithms are based on the idea of representing a string by a context-free grammar. Most of these algorithms are known to be asymptotically optimal with respect to a stationary ergodic source and to achieve a low redundancy rate. However, such results do not reveal how effectively these algorithms exploit the grammar model itself; that is, are the compressed strings produced as small as possible? We address this issue by analyzing the approximation ratio of several algorithms, that is, the maximum ratio between the size of the generated grammar and the smallest possible grammar over all inputs. On the negative side, we show that every polynomial-time grammar-compression algorithm has approximation ratio at least 8569/8568 unless P = NP. Moreover, achieving an approximation ratio of o(log n / log log n) would require progress on an algebraic problem in a well-studied area. We then upper and lower bound approximation ratios for the following four previously-proposed grammar-based compression algorithms: Sequential, Bisection, Greedy, and LZ78, each of which employs a distinct approach to compression. These results seem to indicate that there is much room to improve grammar-based compression algorithms.
Minding Your P's and Q's
In Advances in Cryptology – ASIACRYPT'96, LNCS 1163, 1996
Cited by 29 (3 self)
Over the last year or two, a large number of attacks have been found by the authors and others on protocols based on the discrete logarithm problem, such as ElGamal signature and Diffie-Hellman key exchange. These attacks depend on causing variables to assume values whose discrete logarithms can be calculated, whether by forcing a protocol exchange into a smooth subgroup or by choosing degenerate values directly. We survey these attacks and discuss how to build systems that are robust against them. In the process we elucidate a number of the design decisions behind the US Digital Signature Standard.
Approximation Algorithms for Grammar-Based Data Compression
2002
Cited by 11 (0 self)
This thesis considers the smallest grammar problem: find the smallest context-free grammar that generates exactly one given string. We show that this problem is intractable, and so our objective is to find approximation algorithms. This simple question is connected to many areas of research. Most importantly, there is a link to data compression; instead of storing a long string, one can store a small grammar that generates it. A small grammar for a string also naturally brings out underlying patterns, a fact that is useful, for example, in DNA analysis. Moreover, the size of the smallest context-free grammar generating a string can be regarded as a computable relaxation of Kolmogorov complexity. Finally, work on the smallest grammar problem qualitatively extends the study of approximation algorithms to hierarchically-structured objects. In this thesis, we establish hardness results, evaluate several previously proposed algorithms, and then present new procedures with much stronger approximation guarantees.
Differential addition chains
2006
Cited by 9 (3 self)
Differential addition chains (also known as strong addition chains, Lucas chains, and Chebyshev chains) are addition chains in which every sum is already accompanied by a difference. Low-cost differential addition chains are used to efficiently exponentiate in groups where the operation a, b, a/b ↦ ab is fast: in particular, to perform x-coordinate scalar multiplication P ↦ mP on an elliptic curve y^2 = x^3 + Ax^2 + x. Similarly, low-cost two-dimensional differential addition chains are used to efficiently compute the function P, Q, P − Q ↦ mP + nQ on an elliptic curve. This paper presents two new constructive upper bounds on the costs of two-dimensional differential addition chains. The paper's new "binary" chain is very easy to compute and uses 3 additions (14 field multiplications in the elliptic-curve context) per exponent bit, with a uniform structure that helps protect against side-channel attacks. The paper's new "extended-gcd" chain takes more time to compute, does not have the uniform structure, and is not easy to analyze, but experiments show that it takes only about 1.77 additions (9.97 field multiplications) per exponent bit.

1 What is a differential addition chain? A differential addition chain is an addition chain in which each sum is already accompanied by a difference: i.e., whenever a new chain element P + Q is formed by adding P and Q, the difference P − Q was already in the chain. Here is an example of a one-dimensional differential addition chain starting from 0 and 1:
ON THE EXISTENCE AND NONEXISTENCE OF ELLIPTIC PSEUDOPRIMES
Cited by 3 (0 self)
In a series of papers, D. Gordon and C. Pomerance demonstrated that pseudoprimes on elliptic curves behave in many ways very similarly to pseudoprimes related to Lucas sequences. In this paper we give an answer to a challenge that was posted by D. Gordon in 1989. The challenge was to either prove that a certain composite N ≡ 1 mod 4 did not exist, or to explicitly calculate such a number. In this paper, we both present such a specific composite (for Gordon's curve with CM by Q(√−7)), as well as a proof of the nonexistence (for curves with CM by Q(√−3)). We derive some criteria for the group structure of CM curves that allow testing for all composites, including N ≡ 3 mod 4 which had been excluded by Gordon. This gives rise to another type of examples of composites where strong elliptic pseudoprimes are not Euler elliptic pseudoprimes.
Lower Bounds for Lucas Chains
SIAM J. COMPUTING, 2002
Cited by 2 (0 self)
Lucas chains are a special type of addition chains satisfying an extra condition: for the representation a_k = a_j + a_i of each element a_k in the chain, the difference a_j − a_i must also be contained in the chain. In analogy to the relation between addition chains and exponentiation, Lucas chains yield computation sequences for Lucas functions, a special kind of linear recurrences. We show that the great majority of natural numbers n do not have Lucas chains shorter than # log # n for any 0, where # is the golden ratio. Peter Montgomery was the first to consider Lucas chains in the early eighties. He discovered a decomposition theorem for Lucas chains and a lower bound on their length in terms of Fibonacci numbers. His work was not published. Therefore several of Montgomery's original ideas are represented in this paper.
Finding strong pseudoprimes to several bases. II
2003
Cited by 1 (1 self)
Define ψm to be the smallest strong pseudoprime to all the first m prime bases. If we know the exact value of ψm, we will have, for integers n < ψm, a deterministic efficient primality testing algorithm which is easy to implement. Thanks to Pomerance et al. and Jaeschke, the ψm are known for 1 ≤ m ≤ 8. Upper bounds for ψ9, ψ10 and ψ11 were first given by Jaeschke, and those for ψ10 and ψ11 were then sharpened by the first author in his previous paper (Math. Comp. 70 (2001), 863–872). In this paper, we first follow the first author's previous work to use biquadratic residue characters and cubic residue characters as main tools to tabulate all strong pseudoprimes (spsp's) n < 10^24 to the first five or six prime bases, which have the form n = pq with p, q odd primes and q − 1 = k(p − 1), k = 4/3, 5/2, 3/2, 6; then we tabulate all Carmichael numbers < 10^20, to the first six prime bases up to 13, which have the form n = q1q2q3 with each prime factor qi ≡ 3 mod 4. There are in total 36 such Carmichael numbers, 12 numbers of which are also spsp's to base 17; 5 numbers are spsp's to bases 17 and 19; one number is an spsp to the first 11 prime bases up to 31. As a result the upper bounds for ψ9, ψ10 and ψ11 are lowered from 20- and 22-decimal-digit numbers to a 19-decimal-digit number: ψ9 ≤ ψ10 ≤ ψ11 ≤ Q11 = 3825 12305 65464 13051 (19 digits) = 149491 · 747451 · 34233211. We conjecture that ψ9 = ψ10 = ψ11 = 3825 12305 65464 13051, and give reasons to support this conjecture. The main idea for finding these Carmichael numbers is that we loop on the largest prime factor q3 and propose necessary conditions on n to be a strong pseudoprime to the first 5 prime bases. Comparisons of effectiveness with Arnault's, Bleichenbacher's, Jaeschke's, and Pinch's methods for finding (Carmichael) numbers with three prime factors, which are strong pseudoprimes to the first several prime bases, are given.
NOTES ON SOME NEW KINDS OF PSEUDOPRIMES
J. Browkin defined in his recent paper (Math. Comp. 73 (2004), pp. 1031–1037) some new kinds of pseudoprimes, called Sylow p-pseudoprimes and elementary Abelian p-pseudoprimes. He gave examples of strong pseudoprimes to many bases which are not Sylow p-pseudoprimes to two bases only, where p = 2 or 3. In this paper, in contrast to Browkin's examples, we give facts and examples which are unfavorable for Browkin's observation to detect compositeness of odd composite numbers. In Section 2, we tabulate and compare counts of numbers in several sets of pseudoprimes and find that most strong pseudoprimes are also Sylow 2-pseudoprimes to the same bases. In Section 3, we give examples of Sylow p-pseudoprimes to the first several prime bases for the first several primes p. We especially give an example of a strong pseudoprime to the first six prime bases, which is a Sylow p-pseudoprime to the same bases for all p ∈ {2, 3, 5, 7, 11, 13}. In Section 4, we define n to be a k-fold Carmichael Sylow pseudoprime if it is a Sylow p-pseudoprime to all bases prime to n for all the first k smallest odd prime factors p of n − 1. We find and tabulate all three 3-fold Carmichael Sylow pseudoprimes < 10^16. In Section 5, we define a positive odd composite n to be a Sylow uniform pseudoprime to bases b1, ..., bk, or a Sylupsp(b1, ..., bk) for short, if it is a Sylppsp(b1, ..., bk) for all the first ω(n − 1) − 1 small prime factors p of n − 1, where ω(n − 1) is the number of distinct prime factors of n − 1. We find and tabulate all the 17 Sylupsp(2, 3, 5)'s < 10^16 and some Sylupsp(2, 3, 5, 7, 11)'s < 10^24. Comparisons of effectiveness of Browkin's observation with Miller tests to detect compositeness of odd composite numbers are given in Section 6.
Signature Schemes Based on the Strong RSA Assumption
1999
We describe and analyze a new digital signature scheme. The new scheme is quite efficient, does not require the signer to maintain any state, and can be proven secure against adaptive chosen message attack under a reasonable intractability assumption, the so-called strong RSA assumption. Moreover, a hash function can be incorporated into the scheme in such a way that it is also secure in the random oracle model under the standard RSA assumption.

1 Introduction. We describe new, efficient digital signature schemes whose security is based on the strong RSA assumption. By security, we mean security against an adaptive chosen message attack, as defined in [11]. To prove that our new schemes are secure, we need to make the strong RSA assumption, recently introduced by [2]. We also need a collision-resistant hash function; actually, as we shall see, a universal one-way hash function [16] is sufficient.