Doing more with fewer bits
Proceedings of Asiacrypt '99, LNCS 1716, Springer-Verlag, 1999
Cited by 27 (4 self)
Abstract. We present a variant of the Diffie-Hellman scheme in which the number of bits exchanged is one third of what is used in the classical Diffie-Hellman scheme, while the offered security against attacks known today is the same. We also give applications for this variant and conjecture an extension of this variant further reducing the size of sent information.
Two-Party Generation of DSA Signatures
2004
Cited by 27 (7 self)
We describe a means of sharing the DSA signature function, so that two parties can efficiently generate a DSA signature with respect to a given public key but neither can alone. We focus on a certain instantiation that allows a proof of security for concurrent execution in the random oracle model and that is very practical. We also briefly outline a variation that requires more rounds of communication but that allows a proof of security for sequential execution without random oracles.
Strengthening Zero-Knowledge Protocols using Signatures
In Proceedings of EUROCRYPT '03, LNCS series, 2003
Cited by 26 (6 self)
Recently there has been an interest in zero-knowledge protocols with stronger properties, such as concurrency, unbounded simulation soundness, non-malleability, and universal composability. In this paper,
Efficient Generation of Prime Numbers
2000
Cited by 12 (4 self)
The generation of prime numbers underlies the use of most public-key schemes, essentially as a major primitive needed for the creation of key pairs or as a computation stage appearing during various cryptographic setups. Surprisingly, despite decades of intense mathematical studies on primality testing and an observed progressive intensification of cryptographic usages, prime number generation algorithms remain scarcely investigated and most real-life implementations are of rather poor performance. Common generators typically output an n-bit prime in heuristic average complexity O(n^4) or O(n^4 / log n), and these figures, according to experience, seem impossible to improve significantly: this paper rather shows a simple way to substantially reduce the value of the hidden constants to provide much more efficient prime generation algorithms. We apply our...
Finding Secure Curves with the Satoh-FGH Algorithm and an Early-Abort Strategy
In B. P (ed), Advances in Cryptology - EUROCRYPT 2001, Lecture Notes in Computer Science 2045, 2001
Cited by 5 (2 self)
The use of elliptic curves in cryptography relies on the ability to count the number of points on a given curve. Before 1999, the SEA algorithm was the only efficient method known for random curves. Then Satoh proposed a new algorithm based on the canonical p-adic lift of the curve for p ≥ 5. In an earlier paper, the authors extended Satoh's method to the case of characteristics two and three. This paper presents an implementation of the Satoh-FGH algorithm and its application to the problem of finding curves suitable for cryptography. By combining Satoh-FGH and an early-abort strategy based on SEA, we are able to find secure random curves in characteristic two in much less time than previously reported. In particular we can generate curves widely considered to be as secure as RSA-1024 in less than one minute each on a fast workstation.
Cryptanalysis of the Dual Elliptic Curve pseudorandom generator
Cryptology ePrint Archive, Report 2006/190, 2006
Two-Party Generation of DSA Signatures (Extended Abstract)
Advances in Cryptology - EUROCRYPT 2001, 2001
Cited by 1 (0 self)
Philip MacKenzie and Michael K. Reiter, Bell Labs, Lucent Technologies, Murray Hill, NJ, USA
Abstract. We describe a means of sharing the DSA signature function, so that two parties can efficiently generate a DSA signature with respect to a given public key but neither can alone. We focus on a certain instantiation that allows a proof of security for concurrent execution in the random oracle model, and that is very practical. We also briefly outline a variation that requires more rounds of communication, but that allows a proof of security for sequential execution without random oracles.
Improving Cut-and-Choose in Verifiable Encryption and Fair Exchange Protocols using Trusted Computing Technology
2009
Cited by 1 (0 self)
Cut-and-choose is used in interactive zero-knowledge protocols in which a prover answers a series of random challenges that establish with high probability that the prover is honestly following the defined protocol. In this paper, we examine one such protocol and explore the consequences of replacing the statistical trust gained from cut-and-choose with a level of trust that depends on the use of secure, trusted hardware. As a result, previous interactive protocols with multiple rounds can be improved to non-interactive protocols with computational requirements equivalent to a single round of the original protocol. Surprisingly, we accomplish this goal by using hardware that is not designed for our applications, but rather simply provides a generic operation that we call “certified randomness,” which produces a one-way image of a random value along with an encrypted version that is signed by the hardware to indicate that these values are properly produced. It is important to stress that while we use this operation to improve cut-and-choose protocols, the trusted operation does not depend in any way on the particular protocol or even the data used in the protocol: it operates only with random data that it generates. This functionality can be achieved with minor extensions to the standard Trusted Platform Modules (TPMs) that are being used in many current systems. We demonstrate our technique through application to cut-and-choose protocols for verifiable group encryption and optimistic fair exchange. In both cases we can remove or drastically reduce the amount of interaction required, as well as decrease the computational requirements significantly.
GENERALISED MERSENNE NUMBERS REVISITED
Abstract. Generalised Mersenne Numbers (GMNs) were defined by Solinas in 1999 and feature in the NIST (FIPS 186-2) and SECG standards for use in elliptic curve cryptography. Their form is such that modular reduction is extremely efficient, thus making them an attractive choice for modular multiplication implementation. However, the issue of residue multiplication efficiency seems to have been overlooked. Asymptotically, using a cyclic rather than a linear convolution, residue multiplication modulo a Mersenne number is twice as fast as integer multiplication; this property does not hold for prime GMNs, unless they are of Mersenne’s form. In this work we exploit an alternative generalisation of Mersenne numbers for which an analogue of the above property — and hence the same efficiency ratio — holds, even at bit-lengths for which schoolbook multiplication is optimal, while also maintaining very efficient reduction. Moreover, our proposed primes are abundant at any bit-length, whereas GMNs are extremely rare. Our multiplication and reduction algorithms can also be easily parallelised, making our arithmetic particularly suitable for hardware implementation. Furthermore, the field representation we propose also naturally protects against side-channel attacks, including timing attacks, simple power analysis and differential power analysis, which is essential in many cryptographic scenarios, in contrast to GMNs.