Results 1–10 of 15
A Survey of Fast Exponentiation Methods
Journal of Algorithms, 1998
Cited by 154 (0 self)

Abstract
Public-key cryptographic systems often involve raising elements of some group (e.g. GF(2^n), Z/NZ, or elliptic curves) to large powers. An important question is how fast this exponentiation can be done, which often determines whether a given system is practical. The best method for exponentiation depends strongly on the group being used, the hardware the system is implemented on, and whether one element is being raised repeatedly to different powers, different elements are raised to a fixed power, or both powers and group elements vary. This problem has received much attention, but the results are scattered through the literature. In this paper we survey the known methods for fast exponentiation, examining their relative strengths and weaknesses.
On Parallel Hashing and Integer Sorting
1991
Cited by 25 (9 self)

Abstract
The problem of sorting n integers from a restricted range [1..m], where m is superpolynomial in n, is considered. An o(n log n) randomized algorithm is given. Our algorithm takes O(n log log m) expected time and O(n) space. (Thus, for m = n^{polylog(n)} we have an O(n log log n) algorithm.) The algorithm is parallelizable. The resulting parallel algorithm achieves optimal speed-up. Some features of the algorithm make us believe that it is relevant for practical applications. A result of independent interest is a parallel hashing technique. The expected construction time is logarithmic using an optimal number of processors, and searching for a value takes O(1) time in the worst case. This technique enables drastic reduction of space requirements for the price of using randomness. Applicability of the technique is demonstrated for the parallel sorting algorithm, and for some parallel string matching algorithms. The parallel sorting algorithm is designed for a strong and non-standard mo...
Resource Fairness and Composability of Cryptographic Protocols
In Cryptology ePrint Archive, http://eprint.iacr.org/2005/370
Cited by 20 (1 self)

Abstract
We introduce the notion of resource-fair protocols. Informally, this property states that if one party learns the output of the protocol, then so can all other parties, as long as they expend roughly the same amount of resources. As opposed to similar previously proposed definitions, our definition follows the standard simulation paradigm and enjoys strong composability properties. In particular, our definition is similar to the security definition in the universal composability (UC) framework, but works in a model that allows any party to request additional resources from the environment to deal with dishonest parties that may prematurely abort. In this model we specify the ideally fair functionality as allowing parties to “invest resources” in return for outputs, but in such an event offering all other parties a fair deal. (The formulation of fair dealings is kept independent of any particular functionality, by defining it using a “wrapper.”) Thus, by relaxing the notion of fairness, we avoid a well-known impossibility result for fair multi-party computation with corrupted majority; in particular, our definition admits constructions that tolerate an arbitrary number of corruptions. We also show that, as in the UC framework, protocols in our framework may be arbitrarily and concurrently composed. Turning to constructions, we define a “commit-prove-fair-open” functionality and design an efficient resource-fair protocol that securely realizes it, using a new variant of a cryptographic primitive known as “time-lines.” With (the fairly wrapped version of) this functionality we show that some of the existing secure multi-party computation protocols can be easily transformed into resource-fair protocols while preserving their security.
Timed commitments (Extended Abstract)
In Advances in Cryptology — CRYPTO ’00, 2000
Cited by 13 (0 self)

Abstract
We introduce and construct timed commitment schemes, an extension to the standard notion of commitments in which a potential forced opening phase permits the receiver to recover (with effort) the committed value without the help of the committer. An important application of our timed-commitment scheme is contract signing: two mutually suspicious parties wish to exchange signatures on a contract. We show a two-party protocol that allows them to exchange RSA or Rabin signatures. The protocol is strongly fair: if one party quits the protocol early, then the two parties must invest comparable amounts of time to retrieve the signatures. This statement holds even if one party has many more machines than the other. Other applications, including honesty-preserving auctions and collective coin-flipping, are discussed.
Efficient and Secure Multi-Party Computation with Faulty Majority and Complete Fairness
In Cryptology ePrint Archive, http://eprint.iacr.org/2004/019, 2004
Cited by 8 (1 self)

Abstract
We study the problem of constructing secure multi-party computation (MPC) protocols that are completely fair, meaning that either all the parties learn the output of the function, or nobody does, even when a majority of the parties are corrupted. We first propose a framework for fair multi-party computation, within which we formulate a definition of secure and fair protocols. The definition follows the standard simulation paradigm, but is modified to allow the protocol to depend on the running time of the adversary. In this way, we avoid a well-known impossibility result for fair MPC with corrupted majority; in particular, our definition admits constructions that tolerate up to (n − 1) corruptions, where n is the total number of parties. Next, we define a "commit-prove-fair-open" functionality and construct an efficient protocol that realizes it, using a new variant of a cryptographic primitive known as "time-lines." With this functionality, we show that some of the existing secure MPC protocols can be easily transformed into fair protocols while preserving their security. Putting these results together, we construct efficient, secure MPC protocols that are completely fair even in the presence of corrupted majorities. Furthermore, these protocols remain secure when arbitrarily composed with any protocols, which means, in particular, that they are concurrently-composable and non-malleable. Finally, as an example of our results, we show a very efficient protocol that fairly and securely solves the socialist millionaires' problem.
A Sublinear-Time Parallel Algorithm for Integer Modular Exponentiation
1999
Cited by 8 (0 self)

Abstract
The modular exponentiation problem is, given integers x, a, m with m > 0, compute x^a mod m. Let n denote the sum of the lengths of x, a, and m in binary. We present a parallel algorithm for this problem that takes O(n / log log n) time on the common CRCW PRAM using O(n^{2+ε}) processors. This algorithm is based on Bernstein's Explicit Chinese Remainder Theorem combined with a fast method for parallel prefix summation. We also present a linear time algorithm for the EREW PRAM.

1 Introduction

In this paper we present a new parallel algorithm for the modular exponentiation problem. This problem is, given integers x, a and a positive integer m, compute x^a mod m. Applications for this problem are quite numerous, and include primality testing, integer factoring, the discrete logarithm problem, and cryptographic protocols based on these problems such as RSA. It is not an overstatement to say that modular exponentiation is a fundamentally important problem, and fast algorithms for t...
On the Power of Nonlinear Secret-Sharing
In Conf. on Computational Complexity, 2001
Cited by 4 (4 self)

Abstract
A secret-sharing scheme enables a dealer to distribute a secret among n parties such that only some predefined authorized sets of parties will be able to reconstruct the secret from their shares. The (monotone) collection of authorized sets is called an access structure, and is freely identified with its characteristic monotone function f : 1}. A family of secret-sharing schemes is called efficient if the total length of the n shares is polynomial in n. Most previously known secret-sharing schemes belonged to a class of linear schemes, whose complexity coincides with the monotone span program size of their access structure. Prior to this work there was no evidence that nonlinear schemes can be significantly more efficient than linear schemes, and in particular there were no candidates for schemes efficiently realizing access structures which do not lie in NC.
Parallel Complexity of Integer Coprimality
2000
Cited by 4 (0 self)

Abstract
It is shown that integer coprimality testing is in NC. AMS classification codes: 68Q15, 68Q22, 68Q25

1 Introduction

The object of this paper is to prove Theorem 1: Integer coprimality is in NC.

1.1 Background

The parallel complexity of basic arithmetic operations has been closely investigated since the 1960s. In the case of arithmetic, problem size is usually measured in terms of binary notation for the integer inputs. It is known that addition and multiplication of n-bit integers can be done in NC^1, i.e., by logspace-computable Boolean circuit families of O(log n) depth and with n^{O(1)} Boolean gates. Details about these classical results may be found in [12], and information about the parallel complexity class NC may be found in [11, 4]. It is also known that division can be done in the same time and size bounds, but slightly more than logspace is needed to build the requisite Boolean circuits. It is open whether or not division is in NC^1. See [2, 5, 7] for more information abou...
Offline Submission with RSA Time-Lock Puzzles
Cited by 3 (2 self)

Abstract
We introduce a non-interactive RSA time-lock puzzle scheme whose level of difficulty can be arbitrarily chosen by artificially enlarging the public exponent. Solving a puzzle for a message m means for Bob to encrypt m with Alice’s public puzzle key by repeated modular squaring. The number of squarings to perform determines the puzzle complexity. This puzzle is non-parallelizable. Thus, the solution time cannot be shortened significantly by employing many machines and it varies only slightly across modern CPUs. Alice can quickly verify the puzzle solution by decrypting the ciphertext with a regular private key operation. Our main contribution is an offline submission protocol which enables an author who is currently offline to commit to his document before the deadline by continuously solving an RSA puzzle based on that document. When regaining Internet connectivity, he submits his document along with the puzzle solution, which is a proof of the timely completion of the document. We have implemented a platform-independent tool performing all parts of our offline submission protocol: puzzle benchmark, issuing a time-lock RSA certificate, solving a puzzle and finally verifying the solution for a submitted document. Two other applications we propose for RSA time-lock puzzles are trial certificates from a well-known CA and a CEO disclosing the signing private key to his deputy.
Efficient Algorithms for Computing the Jacobi Symbol (Extended Abstract)
Journal of Symbolic Computation, 1998
Cited by 1 (0 self)

Abstract
We present two new algorithms for computing the Jacobi Symbol: the right-shift and left-shift k-ary algorithms. For inputs of at most n bits in length, both algorithms take O(n^2 / log n) time and O(n) space. This is asymptotically faster than the traditional algorithm, which is based on Euclid's algorithm for computing greatest common divisors. In practice, we found our new algorithms to be about two to three times faster for inputs of 100 to 1000 decimal digits in length. We also present parallel versions of both algorithms for the CRCW PRAM. One version takes O_ε(n / log log n) time using O(n^{1+ε}) processors, giving the first sublinear parallel algorithms for this problem, and the other version takes polylog time using a subexponential number of processors.