Results 1-10 of 18
A Survey of Fast Exponentiation Methods
Journal of Algorithms, 1998
Abstract
Cited by 170 (0 self)
Public-key cryptographic systems often involve raising elements of some group (e.g. GF(2^n), Z/NZ, or elliptic curves) to large powers. An important question is how fast this exponentiation can be done, which often determines whether a given system is practical. The best method for exponentiation depends strongly on the group being used, the hardware the system is implemented on, and whether one element is being raised repeatedly to different powers, different elements are raised to a fixed power, or both powers and group elements vary. This problem has received much attention, but the results are scattered through the literature. In this paper we survey the known methods for fast exponentiation, examining their relative strengths and weaknesses.
On Parallel Hashing and Integer Sorting
1991
Abstract
Cited by 25 (8 self)
The problem of sorting n integers from a restricted range [1..m], where m is superpolynomial in n, is considered. An o(n log n) randomized algorithm is given. Our algorithm takes O(n log log m) expected time and O(n) space. (Thus, for m = n^{polylog(n)} we have an O(n log log n) algorithm.) The algorithm is parallelizable. The resulting parallel algorithm achieves optimal speed-up. Some features of the algorithm make us believe that it is relevant for practical applications. A result of independent interest is a parallel hashing technique. The expected construction time is logarithmic using an optimal number of processors, and searching for a value takes O(1) time in the worst case. This technique enables a drastic reduction of space requirements at the price of using randomness. Applicability of the technique is demonstrated for the parallel sorting algorithm, and for some parallel string matching algorithms. The parallel sorting algorithm is designed for a strong and non-standard mo...
Resource Fairness and Composability of Cryptographic Protocols
Cryptology ePrint Archive, http://eprint.iacr.org/2005/370
Abstract
Cited by 20 (1 self)
We introduce the notion of resource-fair protocols. Informally, this property states that if one party learns the output of the protocol, then so can all other parties, as long as they expend roughly the same amount of resources. As opposed to similar previously proposed definitions, our definition follows the standard simulation paradigm and enjoys strong composability properties. In particular, our definition is similar to the security definition in the universal composability (UC) framework, but works in a model that allows any party to request additional resources from the environment to deal with dishonest parties that may prematurely abort. In this model we specify the ideally fair functionality as allowing parties to “invest resources” in return for outputs, but in such an event offering all other parties a fair deal. (The formulation of fair dealings is kept independent of any particular functionality, by defining it using a “wrapper.”) Thus, by relaxing the notion of fairness, we avoid a well-known impossibility result for fair multi-party computation with corrupted majority; in particular, our definition admits constructions that tolerate an arbitrary number of corruptions. We also show that, as in the UC framework, protocols in our framework may be arbitrarily and concurrently composed. Turning to constructions, we define a “commit-prove-fair-open” functionality and design an efficient resource-fair protocol that securely realizes it, using a new variant of a cryptographic primitive known as “time-lines.” With (the fairly wrapped version of) this functionality we show that some of the existing secure multi-party computation protocols can be easily transformed into resource-fair protocols while preserving their security.
Timed commitments (Extended Abstract)
In Advances in Cryptology, CRYPTO ’00, 2000
Abstract
Cited by 13 (0 self)
We introduce and construct timed commitment schemes, an extension to the standard notion of commitments in which a potential forced opening phase permits the receiver to recover (with effort) the committed value without the help of the committer. An important application of our timed-commitment scheme is contract signing: two mutually suspicious parties wish to exchange signatures on a contract. We show a two-party protocol that allows them to exchange RSA or Rabin signatures. The protocol is strongly fair: if one party quits the protocol early, then the two parties must invest comparable amounts of time to retrieve the signatures. This statement holds even if one party has many more machines than the other. Other applications, including honesty-preserving auctions and collective coin-flipping, are discussed.
Efficient and Secure Multi-Party Computation with Faulty Majority and Complete Fairness
Cryptology ePrint Archive, http://eprint.iacr.org/2004/019, 2004
Abstract
Cited by 9 (1 self)
We study the problem of constructing secure multi-party computation (MPC) protocols that are completely fair (meaning that either all the parties learn the output of the function, or nobody does) even when a majority of the parties are corrupted. We first propose a framework for fair multi-party computation, within which we formulate a definition of secure and fair protocols. The definition follows the standard simulation paradigm, but is modified to allow the protocol to depend on the running time of the adversary. In this way, we avoid a well-known impossibility result for fair MPC with corrupted majority; in particular, our definition admits constructions that tolerate up to (n - 1) corruptions, where n is the total number of parties. Next, we define a "commit-prove-fair-open" functionality and construct an efficient protocol that realizes it, using a new variant of a cryptographic primitive known as "time-lines." With this functionality, we show that some of the existing secure MPC protocols can be easily transformed into fair protocols while preserving their security. Putting these results together, we construct efficient, secure MPC protocols that are completely fair even in the presence of corrupted majorities. Furthermore, these protocols remain secure when arbitrarily composed with any protocols, which means, in particular, that they are concurrently-composable and non-malleable. Finally, as an example of our results, we show a very efficient protocol that fairly and securely solves the socialist millionaires' problem.
A Sublinear-Time Parallel Algorithm for Integer Modular Exponentiation
1999
Abstract
Cited by 8 (0 self)
The modular exponentiation problem is, given integers x, a, m with m > 0, compute x^a mod m. Let n denote the sum of the lengths of x, a, and m in binary. We present a parallel algorithm for this problem that takes O(n / log log n) time on the common CRCW PRAM using O(n^{2+ε}) processors. This algorithm is based on Bernstein's Explicit Chinese Remainder Theorem combined with a fast method for parallel prefix summation. We also present a linear-time algorithm for the EREW PRAM.
1 Introduction. In this paper we present a new parallel algorithm for the modular exponentiation problem. This problem is, given integers x, a and a positive integer m, compute x^a mod m. Applications for this problem are quite numerous, and include primality testing, integer factoring, the discrete logarithm problem, and cryptographic protocols based on these problems such as RSA. It is not an overstatement to say that modular exponentiation is a fundamentally important problem, and fast algorithms for t...
On the Power of Nonlinear Secret-Sharing
In Conf. on Computational Complexity, 2001
Abstract
Cited by 5 (4 self)
A secret-sharing scheme enables a dealer to distribute a secret among n parties such that only some predefined authorized sets of parties will be able to reconstruct the secret from their shares. The (monotone) collection of authorized sets is called an access structure, and is freely identified with its characteristic monotone function f : 1}. A family of secret-sharing schemes is called efficient if the total length of the n shares is polynomial in n. Most previously known secret-sharing schemes belonged to a class of linear schemes, whose complexity coincides with the monotone span program size of their access structure. Prior to this work there was no evidence that nonlinear schemes can be significantly more efficient than linear schemes, and in particular there were no candidates for schemes efficiently realizing access structures which do not lie in NC.
Parallel Complexity of Integer Coprimality
2000
Abstract
Cited by 4 (0 self)
It is shown that integer coprimality testing is in NC. AMS classification codes: 68Q15, 68Q22, 68Q25
1 Introduction
The object of this paper is to prove Theorem 1: Integer coprimality is in NC.
1.1 Background
The parallel complexity of basic arithmetic operations has been closely investigated since the 1960s. In the case of arithmetic, problem size is usually measured in terms of the binary notation for the integer inputs. It is known that addition and multiplication of n-bit integers can be done in NC^1, i.e., by logspace-computable Boolean circuit families of O(log n) depth and with n^{O(1)} Boolean gates. Details about these classical results may be found in [12], and information about the parallel complexity class NC may be found in [11, 4]. It is also known that division can be done in the same time and size bounds, but slightly more than logspace is needed to build the requisite Boolean circuits. It is open whether or not division is in NC^1. See [2, 5, 7] for more information abou...
Offline Submission with RSA Time-Lock Puzzles
In CIT 2010: Proceedings of the 10th IEEE International Conference on Computer and Information Technology
Non-Parallelizable and Non-Interactive Client Puzzles from Modular Square Roots
Abstract
Cited by 1 (1 self)
Denial of Service (DoS) attacks aiming to exhaust the resources of a server by overwhelming it with bogus requests have become a serious threat. Protocols that rely on public-key cryptography and perform expensive authentication handshakes are an especially easy target. A well-known countermeasure against DoS attacks is client puzzles. The victimized server demands that clients commit computing resources before it processes their requests. To get service, a client must solve a cryptographic puzzle and submit the right solution. Existing client puzzle schemes have some drawbacks. They are either parallelizable, coarse-grained or can be used only interactively. In the case of interactive client puzzles, where the server poses the challenge, an attacker might mount a counter-attack on the clients by injecting fake packets containing bogus puzzle parameters. In this paper we introduce a novel scheme for client puzzles which relies on the computation of square roots modulo a prime. Modular square root puzzles are non-parallelizable, i.e., the solution cannot be obtained faster than scheduled by distributing the puzzle to multiple machines or CPU cores, and they can be employed both interactively and non-interactively. Our puzzles provide polynomial granularity and compact solution and verification functions. Benchmark results demonstrate the feasibility of our approach to mitigate DoS attacks on hosts in 1 or even 10 GBit networks. In addition, we show how to raise the efficiency of our puzzle scheme by introducing a bandwidth-based cost factor for the client.
Keywords: client puzzles, Denial of Service (DoS), network protocols, authentication, computational puzzles