On the Selection of Pairing-Friendly Groups
2003
Cited by 54 (13 self)
We propose a simple algorithm to select group generators suitable for pairing-based cryptosystems. The selected parameters are shown to favor implementations of the Tate pairing that are at once conceptually simple and very efficient, with an observed performance about 2 to 10 times better than previously reported implementations.

The function field sieve in the medium prime case
Advances in Cryptology – EUROCRYPT 2006, LNCS 4004 (2006)
Cited by 54 (11 self)
In this paper, we study the application of the function field sieve algorithm for computing discrete logarithms over finite fields of the form F_{q^n} when q is a medium-sized prime power. This approach is an alternative to a recent paper of Granger and Vercauteren for computing discrete logarithms in tori, using efficient torus representations. We show that when q is not too large, a very efficient L(1/3) variation of the function field sieve can be used. Surprisingly, using this algorithm, discrete logarithm computations over some of these fields are even easier than computations in the prime field and characteristic two field cases. We also show that this new algorithm has security implications on some existing cryptosystems, such as torus-based cryptography in T_30, short signature schemes in characteristic 3 and cryptosystems based on supersingular abelian varieties. On the other hand, cryptosystems involving larger base fields and smaller extension degrees, typically of degree at most 6, such as LUC, XTR or T_6 torus cryptography, are not affected.

Unbelievable Security: Matching AES security using public key systems
Proceedings ASIACRYPT 2001, LNCS 2248, Springer-Verlag 2001, 67–86 (2001)
Cited by 52 (4 self)
The Advanced Encryption Standard (AES) provides three levels of security: 128, 192, and 256 bits. Given a desired level of security for the AES, this paper discusses matching public key sizes for RSA and the ElGamal family of protocols. For the latter, both traditional multiplicative groups of finite fields and elliptic curve groups are considered. The practicality of the resulting systems is commented upon. Despite the conclusions, this paper should not be interpreted as an endorsement of any particular public key system in favor of any other.

A knapsack-type public key cryptosystem based on arithmetic in finite fields
IEEE Trans. Inform. Theory (1988)
Cited by 47 (0 self)
A new knapsack-type public key cryptosystem is introduced. The system is based on a novel application of arithmetic in finite fields, following a construction by Bose and Chowla. By appropriately choosing the parameters, one can control the density of the resulting knapsack, which is the ratio between the number of elements in the knapsack and their size in bits. In particular, the density can be made high enough to foil “low-density” attacks against our system. At the moment, no attacks capable of “breaking” this system in a reasonable amount of time are known.

A Knapsack Type Public Key Cryptosystem Based On Arithmetic in Finite Fields
IEEE Trans. Inform. Theory (1988)
Cited by 39 (2 self)
A new knapsack type public key cryptosystem is introduced. The system is based on a novel application of arithmetic in finite fields, following a construction by Bose and Chowla. By appropriately choosing the parameters, one can control the density of the resulting knapsack, which is the ratio between the number of elements in the knapsack and their size in bits. In particular, the density can be made high enough to foil “low density” attacks against our system. At the moment, no attacks capable of “breaking” this system in a reasonable amount of time are known. Research supported by NSF grant MCS-8006938. Part of this research was done while the first author was visiting Bell Laboratories, Murray Hill, NJ. A preliminary version of this work was presented in Crypto 84 and has appeared in [8].

Aspects of Hyperelliptic Curves over Large Prime Fields in Software Implementations
2004
Cited by 37 (5 self)
We present an implementation of elliptic curves and of hyperelliptic curves of genus 2 and 3 over prime fields. To achieve a fair comparison between the different types of groups, we developed an ad-hoc arithmetic library, designed to remove most of the overheads that penalize implementations of curve-based cryptography over prime fields. These overheads get worse for smaller fields, and thus for larger genera for a fixed group size. We also use techniques for delaying modular reductions to reduce the amount of modular reductions in the formulae for the group operations. The result is that the performance of hyperelliptic curves of genus 2 over prime fields is much closer to the performance of elliptic curves than previously thought. For groups of 192 and 256 bits the difference is about 14% and 15% respectively.

Batch RSA
1996
Cited by 34 (0 self)
We present a variant of the RSA algorithm called Batch RSA with two important properties:
• The cost per private operation is exponentially smaller than other number theoretic schemes ([9, 23, 22, 11, 13, 12], etc.). In practice, the new variant effectively performs several modular exponentiations at the cost of a single modular exponentiation. This leads to a very fast RSA-like scheme whenever RSA is to be performed at some central site or when pure-RSA encryption (vs. hybrid encryption) is to be performed.
• An additional important feature of Batch RSA is the possibility of using a distributed Batch RSA process that isolates the private key from the system, irrespective of the size of the system, the number of sites, or the number of private operations that need be performed.

On the function field sieve and the impact of higher splitting probabilities: Application to discrete logarithms in f 2
Cited by 33 (4 self)
In this paper we propose a binary field variant of the Joux-Lercier medium-sized Function Field Sieve, which results not only in complexities as low as L_{q^n}(1/3, 2/3) for computing arbitrary logarithms, but also in a heuristic polynomial time algorithm for finding the discrete logarithms of degree one elements. To illustrate the efficiency of the method, we have successfully solved the DLP in the finite field with 2^1971 elements.

Test Embedding with Discrete Logarithms
IEEE VLSI Test Symp. (1994)
Cited by 29 (1 self)
When using Built-In Self Test (BIST) for testing VLSI circuits, a major concern is the generation of proper test patterns that detect the faults of interest. Usually a linear feedback shift register (LFSR) is used to generate test patterns. We first analyze the probability that an arbitrary pseudorandom test sequence of short length detects all faults. The term short is relative to the probability of detecting the fault with the fewest test patterns. We then show how to guide the search for an initial state (seed) for an LFSR with a given primitive feedback polynomial so that all the faults of interest are detected by a minimum length test sequence. Our algorithm is based on finding the location of test patterns in the sequence generated by this LFSR. This is accomplished using the theory of discrete logarithms. We then select the shortest subsequence that includes test patterns for all the faults of interest, hence resulting in 100% fault coverage.

Doing more with fewer bits
Proceedings Asiacrypt99, LNCS 1716, Springer-Verlag (1999)
Cited by 28 (4 self)
We present a variant of the Diffie-Hellman scheme in which the number of bits exchanged is one third of what is used in the classical Diffie-Hellman scheme, while the offered security against attacks known today is the same. We also give applications for this variant and conjecture an extension of this variant further reducing the size of sent information.