The composite discrete logarithm and secure authentication
In Public Key Cryptography, 2000
Cited by 19 (2 self)

Abstract. For the last two decades, electronic authentication has been an important topic. The first applications were digital signatures to mimic handwritten signatures for digital documents. Then, Chaum wanted to create an electronic version of money, with similar properties, namely bank certification and users' anonymity. Therefore, he proposed the concept of blind signatures. For all those problems, and furthermore for online authentication, zero-knowledge proofs of knowledge became a very powerful tool. Nevertheless, high computational load is often the drawback of a high security level. More recently, witness-indistinguishability has been found to be a better property that can conjugate security together with efficiency. This paper studies the discrete logarithm problem with a composite modulus and namely its witness-indistinguishability. Then we offer new authentications more secure than factorization and furthermore very efficient from the prover's point of view. Moreover, we significantly improve the reduction cost in the security proofs of Girault's variants of the Schnorr schemes, which validates practical sizes for security parameters. Finally, thanks to the witness-indistinguishability of the basic protocol, we can derive a blind signature scheme with security related to factorization.

exponentiation - A fast DLP-based signature generation strategy
3rd ACM Conference on Computer and Communications Security, ACM, 1996
Cited by 18 (3 self)

Abstract. The signature generation phase of most DLP-based signature schemes (for instance Schnorr [10], El-Gamal [4] or the newly standardized D.S.A [3]) includes the time-consuming computation of r = g^k mod p where k is random. This paper introduces a new computational strategy that can apply in this particular context: a batch exponentiation technique which allows the generation of large sets of exponentials without introducing any bias between the k's (that is, the signer can batch-compute the exponentials corresponding to arbitrarily imposed powers, for instance by an external random number generator). Our method offers real improvements over the prior art with various time and memory trade-offs.

Introduction. In many DLP-based signature schemes the signer performs the operation r = g^k mod p where k is random. As the signer is often the "weak party" in the signature protocol, several authors tried to accelerate the exponentiation by pre-computing values [1], [5] or sub-contracting a part of the exponentiation workload to the verifier [6] (provided that a set of precautions is taken into consideration). Apart from the fact that some of these algorithms were broken [7], [8], extra memory storage is frequently an unrealistic assumption.

How to Securely Outsource Cryptographic Computations
In Theory of Cryptography, 2005
Cited by 16 (0 self)

Abstract. We address the problem of using untrusted (potentially malicious) cryptographic helpers. We provide a formal security definition for securely outsourcing computations from a computationally limited device to an untrusted helper. In our model, the adversarial environment writes the software for the helper, but then does not have direct communication with it once the device starts relying on it. In addition to security, we also provide a framework for quantifying the efficiency and checkability of an outsourcing implementation. We present two practical outsource-secure schemes. Specifically, we show how to securely outsource modular exponentiation, which presents the computational bottleneck in most public-key cryptography on computationally limited devices. Without outsourcing, a device would need O(n) modular multiplications to carry out modular exponentiation for n-bit exponents. The load reduces to O(log^2 n) for any exponentiation-based scheme where the honest device may use two untrusted exponentiation programs; we highlight the Cramer-Shoup cryptosystem [13] and Schnorr signatures [28] as examples. With a relaxed notion of security, we achieve the same load reduction for a new CCA2-secure encryption scheme using only one untrusted Cramer-Shoup encryption program.

Security and Performance of Server-Aided RSA Computation Protocols
Advances in Cryptology - CRYPTO '95, 1995
Cited by 15 (1 self)

Abstract. This paper investigates various security issues and provides possible improvements on server-aided RSA computation schemes, mainly focused on the two-phase protocols, RSA-S1M and RSA-S2M, proposed by Matsumoto et al. [4]. We first present new active attacks on these protocols when the final result is not checked. A server-aided protocol is then proposed in which the client can check the computed signature in at most six multiplications irrespective of the size of the public exponent. Next we consider multi-round active attacks on the protocol with correctness check and show that parameter restrictions cannot defeat such attacks. We thus assume that the secret exponent is newly decomposed in each run of the protocol and discuss some means of speeding up this preprocessing step. Finally, considering the implementation-dependent attack, we propose a new method for decomposing the secret and performing the required computation efficiently.

Speeding up Exponentiation using an Untrusted Computational Resource
MEMO 469, MIT CSAIL Computation Structures Group, 2003
Cited by 4 (0 self)

Abstract. We present protocols for speeding up fixed-base exponentiation and variable-base exponentiation using an untrusted computation resource. In the fixed-base protocols, the base and exponent may be blinded. If the exponent is fixed, the base may be blinded in the variable-base exponentiation protocols. The protocols are the first ones for accelerating exponentiation with the aid of an untrusted resource in arbitrary cyclic groups. We also describe how to use the protocols to construct protocols that do, with the aid of an untrusted resource, exponentiation modulo an integer where the modulus is the product of primes with single multiplicity. One application of the protocols is to speed up exponentiation-based verification in discrete log-based signature and credential schemes. For example, the protocols can be applied to speeding up, on small devices, the verification of signatures in DSS, El Gamal, and Schnorr's signature schemes, and the verification of digital credentials in Brands' credential system. The protocols use precomputation and we prove that they are unconditionally secure. We analyze the performance of our variable-base protocols where the exponentiation is modulo a prime p: the protocols provide an asymptotic speedup of about O(0.24 (k log k)^(2/3)), where k = log p, over the square-and-multiply algorithm, without compromising security.

Special Course on Cryptology/Zero Knowledge: Zero Knowledge Proofs of Identity and Proofs of Knowledge
2001

Introduction. Authentication or proving one's identity can be done in many ways, but a typical way in applications related to computers has been the use of passwords. A big disadvantage in using passwords is that the party who is verifying the authentication (called the verifier) or anyone eavesdropping on the communication can later impersonate the original authenticator (called the prover). A more advanced way for authentication is the challenge-response method, where a prover demonstrates the knowledge of a secret by responding to the verifier's challenge in a way that is not directly reusable by the verifier (e.g. encrypt a random challenge with a secret key). This method, however, might reveal something about the secret, especially so if the verifier can choose the challenges that he sends (chosen text attack) [9]. So, the idea of zero knowledge protocols seems to be quite useful and natural in this context. In this survey, we will briefly look at zero knowledge proofs of knowledge