Results 1-10 of 10
How to Securely Outsource Cryptographic Computations
In Theory of Cryptography, 2005
Cited by 26 (0 self)
Abstract. We address the problem of using untrusted (potentially malicious) cryptographic helpers. We provide a formal security definition for securely outsourcing computations from a computationally limited device to an untrusted helper. In our model, the adversarial environment writes the software for the helper, but then does not have direct communication with it once the device starts relying on it. In addition to security, we also provide a framework for quantifying the efficiency and checkability of an outsourcing implementation. We present two practical outsource-secure schemes. Specifically, we show how to securely outsource modular exponentiation, which presents the computational bottleneck in most public-key cryptography on computationally limited devices. Without outsourcing, a device would need O(n) modular multiplications to carry out modular exponentiation for n-bit exponents. The load reduces to O(log² n) for any exponentiation-based scheme where the honest device may use two untrusted exponentiation programs; we highlight the Cramer-Shoup cryptosystem [13] and Schnorr signatures [28] as examples. With a relaxed notion of security, we achieve the same load reduction for a new CCA2-secure encryption scheme using only one untrusted Cramer-Shoup encryption program.
Batch exponentiation: A fast DLP-based signature generation strategy
In 3rd ACM Conference on Computer and Communications Security, ACM, 1996
Cited by 21 (3 self)
Abstract. The signature generation phase of most DLP-based signature schemes (for instance Schnorr [10], ElGamal [4] or the newly standardized DSA [3]) includes the time-consuming computation of r = g^k mod p where k is random. This paper introduces a new computational strategy that can apply in this particular context: a batch exponentiation technique which allows the generation of large sets of exponentials without introducing any bias between the k's (that is, the signer can batch-compute the exponentials corresponding to arbitrarily imposed powers, for instance by an external random number generator). Our method offers real improvements over the prior art with various time and memory trade-offs. 1 Introduction. In many DLP-based signature schemes the signer performs the operation r = g^k mod p where k is random. As the signer is often the "weak party" in the signature protocol, several authors tried to accelerate the exponentiation by precomputing values [1], [5] or subcontracting a part of the exponentiation workload to the verifier [6] (provided that a set of precautions is taken into consideration). Except for the fact that some of these algorithms were broken [7], [8], extra memory storage is frequently an unrealistic assumption.
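As an added illustration of why batch computation of r = g^k mod p pays off for a signer (this is example code written for this page, not the scheme of the paper above), the Python block below computes a whole batch of externally imposed exponents with one chain of squarings g, g², g⁴, ... shared by every exponent, and counts operations against plain square-and-multiply. Because the exponents are taken as given, no bias is introduced between them. The modulus, base and seeded exponents are constructed test values, and the only extra storage is one accumulator per exponent (no precomputed table).

```python
"""
Batch exponentiation with one shared squaring chain.  Added example for
this page, not the cited paper's algorithm.  p, g and the seeded
exponents are constructed test values.
"""
import random


def square_and_multiply(g, k, p):
    """Left-to-right square-and-multiply.
    Returns (g^k mod p, (squarings, multiplications))."""
    if k == 0:
        return 1 % p, (0, 0)
    result, sq, mul = g % p, 0, 0
    for bit in bin(k)[3:]:              # bits below the leading 1
        result = result * result % p
        sq += 1
        if bit == "1":
            result = result * g % p
            mul += 1
    return result, (sq, mul)


def batch_exp(g, exponents, p):
    """Compute g^k mod p for every k in the batch, scanning bits LSB first
    and squaring the running power g^(2^j) only once per bit position.
    Returns (results, (squarings, multiplications)).  Each exponent costs
    only its Hamming weight in multiplications on top of the shared
    n-1 squarings, where n is the largest bit length in the batch."""
    n = max((k.bit_length() for k in exponents), default=0)
    acc = [1 % p] * len(exponents)
    power = g % p                       # g^(2^j) for the current position j
    sq = mul = 0
    for j in range(n):
        for i, k in enumerate(exponents):
            if (k >> j) & 1:
                acc[i] = acc[i] * power % p
                mul += 1
        if j < n - 1:
            power = power * power % p
            sq += 1
    return acc, (sq, mul)


def cost_comparison(g, exponents, p):
    """Total operation counts (squarings + multiplications) for the batch
    method versus one independent square-and-multiply per exponent."""
    _, (bsq, bmul) = batch_exp(g, exponents, p)
    separate = sum(sum(square_and_multiply(g, k, p)[1]) for k in exponents)
    return bsq + bmul, separate


def demo_exponents(m=8, bits=160, seed=2024):
    """Constructed batch of m exponents of exactly `bits` bits (seeded so
    the run is reproducible); stands in for externally imposed k's."""
    rng = random.Random(seed)
    return [rng.getrandbits(bits) | (1 << (bits - 1)) for _ in range(m)]


if __name__ == "__main__":
    p, g = 2**127 - 1, 3                # constructed toy parameters
    ks = demo_exponents()
    batch_cost, separate_cost = cost_comparison(g, ks, p)
    print("batch:", batch_cost, "ops   separate:", separate_cost, "ops")
```

The saving comes entirely from the squarings: m independent exponentiations each pay n-1 squarings, the batch pays them once. For a single exponent the batch method is no better (it is one multiplication worse, since plain square-and-multiply gets the leading bit for free), so the technique only helps a signer that can prepare several r values at a time.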
The composite discrete logarithm and secure authentication
In Public Key Cryptography, 2000
Cited by 19 (2 self)
Abstract. For the last two decades, electronic authentication has been an important topic. The first applications were digital signatures to mimic handwritten signatures for digital documents. Then, Chaum wanted to create an electronic version of money, with similar properties, namely bank certification and users' anonymity. Therefore, he proposed the concept of blind signatures. For all those problems, and furthermore for online authentication, zero-knowledge proofs of knowledge became a very powerful tool. Nevertheless, high computational load is often the drawback of a high security level. More recently, witness-indistinguishability has been found to be a better property that can conjugate security together with efficiency. This paper studies the discrete logarithm problem with a composite modulus and namely its witness-indistinguishability. Then we offer new authentications more secure than factorization and furthermore very efficient from the prover's point of view. Moreover, we significantly improve the reduction cost in the security proofs of Girault's variants of the Schnorr schemes, which validates practical sizes for security parameters. Finally, thanks to the witness-indistinguishability of the basic protocol, we can derive a blind signature scheme with security related to factorization.
Security and Performance of Server-Aided RSA Computation Protocols
In Advances in Cryptology - CRYPTO '95, 1995
Cited by 17 (1 self)
This paper investigates various security issues and provides possible improvements on server-aided RSA computation schemes, mainly focused on the two-phase protocols, RSA-S1M and RSA-S2M, proposed by Matsumoto et al. [4]. We first present new active attacks on these protocols when the final result is not checked. A server-aided protocol is then proposed in which the client can check the computed signature in at most six multiplications irrespective of the size of the public exponent. Next we consider multi-round active attacks on the protocol with correctness check and show that parameter restrictions cannot defeat such attacks. We thus assume that the secret exponent is newly decomposed in each run of the protocol and discuss some means of speeding up this preprocessing step. Finally, considering the implementation-dependent attack, we propose a new method for decomposing the secret and performing the required computation efficiently.
Speeding up Exponentiation using an Untrusted Computational Resource
MEMO 469, MIT CSAIL Computation Structures Group, 2003
Cited by 5 (0 self)
We present protocols for speeding up fixed-base exponentiation and variable-base exponentiation using an untrusted computation resource. In the fixed-base protocols, the base and exponent may be blinded. If the exponent is fixed, the base may be blinded in the variable-base exponentiation protocols. The protocols are the first ones for accelerating exponentiation with the aid of an untrusted resource in arbitrary cyclic groups. We also describe how to use the protocols to construct protocols that do, with the aid of an untrusted resource, exponentiation modulo an integer where the modulus is the product of primes with single multiplicity. One application of the protocols is to speed up exponentiation-based verification in discrete-log-based signature and credential schemes. For example, the protocols can be applied to speeding up, on small devices, the verification of signatures in DSS, ElGamal, and Schnorr's signature schemes, and the verification of digital credentials in Brands' credential system. The protocols use precomputation and we prove that they are unconditionally secure. We analyze the performance of our variable-base protocols where the exponentiation is modulo a prime p: the protocols provide an asymptotic speedup of about O(0.24 (k / log k)^(2/3)), where k = log p, over the square-and-multiply algorithm, without compromising security.
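The three server-aided entries above (outsourcing to untrusted helpers with a checkability measure, server-aided RSA where unchecked results admit active attacks, and blinding the base when the exponent is fixed) share one mechanism: the weak device randomises what the helper sees and verifies what it gets back. The Python block below is an added example written for this page, not the protocol of any of the listed papers, showing that mechanism in its simplest form. Its assumptions, none of which come from the page: the exponent A is fixed and public (as in signature verification, so the helper may know it); the client holds triples (r, r^A, (r^A)^-1) mod P prepared offline in a trusted setup phase; the helper is a class that may return wrong answers; the modulus is a toy value.

```python
"""
Server-aided exponentiation with a blinded base and known-answer test
queries.  Added example for this page, not any listed paper's protocol.
Assumptions (not from the page): exponent A is fixed and public; the
client holds offline-precomputed triples (r, r^A, (r^A)^-1) mod P; the
helper is untrusted and may lie.  P is a constructed toy modulus.
"""
import secrets

P = 2**127 - 1        # constructed toy prime, far too small for real use
A = 65537             # hypothetical fixed public exponent, known to the helper
_rng = secrets.SystemRandom()


def precompute_triples(n, a=A, p=P):
    """Offline trusted phase (assumed): (r, r^a, (r^a)^-1) for random r in Z_p^*."""
    out = []
    for _ in range(n):
        r = _rng.randrange(1, p)
        ra = pow(r, a, p)
        out.append((r, ra, pow(ra, -1, p)))
    return out


class Helper:
    """Untrusted exponentiation program.  cheat is None (honest) or a
    function (v, true_answer) -> the answer actually returned."""
    def __init__(self, cheat=None):
        self.cheat = cheat
        self.seen = []                  # every value the helper was shown

    def exp(self, v):
        true = pow(v, A, P)
        self.seen.append(v)
        return true if self.cheat is None else self.cheat(v, true)


class CheatingHelperDetected(Exception):
    pass


class Client:
    """Weak device: only multiplications mod P online, no exponentiation."""
    def __init__(self, triples, helper, tests_per_query=1):
        self.triples = list(triples)
        self.helper = helper
        self.tests_per_query = tests_per_query

    def outsourced_exp(self, u):
        """Return u^A mod P via the helper without revealing u.  The blinded
        real query is shuffled among test queries whose answers the client
        already holds; a wrong test answer aborts.  A helper that cheats on
        each query independently with probability f passes each test query
        only with probability 1 - f."""
        r, _, inv_ra = self.triples.pop()
        jobs = [(None, u * r % P)]                  # helper sees a random element
        for _ in range(self.tests_per_query):
            t, ta, _ = self.triples.pop()
            jobs.append((ta, t))                    # known answer t^A
        _rng.shuffle(jobs)
        result = None
        for expected, v in jobs:
            w = self.helper.exp(v)
            if expected is None:
                result = w * inv_ra % P             # (u r)^A * (r^A)^-1 = u^A
            elif w != expected:
                raise CheatingHelperDetected("wrong answer to test query")
        return result

    def consistency_only_exp(self, u):
        """Weaker check: two independently blinded copies of u must unblind
        to the same value.  A helper that multiplies every answer by the
        same constant c passes it, and the client accepts c * u^A."""
        r1, _, inv1 = self.triples.pop()
        r2, _, inv2 = self.triples.pop()
        y1 = self.helper.exp(u * r1 % P) * inv1 % P
        y2 = self.helper.exp(u * r2 % P) * inv2 % P
        if y1 != y2:
            raise CheatingHelperDetected("blinded copies disagree")
        return y1


def detects_cheating(client, u):
    """True if the client's checks catch the helper on this query."""
    try:
        client.outsourced_exp(u)
    except CheatingHelperDetected:
        return True
    return False
```

The known-answer test query is the part to keep: comparing two blinded copies of the same query feels like a check but is defeated by any helper whose error is consistent (a constant factor, or always returning the answer for a related exponent), which is exactly the kind of active behaviour the RSA entry above reports when results are not checked. Each test query also consumes a precomputed triple, so the offline phase is where the cost of this checkability is paid.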
A Provably Secure and Practical Signature Scheme for Smart Cards
By "secure", we mean that some well-defined computational assumption can be shown to be sufficient for the scheme not to be existentially forgeable, even under an adaptive chosen message attack. Most, if not all, signature schemes used in practice are based on a computational assumption that is certainly necessary for this kind of security, but not known to be sufficient. Since the work of Goldwasser, Micali and Rivest [?], much research has been done on secure signature schemes. We modify the Cramer-Damgård scheme to implement a practical and secure signature scheme for smart cards.
Authenticated Session Keys and Their ServerAided Computation
Key exchange is one of the elementary prerequisites for secure communications. This paper first discusses some desirable properties of key exchange protocols, and then presents a set of protocols for Diffie-Hellman based authenticated key exchange. This paper then considers a server-aided approach to fast computation of shared secrets, which may be useful for smart card implementation of key exchange. 1 Introduction. One of the elementary prerequisites for secure communications is to establish a secret session key between the communicating parties. The session key can then be used to provide message confidentiality and/or message integrity using symmetric techniques. Entity authentication, a means of obtaining assurance of the communicating partner's identity, is another essential cryptographic mechanism for secure communications in today's distributed computing environment. Authentication and key exchange are often considered jointly. In particular, key exchange must accompany proper ...
How To Securely Outsource Cryptographic Computations
2005
1 Introduction. Modern computation has become pervasive: pretty much any device these days, from pacemakers to employee ID badges, is expected to be networked with other components of its environment. This includes devices, such as RFID tags, that are not designed to carry out expensive computations. In fact, RFID tags do not even have a power source. This becomes a serious concern when we want to guarantee that these devices are integrated into the network securely: if a device is computationally incapable of carrying out cryptographic algorithms, how can we give it secure and authenticated communication channels?
Random Euclidean Addition Chain Generation and Its Application to Point Multiplication
Abstract. Efficiency and security are the two main objectives of every elliptic curve scalar multiplication implementation. Many schemes have been proposed in order to speed up or secure its computation, usually thanks to efficient scalar representation [30,10,24], faster point operation formulae [8,25,13] or new curve shapes [2]. As an alternative to those general methods, authors have suggested using scalars belonging to some subset with good computational properties [15,14,36,41,42], leading to faster but usually cryptographically weaker systems. In this paper, we use a similar approach. We propose to modify the key generation process using a small Euclidean addition chain c instead of a scalar k. This allows us to use a previous scheme, secure against side channel attacks, but whose efficiency relies on the computation of small chains computing the scalar. We propose two different ways to generate short Euclidean addition chains and give a first theoretical analysis of the size and distribution of the obtained keys. We also propose a new scheme in the context of fixed base point scalar multiplication.