How to Securely Outsource Cryptographic Computations
In Theory of Cryptography, 2005
Cited by 25 (0 self)
Abstract. We address the problem of using untrusted (potentially malicious) cryptographic helpers. We provide a formal security definition for securely outsourcing computations from a computationally limited device to an untrusted helper. In our model, the adversarial environment writes the software for the helper, but then does not have direct communication with it once the device starts relying on it. In addition to security, we also provide a framework for quantifying the efficiency and checkability of an outsourcing implementation. We present two practical outsource-secure schemes. Specifically, we show how to securely outsource modular exponentiation, which presents the computational bottleneck in most public-key cryptography on computationally limited devices. Without outsourcing, a device would need O(n) modular multiplications to carry out modular exponentiation for n-bit exponents. The load reduces to O(log^2 n) for any exponentiation-based scheme where the honest device may use two untrusted exponentiation programs; we highlight the Cramer-Shoup cryptosystem [13] and Schnorr signatures [28] as examples. With a relaxed notion of security, we achieve the same load reduction for a new CCA2-secure encryption scheme using only one untrusted Cramer-Shoup encryption program.
Batch exponentiation: A fast DLP-based signature generation strategy
In 3rd ACM Conference on Computer and Communications Security (CCS), ACM, 1996
Cited by 19 (3 self)
Abstract. The signature generation phase of most DLP-based signature schemes (for instance Schnorr [10], ElGamal [4] or the newly standardized DSA [3]) includes the time-consuming computation of r = g^k mod p where k is random. This paper introduces a new computational strategy that can apply in this particular context: a batch exponentiation technique which allows the generation of large sets of exponentials without introducing any bias between the k's (that is, the signer can batch-compute the exponentials corresponding to arbitrarily imposed powers, for instance powers imposed by an external random number generator). Our method offers real improvements over the prior art with various time and memory trade-offs.

1 Introduction. In many DLP-based signature schemes the signer performs the operation r = g^k mod p where k is random. As the signer is often the "weak party" in the signature protocol, several authors tried to accelerate the exponentiation by precomputing values [1], [5] or by subcontracting a part of the exponentiation workload to the verifier [6] (provided that a set of precautions is taken into consideration). Besides the fact that some of these algorithms were broken [7], [8], extra memory storage is frequently an unrealistic assumption.
The composite discrete logarithm and secure authentication
In Public Key Cryptography, 2000
Cited by 18 (2 self)
Abstract. For the last two decades, electronic authentication has been an important topic. The first applications were digital signatures to mimic handwritten signatures for digital documents. Then Chaum wanted to create an electronic version of money with similar properties, namely bank certification and users' anonymity. Therefore, he proposed the concept of blind signatures. For all those problems, and furthermore for online authentication, zero-knowledge proofs of knowledge became a very powerful tool. Nevertheless, high computational load is often the drawback of a high security level. More recently, witness-indistinguishability has been found to be a better property that can combine security with efficiency. This paper studies the discrete logarithm problem with a composite modulus and in particular its witness-indistinguishability. Then we offer new authentication schemes more secure than factorization and furthermore very efficient from the prover's point of view. Moreover, we significantly improve the reduction cost in the security proofs of Girault's variants of the Schnorr schemes, which validates practical sizes for security parameters. Finally, thanks to the witness-indistinguishability of the basic protocol, we can derive a blind signature scheme with security related to factorization.
Security and Performance of Server-Aided RSA Computation Protocols
In Advances in Cryptology - CRYPTO '95, 1995
Cited by 17 (1 self)
This paper investigates various security issues and provides possible improvements on server-aided RSA computation schemes, mainly focused on the two-phase protocols RSA-S1M and RSA-S2M proposed by Matsumoto et al. [4]. We first present new active attacks on these protocols when the final result is not checked. A server-aided protocol is then proposed in which the client can check the computed signature in at most six multiplications irrespective of the size of the public exponent. Next we consider multi-round active attacks on the protocol with correctness check and show that parameter restrictions cannot defeat such attacks. We thus assume that the secret exponent is newly decomposed in each run of the protocol and discuss some means of speeding up this preprocessing step. Finally, considering the implementation-dependent attack, we propose a new method for decomposing the secret and performing the required computation efficiently.
Speeding up Exponentiation using an Untrusted Computational Resource
Memo 469, MIT CSAIL Computation Structures Group, 2003
Cited by 5 (0 self)
We present protocols for speeding up fixed-base exponentiation and variable-base exponentiation using an untrusted computation resource. In the fixed-base protocols, the base and exponent may be blinded. If the exponent is fixed, the base may be blinded in the variable-base exponentiation protocols. The protocols are the first ones for accelerating exponentiation with the aid of an untrusted resource in arbitrary cyclic groups. We also describe how to use the protocols to construct protocols that do, with the aid of an untrusted resource, exponentiation modulo an integer where the modulus is the product of primes with single multiplicity. One application of the protocols is to speed up exponentiation-based verification in discrete-log-based signature and credential schemes. For example, the protocols can be applied to speeding up, on small devices, the verification of signatures in DSS, El Gamal, and Schnorr's signature schemes, and the verification of digital credentials in Brands' credential system. The protocols use precomputation and we prove that they are unconditionally secure. We analyze the performance of our variable-base protocols where the exponentiation is modulo a prime p: the protocols provide an asymptotic speedup of about O(0.24 (k log k)^(2/3)), where k = log p, over the square-and-multiply algorithm, without compromising security.
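Added example, not code from any of the papers listed here: the two ideas that run through the first and the fifth abstract, shown in Python. A computationally limited device that wants g^x mod p blinds the secret exponent with a precomputed pair (r, g^r), so the untrusted helper only ever sees uniformly random exponents, and it mixes known-answer test queries into the batch at random positions, so a helper that returns one wrong answer is caught with probability tests/(tests + 1), i.e. 1/2 for a single test query, the checkability figure quoted for the two-helper scheme above. The helper interface (a batch of exponents in, g^e mod p for each out), the toy-sized safe-prime group generated at runtime, and the seeded RNG that makes the demo repeatable are assumptions of this example.

```python
"""Outsourcing g^x mod p to an untrusted helper: exponent blinding plus
known-answer test queries. Added example; the helper interface, the
runtime-generated toy group and the seeded RNG are assumptions."""
import random
from typing import Callable, List, Tuple

Helper = Callable[[List[int]], List[int]]  # batch of exponents -> g^e mod p each


def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin; probabilistic, which is fine for a demo group."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        y = pow(rng.randrange(2, n - 1), d, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = pow(y, 2, n)
            if y == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits: int, rng: random.Random) -> Tuple[int, int, int]:
    """Return (p, q, g) with p = 2q + 1 prime; g = 4 generates the order-q subgroup.
    Toy size: real deployments use standardized groups of 2048 bits or more."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q, 4


class Device:
    """The limited party: online it does one inversion and one multiplication."""

    def __init__(self, p: int, q: int, g: int, rng: random.Random):
        self.p, self.q, self.g, self.rng = p, q, g, rng

    def precomputed_pair(self) -> Tuple[int, int]:
        # (r, g^r) pairs are produced offline / in idle time; each is used once.
        r = self.rng.randrange(self.q)
        return r, pow(self.g, r, self.p)

    def outsourced_exp(self, x: int, helper: Helper, tests: int = 1) -> int:
        """g^x mod p via `helper`. x + r mod q is uniform, so the helper learns
        nothing about x. A helper that corrupts one answer is caught with
        probability tests / (tests + 1); a caught cheat raises ValueError."""
        r, g_r = self.precomputed_pair()
        known = [self.precomputed_pair() for _ in range(tests)]
        queries = [(x + r) % self.q] + [ri for ri, _ in known]
        order = list(range(len(queries)))
        self.rng.shuffle(order)  # helper cannot tell the real query from the tests
        answers = helper([queries[i] for i in order])
        if len(answers) != len(queries):
            raise ValueError("helper returned wrong number of answers")
        unshuffled = [0] * len(queries)
        for pos, i in enumerate(order):
            unshuffled[i] = answers[pos]
        for (_, g_ri), got in zip(known, unshuffled[1:]):
            if got != g_ri:
                raise ValueError("helper cheated on a test query")
        # Unblind: g^x = g^(x+r) * (g^r)^-1.
        return unshuffled[0] * pow(g_r, -1, self.p) % self.p


def honest_helper(p: int, g: int) -> Helper:
    return lambda es: [pow(g, e, p) for e in es]


def one_bad_answer_helper(p: int, g: int, rng: random.Random) -> Helper:
    """Malicious helper: corrupts exactly one answer at a random position."""
    def helper(es: List[int]) -> List[int]:
        out = [pow(g, e, p) for e in es]
        i = rng.randrange(len(out))
        out[i] = out[i] * 2 % p  # any value other than the correct one
        return out
    return helper


def run(seed: int = 1, bits: int = 128, trials: int = 400, tests: int = 1):
    """Return (honest_result_correct, detections, undetected_wrong_results)."""
    rng = random.Random(seed)  # seeded only so the demo is repeatable
    p, q, g = safe_prime_group(bits, rng)
    dev = Device(p, q, g, rng)
    x = rng.randrange(1, q)
    honest_ok = dev.outsourced_exp(x, honest_helper(p, g), tests) == pow(g, x, p)
    bad = one_bad_answer_helper(p, g, rng)
    detections = undetected_wrong = 0
    for _ in range(trials):
        try:
            y = dev.outsourced_exp(x, bad, tests)
        except ValueError:
            detections += 1
        else:
            undetected_wrong += y != pow(g, x, p)
    return honest_ok, detections, undetected_wrong


if __name__ == "__main__":
    print(run(tests=1), run(seed=2, tests=3))
```

Two caveats a practitioner should take from the code. Each (r, g^r) pair must be used exactly once: reusing r for two secret exponents x and x' hands the helper (x - x') mod q. And a single helper cannot be checked by comparing two blinded queries for the same x against each other, because the helper also sees the difference of the two blinded exponents and can answer both with the same multiplicative error; that is why the check here uses queries whose answers the device already knows.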
Special Course on Cryptology/Zero Knowledge: Zero Knowledge Proofs of Identity and Proofs of Knowledge
2001
Introduction. Authentication, or proving one's identity, can be done in many ways, but a typical way in computer-related applications has been the use of passwords. A big disadvantage of using passwords is that the party verifying the authentication (called the verifier) or anyone eavesdropping on the communication can later impersonate the original authenticator (called the prover). A more advanced way of authenticating is the challenge-response method, where a prover demonstrates knowledge of a secret by responding to the verifier's challenge in a way that is not directly reusable by the verifier (e.g. encrypting a random challenge with a secret key). This method, however, might reveal something about the secret, especially if the verifier can choose the challenges that he sends (chosen-text attack) [9]. So the idea of zero-knowledge protocols seems quite useful and natural in this context. In this survey, we will briefly look at zero-knowledge proofs of knowledge