Curve25519: new Diffie-Hellman speed records
- In Public Key Cryptography (PKC), Springer-Verlag LNCS 3958, 2006
Cited by 33 (16 self)
Abstract. This paper explains the design and implementation of a high-security elliptic-curve Diffie-Hellman function achieving record-setting speeds: e.g., 832457 Pentium III cycles (with several side benefits: free key compression, free key validation, and state-of-the-art timing-attack protection), more than twice as fast as other authors' results at the same conjectured security level (with or without the side benefits).
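The function the abstract describes is the one later standardised as X25519 in RFC 7748. The following is an added example, not code from the paper or from its author: a Montgomery-ladder X25519 in Python that shows the three "side benefits" in miniature. Key compression is the u-coordinate-only representation, key validation reduces to clamping the scalar and rejecting an all-zero shared secret (RFC 7748's recommended check, which catches small-order peer points), and the timing protection is the arithmetic conditional swap that avoids branching on secret bits. Python big integers are not constant-time, so the swap illustrates the structure of the protection rather than a hardened build. The RFC 7748 test vectors are the only external data assumed.

```python
# Added example (not code from the Curve25519 paper): X25519 per RFC 7748, using the
# Montgomery ladder with an arithmetic conditional swap.  Python big integers are NOT
# constant-time; this shows the shape of the timing protection, not a hardened build.
from os import urandom

P = 2**255 - 19          # field prime
A24 = 121665             # (486662 - 2) / 4, the curve constant the ladder needs
BASEPOINT = (9).to_bytes(32, "little")


def decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte private key: clear the low 3 bits (kills the cofactor-8
    subgroup), clear bit 255 and set bit 254 so every ladder runs the same length."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] &= 127
    kb[31] |= 64
    return int.from_bytes(kb, "little")


def decode_u(u: bytes) -> int:
    """Decode a little-endian u-coordinate; the top bit is ignored (RFC 7748, 5)."""
    ub = bytearray(u)
    ub[31] &= 127
    return int.from_bytes(ub, "little")


def cswap(swap: int, a: int, b: int):
    """Swap a and b iff swap == 1, via a mask rather than a branch on the secret bit."""
    mask = -swap            # 0 -> 0, 1 -> all ones (Python ints are sign-extended)
    dummy = mask & (a ^ b)
    return a ^ dummy, b ^ dummy


def ladder(k: int, u: int) -> int:
    """Montgomery ladder: u-coordinate of k times the point with u-coordinate u."""
    x1 = u
    x2, z2 = 1, 0           # (x2:z2) = m*P, starts at the point at infinity
    x3, z3 = u, 1           # (x3:z3) = (m+1)*P
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = pow((da + cb) % P, 2, P)
        z3 = x1 * pow((da - cb) % P, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P


def x25519(private_key: bytes, peer_u: bytes) -> bytes:
    """Shared secret (or public key when peer_u is BASEPOINT).  Any 32-byte string is
    accepted as a public key; the one check RFC 7748 asks for is rejecting an all-zero
    result, which is exactly what a small-order (invalid) peer point produces."""
    out = ladder(decode_scalar(private_key), decode_u(peer_u)).to_bytes(32, "little")
    if out == bytes(32):
        raise ValueError("peer point of small order: shared secret would be all zeros")
    return out


def public_key(private_key: bytes) -> bytes:
    return x25519(private_key, BASEPOINT)


if __name__ == "__main__":
    alice_priv, bob_priv = urandom(32), urandom(32)
    shared_a = x25519(alice_priv, public_key(bob_priv))
    shared_b = x25519(bob_priv, public_key(alice_priv))
    print("both sides agree:", shared_a == shared_b)
```

The u-coordinate 0 is a point of order 2; feeding it to `ladder` with any clamped scalar yields 0, which is why `x25519` refuses an all-zero output instead of trying to validate the peer's point on input.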
Reconciling cooperation with confidentiality in multi-provider distributed systems
- 2004
Cited by 5 (0 self)
Cooperation and competition are opposing forces in Multi-Provider Distributed Systems (MPDSs) such as the Internet routing infrastructure. Often, competitive needs cause providers to keep certain information confidential, thereby hindering cooperation and leading to undesirable behavior. For instance, recent work has shown that lack of interdomain cooperation in performing intra-domain routing changes may cause more congestion. We argue that MPDSs should be designed with mechanisms that enable cooperation without violating confidentiality requirements. We illustrate this design principle by developing such mechanisms to solve well-known problems in the most successful MPDS, inter-domain routing. We also briefly discuss the need for such mechanisms in MPDSs for content distribution and policy-based resource allocation. Our mechanisms leverage secure multi-party computation primitives.
Slope Packings and Coverings, and Generic Algorithms for the Discrete Logarithm Problem
- 2001
Cited by 3 (0 self)
We consider the set of slopes of lines formed by joining all pairs of points in some subset S of a Desarguesian affine plane of prime order p. If all the slopes are distinct and non-infinite, we have a slope packing; if every possible non-infinite slope occurs, then we have a slope covering. We review and unify some results on these problems that can be derived from the study of Sidon sets and sum covers. Then we report some computational results we have obtained for small values of p. Finally, we point out some connections between slope packings and coverings and generic algorithms for the discrete logarithm problem in prime order (sub)groups. Our results provide a combinatorial characterization of such algorithms, in the sense that any generic algorithm implies the existence of a certain slope packing or covering, and conversely.
Near Optimal Bounds for Collision in Pollard Rho for Discrete Log
- Proc. of the 48th Annual Symposium on Foundations of Computer Science (FOCS), 2007
Cited by 2 (2 self)
We analyze a fairly standard idealization of Pollard's Rho algorithm for finding the discrete logarithm in a cyclic group G. It is found that, with high probability, a collision occurs in $O\left(\sqrt{|G| \log |G| \log\log |G|}\right)$ steps, not far from the widely conjectured value of $\Theta\left(\sqrt{|G|}\right)$. This improves upon a recent result of Miller–Venkatesan which showed an upper bound of $O\left(\sqrt{|G| \log^3 |G|}\right)$. Our proof is based on analyzing an appropriate nonreversible, non-lazy random walk on a discrete cycle of (odd) length |G|, and showing that the mixing time of the corresponding walk is $O(\log |G| \log\log |G|)$.
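To make the collision the abstract bounds concrete, here is an added example (not code from the paper): the classic Pollard rho for the discrete logarithm in a prime-order subgroup of $\mathbb{Z}_p^*$, using the three-way partition walk and Floyd cycle-finding, and reporting how many steps the collision took against $\sqrt{|G|}$. The paper analyses an idealised version of this walk; the group parameters here ($p = 10007 = 2q+1$, $q = 5003$, generator $g = 4$ of order $q$) are a toy constructed for the example.

```python
# Added example (not from the paper): Pollard's rho for the discrete logarithm in a
# prime-order subgroup of Z_p^*, with the classic three-way partition walk and Floyd
# cycle-finding, counting steps to compare with sqrt(|G|).  The toy parameters below are
# constructed for the example: p = 10007 = 2q + 1 with q = 5003 prime, g = 4 of order q.
import random
from math import isqrt

P, Q, G = 10007, 5003, 4


def pollard_rho_dlog(g, h, p, q, seed=1, max_restarts=20):
    """Return (x, steps) with g^x == h (mod p), where g has prime order q.

    Every walk element is tracked as y = g^a * h^b.  A collision y_i == y_j with
    b_i != b_j gives x = (a_j - a_i) / (b_i - b_j) mod q."""
    rng = random.Random(seed)

    def step(y, a, b):
        r = y % 3                                      # partition G into three classes
        if r == 0:
            return y * h % p, a, (b + 1) % q           # y <- y * h
        if r == 1:
            return y * y % p, 2 * a % q, 2 * b % q     # y <- y^2
        return y * g % p, (a + 1) % q, b               # y <- y * g

    for _ in range(max_restarts):
        a0, b0 = rng.randrange(q), rng.randrange(q)
        start = (pow(g, a0, p) * pow(h, b0, p) % p, a0, b0)
        tortoise, hare, steps = start, start, 0
        while True:                    # Floyd: the hare moves twice per tortoise step
            tortoise = step(*tortoise)
            hare = step(*step(*hare))
            steps += 1
            if tortoise[0] == hare[0]:
                break
        (_, a1, b1), (_, a2, b2) = tortoise, hare
        db = (b1 - b2) % q
        if db == 0:                    # useless collision, restart from a fresh point
            continue
        x = (a2 - a1) * pow(db, -1, q) % q
        assert pow(g, x, p) == h       # sanity check of the recovered logarithm
        return x, steps
    raise RuntimeError("no useful collision after %d restarts" % max_restarts)


if __name__ == "__main__":
    x_true = 1234
    h = pow(G, x_true, P)
    x, steps = pollard_rho_dlog(G, h, P, Q)
    print(f"x = {x}; collision after {steps} Floyd iterations, sqrt(q) = {isqrt(Q)}")
```

Each Floyd iteration costs three walk steps, so the iteration count is not the same as the step count in the abstract, but for this group size it lands within a small constant factor of $\sqrt{q} \approx 70$, which is the behaviour the $\Theta(\sqrt{|G|})$ conjecture predicts.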
Mobile privacy in wireless networks revisited
- Manuscript under submission, 2006
Cited by 1 (1 self)
Abstract — With the widespread use of mobile devices, the privacy of mobile location information becomes an important issue. In this paper, we present the requirements on protecting mobile privacy in wireless networks, and identify the privacy weakness of the third generation partnership project authentication and key agreement (3GPP-AKA) by showing a practical attack on it. We then propose a scheme that meets these requirements, and this scheme does not introduce security vulnerability to the underlying authentication scheme. Another feature of the proposed scheme is that on each use of the wireless channel, it uses a one-time alias to conceal the real identity of the mobile station with respect to both eavesdroppers and visited (honest or false) location registers. Moreover, the proposed scheme achieves this goal of identity concealment without sacrificing authentication efficiency. Index Terms — mobile privacy, mobile authentication, user untraceability, one-time alias, 3GPP-AKA, elliptic curve cryptosystems.
for collision in the Pollard Rho Algorithm for Discrete Logarithm
, 712
"... chains, with an optimal bound ..."
complex variable, International Series in Pure and Applied Mathematics.
"... edition, 1978. An introduction to the theory of analytic functions of one ..."
1976. Undergraduate Texts in Mathematics.
"... [2] D. Abramovich. Formal finiteness and the torsion conjecture on elliptic curves. A footnote to a paper: “Rational torsion of prime order in elliptic curves over number fields” [Astérisque No. 228 (1995), 3, 81–100] by S. Kamienny and B. Mazur. Astérisque, ..."
Applications of Frobenius Expansions in Elliptic Curve Cryptography
, 2008
"... These doctoral studies were conducted under the supervision of Professor ..."
How Long Does it Take to Catch a Wild Kangaroo?
The discrete logarithm problem asks to solve for the exponent x, given the generator g of a cyclic group G and an element $h \in G$ such that $g^x = h$. We give the first rigorous proof that Pollard's Kangaroo method finds the discrete logarithm in expected time $(3 + o(1))\sqrt{b - a}$ for the worst value of $x \in [a, b]$, and $(2 + o(1))\sqrt{b - a}$ when x is chosen uniformly at random from $[a, b]$. This matches the conjectured time complexity and, rare among the analyses of algorithms based on Markov chains, even the lead constants 2 and 3 are correct.
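The kangaroo method is the right tool when the exponent is known to lie in an interval $[a, b]$ much smaller than the group order. As an added example (not code from the paper), the block below runs a tame kangaroo from $g^b$ and a wild one from $h$ over the same constructed toy group used for the rho example above ($p = 10007$, $q = 5003$, $g = 4$), with power-of-two jump sizes whose mean is about $\sqrt{b-a}/2$; the first shared position reveals $x$. The retry loop that lengthens the tame walk and re-salts the jump function is an implementation choice made here, not part of the paper's analysis.

```python
# Added example (not from the paper): Pollard's kangaroo (lambda) method for g^x = h
# with x known to lie in [a, b], in a constructed toy group (p = 10007, q = 5003,
# g = 4 of prime order q).  The tame kangaroo starts at g^b with a known exponent,
# the wild one at h with exponent x + distance; a shared position reveals x.
from math import isqrt

P, Q, G = 10007, 5003, 4


def kangaroo_dlog(g, h, p, q, a, b, max_attempts=8):
    """Return (x, jumps) with g^x == h (mod p) and a <= x <= b."""
    width = b - a
    k = 1                                  # jump sizes 2^0 .. 2^(k-1)
    while (2 ** k - 1) / k < isqrt(width) / 2:   # mean jump about sqrt(width)/2
        k += 1
    jump_pow = [pow(g, 1 << i, p) for i in range(k)]   # g^(2^i), precomputed
    n_tame = 2 * isqrt(width) + 1

    for attempt in range(max_attempts):
        salt = attempt * 7919              # re-salt the walk if the last attempt missed

        # Tame kangaroo: exponent b + d is known at every position it visits.
        traps = {}
        y, d = pow(g, b, p), 0
        for _ in range(n_tame):
            traps[y] = d
            i = (y + salt) % k
            y, d = y * jump_pow[i] % p, d + (1 << i)
        traps[y] = d
        tame_end = d

        # Wild kangaroo: exponent x + d with x unknown.  Stop once it must have
        # overtaken the tame kangaroo's last position without meeting it.
        y, d, jumps = h, 0, n_tame
        while d <= width + tame_end:
            if y in traps:                 # h * g^d == g^(b + traps[y])
                x = (b + traps[y] - d) % q
                if pow(g, x, p) == h:
                    return x, jumps
            i = (y + salt) % k
            y, d, jumps = y * jump_pow[i] % p, d + (1 << i), jumps + 1
        n_tame *= 2                        # let the tame kangaroo travel further
    raise RuntimeError("kangaroos never met after %d attempts" % max_attempts)


if __name__ == "__main__":
    a, b, x_true = 2500, 3500, 3000
    h = pow(G, x_true, P)
    x, jumps = kangaroo_dlog(G, h, P, Q, a, b)
    print(f"x = {x} after {jumps} jumps; sqrt(b - a) = {isqrt(b - a)}")
```

The wild kangaroo's bound `width + tame_end` is what makes a miss detectable: once its distance exceeds that, it has passed every trap the tame kangaroo laid, so the walk is abandoned rather than allowed to run forever.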

