Results 1  10
of
31
A Survey of Fast Exponentiation Methods
 Journal of Algorithms
, 1998
"... Publickey cryptographic systems often involve raising elements of some group (e.g. GF(2 n), Z/NZ, or elliptic curves) to large powers. An important question is how fast this exponentiation can be done, which often determines whether a given system is practical. The best method for exponentiation de ..."
Abstract

Cited by 155 (0 self)
 Add to MetaCart
Publickey cryptographic systems often involve raising elements of some group (e.g. GF(2 n), Z/NZ, or elliptic curves) to large powers. An important question is how fast this exponentiation can be done, which often determines whether a given system is practical. The best method for exponentiation depends strongly on the group being used, the hardware the system is implemented on, and whether one element is being raised repeatedly to different powers, different elements are raised to a fixed power, or both powers and group elements vary. This problem has received much attention, but the results are scattered through the literature. In this paper we survey the known methods for fast exponentiation, examining their relative strengths and weaknesses. 1
Fast batch verification for modular exponentiation and digital signatures
, 1998
"... Abstract Many tasks in cryptography (e.g., digital signature verification) call for verification of a basicoperation like modular exponentiation in some group: given ( g, x, y) check that gx = y. Thisis typically done by recomputing gx and checking we get y. We would like to do it differently,and f ..."
Abstract

Cited by 129 (2 self)
 Add to MetaCart
Abstract Many tasks in cryptography (e.g., digital signature verification) call for verification of a basicoperation like modular exponentiation in some group: given ( g, x, y) check that gx = y. Thisis typically done by recomputing gx and checking we get y. We would like to do it differently,and faster. The approach we use is batching. Focusing first on the basic modular exponentiation operation, we provide some probabilistic batch verifiers, or tests, that verify a sequence of modular exponentiations significantly faster than the naive recomputation method. This yields speedupsfor several verification tasks that involve modular exponentiations.
Fast Key Exchange with Elliptic Curve Systems
, 1995
"... The DiffieHellman key exchange algorithm can be implemented using the group of points on an elliptic curve over the field F 2 n . A software version of this using n = 155 can be optimized to achieve computation rates that are significantly faster than nonelliptic curve versions with a similar leve ..."
Abstract

Cited by 99 (2 self)
 Add to MetaCart
The DiffieHellman key exchange algorithm can be implemented using the group of points on an elliptic curve over the field F 2 n . A software version of this using n = 155 can be optimized to achieve computation rates that are significantly faster than nonelliptic curve versions with a similar level of security. The fast computation of reciprocals in F 2 n is the key to the highly efficient implementation described here. March 31, 1995 Department of Computer Science The University of Arizona Tucson, AZ 1 Introduction The DiffieHellman key exchange algorithm [10] is a very useful method for initiating a conversation between two previously unintroduced parties. It relies on exponentiation in a large group, and the software implementation of the group operation is usually computationally intensive. The algorithm has been proposed as an Internet standard [13], and the benefit of an efficient implementation would be that it could be widely deployed across a variety of platforms, greatl...
Incremental Cryptography: The Case of Hashing and Signing
 In CRYPTO
, 1994
"... Abstract. We initiate the investigation of a new kind of efficiency for cryptographic transformations. The idea is that having once applied the transformation to some document M, the time to update the result upon modification of M should be “proportional ” to the “amount of modification” done to M. ..."
Abstract

Cited by 74 (4 self)
 Add to MetaCart
Abstract. We initiate the investigation of a new kind of efficiency for cryptographic transformations. The idea is that having once applied the transformation to some document M, the time to update the result upon modification of M should be “proportional ” to the “amount of modification” done to M. Thereby one obtains much faster cryptographic primitives for environments where closely related documents are undergoing the same cryptographic transformations. We provide some basic definitions enabling treatment of the new notion. We then exemplify our approach by suggesting incremental schemes for hashing and signing which are efficient according to our new measure. 1
Computation of Discrete Logarithms in Prime Fields
 Design, Codes and Cryptography
, 1991
"... The presumed difficulty of computing discrete logarithms in finite fields is the basis of several popular public key cryptosystems. The secure identification option of the Sun Network File System, for example, uses discrete logarithms in a field GF (p) with p a prime of 192 bits. This paper describe ..."
Abstract

Cited by 38 (1 self)
 Add to MetaCart
The presumed difficulty of computing discrete logarithms in finite fields is the basis of several popular public key cryptosystems. The secure identification option of the Sun Network File System, for example, uses discrete logarithms in a field GF (p) with p a prime of 192 bits. This paper describes an implementation of a discrete logarithm algorithm which shows that primes of under 200 bits, such as that in the Sun system, are very insecure. Some enhancements to this system are suggested. 1. Introduction If p is a prime and g and x integers, then computation of y such that y j g x mod p; 0 y p \Gamma 1 (1.1) is referred to as discrete exponentiation. Using the successive squaring method, it is very fast (polynomial in the number of bits of jpj + jgj + jxj). On the other hand, the inverse problem, namely, given p; g, and y, to compute some x such that Equation 1.1 holds, which is referred to as the discrete logarithm problem, appears to be quite hard in general. Many of the mos...
Optimal Lefttoright Binary SignedDigit Recoding
, 2000
"... This paper describes new methods for producing optimal binary signeddigit representations. This can be useful in the fast computation of exponentiations. Contrary to existing algorithms, the digits are scanned from left to right (i.e., from the most significant position to the least significant ..."
Abstract

Cited by 34 (3 self)
 Add to MetaCart
This paper describes new methods for producing optimal binary signeddigit representations. This can be useful in the fast computation of exponentiations. Contrary to existing algorithms, the digits are scanned from left to right (i.e., from the most significant position to the least significant position). This may lead to better performances in both hardware and software.
Algorithms for Multiexponentiation
 In Selected Areas in Cryptography – SAC 2001 (2001
, 2001
"... Abstract. This paper compares different approaches for computing power products � 1≤i≤k ge i i in commutative groups. We look at the conventional simultaneous exponentiation approach and present an alternative strategy, interleaving exponentiation. Our comparison shows that in general groups, someti ..."
Abstract

Cited by 20 (3 self)
 Add to MetaCart
Abstract. This paper compares different approaches for computing power products � 1≤i≤k ge i i in commutative groups. We look at the conventional simultaneous exponentiation approach and present an alternative strategy, interleaving exponentiation. Our comparison shows that in general groups, sometimes the conventional method and sometimes interleaving exponentiation is more efficient. In groups where inverting elements is easy (e.g. elliptic curves), interleaving exponentiation with signed exponent recoding usually wins over the conventional method. 1
Analysis of Sliding Window Techniques for Exponentiation
 Computers and Mathematics with Applications
, 1995
"... The mary method for computing x E partitions the bits of the integer E into words of constant length, and then performs as many multiplications as there are nonzero words. Variable length partitioning strategies have been suggested to reduce the number of nonzero words, and thus, the total number ..."
Abstract

Cited by 17 (0 self)
 Add to MetaCart
The mary method for computing x E partitions the bits of the integer E into words of constant length, and then performs as many multiplications as there are nonzero words. Variable length partitioning strategies have been suggested to reduce the number of nonzero words, and thus, the total numberofmultiplications. Algorithms for exponentiation using such partitioning strategies are termed sliding window techniques. In this paper, we give algorithmic descriptions of two recently proposed sliding window techniques, and calculate the average number of multiplications by modeling the partitioning process as a Markov chain. We tabulate the optimal values of the partitioning parameters, and show that the sliding window algorithms require up to 8 # fewer multiplications than the mary method. Key Words: Analysis of algorithms, exponentiation, binary method, mary method, Markovchain. CR Categories: E.3, F.2.1, G.1.0. 1 Introduction The computation of x E for a positiveinteger E is req...
Efficiency and Security of Cryptosystems Based on Number Theory
, 1996
"... , 44 equivalent, 48 admissible, 19 associated, 48 binary addition chain, 45 binary method, 43, 63 Carmichael function, 4 Carmichael number, 16, 29 Chinese Remainder Theorem, 5 complex extension, 3 conjugate, 3 CRT, 5 Dickson polynomials, 11 doubling step, 63 dual, 48 Fermat test, 15, 16 graph reduce ..."
Abstract

Cited by 13 (0 self)
 Add to MetaCart
, 44 equivalent, 48 admissible, 19 associated, 48 binary addition chain, 45 binary method, 43, 63 Carmichael function, 4 Carmichael number, 16, 29 Chinese Remainder Theorem, 5 complex extension, 3 conjugate, 3 CRT, 5 Dickson polynomials, 11 doubling step, 63 dual, 48 Fermat test, 15, 16 graph reduced, 48 group of units, 3 indegree, 45 Jacobi symbol, 6 Legendre symbol, 5 Lucas chain, 62 composite, 63 degenerate, 63 simple, 63 Lucas sequence, 8 Mathematica, 23, 41 MillerRabin test, 18 norm, 3 order of a group element, 7 outdegree, 45 Pocklington, 25 probable prime, 15 pseudoprimality, 2 BIBLIOGRAPHY 85 [R'ed48] L. R'edei. Uber eindeutig umkehrbare Polynome in endlichen Korpern. Acta Sci. Math., 11:7176, 194648. [Rie85] H. Riesel. Prime Numbers and Computer Methods for Factorization. Birkhauser, 1985. [RLS + 93] R. A. Rueppel, A. K. Lenstra, M. E. Smid, K. S. McCurley, Y. Desmedt, A. Odlyzko, and P. Landrock. Panel
Fast exponentiation with precomputation: Algorithms and lower bounds
 in Proc. of EUROCRYPT ’92
, 1995
"... In several cryptographic systems, a fixed element g of a group of order N is repeatedly raised to many different powers. In this paper we present a practical method of speeding up such systems, using precomputed values to reduce the number of multiplications needed. In practice this provides a subst ..."
Abstract

Cited by 11 (1 self)
 Add to MetaCart
In several cryptographic systems, a fixed element g of a group of order N is repeatedly raised to many different powers. In this paper we present a practical method of speeding up such systems, using precomputed values to reduce the number of multiplications needed. In practice this provides a substantial improvement over the level of performance that can be obtained using addition chains, and allows the computation of g n for n < N in O(log N / log log N) multiplicaitons. We show that this method is asymptotically optimal given polynomial storage, and for specific cases, within a small factor of optimal. We also show how these methods can be parallelized, to compute powers in time O(log log N) with O(log N / log 2 log N) processors.