Results 11  20
of
31
Efficient generation of minimal length addition chains
 SIAM Journal on Computing
, 1999
"... Abstract. An addition chain for a positive integer n is a set 1 = a0
Abstract

Cited by 10 (0 self)
 Add to MetaCart
Abstract. An addition chain for a positive integer n is a set 1 = a0 <a1 < ·· · <ar = n of integers such that for each i ≥ 1, ai = aj + ak for some k ≤ j<i. This paper is concerned with some of the computational aspects of generating minimal length addition chains for an integer n. Particular attention is paid to various pruning techniques that cut down the search time for such chains. Certain of these techniques are influenced by the multiplicative structure of n. Later sections of the paper present some results that have been uncovered by searching for minimal length addition chains.
New Modular Multiplication Algorithms for Fast Modular Exponentiation
 in “Advances in Cryptology—Proceedings of Eurocrypt ’96
, 1996
"... . A modular exponentiation is one of the most important operations in publickey cryptography. However, it takes much time because the modular exponentiation deals with very large operands as 512bit integers. The modular exponentiation is composed of repetition of modular multiplications. Therefore ..."
Abstract

Cited by 9 (0 self)
 Add to MetaCart
. A modular exponentiation is one of the most important operations in publickey cryptography. However, it takes much time because the modular exponentiation deals with very large operands as 512bit integers. The modular exponentiation is composed of repetition of modular multiplications. Therefore, we can reduce the execution time of it by reducing the execution time of each modular multiplication. In this paper, we propose two fast modular multiplication algorithms. One is for modular multiplications between different integers, and the other is for modular squarings. These proposed algorithms require singleprecision multiplications fewer than those of Montgomery modular multiplication algorithms by 1/2 and 1/3 times, respectively. Implementing on PC, proposed algorithms reduce execution times by 50% and 30% compared with Montgomery algorithms, respectively. 1 Introduction Since Diffie and Hellman had proposed publickey cryptography in 1976, many publickey cryptosystems have been...
Redundant trinomials for finite fields of characteristic 2
 Proceedings of ACISP 05, LNCS 3574
, 2005
"... Abstract. In this paper we introduce socalled redundant trinomials to represent elements of nite elds of characteristic 2. The concept is in fact similar to almost irreducible trinomials introduced by Brent and Zimmermann in the context of random numbers generators in [BZ 2003]. See also [BZ]. In f ..."
Abstract

Cited by 7 (0 self)
 Add to MetaCart
Abstract. In this paper we introduce socalled redundant trinomials to represent elements of nite elds of characteristic 2. The concept is in fact similar to almost irreducible trinomials introduced by Brent and Zimmermann in the context of random numbers generators in [BZ 2003]. See also [BZ]. In fact, Blake et al. [BGL 1994, BGL 1996] and Tromp et al. [TZZ 1997] explored also similar ideas some years ago. However redundant trinomials have been discovered independently and this paper develops applications to cryptography, especially based on elliptic curves. After recalling well known techniques to perform e cient arithmetic in extensions of F2, we describe redundant trinomial bases and discuss how to implement them e ciently. They are well suited to build F2n when no irreducible trinomial of degree n exists. Depending on n ∈ [2, 10, 000] tests with NTL show that improvements for squaring and exponentiation are respectively up to 45 % and 25%. More attention is given to relevant extension degrees for doing elliptic and hyperelliptic curve cryptography. For this range, a scalar multiplication can be speeded up by a factor up to 15%. 1.
Sslshader: cheap ssl acceleration with commodity processors
 In Proceedings of the 8th USENIX conference on Networked systems and implementation, NSDI’11
, 2011
"... Secure endtoend communication is becoming increasingly important as more private and sensitive data is transferred on the Internet. Unfortunately, today’s SSL deployment is largely limited to security or privacycritical domains. The low adoption rate is mainly attributed to the heavy cryptographic ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
Secure endtoend communication is becoming increasingly important as more private and sensitive data is transferred on the Internet. Unfortunately, today’s SSL deployment is largely limited to security or privacycritical domains. The low adoption rate is mainly attributed to the heavy cryptographic computation overhead on the server side, and the cost of good privacy on the Internet is tightly bound to expensive hardware SSL accelerators in practice. In this paper we present highperformance SSL acceleration using commodity processors. First, we show that modern graphics processing units (GPUs) can be easily converted to generalpurpose SSL accelerators. By exploiting the massive computing parallelism of GPUs, we accelerate SSL cryptographic operations beyond what stateoftheart CPUs provide. Second, we build a transparent SSL proxy, SSLShader, that carefully leverages the tradeoffs of recent hardware features such as AESNI and NUMA and achieves both high throughput and low latency. In our evaluation, the GPU implementation of RSA shows a factor of 22.6 to 31.7 improvement over the fastest CPU implementation. SSLShader achieves 29K transactions per second for small files while it transfers large files at 13 Gbps on a commodity server machine. These numbers are comparable to highend commercial SSL appliances at a fraction of their price.
Improved Privacy in Wallets with Observers (Extended Abstract)
 United States of America, SpringerVerlag
, 1994
"... ) R. J. F. Cramer 1 and T. P. Pedersen 2 1 CWI, The Netherlands 2 Aarhus University, Denmark ??? Abstract. Wallets with observers were suggested by David Chaum and have previously been described in [Ch92] and [CP92]. These papers argue that a particular combination of a tamperresistant ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
) R. J. F. Cramer 1 and T. P. Pedersen 2 1 CWI, The Netherlands 2 Aarhus University, Denmark ??? Abstract. Wallets with observers were suggested by David Chaum and have previously been described in [Ch92] and [CP92]. These papers argue that a particular combination of a tamperresistantunit and a small computer controlled by the user is very suitable as a personal device in consumer transaction systems. Using such devices, protocols are constructed that, simultaneously, achieve high levels of security for organizations and anonymity for individual users. The protocols from [CP92] offer anonymity to users, under the assumption that the information stored by observers is never revealed to the outside world. This paper extends [CP92] by defining additional requirements for the protocols which make it impossible to trace the behaviour of individuals in the system if one is also allowed to analyze a posteriori the information observers can collect. We propose two prot...
Fast Exponentiation Using Data Compression
, 1998
"... . We present the first exponentiation algorithm that uses the entropy of the source of the exponent to improve on existing exponentiation algorithms when the entropy is smaller than (1 + w(S)/l(S) ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
.<F3.836e+05> We present the first exponentiation algorithm that uses the entropy of the source of the exponent to improve on existing exponentiation algorithms when the entropy is smaller than (1 +<F3.39e+05><F3.836e+05><F3.39e+05><F3.836e+05><F3.39e+05><F3.836e+05><F3.39e+05><F3.836e+05> w(S)/l(S))<F2.852e+05><F2.83e+05> 1<F3.836e+05> , where<F3.39e+05><F3.836e+05><F3.39e+05><F3.836e+05> w(S) is the Hamming weight of the exponent, and<F3.39e+05><F3.836e+05><F3.39e+05><F3.836e+05> l(S) is its length. For entropy 1 it is comparable to the bestknown general purpose exponentiation algorithms.<F4.005e+05> Key words.<F3.836e+05> fast exponentiation, cryptography, discretelog, compression<F4.005e+05> AMS subject classifications.<F3.836e+05> 68P25, 68Q25<F4.005e+05> PII.<F3.836e+05> S0097539792234974<F4.77e+05> 1. Introduction.<F4.354e+05> Exponentiation with huge numbers is used heavily in modern cryptography, and the topic is the focus of attention of many researchers who try to achieve...
Securing RSA against fault analysis by double addition chain exponentiation
 CTRSA 2009. Volume 5473 of LNCS
, 2009
"... Abstract. Fault Analysis is a powerful cryptanalytic technique that enables to break cryptographic implementations embedded in portable devices more efficiently than any other technique. For an RSA implemented with the Chinese Remainder Theorem method, one faulty execution suffices to factorize the ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
Abstract. Fault Analysis is a powerful cryptanalytic technique that enables to break cryptographic implementations embedded in portable devices more efficiently than any other technique. For an RSA implemented with the Chinese Remainder Theorem method, one faulty execution suffices to factorize the public modulus and fully recover the private key. It is therefore mandatory to protect embedded implementations of RSA against fault analysis. This paper provides a new countermeasure against fault analysis for exponentiation and RSA. It consists in a selfsecure exponentiation algorithm, namely an exponentiation algorithm that provides a direct way to check the result coherence. An RSA implemented with our solution hence avoids the use of an extended modulus (which slows down the computation) as in several other countermeasures. Moreover, our exponentiation algorithm involves 1.65 multiplications per bit of the exponent which is significantly less than the 2 required by other selfsecure exponentiations. 1
Sparse RSA Secret Keys and Their Generation
 Queen's University
, 1996
"... In this paper we consider the problem of reducing the computational load by use of restricted key parameters in the RSA system. We present various methods for generating RSA key parameters that can produce the secret key with much smaller binary weight than the ordinary case. This will greatly reduc ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
In this paper we consider the problem of reducing the computational load by use of restricted key parameters in the RSA system. We present various methods for generating RSA key parameters that can produce the secret key with much smaller binary weight than the ordinary case. This will greatly reduce the number of multiplications required for RSA decryption in both software and hardware implementations. Security will be the most critical issue for their practical use. We also present preliminary analysis for every possible attack we could imagine. 1 Introduction Most public key systems widely used in practice, such as RSA [38], DiffieHellman [11] and ElGamal [14], are based on the difficulty of factoring integers and computing discrete logarithms. There are subexponential time algorithms to solve these problems. The most notable algorithm is the general number field sieve, which has the best asymptotic running time estimate (see [21] for a collection of related papers). The progress ...
On the design and implementation of efficient zeroknowledge proofs of knowledge
 In Software Performance Enhancements for Encryption and Decryption and Cryptographic Compilers – SPEEDCC 09
"... Abstract. Zeroknowledge proofs of knowledge (ZKPoK) play an important role in many cryptographic applications. Direct anonymous attestation (DAA) and the identity mixer anonymous authentication system are first real world applications using ZKPoK as building blocks. But although being used for ma ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
Abstract. Zeroknowledge proofs of knowledge (ZKPoK) play an important role in many cryptographic applications. Direct anonymous attestation (DAA) and the identity mixer anonymous authentication system are first real world applications using ZKPoK as building blocks. But although being used for many years now, design and implementation of sound ZKPoK remains challenging. In fact, there are security flaws in various protocols found in literatur. Especially for nonexperts in the field it is often hard to design ZKPoK, since a unified and easy to use theoretical framework on ZKPoK is missing. With this paper we overcome important challenges and facilitate the design and implementation of efficient and sound ZKPoK in practice. First, Camenisch et al. have presented at EUROCRYPT 2009 a first unified and modular theoretical framework for ZKPoK. This is compelling, but makes use of a rather inefficient 6move protocol. We extend and improve their framework in terms of efficiency and show how to realize it using efficient 3move Σprotocols. Second, we perform an exact security and efficiency analysis for our new protocol and various protocols found in the literature. The analysis yields novel and perhaps surprising results and insights. It reveals for instance that using a 2048 bit RSA modulus, as specified in the DAA standard, only guarantees an upper bound on the success probability of a malicious prover between 1/2 4 and 1/2 24. Also, based on that analysis we show how to select the most efficient protocol to realize a given proof goal. Finally, we also provide lowlevel support to a designer by presenting a compiler realizing our framework and optimization techniques, allowing easy implementation of efficient and sound protocols.
A loopless Gray code for minimal signedbinary representations
 in Proceedings of the 13th Annual European Symposium on Algorithms (ESA), Lecture
"... Abstract. Astring...a2a1a0 over the alphabet {−1, 0, 1} is said to be a minimal signedbinary representation of an integer n if n = � k k≥0 ak2 and the number of nonzero digits is minimal. We present a loopless (and hence a Gray code) algorithm for generating all minimal signed binary representatio ..."
Abstract

Cited by 2 (2 self)
 Add to MetaCart
Abstract. Astring...a2a1a0 over the alphabet {−1, 0, 1} is said to be a minimal signedbinary representation of an integer n if n = � k k≥0 ak2 and the number of nonzero digits is minimal. We present a loopless (and hence a Gray code) algorithm for generating all minimal signed binary representations of a given integer n. 1