Results 1  10
of
18
Short signatures from the Weil pairing
, 2001
"... Abstract. We introduce a short signature scheme based on the Computational DiffieHellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signa ..."
Abstract

Cited by 560 (31 self)
 Add to MetaCart
Abstract. We introduce a short signature scheme based on the Computational DiffieHellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or signatures are sent over a lowbandwidth channel. 1
The XTR public key system
, 2000
"... This paper introduces the XTR public key system. XTR is based on a new method to represent elements of a subgroup of a multiplicative group of a finite field. Application of XTR in cryptographic protocols leads to substantial savings both in communication and computational overhead without compromis ..."
Abstract

Cited by 80 (11 self)
 Add to MetaCart
This paper introduces the XTR public key system. XTR is based on a new method to represent elements of a subgroup of a multiplicative group of a finite field. Application of XTR in cryptographic protocols leads to substantial savings both in communication and computational overhead without compromising security.
Oneway signature chaining: a new paradigm for group cryptosystems
 International Journal of Information and Computer Security
"... In this paper, we describe a new cryptographic primitive called (OneWay) Signature Chaining. Signature chaining is essentially a method of generating a chain of signatures on the same message by different users. Each signature acts as a “link ” of the chain. The onewayness implies that the chaini ..."
Abstract

Cited by 7 (4 self)
 Add to MetaCart
In this paper, we describe a new cryptographic primitive called (OneWay) Signature Chaining. Signature chaining is essentially a method of generating a chain of signatures on the same message by different users. Each signature acts as a “link ” of the chain. The onewayness implies that the chaining process is oneway in the sense that more links can be easily added to the chain. However, it is computationally infeasible to remove any intermediate links without removing all the links. The signatures so created are called chain signatures (CS). We give precise definitions of chain signatures and discuss some applications in trust transfer. We then present a practical construction of a CS scheme that is secure (in the random oracle model) under the Computational DiffieHellman (CDH) assumption in bilinear maps.
Signature calculus and discrete logarithm problems
 In Proc. ANTS VII, LNCS 4076
, 2006
"... This is the third in a series of papers in which we develop a unified method for treating the discrete logarithm problem (DLP) in various contexts. In [HR1], we described a formalism using global duality for a unified approach to the DLP for the multiplicative group and for elliptic ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
This is the third in a series of papers in which we develop a unified method for treating the discrete logarithm problem (DLP) in various contexts. In [HR1], we described a formalism using global duality for a unified approach to the DLP for the multiplicative group and for elliptic
MOV attack in various subgroups on elliptic curves
 Illinois J. Math
"... Abstract. We estimate the probabilities that the MenezesOkamotoVanstone reduction of the discrete logarithm problem on an elliptic curve E to the discrete logarithm problem in a certain finite field succeeds for various groups on points on E. Our bounds imply that in all interesting cases these pr ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
Abstract. We estimate the probabilities that the MenezesOkamotoVanstone reduction of the discrete logarithm problem on an elliptic curve E to the discrete logarithm problem in a certain finite field succeeds for various groups on points on E. Our bounds imply that in all interesting cases these probabilities are exponentially small. This extends results of Balasubramanian and Koblitz who have treated the instance in which the order of the group of points on E is prime. 1.
Isomorphism Classes of Genus2 Hyperelliptic Curves Over Finite Fields
"... We propose a reduced equation for hyperelliptic curves of genus 2 over finite fields F q of q elements with characteristic different from 2 and 5. We determine the number of isomorphism classes of genus2 hyperelliptic curves having an F q rational Weierstrass point. These results have applications ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
We propose a reduced equation for hyperelliptic curves of genus 2 over finite fields F q of q elements with characteristic different from 2 and 5. We determine the number of isomorphism classes of genus2 hyperelliptic curves having an F q rational Weierstrass point. These results have applications to hyperelliptic curve cryptography.
A General Polynomial Sieve
 Designs, Codes and Crpyotgraphy
, 1999
"... An important component of the index calculus methods for finding discrete logarithms is the acquisition of smooth polynomial relations. Gordon and McCurley (1992) developed a sieve to aid in finding smooth Coppersmith polynomials for use in the index calculus method. We discuss their approach and so ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
An important component of the index calculus methods for finding discrete logarithms is the acquisition of smooth polynomial relations. Gordon and McCurley (1992) developed a sieve to aid in finding smooth Coppersmith polynomials for use in the index calculus method. We discuss their approach and some of the difficulties they found with their sieve. We present a new sieving method that can be applied to any affine subspace of polynomials over a finite field.
What is the Inverse of Repeated Square and Multiply Algorithm?
, 2007
"... It is well known that the repeated square and multiply algorithm is an efficient way of modular exponentiation. The obvious question to ask is if this algorithm has an inverse which would calculate the discrete logarithm and what is its time compexity. The technical hitch is in fixing the right sign ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
It is well known that the repeated square and multiply algorithm is an efficient way of modular exponentiation. The obvious question to ask is if this algorithm has an inverse which would calculate the discrete logarithm and what is its time compexity. The technical hitch is in fixing the right sign of the square root and this is the heart of the discrete logarithm problem over finite fields of characteristic not equal to 2. In this paper a couple of probabilistic algorithms to compute the discrete logarithm over finite fields and their time complexity are given by bypassing this difficulty. One of the algorithms was inspired by the famous 3x + 1 problem. Key words. Discrete logarithm, Legendre symbol, 3x+1 problem. 1 1
Hard Instances of the Constrained Discrete Logarithm Problem
"... Abstract. The discrete logarithm problem (DLP) generalizes to the constrained DLP, where the secret exponent x belongs to a set known to the attacker. The complexity of generic algorithms for solving the constrained DLP depends on the choice of the set. Motivated by cryptographic applications, we st ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Abstract. The discrete logarithm problem (DLP) generalizes to the constrained DLP, where the secret exponent x belongs to a set known to the attacker. The complexity of generic algorithms for solving the constrained DLP depends on the choice of the set. Motivated by cryptographic applications, we study explicit construction of sets for which the constrained DLP is hard. We draw on earlier results due to Erdös et al. and Schnorr, develop geometric tools such as generalized Menelaus’ theorem for proving lower bounds on the complexity of the constrained DLP, and construct explicit sets with provable nontrivial lower bounds. 1