Results 1 
3 of
3
Algorithms for Multiexponentiation
 In Selected Areas in Cryptography – SAC 2001 (2001
, 2001
"... Abstract. This paper compares different approaches for computing power products � 1≤i≤k ge i i in commutative groups. We look at the conventional simultaneous exponentiation approach and present an alternative strategy, interleaving exponentiation. Our comparison shows that in general groups, someti ..."
Abstract

Cited by 24 (3 self)
 Add to MetaCart
(Show Context)
Abstract. This paper compares different approaches for computing power products � 1≤i≤k ge i i in commutative groups. We look at the conventional simultaneous exponentiation approach and present an alternative strategy, interleaving exponentiation. Our comparison shows that in general groups, sometimes the conventional method and sometimes interleaving exponentiation is more efficient. In groups where inverting elements is easy (e.g. elliptic curves), interleaving exponentiation with signed exponent recoding usually wins over the conventional method. 1
A Sender Verifiable MixNet and a New Proof of a Shuffle
, 2005
"... We introduce the first El Gamal based mixnet in which each mixserver partially decrypts and permutes its input, i.e., no reencryption is necessary. An interesting property of the construction is that a sender can verify noninteractively that its message is processed correctly. We call this sende ..."
Abstract

Cited by 10 (1 self)
 Add to MetaCart
We introduce the first El Gamal based mixnet in which each mixserver partially decrypts and permutes its input, i.e., no reencryption is necessary. An interesting property of the construction is that a sender can verify noninteractively that its message is processed correctly. We call this sender verifiability. The mixnet is provably UCsecure against static adversaries corrupting any minority of the mixservers. The result holds under the decision DiffieHellman assumption, and assuming an ideal bulletin board and an ideal zeroknowledge proof of knowledge of a correct shuffle. Then we construct the first proof of a decryptionpermutation shuffle, and show how this can be transformed into a zeroknowledge proof of knowledge in the UCframework. The protocol is sound under the strong RSAassumption and the discrete logarithm assumption. Our proof of a shuffle is not a variation of existing methods. It is based on a novel idea of independent interest, and we argue that it is at least as efficient as previous constructions.
On the security of RDSA
 Advances in Cryptology  EUROCRYPT 2003, Lecture Notes in Computer Science
, 2003
"... Abstract. A variant of Schnorr’s signature scheme called RDSA has ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
(Show Context)
Abstract. A variant of Schnorr’s signature scheme called RDSA has