Public-key cryptographic systems often involve raising elements of some group (e.g. GF(2 n), Z/NZ, or elliptic curves) to large powers. An important question is how fast this exponentiation can be done, which often determines whether a given system is practical. The best method for exponentiation depends strongly on the group being used, the hardware the system is implemented on, and whether one element is being raised repeatedly to different powers, different elements are raised to a fixed power, or both powers and group elements vary. This problem has received much attention, but the results are scattered through the literature. In this paper we survey the known methods for fast exponentiation, examining their relative strengths and weaknesses. 1

We present a new off-line electronic cash system based on a problem, called the representation problem, of which little use has been made in literature thus far. Our system is the first to be based entirely on discrete logarithms. Using the representation problem as a basic concept, some techniques are introduced that enable us to construct protocols for withdrawal and payment that do not use the cut and choose methodology of earlier systems. As a consequence, our cash system is much more efficient in both computation and communication complexity than previously proposed systems. Another

We show how to compute x k using multiplications and divisions. We use this method in the context of elliptic curves for which a law exists with the property that division has the same cost as multiplication. Our best algorithm is 11.11% faster than the ordinary binary algorithm and speeds up accordingly the factorization and primality testing algorithms using elliptic curves. 1. Introduction. Recent algorithms used in primality testing and integer factorization make use of elliptic curves defined over finite fields or Artinian rings (cf. Section 2). One can define over these sets an abelian law. As a consequence, one can transpose over the corresponding groups all the classical algorithms that were designed over Z/NZ. In particular, one has the analogue of the p \Gamma 1 factorization algorithm of Pollard [29, 5, 20, 22], the Fermat-like primality testing algorithms [1, 14, 21, 26] and the public key cryptosystems based on RSA [30, 17, 19]. The basic operation performed on an elli...

Let M be an s ×t matrix and let M T be the transpose of M . Let x and y be t - and s -dimensional indeterminate column vectors, respectively. We show that any linear algorithm A that computes M x has associated with it a natural dual linear algorithm denoted A T that computes M T y . Furthermore, if M has no zero rows or columns then the number of additions used by A T exceeds the number of additions used by A by exactly s -t . In addition, a strong correspondence is established between linear algorithms that compute the product M x and bilinear algorithms that compute the bilinear form y T M x . Key words. arithmetic complexity, linear forms, linear algorithms, matrix multiplication, graphs of algorithms, bilinear forms, bilinear algorithms, duality, monomials. - 2 - 1. Introduction Many numerical computations involve evaluating the product of a given matrix by a vector of indeterminates. Obviously, the number of arithmetic operations used in the evaluation of such a pro...

Pippenger's exponentiation algorithm computes a power, or a product of powers, or a sequence of powers, or a sequence of products of powers, with very few multiplications. Pippenger's algorithm was published twenty-ve years ago, but it is still not widely understood or appreciated, although certain parts of it have recently been reinvented, republished, and popularized. This paper is an exposition of the state of the art in generic exponentiation algorithms|in particular, Pippenger's algorithm. 1.

In several cryptographic systems, a fixed element g of a group of order N is repeatedly raised to many different powers. In this paper we present a practical method of speeding up such systems, using precomputed values to reduce the number of multiplications needed. In practice this provides a substantial improvement over the level of performance that can be obtained using addition chains, and allows the computation of g n for n < N in O(log N / log log N) multiplicaitons. We show that this method is asymptotically optimal given polynomial storage, and for specific cases, within a small factor of optimal. We also show how these methods can be parallelized, to compute powers in time O(log log N) with O(log N / log 2 log N) processors.

Abstract not found

One of the major threats to the security of cryptosystems nowadays is the information leaked through side channels. For instance, power analysis attacks have been successfully mounted on cryptosystems embedded into small devices such as smart cards.

Abstract. We present our experience from implementing the public-key cryptosystem of González, Boyd and Dawson. We discuss different computational methods and compare their relative efficiency experimentally. We also compare the efficiency of this cryptosystem with that of the ElGamal cipher. 1

Abstract. An asymmetric pairing e: G2 × G1 → GT is considered such