Results 11 to 20 of 35
An algorithm for modular exponentiation
Information Processing Letters, 1998
Cited by 26 (8 self)
Abstract
A practical technique for improving the performance of modular exponentiations (ME) is described. The complexity of the ME algorithm is O modular multiplications (MMs), where n is the length of the exponent, requiring an O(n^2) precomputed lookup table size with a very small constant of proportionality. The algorithm uses a double-based number system which we introduce in this paper.
Open Problems in Number Theoretic Complexity, II
Cited by 26 (0 self)
Abstract
This paper contains a list of 36 open problems in number-theoretic complexity. We expect that none of these problems are easy; we are sure that many of them are hard. This list of problems reflects our own interests and should not be viewed as definitive. As the field changes and becomes deeper, new problems will emerge and old problems will lose favor. Ideally there will be other `open problems' papers in future ANTS proceedings to help guide the field. It is likely that some of the problems presented here will remain open for the foreseeable future. However, it is possible in some cases to make progress by solving subproblems, or by establishing reductions between problems, or by settling problems under the assumption of one or more well-known hypotheses (e.g. the various extended Riemann hypotheses, NP ≠ P, NP ≠ coNP). For the sake of clarity we have often chosen to state a specific version of a problem rather than a general one. For example, questions about the integers modulo a prime often have natural generalizations to arbitrary finite fields, to arbitrary cyclic groups, or to problems with a composite modulus. Questions about the integers often have natural generalizations to the ring of integers in an algebraic number field, and questions about elliptic curves often generalize to arbitrary curves or abelian varieties. The problems presented here arose from many different places and times. To those whose research has generated these problems or has contributed to our present understanding of them but to whom inadequate acknowledgement is given here, we apologize. Our list of open problems is derived from an earlier `open problems' paper we wrote in 1986 [AM86]. When we wrote the first version of this paper, we feared that the problems presented were so difficult...
Cascade Ciphers: The Importance of Being First
1993
Cited by 25 (2 self)
Abstract
The security of cascade ciphers, in which by definition the keys of the component ciphers are independent, is considered. It is shown by a counterexample that the intuitive result, formally stated and proved in the literature, that a cascade is at least as strong as the strongest component cipher, requires the uninterestingly restrictive assumption that the enemy cannot exploit information about the plaintext statistics. It is proved, for very general notions of breaking a cipher and of problem difficulty, that a cascade is at least as difficult to break as the first component cipher. A consequence of this result is that, if the ciphers commute, then a cascade is at least as difficult to break as the most-difficult-to-break component cipher, i.e., the intuition that a cryptographic chain is at least as strong as its strongest link is then provably correct. It is noted that additive stream ciphers do commute, and this fact is used to suggest a strategy for designing secure practical ci...
Secure Signature Schemes Based on Interactive Protocols
In Advances in Cryptology: CRYPTO '95, 1994
Cited by 24 (3 self)
Abstract
A method is proposed for constructing from interactive protocols digital signature schemes secure against adaptively chosen message attacks. Our main result is that practical secure signature schemes can now also be based on computationally difficult problems other than factoring (see [9]), such as the discrete logarithm problem. More precisely,
On the Security of a Practical Identification Scheme
J. Cryptology, 1996
Cited by 20 (0 self)
Abstract
We analyze the security of an interactive identification scheme. The scheme is the obvious extension of the original square root scheme of Goldwasser, Micali and Rackoff to 2^m-th roots. This scheme is quite practical, especially in terms of storage and communication complexity. Although this scheme is certainly not new, its security was apparently not fully understood. We prove that this scheme is secure if factoring integers is hard, even against active attacks where the adversary is first allowed to pose as a verifier before attempting impersonation.
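As an added illustration (editor's code, not from the paper above), the following Python sketch shows the shape of the 2^m-th root identification protocol the abstract refers to: the prover holds a secret s and publishes v = s^(2^m) mod n; in each round it commits x = r^(2^m) for a fresh r, receives a challenge e in [0, 2^m), and answers y = r·s^e; the verifier accepts iff y^(2^m) = x·v^e mod n. The modulus, the exponent size m = 8 and every sample value are constructed toy parameters. The `impersonate` function models only the basic soundness bound (a cheater who guesses the challenge in advance succeeds with probability 2^-m per round); the active attack the paper analyses, where the adversary first plays verifier, is not modelled here.

```python
import secrets
from math import gcd

# Constructed toy modulus n = p*q (assumption: illustration only; a real
# deployment uses primes of at least 1024 bits each).
P, Q = 1000003, 1000033
N = P * Q
M = 8              # the protocol works with 2^M-th roots
E = 1 << M         # the public exponent 2^M


def public_key(s):
    """Public key v = s^(2^M) mod n; the secret s is a 2^M-th root of v."""
    if gcd(s, N) != 1:
        raise ValueError("s must be a unit mod n")
    return pow(s, E, N)


def commit(r):
    """Prover -> verifier: x = r^(2^M) mod n for a fresh random r."""
    return pow(r, E, N)


def respond(r, s, e):
    """Prover -> verifier: y = r * s^e mod n for the challenge e in [0, 2^M)."""
    return (r * pow(s, e, N)) % N


def check(x, e, y, v):
    """Verifier accepts iff y^(2^M) == x * v^e (mod n)."""
    return pow(y, E, N) == (x * pow(v, e, N)) % N


def identify(s, v, rounds=20):
    """Honest run over `rounds` rounds with fresh randomness; every round accepts."""
    for _ in range(rounds):
        r = secrets.randbelow(N - 2) + 2      # prover's fresh randomness
        x = commit(r)
        e = secrets.randbelow(E)              # verifier's unpredictable challenge
        if not check(x, e, respond(r, s, e), v):
            return False
    return True


def impersonate(v, guess, e, y):
    """Cheating prover without s: guess the challenge, pick any y, and set
    x = y^(2^M) * v^(-guess) mod n so that the check passes exactly when the
    verifier's real challenge e equals the guess. Success probability per
    round is 2^-M, which is why the challenge must be unpredictable and why
    M together with the round count sets the soundness level."""
    x = (pow(y, E, N) * pow(v, -guess, N)) % N
    return check(x, e, y, v)
```

Run `identify(s, public_key(s))` for an honest prover; with M = 8, twenty rounds leave a guessing cheater a 2^-160 chance overall. A larger m buys fewer rounds for the same bound at the cost of a larger exponent per operation, which is the storage/communication trade-off the abstract mentions.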
On the fly authentication and signature schemes based on groups of unknown order
Journal of Cryptology, 2006
Cited by 18 (1 self)
The composite discrete logarithm and secure authentication
In Public Key Cryptography, 2000
Cited by 18 (2 self)
Abstract
For the last two decades, electronic authentication has been an important topic. The first applications were digital signatures to mimic handwritten signatures for digital documents. Then, Chaum wanted to create an electronic version of money, with similar properties, namely bank certification and users' anonymity. Therefore, he proposed the concept of blind signatures. For all those problems, and furthermore for online authentication, zero-knowledge proofs of knowledge became a very powerful tool. Nevertheless, high computational load is often the drawback of a high security level. More recently, witness-indistinguishability has been found to be a better property that can conjugate security together with efficiency. This paper studies the discrete logarithm problem with a composite modulus and namely its witness-indistinguishability. Then we offer new authentications more secure than factorization and furthermore very efficient from the prover's point of view. Moreover, we significantly improve the reduction cost in the security proofs of Girault's variants of the Schnorr schemes, which validates practical sizes for security parameters. Finally, thanks to the witness-indistinguishability of the basic protocol, we can derive a blind signature scheme with security related to factorization.
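As an added example (editor's code, not from this paper or the two on-the-fly papers in this list), here is the shape of Girault's Schnorr variant over a composite modulus as this editor understands it, in the on-the-fly form: the public key is v = g^(-s) mod n, the commitment x = g^r mod n is precomputed as a "coupon", and the online response y = r + c·s is plain integer arithmetic with no modular reduction, which is what makes the signer's online work minimal. The challenge is derived as c = H(x || m) to turn the protocol into a signature. The modulus, base, size parameters and sample values are constructed toy assumptions; the paper's proofs fix the real sizes. The `recover_secret` function is the practitioner's caveat: because y is computed over the integers, a coupon used for two messages gives away s directly.

```python
import hashlib
import secrets

# Constructed toy parameters (assumption: illustration only). n = p*q whose
# factorisation is unknown to the prover; g is a base of large order mod n.
P, Q = 1000003, 1000033
N = P * Q
G = 2
S_BITS = 32                       # size of the secret s
C_BITS = 64                       # size of the challenge c
A_BITS = S_BITS + C_BITS + 64     # r in [0, 2^A_BITS) statistically hides c*s in y


def keygen(s=None):
    """Secret s, public v = g^(-s) mod n."""
    s = secrets.randbits(S_BITS) if s is None else s
    return s, pow(G, -s, N)


def precompute(r=None):
    """Offline step (a 'coupon'): r and x = g^r mod n, before any message is known."""
    r = secrets.randbits(A_BITS) if r is None else r
    return r, pow(G, r, N)


def challenge(x, msg):
    """Fiat-Shamir challenge c = H(x || m), truncated to C_BITS bits."""
    data = x.to_bytes((N.bit_length() + 7) // 8, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - C_BITS)


def sign(msg, s, coupon):
    """Online step: a single integer multiply-add, no modular reduction."""
    r, x = coupon
    return x, r + challenge(x, msg) * s


def verify(msg, v, sig):
    """Accept iff y is in the honest range and g^y * v^c == x (mod n),
    i.e. g^(r + c*s) * g^(-s*c) == g^r."""
    x, y = sig
    if not 0 <= y < (1 << A_BITS) + (1 << (C_BITS + S_BITS)):
        return False
    c = challenge(x, msg)
    return pow(G, y, N) * pow(v, c, N) % N == x


def recover_secret(msg1, sig1, msg2, sig2):
    """Caveat: two signatures from the same coupon leak s, since
    y1 - y2 = (c1 - c2) * s holds over the integers. Returns None when the
    coupons differ or the two challenges happen to coincide."""
    (x1, y1), (x2, y2) = sig1, sig2
    if x1 != x2:
        return None
    c1, c2 = challenge(x1, msg1), challenge(x2, msg2)
    if c1 == c2:
        return None
    return (y1 - y2) // (c1 - c2)
```

Coupons must therefore be generated fresh and consumed exactly once, and their storage on the card is the price paid for moving the exponentiation offline.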
On The Fly Signatures based on Factoring
In Proceedings of the 6th ACM Conference on Computer and Communications Security, 1999
Cited by 16 (4 self)
Abstract
In response to the current need for fast, secure and cheap public-key cryptography, largely induced by the fast development of electronic commerce, we propose a new on-the-fly signature scheme, i.e. a scheme that requires very small online work for the signer. It combines provable security based on the factorization problem, short public and secret keys, short transmission and minimal online computation. It is the first RSA-like signature scheme that can be used for both efficient and secure applications based on low-cost or contactless smart cards.
Designing and detecting trapdoors for discrete log cryptosystems
Advances in Cryptology, CRYPTO '92, 1993
Cited by 16 (0 self)
Abstract
Using a number field sieve, discrete logarithms modulo primes of special forms can be found faster than for standard primes. This has raised concerns about trapdoors in discrete log cryptosystems, such as the Digital Signature Standard. This paper discusses the practical impact of these trapdoors, and how to avoid them.
The Hardness of the Hidden Subset Sum Problem and its Cryptographic Implications
In Proc. of CRYPTO '99, volume 1666 of LNCS, 1999
Cited by 12 (4 self)
Abstract
At Eurocrypt'98, Boyko, Peinado and Venkatesan presented simple and very fast methods for generating randomly distributed pairs of the form (x, g^x mod p) using precomputation. The security of these methods relied on the potential hardness of a new problem, the so-called hidden subset sum problem. Surprisingly, apart from exhaustive search, no algorithm to solve this problem was known. In this paper, we exhibit a security criterion for the hidden subset sum problem, and discuss its implications on the practicability of the precomputation schemes. Our results are twofold. On the one hand, we present an efficient lattice-based attack which is expected to succeed if and only if the parameters satisfy a particular condition that we make explicit. Experiments have validated the theoretical analysis, and show the limitations of the precomputation methods. For instance, any realistic smartcard implementation of Schnorr's identification scheme using these precomputation meth...
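As an added example (editor's code, not from this paper or from Boyko, Peinado and Venkatesan), the following Python shows the basic subset-sum form of the precomputation generator the abstract discusses: a table of k pairs (a_i, g^a_i mod p) is built offline, and each new pair (x, g^x mod p) is obtained by adding the a_i of a random subset and multiplying the matching g^a_i, so a fresh commitment costs a handful of modular multiplications instead of an exponentiation. The group (Z_p^* with exponents reduced mod p-1 rather than a prime-order subgroup), the table size k = 8 or 16 and the subset size h = 3 or 4 are constructed toy assumptions. The `output_space_size` function makes the caveat visible: every x the generator can emit is one of at most C(k, h) hidden subset sums of the fixed a_i, and that structure is what the lattice attack in the paper exploits once parameters fall below its criterion.

```python
import math
import random

# Constructed toy group (assumption: illustration only). P is prime, so
# g^(P-1) == 1 mod P and exponents can be reduced mod P-1.
P = 1000003
G = 2
ORDER = P - 1


def make_table(k, rng):
    """Offline precomputation: k random pairs (a_i, g^a_i mod p)."""
    return [(a, pow(G, a, P)) for a in (rng.randrange(ORDER) for _ in range(k))]


def gen_pair(table, subset):
    """Combine the table entries at the given indices:
    x = sum a_i mod (p-1), X = prod g^a_i mod p, so that X == g^x mod p.
    Costs len(subset) - 1 modular multiplications and no exponentiation."""
    x = sum(table[i][0] for i in subset) % ORDER
    X = 1
    for i in subset:
        X = X * table[i][1] % P
    return x, X


def check_pair(x, X):
    """The relation every emitted pair must satisfy."""
    return pow(G, x, P) == X


def random_pair(table, h, rng):
    """One generator call: a random h-subset of the table."""
    return gen_pair(table, rng.sample(range(len(table)), h))


def output_space_size(k, h):
    """Upper bound on the distinct x values the generator can ever emit:
    each x is a subset sum of the same k hidden a_i, chosen h at a time.
    An observer of many outputs faces exactly the hidden subset sum problem."""
    return math.comb(k, h)


# A fixed constructed table so that the example is reproducible.
TABLE = make_table(8, random.Random(1))


def demo(seed=7, k=16, h=4, samples=50):
    """Build a table and confirm `samples` generated pairs all verify."""
    rng = random.Random(seed)
    table = make_table(k, rng)
    return all(check_pair(*random_pair(table, h, rng)) for _ in range(samples))
```

In Schnorr identification each such pair supplies one commitment g^x; the speed-up is real, but the price is that the commitments are no longer independent uniform values, which is the property the paper's criterion is about.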