How to Securely Outsource Cryptographic Computations
In Theory of Cryptography (2005)
Abstract. We address the problem of using untrusted (potentially malicious) cryptographic helpers. We provide a formal security definition for securely outsourcing computations from a computationally limited device to an untrusted helper. In our model, the adversarial environment writes the software for the helper, but then does not have direct communication with it once the device starts relying on it. In addition to security, we also provide a framework for quantifying the efficiency and checkability of an outsourcing implementation. We present two practical outsource-secure schemes. Specifically, we show how to securely outsource modular exponentiation, which presents the computational bottleneck in most public-key cryptography on computationally limited devices. Without outsourcing, a device would need O(n) modular multiplications to carry out modular exponentiation for n-bit exponents. The load reduces to O(log^2 n) for any exponentiation-based scheme where the honest device may use two untrusted exponentiation programs; we highlight the Cramer-Shoup cryptosystem [13] and Schnorr signatures [28] as examples. With a relaxed notion of security, we achieve the same load reduction for a new CCA2-secure encryption scheme using only one untrusted Cramer-Shoup encryption program.

The composite discrete logarithm and secure authentication
In Public Key Cryptography, 2000
Abstract. For the last two decades, electronic authentication has been an important topic. The first applications were digital signatures to mimic handwritten signatures for digital documents. Then, Chaum wanted to create an electronic version of money, with similar properties, namely bank certification and users' anonymity. Therefore, he proposed the concept of blind signatures. For all those problems, and furthermore for on-line authentication, zero-knowledge proofs of knowledge became a very powerful tool. Nevertheless, high computational load is often the drawback of a high security level. More recently, witness-indistinguishability has been found to be a better property that can conjugate security together with efficiency. This paper studies the discrete logarithm problem with a composite modulus and namely its witness-indistinguishability. Then we offer new authentications more secure than factorization and furthermore very efficient from the prover's point of view. Moreover, we significantly improve the reduction cost in the security proofs of Girault's variants of the Schnorr schemes, which validates practical sizes for security parameters. Finally, thanks to the witness-indistinguishability of the basic protocol, we can derive a blind signature scheme with security related to factorization.

Security and Performance of Server-Aided RSA Computation Protocols
Advances in Cryptology - CRYPTO '95, 1995
This paper investigates various security issues and provides possible improvements on server-aided RSA computation schemes, mainly focused on the two-phase protocols, RSA-S1M and RSA-S2M, proposed by Matsumoto et al. [4]. We first present new active attacks on these protocols when the final result is not checked. A server-aided protocol is then proposed in which the client can check the computed signature in at most six multiplications irrespective of the size of the public exponent. Next we consider multi-round active attacks on the protocol with correctness check and show that parameter restrictions cannot defeat such attacks. We thus assume that the secret exponent is newly decomposed in each run of the protocol and discuss some means of speeding up this preprocessing step. Finally, considering the implementation-dependent attack, we propose a new method for decomposing the secret and performing the required computation efficiently.

Random small Hamming weight products with applications to cryptography
Issue 1 - special issue on the 2000 Com2MaC workshop on cryptography, 2003
Abstract. There are many cryptographic constructions in which one uses a random power or multiple of an element in a group or a ring. We describe a fast method to compute random powers and multiples in certain important situations including powers in the Galois field F_{2^n},

Batching Schnorr Identification Scheme with Applications to Privacy-Preserving Authorization and Low-Bandwidth Communication Devices
2004
Abstract. We present a batch version of Schnorr's identification scheme. Our scheme uses higher degree polynomials that enable the execution of several instances of Schnorr's protocol at a cost very close to that of a single execution. We present a full proof of security that our scheme is secure against impersonation attacks. The main application of this result is a very efficient way for a party to prove that it holds several secret keys (i.e. identities), where each identity is linked to a specific authorization. This approach protects the privacy of the prover, allowing her to prove only the set of authorizations required to perform a given task, without disclosing whether she is in possession of other privileges or not. We also show that our scheme is suitable to be implemented on low-bandwidth communication devices. We present an implementation of a smart card employing recent technology for the use of LEDs (Light Emitting Diodes) for bidirectional communication. Another contribution of our paper is to show that this new technology allows the implementation of strong cryptography.

Speeding up Exponentiation using an Untrusted Computational Resource
MEMO 469, MIT CSAIL Computation Structures Group, 2003
We present protocols for speeding up fixed-base exponentiation and variable-base exponentiation using an untrusted computation resource. In the fixed-base protocols, the base and exponent may be blinded. If the exponent is fixed, the base may be blinded in the variable-base exponentiation protocols. The protocols are the first ones for accelerating exponentiation with the aid of an untrusted resource in arbitrary cyclic groups. We also describe how to use the protocols to construct protocols that do, with the aid of an untrusted resource, exponentiation modulo an integer where the modulus is the product of primes with single multiplicity. One application of the protocols is to speed up exponentiation-based verification in discrete log-based signature and credential schemes. For example, the protocols can be applied to speeding up, on small devices, the verification of signatures in DSS, El Gamal, and Schnorr's signature schemes, and the verification of digital credentials in Brands' credential system. The protocols use precomputation and we prove that they are unconditionally secure. We analyze the performance of our variable-base protocols where the exponentiation is modulo a prime p: the protocols provide an asymptotic speedup of about O(0.24 (k / log k)^{2/3}), where k = log p, over the square-and-multiply algorithm, without compromising security.

Fast Generation of Pairs (k, [k]P) for Koblitz Elliptic Curves
2001
We propose a method for increasing the speed of scalar multiplication on binary anomalous (Koblitz) elliptic curves. By introducing a generator which produces random pairs (k, [k]P) of special shape, we exhibit a specific setting where the number of elliptic curve operations is reduced by 25% to 50% compared with the general case when k is chosen uniformly. This generator can be used when an ephemeral pair (k, [k]P) is needed by a cryptographic algorithm, and especially for Elliptic Curve Diffie-Hellman key exchange, ECDSA signature and ElGamal encryption.

Special Course on Cryptology/Zero Knowledge: Zero Knowledge Proofs of Identity and Proofs of Knowledge
2001
Introduction. Authentication, or proving one's identity, can be done in many ways, but a typical way in applications related to computers has been the use of passwords. A big disadvantage in using passwords is that the party who is verifying the authentication (called the verifier) or anyone eavesdropping on the communication can later impersonate the original authenticator (called the prover). A more advanced way for authentication is the challenge-response method, where a prover demonstrates the knowledge of a secret by responding to the verifier's challenge in a way that is not directly reusable by the verifier (e.g. encrypt a random challenge with a secret key). This method, however, might reveal something about the secret, especially so if the verifier can choose the challenges that he sends (chosen text attack) [9]. So, the idea of zero knowledge protocols seems to be quite useful and natural in this context. In this survey, we will briefly look at zero knowledge proofs of knowledge

unknown title
The literature of cryptography has a curious history. Secrecy, of course, has always played a central role, but until the First World War, important developments appeared in print in a more or less timely fashion and the field moved forward in much the same way as other specialized disciplines. As late as 1918, one of the most influential cryptanalytic papers of the twentieth century, William F. Friedman's monograph The Index of Coincidence and Its Applications in Cryptography, appeared as a research report of the private Riverbank Laboratories [577]. And this, despite the fact that the work had been done as part of the war effort. In the same year Edward H. Hebern of Oakland, California filed the first patent for a rotor machine [710], the device destined to be a mainstay of military cryptography for nearly 50 years. After the First World War, however, things began to change. U.S. Army and Navy organizations, working entirely in secret, began to make fundamental advances in cryptography. During the thirties and forties a few basic papers did appear in the open literature and several treatises on the subject were published, but the latter were farther and farther behind the state of the art. By the end of the war the transition was complete. With one notable exception, the public literature had died. That exception was Claude Shannon's paper "The Communication Theory of Secrecy Systems," which