Short signatures from the Weil pairing
, 2001
Cited by 562 (29 self)
Abstract. We introduce a short signature scheme based on the Computational Diffie-Hellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or signatures are sent over a low-bandwidth channel.
Constructing Elliptic Curves with Prescribed Embedding Degrees
, 2002
Cited by 52 (16 self)
Pairing-based cryptosystems depend on the existence of groups where the Decision Diffie-Hellman problem is easy to solve, but the Computational Diffie-Hellman problem is hard. Such is the case of elliptic curve groups whose embedding degree is large enough to maintain a good security level, but small enough for arithmetic operations to be feasible. However, the embedding degree is usually enormous, and the scarce previously known suitable elliptic groups had embedding degree k ≤ 6. In this note, we examine criteria for curves with larger k that generalize prior work by Miyaji et al. based on the properties of cyclotomic polynomials, and propose efficient representations for the underlying algebraic structures.
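Worked illustration of the embedding-degree criterion that both abstracts above rely on (the short signature needs a curve on which a pairing makes DDH easy while CDH stays hard; this note's criterion for such curves is the embedding degree k). This is an added example, not code from either paper: it counts points by brute force on two small constructed curves (the textbook ordinary curve y^2 = x^3 + x + 1 over F_23 and the supersingular curve y^2 = x^3 + 1 over F_1013), takes the largest prime-order subgroup r, and computes k as the order of p modulo r. Real pairing-friendly curves are far too large for this counting and are built by complex-multiplication methods.

```python
"""Embedding degree of the prime-order subgroup of E(F_p): y^2 = x^3 + a*x + b.

Added illustration, not code from either paper above. The curves and primes are
small constructed instances so that brute-force point counting is feasible;
real pairing-friendly curves are built by complex-multiplication methods.
"""


def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) for an odd prime p: 0, +1 (square) or -1."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def count_points(a: int, b: int, p: int) -> int:
    """#E(F_p) for y^2 = x^3 + a*x + b, counted directly (O(p) Legendre symbols)."""
    if (4 * a**3 + 27 * b**2) % p == 0:
        raise ValueError("singular curve")
    total = 1  # the point at infinity
    for x in range(p):
        total += 1 + legendre(x**3 + a * x + b, p)  # 2, 1 or 0 points with this x
    return total


def largest_prime_factor(n: int) -> int:
    """Largest prime factor by trial division; fine for the small orders used here."""
    best, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            best, n = d, n // d
        d += 1
    return max(best, n) if n > 1 else best


def embedding_degree(p: int, r: int) -> int:
    """Smallest k >= 1 with r | p^k - 1, i.e. the multiplicative order of p mod r.

    A pairing maps the order-r subgroup into the r-th roots of unity of F_{p^k},
    so the curve DLP is no harder than the DLP in F_{p^k}^* (the MOV reduction).
    """
    if p % r == 0:
        raise ValueError("r must be coprime to p")
    k, acc = 1, p % r
    while acc != 1:
        acc = acc * p % r
        k += 1
    return k


def analyse(a: int, b: int, p: int) -> dict:
    """Order, largest prime-order subgroup r, its embedding degree k, |F_{p^k}| in bits."""
    n = count_points(a, b, p)
    r = largest_prime_factor(n)
    k = embedding_degree(p, r)
    return {"order": n, "r": r, "k": k, "field_bits": (p**k).bit_length()}


if __name__ == "__main__":
    # Textbook ordinary curve y^2 = x^3 + x + 1 over F_23: 28 points, r = 7, k = 3.
    print(analyse(1, 1, 23))
    # Supersingular y^2 = x^3 + 1 over F_1013 (p = 2 mod 3): p + 1 points, r = 13, k = 2.
    print(analyse(0, 1, 1013))
```

The check a practitioner wants from this is the last field: the DLP in F_{p^k}^* is attacked by index-calculus methods, so field_bits must be large enough to resist them while k stays small enough that pairing arithmetic in F_{p^k} is affordable. Supersingular curves give k ≤ 6 (k = 2 over a prime field, as in the second run), which is the bounded family the abstract refers to; for a random ordinary curve k is typically of the same size as r, so the pairing would live in an astronomically large field, which is why the abstract calls the embedding degree "usually enormous" and why the construction of ordinary curves with prescribed moderate k matters.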
Classical and modular approaches to exponential Diophantine equations I. Fibonacci and Lucas perfect powers
Annals of Math
Cited by 33 (13 self)
Abstract. This is the second in a series of papers where we combine the classical approach to exponential Diophantine equations (linear forms in logarithms, Thue equations, etc.) with a modular approach based on some of the ideas of the proof of Fermat's Last Theorem. In this paper we use a general and powerful new lower bound for linear forms in three logarithms, together with a combination of classical, elementary and substantially improved modular methods, to solve completely the Lebesgue–Nagell equation x^2 + D = y^n (x, y integers, n ≥ 3) for D in the range 1 ≤ D ≤ 100.
Efficient Solution of Rational Conics
 Math. Comp
, 1998
Cited by 19 (0 self)
An absolute bound for the size of Diophantine mtuples
 J. Number Theory
, 2001
Cited by 18 (12 self)
A set of m positive integers is called a Diophantine m-tuple if the product of any two of its distinct elements increased by 1 is a perfect square. We prove that if {a, b, c} is a Diophantine triple such that b > 4a and c > max{b or c > max{b then there is a unique positive integer d such that d > c and {a, b, c, d} is a Diophantine quadruple. Furthermore, we prove that there does not exist a Diophantine 9-tuple and that there are only finitely many Diophantine 8-tuples.
Solving Quadratic Equations Using Reduced Unimodular Quadratic Forms
 Math. of Comp
, 2005
Cited by 15 (1 self)
Abstract. Let Q be an n × n symmetric matrix with integral entries and with det Q ≠ 0, but not necessarily positive definite. We describe a generalized LLL algorithm to reduce this quadratic form. This algorithm either reduces the quadratic form or stops with some isotropic vector. It is proved to run in polynomial time. We also describe an algorithm for the minimization of a ternary quadratic form: when a quadratic equation q(x, y, z) = 0 is solvable over Q, a solution can be deduced from another quadratic equation of determinant ±1. The combination of these algorithms allows us to solve efficiently any general ternary quadratic equation over Q, and this gives a polynomial time algorithm (as soon as the factorization of the determinant of Q is known). There are various methods in the literature for solving homogeneous quadratic equations q(x, y, z) = 0 over Q. Mathematicians seem to be unanimous in saying that the first step consists of reducing to the diagonal case, that is, to Legendre equations of the type ax^2 + by^2 + cz^2 = 0. As we will see in Section 4.2, this is a good idea in theory, but disastrous in practice: the determinant of the new equation
A parametric family of quartic Thue equations
, 2002
Cited by 13 (4 self)
In this paper we prove that the Diophantine equation where c 3 is an integer, has only the trivial solutions (1, 0), (0, 1).
A family of quartic Thue inequalities
 Acta Arith
, 2004
Cited by 13 (6 self)
In this paper we prove that the only primitive solutions of the 1). 1
On the representation of unity by binary cubic forms
Trans. Amer. Math. Soc
Cited by 7 (0 self)
Abstract. If F(x, y) is a binary cubic form with integer coefficients such that F(x, 1) has at least two distinct complex roots, then the equation F(x, y) = 1 possesses at most ten solutions in integers x and y, nine if F has a nontrivial automorphism group. If, further, F(x, y) is reducible over Z[x, y], then this equation has at most 2 solutions, unless F(x, y) is equivalent under the GL_2(Z)-action to either x(x^2 − xy − y^2) or x(x^2 − 2y^2). The proofs of these results rely upon the method of Thue–Siegel as refined by Evertse, together with lower bounds for linear forms in logarithms of algebraic numbers and techniques from computational Diophantine approximation. Along the way, we completely solve all Thue equations F(x, y) = 1 for F cubic and irreducible of positive discriminant D_F ≤ 10^6. As corollaries, we obtain bounds for the number of solutions to more general cubic Thue equations of the form F(x, y) = m and to Mordell's equation y^2 = x^3 + k, where m and k are nonzero integers.
SNARKs for C: Verifying program executions succinctly and in zero knowledge
In Proceedings of CRYPTO 2013, LNCS
Cited by 4 (1 self)
An argument system for NP is a proof system that allows efficient verification of NP statements, given proofs produced by an untrusted yet computationally-bounded prover. Such a system is non-interactive and publicly-verifiable if, after a trusted party publishes a proving key and a verification key, anyone can use the proving key to generate non-interactive proofs for adaptively-chosen NP statements, and proofs can be verified by anyone by using the verification key. We present an implementation of a publicly-verifiable non-interactive argument system for NP. The system, moreover, is a zero-knowledge proof-of-knowledge. It directly proves correct executions of programs on TinyRAM, a random-access machine tailored for efficient verification of nondeterministic computations. Given a program P and time bound T, the system allows for proving correct execution of P, on any input x, for up to T steps, after a one-time setup requiring Õ(|P| · T) cryptographic operations. An honest prover requires Õ(|P| · T) cryptographic operations to generate such a proof, while proof verification can be performed with only O(|x|) cryptographic operations. This system can be used to prove the correct execution of C programs, using our TinyRAM port of the GCC compiler. This yields a zero-knowledge Succinct Non-interactive ARgument of Knowledge (zk-SNARK) for
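The shape of the NP statement such a system proves, as an added illustration that is not the authors' TinyRAM compiler or proof system: correct execution is expressed as "there exists a witness w satisfying every rank-1 constraint (A·w)(B·w) = C·w over a prime field", the prover supplies w, and the verifier holds only the constraint system and the public inputs. The field prime and the toy program (knowledge of x with x^3 + x + 5 = 35, flattened by hand into four constraints) are constructed for this example; the paper derives its constraints mechanically from the TinyRAM transition function rather than from a hand-flattened formula.

```python
"""Rank-1 constraint system (R1CS) satisfiability check over a prime field.

Added illustration, not the paper's TinyRAM pipeline. The NP statement behind a
SNARK of this kind is: "there exists a witness w with (A.w)*(B.w) == C.w for
every constraint (A, B, C)". Field prime and the toy program are constructed.
"""

P = 2**61 - 1  # constructed choice; a deployed system uses the order of its pairing group

# Witness layout: public prefix first, private assignment after it.
ONE, OUT, X, S1, Y, S2 = range(6)
N_PUBLIC = 2  # the verifier learns w[:N_PUBLIC] = [1, out] and nothing else about w


def dot(vec: dict, w: list) -> int:
    """Sparse linear form applied to the witness, reduced mod P."""
    return sum(coeff * w[idx] for idx, coeff in vec.items()) % P


def satisfied(r1cs: list, w: list) -> bool:
    """True iff every constraint (A.w) * (B.w) == C.w holds over F_P."""
    return all((dot(A, w) * dot(B, w) - dot(C, w)) % P == 0 for A, B, C in r1cs)


def cubic_r1cs() -> list:
    """Hand-flattening of the toy statement 'I know x such that x^3 + x + 5 = out'."""
    return [
        ({X: 1}, {X: 1}, {S1: 1}),               # s1  = x * x
        ({S1: 1}, {X: 1}, {Y: 1}),               # y   = s1 * x
        ({Y: 1, X: 1}, {ONE: 1}, {S2: 1}),       # s2  = y + x      (linear, so B = 1)
        ({S2: 1, ONE: 5}, {ONE: 1}, {OUT: 1}),   # out = s2 + 5
    ]


def witness(x: int, public_out: int = 35) -> list:
    """Prover side: fix the public output, derive every intermediate from the secret x."""
    s1 = x * x % P
    y = s1 * x % P
    s2 = (y + x) % P
    return [1, public_out % P, x % P, s1, y, s2]


def public_inputs(w: list) -> list:
    """What a verifier is given alongside the proof: the public prefix only."""
    return w[:N_PUBLIC]


if __name__ == "__main__":
    system = cubic_r1cs()
    good = witness(3)            # 27 + 3 + 5 == 35, so the statement holds
    bad = witness(4)             # 64 + 4 + 5 == 73 != 35
    forged = witness(3)
    forged[S1] = 10              # inconsistent intermediate: caught by constraint 1
    print(public_inputs(good), satisfied(system, good))       # [1, 35] True
    print(satisfied(system, bad), satisfied(system, forged))  # False False
```

The check in satisfied() is linear in the number of constraints, which is exactly the work the verifier must avoid: the SNARK replaces it with a short proof that the prover knew a satisfying w, checked with the verification key in O(|x|) cryptographic operations, and zero knowledge hides everything in w beyond the public prefix. The abstract's "trusted party" is the caveat to keep in view: the setup that produces the proving and verification keys is the trust root of the whole system, and a party holding the secrets used to generate those keys can produce proofs for false statements.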