A Survey of Fast Exponentiation Methods
 Journal of Algorithms
, 1998
Abstract
Cited by 155 (0 self)
Public-key cryptographic systems often involve raising elements of some group (e.g. GF(2^n), Z/NZ, or elliptic curves) to large powers. An important question is how fast this exponentiation can be done, which often determines whether a given system is practical. The best method for exponentiation depends strongly on the group being used, the hardware the system is implemented on, and whether one element is being raised repeatedly to different powers, different elements are raised to a fixed power, or both powers and group elements vary. This problem has received much attention, but the results are scattered through the literature. In this paper we survey the known methods for fast exponentiation, examining their relative strengths and weaknesses.
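The abstract's point that the best method depends on whether the base is fixed is easiest to see by counting multiplications. The following is an added example, not code from the survey: three ways of computing g^e mod N (plain square-and-multiply, left-to-right sliding windows with per-base odd-power precomputation, and a fixed-base table of g^(2^i)), each returning the result together with the number of modular multiplications it performed (squarings counted as multiplications). The modulus, base and exponent in the demo are constructed inputs. All three routines branch on the bits of e, so they are fine for public exponents but are not constant-time and must not be used as-is for a secret exponent on shared hardware.

```python
# Added example, not from the survey: exponentiation in Z/NZ by three methods
# with multiplication counts, showing why the best choice depends on whether
# the base is fixed. Each function returns (g^e mod n, multiplications done).
# Variable-time: every routine branches on the bits of e.

def binary_pow(g, e, n):
    """Square-and-multiply, left to right: the baseline."""
    if e == 0:
        return 1 % n, 0
    acc, muls = g % n, 0
    for bit in bin(e)[3:]:           # skip the leading 1 of e
        acc = acc * acc % n
        muls += 1
        if bit == '1':
            acc = acc * g % n
            muls += 1
    return acc, muls


def sliding_window_pow(g, e, n, w=4):
    """Left-to-right sliding windows of width <= w, each ending in a 1 bit.
    Precomputes g^1, g^3, ..., g^(2^w - 1); that per-base cost is charged here."""
    if e == 0:
        return 1 % n, 0
    g2 = g * g % n
    muls = 1
    odd = {1: g % n}
    for k in range(3, 1 << w, 2):
        odd[k] = odd[k - 2] * g2 % n
        muls += 1
    bits = bin(e)[2:]
    acc, started, i = 1, False, 0
    while i < len(bits):
        if bits[i] == '0':
            if started:
                acc = acc * acc % n
                muls += 1
            i += 1
            continue
        j = min(i + w, len(bits))    # longest window bits[i:j] ending in a 1
        while bits[j - 1] == '0':
            j -= 1
        val = int(bits[i:j], 2)      # odd, < 2^w, so it is in the table
        if started:
            for _ in range(j - i):
                acc = acc * acc % n
                muls += 1
            acc = acc * odd[val] % n
            muls += 1
        else:
            acc, started = odd[val], True
        i = j
    return acc, muls


def fixed_base_table(g, n, bits):
    """Per-base precomputation g^(2^i) for 0 <= i < bits, done once and reused."""
    table, x = [], g % n
    for _ in range(bits):
        table.append(x)
        x = x * x % n
    return table


def fixed_base_pow(table, e, n):
    """With the table, g^e costs one multiplication per set bit of e, no squarings."""
    acc, muls, i = 1 % n, 0, 0
    while e:
        if e & 1:
            acc = acc * table[i] % n
            muls += 1
        e >>= 1
        i += 1
    return acc, muls


def compare_single(g, e, n, w=4):
    """Multiplication counts of the three methods for one (g, e, n), after
    checking all three agree with Python's pow()."""
    tbl = fixed_base_table(g, n, e.bit_length())
    results = {
        "binary": binary_pow(g, e, n),
        "sliding_window": sliding_window_pow(g, e, n, w),
        "fixed_base": fixed_base_pow(tbl, e, n),
    }
    assert all(v == pow(g, e, n) for v, _ in results.values())
    return {name: muls for name, (_, muls) in results.items()}


if __name__ == "__main__":
    N = (1 << 127) - 1               # constructed modulus (a Mersenne prime)
    print(compare_single(3, 0xDEADBEEFCAFEBABE, N))
```

For a 64-bit exponent the sliding-window method already beats square-and-multiply by roughly a quarter, and a fixed base brings the cost down to one multiplication per set bit at the price of a table the size of the exponent; which of these is right depends on the deployment scenario the survey describes.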
HighSpeed RSA Implementation
, 1994
Abstract
Cited by 48 (7 self)
(The indexed text is a fragment of the report's bibliography.)
... Introduction to Arithmetic for Digital System Designers. New York, NY: Holt, Rinehart and Winston, 1982.
[52] Y. Yacobi. Exponentiating faster with addition chains. In I. B. Damgård, editor, Advances in Cryptology – EUROCRYPT '90, Lecture Notes in Computer Science No. 473, pages 222–229. New York, NY: Springer-Verlag, 1990.
[53] A. C.-C. Yao. On the evaluation of powers. SIAM Journal on Computing, 5(1):100–103, March 1976.
[25] Ç. K. Koç and C. Y. Hung. Multi-operand modulo addition using carry save adders. Electronics Letters, 26(6):361–363, 15 March 1990.
[26] Ç. K. Koç and C. Y. Hung. Bit-level systolic arrays for modular multiplication. Journal of VLSI Signal Processing, 3(3):215–223, 1991.
[27] Ç. K. Koç and C. Y. Hung. Adaptive m-ary segmentation and canonical recoding algorithms for multiplication of large binary numbers. Computers and Mathematics with Ap
The Smallest Grammar Problem
 IEEE TRANSACTIONS ON INFORMATION THEORY
, 2005
Abstract
Cited by 24 (0 self)
This paper addresses the smallest grammar problem: What is the smallest context-free grammar that generates exactly one given string σ? This is a natural question about a fundamental object connected to many fields, including data compression, Kolmogorov complexity, pattern identification, and addition chains. Due to the problem's inherent complexity, our objective is to find an approximation algorithm which finds a small grammar for the input string. We focus attention on the approximation ratio of the algorithm (and implicitly, worst-case behavior) to establish provable performance guarantees and to address shortcomings in the classical measure of redundancy in the literature. Our first results are a variety of hardness results, most notably that every efficient algorithm for the smallest grammar problem has approximation ratio at least 8569/8568 unless P = NP. We then bound approximation ratios for several of the best-known grammar-based compression algorithms, including LZ78, BISECTION, SEQUENTIAL, LONGEST MATCH, GREEDY, and RE-PAIR. Among these, the best upper bound we show is O(n^{1/2}). We finish by presenting two novel algorithms with exponentially better ratios of O(log^3 n) and O(log(n/m*)), where m* is the size of the smallest grammar for that input. The latter highlights a connection between grammar-based compression and LZ77.
A note on the signed sliding window integer recoding and a lefttoright analogue
 in “Selected Areas in Cryptography – SAC 2004”, Lecture Notes in Computer Science 3357 (2005), 130– 143
, 2004
Abstract
Cited by 19 (5 self)
Addition-subtraction chains obtained from signed-digit recodings of integers are a common tool for computing multiples of random elements of a group where the computation of inverses is a fast operation. Cohen and Solinas independently described one such recoding, the w-NAF. For scalars of the size commonly used in cryptographic applications, it leads to the current scalar multiplication algorithm of choice. However, we could find no formal proof of its optimality in the literature. This recoding is computed right-to-left. We solve two open questions regarding the w-NAF. We first prove that the w-NAF is a redundant radix-2 recoding of smallest weight among all those with integral coefficients smaller in absolute value than 2^{w-1}. Secondly, we introduce a left-to-right recoding with the same digit set as the w-NAF, generalizing previous results. We also prove that the two recodings have the same (optimal) weight. Finally, we sketch how to prove similar results for other recodings.
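The right-to-left w-NAF the abstract refers to is short enough to show in full. The following is an added example, not code from the paper: it computes the w-NAF of a scalar, checks the digit-set and non-adjacency properties (every nonzero digit odd and below 2^{w-1} in absolute value, no two nonzero digits within w positions), and uses the recoding as an addition-subtraction chain for scalar multiplication on a constructed toy curve over F_97, where negating a point is just a sign flip, the setting the recoding is meant for. The left-to-right recoding the paper introduces is not reproduced here. The curve, base point and scalars are constructed demo values, and the routines are variable-time, so they illustrate the chain rather than serve as an implementation.

```python
# Added example, not from the paper: right-to-left w-NAF recoding, a check of
# the properties the abstract states, and scalar multiplication by the
# resulting addition-subtraction chain on a constructed toy curve.
# Variable-time throughout: an illustration, not a constant-time implementation.

def wnaf(k, w):
    """Digits d_0, d_1, ... (least significant first) with k = sum d_i * 2^i,
    every d_i zero or odd with |d_i| < 2^(w-1), computed right to left."""
    assert w >= 2 and k >= 0
    digits, mod = [], 1 << w
    while k > 0:
        if k & 1:
            d = k % mod
            if d >= mod >> 1:        # take the signed residue in (-2^(w-1), 2^(w-1))
                d -= mod
            k -= d                   # now 2^w divides k, so the next w-1 digits are 0
        else:
            d = 0
        digits.append(d)
        k >>= 1
    return digits


def is_wnaf(digits, w):
    """Digit set and non-adjacency: no two nonzero digits within w positions."""
    half = 1 << (w - 1)
    for i, d in enumerate(digits):
        if d == 0:
            continue
        if d % 2 == 0 or abs(d) >= half or any(digits[i + 1:i + w]):
            return False
    return True


def weight(digits):
    return sum(1 for d in digits if d)


# Toy curve y^2 = x^3 + 2x + 3 over F_97 with base point (3, 6); constructed for the demo.
P_MOD, A, B = 97, 2, 3
G = (3, 6)


def on_curve(P):
    if P is None:                    # None is the point at infinity
        return True
    x, y = P
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def ec_neg(P):
    return None if P is None else (P[0], -P[1] % P_MOD)


def ec_add(P, Q):
    """Affine short-Weierstrass group law, covering identity, inverse and doubling."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def scalar_mult_binary(k, P):
    """Double-and-add; returns (k*P, doublings, additions)."""
    Q, dbl, add = None, 0, 0
    for bit in bin(k)[2:]:
        if Q is not None:
            Q, dbl = ec_add(Q, Q), dbl + 1
        if bit == '1':
            Q, add = ec_add(Q, P), add + 1
    return Q, dbl, add


def scalar_mult_wnaf(k, P, w=4):
    """k*P by the w-NAF addition-subtraction chain: precompute the odd multiples
    P, 3P, ..., (2^(w-1)-1)P; negative digits use the (free) negation."""
    odd, twoP = {1: P}, ec_add(P, P)
    for m in range(3, 1 << (w - 1), 2):
        odd[m] = ec_add(odd[m - 2], twoP)
    Q, dbl, add = None, 0, 0
    for d in reversed(wnaf(k, w)):
        if Q is not None:
            Q, dbl = ec_add(Q, Q), dbl + 1
        if d:
            R = odd[d] if d > 0 else ec_neg(odd[-d])
            Q, add = ec_add(Q, R), add + 1
    return Q, dbl, add


if __name__ == "__main__":
    k = 0xB7F3
    print(wnaf(k, 4), scalar_mult_binary(k, G)[1:], scalar_mult_wnaf(k, G)[1:])
```

The number of additions in the chain equals the weight of the recoding, which is why the minimal-weight result in the abstract translates directly into fewer group operations; the doublings are unchanged.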
Secure network authentication with password identification
 IEEE P1363a
, 1999
Abstract
Cited by 15 (1 self)
Submission to IEEE P1363a. A password authentication protocol called SNAPI is proposed for inclusion in the P1363a document. SNAPI provides mutual authentication between a client and server based solely on a password, and does not require the client to store any other information (except the code that runs the protocol). SNAPI is the first protocol of this type that is provably secure against active adversaries (i.e., adversaries that can not only eavesdrop on communication, but also impersonate parties and replay messages), and in particular does not reveal any information to active adversaries that would allow an off-line dictionary attack on the password. Security is proven in the random-oracle model and is based on the security of RSA. SNAPI also provides for key exchange (as secure as Diffie-Hellman), allowing a secure session to be initiated. A variant, SNAPI-X, is also proposed, in which the server stores a one-way function of the password, and does not allow an adversary who compromises the server to impersonate a client (without actually running a dictionary attack on the password file). The protocols described in this contribution are from the paper "Secure Network Authentication with Password Identification" [MS].
Faster Square Roots in Annoying Finite Fields
Abstract
Cited by 10 (0 self)
Let q be an odd prime number. There are several methods known to compute square roots in Z/q: the quadratic-extension methods of Legendre, Pocklington, Cipolla, Lehmer, et al., and the discrete-logarithm methods of Tonelli, Shanks, et al. The quadratic-extension methods use (3 + o(1)) lg q multiplications and, on average, 2 + o(1) Jacobi-symbol computations mod q. The discrete-logarithm methods use only (1 + o(1)) lg q multiplications, after an easy precomputation of one element of Z/q, if ord_2(q - 1) ∈ o(sqrt(lg q)). This paper presents an algorithm that uses only (1 + o(1)) lg q multiplications, after an easy precomputation of (lg q)^{O(1)} elements of Z/q, if ord_2(q - 1) ∈ o(sqrt(lg q lg lg q)). For example, the new algorithm can compute square roots in Z/q for q = 2^224 - 2^96 + 1 using 364 multiplications in Z/q and 1024 precomputed elements of Z/q. The same technique speeds up the Silver-Pohlig-Hellman algorithm for computing discrete logarithms in any cyclic group of smooth order.
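To see why q = 2^224 - 2^96 + 1 is "annoying", note that q - 1 = 2^96 (2^128 - 1), so ord_2(q - 1) = 96, far outside the o(sqrt(lg q)) regime in which the classical discrete-logarithm method costs (1 + o(1)) lg q multiplications. The following is an added example, not code from the paper: a Tonelli-Shanks square root with a multiplication counter, run on that prime and, for contrast, on the P-256 prime, which is 3 mod 4 and needs only one exponentiation. The paper's own algorithm (364 multiplications after precomputing 1024 elements) is not reproduced. The counter class and the sample inputs are constructed for the demo; the non-residue search and c = z^t are the one-time per-field precomputation and are not counted.

```python
# Added example, not from the paper: Tonelli-Shanks square roots in Z/q with a
# multiplication counter, on q = 2^224 - 2^96 + 1 (ord_2(q - 1) = 96, the
# annoying case) and on the P-256 prime (q = 3 mod 4, the easy case).

class MulCounter:
    """Multiplication mod q that counts every product, squarings included."""
    def __init__(self):
        self.muls = 0

    def mul(self, a, b, q):
        self.muls += 1
        return a * b % q

    def pow(self, a, e, q):
        """Left-to-right square-and-multiply for e >= 1."""
        r = a % q
        for bit in bin(e)[3:]:
            r = self.mul(r, r, q)
            if bit == '1':
                r = self.mul(r, a, q)
        return r


def split_power_of_two(m):
    """Return (s, t) with m = 2^s * t and t odd."""
    s = 0
    while m % 2 == 0:
        s += 1
        m //= 2
    return s, m


def tonelli_shanks(n, q, ctr):
    """Return r with r*r == n (mod q) for an odd prime q and a quadratic residue n.
    Raises ValueError for a non-residue instead of looping forever."""
    n %= q
    if n == 0:
        return 0
    if pow(n, (q - 1) // 2, q) != 1:
        raise ValueError("not a quadratic residue")
    s, t = split_power_of_two(q - 1)
    # One-time precomputation per field (not counted): a non-residue z and
    # c = z^t, a generator of the subgroup of order 2^s in (Z/q)*.
    z = 2
    while pow(z, (q - 1) // 2, q) != q - 1:
        z += 1
    c = pow(z, t, q)
    r = ctr.pow(n, (t + 1) // 2, q)      # candidate root
    u = ctr.pow(n, t, q)                 # invariant: r^2 == u * n, u of 2-power order
    m = s
    while u != 1:
        i, v = 0, u                      # least i with u^(2^i) == 1
        while v != 1:
            v = ctr.mul(v, v, q)
            i += 1
        b = c                            # b = c^(2^(m-i-1)) has order 2^(i+1)
        for _ in range(m - i - 1):
            b = ctr.mul(b, b, q)
        r = ctr.mul(r, b, q)
        c = ctr.mul(b, b, q)
        u = ctr.mul(u, c, q)             # order of u drops below 2^i
        m = i
    return r


def sqrt_3mod4(n, q, ctr):
    """The cheap case q = 3 (mod 4): one exponentiation, about 1.5 lg q multiplications."""
    return ctr.pow(n % q, (q + 1) // 4, q)


P224 = 2**224 - 2**96 + 1                         # ord_2(q - 1) = 96
P256 = 2**256 - 2**224 + 2**192 + 2**96 - 1       # q = 3 (mod 4)


def count_root(n, q):
    """Take the square root with the method q permits; return (root, multiplications)."""
    ctr = MulCounter()
    r = sqrt_3mod4(n, q, ctr) if q % 4 == 3 else tonelli_shanks(n, q, ctr)
    if r * r % q != n % q:
        raise ValueError("not a quadratic residue")
    return r, ctr.muls


if __name__ == "__main__":
    for q in (P256, P224):
        print(q.bit_length(), "bits:", count_root(9, q)[1], "multiplications")
```

On the 224-bit prime the two initial exponentiations alone already cost more than lg q multiplications, and each pass of the correction loop adds up to another 96 squarings, which is the gap the paper's precomputed table closes.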
Generic Efficient Arithmetic Algorithms for PAFFs (Processor Adequate Finite Fields) and Related Algebraic Structures
 In Selected Areas in Cryptology – SAC 2003, SpringerVerlag LNCS 3006
, 2004
Abstract
Cited by 10 (3 self)
In the past years several authors have considered finite field extensions of odd characteristic optimised for a given architecture to obtain performance gains. The fields considered were however very specific. We define a Processor Adequate Finite Field (PAFF) as a field of odd characteristic p < 2^w where w is a CPU-related word length. PAFFs have several attractive properties for cryptography. In this paper we concentrate on arithmetic aspects. We present some algorithms usually providing better performance in PAFFs than in prime fields and in previously proposed instances of extension fields of comparable size.
Pippenger's Exponentiation Algorithm
, 2002
Abstract
Cited by 9 (0 self)
Pippenger's exponentiation algorithm computes a power, or a product of powers, or a sequence of powers, or a sequence of products of powers, with very few multiplications. Pippenger's algorithm was published twenty-five years ago, but it is still not widely understood or appreciated, although certain parts of it have recently been reinvented, republished, and popularized. This paper is an exposition of the state of the art in generic exponentiation algorithms, in particular Pippenger's algorithm.
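The "product of powers" case is the one where the saving over naive exponentiation is easiest to see. The following is an added example, not code from the paper: the simultaneous method for g_1^e_1 ... g_k^e_k mod N (often called Straus's algorithm or Shamir's trick), which precomputes the product of every subset of the bases and then runs a single squaring chain shared by all exponents, compared against computing each power separately. This is a much simpler method than Pippenger's algorithm and is shown only to make the problem and the kind of saving concrete; it is not Pippenger's construction. Bases, exponents and modulus are constructed demo values, and both routines are variable-time.

```python
# Added example, not from the paper: the simultaneous (Straus) method for a
# product of powers against separate exponentiations, with multiplication
# counts. Not Pippenger's algorithm; a baseline for the problem it solves.

def separate_powers(bases, exps, n):
    """Each g_i^e_i by square-and-multiply, then multiply the results together."""
    acc, muls = 1 % n, 0
    for g, e in zip(bases, exps):
        if e == 0:
            continue
        r = g % n
        for bit in bin(e)[3:]:
            r = r * r % n
            muls += 1
            if bit == '1':
                r = r * g % n
                muls += 1
        acc = acc * r % n
        muls += 1
    return acc, muls


def simultaneous_powers(bases, exps, n):
    """Straus's method: precompute the product of every subset of the bases
    (2^k - k - 1 multiplications), then one squaring chain over the longest
    exponent, multiplying in table[mask] where mask is the column of bits
    taken across all exponents at that position."""
    k = len(bases)
    table = [1 % n] * (1 << k)
    muls = 0
    for mask in range(1, 1 << k):
        low = mask & -mask                       # lowest set bit of mask
        if mask == low:
            table[mask] = bases[low.bit_length() - 1] % n
        else:
            table[mask] = table[mask ^ low] * table[low] % n
            muls += 1
    L = max(e.bit_length() for e in exps)
    if L == 0:
        return 1 % n, muls

    def column(i):
        return sum(((e >> i) & 1) << j for j, e in enumerate(exps))

    acc = table[column(L - 1)]                   # top column is nonzero by choice of L
    for i in range(L - 2, -1, -1):
        acc = acc * acc % n
        muls += 1
        mask = column(i)
        if mask:
            acc = acc * table[mask] % n
            muls += 1
    return acc, muls


def compare_multi(bases, exps, n):
    """Return both multiplication counts after checking the two results agree
    with a reference computed from Python's pow()."""
    v1, m1 = separate_powers(bases, exps, n)
    v2, m2 = simultaneous_powers(bases, exps, n)
    expect = 1
    for g, e in zip(bases, exps):
        expect = expect * pow(g, e, n) % n
    assert v1 == v2 == expect
    return {"separate": m1, "simultaneous": m2}


if __name__ == "__main__":
    N = (1 << 127) - 1                           # constructed modulus
    print(compare_multi([2, 3, 5],
                        [0xDEADBEEF12345678, 0xCAFEBABE9ABCDEF0, 0x0123456789ABCDEF], N))
```

With three 64-bit exponents the shared squaring chain replaces three separate ones, which is where most of the saving comes from; the table grows as 2^k, which is why this simple method stops scaling for many bases and more elaborate algorithms such as Pippenger's are needed.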
Approximation Algorithms for GrammarBased Data Compression
, 2002
Abstract
Cited by 9 (0 self)
This thesis considers the smallest grammar problem: find the smallest context-free grammar that generates exactly one given string. We show that this problem is intractable, and so our objective is to find approximation algorithms. This simple question is connected to many areas of research. Most importantly, there is a link to data compression; instead of storing a long string, one can store a small grammar that generates it. A small grammar for a string also naturally brings out underlying patterns, a fact that is useful, for example, in DNA analysis. Moreover, the size of the smallest context-free grammar generating a string can be regarded as a computable relaxation of Kolmogorov complexity. Finally, work on the smallest grammar problem qualitatively extends the study of approximation algorithms to hierarchically-structured objects. In this thesis, we establish hardness results, evaluate several previously proposed algorithms, and then present new procedures with much stronger approximation guarantees.
Order computations in generic groups
 PHD THESIS MIT, SUBMITTED JUNE 2007. RESOURCES
, 2007