A Survey of Fast Exponentiation Methods
Journal of Algorithms, 1998
Cited by 138 (0 self)
Abstract
Public-key cryptographic systems often involve raising elements of some group (e.g. GF(2^n), Z/NZ, or elliptic curves) to large powers. An important question is how fast this exponentiation can be done, which often determines whether a given system is practical. The best method for exponentiation depends strongly on the group being used, the hardware the system is implemented on, and whether one element is being raised repeatedly to different powers, different elements are raised to a fixed power, or both powers and group elements vary. This problem has received much attention, but the results are scattered through the literature. In this paper we survey the known methods for fast exponentiation, examining their relative strengths and weaknesses.
High-Speed RSA Implementation
1994
Cited by 42 (6 self)
Introduction to Arithmetic for Digital System Designers. New York, NY: Holt, Rinehart and Winston, 1982. [52] Y. Yacobi. Exponentiating faster with addition chains. In I. B. Damgård, editor, Advances in Cryptology - EUROCRYPT 90, Lecture Notes in Computer Science, No. 473, pages 222–229. New York, NY: Springer-Verlag, 1990. [53] A. C.-C. Yao. On the evaluation of powers. SIAM Journal on Computing, 5(1):100–103, March 1976. [25] Ç. K. Koç and C. Y. Hung. Multi-operand modulo addition using carry save adders. Electronics Letters, 26(6):361–363, 15th March 1990. [26] Ç. K. Koç and C. Y. Hung. Bit-level systolic arrays for modular multiplication. Journal of VLSI Signal Processing, 3(3):215–223, 1991. [27] Ç. K. Koç and C. Y. Hung. Adaptive m-ary segmentation and canonical recoding algorithms for multiplication of large binary numbers. Computers and Mathematics with Ap
The Smallest Grammar Problem
IEEE Transactions on Information Theory, 2005
Cited by 17 (0 self)
Abstract
This paper addresses the smallest grammar problem: What is the smallest context-free grammar that generates exactly one given string σ? This is a natural question about a fundamental object connected to many fields, including data compression, Kolmogorov complexity, pattern identification, and addition chains. Due to the problem's inherent complexity, our objective is to find an approximation algorithm that finds a small grammar for the input string. We focus attention on the approximation ratio of the algorithm (and implicitly, worst-case behavior) to establish provable performance guarantees and to address shortcomings in the classical measure of redundancy in the literature. Our first results are a variety of hardness results, most notably that every efficient algorithm for the smallest grammar problem has approximation ratio at least 8569/8568 unless P = NP. We then bound approximation ratios for several of the best-known grammar-based compression algorithms, including LZ78, BISECTION, SEQUENTIAL, LONGEST MATCH, GREEDY, and RE-PAIR. Among these, the best upper bound we show is O(n^(1/2)). We finish by presenting two novel algorithms with exponentially better ratios of O(log^3 n) and O(log(n/m*)), where m* is the size of the smallest grammar for that input. The latter highlights a connection between grammar-based compression and LZ77.
A note on the signed sliding window integer recoding and a left-to-right analogue
In “Selected Areas in Cryptography – SAC 2004”, Lecture Notes in Computer Science 3357 (2005), 130–143, 2004
Cited by 15 (2 self)
Abstract
Addition-subtraction chains obtained from signed digit recodings of integers are a common tool for computing multiples of random elements of a group where the computation of inverses is a fast operation. Cohen and Solinas independently described one such recoding, the w-NAF. For scalars of the size commonly used in cryptographic applications, it leads to the current scalar multiplication algorithm of choice. However, we could find no formal proof of its optimality in the literature. This recoding is computed right-to-left. We solve two open questions regarding the w-NAF. We first prove that the w-NAF is a redundant radix-2 recoding of smallest weight among all those with integral coefficients smaller in absolute value than 2^(w−1). Secondly, we introduce a left-to-right recoding with the same digit set as the w-NAF, generalizing previous results. We also prove that the two recodings have the same (optimal) weight. Finally, we sketch how to prove similar results for other recodings.
Secure network authentication with password identification
IEEE P1363a, 1999
Cited by 13 (1 self)
Abstract
Submission to IEEE P1363a. A password authentication protocol called SNAPI is proposed for inclusion in the P1363a document. SNAPI provides mutual authentication between a client and server based solely on a password, and does not require the client to store any other information (except the code that runs the protocol). SNAPI is the first protocol of this type that is provably secure against active adversaries (i.e., adversaries that can not only eavesdrop on communication, but also impersonate parties and replay messages), and in particular, does not reveal any information to active adversaries that would allow an off-line dictionary attack on the password. Security is proven in the random-oracle model and is based on the security of RSA. SNAPI also provides for key exchange (as secure as Diffie-Hellman), allowing a secure session to be initiated. A variant, SNAPI-X, is also proposed, in which the server stores a one-way function of the password, and does not allow an adversary who compromises the server to impersonate a client (without actually running a dictionary attack on the password file). The protocols described in this contribution are from the paper, Secure Network Authentication with Password Identification [MS].
Pippenger's Exponentiation Algorithm
2002
Cited by 9 (0 self)
Abstract
Pippenger's exponentiation algorithm computes a power, or a product of powers, or a sequence of powers, or a sequence of products of powers, with very few multiplications. Pippenger's algorithm was published twenty-five years ago, but it is still not widely understood or appreciated, although certain parts of it have recently been reinvented, republished, and popularized. This paper is an exposition of the state of the art in generic exponentiation algorithms, in particular Pippenger's algorithm.
Generic Efficient Arithmetic Algorithms for PAFFs (Processor Adequate Finite Fields) and Related Algebraic Structures
In Selected Areas in Cryptology – SAC 2003, Springer-Verlag LNCS 3006, 2004
Cited by 8 (2 self)
Abstract
In the past years several authors have considered finite field extensions of odd characteristic optimised for a given architecture to obtain performance gains. The considered fields were however very specific. We define a Processor Adequate Finite Field (PAFF) as a field of odd characteristic p < 2^w, where w is a CPU-related word length. PAFFs have several attractive properties for cryptography. In this paper we concentrate on arithmetic aspects. We present some algorithms usually providing better performance in PAFFs than in prime fields and in previously proposed instances of extension fields of comparable size.
Faster Square Roots in Annoying Finite Fields
Cited by 7 (0 self)
Abstract
Let q be an odd prime number. There are several methods known to compute square roots in Z/q: the quadratic-extension methods of Legendre, Pocklington, Cipolla, Lehmer, et al., and the discrete-logarithm methods of Tonelli, Shanks, et al. The quadratic-extension methods use (3 + o(1)) lg q multiplications and, on average, 2 + o(1) Jacobi-symbol computations mod q. The discrete-logarithm methods use only (1 + o(1)) lg q multiplications, after an easy precomputation of one element of Z/q, if ord_2(q − 1) ∈ o(√(lg q)). This paper presents an algorithm that uses only (1 + o(1)) lg q multiplications, after an easy precomputation of (lg q)^O(1) elements of Z/q, if ord_2(q − 1) ∈ o(√(lg q lg lg q)). For example, the new algorithm can compute square roots in Z/q for q = 2^224 − 2^96 + 1 using 364 multiplications in Z/q and 1024 precomputed elements of Z/q. The same technique speeds up the Silver-Pohlig-Hellman algorithm for computing discrete logarithms in any cyclic group of smooth order.
Approximation Algorithms for Grammar-Based Data Compression
2002
Cited by 6 (0 self)
Abstract
This thesis considers the smallest grammar problem: find the smallest context-free grammar that generates exactly one given string. We show that this problem is intractable, and so our objective is to find approximation algorithms. This simple question is connected to many areas of research. Most importantly, there is a link to data compression; instead of storing a long string, one can store a small grammar that generates it. A small grammar for a string also naturally brings out underlying patterns, a fact that is useful, for example, in DNA analysis. Moreover, the size of the smallest context-free grammar generating a string can be regarded as a computable relaxation of Kolmogorov complexity. Finally, work on the smallest grammar problem qualitatively extends the study of approximation algorithms to hierarchically-structured objects. In this thesis, we establish hardness results, evaluate several previously proposed algorithms, and then present new procedures with much stronger approximation guarantees.
Speeding up Subgroup Cryptosystems
2003
Cited by 6 (0 self)
Abstract
Thesis submitted for the degree of Doctor at the Technische Universiteit Eindhoven, by authority of the Rector Magnificus, prof.dr. R.A. van Santen, to be defended in public before a committee appointed by the College voor Promoties on Wednesday 4 June 2003 at 16.00 by

