Fast Variants of RSA
CryptoBytes, 2002
Cited by 13 (1 self)
We survey four variants of RSA designed to speed up RSA decryption and signing. We only consider variants that are backwards compatible in the sense that a system using one of these variants can interoperate with systems using standard RSA.
Architectural implications of quantum computing technologies
ACM Journal on Emerging Technologies in Computing Systems (JETC), 2006
Cited by 13 (4 self)
In this article we present a classification scheme for quantum computing technologies that is based on the characteristics most relevant to computer systems architecture. The engineering trade-offs of execution speed, decoherence of the quantum states, and size of systems are described. Concurrency, storage capacity, and interconnection network topology influence algorithmic efficiency, while quantum error correction and necessary quantum state measurement are the ultimate drivers of logical clock speed. We discuss several proposed technologies. Finally, we use our taxonomy to explore architectural implications for common arithmetic circuits, examine the implementation of quantum error correction, and discuss cluster-state quantum computation.
Strategies in Filtering in the Number Field Sieve
In preparation, 2000
Cited by 11 (2 self)
A critical step when factoring large integers by the Number Field Sieve [8] consists of finding dependencies in a huge sparse matrix over the field F2, using a Block Lanczos algorithm. Both size and weight (the number of non-zero elements) of the matrix critically affect the running time of Block Lanczos. In order to keep size and weight small the relations coming out of the siever do not flow directly into the matrix, but are filtered first in order to reduce the matrix size. This paper discusses several possible filter strategies and their use in the recent record factorizations of RSA-140, R211 and RSA-155.
2000 Mathematics Subject Classification: Primary 11Y05. Secondary 11A51.
1999 ACM Computing Classification System: F.2.1.
Keywords and Phrases: Number Field Sieve, factoring, filtering, Structured Gaussian elimination, Block Lanczos, RSA.
Note: Work carried out under project MAS2.2 "Computational number theory and data security". This report will appear in the proceed...
Fast computation of linear generators for matrix sequences and application to the block Wiedemann algorithm
Proc. ISSAC 2001
Cited by 10 (2 self)
In this paper we describe how the half-gcd algorithm can be adapted in order to speed up the sequential stage of Coppersmith's block Wiedemann algorithm for solving large sparse linear systems over any finite field. This very stage solves a sub-problem that can be seen as the computation of a linear generator for a matrix sequence. Our primary realm of interest is the field $\mathrm{GF}(q)$ for large prime power $q$. For the solution of an $N\times N$ system, the complexity of this sequential part drops from $O(N^2)$ to $O(\mathsf{M}(N)\log N)$ where $\mathsf{M}(d)$ is the cost for multiplying two polynomials of degree $d$. We discuss the implications of this improvement for the overall cost of the block Wiedemann algorithm and how its parameters should be chosen for best efficiency.
A kilobit special number field sieve factorization
In Advances in Cryptology – ASIACRYPT 2007, LNCS, 2007
Cited by 10 (5 self)
We describe how we reached a new factoring milestone by completing the first special number field sieve factorization of a number having more than 1024 bits, namely the Mersenne number 2^1039 − 1. Although this factorization is orders of magnitude ‘easier’ than a factorization of a 1024-bit RSA modulus is believed to be, the methods we used to obtain our result shed new light on the feasibility of the latter computation.
Factorization of a 768-bit RSA modulus
2010
Cited by 9 (3 self)
This paper reports on the factorization of the 768-bit number RSA-768 by the number field sieve factoring method and discusses some implications for RSA.
Quadratic orders for NESSIE - Overview and parameter sizes of three public key families
2000
Cited by 3 (2 self)
In the scope of the European project NESSIE there was issued a Call for Cryptographic Primitives [NESSIE] soliciting proposals for block ciphers, stream ciphers, hash functions, pseudo-random functions and public key primitives for digital signatures, encryption and identification. Since the security of all popular public key cryptosystems is based on unproven assumptions and therefore nobody can guarantee that schemes based on factoring or the computation of discrete logarithms in some group, like the multiplicative group of a finite field or the Jacobian of (hyper-) elliptic curves over finite fields, will stay secure forever, it is especially important to provide a variety of different primitives and groups which may be utilized if a popular class of cryptosystems gets broken. In this work we propose three different public key families based on the discrete logarithm problem in quadratic orders to be considered for NESSIE. The two families based on (maximal) real...
On the relations between noninteractive key distribution, identity-based encryption and trapdoor discrete log groups
Cryptology ePrint Archive, Report 2007/453, 2007
Cited by 3 (0 self)
This paper investigates the relationships between identity-based non-interactive key distribution (ID-NIKD) and identity-based encryption (IBE). It provides a new security model for ID-NIKD, and a generic construction that converts a secure ID-NIKD scheme into a secure IBE scheme. This conversion is used to explain the relationship between the ID-NIKD scheme of Sakai, Ohgishi and Kasahara and the IBE scheme of Boneh and Franklin. The paper then explores the construction of ID-NIKD and IBE schemes from general trapdoor discrete log groups. Two different concrete instantiations for such groups provide new, provably secure ID-NIKD and IBE schemes. These schemes are suited to applications in which the Trusted Authority is computationally well-resourced, but clients performing encryption/decryption are highly constrained.
Keywords: Identity-based encryption; identity-based non-interactive key distribution; trapdoor discrete logs.
About Generic Conversions from any Weakly Secure Encryption Scheme into a Chosen-Ciphertext Secure Scheme
In Proceedings of the Fourth Conference on Algebraic Geometry, Number Theory, Coding Theory and Cryptography, 2001
Cited by 1 (1 self)
Since the appearance of public-key cryptography in the seminal Diffie-Hellman paper, many schemes have been proposed, but many have been broken. Indeed, for many people, the simple fact that a cryptographic algorithm withstands cryptanalytic attacks for several years is considered as a kind of validation. But some schemes took a long time before being widely studied, and maybe thereafter being broken. A much more convincing line of research has tried to provide “provable” security for cryptographic protocols, in a complexity theory sense: if one can break the cryptographic protocol, one can efficiently solve the underlying problem. Unfortunately, very few practical schemes can be proven in this so-called “standard model” because such a security level rarely meets with efficiency. A convenient way to achieve some kind of validation of efficient schemes has been to identify some concrete cryptographic objects with ideal random ones: hash functions are considered as behaving like random functions, in the so-called “random oracle model”, and groups are used as black-box groups, in which one has to ask for additions to get new elements, in the so-called “generic model”. In this paper we present some generic designs for asymmetric encryption with provable security in the random oracle model.