## Fast batch verification for modular exponentiation and digital signatures (1998)

Citations: 137 (2 self)

### BibTeX

@INPROCEEDINGS{Bellare98fastbatch,
  author = {Mihir Bellare and Juan A. Garay and Tal Rabin},
  title = {Fast batch verification for modular exponentiation and digital signatures},
  booktitle = {},
  year = {1998},
  pages = {236--250},
  publisher = {Springer-Verlag}
}

### Abstract

Many tasks in cryptography (e.g., digital signature verification) call for verification of a basic operation like modular exponentiation in some group: given $(g, x, y)$, check that $g^x = y$. This is typically done by re-computing $g^x$ and checking we get $y$. We would like to do it differently, and faster. The approach we use is batching. Focusing first on the basic modular exponentiation operation, we provide some probabilistic batch verifiers, or tests, that verify a sequence of modular exponentiations significantly faster than the naive re-computation method. This yields speedups for several verification tasks that involve modular exponentiations.

### Citations

1384 | Random oracles are practical: A paradigm for designing efficient protocols - Bellare, Rogaway - 1993 |

Citation context: ...enough requirement to guarantee security of this scheme based on the one-wayness of RSA. To get a better security guarantee without sacrificing performance, [5] appeals to the random oracle paradigm [4] and considers a couple of schemes in this setting. The simplest is the Full Domain Hash (FDH-MA) scheme, which assumes H is a random oracle mapping $\{0,1\}^*$ to $Z_N^*$, and they show that FDH-RSA scheme is ...

735 | Proof Verification and the Hardness of Approximation Problems - Arora, Lund, et al. - 1998 |

350 | Self-testing/correcting with applications to numerical problems - BLUM, LUBY, et al. - 1990 |

338 | The exact security of digital signatures - how to sign with RSA and Rabin - Bellare, Rogaway - 1996 |

Citation context: ...e is to let $\mathrm{Sign}_{N,d}(M) = H(M)^d \bmod N$ for some hash function $H$. A pair $(M, x)$ is verified by checking that $x^e = H(M) \bmod N$. This was named the "hash-then-decrypt" paradigm and studied recently in [7] who point out that collision-freeness of H is not a strong enough requirement to guarantee security of this scheme based on the one-wayness of RSA. To get a better security guarantee without sacrific...

336 | Robust characterizations of polynomials with applications to program testing - RUBINFELD, SUDAN - 1993 |

311 | Designing Programs that Check Their Work - Blum, Kannan - 1995 |

Citation context: ...Our approach, called batch program instance checking, permits fast checking, and also permits instance checking, not just program checking, in the sense that (in contrast to standard program checking [11]), a correct result is not rejected just because the program might be wrong on some other instance. We can do batch program instance checking for any function f whose corresponding graph (the relation...

110 | Error correction of algebraic block codes - Berlekamp, Welch |

99 | Checking the correctness of memories - Blum, Evans, et al. - 1994 |

96 | A secure audio teleconference system - Steer, Strawczynski, et al. - 1990 |

86 | More Flexible Exponentiation with Precomputation - Lim, Lee - 1994 |

Citation context: ...s. Following a brief discussion of previous work, we will look at all the above in more detail. Previous work. The modular exponentiation operation itself can be made more efficient via preprocessing [14, 23] or addition chain heuristics [13, 32, 27]. What we are saying is that performing modular exponentiation is only one way to perform verification, and if the interest is verification, one can do better...

81 | Self-testing/correcting for polynomials and for approximate functions - GEMMELL, LIPTON, et al. - 1991 |

69 | Fast Exponentiation with Precomputation - Brickell, Gordon, et al. - 1993 |

Citation context: ...s. Following a brief discussion of previous work, we will look at all the above in more detail. Previous work. The modular exponentiation operation itself can be made more efficient via preprocessing [14, 23] or addition chain heuristics [13, 32, 27]. What we are saying is that performing modular exponentiation is only one way to perform verification, and if the interest is verification, one can do better...

56 | de Graaf. An Improved Protocol for Demonstrating Possession of Discrete Logarithms and Some Generalizations - Chaum, Evertse, et al. - 1988 |

45 | Addition chain heuristics - Bos, Coster - 1989 |

Citation context: ...vious work, we will look at all the above in more detail. Previous work. The modular exponentiation operation itself can be made more efficient via preprocessing [14, 23] or addition chain heuristics [13, 32, 27]. What we are saying is that performing modular exponentiation is only one way to perform verification, and if the interest is verification, one can do better than any of these ways. In particular, ou...

34 | A modi of the Fiat-Shamir scheme - Ohta, Okamoto |

29 | Efficient exponentiation using precomputation and vector addition chains - Rooij |

Citation context: ...vious work, we will look at all the above in more detail. Previous work. The modular exponentiation operation itself can be made more efficient via preprocessing [14, 23] or addition chain heuristics [13, 32, 27]. What we are saying is that performing modular exponentiation is only one way to perform verification, and if the interest is verification, one can do better than any of these ways. In particular, ou...

20 | Batch Exponentiation - A Fast DLP based Signature Generation Strategy - M'Raïhi, Naccache - 1996 |

Citation context: ...r exponentiation methods only make our batch verifiers even faster, because we use these methods as subroutines. The idea of batching in cryptography is of course not new: some previous instances are [11, 15, 6, 14]. However, there seems to have been no previous systematic look at the general problem of batch verification for modular exponentiation, and our first set of results indicates that by putting oneself ...

20 | Improved Digital Signature suitable for Batch Verification - Yen, Laih - 1995 |

Citation context: ...r exponentiation methods only make our batch verifiers even faster, because we use these methods as subroutines. The idea of batching in cryptography is of course not new: some previous instances are [18, 25, 8, 24, 34]. However, there seems to have been no previous systematic look at the general problem of batch verification for modular exponentiation, and our first set of results indicates that by putting oneself ...

15 | Error correction for algebraic block codes,” U.S. patent no - Welch, Berlekamp |

13 | Batch Verification with Applications to Cryptography and Checking - Bellare, Garay, et al. - 1998 |

Citation context: ...of generating shared distributed coins. An extended abstract of this paper appeared as [4]. An invited talk on batch verification including the material presented in this paper was given at LATIN '98 [5]. 2 Definitions. Here we provide formal definitions of the main new notions underlying this work, extending the discussion in Section 1. 2.1 Batch verification. Let $R(\cdot)$ be a boolean relation, meaning R...

13 | Approximate checking of polynomials and functional equations, in - Ergün, Kumar, et al. - 1996 |

9 | Batch Diffie-Hellman key agreement systems and their application to portable communications - Beller, Yacobi - 1992 |

Citation context: ...r exponentiation methods only make our batch verifiers even faster, because we use these methods as subroutines. The idea of batching in cryptography is of course not new: some previous instances are [18, 25, 8, 24, 34]. However, there seems to have been no previous systematic look at the general problem of batch verification for modular exponentiation, and our first set of results indicates that by putting oneself ...

9 | Batch checking with applications to linear functions - Rubinfeld - 1992 |

Citation context: ...iers, so that the main technical problem is the construction of batch verifiers. See [2] for more information including explanations of how this differs from other notions like batch program checking [17]. The idea of batch verification introduced here was applied in [1] in the domain of fault-tolerant distributed computing. They design a batch verifiable secret sharing protocol and use it to construc...

7 | Resource requirements for the application of addition chains in modulo exponentiation - Sauerbrey, Dietel - 1992 |

Citation context: ...vious work, we will look at all the above in more detail. Previous work. The modular exponentiation operation itself can be made more efficient via preprocessing [14, 23] or addition chain heuristics [13, 32, 27]. What we are saying is that performing modular exponentiation is only one way to perform verification, and if the interest is verification, one can do better than any of these ways. In particular, ou...

5 | be improved ? Complexity tradeoffs with the digital signature standard - M’raïhi, Naccache, et al. - 1995 |

Citation context: ...r exponentiation methods only make our batch verifiers even faster, because we use these methods as subroutines. The idea of batching in cryptography is of course not new: some previous instances are [11, 15, 6, 14]. However, there seems to have been no previous systematic look at the general problem of batch verification for modular exponentiation, and our first set of results indicates that by putting oneself ...

4 | Fast Checkers for Cryptography - Kompella, Adleman - 1990 |

Citation context: ... we will use as a subroutine. Suppose $a_1, \ldots, a_n \in G$. Suppose $b_1, \ldots, b_n$ are integers in the range $0, \ldots, 2^t - 1 < |G|$. We write them all as strings of length $t$, so that $b_i = b_i[t] \ldots b_i[1]$. The problem is to compute the product $a = \prod_{i=1}^{n} a_i^{b_i}$, the operations being in $G$. The naive way to do this is to compute $c_i = a_i^{b_i}$ for $i = 1, \ldots, n$ and then compute $a = \prod_{i=1}^{n} c_i$. This takes ExpC...

4 | Distributed pseudo-random bit generators - a new way to speed-up shared coin tossing - Bellare, Garay, et al. - 1996 |

Citation context: .... In Appendix B we provide batch verification algorithms for degrees of polynomials, which has applications in verifiable secret sharing. The idea of batch verification introduced here was applied in [3] in the domain of fault-tolerant distributed computing. They design a batch verifiable secret sharing protocol and use it to construct "distributed pseudo-random bit generators," which are efficient w...

4 | Secure Audio Teleconference - Brickell, Lee, et al. - 1988 |

2 | Proof Verification and Hardness of Approximation Problems - Arora, Lund, et al. - 1992 |

2 | Secure Audio Teleconference: A Practical Solution - Heiman - 1992 |

2 | Designing Checkers for Programs that Run - Rubinfeld - 1996 |

1 | Can D.S.A be improved? Complexity trade-offs with the digital signature standard - Naccache, M'Raihi, et al. - 1994 |

Citation context: ...r exponentiation methods only make our batch verifiers even faster, because we use these methods as subroutines. The idea of batching in cryptography is of course not new: some previous instances are [18, 25, 8, 24, 34]. However, there seems to have been no previous systematic look at the general problem of batch verification for modular exponentiation, and our first set of results indicates that by putting oneself ...

1 | Checking with applications to linear functions. Information Processing Letters, 42:77-80 - Batch - 1992 |

Citation context: ...so that the main technical problem is the construction of batch verifiers. See Section C for more information including explanations of how this differs from other notions like batch program checking [28]. In Appendix B we provide batch verification algorithms for degrees of polynomials, which has applications in verifiable secret sharing. The idea of batch verification introduced here was applied in ...

1 | Fast batch verification for modular exponentiation and digital signatures. Full version of this paper, available via http://www-cse.ucsd.edu/users/mihir - Bellare, Garay, et al. - 1998 |

Citation context: ...iable secret sharing and other robust distributed tasks. These, together with some applications of the results here, and all proofs, are omitted from this abstract, and can be found in our full paper [2] which is available on the web. Following a brief discussion of previous work, we will look at all the above in more detail. PREVIOUS WORK. The modular exponentiation operation itself can be made more...

1 | Diffie-Hellman key agreement systems and their application to portable communications - Batch - 1992 |

Citation context: ...r exponentiation methods only make our batch verifiers even faster, because we use these methods as subroutines. The idea of batching in cryptography is of course not new: some previous instances are [11, 15, 6, 14]. However, there seems to have been no previous systematic look at the general problem of batch verification for modular exponentiation, and our first set of results indicates that by putting oneself ...