## DOUBLE-EXPONENTIATION IN FACTOR-4 GROUPS AND ITS APPLICATIONS


### BibTeX

```bibtex
@MISC{Karabina_double-exponentiationin,
  author = {Koray Karabina},
  title  = {DOUBLE-EXPONENTIATION IN FACTOR-4 GROUPS AND ITS APPLICATIONS},
  year   = {}
}
```


### Abstract

In previous work we showed how to compress certain prime-order subgroups of the cyclotomic subgroups of orders $2^{2m}+1$ of the multiplicative groups $\mathbb{F}_{2^{4m}}^*$ by a factor of 4. We also showed that single-exponentiation can be efficiently performed using compressed representations. In this paper we show that double-exponentiation can be efficiently performed using the factor-4 compressed representation of elements. In addition to giving a considerable speed-up over the previously known fastest single-exponentiation algorithm for general bases, double-exponentiation can be used to adapt our compression technique to ElGamal-type signature schemes.

### Citations

- Diffie, Hellman. New directions in cryptography.
  Context: ...ntiation algorithm for general bases, double-exponentiation can be used to adapt our compression technique to ElGamal type signature schemes. 1. Introduction. The Diffie-Hellman key agreement protocol [3] can be used by two parties A and B to establish a shared secret by communicating over an unsecured channel. Let $G = \langle g \rangle$ be a prime-order subgroup of the multiplicative group $\mathbb{F}_q^*$ of a finite field F...

- Menezes, Oorschot, et al. Handbook of Applied Cryptography (1996).
  Context: ...integer and $a, b$ are half the bitlength of $\tau$. Then $g^k$ can be precomputed and, given $\tau$, one can compute $g^\tau = (g^k)^a \cdot g^b$ using simultaneous exponentiation (Straus-Shamir's trick; see Algorithm 14.88 in [14]) much more efficiently than direct exponentiation by $\tau$. As mentioned in the previous paragraph, it is not clear if one can favourably exploit this idea when the trace representation of elements is us...

- Koblitz, Menezes, et al. The state of elliptic curve cryptography.

- Pollard. Monte Carlo methods for index computation (mod p) (1978).
  Context: ... $a$ from $g^a$; this is called the discrete logarithm problem in $G$. If $q$ is prime (say $q = p$), then the fastest algorithms known for solving the discrete logarithm problem in $G$ are Pollard's rho method [17] and the number field sieve [9]. To achieve a 128-bit security level against these attacks, one needs to select $\#G \approx 2^{256}$ and $p \approx 2^{3072}$ [6, Section 4.2]. Note that even though the order of $G$ is appr...

- Coppersmith. Fast evaluation of logarithms in fields of characteristic two (1984).
  Context: ...72 bits in length. If $q$ is a power of 2 or 3, then one needs to select $\#G \approx 2^{256}$ and $q \approx 2^{4800}$ to achieve a 128-bit security level against Pollard's rho method and Coppersmith's index-calculus attack [2, 12]. This brings an overhead both to the efficiency of the protocol and to the number of bits that need to be stored or transmitted. In recent years, there have been several proposals for compressing the...

- Nyberg. Message recovery for signature schemes based on the discrete logarithm problem (1994).
  Context: ... performed using the compressed representation of elements. As a second application, we give details on deploying factor-4 compressed representation of elements in the Nyberg-Rueppel signature scheme [16]; our method also reduces the size of public keys. The remainder of the paper is organized as follows. Section 2 introduces some terminology and sets the notation that we will use throughout the paper...

- Lenstra, Verheul. The XTR public key system (2000).
  Context: ...protocol and to the number of bits that need to be stored or transmitted. In recent years, there have been several proposals for compressing the elements of certain subgroups of certain finite fields [21, 8, 1, 13, 18, 5, 4, 20, 11]. The compression methods in these works fall into two categories. They either use a rational parametrization of an algebraic torus [18, 5, 4], or use the trace representation of elements [21, 8, 1, 1...

- Scott. Authenticated id-based key exchange and remote log-in with insecure token and pin number.
  Context: ...ng derived from an embedding degree $k = 4$ supersingular elliptic curve defined over a characteristic two field. If this pairing is used to implement the identity-based key agreement protocol of Scott [19], then the messages exchanged can be compressed by a factor of 4; moreover, the single-exponentiation in the protocol can be performed using the compressed representation of elements. As a second appl...

- Lenstra. Unbelievable security. Matching AES security using public key systems (2001).

- Smith, Skinner. A public-key cryptosystem and a digital signature system based on the Lucas function analogue to discrete logarithms (2004).
  Context: cited in the same passage as the entry for The XTR public key system above.

- Gong, Harn. Public-key cryptosystems based on cubic finite field extensions (1999).
  Context: cited in the same passage as the entry for The XTR public key system above.

- Brouwer, Pellikaan, et al. Doing more with fewer bits (1999).

- Gordon. Discrete logarithms in GF(p) using the number field sieve (1993).
  Context: ... discrete logarithm problem in $G$. If $q$ is prime (say $q = p$), then the fastest algorithms known for solving the discrete logarithm problem in $G$ are Pollard's rho method [17] and the number field sieve [9]. To achieve a 128-bit security level against these attacks, one needs to select $\#G \approx 2^{256}$ and $p \approx 2^{3072}$ [6, Section 4.2]. Note that even though the order of $G$ is approximately $2^{256}$, the natural r...

- Montgomery. Evaluating recurrences of form $x_{m+n} = f(x_m, x_n, x_{m-n})$ via Lucas chains (1992).
  Context: ... A double-exponentiation algorithm was presented by Stam and Lenstra [22] for second-degree and third-degree recursive sequences. Their algorithm is an adaptation of Montgomery's method [15] to compute second-degree recursive sequences. In this section, we adapt the techniques used in [22, 15] and present a double-exponentiation algorithm for fourth-degree recursive sequences. Algorithm ...

- Dijk, Woodruff. Asymptotically optimal communication for torus-based cryptography.

- Dijk, Granger, et al. Practical cryptography in high dimensional tori.

- Giuliani, Gong. New LFSR-based cryptosystems and the trace discrete log problem (TraceDLP) (2005).
  Context: ...ad specify one bit to help Bob distinguish $c_{k+1}$ from the other root of $P_k$. Consider the matrix $M_u$ [entries drawn from $c_u, \dots, c_{u+6}$; the matrix layout is not recoverable from the extracted text]. Giuliani and Gong [7] showed that the characteristic polynomial of the matrix $M_u^{-1} \cdot M_{u+k}$ is equal to the characteristic polynomial of $g^k$ over $\mathbb{F}_q$, namely $f_{g^k}(x) = x^4 + c_k x^3 + c_k^t x^2 + 1$. In particular, using Lemma 3.2(i)...

- Karabina. Factor-4 and 6 compression of cyclotomic subgroups of $\mathbb{F}_{2^{4m}}^*$ and $\mathbb{F}_{3^{6m}}^*$.

- Rubin, Silverberg. Compression in finite fields and torus-based cryptography.

- Shirase, Han, et al. A more compact representation of XTR cryptosystem.

- Stam, Lenstra. Speeding up.
  Context: ...ly than direct exponentiation by $\tau$. As mentioned in the previous paragraph, it is not clear if one can favourably exploit this idea when the trace representation of elements is used. Lenstra and Stam [22] show that in the case of factor-2 and factor-3 compression in large-prime characteristic fields one can perform double-exponentiation very efficiently and they discuss some related applications such a...