Handbook of Applied Cryptography
Handbook of Applied Cryptography
Some baby-step giant-step algorithms for the low hamming weight discrete logarithm problem
Mathematics of Computation
Random small hamming weight products with applications to cryptography
Discrete Applied Mathematics - Special issue on the 2000 com2MaC workshop on cryptography
Analysis of Low Hamming Weight Products
Discrete Applied Mathematics
Lower bounds for discrete logarithms and related problems
EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
EUROCRYPT'91 Proceedings of the 10th annual international conference on Theory and application of cryptographic techniques
A note on discrete logarithms with special structure
EUROCRYPT'92 Proceedings of the 11th annual international conference on Theory and application of cryptographic techniques
Practical threshold signatures
EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
PKC'08 Proceedings of the Practice and theory in public key cryptography, 11th international conference on Public key cryptography
Hard instances of the constrained discrete logarithm problem
ANTS'06 Proceedings of the 7th international conference on Algorithmic Number Theory
A new baby-step giant-step algorithm and some applications to cryptanalysis
CHES'05 Proceedings of the 7th international conference on Cryptographic hardware and embedded systems
Hi-index | 754.84 |
Hoffstein and Silverman suggested the use of low Hamming weight product (LHWP) exponents to accelerate group exponentiation while maintaining the security level. With LHWP exponents, the computation costs on GF(2n) or Koblitz elliptic curves can be reduced significantly, where the cost of squaring and elliptic curve doubling is much lower than that of multiplication and elliptic curve addition, respectively. In this paper, we present a parameterized splitting system with an additional property, which is a refinement version of the system introduced in PKC'08. We show that it yields an algorithm for the discrete logarithm problem (DLP) with LHWP exponents with lower complexity than that of any previously known algorithms. To demonstrate its application, we attack the GPS identification scheme modified by Coron, Lefranc, and Poupard in CHES'05 and the DLP with Hoffstein and Silverman's (2,2,11)-exponent. The time complexity of our key recovery attack against the GPS scheme is 261,82, which was expected to be 278. Hoffstein and Silverman's (2,2,11)-exponent can be recovered with a time complexity of 253.02, which is the lowest among the known attacks.