### Abstract

We propose a new method to speed up discrete logarithm (DL)-based cryptosystems by considering a new variant of the DL problem, where the exponents are formed as e1 + αe2 for some fixed α and two integers e1,e2 with a low weight representation. We call this class of exponents split exponents, and we show that with certain choice of parameters the DL problem on split exponents is essentially as secure as the standard DL problem, while the exponentiation operation using exponents of this class is significantly faster than best exponentiation algorithms given for standard exponents. For example, the speed of scalar multiplication on the standard Koblitz curve K163 is estimated to be accelerated by up to 51.5% and 23.5% at the cost of memory for one precomputed point, compared to the TNAF and window TNAF methods, respectively. As for security, we show that the provable security of the DL problem using split exponents is only by a small constant, e.g., 1/4, worse than the security of the standard DL problem. Split exponents can be adopted to speed up various DL-based cryptosystems. We exemplify this on the recent CCA-secure public key encryption of Bellare, Kohno, and Shoup.

Original language | English |
---|---|

Article number | 5714254 |

Pages (from-to) | 1816-1826 |

Number of pages | 11 |

Journal | IEEE Transactions on Information Theory |

Volume | 57 |

Issue number | 3 |

DOIs | |

Publication status | Published - 2011 Mar 1 |

### Fingerprint

### All Science Journal Classification (ASJC) codes

- Information Systems
- Computer Science Applications
- Library and Information Sciences

### Cite this

*IEEE Transactions on Information Theory*,

*57*(3), 1816-1826. [5714254]. https://doi.org/10.1109/TIT.2010.2059831

}

*IEEE Transactions on Information Theory*, vol. 57, no. 3, 5714254, pp. 1816-1826. https://doi.org/10.1109/TIT.2010.2059831

**Fast exponentiation using split exponents.** / Cheon, Jung Hee; Jarecki, Stanislaw; Kwon, Taekyoung; Lee, Mun Kyu.

Research output: Contribution to journal › Article

TY - JOUR

T1 - Fast exponentiation using split exponents

AU - Cheon, Jung Hee

AU - Jarecki, Stanislaw

AU - Kwon, Taekyoung

AU - Lee, Mun Kyu

PY - 2011/3/1

Y1 - 2011/3/1

N2 - We propose a new method to speed up discrete logarithm (DL)-based cryptosystems by considering a new variant of the DL problem, where the exponents are formed as e1 + αe2 for some fixed α and two integers e1,e2 with a low weight representation. We call this class of exponents split exponents, and we show that with certain choice of parameters the DL problem on split exponents is essentially as secure as the standard DL problem, while the exponentiation operation using exponents of this class is significantly faster than best exponentiation algorithms given for standard exponents. For example, the speed of scalar multiplication on the standard Koblitz curve K163 is estimated to be accelerated by up to 51.5% and 23.5% at the cost of memory for one precomputed point, compared to the TNAF and window TNAF methods, respectively. As for security, we show that the provable security of the DL problem using split exponents is only by a small constant, e.g., 1/4, worse than the security of the standard DL problem. Split exponents can be adopted to speed up various DL-based cryptosystems. We exemplify this on the recent CCA-secure public key encryption of Bellare, Kohno, and Shoup.

AB - We propose a new method to speed up discrete logarithm (DL)-based cryptosystems by considering a new variant of the DL problem, where the exponents are formed as e1 + αe2 for some fixed α and two integers e1,e2 with a low weight representation. We call this class of exponents split exponents, and we show that with certain choice of parameters the DL problem on split exponents is essentially as secure as the standard DL problem, while the exponentiation operation using exponents of this class is significantly faster than best exponentiation algorithms given for standard exponents. For example, the speed of scalar multiplication on the standard Koblitz curve K163 is estimated to be accelerated by up to 51.5% and 23.5% at the cost of memory for one precomputed point, compared to the TNAF and window TNAF methods, respectively. As for security, we show that the provable security of the DL problem using split exponents is only by a small constant, e.g., 1/4, worse than the security of the standard DL problem. Split exponents can be adopted to speed up various DL-based cryptosystems. We exemplify this on the recent CCA-secure public key encryption of Bellare, Kohno, and Shoup.

UR - http://www.scopus.com/inward/record.url?scp=79951905815&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=79951905815&partnerID=8YFLogxK

U2 - 10.1109/TIT.2010.2059831

DO - 10.1109/TIT.2010.2059831

M3 - Article

VL - 57

SP - 1816

EP - 1826

JO - IEEE Transactions on Information Theory

JF - IEEE Transactions on Information Theory

SN - 0018-9448

IS - 3

M1 - 5714254

ER -