Fast batch verification for modular exponentiation and digital signatures
Many tasks in cryptography (e.g., digital signature verification) call for verification of a basic operation like modular exponentiation in some group: given (g, x, y), check that g^x = y. This is typically done by re-computing g^x and checking that the result is y. We would like to do it differently, and faster.
The approach we use is batching. Focusing first on the basic modular exponentiation operation, we provide some probabilistic batch verifiers, or tests, that verify a sequence of modular exponentiations significantly faster than the naive re-computation method. This yields speedups for several verification tasks that involve modular exponentiations.
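As an added illustration (not code from the paper or its authors), the following implements the small exponents batch test for a sequence of claims g^x_i = y_i, with the random subset test as the l = 1 case; the safe-prime group parameters and the batch are constructed toy values, and the subgroup-membership check is the caveat a verifier must not skip, since the error bound only holds in a prime-order group.

```python
import secrets
from typing import Callable, List, Tuple

# Constructed toy parameters (an assumption, not from the paper): p = 2q + 1 is a
# safe prime and g = 4 generates the subgroup of prime order q in Z_p^*.
P, Q, G = 1019, 509, 4
Pair = Tuple[int, int]  # (x_i, y_i), claim: g^x_i == y_i (mod p)

def in_subgroup(y: int) -> bool:
    """The test is sound only for y_i inside the prime-order subgroup; elements of
    small order would let a wrong y_i pass far too often.  This check costs one
    exponentiation per y_i; real deployments make it cheap (e.g. a Legendre-symbol
    test in a safe-prime group) or have the protocol guarantee membership."""
    return 0 < y < P and pow(y, Q, P) == 1

def naive_verify(pairs: List[Pair]) -> bool:
    """Baseline: n full-size exponentiations, one per pair."""
    return all(in_subgroup(y) and pow(G, x, P) == y for x, y in pairs)

def small_exponents_test(pairs: List[Pair], l: int = 8,
                         randbits: Callable[[int], int] = secrets.randbits) -> bool:
    """Probabilistic batch verifier: one full-size exponentiation plus n
    exponentiations to random l-bit exponents (much cheaper when l << log2 q).

    Draws random l-bit s_i and checks g^(sum_i s_i x_i mod q) == prod_i y_i^s_i (mod p).
    If every y_i == g^x_i the check always passes.  If some y_i is wrong, the
    discrepancy h_i = y_i * g^-x_i has order q, and for any fixed choice of the
    other s_j exactly one s_i (mod q) repairs the equation, so with 2^l <= q the
    test accepts with probability at most 2^-l.  l = 1 is the random subset test
    (error at most 1/2); repeating with fresh s_i shrinks the error further.
    """
    if not all(in_subgroup(y) for _, y in pairs):
        return False
    s = [randbits(l) for _ in pairs]
    lhs_exp = sum(si * x for si, (x, _) in zip(s, pairs)) % Q
    rhs = 1
    for si, (_, y) in zip(s, pairs):
        rhs = rhs * pow(y, si, P) % P
    return pow(G, lhs_exp, P) == rhs

def sample_batch(n: int = 8) -> List[Pair]:
    """Constructed honest batch: random x_i with y_i = g^x_i."""
    xs = [secrets.randbelow(Q) for _ in range(n)]
    return [(x, pow(G, x, P)) for x in xs]
```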
Focusing specifically on digital signatures, we then suggest a weaker notion of (batch) verification which we call “screening.” It seems useful for many usages of signatures, and has the advantage that it can be done very fast; in particular, we show how to screen a sequence of RSA signatures at the cost of one RSA verification plus hashing.
Keywords: Signature Scheme, Random Oracle, Security Parameter, Modular Exponentiation, Signature Verification