The XTR cryptosystem ECC Brainpool Workshop „Alternative Public-Key-Kryptosysteme“ Bochum, 8.4.2002 Dr. Kim Nguyen BU ID

1. The XTR cryptosystem ECC Brainpool Workshop „Alternative Public-Key-Kryptosysteme“ Bochum, 8.4.2002 Dr. Kim Nguyen BU ID - Cryptology Competence Center Philips Semiconductors

2. What is XTR ? • XTR=ECSTR ! • ECSTR=Efficient and Compact Subgroup Trace Representation • Classification:XTR is a DL based cryptosystem working incyclic subgroups of composite fields GF(p6) • Relation to Digital Signature Algorithm (DSA):this works in cyclic subgroups of prime fields GF(p).

3. Subfields and Traces • Consider factorization p6-1=(p-1)(p+1)(p2+p+1)(p2-p+1). • Consider prime q dividing p2-p+1 and an element g of order q of GF(p6)*. • The cyclic subgroup C=<g> of GF(p6)* cannot be embedded into any subfield of GF(p6)*. • Consider field extensions GF(p6) - GF(p2) - GF(p). • Have Trace map Tr: GF(p6)  GF(p2), given by Tr(x)=x+xp^2+xp^4 • Have Tr(x) GF(p2) for x GF(p6).

4. Subfields and Traces:The XTR idea • Main idea:use Trace map in order to represent a special element g of GF(p6)* with 2log2(p) instead of 6log2(p) bitsby replacing g with Tr(g)  GF(p2) ! • Question:normally DL systems are based on exponentiation ggn,is it possible to replace this by Tr(g) Tr(gn) ? • Answer:XTR is based on the following observation:computation of Tr(gn) is possible given only Tr(g) and n.

5. Comparison between GF(p2) and GF(p6) • Assume p=2 mod 3. So GF(p2)/GF(p) has ONB. • Operations in GF(p2): • xpis free • x2 takes two multiplications in GF(p). • x*y takes three multiplications in GF(p). • Due to p=2 mod 3, GF(p6)/GF(p) has ONB. • Operations in GF(p6): (assuming 1Sq=0.8Mul) • x2 takes 14.4 multiplications in GF(p). • x*y takes 18 multiplications in GF(p). • xa takes around 23.4*log2(a) multiplications in GF(p). • xaxb takes around 27.9*log2(max(a,b)) multiplications in GF(p).

6. XTR computations • Consider the polynomial:F(c,x)=x3- cx2+cpx-1 for c  GF(p2). • For c=Tr(g) the rootsh0,h1,h2 of F(c,x) correspond to the conjugates of g over GF(p2). • Set cn=h0n+h1n+h2n. • Observation:we have cn=Tr(gn). • Set Sn(c)=(cn-1,cn,cn+1). • Main theorem: Given c, one can compute Sn(c) using 8log2(n) multiplications in GF(p).

7. XTR computations • Assume c=Tr(g). • Then Tr(gn) can be computed in 8log2(n mod q) multiplications in GF(p). • This compares to 23.4*log2(q) multiplications in GF(p) for the generic approach. • Trace approach gives speed up of factor three. • Have Tr(gn)  GF(p2) , whereas gn  GF(p6),so space requirements also go down by a factor of three.

8. Example for a crypto protocol:Key exchange using XTR • Public key data: p,q,Tr(g). • A chooses a at random and computesSa(Tr(g))=(Tr(ga-1),Tr(ga),Tr(ga+1)),then sends Tr(ga) to B. • B chooses b at random and computesSb(Tr(g))=(Tr(gb-1),Tr(gb),Tr(gb+1)),then sends Tr(gb) to B. • A computes Sa(Tr(gb))=(Tr(g(a-1)b),Tr(gab),Tr(g(a+1)b)). • B computes Sb(Tr(ga))=(Tr(g(b-1)a),Tr(gba),Tr(g(b+1)a)). • Common secret is Tr(gab).

9. Other cryptographic protocols • For signature schemes we need operations like gagbk. • There is also a XTR technique available whichcomputes Tr(gagbk) in about 16log2(q) multiplications in GF(p). • This compares to 27.9log2(q) multiplications in the generic GF(p6) situation, hence speedup is around 1.75.

10. Security of XTR • Obvious attacks on XTR could focus on • The DL problem in GF(p6)*. • The XTR subgroup <g> of order q. • To be secure against the first attack, p has to be chosen such that the size of p6 is >=1024 bits(Number Field Sieve). • To be secure against the second attack, q has to be chosen such that the size of q is >=170 bits (generic attacks).

11. Connection to elliptic curves • Crypto 2000 (Rump-Session):Menezes and Vanstone point out, that there is a mapE(GF(p2))  GF(p6)* induced by the Tate pairingfor E(GF(p2)) a certain supersingular curve of order p2-p+1. • Verheul (Eurocrypt 2001) argues:Such a curve E(GF(p2)) is cryptographically weaker than GF(p6)*. In E(GF(p2)) the DDHP problem can be solved effectively (also using the Tate pairing), while this does not seem to hold for GF(p6)*.

12. Choice of parameters • Finding p and q of bit size P and Q: • Find r such that q=r2-r+1 is prime and of size at least Q. • Find k such that p=r+kq is prime and of size at least P. • Finding the XTR subgroup: • ”Naive” approach: find element g of order q, compute Tr(g). • Sophisticated approach: note that the knowledge of g is not necessary !It suffices to know Tr(g). • Pick c GF(p2) until you find that F(c,x) is irreducible. • Pick a root of F(c,x) in order to obtain Tr(g) for some g of order q.

13. Performance comparison • Implementation on 450MHz Pentium II (Lenstra,Verheul). • Comparison 170 bit XTR 1020 bit RSA --------------------------------------------------------Encrypt/Verify 23 ms 5ms (32 bit e) Decrypt/Sign 11 ms 40ms CRT / 123ms • Comparison 170 bit XTR 170 bit ECC GF(p) --------------------------------------------------------Encrypt 23 ms 28 msDecrypt 11 ms 16 msSign 11 ms 14 msVerify 23 ms =< 21 ms

14. Conclusion Pro’s: • XTR is a very clever and efficient way of implementing DSA • Parameter and key generation is both easy and fast. Con’s: • Size of p6 scales subexponential due to GNFS. • Size of public key smaller than RSA, but bigger than for ECC.