Create Presentation
Download Presentation

Download Presentation

COM5336 Cryptography Lecture 14 XTR Cryptosystem

Download Presentation
## COM5336 Cryptography Lecture 14 XTR Cryptosystem

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**COM5336 CryptographyLecture 14XTR Cryptosystem**Scott CH Huang COM 5336 Cryptography Lecture 10**XTR**• XTR = ECSTR= Efficient Compact Subgroup Trace Representation. • Proposed by A Lenstra & E Verheul. • XTR uses an efficient and compact method to represent subgroup elements • XTR removes the distinction between conjugates • The security of XTR is based on the XTR-Discrete-Logarithm problem in the subgroup of GF(p6) of order dividing p2 p + 1. COM 5336**Subgroups of GF(p6)**• p6 1 = (p 1)(p + 1)(p2 + p + 1)(p2 p + 1) • Subgroup of order p 1 can be embedded in GF(p) • Subgroup of order p + 1 can be embedded in GF(p2) • Subgroup of order p2 + p + 1 can be embedded in GF(p3) • Subgroup of order 6(p) = p2 p + 1 cannot be embedded in GF(pt)for t = 1, 2, 3 • (Pohlig-Hellman)order p2 p + 1 subgroup is as hard as GF(p6), or if order p2 p + 1 subgroup is easier than GF(p6) then GF(p6) is at most as hard as GF(p3) (and that is unlikely) COM 5336**Naïve XTR Basics**• Let p,q be primes. • q | p2 p + 1 • Pick an element g of GF(p6) of order q. • Construct the cyclic subgroup <g>={1,g,g2,...gq-1} GF(p6)* • Apply the GDLP to <g>. COM 5336**XTR Subgroup Element Representation**• If , then it can be proved that • For all and its conjugates can be represented by • XTR does not distinguish between and its conjugates. • We do not wish to work in . We wish to work in only. COM 5336**XTR-Discrete-Logarithm Problem**• XTR Setup • XTR-DLP: Given . Find • We do not need to find . We only need to find • We do not need to represent any elements in . We do not need to work in . We’ll only work in . • We are interested in the following Given . Compute . (Algorithm 2.37) COM 5336**The XTR Paper Organization**• Efficient algebraic computation in GF(p2) (§ 2.1) • Efficient computation of Tr(gn) given Tr(g) (§2.2-§2.3) • Algorithm 2.37 (main algorithm) • Efficient computation of Tr(ga．gbk) given Tr(g) and a,b with unknown k. (§2.4) • Algorithm 2.48 (main algorithm) COM 5336**Advantages of XTR**• The security of the subgroup <g> is believed to be as hard as GF(p6)*. • We normally need log p6 = 6 log p bits to represent GF(p6)*. • However, Tr(h) is in GF(p2)*, so we only need log p2 = 2 log p bits. • That's a 66% improvement compared to ordinary DLP-based schemes. COM 5336**XTR vs RSA**COM 5336**XTR vs ECC over GF(p)**COM 5336**XTR Summary**• XTR is secure, efficient, compact, easy to implement, with trivial parameter generation • Disadvantages: • Do we really trust GF(p6)? • Multiplication of Tr(gm) and Tr(gn) is non-trivial (but can usually be avoided) • p6 grows as fast as RSA moduli (i.e., fast) • q grows as fast as ECC subgroups (i.e., slow) • log2(q) log2(p) 170 only for current security levels COM 5336**Conclusion**• ECC and XTR are both the most promising asymmetric cryptosystems nowadays. • Both cryptosystems are secure, efficient, and suitable for portable devices. • The lack of knowledge of their corresponding subgroups may contribute to their security. COM 5336