COM5336 Cryptography Lecture 14 XTR Cryptosystem - PowerPoint PPT Presentation

Presentation Transcript

  1. COM5336 Cryptography, Lecture 14: XTR Cryptosystem. Scott CH Huang. COM 5336 Cryptography Lecture 10

  2. XTR
     • XTR = ECSTR = Efficient Compact Subgroup Trace Representation.
     • Proposed by A. Lenstra & E. Verheul.
     • XTR uses an efficient and compact method to represent subgroup elements.
     • XTR removes the distinction between conjugates.
     • The security of XTR is based on the XTR-Discrete-Logarithm problem in the subgroup of GF(p^6) of order dividing p^2 - p + 1.

  3. Subgroups of GF(p^6)
     • p^6 - 1 = (p - 1)(p + 1)(p^2 + p + 1)(p^2 - p + 1)
     • Subgroup of order p - 1 can be embedded in GF(p)
     • Subgroup of order p + 1 can be embedded in GF(p^2)
     • Subgroup of order p^2 + p + 1 can be embedded in GF(p^3)
     • Subgroup of order Φ6(p) = p^2 - p + 1 cannot be embedded in GF(p^t) for t = 1, 2, 3
     • (Pohlig-Hellman) The order p^2 - p + 1 subgroup is as hard as GF(p^6); or, if the order p^2 - p + 1 subgroup is easier than GF(p^6), then GF(p^6) is at most as hard as GF(p^3) (and that is unlikely)

  4. Naïve XTR Basics
     • Let p, q be primes.
     • q | p^2 - p + 1
     • Pick an element g of GF(p^6) of order q.
     • Construct the cyclic subgroup <g> = {1, g, g^2, ..., g^(q-1)} ⊂ GF(p^6)*
     • Apply the GDLP to <g>.

  5. XTR Subgroup Element Representation
     • If , then it can be proved that
     • For all and its conjugates can be represented by
     • XTR does not distinguish between and its conjugates.
     • We do not wish to work in . We wish to work in only.

  6. XTR-Discrete-Logarithm Problem
     • XTR Setup
     • XTR-DLP: Given . Find
     • We do not need to find . We only need to find
     • We do not need to represent any elements in . We do not need to work in . We'll only work in .
     • We are interested in the following: Given . Compute . (Algorithm 2.37)

  7. The XTR Paper Organization
     • Efficient algebraic computation in GF(p^2) (§2.1)
     • Efficient computation of Tr(g^n) given Tr(g) (§2.2-§2.3)
     • Algorithm 2.37 (main algorithm)
     • Efficient computation of Tr(g^a · g^(bk)) given Tr(g) and a, b with unknown k (§2.4)
     • Algorithm 2.48 (main algorithm)

  8. Advantages of XTR
     • The security of the subgroup <g> is believed to be as hard as GF(p^6)*.
     • We normally need log p^6 = 6 log p bits to represent GF(p^6)*.
     • However, Tr(h) is in GF(p^2)*, so we only need log p^2 = 2 log p bits.
     • That's a 66% improvement compared to ordinary DLP-based schemes.
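As an added example (not the lecture's or the XTR paper's own code), the following Python carries out what slides 6 to 8 describe: from Tr(g) alone it computes Tr(g^n) with the GF(p^2) recurrences behind Algorithm 2.37, and it also performs the parameter generation that the summary slide calls trivial, finding Tr(g) for an element of order q. The toy parameters p = 11, q = 37 (111 = 3 · 37) are constructed for illustration, and the function names are this example's own.

```python
# Added example (not from the lecture): XTR arithmetic using traces only. GF(p^2), p = 2 (mod 3),
# is built as a + b*alpha with alpha^2 + alpha + 1 = 0; an element is stored as the pair (a, b).
def add(x, y, p):
    return ((x[0] + y[0]) % p, (x[1] + y[1]) % p)
def sub(x, y, p):
    return ((x[0] - y[0]) % p, (x[1] - y[1]) % p)

def mul(x, y, p):
    (a, b), (c, d) = x, y  # (a + b*alpha)(c + d*alpha) with alpha^2 = -alpha - 1
    return ((a * c - b * d) % p, (a * d + b * c - b * d) % p)

def frob(x, p):
    a, b = x  # x^p = a + b*alpha^p and alpha^p = alpha^2 = -alpha - 1, so p-th powers are free
    return ((a - b) % p, (-b) % p)

def double(x, p):
    return sub(mul(x, x, p), add(frob(x, p), frob(x, p), p), p)  # c_{2k} = c_k^2 - 2*c_k^p

def xtr_ladder(c, n, p):
    """From c = Tr(g) return (c_{n-1}, c_n, c_{n+1}), c_k = Tr(g^k) (Algorithm 2.37): one step
    per bit of n, using only the GF(p^2) recurrences for c_{2k-1}, c_{2k}, c_{2k+1}, c_{2k+2}."""
    assert n >= 1
    cp = frob(c, p)
    s = ((3, 0), c, double(c, p))  # S_1 = (c_0, c_1, c_2), with c_0 = Tr(1) = 3
    for bit in bin(n)[3:]:  # bits of n after the leading one
        cm, ck, cq = s  # c_{k-1}, c_k, c_{k+1}
        ckp = frob(ck, p)
        c2k_m = add(sub(mul(cm, ck, p), mul(cp, ckp, p), p), frob(cq, p), p)  # c_{2k-1}
        c2k_p = add(sub(mul(cq, ck, p), mul(c, ckp, p), p), frob(cm, p), p)  # c_{2k+1}
        s = (c2k_m, double(ck, p), c2k_p) if bit == "0" else (double(ck, p), c2k_p, double(cq, p))
    return s

def trace_pow(c, n, p):
    """Tr(g^n) from Tr(g) alone: the computation never leaves GF(p^2), let alone enters GF(p^6)."""
    return xtr_ladder(c, n, p)[1]

def xtr_generator_trace(p, q):
    """Parameter generation: scan c outside GF(p) until F(c, X) = X^3 - c*X^2 + c^p*X - 1 is
    irreducible over GF(p^2) (exactly when c_{p+1} is not in GF(p)); its roots then have order
    dividing p^2 - p + 1, so c_{(p^2-p+1)/q} = Tr(g) for some g of order q unless it is 3 = Tr(1)."""
    assert p % 3 == 2 and (p * p - p + 1) % q == 0
    for a in range(p):
        for b in range(1, p):
            c = (a, b)
            if trace_pow(c, p + 1, p)[1] == 0:  # c_{p+1} in GF(p): F(c, X) reducible, reject
                continue
            t = trace_pow(c, (p * p - p + 1) // q, p)
            if t != (3, 0):
                return t
```

With Tr(g) = xtr_generator_trace(11, 37), trace_pow(Tr(g), 37, 11) returns (3, 0) = Tr(g^37) = Tr(1), and trace_pow(Tr(g), 36, 11) returns frob(Tr(g), 11) = Tr(g^-1), both computed without ever constructing g itself.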

  9. XTR vs RSA

  10. XTR vs ECC over GF(p)

  11. XTR Summary
     • XTR is secure, efficient, compact, easy to implement, with trivial parameter generation
     • Disadvantages:
       • Do we really trust GF(p^6)?
       • Multiplication of Tr(g^m) and Tr(g^n) is non-trivial (but can usually be avoided)
       • p^6 grows as fast as RSA moduli (i.e., fast)
       • q grows as fast as ECC subgroups (i.e., slow)
       • log2(q) ≈ log2(p) ≈ 170 only for current security levels

  12. Conclusion
     • ECC and XTR are the most promising asymmetric cryptosystems nowadays.
     • Both cryptosystems are secure, efficient, and suitable for portable devices.
     • The lack of knowledge of their corresponding subgroups may contribute to their security.