Scott CH Huang COM5336 Cryptography Lecture 14 XTR Cryptosystem Scott CH Huang COM 5336 Cryptography Lecture 10

Scott CH Huang COM 5336 XTR XTR = ECSTR= Efficient Compact Subgroup Trace Representation. Proposed by A Lenstra & E Verheul. XTR uses an efficient and compact method to represent subgroup elements XTR removes the distinction between conjugates The security of XTR is based on the XTR-Discrete-Logarithm problem in the subgroup of GF(p 6 )  of order dividing p 2  p + 1.

Scott CH Huang COM 5336 Subgroups of GF(p 6 )  p 6  1 = (p  1)(p + 1)(p 2 + p + 1)(p 2  p + 1) Subgroup of order p  1 can be embedded in GF(p)  Subgroup of order p + 1 can be embedded in GF(p 2 )  Subgroup of order p 2 + p + 1 can be embedded in GF(p 3 )  Subgroup of order  6 (p) = p 2  p + 1 cannot be embedded in GF(p t )  for t = 1, 2, 3  (Pohlig-Hellman) order p 2  p + 1 subgroup is as hard as GF(p 6 ) , or if order p 2  p + 1 subgroup is easier than GF(p 6 )  then GF(p 6 )  is at most as hard as GF(p 3 )  (and that is unlikely)

Scott CH Huang COM 5336 Naïve XTR Basics Let p,q be primes. q | p 2  p + 1 Pick an element g of GF(p 6 ) of order q. Construct the cyclic subgroup ={1,g,g 2,...g q-1 }  GF(p 6 )* Apply the GDLP to.

Scott CH Huang COM 5336 XTR Subgroup Element Representation If, then it can be proved that For all and its conjugates can be represented by XTR does not distinguish between and its conjugates. We do not wish to work in. We wish to work in only.

Scott CH Huang COM 5336 XTR-Discrete-Logarithm Problem XTR Setup XTR-DLP: Given. Find We do not need to find. We only need to find We do not need to represent any elements in. We do not need to work in. We’ll only work in. We are interested in the following Given. Compute. (Algorithm 2.37)

Scott CH Huang COM 5336 The XTR Paper Organization Efficient algebraic computation in GF(p 2 ) (§ 2.1) Efficient computation of Tr(g n ) given Tr(g) (§2.2-§2.3) – Algorithm 2.37 (main algorithm) Efficient computation of Tr(g a ． g bk ) given Tr(g) and a,b with unknown k. (§2.4) – Algorithm 2.48 (main algorithm)

Scott CH Huang COM 5336 Advantages of XTR The security of the subgroup is believed to be as hard as GF(p 6 )*. We normally need log p 6 = 6 log p bits to represent GF(p 6 )*. However, Tr(h) is in GF(p 2 )*, so we only need log p 2 = 2 log p bits. That's a 66% improvement compared to ordinary DLP-based schemes.

Scott CH Huang COM 5336 XTR vs RSA 170-bit XTR1020-bit RSA Parameter/Key selection73 ms1224 ms Encrypting/Verifying23 ms5 ms (32-bit e) Decrypting/Signing11 ms40 ms (no CRT: 123 ms) Public Key size680 bits1050 bits ID-based Public Key size388 bits510 bits

Scott CH Huang COM 5336 XTR vs ECC over GF(p) 170-bit XTR170-bit ECC Parameter/Key selection73 mshours? Encrypting23 ms (2720)28 ms (3400) Decrypting11 ms (1360)16 ms (1921) Signing11 ms (1360)14 ms (1700) Verifying23 ms (2754)  21 ms (2575) Public Key size680 bits766 bits ID-based Public Key size388 bits304 bits Shared Public Key size340 bits171 bits

Scott CH Huang COM 5336 XTR Summary XTR is secure, efficient, compact, easy to implement, with trivial parameter generation Disadvantages: Do we really trust GF(p 6 )? Multiplication of Tr(g m ) and Tr(g n ) is non-trivial (but can usually be avoided) p 6 grows as fast as RSA moduli (i.e., fast) q grows as fast as ECC subgroups (i.e., slow) log 2 (q)  log 2 (p)  170 only for current security levels

Scott CH Huang COM 5336 Conclusion ECC and XTR are both the most promising asymmetric cryptosystems nowadays. Both cryptosystems are secure, efficient, and suitable for portable devices. The lack of knowledge of their corresponding subgroups may contribute to their security.