Asymptotically Optimal Communication for Torus-Based Cryptography
David Woodruff, MIT
Joint work with Marten van Dijk, Philips/MIT
Contents
1. Background: XTR, torus-based crypto
2. Our Contributions
   1. Relax a problem concerning tori
   2. Solve the relaxation
3. Applications
   1. Generalized ElGamal Signatures
   2. Hybrid ElGamal Encryption
4. Conclusions
Diffie-Hellman Key Exchange
The two parties pick $a \in \mathbb{Z}_p$ and $b \in \mathbb{Z}_p$, exchange $g^a$ and $g^b$, and agree on the key $g^{ab}$.
$q = 2p + 1$; $g$ generates $G_p \subseteq GF(q)^*$, the cyclic group of order $p$.
ElGamal: work in the extension field $GF(q^d)^*$.
Schnorr: work in a small prime-order subgroup of $GF(q)^*$.
The XTR Public-Key System [BPV99]
Combine the ideas: use a prime-order subgroup $G$ of $GF(q^6)^*$ with $|G| = p \mid (q^2 - q + 1)$.
The field representation of elements of $G$ uses $6 \log q$ bits; [BPV99] give a more efficient representation of $G$ with $2 \log q$ bits per element.
Known attacks scale with the size of the minimal field containing $G$, and one can show this field is $GF(q^6)$.
So only 1/3 of the bits are exchanged, yet with the full security of $GF(q^6)^*$!
DL and CDH in the $p$-subgroup of $GF(q^6)^*$ are believed as hard as DL and CDH in the $p$-subgroup of $GF(P)$ for a prime $P \approx q^6$ [LV00].
XTR = this idea + efficient arithmetic.
Why does it work?
Background: the $n$-th cyclotomic polynomial is $\Phi_n(x) = \prod_{0 < k < n,\ \gcd(k, n) = 1} (x - e^{2\pi i k/n})$, with $\deg \Phi_n(x) = \varphi(n)$.
$|GF(q^n)^*| = q^n - 1 = \prod_{d \mid n} \Phi_d(q)$.
But $\Phi_6(q) = q^2 - q + 1$, as in [BPV99].
So $\Phi_6(q) \mid |GF(q^6)^*|$, and one can show $GF(q^6)$ is the smallest such field.
Recall: $|G| \mid (q^2 - q + 1)$.
The best attack is the number field sieve, which uses the field structure, so its running time is governed by the minimal field containing $G$.
Representation problem
Save even more? Use $G \subseteq GF(q^n)^*$ for $n > 6$ with $|G| = \Phi_n(q)$?
Savings: $\log |G| = \varphi(n) \log q$ bits vs. $n \log q$ bits. The ratio approaches $1 / \log \log n$ for $n$ a product of distinct primes.
But how to represent elements of $G$? Want $< n \log q$ bits, ideally $\varphi(n) \log q$ bits.
[BPV99] represent $G$, $|G| \mid \Phi_6(q)$, with $2 \log q$ bits.
[BHV02, RS03] show there is no straightforward way to extend [BPV99] to $n$ a product of $\ge 3$ distinct primes.
Torus-Based Cryptography
[RS03]: the group $T_n \subseteq GF(q^n)^*$ of order $\Phi_n(q)$ is just the set of $GF(q)$-points of an algebraic torus.
⇒ Extending [BPV99] = rational parameterization of the algebraic torus. This is only known how to do if $n$ is a product of $\le 2$ prime powers.
[RS03] give another cryptosystem for $n = 6$.
But we need $n$ a product of $\ge 3$ distinct primes for the savings $\varphi(n)/n$ to get better.
Our Relaxation
Relax the requirement of representing individual elements of $T_n$, and observe for some applications:
1. We don't need to rationally parameterize the torus
2. We get optimal communication for signatures and public-key encryption
3. We get asymptotically optimal communication for key exchange
It suffices to represent a sequence of $m$ elements of $T_n$ with $m \varphi(n) \log q + C$ bits, $C$ independent of $m$.
Assume $\Phi_n(q) = |T_n|$ is prime; otherwise let $G \subseteq T_n$ have large prime order.
Solving the Relaxed Problem
Let $n$ be the product of the first $k$ primes; the Möbius function gives $\mu(n) = (-1)^k$.
Construct efficiently computable bijections $\psi$, $\psi^{-1}$:
$\psi : T_n \times \prod_{d \mid n,\ \mu(n/d) = -1} GF(q^d)^* \to \prod_{d \mid n,\ \mu(n/d) = +1} GF(q^d)^*$
Developing the Bijections
$n = 2 \cdot 3 \cdot 5 = 30$:
$\psi : T_{30} \times GF(q)^* \times GF(q^6)^* \times GF(q^{10})^* \times GF(q^{15})^* \to GF(q^2)^* \times GF(q^3)^* \times GF(q^5)^* \times GF(q^{30})^*$
Strategy:
For $e = 1, 6, 10, 15$, map $GF(q^e)^*$ into $\prod_{d \mid e} T_d$.
Collect the tuple $C = \prod_{e \in \{1, 6, 10, 15\}} \prod_{d \mid e} T_d$.
Use $T_{30}$ and permute $C$ to get $C' = \prod_{e \in \{2, 3, 5, 30\}} \prod_{d \mid e} T_d$.
For $e = 2, 3, 5, 30$, decompose $C'$ to map $\prod_{d \mid e} T_d$ into $GF(q^e)^*$.
The map $\psi^{-1}$ is similar.
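The cyclotomic bookkeeping behind $\psi$, worked out in an added Python example (not the authors' code): it computes $\mu$, $\varphi$ and $\Phi_n(q)$ by Möbius inversion, lists the divisors on the domain side ($\mu(n/d) = -1$) and range side ($\mu(n/d) = +1$) of $\psi$, and checks that $|T_n| \cdot \prod |GF(q^d)^*|$ over the domain side equals the product over the range side, with the difference of the two exponent sums equal to $\varphi(n)$, so the two sides of $\psi$ have the same size and the saving per element is $\varphi(n) \log q$ bits.

```python
from functools import reduce

def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]

def mobius(n):
    # mu(n) = (-1)^k for n a product of k distinct primes, 0 if a square divides n
    k, m, p = 0, n, 2
    while p * p <= m:
        if m % p == 0:
            m //= p
            if m % p == 0:
                return 0
            k += 1
        p += 1
    if m > 1:
        k += 1
    return (-1) ** k

def phi(n):
    # Euler's totient via Mobius inversion: phi(n) = sum_{d|n} mu(n/d) * d
    return sum(mobius(n // d) * d for d in divisors(n))

def cyclotomic(n, q):
    # Phi_n(q) from q^n - 1 = prod_{d|n} Phi_d(q): Phi_n(q) = prod_{d|n} (q^d - 1)^mu(n/d)
    num = den = 1
    for d in divisors(n):
        if mobius(n // d) == 1:
            num *= q ** d - 1
        elif mobius(n // d) == -1:
            den *= q ** d - 1
    return num // den

def psi_sides(n):
    # divisors d of n on the domain side (mu(n/d) = -1) and range side (mu(n/d) = +1) of psi
    minus = [d for d in divisors(n) if mobius(n // d) == -1]
    plus = [d for d in divisors(n) if mobius(n // d) == +1]
    return minus, plus

def product_of_field_orders(q, ds):
    # prod over d in ds of |GF(q^d)*| = q^d - 1
    return reduce(lambda acc, d: acc * (q ** d - 1), ds, 1)

def sides_balance(n, q):
    # |T_n| * prod_{domain side} |GF(q^d)*| == prod_{range side} |GF(q^d)*|, so a bijection
    # can exist; and the gap between the exponent sums is phi(n), the bits saved per element
    minus, plus = psi_sides(n)
    lhs = cyclotomic(n, q) * product_of_field_orders(q, minus)
    rhs = product_of_field_orders(q, plus)
    return lhs == rhs and sum(plus) - sum(minus) == phi(n)
```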
The Bijections
Question: which map $\psi_e : GF(q^e)^* \to \prod_{d \mid e} T_d$ to use?
If $\gcd(|T_a|, |T_b|) = 1$ for all $a, b \mid e$, then the domain and range of $\psi_e$ are isomorphic; this follows from the structure theorem:
Let $H_1, \dots, H_k$ be cyclic groups with $\gcd(|H_i|, |H_j|) = 1$ for all $i \ne j$, let $m = |H_1| \cdots |H_k|$, and let $G_m$ be cyclic of order $m$. Then $\psi : G_m \to H_1 \times \cdots \times H_k$ and $\psi^{-1}$ are isomorphisms:
$\psi(\zeta) = (\zeta^{m/|H_i|})_{i \in [k]}$
$\psi^{-1}(\zeta_1, \dots, \zeta_k) = \zeta_1^{e_1} \cdots \zeta_k^{e_k}$, where $e_i \cdot m/|H_i| \equiv 1 \pmod{|H_i|}$
$\psi$: The General Case
$GF(q^e)^* \not\cong \prod_{d \mid e} T_d$ if $\gcd(|T_a|, |T_b|) > 1$ for some $a, b \mid e$.
Idea: divide out the common factors $U$ of the $|T_d|$ and decompose into an isomorphism + a table lookup:
Example: map $GF(q^2)^*$ to $T_1 \times T_2$.
$|T_1| = q - 1$, $|T_2| = q + 1$, so $2 \mid \gcd(|T_1|, |T_2|)$.
Suppose $2 \mid (q - 1)$, $4 \mid (q + 1)$, and $\gcd(|T_1|/2, |T_2|/4) = 1$.
$GF(q^2)^* \cong G_8 \times G_{(q-1)/2} \times G_{(q+1)/4}$.
Bijection from $G_8$ to $G_2 \times G_4$ using a table lookup.
$G_2 \times G_{(q-1)/2} \cong T_1$ and $G_4 \times G_{(q+1)/4} \cong T_2$.
+ The isomorphisms are efficient using the structure theorem.
+ The table is efficient since it is small.
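The structure-theorem isomorphism of the two slides above on the smallest instance of the $GF(q^2)^* \to T_1 \times T_2$ example, as an added Python example (not the authors' code): it takes $q = 4$, so $|T_1| = 3$ and $|T_2| = 5$ are coprime and the isomorphism alone suffices with no table lookup (the slide's odd-$q$ case, where $2 \mid \gcd$, is what forces the table); the modulus $x^4 + x + 1$ for $GF(16)$ and the 4-bit element encoding are assumptions of this example.

```python
# GF(16) = GF(2)[x]/(x^4 + x + 1) (assumed modulus); elements are 4-bit ints, GF(16)* has order 15
POLY, ORDER = 0b10011, 15

def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0b10000:
            a ^= POLY
    return r

def gf_pow(a, e):
    r, e = 1, e % ORDER
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

# q = 4: T_1 = GF(4)* has order q - 1 = 3, T_2 has order q + 1 = 5; gcd(3, 5) = 1,
# so GF(q^2)* = G_15 decomposes as T_1 x T_2 by the structure theorem alone (no table)
H = [3, 5]
M = H[0] * H[1]

def psi(z):
    # psi(zeta) = (zeta^(m/|H_i|))_i: projections onto the subgroups of coprime order
    return tuple(gf_pow(z, M // h) for h in H)

def psi_inv(parts):
    # psi^{-1}(zeta_1, zeta_2) = zeta_1^e_1 * zeta_2^e_2 with e_i * (m/|H_i|) = 1 (mod |H_i|)
    z = 1
    for zi, h in zip(parts, H):
        z = gf_mul(z, gf_pow(zi, pow(M // h, -1, h)))
    return z

def in_subgroup(z, h):
    # z lies in the unique subgroup of order h iff z^h = 1
    return gf_pow(z, h) == 1

def is_isomorphism():
    units = range(1, 16)
    bijective = all(psi_inv(psi(z)) == z for z in units) and len({psi(z) for z in units}) == 15
    lands = all(in_subgroup(psi(z)[i], H[i]) for z in units for i in range(2))
    homo = all(psi(gf_mul(a, b)) == tuple(gf_mul(u, v) for u, v in zip(psi(a), psi(b)))
               for a in units for b in units)
    return bijective and lands and homo
```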
Parameter Selection
Choose $q$ wisely: we want a small table.
Heuristic algorithm for $n = 30, 210$:
- Choose a random $q$ of a certain size
- Check that $\Phi_n(q)$ contains a large prime factor, by trial division
- Check that $U$ is small
Theoretical algorithm for general $n$:
- Choose a random prime $r$ first
- Choose $q$ at random subject to $r \mid \Phi_n(q)$
- Test $q$ to ensure $U$ is small
Density theorems ⇒ terminates quickly w.h.p.
Applying the Bijections
$\psi : T_n \times \prod_{d \mid n,\ \mu(n/d) = -1} GF(q^d)^* \to \prod_{d \mid n,\ \mu(n/d) = +1} GF(q^d)^*$
Let $\Sigma^- = \sum_{d \mid n,\ \mu(n/d) = -1} d$ and $\Sigma^+ = \sum_{d \mid n,\ \mu(n/d) = +1} d$.
Think of $\psi$ as a map $T_n \times \mathbb{F}_q^{\Sigma^-} \to \mathbb{F}_q^{\Sigma^+}$.
There are negligibly few points where $\psi$ is undefined: handle these points separately, and use randomization to avoid bad points.
Applications
To represent $x_1, \dots, x_m \in T_n$:
choose a seed $s_1 \in \mathbb{F}_q^{\Sigma^-}$;
compute $\psi(x_1, s_1) = t_1 \in \mathbb{F}_q^{\Sigma^+}$ and split $t_1$ into $s_2 \times r_1 \in \mathbb{F}_q^{\Sigma^-} \times \mathbb{F}_q^{\varphi(n)}$;
compute $\psi(x_2, s_2) = t_2 \in \mathbb{F}_q^{\Sigma^+}$ and split $t_2$ into $s_3 \times r_2 \in \mathbb{F}_q^{\Sigma^-} \times \mathbb{F}_q^{\varphi(n)}$;
…
Output $r_1, \dots, r_m, s_{m+1}$.
This is an efficient representation for large $m$.
A Signature Scheme
Generalized ElGamal signatures work for any group: use $T_n$.
The ElGamal box algorithm outputs $h \in T_n$ plus other stuff $I$; the message $M$ is in $I$.
Write $I$ as $I_1 \times I_2 \in \mathbb{F}_q^{\Sigma^-} \times \{0,1\}^*$.
Output $\mathrm{sig}(M) = \psi(h, I_1), I_2$.
The verifier inverts $\psi$ and uses ElGamal verification.
Key idea: embed the message into $\mathbb{F}_q^{\Sigma^-}$, so the signature is small.
Hybrid ElGamal Encryption
Let $a \in_R \{1, \dots, \Phi_n(q)\}$ be Alice's private key and $g^a$ her public key, where $g$ is a generator of $T_n$; $E$ is a symmetric cipher.
Encrypt($m$):
(1) choose $k \in_R \{1, \dots, \Phi_n(q)\}$ and set $e = g^k$
(2) use $g^{ak}$ to get the symmetric key $k$
(3) compute $E_k(m) = (c, d) \in \mathbb{F}_q^{\Sigma^-} \times \{0,1\}^*$
(4) output $\psi(e, c), d$
Decryption: use $a$ and $\psi^{-1}$ to recover $k$ and $E_k(m)$, and then $m$.
Key idea: embed $E_k(m)$ into $\mathbb{F}_q^{\Sigma^-}$, so the encryption is small.
Conclusions & Future Work
Results:
- Compact representation of sequences of elements of $T_n$
- Protocols with optimal communication: ElGamal signature / encryption (both hybrid and almost non-hybrid) schemes, and Diffie-Hellman key exchange (asymptotically optimal)
Future Work:
- Rational parameterization of the algebraic torus ⇒ efficient representation of single elements of $T_n$
- Our computational costs: the improvements of [vdWS] give ~$21 \log q$ multiplications per evaluation of $\psi$