The XTR public key system (extended version of Crypto 2000 presentation). Arjen K. Lenstra, Citibank, New York / Technical University Eindhoven; Eric R. Verheul, PricewaterhouseCoopers.

XTR stands for ECSTR: Efficient Compact Subgroup Trace Representation

Overview
- XTR background
- XTR security
- Comparison to traditional representation, RSA, and ECC
- XTR subgroup representation
- XTR subgroup exponentiation
- XTR multi-exponentiation
- XTR parameter generation
- Improved XTR parameter generation
- XTR application example
- Disadvantages?
- Related work
- Conclusion

- XTR is not a new cryptosystem: XTR is a traditional subgroup Discrete Logarithm system
- XTR uses an efficient and compact method to represent subgroup elements (like LUC, but better)
- The security of XTR is based on the Discrete Logarithm problem in the subgroup of $GF(p^6)^*$ of order dividing $p^2 - p + 1$ (LUC uses the subgroup of $GF(p^2)^*$ of order dividing $p + 1$)
- XTR removes the distinction between conjugates (like LUC)

Subgroups of $GF(p^t)^*$
- $\#GF(p^t)^* = p^t - 1 = \prod_{d \mid t} \Phi_d(p)$, where $\Phi_d(X)$ is the $d$-th cyclotomic polynomial
- With Pohlig-Hellman: computing Discrete Logarithms in $GF(p^t)^*$ is equivalent to computing Discrete Logarithms in all order $\Phi_d(p)$ subgroups for $d$ dividing $t$
- For $d$ dividing $t$ with $d < t$: the order $\Phi_d(p)$ subgroup can efficiently be embedded in the multiplicative group $GF(p^d)^*$ of the true subfield $GF(p^d)$ of $GF(p^t)$
- According to the current (published) state of the art: for $d$ dividing $t$ with $d < t$ the DL problem in the order $\Phi_d(p)$ subgroup is easier than the DL problem in $GF(p^t)^*$
- In general: the DL problem in the order $\Phi_t(p)$ subgroup is as hard as the DL problem in $GF(p^t)^*$

Subgroups of $GF(p^6)^*$
- $p^6 - 1 = (p - 1)(p + 1)(p^2 + p + 1)(p^2 - p + 1)$
- Subgroup of order $p - 1$ can be embedded in $GF(p)^*$
- Subgroup of order $p + 1$ can be embedded in $GF(p^2)^*$
- Subgroup of order $p^2 + p + 1$ can be embedded in $GF(p^3)^*$
- Subgroup of order $\Phi_6(p) = p^2 - p + 1$ cannot be embedded in $GF(p^t)^*$ for $t = 1, 2, 3$
- $\Rightarrow$ (Pohlig-Hellman) the order $p^2 - p + 1$ subgroup is as hard as $GF(p^6)^*$, or: if the order $p^2 - p + 1$ subgroup is easier than $GF(p^6)^*$, then $GF(p^6)^*$ is at most as hard as $GF(p^3)^*$ (and that is unlikely)

XTR security
- XTR versions of cryptographic protocols are provably as secure as the traditional versions over $GF(p^6)$: either XTR is secure (because $GF(p^6)$ is secure) or XTR is not secure (and thus $GF(p^6)$ is not secure)
- Current state of the art: Discrete Logarithms in $GF(p^6)^*$ are at least as hard as (or harder than) Discrete Logarithms in the multiplicative group of a $6\log_2(p)$-bit prime field
- In general there is no additional risk in moving from prime fields to extension fields of comparable size, as long as the subgroup order divides $\Phi_t(p)$ (in $GF(p^t)^*$, $p$ large)

Comparison of traditional and XTR representation
$g \in GF(p^6)^*$ of prime order $q$ dividing $p^2 - p + 1$; $h$ another element of the order $q$ subgroup; $m \approx n$

                                          Traditional        XTR
Bits to represent $g^m$                   $6\log_2(p)$       $2\log_2(p)$
Multiplications in $GF(p)$ for $g^m$      $21\log_2(m)$      $8\log_2(m)$
Multiplications in $GF(p)$ for $g^m h^n$  $25.5\log_2(m)$    $16\log_2(m)$

(the order $q$ subgroup of a $6\log_2(p)$-bit prime field is even slower)

XTR, RSA comparison
Run times in milliseconds on a 450 MHz Pentium II (NT), using a generic software implementation

                          170-bit XTR   1020-bit RSA
Parameter/key selection   73 ms         1224 ms
Encrypting/verifying      23 ms         5 ms (for 32-bit e)
Decrypting/signing        11 ms         40 ms (no CRT: 123 ms)
Public key size           680 bits      1050 bits
ID-based public key size  388 bits      510 bits

XTR, ECC comparison (for ECC over prime fields)
Run time estimates for ECC are based on the multiplication count in $GF(p)$, from the Cohen/Miyaji/Ono Asiacrypt'98 paper; $GF(p)$ multiplication counts in parentheses

                          170-bit XTR      170-bit ECC
Parameter/key selection   73 ms            hours?
Encrypting                23 ms (2720)     28 ms (3400)
Decrypting                11 ms (1360)     16 ms (1921)
Public key size           680 bits         766 bits
ID-based public key size  388 bits         304 bits
Shared public key size    340 bits         171 bits
Signing                   11 ms (1360)     14 ms (1700)
Verifying                 23 ms (2754)     21 ms (2575)

How does it work?

XTR subgroup element representation  GF(p 6 ) , g of prime order q dividing p 2  p + 1, q > 3 Let F(c,X) = X 3  cX 2 + c p X  1, for c  GF(p 2 ) Then F(Tr(g),g) = 0  g and its conjugates can be represented by Tr(g)  GF(p 2 ) Let Tr(g) = g + g p + g p  GF(p 2 ) be the trace over GF(p 2 ) of g 2 4

XTR subgroup exponentiation  GF(p 6 ) , g of prime order q dividing p 2  p + 1, q > 3 F(Tr(g n ), g n ) = g 3n  Tr(g n ) g 2n + Tr(g n ) p g n  1 = 0  Tr(g m+n ) = Tr(g n )  Tr(g m )  Tr(g n ) p  Tr(g m  n ) + Tr(g m  2n )

XTR subgroup exponentiation  GF(p 6 ) , g of prime order q dividing p 2  p + 1, q > 3 F(Tr(g n ), g n ) = g 3n  Tr(g n ) g 2n + Tr(g n ) p g n  1 = 0  g 3n = Tr(g n ) g 2n  Tr(g n ) p g n + 1 multiply by g m  2n  g m+n = Tr(g n ) g m  Tr(g n ) p g m  n + g m  2n add this to its p 2 th and p 4 th power  Tr(g m+n ) = Tr(g n )  Tr(g m )  Tr(g n ) p  Tr(g m  n ) + Tr(g m  2n )

XTR subgroup exponentiation  GF(p 6 ) , g of prime order q dividing p 2  p + 1, q > 3 F(Tr(g n ), g n ) = g 3n  Tr(g n ) g 2n + Tr(g n ) p g n  1 = 0  Tr(g m+n ) = Tr(g n )  Tr(g m )  Tr(g n ) p  Tr(g m  n ) + Tr(g m  2n ) Thus: Tr(g 2n ) = Tr(g n ) 2  2Tr(g n ) p Tr(g n+2 ) = Tr(g)  Tr(g n+1 )  Tr(g) p  Tr(g n ) + Tr(g n  1 ) Tr(g 2n  1 ) = Tr(g n )  Tr(g n  1 )  Tr(g n ) p  Tr(g) p + Tr(g n+1 ) p Tr(g 2n+1 ) = Tr(g n )  Tr(g n+1 )  Tr(g n ) p  Tr(g) + Tr(g n  1 ) p

XTR subgroup exponentiation, continued
- $p \equiv 2 \bmod 3$, $\alpha$ with $\alpha^2 + \alpha + 1 = (\alpha^3 - 1)/(\alpha - 1) = 0$; then $\{\alpha, \alpha^p\} = \{\alpha, \alpha^2\}$ forms a normal basis for $GF(p^2)$ over $GF(p)$
- $(x_1 \alpha + x_2 \alpha^2)^p = x_2 \alpha + x_1 \alpha^2$: $p$-th powering in $GF(p^2)$ is free
- Thus, given $Tr(g)$ and $Tr(g^n)$, $Tr(g^{2n}) = Tr(g^n)^2 - 2Tr(g^n)^p$ takes two $GF(p)$ multiplications and, with $Tr(g^{n+1})$ and $Tr(g^{n-1})$,
  $Tr(g^{n+2}) = Tr(g) \cdot Tr(g^{n+1}) - Tr(g)^p \cdot Tr(g^n) + Tr(g^{n-1})$
  $Tr(g^{2n-1}) = Tr(g^n) \cdot Tr(g^{n-1}) - Tr(g^n)^p \cdot Tr(g)^p + Tr(g^{n+1})^p$
  $Tr(g^{2n+1}) = Tr(g^n) \cdot Tr(g^{n+1}) - Tr(g^n)^p \cdot Tr(g) + Tr(g^{n-1})^p$
  take four $GF(p)$ multiplications each

XTR subgroup exponentiation, continued
- Given $Tr(g)$ and $(Tr(g^{2n}), Tr(g^{2n+1}), Tr(g^{2n+2}))$ it takes eight multiplications in $GF(p)$ to compute
  'bit off': $(Tr(g^{4n}), Tr(g^{4n+1}), Tr(g^{4n+2}))$, or
  'bit on': $(Tr(g^{4n+2}), Tr(g^{4n+3}), Tr(g^{4n+4}))$
- The iteration is different from ordinary 'multiply and square': the 'bit off' and 'bit on' computations are almost the same
- $\Rightarrow$ computing $Tr(g^m)$ given $Tr(g)$ takes $8\log_2(m)$ multiplications in $GF(p)$ (processing the bits of $(m - 1)/2$)

XTR multi-exponentiation (signature verification)
Given $Tr(g)$ and $Tr(g^k)$ for a secret $k$, compute $Tr(g^m \cdot g^{kn})$:
- compute $e = m/n \bmod q$
- compute $(Tr(g^{e-1}), Tr(g^e), Tr(g^{e+1}))$
- compute $V$ [its definition is missing from the transcript], with $D = c^{2p+2} - 4(c^{3p} + c^3) + 18c^{p+1} - 27 \in GF(p)$ (the discriminant of $F(c, X)$) and $c = Tr(g)$
- compute $Tr(g^{e+k}) = (Tr(g^{k-1}), Tr(g^k), Tr(g^{k+1})) \cdot V$; the 'neighbors' of $Tr(g^k)$ are needed too, else $k$ is not well-defined
- compute $Tr(g^{(e+k)n}) = Tr(g^m \cdot g^{kn})$

XTR parameter generation
- Find primes $p \equiv 2 \bmod 3$ and $q > 3$ with $q$ dividing $p^2 - p + 1$, and $Tr(g)$ for $g$ of order $q$ (no need to compute $g$ itself)
- Find $r$ such that $r^2 - r + 1$ is prime, let $q = r^2 - r + 1$; find $k$ such that $r + k \cdot q$ is prime (and $\equiv 2 \bmod 3$), let $p = r + k \cdot q$
- Pick a $c \in GF(p^2)$, assume $c = Tr(h)$ for $h$ of order dividing $p^2 - p + 1$, compute $Tr(h^{p+1})$ using XTR exponentiation; then: assumption correct $\Leftrightarrow$ $Tr(h^{p+1}) \in GF(p^2) \setminus GF(p)$; on average 3 trials for $c$ suffice
- Compute $Tr(g) = Tr(h^{(p^2 - p + 1)/q})$; pick a new $c$ if $Tr(g) = 3$
- $\Rightarrow$ XTR parameter generation takes on average $(3 \cdot 8 + 8)\log_2(m)$ multiplications in $GF(p)$ (plus the time to generate $q$ and $p$)
- and: no additional software on top of XTR arithmetic

Improved XTR parameter generation
Finding $c$ such that $c = Tr(h)$ for $h$ of order dividing $p^2 - p + 1$ $\Leftrightarrow$ $F(c, X)$ irreducible over $GF(p^2)[X]$:
- $\Leftrightarrow$ $Tr(h^{p+1}) \in GF(p^2) \setminus GF(p)$: $8 \cdot \log_2(m)$ multiplications in $GF(p)$
- $F(c, X)$ has no roots in $GF(p^2)[X]$: using Scipione del Ferro, expected $2.4 \cdot \log_2(m)$ multiplications in $GF(p)$
- $F(c, X) \cdot F(c^p, X) = (X^2 + G_0 X + 1)(X^2 + G_1 X + 1)(X^2 + G_2 X + 1)$ with $G_i \in GF(p^6)$; then $P(c, X) = (X - G_0)(X - G_1)(X - G_2) \in GF(p)[X]$,
  $P(c, X) = X^3 + (c^p + c)X^2 + (c^{p+1} + c^p + c - 3)X + c^{2p} + c^2 + 2 - 2c^p - 2c$,
  and $F(c, X)$ irreducible over $GF(p^2)$ $\Leftrightarrow$ $P(c, X)$ irreducible over $GF(p)$
- $P(c, X)$ has no roots in $GF(p)[X]$: using Scipione del Ferro, expected $0.9 \cdot \log_2(m)$ multiplications in $GF(p)$
- $c = (27\alpha + 3\alpha^2)/19 \in GF(p^2)$ or $c = (-27\alpha - 24\alpha^2)/19 \in GF(p^2)$ if $p$ is not 8 modulo 9: expected $0 \cdot \log_2(m)$ multiplications in $GF(p)$

XTR parameter generation if $p$ is not 8 modulo 9
- If $p$ is not 8 modulo 9: $(Z^9 - 1)/(Z^3 - 1) = Z^6 + Z^3 + 1$ is irreducible over $GF(p)$ (with $p \equiv 2 \bmod 3$ this leaves $p \equiv 2$ or $5 \bmod 9$, where $p$ has order 6 modulo 9) $\Rightarrow$ $GF(p^6) \cong GF(p)(\beta)$ with $\beta^6 + \beta^3 + 1 = 0$
- $Q = (p^6 - 1)/(p^2 - p + 1)$, $a \in GF(p)$
- $p \equiv 2 \bmod 9$: the trace over $GF(p^2)$ of $(\beta + a)^Q$ (of order dividing $p^2 - p + 1$) equals
  $-3\,((a^2 - 1)^3 \alpha + a^3(a^3 - 3a + 1)\alpha^2)/(a^6 - a^3 + 1) \in GF(p^2)$
- $p \equiv 5 \bmod 9$: the trace over $GF(p^2)$ of $(\beta + a)^Q$ (of order dividing $p^2 - p + 1$) equals
  $-3\,((a^2 - 1)^3 \alpha^2 + a^3(a^3 - 3a + 1)\alpha)/(a^6 - a^3 + 1) \in GF(p^2)$
- $a = 1/2$ results in $c = (27\alpha + 3\alpha^2)/19 \in GF(p^2)$
- $a = 2$ results in $c = (-27\alpha - 24\alpha^2)/19 \in GF(p^2)$

XTR application example: Diffie-Hellman
Given primes $p \equiv 2 \bmod 3$ and $q > 3$ with $q$ dividing $p^2 - p + 1$, and $Tr(g)$ for $g$ of order $q$:
- A picks $a$, computes $Tr(g^a)$, sends it to B
- B receives $Tr(g^a)$, picks $b$, computes $Tr(g^b)$, sends it to A, and computes the common key $Tr(g^{ab})$
- A receives $Tr(g^b)$, computes the common key $Tr(g^{ab})$
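The three procedures above, the $S_m$ exponentiation ladder ('bit off' / 'bit on'), the parameter generation recipe (pick $c$, test $Tr(h^{p+1}) \notin GF(p)$, raise to $(p^2 - p + 1)/q$, reject $Tr(g) = 3$) and the Diffie-Hellman exchange, as one added example in Python. This is not code from the XTR paper or slides; all names are mine. It works in $GF(p^2)$ in the normal basis $\{\alpha, \alpha^2\}$ exactly as the slides describe, so $p$-th powering is a coordinate swap. The prime $p = 11$ (with $q = 37$ dividing $11^2 - 11 + 1 = 111$) is a toy chosen so that a brute-force irreducibility check over all $p^2$ field elements runs instantly; real XTR uses roughly 170-bit $p$ and $q$, and nothing here is constant-time or otherwise side-channel hardened.

```python
"""Toy XTR arithmetic over GF(p^2) in the normal basis {alpha, alpha^2},
alpha^2 + alpha + 1 = 0, p = 2 mod 3.  Added example, not the XTR authors' code.
P = 11 is a toy prime (real XTR: ~170-bit p and q); no side-channel hardening."""
import random

P = 11      # toy prime, P = 2 mod 3, so alpha^2 + alpha + 1 is irreducible over GF(P)
Q = 37      # prime factor of P^2 - P + 1 = 111 = 3 * 37: the XTR subgroup order
assert P % 3 == 2 and (P * P - P + 1) % Q == 0 and Q > 3

# GF(p^2) elements are pairs (x1, x2) meaning x1*alpha + x2*alpha^2.
def f2_from_int(n):
    return ((-n) % P, (-n) % P)                   # 1 = -alpha - alpha^2

def f2_add(a, b):
    return ((a[0] + b[0]) % P, (a[1] + b[1]) % P)

def f2_sub(a, b):
    return ((a[0] - b[0]) % P, (a[1] - b[1]) % P)

def f2_mul(a, b):
    # alpha*alpha = alpha^2, alpha*alpha^2 = 1 = -alpha - alpha^2, alpha^2*alpha^2 = alpha
    x1, x2 = a
    y1, y2 = b
    return ((x2 * y2 - x1 * y2 - x2 * y1) % P, (x1 * y1 - x1 * y2 - x2 * y1) % P)

def f2_frob(a):
    return (a[1], a[0])                            # a^p: free, just swap the coordinates

def in_base_field(a):
    return a[0] == a[1]                            # a^p == a  <=>  a in GF(p)

def xtr_double(cn):
    """Tr(g^2n) = Tr(g^n)^2 - 2 Tr(g^n)^p."""
    t = f2_frob(cn)
    return f2_sub(f2_mul(cn, cn), f2_add(t, t))

def xtr_S(c, m):
    """S_m = (Tr(g^(m-1)), Tr(g^m), Tr(g^(m+1))) for odd m >= 1, given c = Tr(g),
    walking the bits of (m-1)/2 from the top: S_(2n+1) -> S_(4n+1) or S_(4n+3)."""
    cp = f2_frob(c)
    a, b, d = f2_from_int(3), c, xtr_double(c)     # S_1 = (Tr(1), Tr(g), Tr(g^2))
    k = (m - 1) // 2
    for bit in (bin(k)[2:] if k else ""):
        bp = f2_frob(b)
        if bit == "0":   # 'bit off': (c_4n, c_4n+1, c_4n+2); middle one is the c_(2n-1) rule
            a, b, d = (xtr_double(a),
                       f2_add(f2_sub(f2_mul(b, a), f2_mul(bp, cp)), f2_frob(d)),
                       xtr_double(b))
        else:            # 'bit on': (c_4n+2, c_4n+3, c_4n+4); middle one is the c_(2n+1) rule
            a, b, d = (xtr_double(b),
                       f2_add(f2_sub(f2_mul(b, d), f2_mul(bp, c)), f2_frob(a)),
                       xtr_double(d))
    return a, b, d

def xtr_trace(c, m):
    """Tr(g^m) from c = Tr(g), any m >= 0 (even m read off the triple around m+1)."""
    if m == 0:
        return f2_from_int(3)
    return xtr_S(c, m)[1] if m % 2 else xtr_S(c, m + 1)[0]

def xtr_trace_naive(c, m):
    """Same value by stepping c_(n+2) = c*c_(n+1) - c^p*c_n + c_(n-1) one term at a time."""
    cp = f2_frob(c)
    prev, cur, nxt = cp, f2_from_int(3), c         # c_-1 = Tr(g^-1) = c^p, c_0 = 3, c_1 = c
    for _ in range(m):
        prev, cur, nxt = cur, nxt, f2_add(f2_sub(f2_mul(c, nxt), f2_mul(cp, cur)), prev)
    return cur

def traces_agree(c, upto):
    """Cross-check of the fast ladder against the naive recurrence for 0 <= m < upto."""
    return all(xtr_trace(c, m) == xtr_trace_naive(c, m) for m in range(upto))

def f_irreducible(c):
    """Brute force over all p^2 elements (toy p only): F(c,X) = X^3 - cX^2 + c^pX - 1 has no root in GF(p^2)."""
    cp, one = f2_frob(c), f2_from_int(1)
    for x1 in range(P):
        for x2 in range(P):
            x = (x1, x2)
            xx = f2_mul(x, x)
            v = f2_sub(f2_add(f2_sub(f2_mul(xx, x), f2_mul(c, xx)), f2_mul(cp, x)), one)
            if v == (0, 0):
                return False
    return True

def xtr_params(seed=0):
    """Slide recipe: random c in GF(p^2)\\GF(p); keep it iff Tr(h^(p+1)) is outside GF(p)
    (then c = Tr(h) with h of order dividing p^2-p+1); return Tr(g) = Tr(h^((p^2-p+1)/q)), never 3."""
    rng = random.Random(seed)                      # seeded only to make the toy run reproducible
    n = P * P - P + 1
    while True:
        c = (rng.randrange(P), rng.randrange(P))
        if in_base_field(c) or in_base_field(xtr_trace(c, P + 1)):
            continue
        tr_g = xtr_trace(c, n // Q)
        if tr_g != f2_from_int(3):                 # Tr(g) = 3 would mean g = 1
            return tr_g

def xtr_dh(c, a, b):
    """Both sides of XTR Diffie-Hellman: A sends Tr(g^a), B sends Tr(g^b); each derives Tr(g^ab)."""
    ta, tb = xtr_trace(c, a), xtr_trace(c, b)      # the two messages on the wire
    return xtr_trace(tb, a), xtr_trace(ta, b)      # A's key, B's key

if __name__ == "__main__":
    c = xtr_params(seed=1)
    print("Tr(g) =", c, "| F(c,X) irreducible:", f_irreducible(c),
          "| Tr(g^q) = 3:", xtr_trace(c, Q) == f2_from_int(3))
    print("fast ladder matches naive recurrence:", traces_agree(c, 2 * Q))
    key_a, key_b = xtr_dh(c, 5, 29)
    print("DH keys agree:", key_a == key_b, key_a)
```

The ladder keeps the triple $(c_{2n}, c_{2n+1}, c_{2n+2})$ and, as the slide says, the two branches do the same amount of work (three doublings-or-products of the same shape); `traces_agree` checks the fast ladder against the plain recurrence, `f_irreducible` independently confirms that the $c$ returned by the parameter recipe really is the trace of a subgroup element, and `xtr_dh` shows that $Tr(g^{ab})$ is reached from either side without ever touching $GF(p^6)$.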

XTR is secure, efficient, compact, easy to implement, with trivial parameter generation. Any disadvantages?
- Do we really trust $GF(p^6)$?
- Multiplication of $Tr(g^m)$ and $Tr(g^n)$ is non-trivial (but can usually be avoided)
- $p^6$ grows as fast as RSA moduli (i.e., fast), while $q$ grows as fast as ECC subgroup orders (i.e., slowly): $\log_2(q) \approx \log_2(p) \approx 170$ holds only for current security levels
- Signature verification is slow (just like other DL based schemes)
- Signature verification needs $Tr(g^k)$, $Tr(g^{k-1})$, $Tr(g^{k+1})$ (secret $k$). But: $Tr(g^{k-1})$ follows from $Tr(g^k)$ and $Tr(g^{k+1})$, and $Tr(g^{k+1})$ can be computed quickly given $Tr(g^k)$
- It's new

Related previous work
- XTR is based on the paper "Doing more with fewer bits" by Brouwer, Pellikaan, Verheul at Asiacrypt'99: XTR has the same communication advantage but is much faster
- LUC: order $p + 1$ subgroup of $GF(p^2)^*$: factor 2 improvement
- G. Gong, L. Harn, "Public key cryptosystems based on cubic finite field extensions", IEEE Trans. I.T., Nov 1999: order $p^2 + p + 1$ subgroup of $GF(p^3)^*$: factor 1.5 improvement
- XTR: order $p^2 - p + 1$ subgroup of $GF(p^6)^*$: factor 3 improvement

Conclusion
- XTR may be a nice way to implement DSA for current and near future security levels
- XTR is a useful alternative to Elliptic Curve Cryptosystems (low powered devices, WAP, ...)
- If many decryptions have to be performed (SSL): XTR may be preferable to RSA
- Either XTR is secure or $GF(p^6)^*$ is not as secure as believed
- papers available from