Finite Field Cryptography


1 Finite Field Cryptography. Martijn Stam, EPFL LACAL. ECRYPT-II Winter School, 2-6 February 2009.

2 Roadmap
1 Groups: Definitions; Cryptographic Applications
2 Finite Fields: Basics; $\mathbb{F}_{q^2}$ Arithmetic; Cyclotomic Subgroups
3 Trace-Based Cryptosystems: Degree 2: LUC; Degree 6: XTR
4 Torus-Based Cryptography: Mathematical Background; Dimension 2: $T_2$
5 Exercises

4 Groups. Cyclic Group: a group $G$ is cyclic if $\exists g\ \forall u\ \exists x \in \mathbb{Z} : u = g^x$; $g$ is called a generator, $\langle g \rangle = G$. $G_l$ denotes a finite cyclic group of order $l$; $\mathbb{Z}_l = \{0, \ldots, l-1\}$ denotes the integers modulo $l$. If $u = g^x \in G_l$, then $u^l = 1$, hence $u = g^{(x \bmod l)}$, so we consider $x \in \mathbb{Z}_l$. For a cyclic group $G_l$ and $t \mid l$ there is a unique subgroup $G_t \subseteq G_l$ of order $t$.

5-7 The Discrete Logarithm Problem. Discrete Logarithm: let $G_l$ be a cyclic group with generator $g$; then $\forall u\ \exists!\, x \in \mathbb{Z}_l : u = g^x$. The problem: $u \leftarrow_{\$} G$ is given to the adversary $A$, which must output $x \overset{?}{=} \log_g u$.

Experiment $\mathrm{Exp}^{\mathrm{dlp}}_{GS,A}(k)$: $(G, g, l) \leftarrow \mathrm{Gen}(1^k)$; $x \leftarrow_{\$} \mathbb{Z}_l$; $u \leftarrow g^x$; $x' \leftarrow_{\$} A((G, g, l), u)$; if $x' = x$ return 1 else return 0. $\mathrm{Adv}^{\mathrm{dlp}}_{GS,A}(k) \overset{\mathrm{def}}{=} \Pr[\mathrm{Exp}^{\mathrm{dlp}}_{GS,A}(k) = 1]$.

Let $t \mid l$ and $G_t \subseteq G_l$; then the DLP in $G_l$ is at least as hard as in $G_t$. (The supergroup inherits security from the subgroup.)

8 The Computational Diffie-Hellman Problem. $(x, y) \leftarrow_{\$} \mathbb{Z}_l^2$; given $(g, g^x, g^y)$, the adversary $A$ must output $w \overset{?}{=} g^{xy}$. Experiment $\mathrm{Exp}^{\mathrm{cdh}}_{GS,A}(k)$: $(G, g, l) \leftarrow \mathrm{Gen}(1^k)$; $x, y \leftarrow_{\$} \mathbb{Z}_l$; $u \leftarrow g^x$; $v \leftarrow g^y$; $w \leftarrow_{\$} A((G, g, l), (u, v))$; if $w = g^{xy}$ return 1 else return 0. $\mathrm{Adv}^{\mathrm{cdh}}_{GS,A}(k) \overset{\mathrm{def}}{=} \Pr[\mathrm{Exp}^{\mathrm{cdh}}_{GS,A}(k) = 1]$. Again, the supergroup inherits security from the subgroup.

9 The Decisional Diffie-Hellman Problem. $(x, y, r) \leftarrow_{\$} \mathbb{Z}_l^3$; $b \leftarrow_{\$} \{0, 1\}$; given $(g, g^x, g^y, w)$ with $w = g^{xy}$ if $b = 0$ and $w = g^r$ if $b = 1$, the adversary $A$ must output $b' \overset{?}{=} b$. Experiment $\mathrm{Exp}^{\mathrm{ddh}}_{GS,A}(k)$: $(G, g, l) \leftarrow \mathrm{Gen}(1^k)$; $x, y, r \leftarrow_{\$} \mathbb{Z}_l$; $u \leftarrow g^x$; $v \leftarrow g^y$; $b \leftarrow_{\$} \{0, 1\}$; $w \leftarrow g^{br + (1-b)xy}$; $b' \leftarrow_{\$} A((G, g, l), (u, v, w))$; if $b' = b$ return 1 else return 0. $\mathrm{Adv}^{\mathrm{ddh}}_{GS,A}(k) \overset{\mathrm{def}}{=} \left|\Pr[\mathrm{Exp}^{\mathrm{ddh}}_{GS,A}(k) = 1] - \tfrac{1}{2}\right|$. This time the subgroup inherits security from the supergroup.

10-12 Solving the DLP. Baby-step giant-step: for any group $G_l$ the DLP can be solved using slightly over $\sqrt{l}$ multiplications and with $\sqrt{l}$ group elements of memory. Pollard $\rho$ method: for any group $G_l$, the DLP can be solved using slightly over $\sqrt{l}$ multiplications and with constant memory. Pohlig-Hellman method: for a composite-order subgroup $G_{l_1 l_2}$ it suffices to solve the DLP in $G_{l_1}$ and $G_{l_2}$. (Sieve-based) index calculus methods: for finite fields the DLP can be solved in time subexponential in the field size; related to the NFS for factoring.

13 Cryptographic Applications. A large chunk of crypto is based on cyclic groups of known, factored order. Discrete-log based: basic primitives for key agreement, encryption, signatures, zero-knowledge proofs and arguments; protocols for comparisons, credentials, electronic voting etc. Elliptic-curve based: the groups are based on elliptic curves; some deviating primitives and protocols. Pairing based: the groups are based on elliptic curves with small embedding degree; completely different primitives and protocols, including new functionality such as identity-based cryptography. DDH is easy in these groups!

14-19 Key Agreement Morphology (diagram): $1^k \to \mathrm{Kg} \to$ params, given to both parties $P_1$ and $P_2$; the parties exchange messages (boxes Enc/Dec and E/D in the figure) and each ends with a key $K$; the adversary $A$ watches the exchange and outputs $K' \overset{?}{=} K$.

20 Key Agreement, Weak Security against Eavesdroppers (diagram): the same picture, where the adversary $A$ only sees the exchanged messages and must output $K' \overset{?}{=} K$.

21-25 Key Agreement, Example: Diffie-Hellman Key Exchange. $1^k \to \mathrm{Kg} \to (g, G_l, l)$, known to both $P_1$ and $P_2$. $P_1$ picks $x$ and sends $X = g^x$; $P_2$ picks $y$ and sends $Y = g^y$. $P_1$ computes $Y^x = g^{xy}$ and $P_2$ computes $X^y = g^{xy}$, so both hold $K = g^{xy}$. The adversary sees $X$ and $Y$ and outputs $K' \overset{?}{=} K$. Weakly secure against eavesdroppers under the CDH assumption.
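The exchange of slides 21-25, as an added example that is not part of the original slides: both parties compute $g^{xy}$ inside a prime-order subgroup $G_l$ of $\mathbb{F}_p^*$ and pass it through a KDF. The parameters $p = 1019$, $l = 509$ are constructed toy values chosen so that $p = 2l + 1$; the membership test on the received value is the check a practitioner adds so that the exponentiation really takes place in $G_l$ (the "prime order" aspect of slide 40).

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use: p = 2*l + 1 with p and l prime,
# so F_p^* (cyclic of order p - 1 = 2*l) has a unique subgroup G_l of prime order l.
P = 1019
L = 509


def find_generator(p, l):
    """Generator of the order-l subgroup G_l of F_p^*: h^((p-1)/l) for any h with h^((p-1)/l) != 1."""
    cofactor = (p - 1) // l
    for h in range(2, p):
        g = pow(h, cofactor, p)
        if g != 1:
            return g
    raise ValueError("no generator found")


def in_subgroup(u, p, l):
    """Membership test for G_l: u is a nonzero residue with u^l = 1.  A party applies this
    to the value it receives so that its exponentiation really happens in G_l."""
    return 0 < u < p and pow(u, l, p) == 1


def keygen(g, p, l, rng=secrets.randbelow):
    """Ephemeral pair (x, g^x) with x drawn from Z_l, as on the slides."""
    x = rng(l)
    return x, pow(g, x, p)


def shared_key(x, peer_value, p, l):
    """K = KDF(peer_value^x); rejects values outside G_l and the identity element
    (x = 0 on the other side yields 1, whose powers are all known)."""
    if not in_subgroup(peer_value, p, l) or peer_value == 1:
        raise ValueError("received value is not in G_l \\ {1}")
    z = pow(peer_value, x, p)                       # g^{xy}, the CDH value
    return hashlib.sha256(z.to_bytes(4, "big")).hexdigest()


def exchange(x, y, p=P, l=L):
    """Run the protocol with fixed exponents x (P_1) and y (P_2); return both parties' keys."""
    g = find_generator(p, l)
    X, Y = pow(g, x, p), pow(g, y, p)               # the two messages an eavesdropper sees
    return shared_key(x, Y, p, l), shared_key(y, X, p, l)
```

With $h = 2$ the cofactor exponentiation gives $g = 4$; an eavesdropper holding only $X$ and $Y$ would need the CDH value $g^{xy}$ to derive the key.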

26 Public Key Encryption Morphology (diagram): $1^k \to \mathrm{Kg} \to (pk, sk)$; Enc takes $pk$ and a message $m$ and outputs a ciphertext $C$ (labelled $\psi$ in the figure); Dec takes $sk$ and $C$ and returns $m$.

27 Public Key Encryption, IND-CPA Security (diagram): $(pk, sk) \leftarrow \mathrm{Kg}(1^k)$; $b \leftarrow_{\$} \{0, 1\}$; the adversary $A$ receives $pk$, outputs $(m_0, m_1)$, receives $C = \mathrm{Enc}_{pk}(m_b)$ and outputs $b' \overset{?}{=} b$. Indistinguishability against chosen plaintext attacks (IND-CPA).

28 Public Key Encryption, IND-CCA2 Security (diagram): as before, but $A$ additionally has access to a decryption oracle $\mathrm{Dec}_{sk}(\cdot)$ both before and after receiving $C$, for queries $C' \neq C$. Indistinguishability against chosen ciphertext attacks (IND-CCA2).

29 Public Key Encryption, IND-CPA Security. Experiment $\mathrm{Exp}^{\mathrm{cpa}}_{PKE,A}(k)$: $(pk, sk) \leftarrow \mathrm{Kg}(1^k)$; $(m_0, m_1, St) \leftarrow A_1(pk)$ s.t. $|m_0| = |m_1|$; $b \leftarrow_{\$} \{0, 1\}$; $C \leftarrow \mathrm{Enc}(pk, m_b)$; $b' \leftarrow_{\$} A_2(C, St)$; if $b' = b$ return 1 else return 0. We define the advantage of $A$ in the experiment as $\mathrm{Adv}^{\mathrm{cpa}}_{PKE,A}(k) \overset{\mathrm{def}}{=} \left|\Pr[\mathrm{Exp}^{\mathrm{cpa}}_{PKE,A}(k) = 1] - \tfrac{1}{2}\right|$.

30-33 Public Key Encryption, Example: ElGamal. Let $g \in G_l$, $l$ prime. Kg: $x \leftarrow \mathbb{Z}_l$, $X = g^x$; the public key is $X$, the secret key $x$. Enc of $m \in G_l$: pick $r \leftarrow \mathbb{Z}_l$, set $c = g^r$ and $K = X^r$, output $C = (\psi, c)$ with $\psi = mK$, i.e. $(mX^r, g^r)$. Dec of $(\psi, c)$: $K = c^x$, output $\psi K^{-1} = \psi c^{-x}$. ElGamal: IND-CPA under the DDH assumption.

34 Public Key Encryption, Example: Hybrid ElGamal. Same Kg. Enc: $c = g^r$, $K = H(X^r)$, $C = (E_K(m), c)$. Dec: $K = H(c^x)$, $m = D_K(\psi)$. Hybrid ElGamal: IND-CPA under the DDH assumption and suitable $H$ (a KDF) and $E$.
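Both variants of slides 30-34 as an added example (not code from the slides): plain ElGamal on group elements of $G_l$, and the hybrid form in which $K = H(X^r) = H(c^x)$ keys a symmetric scheme. The group $\langle 4 \rangle \subset \mathbb{F}_{1019}^*$ of order $509$ is a constructed toy instance, $H$ is instantiated with SHA-256, and the XOR keystream standing in for $E_K$/$D_K$ is a constructed stand-in for the symmetric scheme the slides leave abstract.

```python
import hashlib

# Constructed toy group (not for real use): G = 4 generates the subgroup of prime order L = 509 in F_P^*.
P, L, G = 1019, 509, 4


def keygen(x):
    """Kg: secret x in Z_l, public X = g^x."""
    return pow(G, x, P)


# --- plain ElGamal: the message is a group element m in G_l ----------------------------------
def encrypt_group(X, m, r):
    if pow(m, L, P) != 1:
        raise ValueError("m must be an element of G_l")
    c = pow(G, r, P)                      # c = g^r
    k = pow(X, r, P)                      # K = X^r
    return (m * k) % P, c                 # (m X^r, g^r)


def decrypt_group(x, ct):
    psi, c = ct
    k = pow(c, x, P)                      # K = c^x = g^{rx}
    return (psi * pow(k, L - 1, P)) % P   # psi * K^{-1}; K lies in G_l, so K^{-1} = K^{L-1}


# --- hybrid ElGamal: the group element only keys a symmetric scheme --------------------------
def kdf(z):
    """H: hash the group element to a 32-byte key."""
    return hashlib.sha256(z.to_bytes(4, "big")).digest()


def keystream(key, n):
    """Toy E/D: XOR with a SHA-256 counter keystream.  It stands in for the symmetric scheme E
    on the slides; a real deployment would use an authenticated cipher here."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def encrypt_hybrid(X, m, r):
    c = pow(G, r, P)                      # c = g^r
    K = kdf(pow(X, r, P))                 # K = H(X^r)
    psi = bytes(a ^ b for a, b in zip(m, keystream(K, len(m))))       # E_K(m)
    return psi, c


def decrypt_hybrid(x, ct):
    psi, c = ct
    K = kdf(pow(c, x, P))                 # K = H(c^x), the same value since c^x = g^{rx} = X^r
    return bytes(a ^ b for a, b in zip(psi, keystream(K, len(psi))))  # D_K(psi)
```

The hybrid form removes the requirement that the plaintext be a group element, which is why slide 41 notes that a $\mathbb{Z}_l$-module suffices for it.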

35 Signature Scheme Morphology (diagram): $1^k \to \mathrm{Kg} \to (sk, pk)$; Sign takes $sk$ and $m$ and outputs $(m, \sigma)$; Vfy takes $pk$ and $(m, \sigma)$ and accepts or rejects.

36-37 Signature Scheme, EUF-CMA Security (diagram: $A$ receives $pk$, may submit messages $m$ to a signing oracle and receive $\sigma$, and finally outputs a forgery $(m^*, \sigma^*)$). Experiment $\mathrm{Exp}^{\mathrm{euf\text{-}cma}}_{SigS,A}(k)$: $(pk, sk) \leftarrow \mathrm{Kg}(1^k)$; $(m^*, \sigma^*) \leftarrow A^{\mathrm{Sign}(sk, \cdot)}(pk)$; if $\mathrm{Vfy}(pk, m^*, \sigma^*)$ return 1 else 0. The adversary $A$ is restricted not to output an $m^*$ that was queried to its Sign oracle. $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{SigS,A}(k) \overset{\mathrm{def}}{=} \Pr[\mathrm{Exp}^{\mathrm{euf\text{-}cma}}_{SigS,A}(k) = 1]$. Existential unforgeability against chosen message attacks (EUF-CMA).

38-39 Signature Scheme, Example: Schnorr Signatures. Let $H : G_l \times \{0, 1\}^* \to \mathbb{Z}_l$, $g \in G_l$, $l$ prime. Kg: $x \leftarrow \mathbb{Z}_l$, $X = g^x$. Sign($m$): $r \leftarrow \mathbb{Z}_l$, $a = g^r$, $c = H(g^r, m)$, $t = r + cx \in \mathbb{Z}_l$, $\sigma = (c, t)$. Vfy: check $c \overset{?}{=} H(g^t X^{-c}, m)$. EUF-CMA secure under DLP hardness and idealized $H$ (ROM).
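Slides 38-39 as an added example (not code from the slides): Schnorr signing and verification over the constructed toy group $\langle 4 \rangle \subset \mathbb{F}_{1019}^*$ of prime order $509$, with $H$ instantiated as SHA-256 reduced modulo $l$. The verification step recomputes $g^t X^{-c}$, which equals the signer's commitment $g^r$ exactly when $t = r + cx$.

```python
import hashlib

# Constructed toy group (not for real use): G = 4 generates the subgroup of prime order L = 509 in F_P^*.
P, L, G = 1019, 509, 4


def H(a, m):
    """H : G_l x {0,1}^* -> Z_l, instantiated as SHA-256 over (a, m) reduced mod L."""
    digest = hashlib.sha256(a.to_bytes(4, "big") + m).digest()
    return int.from_bytes(digest, "big") % L


def keygen(x):
    """Public key X = g^x for secret x in Z_l."""
    return pow(G, x, P)


def sign(x, m, r):
    """sigma = (c, t) with c = H(g^r, m) and t = r + c*x mod l.  r must be fresh and secret for
    every signature: two signatures sharing r with different c expose x from the two t values."""
    a = pow(G, r, P)
    c = H(a, m)
    t = (r + c * x) % L
    return c, t


def recovered_commitment(X, sig):
    """g^t * X^{-c}, which for a valid signature equals the signer's g^r."""
    c, t = sig
    return (pow(G, t, P) * pow(X, (-c) % L, P)) % P   # X has order L, so X^{-c} = X^{L-c}


def verify(X, m, sig):
    """Vfy: accept iff c = H(g^t X^{-c}, m)."""
    return sig[0] == H(recovered_commitment(X, sig), m)
```

The test below uses $x = 5$ and $r = 7$; the recovered commitment is then $4^7 \bmod 1019 = 80$, and altering the message makes the hash check fail.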

40-41 Cryptographic Aspects of Groups. A group $G_l$ is suitable for (DLP-based) cryptography if: Efficient arithmetic: in particular multiplication and exponentiation. Compact representation: of both the group and its elements; elements ideally take only $\lg l$ bits. Hardness: the DLP, CDH and possibly DDH should be hard. Prime order: preferably $l$ is prime. Attainable: convenient if there exists an efficiently invertible injection from $\{0, 1\}^{\lg l}$ to $G_l$. For certain applications (hybrid ElGamal, DH key agreement) a $\mathbb{Z}_l$-module instead of a group $G_l$ suffices.

42 Outline: part 2, Finite Fields (Basics; $\mathbb{F}_{q^2}$ Arithmetic; Cyclotomic Subgroups).

43 Groups and Rings. Abelian Group: an abelian group $(G, \cdot)$ is a set $G$ together with a binary operation $\cdot$ s.t. $\cdot$ is associative: $\forall a, b, c\ (a \cdot b) \cdot c = a \cdot (b \cdot c)$; there is a unity $1$ s.t. $\forall a\ a \cdot 1 = 1 \cdot a = a$; every $a$ has an inverse $a^{-1}$ s.t. $a^{-1} \cdot a = a \cdot a^{-1} = 1$; $\cdot$ is commutative: $\forall a, b\ a \cdot b = b \cdot a$. Commutative Ring with Identity: a commutative ring $(R, +, \cdot)$ with identity is a set $R$ together with two binary operations s.t. $(R, +)$ is an (additive) abelian group; the distributive laws hold: $\forall a, b, c\ a \cdot (b + c) = a \cdot b + a \cdot c$ and $(b + c) \cdot a = b \cdot a + c \cdot a$; $\cdot$ is associative and commutative; there is a unity $1$ s.t. $\forall a\ a \cdot 1 = 1 \cdot a = a$.

44-45 Fields. Field: a field $K$ is a commutative ring $(R, +, \cdot)$ for which additionally $(R \setminus \{0\}, \cdot)$ forms an abelian group. A subset $L \subseteq K$ is called a subfield if it is closed under $+$ and $\cdot$ and is a field under those operations; in this case $K$ is called an extension (field) of $L$. The characteristic of a field $K$ is the smallest integer $n > 0$ such that $\forall a \in K\ [n]a = a + \cdots + a = 0$, or $0$ if no such $n$ exists. If $n > 0$, it is always prime. Some fields of characteristic 0: $\mathbb{Q}$ the rationals, the prime field of characteristic 0; number fields; $\mathbb{C}$ the complex numbers, algebraically closed.

46-48 Finite Fields. Prime Fields: a prime field contains no proper subfields; it is isomorphic to either $\mathbb{F}_p$ if the characteristic is $p > 0$ or $\mathbb{Q}$ if it is 0. We write $\mathbb{F}_p = \{0, 1, \ldots, p-1\}$ with addition and multiplication modulo the prime $p$, and more generally $\mathbb{F}_q$ for a finite field with $q$ elements. Theorem: let $\mathbb{F}_q$ be a finite field, then $q = p^m$ for a prime $p$ and an integer $m > 0$; $p$ is called the characteristic and $m$ the extension degree. Theorem: let $\mathbb{F}_q$ be a finite field, then $\mathbb{F}_q^*$ is cyclic of order $q - 1$. If $l \mid q - 1$, then $\exists!\, G_l \subseteq \mathbb{F}_q^*$. $\mathbb{F}_{q^d}$ is a subfield of $\mathbb{F}_{q^n}$ iff $d \mid n$.

49-50 Finite Fields. Field Homomorphism: let $K$ and $L$ be fields and $\varphi : K \to L$ a map. Then $\varphi$ is a field homomorphism if $\forall a, b \in K\ \varphi(a + b) = \varphi(a) + \varphi(b)$, $\forall a, b \in K\ \varphi(ab) = \varphi(a)\varphi(b)$, and $\varphi(1) = 1$ or $\varphi \equiv 0$. If $\varphi$ is bijective, it is an isomorphism and $K$ and $L$ are isomorphic. If additionally $K = L$ we speak of an automorphism. Theorem: any two finite fields with the same order are isomorphic. Galois Group: let $\mathbb{F}_{q^n}$ be given. Consider the set of automorphisms that leave $\mathbb{F}_q$ invariant, so $\forall a \in \mathbb{F}_q\ \varphi(a) = a$. Under function composition this set forms the Galois group, denoted $\mathrm{Gal}(\mathbb{F}_{q^n}/\mathbb{F}_q)$.

51 Frobenius, Trace and Norm. Frobenius Isomorphism: let $\mathbb{F}_{q^n}$ be given. Then $q$-th powering, $\sigma(a) = a^q$, is an isomorphism, known as the Frobenius isomorphism. It generates $\mathrm{Gal}(\mathbb{F}_{q^n}/\mathbb{F}_q)$. Let $d \mid n$; then define $N_{\mathbb{F}_{q^n}/\mathbb{F}_{q^d}}, \mathrm{Tr}_{\mathbb{F}_{q^n}/\mathbb{F}_{q^d}} : \mathbb{F}_{q^n} \to \mathbb{F}_{q^d}$ by
$N_{\mathbb{F}_{q^n}/\mathbb{F}_{q^d}}(g) = \prod_{i=0}^{n/d - 1} g^{q^{di}} = g^{1 + q^d + \cdots + q^{n-d}}$,
$\mathrm{Tr}_{\mathbb{F}_{q^n}/\mathbb{F}_{q^d}}(g) = \sum_{i=0}^{n/d - 1} g^{q^{di}} = g + g^{q^d} + \cdots + g^{q^{n-d}}$.

52 Extensions as Vector Space. Let $L$ be an extension field of $K$; then $L$ is a vector space over $K$: if $a, b \in L$ then $a + b \in L$; if $a \in K$ and $b \in L$ then $ab \in L$. If it is finite dimensional, we call the dimension of $L$ over $K$, denoted $[L : K]$, the extension degree. If $n = [L : K]$ then any basis $\theta_1, \ldots, \theta_n$ induces a bijection $K^n \to L$. If we want to forget some of $K^n$'s structure we write $\mathbb{A}^n(K)$ for $n$-dimensional affine space.

53-58 Polynomial Ring. Let $K$ be a field, then $K[x]$ is the ring of univariate polynomials with coefficients in $K$. Suppose $n = [L : K]$ and $\theta \in L$; then $1, \theta, \ldots, \theta^n$ are $K$-linearly dependent in $L$: $\exists (a_0, \ldots, a_n) \in K^{n+1} \setminus \{0\} : a_0 + a_1\theta + \cdots + a_n\theta^n = 0$. Hence there is a nonzero polynomial in $K[x]$ that $\theta$ is a root of. The polynomials in $K[x]$ that $\theta$ is a root of form an ideal $I$. The lowest-degree monic polynomial in $I$ is the minimal polynomial of $\theta$ over $K$. The minimal polynomial is irreducible (over $K$) and generates $I$. Theorem: if $f \in \mathbb{F}_q[x]$ is irreducible in $\mathbb{F}_q[x]$ of degree $n$, then $\mathbb{F}_q[x]/(f)$ is isomorphic to the finite field $\mathbb{F}_{q^n}$.

59-60 Polynomial Ring. Theorem: if $f \in \mathbb{F}_q[x]$ is irreducible in $\mathbb{F}_q[x]$ of degree $m$, then $\mathbb{F}_q[x]/(f)$ is isomorphic to the finite field $\mathbb{F}_{q^m}$. Let $f$ be irreducible in $\mathbb{F}_q[x]$ of degree $m$: then $f$ has roots $\alpha, \alpha^q, \alpha^{q^2}, \ldots, \alpha^{q^{m-1}}$, all distinct elements of $\mathbb{F}_{q^m}$, and $f = (x - \alpha)(x - \alpha^q) \cdots (x - \alpha^{q^{m-1}})$. Let $\mathbb{F}_{q^n} = \mathbb{F}_q(\theta)$; then the minimal polynomial of $\theta$ is of the form $x^n - \mathrm{Tr}_{\mathbb{F}_{q^n}/\mathbb{F}_q}(\theta)\, x^{n-1} + \cdots + (-1)^n N_{\mathbb{F}_{q^n}/\mathbb{F}_q}(\theta)$.

61-62 Basic Arithmetic in Quadratic Extensions. Let $\mathbb{F}_{q^2} = \mathbb{F}_q(\theta)$ with $\theta^2 + A\theta + B = 0$. Then $A = -\mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(\theta) = -\theta - \theta^q$ and $B = N_{\mathbb{F}_{q^2}/\mathbb{F}_q}(\theta) = \theta^{q+1}$.
$(a_1\theta + a_0)^q = -a_1\theta + a_0 - Aa_1$
$(a_1\theta + a_0)(b_1\theta + b_0) = (a_0 b_1 + a_1 b_0 - A a_1 b_1)\theta + a_0 b_0 - B a_1 b_1$
$(a_1\theta + a_0)^2 = (2 a_0 a_1 - A a_1^2)\theta + a_0^2 - B a_1^2$
$N_{\mathbb{F}_{q^2}/\mathbb{F}_q}(a_1\theta + a_0) = (a_1\theta + a_0)(-a_1\theta + a_0 - Aa_1) = a_0^2 - A a_0 a_1 + B a_1^2$
$\mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(a_1\theta + a_0) = 2a_0 - A a_1$

63-67 Arithmetic in a Tailored Quadratic Extension: the case $q$ a prime congruent to 3 mod 4. Let $\mathbb{F}_{q^2} = \mathbb{F}_q(\zeta_4)$ with $\zeta_4$ a primitive 4th root of unity, $(\zeta_4)^4 = 1$. Then $A = -\mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(\zeta_4) = -\zeta_4 - \zeta_4^q = 0$ and $B = N_{\mathbb{F}_{q^2}/\mathbb{F}_q}(\zeta_4) = \zeta_4^{q+1} = 1$, so the minimal polynomial of $\zeta_4$ is $x^2 + 1$ (i.e. $\zeta_4^2 = -1$) and the general formulas specialise to
$(a_1\zeta_4 + a_0)^q = -a_1\zeta_4 + a_0$
$(a_1\zeta_4 + a_0)(b_1\zeta_4 + b_0) = (a_0 b_1 + a_1 b_0)\zeta_4 + a_0 b_0 - a_1 b_1 = ((a_0 + a_1)(b_0 + b_1) - a_0 b_0 - a_1 b_1)\zeta_4 + a_0 b_0 - a_1 b_1$
$(a_1\zeta_4 + a_0)^2 = 2 a_0 a_1 \zeta_4 + a_0^2 - a_1^2 = 2 a_0 a_1 \zeta_4 + (a_0 + a_1)(a_0 - a_1)$
$N_{\mathbb{F}_{q^2}/\mathbb{F}_q}(a_1\zeta_4 + a_0) = a_0^2 + a_1^2$
$\mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(a_1\zeta_4 + a_0) = 2a_0$
Multiplication: 3 $\mathbb{F}_q$-multiplications. Squaring: 2 $\mathbb{F}_q$-multiplications.
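The tailored arithmetic of slides 63-67 as an added example (not code from the slides), which also serves the Frobenius, trace and norm definitions of slide 51 and the degree-2 instance of the minimal polynomial on slides 59-60. The prime $q = 1019 \equiv 3 \pmod 4$ is a constructed toy value; `general_mul` is the schoolbook formula of slide 61 with arbitrary $A, B$, kept only to confirm that the 3-multiplication product is its $A = 0$, $B = 1$ special case.

```python
# Arithmetic in F_{Q^2} = F_Q(zeta4) for a prime Q = 3 (mod 4), so x^2 + 1 is irreducible over F_Q.
Q = 1019  # constructed toy prime, Q % 4 == 3


class Fq2:
    """Element a1*zeta4 + a0 of F_Q(zeta4), with zeta4^2 = -1 (A = 0, B = 1 on the slides)."""
    __slots__ = ("a0", "a1")

    def __init__(self, a0, a1=0):
        self.a0, self.a1 = a0 % Q, a1 % Q

    def __eq__(self, other):
        return (self.a0, self.a1) == (other.a0, other.a1)

    def __repr__(self):
        return f"Fq2({self.a0}, {self.a1})"

    def frobenius(self):
        # (a1 zeta4 + a0)^q = -a1 zeta4 + a0: conjugation, no F_q multiplication at all
        return Fq2(self.a0, -self.a1)

    def mul(self, other):
        # 3 F_q multiplications (the Karatsuba-style rewrite on slide 66)
        t0 = self.a0 * other.a0
        t1 = self.a1 * other.a1
        t2 = (self.a0 + self.a1) * (other.a0 + other.a1)
        return Fq2(t0 - t1, t2 - t0 - t1)

    def square(self):
        # 2 F_q multiplications: (a0 + a1)(a0 - a1) and a0*a1; the doubling is an addition
        return Fq2((self.a0 + self.a1) * (self.a0 - self.a1), 2 * (self.a0 * self.a1))

    def power(self, n):
        # plain square-and-multiply, used only to cross-check the closed forms above
        result, base = Fq2(1), self
        while n:
            if n & 1:
                result = result.mul(base)
            base = base.square()
            n >>= 1
        return result

    def norm(self):
        # N(a) = a * a^q = a0^2 + a1^2, an element of F_q
        return (self.a0 * self.a0 + self.a1 * self.a1) % Q

    def trace(self):
        # Tr(a) = a + a^q = 2*a0, an element of F_q
        return (2 * self.a0) % Q


def general_mul(a, b, A, B):
    """Slide 61's product in F_q(theta) with theta^2 + A*theta + B = 0, for comparison."""
    c1 = (a.a0 * b.a1 + a.a1 * b.a0 - A * a.a1 * b.a1) % Q
    c0 = (a.a0 * b.a0 - B * a.a1 * b.a1) % Q
    return Fq2(c0, c1)


def consistency_checks(a, b):
    """True if every closed form above agrees with its definition for the elements a and b."""
    zeta = Fq2(0, 1)
    return (
        a.mul(b) == general_mul(a, b, 0, 1)                       # tailored product = A=0, B=1 case
        and a.square() == a.mul(a)
        and a.frobenius() == a.power(Q)                           # Frobenius is q-th powering
        and a.mul(a.frobenius()) == Fq2(a.norm())                 # N(a) = a * a^q lies in F_q
        and (a.a0 + a.frobenius().a0) % Q == a.trace()            # Tr(a) = a + a^q ...
        and (a.a1 + a.frobenius().a1) % Q == 0                    # ... and its zeta4 part vanishes
        and zeta.square() == Fq2(-1)                              # zeta4 is a root of x^2 + 1
        and zeta.power(4) == Fq2(1)                               # (zeta4)^4 = 1
        and zeta.frobenius() == Fq2(0, -1)                        # zeta4^q = -zeta4 since q = 3 mod 4
        and (zeta.trace(), zeta.norm()) == (0, 1)                 # A = -Tr(zeta4) = 0, B = N(zeta4) = 1
        and a.power(Q * Q - 1) == Fq2(1)                          # |F_{q^2}^*| = q^2 - 1
    )
```

The check `zeta.square() == Fq2(-1)` together with `(zeta.trace(), zeta.norm()) == (0, 1)` is the slide 59-60 statement that the minimal polynomial of $\zeta_4$ is $x^2 - \mathrm{Tr}(\zeta_4)x + N(\zeta_4) = x^2 + 1$.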

68-70 Left-to-Right Binary Exponentiation. Let $g \in G_l$ and $n \in \mathbb{Z}_l$ with $n = \sum_{i=0}^{k-1} n_i 2^i$, $n_i \in \{0, 1\}$. Compute $g^n$ using the invariant: for $0 \le j \le k$, $a = \sum_{i=j}^{k-1} n_i 2^{i-j}$ and $A = g^a$. Algorithm $(g, n) \mapsto g^n$: set $a \leftarrow 0$, $A \leftarrow 1$ and $j \leftarrow k$; while $j > 0$ do: if $n_{j-1} = 0$ then set $a \leftarrow 2a$ and $A \leftarrow A^2$; else set $a \leftarrow 2a + 1$ and $A \leftarrow g \cdot A^2$; set $j \leftarrow j - 1$; end while; return $A$. (Slide 68 writes the loop body as $a \leftarrow 2a$, $A \leftarrow A^2$, then if $n_{j-1} = 1$: $a \leftarrow a + 1$, $A \leftarrow g \cdot A$; the two are equivalent.) Cost for an "average" exponent $n \in \mathbb{Z}_l$: $\lg l$ squarings and $\tfrac{1}{2} \lg l$ multiplications.
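The left-to-right binary method of slides 68-70 as an added example (not code from the slides), run in the constructed toy group $\langle 4 \rangle \subset \mathbb{F}_{1019}^*$ of prime order $509$. The loop invariant $a = \sum_{i \ge j} n_i 2^{i-j}$, $A = g^a$ is asserted after every iteration, and the operation counts are returned so the "$\lg l$ squarings and $\tfrac12 \lg l$ multiplications" estimate can be checked over all short exponents.

```python
# Constructed toy group (not for real use): G = 4 generates the subgroup of prime order L = 509 in F_P^*.
P, L, G = 1019, 509, 4


def l2r_exp(g, n, p=P, check_invariant=True):
    """Return (g^n mod p, number of squarings, number of multiplications by g)."""
    bits = [(n >> i) & 1 for i in range(n.bit_length())]   # n = sum n_i 2^i for i = 0 .. k-1
    k = len(bits)
    a, A, j = 0, 1, k
    squarings = multiplications = 0
    while j > 0:
        if bits[j - 1] == 0:
            a, A = 2 * a, (A * A) % p                       # a <- 2a, A <- A^2
        else:
            a, A = 2 * a + 1, (g * ((A * A) % p)) % p       # a <- 2a + 1, A <- g * A^2
            multiplications += 1
        squarings += 1                                       # the first one, of A = 1, is trivial
        j -= 1
        if check_invariant:
            # a is the top k - j bits of n and A = g^a: the invariant of slide 68
            assert a == n >> j and A == pow(g, a, p)
    return A, squarings, multiplications


def average_multiplications(k, g=G, p=P):
    """Mean multiplication count over all exponents 0 <= n < 2^k: the multiplications
    equal the Hamming weight of n, whose mean is k/2, the slide's 1/2 lg l."""
    total = sum(l2r_exp(g, n, p, check_invariant=False)[2] for n in range(2 ** k))
    return total / 2 ** k
```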

71-72 Cyclotomic Polynomial. Let $n \in \mathbb{N}$. An element $z \in K$ is an $n$-th root of unity if $z^n = 1$; it is primitive if $z^d \neq 1$ for all $0 < d < n$. The $n$-th cyclotomic polynomial $\Phi_n(x)$ is the product $\prod (x - z)$ over all primitive $n$-th roots of unity. If $K = \mathbb{C}$, then $\Phi_n(x) \in \mathbb{Z}[x]$; if $\mathrm{char}(K) = p$, then $\Phi_n(x) \in \mathbb{F}_p[x]$. $\deg(\Phi_n(x)) = \varphi(n) = |\{1 \le i \le n : \gcd(i, n) = 1\}|$. $x^n - 1 = \prod_{d \mid n} \Phi_d(x)$. Cyclotomic Subgroup: let $n \in \mathbb{N}$ and $q$ a prime power. Define $G_{q,n}$ as the unique subgroup of $\mathbb{F}_{q^n}^*$ of order $\Phi_n(q)$.

73 Cyclotomic Polynomial. Some identities involving cyclotomic polynomials: if $n$ is prime, then $\Phi_n(x) = \sum_{i=0}^{n-1} x^i$; if $m \mid n$ then $\Phi_{mn}(x) = \Phi_n(x^m)$; if $m$ is prime and $m \nmid n$, then $\Phi_{mn}(x) = \Phi_n(x^m)/\Phi_n(x)$; if $n > 1$ is odd, then $\Phi_{2n}(x) = \Phi_n(-x)$. Some cyclotomic polynomials: $\Phi_1(q) = q - 1$, $\Phi_2(q) = q + 1$, $\Phi_3(q) = q^2 + q + 1$, $\Phi_4(q) = q^2 + 1$, $\Phi_6(q) = q^2 - q + 1$.
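Slides 71-73 as an added example (not code from the slides): $\Phi_n(x)$ is computed over $\mathbb{Z}$ directly from $x^n - 1 = \prod_{d \mid n} \Phi_d(x)$ by exact division, the listed identities are verified for all $n \le 30$, and $\Phi_n(q)$ gives the order of the cyclotomic subgroup $G_{q,n}$ for the constructed toy prime $q = 1019$. Polynomials are coefficient lists, lowest degree first; the names are my own.

```python
from functools import lru_cache
from math import gcd

# Integer polynomials as lists/tuples of coefficients, lowest degree first.


def pmul(a, b):
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] += x * y
    return r


def pdiv(a, b):
    """Exact division by a monic polynomial b over Z; raises if b does not divide a."""
    assert b[-1] == 1, "divisor must be monic"
    a = list(a)
    q = [0] * (len(a) - len(b) + 1)
    for i in range(len(q) - 1, -1, -1):
        q[i] = a[i + len(b) - 1]
        for j, y in enumerate(b):
            a[i + j] -= q[i] * y
    if any(a):
        raise ValueError("not an exact division")
    return q


def compose_power(p, m):
    """p(x^m): the coefficient of x^i moves to x^(i*m)."""
    r = [0] * ((len(p) - 1) * m + 1)
    for i, c in enumerate(p):
        r[i * m] = c
    return r


def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def euler_phi(n):
    return sum(1 for i in range(1, n + 1) if gcd(i, n) == 1)


@lru_cache(maxsize=None)
def cyclotomic(n):
    """Phi_n(x) as a tuple: divide x^n - 1 by Phi_d(x) for every proper divisor d of n."""
    num = [-1] + [0] * (n - 1) + [1]                 # x^n - 1
    for d in divisors(n)[:-1]:                       # all d | n with d < n
        num = pdiv(num, cyclotomic(d))
    return tuple(num)


def peval(p, x):
    return sum(c * x ** i for i, c in enumerate(p))


def cyclotomic_subgroup_order(q, n):
    """|G_{q,n}| = Phi_n(q), a divisor of |F_{q^n}^*| = q^n - 1 (slide 72)."""
    return peval(cyclotomic(n), q)


def check_identities(limit=30):
    """Verify the degree formula, the product formula and slide 73's identities for all n <= limit."""
    for n in range(1, limit + 1):
        phi_n = cyclotomic(n)
        if len(phi_n) - 1 != euler_phi(n):                          # deg Phi_n = phi(n)
            return False
        prod = [1]
        for d in divisors(n):
            prod = pmul(prod, cyclotomic(d))
        if prod != [-1] + [0] * (n - 1) + [1]:                      # x^n - 1 = prod_{d|n} Phi_d(x)
            return False
        if is_prime(n) and phi_n != (1,) * n:                       # prime n: 1 + x + ... + x^(n-1)
            return False
        if n > 1 and n % 2 == 1:                                    # odd n > 1: Phi_{2n}(x) = Phi_n(-x)
            if cyclotomic(2 * n) != tuple(c * (-1) ** i for i, c in enumerate(phi_n)):
                return False
        for m in range(2, limit // n + 1):
            if n % m == 0 and cyclotomic(m * n) != tuple(compose_power(phi_n, m)):
                return False                                        # m | n: Phi_{mn}(x) = Phi_n(x^m)
            if is_prime(m) and n % m != 0:
                if cyclotomic(m * n) != tuple(pdiv(compose_power(phi_n, m), phi_n)):
                    return False                                    # prime m not dividing n
    return True
```

For $n = 2$ the order is $q + 1 = 1020$, the LUC group of the next section; for $n = 6$ it is $q^2 - q + 1$, the XTR group.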

74-75 Cyclotomic Subgroup. Let $n \in \mathbb{N}$ and $q$ a prime power. Define $G_{q,n}$ as the unique subgroup of $\mathbb{F}_{q^n}^*$ of order $\Phi_n(q)$. Equivalent characterization: $G_{q,n} = \{g \in \mathbb{F}_{q^n}^* : N_{\mathbb{F}_{q^n}/\mathbb{F}_{q^d}}(g) = 1 \text{ for all } 1 \le d < n,\ d \mid n\}$. Hardness of the DLP: if $g \in G_{q,n}$ and $\mathrm{ord}(g) \nmid n$, then $g \notin \mathbb{F}_{q^d}$ for all $d < n$ (so the DLP in $G_{q,n}$ does not reduce to a DLP in a proper subfield).

76 Outline: part 3, Trace-Based Cryptosystems (Degree 2: LUC; Degree 6: XTR).

77-82 Degree 2: LUC, Compressing and Decompressing [SL93, SS94]. Consider $G_{q,2} \subseteq \mathbb{F}_{q^2}^*$, so $|G_{q,2}| = q + 1$. We want a map $G_{q,2} \to \mathbb{F}_q$. Two well-known mappings $\mathbb{F}_{q^2} \to \mathbb{F}_q$: norm and trace. Norm: $G_{q,2} = \{g \in \mathbb{F}_{q^2}^* : N_{\mathbb{F}_{q^2}/\mathbb{F}_q}(g) = 1\}$, so the norm is identically 1 on $G_{q,2}$ and carries no information. Trace compression: for $g \in G_{q,2}$ it holds that $g^{q+1} = 1$, so $g^q = g^{-1}$ and $\mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(g) = g + g^{-1} = \mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(g^q)$. Trace decompression: retrieving $g \in G_{q,2}$ given $v = \mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(g)$: $(x - g)(x - g^q) = x^2 - \mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(g)\, x + N_{\mathbb{F}_{q^2}/\mathbb{F}_q}(g) = x^2 - vx + 1$. So given $v$ you can recover $\{g, g^q\}$ as the roots of $x^2 - vx + 1$.

83-86 Degree 2: LUC, The Main Recurrence Relation. Task: let $g$ be a generator of $G_{q,2}$ and define $v_n = \mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(g^n)$ for $n \in \mathbb{Z}$. Let $a, b \in G_{q,2}$; given $\mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(a)$ and $\mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(b)$, how to compute $\mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(a \cdot b)$? $a, b$ are in a cyclic group generated by $g$, so write $a = g^n$ and $b = g^m$ (for possibly unknown $n, m$). Given $v_n$ and $v_m$, we need to compute $v_{n+m}$.
$v_n v_m = (g^n + g^{-n})(g^m + g^{-m}) = g^{n+m} + g^{-(n+m)} + g^{n-m} + g^{-(n-m)} = v_{n+m} + v_{n-m}$,
so $v_{n+m} = v_n v_m - v_{n-m}$. Multiplication is possible if the quotient, $v_{n-m} = \mathrm{Tr}(a/b)$, is known.

87 Degree 2: LUC, Auxiliary Recurrence Relations. Theorem: let $g$ be a generator of $G_{q,2}$, define $v_n = \mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(g^n)$ for $n \in \mathbb{Z}$ and write $v = v_1$. Then $v_{n+m} = v_n v_m - v_{n-m}$; $v_{-n} = v_n$; $v_{n+1} = v\, v_n - v_{n-1}$; $v_{2n} = v_n^2 - 2$; $v_{2n+1} = v_n v_{n+1} - v$; $v_{2n+2} = v_{n+1}^2 - 2$.

88-94 Degree 2: LUC, Left-to-Right Binary Exponentiation (Final). Start from the group algorithm of slide 68 and replace $g$ by $v = \mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(g)$ and $A = g^a$ by $A = v_a$: the squaring step becomes $v_{2a} = v_a^2 - 2$, but the step $v_{2a+1} = v_{a+1} v_a - v$ also needs $v_{a+1}$, so a second register $B = v_{a+1}$ is carried along. Let $g \in G_l$, $v = \mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(g)$ and $n = \sum_{i=0}^{k-1} n_i 2^i \in \mathbb{Z}_l$, $n_i \in \{0, 1\}$. Compute $v_n$ using the invariant: for $0 \le j \le k$, $a = \sum_{i=j}^{k-1} n_i 2^{i-j}$, $A = v_a$ and $B = v_{a+1}$. Algorithm $(v, n) \mapsto v_n$: set $a \leftarrow 0$, $A \leftarrow 2$, $B \leftarrow v$ and $j \leftarrow k$; while $j > 0$ do: if $n_{j-1} = 0$ then set $a \leftarrow 2a$, $B \leftarrow AB - v$ and $A \leftarrow A^2 - 2$; else set $a \leftarrow 2a + 1$, $A \leftarrow AB - v$ and $B \leftarrow B^2 - 2$; set $j \leftarrow j - 1$; end while; return $A$. Cost: $\lg l$ $\mathbb{F}_q$-squarings and $\lg l$ $\mathbb{F}_q$-multiplications.

95-96 Degree 2: LUC Intermezzo

LUC Overview
  Based on $G_{q,2} \subset \mathbb{F}_{q^2}^*$, using $\mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}$ for compression.
  Exponentiation $v_n = \mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(g^n)$ is based on Lucas' recurrence $v_{n+m} = v_n v_m - v_{n-m}$.
  Computing $v_n$ with the binary method costs $\lg l$ $\mathbb{F}_q$-multiplications and as many squarings (compared to $3.5 \lg l$ $\mathbb{F}_q$-multiplications for naive exponentiation in $\mathbb{F}_q(\zeta_4)$).
  This suffices for Diffie-Hellman key agreement and hybrid ElGamal, without ever having to decompress.

But what about signatures? Verification of Schnorr signatures involves $g^t X^{-c}$, or more generally the double exponentiation $g^n h^m$.

97-99 Degree 2: LUC Double Exponentiation

Standard double exponentiation: compute $g^n h^m$. Suppose $v = \mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(g)$ and $w = \mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(h)$; can we compute $\mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(g^n h^m)$ for any given $n$ and $m$?

The problem is underdefined: $v$ and $w$ only define the conjugate pairs $\{g, g^q\}$ and $\{h, h^q\}$ respectively, and typically $\mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(gh) \neq \mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(g h^q)$. The quotient $\mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(g/h)$ is needed as well.

Double Exponentiation
  Given $v_\kappa, v_\lambda, v_{\kappa-\lambda} \in \mathbb{F}_q$ and integers $n, m$, compute $v_{n\kappa + m\lambda}$.

100-101 Degree 2: LUC Double Exponentiation: Montgomery's PRAC algorithm

Double Exponentiation
  Given $v_\kappa, v_\lambda, v_{\kappa-\lambda} \in \mathbb{F}_q$ and integers $n, m$, compute $v_{n\kappa + m\lambda}$.

Invariant
  $d > 0$, $e \ge 0$, $ad + be = n\kappa + m\lambda$, $\gcd(d, e) = \gcd(n, m)$, $A = v_a$, $B = v_b$, $C = v_{a-b}$.

Algorithm $(v_\kappa, v_\lambda, v_{\kappa-\lambda}, n, m) \mapsto v_{n\kappa + m\lambda}$
  Set $(d, e) \leftarrow (n, m)$, $(a, b) \leftarrow (\kappa, \lambda)$ and $(A, B, C) \leftarrow (v_\kappa, v_\lambda, v_{\kappa-\lambda})$;
  While $e > 0$ do
    Pick an admissible matrix $S$ for $(d, e)$;
    Set $(d, e) \leftarrow (d, e) S$ and $(a, b) \leftarrow (a, b) S^{-T}$;
    Update $A$, $B$ and $C$ accordingly, respecting the invariant;
  End while
  Run a single exponentiation algorithm with base $A$ and exponent $d$;
  Return $A_d$ (that is, $v_{ad} = v_{n\kappa + m\lambda}$, since $e = 0$).

102-104 Degree 2: LUC Double Exponentiation: Sample S

Invariant: $d > 0$, $e \ge 0$, $ad + be = n\kappa + m\lambda$, $\gcd(d, e) = \gcd(n, m)$, $A = v_a$, $B = v_b$, $C = v_{a-b}$.
Step: pick an admissible matrix $S$ for $(d, e)$; set $(d, e) \leftarrow (d, e) S$ and $(a, b) \leftarrow (a, b) S^{-T}$; update $A$, $B$ and $C$ accordingly, respecting the invariant.

Subtractive Euclidean step. Consider $(d, e) \leftarrow (e, d - e)$. Then
  $S = \begin{pmatrix} 0 & 1 \\ 1 & -1 \end{pmatrix}$, $S^{-T} = \begin{pmatrix} 1 & 1 \\ 1 & 0 \end{pmatrix}$,
so $(a, b) \leftarrow (a + b, a)$ and $(A, B, C) \leftarrow (AB - C, A, B)$.

Binary Euclidean step. Consider $(d, e) \leftarrow ((d - e)/2, e)$, applicable when $d - e$ is even. Then
  $S = \begin{pmatrix} 1/2 & 0 \\ -1/2 & 1 \end{pmatrix}$, $S^{-T} = \begin{pmatrix} 2 & 1 \\ 0 & 1 \end{pmatrix}$,
so $(a, b) \leftarrow (2a, a + b)$ and $(A, B, C) \leftarrow (A^2 - 2, AB - C, C)$.

Heuristic Runtime
  For two random exponents in $\mathbb{Z}_l$, a double exponentiation takes $1.5 \lg l$ $\mathbb{F}_q$-multiplications and $0.33 \lg l$ $\mathbb{F}_q$-squarings on average (compare to $1.5 \lg l$ $\mathbb{F}_q$-multiplications and $\lg l$ $\mathbb{F}_q$-squarings for the $\mathbb{F}_{q^2}$ method).

105 Degree 2: LUC Signature Protocol

Let $l$ be prime, $\langle g \rangle = G_l \subset G_{q,2} \subset \mathbb{F}_{q^2}^*$, and $H : G_l \times \{0, 1\}^* \to \mathbb{Z}_l$. Public parameter $v = \mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(g)$.

Key generation (Kg): $x \leftarrow \mathbb{Z}_l$; public key $(v_x, v_{x-1})$.
Signing message $m$: $r \leftarrow \mathbb{Z}_l$; $c = H(v_r, m)$; $t = r + cx \in \mathbb{Z}_l$; $\sigma = (c, t)$.
Verification: check $c \stackrel{?}{=} H(\mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(g^t X^{-c}), m)$,
  where $\mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}(g^t X^{-c}) = \mathrm{PRAC}((v_x, v, v_{x-1}), (l - c, t))$.
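Worked example, added here and not code from the slides or from the LUC/PRAC authors: slide 94's left-to-right Lucas exponentiation, the PRAC-style double exponentiation of slides 100-104 using only the two sample steps of slides 102-103 (plus a swap), and the signature protocol of slide 105, each checked against direct $\mathbb{F}_{q^2}$ arithmetic. Everything parameter-like is this example's assumption: the toy sizes $q = 211$, $l = 53$, the representation $\mathbb{F}_{q^2} = \mathbb{F}_q(i)$, SHA-256 as $H$ (kept unreduced so a forgery cannot slip through by a $1/l$ fluke at toy size), and the simple rule that decides which PRAC step to take.

```python
import hashlib
import secrets

Q = 211   # prime, Q = 3 mod 4, so F_{Q^2} = F_Q(i) with i^2 = -1  (toy size: this example's assumption)
L = 53    # prime with L | Q + 1 = |G_{Q,2}|; the signature lives in the order-L subgroup

def fq2_mul(x, y):
    """(a + b i)(c + d i) in F_Q(i)."""
    a, b = x
    c, d = y
    return ((a * c - b * d) % Q, (a * d + b * c) % Q)

def fq2_pow(x, n):
    """Square-and-multiply in F_{Q^2}; only used as ground truth for the trace algorithms."""
    r, base = (1, 0), x
    while n:
        if n & 1:
            r = fq2_mul(r, base)
        base = fq2_mul(base, base)
        n >>= 1
    return r

def trace(x):
    """Tr_{F_{Q^2}/F_Q}(a + b i) = (a + b i) + (a - b i) = 2a, as the Frobenius x -> x^Q is conjugation."""
    return (2 * x[0]) % Q

def find_generator():
    """Deterministic element of order L in G_{Q,2}: raise a + i to the cofactor (Q^2 - 1)/L."""
    cofactor = (Q * Q - 1) // L
    for a in range(1, Q):
        g = fq2_pow((a, 1), cofactor)
        if g != (1, 0):
            return g
    raise ValueError("no element of order L")

def luc_pow(v, n):
    """Slide 94: v_n = Tr(g^n) from v = v_1 = Tr(g), bits of n left to right.
    Invariant (A, B) = (v_a, v_{a+1}); v_{2a} = v_a^2 - 2, v_{2a+1} = v_{a+1} v_a - v."""
    A, B = 2 % Q, v % Q                      # v_0 = Tr(1) = 2, v_1 = v
    for j in range(n.bit_length() - 1, -1, -1):
        if (n >> j) & 1 == 0:                # a <- 2a
            A, B = (A * A - 2) % Q, (A * B - v) % Q
        else:                                # a <- 2a + 1
            A, B = (A * B - v) % Q, (B * B - 2) % Q
    return A

def prac(v_k, v_l, v_kl, n, m):
    """Slides 100-104: from v_kappa, v_lambda, v_{kappa-lambda} compute v_{n kappa + m lambda}.
    Invariant: d > 0, e >= 0, a d + b e = n kappa + m lambda, (A, B, C) = (v_a, v_b, v_{a-b}).
    The step-selection rule below is this example's simplification, not Montgomery's full rule set."""
    d, e = n, m
    A, B, C = v_k % Q, v_l % Q, v_kl % Q
    if d == 0:                               # keep d > 0; v_{b-a} = v_{a-b} in LUC, so C is unchanged
        d, e, A, B = e, d, B, A
    if d == 0:
        return 2 % Q                         # n = m = 0: v_0
    while e > 0:
        if d < e:                            # swap roles: (a, b) <- (b, a)
            d, e, A, B = e, d, B, A
        elif (d - e) % 2 == 0 and d > e:     # slide 103: (d, e) <- ((d - e)/2, e), (a, b) <- (2a, a + b)
            d = (d - e) // 2
            A, B = (A * A - 2) % Q, (A * B - C) % Q
        else:                                # slide 102: (d, e) <- (e, d - e), (a, b) <- (a + b, a)
            d, e = e, d - e
            A, B, C = (A * B - C) % Q, A, B
    return luc_pow(A, d)                     # e = 0, so the target is v_{a d}

def H(v_r, msg):
    """Hash of (v_r, m); slide 105 reduces into Z_l, here the reduction is done in the exponent instead."""
    return int.from_bytes(hashlib.sha256(v_r.to_bytes(4, "big") + msg).digest(), "big")

def keygen(v):
    """Kg: x <- Z_l, public key (v_x, v_{x-1}); luc_pow(v, 0) = 2 covers x = 1."""
    x = secrets.randbelow(L - 1) + 1
    return x, (luc_pow(v, x), luc_pow(v, x - 1))

def sign(v, x, msg):
    """r <- Z_l, c = H(v_r, m), t = r + c x mod l, sigma = (c, t)."""
    r = secrets.randbelow(L)
    c = H(luc_pow(v, r), msg)
    return c, (r + c * x) % L

def verify(v, pk, msg, sig):
    """Tr(g^t X^{-c}) = v_{(-c mod l) x + t} = PRAC((v_x, v, v_{x-1}), (l - c, t)); accept iff it hashes to c."""
    (v_x, v_xm1), (c, t) = pk, sig
    return c == H(prac(v_x, v, v_xm1, (-c) % L, t), msg)

def self_check():
    g = find_generator()
    v = trace(g)
    ok = all(luc_pow(v, n) == trace(fq2_pow(g, n)) for n in range(2 * L))
    kappa, lam = 17, 5
    v_k, v_l, v_kl = luc_pow(v, kappa), luc_pow(v, lam), luc_pow(v, kappa - lam)
    ok &= all(prac(v_k, v_l, v_kl, n, m) == luc_pow(v, n * kappa + m * lam)
              for n in range(40) for m in range(40))
    x, pk = keygen(v)
    sig = sign(v, x, b"constructed test message")       # constructed sample message
    ok &= verify(v, pk, b"constructed test message", sig)
    ok &= not verify(v, pk, b"tampered message", sig)
    return ok
```

Running `self_check()` compares every `luc_pow` value with the trace of the actual power $g^n$, compares `prac` with the single-exponentiation result for a grid of $(n, m)$, and then signs and verifies a message; the verifier never reconstructs $g$ or $X$, which is the point of working on traces. Note that when $d$ and $e$ are both even the binary step of slide 103 halves $\gcd(d, e)$, so the $\gcd$ bookkeeping of the slide's invariant is not maintained by this simplified rule; the exponent invariant $ad + be = n\kappa + m\lambda$ is, which is all correctness needs.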

106-107 Degree 6: XTR Efficient Compact Subgroup Trace Representation (ECSTR) [LV00]

Consider $G_{q,6} \subset \mathbb{F}_{q^6}^*$, so $|G_{q,6}| = q^2 - q + 1$. We want a map $G_{q,6} \to (\mathbb{F}_q)^2$.
  LUC: based on $\mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q} : G_{q,2} \to \mathbb{F}_q$.
  XTR: based on $\mathrm{Tr}_{\mathbb{F}_{q^6}/\mathbb{F}_{q^2}} : G_{q,6} \to \mathbb{F}_{q^2}$.

Trace Compression
  For $g \in G_{q,6}$ it holds that $g^{q^2 - q + 1} = 1$, so $g^{q^2} = g^{q-1}$ and $g^{q^4} = g^{-q}$.
  $c = \mathrm{Tr}_{\mathbb{F}_{q^6}/\mathbb{F}_{q^2}}(g) = g + g^{q-1} + g^{-q} = \mathrm{Tr}_{\mathbb{F}_{q^6}/\mathbb{F}_{q^2}}(g^{q^2}) = \mathrm{Tr}_{\mathbb{F}_{q^6}/\mathbb{F}_{q^2}}(g^{q^4})$
  $c^q = \mathrm{Tr}_{\mathbb{F}_{q^6}/\mathbb{F}_{q^2}}(g^q) = g^q + g^{-1} + g^{1-q} = \mathrm{Tr}_{\mathbb{F}_{q^6}/\mathbb{F}_{q^2}}(g^{-1})$

108-109 Degree 6: XTR Decompressing

Consider $G_{q,6} \subset \mathbb{F}_{q^6}^*$, so $|G_{q,6}| = q^2 - q + 1$. Retrieving $g \in G_{q,6}$ given $c = \mathrm{Tr}_{\mathbb{F}_{q^6}/\mathbb{F}_{q^2}}(g)$:
  $(x - g)(x - g^{q^2})(x - g^{q^4})$
  $= x^3 - \mathrm{Tr}_{\mathbb{F}_{q^6}/\mathbb{F}_{q^2}}(g)\, x^2 + (g^{1+q^2} + g^{1+q^4} + g^{q^2+q^4})\, x - N_{\mathbb{F}_{q^6}/\mathbb{F}_{q^2}}(g)$
  $= x^3 - c x^2 + (g^q + g^{1-q} + g^{-1})\, x - 1$
  $= x^3 - c x^2 + c^q x - 1$.
So given $c$ you can recover $\{g, g^{q^2}, g^{q^4}\}$ as the roots of this polynomial.

110-113 Degree 6: XTR The Main Recurrence Relation

Task
  Let $g$ be a generator of $G_{q,6}$ and define $c_n = \mathrm{Tr}_{\mathbb{F}_{q^6}/\mathbb{F}_{q^2}}(g^n)$ for $n \in \mathbb{Z}$. Given $c_n$ and $c_m$, how to compute $c_{n+m}$?

  $c_n c_m = (g^n + g^{(q-1)n} + g^{-qn})(g^m + g^{(q-1)m} + g^{-qm}) = \ldots$

  $c_{n+m} = c_n c_m - c_m^q c_{n-m} + c_{n-2m}$

So the "multiplication" $c_n, c_m \mapsto c_{n+m}$ is possible if the quotient $c_{n-m}$ and the double quotient $c_{n-2m}$ are also known.

114 Degree 6: XTR Auxiliary Recurrence Relations

Theorem
  Let $g$ be a generator of $G_{q,6}$ and define $c_n = \mathrm{Tr}_{\mathbb{F}_{q^6}/\mathbb{F}_{q^2}}(g^n)$ for $n \in \mathbb{Z}$. Then
  $c_{n+m} = c_n c_m - c_m^q c_{n-m} + c_{n-2m}$
  $c_{-n} = c_n^q$
  $c_{n+1} = c\, c_n - c^q c_{n-1} + c_{n-2}$
  $c_{2n-1} = c_n c_{n-1} - c_n^q c^q + c_{n+1}^q$
  $c_{2n} = c_n^2 - 2 c_n^q$
  $c_{2n+1} = c_n c_{n+1} - c_n^q c + c_{n-1}^q$
  $c_{2n+2} = c_{n+1}^2 - 2 c_{n+1}^q$
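Worked example, added here and not code from the slides or from the XTR authors: the recurrences of slides 113-114 implemented over a small field tower and checked against direct $\mathbb{F}_{q^6}$ arithmetic. `xtr_pow` is a left-to-right single exponentiation carrying the triple $(c_{a-1}, c_a, c_{a+1})$ and using only the doubling formulas of slide 114, and `recurrence_holds` evaluates the identity of slide 113 on ground-truth traces (the check Exercise 9 asks for, done numerically). Assumptions of this example: the toy parameters $q = 11$, $l = 37$, the representation $\mathbb{F}_{q^2} = \mathbb{F}_q[z]/(z^2 + z + 1) = \mathbb{F}_q(\zeta_3)$, and the tower $\mathbb{F}_{q^6} = \mathbb{F}_{q^2}[y]/(y^3 - \beta)$ for a non-cube $\beta$ found by search.

```python
Q = 11    # prime, Q = 2 mod 3: F_{Q^2} = F_Q[z]/(z^2 + z + 1) = F_Q(zeta_3)  (toy size: this example's assumption)
L = 37    # prime factor of Q^2 - Q + 1 = 111 = |G_{Q,6}|; we work in the order-L subgroup

def f2_add(x, y):
    return ((x[0] + y[0]) % Q, (x[1] + y[1]) % Q)

def f2_sub(x, y):
    return ((x[0] - y[0]) % Q, (x[1] - y[1]) % Q)

def f2_mul(x, y):
    """(a + b z)(c + d z) with z^2 = -z - 1."""
    a, b = x
    c, d = y
    return ((a * c - b * d) % Q, (a * d + b * c - b * d) % Q)

def f2_frob(x):
    """x^Q: since Q = 2 mod 3, z^Q = z^2 = -1 - z, hence (a + b z)^Q = (a - b) - b z."""
    return ((x[0] - x[1]) % Q, (-x[1]) % Q)

def f2_times2(x):
    return ((2 * x[0]) % Q, (2 * x[1]) % Q)

ZERO2, ONE2, THREE2 = (0, 0), (1, 0), (3 % Q, 0)
F2_ALL = [(a, b) for a in range(Q) for b in range(Q)]
CUBES = {f2_mul(x, f2_mul(x, x)) for x in F2_ALL}
BETA = next(x for x in F2_ALL if x not in CUBES)   # non-cube, so y^3 - BETA is irreducible over F_{Q^2}
ONE6 = (ONE2, ZERO2, ZERO2)

def f6_mul(x, y):
    """(x0 + x1 y + x2 y^2)(z0 + z1 y + z2 y^2) modulo y^3 = BETA, coefficients in F_{Q^2}."""
    x0, x1, x2 = x
    z0, z1, z2 = y
    r0 = f2_add(f2_mul(x0, z0), f2_mul(BETA, f2_add(f2_mul(x1, z2), f2_mul(x2, z1))))
    r1 = f2_add(f2_add(f2_mul(x0, z1), f2_mul(x1, z0)), f2_mul(BETA, f2_mul(x2, z2)))
    r2 = f2_add(f2_add(f2_mul(x0, z2), f2_mul(x1, z1)), f2_mul(x2, z0))
    return (r0, r1, r2)

def f6_pow(x, n):
    r, base = ONE6, x
    while n:
        if n & 1:
            r = f6_mul(r, base)
        base = f6_mul(base, base)
        n >>= 1
    return r

def trace6(x):
    """Tr_{F_{Q^6}/F_{Q^2}}(x) = x + x^{Q^2} + x^{Q^4}, computed the slow way as ground truth."""
    s = tuple(f2_add(f2_add(a, b), c) for a, b, c in zip(x, f6_pow(x, Q ** 2), f6_pow(x, Q ** 4)))
    assert s[1] == ZERO2 and s[2] == ZERO2   # the trace lies in the subfield F_{Q^2}
    return s[0]

def find_generator():
    """Element of order L in G_{Q,6}: raise a + y to the cofactor (Q^6 - 1)/L until the result is not 1."""
    cofactor = (Q ** 6 - 1) // L
    for a in range(Q):
        g = f6_pow(((a, 0), ONE2, ZERO2), cofactor)
        if g != ONE6:
            return g
    raise ValueError("no element of order L")

def ground_truth(g):
    """c_k = Tr(g^k) for k = 0..L-1; g has order L, so this covers every integer k (c_{-k} = c_{L-k})."""
    return [trace6(f6_pow(g, k)) for k in range(L)]

def xtr_pow(c, n):
    """c_n from c = c_1 via slide 114's doubling formulas on S_a = (c_{a-1}, c_a, c_{a+1}),
    processing the bits of n from the most significant one, which fixes a = 1."""
    if n == 0:
        return THREE2                                         # c_0 = Tr(1) = 3
    cq = f2_frob(c)
    S = (THREE2, c, f2_sub(f2_mul(c, c), f2_times2(cq)))      # S_1 = (c_0, c_1, c_2), c_2 = c^2 - 2c^q
    for j in range(n.bit_length() - 2, -1, -1):
        cm, ca, cp = S
        cmq, caq, cpq = f2_frob(cm), f2_frob(ca), f2_frob(cp)
        c2a = f2_sub(f2_mul(ca, ca), f2_times2(caq))                       # c_{2a} = c_a^2 - 2 c_a^q
        c2a1 = f2_add(f2_sub(f2_mul(ca, cp), f2_mul(c, caq)), cmq)         # c_{2a+1} = c_a c_{a+1} - c c_a^q + c_{a-1}^q
        if (n >> j) & 1 == 0:                                            # a <- 2a
            c2am1 = f2_add(f2_sub(f2_mul(cm, ca), f2_mul(cq, caq)), cpq)   # c_{2a-1} = c_{a-1} c_a - c^q c_a^q + c_{a+1}^q
            S = (c2am1, c2a, c2a1)
        else:                                                            # a <- 2a + 1
            c2a2 = f2_sub(f2_mul(cp, cp), f2_times2(cpq))                  # c_{2a+2} = c_{a+1}^2 - 2 c_{a+1}^q
            S = (c2a, c2a1, c2a2)
    return S[1]

def recurrence_holds(table, n, m):
    """Slide 113 / Exercise 9: c_{n+m} = c_n c_m - c_m^q c_{n-m} + c_{n-2m} on ground-truth traces."""
    c = lambda k: table[k % L]
    rhs = f2_add(f2_sub(f2_mul(c(n), c(m)), f2_mul(f2_frob(c(m)), c(n - m))), c(n - 2 * m))
    return c(n + m) == rhs

def self_check():
    table = ground_truth(find_generator())
    ok = all(f2_frob(table[k]) == table[(-k) % L] for k in range(L))      # c_{-n} = c_n^q (slide 107)
    ok &= all(xtr_pow(table[1], n) == table[n % L] for n in range(2 * L))
    ok &= all(recurrence_holds(table, n, m) for n in range(L) for m in range(L))
    return ok
```

The only $\mathbb{F}_{q^6}$ arithmetic is in `trace6`, `f6_pow` and `find_generator`, which exist purely to produce ground truth; `xtr_pow` and `recurrence_holds` touch nothing but $\mathbb{F}_{q^2}$ values, which is what makes the representation compact.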

115-116 Degree 6: XTR Exponentiation Runtimes

Based on $\mathbb{F}_{q^2} = \mathbb{F}_q(\zeta_3)$ or $\mathbb{F}_q(\zeta_4)$ arithmetic.
  Binary Single Exponentiation: for any exponent in $\mathbb{Z}_l$, a single exponentiation takes $8 \lg l$ $\mathbb{F}_q$-multiplications.
  Euclidean Double Exponentiation: for two random exponents in $\mathbb{Z}_l$, a double exponentiation takes $7.4 \lg l$ $\mathbb{F}_q$-multiplications on average.
  Euclidean Single Exponentiation: for a random exponent in $\mathbb{Z}_l$, a single exponentiation takes $6.6 \lg l$ $\mathbb{F}_q$-multiplications on average.


118 Algebraic Set

Given a field $K$, let $I \subseteq \bar{K}[X_1, \ldots, X_n]$ be an ideal; then define $V_I \subseteq \mathbb{A}^n$ as
  $V_I = \{P \in \mathbb{A}^n : f(P) = 0 \text{ for all } f \in I\}$.
An algebraic set is any set of that form. For a given $V$ the ideal is denoted
  $I(V) = \{f \in \bar{K}[X] : f(P) = 0 \text{ for all } P \in V\}$.
$V$ is defined over $K$ if its ideal can be generated by polynomials in $K[X]$; we then write $V/K$. We can then also define the set of $K$-rational points of $V$ as
  $V(K) = V \cap \mathbb{A}^n(K)$.

119 Torus

Algebraic Torus
  The algebraic torus $T_n$ is the algebraic set in $\mathbb{A}^n(\mathbb{F}_q)$
  $V(\{N_{\mathbb{F}_{q^n}/\mathbb{F}_{q^d}}(f(g)) - 1 : 1 \le d < n,\ d \mid n\})$
  where $f : \mathbb{A}^n(\mathbb{F}_q) \to \mathbb{F}_{q^n}$ is bijective.
  $T_n(\mathbb{F}_q)$ is group isomorphic to $G_{q,n}$.

120-121 Rationality

Rational map
  A rational map between algebraic varieties is a function defined by quotients of polynomials that is defined almost everywhere.
  A birational isomorphism between algebraic varieties is a rational map with a rational inverse.
  A $d$-dimensional variety over $K$ is rational over $K$ if it is birationally isomorphic over $K$ to $\mathbb{A}^d$.

Theorem
  $T_n(\mathbb{F}_q)$ is rational for all $n$ that are the product of at most two prime powers. There are birational isomorphisms $T_2(\mathbb{F}_q) \to \mathbb{A}^1(\mathbb{F}_q)$ and $T_6(\mathbb{F}_q) \to \mathbb{A}^2(\mathbb{F}_q)$.
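Worked example for the $n = 2$ case of the theorem, added here and not code from the slides: $T_2(\mathbb{F}_q)$ realised as the norm-1 elements of $\mathbb{F}_q(i)$, one explicit birational isomorphism $\psi : T_2(\mathbb{F}_q) \setminus \{-1\} \to \mathbb{A}^1(\mathbb{F}_q)$ with its inverse, and the group law of $T_2$ carried out directly on compressed values. The slide only asserts that such a map exists; the particular map (stereographic projection from $-1$), the representation $\mathbb{F}_{q^2} = \mathbb{F}_q(i)$ and the toy size $q = 211$ are this example's choices.

```python
Q = 211   # prime, Q = 3 mod 4, so F_{Q^2} = F_Q(i) with i^2 = -1  (toy size: this example's assumption)

def fq2_mul(x, y):
    """(a + b i)(c + d i) in F_Q(i)."""
    a, b = x
    c, d = y
    return ((a * c - b * d) % Q, (a * d + b * c) % Q)

def norm(x):
    """N_{F_{Q^2}/F_Q}(a + b i) = (a + b i)(a - b i) = a^2 + b^2; T_2(F_Q) = G_{Q,2} is the norm-1 set."""
    return (x[0] * x[0] + x[1] * x[1]) % Q

def compress(x):
    """psi: T_2(F_Q) \\ {-1} -> A^1(F_Q), projection from -1: (a, b) -> b / (1 + a)."""
    a, b = x
    if norm(x) != 1:
        raise ValueError("not a point of T_2(F_Q)")
    if (a + 1) % Q == 0:
        raise ValueError("-1 is the one point psi does not cover")
    return b * pow(a + 1, -1, Q) % Q

def decompress(t):
    """psi^{-1}: t -> ((1 - t^2)/(1 + t^2), 2t/(1 + t^2)) = (1 + t i)/(1 - t i).
    1 + t^2 is never 0 because -1 is a non-square mod Q (Q = 3 mod 4)."""
    inv = pow(1 + t * t, -1, Q)
    return ((1 - t * t) * inv % Q, 2 * t * inv % Q)

def compressed_mul(t1, t2):
    """Group law of T_2(F_Q) on compressed values: psi(u v) = (t1 + t2)/(1 - t1 t2),
    which follows from psi^{-1}(t) = (1 + t i)/(1 - t i). Undefined exactly when u v = -1."""
    den = (1 - t1 * t2) % Q
    if den == 0:
        raise ValueError("product is -1, which has no compressed form")
    return (t1 + t2) * pow(den, -1, Q) % Q

def torus_points():
    """All of T_2(F_Q) by brute force: the Q + 1 elements of norm 1."""
    return [(a, b) for a in range(Q) for b in range(Q) if (a * a + b * b) % Q == 1]

def self_check():
    pts = torus_points()
    ok = len(pts) == Q + 1                                                   # |G_{Q,2}| = Q + 1
    ok &= all(decompress(compress(p)) == p for p in pts if p != (Q - 1, 0))  # psi is injective
    ok &= all(compress(decompress(t)) == t for t in range(Q))               # psi hits all of F_Q
    ok &= all(norm(decompress(t)) == 1 for t in range(Q))
    ok &= all(compressed_mul(t1, t2) == compress(fq2_mul(decompress(t1), decompress(t2)))
              for t1 in range(Q) for t2 in range(Q) if (t1 * t2) % Q != 1)
    return ok
```

The point for cryptography: a $T_2$ element, which naively needs two $\mathbb{F}_q$ coordinates, is transmitted as the single value $t \in \mathbb{F}_q$, and `compressed_mul` shows that the group operation can be evaluated without decompressing at all. The one uncovered point $-1$ is harmless in practice, since it has order 2 and never lies in the prime-order subgroup $G_l$ used for keys.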


123 Exercise 1 Right-to-Left Binary Exponentiation
  1 Give a Right-to-Left analogue of the Left-to-Right binary exponentiation algorithm.
  2 What are possible advantages of one over the other?

124 Exercise 2 Baby-step-giant-step DLP Solver
Given $g, X \in G_l$, we want to compute $\log_g X$. Let $0 < k \le l$ be an integer. Compute giant steps $G_i = g^{ki}$ for $i = 0, \ldots, \lfloor l/k \rfloor$ and baby steps $B_j = X g^j$ for $j = 0, \ldots, k - 1$.
  1 Show that a colliding pair $(i, j)$ for which $G_i = B_j$ leads to recovery of $\log_g X$.
  2 Is such a colliding pair guaranteed?
  3 What is the time (in $G_l$-multiplications) and memory (in $G_l$-elements) complexity of this method?
  4 What value of $k$ minimizes the runtime?

125 Exercise 3 DLP Solver in 2-smooth groups
Show that the DLP in $G_{2^k}$ is easy for any $k$.

126 Exercise 4 ElGamal is IND-CPA secure
  1 Show that ElGamal is IND-CPA secure if DDH is hard.
  2 Let $n > 0$ be an integer satisfying $2^n < l$. Describe a secure variant of ElGamal with message space $\{0, 1\}^n$ for which decryption complexity is of order $2^{n/2}$.
  3 Show that ElGamal is not IND-CCA secure even if DDH is hard.
  4 If $G_l$ is a subgroup of a larger group, it is important to check subgroup membership. Show how to recover the secret key $x$ under a chosen ciphertext attack when $G_l \subset G_{2^{\lg l} l}$ and the decryption oracle behaves as if the scheme is defined over this supergroup.

127 Exercise 5 Bad ElGamal is insecure
Suppose $l \mid \Phi_2(p)$ with $l$ and $p$ prime. Let $g$ generate $G_l$ and let $X = g^x \in G_l$ be a public key. Encrypt $m \in \mathbb{F}_p^*$ by $(m \cdot g^{rx}, g^r)$ (for $r \leftarrow \mathbb{Z}_l$).
  1 Give a simple example that shows this scheme is not IND-CPA secure.
  2 Show how to recover $m^2$ given just $m \cdot g^{rx}$ (and $g$). (Hint: $2 = \gcd(\Phi_1(p), \Phi_2(p))$.)
  3 Show how to recover $m$ given $g^r$ and $g^x$ as well.

128 Exercise 6 $\mathbb{F}_{p^2}$ arithmetic when $p \equiv 2 \bmod 3$
Let $p \equiv 2 \bmod 3$, so that a primitive third root of unity $\zeta_3$ lies in $\mathbb{F}_{p^2} \setminus \mathbb{F}_p$.
  1 Show that $\mathbb{F}_{p^2}$ arithmetic based on $\mathbb{F}_p(\zeta_3)$ is comparable in efficiency to that of $\mathbb{F}_p(\zeta_4)$ (never mind the different congruency restriction on $p$).
  2 Let $a, b, c \in \mathbb{F}_{p^2}$. Show that $ab - a^p c$ can be computed with 4 $\mathbb{F}_p$-multiplications (also for $\mathbb{F}_p(\zeta_4)$).

129 Exercise 7 Cyclotomic Subgroups
  1 Prove the following identities for cyclotomic polynomials:
    1 $\deg(\Phi_n(x)) = \varphi(n) = |\{1 \le i \le n : \gcd(i, n) = 1\}|$.
    2 $x^n - 1 = \prod_{d \mid n} \Phi_d(x)$.
    3 If $n$ is prime, then $\Phi_n(x) = \sum_{i=0}^{n-1} x^i$.
    4 If $m \mid n$, then $\Phi_{mn}(x) = \Phi_n(x^m)$.
    5 If $m \nmid n$ ($m$ prime), then $\Phi_{mn}(x) = \Phi_n(x^m)/\Phi_n(x)$.
    6 If $n$ is odd, then $\Phi_{2n}(x) = \Phi_n(-x)$.
    7 Give $\Phi_n(q)$ for $n \in \{1, 2, 3, 4, 5, 6, 30\}$.

130 Exercise 8 More Exponentiation Algorithms for LUC and XTR
  1 Describe a Left-to-Right binary exponentiation algorithm for XTR (Hint: use the invariant $a = 1 + \sum_{i=j+1}^{k-1} n_i 2^{i-j}$ and $(A, B, C) = (c_a, c_{a+1}, c_{a-1})$);
  2 What happens if you use the invariant $a = \sum_{i=j}^{k-1} n_i 2^{i-j}$ instead?
  3 Describe a Right-to-Left binary exponentiation algorithm for LUC;
  4 Describe a Right-to-Left binary exponentiation algorithm for XTR;
  5 How do they compare to the Left-to-Right versions, and how does this comparison differ from the corresponding comparison for ordinary exponentiation?
  6 How can you use the Euclidean double exponentiation for single exponentiation?

131 Exercise 9 XTR Recurrence Relation
Let $g$ be a generator of $G_{q,6}$ and define $c_n = \mathrm{Tr}_{\mathbb{F}_{q^6}/\mathbb{F}_{q^2}}(g^n)$ for $n \in \mathbb{Z}$. Verify that indeed
  $c_{n+m} = c_n c_m - c_m^q c_{n-m} + c_{n-2m}$.

132 Exercise 10 Beyond XTR
  1 What would key generation look like?

133 Exercise 10 Bad ElGamal still insecure
  1 Show that the DDH in $G_{q,n}$ is relatively easy.
  2 Let $G_l \subset T_2(\mathbb{F}_q)$. For message $m \in \mathbb{F}_p$ encrypt by $\psi(g^{rs}) + m$. Show this is not IND-CPA.


More information

Elliptic Curve Cryptography with Derive

Elliptic Curve Cryptography with Derive Elliptic Curve Cryptography with Derive Johann Wiesenbauer Vienna University of Technology DES-TIME-2006, Dresden General remarks on Elliptic curves Elliptic curces can be described as nonsingular algebraic

More information

Lecture 17: Constructions of Public-Key Encryption

Lecture 17: Constructions of Public-Key Encryption COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,

More information

Chapter 4 Finite Fields

Chapter 4 Finite Fields Chapter 4 Finite Fields Introduction will now introduce finite fields of increasing importance in cryptography AES, Elliptic Curve, IDEA, Public Key concern operations on numbers what constitutes a number

More information

Public-Key Cryptosystems CHAPTER 4

Public-Key Cryptosystems CHAPTER 4 Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:

More information

Public Key Encryption

Public Key Encryption Public Key Encryption KG October 17, 2017 Contents 1 Introduction 1 2 Public Key Encryption 2 3 Schemes Based on Diffie-Hellman 3 3.1 ElGamal.................................... 5 4 RSA 7 4.1 Preliminaries.................................

More information

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1). 1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not

More information

RSA Cryptosystem and Factorization

RSA Cryptosystem and Factorization RSA Cryptosystem and Factorization D. J. Guan Department of Computer Science National Sun Yat Sen University Kaoshiung, Taiwan 80424 R. O. C. guan@cse.nsysu.edu.tw August 25, 2003 RSA Cryptosystem was

More information

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How

More information

Advanced Cryptography 1st Semester Public Encryption

Advanced Cryptography 1st Semester Public Encryption Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability

More information

Provable security. Michel Abdalla

Provable security. Michel Abdalla Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only

More information

2 ALGEBRA II. Contents

2 ALGEBRA II. Contents ALGEBRA II 1 2 ALGEBRA II Contents 1. Results from elementary number theory 3 2. Groups 4 2.1. Denition, Subgroup, Order of an element 4 2.2. Equivalence relation, Lagrange's theorem, Cyclic group 9 2.3.

More information

Week : Public Key Cryptosystem and Digital Signatures

Week : Public Key Cryptosystem and Digital Signatures Week 10-11 : Public Key Cryptosystem and Digital Signatures 1. Public Key Encryptions RSA, ElGamal, 2 RSA- PKC(1/3) 1st public key cryptosystem R.L.Rivest, A.Shamir, L.Adleman, A Method for Obtaining Digital

More information

An overview of the XTR public key system

An overview of the XTR public key system An overview of the XTR public key system Arjen K. Lenstra 1, Eric R. Verheul 2 1 Citibank, N.A., and Technische Universiteit Eindhoven, 1 North Gate Road, Mendham, NJ 07945-3104, U.S.A., arjen.lenstra@citicorp.com

More information

Théorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1

Théorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1 Théorie de l'information et codage Master de cryptographie Cours 10 : RSA 20,23 et 27 mars 2009 Université Rennes 1 Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 1

More information

φ(xy) = (xy) n = x n y n = φ(x)φ(y)

φ(xy) = (xy) n = x n y n = φ(x)φ(y) Groups 1. (Algebra Comp S03) Let A, B and C be normal subgroups of a group G with A B. If A C = B C and AC = BC then prove that A = B. Let b B. Since b = b1 BC = AC, there are a A and c C such that b =

More information

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

IEEE P1363 / D9 (Draft Version 9). Standard Specifications for Public Key Cryptography

IEEE P1363 / D9 (Draft Version 9). Standard Specifications for Public Key Cryptography IEEE P1363 / D9 (Draft Version 9) Standard Specifications for Public Key Cryptography Annex A (informative) Number-Theoretic Background Copyright 1997,1998,1999 by the Institute of Electrical and Electronics

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44

More information

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies

More information

1. Group Theory Permutations.

1. Group Theory Permutations. 1.1. Permutations. 1. Group Theory Problem 1.1. Let G be a subgroup of S n of index 2. Show that G = A n. Problem 1.2. Find two elements of S 7 that have the same order but are not conjugate. Let π S 7

More information

Cryptography and Security Midterm Exam

Cryptography and Security Midterm Exam Cryptography and Security Midterm Exam Serge Vaudenay 23.11.2017 duration: 1h45 no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices

More information

Lecture Note 3 Date:

Lecture Note 3 Date: P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................

More information

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key

More information

One can use elliptic curves to factor integers, although probably not RSA moduli.

One can use elliptic curves to factor integers, although probably not RSA moduli. Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties

More information

Section 18 Rings and fields

Section 18 Rings and fields Section 18 Rings and fields Instructor: Yifan Yang Spring 2007 Motivation Many sets in mathematics have two binary operations (and thus two algebraic structures) For example, the sets Z, Q, R, M n (R)

More information

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.

More information

Finite Fields. Sophie Huczynska (with changes by Max Neunhöffer) Semester 2, Academic Year 2012/13

Finite Fields. Sophie Huczynska (with changes by Max Neunhöffer) Semester 2, Academic Year 2012/13 Finite Fields Sophie Huczynska (with changes by Max Neunhöffer) Semester 2, Academic Year 2012/13 Contents 1 Introduction 3 1 Group theory: a brief summary............................ 3 2 Rings and fields....................................

More information

Homework 10 M 373K by Mark Lindberg (mal4549)

Homework 10 M 373K by Mark Lindberg (mal4549) Homework 10 M 373K by Mark Lindberg (mal4549) 1. Artin, Chapter 11, Exercise 1.1. Prove that 7 + 3 2 and 3 + 5 are algebraic numbers. To do this, we must provide a polynomial with integer coefficients

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC

More information

Galois fields/1. (M3) There is an element 1 (not equal to 0) such that a 1 = a for all a.

Galois fields/1. (M3) There is an element 1 (not equal to 0) such that a 1 = a for all a. Galois fields 1 Fields A field is an algebraic structure in which the operations of addition, subtraction, multiplication, and division (except by zero) can be performed, and satisfy the usual rules. More

More information

Constructing Abelian Varieties for Pairing-Based Cryptography

Constructing Abelian Varieties for Pairing-Based Cryptography for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers

More information

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015 L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm

More information

Lecture 8 Public-Key Encryption and Computational Number Theory

Lecture 8 Public-Key Encryption and Computational Number Theory Lecture 8 Public-Key Encryption and Computational Number Theory COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Recall Symmetric-Key Crypto In this setting, if

More information

Adaptive Security of Compositions

Adaptive Security of Compositions emester Thesis in Cryptography Adaptive ecurity of Compositions Patrick Pletscher ETH Zurich June 30, 2005 upervised by: Krzysztof Pietrzak, Prof. Ueli Maurer Email: pat@student.ethz.ch In a recent paper

More information

DATA PRIVACY AND SECURITY

DATA PRIVACY AND SECURITY DATA PRIVACY AND SECURITY Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2018-2019 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum

More information

Chapter 4 Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for

More information

Asymmetric Cryptography

Asymmetric Cryptography Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a

More information

IEEE P1363 / D13 (Draft Version 13). Standard Specifications for Public Key Cryptography

IEEE P1363 / D13 (Draft Version 13). Standard Specifications for Public Key Cryptography IEEE P1363 / D13 (Draft Version 13). Standard Specifications for Public Key Cryptography Annex A (Informative). Number-Theoretic Background. Copyright 1999 by the Institute of Electrical and Electronics

More information

Supplement. Dr. Bob s Modern Algebra Glossary Based on Fraleigh s A First Course on Abstract Algebra, 7th Edition, Sections 0 through IV.

Supplement. Dr. Bob s Modern Algebra Glossary Based on Fraleigh s A First Course on Abstract Algebra, 7th Edition, Sections 0 through IV. Glossary 1 Supplement. Dr. Bob s Modern Algebra Glossary Based on Fraleigh s A First Course on Abstract Algebra, 7th Edition, Sections 0 through IV.23 Abelian Group. A group G, (or just G for short) is

More information