Normal bases in finite fields and Efficient Compact Subgroup Trace Representation

Size: px

Start display at page:

Download "Normal bases in finite fields and Efficient Compact Subgroup Trace Representation"

Milton Richardson
5 years ago
Views:

1 UNIVERSITÀ DEGLI STUDI ROMA TRE FACOLTÀ DI S.M.F.N. Graduation Thesis in Mathematics by Silvia Pastore Normal bases in finite fields and Efficient Compact Subgroup Trace Representation Supervisor Prof. Francesco Pappalardi The Candidate The Supervisor ACADEMIC YEAR Classification: 94A60 11T71 11Y16 Key Words: XTR, Normal Basis, Optimal Normal Basis.

2 A te che meritavi tanto, A te, Nico. 1

3 Contents Introduction Background Algebraic structures Normal bases The multiplication matrix Construction of the optimal normal bases Arithmetic operations in F p XTR supergroup and XTR subgroup Traces The polynomials F (c, X) Properties of F (c, X) and its roots The computation of c n XTR parameter and key selection Selection of p and q Selection of the subgroup Cryptographic applications XTR - Diffie Hellman and XTR - ElGamal Discrete logarithm A Karatsuba Algorithm 64 A.1 Karatsuba's algorithm

4 B Multi-exponentiation algorithm 68 References

5 Introduction In the last twenty years, with the development of coding theory and appearance of several cryptosystems, the study of nite elds has generated much interest. This impetus behind this interest has been the need to produce efficient algorithms that can be implemented in the hardware or software used for applications such as data encryption and public key distribution. The necessity to produce efficient algorithms is translated into solving mathematical problems involving computations in nite elds. From many years, normal bases have been used to represent nite elds and the advantages of this choice are been shown. Hensel (1888) pioneered the study of normal bases for nite elds and proved that they always exist. Eisenstein (1850) had already noted that normal bases always exist. Hensel, and also Ore (1934), determine exactly the number of these bases. In particular, in this thesis, we will show that the complexity of several hardware or software implementations, based on multiplication schemes, depends on the choice of the normal bases used. Hence is essential to nd normal basis with low complexity. So we are interested in nding a lower bound for this complexity and we will present a costruction of a normal basis with this complexity. Such a normal basis is called optimal normal basis. We will analyse the effects of optimal normal bases on computations in nite elds, in particular on the nite eld F p 2. We will also describe how, using optimal normal basis, the computations in F p 2 can be done efficently. In particular we will obtain that p th powers in F p 2 does not require any arithmetic operations. This last result, with others obtained in F p 2, are at the base of a new method that use arithmetic in F p 2, the so-called XTR. 4

6 XTR was introduced at Crypto 2000 [9] by Arjen K. Lenstra and Eric R. Verheul, it stands for ECSTR, which is an abbreviation for Ecient and Compact Subgroup Trace Representation. XTR is a new method to represent elements of a subgroup of a multiplicative group of a nite eld. XTR is based on the same idea introduced by Shannon that is to replace a generator of the full multiplicative group of a nite eld by the generator of a relatively small subgroup of sufficiently large prime order q. XTR, infact, uses a subgroup of prime order q of the order p 2 p + 1 subgroup of F p. 6 The cyclic group F p has order p 6 1, therefore only a cyclic subgroup 6 with order p 2 p + 1 exists. We will refer to this last group as the XTR supergroup X, while to the order q subgroup, with q dividing p 2 p + 1, as the XTR subgroup Y= g. We will show how XTR uses the trace over F p 2 to represent and calculate powers of elements of the XTR subgroup. In fact, the arbitrary powers of an element of g can be represented using a single element of the subeld F p 2 and such powers can be computed eciently using arithmetic operations in F p 2 while avoiding arithmetic in F p 6. This last result is useful for cryptographic purposes if there is a way to ecently compute T r(g n ) given T r(g). So we will nd an algorithm that not only solves our last problem, but is also three times faster than computing g n given g. Naturally, we will have to choose appropriate parameters p and q to obtain an optimal normal basis and such that the XTR subgroup Y, with order q, cannot be embedded in the multiplicative group of any true subfield of F p 6. Given p, q > 3, we will nd T r(g) F p 2 for an element g F p 6 of order q, through different methods. From a security point of view, XTR is a traditional system based on the diculty of solving discrete logarithm problems in the multiplicative group of a nite eld. 5

7 Therefore XTR can be used in any cryptosystem that relies on the subgroup discrete logarithm problem. To illustrate this, we will present the XTR version of the Diffie Hellman key agreement protocol and ElGamal encryption and decryption protocols. These versions follow by replacing the ordinary representation of subgroup elements with the XTR representation of subgroup elements of a multiplicative group that, as we have seen before, consists in replacing XTR group elements by their trace. We will also see that, through this representation, the computation of Diffie Hellman Key agreement protocol and ElGamal encryption and decryption protocols becomes three times faster than computing g n given g, as in their traditional versions. We know that the traditional versions base their security on the diculty to solve the discrete logarithm problem. We will show that there is, also, the XTR discrete logarithm problem version on wich the security of XTR - Diffie Hellman and XTR - ElGamal protocols is based. Moreover as Diffie Hellman problem and Diffie Hellman Decision problem are related to the Discrete Logarithm problem as, their XTR version, the XTR - Diffie Hellman problem and XTR - Diffie Hellman Decision problem, are related to XTR - Discrete Logarithm problem. There are, also, some equivalences between old a new problems. We will use these equivalences to prove that DL problem in XTR subgroup Y is as hard as F p 6. Because of the facts above, we can conclude that application of XTR in cryptographic protocols leads to the advantages in comunication and computational overhead without compromising security. Our work is organized in the following way. In the Chapter 1 we present some necessary denitions and properties. In particular it is necessary to dene nite elds, Frobenius automorsm, cyclotomic elds, cyclotomic polynomials and roots of unity, all in the context 6

8 in which they will be used in this thesis. It is presented a proof that shows that a normal basis exists for every nite extension of a nite eld. The existence of a normal basis allows for particularly simple multiplications of the elements of the eld. In fact, we show as it is possible to compute the multiplication between two elements in F p n, with respect to a normal bases N = {α, α p,..., α pn 1 }, using n n-matrix T N = (t i,k ) 0 i,k<n with entries in F p, dened by: α pi α = t i,k α pk for 0 i < n 0 k<n and as this multiplication is completely determined by T N. This result is a consequence of the property of symmetry of the normal basis N that allows to reduce the n n n-matrices, T k = (t k i,j) for k = 0,..., n 1, obtained by traditional multiplication between A and B, to the matrix T 0. Then through the relation: t (k) i,j = t i j,k j is set one correspondence between the matrix T 0 and the matrix T N. Therefore we use the matrix T N to compute the multiplication between A and B. This matrix is advantageous not only for the memory of the calculator saving, but also from computational costs point of view. We see that these costs depend by d N, the number of non-zero entries in T N. Thus we dene as d N the complexity of normal basis N, along with a proof that shows the lower bound for the complexity of any normal basis. A particular type of normal basis, whose complexity value achieves the lower bound, is called optimal normal basis. obtain, also, a lower bound for the computational cost. Then, by this last basis, we To construct the optimal normal basis, we prove the result: Theorem 1.5 (Optimal normal bases, see [14]) Let n + 1 be a prime and p be a primitive root modulo n + 1 (i.e. p modulo n + 1 generates F n+1 ). Let ς 7

9 be a primitive (n + 1)-th root of unity in an extension eld of F p and α = ς. Then N = {α, α p, α p2,..., α pn 1 } is an optimal normal basis of F p n over F p. Then knowing the conditions for which an optimal normal basis exists, we obtain, also, the semplication of the process of selecting nite elds for specic applications. In Chapter 2 we deal with the mathematic of XTR. To this purpose, at rst we present a representation of F p 2 and then we describe how the computations in F p 2 can be done efficiently. So we set p 2 (mod 3). Hence X 2 + X + 1 is an irriducible polynomial over F p. We represent F p 2 as: F p 2 = { } x 1 α + x 2 α p : α 2 + α + 1 = 0, x 1, x 2 F p where {α, α p } are the zeros of the polynomial X 2 +X+1 and form an optimal normal basis for F p 2 over F p, since p 2 (mod 3) and p is a primitive root modulo 3, i.e. p (mod 3) generates F 3. Considering the elements x, y, z F p 2, we see as it is possible to compute efficently x p, x 2, x y and x z y z p in F p. For comparison purposes, we compute the same relation in the case x, y, z F p 6. These results follow, also, by the use of Karatsuba's trick and multiexponentation algorithm, described in the appendices. In Chapter 3 we present the denition of the trace over F p 2 we show that it is F p 2-linear. We show that the trace of the element g F p of order q that 6 divides p 2 p + 1 is equal to the trace of its conjugates. Set p a prime and set F (c, X) for c F p 2 be the polynomial X 3 cx 2 + c p X 1 F p 2[X]; for n Z we denote by c n the sum of the n th powers of the roots of F (c, X) and so we prove the following result: Theorem 3.1. The roots of X 3 T r(g)x 2 + T r(g) p X 1 are the conjugates of g. Then the minimal polynomial of any g F p 6 of order dividing p 2 p + 1 8

10 and > 3 is equal to F (T r(g), X). Hence the fundamental idea of XTR is, as illustrated, that the trace value fully specifies g's minimal polynomial and thus the conjugates of g. In a similar way we illustrate that this last result is true for any power of n. In fact, for any integer n, the conjugates of g n are the roots of X 3 T r(g n )X 2 +T r(g n ) p X 1 F p 2 and the latter polynomial and the conjugates of g n are determined by T r(g n ) F p 2. Vice versa we show that if F (c, X) F p 2[X] is irreducible, then the roots of F (c, X) take the form h, h p2, h p4 for some h F p 6 of order dividing p 2 p+1 and > 3. This implies one of the property of c n, i.e. it is of the form T r(h n ) F p 2. Another result that we obtain on F (c, X) over F p 2 is the theorem: Theorem 3.3 F (c, X) is reducible over F p 2 if and only if c p+1 F p. Then, let g F p 6 with order q for a prime q > 3 dividing p 2 p + 1, it follows from the results cited above that F (T r(g n ), g n ) = 0 and c n = T r(g n ) F p 2. These results are useful for cryptographic purpose if, as we have said above, there is a way to efficiently compute T r(g n ) given T r(g). To this goal we describe an Algorithm that computes c n for any n Z and such that is three times faster than the algorithm that computes g n given g. The efficiency of this algorithm it is based on properties of c n that have been illustrated in this chapter. In Chapter 4 we describe fast and pratical methods that satisfy these two conditions: 1. p and n + 1 are prime numbers and p is a primitive root (mod n + 1). 2. Φ 6 (p) = p 2 p + 1 has a prime factor q. By these conditions we obtain that F p 2 has an optimal normal basis and that the XTR subgroup Y, with the order q, cannot be embedded in the multiplicative group of any proper subeld of F p 6. 9

11 So the primes p and q of appropriate sizes can be found using both the methods that we present in this thesis. In particular through the rst one, we nd a prime p that satises a second degree polynomial with small coefficients. Moreover, for k = 1, the prime p assumes a very nice form. Given p and q > 3, we must nd T r(g) F p 2 for an element g F p 6 of order q. We show that to nd a proper T r(g) it suffices to nd c F p 2 \ F p such that F (c, X) F p 2[X] is irreducible, such that c (p 2 p+1)/q 3 and to put T r(g) = c (p 2 p+1)/q. To nd c F p 2 such that F (c, X) is irreducible we consider the following result: Lemma 4.1 For a randomly selected c F p 2 the probability that F (c, X) F p 2[X] is irreducible is about one third. We close the chapter presenting an algorithm that it is based on the above Lemma and on the fact that F (c, x) is reducible if and only if c p+1 F p, that is a result of Chapter 3. In the Chapter 5, we deal with the XTR version of the Diffie Hellman key agreement protocol and ElGamal encryption and decryption protocols, since XTR can be used in any cryptosystem that relies on the subgroup discrete logarithm problems. This version is dierent to the traditional, since it is based on the XTR representation of the XTR group elements that consists in replacing the XTR elements with their trace. In these protocols there are two users A and B that already agreed upon XTR subgroup Y and on the XTR public key data (p, q, T r(g)), where the two primes p and q are as in chapter 4, and T r(g) is the trace of an generator of XTR subgroup Y. As is well-know, while in the XTR Diffie Hellman key agreement protocol the two users want to agree on a secret key K, in ElGamal encryption and decryption protocols, we suppose that B wants to encrypt a message M 10

12 intended for A and that A decrypts the message (T r(g b ), E) that he has received by B. For this reason, we suppose that in the key XTR public data of A there is also the value T r(g k ) that is computed and made public by A, for an integer k selected by A, that it is kept secret, the so-called private key. Analysing these algorithms, we note that they compute T r(g h ), where g h is an element in XTR subgroup with 0 < h < q 2, using the algorithm described in Chapter 3, to compute T r(g h ) given T r(g). For this reason the XTR Diffie Hellman key agreement protocol and XTR ElGamal encryption and decryption protocols are three times faster than their traditional versions. Moreover these last versions base their security on the diculty to solve the Discrete Logarithm (DL) problem and we show that Diffie Hellman (DH) problem and Diffie Hellman Decision (DHD) problem are related to DL problem. But since the XTR version of the protocols follows by replacing elements of the XTR group by their traces, then the security of these protocols is no longer based on the original DH, DHD or DL problems, but on their XTR versions. If we dene the equivalence between two problem through this result: Denition 5.1 We say that problem A is (a, b)-equivalent to problem B, if any istance of problem A (or B) can be solved by at most a (or b) calls to an algorithm solving problem B (or A). We obtain this fundamental equivalences between old and new problems: G. Theorem 5.1 The following equivalences hold: i. The XTR-DL problem is (1, 1)-equivalent to the DL problem in G. ii. The XTR-DH problem is (1, 2)-equivalent to the DH problem in G. iii. The XTR-DHD problem is (3, 2)-equivalent to the DHD problem in Then thanks to this last result, we prove that DL problem in XTR sub- 11

13 group Y is as hard as in F p 6. In fact we show that the Discrete Logarithm problem in F p 6, can be reduced to the discrete logarithm problems in multiplicative groups of proper subelds F p, F p 2 and F p 3 of F p 6 and in the subgroup of order p 2 p + 1 that cannot be embedded in any proper subfield of F p 6. Since the rst three problems are believed to be considerably easier than the problem in F p 6, we conclude that the hardness of computing discrete logarithm in the group F p 6 must reside in its subgroup of order p 2 p + 1. From this result, considering the XTR subgroup Y that has order a large prime q that divide p 2 p + 1 and that cannot be embedded into any proper subeld of F p 6, we have concluded that the discrete logarithm problem in Y is as hard as it is F p 6. Then the XTR version of the Diffie Hellman key agreement protocol and XTR ElGamal encryption and decryption protocols makes this protocol more fast and secure. At the end of this thesis there are two appendices, in which some of algorithms, used in Chapter 2, are discussed. In Appendix A, we describe the Karatsuba's trick for the multiplication of two polynomials of degree less than n and we show that this trick makes the computational cost of this multiplication lower. In fact, while with the classic multiplication algorithm the number of multiplication is O(n 2 ), with the Karatsuba's trick the number of multiplication it is reduced to O(n 1.59 ). In Appendix B, we deal with the Pekmestzi's algorithm, that is a method to compute the multi-exponentation, i.e. Z = 0<i k Xa i i mod N. In particular we consider the computation of X a Y b mod N and we show how this method is faster than the traditional computation that computes the two modular exponentations X a mod N and Y b mod N separetely. Naturally with the Pekmestzi's algorithm, the computational cost im- 12

14 proves and so it can be used to implement fast modern cryptosystems that have as a major task to obtain an efficient performance. 13

15 Chapter 1 Background In this chapter we present some basic facts about the algebraic structures that we shall use. In particular we focus our attention on the existence of normal bases over nite elds and in the construction of optimal normal bases in an extension nite eld. We shall debate, also, on the advantages to use normal and optimal normal basis from computational point of view. 1.1 Algebraic structures We report in this section some basic denitions and basic facts of the algebraic structures that are used in this thesis. For details and proofs we refer to book of Lidl & Niederreiter (1983). A nite eld F is a nite ring satisfying the property that (F\ {0}, ) is a commutative group. It is a standard fact that if F is a nite eld containing a subeld K with p elements, then F has p n elements, where n = [F : K] is the degree of extension of F over K. Two nite elds with the same number of elements are isomorphic. Thus we denote nite eld with q = p n elements, or the nite eld of order q = p n by F q, where the prime p is the characteristic of F and n is the degree of F over its prime subeld. 14

16 There are dierent ways to represent a nite eld with p n elements, one of these methods is to consider an irreducible polynomial over F p of degree n, f F p [x], then adjoining a root α of f to F p we get nite eld with p n elements and F p n = F p (α) (see [10], Theorem 2.14). Every element of F p n can be uniquely expressed as a polynomial in α over F p, of degree less than n (see [10], Theorem 1.86): F q = F p (f) = { A A n 1 α n 1 : A i F p for i = 0,..., n 1 and f(α) 0 } 1.2 Normal bases The importance of the normal bases is due to the development of coding theory and the implementation of several cryptosystems using nite elds. We see, before, that the advantages of this choice reside in the improvement of the computational cost (see [11]). Denition 1.1. Let F p n be an extension of F p and let α F p n. Then the elements α, α p, α p2,..., α pn 1 are called the conjugates of α with respect to F p Denition 1.2 (Normal basis, see [10]). Let F p n be an extension of F p. Then a basis of F p n over F p of the form N = {α,..., α pn 1 } consisting of the conjugates of a suitable element α F p n with respect to F p, is called a normal basis of F p n over F p. The element α is then called normal in F p n over F p. Then every A F p n may be uniquely expressed in term of N as n 1 A = A 0 α + A 1 α p A n 1 α pn 1 = A i α pi i=0 15

17 with coefcients A 0, A 1,..., A n 1 F p EXAMPLE (Normal and not normal elements) Let f(x) = x 3 + x + 1 an irreducible polynomial on F 2, then: F 8 = F 2 (x 3 + x + 1) = {a 0 + a 1 α + a 2 α 2 : a 0, a 1, a 2 F 2 and α 3 + α + 1 0} = {0, 1, α, α 2, α + 1, α 2 + 1, α 2 + α, α 2 + α + 1} Note that α is not normal since {α, α 2, α 4 α 2 + α} is not a base. While α + 1 is normal, since: (α + 1) (mod f) (α + 1) 2 = α (mod f) (α + 1) 4 = (α 2 + 1) 2 = α = α 2 + α + 1 (mod f) is a basis for F 2 [α] over F 2. If we compute the conjugates of all the elements of F 8, we obtain that: {0, 1, α, α 2, α 2 + α} are not normal elements, while {α + 1, α 2 + 1, α 2 + α} are normal elements. Now we present a proof that shows the existence of a normal basis in a nite eld extension and in the next section we show how the existence of a 16

18 normal basis allows for particularly simple multiplication of the elements of the eld. For this purpose we recall few useful denitions. Denition 1.3 (Frobenius automorsm, see [11]). Let F p n be an extension of F p, then the Frobenius automorphism is a map of F p n over F p of the form: σ : η η p, η F p n If we view F p n as a vector space of dimension n over F p then the Frobenius map σ is a linear transformation of F p n over F p, since σ(α + β) = σ(α) + σ(β) and σ(c α) = c σ(α) for all α, β F p n and c F p. Denition 1.4 (see [11]). Let Γ a linear transformation on a nite-dimensional vector space V over a (arbitrary) eld F, a polynomial f(x) = n i=0 A ix i in F [x] is said to annihilate Γ if f(γ) = A n Γ n + A n 1 Γ n Γ 0 I = 0 where I is the identity map and 0 is the zero map on V. The uniquely determined monic polynomial of least degree that satises the last property is called the minimal polynomial for Γ. In particular this polynomial divides any other polynomial in F [x] annihilating Γ and the cheracteristic polynomial for Γ (Cayley-Hamilton theorem). We say that a vector α V is a cyclic vector for T if the vectors T k α, k = 0, 1,... span V Lemma 1.1. (see [10]) Let T be a linear operator on the nite-dimensional vector space V. Then T has a cyclic vector if and only if the characteristic and minimal polynomials for T are identical. 17

19 Remark 1.1. We are not able to prove this last Lemma in the particular case of nite elds. Theorem 1.1 (Normal Basis Theorem, see [10, 11]). For any nite eld F p and any nite extension F p n of F p there exists a normal basis of F p n over F p. Proof. We have note before that the Frobenius automorphism σ is a linear operator on F p n. Thus we know that σ n (η) = η pn = η for every η F p n, then σ n = 1 and so σ satses the polynomial x n 1. We prove that x n 1 is the minimal polynomial of σ. We suppose that there is a polynomial n 1 f(x) = A i x i F p [x] of degree less than n that annihilates σ, therefore we have: n 1 f(x) = A i σ i = 0 Then ( n 1 i=0 i=0 ) n 1 n 1 A i σ i (η) = A i σ i (η) = η pi = 0 i=0 i=0 i=0 for any η F p n. Thus η is a root of the polynomial f(x). This is absurd because the degree of the polynomial f(x) is at most p n 1 and so f(x) cannot have p n > p n 1 roots in F p n. Hence x n 1 is the minimal polynomial of σ. Moreover the minimal polynomial of σ divides the characteristic polynomial of σ (Cayley-Hamilton theorem). But the characteristic polynomial of σ is monic and of degree n then the characteristic polynomial of σ is equal to the minimal polynomial of σ, namely x n 1. Thus there exists an element α F p n such that α, σ(α), σ 2 (α),... span F p n and form a basis of F p n over F p (cf. Lemma 1.1). But the elements of this basis are α and its conjugates with respect to F p so these elements form a normal basis of F p n over F p 18

20 1.2.1 The multiplication matrix The crucial point in normal basis arithmetic is multiplication. We rst consider the general multiplication scheme in F p n. Let F p n be an extension of F p, let B = {α 0, α 1,..., α n 1 } a basis over F p and let A = A i α i and B = B j α j with A i, B j F p 0 i<n 0 j<n be two elements in F p n with respect to B. Because F p n can be identied as F n p, i.e the set of all n tuples over F p, so we can write A and B in the form A = (A 0, A 1,..., A n 1 ) and B = (B 0, B 1,..., B n 1 ) Hence multiplication is: A B = A i B j α i α j 0 i,j<n Set we obtain where α i α j = C = A B = 0 k<n 0 i,j<n = 0 i,j<n = 0 k<n = 0 k<n c k = t (k) i,j α k with t (k) i,j F p (1.1) A i B j α i α j = A i B j ( ( 0 i,j<n c k α k 0 i,j<n 0 k<n A i B j t (k) i,j A i B j t (k) i,j t (k) i,j α k ) ) = α k = 19

21 and T k = (t k i,j) is an n n matrix over F p. Thus to implement the multiplication in F p n is necessary to compute c k for any k = 0, 1,..., n 1 and each c k require from computational point of view d k multiplications in F p where d k is the number of nonzero entries in T k for any k = 0, 1,..., n 1, then to compute C are necessary n d k multiplications for any k = 0, 1,..., n 1 and (d k 1) n additions in F p n. Now we consider a normal basis N = {α 0, α 1,..., α n 1 } of F p n over F p, where we have set α i = α pi. Let A = 0 i<n A iα i then A p = σ(a) = σ ( 0 i<n A i α i ) = 0 i<n A i σ(α i ) = 0 i<n A i 1 α i so the coordinate vectors of A are (A n 1, A 0,..., A n 2 ), then A p is obtained from A by one cyclic shift of the the coordinates of A and can be compute without any operations in F p. If we now consider the identity (1.1) and we raise both sides of equation to the p m -th powers one nds that: t (m) i,j = t (0) i m,j m for any 0 i, j, m < n Thus the matrix T 0 that we use to compute c 0 with the coordinates of A and B is the same matrix that we use to compute c m with the coordinates of A p m and B p m, but we know that A p m as B p m are obtain with m-cyclic shift of the vector representations of A and B, then we can compute any c k shifting the A and B vectors. From this property of symmetry of normal basis N it follows that the computational cost of the multiplication between A and B depend to the number of nonzero terms of T 0 (see [11]). Now we dene n n matrix T N = (t i,k ) 0 i,k<n with entries in F p by: α pi α = 0 k<n t i,k α pk for 0 i < n this matrix is called the multiplication matrix of N and is denoted with T N. 20

22 We shall show how is possible to compute the multiplication between A and B using T N and how the computational cost of their multiplication with this matrix improves. Let A = A i α pi and B = B j α pj 0 i<n 0 j<n be two elements in F p n with respect to N, it follows: ( ) ( ) C = AB = A i α pi B j α pj = 0 i<n 0 i<n 0 j<n 0 j<n A i B j α pi α pj (1.2) We can write: α pi α pj = ( ) p j α pi j α = and substituting in (1.2): 0 k<n C = AB = = t i j,k α pk+j 0 i<n 0 j<n = 0 i, j<n = 0 k<n = 0 k<n A i B j ( ( 0 k<n = 0 k<n A i B j α pi α pj 0 i, j<n ( 0 k<n t i j,k α pk ) pj t i j,k j α pk (1.3) t i j,k j α pk ) A i B j t i j,k j ) α pk C k α pk (1.4) where C k = 0 i, j<n A i B j t i j,k j are the coefcients C 0,..., C n 1 of the product C = A B. If we consider the identities (1.1) and (1.3), we obtain that t (k) i,j = t i j,k j 21

23 Therefore the number of non-zero entries in T 0 is the number of non-zero entries in T N and so the multiplication between A and B in the normal basis representation of F p n is completely determined by T N. Denition 1.5 (see [14]). Let d N = # { (i, k) {0,..., n 1} 2 : t i,k 0 } be the number of non-zero entries in T N. Then d N is the complexity of the normal basis N and the product of two elements in F p n with respect to this basis can be computed with at most n d N multiplication and at most (d N 1) n additions in F p as in general case. But while in the last one we must memorize a n n-matrix, in the rst case we must recall n n n-matrix. Obviously we wish to nd a normal basis such that d N is the smallest possible. The following theorem gives as a lower bound for d N. Theorem 1.2 (see [12]). Let N be a normal basis in F p n d N. Then d N 2n 1. over F p with density Proof. Let N = {α, α p, α p2,..., α pn 1 } be the normal basis over F p. Let T r(α) = n 1 i=0 αpi be the trace of α over F p and let T N = (t i,k ) 0 i,k<n be the multiplication matrix of N Since (α pi α) = 0 k<n t i,kα pk T r(α) α = (α pi α) 0 i<n we have T r(α) α = and comparing coefficients proves 0 i<n 0 k<n = 0 k<n ( 0 i<n t i,k α pk t i,k ) α pk (1.5) { T r(α) if k = 0 t i,k = 0 else 0 i<n (1.6) 22

24 Thus the sum of rows of T N is an n-tuple with T r(α) in position 1 and zeros elsewhere. Since α is nonzero and {αα pi : 0 i < n} is also a basis of F p n over F p, then the rows of T N are linearly indipendent. Therefore each column of T N must contain at least one nonzero element. Moreover with respect to (1.6) there are at least two nonzero elements in each column with the possible exception of column one. So the total number of nonzero elements in T N is at least 2n 1 Denition 1.6 (Optimal normal bases (1), see [12, 14]). We say that N is an optimal normal basis of F p n if d N = 2n 1. Now we illustrate through an example a common way to compute the multiplication matrix T N with respect to a normal basis N = {α,..., α pn 1 }. EXAMPLE (Construction of T N ) 1. We consider an irreducible minimal polynomial f F 2 [x] and let α be one of its roots. Thus we have the eld F 2 F 2 5 = (x 5 + x 2 + 1) = { } = a i α i : a i F 2 and f(α) 0 0 i<5 Set β = α 3, then {β, β 2, β 4, β 8, β 16 } is a normal basis, in fact β = α 3 (mod f) β 2 = α 6 α 3 + α (mod f) β 4 = α 12 α 3 + α 2 + α (mod f) β 8 = α 24 α 4 + α 3 + α 2 + α (mod f) β 16 = α 48 α 4 + α + 1 (mod f) 23

25 Then we have: (β, β 2, β 4, β 8, β 16 ) = (1, α, α 2, α 3, α 4 ) and The computation of the products β pi β for 0 i < 5 in F 2 5 gives β β = α 3 α 3 α 3 + α (mod f) β 2 β = α 6 α 3 α 4 + α 3 + α (mod f) β 4 β = α 12 α 3 α 4 + α 3 + α 2 + α + 1 (mod f) β 8 β = α 24 α 3 α 3 + α + 1 (mod f) β 16 β = α 48 α 3 α 3 + α 2 (mod f) 3. Now we write a matrix T such that in the left part contains the coefficient of the polynomial basis representation of β 2i for i = 0,..., 4, while in the right part contains the coefficient of the polynomial repre- 24

26 sentation of β 2i β T = We can perform Gaussian elimination on T to write β β, β 2 β, β 4 β, β 8 β, β 16 β as a linear combination of the conjugates of β. ( I4 T ) with I 5 the 5 5-identity matrix and T = The output is then 4. The multiplication matrix T N is the transposed matrix of T. Then β β = β 2 β 2 β = β 2 + β 22 + β 23 β 22 β = β + β 2 + β 22 + β 24 β 23 β = β + β 22 + β 23 + β 24 β 24 β = β + β 2 + β 22 and so the density of the matrix T N is d N = Construction of the optimal normal bases We will now consider one construction of the optimal normal bases with the help of roots of unity and cyclotomic polynomials, for this reason we review some classical results: 25

27 Denition 1.7 (see [10]). Let n be a positive integer and let K (n) the splitting eld of x n 1 over a eld K. The roots of x n 1 in K (n) are called the n-th roots of unity over K and the set of this roots is denoted by E (n). Denition 1.8 (see [10, 14]). Let K a eld of characteristic p and n a positive integer not divisible by p. An element ς in a extension eld of K is called a primitive n-th root of unity if ς n = 1 and ς s 1 for 0 < s < n. Thus the primitive n-th root of unity over K is a generator of the cyclic group E (n). Under the same condition of Denition 1.8 the polynomial Φ n (x) = n s=1 gcd(s,n)=1 (x ς s ) is called the n-th cyclotomic polynomial over K and ς 0, ς 1,..., ς ϕ(n) are the ϕ(n) primitive n-th roots of unity. Moreover every n-th root of unity over K is a primitive d-th root of unity over K, for exactly one positive divisor d of n. In fact, let ς be a primitive n-th root of unity over K and let ς s be an arbitrary n-th root of unity over K, then d = n/gcd(s, n) is the order of ς s, but since: x n 1 = n (x ς s ) s=1 If we collect the factors (x ς s ) for which ς s is a primitive dth root of unity over K, we obtain the formula: x n 1 = d n Q d (x) and so it follows that Φ n (x) = xn 1 Φ d (x) d n d n 26

28 Theorem 1.3 (see [10, 13]). Let p be a prime power and let n be a positive integer such that gcd(n, p) = 1. Let d be the last positive integer such that p d 1 (mod n). Then F p d is the splitting eld of Φ n and Φ n is the product of φ(n)/d distinct monic irreducible polynomials of degree d. Proof. Let α be any primitive n-th root of unity over F p. If α F p k, α pk = α and so p k 1 (mod n). Since d is the least positive integer exponent such that p d 1 (mod n) then k is a multiple of d and so α F p d. Now, since n divides p d 1 then the cyclic group F p d has a unique subgroup of order n and so this subgroup contains all n-th roots of unity, i.e. all the roots of Φ n are in F p d, then F p d is the splitting eld of Φ n. Since d is the least positive integer such that α F p d then the minimal polynomial of α over F p has degree d and because there are φ(n) primitive n-th roots of unity then Φ n can be factorized in φ(n)/d distinct irreducible polynomials of degree d, each one is a minimal polynomial of a primitive n-th roots of unity We note that from the last theorem it follows that Theorem 1.4. Φ n is irreducible over F p if and only if q φ(n) 1 (mod n). Then from this we know when Φ n is irreducible over a nite eld and we shall use these results in the next theorem that describes some optimal normal bases. Theorem 1.5 (Optimal normal bases (2), see [14]). Let n + 1 be a prime and p be a primitive root modulo n + 1 (i.e. p modulo n + 1 generates F n+1 ). Let ς be a primitive (n + 1)-th root of unity in an extension eld of F p and α = ς. Then N = {α, α p, α p2,..., α pn 1 } is an optimal normal basis of F p n over F p. Proof. From Theorem 1.2 and Theorem 1.3 we have that since p is a primitive root in F n+1, the minimal polynomial of α is Φ n+1 = (Xn+1 1) (X 1) = X n + X n F p [X] 27

29 and the (n + 1)-th roots of unity are linearly indipendent. Thus the set of the conjugates of α, N = {α, α p,..., α pn }, is a normal basis for F p n. This basis, as we have shown, is equal to the basis {α, α 2,..., α n }. Now we denote with M = {α α i : i = 1,..., n} the set of rows of T N and we note that the number of nonzero terms in the matrix T N is also the number of nonzero terms in the expansion of the set M in the basis N. Thus we have α α i = α i+1 = α j for 1 j < n and α α n = 1 = 1 i n Therefore there are exactly (n 1) + n = 2n 1 nonzero terms in T N and so N is an optimal normal basis Theorem 1.6 (see [4]). Let n+1 be a prime, let p be a primitive root modulo n + 1 so that α i = α i (mod n+1). The basis {α, α p, α p2,..., α pn 1 } for F p n over F p is the same as the basis {α, α 2,..., α n } for F p n over F p. Proof. It is sufcient to show that {1, p, p 2,..., p n 1 } = {1, 2,..., n} in F n+1. Suppose 0 j i n 1 and p i p j (mod n + 1). Then p j (p i j 1) 0 (mod n + 1) and so p i j 1 (mod n + 1). Furthermore the order of p, that is n, divides i j. But i j < n then i = j. Hence {1, p, p 2,..., p n 1 } are all distinct and {1, p, p 2,..., p n 1 } = {1, 2,..., n} We note, also, that the basis {α, α 2,..., α n } is dierent but similar to the traditional power basis {1, α,..., α n 1 } for F p n over F p. For switch quickly between these two bases we use the identities: α n = α n 1 α n 2... α 1 and α 0 = α n α n 1... α Moreover we can reduce the exponents of α that are > n using the relation α i = α i (mod n+1) and the relation α 0 = α n α n 1... α can be used 28 α i

30 for exponents of α that are zero modulo n + 1. Thus as a consequence of the optimality of the bases the reduction stage of the multiplication in F p n requires only 2n 1 additions in F p (see [7]). 29

31 Chapter 2 Arithmetic operations in F p 2 Now we describe how the computations in F p 2 can be done eciently; for this purpose a rapresentation of F p 2 is needed that allows ecient arithmetic operations. Let p 2 (mod 3), it follows that (X 3 1)/(X 1) = X 2 + X + 1 is irriducibele over F p. In fact we have that one root of the polynomial has the form α = and so X 2 + X + 1 is irriducible if and only if 3 is a quadratic non-residue modulo p. Using the Legendre symbol 1 it follows that: ( a p then ( ) 3 = p ( ) 1 p ( ) 3 = ( 1) p 1 2 p ( ) 3 p 1 We recall that if a is an integer and p > 2 a prime, we dene the ) Legendre symbol to equal 0, 1 or 1, as follows: (see [5]) ( ) a = p 0 if p a 1 if a is a quadratic residue (mod p) 1 if a is a nonresidue (mod p) 30

32 if p 1 2 is even p 1 (mod 4) and so ( 1) p 1 2 if p 1 2 is odd p 3 (mod 4) and so ( 1) p 1 2 ( ( 3 p 3 p ) = 1 ) = ( 1) (1) = 1 Therefore 3 is a quadratic non-residue modulo p and X 2 irriducible over F p [X], so F p 2 = F p [X]/(X 2 + X + 1). + X + 1 is Moreover, since p 2 (mod 3), p is a primitive root modulo 3, i.e. p (mod 3) generates F 3. Then considering Theorem 1.5 the zeros α and α p of the polynomial (X 3 1)/(X 1) = X 2 + X + 1 form an optimal normal basis for F p 2 over F p, i.e. F p 2 = {x 1 α + x 2 α p : x 1, x 2 F p }. From α i = α i (mod 3) it follows that α p = α 2+3k = α 2 1 k = α 2 and so F p 2 = { } x 1 α + x 2 α 2 : α 2 + α + 1 = 0, x 1, x 2 F p. Note that in this representation of F p 2 an element t of F p is represented by tα tα 2, e.g. 3 is represented by 3α 3α 2 (see [8]). Arithmetic operations in F p 2 are carried out as follows. Lemma 2.1 (see [8]). Let x, y, z F p 2 with p 2 (mod 3) prime. Not couting additions or subtractions in F p : i. Computing x p is for free. ii. Computing x 2 takes two multiplications in F p. iii. Computing x y takes three multiplications in F p. iv. Computing x z y z p takes four multiplications in F p. Proof. Let x = x 1 α + x 2 α 2 F p 2 we have that: x p = x p 1α p + x p 2α 2p = x 2 α + x 1 α 2 It follows that p th powering in F p 2 does not require arithmetic operations and thus can be considered to be for free, this prove i. 31

33 For squaring, we write: (x 1 α + x 2 α 2 ) 2 = x 2 1α 2 + x 2 2α 4 + 2x 1 x 2 α 3 ( ) because α 3 1 α α 2 and α 4 α both modulo α 2 + α + 1 it follows ( ) = x 2 1α 2 +x 2 2α 2x 1 x 2 α 2x 1 x 2 α 2 = x 1 (x 1 2x 2 )α 2 + x 2 (x 2 2x 1 )α that prove ii. Let x = x 1 α + x 2 α 2 and y = y 1 α + y 2 α 2 F p 2 and we compute x y = (x 1 α + x 2 α 2 ) (y 1 α + y 2 α 2 ) = = (x 1 y 1 α 2 + x 1 y 2 + x 2 y 1 + x 2 y 2 α) = = (x 2 y 2 x 1 y 2 x 2 y 1 )α + (x 1 y 1 x 1 y 2 x 2 y 1 )α 2 using Karatsuba method (see Appendix A), rst compute x 1 y 1, x 2 y 2 and (x 1 + x 2 )(y 1 + y 2 ), after which x 1 y 2 + x 2 y 1 and thus x y follow using four subtractions. Finally let x = x 1 α + x 2 α 2, y = y 1 α + y 2 α 2, z = z 1 α + z 2 α 2 F p 2, it follows that: x z y z p = = (x 1 α + x 2 α 2 ) (z 1 α + z 2 α 2 ) (y 1 α + y 2 α 2 ) (z 1 α + z 2 α 2 ) p = = (x 1 α + x 2 α 2 ) (z 1 α + z 2 α 2 ) (y 1 α + y 2 α 2 ) (z1α p p + z2α p 2p ) = = (x 1 α + x 2 α 2 ) (z 1 α + z 2 α 2 ) (y 1 α + y 2 α 2 ) (z 1 α 2 + z 2 α) with α 2 + α it follows = x 1 z 1 α 2 + x 1 z 2 + x 2 z 1 + x 2 z 2 α y 1 z 1 y 1 z 2 α 2 y 2 z 1 α y 2 z 2 = = x 1 z 1 α 2 + x 1 z 2 ( α α 2 ) + x 2 z 1 ( α α 2 ) + x 2 z 2 α y 1 z 1 ( α α 2 ) y 1 z 2 α 2 y 2 z 1 α y 2 z 2 ( α α 2 ) = = (z 1 (y 1 x 2 y 2 ) + z 2 (x 2 x 1 + y 2 ))α + + (z 1 (x 1 x 2 + y 1 ) + z 2 (y 2 x 1 y 1 )α 2 ) 32

34 that prove iv. For comparison purposes we review the following results. Lemma 2.2 (see [9]). 2 Let x, y, z F p 6 with p 5 (mod 7), and let s, t Z with 0 < s, t < p. i. Computing x y takes 18 multiplications in F p. ii. Computing x 2 takes 18 squarings in F p. iii. Computing x s takes an expected 9 log 2 s multiplications and 18 log 2 s squarings in F p. iv. Computing x s x t takes an expected 13.5 log 2 max(s, t) multiplications and 18 log 2 max(s, t) squarings in F p. Proof. Since p 5 (mod 7), p generates F 7 and Φ 7 (X) = X 6 + X 5 + X 4 + X 3 + X 2 + X + 1. Let α denote a root of Φ 7 (X), then F p 6 can be represented using the optimal normal bases {α, α 2,..., α 6 } over F p. So multiplication and squarings in F p 6 can be done in 18 multiplications and squarings in F p respectively, rather than 36 as it is required by the classic algorithm for the multiplications. In fact, let 5 5 x = x i α i+1 and y = y j α j+1 i=0 j=0 using the Karatsuba algorithm, with proper adjustment of the powers of α, i.e. x = X 0 α + X 1 α 4 and y = Y 0 α + Y 1 α 4 where X 0, X 1, Y 0, Y 1 are the second degree polynomials, we have that: x y = (X 0 α + X 1 α 4 ) (Y 0 α + Y 1 α 4 ) = X 1 Y 1 α 8 + (X 0 Y 1 + X 1 Y 0 )α 5 + X 0 Y 0 α 2 2 We remark that in the article [9] p is 2 (mod 3). Instead, our choice to take p 2 (mod 7) is a trick to have an optimal normal basis, as conrmed by a sent us by Martijn Stam, a A. K. Lenstra's student. 33

35 so that with z 0 = X 0 Y 0, z 1 = X 1 Y 1 and z 2 = (X 0 + X 1 ) (Y 0 + Y 1 ) x y = z 1 α 8 + (z 2 z 1 z 0 )α 5 + z 0 α 2 Each of this z i can be computed using 6 multiplication, in fact, because X 0 = x 0 + x 1 α + x 2 α 2 and Y 0 = y 0 + y 1 α + y 2 α 2 we have that: z 0 = X 0 Y 0 = = x 0 y 0 + (x 0 y 1 + x 1 y 0 )α + (x 0 y 2 + x 1 y 1 + x 2 y 0 )α (x 1 y 2 + x 2 y 1 )α 3 + x 2 y 2 α 4 so that using Karatsuba method again, we set: z 0 = x 0 y 0, z 1 = x 1 y 1, z 2 = x 2 y 2, z 3 = (x 0 + x 1 ) (y 0 + y 1 ), z 4 = (x 0 + x 2 ) (y 0 + y 2 ), z 5 = (x 1 + x 2 ) (y 1 + y 2 ) thus z 0 = z 0 + (z 3 z 0 z 1 )α + (z 1 + z 4 z 0 z 2 )α (z 5 z 1 z 2 )α 3 + z 2 α 4 z 1 and z 2 can be computed in a similar way. It follows that 18 multiplications (or squarings) are suce to compute x y (or x 2 ) and this proves i and ii. For iii we use the ordinary square and multiply method. Therefore we get log 2 s squarings and expected 0.5 log 2 s multiplications in F p 6 and so considering the result of i and ii we have 9 log 2 s multiplications and 18 log 2 s squarings in F p. For iv we use standard multi-exponentiation (see Appendix B) and so we obtain log 2 (max(s, t)) squarings and 0.75 log 2 (max(s, t)) multiplications in F p 6 which are equivalent to 13.5 log 2 (max(s, t)) multiplications and 18 log 2 (max(s, t)) squarings in F p. 34

36 Chapter 3 XTR supergroup and XTR subgroup The XTR work environment is the multiplicative group of the nite eld F p 6. This cyclic group has order p 6 1, therefore only one cyclic subgroup with order p 2 p + 1 exsist (see [8]). The latter group is reffered to as the XTR supergroup, X. Because p 2 p + 1 not divide any p s 1 for s = 1, 2, 3, X cannot be embedded in the multiplicative group of any true subeld of F p 6. Let g be an element of order q > 3 dividing p 2 p + 1. The order q subgroup Y = g genereted by g is referred to as XTR subgroup (see [8]). We show, here below, that arbitrary powers of g can be represented using a single element of the subeld F p 2, and that such powers can be computed eciently using arithmetic operations in F p 2, avoiding arithmetic in F p 6 (see [9]). 3.1 Traces Denition 3.1. The trace T r(h) over F p 2 of h F p 6 is the sum of the conjugates over F p 2 of h, i.e., T r(h) = h + h p2 + h p4 35

37 Because h F p 6, the order of h divides p 6 1 and so h p6 = h p6 1 h = h, it follows that T r(h) p2 = (h + h p2 + h p4 ) p2 = h p2 + h p4 + h p6 = h p2 + h p4 + h = T r(h) so that T r(h) F p 2 (see [8, 9]). Proposition 3.1. The function T r from F p 6 to F p 2 is an F p 2-linear application, i.e. T r(h + k) = T r(h) + T r(k) T r(c h) = c T r(h) Proof. Let c F p 2 such that c p2 = c, and let h, k F p 6 we have that T r(h + k) = (h + k) + (h + k) p2 + (h + k) p4 = h + k + h p2 + k p2 + h p4 + k p4 = T r(h) + T r(k) T r(c h) = c h + c p2 h p2 + c p4 h p4 = c h + c h p2 + c h p4 = c ( h + h p2 + h p4 ) = c T r(h) Now let g F p be an element of order q > 3 and such that q divides 6 p 2 p+1. The conjugates of g which order divide p 2 p+1 are g, g p2 = g p 1, since p 2 p 1 (mod p 2 p + 1), g p4 = g p, since p 4 (p 1) 2 p 2 2p + 1 p 1 2p + 1 p (mod p 2 p + 1) and so T r(g) = g + g p2 + g p4 = g + g p 1 + g p Mereover, since the order of g divides p 6 1 the trace over F p 2 the trace of the conjugates over F p 2 of g: of g equals 36

38 T r(g) = T r(g p2 ) = T r(g p4 ) From this last result and since in XTR elements of X are represented by their trace over F p 2, it follows that XTR makes no distinction between an element of Y = g and its conjugates over F p 2 (see [16]). 3.2 The polynomials F (c, X) Denition 3.2 (see [9]). For c F p 2 dene the polynomial F (c, X) = X 3 cx 2 + c p X 1 F p 2[X] with (not necessarily distinct) roots h 0, h 1, h 2 F p 6[X], and dene c n = h n 0 + h n 1 + h n 2 for n Z. Now we considered c of the form T r(g) for g of order > 3 and dividing p 2 p + 1. We have the following result: Theorem 3.1 (see [9]). The roots of X 3 T r(g)x 2 + T r(g) p X 1 are the conjugates of g. Proof. We compare the coefficients of X 3 T r(g)x 2 + T r(g) p X 1 with the coefficients of the polynomial (X g)(x g p 1 )(X g p ). The coefficients of X 2 follows from g + g p 1 + g p = T r(g). The coefficients of X equals: g g p + g g p 1 + g p g p 1 = g p + g 1 p + g 1 Since 1 p p 2 mod p 2 p + 1 and 1 p 2 p mod p 2 p + 1 we nd that: g p + g 1 p + g 1 = g p + g p2 + g p2 p = (g + g p + g p 1 ) p = T r(g) p 37

39 The constant coefficients is the product of the conjugates: g g p g p 1 = g 1 p + p 1 = g 0 = 1 which completes the proof. Therefore (X g)(x g p 1 )(X g p ) = X 3 T r(g)x 2 + T r(g) p X 1 F p 2[X] is actually the minimal polynomial of g over F p 2 and so this polynomial and the conjugates of g are fully determined by T r(g) F p 2. The same holds for any power of g, in fact for any integer n the conjugates of g n are the roots of X 3 T r(g n )X 2 + T r(g n ) p X 1 F p 2[X], and the latter polynomial and the conjugates of g n are determined by T r(g n ) F p 2. This observation is useful for cryptographic purposes if there is a way to eciently compute T r(g n ) given T r(g). In cryptographic protocols, then, g n F p 6 can be replaced by T r(g n ) F p 2, thereby obtaining a saving of a factor 3 in the rapresentation size (see [8]). We will show that T r(g n ) can indeed be computed quickly given T r(g), so that a considerable speed advantage is obtained. For this purpose now we consider the properties of the polynomial X 3 cx 2 + c p X 1 for general c F p 2 as in Denition Properties of F (c, X) and its roots Lemma 3.1. Properties of F (c, X), see [9] i. F (c, h p j ) = 0 for j = 0, 1, 2. ii. Either all h j have order dividing p 2 p + 1 and > 3 or all h j F p 2. Proof i. From F (c, h j ) = h 3 j ch 2 j + c p h j 1 = 0 it follows that h j 0 38

40 and that 0 = F (c, h j ) p = = h 3p j = h 3p j = h 3p j c p h 2p j + c p2 h p j 1 = ( 1 + c p h p j F (c, h p j ) ch 2p j + h 3p j ) = where h j 0 and c p2 = c. Therefore F (c, h p j ) = 0 and thus for all root h j, its power h p j is also root of the polynomial F (c, X). Proof ii. From i it follows, without loss of generality, that we have three possibility: 1. h j = h p j for j = 0, 1, h 0 = h p 0, h 1 = h p 2, h 2 = h p h j = h p j+1 mod 3 for j = 0, 1, 2. In the rst case all h j have order dividing p + 1 and thus in F p 2, in fact we have: h p+1 j = h j h p j = h j h 1 j In the second case, h 0 has order dividing p + 1 because h 0 = h p 0. While h 1 = h p 2 = h p2 1 and h 2 = h p 1 = h p2 2, so that h 1 and h 2 both have orders dividing p 2 1 and thus h 1, h 2 F p 2. In the last case it follows from 1 = h 0 h 1 h 2 that 1 = h 0 h 1 h 2 = h 0 h p 2 h p 0 = h 0 h p2 0 h p 0 = h p2 p so that h 0 and similarly h 1 and h 2 have order dividing p 2 p + 1 Moreover if either one, say h 0, has order at most 3, then h 0 has order 1 or 3 since p 2 p + 1 is odd. Since 3 divide p 2 1, in fact p 2 1 mod 3, it follows that the order of h 0 divides p 2 1 so that h 0 F p 2. But then h 1 and h 2 are in F p 2 because they are power of h 0. as well, 39

41 It follows that while in the rst and second case the roots are in F p 2, in the last case either all h j have order dividing p 2 p + 1 and > 3, i.e. h j X for j = 0, 1, 2, or all h j are in F p 2. Recall that, as in Denition 3.2, c n = h n 0 + h n 1 + h n 2. Now we show its properties. Lemma 3.2. Properties of c n, see [9] i. c = c 1. ii. c n = h n 0 h n 1 + h n 0 h n 2 + h n 1 h n 2 iii. c n = c np = c p n for n Z. iv. c n F p 2 for n Z. for n Z. v. c u+v = c u c v c p v c u v + c u 2v for u, v Z. Proof. The proof follows from the denition of c n in Denition 3.2, in fact it follows that c 1 = h 0 + h 1 + h 2 = c For ii, because h 0 h 1 h 2 = 1 it follows that therefore h 1 h 2 = h 1 0 (h 1 h 2 ) n = h n 0 h 0 h 2 = h 1 1 (h 0 h 2 ) n = h n 1 h 0 h 1 = h 1 2 (h 0 h 1 ) n = h n 2 (h 1 h 2 ) n + (h 0 h 2 ) n + (h 0 h 1 ) n = h n 1 h n 2 + h n 0 h n 2 + h n 0 h n 1 = = h n 0 + h n 1 + h n 2 = c n Now we consider the three cases of the proof of ii in Lemma 3.1 (Properties of F (c, X)): 1. If h j = h p j for j = 0, 1, 2 then h np j h n 1 + h n 2 = h np 0 + h np 1 + h np 2 = c np. = h n j and thus c n = h n

42 2. If h 0 = h p 0, h 1 = h p 2 and h 2 = h p 1 then c n = h n 0 + h n 1 + h n 2 = h np 0 + h np 1 + h np 2 = c np. 3. if h j = h p j+1 mod 3 for j = 0, 1, 2 then c n = h n 0 + h n 1 + h n 2 = h np 1 + h np 2 + h np 0 = c np. Moreover c np = (h n 0 + h n 1 + h n 2) p = c p n that proves iii. If all h j F p 2, then iv is immediate. Otherwise, it follows from Lemma 3.1.ii that 1 F (c, X) F p 2[X] is irreducible if and only if its roots have order dividing p 2 p + 1 and are > 3, so we have that F (c, X) is irreducible and its roots are the conjugates of h 0. Thus c n = T r(h n 0) F p 2, which concludes the proof of iv. By the denition of c n, c n = c p n (cf. Property iii) and the relationship h n 0 + h n 1 + h n 2 = 1, the proof of v follows from a staightforward computation. In fact we have that c u c v c p v c u v + c u 2v = = (h u 0 + h u 1 + h u 2) (h v 0 + h v 1 + h v 2) (h v 0 + h v 1 + h v 2) p (h u v 0 + h u v 1 + h u v 2 ) + (h u 2v 0 + h u 2v 1 + h u 2v 2 ) = By the relationship c n = c p n it follows = h u+v 0 + h u+v 1 + h u+v 2 + h u 0 h v 1 + h u 0 h v 2 + h u 1 h v 0 + h u 1 h v h u 2 h v 0 + h u 2 h v 1 (h v 0 + h v 1 + h v 2 ) (h u v 0 + h u v 1 + h u v 2 ) + + (h u 2v 0 + h u 2v 1 + h u 2v 2 ) = = h u+v 0 + h u+v 1 + h u+v 2 + h u 0 h v 1 + h u 0 h v 2 + h u 1 h v 0 + h u 1 h v h u 2 h v 0 + h u 2 h v 1 h u 2v 0 h u 2v 1 h u 2v 2 h v 0 h u v 1 + h v 0 h u v 2 h v 1 h u v 0 h v 1 h u v 2 h v 2 h u v h v 2 h u v 1 + h u 2v 0 + h u 2v 1 + h u 2v 2 = ( ) 1 We remember that The polynomial f F [X] of degree 2 or 3 is irriducible in F [X] if and only if f has no root in F (see [10], Theorem 1.69). 41

An overview of the XTR public key system

An overview of the XTR public key system Arjen K. Lenstra 1, Eric R. Verheul 2 1 Citibank, N.A., and Technische Universiteit Eindhoven, 1 North Gate Road, Mendham, NJ 07945-3104, U.S.A., arjen.lenstra@citicorp.com