DigitalDigital SignatureSignature SchemesSchemes BasedBased onon LFSRLFSR SequencesSequences

Guang Gong Department of Electrical & Computer Engineering University of Waterloo, PresentationPresentation OutlineOutline

Ø Overview of Digital Signature Schemes Ø Characteristic Sequences over GF() of Degree n and Commutative Law Ø Digital Signature Schemes Based on Characteristic Sequences and the Trace-Discrete-Logarithm Ø Efficient Digital Signature Schemes Based on the Sequences for n = 3 and n = 5 Ø Related work: LUC, XTR and Toris Based

@ G. Gong Bergen'04 2 OverviewOverview ofof DigitalDigital SignatureSignature SchemesSchemes

Ø Basics of Public- Cryptography Ø RSA and Digital Signature Ø ElGamal Digital Signature and DSS (Digital Signature Standard) Ø ECDSA (Elliptic Curve Digital Signature )

@ G. Gong Bergen'04 3 Bob’s public key

Bob’s private key

Plaintext Encryption Decryption algorithm algorithm Bob Alice

Simplified Model of Public-Key Encryption

@ G. Gong Bergen'04 4 Requirements of Public-key Cryptography One-way function: easy x f(x) infeasible

Trapdoor one-way function:

easy

x fk (x) infeasible if k is not known

easy if k is known

@ G. Gong Bergen'04 5 Therefore, security of public-key are based on the difficulty of different computational problems.

Most important ones are - Factoring large integers - Finite field discrete logarithms - Elliptic curve discrete logarithms

@ G. Gong Bergen'04 6 KeyKey pairspairs ofof thethe publicpublic--keykey systemsystem

In a secure network system, each user x has a pair of keys

(Ex, Dx):

• Ex is an encryption key which is put into a public key directory or a file (after certified), called a public-key of the user.

• Dx is a decrypted key kept private, called a private key of the user.

• Dx(Ex) = Ex(Dx) = identity map

• From known Ex, it is computational infeasible to obtain Dx

C = E (m) Alice b Bob: Db(C) = DbEb(m) = m

@ G. Gong Bergen'04 7 RequirementsRequirements ofof DigitalDigital SignaturesSignatures

Ø Everyone can verify digital signatures.

Ø Only the signer can sign; no one can forge the signer’s signature (this prevents forgery and denial attacks.)

Ø Once a dispute occurs, a third party can solve it.

@ G. Gong Bergen'04 8 RSARSA Digital Digital Signature Signature Algorithm Algorithm ( (RSARSA--DSA)DSA)

Signer: - Select p and q both prime; n = pq; e: gcd(e, f(n)) = 1, 1

Signer Verifier e • Computes h(m) and • computes r mod n • checks whether d r =h(m) modn r e = h( m ) (1) r is a digital signature of the message m If (1) is true, accepts as a valid signature. Otherwise, rejects it.

Remark: Most frequently used in wireless communications since e can be chosen as 3 which extremely saves the cost of the verification process. ElGamalElGamalDigitalDigital Signature Signature Algorithm Algorithm (1985) (1985) and and DigitalDigital Signature Signature Standard Standard (DSS) (DSS) ( ( NIST, NIST, 1994) 1994) - System public keys: p, a prime, Q, a factor of p -1, g an element in GF(p) with order Q - h(.): a hash function - Signer, private key: 0< x < Q with (x, Q) = 1, public key: y = gx.

Signing Verifying • setting u = h(m)t-1 mod Q • randomly picks k: 0 < k < Q -1 coprime with Q (per message) v = - r t mod Q • computes w = guyv • computes r = gk • checks whether • solves for t in the equation: w = r (1) h(m) º xr +kt (mod Q) If (1) is true, accept as a valid (r, t) is a digital signature of the signature. Otherwise, reject it. message m In ElGmal, Q = p – 1, and in DSS, Q is a 160 bit number. In elliptic curve digital signature algorithm (EC-DSA), g is replaced by a point on an elliptic curve, and the multiplicative group of GF(p) is replaced by an additive group of points on the curve. But the signing equation and all the procedures are preserved. ElGamal and DSS Signing Process

m m Message r s m y = g x r = g k

(r, s) signature Hash Sign

x: private key k: secret number per message

@ G. Gong Bergen'04 11 ElGamal and DSS Verifying Process

m Hash

r s Verifying

y = g x: public key

@ G. Gong Bergen'04 12 SecuritySecurity ofof thethe ElGamalElGamal--likelike SignatureSignature SchemeScheme

Consider

m = xr + ks mod p -1 (1)

If the attacker can compute y = g x to obtain x, then he can forge any signature since in (1) he can pick k to compute r, and therefore, obtain s.

Thus the security of the ElGamal digital signature algorithm is based on the difficulty of solving discrete log problem in Fp .

Remark: The signing equation (1) can be changed to other forms. We will refer to all signature schemes using the ElGamal procedure with a different signing equation, or different group, or different order of g, as ElGamal-like signature schemes.

@ G. Gong Bergen'04 13 CharacteristicCharacteristic Sequences Sequences over over GF(GF(qq)) of of Degree Degree nn Third-orderandand Characteristic Commutative Commutative SequencesLaw Law

Ø Let q be a prime or a power of a prime,

n n-1 n-2 n-1 n f (x) = x - an-1x + an-2 x -L+ (-1) a1x + (-1) , ai ÎGF (q) irreducible over GF(q) with order Q,, and let a be a root of f(x) in the extension GF(qn). Ø A sequence s = {sk} is said to be an LFSR sequence generated by f(x) if

n-1 n s k+n= an-1sk+n-1 + an-2sk+n-2 -L+ (-1) a1sk+1 + (-1) sk , k = 0,1,L

Ø If an initial state of {sk} is given by

k sk = Tr(a ), k = 0,1,L, n -1

then {sk} is called a (nth-order) characteristic sequence.

We denote sk = sk (f), k = 0, 1, … .

@ G. Gong Bergen'04 14 Characteristic Sequences of Degree 3 n Let q be a prime or a power of a prime and f(x) = x3 – a x2 + bx – 1, a, b Î GF(q), be irreducible over GF(q). n A sequence {sk} is said to be an LFSR sequence generated by f(x) if

s3+k = as2+k + bs1+k + sk, k = 0, 1, … n If an initial state of {sk} is given by 2 s0 = 3, s1 = a, and s2 = a – 2b,

then {sk} is called a (3rd-order) characteristic sequence.

@ G. Gong Bergen'04 15 Example 1. Let K = GF(5), r = 3 and f(x) = x3 + x – 1 which is irreducible over K. The characteristic sequence generated by f(x):

3 0 3 3 2 0 1 2 4 4 3 0 1 3 4 3 4 1 4 3 2 1 1 1 0 0 1 0 4 1 1 ... which has period 31 = 52 + 5 + 1. The reciprocal polynomial of f(x) is f -1(x) = x3 - x2 -1

@ G. Gong Bergen'04 16 3 1 1 4 0 1 …

Output Output 3 0 3 3 2 0 ... 1 1 3 3 0 3

1 -1

Figure 2. A Pair of the Reciprocal LFSRs in Example 1

@ G. Gong Bergen'04 17 1 4 3 4 4 3 3 1 2 0 3 1 4 1 One period of the LFSR 3 4 1 f(x) = x + x – 1 and its reciprocal 2 0 1 0 0 1 0 2 4 3 1 3 1 3 0 @ G. Gong Bergen'04 18 ProfilesProfiles ofof nnthth--orderorder CharacteristicCharacteristic SequencesSequences

n Period : a factor of qn-1 + … + q + 1 n Trace representation: k k kq kqn-1 sk = Tr(a ) = a +a +L +a , k = 0,1,... n For any two positive integers k and e, let fk(x) be the minimal polynomial of ak over GF(q). Then

se ( fk ) = sek ( f ) = sk ( fe ) which is called the commutative law of the char. sequences. n Let f (x) = x n - a xn-1 +L+ (-1)n-1 a + (-1)n k n-1,k 1,k

Then s k = a n - 1 , k and s-k = a1,k

@ G. Gong Bergen'04 19 StateState TransitionTransition ofof LFSRLFSR SequencesSequences

... sn-1 s1 s0 n Let {sk} be generated by f(x), n State vector: n-2 n-1 an-1xn-1 + L+ (-1) x1 + (-1) x0 s j = (s j , s j +1, L, s j +n-1 ) n State transition matrix: Let é s j ù n-1 ê ú é 0 0 L 0 (-1) ù s ê ú ê j +1 ú 1 0 0 (-1)n-2 a M ( j) = ê 1 ú ê M ú A = ê n-3 ú 0 1 0 (-1) a2 ê ú ê ú s êL ú ëê j+n -1 ûú ê ú ë 0 0 1 an-1 û Property 1. -1 State transition formulas: sv+ j = sv (M (0) M ( j))

s j = (s j-1, s j , L, s j+n -2 )A Therefore, the (v+j)th term, sv+j , is the inner = L -1 product of sv and the first column of M ( 0 ) M ( j ) . j = (s0 , s1, L, sn-1 )A Motivation of the LFSR based public-key cryptography

n Develop a PKC whose security is based on the difficulty of solving the (DL) in GF(qn), but all computation are performed in GF(q). One important issue needs to be solved: th Fast computation algorithm for evaluating sk, the k term of the sequence. If we can find an algorithm which computes the kth term of s is faster than to compute ak in GF(qn) for some n, then we can have an efficient digital signature scheme.

@ G. Gong Bergen'04 21 AlgorithmsAlgorithms forfor kkththTermTerm ComputationComputation ofof Char.Char. SequencesSequences

Assumption A (kth Term Computation). For a given f(x) and k, there is an efficient algorithm to calculate the k kth term sk (compare it with calculating a . This will become for n = 3 and n = 5.)

Algorithm 1. (Mixed Term Computation) For given v and s j = ( s j , s j + 1, L , s j+ n - 1) (j is unknown), the (v+j)th term, s v + j , can be computed by the following procedure:

Step 1. Compute the vth state, sv, using Assumption A. Step 2. Compute s v + j by Property 1, which only involves matrix computation.

@ G. Gong Bergen'04 22 ElGamalElGamal--likelike DigitalDigital SignatureSignature AlgorithmAlgorithm BasedBased onon LFSRLFSR SequencesSequences -System public keys: f(X) with the constant term (-1)n, an irreducible polynomial over GF(q) of degree n with period Q; a a root of f(x) in GF(qn). - h(.): a hash function.

- Signer, private key: 0< x < Q with (x, Q) = 1, public key: y = sx , the xth state of the char. sequence of f(x). Verifying Signing • setting v = - h(m)r-1 mod Q • randomly picks k: 0 < k < Q u = - t r-1 mod Q

coprime with Q (per message) • Using Algorithm 1 to compute A = sv+x • computes fk , as a vector of n – 1 from v and sx. dimensional space, the minimal • Using Assumption A to compute k polynomial of a over GF(q), set r is an B = su(fk), the uth term of the char. integer converted from sk. sequence of fk. • solves for t in the equation: • checks whether h(m) º xr +kt (mod Q) A = B (1)

(fk, t) is the digital signature of the If (1) is true, accept as a valid message m. signature. Otherwise, reject it. Verifier: Signer: x m, r t, r

s x = (sx , sx+1, L, sx+n-1 ) v = -h(m)r -1 u = -tr -1 Signing for the message m: k s x f k A = sv+ x (Al 1) B = su ( f k )(Assu)

fk = (sk ,ak ,n -2, L,ak ,2 , s-k )

r = convert(sk ) A = ? B x k h(m) º xr + kt (mod Q) m Yes, accept it. No, reject it. t Sign and Verifi. of ElGamal-like LFSR-DSA Signature: (r, t). (fk transmitted). SecuritySecurity ofof ElGamalElGamal--likelike LFSRLFSR--DSADSA andand thethe TraceTrace DiscreteDiscrete LogarithmLogarithm ProblemProblem

How to forge a signature of the LFSR-DSA?

Ø There is a one-to-one correspondence between the set consisting of all states of the LFSR f(x) and the set consisting of all powers of a (a root of f(x)), which is the subgroup of the multiplication group of GF(qn).

So, if one solves the discrete logarithm problem (DLP) in a polynomial time (i.e., given a and b, solving for d such that b = a d ), then from the public-key sx, through the above one-to-one correspondence, the attacker can obtain the private key x. From this, he (she) can forge any signature as wish.

@ G. Gong Bergen'04 25 SecuritySecurity ofof ElGamalElGamal--likelike LFSRLFSR--DSADSA andand thethe TraceTrace DiscreteDiscrete LogarithmLogarithm ProblemProblem (Cont.)(Cont.)

Definition. Given b Î GF ( q ) , the trace discrete logarithm problem is of finding an index d such that Tr ( a d ) = b , or determining there is no such index .

If one cannot solves the DLP in a polynomial time, but can solve the trace- DLP in a polynomial time, then there is a forgery as follows. Let m be the message that the attacker wishes to forge a signature. The attacker may:

(1) randomly choose k, and compute fk by Assumption 1, so r is obtained. -1 (2) compute A = s v + x where v = - h ( m ) r by Al 1. (3) find an index d by solve the trace-DLP for A = Tr ( a d ) . (4) set t = - rdk - 1 (mod Q)

Then ( f k , t ) is a forged signature of m. Result. The security of the LFSR-DSA is based on the difficulty to solve the trace-DLP.

Question. What is the relationship between the complexity of the DLP and the complexity of the trace-DLP? The answer is that they are equivalent under some assumption (omitted here).

@ G. Gong Bergen'04 27 EfficientEfficient DigitalDigital SignatureSignature AlgorithmAlgorithm BasedBased onon LFSRLFSR SequencesSequences ofof DegreesDegrees 33 andand 55

Ø Fast Algorithm to Evaluate the kth term of Char. Sequences of Degree 3 Ø Cubic DSA and Applications in the Constrained Devices Ø Fast Algorithm to Evaluate the kth Term of Char. Sequences of Degree 5 ØQuintic DSA

@ G. Gong Bergen'04 28 FastFast algotihmalgotihmtoto evaluateevaluate thethe kkththtermterm ofof char.char. SequencesSequences withwith degreedegree 33

Let { s k } be the characteristic sequence over GF(q) generated by f (x) = x3 - ax2 + bx -1 and { s - k } , generated by the reciprocal of f(x), which is given by f -1 (x) = x 3 -bx 2 + ax -1

Lemma 1. For any two integers n and m, we have

(1) s2n = sn - 2s-n

(2) sn sm - sn- ms-m = sn+m - sn-2 m , n ¹ m

From this lemma, we can obtain an algorithm to compute the kth state and its reciprocal state, therefore, the kth term of the sequence.

@ G. Gong Bergen'04 29 Algorithm 2 (Reciprocal States Fast Evaluation Algorithm (RSEA), Gong-Harn, 1999)

r k = k 2r-i Let å i be the binary representation of k. Let T0 = k 0 ¹ 0 i=0

and Tj = k j + 2Tj-1 , 1 £ j £ r . So, Tr = k . Then the kth terms of a pair of the reciprocal char. sequences can be computed iteratively as follows:

For k j = 0,

s = s s - bs + s , T j -1 T j -1 T j -1 -1 -T j -1 -(T j -1 +1)

s = s2 - 2s , and T j T j -1 -T j -1

s = s s - as + s . T j +1 T j -1 T j -1 +1 -T j- 1 -(T j -1 -1)

For k j = 1,

s = s2 - 2s , Tj -1 Tj -1 -Tj -1

s = s s - as + s , and Tj Tj -1 Tj -1 +1 -Tj -1 -( Tj -1 -1)

s = s2 - 2s . Tj +1 Tj -1 +1 -(Tj -1 +1)

Thus evaluation of a pair of the kth terms sk and s-k needs 9logk multiplications in GF(q) in average.

RSEA outputs dual states of the LFSR f(x)

-1 B s -2 -(t+1) -a A-1 s -a -1 -t -2 A -b -2 s-(t-1)

kj = 0 kj = 1

s s + t+1 × + t’+1 ^2 s ^2 s + A t + t’ × × + s st-1 t’-1 + ^2 A B

t = Tj-1 and t’ = Tj = kj + 2Tj-1 RedundancyRedundancy identities identities of of States States of of the the 3rd 3rd-- OrderOrder CharacteristicCharacteristic Sequences Sequences

n Reciprocal operator: D(sk) = s-k n For given reciprocal terms (sk, sk+1) and (s-k, s-(k+1)),

if D = sk+1 s-(k+1) – ab ¹ 0, then

sk-1 = ( e s-(k+1) - b D(e))/D and s-(k-1) = D(sk-1 )

2 where e = sk + (ab - 3 ) s-k - a s-(k+1)

• This shows that three elements in any state of the 3rd-order characteristic sequences are not independent. @ G. Gong Bergen'04 32 Algorithm 3. An Algorithm for Computing a Mixed Term sv+j, j Unknown (Algorithm 1 in Degree 3 version)

Input: v and s j = ( s j , s j + 1 , s j+ 2 ) .

Output: sv+j, , the (v+j)th term of the Char. Sequence. Procedure:

Step 1: Applying Algorithm 2 to compute s v = ( s v , s v + 1 , s v + 2 ) , the vth state of the LFSR f(x). Step3: Pack the matrices M(0), and M(j):

é 3 a s2 ù é s j s j+1 s j+2 ù M (0) = ê a s s ú ê ú ê 2 3 ú M ( j) = ês j+1 s j+2 s j+3 ú ês s s ú ê ú ë 2 3 4 û ës j+2 s j+3 s j+4 û

compute the inner products of sv and the first column of M(0)-1 M( j) , which gives sv+j, ( s j+3 and s j+4 are computed from the linear recursive relation from sj). ElGamal-like Digital Signature Algorithm of Degree 3

- System public keys: p, a prime, q = pv , Q, a prime factor of q2 + q +1 for 2 2 v ¹ 2 and Q = P1P2 , P1 | p + p +1, P2 | p - p +1 for v = 2 res., and f(x) = x3 – a x2 + bx – 1, irreducible over GF(q) with period Q - h(.): a hash function (SHA-1)

- Signer, private key: 0< x < Q with (x, Q) = 1, public key y = ( s x , s x + 1 , x x + 2 ) .

Signer Verifier -1 • randomly picks k: 0 < k < Q • setting v = - h(m)t mod Q coprime with Q (per message) u = - r t-1 mod Q • applying Algorithm 2 to compute • computes A = sv+x by Algorithm 3 • by Algorithm 2, computes (sk , s-k ) B = s ( f ) , the uth term of the char. • setting r, an integer converted from sk u k • solves for t in the equation: sequence of the LFSR h(m) º xr +kt (mod Q) 3 2 fk (x) = x - sk x + s-k x -1 (r, t) is a digital signature of the • checks whether A = B (1) message m (s-k needs to be transmitted) If (1) is true, accepts. Otherwise, rejects. Verifier: Signer: x m, r, h(x) t, r

(sx , sx+1, sx+2 ) (Alg 2) v = -h(m)r -1 u = -tr -1 Signing for the message m:

k (sx , sx+1 , sx+2 ) (sk , s-k )

A = sv+ x (Alg 3) B = su ( f k )(Alg 2)

fk = (sk , s-k ) (Alg 2)

r = convert(sk ) A = ? B x k h(m) º xr + kt (mod Q) m Yes, accept it. No, reject it. t Sign and Verifi. of Cubic DSA Signature: (r, t). - System public keys: q = p = 5, Q = 52 + 5 +1 = 31, f(x) = x3 – (2 x2 + 1), irreducible over GF(5) with period 31 (in E.g. 1) - h(.) = 4x (mod 31) : a hash function.

- Signer, private key: 0< x = 7 < 31, public key (s7 , s8 , s9 ) = (2,4,4)

Verifier Signer • setting v = - h(m)t-1 = - 9 ´16 º 11 (mod 31) to sign message m = 10 u = - r t-1 = -22 ´16 º 20 (mod 31) • randomly picks k = 4. • computes A = s by Algorithm 3: • by Algorithm 2, computes v+x (1) Algorithm 2: s = s = (0,1,3) (s , s ) = (2,0) v 11 4 -4 (2) • setting r = sk = 2. s s s 2 4 4 • solves for t: é 7 8 9 ù é ù M (7) = ês s s ú = ê4 4 3ú ê 8 9 10 ú ê ú h(m) = 4m º 9 (mod 31) é1 3 0ù ëês9 s10 s11ûú ëê4 3 0ûú t º k -1(h(m) - xr) M (0) -1 M (7) = ê0 3 3ú ê ú -1 é3 0 3ù é3 1 4ù = 4 (9 - 7´ 2) º 22 (mod 31) ëê3 0 3ûú M (0) = ê0 3 3ú Þ M (0)-1 = ê1 3 4ú ê ú ê ú (2, 22) is a digital signature ëê3 3 2ûú ëê4 4 1ûú of the message m = 10 (s-k A = s = s ×(1,0,3) = 4, the first column of M (0)-1 M (7) = 0 needs to be transmitted) 11+ x 11

3 2 • Algorithm 2: B = s 20 ( f 4 ) = 4 , where f4 (x) = x - 2x -1 • Since A = B = 4, accept it. Sequences in the example of cubic DSA

The 4-decimation of S (k = 4), f(x) = x3 + x – 1, irreducible over which is generated by 3 2 GF(5) with period 31. The f4 (x) = x - 2x -1 characteristic sequence generated is given by by f(x):

S = 3 2 4 1 4 2 0 4 0 0 3 0 3 3 2 0 1 2 4 4 4 3 1 1 0 1 3 1 3 4 3 0 1 3 4 3 4 1 4 3 4 1 1 1 3 2 0 3 3 1 2 1 1 1 0 0 1 0 4 1 0 1

A B

Red marked terms are computed by Signer, and the green ones computed by Verifier. Profile of cubic DSA for the version q = p

n Security: the difficulty of solving discrete logarithm in the finite field GF(p3) n 341 bits Cubic DSA Û 170 bits EC-DSA Û 1024 bit RSA Û 1024 bits DSA

@ G. Gong Bergen'04 38 Related Public-key XTR (Lenstra and Verheul, 2000) ¾ using special characteristic sequences

System public parameters: p, a prime number and q = p2 f(x) = x3 – a x2 + ap x – 1, irreducible over GF(q) with period Q | p2 – p + 1

@ G. Gong Bergen'04 39 Applications:Applications: TheThe BasicBasic InternetInternet KeyKey ExchangeExchange (IKE)(IKE) ProtocolProtocol

* System setup: Primes p, q, q|p-1, and g of order q in Zp . Each user has a private key for a signature algorithm SIG, and all have the public verification keys of the other users in the network. The protocol also uses a message code: MAC, and a pseudorandom function generator PRF. The protocol messages: A = Initiator , B = Responser Start message (A ® B): s, g a s, ID , SIG ("1",s, g a , g b ),MAC ("1",s, ID ) Response message (B ® A): b b k1 b Finish message (A ® B): ID ,SIG ("0",s, g b , g a ), MAC ("0", s, ID ) a a k1 a (Optional) ACK message (B ® A): MAC ("1") k1 The protocol messages passing Alice Bob

s, g a

s, ID , SIG ("1",s, g a , gb ), MAC ("1",s, ID ) b b k1 b

ID , SIG ("0", s, g b , g a ), MAC ("0", s, ID ) a a k1 a

MAC ("1") k1

(IKE does not have this round currently!)

The shared session key: k = PRF (0) MAC key: 0 g ab k1 = PRFg ab (1)

The DH and DSA can be replaced by the cubic DH and cubic DSA. Blackberry Screen Captures: System Setup.

GH-DH = cubic DH, GH- DSS = cubic DSA, are implemented at RIM’s Blackberry handheld.

@ G. Gong Bergen'04 42 FastFast AlgorithmAlgorithm toto EvaluateEvaluate thethe kkththTermTerm ofof Char.Char. SequencesSequences ofof DegreeDegree 55 A. Characteristic Sequences of Degree 5 v n Let q = p and f ( x) = x5 - ax4 + bx3 - cx2 + dx -1, a,b,c,d ÎGF(q) be irreducibleAlgorithm over 4. GF(Triple(q) -andand a-addbe -asubtract root of algorithm)f(x) in GF(q5). n The characteristic sequence {sk} generated by f(x) is given by

sk +5 = ask +4 -bsk +3 + csk +2 - dsk +1 + sk , k = 0,1,L with the initial state:

2 3 s0 = 5, s1 = a, s2 = a - 2b, s3 = a -3ab + 3c, 4 2 2 s4 = a - 4a b + 2b - 4d + 4ac or equivalently, k sk = Tr(a ), k = 0,1,L

2 n The XTR analogue: let q = p , and the period of f(x), say Q, is a factor of p4 - p3 + p2 - p +1 , then f (x) = x5 - ax4 + bx3 -b p x 2 + a p x -1, a,bÎGF( p 2 ) We may write the minimal polynomial of ak as follows:

5 4 3 p 2 p fk (x) = x - sk x +tk x - tk x + sk x -1

where S = { s k } and { s - k }, T = { t k } and { t - k } are pairs of reciprocal sequences, p p and s-k = sk and t-k = tk .

@ G. Gong Bergen'04 44 Algorithm 4. Fifth-Order Algorithm for Evaluating the kth Terms of S and T Sequences.

n i 1. Let k = åci 3 , ci Î{-1,0,1}. i=0

2. Set m =1 and u = (s-1, s0 , s1, s2 , s3 ) and v = (t-1,t0 ,t1 ,t2 ,t3 ) 3. For i = 0,... , n (a) Set d = 3m + c , and compute u = (s , s , s , s , s ) and v = (t , t ,t ,t ,t ) i i di -2 di -1 di di +1 di +2 di -2 di -1 di di +1 di +2

(b) m = di

Output (sm ,tm )

In the loop 3-(a), use the following relations, obtained from Lemma 1.

@ G. Gong Bergen'04 45 Comparisons of Several Approaches for Computing the kth Terms of S and T Sequences and Representations

@ G. Gong Bergen'04 46 XTRXTR--AnalogueAnalogue ofof QuinticQuinticDSADSA

-System public keys: p, a prime, q = p2 , Q, a prime factor of p4 - p3 + p2 - p +1 for f (x) = x5 - ax4 + bx3 -b p x 2 + a p x -1, a,bÎGF( p 2 ) irreducible over GF(q) with period Q - h(.): a hash function (SHA-1) - Signer, private key: 0< x < Q with (x, Q) = 1, public key: s x = ( s x , s. x + 1 , sx +2 , sx +3 , sx +4 ) Verifier Signer • setting v = - h(m)t-1 mod Q • randomly picks k: 0 < k < Q u = - r t-1 mod Q coprime with Q (per message) • computes A = sv+x by Algorithm 1 (in • applying Algorithm 2 to compute which Assumption 1 is replaced by

(sk ,tk ) Algorithm 4) • by Algorithm 4, computes • setting r, an integer converted from sk • solves for t in the equation: B = s u ( f k ) , the uth term of the char. h(m) º xr +kt (mod Q) sequence of the LFSR

5 4 3 p 2 p (r, t) is a digital signature of the fk (x) = x - sk x +tk x - tk x + sk x -1 • checks whether message m (tk needs to be transmitted) A = B (1) If (1) is true, accepts. Otherwise, rejects. The Contents of the talk is taking from the following research work:

1. G. Gong and L. Harn, A new approach for public key distribution, the Proceedings of China-Crypto'98, May 1998, Chengdu, China. 2. G. Gong and L. Harn, Public-key cryptosystems based on cubic finite field extensions, IEEE Trans. on Inform. Theory, vol. 45, No.7, November 1999, pp. 2601-2605. 3. G. Gong, L. Harn and H.P. Wu, The GH public-key cryptosystems, Selected Areas in Cryptography, Lecture Notes in Computer Science , S. Vaudenay and A. M. Youssef (Ed). Berlin, Germany, Springer-Verlag, 2001, vol. 2259, p.284-300. 4. K. Giuliani and G. Gong, Analogues to the Gong-Harn and XTR cryptosystems, Technical report, University of Waterloo, CORR 2003-34, accessible at www.cacr.math.uwaterloo.ca. 5. K. Giuliani and G. Gong, Efficient key agreement and signature schemes using compact represenations in $GF(p^{10})$, will be appeared at the Proceedings of the ISIT 2004, July 2004. 6. K. Giuliani and G. Gong, Signature schemes based on the trace discrete log problem (Trace-DLP), will be appeared soon as Technical report, University of Waterloo, February, 2004 (submitted to Crypto04). References of Some Related Work n W. Diffie and M.E. Hellman, “New directions in cryptography,” IEEE Trans. On Inform. Theory, vol. IT-22, November 1976, pp.644-654. Comments: Exponentiation in DH can be considered as evaluating kth term of a first order LFSR sequence over GF(q). n W.B. Müller and W. Nöbauer, " of the Dickson-scheme, " Advances in Cryptology, Proceedings of Eurocrypt'85, pp. 71-76. n P. Smith, "LUC public-key encryption, " Dr. Dobb's Journal, pp. 44-49, January 1993. Comments: The mathematical function used in this family of the public-key cryptosystems is a 2nd-order LFSR characteristic sequence over GF(p). n A.K. Lenstra and E.R. Verheul, The XTR public key systems, Advances in Cryptology, Proceedings of Crypto2000, pp. 1-19, August, 2000. Comments: the mathematical function is a 3rd-order LFSR characteristic sequence over GF(p2) which is a special case of the sequences used in the GH public key . n Karl Rubin and Alice Silverberg, Torus-based cryptography, Advances in Cryptology, Proceedings of Crypto2003, August 2003. Comments: Generalize GH and XTR in a general model using an algebraic tool: Tori.

@ G. Gong Bergen'04 49