A More Compact Representation of XTR Cryptosystem∗
IEICE TRANS. FUNDAMENTALS, VOL.E91–A, NO.10 OCTOBER 2008 2843
PAPER Special Section on Information Theory and Its Applications
Masaaki SHIRASE†a), Member, Dong-Guk HAN††, Nonmember, Yasushi HIBINO†††, Member, Howon KIM††, Nonmember, and Tsuyoshi TAKAGI†, Member
SUMMARY XTR is one of the most efficient public-key cryptosystems that allow us to compress the communication bandwidth of their ciphertext. The compact representation can be achieved by deploying a subgroup of the extension field $\mathbb{F}_{q^6}$, so that the compression ratio of the XTR cryptosystem is 1/3. On the other hand, Dijk et al. proposed an efficient public-key cryptosystem using a torus over $\mathbb{F}_{q^{30}}$ whose compression ratio is 4/15. It is an open problem to construct an efficient public-key cryptosystem whose compression ratio is smaller than 4/15. In this paper we propose a new variant of the XTR cryptosystem over finite fields with characteristic three whose compression ratio is 1/6. The key observation is that there exists a trace map from $\mathbb{F}_{q^6}$ to $\mathbb{F}_q$ in the case of characteristic three. Moreover, the compression and decompression algorithms require only about 1% overhead compared with the original XTR cryptosystem. Therefore, the proposed variant of the XTR cryptosystem is one of the fastest public-key cryptosystems with the smallest compression ratio.

key words: cryptography, XTR cryptosystem, finite field, efficient implementation, compact representation

Manuscript received January 28, 2008.
Manuscript revised April 20, 2008.
† The authors are with Future University Hakodate (FUN), Hakodate-shi, 041-8655 Japan.
†† The authors are with Electronics and Telecommunications Research Institute (ETRI), Korea.
††† The author is with Japan Advanced Institute of Science and Technology (JAIST), Nomi-shi, 923-1292 Japan.
∗ The preliminary version of this paper [15] was published at the 5th International Conference on Applied Cryptography and Network Security, ACNS 2007.
DOI: 10.1093/ietfec/e91–a.10.2843
Copyright © 2008 The Institute of Electronics, Information and Communication Engineers

1. Introduction

In the classical Diffie-Hellman (DH) key exchange scheme, two system parameters are fixed: a large prime number $q$ and a generator $g$ of the multiplicative group of the basic prime field $\mathbb{F}_q$. In the basic DH scheme the two parties each send a random power of $g$ to the other party. Assuming both parties know $q$ and $g$, each party transmits about $\log_2(q)$ bits to the other party.

In [6], ElGamal suggested that finite extension fields can be used instead of prime fields, but no direct computational or communication advantages were implied. In [14], Schnorr proposed a variant of the classical Diffie-Hellman scheme, in which $g$ does not generate the whole multiplicative group of the prime field $\mathbb{F}_q$, but only a small subgroup whose order is relatively small compared to $q$. This considerably reduces the computational cost of the DH scheme, but has no effect on the number of bits to be exchanged.

After that, attempts were made to use traces to represent and calculate powers of elements of a subgroup of a finite field, to achieve an efficient and compact subgroup representation. The LUC cryptosystem uses the trace over $\mathbb{F}_q$ to represent elements of the order $q + 1$ subgroup of $\mathbb{F}_{q^2}^*$ [16]. Compared to the traditional representation, LUC leads to a factor 2 reduction in the representation size. The variant described in [7] uses the subgroup of order $q^2 + q + 1$ of $\mathbb{F}_{q^3}^*$ instead, but as a result sizes are reduced by only a factor 1.5. In [2], Brouwer et al. introduced for the first time how the use of finite extension fields and subgroups can be combined in such a way that the number of bits to be exchanged is reduced by a factor 3. More specifically, it was shown that elements of an order $p$ subgroup of $\mathbb{F}_{q^6}^*$ can be represented using $2\log_2(q)$ bits if $p$ divides $q^2 - q + 1$. Despite its communication efficiency, the method is rather troublesome and computationally not particularly efficient.

In 2000 Lenstra-Verheul introduced XTR [9], a cryptosystem using the trace over $\mathbb{F}_{q^2}$ to represent elements of the order $q^2 - q + 1$ subgroup of $\mathbb{F}_{q^6}^*$, thereby achieving a factor 3 size reduction. Also, the resulting calculations are appreciably faster than using the standard representation. XTR of security equivalent to 1024-bit RSA achieves speed comparable to cryptosystems based on random elliptic curves over random prime fields (ECC) of equivalent security. The corresponding XTR public keys are only about 2∼3 times as large as ECC keys in practical key sizes, assuming global system parameters; without the last requirement the sizes of XTR and ECC public keys are the same. Furthermore, parameter initialization from scratch for XTR takes a negligible amount of computing time, unlike RSA and ECC. Combined with its very easy programmability, this makes XTR an excellent public-key cryptosystem for a very wide variety of environments, ranging from smart cards to web servers.

On the other hand, Rubin-Silverberg proposed a torus-based cryptosystem CEILIDH over $\mathbb{F}_{q^6}$ whose compression rate is the same as that of XTR [13]. Dijk-Woodruff then presented a torus-based cryptosystem over $\mathbb{F}_{q^n}$ whose compression ratio is asymptotically $\varphi(n)/n$, where $\varphi$ is the Euler totient function [4]. However, the cryptosystem proposed by Dijk-Woodruff is not as efficient as RSA with the key lengths used in practical applications. In 2005 Dijk et al. further proposed a relatively efficient public-key cryptosystem using a torus over $\mathbb{F}_{q^{30}}$ whose compression ratio is $\varphi(30)/30 = 4/15$
[5]. It is an open problem to construct a practical public-key cryptosystem whose compression ratio is smaller than 4/15.

1.1 Contribution of This Paper

In this paper we present a greatly improved version of XTR that leads to a factor 6 reduction in the representation size compared to the traditional representation. That is to say, we achieve a factor 2 reduction compared to the original XTR. We show that if the characteristic of $q$ is three, i.e., $q = 3^{2k-1}$ for some integer $k$, then we can use the trace over $\mathbb{F}_q$ to represent elements of the order $q - \sqrt{3q} + 1$ subgroup of $\mathbb{F}_{q^6}^*$. Also, the resulting calculations such as exponentiations are as fast as those of XTR. Given $Tr_{(q^6,q)}(g)$ and $n$, computing $Tr_{(q^6,q)}(g^n)$ takes about 1291 multiplications in $\mathbb{F}_q$, which is only about a 1% increase compared to the cost of computing $Tr_{(q^6,q^2)}(h^n)$ for given $Tr_{(q^6,q^2)}(h)$ and $n$, where the size of $n$ is 160 bits. Therefore, the proposed scheme is one of the fastest public-key cryptosystems with the smallest compression ratio (i.e., 1/6).

In Sect. 2 we describe XTR, and in Sect. 3 we introduce XTR over characteristic three, which achieves a factor 2 reduction in the representation size compared to XTR. Section 4 shows efficient calculations of XTR exponentiation over characteristic three. Applications and comparisons to the original XTR are given in Sect. 5. We then give the conclusion in Sect. 6.

2. XTR

2.1 Description of XTR

XTR uses a subgroup of prime order $p$ of the order $q^2 - q + 1$ subgroup of $\mathbb{F}_{q^6}^*$. The latter group is referred to as the XTR supergroup, denoted $G_{q^2-q+1}$, and the order $p$ subgroup $G_p$ is referred to as the XTR group. The XTR supergroup $G_{q^2-q+1}$ is not contained in any proper subfield of $\mathbb{F}_{q^6}$ due to the following fact.

Fact 1: [10] Let $p$ be a prime factor of $\Phi_m(q)$, where $\Phi_m$ is the $m$-th cyclotomic polynomial for a positive integer $m$ not divisible by $q$. Then the subgroup $G_p$ of $\mathbb{F}_{q^m}^*$ is not contained in any proper subfield of $\mathbb{F}_{q^m}$.

Combined with the choice of $p$ it follows that computing discrete logarithms in $G_p$ is as hard, in general, as it is in $\mathbb{F}_{q^6}^*$ [9].

Before describing XTR in more detail, we introduce two definitions about optimal normal bases.

Definition 1: Type I Optimal Normal Basis (Type-I ONB)
If $m + 1$ is a prime and $q$ is a generator of $\mathbb{F}_{m+1}^*$, then the set $\{\omega^m, \omega^{m-1}, \cdots, \omega^2, \omega\}$ forms an optimal normal basis of type I in $\mathbb{F}_{q^m}$ and is called Type-I ONB. Here, $\omega$ is the primitive $(m+1)$-th root of unity.

Definition 2: Type II Optimal Normal Basis (Type-II ONB)
If $2m + 1$ is a prime and either of the following two conditions holds,
• $q$ is a primitive root modulo $2m + 1$,
• $q$ is a quadratic residue modulo $2m + 1$ and q 1 mod (2m + 1),
then the set $\{\beta^m, \beta^{m-1}, \cdots, \beta^2, \beta\}$ forms an optimal normal basis of type II in $\mathbb{F}_{q^m}$ and is called Type-II ONB. Here, $\beta = \gamma + \gamma^{-1}$ and $\gamma$ is the primitive $(2m+1)$-th root of unity.

XTR uses $\mathbb{F}_{q^2}$ arithmetic to achieve $\mathbb{F}_{q^6}$ security, without requiring explicit construction of $\mathbb{F}_{q^6}$. Let $q$ be a prime that is 2 mod 3. It follows that $(X^3 - 1)/(X - 1) = X^2 + X + 1$ is irreducible over $\mathbb{F}_q$ and the zeros $\alpha$ and $\alpha^q$ of it form a Type-I ONB for $\mathbb{F}_{q^2}$ over $\mathbb{F}_q$. In XTR, elements of $G_p$ are represented by their trace over $\mathbb{F}_{q^2}$. For $h \in \mathbb{F}_{q^6}$ the trace $Tr_{(q^6,q^2)}(h)$ over $\mathbb{F}_{q^2}$ is defined as the sum of the conjugates over $\mathbb{F}_{q^2}$ of $h$, i.e., $Tr_{(q^6,q^2)}(h) = h + h^{q^2} + h^{q^4} \in \mathbb{F}_{q^2}$. Let $p$ and $q$ be primes with $p$ dividing $q^2 - q + 1$. Also let $h$ be a generator of $G_p$ and let $c = Tr_{(q^6,q^2)}(h)$. Suggested lengths to provide adequate levels of security are $\log_2(q) \approx 170$ and $\log_2(p) \approx 160$.

$c_n$ denotes $Tr_{(q^6,q^2)}(h^n) \in \mathbb{F}_{q^2}$, for some $q$ and $h$ of order $p$ dividing $q^2 - q + 1$ as above. Efficient computation of $c_n$ given $q$, $p$ and $c$ depends on the recurrence relation

$$c_{u+v} = c_u c_v - c_v^q c_{u-v} + c_{u-2v}, \quad (1)$$

for $u, v \in \mathbb{Z}$. It simplifies for $u = v$ to

$$c_{2u} = c_u^2 - 2c_u^q. \quad (2)$$

In [9], Lenstra and Verheul proved that computing $c_{u+v}$ and $c_{2u}$ takes four and two multiplications in $\mathbb{F}_q$ respectively, when $c_u$, $c_v$, $c_{u-v}$, and $c_{u-2v}$ are given.

2.2 XTR Exponentiation

XTR Exponentiation ([9], Algorithm 2.3.7)
INPUT: $c$ and $n$ where $n > 2$
OUTPUT: $c_n$
1. Compute initial values:
  1.1. C3 ← c, C0 ← D[C3], C1 ← A[C0, C3, C3, 3], and C2 ← D[C0]
  1.2. If $n$ is even, replace $n$ by $n - 1$. Let $n = 2m + 1$ and $m = \sum_{j=0}^{l} m_j 2^j$ with $m_j \in \{0, 1\}$ and $m_l = 1$.
2. for $j = l - 1$ downto 0
  2.1. T1 ← D[C_{m_j}]
  2.2. T2 ← D[C_{1+m_j}]
  2.3. if ($m_j = 0$) then T3 ← A[C0, C1, C , C ]
       if ($m_j = 1$) then T3 ← A[C2, C1, C3, C ]
  2.4. C0 ← T1
  2.5. C1 ← T3
  2.6. C2 ← T2
3. If $n$ is odd then return C1 else return C2

In XTR, an algorithm for computing $Tr_{(q^6,q^2)}(h^n)$ given
$Tr_{(q^6,q^2)}(h)$ and a scalar $n \in \mathbb{Z}$ is needed like the algorithm for

In this section, we define a new XTR group $G_p =$
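The recurrences (1) and (2) of Sect. 2.1 can be checked numerically. The following Python code is an added example, not code from the paper or from [9]: it computes $c_n$ with a plain binary ladder (not Algorithm 2.3.7) and compares it with the trace of the $n$-th power of the companion matrix of $X^3 - cX^2 + c^qX - 1$, the polynomial from [9] whose roots are the conjugates of $h$ when $c = Tr_{(q^6,q^2)}(h)$. The toy prime q = 11 and all function names are assumptions chosen for illustration.

```python
# Added illustration of the XTR trace recurrences (1) and (2).
# Q = 11 is a constructed toy parameter (prime, Q % 3 == 2); far too small for real use.
Q = 11

# F_{Q^2} = F_Q[a]/(a^2 + a + 1); the element x0 + x1*a is stored as the tuple (x0, x1).
ZERO, ONE, THREE = (0, 0), (1, 0), (3 % Q, 0)

def add(x, y):
    return ((x[0] + y[0]) % Q, (x[1] + y[1]) % Q)

def sub(x, y):
    return ((x[0] - y[0]) % Q, (x[1] - y[1]) % Q)

def mul(x, y):
    # Uses a^2 = -1 - a.
    (a, b), (c, d) = x, y
    return ((a * c - b * d) % Q, (a * d + b * c - b * d) % Q)

def frob(x):
    # x -> x^Q. Because Q = 2 mod 3, a^Q = a^2 = -1 - a.
    return ((x[0] - x[1]) % Q, (-x[1]) % Q)

def double(x):
    # Eq. (2): c_{2u} = c_u^2 - 2 * c_u^q
    f = frob(x)
    return sub(mul(x, x), add(f, f))

def xtr_trace(c, n):
    """Return c_n from c = c_1 (n >= 1), laddering on (c_{k-1}, c_k, c_{k+1})."""
    lo, mid, hi = THREE, c, double(c)          # k = 1: (c_0, c_1, c_2), c_0 = 3
    for bit in bin(n)[3:]:                     # bits of n after the leading 1
        # Eq. (1) combined with c_{-m} = c_m^q:
        odd_lo = add(sub(mul(lo, mid), mul(frob(c), frob(mid))), frob(hi))  # c_{2k-1}
        odd_hi = add(sub(mul(hi, mid), mul(c, frob(mid))), frob(lo))        # c_{2k+1}
        if bit == "0":
            lo, mid, hi = odd_lo, double(mid), odd_hi       # k -> 2k
        else:
            lo, mid, hi = double(mid), odd_hi, double(hi)   # k -> 2k + 1
    return mid

def trace_reference(c, n):
    """Independent check: c_n is the trace of M^n, where M is the companion
    matrix of X^3 - c X^2 + c^q X - 1 over F_{Q^2}."""
    M = [[ZERO, ZERO, ONE], [ONE, ZERO, sub(ZERO, frob(c))], [ZERO, ONE, c]]
    P = [[ONE if i == j else ZERO for j in range(3)] for i in range(3)]
    for _ in range(n):
        P = [[add(add(mul(P[i][0], M[0][j]), mul(P[i][1], M[1][j])),
                  mul(P[i][2], M[2][j])) for j in range(3)] for i in range(3)]
    return add(add(P[0][0], P[1][1]), P[2][2])

def check_all(max_n=30):
    """Compare ladder and reference for every c in F_{Q^2} and 1 <= n <= max_n."""
    return all(xtr_trace((x0, x1), n) == trace_reference((x0, x1), n)
               for x0 in range(Q) for x1 in range(Q) for n in range(1, max_n + 1))

if __name__ == "__main__":
    c = (4, 7)  # constructed sample value standing in for a transmitted trace
    print(xtr_trace(c, 29), check_all())
```

Only the two coordinates of $c_n$ are ever handled, which is the factor 3 saving over sending $h^n \in \mathbb{F}_{q^6}$; applying `xtr_trace` twice with exponents $a$ and $b$ gives the same value in either order, the property the key agreement relies on.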
We assume that $q = 3^t$ for any odd integer $t$, say $t = 2k - 1$. Then, $\sqrt{3q} = 3^k$ is an integer and $q^2 - q + 1$ is factorized as

$$q^2 - q + 1 = (q + \sqrt{3q} + 1)(q - \sqrt{3q} + 1).$$

3.2.1 Compression

From the definition of $d_n$ and $e_n$, $e_n$ can be easily derived
from $d_n$ due to the following equation

$$e_n = d_n + d_n^q. \quad (4)$$

$n$, where $m$ is an integer arbitrarily selected. We can compute it in the same way as in XTR. To show that, it is enough to show
From Lemma 3, one of $\sqrt{-R}$ is $(-R)^{(q+1)/4}$ and it is efficiently computed by using the idea of Barreto et al. [1]. The basic idea is as follows.

They noticed that, if $q = 3^{2k-1}$ for some $k$:

$$\frac{q+1}{4} = \frac{3^{2k-1}+1}{4} = 6 \cdot \sum_{i=0}^{k-2} (3^2)^i + 1,$$

so that

$$(-R)^{(q+1)/4} = \left((-R)^{2\sum_{i=0}^{k-2}(3^2)^i}\right)^3 \cdot (-R).$$

The quantity $(-R)^{2\sum_{i=0}^{k-2}(3^2)^i}$ is efficiently computed in an analogous fashion to Itoh-Teechai-Tsujii inversion [8], based on the Frobenius map in characteristic three. Let $A \in \mathbb{F}_q^*$. Then, one can compute $A^{\sum_{i=0}^{k-2}(3^2)^i}$ with no more than $\lfloor\log_2(k-1)\rfloor + HW(k-1) - 1$ multiplications in $\mathbb{F}_q$. Here, $\lfloor\cdot\rfloor$ and $HW(\cdot)$ denote the maximum integer less than its operand and the Hamming weight of its operand respectively. Thus, we need at most $\lfloor\log_2(k-1)\rfloor + HW(k-1) + 1$ multiplications in $\mathbb{F}_q$ to compute $(-R)^{(q+1)/4}$ in total.

Next we must find $\sqrt{-1} \in \mathbb{F}_{q^2}$ to compute $\sqrt{R} = \sqrt{-R} \cdot \sqrt{-1}$.

Lemma 4: $\sqrt{-1} \in \mathbb{F}_{q^2}$ is $(\omega + \omega^{-1}) - (\omega^2 + \omega^{-2})$ or $-(\omega + \omega^{-1}) + (\omega^2 + \omega^{-2})$.

Proof 4: It is easily checked that $\left((\omega + \omega^{-1}) - (\omega^2 + \omega^{-2})\right)^2 = -1$ because $1 + \omega + \omega^2 + \omega^3 + \omega^4 = 0$ and $\omega^5 = 1$.

Lemma 5: For any $x = x_1(\omega + \omega^{-1}) + x_2(\omega^2 + \omega^{-2}) \in \mathbb{F}_{q^2}$, $x \cdot \sqrt{-1}$ is free.

Proof 5: Because $\left(x_1(\omega + \omega^{-1}) + x_2(\omega^2 + \omega^{-2})\right) \cdot \sqrt{-1} = -x_2(\omega + \omega^{-1}) + x_1(\omega^2 + \omega^{-2})$.

4.2 Computation of $d_n$ and $d_n^q$

Thanks to Eq. (5) and the results of the previous section, for given $e_n \in \mathbb{F}_q$

$$\{d_n, d_n^q\} = \frac{e_n \pm \sqrt{R}}{2} = 2 \cdot \left(e_n \pm \sqrt{-R} \cdot \sqrt{-1}\right) = 2e_n \pm \left(2e_n^2 + e_n^{\sqrt{3q}}\right)^{\frac{q+1}{4}} \cdot \sqrt{-1}. \quad (6)$$

Table 1 shows the number of multiplications in $\mathbb{F}_q$ required to compute equation (6), where as customary we do not count the cost of additions and subtractions in $\mathbb{F}_q$.

Table 1 The number of multiplications in $\mathbb{F}_q$ for computation of $d_n$ and $d_n^q$, where $q = 3^t$ and $t = 2k - 1$ for some integer $k$.

| Operation | # of multiplications in $\mathbb{F}_q$ |
|---|---|
| $e_n^2$ | 1 |
| $e_n^{\sqrt{3q}}$ | free using Type-II ONB |
| $(2e_n^2 + e_n^{\sqrt{3q}})^{\frac{q+1}{4}}$ | $\lfloor\log_2(k-1)\rfloor + HW(k-1) + 1$ |
| $(2e_n^2 + e_n^{\sqrt{3q}})^{\frac{q+1}{4}} \cdot \sqrt{-1}$ | 0 |
| $2e_n \pm (2e_n^2 + e_n^{\sqrt{3q}})^{\frac{q+1}{4}} \cdot \sqrt{-1}$ | $\lfloor\log_2(k-1)\rfloor + HW(k-1) + 2$ |

For efficient computation of the $\sqrt{3q}$-th power of $e_n$ ($\in \mathbb{F}_q$), i.e., $e_n^{\sqrt{3q}}$, we should select $q$ such that $\mathbb{F}_q$ has an optimal normal basis (ONB) over $\mathbb{F}_3$. As $q = 3^{2k-1}$, $\sqrt{3q} = 3^k$. Thus, the $\sqrt{3q}$-th power is performed by a shift of coefficients when $\mathbb{F}_q$ has an ONB over $\mathbb{F}_3$. However, $\mathbb{F}_q$ never has a Type-I ONB over $\mathbb{F}_3$ since $2k$ is not prime. Therefore, we should check whether $\mathbb{F}_q$ has a Type-II ONB over $\mathbb{F}_3$ or not for given $k$. For example, we may select $k = 56, 71, 111$, and $120$, which satisfy that $\mathbb{F}_q$ has Type-II ONB over $\mathbb{F}_3$.

Note that the multiplication $(2e_n^2 + e_n^{\sqrt{3q}})^{\frac{q+1}{4}} \cdot \sqrt{-1}$ is free from Lemma 5.

Theorem 2: Given $e_n$ for any integer $n$, computing $d_n$ and $d_n^q$ takes about $\lfloor\log_2(k-1)\rfloor + HW(k-1) + 2$ multiplications in $\mathbb{F}_q$ under the assumption that $\mathbb{F}_q$ has Type-II ONB over $\mathbb{F}_3$.

5. Compressed XTR Exponentiation

In this section it is shown how $e_n$ can be computed based on $e_1$ and an arbitrary integer $n$.

Restoration - compute $d_1$ and $d_1^q$ from Restoration[$e_1$]. Between $\{d_1, d_1^q\}$ choose one of them at random, denoted $d$.
XTR exponentiation - compute $d_n$ from XTR Exp[$d$, $n$] described in Sect. 2.2.
Compression - compute Compression[$d_n$] $= d_n + (d_n)^q$. Actually, Compression[$d_n$] $= e_n$.

At the compression step, we can easily check $d_n + (d_n)^q = e_n$. $d$ is one of $\{d_1, d_1^q\}$. If $d = d_1$ then it is trivial because of the definition of $e_n$. Otherwise, i.e., $d = d_1^q$, then $d_n + (d_n)^q = d_n^q + d_n$ because $d_n \in \mathbb{F}_{q^2}$, which concludes the justification of the compression step.

Denote the above XTR exponentiation over characteristic three, which takes $e_1$ and $n$ as input and outputs $e_n$, as

XTR Exp3[$e_1$, $n$] $= e_n$.

Theorem 3: Let $e_1$ and a positive integer $n \in \mathbb{Z}_p$ be given. Assume that $\mathbb{F}_q$ has Type-II ONB over $\mathbb{F}_3$. Then, computing $e_n$ takes about $8\log_2(n) + \lfloor\log_2(k-1)\rfloor + HW(k-1) + 2$ multiplications in $\mathbb{F}_q$.

Proof 6: Immediate from Theorem 2, the XTR Exponentiation algorithm ([9], Algorithm 2.3.7), and Lemma 1.

5.1 Application to XTR-DH

In this section we describe the XTR version of Diffie-Hellman key agreement over characteristic three.

Public Parameters: $q\ (= 3^{2k-1})$, $p$, $Tr_{(q^6,q)}(g) =: e$

Suppose that Alice and Bob, who both have access to the XTR public key data, want to agree on a shared secret key $K$. This can be done using the following XTR version.
1. Alice selects at random $a \in \mathbb{Z}_p$, uses XTR Exp3[$e$, $a$] $= e_a \in \mathbb{F}_q$, and sends $e_a$ to Bob.
2. Bob receives $e_a$ from Alice, selects at random $b \in \mathbb{Z}_p$, uses XTR Exp3[$e$, $b$] $= e_b \in \mathbb{F}_q$, and sends $e_b$ to Alice.
3. Alice receives $e_b$ from Bob, computes XTR Exp3[$e_b$, $a$] $= e_{ba}$, and determines $K$ based on $e_{ba} = Tr_{(q^6,q)}(g^{ba})$.
4. Bob uses XTR Exp3[$e_a$, $b$] $= e_{ab}$, and determines $K$ based on $e_{ab} = Tr_{(q^6,q)}(g^{ab})$.

5.2 Comparison to Original XTR

In this section, we compare XTR over characteristic three to the original XTR. Let XTR and XTR3 denote the original XTR [9] and XTR over characteristic three respectively.

5.2.1 XTR Group $G_p$

XTR : XTR group $G_p =$

5.2.2 XTR Exponentiation

XTR : For given $Tr_{(q^6,q^2)}(h)$ and $n \in \mathbb{Z}_p$, computing $Tr_{(q^6,q^2)}(h^n)$ takes $8\log_2(n)$ multiplications in $\mathbb{F}_q$.
– $\mathbb{F}_{q^2}$ has Type-I ONB over $\mathbb{F}_q$.

XTR3 : For given $Tr_{(q^6,q)}(g)$ and $n \in \mathbb{Z}_p$, computing $Tr_{(q^6,q)}(g^n)$ takes $8\log_2(n) + \lfloor\log_2(k-1)\rfloor + HW(k-1) + 2$ multiplications in $\mathbb{F}_q$.
– $\mathbb{F}_{q^2}$ has Type-II ONB over $\mathbb{F}_q$.
– $\mathbb{F}_q$ has Type-II ONB over $\mathbb{F}_3$.

Denote by $|\cdot|$ the bit length of "$\cdot$". In the proposed XTR3, we have to select $k$ such that $\mathbb{F}_q$ has Type-II ONB over $\mathbb{F}_3$, and both order $|p|$ of the subgroup and order $|q^6|$ of the whole group are large enough. Therefore, we cannot construct the proposed XTR3 with arbitrary size of $p$, unlike the original XTR. The security of the 1024-bit (or 2048-bit) RSA cryptosystem corresponds to that of the discrete logarithm problem in the 160-bit (or 224-bit) subgroup, respectively [12].

In order to estimate the efficiency of the proposed XTR3, we try to choose several values of $k$ in the following. $k = 56$ provides $(|p|, |q^6|)$ closest to $(160, 1024)$, namely $(|p|, |q^6|) = (156, 1056)$; however, this $|p|$ is a bit smaller than 160. $k = 71$ is the smallest $k$ such that $|p| \geq 160$ and $|q^6| \geq 1024$. $k = 111$ provides $(|p|, |q^6|)$ closest to $(224, 2048)$, namely $(|p|, |q^6|) = (225, 2101)$, and that also satisfies $|p| \geq 224$ and $|q^6| \geq$

Table 2 Suitable $k$ and costs of XTR and XTR3.

| $k$ | $\lvert p \rvert$ | $\lvert q^6 \rvert$ | Cost of XTR | Cost of XTR3 |
|---|---|---|---|---|
| 56 | 156 | 1056 | 1248 | 1260 |
| 71 | 193 | 1341 | 1544 | 1555 |
| 111 | 225 | 2101 | 1792 | 1806 |
| 120 | 378 | 2273 | 3024 | 3038 |

The communication overhead of XTR-DH in XTR3 is about half of that of XTR-DH proposed in [9] and one sixth of that of traditional implementations of the Diffie-Hellman protocol that are based on subgroups of multiplicative groups of finite fields, while achieving the same level of security.

5.2.4 Size of Public Key Parameter

In XTR, the public key data are $q$, $p$, and $Tr_{(q^6,q^2)}(h)$. Thus, the total length is $3|q| + |p|$. However, in the case of XTR3, the public key data are $q\ (= 3^{2k-1})$, $p$, and $Tr_{(q^6,q)}(g)$, and the total length is $2|q| + |p|$. Table 3 shows the sizes of public key data of XTR and XTR3. The size of public key data of XTR3 is reduced by about 26% compared with XTR for these values of $k$.

Table 3 The sizes of public key data of XTR and XTR3.

| $k$ | $\lvert q \rvert$ | $\lvert p \rvert$ | Public key data size of XTR | Public key data size of XTR3 |
|---|---|---|---|---|
| 56 | 176 | 156 | 684 | 508 |
| 71 | 224 | 193 | 865 | 641 |
| 111 | 351 | 225 | 1278 | 927 |
| 120 | 379 | 378 | 1515 | 1136 |

6. Conclusion

In this paper we presented a new variant of the XTR cryptosystem with a compact representation of the ciphertext. The compression ratio of the ciphertext becomes 1/6, which is the smallest among the previously known practical public-key cryptosystems. The computational overhead of the proposed scheme over the original XTR is only about 1%. Therefore, the proposed scheme is one of the fastest public-key cryptosystems with the smallest compression ratio.

It is a further research topic to construct a practical public-key cryptosystem that achieves a compression ratio smaller than 1/6.

Acknowledgements

The work reported in this paper was supported by the IT R&D program of MIC/IITA. [2005-S088-04, Development of Security technology for Secure RFID/USN Service].

Masaaki Shirase received the B.Sc. in mathematics from Ibaraki University in 1994, and M.I.S. and Dr.I.S. degrees from JAIST (Japan Advanced Institute of Science and Technology) in 2003 and 2006, respectively. He is currently a Postdoctoral in the School of System Science Information at Future University-Hakodate. His research interests are algorithm and implementation of cryptography.
References
[1] P. Barreto, H.Y. Kim, B. Lynn, and M. Scott, “Efficient algorithms for pairing-based cryptosystems,” Crypto 2002, LNCS 2442, pp.354–369, 2002.
[2] A. Brouwer, R. Pellikaan, and E.R. Verheul, “Doing more with fewer bits,” Asiacrypt’99, LNCS 1716, pp.321–332, 1999.
[3] H. Cohen, A Course in Computational Algebraic Number Theory, Springer, 1993.
[4] M. van Dijk and D. Woodruff, “Asymptotically optimal communication for torus-based cryptography,” Crypto 2004, LNCS 3152, pp.157–178, 2004.
[5] M. van Dijk, R. Granger, D. Page, K. Rubin, A. Silverberg, M. Stam, and D. Woodruff, “Practical cryptography in high dimensional Tori,” Eurocrypt 2005, LNCS 3494, pp.234–250, 2005.
[6] T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Trans. Inf. Theory, vol.31, no.4, pp.469–472, 1985.
[7] G. Gong and L. Harn, “Public key cryptosystems based on cubic finite field extensions,” IEEE Trans. Inf. Theory, vol.45, no.7, pp.2601–2605, 1999.
[8] T. Itoh, O. Teechai, and S. Tsujii, “A fast algorithm for computing multiplicative inverses in GF($2^m$) using normal bases,” Inf. Comput., vol.78, pp.171–177, 1988.
[9] A. Lenstra and E. Verheul, “The XTR public key system,” Crypto 2000, LNCS 1800, pp.1–20, 2000.
[10] A. Lenstra, “Using cyclotomic polynomials to construct efficient discrete logarithm cryptosystems over finite fields,” ACISP’97, LNCS 1270, pp.127–138, 1997.
[11] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997.
[12] National Institute of Standards and Technology, Special Publication 800-56: Recommendation on key establishment schemes, Draft 2.0, 2003.
[13] K. Rubin and A. Silverberg, “Torus-based cryptography,” Crypto 2003, LNCS 2729, pp.349–365, 2003.
[14] C. Schnorr, “Efficient signature generation by smart cards,” J. Cryptol., vol.4, pp.161–174, 1991.
[15] M. Shirase, D.-G. Han, Y. Hibino, H.W. Kim, and T. Takagi, “Compressed XTR,” ACNS 2007, LNCS 4521, pp.420–431, 2007.
[16] P. Smith and C. Skinner, “A public-key cryptosystem and a digital signature system based on the Lucas function analogue to discrete logarithms,” Asiacrypt’94, LNCS 917, pp.357–364, 1995.
[17] M. Stam and A. Lenstra, “Speeding up XTR,” Asiacrypt 2001, LNCS 2248, pp.125–143, 2001.

Dong-Guk Han received his B.S. degree in mathematics from Korea University in 1999, and his M.S. degree in mathematics from Korea University in 2002. He received a Ph.D. of engineering in Information Security from Korea University in 2005. He was a Post.Doc. in Future University-Hakodate, Japan. After finishing the doctor course, he had been an exchange student in the Dep. of Computer Science and Communication Engineering in Kyushu University in Japan from April 2004 to March 2005. Now, he is a senior researcher in Electronics and Telecommunications Research Institute (ETRI) from June 2006. He is a member of KIISC, IEEK, and IACR.

Yasushi Hibino is a professor in the School of Information Science at Japan Advanced Institute of Science and Technology (JAIST). He received B.S. and M.S. degrees from Tokyo Institute of Technology, Tokyo, in 1970 and 1972 respectively, and a Ph.D. degree in computer engineering from the same institution in 1995. He worked as a researcher in the Electrical Communication Laboratory of Nippon Telegraph and Telephone (Public) Corporation from 1972 to 1992, where he engaged in development of a Lisp Machine ELIS. He joined JAIST in 1993 and his current research is focused on wave pipeline architecture. He is a member of IEEE, ACM and IPSJ.

Howon Kim received his B.S.E.E. degree from KyungPook National University, DaeGu, Korea, in 1993 and the M.S. and Ph.D. degrees in Electronic and Electrical Engineering from Pohang University of Science and Technology (POSTECH), Pohang, Korea, in 1995 and 1999, respectively. From July 2003 to June 2004, he studied at the COSY group at the Ruhr-University of Bochum, Germany. He was a senior member of technical staff at the Electronics and Telecommunications Research Institute (ETRI), DaeJeon, Korea. He is currently working as an assistant professor at the department of computer engineering in Pusan National University, Busan, Korea. His research interests include RFID technology, sensor network, information security and computer architecture. Currently, his main research focus is on mobile RFID technology and sensor network, public key cryptosystem and its security issues. He is a member of the IEEE, IEEE Computer Society, and IACR.

Tsuyoshi Takagi received the B.Sc. and M.Sc. degrees in mathematics from Nagoya University in 1993 and 1995, respectively. He had engaged in the research on network security at NTT Laboratories from 1995 to 2001. He received the Dr.rer.nat degree from Technische Universität Darmstadt in 2001. He was an Assistant Professor in the Department of Computer Science at Technische Universität Darmstadt until 2005. He is currently a Professor in the School of Systems Information Science at Future University-Hakodate. His current research interests are information security and cryptography. Dr. Takagi is a member of International Association for Cryptologic Research (IACR).