A More Compact Representation of XTR Cryptosystem∗

IEICE TRANS. FUNDAMENTALS, VOL.E91–A, NO.10 OCTOBER 2008

PAPER: Special Section on Information Theory and Its Applications

Masaaki SHIRASE†a), Member, Dong-Guk HAN††, Nonmember, Yasushi HIBINO†††, Member, Howon KIM††, Nonmember, and Tsuyoshi TAKAGI†, Member

SUMMARY  XTR is one of the most efficient public-key cryptosystems that allow us to compress the communication bandwidth of their ciphertext. The compact representation is achieved by deploying the subfield $\mathbb{F}_{q^2}$ of the extension field $\mathbb{F}_{q^6}$, so that the compression ratio of the XTR cryptosystem is 1/3. On the other hand, Dijk et al. proposed an efficient public-key cryptosystem using a torus over $\mathbb{F}_{q^{30}}$ whose compression ratio is 4/15. It is an open problem to construct an efficient public-key cryptosystem whose compression ratio is smaller than 4/15. In this paper we propose a new variant of the XTR cryptosystem over finite fields with characteristic three whose compression ratio is 1/6. The key observation is that there exists a trace map from $\mathbb{F}_{q^6}$ to $\mathbb{F}_q$ in the case of characteristic three. Moreover, the compression and decompression algorithms require only about 1% overhead compared with the original XTR cryptosystem. Therefore, the proposed variant of the XTR cryptosystem is one of the fastest public-key cryptosystems with the smallest compression ratio.

key words: XTR cryptosystem, finite field, efficient implementation, compact representation

1. Introduction

In the classical Diffie-Hellman (DH) scheme, two system parameters are fixed: a large prime number $q$ and a generator $g$ of the multiplicative group of the basic prime field $\mathbb{F}_q$. In the basic DH scheme the two parties each send a random power of $g$ to the other party. Assuming both parties know $q$ and $g$, each party transmits about $\log_2(q)$ bits to the other party.

In [6], ElGamal suggested that finite extension fields can be used instead of prime fields, but no direct computational or communication advantages were implied. In [14], Schnorr proposed a variant of the classical Diffie-Hellman scheme, in which $g$ does not generate the whole multiplicative group of the prime field $\mathbb{F}_q$, but only a small subgroup whose order is relatively small compared to $q$. This considerably reduces the computational cost of the DH scheme, but has no effect on the number of bits to be exchanged.

After that, attempts were made to use traces to represent and calculate powers of elements of a subgroup of a finite field, to achieve an efficient and compact subgroup representation. The LUC cryptosystem uses the trace over $\mathbb{F}_q$ to represent elements of the order $q+1$ subgroup of $\mathbb{F}_{q^2}^*$ [16]. Compared to the traditional representation LUC leads to a factor 2 reduction in the representation size. The variant described in [7] uses the subgroup of order $q^2 + q + 1$ of $\mathbb{F}_{q^3}^*$ instead, but as a result sizes are reduced by only a factor 1.5. In [2], Brouwer et al. introduced for the first time how the use of finite extension fields and subgroups can be combined in such a way that the number of bits to be exchanged is reduced by a factor 3. More specifically, it was shown that elements of an order $p$ subgroup of $\mathbb{F}_{q^6}^*$ can be represented using $2\log_2(q)$ bits if $p$ divides $q^2 - q + 1$. Despite its communication efficiency, that method is rather troublesome and computationally not particularly efficient.

In 2000 Lenstra-Verheul introduced XTR [9], a cryptosystem using the trace over $\mathbb{F}_{q^2}$ to represent elements of the order $q^2 - q + 1$ subgroup of $\mathbb{F}_{q^6}^*$, thereby achieving a factor 3 size reduction. Also, the resulting calculations are appreciably faster than using the standard representation. XTR of security equivalent to 1024-bit RSA achieves speed comparable to cryptosystems based on random elliptic curves over random prime fields (ECC) of equivalent security. The corresponding XTR public keys are only about 2∼3 times as large as ECC keys at practical key sizes, assuming global system parameters; without the last requirement the sizes of XTR and ECC public keys are the same. Furthermore, parameter initialization from scratch for XTR takes a negligible amount of computing time, unlike RSA and ECC. Combined with its very easy programmability, this makes XTR an excellent public-key cryptosystem for a very wide variety of environments, ranging from smart cards to web servers.

On the other hand, Rubin-Silverberg proposed a torus-based cryptosystem CEILIDH over $\mathbb{F}_{q^6}$ whose compression rate is the same as XTR [13]. Dijk-Woodruff then presented a torus-based cryptosystem over $\mathbb{F}_{q^n}$ whose compression ratio is asymptotically $\varphi(n)/n$, where $\varphi$ is the Euler totient function [4]. However, the cryptosystem proposed by Dijk-Woodruff is not as efficient as RSA at the key lengths used in practical applications. In 2005 Dijk et al. further proposed a relatively efficient public-key cryptosystem using a torus over $\mathbb{F}_{q^{30}}$ whose compression ratio is $\varphi(30)/30 = 4/15$

Manuscript received January 28, 2008.
Manuscript revised April 20, 2008.
† The authors are with Future University Hakodate (FUN), Hakodate-shi, 041-8655 Japan.
†† The authors are with Electronics and Telecommunications Research Institute (ETRI), Korea.
††† The author is with Japan Advanced Institute of Science and Technology (JAIST), Nomi-shi, 923-1292 Japan.
∗ The preliminary version of this paper [15] was published at the 5th International Conference on Applied Cryptography and Network Security, ACNS 2007.
a) E-mail: [email protected]
DOI: 10.1093/ietfec/e91–a.10.2843

Copyright © 2008 The Institute of Electronics, Information and Communication Engineers

[5]. It is an open problem to construct a practical public-key cryptosystem whose compression ratio is smaller than 4/15.

1.1 Contribution of This Paper

In this paper we present a greatly improved version of XTR that leads to a factor 6 reduction in the representation size compared to the traditional representation. That is to say, we achieve a factor 2 reduction compared to the original XTR. We show that if the characteristic of $q$ is three, i.e., $q = 3^{2k-1}$ for some $k$, then we can use the trace over $\mathbb{F}_q$ to represent elements of the order $q - \sqrt{3q} + 1$ subgroup of $\mathbb{F}_{q^6}^*$. Also, the resulting calculations such as exponentiations are as fast as those of XTR. Given $\mathrm{Tr}_{(q^6,q)}(g)$ and $n$, computing $\mathrm{Tr}_{(q^6,q)}(g^n)$ takes about 1291 multiplications in $\mathbb{F}_q$, which is only about a 1% increase compared to the cost of computing $\mathrm{Tr}_{(q^6,q^2)}(h^n)$ for given $\mathrm{Tr}_{(q^6,q^2)}(h)$ and $n$, where the size of $n$ is 160 bits. Therefore, the proposed scheme is one of the fastest public-key cryptosystems with the smallest compression ratio (i.e., 1/6).

In Sect. 2 we describe XTR, and in Sect. 3 we introduce XTR over characteristic three, which achieves a factor 2 reduction in the representation size compared to XTR. Section 4 shows efficient calculations of XTR exponentiation over characteristic three. Applications and comparisons to the original XTR are given in Sect. 5. We then describe the conclusion in Sect. 6.

2. XTR

2.1 Description of XTR

XTR uses a subgroup of prime order $p$ of the order $q^2 - q + 1$ subgroup of $\mathbb{F}_{q^6}^*$. The latter group is referred to as the XTR supergroup, denoted $G_{q^2-q+1}$, and the order $p$ subgroup $G_p$ is referred to as the XTR group. The XTR supergroup $G_{q^2-q+1}$ is not contained in any proper subfield of $\mathbb{F}_{q^6}$ due to the following fact.

Fact 1: [10] Let $p$ be a prime factor of $\Phi_m(q)$, where $\Phi_m$ is the $m$-th cyclotomic polynomial, for a positive integer $m$ not divisible by $q$. Then the subgroup $G_p$ of $\mathbb{F}_{q^m}^*$ is not contained in any proper subfield of $\mathbb{F}_{q^m}$.

Combined with the choice of $p$ it follows that computing discrete logarithms in $G_p$ is as hard, in general, as it is in $\mathbb{F}_{q^6}^*$ [9].

Before describing XTR in more detail, we introduce two definitions about optimal normal bases.

Definition 1: Type I Optimal Normal Basis (Type-I ONB)
If $m+1$ is a prime and $q$ is a generator of $\mathbb{F}_{m+1}^*$, then the set $\{\omega^m, \omega^{m-1}, \cdots, \omega^2, \omega\}$ forms an optimal normal basis of type I in $\mathbb{F}_{q^m}$, called a Type-I ONB. Here, $\omega$ is a primitive $(m+1)$-th root of unity.

Definition 2: Type II Optimal Normal Basis (Type-II ONB)
If $2m+1$ is a prime and either of the following two conditions holds,
• $q$ is a primitive root modulo $2m+1$,
• $q$ is a quadratic residue modulo $2m+1$ and $q \not\equiv 1 \bmod (2m+1)$,
then the set $\{\beta^m, \beta^{m-1}, \cdots, \beta^2, \beta\}$ forms an optimal normal basis of type II in $\mathbb{F}_{q^m}$, called a Type-II ONB. Here, $\beta = \gamma + \gamma^{-1}$ and $\gamma$ is a primitive $(2m+1)$-th root of unity.

XTR uses $\mathbb{F}_{q^2}$ arithmetic to achieve $\mathbb{F}_{q^6}$ security, without requiring explicit construction of $\mathbb{F}_{q^6}$. Let $q$ be a prime that is 2 mod 3. It follows that $(X^3 - 1)/(X - 1) = X^2 + X + 1$ is irreducible over $\mathbb{F}_q$ and its zeros $\alpha$ and $\alpha^q$ form a Type-I ONB for $\mathbb{F}_{q^2}$ over $\mathbb{F}_q$. In XTR elements of $G_p$ are represented by their trace over $\mathbb{F}_{q^2}$. For $h \in \mathbb{F}_{q^6}^*$ the trace $\mathrm{Tr}_{(q^6,q^2)}(h)$ over $\mathbb{F}_{q^2}$ is defined as the sum of the conjugates over $\mathbb{F}_{q^2}$ of $h$, i.e., $\mathrm{Tr}_{(q^6,q^2)}(h) = h + h^{q^2} + h^{q^4} \in \mathbb{F}_{q^2}$. Let $p$ and $q$ be primes with $p$ dividing $q^2 - q + 1$. Also let $h$ be a generator of $G_p$ and let $c = \mathrm{Tr}_{(q^6,q^2)}(h)$. Suggested lengths to provide adequate levels of security are $\log_2(q) \approx 170$ and $\log_2(p) \approx 160$.

$c_n$ denotes $\mathrm{Tr}_{(q^6,q^2)}(h^n) \in \mathbb{F}_{q^2}$, for some $q$ and $h$ of order $p$ dividing $q^2 - q + 1$ as above. Efficient computation of $c_n$ given $q$, $p$ and $c$ depends on the recurrence relation

$$c_{u+v} = c_u c_v - c_v^q c_{u-v} + c_{u-2v}, \tag{1}$$

for $u, v \in \mathbb{Z}$. It simplifies for $u = v$ to

$$c_{2u} = c_u^2 - 2c_u^q. \tag{2}$$

In [9], Lenstra and Verheul proved that computing $c_{u+v}$ and $c_{2u}$ takes four and two multiplications in $\mathbb{F}_q$ respectively, when $c_u$, $c_v$, $c_{u-v}$, and $c_{u-2v}$ are given.

2.2 XTR Exponentiation

In XTR, an algorithm for computing $\mathrm{Tr}_{(q^6,q^2)}(h^n)$ given $\mathrm{Tr}_{(q^6,q^2)}(h)$ and a scalar $n \in \mathbb{Z}$ is needed, like the algorithm for computing $h^n$ in public-key cryptosystems based on the discrete logarithm problem. By using the two formulas (1), (2) above, we define the following two functions, called XTR addition and XTR doubling respectively:

$$A[u,v,w,z] = u \cdot v - v^q \cdot w + z, \qquad D[u] = u^2 - 2u^q.$$

XTR Exponentiation ([9], Algorithm 2.3.7)
INPUT: $c$ and $n$ where $n > 2$
OUTPUT: $c_n$
1. Compute initial values:
  1.1. $C_3 \leftarrow c$, $C_0 \leftarrow D[C_3]$, $C_1 \leftarrow A[C_0, C_3, C_3, 3]$, and $C_2 \leftarrow D[C_0]$
  1.2. If $n$ is even, replace $n$ by $n - 1$. Let $n = 2m + 1$ and $m = \sum_{j=0}^{l} m_j 2^j$ with $m_j \in \{0, 1\}$ and $m_l = 1$.
2. for $j = l - 1$ downto $0$
  2.1. $T_1 \leftarrow D[C_{m_j}]$
  2.2. $T_2 \leftarrow D[C_{1+m_j}]$
  2.3. if ($m_j = 0$) then $T_3 \leftarrow A[C_0, C_1, C_3^q, C_2^q]$
     if ($m_j = 1$) then $T_3 \leftarrow A[C_2, C_1, C_3, C_0^q]$
  2.4. $C_0 \leftarrow T_1$
  2.5. $C_1 \leftarrow T_3$
  2.6. $C_2 \leftarrow T_2$
3. If $n$ is odd then return $C_1$ else return $C_2$

Theorem 1: ([9], Theorem 2.3.8) Let $c$ and a positive integer $n$ be given. Computing the sum $c_n$ of the $n$-th powers of the roots takes $8 \log_2(n)$ multiplications in $\mathbb{F}_q$.

Thus, given the representation $\mathrm{Tr}_{(q^6,q^2)}(h) \in \mathbb{F}_{q^2}$ of the conjugates of $h$, the representation $\mathrm{Tr}_{(q^6,q^2)}(h^n) \in \mathbb{F}_{q^2}$ of the conjugates of the $n$-th power of $h$ can be computed at the cost of $8 \log_2(n)$ multiplications in $\mathbb{F}_q$, for any integer $n$.

Denote the above XTR exponentiation with input $c$ and $n$ and output $c_n$ as

$$\mathrm{XTR\_Exp}[c, n] = c_n.$$

2.3 XTR-DH Key Agreement

XTR can be used in any cryptosystem that relies on the discrete logarithm problem. This section contains a description of an application of XTR that provides a confidentiality service, for example Diffie-Hellman key agreement.

Public Parameters: $q$, $p$, $c = \mathrm{Tr}_{(q^6,q^2)}(h)$
If Alice and Bob want to agree on a secret key $K$ they do the following.
1. Alice selects at random $a \in \mathbb{Z}_p$, uses $\mathrm{XTR\_Exp}[c, a] = c_a \in \mathbb{F}_{q^2}$, and sends $c_a$ to Bob.
2. Bob receives $c_a$ from Alice, selects at random $b \in \mathbb{Z}_p$, uses $\mathrm{XTR\_Exp}[c, b] = c_b \in \mathbb{F}_{q^2}$, and sends $c_b$ to Alice.
3. Alice receives $c_b$ from Bob, computes $\mathrm{XTR\_Exp}[c_b, a] = c_{ba}$, and determines $K$ based on $c_{ba} := \mathrm{Tr}_{(q^6,q^2)}(h^{ba})$.
4. Bob uses $\mathrm{XTR\_Exp}[c_a, b] = c_{ab}$, and determines $K$ based on $c_{ab} := \mathrm{Tr}_{(q^6,q^2)}(h^{ab})$.

3. XTR over Characteristic Three

The original XTR uses the trace over $\mathbb{F}_{q^2}$ to represent elements of the order $q^2 - q + 1$ subgroup of $\mathbb{F}_{q^6}^*$, thereby achieving a factor 3 size reduction. This section shows that if $q$ is 3 to an odd power then elements in $G_{q^2-q+1}$ can be represented as elements in $\mathbb{F}_q$ using the trace over $\mathbb{F}_q$. It achieves a factor 6 size reduction, i.e., half the size of the original XTR representation.

3.1 New XTR Group

We assume that $q = 3^t$ for an odd integer $t$, say $t = 2k - 1$. Then $\sqrt{3q} = 3^k$ is an integer and $q^2 - q + 1$ is factorized as

$$q^2 - q + 1 = (q + \sqrt{3q} + 1)(q - \sqrt{3q} + 1).$$

In this section, we define a new XTR group $G_p = \langle g \rangle$ which is a subgroup of $G_{q-\sqrt{3q}+1}$, namely, XTR uses a subgroup of prime order $p$ of the order $q - \sqrt{3q} + 1$ subgroup of $\mathbb{F}_{q^6}^*$. The order $p$ subgroup generated by $g$ is referred to as the New XTR group. Since $p$ does not divide any $q^s - 1$ for $s = 1, 2, 3$, the new XTR group $G_p$ generated by $g$ cannot be embedded in the multiplicative group of any true subfield of $\mathbb{F}_{q^6}$. Combined with the choice of $p$ it follows that computing discrete logarithms in $G_p$ is as hard, in general, as it is in $\mathbb{F}_{q^6}^*$ (cf. [9], Section 5).

$$G_p = \langle g \rangle \subset G_{q-\sqrt{3q}+1} \subset G_{q^2-q+1} \subset G_{q^3+1} \tag{3}$$

Here, $A \subset B$ denotes that $A$ is a subgroup of $B$.

From $q = 3^t$ with $t$ odd it follows that $q$ is a generator of $\mathbb{F}_5^*$, so that $\{\omega + \omega^{-1}, \omega^2 + \omega^{-2}\}$ forms a Type-II ONB for $\mathbb{F}_{q^2}$ over $\mathbb{F}_q$, where $\omega$ is a root of the polynomial $(X^5 - 1)/(X - 1) = X^4 + X^3 + X^2 + X + 1$. For simplicity, we denote $x = x_1 \cdot (\omega + \omega^{-1}) + x_2 \cdot (\omega^2 + \omega^{-2}) \in \mathbb{F}_{q^2}$ as $(x_1, x_2)$.

Lemma 1: Let $x, y, z \in \mathbb{F}_{q^2}$ with $q = 3^t$ and $t$ odd.
i. Computing $x^q$ is for free.
ii. Computing $x^2$ takes two multiplications in $\mathbb{F}_q$.
iii. Computing $x * z - y * z^q$ takes four multiplications in $\mathbb{F}_q$.

Proof 1: Let $x = (x_1, x_2)$, $y = (y_1, y_2)$ and $z = (z_1, z_2) \in \mathbb{F}_{q^2}$ for $x_i, y_i, z_i \in \mathbb{F}_q$, $i \in \{1, 2\}$. From $(\omega + \omega^{-1})^q = \omega^2 + \omega^{-2}$ and $(\omega^2 + \omega^{-2})^q = \omega + \omega^{-1}$, $x^q = (x_2, x_1)$. It follows that $q$-th powering in $\mathbb{F}_{q^2}$ does not require arithmetic operations and can thus be considered to be for free.

From $x^2 = \big((x_1 + x_2)(x_1 - x_2) + 2x_1 x_2,\ 2(x_1 + x_2)(x_1 - x_2) + 2x_1 x_2\big)$, $x^2$ is obtained with two multiplications in $\mathbb{F}_q$.

Finally, to compute $x * z - y * z^q$ four multiplications in $\mathbb{F}_q$ suffice, because it is easily verified that

$$x * z - y * z^q = \big((x_2 - 2x_1 + y_2 - y_1) * z_1 + (x_1 - x_2 + 2y_2 - y_1) * z_2\big) * (\omega + \omega^{-1}) + \big((x_2 - x_1 + 2y_1 - y_2) * z_1 + (x_1 - 2x_2 + y_1 - y_2) * z_2\big) * (\omega^2 + \omega^{-2}).$$

3.2 Compression and Restoration

For some $q$ and $g$ of order $p$ dividing $q - \sqrt{3q} + 1$, define $d$ and $e$ as the trace $\mathrm{Tr}_{(q^6,q^2)}(g)$ over $\mathbb{F}_{q^2}$ and the trace $\mathrm{Tr}_{(q^6,q)}(g)$ over $\mathbb{F}_q$, respectively. We use the shorthand $d_n = \mathrm{Tr}_{(q^6,q^2)}(g^n)$ and $e_n = \mathrm{Tr}_{(q^6,q)}(g^n)$, i.e., $d_n$ and $e_n$ are the sums of the conjugates of $g^n$ over $\mathbb{F}_{q^2}$ and $\mathbb{F}_q$ respectively. Immediately, $d = d_1$ and $e = e_1$.

$$d_n = \mathrm{Tr}_{(q^6,q^2)}(g^n) = g^n + g^{nq^2} + g^{nq^4} \in \mathbb{F}_{q^2},$$
$$e_n = \mathrm{Tr}_{(q^6,q)}(g^n) = g^n + g^{nq} + g^{nq^2} + g^{nq^3} + g^{nq^4} + g^{nq^5} \in \mathbb{F}_q.$$

3.2.1 Compression

From the definition of $d_n$ and $e_n$, $e_n$ can be easily derived from $d_n$ due to the following equation

$$e_n = d_n + d_n^q. \tag{4}$$

For any $d_n = x_1(\omega + \omega^{-1}) + x_2(\omega^2 + \omega^{-2}) \in \mathbb{F}_{q^2}$, we have that $e_n = (x_1 + x_2) * (\omega + \omega^{-1}) + (x_1 + x_2) * (\omega^2 + \omega^{-2}) \in \mathbb{F}_q$ because of Lemma 1-i. Note that as $d_n \in \mathbb{F}_{q^2}$ and $d_n \notin \mathbb{F}_q$, we have $x_1 \neq x_2$, where $x_1$ and $x_2$ are in $\mathbb{F}_q$. Define a compression function whose input is an element of $\mathbb{F}_{q^2}$ represented by two elements of $\mathbb{F}_q$, say $(x_1, x_2)$, and whose output is an element of $\mathbb{F}_q$:

$$\mathrm{Compression}[x_1, x_2] = x_1 + x_2.$$

3.2.2 Restoration

Contrary to the compression from $d_n$ to $e_n$, this section explains how to get $d_n$ from $e_n$, called restoration in this paper.

Lemma 2: The roots of $X^2 - e_n X + e_n^{\sqrt{3q}} \in \mathbb{F}_q[X]$ are $d_n$ and $d_n^q$.

Proof 2: It is sufficient to prove $d_n * d_n^q = e_n^{\sqrt{3q}}$ because $d_n + d_n^q = e_n$ from equation (4). For simplicity, we prove $d_n * d_n^q = e_n^{\sqrt{3q}}$ when $n = 1$.

$$\begin{aligned} d * d^q &= (g + g^{q^2} + g^{q^4}) \cdot (g^q + g^{q^3} + g^{q^5}) \\ &= g^{1+q} + g^{1+q^3} + g^{1+q^5} + g^{q^2+q} + g^{q^2+q^3} + g^{q^2+q^5} + g^{q^4+q} + g^{q^4+q^3} + g^{q^4+q^5} \\ &= g^{\sqrt{3q}} + (g^q)^{\sqrt{3q}} + (g^{q^2})^{\sqrt{3q}} + (g^{q^3})^{\sqrt{3q}} + (g^{q^4})^{\sqrt{3q}} + (g^{q^5})^{\sqrt{3q}} + 3 \\ &= (g + g^q + g^{q^2} + g^{q^3} + g^{q^4} + g^{q^5})^{\sqrt{3q}} \\ &= e^{\sqrt{3q}}. \end{aligned}$$

The third equality is derived from the series of subgroups in equation (3), that is to say, $g^{q+1} = g^{\sqrt{3q}}$ (from $\langle g \rangle \subset G_{q-\sqrt{3q}+1}$) and $g^{q^3+1} = 1$ (from $\langle g \rangle \subset G_{q^3+1}$); the summand 3 vanishes because the characteristic is three.

From Lemma 2, we can find the two roots $d_n$ and $d_n^q$ by solving the quadratic formula, which gives

$$\{d_n, d_n^q\} = \frac{e_n \pm \sqrt{e_n^2 - 4e_n^{\sqrt{3q}}}}{2}. \tag{5}$$

Let $e_n = z \in \mathbb{F}_q$ and let the roots of the quadratic equation be $\{(x_1, x_2), (x_2, x_1)\}$, where $x_1, x_2 \in \mathbb{F}_q$ and $x_1 \neq x_2$. Actually, $z = x_1 + x_2$. Define a restoration function with input $e_n$ and output $\{d_n, d_n^q\} \in \mathbb{F}_{q^2}$:

$$\mathrm{Restoration}[e_n] = \{d_n, d_n^q\}.$$

Remark 1: In Sect. 3, we have explained how to compute $e_n$ from $e_1$ and any integer $n$. In some cryptographic protocols, we also need to compute $e_{mn}$ from $e_m$ and any integer $n$, where $m$ is an arbitrarily selected integer. We can compute it in the same way as in XTR. To show that, it is enough to show $\langle g^m \rangle = \langle g \rangle$ and that $g^m$ has the same order as $g$, because $e_m$ is $\mathrm{Tr}_{(q^6,q)}(g^m)$ by definition.

$\langle g^m \rangle \subset \langle g \rangle$: Any element contained in $\langle g^m \rangle$ is represented as $(g^m)^k$ for an integer $k$. It is equal to $g^{(mk)}$, hence it is contained in $\langle g \rangle$. Consequently $\langle g^m \rangle \subset \langle g \rangle$ is shown.

$\langle g \rangle \subset \langle g^m \rangle$: Any element contained in $\langle g \rangle$ is represented as $g^k$ for an integer $k$. Note that $m \not\equiv 0 \bmod p$ because the order of $g$ is the prime $p$ and $g^m \neq 1$. Then $m$ is coprime to $p$. Therefore there are $\alpha$ and $\beta$ such that $m\alpha + p\beta = 1$, which means $k = (m\alpha + p\beta)k$. Note that $g^p = 1$ because $p$ is the order of $g$. Therefore $g^k = g^{(m\alpha + p\beta)k} = (g^m)^{\alpha k}$ and $g^k$ is contained in $\langle g^m \rangle$. Consequently $\langle g \rangle \subset \langle g^m \rangle$ is shown.

$g^m$ has the same order as $g$: Because $\langle g^m \rangle = \langle g \rangle$ and the order of $g$ is the prime $p$.

4. Efficient Method of Restoration: Finding $d_n$ and $d_n^q$ from $e_n$

As we have seen in the previous section, we need to solve the quadratic formula described in Lemma 2 to extract $d_n$ and $d_n^q$ from $e_n$. In other words, we have to compute the square root $\sqrt{e_n^2 - 4e_n^{\sqrt{3q}}}$.

In a finite field $\mathbb{F}_{r^s}$ where $r \equiv 3 \pmod 4$ and $s$ is odd, the best algorithm known [3], [11] to compute a square root executes $O(s \log_2 r)$ multiplications in $\mathbb{F}_{r^s}$. By that method, a solution of $X^2 = A$ is given by $X = A^{(r^s+1)/4}$, assuming that $A$ is a quadratic residue. Recently, Barreto et al. (cf. [1], Section 4) presented an improvement to it. The complexity is reduced to $O(\log_2 s + \log_2 r)$ multiplications in $\mathbb{F}_{r^s}$. If the characteristic $r$ is fixed and small compared to $s$, the complexity is simply $O(\log_2 s)$.

4.1 Square Root Extraction

Let $R = e_n^2 - 4e_n^{\sqrt{3q}} \in \mathbb{F}_q$. Here, $q = 3^{2k-1}$ for some integer $k$. As $d_n$ and $d_n^q$ are not in $\mathbb{F}_q$, $\sqrt{R}$ is not an element of $\mathbb{F}_q$. Thus, we cannot utilize Barreto et al.'s method directly to compute the square root of $R$ even if $q \equiv 3 \pmod 4$.

Fact 2: $-1$ has a square root in $\mathbb{F}_q$ if and only if $q \equiv 1 \pmod 4$.

As $q \equiv 3 \pmod 4$, $\sqrt{-1} \notin \mathbb{F}_q$, but $\sqrt{-1} \in \mathbb{F}_{q^2}$.

Lemma 3: $\sqrt{-R} \in \mathbb{F}_q$, where $-R = 2e_n^2 + e_n^{\sqrt{3q}}$.

Proof 3: Let $\mathbb{F}_q^* = \langle g_1 \rangle$. For $g_1^n \in \mathbb{F}_q^*$, $\sqrt{g_1^n} = g_1^{n/2} \in \mathbb{F}_q$ if $n$ is even and $\sqrt{g_1^n}$ is not in $\mathbb{F}_q$ if $n$ is odd. From $(g_1^{(q-1)/2})^2 = 1$ and $g_1$ being a generator of $\mathbb{F}_q^*$, $g_1^{(q-1)/2} = -1$. We easily confirm that $(q-1)/2$ is odd if $q = 3^{2k-1}$. Then we see that $R = g_1^{n_1}$ for some odd $n_1$ since $\sqrt{R} \notin \mathbb{F}_q$. Hence $-R = R \cdot (-1) = g_1^{n_1 + (q-1)/2}$ and $n_1 + (q-1)/2$ is even. Therefore, $\sqrt{-R} \in \mathbb{F}_q$.

Table 1  The number of multiplications in $\mathbb{F}_q$ for computation of $d_n$ and $d_n^q$, where $q = 3^t$ and $t = 2k - 1$ for some integer $k$.

Operation                                                        # of multiplications in $\mathbb{F}_q$
$e_n^2$                                                          1
$e_n^{\sqrt{3q}}$                                                free using Type-II ONB
$(2e_n^2 + e_n^{\sqrt{3q}})^{(q+1)/4}$                           $\lfloor \log_2(k-1) \rfloor + \mathrm{HW}(k-1) + 1$
$(2e_n^2 + e_n^{\sqrt{3q}})^{(q+1)/4} \cdot \sqrt{-1}$           0
$2e_n \pm (2e_n^2 + e_n^{\sqrt{3q}})^{(q+1)/4} \cdot \sqrt{-1}$  $\lfloor \log_2(k-1) \rfloor + \mathrm{HW}(k-1) + 2$

From Lemma 3, one of $\sqrt{-R}$ is $(-R)^{(q+1)/4}$ and it is efficiently computed by using the idea of Barreto et al. [1]. The basic idea is as follows. They noticed that, if $q = 3^{2k-1}$ for some $k$:

$$\frac{q+1}{4} = \frac{3^{2k-1} + 1}{4} = 6 \cdot \sum_{i=0}^{k-2} (3^2)^i + 1,$$

so that

$$\sqrt{-R} = (-R)^{(q+1)/4} = \Big( (-R)^{2 \sum_{i=0}^{k-2} (3^2)^i} \Big)^3 \cdot (-R).$$

The quantity $(-R)^{2 \sum_{i=0}^{k-2} (3^2)^i}$ is efficiently computed in an analogous fashion to Itoh-Teechai-Tsujii inversion [8], based on the Frobenius map in characteristic three. Let $A \in \mathbb{F}_q$. Then, one can compute $A^{\sum_{i=0}^{k-2} (3^2)^i}$ with no more than $\lfloor \log_2(k-1) \rfloor + \mathrm{HW}(k-1) - 1$ multiplications in $\mathbb{F}_q$. Here, $\lfloor \cdot \rfloor$ and $\mathrm{HW}(\cdot)$ denote the largest integer not exceeding the operand and the Hamming weight of the operand, respectively. Thus, we need at most $\lfloor \log_2(k-1) \rfloor + \mathrm{HW}(k-1) + 1$ multiplications in $\mathbb{F}_q$ to compute $(-R)^{(q+1)/4}$ in total.

Next we must find $\sqrt{-1} \in \mathbb{F}_{q^2}$ to compute $\sqrt{R} = \sqrt{-R} \cdot \sqrt{-1}$.

Lemma 4: $\sqrt{-1} \in \mathbb{F}_{q^2}$ is $(\omega + \omega^{-1}) - (\omega^2 + \omega^{-2})$ or $-(\omega + \omega^{-1}) + (\omega^2 + \omega^{-2})$.

Proof 4: It is easily checked that $\big((\omega + \omega^{-1}) - (\omega^2 + \omega^{-2})\big)^2 = -1$ because $1 + \omega + \omega^2 + \omega^3 + \omega^4 = 0$ and $\omega^5 = 1$.

Lemma 5: For any $x = x_1(\omega + \omega^{-1}) + x_2(\omega^2 + \omega^{-2}) \in \mathbb{F}_{q^2}$, computing $x \cdot \sqrt{-1}$ is free.

Proof 5: Because $\big(x_1(\omega + \omega^{-1}) + x_2(\omega^2 + \omega^{-2})\big) \cdot \sqrt{-1} = -x_2(\omega + \omega^{-1}) + x_1(\omega^2 + \omega^{-2})$.

4.2 Computation of $d_n$ and $d_n^q$

Thanks to Eq. (5) and the results of the previous section, for given $e_n \in \mathbb{F}_q$

$$\{d_n, d_n^q\} = \frac{e_n \pm \sqrt{R}}{2} = 2 \cdot (e_n \pm \sqrt{-R} \cdot \sqrt{-1}) = 2e_n \pm (2e_n^2 + e_n^{\sqrt{3q}})^{(q+1)/4} \cdot \sqrt{-1}. \tag{6}$$

Table 1 shows the number of multiplications in $\mathbb{F}_q$ required to compute equation (6), where as customary we do not count the cost of additions and subtractions in $\mathbb{F}_q$. For efficient computation of the $\sqrt{3q}$-th power of $e_n$ ($\in \mathbb{F}_q$), i.e., $e_n^{\sqrt{3q}}$, we should select $q$ such that $\mathbb{F}_q$ has an optimal normal basis (ONB) over $\mathbb{F}_3$. As $q = 3^{2k-1}$, $\sqrt{3q} = 3^k$. Thus, the $\sqrt{3q}$-th power is performed by a shift of coefficients when $\mathbb{F}_q$ has an ONB over $\mathbb{F}_3$. However, $\mathbb{F}_q$ never has a Type-I ONB over $\mathbb{F}_3$ since $2k$ is not prime. Therefore, we should check whether $\mathbb{F}_q$ has a Type-II ONB over $\mathbb{F}_3$ or not for a given $k$. For example, we may select $k = 56, 71, 111$, and $120$, which satisfy that $\mathbb{F}_q$ has a Type-II ONB over $\mathbb{F}_3$.

Note that the multiplication $(2e_n^2 + e_n^{\sqrt{3q}})^{(q+1)/4} * \sqrt{-1}$ is free from Lemma 5.

Theorem 2: Given $e_n$ for any integer $n$, computing $d_n$ and $d_n^q$ takes about $\lfloor \log_2(k-1) \rfloor + \mathrm{HW}(k-1) + 2$ multiplications in $\mathbb{F}_q$ under the assumption that $\mathbb{F}_q$ has a Type-II ONB over $\mathbb{F}_3$.

5. Compressed XTR Exponentiation

In this section it is shown how $e_n$ can be computed based on $e_1$ and an arbitrary integer $n$.

Restoration - compute $d_1$ and $d_1^q$ from $\mathrm{Restoration}[e_1]$. Between $d_1$ and $d_1^q$ choose one of them at random, denoted $d$.
XTR exponentiation - compute $d_n$ from $\mathrm{XTR\_Exp}[d, n]$ described in Sect. 2.2.
Compression - compute $\mathrm{Compression}[d_n] = d_n + (d_n)^q$. Actually, $\mathrm{Compression}[d_n] = e_n$.

At the compression step, we can easily check $d_n + (d_n)^q = e_n$. $d$ is one of $\{d_1, d_1^q\}$. If $d = d_1$ then it is trivial because of the definition of $e_n$. Otherwise, i.e., $d = d_1^q$, then $d_n + (d_n)^q = d_n^q + d_n$ because $d_n \in \mathbb{F}_{q^2}$, which concludes the justification of the compression step.

Denote the above XTR exponentiation over characteristic three with input $e_1$ and $n$ and output $e_n$ as

$$\mathrm{XTR\_Exp3}[e_1, n] = e_n.$$

Theorem 3: Let $e_1$ and a positive integer $n \in \mathbb{Z}_p$ be given. Assume that $\mathbb{F}_q$ has a Type-II ONB over $\mathbb{F}_3$. Then, computing $e_n$ takes about $8 \log_2(n) + \lfloor \log_2(k-1) \rfloor + \mathrm{HW}(k-1) + 2$ multiplications in $\mathbb{F}_q$.

Proof 6: Immediate from Theorem 2, the XTR Exponentiation algorithm ([9], Algorithm 2.3.7), and Lemma 1.

5.1 Application to XTR-DH

In this section we describe the XTR version of Diffie-Hellman key agreement over characteristic three.

Public Parameters: $q\,(= 3^{2k-1})$, $p$, $\mathrm{Tr}_{(q^6,q)}(g) = e$
Suppose that Alice and Bob, who both have access to the XTR public key data, want to agree on a key $K$. This can be done using the following XTR version.

1. Alice selects at random $a \in \mathbb{Z}_p$, uses $\mathrm{XTR\_Exp3}[e, a] = e_a \in \mathbb{F}_q$, and sends $e_a$ to Bob.
2. Bob receives $e_a$ from Alice, selects at random $b \in \mathbb{Z}_p$, uses $\mathrm{XTR\_Exp3}[e, b] = e_b \in \mathbb{F}_q$, and sends $e_b$ to Alice.
3. Alice receives $e_b$ from Bob, computes $\mathrm{XTR\_Exp3}[e_b, a] = e_{ba}$, and determines $K$ based on $e_{ba} = \mathrm{Tr}_{(q^6,q)}(g^{ba})$.
4. Bob uses $\mathrm{XTR\_Exp3}[e_a, b] = e_{ab}$, and determines $K$ based on $e_{ab} = \mathrm{Tr}_{(q^6,q)}(g^{ab})$.

Table 2  Suitable $k$ and costs of XTR and XTR3.

  k     |p|    |q^6|    Cost of XTR    Cost of XTR3
  56    156    1056     1248           1260
  71    193    1341     1544           1555
  111   225    2101     1792           1806
  120   378    2273     3024           3038

Table 3  The sizes of public key data of XTR and XTR3.

  k     |q|    |p|    Public key data size of XTR    Public key data size of XTR3
  56    176    156    684                            508
  71    224    193    865                            641
  111   351    225    1278                           927
  120   379    378    1515                           1136

5.2 Comparison to Original XTR

In this section, we compare XTR over characteristic three to the original XTR. Let XTR and XTR3 denote the original XTR [9] and XTR over characteristic three respectively.
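Before the comparison, here is an added, runnable Python example (not code from the paper or its authors) that builds the smallest non-trivial instance of the construction, $q = 27$ ($k = 2$, $\sqrt{3q} = 9$, $p = q - \sqrt{3q} + 1 = 19$), and runs the whole pipeline of Sects. 2.2 to 5.1 on it: $\mathbb{F}_{q^2}$ arithmetic in the Type-II ONB of Lemma 1, XTR exponentiation (Algorithm 2.3.7), Compression (Eq. 4), Restoration by Eq. (6) with Lemmas 3 to 5, $\mathrm{XTR\_Exp3}$, and the XTR-DH exchange above, each step checked against genuine traces. The tower $\mathbb{F}_q = \mathbb{F}_3[x]/(x^3 - x - 1)$, $\mathbb{F}_{q^6} = \mathbb{F}_{q^2}[t]/(t^3 - t - x^2(\omega + \omega^{-1}))$ and the trace formula derived from it are choices made here to obtain reference values; they are not from the paper.

```python
import random

K, Q = 2, 27                       # q = 3^(2k-1) = 27 with k = 2, so sqrt(3q) = 3^k = 9
P = Q - 3**K + 1                   # order of the new XTR group, q - sqrt(3q) + 1 = 19 (prime)

# F_q = F_27 = F_3[x]/(x^3 - x - 1); an element is a 3-tuple of coefficients mod 3.
def fq_add(a, b): return tuple((u + v) % 3 for u, v in zip(a, b))
def fq_neg(a): return tuple((-u) % 3 for u in a)
def fq_mul(a, b):
    c = [0] * 5
    for i in range(3):
        for j in range(3):
            c[i + j] = (c[i + j] + a[i] * b[j]) % 3
    c[2], c[1] = (c[2] + c[4]) % 3, (c[1] + c[4]) % 3    # x^4 = x^2 + x
    c[1], c[0] = (c[1] + c[3]) % 3, (c[0] + c[3]) % 3    # x^3 = x + 1
    return tuple(c[:3])
def fq_pow(a, n):
    r = (1, 0, 0)
    while n:
        if n & 1: r = fq_mul(r, a)
        a, n = fq_mul(a, a), n >> 1
    return r

# F_{q^2} in the Type-II ONB {b1, b2} = {w + w^-1, w^2 + w^-2} of Sect. 3.1: (x1, x2) = x1*b1 + x2*b2.
# From 1 + w + w^2 + w^3 + w^4 = 0: b1^2 = b1 + 2b2, b2^2 = 2b1 + b2, b1*b2 = b1 + b2, 1 = 2b1 + 2b2.
def f2_add(x, y): return (fq_add(x[0], y[0]), fq_add(x[1], y[1]))
def f2_neg(x): return (fq_neg(x[0]), fq_neg(x[1]))
def f2_frob(x): return (x[1], x[0])                   # Lemma 1-i: x^q swaps the coordinates
def f2_mul(x, y):
    p11, p22 = fq_mul(x[0], y[0]), fq_mul(x[1], y[1])
    p12 = fq_add(fq_mul(x[0], y[1]), fq_mul(x[1], y[0]))
    return (fq_add(fq_add(p11, p12), fq_neg(p22)), fq_add(fq_add(fq_neg(p11), p12), p22))
def f2_scalar(s): return (fq_neg(s), fq_neg(s))       # s in F_q embedded as s*(2b1 + 2b2)
def to_scalar(x):                                     # inverse of f2_scalar; x must lie in F_q
    assert x[0] == x[1]
    return fq_neg(x[0])

# F_{q^6} = F_{q^2}[t]/(t^3 - t - a) with a = x^2*b1: an Artin-Schreier cubic, irreducible because
# Tr_{F_{q^2}/F_3}(a) = 1 != 0.  Elements are triples (c0, c1, c2) of F_{q^2} coefficients.
A6 = ((0, 0, 1), (0, 0, 0))
F2_ZERO, F2_ONE = f2_scalar((0, 0, 0)), f2_scalar((1, 0, 0))
F6_ONE = (F2_ONE, F2_ZERO, F2_ZERO)
def f6_mul(u, v):
    c = [F2_ZERO] * 5
    for i in range(3):
        for j in range(3):
            c[i + j] = f2_add(c[i + j], f2_mul(u[i], v[j]))
    c[2], c[1] = f2_add(c[2], c[4]), f2_add(c[1], f2_mul(A6, c[4]))   # t^4 = t^2 + a*t
    c[1], c[0] = f2_add(c[1], c[3]), f2_add(c[0], f2_mul(A6, c[3]))   # t^3 = t + a
    return tuple(c[:3])
def f6_pow(u, n):
    r = F6_ONE
    while n:
        if n & 1: r = f6_mul(r, u)
        u, n = f6_mul(u, u), n >> 1
    return r
# The q^2-Frobenius fixes F_{q^2} and maps t -> t^(3^6) = t + Tr(a) = t + 1, so the sum of the three
# conjugates of c0 + c1*t + c2*t^2 is (0 + 1 + 4)*c2 = -c2 in characteristic three.
def tr62(u): return f2_neg(u[2])                      # d = Tr_{(q^6,q^2)}(u)
# XTR addition and doubling (Sect. 2.2) and Algorithm 2.3.7 of [9], in F_{q^2} coordinates.
def xtr_A(u, v, w, z): return f2_add(f2_add(f2_mul(u, v), f2_neg(f2_mul(f2_frob(v), w))), z)
def xtr_D(u): return f2_add(f2_mul(u, u), f2_frob(u))  # u^2 - 2u^q, and -2 = 1 in characteristic three
def xtr_exp(c, n):
    """XTR_Exp[c, n] = c_n = Tr(h^n) from c = Tr(h), for n > 2 (about 8 log2(n) F_q multiplications)."""
    C3 = c; C0 = xtr_D(C3); C1 = xtr_A(C0, C3, C3, F2_ZERO); C2 = xtr_D(C0)   # c_0 = 3 = 0
    odd = n % 2 == 1
    m = (n - 1) // 2 if odd else (n - 2) // 2          # n (or n - 1 when n is even) equals 2m + 1
    for j in range(m.bit_length() - 2, -1, -1):
        mj = (m >> j) & 1
        T1, T2 = xtr_D((C0, C1)[mj]), xtr_D((C1, C2)[mj])
        T3 = xtr_A(C0, C1, f2_frob(C3), f2_frob(C2)) if mj == 0 else xtr_A(C2, C1, C3, f2_frob(C0))
        C0, C1, C2 = T1, T3, T2
    return C1 if odd else C2

def compress(d):
    """Compression (Eq. 4): e = d + d^q as an F_q scalar (its ONB coordinate is the paper's x1 + x2)."""
    return to_scalar(f2_add(d, f2_frob(d)))
def restore(e):
    """Restoration (Eq. 6): the roots {d, d^q} of X^2 - e*X + e^sqrt(3q) (Lemma 2)."""
    neg_r = fq_add(fq_pow(e, 3**K), fq_neg(fq_mul(e, e)))  # -R = 2e^2 + e^sqrt(3q)
    s = fq_pow(neg_r, (Q + 1) // 4)                    # sqrt(-R) lies in F_q; q = 3 mod 4 (Lemma 3)
    assert fq_mul(s, s) == neg_r
    # d = 2e +- s*sqrt(-1): in the ONB 2e is (e, e), and s*sqrt(-1) = s*(b1 - b2) is (s, -s) (Lemmas 4, 5)
    d = (fq_add(e, s), fq_add(e, fq_neg(s)))
    return d, f2_frob(d)
def xtr_exp3(e, n):     # XTR_Exp3[e, n] (Sect. 5): restore, exponentiate either root, compress
    return compress(xtr_exp(restore(e)[0], n))
def find_generator(seed=2008):  # g of order p in F_{q^6}^*: a random element raised to (q^6 - 1)/p
    rng = random.Random(seed)
    rand_fq = lambda: tuple(rng.randrange(3) for _ in range(3))
    while True:
        g = f6_pow(tuple((rand_fq(), rand_fq()) for _ in range(3)), (Q**6 - 1) // P)
        if g != F6_ONE and f6_pow(g, P) == F6_ONE:
            return g

if __name__ == "__main__":
    g = find_generator(); d = tr62(g); e = compress(d)   # public data: q, p and e = Tr_{(q^6,q)}(g)
    ea, eb = xtr_exp3(e, 7), xtr_exp3(e, 13)             # XTR-DH: Alice sends e_a, Bob sends e_b
    print("e_ab:", xtr_exp3(eb, 7), xtr_exp3(ea, 13), "direct:", compress(tr62(f6_pow(g, 91))))
```

Running it prints the shared value both parties derive and, as a check, the same value computed directly as $\mathrm{Tr}_{(q^6,q)}(g^{ab})$ in $\mathbb{F}_{q^6}$.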

5.2.1 XTR Group

XTR: the XTR group $G_p = \langle h \rangle$ is a subgroup of $G_{q^2-q+1}$, where $h \in \mathbb{F}_{q^6}^*$.
– $p$ and $q$ are prime, and $q \equiv 2 \pmod 3$.
XTR3: the XTR group $G_p = \langle g \rangle$ is a subgroup of $G_{q-\sqrt{3q}+1}$, where $g \in \mathbb{F}_{q^6}^*$.
– $p$ is prime and $q = 3^{2k-1}$.
Note that the suggested lengths to provide adequate levels of security are $\log_2(q) \approx 170$ and $\log_2(p) \approx 160$.

5.2.2 XTR Exponentiation

XTR: For given $\mathrm{Tr}_{(q^6,q^2)}(h)$ and $n \in \mathbb{Z}_p$, computing $\mathrm{Tr}_{(q^6,q^2)}(h^n)$ takes $8 \log_2(n)$ multiplications in $\mathbb{F}_q$.
– $\mathbb{F}_{q^2}$ has a Type-I ONB over $\mathbb{F}_q$.
XTR3: For given $\mathrm{Tr}_{(q^6,q)}(g)$ and $n \in \mathbb{Z}_p$, computing $\mathrm{Tr}_{(q^6,q)}(g^n)$ takes $8 \log_2(n) + \lfloor \log_2(k-1) \rfloor + \mathrm{HW}(k-1) + 2$ multiplications in $\mathbb{F}_q$.
– $\mathbb{F}_{q^2}$ has a Type-II ONB over $\mathbb{F}_q$.
– $\mathbb{F}_q$ has a Type-II ONB over $\mathbb{F}_3$.

Denote by $|\cdot|$ the bit length of "$\cdot$". In the proposed XTR3, we have to select $k$ such that $\mathbb{F}_q$ has a Type-II ONB over $\mathbb{F}_3$, and both the order $|p|$ of the subgroup and the order $|q^6|$ of the whole group are large enough. Therefore, we cannot construct the proposed XTR3 with an arbitrary size of $p$, unlike the original XTR. The security of the 1024-bit (or 2048-bit) RSA cryptosystem corresponds to that of the discrete logarithm problem in a 160-bit (or 224-bit) subgroup, respectively [12].

In order to estimate the efficiency of the proposed XTR3, we try to choose several $k$s in the following. $k = 56$ provides $(|p|, |q^6|)$ closest to $(160, 1024)$, namely $(|p|, |q^6|) = (156, 1056)$; however, this $|p|$ is a bit smaller than 160. $k = 71$ is the smallest $k$ such that $|p| \geq 160$ and $|q^6| \geq 1024$. $k = 111$ provides $(|p|, |q^6|)$ closest to $(224, 2048)$, namely $(|p|, |q^6|) = (225, 2101)$, and that also satisfies $|p| \geq 224$ and $|q^6| \geq 2048$. $k = 120$ corresponds to a larger parameter $(|p|, |q^6|) = (378, 2273)$.

Table 2 shows the cost of XTR and XTR3 for the above $k$s. Note that the cost of XTR is $8|p|$ multiplications in $\mathbb{F}_q$, because the size of the scalar $n$ is equal to $|p|$. On the other hand, the cost of XTR3 additionally requires the overheads that appear in Table 1. Here we estimate that the cost of XTR3 increases by 1% compared with that of XTR for the above $k$s.

5.2.3 Communication Overhead

The communication overhead of XTR-DH in XTR3 is about half of that of XTR-DH proposed in [9] and one sixth of that of traditional implementations of the Diffie-Hellman protocol that are based on subgroups of multiplicative groups of finite fields and that achieve the same level of security.

5.2.4 Size of Public Key Parameter

In XTR, the public key data are $q$, $p$, and $\mathrm{Tr}_{(q^6,q^2)}(h)$. Thus, the total length is $3|q| + |p|$. However, in the case of XTR3, the public key data are $q\,(= 3^{2k-1})$, $p$, and $\mathrm{Tr}_{(q^6,q)}(g)$, and their total length is $2|q| + |p|$. Table 3 shows the sizes of the public key data of XTR and XTR3. The size of the public key data of XTR3 is reduced by about 26% compared with XTR for these $k$s.

6. Conclusion

In this paper we presented a new variant of the XTR cryptosystem with a compact representation of the ciphertext. The compression ratio of the ciphertext becomes 1/6, which is the smallest among the previously known practical public-key cryptosystems. The computational overhead of the proposed scheme over the original XTR is only about 1%. Therefore, the proposed scheme is one of the fastest public-key cryptosystems with the smallest compression ratio. It is a further research topic to construct a practical public-key cryptosystem that achieves a compression ratio smaller than 1/6.

Acknowledgements

The work reported in this paper was supported by the IT R&D program of MIC/IITA [2005-S088-04, Development of Security technology for Secure RFID/USN Service].

Masaaki Shirase received the B.Sc. in mathematics from Ibaraki University in 1994, and M.I.S. and Dr.I.S. degrees from JAIST (Japan Advanced Institute of Science and Technology) in 2003 and 2006, respectively. He is currently a Postdoctoral Fellow in the School of Systems Information Science at Future University-Hakodate. His research interests are algorithms and implementation of cryptography.

References

[1] P. Barreto, H.Y. Kim, B. Lynn, and M. Scott, "Efficient algorithms for pairing-based cryptosystems," Crypto 2002, LNCS 2442, pp.354–369, 2002.
[2] A. Brouwer, R. Pellikaan, and E.R. Verheul, "Doing more with fewer bits," Asiacrypt'99, LNCS 1716, pp.321–332, 1999.
[3] H. Cohen, A Course in Computational Algebraic Number Theory, Springer, 1993.
[4] M. van Dijk and D. Woodruff, "Asymptotically optimal communication for torus-based cryptography," Crypto 2004, LNCS 3152, pp.157–178, 2004.
[5] M. van Dijk, R. Granger, D. Page, K. Rubin, A. Silverberg, M. Stam, and D. Woodruff, "Practical cryptography in high dimensional Tori," Eurocrypt 2005, LNCS 3494, pp.234–250, 2005.
[6] T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete logarithms," IEEE Trans. Inf. Theory, vol.31, no.4, pp.469–472, 1985.
[7] G. Gong and L. Harn, "Public key cryptosystems based on cubic finite field extensions," IEEE Trans. Inf. Theory, vol.45, no.7, pp.2601–2605, 1999.
[8] T. Itoh, O. Teechai, and S. Tsujii, "A fast algorithm for computing multiplicative inverses in GF(2^m) using normal bases," Inf. Comput., vol.78, pp.171–177, 1988.
[9] A. Lenstra and E. Verheul, "The XTR public key system," Crypto 2000, LNCS 1800, pp.1–20, 2000.
[10] A. Lenstra, "Using cyclotomic polynomials to construct efficient discrete logarithm cryptosystems over finite fields," ACISP'97, LNCS 1270, pp.127–138, 1997.
[11] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997.
[12] National Institute of Standards and Technology, Special Publication 800-56: Recommendation on key establishment schemes, Draft 2.0, 2003.
[13] K. Rubin and A. Silverberg, "Torus-based cryptography," Crypto 2003, LNCS 2729, pp.349–365, 2003.
[14] C. Schnorr, "Efficient signature generation by smart cards," J. Cryptol., vol.4, pp.161–174, 1991.
[15] M. Shirase, D.-G. Han, Y. Hibino, H.W. Kim, and T. Takagi, "Compressed XTR," ACNS 2007, LNCS 4521, pp.420–431, 2007.
[16] P. Smith and C. Skinner, "A public-key cryptosystem and a digital signature system based on the Lucas function analogue to discrete logarithms," Asiacrypt'94, LNCS 917, pp.357–364, 1995.
[17] M. Stam and A. Lenstra, "Speeding up XTR," Asiacrypt 2001, LNCS 2248, pp.125–143, 2001.

Dong-Guk Han received his B.S. degree in mathematics from Korea University in 1999, and his M.S. degree in mathematics from Korea University in 2002. He received a Ph.D. in engineering in Information Security from Korea University in 2005. He was a Post.Doc. at Future University-Hakodate, Japan. After finishing the doctoral course, he was an exchange student in the Dep. of Computer Science and Communication Engineering at Kyushu University in Japan from April 2004 to March 2005. Since June 2006, he has been a senior researcher at the Electronics and Telecommunications Research Institute (ETRI). He is a member of KIISC, IEEK, and IACR.

Yasushi Hibino is a professor in the School of Information Science at Japan Advanced Institute of Science and Technology (JAIST). He received B.S. and M.S. degrees from Tokyo Institute of Technology, Tokyo, in 1970 and 1972 respectively, and a Ph.D. degree in computer engineering from the same institution in 1995. He worked as a researcher in the Electrical Communication Laboratory of Nippon Telegraph and Telephone (Public) Corporation from 1972 to 1992, where he engaged in the development of the Lisp Machine ELIS. He joined JAIST in 1993 and his current research is focused on wave pipeline architecture. He is a member of IEEE, ACM and IPSJ.

Howon Kim received his B.S.E.E. degree from KyungPook National University, DaeGu, Korea, in 1993 and the M.S. and Ph.D. degrees in Electronic and Electrical Engineering from Pohang University of Science and Technology (POSTECH), Pohang, Korea, in 1995 and 1999, respectively. From July 2003 to June 2004, he studied at the COSY group at the Ruhr-University of Bochum, Germany. He was a senior member of technical staff at the Electronics and Telecommunications Research Institute (ETRI), DaeJeon, Korea. He is currently working as an assistant professor at the department of computer engineering in Pusan National University, Busan, Korea. His research interests include RFID technology, sensor networks, information security and computer architecture. Currently, his main research focus is on mobile RFID technology and sensor networks, public key cryptosystems and their security issues. He is a member of the IEEE, IEEE Computer Society, and IACR.

Tsuyoshi Takagi received the B.Sc. and M.Sc. degrees in mathematics from Nagoya University in 1993 and 1995, respectively. He was engaged in research on network security at NTT Laboratories from 1995 to 2001. He received the Dr.rer.nat degree from Technische Universität Darmstadt in 2001. He was an Assistant Professor in the Department of Computer Science at Technische Universität Darmstadt until 2005. He is currently a Professor in the School of Systems Information Science at Future University-Hakodate. His current research interests are information security and cryptography. Dr. Takagi is a member of the International Association for Cryptologic Research (IACR).