
IEICE TRANS. FUNDAMENTALS, VOL.E91–A, NO.10 OCTOBER 2008 2843

PAPER Special Section on Information Theory and Its Applications

A More Compact Representation of XTR Cryptosystem∗

Masaaki SHIRASE†a), Member, Dong-Guk HAN††, Nonmember, Yasushi HIBINO†††, Member, Howon KIM††, Nonmember, and Tsuyoshi TAKAGI†, Member

SUMMARY XTR is one of the most efficient public-key cryptosystems that allow us to compress the communication bandwidth of their ciphertext. The compact representation can be achieved by deploying a subgroup $\mathbb{F}_{q^2}$ of extension field $\mathbb{F}_{q^6}$, so that the compression ratio of XTR cryptosystem is 1/3. On the other hand, Dijk et al. proposed an efficient public-key cryptosystem using a torus over $\mathbb{F}_{q^{30}}$ whose compression ratio is 4/15. It is an open problem to construct an efficient public-key cryptosystem whose compression ratio is smaller than 4/15. In this paper we propose a new variant of XTR cryptosystem over finite fields with characteristic three whose compression ratio is 1/6. The key observation is that there exists a trace map from $\mathbb{F}_{q^6}$ to $\mathbb{F}_q$ in the case of characteristic three. Moreover, the cost of compression and decompression algorithm requires only about 1% overhead compared with the original XTR cryptosystem. Therefore, the proposed variant of XTR cryptosystem is one of the fastest public-key cryptosystems with the smallest compression ratio.

key words: cryptography, XTR cryptosystem, finite field, efficient implementation, compact representation

Manuscript received January 28, 2008.
Manuscript revised April 20, 2008.
† The authors are with Future University Hakodate (FUN), Hakodate-shi, 041-8655 Japan.
†† The authors are with Electronics and Telecommunications Research Institute (ETRI), Korea.
††† The author is with Japan Advanced Institute of Science and Technology (JAIST), Nomi-shi, 923-1292 Japan.
∗ The preliminary version of this paper [15] was published at 5th International Conference Applied Cryptography and Network Security, ACNS 2007.
a) E-mail: [email protected]
DOI: 10.1093/ietfec/e91–a.10.2843
Copyright © 2008 The Institute of Electronics, Information and Communication Engineers

1. Introduction

In the classical Diffie-Hellman (DH) key exchange scheme, two system parameters are fixed: a large prime number $q$ and a generator $g$ of the multiplicative group of the basic prime field $\mathbb{F}_q$. In the basic DH scheme the two parties each send a random power of $g$ to the other party. Assuming both parties know $q$ and $g$, each party transmits about $\log_2(q)$ bits to the other party.

In [6], ElGamal suggested that finite extension fields can be used instead of prime fields, but no direct computational or communication advantages were implied. In [14], Schnorr proposed a variant of the classical Diffie-Hellman scheme, in which $g$ does not generate the whole multiplicative group of the prime field $\mathbb{F}_q$, but only a small subgroup of which the order is relatively small compared to $q$. This considerably reduces the computational cost of the DH scheme, but has no effect on the number of bits to be exchanged.

After that, attempts were made to use traces to represent and calculate powers of elements of a subgroup of a finite field to achieve efficient and compact subgroup representation. The LUC cryptosystem uses the trace over $\mathbb{F}_q$ to represent elements of the order $q + 1$ subgroup of $\mathbb{F}_{q^2}^*$ [16]. Compared to the traditional representation LUC leads to a factor 2 reduction in the representation size. The variant described in [7] uses the subgroup of order $q^2 + q + 1$ of $\mathbb{F}_{q^3}^*$ instead, but as a result sizes are reduced by only a factor 1.5. In [2], Brouwer et al. introduced for the first time how the use of finite extension fields and subgroups can be combined in such a way that the number of bits to be exchanged is reduced by a factor 3. More specifically, it was shown that elements of an order $p$ subgroup of $\mathbb{F}_{q^6}^*$ can be represented using $2\log_2(q)$ bits if $p$ divides $q^2 - q + 1$. Despite its communication efficiency, the method is rather troublesome and computationally not particularly efficient.

In 2000 Lenstra-Verheul introduced XTR [9], a cryptosystem using the trace over $\mathbb{F}_{q^2}$ to represent elements of the order $q^2 - q + 1$ subgroup of $\mathbb{F}_{q^6}^*$, thereby achieving a factor 3 size reduction. Also, the resulting calculations are appreciably faster than using the standard representation. XTR of security equivalent to 1024-bit RSA achieves speed comparable to cryptosystems based on random elliptic curves over random prime fields (ECC) of equivalent security. The corresponding XTR public keys are only about 2∼3 times as large as ECC keys in practical key sizes, assuming global system parameters — without the last requirement the sizes of XTR and ECC public keys are the same. Furthermore, parameter initialization from scratch for XTR takes a negligible amount of computing time, unlike RSA and ECC. Combined with its very easy programmability, this makes XTR an excellent public-key cryptosystem for a very wide variety of environments, ranging from smart cards to web servers.

On the other hand, Rubin-Silverberg proposed a torus-based cryptosystem CEILIDH over $\mathbb{F}_{q^6}$ whose compression rate is the same as that of XTR [13]. Dijk-Woodruff then presented a torus-based cryptosystem over $\mathbb{F}_{q^n}$ whose compression ratio is asymptotically $\varphi(n)/n$, where $\varphi$ is the Euler totient function [4]. However, the cryptosystem proposed by Dijk-Woodruff is not as efficient as RSA with the key length in practical applications. In 2005 Dijk et al. further proposed a relatively efficient public-key cryptosystem using a torus over $\mathbb{F}_{q^{30}}$ whose compression ratio is $\varphi(30)/30 = 4/15$ [5]. It is an open problem to construct a practical public-key cryptosystem whose compression ratio is smaller than 4/15.

1.1 Contribution of This Paper

In this paper we present a greatly improved version of XTR that leads to a factor 6 reduction in the representation size compared to the traditional representation. That is to say, we achieve a factor 2 reduction compared to the original XTR. We show that if the characteristic of $\mathbb{F}_q$ is three, i.e., $q = 3^{2k-1}$ for some integer $k$, then we can use the trace over $\mathbb{F}_q$ to represent elements of the order $q - \sqrt{3q} + 1$ subgroup of $\mathbb{F}_{q^6}^*$. Also, the resulting calculations such as exponentiations are as fast as those of XTR. Given $Tr_{(q^6,q)}(g)$ and $n$, computing $Tr_{(q^6,q)}(g^n)$ takes about 1291 multiplications in $\mathbb{F}_q$, which is only about a 1% increase compared to the cost of computing $Tr_{(q^6,q^2)}(h^n)$ for given $Tr_{(q^6,q^2)}(h)$ and $n$, where the size of $n$ is 160 bits. Therefore, the proposed scheme is one of the fastest public-key cryptosystems with the smallest compression ratio (i.e., 1/6).

In Sect. 2 we describe XTR, and in Sect. 3 we introduce XTR over characteristic three, which achieves a factor 2 reduction in the representation size compared to XTR. Section 4 shows efficient calculations of XTR exponentiation over characteristic three. Applications and comparisons to the original XTR are given in Sect. 5. We then conclude in Sect. 6.

2. XTR

2.1 Description of XTR

XTR uses a subgroup of prime order $p$ of the order $q^2 - q + 1$ subgroup of $\mathbb{F}_{q^6}^*$. The latter group is referred to as the XTR supergroup, denoted as $G_{q^2-q+1}$, and the order $p$ subgroup $G_p$ is referred to as the XTR group.

ONB)
If 2m + 1 is a prime and either of the following two conditions holds,
• q is a primitive root modulo 2m + 1,
• q is a quadratic residue modulo 2m + 1 and q 1 mod (2m + 1),
then the set {βm, βm−1, ···, β2, β} forms an optimal normal basis of type II in $\mathbb{F}_{q^m}$ and is called a Type-II ONB. Here, $\beta = \gamma + \gamma^{-1}$ and $\gamma$ is the primitive $(2m+1)$-th root of unity.

XTR uses $\mathbb{F}_{q^2}$ arithmetic to achieve $\mathbb{F}_{q^6}$ security, without requiring explicit construction of $\mathbb{F}_{q^6}$. Let $q$ be a prime that is 2 mod 3. It follows that $(X^3 - 1)/(X - 1) = X^2 + X + 1$ is irreducible over $\mathbb{F}_q$ and the zeros $\alpha$ and $\alpha^q$ of it form a Type-I ONB for $\mathbb{F}_{q^2}$ over $\mathbb{F}_q$. In XTR elements of $G_p$ are represented by their trace over $\mathbb{F}_{q^2}$. For $h \in \mathbb{F}_{q^6}^*$ the trace $Tr_{(q^6,q^2)}(h)$ over $\mathbb{F}_{q^2}$ is defined as the sum of the conjugates over $\mathbb{F}_{q^2}$ of $h$, i.e., $Tr_{(q^6,q^2)}(h) = h + h^{q^2} + h^{q^4} \in \mathbb{F}_{q^2}$. Let p

XTR Exponentiation ([9], Algorithm 2.3.7)
INPUT: $c$ and $n$ where $n > 2$
OUTPUT: $c_n$
1. Compute initial values:
   1.1. $C_3 \leftarrow c$, $C_0 \leftarrow D[C_3]$, $C_1 \leftarrow A[C_0, C_3, C_3, 3]$, and $C_2 \leftarrow D[C_0]$
   1.2. If $n$ is even, replace $n$ by $n - 1$.
        Let $n = 2m + 1$ and $m = \sum_{j=0}^{l} m_j 2^j$ with $m_j \in \{0, 1\}$ and $m_l = 1$.
2. for $j = l - 1$ downto 0
   2.1. $T_1 \leftarrow D[C_{m_j}]$
   2.2. $T_2 \leftarrow D[C_{1+m_j}]$
   2.3. if ($m_j = 0$) then $T_3 \leftarrow A[C_0, C_1, C_3^q, C_2^q]$
        if ($m_j = 1$) then $T_3 \leftarrow A[C_2, C_1, C_3, C_0^q]$
   2.4. $C_0 \leftarrow T_1$
   2.5. $C_1 \leftarrow T_3$
   2.6. $C_2 \leftarrow T_2$
3. If $n$ is odd then return $C_1$, else return $C_2$
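The XTR exponentiation algorithm ([9], Algorithm 2.3.7) and the Type-I ONB representation of F_{q^2} described above can be exercised together; the following Python is an added example, not code from the paper. The toy prime Q = 101, the helper names, and the formulas D[x] = x^2 − 2x^q and A[x, y, z, w] = xy − z·y^q + w are assumptions (the standard XTR trace recurrences), since this excerpt does not define D and A.

```python
# Added example: XTR exponentiation with F_{q^2} elements stored as pairs
# x = (x1, x2) meaning x1*alpha + x2*alpha^2, where alpha^2 + alpha + 1 = 0.
Q = 101  # constructed toy prime with Q % 3 == 2; far too small for real use

def frob(x):                      # x -> x^q swaps the two ONB coordinates
    return (x[1], x[0])

def mul(x, y):                    # uses alpha^3 = 1 and 1 = -alpha - alpha^2
    cross = x[0] * y[1] + x[1] * y[0]
    return ((x[1] * y[1] - cross) % Q, (x[0] * y[0] - cross) % Q)

def add(x, y): return ((x[0] + y[0]) % Q, (x[1] + y[1]) % Q)
def sub(x, y): return ((x[0] - y[0]) % Q, (x[1] - y[1]) % Q)
def embed(k): return ((-k) % Q, (-k) % Q)   # integer k as an element of F_{q^2}

def D(x):                         # assumed doubling step: c_2n = c_n^2 - 2*c_n^q
    fx = frob(x)
    return sub(mul(x, x), add(fx, fx))

def A(x, y, z, w):                # assumed mixed step: x*y - z*y^q + w
    return add(sub(mul(x, y), mul(z, frob(y))), w)

def xtr_exp(c, n):
    """Return c_n for n > 2, following steps 1-3 of the algorithm box."""
    if n <= 2:
        raise ValueError("the algorithm is stated for n > 2")
    c0 = D(c)
    C = [c0, A(c0, c, c, embed(3)), D(c0)]   # (c_2, c_3, c_4)
    odd = n % 2 == 1
    m = (n - 1) // 2                         # n (or n - 1 if even) = 2m + 1
    for bit in bin(m)[3:]:                   # bits m_{l-1} .. m_0; m_l = 1 is skipped
        b = int(bit)
        t1, t2 = D(C[b]), D(C[1 + b])
        if b == 0:
            t3 = A(C[0], C[1], frob(c), frob(C[2]))
        else:
            t3 = A(C[2], C[1], c, frob(C[0]))
        C = [t1, t3, t2]
    return C[1] if odd else C[2]

def xtr_naive(c, n):
    """Reference: c_{k+3} = c*c_{k+2} - c^q*c_{k+1} + c_k with c_0 = 3, c_1 = c."""
    seq = [embed(3), c, D(c)]
    while len(seq) <= n:
        seq.append(add(sub(mul(c, seq[-1]), mul(frob(c), seq[-2])), seq[-3]))
    return seq[n]
```

Because both routines only evaluate power sums of the roots of X^3 − cX^2 + c^q X − 1, they agree for any c in F_{q^2}, and applying xtr_exp twice with exponents a and b gives the same value in either order, which is the property a Diffie-Hellman exchange on traces relies on.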