Compressing Elements in Discrete Logarithm Cryptography

Philip Nicholas James Eagle, Esq.
Submitted in total fulfilment of the requirements of the degree of Philosophiæ Doctor
June 2008
Information Security Group, Royal Holloway College, University of London

Figure 1: Royal Holloway

Abstract

In the modern world, the ubiquity of digital communication is driven by the constantly evolving world of cryptography. Consequently, one must efficiently implement asymmetric cryptography in environments which have limited resources at their disposal, such as smart-cards, ID cards, vehicular microchips and many more. It is the primary purpose of this thesis to investigate methods for reducing the bandwidth required by these devices.

Part I of this thesis considers compression techniques for elliptic curve cryptography (ECC). We begin this by analysing how much data is actually required to establish domain parameters for ECC. Following the widely used cryptographic standards (for example: SEC 1), we show that naïvely implemented systems use extensively more data than is actually required and suggest a flexible and compact way to better implement these. This is especially of use in a multi-curve environment. We then investigate methods for reducing the inherent redundancy in the point representation of Koblitz systems; a by-product of the best known Pollard-ρ based attacks by Wiener & Zuccherato and Gallant, Lambert & Vanstone. We present methods which allow such systems to operate (with a high confidence) as efficiently as generic ones whilst maintaining all of their computational advantages.

In Part II we investigate using disguised algebraic tori, LUC and XTR as candidates for black-box groups. It is well known that the specific representation of groups affects their suitability to be used for cryptography. Black-box group cryptography, where little or nothing is known about the underlying group structure, exploits this idea. Such group representations could potentially lead to new applications. This work is motivated by the trapdoor DDH groups of Dent & Galbraith based on earlier work by Frey. We detail specific attacks to undisguise these groups and make comments on future directions in this area.

Acknowledgements

A great deal of heartfelt thanks goes to my supervisor Dr. S. D. Galbraith. It is impossible to articulate the depth of my debt to Steven, who has always been sagacious in his guidance and tireless in his support. Thank you.

To my parents

Contents

Abstract  i
Acknowledgements  ii
1 Motivation  1
2 Cryptographic Background  4
2.1 Complexity Theory  4
2.1.1 Complexity Notation  4
2.1.2 Complexity Classes  5
2.2 Asymmetric Cryptography  5
2.2.1 Computational Security and Hard Problems  6
2.3 The Discrete Logarithm Problem  6
2.4 Attacks on the DLP: Pohlig-Hellman  7
2.5 Cryptographic Schemes Based on the DLP  7
2.5.1 DHKA-Protocol  7
2.5.2 ElGamal-Protocol  8
3 Mathematical Background: Finite Fields  9
3.1 The Structure of Finite Fields  9
3.2 Representing Finite Fields  11
3.2.1 Polynomial Representation  11
3.2.2 Normal Representation  12
3.3 Computing Isomorphisms Between Finite Fields  12

I Compression  14
4 Background  15
4.1 Elliptic Curves  15
4.1.1 Addition Law for Curve Points  17
4.1.2 Point Compression  18
4.1.3 Seroussi's Point Compression for Curves E/F_{2^n}  19
4.2 Koblitz Curves  20
4.3 Edwards Curves  21
4.4 Security Parameters  22
5 Compression of Elliptic Curve Domain Parameters  23
5.1 Motivation  23
5.2 Domain Parameters  24
5.2.1 SEC 1: Elliptic Curve Domain Parameters  24
5.2.2 Naïve Representational Bit-Size for V in SEC 1  25
5.3 Previous Research: Smart  28
5.4 Reducing Redundancy in the Definition of V  29
5.4.1 Establishing the Order ℓ for General Finite Fields  29
5.4.2 The Modified Cofactor  30
5.5 Excluding Redundancy from V for SEC 1  31
5.6 Subfield Curves under SEC 1  32
5.6.1 Establishing the Order ℓ when using Subfield Curves  32
5.6.2 Performance Considerations  34
5.6.3 Modified Trace Unsigning when Using Verification  35
5.6.4 The Modified Cofactor for Subfield Curves  37
5.7 Discussions & Conclusions  37
6 Compact Domain Parameters  39
6.1 Motivation  39
6.2 Previous Research: Smart  40
6.3 Previous Research: Brown, Myers & Solinas  41
6.4 Compact Domain Parameters V  43
6.5 Defining the Field, F ∈ V  44
6.5.1 Compactly Representing Special Primes; Hence F_p  44
6.5.2 Representing Extension Fields  50
6.5.3 Representing Extension Fields: Characteristic Two  50
6.5.4 Representing Extension Fields; for Koblitz Curves  52
6.5.5 Representing Extension Fields: Optimal Extension Fields  53
6.6 Specifying the Curve  55
6.6.1 The Orders of the Curve: #E and ℓ  56
6.6.2 Choosing the Coefficient b for Weierstraß Forms  57
6.6.3 Probability of Occurring Orders of #E  57
6.6.4 Choosing the Coefficient d for Edwards Forms  61
6.6.5 Summary  62
6.7 Specifying Base Points  63
6.8 Definition and Generation of Multi-Curve CDPs  64
6.8.1 For Prime Fields F_p  64
6.8.2 For Binary Fields F_{2^n}  66
6.8.3 For Koblitz Curves E/F_{2^n}  66
6.9 Discussions & Conclusions  67
7 Point Compression for Koblitz Curves  69
7.1 Motivation  69
7.1.1 Overhead in Koblitz Systems  70
7.2 Reducing Bandwidth: Point Compression  71
7.3 Compression & Decompression Algorithms  71
7.4 Compressing Koblitz Abscissæ: Theory  73
7.4.1 Equivalence Classes  73
7.4.2 Compressing Koblitz Abscissæ up to Rotation  74
7.5 DHKA using Compressed Points  76
7.6 Bandwidth Reduction: Theoretical Expectations  77
7.7 Bandwidth Reduction: Practical Results  78
7.8 Using a Variable Length Communication Model  79
7.9 Discussion of Practical Results & Conclusions  79

II Disguising  81
8 Background  82
8.1 Subgroups and Algebraic Tori  82
8.2 Rubin & Silverberg's Parameterisation of T_2  83
8.3 Trace Based Cryptosystems: LUC  85
8.4 Trace Based Cryptosystems: XTR  87
9 Disguising Objects & Black-Boxes  89
9.1 Introduction to Black-Box Groups  89
9.1.1 Generic Algorithms  89
9.1.2 Black-Box Groups  90
9.1.3 Security  92
9.1.4 Computing Maps Between Representations  93
9.1.5 Previous Research  93
9.1.6 Our Contribution  94
9.2 Disguising Finite Fields  94
9.2.1 Construction  94
9.2.2 Cryptanalysis of Disguised Finite Fields  95
9.2.3 Attack Algorithm  97
9.3 Disguising Using Affine Transformations U  98
9.4 Disguising Tori  99
9.4.1 Previous Research: Galbraith's Disguise of T_2  99
9.4.2 Construction  100
9.4.3 DHKA using Galbraith's Disguised T_2  101
9.4.4 Cryptanalysis of Galbraith's Construction  101
9.4.5 Disguising T_2: A New Approach  103
9.4.6 Construction  103
9.4.7 Examples  105
9.4.8 Cryptanalysis of Our Disguised T_2  106
9.4.9 Disguising Higher-Degree Tori  107
9.5 Disguising Trace-Based Methods: LUC  107
9.5.1 Construction  108
9.5.2 Cryptanalysis of Disguised LUC  109
9.6 Disguising Trace-Based Methods: XTR  110
9.6.1 Construction  110
9.6.2 Cryptanalysis of Disguised XTR  111
9.7 Discussions & Remarks  112

III Appendices  114
A Detailed Methods  115
A.1 SEC 1 Parameter Representation  115
A.1.1 SEC 1: Bit-String-to-Octet-String conversion  115
A.1.2 SEC 1: Representing Integers  116
A.1.3 SEC 1: Representing Finite Field elements  116
A.1.4 SEC 1: Representing Elliptic Curve Points  117
B Tables  119
B.1 Prime Tables  119
B.2 Miscellaneous Tables  131

List of Tables

5.1 SEC 1: Example Bit Sizes for V  27
6.1 Special Prime Families  44
6.2 NIST Key-Sizes  44
6.3 Prime Family Densities  45
6.4 Computed Type-1, 3 & 4 Maximal Encoded Element Bit-Sizes  46
6.5 Computed Type-6 & 8 Maximal Encoded Element Bit-Sizes  47
6.6 Computed IR δ to 4 d.p.  48
6.7 Values (n, d) and (n, d2, d1, d0) for Low-Weight Prime Order Polynomials of Weight 3 and 5 respectively  51
6.8 Relevant Degrees of n for Koblitz Curves  52
6.9 Example Maximal Order Curves E/F_{2^281} for a = 0  61
6.10 Example Maximal Order Curves E/F_{2^281} for a = 1  61
7.1 Additional Bandwidth required for Koblitz Systems  71
7.3 Observed Probability for Koblitz Point Compression  80
B.1 Type-1 Primes p with 4 ≤ ⌈lg p⌉ ≤ 64  119
B.2 Type-1 Primes p with 160 ≤ ⌈lg p⌉ ≤ 224  120
B.3 Type-1 Primes p with 224 ≤ ⌈lg p⌉ ≤ 256  120
B.4 Type-1 Primes p with 256 ≤ ⌈lg p⌉ ≤ 572  122
B.5 Type-3 Primes p with 4 ≤ ⌈lg p⌉ ≤ 64  122
B.6 Type-3 Primes p with 160 ≤ ⌈lg p⌉ ≤ 224  123
B.7 Type-3 Primes p with 224 ≤ ⌈lg p⌉ ≤ 256  123
B.8 Type-3 Primes p with 256 ≤ ⌈lg p⌉ ≤ 572  124
B.9 Type-4 Primes p with 4 ≤ ⌈lg p⌉ ≤ 64  124
B.10 Type-4 Primes p with 160 ≤ ⌈lg p⌉ ≤ 224  124
B.11 Type-4 Primes p with 224 ≤ ⌈lg p⌉ ≤ 256  125
B.12 Type-4 Primes p with 256 ≤ ⌈lg p⌉ ≤ 572  127
B.13 Type-6 Primes p with 4 ≤ ⌈lg p⌉ ≤ 64  127
B.14 Type-6 Primes p with 160 ≤ ⌈lg p⌉ ≤ 224

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    145 pages