## Looking beyond XTR (2002)


### Other Repositories/Bibliography

Venue: In Advances in Cryptology — ASIACRYPT 2002, Lect. Notes in Comp. Sci. 2501

Citations: 13 (0 self)

### BibTeX

    @INPROCEEDINGS{Bosma02lookingbeyond,
      author = {Wieb Bosma and James Hutton and Eric R. Verheul},
      title = {Looking beyond XTR},
      booktitle = {IN ADVANCES IN CRYPTOLOGY — ASIACRYPT 2002, LECT. NOTES IN COMP. SCI. 2501},
      year = {2002},
      pages = {46--63},
      publisher = {Springer}
    }

### Abstract

XTR is a general method that can be applied to discrete logarithm based cryptosystems in extension fields of degree six, providing a compact representation of the elements involved. In this paper we present a precise formulation of the Brouwer-Pellikaan-Verheul conjecture, originally posed in [4], concerning the size of XTR-like representations of elements in extension fields of arbitrary degree. If true, this conjecture would provide even more compact representations of elements than XTR in extension fields of degree thirty. We test the conjecture by experiment, showing that in fact it is unlikely that such a compact representation of elements can be achieved in extension fields of degree thirty.

### Citations

2728 | New Directions in Cryptography
- Diffie, Hellman
- 1976
Citation Context ...meter of the system. We require that exponentiation is efficient in G but that the DL problem is believed to be hard. The seminal example of DL-based cryptosystems is Diffie-Hellman key exchange (see [6]), a method that enables two parties (Alice and Bob) to establish a shared secret key by exchanging messages over an open channel. Alice generates a random key $2 \le a < \#G$ and sends $A = g^a$ to Bob. Simil...

621 | The Magma algebra system I: The user language
- Bosma, Cannon, et al.
- 1997
Citation Context ...ed in the table at the end of Section 7. 6 The Magma programs In order to test the conjectures formulated in the previous section we performed some experiments using the computer algebra system Magma [3]. Algorithm 0 (Find relations) Input: integers p, k, d, u, v, j. Output: a set Q of polynomials in $\mathbb{Z}[X_1, \ldots, X_u, Y]$. Description: Determine a prime divisor q of $\Phi_k(p)$ not dividing k (Lemma 1), an...

585 | Efficient Signature Generation by Smart Cards
- Schnorr
- 1991
Citation Context ...ange uses $G = \mathbb{F}_p^*$ where the prime p and a generator g of G are public parameters. There are other choices for the group G. For example Claus Schnorr proposed using a prime order subgroup of $\mathbb{F}_p^*$ (see [21]). Alternatively one can use the group of points on certain elliptic curves. Y. Zheng (Ed.): ASIACRYPT 2002, LNCS 2501, pp. 46–63, 2002. © Springer-Verlag Berlin Heidelberg 2002 Looking beyond XTR 47 ...

527 | Finite Fields
- Lidl, Niederreiter
- 1983
Citation Context ... a field $\mathbb{F}_{p^k}$ we call a subgroup of prime order q with $q \mid \Phi_k(p)$ and $q \nmid k$ a cyclotomic subgroup and denote it by $G_{q,p,k}$. (Here $\Phi_k(p)$ denotes the k-th cyclotomic polynomial evaluated in p, see [8] and [15].) We call the group of all elements of order dividing $\Phi_k(p)$ the (p, k)-cyclotomic group and denote it by $G_{p,k}$. The original Diffie-Hellman protocol uses the (p, 1)-cyclotomic group $G_{p,1}$, while Schnor...

230 | Monte Carlo Methods for Index Computation (mod p)
- Pollard
- 1978
Citation Context ...t effective known methods of (passive) attack against DL-systems are based on the Birthday Paradox or use of the Number Field Sieve. Birthday Paradox based algorithms (such as Pollard’s rho algorithm [20]) have expected running times of order $\sqrt{q}$ elementary operations in G, where q is the largest prime factor of the order of G. The Discrete Logarithm variant of the Number Field Sieve has a heuristic ex...

80 | The XTR public key system
- Lenstra, Verheul
- 2000
Citation Context ... 2(g x ) and y. Efficient methods for performing the calculations required for XTR variants of cryptosystems such as Diffie-Hellman key exchange and DSA have been developed by Lenstra and Verheul (see [10], [11], [12], [13]) and Lenstra and Stam (see [23]). As with LUC these methods are computationally more efficient than the corresponding calculations performed in $G_{q,p,6}$ without using traces. We conclud...

39 | A public-key cryptosystem and a digital signature system based on the Lucas function analogue to discrete logarithms
- Smith, Skinner
- 1995
Citation Context ...ons that each party must perform are significantly quicker than in the conventional system. These calculations use so-called Lucas recurrent sequences. For full details the reader should consult [2], [22] (where the name ‘LUCDIF’ was proposed), [17], [16], [19] and [14]. Of course it is essential that the benefits achieved by applying LUC do not compromise the security of the syste...

32 | Public-key cryptosystems based on cubic finite field extensions
- Gong, Harn
- 1999
Citation Context ...resented by φ(k) log p bits, in support of the BPV conjecture. Note that one can base generalisations of LUC on this example. In fact such a variant was published by G. Gong and L. Harn for k = 3 (see [7]). Here recurrent Lucas sequences similar to those used in LUC are employed. However this system has an ‘improvement factor’ k/φ(k) of just 3/2. Example 4. Let k = 6, so that the extension field has t...

27 | Doing more with fewer bits
- Brouwer, Pellikaan, et al.
- 1999
Citation Context ...nsion fields of degree six, providing a compact representation of the elements involved. In this paper we present a precise formulation of the Brouwer-Pellikaan-Verheul conjecture, originally posed in [4], concerning the size of XTR-like representations of elements in extension fields of arbitrary degree. If true this conjecture would provide even more compact representations of elements than XTR in ex...

25 | Speeding up XTR
- Stam, Lenstra
Citation Context ...e calculations required for XTR variants of cryptosystems such as Diffie-Hellman key exchange and DSA have been developed by Lenstra and Verheul (see [10], [11], [12], [13]) and Lenstra and Stam (see [23]). As with LUC these methods are computationally more efficient than the corresponding calculations performed in $G_{q,p,6}$ without using traces. We conclude this section by discussing some security issues. ...

22 | Using cyclotomic polynomials to construct efficient discrete logarithm cryptosystems over finite fields
- Lenstra
- 1997
Citation Context ... where q is the largest prime factor of the order of G. The Discrete Logarithm variant of the Number Field Sieve has a heuristic expected asymptotic running time of $L[p, 1/3, 1.923 + o(1)]$ (see [1] and [9]). The security of the original Diffie-Hellman system, which uses $G_{p,1}$, depends not only on the size of p but also on that of the largest prime factor of p − 1; ...

13 | Key improvements to XTR
- Lenstra, Verheul
- 2000
Citation Context ... ) and y. Efficient methods for performing the calculations required for XTR variants of cryptosystems such as Diffie-Hellman key exchange and DSA have been developed by Lenstra and Verheul (see [10], [11], [12], [13]) and Lenstra and Stam (see [23]). As with LUC these methods are computationally more efficient than the corresponding calculations performed in $G_{q,p,6}$ without using traces. We conclude this...

10 | An overview of the XTR public key system
- Lenstra, Verheul
- 2000
Citation Context ...icient methods for performing the calculations required for XTR variants of cryptosystems such as Diffie-Hellman key exchange and DSA have been developed by Lenstra and Verheul (see [10], [11], [12], [13]) and Lenstra and Stam (see [23]). As with LUC these methods are computationally more efficient than the corresponding calculations performed in $G_{q,p,6}$ without using traces. We conclude this section b...

8 | Fast irreducibility and subgroup membership testing
- Lenstra, Verheul
Citation Context ... y. Efficient methods for performing the calculations required for XTR variants of cryptosystems such as Diffie-Hellman key exchange and DSA have been developed by Lenstra and Verheul (see [10], [11], [12], [13]) and Lenstra and Stam (see [23]). As with LUC these methods are computationally more efficient than the corresponding calculations performed in $G_{q,p,6}$ without using traces. We conclude this secti...

6 | Polynomial Functions in Modern Cryptology, Contributions to General Algebra 3
- Muller
- 1985
Citation Context ...quicker than in the conventional system. These calculations use so-called Lucas recurrent sequences. For full details the reader should consult [2], [22] (where the name ‘LUCDIF’ was proposed), [17], [16], [19] and [14]. Of course it is essential that the benefits achieved by applying LUC do not compromise the security of the system. In fact it is easily shown that breaking the LUC...

4 | An overview of the XTR public key system, in Public-key cryptography and computational number theory (Warsaw, 2000), de Gruyter
- Lenstra, Verheul
- 2001
Citation Context ...ficient methods for performing the calculations required for XTR variants of cryptosystems such as Diffie-Hellman key exchange and DSA have been developed by Lenstra and Verheul (see [10], [11], [12], [13]) and Lenstra and Stam (see [23]). As with LUC these methods are computationally more efficient than the corresponding calculations performed in $G_{q,p,6}$ without using traces. We conclude this section by ...

4 | Introduction to abstract algebra, PWS-Kent
- Nicholson
- 1993
Citation Context ...4 (1, 24) 8 12 12 10 (1, 10) 4 5 5 24 (2, 12) 4 6 6 12 (1, 12) 4 6 6 24 (3, 8) 3 4 4 14 (1, 14) 6 7 7 25 (1, 25) 20 24 24 15 (1, 15) 8 14 14 26 (1, 26) 12 13 13 15 (3, 5) 3 4 4 27 (1, 27) 18 26 26 18 (1, 18) 6 9 9 27 (3, 9) 6 6, 7, 8 8 18 (2, 18) 3 4 4 28 (1, 28) 12 14 14 20 (1, 20) 8 10 10 28 (2, 14) 6 7 7 20 (2, 10) 4 5 5 30 (1, 30) 8 15 15 21 (1, 21) 12 20 20 30 (2, 15) 4 7 7 21 (3, 7) 4 5, 6 6 30 (3,...

4 | Cryptanalysis of the Rédei Scheme, Contributions to general Algebra 3
- Nöbauer
- 1985
Citation Context ...r than in the conventional system. These calculations use so-called Lucas recurrent sequences. For full details the reader should consult [2], [22] (where the name ‘LUCDIF’ was proposed), [17], [16], [19] and [14]. Of course it is essential that the benefits achieved by applying LUC do not compromise the security of the system. In fact it is easily shown that breaking the LUCDIF va...

3 | A subexponential algorithm over all finite fields
- Adleman, J. DeMarrais
Citation Context ...ns in G, where q is the largest prime factor of the order of G. The Discrete Logarithm variant of the Number Field Sieve has a heuristic expected asymptotic running time of $L[p, 1/3, 1.923 + o(1)]$ (see [1] and [9]). The security of the original Diffie-Hellman system, which uses $G_{p,1}$, depends not only on the size of p but also on that of the largest prime factor of p − 1; ...

1 | The Magma Algebra System I: The User Language
- Bosma, Cannon, et al.
- 1997
Citation Context ...ted in the table at the end of Section 7. 6 The Magma Programs In order to test the conjectures formulated in the previous section we performed some experiments using the computer algebra system Magma [3]. Algorithm 0 (Find relations). Input: integers p, k, d, u, v, j. Output: a set Q of polynomials in $\mathbb{Z}[X_1, \ldots, X_u, Y]$. Description: Determine a prime divisor q of $\Phi_k(p)$ not dividing k (Lemma 1), and a ge...