## Asymptotically optimal communication for torus-based cryptography (2004)

### Cached

### Download Links

- [www.almaden.ibm.com]
- [www.almaden.ibm.com]
- [researcher.watson.ibm.com]
- [www.iacr.org]
- [www.iacr.org]
- DBLP

### Other Repositories/Bibliography

Venue: | In Advances in Cryptology (CRYPTO 2004), Springer LNCS 3152 |

Citations: | 11 - 1 self |

### BibTeX

@INPROCEEDINGS{Dijk04asymptoticallyoptimal,

author = {Marten Van Dijk and David Woodruff},

title = {Asymptotically optimal communication for torus-based cryptography},

booktitle = {In Advances in Cryptology (CRYPTO 2004), Springer LNCS 3152},

year = {2004},

pages = {157--178},

publisher = {Springer}

}

### OpenURL

### Abstract

Abstract. We introduce a compact and efficient representation of elements of the algebraic torus. This allows us to design a new discretelog based public-key system achieving the optimal communication rate, partially answering the conjecture in [4]. For n the product of distinct primes, we construct efficient ElGamal signature and encryption schemes in a subgroup of F ∗ qn in which the number of bits exchanged is only a φ(n)/n fraction of that required in traditional schemes, while the security offered remains the same. We also present a Diffie-Hellman key exchange protocol averaging only φ(n) log2 q bits of communication per key. For the cryptographically important cases of n = 30 and n = 210, we transmit a 4/5 and a 24/35 fraction, respectively, of the number of bits required in XTR [14] and recent CEILIDH [24] cryptosystems. 1

### Citations

2582 | Handbook of Applied Cryptography
- Menezes, Oorschot, et al.
- 1996
(Show Context)
Citation Context ... ≤ a ≤ r − 1, let a be Alice’s private key and A = g a her public key. Let h : {0, 1} ∗ → Zr be a cryptographic hash function. We have the following generalized ElGamal signature scheme (see p.458 of =-=[18]-=- for background): Signature Generation (M): 1. Alice selects a random secret integer k, 1 ≤ k ≤ r, and computes d = gk . 2. Alice then computes e = k−1 (h(M) − ah(d)) mod r. 3. Alice expresses M ◦ e a... |

1158 | A public key cryptosystem and signature scheme based on discrete logarithm
- ElGamal
- 1985
(Show Context)
Citation Context ... cryptosystems. 1 Introduction In classical Diffie-Hellman key exchange there are two fixed system parameters - a large prime q and a generator g of the multiplicative group F ∗ q of the field Fq. In =-=[10]-=-, the idea of working in finite extension fields instead of prime fields was proposed, but no computational or communication advantages were implied. In [26] Schnorr proposed working in a relatively s... |

599 |
Efficient signature generation by smart cards
- Schnorr
- 1991
(Show Context)
Citation Context ...iplicative group F ∗ q of the field Fq. In [10], the idea of working in finite extension fields instead of prime fields was proposed, but no computational or communication advantages were implied. In =-=[26]-=- Schnorr proposed working in a relatively small subgroup of F ∗ q of prime order, improving the computational complexity of classical DH, but requiring the same amount of communication. In [4] it is s... |

314 | An improved algorithm for computing logarithms over GF(p) and its cryptographic significance
- Pohlig, Hellman
- 1978
(Show Context)
Citation Context ...ga , gb , gc ) for random a, b, and c. The hardness of both of these problems implies the hardness of the discrete logarithm problem (DL) in 〈g〉: find x given gx . Due to the Pohlig-Hellman algorithm =-=[21]-=-, the DL problem in 〈g〉 can be reduced to the DL problem in all prime order subgroups of 〈g〉, so we might as well assume that r is prime. There are two known approaches to solving the DL problem in 〈g... |

236 |
Monte Carlo methods for index computation mod p
- Pollard
- 1978
(Show Context)
Citation Context ...plicative group of Fqn itself using the Discrete Logarithm variant of the Number Field Sieve, and one which concentrates directly on the subgroup 〈g〉 using Pollard’s Birthday Paradox based rho method =-=[22]-=-. Let s be the smallest divisor of n for which 〈g〉 can be embedded in F ∗ qs. The heuristic expected running time of the first attack is L[qs , 1/3, 1.923], where L[n, v, u] = exp((u+o(1))(ln n) v (ln... |

206 |
A Subexponential Algorithm for the Discrete Logarithm Problem with Applications to Cryptography
- Adleman
- 1979
(Show Context)
Citation Context ...the DL problem in 〈g〉 can be reduced to the DL problem in all prime order subgroups of 〈g〉, so we might as well assume that r is prime. There are two known approaches to solving the DL problem in 〈g〉 =-=[1, 7, 9, 13, 20, 27, 28]-=-, one which attacks the full multiplicative group of Fqn itself using the Discrete Logarithm variant of the Number Field Sieve, and one which concentrates directly on the subgroup 〈g〉 using Pollard’s ... |

94 |
Fast evaluation of logarithms in fields of characteristic two
- Coppersmith
(Show Context)
Citation Context ...the DL problem in 〈g〉 can be reduced to the DL problem in all prime order subgroups of 〈g〉, so we might as well assume that r is prime. There are two known approaches to solving the DL problem in 〈g〉 =-=[1, 7, 9, 13, 20, 27, 28]-=-, one which attacks the full multiplicative group of Fqn itself using the Discrete Logarithm variant of the Number Field Sieve, and one which concentrates directly on the subgroup 〈g〉 using Pollard’s ... |

84 | The XTR public key system
- Lenstra, Verheul
- 2000
(Show Context)
Citation Context ...φ(n) log2 q bits of communication per key. For the cryptographically important cases of n = 30 and n = 210, we transmit a 4/5 and a 24/35 fraction, respectively, of the number of bits required in XTR =-=[14]-=- and recent CEILIDH [24] cryptosystems. 1 Introduction In classical Diffie-Hellman key exchange there are two fixed system parameters - a large prime q and a generator g of the multiplicative group F ... |

80 |
An Introduction to the Theory of Numbers, 5th edition
- Hardy, Wright
- 1979
(Show Context)
Citation Context ... constructing and querying this table is extremely efficient. 3 For an integer n, µ(n) = 1 if n = 1, µ(n) = 0 if n has a repeated factor, and µ(n) = (−1) k if n is a product of k distinct primes (see =-=[11]-=-, section 16.3).sOur choice of q and r for fixed n will also affect the security of our scheme. We give an efficient heuristic for choosing q and r for the practical cases of n = 30 and n = 210, where... |

67 | Discrete logarithms in GF(p) using the number field sieve
- Gordon
- 1993
(Show Context)
Citation Context ...the DL problem in 〈g〉 can be reduced to the DL problem in all prime order subgroups of 〈g〉, so we might as well assume that r is prime. There are two known approaches to solving the DL problem in 〈g〉 =-=[1, 7, 9, 13, 20, 27, 28]-=-, one which attacks the full multiplicative group of Fqn itself using the Discrete Logarithm variant of the Number Field Sieve, and one which concentrates directly on the subgroup 〈g〉 using Pollard’s ... |

44 |
Chebotarëv and his density theorem
- Stevenhagen, Lenstra
- 1996
(Show Context)
Citation Context ...ct that for any n > 6, φ(n) > n/(6 ln ln n), and for n the product of the first k distinct primes, φ(n) = Θ(n/ log log n). We use the following density theorem in our analysis: Theorem 2. (Chebotarev =-=[5, 16]-=-) For any integer n and any a ∈ Z ∗ n, the density of primes p (among the set of all primes) with p = a mod n is 1/φ(n). 3 The Bijection Let q be a prime power, n a positive integer, F ∗ qn the multip... |

30 |
Algebraic groups and their birational invariants
- Voskresenskiĭ
- 1998
(Show Context)
Citation Context ... specific versions of the conjecture in [4] made in [3] were shown to be false. Also in [24, 25, 23] it is shown that the group of order Φn(q) is isomorphic to the well-studied algebraic torus Tn(Fq) =-=[30]-=- and that a positive answer to the conjecture in [4] is possible if one can construct an efficient rational parameterization of Tn(Fq). However, such a construction is only known when n is a prime pow... |

28 | Doing more with fewer bits
- Brouwer, Pellikaan, et al.
- 1999
(Show Context)
Citation Context ...t representation of elements of the algebraic torus. This allows us to design a new discretelog based public-key system achieving the optimal communication rate, partially answering the conjecture in =-=[4]-=-. For n the product of distinct primes, we construct efficient ElGamal signature and encryption schemes in a subgroup of F ∗ qn in which the number of bits exchanged is only a φ(n)/n fraction of that ... |

28 | Discrete logarithms: the past and the future
- Odlyzko
(Show Context)
Citation Context |

28 | Torus-based cryptography
- Rubin, Silverberg
- 2003
(Show Context)
Citation Context ...unication per key. For the cryptographically important cases of n = 30 and n = 210, we transmit a 4/5 and a 24/35 fraction, respectively, of the number of bits required in XTR [14] and recent CEILIDH =-=[24]-=- cryptosystems. 1 Introduction In classical Diffie-Hellman key exchange there are two fixed system parameters - a large prime q and a generator g of the multiplicative group F ∗ q of the field Fq. In ... |

27 |
Implementation of a new primality test
- Cohen, Lenstra
- 1987
(Show Context)
Citation Context ...ved computation of θ −1 is similar, where we make sure to use the inverse of the coordinate permutation used in θ. 6.2 Complexity For background on efficient computations in fields and subgroups, see =-=[6, 12, 29]-=-. Consider � the algorithm for θ. In step 1, for d | n, µ(n/d) = −1, we perform 1 + e|d 1 exponentiations in Fqd. Notice that, in step 1b we do not need to compute Z vd,e d,e since it can be combined ... |

25 | Rounding in lattices and its cryptographic applications
- Boneh, Venkatesan
- 1997
(Show Context)
Citation Context ...y of this scheme is just that of the symmetric scheme E, assuming the key Q to E is chosen reasonably from e. To derive Q from e, one can extract bits that are hard to compute by an eavesdropper, see =-=[2]-=-. Almost Non-Hybrid ElGamal In the following, Alice will encrypt a sequence of m messages M1, . . . , Mm, each in F φ(n) q . She will form m + 1 encryptions, m of which are encryptions in Tn(Fq), and ... |

22 |
Using cyclotomic polynomials to construct efficient discrete logarithm cryptosystems over finite fields
- Lenstra
- 1997
(Show Context)
Citation Context ...ciently represented using 2 log2 q bits if r divides q2 − q + 1, which is one third of the 6 log2 q bits required for elements of F ∗ q6. Since the smallest field containing G is F ∗ q6, one can show =-=[13]-=- that with respect to attacks known today, the security of working in G is the same as that of working in F ∗ q6 for r large enough. In [14, 15] the XTR public key system was developed using the metho... |

19 | Generalizations of the Karatsuba Algorithm for Efficient Implementations
- Weimerskirch, Paar
(Show Context)
Citation Context ... 2, ρ2(10) = 2, ρ5(10) = 30, ρ10(10) = 30, ρ1(6) = 3, ρ2(6) = 30, ρ3(6) = 3, ρ6(6) = 30, ρ1(1) = 30, ρ30 = 30. We use f(30) = 234, f(15) = 78, f(10) = 45, f(6) = 18, f(5) = 15, f(3) = 6, and f(2) = 3 =-=[31]-=-. In step 1, we compute x ′ 15 , x′ 10 , x′ 6 , and x′ 1 using single exponentiations by using the square and multiply method [18, p. 614]. This costs in total 3(78 · 15 + 45 · 10 + 18 · 6 + 1)(log q)... |

13 | Looking beyond XTR
- Bosma, Hutton, et al.
- 2002
(Show Context)
Citation Context ...action of the number of bits needed in classical DH, while achieving the same level of security. For n the product of the first k primes, φ(n)/n → 0 as k → ∞, so the savings get better and better. In =-=[3, 24]-=-, evidence that the techniques of [4] cannot generalize to arbitrary n was presented, and in [3, 24], some specific versions of the conjecture in [4] made in [3] were shown to be false. Also in [24, 2... |

13 | Using primitive subgroups to do more with fewer bits
- Rubin, Silverberg
(Show Context)
Citation Context ... semantic security, for all i it must hold that θ−1 (Mi ◦ R) ∈ 〈g〉 × F σ− (n) q , which in general may be strictly contained in Tn(Fq) × F σ− (n) q . For this we adopt the technique in section 3.7 of =-=[25]-=-. Namely, by reserving a few bits of each Mi to be “redundancy bits”, if 〈g〉 has small enough index in Tn(q), then for any R we need only try a few random settings of these bits until θ−1 (Mi◦R) ∈ 〈g〉... |

8 | Speeding up subgroup cryptosystems
- Stam
- 2003
(Show Context)
Citation Context ...ved computation of θ −1 is similar, where we make sure to use the inverse of the coordinate permutation used in θ. 6.2 Complexity For background on efficient computations in fields and subgroups, see =-=[6, 12, 29]-=-. Consider � the algorithm for θ. In step 1, for d | n, µ(n/d) = −1, we perform 1 + e|d 1 exponentiations in Fqd. Notice that, in step 1b we do not need to compute Z vd,e d,e since it can be combined ... |

7 | Die Bestimmung der Dichtigkeit einer Menge von Primzahlen, welche zu einer gegebenen Substitutionsklasse gehören - Chebotarev - 1926 |

7 |
Discrete logarithms: the effectiveness of the index calculus method
- Denny
- 1996
(Show Context)
Citation Context |

5 |
Discrete Logarithms and Local
- Schirokauer
- 1993
(Show Context)
Citation Context |

4 | An overview of the XTR public key system, in Publickey cryptography and computational number theory (Warsaw, 2000), de Gruyter - Lenstra, Verheul - 2001 |

4 |
Algebraic tori in cryptography, to appear
- Rubin, Silverberg
(Show Context)
Citation Context ...3, 24], evidence that the techniques of [4] cannot generalize to arbitrary n was presented, and in [3, 24], some specific versions of the conjecture in [4] made in [3] were shown to be false. Also in =-=[24, 25, 23]-=- it is shown that the group of order Φn(q) is isomorphic to the well-studied algebraic torus Tn(Fq) [30] and that a positive answer to the conjecture in [4] is possible if one can construct an efficie... |

2 |
Ikktwon Yie, Jaemoon Kim and Hongsub Lee. XTR Extended to GF(p 6m
- Lim, Kim
- 2001
(Show Context)
Citation Context ... is at the optimal |M| + log r + φ(n) log q for ElGamal signature schemes, even for one message (as long as M is large enough).sThis beats the |M| + log r + (n/3) log q communication of the scheme in =-=[4, 17]-=- when n ≥ 30, in particular for the practical values n = 30 and n = 210. Our communication is the same as that in [24], but we do not rely on any conjectures. Note that our map θ may fail since M need... |

1 |
The Cyclotomic Polynomials” and “The Prime Divisors of the Cyclotomic Polynomial”, 46 and 48 in Introduction to Number Theory
- Nagell
- 1951
(Show Context)
Citation Context ...omputational complexity of our bijections, and we conclude in section 7. 2 Preliminaries 2.1 Cyclotomic Polynomials and Algebraic Tori We first state a few facts about the cyclotomic polynomials. See =-=[19]-=- for more background. Definition 1. Let n be a positive integer and let ζn = e 2πi/n . The nth cyclotomic polynomial Φn(x) is defined by: Φn(x) = � 1≤k≤n, gcd(k,n)=1 (x − ζ k n). It is easy to see tha... |