## XTR Implementation on Reconfigurable Hardware (2004)

Venue: of Lecture Notes in Computer Science

Citations: 5 - 1 self

### BibTeX

```bibtex
@INPROCEEDINGS{Peeters04xtrimplementation,
    author = {Eric Peeters and Mathieu Ciet},
    title = {XTR Implementation on Reconfigurable Hardware},
    booktitle = {of Lecture Notes in Computer Science},
    year = {2004},
    pages = {386--399},
    publisher = {Springer}
}
```

### Abstract

Recently, Lenstra and Verheul proposed an efficient cryptosystem called XTR. This system represents elements of $\mathbb{F}_{p^6}^*$ with order dividing $p^2 - p + 1$ by their trace over $\mathbb{F}_{p^2}$. Compared with the usual representation, this one achieves a ratio of three between security size and manipulated data. Consequently, very promising performance compared with RSA and ECC is expected. In this paper, we deal with hardware implementation of XTR, and more precisely with Field Programmable Gate Array (FPGA). The intrinsic parallelism of such a device is combined with efficient modular multiplication algorithms to obtain effective implementation(s) of XTR with respect to time and area. We also compare our implementations with hardware implementations of RSA and ECC. This shows that XTR achieves a very high level of speed with small area requirements: an XTR exponentiation is carried out in less than 0.21 ms at a frequency beyond 150 MHz.

### Citations

113 | Implementing the Rivest, Shamir and Adleman public key encryption algorithm on a standard digital signal processor
- Barrett
- 1987

Citation Context .... The delay of a carry-save adder (CSA) is independent of the length of operands. Many different algorithms to compute modular multiplication using the shift-and-add technique exist in the literature [2, 4, 17, 21, 23]. Most of them suggest interleaving the reduction step with the accumulating one in order to save hardware resources and computation time. The usual principle is to compute or estimate the quotient Q ...

85 | The XTR public key system
- Lenstra, Verheul
- 2000

Citation Context ...upported by the FRIA Belgium fund. To appear in Cryptographic Hardware and Embedded Systems 2004 (CHES04) proceedings © IACR (URL: http://www.springer.de/comp/lncs/index.htlm) XTR, first presented in [12], has been designed as a classical discrete logarithm (crypto)system, see also [11]. However, element representation is done in a special form that allows efficient computation and small communication...

39 | High-Radix Montgomery modular exponentiation on reconfigurable hardware
- Blum, Paar

Citation Context ...ith XTR cryptosystem implementation on reconfigurable hardware. Even if it is not fully satisfactory, we decided to compare it with the best existing implementations (as we know) of the RSA algorithm [5, 16] and elliptic curve processors [18, 19]. Table 2 indicates that our implementation is definitely competitive with respect to other designs for equivalent security. Note that no assumption on the form ...

39 | The Montgomery Powering Ladder
- Joye, Yen
- 2003

Citation Context ...consider elliptic curve cryptosystems point addition or doubling, many dependencies exist during computation, see [1]. This issue is removed using the Montgomery ladder principle, see for an overview [8]. Moreover each element of $\mathbb{F}_{p^2}^*$ is represented as a couple. Each component of the couple is evaluated at the same time and independently. Then computations for the $\alpha$ and $\alpha^2$ components are similar and...

35 | Public-Key Cryptosystems Based on Cubic Finite Field Extensions
- Harn
- 1999

Citation Context ...ublic key cryptosystem [24] based on Lucas function. This is an analog to discrete logarithm over $\mathbb{F}_{p^2}^*$ with elements of order $p + 1$ represented by their trace over $\mathbb{F}_p$. More recently, Gong and Harn [6] used a similar idea with elements in $\mathbb{F}_{p^3}^*$ of order $p^2 + p + 1$. Finally, Lenstra and Verheul proposed XTR in [12], that represents elements of $\mathbb{F}_{p^6}^*$ with order (dividing) $p^2 - p + 1$ by their trace ove...

32 | The area–time complexity of binary multiplication
- Brent, Kung
- 1981

Citation Context ...(MHz) Nbr. Reg/Nbr. LUT (slices*cycles/freq.) of K-H 1,402 1,230 805 189.2 0.88 7.5 e-4 of LUT 1,450 1,246 857 203.3 0.86 7.6 e-4 Table 1. Evaluation of the performances between the two algorithms In [3], the complexity of the implementation of a binary multiplication is formally defined. This definition includes many parameters such as the technology used, the area and time required and the length o...

32 | A fast modular multiplication algorithm with application to two key cryptography
- Brickell

Citation Context .... The delay of a carry-save adder (CSA) is independent of the length of operands. Many different algorithms to compute modular multiplication using the shift-and-add technique exist in the literature [2, 4, 17, 21, 23]. Most of them suggest interleaving the reduction step with the accumulating one in order to save hardware resources and computation time. The usual principle is to compute or estimate the quotient Q ...

22 | Using cyclotomic polynomials to construct efficient discrete logarithm cryptosystems over finite fields
- Lenstra
- 1997

Citation Context ... Systems 2004 (CHES04) proceedings © IACR (URL: http://www.springer.de/comp/lncs/index.htlm) XTR, first presented in [12], has been designed as a classical discrete logarithm (crypto)system, see also [11]. However, element representation is done in a special form that allows efficient computation and small communications. This system also has the advantage of very efficient parameter generations. As s...

17 | 1363-2000. IEEE Standard Specifications for Public-Key Cryptography
- Std

Citation Context ...f $S_n(c)$, with $n = 4k$ or $4k + 1$, can be computed independently. As an illustration, if we consider elliptic curve cryptosystems point addition or doubling, many dependencies exist during computation, see [1]. This issue is removed using the Montgomery ladder principle, see for an overview [8]. Moreover each element of $\mathbb{F}_{p^2}^*$ is represented as a couple. Each component of the couple is evaluated at thesam...

7 | A comparison of CEILIDH and XTR
- Granger, Page, et al.
- 2004

Citation Context ...mall communications. This system also has the advantage of very efficient parameter generations. As shown in [26], the performance of XTR is competitive with RSA in software implementations, see also [7] for a performance comparison of XTR and an alternative compression method proposed in [22]. Mainly two kinds of implementation have to be distinguished: software and hardware. The latter generally al...

2 | Ikktwon Yie, Jaemoon Kim and Hongsub Lee. XTR Extended to GF($p^{6m}$)
- Lim, Kim
- 2001

1 | Koç and Ching Yu Hung. A Fast Algorithm for Modular Reduction
- Kaya
- 1998

Citation Context ...(using formulæ from App. A). if $m_j = 1$ then compute $S_{2k+1}(c)$ from $S_k(c)$ (using formulæ from App. A). $k \leftarrow 2k + m_j$ if $n$ is even then use $S_m(c)$ to compute $S_{m+1}(c)$ and $m \leftarrow m + 1$. return $S_n(c) = S_m(c)$ and Hung [9]. Based on these two algorithms, Section 3 presents the main results of this paper: implementation choices and performance obtained to compute an XTR exponentiation. We also make comparison between ha...