## COMPRESSION IN FINITE FIELDS AND TORUS-BASED CRYPTOGRAPHY

Citations: 3 (0 self)

### BibTeX

```bibtex
@MISC{Rubin_compressionin,
  author = {K. Rubin and A. Silverberg},
  title = {COMPRESSION IN FINITE FIELDS AND TORUS-BASED CRYPTOGRAPHY},
  year = {}
}
```

### Abstract

This paper is dedicated to the memory of the cat Ceilidh.

We present efficient compression algorithms for subgroups of multiplicative groups of finite fields, we use our compression algorithms to construct efficient public key cryptosystems called T2 and CEILIDH, we disprove some conjectures, and we use the theory of algebraic tori to give a better understanding of our cryptosystems, the Lucas-based, XTR and Gong-Harn cryptosystems, and conjectured generalizations.

### Citations

468 | Introduction to commutative algebra
- Atiyah, Macdonald
- 1969
Citation Context: ...zation of A′ (resp., B′) at pA′ (resp., pB′). Then Frac(A′_(p)) = Frac(A′) = Q(A^8) ≠ Q(X_Γ) = Frac(B′) = Frac(B′_(p)). (10.2) Since A′_(p) is a Noetherian local domain of dimension one and its maximal ideal pA′_(p) is principal, by Proposition 9.2 of [1], A′_(p) is a principal ideal domain. It follows that B′_(p) is a free A′_(p)-module, of rank > 1 by (10.2). Thus F_p(x_1, . . . , x...

43 | Finite groups
- Huppert, Blackburn
- 1982
Citation Context: ...tive integer such that Φ_n(q) divides p^k − 1. Since Φ_n(q) divides q^n − 1, we have k ≤ mn. First suppose mn > 2. Since (n, q) ≠ (6, 2), it follows from a result of Zsigmondy (see Theorem 8.3, §IX of [14]) that Φ_{mn}(p) has a prime divisor ℓ that does not divide mn. By Lemma 4 of [27], mn is the order of p modulo ℓ. Since ℓ divides Φ_{mn}(p), which divides Φ_n(p^m), which divides p^k − 1, we have mn ≤ k. T...

32 | Public-key cryptosystems based on cubic finite field extensions
- Gong, Harn
- 1999
Citation Context: ...of F_q, rather than one element of F_{q^2}, thereby doubling the efficiency over Diffie-Hellman per unit of security against attacks on the discrete log problem in ⟨g⟩ ⊂ F_{q^2}^×. The Gong-Harn cryptosystem [10], which is based on linear feedback shift registers, can be viewed as using two symmetric functions to compress elements of G_{q,3} ⊂ F_{q^3}^×, namely the trace map Tr : F_{q^3} → F_q defined by Tr(x) = x + x^q ...

31 | On Small Characteristic Algebraic Tori in Pairing-Based Cryptography. In Cryptology ePrint Archive
- Granger, Page, et al.
- 2002
Citation Context: ...yptography take values in the algebraic tori considered here, our torus-based cryptography techniques can be used to improve the efficiency of pairing-based cryptography by compressing pairing values [33, 12]. In [31] we study analogues in the setting of elliptic curves and abelian varieties. 2. T2 compression and the T2-cryptosystem. Let n = 2 and let q be a prime power. One can write F_{q^2} = F_q(δ) for some...

27 | Doing more with fewer bits
- Brouwer, Pellikaan, et al.
- 1999
Citation Context: ...(with k = F_q and (F, L) = (F_{q^2}, F_{q^6}), (F_q, F_{q^3}), and (F_q, F_{q^2}), respectively). Theorem 9.11 below shows that in those cases, X_F is rational. Theorem 9.11 can be viewed as a rephrasing of a result in [5]. Phrasing Theorem 9.11 in terms of quotients of algebraic tori and birational isomorphisms makes precise the underlying mathematics. This was useful to us both in helping us find counterexamples in m...

27 | The function field sieve in the medium prime case
- Joux, Lercier
- 2006
Citation Context: ...has complexity O(√q)) when q is a sufficiently large fifth power (and therefore this attack applies also to subgroups of F_{q^{30}}^×), but has not been compared to index calculus attacks. Joux et al. [15, 16] recently obtained efficient variants of the function field and number field sieve that bring the complexity of these attacks on the discrete log problem in F_{p^n}^× to L_{p^n}(1/3) for all finite fields F_p...

22 | Using cyclotomic polynomials to construct efficient discrete logarithm cryptosystems over finite fields
- Lenstra
- 1997
Citation Context: ...heme over F_{q^n}. Examples of compression functions f that satisfy (i) above (but not (ii) or (iii)) are the trace functions used in the XTR and Lucas-based cryptosystems, which we now recall. (See also [19, 2].) Lucas-based cryptosystems [25, 39, 40, 34, 35, 3], including LUC, are based on Lucas functions [23]. One way to interpret them is that they compress elements of G_{q,2} ⊂ F_{q^2}^× using the trace map Tr...

21 | Index calculus for abelian varieties and the elliptic curve discrete logarithm problem. Cryptology ePrint Archive, Report 2004/073. Available from http://eprint.iacr.org/2004/073
- Gaudry
Citation Context: ...t of view that needs to be fleshed out and studied more fully. Gaudry introduced a new probabilistic index calculus attack on the discrete logarithm problem for abelian varieties in his 2004 preprint [9]. Granger-Vercauteren [13] did an analogue of Gaudry's attack for the multiplicative group G_m, which gives an attack on a subgroup of F_{q^6}^× whose order is a 160-bit prime that is faster than Pollard...

19 | Factoring with cyclotomic polynomials
- Bach, Shallit
- 1989
Citation Context: ...heme over F_{q^n}. Examples of compression functions f that satisfy (i) above (but not (ii) or (iii)) are the trace functions used in the XTR and Lucas-based cryptosystems, which we now recall. (See also [19, 2].) Lucas-based cryptosystems [25, 39, 40, 34, 35, 3], including LUC, are based on Lucas functions [23]. One way to interpret them is that they compress elements of G_{q,2} ⊂ F_{q^2}^× using the trace map Tr...

16 | Some remarks on Lucas-based cryptosystems
- Bleichenbacher, Bosma, et al.
- 1995
Citation Context: ...on functions f that satisfy (i) above (but not (ii) or (iii)) are the trace functions used in the XTR and Lucas-based cryptosystems, which we now recall. (See also [19, 2].) Lucas-based cryptosystems [25, 39, 40, 34, 35, 3], including LUC, are based on Lucas functions [23]. One way to interpret them is that they compress elements of G_{q,2} ⊂ F_{q^2}^× using the trace map Tr : F_{q^2} → F_q defined by Tr(x) = x + x^q. In Lucas-bas...

13 | Looking beyond XTR
- Bosma, Hutton, et al.
- 2002
Citation Context: ...for the elements of the subgroup of order q+1 in F_{q^2}^×. We use our compression algorithms to create efficient public key cryptosystems, called CEILIDH and T2. We also disprove some conjectures from [4] about efficient compression in F_{q^n}^×. In addition, we show that our compression algorithms, Lucas-based, XTR, Gong-Harn compression, and conjectural generalizations rely on the mathematical propert...

11 | Asymptotically optimal communication for torus-based cryptography
- Dijk, Woodruff
Citation Context: ...o represent elements of G_{q,n} in F_q^{ϕ(n)}, it does allow one to represent elements of G_{q,n} × F_q^r in F_q^{ϕ(n)+r} for a suitable r. In the language of the mathematical framework of this paper, the paper [8] of van Dijk and Woodruff can be viewed as a way to make clever use of the stable rationality of the algebraic tori T_n by encoding the message to be encrypted or signed in the extra affine piece A^r...

10 | On the discrete logarithm problem on algebraic tori
- Granger, Vercauteren
- 2005
Citation Context: ...e fleshed out and studied more fully. Gaudry introduced a new probabilistic index calculus attack on the discrete logarithm problem for abelian varieties in his 2004 preprint [9]. Granger-Vercauteren [13] did an analogue of Gaudry's attack for the multiplicative group G_m, which gives an attack on a subgroup of F_{q^6}^× whose order is a 160-bit prime that is faster than Pollard ρ (which has complexity O...

8 | On the factorization of cyclic groups
- G. de Bruijn
- 1955
Citation Context: ...iven by (4.3) (with V = G_m) restricts to an isomorphism T_{L/k} ≅ T_G (defined over L). The next result is used to prove Lemma 5.6 and Proposition 5.8 below. For a proof, see for example Theorem 1 of [6] or Theorem 2 of [32]. We thank D. Bernstein and H. Lenstra for pointing out these references. Lemma 5.5. For every positive integer n, Φ_n(x) and the set {(x^n − 1)/(x^t − 1) : t | n and 1 ≤ t ≠ n} gene...

8 | Practical cryptography in high dimensional tori
- Dijk, Granger, et al.
Citation Context: ...and F_q^s where r = Σ_{d | n, µ(n/d) = −1} d, s = Σ_{d | n, µ(n/d) = 1} d. In particular, this gave an "almost bijection" between G_{q,30} × F_q^{32} and F_q^{40}, from which they obtained public key cryptosystems. In [7], the rationality of T_6, the ideas of [8], and the polynomial identity Φ_n(x) · ∏_{i=2}^{r−1} Φ_{p_1···p_i}(x^{p_{i+2}···p_r}) = Φ_{p_1 p_2}(x^{p_3···p_r}), where n = p_1 ··· p_r is a product of r ≥ 2 distinct primes, are used...

8 | On the rationality of tori with cyclic splitting field, in Arithmetic and geometry of varieties, Kuybyshev Univ
- Klyachko
- 1988
Citation Context: ...if n = [L : k], there is a birational isomorphism over k between T_{L/k} and A^{ϕ(n)}. By work of Klyachko and Voskresenskiĭ, this conjecture is known to hold when n is a product of at most two prime powers ([17]; see also §6.3 of [36]). In §3.2 and §2 above we gave explicit birational isomorphisms in some cases where n = 6 and 2. A T_n-cryptosystem arises for every n for which Voskresenskiĭ's Conjecture is tr...

2 | Constructive and destructive facets of torus-based cryptography. Available from the author
- Kohel
- 2004
Citation Context: ...k = mn, as desired. If n = 1, then clearly k = m. If n = 2 and m = 1, then clearly k = 2. This gives (i). Part (ii) follows from (i) since |G_{q,n}| = Φ_n(q) and q^n = p^{mn}. □ In a 2004 preprint, Kohel [18] suggests attacking cryptography on G_{q,n} by using the fact that when n is odd and relatively prime to q, the tori T_n and T_{2n} are subschemes of the generalized Jacobian of a singular hyperelliptic curv...

1 | A comparison of CEILIDH
- Granger, Page, et al.
- 2004
Citation Context: ...6 and 2). This is especially useful for signature schemes. However XTR and LUC have computational efficiency advantages over CEILIDH and T2 (key agreement can be performed with fewer operations). See [11] for a comparison of CEILIDH and XTR. Since the pairings in pairing-based cryptography take values in the algebraic tori considered here, our torus-based cryptography techniques can be used to improve...