The XTR cryptosystem

1

• The XTR cryptosystem
• ECC Brainpool
• Workshop Alternative Public-Key-Kryptosysteme
• Bochum, 8.4.2002
• Dr. Kim Nguyen
• BU ID - Cryptology Competence Center
• Philips Semiconductors

2
What is XTR ?

• XTRECSTR !
• ECSTREfficient and Compact Subgroup Trace
  Representation
• ClassificationXTR is a DL based cryptosystem
  working incyclic subgroups of composite fields
  GF(p6)
• Relation to Digital Signature Algorithm
  (DSA)this works in cyclic subgroups of prime
  fields GF(p).

3
Subfields and Traces

• Consider factorization p6-1(p-1)(p1)(p2p1)(p2-
  p1).
• Consider prime q dividing p2-p1 and an element
  g of order q of GF(p6).
• The cyclic subgroup Cltggt of GF(p6) cannot be
  embedded into any subfield of GF(p6).
• Consider field extensions GF(p6) - GF(p2) -
  GF(p).
• Have Trace map Tr GF(p6) ? GF(p2), given
  by Tr(x)xxp2xp4
• Have Tr(x)? GF(p2) for x? GF(p6).

4
Subfields and TracesThe XTR idea

• Main idea use Trace map in order to represent a
  special element g of GF(p6) with 2log2(p)
  instead of 6log2(p) bitsby replacing g with
  Tr(g) ? GF(p2) !
• Questionnormally DL systems are based on
  exponentiation g?gn,is it possible to replace
  this by Tr(g) ?Tr(gn) ?
• AnswerXTR is based on the following
  observationcomputation of Tr(gn) is possible
  given only Tr(g) and n.

5
Comparison between GF(p2) and GF(p6)

• Assume p2 mod 3. So GF(p2)/GF(p) has ONB.
• Operations in GF(p2)
• xp is free
• x2 takes two multiplications in GF(p).
• xy takes three multiplications in GF(p).
• Due to p2 mod 3, GF(p6)/GF(p) has ONB.
• Operations in GF(p6) (assuming 1Sq0.8Mul)
• x2 takes 14.4 multiplications in GF(p).
• xy takes 18 multiplications in GF(p).
• xa takes around 23.4log2(a) multiplications in
  GF(p).
• xaxb takes around 27.9log2(max(a,b))
  multiplications in GF(p).

6
XTR computations

• Consider the polynomialF(c,x)x3- cx2cpx-1 for
  c ? GF(p2).
• For cTr(g) the roots h0,h1,h2 of F(c,x)
  correspond to the conjugates of g over GF(p2).
• Set cnh0nh1nh2n.
• Observationwe have cnTr(gn).
• Set Sn(c)(cn-1,cn,cn1).
• Main theorem Given c, one can compute Sn(c)
  using 8log2(n) multiplications in GF(p).

7
XTR computations

• Assume cTr(g).
• Then Tr(gn) can be computed in 8log2(n mod q)
  multiplications in GF(p).
• This compares to 23.4log2(q) multiplications in
  GF(p) for the generic approach.
• Trace approach gives speed up of factor three.
• Have Tr(gn) ? GF(p2) , whereas gn ? GF(p6),so
  space requirements also go down by a factor of
  three.

8
Example for a crypto protocolKey exchange using
XTR

• Public key data p,q,Tr(g).
• A chooses a at random and computesSa(Tr(g))(Tr(g
  a-1),Tr(ga),Tr(ga1)),then sends Tr(ga) to B.
• B chooses b at random and computesSb(Tr(g))(Tr(g
  b-1),Tr(gb),Tr(gb1)),then sends Tr(gb) to B.
• A computes Sa(Tr(gb))(Tr(g(a-1)b),Tr(gab),Tr(g(a
  1)b)).
• B computes Sb(Tr(ga))(Tr(g(b-1)a),Tr(gba),Tr(g(b
  1)a)).
• Common secret is Tr(gab).

9
Other cryptographic protocols

• For signature schemes we need operations like
  gagbk.
• There is also a XTR technique available
  whichcomputes Tr(gagbk) in about 16log2(q)
  multiplications in GF(p).
• This compares to 27.9log2(q) multiplications in
  the generic GF(p6) situation, hence speedup is
  around 1.75.

10
Security of XTR

• Obvious attacks on XTR could focus on
• The DL problem in GF(p6).
• The XTR subgroup ltggt of order q.
• To be secure against the first attack, p has to
  be chosen such that the size of p6 is gt1024
  bits(Number Field Sieve).
• To be secure against the second attack, q has to
  be chosen such that the size of q is gt170 bits
  (generic attacks).

11
Connection to elliptic curves

• Crypto 2000 (Rump-Session)Menezes and Vanstone
  point out, that there is a mapE(GF(p2)) ?
  GF(p6) induced by the Tate pairingfor
  E(GF(p2)) a certain supersingular curve of order
  p2-p1.
• Verheul (Eurocrypt 2001) arguesSuch a curve
  E(GF(p2)) is cryptographically weaker than
  GF(p6). In E(GF(p2)) the DDHP problem can be
  solved effectively (also using the Tate
  pairing), while this does not seem to hold for
  GF(p6).

12
Choice of parameters

• Finding p and q of bit size P and Q
• Find r such that qr2-r1 is prime and of size at
  least Q.
• Find k such that prkq is prime and of size at
  least P.
• Finding the XTR subgroup
• Naive approach find element g of order q,
  compute Tr(g).
• Sophisticated approach note that the knowledge
  of g is not necessary !It suffices to know
  Tr(g).
• Pick c? GF(p2) until you find that F(c,x) is
  irreducible.
• Pick a root of F(c,x) in order to obtain Tr(g)
  for some g of order q.

13
Performance comparison

• Implementation on 450MHz Pentium II
  (Lenstra,Verheul).
• Comparison 170 bit XTR 1020 bit RSA
  -----------------------------
  ---------------------------Encrypt/Verify 23 ms
  5ms (32 bit e) Decrypt/Sign 11 ms 40ms CRT /
  123ms
• Comparison 170 bit XTR 170 bit ECC GF(p)
  --------------------------
  ------------------------------Encrypt 23
  ms 28 msDecrypt 11 ms 16 msSign 11
  ms 14 msVerify 23 ms lt 21 ms

14
Conclusion

• Pros
• XTR is a very clever and efficient way of
  implementing DSA
• Parameter and key generation is both easy and
  fast.
• Cons
• Size of p6 scales subexponential due to GNFS.
• Size of public key smaller than RSA, but bigger
  than for ECC.