Capacity factor: Difference between revisions

In [[cryptography]], '''XTR''' is an [[algorithm]] for [[Public-key cryptography|public-key encryption]]. XTR stands for ‘ECSTR’, which is an abbreviation for Efficient and Compact Subgroup Trace Representation. It is a method to represent elements of a subgroup of a multiplicative [[Group (mathematics)|group]] of a [[finite field]]. To do so, it uses the [[Field trace|trace]] over <math>GF(p^2)</math> to represent elements of a subgroup of <math>GF(p^6)^*</math>.
 
From a security point of view, XTR relies on the difficulty of solving [[discrete logarithm|Discrete Logarithm]] related problems in the full multiplicative group of a finite field. Unlike many cryptographic protocols that are based on a generator of the full multiplicative group of a finite field, XTR uses a generator <math>g</math> of a relatively small subgroup of <math>GF(p^6)^*</math> of some prime order <math>q</math>. With the right choice of <math>q</math>, computing Discrete Logarithms in the group generated by <math>g</math> is, in general, as hard as it is in <math>GF(p^6)^*</math>, so cryptographic applications of XTR use <math>GF(p^2)</math> arithmetic while achieving full <math>GF(p^6)</math> security, leading to substantial savings both in communication and [[overhead (computing)|computational overhead]] without compromising security. Other advantages of XTR are its fast key generation, small key sizes and speed.
 
== Fundamentals of XTR ==
XTR uses a [[subgroup]], commonly referred to as the ''XTR subgroup'' or just the ''XTR group'', of a subgroup called the ''XTR supergroup'' of the multiplicative group of a [[finite field]] <math>GF(p^6)</math> with <math>p^6</math> elements. The XTR supergroup is of order <math>p^2-p+1</math>, where ''p'' is a prime such that a sufficiently large prime ''q'' divides <math>p^2-p+1</math>. The XTR subgroup then has order ''q'' and is, as a subgroup of <math>GF(p^6)^*</math>, a [[cyclic group]] <math>\langle g\rangle</math> with [[Group generator|generator]] ''g''. The following three sections describe how elements of the XTR supergroup can be represented using an element of <math>GF(p^2)</math> instead of an element of <math>GF(p^6)</math>, and how the arithmetic then takes place in <math>GF(p^2)</math> instead of in <math>GF(p^6)</math>.
 
===Arithmetic operations in <math>GF(p^2)</math> ===
Let ''p'' be a prime such that ''p''&nbsp;{{unicode|≡}}&nbsp;''2'' mod ''3'' and ''p<sup>2</sup> - p + 1'' has a sufficiently large prime factor ''q''. Since ''p<sup>2</sup>''&nbsp;{{unicode|≡}}&nbsp;''1'' mod ''3'' we see that ''p'' generates <math>(\mathbb{Z}/3\mathbb{Z})^*</math> and thus the third [[cyclotomic polynomial]]
<math>\Phi_3(x)=x^2+x+1</math>
is [[irreducible]] over <math>GF(p)</math>. It follows that the [[Root of a function|roots]] <math>\alpha</math> and <math>\alpha^p</math> form an optimal [[normal basis]] for <math>GF(p^2)</math> over <math>GF(p)</math> and
:<math>GF(p^2) \cong \{x_1 \alpha + x_2 \alpha^p : x_1, x_2 \in GF(p)\}.</math>
Considering that ''p'' {{unicode|≡}} ''2'' mod ''3'' we can reduce the exponents modulo ''3'' to get
:<math>GF(p^2) \cong \{y_1 \alpha + y_2 \alpha^2 : \alpha^2+\alpha+1=0, y_1, y_2 \in GF(p)\}.</math>
 
The cost of arithmetic operations is now given in the following Lemma labeled Lemma 2.21 in ''"An overview of the XTR public key system"'':<ref name="XTR-1">[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.104.2847&rep=rep1&type=pdf An overview of the XTR public key system]</ref>
 
'''Lemma'''
 
* Computing ''x''<sup>''p''</sup> is done without using multiplication (in the basis above, raising to the ''p''-th power simply swaps the two coordinates ''y<sub>1</sub>'' and ''y<sub>2</sub>'', because ''α<sup>p</sup> = α<sup>2</sup>'' and ''(α<sup>2</sup>)<sup>p</sup> = α'')
* Computing ''x''<sup>''2''</sup> takes two multiplications in <math>GF(p)</math>
* Computing ''xy'' takes three multiplications in <math>GF(p)</math>
* Computing ''xz-yz<sup>''p''</sup>'' takes four multiplications in <math>GF(p)</math>.
 
=== Traces over <math>GF(p^2)</math> ===
The [[Field trace|trace]] in XTR is always taken over <math>GF(p^2)</math>. That is, the [[Conjugate element (field theory)|conjugates]] of <math>h \in GF(p^6)</math> over <math>GF(p^2)</math> are <math>h, h^{p^2}</math> and <math>h^{p^4}</math>, and the trace of <math>h</math> is their sum:
:<math>Tr(h)=h + h^{p^2} + h^{p^4}.</math>
Note that <math>Tr(h) \in GF(p^2)</math> since
:<math>
\begin{align}
Tr(h)^{p^2} &= h^{p^2} + h^{p^4} + h^{p^6} \\
            &= h + h^{p^2} + h^{p^4} \\
            &= Tr(h)
\end{align}
</math>
 
Consider now the generator <math>g</math> of the XTR subgroup of prime order <math>q</math>. Remember that <math>\langle g\rangle</math> is a subgroup of the XTR supergroup of order <math>p^2-p+1</math>, so <math>q \mid p^2-p+1</math>. In the [[XTR#Finite_field_and_subgroup_size_selection|following section]] we will see how to choose <math>p</math> and <math>q</math>, but for now it is sufficient to assume that <math>q>3</math>. To compute the trace of <math>g</math> note that modulo <math>p^2-p+1</math> we have
:<math>p^2 \equiv p-1</math> and
:<math>p^4 \equiv (p-1)^2 = p^2 -2p +1 \equiv (p-1) - 2p + 1 = -p,</math>
and since the order of <math>g</math> divides <math>p^2-p+1</math>, exponents of <math>g</math> may be reduced modulo <math>p^2-p+1</math>. Thus
:<math>
\begin{align}
Tr(g) &= g + g^{p^2} + g^{p^4}\\
      &= g + g^{p-1} + g^{-p}.
\end{align}
</math>
Note also that the product of the conjugates of <math>g</math> equals <math>1</math>,
i.e., that <math>g</math> has [[field norm|norm]] 1.
 
The crucial observation in XTR is that the [[Minimal polynomial (field theory)|minimal polynomial]] of <math>g</math> over <math>GF(p^2)</math>
:<math>(x-g)\!\ (x-g^{p-1})(x-g^{-p})</math>
simplifies to
:<math>x^3-Tr(g)\!\ x^2 + Tr(g)^p x -1</math>
which is fully determined by <math>Tr(g)</math>. Consequently, the conjugates of <math>g</math>, as roots of the minimal polynomial of <math>g</math> over <math>GF(p^2)</math>, are completely determined by the trace of <math>g</math>. The same is true for any power of <math>g</math>: the conjugates of <math>g^n</math> are the roots of the polynomial
:<math>x^3-Tr(g^n)\!\ x^2 + Tr(g^n)^p x -1</math>
and this polynomial is completely determined by <math>Tr(g^n)</math>.
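
As an added check, not part of the original text, the simplification can be verified term by term using only the congruences <math>p^2 \equiv p-1</math> and <math>p^4 \equiv -p</math> modulo <math>p^2-p+1</math> established above. Expanding the product gives
:<math>(x-g)(x-g^{p-1})(x-g^{-p}) = x^3 - e_1 x^2 + e_2 x - e_3</math>
with
:<math>
\begin{align}
e_1 &= g + g^{p-1} + g^{-p} = Tr(g),\\
e_2 &= g\cdot g^{p-1} + g\cdot g^{-p} + g^{p-1}\cdot g^{-p} = g^{p} + g^{1-p} + g^{-1},\\
e_3 &= g\cdot g^{p-1}\cdot g^{-p} = g^{0} = 1.
\end{align}
</math>
On the other hand, raising the trace to the <math>p</math>-th power (which is additive in characteristic <math>p</math>) and reducing exponents modulo <math>p^2-p+1</math>,
:<math>
\begin{align}
Tr(g)^p &= g^{p} + g^{p(p-1)} + g^{-p^2} = g^{p} + g^{p^2-p} + g^{-p^2}\\
        &= g^{p} + g^{(p-1)-p} + g^{-(p-1)} = g^{p} + g^{-1} + g^{1-p},
\end{align}
</math>
which is exactly <math>e_2</math>. Hence <math>e_2 = Tr(g)^p</math> and <math>e_3 = 1</math> (the norm of <math>g</math>), so the minimal polynomial is <math>x^3-Tr(g)\!\ x^2 + Tr(g)^p x -1</math> as claimed.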
 
The idea behind using traces is to replace <math>g^n \in GF(p^6)</math> in cryptographic protocols, e.g. the [[Diffie-Hellman key exchange]], by <math>Tr(g^n) \in GF(p^2)</math>, thus obtaining a factor of 3 reduction in representation size. This is, however, only useful if there is a quick way to obtain <math>Tr(g^n)</math> given <math>Tr(g)</math>. The next section gives an algorithm for the efficient computation of <math>Tr(g^n)</math>. In addition, computing <math>Tr(g^n)</math> given <math>Tr(g)</math> turns out to be quicker than computing <math>g^n</math> given <math>g</math>.<ref name="XTR-1"/>
 
=== Algorithm for the quick computation of <math>Tr(g^n)</math> given <math>Tr(g)</math> ===
A. Lenstra and E. Verheul give this algorithm in their paper ''The XTR public key system''.<ref name="XTR-2">[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.95.4291&rep=rep1&type=pdf The XTR public key system]</ref> All the definitions and lemmas necessary for the algorithm, and the algorithm itself as presented here, are taken from that paper.
 
'''Definition''' For c in <math>GF(p^2)</math> define
:<math>F(c,X) = X^3 - cX^2 + c^pX - 1 \in GF(p^2)[X].</math>
 
'''Definition''' Let <math>h_0,\!\ h_1, h_2</math> denote the, not necessarily distinct, roots of <math>F(c,X)</math> in <math>GF(p^6)</math> and let <math>n</math> be in <math>\mathbb{Z}</math>. Define
:<math>c_n=h_0^n + h_1^n + h_2^n.</math>
 
'''Properties of <math>c_n</math> and <math>F(c,X)</math>'''  
# <math>c=c_1</math>
# <math>c_{-n}=c_{np}=c_n^p</math>
# <math>c_n \in GF(p^2) \text{ for } n \in \mathbb{Z}</math>
# <math>c_{u+v}=c_u c_v - c_v^p c_{u-v} + c_{u-2v} \text{ for } u, v \in \mathbb{Z}</math>
# Either all <math>h_j</math> have order dividing <math>p^2-p+1</math> and <math> > 3</math>, or all <math>h_j</math> are in <math>GF(p^2)</math>. In particular, <math>F(c,X)</math> is irreducible if and only if its roots have order dividing <math>p^2-p+1</math> and <math> > 3</math>.
# <math>F(c,X)</math> is reducible over <math>GF(p^2)</math> if and only if <math>c_{p+1} \in GF(p)</math>
 
'''Lemma'''
Let <math>c,\!\ c_{n-1}, c_n, c_{n+1}</math> be given.
# Computing <math>c_{2n}  = c_n^2 - 2c_n^p</math> takes two multiplications in <math>GF(p)</math>.
# Computing <math>c_{n+2}  = c_{n+1} \cdot c  - c^p \cdot c_n  + c_{n-1}</math> takes four multiplications in <math>GF(p)</math>.
# Computing <math>c_{2n-1} = c_{n-1} \cdot c_n - c^p \cdot c_n^p + c_{n+1}^p</math> takes four multiplications in <math>GF(p)</math>.
# Computing <math>c_{2n+1} = c_{n+1} \cdot c_n - c \cdot c_n^p  + c_{n-1}^p</math> takes four multiplications in <math>GF(p)</math>.
 
'''Definition''' Let <math>S_n(c)=(c_{n-1}, c_n, c_{n+1}) \in GF(p^2)^3</math>.
 
'''Algorithm 1 for computation of <math>S_n(c)</math> given <math>n</math> and <math>c</math>'''
* If <math>n<0</math> apply this algorithm to <math>-n</math> and <math>c</math>, and apply Property 2 to the resulting value.
* If <math>n=0</math>, then <math>S_0(c)\!\ =(c^p, 3, c) </math>.
* If <math>n=1</math>, then <math>S_1(c)\!\ =(3, c, c^2-2c^p) </math>.
* If <math>n=2</math>, use the computation of <math>c_{n+2}= c_{n+1} \cdot c  - c^p \cdot c_n  + c_{n-1}</math> and <math>S_1(c)</math> to find <math>c_3</math> and thereby <math>S_2(c)</math>.
* If <math>n>2</math>, to compute <math>S_n(c)</math> define
:::<math>\bar{S}_i(c) = S_{2i+1}(c)</math>
::and <math>\bar{m}=n</math> if n is odd and <math>\bar{m}=n-1</math> otherwise. Let <math>\bar{m}=2m+1, k=1</math> and compute <math>\bar{S}_k(c) = S_3(c)</math> using the Lemma above and <math>S_2(c)</math>. Let further
:::<math>m=\sum_{j=0}^r m_j 2^j</math>
::with <math>m_j \in \{0,1\}</math> and <math>m_r=1</math>. For <math>j=r-1, r-2, ..., 0</math> in succession, do the following:
::* If <math>m_j=0</math>, use <math>\bar{S}_k(c)</math> to compute <math>\bar{S}_{2k}(c)</math>.
::* If <math>m_j=1</math>, use <math>\bar{S}_k(c)</math> to compute <math>\bar{S}_{2k+1}(c)</math>.
::* Replace <math>k</math> by <math>2k + m_j</math>.
When these iterations finish, <math>k=m</math> and <math>S_{\bar{m}}(c) = \bar{S}_{m}(c)</math>. If <math>n</math> is odd this is <math>S_n(c)</math>. If <math>n</math> is even, then <math>n=\bar{m}+1</math>, so use the formula for <math>c_{n+2}</math> from the Lemma above to compute <math>c_{\bar{m}+2}</math> from <math>S_{\bar{m}}(c)</math>, which gives <math>S_{\bar{m}+1}(c)=S_n(c)</math>.
 
== Parameter selection ==
 
===Finite field and subgroup size selection===
 
In order to take advantage of the above described representations of elements with their traces and furthermore ensure sufficient security, that will be discussed [[XTR#Security|below]], we need to find primes <math>p</math> and <math>q</math>, where <math>p</math> denotes the [[characteristic (algebra)|characteristic]] of the field <math>GF(p^6)</math> with <math>p\equiv 2\ \text{mod}\ 3</math> and <math>q</math> is the size of the subgroup, such that <math> q</math> divides <math> p^2-p+1</math>.
 
We denote with <math>P</math> and <math>Q</math> the sizes of <math>p</math> and <math>q</math> in bits. To achieve security comparable to 1024-bit [[RSA (algorithm)|RSA]], we should choose <math>6P</math> about 1024, i.e. <math> P\approx 170</math> and <math>Q</math> can be around 160.
 
A first easy algorithm to compute such primes <math>p</math> and <math>q</math> is the next Algorithm A:
 
'''Algorithm A'''
 
# Find <math>r\in\mathbb{Z}</math> such that <math>q=r^2-r+1</math> is a <math>Q</math>-bit prime.
# Find <math>k\in\mathbb{Z}</math> such that <math>p=r+k\cdot q</math> is a <math>P</math>-bit prime with <math>p\equiv 2\ \text{mod}\ 3</math>.
 
:''Correctness of Algorithm A:''
 
:It remains to check that <math>q\mid p^2-p+1</math> because all the other necessary properties are obviously satisfied per definition of <math>p</math> and <math>q</math>. We easily see that <math>p^2-p+1=r^2+2rkq+k^2q^2-r-kq+1=r^2-r+1+q(2rk+k^2q-k)=q(1+2rk+k^2q-k)</math> which implies that <math>q\mid p^2-p+1</math>.
 
Algorithm A is very fast and can be used to find primes <math>p</math> that satisfy a degree-two polynomial with small coefficients. Such <math>p</math> lead to fast arithmetic operations in <math>GF(p)</math>.
In particular if the search for <math>k</math> is restricted to <math>k=1</math>, which means looking for an <math>r</math> such that both <math>r^2-r+1</math> and <math>p=r+q=r^2+1</math> are prime and such that <math>r^2+1\equiv 2 \text{ mod } 3</math>, the primes <math>p</math> have this nice form.
Note that in this case <math>r</math> must be even (otherwise <math>r^2+1</math> is even) and <math>r\equiv 1\text{ mod }3</math> (for <math>r\equiv 0 \text{ mod } 3</math> the condition <math>p\equiv 2 \text{ mod } 3</math> fails, and for <math>r\equiv 2 \text{ mod } 3</math> the number <math>r^2-r+1</math> is divisible by 3).
 
On the other hand such <math>p</math> may be undesirable from a security point of view because they may make an attack with the [[Discrete Logarithm]] variant of the [[Number Field Sieve]] easier.
 
The following Algorithm B doesn't have this disadvantage, but it also doesn't have the fast arithmetic modulo <math>p</math> Algorithm A has in that case.
 
'''Algorithm B'''
 
# Select a <math>Q</math>-bit prime <math>q</math> so that <math>q\equiv7\ \text{mod}\ 12</math>.
# Find the roots <math>r_1</math> and <math>r_2</math> of <math>X^2-X+1\ \text{mod}\ q</math>.
# Find a  <math>k\in\mathbb{Z}</math> such that <math>p=r_i+k\cdot q</math> is a <math>P</math>-bit prime with <math>p\equiv 2\ \text{mod}\ 3</math> for <math>i\in\{1,2\}</math>
 
:''Correctness of Algorithm B:''
:Since we chose  <math>q\equiv7\ \text{mod}\ 12</math> it follows immediately that  <math>q\equiv1\ \text{mod}\ 3</math> (because  <math>7\equiv1\ \text{mod}\ 3</math> and  <math>3\mid 12</math>). From that and [[quadratic reciprocity]] we can deduce that  <math>r_1</math> and <math>r_2</math> exist.
:To check that <math>q\mid p^2-p+1</math> we consider again <math>p^2-p+1</math> for <math>i\in\{1,2\}</math> and get <math>p^2-p+1=r_i^2+2r_ikq+k^2q^2-r_i-kq+1=(r_i^2-r_i+1)+q(2r_ik+k^2q-k)</math>. Since <math>r_1</math> and <math>r_2</math> are roots of <math>X^2-X+1</math> modulo <math>q</math>, the first summand is divisible by <math>q</math>, and hence <math>q\mid p^2-p+1</math>.
 
===Subgroup selection===
 
In the last section we have chosen <math>p</math> and <math>q</math>, the characteristic of the finite field <math>GF(p^6)</math> and the order of the multiplicative subgroup of <math>GF(p^6)^*</math>; now we have to find a subgroup <math>\langle g\rangle</math> of <math>GF\!\ (p^6)^*</math> for some <math>g\in GF(p^6)</math> such that <math>\mid\!\!\langle g\rangle\!\!\mid=q</math>.
 
However, we do not need to find an explicit <math>g\in GF(p^6)</math>, it suffices to find an element <math>c\in GF(p^2)</math> such that <math>c=Tr(g)</math> for an element <math>g\in GF(p^6)</math> of order <math>q</math>. But, given <math>Tr(g)</math>, a generator <math>g</math> of the XTR (sub)group can be found by determining any root of <math>F(Tr(g),\ X)</math> which has been defined [[XTR#Algorithm_for_quick_computation_of_Tr.28gn.29_given_Tr.28g.29|above]].
To find such a <math>c</math> we can use property 5 of <math>F(c,\ X)</math> [[XTR#Algorithm_for_quick_computation_of_Tr.28gn.29_given_Tr.28g.29|above]], stating that the roots of <math>F(c,\ X)</math> have an order dividing <math>p^2-p+1</math> (and greater than 3) if and only if <math>F(c,\ X)</math> is [[irreducible]]. After finding such a <math>c</math> we still need to check that the corresponding element really has order <math>q</math>, but first we focus on how to select <math>c\in GF(p^2)</math> such that <math>F(c,\ X)</math> is irreducible.
 
An initial approach is to select <math>c\in GF(p^2)\backslash GF(p)</math> randomly which is justified by the next lemma.
 
'''Lemma:''' ''For a randomly selected <math>c\in GF(p^2)</math> the probability that <math>F(c,\ X)=X^3-cX^2+c^pX-1\in GF(p^2)[X]</math> is irreducible is about one third.''
 
Now the basic algorithm to find a suitable <math>Tr(g)</math> is as follows:
 
'''Outline of the algorithm'''
 
# Pick a random <math>c\in GF(p^2)\backslash GF(p)</math>.
# If <math>F(c,\ X)</math> is reducible, then return to Step 1.
# Use Algorithm 1 to compute <math>d=c_{(p^2-p+1)/q}</math>.
# If <math>d</math> is not of order <math> q</math>, return to Step 1. Since the roots of <math>F(c,\ X)</math> have order dividing <math>p^2-p+1</math>, their <math>(p^2-p+1)/q</math>-th powers have order <math>1</math> or <math>q</math>, and the only element with trace <math>3</math> is <math>1</math> (because <math>F(3,\ X)=(X-1)^3</math>); so this check is simply <math>d=3</math>.
# Let <math>Tr(g)=d</math>.
 
It turns out that this algorithm indeed computes an element of <math>GF(p^2)</math> that equals <math>Tr(g)</math> for some <math>g\in GF(p^6)</math> of order <math>q</math>.
 
More details on the algorithm, its correctness and running time, and the proof of the Lemma can be found in ''"An overview of the XTR public key system"''.<ref name="XTR-1"/>
 
== Cryptographic schemes ==
 
In this section it is explained how the concepts above using traces of elements can be applied to cryptography. In general, XTR can be used in any cryptosystem that relies on the (subgroup) Discrete Logarithm problem. Two important applications of XTR are the [[Diffie-Hellman key agreement]] and the [[ElGamal encryption]]. We will start first with Diffie-Hellman.
 
=== XTR-DH key agreement ===
 
We suppose that both [[Alice and Bob]] have access to the XTR [[public key]] data <math>\left(p,q,Tr(g)\right)</math> and intend to agree on a [[shared secret]] [[secret key|key]] <math>K</math>. They can do this by using the following XTR version of the Diffie-Hellman key exchange:
 
# Alice picks <math>a\in\mathbb{Z}</math> randomly with <math>1<a<q-2</math>, computes with [[XTR#Algorithm_for_quick_computation_of_Tr.28gn.29_given_Tr.28g.29|Algorithm 1]] <math>S_a(Tr(g))=\left(Tr(g^{a-1}),Tr(g^a),Tr(g^{a+1})\right)\in GF(p^2)^3</math> and sends <math>Tr(g^a)\in GF(p^2)</math> to Bob.
# Bob receives <math>Tr(g^a)</math> from Alice, selects at random <math>b\in\mathbb{Z}</math> with <math>1<b<q-2</math>, applies Algorithm 1 to compute <math>S_b(Tr(g))=\left(Tr(g^{b-1}),Tr(g^b),Tr(g^{b+1})\right)\in GF(p^2)^3</math> and sends  <math>Tr(g^b)\in GF(p^2)</math> to Alice.
# Alice receives <math>Tr(g^b)</math> from Bob, computes with Algorithm 1 <math>S_a(Tr(g^b))=\left(Tr(g^{(a-1)b}),Tr(g^{ab}),Tr(g^{(a+1)b})\right)\in GF(p^2)^3</math> and determines <math>K</math> based on <math>Tr(g^{ab})\in GF(p^2)</math>.
# Bob analogously applies Algorithm 1 to compute <math>S_b(Tr(g^a))=\left(Tr(g^{a(b-1)}),Tr(g^{ab}),Tr(g^{a(b+1)})\right)\in GF(p^2)^3</math> and also determines <math>K</math> based on <math>Tr(g^{ab})\in GF(p^2)</math>.
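
The following is an added, runnable illustration of the pieces described so far; it is not code from the Lenstra and Verheul papers or from any XTR library, and every function name in it is the editor's own. It implements the <math>GF(p^2)</math> operations of the Lemma in the basis <math>\{\alpha,\alpha^2\}</math>, Algorithm 1 (as the same double-and-add ladder, but stepping through <math>S_{2k}</math> and <math>S_{2k+1}</math> directly rather than through the odd-indexed <math>\bar{S}_i</math> of the text), Algorithms A and B for choosing <math>p</math> and <math>q</math>, the outline for finding <math>Tr(g)</math> (using property 6 as the irreducibility test), and the XTR-DH exchange above. It also keeps a slow cross-check of Algorithm 1 via the linear recurrence for <math>c_{n+2}</math>. The parameter sizes are deliberately tiny so that trial-division primality testing is enough; they provide no security and are only meant to show the mechanics.

```python
# Toy XTR walkthrough, added here as an illustration; not code from Lenstra and Verheul's papers or
# from any XTR library.  An element of GF(p^2) is a pair (x1, x2) meaning x1*alpha + x2*alpha^2 with
# alpha^2 + alpha + 1 = 0, which needs p = 2 mod 3.  Sizes are tiny and give no security.
import random

def is_prime(n):                     # trial division; enough for the toy sizes used here
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))

# GF(p^2) in the basis {alpha, alpha^2}: the operations whose cost the Lemma counts
def gf_const(k, p):                  # k in GF(p) is -k*alpha - k*alpha^2, since 1 = -alpha - alpha^2
    return ((-k) % p, (-k) % p)
def gf_add(x, y, p):
    return ((x[0] + y[0]) % p, (x[1] + y[1]) % p)
def gf_sub(x, y, p):
    return ((x[0] - y[0]) % p, (x[1] - y[1]) % p)
def gf_frob(x, p):                   # x^p: alpha^p = alpha^2 because p = 2 mod 3, so Frobenius swaps coordinates
    return (x[1], x[0])
def gf_sq(x, p):                     # x^2 with two GF(p) multiplications
    return ((x[1] * (x[1] - 2 * x[0])) % p, (x[0] * (x[0] - 2 * x[1])) % p)
def gf_mul(x, y, p):                 # x*y with three GF(p) multiplications (Karatsuba trick)
    a, b = x[0] * y[0], x[1] * y[1]
    cross = (x[0] + x[1]) * (y[0] + y[1]) - a - b       # x1*y2 + x2*y1
    return ((b - cross) % p, (a - cross) % p)
def in_gfp(x):                       # x in GF(p)  <=>  x^p == x  <=>  x1 == x2
    return x[0] == x[1]

# Algorithm 1: S_n(c) = (c_{n-1}, c_n, c_{n+1}) from c = c_1 by a double-and-add ladder
def c_double(x, p):                  # c_{2n} = c_n^2 - 2*c_n^p
    f = gf_frob(x, p)
    return gf_sub(gf_sq(x, p), gf_add(f, f, p), p)
def _double(T, c, p):                # S_k -> S_{2k} via c_{2k-1}, c_{2k}, c_{2k+1} from the Lemma
    cm, ck, cp1 = T
    cP, ckP = gf_frob(c, p), gf_frob(ck, p)
    c2m = gf_add(gf_sub(gf_mul(cm, ck, p), gf_mul(cP, ckP, p), p), gf_frob(cp1, p), p)
    c2p = gf_add(gf_sub(gf_mul(cp1, ck, p), gf_mul(c, ckP, p), p), gf_frob(cm, p), p)
    return (c2m, c_double(ck, p), c2p)
def _double_plus_one(T, c, p):       # S_k -> S_{2k+1}: shift S_{2k} and append c_{2k+2} = c_{2(k+1)}
    _, c2, c2p = _double(T, c, p)
    return (c2, c2p, c_double(T[2], p))
def S_n(n, c, p):
    if n < 0:                        # Property 2: c_{-n} = c_n^p, so S_{-n} is S_n reversed and conjugated
        a, b, d = S_n(-n, c, p)
        return (gf_frob(d, p), gf_frob(b, p), gf_frob(a, p))
    if n == 0:
        return (gf_frob(c, p), gf_const(3, p), c)
    cur = (gf_const(3, p), c, c_double(c, p))                            # S_1(c)
    for bit in bin(n)[3:]:           # bits of n below its leading one, most significant first
        cur = _double_plus_one(cur, c, p) if bit == "1" else _double(cur, c, p)
    return cur
def trace_power(c, n, p):            # c_n, which equals Tr(g^n) whenever c = Tr(g)
    return S_n(n, c, p)[1]
def trace_power_naive(c, n, p):      # cross-check: apply c_{n+2} = c*c_{n+1} - c^p*c_n + c_{n-1} n times
    cm, c0, c1 = gf_frob(c, p), gf_const(3, p), c
    for _ in range(n):
        cm, c0, c1 = c0, c1, gf_add(gf_sub(gf_mul(c, c1, p), gf_mul(gf_frob(c, p), c0, p), p), cm, p)
    return c0

def _find_p(r, q, P):                # smallest p = r + k*q that is a P-bit prime with p = 2 mod 3, else None
    for k in range(1, (1 << P) // q + 1):
        p = r + k * q
        if p.bit_length() == P and p % 3 == 2 and is_prime(p):
            return p
def algorithm_a(P, Q):               # Algorithm A: q = r^2 - r + 1 a Q-bit prime, then p = r + k*q
    for r in range(2, 1 << (Q // 2 + 1)):
        q = r * r - r + 1
        if q.bit_length() == Q and is_prime(q) and (p := _find_p(r, q, P)):
            return p, q
    raise ValueError("no (p, q) of the requested sizes")
def algorithm_b(P, Q, rng):          # Algorithm B: random q = 7 mod 12, r a root of X^2 - X + 1 mod q
    while True:
        q = rng.randrange(1 << (Q - 1), 1 << Q)
        if q % 12 != 7 or not is_prime(q):
            continue
        s = pow(q - 3, (q + 1) // 4, q)              # sqrt(-3) mod q: q = 3 mod 4, and -3 is a square as q = 1 mod 3
        for r in ((1 + s) * ((q + 1) // 2) % q, (1 - s) * ((q + 1) // 2) % q):   # roots (1 +- sqrt(-3)) / 2
            if p := _find_p(r, q, P):
                return p, q

def find_trace_generator(p, q, rng): # subgroup selection outline: Tr(g) for some g of order q
    while True:
        c = (rng.randrange(p), rng.randrange(p))
        if in_gfp(c) or in_gfp(trace_power(c, p + 1, p)):   # c outside GF(p) and, by Property 6, F(c,X) irreducible
            continue
        d = trace_power(c, (p * p - p + 1) // q, p)          # trace of an element of order 1 or q
        if d != gf_const(3, p):                              # Tr(h) = 3 only for h = 1, as F(3,X) = (X-1)^3
            return d

def xtr_dh(p, q, tr_g, rng):         # XTR-DH: returns (Alice's key, Bob's key, Tr(g^{ab}) computed directly)
    a, b = rng.randrange(2, q - 2), rng.randrange(2, q - 2)           # 1 < a, b < q - 2
    tr_ga, tr_gb = trace_power(tr_g, a, p), trace_power(tr_g, b, p)   # the two values sent over the wire
    return trace_power(tr_gb, a, p), trace_power(tr_ga, b, p), trace_power(tr_g, a * b, p)

def demo(P=24, Q=16, seed=1, use_b=False):   # parameters, Tr(g), one key agreement; last item: keys agree?
    rng = random.Random(seed)
    p, q = algorithm_b(P, Q, rng) if use_b else algorithm_a(P, Q)
    tr_g = find_trace_generator(p, q, rng)
    k_alice, k_bob, k_direct = xtr_dh(p, q, tr_g, rng)
    return p, q, tr_g, k_alice == k_bob == k_direct
```

Running <code>demo()</code> returns <math>p</math>, <math>q</math>, <math>Tr(g)</math> and <code>True</code>: both parties compute the same <math>Tr(g^{ab})</math> from the other's transmitted trace, and it equals the value obtained directly from <math>Tr(g)</math>. Two details worth noticing when reading the code: the irreducibility test costs one run of Algorithm 1 with exponent <math>p+1</math>, and the order check reduces to comparing <math>d</math> with <math>Tr(1)=3</math>, so at no point is an element of <math>GF(p^6)</math> ever constructed.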
 
=== XTR ElGamal encryption ===
 
For the ElGamal encryption we suppose now that Alice is the owner of the XTR public key data <math>(p,q,Tr(g))</math> and that she has selected a secret [[integer]] <math>k</math>, computed <math>Tr(g^k)</math> and published the result.
Given Alice's XTR public key data <math>\left(p,q,Tr(g),Tr(g^k)\right)</math>, Bob can encrypt a message <math>M</math>, intended for Alice, using the following XTR version of the ElGamal encryption:
 
# Bob selects randomly a <math>b\in\mathbb{Z}</math> with <math>1<b<q-2</math> and computes with [[XTR#Algorithm_for_quick_computation_of_Tr.28gn.29_given_Tr.28g.29|Algorithm 1]] <math>S_b(Tr(g))=\left(Tr(g^{b-1}),Tr(g^b),Tr(g^{b+1})\right)\in GF(p^2)^3</math>.
# Bob next applies Algorithm 1 to compute <math>S_b(Tr(g^k))=\left(Tr(g^{(b-1)k}),Tr(g^{bk}),Tr(g^{(b+1)k})\right)\in GF(p^2)^3</math>.
# Bob determines a symmetric encryption key <math>K</math> based on <math>Tr(g^{bk})\in GF(p^2)</math>.
# Bob uses an agreed upon symmetric encryption method with key <math>K</math> to encrypt his message <math>M</math>, resulting in the encryption <math>E</math>.
# Bob sends <math>(Tr(g^b),\ E)</math> to Alice.
 
Upon receipt of <math>(Tr(g^b),\ E)</math>, Alice decrypts the message in the following way:
 
# Alice computes <math>S_k(Tr(g^b))=\left(Tr(g^{b(k-1)}),Tr(g^{bk}),Tr(g^{b(k+1)})\right)\in GF(p^2)^3</math>.
# Alice determines the symmetric key <math>K</math> based on <math>Tr(g^{bk})\in GF(p^2)</math>.
# Alice uses the agreed upon symmetric encryption method with key <math>K</math> to decrypt <math>E</math>, resulting in the original message <math>M</math>.
 
The encryption scheme described here is a common [[hybrid cryptosystem|hybrid]] version of the ElGamal encryption, where the secret key <math>K</math> is obtained from an [[asymmetric key|asymmetric public key]] system and the message is then encrypted with a [[symmetric key]] encryption method Alice and Bob agreed on. In practice <math>K</math> is not the raw value <math>Tr(g^{bk})</math> but is derived from it by a key derivation function, and the symmetric method should authenticate <math>E</math> as well as encrypt it, since nothing in the exchange above lets Alice detect a modified <math>E</math>.

In the more traditional ElGamal encryption the message is restricted to the key space, which would here be <math>GF(p^2)</math>, because <math>Tr(h)\in GF(p^2)</math> for every <math>h\in GF(p^6)</math>. The encryption in this case is the multiplication of the message with the key, which is an invertible operation in the key space <math>GF(p^2)</math>.

Concretely this means if Bob wants to encrypt a message <math>M\!\ '</math>, first he has to convert it into an element <math>M</math> of <math>GF(p^2)</math> and then compute the encrypted message <math>E</math> as <math>E=K\cdot M\in GF(p^2)</math>.
Upon receipt of the encrypted message <math>E</math> Alice can recover the original message <math>M</math> by computing <math>M=E\cdot K^{-1}</math>, where <math>K^{-1}</math> is the inverse of <math>K</math> in <math>GF(p^2)</math>. As with textbook ElGamal, this variant is malleable: replacing <math>E</math> by <math>E\cdot m</math> for any <math>m\in GF(p^2)^*</math> makes Alice recover <math>M\cdot m</math>, so it offers no integrity protection on its own.
 
==Security==
 
In order to say something about the security properties of the [[XTR#Cryptographic_schemes|above]] explained XTR encryption scheme, first it is important to check the security of the XTR group, which means how hard it is to solve the [[discrete logarithm|Discrete Logarithm problem]] there. The next part will then state the equivalency between the Discrete Logarithm problem in the XTR group and the XTR version of the discrete logarithm problem, using only the traces of elements.
 
===Discrete logarithms in a general <math>GF\left(p^t\right)</math>===
 
Let now <math>\langle \gamma\rangle</math> be a multiplicative group of order <math>\omega</math>. The security of the [[Diffie-Hellman|Diffie-Hellman protocol]] in <math>\langle \gamma\rangle</math> relies on the [[Diffie-Hellman problem|''Diffie-Hellman'' (DH) problem]] of computing <math>\gamma^{xy}\text{ given }\gamma, \gamma^x\text{ and }\gamma^y</math>. We write <math>DH(\gamma^x,\ \gamma^y)=\gamma^{xy}</math>.
There are two other problems related to the DH problem. The first one is the [[Decisional Diffie–Hellman assumption|''Diffie-Hellman Decision'' (DHD) problem]] to determine if <math>c=DH(a,b)</math> for given <math>a,b,c\in\langle\gamma\rangle</math> and the second one is the [[discrete logarithm problem|''Discrete Logarithm'' (DL) problem]] to find <math>x=DL(a)</math> for a given <math> a=\gamma^x\in\langle\gamma\rangle\text{ with }0\leq x<\omega</math>.
 
The DL problem is at least as difficult as the DH problem, and it is generally assumed that if the DL problem in <math>\langle \gamma\rangle</math> is intractable, then so are the other two.

Given the [[prime factorization]] of <math>\omega</math>, the DL problem in <math>\langle \gamma\rangle</math> can be reduced to the DL problems in the subgroups of <math>\langle \gamma\rangle</math> of prime order by the [[Pohlig-Hellman algorithm]]. Hence, without loss of generality, <math>\omega</math> may be assumed to be prime.
 
For a subgroup <math>\langle\gamma\rangle</math> of prime order <math>\omega</math> of the multiplicative group <math>GF\left(p^t\right)^*</math> of an extension field <math>GF(p^t)</math> of <math>GF(p)</math> for some <math>t</math>, there are now two possible ways to attack the system. One can either focus on the whole multiplicative group or on the subgroup. To attack the multiplicative group the best known method is the Discrete Logarithm variant of the [[Number Field Sieve]] or alternatively in the subgroup one can use one of several methods that take <math>\mathcal{O}(\sqrt{\omega})</math> operations in <math>\langle\gamma\rangle</math>, such as [[Pollard's rho algorithm|Pollard's rho method]].
 
For both approaches the difficulty of the DL problem in <math>\langle\gamma\rangle</math> depends on the size of the minimal surrounding subfield of <math>\langle\gamma\rangle</math> and on the size of its prime order <math>\omega</math>. If <math>GF\left(p^t\right)</math> itself is the minimal surrounding subfield of <math>\langle\gamma\rangle</math> and <math>\omega</math> is sufficiently large, then the DL problem in <math>\langle\gamma\rangle</math> is as hard as the general DL problem in <math>GF\left(p^t\right)</math>.
 
The XTR parameters are now chosen in such a way that <math>p</math> is not small, <math>q</math> is sufficiently large and <math>\langle g\rangle</math> cannot be embedded in a true subfield of <math>GF(p^6)</math>, since <math>q\mid p^2-p+1</math> and <math>p^2-p+1</math> is a divisor of <math>\mid\! GF(p^6)^*\! \mid=p^6-1</math>, but it does not divide <math>p^s-1\text{ for }s\in\{1,2,3\}</math> and thus <math>\langle g\rangle</math> cannot be a subgroup of <math>GF\!\ (p^s)^*</math> for <math>s\in\{1,2,3\}</math>.
It follows that the DL problem in the XTR group may be assumed as hard as the DL problem in <math>GF(p^6)</math>.
 
=== Security of XTR ===
 
Cryptographic protocols that are based on Discrete Logarithms can use many different types of subgroups like groups of points of [[elliptic curves]] or subgroups of the multiplicative group of a finite field like the XTR group.
As we have seen above the XTR versions of the Diffie-Hellman and ElGamal encryption protocol replace using elements of the XTR group by using their traces.
This means that the security of the XTR versions of these encryption schemes is no longer based on the original DH, DHD or DL problems.
Therefore the XTR versions of those problems need to be defined and we will see that they are equivalent (in the sense of the next definition) to the original problems.
 
'''Definitions:'''
*''We define the '''XTR-DH''' problem as the problem of computing <math>Tr(g^{xy})</math> given <math>Tr(g^x)</math> and <math>Tr(g^y)</math>, and we write <math>XDH(Tr(g^x),\ Tr(g^y))=Tr(g^{xy})</math>.''
*''The '''XTR-DHD''' problem is the problem of determining whether <math>XDH(a,b)=c</math> for <math>a,b,c\in Tr(\langle g\rangle)</math>.''
*''Given <math>a\in Tr(\langle g\rangle)</math>, the '''XTR-DL''' problem is to find <math>x=XDL(a)</math>, i.e. <math>0\leq x<q </math> such that <math> a=Tr(g^x)</math>.''
*'' We say that problem <math>\mathcal{A}</math> is (a,b)-equivalent to problem <math>\mathcal{B}</math>, if any instance of problem <math>\mathcal{A}</math> (or <math>\mathcal{B}</math>) can be solved by at most a (or b) calls to an algorithm solving problem <math>\mathcal{B}</math> (or <math>\mathcal{A}</math>).''
 
After introducing the XTR versions of these problems, the next theorem is an important result stating the connection between the XTR and the non-XTR problems: they are in fact equivalent. This implies that representing elements by their traces, which as seen above is three times more compact than the usual representation, does not compromise security.
 
'''Theorem'''  ''The following equivalencies hold:''
:''i. The '''XTR-DL''' problem is (1,1)-equivalent to the '''DL''' problem in <math>\langle g\rangle</math>.''
:''ii. The '''XTR-DH''' problem is (1,2)-equivalent to the '''DH''' problem in <math>\langle g\rangle</math>.''
:''iii. The '''XTR-DHD''' problem is (3,2)-equivalent to the '''DHD''' problem in <math>\langle g\rangle</math>.''
 
This means that an algorithm solving either XTR-DL, XTR-DH or XTR-DHD with non-negligible probability can be transformed into an algorithm solving the corresponding non-XTR problem DL, DH or DHD with non-negligible probability and vice versa.
In particular part ''ii.'' implies that determining the small XTR-DH key (an element of <math>GF(p^2)</math>) is as hard as determining the whole DH key (an element of <math>GF(p^6)</math>) in the group <math>\langle g \rangle</math>.
 
== References ==
* {{cite paper|first=Arjen K. | last = Lenstra | coauthors = Verheul, Eric R. | url=http://www.win.tue.nl/~klenstra/xtrsurvey.pdf|title=An overview of the XTR public key system|accessdate = 2008-03-22}}
* {{cite paper|first=Arjen K. | last = Lenstra | coauthors = Verheul, Eric R. | url=http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.95.4291&rep=rep1&type=pdf|title=The XTR public key system| accessdate = 2010-12-14}}
{{Reflist}}
 
{{Cryptography navbox | public-key}}
 
[[Category:Asymmetric-key algorithms]]
[[Category:Finite fields]]

Revision as of 21:41, 30 October 2013

In cryptography, XTR is an algorithm for public-key encryption. XTR stands for ‘ECSTR’, which is an abbreviation for Efficient and Compact Subgroup Trace Representation. It is a method to represent elements of a subgroup of a multiplicative group of a finite field. To do so, it uses the trace over GF(p2) to represent elements of a subgroup of GF(p6)*.

From a security point of view, XTR relies on the difficulty of solving Discrete Logarithm related problems in the full multiplicative group of a finite field. Unlike many cryptographic protocols that are based on the generator of the full multiplicative group of a finite field, XTR uses the generator g of a relatively small subgroup of some prime order q of a subgroup of GF(p6)*. With the right choice of q, computing Discrete Logarithms in the group, generated by g, is, in general, as hard as it is in GF(p6)* and thus cryptographic applications of XTR use GF(p2) arithmetics while achieving full GF(p6) security leading to substantial savings both in communication and computational overhead without compromising security. Some other advantages of XTR are its fast key generation, small key sizes and speed.

Fundamentals of XTR

XTR uses a subgroup, commonly referred to as XTR subgroup or just XTR group, of a subgroup called XTR supergroup, of the multiplicative group of a finite field GF(p6) with p6 elements. The XTR supergroup is of order p2p+1, where p is a prime such that a sufficiently large prime q divides p2p+1. The XTR subgroup has now order q and is, as a subgroup of GF(p6)*, a cyclic group g with generator g. The following three paragraphs will describe how elements of the XTR supergroup can be represented using an element of GF(p2) instead of an element of GF(p6) and how arithmetic operations take place in GF(p2) instead of in GF(p6).

Arithmetic operations in GF(p2)

Let <math>p</math> be a prime such that <math>p \equiv 2 \bmod 3</math> and <math>p^2-p+1</math> has a sufficiently large prime factor <math>q</math>. Since <math>p^2 \equiv 1 \bmod 3</math> we see that <math>p</math> generates <math>(\mathbb{Z}/3\mathbb{Z})^*</math> and thus the third cyclotomic polynomial <math>\Phi_3(x)=x^2+x+1</math> is irreducible over <math>GF(p)</math>. It follows that the roots <math>\alpha</math> and <math>\alpha^p</math> form an optimal normal basis for <math>GF(p^2)</math> over <math>GF(p)</math> and

<math>GF(p^2) \cong \{x_1\alpha + x_2\alpha^p : x_1, x_2 \in GF(p)\}.</math>

Considering that <math>p \equiv 2 \bmod 3</math> we can reduce the exponents modulo 3 to get

<math>GF(p^2) \cong \{y_1\alpha + y_2\alpha^2 : \alpha^2+\alpha+1=0,\ y_1, y_2 \in GF(p)\}.</math>

The cost of arithmetic operations is now given in the following Lemma labeled Lemma 2.21 in "An overview of the XTR public key system":[1]

Lemma

  • Computing <math>x^p</math> is done without using multiplication
  • Computing <math>x^2</math> takes two multiplications in <math>GF(p)</math>
  • Computing <math>xy</math> takes three multiplications in <math>GF(p)</math>
  • Computing <math>xz-yz^p</math> takes four multiplications in <math>GF(p)</math>.

Traces over <math>GF(p^2)</math>

The trace in XTR is always considered over <math>GF(p^2)</math>. In other words, the conjugates of <math>h \in GF(p^6)</math> over <math>GF(p^2)</math> are <math>h, h^{p^2}</math> and <math>h^{p^4}</math>, and the trace of <math>h</math> is their sum:

<math>Tr(h) = h + h^{p^2} + h^{p^4}.</math>

Note that <math>Tr(h) \in GF(p^2)</math> since

<math>Tr(h)^{p^2} = h^{p^2} + h^{p^4} + h^{p^6} = h + h^{p^2} + h^{p^4} = Tr(h).</math>

Consider now the generator <math>g</math> of the XTR subgroup of a prime order <math>q</math>. Remember that <math>\langle g \rangle</math> is a subgroup of the XTR supergroup of order <math>p^2-p+1</math>, so <math>q \mid p^2-p+1</math>. In the following section we will see how to choose <math>p</math> and <math>q</math>, but for now it is sufficient to assume that <math>q > 3</math>. To compute the trace of <math>g</math> note that modulo <math>p^2-p+1</math> we have

<math>p^2 \equiv p-1</math> and
<math>p^4 \equiv (p-1)^2 = p^2-2p+1 \equiv -p</math>

and thus

<math>Tr(g) = g + g^{p^2} + g^{p^4} = g + g^{p-1} + g^{-p}.</math>

Note also that the product of the conjugates of g equals 1, i.e., that g has norm 1.

The crucial observation in XTR is that the minimal polynomial of <math>g</math> over <math>GF(p^2)</math>

<math>(x-g)(x-g^{p-1})(x-g^{-p})</math>

simplifies to

<math>x^3 - Tr(g)x^2 + Tr(g)^p x - 1,</math>

which is fully determined by <math>Tr(g)</math>. Consequently, the conjugates of <math>g</math>, as roots of the minimal polynomial of <math>g</math> over <math>GF(p^2)</math>, are completely determined by the trace of <math>g</math>. The same is true for any power of <math>g</math>: the conjugates of <math>g^n</math> are roots of the polynomial

<math>x^3 - Tr(g^n)x^2 + Tr(g^n)^p x - 1</math>

and this polynomial is completely determined by <math>Tr(g^n)</math>.

The idea behind using traces is to replace <math>g^n \in GF(p^6)</math> in cryptographic protocols, e.g. the Diffie-Hellman key exchange, by <math>Tr(g^n) \in GF(p^2)</math>, thus obtaining a factor of 3 reduction in representation size. This is, however, only useful if there is a quick way to obtain <math>Tr(g^n)</math> given <math>Tr(g)</math>. The next paragraph gives an algorithm for the efficient computation of <math>Tr(g^n)</math>. In addition, computing <math>Tr(g^n)</math> given <math>Tr(g)</math> turns out to be quicker than computing <math>g^n</math> given <math>g</math>.[1]

Algorithm for the quick computation of <math>Tr(g^n)</math> given <math>Tr(g)</math>

A. Lenstra and E. Verheul give this algorithm in their paper titled The XTR public key system.[2] All the definitions and lemmas necessary for the algorithm, and the algorithm itself as presented here, are taken from that paper.

Definition For <math>c</math> in <math>GF(p^2)</math> define

<math>F(c,X) = X^3 - cX^2 + c^pX - 1 \in GF(p^2)[X].</math>

Definition Let <math>h_0, h_1, h_2</math> denote the, not necessarily distinct, roots of <math>F(c,X)</math> in <math>GF(p^6)</math> and let <math>n</math> be in <math>\mathbb{Z}</math>. Define

<math>c_n = h_0^n + h_1^n + h_2^n.</math>

Properties of <math>c_n</math> and <math>F(c,X)</math>

  1. <math>c = c_1</math>
  2. <math>c_{-n} = c_{np} = c_n^p</math>
  3. <math>c_n \in GF(p^2)</math> for <math>n \in \mathbb{Z}</math>
  4. <math>c_{u+v} = c_u c_v - c_v^p c_{u-v} + c_{u-2v}</math> for <math>u, v \in \mathbb{Z}</math>
  5. Either all <math>h_j</math> have order dividing <math>p^2-p+1</math> and <math>> 3</math>, or all <math>h_j</math> are in <math>GF(p^2)</math>. In particular, <math>F(c,X)</math> is irreducible if and only if its roots have order dividing <math>p^2-p+1</math> and <math>> 3</math>.
  6. <math>F(c,X)</math> is reducible over <math>GF(p^2)</math> if and only if <math>c_{p+1} \in GF(p)</math>

Lemma Let <math>c, c_{n-1}, c_n, c_{n+1}</math> be given.

  1. Computing <math>c_{2n} = c_n^2 - 2c_n^p</math> takes two multiplications in <math>GF(p)</math>.
  2. Computing <math>c_{n+2} = c \cdot c_{n+1} - c^p \cdot c_n + c_{n-1}</math> takes four multiplications in <math>GF(p)</math>.
  3. Computing <math>c_{2n-1} = c_{n-1} \cdot c_n - c^p \cdot c_n^p + c_{n+1}^p</math> takes four multiplications in <math>GF(p)</math>.
  4. Computing <math>c_{2n+1} = c_{n+1} \cdot c_n - c \cdot c_n^p + c_{n-1}^p</math> takes four multiplications in <math>GF(p)</math>.

Definition Let <math>S_n(c) = (c_{n-1}, c_n, c_{n+1}) \in GF(p^2)^3</math>.

Algorithm 1 for computation of <math>S_n(c)</math> given <math>n</math> and <math>c</math>

Define <math>\bar{S}_i(c) = S_{2i+1}(c)</math>, and <math>\bar{m} = n</math> if <math>n</math> is odd and <math>\bar{m} = n-1</math> otherwise. Let <math>\bar{m} = 2m+1</math>, <math>k = 1</math>, and compute <math>\bar{S}_k(c) = S_3(c)</math> using the Lemma above and <math>S_2(c)</math>. Let further
<math>m = \sum_{j=0}^{r} m_j 2^j</math>
with <math>m_j \in \{0,1\}</math> and <math>m_r = 1</math>. For <math>j = r-1, r-2, \ldots, 0</math> in succession, do the following:

When these iterations finish, <math>k = m</math> and <math>S_{\bar{m}}(c) = \bar{S}_m(c)</math>. If <math>n</math> is even, use <math>S_{\bar{m}}(c)</math> to compute <math>S_{\bar{m}+1}(c)</math>.

Parameter selection

Finite field and subgroup size selection

In order to take advantage of the above described representation of elements by their traces, and furthermore to ensure sufficient security, which is discussed below, we need to find primes <math>p</math> and <math>q</math>, where <math>p</math> denotes the characteristic of the field <math>GF(p^6)</math> with <math>p \equiv 2 \bmod 3</math> and <math>q</math> is the size of the subgroup, such that <math>q</math> divides <math>p^2-p+1</math>.

We denote by <math>P</math> and <math>Q</math> the sizes of <math>p</math> and <math>q</math> in bits. To achieve security comparable to 1024-bit RSA, we should choose <math>6P</math> about 1024, i.e. <math>P \approx 170</math>, and <math>Q</math> can be around 160.

A first easy algorithm to compute such primes p and q is the next Algorithm A:

Algorithm A

  1. Find <math>r</math> such that <math>q = r^2-r+1</math> is a <math>Q</math>-bit prime.
  2. Find <math>k</math> such that <math>p = r+kq</math> is a <math>P</math>-bit prime with <math>p \equiv 2 \bmod 3</math>.
Correctness of Algorithm A:
It remains to check that <math>q \mid p^2-p+1</math>, because all the other necessary properties are obviously satisfied by the definition of <math>p</math> and <math>q</math>. We easily see that <math>p^2-p+1 = r^2+2rkq+k^2q^2-r-kq+1 = r^2-r+1+q(2rk+k^2q-k) = q(1+2rk+k^2q-k)</math>, which implies that <math>q \mid p^2-p+1</math>.

Algorithm A is very fast and can be used to find primes <math>p</math> that satisfy a degree-two polynomial with small coefficients. Such <math>p</math> lead to fast arithmetic operations in <math>GF(p)</math>. In particular, if the search for <math>k</math> is restricted to <math>k = 1</math>, which means looking for an <math>r</math> such that both <math>r^2-r+1</math> and <math>r^2+1</math> are prime and such that <math>r^2+1 \equiv 2 \bmod 3</math>, the primes <math>p</math> have this nice form. Note that in this case <math>r</math> must be even and <math>r \equiv 1 \bmod 4</math>.

On the other hand such p may be undesirable from a security point of view because they may make an attack with the Discrete Logarithm variant of the Number Field Sieve easier.

The following Algorithm B doesn't have this disadvantage, but it also doesn't have the fast arithmetic modulo <math>p</math> that Algorithm A has in that case.

Algorithm B

  1. Select a <math>Q</math>-bit prime <math>q</math> so that <math>q \equiv 7 \bmod 12</math>.
  2. Find the roots <math>r_1</math> and <math>r_2</math> of <math>X^2-X+1 \bmod q</math>.
  3. Find a <math>k</math> such that <math>p = r_i+kq</math> is a <math>P</math>-bit prime with <math>p \equiv 2 \bmod 3</math> for <math>i \in \{1,2\}</math>.
Correctness of Algorithm B:
Since we chose <math>q \equiv 7 \bmod 12</math> it follows immediately that <math>q \equiv 1 \bmod 3</math> (because <math>7 \equiv 1 \bmod 3</math> and <math>3 \mid 12</math>). From that and quadratic reciprocity we can deduce that <math>r_1</math> and <math>r_2</math> exist.
To check that <math>q \mid p^2-p+1</math> we consider again <math>p^2-p+1</math> for <math>r_i</math>, <math>i \in \{1,2\}</math>, and get that <math>p^2-p+1 = r_i^2+2r_ikq+k^2q^2-r_i-kq+1 = r_i^2-r_i+1+q(2r_ik+k^2q-k)</math>. Since <math>r_1</math> and <math>r_2</math> are roots of <math>X^2-X+1</math> modulo <math>q</math>, the first summand <math>r_i^2-r_i+1</math> is divisible by <math>q</math>, and hence <math>q \mid p^2-p+1</math>.
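As an added example (not code from the XTR papers or from this page), the following Python runs Algorithm A and Algorithm B at toy bit sizes and checks the properties the text demands of the result. The names `is_probable_prime`, `find_k`, `algorithm_a`, `algorithm_b` and `check_params` are the example's own; primality is tested with a plain Miller-Rabin routine, which is adequate for a search at these sizes. The square root of <math>-3</math> used in Algorithm B exploits <math>q \equiv 3 \bmod 4</math> (a consequence of <math>q \equiv 7 \bmod 12</math>), which is why the roots of <math>X^2-X+1</math> can be written down without a general square-root algorithm.

```python
# Toy run of Algorithm A and Algorithm B above.  Constructed example code, not
# from the XTR papers: the bit sizes passed in are tiny so the search finishes
# instantly (real XTR needs P about 170 and Q about 160), and primality is
# checked with a plain Miller-Rabin routine instead of a library call.
import random

def is_probable_prime(n, rng, rounds=25):
    """Miller-Rabin primality test; probabilistic, adequate for this toy search."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def find_k(r, q, P_bits, rng, tries=200):
    """Last step of both algorithms: p = r + k*q, P bits, prime, p = 2 mod 3 (or None)."""
    k_lo = ((1 << (P_bits - 1)) - r) // q + 1      # smallest k giving a P-bit p
    k_hi = ((1 << P_bits) - r) // q                # largest k that can still fit
    if k_hi < k_lo:
        return None
    for _ in range(tries):
        k = rng.randrange(k_lo, k_hi + 1)
        p = r + k * q
        if p.bit_length() == P_bits and p % 3 == 2 and is_probable_prime(p, rng):
            return p
    return None

def algorithm_a(P_bits, Q_bits, seed=0):
    """Algorithm A: q = r^2 - r + 1 a Q-bit prime, then p = r + k*q."""
    rng = random.Random(seed)
    while True:
        r = rng.randrange(1 << ((Q_bits - 1) // 2), 1 << ((Q_bits + 1) // 2))
        q = r * r - r + 1                                  # step 1
        if q.bit_length() != Q_bits or not is_probable_prime(q, rng):
            continue
        p = find_k(r, q, P_bits, rng)                      # step 2
        if p is not None:
            return p, q

def algorithm_b(P_bits, Q_bits, seed=0):
    """Algorithm B: q = 7 mod 12 prime, r a root of X^2 - X + 1 mod q, p = r + k*q."""
    rng = random.Random(seed)
    while True:
        q = rng.randrange(1 << (Q_bits - 1), 1 << Q_bits)
        q += (7 - q) % 12                                  # step 1: force q = 7 mod 12
        if q.bit_length() != Q_bits or not is_probable_prime(q, rng):
            continue
        # step 2: q = 1 mod 3 makes -3 a square mod q, and q = 3 mod 4 lets us
        # take its root as (-3)^((q+1)/4); the roots of X^2 - X + 1 are (1 +/- s)/2
        s = pow(-3 % q, (q + 1) // 4, q)
        half = pow(2, -1, q)
        for r in ((1 + s) * half % q, (1 - s) * half % q):
            assert (r * r - r + 1) % q == 0
            p = find_k(r, q, P_bits, rng)                  # step 3
            if p is not None:
                return p, q

def check_params(p, q, P_bits, Q_bits, seed=0):
    """The properties the text requires of (p, q): sizes, p = 2 mod 3, both prime, q | p^2-p+1."""
    rng = random.Random(seed)
    return (p.bit_length() == P_bits and q.bit_length() == Q_bits and p % 3 == 2
            and is_probable_prime(p, rng) and is_probable_prime(q, rng)
            and (p * p - p + 1) % q == 0)
```

`check_params` is the acceptance test a practitioner would keep: it does not trust the search, it re-derives every requirement from <math>(p, q)</math> alone, so the same check also validates the toy pair <math>p = 11</math>, <math>q = 37</math> (with <math>p^2-p+1 = 111 = 3 \cdot 37</math>) that is handy for experiments.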

Subgroup selection

In the last paragraph we have chosen the sizes <math>p</math> and <math>q</math> of the finite field <math>GF(p^6)</math> and of the multiplicative subgroup of <math>GF(p^6)^*</math>; now we have to find a subgroup <math>\langle g \rangle</math> of <math>GF(p^6)^*</math> for some <math>g \in GF(p^6)</math> such that <math>|\langle g \rangle| = q</math>.

However, we do not need to find an explicit <math>g \in GF(p^6)</math>; it suffices to find an element <math>c \in GF(p^2)</math> such that <math>c = Tr(g)</math> for an element <math>g \in GF(p^6)</math> of order <math>q</math>. Given <math>Tr(g)</math>, a generator <math>g</math> of the XTR (sub)group can be found by determining any root of <math>F(Tr(g),X)</math>, which has been defined above. To find such a <math>c</math> we can take a look at property 5 of <math>F(c,X)</math> above, stating that the roots of <math>F(c,X)</math> have an order dividing <math>p^2-p+1</math> if and only if <math>F(c,X)</math> is irreducible. After finding such a <math>c</math> we need to check if it really is of order <math>q</math>, but first we focus on how to select <math>c \in GF(p^2)</math> such that <math>F(c,X)</math> is irreducible.

An initial approach is to select <math>c \in GF(p^2) \setminus GF(p)</math> randomly, which is justified by the next lemma.

Lemma: For a randomly selected <math>c \in GF(p^2)</math> the probability that <math>F(c,X) = X^3 - cX^2 + c^pX - 1 \in GF(p^2)[X]</math> is irreducible is about one third.

Now the basic algorithm to find a suitable Tr(g) is as follows:

Outline of the algorithm

  1. Pick a random <math>c \in GF(p^2) \setminus GF(p)</math>.
  2. If <math>F(c,X)</math> is reducible, then return to Step 1.
  3. Use Algorithm 1 to compute <math>d = c_{(p^2-p+1)/q}</math>.
  4. If <math>d</math> is not of order <math>q</math>, return to Step 1.
  5. Let <math>Tr(g) = d</math>.

It turns out that this algorithm indeed computes an element of <math>GF(p^2)</math> that equals <math>Tr(g)</math> for some <math>g \in GF(p^6)</math> of order <math>q</math>.

More details on the algorithm, its correctness, runtime and the proof of the Lemma can be found in "An overview of the XTR public key system".[1]

Cryptographic schemes

In this section it is explained how the concepts above using traces of elements can be applied to cryptography. In general, XTR can be used in any cryptosystem that relies on the (subgroup) Discrete Logarithm problem. Two important applications of XTR are the Diffie-Hellman key agreement and the ElGamal encryption. We will start first with Diffie-Hellman.

XTR-DH key agreement

We suppose that both Alice and Bob have access to the XTR public key data <math>(p, q, Tr(g))</math> and intend to agree on a shared secret key <math>K</math>. They can do this by using the following XTR version of the Diffie-Hellman key exchange:

  1. Alice picks <math>a</math> randomly with <math>1 < a < q-2</math>, computes with Algorithm 1 <math>S_a(Tr(g)) = (Tr(g^{a-1}), Tr(g^a), Tr(g^{a+1})) \in GF(p^2)^3</math> and sends <math>Tr(g^a) \in GF(p^2)</math> to Bob.
  2. Bob receives <math>Tr(g^a)</math> from Alice, selects at random <math>b</math> with <math>1 < b < q-2</math>, applies Algorithm 1 to compute <math>S_b(Tr(g)) = (Tr(g^{b-1}), Tr(g^b), Tr(g^{b+1})) \in GF(p^2)^3</math> and sends <math>Tr(g^b) \in GF(p^2)</math> to Alice.
  3. Alice receives <math>Tr(g^b)</math> from Bob, computes with Algorithm 1 <math>S_a(Tr(g^b)) = (Tr(g^{(a-1)b}), Tr(g^{ab}), Tr(g^{(a+1)b})) \in GF(p^2)^3</math> and determines <math>K</math> based on <math>Tr(g^{ab}) \in GF(p^2)</math>.
  4. Bob analogously applies Algorithm 1 to compute <math>S_b(Tr(g^a)) = (Tr(g^{a(b-1)}), Tr(g^{ab}), Tr(g^{a(b+1)})) \in GF(p^2)^3</math> and also determines <math>K</math> based on <math>Tr(g^{ab}) \in GF(p^2)</math>.
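The pieces above fit together in one small program. As an added example (not code from the XTR papers or from this page), the Python below implements the <math>GF(p^2)</math> arithmetic of the Lemma on costs (basis <math>\{\alpha, \alpha^2\}</math>, with <math>x^p</math> a free coordinate swap), the <math>c_n</math> ladder built from the four formulas of the Lemma on <math>c_{2n}, c_{n+2}, c_{2n-1}, c_{2n+1}</math> (written as a plain double-and-add over the bits of <math>n</math>, which is equivalent to Algorithm 1 but avoids its <math>\bar{S}</math> bookkeeping), the irreducibility test of property 6, the outline of the subgroup selection algorithm, and the XTR-DH exchange. The constructed parameters <math>p = 11</math>, <math>q = 37</math> (so <math>p^2-p+1 = 111 = 3 \cdot 37</math>) are toy-sized so that every claim can be checked exhaustively; the names `F2`, `ladder`, `traces_by_recurrence`, `is_irreducible`, `has_root_in_gf_p2`, `select_trace` and `xtr_dh` are the example's own.

```python
# Toy XTR in GF(p^2): the basis {alpha, alpha^2} with alpha^2 + alpha + 1 = 0,
# the operations of the cost Lemma, the S_n(c) ladder (Algorithm 1 in its
# double-and-add form), the subgroup selection outline and XTR-DH.  Constructed
# example, not code from the XTR papers; p = 11 is far too small for real use
# and is chosen only so that every claim can be checked exhaustively.
import random

P = 11                    # p = 2 mod 3 (constructed toy value)
N = P * P - P + 1         # 111 = order of the XTR supergroup
Q = 37                    # prime factor of p^2 - p + 1 = 3 * 37: XTR subgroup order

class F2:
    """Element y1*alpha + y2*alpha^2 of GF(p^2) with coordinates mod p."""
    __slots__ = ("a", "b")

    def __init__(self, a, b):
        self.a, self.b = a % P, b % P

    def __eq__(self, o):
        return (self.a, self.b) == (o.a, o.b)

    def __add__(self, o):
        return F2(self.a + o.a, self.b + o.b)

    def __sub__(self, o):
        return F2(self.a - o.a, self.b - o.b)

    def frob(self):
        """x^p: alpha^p = alpha^2 and (alpha^2)^p = alpha, so just swap coordinates."""
        return F2(self.b, self.a)

    def sq(self):
        """x^2 with two GF(p) multiplications (uses alpha^3 = 1, 1 = -alpha - alpha^2)."""
        return F2(self.b * (self.b - 2 * self.a), self.a * (self.a - 2 * self.b))

    def __mul__(self, o):
        """x*y with three GF(p) multiplications (Karatsuba on the cross term)."""
        aa, bb = self.a * o.a, self.b * o.b
        cross = (self.a + self.b) * (o.a + o.b) - aa - bb
        return F2(bb - cross, aa - cross)

    def in_gf_p(self):
        """GF(p) is spanned by 1 = -alpha - alpha^2, i.e. equal coordinates."""
        return self.a == self.b

def const(k):
    """The integer k viewed as an element of GF(p) inside GF(p^2)."""
    return F2(-k, -k)

THREE = const(3)          # c_0 = Tr(1) = 3

def ladder(n, c):
    """S_n(c) = (c_{n-1}, c_n, c_{n+1}) from c = c_1, using the Lemma's doubling formulas."""
    if n == 0:
        return (c.frob(), THREE, c)          # c_{-1} = c^p by property 2
    cp = c.frob()
    A, B, C = THREE, c, c.sq() - (cp + cp)   # S_1 = (c_0, c_1, c_2)
    for bit in bin(n)[3:]:                   # remaining bits of n, most significant first
        Bp, Cp = B.frob(), C.frob()
        c2k_1 = A * B - cp * Bp + Cp         # c_{2k-1} = c_{k-1} c_k - c^p c_k^p + c_{k+1}^p
        c2k = B.sq() - (Bp + Bp)             # c_{2k}   = c_k^2 - 2 c_k^p
        c2k1 = C * B - c * Bp + A.frob()     # c_{2k+1} = c_{k+1} c_k - c c_k^p + c_{k-1}^p
        if bit == "0":
            A, B, C = c2k_1, c2k, c2k1                  # S_{2k}
        else:
            A, B, C = c2k, c2k1, C.sq() - (Cp + Cp)     # S_{2k+1}, c_{2k+2} by doubling c_{k+1}
    return (A, B, C)

def traces_by_recurrence(c, n):
    """c_0..c_n via c_{k+2} = c c_{k+1} - c^p c_k + c_{k-1}: a slow cross-check of ladder()."""
    cp = c.frob()
    seq = [THREE, c, c.sq() - (cp + cp)]
    while len(seq) <= n:
        seq.append(c * seq[-1] - cp * seq[-2] + seq[-3])
    return seq

def is_irreducible(c):
    """Property 6: F(c, X) is reducible over GF(p^2) iff c_{p+1} lies in GF(p)."""
    return not ladder(P + 1, c)[1].in_gf_p()

def has_root_in_gf_p2(c):
    """Brute force: a cubic is reducible over GF(p^2) iff it has a root there."""
    cp = c.frob()
    for a in range(P):
        for b in range(P):
            x = F2(a, b)
            if x.sq() * x - c * x.sq() + cp * x - const(1) == F2(0, 0):
                return True
    return False

def select_trace(seed=0):
    """Outline of the algorithm: returns d = Tr(g) for some g of order Q."""
    rng = random.Random(seed)
    while True:
        c = F2(rng.randrange(P), rng.randrange(P))          # step 1
        if c.in_gf_p() or not is_irreducible(c):           # step 2
            continue
        d = ladder(N // Q, c)[1]                           # step 3: d = c_{(p^2-p+1)/q}
        if d != THREE and ladder(Q, d)[1] == THREE:        # step 4: roots of F(d,X) have order q
            return d                                       # step 5

def xtr_dh(trg, a, b):
    """XTR-DH: returns (Alice's Tr(g^ab), Bob's Tr(g^ab)) from the exchanged Tr(g^a), Tr(g^b)."""
    tra, trb = ladder(a, trg)[1], ladder(b, trg)[1]        # the two messages on the wire
    return ladder(a, trb)[1], ladder(b, tra)[1]
```

Two checks are worth running on any implementation of this kind: the fast ladder must agree with the slow linear recurrence <math>c_{n+2} = c\,c_{n+1} - c^p c_n + c_{n-1}</math> for every <math>n</math>, and the property 6 test must agree with brute-force root finding over all of <math>GF(p^2)</math>. For <math>p = 11</math> exactly 36 of the 121 values of <math>c</math> give an irreducible <math>F(c,X)</math> (the 108 supergroup elements of order 37 or 111 fall into 36 conjugate triples), which matches the "about one third" of the lemma above. Both parties in `xtr_dh` obtain <math>Tr(g^{ab})</math> because the roots of <math>F(Tr(g^b), X)</math> are the conjugates of <math>g^b</math>, so applying the ladder to <math>Tr(g^b)</math> with exponent <math>a</math> yields <math>Tr(g^{ab})</math>.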

XTR ElGamal encryption

For the ElGamal encryption we suppose now that Alice is the owner of the XTR public key data <math>(p, q, Tr(g))</math> and that she has selected a secret integer <math>k</math>, computed <math>Tr(g^k)</math> and published the result. Given Alice's XTR public key data <math>(p, q, Tr(g), Tr(g^k))</math>, Bob can encrypt a message <math>M</math>, intended for Alice, using the following XTR version of the ElGamal encryption:

  1. Bob selects randomly a <math>b</math> with <math>1 < b < q-2</math> and computes with Algorithm 1 <math>S_b(Tr(g)) = (Tr(g^{b-1}), Tr(g^b), Tr(g^{b+1})) \in GF(p^2)^3</math>.
  2. Bob next applies Algorithm 1 to compute <math>S_b(Tr(g^k)) = (Tr(g^{(b-1)k}), Tr(g^{bk}), Tr(g^{(b+1)k})) \in GF(p^2)^3</math>.
  3. Bob determines a symmetric encryption key <math>K</math> based on <math>Tr(g^{bk}) \in GF(p^2)</math>.
  4. Bob uses an agreed upon symmetric encryption method with key <math>K</math> to encrypt his message <math>M</math>, resulting in the encryption <math>E</math>.
  5. Bob sends <math>(Tr(g^b), E)</math> to Alice.

Upon receipt of <math>(Tr(g^b), E)</math>, Alice decrypts the message in the following way:

  1. Alice computes <math>S_k(Tr(g^b)) = (Tr(g^{b(k-1)}), Tr(g^{bk}), Tr(g^{b(k+1)})) \in GF(p^2)^3</math>.
  2. Alice determines the symmetric key <math>K</math> based on <math>Tr(g^{bk}) \in GF(p^2)</math>.
  3. Alice uses the agreed upon symmetric encryption method with key <math>K</math> to decrypt <math>E</math>, resulting in the original message <math>M</math>.

The encryption scheme described here is based on a common hybrid version of the ElGamal encryption, where the secret key <math>K</math> is obtained by an asymmetric public key system and the message is then encrypted with a symmetric key encryption method Alice and Bob agreed on.

In the more traditional ElGamal encryption the message is restricted to the key space, which would here be <math>GF(p^2)</math>, because <math>Tr(g) \in GF(p^2)</math> for all <math>g \in GF(p^6)^*</math>. The encryption in this case is the multiplication of the message with the key, which is an invertible operation in the key space <math>GF(p^2)</math>.

Concretely this means that if Bob wants to encrypt a message <math>M</math>, he first has to convert it into an element <math>M</math> of <math>GF(p^2)</math> and then compute the encrypted message <math>E</math> as <math>E = K \cdot M \in GF(p^2)</math>. Upon receipt of the encrypted message <math>E</math>, Alice can recover the original message <math>M</math> by computing <math>M = E \cdot K^{-1}</math>, where <math>K^{-1}</math> is the inverse of <math>K</math> in <math>GF(p^2)</math>.

Security

In order to say something about the security properties of the above explained XTR encryption scheme, first it is important to check the security of the XTR group, which means how hard it is to solve the Discrete Logarithm problem there. The next part will then state the equivalency between the Discrete Logarithm problem in the XTR group and the XTR version of the discrete logarithm problem, using only the traces of elements.

Discrete logarithms in a general <math>GF(p^t)</math>

Let now <math>\langle \gamma \rangle</math> be a multiplicative group of order <math>\omega</math>. The security of the Diffie-Hellman protocol in <math>\langle \gamma \rangle</math> relies on the Diffie-Hellman (DH) problem of computing <math>\gamma^{xy}</math> given <math>\gamma, \gamma^x</math> and <math>\gamma^y</math>. We write <math>DH(\gamma^x, \gamma^y) = \gamma^{xy}</math>. There are two other problems related to the DH problem. The first one is the Diffie-Hellman Decision (DHD) problem to determine if <math>c = DH(a, b)</math> for given <math>a, b, c \in \langle \gamma \rangle</math>, and the second one is the Discrete Logarithm (DL) problem to find <math>x = DL(a)</math> for a given <math>a = \gamma^x \in \langle \gamma \rangle</math> with <math>0 \le x < \omega</math>.

The DL problem is at least as difficult as the DH problem, and it is generally assumed that if the DL problem in <math>\langle \gamma \rangle</math> is intractable, then so are the other two.

Given the prime factorization of <math>\omega</math>, the DL problem in <math>\langle \gamma \rangle</math> can be reduced to the DL problem in all subgroups of <math>\langle \gamma \rangle</math> with prime order due to the Pohlig-Hellman algorithm. Hence <math>\omega</math> can safely be assumed to be prime.

For a subgroup <math>\langle \gamma \rangle</math> of prime order <math>\omega</math> of the multiplicative group <math>GF(p^t)^*</math> of an extension field <math>GF(p^t)</math> of <math>GF(p)</math> for some <math>t</math>, there are now two possible ways to attack the system. One can either focus on the whole multiplicative group or on the subgroup. To attack the multiplicative group the best known method is the Discrete Logarithm variant of the Number Field Sieve; alternatively, in the subgroup one can use one of several methods that take <math>\mathcal{O}(\sqrt{\omega})</math> operations in <math>\langle \gamma \rangle</math>, such as Pollard's rho method.

For both approaches the difficulty of the DL problem in <math>\langle \gamma \rangle</math> depends on the size of the minimal surrounding subfield of <math>\langle \gamma \rangle</math> and on the size of its prime order <math>\omega</math>. If <math>GF(p^t)</math> itself is the minimal surrounding subfield of <math>\langle \gamma \rangle</math> and <math>\omega</math> is sufficiently large, then the DL problem in <math>\langle \gamma \rangle</math> is as hard as the general DL problem in <math>GF(p^t)</math>.

The XTR parameters are now chosen in such a way that <math>p</math> is not small, <math>q</math> is sufficiently large and <math>\langle g \rangle</math> cannot be embedded in a true subfield of <math>GF(p^6)</math>: since <math>q \mid p^2-p+1</math> and <math>p^2-p+1</math> is a divisor of <math>|GF(p^6)^*| = p^6-1</math> but does not divide <math>p^s-1</math> for <math>s \in \{1,2,3\}</math>, <math>\langle g \rangle</math> cannot be a subgroup of <math>GF(p^s)^*</math> for <math>s \in \{1,2,3\}</math>. It follows that the DL problem in the XTR group may be assumed to be as hard as the DL problem in <math>GF(p^6)</math>.

Security of XTR

Cryptographic protocols that are based on Discrete Logarithms can use many different types of subgroups like groups of points of elliptic curves or subgroups of the multiplicative group of a finite field like the XTR group. As we have seen above the XTR versions of the Diffie-Hellman and ElGamal encryption protocol replace using elements of the XTR group by using their traces. This means that the security of the XTR versions of these encryption schemes is no longer based on the original DH, DHD or DL problems. Therefore the XTR versions of those problems need to be defined and we will see that they are equivalent (in the sense of the next definition) to the original problems.

Definitions:

After introducing the XTR versions of these problems the next theorem is an important result telling us the connection between the XTR and the non-XTR problems, which are in fact equivalent. This implies that the XTR representation of elements with their traces is, as can be seen above, faster by a factor of 3 than the usual representation without compromising security.

Theorem The following equivalencies hold:

i. The XTR-DL problem is (1,1)-equivalent to the DL problem in <math>\langle g \rangle</math>.
ii. The XTR-DH problem is (1,2)-equivalent to the DH problem in <math>\langle g \rangle</math>.
iii. The XTR-DHD problem is (3,2)-equivalent to the DHD problem in <math>\langle g \rangle</math>.

This means that an algorithm solving either XTR-DL, XTR-DH or XTR-DHD with non-negligible probability can be transformed into an algorithm solving the corresponding non-XTR problem DL, DH or DHD with non-negligible probability, and vice versa. In particular, part ii. implies that determining the small XTR-DH key (an element of <math>GF(p^2)</math>) is as hard as determining the whole DH key (an element of <math>GF(p^6)</math>) in the representation group <math>\langle g \rangle</math>.

References

  1. A. Lenstra, E. Verheul, "An overview of the XTR public key system".
  2. A. Lenstra, E. Verheul, "The XTR public key system".
