In cryptography, XTR is an algorithm for public-key encryption. XTR stands for 'ECSTR', which is an abbreviation for Efficient and Compact Subgroup Trace Representation. It is a method to represent elements of a subgroup of a multiplicative group of a finite field. To do so, it uses the trace over to represent elements of a subgroup of .
From a security point of view, XTR relies on the difficulty of solving Discrete Logarithm related problems in the full multiplicative group of a finite field. Unlike many cryptographic protocols that are based on the generator of the full multiplicative group of a finite field, XTR uses the generator of a relatively small subgroup of some prime order of a subgroup of . With the right choice of , computing Discrete Logarithms in the group, generated by , is, in general, as hard as it is in and thus cryptographic applications of XTR use arithmetics while achieving full security leading to substantial savings both in communication and computational overhead without compromising security. Some other advantages of XTR are its fast key generation, small key sizes and speed.
XTR uses a subgroup, commonly referred to as XTR subgroup or just XTR group, of a subgroup called XTR supergroup, of the multiplicative group of a finite field with elements. The XTR supergroup is of order , where p is a prime such that a sufficiently large prime q divides . The XTR subgroup has now order q and is, as a subgroup of , a cyclic group with generator g. The following three paragraphs will describe how elements of the XTR supergroup can be represented using an element of instead of an element of and how arithmetic operations take place in instead of in .
Let p be a prime such that p ≡ 2 mod 3 and p2 - p + 1 has a sufficiently large prime factor q. Since p2 ≡ 1 mod 3 we see that p generates and thus the third cyclotomic polynomial is irreducible over . It follows that the roots and form an optimal normal basis for over and
Considering that p ≡ 2 mod 3 we can reduce the exponents modulo 3 to get
The cost of arithmetic operations is now given in the following Lemma labeled Lemma 2.21 in "An overview of the XTR public key system": [1]
Lemma
The trace in XTR is always considered over . In other words, the conjugates of over are and and the trace of is their sum:
Note that since
Consider now the generator of the XTR subgroup of a prime order . Remember that is a subgroup of the XTR supergroup of order , so . In the following section we will see how to choose and , but for now it is sufficient to assume that . To compute the trace of note that modulo we have
and thus
The product of the conjugates of equals , i.e., that has norm 1.
The crucial observation in XTR is that the minimal polynomial of over
simplifies to
which is fully determined by . Consequently, conjugates of , as roots of the minimal polynomial of over , are completely determined by the trace of . The same is true for any power of : conjugates of are roots of polynomial
and this polynomial is completely determined by .
The idea behind using traces is to replace in cryptographic protocols, e.g. the Diffie–Hellman key exchange by and thus obtaining a factor of 3 reduction in representation size. This is, however, only useful if there is a quick way to obtain given . The next paragraph gives an algorithm for the efficient computation of . In addition, computing given turns out to be quicker than computing given . [1]
A. Lenstra and E. Verheul give this algorithm in their paper titled The XTR public key system in. [2] All the definitions and lemmas necessary for the algorithm and the algorithm itself presented here, are taken from that paper.
Definition For c in define
Definition Let denote the, not necessarily distinct, roots of in and let be in . Define
Properties of and
Lemma Let be given.
Definition Let .
Algorithm 1 for computation of given and
When these iterations finish, and . If n is even use to compute .
In order to take advantage of the above described representations of elements with their traces and furthermore ensure sufficient security, that will be discussed below, we need to find primes and , where denotes the characteristic of the field with and is the size of the subgroup, such that divides .
We denote with and the sizes of and in bits. To achieve security comparable to 1024-bit RSA, we should choose about 1024, i.e. and can be around 160.
A first easy algorithm to compute such primes and is the next Algorithm A:
Algorithm A
Algorithm A is very fast and can be used to find primes that satisfy a degree-two polynomial with small coefficients. Such lead to fast arithmetic operations in . In particular if the search for is restricted to , which means looking for an such that both are prime and such that , the primes have this nice form. Note that in this case must be even and .
On the other hand, such may be undesirable from a security point of view because they may make an attack with the Discrete Logarithm variant of the Number Field Sieve easier.
The following Algorithm B doesn't have this disadvantage, but it also doesn't have the fast arithmetic modulo Algorithm A has in that case.
Algorithm B
In the last paragraph we have chosen the sizes and of the finite field and the multiplicative subgroup of , now we have to find a subgroup of for some such that .
However, we do not need to find an explicit , it suffices to find an element such that for an element of order . But, given , a generator of the XTR (sub)group can be found by determining any root of which has been defined above. To find such a we can take a look at property 5 of here stating that the roots of have an order dividing if and only if is irreducible. After finding such we need to check if it really is of order , but first we focus on how to select such that is irreducible.
An initial approach is to select randomly which is justified by the next lemma.
Lemma:For a randomly selected the probability that is irreducible is about one third.
Now the basic algorithm to find a suitable is as follows:
Outline of the algorithm
It turns out that this algorithm indeed computes an element of that equals for some of order .
More details to the algorithm, its correctness, runtime and the proof of the Lemma can be found in "An overview of the XTR public key system" in. [1]
In this section it is explained how the concepts above using traces of elements can be applied to cryptography. In general, XTR can be used in any cryptosystem that relies on the (subgroup) Discrete Logarithm problem. Two important applications of XTR are the Diffie–Hellman key exchange and the ElGamal encryption. We will start first with Diffie–Hellman.
We suppose that both Alice and Bob have access to the XTR public key data and intend to agree on a shared secret key . They can do this by using the following XTR version of the Diffie–Hellman key exchange:
For the ElGamal encryption we suppose now that Alice is the owner of the XTR public key data and that she has selected a secret integer , computed and published the result. Given Alice's XTR public key data , Bob can encrypt a message , intended for Alice, using the following XTR version of the ElGamal encryption:
Upon receipt of , Alice decrypts the message in the following way:
The here described encryption scheme is based on a common hybrid version of the ElGamal encryption, where the secret key is obtained by an asymmetric public key system and then the message is encrypted with a symmetric key encryption method Alice and Bob agreed to.
In the more traditional ElGamal encryption the message is restricted to the key space, which would here be , because . The encryption in this case is the multiplication of the message with the key, which is an invertible operation in the key space .
Concretely this means if Bob wants to encrypt a message , first he has to convert it into an element of and then compute the encrypted message as . Upon receipt of the encrypted message Alice can recover the original message by computing , where is the inverse of in .
In order to say something about the security properties of the above explained XTR encryption scheme, first it is important to check the security of the XTR group, which means how hard it is to solve the Discrete Logarithm problem there. The next part will then state the equivalency between the Discrete Logarithm problem in the XTR group and the XTR version of the discrete logarithm problem, using only the traces of elements.
Let now be a multiplicative group of order . The security of the Diffie–Hellman protocol in relies on the Diffie–Hellman (DH) problem of computing . We write . There are two other problems related to the DH problem. The first one is the Diffie–Hellman Decision (DHD) problem to determine if for given and the second one is the Discrete Logarithm (DL) problem to find for a given .
The DL problem is at least as difficult as the DH problem and it is generally assumed that if the DL problem in is intractable, then so are the other two.
Given the prime factorization of the DL problem in can be reduced to the DL problem in all subgroups of with prime order due to the Pohlig–Hellman algorithm. Hence can safely be assumed to be prime.
For a subgroup of prime order of the multiplicative group of an extension field of for some , there are now two possible ways to attack the system. One can either focus on the whole multiplicative group or on the subgroup. To attack the multiplicative group the best known method is the Discrete Logarithm variant of the Number Field Sieve or alternatively in the subgroup one can use one of several methods that take operations in , such as Pollard's rho method.
For both approaches the difficulty of the DL problem in depends on the size of the minimal surrounding subfield of and on the size of its prime order . If itself is the minimal surrounding subfield of and is sufficiently large, then the DL problem in is as hard as the general DL problem in .
The XTR parameters are now chosen in such a way that is not small, is sufficiently large and cannot be embedded in a true subfield of , since and is a divisor of , but it does not divide and thus cannot be a subgroup of for . It follows that the DL problem in the XTR group may be assumed as hard as the DL problem in .
Cryptographic protocols that are based on Discrete Logarithms can use many different types of subgroups like groups of points of elliptic curves or subgroups of the multiplicative group of a finite field like the XTR group. As we have seen above the XTR versions of the Diffie–Hellman and ElGamal encryption protocol replace using elements of the XTR group by using their traces. This means that the security of the XTR versions of these encryption schemes is no longer based on the original DH, DHD or DL problems. Therefore, the XTR versions of those problems need to be defined and we will see that they are equivalent (in the sense of the next definition) to the original problems.
Definitions:
After introducing the XTR versions of these problems the next theorem is an important result telling us the connection between the XTR and the non-XTR problems, which are in fact equivalent. This implies that the XTR representation of elements with their traces is, as can be seen above, faster by a factor of 3 than the usual representation without compromising security.
TheoremThe following equivalencies hold:
This means that an algorithm solving either XTR-DL, XTR-DH or XTR-DHD with non-negligible probability can be transformed into an algorithm solving the corresponding non-XTR problem DL, DH or DHD with non-negligible probability and vice versa. In particular part ii. implies that determining the small XTR-DH key (being an element of ) is as hard as determining the whole DH key (being an element of ) in the representation group .
In computational complexity theory, bounded-error quantum polynomial time (BQP) is the class of decision problems solvable by a quantum computer in polynomial time, with an error probability of at most 1/3 for all instances. It is the quantum analogue to the complexity class BPP.
In mathematics, especially in the area of abstract algebra known as combinatorial group theory, the word problem for a finitely generated group is the algorithmic problem of deciding whether two words in the generators represent the same element of . The word problem is a well-known example of an undecidable problem.
Shor's algorithm is a quantum algorithm for finding the prime factors of an integer. It was developed in 1994 by the American mathematician Peter Shor. It is one of the few known quantum algorithms with compelling potential applications and strong evidence of superpolynomial speedup compared to best known classical (non-quantum) algorithms. On the other hand, factoring numbers of practical significance requires far more qubits than available in the near future. Another concern is that noise in quantum circuits may undermine results, requiring additional qubits for quantum error correction.
In quantum computing, Grover's algorithm, also known as the quantum search algorithm, is a quantum algorithm for unstructured search that finds with high probability the unique input to a black box function that produces a particular output value, using just evaluations of the function, where is the size of the function's domain. It was devised by Lov Grover in 1996.
In mathematics, a presentation is one method of specifying a group. A presentation of a group G comprises a set S of generators—so that every element of the group can be written as a product of powers of some of these generators—and a set R of relations among those generators. We then say G has presentation
Spectral methods are a class of techniques used in applied mathematics and scientific computing to numerically solve certain differential equations. The idea is to write the solution of the differential equation as a sum of certain "basis functions" and then to choose the coefficients in the sum in order to satisfy the differential equation as well as possible.
Multi-task learning (MTL) is a subfield of machine learning in which multiple learning tasks are solved at the same time, while exploiting commonalities and differences across tasks. This can result in improved learning efficiency and prediction accuracy for the task-specific models, when compared to training the models separately. Inherently, Multi-task learning is a multi-objective optimization problem having trade-offs between different tasks. Early versions of MTL were called "hints".
In group theory, the Pohlig–Hellman algorithm, sometimes credited as the Silver–Pohlig–Hellman algorithm, is a special-purpose algorithm for computing discrete logarithms in a finite abelian group whose order is a smooth integer.
The hidden subgroup problem (HSP) is a topic of research in mathematics and theoretical computer science. The framework captures problems such as factoring, discrete logarithm, graph isomorphism, and the shortest vector problem. This makes it especially important in the theory of quantum computing because Shor's algorithms for factoring and finding discrete logarithms in quantum computing are instances of the hidden subgroup problem for finite abelian groups, while the other problems correspond to finite groups that are not abelian.
In computational algebra, the Cantor–Zassenhaus algorithm is a method for factoring polynomials over finite fields.
In mathematics, the Cameron–Martin theorem or Cameron–Martin formula is a theorem of measure theory that describes how abstract Wiener measure changes under translation by certain elements of the Cameron–Martin Hilbert space.
In the mathematical subject of group theory, the rank of a groupG, denoted rank(G), can refer to the smallest cardinality of a generating set for G, that is
In the mathematical subject of group theory, small cancellation theory studies groups given by group presentations satisfying small cancellation conditions, that is where defining relations have "small overlaps" with each other. Small cancellation conditions imply algebraic, geometric and algorithmic properties of the group. Finitely presented groups satisfying sufficiently strong small cancellation conditions are word hyperbolic and have word problem solvable by Dehn's algorithm. Small cancellation methods are also used for constructing Tarski monsters, and for solutions of Burnside's problem.
In discrete mathematics, ideal lattices are a special class of lattices and a generalization of cyclic lattices. Ideal lattices naturally occur in many parts of number theory, but also in other areas. In particular, they have a significant place in cryptography. Micciancio defined a generalization of cyclic lattices as ideal lattices. They can be used in cryptosystems to decrease by a square root the number of parameters necessary to describe a lattice, making them more efficient. Ideal lattices are a new concept, but similar lattice classes have been used for a long time. For example, cyclic lattices, a special case of ideal lattices, are used in NTRUEncrypt and NTRUSign.
In statistics and physics, multicanonical ensemble is a Markov chain Monte Carlo sampling technique that uses the Metropolis–Hastings algorithm to compute integrals where the integrand has a rough landscape with multiple local minima. It samples states according to the inverse of the density of states, which has to be known a priori or be computed using other techniques like the Wang and Landau algorithm. Multicanonical sampling is an important technique for spin systems like the Ising model or spin glasses.
Quantum refereed game in quantum information processing is a class of games in the general theory of quantum games. It is played between two players, Alice and Bob, and arbitrated by a referee. The referee outputs the pay-off for the players after interacting with them for a fixed number of rounds, while exchanging quantum information.
In machine learning, the kernel embedding of distributions comprises a class of nonparametric methods in which a probability distribution is represented as an element of a reproducing kernel Hilbert space (RKHS). A generalization of the individual data-point feature mapping done in classical kernel methods, the embedding of distributions into infinite-dimensional feature spaces can preserve all of the statistical features of arbitrary distributions, while allowing one to compare and manipulate distributions using Hilbert space operations such as inner products, distances, projections, linear transformations, and spectral analysis. This learning framework is very general and can be applied to distributions over any space on which a sensible kernel function may be defined. For example, various kernels have been proposed for learning from data which are: vectors in , discrete classes/categories, strings, graphs/networks, images, time series, manifolds, dynamical systems, and other structured objects. The theory behind kernel embeddings of distributions has been primarily developed by Alex Smola, Le Song , Arthur Gretton, and Bernhard Schölkopf. A review of recent works on kernel embedding of distributions can be found in.
In mathematics, specifically group theory, a descendant tree is a hierarchical structure that visualizes parent-descendant relations between isomorphism classes of finite groups of prime power order , for a fixed prime number and varying integer exponents . Such groups are briefly called finitep-groups. The vertices of a descendant tree are isomorphism classes of finite p-groups.
Non-commutative cryptography is the area of cryptology where the cryptographic primitives, methods and systems are based on algebraic structures like semigroups, groups and rings which are non-commutative. One of the earliest applications of a non-commutative algebraic structure for cryptographic purposes was the use of braid groups to develop cryptographic protocols. Later several other non-commutative structures like Thompson groups, polycyclic groups, Grigorchuk groups, and matrix groups have been identified as potential candidates for cryptographic applications. In contrast to non-commutative cryptography, the currently widely used public-key cryptosystems like RSA cryptosystem, Diffie–Hellman key exchange and elliptic curve cryptography are based on number theory and hence depend on commutative algebraic structures.
In the mathematical subject of group theory, a one-relator group is a group given by a group presentation with a single defining relation. One-relator groups play an important role in geometric group theory by providing many explicit examples of finitely presented groups.