4.8 Conclusion and Open Problems

In this chapter we have shown how to take advantage of the quotient group to which a pairing value naturally belongs in order to speed up exponentiations, and to obtain fast compression of pairing values. We have also proposed some simple refinements to the Duursma-Lee algorithm to improve efficiency. Our results strongly indicate that there are definite advantages to implementing pairing-based cryptographic protocols in characteristic three: the often quoted value of ten for the ratio of the speed of a pairing evaluation to a point multiplication on the curve is really closer to three or four.

Some issues remain. One could certainly improve the exponentiation times for all three groups if there exists an efficiently computable ternary analogue of the Joint Sparse Form [147]. With regard to side channel attacks, such a method may be undesirable, since one cannot render cubing and multiplication in characteristic three fields indistinguishable without a serious detriment to performance. As such, a cube-and-multiply-always method using the exponent splitting of Method 4 will halve the cost of a secure full length exponentiation.

Also, the exact security of the discrete logarithm problem in characteristic three using the ternary analogue of Coppersmith's method has yet to be investigated [24, 25]. Preliminary research into this problem using Adleman's Function Field Sieve has been conducted (see Chapters 7 and 8), but the problem should still be considered open.

Lastly, do there exist methods for faster pairing evaluation using so-called MNT curves [104], which form a family of non-supersingular elliptic curves over large prime fields that also have embedding degree six? Work by Page, Smart and Vercauteren [118] indicates that which method works best depends on the application. Recently, however, special methods developed for supersingular curves [6, 30, 80] have to some extent been adapted to ordinary elliptic curves; see [63].

Chapter 5

Practical Cryptography in High Dimensional Tori

In this chapter we present practical and efficient methods for the compression of sequences of elements of arbitrary algebraic tori, which are asymptotically optimal with the number of elements to be transmitted.

This chapter represents joint work with Marten van Dijk, Dan Page, Karl Rubin, Alice Silverberg, Martijn Stam and David Woodruff, and appeared in [156].

5.1 Introduction

At Crypto 2004, van Dijk and Woodruff introduced a new way of using the algebraic tori $T_n$ in cryptography, and obtained an asymptotically optimal $n/\varphi(n)$ savings in bandwidth and storage for a number of cryptographic applications. However, the computational requirements of compression and decompression in their scheme were impractical, and it was left open to reduce them to a practical level. We give a new method that compresses orders of magnitude faster than the original, while also speeding up the decompression and improving on the compression factor (by a constant term). Further, we give the first efficient implementation that uses $T_{30}$, compare its performance to CEILIDH, XTR and ECC, and present new

for the compression of as few as two group elements. This allows us to apply our results to ElGamal encryption with a small message domain to obtain ciphertexts that are 10% smaller than in previous schemes.

Although $T_n$ is not known to be rational in general, van Dijk and Woodruff [157] show that one can obtain key agreement, signature and encryption schemes with a compression factor asymptotically $n/\varphi(n)$ as the number of keys, signatures, or messages grows, without relying on the rationality of $T_n$. The key property of tori they use is that $T_n$ is stably rational [161], i.e., for every $n$ there is an $m$ such that there is an “almost bijection”¹ between $T_n(\mathbb{F}_q) \times \mathbb{F}_q^m$ and $\mathbb{F}_q^{\varphi(n)+m}$.

Using the fact that $T_n$ is stably rational, van Dijk and Woodruff [157] developed bijections between $T_n(\mathbb{F}_q) \times \mathbb{F}_q^m$ and $\mathbb{F}_q^{\varphi(n)+m}$ with $m = \sum_{d \mid n,\ \mu(n/d) = -1} d$, where $\mu$ is the Möbius function, leading to asymptotically optimal $n/\varphi(n)$ savings in bandwidth and storage. However, a major drawback of their solution is its large computational requirements.

The present chapter gives a new and efficient construction of bijections between $T_n(\mathbb{F}_q) \times \mathbb{F}_q^m$ and $\mathbb{F}_q^{\varphi(n)+m}$ with significantly smaller $m$ than in [157], as well as an optimised implementation when $n = 30$. The latter builds upon the techniques developed in Chapter 3 to efficiently implement CEILIDH.

Note that n = 30 = 2 · 3 · 5 is the next cryptographically interesting case, since its compression is up to 20% better than that of systems based on n = 6.

In addition to our computational savings, in this case we are able to reduce the original affine surplus $m = 32$ [157] to $m = 2$. As we show, this reduction has immediate practical implications.

Since we are interested in the practicality of our construction, we perform timings for exponentiations, compression and decompression for both the new $T_{30}(\mathbb{F}_q)$ system and for a CEILIDH-based $T_6(\mathbb{F}_{q^L})$ system with $q^L \approx q^5$. For the equivalent of 1024-bit RSA security, the computational costs of the operations in both systems are comparable, while the compression of our scheme is better by a factor of $5/4 = (30/\varphi(30))/(6/\varphi(6))$.
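As an added worked example (not code from the thesis), the following Python evaluates the van Dijk-Woodruff surplus $m = \sum_{d \mid n,\ \mu(n/d)=-1} d$ and the $n/\varphi(n)$ factor, reproducing $m = 32$ for $n = 30$ and the $5/4$ ratio above. It assumes that $k$ elements of $T_n(\mathbb{F}_q)$ are sent as $k\varphi(n) + m$ field elements (the surplus paid once per sequence) and that CEILIDH on $T_6(\mathbb{F}_{q^5})$ costs ten $\mathbb{F}_q$-elements per group element, to show how many elements must be sent before $T_{30}$ wins for $m = 32$ versus $m = 2$.

```python
from fractions import Fraction
from math import gcd

def mobius(n):
    """Moebius mu(n): 0 if n has a square factor, else (-1)^(#distinct primes)."""
    k, p = 0, 2
    while p * p <= n:
        if n % p == 0:
            n //= p
            if n % p == 0:
                return 0
            k += 1
        else:
            p += 1
    if n > 1:
        k += 1
    return -1 if k % 2 else 1

def euler_phi(n):
    """Euler's totient phi(n), the dimension of T_n over F_q."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)

def affine_surplus(n):
    """van Dijk-Woodruff surplus m = sum of d | n with mu(n/d) = -1."""
    return sum(d for d in range(1, n + 1) if n % d == 0 and mobius(n // d) == -1)

def compression_factor(n):
    """Asymptotic saving n/phi(n) of T_n(F_q) relative to F_{q^n}."""
    return Fraction(n, euler_phi(n))

def fq_elements_sent(n, m, k):
    """F_q-elements to send k elements of T_n(F_q): k*phi(n) + m,
    assuming the surplus m is paid once per sequence."""
    return k * euler_phi(n) + m

def min_elements_to_beat(n, m, rival_cost):
    """Smallest k >= 1 with k*phi(n) + m < k*rival_cost, where rival_cost is
    the competing scheme's F_q-elements per group element; None if never."""
    phi = euler_phi(n)
    if phi >= rival_cost:
        return None
    k = 1
    while fq_elements_sent(n, m, k) >= k * rival_cost:
        k += 1
    return k

# Assumed: CEILIDH on T_6(F_{q^5}) sends phi(6) = 2 elements of F_{q^5} = 10 of F_q.
CEILIDH_COST_FQ = 2 * 5
```

With the original surplus $m = 32$ the torus only pays off from 17 elements onwards, whereas with $m = 2$ it already wins at two elements.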

The chapter is organised as follows. In Section 5.2 we describe the central idea behind the compression method of van Dijk and Woodruff [157]. In Section 5.3 we present our new mapping, and in Section 5.4 give some cryptographic applications. In Section 5.5 we show how to implement our mapping, and in Section 5.6 we present implementation results.

¹ The maps may be undefined on a small number of points.