 # A group law for PKC purposes

Let F be a field, let V=F^3, and let A V→ V a linear map. The polynomial P(x)= (x_1I+x_2A+x_3A^2) does not depend on A but only on its characteristic polynomial χ(X). A law of composition ⊕ V× V → V is defined and it induces an Abelian group law on FP^2∖ P^-1(0). The cubic P^-1(0) is irreducible if and only if χ is irreducible in F[X], and in this case the group law ⊕ is cyclic.

## Authors

##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## 1 Introduction

Let be a field and let us consider a linear endomorphism

of the vector space

. We define the polynomial , where . The polynomial is homogeneous of degree , and does not depend on , but only on the characteristic polynomial of .

A new group law is proposed , which induces an Abelian group law on . The computation of the group law is carried out by means of a single set of formulas, involving coefficients from the base field, which are applicable to any element of the group, with no exception whatsoever.

If the characteristic polynomial is irreducible in , then . In this case, the group law extends to the whole set ; moreover, if the base field is a finite field , with characteristic different from or , then the group is proved to be cyclic.

The latter property permits us to apply the notion of discrete logarithm to the group . If we fix a generator , then any element of the group is the addition of with itself a finite number of times, say , so that . The number is the logarithm of to the base .

Given any element , and a generator of the group, the discrete logarithm problem, or DLP, consists in finding the smallest integer , such that . In this work, we prove that the DLP over with a proper choice of the generator is equivalent to the DLP over the multiplicative group .

Popular current cryptosystems are based on the discrete logarithm problem over different groups, such as the group of invertible elements in a finite field, or the group of points of an elliptic curve with the addition of points as group operation. Our proposal could fit perfectly well in the same niche.

As is the case for analogous public key protocols, the users of the presented proposal agree to a single base field but each one of them is allowed to select at will any (irreducible) polynomial

 χ(X)=X3−c1X2−c2X−c3,c1,c2,c3∈Fq.

The public system parameters consist of the base field , the coefficients , and the generator .

## 2 The group law defined

###### Lemma 2.1.

Let be a field and let be the vector space . If is a linear map such that the endomorphisms are linearly independent, then the homogeneous cubic polynomial does not depend on the matrix but only on the coefficients of its characteristic polynomial .

###### Proof.

Let be the algebraic closure of . As the endomorphisms are linearly independent, the annihilator polynomial of coincides with by virtue of the Cayley-Hamilton theorem. Hence there exists a basis of such that the matrix of in this basis equals one of the following three matrices:

 (1) M1 = ⎛⎜⎝α1000α2000α3⎞⎟⎠, M2 = ⎛⎜⎝α1000α2001α2⎞⎟⎠, M3 = ⎛⎜⎝α1001α1001α1⎞⎟⎠,

and from a simple calculation we obtain

 P(x) = det(x1I+x2Mi+x3(Mi)2) = −c2x1(x2)2+[(c2)2−2(c1c3)]x1(x3)2+c1(x1)2x2 +[(c1)2+2c2](x1)2x3−(c2c3)x2(x3)2+(c1c3)(x2)2x3 −(c1c2+3c3)x1x2x3+(x1)3+c3(x2)3+(c3)2(x3)3,

for every . ∎

###### Theorem 2.2.

Every linear map such that the endomorphisms are linearly independent, induces a law of composition

 ⊕:V×V→V,(x,y)↦z=x⊕y,

by the following formula:

 (3) z1I+z2A+z3A2=(x1I+x2A+x3A2)(y1I+y2A+y3A2),

where , , .

Moreover, the set of elements such that for some element coincides with the set , and induces a group law

 ⊕:(F3∖P−1(0))×(F3∖P−1(0))→(F3∖P−1(0)).

If denotes the projective cubic curve defined by , then the group law also induces a group law

 ⊕:(FP2∖C)×(FP2∖C)→FP2∖C.
###### Proof.

As , and

 A2⋅A2 =A⋅A3 =(c1c3)I+(c1c2+c3)A+[(c1)2+c2]A2,

from the formula in (3) it follows:

 (4)

In matrix notation, these formulas can equivalently be written as

 ⎛⎜⎝z1z2z3⎞⎟⎠=⎛⎜⎝x1c3x3c1c3x3+c3x2x2x1+c2x3c2x2+c3x3+c1c2x3x3x2+c1x3x1+(c1)2x3+c1x2+c2x3⎞⎟⎠⎛⎜⎝y1y2y3⎞⎟⎠,

and as a simple computation shows, the determinant of the linear system above is equal to , where is defined by the formula (2). Hence , for some , if and only if .

The commutativity of is a direct consequence of the invariance of the formula (4) under the substitutions , , .

Moreover, the formula (3) can also be written as follows:

 (x⊕y)1I+(x⊕y)2A+(x⊕y)3A2=(x1I+x2A+x3A2)(y1I+y2A+y3A2).

From the associativity of the composition law of endomorphisms we deduce

 (x⊕(y⊕z))1I+(x⊕(y⊕z))2A+(x⊕(y⊕z))3A2=(x1I+x2A+x3A2)⋅((y1I+y2A+y3A2)⋅(z1I+z2A+z3A2))=((x1I+x2A+x3A2)⋅(y1I+y2A+y3A2))⋅(z1I+z2A+z3A2)=((x⊕y)⊕z)1I+((x⊕y)⊕z)2A+((x⊕y)⊕z)3A2.

Hence , .

From (4) it follows that the unit element is the point , which does not belong to since .

By taking determinants in the equation (3) we obtain

 P(x⊕y)=P(x)P(y),∀x,y∈V.

Therefore the opposite element of exists and it is given by the following formulas:

 y1=c1x1x2+[(c1)2+2c2]x1x3−(c3+c1c2)x2x3+(x1)2−c2(x2)2+[(c2)2−c1c3](x3)2P(x),y2=−x1x2+(c1)2x2x3+c1(x2)2−(c1c2+c3)(x3)2P(x),y3=−x1x3+c1x2x3+(x2)2−c2(x3)2P(x).

Finally, if , are replaced by , , respectively, with , then transforms into , thus proving that the group law projects onto . ∎

###### Remark 2.3.

Note that the equations in (4), allowing one to compute the group operation in terms of the coefficients in the ground field, are applicable to any element of the group, with no exception at all.

###### Remark 2.4.

If , , , then from (2) we obtain , . Hence and belong to if and only if , i.e., when is invertible.

## 3 The basic cubic

###### Proposition 3.1.

Let be the polynomial introduced in Lemma 2.1 and let . If is the norm of the extension , then a point belongs to the cubic curve defined in Theorem 2.2 if and only if . In particular, if is irreducible in , then has no point in .

Moreover, the polynomial is irreducible in if and only if the cubic is irreducible.

###### Proof.

Every induces a -linear endomorphism given by , , and from the very definition of the norm we have . As a computation shows, we obtain , thus proving the first part of the statement. Moreover, is irreducible if and only if is a field and then the norm is injective, thus proving the second part of the statement.

Finally, if factors in , say , with , then we have

 P(x)=[(x1)2+(k2−2l)x1x3+l(x2)2−klx2x3+l2(x3)2−kx1x2][x1+hx2+h2x3].

Conversely, if is irreducible in , then according to Proposition 3.1, the only solution to the cubic equation is . Hence must be irreducible, as a reducible cubic admits non-trivial solutions in the ground field. ∎

###### Corollary 3.2.

If the characteristic polynomial of is irreducible in

, then there is no linear transformation

reducing the polynomial defined in (2) to Weierstrass form.

###### Proof.

Replacing by , , in (2) we obtain a cubic , which is in Weierstrass form (see [14, §2.1]) if and only if the coefficients , , and of the terms , , and , respectively, vanish. As a computation shows, we have , and we can conclude by applying Proposition 3.1. ∎

## 4 Cyclicity

###### Theorem 4.1.

If is a finite field of characteristic different from or and the polynomial introduced in Lemma 2.1 is irreducible in , then the group is cyclic.

###### Proof.

Since , the polynomial is separable and in its splitting field we have , the roots , , being pairwise distinct, and in a certain basis of the matrix of is given by the formula (1). As the Galois group acts transitively on the roots of , there exist two automorphisms such that and . If , , , is an element in , then for every positive integer we have

 (β1I+β2A+β3A2)n=⎛⎜⎝βn000σ2(βn)000σ3(βn)⎞⎟⎠.

Consequently, if is a generator of the multiplicative group , then the vector generates the group and its corresponding projective point generates the group , with . ∎

###### Remark 4.2.

It is important to keep in mind that the implication in Theorem 4.1 works only in the way in which it is worded. If one selects a generator of the group , it will in general be a generator of only a subgroup of the whole group. Consequently, when choosing a generator for , it is convenient to pick it from the set of generators in and, after that, project it onto .

###### Remark 4.3.

As the order of the group is , the statement of Theorem 4.1 means that there exists an element of order . According to the proof of Theorem 4.1 this is equivalent to saying that the matrix in (1) is of order in the linear group . A classical result (see [18, Theorem, p. 379]) states that such a collineation always exists, but we need a direct proof of this fact to be able to apply it below in section 5; also see [6, Proposition 2.1].

###### Remark 4.4.

When the polynomial is reducible, experimental tests carried out in the prime field show that the projective cubic curve defined as has a number of points from the set only. Since the projective space has a total of points, we have that the group is left, respectively, with points.

If the number of points of is either or , then the group is still cyclic, and has the expected number of generators, namely, either or , respectively, where is Euler’s totient function.

However none of the other two possibilities give rise to a cyclic group. Rather, for the case where has points, there appears a number of cyclic groups, whose cardinalities are the divisors of ; it is important to remark that the total number of points left for the group is precisely . Thus, the group can be decomposed as a direct sum of a number of cyclic groups such that the product of their cardinalities is .

As for the case when has points, the group is not cyclic either and can be decomposed as a direct sum of cyclic groups with points each. Remark that now the total number of points left for the group is , so again the numbers of points of the cyclic groups of this case match the divisors of .

## 5 Equivalence of DLP in G and (Fq3)∗

###### Proposition 5.1.

Let be a finite field of characteristic or . Assume the polynomial in Lemma 2.1 is irreducible in , and let be a root of .

If is a generator of the group and belongs to this group, then is a solution to the equation

 (β1,β2,β3)=(γ1,γ2,γ3)⊕(n…⊕(γ1,γ2,γ3),

if and only if is a solution to the equation in the multiplicative group , where , and .

Therefore, the DLP in the group is equivalent to the DLP in .

###### Proof.

Letting , the statement follows from the matrix formula in the proof of Theorem 4.1 taking the very definition of the group law by the formula (3) into account. ∎

In the context of computational complexity, there exists the concept of “problem reduction” (see, for example, [16, Ch. 8], [13, p. 5] whence the next paragraph is quoted):

The idea of a reduction argument is that you can show that hardness of one problem implies hardness of another problem —or, equivalently, that “easiness” of would imply easiness of —by showing that anyone who had an algorithm to solve could use it to solve with relatively little additional effort; in that case one says that reduces to .

In the present case, Proposition 5.1 states the “equivalence” because the reduction works both ways, namely, DLP in the group reduces to the DLP in and the other way around. Hence, Proposition 5.1 proves that the use of the group is safe for standard implementations in PKC (e.g., see [14, §1.6]), since the security it provides is equivalent to that of DLP in , as long as the caveat stated in Remark 4.2 is taken into account.

In terms of cryptanalysis, in principle the logarithm in can be computed using “generic” algorithms, i.e., those that assume no particular structure in (or extra knowledge of) the group. The most popular ones are Pohlig-Hellman, Shank’s Baby Step/Giant Step, and Pollard’s Rho algorithm. The first one is really a reduction of the computation in the whole group to the computation of the logarithm in all subgroups of prime order of .

Our proposal is to use a group of prime order , over a ground prime field . Hence, we are left essentially with Shank’s and Pollard’s algorithms, which need and group operations respectively to compute a logarithm. In view of these facts, we conjecture that the expected security level of the DLP in is . Observe that to offer the same security level, the elliptic curve logarithm needs to operate over a ground field such that has twice as many bits.

In any case, when the group law introduced above is implemented, it seems sensible to avoid using small characteristics in view of recent cryptanalysis to DLP in (cf. , , , ), and also extensions of moderate characteristic included in the range of the following cryptanalysis:  (specially), , , , , , , which might prove also applicable to our proposal.

## 6 Example of application: a key agreement protocol

The group lends readily itself as a building block for standard cryptographic applications to be constructed upon it. One of such applications is a Diffie-Hellman-like key agreement protocol, which will be described in the following sections.

### 6.1 System set-up and system parameters

In the following, we provide the necessary steps to set up the system. Moreover, the users also need to fix some system parameters.

System set-up

To set up the system, the following steps are in order:

1. Choose a ground field with characteristic different from or .

2. Select elements such that the polynomial

 χ(X)=X3−c1X2−c2X−c3

is irreducible in .

3. Consider . Select such that it is a generator of .

4. Compute the coordinates of seen as a vector over , which will be denoted as .

5. Under the canonical projection , compute .

System parameters

Following the previous notation, the system parameters are defined by the set .

### 6.2 Key agreement protocol

The key agreement follows the well-known Diffie-Hellman paradigm. Any two users , willing to agree on a common value, which remains secret, set up a system and agree on its parameters, as stated previously.

The protocol runs as follows:

1. User selects , with , computes

 [γA1,γA2,γA3]=⊕nA[β1,β2,β3]∈FqP2

and sends it to user B.

2. User selects , computes

 [γB1,γB2,γB3]=⊕nB[β1,β2,β3]∈FqP2

and sends it to user A.

3. User computes .

4. User computes .

According to the definitions, the following equalities clearly hold:

 kA=⊕nA[γB1,γB2,γB3] = ⊕nA(⊕nB[β1,β2,β3]) = ⊕nB(⊕nA[β1,β2,β3]) = ⊕nB[γA1,γA2,γA3]=kB.

Hence, the properties of the operation in ensure that actually , which is the common value expected as the output of the protocol.

### 6.3 Cost of the ⊕ operation in G

Let and be the number of field operations in order to perform an addition and a multiplication respectively in . From the formulas (4) it follows that the total number of operations for computing is equal to , once the precomputations of , , and are assumed.

Additionally, two multiplications and one inversion are needed to eventually project the resulting point back to . However, in a typical setting their cost can be neglected when compared with the relatively much larger number of sums that are to be carried out.

### 6.4 A toy example

If we take the prime field , with , it is case that is also prime. Accordingly, the group is cyclic. We set the parameters , , , since the polynomial is irreducible in .

Let us take the projective point as a generator of . If we select now another projective point , we find by exhaustive search the integer such that :

 [126,16,1]→[117,130,1]→[11,15,1]→[71,56,1]→[16,98,1]→[72,62,1]→[111,125,1]→[110,130,1]→[130,114,1]→[86,120,1].

Since the operation has been iterated ten times, we conclude for this particular pair, so that .

### 6.5 Experimental results

We have conducted several experiments in order to assess the computation time of the operation in . The basic setup consists in selecting prime fields, , such that has increasing bit lengths. For each particular bit length, we repeat the operation a number of times and take the mean computation time value.

In order to compare computation times, we repeated the same experiment for the point addition in elliptic curves over , using the same range of bit lengths. Choosing the point addition operation in elliptic curves as the term of comparison with the operation seems sensible since both operations share a relatively large number of basic operations (namely, additions, multiplications and inversions) in the ground field. In particular, we used projective coordinates according to the formulas given in [4, §13.2.1.b].

We implemented the experiments using Java SE Runtime Environment version 1.8.0_171-b11 and the execution was carried out on an Intel Core i7-4790 platform running at GHz. We performed the experiment in the range bits in steps of bits. The experiments yielded the results shown in Table 1, where for each bit length we give the average computation time of one operation measured in microseconds.

A graph of the combined results for both the operation in and for point addition in elliptic curves over is shown in Figure 1. The -axis represents each bit-length step and the -axis show the mean computation time for one operation, both taken from Table 1.

Since elliptic curve logarithm needs twice as many bits as the logarithm in to provide an equivalent security level, we present in Figure 2 the comparison between computation times for equivalent bit lengths.

The following is remarkable:

• The computation times shown in Figure 1 for both settings show a essentially linear growth.

• Though the point addition is slightly slower than the operation in , they keep a rather constant ratio between them, which is roughly equal to .

• Observing Figure 2, it is apparent that the operation is much faster than its counterpart in elliptic curves of an equivalent security level. For example, when using bits in , equivalent to bit in elliptic curves, the operation is roughly times as fast as the sum of points in the equivalent elliptic curve (see Table 1).

Acknowledgments: This research has been partially supported by Ministerio de Economía, Industria y Competitividad (MINECO), Agencia Estatal de Investigación (AEI), and Fondo Europeo de Desarrollo Regional (FEDER, UE) under project COPCIS, reference TIN2017-84844-C2-1-R, and by Comunidad de Madrid (Spain) under project reference S2013/ICE-3095-CIBERDINE-CM, also co-funded by European Union FEDER funds.

## References

•  G. Adj, A. Menezes, T. Oliveira, F. Rodríguez-Henríquez. Computing discrete logarithms using Joux’s algorithm. ACM Comm. Computer Algebra 49 (2): 60 (2015).
•  R. Barbulescu, P. Gaudry, A. Guillevic, F. Morain. New record in , Catrel Workshop, École Polytechnique, October 2015, URL: https://webusers.imj-prg.fr/~razvan.barbaud/p3dd52.pdf.
• 

R. Barbulescu, P. Gaudry, A. Joux, E. Thomé. A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. Advances in Cryptology-EUROCRYPT 2014, Lecture Notes in Comput. Sci., 8441, 1–16 (2014).

•  H. Cohen, G. Frey, R. Avanzi, C. Doche, T. Lange, K. Nguyen, F. Vercauteren. Handbook of Elliptic and Hyperelliptic Curve Cryptography. Chapman and Hall/CRC, Taylor & Francis Group, New York, USA, 2005.
•  A. Cossidente, M.J. de Resmini. Remarks on Singer cyclic groups and their normalizers. Des. Codes Cryptogr. 32: 97–112 (2004).
•  S. R. Ghorpade, S. U. Hasan, M. Kumari. Primitive polynomials, Singer cycles and word-oriented linear feedback shift registers. Des. Codes Cryptogr. 58: 123–134 (2011).
•  R. Granger, T. Kleinjung, J. Zumbrägel. Indiscreet logarithms in finite fields of small characteristic. arXiv:1604.03837v1 [math.NT].
•  R. Granger, T. Kleinjung, J. Zumbrägel. On the discrete logarithm problem in finite fields of fixed characteristic. arXiv:1507.01495v2 [math.NT].
•  K. Hayasaka, K.Aoki, T. Kobayashi, T. Takagi. A construction of 3-dimensional lattice sieve for number field sieve over . Cryptology ePrint Archive, 2015/1179 (2015).
•  A. Joux, A. Odlyzko, C. Pierrot. The past, evolving present, and future of the discrete logarithm. Open problems in mathematics and computational science, 5–36 (2014).
•  A. Joux, C. Pierrot. Technical history of discrete logarithms in small characteristic finite fields: The road from subexponential to quasi-polynomial complexity. Des. Codes Cryptogr. 78 (1): 73–85 (2016).
•  T. Kleinjung, C. Diem, A. K. Lenstra, C. Priplata, C. Stahlke. Computation of a -Bit Prime Field Discrete Logarithm, Advances in Cryptology-EUROCRYPT 2017, Lecture Notes in Comput. Sci., 10210, 185–201 (2017).
•  N. Koblitz, A.J. Menezes. Another look at “Provable Security”. J. Cryptology 20: 3–37 (2007).
•  A.J. Menezes. Elliptic Curve Public Key Cryptosystems. The Kluwer International Series in Engineering and Computer Science, 234. Communications and Information Theory. Kluwer Academic Publishers, Boston, MA, 1993.
•  A. M. Odlyzko. Discrete logarithms in finite fields and their cryptographic significance. Advances in Cryptology-EUROCRYPT 1984, Lecture Notes in Comput. Sci., 209, 224–314 (1985).