1,427 research outputs found

    On Small Degree Extension Fields in Cryptology

    This thesis studies the implications of using public key cryptographic primitives that are based in, or map to, the multiplicative group of finite fields with small extension degree. A central observation is that the multiplicative group of extension fields essentially decomposes as a product of algebraic tori, whose properties allow for improved communication efficiency. Part I of this thesis is concerned with the constructive implications of this idea. Firstly, algorithms are developed for the efficient implementation of torus-based cryptosystems and their performance compared with previous work. It is then shown how to apply these methods to operations required in low characteristic pairing-based cryptography. Finally, practical schemes for high-dimensional tori are discussed. Highly optimised implementations and benchmark timings are provided for each of these systems. Part II addresses the security of the schemes presented in Part I, i.e., the hardness of the discrete logarithm problem. Firstly, a heuristic analysis of the effectiveness of the Function Field Sieve in small characteristic is given. Next presented is an implementation of this algorithm for characteristic three fields used in pairing-based cryptography. Finally, a new index calculus algorithm for solving the discrete logarithm problem on algebraic tori is described and analysed.

    Black Box White Arrow

    The present paper proposes a new and systematic approach to the so-called black box group methods in computational group theory. Instead of a single black box, we consider categories of black boxes and their morphisms. This makes new classes of black box problems accessible. For example, we can enrich black box groups by actions of outer automorphisms. As an example of application of this technique, we construct Frobenius maps on black box groups of untwisted Lie type in odd characteristic (Section 6) and inverse-transpose automorphisms on black box groups encrypting (P)SL_n(F_q). One of the advantages of our approach is that it allows us to work in black box groups over finite fields of big characteristic. Another advantage is the explanatory power of our methods; as an example, we explain Kantor's and Kassabov's construction of an involution in black box groups encrypting SL_2(2^n). Due to the nature of our work we also have to discuss a few methodological issues of the black box group theory. The paper is a further development of our text "Fifty shades of black" [arXiv:1308.2487], and repeats parts of it, but under weaker axioms for black box groups.
    Comment: arXiv admin note: substantial text overlap with arXiv:1308.248

    Discrete logarithm computations over finite fields using Reed-Solomon codes

    Cheng and Wan have related the decoding of Reed-Solomon codes to the computation of discrete logarithms over finite fields, with the aim of proving the hardness of their decoding. In this work, we experiment with solving the discrete logarithm over GF(q^h) using Reed-Solomon decoding. For fixed h and q going to infinity, we introduce an algorithm (RSDL) needing O(h! q^2) operations over GF(q), operating on a q x q matrix with (h+2) q non-zero coefficients. We give faster variants including an incremental version and another one that uses auxiliary finite fields that need not be subfields of GF(q^h); this variant is very practical for moderate values of q and h. We include some numerical results of our first implementations.

    On Index Calculus Algorithms for Subfield Curves

    In this paper we further the study of index calculus methods for solving the elliptic curve discrete logarithm problem (ECDLP). We focus on the index calculus for subfield curves, also called Koblitz curves, defined over F_q with ECDLP in F_{q^n}. Instead of accelerating the solution of polynomial systems during index calculus as was predominantly done in previous work, we define factor bases that are invariant under the q-power Frobenius automorphism of the field F_{q^n}, reducing the number of polynomial systems that need to be solved. A reduction by a factor of 1/n is the best one could hope for. We show how to choose factor bases to achieve this, while simultaneously accelerating the linear algebra step of the index calculus method for Koblitz curves by a factor n^2. Furthermore, we show how to use the Frobenius endomorphism to improve symmetry breaking for Koblitz curves. We provide constructions of factor bases with the desired properties, and we study their impact on the polynomial system solving costs experimentally.

    Generic elements in Zariski-dense subgroups and isospectral locally symmetric spaces

    The article contains a survey of results on length-commensurable and isospectral locally symmetric spaces and related problems in the theory of semi-simple algebraic groups.
    Comment: New material has been added in section

    Weakly commensurable groups, with applications to differential geometry

    The article contains a survey of our results on weakly commensurable arithmetic and general Zariski-dense subgroups, length-commensurable and isospectral locally symmetric spaces and of related problems in the theory of semi-simple algebraic groups. We have included a discussion of very recent results and conjectures on absolutely almost simple algebraic groups having the same maximal tori and finite-dimensional division algebras having the same maximal subfields.
    Comment: Improved exposition, updated bibliography. arXiv admin note: substantial text overlap with arXiv:1212.121

    Normal Elliptic Bases and Torus-Based Cryptography

    We consider representations of algebraic tori T_n(F_q) over finite fields. We make use of normal elliptic bases to show that, for infinitely many squarefree integers n and infinitely many values of q, we can encode m torus elements, to a small fixed overhead and to m φ(n)-tuples of F_q elements, in quasi-linear time in log q. This improves upon previously known algorithms, which all have a quasi-quadratic complexity. As a result, the cost of the encoding phase is now negligible in Diffie-Hellman cryptographic schemes.