Effective compression maps for torus-based cryptography

Abstract

We give explicit parametrizations of the algebraic tori \(\mathbb {T}_{n}\) over any finite field \(\mathbb {F}_{q}\) for any prime power \(n\). Applying the construction for \(n=3\) to a quadratic field \(\mathbb {F}_{q^2}\) we show that the set of \(\mathbb {F}_q\)-rational points of the torus \(\mathbb {T}_{6}\) is birationally equivalent to the affine part of a Singer arc in \(\mathbb {P}^2(\mathbb {F}_{q^2})\). This gives a simple, yet efficient compression and decompression algorithm from \(\mathbb {T}_{6}(\mathbb {F}_{q})\) to \(\mathbb {A}^2(\mathbb {F}_{q})\) that can be substituted in the faster implementation of CEILIDH (Granger et al., in Algorithmic number theory, pp 235–249, Springer, Berlin, 2004) achieving a theoretical 30 % speedup and that is also cheaper than the recently proposed factor-\(6\) compression technique in Karabina (IEEE Trans Inf Theory 58(5):3293–3304, 2012). The compression methods here presented have a wide class of applications to public-key and pairing-based cryptography over any finite field.

Appendix

1.1 Missing points: \(V(f)\) and \(U\)

We determine the points of \(V(f)\) and \(U\) in Sect. 5. We have that \(V(f)\) is defined by the equation \(f=v^{q+2}-2v^{q+1}-v^2+1=0\), for \(v=(v_1,v_2)\in \mathbb {A}^2(\mathbb {F}_{q})\). This gives the following equations defined over \(\mathbb {F}_{q}\):

$$\begin{aligned} v_1^3 - v_1^2v_2 - 3v_1^2 + v_1v_2^2 + 2v_1v_2 - v_2^2 + 1,\; v_1^2v_2 - v_1v_2^2 - 2v_1v_2 + v_2^3 + v_2^2. \end{aligned}$$

Computing a Groebner basis of the ideal generated by these two equations gives:

$$\begin{aligned}&v_1^3 - 3v_1^2 + v_2^3 + 1,\\&v_1^2v_2 + v_1v_2 + 2v_2^3 - v_2^2 - 3v_2,\\&v_1v_2^2 + v_1v_2 + v_2^3 - v_2^2 - 2v_2,\\&2v_1v_2 - v_2^2 - v_2,\\&3v_2^3 - 3v_2. \end{aligned}$$

It follows easily that the only zeros of this ideal are \((1,1)\) and \((0,-1)\), so that

$$\begin{aligned} V(f)=\left\{ (1,1),(0,-1)\right\} . \end{aligned}$$

(16)

We determine \(\mathbb {T}_6(\mathbb {F}_{q})\cap U\). Recall that \(U=\left\{ h(x) \mid x=(0,1,x_2)\right\} \cup \left\{ h(0,0,1)\right\} \), so that the elements of \(U\) have norm \(1\) over \(\mathbb {F}_{q^2}\). We computed \(h(0,0,1)=-(2,2,1)\) and see that this element is not in \(\mathbb {T}_6(\mathbb {F}_{q})\). Then, from the definition of \(\mathbb {T}_6(\mathbb {F}_{q})\) it follows that

$$\begin{aligned} \mathbb {T}_6(\mathbb {F}_{q})\cap U \;=\;\big \{h(x) \mid x=(0,1,x_2),\;\mathrm {N}_{\mathbb {F}_{q^6}/\mathbb {F}_{q^3}}(h(x))=1\big \}. \end{aligned}$$

Using the basis \(\left\{ 1,\gamma \right\} \) we set \(x_2=(a,b)\), with \(a,b\in \mathbb {F}_{q}\). Then, writing the condition above gives:

$$\begin{aligned} a^2 - ab - 4a + b^2 + 2b + 1=0, \quad 2a^2 - 2ab - 2a + 2b^2 + b - 1. \end{aligned}$$

Computing a Groebner basis of the ideal generated by these two equations we have:

$$\begin{aligned}&a^2 + a + 2b^2 - b - 3,\; ab + a + b^2 - b - 2, \\&\qquad 2a - b - 1,\;3b^2 - 3. \end{aligned}$$

Then, it follows \(x_2=(0,-1)\) or \(x_2=(1,1)\), i.e., \(x_2=-\zeta _3\) or \(x_2=-\zeta _3^2\). In particular, we computed \(h(0,1,-\zeta _3)=\zeta _3^2\) and \(h(0,1,-\zeta _3^2)=\zeta _3\), so that

$$\begin{aligned} \mathbb {T}_6(\mathbb {F}_{q})\cap U=\left\{ \zeta _3,\zeta _3^2\right\} . \end{aligned}$$

(17)

1.2 Missing points: \(V_1\)

Recall that \(V_1=\left\{ (x_1,x_2)\in \mathbb {A}^2(\mathbb {F}_{q^2}) \mid g=x_1^2 -x_1x_2 + x_2^2 - 1=0 \right\} \) and \(\rho \circ h_1^{-1}\) gives a birational map from \(\mathbb {T}_6(\mathbb {F}_{q}){\setminus } U_1\) to the affine space \(\mathbb {A}^2(\mathbb {F}_{q})\). When defining \(h_1\circ \rho ^{-1}\) we must avoid considering the elements \(v\in \mathbb {A}^2(\mathbb {F}_{q})\) such that \(\rho ^{-1}(v)\in V_1\). Let \(v=(v_1,v_2)\) with \(v_1,v_1\in \mathbb {F}_{q}\), the condition \(g(\rho ^{-1}(v))=0\) gives two equation defined over \(\mathbb {F}_{q}\). Computing a Groebner basis of the ideal \(I\) generated by this two equations, it turns out that the zeros of \(I\) must be solutions of:

$$\begin{aligned} v_1^2 + 6v_1v_2^2 - v_1v_2 - 2v_1 - 3v_2^3 - 2v_2^2 + v_2&= 0, \nonumber \\ 3v_2^2+1=0\;\;or\;\;3v_2^2-1&= 0. \end{aligned}$$

(18)

Since we are assuming \(q\equiv 2\) mod \(9,\, 3v_2^2+1\) has no root in \(\mathbb {F}_{q}\). Also, \(3v_2^2-1\) factorizes over \(\mathbb {Q}(\zeta _9)\) as \(3(x+\frac{t}{3})(x-\frac{t}{3})\) with \(t=\zeta _9-1\). In the case \(\zeta _9\in \mathbb {F}_{q}\) we have two possible zeros of \(I\) with \(v_2=\pm \frac{1}{\sqrt{3}}\). Then, the zeros of \(I\) are at most \(4\), since, given \(v_2\pm \frac{1}{\sqrt{3}}\), \(v_1\) is a solution of a second degree equation over \(\mathbb {F}_q\). This shows that, when defining the birational mapping \(h_1\circ \rho ^{-1}\), we may further exclude at most \(4\) points (the number of points depends on \(q\)) from \(\mathbb {A}^2(\mathbb {F}_{q})\), so that in practical settings the number of missing points of \(\mathbb {T}_6(\mathbb {F}_{q})\) is at most \(4\). Given \(q\) the missing points in \(\mathbb {A}^2(\mathbb {F}_{q})\) and in \(\mathbb {T}_6(\mathbb {F}_{q})\) can be explicitly determined by solving second degree equations over \(\mathbb {F}_q\).

1.3 Equivalent maps for \(\mathbb {T}_n\)

Let \(n\) be a positive integer and denote by \(p_i\), for \(i=1,\ldots ,r\), its distinct prime factors. Set \(F=\mathbb {F}_{q^n}\) and \(F_i=\mathbb {F}_{q^{n/p_i}}\). We have that:

$$\begin{aligned} \mathbb {T}_{n}(\mathbb {F}_{q})=\left\{ y\in F^* \mid \mathrm {N}_{F/F_i}(y)=1,\;i=1,\ldots ,r\right\} , \end{aligned}$$

i.e., \(\mathbb {T}_{n}(\mathbb {F}_{q})=\bigcap _{i=1}^r\mathbb {T}_{p_i}(F_i)\). Then, given \(y\in \mathbb {T}_{n}(\mathbb {F}_{q})\), we may apply the birational maps to the affine spaces \(\mathbb {A}^{p_i-1}(F_i)\) for any \(\mathbb {T}_{p_i}(F_i)\) and get \(r\) distinct affine-images of \(y\), say \(x_i\in \mathbb {A}^{p_i-1}(F_i)\). We point out that these maps are substantially equivalent: given \(1\le i,j\le r\) with \(i\ne j\), we can obtain \(x_i\) from \(x_j\). In fact, we have \(x_i^{q^{n/p_i}-1}=y=x_j^{q^{n/p_j}-1}\), so that \(x_i^{q^{n/p_i}}x_j=x_ix_j^{q^{n/p_j}}\). Given \(x_j\), the latter condition gives a set of linear equations in \(x_i\) which can be easily solved. In particular, for \(n=6\) we have that given a partially-compressed element \(x_1\in \mathbb {A}^2(\mathbb {F}_{q^2})\) (in our representation) we can compute the correspondent CEILIDH-partially-compressed element \(x_2\in \mathbb {A}^3(\mathbb {F}_{q})\) and vice-versa (see [29]).