Fast Irreducibility and Subgroup Membership Testing in XTR

  • Arjen K. Lenstra
  • Eric R. Verheul
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1992)


We describe a new general method to perform part of the setup stage of the XTR system introduced at Crypto 2000, namely finding the trace of a generator of the XTR group. Our method is substantially faster than the general method presented at Asiacrypt 2000. As a side result, we obtain an efficient method to test subgroup membership when using XTR.


  1. 1.
    I. Biehl, B. Meyer, V. Müller, Differential fault attacks on elliptic curve cryptosystems, Proceedings of Crypto 2000, LNCS 1880, Springer-Verlag, 2000, 131–146.Google Scholar
  2. 2.
    M.V.D. Burmester, A remark on the efficiency of identification schemes, Proceedings of Eurocrypt’90, LNCS 473, Springer-Verlag 1990, 493–495.Google Scholar
  3. 3.
    R. Cramer, V. Shoup, A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack, Proceedings of Crypto’98, LNCS 1462, Springer-Verlag 1998, 13–25.Google Scholar
  4. 4.
    A.K. Lenstra, E.R. Verheul, The XTR public key system, Proceedings of Crypto 2000, LNCS 1880, Springer-Verlag, 2000, 1–19; available from Scholar
  5. 5.
    A.K. Lenstra, E.R. Verheul, Key improvements to XTR, Proceedings of Asiacrypt 2000, LNCS 1976, Springer-Verlag, 2000, 220–233; available from Scholar
  6. 6.
    C.H. Lim, P.J. Lee, A key recovery attack on discrete log-based schemes using a prime order subgroup, Proceedings of Crypto’97, LNCS 1294, Springer-Verlag 1997, 249–263.Google Scholar
  7. 7.
    W.K. Nicholson, Introduction to abstract algebra, PWS-Kent Publishing Company, Boston, 1993.MATHGoogle Scholar
  8. 8.
    P.C. van Oorschot, M.J. Wiener, On Diffie-Hellman key agreement with short exponents, Proceedings of Eurocrypt’ 96, LNCS 1070, Springer-Verlag 1996, 332–343.Google Scholar
  9. 9.
    S.C. Pohlig, M.E. Hellman, An improved algorithm for computing logarithms over GF(p) and its cryptographic significance, IEEE Trans. on IT, 24 (1978), 106–110.MATHCrossRefMathSciNetGoogle Scholar
  10. 10.
    H. Riesel, Prime numbers and computer methods for factorization, Birkhäuser, Boston, 1985.MATHGoogle Scholar
  11. 11.
    E.R. Verheul, M.P. Hoyle, Tricking the Chaum-Pedersen protocol, manuscript, 1998.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Arjen K. Lenstra
    • 1
  • Eric R. Verheul
    • 2
  1. 1.Citibank, N.A.Technical University EindhovenUSA
  2. 2.PricewaterhouseCoopersGRMS Crypto GroupKE EindhovenThe Netherlands

Personalised recommendations