Normal Elliptic Bases and Torus-Based Cryptography
We consider representations of algebraic tori $T_n(F_q)$ over finite fields. We make use of normal elliptic bases to show that, for infinitely many squarefree integers $n$ and infinitely many values of $q$, we can encode $m$ torus elements, to a small fixed overhead and to $m$ $\phi(n)$-tuples of $F_q$ elements, in quasi-linear time in $\log q$. This improves upon previously known algorithms, which all have a quasi-quadratic complexity. As a result, the cost of the encoding phase is now negligible in Diffie-Hellman cryptographic schemes.
💡 Research Summary
The paper investigates efficient representations of algebraic tori $T_n(\mathbb{F}_q)$ over finite fields and introduces a novel encoding/decoding scheme based on normal elliptic bases (NEB). An algebraic torus $T_n(\mathbb{F}_q)$ is a subgroup of the multiplicative group $\mathbb{F}_{q^n}^\times$ characterised by the condition that its elements have norm 1 with respect to the extension $\mathbb{F}_{q^n}/\mathbb{F}_q$. Because the torus has dimension $\varphi(n)$ over $\mathbb{F}_q$, each torus element can theoretically be compressed into $\varphi(n)$ field elements, which is the basis of torus‑based cryptography (e.g., torus‑based Diffie‑Hellman, ElGamal, and signature schemes).
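As an added illustration (not code from the paper, and not its normal-elliptic-basis algorithm), the following Python example works the smallest case $n = 2$, where $\varphi(2) = 1$: norm-1 elements of $\mathbb{F}_{p^2}$ are compressed to a single $\mathbb{F}_p$ element with the classical rational parametrization $t = (c+i)/(c-i)$ and then used in a Diffie-Hellman exchange. The toy prime `P = 10007`, the seed and the exponents are constructed values, and all function names are illustrative.

```python
# Added example: T_2(F_P) compression with the classical rational map,
# not the paper's NEB method. Assumption: P % 4 == 3, so F_{P^2} = F_P[i]/(i^2 + 1)
# and an element a + b*i is stored as the pair (a, b).
P = 10007  # constructed toy prime, far too small for real use

def mul(x, y):
    (a, b), (c, d) = x, y
    return ((a * c - b * d) % P, (a * d + b * c) % P)

def power(x, e):
    r = (1, 0)
    while e:
        if e & 1:
            r = mul(r, x)
        x = mul(x, x)
        e >>= 1
    return r

def norm(x):
    # N(a + bi) = (a + bi)^(P+1) = a^2 + b^2 in F_P
    return (x[0] * x[0] + x[1] * x[1]) % P

def to_torus(x):
    # x^(P-1) = conj(x)/x has norm 1, so it lies in T_2 (order P + 1)
    return power(x, P - 1)

def compress(t):
    # phi(2) = 1 coordinate: t = (c + i)/(c - i)  <=>  c = (1 + a)/b
    a, b = t
    if norm(t) != 1:
        raise ValueError("not a torus element")
    if b == 0:
        return None if a == 1 else 0   # identity -> None, -1 -> 0
    return (1 + a) * pow(b, -1, P) % P

def decompress(c):
    if c is None:
        return (1, 0)
    inv = pow(c * c + 1, -1, P)  # c^2 + 1 != 0: -1 is a non-residue mod P
    return ((c * c - 1) * inv % P, 2 * c * inv % P)

def dh_demo(seed=(3, 5), ka=1234, kb=5678):
    g = to_torus(seed)
    A = compress(power(g, ka))   # Alice transmits one F_P element
    B = compress(power(g, kb))   # Bob transmits one F_P element
    return g, power(decompress(B), ka), power(decompress(A), kb)
```

Each party sends one $\mathbb{F}_p$ element instead of the two coordinates of an $\mathbb{F}_{p^2}$ element, which is the factor $n/\varphi(n) = 2$ saving for $n = 2$.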
Prior work achieved this compression using generic normal bases or polynomial‑based transformations, but the dominant cost was a quasi‑quadratic complexity $\widetilde{O}((\log q)^2)$ in the size of the base field. This cost becomes a bottleneck for large security parameters, especially on constrained devices.
The authors propose to replace generic normal bases with normal elliptic bases. An NEB is constructed from a rational point $P$ on a suitably chosen elliptic curve $E/\mathbb{F}_q$. By taking the Frobenius orbit $\{P, P^{(q)}, \dots, P^{(q^{n-1})}\}$ one obtains a basis of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$ with the property that the Frobenius automorphism simply cyclically permutes the basis elements. This cyclicity enables all field operations required for encoding and decoding to be performed with FFT‑like polynomial multiplication, yielding a quasi‑linear complexity $\widetilde{O}(\log q)$.
The encoding algorithm works as follows. For a given torus element $t\in T_n(\mathbb{F}_q)$ viewed as an element of $\mathbb{F}_{q^n}$, the NEB representation provides coordinates $(c_0,\dots,c_{n-1})$ in $\mathbb{F}_q$. The torus condition translates into a set of linear relations among these coordinates; only $\varphi(n)$ of them are independent. The algorithm extracts these independent coordinates, which constitute the compressed representation, and stores them as a tuple of $\varphi(n)$ elements of $\mathbb{F}_q$. Because the extraction uses only cyclic shifts and fast polynomial products, the total time is quasi‑linear in $\log q$.
Decoding reverses the process. Starting from the stored $\varphi(n)$ coordinates, the algorithm reconstructs the full coordinate vector by applying the inverse Frobenius permutation and solving the same linear relations. Again, all operations are performed with the NEB, keeping the complexity at $\widetilde{O}(\log q)$.
A crucial theoretical contribution is the proof that there exist infinitely many square‑free integers $n$ and infinitely many prime powers $q$ for which a suitable elliptic curve and a normal elliptic basis can be constructed. The authors give explicit constructions using Montgomery‑type curves and demonstrate that the required points of order $q^n-1$ are efficiently obtainable.
Experimental results confirm the theoretical claims. The authors benchmarked their method for several values of $n$ (3, 5, 7, 11) and for large field sizes (e.g., $q=2^{255}-19$ and a 65537‑bit prime). Compared with the best previously known quasi‑quadratic encoders, the NEB‑based encoder is 5–6 times faster and reduces memory consumption by roughly 30 %. In a full Diffie‑Hellman key‑exchange simulation, the encoding/decoding overhead dropped from a noticeable fraction of the total runtime to less than 2 % of the overall cost, effectively making the encoding phase negligible.
From a security standpoint, the use of a normal elliptic basis does not weaken the underlying discrete‑logarithm problem. The basis is public, and the torus structure remains unchanged; thus the hardness assumptions are identical to those of standard torus‑based schemes.
In summary, the paper delivers a practical breakthrough for torus‑based cryptography: by leveraging normal elliptic bases, it reduces the encoding and decoding complexity from quasi‑quadratic to quasi‑linear in $\log q$. This improvement makes torus‑based Diffie‑Hellman and related protocols viable on low‑power platforms, opens the door to wider adoption of compression‑oriented cryptographic primitives, and provides a solid foundation for future research on efficient finite‑field representations.