Cryptology ePrint Archive: Report 2021/1659

XTR and Tori

Martijn Stam

Abstract: At the turn of the century, 80-bit security was the standard. When considering discrete-log based cryptosystems, it could be achieved using either subgroups of 1024-bit finite fields or using (hyper)elliptic curves. The latter would allow more compact and efficient arithmetic, until Lenstra and Verheul invented XTR. Here XTR stands for 'ECSTR', itself an abbreviation for Efficient and Compact Subgroup Trace Representation. XTR exploits algebraic properties of the cyclotomic subgroup of sixth-degree extension fields, allowing elements to be represented in only a third of their regular size, making finite field DLP-based systems competitive with elliptic curve ones. Subsequent developments, such as the move to 128-bit security and improvements in finite field DLP, rendered the original XTR and closely related torus-based cryptosystems no longer competitive with elliptic curves. Yet, some of the techniques related to XTR are still relevant for certain pairing-based cryptosystems. This chapter describes the past and the present of XTR and other methods for efficient and compact subgroup arithmetic.

Category / Keywords: public-key cryptography / implementation, number theory, public key cryptography

Original Publication (in the same form): Computational Cryptography

Date: received 17 Dec 2021

Contact author: martijn at simula no


Note: This material will be published in revised form in Computational Cryptography edited by Joppe W. Bos and Martijn Stam and published by Cambridge University Press. See

Version: 20211217:143432
