A New RSA Variant Based on Elliptic Curves

Preprint

Article

A New RSA Variant Based on Elliptic Curves

Altmetrics

Downloads

140

Views

Comments

A peer-reviewed article of this preprint also exists.

This version is not peer-reviewed

Submitted:

01 June 2023

Posted:

01 June 2023

You are already at the latest version

Alerts

Abstract

We propose a new scheme based on ephemeral elliptic curves over the ring Z/nZ where n=pq is an RSA modulus with p=up^2+vp^2, q=uq^2+vq^2, up≡uq≡3(mod4). The new scheme is a variant of both the RSA and the KMOV cryptosystems. The scheme can be used for both signature and encryption. We study the security of the new scheme and show that is immune against factorization attacks, discrete logarithm problem attacks, sum of two squares attacks, sum of four squares attacks, isomorphism attacks, and homomorphism attacks. Moreover, we show that the private exponents can be much smaller than the ordinary exponents for RSA and KMOV, which makes the decryption phase in the new scheme more efficient.

Keywords:

Subject: Computer Science and Mathematics - Information Systems

1. Introduction

The RSA system was proposed in 1977 by Rivest, Shamir, and Adleman [37] as a public key cryptosystem. The algorithm is based on a trap door function that utilizes Fermat-Euler theorem. The RSA algorithm strength depends on the difficulty of factorizing a large integer n which is the product of two large primes p and q. In RSA, the public exponent is an integer e and the private exponent is an integer d such that

e d \equiv 1 (mod (p - 1) (q - 1))

Since its publication, the RSA cryptosystem has been intensively studied for vulnerabilities using various methods (see [4,16]). On the other hand, to improve the efficiency of RSA, many variants have been proposed such as Batch RSA [13], Multi-prime RSA [8], Prime-power RSA [41], CRT-RSA [10], Rebalanced-RSA [45], Dual RSA [40] and DRSA [34].

In 1985, Koblitz [21] and Miller [28] showed independently how to use elliptic curves over finite fields for the design of cryptosystems. Such schemes contribute to the elliptic curve cryptography (ECC) and their security is based on the hardness of the elliptic curve discrete logarithm (ECDLP). ECC offers high security with smaller keys and more efficient implementations than traditional public key cryptosystems such as RSA. ECC is increasingly used in industry for digital signatures such as ECDSA [30], key agreement such as ECDH [7] and Bitcoin [29].

In 1991, Koyama et al. [20] proposed a new scheme called KMOV, by adapting RSA to the elliptic curve with an equation

y^{2} \equiv x^{3} + b (mod n)

over the ring

Z / n Z

, where

n = p q

is an RSA modulus satisfying

p \equiv q \equiv 2 (mod 3)

. In KMOV, b is computed during the encryption process in terms of the plaintext

(x, y)

b \equiv y^{2} - x^{3} (mod n)

. The main property in KMOV is that

(p + 1) (q + 1) P = O

for any point P of the elliptic curve where

O

is the point at infinity. In 1993, Demytko [11] proposed a variant of RSA where the elliptic curve with the equation

y^{2} \equiv x^{3} + a x + b (mod n)

over

Z / n Z

is fixed. The advantage of Demytko’s scheme over KMOV is that it uses only the x-coordinate of the points of the elliptic curve. One of the common properties of both schemes is that their security is based on the hardness of factoring large composite integers.

In this paper, we propose a new RSA variant based on the elliptic curve with the equation

y^{2} = x^{3} + a x

over the ring

Z / n Z

where

n = p q

is an RSA modulus with

p = u_{p}^{2} + v_{p}^{2}

q = u_{q}^{2} + v_{q}^{2}

u_{p} \equiv 3 (mod 4)

and

u_{q} \equiv 3 (mod 4)

. The number of points of the elliptic curve

y^{2} = x^{3} + a x

over the finite field

F_{p}

p + 1 - 2 U_{p}

with

U_{p} \in {\pm u_{p}, \pm v_{p}}

. Similarly, the number of points of the same elliptic curve over

F_{p}

q + 1 - 2 V_{p}

with

U_{q} \in {\pm u_{q}, \pm v_{q}}

The new scheme is a variant of both RSA and KMOV and works as follows. The public exponent is an integer e satisfying

gcd (e, ψ (n)) = 1

where

ψ (n) = (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q}),

with

U_{p} \in {\pm u_{p}, \pm v_{p}}

, and

U_{q} \in {\pm u_{q}, \pm v_{q}}

. To encrypt a message m, one generates a random integer r with

1 \leq r < n

, computes

a = \frac{m^{2} - r^{3}}{r} (mod n)

, and

C = (x_{C}, y_{C}) = e (r, m)

on the elliptic curve with equation

y^{2} = x^{3} + a x

over the ring

Z / n Z

. The point C is then the encrypted message. To decrypt C, one first computes

a \equiv \frac{y_{C}^{2} - x_{C}^{3}}{x_{C}} (mod n)

and the two values

U_{p}

and

U_{q}

such that

\begin{matrix} U_{p} = \{\begin{matrix} - u_{p} & if a^{\frac{p - 1}{4}} \equiv 1 (mod p), \\ u_{p} & if a^{\frac{p - 1}{4}} \equiv - 1 (mod p), \\ v_{p} & if a^{\frac{p - 1}{4}} \equiv \frac{u_{p}}{v_{p}} (mod p), \\ - v_{p} & if a^{\frac{p - 1}{4}} \equiv - \frac{u_{p}}{v_{p}} (mod p), \end{matrix} \end{matrix}

(1)

and

\begin{matrix} U_{q} = \{\begin{matrix} - u_{q} & if a^{\frac{q - 1}{4}} \equiv 1 (mod q), \\ u_{q} & if a^{\frac{q - 1}{4}} \equiv - 1 (mod q), \\ v_{q} & if a^{\frac{q - 1}{4}} \equiv \frac{u_{q}}{v_{q}} (mod q), \\ - v_{q} & if a^{\frac{q - 1}{4}} \equiv - \frac{u_{q}}{v_{q}} (mod q) . \end{matrix} \end{matrix}

(2)

Using

U_{p}

and

U_{q}

, one computes

ψ (n) = (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q})

, and

d \equiv e^{- 1} (mod ψ (n))

. Finally, one computes the initial message

(r, m) = d (x_{C}, y_{C})

on the elliptic curve with equation

y^{2} = x^{3} + a x

over the ring

Z / n Z

We study the security of the new scheme regarding the modulus n, the private multiplier d and the elliptic curve with an equation

y^{2} \equiv x^{3} + a x (mod n)

. For the modulus

n = p q

, we study its resistance against factorization algorithms, and its decomposition as the sum of two or four squares. We show that knowing the order

ψ (n) = (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q})

with

U_{p} \in {\pm u_{p}, \pm v_{p}}

, and

U_{q} \in {\pm u_{q}, \pm v_{q}}

is not sufficient to factor n. For the private multiplier d, we show that the attacks based on the continued fraction algorithm or Coppersmith’s method are applicable only if

d < n^{0.133}

. For comparison, the former techniques are applicable for RSA and KMOV when their private exponent and multiplier

d^{'}

is such that

d^{'} < n^{0.292}

. Finally, we study the discrete logarithm problem for an elliptic curve with the equation

y^{2} \equiv x^{3} + a x (mod n)

. We also study the isomorphism and the homomorphism attacks and the way to overcome them.

The rest of the paper is organized as follows. In Section 2, we present three results that will be used in the paper. In Section 3 and Section 4, we present the theory of elliptic curves over a finite field

F_{p}

and a finite ring

Z / n Z

respectively. In Section 5, we present the new scheme. In Section 6, we present a detailed analysis of the security of the new scheme. We conclude the paper in Section 7.

2. Useful Lemmas

In this section, we present some results that will be convenient for the security analysis of our new scheme.

Let

n = p q

be an RSA modulus with balanced prime factors p and q, typically,

q < p < 2 q

. The following result gives upper and lower bounds for p and q in terms of n [31].

Lemma 1.

Let

n = p q

be the product of two unknown integers such that

q < p < 2 q

. Then

\frac{\sqrt{2}}{2} \sqrt{n} < q < \sqrt{n} < p < \sqrt{2} \sqrt{n} .

In 1990, Wiener [45] showed that RSA with a public key

(n = p q, e)

is insecure if the private exponents d satisfies

e d - k (p - 1) (q - 1) = 1

with

d < \frac{1}{3} n^{\frac{1}{4}}

. His method is based on the continued fraction algorithm and makes use of the following result (Theorem 184 of [15]).

Theorem 1.

Let ξ be a real number. Let a and b be two positive integers satisfying

gcd (a, b) = 1

and

|ξ - \frac{a}{b}| < \frac{1}{2 b^{2}} .

Then

\frac{a}{b}

is a convergent of the continued fraction expansion of ξ.

In 1996, Coppersmith [9] described a polynomial-time algorithm for finding small solutions of univariate modular polynomial equations. The method is based on lattice reduction. Since then, Coppersmith method has been extended to solve modular polynomial equations with more variables, and has been used for cryptanalysis, especially in regards with the RSA system. To illustrate this point, Boneh and Durfee [6] presented an attack on RSA by transforming the RSA key equation

e d - k (p - 1) (q - 1) = 1

into the small inverse problem

x (n + y) \equiv 1 (mod e)

. Using Coppersmith’s method, they improved Wiener’s attack up to

d < N^{0.292}

The following result is a generalization of the method of Boneh and Durfee for solving the small inverse problem (see [6,42,44]).

Lemma 2.

Let n and e be two distinct integers of the same size. Let x and y be two integers such that

| x | < n^{δ}

| y | < n^{β}

, and

x (n + y) \equiv 1 (mod e)

. If

\frac{1}{4} < β < 1

and

δ < 1 - \sqrt{β}

, then one can find x and y in polynomial time.

3. Elliptic Curves over the Finite Field $F_{p}$

In this section, we present the main definitions and properties of elliptic curves. For more properties, see [17,38,39,43].

Let p be a prime number and

F_{p}

be the finite field with p elements. An elliptic curve E over

F_{p}

is an algebraic curve with no singular points, given by the Weierstrass equation

y^{2} + a_{1} x y + a_{3} y = x^{3} + a_{2} x^{2} + a_{4} x + a_{6},

where

a_{i} \in F_{p}

for

i \in {1, 2, 3, 4, 6}

. When

p \geq 5

, the equation can be transformed into the short Weierstrass equation

y^{2} = x^{3} + a x + b,

with nonzero discriminant

Δ = - 16 (4 a^{3} + 27 b^{2}) \neq 0

. The set of points

P = (x, y)

satisfying the equation, along with the infinity point

O

is denoted

E (F_{p})

. The total number of points on

E (F_{p})

is called the order of E and is denoted

# E (F_{p})

. It is well known that

# E (F_{p})

can be written as

# E (F_{p}) = p + 1 - t

where t is bounded by the following result of Hasse

0 \leq | t | \leq 2 \sqrt{p}

. An addition law is defined over

E (F_{p})

using the chord-tangent method.

The following result is fundamental to find the exact value of

# E (F_{p})

for specific elliptic curves (see Theorem 5, page 307, Section 4, Chapter 18 of [18]).

Theorem 2.

Let

p = u_{p}^{2} + v_{p}^{2}

be a prime number with

p \equiv 1 (mod 4)

. Let

a \in F_{p}

with

a \neq 0

. Consider the elliptic curve

E_{p}

with equation

y^{2} = x^{3} + a x

over

F_{p}

. Then

# E (F_{p}) = p + 1 - \bar{{(\frac{- a}{π})}_{4}} π - {(\frac{- a}{π})}_{4} \bar{π},

where

π = u_{p} + i v_{p} \equiv 1 (mod (2 + 2 i))

i^{2} = - 1

, and

{(\frac{α}{π})}_{4} = α^{\frac{p - 1}{4}} (mod π)

is the biquadratic (or quartic) residue character of α modulo π.

The following result gives an explicit solution for

{(\frac{a}{π})}_{4} (mod π)

(See page 122, Proposition 9.8.2 of [18]).

Theorem 3.

Let

p = u_{p}^{2} + v_{p}^{2}

be a prime number with

p \equiv 1 (mod 4)

. Let

a \in F_{p}

with

a \neq 0

. Then

a^{\frac{p - 1}{4}} \equiv \pm 1, \pm i (mod π),

where

π = u_{p} + i v_{p}

i^{2} = - 1

The following result is valid when the residue quartic character is computed modulo p.

Lemma 3.

Let

p = u_{p}^{2} + v_{p}^{2}

be a prime number with

p \equiv 1 (mod 4)

. Let

a \in F_{p}

with

a \neq 0

. Then

a^{\frac{p - 1}{4}} \equiv \pm 1, \pm u_{p} v_{p}^{- 1} (mod p) .

Proof.

Let

p = u_{p}^{2} + v_{p}^{2}

be a prime number. First, we have

u_{p}^{2} + v_{p}^{2} \equiv 0 (mod p)

and

{(u_{p} v_{p}^{- 1})}^{2} \equiv - 1 (mod p)

. Next, let

a \in F_{p}

with

a \neq 0

. By Fermat’s Little Theorem, we have

a^{p - 1} \equiv 1 (mod p)

. Then

a^{\frac{p - 1}{2}} \equiv 1 (mod p)

a^{\frac{p - 1}{2}} \equiv - 1 (mod p)

. If

a^{\frac{p - 1}{2}} \equiv 1 (mod p)

, then

a^{\frac{p - 1}{4}} \equiv \pm 1 (mod p)

, and if

a^{\frac{p - 1}{2}} \equiv - 1 (mod p)

, then

a^{\frac{p - 1}{2}} \equiv {(u_{p} v_{p}^{- 1})}^{2} (mod p),

and

a^{\frac{p - 1}{4}} \equiv \pm u_{p} v_{p}^{- 1} (mod p)

. Summarizing, we have

a^{\frac{p - 1}{4}} \in {\pm 1, \pm u_{p} v_{p}^{- 1}}

modulo p. This terminates the proof. □

In the following result, we give a simple proof for the estimation of

# E (F_{p})

when

p \equiv 1 (mod 4)

. Alternative proofs can be found in [43] (Section 4.4 p. 115) and [18] (Section 4 in Chapter 18).

Lemma 4.

Let

p = u_{p}^{2} + v_{p}^{2}

be a prime number with

u_{p} = 4 u + 3

and

v_{p} = 4 v + 2

. For

a \in F_{p}

with

a \neq 0

, let

E_{a} (p)

be the elliptic curve with the equation

y^{2} = x^{3} + a x

over

F_{p}

. Then

# E (F_{p}) = \{\begin{matrix} p + 1 + 2 u_{p} & if a^{\frac{p - 1}{4}} \equiv 1 (mod p), \\ p + 1 - 2 u_{p} & if a^{\frac{p - 1}{4}} \equiv - 1 (mod p), \\ p + 1 - 2 v_{p} & if a^{\frac{p - 1}{4}} \equiv \frac{u_{p}}{v_{p}} (mod p), \\ p + 1 + 2 v_{p} & if a^{\frac{p - 1}{4}} \equiv - \frac{u_{p}}{v_{p}} (mod p), \end{matrix}

Proof.

Let

p = u_{p}^{2} + v_{p}^{2}

with

u_{p} = 4 u + 3

and

v_{p} = 4 v + 2

. We set

p = π \bar{π}

with

π = u_{p} + i v_{p}

. Then

\frac{p - 1}{4} = 4 u^{2} + 4 v^{2} + 6 u + 4 v + 3,

and

{(\frac{- 1}{π})}_{4} = {(- 1)}^{\frac{p - 1}{4}} = {(- 1)}^{3} = - 1 .

Also, we have

u_{p} + i v_{p} = 1 + (2 + 2 i) (1 + u - v + i (v - u)) \equiv 1 (mod 2 + 2 i) .

We apply Theorem 2 to the elliptic curve with equation

y^{2} = x^{3} + a x

over

F_{p}

. We get

\begin{matrix} # E (F_{p}) & = p + 1 - \bar{{(\frac{- a}{π})}_{4}} π - {(\frac{- a}{π})}_{4} \bar{π} \\ = p + 1 - \bar{{(\frac{- 1}{π})}_{4}} \bar{{(\frac{a}{π})}_{4}} π - \bar{{(\frac{- 1}{π})}_{4}} {(\frac{a}{π})}_{4} \bar{π} \\ = p + 1 + \bar{{(\frac{a}{π})}_{4}} π + {(\frac{a}{π})}_{4} \bar{π} . \end{matrix}

Theorem 3 asserts that

a^{\frac{p - 1}{4}} \equiv \pm 1, \pm u_{p} v_{p}^{- 1} (mod p)

. First, assume that

a^{\frac{p - 1}{4}} \equiv 1 (mod p)

. Then

a^{\frac{p - 1}{4}} \equiv 1 (mod π)

and

# E (F_{p}) = p + 1 + (u_{p} + i v_{p}) + (u_{p} - i v_{p}) = p + 1 + 2 u_{p} .

Next, assume that

a^{\frac{p - 1}{4}} \equiv - 1 (mod p)

. Then

a^{\frac{p - 1}{4}} \equiv - 1 (mod π)

and

# E (F_{p}) = p + 1 - (u_{p} + i v_{p}) - (u_{p} - i v_{p}) = p + 1 - 2 u_{p} .

Now, assume that

a^{\frac{p - 1}{4}} \equiv - \frac{u_{p}}{v_{p}} (mod p)

. Since

u_{p} + i v_{p} \equiv 0 (mod π)

, then

- u_{p} v_{p}^{- 1} - i \equiv 0 (mod π)

and

- u_{p} v_{p}^{- 1} \equiv i (mod π)

. Hence

a^{\frac{p - 1}{4}} \equiv i (mod π)

and

# E (F_{p}) = p + 1 - i (u_{p} + i v_{p}) + i (u_{p} - i v_{p}) = p + 1 + 2 v_{p} .

Finally, assume that

a^{\frac{p - 1}{4}} \equiv \frac{u_{p}}{v_{p}} (mod p)

. Then

u_{p} v_{p}^{- 1} \equiv - i (mod π)

and

a^{\frac{p - 1}{4}} \equiv - i (mod π)

which gives

# E (F_{p}) = p + 1 + i (u_{p} + i v_{p}) - i (u_{p} - i v_{p}) = p + 1 - 2 v_{p} .

This terminates the proof. □

4. Elliptic Curves over the Ring $Z / n Z$

In this section, we briefly describe the theory of elliptic curves over the ring

Z / n Z

where

n = p q

is an RSA modulus (see [43], Section 2.11 and [25] for more details).

Let

a, b \in Z / n Z

with

gcd (4 a^{3} + 27 b^{2}, n) = 1

. The elliptic curve

E_{n} (a, b)

is the set of points

P = (x, y)

satisfying the equation

y^{2} = x^{3} + a x + b (mod n),

together with the point at infinity, denoted

O_{n}

. By the Chinese remainder Theorem, the set

E_{n} (a, b)

is isomorphic to the direct sum

E_{p} (a, b) \oplus E_{q} (a, b)

where

E_{p} (a, b)

is the elliptic curve with equation

y^{2} = x^{3} + a x + b (mod p)

over

F_{p}

with the point at infinity

O_{p}

, and

E_{q} (a, b)

is the elliptic curve with equation

y^{2} = x^{3} + a x + b (mod q)

over

F_{q}

with the point at infinity

O_{q}

. Hence, the point at infinity of

E_{n} (a, b)

O_{n} = (O_{p}, O_{q})

. The points of the form

(O_{p}, P_{q})

with

P_{q} \neq O_{q}

and of the form

(P_{p}, O_{q})

with

P_{p} \neq O_{p}

are semi-zero points while ordinary points are of the form

P = (P_{p}, P_{q})

with

P_{p} \neq O_{p}

and

P_{q} \neq O_{q}

. A group law can be given for

E_{n} (a, b)

by the chord and tangent addition law. However, the addition law is not always well-defined when using analytical expressions since there are elements in

Z / n Z

that are not invertible modulo n. To overcome this, the projective coordinates

(x : y : z) \in P^{2} (Z_{n})

are used with the equation

y^{2} z = x^{3} + a x z^{2} + b z^{3} (mod n)

. Hence, for any point P of the elliptic curve

E_{n} (a, b)

, we have

lcm (# E_{p} (a, b), # E_{q} (a, b) \cdot P = O_{n} .

In this paper, the arithmetic of the new scheme is based on the elliptic curve

E_{n} (a, b)

with

a \in Z / n Z

and

b = 0

where

n = p q

with large prime numbers. Consequently, the sum of two points of

E_{n} (a, 0)

is defined with overwhelming probability.

The following result gives an explicit value for the order

# E_{n} (a, 0)

Theorem 4.

Let

n = p q

be an RSA modulus with

p = u_{p}^{2} + v_{p}^{2}

q = u_{q}^{2} + v_{q}^{2}

u_{p} \equiv u_{q} \equiv 3 (mod 4)

and

v_{p} \equiv v_{q} \equiv 2 (mod 4)

. For

a \in Z / n Z

with

gcd (a, n) = 1

, let

E_{n} (a)

be the elliptic curve with the equation

y^{2} = x^{3} + a x

over

Z / n Z

. Then for any point P on

E_{n} (a)

, we have

(p + 1 - 2 U_{p}) (q + 1 - 2 U_{q}) \cdot P = O_{n},

where

U_{p}

satisfies (1) and

U_{q}

satisfies (2).

5. The New Scheme

In this section, we present the new scheme and give a small numerical example.

5.1. The New Encryption Scheme

Key generation.

Choose a size $l \geq 4096$ for the modulus to guarantee at least 128 security level.
Choose two large integers $u_{1}$ and $v_{1}$ of size $l / 4$ .
Compute $u_{p} = 4 u_{1} + 3$ and $v_{p} = 4 v_{1} + 2$ .
Compute $p = u_{p}^{2} + v_{p}^{2}$ .
If p is not prime, return to Step 2.
Choose two large integers $u_{2}$ and $v_{2}$ of size $l / 4$ .
Compute $u_{q} = 4 u_{2} + 3$ and $v_{q} = 4 v_{2} + 2$ .
Compute $q = u_{q}^{2} + v_{q}^{2}$ .
If q is not prime, return to Step 6.
Compute $n = p q$ .
Choose an integer e such that

$gcd (e, ({(p + 1)}^{2} - 4 u_{p}^{2}) ({(q + 1)}^{2} - 4 u_{q}^{2})) = 1 .$

The pair $(n, e)$ represents the public key, and $(u_{p}, v_{p}, u_{q}, v_{q})$ represents the private key.

Encryption.

Generate a random integer $r \in Z / n Z$ .
Use the message $y_{M}$ as $M = (r, y_{M}) \in Z / n Z \times Z / n Z$ .
Compute $a \equiv (y_{M}^{2} - r^{3}) r^{- 1} (mod n)$ . The elliptic curve $E_{n} (a)$ is defined by the equation $y^{2} \equiv x^{3} + a x (mod n)$ .
Compute $(x_{C}, y_{C}) = e (r, y_{M})$ on $E_{a} (n)$ . The point $(x_{C}, y_{C})$ is the encrypted message.

Decryption.

Compute $a \equiv (y_{C}^{2} - x_{C}^{3}) x_{C}^{- 1} (mod n)$ . The elliptic curve $E_{a} (n)$ is defined by the equation $y^{2} \equiv x^{3} + a x (mod n)$ .
Compute $U_{p}$ by one of the formulae (1), and $U_{q}$ by one of the formulae (2).
Compute $ϕ (a, n) = (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q})$ .
Compute $d \equiv e^{- 1} (mod ϕ (a, n))$ .
Compute $M = (r, y_{M}) = d (x_{C}, y_{C})$ on $E_{n} (a)$ . The point $(r, y_{M})$ is the original message.

The role of the random integer r is to serve as the x-coordinate of M on the elliptic curve with the equation

y^{2} \equiv x^{3} + a x (mod n)

. If the same message

y_{M}

is encrypted twice, this yields two different couples

(r, y_{M})

and

(r^{'}, y_{m})

, two values

a \equiv (y_{M}^{2} - r^{3}) r^{- 1} (mod n)

and

a^{'} \equiv (y_{M}^{2} - r^{' 3}) r^{' - 1} (mod n)

, and then two elliptic curves with different equations.

5.2. Numerical Example

The following is a numerical example with small integers demonstrating the system parameters and a pair of plaintext-ciphertext.

\begin{matrix} u_{1} & = 3253473156, v_{1} = 3239617290, \\ u_{p} & = 4 u_{1} + 3 = 13013892627, v_{p} = 4 v_{1} + 2 = 12958469162, \\ p & = u_{p}^{2} + v_{p}^{2} = 337283324329589943373, \\ u_{2} & = 4133795239, v_{2} = 4069844016, \\ u_{q} & = 4 u_{2} + 3 = 16535180959, v_{q} = 4 v_{2} + 2 = 16279376066, \\ q & = u_{q}^{2} + v_{q}^{2} = 538430294445129796037, \\ n & = p q = 181603559630213323475279432919469869812801, \\ e & = 233, \\ r & = 276576193905959805653341, \\ y_{M} & = 24123988022450690140866 . \end{matrix}

Then, one can compute the following parameters

\begin{matrix} a & \equiv \frac{y_{M}^{2} - r^{3}}{r} (mod n) \\ = 124892799480186717332460335305220886752546, \\ C & = e (r, y_{M}) = (x_{C}, y_{C}), \\ x_{C} & = 9895932661554916108079613524266560686478, \\ y_{C} & = 174838551993023162117462165695082973280827, \\ a^{\frac{p - 1}{4}} & \equiv 1 (mod p), hence U_{p} = - u_{p}, \\ a^{\frac{q - 1}{4}} & \equiv - 1 (mod q), hence U_{q} = u_{q}, \\ ϕ (a, n) & = (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q}) \\ = 181603559633073389948874511533493403987360, \\ d & \equiv e^{- 1} (mod ϕ (a, n)) = 35073648856172972307722545145953661714297, \\ m & = d (x_{C}, y_{C}) = (r, y_{M}), \end{matrix}

which shows that the decryption is correct.

5.3. The New Signature Scheme

The encryption scheme can be transformed easily into a signature scheme using a hash function Hash as follows.

Key generation. The key generation scheme is similar to that of the encryption scheme 5.1.
Encryption.
- Generate a random integer $r \in Z / n Z$ .
- Represent the message as $M = (r, y_{M}) \in Z / n Z \times Z / n Z$ .
- Compute $a \equiv (y_{M}^{2} - r^{3}) r^{- 1} (mod n)$ . The elliptic curve $E_{n} (a)$ is defined by the equation $y^{2} \equiv x^{3} + a x (mod n)$ .
- Compute $(x_{C}, y_{C}) = e (r, y_{M})$ on $E_{a} (n)$ . The point $(x_{C}, y_{C})$ is the encrypted message.
- Compute the signature $s = Hash (r ∥ y_{M})$ .
Decryption.
- Compute $a \equiv (y_{C}^{2} - x_{C}^{3}) x_{C}^{- 1} (mod n)$ . The elliptic curve $E_{a} (n)$ is defined by the equation $y^{2} \equiv x^{3} + a x (mod n)$ .
- Compute $U_{p}$ by one of the formulae (1), and $U_{q}$ by one of the formulae (2).
- Compute $ϕ (a, n) = (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q})$ .
- Compute $d \equiv e^{- 1} (mod ϕ (a, n))$ .
- Compute $M = (r, y_{M}) = d (x_{C}, y_{C})$ on $E_{n} (a)$ .
- Compute $s^{'} = Hash (r ∥ y_{M})$
- Accept the message if $s^{'} = s$ .

As in the encryption scheme, the random number r serves as the x-coordinate of the point

M = (r, y_{M})

on the elliptic curve with the equation

y^{2} \equiv x^{3} + a x (mod n)

5.4. The New Signature Scheme

The encryption scheme can be transformed easily into a signature scheme using a hash function Hash as follows.

Key generation. The key generation scheme is similar to that of the encryption scheme 5.1.
Encryption.
- Generate a random integer $r \in Z / n Z$ .
- Represent the message as $M = (r, y_{M}) \in Z / n Z \times Z / n Z$ .
- Compute $a \equiv (y_{M}^{2} - r^{3}) r^{- 1} (mod n)$ . The elliptic curve $E_{n} (a)$ is defined by the equation $y^{2} \equiv x^{3} + a x (mod n)$ .
- Compute $(x_{C}, y_{C}) = e (r, y_{M})$ on $E_{a} (n)$ . The point $(x_{C}, y_{C})$ is the encrypted message.
- Compute the signature $s = Hash (r ∥ y_{M})$ .
Decryption.
- Compute $a \equiv (y_{C}^{2} - x_{C}^{3}) x_{C}^{- 1} (mod n)$ . The elliptic curve $E_{a} (n)$ is defined by the equation $y^{2} \equiv x^{3} + a x (mod n)$ .
- Compute $U_{p}$ by one of the formulae (1), and $U_{q}$ by one of the formulae (2).
- Compute $ϕ (a, n) = (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q})$ .
- Compute $d \equiv e^{- 1} (mod ϕ (a, n))$ .
- Compute $M = (r, y_{M}) = d (x_{C}, y_{C})$ on $E_{n} (a)$ .
- Compute $s^{'} = Hash (r ∥ y_{M})$
- Accept the message if $s^{'} = s$ .

As in the encryption scheme, the random number r serves as the x-coordinate of the point

M = (r, y_{M})

on the elliptic curve with the equation

y^{2} \equiv x^{3} + a x (mod n)

. Note that r is random, which implies that the signature scheme is probabilistic.

6. Security Analysis

6.1. Resistance against Factorization Methods

When p and q are sufficiently large, factoring the RSA modulus

n = p q

is believed to be hard for all current known factorization algorithms (see [3,5] ). Indeed, Pollard’s rho method is not affective since its run time is

O (\sqrt{p} {(log (n))}^{2})

and depends on the size of the prime number p found. This is similar for Lenstra’s Elliptic Curve Method (ECM) for which the run time is

O (exp (\sqrt{2} \sqrt{ln p ln ln p}))

. The Number Field Sieve [26] is also ineffective for large primes p and q. Its run time is

O (exp (c \sqrt[3]{ln n} \sqrt[3]{{(ln ln n)}^{2}}))

where c is a constant.

6.2. Resistance against Decomposition as Sum of Two Squares

It is well known that if

n = p q

with

p \equiv q \equiv 1 (mod 4)

, then n can be expressed as the sum of two squares as

n = x^{2} + y^{2}

. In the new scheme, the modulus is in the form

n = p q = (u_{p}^{2} + v_{p}^{2}) (u_{q}^{2} + v_{q}^{2})

. Then, the Brahmagupta-Fibonacci identity expresses n as a sum of two squares in two different ways, namely

n = {(u_{p} u_{q} - v_{p} v_{q})}^{2} + {(u_{p} v_{q} + v_{p} u_{q})}^{2} = {(u_{p} u_{q} + v_{p} v_{q})}^{2} + {(u_{p} v_{q} - v_{p} u_{q})}^{2} .

Euler observed that if

n = x_{1}^{2} + y_{1}^{2} = x_{2}^{2} + y_{2}^{2}

with

x_{1} \equiv x_{2} \equiv 0 (mod 2)

and

x_{1} \neq \pm x_{2} (mod n)

, then

n = (\frac{r^{2}}{4} + \frac{u^{2}}{4}) (s^{2} + t^{2}),

where

r = gcd (x_{1} - x_{2}, y_{2} - y_{1}), u = gcd (x_{1} + x_{2}, y_{2} + y_{1}), s = \frac{x_{1} - x_{2}}{r}, t = \frac{y_{2} - y_{1}}{r} .

On the other hand, we have

{(x_{1} y_{1}^{- 1})}^{2} \equiv {(x_{2} y_{2}^{- 1})}^{2} \equiv - 1 (mod n)

. It follows that decomposing n as the sum of two squares in two different ways will give a solution to the equation

t_{1}^{2} \equiv t_{2}^{2} (mod n)

with

t_{1} \neq \pm t_{2} (mod n)

, and two solutions of the congruence

t^{2} = - 1 (mod n)

. This is known to be equivalent to factoring n as in the quadratic sieve factoring algorithm [35] and in Rabin’s cryptosystem [36].

It is also known that by applying the continued fraction algorithm to

\sqrt{n}

, it is possible to find one representation of n (see [12]) as

n = x^{2} + y^{2}

. This leads to one of the systems

\begin{matrix} u_{p} u_{q} - v_{p} v_{q} & = x, & u_{p} v_{q} + v_{p} u_{q} & = y, & u_{p} u_{q} + v_{p} v_{q} & = x, & u_{p} v_{q} - v_{p} u_{q} & = y . \end{matrix}

This is not sufficient the solve anyone of the two systems. Consequently, the representation of n as a sum of two squares by the continued fraction method is not sufficient to factor it.

6.3. Resistance against Decomposition as Sum of Four Squares

Lagrange’s four-square theorem states that every positive integer n is the sum of four squares (Theorem 369 in [15]), that is

n = x_{1}^{2} + x_{2}^{2} + x_{3}^{2} + x_{4}^{2} .

The number of decomposing n as a such a sum is denoted

r_{4} (n)

, and for odd n, Jacobi’s four-square theorem formula gives (Proposition 17.7.2 of [15])

r_{4} (n) = 8 \sum_{m | n} m .

For the modulus

n = p q = (u_{p}^{2} + v_{p}^{2}) (u_{q}^{2} + v_{q}^{2})

, a specific decomposition as sum of four squares is

n = {(u_{p} u_{q})}^{2} + {(u_{p} v_{q})}^{2} + {(v_{p} u_{q})}^{2} + {(v_{p} v_{q})}^{2} .

Conversely, let

n = x_{1}^{2} + x_{2}^{2} + x_{3}^{2} + x_{4}^{2}

be a decomposition of n leading to the factorization

n = p q = (u_{p}^{2} + v_{p}^{2}) (u_{q}^{2} + v_{q}^{2})

. Then

u_{p} u_{q} = | x_{1} |, u_{p} v_{q} = | x_{2} |, v_{p} u_{q} = | x_{3} |, v_{p} v_{q} = | x_{4} |,

from which we get

gcd (| x_{1} |, | x_{2} |) = gcd (u_{p} u_{q}, u_{p} v_{q}) = u_{p} gcd (u_{q}, v_{q}) = u_{p} .

Similarly, we have

v_{p} = gcd (| x_{3} |, | x_{4} |), u_{q} = gcd (| x_{1} |, | x_{3} |), v_{q} = gcd (| x_{2} |, | x_{4} |) .

As the decomposition of

p = u_{p}^{2} + v_{p}^{2}

with positive integers

u_{p}

and

v_{p}

satisfying

u_{p} \equiv 3 (mod 4)

is unique, then p can be decomposed as

p = r^{2} + s^{2}

with integers r and s in eight ways, namely

p = {(\pm u_{p})}^{2} + {(\pm v_{p})}^{2} = {(\pm v_{p})}^{2} + {(\pm u_{p})}^{2} .

This is also true for q. Consequently, among the representations of n as a sum of four squares

n = x_{1}^{2} + x_{2}^{2} + x_{3}^{2} + x_{4}^{2}

, only 64 decompositions can lead to the factorisation of n by using

u_{p} u_{q} = | x_{1} |, u_{p} v_{q} = | x_{2} |, v_{p} u_{q} = | x_{3} |, v_{p} v_{q} = | x_{4} | .

This is negligible compared to

r_{4} (n) = 8 (1 + p + q + n)

, the number of decompositions of a large modulus

n = p q

as the sum of four squares.

6.4. Resistance against Solving the Order

In RSA, it is well known that solving Euler’s totient function

ϕ (n) = (p - 1) (q - 1)

is equivalent to factoring

n = p q

. This is also true for solving the order

N_{n} = (p + 1) (q + 1)

in the KMOV system. For an elliptic curve E over a finite ring

Z / n Z

with an RSA modulus n, Martin et al. [27] proved that computing the order

# E

is as difficult as factoring n. Moreover, for our scheme, we have the following facts.

Let

a \in Z / n Z

be fixed. In our scheme, the order of the elliptic curves

E_{n} (a)

is of the form

# E_{n} (a) = (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q}),

with

U_{p} \in {\pm u_{p}, \pm v_{p}}

and

U_{q} \in {\pm u_{q}, \pm v_{q}}

. Assume that the factorization of n is known. Then one can compute

# E_{p} (a) = p + 1 - 2 U_{p}

and

# E_{q} (a) = q + 1 - 2 U_{q}

by a specific algorithm to determine the order of an elliptic curve over a finite field such as the Schoof-Elkies-Atkin algorithm [1]. This implies that

# E_{n} (a) = (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q})

can be computed. Conversely, assume that

# E_{n} (a) = (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q})

is known where

U_{p} \in {\pm u_{p}, \pm v_{p}}

and

U_{q} \in {\pm u_{q}, \pm v_{q}}

. Let

V_{p} \in {v_{p}, u_{p}}

and

V_{q} \in {v_{q}, u_{q}}

such that

V_{p}^{2} = p - U_{p}^{2}, V_{q}^{2} = q - U_{q}^{2} .

Assume that

u_{p}

and

v_{p}

are of the same size so that

u_{p} < 2 v_{p}

and

v_{p} < 2 u_{p}

. Then, if

U_{p} = \pm u_{p}

, we get

V_{p} = v_{p}

, and

p = U_{p}^{2} + V_{p}^{2} = u_{p}^{2} + v_{p}^{2} < 5 v_{p}^{2} = 5 V_{p}^{2} .

Also, if if

U_{p} = \pm v_{p}

, we get

V_{p} = u_{p}

, and

p = U_{p}^{2} + V_{p}^{2} = v_{p}^{2} + u_{p}^{2} < 5 v_{p}^{2} = 5 U_{p}^{2} .

Hence, using Lemma 1, we get

min (U_{p}^{2}, V_{p}^{2}) > \frac{p}{5} > \frac{\sqrt{n}}{5} .

Similarly, assuming that

u_{q}

and

v_{q}

are of the same size with

u_{q} < 2 v_{q}

and

v_{q} < 2 u_{p}

, we get

min (U_{q}^{2}, V_{q}^{2}) > \frac{q}{5} > \frac{\sqrt{2} \sqrt{n}}{10} .

As a consequence, we have

\begin{matrix} p + 1 - 2 U_{p} = {(U_{p} - 1)}^{2} + V_{p}^{2} > V_{p}^{2} > \frac{\sqrt{n}}{5}, \end{matrix}

and

\begin{matrix} q + 1 - 2 U_{q} = {(U_{q} - 1)}^{2} + V_{q}^{2} > V_{q}^{2} > \frac{\sqrt{2} \sqrt{n}}{10} . \end{matrix}

Combining the former inequalities, we get

\begin{matrix} (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q}) > \frac{\sqrt{n}}{5} \cdot \frac{\sqrt{2} \sqrt{n}}{10} = \frac{\sqrt{2}}{50} n . \end{matrix}

(3)

This implies that the order

# E_{n} (a) = (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q})

is sufficiently large and there is no efficient method to factor it. Hence, finding p and q is not feasible in general.

It is important to notice that the work of Kunihiro and Koyama [22] on the equivalence between factoring n and counting the number of points on elliptic curves over

Z / n Z

does not apply when the order

# E_{n} (a) = (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q})

is known for a fixed a. The reason is that in [22] an oracle is needed that count the number of points on every elliptic curve over

Z / n Z

, while, in our situation, just

# E_{n} (a) = (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q})

is known.

6.5. Resistance against Small Private Exponent Attacks

The main small private exponent attacks on RSA are based on the key equation

e d^{'} - k^{'} (p - 1) (q - 1) = 1

. Wiener’s attack is based on the continued fraction algorithm which exploits the approximation

(p - 1) (q - 1) = n + 1 - p - q \approx n

. It leads to the factorization of n under the condition

d^{'} < \frac{1}{3} n^{\frac{1}{4}}

. The attack of Boneh and Durfee is based on Coppersmith’s method and exploits the existence of a small solution

(x, k^{'})

to the modular equation

k^{'} (n + 1 - x) \equiv 1 (mod e)

. It works for

d^{'} < n^{0.292}

In the following, we show that the private exponent d in our scheme can be small enough without undermining its security. Typically, it should be larger than

n^{0.133}

while it should be larger than

n^{0.292}

for RSA.

Lemma 5.

Let

n = p q

be an RSA modulus with

p = u_{p}^{2} + v_{p}^{2}

q = u_{q}^{2} + v_{q}^{2}

u_{p} \equiv u_{q} \equiv 3 (mod 4)

u_{p} \approx v_{p}

, and

u_{q} \approx v_{q}

. If d satisfies the key equation

e d - k (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q}) = 1

where

U_{p} \in {\pm u_{p}, \pm v_{p}}

and

U_{q} \in {\pm u_{q}, \pm v_{q}}

, then

{| e d - k n | < 7 k (2 n)}^{\frac{3}{4}} .

Proof.

Rewrite the key equation in the form

e d - k (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q}) = 1,

with

U_{p} \in {\pm u_{p}, \pm v_{p}}

U_{q} \in {\pm u_{q}, \pm v_{q}}

. We have

(p + 1 - 2 U_{p}) (q + 1 - 2 U_{q}) = n + p (1 - 2 U_{q}) + q (1 - 2 U_{p}) + (1 - 2 U_{p}) (1 - 2 U_{q}) .

Then

\begin{matrix} \begin{matrix} | e d - k n | & = | k (p + 1 - 2 U_{p}) (p + 1 - 2 U_{q}) + 1 - k n | \\ = | k ((p + 1 - 2 U_{p}) (p + 1 - 2 U_{q}) - n) + 1 | \\ = | k (p (1 - 2 U_{q}) + q (1 - 2 U_{p}) + (1 - 2 U_{p}) (1 - 2 U_{q})) + 1 | \\ \leq k p | 1 - 2 U_{q} | + k q | 1 - 2 U_{p} | + k | 1 - 2 U_{p} | | 1 - 2 U_{q} | + 1 . \end{matrix} \end{matrix}

Suppose that

u_{p}

and

v_{p}

are of the same bit-size so that

u_{p} < 2 v_{p}

and

v_{p} < 2 u_{p}

. Then

max {(u_{p}, v_{p})}^{2} < 2 u_{p} v_{p} < u_{p}^{2} + v_{p}^{2} = p .

Hence

max (u_{p}, v_{p}) < \sqrt{p},

from which we deduce

| 1 - 2 U_{p} | \leq 2 | U_{p} | + 1 < 2 \sqrt{p} + 1 < 3 \sqrt{p} .

(4)

Similarly, we get

| 1 - 2 U_{q} | < 3 \sqrt{q} .

(5)

This leads to

\begin{matrix} | e d - k n | & \leq & k p | 1 - 2 U_{q} | + k q | 1 - 2 U_{p} | + k | 1 - 2 U_{p} | | 1 - 2 U_{q} | + 1 \\ < & 3 k p \sqrt{q} + 3 k q \sqrt{p} + 9 k \sqrt{p} \sqrt{q} + 1 \\ < & 3 k p \sqrt{p} + 3 k p \sqrt{p} + 9 k \sqrt{p} \sqrt{q} + 1 \\ < & 6 k p \sqrt{p} + 10 k \sqrt{p} \sqrt{q} \\ < & 7 k p \sqrt{p}, \end{matrix}

where we used

10 k \sqrt{p} \sqrt{q} + 1 < k p \sqrt{p}

which is valid since

10 \sqrt{q} < p

. Using Lemma 1, we get

| e d - k n | < 7 k p \sqrt{p} < 7 k {(2 n)}^{\frac{3}{4}} .

This terminates the proof. □

The following result shows that, in regard to Wiener’s attack, the private exponent d can be very small in our scheme comparing to the private exponent in RSA.

Theorem 5.

Let

n = p q

be an RSA modulus with

p = u_{p}^{2} + v_{p}^{2}

q = u_{q}^{2} + v_{q}^{2}

and

u_{p} \equiv u_{q} \equiv 3 (mod 4)

. Let e be a public exponent such that

e < (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q})

with

U_{p} \in {\pm u_{p}, \pm v_{p}}

, and

U_{q} \in {\pm u_{q}, \pm v_{q}}

. If d satisfies the equation

e d - k (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q}) = 1

with

d < \frac{\sqrt{2}}{4} n^{\frac{1}{8}}

, then one can find d and k in polynomial time.

Proof.

The key equation is in the form

e d - k (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q}) = 1,

with

U_{p} \in {\pm u_{p}, \pm v_{p}}

, and

U_{q} \in {\pm u_{q}, \pm v_{q}}

. Then, Lemma 5 gives

{| e d - k n | < 7 k (2 n)}^{\frac{3}{4}} .

Dividing by

n d

, we get

\begin{matrix} |\frac{e}{n} - \frac{k}{d}| < \frac{7 k {(2 n)}^{\frac{3}{4}}}{n d} . \end{matrix}

(6)

Using the key equation

e d - k (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q}) = 1

, we get

k (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q}) = e d - 1 < e d .

Then

\frac{k}{d} < \frac{e}{(p + 1 - 2 U_{p}) (q + 1 - 2 U_{q})} .

Assuming

e < (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q})

, this implies that

k < d

. Then (6) implies

|\frac{e}{n} - \frac{k}{d}| < \frac{7 {(2 n)}^{\frac{3}{4}}}{n} .

The solutions in d of the inequality

\frac{7 {(2 n)}^{\frac{3}{4}}}{n} < \frac{1}{2 d^{2}}

satisfy

d < \frac{1}{\sqrt{14 \cdot 2^{\frac{3}{4}}}} n^{\frac{1}{8}} .

For such solutions, we have

|\frac{e}{n} - \frac{k}{d}| < \frac{1}{2 d^{2}} .

This implies that

\frac{k}{d}

can be found amongst the convergents of the continued expansion of

\frac{e}{n}

. Since the continued fraction algorithm computes the convergents of

\frac{e}{n}

with complexity

O (log (n))

, then one finds k and d in polynomial time. □

The following result makes use of lattice reduction techniques.

Theorem 6.

Let

n = p q

be an RSA modulus with

p = u_{p}^{2} + v_{p}^{2}

q = u_{q}^{2} + v_{q}^{2}

and

u_{p} \equiv u_{q} \equiv 3 (mod 4)

. Let e be a public exponent such that

e < (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q})

with

U_{p} \in {\pm u_{p}, \pm v_{p}}

, and

U_{q} \in {\pm u_{q}, \pm v_{q}}

. If d satisfies the equation

e d - k (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q}) = 1

with

d < n^{0.133}

, then one can find d and k in polynomial time.

Proof.

Since d satisfies an equation of the form

e d - k (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q}) = 1,

with

U_{p} \in {\pm u_{p}, \pm v_{p}}

U_{q} \in {\pm u_{q}, \pm v_{q}}

, we rewrite

\begin{matrix} (p + 1 - 2 U_{p}) (q + 1 - 2 U_{q}) & = & n + p (1 - 2 U_{q}) + q (1 - 2 U_{p}) + (1 - 2 U_{p}) (1 - 2 U_{q}) \\ = & n - s, \end{matrix}

where

s = - p (1 - 2 U_{q}) - q (1 - 2 U_{p}) - (1 - 2 U_{p}) (1 - 2 U_{q})

. Then the key equation can be transformed into the modular equation

\begin{matrix} (- k) (n - s) \equiv 1 (mod e) . \end{matrix}

(7)

We set the bound

k < X = e^{δ}

for some

δ > 0

. On the other hand, we have

\begin{matrix} | s | & = & | p (1 - 2 U_{q}) + q (1 - 2 U_{p}) + (1 - 2 U_{p}) (1 - 2 U_{q}) | \\ \leq & p | 1 - 2 U_{q} | + q | 1 - 2 U_{p} | + | 1 - 2 U_{p} | | 1 - 2 U_{q} | . \end{matrix}

Using (4) and (5), and combining with Lemma 1, we get

| s | < 3 p \sqrt{q} + 3 q \sqrt{p} + 9 \sqrt{p q} < 7 p \sqrt{p} < 7 {(2 n)}^{\frac{3}{4}} .

Then, we set the bound

| s | < Y = 7 {(2 n)}^{\frac{3}{4}} = n^{β}

with

β \approx \frac{3}{4}

. Now, we can apply Lemma 2 to the equation (7). It allows to find k and s in polynomial time under the condition

δ < 1 - \sqrt{β} = 1 - \sqrt{\frac{3}{4}} \approx 0.133

. Using k and s, one can find d since

d = \frac{k (n - s) + 1}{e}

. □

The bound on d in Theorem 6 is slightly better than the bound in Theorem 5. In both cases, one can find d and k which gives

(p + 1 - 2 U_{p}) (q + 1 - 2 U_{q}) = \frac{e d - 1}{k},

with

U_{p} \in {\pm u_{p}, \pm v_{p}}

U_{q} \in {\pm u_{q}, \pm v_{q}}

. By 3, we know that

(p + 1 - 2 U_{p}) (q + 1 - 2 U_{q}) > \frac{\sqrt{2}}{50} n

. This is large enough, and in general is hard to factor when n is large. Consequently, the method described in [32] to extract p and q can not be applied. As a consequence, finding p and q by the continued fraction method, or by lattice reduction techniques when the multiplier d is small is infeasible.

6.6. Resistance against Discrete Logarithm Problem

The elliptic curve discrete logarithm problem (ECDLP) over a finite field

F_{p}

is the following computational problem: Given an elliptic curve E over

F_{p}

and two points

P, Q \in E (F_{p})

, find an integer x, if any, such that

Q = a P

in E. ECDLP is still resistant to several non quantum algorithms and is behind the security of the elliptic curve cryptography (see [14] for more details).

For an elliptic curve defined over a finite ring such as

Z / n Z

where

n = p q

is an RSA modulus, the elliptic curve discrete logarithm problem can be solved if one knows p and q and if one can solve ECDLP in both

E (F_{p})

and

E (F_{p})

. Hence, solving ECDLP on

E (Z / n Z)

is more difficult. This problem is used to build several elliptic curve based cryptosystems [11,19,20,24,33].

One more and crucial fact in our scheme is that a new elliptic curve is generated each time that a message is encrypted. This will make any generic or global discrete logarithm attack on our scheme infeasible.

6.7. Resistance against Isomorphism and Homomorphism Attacks

Let

E_{n} (a)

and

E_{n} (a^{'})

be two elliptic curves with equations

y^{2} \equiv x^{3} + a x (mod n)

and

y^{2} \equiv x^{3} + a^{'} x (mod n)

, arising from our scheme. Then

E_{n} (a)

and

E_{n} (a^{'})

are isomorphic if and only if

a^{'} = u^{4} a

for some

u \in Z / n Z

. As in KMOV [20], it is possible to launch an isomorphism attack on our scheme. Moreover, the encryption and decryption are homomorphic, that is

enc (m_{1} + m_{2}) = enc (m_{1}) + enc (m_{2}), and dec (c_{1} + c_{2}) = dec (c_{1}) + dec (c_{2}),

when using the same elliptic curve. Also, it is possible to launch a homomorphism attack on our scheme, similar to that on KMOV. To overcome the isomorphism as well as the homomorphism attack, a hash function should be applied as shown in the signature scheme 5.4. This is sufficient to make the new scheme immune against the two kind of attacks.

6.8. Other Attacks

There are more attacks in the literature that are related to some elliptic variants of RSA.

In [2], Bleichenbacher proposed four attacks on KMOV when one of the following situations is satisfied.

The ciphertext and half of the plaintext are known.
Three encryptions of the same message are encrypted with distinct public keys.
Six encryptions of linearly related messages are encrypted with distinct public keys.
Two encryptions of linearly related messages are encrypted with the same public key.

Similarly, in [23], Kurosawa et al. showed that both the KMOV scheme and Demytko’s scheme are not secure when the same message is encrypted with a suitably large number of distinct keys.

We note that the former attacks are not applicable to our scheme since the encryption process is probabilistic. This implies that, to the contrary of the KMOV scheme and Demytko’s scheme, if we encrypt the same message twice even with the same key in the new scheme, then the cyphertexts are different with a high probability because they depend on a randomly generated number in the encryption phase.

7. Conclusions

We proposed a new variant of RSA with a modulus of the form

n = p q

where p and q are large prime numbers satisfying

p = u_{p}^{2} + v_{p}^{2}

q = u_{q}^{2} + v_{q}^{2}

u_{p} \equiv 3 (mod 4)

and

u_{q} \equiv 3 (mod 4)

. The arithmetic of the new scheme uses elliptic curves with equations

y^{2} = x^{3} + a x

over the finite ring

Z / n Z

. The encryption is probabilistic such that each encryption generates a new curve which result in new ciphertext in each call. We analyzed the security of the scheme and show that it is at least as hard as factoring.

Conflicts of Interest

The authors declare no conflict of interest.

References

Blake, I.; Seroussi, G.; Smart, N. Elliptic curves in cryptography, volume 265 of London Math. Soc. Lecture Note Ser. Cambridge University Press, (1999).
Bleichenbacher, D. On the security of the KMOV public key cryptosystem, LNCS 1294, Proc. Crypto 97, Springer-Verlag, (1997), pp. 235–-248.
Brent, R.P. Recent Progress and Prospects for Integer Factorisation Algorithms, In: Du DZ., Eades P., Estivill-Castro V., Lin X., Sharma A. (eds) Computing and Combinatorics. COCOON 2000. Lecture Notes in Computer Science, vol 1858. Springer, Berlin, Heidelberg.
Boneh, D. Twenty years of attacks on the RSA cryptosystem, Notices Amer. Math. Soc. 46 (2), (1999), pp. 203–213.
Boneh, D.; Durfee, G.; Howgrave-Graham, N. Factoring N = p^rq for Large r. In M. Wiener, Ed., Crypto’99, Lecture Notes in Computer Science 1666, Springer- Verlag, (1999), pp. 326–337.
Boneh, D., Durfee, G. Cryptanalysis of RSA with private key d less than N^0.292, Advances in Cryptology-Eurocrypt’99, Lecture Notes in Computer Science Vol. 1592, Springer-Verlag, (1999), pp. 1–11.
Certicom Research. Standards for efficient cryptography 2: Recommended elliptic curve domain parameters. Standard SEC2, Certicom, 2000.
T. Collins, D. Hopkins, S. Langford, and M. Sabin. Public Key Cryptographic Apparatus and Method. US Patent #5,848,159. Jan. 1997.
Coppersmith, D. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. Journal of Cryptology, 10(4), (1997), pp. 233–260.
Couvreur, C., Quisquater, J.J. Fast Decipherment Algorithm for RSA Public-Key Cryptosystem. Electronics Letters 18, (1982), pp. 905–907.
Demytko N. A new elliptic curve based analogue of RSA, in T. Helleseth (ed.), EUROCRYPT 1993, Lecture Notes in Computer Science 765, Springer-Verlag, (1994), pp. 40–49.
Elia, M. Continued Fractions and Factoring, arXiv:1905.10704 (2019) https://arxiv.org/abs/1905.10704.
A. Fiat, A. Batch RSA, In G. Brassard (ed.), Proceedings of Crypto 1989, vol. 435 of LNCS. Springer-Verlag (1989), pp. 175–185.
Galbraith, S.D., Gaudry, P. Recent progress on the elliptic curve discrete logarithm problem. Des. Codes Cryptogr. 78, (2016), pp. 51–72.
Hardy, G.H., Wright, E.M. An Introduction to Theory of Numbers, 5th Edition, The Clarendon Press Oxford University Press, New York (1979).
Hinek, M. Cryptanalysis of RSA and its Variants, Chapman & Hall/CRC, Cryptography and Network Security Series, Boca Raton (2009).
Husemöller, D. Elliptic Curves, 2nd edn., Springer, 2004.
Ireland, K.; M. Rosen. M. A Classical Introduction to Modern Number Theory, volume 84 of Graduate Texts in Mathematics. Springer-Verlag, 2nd edition (1990).
Koyama K. Fast RSA type scheme based on singular cubic curve y² + axy = x³ (mod n). Proc. Eurocrypt’95, Lecture Notes in Computer Science, vo.921, Springer, Berlin, 1995, (1995), pp. 329–339.
Koyama, K.; Maurer, U.M.; Okamoto, T.; . Vanstone, S.A. New Public-Key Schemes Based on Elliptic Curves over the Ring Z_n, CRYPTO 1991, Lecture Notes in Computer Science 576, pp. 252–266.
Koblitz, N. Elliptic curve cryptosystems. Mathematics of Computation, 48: (1987), pp. 203–209.
N. Kunihiro N.; Koyama, K. Equivalence between counting the number of points on elliptic curves over the ring Z_n and factoring n, LNCS 1403, Proceedings of Eurocrypt 1998, (1998), pp. 47–58.
Kurosawa, K.; Okada, K.; Tsujii, S. Low exponent attack against elliptic curve RSA, Information Processing Letters, Volume 53, Issue 2, 1995, pp. 77–83.
Kuwakado, H.; Koyama, K.; and Tsuruoka, Y. A new RSA-type scheme based on singular cubic curves y² = x³ + bx² (modn), IEICE Transactions on Fundamentals, vol. E78-A (1995) pp. 27–33.
Lenstra, H. Factoring integers with elliptic curves, Annals of Mathematics, Vol. 126, (1987), pp. 649–673.
Lenstra, A.K.; Lenstra, H.W. Jr. The Development of the Number Field Sieve, Lecture Notes in Mathematics 1554, Springer-Verlag (1993).
Martín, S.; Morillo, P.; Villar, J.L. Computing the order of points on an elliptic curve modulo N is as difficult as factoring N, Applied Mathematics Letters Volume 14, Issue 3, April 2001, (2001), pp. 341–346.
Miller, V.S. Use of elliptic curves in cryptography. In H. C. Williams, editor, Advances in Cryptology - CRYPTO’85, Vol. 218 of Lecture Notes in Computer Science, Springer-Verlag, (1986), pp. 417–426.
Nakamoto. S. Bitcoin: A peer-to-peer electronic cash system (2009) https://bitcoin.org/bitcoin.pdf.
NIST: National Institute of Standards and Technology, Digital Signature Standard, FIPS PUB 186-2 (2000).
Nitaj, A. Another generalization of Wiener’s attack on RSA, In: Vaudenay, S. (eds.) Africacrypt 2008. LNCS, vol. 5023. . Springer, Heidelberg (2008), pp. 174-–190.
Nitaj, A.; Fouotsa, E. A new attack on RSA and Demytko’s elliptic curve cryptosystem, Journal of Discrete Mathematical Sciences and Cryptography 22 (3), (2019), pp. 391–409.
Paillier, P. Trapdooring Discrete Logarithms on Elliptic Curves over Rings. In: Okamoto T. (eds) Advances in Cryptology — ASIACRYPT 2000. ASIACRYPT 2000. Lecture Notes in Computer Science, vol 1976, Springer, Berlin, Heidelberg, (2000), pp. 573–584.
Pointcheval, D. New public key cryptosystem based on the dependent RSA problem, Eurocrypt’99 Springer-Verlag, 1999, 1592: pp. 239–254.
Pomerance, C. The quadratic sieve factoring algorithm, Advances in Cryptology, Proc. Eurocrypt’84, LNCS 209, Springer-Verlag, Berlin, (1985), pp. 169-–182.
Rabin, M.O. Digital signatures and public key functions as intractable as factoring. MIT Technical Report, MIT/LCS/TR-212 (1979).
Rivest, R., Shamir, A., Adleman, L. A Method for Obtaining digital signatures and public-key cryptosystems, Communications of the ACM, Vol. 21 (2), (1978), pp. 120–126.
Schmitt, S.; Zimmer; H.G.; ProQuest (Firm): Elliptic curves : a computational approach, Walter de Gruyter, Berlin, New York (2003).
Silverman, J.H. The Arithmetic of Elliptic Curves, Graduate Texts in Mathematics, Springer-Verlag, 106 (1986).
Sun, H.M.; Wu, M.E; Ting, W.C.; Hinek, M.J. Dual RSA and its security analysis, IEEE Transactions on Information Theory, 2007; 53(8), pp. 2922–2933.
Takagi, T. Fast RSA-type Cryptosystem Modulo p^kq. In H. Krawczyk, ed., Proceedings of Crypto 1998, vol. 1462 of LNCS, pp. 318–326. Springer-Verlag, (1998).
Takayasu, A.; Kunihiro N. General bounds for small inverse problems and its applications to multi-prime RSA, Proc. ICISC 2014, LNCS 8949, Springer (2014), pp. 3–17.
Washington, L.C. Elliptic Curves: Number Theory and Cryptography. Chapman & Hall/CRC, Florida, 2003.
de Weger, B. Cryptanalysis of RSA with small prime difference, Applicable Algebra in Engineering, Communication and Computing 13, (2002), pp. 17–28.
Wiener, M. Cryptanalysis of short RSA secret exponents, IEEE Transactions on Information Theory, Vol. 36, (1990), pp. 553–558.

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permit the free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.

MDPI Initiatives

Important Links

Choose an area of interest and we will send you notifications of new preprints at your preferred frequency.

Disclaimer

A New RSA Variant Based on Elliptic Curves

Abstract

1. Introduction

2. Useful Lemmas

3. Elliptic Curves over the Finite Field F p

4. Elliptic Curves over the Ring Z / n Z

5. The New Scheme

5.1. The New Encryption Scheme

5.2. Numerical Example

5.3. The New Signature Scheme

5.4. The New Signature Scheme

6. Security Analysis

6.1. Resistance against Factorization Methods

6.2. Resistance against Decomposition as Sum of Two Squares

6.3. Resistance against Decomposition as Sum of Four Squares

6.4. Resistance against Solving the Order

6.5. Resistance against Small Private Exponent Attacks

6.6. Resistance against Discrete Logarithm Problem

6.7. Resistance against Isomorphism and Homomorphism Attacks

6.8. Other Attacks

7. Conclusions

Conflicts of Interest

References

MDPI Initiatives

Important Links

Subscribe

3. Elliptic Curves over the Finite Field $F_{p}$

4. Elliptic Curves over the Ring $Z / n Z$