Abstract
We propose a generalization of an RSA-like scheme based on Rédei rational functions over the Pell hyperbola. Instead of a modulus which is a product of two primes, we define the scheme on a multi-factor modulus, i.e. on a product of more than two primes. This results in a scheme whose decryption is quadratically faster, in the number of primes factoring the modulus, than the original RSA, while preserving better security properties. The scheme reaches its best efficiency advantage over RSA at high security levels, since in these cases the modulus can contain more primes. Compared to the analogous schemes based on elliptic curves, such as the KMOV cryptosystem, the proposed scheme is more efficient. Furthermore, a variation of the scheme with a larger ciphertext size does not suffer from impossible group operation attacks, as happens for schemes based on elliptic curves.
1 Introduction
RSA is the most widespread asymmetric encryption scheme. Its security is based on the fact that the trapdoor function \(\tau _{N,e}(x) = x^e \mod N\), where \(N=pq\) is the product of two large primes and e is an invertible element of \(\mathbb {Z}_{\phi (N)}\) (\(\phi (N)\) being the Euler totient function), cannot be inverted in time polynomial in the size of N without knowing either the integers p, q, \(\phi (N)\), or the inverse d of e modulo \(\phi (N)\). Thus the pair (N, e), called the public key, is known to everyone, while the triple (p, q, d), called the secret key, is only known to the receiver of an encrypted message. Both encryption and decryption are performed through an exponentiation modulo N. Precisely, the ciphertext C is obtained as \(C=M^e \pmod N\), and the original message M is obtained with the exponentiation \(M = C^d \pmod N\). While usually the encryption exponent is chosen to be small, the decryption exponent is about the size of N, which makes decryption much slower than encryption. Through the years many proposals have been presented to speed up the decryption process.
In this work we present the fastest, to the authors' knowledge, of such decryption algorithms whose security is based on the factorization problem. The presented scheme exploits several properties of Rédei rational functions, which are classical functions in number theory. The proposed decryption algorithm is quadratically faster than RSA in the number of primes composing the modulus N.
The work is organized as follows. In Sect. 2 we give an overview of the main schemes based on the factorization problem that have improved the RSA decryption step. In Sect. 3 the main theoretical results underlying our scheme are described. Section 4 is devoted to the presentation of the cryptographic scheme, and in Sects. 5 and 6 its security and efficiency are discussed, respectively. Section 7 concludes the work.
2 Related Work
In this section we briefly overview the main cryptographic schemes based on the factorization problem that have been introduced in order to improve the RSA decryption step.
Usually, the general technique to speed up the RSA decryption step \(M = C^d \pmod N\) is to compute the exponentiation modulo each prime-power factor of N, with the exponent reduced accordingly, and then recombine the partial results modulo N using the Chinese Remainder Theorem.
2.1 Multifactor RSA
There exist variants of the RSA scheme which exploit a modulus with more than 2 factors to achieve a faster decryption algorithm. These variants are sometimes called Multifactor RSA [6] or Multiprime RSA [8, 10]. The first proposal exploiting a modulus of the form \(N=p_1 p_2 p_3\) was patented by Compaq [9, 10] in 1997. At about the same time Takagi [30] proposed an even faster solution using the modulus \(N=p^r q\), for which the exponentiation modulo \(p^r\) is computed using Hensel lifting [11, p. 137]. Later, this solution was generalized to the modulus \(N=p^r q^s\) [28]. According to [10], the appropriate number of primes to be chosen in order to resist state-of-the-art factorization algorithms depends on the modulus size, and precisely it can be: up to 3 primes for 1024, 1536, 2048, 2560, 3072, and 3584 bit moduli, up to 4 for 4096, and up to 5 for 8192.
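The CRT technique just described, applied to a three-prime modulus, is the baseline the rest of the paper measures itself against. The following is an added example by the editor (not code from the paper or from [10]); the primes, the exponent and the message are constructed toy values, far too small for any real use.

```python
"""Multi-prime RSA decryption with the Chinese Remainder Theorem (Sect. 2):
editor's example with constructed toy parameters, not code from the page."""
import math


def rsa_multiprime_keygen(primes, e):
    """N = prod p_i and d = e^{-1} mod phi(N), phi(N) = prod (p_i - 1)."""
    N = math.prod(primes)
    phi = math.prod(p - 1 for p in primes)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(N)")
    return N, e, pow(e, -1, phi)


def crt_combine(residues, moduli):
    """Chinese Remainder Theorem for pairwise coprime moduli:
    x = sum r_i * M_i * (M_i^{-1} mod m_i) mod M, with M_i = M / m_i."""
    M = math.prod(moduli)
    x = 0
    for r, m in zip(residues, moduli):
        Mi = M // m
        x += r * Mi * pow(Mi, -1, m)
    return x % M


def rsa_crt_decrypt(c, d, primes):
    """Exponentiate modulo each prime with the reduced exponent d mod (p_i - 1),
    so every exponentiation works on numbers of about |N|/r bits, then recombine.
    This is the cost model the comparison in Sect. 6 refers to."""
    parts = [pow(c % p, d % (p - 1), p) for p in primes]
    return crt_combine(parts, primes)


def check(primes=(101, 103, 107), e=7, m=123456):
    """Round trip with constructed toy primes; compares the CRT result with the
    plain exponentiation c^d mod N."""
    N, e, d = rsa_multiprime_keygen(primes, e)
    c = pow(m, e, N)
    return rsa_crt_decrypt(c, d, primes) == m == pow(c, d, N)


if __name__ == "__main__":
    print(check())
```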
2.2 RSA-like Schemes
Another solution which allows one to obtain even faster decryption is to use RSA-like schemes based on isomorphisms, as in [3, 16, 17, 26]. As an additional property, these schemes have better security properties than RSA, avoiding small exponent attacks on either d [31] or e [12, 13], and vulnerabilities which appear when switching from a one-to-one communication scenario to a broadcast scenario (e.g., see [14]). The aforementioned schemes are based on an isomorphism between two groups, one of which is the set of points of a curve, usually a cubic or a conic. A complete overview of RSA-like schemes based on conics can be found in [3]. In general, schemes based on cubic curves have a computationally more expensive addition operation than schemes based on conics.
2.3 Generalizing RSA-like Scheme with Multifactor Modulus
As in the step from RSA to Multiprime RSA, [7] proposed a generalization of [16, 17], i.e. of an RSA-like scheme based on elliptic curves and a modulus \(N=pq\), to a similar scheme based on the generic modulus \(N=p^rq^s\).
In this paper we present a similar generalization of the scheme [3], which is based on the Pell’s equation, to the modulus \(N=p_1^{e_1}\cdot \ldots \cdot p_r^{e_r}\) for \(r > 2\), obtaining the fastest decryption of all schemes discussed in this section.
3 Product of Points over the Pell Hyperbola
In [3], we introduced a novel RSA–like scheme based on an isomorphism between certain conics (of which the Pell hyperbola is a special case) and a set of parameters equipped with a non–standard product. In Sect. 4, we generalize this scheme considering a prime power modulus \(N = p_1^{e_1} \cdots p_r^{e_r}\). In this section, we recall some definitions and properties given in [3] in order to improve the readability of the paper. Then, we study properties of the involved products and sets in \({\mathbb Z}_{p^r}\) and \({\mathbb Z}_N\).
3.1 A Group Structure over the Pell Hyperbola over a Field
Let \(\mathbb K\) be a field and \(x^2 - D\) an irreducible polynomial over \(\mathbb K [x]\). Considering the quotient field \(\mathbb A[x] = \mathbb K[x] / (x^2 - D)\), the induced product over \(\mathbb A[x]\) is
The group of unitary elements of \(\mathbb A^*[x] = \mathbb A[x] - \{0_{\mathbb A[x]}\}\)\(^{1}\) is \(\{ p + q x \in \mathbb A^*[x] : p^2 - D q^2 = 1 \}\). Thus, we can introduce the commutative group \(({\mathcal H}_{D,\mathbb K}, \otimes )\), where
and
It is worth noting that (1, 0) is the identity and the inverse of an element (x, y) is \((x,-y)\).
Remark 1
When \(\mathbb K = \mathbb R\), the conic \({\mathcal H}_{D,\mathbb K}\), for D a non–square integer, is called the Pell hyperbola since it contains all the solutions of the Pell equation, and \(\otimes \) is the classical Brahmagupta product, see, e.g., [15].
3.2 A Parametrization of the Pell Hyperbola
From now on let \(\mathbb {A}=\mathbb {A}[x]\).
Starting from \(\mathbb A^*\), we can derive a parametrization for \({\mathcal H}_{D,\mathbb K}\). In particular, let us consider the group \(\mathbb A^* / \mathbb K^*\), whose elements are the equivalence classes of \(\mathbb A^*\) and can be written as
The induced product over \(\mathbb A^* / \mathbb K^*\) is given by
and, if \(a + b \not = 0\), we have
else
This construction allows us to define the set of parameters \({\mathcal P}_{\mathbb K} = \mathbb K \cup \{\alpha \}\), with \(\alpha \) not in \(\mathbb K\), equipped with the following product:
We have that \(({\mathcal P}_\mathbb K, \odot )\) is a commutative group with identity \(\alpha \) and the inverse of an element a is the element b such that \(a + b = 0\). Now, consider the following parametrization for the conic \({\mathcal H}_{D,\mathbb K}\):
It can be proved that the following isomorphism between \(({\mathcal H}_{D,\mathbb K}, \otimes )\) and \(({\mathcal P}_{\mathbb K}, \odot )\) holds:
and
Proposition 1
When \(\mathbb K = {\mathbb Z}_p\), p prime, \(({\mathcal P}_{\mathbb K}, \odot )\) and \(({\mathcal H}_{D,\mathbb K}, \otimes )\) are cyclic groups of order \(p + 1\) and
or, equivalently
where powers are performed using products \(\odot \) and \(\otimes \), respectively. See [3].
The powers in \({\mathcal P}_{\mathbb K}\) can be efficiently computed by means of the Rédei rational functions [27], which are classical functions in number theory. They are defined by considering the expansion of
for z integer and D non–square positive integer. The polynomials \(A_n(D,z)\) and \(B_n(D,z)\) defined by the previous expansion are called Rédei polynomials and can be evaluated by
where
From this property, it follows that the Rédei polynomials are linear recurrent sequences with characteristic polynomial \(t^2 - 2 z t + (z^2 - D)\). The Rédei rational functions are defined by
Proposition 2
Let \(m^{\odot n}\) be the n–th power of \(m \in {\mathcal P}_{\mathbb K}\) with respect to \(\odot \), then
See [2].
Remark 2
The Rédei rational functions can be evaluated by means of an algorithm of complexity \(O(\log _2(n))\) with respect to addition, subtraction and multiplication over rings [24].
3.3 Properties of the Pell Hyperbola over a Ring
In this section, we study the case \(\mathbb K = {\mathbb Z}_{p^r}\), a ring rather than a field, that we will exploit in the next section for the construction of a cryptographic scheme. In what follows, we will omit from \({\mathcal H}_{D, \mathbb K}\) the dependence on D when it is clear from the context.
First, we need to determine the order of \({\mathcal H}_{{\mathbb Z}_{p^r}}\) in order to have a result similar to Proposition 1 also in this situation.
Theorem 1
The order of the cyclic group \({\mathcal H}_{{\mathbb Z}_{p^r}}\) is \(p^{r-1} (p + 1)\), i.e., the Pell equation \(x^2 - D y^2 = 1\) has \(p^{r-1} (p + 1)\) solutions in \({\mathbb Z}_{p^r}\) for \(D \in {\mathbb Z}_{p^r}^*\) quadratic non–residue in \({\mathbb Z}_{p}\).
Proof
Since, by Proposition 1, the Pell equation in \({\mathbb Z}_p\) has \(p + 1\) solutions, we need to prove the following:
1. any solution of the Pell equation in \({\mathbb Z}_p\) generates \(p^{r-1}\) solutions of the same equation in \({\mathbb Z}_{p^r}\);
2. all the solutions of the Pell equation in \({\mathbb Z}_{p^r}\) are generated as in the previous step.
(1) Let \((x_0, y_0)\) be a solution of \(x^2 - D y^2 \equiv 1 \pmod p\). We want to prove that for any integer \(0 \le k < p^{r-1}\), there exists one and only one integer h such that \((x_0 + k p, y_0 + h p)\) is solution of \(x^2 - D y^2 \equiv 1 \pmod {p^r}\). Indeed, we have
$$ (x_0 + k p)^2 - D (y_0 + h p)^2 = 1 + v p + 2 x_0 k p + k^2 p^2 - 2 D y_0 h p - D h^2 p^2, $$since \(x_0^2 - D y_0^2 = 1 + v p\) for a certain integer v. Thus, we have that \((x_0 + k p, y_0 + h p)\) is solution of \(x^2 - D y^2 \equiv 1 \pmod {p^r}\) if and only if
$$D p h^2 + 2 D y_0 h - v - 2 x_0 k - k^2 p \equiv 0 \pmod {p^{r-1}}.$$Hence, we have to prove that there is one and only one integer h that satisfies the above identity. The above equation can be solved in h by completing the square and reduced to
$$\begin{aligned} (2 D p h + 2 D y_0)^2 \equiv s \pmod {p^{r-1}}, \end{aligned}$$(5)where \(s = (2 D y_0)^2 + 4 (v + 2 x_0 k + k^2 p) D p\). Let us prove that s is a quadratic residue in \({\mathbb Z}_{p^{r-1}}\). Indeed,
$$s = 4 D ((x_0 + k p)^2 - 1)$$and surely the Jacobi symbol \(\left( \frac{s}{p^{r-1}} \right) = \left( \frac{s}{p} \right) ^{r-1} = 1\) if r is odd. If r is even we have that
$$ \left( \frac{s}{p^{r-1}} \right) = \left( \frac{4}{p^{r-1}} \right) \left( \frac{D}{p^{r-1}} \right) \left( \frac{(x_0 + k p)^2 - 1}{p^{r-1}} \right) =1 $$since \(\left( \frac{4}{p^{r-1}} \right) = 1\), \(\left( \frac{D}{p^{r-1}} \right) = \left( \frac{D}{p} \right) ^{r-1} = -1\) by hypothesis on D, \(\left( \frac{(x_0 + k p)^2 - 1}{p^{r-1}} \right) = -1\), since \((x_0 + k p)^2 - 1 \equiv D y_0^2 \pmod p\). Now, let \(\pm t\) be the square roots of s. It is easy to note that
$$t \equiv 2 D y_0 \pmod p, \quad -t \equiv - 2 D y_0 \pmod p$$or
$$-t \equiv 2 D y_0 \pmod p, \quad t \equiv - 2 D y_0 \pmod p.$$Let us call \(\bar{t}\) the only one between t and \(-t\) that is equal to \(2 D y_0\) in \({\mathbb Z}_p\). Hence, Eq. (5) is equivalent to the linear equation
$$p h \equiv (\bar{t} - 2 D y_0)(2 D)^{-1} \pmod {p^{r-1}},$$which has one and only one solution, since \(\bar{t} - 2 D y_0 \equiv 0 \pmod p\). Note that, if \(\bar{t}\) is not equal to \(2 D y_0\) in \({\mathbb Z}_p\) the above equation has no solutions. (The count can also be obtained directly: the congruence in h above is \(f(h) \equiv 0 \pmod {p^{r-1}}\) with \(f'(h) = 2Dph + 2Dy_0 \equiv 2 D y_0 \pmod p\), so for \(y_0 \not\equiv 0 \pmod p\) Hensel's lemma lifts the unique root of the linear congruence \(2 D y_0 h \equiv v + 2 x_0 k \pmod p\) to a unique root modulo \(p^{r-1}\). For the two solutions with \(y_0 \equiv 0 \pmod p\), i.e. \(x_0 \equiv \pm 1\), \(x_0\) is invertible modulo p and the same argument applies with the roles of h and k exchanged, reading the congruence as a quadratic in k with linear coefficient \(2 x_0\) and obtaining a unique k for each of the \(p^{r-1}\) values of h.) Thus, we have proved that any solution of the Pell equation in \({\mathbb Z}_p\) generates \(p^{r-1}\) solutions of the Pell equation in \({\mathbb Z}_{p^r}\).
(2) Now, we prove that all the solutions of the Pell equation in \({\mathbb Z}_{p^r}\) are generated as in step 1.
Let \((\bar{x}, \bar{y})\) be a solution of \(x^2 - D y^2 \equiv 1 \pmod {p^r}\), i.e., \(\bar{x}^2 - D \bar{y}^2 = 1 + w p^{r}\), for a certain integer w. Then \(x_0 = \bar{x} - k p\) and \(y_0 = \bar{y} -h p\), for h, k integers, are solutions of \(x^2 - D y^2 \equiv 1 \pmod p\). Indeed,
$$ (\bar{x} - k p)^2 - D (\bar{y} - h p)^2 = 1 + w p^r - 2 \bar{x} k p + k^2 p^2 + 2 D \bar{y} h p - D h^2 p^2 \,, $$and the right-hand side is congruent to 1 modulo p. Hence every solution in \({\mathbb Z}_{p^r}\) lies above a solution in \({\mathbb Z}_p\) and is one of those generated in step 1.
As a consequence of the previous theorem, an analogue of Euler's theorem holds for the product \(\otimes \).
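As an added check of Theorem 1 and of the two steps of its proof (an editor's example, not code from the paper; every parameter below is a constructed toy value), the following enumerates the solutions of the Pell equation modulo p and modulo \(p^r\) and verifies that each solution modulo p lifts to exactly \(p^{r-1}\) solutions modulo \(p^r\) whose union is the whole solution set. The residue case handled by `predicted_order` goes beyond the text: when D is a non-zero square modulo p the equation factors into two linear forms and the count becomes \(p^{r-1}(p-1)\); this is why the hypothesis on D is not cosmetic.

```python
"""Brute-force verification of Theorem 1 (editor's example, toy parameters)."""


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def pell_solutions(modulus, D):
    """All (x, y) in Z_modulus^2 with x^2 - D y^2 == 1 (mod modulus)."""
    return {(x, y) for x in range(modulus) for y in range(modulus)
            if (x * x - D * y * y) % modulus == 1}


def count_pell_solutions(p, r, D):
    return len(pell_solutions(p ** r, D))


def predicted_order(p, r, D):
    """p^(r-1)(p+1) for a non-residue D is Theorem 1. The residue case,
    p^(r-1)(p-1), is the editor's extension and is not stated on the page:
    for D = c^2 the equation reads (x - cy)(x + cy) = 1, which has p - 1
    solutions mod p, each lifting to p^(r-1) solutions since the curve is smooth."""
    s = legendre(D, p)
    if s == -1:
        return p ** (r - 1) * (p + 1)
    if s == 1:
        return p ** (r - 1) * (p - 1)
    raise ValueError("D must be a unit modulo p")


def lift_solutions(x0, y0, p, r, D):
    """Step (1) of the proof: the solutions of x^2 - D y^2 == 1 (mod p^r) of the
    form (x0 + k p, y0 + h p), 0 <= k, h < p^(r-1), above a mod-p solution."""
    m, q = p ** r, p ** (r - 1)
    if (x0 * x0 - D * y0 * y0) % p != 1:
        raise ValueError("(x0, y0) is not a solution modulo p")
    return {(x0 + k * p, y0 + h * p) for k in range(q) for h in range(q)
            if ((x0 + k * p) ** 2 - D * (y0 + h * p) ** 2) % m == 1}


def check_theorem_1(p, r, D):
    """Both steps of the proof: every mod-p solution has exactly p^(r-1) lifts,
    and the lifts together are exactly the solutions modulo p^r."""
    lifted = set()
    for x0, y0 in pell_solutions(p, D):
        lifts = lift_solutions(x0, y0, p, r, D)
        if len(lifts) != p ** (r - 1):
            return False
        lifted |= lifts
    return lifted == pell_solutions(p ** r, D) and len(lifted) == predicted_order(p, r, D)


if __name__ == "__main__":
    # D = 2 is a non-residue mod 5, D = 4 is a residue: 30 vs 20 solutions mod 25.
    print(count_pell_solutions(5, 2, 2), count_pell_solutions(5, 2, 4))
    print(check_theorem_1(5, 2, 2), check_theorem_1(7, 2, 3))
```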
Theorem 2
Let p, q be prime numbers and \(N = p^r q^s\), then for all \((x,y) \in {\mathcal H}_{{\mathbb Z}_N}\) we have
for \(D \in {\mathbb Z}_{N}^*\) quadratic non–residue in \({\mathbb Z}_p\) and \({\mathbb Z}_q\).
Proof
By Theorem 1, we know that
and
Thus, setting \((a, b) = (x,y)^{\otimes p^{r-1}(p + 1) q^{s-1}(q + 1)}\), we have
i.e., \(a = 1 + kp^r\) and \(b = hp^r\) for some integers h, k. On the other hand, we have
We can observe that \(1 + kp^r \equiv 1 \pmod {q^s}\) if and only if \(k = k'q^s\) for a certain integer \(k'\). Similarly, it must be \(h = h'q^s\), for an integer \(h'\). Hence, we have that \((a, b) = (1 + k'p^rq^s, h'p^rq^s) \equiv (1, 0) \pmod N\).
Corollary 1
Let \(p_1, ..., p_r\) be primes and \(N = p_1^{e_1}\cdot \ldots \cdot p_r^{e_r}\), then for all \((x,y) \in {\mathcal H}_{{\mathbb Z}_N}\) we have
where
for \(D \in {\mathbb Z}_{N}^*\) quadratic non–residue in \({\mathbb Z}_{p_i}\), for \(i = 1, ..., r\).
Now, we can observe that when we work on \({\mathbb Z}_{N}\), the map \({\varPhi }_D\) is not an isomorphism. Indeed, the orders of \({\mathcal H}_{D,{\mathbb Z}_{N}}\) and \({\mathcal P}_{{\mathbb Z}_{N}}\) do not coincide. However, it is still a morphism and we also have \(|{\mathbb Z}_{N}^* |= |{\mathcal H}^*_{{\mathbb Z}_{N}} |\), because of the following proposition.
Proposition 3
With the above notation, we have that
1. \(\forall (x_1,y_1), (x_2,y_2)\in {\mathcal H}^*_{{\mathbb Z}_{N}}\), \({\varPhi }_D(x_1,y_1)={\varPhi }_D(x_2,y_2)\Leftrightarrow (x_1,y_1)=(x_2,y_2)\);
2. \(\forall m_1, m_2\in {\mathbb Z}_{N}^*\), \({\varPhi }_D^{-1}(m_1)={\varPhi }_D^{-1}(m_2)\Leftrightarrow m_1=m_2\);
3. \(\forall m\in {\mathbb Z}_{N}^*\), we have \({\varPhi }_D^{-1}(m)\in {\mathcal H}^*_{{\mathbb Z}_{N}}\) and \(\forall (x,y)\in {\mathcal H}^*_{{\mathbb Z}_{N}}\), we have \({\varPhi }_D(x,y)\in {\mathbb Z}_{N}^*\).
See [3].
As a consequence, we have an analogue of Euler's theorem also for the product \(\odot \), i.e., for all \(m \in {\mathbb Z}^*_N\) the following holds
where \(\odot \) is the special product in \({\mathcal P}_{{\mathbb Z}_N}\) defined in Eq. 2.
4 The Cryptographic Scheme
In this section, we describe our public–key cryptosystem based on the properties studied in the previous section.
4.1 Key Generation
The key generation is performed by the following steps:
- choose r prime numbers \(p_1, \dots , p_r\), r odd integers \(e_1, \dots , e_r\) and compute \(N = \prod _{i=1}^r p_i^{e_i}\);
- choose an integer e such that \(\gcd \big( e, \oper{lcm}_{i=1,\dots ,r}\, p_i^{e_i-1}(p_i + 1) \big) = 1\), where the least common multiple is taken over the r values \(p_i^{e_i-1}(p_i + 1)\);
- evaluate \(d = e^{-1} \pmod {\oper{lcm}_{i=1,\dots ,r}\, p_i^{e_i-1}(p_i + 1)}\).
The public or encryption key is given by (N, e) and the secret or decryption key is given by \((p_1,\ldots ,p_r, d)\).
4.2 Encryption
We can encrypt pairs of messages \((M_x, M_y) \in {\mathbb Z}_N^* \times {\mathbb Z}_N^*\) such that \(\left( \frac{M_x^2 - 1}{N} \right) = -1\) (Jacobi symbol). This condition ensures that all the operations below can be performed: \(M_x \pm 1\) and \(M_y\) are invertible modulo N, and the value D defined below, which differs from \(M_x^2 - 1\) by the square \(M_y^{-2}\), has Jacobi symbol \(-1\) as well, hence is a quadratic non-residue modulo an odd number of the \(p_i\). Note that the condition does not by itself guarantee that D is a non-residue modulo every \(p_i\), which is the hypothesis of Corollary 1 on which the decryption of Sect. 4.3 relies; the encryptor cannot check the per-prime condition without the factorization of N. The encryption of the messages is performed by the following steps:
- compute \(D = \frac{M_x^2 - 1}{M_y^2} \pmod N\), so that \((M_x, M_y) \in {\mathcal H}^*_{D, {\mathbb Z}_N}\);
- compute \(M = {\varPhi }(M_x, M_y) = \frac{M_x + 1}{M_y} \pmod N\);
- compute the ciphertext \(C = M^{\odot e} \pmod N = Q_e(D,M) \pmod N\).
Notice that not only C, but the pair (C, D) must be sent through the insecure channel.
4.3 Decryption
The decryption is performed by the following steps:
- compute \(C^{\odot d} \pmod N = Q_d(D,C) \pmod N = M\);
- compute \({\varPhi }^{-1}(M) = \left( \frac{M^2 + D}{M^2 - D}, \frac{2 M}{M^2 - D} \right) \pmod N\) for retrieving the messages \((M_x, M_y)\).
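The following is an editor's worked example of the whole scheme of Sects. 4.1 to 4.3 with the powers in \({\mathcal P}_{{\mathbb Z}_N}\) evaluated through Rédei rational functions as in Proposition 2 and Remark 2 (added code, not the authors' implementation). The primes 11, 23, 31, the odd exponents 1, 1, 1, the exponent \(e = 5\) and the search ranges are constructed toy values. One assumption is made explicit because Eq. 2 is not reproduced on this page: the n-th \(\odot\)-power of a parameter m is taken to be \(Q_n(D,m) = A_n(D,m)/B_n(D,m)\), with \((A_n, B_n)\) given by \((m + \sqrt{D})^n = A_n + B_n \sqrt{D}\), which is what Proposition 2 states. The `find_message` helper is not part of the scheme; it only constructs a message whose D is a non-residue modulo every \(p_i\), and a second one that passes the Jacobi test of Sect. 4.2 but has D a residue modulo some \(p_i\), for which decryption does not return the plaintext.

```python
"""Editor's example of the scheme of Sect. 4 with toy parameters (not the authors' code).
Assumed: the n-th parameter power is Q_n(D, m) = A_n / B_n with
(m + sqrt D)^n = A_n + B_n sqrt D (Proposition 2)."""
import math


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; returns 0 when gcd(a, n) > 1."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def redei_pair(z, n, D, N):
    """(A_n(D,z), B_n(D,z)) mod N by square-and-multiply on pairs: O(log n)
    ring multiplications, as in Remark 2."""
    def mul(u, v):
        return ((u[0] * v[0] + D * u[1] * v[1]) % N, (u[0] * v[1] + u[1] * v[0]) % N)
    acc, base = (1, 0), (z % N, 1)
    while n:
        if n & 1:
            acc = mul(acc, base)
        base = mul(base, base)
        n >>= 1
    return acc


def param_pow(m, n, D, N):
    """m^{(.) n} = Q_n(D, m) = A_n / B_n mod N. A non-invertible B_n is the
    impossible group operation of Sect. 5.4: gcd(B_n, N) is then either N
    (the result is the identity alpha) or a non-trivial factor of N."""
    A, B = redei_pair(m, n, D, N)
    g = math.gcd(B, N)
    if g != 1:
        raise ValueError(f"impossible group operation: gcd(B_n, N) = {g}")
    return A * pow(B, -1, N) % N


def keygen(primes, exps, e):
    """Sect. 4.1: N = prod p_i^e_i, d = e^-1 mod lcm_i p_i^(e_i - 1) (p_i + 1)."""
    N, lam = 1, 1
    for p, k in zip(primes, exps):
        N *= p ** k
        lam = math.lcm(lam, p ** (k - 1) * (p + 1))
    if math.gcd(e, lam) != 1:
        raise ValueError("e is not invertible modulo the group exponent")
    return N, e, pow(e, -1, lam)


def encrypt(Mx, My, e, N):
    """Sect. 4.2: returns (C, D); both values must be transmitted."""
    if math.gcd(Mx * My, N) != 1 or jacobi(Mx * Mx - 1, N) != -1:
        raise ValueError("message does not satisfy the encryption condition")
    D = (Mx * Mx - 1) * pow(My * My, -1, N) % N
    M = (Mx + 1) * pow(My, -1, N) % N          # M = Phi(Mx, My)
    return param_pow(M, e, D, N), D


def decrypt(C, D, d, N):
    """Sect. 4.3: M = Q_d(D, C), then (Mx, My) = Phi^-1(M)."""
    M = param_pow(C, d, D, N)
    inv = pow((M * M - D) % N, -1, N)
    return (M * M + D) * inv % N, 2 * M * inv % N


def round_trip(msg, key):
    """True iff decrypt(encrypt(msg)) returns msg; an impossible group
    operation or a non-invertible denominator counts as a failure."""
    N, e, d = key
    try:
        C, D = encrypt(msg[0], msg[1], e, N)
        return decrypt(C, D, d, N) == (msg[0] % N, msg[1] % N)
    except ValueError:
        return False


def find_message(N, primes, strong, limit=60):
    """Constructed search, not part of the scheme: the first (Mx, My) meeting the
    encryption condition whose D is a non-residue modulo every p_i (strong=True),
    or a residue modulo at least one p_i although its Jacobi symbol is -1
    (strong=False). Messages of the second kind are not decrypted correctly."""
    for Mx in range(2, limit):
        for My in range(1, limit):
            if math.gcd(Mx * My, N) != 1 or jacobi(Mx * Mx - 1, N) != -1:
                continue
            D = (Mx * Mx - 1) * pow(My * My, -1, N) % N
            if all(jacobi(D, p) == -1 for p in primes) == strong:
                return Mx, My
    return None


if __name__ == "__main__":
    key = keygen((11, 23, 31), (1, 1, 1), 5)          # N = 7843, d = 77
    for strong in (True, False):
        msg = find_message(key[0], (11, 23, 31), strong)
        print("D non-residue mod every p_i:", strong, msg, round_trip(msg, key))
```

With the toy key the group exponent is \(\operatorname{lcm}(12, 24, 32) = 96\) and \(d = 77\). The second message found by `find_message` shows the caveat of Sect. 4.2 concretely: its Jacobi symbol is \(-1\), so the encryptor accepts it, but D is a quadratic residue modulo two of the three primes, the group order modulo those primes is \(p_i - 1\) rather than \(p_i + 1\), and \(ed \equiv 1\) modulo 96 no longer implies \(M^{\odot ed} = M\).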
5 Security of the Encryption Scheme
The proposed scheme can be attacked by solving one of the following problems:
1. factorizing the modulus \(N=p_1^{e_1}\cdot \ldots \cdot p_r^{e_r}\);
2. computing \(\varPsi (N) = p_1^{e_1-1}(p_1+1)\cdot \ldots \cdot p_r^{e_r-1}(p_r+1)\), or finding the number of solutions of the equation \(x^2-Dy^2 \equiv 1 \mod N\), i.e. the curve order, which divides \(\varPsi (N)\);
3. solving the discrete logarithm problem either in \(({\mathcal H}^*_{{\mathbb Z}_N},\otimes )\) or in \(({\mathcal P}^*_{{\mathbb Z}_N},\odot )\);
4. finding the unknown d in the equation \(ed \equiv 1 \mod \varPsi (N)\);
5. finding an impossible group operation in \({\mathcal P}_{{\mathbb Z}_N}\);
6. computing \(M_x,M_y\) from D.
5.1 Factorizing N or Computing the Curve Order
It is well known that the problem of factorizing \(N=p_1^{e_1}\cdot \ldots \cdot p_r^{e_r}\) is equivalent to that of computing the Euler totient function \(\phi (N)=p_1^{e_1-1}(p_1-1)\cdot \ldots \cdot p_r^{e_r-1}(p_r-1)\), e.g. see [23] or [29, Section 10.4].
In our case we need to show the following
Proposition 4
The problem of factorizing N is equivalent to the problem of computing \(\varPsi (N)=p_1^{e_1-1}(p_1+1)\cdot \ldots \cdot p_r^{e_r-1}(p_r+1)\) or the order of the group \({\mathcal P}^*_{{\mathbb Z}_N}\) (or equivalently of \({\mathcal H}^*_{{\mathbb Z}_N}\)), which is a divisor of \(\varPsi (N)\).
Proof
Clearly, knowing the factorization of N yields \(\varPsi (N)\). Conversely, suppose N and \(\varPsi (N)\) are known. A factorization of N can be found by applying Algorithm 1 recursively.
Remark 3
Algorithm 1 is an adaptation of the general algorithm in [29, Section 10.4], used to factorize N knowing only \(\phi (N)\) (Euler totient function) and N itself. The main idea of Algorithm 1 comes from the fact that \(x^{\odot \varPsi (N)}=\alpha \pmod N\) for all \(x \in {\mathbb Z}^*_N\), where \(\alpha \) is the identity of \(({\mathcal P}_{{\mathbb Z}_N}, \odot )\); this is the analogue of Euler's theorem in \({\mathcal P}_{{\mathbb Z}_N}\). Notice that, because of Step 7, Algorithm 1 is a probabilistic algorithm. Thus, to find a non-trivial factor, it might be necessary to run the algorithm more than once. We expect that a deeper analysis of the algorithm will show a probabilistic behaviour similar to that of the algorithm in [29], which returns a non-trivial factor with probability 1/2.
Since we proved that the problems 1 and 2 are equivalent, we can only focus on the factorization problem.
According to [10], state-of-the-art factorization methods such as the Elliptic Curve Method [18] or the Number Field Sieve [4, 19] are not effective in the following practical cases:
- \(|N|=1024, 1536, 2048, 2560, 3072, 3584\) and \(N=p_1^{e_1} p_2^{e_2} p_3^{e_3}\) with \(e_1+e_2+e_3 \le 3\) and each \(p_i\), \(i=1,2,3\), of size approximately \(\root 3 \of {N}\) or larger;
- \(|N|=4096\) and \(N=p_1^{e_1} p_2^{e_2} p_3^{e_3} p_4^{e_4}\) with \(e_1+e_2+e_3+e_4 \le 4\) and each \(p_i\), \(i=1,\ldots ,4\), of size approximately \(\root 4 \of {N}\) or larger;
- \(|N|=8192\) and \(N=p_1^{e_1} p_2^{e_2} p_3^{e_3} p_4^{e_4} p_5^{e_5}\) with \(e_1+e_2+e_3+e_4+e_5 \le 5\) and each \(p_i\), \(i=1,\ldots ,5\), of size approximately \(\root 5 \of {N}\) or larger.
Notice that currently the largest prime factor found by the Elliptic Curve Method is a 274-bit integer [32]. Note also that the Lattice Factoring Method (LFM) of Boneh, Durfee, and Howgrave-Graham [5] is designed to factor integers of the form \(N=p^u q\) only for large u.
5.2 Computing the Discrete Logarithm
Solving the discrete logarithm problem on a conic curve can be reduced to the discrete logarithm problem in the underlying finite field [22]. In our case the curve is defined over the ring \(\mathbb {Z}_N\). Solving the DLP over \(\mathbb {Z}_N\) without knowing the factorization of N is as hard as solving the DLP over a prime field of approximately the same size. As for the factorization problem, the best known algorithm for the DLP in a prime field is the Number Field Sieve, which is not effective when the size of N exceeds 1024 bits.
5.3 Solving the Private Key Equation
In the case of RSA, small exponent attacks [12, 13, 31] can be performed to recover the private exponent; in our setting the corresponding target is the unknown d in the equation \(ed \equiv 1 \mod \varPsi (N)\). Generalizations of these attacks exist for RSA variants whose modulus is of the form \(N=p_1^{e_1}p_2^{e_2}\) [20]. It has already been argued in [3, 16] that this kind of attack fails when the trapdoor function is not a simple monomial power as in RSA, as is the case for the proposed scheme.
5.4 Finding an Impossible Group Operation
In the case of elliptic curves over \({\mathbb Z}_N\), as in the generalized KMOV cryptosystem [7], an impossible addition between two curve points may occur, yielding the factorization of N. This is because the addition formula requires an inversion in the underlying ring \({\mathbb Z}_N\). However, as shown by the authors of [7], an impossible addition is very unlikely for N with few and large prime factors.
In our case an impossible group operation may occur if \(a+b\) is not invertible in \({\mathbb Z}_N\), i.e. if \(\gcd (a+b,N) \ne 1\), which in fact yields a factor of N. However, also in our case, if N has a few large prime factors, impossible group operations occur with negligible probability, as shown by the following proposition.
Proposition 5
The probability of picking a non-invertible element in \({\mathcal P}_{{\mathbb Z}_N}\) is approximately
Proof
The probability of picking a non-invertible element in \({\mathcal P}_{{\mathbb Z}_N}\) is obtained by dividing the number of non-invertible elements of \({\mathcal P}_{{\mathbb Z}_N}\) by the total number of elements of this set, as follows:
where we used \(N\sim N+1\) and \(\phi (N)=N\left( 1-\frac{1}{p_1}\right) \cdot \ldots \cdot \left( 1-\frac{1}{p_r}\right) \).
This probability tends to zero for large prime factors.
Let us notice that, in the Pell curve case, it is possible to avoid such a situation by performing encryption and decryption in \({\mathcal H}^*_{{\mathbb Z}_N}\), without exploiting the isomorphism. Here the group operation \(\otimes \) is defined between two points on the Pell curve, as in Eq. 1, and does not involve an inversion. In the resulting scheme the ciphertext is obtained as \((C_x,C_y)=(M_x,M_y)^{\otimes e}\), where the operation \(\otimes \) depends on D. Thus the triple \((C_x,C_y,D)\) must be transmitted, resulting in a non-compressed ciphertext.
5.5 Recovering the Message from D
To recover the message pair \((M_x, M_y)\) from \(D = \frac{M_x^2 - 1}{M_y^2} \pmod N\), the attacker must solve the quadratic congruence \(M_x^2 - D M_y^2 - 1 = 0 \pmod N\) with respect to the two unknowns \(M_x\) and \(M_y\). Even if one of the two coordinates is known (partially known plaintext attack), it is well known that computing square roots modulo a composite integer N, when the square root exists, is equivalent to factoring N itself.
5.6 Further Comments
As a conclusion to this section, we only mention that, as shown in [3], RSA-like schemes based on isomorphisms have the following properties: they are more secure than RSA in the broadcast scenario, and they can be transformed into semantically secure schemes using standard techniques that introduce randomness in the generation of the ciphertext.
6 Efficiency of the Encryption Scheme
Recall that our scheme encrypts and decrypts messages of size \(2\log N\). To decrypt a ciphertext of size \(2\log N\) using the CRT, standard RSA requires four full exponentiations modulo primes of \((\log N)/2\) bits. Basic algorithms to compute \(x^d \mod p\) require \(O(\log d \log ^2p)\) operations, which is \(O(\log ^3p)\) if \(d \sim p\).
Using the CRT, if \(N=p_1^{e_1}\cdot \ldots \cdot p_r^{e_r}\), our scheme requires at most r exponentiations modulo primes of \((\log N)/r\) bits.
This means that the final speed-up of our scheme with respect to RSA is
When \(r=2\) our scheme is two times faster than RSA, as already shown in [3]. If \(r=3\) our scheme is 4.5 times faster, with \(r=4\) it is 8 times faster, and with \(r=5\) it is 12.5 times faster.
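Carrying the cost model of the preceding paragraphs through gives the figures just quoted. This derivation is added by the editor and is not reproduced from the paper; it uses the \(O(\log ^3 p)\) cost per exponentiation stated above, with p of the size of the prime factor, and neglects the CRT recombination. The symbols \(T_{\mathrm{RSA}}\) and \(T_{\mathrm{ours}}\) for the two decryption costs are introduced here.

$$\begin{aligned} T_{\mathrm{RSA}} &= 4 \cdot O\!\left( \left( \tfrac{\log N}{2} \right)^{3} \right) = O\!\left( \tfrac{\log ^{3} N}{2} \right), \\ T_{\mathrm{ours}} &= r \cdot O\!\left( \left( \tfrac{\log N}{r} \right)^{3} \right) = O\!\left( \tfrac{\log ^{3} N}{r^{2}} \right), \\ \frac{T_{\mathrm{RSA}}}{T_{\mathrm{ours}}} &= \frac{r^{2}}{2}. \end{aligned}$$

For \(r = 2, 3, 4, 5\) the ratio \(r^2/2\) equals 2, 4.5, 8 and 12.5, matching the values listed above.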
7 Conclusions
We generalized an RSA-like scheme based on the Pell hyperbola from a modulus that was a product of two primes to a generic modulus. We showed that this generalization leads to a very fast decryption step, up to 12.5 times faster than the original RSA at the security level of an 8192-bit modulus. The scheme preserves all the security properties of RSA-like schemes, which are in general more secure than RSA, especially in a broadcast scenario. Compared to similar schemes based on elliptic curves it is more efficient. We also pointed out that a variation of the scheme with a non-compressed ciphertext does not suffer from impossible group operation attacks.
Notes
- 1.
The element \(0_{\mathbb A[x]}\) is the zero polynomial.
References
Barbero, S., Cerruti, U., Murru, N.: Generalized Rédei rational functions and rational approximations over conics. Int. J. Pure Appl. Math 64(2), 305–317 (2010)
Barbero, S., Cerruti, U., Murru, N.: Solving the Pell equation via Rédei rational functions. Fibonacci Q. 48(4), 348–357 (2010)
Bellini, E., Murru, N.: An efficient and secure RSA-like cryptosystem exploiting Rédei rational functions over conics. Finite Fields Appl. 39, 179–194 (2016)
Bernstein, D.J., Lenstra, A.K.: A general number field sieve implementation. In: Lenstra, A.K., Lenstra, H.W. (eds.) The development of the number field sieve. LNM, vol. 1554, pp. 103–126. Springer, Heidelberg (1993). https://doi.org/10.1007/BFb0091541
Boneh, D., Durfee, G., Howgrave-Graham, N.: Factoring \(N=p^rq\) for large \(r\). In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 326–337. Springer, Heidelberg (1999)
Boneh, D., Shacham, H.: Fast variants of RSA. CryptoBytes 5(1), 1–9 (2002)
Boudabra, M., Nitaj, A.: A new generalization of the KMOV cryptosystem. J. Appl. Math. Comput. 57, 1–17 (2017)
Ciet, M., Koeune, F., Laguillaumie, F., Quisquater, J.: Short private exponent attacks on fast variants of RSA. UCL Crypto Group Technical Report Series CG-2003/4, Université Catholique de Louvain (2002)
Collins, T., Hopkins, D., Langford, S., Sabin, M.: Public key cryptographic apparatus and method. Google Patents, US Patent 5,848,159 (1998)
Compaq: Cryptography using Compaq multiprime technology in a parallel processing environment. ftp://15.217.49.193/pub/solutions/CompaqMultiPrimeWP.pdf. Accessed 2019
Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, Heidelberg (2013)
Coppersmith, D., Franklin, M., Patarin, J., Reiter, M.: Low-exponent RSA with related messages. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 1–9. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_1
Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997)
Hastad, J.: On using RSA with low exponent in a public key network. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 403–408. Springer, Heidelberg (1986). https://doi.org/10.1007/3-540-39799-X_29
Jacobson, M.J., Williams, H.C., Taylor, K., Dilcher, K.: Solving the Pell Equation. Springer, New York (2009). https://doi.org/10.1007/978-0-387-84923-2
Koyama, K.: Fast RSA-type schemes based on singular cubic curves \(y^{2} + axy \equiv x^{3}\) (mod n). In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 329–340. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-49264-X_27
Koyama, K., Maurer, U.M., Okamoto, T., Vanstone, S.A.: New public-key schemes based on elliptic curves over the Ring Z\(_{n}\). In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 252–266. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_20
Lenstra Jr., H.W.: Factoring integers with elliptic curves. Ann. Math. 126, 649–673 (1987)
Lenstra, A.K., Lenstra, H.W., Manasse, M.S., Pollard, J.M.: The number field sieve. In: Lenstra, A.K., Lenstra, H.W. (eds.) The development of the number field sieve. LNM, vol. 1554, pp. 11–42. Springer, Heidelberg (1993). https://doi.org/10.1007/BFb0091537
Lu, Y., Peng, L., Sarkar, S.: Cryptanalysis of an RSA variant with moduli \(N = p^r q^l\). J. Math. Cryptol. 11(2), 117–130 (2017)
McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. Deep Space Netw. Prog. Rep. 44, 114–116 (1978)
Menezes, A.J., Vanstone, S.A.: A note on cyclic groups, finite fields, and the discrete logarithm problem. Appl. Algebr. Eng. Commun. Comput. 3(1), 67–74 (1992)
Miller, G.L.: Riemann’s hypothesis and tests for primality. In: Proceedings of Seventh Annual ACM Symposium on Theory of Computing, pp. 234–239 (1975)
More, W.: Fast evaluation of Rédei functions. Appl. Algebr. Eng. Commun. Comput. 6(3), 171–173 (1995)
NIST: Round 1 Submissions. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-1-Submissions. Accessed 2019
Padhye, S.: A public key cryptosystem based on Pell equation. IACR Cryptology ePrint Archive, Report 2006/191 (2006)
Rédei, L.: Über eindeutig umkehrbare Polynome in endlichen Körpern. Acta Sci. Math. 11, 85–92 (1946)
Lim, S., Kim, S., Yie, I., Lee, H.: A generalized Takagi-cryptosystem with a modulus of the form \(p^{r}q^{s}\). In: Roy, B., Okamoto, E. (eds.) INDOCRYPT 2000. LNCS, vol. 1977, pp. 283–294. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44495-5_25
Shoup, V.: A Computational Introduction to Number Theory and Algebra. Cambridge University Press, Cambridge (2009)
Takagi, T.: Fast RSA-type cryptosystem modulo \(p^kq\). In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 318–326. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055738
Wiener, M.J.: Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory 36(3), 553–558 (1990)
Zimmermann, S.: 50 largest factors found by ECM. https://members.loria.fr/PZimmermann/records/top50.html. Accessed 2017
© 2020 Springer Nature Switzerland AG
Bellini, E., Murru, N. (2020). A Multi-factor RSA-like Scheme with Fast Decryption Based on Rédei Rational Functions over the Pell Hyperbola. In: Sergeyev, Y., Kvasov, D. (eds) Numerical Computations: Theory and Algorithms. NUMTA 2019. Lecture Notes in Computer Science(), vol 11973. Springer, Cham. https://doi.org/10.1007/978-3-030-39081-5_30
DOI: https://doi.org/10.1007/978-3-030-39081-5_30