
1 Introduction

RSA is the most widespread asymmetric encryption scheme. Its security is based on the fact that the trapdoor function \(\tau _{N,e}(x) = x^e \mod N\), where \(N=pq\) is the product of two large prime integers and e is an invertible element in \(\mathbb {Z}_{\phi (N)}\) (\(\phi (N)\) being the Euler totient function), cannot be inverted by a polynomial-time algorithm (polynomial in the size of N) without knowing either the integers p, q, \(\phi (N)\) or the inverse d of e modulo \(\phi (N)\). Thus the pair (N, e), called the public key, is known to everyone, while the triple (p, q, d), called the secret key, is only known to the receiver of an encrypted message. Both encryption and decryption are performed through an exponentiation modulo N. Precisely, the ciphertext C is obtained as \(C=M^e \pmod N\), and the original message M is recovered with the exponentiation \(M = C^d \pmod N\). While usually the encryption exponent is chosen to be small, the decryption exponent is about the size of N, making decryption much slower than encryption. Through the years many proposals have been presented trying to speed up the decryption process.

In this work we present the fastest, to the authors' knowledge, of such decryption algorithms whose security is based on the factorization problem. The presented scheme exploits different properties of Rédei rational functions, which are classical functions in number theory. The proposed decryption algorithm is faster than RSA by a factor that grows quadratically with the number of primes composing the modulus N.

The work is divided as follows. In Sect. 2 an overview of the main schemes based on the factorization problem which successfully improved the RSA decryption step is presented. In Sect. 3 the main theoretical results underlying our scheme are described. Section 4 is devoted to the presentation of the cryptographic scheme, and in Sects. 5 and 6 its security and efficiency are discussed, respectively. Section 7 concludes the work.

2 Related Work

In this section we briefly overview the main cryptographic schemes based on the factorization problem that have been introduced in order to improve the RSA decryption step.

Usually, the general technique to speed up the RSA decryption step \(M = C^d \pmod N\) is to compute the exponentiation modulo each factor of N and then recombine the partial results into M using the Chinese Remainder Theorem.

2.1 Multifactor RSA

There exist variants of the RSA scheme which exploit a modulus with more than 2 factors to achieve a faster decryption algorithm. These variants are sometimes called Multifactor RSA [6], or Multiprime RSA [8, 10]. The first proposal exploiting a modulus of the form \(N=p_1 p_2 p_3\) was patented by Compaq [9, 10] in 1997. At about the same time Takagi [30] proposed an even faster solution using the modulus \(N=p^r q\), for which the exponentiation modulo \(p^r\) is computed using the Hensel lifting method [11, p. 137]. Later, this solution was generalized to the modulus \(N=p^r q^s\) [28]. According to [10], the appropriate number of primes to be chosen in order to resist state-of-the-art factorization algorithms depends on the modulus size; precisely, it can be: up to 3 primes for 1024, 1536, 2048, 2560, 3072, and 3584 bit moduli, up to 4 for 4096, and up to 5 for 8192.

2.2 RSA-like Schemes

Another solution, which allows one to obtain even faster decryption, is to use RSA-like schemes based on isomorphisms, as in [3, 16, 17, 26]. As an additional property, these schemes have better security properties than RSA, avoiding small exponent attacks on either d [31] or e [12, 13], and vulnerabilities which appear when switching from a one-to-one communication scenario to a broadcast scenario (e.g., see [14]). The aforementioned schemes are based on an isomorphism between two groups, one of which is the set of points on a curve, usually a cubic or a conic. A complete overview of RSA-like schemes based on conics can be found in [3]. In general, schemes based on cubic curves have a computationally more expensive addition operation compared to schemes based on conic equations.

2.3 Generalizing RSA-like Scheme with Multifactor Modulus

As done when generalizing from RSA to Multiprime RSA, in [7] a generalization of [16, 17] has been proposed, thus extending an RSA-like scheme based on elliptic curves and a modulus \(N=pq\) to a similar scheme based on the generic modulus \(N=p^rq^s\).

In this paper we present a similar generalization of the scheme [3], which is based on the Pell equation, to the modulus \(N=p_1^{e_1}\cdot \ldots \cdot p_r^{e_r}\) for \(r > 2\), obtaining the fastest decryption of all schemes discussed in this section.

3 Product of Points over the Pell Hyperbola

In [3], we introduced a novel RSA-like scheme based on an isomorphism between certain conics (of which the Pell hyperbola is a special case) and a set of parameters equipped with a non-standard product. In Sect. 4, we generalize this scheme considering a prime power modulus \(N = p_1^{e_1} \cdots p_r^{e_r}\). In this section, we recall some definitions and properties given in [3] in order to improve the readability of the paper. Then, we study properties of the involved products and sets in \({\mathbb Z}_{p^r}\) and \({\mathbb Z}_N\).

3.1 A Group Structure over the Pell Hyperbola over a Field

Let \(\mathbb K\) be a field and \(x^2 - D\) an irreducible polynomial over \(\mathbb K [x]\). Considering the quotient field \(\mathbb A[x] = \mathbb K[x] / (x^2 - D)\), the induced product over \(\mathbb A[x]\) is

$$(p + q x) (r + s x) = (p r + q s D) + (q r + p s) x.$$

The group of unitary elements of \(\mathbb A^*[x] = \mathbb A[x] - \{0_{\mathbb A[x]}\}\) is \(\{ p + q x \in \mathbb A^*[x] : p^2 - D q^2 = 1 \}\). Thus, we can introduce the commutative group \(({\mathcal H}_{D,\mathbb K}, \otimes )\), where

$${\mathcal H}_{D,\mathbb K} = \{ (x,y) \in \mathbb K \times \mathbb K : x^2 - D y^2 =1 \}$$

and

$$\begin{aligned} (x,y) \otimes (w,z) = (x w + y z D, y w + x z), \quad \forall (x,y), \ (w,z) \in {\mathcal H}_{D,\mathbb K}. \end{aligned}$$
(1)

It is worth noting that (1, 0) is the identity and the inverse of an element (x, y) is \((x,-y)\).

Remark 1

When \(\mathbb K = \mathbb R\), the conic \({\mathcal H}_{D,\mathbb K}\), for D a non-square integer, is called the Pell hyperbola since it contains all the solutions of the Pell equation and \(\otimes \) is the classical Brahmagupta product, see, e.g., [15].

3.2 A Parametrization of the Pell Hyperbola

From now on let \(\mathbb {A}=\mathbb {A}[x]\).

Starting from \(\mathbb A^*\), we can derive a parametrization for \({\mathcal H}_{D,\mathbb K}\). In particular, let us consider the group \(\mathbb A^* / \mathbb K^*\), whose elements are the equivalence classes of \(\mathbb A^*\) and can be written as

$$\{ [a + x] : a \in \mathbb K \} \cup \{[1_{\mathbb K^*}]\}.$$

The induced product over \(\mathbb A^* / \mathbb K^*\) is given by

$$[a + x] [b + x] = [ab + ax + bx + x^2] = [D + a b + (a + b) x]$$

and, if \(a + b \not = 0\), we have

$$[a + x] [b + x] = [\frac{D + a b}{a + b} + x]$$

else

$$[a + x] [b + x] = [D + a b] = [1_{\mathbb K^*}].$$

This construction allows us to define the set of parameters \({\mathcal P}_{\mathbb K} = \mathbb K \cup \{\alpha \}\), with \(\alpha \) not in \(\mathbb K\), equipped with the following product:

$$\begin{aligned} {\left\{ \begin{array}{ll} a \odot b = \frac{D + a b}{a + b}, \quad a + b \not = 0 \\ a \odot b = \alpha , \quad a + b = 0 \end{array}\right. }. \end{aligned}$$
(2)

We have that \(({\mathcal P}_\mathbb K, \odot )\) is a commutative group with identity \(\alpha \) and the inverse of an element a is the element b such that \(a + b = 0\). Now, consider the following parametrization for the conic \({\mathcal H}_{D,\mathbb K}\):

$$y = \frac{1}{m}(x + 1)\,.$$

It can be proved that the following isomorphism between \(({\mathcal H}_{D,\mathbb K}, \otimes )\) and \(({\mathcal P}_{\mathbb K}, \odot )\) holds:

$$\begin{aligned} {\varPhi }_{D}: {\left\{ \begin{array}{ll} {\mathcal H}_{D,\mathbb K} & \rightarrow {\mathcal P}_{\mathbb K}\\ (x,y) & \mapsto \frac{1+x}{y} \quad \forall (x,y)\in {\mathcal H}_{D,\mathbb K}, \quad y\not =0 \\ (1,0) & \mapsto \alpha \\ (-1,0) & \mapsto 0 \ , \end{array}\right. } \end{aligned}$$
(3)

and

$$\begin{aligned} {\varPhi }^{-1}_{D}: {\left\{ \begin{array}{ll} {\mathcal P}_{\mathbb K} & \rightarrow {\mathcal H}_{D,\mathbb K} \\ m & \mapsto \left( \frac{m^2+D}{m^2-D}\ , \frac{2m}{m^2-D}\right) \quad \forall m \in \mathbb K \\ \alpha & \mapsto (1,0)\ , \end{array}\right. }, \end{aligned}$$
(4)

see [1] and [3].

Proposition 1

When \(\mathbb K = {\mathbb Z}_p\), p prime, \(({\mathcal P}_{\mathbb K}, \odot )\) and \(({\mathcal H}_{D,\mathbb K}, \otimes )\) are cyclic groups of order \(p + 1\) and

$$m^{\odot (p+2)}=m \pmod p,\quad \forall m\in {\mathcal P}_{{\mathbb Z}_p}$$

or, equivalently

$$(x,y)^{\otimes (p+2)}=(x,y) \pmod p,\quad \forall (x,y)\in {\mathcal H}_{D,{\mathbb Z}_p},$$

where powers are performed using products \(\odot \) and \(\otimes \), respectively. See [3].

The powers in \({\mathcal P}_{\mathbb K}\) can be efficiently computed by means of the Rédei rational functions [27], which are classical functions in number theory. They are defined by considering the development of

$$(z + \sqrt{D})^n = A_n(D,z) + B_n(D,z)\sqrt{D},$$

for z integer and D non–square positive integer. The polynomials \(A_n(D,z)\) and \(B_n(D,z)\) defined by the previous expansion are called Rédei polynomials and can be evaluated by

$$M^n = \begin{pmatrix} A_n(D,z) & DB_n(D,z) \\ B_n(D,z) & A_n(D,z) \end{pmatrix}$$

where

$$M = \begin{pmatrix} z & D \\ 1 & z \end{pmatrix}.$$

From this property, it follows that the Rédei polynomials are linear recurrent sequences with characteristic polynomial \(t^2 - 2 z t + (z^2 - D)\). The Rédei rational functions are defined by

$$Q_n(D,z) = \frac{A_n(D,z)}{B_n(D,z)}, \quad \forall n \ge 1.$$

Proposition 2

Let \(m^{\odot n}\) be the n–th power of \(m \in {\mathcal P}_{\mathbb K}\) with respect to \(\odot \), then

$$m^{\odot n} = Q_n(D, m).$$

See [2].

Remark 2

The Rédei rational functions can be evaluated by means of an algorithm of complexity \(O(\log _2(n))\) with respect to addition, subtraction and multiplication over rings [24].

3.3 Properties of the Pell Hyperbola over a Ring

In this section, we study the case \(\mathbb K = {\mathbb Z}_{p^r}\) that we will exploit in the next section for the construction of a cryptographic scheme. In what follows, we will omit from \({\mathcal H}_{D, \mathbb K}\) the dependence on D when it will be clear from the context.

First, we need to determine the order of \({\mathcal H}_{{\mathbb Z}_{p^r}}\) in order to have a result similar to Proposition 1 also in this situation.

Theorem 1

The order of the cyclic group \({\mathcal H}_{{\mathbb Z}_{p^r}}\) is \(p^{r-1} (p + 1)\), i.e., the Pell equation \(x^2 - D y^2 = 1\) has \(p^{r-1} (p + 1)\) solutions in \({\mathbb Z}_{p^r}\) for \(D \in {\mathbb Z}_{p^r}^*\) quadratic non–residue in \({\mathbb Z}_{p}\).

Proof

Since, by Proposition 1, the Pell equation in \({\mathbb Z}_p\) has \(p + 1\) solutions, then we need to prove the following

  1. any solution of the Pell equation in \({\mathbb Z}_p\) generates \(p^{r-1}\) solutions of the same equation in \({\mathbb Z}_{p^r}\);

  2. all the solutions of the Pell equation in \({\mathbb Z}_{p^r}\) are generated as in the previous step.

  • (1) Let \((x_0, y_0)\) be a solution of \(x^2 - D y^2 \equiv 1 \pmod p\). We want to prove that for any integer \(0 \le k < p^{r-1}\), there exists one and only one integer h such that \((x_0 + k p, y_0 + h p)\) is a solution of \(x^2 - D y^2 \equiv 1 \pmod {p^r}\). Indeed, we have

    $$ (x_0 + k p)^2 - D (y_0 + h p)^2 = 1 + v p + 2 x_0 k p + k^2 p^2 - 2 D y_0 h p - D h^2 p^2, $$

    since \(x_0^2 - D y_0^2 = 1 + v p\) for a certain integer v. Thus, we have that \((x_0 + k p, y_0 + h p)\) is a solution of \(x^2 - D y^2 \equiv 1 \pmod {p^r}\) if and only if

    $$D p h^2 + 2 D y_0 h - v - 2 x_0 k - k^2 p \equiv 0 \pmod {p^{r-1}}.$$

    Hence, we have to prove that there is one and only one integer h that satisfies the above identity. The above equation can be solved in h by completing the square and reduced to

    $$\begin{aligned} (2 D p h + 2 D y_0)^2 \equiv s \pmod {p^{r-1}}, \end{aligned}$$
    (5)

    where \(s = (2 D y_0)^2 + 4 (v + 2 x_0 k + k^2 p) D p\). Let us prove that s is a quadratic residue in \({\mathbb Z}_{p^{r-1}}\). Indeed,

    $$s = 4 D ((x_0 + k p)^2 - 1)$$

    and surely the Jacobi symbol \(\left( \frac{s}{p^{r-1}} \right) = \left( \frac{s}{p} \right) ^{r-1} = 1\) if r is odd. If r is even we have that

    $$ \left( \frac{s}{p^{r-1}} \right) = \left( \frac{4}{p^{r-1}} \right) \left( \frac{D}{p^{r-1}} \right) \left( \frac{(x_0 + k p)^2 - 1}{p^{r-1}} \right) =1 $$

    since \(\left( \frac{4}{p^{r-1}} \right) = 1\), \(\left( \frac{D}{p^{r-1}} \right) = \left( \frac{D}{p} \right) ^{r-1} = -1\) by hypothesis on D, \(\left( \frac{(x_0 + k p)^2 - 1}{p^{r-1}} \right) = -1\), since \((x_0 + k p)^2 - 1 \equiv D y_0^2 \pmod p\). Now, let \(\pm t\) be the square roots of s. It is easy to note that

    $$t \equiv 2 D y_0 \pmod p, \quad -t \equiv - 2 D y_0 \pmod p$$

    or

    $$-t \equiv 2 D y_0 \pmod p, \quad t \equiv - 2 D y_0 \pmod p.$$

    Let us call \(\bar{t}\) the only one between t and \(-t\) that is equal to \(2 D y_0\) in \({\mathbb Z}_p\). Hence, Eq. (5) is equivalent to the linear equation

    $$p h \equiv (\bar{t} - 2 D y_0)(2 D)^{-1} \pmod {p^{r-1}},$$

    which has one and only one solution, since \(\bar{t} - 2 D y_0 \equiv 0 \pmod p\). Note that, if \(\bar{t}\) is not equal to \(2 D y_0\) in \({\mathbb Z}_p\) the above equation has no solutions. Thus, we have proved that any solution of the Pell equation in \({\mathbb Z}_p\) generates \(p^{r-1}\) solutions of the Pell equation in \({\mathbb Z}_{p^r}\).

  • (2) Now, we prove that all the solutions of the Pell equation in \({\mathbb Z}_{p^r}\) are generated as in step 1.

    Let \((\bar{x}, \bar{y})\) be a solution of \(x^2 - D y^2 \equiv 1 \pmod {p^r}\), i.e., \(\bar{x}^2 - D \bar{y}^2 = 1 + w p^{r}\), for a certain integer w. Then \(x_0 = \bar{x} - k p\) and \(y_0 = \bar{y} -h p\), for h, k integers, are solutions of \(x^2 - D y^2 \equiv 1 \pmod p\). Indeed,

    $$ (\bar{x} - k p)^2 - D (\bar{y} - h p)^2 = 1 + w p^r - 2 \bar{x} k p + k^2 p^2 + 2 D \bar{y} h p - D h^2 p^2 \,. $$

As a consequence of the previous theorem, an analogue of Euler's theorem holds for the product \(\otimes \).

Theorem 2

Let p, q be prime numbers and \(N = p^r q^s\), then for all \((x,y) \in {\mathcal H}_{{\mathbb Z}_N}\) we have

$$(x,y)^{\otimes p^{r-1}(p + 1) q^{s-1}(q + 1)} \equiv (1, 0) \pmod N$$

for \(D \in {\mathbb Z}_{N}^*\) quadratic non–residue in \({\mathbb Z}_p\) and \({\mathbb Z}_q\).

Proof

By Theorem 1, we know that

$$(x,y)^{\otimes p^{r-1}(p + 1)} \equiv (1, 0) \pmod {p^r}$$

and

$$(x,y)^{\otimes q^{s-1}(q + 1)} \equiv (1, 0) \pmod {q^s}.$$

Thus, setting \((a, b) = (x,y)^{\otimes p^{r-1}(p + 1) q^{s-1}(q + 1)}\), we have

$$(a, b) \equiv (1,0) \pmod {p^r},$$

i.e., \(a = 1 + kp^r\) and \(b = hp^r\) for some integers h, k. On the other hand, we have

$$(a, b) \equiv (1,0) \pmod {q^s} \Leftrightarrow (1 + kp^r, hp^r) \equiv (1,0) \pmod {q^s}.$$

We can observe that \(1 + kp^r \equiv 1 \pmod {q^s}\) if and only if \(k = k'q^s\) for a certain integer \(k'\). Similarly, it must be \(h = h'q^s\), for an integer \(h'\). Hence, we have that \((a, b) = (1 + k'p^rq^s, h'p^rq^s) \equiv (1, 0) \pmod N\).

Corollary 1

Let \(p_1, ..., p_r\) be primes and \(N = p_1^{e_1}\cdot \ldots \cdot p_r^{e_r}\), then for all \((x,y) \in {\mathcal H}_{{\mathbb Z}_N}\) we have

$$(x,y)^{\otimes \varPsi (N)} = (1,0) \pmod N,$$

where

$$\varPsi (N) = p_1^{e_1-1} (p_1 + 1) \cdot \ldots \cdot p_r^{e_r-1} (p_r + 1),$$

for \(D \in {\mathbb Z}_{N}^*\) quadratic non–residue in \({\mathbb Z}_{p_i}\), for \(i = 1, ..., r\).
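As an added example, not part of the paper, the following Python code checks Theorem 1 and Corollary 1 exhaustively on small moduli using the product \(\otimes \) of Eq. (1): it counts the points of the Pell hyperbola over \({\mathbb Z}_{p^r}\) and raises every point of \({\mathcal H}_{{\mathbb Z}_N}\) to the power \(\varPsi (N)\). The primes, exponents and values of D are constructed toy choices; the contrast case with a square D is a side check (not a statement of the paper) showing why the non-residue hypothesis is needed.

```python
# Added example (not from the paper): exhaustive checks of Theorem 1 and
# Corollary 1 on small moduli, using the product ⊗ of Eq. (1).

def otimes(P, Q, D, N):
    """Brahmagupta product (1) of two points of the Pell hyperbola over Z_N."""
    (x, y), (w, z) = P, Q
    return ((x * w + y * z * D) % N, (y * w + x * z) % N)

def otimes_pow(P, n, D, N):
    """P^{⊗n} by square-and-multiply; (1, 0) is the identity."""
    R = (1, 0)
    while n:
        if n & 1:
            R = otimes(R, P, D, N)
        P, n = otimes(P, P, D, N), n >> 1
    return R

def pell_solutions(D, N):
    """All (x, y) in Z_N x Z_N with x^2 - D y^2 = 1 (exhaustive; small N only)."""
    return [(x, y) for x in range(N) for y in range(N)
            if (x * x - D * y * y) % N == 1]

def is_nonresidue(D, p):
    """True when D is a quadratic non-residue modulo the odd prime p."""
    return pow(D % p, (p - 1) // 2, p) == p - 1

def count_pell_solutions(D, p, r):
    """Order of H over Z_{p^r}.  Theorem 1 predicts p^{r-1}(p+1) when D is a
    non-residue mod p; for a square D the count differs (side check)."""
    return len(pell_solutions(D, p ** r))

def psi(factorization):
    """Psi(N) = prod p_i^{e_i-1} (p_i + 1) for N = prod p_i^{e_i}."""
    out = 1
    for p, e in factorization:
        out *= p ** (e - 1) * (p + 1)
    return out

def check_corollary_1(factorization, D):
    """True when (x,y)^{⊗Psi(N)} = (1,0) for every point of H over Z_N."""
    N = 1
    for p, e in factorization:
        assert is_nonresidue(D, p), "Corollary 1 needs D a non-residue mod p"
        N *= p ** e
    return all(otimes_pow(P, psi(factorization), D, N) == (1, 0)
               for P in pell_solutions(D, N))
```

For \(p = 5\), \(r = 2\), \(D = 2\) the count is \(5 \cdot 6 = 30\) as Theorem 1 predicts, while for the square \(D = 4\) it drops to 20; over \(N = 3^2 \cdot 5\) with \(D = 2\) every one of the 72 points is killed by \(\varPsi (N) = 72\).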

Now, we can observe that when we work on \({\mathbb Z}_{N}\), the map \({\varPhi }_D\) is not an isomorphism. Indeed, the orders of \({\mathcal H}_{D,{\mathbb Z}_{N}}\) and \({\mathcal P}_{{\mathbb Z}_{N}}\) do not coincide. However, it is still a morphism and we also have \(|{\mathbb Z}_{N}^* |= |{\mathcal H}^*_{{\mathbb Z}_{N}} |\), because of the following proposition.

Proposition 3

With the above notation, we have that

  1. \(\forall (x_1,y_1), (x_2,y_2)\in {\mathcal H}^*_{{\mathbb Z}_{N}}\), \({\varPhi }_D(x_1,y_1)={\varPhi }_D(x_2,y_2)\Leftrightarrow (x_1,y_1)=(x_2,y_2)\);

  2. \(\forall m_1, m_2\in {\mathbb Z}_{N}^*\), \({\varPhi }_D^{-1}(m_1)={\varPhi }_D^{-1}(m_2)\Leftrightarrow m_1=m_2\);

  3. \(\forall m\in {\mathbb Z}_{N}^*\), we have \({\varPhi }^{-1}(m)\in {\mathcal H}^*_{{\mathbb Z}_{N}}\) and \(\forall (x,y)\in {\mathcal H}^*_{{\mathbb Z}_{N}}\), we have \({\varPhi }_D(x,y)\in {\mathbb Z}_{N}^*\).

See [3].

As a consequence, we have an analogue of Euler's theorem also for the product \(\odot \), i.e., for all \(m \in {\mathbb Z}^*_N\) the following holds

$$m^{\odot \varPsi (N)} = \alpha \pmod N\,,$$

where \(\odot \) is the special product in \({\mathcal P}_{{\mathbb Z}_N}\) defined in Eq. 2.

4 The Cryptographic Scheme

In this section, we describe our public–key cryptosystem based on the properties studied in the previous section.

4.1 Key Generation

The key generation is performed by the following steps:

  • choose r prime numbers \(p_1, \dots , p_r\), r odd integers \(e_1, \dots , e_r\) and compute \(N = \prod _{i=1}^r p_i^{e_i}\);

  • choose an integer e such that \(\gcd \bigl( e, \operatorname{lcm}_{i=1}^{r} p_i^{e_i-1}(p_i + 1) \bigr) = 1\);

  • evaluate \(d = e^{-1} \pmod {\operatorname{lcm}_{i=1}^{r} p_i^{e_i-1}(p_i + 1)}\).

The public or encryption key is given by (N, e) and the secret or decryption key is given by \((p_1,\ldots ,p_r, d)\).

4.2 Encryption

We can encrypt a pair of messages \((M_x, M_y) \in {\mathbb Z}_N^* \times {\mathbb Z}_N^*\), such that \(\left( \frac{M_x^2 - 1}{N} \right) = -1\). This condition ensures that we can perform all the operations. The encryption of the messages is performed by the following steps:

  • compute \(D = \frac{M_x^2 - 1}{M_y^2} \pmod N\), so that \((M_x, M_y) \in {\mathcal H}^*_{D, {\mathbb Z}_N}\);

  • compute \(M = {\varPhi }(M_x, M_y) = \frac{M_x + 1}{M_y} \pmod N\);

  • compute the ciphertext \(C = M^{\odot e} \pmod N = Q_e(D,M) \pmod N\).

Notice that not only C, but the pair (C, D) must be sent through the insecure channel.

4.3 Decryption

The decryption is performed by the following steps:

  • compute \(C^{\odot d} \pmod N = Q_d(D,C) \pmod N = M\);

  • compute \({\varPhi }^{-1}(M) = \left( \frac{M^2 + D}{M^2 - D}, \frac{2 M}{M^2 - D} \right) \pmod N\) for retrieving the messages \((M_x, M_y)\).
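As an added example, not part of the paper, the following Python code implements the key generation, encryption and decryption steps above on top of the parameter product (2), the maps (3) and (4) and the Rédei rational functions of Sect. 3.2, so that \(m^{\odot n}\) is computed both by square-and-multiply with \(\odot \) and through the matrix power defining \(A_n\) and \(B_n\) (Propositions 1 and 2). The primes, the starting exponent 65537 and the message bytes are constructed assumptions. The toy modulus \(N = 7^3 \cdot 11 \cdot 13\) with \(e = 5\) encrypts the pair (5, 2) correctly, but its decryption runs into an \(a + b\) that is not invertible in \({\mathbb Z}_N\), the impossible group operation discussed in Sect. 5.4 of this paper; the code reports it as a factor of N. With three 30-bit primes the round trip completes.

```python
# Added example (not from the paper): toy implementation of the scheme of Sect. 4
# on top of the product (2), the maps (3)/(4) and the Redei functions of Sect. 3.2.
from math import gcd
ALPHA = None  # the extra parameter alpha, identity of (P_N, ⊙)

class ImpossibleOperation(ValueError):
    """a+b not invertible mod N; args[0] is the factor gcd(a+b, N) (Sect. 5.4)."""

def legendre(a, p):
    """Legendre symbol (a/p), p an odd prime, by Euler's criterion."""
    return 0 if a % p == 0 else (1 if pow(a, (p - 1) // 2, p) == 1 else -1)

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (standard reciprocity loop)."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a, result = a // 2, (-result if n % 8 in (3, 5) else result)
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def odot(a, b, D, N):
    """Product (2) on P_N = Z_N ∪ {alpha}."""
    if a is ALPHA or b is ALPHA:
        return b if a is ALPHA else a
    s = (a + b) % N
    if s == 0:
        return ALPHA
    if gcd(s, N) != 1:
        raise ImpossibleOperation(gcd(s, N))
    return (D + a * b) * pow(s, -1, N) % N

def odot_pow(m, n, D, N):
    """m^{⊙n} by square-and-multiply; equals Q_n(D, m) by Proposition 2."""
    result, base = ALPHA, m
    while n:
        if n & 1:
            result = odot(result, base, D, N)
        n >>= 1
        if n:  # skip the final, unused squaring
            base = odot(base, base, D, N)
    return result

def redei_matrix(D, z, n, N):
    """(A_n(D,z), B_n(D,z)) mod N from the matrix power M^n of Sect. 3.2."""
    def mul(X, Y):
        return [[(X[i][0] * Y[0][j] + X[i][1] * Y[1][j]) % N for j in range(2)]
                for i in range(2)]
    R, M = [[1, 0], [0, 1]], [[z % N, D % N], [1, z % N]]
    while n:
        if n & 1:
            R = mul(R, M)
        M, n = mul(M, M), n >> 1
    return R[0][0], R[1][0]  # M^n = [[A_n, D*B_n], [B_n, A_n]]

def keygen(primes, exps, e_start):
    """Sect. 4.1; e is the first integer >= e_start coprime to the lcm."""
    N, L = 1, 1
    for p, k in zip(primes, exps):
        N, t = N * p ** k, p ** (k - 1) * (p + 1)
        L = L * t // gcd(L, t)
    e = e_start
    while gcd(e, L) != 1:
        e += 1
    return (N, e), (primes, exps, pow(e, -1, L))

def pick_mx(N, primes, start):
    """First Mx >= start in Z_N^* with Mx^2 - 1 a non-residue mod every p_i
    (hypothesis of Corollary 1; with r and all e_i odd it gives Jacobi = -1)."""
    Mx = start % N
    while gcd(Mx, N) != 1 or any(legendre(Mx * Mx - 1, p) != -1 for p in primes):
        Mx += 1
    return Mx

def encrypt(pub, Mx, My):
    """Sect. 4.2: returns the pair (C, D) that is sent over the channel."""
    N, e = pub
    assert gcd(My, N) == 1 and jacobi(Mx * Mx - 1, N) == -1
    D = (Mx * Mx - 1) * pow(My * My, -1, N) % N  # (Mx, My) lies on x^2 - D y^2 = 1
    M = (Mx + 1) * pow(My, -1, N) % N            # Phi_D(Mx, My)
    return odot_pow(M, e, D, N), D               # C = Q_e(D, M)

def decrypt(pub, priv, C, D):
    """Sect. 4.3: M = C^{⊙d}, then Phi_D^{-1}(M)."""
    N, d = pub[0], priv[2]
    M = odot_pow(C, d, D, N)
    inv = pow((M * M - D) % N, -1, N)
    return (M * M + D) * inv % N, 2 * M * inv % N

def demo():
    """Round trip with three ~30-bit primes (constructed toy parameters)."""
    pub, priv = keygen([1000000007, 1000000009, 998244353], [3, 1, 1], 65537)
    Mx = pick_mx(pub[0], priv[0], int.from_bytes(b"first half", "big"))
    My = int.from_bytes(b"second half", "big")
    C, D = encrypt(pub, Mx, My)
    return decrypt(pub, priv, C, D) == (Mx, My)
```

On the toy modulus, \(M = {\varPhi }(5,2) = 3\), \(D = 6\) and \(C = Q_5(6,3) = 2403/981 \equiv 22052 \pmod {49049}\), which the matrix form of the Rédei polynomials confirms. With primes this small, an element whose partner is not invertible appears within the first few steps of the decryption chain (Proposition 5 puts the per-operation probability near \(1/7 + 1/11 + 1/13\)), which is why the code raises `ImpossibleOperation` instead of returning a wrong plaintext.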

5 Security of the Encryption Scheme

The proposed scheme can be attacked by solving one of the following problems:

  1. factorizing the modulus \(N=p_1^{e_1}\cdot \ldots \cdot p_r^{e_r}\);

  2. computing \(\varPsi (N) = p_1^{e_1-1}(p_1+1)\cdot \ldots \cdot p_r^{e_r-1}(p_r+1)\), or finding the number of solutions of the equation \(x^2-Dy^2 \equiv 1 \mod N\), i.e. the curve order, which divides \(\varPsi (N)\);

  3. solving the discrete logarithm problem either in \(({\mathcal H}^*_{{\mathbb Z}_N},\otimes )\) or in \(({\mathcal P}^*_{{\mathbb Z}_N},\odot )\);

  4. finding the unknown d in the equation \(ed \equiv 1 \mod \varPsi (N)\);

  5. finding an impossible group operation in \({\mathcal P}_{{\mathbb Z}_N}\);

  6. computing \(M_x,M_y\) from D.

5.1 Factorizing N or Computing the Curve Order

It is well known that the problem of factorizing \(N=p_1^{e_1}\cdot \ldots \cdot p_r^{e_r}\) is equivalent to that of computing the Euler totient function \(\phi (N)=p_1^{e_1-1}(p_1-1)\cdot \ldots \cdot p_r^{e_r-1}(p_r-1)\), e.g. see [23] or [29, Section 10.4].

In our case we need to show the following

Proposition 4

The problem of factorizing N is equivalent to the problem of computing \(\varPsi (N)=p_1^{e_1-1}(p_1+1)\cdot \ldots \cdot p_r^{e_r-1}(p_r+1)\) or the order of the group \({\mathcal P}^*_{{\mathbb Z}_N}\) (or equivalently of \({\mathcal H}^*_{{\mathbb Z}_N}\)), which is a divisor of \(\varPsi (N)\).

Proof

Clearly, knowing the factorization of N yields \(\varPsi (N)\). Conversely, suppose N and \(\varPsi (N)\) are known. A factorization of N can be found by applying Algorithm 1 recursively.

Remark 3

Algorithm 1 is an adaptation of the general algorithm in [29, Section 10.4], used to factorize N by knowing only \(\phi (N)\) (the Euler totient function) and N itself. The main idea of Algorithm 1 comes from the fact that \(x^{\odot \varPsi (N)}=\alpha \pmod N\) for all \(x \in {\mathbb Z}^*_N\), which is the analogue of Euler's theorem in \({\mathcal P}_{{\mathbb Z}_N}\). Notice that, because of Step 7, Algorithm 1 is a probabilistic algorithm. Thus, to find a non-trivial factor, it might be necessary to run the algorithm more than once. We expect that a deeper analysis of the algorithm will show a probabilistic behaviour similar to that of the algorithm in [29], which returns a non-trivial factor with probability 1/2.

Algorithm 1 (pseudocode given as a figure in the original; not reproduced here)

Since we proved that the problems 1 and 2 are equivalent, we can only focus on the factorization problem.

According to [10], state-of-the-art factorization methods such as the Elliptic Curve Method [18] or the Number Field Sieve [4, 19] are not effective in the following practical cases:

  • \(|N|=1024, 1536, 2048, 2560, 3072, 3584\) and \(N=p_1^{e_1} p_2^{e_2} p_3^{e_3}\) with \(e_1+e_2+e_3 \le 3\) and \(p_i,i=1,2,3\) greater than approximately the size of \(\sqrt[3]{N}\).

  • \(|N|=4096\) and \(N=p_1^{e_1} p_2^{e_2} p_3^{e_3} p_4^{e_4}\) with \(e_1+e_2+e_3+e_4 \le 4\) and \(p_i,i=1,\ldots ,4\) greater than approximately the size of \(\sqrt[4]{N}\).

  • \(|N|=8192\) and \(N=p_1^{e_1} p_2^{e_2} p_3^{e_3} p_4^{e_4} p_5^{e_5}\) with \(e_1+e_2+e_3+e_4+e_5 \le 5\) and \(p_i,i=1,\ldots ,5\) greater than approximately the size of \(\sqrt[5]{N}\).

Notice that currently the largest prime factor found by the Elliptic Curve Method is a 274-bit integer [32]. Note also that the Lattice Factoring Method (LFM) of Boneh, Durfee, and Howgrave-Graham [5] is designed to factor integers of the form \(N=p^u q\) only for large u.

5.2 Computing the Discrete Logarithm

Solving the discrete logarithm problem on a conic curve can be reduced to the discrete logarithm problem in the underlying finite field [22]. In our case the curve is defined over the ring \(\mathbb {Z}_N\). Solving the DLP over \(\mathbb {Z}_N\) without knowing the factorization of N is as hard as solving the DLP over a prime finite field of approximately the same size. As for the factorization problem, the best known algorithm to solve the DLP on a prime finite field is the Number Field Sieve. When the size of N is greater than 1024, the NFS cannot be effective.

5.3 Solving the Private Key Equation

In the case of RSA, small exponent attacks [12, 13, 31] can be performed to find the unknown d in the equation \(ed \equiv 1 \mod \varPsi (N)\). Generalizations of these attacks can be performed on RSA variants where the modulus is of the form \(N=p_1^{e_1}p_2^{e_2}\) [20]. It has already been argued in [3] and [16] that this kind of attack fails when the trapdoor function is not a simple monomial power as in RSA, as is the case in the proposed scheme.

5.4 Finding an Impossible Group Operation

In the case of elliptic curves over \({\mathbb Z}_N\), as in the generalized KMOV cryptosystem [7], it could happen that an impossible addition between two curve points occurs, yielding the factorization of N. This is due to the fact that the addition formula requires performing an inversion in the underlying ring \({\mathbb Z}_N\). However, as shown by the authors of [7], the occurrence of an impossible addition is very unlikely for N with few and large prime factors.

In our case an impossible group operation may occur if \(a+b\) is not invertible in \({\mathbb Z}_N\), i.e. if \(\gcd (a+b,N) \ne 1\), yielding in fact a factor of N. However, also in our case, if N contains a few large prime factors, impossible group operations occur with negligible probability, as shown by the following proposition.

Proposition 5

The probability of finding a non-invertible element in \({\mathcal P}_{{\mathbb Z}_N}\) is approximately

$$ 1-\left( 1-\frac{1}{p_1}\right) \cdot \ldots \cdot \left( 1-\frac{1}{p_r}\right) $$

Proof

The probability of finding a non-invertible element in \({\mathcal P}_{{\mathbb Z}_N}\) is given by dividing the number of non-invertible elements in \({\mathcal P}_{{\mathbb Z}_N}\) by the total number of elements of this set, as follows:

$$\begin{aligned}&\frac{|{\mathcal P}_{{\mathbb Z}_N}| - \#\{\text {invertible elements in }{\mathcal P}_{{\mathbb Z}_N} \}}{|{\mathcal P}_{{\mathbb Z}_N}|} \end{aligned}$$
(6)
$$\begin{aligned} =&\frac{|{\mathbb Z}_N|+1 - (\#\{\text {invertible elements in }{\mathbb Z}_N\}+1)}{|{\mathbb Z}_N|+1} \end{aligned}$$
(7)
$$\begin{aligned} =&\frac{N-\phi (N)}{N+1} \end{aligned}$$
(8)
$$\begin{aligned} \sim&1-\left( 1-\frac{1}{p_1}\right) \cdot \ldots \cdot \left( 1-\frac{1}{p_r}\right) \end{aligned}$$
(9)

where we used \(N\sim N+1\) and \(\phi (N)=N\left( 1-\frac{1}{p_1}\right) \cdot \ldots \cdot \left( 1-\frac{1}{p_r}\right) \).

This probability tends to zero for large prime factors.

Let us notice that, in the Pell curve case, it is possible to avoid such a situation by performing encryption and decryption in \({\mathcal H}^*_{{\mathbb Z}_N}\), without exploiting the isomorphism. Here the group operation \(\otimes \) is defined between two points on the Pell curve, as in Eq. 1, and does not involve an inversion. In the resulting scheme the ciphertext is obtained as \((C_x,C_y)=(M_x,M_y)^{\otimes e}\), where the operation \(\otimes \) depends on D. Thus the triple \((C_x,C_y,D)\) must be transmitted, resulting in a non-compressed ciphertext.

5.5 Recovering the Message from D

To recover the message pair \((M_x, M_y)\) from \(D = \frac{M_x^2 - 1}{M_y^2} \pmod N\), the attacker must solve the quadratic congruence \(M_x^2 - D M_y^2 - 1 = 0 \pmod N\) with respect to the two unknowns \(M_x\) and \(M_y\). Even if one of the two coordinates is known (partially known plaintext attack), it is well known that computing square roots modulo a composite integer N, when the square root exists, is equivalent to factoring N itself.

5.6 Further Comments

As a conclusion to this section, we only mention that, as shown in [3], RSA-like schemes based on isomorphisms have the following properties: they are more secure than RSA in the broadcast scenario, and they can be transformed into semantically secure schemes using standard techniques which introduce randomness in the process of generating the ciphertext.

6 Efficiency of the Encryption Scheme

Recall that our scheme encrypts and decrypts messages of size \(2\log N\). To decrypt a ciphertext of size \(2\log N\) using CRT, standard RSA requires four full exponentiations modulo N/2-bit primes. Basic algorithms to compute \(x^d \mod p\) require \(O(\log d \log ^2p)\) operations, which is \(O(\log ^3p)\) if \(d \sim p\).

Using CRT, if \(N=p_1^{e_1}\cdot \ldots \cdot p_r^{e_r}\), our scheme requires at most r exponentiations modulo N/r-bit primes.

This means that the final speed up of our scheme with respect to RSA is

$$\begin{aligned} \frac{4 \cdot (N/2)^3}{r \cdot (N/r)^3} = r^2/2 \end{aligned}$$
(10)

When \(r=2\) our scheme is two times faster than RSA, as has already been shown in [3]. If \(r=3\) our scheme is 4.5 times faster, with \(r=4\) it is 8 times faster, and with \(r=5\) it is 12.5 times faster.

7 Conclusions

We generalized an RSA-like scheme based on the Pell hyperbola from a modulus that was a product of two primes to a generic modulus. We showed that this generalization leads to a very fast decryption step, up to 12 times faster than original RSA for the security level of a modulus of 8192 bits. The scheme preserves all security properties of RSA-like schemes, which are in general more secure than RSA, especially in a broadcast scenario. Compared to similar schemes based on elliptic curves it is more efficient. We also pointed out that a variation of the scheme with non-compressed ciphertext does not suffer from impossible group operation attacks.