A Public-Key Cryptosystem Based on Lucas Sequences

Transcription

1 Palestine Journal of Mathematics Vol. 1(2) (2012), Palestine Polytechnic University-PPU 2012 A Public-Key Crytosystem Based on Lucas Sequences Lhoussain El Fadil Communicated by Ayman Badawi MSC2010 Classification: 11T71. Keywords : Lucas sequences, Public-Key Cryto-system, Semantic security. Suorted by the Sanish ministry (Ref : SB ) at CRM of Barcelona Abstract. Based on Lucas functions, an imroved version of Diffie-hellman key distribution, El Gamal ublic key cryto-system scheme and El Gamal signature scheme are roosed, together with an imlementation and comutational cost. The security relies on the difficulty of factoring an RSA integer and on the difficulty of comuting the discrete logarithm. Introduction In [1], Diffie and Hellman introduced a ractical solution to the key distribution roblem, allowing two arties, Alice and Bob never met, to share a secret key by exchanging information over an oen channel. In [2], El Gamal used Diffie-Hellman ideas to design a cryto-system whose security is based on the difficulty of solving the discrete logarithm roblem. In [3], It was suggested that linear sequences could be used instead of the standard RSA. In this aer, based on Lucas sequences, an imroved of Diffie-hellman key distribution,el Gamal ublic key cryto-system and El Gamal digital signature were roosed. This considerably reduces the comutation cost of these methods. The security relies on the difficulty of factoring an RSA integer. In section 1, an investigation of crytograhic roerties of Lucas sequences, and a comutational method to evaluate the k th term of a Lucas sequence are given. In section 2, two crytograhic alications are given, their security and comutational cost were analyzed. 1 Lucas sequences In this section, the main crytograhic roerties of Lucas sequences are studied. A comutational method to evaluate the k th term are given, together with an analysis of its comutational cost. Throughout this section, is a rime integer, a Z, f(x) = X 2 ax + 1 [] a olynomial in IF [X], α a root of f(x) in a slitting field of f(x) and s(a) the characteristic sequence generated by a modulo, where IF := Z/ Z is the finite field of element. Denote the reduction modulo, A = IF [X]/(f(X)) and α = X the class of X modulo the rincial ideal of IF [X] generated by f(x). For every x A, let l x be the linear ma of A defined by l x (y) = xy, T (x) = T r(l x ) and N(x) = det(l x ) the trace and norm of x, where det(l x ) is the determinant of the linear ma l x, and T r(l x ) is its trace. Define a sequence s(a) as follows : s k (a) = T (α k ). Since f(α) = 0 and the ma trace is linear, it follows that s k+2 (a) = as k+1 (a) s k (a) modulo. So, s(a) is a second order linear sequence (Lucas sequence), called the characteristic sequence generated by a. Remark. Let l k be( the endomorhism ) ( of A defined ) by l k (x) = α k x, and M k its matrix with resect to the basis (1, α). Then M 0 =, M 1 =, and then s 0 (a) = 2 and s 1 (a) = ā ā 1.1 Crytograhic roerties The crytograhic alications of Lucas sequences are listed in [3]. For the commodity of the reader, we resent some of these results in a more accessible form and with simlified roofs. Lemma For every integer k, s k (a) = α k + α k and s k (a) = s k (a). Proof. Let K be a slitting field of f(x). Since f(x), the characteristic olynomial of M( 1, slits in) K, there exists an invertible matrix P in M 2 (K) and x K such that M 1 = P T P 1 α x, where T = 0 α 1. Let k ( ) be an integer. As M k = M k 1, we have M k = P T k P 1, where T k = α k x k 0 α k and x k K. Therefore,

2 A Public-Key Crytosystem Based on Lucas Sequences 149 s k (a) = T r(m k ) = α k + α k. Corollary For every integer k, let f k (X) = X 2 s k (a)x + 1. Then f k (X) = (X α k )(X α k ). Indeed, s k (a) = α k + α k and α k α k = 1. Lemma For every integers k and e, s e (s k (a)) = s ke (a). Proof. From Corollary 1.2, the roots of the olynomial f k (X) are α k and α k. So, s e (s k (a)) = (α k ) e + (α k ) e = T (α ke ) = s ke (a). Lemma π = 2 1 is a eriod of s(a). Esecially, if does not divide a 2 4, then ɛ is the eriod, where ɛ = ( a2 4 ) is the Legendre symbol. Proof. Since α is an element of A of norm 1, α is an invertible element of A. Let = a 2 4 be the disciminant of f(x). (i) divides (a 2 4). Then a = 2 modulo. If a = 2 modulo, then s k (a) = 2. If a = 2 modulo, then s 2k (a) = 2 and s 2k+1 (a) = 2. (ii) If ( a2 4 ) = 1, then f(x) slits in IF, and A IF IF. Hence the exonent of the multilicative grou A is 1. Thus, α 1 = 1. (iii) If ( a2 4 ) = 1, then A IF 2 and N(α) = α+1 = 1. Let x IN be the eriod of s(a). Then α x = 1. Since( a2 4 ) = 1, α IF, and then x + 1. Corollary For every integer e such that gcd(e, π) = 1, the ma Luc e : IF IF is a one-one corresondence. a s e (a) Indeed, since gcd(e, 2 1) = 1, let d be the inverse of e modulo π. Then there exists an integer k such that de = 1 + kπ. Hence s d (s e (a)) = s de (a) = s 1+kπ (a) = s 1 (a) = a []. Lemma Let a Z such that does not divide a 2 4. Let ɛ = ( a2 4 ), e IN such that Gcd(e, π) = 1 and b = s e (a), where π = ɛ. Then does not divide b 2 4 ( a2 4 ) = ( b2 4 ) Proof. Since a = s d (b) [], where d is the inverse of e modulo 2 1, it suffices to show that if ( a2 4 ) = 1, then ( b2 4 ) = 1 too. Assume that ( a2 4 ) = 1, then α IF, and then α e IF. Thus, f b (X) = X 2 bx + 1 slits in IF (α e + α e = b []), i.e., ( b2 4 ) = Comutational Method and Cost i) s 2n (a) = s n (a) 2 2, Lemma ii) s 2n+1 (a) = s n (a)s n+1 (a) a Proof. Let n and m be two integers. s n (a)s m (a) = (α n + α n )(α m + α m ) = (α n+m + α n m ) + (α n m + α n+m 2 ) = s n+m (a) + s n m (a). Therefore, s n+m (a) = s n (a)s m (a) s n m (a) In articular, we have i) and ii). Let k = 2 r m, where m is an odd integer. To comute s k (a), first we comute s m (a), then s 2m (a) = (s m (a)) 2 2, then s 4m (a) = (s 2m (a)) 2 2,...,s k (a) = s 2 m(a) 2 r 1 2. Then to comute s k (a), we need r multilications modulo and we need s m (a). Let m = l 1 i=0 k i2 l 1 i. For every 0 i < l 1, let f i+1 = 2f i + k i+1 and f 0 = k 0. Then f l 1 = k. For 0 i < l 1 and assume that, s fi 1 (a) and s fi 1 +1(a) are comuted. Then if k i = 0, then if k i = 1, then s fi (a) = s 2fi 1 (a) = (s fi 1 (a)) 2 2 s fi+1(a) = s 2fi 1 +1(a) = s fi 1 (a)s fi 1 +1(a) a s fi (a) = s 2fi 1 +1(a) = s fi 1 (a)s fi 1 +1(a) a s fi+1(a) = s 2(fi 1 +1)(a) = (s fi 1 +1(a)) 2 2 Comutational Algorithm. In ut k = 2 r l 1 i=0 k i2 i and a, where k 0 0 and k l 1 0. Out ut s k.

3 150 Lhoussain El Fadil Algorithm s 0 = 2, s 1 = a, for i from 0 to l 1 do if k i = 0 then s 1 = s 1 s 0 a, s 0 = s else then s 0 = s 1 s 0 a, s 1 = s End return (s 0 ). s = s 0, for i from 1 to r do s = s 2 2. End return (s). This method ensures that s k can be comuted in about the same length of time as the k th ower is comuted in the RSA method. But in the comutation of s m (a), having to comute two numbers at each stage does slow the comutation down a little, but there are otimizations in the calculation which mean that the total amount of comutation is only about half less than the amount needed for the RSA system. Therefore, to comute s k (a), the total number of multilications modulo is log 2 (k). 2 Main results In this section we describe some alications of Lucas sequences, in more details : Lucas Diffie-Hellman, Lucas El Gamal encrytion scheme and Lucas El Gamal signature scheme. Let n = q be an RSA integer, a IN such that ( a ) = ( a q ) = 1 and s(a) the Lucas sequence generated by a defined by : s 0 (a) = 2 [n], s 1 (a) = a [n] and s k+2 (a) = as k+1 (a) s k (a) [n]. Let and f(x) = X 2 ax + 1 modulo n, A = Z n [X]/(f(X)) and α = X the class of X modulo the rincial ideal (f(x)) (we have s k (a) = α k + α k = T (α k )). 2.1 Lucas Diffie-Hellman Let a be an integer. Suose that Alice and Bob, who both have access to the Lucas sequences ublic key data (n, a), want to agree on a shared secret key K AB. (i) User Alice selects 0 < x A < n as her rivate key. She then comutes y A = s xa (a) as her ublic key from the system ublic arameters (n, a). (ii) User Bob selects 0 < x B < n as his rivate key. He then comutes y B = s xb (a) as his ublic key from the system ublic arameters (n, a). (iii) Key-Distribution Phase : K AB = s xa (y B ) = s xb (y A ) is their common secret key. Remarks (i) In [3], it was given a Diffie-Hellman scheme based on lucas functions defined in IF q. Here, it is the same version but with Lucas sequences modulo an RSA integer. (ii) K AB = s xa x B (a). (iii) In each exchange session, the comutational cost of each user is 2log 2 (n). (iv) From [5], the security of Lucas sequences is olynomial-time equivalent to the generalized discrete logarithm roblem over IF. Thus, the security level of this scheme is at least the security level of the standard Diffie- Hellman scheme. 2.2 Lucas El Gamal Now, we exlain our version of the ublic key system. It is based on El Gamal system, which is defined by Lucas sequences. Suose that Bob is the owner of the Lucas ublic key data (, q, a). Bob selects a small integer e such that Gcd(d, ( 2 1)(q 2 1)) = 1 and a secret integer 0 < x n. He comutes d the inverse of e modulo ( 2 1)(q 2 1), y = s x (a) and makes ublic (e, y). Given Bob s ublic data (n, a, e, y), Alice can encryt a message m, where 0 m < n, intended for Bob using the following Lucas version of the El Gamal encrytion scheme :

4 A Public-Key Crytosystem Based on Lucas Sequences 151 Algorithm (i) Public key : (n, a, y, e) (ii) Private key : (, q, d, x). (iii) Encrytion : For a message 0 m < n, Alice chooses a (secret) random number 0 < k < n, and sends Bob the ciher c = (c 1, c 2 ), where c 1 = s k (a), c 2 = K + s e (m) and K = s k (y). (iv) Decrytion : For a ciher c = (c 1, c 2 ), Bob comutes K = s x (c 1 ), and then m = s d (c 2 K), where (, q, d, x) is its rivate key. Note that (1) All comutations are erformed in Z n. (2) Let ɛ = ( m2 4 ), ɛ q = ( m2 4 q ) and π = Lcm( ɛ, q ɛ q ). Then s x (c 1 ) = s x (s k (a)) = s xk (a) = s k (s x (a)) = s k (y) = K, and then c 2 K = s e (m). Since ed = 1 modulo π, there exists an integer l such that ed = 1 + lπ.thus, s d (c 2 K) = s d (s e (m)) = s ed (m) = s 1+l( 2 1)(q 2 1)(m) = s 1 (m) = m modulo. Security analysis Definition Given a ciher C = K + s e (m) (m m 0, m 1 }), where K is randomly chosen modulo n, the roblem of deciding whether m equals m 0 or m 1 is called decision roblem based on Lucas sequences. If any analyzer can not decide which one of m 0 or m 1 is corresonding to the ciher c in olynomial time, then the encrytion scheme is semantical secure. First, since k is randomly chosen, K is considered random too. On the other hand, since n = q is an RSA integer, it is very hard to factorise the eriod T = ( ɛ )(q ɛ q ). It follows that, the decision roblem based on Lucas sequences is intractable: Given c = s e (m) it is very hard to calculate neither e nor m (this roblem is equivalent to the discrete logarithm roblem (see [5])). Consequently, the roosed Lucas El Gamal scheme is semantical secure. Comutational cost As in the standard RSA ublic key system, Bob chooses a small integer e and Alice chooses a relatively small integer k such that the comutational cost for evaluating s k (a) and s e (m) are low. For examle e = 5, we need 3 multilications modulo n for comuting s 3 (m), log 2 (k) multilications modulo n for comuting s k (a), i.e., totally, we need 3 + log 2 (k) multilications modulo n for encihering. For decihering, once d and y are comuted, we need log 2 (x) multilications modulo n for comuting K = s x (c 1 ), and log 2 (d) multilications modulo n for comuting s d (c 2 K). As d < n 2, we need log 2 (n) multilications modulo n for decihering. Totally, we need 4log 2 (n) on average. 2.3 Lucas El Gamal signature We now exlain our version of El Gamal signature scheme, defined by Lucas sequences. First,we need the following lemma : Lemma Let s(a) be a Lucas sequence generated by a, m, n and k three integers such that m + n = k. Then s 2 k (a) + s 2m(a) + s 2n (a) = s m (a)s n (a)s k (a). Proof. In the roof of Lemma 1.6, we have shown that s m+n (a) = s m (a)s n (a) s m n (a). Thus, s k (a) = s m (a)s n (a) s m n (a), and then s 2 k (a) = s m(a)s n (a)s k (a) s m+n (a)s m n (a) = s m (a)s n (a)s k (a) (s 2n (a) + s 2m (a)). Therefore, s 2 k (a) + (s 2n(a) + s 2m (a)) = s m (a)s n (a)s k (a). Suose Alice is the owner of the Lucas ublic key data (, q, a). She comutes the secrets ɛ = ( a2 4 ) and ). She selects an integer x, 1 x < ( 1)(q 1), comutes y = s x (a) and makes ublic (n, a, y). ɛ q = ( a2 4 q Given Alice s ublic data (n, a, y), Alice can sign a message m, where 0 m < n, intended for Bob using the following Lucas version of El Gamal signature scheme : (i) Alice selects at random an integer k such that gcd(k, ( ɛ )(q ɛ q )) = 1 and she comutes r = s k (a).

5 152 Lhoussain El Fadil (ii) She comutes s = k 1 (m xr) modulo ( ɛ )(q ɛ q ), where k 1 is the inverse of k modulo ( ɛ )(q ɛ q ). (iii) (r, S) is the signature for the message m, where S = s s (r). To verify the authenticity of the signature, any verifier can check if (E) : s 2 m(a) + s 2 r(y) + S 2 4 = Ss r (y)s m (a). Indeed, since m = xr + ks, it follows that s 2 m(a) + s 2rx (a) + s 2sk (a) = s rx (a)s sk (a)s m (a) = s r (y)s s (r)s m (a). Security analysis. This scheme hides the linear equation ks+xr = m modulo T. Thus even if the owner uses twice the same random k, the analyzer can not calculate the secret x. On the other hand, the security of Lucas sequences is olynomial-time equivalent to the generalized discrete logarithm roblem over IF. It follows that the security level of this scheme is at least the security level of El Gamal digital signature. Comutational Cost. To sign the message m, we will comute : s k (a), k 1 modulo ( ɛ )(q ɛ q ) and k 1 (m xr). Thus we need, ln 2 (n) + 3, 5 multilications to sign the message m such that 0 m < n. To verify, we will comute : s r (y), s s (r), s m (a), s 2r (y), s 2s (r) and s 2 m(a). As s 2r (y) = s 2 r(y) 2 and s 2s (r) = s 2 s(r) 2, to verify the authenticity of the signature, we need 2ln 2 (n) + 3 multilications. References [1] W. Diffie and M. E. Hellman, New directions in crytograhy, IEEE Trans. Inform. Theory, vol. IT-22, (1976). [2] T. ElGamal, "A ublic key crytosystem and a signature scheme based on discrete logarithms," IEEE Trans. Inform. Theory, vol. IT- 31, (1985). [3] P. Smith et M. J. J. Lennon, LUC : A new ublic key system. In Proc. of the Ninth IFIP Int. Sym. on Comuter Security, (1993). [4] A.K. Lenstra, E.R. Verheul, The XTR ublic key system, Proceedings of Cryto 2000, LNCS 1880, 1-19(2000). [5] Chi-Sung Laih, Fu-Kuan Tu, Wen-Chun Tai, On the security of the Lucas function, Information Processing Letters 53, (1995). [6] Douglas R. Stinson, Crytograhy Theory and Practice, Third edition 2006, Chaman, Hall/CRC, Taylor and Francis Grou. Author information Lhoussain El Fadil, De. of Math., College of Sciences, King Khalid University, Abha, Saudi Arabia. lhouelfadil@hotmail.com Received: March 12, 2012 Acceted: June 4, 2012