# A New RSA Variant Based on Elliptic Curves

## Abstract

## 1. Introduction

## 2. Useful Lemmas

**Lemma 1.**

**Theorem 1.**

**Lemma 2.**

## 3. Elliptic Curves over the Finite Field ${\mathbb{F}}_{\mathbf{p}}$

**Theorem 2.**

**Theorem 3.**

**Lemma 3.**

**Proof.**

**Lemma 4.**

**Proof.**

## 4. Elliptic Curves over the Ring $\mathbb{Z}/\mathbf{n}\mathbb{Z}$

**Theorem 4.**

## 5. The New Scheme

#### 5.1. The New Encryption Scheme

**Key generation.**

1. Choose a size $l\ge 4096$ for the modulus to guarantee a security level of at least 128 bits.
2. Choose two large integers ${u}_{1}$ and ${v}_{1}$ of size $l/4$.
3. Compute ${u}_{p}=4{u}_{1}+3$ and ${v}_{p}=4{v}_{1}+2$.
4. Compute $p={u}_{p}^{2}+{v}_{p}^{2}$.
5. If $p$ is not prime, return to Step 2.
6. Choose two large integers ${u}_{2}$ and ${v}_{2}$ of size $l/4$.
7. Compute ${u}_{q}=4{u}_{2}+3$ and ${v}_{q}=4{v}_{2}+2$.
8. Compute $q={u}_{q}^{2}+{v}_{q}^{2}$.
9. If $q$ is not prime, return to Step 6.
10. Compute $n=pq$.
11. Choose an integer $e$ such that
    $$\gcd\left(e,\left({(p+1)}^{2}-4{u}_{p}^{2}\right)\left({(q+1)}^{2}-4{u}_{q}^{2}\right)\right)=1.$$

The pair $(n,e)$ represents the public key, and $({u}_{p},{v}_{p},{u}_{q},{v}_{q})$ represents the private key.

**Encryption.**

- Generate a random integer $r\in \mathbb{Z}/n\mathbb{Z}$.
- Represent the message ${y}_{M}$ as the point $M=(r,{y}_{M})\in \mathbb{Z}/n\mathbb{Z}\times \mathbb{Z}/n\mathbb{Z}$.
- Compute $a\equiv \left({y}_{M}^{2}-{r}^{3}\right){r}^{-1}\pmod{n}$. The elliptic curve ${E}_{n}\left(a\right)$ is defined by the equation ${y}^{2}\equiv {x}^{3}+ax\pmod{n}$.
- Compute $({x}_{C},{y}_{C})=e(r,{y}_{M})$ on ${E}_{n}\left(a\right)$. The point $({x}_{C},{y}_{C})$ is the encrypted message.

**Decryption.**

- Compute $a\equiv \left({y}_{C}^{2}-{x}_{C}^{3}\right){x}_{C}^{-1}\pmod{n}$. The elliptic curve ${E}_{n}\left(a\right)$ is defined by the equation ${y}^{2}\equiv {x}^{3}+ax\pmod{n}$.
- Compute $\varphi (a,n)=(p+1-2{U}_{p})(q+1-2{U}_{q})$.
- Compute $d\equiv {e}^{-1}\pmod{\varphi (a,n)}$.
- Compute $M=(r,{y}_{M})=d({x}_{C},{y}_{C})$ on ${E}_{n}\left(a\right)$. The point $(r,{y}_{M})$ is the original message.
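
The key generation, encryption and decryption steps above, run end to end at a toy modulus size; this is an added Python example, not the authors' code, and all function names are its own. Assumptions: the rule that fixes $U_p$ is not on this page, so decryption takes the group order modulo $p$ to be whichever of the four candidates $p+1\pm 2u_p$, $p+1\pm 2v_p$ annihilates the ciphertext point, and $e$ is required to be coprime to all four candidates for each prime (a stricter condition than the gcd as listed in Step 11); a Fermat test stands in for a real primality test.

```python
import random
from math import gcd

def add(P, Q, a, n):
    """Group law on y^2 = x^3 + a*x (mod n); None is the point at infinity."""
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % n == 0:
        return None
    num, den = (3 * x1 * x1 + a, 2 * y1) if x1 == x2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % n, -1, n) % n  # ValueError if den shares a factor with n
    x3 = (lam * lam - x1 - x2) % n
    return x3, (lam * (x1 - x3) - y1) % n

def mul(k, P, a, n):
    R = None
    for bit in bin(k)[2:]:  # left-to-right double-and-add
        R = add(R, R, a, n)
        R = add(R, P, a, n) if bit == "1" else R
    return R

def orders(u, v):  # candidate orders p + 1 +/- 2u and p + 1 +/- 2v, with p = u^2 + v^2
    p = u * u + v * v
    return [p + 1 + s * w for w in (u, v) for s in (-2, 2)]

def keygen(l, seed):
    rng, priv, n, e = random.Random(seed), [], 1, 65537
    while len(priv) < 2:
        u, v = 4 * rng.getrandbits(l // 4) + 3, 4 * rng.getrandbits(l // 4) + 2
        p = u * u + v * v
        if all(pow(b, p - 1, p) == 1 for b in (2, 3, 5)):  # Fermat test, demo only
            priv, n = priv + [(u, v)], n * p
    while any(gcd(e, N) != 1 for uv in priv for N in orders(*uv)):
        e += 2  # assumption: e coprime to every candidate order
    return (n, e), priv

def encrypt(pub, r, y_m):
    n, e = pub
    a = (y_m * y_m - r ** 3) * pow(r, -1, n) % n
    return mul(e, (r, y_m), a, n)

def decrypt(pub, priv, C):
    (n, e), (x, y), phi = pub, C, 1
    a = (y * y - x ** 3) * pow(x, -1, n) % n
    for u, v in priv:
        p = u * u + v * v  # assumption: use the candidate order that annihilates C mod p
        phi *= next(N for N in orders(u, v) if mul(N, (x % p, y % p), a % p, p) is None)
    return mul(pow(e, -1, phi), C, a, n)
```

The seeded `random.Random` keeps the run reproducible; real keys would draw $u_1, v_1, u_2, v_2$ from a CSPRNG at the size given in Step 1.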

#### 5.2. A Numerical Example

#### 5.3. The New Signature Scheme

**Key generation.** The key generation scheme is similar to that of the encryption in Section 5.1.

**Encryption.**

- Generate a random integer $r\in \mathbb{Z}/n\mathbb{Z}$.
- Represent the message as $M=(r,{y}_{M})\in \mathbb{Z}/n\mathbb{Z}\times \mathbb{Z}/n\mathbb{Z}$.
- Compute $a\equiv \left({y}_{M}^{2}-{r}^{3}\right){r}^{-1}\pmod{n}$. The elliptic curve ${E}_{n}\left(a\right)$ is defined by the equation ${y}^{2}\equiv {x}^{3}+ax\pmod{n}$.
- Compute $({x}_{C},{y}_{C})=e(r,{y}_{M})$ on ${E}_{n}\left(a\right)$. The point $({x}_{C},{y}_{C})$ is the encrypted message.
- Compute the signature $s=\mathrm{Hash}(r\parallel {y}_{M})$.

**Decryption.**

- Compute $a\equiv \left({y}_{C}^{2}-{x}_{C}^{3}\right){x}_{C}^{-1}\pmod{n}$. The elliptic curve ${E}_{n}\left(a\right)$ is defined by the equation ${y}^{2}\equiv {x}^{3}+ax\pmod{n}$.
- Compute $\varphi (a,n)=(p+1-2{U}_{p})(q+1-2{U}_{q})$.
- Compute $d\equiv {e}^{-1}\pmod{\varphi (a,n)}$.
- Compute $M=(r,{y}_{M})=d({x}_{C},{y}_{C})$ on ${E}_{n}\left(a\right)$.
- Compute ${s}^{\prime}=\mathrm{Hash}(r\parallel {y}_{M})$.
- Accept the message if ${s}^{\prime}=s$.

## 6. Security Analysis

#### 6.1. Resistance against Factorization Methods

#### 6.2. Resistance against Decomposition as Sum of Two Squares

#### 6.3. Resistance against Decomposition as Sum of Four Squares

#### 6.4. Resistance against Solving the Order

#### 6.5. Resistance against Small Private Exponent Attacks

**Lemma 5.**

**Proof.**

**Theorem 5.**

**Proof.**

**Theorem 6.**

**Proof.**

**Remark 1.**

#### 6.6. Resistance against Discrete Logarithm Problem

#### 6.7. Resistance against Isomorphism and Homomorphism Attacks

#### 6.8. Other Attacks

- The ciphertext and half of the plaintext are known.
- Three encryptions of the same message are encrypted with distinct public keys.
- Six encryptions of linearly related messages are encrypted with distinct public keys.
- Two encryptions of linearly related messages are encrypted with the same public key.

## 7. Conclusions

## Author Contributions

## Funding

## Conflicts of Interest


© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Boudabra, M.; Nitaj, A.
A New RSA Variant Based on Elliptic Curves. *Cryptography* **2023**, *7*, 37.
https://doi.org/10.3390/cryptography7030037
