E cient computation of full Lucas sequences - Semantic Scholar

Download PDF
4 downloads 424 Views 234KB Size Report
Comment
Jan 29, 1995 - E-mail: [email protected]. Abstract. Recently, Yen and Laih 1] proposed a algorithm to quickly compute LUC digital signatures. This signature ...
UCL Crypto Group Technical Report Series

Ecient computation of full Lucas sequences Marc Joye and Jean-Jacques Quisquater

R EG AR D S

GROUPE

http://www.dice.ucl.ac.be/crypto/

Technical Report CG{1996/3 Place du Levant, 3 B-1348 Louvain-la-Neuve, Belgium

Phone: (+32) 10 472541 Fax: (+32) 10 478667

Ecient computation of full Lucas sequences Marc Joye

1)

and Jean-Jacques Quisquater

2)

January 29, 1995 Department of Mathematics (AGEL), University of Louvain Chemin du Cyclotron, 2, B-1348 Louvain-la-Neuve, Belgium E-mail: [email protected] 2) Department of Electrical Engineering (DICE), University of Louvain Place du Levant, 3, B-1348 Louvain-la-Neuve, Belgium E-mail: [email protected] 1)

Abstract. Recently, Yen and Laih [1] proposed a algorithm to quickly compute LUC digital signatures. This signature is based on a special type of the Lucas sequence Vk . In this paper, we shall generalize their method to any type of Lucas sequences, and we shall extend it to the 'sister' Lucas sequence Uk . As application, we shall quickly compute the order of an elliptic curve over GF (2m ).

1 Basic facts In this section, we shall only include the minimal amount of background necessary to understand the article. For a systematic treatment, see the references [2, 3]. Let P and Qpbe two rational integers, and let be a root of x ?Px+Q = 0 in the eld Q( D), where D = P ? 4Q is a non-square. Let be the conjugate of , i.e. = . The Lucas sequences fUk gk and fVk gk with parameters P and Q are given by k ? k (1) Uk (P; Q) = ? ; Vk (P; Q) = k + k: (2) It can easily be shown that the numbers Ui and Vi satisfy the following relations Ui j = UiVj ? Qj Ui?j ; (3) 2

2

0

+

CG{1996/3

0

Ecient computation of full Lucas sequences

Vi

2

= ViVj ? Qj Vi?j :

j

+

(4)

2 Fast algorithm for Lucas sequences Assume you have to compute Uk (P; Q) and Vk (P; Q). If we use the binary expansion of k, it can be expressed as k = K , where 0

Kj = Hence,

X k 2i?j ; k 2 f0; 1g and k i i n?

n?1

1

i=j

= 1:

Kj? = kj? + 2Kj = (Kj + kj? ) + Kj : (5) Using the equations (3) and (4), we obtain (6) UK ?1 = U K k ?1 VK ? QK Uk ?1 ; (7) VK ?1 = V K k ?1 VK ? QK Vk ?1 : At iteration j , let (lj ; hj ) = (Kj ; Kj +1). By relation (7), we see obviously that both Vl and Vh are needed to compute Vl ?1 , and so to compute Vk . This is not the case for Uk as we shall see in the following theorem. Theorem1. If k is odd, then the computation of Uk does not require the computation of Ul (j  1). Proof. Since k is odd (i.e. k = 1), Uk (= Ul0 ) = Uh1 Vl1 ? Ql1 . Thus, only the value of Uh1 is needed. We only need to show that the value of Uh ?1 can be derived from Uh . By (5) and depending on the value of kj? , we have the following cases:  if kj? = 0, then (lj? ; hj? ) = (2lj ; lj + hj );  if kj? = 1, then (lj? ; hj? ) = (lj + hj ; 2hj ): Hence, if kj? = 0, then hj? (= hj + lj = 2lj + 1) is odd and Uh ?1 = Uh Vl ? Ql ; otherwise, hj? (= 2hj ) is even and Uh ?1 = Uh Vh . We now are ready to give the algorithm that we shall extend to the case where k is even. Remarks. 1) The presented algorithm is a left-to-right scanning one. Similar to [1], it is also possible to develop a right-to-left scanning algorithm, but that requires more temporary memories. 2) An implementation with Pari-GP [4] is available at 1

1

1

(

j

(

j

j+ j

)

)

j

j

j

j

j

j

j

j

j

j+ j

j

0

j

1

j

1

1

1

1

1

1

1

j

j

j

1

1

j

j

j

j

ftp://math.math.ucl.ac.be/pub/joye/pari/lucas2.gp.

CG{1996/3

Ecient computation of full Lucas sequences Inputs:

k

Outputs:

(

= 2s

Pn?

P; Q U k ; Vk

= 1; l = 2;

Uh for

V

from

j

n

1

i=s

ki

3

2i?s, ( s = 1) k

)

Vh

= ; to

= 1; h = 1; + 1 by ?1

Ql

P

?1

s

Q

= l  h; [ ] == 1 then h= l ; h = h  h; l = h  l ?  l; h = h ?2 h

Ql

Q

if

Q

k j

Q

Q

U

U

V

fi endfor

V

P

V

Q

Q

= l; = h  l ? l; h = h  l ?  l; l = l  l ?2 l

Qh

Q

Uh

U

V

V

V

V

V

V

else

Q

V

V

Q

V

P

V

Q

Q

= l  h; h = l  ; = h  l ? l; l = h  l ?  l; l = l  h; for from 1 to h = h  l; l = l  l ? 2  l; l = l  l;

Ql

Q

Q

Uh

U

V

V

V

Q

V

Q

Q

Q

Q

Q

P

Q

Q

j

s

U

U

V

V

Q

V

V

Q

Q

Q

endfor

f k( U

)=

P; Q

; (

) = lg

Uh Vk P; Q

V

Figure 1: Algorithm to compute (Uk ; Vk )

3 Performances The worst case of the algorithm appears when s = 0. Assume s = 0, then the computation of Uk and Vk requires n multiplications. Furthermore, only ve temporary memories (with the same length as the output) are needed. If we only want the value of Vk , the algorithm is the same as presented on gure 1, except we do not care of the Uh 's. Thus, the computation of Vk requires n multiplications in the worst case with only four temporary memories. Remarks. 1) Some applications use Lucas sequences with parameter Q = 1. In that case, the computation of Uk and Vk requires less than 3n multiplications with three temporary memories. 11 2

9 2

CG{1996/3

Ecient computation of full Lucas sequences

4

2) If we want Uk and Vk modulo a number, the computation can be improved using the technique of the common-multiplicand [5]. 3) Moreover, due to the high regularity of the algorithm, it can be parallelized.

4 Applications Lucas sequences have numerous applications in number theory. For example, the divisibility properties of the Uk 's (see [3, pp. 54{59]) allows to test the primality of a number N for which the factorization of N + 1 is partially given. It is also possible to develop ecient (pseudo) primality test [6]. In this paper, we shall see a less-known application. In 1985, the theory elliptic curves emerged for cryptographic purposes. Since many cryptographic protocols [7, 8] require the knowledge of the order of an elliptic curve over GF (2m), i.e. #E (GF (2m)), we shall see how it can be computed using Lucas sequences. Let p be a prime and q = pr . Consider the elliptic curve E=GF (q) such that E (GF (q)) has order #E (GF (q)) = q + 1 ? t. Using the Weil theorem, we have #E (GF (ql)) = ql + 1 ? l ? l; (8) where and are given from the factorization of 1 ? tT + qT = (1 ? T )(1 ? T ). Let E=GF (2r ) be the non-supersingular elliptic curve given by the Weierstra equation E : y + xy = x + a x + a : Assume r is small, so t = 2r + 1 ? #E (GF (2r )) can be computed by exhaustion. Moreover, if m is a multiple of l, then the curve E can be viewed as an elliptic curve over GF (2m). Hence, if we put l = m=r, then by (8) 2

2

3

2

2

6

#E (GF (2m)) = 2m + 1 ? Vl(t; 2r ); where Vl(t; 2r ) is the l term of the Lucas sequence fVk g with parameters P = t and Q = 2r . th

5 Acknowledgments The authors are grateful to Daniel Bleichenbacher and to Richard Pinch for providing useful informations about Lucas-based cryptosystems. CG{1996/3

Ecient computation of full Lucas sequences

5

References [1] yen, s.-m., and laih, c.-s.: `Fast algorithms for LUC digital signature computation', IEE Proc.-Comput. Digit. Tech., 1995, 142, (2), pp. 165{ 169 [2] riesel, h.: `Prime numbers and computers methods for factorization' in `Progress in Mathematics' (Birkhauser, 1985), Vol. 57 [3] ribenboim, p.: `The little book of big primes' (Springer, 1991) [4] batut, c., bernardi, d., cohen, h., and olivier, m.: `User's guide to PARI-GP', January 1995 [5] yen, s.-m., and laih, c.-s.: `Common-multiplicand multiplication and its applications to public key cryptography', Electron. Lett., 1993, 29, (17), pp. 1583{1584 [6] pomerance, c., selfridge, j.l., and wagstaff, s.s., jr.: `The pseudoprimes to 25  10 ', Math. of Comp., 1980, 35, (151), pp. 1003{ 1026 [7] menezes, a.j.: `Elliptic curve public key cryptosystems' (Kluwer Academic Publishers, 1993) [8] menezes, a., qu, m., and vanstone, s.: `Draft of IEEE P1363, chapter 6', November 1995 9

CG{1996/3