Jan 29, 1995 - E-mail: jjq@dice.ucl.ac.be. Abstract. Recently, Yen and Laih 1] proposed a algorithm to quickly compute LUC digital signatures. This signature ...
UCL Crypto Group Technical Report Series
E�cient computation of full Lucas sequences Marc Joye and Jean-Jacques Quisquater
R EG AR D S
GROUPE
http://www.dice.ucl.ac.be/crypto/
Technical Report CG{1996/3 Place du Levant, 3 B-1348 Louvain-la-Neuve, Belgium
Phone: (+32) 10 472541 Fax: (+32) 10 478667
E�cient computation of full Lucas sequences Marc Joye
1)
and Jean-Jacques Quisquater
2)
January 29, 1995 Department of Mathematics (AGEL), University of Louvain Chemin du Cyclotron, 2, B-1348 Louvain-la-Neuve, Belgium E-mail: joye@agel.ucl.ac.be 2) Department of Electrical Engineering (DICE), University of Louvain Place du Levant, 3, B-1348 Louvain-la-Neuve, Belgium E-mail: jjq@dice.ucl.ac.be 1)
Abstract. Recently, Yen and Laih [1] proposed a algorithm to quickly compute LUC digital signatures. This signature is based on a special type of the Lucas sequence Vk . In this paper, we shall generalize their method to any type of Lucas sequences, and we shall extend it to the 'sister' Lucas sequence Uk . As application, we shall quickly compute the order of an elliptic curve over GF (2m ).
1 Basic facts In this section, we shall only include the minimal amount of background necessary to understand the article. For a systematic treatment, see the references [2, 3]. Let P and Qpbe two rational integers, and let � be a root of x ?Px+Q = 0 in the eld Q( D), where D = P ? 4Q is a non-square. Let be the conjugate of �, i.e. = ��. The Lucas sequences fUk gk� and fVk gk� with parameters P and Q are given by k ? k (1) Uk (P; Q) = �� ? ; Vk (P; Q) = �k + k: (2) It can easily be shown that the numbers Ui and Vi satisfy the following relations Ui j = UiVj ? Qj Ui?j ; (3) 2
2
0
+
CG{1996/3
0
E�cient computation of full Lucas sequences
Vi
2
= ViVj ? Qj Vi?j :
j
+
(4)
2 Fast algorithm for Lucas sequences Assume you have to compute Uk (P; Q) and Vk (P; Q). If we use the binary expansion of k, it can be expressed as k = K , where 0
Kj = Hence,
X k 2i?j ; k 2 f0; 1g and k i i n?
n?1
1
i=j
= 1:
Kj? = kj? + 2Kj = (Kj + kj? ) + Kj : (5) Using the equations (3) and (4), we obtain (6) UK ?1 = U K k ?1 VK ? QK Uk ?1 ; (7) VK ?1 = V K k ?1 VK ? QK Vk ?1 : At iteration j , let (lj ; hj ) = (Kj ; Kj +1). By relation (7), we see obviously that both Vl and Vh are needed to compute Vl ?1 , and so to compute Vk . This is not the case for Uk as we shall see in the following theorem. Theorem1. If k is odd, then the computation of Uk does not require the computation of Ul (j � 1). Proof. Since k is odd (i.e. k = 1), Uk (= Ul0 ) = Uh1 Vl1 ? Ql1 . Thus, only the value of Uh1 is needed. We only need to show that the value of Uh ?1 can be derived from Uh . By (5) and depending on the value of kj? , we have the following cases: � if kj? = 0, then (lj? ; hj? ) = (2lj ; lj + hj ); � if kj? = 1, then (lj? ; hj? ) = (lj + hj ; 2hj ): Hence, if kj? = 0, then hj? (= hj + lj = 2lj + 1) is odd and Uh ?1 = Uh Vl ? Ql ; otherwise, hj? (= 2hj ) is even and Uh ?1 = Uh Vh . We now are ready to give the algorithm that we shall extend to the case where k is even. Remarks. 1) The presented algorithm is a left-to-right scanning one. Similar to [1], it is also possible to develop a right-to-left scanning algorithm, but that requires more temporary memories. 2) An implementation with Pari-GP [4] is available at 1
1
1
(
j
(
j
j+ j
)
)
j
j
j
j
j
j
j
j
j
j+ j
j
0
j
1
j
1
1
1
1
1
1
1
j
j
j
1
1
j
j
j
j
ftp://math.math.ucl.ac.be/pub/joye/pari/lucas2.gp.
CG{1996/3
E�cient computation of full Lucas sequences Inputs:
k
Outputs:
(
= 2s
Pn?
P; Q U k ; Vk
= 1; l = 2;
Uh for
V
from
j
n
1
i=s
ki
3
2i?s, ( s = 1) k
)
Vh
= ; to
= 1; h = 1; + 1 by ?1
Ql
P
?1
s
Q
= l � h; [ ] == 1 then h= l� ; h = h � h; l = h � l ? � l; h = h ?2� h
Ql
Q
if
Q
k j
Q
Q
U
U
V
fi endfor
V
P
V
Q
Q
= l; = h � l ? l; h = h � l ? � l; l = l � l ?2� l
Qh
Q
Uh
U
V
V
V
V
V
V
else
Q
V
V
Q
V
P
V
Q
Q
= l � h; h = l � ; = h � l ? l; l = h � l ? � l; l = l � h; for from 1 to h = h � l; l = l � l ? 2 � l; l = l � l;
Ql
Q
Q
Uh
U
V
V
V
Q
V
Q
Q
Q
Q
Q
P
Q
Q
j
s
U
U
V
V
Q
V
V
Q
Q
Q
endfor
f k( U
)=
P; Q
; (
) = lg
Uh Vk P; Q
V
Figure 1: Algorithm to compute (Uk ; Vk )
3 Performances The worst case of the algorithm appears when s = 0. Assume s = 0, then the computation of Uk and Vk requires n multiplications. Furthermore, only ve temporary memories (with the same length as the output) are needed. If we only want the value of Vk , the algorithm is the same as presented on gure 1, except we do not care of the Uh 's. Thus, the computation of Vk requires n multiplications in the worst case with only four temporary memories. Remarks. 1) Some applications use Lucas sequences with parameter Q = �1. In that case, the computation of Uk and Vk requires less than 3n multiplications with three temporary memories. 11 2
9 2
CG{1996/3
E�cient computation of full Lucas sequences
4
2) If we want Uk and Vk modulo a number, the computation can be improved using the technique of the common-multiplicand [5]. 3) Moreover, due to the high regularity of the algorithm, it can be parallelized.
4 Applications Lucas sequences have numerous applications in number theory. For example, the divisibility properties of the Uk 's (see [3, pp. 54{59]) allows to test the primality of a number N for which the factorization of N + 1 is partially given. It is also possible to develop e�cient (pseudo) primality test [6]. In this paper, we shall see a less-known application. In 1985, the theory elliptic curves emerged for cryptographic purposes. Since many cryptographic protocols [7, 8] require the knowledge of the order of an elliptic curve over GF (2m), i.e. #E (GF (2m)), we shall see how it can be computed using Lucas sequences. Let p be a prime and q = pr . Consider the elliptic curve E=GF (q) such that E (GF (q)) has order #E (GF (q)) = q + 1 ? t. Using the Weil theorem, we have #E (GF (ql)) = ql + 1 ? �l ? l; (8) where � and are given from the factorization of 1 ? tT + qT = (1 ? �T )(1 ? T ). Let E=GF (2r ) be the non-supersingular elliptic curve given by the Weierstra� equation E : y + xy = x + a x + a : Assume r is small, so t = 2r + 1 ? #E (GF (2r )) can be computed by exhaustion. Moreover, if m is a multiple of l, then the curve E can be viewed as an elliptic curve over GF (2m). Hence, if we put l = m=r, then by (8) 2
2
3
2
2
6
#E (GF (2m)) = 2m + 1 ? Vl(t; 2r ); where Vl(t; 2r ) is the l term of the Lucas sequence fVk g with parameters P = t and Q = 2r . th
5 Acknowledgments The authors are grateful to Daniel Bleichenbacher and to Richard Pinch for providing useful informations about Lucas-based cryptosystems. CG{1996/3
E�cient computation of full Lucas sequences
5
References [1] yen, s.-m., and laih, c.-s.: `Fast algorithms for LUC digital signature computation', IEE Proc.-Comput. Digit. Tech., 1995, 142, (2), pp. 165{ 169 [2] riesel, h.: `Prime numbers and computers methods for factorization' in `Progress in Mathematics' (Birkhauser, 1985), Vol. 57 [3] ribenboim, p.: `The little book of big primes' (Springer, 1991) [4] batut, c., bernardi, d., cohen, h., and olivier, m.: `User's guide to PARI-GP', January 1995 [5] yen, s.-m., and laih, c.-s.: `Common-multiplicand multiplication and its applications to public key cryptography', Electron. Lett., 1993, 29, (17), pp. 1583{1584 [6] pomerance, c., selfridge, j.l., and wagstaff, s.s., jr.: `The pseudoprimes to 25 � 10 ', Math. of Comp., 1980, 35, (151), pp. 1003{ 1026 [7] menezes, a.j.: `Elliptic curve public key cryptosystems' (Kluwer Academic Publishers, 1993) [8] menezes, a., qu, m., and vanstone, s.: `Draft of IEEE P1363, chapter 6', November 1995 9
CG{1996/3
