A New Public Key Cryptosystem Based on Edwards Curves


Maher Boudabra¹ and Abderrahmane Nitaj²

¹ Université de Monastir, Tunisia
² LMNO, Université de Caen Normandie, France

Abstract. Elliptic curve cryptography plays a central role in various cryptographic schemes and protocols. For efficiency reasons, Edwards curves and twisted Edwards curves have been introduced. In this paper, we study the properties of twisted Edwards curves on the ring $\mathbb{Z}/n\mathbb{Z}$ where $n = p^r q^s$ is a prime power RSA modulus, propose a new scheme, and study its efficiency and security.

Keywords: Elliptic curves, Twisted Edwards curves, RSA cryptosystem, KMOV cryptosystem

1 Introduction

In 2007, Edwards [9] introduced a new normal form of elliptic curves over a field $K$ with characteristic not equal to 2. He showed that any elliptic curve over $K$ is birationally equivalent over some extension of $K$ to a curve with an equation of the form

$$x^2 + y^2 = c^2\left(1 + x^2 y^2\right), \quad c \in K, \quad c^5 \neq c.$$

Bernstein and Lange [2] generalized the former form to the short form

$$E_d : x^2 + y^2 = 1 + d x^2 y^2,$$

where $d \in K - \{0, 1\}$. The addition law for Edwards curves is given by

$$(x_1, y_1) + (x_2, y_2) = \left( \frac{x_1 y_2 + y_1 x_2}{1 + d x_1 y_1 x_2 y_2}, \ \frac{y_2 y_1 - x_2 x_1}{1 - d x_1 y_1 x_2 y_2} \right),$$

and the same formulas can also be used for doubling. For this law, the point $(0, 1)$ is the neutral element and the negative of a point $(x, y)$ is $(-x, y)$. Moreover, it is shown in [2] that when $d$ is not a square in $K$, then the sum of any two points $(x_1, y_1)$, $(x_2, y_2)$ is always defined.

In [1], Bernstein et al. introduced the twisted Edwards curves with an equation

$$E_{a,d} : a x^2 + y^2 = 1 + d x^2 y^2,$$

where $a, d \in K$ are nonzero and distinct. The addition law is defined on $E_{a,d}$ by the rule

$$(x_1, y_1) + (x_2, y_2) = \left( \frac{x_1 y_2 + y_1 x_2}{1 + d x_1 y_1 x_2 y_2}, \ \frac{y_2 y_1 - a x_2 x_1}{1 - d x_1 y_1 x_2 y_2} \right).$$

For this law, the identity is still $(0, 1)$ and the negative of a point $(x, y)$ is $(-x, y)$.

The operations on twisted Edwards curves are more efficient than for most of the other forms of elliptic curves and the discrete logarithm problem is hard to solve. This makes twisted Edwards curves suitable for cryptographic applications.

In this paper, we study various properties of the twisted Edwards curves. We first give a study of the twisted Edwards curves on the finite field $\mathbb{Z}/p\mathbb{Z}$ where $p \geq 5$ is a prime number, and generalize it to the rings $\mathbb{Z}/p^r\mathbb{Z}$ and $\mathbb{Z}/p^r q^s\mathbb{Z}$. Then, using the arithmetic properties of the twisted Edwards curves on the ring $\mathbb{Z}/p^r q^s\mathbb{Z}$, we propose a new public key scheme and study its efficiency and its security. The new scheme generalizes two former schemes, namely the KMOV cryptosystem [12] with a modulus of the form $n = pq$ and an elliptic curve with equation $y^2 \equiv x^3 + b \pmod{n}$, and its extension to a prime power RSA modulus $n = p^r q^s$ with a similar equation [5]. The new scheme uses a prime power RSA modulus $n = p^r q^s$ and a twisted Edwards curve with equation

$$-d x^2 + y^2 \equiv 1 + d x^2 y^2 \pmod{n}.$$

The use of a prime power RSA modulus in cryptography has been proposed for some cryptographic applications (see [20,10,16]). The security of such moduli was studied in [7], where it is recommended to use moduli of the form $p^r q^s$ where $p$, $q$ are large prime numbers with the same size and $r$, $s$ are small exponents satisfying the conditions of Table 1.

| Modulus size in bits | Form of the modulus |
|---|---|
| 2048 | $pq$, $p^2q$ |
| 3072 | $pq$, $p^2q$ |
| 3584 | $pq$, $p^2q$ |
| 4096 | $pq$, $p^2q$, $p^3q$ |
| 8192 | $pq$, $p^2q$, $p^3q$, $p^3q^2$ |

Table 1. Optimal number of prime factors for a specific modulus size [7].

The rest of the paper is organized as follows. In Section 2, we study various arithmetical properties of a twisted Edwards curve on the finite field $\mathbb{Z}/p\mathbb{Z}$. In Section 3, we extend the former properties to the ring $\mathbb{Z}/p^r\mathbb{Z}$. Similarly, we extend the properties to $\mathbb{Z}/p^r q^s\mathbb{Z}$ in Section 4. In Section 5, we present our new scheme. We study its efficiency and security in Section 6. We conclude the paper in Section 6.
2 Twisted Edwards Curves over the Field $\mathbb{Z}/p\mathbb{Z}$

In this section, we present various results on the Edwards curves over a finite field $\mathbb{F}_p = \mathbb{Z}/p\mathbb{Z}$ where $p \geq 5$ is a prime number and give an explicit estimation for the number of points on a twisted Edwards curve when $p \equiv 3 \pmod{4}$ and $p \equiv 11 \pmod{12}$.

Let $a$ be an integer. The Legendre symbol of $a$ modulo $p$, denoted by $\left(\frac{a}{p}\right)$, is defined as

$$\left(\frac{a}{p}\right) = \begin{cases} 0 & \text{if } a \equiv 0 \bmod p, \\ 1 & \text{if } a \text{ is a quadratic residue modulo } p, \\ -1 & \text{if } a \text{ is a non-quadratic residue modulo } p. \end{cases}$$

The following classical result concerns the Legendre symbol for $-1$ (see [6], Chapter 7).

Lemma 1. Let $p$ be an odd prime. Then

$$\left(\frac{-1}{p}\right) = (-1)^{\frac{p-1}{2}} = \begin{cases} 1 & \text{if } p \equiv 1 \pmod{4}, \\ -1 & \text{if } p \equiv 3 \pmod{4}, \end{cases}$$

$$\left(\frac{2}{p}\right) = 2^{\frac{p-1}{2}} = \begin{cases} 1 & \text{if } p \equiv \pm 1 \pmod{8}, \\ -1 & \text{if } p \equiv \pm 3 \pmod{8}, \end{cases}$$

$$\left(\frac{3}{p}\right) = 3^{\frac{p-1}{2}} = \begin{cases} 1 & \text{if } p \equiv \pm 1 \pmod{12}, \\ -1 & \text{if } p \equiv \pm 5 \pmod{12}. \end{cases}$$

A special case for the theory of Edwards curves is when the field $K$ is the finite field $\mathbb{F}_p$. Let $a$ and $d$ be integers such that $d$ is not a square in $\mathbb{Z}/p\mathbb{Z}$. The following result states the addition law on the twisted Edwards curve $E_{a,d,p}$ with the equation

$$E_{a,d,p} : a x^2 + y^2 \equiv 1 + d x^2 y^2 \pmod{p}.$$

Theorem 1. Let $p > 2$ be a prime number and $a$ and $d$ be integers such that $a$ is a square and $d$ is not a square in $\mathbb{Z}/p\mathbb{Z}$. Let $(x_1, y_1)$ and $(x_2, y_2)$ be two points on $E_{a,d,p}$. Then the addition law

$$(x_1, y_1) + (x_2, y_2) = \left( \frac{x_1 y_2 + y_1 x_2}{1 + d x_1 y_1 x_2 y_2}, \ \frac{y_2 y_1 - a x_2 x_1}{1 - d x_1 y_1 x_2 y_2} \right)$$

is always defined on the twisted Edwards curve $E_{a,d,p}$.

Proof. The proof of the theorem is presented in Appendix A.

Observe that the condition that $a$ is a square is necessary for the possibility of the addition. Indeed, let $p = 23$, $a = 19$ and $d = 14$. Then $a$ and $d$ are not squares in $\mathbb{Z}/p\mathbb{Z}$. The points $(x_1, y_1) = (1, 9)$ and $(x_2, y_2) = (4, 12)$ are on the curve $E_{a,d,p}$ with $1 + d x_1 x_2 y_1 y_2 \equiv 0 \pmod{p}$, which implies that the sum $(x_1, y_1) + (x_2, y_2)$ is not defined on $E_{a,d,p}$.
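The counterexample above and the completeness claim of Theorem 1 can be checked by brute force over $\mathbb{Z}/23\mathbb{Z}$. The following Python code is an added example, not code from the paper; the function names and the comparison value $a = 4$ (a square modulo 23) are assumptions made here.

```python
# Added example (not from the paper): twisted Edwards addition over Z/pZ.

def is_square(a, p):
    """Euler's criterion: True if a is a nonzero quadratic residue mod odd prime p."""
    return pow(a % p, (p - 1) // 2, p) == 1

def curve_points(a, d, p):
    """All affine points of a*x^2 + y^2 = 1 + d*x^2*y^2 (mod p)."""
    return [(x, y) for x in range(p) for y in range(p)
            if (a*x*x + y*y - 1 - d*x*x*y*y) % p == 0]

def add(P, Q, a, d, p):
    """Addition law of Theorem 1; returns None when a denominator is 0 mod p."""
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * y1 * x2 * y2 % p
    if (1 + t) % p == 0 or (1 - t) % p == 0:
        return None
    x3 = (x1*y2 + y1*x2) * pow((1 + t) % p, -1, p) % p
    y3 = (y1*y2 - a*x1*x2) * pow((1 - t) % p, -1, p) % p
    return (x3, y3)

def undefined_pairs(a, d, p):
    """Pairs of curve points whose sum is not defined by the addition law."""
    pts = curve_points(a, d, p)
    return [(P, Q) for P in pts for Q in pts if add(P, Q, a, d, p) is None]

def sums_stay_on_curve(a, d, p):
    """True if every defined sum of two curve points is again on the curve."""
    pts = set(curve_points(a, d, p))
    sums = (add(P, Q, a, d, p) for P in pts for Q in pts)
    return all(S in pts for S in sums if S is not None)

if __name__ == "__main__":
    p, d = 23, 14
    # Paper's counterexample: a = 19 is not a square, the sum is undefined.
    print(add((1, 9), (4, 12), 19, d, p))
    # Constructed comparison: a = 4 is a square, no pair is undefined.
    print(len(undefined_pairs(4, d, p)), sums_stay_on_curve(4, d, p))
```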
In the following results, we suppose that $a$ and $d$ are arbitrary integers satisfying $ad(a - d) \not\equiv 0 \pmod{p}$.

Lemma 2. Let $p \geq 5$ be a prime number and $a$, $d$ be integers such that $ad(a - d) \neq 0$. Then the twisted Edwards curve $E_{a,d,p}$ with equation $a x^2 + y^2 \equiv 1 + d x^2 y^2 \pmod{p}$ is birationally equivalent to the short Weierstrass form $W_{a,d,p}$ with equation

$$v^2 \equiv u^3 - \frac{1}{3}\left(a^2 + 14ad + d^2\right) u - \frac{2}{27}(a + d)\left(a^2 - 34ad + d^2\right) \pmod{p},$$

with the transformation modulo $p$

$$(x, y) \to (u, v) = \begin{cases} O & \text{if } (x, y) = (0, 1), \\ \left(\frac{2}{3}(a + d), 0\right) & \text{if } (x, y) = (0, -1), \\ \left(\frac{5a - d + (a - 5d)y}{3(1 - y)}, \ \frac{2(a - d)(1 + y)}{(1 - y)x}\right) & \text{if } (x, y) \neq (0, 1). \end{cases}$$

Proof. The proof of the theorem is presented in Appendix B.

The following result gives the inverse transformation of Lemma 2.

Lemma 3. Let $p \geq 5$ be a prime number and $a$ and $d$ be integers such that $ad(a - d) \neq 0$. The short Weierstrass form $W_{a,d,p}$ with the equation

$$v^2 \equiv u^3 - \frac{1}{3}\left(a^2 + 14ad + d^2\right) u - \frac{2}{27}(a + d)\left(a^2 - 34ad + d^2\right) \pmod{p}$$

is birationally equivalent to the twisted Edwards curve $E_{a,d,p}$ with the transformation

$$(u, v) \to (x, y) = \begin{cases} (0, 1) & \text{if } (u, v) = O, \\ (0, -1) & \text{if } (u, v) = \left(\frac{2}{3}(a + d), 0\right), \\ \left(\frac{2(3u - 2a - 2d)}{3v}, \ \frac{3u - 5a + d}{3u + a - 5d}\right) & \text{if } u \neq -\frac{1}{3}(a - 5d) \text{ and } v \neq 0. \end{cases}$$

If $ad$ is a square in $\mathbb{Z}/p\mathbb{Z}$, then the points $(u, v) = \left(-\frac{1}{3}\left(a + d \pm 6\sqrt{ad}\right), 0\right) \in W_{a,d,p}$ are not mapped into $E_{a,d,p}$.

If $d$ is a square in $\mathbb{Z}/p\mathbb{Z}$, then the points $(u, v) = \left(-\frac{1}{3}(a - 5d), \pm 2\sqrt{d}\,(a - d)\right) \in W_{a,d,p}$ are not mapped into $E_{a,d,p}$.

Proof. The proof of the theorem is presented in Appendix C.

Combining Lemma 2 and Lemma 3, we easily get the following result regarding the number of points of the twisted Edwards curve $E_{a,d,p}$ in terms of the number of points of the Weierstrass curve $W_{a,d,p}$.

Lemma 4. Let $p \geq 5$ be a prime number and $a$ and $d$ be integers such that $ad(a - d) \neq 0$. Then

$$\#E_{a,d,p} = \begin{cases} \#W_{a,d,p} & \text{if } d \text{ and } ad \text{ are not squares in } \mathbb{Z}/p\mathbb{Z}, \\ \#W_{a,d,p} - 4 & \text{if } ad \text{ and } d \text{ are squares in } \mathbb{Z}/p\mathbb{Z}, \\ \#W_{a,d,p} - 2 & \text{if } ad \text{ or } d \text{ is a square in } \mathbb{Z}/p\mathbb{Z}. \end{cases}$$

Proof.
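The maps of Lemma 2 and Lemma 3 and the point count of Lemma 4 can be verified numerically for small primes. The following Python code is an added example, not code from the paper; the function names, the string "O" for the point at infinity, and the sample parameters are assumptions made here.

```python
# Added example (not from the paper): numeric check of Lemmas 2-4 over Z/pZ.

def is_square(a, p):
    """Euler's criterion for a nonzero quadratic residue modulo an odd prime p."""
    return pow(a % p, (p - 1) // 2, p) == 1

def edwards_points(a, d, p):
    """Affine points of a*x^2 + y^2 = 1 + d*x^2*y^2 (mod p)."""
    return [(x, y) for x in range(p) for y in range(p)
            if (a*x*x + y*y - 1 - d*x*x*y*y) % p == 0]

def weierstrass_points(a, d, p):
    """Points of W_{a,d,p}; "O" stands for the point at infinity."""
    A = -(a*a + 14*a*d + d*d) * pow(3, -1, p) % p
    B = -2 * (a + d) * (a*a - 34*a*d + d*d) * pow(27, -1, p) % p
    return ["O"] + [(u, v) for u in range(p) for v in range(p)
                    if (v*v - u**3 - A*u - B) % p == 0]

def to_weierstrass(P, a, d, p):
    """Transformation of Lemma 2."""
    x, y = P
    if P == (0, 1):
        return "O"
    if P == (0, p - 1):
        return (2 * (a + d) * pow(3, -1, p) % p, 0)
    u = (5*a - d + (a - 5*d)*y) * pow(3*(1 - y) % p, -1, p) % p
    v = 2 * (a - d) * (1 + y) * pow((1 - y)*x % p, -1, p) % p
    return (u, v)

def to_edwards(Q, a, d, p):
    """Inverse transformation of Lemma 3, for v != 0 and 3u + a - 5d != 0."""
    u, v = Q
    x = 2 * (3*u - 2*a - 2*d) * pow(3*v % p, -1, p) % p
    y = (3*u - 5*a + d) * pow((3*u + a - 5*d) % p, -1, p) % p
    return (x, y)

def lemma4_deficit(a, d, p):
    """#W - #E as stated in Lemma 4: 2 for each of ad, d that is a square."""
    return 2 * is_square(a*d, p) + 2 * is_square(d, p)

def check(a, d, p):
    """True if the images lie on W, the maps invert, and the counts match Lemma 4."""
    E, W = edwards_points(a, d, p), weierstrass_points(a, d, p)
    images = [to_weierstrass(P, a, d, p) for P in E]
    roundtrip = all(to_edwards(Q, a, d, p) == P
                    for P, Q in zip(E, images) if P[0] != 0)
    return (set(images) <= set(W) and roundtrip
            and len(E) == len(W) - lemma4_deficit(a, d, p))
```

Calling `check(19, 14, 23)` exercises the paper's own parameters from Section 2, for which $ad$ is a square and $d$ is not.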
