# A New RSA Variant Based on Elliptic Curves

1 Department of Computing and Mathematics, King Fahd University of Petroleum and Minerals, Dhahran 31261, Saudi Arabia
2 Department of Mathematics, LMNO, Normandie University, UNICAEN, CNRS, LMNO, 14000 Caen, France
\* Author to whom correspondence should be addressed.
Cryptography 2023, 7(3), 37; https://doi.org/10.3390/cryptography7030037
Submission received: 31 May 2023 / Revised: 28 June 2023 / Accepted: 16 July 2023 / Published: 19 July 2023

## Abstract

In this paper, we propose a new scheme based on ephemeral elliptic curves over a finite ring with an RSA modulus. The new scheme is a variant of both the RSA and the KMOV cryptosystems and can be used for both signature and encryption. We study the security of the new scheme and show that it is immune to factorization attacks, discrete-logarithm-problem attacks, sum-of-two-squares attacks, sum-of-four-squares attacks, isomorphism attacks, and homomorphism attacks. Moreover, we show that the private exponents can be much smaller than the ordinary exponents in RSA and KMOV, which makes the decryption phase in the new scheme more efficient.

## 1. Introduction

The RSA system was proposed in 1977 by Rivest, Shamir, and Adleman [1] as a public key cryptosystem. The algorithm is based on a trap-door function that utilizes the Fermat–Euler theorem. The RSA algorithm’s strength depends on the difficulty of factorizing a large integer n, which is the product of two large primes p and q. In RSA, the public exponent is an integer e and the private exponent is an integer d such that $ed \equiv 1 \pmod{(p-1)(q-1)}$.
Since its publication, the RSA cryptosystem has been intensively studied for vulnerabilities using various methods (see [2,3]). On the other hand, to improve the efficiency of RSA, many variants have been proposed such as Batch RSA [4], Multi-Prime RSA [5], Prime Power RSA [6], CRT-RSA [7], Rebalanced RSA [8], Dual RSA [9], and DRSA [10].
In 1985, Koblitz [11] and Miller [12] showed independently how to use elliptic curves over finite fields for the design of cryptosystems. Such schemes contribute to elliptic curve cryptography (ECC) and their security is based on the hardness of the elliptic curve discrete logarithm (ECDLP). ECC offers high security with smaller keys and more efficient implementations than traditional public key cryptosystems such as RSA. ECC is increasingly used in industry for digital signatures such as ECDSA [13], key agreement such as ECDH [14], and Bitcoin [15].
In 1991, Koyama et al. [16] proposed a new scheme called KMOV by adapting RSA to the elliptic curve with an equation $y^2 \equiv x^3 + b \pmod{n}$ over the ring $\mathbb{Z}/n\mathbb{Z}$, where $n = pq$ is an RSA modulus satisfying $p \equiv q \equiv 2 \pmod{3}$. In KMOV, b is computed during the encryption process in terms of the plaintext $(x, y)$ as $b \equiv y^2 - x^3 \pmod{n}$. The main property of KMOV is that $(p+1)(q+1)P = \mathcal{O}$ holds for any point P on the elliptic curve, where $\mathcal{O}$ is the point at infinity. In 1993, Demytko [17] proposed a variant of RSA, where the elliptic curve with the equation $y^2 \equiv x^3 + ax + b \pmod{n}$ over $\mathbb{Z}/n\mathbb{Z}$ is fixed. The advantage of Demytko’s scheme over KMOV is that it uses only the x-coordinate of the points on the elliptic curve. One of the common properties of both schemes is that their security is based on the hardness of factoring large composite integers.
This paper proposes a new RSA variant based on the elliptic curve with the equation $y^2 = x^3 + ax$ over the ring $\mathbb{Z}/n\mathbb{Z}$, where $n = pq$ is an RSA modulus with $p = u_p^2 + v_p^2$, $q = u_q^2 + v_q^2$, $u_p \equiv 3 \pmod{4}$ and $u_q \equiv 3 \pmod{4}$. The number of points on the elliptic curve $y^2 = x^3 + ax$ over the finite field $\mathbb{F}_p$ is $p + 1 - 2U_p$, with $U_p \in \{\pm u_p, \pm v_p\}$. Similarly, the number of points on the same elliptic curve over $\mathbb{F}_q$ is $q + 1 - 2U_q$, with $U_q \in \{\pm u_q, \pm v_q\}$.
The new scheme is a variant of both RSA and KMOV and works as follows. The public exponent is an integer e satisfying $\gcd(e, \psi(n)) = 1$, where
$$\psi(n) = (p + 1 - 2U_p)(q + 1 - 2U_q),$$
with $U_p \in \{\pm u_p, \pm v_p\}$ and $U_q \in \{\pm u_q, \pm v_q\}$. To encrypt a message m, one generates a random integer r with $1 \le r < n$, computes $a = \frac{m^2 - r^3}{r} \pmod{n}$, and $C = (x_C, y_C) = e(r, m)$ on the elliptic curve with equation $y^2 = x^3 + ax$ over the ring $\mathbb{Z}/n\mathbb{Z}$. The point C is then the encrypted message. To decrypt C, one first computes $a \equiv \frac{y_C^2 - x_C^3}{x_C} \pmod{n}$ and the two values $U_p$ and $U_q$ such that
$$U_p = \begin{cases} -u_p & \text{if } a^{\frac{p-1}{4}} \equiv 1 \pmod{p}, \\ u_p & \text{if } a^{\frac{p-1}{4}} \equiv -1 \pmod{p}, \\ v_p & \text{if } a^{\frac{p-1}{4}} \equiv \frac{u_p}{v_p} \pmod{p}, \\ -v_p & \text{if } a^{\frac{p-1}{4}} \equiv -\frac{u_p}{v_p} \pmod{p}, \end{cases} \tag{1}$$
and
$$U_q = \begin{cases} -u_q & \text{if } a^{\frac{q-1}{4}} \equiv 1 \pmod{q}, \\ u_q & \text{if } a^{\frac{q-1}{4}} \equiv -1 \pmod{q}, \\ v_q & \text{if } a^{\frac{q-1}{4}} \equiv \frac{u_q}{v_q} \pmod{q}, \\ -v_q & \text{if } a^{\frac{q-1}{4}} \equiv -\frac{u_q}{v_q} \pmod{q}. \end{cases} \tag{2}$$
Using $U_p$ and $U_q$, one computes $\psi(n) = (p + 1 - 2U_p)(q + 1 - 2U_q)$ and $d \equiv e^{-1} \pmod{\psi(n)}$. Finally, one computes the initial message $(r, m) = d(x_C, y_C)$ on the elliptic curve with equation $y^2 = x^3 + ax$ over the ring $\mathbb{Z}/n\mathbb{Z}$.
This paper studies the security of the new scheme regarding the modulus n, the private multiplier d, and the elliptic curve with an equation $y^2 \equiv x^3 + ax \pmod{n}$. For the modulus $n = pq$, we study its resistance against factorization algorithms and its decomposition as the sum of two or four squares. We show that knowing the order $\psi(n) = (p + 1 - 2U_p)(q + 1 - 2U_q)$ with $U_p \in \{\pm u_p, \pm v_p\}$ and $U_q \in \{\pm u_q, \pm v_q\}$ is not sufficient to factor n. For the private multiplier d, we show that the attacks based on the continued fraction algorithm or Coppersmith’s method are applicable only if $d < n^{0.133}$. For comparison, the former techniques are applicable to RSA and KMOV when their private exponent and multiplier $d'$ is such that $d' < n^{0.292}$. Finally, we study the discrete logarithm problem for an elliptic curve with the equation $y^2 \equiv x^3 + ax \pmod{n}$. We also study isomorphism and homomorphism attacks and ways to overcome them.
To summarize, our scheme is a generalization of the KMOV and Demytko’s schemes, which can be used for encryption and signatures. Moreover, it is a probabilistic algorithm that is secure against known classical attacks.
It should be noted that our scheme is not secure under quantum cryptanalysis because Shor’s [18] algorithm can factor any RSA modulus in polynomial time.
The rest of this paper is organized as follows. Section 2 presents the results that will be used in this paper. Section 3 and Section 4 present the theory of elliptic curves over a finite field $\mathbb{F}_p$ and a finite ring $\mathbb{Z}/n\mathbb{Z}$, respectively. Section 5 presents the new scheme. Section 6 presents an analysis of the security of the new scheme. Section 7 concludes the paper.

## 2. Useful Lemmas

This section presents some results that will be useful for the security analysis of our new scheme.
Let $n = pq$ be an RSA modulus with balanced prime factors p and q, typically, $q < p < 2q$. The following result gives the upper and lower bounds for p and q in terms of n [19].
Lemma 1.
Let $n = pq$ be the product of two unknown integers such that $q < p < 2q$. Then,
$$\frac{\sqrt{2}}{2}\sqrt{n} < q < \sqrt{n} < p < \sqrt{2}\sqrt{n}.$$
In 1990, Wiener [8] showed that RSA with a public key $(n = pq, e)$ is insecure if the private exponent d satisfies $ed - k(p-1)(q-1) = 1$ with $d < \frac{1}{3} n^{\frac{1}{4}}$. His method is based on the continued fraction algorithm and makes use of Theorem 184 in [20].
Theorem 1.
Let ξ be a real number. Let a and b be two positive integers satisfying $\gcd(a, b) = 1$ and
$$\left|\xi - \frac{a}{b}\right| < \frac{1}{2b^2}.$$
Then, $\frac{a}{b}$ is a convergent of the continued fraction expansion of ξ.
In 1996, Coppersmith [21] described a polynomial-time algorithm for finding small solutions of univariate modular polynomial equations. The method is based on lattice reduction. Since then, the Coppersmith method has been extended to solve modular polynomial equations with more variables and has been used for cryptanalysis, especially with regard to the RSA system. To illustrate this point, Boneh and Durfee [22] presented an attack on RSA by transforming the RSA key equation $ed - k(p-1)(q-1) = 1$ into the small inverse problem $x(n + y) \equiv 1 \pmod{e}$. Using Coppersmith’s method, they improved Wiener’s attack up to $d < n^{0.292}$.
The following result is a generalization of the method of Boneh and Durfee for solving the small inverse problem (see [22,23,24]).
Lemma 2.
Let n and e be two distinct integers of the same size. Let x and y be two integers such that $|x| < n^{\delta}$, $|y| < n^{\beta}$, and $x(n + y) \equiv 1 \pmod{e}$. If $\frac{1}{4} < \beta < 1$ and $\delta < 1 - \sqrt{\beta}$, then one can find x and y in polynomial time.

## 3. Elliptic Curves over the Finite Field $\mathbb{F}_p$

This section presents the main definitions and properties of elliptic curves. For more properties, see [25,26,27,28].
Let p be a prime number and $\mathbb{F}_p$ be the finite field with p elements. An elliptic curve E over $\mathbb{F}_p$ is an algebraic curve with no singular points, which is given by the Weierstrass equation
$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6,$$
where $a_i \in \mathbb{F}_p$ for $i \in \{1, 2, 3, 4, 6\}$. When $p \ge 5$, the equation can be transformed into the short Weierstrass equation $y^2 = x^3 + ax + b$, with the nonzero discriminant $\Delta = -16\left(4a^3 + 27b^2\right) \ne 0$. The set of points $P = (x, y)$ satisfying the equation, along with the infinity point $\mathcal{O}$, is denoted as $E(\mathbb{F}_p)$. The total number of points on $E(\mathbb{F}_p)$ is called the order of E and is denoted as $\#E(\mathbb{F}_p)$. It is well known that $\#E(\mathbb{F}_p)$ can be written as $\#E(\mathbb{F}_p) = p + 1 - t$, where t is bounded by the following result of Hasse $0 \le |t| \le 2\sqrt{p}$. An addition law is defined over $E(\mathbb{F}_p)$ using the chord-tangent method.
The following result is fundamental to finding the exact value of $\#E(\mathbb{F}_p)$ for specific elliptic curves (see Theorem 5, page 307, Section 4, Chapter 18 of [29]).
Theorem 2.
Let $p = u_p^2 + v_p^2$ be a prime number with $p \equiv 1 \pmod{4}$. Let $a \in \mathbb{F}_p$ with $a \ne 0$. Consider the elliptic curve $E_p$ with equation $y^2 = x^3 + ax$ over $\mathbb{F}_p$. Then,
$$\#E(\mathbb{F}_p) = p + 1 - \overline{\left(\frac{-a}{\pi}\right)_4}\,\pi - \left(\frac{-a}{\pi}\right)_4 \overline{\pi},$$
where $\pi = u_p + i v_p \equiv 1 \pmod{(2 + 2i)}$, $i^2 = -1$, and $\left(\frac{\alpha}{\pi}\right)_4 = \alpha^{\frac{p-1}{4}} \pmod{\pi}$ is the biquadratic (or quartic) residue character of α modulo π.
The following result provides an explicit solution for $\left(\frac{a}{\pi}\right)_4 \pmod{\pi}$ (see page 122, Proposition 9.8.2 of [29]).
Theorem 3.
Let $p = u_p^2 + v_p^2$ be a prime number with $p \equiv 1 \pmod{4}$. Let $a \in \mathbb{F}_p$ with $a \ne 0$. Then,
$$a^{\frac{p-1}{4}} \equiv \pm 1, \pm i \pmod{\pi},$$
where $\pi = u_p + i v_p$, $i^2 = -1$.
The following result is valid when the residue quartic character is computed for modulo p.
Lemma 3.
Let $p = u_p^2 + v_p^2$ be a prime number with $p \equiv 1 \pmod{4}$. Let $a \in \mathbb{F}_p$ with $a \ne 0$. Then,
$$a^{\frac{p-1}{4}} \equiv \pm 1, \pm u_p v_p^{-1} \pmod{p}.$$
Proof.
Let $p = u_p^2 + v_p^2$ be a prime number. First, we have $u_p^2 + v_p^2 \equiv 0 \pmod{p}$ and $\left(u_p v_p^{-1}\right)^2 \equiv -1 \pmod{p}$. Next, let $a \in \mathbb{F}_p$ with $a \ne 0$. According to Fermat’s Little Theorem, we have $a^{p-1} \equiv 1 \pmod{p}$. Then, $a^{\frac{p-1}{2}} \equiv 1 \pmod{p}$ or $a^{\frac{p-1}{2}} \equiv -1 \pmod{p}$. If $a^{\frac{p-1}{2}} \equiv 1 \pmod{p}$, then $a^{\frac{p-1}{4}} \equiv \pm 1 \pmod{p}$, and if $a^{\frac{p-1}{2}} \equiv -1 \pmod{p}$, then
$$a^{\frac{p-1}{2}} \equiv \left(u_p v_p^{-1}\right)^2 \pmod{p},$$
and $a^{\frac{p-1}{4}} \equiv \pm u_p v_p^{-1} \pmod{p}$. To summarize, we have $a^{\frac{p-1}{4}} \in \left\{\pm 1, \pm u_p v_p^{-1}\right\}$ for modulo p. This concludes the proof. □
The following result provides a simple proof for the estimation of $\#E(\mathbb{F}_p)$ when $p \equiv 1 \pmod{4}$. Alternative proofs can be found in [28] (Section 4.4 p. 115) and [29] (Section 4 in Chapter 18).
Lemma 4.
Let $p = u_p^2 + v_p^2$ be a prime number with $u_p = 4u + 3$ and $v_p = 4v + 2$. For $a \in \mathbb{F}_p$ with $a \ne 0$, let $E_a(p)$ be the elliptic curve with the equation $y^2 = x^3 + ax$ over $\mathbb{F}_p$. Then,
$$\#E(\mathbb{F}_p) = \begin{cases} p + 1 + 2u_p & \text{if } a^{\frac{p-1}{4}} \equiv 1 \pmod{p}, \\ p + 1 - 2u_p & \text{if } a^{\frac{p-1}{4}} \equiv -1 \pmod{p}, \\ p + 1 - 2v_p & \text{if } a^{\frac{p-1}{4}} \equiv \frac{u_p}{v_p} \pmod{p}, \\ p + 1 + 2v_p & \text{if } a^{\frac{p-1}{4}} \equiv -\frac{u_p}{v_p} \pmod{p}. \end{cases}$$
Proof.
Let $p = u_p^2 + v_p^2$ with $u_p = 4u + 3$ and $v_p = 4v + 2$. We set $p = \pi\overline{\pi}$ with $\pi = u_p + i v_p$. Then,
$$\frac{p-1}{4} = 4u^2 + 4v^2 + 6u + 4v + 3,$$
and
$$\left(\frac{-1}{\pi}\right)_4 = (-1)^{\frac{p-1}{4}} = (-1)^3 = -1.$$
Also, we have
$$u_p + i v_p = 1 + (2 + 2i)(1 + u - v + i(v - u)) \equiv 1 \pmod{2 + 2i}.$$
We apply Theorem 2 to the elliptic curve with equation $y^2 = x^3 + ax$ over $\mathbb{F}_p$. We obtain
$$\begin{aligned} \#E(\mathbb{F}_p) &= p + 1 - \overline{\left(\frac{-a}{\pi}\right)_4}\,\pi - \left(\frac{-a}{\pi}\right)_4 \overline{\pi} \\ &= p + 1 - \overline{\left(\frac{-1}{\pi}\right)_4}\,\overline{\left(\frac{a}{\pi}\right)_4}\,\pi - \overline{\left(\frac{-1}{\pi}\right)_4} \left(\frac{a}{\pi}\right)_4 \overline{\pi} \\ &= p + 1 + \overline{\left(\frac{a}{\pi}\right)_4}\,\pi + \left(\frac{a}{\pi}\right)_4 \overline{\pi}. \end{aligned}$$
Theorem 3 asserts that $a^{\frac{p-1}{4}} \equiv \pm 1, \pm u_p v_p^{-1} \pmod{p}$. First, assume that $a^{\frac{p-1}{4}} \equiv 1 \pmod{p}$. Then, $a^{\frac{p-1}{4}} \equiv 1 \pmod{\pi}$ and
$$\#E(\mathbb{F}_p) = p + 1 + (u_p + i v_p) + (u_p - i v_p) = p + 1 + 2u_p.$$
Next, assume that $a^{\frac{p-1}{4}} \equiv -1 \pmod{p}$. Then, $a^{\frac{p-1}{4}} \equiv -1 \pmod{\pi}$ and
$$\#E(\mathbb{F}_p) = p + 1 - (u_p + i v_p) - (u_p - i v_p) = p + 1 - 2u_p.$$
Now, assume that $a^{\frac{p-1}{4}} \equiv -\frac{u_p}{v_p} \pmod{p}$. Since $u_p + i v_p \equiv 0 \pmod{\pi}$, then $-u_p v_p^{-1} - i \equiv 0 \pmod{\pi}$ and $-u_p v_p^{-1} \equiv i \pmod{\pi}$. Hence, $a^{\frac{p-1}{4}} \equiv i \pmod{\pi}$ and
$$\#E(\mathbb{F}_p) = p + 1 - i(u_p + i v_p) + i(u_p - i v_p) = p + 1 + 2v_p.$$
Finally, assume that $a^{\frac{p-1}{4}} \equiv \frac{u_p}{v_p} \pmod{p}$. Then, $u_p v_p^{-1} \equiv -i \pmod{\pi}$ and $a^{\frac{p-1}{4}} \equiv -i \pmod{\pi}$, which gives
$$\#E(\mathbb{F}_p) = p + 1 + i(u_p + i v_p) - i(u_p - i v_p) = p + 1 - 2v_p.$$
This concludes the proof. □

## 4. Elliptic Curves over the Ring $\mathbb{Z}/n\mathbb{Z}$

This section briefly describes the theory of elliptic curves over the ring $\mathbb{Z}/n\mathbb{Z}$, where $n = pq$ is an RSA modulus (see [28], Section 2.11 and [30] for more details).
Let $a, b \in \mathbb{Z}/n\mathbb{Z}$ with $\gcd(4a^3 + 27b^2, n) = 1$. The elliptic curve $E_n(a, b)$ is the set of points $P = (x, y)$ that satisfies the equation $y^2 = x^3 + ax + b \pmod{n}$, together with the point at infinity denoted as $\mathcal{O}_n$. According to the Chinese remainder Theorem, the set $E_n(a, b)$ is isomorphic to the direct sum $E_p(a, b) \oplus E_q(a, b)$, where $E_p(a, b)$ is the elliptic curve with equation $y^2 = x^3 + ax + b \pmod{p}$ over $\mathbb{F}_p$ with the point at infinity $\mathcal{O}_p$, and $E_q(a, b)$ is the elliptic curve with equation $y^2 = x^3 + ax + b \pmod{q}$ over $\mathbb{F}_q$ with the point at infinity $\mathcal{O}_q$. Hence, the point at infinity of $E_n(a, b)$ is $\mathcal{O}_n = (\mathcal{O}_p, \mathcal{O}_q)$. The points of the form $(\mathcal{O}_p, P_q)$ with $P_q \ne \mathcal{O}_q$ and the points of the form $(P_p, \mathcal{O}_q)$ with $P_p \ne \mathcal{O}_p$ are semi-zero points, whereas the ordinary points are of the form $P = (P_p, P_q)$ with $P_p \ne \mathcal{O}_p$ and $P_q \ne \mathcal{O}_q$. A group law can be given for $E_n(a, b)$ using the chord and tangent addition law. However, the addition law is not always well-defined when using analytical expressions since there are elements in $\mathbb{Z}/n\mathbb{Z}$ that are not invertible modulo n. To overcome this, the projective coordinates $(x : y : z) \in \mathbb{P}^2(\mathbb{Z}_n)$ are used with the equation $y^2 z = x^3 + axz^2 + bz^3 \pmod{n}$. Hence, for any point P of the elliptic curve $E_n(a, b)$, we have
$$\operatorname{lcm}\left(\#E_p(a, b), \#E_q(a, b)\right) \cdot P = \mathcal{O}_n.$$
In this paper, the arithmetic of the new scheme is based on the elliptic curve $E_n(a, b)$ with $a \in \mathbb{Z}/n\mathbb{Z}$ and $b = 0$, where $n = pq$ with large prime numbers. Consequently, the sum of two points of $E_n(a, 0)$ is defined with overwhelming probability.
The following result gives an explicit value for the order $\#E_n(a, 0)$.
Theorem 4.
Let $n = pq$ be an RSA modulus with $p = u_p^2 + v_p^2$, $q = u_q^2 + v_q^2$, $u_p \equiv u_q \equiv 3 \pmod{4}$ and $v_p \equiv v_q \equiv 2 \pmod{4}$. For $a \in \mathbb{Z}/n\mathbb{Z}$ with $\gcd(a, n) = 1$, let $E_n(a)$ be the elliptic curve with the equation $y^2 = x^3 + ax$ over $\mathbb{Z}/n\mathbb{Z}$. Then, for any point P on $E_n(a)$, we have
$$(p + 1 - 2U_p)(q + 1 - 2U_q) \cdot P = \mathcal{O}_n,$$
where $U_p$ satisfies (1) and $U_q$ satisfies (2).

## 5. The New Scheme

This section presents the new scheme and a small numerical example.

#### 5.1. The New Encryption Scheme

Key generation.
• Choose a size $l \ge 4096$ for the modulus to guarantee at least 128 security levels.
• Choose two large integers $u_1$ and $v_1$ of size $l/4$.
• Compute $u_p = 4u_1 + 3$ and $v_p = 4v_1 + 2$.
• Compute $p = u_p^2 + v_p^2$.
• Choose two large integers $u_2$ and $v_2$ of size $l/4$.
• Compute $u_q = 4u_2 + 3$ and $v_q = 4v_2 + 2$.
• Compute $q = u_q^2 + v_q^2$.
• Compute $n = pq$.
• Choose an integer e such that
$$\gcd\left(e, \left((p + 1)^2 - 4u_p^2\right)\left((q + 1)^2 - 4u_q^2\right)\right) = 1.$$
The pair $(n, e)$ represents the public key, and $(u_p, v_p, u_q, v_q)$ represents the private key.
Encryption.
• Generate a random integer $r \in \mathbb{Z}/n\mathbb{Z}$.
• Use the message $y_M$ as $M = (r, y_M) \in \mathbb{Z}/n\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}$.
• Compute $a \equiv \left(y_M^2 - r^3\right) r^{-1} \pmod{n}$. The elliptic curve $E_n(a)$ is defined by the equation $y^2 \equiv x^3 + ax \pmod{n}$.
• Compute $(x_C, y_C) = e(r, y_M)$ on $E_a(n)$. The point $(x_C, y_C)$ is the encrypted message.
Decryption.
• Compute $a \equiv \left(y_C^2 - x_C^3\right) x_C^{-1} \pmod{n}$. The elliptic curve $E_a(n)$ is defined by the equation $y^2 \equiv x^3 + ax \pmod{n}$.
• Compute $U_p$ using Formula (1) and $U_q$ using Formula (2).
• Compute $\phi(a, n) = (p + 1 - 2U_p)(q + 1 - 2U_q)$.
• Compute $d \equiv e^{-1} \pmod{\phi(a, n)}$.
• Compute $M = (r, y_M) = d(x_C, y_C)$ on $E_n(a)$. The point $(r, y_M)$ is the original message.
The role of the random integer r is to serve as the x-coordinate of M on the elliptic curve with the equation $y^2 \equiv x^3 + ax \pmod{n}$. If the same message $y_M$ is encrypted twice, this yields two different couples, $(r, y_M)$ and $(r', y_M)$; two values, $a \equiv \left(y_M^2 - r^3\right) r^{-1} \pmod{n}$ and $a' \equiv \left(y_M^2 - r'^3\right) r'^{-1} \pmod{n}$; and two elliptic curves with different equations.

#### 5.2. A Numerical Example

The following is a numerical example with small integers demonstrating the system parameters and a plaintext–ciphertext pair.
$$\begin{aligned}
u_1 &= 3253473156, \\
v_1 &= 3239617290, \\
u_p &= 4u_1 + 3 = 13013892627, \\
v_p &= 4v_1 + 2 = 12958469162, \\
p &= u_p^2 + v_p^2 = 337283324329589943373, \\
u_2 &= 4133795239, \\
v_2 &= 4069844016, \\
u_q &= 4u_2 + 3 = 16535180959, \\
v_q &= 4v_2 + 2 = 16279376066, \\
q &= u_q^2 + v_q^2 = 538430294445129796037, \\
n &= pq = 181603559630213323475279432919469869812801, \\
e &= 233, \\
r &= 276576193905959805653341, \\
y_M &= 24123988022450690140866.
\end{aligned}$$
Then, one can compute the following parameters
$$\begin{aligned}
a &\equiv \frac{y_M^2 - r^3}{r} \pmod{n} = 124892799480186717332460335305220886752546, \\
C &= e(r, y_M) = (x_C, y_C), \\
x_C &= 9895932661554916108079613524266560686478, \\
y_C &= 174838551993023162117462165695082973280827, \\
a^{\frac{p-1}{4}} &\equiv 1 \pmod{p}, \text{ hence } U_p = -u_p, \\
a^{\frac{q-1}{4}} &\equiv -1 \pmod{q}, \text{ hence } U_q = u_q, \\
\phi(a, n) &= (p + 1 - 2U_p)(q + 1 - 2U_q) = 181603559633073389948874511533493403987360, \\
d &\equiv e^{-1} \pmod{\phi(a, n)} = 35073648856172972307722545145953661714297, \\
m &= d(x_C, y_C) = (r, y_M),
\end{aligned}$$
which shows that the decryption is correct.
In addition to the former example, we performed extensive experiments to test the validity of our scheme, as described in Section 5, using random parameters $u_1$, $v_1$, $u_2$, $v_2$, e, r, and $y_M$. In all cases, the scheme was successful without failure.
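The encryption and decryption steps of Section 5.1, run on the private key, public exponent and plaintext point of Section 5.2, as an added example that is not the authors' code. The function names are hypothetical, and the affine addition raises an error in the rare case where a denominator is not invertible modulo n (the paper uses projective coordinates for that case).

```python
"""Toy run of the Section 5.1 scheme on the Section 5.2 parameters (added example)."""

# Private key (u_p, v_p, u_q, v_q), built from u_1, v_1, u_2, v_2 of Section 5.2.
U1, V1 = 3253473156, 3239617290
U2, V2 = 4133795239, 4069844016
UP, VP = 4 * U1 + 3, 4 * V1 + 2
UQ, VQ = 4 * U2 + 3, 4 * V2 + 2
P, Q = UP**2 + VP**2, UQ**2 + VQ**2
# Public key (n, e) and the plaintext point (r, y_M) of the same example.
N, E = P * Q, 233
R = 276576193905959805653341
Y_M = 24123988022450690140866


def inv(x, n):
    """Inverse of x modulo n; raises ValueError when gcd(x, n) > 1."""
    return pow(x % n, -1, n)


def curve_coeff(x, y, n=N):
    """a = (y^2 - x^3) * x^-1 mod n, so that (x, y) lies on y^2 = x^3 + a x."""
    return (y * y - x**3) * inv(x, n) % n


def add(p1, p2, a, n):
    """Chord-tangent addition in affine coordinates; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % n == 0:
            return None  # P + (-P), which also covers 2-torsion points
        if y1 != y2:
            raise ValueError("points are opposite modulo one prime factor only")
        lam = (3 * x1 * x1 + a) * inv(2 * y1, n) % n
    else:
        lam = (y2 - y1) * inv(x2 - x1, n) % n
    x3 = (lam * lam - x1 - x2) % n
    return x3, (lam * (x1 - x3) - y1) % n


def mul(k, pt, a, n):
    """Left-to-right double-and-add computation of k * pt."""
    acc = None
    for bit in bin(k)[2:]:
        acc = add(acc, acc, a, n)
        if bit == "1":
            acc = add(acc, pt, a, n)
    return acc


def trace_half(a, prime, u, v):
    """U with #E(F_prime) = prime + 1 - 2U, following Formulas (1) and (2)."""
    chi = pow(a, (prime - 1) // 4, prime)
    ratio = u * inv(v, prime) % prime
    return {1: -u, prime - 1: u, ratio: v, prime - ratio: -v}[chi]


def encrypt(y_m, r, n=N, e=E):
    """Ciphertext point C = e * (r, y_M) on the curve fixed by (r, y_M)."""
    return mul(e, (r, y_m), curve_coeff(r, y_m, n), n)


def decrypt(c, e=E):
    """Recover (r, y_M) = d * C with d = e^-1 mod (p+1-2U_p)(q+1-2U_q)."""
    a = curve_coeff(*c)
    order_p = P + 1 - 2 * trace_half(a, P, UP, VP)
    order_q = Q + 1 - 2 * trace_half(a, Q, UQ, VQ)
    return mul(inv(e, order_p * order_q), c, a, N)


if __name__ == "__main__":
    c = encrypt(Y_M, R)
    print("ciphertext point:", c)
    print("decrypts to (r, y_M):", decrypt(c) == (R, Y_M))
    print("same a recovered from C:", curve_coeff(*c) == curve_coeff(R, Y_M))
    print("fresh r changes the ciphertext:", encrypt(Y_M, R + 1) != c)
```

The private exponent is recomputed for every ciphertext because the group order depends on the ephemeral coefficient a, which the receiver reads off the ciphertext point itself.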

#### 5.3. The New Signature Scheme

The encryption scheme can be transformed easily into a signature scheme using a hash function as follows. There is no particular specification for the hash function, so any of the most popular hash functions can be used, such as SHA-2, MD6, RIPEMD, HAVAL-128, etc.
• Key generation. The key generation scheme is similar to that of the encryption in Section 5.1.
• Encryption.
  • Generate a random integer $r \in \mathbb{Z}/n\mathbb{Z}$.
  • Represent the message as $M = (r, y_M) \in \mathbb{Z}/n\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}$.
  • Compute $a \equiv \left(y_M^2 - r^3\right) r^{-1} \pmod{n}$. The elliptic curve $E_n(a)$ is defined by the equation $y^2 \equiv x^3 + ax \pmod{n}$.
  • Compute $(x_C, y_C) = e(r, y_M)$ on $E_a(n)$. The point $(x_C, y_C)$ is the encrypted message.
  • Compute the signature $s = \operatorname{Hash}(r \parallel y_M)$.
• Decryption.
  • Compute $a \equiv \left(y_C^2 - x_C^3\right) x_C^{-1} \pmod{n}$. The elliptic curve $E_a(n)$ is defined by the equation $y^2 \equiv x^3 + ax \pmod{n}$.
  • Compute $U_p$ using Formula (1) and $U_q$ using Formula (2).
  • Compute $\phi(a, n) = (p + 1 - 2U_p)(q + 1 - 2U_q)$.
  • Compute $d \equiv e^{-1} \pmod{\phi(a, n)}$.
  • Compute $M = (r, y_M) = d(x_C, y_C)$ on $E_n(a)$.
  • Compute $s' = \operatorname{Hash}(r \parallel y_M)$.
  • Accept the message if $s' = s$.
As in the encryption scheme, the random number r serves as the x-coordinate of the point $M = (r, y_M)$ on the elliptic curve with the equation $y^2 \equiv x^3 + ax \pmod{n}$. Note that r is random, which implies that the signature scheme is probabilistic.

## 6. Security Analysis

This section presents an analysis of the resistance of our scheme to the most well-known attacks that can be applied to it.

#### 6.1. Resistance against Factorization Methods

When p and q are sufficiently large, factoring the RSA modulus $n = pq$ is believed to be hard for all currently known factorization algorithms (see [31,32]). Indeed, Pollard’s rho method is ineffective since its run time is $O\left(\sqrt{p}\,(\log(n))^2\right)$ and depends on the size of the prime number p found. This is similar to Lenstra’s Elliptic Curve Method (ECM) for which the run time is $O\left(\exp\left(\sqrt{2 \ln p \ln\ln p}\right)\right)$. The Number Field Sieve [33] is also ineffective for large primes p and q. Its run time is $O\left(\exp\left(c\,\sqrt[3]{\ln n}\,\sqrt[3]{(\ln\ln n)^2}\right)\right)$, where c is a constant.

#### 6.2. Resistance against Decomposition as Sum of Two Squares

It is well known that if $n = pq$ with $p \equiv q \equiv 1 \pmod{4}$, then n can be expressed as the sum of two squares as $n = x^2 + y^2$. In the new scheme, the modulus is in the form $n = pq = \left(u_p^2 + v_p^2\right)\left(u_q^2 + v_q^2\right)$. Then, the Brahmagupta–Fibonacci identity expresses n as a sum of two squares in two different ways, namely
$$n = (u_p u_q - v_p v_q)^2 + (u_p v_q + v_p u_q)^2 = (u_p u_q + v_p v_q)^2 + (u_p v_q - v_p u_q)^2.$$
Euler observed that if $n = x_1^2 + y_1^2 = x_2^2 + y_2^2$ with $x_1 \equiv x_2 \equiv 0 \pmod{2}$ and $x_1 \ne \pm x_2 \pmod{n}$, then
$$n = \left(\frac{r^2}{4} + \frac{u^2}{4}\right)\left(s^2 + t^2\right),$$
where
$$r = \gcd(x_1 - x_2, y_2 - y_1), \quad u = \gcd(x_1 + x_2, y_2 + y_1), \quad s = \frac{x_1 - x_2}{r}, \quad t = \frac{y_2 - y_1}{r}.$$
On the other hand, we have $\left(x_1 y_1^{-1}\right)^2 \equiv \left(x_2 y_2^{-1}\right)^2 \equiv -1 \pmod{n}$. It follows that decomposing n as the sum of two squares in two different ways will provide a solution to the equation $t_1^2 \equiv t_2^2 \pmod{n}$ with $t_1 \ne \pm t_2 \pmod{n}$, and two solutions of the congruence $t^2 = -1 \pmod{n}$. This is known to be equivalent to factoring n, as in the quadratic sieve factoring algorithm [34] and in Rabin’s cryptosystem [35].
It is also known that by applying the continued fraction algorithm to $n$, it is possible to find one representation of n (see [36]) as $n = x^2 + y^2$. This leads to one of the systems
$$\begin{cases} u_p u_q - v_p v_q = x, \\ u_p v_q + v_p u_q = y, \end{cases} \qquad \begin{cases} u_p u_q + v_p v_q = x, \\ u_p v_q - v_p u_q = y. \end{cases}$$
This is insufficient for solving either of the two systems. Consequently, the representation of n as a sum of two squares by the continued fraction method is inadequate to factorize it.

#### 6.3. Resistance against Decomposition as Sum of Four Squares

Lagrange’s four-square theorem states that every positive integer n is the sum of four squares (Theorem 369 in [20]), that is, $n = x_1^2 + x_2^2 + x_3^2 + x_4^2$. The number of ways of decomposing n as such a sum is denoted as $r_4(n)$, and for odd n, Jacobi’s four-square theorem formula gives $r_4(n) = 8 \sum_{m \mid n} m$ (Proposition 17.7.2 of [20]). For the modulus $n = pq = \left(u_p^2 + v_p^2\right)\left(u_q^2 + v_q^2\right)$, a specific decomposition as a sum of four squares is
$$n = (u_p u_q)^2 + (u_p v_q)^2 + (v_p u_q)^2 + (v_p v_q)^2.$$
Conversely, let $n = x_1^2 + x_2^2 + x_3^2 + x_4^2$ be a decomposition of n leading to the factorization $n = pq = \left(u_p^2 + v_p^2\right)\left(u_q^2 + v_q^2\right)$. Then,
from which we obtain
$$\gcd(|x_1|, |x_2|) = \gcd(u_p u_q, u_p v_q) = u_p \gcd(u_q, v_q) = u_p.$$
Similarly, we have
$$v_p = \gcd(|x_3|, |x_4|), \quad u_q = \gcd(|x_1|, |x_3|), \quad v_q = \gcd(|x_2|, |x_4|).$$
As the decomposition of $p = u_p^2 + v_p^2$, with the positive integers $u_p$ and $v_p$ that satisfy $u_p \equiv 3 \pmod{4}$, is unique, p can be decomposed as $p = r^2 + s^2$ with the integers r and s in eight ways, namely
$$p = (\pm u_p)^2 + (\pm v_p)^2 = (\pm v_p)^2 + (\pm u_p)^2.$$
This is also true for q. Consequently, among the representations of n as a sum of four squares $n = x_1^2 + x_2^2 + x_3^2 + x_4^2$, only 64 decompositions can lead to the factorization of n by using
This is negligible compared to $r_4(n) = 8(1 + p + q + n)$, which represents the number of decompositions of a large modulus $n = pq$ as the sum of four squares.

#### 6.4. Resistance against Solving the Order

In RSA, it is well known that solving Euler’s totient function $\phi(n) = (p - 1)(q - 1)$ is equivalent to factoring $n = pq$. This is also true for solving the order $N_n = (p + 1)(q + 1)$ in the KMOV system. For an elliptic curve E over a finite ring $\mathbb{Z}/n\mathbb{Z}$ with an RSA modulus n, Martin et al. [37] proved that computing the order $\#E$ is as difficult as factoring n. Moreover, for our scheme, we have the following facts.
Let $a \in \mathbb{Z}/n\mathbb{Z}$ be fixed. In our scheme, the order of the elliptic curves $E_n(a)$ is of the form
$$\#E_n(a) = (p + 1 - 2U_p)(q + 1 - 2U_q),$$
with $U_p \in \{\pm u_p, \pm v_p\}$ and $U_q \in \{\pm u_q, \pm v_q\}$. Assume that the factorization of n is known. Then, one can compute $\#E_p(a) = p + 1 - 2U_p$ and $\#E_q(a) = q + 1 - 2U_q$ using a specific algorithm to determine the order of an elliptic curve over a finite field such as the Schoof–Elkies–Atkin algorithm [38]. This implies that $\#E_n(a) = (p + 1 - 2U_p)(q + 1 - 2U_q)$ can be computed. Conversely, assume that $\#E_n(a) = (p + 1 - 2U_p)(q + 1 - 2U_q)$ is known, where $U_p \in \{\pm u_p, \pm v_p\}$ and $U_q \in \{\pm u_q, \pm v_q\}$. Let $V_p \in \{v_p, u_p\}$ and $V_q \in \{v_q, u_q\}$ such that
$$V_p^2 = p - U_p^2, \quad V_q^2 = q - U_q^2.$$
Assume that $u_p$ and $v_p$ are of the same size so that $u_p < 2v_p$ and $v_p < 2u_p$. Then, if $U_p = \pm u_p$, we obtain $V_p = v_p$, and
$$p = U_p^2 + V_p^2 = u_p^2 + v_p^2 < 5v_p^2 = 5V_p^2.$$
Also, if $U_p = \pm v_p$, we obtain $V_p = u_p$, and
$$p = U_p^2 + V_p^2 = v_p^2 + u_p^2 < 5v_p^2 = 5U_p^2.$$
Hence, using Lemma 1, we obtain
$$\min\left(U_p^2, V_p^2\right) > \frac{p}{5} > \frac{\sqrt{n}}{5}.$$
Similarly, assuming that $u_q$ and $v_q$ are of the same size with $u_q < 2v_q$ and $v_q < 2u_q$, we obtain
$$\min\left(U_q^2, V_q^2\right) > \frac{q}{5} > \frac{\sqrt{2n}}{10}.$$
As a consequence, we have
$$p + 1 - 2U_p = (U_p - 1)^2 + V_p^2 > V_p^2 > \frac{\sqrt{n}}{5},$$
and
$$q + 1 - 2U_q = (U_q - 1)^2 + V_q^2 > V_q^2 > \frac{\sqrt{2n}}{10}.$$
By combining the former inequalities, we obtain
$$(p + 1 - 2U_p)(q + 1 - 2U_q) > \frac{\sqrt{n}}{5} \cdot \frac{\sqrt{2n}}{10} = \frac{\sqrt{2}}{50}\, n.$$
This implies that the order $\#E_n(a) = (p + 1 - 2U_p)(q + 1 - 2U_q)$ is sufficiently large. Moreover, with a high probability, it can take any shape, and consequently, there is no efficient method to factor it with a classical computer. Hence, finding p and q is not feasible in general.
It is important to note that the work of Kunihiro and Koyama [39] on the equivalence between factoring n and counting the number of points on elliptic curves over $\mathbb{Z}/n\mathbb{Z}$ does not apply when the order $\#E_n(a) = (p + 1 - 2U_p)(q + 1 - 2U_q)$ is known for a fixed a. The reason is that in [39], an oracle is needed that can count the number of points on every elliptic curve over $\mathbb{Z}/n\mathbb{Z}$, whereas in our situation, only $\#E_n(a) = (p + 1 - 2U_p)(q + 1 - 2U_q)$ is known.

#### 6.5. Resistance against Small Private Exponent Attacks

The main small private exponent attacks on RSA are based on the key equation $ed' - k'(p - 1)(q - 1) = 1$. Wiener’s attack is based on the continued fraction algorithm, which exploits the approximation $(p - 1)(q - 1) = n + 1 - p - q \approx n$. It leads to the factorization of n under the condition $d' < \frac{1}{3} n^{\frac{1}{4}}$. The attack of Boneh and Durfee is based on Coppersmith’s method and exploits the existence of a small solution $(x, k')$ to the modular equation $k'(n + 1 - x) \equiv 1 \pmod{e}$. It works for $d' < n^{0.292}$.
In the following, we show that the private exponent d in our scheme can be small enough without undermining its security. Typically, it should be larger than $n^{0.133}$, whereas in RSA, it should be larger than $n^{0.292}$.
Lemma 5.
Let $n = pq$ be an RSA modulus with $p = u_p^2 + v_p^2$, $q = u_q^2 + v_q^2$, $u_p \equiv u_q \equiv 3 \pmod{4}$, $u_p \approx v_p$, and $u_q \approx v_q$. If d satisfies the key equation $ed - k(p + 1 - 2U_p)(q + 1 - 2U_q) = 1$, where $U_p \in \{\pm u_p, \pm v_p\}$ and $U_q \in \{\pm u_q, \pm v_q\}$, then
$$|ed - kn| < 7k(2n)^{\frac{3}{4}}.$$
Proof.
Rewrite the key equation in the form
$$ed - k(p + 1 - 2U_p)(q + 1 - 2U_q) = 1,$$
with $U_p \in \{\pm u_p, \pm v_p\}$, $U_q \in \{\pm u_q, \pm v_q\}$. We have
$$(p + 1 - 2U_p)(q + 1 - 2U_q) = n + p(1 - 2U_q) + q(1 - 2U_p) + (1 - 2U_p)(1 - 2U_q).$$
Then,
$$\begin{aligned} |ed - kn| &= |k(p + 1 - 2U_p)(q + 1 - 2U_q) + 1 - kn| \\ &= |k((p + 1 - 2U_p)(q + 1 - 2U_q) - n) + 1| \\ &= |k(p(1 - 2U_q) + q(1 - 2U_p) + (1 - 2U_p)(1 - 2U_q)) + 1| \\ &\le kp|1 - 2U_q| + kq|1 - 2U_p| + k|1 - 2U_p||1 - 2U_q| + 1. \end{aligned}$$
Suppose that $u_p$ and $v_p$ are of the same bit-size so that $u_p < 2v_p$ and $v_p < 2u_p$. Then,
$$\max(u_p, v_p)^2 < 2u_p v_p < u_p^2 + v_p^2 = p.$$
Hence,
$$\max(u_p, v_p) < \sqrt{p},$$
from which we deduce that
$$|1 - 2U_p| \le 2|U_p| + 1 < 2\sqrt{p} + 1 < 3\sqrt{p}. \tag{4}$$
Similarly, we obtain
$$|1 - 2U_q| < 3\sqrt{q}. \tag{5}$$
$$\begin{aligned} |ed - kn| &\le kp|1 - 2U_q| + kq|1 - 2U_p| + k|1 - 2U_p||1 - 2U_q| + 1 \\ &< 3kp\sqrt{q} + 3kq\sqrt{p} + 9k\sqrt{pq} + 1 \\ &< 3kp\sqrt{p} + 3kp\sqrt{p} + 9k\sqrt{pq} + 1 \\ &< 6kp\sqrt{p} + 10k\sqrt{pq} \\ &< 7kp\sqrt{p}, \end{aligned}$$
where we use $10k\sqrt{pq} + 1 < kp\sqrt{p}$, which is valid since $10\sqrt{q} < p$. Using Lemma 1, we obtain
$$|ed - kn| < 7kp\sqrt{p} < 7k(2n)^{\frac{3}{4}}.$$
This concludes the proof. □
The following result shows that with regard to Wiener’s attack, the private exponent d can be very small in our scheme compared to the private exponent in RSA.
Theorem 5.
Let $n = p q$ be an RSA modulus with $p = u p 2 + v p 2$, $q = u q 2 + v q 2$ and $u p ≡ u q ≡ 3 ( mod 4 )$. Let e be a public exponent such that $e < ( p + 1 − 2 U p ) ( q + 1 − 2 U q )$ with $U p ∈ { ± u p , ± v p }$ and $U q ∈ { ± u q , ± v q }$. If d satisfies the equation $e d − k ( p + 1 − 2 U p ) ( q + 1 − 2 U q ) = 1$ with $d < 2 4 n 1 8$, one can find d and k in polynomial time.
Proof.
The key equation is in the form
$ed - k(p + 1 - 2U_p)(q + 1 - 2U_q) = 1,$
with $U_p \in \{\pm u_p, \pm v_p\}$, and $U_q \in \{\pm u_q, \pm v_q\}$. Then, Lemma 5 gives
$|ed - kn| < 7k(2n)^{\frac{3}{4}}.$
Dividing by $nd$, we obtain
$\left|\frac{e}{n} - \frac{k}{d}\right| < \frac{7k(2n)^{\frac{3}{4}}}{nd}.$
Using the key equation $ed - k(p + 1 - 2U_p)(q + 1 - 2U_q) = 1$, we obtain
$k(p + 1 - 2U_p)(q + 1 - 2U_q) = ed - 1 < ed.$
Then,
$\frac{k}{d} < \frac{e}{(p + 1 - 2U_p)(q + 1 - 2U_q)}.$
By assuming that $e < (p + 1 - 2U_p)(q + 1 - 2U_q)$, this implies that $k < d$. Then, (6) implies that
$\left|\frac{e}{n} - \frac{k}{d}\right| < \frac{7(2n)^{\frac{3}{4}}}{n}.$
The solutions in d of the inequality $\frac{7(2n)^{\frac{3}{4}}}{n} < \frac{1}{2d^2}$ satisfy
$d < \frac{1}{\sqrt{14 \cdot 2^{\frac{3}{4}}}}\, n^{\frac{1}{8}}.$
For such solutions, we have
$\left|\frac{e}{n} - \frac{k}{d}\right| < \frac{1}{2d^2}.$
This implies that $\frac{k}{d}$ can be found among the convergents of the continued fraction expansion of $\frac{e}{n}$. Since the continued fraction algorithm computes the convergents of $\frac{e}{n}$ with complexity $O(\log(n))$, one finds k and d in polynomial time. □
Theorem 5 shows that when $d < 2 4 n 1 8$, it is possible to retrieve the private exponent d. If $d > 2 4 n 1 8$, the continued fraction attack does not apply and d may not be found using this technique.
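The recovery in the proof of Theorem 5, as an added Python example (not code from the paper): it builds a constructed toy key whose private exponent satisfies the inequality solved in the proof, written exactly as $8(14d^2)^4 < n$, and then recovers d, k and $(p+1-2U_p)(q+1-2U_q)$ from e and n alone by scanning the convergents of e/n. The prime sizes, the starting values for u and v, the choice $U_p = u_p$, $U_q = -u_q$ and all function names are assumptions made for this example.

```python
from math import gcd

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(m):
    """Miller-Rabin; these bases make it deterministic for m < 3.3e24."""
    if m < 2 or any(m % b == 0 for b in BASES):
        return m in BASES
    r, s = m - 1, 0
    while r % 2 == 0:
        r, s = r // 2, s + 1
    for b in BASES:
        x = pow(b, r, m)
        if x in (1, m - 1) or any((x := x * x % m) == m - 1 for _ in range(s - 1)):
            continue
        return False
    return True

def sum_of_squares_prime(u, v):
    """First prime u^2 + v^2 found by stepping the even value v upward."""
    while not is_prime(u * u + v * v):
        v += 2
    return u * u + v * v

def toy_key():
    """Constructed toy key with a deliberately small private exponent d."""
    u_p, u_q = 2**32 + 3, 3 * 2**30 + 3          # both are 3 (mod 4)
    p = sum_of_squares_prime(u_p, 2**32)
    q = sum_of_squares_prime(u_q, 3 * 2**30)
    n = p * q
    psi = (p + 1 - 2 * u_p) * (q + 1 + 2 * u_q)  # assumed U_p = u_p, U_q = -u_q
    d = 12001
    while gcd(d, psi) != 1:
        d += 2
    # q < p < 2q, and d satisfies 7(2n)^(3/4)/n < 1/(2d^2) from the proof
    assert q < p < 2 * q and 8 * (14 * d * d) ** 4 < n
    return n, pow(d, -1, psi), d, psi

def convergents(num, den):
    """Yield the convergents (k, d) of the continued fraction of num/den."""
    k0, k1, d0, d1 = 0, 1, 1, 0
    while den:
        a = num // den
        num, den = den, num - a * den
        k0, k1, d0, d1 = k1, a * k1 + k0, d1, a * d1 + d0
        yield k1, d1

def recover_small_d(e, n):
    """Search the convergents of e/n using public values only."""
    limit4 = 7**4 * (2 * n) ** 3                 # (7 (2n)^(3/4))^4, kept exact
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue
        psi = (e * d - 1) // k                   # candidate (p+1-2U_p)(q+1-2U_q)
        if (psi - n) ** 4 < limit4:              # Lemma 5: |psi - n| < 7 (2n)^(3/4)
            return d, k, psi
    return None
```

Run inside key generation, the same scan works as a rejection test for undersized private exponents. The first convergent that passes is only guaranteed to be the true one when d satisfies the inequality above.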
The following result makes use of lattice reduction techniques.
Theorem 6.
Let $n = pq$ be an RSA modulus with $p = u_p^2 + v_p^2$, $q = u_q^2 + v_q^2$ and $u_p \equiv u_q \equiv 3 \pmod{4}$. Let e be a public exponent such that $e < (p + 1 - 2U_p)(q + 1 - 2U_q)$ with $U_p \in \{\pm u_p, \pm v_p\}$ and $U_q \in \{\pm u_q, \pm v_q\}$. If d satisfies the equation $ed - k(p + 1 - 2U_p)(q + 1 - 2U_q) = 1$ with $d < n^{0.133}$, one can find d and k in polynomial time.
Proof.
Since d satisfies an equation of the form $ed - k(p + 1 - 2U_p)(q + 1 - 2U_q) = 1,$ with $U_p \in \{\pm u_p, \pm v_p\}$, $U_q \in \{\pm u_q, \pm v_q\}$, we rewrite
$(p + 1 - 2U_p)(q + 1 - 2U_q) = n + p(1 - 2U_q) + q(1 - 2U_p) + (1 - 2U_p)(1 - 2U_q) = n - s,$
where $s = -p(1 - 2U_q) - q(1 - 2U_p) - (1 - 2U_p)(1 - 2U_q)$. Then, the key equation can be transformed into the modular equation
$(-k)(n - s) \equiv 1 \pmod{e}.$
We set the bound $k < X = e^{\delta}$ for some $\delta > 0$. On the other hand, we have
$|s| = |p(1 - 2U_q) + q(1 - 2U_p) + (1 - 2U_p)(1 - 2U_q)| \le p|1 - 2U_q| + q|1 - 2U_p| + |1 - 2U_p||1 - 2U_q|.$
By combining (4) and (5) with Lemma 1, we obtain
$|s| < 3p\sqrt{q} + 3q\sqrt{p} + 9\sqrt{pq} < 7p\sqrt{p} < 7(2n)^{\frac{3}{4}}.$
Then, we set the bound $|s| < Y = 7(2n)^{\frac{3}{4}} = n^{\beta}$ with $\beta \approx \frac{3}{4}$. Now, we can apply Lemma 2 to Equation (7). This allows us to find k and s in polynomial time under the condition $\delta < 1 - \sqrt{\beta} = 1 - \sqrt{\frac{3}{4}} \approx 0.133$. Using k and s, one can find d since $d = \frac{k(n - s) + 1}{e}$. □
Remark 1.
The bound on d in Theorem 6 is slightly better than the bound in Theorem 5. In both cases, one can find d and k, which gives
$(p + 1 - 2U_p)(q + 1 - 2U_q) = \frac{ed - 1}{k},$
with $U_p \in \{\pm u_p, \pm v_p\}$, $U_q \in \{\pm u_q, \pm v_q\}$. According to (3), we know that $( p + 1 − 2 U p ) ( q + 1 − 2 U q ) > 2 50 n$. This is large enough, and in general, is hard to factor when n is large. Consequently, the method described in [40] for extracting p and q cannot be applied. As a consequence, finding p and q using the continued fraction method or the lattice reduction techniques when the multiplier d is small is infeasible.

#### 6.6. Resistance against Discrete Logarithm Problem

The elliptic curve discrete logarithm problem (ECDLP) over a finite field $\mathbb{F}_p$ is the following computational problem: Given an elliptic curve E over $\mathbb{F}_p$ and two points $P, Q \in E(\mathbb{F}_p)$, find an integer x, if any, such that $Q = xP$ in E. The ECDLP is still resistant to several non-quantum algorithms and is the foundation of the security of elliptic curve cryptography (see [41] for more details).
For an elliptic curve defined over a finite ring such as $\mathbb{Z}/n\mathbb{Z}$, where $n = pq$ is an RSA modulus, the elliptic curve discrete logarithm problem can be solved if one knows p and q and if one can solve the ECDLP in both $E(\mathbb{F}_p)$ and $E(\mathbb{F}_q)$. Hence, solving the ECDLP on $E(\mathbb{Z}/n\mathbb{Z})$ is more difficult. This problem is used to build several elliptic curve-based cryptosystems [16,17,42,43,44].
One more crucial fact of our scheme is that a new elliptic curve is generated each time a message is encrypted. This ensures that any generic or global discrete-logarithm attacks on our scheme are infeasible.

#### 6.7. Resistance against Isomorphism and Homomorphism Attacks

Let $E_n(a)$ and $E_n(a')$ be two elliptic curves with equations $y^2 \equiv x^3 + ax \pmod{n}$ and $y^2 \equiv x^3 + a'x \pmod{n}$, arising from our scheme. Then, $E_n(a)$ and $E_n(a')$ are isomorphic if and only if $a' = u^4 a$ for some $u \in \mathbb{Z}/n\mathbb{Z}$. As in KMOV [16], it is possible to launch an isomorphism attack on our scheme. Moreover, the encryption and decryption are homomorphic, that is,
$\mathrm{enc}(m_1 + m_2) = \mathrm{enc}(m_1) + \mathrm{enc}(m_2), \quad \text{and} \quad \mathrm{dec}(c_1 + c_2) = \mathrm{dec}(c_1) + \mathrm{dec}(c_2),$
when using the same elliptic curve. Also, it is possible to launch a homomorphism attack on our scheme, similar to that on KMOV. To overcome isomorphism and homomorphism attacks, a hash function should be applied, as shown in the signature in Section 5.3. This is sufficient to ensure that the new scheme is immune to the two types of attacks.

#### 6.8. Other Attacks

There are more attacks in the literature that are related to some elliptic variants of RSA.
In [45], Bleichenbacher proposed four attacks on KMOV when one of the following situations is satisfied.
• The ciphertext and half of the plaintext are known.
• Three encryptions of the same message are encrypted with distinct public keys.
• Six encryptions of linearly related messages are encrypted with distinct public keys.
• Two encryptions of linearly related messages are encrypted with the same public key.
Similarly, in [46], Kurosawa et al. showed that both the KMOV and Demytko’s schemes are not secure when the same message is encrypted with a suitably large number of distinct keys.
Note that the former attacks are not applicable to our scheme since the encryption process is probabilistic. This implies that, in contrast to the KMOV and Demytko’s schemes, if we encrypt the same message twice, even with the same key in the new scheme, the ciphertexts are different with a high probability because they depend on a randomly generated number in the encryption phase.

## 7. Conclusions

In this paper, we proposed a new variant of RSA with a modulus of the form $n = pq$, where p and q are large prime numbers satisfying $p = u_p^2 + v_p^2$, $q = u_q^2 + v_q^2$, $u_p \equiv 3 \pmod{4}$ and $u_q \equiv 3 \pmod{4}$. The arithmetic of the new scheme uses elliptic curves with the equation $y^2 = x^3 + ax$ over the finite ring $\mathbb{Z}/n\mathbb{Z}$. The encryption is probabilistic, such that each encryption generates a new curve that results in a new ciphertext with each call. We analyzed the security of the scheme and showed that it is resistant to known attacks on the topic.

## Author Contributions

Conceptualization, M.B. and A.N.; methodology, M.B. and A.N.; software, M.B. and A.N.; validation, M.B. and A.N.; formal analysis, M.B. and A.N.; investigation, M.B. and A.N.; resources, M.B. and A.N.; data curation, M.B. and A.N.; writing—original draft preparation, M.B. and A.N.; writing—review and editing, M.B. and A.N.; visualization, M.B. and A.N.; supervision, M.B. and A.N.; project administration, M.B. and A.N.; funding acquisition, M.B. and A.N. All authors have read and agreed to the published version of the manuscript.

## Funding

This research received no external funding.

## Conflicts of Interest

The authors declare no conflict of interest.

## References

1. Rivest, R.; Shamir, A.; Adleman, L. A Method for Obtaining digital signatures and public-key cryptosystems. Commun. ACM 1978, 21, 120–126.
2. Boneh, D. Twenty years of attacks on the RSA cryptosystem. Not. Am. Math. Soc. 1999, 46, 203–213.
3. Hinek, M. Cryptanalysis of RSA and Its Variants; Cryptography and Network Security Series; Chapman & Hall/CRC Press: Boca Raton, FL, USA, 2009.
4. Fiat, A. Batch RSA. In Proceedings of the Crypto 1989, 9th Annual International Cryptology Conference, Santa Barbara, CA, USA, 20–24 August 1989; Brassard, G., Ed.; Volume 435 of LNCS. Springer: Berlin/Heidelberg, Germany, 1989; pp. 175–185.
5. Collins, T.; Hopkins, D.; Langford, S.; Sabin, M. Public Key Cryptographic Apparatus and Method. U.S. Patent 5,848,159, 16 January 1997.
6. Takagi, T. Fast RSA-type Cryptosystem Modulo $p^k q$. In Proceedings of the Crypto 1998, 18th Annual International Cryptology Conference, Santa Barbara, CA, USA, 23–27 August 1998; Krawczyk, H., Ed.; Volume 1462 of LNCS. Springer: Berlin/Heidelberg, Germany, 1998; pp. 318–326.
7. Couvreur, C.; Quisquater, J.J. Fast Decipherment Algorithm for RSA Public-Key Cryptosystem. Electron. Lett. 1982, 18, 905–907.
8. Wiener, M. Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory 1990, 36, 553–558.
9. Sun, H.M.; Wu, M.E.; Ting, W.C.; Hinek, M.J. Dual RSA and its security analysis. IEEE Trans. Inf. Theory 2007, 53, 2922–2933.
10. Pointcheval, D. New public key cryptosystem based on the dependent RSA problem. In Advances in Cryptology-EUROCRYPT’99. EUROCRYPT 1999; Stern, J., Ed.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 1999; Volume 1592, pp. 239–254.
11. Koblitz, N. Elliptic curve cryptosystems. Math. Comput. 1987, 48, 203–209.
12. Miller, V.S. Use of elliptic curves in cryptography. In Advances in Cryptology-CRYPTO’85; Lecture Notes in Computer Science; Williams, H.C., Ed.; Springer: Berlin/Heidelberg, Germany, 1986; Volume 218, pp. 417–426.
13. Federal Information Processing Standards Publication, FIPS PUB 186-2; National Institute of Standards and Technology, Digital Signature Standard: Gaithersburg, MD, USA, 2000.
14. Certicom Research. Standards for Efficient Cryptography, SEC 2: Recommended Elliptic Curve Domain Parameters. 27 January 2010 Version 2.0. Available online: https://www.secg.org/sec2-v2.pdf (accessed on 10 July 2023).
15. Nakamoto, S. Bitcoin: A Peer-to-Peer Electronic Cash System. 2009. Available online: https://bitcoin.org/bitcoin.pdf (accessed on 10 July 2023).
16. Koyama, K.; Maurer, U.M.; Okamoto, T.; Vanstone, S.A. New Public-Key Schemes Based on Elliptic Curves over the Ring $\mathbb{Z}_n$. In Annual International Cryptology Conference; Lecture Notes in Computer Science 576; Springer: Berlin/Heidelberg, Germany, 1991; pp. 252–266.
17. Demytko, N. A new elliptic curve based analogue of RSA. In Advances in Cryptology—EUROCRYPT’93: Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques, Lofthus, Norway, 23–27 May 1993; Lecture Notes in Computer Science 765; Helleseth, T., Ed.; Springer: Berlin/Heidelberg, Germany, 1994; pp. 40–49.
18. Shor, P.W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 1997, 26, 1484–1509.
19. Nitaj, A. Another generalization of Wiener’s attack on RSA. In International Conference on Cryptology in Africa, AFRICACRYPT 2008; Vaudenay, S., Ed.; Springer: Berlin/Heidelberg, Germany, 2008; Volume 5023, pp. 174–190.
20. Hardy, G.H.; Wright, E.M. An Introduction to Theory of Numbers, 5th ed.; The Clarendon Press Oxford University Press: New York, NY, USA, 1979.
21. Coppersmith, D. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 1997, 10, 233–260.
22. Boneh, D.; Durfee, G. Cryptanalysis of RSA with private key d less than $N^{0.292}$. In Advances in Cryptology-EUROCRYPT’99: Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques, Prague, Czech Republic, 2–6 May 1999; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 1999; Volume 1592, pp. 1–11.
23. Takayasu, A.; Kunihiro, N. General bounds for small inverse problems and its applications to multi-prime RSA. In Proceedings of the Information Security and Cryptology—ICISC 2014, Seoul, Korea, 3–5 December 2014; Springer: Berlin/Heidelberg, Germany, 2014; pp. 3–17.
24. de Weger, B. Cryptanalysis of RSA with small prime difference. Appl. Algebra Eng. Commun. Comput. 2002, 13, 17–28.
25. Husemöller, D. Elliptic Curves, 2nd ed.; Springer: Berlin/Heidelberg, Germany, 2004.
26. Schmitt, S.; Zimmer, H.G.; ProQuest (Firm). Elliptic Curves: A Computational Approach; Walter de Gruyter: Berlin, Germany; New York, NY, USA, 2003.
27. Silverman, J.H. The Arithmetic of Elliptic Curves; Graduate Texts in Mathematics; Springer: Berlin/Heidelberg, Germany, 1986; Volume 106.
28. Washington, L.C. Elliptic Curves: Number Theory and Cryptography; Chapman & Hall/CRC: Boca Raton, FL, USA, 2003.
29. Ireland, K.; Rosen, M. A Classical Introduction to Modern Number Theory, 2nd ed.; Volume 84 of Graduate Texts in Mathematics; Springer: Berlin/Heidelberg, Germany, 1990.
30. Lenstra, H. Factoring integers with elliptic curves. Ann. Math. 1987, 126, 649–673.
31. Brent, R.P. Recent Progress and Prospects for Integer Factorisation Algorithms. In Proceedings of the Computing and Combinatorics. 6th Annual International Conference, COCOON 2000, Sydney, Australia, 26–28 July 2000; Lecture Notes in Computer Science; Du, D.Z., Eades, P., Estivill-Castro, V., Lin, X., Sharma, A., Eds.; Springer: Berlin/Heidelberg, Germany, 2000; Volume 1858.
32. Boneh, D.; Durfee, G.; Howgrave-Graham, N. Factoring $N = p^r q$ for Large r. In Crypto’99; Lecture Notes in Computer Science 1666; Wiener, M., Ed.; Springer: Berlin/Heidelberg, Germany, 1999; pp. 326–337.
33. Lenstra, A.K.; Lenstra, H.W., Jr. The Development of the Number Field Sieve; Lecture Notes in Mathematics 1554; Springer: Berlin/Heidelberg, Germany, 1993.
34. Pomerance, C. The quadratic sieve factoring algorithm. In Workshop on the Theory and Application of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 1985; pp. 169–182.
35. Rabin, M.O. Digital Signatures and Public Key Functions as Intractable as Factoring, MIT Technical Report, MIT/LCS/TR-212. 1979.
36. Elia, M. Continued Fractions and Factoring. arXiv 2019, arXiv:1905.10704.
37. Martín, S.; Morillo, P.; Villar, J.L. Computing the order of points on an elliptic curve modulo N is as difficult as factoring N. Appl. Math. Lett. 2001, 14, 341–346.
38. Blake, I.; Seroussi, G.; Smart, N. Elliptic Curves in Cryptography; Volume 265 of London Mathematical Society Lecture Note Series; Cambridge University Press: Cambridge, UK, 1999.
39. Kunihiro, N.; Koyama, K. Equivalence between counting the number of points on elliptic curves over the ring $\mathbb{Z}_n$ and factoring n. In LNCS 1403, Proceedings of the Eurocrypt 1998; 1998; pp. 47–58.
40. Nitaj, A.; Fouotsa, E. A new attack on RSA and Demytko’s elliptic curve cryptosystem. J. Discret. Math. Sci. Cryptogr. 2019, 22, 391–409.
41. Galbraith, S.D.; Gaudry, P. Recent progress on the elliptic curve discrete logarithm problem. Des. Codes Cryptogr. 2016, 78, 51–72.
42. Koyama, K. Fast RSA type scheme based on singular cubic curve $y^2 + axy = x^3 \pmod{n}$. In Advances in Cryptology—EUROCRYPT’95: Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques, Saint-Malo, France, 21–25 May 1995; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 1995; Volume 921, pp. 329–339.
43. Kuwakado, H.; Koyama, K.; Tsuruoka, Y. A new RSA-type scheme based on singular cubic curves $y^2 = x^3 + bx^2 \pmod{n}$. IEICE Trans. Fundam. 1995, E78-A, 27–33.
44. Paillier, P. Trapdooring Discrete Logarithms on Elliptic Curves over Rings. In Advances in Cryptology–ASIACRYPT 2000; Lecture Notes in Computer Science; Okamoto, T., Ed.; Springer: Berlin/Heidelberg, Germany, 2000; Volume 1976, pp. 573–584.
45. Bleichenbacher, D. On the Security of the KMOV Public Key Cryptosystem. In Annual International Cryptology Conference; Springer: Berlin/Heidelberg, Germany, 1997; pp. 235–248.
46. Kurosawa, K.; Okada, K.; Tsujii, S. Low exponent attack against elliptic curve RSA. Inf. Process. Lett. 1995, 53, 77–83.

## Share and Cite

MDPI and ACS Style

Boudabra, M.; Nitaj, A. A New RSA Variant Based on Elliptic Curves. Cryptography 2023, 7, 37. https://doi.org/10.3390/cryptography7030037
