Results 11 - 20 of 24
Digital signature schemes based on Lucas functions, 1995
Cited by 1 (0 self)
In 1993 Lennon and Smith proposed to use Lucas functions instead of the exponentiation function as a one-way function in cryptographic mechanisms. Recently Smith and Skinner presented an ElGamal signature scheme based on Lucas functions. In this paper we point out the weakness in this approach and present our version of an ElGamal signature scheme based on Lucas functions. Furthermore we outline how to apply the ideas of the Meta-ElGamal signature scheme to Lucas functions. As a result we get various new signature schemes. Unfortunately the new schemes are slightly less efficient than the schemes in finite fields and additionally -- in contradiction to a conjecture by Smith and Skinner -- the security of the schemes isn't increased: It can be proved that a variant of the signature schemes based on Lucas functions can be universally forged iff a related signature scheme in GF(p) can be universally forged.
Computational Methods in Public Key Cryptology, 2002
Cited by 1 (1 self)
These notes informally review the most common methods from computational number theory that have applications in public key cryptology.
FIPS PUB 186-3 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Digital Signature Standard (DSS), 2009
Cited by 1 (0 self)
of Standards and Technology (NIST) is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of the Federal Information Security Management Act (FISMA) of 2002. Comments concerning FIPS publications are welcomed and should be addressed to the
On the Security of a Williams Based Public Key Encryption Scheme
Abstract. In 1984, H.C. Williams introduced a public key cryptosystem whose security is as intractable as factorization. Motivated by some strong and interesting cryptographic properties of the intrinsic structure of this scheme, we present a practical modification thereof that has very strong security properties. We establish, and prove, a generalization of the “sole-samplability” paradigm of Zheng-Seberry (1993) which is reminiscent of the plaintext-awareness concept of Bellare et al. The assumptions that we make are both well-defined and reasonable. In particular, we do not model the functions as random oracles. In essence, the proof of security is based on the factorization problem of any large integer n = pq and Canetti’s “oracle hashing” construction introduced in 1997. Another advantage of our system is that we do not rely on any special structure of the modulus n = pq, nor do we require any specific form of the primes p and q. As our main result we establish a model which implies security attributes even stronger than semantic security against chosen ciphertext attacks.
Some New Pollard ρ's and Attacks for RSA, 1997
We introduce Pollard's $\rho$ method and factorisation. We highlight some sequences modulo $n$ which are good for factorising an RSA modulus, that is, factorising $n = pq$, with $p$, $q$ prime. A sequence $\{S\}$ modulo $n$ which "is good for factorising $n$" has the following two properties:
- $\{S\}$ has a "short" period $\pi$ modulo $p$ (or modulo $q$);
- the periods of $\{S\}$ modulo $p$ and modulo $q$ are not equal.
We examine the periods $\pi$ of a variety of such sequences $\{S\}$. Let $\{F\} = f_i$ and $\{H\} = h_i$ be Fibonacci/Lucas or any second order linear recurrent sequences, and let $a, b \in \mathbb{Z}_p$. We then examine the following sequences $\{S\}$, $\{T\}$, $\{U\}$, $\{V\}$:
- $\{S\} = s_i$, where $s_0 = a$, $s_{i+1} = s_i^{b}$ modulo $p$.
- $\{T\} = t_i$, where $t_i = f_{a^i}$ modulo $p$.
- $\{U\} = u_i$, where $u_i = a^{f_i}$ modulo $p$.
- $\{V\} = v_i$, where $v_i = f_{h_i}$ modulo $p$.
In all these sequences the next element can be computed efficiently from the previous one. For example, $f_{ak}$ can be computed from $f_k$ by one matrix-exponentiation to the power $a$....
Generalised Cycling Attacks on RSA
Given an RSA modulus $n$, a ciphertext $c$ and the encryption exponent $e$, one can construct the sequence $x_0 = c \bmod n$, $x_{i+1} = x_i^{e} \bmod n$, $i = 0, 1, \ldots$ until $\gcd(x_{i+1} - x_0, n) \neq 1$ or $i > B$, $B$ a given boundary. If $i \leq B$, there are two cases. Case 1: $\gcd(x_{i+1} - x_0, n) = n$. In this case $x_i = m$ and the secret message $m$ can be recovered. Case 2: $1 \neq \gcd(x_{i+1} - x_0, n) \neq n$. In this case, the RSA modulus $n$ can be factorised. If $i \leq B$, then Case 2 is much more likely to occur than Case 1. This attack is called a cycling attack. We introduce some new generalised cycling attacks. These attacks work without the knowledge of $e$ and $c$. Therefore, these attacks can be used as factorisation algorithms. We introduce Lucas sequences $V(P, 1)$, the Carmichael function $(\cdot)$ and we define the $\Omega(\cdot, \cdot)$ function. The attacks involve Lucas sequences. The Carmichael and the Omega functions then describe an upper bound of the complexity of the attacks. We als...
Enjeux Et Avancées De La Théorie Algorithmique Des Nombres [Challenges and Advances in Algorithmic Number Theory], 1992
Introduction. The appearance of public-key encryption systems in general [DH76], and of the RSA encryption system in particular [ARS78], has caused a renewed interest in number theory and in particular in arithmetic in its computational aspects. To answer questions as simple as those concerning the decomposition of numbers into prime factors, it was necessary to give algorithmic answers that take into account the feasibility of the computations as well as the time allotted to give a satisfactory answer. This brought about the rise of algorithmic number theory. This talk is intended to highlight the progress made over the past ten years or so in the areas of primality of integers (how can one prove that an integer of a few hundred decimal digits is prime); factorization of integers (what are the factors of a number that is not prime); logarithm
Topics in Public-Key Cryptography II, 1999
$V_n(P, Q)$ from Dickson polynomials:

$$V_n(P, Q) = \sum_{i=0}^{\lfloor n/2 \rfloor} \frac{n}{n-i} \binom{n-i}{i} (-Q)^{i} P^{n-2i}$$

Fact: $V_n(V_k(P, Q), Q^k) = V_{nk}(P, Q)$. In particular, if $Q = 1$, then $V_n(V_k(P, 1), 1) = V_{nk}(P, 1) = V_k(V_n(P, Q), 1)$. The above fact forms the basis for many RSA and ElGamal type cryptosystems based on Lucas sequences. Observe th
Cryptanalysis of Koyama Scheme, 2006
In this paper we analyze the security of Koyama scheme based on the singular cubic curve for some well known attacks. We provide an efficient algorithm for linearly related plaintext attack and identify isomorphic attack on Koyama scheme. Some other attacks are also discussed in this paper.

