Wei Dai: Lucas Sequences in Cryptography
1996 Aug 1
See all posts
Wei Dai: Lucas Sequences in Cryptography @ Satoshi Nakamoto
- Author
-
Wei Dai
- Email
-
satoshinakamotonetwork@proton.me
- Site
-
https://satoshinakamoto.network
This is a short note on the practical usefulness of Lucas sequences
in applied cryptography. A Lucas sequence is a sequence of integers
characterized by two parameters, P and Q. In practice Q is always 1 and
the sequence is taken modulo a large integer. Calculating an element of
a Lucas sequence is very similar to exponentiation. It may be helpful to
think of P as the base and the index as the exponent. The following
algorithm calculates V_e(p, 1) mod n, i.e., the e-th element of the
Lucas sequence mod n characterized by P=p and Q=1. It uses m modular
multiplies and m modular squarings, where m is the bit length of e.
Therefore, it's about twice as slow as a modular exponentiation to the
power e mod n.
Integer Lucas(const Integer &e, const Integer &p, const Integer &n)
{
unsigned i = e.BitCount();
if (i==0)
return 2;
Integer v=p, v1=(p*p-2)%n;
i--;
while (i--)
{
if (e[i]) // if i-th bit of e is 1
{
v = (v*v1 - p) % n;
v1 = (v1*v1 - 2) % n;
}
else
{
v1 = (v*v1 - p) % n;
v = (v*v - 2) % n;
}
}
return v;
}
One application for Lucas sequences is primality testing. A theorem
similar to Fermat's Little Theorem states that if n is prime and
Jacobi(P^2-4, n)==-1, then V_n+1(P, 1) mod n == 2. The following
algorithm uses this theorem as a probable primality test. A combination
of this test and the strong probable prime test to the base 2 is
extremely fast and reliable. In fact no composite number is known to
pass both tests, and the total amount of time for the combined test is
no more than 3 modular exponentiations.
boolean IsStrongLucasProbablePrime(const Integer &n)
{
assert(n>1);
if (n[0]==0)
return n==2;
Integer b=1, d;
unsigned int i=0;
int j;
do
{
if (++i==64 && n.IsSquare()) // avoid infinite loop if n is a square
return FALSE;
++b; ++b;
d = (b.Square()-4)%n;
}
while ((j=Jacobi(d,n)) == 1);
if (j==0)
return FALSE;
Integer n1 = n-j;
unsigned int a;
// calculate a = largest power of 2 that divides n1
for (a=0; ; a++)
if (n1[a])
break;
Integer m = n1>>a;
Integer z = Lucas(m, b, n);
if (z==2 || z==n-2)
return TRUE;
for (i=1; i<a; i++)
{
z = (z.Square()-2)%n;
if (z==n-2)
return TRUE;
if (z==2)
return FALSE;
}
return FALSE;
}
Lucas sequences can also be used for public key crypto and signature
systems in a manner similar to RSA, but using Lucas sequences modulo a
composite number instead of exponentiation. It has roughly the same
security as RSA for the same size key, but is about twice as slow. Lucas
sequence analogues of Diffie-Hellman and ElGamal can also be
constructed. Compared to DH and ElGamal, for the same level of security
they only require modulus half the size because their security is based
on discrete log in GF(p^2) rather than GF(p). Because of the smaller
modulus used and depending on your modular multiplication algorithm,
they are also 50 to 100 percent faster. For more details, see the Crypto
95 paper "Some Remarks on Lucas-Based Cryptosystems" by Bleichenbacher,
Bosman, and Lenstra.
In summary, Lucas sequences are very useful for fast and reliable
primality testing. The Lucas sequence analogue of RSA is relatively less
efficient, but the Lucas sequence analogues of Diffie-Hellman and
ElGamal is relatively more efficient. However, Lucas sequence based
cryptosystems have not received as much scrutiny as the more popular
exponentiation based ones, so they should be used with caution.
Wei Dai
P.S. C++ implementations of the above mentioned algorithms and
cryptosystems can be found in Crypto++.
Wei Dai: Lucas Sequences in Cryptography
1996 Aug 1 See all postsWei Dai
satoshinakamotonetwork@proton.me
https://satoshinakamoto.network
This is a short note on the practical usefulness of Lucas sequences in applied cryptography. A Lucas sequence is a sequence of integers characterized by two parameters, P and Q. In practice Q is always 1 and the sequence is taken modulo a large integer. Calculating an element of a Lucas sequence is very similar to exponentiation. It may be helpful to think of P as the base and the index as the exponent. The following algorithm calculates V_e(p, 1) mod n, i.e., the e-th element of the Lucas sequence mod n characterized by P=p and Q=1. It uses m modular multiplies and m modular squarings, where m is the bit length of e. Therefore, it's about twice as slow as a modular exponentiation to the power e mod n.
One application for Lucas sequences is primality testing. A theorem similar to Fermat's Little Theorem states that if n is prime and Jacobi(P^2-4, n)==-1, then V_n+1(P, 1) mod n == 2. The following algorithm uses this theorem as a probable primality test. A combination of this test and the strong probable prime test to the base 2 is extremely fast and reliable. In fact no composite number is known to pass both tests, and the total amount of time for the combined test is no more than 3 modular exponentiations.
Lucas sequences can also be used for public key crypto and signature systems in a manner similar to RSA, but using Lucas sequences modulo a composite number instead of exponentiation. It has roughly the same security as RSA for the same size key, but is about twice as slow. Lucas sequence analogues of Diffie-Hellman and ElGamal can also be constructed. Compared to DH and ElGamal, for the same level of security they only require modulus half the size because their security is based on discrete log in GF(p^2) rather than GF(p). Because of the smaller modulus used and depending on your modular multiplication algorithm, they are also 50 to 100 percent faster. For more details, see the Crypto 95 paper "Some Remarks on Lucas-Based Cryptosystems" by Bleichenbacher, Bosman, and Lenstra.
In summary, Lucas sequences are very useful for fast and reliable primality testing. The Lucas sequence analogue of RSA is relatively less efficient, but the Lucas sequence analogues of Diffie-Hellman and ElGamal is relatively more efficient. However, Lucas sequence based cryptosystems have not received as much scrutiny as the more popular exponentiation based ones, so they should be used with caution.
Wei Dai
P.S. C++ implementations of the above mentioned algorithms and cryptosystems can be found in Crypto++.