A new public key cryptosystem based on Edwards curves

Abstract

The elliptic curve cryptography plays a central role in various cryptographic schemes and protocols. For efficiency reasons, Edwards curves and twisted Edwards curves have been introduced. In this paper, we study the properties of twisted Edwards curves on the ring \({\mathbb {Z}}/n{\mathbb {Z}}\) where \(n=p^rq^s\) is a prime power RSA modulus and propose a new scheme and study its efficiency and security.

Appendices

A: Proof of Theorem 1

Let \(p>2\) be a prime number. Suppose that d is a non-square in \({\mathbb {Z}}/p{\mathbb {Z}}\) and a a square with \(a\equiv b^2\pmod p\). Let \((x_{1},y_{1})\), \((x_{2},y_{2})\) be two points on the curve \(E_{a,d,p}\). Suppose that \(dx_{1}y_{1}x_{2}y_{2}\equiv \delta \equiv \pm 1\pmod p\). Then \(x_{1}y_{1}x_{2}y_{2}\ne 0\pmod p\) and

$$\begin{aligned} \begin{aligned} ax_{1}^{2}+y_{1}^{2}&\equiv dx_{1}^{2}y_{1}^{2}+1\\&\equiv dx_{1}^{2}y_{1}^{2}+d^{2}x_{1}^{2}y_{1}^{2}x_{2}^{2}y_{2}^{2}\pmod p\\&\equiv dx_{1}^{2}y_{1}^{2}\left( 1+dx_{2}^{2}y_{2}^{2}\right) \pmod p\\&\equiv dx_{1}^{2}y_{1}^{2}\left( ax_{2}^{2}+y_{2}^{2}\right) \pmod p. \end{aligned} \end{aligned}$$

Hence, since \(\delta ^2\equiv 1\pmod p\) and \(ax_{1}^{2}+y_{1}^{2}\equiv dx_{1}^{2}y_{1}^{2}\left( ax_{2}^{2}+y_{2}^{2}\right) \pmod p\), we get

$$\begin{aligned} (bx_{1}+ \delta y_{1})^{2}&=b^{2}x_{1}^{2}+y_{1}^{2}+ 2b\delta x_{1}y_{1}\\&\equiv dx_{1}^{2}y_{1}^{2}\left( ax_{2}^{2}+y_{2}^{2}\right) +2bdx_{1}^{2}y_{1}^{2}x_{2}y_{2}\pmod p\\&\equiv dx_{1}^{2}y_{1}^{2}\left( b^{2}x_{2}^{2}+y_2^{2}+2bx_{2}y_{2}\right) \pmod p\\&\equiv dx_{1}^{2}y_{1}^{2}(bx_{2}+y_{2})^{2}\pmod p. \end{aligned}$$

If \(bx_{2}+y_{2}\not \equiv 0\pmod p\), then, since \(x_{1}y_{1}\ne 0\pmod p\), we have \(\gcd (x_{1}y_{1}(bx_{2}+y_{2}),p)=1\), and

$$\begin{aligned} d\equiv \frac{(bx_{1}+\delta y_{1})^{2}}{x_{1}^{2}y_{1}^{2}(bx_{2}+y_{2})^{2}}\pmod p, \end{aligned}$$

is a square which is a contradiction. Similarly, we have

$$\begin{aligned} (bx_{1}-\delta y_{1})^{2}\equiv dx_{1}^{2}y_{1}^{2}(bx_{2}-y_{2})^{2}\pmod p. \end{aligned}$$

If \(bx_{2}-y_{2}\not \equiv 0\pmod p\), then \(\gcd (x_{1}y_{1}(bx_{2}-y_{2}),p)=1\), and

$$\begin{aligned} d\equiv \frac{(bx_{1}-\delta y_{1})^{2}}{x_{1}^{2}y_{1}^{2}(bx_{2}-y_{2})^{2}}\pmod p, \end{aligned}$$

is a square which is a contradiction. It follows that \(bx_{2}+y_{2}\equiv 0\pmod p\) and \(bx_{2}-y_{2}\equiv 0\pmod p\), from which we deduce \(x_{2}\equiv 0\pmod p\) and \(y_{2}\equiv 0\pmod p\). This is also a contradiction. As a consequence, we have always \(\delta \not \equiv \pm 1\pmod p\) and the denominators in the addition law never vanish. This terminates the proof.

B: Proof of Lemma 2

Let (x, y) be a point on the curve \(ax^{2}+y^{2}\equiv 1+dx^{2}y^{2}\pmod p\) with \(ad(a-d)\ne 0\). If \(x\ne 0\), then \(y\ne \pm 1\) and

$$\begin{aligned} \frac{1-y^{2}}{x^{2}}\equiv a-dy^{2}\pmod p. \end{aligned}$$

Since \(d\ne a\) and \(y\ne \pm 1\), then multiplying both sides by \(\frac{4(1+y)}{(1-y)^{3}(a-d)}\), we get

$$\begin{aligned} \frac{4(1+y)^{2}}{(1-y)^{2}(a-d)x^{2}}\equiv \frac{4\left( a-dy^{2}\right) (1+y)}{(1-y)^{3}(a-d)}\pmod p. \end{aligned}$$

Setting \(Y\equiv \frac{2(1+y)}{(1-y)x}\pmod p\) and transforming the right side, we get

$$\begin{aligned} \frac{1}{a-d}Y^{2}\equiv \frac{(1+y)^{3}}{(1-y)^{3}}+\frac{((a+3d)y+3a+d)(1+y)}{(1-y)^{2}(a-d)}\pmod p. \end{aligned}$$

Setting \(X\equiv \frac{1+y}{1-y}\pmod p\) and plugging it in the right side of the former equality, we get

$$\begin{aligned} \frac{1}{a-d}Y^{2}\equiv X^{3}+\frac{2(a+d)}{a-d}X^{2}+X\pmod p. \end{aligned}$$

Multiplying by \((a-d)^{3}\), we get

$$\begin{aligned} (a-d)^{2}Y^{2}\equiv (a-d)^{3}X^{3}+2(a+d)(a-d)^{2}X^{2}+(a-d)^{3}X\pmod p. \end{aligned}$$

Setting \(U\equiv (a-d)X\pmod p\) and \(V\equiv (a-d)Y\pmod p\), this transforms to \(V^{2}=U^{3}+2(a+d)U^{2}+(a-d)^{2}U\pmod p\) which can be rewritten as

$$\begin{aligned} V^{2}\equiv \left( U+\frac{2(a+d)}{3}\right) ^{3}-\frac{4(a+d)^{2}}{3}U-\frac{8(a+d)^{3}}{27} +(a-d)^{2}U\pmod p, \end{aligned}$$

that is

$$\begin{aligned} V^{2}\equiv \left( U+\frac{2(a+d)}{3}\right) ^{3}-\frac{a^{2} +14ad+d^{2}}{3}U-\frac{8(a+d)^{3}}{27}\pmod p. \end{aligned}$$

Let \(u\equiv U+\frac{2(a+d)}{3}\pmod p\) and \(v\equiv V\pmod p\). Then using u and v, we get

$$\begin{aligned} v^{2}\equiv u^{3}-\frac{1}{3}\left( a^{2}+14ad+d^{2}\right) u -\frac{2}{27}(a+d)\left( a^{2}-34ad+d^{2}\right) \pmod p.\nonumber \\ \end{aligned}$$

(2)

Summarizing the transformations, we get for \(x\ne 0\),

$$\begin{aligned} u\equiv \frac{5a-d+(a-5d)y}{3(1-y)}\pmod p,\quad v\equiv \frac{2(a-d)(1+y)}{(1-y)x}\pmod p.\ \ \end{aligned}$$

(3)

Now, if \(x=0\), then \(y^{2}=1\) and \(y=\pm 1\). If \(y=1\), then the transformations (3) are not valid and the point (0, 1) is transformed to the point at infinity \({\mathcal {O}}\). If \(y=-1\), then \(u\equiv \frac{2}{3}(a+d)\pmod p\). Plugging this in the Eq. (2), we get \(v=0\). Hence, the point \((0,-1)\) on \(E_{a,d,p}\) is transformed to the point \(\left( \frac{2}{3}(a+d),0\right) \) on the Eq. (2). This terminates the proof.

C: Proof of Lemma 3

Since \({\mathcal {O}}\) and (0, 1) are the neutral elements in \(W_{a,d,p}\) and \(E_{a,d,p}\) respectively, then they correspond to each other. For \(u\ne \frac{5d-a}{3}\) and \(v\ne 0\), we can invert (3) to get

$$\begin{aligned} (x,y)=\left( \frac{2(3u-2a-2d)}{3v},\frac{3u-5a+d}{3u+a-5d}\right) . \end{aligned}$$

(4)

Observe that (4) is not defined for \(v=0\) and for \(3u+a-5d\equiv 0\pmod p\).

First, for \(v=0\), suppose that \((u,0)\in W_{a,d,p}\). Then u satisfies the equation

$$\begin{aligned} \left( u-\frac{2(a+d)}{3}\right) \left( u+\frac{a+d+6\sqrt{ad}}{3}\right) \left( u+\frac{a+d-6\sqrt{ad}}{3}\right) \equiv 0\pmod p.\nonumber \\ \end{aligned}$$

(5)

The first root of (5) is \(u=\frac{2}{3}(a+d)\). Plugging this in the second coordinate of (4), we get \(y=-1\). Plugging \(y=-1\) in the equation \(ax^{2}+y^{2}=1+dx^{2}y^{2}\) of \(E_{a,d,p}\), we get \(ax^{2}=dx^{2}\). Since \(a\ne d\), then \(x=0\). Therefore the point \((\frac{2}{3}(a+d),0)\in W_{a,d,p}\) is mapped to \((0,-1)\in E_{a,d,p}\).

In the case ad is a square in \({\mathbb {Z}}/p{\mathbb {Z}}\), then the second and third roots of (5) are \(u=-\frac{1}{3}\left( a+d\pm 6\sqrt{ad}\right) \). Then the second coordinate of (4) is

$$\begin{aligned} y=\frac{3u-5a+d}{3u+a-5d}=\pm \sqrt{\frac{a}{d}}. \end{aligned}$$

Plugging \(y=\mp \sqrt{\frac{a}{d}}\) in the equation of \(E_{a,d,p}\), we get \(ax^{2}+\frac{a}{d}=1+ax^{2}\) and \(\frac{a}{d}=1\). Since \(a\ne d\), then this is impossible. Therefore the points \((u,v)=\left( -\frac{1}{3}\left( a+d\pm 6\sqrt{ad}\right) ,0\right) \in W_{a,d,p}\) are not mapped in \(E_{a,d,p}\).

Second, for \(3u+a-5d\equiv 0\pmod 0\) we have \(u\equiv -\frac{1}{3}(a-5d)\pmod p\). Suppose that there exists v such that \((u,v)=\left( -\frac{1}{3}(a-5d),v\right) \in W_{a,d,p}\). Then v satisfies

$$\begin{aligned} v^{2}\equiv 4d(a-d)^{2}\pmod p. \end{aligned}$$

Hence, if d is a square in \({\mathbb {Z}}/p{\mathbb {Z}}\), then \(v\equiv \pm 2\sqrt{d}(a-d)\pmod p\). Plugging \((u,v)=\left( -\frac{1}{3}(a-5d),\pm 2\sqrt{d}(a-d)\right) \) in the first coordinate of (4), we get \(x=\mp \frac{\sqrt{d}}{d}\). Plugging this in the equation of \(W_{a,d,p}\), we get \(\frac{a}{d}+y^{2}=1+y^{2}\) and \(\frac{a}{d}=1\), which is impossible since \(a\ne d\). Consequently, the points \((u,v)=\left( -\frac{1}{3}(a-5d),\pm 2\sqrt{d}(a-d)\right) \in W_{a,d,p}\) are not mapped on the twisted Edwards curve \(E_{a,d,p}\).