
# UCL Crypto Group Technical Report Series

## Note on the Preliminary Version of the Meyer-Muller's Cryptosystem

Marc Joye and Jean-Jacques Quisquater

http://www.dice.ucl.ac.be/crypto/

## January 29, 1996

1) Departement de Mathematique (AGEL), Universite de Louvain, Chemin du Cyclotron, 2, B-1348 Louvain-la-Neuve, Belgium. E-mail: joye@agel.ucl.ac.be

2) Departement d'Electricite (DICE), Universite de Louvain, Place du Levant, 3, B-1348 Louvain-la-Neuve, Belgium. E-mail: jjq@dice.ucl.ac.be

Abstract. After the introduction of the RSA cryptosystem [5], Rabin [4] proposed to use even public exponents. The resulting function was four-to-one, and was proved to be as intractable as factorization. Shortly after, Williams [6] showed how to transform Rabin's function into a one-to-one function. The drawback of his method is the bit-length extension of the message. This shortcoming was later eliminated by Guillou and Quisquater [2, 3]. Very recently, Meyer and Muller [1] proposed an analogous cryptosystem based on elliptic curves over a ring. We shall show that their cryptosystem is equivalent to Williams' one.

## 1 Meyer-Muller cryptosystem

In this section, we shall not review the Meyer-Muller cryptosystem in detail. For a full description, we refer to the original paper [1].

## 1.1 Encryption of a message m

Each user chooses $n$, the product of two large prime numbers $p$ and $q$ such that $p, q \equiv 7 \pmod 8$. Then, the protocol goes as follows.

1. Set $P = (m^2, \lambda m^3) \pmod n$, with $\lambda^2 \equiv 2 \pmod n$.
2. Modulo $n$, choose $a$ randomly and compute $b = m^6 - a m^2$.
3. Send the ciphertext $Q = 2P$ over the elliptic curve $E_n(a, b)$.

## 1.2 Analysis

The first coordinate of $Q$ is given by

$$Q_x = \frac{(3m^4 + a)^2}{8m^6} - 2m^2.$$

Hence, since $m^6 = a m^2 + b$, we obtain two polynomial relations in the indeterminate $x$

$$P_1(x) = a x^2 + (7b + 8aQ_x)\,x - a^2 + 8Q_x b \pmod n, \tag{1}$$

and

$$P_2(x) = x^3 - a x - b \pmod n, \tag{2}$$

which become 0 for $x = m^2$. Thus, if we construct the polynomial $P_3(x) = P_2(x) \bmod P_1(x)$, we get a linear relation for which $m^2$ is the root.
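The reduction described above, carried out on toy numbers as an added example (not code from the original report). The function names and the parameters p = 23, q = 31, m = 5, a = 3 are constructed for illustration; only the first coordinate of Q is computed, using the formula given in the text.

```python
def poly_rem(num, den, n):
    """Remainder of num divided by den over Z/nZ (coefficients highest degree first)."""
    num = [c % n for c in num]
    inv = pow(den[0], -1, n)          # ValueError if the leading coefficient is not a unit
    while len(num) >= len(den):
        f = num[0] * inv % n
        for i, d in enumerate(den):
            num[i] = (num[i] - f * d) % n
        num.pop(0)                    # the leading term has been cancelled
    return num


def encrypt_x(m, a, n):
    """Return (b, Q_x) for message m: b = m^6 - a*m^2 and Q_x = (3m^4 + a)^2 / (8m^6) - 2m^2."""
    x = m * m % n
    m6 = pow(m, 6, n)
    b = (m6 - a * x) % n
    qx = (pow(3 * x * x + a, 2, n) * pow(8 * m6, -1, n) - 2 * x) % n
    return b, qx


def recover_m_squared(n, a, b, qx):
    """Recover m^2 mod n from n, a, b and Q_x alone, via P3 = P2 mod P1."""
    p1 = [a, 7 * b + 8 * a * qx, -a * a + 8 * qx * b]   # relation (1)
    p2 = [1, 0, -a, -b]                                 # relation (2)
    r1, r0 = poly_rem(p2, p1, n)                        # P3(x) = r1*x + r0
    return -r0 * pow(r1, -1, n) % n                     # root of the linear relation


# Constructed toy parameters: p = 23 and q = 31 are both congruent to 7 mod 8.
N = 23 * 31
B, QX = encrypt_x(5, 3, N)

if __name__ == "__main__":
    print("b =", B, " Q_x =", QX)
    print("recovered m^2 mod n =", recover_m_squared(N, 3, B, QX))
```

No factor of n is used in `recover_m_squared`; extracting m from m^2 is the square-root problem that remains.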

## 2 Conclusion

Since the knowledge of $Q$ and the elliptic curve $E_n(a, b)$ makes it easy to compute $m^2 \pmod n$, we find again the result of [6]. In his paper, Williams transforms the message $m$, in a known way, to ensure that Bob computes the desired square root. In [1], Meyer and Muller impose that $P$ is on the elliptic curve $E_n(a, b)$. Thus, the decryption process may be simplified as follows:

1. Compute $s_1$ and $s_2$, the square roots of $m^2$ modulo $p$ and modulo $q$, respectively.
2. With the Chinese remainder theorem, construct the square root of $m^2$ (modulo $n$) from $s_1$ and $s_2$.
3. Check whether $P = (m^2, \lambda m^3)$ is on the curve. If yes, then $m$ is the original message; otherwise, change the sign of $s_1$ and/or $s_2$ and go to step 2.

Furthermore, the equivalence of the cryptosystem with factorization follows immediately from [6].

CG-1996/2

## References

[1] Bernd Meyer and Volker Muller. A public key cryptosystem based on elliptic curves over Z/nZ equivalent to factoring. To appear in Eurocrypt '96, preprint.

[2] Louis Guillou and Jean-Jacques Quisquater. Efficient digital public-key signatures with shadow. Crypto '87, Lecture Notes in Computer Science, Vol. 293, Springer-Verlag, 1988.

[3] Louis Guillou, Jean-Jacques Quisquater, et al. Information technology - Security techniques - Digital signature scheme giving message recovery. ISO/IEC 9796, 1991.

[4] Michael O. Rabin. Digitalized signatures and public-key functions as intractable as factorization. Technical report MIT/LCS/TR-212, Laboratory for Computer Science, MIT, January 1979.

[5] R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Comm. ACM, Vol. 21, 1978.

[6] H. C. Williams. A modification of the RSA public-key encryption procedure. IEEE Transactions on Information Theory, Vol. IT-26, No. 6, pp. 726-729, November 1980.