
UCL Crypto Group Technical Report Series

Note on the Preliminary Version of the Meyer-Müller's Cryptosystem

Marc Joye and Jean-Jacques Quisquater



Technical Report CG-1996/2

Place du Levant, 3 B-1348 Louvain-la-Neuve, Belgium

Phone: (+32) 10 472541 Fax: (+32) 10 478667

January 29, 1996


1) Département de Mathématique (AGEL), Université de Louvain, Chemin du Cyclotron, 2, B-1348 Louvain-la-Neuve, Belgium. E-mail:

2) Département d'Électricité (DICE), Université de Louvain, Place du Levant, 3, B-1348 Louvain-la-Neuve, Belgium. E-mail:

Abstract. After the introduction of the RSA cryptosystem [5], Rabin [4] proposed to use even public exponents. The resulting function was four-to-one, and was proved to be as intractable as factorization. Shortly after, Williams [6] showed how to transform Rabin's function into a one-to-one function. The drawback of his method is the bit-length extension of the message. This shortcoming was later eliminated by Guillou and Quisquater [2, 3]. Very recently, Meyer and Müller [1] proposed an analogous cryptosystem based on elliptic curves over a ring. We shall show that their cryptosystem is equivalent to Williams' one.

1 Meyer-Müller cryptosystem
In this section, we shall not review the Meyer-Müller cryptosystem in detail. For a full description, we refer to the original paper [1].

1.1 Encryption of a message m


Each user chooses $n$, the product of two large prime numbers $p$ and $q$ such that $p, q \equiv 7 \pmod 8$. Then, the protocol goes as follows.

1. Set $P = (m^2, \lambda m^3) \pmod n$, with $\lambda^2 \equiv 2 \pmod n$.
2. Modulo $n$, choose $a$ randomly and compute $b = m^6 - a m^2$.
3. Send the ciphertext $Q = 2P$ over the elliptic curve $E_n(a, b)$.

1.2 Analysis

The first coordinate of $Q$ is given by $Q_x = \frac{(3m^4 + a)^2}{8m^6} - 2m^2$. Hence, since $m^6 = a m^2 + b$, we obtain two polynomial relations in the indeterminate $x$

$$P_1(x) = a x^2 + (7b + 8aQ_x)\,x - a^2 + 8Q_x b \pmod n, \tag{1}$$

$$P_2(x) = x^3 - a x - b \pmod n, \tag{2}$$

which become 0 for $x = m^2$. Thus, if we construct the polynomial $P_3(x) = P_2(x) \bmod P_1(x)$, we get a linear relation for which $m^2$ is the root.
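The reduction above, carried through numerically as an added example (not code from the report or from Meyer and Müller). The function names, the symbol `lam` for the square root of 2 modulo $n$, and the toy values $n = 7 \cdot 23$, $m = 5$, $a = 3$ are assumptions constructed for illustration.

```python
# Added illustration; n = 7 * 23, m = 5 and a = 3 are constructed toy values.

def sqrt2_mod_n(p, q):
    """Return lam with lam^2 = 2 (mod p*q), for primes p, q = 7 (mod 8)."""
    if p % 8 != 7 or q % 8 != 7:
        raise ValueError("need p, q = 7 (mod 8) so that 2 is a square")
    sp = pow(2, (p + 1) // 4, p)          # root of 2 mod p (p = 3 mod 4)
    sq = pow(2, (q + 1) // 4, q)          # root of 2 mod q
    # Chinese remainder theorem: lam = sp (mod p), lam = sq (mod q)
    return (sp * q * pow(q, -1, p) + sq * p * pow(p, -1, q)) % (p * q)

def encrypt(m, a, p, q):
    """Steps 1-3 of Section 1.1: return b and Q = 2P as (b, Qx, Qy)."""
    n = p * q
    lam = sqrt2_mod_n(p, q)
    x, y = pow(m, 2, n), lam * pow(m, 3, n) % n    # P = (m^2, lam*m^3)
    b = (pow(m, 6, n) - a * x) % n                 # puts P on E_n(a, b)
    s = (3 * x * x + a) * pow(2 * y, -1, n) % n    # tangent slope at P
    qx = (s * s - 2 * x) % n
    qy = (s * (x - qx) - y) % n
    return b, qx, qy

def recover_m_squared(n, a, b, qx):
    """Section 1.2: root of P3 = P2 mod P1, from public values only."""
    c1 = (7 * b + 8 * a * qx) % n          # P1 = a x^2 + c1 x + c0
    c0 = (8 * qx * b - a * a) % n
    inv_a = pow(a, -1, n)                  # ValueError if gcd(a, n) > 1
    u, v = c1 * inv_a % n, c0 * inv_a % n  # monic form x^2 + u x + v
    # Reduce P2 = x^3 - a x - b using x^2 = -u x - v:
    #   x^3 = (u^2 - v) x + u v, so P3 = (u^2 - v - a) x + (u v - b)
    lin = (u * u - v - a) % n
    const = (u * v - b) % n
    return -const * pow(lin, -1, n) % n    # the root of P3, i.e. m^2 mod n

if __name__ == "__main__":
    p, q, m, a = 7, 23, 5, 3
    b, qx, qy = encrypt(m, a, p, q)
    print("public:", p * q, a, b, qx)
    print("recovered m^2:", recover_m_squared(p * q, a, b, qx))
```

`recover_m_squared` never uses $p$, $q$ or `lam`; what remains for the legitimate receiver is exactly a modular square root, which is the Williams setting.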

2 Conclusion
Since the knowledge of $Q$ and the elliptic curve $E_n(a, b)$ makes it easy to compute $m^2 \pmod n$, we find again the result of [6]. In his paper, Williams transforms the message $m$, in a known way, to ensure that Bob computes the desired square root. In [1], Meyer and Müller impose that $P$ is on the elliptic curve $E_n(a, b)$. Thus, the decryption process may be simplified as follows:

1. Compute $s_1$ and $s_2$, the square roots of $m^2$ modulo $p$ and modulo $q$, respectively.
2. With the Chinese remainder theorem, construct the square root of $m^2$ (modulo $n$) from $s_1$ and $s_2$.
3. Check whether $P = (m^2, \lambda m^3)$ is on the curve. If yes, then $m$ is the original message; otherwise, change the sign of $s_1$ and/or $s_2$ and go to step 2.

Furthermore, the equivalence of the cryptosystem with factorization follows immediately from [6].


References

[1] Bernd Meyer and Volker Müller. A public key cryptosystem based on elliptic curves over $\mathbb{Z}/n\mathbb{Z}$ equivalent to factoring. To appear in Eurocrypt '96, preprint.

[2] Louis Guillou and Jean-Jacques Quisquater. Efficient digital public-key signatures with shadow. Crypto '87, Lecture Notes in Computer Science, Vol. 293, Springer-Verlag, 1988.

[3] Louis Guillou, Jean-Jacques Quisquater, et al. Information technology - Security techniques - Digital signature scheme giving message recovery. ISO/IEC 9796, 1991.

[4] Michael O. Rabin. Digitalized signatures and public-key functions as intractable as factorization. Technical report MIT/LCS/TR-212, Laboratory for Computer Science, MIT, January 1979.

[5] R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Comm. ACM, Vol. 21, 1978.

[6] H. C. Williams. A modification of the RSA public-key encryption procedure. IEEE Transactions on Information Theory, Vol. IT-26, No. 6, pp. 726-729, November 1980.