
UCL Crypto Group Technical Report Series

Efficient computation of full Lucas sequences

Marc Joye and Jean-Jacques Quisquater

http://www.dice.ucl.ac.be/crypto/

Technical Report CG-1996/3

Place du Levant, 3, B-1348 Louvain-la-Neuve, Belgium. Phone: (+32) 10 472541. Fax: (+32) 10 478667

Efficient computation of full Lucas sequences

Marc Joye 1) and Jean-Jacques Quisquater 2)

January 29, 1995

1) Department of Mathematics (AGEL), University of Louvain, Chemin du Cyclotron, 2, B-1348 Louvain-la-Neuve, Belgium. E-mail: joye@agel.ucl.ac.be
2) Department of Electrical Engineering (DICE), University of Louvain, Place du Levant, 3, B-1348 Louvain-la-Neuve, Belgium. E-mail: jjq@dice.ucl.ac.be

Abstract. Recently, Yen and Laih [1] proposed an algorithm to quickly compute LUC digital signatures. This signature is based on a special type of the Lucas sequence $V_k$. In this paper, we shall generalize their method to any type of Lucas sequence, and we shall extend it to the 'sister' Lucas sequence $U_k$. As an application, we shall quickly compute the order of an elliptic curve over $GF(2^m)$.

1 Basic facts

In this section, we shall only include the minimal amount of background necessary to understand the article. For a systematic treatment, see the references [2, 3]. Let $P$ and $Q$ be two rational integers, and let $\alpha$ be a root of $x^2 - Px + Q = 0$ in the field $\mathbb{Q}(\sqrt{D})$, where $D = P^2 - 4Q$ is a non-square. Let $\beta$ be the conjugate of $\alpha$, i.e. $\beta = \bar{\alpha}$. The Lucas sequences $\{U_k\}_{k \ge 0}$ and $\{V_k\}_{k \ge 0}$ with parameters $P$ and $Q$ are given by

$$U_k(P, Q) = \frac{\alpha^k - \beta^k}{\alpha - \beta}, \qquad (1)$$

$$V_k(P, Q) = \alpha^k + \beta^k. \qquad (2)$$

It can easily be shown that the numbers $U_i$ and $V_i$ satisfy the following relations:

$$U_{i+j} = U_i V_j - Q^j U_{i-j}, \qquad (3)$$

$$V_{i+j} = V_i V_j - Q^j V_{i-j}. \qquad (4)$$

2 Fast algorithm for Lucas sequences

Assume you have to compute $U_k(P, Q)$ and $V_k(P, Q)$. If we use the binary expansion of $k$, it can be expressed as $k = K_0$, where

$$K_j = \sum_{i=j}^{n-1} k_i 2^{i-j}, \qquad k_i \in \{0, 1\} \text{ and } k_{n-1} = 1.$$

Hence,

$$K_j = k_j + 2K_{j+1} = (K_{j+1} + k_j) + K_{j+1}. \qquad (5)$$

Using the equations (3) and (4), we obtain

$$U_{K_j} = U_{K_{j+1} + k_j} V_{K_{j+1}} - Q^{K_{j+1}} U_{k_j}, \qquad (6)$$

$$V_{K_j} = V_{K_{j+1} + k_j} V_{K_{j+1}} - Q^{K_{j+1}} V_{k_j}. \qquad (7)$$

At iteration $j$, let $(l_j, h_j) = (K_j, K_j + 1)$. By relation (7), we see obviously that both $V_{l_j}$ and $V_{h_j}$ are needed to compute $V_{l_{j-1}}$, and so to compute $V_k$. This is not the case for $U_k$, as we shall see in the following theorem.

Theorem 1. If $k$ is odd, then the computation of $U_k$ does not require the computation of $U_{l_j}$ ($j \ge 1$).

Proof. Since $k$ is odd (i.e. $k_0 = 1$), $U_k\ (= U_{l_0}) = U_{h_1} V_{l_1} - Q^{l_1}$. Thus, only the value of $U_{h_1}$ is needed. We only need to show that the value of $U_{h_{j-1}}$ can be derived from $U_{h_j}$. By (5) and depending on the value of $k_{j-1}$, we have the following cases:

if $k_{j-1} = 0$, then $(l_{j-1}, h_{j-1}) = (2l_j, l_j + h_j)$;
if $k_{j-1} = 1$, then $(l_{j-1}, h_{j-1}) = (l_j + h_j, 2h_j)$.

Hence, if $k_{j-1} = 0$, then $h_{j-1}\ (= h_j + l_j = 2l_j + 1)$ is odd and $U_{h_{j-1}} = U_{h_j} V_{l_j} - Q^{l_j}$; otherwise, $h_{j-1}\ (= 2h_j)$ is even and $U_{h_{j-1}} = U_{h_j} V_{h_j}$.

We are now ready to give the algorithm, which we shall extend to the case where $k$ is even.

Remarks. 1) The presented algorithm is a left-to-right scanning one. Similar to [1], it is also possible to develop a right-to-left scanning algorithm, but that requires more temporary memories. 2) An implementation with Pari-GP [4] is available at ftp://math.math.ucl.ac.be/pub/joye/pari/lucas2.gp.



Figure 1: Algorithm to compute $(U_k, V_k)$. Inputs: $k = 2^s \sum_i k_i 2^{i-s}$ (with $k_s = 1$), $P$, $Q$. Outputs: $U_k$, $V_k$. [The pseudocode of the figure is not reproduced in this copy.]
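The following Python implementation is an added example, not the report's own code nor its Pari-GP script. It carries out the left-to-right scan of Section 2: the pair $(l, h) = (K_j, K_j + 1)$ is tracked through $V_l$, $V_h$, $U_h$ and the powers $Q^l$, $Q^h$, $U_l$ is never stored (Theorem 1), and the factor $2^s$ of an even $k$ is handled by $s$ doublings at the end. The function names, the optional modulus argument `n` and the naive cross-check are this example's own choices.

```python
# Added example (not the report's code): left-to-right computation of
# (U_k, V_k) following Section 2 of the report.  Function names and the
# optional modulus are this example's own assumptions.

def lucas_uv(k, P, Q, n=None):
    """Return (U_k(P, Q), V_k(P, Q)); if n is given, both are reduced mod n."""
    if k < 0:
        raise ValueError("k must be non-negative")
    red = (lambda x: x % n) if n is not None else (lambda x: x)
    P = red(P)
    if k == 0:
        return 0, red(2)
    # Write k = 2^s * k' with k' odd (k' is K_s with k_s = 1 in the report).
    s = 0
    while k % 2 == 0:
        k //= 2
        s += 1
    bits = bin(k)[2:]                  # binary digits of k', most significant first
    # Start from (l, h) = (0, 1): V_0 = 2, V_1 = P, U_1 = 1, Q^0 = 1, Q^1 = Q.
    Vl, Vh, Uh, Ql, Qh = red(2), P, 1, 1, red(Q)
    for b in bits[:-1]:                # all bits but the last (the last is 1)
        if b == '0':                   # (l, h) <- (2l, l + h)
            Uh = red(Uh * Vl - Ql)     # U_{l+h} = U_h V_l - Q^l U_1
            Vh = red(Vl * Vh - P * Ql) # V_{l+h} = V_l V_h - Q^l V_1
            Vl = red(Vl * Vl - 2 * Ql) # V_{2l}  = V_l^2 - 2 Q^l
            Qh = red(Ql * Qh)          # Q^{l+h}
            Ql = red(Ql * Ql)          # Q^{2l}
        else:                          # (l, h) <- (l + h, 2h)
            Uh = red(Uh * Vh)          # U_{2h}  = U_h V_h
            Vl = red(Vl * Vh - P * Ql) # V_{l+h} = V_l V_h - Q^l V_1
            Vh = red(Vh * Vh - 2 * Qh) # V_{2h}  = V_h^2 - 2 Q^h
            Ql = red(Ql * Qh)          # Q^{l+h}
            Qh = red(Qh * Qh)          # Q^{2h}
    # Last bit of k' is 1, so k' = l + h = 2l + 1 and, by Theorem 1,
    # U_{k'} = U_h V_l - Q^l needs U_h only, never U_l.
    U = red(Uh * Vl - Ql)
    V = red(Vl * Vh - P * Ql)
    Qk = red(Ql * Qh)                  # Q^{k'}
    # Even part: s doublings with U_{2i} = U_i V_i and V_{2i} = V_i^2 - 2 Q^i.
    for _ in range(s):
        U = red(U * V)
        V = red(V * V - 2 * Qk)
        Qk = red(Qk * Qk)
    return U, V

def lucas_uv_naive(k, P, Q):
    """Reference values from U_{i+1} = P U_i - Q U_{i-1} (same for V); O(k) steps."""
    u0, u1, v0, v1 = 0, 1, 2, P
    for _ in range(k):
        u0, u1 = u1, P * u1 - Q * u0
        v0, v1 = v1, P * v1 - Q * v0
    return u0, v0

def self_check(limit=64):
    """True if the ladder agrees with the naive recurrence for 0 <= k < limit."""
    return all(lucas_uv(k, 1, -1) == lucas_uv_naive(k, 1, -1)
               and lucas_uv(k, 3, 2) == lucas_uv_naive(k, 3, 2)
               for k in range(limit))

if __name__ == "__main__":
    print(lucas_uv(10, 1, -1))   # (55, 123): Fibonacci F_10 and Lucas number L_10
    print(lucas_uv(20, 3, 2))    # (1048575, 1048577): 2^20 - 1 and 2^20 + 1
    print(self_check())
```

With parameters $(P, Q) = (1, -1)$ the sequences are the Fibonacci and Lucas numbers, and with $(3, 2)$ the roots are $2$ and $1$, so $U_k = 2^k - 1$ and $V_k = 2^k + 1$; both make convenient checks. Passing `n` reduces every intermediate value, which is the setting of Remark 2 in Section 3.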

3 Performances

The worst case of the algorithm appears when $s = 0$. Assume $s = 0$; then the computation of $U_k$ and $V_k$ requires $\frac{11}{2} n$ multiplications. Furthermore, only five temporary memories (with the same length as the output) are needed. If we only want the value of $V_k$, the algorithm is the same as presented in Figure 1, except that we do not care about the $U_h$'s. Thus, the computation of $V_k$ requires $\frac{9}{2} n$ multiplications in the worst case with only four temporary memories.

Remarks. 1) Some applications use Lucas sequences with parameter $Q = 1$. In that case, the computation of $U_k$ and $V_k$ requires less than $3n$ multiplications with three temporary memories. 2) If we want $U_k$ and $V_k$ modulo a number, the computation can be improved using the technique of the common-multiplicand [5]. 3) Moreover, due to the high regularity of the algorithm, it can be parallelized.

4 Applications

Lucas sequences have numerous applications in number theory. For example, the divisibility properties of the $U_k$'s (see [3, pp. 54-59]) allow one to test the primality of a number $N$ for which the factorization of $N + 1$ is partially given. It is also possible to develop efficient (pseudo) primality tests [6]. In this paper, we shall see a less-known application.

In 1985, the theory of elliptic curves emerged for cryptographic purposes. Since many cryptographic protocols [7, 8] require the knowledge of the order of an elliptic curve over $GF(2^m)$, i.e. $\#E(GF(2^m))$, we shall see how it can be computed using Lucas sequences.

Let $p$ be a prime and $q = p^r$. Consider the elliptic curve $E/GF(q)$ such that $E(GF(q))$ has order $\#E(GF(q)) = q + 1 - t$. Using the Weil theorem, we have

$$\#E(GF(q^l)) = q^l + 1 - \alpha^l - \beta^l, \qquad (8)$$

where $\alpha$ and $\beta$ are given from the factorization of $1 - tT + qT^2 = (1 - \alpha T)(1 - \beta T)$. Let $E/GF(2^r)$ be the non-supersingular elliptic curve given by the Weierstraß equation

$$E : y^2 + xy = x^3 + a_2 x^2 + a_6.$$

Assume $r$ is small, so $t = 2^r + 1 - \#E(GF(2^r))$ can be computed by exhaustion. Moreover, if $m$ is a multiple of $l$, then the curve $E$ can be viewed as an elliptic curve over $GF(2^m)$. Hence, if we put $l = m/r$, then by (8)

$$\#E(GF(2^m)) = 2^m + 1 - V_l(t, 2^r),$$

where $V_l(t, 2^r)$ is the $l$-th term of the Lucas sequence $\{V_k\}$ with parameters $P = t$ and $Q = 2^r$.
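The procedure of this section, run end to end in Python as an added example (not from the report): a curve over a small field $GF(2^r)$ is counted by exhaustion, $t = 2^r + 1 - \#E(GF(2^r))$ is formed, and $\#E(GF(2^m)) = 2^m + 1 - V_l(t, 2^r)$ with $l = m/r$ is compared against a direct count over $GF(2^m)$. The curve $y^2 + xy = x^3 + 1$, the field polynomials, and all function names are this example's constructed choices; $V_l$ is obtained here from the two-term recurrence that relation (4) gives for $j = 1$, rather than from the ladder of Section 2.

```python
# Added example (not the report's code): #E(GF(2^m)) from #E(GF(2^r)) via the
# Lucas sequence V_l(t, 2^r), checked against exhaustive counting.  The curve,
# field polynomials and function names are constructed for this example.

def gf2n_mul(a, b, mod_poly, n):
    """Multiply in GF(2^n) = GF(2)[x]/(mod_poly); elements are n-bit integers."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:            # degree reached n: reduce by the modulus polynomial
            a ^= mod_poly
    return r

def count_points(a2, a6, mod_poly, n):
    """#E(GF(2^n)) for E: y^2 + xy = x^3 + a2 x^2 + a6, by exhaustion over (x, y)."""
    mul = lambda u, v: gf2n_mul(u, v, mod_poly, n)
    count = 1                                   # the point at infinity
    for x in range(1 << n):
        x2 = mul(x, x)
        rhs = mul(x2, x) ^ mul(a2, x2) ^ a6
        for y in range(1 << n):
            if mul(y, y) ^ mul(x, y) == rhs:
                count += 1
    return count

def lucas_v(l, P, Q):
    """V_l(P, Q) from V_0 = 2, V_1 = P and V_{i+1} = P V_i - Q V_{i-1}
    (relation (4) of the report with j = 1)."""
    if l == 0:
        return 2
    v_prev, v = 2, P
    for _ in range(l - 1):
        v_prev, v = v, P * v - Q * v_prev
    return v

def order_via_weil(t, r, m):
    """#E(GF(2^m)) = 2^m + 1 - V_l(t, 2^r), l = m / r, where t = 2^r + 1 - #E(GF(2^r))."""
    if m % r:
        raise ValueError("m must be a multiple of r")
    return 2 ** m + 1 - lucas_v(m // r, t, 2 ** r)

# Constructed sample: E: y^2 + xy = x^3 + 1 (a2 = 0, a6 = 1).  The coefficients
# lie in GF(2), so the same curve is defined over every GF(2^n) regardless of
# which irreducible polynomial represents the field.
A2, A6 = 0, 1
R, MOD_R = 2, 0b111        # GF(4)   = GF(2)[x]/(x^2 + x + 1)
M, MOD_M = 8, 0x11b        # GF(256) = GF(2)[x]/(x^8 + x^4 + x^3 + x + 1)

def demo():
    """Return (#E(GF(4)), t, predicted #E(GF(256)), exhaustively counted #E(GF(256)))."""
    n_r = count_points(A2, A6, MOD_R, R)        # small field: exhaustion is cheap
    t = 2 ** R + 1 - n_r                        # trace of Frobenius over GF(2^r)
    predicted = order_via_weil(t, R, M)         # Lucas sequence, l = 8 / 2 = 4
    direct = count_points(A2, A6, MOD_M, M)     # 65536 candidate pairs, as a check
    return n_r, t, predicted, direct

if __name__ == "__main__":
    print(demo())                               # (8, -3, 288, 288)
```

The trace $t = -3$ is odd, as it must be for a non-supersingular binary curve, and the Hasse bound $|t| \le 2\sqrt{q}$ holds at both field sizes. The exhaustive count over $GF(2^8)$ is only there to confirm the Lucas-sequence value; for the field sizes used in practice, the whole point of the method is that the exhaustion happens once over the small field $GF(2^r)$.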

5 Acknowledgments

The authors are grateful to Daniel Bleichenbacher and to Richard Pinch for providing useful information about Lucas-based cryptosystems.

References

[1] Yen, S.-M., and Laih, C.-S.: 'Fast algorithms for LUC digital signature computation', IEE Proc.-Comput. Digit. Tech., 1995, 142, (2), pp. 165-169
[2] Riesel, H.: 'Prime numbers and computer methods for factorization', in 'Progress in Mathematics' (Birkhäuser, 1985), Vol. 57
[3] Ribenboim, P.: 'The little book of big primes' (Springer, 1991)
[4] Batut, C., Bernardi, D., Cohen, H., and Olivier, M.: 'User's guide to PARI-GP', January 1995
[5] Yen, S.-M., and Laih, C.-S.: 'Common-multiplicand multiplication and its applications to public key cryptography', Electron. Lett., 1993, 29, (17), pp. 1583-1584
[6] Pomerance, C., Selfridge, J.L., and Wagstaff, S.S., Jr.: 'The pseudoprimes to $25 \cdot 10^9$', Math. of Comp., 1980, 35, (151), pp. 1003-1026
[7] Menezes, A.J.: 'Elliptic curve public key cryptosystems' (Kluwer Academic Publishers, 1993)
[8] Menezes, A., Qu, M., and Vanstone, S.: 'Draft of IEEE P1363, chapter 6', November 1995
