Anonymous Multi-Receiver Public Key Encryption Based on Lucas Sequences

Multi-receiver encryption enables a sender to encrypt a message and transmit the ciphertext to a set of authorized users, while no one outside this group of authorized users can decrypt the message. Multi-receiver encryption is of great importance in many sectors such as broadcast communication, cloud computing, wireless communications, networking applications, e-voting, lottery, and medical applications. This paper proposes an efficient multi-receiver public key encryption scheme based on Lucas sequences. The results of the computational analysis show that the proposed scheme is better against well-known attacks and prevailing anonymous multi-receiver algorithms.


Introduction
The goal of multi-receiver encryption is to securely transmit any message to all authorized receivers via insecure channels. Several multi-receiver encryption schemes based on different techniques have been proposed in the literature [18,7,1,14,19,21,4,9,11].
Smith and Lennon [17] were the first to introduce linear sequences in cryptography, in 1993. They suggested that second order linear sequences could be used instead of the standard exponentiation used in RSA. Two years later, Chi-Sung et al. showed that the security of Lucas functions is polynomial-time equivalent to the generalized discrete logarithm problems [2]. In 2012, El Fadil proposed a cryptosystem based on second order linear sequences in which semantic security is ensured [10]. Moreover, as linear sequences are not multiplicative, the main advantage of Lucas cryptosystems is that they are not formulated in terms of exponentiation.
This would make them invulnerable to various well-known attacks that threaten the security of more traditional cryptosystems like RSA and Diffie-Hellman [5]. However, many current networking applications involve multiple receivers, and one-to-one encryption is not appropriate for such applications. The main motivation for multiple receivers is to secure the group communications that are gaining popularity in different domains.
In this paper, we propose a novel multi-receiver public key encryption scheme based on Lucas sequences. The analysis results show that our approach is more efficient and satisfies anonymity of receivers as compared to existing schemes. Section 2 consists of a brief description of second order linear sequences ("Lucas sequences") and their cryptographic properties. After that, we present a new approach in Section 3 with security and computation analysis. Finally, we give our conclusion in Section 4.

2 Second order linear sequences ("Lucas sequences")
In this section, the main cryptographic properties of Lucas sequences are studied. A computational method to evaluate the $k$-th term is given, together with an analysis of its computational cost.
Throughout this section:
• $p$ is a prime integer.
• $\mathbb{F}_p = \mathbb{Z}/p\mathbb{Z}$ is the finite field of $p$ elements.
• $\alpha = X$ is the class of $X$ modulo the principal ideal of $\mathbb{F}_p[X]$ generated by $f(X)$.
• For every $x \in A$, $l_x$ is the linear map of $A$ defined by $l_x(y) = xy$.
• $T(x) = \mathrm{Tr}(l_x)$ is the trace of $x$, where $\mathrm{Tr}(l_x)$ is the trace of the linear map $l_x$.
• $N(x) = \det(l_x)$ is the norm of $x$, where $\det(l_x)$ is the determinant of the linear map $l_x$.
• Define the sequence $s(a)$ as follows: for every integer $k \in \mathbb{Z}$, $s_k(a) = T(\alpha^k)$. (1)
Remark 2.1 Since $f(\alpha) = 0$ and the trace map is linear, it follows that $s_{k+2}(a) \equiv a\,s_{k+1}(a) - s_k(a) \pmod{p}$. So, $s(a)$ is a second order linear sequence (Lucas sequence), called the characteristic sequence generated by $a$.
Remark 2.2 Let $l_k$ be the endomorphism of $A$ defined by : $M_k$ its matrix with respect to the basis $(1, \alpha)$.

Cryptographic properties
The cryptographic applications of Lucas sequences are listed in [16,15]. To make this concept easy for the reader, we present some of these results in a more accessible form and without proofs.
1. For every integer $k$, $s_k(a) \equiv \alpha^k + \alpha^{-k} \pmod{p}$ and $s_k(a) \equiv s_{-k}(a) \pmod{p}$.
2. For all integers $k$ and $e$, $s_e(s_k(a)) \equiv s_{ke}(a) \pmod{p}$.
3. Let $a \in \mathbb{Z}$ such that $p$ does not divide $a^2 - 4$.
If $f(X)$ is a primitive polynomial over $p$, then $\pi = p + 1$ is the period of $s(a)$. More general Thus the period $\pi$ of $s(a)$ Therefore : If $f(X)$ is a primitive polynomial modulo $p$, then $\alpha$ generates the multiplicative group $(A^*, \cdot)$ with cardinal order $p^2 - 1$ and $\pi$ is exactly $\pi = p + 1$.
Corollary 2.3 For every integer $e$ such that $\gcd(e, \pi) = 1$, where the gcd is the greatest common divisor, the map : is a one-to-one correspondence.
Proof: Indeed, since $\gcd(e, \pi) = 1$, we can use the Euclidean algorithm to calculate the inverse $d$ of $e$ modulo $\pi$. That means there exists an integer $k$ such that $de = 1 + k\pi$. Hence : So, assume that

Computation Method and analysis
Lemma 2.5 For every integer $n$, set $s_n := s_n(a) \pmod{p}$. Then Let $n$ and $m$ be two integers. Therefore, In particular, we have i) and ii).
Let $k = 2^r m$, where $m$ is an odd integer. To compute $s_k$, first we compute $s_m$, then $s_{2m}$ : Then to compute $s_k$, we need $r$ multiplications modulo $p$ and we need $s_m$.
For $0 \le i < l - 1$ and assume that, $s_{f_{i-1}}$ and $s_{f_{i-1}+1}$ are computed. Then Computation Algorithm. This method warrants that $s_k$ can be computed in about the same length of time as the $k$-th power is computed in the RSA method. But in the computation of $s_m$, having to compute two numbers at each stage does slow the computation down a little, but there are optimizations in the calculation which mean that the total amount of computation is only about half less than the amount needed for the RSA system. Therefore, to compute $s_k(a)$, the total number of multiplications modulo $p$ is $\log_2(k)$.

Main results
In this section we describe some applications of Lucas sequences in more detail: the Lucas multi-receiver encryption scheme and the Lucas Diffie-Hellman key exchange extended to a group of communications. Throughout this section, $n = pq$ is an RSA integer, $a \in \mathbb{Z}$ is such that $\gcd(n, a) = 1$, $(s_n)_n$ is the Lucas sequence generated by $f = x^2 - ax + 1$, and $f$ is a primitive polynomial over $\mathbb{F}_p$ and $\mathbb{F}_q$.

Multi-receiver encryption scheme
In this section, we propose a multi-receiver encryption scheme based on Lucas sequences and the Chinese Remainder Theorem. Our scheme consists of two procedures: an encryption procedure and a decryption procedure.

Keys generation :
First, assume that there are $r + 1$ users. Any user selects $s \le r$ authorized receivers $u_1, \dots, u_s$ such that each one has one public key pair $(n_i, e_i)$, where every $n_i = p_i q_i$ is an RSA integer, $e_i$ is coprime to $(p_i \mp 1)(q_i \mp 1)$ and $n_1, \dots, n_r, n_{r+1}$ are pairwise coprime.

Encryption procedure :
A sender uses all $s$ receivers' public keys to encrypt the message and then broadcasts the ciphertext to the $s$ authorized receivers as follows :
(a) Assume that he needs to send a message $0 < m < N$ to the $s$ legitimate receivers, where $N$ is the minimum of all $n_i$.
(c) He uses the Chinese Remainder Theorem to calculate the integer $c$ such that for every $i = 1, \dots, s$, $c \equiv c_i \pmod{n_i}$.
(d) Then he broadcasts the ciphertext $c$ to the $s$ receivers.

Decryption procedure :
When an authorized receiver $i$ receives the ciphertext $c$, he will compute his private key $d_i$ as follows : the inverse of $e_i$ modulo π = (p i − pi )(q i − qi ).
(c) Finally, he calculates $m \equiv s_{d_i}(c_i) \pmod{n_i}$.
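The scheme above run end to end on toy parameters, as an added example that is not code from the paper. Assumptions: the missing step (b) is taken to be $c_i \equiv s_{e_i}(m) \pmod{n_i}$, which is what the proof of the scheme uses; the garbled terms in π are taken to be the Legendre symbols of $c_i^2 - 4$ modulo $p_i$ and $q_i$, as in the standard LUC cryptosystem; all function names, primes and exponents are constructed for illustration.

```python
from math import prod

def lucas_v(k, a, n):
    """s_k(a) mod n, where s_0 = 2, s_1 = a, s_{j+2} = a*s_{j+1} - s_j."""
    lo, hi = 2 % n, a % n                      # (s_j, s_{j+1}) with j = 0
    for bit in bin(k)[2:]:                     # binary ladder, MSB first
        mid = (lo * hi - a) % n                # s_{2j+1} = s_j*s_{j+1} - a
        if bit == "1":
            lo, hi = mid, (hi * hi - 2) % n    # j -> 2j + 1
        else:
            lo, hi = (lo * lo - 2) % n, mid    # j -> 2j
    return lo

def legendre(x, p):
    """Legendre symbol (x/p) for an odd prime p: returns 1, -1 or 0."""
    r = pow(x % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def encrypt(m, public_keys):
    """public_keys: list of (n_i, e_i). Returns the single broadcast value c."""
    moduli = [n for n, _ in public_keys]
    if not 0 < m < min(moduli):
        raise ValueError("message must satisfy 0 < m < min(n_i)")
    big_n = prod(moduli)
    c = 0
    for n, e in public_keys:
        c_i = lucas_v(e, m, n)                 # assumed step (b)
        m_i = big_n // n                       # M_i, divisible by every n_j, j != i
        c += c_i * m_i * pow(m_i, -1, n)       # y_i = M_i^{-1} mod n_i
    return c % big_n                           # c = c_i (mod n_i) for every i

def decrypt(c, p, q, e):
    """Receiver side: the private exponent depends on the ciphertext residue."""
    n = p * q
    c_i = c % n
    disc = c_i * c_i - 4
    period = (p - legendre(disc, p)) * (q - legendre(disc, q))  # assumed form of pi
    d = pow(e, -1, period)
    return lucas_v(d, c_i, n)

# Constructed toy receivers (p_i, q_i, e_i); each e_i is coprime to (p_i -+ 1)(q_i -+ 1).
RECEIVERS = [(101, 113, 11), (103, 107, 5), (109, 127, 13)]

def demo(m=2024):
    pubs = [(p * q, e) for p, q, e in RECEIVERS]
    c = encrypt(m, pubs)
    return c, [decrypt(c, p, q, e) for p, q, e in RECEIVERS]
```

Each receiver reduces the same broadcast value modulo its own $n_i$, so the ciphertext carries no per-receiver header; its size, however, grows with the product of all $n_i$.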
Proof : Encryption : Indeed, in order to calculate the ciphertext $c$, for every $i = 1$ As $y_i M_i \equiv 1 \pmod{n_i}$ and for every $j \ne i$, $y_i M_i \equiv 0 \pmod{n_j}$ (since $n_j$ divides $M_i$), for every $i = 1, \dots, s$, $c \equiv c_i \pmod{n_i}$.
Decryption : For the decryption phase, as $c_i \equiv s_{e_i}(m) \pmod{n_i}$ and $\gcd(e, \pi) = 1$, Thus,
Analysis : Now, we will discuss security, computation cost and the anonymity of receivers of the proposed scheme. Anonymity means that the identities of receivers can be protected. We will compare the computation cost of our scheme and other existing schemes.

Security
Since this scheme uses the "LUC" cryptosystem, the security of the scheme is the same as that of the monocast "LUC" cryptosystem. Namely, if Oscar wants to decrypt the encrypted message $c$, first of all he needs to break the LUC cryptosystem, which is cryptographically equivalent to the security of RSA [17,2].

Anonymity of Receivers
When a sender broadcasts the ciphertext, nobody in the group except the sender knows who is at the receiving end.

Diffie-Hellman key exchange extended to a group of communication
The standard Diffie-Hellman key exchange was first proposed in 1976 [20]. After that there have been efforts to extend its simplicity to a group setting. The main motivating factor is the increasing popularity of various types of group applications and the need to run them securely. Since key distribution is the cornerstone of secure group communication, it has naturally received a lot of attention. Notable solutions have been proposed, but some of them are only of theoretical interest, while the security of some others remains unproven (see for example [12,8,3,13]). In this paper, a natural extension of the Diffie-Hellman key exchange, based on Lucas sequences, is proposed; see Figure 1.
Let $n = pq$ be an RSA integer and $a$ be an integer such that $X^2 - aX + 1$ is a primitive polynomial modulo $p$ and modulo $q$ too. Assume that $r$ users $u_1, \dots, u_r$, who have access to the public key data $(n, a)$ and each of whom has his private key $x_i$, want to agree on a shared secret key. Then : The first user $u_1$ makes public y

Lemma 2 . 4 4 p= c 2 = 1 , then c 2 − 4 p= 1
Let e ∈ N such that gcd(e, π) = 1 and let c = s e (a). Then p does not divide c 2 − 4 if and only if p does not divide a 2 − 4 and a 2 −a ≡ s d (c) (mod p), where d is the inverse of e modulo π, it suffices to show that if a 2 −4 p too.

4 .
for i from 0 to l − 1 do 5. if (a) First he calculates c i ≡ c (mod n i ), pi = He calculates his private key d i :
, • • • , s, the sender will calculate j , y i its inverse modulo n i and c = n

Table 1: Comparison results among different schemes.