On integer sequences in cryptography

2.3.1 Sequence

Symbolically a n n ∈ N denotes a sequence whose nth element is given by the variable a _n . For example:

For the above, we can define a sequence of integers as:

1. Explicit formula for its nth term. For example, the sequence 0, 3, 8, 15, … is formed according to the formula n ² − 1 for the nth term.

2. Relationship between its terms. For example, the sequence 0, 1, 1, 2, 3, 5, 8, 13, … (Fibonacci sequence – OEIS: A000045) is formed by starting with 0 and 1 and then adding any two consecutive terms to obtain the next one.

3. Alternatively, an integer sequence may be defined by a property that members of the sequence possess and that other integers do not possess. For example, we can determine whether a given integer is a perfect number, even though we do not have a formula for the nth perfect number.

Subsequences. Subsequences are sequences formed from the given sequence by deleting some of the elements without disturbing the relative positions of the remaining elements. For example, the sequence of even positive integers (2, 4, 6, …) is a subsequence of positive integers (1, 2, 3, …). In the case of deletion of some elements, the positions of those elements change. However, the relative positions are preserved.

In formal terms, a subsequence of the sequence a n n ∈ N is any sequence of the form a n k k ∈ N , where n k k ∈ N is a strictly increasing sequence of positive integers.

2.3.2 Recurrence relation

2.3.3 Linear recurrence

Suppose that we have a function ϕ : N → R . Setting a _n  = ϕ(n) for all n ∈ N , we term the set a n n ∈ N a sequence. Assuming that we know a ₁, …, a _k and for n > k, we define a n = f a n − 1 , … , a n − k for some function f : R k → R . We say that a n n ∈ N is a recursively defined sequence given by the recurrence relation a n = f a n − 1 , … , a n − k .

We say a recurrence relation is linear if f is a linear function or in other words:

where s i ∈ R and g ( n ) ∈ R for all n [6]. Moreover, a linear recurrence relation is said to be homogeneous if g(n) = 0, and non-homogeneous if g(n) ≠ 0.

2.3.4 Recurrence equation

When formulated as an equation to be solved, recurrence relations are known as recurrence equations or sometimes difference equations (i.e. a recurrence equation is the discrete analogue of a differential equation).

If g(n) = 0 for all n, the recurrence equation is called homogeneous; otherwise, it is called non-homogeneous.

The sequence (x _n ) is said to satisfy the recurrence equation if the equality above holds for all n ≥ 0, given initial conditions x 0 , x 1 , … , x k − 1 ∈ Z .

A sequence that satisfies a linear recurrence equation with constant coefficients and integer initial values is called a linear recurrence sequence.

If the recurrence relation is associated with a characteristic polynomial of the form:

where α i ∈ C \ { 0 } are distinct nonzero roots, then the general term x _n can be expressed as:

where each A _i (n) is a polynomial of degree n _i  − 1 with coefficients in C .

Such a sequence is called a recurrence sequence of order k.

Here, φ and ψ are the two distinct real roots of the characteristic polynomial associated with the recurrence. The formula expresses F _n as a linear combination of powers of these roots, and despite the irrationality of the roots, the result is always an integer for each n ∈ N .

2.3.5 Generating function

When working with sequences and recurrence relations, it is often advantageous to represent the entire sequence in a compact algebraic form. This is achieved through what is known as a generating function, which encodes the terms of a sequence as coefficients in a formal power series. Unlike traditional analytic series, generating functions are treated purely as formal expressions, without regard to issues of convergence. The variable used in the series does not take on a numerical value but instead serves as a placeholder that allows algebraic manipulation of the sequence’s structure.

When the term generating function is used without qualification, it is usually taken to mean an ordinary generating function.

Exponential generating functions are generally more convenient than ordinary generating functions for combinatorial enumeration problems that involve labelled objects.

Example. The sequence 1, 3, 6, 10, 15, … (OEIS: A000217) of triangular numbers are given by the following explicit formulas:

The generating functions of the sequence are:

Generating functions provide a very efficient way to represent sequences.

With the definition of generating functions now established, it becomes feasible to present examples that elucidate homogeneous linear recurrences.

2.3.6 Autocorrelation

Autocorrelation is a measure of the similarity between a sequence and a time-shifted replica of the sequence. Ideally, the autocorrelation function (ACF) should be impulsive, i.e. peak value at zero time shift and zero values at all other time shifts.

Autocorrelation is a mathematical tool used to measure the similarity between a sequence and a shifted version of itself. It plays a fundamental role in the analysis of discrete-time signals, combinatorial sequences, and in the evaluation of pseudorandomness and periodicity.

Let ( a n ) n = 0 N − 1 be a finite sequence of real or complex numbers. The aperiodic autocorrelation function (ACF) of the sequence is defined as:

where a n + k ̄ denotes the complex conjugate of a _n+k . In the real-valued case, the conjugate is simply a _n+k . This quantity represents the degree of similarity between the sequence and a version shifted by k units.

In many contexts, particularly in coding theory and signal design, one seeks sequences with impulsive autocorrelation, meaning:

Such sequences are orthogonal to their shifted versions, which makes them ideal for applications like radar, spread-spectrum communication, and synchronization.

For periodic sequences of length N, the periodic autocorrelation function is given by:

Autocorrelation analysis is also a powerful diagnostic tool for studying structural regularity. For example, low autocorrelation values at non-zero shifts indicate the absence of strong internal patterns or repetitions, a property desirable in pseudorandom and noise-like sequences.

2.3.7 Crosscorrelation

Crosscorrelation is a fundamental operation used to quantify the similarity between two distinct sequences. It extends the concept of autocorrelation to the case where the sequences are not necessarily identical. In applications such as digital communications, radar, and coding theory, crosscorrelation provides a measure of how distinguishable two signals or sequences are when compared under all possible relative shifts.

Let ( a n ) n = 0 N − 1 and ( b n ) n = 0 N − 1 be two sequences of real or complex numbers of the same length N. The aperiodic crosscorrelation function is defined as:

where b n + k ̄ denotes the complex conjugate of b _n+k . This expression represents the inner product of the first sequence with a right-shifted version of the second sequence.

The value CCF _a,b (k) captures the level of alignment between a _n and b _n+k . High absolute values indicate similarity at a given shift, while values near zero suggest orthogonality or lack of correlation at that shift.

For periodic sequences, the periodic crosscorrelation function is defined as:

Ideally, one seeks families of sequences such that the crosscorrelation values are zero (or very small) for all nonzero shifts:

This property is crucial in contexts where multiple signals coexist (such as CDMA systems), since low crosscorrelation minimizes mutual interference and allows for reliable separation of signals.

Sequences with near-zero crosscorrelation are also essential in the design of orthogonal codes, spread-spectrum systems, and pseudorandom number generation, where they contribute to noise resilience and improved signal detectability.

2.3.8 Analysis

Various methodologies can be used to analyse integer sequences [4], 5]. These include using a data compression algorithm, computing the discrete Fourier transform, or seeking a linear recurrence equation that links the terms or a generating function that produces them. Moreover, there exist a substantial number of transformations that establish a connection between different integer sequences. Such transformations include the Euler transform, the exponential transform, the Möbius transform, and others.

3.1.1 Proprieties

As is well known since primary school, by multiplying prime numbers, we can obtain in an essentially unique way each positive integer number. This is the gist of the Fundamental Theorem of Arithmetic, which Euclid already knew and expounded in Book VII of his Elements. Before discussing the Fundamental Theorem of Arithmetic, it is necessary to state the following simple but crucial characterisation of prime numbers.

OEIS. Table 1 lists the first terms of the sequence, which are also available in the OEIS database.

We are now in a position to prove the following.

(The distribution of prime numbers). How many prime numbers are there? Euclid already knew the following theorem, which can be proved in several ways. We give here a completely elementary proof dating back to Euclid himself.

Recurrence relation. A possible formula using a recurrence relation is defined by:

where gcd(x, y) denotes the greatest common divisor of x and y. The sequence of differences a _n+1 − a _n starts with 1, 1, 1, 5, 3, 1, 1, 1, 1, 11, 3, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 23, 3, 1, … (sequence OEIS: A132199). It is proven that this sequence contains only ones and prime numbers [7]. However, it does not contain all the prime numbers, since the terms gcd  n + 1 , a n are always odd and thus never equal to 2. 587 is the smallest prime (other than 2) not appearing in the first 10,000 results that are different from 1.

Nevertheless, it was conjectured that it contains all odd primes, even though it is rather inefficient. It is important to note that there is not a trivial programme that enumerates all and only prime numbers, as well as more efficient ones, so these recurrence relations are more curious than useful.

Functions. The distribution of prime numbers among the natural numbers has been the subject of mathematical inquiry since antiquity. While many aspects of this distribution have been explored, it remains largely unknown and exhibits irregularities that resist simple characterization. Although primes follow a deterministic pattern, their apparent irregular spacing has often been described as resembling randomness, even though the underlying structure is not fully understood. For this reason, functions that generate primes with some regularity have been regarded as heuristically significant in the study of prime numbers.

In order to obtain prime numbers, it is natural to ask for functions f defined for all natural numbers n ≥ 1, which can be calculated in practice and produce some or all prime numbers. Several prime-generating functions can be classified into three classes for this purpose [8]:

1. f(n) = p _n ; (the nth prime) for all n ≥ 1.

2. f(n) is always a prime number, and if n ≠ m, then f(n) ≠ f(m).

3. The set of prime numbers is equal to the set of positive values assumed by the function.

In practice, these functions are generally impossible to compute. For example, both Gandhi’s formula [9]:

where P _n  = p ₁ p ₂…p _n , and Willans’ formula [10]:

satisfy condition (a) but are essentially versions of the sieve of Eratosthenes [11], 12]. Gandhi’s formula depends on properties of the Möbius function μ(d), while Willans’ formula is based on Wilson’s Theorem.

From a theoretical perspective, the functions satisfying (b) are interesting, even though all known members of this class are not practical prime generators. The first example proved the existence of a real number A such that A 3 n is the prime for n ≥ 1 (Mills’ function). The only known way to find an approximation to a suitable A is by working backward from known large primes. Several relatives can be constructed similarly [13].

The peculiar condition (c) is tailored to a class of multivariate polynomials constructed with this property [14], 15]. These results are implementations of primality tests in the language of polynomials, and thus they also cannot be used to generate primes in practise.

3.1.2 Applications to cryptography

Prime numbers play a crucial role in various cryptographic applications due to their unique mathematical properties. Here are some different uses of prime numbers in cryptography:

1. Cryptographic hash functions

   1. Prime numbers contribute to cryptographic hashing algorithms. They are used to create strong and unique hash values that are resistant to collision attacks. For example, SHA-2 is a family of cryptographic hash functions that produce a fixed length output from a variable length input [16]. In particular, SHA-2 uses prime numbers in several ways, to generate the initial values of the internal state, to generate the round constants, to generate the initial values of the truncated variants, to ensure the security of the message padding, which requires that the message length be a multiple of 512 bits.

2. Public-key cryptography

   1. RSA stands as a significant cryptographic algorithm in the realm of securing sensitive information across potentially insecure channels. Introduced by Ron Rivest, Adi Shamir, and Leonard Adleman in 1977, RSA relies on the intricate properties of prime numbers to perform its encryption tasks [17]. At its core, the fundamental premise of RSA is based on the complexity of factoring composite numbers into their prime components. This property sets the stage for its operation.

      RSA’s security hinges on the formidable challenge of factoring the modulus, a semiprime resulting from the product of two prime numbers. This factorisation obstacle, especially with the inclusion of large prime numbers, renders the decryption process computationally formidable. In the contemporary landscape, RSA finds extensive use, acting as a linchpin for secure digital communication in various domains, including online transactions, digital signatures, and more. However, as computational capabilities grow, the need for longer key lengths arises to maintain a robust level of security.

   2. Elliptic Curve Cryptography (ECC) is a public-key cryptographic system that uses the algebraic structure of elliptic curves over finite fields defined by prime numbers [18], 19]. ECC typically operates over a prime field F p , where p is a large prime, ensuring a finite and well-structured environment for secure arithmetic operations. Prime numbers are fundamental in defining the field and determining its size, directly influencing the cryptographic strength. Key generation involves selecting a generator point on the elliptic curve and computing scalar multiples: the private key is a random integer, and the public key results from multiplying this scalar with the generator. ECC achieves high security with smaller key sizes than RSA, making it efficient and widely used in modern cryptographic protocols.

3. Cryptographic protocols

   1. The Diffie–Hellman Key Exchange is a foundational cryptographic protocol that enables two parties to establish a shared secret key over an insecure channel [20]. Its security relies on the difficulty of the discrete logarithm problem in finite fields. The protocol begins with the public selection of a large prime number p and a generator g modulo p, both of which are known to all participants. Each party then chooses a private key (a random integer) and computes a public key by raising g to the private key modulo p. After exchanging public keys, both parties compute the shared secret by exponentiating the received public key with their own private key, again modulo p. The use of prime numbers is fundamental: the prime modulus p defines the finite field in which all operations occur and ensures the cryptographic strength of the exchange.

4. Implementation

   1. Implementation of the previous cryptographic primitives plays crucial roles in ensuring the security and integrity of Internet communication, authentication, email encryption, secure shell connections, VPNs, blockchain transactions, and the establishment of trust through certificate authorities.

3.1.3 Further details

Remark on Cryptography protocols. One of the primary objectives of cryptography is to establish secure communication channels between different parties. Security in this context encompasses various aspects such as data confidentiality, message integrity, and participant authentication. An approach to constructing secure channels is for the parties to share suitable cryptographic keys, which they maintain in strict confidence and use as inputs to encryption and message authentication algorithms. Typically, keys deemed appropriate for such cryptographic applications are required to possess the properties of length and randomness. This essentially ensures that they cannot be anticipated or thoroughly searched within a reasonable timeframe. We are now faced with the challenge of establishing these keys over an insecure network. Key-Exchange protocols are designed to address this issue. More formally, a Key-Exchange protocol is a cryptographic procedure in which two or more entities exchange messages to jointly determine a strong cryptographic key that cannot be computed by external parties.

In-depth analysis of sequence application. As we mentioned in the previous paragraph, Diffie-Hellman Key-Exchange is a fundamental cryptographic protocol that allows two parties to securely share a secret key over an insecure communication channel. This protocol relies heavily on the mathematical properties of prime numbers and generators within a finite cyclic group, typically involving modular arithmetic. The prime number p and the generator g play a critical role in ensuring the security and functionality of this cryptographic method, as it makes it difficult for attackers to deduce the secret key even if they know the public keys.

1. Prime number p . The prime number p is a cornerstone of the Diffie-Hellman Key-Exchange. Its primary role is to define the finite field Z p , which is the set of integers modulo p. This field has several important properties that are leveraged in the protocol:

   1. Finite field definition. The prime p ensures that the set Z p forms a finite field, which is a set of numbers with well-defined addition, subtraction, multiplication, and division operations (excluding division by zero). The finiteness of the field is important because it limits the number of possible values, making exhaustive search attacks computationally infeasible.

   2. Modular arithmetic. Operations in the Diffie–Hellman Key-Exchange are performed modulo p. This modular arithmetic ensures that the results of these operations remain within the set Z p , preventing overflow and maintaining the integrity of the computations.

   3. Security foundation. The security of the Diffie-Hellman protocol is based on the difficulty of solving the discrete logarithm problem within the finite field Z p . Specifically, given g ^a  mod p and g ^b  mod p, it is computationally challenging to determine a or b without knowing the other value. The choice of a large prime p makes this problem even more difficult, improving the security of Key-Exchange.

   4. Public parameter. The prime p is a public parameter that is shared between the communicating parties. Both parties agree on this value before initiating the Key-Exchange process. The public nature of p does not compromise security, as the difficulty of the discrete logarithm problem remains regardless of the knowledge of p.

2. Generator g . The generator g is another critical component of the Diffie–Hellman Key-Exchange. It is an element of the finite field Z p that has the specific properties necessary for the protocol:

   1. Primitive root. Ideally, the generator g is chosen to be a primitive root modulo p. A primitive root is an element whose powers generate all the non-zero elements of the field Z p . In other words, g is a generator of the multiplicative group of integers modulo p, meaning that the set g 1 , g 2 , … , g p − 1 mod p contains all the elements from 1 to p − 1. This property ensures that the key space is maximized, making it more difficult for an attacker to guess the secret key.

   2. Public parameter. Like the prime p, the generator g is also a public parameter. Both parties agree on g before the Key-Exchange begins. The public nature of g does not reduce the security of the protocol because the security relies on the difficulty of the discrete logarithm problem.

   3. Exponential operations. During the Key-Exchange, each party selects a private key (a random integer) and computes an exponential value using g. For example, if Alice chooses a private key a and Bob chooses a private key b, they compute g ^a  mod p and g ^b  mod p, respectively. These values are then exchanged over the insecure channel. The use of g in these exponential operations is important because it ensures that the resulting values are uniformly distributed over the field Z p , making it difficult for an attacker to predict the private keys.

   4. Shared secret computation. After exchanging the exponential values, each party uses their private key to compute the shared secret. Alice computes g b mod p a mod p , and Bob computes g a mod p b mod p . Due to the properties of modular arithmetic, both computations yield the same result: g ^ab  mod p. This shared secret can then be used as a key for symmetric encryption algorithms to secure further communications.

3.2.1 Proprieties

OEIS. Table 2 lists the first terms of the sequence, which are also available in the OEIS database.

Numbers of the form M _n  = 2 ⁿ − 1 without the primality requirement may be called simply Mersenne numbers (OEIS: A000225).

Although the expression 2 ⁿ  − 1 can be prime only for certain values of n, called Mersenne exponents, there is no simple condition on how large n must be. In practice, primes of this form are rare and require computational verification even for relatively small n. The following result characterizes all even perfect numbers, regardless of how large n is.

Connections to Perfect numbers. A positive integer n is called a perfect number if it is equal to the sum of all its positive divisors, excluding n itself. More than 2,300 years ago, Euclid proved that if 2 ^k − 1 is a prime number (it would be a Mersenne prime), then 2 k − 1 2 k − 1 is a perfect number. A few hundred years ago Euler proved the converse (that every even perfect number has this form). It is still unknown whether there are any odd perfect numbers (but if there are, they are large and have many prime factors).

Notice that we can say more: suppose that n > 1. Since x − 1 divides x ⁿ − 1, for the latter to be prime the former must be one. This gives the following.

Usually the first step in factoring numbers of the forms a ⁿ − 1 (where a and n are positive integers) is to factor the polynomial x ⁿ  − 1. In this proof, we just used the most basic of such factorisation rules.

Lucas-Lehmer test. Let M _p  = 2 ^p − 1 be a Mersenne number, where p is an odd prime. The Lucas–Lehmer test provides an efficient algorithm to determine whether M _p is prime. This test is based on a special recursive sequence and relies on earlier results from Lucas’s primality criterion, later formalized and extended by Morrison.

Define a sequence (s _i ) for i ≥ 0 by:

The first few terms of this sequence are 4, 14, 194, 37634, … (OEIS: A003010).

Then M _p is prime if and only if:

This condition is both necessary and sufficient, and it provides a deterministic test for the primality of Mersenne numbers. The value s _p−2 mod M _p is called the ”Lucas–Lehmer residue” of p.

The Lucas–Lehmer test is an adaptation of a more general primality criterion due to Édouard Lucas, who developed methods to test the primality of numbers of special algebraic forms. In particular, Lucas showed that for certain sequences satisfying specific recurrence relations, divisibility properties could certify primality. The current form of the test emerged in the 20th century through the contributions of Derrick Henry Lehmer and the formal justifications provided by Morrison, who connected the sequence to quadratic residues and the properties of the multiplicative group modulo M _p .

Theoretical justification. Let us sketch a proof of the correctness of the Lucas–Lehmer test. Suppose p is an odd prime, and define M _p  = 2 ^p − 1. Consider the field F M p , assuming M _p is prime. One can construct an element ω ∈ F M p 2 such that ω + ω ⁻¹ = 4, which implies ω = 2 + 3 in some algebraic extension. Then, the recurrence s n = s n − 1 2 − 2 can be expressed as:

In particular, this expression simplifies modulo M _p , and it can be shown that:

This result relies on the fact that the order of ω in the multiplicative group modulo M _p is maximal when M _p is prime, and the sequence hits zero only in that case.

Remarks. The Lucas–Lehmer test is deterministic and runs in polynomial time in p, making it one of the most efficient known methods for testing the primality of Mersenne numbers. It is the foundation of the ”Great Internet Mersenne Prime Search” (GIMPS) project, which has discovered all currently known Mersenne primes.

Example. The Mersenne number M₃ = 2³ − 1 = 7 is prime. The Lucas–Lehmer test verifies this as follows. Initially s is set to 4 and then updated 3 − 2 = 1 time:

Since the final value of s is 0 , the conclusion is that M ₃ is prime.

On October 21, 2024, GIMPS discovered the largest known prime number, 2 ^136,279,841  − 1, having 41,024,320 decimal digits. The new prime number, also known as M136279841, has been calculated using the Lucas–Lehmer primality test.

Open problems. It is not known whether the set of Mersenne primes is finite or infinite.

3.2.2 Applications to cryptography

The principal applications of Mersenne Prime numbers in cryptography are as follows:

1. Foundations

   1. A general-purpose pseudorandom number generator (PRNG), called Mersenne Twister, provides a 623-dimensional equidistribution up to 32-bit accuracy [21]. In this algorithm, a Mersenne prime period is used, which is achieved by modifying the previously proposed generators. For a n-bit word length, the Mersenne Twister generates integers in the range 0 , 2 n − 1 . The algorithm is based on a matrix linear recurrence over a finite binary field F 2 . It is a twisted generalised feedback shift register of rational normal form, with state bit reflection and tempering. The basic idea is to define a series x _i through a simple recurrence relation, and then output numbers of the form x i T , where T is an invertible F 2 -matrix called a tempering matrix. The most commonly used version of the Mersenne Twister algorithm is based on the Mersenne prime 2¹⁹⁹³⁷ − 1. The standard implementation of that, MT19937, uses a 32-bit word length. There is another implementation (with five variants) that uses a 64-bit word length, MT19937-64 and generates a different sequence. Furthermore, the generator has an algorithm that is provided to check its primitivity and the computational complexity of this primitivity test is O ( p 2 ) , where p is the degree of the polynomial. However, it is not cryptographically secure, i.e. Cryptographically Secure Pseudorandom Number Generator (CSPRNG), unless the CryptMT variant is used. The reason is that observing a sufficient number of iterations (624 in the case of MT19937, since this is the size of the state vector from which future iterations are produced) allows one to predict all future iterations.

      Specifically, CryptMT is a stream cipher which is a combination of Linear Feedback Shift Register (LFSR) like Mersenne Twister and non-linear filter based on multiplication [22]. The period and high dimension of equidistribution as a stream cipher are theoretically assured. Moreover, it uses a booter to generate shorter sequence efficiently.

2. Cryptographic hash functions

   1. An hash function scheme called Hash Mersenne Number Transform (HMNT) based on a New Mersenne Number Transform (NMNT) [23]. The HMNT is defined as the modulo of the Mersenne numbers, where arithmetic operations are simple equivalents to ones’ complement. It takes an arbitrary length as input and generates a hash value with variable lengths (128, 256, and 512-bits or longer).

3. Public-key cryptography

   1. A public-key cryptosystem whose security is based on arithmetic modulo of Mersenne numbers [24]. These numbers have an extremely useful property. For any number x modulo p, and y = 2 ^z , where z is a positive integer, x ⋅ y is a cyclic shift of x by z positions and thus the Hamming weight of x is unchanged under multiplication by powers of 2. The encryption scheme is based on the simple observation that, given a uniformly random n-bit string R, when we consider T = F ⋅ R + G(mod p), where the binary representation of F and G modulo p has low Hamming weight, then T looks pseudorandom, i.e., it is hard to obtain any non-trivial information about F, G from R, T. The public-key is chosen to be the pair (R, T), and the secret key is the string F. The encryption scheme also requires an efficient error correcting code with.

3.2.3 Further details

Remark on cryptographic Hash functions. Hash functions are cryptographic algorithms that transform an input of arbitrary length into a fixed-length output, known as a ”digest” or ”hash value”, unique representation of the original input. They must have several key properties to be secure and effective, as their function is fundamental in many security and cryptographic applications due to the hash functions’ ability to ensure:

1. Data integrity. Hash functions are used to ensure the integrity of the data. If we have the hash of a message or file, we can compare it with the hash of a received message or file to verify that it has not been altered. This is commonly used in checksums and digital signatures.

2. Digital signatures. A hash function is a crucial component in digital signatures. The hash of a document is calculated and then encrypted with the sender’s private key. The recipient can decrypt the hash using the sender’s public key and compare it to the hash calculated from the received document to verify its authenticity and integrity.

3. Password hashing. Passwords are usually stored as hashes rather than as plain text. When a user enters a password, its hash is calculated and compared with the stored hash. This ensures that even if a password database is compromised, attackers cannot easily retrieve the original passwords.

4. Key Derivation Functions (KDFs). Hash functions are used to derive cryptographic keys from passwords or other sensitive information. KDFs transform an input of arbitrary length into fixed-length keys that can be used in encryption algorithms.

5. Security protocols. Hash functions are used in various security protocols such as TLS, SSL, IPSec, and in technologies like Bitcoin and other cryptocurrencies to ensure the integrity and security of transactions and communications.

In-depth analysis of sequence application. As mentioned previously, from the Mersenne numbers it has been possible to construct a hash function scheme (HMNT) derived from NMNT [25]. The NMNT has proved to be an important Number-Theoretic Transform (NTT), which has been firmly recognised within the field of signal processing. Interesting applications of NTTs are found in the areas of digital filtering, image processing, fast coding and decoding, multiplication of large integers and matrices, deconvolution, and cryptography [26].

The most recognised NTTs are the Fermat (FNT) [27] and Mersenne (MNT) [28] number transforms. However, for standard signal processing applications the main drawback of these transforms is the stringent relationship between word length (the number of bits in the modulus), obtainable transform length, and a limited choice of possible word lengths. In order to retain the advantages of NTTs, the NMNT was consequently introduced, which alleviates this relationship. NMNT is defined modulo the Mersenne numbers, where arithmetic operations are simple equivalent to the complement of 1 and has the cyclic convolution property; therefore, it can be used for fast calculation of error-free convolutions and correlations [29]. The NMNT is a particularly interesting NTT as it has a long powers of two lengths up to 2 ^p , making it amenable to fast algorithms. However, NMNT can be used in one or several dimensions. Moreover, NMNT has several inherent advantages, such as its sensitivity to slight input variation, the long transform length, and variable block size [30].

These properties can be exploited to design a hash function that is more secure and efficient.

X(k), H(k) and Y(k) stand for the NMNT transforms of x(n), h(n) and y(n) respectively. H _ev (k) and H _od (k) stand for even and odd parts of H(k) respectively, which are given by:

If both x(n) and h(n) are properly padded with zeros, their circular convolution given in (57) will be equivalent to their linear convolution. To avoid overflow, the modulus Mp must be chosen so that y(n) does not exceed Mp, an upper bound is given by [25], 31]:

(HMNT scheme). An input message M of arbitrary length is required to generate a variable hash value H. Usually, HMNT supports three lengths of hash values, i.e. H = 128, 256 and 512 bits or longer. The HMNT process consists of the following steps:

1. Step 1. Convert the input message M into the corresponding ASCII code value.

2. Step 2. The original message M is divided into a number of blocks (m): M = M 0 , M 1 , … , M m − 1 . The length of each block is denoted as n, where n is the length of the hash value. The shortage in the last block is padded with the equivalent number of space characters in the ASCII code, which is 32.

3. Step 3. The secret key K is a series of characters that modify the input message M. These characters also convert into the corresponding ASCII code values. If the character length is less than the length of the hash value (n), the block is padded with the equivalent number of space characters in the ASCII code. Then, elements are added one by one to each block of the input message M.

4. Step 4. Upon modifying the input message using the secret key K, NMNT (a formula that performs mathematical operations to transfer each block of the message to the transform domain) is applied to each block in the input message.

5. Step 5. The final hash value H of the message M is obtained by summation (element-by-element addition) of transform output NMNT to each block.

3.3.1 Proprieties

OEIS. Table 3 lists the first terms of the sequence, which are also available in the OEIS database.

Safe prime. The number 2p + 1 associated with a Sophie Germain prime is called a safe prime. For example, 23 is a Sophie Germain prime and 2 ⋅ 23 + 1 = 47 is its associated safe prime.

Strong prime. A prime number q is a strong prime if q + 1 and q − 1 have a large prime factor (approximately 500 digits). For a safe prime value q = 2 p + 1, the number q − 1 naturally has a large prime value, that is, p, so a safe prime value q meets part of the criteria for a strong prime. The execution time of certain methods of factoring a number with q as the primary factor depends in part on the size of the primary factor q − 1. This is true, for example, with Pollard’s p − 1 algorithm.

Conjecture. It is conjectured that there are infinitely many Sophie Germain primes, although this has never been proven, and that the number of Sophie Germain primes up to x is

where C is Hardy–Littlewood’s twin prime constant.

and the product is over all primes p > 2 [32].

3.3.2 Applications to cryptography

The principal applications of Sophie German prime numbers in cryptography are as follows:

1. Foundations

   1. Sophie-Germain prime moduli are used in parallel Linear Congruential Generators (LCGs) for Monte Carlo simulations, providing an alternative to the commonly used Mersenne primes [33]. These primes, of the form 2 ^q  − k, where k can be as large as 2 q , are used as moduli in LCGs, and modular multiplication in an LCG with a Sophie-Germain prime modulus can be written in a specific equation. The choice of Sophie-Germain primes reduces initialisation time and provides competitive generation time when appropriately chosen. The resulting Sophie-Germain prime modulus LCGs have been tested and compared to Mersenne primes.

2. Secret-key cryptography

   1. Mode called Sophie Germain Counter Mode (SGCM) has been proposed as a variant of the Galois/Counter Mode of operation for block ciphers. Instead of the binary field GF 2 128 , it uses modular arithmetic in GF (p) where p is a safe prime 2¹²⁸ + 12451 with the corresponding Sophie Germain prime p − 1 2 = 2 127 + 6225 [34]. Although SGCM prevents the specific ”weak key” attack, there are other ways to modify the message that will achieve the same forgery probability against SGCM as is possible against GCM: By modifying a valid n-word message, you can create an SGCM forgery with probability circa n 2 128 That is, its authentication bounds are no better than those of Galois/Counter Mode.

3. Public-key cryptography

   1. Safe and strong primes were useful as the factors of secret keys in the RSA cryptosystem [35], 36], because they prevent the system being broken by some factorization algorithms such as Pollard’s p − 1 algorithm. However, with current factorisation technology, the advantage of using safe and strong primes appears to be negligible today.

4. Cryptographic protocols

   1. The issues about safe e strong primes apply in other cryptosystems as well, including Diffie-Hellman Key-Exchange and similar systems that depend on the security of the discrete log problem rather than on integer factorization [37]. If 2p + 1 is a safe prime, the multiplicative group of modulo integers 2p + 1 has a subgroup of high prime order. This prime order subgroup is usually desirable and the reason for using safe primes is so that the modulus is as small as possible relative to p. For this reason, the key generation protocols for these methods often depend on efficient algorithms to generate strong primes, which in turn depend on assumptions that these primes have sufficient density [38].

3.3.3 Further details

Remark on Secret-key cryptography. Secret-key cryptography is usually classified as block ciphers or stream ciphers. In a block cipher, the plaintext is divided into fixed-sized chunks called blocks. A block is specified to be a bitstring (i.e. a string of 0’s and 1’s) of some fixed length (e.g., 64 or 128 bits). A block cipher will encrypt (or decrypt) one block at a time. In contrast, a stream cipher first uses the key to construct a keystream, which is a bitstring that has exactly the same length as the plaintext (the plaintext is a bitstring of arbitrary length). The encryption operation constructs the ciphertext as the exclusive-or of the plaintext and the keystream. Decryption is performed by computing the exclusive-or of the ciphertext and the keystream [39].

In this regard, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity [40]. A mode of operation describes how to repeatedly apply a cipher’s single-block operation to securely transform amounts of data larger than a block. Most modes require a unique binary sequence, often called an Initialization Vector (IV), for each encryption operation. The IV must be non-repeating, and for some modes must also be random. The IV is used to ensure that distinct ciphertexts are produced even when the same plaintext is encrypted multiple times independently with the same key. Historically, encryption modes have been extensively studied in regard to their error propagation properties in various scenarios of data modification. Later development regarded integrity protection as an entirely separate cryptographic goal. Some modern modes of operation combine confidentiality and authenticity in an efficient way, and are known as authenticated encryption modes.

One such mode is Galois/Counter Mode (GCM) which is widely adopted for its performance. GCM throughput rates for high-speed state-of-the-art communication channels can be achieved with inexpensive hardware resources [41].

In-depth analysis of sequence application. (Description of GHASH). Let X be a concatenation of authenticated unencrypted data, CTR-encrypted ciphertext, and padding. This data is split into m 128-bit blocks X _i :

AES is used to derive the root authentication key H = E _K (0). The same AES key K is also used as the data encryption key. In this case, we assume that H is unknown to the attacker as the scheme would otherwise be trivially breakable.

GHASH is based on operations in the finite field F 2 128 . Horner’s rule is used in this field to evaluate the polynomial Y:

The authentication tag is T = Y m + E K I V 0 31 1 , assuming that a 96-bit IV is used. The IV value must never be repeated as that would lead to the “forbidden attack” discussed by Joux in [40].

(SGCM). Mathematically, SGCM differs from GCM only in the underlying field where GHASH’s arithmetic operations are performed. While GCM uses the binary field F 2 128 , SGCM uses traditional modular arithmetic in F p , where:

Here p − 1 2 is also a prime, a Sophie Germain prime.

All other aspects of SGCM are equivalent to GCM, except those described in the ’Multiplication operation on blocks’ and the ’GHASH function’ of NIST Special Publication 800-38D [41].

3.4.1 Proprieties

In some older definitions, the value F ₀ = 0 is omitted, so that the sequence starts with F ₁ = F ₂ = 1, and the recurrence F _n  = F _n−1 + F _n−2 is valid for n > 2.

OEIS. Table 4 lists the first terms of the sequence, which are also available in the OEIS database.

Recurrence relation. Another recurrence relation for the Fibonacci numbers is:

where ⌊x⌋ is the floor function and ϕ is the ”golden ratio” ( ϕ = 1 2 ( 1 + 5 ) = 1.618033988 … ) . This expression follows from the more general recurrence relation:

for k > 2. (The k = 1 case is trivially F _n+1, while the k = 2 case is essentially Cassini’s identity and therefore equal to (−1) ⁿ ).

See [ [42], pp. 236–240] for a derivation and general discussion of Fibonacci determinant identities.

Generating function. The generating function of the Fibonacci sequence is the power series:

This series is convergent for any complex number z satisfying |z| < 1/φ, and its sum has a simple closed form:

3.4.2 Applications to cryptography

The main applications of Fibonacci numbers in cryptography are as follows:

1. Foundations

   1. A Lagged Fibonacci Generator (LFG) is an example of a pseudo-random number generator based on Fibonacci sequence. This class of random number generators is aimed at being an improvement on the ”standard” linear congruential generator. Generalising the sequence (65)

      (70) S n ≡ S n − r ⊗ S n − s   ( mod   m ) , 0 < r < s

      the new term is some combination of any two previous terms. m is usually a power of 2 m = 2 M , often 2³² or 2⁶⁴. The ⊗ operator denotes a general binary operation. This may be either addition, subtraction, multiplication, or the bitwise exclusive-or operator (XOR). The theory of this type of generator is rather complex, and it may not be sufficient simply to choose random values for j and k. These generators also tend to be very sensitive to initialisation. Generators of this type employ k words of state (they ”remember”’ the last k values). If the operation used is addition, then the generator is described as an Additive Lagged Fibonacci Generator (ALFG) [43], if multiplication is used, it is a Multiplicative Lagged Fibonacci Generator (MLFG) [44], and if the XOR operation is used, it is called a Two-tap generalised feedback shift register (GFSR). The GFSR is also related to the Linear-Feedback Shift Register (LFSR) [45], 46].

   2. A variety of keystream generators have been suggested that are based on Fibonacci sequences, and at least one has been implemented. These generators are appealing because they can take advantage of the security results from the theory of shift register-based keystream generators, while running much faster in software [47].

   3. Although LFSRs are one of the most popular devices for generating pseudo-random sequences, since they are simple, fast, and easy to implement in software and hardware, the main disadvantage is that in an LFSR, the current state is a linear function of the previous state, thus cryptographically insecure. As an alternative, a Non-Linear-Feedback Shift Register (NLFSR), Fibonacci based also, whose current state is a nonlinear function of its previous state can be used. More specifically, for an n-bit shift register r its next state is defined as:

      (71) r i + 1 b 0 , b 1 , b 2 , … , b n − 1 = r i b 1 , b 2 , … , f b 0 , b 1 , b 2 , … , b n − 1 , 

      where f is the non-linear feedback function. At present, the main application area of NLFSRs is cryptography [48]. The output sequences of NLFSRs are normally very hard to break with existing cryptanalytic methods.

   4. p-Fibonacci error-correcting codes are a type of error-correcting codes that are based on the Fibonacci p-sequence. They are defined as the numerical sequence a _p,n given by the recursive relation a _p,n  = a _p,n−1 + a _p,n−p−1, with initial values a _p,1 =…= a _p,p+1 = 1. For a given integer p ≥ 1, the p-Fibonacci matrix Q _p is a (p + 1) × (p + 1) matrix of the following form:

      (72) Q p = 1 1 0 0 … 0 0 0 0 1 0 … 0 0 ⋮ ⋮ ⋮ ⋮ ⋱ ⋮ ⋮ 0 0 0 0 … 1 0 0 0 0 0 … 0 1 1 0 0 0 … 0 0 .

      Fibonacci Q _p matrices allow us to define a method to encode and decode a message M and also to detect and correct errors that might occur in transmission of the encoding of M. These codes are used in cryptography to design identification protocols and quantum-resistant signature schemes [49].

2. Cryptographic hash functions

   1. An audio fingerprint is a compact representation of an original signal and is considered as a short summary of an audio object. Therefore, the fingerprint is considered identification in the sense that it almost uniquely represents the signal. Audio fingerprinting can achieve the monitoring of audio content without metadata, which helps to identify an unknown audio clip from a database via the Internet, PC, microphone, mobile phone, etc. Furthermore, people also adopt audio fingerprinting technologies to protect the copyright of music, prohibit copyright infringement of songs, etc. A fast retrieval algorithm based on Fibonacci Hashing for the extension of the Philips’s method to save memory and improve query speed [50].

   2. Protein family classification is crucial for applications such as smart drug therapies, understanding protein functions, and building phylogenetic trees. Although sequencing techniques can reveal biological similarities between protein families, they are time-consuming. To address this challenge, a computer and artificial intelligence-based classification system has been developed. This system converts protein sequences into numerical representations. A novel protein mapping method based on Fibonacci Hashing assigns each amino acid code to Fibonacci numbers based on integer representations. These coded amino acids are then inserted into a hashing table for classification using recurrent neural networks [51].

3. Cryptographic protocols.

   Fibonacci numbers have found various applications in quantum cryptography, particularly in the design of secure encoding schemes, quantum states, and communication protocols. In this context, Fibonacci – based constructions offer unique mathematical properties such as nonlinearity, recursive structure, and incommensurate ratios – that can enhance the robustness of quantum systems. Notably, they are employed in the following ways:

   1. Fibonacci quantum states in quantum optics. Quantum states with amplitudes proportional to Fibonacci numbers have been explored to define non-classical light fields and structured superpositions. These so-called “Fibonacci states” can exhibit non-trivial phase relationships and may be used in quantum key distribution schemes [52].

   2. Quantum walks based on Fibonacci sequences. Quantum walks governed by Fibonacci step sizes or recursive rules have been proposed as mechanisms for secure key generation. These walks produce structured but non-periodic probability distributions, increasing the difficulty of key inference by adversaries [53].

   3. Fibonacci-based bases in quantum key distribution (QKD). In generalized QKD protocols, Fibonacci numbers are used to define rotation angles or construct measurement bases that are non-orthogonal or non-equidistant. For instance, angular separations can be derived from the golden ratio ϕ = 1 + 5 2 , with:

      (73) θ n = 2 π ϕ n .

      This approach reduces the probability of undetected eavesdropping due to the use of non-uniform basis alignment [54].

4. Steganography

   1. Steganographic solution in which Fibonacci numbers play a crucial role in improving the capacity and security of data embedding in images [55]. Using image decomposition based on the Fibonacci sequence, the algorithm can create a larger number of bit levels, specifically 12 levels compared to traditional 8. This increase in levels allows for a more efficient distribution of secret data, significantly improving the overall capacity of information embedding. In addition, the combination of Fibonacci numbers with T-order statistics allows the algorithm to embed secret data in less obvious regions of the image. This adaptive approach minimises the visual impact of changes made during the embedding process, thus improving the resistance to detection by various steganalysis tools.

   2. In another approach, the pixel location choice is obtained by resorting to the p-Fibonacci series F _p (i), where F _p (i) = F _p (i − 1) + F _p (i − p − 1) and p is a non-negative integer that decides the sequence of values given to a singular series [56]. Pixel positions are taken whose values are multiples of the numbers of F _p (i) and embed information in them.

3.4.3 Further details

Remark on Pseudo-Random Number Generators. Pseudo-Random Number Generators (PRNGs) play a crucial role in cryptography for several reasons:

1. Key Generation. PRNGs are used to generate cryptographic keys, which need to be random and unpredictable to ensure the security of the cryptographic system. A weak PRNG can lead to key predictability, making the system vulnerable to attacks.

2. Initialization Vectors (IV). In many cryptographic algorithms, Initialization Vectors (IVs) are used to ensure that identical plaintexts produce different ciphertexts on encryption. PRNGs are often used to generate these IVs.

3. Nonces. PRNGs generate nonces (numbers used once) that are crucial for preventing replay attacks where an attacker tries to reuse a previously captured set of messages.

4. Salts. In password hashing, salts are random data added to passwords before hashing to ensure that even identical passwords have different hash results. PRNGs are used to generate these salts.

5. Stream Ciphers. In stream ciphers, PRNGs generate a pseudorandom keystream that is XORed with plaintext to produce ciphertext. The security of stream ciphers is highly dependent on the strength and unpredictability of the PRNG.

In summary, PRNGs are fundamental to ensuring the randomness and security required in various cryptographic processes, and a compromise in PRNG quality can lead to severe vulnerabilities in the entire cryptographic system.

In-depth analysis of sequence application. In this context, LFGs have occupied a special place among such generators and have gained popularity for their ease of implementation and relatively low cost and complexity. For this reason, it has been used successfully in many situations since 1958 and it was a real shock to discover in the 1990s that they actually fail an extremely simple, non-contrived test for randomness. As anticipated in the previous paragraph, these generators are defined by their recurrence relation:

The symbol ⊗ represents an operation that could be any of the following: addition (+), subtraction (−), multiplication (×), or exclusive OR (⊕) [57]. To generate R bits random number, m = 2 ^R ; r and s are called the lags of the generator where r > s > 0 [58]. The output sequence is represented by x _n , and the time is denoted by n. See [59] for a more detailed analysis of this generator.

The maximum period that can be achieved by LFG depends on the specific operation employed, as illustrated in Table 5.

The term AFG is used to group generators that use the + or – operator. As shown in the above table, + and operators obtain large periods; therefore, most stringent statistical tests show that AFG produce satisfactory outcomes even if the lags have small values. As such, the equation of an AFG can be expressed as:

Where m denotes the base, r and s represent the lags of the past samples, and x 0 , … , x r − 1 , constitute the seeds values [58].

When m = 2 ^N , N being the length of the word, and the trinomial x ^r  + x ^s  + 1 is irreducible and primitive over F ( 2 ) , the maximum period p is reached (subject to the condition that at least one of the seed values must be odd) and its value is p = 2 N − 1 2 r − 1 .

As already mentioned, despite their advantages, LFG is subject to limitations regarding randomness and security. Therefore, in order to have sufficiently large periods and exhibit ideal random behaviour, large lags are required. However, large lags mean large amounts of memory, since the state of an LFG is proportional to its lags [60]

Recently, various studies have been done to modify LFG, due to its easy implementation and simplicity [61]. To overcome the aforementioned issues, a more sophisticated architecture for generating keys has been introduced in this work.

3.5.1 Proprieties

Any sequence satisfying this recurrence relation can be represented as a linear combination of the Lucas sequences U _n (P, Q) and V _n (P, Q).

Recurrence relations. Given the previous two integer parameters P and Q, the Lucas sequences of the first kind U n = U n ( P , Q ) ( n ∈ N ) and of the second kind V n = V n ( P , Q ) ( n ∈ N ) are defined by the recurrence relations [63]:

The characteristic equation x ² − Px + Q = 0 of the sequences U _n and V _n has two roots α = ( P + D ) / 2 and β = ( P − D ) / 2 with the discriminant D = P ² − 4Q. Note that D ^1/2 = α − β. Furthermore, D = 0 means x ² − Px + Q = 0 has the repeated root α = β = P/2. It is well known that for any n ∈ N ([8]),