New number-theoretic cryptographic primitives

1.1 One-way functions

A fundamental building block for constructing secure signature schemes or public-key cryptosystems is one-way functions [14, Chapter 2]. Informally, a one-way function (OWF) is a function f that is easy to compute in polynomial time (by definition) on every input, but hard to invert given the image of a random input.

Basically, there exist three families of OWFs: (i) one-way permutations which are bijective OWFs, (ii) trapdoor OWFs which are one-way unless some extra information is given, and (iii) collision-free or collision-resistant hash functions. Almost all known OWFs have been based on intractable problems from number theory or some related mathematical fields like coding theory.

1.2 Digital signatures

Diffie and Hellman in their seminal work [10] first pointed out the notion of digital signatures. Since then, there have been many signature proposals built from trapdoor one-way permutations based on different algebraic assumptions. The most well-known being the one devised by Rivest, Shamir and Adleman from the so-called RSA assumption [35].

Concurrently to the above, another popular approach to construct signature schemes is by using the Fiat–Shamir tranform [12]. It consists in turning a public-coin proof of knowledge into a signature scheme, which has yielded many efficient signature schemes like the Schnorr signature [41].

1.3 Cryptography modulo p^rq

Moduli of the form p^rq have found a few applications in cryptography since the mid 1980s, the most notable of which are probably the ESIGN signature scheme and its variants using p²q (see [13, 17, 30, 31, 42]), Okamoto–Uchiyama’s cryptosystem [32, 40], Schmidt-Samoa’s cryptosystem [39] or constructions such as [37, 43].

There are four main approaches of factorization algorithms for the structure p^rq: the elliptic curve method (ECM) [25] which was improved by Peralta and Okamoto [34], the number field sieve (NFS) [26], the lattice factoring method (LFM) [3] and factoring using Jacobi symbols. Note that the special structure of p^rq is not threatened by NFS beyond regular RSA moduli are threatened by that same attack. Actually, it turns out that using p²q moduli does not seem to render factoring significantly easier. Boneh, Durfee and Howgrave-Graham [3] showed that n = p^rq can be factored in polynomial time when r is large (i.e., r ≃ log p). Consequently, as stated in [29], this LLL-based approach [22] does not apply to the setting considered in this paper where r is rather small. See also [27, 28].

2.1 The Jacobi symbol

Given a positive integer n, an integer a with gcd(a, n) = 1 is called a quadratic residue modulon if and only if x² ≡ a(mod n) is solvable. If a is not a quadratic residue, then it is called a quadratic non-residue modulon.

Let a be an integer, and let p ∈ ℙ, p ≠ 2. The Legendre symbol(ap) is defined as

The Legendre symbol satisfies Euler’s criterion, namely, ap≡ap−12 (mod p).

The Jacobi symbol is a natural generalization of the Legendre symbol.

Interestingly, the prime factorization of n is not required for evaluating (an). It can be efficiently computed with O((log₂a)(log₂n)) bit operations [1, § 5.9]. We point out that the Legendre and Jacobi symbols are indistinguishable when n is an odd prime. Also, we note that the Legendre symbol allows to determine whether an integer is a quadratic residue or not, whereas the Jacobi symbol does not allow checking this property.

2.2 Digital signatures

A signature scheme [19] is a tuple Σ = (KeyGen, Sign, Verify) of probabilistic polynomial-time algorithms satisfying the following:

KeyGen(1^κ) On input security parameter 1^κ, key generation algorithm KeyGen produces a pair (pk, sk) of matching public and private keys.

Sign(sk, m) Given a private key sk and a message m in a set 𝓜 of messages, signing algorithm Sign produces a signature σ.

Verify(pk, m, σ) Given a public key pk, a message m ∈ 𝓜 and a signature σ, the verifying algorithm Verify checks whether σ is a valid signature on m with respect to pk.

The classical security notion for signature schemes is existential unforgeability against chosen-message attacks (in short, EUF-CMA) [15]. Basically, it requires that an adversary having access to a signing oracle returning the signature on messages of its choice is unable to produce a valid signature on a message not previously submitted to the signing oracle. In the random oracle model [2], the adversary has in addition access to a hash oracle viewed as a random oracle. More formally, we have the following definition.

Figure 1

EUF-CMA experiment for digital signature schemes.

3.1 Function 𝓕₀

Let q = (q₀, …, q_k–1) be a set of k distinct (odd) primes, and let Q = ∏j=0k−1q_j. Consider the function 𝓕₀ given by

We argue that an appropriate selection for the domain of 𝓕₀ and the number of primes q_j turns 𝓕₀ into a one-way function.

Of course, 𝔇 cannot be the whole group ZQ∗. Otherwise, given a challenge ŷ = 𝓕₀(x̂), an attacker could execute Algorithm 1.

This algorithm yields outputs that are smaller than Q = ∏j=0k−1q_j. An obvious way to prevent an attacker to successfully run Algorithm 1 would be to restrict 𝔇 to entries smaller than a given bound B.

But there is another way to tackle the problem of finding pre-images to 𝓕₀. Let 𝓩 be the set of k-bit integers in ℕ. Now if we regard an imprint in 𝓩 as an element of (𝓩₂)^k (that is, if we look at its binary representation), we see that 𝓕₀ induces a group homomorphism from (ZQ∗, ⋅) to (𝓩, ⊕):

Therefore, an attacker could generate a set of ℓ “small” primes p_i (with p_i ∤ Q) and compute the corresponding imprint z_i = 𝓕₀(p_i) for 1 ≤ i ≤ ℓ. It suffices then for the attacker to use linear algebra modulo 2 (i.e., Gaussian elimination) to find a subset of the z_i’s having the target imprint ŷ as an xor:^[1]

A pre-image is given by

which is valid provided that x < B. This second attack is avoided by limiting 𝔇 to primes. Furthermore, each prime q_j in q imposes a condition on the pre-image. The birthday paradox suggests to choose the number k of primes q_j to be at least 2κ, where κ is the security parameter. All in all, we recommend to select k = 2κ and 𝔇 = {x ∈ ℙ | x < B with B ≪ Q, where Q = ∏j=0k−1q_j}.

3.2 From 𝓕₀ to 𝓕₁

We use function 𝓕₀ as a starting point to define a (conjectured) trapdoor one-way function. The resulting function 𝓕₁ has the extra property that it can be inverted when it is given a trapdoor as an additional input. To insert a trapdoor, we replace the primes q_j with RSA-like moduli of the form n_j = p_j²q_j. This does not affect the output value since ℑ_n(x) = ℑ_q(x) for all x such that gcd(x, n_j) = 1 for 0 ≤ j ≤ k – 1. The trapdoor is q.

Note that finding a pre-image to ŷ = 𝓕₁(x̂) is easy given the trapdoor q = (q₀, …, q_k–1):

1. run Algorithm 1, and obtain x such that ℑ_q(x) = ŷ;

2. update x as x ← xu² mod Q with u ←$ ZQ∗ until x is prime;

3. return x.

Clearly, the so-obtained x is a valid pre-image: x ∈ 𝔇 and 𝓕₁(x) = ŷ.

4.1 Description

Our basic signature scheme is a tuple of algorithms Σ = (KeyGen, Sign, Verify), which we define as follows:

Key generation The key generation algorithm KeyGen takes as input a security parameter 1^κ and defines parameters k and ℓ. It selects a collision-resistant hash function H : {0, 1}^∗ → {0, 1}^k. It also produces k pairs (p_j, q_j) of ℓ-bit primes and forms the moduli n_j = p_j²q_j. The public parameters are pp = (k, ℓ, H). The public key is pk = {n_j}_{0≤j≤k–1}, while the private key is sk = {q_j}_{0≤j≤k–1}. The outputs are pk and sk (and pp).

Signing The signing algorithm Sign takes as inputs a message m ∈ {0, 1}^∗ and the secret key sk. The signature on message m proceeds as follows:

1. compute H(m) = ∏j=0k−1h_j2^j with h_j ∈ {0, 1};

2. pick at random k ℓ-bit integers r_j such that {rjqj}=hj for 0 ≤ j ≤ k – 1;

3. compute R = CRT(r, q) with r = (r₀, …, r_k–1) and q = (q₀, …, q_k–1);

4. set Q = ∏j=0k−1q_j and choose at random an integer u ∈ ZQ∗ such that σ := Ru² mod Q ∈ ℙ;

5. return σ.

Verification The verifying algorithm Verify takes as inputs the public key pk, a message m and a signature σ on message m. It checks whether (i) σ ∈ ℙ, (ii) σ < 2^ℓk, (iii) ℑ_n(σ) = H(m), where n = (n₀, …, n_k–1). Verify returns 1 (i.e., the signature is accepted) if and only if the three conditions above are fulfilled. Otherwise, Verify returns 0.

The next proposition shows that the signature scheme is correct: for (pk, sk) ← KeyGen(1^κ) and any message m ∈ {0, 1}^∗, we have Verify(pk, m, Sign(m, sk)) = 1.

4.2 Security proof

4.3 Toy example (k = 8)

Picking the secret primes

we have the public moduli

and the value

Consider a message whose digest is h = (h₀, …, h₇), and draw r_j’s as

We get CRT(r, q) = 1395786251559231878789764535858641198.

By selecting u = 2152266820709866295140077504687803459, we obtain the signature

5.1 Cyclotomic integers and higher-order residuosity

We start by reviewing some classical results on cyclotomic fields. We refer the reader to [18, 44] for further introductory background.

Fix ζ := ζ_r a primitive r-th root of unity; i.e., ζ is a root of X^r – 1 and X^s ≠ 1 for 0 < s < r. Adjoining ζ to the field ℚ of rationals defines the cyclotomic field ℚ(ζ). It is the splitting field of X^r – 1; its Galois group Gal(ℚ(ζ)/ℚ) is isomorphic to Zr∗, with k mod r corresponding to the map σ_k : ζ ↦ ζ^k; see [18, Proposition 13.2.1] or [44, Theorem 2.5]. The ring of integers of ℚ(ζ) is 𝓩[ζ] ≅ 𝓩[X]/(Φ_r), where Φ_r is the r-th cyclotomic polynomial; see [44, Theorem 2.6].

The elements α of 𝓩[ζ] are written as

where φ denotes Euler’s totient function. The norm of α ∈ 𝓩[ζ] is the rational integer N⁡(α)=∏k∈Zr∗σk(α). We assume that 𝓩[ζ] is norm-Euclidean.^[2]

The elements of norm ±1 in 𝓩[ζ] are called units. Two elements α, β ∈ 𝓩[ζ] that are equal up to multiplication by a unit υ ∈ 𝓩[ζ] (i.e., α = υβ) are said to be associates; we write α ∼ β. A non-unit element π ∈ 𝓩[ζ] is a prime in 𝓩[ζ] if, for any α, β ∈ 𝓩[ζ], π|αβ implies π|α or π|β. If r is a prime power (i.e., r = q^ℓ for some rational prime q and ℓ ≥ 1), then (1 – ζ) is a prime in 𝓩[ζ] and N(1 – ζ) = q; otherwise, (1 – ζ) is a unit in 𝓩[ζ].

Let π be a prime in 𝓩[ζ], with gcd(N(π), r) = 1. For every α ∈ 𝓩[ζ] such that π ∤ α, we have α^N(π)–1 ≡ 1 (mod π). Further, 〈ζ〉 is a subgroup of order r of (𝓩[ζ]/(π))^∗, it follows that r|(N(π) – 1) and

This defines the r-th-power residue symbol.

Let α, β, π ∈ 𝓩[ζ] with π prime and gcd(N(π), r) = 1. It is easily verified from the definition that the following properties are satisfied:

Furthermore, in a way similar to the Jacobi symbol for quadratic residuosity, the r-th-power residue symbol naturally generalizes.

The notion of Jacobi imprint generalizes to higher powers. To ease the notation, we extend the brace symbol as follows:

where {αλ}r=j if and only if [αλ]r=ζj. Note that Definition 3 corresponds to the case r = 2.

5.2 Parameter selection

As discussed in the introduction, the main threat for factoring-related cryptosystems comes from NFS and its variants. Table 1 lists different types of security level and the commonly accepted corresponding size for the modulus. See e.g. [23, 47].

The current state of affairs teaches that moduli could be selected of the form p_j^rq_j with r ≥ 2 chosen to have a balanced resistance against both NFS-type and ECM-type factoring algorithms. Given a modulus whose length is chosen according to Table 1, a bound for the number of factors that may be allowed is derived in [21, Section 4]. This suggests to select r in the range [2, …, 5], depending on the security level.

Each possible value for r gives rise to a signature scheme. Of particular interest are the following new species in the signature zoo:

6.1 Description

The Octapus signature scheme (KeyGen, Sign, Verify) is defined as follows:

Key generation KeyGen takes as input a security parameter 1^κ and defines parameters k and ℓ. It selects a collision-resistant hash function H : {0, 1}^∗ → (𝓩₄)^k. It also produces k pairs (π_j, ψ_j) of primes in 𝓩[ζ], where N(π_j) and N(ψ_j) are ℓ-bit long, and forms the moduli ν_j = π_j⁴ψ_j. The outputs are pp = (k, ℓ, H), pk = {ν_j}_{0≤j≤k–1} and sk = {ψ_j}_{0≤j≤k–1}.

Signing On input, a message m ∈ {0, 1}^∗ and sk, Sign does the following:

1. compute H(m) = ∏j=0k−1h_j4^j with h_j ∈ 𝓩₄;

2. pick at random k integers ρ_j ∈ 𝓩[ζ] of ℓ-bit norm such that {ρjψj}=hj for 0 ≤ j ≤ k – 1;

3. compute ϱ = CRT(ρ, ψ) with ρ = (ρ₀, …, ρ_k–1) and ψ = (ψ₀, …, ψ_k–1);

4. set Ψ=∏j=0k−1ψ_j, and choose at random an integer υ ∈ (𝓩[ζ]/(Ψ))^∗ such that σ := ϱυ⁴ mod Ψ is prime in 𝓩[ζ];

5. return σ.

Verification On input σ, m and pk, Verify checks whether (i) σ is prime, (ii) N(σ) < 2^ℓk, (iii) Iν(4)(σ)=H(m) and, if so, accepts the signature.

6.2 Evaluating quartic residue symbols

Quartapus requires the evaluation of the 4-th-power residue symbol. We refer to [7, 45] for efficient implementations.

A generic algorithm for computing the r-th-power residue symbol for any prime r ≤ 11 is described in [4, Section 7]. The case r = 3 is discussed in [7, 38, 46] and the case r = 5 in [38].