1.1 One-way functions
A fundamental building block for constructing secure signature schemes or public-key cryptosystems is the one-way function [14, Chapter 2]. Informally, a one-way function (OWF) is a function f that is easy to compute (in polynomial time, by definition) on every input, but hard to invert given the image of a random input.
Basically, there exist three families of OWFs: (i) one-way permutations which are bijective OWFs, (ii) trapdoor OWFs which are one-way unless some extra information is given, and (iii) collision-free or collision-resistant hash functions. Almost all known OWFs have been based on intractable problems from number theory or some related mathematical fields like coding theory.
1.2 Digital signatures
Diffie and Hellman, in their seminal work, first pointed out the notion of digital signatures. Since then, there have been many signature proposals built from trapdoor one-way permutations based on different algebraic assumptions, the most well-known being the one devised by Rivest, Shamir and Adleman from the so-called RSA assumption.
Concurrently to the above, another popular approach to constructing signature schemes is the Fiat–Shamir transform. It consists of turning a public-coin proof of knowledge into a signature scheme, and it has yielded many efficient signature schemes such as the Schnorr signature.
1.3 Cryptography modulo
Moduli of the form have found a few applications in cryptography since the mid 1980s, the most notable of which are probably the ESIGN signature scheme and its variants using (see [31, 13, 30, 17, 42]), Okamoto–Uchiyama’s cryptosystem [32, 40], Schmidt-Samoa’s cryptosystem or constructions such as [43, 37].
There are four main families of factorization algorithms for the structure: the elliptic curve method (ECM), which was improved by Peralta and Okamoto, the number field sieve (NFS), the lattice factoring method (LFM) and factoring using Jacobi symbols. Note that the special structure of is not threatened by NFS any more than regular RSA moduli are threatened by that same attack. Actually, it turns out that using moduli does not seem to render factoring significantly easier. Boneh, Durfee and Howgrave-Graham showed that can be factored in polynomial time when r is large (i.e., ). Consequently, as stated in , this LLL-based approach does not apply to the setting considered in this paper, where r is rather small. See also [28, 27].
The rest of this paper is organized as follows. In the next section, we introduce some useful notation and review the definitions of the Jacobi symbol and of a signature scheme. Section 3 proposes a new OWF, building on the concept of Jacobi imprint. We then present in Section 4 a first signature scheme relying on this new OWF and prove its security. In Section 5, we generalize our basic design to higher-order residue symbols and introduce the corresponding signature schemes. As an illustration, we implement Quartapus in Section 6, a signature scheme based on the quartic residue symbol. Finally, we conclude the paper in Section 7.
2 Notation and basic definitions
If is a finite domain, we let denote picking an element of uniformly at random and assigning it to x. A boldface variable is used to denote a vector of elements identified by that variable; i.e., . The symbol stands for the set of (rational) primes. Given a vector of pairwise co-prime integers () and a vector of integers, we use for the Chinese remainder function, returning the smallest non-negative integer y such that for (see [11, Chapter 2]).
2.1 The Jacobi symbol
Given a positive integer n, an integer a with is called a quadratic residue modulo n if and only if is solvable. If a is not a quadratic residue, then it is called a quadratic non-residue modulo n.
Let a be an integer, and let , . The Legendre symbol is defined as
The Legendre symbol satisfies Euler’s criterion, namely, .
The Jacobi symbol is a natural generalization of the Legendre symbol.
Let n be an odd positive integer with prime factorization . Then, for an integer a, the Jacobi symbol is given by
with the convention for all integers a.
Interestingly, the prime factorization of n is not required for evaluating . It can be efficiently computed with bit operations [1, § 5.9]. We point out that the Legendre and Jacobi symbols coincide when n is an odd prime. Also, we note that the Legendre symbol allows one to determine whether an integer is a quadratic residue or not, whereas the Jacobi symbol for composite n does not allow checking this property.
2.2 Digital signatures
A signature scheme is a tuple of probabilistic polynomial-time algorithms satisfying the following:
On input security parameter , key generation algorithm produces a pair of matching public and private keys.
Given a private key and a message m in a set of messages, signing algorithm produces a signature σ.
Given a public key , a message and a signature σ, the verifying algorithm checks whether σ is a valid signature on m with respect to .
The classical security notion for signature schemes is existential unforgeability against chosen-message attacks (in short, ). Basically, it requires that an adversary with access to a signing oracle, which returns signatures on messages of its choice, be unable to produce a valid signature on a message not previously submitted to the signing oracle. In the random oracle model, the adversary additionally has access to a hash oracle, viewed as a random oracle. More formally, we have the following definition.
A signature scheme Σ is secure if, for every probabilistic polynomial-time adversary , the success probability of in the security game defined in Figure 1 is negligible.
3 A candidate one-way function
If p is an odd prime, then half of the integers in the sequence are quadratic residues modulo p, and half are not. The problem of counting the occurrences of k distinct integers modulo p obeying a given pattern with , and variations thereof, has been studied in a number of papers, including [8, 9, 6, 33, 16, 36]. In particular, the results of Peralta in indicate that the probability of
matching any particular sequence is in the range .
This section considers a related problem. It relies on a new notion that we call the Jacobi imprint. In essence, the imprint is an integer formed of bits representing the sequence of Jacobi symbols , where each -1 is replaced by 1 and each 1 by 0.
Definition 3 (Jacobi imprint).
For an integer a and such that for , the Jacobi imprint is given by
(At times, we will interchangeably use to denote the integer or its binary representation.)
Let be a set of k distinct (odd) primes, and let . Consider the function given by
We argue that an appropriate selection for the domain of and the number of primes turns into a one-way function.
Of course, cannot be the whole group . Otherwise, given a challenge , an attacker could execute Algorithm 1.
This algorithm yields outputs that are smaller than . An obvious way to prevent an attacker from successfully running Algorithm 1 would be to restrict to entries smaller than a given bound B.
But there is another way to tackle the problem of finding pre-images to . Let be the set of k-bit integers in . Now if we regard an imprint in as an element of (that is, if we look at its binary representation), we see that induces a group homomorphism from to :
Therefore, an attacker could generate a set of “small” primes (with ) and compute the corresponding imprint for . It then suffices for the attacker to use linear algebra modulo 2 (i.e., Gaussian elimination) to find a subset of the ’s whose imprints xor to the target imprint:
A pre-image is given by
which is valid provided that . This second attack is avoided by limiting to primes. Furthermore, each prime in imposes a condition on the pre-image. The birthday paradox suggests choosing the number k of primes to be at least , where κ is the security parameter. All in all, we recommend selecting and .
3.2 From to
We use function as a starting point to define a (conjectured) trapdoor one-way function. The resulting function has the extra property that it can be inverted when it is given a trapdoor as an additional input. To insert a trapdoor, we replace the primes with RSA-like moduli of the form . This does not affect the output value, since for all x such that for . The trapdoor is .
Let κ denote a security parameter. Let also and . Define and
where is a set of k pairwise co-prime moduli of the form for -bit primes and , . For every polynomial-time algorithm , the success probability
Note that finding a pre-image to is easy given the trapdoor :
run Algorithm 1, and obtain x such that ;
update x as with until x is prime;
Clearly, the so-obtained x is a valid pre-image: and .
By definition, the Jacobi imprint requires x to be co-prime with for . Strictly speaking, the domain should therefore exclude the primes and . However, since the primes and are -bit primes, where , the probability of outputting an x such that for some is negligible when the prime factorization of the ’s is unknown.
4 Signatures modulo
We are now ready to formally describe a first signature scheme. We prove that it meets the security level in the random oracle model.
Our basic signature scheme is a tuple of algorithms , which we define as follows:
Key generation The key generation algorithm takes as input a security parameter and defines parameters k and . It selects a collision-resistant hash function . It also produces k pairs of -bit primes and forms the moduli . The public parameters are . The public key is , while the private key is . The outputs are and (and ).
Signing The signing algorithm takes as inputs a message and the secret key . Signing message m proceeds as follows:
compute with ;
pick at random k -bit integers such that for ;
compute with and ;
set and choose at random an integer such that ;
Verification The verifying algorithm takes as inputs the public key , a message m and a signature σ on message m. It checks whether (i) , (ii) , (iii) , where . It returns 1 (i.e., the signature is accepted) if and only if the three conditions above are fulfilled; otherwise, it returns 0.
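To make the three algorithms concrete, here is a toy reconstruction in Python. It is an added example, not the paper's or any implementation's code, and since the page omits the formulas it assumes: moduli N_i = p_i^2 q_i with the q_i as trapdoor (so that (x/N_i) = (x/q_i) for x co-prime with p_i), H(m) taken as the low k bits of SHA-256(m), bit i of the imprint tied to N_i, and a public bound B = 2^(k·ELL+33) for condition (ii); the primes are tiny, so the run is illustrative only.

```python
"""Toy reconstruction of the Section 4 scheme (added example, not the paper's
code).  Assumed, as the page omits the formulas: N_i = p_i^2 q_i (trapdoor: the
q_i), H(m) = low k bits of SHA-256(m), imprint bit i <-> N_i, B = 2^(k*ELL+33)."""
import hashlib
import random
from math import gcd, prod

ELL = 10  # bit length of the toy primes p_i, q_i (far too small for security)

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:  # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a  # quadratic reciprocity for odd co-prime a and n
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0
def imprint(x, moduli):
    """Jacobi imprint of x (Definition 3): bit i is set iff (x/N_i) = -1."""
    return sum(1 << i for i, n in enumerate(moduli) if jacobi(x, n) == -1)
def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases (verification condition (i))."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    s = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 = 2^s * d with d odd
    d = (n - 1) >> s
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True
def hash_bits(m, k):  # H: messages -> k-bit integers (assumed instantiation)
    return int.from_bytes(hashlib.sha256(m).digest(), "big") & ((1 << k) - 1)
def crt(residues, moduli):
    """Smallest y >= 0 with y = r_i (mod m_i) for pairwise co-prime m_i."""
    M = prod(moduli)
    return sum(r * (M // m) * pow(M // m, -1, m) for r, m in zip(residues, moduli)) % M

def keygen(k, rng=random):  # N_i = p_i^2 q_i; (x/N_i) = (x/q_i) when gcd(x, p_i) = 1
    primes = [p for p in range(1 << (ELL - 1), 1 << ELL) if is_probable_prime(p)]
    ps = rng.sample(primes, 2 * k)
    return [p * p * q for p, q in zip(ps[:k], ps[k:])], ps[k:]
def sign(m, q, rng=random):
    """Trapdoor inversion: set residues mod q_i by CRT, add multiples of Q until prime."""
    h, residues = hash_bits(m, len(q)), []
    for i, qi in enumerate(q):
        r = rng.randrange(1, qi)
        while jacobi(r, qi) != (-1 if (h >> i) & 1 else 1):  # match bit i of H(m)
            r = rng.randrange(1, qi)
        residues.append(r)
    x, Q = crt(residues, q), prod(q)
    while True:
        sigma = x + rng.randrange(1 << 32) * Q  # random t; keeps sigma below B
        if is_probable_prime(sigma):
            return sigma
def verify(m, sigma, N):
    """(i) sigma prime, (ii) sigma < B, (iii) imprint of sigma equals H(m)."""
    return (is_probable_prime(sigma) and sigma < 1 << (len(N) * ELL + 33)
            and gcd(sigma, prod(N)) == 1 and imprint(sigma, N) == hash_bits(m, len(N)))
```

The gcd test in verify only keeps the imprint well defined (no symbol equal to 0); with real-size primes that case has negligible probability, as the text notes.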
The next proposition shows that the signature scheme is correct: for and any message , we have .
Proposition 1 (Correctness).
Signature scheme Σ is correct.
Let and σ be the respective outputs of and , with message m as input. By construction, σ is prime and . Moreover, since (), it follows that
Finally, since , we have , and so . ∎
4.2 Security proof
Signature scheme Σ is secure assuming the hardness of inverting , in the random oracle model.
The security proof is by contradiction. Suppose we are given as a challenge an output of the function . We assume that there exists a polynomial-time adversary that is able to produce an existential signature forgery with non-negligible success probability. Adversary is allowed to make queries to random oracle H and queries to signing oracle . We then use ’s forgery to invert , i.e., to find a pre-image to .
Specifically, suppose that the received challenge is the k-bit integer
for moduli of the form where ’s and ’s are -bit primes, . The simulator sets the public key to . It also selects a collision-resistant hash function H mapping to . The public key as well as public parameters are given to .
The simulator needs to answer the oracle queries made by . It maintains a history list of tuples , , that keeps track of the hash queries; is initialized to . It also maintains a counter i initialized to 0 and chooses at random an index .
Answering hash queries When submits a message m to H, the simulator checks whether m was already queried.
If , then i is incremented: . Next, the simulator sets , and depending on the value of i,
if , it sets and ,
if , it generates a random -bit prime and sets .
Tuple is appended to : .
If , the simulator finds the index i such that and recovers the corresponding value .
The simulator returns as the hash value of input message m.
Answering signature queries Without loss of generality, we assume that, when calls signing oracle with a message m, it has already submitted m to hash oracle H (observe that the simulator can always call H internally). Therefore, there exists an index i such that in . The simulator recovers the corresponding value for . There are two cases.
If , then the simulator returns as a valid signature on input message m.
Otherwise, the simulator fails and stops.
Since the number of queries to the hash oracle is polynomial, with non-negligible probability the adversary returns a signature forgery on its -th query to H, i.e., on message . Letting be the corresponding signature returned by , we see that is a solution to the challenge since . ∎
5 Generalized signatures
The Legendre symbol tells whether an integer is a square modulo a prime p. Given an integer a and an odd prime p, if , there exists a unique integer j modulo 2 such that . To obtain the analogue to a higher power r, the rational integers need to be extended so that they include an r-th root of unity, namely, .
5.1 Cyclotomic integers and higher-order residuosity
Fix a primitive r-th root of unity; i.e., ζ is a root of and for . Adjoining ζ to the field of rationals defines the cyclotomic field . It is the splitting field of ; its Galois group is isomorphic to , with corresponding to the map ; see [18, Proposition 13.2.1] or [44, Theorem 2.5]. The ring of integers of is , where is the r-th cyclotomic polynomial; see [44, Theorem 2.6].
The elements α of are written as
where φ denotes Euler’s totient function. The norm of is the rational integer . We assume that is norm-Euclidean.
The elements of norm in are called units. Two elements that are equal up to multiplication by a unit (i.e., ) are said to be associates; we write . A non-unit element is a prime in if, for any , implies or . If r is a prime power (i.e., for some rational prime q and ), then is a prime in and ; otherwise, is a unit in .
Let π be a prime in , with . For every such that , we have (). Further, since is a subgroup of order r of , it follows that and
This defines the r-th-power residue symbol.
Fix ζ a primitive r-th root of unity. Let with π prime and . The r-th-power residue symbol is defined by
Let with π prime and . It is easily verified from the definition that the following properties are satisfied:
Furthermore, in a way similar to the Jacobi symbol for quadratic residuosity, the r-th-power residue symbol naturally generalizes.
Fix ζ a primitive r-th root of unity. Let with λ non-unit and . Then, writing for primes in , if α and λ are co-prime, the symbol is defined by
Moreover, for every unit .
The notion of Jacobi imprint generalizes to higher powers. To ease the notation, we extend the brace symbol as follows:
where if and only if . Note that Definition 3 corresponds to the case .
Definition 6 (r-th-order imprint).
For an integer and a vector such that α and (with ) are co-prime, the r-th-order imprint of α w.r.t. is the integer given by
5.2 Parameter selection
As discussed in the introduction, the main threat to factoring-related cryptosystems comes from NFS and its variants. Table 1 lists different security levels and the commonly accepted corresponding modulus size. See, e.g., [23, 47].
The current state of affairs indicates that moduli could be selected of the form with chosen so as to balance resistance against NFS-type and ECM-type factoring algorithms. Given a modulus whose length is chosen according to Table 1, a bound on the number of factors that may be allowed is derived in [21, Section 4]. This suggests selecting r in the range , depending on the security level.
Each possible value for r gives rise to a signature scheme. Of particular interest are the following new species in the signature zoo:
The signature scheme given in Section 4 extends to any value of (provided that is norm-Euclidean). As an illustration, we detail the Quartapus signature scheme, which is an adaptation to the case .
Throughout this section, we let denote a primitive 4-th root of unity. The Galois group of contains the two automorphisms with . For an element , we write . The norm of α is given by .
The Octapus signature scheme is defined as follows:
Key generation takes as input a security parameter and defines parameters k and . It selects a collision-resistant hash function . It also produces k pairs of primes in , where and are -bit long, and forms the moduli . The outputs are , and .
Signing On input a message and , does the following:
compute with ;
pick at random k integers of -bit norm such that for ;
compute with and ;
set , and choose at random an integer such that is prime in ;
Verification On input σ, m and , checks whether (i) σ is prime, (ii) , (iii) and, if so, accepts the signature.
The primes and must be chosen of norm of bits for an sized for the factoring problem over the rational integers. Indeed, suppose an attacker is given as a challenge , a product of two primes in . The goal of the attacker is to recover π and ψ.
The norm of ν satisfies for two -bit rational primes . If were chosen too small, so that factoring the product of two rational -bit primes becomes feasible, the attacker could factor and recover p and q. Once p and q are found, the attacker’s remaining task is to find with and . This can be efficiently achieved by generalizing Cornacchia’s algorithm [5, Algorithm 1.5.2] to fourth roots, as done in [7, § 1.2] for cubic roots. The first step is to solve for r over the equation . Next, consider the integer , whose norm is a multiple of p. Hence, the computation of yields – remember that is norm-Euclidean, and , where , and similarly for q.
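As an added example (not from the paper) of the two computations this paragraph and Section 6.2 rely on: recovering a Gaussian prime π with N(π) = p from a rational prime p ≡ 1 (mod 4) through gcd(p, r + i) in the norm-Euclidean ring Z[i], and evaluating the quartic residue symbol (α/π)_4 as the unit congruent to α^((N(π)-1)/4) modulo π. Gaussian integers are represented as (re, im) tuples; the function names are my own.

```python
"""Added example (not the paper's code): recover a Gaussian prime pi with
N(pi) = p from a rational prime p = 1 (mod 4), as the text sketches, and
evaluate the quartic residue symbol (alpha/pi)_4 by the Euler-type formula.
Gaussian integers are (re, im) tuples of ints; Z[i] is norm-Euclidean."""

def norm(a):
    return a[0] * a[0] + a[1] * a[1]

def gmul(a, b):
    return (a[0] * b[0] - a[1] * b[1], a[0] * b[1] + a[1] * b[0])

def gdivmod(a, b):
    """Euclidean division in Z[i]: a = q*b + r with N(r) <= N(b)/2 < N(b)."""
    nb = norm(b)
    t = gmul(a, (b[0], -b[1]))  # a * conj(b); q = t / N(b) rounded componentwise
    q = ((2 * t[0] + nb) // (2 * nb), (2 * t[1] + nb) // (2 * nb))
    qb = gmul(q, b)
    return q, (a[0] - qb[0], a[1] - qb[1])

def ggcd(a, b):
    """gcd in Z[i], defined up to a unit (1, i, -1, -i)."""
    while b != (0, 0):
        a, b = b, gdivmod(a, b)[1]
    return a

def sqrt_minus_one(p):
    """r with r^2 = -1 (mod p): a^((p-1)/4) for a quadratic non-residue a."""
    a = 2
    while pow(a, (p - 1) // 2, p) != p - 1:
        a += 1
    return pow(a, (p - 1) // 4, p)

def gaussian_prime_above(p):
    """Cornacchia-style step: pi = gcd(p, r + i) has norm p, so p = N(pi)."""
    assert p % 4 == 1, "p must split in Z[i]"
    return ggcd((p, 0), (sqrt_minus_one(p), 1))

def quartic_symbol(alpha, pi):
    """(alpha/pi)_4: the unit in {1, i, -1, -i} congruent to alpha^((N(pi)-1)/4)
    mod pi, computed via Z[i]/(pi) ~ F_p, where i maps to s = -a/b (mod p)."""
    p, (a, b) = norm(pi), pi
    s = (-a * pow(b, -1, p)) % p
    v = pow((alpha[0] + alpha[1] * s) % p, (p - 1) // 4, p)
    units = {1: (1, 0), s: (0, 1), p - 1: (-1, 0), (p - s) % p: (0, -1)}
    if v not in units:
        raise ValueError("alpha is not co-prime with pi")
    return units[v]
```

The symbol depends only on the ideal (π), so whichever associate ggcd returns gives the same value.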
6.2 Evaluating quartic residue symbols
7 Concluding remarks
In this paper, we have introduced a formal definition and construction of a new family of one-way functions and signature schemes. They are related to the hardness of factoring moduli of the form . Since our constructions rely on newly introduced assumptions, further cryptanalytic effort is needed to gain confidence in their exact security.
We are grateful to Dan Bernstein, Dan Boneh and Antoine Joux for comments and discussions on the ECM factoring method.
E. Bach and J. Shallit, Algorithmic Number Theory. Vol. 1: Efficient Algorithms, MIT Press, Cambridge, 1996.
M. Bellare and P. Rogaway, Random oracles are practical: A paradigm for designing efficient protocols, ACM Conference on Computer and Communications Security, ACM Press, New York (1993), 62–73.
D. Boneh, G. Durfee and N. Howgrave-Graham, Factoring for large r, Advances in Cryptology—CRYPTO ’99, Lecture Notes in Comput. Sci. 1666, Springer, Berlin (1999), 326–337.
H. Cohen, A Course in Computational Algebraic Number Theory, Grad. Texts in Math. 138, Springer, Berlin, 1993.
I. B. Damgård, On the randomness of Legendre and Jacobi sequences, Advances in Cryptology—CRYPTO’88, Lecture Notes in Comput. Sci. 403, Springer, Berlin (1990), 163–172.
H. Davenport, On the distribution of quadratic residues (mod p), J. Lond. Math. Soc. 6 (1931), no. 1, 49–54.
H. Davenport, On the distribution of quadratic residues (mod p). II, J. Lond. Math. Soc. 8 (1933), no. 1, 46–52.
W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Trans. Inform. Theory IT-22 (1976), no. 6, 644–654.
C. Ding, D. Pei and A. Salomaa, Chinese Remainder Theorem. Applications in Computing, Coding, Cryptography, World Scientific, River Edge, 1996.
A. Fiat and A. Shamir, How to prove yourself: Practical solutions to identification and signature problems, Advances in Cryptology—CRYPTO’86, Lecture Notes in Comput. Sci. 263, Springer, Berlin (1987), 186–194.
A. Fujioka, T. Okamoto and S. Miyaguchi, ESIGN: An efficient digital signature implementation for smart cards, Advances in Cryptology—EUROCRYPT’91, Lecture Notes in Comput. Sci. 547, Springer, Berlin (1991), 446–457.
O. Goldreich, Foundations of Cryptography. Basic Tools, Cambridge University, Cambridge, 2001.
S. Goldwasser, S. Micali and R. L. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. Special issue on cryptography, SIAM J. Comput. 17 (1988), no. 2, 281–308.
L. Granboulan, How to repair ESIGN, Security in Communication Networks—SCN 2002, Lecture Notes in Comput. Sci. 2576, Springer, Berlin (2003), 234–240.
K. Ireland and M. Rosen, A Classical Introduction to Modern Number Theory, 2nd ed., Grad. Texts in Math. 84, Springer, New York, 1990.
J. Katz, Digital Signatures, Springer, New York, 2010.
F. Lemmermeyer, The Euclidean algorithm in algebraic number fields, Exp. Math. 13 (1995), no. 5, 385–416.
A. K. Lenstra, Unbelievable security (Matching AES security using public key systems), Advances in Cryptology—ASIACRYPT 2001, Lecture Notes in Comput. Sci. 2248, Springer, Berlin (2001), 67–86.
H. W. Lenstra, Jr., Euclid’s algorithm in cyclotomic fields, J. Lond. Math. Soc. (2) 10 (1975), no. 4, 457–465.
H. W. Lenstra, Jr., The number field sieve: An annotated bibliography, The Development of the Number Field Sieve, Lecture Notes in Math. 1554, Springer, Berlin (1993), 1–3.
N. Manohar and B. Fisch, Factoring , Final project report CS359C, Stanford University, 2017.
A. May, Secret exponent attacks on RSA-type schemes with moduli , Public Key Cryptography—PKC 2004, Lecture Notes in Comput. Sci. 2947, Springer, Berlin (2004), 218–230.
A. Menezes, M. Qu, D. Stinson and Y. Wang, Evaluation of security level of cryptography: ESIGN signature scheme, External Evaluation Report ex-1053-2000, CRYPTREC, 2001.
T. Okamoto and A. Shibaishi, A fast signature scheme based on quadratic inequalities, 1985 IEEE Symposium on Security and Privacy, IEEE Press, Piscataway (1985), 123–133.
T. Okamoto and S. Uchiyama, A new public-key cryptosystem as secure as factoring, Advances in Cryptology—EUROCRYPT’98, Lecture Notes in Comput. Sci. 1403, Springer, Berlin (1998), 308–318.
R. Peralta and E. Okamoto, Faster factoring of integers of a special form, IEICE Trans. Fundam. Electron. Comm. Comp. Sci. E79 (1996), no. A4, 489–493.
H. Sato, T. Takagi, S. Tezuka and K. Takaragi, Generalized powering functions and their application to digital signatures, Advances in Cryptology—ASIACRYPT 2003, Lecture Notes in Comput. Sci. 2894, Springer, Berlin (2003), 434–451.
K. Schmidt-Samoa and T. Takagi, Paillier’s cryptosystem modulo and its applications to trapdoor commitment schemes, Progress in Cryptology—Mycrypt 2005, Lecture Notes in Comput. Sci. 3715, Springer, Berlin (2005), 296–313.
C. P. Schnorr, Efficient signature generation by smart cards, J. Cryptology 4 (1991), no. 3, 161–174.
J. Stern, D. Pointcheval, J. Malone-Lee and N. P. Smart, Flaws in applying proof methodologies to signature schemes, Advances in Cryptology—CRYPTO 2002, Lecture Notes in Comput. Sci. 2442, Springer, Berlin (2002), 93–110.
T. Takagi, Fast RSA-type cryptosystem modulo , Advances in Cryptology—CRYPTO’98, Lecture Notes in Comput. Sci. 1462, Springer, Berlin (1998), 318–326.
L. C. Washington, Introduction to Cyclotomic Fields, 2nd ed., Grad. Texts Math. 83, Springer, New York, 1997.
H. C. Williams, An public-key encryption scheme, Advances in Cryptology—CRYPTO’85, Lecture Notes in Comput. Sci. 218, Springer, Berlin (1986), 358–368.