# Journal of Mathematical Cryptology

Managing Editor: Magliveras, Spyros S. / Steinwandt, Rainer / Trung, Tran

Editorial Board: Blackburn, Simon R. / Blundo, Carlo / Burmester, Mike / Cramer, Ronald / Gilman, Robert / Gonzalez Vasco, Maria Isabel / Grosek, Otokar / Helleseth, Tor / Kim, Kwangjo / Koblitz, Neal / Kurosawa, Kaoru / Lauter, Kristin / Lange, Tanja / Menezes, Alfred / Nguyen, Phong Q. / Pieprzyk, Josef / Rötteler, Martin / Safavi-Naini, Rei / Shparlinski, Igor E. / Stinson, Doug / Takagi, Tsuyoshi / Williams, Hugh C. / Yung, Moti

Open Access. Online ISSN: 1862-2984

# New number-theoretic cryptographic primitives

Éric Brier, Marc Joye and David Naccache
Published Online: 2019-11-09 | DOI: https://doi.org/10.1515/jmc-2019-0035

## Abstract

This paper introduces new $p^r q$-based one-way functions and companion signature schemes. The new signature schemes are interesting because they follow neither of the two common design blueprints, namely the inversion of a trapdoor permutation and the Fiat–Shamir transform. In the basic signature scheme, the signer generates multiple RSA-like moduli $n_i = p_i^2 q_i$ and keeps their factors secret. The signature is a bounded-size prime whose Jacobi symbols with respect to the $n_i$'s match the message digest. The generalized signature schemes replace the Jacobi symbol with higher-power residue symbols. Given their unusual design, the proposed signature schemes seem to be overlooked "missing species" in the corpus of known signature algorithms.

MSC 2010: 94A60; 11T71; 11A15; 11R18

## 1.1 One-way functions

A fundamental building block for constructing secure signature schemes or public-key cryptosystems is the one-way function [14, Chapter 2]. Informally, a one-way function (OWF) is a function f that is easy to compute (in polynomial time, by definition) on every input, but hard to invert on the image of a random input.

Basically, there exist three families of OWFs: (i) one-way permutations which are bijective OWFs, (ii) trapdoor OWFs which are one-way unless some extra information is given, and (iii) collision-free or collision-resistant hash functions. Almost all known OWFs have been based on intractable problems from number theory or some related mathematical fields like coding theory.

## 1.2 Digital signatures

Diffie and Hellman, in their seminal work [10], first introduced the notion of digital signatures. Since then, there have been many signature proposals built from trapdoor one-way permutations based on different algebraic assumptions, the best-known being the one devised by Rivest, Shamir and Adleman from the so-called RSA assumption [35].

Concurrently, another popular approach to constructing signature schemes is the Fiat–Shamir transform [12]. It consists in turning a public-coin proof of knowledge into a signature scheme, and has yielded many efficient signature schemes such as the Schnorr signature [41].

## 1.3 Cryptography modulo ${p}^{r}q$

Moduli of the form ${p}^{r}q$ have found a few applications in cryptography since the mid 1980s, the most notable of which are probably the ESIGN signature scheme and its variants using ${p}^{2}q$ (see [31, 13, 30, 17, 42]), Okamoto–Uchiyama’s cryptosystem [32, 40], Schmidt-Samoa’s cryptosystem [39] or constructions such as [43, 37].

There are four main families of factorization algorithms relevant to the structure $p^r q$: the elliptic curve method (ECM) [25], as improved by Peralta and Okamoto [34]; the number field sieve (NFS) [26]; the lattice factoring method (LFM) [3]; and factoring using Jacobi symbols. Note that $p^r q$ moduli are no more threatened by NFS than regular RSA moduli of the same size, since the running time of NFS depends only on the size of the number being factored. Using $p^2 q$ moduli therefore does not seem to render factoring significantly easier. Boneh, Durfee and Howgrave-Graham [3] showed that $n = p^r q$ can be factored in polynomial time when r is large (i.e., $r \simeq \log p$). Consequently, as stated in [29], this LLL-based approach [22] does not apply to the setting considered in this paper, where r is rather small. See also [28, 27].

## Organization

The rest of this paper is organized as follows. In the next section, we introduce some useful notation and review the definitions of the Jacobi symbol and of a signature scheme. Section 3 proposes a new OWF, building on the concept of Jacobi imprint. We then present in Section 4 a first signature scheme relying on this new OWF and prove its security. In Section 5, we generalize our basic design to higher-order residue symbols and introduce the corresponding signature schemes. As an illustration, we implement Quartapus in Section 6, a signature scheme based on the quartic residue symbol. Finally, we conclude the paper in Section 7.

## 2 Notation and basic definitions

If $\mathcal{D}$ is a finite domain, we let $x \leftarrow \mathcal{D}$ denote picking an element of $\mathcal{D}$ uniformly at random and assigning it to x. A boldface variable $\mathbf{x}$ is used to denote a vector of elements identified by that variable; i.e., $\mathbf{x} = (x_0, \dots, x_{k-1})$. The symbol $\mathbb{P}$ stands for the set of (rational) primes. Given a vector $\mathbf{n} = (n_0, \dots, n_{k-1})$ of pairwise co-prime integers $n_j$ ($0 \le j \le k-1$) and a vector $\mathbf{x} = (x_0, \dots, x_{k-1})$ of integers, we use $\mathsf{CRT}(\mathbf{x}, \mathbf{n})$ for the Chinese remainder function, returning the smallest non-negative integer y such that $y \equiv x_j \pmod{n_j}$ for $0 \le j \le k-1$ (see [11, Chapter 2]).

## 2.1 The Jacobi symbol

Given a positive integer n, an integer a with $\gcd(a, n) = 1$ is called a quadratic residue modulo n if and only if the congruence $x^2 \equiv a \pmod n$ is solvable. Otherwise, a is called a quadratic non-residue modulo n.

Let a be an integer, and let $p \in \mathbb{P}$, $p \ne 2$. The Legendre symbol $\left(\frac{a}{p}\right)$ is defined as

$\left(\frac{a}{p}\right) = \begin{cases} 1 & \text{if } a \text{ is a quadratic residue modulo } p, \\ -1 & \text{if } a \text{ is a quadratic non-residue modulo } p, \\ 0 & \text{if } \gcd(a, p) \ne 1. \end{cases}$

The Legendre symbol satisfies Euler's criterion, namely, $\left(\frac{a}{p}\right) \equiv a^{\frac{p-1}{2}} \pmod p$.

The Jacobi symbol is a natural generalization of the Legendre symbol.

#### Definition 1.

Let n be an odd positive integer with prime factorization $n={\prod }_{j}p_{j}{}^{{e}_{j}}$. Then, for an integer a, the Jacobi symbol $\left(\frac{a}{n}\right)$ is given by

$\left(\frac{a}{n}\right)=\prod _{j}{\left(\frac{a}{{p}_{j}}\right)}^{{e}_{j}}$

with the convention $\left(\frac{a}{1}\right)=1$ for all integers a.

Interestingly, the prime factorization of n is not required for evaluating $\left(\frac{a}{n}\right)$: using quadratic reciprocity, it can be computed with $O((\log_2 a)(\log_2 n))$ bit operations [1, § 5.9]. The Legendre and Jacobi symbols coincide when n is an odd prime. Also, whereas the Legendre symbol determines whether an integer is a quadratic residue modulo p, the Jacobi symbol does not: $\left(\frac{a}{n}\right) = 1$ only says that a is a non-residue modulo an even number of the prime factors of n (counted with multiplicity), so a may still be a non-residue modulo n (for instance, $\left(\frac{2}{15}\right) = \left(\frac{2}{3}\right)\left(\frac{2}{5}\right) = 1$ although 2 is not a square modulo 15). A value of $-1$, on the other hand, does certify that a is a quadratic non-residue modulo n.

## 2.2 Digital signatures

A signature scheme [19] is a tuple $\mathrm{\Sigma }=\left(\mathrm{𝖪𝖾𝗒𝖦𝖾𝗇},\mathrm{𝖲𝗂𝗀𝗇},\mathrm{𝖵𝖾𝗋𝗂𝖿𝗒}\right)$ of probabilistic polynomial-time algorithms satisfying the following:

• $\mathrm{𝖪𝖾𝗒𝖦𝖾𝗇}\left({1}^{\kappa }\right)$ On input security parameter ${1}^{\kappa }$, key generation algorithm $\mathrm{𝖪𝖾𝗒𝖦𝖾𝗇}$ produces a pair $\left(\mathrm{𝗉𝗄},\mathrm{𝗌𝗄}\right)$ of matching public and private keys.

• $\mathrm{𝖲𝗂𝗀𝗇}\left(\mathrm{𝗌𝗄},m\right)$ Given a private key $\mathrm{𝗌𝗄}$ and a message m in a set $\mathcal{ℳ}$ of messages, signing algorithm $\mathrm{𝖲𝗂𝗀𝗇}$ produces a signature σ.

• $\mathrm{𝖵𝖾𝗋𝗂𝖿𝗒}\left(\mathrm{𝗉𝗄},m,\sigma \right)$ Given a public key $\mathrm{𝗉𝗄}$, a message $m\in \mathcal{ℳ}$ and a signature σ, the verifying algorithm $\mathrm{𝖵𝖾𝗋𝗂𝖿𝗒}$ checks whether σ is a valid signature on m with respect to $\mathrm{𝗉𝗄}$.

The classical security notion for signature schemes is existential unforgeability against chosen-message attacks (in short, $\mathrm{𝖤𝖴𝖥}\text{-}\mathrm{𝖢𝖬𝖠}$) [15]. Basically, it requires that an adversary having access to a signing oracle returning the signature on messages of its choice is unable to produce a valid signature on a message not previously submitted to the signing oracle. In the random oracle model [2], the adversary has in addition access to a hash oracle viewed as a random oracle. More formally, we have the following definition.

#### Definition 2.

A signature scheme Σ is $\mathrm{𝖤𝖴𝖥}\text{-}\mathrm{𝖢𝖬𝖠}$ secure if, for every probabilistic polynomial-time adversary $\mathcal{𝒜}$, the success probability ${\mathrm{𝖠𝖽𝗏}}_{\mathcal{𝒜},\mathrm{\Sigma }}^{\mathrm{𝖤𝖴𝖥}}\left(\kappa \right):=\mathrm{Pr}\left[{\mathrm{𝖤𝖴𝖥}}_{\mathrm{\Sigma }}^{\mathcal{𝒜}}\left(\kappa \right)=1\right]$ is negligible, where ${\mathrm{𝖤𝖴𝖥}}_{\mathrm{\Sigma }}^{\mathcal{𝒜}}\left(\kappa \right)$ is the security game defined in Figure 1.

Figure 1

$\mathrm{𝖤𝖴𝖥}\text{-}\mathrm{𝖢𝖬𝖠}$ experiment for digital signature schemes.

## 3 A candidate one-way function

If p is an odd prime, then half of the integers in the sequence $1, 2, \dots, p-1$ are quadratic residues modulo p, and half are not. The problem of counting the k-tuples of distinct integers $(a_0, a_1, \dots, a_{k-1})$ modulo p obeying a given pattern $(\epsilon_0, \epsilon_1, \dots, \epsilon_{k-1})$ with $\epsilon_j = \left(\frac{a_j}{p}\right) \in \{-1, 1\}$, and variations thereof, has been studied in a number of papers, including [8, 9, 6, 33, 16, 36]. In particular, the results of Peralta in [33] indicate that the probability of

$\left(\left(\frac{{a}_{0}}{p}\right),\left(\frac{{a}_{1}}{p}\right),\mathrm{\dots },\left(\frac{{a}_{k-1}}{p}\right)\right)$

matching any particular sequence $\left({ϵ}_{0},{ϵ}_{1},\mathrm{\dots },{ϵ}_{k-1}\right)\in {\left\{-1,1\right\}}^{k}$ is in the range $\frac{1}{{2}^{k}}±O\left(k{p}^{-1/2}\right)$.

This section considers a related problem. It relies on a new notion that we call Jacobi imprint. In essence, the imprint is an integer formed of bits representing the sequence of Jacobi symbols where -1’s are replaced by 1’s and 1’s by 0’s.

#### Definition 3 (Jacobi imprint).

For an integer a and $𝒏=\left({n}_{0},\mathrm{\dots },{n}_{k-1}\right)\in {ℕ}^{k}$ such that $\mathrm{gcd}\left(a,{n}_{j}\right)=1$ for $0\le j\le k-1$, the Jacobi imprint ${\Im }_{𝒏}\left(a\right)$ is given by

${\Im }_{𝒏}\left(a\right)=\sum _{j=0}^{k-1}\left\{\frac{a}{{n}_{j}}\right\}{2}^{j},\text{where}\left\{\frac{a}{{n}_{j}}\right\}=\frac{1-\left(\frac{a}{{n}_{j}}\right)}{2}.$

(At times, we will interchangeably use ${\Im }_{𝒏}\left(a\right)$ to denote the integer ${\Im }_{𝒏}\left(a\right)$ or its binary representation.)

## 3.1 Function ${\mathcal{ℱ}}_{0}$

Let $𝒒=\left({q}_{0},\mathrm{\dots },{q}_{k-1}\right)$ be a set of k distinct (odd) primes, and let $Q={\prod }_{j=0}^{k-1}{q}_{j}$. Consider the function ${\mathcal{ℱ}}_{0}$ given by

${\mathcal{ℱ}}_{0}:𝔇\subset {ℤ}_{Q}^{*}\to ℕ,x↦{\mathcal{ℱ}}_{0}\left(x\right)={\Im }_{𝒒}\left(x\right).$

We argue that an appropriate selection for the domain of ${\mathcal{ℱ}}_{0}$ and the number of primes ${q}_{j}$ turns ${\mathcal{ℱ}}_{0}$ into a one-way function.

Of course, $𝔇$ cannot be the whole group ${ℤ}_{Q}^{*}$. Otherwise, given a challenge $\stackrel{^}{y}={\mathcal{ℱ}}_{0}\left(\stackrel{^}{x}\right)$, an attacker could execute Algorithm 1.

#### Algorithm 1 (Finding a (large) pre-image.).

This algorithm yields outputs that are smaller than $Q = \prod_{j=0}^{k-1} q_j$. An obvious way to prevent an attacker from successfully running Algorithm 1 would be to restrict $\mathfrak{D}$ to entries smaller than a given bound B.

But there is another way to tackle the problem of finding pre-images to ${\mathcal{ℱ}}_{0}$. Let $\mathcal{𝒵}$ be the set of k-bit integers in $ℕ$. Now if we regard an imprint in $\mathcal{𝒵}$ as an element of ${\left({ℤ}_{2}\right)}^{k}$ (that is, if we look at its binary representation), we see that ${\mathcal{ℱ}}_{0}$ induces a group homomorphism from $\left({ℤ}_{Q}^{*},\cdot \right)$ to $\left(\mathcal{𝒵},\oplus \right)$:

${\mathcal{ℱ}}_{0}\left({x}_{1}\cdot {x}_{2}modQ\right)={\mathcal{ℱ}}_{0}\left({x}_{1}\right)\oplus {\mathcal{ℱ}}_{0}\left({x}_{2}\right)\mathit{ }\text{for all}{x}_{1},{x}_{2}\in {ℤ}_{Q}^{*}.$

Therefore, an attacker could generate a set of $\ell$ "small" primes $p_i$ (with $p_i \nmid Q$) and compute the corresponding imprint $z_i = \mathcal{F}_0(p_i)$ for $1 \le i \le \ell$. It then suffices for the attacker to use linear algebra modulo 2 (i.e., Gaussian elimination) to find a subset of the $z_i$'s whose xor is the target imprint $\hat{y}$:

$\stackrel{^}{y}={\epsilon }_{1}{z}_{1}\oplus \mathrm{\cdots }\oplus {\epsilon }_{\mathrm{\ell }}{z}_{\mathrm{\ell }}\mathit{ }\text{with}{\epsilon }_{i}\in \left\{0,1\right\}.$

A pre-image is given by

$x=\prod _{\begin{array}{c}1\le i\le \mathrm{\ell }\\ {\epsilon }_{i}=1\end{array}}{p}_{i},$

which is valid provided that $x < Q$ (otherwise only $x \bmod Q$ is known to have the right imprint). This second attack is avoided by limiting $\mathfrak{D}$ to primes. Furthermore, each prime $q_j$ in $\mathbf{q}$ imposes one bit of condition on the pre-image. The birthday paradox suggests choosing the number k of primes $q_j$ to be at least $2\kappa$, where κ is the security parameter. All in all, we recommend selecting $k = 2\kappa$ and $\mathfrak{D} = \{x \in \mathbb{P} \mid x < 2^{k\ell}\}$, where $\ell$ is the bit length of the primes $q_j$ (see Assumption 1 below).
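The two attacks above, as an added Python example that is not part of the paper: an attacker who knows the public primes $q_j$ of $\mathcal{F}_0$ evaluates the braces $\{a/q_j\}$ with Euler's criterion, writes the target imprint as an xor of imprints of small primes by Gaussian elimination over GF(2), and multiplies those primes to obtain a composite pre-image; once the domain is restricted to primes, the same attacker is left with a brute-force scan over primes costing about $2^k$ trials. The eight public primes, the list of small primes, the target imprint and the toy size $k = 8$ are all constructed here for illustration.

```python
from math import prod

def primes_below(bound):
    """Sieve of Eratosthenes: every prime p < bound, in increasing order."""
    sieve = bytearray([1]) * bound
    sieve[0] = sieve[1] = 0
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, bound, i)))
    return [i for i, flag in enumerate(sieve) if flag]

def brace(a, q):
    """{a/q} = (1 - (a/q))/2 for an odd prime q and gcd(a, q) = 1, by Euler's criterion."""
    e = pow(a, (q - 1) // 2, q)
    assert e in (1, q - 1), "a must be co-prime to q"
    return 0 if e == 1 else 1

def imprint(x, qs):
    """Jacobi imprint of x w.r.t. the public primes qs (Definition 3), as a k-bit integer."""
    return sum(brace(x, q) << j for j, q in enumerate(qs))

def xor_subset(rows, target):
    """Gaussian elimination over GF(2) on k-bit integers: indices of a subset of rows
    whose xor equals target, or None if target lies outside their span."""
    basis = {}                      # pivot bit -> (reduced row, mask of the original rows in it)
    for i, v in enumerate(rows):
        mask = 1 << i
        while v:
            top = v.bit_length() - 1
            if top not in basis:
                basis[top] = (v, mask)
                break
            bv, bm = basis[top]
            v, mask = v ^ bv, mask ^ bm
    v, mask = target, 0
    while v:
        top = v.bit_length() - 1
        if top not in basis:
            return None
        bv, bm = basis[top]
        v, mask = v ^ bv, mask ^ bm
    return [i for i in range(len(rows)) if mask >> i & 1]

def composite_preimage(qs, target, small_primes):
    """Homomorphism attack on F_0 over Z_Q^*: F_0 turns products into xors, so a product
    of small primes whose imprints xor to `target` is a pre-image, provided it stays
    below Q (the caller keeps the product of all small primes below Q)."""
    Q = prod(qs)
    ps = [p for p in small_primes if Q % p]        # p_i must not divide Q
    chosen = xor_subset([imprint(p, qs) for p in ps], target)
    if chosen is None:
        return None
    factors = [ps[i] for i in chosen]
    return prod(factors), factors

def prime_preimage(qs, target, candidate_primes):
    """What remains once the domain is restricted to primes: scan primes until one has
    the wanted imprint, about 2^k trials on average (hopeless for k = 2*kappa)."""
    Q = prod(qs)
    for p in candidate_primes:
        if Q % p and imprint(p, qs) == target:
            return p
    return None

# Constructed toy instance: k = 8 public primes just above 2^20, so Q > 2^160, while the
# product of the 30 primes up to 113 is below 2^155; every subset product is thus < Q.
P = primes_below((1 << 20) + 4096)
QS = [p for p in P if p > 1 << 20][:8]
SMALL = [p for p in P if p <= 113]
Q = prod(QS)

if __name__ == "__main__":
    target = 0b10110010
    x, factors = composite_preimage(QS, target, SMALL)
    print("composite pre-image", x, "=", "*".join(map(str, factors)),
          "| imprint matches:", imprint(x, QS) == target, "| x < Q:", x < Q)
    print("prime pre-image found by scanning primes:", prime_preimage(QS, target, P))
```

The composite pre-image is found with a handful of small primes, whereas the prime pre-image is found only by scanning on the order of $2^k = 256$ primes; with $k = 2\kappa$ that scan is the whole cost of the attack.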

## 3.2 From ${\mathcal{ℱ}}_{0}$ to ${\mathcal{ℱ}}_{1}$

We use function ${\mathcal{ℱ}}_{0}$ as a starting point to define a (conjectured) trapdoor one-way function. The resulting function ${\mathcal{ℱ}}_{1}$ has the extra property that it can be inverted when it is given a trapdoor as an additional input. To insert a trapdoor, we replace the primes ${q}_{j}$ with RSA-like moduli of the form ${n}_{j}=p_{j}{}^{2}{q}_{j}$. This does not affect the output value since ${\Im }_{𝒏}\left(x\right)={\Im }_{𝒒}\left(x\right)$ for all x such that $\mathrm{gcd}\left(x,{n}_{j}\right)=1$ for $0\le j\le k-1$. The trapdoor is $𝒒$.

#### Assumption 1.

Let κ denote a security parameter. Let also $k = k(\kappa)$ and $\ell = \ell(\kappa)$. Define $\mathfrak{D} = \{x \in \mathbb{P} \mid x < 2^{k\ell}\}$ and

$\mathcal{F}_1 : \mathfrak{D} \to \mathbb{N},\; x \mapsto \mathcal{F}_1(x) = \Im_{\mathbf{n}}(x),$

where $\mathbf{n} = (n_0, \dots, n_{k-1})$ is a vector of k pairwise co-prime moduli of the form $n_j = p_j^2 q_j$ for $\ell$-bit primes $p_j$ and $q_j$, $0 \le j \le k-1$. For every polynomial-time algorithm $\mathcal{A}$, the success probability

$\Pr\bigl[\hat{x} \leftarrow \mathfrak{D};\; x \leftarrow \mathcal{A}(\mathcal{F}_1(\hat{x})) : \mathcal{F}_1(x) = \mathcal{F}_1(\hat{x})\bigr]$

is negligible.

Note that finding a pre-image to $\stackrel{^}{y}={\mathcal{ℱ}}_{1}\left(\stackrel{^}{x}\right)$ is easy given the trapdoor $𝒒=\left({q}_{0},\mathrm{\dots },{q}_{k-1}\right)$:

• (1)

run Algorithm 1, and obtain x such that ${\Im }_{𝒒}\left(x\right)=\stackrel{^}{y}$;

• (2)

update x as $x←x{u}^{2}modQ$ with $u\stackrel{\text{}}{←}{ℤ}_{Q}^{*}$ until x is prime;

• (3)

return x.

Clearly, the so-obtained x is a valid pre-image: $x\in 𝔇$ and ${\mathcal{ℱ}}_{1}\left(x\right)=\stackrel{^}{y}$.

#### Remark 1.

By definition, the Jacobi imprint ${\Im }_{𝒏}\left(x\right)$ requires x to be co-prime with ${n}_{j}$ for $0\le j\le k-1$. Strictly speaking, the domain $𝔇$ should therefore exclude the primes ${p}_{j}$ and ${q}_{j}$. However, since primes ${p}_{j}$ and ${q}_{j}$ are $\mathrm{\ell }$-bit primes, where $\mathrm{\ell }=\mathrm{\ell }\left(\kappa \right)$, the probability to output an x such that $\mathrm{gcd}\left(x,{n}_{j}\right)\ne 1$ for some $0\le j\le k-1$ is negligible when the prime factorization of the ${n}_{j}$’s is unknown.

## 4 Signatures modulo ${p}^{2}q$

We are now ready to formally describe a first signature scheme. We prove that it meets the $\mathrm{𝖤𝖴𝖥}\text{-}\mathrm{𝖢𝖬𝖠}$ security level in the random oracle model.

## 4.1 Description

Our basic signature scheme is a tuple of algorithms $\mathrm{\Sigma }=\left(\mathrm{𝖪𝖾𝗒𝖦𝖾𝗇},\mathrm{𝖲𝗂𝗀𝗇},\mathrm{𝖵𝖾𝗋𝗂𝖿𝗒}\right)$, which we define as follows:

• Key generation The key generation algorithm $\mathrm{𝖪𝖾𝗒𝖦𝖾𝗇}$ takes as input a security parameter ${1}^{\kappa }$ and defines parameters k and $\mathrm{\ell }$. It selects a collision-resistant hash function $H:{\left\{0,1\right\}}^{*}\to {\left\{0,1\right\}}^{k}$. It also produces k pairs $\left({p}_{j},{q}_{j}\right)$ of $\mathrm{\ell }$-bit primes and forms the moduli ${n}_{j}=p_{j}{}^{2}{q}_{j}$. The public parameters are $\mathrm{𝗉𝗉}=\left(k,\mathrm{\ell },H\right)$. The public key is $\mathrm{𝗉𝗄}={\left\{{n}_{j}\right\}}_{0\le j\le k-1}$, while the private key is $\mathrm{𝗌𝗄}={\left\{{q}_{j}\right\}}_{0\le j\le k-1}$. The outputs are $\mathrm{𝗉𝗄}$ and $\mathrm{𝗌𝗄}$ (and $\mathrm{𝗉𝗉}$).

• Signing The signing algorithm $\mathrm{𝖲𝗂𝗀𝗇}$ takes as inputs a message $m\in {\left\{0,1\right\}}^{*}$ and the secret key $\mathrm{𝗌𝗄}$. The signature on message m proceeds as follows:

• (1)

compute $H\left(m\right)={\sum }_{j=0}^{k-1}{h}_{j}{2}^{j}$ with ${h}_{j}\in \left\{0,1\right\}$;

• (2)

pick at random k $\mathrm{\ell }$-bit integers ${r}_{j}$ such that $\left\{\frac{{r}_{j}}{{q}_{j}}\right\}={h}_{j}$ for $0\le j\le k-1$;

• (3)

compute $R=\mathrm{𝖢𝖱𝖳}\left(𝒓,𝒒\right)$ with $𝒓=\left({r}_{0},\mathrm{\dots },{r}_{k-1}\right)$ and $𝒒=\left({q}_{0},\mathrm{\dots },{q}_{k-1}\right)$;

• (4)

set $Q={\prod }_{j=0}^{k-1}{q}_{j}$ and choose at random an integer $u\in {ℤ}_{Q}^{*}$ such that $\sigma :=R{u}^{2}modQ\in ℙ$;

• (5)

return σ.

• Verification The verifying algorithm $\mathrm{𝖵𝖾𝗋𝗂𝖿𝗒}$ takes as inputs the public key $\mathrm{𝗉𝗄}$, a message m and a signature σ on message m. It checks whether (i) $\sigma \in ℙ$, (ii) $\sigma <{2}^{\mathrm{\ell }k}$, (iii) ${\Im }_{𝒏}\left(\sigma \right)=H\left(m\right)$, where $𝒏=\left({n}_{0},\mathrm{\dots },{n}_{k-1}\right)$. $\mathrm{𝖵𝖾𝗋𝗂𝖿𝗒}$ returns 1 (i.e., the signature is accepted) if and only if the three conditions above are fulfilled. Otherwise, $\mathrm{𝖵𝖾𝗋𝗂𝖿𝗒}$ returns 0.

The next proposition shows that the signature scheme is correct: for $\left(\mathrm{𝗉𝗄},\mathrm{𝗌𝗄}\right)←\mathrm{𝖪𝖾𝗒𝖦𝖾𝗇}\left({1}^{\kappa }\right)$ and any message $m\in {\left\{0,1\right\}}^{*}$, we have $\mathrm{𝖵𝖾𝗋𝗂𝖿𝗒}\left(\mathrm{𝗉𝗄},m,\mathrm{𝖲𝗂𝗀𝗇}\left(\mathrm{𝗌𝗄},m\right)\right)=1$.

#### Proposition 1 (Correctness).

Signature scheme Σ is correct.

#### Proof.

Let $(\{n_j\}, \{q_j\})$ and σ be the respective outputs of $\mathrm{𝖪𝖾𝗒𝖦𝖾𝗇}$ and $\mathrm{𝖲𝗂𝗀𝗇}$, with message m as input. By construction, σ is prime and $\sigma = R u^2 \bmod Q < Q < 2^{\ell k}$, since each $q_j$ is an $\ell$-bit prime. Moreover, since $\sigma \equiv r_j u^2 \pmod{q_j}$ ($0 \le j \le k-1$) and $u^2$ is a square co-prime to $q_j$, it follows that

${\Im }_{𝒒}\left(\sigma \right)=\sum _{j=0}^{k-1}\left\{\frac{{r}_{j}{u}^{2}}{{q}_{j}}\right\}{2}^{j}=\sum _{j=0}^{k-1}\left\{\frac{{r}_{j}}{{q}_{j}}\right\}{2}^{j}.$

Finally, since ${n}_{j}=p_{j}{}^{2}{q}_{j}$, we have $\left\{\frac{{r}_{j}}{{n}_{j}}\right\}=\left\{\frac{{r}_{j}}{{q}_{j}}\right\}$, and so ${\Im }_{𝒏}\left(\sigma \right)={\Im }_{𝒒}\left(\sigma \right)=H\left(m\right)$. ∎
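The scheme above, together with the trapdoor inversion of $\mathcal{F}_1$ from Section 3.2 (which is the signing core) and the remark in Section 2.1 that the Jacobi symbol is computable without factoring, as an added Python example that is not the paper's code. It assumes H is SHA-256 truncated to its k low bits, Miller-Rabin for primality testing, and the toy sizes $k = 8$, $\ell = 16$ (the paper recommends $k = 2\kappa$); the message is constructed here.

```python
import hashlib
import random
from math import gcd, prod

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 via quadratic reciprocity; n is never factored."""
    assert n > 0 and n % 2 == 1
    a, result = a % n, 1
    while a:
        while a % 2 == 0:                 # pull out factors of 2 using the value of (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                       # quadratic reciprocity: swap and fix the sign
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def is_quadratic_residue(a, n):
    """Brute force (small n only): is a a square modulo n? Contrast with jacobi(2, 15) == 1."""
    return any(x * x % n == a % n for x in range(n))

def is_prime(n, rounds=32):
    """Miller-Rabin probable-prime test; a composite passes with probability < 4**-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        p = random.getrandbits(bits) | 1 << (bits - 1) | 1      # odd, exactly `bits` bits
        if is_prime(p):
            return p

def crt(residues, moduli):
    """Smallest y >= 0 with y = residues[j] (mod moduli[j]) for pairwise co-prime moduli."""
    M = prod(moduli)
    return sum(r * (M // m) * pow(M // m, -1, m) for r, m in zip(residues, moduli)) % M

def brace(a, n):
    """{a/n} = (1 - (a/n)) / 2 in {0, 1}; the caller guarantees gcd(a, n) = 1."""
    return (1 - jacobi(a, n)) // 2

def imprint(x, moduli):
    """Jacobi imprint of x w.r.t. a vector of moduli (Definition 3), as a k-bit integer."""
    return sum(brace(x, n) << j for j, n in enumerate(moduli))

def digest(m, k):
    """H: {0,1}^* -> {0,1}^k, here SHA-256 truncated to its k low bits (an assumption)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") & ((1 << k) - 1)

def keygen(k, ell):
    """pk = (n_j = p_j^2 q_j), sk = (q_j), built from 2k distinct ell-bit primes."""
    primes = []
    while len(primes) < 2 * k:
        p = random_prime(ell)
        if p not in primes:
            primes.append(p)
    ps, qs = primes[:k], primes[k:]
    return [p * p * q for p, q in zip(ps, qs)], qs

def invert_with_trapdoor(qs, y, ell):
    """Given the trapdoor q, a prime x < 2^(k ell) with imprint y (Section 3.2, steps 1-3)."""
    rs = []
    for j, q in enumerate(qs):
        while True:                                   # random ell-bit r_j with {r_j/q_j} = y_j
            r = random.getrandbits(ell)
            if r % q and brace(r, q) == (y >> j) & 1:
                rs.append(r)
                break
    Q, R = prod(qs), crt(rs, qs)
    while True:                                       # x <- R u^2 mod Q, u in Z_Q^*, until prime
        u = random.randrange(1, Q)
        if gcd(u, Q) != 1:
            continue
        x = R * u * u % Q
        if is_prime(x):
            return x

def sign(qs, m, k, ell):
    return invert_with_trapdoor(qs, digest(m, k), ell)

def verify(ns, m, sigma, k, ell):
    """(i) sigma prime, (ii) sigma < 2^(ell k), (iii) imprint w.r.t. the public n_j equals H(m)."""
    if sigma >= 1 << (ell * k) or not is_prime(sigma):
        return False
    if any(gcd(sigma, n) != 1 for n in ns):           # imprint undefined otherwise
        return False
    return imprint(sigma, ns) == digest(m, k)

if __name__ == "__main__":
    k, ell = 8, 16
    ns, qs = keygen(k, ell)
    m = b"message to sign"                            # constructed input
    sigma = sign(qs, m, k, ell)
    print("sigma =", sigma, "| valid:", verify(ns, m, sigma, k, ell))
    print("(2/15) =", jacobi(2, 15), "| yet 2 is a square mod 15:", is_quadratic_residue(2, 15))
```

The verifier only ever calls `jacobi` on the public $n_j$, so it needs no factorization; the signer works modulo the $q_j$ alone, which is exactly why hiding the $q_j$ inside $n_j = p_j^2 q_j$ leaves the imprint unchanged but removes the ability to run the inversion.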

## 4.2 Security proof

#### Theorem 1.

Signature scheme Σ is $\mathrm{EUF}\mathit{}\mathit{\text{-}}\mathit{}\mathrm{CMA}$ secure assuming the hardness of inverting ${\mathcal{F}}_{\mathrm{1}}$, in the random oracle model.

#### Proof.

The security proof is by contradiction. Suppose we are given as a challenge an output $\stackrel{^}{s}$ of the function ${\mathcal{ℱ}}_{1}$. We assume that there exists a polynomial-time adversary $\mathcal{𝒜}$ that is able to produce an existential signature forgery with non-negligible success probability. Adversary $\mathcal{𝒜}$ is allowed to make ${q}_{H}$ queries to random oracle H and ${q}_{s}$ queries to signing oracle $\mathrm{𝖲𝗂𝗀𝗇}$. We then use $\mathcal{𝒜}$’s forgery to invert ${\mathcal{ℱ}}_{1}$, i.e., to find a pre-image to $\stackrel{^}{s}$.

Specifically, suppose that the received challenge is the k-bit integer

$\stackrel{^}{s}←{\mathcal{ℱ}}_{1}\left(x\right)={\Im }_{𝒏}\left(x\right)\mathit{ }\text{with}𝒏=\left({n}_{0},\mathrm{\dots },{n}_{k-1}\right)$

for moduli ${n}_{j}$ of the form ${n}_{j}=p_{j}{}^{2}{q}_{j}$ where ${p}_{j}$’s and ${q}_{j}$’s are $\mathrm{\ell }$-bit primes, $0\le j\le k-1$. The simulator sets the public key to $\mathrm{𝗉𝗄}={\left\{{n}_{j}\right\}}_{0\le j\le k-1}$. It also selects a collision-resistant hash function H mapping to ${\left\{0,1\right\}}^{k}$. The public key $\mathrm{𝗉𝗄}$ as well as public parameters $\mathrm{𝗉𝗉}:=\left(k,\mathrm{\ell },H\right)$ are given to $\mathcal{𝒜}$.

The simulator needs to answer the oracle queries made by $\mathcal{𝒜}$. It maintains a history list of tuples $\left({m}_{i},{𝔥}_{i},{\sigma }_{i}\right)$, $\mathrm{Hist}\left[H\right]$, that keeps track of the hash queries; $\mathrm{Hist}\left[H\right]$ is initialized to $\mathrm{\varnothing }$. It also maintains a counter i initialized to 0 and chooses at random an index ${i}^{*}\in \left[1,\mathrm{\dots },{q}_{H}\right]$.

• Answering hash queries When $\mathcal{𝒜}$ submits a message m to H, the simulator checks whether m was already queried.

• If $m\notin \mathrm{Hist}\left[H\right]$, then i is incremented: $i←i+1$. Next, the simulator sets ${m}_{i}←m$, and depending on the value of i,

• *

if $i={i}^{*}$, it sets ${𝔥}_{i}←\stackrel{^}{s}$ and ${\sigma }_{i}←\perp$,

• *

if $i\ne {i}^{*}$, it generates a random $\mathrm{\ell }k$-bit prime ${\sigma }_{i}$ and sets ${𝔥}_{i}←{\Im }_{𝒏}\left({\sigma }_{i}\right)$.

Tuple $\left({m}_{i},{𝔥}_{i},{\sigma }_{i}\right)$ is appended to $\mathrm{Hist}\left[H\right]$: $\mathrm{Hist}\left[H\right]←\mathrm{Hist}\left[H\right]\cup \left({m}_{i},{𝔥}_{i},{\sigma }_{i}\right)$.

• If $m\in \mathrm{Hist}\left[H\right]$, the simulator finds the index i such that $m={m}_{i}$ and recovers the corresponding value ${𝔥}_{i}$.

The simulator returns ${𝔥}_{i}$ as the hash value of input message m.

• Answering signature queries Without loss of generality, we assume that, when $\mathcal{𝒜}$ calls signing oracle $\mathrm{𝖲𝗂𝗀𝗇}$ with a message m, it has already submitted m to hash oracle H (observe that the simulator can always call internally H). Therefore, there exists an index i such that $m={m}_{i}$ in $\mathrm{Hist}\left[H\right]$. The simulator recovers the corresponding value for ${\sigma }_{i}$. There are two cases.

• If ${\sigma }_{i}\ne \perp$, then the simulator returns ${\sigma }_{i}$ as a valid signature on input message m.

• Otherwise, the simulator fails and stops.

Since the number ${q}_{H}$ of hash queries is polynomial and the index ${i}^{*}$ is chosen independently of $\mathcal{𝒜}$'s view, the forgery returned by $\mathcal{𝒜}$ is on its ${i}^{*}$-th query to H, i.e., on message ${m}_{{i}^{*}}$, with probability about $1/{q}_{H}$, which is non-negligible. Letting ${\sigma }_{{i}^{*}}$ be the corresponding signature returned by $\mathcal{𝒜}$, we see that ${\sigma }_{{i}^{*}}$ is a solution to the challenge since ${\Im }_{𝒏}\left({\sigma }_{{i}^{*}}\right)=H\left({m}_{{i}^{*}}\right)=\stackrel{^}{s}$. ∎

## 4.3 Toy example ($k=8$)

Picking the secret primes

we have the public moduli

$n_0 = 219777865328629,\; n_1 = 096480757993357,\; n_2 = 101366529455143,\; n_3 = 140109376837127,$
$n_4 = 091160286242573,\; n_5 = 059546546811643,\; n_6 = 151177768427453,\; n_7 = 063484161219691$

and the value

$Q = \prod_{i=0}^{7} q_i = 9625354820834308444301890854766785161.$

Consider a message whose digest is $𝒉=\left({h}_{0},\mathrm{\dots },{h}_{7}\right)$, and draw ${r}_{j}$’s as

We get $\mathsf{CRT}(\mathbf{r}, \mathbf{q}) = 1395786251559231878789764535858641198$.

By selecting $u = 2152266820709866295140077504687803459$, we obtain the signature

$\sigma = 1137542561586761230770585345256092841 \in \mathbb{P}.$

## 5 Generalized signatures

The Legendre symbol tells whether an integer is a square modulo a prime p. Given an integer a and an odd prime p, if $p \nmid a$, there exists a unique integer j modulo 2 such that $a^{(p-1)/2} \equiv (-1)^j \pmod p$. To obtain the analogue for a higher power r, the rational integers need to be extended so that they include an r-th root of unity, namely, $e^{2\pi i/r}$.

## 5.1 Cyclotomic integers and higher-order residuosity

We start by reviewing some classical results on cyclotomic fields. We refer the reader to [18, 44] for further introductory background.

Fix $\zeta := \zeta_r$ a primitive r-th root of unity; i.e., ζ is a root of $X^r - 1$ and $\zeta^s \ne 1$ for $0 < s < r$. Adjoining ζ to the field $\mathbb{Q}$ of rationals defines the cyclotomic field $\mathbb{Q}(\zeta)$. It is the splitting field of $X^r - 1$; its Galois group $\mathrm{Gal}(\mathbb{Q}(\zeta)/\mathbb{Q})$ is isomorphic to $\mathbb{Z}_r^*$, with $k \bmod r$ corresponding to the map $\sigma_k : \zeta \mapsto \zeta^k$; see [18, Proposition 13.2.1] or [44, Theorem 2.5]. The ring of integers of $\mathbb{Q}(\zeta)$ is $\mathbb{Z}[\zeta] \cong \mathbb{Z}[X]/(\Phi_r)$, where $\Phi_r$ is the r-th cyclotomic polynomial; see [44, Theorem 2.6].

The elements α of $ℤ\left[\zeta \right]$ are written as

$\alpha =\sum _{0\le j<\phi \left(r\right)}{a}_{j}{\zeta }^{j}\mathit{ }\text{with}{a}_{j}\in ℤ,$

where φ denotes Euler's totient function. The norm of $\alpha \in \mathbb{Z}[\zeta]$ is the rational integer $\mathrm{N}(\alpha) = \prod_{k \in \mathbb{Z}_r^*} \sigma_k(\alpha)$. We assume that $\mathbb{Z}[\zeta]$ is norm-Euclidean.

The elements of norm $±1$ in $ℤ\left[\zeta \right]$ are called units. Two elements $\alpha ,\beta \in ℤ\left[\zeta \right]$ that are equal up to multiplication by a unit $\upsilon \in ℤ\left[\zeta \right]$ (i.e., $\alpha =\upsilon \beta$) are said to be associates; we write $\alpha \sim \beta$. A non-unit element $\pi \in ℤ\left[\zeta \right]$ is a prime in $ℤ\left[\zeta \right]$ if, for any $\alpha ,\beta \in ℤ\left[\zeta \right]$, $\pi \mid \alpha \beta$ implies $\pi \mid \alpha$ or $\pi \mid \beta$. If r is a prime power (i.e., $r={q}^{\mathrm{\ell }}$ for some rational prime q and $\mathrm{\ell }\ge 1$), then $\left(1-\zeta \right)$ is a prime in $ℤ\left[\zeta \right]$ and $\mathrm{N}\left(1-\zeta \right)=q$; otherwise, $\left(1-\zeta \right)$ is a unit in $ℤ\left[\zeta \right]$.

Let π be a prime in $\mathbb{Z}[\zeta]$ with $\gcd(\mathrm{N}(\pi), r) = 1$. For every $\alpha \in \mathbb{Z}[\zeta]$ such that $\pi \nmid \alpha$, we have $\alpha^{\mathrm{N}(\pi)-1} \equiv 1 \pmod{\pi}$. Further, since $\langle \zeta \rangle$ is a subgroup of order r of $(\mathbb{Z}[\zeta]/(\pi))^*$, a cyclic group of order $\mathrm{N}(\pi) - 1$, it follows that $r \mid (\mathrm{N}(\pi) - 1)$ and

$\alpha^{\frac{\mathrm{N}(\pi)-1}{r}} \equiv \zeta^j \pmod{\pi} \quad \text{for some } j \in \mathbb{Z}_r.$

This defines the r-th-power residue symbol.

#### Definition 4.

Fix ζ a primitive r-th root of unity. Let $\alpha ,\pi \in ℤ\left[\zeta \right]$ with π prime and $\mathrm{gcd}\left(\mathrm{N}\left(\pi \right),r\right)=1$. The r-th-power residue symbol is defined by

${\left[\frac{\alpha }{\pi }\right]}_{r}=\left\{\begin{array}{cc}{\alpha }^{\left(\mathrm{N}\left(\pi \right)-1\right)/r}mod\pi \hfill & \text{if}\pi \nmid \alpha ,\hfill \\ 0\hfill & \text{otherwise}.\hfill \end{array}$

Let $\alpha ,\beta ,\pi \in ℤ\left[\zeta \right]$ with π prime and $\mathrm{gcd}\left(\mathrm{N}\left(\pi \right),r\right)=1$. It is easily verified from the definition that the following properties are satisfied:

${\left[\frac{\alpha \beta }{\pi }\right]}_{r}={\left[\frac{\alpha }{\pi }\right]}_{r}{\left[\frac{\beta }{\pi }\right]}_{r},{\left[\frac{\alpha }{\pi }\right]}_{r}={\left[\frac{\alpha mod\pi }{\pi }\right]}_{r}.$

Furthermore, in a way similar to the Jacobi symbol for quadratic residuosity, the r-th-power residue symbol naturally generalizes.

#### Definition 5.

Fix ζ a primitive r-th root of unity. Let $\alpha ,\lambda \in ℤ\left[\zeta \right]$ with λ non-unit and $\mathrm{gcd}\left(\mathrm{N}\left(\lambda \right),r\right)=1$. Then, writing $\lambda ={\prod }_{j}\pi _{j}{}^{{e}_{j}}$ for primes ${\pi }_{j}$ in $ℤ\left[\zeta \right]$, if α and λ are co-prime, the symbol ${\left[\frac{\alpha }{\lambda }\right]}_{r}$ is defined by

${\left[\frac{\alpha }{\lambda }\right]}_{r}=\prod _{j}\left[\frac{\alpha }{{\pi }_{j}}\right]_{r}{}^{{e}_{j}}.$

Moreover, ${\left[\frac{\alpha }{\upsilon }\right]}_{r}=1$ for every unit $\upsilon \in ℤ\left[\zeta \right]$.

The notion of Jacobi imprint generalizes to higher powers. To ease the notation, we extend the brace symbol as follows:

${\left\{\frac{\alpha }{\lambda }\right\}}_{r}=j\mathit{ }\text{with}j\in {ℤ}_{r},$

where ${\left\{\frac{\alpha }{\lambda }\right\}}_{r}=j$ if and only if ${\left[\frac{\alpha }{\lambda }\right]}_{r}={\zeta }^{j}$. Note that Definition 3 corresponds to the case $r=2$.

#### Definition 6 (r-th-order imprint).

For an integer $\alpha \in ℤ\left[\zeta \right]$ and a vector $𝝀=\left({\lambda }_{0},\mathrm{\dots },{\lambda }_{k-1}\right)\in ℤ{\left[\zeta \right]}^{k}$ such that α and ${\lambda }_{j}$ (with $0\le j\le k-1$) are co-prime, the r-th-order imprint of α w.r.t. $𝝀$ is the integer ${\Im }_{𝝀}^{\left(r\right)}\left(\alpha \right)\in ℤ$ given by

${\Im }_{𝝀}^{\left(r\right)}\left(\alpha \right)=\sum _{j=0}^{k-1}{\left\{\frac{\alpha }{{\lambda }_{j}}\right\}}_{r}{r}^{j}.$
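Definitions 4 to 6 for $r = 4$, the Quartapus setting of Section 6 with moduli $\nu_j = \pi_j^4 \psi_j$, as an added Python example that is not the paper's code: Gaussian-integer arithmetic with nearest-integer (norm-Euclidean) reduction, the quartic residue symbol obtained by exponentiation modulo a Gaussian prime, the brace symbol in $\mathbb{Z}_4$, the symbol for a modulus given by its factorization, and the 4-th-order imprint. The Gaussian primes $2+3i$ and $1+2i$ and the sample values are constructed for illustration.

```python
# Gaussian integers a + b*i are plain tuples (a, b); zeta = i, and zeta^j for j = 0..3 is:
UNITS = [(1, 0), (0, 1), (-1, 0), (0, -1)]

def gmul(x, y):
    (a, b), (c, d) = x, y
    return (a * c - b * d, a * d + b * c)

def gnorm(x):
    """N(x) = x * conj(x) = a^2 + b^2, the product of the two Galois conjugates of x."""
    return x[0] ** 2 + x[1] ** 2

def _round_div(a, n):
    """Nearest integer to a / n for n > 0 (correct for negative a; ties round up)."""
    return (2 * a + n) // (2 * n)

def gmod(x, m):
    """x mod m in Z[i]: subtract m times the Gaussian integer nearest to x / m.
    This is the norm-Euclidean division that Remark 2 guarantees for r = 4."""
    (a, b), (c, d) = x, m
    n = gnorm(m)
    re, im = a * c + b * d, b * c - a * d          # x * conj(m), so x / m = (re + im*i) / N(m)
    qm = gmul((_round_div(re, n), _round_div(im, n)), m)
    return (a - qm[0], b - qm[1])

def gdivides(m, x):
    """True iff m | x in Z[i]: both coordinates of x * conj(m) must be divisible by N(m)."""
    (a, b), (c, d) = x, m
    n = gnorm(m)
    return (a * c + b * d) % n == 0 and (b * c - a * d) % n == 0

def gpow_mod(x, e, m):
    """x^e mod m by square-and-multiply, reducing modulo m at every step."""
    result, base = (1, 0), gmod(x, m)
    while e:
        if e & 1:
            result = gmod(gmul(result, base), m)
        base = gmod(gmul(base, base), m)
        e >>= 1
    return result

def quartic_brace(alpha, pi):
    """{alpha/pi}_4 = j where alpha^((N(pi)-1)/4) = i^j (mod pi), Definition 4 with r = 4.
    pi must be a Gaussian prime of odd norm (so N(pi) = 1 mod 4) co-prime to alpha."""
    n = gnorm(pi)
    assert n % 4 == 1, "pi must have odd norm, i.e. not be an associate of 1 + i"
    s = gpow_mod(alpha, (n - 1) // 4, pi)
    for j, u in enumerate(UNITS):                   # exact congruence test: no canonical form needed
        if gdivides(pi, (s[0] - u[0], s[1] - u[1])):
            return j
    raise ValueError("alpha shares a factor with pi, or pi is not prime")

def quartic_brace_factored(alpha, factors):
    """{alpha/lambda}_4 for lambda = prod pi_j^e_j given as [(pi_j, e_j), ...] (Definition 5):
    the symbols multiply, so their exponents j add modulo 4."""
    return sum(e * quartic_brace(alpha, pi) for pi, e in factors) % 4

def quartic_imprint(alpha, lambdas):
    """4-th-order imprint (Definition 6): sum_j {alpha/lambda_j}_4 * 4^j, each lambda_j factored."""
    return sum(quartic_brace_factored(alpha, lam) << (2 * j) for j, lam in enumerate(lambdas))

if __name__ == "__main__":
    PI, PSI = (2, 3), (1, 2)                        # Gaussian primes of norm 13 and 5 (constructed)
    NU = [(PI, 4), (PSI, 1)]                        # a Quartapus-style modulus nu = pi^4 psi
    for a in (2, 3, 4, 7):
        print(f"{{{a}/(2+3i)}}_4 = {quartic_brace((a, 0), PI)}")
    # the pi^4 factor is invisible in the symbol: {alpha/nu}_4 = {alpha/psi}_4
    print("pi^4 drops out:", quartic_brace_factored((2, 0), NU) == quartic_brace((2, 0), PSI))
    print("imprint of 2 w.r.t. (1+2i, 2+3i):", quartic_imprint((2, 0), [[(PSI, 1)], [(PI, 1)]]))
```

Because $\mathbb{Z}[i]/(2+3i) \cong \mathbb{Z}/13$ with $i \mapsto 8$, the four values printed for $a = 3, 2, 4, 7$ are the exponents $0, 1, 2, 3$ of $i$ matching $a^3 \bmod 13 \in \{1, 8, 12, 5\}$; the congruence test against the four units avoids relying on any canonical representative modulo π.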

## 5.2 Parameter selection

As discussed in the introduction, the main threat for factoring-related cryptosystems comes from NFS and its variants. Table 1 lists different types of security level and the commonly accepted corresponding size for the modulus. See e.g. [23, 47].

Table 1

Key lengths and bit security.

Current knowledge suggests selecting moduli of the form $p_j^r q_j$ with $r \ge 2$ chosen so as to balance resistance against NFS-type and ECM-type factoring algorithms (the cost of ECM grows with the size of the smallest prime factor, that of NFS with the size of the modulus). Given a modulus whose length is chosen according to Table 1, a bound on the number of prime factors that may be allowed is derived in [21, Section 4]. This suggests selecting r in the range $[2, \dots, 5]$, depending on the security level.

#### Remark 2.

If ${\zeta }_{r}$ is an r-th primitive root of unity, the ring $ℤ\left[{\zeta }_{r}\right]$ is not necessarily norm-Euclidean. But for $r\in \left\{2,3,4,5\right\}$, the rings $ℤ\left[{\zeta }_{r}\right]$ are known to be norm-Euclidean [20, § 8]; see also [24].

Each possible value for r gives rise to a signature scheme. Of particular interest are the following new species in the signature zoo:

## 6 Quartapus

The ${p}^{2}q$ signature scheme given in Section 4 extends to any value of $r>2$ (provided that $ℤ\left[{\zeta }_{r}\right]$ is norm-Euclidean). As an illustration, we detail the Quartapus signature scheme, which is an adaptation to the case $r=4$.

Throughout this section, we let $\zeta :={\zeta }_{4}=i$ denote a primitive 4-th root of unity. The Galois group of $ℚ\left(\zeta \right)/ℚ$ consists of the two automorphisms ${\sigma }_{k}:\zeta ↦{\zeta }^{k}$ with $k\in \left\{1,3\right\}$, i.e. k ranges over the units of ${ℤ}_{4}$; ${\sigma }_{1}$ is the identity and ${\sigma }_{3}$ is complex conjugation (the map $\zeta ↦{\zeta }^{2}=-1$ is not an automorphism). For an element $\alpha \in ℤ\left[\zeta \right]$, we write ${\alpha }_{k}={\sigma }_{k}\left(\alpha \right)$. The norm of α is given by $\mathrm{N}\left(\alpha \right)={\alpha }_{1}{\alpha }_{3}=\alpha \overline{\alpha }$.

## 6.1 Description

The Quartapus signature scheme $\left(\mathrm{𝖪𝖾𝗒𝖦𝖾𝗇},\mathrm{𝖲𝗂𝗀𝗇},\mathrm{𝖵𝖾𝗋𝗂𝖿𝗒}\right)$ is defined as follows:

• Key generation $\mathrm{𝖪𝖾𝗒𝖦𝖾𝗇}$ takes as input a security parameter ${1}^{\kappa }$ and defines parameters k and $\mathrm{\ell }$. It selects a collision-resistant hash function $H:{\left\{0,1\right\}}^{*}\to {\left({ℤ}_{4}\right)}^{k}$. It also produces k pairs $\left({\pi }_{j},{\psi }_{j}\right)$ of primes in $ℤ\left[\zeta \right]$, where $\mathrm{N}\left({\pi }_{j}\right)$ and $\mathrm{N}\left({\psi }_{j}\right)$ are $\mathrm{\ell }$-bit long, and forms the moduli ${\nu }_{j}=\pi _{j}{}^{4}{\psi }_{j}$. The outputs are $\mathrm{𝗉𝗉}=\left(k,\mathrm{\ell },H\right)$, $\mathrm{𝗉𝗄}={\left\{{\nu }_{j}\right\}}_{0\le j\le k-1}$ and $\mathrm{𝗌𝗄}={\left\{{\psi }_{j}\right\}}_{0\le j\le k-1}$.

• Signing On input a message $m\in {\left\{0,1\right\}}^{*}$ and $\mathrm{𝗌𝗄}$, $\mathrm{𝖲𝗂𝗀𝗇}$ does the following:

• (1)

compute $H\left(m\right)={\sum }_{j=0}^{k-1}{h}_{j}{4}^{j}$ with ${h}_{j}\in {ℤ}_{4}$;

• (2)

pick at random k integers ${\rho }_{j}\in ℤ\left[\zeta \right]$ of $\mathrm{\ell }$-bit norm such that ${\left\{\frac{{\rho }_{j}}{{\psi }_{j}}\right\}}_{4}={h}_{j}$ for $0\le j\le k-1$;

• (3)

compute $\varrho =\mathrm{𝖢𝖱𝖳}\left(𝝆,𝝍\right)$ with $𝝆=\left({\rho }_{0},\mathrm{\dots },{\rho }_{k-1}\right)$ and $𝝍=\left({\psi }_{0},\mathrm{\dots },{\psi }_{k-1}\right)$;

• (4)

set $\mathrm{\Psi }={\prod }_{j=0}^{k-1}{\psi }_{j}$, and choose at random an integer $\upsilon \in {\left(ℤ\left[\zeta \right]/\left(\mathrm{\Psi }\right)\right)}^{*}$ such that $\sigma :=\varrho {\upsilon }^{4}\bmod \mathrm{\Psi }$ is prime in $ℤ\left[\zeta \right]$;

• (5)

return σ.

• Verification On input σ, m and $\mathrm{𝗉𝗄}$, $\mathrm{𝖵𝖾𝗋𝗂𝖿𝗒}$ checks whether (i) σ is prime in $ℤ\left[\zeta \right]$, (ii) $\mathrm{N}\left(\sigma \right)<{2}^{\mathrm{\ell }k}$ and (iii) ${\Im }_{𝝂}^{\left(4\right)}\left(\sigma \right)=H\left(m\right)$ with $𝝂=\left({\nu }_{0},\mathrm{\dots },{\nu }_{k-1}\right)$; it accepts the signature if and only if all three checks pass.
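As an added illustration (not part of the original paper), the following Python script instantiates the blueprint above at $r=2$, i.e. the Section 4 scheme that Quartapus generalizes: moduli ${n}_{j}=p_{j}{}^{2}{q}_{j}$ over the rational integers, the Jacobi symbol in place of the quartic residue symbol, and CRT modulo $\prod {q}_{j}$. The reason the public moduli suffice for verification is visible in the code: the symbol is multiplicative in its denominator, so $\left(\sigma /{n}_{j}\right)={\left(\sigma /{p}_{j}\right)}^{2}\left(\sigma /{q}_{j}\right)=\left(\sigma /{q}_{j}\right)$, and the signer's square factor ${\upsilon }^{2}$ leaves $\left(\sigma /{q}_{j}\right)$ unchanged. The function names, the choice of H as the low k bits of SHA-256, the seeds and the parameter sizes are all assumptions made for this example; the sizes are toy values chosen for a fast run and give no security. The $r=4$ case would need the biquadratic symbol over $ℤ\left[i\right]$ of Section 6.2 in place of jacobi and is not implemented here.

```python
import hashlib
import random
from math import gcd, prod

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n."""
    assert n > 0 and n % 2 == 1
    a, result = a % n, 1
    while a:
        while a % 2 == 0:                  # (2/n) = -1 iff n = 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                        # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def crt(residues, moduli):
    """Chinese remaindering for pairwise co-prime moduli."""
    x, big_m = 0, 1
    for r, m in zip(residues, moduli):
        x += big_m * ((r - x) * pow(big_m, -1, m) % m)
        big_m *= m
    return x % big_m

def digest(msg, k):
    """H: {0,1}* -> (Z_2)^k; assumed here to be the low k bits of SHA-256."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(h >> j) & 1 for j in range(k)]

def imprint(sigma, moduli):
    """Imprint of Definition 6 with r = 2: digit j is 0 if (sigma/n_j) = +1, 1 if -1."""
    digits = []
    for n in moduli:
        s = jacobi(sigma, n)
        if s == 0:                         # not co-prime: imprint undefined
            return None
        digits.append(0 if s == 1 else 1)
    return digits

def keygen(k, ell, seed):
    """pk = (n_j = p_j^2 q_j), sk = (q_j), from 2k distinct ell-bit primes."""
    rng, primes = random.Random(seed), []
    while len(primes) < 2 * k:
        p = rng.getrandbits(ell) | (1 << (ell - 1)) | 1
        if is_probable_prime(p) and p not in primes:
            primes.append(p)
    ps, qs = primes[:k], primes[k:]
    return [p * p * q for p, q in zip(ps, qs)], qs

def sign(msg, pk, sk, ell, seed):
    rng, k = random.Random(seed), len(sk)
    h = digest(msg, k)
    rhos = []                              # step (2): (rho_j/q_j) = (-1)^{h_j}
    for q, hj in zip(sk, h):
        while True:
            rho = rng.getrandbits(ell)
            if rho % q and jacobi(rho, q) == (1 if hj == 0 else -1):
                rhos.append(rho)
                break
    big_q = prod(sk)                       # step (3): CRT modulo prod q_j
    varrho = crt(rhos, sk)
    while True:                            # step (4): multiply by a square until prime
        u = rng.randrange(1, big_q)
        sigma = varrho * u * u % big_q
        if (gcd(u, big_q) == 1 and is_probable_prime(sigma)
                and all(gcd(sigma, n) == 1 for n in pk)):
            return sigma                   # (sigma/n_j) = (sigma/q_j) = (rho_j/q_j)

def verify(msg, sigma, pk, ell):
    # (i) sigma prime, (ii) sigma < 2^{ell k}, (iii) imprint w.r.t. public n_j = H(m)
    k = len(pk)
    return (is_probable_prime(sigma) and 0 < sigma < 1 << (ell * k)
            and imprint(sigma, pk) == digest(msg, k))
```

With `pk, sk = keygen(32, 20, 7)` and `sig = sign(msg, pk, sk, 20, 11)`, `verify(msg, sig, pk, 20)` holds, the imprint of sig with respect to the public ${n}_{j}$ coincides with the one computed from the secret ${q}_{j}$, and a composite σ or a different message is rejected. Note that the signer only ever needs the symbols modulo the secret ${q}_{j}$, while the verifier computes them modulo the public ${n}_{j}$ without factoring.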

#### Remark 3.

The primes ${\pi }_{j}$ and ${\psi }_{j}$ must have norms of $\mathrm{\ell }$ bits, where $\mathrm{\ell }$ is sized for the factoring problem over the rational integers (Table 1). The reason is that factoring in $ℤ\left[\zeta \right]$ is no harder than factoring norms in ℤ. Indeed, suppose an attacker is given as a challenge $\nu =\pi \psi$, a product of two primes in $ℤ\left[\zeta \right]$, and aims to recover π and ψ.

The norm of ν satisfies $\mathrm{N}\left(\nu \right)=\mathrm{N}\left(\pi \right)\mathrm{N}\left(\psi \right):=pq$ for two $\mathrm{\ell }$-bit rational primes $p,q\equiv 1\pmod 4$. If $\mathrm{\ell }$ were chosen so small that factoring the product of two rational $\mathrm{\ell }$-bit primes became feasible, the attacker could factor $\mathrm{N}\left(\nu \right)$ and recover p and q. Once p and q are known, the attacker's remaining task is to find $\pi ,\psi \in ℤ\left[\zeta \right]$ with $\mathrm{N}\left(\pi \right)=p$ and $\mathrm{N}\left(\psi \right)=q$. This is efficiently achieved by generalizing Cornacchia's algorithm [5, Algorithm 1.5.2] to fourth roots, as done in [7, § 1.2] for cubic roots. The first step is to find a solution $x\in {𝔽}_{p}^{*}$ of ${x}^{2}+1\equiv 0\pmod p$, which exists because $p\equiv 1\pmod 4$. Next, consider $\rho :=x-\zeta \in ℤ\left[\zeta \right]$, whose norm ${x}^{2}+1$ is a multiple of p. Hence $\mathrm{gcd}\left(\rho ,p\right)$, computed with the Euclidean algorithm (recall that $ℤ\left[\zeta \right]$ is norm-Euclidean), yields π up to a unit, and $p=\pi \overline{\pi }$ where $\overline{\pi }={\sigma }_{3}\left(\pi \right)$ is the complex conjugate of π. The prime ψ is recovered from q in the same way. The only hard step is therefore the factorization of the rational integer $\mathrm{N}\left(\nu \right)$, and $\mathrm{\ell }$ must be sized accordingly.
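As an added illustration of Remark 3 (not part of the original paper), the following Python script carries out the lifting step in $ℤ\left[i\right]=ℤ\left[{\zeta }_{4}\right]$ at toy sizes: given a rational prime $p\equiv 1\pmod 4$, it computes a square root of $-1$ modulo p and the Gaussian gcd of $x-i$ and p, and then uses this to split a constructed challenge $\nu =\pi \psi$ once $\mathrm{N}\left(\nu \right)$ has been factored. Gaussian integers are represented as pairs (re, im); trial division stands in for the NFS/ECM factoring step; all function names and inputs are assumptions made for this example. The gcd step relies only on $ℤ\left[i\right]$ being norm-Euclidean (footnote 2): the quotient is the componentwise nearest integer to a/b, so the remainder has norm at most half that of the divisor.

```python
def gnorm(a):
    """N(a) = a * conj(a) for a = (re, im) in Z[i]."""
    return a[0] * a[0] + a[1] * a[1]

def gmul(a, b):
    return (a[0] * b[0] - a[1] * b[1], a[0] * b[1] + a[1] * b[0])

def round_div(n, d):
    """Nearest integer to n/d for d > 0, without floating point."""
    return (2 * n + d) // (2 * d)

def gdivmod(a, b):
    """Euclidean division in Z[i]: (eta, rho) with a = b*eta + rho and N(rho) < N(b).
    eta is a*conj(b)/N(b) rounded componentwise, which gives N(rho) <= N(b)/2."""
    nb = gnorm(b)
    num = gmul(a, (b[0], -b[1]))
    eta = (round_div(num[0], nb), round_div(num[1], nb))
    be = gmul(b, eta)
    return eta, (a[0] - be[0], a[1] - be[1])

def ggcd(a, b):
    """Euclidean algorithm in Z[i]; the result is defined up to a unit in {1, i, -1, -i}."""
    while b != (0, 0):
        a, b = b, gdivmod(a, b)[1]
    return a

def sqrt_minus_one(p):
    """x with x^2 = -1 (mod p) for a prime p = 1 (mod 4): c^((p-1)/4) for a non-residue c."""
    assert p % 4 == 1
    for c in range(2, p):
        if pow(c, (p - 1) // 2, p) == p - 1:      # Euler's criterion: c is a non-residue
            return pow(c, (p - 1) // 4, p)

def gaussian_prime_above(p):
    """pi in Z[i] with N(pi) = p, as gcd(x - i, p): N(x - i) = x^2 + 1 is a multiple of p,
    and p = pi * conj(pi) splits in Z[i], so exactly one of the two factors divides x - i."""
    x = sqrt_minus_one(p)
    pi = ggcd((x, -1), (p, 0))
    assert gnorm(pi) == p
    return pi

def trial_factor(n):
    """Toy stand-in for a real factoring algorithm: smallest non-trivial split of n."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("no non-trivial factor")

def recover_factors(nu):
    """Remark 3 on nu = pi*psi: factor N(nu) = p*q over Z, lift p to a Gaussian prime,
    and test whether it or its conjugate divides nu; the cofactor is psi."""
    p, q = trial_factor(gnorm(nu))
    pi = gaussian_prime_above(p)
    for cand in (pi, (pi[0], -pi[1])):
        psi, rem = gdivmod(nu, cand)
        if rem == (0, 0):
            assert gnorm(psi) == q
            return cand, psi
    raise AssertionError("one of pi and conj(pi) must divide nu")
```

For the constructed challenge $\nu =\left(2+3i\right)\left(4+5i\right)=-7+22i$ one has $\mathrm{N}\left(\nu \right)=533=13\cdot 41$; the square root of $-1$ modulo 13 found by the script is 8, and $\mathrm{gcd}\left(8-i,13\right)=2+3i$, which divides ν with cofactor $4+5i$. For larger inputs the recovered factors are only determined up to a unit, which is why the test below checks norms and the product rather than exact values.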

## 6.2 Evaluating quartic residue symbols

Quartapus requires evaluating the 4-th-power (biquadratic) residue symbol in $ℤ\left[i\right]$; in particular, the verifier must do so modulo the public ${\nu }_{j}$ without knowing their factorization. We refer to [45, 7] for efficient implementations.

A generic algorithm for computing the r-th-power residue symbol for any prime $r\le 11$ is described in [4, Section 7]. The case $r=3$ is discussed in [46, 7, 38] and the case $r=5$ in [38].

## 7 Concluding remarks

In this paper, we have introduced a formal definition and construction of a new family of one-way functions and signature schemes, whose security is related to the hardness of factoring moduli of the form $n={p}^{r}q$. Since our constructions rely on newly introduced assumptions, further cryptanalytic effort is needed before their exact security can be assessed with confidence.

## Acknowledgements

We are grateful to Dan Bernstein, Dan Boneh and Antoine Joux for comments and discussions on the ECM factoring method.

## References

• [1] E. Bach and J. Shallit, Algorithmic Number Theory. Vol. 1: Efficient Algorithms, MIT Press, Cambridge, 1996.

• [2] M. Bellare and P. Rogaway, Random oracles are practical: A paradigm for designing efficient protocols, ACM Conference on Computer and Communications Security, ACM Press, New York (1993), 62–73.

• [3] D. Boneh, G. Durfee and N. Howgrave-Graham, Factoring $N={p}^{r}q$ for large r, Advances in Cryptology—CRYPTO ’99, Lecture Notes in Comput. Sci. 1666, Springer, Berlin (1999), 326–337.

• [4] P. C. Caranay and R. Scheidler, An efficient seventh power residue symbol algorithm, Int. J. Number Theory 6 (2010), no. 8, 1831–1853.

• [5] H. Cohen, A Course in Computational Algebraic Number Theory, Grad. Texts in Math. 138, Springer, Berlin, 1993.

• [6] I. B. Damgård, On the randomness of Legendre and Jacobi sequences, Advances in Cryptology—CRYPTO ’88, Lecture Notes in Comput. Sci. 403, Springer, Berlin (1990), 163–172.

• [7] I. B. Damgård and G. S. Frandsen, Efficient algorithms for the gcd and cubic residuosity in the ring of Eisenstein integers, J. Symbolic Comput. 39 (2005), no. 6, 643–652.

• [8] H. Davenport, On the distribution of quadratic residues (mod p), J. Lond. Math. Soc. 6 (1931), no. 1, 49–54.

• [9] H. Davenport, On the distribution of quadratic residues (mod p). II, J. Lond. Math. Soc. 8 (1933), no. 1, 46–52.

• [10] W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Trans. Inform. Theory IT-22 (1976), no. 6, 644–654.

• [11] C. Ding, D. Pei and A. Salomaa, Chinese Remainder Theorem. Applications in Computing, Coding, Cryptography, World Scientific, River Edge, 1996.

• [12] A. Fiat and A. Shamir, How to prove yourself: Practical solutions to identification and signature problems, Advances in Cryptology—CRYPTO ’86, Lecture Notes in Comput. Sci. 263, Springer, Berlin (1987), 186–194.

• [13] A. Fujioka, T. Okamoto and S. Miyaguchi, ESIGN: An efficient digital signature implementation for smart cards, Advances in Cryptology—EUROCRYPT ’91, Lecture Notes in Comput. Sci. 547, Springer, Berlin (1991), 446–457.

• [14] O. Goldreich, Foundations of Cryptography. Basic Tools, Cambridge University Press, Cambridge, 2001.

• [15] S. Goldwasser, S. Micali and R. L. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. Special issue on cryptography, SIAM J. Comput. 17 (1988), no. 2, 281–308.

• [16] L. Goubin, C. Mauduit and A. Sárközy, Construction of large families of pseudorandom binary sequences, J. Number Theory 106 (2004), no. 1, 56–69.

• [17] L. Granboulan, How to repair ESIGN, Security in Communication Networks—SCN 2002, Lecture Notes in Comput. Sci. 2576, Springer, Berlin (2003), 234–240.

• [18] K. Ireland and M. Rosen, A Classical Introduction to Modern Number Theory, 2nd ed., Grad. Texts in Math. 84, Springer, New York, 1990.

• [19] J. Katz, Digital Signatures, Springer, New York, 2010.

• [20] F. Lemmermeyer, The Euclidean algorithm in algebraic number fields, Exp. Math. 13 (1995), no. 5, 385–416.

• [21] A. K. Lenstra, Unbelievable security (Matching AES security using public key systems), Advances in Cryptology—ASIACRYPT 2001, Lecture Notes in Comput. Sci. 2248, Springer, Berlin (2001), 67–86.

• [22] A. K. Lenstra, H. W. Lenstra, Jr. and L. Lovász, Factoring polynomials with rational coefficients, Math. Ann. 261 (1982), no. 4, 515–534.

• [23] A. K. Lenstra and E. Verheul, Selecting cryptographic key sizes, J. Cryptology 14 (2001), no. 4, 255–293.

• [24] H. W. Lenstra, Jr., Euclid’s algorithm in cyclotomic fields, J. Lond. Math. Soc. (2) 10 (1975), no. 4, 457–465.

• [25] H. W. Lenstra, Jr., Factoring integers with elliptic curves, Ann. of Math. (2) 126 (1987), no. 3, 649–673.

• [26] H. W. Lenstra, Jr., The number field sieve: An annotated bibliography, The Development of the Number Field Sieve, Lecture Notes in Math. 1554, Springer, Berlin (1993), 1–3.

• [27] N. Manohar and B. Fisch, Factoring $n={p}^{2}q$, Final project report CS359C, Stanford University, 2017.

• [28] A. May, Secret exponent attacks on RSA-type schemes with moduli $N={p}^{r}q$, Public Key Cryptography—PKC 2004, Lecture Notes in Comput. Sci. 2947, Springer, Berlin (2004), 218–230.

• [29] A. Menezes, M. Qu, D. Stinson and Y. Wang, Evaluation of security level of cryptography: ESIGN signature scheme, External Evaluation Report ex-1053-2000, CRYPTREC, 2001.

• [30] T. Okamoto, E. Fujisaki and H. Morita, TSH-ESIGN: Efficient digital signature scheme using trisection size hash, Submission to IEEE P1363a, November 1998. [Online; accessed 7-February-2019].

• [31] T. Okamoto and A. Shiraishi, A fast signature scheme based on quadratic inequalities, 1985 IEEE Symposium on Security and Privacy, IEEE Press, Piscataway (1985), 123–133.

• [32] T. Okamoto and S. Uchiyama, A new public-key cryptosystem as secure as factoring, Advances in Cryptology—EUROCRYPT ’98, Lecture Notes in Comput. Sci. 1403, Springer, Berlin (1998), 308–318.

• [33] R. Peralta, On the distribution of quadratic residues and nonresidues modulo a prime number, Math. Comp. 58 (1992), no. 197, 433–440.

• [34] R. Peralta and E. Okamoto, Faster factoring of integers of a special form, IEICE Trans. Fundam. Electron. Comm. Comp. Sci. E79 (1996), no. A4, 489–493.

• [35] R. L. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Comm. ACM 21 (1978), no. 2, 120–126.

• [36] A. Sárközy and C. L. Stewart, On pseudorandomness in families of sequences derived from the Legendre symbol, Period. Math. Hungar. 54 (2007), no. 2, 163–173.

• [37] H. Sato, T. Takagi, S. Tezuka and K. Takaragi, Generalized powering functions and their application to digital signatures, Advances in Cryptology—ASIACRYPT 2003, Lecture Notes in Comput. Sci. 2894, Springer, Berlin (2003), 434–451.

• [38] R. Scheidler and H. C. Williams, A public-key cryptosystem utilizing cyclotomic fields, Des. Codes Cryptogr. 6 (1995), no. 2, 117–131.

• [39] K. Schmidt-Samoa, A new Rabin-type trapdoor permutation equivalent to factoring, Electron. Notes Theor. Comput. Sci. 157 (2006), no. 3, 79–94.

• [40] K. Schmidt-Samoa and T. Takagi, Paillier’s cryptosystem modulo ${p}^{2}q$ and its applications to trapdoor commitment schemes, Progress in Cryptology—Mycrypt 2005, Lecture Notes in Comput. Sci. 3715, Springer, Berlin (2005), 296–313.

• [41] C. P. Schnorr, Efficient signature generation by smart cards, J. Cryptology 4 (1991), no. 3, 161–174.

• [42] J. Stern, D. Pointcheval, J. Malone-Lee and N. P. Smart, Flaws in applying proof methodologies to signature schemes, Advances in Cryptology—CRYPTO 2002, Lecture Notes in Comput. Sci. 2442, Springer, Berlin (2002), 93–110.

• [43] T. Takagi, Fast RSA-type cryptosystem modulo ${p}^{k}q$, Advances in Cryptology—CRYPTO ’98, Lecture Notes in Comput. Sci. 1462, Springer, Berlin (1998), 318–326.

• [44] L. C. Washington, Introduction to Cyclotomic Fields, 2nd ed., Grad. Texts in Math. 83, Springer, New York, 1997.

• [45] A. Weilert, Fast computation of the biquadratic residue symbol, J. Number Theory 96 (2002), no. 1, 133–151.

• [46] H. C. Williams, An ${M}^{3}$ public-key encryption scheme, Advances in Cryptology—CRYPTO ’85, Lecture Notes in Comput. Sci. 218, Springer, Berlin (1986), 358–368.

• [47] BlueKrypt, Cryptographic key length recommendations, 2018.

## Footnotes

• 1 If a solution ${\epsilon }_{1},\mathrm{\dots },{\epsilon }_{\mathrm{\ell }}$ does not exist, refresh the ${p}_{j}$’s as necessary.

• 2 A ring R is said to be norm-Euclidean, or Euclidean with respect to the norm $\mathrm{N}$, if for every $\alpha ,\beta \in R$ with $\beta \ne 0$ there exist $\eta ,\rho \in R$ such that $\alpha =\beta \eta +\rho$ and $\mathrm{N}\left(\rho \right)<\mathrm{N}\left(\beta \right)$.

Accepted: 2019-09-15

Published Online: 2019-11-09

Citation Information: Journal of Mathematical Cryptology, ISSN (Online) 1862-2984, ISSN (Print) 1862-2976.


© 2019 Walter de Gruyter GmbH, Berlin/Boston.