
Journal of Mathematical Cryptology



New number-theoretic cryptographic primitives

Éric Brier / Houda Ferradi / Marc Joye / David Naccache
Published Online: 2019-11-09 | DOI: https://doi.org/10.1515/jmc-2019-0035


This paper introduces new $p^r q$-based one-way functions and companion signature schemes. The new signature schemes are interesting because they do not belong to the two common design blueprints, which are the inversion of a trapdoor permutation and the Fiat–Shamir transform. In the basic signature scheme, the signer generates multiple RSA-like moduli $n_i = p_i^2 q_i$ and keeps their factors secret. The signature is a bounded-size prime whose Jacobi symbols with respect to the $n_i$'s match the message digest. The generalized signature schemes replace the Jacobi symbol with higher-power residue symbols. Given their very unique design, the proposed signature schemes seem to be overlooked “missing species” in the corpus of known signature algorithms.

Keywords: number theory; one-way functions; digital signatures; cryptographic primitives

MSC 2010: 94A60; 11T71; 11A15; 11R18

1 Introduction

1.1 One-way functions

A fundamental building block for constructing secure signature schemes or public-key cryptosystems is one-way functions [14, Chapter 2]. Informally, a one-way function (OWF) is a function f that is easy to compute in polynomial time (by definition) on every input, but hard to invert given the image of a random input.

Basically, there exist three families of OWFs: (i) one-way permutations which are bijective OWFs, (ii) trapdoor OWFs which are one-way unless some extra information is given, and (iii) collision-free or collision-resistant hash functions. Almost all known OWFs have been based on intractable problems from number theory or some related mathematical fields like coding theory.

1.2 Digital signatures

Diffie and Hellman in their seminal work [10] first pointed out the notion of digital signatures. Since then, there have been many signature proposals built from trapdoor one-way permutations based on different algebraic assumptions. The most well-known is the one devised by Rivest, Shamir and Adleman from the so-called RSA assumption [35].

Concurrently to the above, another popular approach to constructing signature schemes is to use the Fiat–Shamir transform [12]. It consists of turning a public-coin proof of knowledge into a signature scheme, and it has yielded many efficient signature schemes like the Schnorr signature [41].

1.3 Cryptography modulo $p^r q$

Moduli of the form $p^r q$ have found a few applications in cryptography since the mid 1980s, the most notable of which are probably the ESIGN signature scheme and its variants using $p^2 q$ (see [31, 13, 30, 17, 42]), Okamoto–Uchiyama's cryptosystem [32, 40], Schmidt-Samoa's cryptosystem [39] or constructions such as [43, 37].

There are four main approaches to factoring integers of the form $p^r q$: the elliptic curve method (ECM) [25], which was improved by Peralta and Okamoto [34], the number field sieve (NFS) [26], the lattice factoring method (LFM) [3] and factoring using Jacobi symbols. Note that the special structure of $p^r q$ is no more threatened by NFS than regular RSA moduli are threatened by that same attack. Actually, it turns out that using $p^2 q$ moduli does not seem to render factoring significantly easier. Boneh, Durfee and Howgrave-Graham [3] showed that $n = p^r q$ can be factored in polynomial time when $r$ is large (i.e., $r \approx \log p$). Consequently, as stated in [29], this LLL-based approach [22] does not apply to the setting considered in this paper, where $r$ is rather small. See also [28, 27].


The rest of this paper is organized as follows. In the next section, we introduce some useful notation and review the definitions of the Jacobi symbol and of a signature scheme. Section 3 proposes a new OWF, building on the concept of Jacobi imprint. We then present in Section 4 a first signature scheme relying on this new OWF and prove its security. In Section 5, we generalize our basic design to higher-order residue symbols and introduce the corresponding signature schemes. As an illustration, we implement Quartapus in Section 6, a signature scheme based on the quartic residue symbol. Finally, we conclude the paper in Section 7.

2 Notation and basic definitions

If $\mathcal{D}$ is a finite domain, we let $x \xleftarrow{\$} \mathcal{D}$ denote picking an element of $\mathcal{D}$ uniformly at random and assigning it to $x$. A boldface variable $\boldsymbol{x}$ is used to denote a vector of elements identified by that variable; i.e., $\boldsymbol{x} = (x_0, \dots, x_{k-1})$. The symbol $\mathbb{P}$ stands for the set of (rational) primes. Given a vector $\boldsymbol{n} = (n_0, \dots, n_{k-1})$ of pairwise co-prime integers $n_j$ ($0 \le j \le k-1$) and a vector $\boldsymbol{x} = (x_0, \dots, x_{k-1})$ of integers, we use $\mathsf{CRT}(\boldsymbol{x}, \boldsymbol{n})$ for the Chinese remainder function, returning the smallest non-negative integer $y$ such that $y \equiv x_j \pmod{n_j}$ for $0 \le j \le k-1$ (see [11, Chapter 2]).

2.1 The Jacobi symbol

Given a positive integer $n$, an integer $a$ with $\gcd(a, n) = 1$ is called a quadratic residue modulo $n$ if and only if $x^2 \equiv a \pmod n$ is solvable. If $a$ is not a quadratic residue, then it is called a quadratic non-residue modulo $n$.

Let $a$ be an integer, and let $p \in \mathbb{P}$, $p \neq 2$. The Legendre symbol $\left(\frac{a}{p}\right)$ is defined as

$$\left(\frac{a}{p}\right) = \begin{cases} 1 & \text{if } a \text{ is a quadratic residue modulo } p, \\ -1 & \text{if } a \text{ is a quadratic non-residue modulo } p, \\ 0 & \text{if } \gcd(a, p) \neq 1. \end{cases}$$

The Legendre symbol satisfies Euler's criterion, namely, $\left(\frac{a}{p}\right) \equiv a^{\frac{p-1}{2}} \pmod p$.

The Jacobi symbol is a natural generalization of the Legendre symbol.

Definition 1.

Let $n$ be an odd positive integer with prime factorization $n = \prod_j p_j^{e_j}$. Then, for an integer $a$, the Jacobi symbol $\left(\frac{a}{n}\right)$ is given by


with the convention $\left(\frac{a}{1}\right) = 1$ for all integers $a$.

Interestingly, the prime factorization of $n$ is not required for evaluating $\left(\frac{a}{n}\right)$. It can be efficiently computed with $O((\log_2 a)(\log_2 n))$ bit operations [1, § 5.9]. We point out that the Legendre and Jacobi symbols coincide when $n$ is an odd prime. Also, we note that the Legendre symbol makes it possible to determine whether an integer is a quadratic residue or not, whereas the Jacobi symbol does not allow checking this property.

2.2 Digital signatures

A signature scheme [19] is a tuple Σ=(𝖪𝖾𝗒𝖦𝖾𝗇,𝖲𝗂𝗀𝗇,𝖵𝖾𝗋𝗂𝖿𝗒) of probabilistic polynomial-time algorithms satisfying the following:

  • 𝖪𝖾𝗒𝖦𝖾𝗇($1^\kappa$) On input security parameter $1^\kappa$, key generation algorithm 𝖪𝖾𝗒𝖦𝖾𝗇 produces a pair (𝗉𝗄,𝗌𝗄) of matching public and private keys.

  • 𝖲𝗂𝗀𝗇(𝗌𝗄,m) Given a private key 𝗌𝗄 and a message m in a set of messages, signing algorithm 𝖲𝗂𝗀𝗇 produces a signature σ.

  • 𝖵𝖾𝗋𝗂𝖿𝗒(𝗉𝗄,m,σ) Given a public key 𝗉𝗄, a message m and a signature σ, the verifying algorithm 𝖵𝖾𝗋𝗂𝖿𝗒 checks whether σ is a valid signature on m with respect to 𝗉𝗄.

The classical security notion for signature schemes is existential unforgeability against chosen-message attacks (in short, 𝖤𝖴𝖥-𝖢𝖬𝖠) [15]. Basically, it requires that an adversary having access to a signing oracle returning the signature on messages of its choice is unable to produce a valid signature on a message not previously submitted to the signing oracle. In the random oracle model [2], the adversary has in addition access to a hash oracle viewed as a random oracle. More formally, we have the following definition.

Definition 2.

A signature scheme Σ is 𝖤𝖴𝖥-𝖢𝖬𝖠 secure if, for every probabilistic polynomial-time adversary 𝒜, the success probability $\mathsf{Adv}^{\mathsf{EUF}}_{\mathcal{A},\Sigma}(\kappa) := \Pr[\mathsf{EUF}^{\mathcal{A}}_{\Sigma}(\kappa) = 1]$ is negligible in the security game defined in Figure 1.

Figure 1: 𝖤𝖴𝖥-𝖢𝖬𝖠 experiment for digital signature schemes.

3 A candidate one-way function

If $p$ is an odd prime, then half of the integers in the sequence $1, 2, \dots, p-1$ are quadratic residues modulo $p$, and half are not. The problem of counting the number of occurrences of $k$ distinct integers $(a_0, a_1, \dots, a_{k-1})$ modulo $p$ obeying a given pattern $(\epsilon_0, \epsilon_1, \dots, \epsilon_{k-1})$ with $\epsilon_j = \left(\frac{a_j}{p}\right) \in \{-1, 1\}$, and variations thereof, has been studied in a number of papers, including [8, 9, 6, 33, 16, 36]. In particular, the results of Peralta in [33] indicate that the probability of


matching any particular sequence $(\epsilon_0, \epsilon_1, \dots, \epsilon_{k-1}) \in \{-1, 1\}^k$ is in the range $\frac{1}{2^k} \pm O(k\,p^{-1/2})$.

This section considers a related problem. It relies on a new notion that we call Jacobi imprint. In essence, the imprint is an integer formed of bits representing the sequence of Jacobi symbols where -1’s are replaced by 1’s and 1’s by 0’s.

Definition 3 (Jacobi imprint).

For an integer $a$ and a vector $\boldsymbol{n} = (n_0, \dots, n_{k-1})$ of $k$ odd positive integers such that $\gcd(a, n_j) = 1$ for $0 \le j \le k-1$, the Jacobi imprint 𝒏(a) is given by


(At times, we will interchangeably use 𝒏(a) to denote the integer 𝒏(a) or its binary representation.)

3.1 Function $F_0$

Let $\boldsymbol{q} = (q_0, \dots, q_{k-1})$ be a set of $k$ distinct (odd) primes, and let $Q = \prod_{j=0}^{k-1} q_j$. Consider the function $F_0$ given by


We argue that an appropriate selection for the domain of $F_0$ and the number of primes $q_j$ turns $F_0$ into a one-way function.

Of course, $\mathfrak{D}$ cannot be the whole group $\mathbb{Z}_Q^*$. Otherwise, given a challenge $\hat{y} = F_0(\hat{x})$, an attacker could execute Algorithm 1.

Algorithm 1 (Finding a (large) pre-image).

This algorithm yields outputs that are smaller than $Q = \prod_{j=0}^{k-1} q_j$. An obvious way to prevent an attacker from successfully running Algorithm 1 would be to restrict $\mathfrak{D}$ to entries smaller than a given bound $B$.

But there is another way to tackle the problem of finding pre-images to $F_0$. Let $\mathcal{Z}$ be the set of $k$-bit integers. Now if we regard an imprint in $\mathcal{Z}$ as an element of $(\mathbb{Z}_2)^k$ (that is, if we look at its binary representation), we see that $F_0$ induces a group homomorphism from $(\mathbb{Z}_Q^*, \cdot)$ to $(\mathcal{Z}, \oplus)$:

$$F_0(x_1 x_2 \bmod Q) = F_0(x_1) \oplus F_0(x_2) \quad \text{for all } x_1, x_2 \in \mathbb{Z}_Q^*.$$

Therefore, an attacker could generate a set of “small” primes $p_i$ (with $p_i \ll Q$) and compute the corresponding imprints $z_i = F_0(p_i)$ for $1 \le i \le \ell$. It suffices then for the attacker to use linear algebra modulo 2 (i.e., Gaussian elimination) to find a subset of the $z_i$'s having the target imprint $\hat{y}$ as an xor:¹


A pre-image is given by


which is valid provided that $x < B$. This second attack is avoided by limiting $\mathfrak{D}$ to primes. Furthermore, each prime $q_j$ in $\boldsymbol{q}$ imposes a condition on the pre-image. The birthday paradox suggests choosing the number $k$ of primes $q_j$ to be at least $2\kappa$, where $\kappa$ is the security parameter. All in all, we recommend selecting $k = 2\kappa$ and $\mathfrak{D} = \{x \in \mathbb{P} \mid x < B\}$ with $B \ll Q$, where $Q = \prod_{j=0}^{k-1} q_j$.

3.2 From $F_0$ to $F_1$

We use function $F_0$ as a starting point to define a (conjectured) trapdoor one-way function. The resulting function $F_1$ has the extra property that it can be inverted when it is given a trapdoor as an additional input. To insert a trapdoor, we replace the primes $q_j$ with RSA-like moduli of the form $n_j = p_j^2 q_j$. This does not affect the output value since 𝒏(x) = 𝒒(x) for all $x$ such that $\gcd(x, n_j) = 1$ for $0 \le j \le k-1$. The trapdoor is $\boldsymbol{q}$.

Assumption 1.

Let $\kappa$ denote a security parameter. Let also $k = k(\kappa)$ and $\ell = \ell(\kappa)$. Define $\mathfrak{D} = \{x \in \mathbb{P} \mid x < 2^{k\ell}\}$ and


where $\boldsymbol{n} = (n_0, \dots, n_{k-1})$ is a set of $k$ pairwise co-prime moduli of the form $n_j = p_j^2 q_j$ for $\ell$-bit primes $p_j$ and $q_j$, $0 \le j \le k-1$. For every polynomial-time algorithm $\mathcal{A}$, the success probability


is negligible.

Note that finding a pre-image to $\hat{y} = F_1(\hat{x})$ is easy given the trapdoor $\boldsymbol{q} = (q_0, \dots, q_{k-1})$:

  (1) run Algorithm 1, and obtain $x$ such that 𝒒(x) = $\hat{y}$;

  (2) update $x$ as $x \leftarrow x u^2 \bmod Q$ with $u \xleftarrow{\$} \mathbb{Z}_Q^*$ until $x$ is prime;

  (3) return $x$.

Clearly, the so-obtained $x$ is a valid pre-image: $x \in \mathfrak{D}$ and $F_1(x) = \hat{y}$.

Remark 1.

By definition, the Jacobi imprint 𝒏(x) requires $x$ to be co-prime with $n_j$ for $0 \le j \le k-1$. Strictly speaking, the domain $\mathfrak{D}$ should therefore exclude the primes $p_j$ and $q_j$. However, since the primes $p_j$ and $q_j$ are $\ell$-bit primes, where $\ell = \ell(\kappa)$, the probability of outputting an $x$ such that $\gcd(x, n_j) \neq 1$ for some $0 \le j \le k-1$ is negligible when the prime factorization of the $n_j$'s is unknown.

4 Signatures modulo $p^2 q$

We are now ready to formally describe a first signature scheme. We prove that it meets the 𝖤𝖴𝖥-𝖢𝖬𝖠 security level in the random oracle model.

4.1 Description

Our basic signature scheme is a tuple of algorithms Σ=(𝖪𝖾𝗒𝖦𝖾𝗇,𝖲𝗂𝗀𝗇,𝖵𝖾𝗋𝗂𝖿𝗒), which we define as follows:

  • Key generation The key generation algorithm 𝖪𝖾𝗒𝖦𝖾𝗇 takes as input a security parameter $1^\kappa$ and defines parameters $k$ and $\ell$. It selects a collision-resistant hash function $H : \{0,1\}^* \to \{0,1\}^k$. It also produces $k$ pairs $(p_j, q_j)$ of $\ell$-bit primes and forms the moduli $n_j = p_j^2 q_j$. The public parameters are 𝗉𝗉 = $(k, \ell, H)$. The public key is 𝗉𝗄 = $\{n_j\}_{0 \le j \le k-1}$, while the private key is 𝗌𝗄 = $\{q_j\}_{0 \le j \le k-1}$. The outputs are 𝗉𝗄 and 𝗌𝗄 (and 𝗉𝗉).

  • Signing The signing algorithm 𝖲𝗂𝗀𝗇 takes as inputs a message $m \in \{0,1\}^*$ and the secret key 𝗌𝗄. Signing message $m$ proceeds as follows:

    (1) compute $H(m) = \sum_{j=0}^{k-1} h_j 2^j$ with $h_j \in \{0, 1\}$;

    (2) pick at random $k$ $\ell$-bit integers $r_j$ such that $\left\{\frac{r_j}{q_j}\right\} = h_j$ for $0 \le j \le k-1$;

    (3) compute $R = \mathsf{CRT}(\boldsymbol{r}, \boldsymbol{q})$ with $\boldsymbol{r} = (r_0, \dots, r_{k-1})$ and $\boldsymbol{q} = (q_0, \dots, q_{k-1})$;

    (4) set $Q = \prod_{j=0}^{k-1} q_j$ and choose at random an integer $u \in \mathbb{Z}_Q^*$ such that $\sigma := R u^2 \bmod Q \in \mathbb{P}$;

    (5) return $\sigma$.

  • Verification The verifying algorithm 𝖵𝖾𝗋𝗂𝖿𝗒 takes as inputs the public key 𝗉𝗄, a message $m$ and a signature $\sigma$ on message $m$. It checks whether (i) $\sigma \in \mathbb{P}$, (ii) $\sigma < 2^{k\ell}$, (iii) 𝒏(σ) = $H(m)$, where $\boldsymbol{n} = (n_0, \dots, n_{k-1})$. 𝖵𝖾𝗋𝗂𝖿𝗒 returns 1 (i.e., the signature is accepted) if and only if the three conditions above are fulfilled. Otherwise, 𝖵𝖾𝗋𝗂𝖿𝗒 returns 0.
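As an added worked example (not code from the paper or its authors), the following toy Python implementation follows the key generation, signing steps (1) to (5) and the three verification checks above at small size. It assumes SHA-256 truncated to $k$ bits as the hash function $H$, draws each $r_j$ in $[1, q_j)$ rather than as an $\ell$-bit integer (only $r_j \bmod q_j$ matters for the Jacobi symbol), and uses the constructed parameters $k = 8$, $\ell = 24$ with a seeded, non-cryptographic RNG in `demo` so that the toy run is reproducible.

```python
import hashlib
import random
from math import gcd, prod

_mr_rng = random.SystemRandom()  # Miller-Rabin witnesses, independent of the demo RNG

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd positive n, computed without factoring n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:  # (2/n) = -1 iff n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a  # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0  # 0 means gcd(a, n) != 1

def is_probable_prime(n, rounds=32):  # Miller-Rabin with random witnesses
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(_mr_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # exactly `bits` bits, odd
        if is_probable_prime(c):
            return c

def crt(residues, moduli):  # smallest y >= 0 with y = x_j (mod n_j), n_j pairwise co-prime
    y, m = 0, 1
    for x, n in zip(residues, moduli):
        y += m * (((x - y) * pow(m, -1, n)) % n)
        m *= n
    return y % m

def digest_bits(message, k):  # H: {0,1}* -> {0,1}^k, SHA-256 truncated; returns [h_0..h_{k-1}]
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") >> (256 - k)
    return [(h >> j) & 1 for j in range(k)]

def imprint(a, moduli):  # Jacobi imprint: bit j is 1 iff (a/n_j) = -1 (Definition 3)
    bits = []
    for n in moduli:
        s = jacobi(a, n)
        if s == 0:  # undefined when gcd(a, n_j) != 1
            return None
        bits.append(1 if s == -1 else 0)
    return bits

def keygen(k, ell, rng):  # pk = [n_j = p_j^2 q_j], sk = [q_j], from 2k distinct ell-bit primes
    primes = set()
    while len(primes) < 2 * k:
        primes.add(random_prime(ell, rng))
    ps, qs = sorted(primes)[:k], sorted(primes)[k:]
    return [p * p * q for p, q in zip(ps, qs)], qs

def sign(message, qs, k, rng):
    h = digest_bits(message, k)  # step (1)
    rs = []
    for hj, q in zip(h, qs):  # step (2): r_j with (r_j/q_j) = -1 iff h_j = 1
        while True:
            r = rng.randrange(1, q)
            if jacobi(r, q) == (-1 if hj else 1):
                break
        rs.append(r)
    R, Q = crt(rs, qs), prod(qs)  # step (3)
    while True:  # step (4): u^2 preserves every (sigma/q_j); retry until sigma is prime
        u = rng.randrange(1, Q)
        sigma = R * u * u % Q
        if gcd(u, Q) == 1 and is_probable_prime(sigma):
            return sigma  # sigma < Q < 2^(k*ell), so the size check in Verify holds

def verify(message, sigma, ns, k, ell):  # (i) prime, (ii) < 2^(k*ell), (iii) imprint = H(m)
    if not 0 < sigma < (1 << (k * ell)) or not is_probable_prime(sigma):
        return False
    return imprint(sigma, ns) == digest_bits(message, k)

def demo(seed=2019, k=8, ell=24):  # seeded, non-cryptographic RNG: reproducible toy run only
    rng = random.Random(seed)
    ns, qs = keygen(k, ell, rng)
    message = b"constructed test message"
    return ns, qs, message, sign(message, qs, k, rng)
```

At these toy sizes the scheme offers no security; the point is to see that $\sigma \equiv r_j u^2 \pmod{q_j}$ leaves every Jacobi symbol, and hence the imprint, unchanged, while the verifier only needs the $n_j$.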

The next proposition shows that the signature scheme is correct: for (𝗉𝗄,𝗌𝗄) ← 𝖪𝖾𝗒𝖦𝖾𝗇($1^\kappa$) and any message $m \in \{0,1\}^*$, we have 𝖵𝖾𝗋𝗂𝖿𝗒(𝗉𝗄, m, 𝖲𝗂𝗀𝗇(m, 𝗌𝗄)) = 1.

Proposition 1 (Correctness).

Signature scheme Σ is correct.


Proof. Let $(\{n_j\}, \{q_j\})$ and $\sigma$ be the respective outputs of 𝖪𝖾𝗒𝖦𝖾𝗇 and 𝖲𝗂𝗀𝗇, with message $m$ as input. By construction, $\sigma$ is prime and $\sigma = R u^2 \bmod Q < 2^{k\ell}$. Moreover, since $\sigma \equiv r_j u^2 \pmod{q_j}$ ($0 \le j \le k-1$), it follows that


Finally, since $n_j = p_j^2 q_j$, we have $\left\{\frac{r_j}{n_j}\right\} = \left\{\frac{r_j}{q_j}\right\}$, and so 𝒏(σ) = 𝒒(σ) = $H(m)$. ∎

4.2 Security proof

Theorem 1.

Signature scheme Σ is 𝖤𝖴𝖥-𝖢𝖬𝖠 secure assuming the hardness of inverting $F_1$, in the random oracle model.


Proof. The security proof is by contradiction. Suppose we are given as a challenge an output $\hat{s}$ of the function $F_1$. We assume that there exists a polynomial-time adversary 𝒜 that is able to produce an existential signature forgery with non-negligible success probability. Adversary 𝒜 is allowed to make $q_H$ queries to random oracle $H$ and $q_s$ queries to signing oracle 𝖲𝗂𝗀𝗇. We then use 𝒜's forgery to invert $F_1$, i.e., to find a pre-image to $\hat{s}$.

Specifically, suppose that the received challenge is the $k$-bit integer


for moduli $n_j$ of the form $n_j = p_j^2 q_j$, where the $p_j$'s and $q_j$'s are $\ell$-bit primes, $0 \le j \le k-1$. The simulator sets the public key to 𝗉𝗄 = $\{n_j\}_{0 \le j \le k-1}$. It also selects a collision-resistant hash function $H$ mapping to $\{0,1\}^k$. The public key 𝗉𝗄 as well as the public parameters 𝗉𝗉 := $(k, \ell, H)$ are given to 𝒜.

The simulator needs to answer the oracle queries made by 𝒜. It maintains a history list of tuples $(m_i, \mathfrak{h}_i, \sigma_i)$, Hist[H], that keeps track of the hash queries; Hist[H] is initialized to $\emptyset$. It also maintains a counter $i$ initialized to 0 and chooses at random an index $i^* \in [1, \dots, q_H]$.

  • Answering hash queries When 𝒜 submits a message $m$ to $H$, the simulator checks whether $m$ was already queried.

    • If $m \notin$ Hist[H], then $i$ is incremented: $i \leftarrow i + 1$. Next, the simulator sets $m_i \leftarrow m$ and, depending on the value of $i$,

      * if $i = i^*$, it sets $\mathfrak{h}_i \leftarrow \hat{s}$ and leaves $\sigma_i$ undefined,

      * if $i \neq i^*$, it generates a random $k\ell$-bit prime $\sigma_i$ and sets $\mathfrak{h}_i \leftarrow$ 𝒏($\sigma_i$).

      Tuple $(m_i, \mathfrak{h}_i, \sigma_i)$ is appended to Hist[H]: Hist[H] $\leftarrow$ Hist[H] $\cup \{(m_i, \mathfrak{h}_i, \sigma_i)\}$.

    • If $m \in$ Hist[H], the simulator finds the index $i$ such that $m = m_i$ and recovers the corresponding value $\mathfrak{h}_i$.

    The simulator returns $\mathfrak{h}_i$ as the hash value of input message $m$.

  • Answering signature queries Without loss of generality, we assume that, when 𝒜 calls signing oracle 𝖲𝗂𝗀𝗇 with a message $m$, it has already submitted $m$ to hash oracle $H$ (observe that the simulator can always call $H$ internally). Therefore, there exists an index $i$ such that $m = m_i$ in Hist[H]. The simulator recovers the corresponding value for $\sigma_i$. There are two cases.

    • If $\sigma_i$ is defined, then the simulator returns $\sigma_i$ as a valid signature on input message $m$.

    • Otherwise, the simulator fails and stops.

The number of queries to the hash oracle being polynomial, with non-negligible probability the adversary will return a signature forgery on its $i^*$-th query to $H$, i.e., on message $m_{i^*}$. Letting $\sigma_{i^*}$ be the corresponding signature returned by 𝒜, we see that $\sigma_{i^*}$ is a solution to the challenge since 𝒏($\sigma_{i^*}$) = $H(m_{i^*}) = \hat{s}$. ∎

4.3 Toy example (k=8)

Picking the secret primes

we have the public moduli


and the value


Consider a message whose digest is $\boldsymbol{h} = (h_0, \dots, h_7)$, and draw the $r_j$'s as

We get $\mathsf{CRT}(\boldsymbol{r}, \boldsymbol{q}) = 1395786251559231878789764535858641198$.

By selecting $u = 2152266820709866295140077504687803459$, we obtain the signature


5 Generalized signatures

The Legendre symbol tells whether an integer is a square modulo a prime $p$. Given an integer $a$ and an odd prime $p$, if $p \nmid a$, there exists a unique integer $j$ modulo 2 such that $a^{(p-1)/2} \equiv (-1)^j \pmod p$. To obtain the analogue for a higher power $r$, the rational integers need to be extended so that they include an $r$-th root of unity, namely, $e^{2\pi i/r}$.

5.1 Cyclotomic integers and higher-order residuosity

We start by reviewing some classical results on cyclotomic fields. We refer the reader to [18, 44] for further introductory background.

Fix $\zeta := \zeta_r$ a primitive $r$-th root of unity; i.e., $\zeta$ is a root of $X^r - 1$ and $\zeta^s \neq 1$ for $0 < s < r$. Adjoining $\zeta$ to the field of rationals defines the cyclotomic field $\mathbb{Q}(\zeta)$. It is the splitting field of $X^r - 1$; its Galois group $\mathrm{Gal}(\mathbb{Q}(\zeta)/\mathbb{Q})$ is isomorphic to $\mathbb{Z}_r^*$, with $k \bmod r$ corresponding to the map $\sigma_k : \zeta \mapsto \zeta^k$; see [18, Proposition 13.2.1] or [44, Theorem 2.5]. The ring of integers of $\mathbb{Q}(\zeta)$ is $\mathbb{Z}[\zeta] \cong \mathbb{Z}[X]/(\Phi_r)$, where $\Phi_r$ is the $r$-th cyclotomic polynomial; see [44, Theorem 2.6].

The elements $\alpha$ of $\mathbb{Z}[\zeta]$ are written as


where $\varphi$ denotes Euler's totient function. The norm of $\alpha \in \mathbb{Z}[\zeta]$ is the rational integer $N(\alpha) = \prod_{k \in \mathbb{Z}_r^*} \sigma_k(\alpha)$. We assume that $\mathbb{Z}[\zeta]$ is norm-Euclidean.²

The elements of norm $\pm 1$ in $\mathbb{Z}[\zeta]$ are called units. Two elements $\alpha, \beta \in \mathbb{Z}[\zeta]$ that are equal up to multiplication by a unit $\upsilon \in \mathbb{Z}[\zeta]$ (i.e., $\alpha = \upsilon\beta$) are said to be associates; we write $\alpha \sim \beta$. A non-unit element $\pi \in \mathbb{Z}[\zeta]$ is a prime in $\mathbb{Z}[\zeta]$ if, for any $\alpha, \beta \in \mathbb{Z}[\zeta]$, $\pi \mid \alpha\beta$ implies $\pi \mid \alpha$ or $\pi \mid \beta$. If $r$ is a prime power (i.e., $r = q^\ell$ for some rational prime $q$ and $\ell \ge 1$), then $(1 - \zeta)$ is a prime in $\mathbb{Z}[\zeta]$ and $N(1 - \zeta) = q$; otherwise, $(1 - \zeta)$ is a unit in $\mathbb{Z}[\zeta]$.

Let $\pi$ be a prime in $\mathbb{Z}[\zeta]$, with $\gcd(N(\pi), r) = 1$. For every $\alpha \in \mathbb{Z}[\zeta]$ such that $\pi \nmid \alpha$, we have $\alpha^{N(\pi)-1} \equiv 1 \pmod{\pi}$. Further, since $\langle \zeta \rangle$ is a subgroup of order $r$ of $(\mathbb{Z}[\zeta]/(\pi))^*$, it follows that $r \mid (N(\pi) - 1)$ and

$$\alpha^{\frac{N(\pi)-1}{r}} \equiv \zeta^j \pmod{\pi} \quad \text{for some } j \in \mathbb{Z}_r.$$

This defines the r-th-power residue symbol.

Definition 4.

Fix $\zeta$ a primitive $r$-th root of unity. Let $\alpha, \pi \in \mathbb{Z}[\zeta]$ with $\pi$ prime and $\gcd(N(\pi), r) = 1$. The $r$-th-power residue symbol is defined by


Let $\alpha, \beta, \pi \in \mathbb{Z}[\zeta]$ with $\pi$ prime and $\gcd(N(\pi), r) = 1$. It is easily verified from the definition that the following properties are satisfied:


Furthermore, in a way similar to the Jacobi symbol for quadratic residuosity, the r-th-power residue symbol naturally generalizes.

Definition 5.

Fix $\zeta$ a primitive $r$-th root of unity. Let $\alpha, \lambda \in \mathbb{Z}[\zeta]$ with $\lambda$ a non-unit and $\gcd(N(\lambda), r) = 1$. Then, writing $\l­ambda = \prod_j \pi_j^{e_j}$ for primes $\pi_j$ in $\mathbb{Z}[\zeta]$, if $\alpha$ and $\lambda$ are co-prime, the symbol $\left[\frac{\alpha}{\lambda}\right]_r$ is defined by


Moreover, $\left[\frac{\alpha}{\upsilon}\right]_r = 1$ for every unit $\upsilon \in \mathbb{Z}[\zeta]$.

The notion of Jacobi imprint generalizes to higher powers. To ease the notation, we extend the brace symbol as follows:


where $\left\{\frac{\alpha}{\lambda}\right\}_r = j$ if and only if $\left[\frac{\alpha}{\lambda}\right]_r = \zeta^j$. Note that Definition 3 corresponds to the case $r = 2$.

Definition 6 (r-th-order imprint).

For an integer $\alpha \in \mathbb{Z}[\zeta]$ and a vector $\boldsymbol{\lambda} = (\lambda_0, \dots, \lambda_{k-1}) \in \mathbb{Z}[\zeta]^k$ such that $\alpha$ and $\lambda_j$ (with $0 \le j \le k-1$) are co-prime, the $r$-th-order imprint of $\alpha$ w.r.t. $\boldsymbol{\lambda}$ is the integer 𝝀(r)(α) given by


5.2 Parameter selection

As discussed in the introduction, the main threat for factoring-related cryptosystems comes from NFS and its variants. Table 1 lists different types of security level and the commonly accepted corresponding size for the modulus. See e.g. [23, 47].

Table 1: Key lengths and bit security.

The current state of affairs teaches that moduli could be selected of the form $p_j^r q_j$ with $r \ge 2$ chosen to have a balanced resistance against both NFS-type and ECM-type factoring algorithms. Given a modulus whose length is chosen according to Table 1, a bound for the number of factors that may be allowed is derived in [21, Section 4]. This suggests selecting $r$ in the range $[2, \dots, 5]$, depending on the security level.

Remark 2.

If $\zeta_r$ is a primitive $r$-th root of unity, the ring $\mathbb{Z}[\zeta_r]$ is not necessarily norm-Euclidean. But for $r \in \{2, 3, 4, 5\}$, the rings $\mathbb{Z}[\zeta_r]$ are known to be norm-Euclidean [20, § 8]; see also [24].

Each possible value for r gives rise to a signature scheme. Of particular interest are the following new species in the signature zoo:

6 Quartapus

The $p^2 q$ signature scheme given in Section 4 extends to any value of $r > 2$ (provided that $\mathbb{Z}[\zeta_r]$ is norm-Euclidean). As an illustration, we detail the Quartapus signature scheme, which is an adaptation to the case $r = 4$.

Throughout this section, we let $\zeta := \zeta_4 = i$ denote a primitive 4-th root of unity. The Galois group of $\mathbb{Q}(\zeta)/\mathbb{Q}$ contains the two automorphisms $\sigma_k : \zeta \mapsto \zeta^k$ with $k \in \{1, 2\}$. For an element $\alpha \in \mathbb{Z}[\zeta]$, we write $\alpha_k = \sigma_k(\alpha)$. The norm of $\alpha$ is given by $N(\alpha) = \alpha_1 \alpha_2$.

6.1 Description

The Octapus signature scheme (𝖪𝖾𝗒𝖦𝖾𝗇,𝖲𝗂𝗀𝗇,𝖵𝖾𝗋𝗂𝖿𝗒) is defined as follows:

  • Key generation 𝖪𝖾𝗒𝖦𝖾𝗇 takes as input a security parameter $1^\kappa$ and defines parameters $k$ and $\ell$. It selects a collision-resistant hash function $H : \{0,1\}^* \to (\mathbb{Z}_4)^k$. It also produces $k$ pairs $(\pi_j, \psi_j)$ of primes in $\mathbb{Z}[\zeta]$, where $N(\pi_j)$ and $N(\psi_j)$ are $\ell$-bit long, and forms the moduli $\nu_j = \pi_j^4 \psi_j$. The outputs are 𝗉𝗉 = $(k, \ell, H)$, 𝗉𝗄 = $\{\nu_j\}_{0 \le j \le k-1}$ and 𝗌𝗄 = $\{\psi_j\}_{0 \le j \le k-1}$.

  • Signing On input a message $m \in \{0,1\}^*$ and 𝗌𝗄, 𝖲𝗂𝗀𝗇 does the following:

    (1) compute $H(m) = \sum_{j=0}^{k-1} h_j 4^j$ with $h_j \in \mathbb{Z}_4$;

    (2) pick at random $k$ integers $\rho_j \in \mathbb{Z}[\zeta]$ of $\ell$-bit norm such that $\left\{\frac{\rho_j}{\psi_j}\right\} = h_j$ for $0 \le j \le k-1$;

    (3) compute $\varrho = \mathsf{CRT}(\boldsymbol{\rho}, \boldsymbol{\psi})$ with $\boldsymbol{\rho} = (\rho_0, \dots, \rho_{k-1})$ and $\boldsymbol{\psi} = (\psi_0, \dots, \psi_{k-1})$;

    (4) set $\Psi = \prod_{j=0}^{k-1} \psi_j$, and choose at random an integer $\upsilon \in (\mathbb{Z}[\zeta]/(\Psi))^*$ such that $\sigma := \varrho\,\upsilon^4 \bmod \Psi$ is prime in $\mathbb{Z}[\zeta]$;

    (5) return $\sigma$.

  • Verification On input $\sigma$, $m$ and 𝗉𝗄, 𝖵𝖾𝗋𝗂𝖿𝗒 checks whether (i) $\sigma$ is prime, (ii) $N(\sigma) < 2^{k\ell}$, (iii) 𝝂(4)(σ) = $H(m)$ and, if so, accepts the signature.

Remark 3.

The primes $\pi_j$ and $\psi_j$ must be chosen of norm of $\ell$ bits, for an $\ell$ sized for the factoring problem over the rational integers. Indeed, suppose an attacker is given as a challenge $\nu = \pi\psi$, a product of two primes in $\mathbb{Z}[\zeta]$. The goal of the attacker is to recover $\pi$ and $\psi$.

The norm of $\nu$ satisfies $N(\nu) = N(\pi) N(\psi) := pq$ for two $\ell$-bit rational primes $p, q \equiv 1 \pmod 4$. If $\ell$ were chosen too small, so that the problem of factoring the product of two rational $\ell$-bit primes becomes feasible, the attacker could factor $N(\nu)$ and recover $p$ and $q$. Once $p$ and $q$ are found, its remaining task is to find $\pi, \psi \in \mathbb{Z}[\zeta]$ with $N(\pi) = p$ and $N(\psi) = q$. This can be efficiently achieved by generalizing Cornacchia's algorithm [5, Algorithm 1.5.2] to fourth roots, as done in [7, § 1.2] for cubic roots. The first step is to solve for $r$ over $\mathbb{F}_p^*$ the equation $r^2 + 1 \equiv 0 \pmod p$. Next, consider the integer $\rho := r - \zeta \in \mathbb{Z}[\zeta]$, whose norm is a multiple of $p$. Hence, the computation of $\gcd(\rho, p)$ yields $\pi \in \mathbb{Z}[\zeta]$ (remember that $\mathbb{Z}[\zeta]$ is norm-Euclidean), and $p = \pi\pi_2$, where $\pi_2 = \sigma_2(\pi)$; similarly for $q$.

6.2 Evaluating quartic residue symbols

Quartapus requires the evaluation of the 4-th-power residue symbol. We refer to [45, 7] for efficient implementations.

A generic algorithm for computing the $r$-th-power residue symbol for any prime $r \le 11$ is described in [4, Section 7]. The case $r = 3$ is discussed in [46, 7, 38] and the case $r = 5$ in [38].

7 Concluding remarks

In this paper, we have introduced a formal definition and construction of a new family of one-way functions and signature schemes. They are related to the hardness of factoring moduli of the form $n = p^r q$. Since our constructions rely on newly introduced assumptions, further cryptanalytic efforts are needed in order to gain more confidence about their exact security.


We are grateful to Dan Bernstein, Dan Boneh and Antoine Joux for comments and discussions on the ECM factoring method.


[1] E. Bach and J. Shallit, Algorithmic Number Theory. Vol. 1: Efficient Algorithms, MIT Press, Cambridge, 1996.

[2] M. Bellare and P. Rogaway, Random oracles are practical: A paradigm for designing efficient protocols, ACM Conference on Computer and Communications Security, ACM Press, New York (1993), 62–73.

[3] D. Boneh, G. Durfee and N. Howgrave-Graham, Factoring $N = p^r q$ for large $r$, Advances in Cryptology—CRYPTO ’99, Lecture Notes in Comput. Sci. 1666, Springer, Berlin (1999), 326–337.

[4] P. C. Caranay and R. Scheidler, An efficient seventh power residue symbol algorithm, Int. J. Number Theory 6 (2010), no. 8, 1831–1853.

[5] H. Cohen, A Course in Computational Algebraic Number Theory, Grad. Texts in Math. 138, Springer, Berlin, 1993.

[6] I. B. Damgård, On the randomness of Legendre and Jacobi sequences, Advances in Cryptology—CRYPTO’88, Lecture Notes in Comput. Sci. 403, Springer, Berlin (1990), 163–172.

[7] I. B. Damgård and G. S. Frandsen, Efficient algorithms for the gcd and cubic residuosity in the ring of Eisenstein integers, J. Symbolic Comput. 39 (2005), no. 6, 643–652.

[8] H. Davenport, On the distribution of quadratic residues (mod p), J. Lond. Math. Soc. 6 (1931), no. 1, 49–54.

[9] H. Davenport, On the distribution of quadratic residues (mod p). II, J. Lond. Math. Soc. 8 (1933), no. 1, 46–52.

[10] W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Trans. Inform. Theory IT-22 (1976), no. 6, 644–654.

[11] C. Ding, D. Pei and A. Salomaa, Chinese Remainder Theorem. Applications in Computing, Coding, Cryptography, World Scientific, River Edge, 1996.

[12] A. Fiat and A. Shamir, How to prove yourself: Practical solutions to identification and signature problems, Advances in Cryptology—CRYPTO’86, Lecture Notes in Comput. Sci. 263, Springer, Berlin (1987), 186–194.

[13] A. Fujioka, T. Okamoto and S. Miyaguchi, ESIGN: An efficient digital signature implementation for smart cards, Advances in Cryptology—EUROCRYPT’91, Lecture Notes in Comput. Sci. 547, Springer, Berlin (1991), 446–457.

[14] O. Goldreich, Foundations of Cryptography. Basic Tools, Cambridge University, Cambridge, 2001.

[15] S. Goldwasser, S. Micali and R. L. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. Special issue on cryptography, SIAM J. Comput. 17 (1988), no. 2, 281–308.

[16] L. Goubin, C. Mauduit and A. Sárközy, Construction of large families of pseudorandom binary sequences, J. Number Theory 106 (2004), no. 1, 56–69.

[17] L. Granboulan, How to repair ESIGN, Security in Communication Networks—SCN 2002, Lecture Notes in Comput. Sci. 2576, Springer, Berlin (2003), 234–240.

[18] K. Ireland and M. Rosen, A Classical Introduction to Modern Number Theory, 2nd ed., Grad. Texts in Math. 84, Springer, New York, 1990.

[19] J. Katz, Digital Signatures, Springer, New York, 2010.

[20] F. Lemmermeyer, The Euclidean algorithm in algebraic number fields, Exp. Math. 13 (1995), no. 5, 385–416.

[21] A. K. Lenstra, Unbelievable security (Matching AES security using public key systems), Advances in Cryptology—ASIACRYPT 2001, Lecture Notes in Comput. Sci. 2248, Springer, Berlin (2001), 67–86.

[22] A. K. Lenstra, H. W. Lenstra, Jr. and L. Lovász, Factoring polynomials with rational coefficients, Math. Ann. 261 (1982), no. 4, 515–534.

[23] A. K. Lenstra and E. Verheul, Selecting cryptographic key sizes, J. Cryptology 14 (2001), no. 4, 255–293.

[24] H. W. Lenstra, Jr., Euclid’s algorithm in cyclotomic fields, J. Lond. Math. Soc. (2) 10 (1975), no. 4, 457–465.

[25] H. W. Lenstra, Jr., Factoring integers with elliptic curves, Ann. of Math. (2) 126 (1987), no. 3, 649–673.

[26] H. W. Lenstra, Jr., The number field sieve: An annotated bibliography, The Development of the Number Field Sieve, Lecture Notes in Math. 1554, Springer, Berlin (1993), 1–3.

[27] N. Manohar and B. Fisch, Factoring $n = p^2 q$, Final project report CS359C, Stanford University, 2017.

[28] A. May, Secret exponent attacks on RSA-type schemes with moduli $N = p^r q$, Public Key Cryptography—PKC 2004, Lecture Notes in Comput. Sci. 2947, Springer, Berlin (2004), 218–230.

[29] A. Menezes, M. Qu, D. Stinson and Y. Wang, Evaluation of security level of cryptography: ESIGN signature scheme, External Evaluation Report ex-1053-2000, CRYPTREC, 2001.

[30] T. Okamoto, E. Fujisaki and H. Morita, TSH-ESIGN: Efficient digital signature scheme using trisection size hash, Submission to IEEE P1363a, November 1998. [Online; accessed 7-February-2019].

[31] T. Okamoto and A. Shiraishi, A fast signature scheme based on quadratic inequalities, 1985 IEEE Symposium on Security and Privacy, IEEE Press, Piscataway (1985), 123–133.

[32] T. Okamoto and S. Uchiyama, A new public-key cryptosystem as secure as factoring, Advances in Cryptology—EUROCRYPT’98, Lecture Notes in Comput. Sci. 1403, Springer, Berlin (1998), 308–318.

[33] R. Peralta, On the distribution of quadratic residues and nonresidues modulo a prime number, Math. Comp. 58 (1992), no. 197, 433–440.

[34] R. Peralta and E. Okamoto, Faster factoring of integers of a special form, IEICE Trans. Fundam. Electron. Comm. Comp. Sci. E79 (1996), no. A4, 489–493.

[35] R. L. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Comm. ACM 21 (1978), no. 2, 120–126.

[36] A. Sárközy and C. L. Stewart, On pseudorandomness in families of sequences derived from the Legendre symbol, Period. Math. Hungar. 54 (2007), no. 2, 163–173.

[37] H. Sato, T. Takagi, S. Tezuka and K. Takaragi, Generalized powering functions and their application to digital signatures, Advances in Cryptology—ASIACRYPT 2003, Lecture Notes in Comput. Sci. 2894, Springer, Berlin (2003), 434–451.

[38] R. Scheidler and H. C. Williams, A public-key cryptosystem utilizing cyclotomic fields, Des. Codes Cryptogr. 6 (1995), no. 2, 117–131.

[39] K. Schmidt-Samoa, A new Rabin-type trapdoor permutation equivalent to factoring, Electron. Notes Theor. Comput. Sci. 157 (2006), no. 3, 79–94.

[40] K. Schmidt-Samoa and T. Takagi, Paillier’s cryptosystem modulo $p^2 q$ and its applications to trapdoor commitment schemes, Progress in Cryptology—Mycrypt 2005, Lecture Notes in Comput. Sci. 3715, Springer, Berlin (2005), 296–313.

[41] C. P. Schnorr, Efficient signature generation by smart cards, J. Cryptology 4 (1991), no. 3, 161–174.

[42] J. Stern, D. Pointcheval, J. Malone-Lee and N. P. Smart, Flaws in applying proof methodologies to signature schemes, Advances in Cryptology—CRYPTO 2002, Lecture Notes in Comput. Sci. 2442, Springer, Berlin (2002), 93–110.

[43] T. Takagi, Fast RSA-type cryptosystem modulo $p^k q$, Advances in Cryptology—CRYPTO’98, Lecture Notes in Comput. Sci. 1462, Springer, Berlin (1998), 318–326.

[44] L. C. Washington, Introduction to Cyclotomic Fields, 2nd ed., Grad. Texts Math. 83, Springer, New York, 1997.

[45] A. Weilert, Fast computation of the biquadratic residue symbol, J. Number Theory 96 (2002), no. 1, 133–151.

[46] H. C. Williams, An M3 public-key encryption scheme, Advances in Cryptology—CRYPTO’85, Lecture Notes in Comput. Sci. 218, Springer, Berlin (1986), 358–368.

[47] BlueKrypt, Cryptographic key length recommendations, 2018.


¹ If a solution $\varepsilon_1, \dots, \varepsilon_\ell$ does not exist, refresh the $p_j$'s as necessary.

² A ring $R$ is said to be norm-Euclidean, or Euclidean with respect to the norm $N$, if, for every $\alpha, \beta \in R$, $\beta \neq 0$, there exist $\eta, \rho \in R$ such that $\alpha = \beta\eta + \rho$ and $N(\rho) < N(\beta)$.

About the article

Received: 2019-07-18

Accepted: 2019-09-15

Published Online: 2019-11-09

Citation Information: Journal of Mathematical Cryptology, ISSN (Online) 1862-2984, ISSN (Print) 1862-2976, DOI: https://doi.org/10.1515/jmc-2019-0035.

© 2019 Walter de Gruyter GmbH, Berlin/Boston.