Quadratic residues, square roots and Rabin
cryptosystem
Martin Stanek
Department of Computer Science
Comenius University
[email protected]
Cryptology 1 (2016/17)
Content
Quadratic residues
Rabin cryptosystem
Quadratic residuosity problem
Goldwasser–Micali cryptosystem
BBS generator
QR and Rabin
2 / 23
,
Quadratic residues
I
an integer a ∈ Z∗n is called a quadratic residue modulo n if there exists an
integer b such that b2 ≡ a (mod n)
I
otherwise a is called a quadratic nonresidue modulo n
I
QRn – the set of all quadratic residues modulo n
I
QNRn – the set of all quadratic nonresidues modulo n
I
trivially QRn ∪ QNRn = Z∗n
QR and Rabin
3 / 23
,
Quadratic residues modulo prime
example for p = 11:
x
x 2 mod 11
1
1
2
4
3
9
4
5
5
3
6
3
7
5
8
9
9
4
10
1
Lemma 1
Let p > 2 be a prime. Then |QRp | = |QNRp |.
Proof.
Let x 2 ≡ y 2 (mod p) for any x, y ∈ Zp∗ . Then
p | (x 2 − y 2 )
⇒
p | (x − y)(x + y).
We have x = y or x = p − y, i.e. each quadratic residue has exactly two square
roots. Therefore |QRp | = |Z∗p |/2 = (p − 1)/2 ⇒ |QNRp | = (p − 1)/2
QR and Rabin
4 / 23
,
Computing square roots modulo prime
I
solve equation x 2 ≡ a (mod p)
I
solution exists iff a ∈ QRp
I
if x is the solution then −x = p − x is the solution as well:
(p − x)2 ≡ p2 − 2px + x 2 ≡ x 2 ≡ a (mod p)
I
easy to solve for p ≡ 3 (mod 4); the solution is x = a(p+1)/4 mod p:
x 2 ≡ a(p+1)/2 ≡ a · a(p−1)/2
≡a·b
≡a
I
p−1
(mod p)
(mod p)
(mod p)
(assuming a ∈ QRp , i.e. ∃b: b2 ≡ a)
(FLT)
probabilistic polynomial time (PPT) algorithm exists for p ≡ 1 (mod 4)
QR and Rabin
5 / 23
,
Euler’s criterion: testing a ∈ QRp ?
Lemma 2 (Euler’s criterion)
Let p > 2 be a prime and a ∈ Z∗p . Then a ∈ QRp ⇔ a(p−1)/2 ≡ 1 (mod p).
Proof.
⇒ a ∈ QRp ⇒ ∃b : b2 ≡ a (mod p)
we have a(p−1)/2 ≡ bp−1 ≡ 1 (mod p) (using FLT)
⇐ (Z∗p , ·) is cyclic group; let g be its generator
then g r ≡ a (mod p) for some odd r (assuming a ∈ QNRp );
if a(p−1)/2 ≡ 1 (mod p) then g r(p−1)/2 ≡ 1 (mod p)
hence ord(g) = (p − 1) | r(p − 1)/2 ⇒ r/2 is an integer,
i.e. r is even (a contradiction)
QR and Rabin
6 / 23
,
Euler’s criterion: testing a ∈ QRp ?
Lemma 2 (Euler’s criterion)
Let p > 2 be a prime and a ∈ Z∗p . Then a ∈ QRp ⇔ a(p−1)/2 ≡ 1 (mod p).
Proof.
⇒ a ∈ QRp ⇒ ∃b : b2 ≡ a (mod p)
we have a(p−1)/2 ≡ bp−1 ≡ 1 (mod p) (using FLT)
⇐ (Z∗p , ·) is cyclic group; let g be its generator
then g r ≡ a (mod p) for some odd r (assuming a ∈ QNRp );
if a(p−1)/2 ≡ 1 (mod p) then g r(p−1)/2 ≡ 1 (mod p)
hence ord(g) = (p − 1) | r(p − 1)/2 ⇒ r/2 is an integer,
i.e. r is even (a contradiction)
QR and Rabin
6 / 23
,
Computing square roots modulo n = p · q
(1)
There is a PPT algorithm for factoring n ⇔ there is a PPT algorithm for
computing square roots modulo n.
⇒ let’s solve x 2 ≡ a (mod n) for a ∈ QRn
trivially, if a ∈ QRn then a ∈ QRp and a ∈ QRq
compute u, v such that u2 ≡ a (mod p), v 2 ≡ a (mod q)
use CRT to solve:
x≡u
(mod p)
x≡v
(mod q)
trivially, x 2 ≡ a (mod p) and x 2 ≡ a (mod q)
therefore (again by CRT) x 2 ≡ a (mod n)
QR and Rabin
7 / 23
,
Computing square roots modulo n = p · q
(2)
⇐ let a = m2 mod n for randomly chosen m ∈ Z∗n
solve x 2 ≡ a (mod n); since pq | (x − m)(x + m) there are four possible
solutions:
x≡m
(mod p)
&
x ≡ m (mod q)
x≡m
(mod p)
&
x ≡ −m (mod q)
x ≡ −m
(mod p)
&
x ≡ m (mod q)
x ≡ −m
(mod p)
&
x ≡ −m (mod q)
computing gcd(x − m, n) reveals p and q in 2nd and 3rd case, respectively
therefore we factor n with probability 1/2 for each choice of m
QR and Rabin
8 / 23
,
Rabin cryptosystem
I
Initialization: choose p, q large, distinct primes; n = p · q
I
I
I
usually choose p ≡ q ≡ 3 (mod 4) (?)
easy computation of square roots
encryption is permutation on QRn
I
public key: n
I
private key: (p, q)
encryption E : Zn → Zn : E(m) = m2 mod n
I
I
I
fast, just single modular squaring
decryption D(c):
I
compute 4 square roots (knowing the factorization, assuming (?)):
±(c (p+1)/4 mod p)·q ·(q−1 mod p)±(c (q+1)/4 mod q)·p ·(p−1 mod q) mod n
I
I
recognize the valid plaintext (context, structure, redundancy etc.)
alternatively, restrict plain/cipher-text space to QRn
QR and Rabin
9 / 23
,
Rabin cryptosystem – security (1)
I
CPA scenario: ability to decrypt is provably equivalent to factoring n
I
I
insecurity in CCA scenario:
I
I
I
I
I
looks better than RSA
choose random m and compute c = m2 mod n
use c as a chosen ciphertext . . . let m0 be its decryption
then gcd(m − m0, n) yields a non-trivial factor of n with probability 1/2
repeat to increase the probability of success
padding (for uniqueness of decryption) “destroys” both properties:
I
I
equivalence to factoring: because decryption works only on subset of
ciphertexts and only the “correct” plaintext is returned
CCA insecurity: small probability of producing a valid ciphertext without
knowing the plaintext
QR and Rabin
10 / 23
,
Rabin cryptosystem – security (2)
I
I
OAEP is a good padding for Rabin
some attacks can be “translated” from RSA:
I
meet in the middle attack on short plaintexts, k = k1 · k2 :
k 2 ≡ k12 · k22
I
linearly (polynomially) dependent plaintexts, e.g. m2 = am1 + b:
(z − m1 ) | z 2 − c1
(z − m1 ) | (az + b)2 − c2
I
(mod n)
⇒
gcd(z 2 − c1 , (az + b)2 − c2 )
the computation yields z − m1 (probably)
Example 1:
Let n = 77, c1 = 53, c2 = 37, and m2 = 2m41 + m21 + 3.
gcd(z 2 − 53, (2z 4 + z 2 + 3)2 − 37) =
= gcd(z 2 + 24, 4z 8 + 4z 6 + 13z 4 + 6z 2 + 49) = z 2 + 24 = z 2 − 53,
QR and Rabin
11 / 23
,
Rabin cryptosystem – security (2)
I
I
OAEP is a good padding for Rabin
some attacks can be “translated” from RSA:
I
meet in the middle attack on short plaintexts, k = k1 · k2 :
k 2 ≡ k12 · k22
I
linearly (polynomially) dependent plaintexts, e.g. m2 = am1 + b:
(z − m1 ) | z 2 − c1
(z − m1 ) | (az + b)2 − c2
I
(mod n)
⇒
gcd(z 2 − c1 , (az + b)2 − c2 )
the computation yields z − m1 (probably)
Example 2:
Let n = 77, c1 = 23, c2 = 58, and m2 = 2m31 + m21 + 3.
gcd(z 2 − 23, (2z 3 + z 2 + 3)2 − 58) =
= gcd(z 2 + 54, 4z 6 + 4z 5 + 12z 3 + z 4 + 6z 2 + 28) = z + 32 = z − 45,
Thus m1 = 45 (or m1 = −45 = 32) and m2 = 2 · 453 + 452 + 3 = 17 (or
m2 = −17 = 60).
QR and Rabin
11 / 23
,
Rabin cryptosystem – security (2)
I
I
OAEP is a good padding for Rabin
some attacks can be “translated” from RSA:
I
meet in the middle attack on short plaintexts, k = k1 · k2 :
k 2 ≡ k12 · k22
I
(mod n)
linearly (polynomially) dependent plaintexts, e.g. m2 = am1 + b:
(z − m1 ) | z 2 − c1
(z − m1 ) | (az + b)2 − c2
⇒
gcd(z 2 − c1 , (az + b)2 − c2 )
the computation yields z − m1 (probably)
I
many variants and generalizations . . . none of them used in practice
QR and Rabin
11 / 23
,
Legendre symbol
I
indicator of quadratic residuosity modulo a prime p > 2
I
let a ≥ 0 be an integer
I
Legendre symbol:
0





a
1
=

p

 −1

a
p
if p | a
if a ∈ QRp
if a ∈ QNRp
= a(p−1)/2 mod p
I
easy to compute:
I
the first case is trivial; the second one follows from Euler’s criterion
I
the third case, a ∈ QNRp : ap−1 ≡ 1 (mod p) (FLT) ⇒
p|(a(p−1)/2 − 1)(a(p−1)/2 + 1) ⇒ a(p−1)/2 mod p ∈ {1, −1}
. . . and the value 1 is for QRp only
QR and Rabin
12 / 23
,
Jacobi symbol
I
generalization of Legendre symbol to odd composite modulus n
I
let n = p1l1 p2l2 … pklk for primes pi > 2 and exponents li > 0
I
Jacobi symbol for an integer a ≥ 0:
a
n
I
if gcd(a, n) > 1 then
QR and Rabin
a
n
=
k li
Ö
a
i=1
pi
=0
13 / 23
,
Jacobi symbol – basic properties
b
=
n
n
a
a ≡ b (mod n) ⇒
ab
b
a
·
=
n
n
n
(
1 if n ≡ ±1 (mod 8)
2
=
n
−1 if n ≡ ±3 (mod 8)
n



−
if n ≡ a ≡ 3 (mod 4)
a 

a
n
=
for odd a :

n

otherwise

a

I
first two properties follow from definition
I
Jacobi symbol can be computed efficiently without knowing the
factorization of n
QR and Rabin
(1)
(2)
(3)
(4)
14 / 23
,
Jacobi symbol and quadratic residuosity (1)
a
n
= 1 (the opposite implication does not hold)
I
a ∈ QRn ⇒
I
example, n = 15, QR15 = {1, 4}:
a
a
3
a
5 a
15
I
1
1
1
1
2
-1
-1
1
3
0
-1
0
4
1
1
1
5
-1
0
0
6
0
1
0
7
1
-1
-1
8
-1
-1
1
9
0
1
0
10
1
0
0
11
-1
1
-1
12
0
-1
0
13
1
-1
-1
14
-1
1
-1
the most interesting case for cryptography: n = p · q
|QRn ∪ QNRn | = φ(n) = (p − 1)(q − 1)
|QRn | = φ(n)/4
QR and Rabin
(4 square roots)
15 / 23
,
Jacobi symbol and quadratic residuosity (2)
QRn
pseudo-squares
Z∗n
QNRn
+1
QR and Rabin
QNRn
−1
16 / 23
,
Quadratic residuosity problem
Let n be a product of two distinct (large) primes. Given an integer a (such
that na = 1) decide whether a ∈ QRn or a ∈ QNRp .
I
distinguishing between quadratic residues and pseudo-squares
I
not harder than factorization (easier? . . . not known)
I
some cryptographic constructions base their security on the hardness of
QRP
QR and Rabin
17 / 23
,
Goldwasser–Micali cryptosystem
I
I
Goldwasser-Micali (1982)
Initialization:
1. n = p · q (p , q are large primes)
y
2. y ∈ QNRn such that n = 1 (pseudo-square)
I
I
I
public key: (y, n)
private key: (p, q)
encryption:
I
I
I
I
plaintext m = m1 … mk ∈ {0, 1}k
$
− Z∗n
ciphertext c = (c1 , … , ck ) ∈ (Z∗n )k , where ci = x 2 · y mi mod n for x ←
if mi = 0 then ci is a random quadratic residue
2 y if mi = 1 then ci is a random pseudo-square: cni = xn
n =1
and ci is not a square, otherwise:
ci ≡ b2 ≡ x 2 · y ⇒ y ≡ (b · x −1 )2 (mod n)
(contradiction)
QR and Rabin
18 / 23
,
Goldwasser–Micali cryptosystem (2)
I
decryption – distinguishing between squares and pseudo-squares:
c
c
c ∈ QRn ⇐⇒
=1 &
=1
p
q
I
security: quadratic residuosity problem
we can choose y = −1 if p ≡ q ≡ 3 (mod 4)
I
I
I
= (−1)(p−1)/2 mod p = (−1)odd = −1 (similarly for q)
shorter public key, faster encryption
−1
p
I
length expansion: k-bit plaintext ≈ (k lg n)-bit long ciphertext
I
randomized encryption: 1 plaintext ≈ Θ(nk ) ciphertexts
I
not very practical
QR and Rabin
19 / 23
,
Remarks on Blum integers
I
Blum integer n: product of two distinct primes p ≡ q ≡ 3 (mod 4)
I
exactly one square root of a ∈ QRn is again in QRn
I
I
function f : QRn → QRn , where f (x) = x 2 mod n, is a permutation on
QRn
inverse function can be computed:
f −1 (y) = y
QR and Rabin
(p−1)(q−1)+4
8
mod n
20 / 23
,
BBS generator
I
Blum, Blum, Shub (1986)
I
asymmetric pseudo-random bit generator
I
Initialization: generate a Blum integer n
I
public key: n
I
private key: p, q
the generator:
I
$
1. x0 = r 2 mod n, where r ←
− Z∗n
2
2. xi = xi−1 mod n, for i ≥ 1
3. output: b0 , b1 , … , where bi = xi mod 2
I
encryption of plaintext m = m0 … mk−1 ∈ {0, 1}k :
ciphertext is a pair hc, xk i, where c = (c0 , … , ck−1 ) and ci = mi ⊕ bi
QR and Rabin
21 / 23
,
BBS generator (2)
I
decryption:
1. compute x0 from xk (using properties of Blum integers and CRT):
x0 ≡ xk
x0 ≡ xk
p+1 k
4
q+1
4
k
mod (p−1)
mod (q−1)
(mod p)
(mod q)
k−1 and decrypt c
2. recompute {bi }i=1
I
security: predicting BBS sequence as hard as factoring (in theory)
I
length expansion: k-bit plaintext ≈ (k + lg n)-bit long ciphertext
I
randomized encryption: 1 plaintext ≈ Θ(n) ciphertexts
QR and Rabin
22 / 23
,
BBS generator (3)
I
Theory:
I
I
I
predicting BBS sequence as hard as factoring:
A statistical test that distinguishes the BBS sequences from random
sequences can be used to factor the modulus.
one can use O(lg lg n) lower-order bits instead of single parity bit
the reduction is polynomial but not tight ⇒ long modulus is needed to
achieve sufficient security guarantee
e.g. see Sidorenko, Schoenmakers (2005)
QR and Rabin
23 / 23
,