Rabin signature algorithm

In cryptography the Rabin signature algorithm is a method of digital signature originally proposed by Michael O. Rabin in 1979. The Rabin signature algorithm was one of the first digital signature schemes proposed, and it is the only one to relate the hardness of forgery directly to the problem of integer factorization. The Rabin signature algorithm is existentially unforgeable in the random oracle model assuming the integer factorization problem is intractable. The Rabin signature algorithm is also closely related to the Rabin cryptosystem.

But, the RSA cryptosystem has a prominent role in the early days of public key cryptography, and the Rabin signature algorithm is not covered in most introductory courses on cryptography.

Equations

If H is a collision resistant hash function, m the message to sign and

H(m)^{\frac {p-1}{2}}{\bmod {p}}=1

and

H(m)^{\frac {q-1}{2}}{\bmod {q}}=1

the signature S is given by the equation

S=\left(\left(p^{q-2}H(m)^{\frac {q+1}{4}}{\bmod {q}}\right)p+\left(q^{p-2}H(m)^{\frac {p+1}{4}}{\bmod {p}}\right)q\right){\bmod {(}}p\cdot q)

.

Everybody can verify

H(m)=S^{2}{\bmod {(}}p\cdot q)

,

if the value $n=p\cdot q$ is public.

Original Algorithm - insecure without hash function

Key Generation
- The signer S chooses primes p, q each of size approximately k/2 bits, and computes the product $n=p\cdot q$ .
- S then chooses a random b in $\{1,\ldots,n\}$ .
- The public key is (n, b).
- The private key is (p, q).
Signing
- To sign a message m the signer S picks random padding U and calculates $m\cdot U\mod n$ .
- S then solves $x(x+b)\mod n=m\cdot U\mod n$ .

- If there is no solution S picks a new pad U and tries again.

- The signature on m is the pair (U, x)
Verification
- Given a message m and a signature (U,x) the verifier V calculates x(x+b) mod n and $m\cdot U\mod n$ and verifies that they are equal.

Secure and simplified Algorithm

The secure algorithm relies on a collision-resistant hash function $H : \{0,1\}^* \rightarrow \{0,1\}^k$ .

In most presentations the algorithm is simplified by choosing $b=0$ . The hash function H with k output bits is assumed to be a random oracle and the algorithm works as follows:

Key generation

The signer S chooses primes p, q each of size approximately k/2 bits, and p, q mod 4 equals 3. He computes the product $n=p\cdot q$ .
The public key is n.
The private key is (p, q).

Signing

To sign a message m the signer S picks random padding U and calculates H(m, U).
If H(m, U) is not a square modulo n, S picks a new pad U.
S computes one value x that solves the equation $x^{2}=H(m,U)\mod n$ .
The signature on m is the pair (U, x).

Verification

Given a message m and a signature (U, x), the verifier V calculates x² mod n and H(m, U) and verifies that they are equal.

Remarks

In some treatments the random pad U is eliminated. Instead we can eventually multiply the hash value with two numbers a or b with the properties $\left({\tfrac {a}{p}}\right)=-\left({\tfrac {a}{q}}\right)=1$ and $\left({\tfrac {b}{q}}\right)=-\left({\tfrac {b}{p}}\right)=1$ , where $(\cdot )$ denotes the legendre symbol. Then for any H modulo n exactly one of the four numbers $H,aH,bH,abH$ will be a square modulo n, and the signer chooses that one for his signature.

Even more simple, we change the message m until the signature can be verified.

def root(m, p, q):

 while True:
   x = h(m)
   sig =   pow(p,q-2,q) * p * pow(x,(q+1)/4,q) 
   sig = ( pow(q,p-2,p) * q * pow(x,(p+1)/4,p) + sig ) % (nrabin) 
   if (sig * sig) % nrabin == x:
     print "write extended message to file m "
     f = open('m','w')
     f.write(m)
     f.close()
     break
   m = m + ' '
 return sig

Security

If the hash function H is a random oracle, i.e. its output is truly random in $\mathbb {Z} /n\mathbb {Z}$ , then forging a signature on any message m is as hard as calculating the square root of a random element in $\mathbb {Z} /n\mathbb {Z}$ .

To prove that taking a random square root is as hard as factoring, we first note that in most cases there are four distinct square roots since n has two square roots modulo p and two square roots modulo q, and each pair gives a square root modulo n by the chinese remainder theorem. Some of the four roots may have the same value, but only with extreme low probability.

Now, if we can find two different square roots, x,y such that $x^2 = y^2 \mod n$ but $x \ne \pm y \mod n$ , then this immediately leads to a factorization of n since n divides $x^2 - y^2 = (x-y)(x+y)$ but it does not divide either factor. Thus taking $\operatorname {gcd} (x\pm y,n)$ will lead to a nontrivial factorization of n.

Now, we assume an efficient algorithm exists to find at least one square root. Then we pick a random r modulo n and square it $r^2 = R \mod n$ , then, using the algorithm we take one square root of R modulo n, we will get a new square root $r^\prime$ , and with probability half $r \ne \pm r^\prime \mod n$ .

References

Michele Elia, Davide Schipani, On the Rabin Signature, 2011 PDF
Buchmann, Johannes. Einführung in die Kryptographie. Second Edition. Berlin: Springer, 2001. ISBN 3-540-41283-2
Menezes, Alfred; van Oorschot, Paul C.; and Vanstone, Scott A. Handbook of Applied Cryptography. CRC Press, October 1996. ISBN 0-8493-8523-7
Rabin, Michael. Digitalized Signatures and Public-Key Functions as Intractable as Factorization (in PDF). MIT Laboratory for Computer Science, January 1979.
Scott Lindhurst, An analysis of Shank's algorithm for computing square roots in finite fields. in R Gupta and K S Williams, Proc 5th Conf Can Nr Theo Assoc, 1999, vol 19 CRM Proc & Lec Notes, AMS, Aug 1999.
R Kumanduri and C Romero, Number Theory w/ Computer Applications, Alg 9.2.9, Prentice Hall, 1997. A probabilistic for square root of a quadratic residue modulo a prime.

External links

Software Implementation with Python programming language

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.