5.2 Instantiations for the MOVA Scheme
We provide a way to define certain multiplicative characters on $\mathbb{Z}_n^*$ for $n = pq$ the product of two primes. So, we will consider MOVA instantiations with $X_{\text{group}} = \mathbb{Z}_n^*$. The way of defining all characters on $\mathbb{Z}_n^*$ is mainly based on the following result.
Lemma 5.2.1 ([114], p. 128). Let $G$ be a finite Abelian group and let $G_1, \ldots, G_k$ be subgroups of $G$ such that $G = G_1 \oplus \cdots \oplus G_k$. For every character $\chi \in \widehat{G}$, there exist unique characters $\chi_i \in \widehat{G_i}$ such that if $g \in G$ and $g = g_1 + \cdots + g_k$ with $g_i \in G_i$ for $i = 1, \ldots, k$, then
$$\chi(g) = \chi_1(g_1) \cdots \chi_k(g_k).$$
Moreover,
$$\widehat{G} \simeq \widehat{G_1} \oplus \cdots \oplus \widehat{G_k}.$$
From this result and the Chinese Remainder Theorem on $\mathbb{Z}_n^*$, we deduce that any character on $\mathbb{Z}_n^*$ can be defined from characters on $\mathbb{Z}_p^*$ and $\mathbb{Z}_q^*$. The corresponding character on $\mathbb{Z}_n^*$ is obtained in the same way as the Jacobi symbol is defined from the Legendre symbol. To illustrate this technique, assume we have an integer $d$ such that $d \mid p-1$ and $d \mid q-1$. From two characters $\chi_1$ and $\chi_2$ of order dividing $d$ defined on $\mathbb{Z}_p^*$ and $\mathbb{Z}_q^*$ respectively, the character $\chi$ of order dividing $d$ is obtained by
$$\chi(a) := \chi_1(a \bmod p) \cdot \chi_2(a \bmod q)$$
for any $a \in \mathbb{Z}_n^*$. Lemma 5.2.1 ensures that all characters $\chi$ on $\mathbb{Z}_n^*$ of order dividing $d$ can be defined in this way.
For any character $\chi$ of order $d$ we associate a logarithm function denoted $\log_\chi$. We set $\zeta_d := e^{2\pi i/d}$. For an element $a \in \mathbb{Z}_n^*$, we know that $\chi(a)$ is of the form $\zeta_d^{\,j}$ for a $j \in \{0, 1, \ldots, d-1\}$. We define $\log_\chi(a) := \log_{\zeta_d}(\chi(a))$, which is equal to this $j$. Hence, the homomorphism $\log_\chi$ has the associated range group $Y_{\text{group}} = \mathbb{Z}_d$.
5.2.1 Characters of Order 2
Here, $p$ and $q$ stand for any two distinct odd primes. From the above discussion, we deduce that the complete list of characters of order dividing 2 on $\mathbb{Z}_n^*$ is $(\cdot/p)$, $(\cdot/q)$, $(\cdot/n)$ and the trivial character. Note that the properties given in Proposition 5.1.4 are used in order to compute the Jacobi symbol $(\cdot/n)$ in time $O(\log(n)^2)$, without knowing the factorization of $n$. Furthermore, note that the ability to compute $(\cdot/p)$ (without knowing $p$) is equivalent to the ability to compute $(\cdot/q)$, since $(\cdot/q) = (\cdot/n)(\cdot/p)$, and implies solving the quadratic residuosity problem.¹
¹We point out that the security of the first semantically secure public-key cryptosystem, proposed by Goldwasser and Micali [73], is based on this problem.
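The CRT composition of Lemma 5.2.1 and the order-2 case above, as an added example (not code from the thesis): the four characters of order dividing 2 on $\mathbb{Z}_n^*$ are built from Euler's criterion for the Legendre symbol, which needs the primes, and the composed $(\cdot/n)$ is checked against the usual reciprocity-based Jacobi algorithm that never sees $p$ or $q$. The primes 10007, 10009 and the sample range are constructed for the illustration; `compose`, `order2_characters` and `check_order2` are names chosen here, not from the text.

```python
# Added example (not code from the thesis): order-2 characters on Z_n^*, n = p*q,
# composed from Legendre symbols as in Lemma 5.2.1 / CRT, compared with the
# Jacobi symbol computed without the factorization, plus log_chi onto Z_2.
# The primes and sample values below are constructed for illustration.

def legendre(a, p):
    """Legendre symbol (a/p) by Euler's criterion; needs the prime p itself."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def jacobi(a, n):
    """Jacobi symbol (a/n), odd n > 0, via quadratic reciprocity in O(log(n)^2).
    This is the factoring-free evaluation of the character (./n)."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:          # (2/n) = -1 exactly when n = 3 or 5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                # reciprocity: sign flips iff both are 3 mod 4
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def compose(chi1, chi2):
    """Lemma 5.2.1 with CRT: chi(a) = chi1(a mod p) * chi2(a mod q)."""
    return lambda a: chi1(a) * chi2(a)


def order2_characters(p, q):
    """The four characters of order dividing 2 on Z_n^*: 1, (./p), (./q), (./n)."""
    chi_p = lambda a: legendre(a, p)
    chi_q = lambda a: legendre(a, q)
    return {"1": lambda a: 1, "(./p)": chi_p, "(./q)": chi_q,
            "(./n)": compose(chi_p, chi_q)}


def log_chi(value):
    """log_chi for d = 2: zeta_2 = -1, so 1 -> 0 and -1 -> 1 in Z_2."""
    return 0 if value == 1 else 1


def check_order2(p, q, samples):
    """Checks a practitioner would run: the CRT-composed (./n) agrees with the
    factoring-free Jacobi symbol, every character is multiplicative, and
    log_chi is additive mod 2.  Returns True when every check passes."""
    n = p * q
    chars = order2_characters(p, q)
    units = [a for a in samples if a % p and a % q]     # elements of Z_n^*
    for a in units:
        if chars["(./n)"](a) != jacobi(a, n):
            return False
        for b in units:
            for chi in chars.values():
                ab = a * b % n
                if chi(ab) != chi(a) * chi(b):
                    return False
                if log_chi(chi(ab)) != (log_chi(chi(a)) + log_chi(chi(b))) % 2:
                    return False
    return True


if __name__ == "__main__":
    print(check_order2(10007, 10009, range(2, 60)))   # constructed primes p, q
```

The quadratic residuosity point shows up directly: for $n = 15$ one has $(2/15) = 1$ while $(2/3) = (2/5) = -1$, so knowing the Jacobi symbol alone does not tell whether $2$ is a square modulo $15$.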
5. Characters on $\mathbb{Z}_n^*$ and Applications to MOVA
5.2.2 Characters of Order 3
Let $p, q$ be two distinct rational odd primes such that $p \equiv q \equiv 1 \pmod 3$ and $\pi, \sigma \in \mathbb{Z}[\omega]$ such that $N(\pi) = p$ and $N(\sigma) = q$. Set $n = pq$. The character on $\mathbb{Z}_n^*$ produced by $\chi_\pi$ and $\chi_\sigma$ is denoted by $\chi_{\pi\sigma}$ and is defined by
$$\chi_{\pi\sigma}(a) = \chi_\pi(a) \cdot \chi_\sigma(a).$$
The other characters are defined in exactly the same multiplicative way. There are 8 non-trivial characters of order 3 defined on $\mathbb{Z}_n^*$, namely $\chi_\pi$, $\chi_{\bar\pi}$, $\chi_\sigma$, $\chi_{\bar\sigma}$, $\chi_{\pi\sigma}$, $\chi_{\pi\bar\sigma}$, $\chi_{\bar\pi\sigma}$ and $\chi_{\bar\pi\bar\sigma}$. Without loss of generality, it suffices to consider only $\chi_\pi$ and $\chi_{\pi\sigma}$.
Here, we explain how these characters can be found.² The main problem consists in finding a prime $\pi \in \mathbb{Z}[\omega]$ such that $N(\pi) = p$ for a given rational odd prime $p \equiv 1 \pmod 3$. We first show that $-3$ is a quadratic residue modulo $p$. Namely, from the law of quadratic reciprocity we have
$$\left(\frac{-3}{p}\right) = (-1)^{\frac{p-1}{2}} \left(\frac{p}{3}\right) (-1)^{\frac{p-1}{2} \cdot \frac{3-1}{2}} = \left(\frac{1}{3}\right) = 1,$$
since the two sign factors cancel and $(p/3) = (1/3)$ because $p \equiv 1 \pmod 3$.
Therefore, we can find a square root $u$ of $-3$ modulo $p$ and we obtain the following equation in $\mathbb{Z}[\omega]$
$$u^2 + 3 = (u + 1 + 2\omega)(u - 1 - 2\omega) = kp$$
for an integer $k$. Since $p > 2$, we deduce that $p \nmid u + 1 + 2\omega$ and $p \nmid u - 1 - 2\omega$, which shows that $\gcd(u + 1 + 2\omega, p)$ is not trivial. Thus, we choose
$$\pi = \gcd(u + 1 + 2\omega, p).$$
We mention that $u$ can be computed by the algorithm of Tonelli and Shanks, which computes a square root of any quadratic residue modulo a prime. Details about this algorithm can be found in the book of Cohen [42]. Note also that the gcd can be computed with the classical Euclidean algorithm, since Euclidean division exists in $\mathbb{Z}[\omega]$.
We now summarize another method for finding $\pi$. It is based on solving the equation $a^2 - ab + b^2 = p$ in the integer variables $a$ and $b$. With the change of variables $s = 2a - b$ and $t = b$, $a$ and $b$ can be found by solving the equation
$$s^2 + 3t^2 = 4p.$$
Applying the modified Cornacchia algorithm solves this equation and yields $a$ and $b$. The details of this algorithm are given in the book of Cohen [42]. Once cubic residue characters are found, they can be evaluated using the properties of Theorem 5.1.10. Namely, based on these properties, algorithms with quadratic complexity have been developed. As an example, we refer to Damgård and Frandsen [48].
²This method is very similar to the proof of Proposition 9.1.4 of Ireland and Rosen [79].
5.2.3 Characters of Order 4
We consider two rational primes $p$ and $q$ such that $p \equiv q \equiv 1 \pmod 4$ and $\pi, \sigma \in \mathbb{Z}[i]$ such that $N(\pi) = p$ and $N(\sigma) = q$. We set $n = pq$. All the characters of order dividing 4 defined on $\mathbb{Z}_n^*$ are generated by $\chi_\pi$ and $\chi_\sigma$. If we exclude the trivial character and those of order 2 (Legendre and Jacobi symbols), 12 characters of order 4 remain. In this thesis, we will only work with $\chi_\pi$ and $\chi_{\pi\sigma}$.
We show below how these characters can concretely be found. To this end, we first find an integer $u$ which is a square root of $-1$ modulo $p$. Such a $u$ always exists since $(-1/p) = (-1)^{(p-1)/2} = 1$ whenever $p \equiv 1 \pmod 4$. From this, we get the equality (in $\mathbb{Z}[i]$)
$$u^2 + 1 = (u + i)(u - i) = kp$$
for an integer $k$. We note that $p > 1$ implies that $p \nmid u + i$ and $p \nmid u - i$. Hence, $\gcd(u + i, p)$ cannot be trivial and we can choose
$$\pi = \gcd(u + i, p).$$
As for the characters of order 3, $u$ can be computed by the algorithm of Tonelli and Shanks and the gcd can be found using the classical Euclidean algorithm, since Euclidean division exists in $\mathbb{Z}[i]$. It is also worth mentioning that $\pi = a + bi$ can be found by solving the equation $a^2 + b^2 = p$ in $a$ and $b$ using the algorithm of Cornacchia (see also Cohen [42]). Moreover, efficient algorithms using the properties of Theorem 5.1.16 evaluate quartic residue characters in $O(\log(n)^2)$. These algorithmic aspects will be treated more precisely in Chapter 6.
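The gcd construction of Sections 5.2.2 and 5.2.3 carried out end to end, as an added example that is not code from the thesis: a square root of $-3$ (resp. $-1$) modulo $p$ from Tonelli and Shanks, then Euclid's algorithm in $\mathbb{Z}[\omega]$ (resp. $\mathbb{Z}[i]$) to obtain $\pi = \gcd(u + 1 + 2\omega, p)$ (resp. $\gcd(u + i, p)$), with $N(\pi) = p$ checked. The Cornacchia variants are not implemented here. To show $\log_{\chi_\pi}$ and $\log_{\chi_{\pi\sigma}}$ with values in $\mathbb{Z}_d$, the characters are evaluated from the textbook definition $a^{(p-1)/d} \equiv \theta^{\,j} \pmod \pi$ (Ireland and Rosen), which requires $p$ and is cubic in $\log p$; this is not the $O(\log(n)^2)$ reciprocity-based evaluation the text refers to. The ring class, the names `prime_above`, `log_chi`, `log_chi_composite`, and the primes 7, 13, 10009 are this example's own choices.

```python
# Added example, not code from the thesis: the gcd construction of Sections
# 5.2.2/5.2.3 for pi with N(pi) = p, and chi_pi evaluated by its definition.
# Primes and sample values are constructed for illustration.

def tonelli_shanks(n, p):
    """A square root of the quadratic residue n modulo the odd prime p."""
    n %= p
    assert pow(n, (p - 1) // 2, p) == 1, "not a quadratic residue"
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:   # find a quadratic non-residue
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:                          # least i with t^(2^i) = 1
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


class QuadInt:
    """a + b*theta in Z[theta]; kind 'i': theta^2 = -1, kind 'w': theta = omega,
    omega^2 = -1 - omega.  Both rings are Euclidean with respect to the norm."""

    def __init__(self, a, b, kind):
        self.a, self.b, self.kind = a, b, kind

    def __mul__(self, o):
        a, b, c, d = self.a, self.b, o.a, o.b
        if self.kind == "i":
            return QuadInt(a * c - b * d, a * d + b * c, "i")
        return QuadInt(a * c - b * d, a * d + b * c - b * d, "w")

    def conj(self):                               # omega-bar = omega^2 = -1 - omega
        if self.kind == "i":
            return QuadInt(self.a, -self.b, "i")
        return QuadInt(self.a - self.b, -self.b, "w")

    def norm(self):
        n = self * self.conj()
        assert n.b == 0
        return n.a

    def __mod__(self, o):
        """Euclidean remainder: round self*conj(o)/N(o) coordinatewise; the
        remainder has norm at most N(o)/2 (for i) or 3N(o)/4 (for omega)."""
        num, N = self * o.conj(), o.norm()
        nearest = lambda x: (2 * x + N) // (2 * N)
        qo = QuadInt(nearest(num.a), nearest(num.b), self.kind) * o
        return QuadInt(self.a - qo.a, self.b - qo.b, self.kind)


def ring_gcd(x, y):
    """Euclid's algorithm in Z[i] or Z[omega]; the result is unique up to a unit."""
    while y.a or y.b:
        x, y = y, x % y
    return x


def prime_above(p, kind):
    """pi = gcd(u + i, p) for p = 1 mod 4 (u^2 = -1 mod p), or
    pi = gcd(u + 1 + 2*omega, p) for p = 1 mod 3 (u^2 = -3 mod p); N(pi) = p."""
    if kind == "i":
        assert p % 4 == 1
        alpha = QuadInt(tonelli_shanks(p - 1, p), 1, "i")
    else:
        assert p % 3 == 1
        alpha = QuadInt(tonelli_shanks(p - 3, p) + 1, 2, "w")
    pi = ring_gcd(alpha, QuadInt(p, 0, kind))
    assert pi.norm() == p
    return pi


def log_chi(a, pi, d):
    """log_{chi_pi}(a) in Z_d (d = 3 for omega, d = 4 for i) from the definition
    a^((p-1)/d) = theta^j (mod pi).  Z[theta]/(pi) = Z_p, and theta maps to
    -pi.a / pi.b mod p (since pi = 0 mod pi), a primitive d-th root of unity."""
    p = pi.norm()
    assert (p - 1) % d == 0 and a % p != 0
    theta = -pi.a * pow(pi.b, p - 2, p) % p
    val = pow(a, (p - 1) // d, p)
    return next(j for j in range(d) if pow(theta, j, p) == val)


def log_chi_composite(a, pi, sigma, d):
    """chi_{pi sigma}(a) = chi_pi(a) * chi_sigma(a), so the logs add in Z_d."""
    return (log_chi(a, pi, d) + log_chi(a, sigma, d)) % d


if __name__ == "__main__":
    pi, sigma = prime_above(7, "w"), prime_above(13, "w")    # order 3, n = 91
    print(log_chi(2, pi, 3), log_chi(2, sigma, 3), log_chi_composite(2, pi, sigma, 3))
```

`log_chi` depends on $\pi$ only through the ideal $(\pi)$, so it gives the same answer for any unit multiple returned by the gcd; `ring_gcd` makes no attempt to normalise $\pi$ to a primary element.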
5.2.4 A Variant with Two Levels of Secret
We discuss in this part special characters with two levels of secret. We consider the characters of the form $\chi_{\pi\sigma}$ as defined in the previous subsections. Such characters can be of order 3 or 4 depending on whether $\pi$ and $\sigma$ are picked in $\mathbb{Z}[\omega]$ or in $\mathbb{Z}[i]$. We point out that the knowledge of the value $\alpha := \pi\sigma$ does not easily lead to the factorization of $n = N(\alpha)$. This shows that a signer may have the ability to generate MOVA signatures without knowledge of the factorization of $n$. The latter provides expert group knowledge of $\mathbb{Z}_n^*$ with some appropriate set. Details about this precise point will be given in Section 5.5. At this time, it is only important to remark that we have two levels of secrecy: a partial one allowing to generate, confirm and deny MOVA signatures, while the second also allows to convert signatures.
In addition to the academic and conceptual interest of such a property, a possible useful application is illustrated by the following scenario. We consider a mobile delegate of a company who signs some pre-agreement on some contracts or transactions using $\chi_{\pi\sigma}$, which can be confirmed by a server of the company. Later, the delegate sends a report to his company, which can then issue an ordinary signature for a final agreement by converting the signature of the delegate. In such a scenario, even if the delegate loses his key or it is stolen, he can contact the company before a confirmation of the signature is performed. In any case, the company never converts a signature before being convinced that the delegate's key was not lost or stolen. This is ensured by waiting for the report sent by the delegate.
As for selective convertibility, we need a concrete situation where it is important that the MOVA signature is converted. Otherwise, the company can simply generate an ordinary signature with respect to another algorithm such as DSA or ECDSA.