Here, we come back to a classical RSA modulus $n = pq$, where the primes $p$ and $q$ are chosen according to the character order $d$, i.e., such that $d \mid p - 1$ and $d \mid q - 1$. Again, we focus in particular on the cases $d = 2, 3, 4$.
Key Validity
The aim of this part is to find some criteria on elements of $\mathbb{Z}_n^*$ to $H$-generate $\mathbb{Z}_n^*$ for any group $H$ of order $d$. For the sake of simplicity, we will say "$d$-generate $\mathbb{Z}_n^*$". Due to the structure of $\mathbb{Z}_n^*$, it will be sufficient to consider two elements, so that $L_{\mathrm{key}} = 2$ for Setup Variants 3 and 4 of the MOVA scheme.
The following proposition shows how we can generally proceed to determine whether two elements $d$-generate $\mathbb{Z}_n^*$.
5.5. On the MOVA Key Validation
Proposition 5.5.1. Let $n$ and $d$ be integers defined as above and $u, v \in \mathbb{Z}_n^*$. Assume we are given two characters $\chi_p$ and $\chi_q$ of order $d$ which are defined on $\mathbb{Z}_p^*$ and $\mathbb{Z}_q^*$ respectively. Consider the function $\phi : \mathbb{Z}_n^* \to \mathbb{Z}_d \oplus \mathbb{Z}_d$ defined by
$$\phi(x) = \bigl(\log_{\chi_p}(x \bmod p),\ \log_{\chi_q}(x \bmod q)\bigr).$$
Then, $u$ and $v$ $d$-generate $\mathbb{Z}_n^*$ if and only if $\phi(u)$ and $\phi(v)$ are both elements of order $d$ such that $\langle \phi(u) \rangle \cap \langle \phi(v) \rangle = \{(0, 0)\}$.
Proof. We note that $\phi$ is a surjective group homomorphism since both characters $\chi_p$ and $\chi_q$ are of order $d$ and $p \neq q$. Namely, $x \bmod p$ and $x \bmod q$ can take all values independently, so that the pair $(\chi_p(x \bmod p), \chi_q(x \bmod q))$ takes all possible values. By the First Isomorphism Theorem, we have $\mathbb{Z}_n^*/\ker(\phi) \cong \mathbb{Z}_d \oplus \mathbb{Z}_d$. Moreover, $\ker(\phi) = (\mathbb{Z}_n^*)^d$ and we obtain the following commutative diagram
$$\begin{array}{ccc}
\mathbb{Z}_n^* & \xrightarrow{\ \ \phi\ \ } & \mathbb{Z}_d \oplus \mathbb{Z}_d \\
{\scriptstyle \mathrm{proj}} \downarrow & \nearrow {\scriptstyle \cong} & \\
\mathbb{Z}_n^*/(\mathbb{Z}_n^*)^d & &
\end{array}$$
where $\mathrm{proj}$ denotes the canonical projection. By assertion 7 of Lemma 4.1.3, $u$ and $v$ $d$-generate $\mathbb{Z}_n^*$ if and only if $\mathrm{proj}(u)$ and $\mathrm{proj}(v)$ generate $\mathbb{Z}_n^*/(\mathbb{Z}_n^*)^d$. Due to the above commutative diagram, this is equivalent to proving that $\phi(u)$ and $\phi(v)$ generate $\mathbb{Z}_d \oplus \mathbb{Z}_d$. It suffices to determine when two elements generate the group $\mathbb{Z}_d \oplus \mathbb{Z}_d$. Any two elements $g, h \in \mathbb{Z}_d \oplus \mathbb{Z}_d$ generate the subgroup $\langle g, h \rangle = \langle g \rangle + \langle h \rangle$. Since the order of any element of $\mathbb{Z}_d \oplus \mathbb{Z}_d$ is at most equal to $d$, the subgroup $\langle g, h \rangle$ can contain $d^2$ elements only if $g$ and $h$ are of order $d$. We conclude by saying that $\langle g, h \rangle = \mathbb{Z}_d \oplus \mathbb{Z}_d$ if $g$ and $h$ additionally generate subgroups with a trivial intersection.
In practice, the signer can pick $\mathrm{seed}_K$ at random until this seed generates two elements $\mathrm{Gen}_K(\mathrm{seed}_K) \to u, v \in \mathbb{Z}_n^*$ which $d$-generate $\mathbb{Z}_n^*$. To check the last property, he can use the results of the above proposition. More precisely, an element $(a, b) \in \mathbb{Z}_d \oplus \mathbb{Z}_d$ has order $d$ if and only if $a \in \mathbb{Z}_d^*$ or $b \in \mathbb{Z}_d^*$. The second criterion can be verified by testing whether $\phi(v) = j\,\phi(u)$ for some $j \in \mathbb{Z}_d^*$. In other words, we check that $\phi(v) \notin \langle \phi(u) \rangle$. Since $\phi(v)$ is of order $d$, it is sufficient to test only $j \in \mathbb{Z}_d^*$ instead of all $j \in \mathbb{Z}_d \setminus \{0\}$.
Example 8. Let $n = pq$ be an RSA modulus with $p \equiv q \equiv 1 \pmod 4$ and $\pi, \sigma \in \mathbb{Z}[i]$ such that $N(\pi) = p$ and $N(\sigma) = q$. The signer can decide whether $u$ and $v$ 4-generate $\mathbb{Z}_n^*$ by checking the following properties.
5. Characters on $\mathbb{Z}_n^*$ and Applications to MOVA
1. At least one value among $\chi_\pi(u), \chi_\sigma(u)$ is equal to $i$ or $-i$.
2. At least one value among $\chi_\pi(v), \chi_\sigma(v)$ is equal to $i$ or $-i$.
3. $(\chi_\pi(u), \chi_\sigma(u)) \neq (\chi_\pi(v), \chi_\sigma(v))$ and $(\chi_\pi(u), \chi_\sigma(u)) \neq (\chi_\pi(v)^3, \chi_\sigma(v)^3)$.
Very similar results are obtained with $d = 2$ and $3$.
Expert Group Knowledge
As shown in Setup Variants 3 and 4 of the MOVA scheme, the signer needs to perform the protocol MGGDproof and NIMGGDproof respectively. Both these protocols require from the signer an expert group knowledge with respect to the set $\{X_{\mathrm{key}_1}, \ldots, X_{\mathrm{key}_{L_{\mathrm{key}}}}\}$. As shown above, we can always reduce $L_{\mathrm{key}}$ to 2 for the characters we consider here. We have $X_{\mathrm{key}_1} = u$, $X_{\mathrm{key}_2} = v$, $X_{\mathrm{group}} = \mathbb{Z}_n^*$ and $Y_{\mathrm{group}} = \mathbb{Z}_d$, where $u$ and $v$ are chosen according to Proposition 5.5.1. In our context, an expert group knowledge of the signer means that for any $x \in \mathbb{Z}_n^*$ he is able to find an $r \in \mathbb{Z}_n^*$ and some coefficients $a, b \in \mathbb{Z}_d$ such that
$$x = r^d u^a v^b \bmod n.$$
We show below how one can solve such an equation given the knowledge of the factorization of $n$. Namely, as shown in Section 5.2, all characters defined on $\mathbb{Z}_n^*$ can be found with $p$ and $q$ for $d = 2, 3, 4$. For the sake of simplicity, we consider $\chi_p$ and $\chi_q$ defined on $\mathbb{Z}_n^*$. We first determine the unique coefficients $a$ and $b$ for a given $x$. To this end, we compute $\log_{\chi_p}(x)$ and $\log_{\chi_q}(x)$ and solve the equations
$$\begin{aligned}
\log_{\chi_p}(x) &\equiv a \log_{\chi_p}(u) + b \log_{\chi_p}(v) \pmod d \\
\log_{\chi_q}(x) &\equiv a \log_{\chi_q}(u) + b \log_{\chi_q}(v) \pmod d
\end{aligned}$$
with respect to $a$ and $b$. By definition of $u$ and $v$, we are ensured that a unique solution exists. Namely, the two vectors $(\log_{\chi_p}(u), \log_{\chi_q}(u))$ and $(\log_{\chi_p}(v), \log_{\chi_q}(v))$ form a basis of $\mathbb{Z}_d \oplus \mathbb{Z}_d$ since
$$\mathbb{Z}_d \oplus \mathbb{Z}_d \cong \langle \phi(u) \rangle \oplus \langle \phi(v) \rangle.$$
It remains to find a $d$th root of $x/(u^a v^b) \bmod n$. This can be achieved by finding the $d$th root of this element modulo $p$ and $q$. We retrieve $r$ by applying the Chinese Remainder Theorem. For $d = 2$, we can use the algorithm of Tonelli and Shanks (see [42]) and for $d = 4$, we apply it twice. Extracting cube roots can also be done efficiently modulo $p$ and $q$ by using an algorithm similar to the Tonelli and Shanks algorithm. More details about the computation of a cube root modulo a prime are given in Williams and Zarnke [147].
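As an added worked example (not code from the thesis), the following Python script instantiates both the key-validity check of Proposition 5.5.1 and the representation $x = r^d u^a v^b \bmod n$ that constitutes the signer's expert group knowledge, on a constructed toy modulus $n = 13 \cdot 29$ with $d = 4$. It assumes the order-$d$ characters $\chi_p(x) = x^{(p-1)/d} \bmod p$ (the $d$th power residue symbol, rather than the Gaussian-integer quartic symbol of Example 8), and extracts $d$th roots with an exponent shortcut that requires $\gcd(d, (p-1)/d) = 1$ instead of the Tonelli and Shanks algorithm.

```python
from math import gcd

def primitive_dth_root(p, d):
    """Generator zeta of the d-th roots of unity mod p (requires d | p-1)."""
    for g in range(2, p):
        z = pow(g, (p - 1) // d, p)
        if all(pow(z, k, p) != 1 for k in range(1, d)):
            return z

def char_log(x, p, d):
    """log_{chi_p}(x) in Z_d for the order-d character chi_p(x) = x^((p-1)/d) mod p."""
    zeta, val = primitive_dth_root(p, d), pow(x, (p - 1) // d, p)
    return next(k for k in range(d) if pow(zeta, k, p) == val)

def phi(x, p, q, d):
    """phi(x) = (log_{chi_p}(x mod p), log_{chi_q}(x mod q)) in Z_d + Z_d."""
    return (char_log(x % p, p, d), char_log(x % q, q, d))

def has_order_d(e, d):
    """(a, b) has order d iff no multiple k*(a, b) with 0 < k < d is (0, 0)."""
    return all((k * e[0]) % d or (k * e[1]) % d for k in range(1, d))

def d_generate(u, v, p, q, d):
    """Proposition 5.5.1: phi(u), phi(v) of order d and phi(v) not in <phi(u)>."""
    pu, pv = phi(u, p, q, d), phi(v, p, q, d)
    if not (has_order_d(pu, d) and has_order_d(pv, d)):
        return False
    units = [j for j in range(1, d) if gcd(j, d) == 1]  # testing j in Z_d^* suffices
    return all(pv != ((j * pu[0]) % d, (j * pu[1]) % d) for j in units)

def dth_root_mod_p(y, p, d):
    """d-th root of a d-th power residue y mod p.  Assumed shortcut: gcd(d, (p-1)/d) = 1,
    so r = y^(d^-1 mod (p-1)/d) works; the general case needs Tonelli-Shanks instead."""
    m = (p - 1) // d
    assert gcd(d, m) == 1 and pow(y, m, p) == 1
    return pow(y, pow(d, -1, m), p)

def represent(x, u, v, p, q, d):
    """Expert group knowledge: (r, a, b) with x = r^d u^a v^b mod n, given p and q."""
    n = p * q
    px, pu, pv = (phi(t, p, q, d) for t in (x, u, v))
    # solve px = a*phi(u) + b*phi(v) in Z_d + Z_d; unique since (phi(u), phi(v)) is a basis
    a, b = next((a, b) for a in range(d) for b in range(d)
                if ((a * pu[0] + b * pv[0]) % d, (a * pu[1] + b * pv[1]) % d) == px)
    y = x * pow(pow(u, a, n) * pow(v, b, n), -1, n) % n  # x/(u^a v^b) is a d-th power
    rp, rq = dth_root_mod_p(y % p, p, d), dth_root_mod_p(y % q, q, d)
    r = (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n  # Chinese Remainder Theorem
    return r, a, b

P, Q, D, U, V = 13, 29, 4, 236, 60  # constructed toy parameters: n = 377, phi(U) = (1,2), phi(V) = (3,1)
```

Calling `d_generate(U, V, P, Q, D)` returns `True`, while `d_generate(U, pow(U, 3, 377), P, Q, D)` fails the second criterion because $\phi(u^3) = 3\,\phi(u)$ lies in $\langle \phi(u) \rangle$; `represent(2, U, V, P, Q, D)` returns a triple that can be checked directly against $x = 2$.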
After having shown that the factorization of $n$ allows one to have an expert group knowledge of $\mathbb{Z}_n^*$, we prove the converse statement below. Assume we have an oracle such that for any query $x \in \mathbb{Z}_n^*$, we receive some values $r \in \mathbb{Z}_n^*$, $a, b \in \mathbb{Z}_d$ satisfying $x = r^d u^a v^b \bmod n$. The main technique consists in picking some $r_1 \in_U \mathbb{Z}_n^*$ and $a, b \in_U \mathbb{Z}_d$ uniformly at random, sending $x = r_1^d u^a v^b \bmod n$ to the oracle, and attempting to factorize $n$ using the received representation $x = r_2^d u^a v^b \bmod n$. From this, we get two $d$th roots of the same value, namely
$$r_1^d \equiv r_2^d \pmod n.$$
It is well known that if $r_1 \not\equiv \pm r_2 \pmod n$ and $d = 2$, we retrieve a non-trivial factor of $n$ with probability $1/2$ by computing $\gcd(r_1 - r_2, n)$. This extends easily to $d = 4$, since a 4th root leads to a square root in a straightforward way. For $d = 3$, we proceed in the same way and $\gcd(r_1 - r_2, n)$ leads to a non-trivial factor of $n$ with a probability of $4/9$. This probability corresponds to the cases where both roots are equal modulo $p$ but not modulo $q$ and vice versa. So, if we repeat the above method until a success occurs, we can factorize $n$. The expected time to success is quite low and in any case polynomial in $\log(n)$.
Chapter 6
Additional Homomorphisms and Algorithmic Issues
Homomorphism evaluations play a central role in the different components of MOVA and in particular in the signature generation algorithm. Due to the generic nature of the MOVA undeniable signature scheme, the choice of group homomorphisms must be specified in order to fully determine the different parameters and algorithmic aspects. The main task of this chapter is to contribute to the latter by clarifying the impact of the choice of homomorphism on the efficiency of MOVA. Particular attention is given to the quartic residue symbol, for which practical implementations are not widespread. Furthermore, we focus on a homomorphism briefly introduced in Chapter 4 which consists in sending elements into a hidden (relatively small) subgroup followed by a discrete logarithm computation.
We first present the different homomorphisms considered for the efficiency comparisons, giving a more detailed treatment to the homomorphism based on the discrete logarithm. The next section is dedicated to algorithms for the computation of the quartic residue symbol. In Section 6.3, we briefly explain the different variants for computing the discrete logarithm based homomorphism. Then, we focus on the implementation of this homomorphism as well as of the quartic residue symbol. We finally conclude by comparing the different homomorphisms with respect to the generation of a 20-bit MOVA signature.