Abstract
ESIGN is an efficient signature scheme that was proposed in the early nineties (see [14]). Recently, an effort was made to lay ESIGN on firm foundations, using the methodology of provable security. A security proof [15] in the random oracle model, along the lines of [2], appeared in support of ESIGN. However, several unexpected difficulties were found. Firstly, it was observed in [20] that the proof from [15] holds in a more restricted model of security than claimed. Even if it is quite easy to restore the usual security level, as suggested in [9], this shows that the methodology of security proofs is more subtle than it at first appears. Secondly, it was found that the proof needs the additional assumption that e is prime to φ(n), thus excluding the case where e is a small power of two, a very attractive parameter choice. The difficulty here lies in the simulation of the random oracle, since it relies on the distribution of e-th powers, which is not completely understood from a mathematical point of view, at least when e is not prime to φ(n). In this paper, we prove that the set of e-th powers modulo an RSA modulus n, which is a product of two equal-size integers p, q, is almost uniformly distributed on any large enough interval. This property allows us to complete the security proof of ESIGN. We actually offer two proofs of our result: one is based on two-dimensional lattice reduction, and the other uses Dirichlet characters. Besides yielding better bounds, the latter is one new example of the use of analytic number theory in cryptography.
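The abstract distinguishes two regimes: when e is prime to φ(n) the map x ↦ x^e is a permutation of the residues, so the e-th powers trivially fill every interval; when e is a small power of two the e-th powers are a proper subset, and their near-uniform spread over large intervals is exactly what the paper proves. The following script is an added illustration, not code from the paper, and does not reproduce either of its proofs: it brute-forces the set of e-th powers for a toy modulus built from two constructed equal-size primes (1009 and 1019, far too small for any real use) and measures how evenly that set falls across consecutive intervals of Z_n. The bucket count and exponents are choices made for this example.

```python
"""Empirical look at the density statement in the abstract: e-th powers
modulo n = p*q, p and q of equal size, fall into any large interval in
roughly the proportion its length suggests.

Added example, not code from the paper. The primes and exponents are
constructed toy values used only to illustrate the two regimes.
"""
from math import gcd


def phi_of_rsa_modulus(p, q):
    """Euler's totient of n = p*q for distinct primes p, q."""
    return (p - 1) * (q - 1)


def is_permutation_exponent(e, p, q):
    """True iff gcd(e, phi(n)) = 1, i.e. x -> x^e permutes Z_n (by CRT).
    This is the assumption the earlier ESIGN proof needed; e = 2^k fails it."""
    return gcd(e, phi_of_rsa_modulus(p, q)) == 1


def eth_powers(n, e):
    """Set of all e-th powers modulo n, by brute force (fine for toy n)."""
    return {pow(x, e, n) for x in range(n)}


def interval_counts(residues, n, buckets):
    """Split [0, n) into `buckets` consecutive intervals of (almost) equal
    length and count how many of the given residues land in each."""
    counts = [0] * buckets
    for r in residues:
        counts[r * buckets // n] += 1
    return counts


def max_relative_deviation(residues, n, buckets):
    """Largest |count / expected - 1| over the intervals, where `expected`
    is the uniform share |S| / buckets. Near 0 means near-uniform density."""
    counts = interval_counts(residues, n, buckets)
    expected = len(residues) / buckets
    return max(abs(c / expected - 1) for c in counts)


def demo(p=1009, q=1019, buckets=8):
    """Compare e = 5 (prime to phi(n), so every residue is a 5th power)
    with e = 4 (a power of two, so the 4th powers are a proper subset)."""
    n = p * q
    results = {}
    for e in (5, 4):
        powers = eth_powers(n, e)
        results[e] = {
            "coprime_to_phi": is_permutation_exponent(e, p, q),
            "image_size": len(powers),
            "max_rel_dev": max_relative_deviation(powers, n, buckets),
        }
    return results


if __name__ == "__main__":
    for e, r in demo().items():
        print(f"e={e}: gcd(e, phi(n)) == 1? {r['coprime_to_phi']}, "
              f"#e-th powers = {r['image_size']}, "
              f"max interval deviation = {r['max_rel_dev']:.4f}")
```

For e = 4 the image has (1 + 1008/4) · (1 + 1018/2) = 253 · 510 = 129030 elements (zero plus the fourth powers of the units modulo each prime, combined by CRT), yet the per-interval counts stay close to the uniform share; that closeness is the property the abstract says the paper establishes for cryptographic-size moduli.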
References
Bellare, M., Rogaway, P.: Random Oracles Are Practical: a Paradigm for Designing Efficient Protocols. In: Proc. of the 1st CCS, pp. 62–73. ACM Press, New York (1993)
Bellare, M., Rogaway, P.: The Exact Security of Digital Signatures – How to Sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)
Brickell, E., De Laurentis, J.M.: An Attack on a Signature Scheme proposed by Okamoto and Shiraishi. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 28–32. Springer, Heidelberg (1986)
Burgess, D.A.: On character sums and primitive roots. Proc. London Math. Soc. 12, 179–192 (1962)
Davenport, H.: Multiplicative Number Theory. Graduate Texts in Mathematics, vol. 74. Springer, Heidelberg (1980)
Ellison, W.J., Mendes France, M.: Les nombres premiers, Hermann, Paris (1975)
Girault, M., Toffin, P., Vallée, B.: Computation of Approximate L-th Roots Modulo n and Application to Cryptography. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 100–118. Springer, Heidelberg (1990)
Goldwasser, S., Micali, S., Rivest, R.: A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM Journal of Computing 17(2), 281–308 (1988)
Granboulan, L.: How to repair ESIGN, NESSIE internal document. Document NES/DOC/ENS/WP5/019 (2002), See http://www.cryptonessie.org
IEEE Standard 1363–2000. Standard Specifications for Public Key Cryptography. IEEE (August 2000), Available from: http://grouper.ieee.org/groups/1363
IEEE P1363a Draft Version 9. Standard Specifications for Public Key Cryptography: Additional Techniques
Jonsson, J.: Security Proofs for RSA–PSS and Its Variants. Cryptology ePrint Archive 2001/053 (June 2001), Available from: http://eprint.iacr.org/
Lenstra, K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Ann. 261, 513–534 (1982)
Okamoto, T.: A Fast Signature Scheme Based on Congruential Polynomial Operations. IEEE Transactions on Information Theory IT–36 (1), 47–53 (1990)
Okamoto, T., Fujisaki, E., Morita, H.: TSH-ESIGN: Efficient Digital Signature Scheme Using Trisection Size Hash, Submission to P1363a (1998)
Okamoto, T., Shiraishi, A.: A Fast Signature Scheme Based on Quadratic Inequalities. In: Proc. of the ACM Symp. Security and Privacy, pp. 123–132. ACM Press, New York (1985)
Pólya, G.: Über die Verteilung der quadratischen Reste und Nichtreste, Göttinger Nachrichten, 21–26 (1918)
Rivest, R., Shamir, A., Adleman, L.: A Method for Obtaining Digital Signatures and Public Key Cryptosystems. Communications of the ACM 21(2), 120–126 (1978)
Shoup, V.: OAEP Reconsidered. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 239–259. Springer, Heidelberg (2001), Also appeared in the Cryptology ePrint Archive 2000/060 (November 2000), Available from: http://eprint.iacr.org/
Stern, J., Pointcheval, D., Malone-Lee, J., Smart, N.: Flaws in Applying Proof Methodologies to Signature Schemes. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 93–110. Springer, Heidelberg (2002)
Vallée, B., Girault, M., Toffin, P.: How to break Okamoto’s Cryptosystem by Reducing Lattice Bases. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 281–291. Springer, Heidelberg (1988)
Vallée, B., Girault, M., Toffin, P.: How to Guess ℓ-th Roots Modulo n by Reducing Lattice Bases. In: Mora, T. (ed.) AAECC 1988. LNCS, vol. 357, pp. 427–442. Springer, Heidelberg (1989)
Vinogradov, I.M.: Sur la distribution des résidus et des non-résidus des puissances. J. Phys.-Math. Soc. Perm. 1, 94–96 (1918)
© 2003 Springer-Verlag Berlin Heidelberg
Cite this paper
Okamoto, T., Stern, J. (2003). Almost Uniform Density of Power Residues and the Provable Security of ESIGN. In: Laih, CS. (eds) Advances in Cryptology - ASIACRYPT 2003. ASIACRYPT 2003. Lecture Notes in Computer Science, vol 2894. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-40061-5_17
DOI: https://doi.org/10.1007/978-3-540-40061-5_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-20592-0
Online ISBN: 978-3-540-40061-5