Signatures Through Approximate Representations by Quadratic Forms

extended abstract
  • H. Ong
  • C. P. Schnorr


We propose a signature scheme where the private key is a random (n, n)-matrix T with coefficients in ℤm=ℤ/mℤ, m a product of two large primes. The corresponding public key is A,m with A = TT. A signature y of a message z ∈ ℤm is any y∈(ℤm)n such that y Ay approximates z, e.g. \(\left| z-{{y}^{T}}Ay \right|<4{{m}^{{{2}^{-n}}}}\). Messages z can be efficiently signed using the private key T and by approximating z as a sum of squares. Even tighter approximations | z− yAy| can be achieved by tight signature procedures. Heuristical arguments show that forging signatures is not easier than factoring m. The prime decomposition of m is not needed for signing messages, however knowledge of this prime decomposition enables forging signatures. Distinct participants of the system may share the same modulus m provided that its prime decomposition is unknown. Our signature scheme is faster than the RSA-scheme.


  1. 1.Fachbereich MathematikUniversität FrankfurtGermany

