Almost Uniform Density of Power Residues and the Provable Security of ESIGN

  • Tatsuaki Okamoto
  • Jacques Stern
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2894)


ESIGN is an efficient signature scheme that was proposed in the early nineties (see [14]). Recently, an effort was made to lay ESIGN on firm foundations, using the methodology of provable security. A security proof [15] in the random oracle model, along the lines of [2], appeared in support of ESIGN. However, several unexpected difficulties were found. Firstly, it was observed in [20] that the proof from [15] holds in a more restricted model of security than claimed. Even if it is quite easy to restore the usual security level, as suggested in [9], this shows that the methodology of security proofs is more subtle than it at first appears. Secondly, it was found that the proof needs the additional assumption that e is prime to φ(n), thus excluding the case where e is a small power of two, a very attractive parameter choice. The difficulty here lies in the simulation of the random oracle, since it relies on the distribution of e-th powers, which is not completely understood from a mathematical point of view, at least when e is not prime to φ(n). In this paper, we prove that the set of e-th powers modulo an RSA modulus n, which is a product of two equal-size integers p, q, is almost uniformly distributed on any large enough interval. This property allows us to complete the security proof of ESIGN. We actually offer two proofs of our result: one is based on two-dimensional lattice reduction, and the other uses Dirichlet characters. Besides yielding better bounds, the latter is one new example of the use of analytic number theory in cryptography.
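The following is an added example, not code from the paper: it checks the abstract's claim empirically for a toy modulus where e is not prime to φ(n), counting e-th power residues in equal intervals of [0, n). The primes 1009 and 1013, e = 4 and the 16-interval split are constructed assumptions, and the run illustrates the statement rather than reproducing either proof.

```python
from math import gcd

# Constructed toy parameters (assumptions, far too small for real use):
# two equal-size primes and e = 4, so gcd(e, phi(n)) = 4 and e is NOT prime to phi(n).
P, Q, E = 1009, 1013, 4


def predicted_residue_count(p, q, e):
    """Number of e-th powers in Z_n^*, n = p*q, from the cyclic structure
    of Z_p^* and Z_q^* combined with the Chinese remainder theorem."""
    return ((p - 1) // gcd(e, p - 1)) * ((q - 1) // gcd(e, q - 1))


def power_residue_density(p, q, e, buckets):
    """Enumerate the e-th power residues modulo n = p*q and count how many
    fall into each of `buckets` equal-length intervals of [0, n).

    Returns (total residues, per-interval counts, max relative deviation
    of an interval count from the uniform expectation)."""
    n = p * q
    # Only units of Z_n are considered (x coprime to both p and q).
    residues = {pow(x, e, n) for x in range(1, n) if x % p and x % q}
    counts = [0] * buckets
    for r in residues:
        counts[r * buckets // n] += 1
    expected = len(residues) / buckets
    max_rel_dev = max(abs(c - expected) / expected for c in counts)
    return len(residues), counts, max_rel_dev


if __name__ == "__main__":
    total, counts, dev = power_residue_density(P, Q, E, 16)
    print("n =", P * Q, "e =", E)
    print("4th-power residues:", total,
          "(predicted", predicted_residue_count(P, Q, E), ")")
    print("per-interval counts:", counts)
    print("max relative deviation from uniform: %.3f" % dev)
```

Only one unit in sixteen is a fourth power here, yet the per-interval counts stay close to the uniform expectation, which is the property the random-oracle simulation relies on.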


Keywords: Signature Scheme; Random Oracle; Uniform Density; Security Proof; Random Oracle Model


References

  1. Bellare, M., Rogaway, P.: Random Oracles Are Practical: a Paradigm for Designing Efficient Protocols. In: Proc. of the 1st CCS, pp. 62–73. ACM Press, New York (1993)
  2. Bellare, M., Rogaway, P.: The Exact Security of Digital Signatures – How to Sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)
  3. Brickell, E., De Laurentis, J.M.: An Attack on a Signature Scheme proposed by Okamoto and Shiraishi. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 28–32. Springer, Heidelberg (1986)
  4. Burgess, D.A.: On character sums and primitive roots. Proc. London Math. Soc. 12, 179–192 (1962)
  5. Davenport, H.: Multiplicative Number theory. Graduate Texts in Mathematics, vol. 74. Springer, Heidelberg (1980)
  6. Ellison, W.J., Mendes France, M.: Les nombres premiers, Hermann, Paris (1975)
  7. Girault, M., Toffin, P., Vallée, B.: Computation of Approximate L-th Roots Modulo n and Application to Cryptography. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 100–118. Springer, Heidelberg (1990)
  8. Goldwasser, S., Micali, S., Rivest, R.: A Digital Signature Scheme Secure Against Adaptative Chosen-Message Attacks. SIAM Journal of Computing 17(2), 281–308 (1988)
  9. Granboulan, L.: How to repair ESIGN, NESSIE internal document. Document NES/DOC/ENS/WP5/019 (2002), See
  10. IEEE Standard 1363–2000. Standard Specifications for Public Key Cryptography. IEEE (August 2000), Available from:
  11. IEEE P1363a Draft Version 9. Standard Specifications for Public Key Cryptography: Additional Techniques
  12. Jonsson, J.: Security Proofs for RSA–PSS and Its Variants. Cryptology ePrint Archive 2001/053 (June 2001), Available from:
  13. Lenstra, K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Ann. 261, 513–534 (1982)
  14. Okamoto, T.: A Fast Signature Scheme Based on Congruential Polynomial Operations. IEEE Transactions on Information Theory IT–36 (1), 47–53 (1990)
  15. Okamoto, T., Fujisaki, E., Morita, H.: TSH-ESIGN: Efficient Digital Signature Scheme Using Trisection Size Hash, Submission to P1363a (1998)
  16. Okamoto, T., Shiraishi, A.: A Fast Signature Scheme Based on Quadratic Inequalities. In: Proc. of the ACM Symp. Security and Privacy, pp. 123–132. ACM Press, New York (1985)
  17. Pólya, G.: Über die Verteilung des quadratischen Reste und Nichtreste, Göttinger Nachtrichten, 21-26 (1918)
  18. Rivest, R., Shamir, A., Adleman, L.: A Method for Obtaining Digital Signatures and Public Key Cryptosystems. Communications of the ACM 21(2), 120–126 (1978)
  19. Shoup, V.: OAEP Reconsidered. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 239–259. Springer, Heidelberg (2001), Also appeared in the Cryptology ePrint Archive 2000/060 (November 2000), Available from:
  20. Stern, J., Pointcheval, D., Malone-Lee, J., Smart, N.: Flaws in Applying Proof Methodologies to Signature Schemes. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 93–110. Springer, Heidelberg (2002)
  21. Vallée, B., Girault, M., Toffin, P.: How to break Okamoto’s Cryptosystem by Reducing Lattice Bases. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 281–291. Springer, Heidelberg (1988)
  22. Vallée, B., Girault, M., Toffin, P.: How to Guess _th Roots Modulo n by Reducing Lattice Bases. In: Mora, T. (ed.) AAECC 1988. LNCS, vol. 357, pp. 427–442. Springer, Heidelberg (1989)
  23. Vinogradov, I.M.: Sur la distributions des résidus et des non-résidus des puissances. J. Phys.-Math. Soc. Perm. 1, 94–96 (1918)

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Tatsuaki Okamoto (1)
  • Jacques Stern (2)
  1. NTT Labs, Japan
  2. Dépt d’informatique, ENS, Paris Cedex 05, France
