Sampling from Signed Quadratic Residues: RSA Group Is Pseudofree

Rivest (TCC 2004) explored the notion of a pseudo-free group from a cryptographic perspective and conjectured that the RSA group $\mathbb{Z}_{N}^{*}$ is a plausible candidate for a pseudo-free group. Daniele Micciancio (Journal of Cryptology, 2009) proved that, under the strong RSA assumption, $\mathbb{Z}_{N}^{*}$ is pseudo-free. His proof uses the fact that $N$ is the product of two safe primes and that elements are sampled uniformly at random from the subgroup $QR_{N}$ of quadratic residues; he asked whether the proof carries over when elements are instead sampled uniformly at random from the whole of $\mathbb{Z}_{N}^{*}$. In this article we show that one can sample uniformly at random from the group $QR_{N}^{+}$ of signed quadratic residues and still prove that $\mathbb{Z}_{N}^{*}$ is pseudo-free. Consequently, we believe one can show $\mathbb{Z}_{N}^{*}$ pseudo-free when elements are sampled from $QR_{N} \cup QR_{N}^{+}$, thus enlarging the set from which elements are sampled.
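The following is an added illustration, not code from the article: a toy model of the two sampling sets the abstract compares, using the definition of signed quadratic residues from Hofheinz and Kiltz [24], $QR_{N}^{+} = \{|x| : x \in QR_{N}\}$ with $|x|$ the absolute value of the representative of $x$ in $\{-(N-1)/2, \dots, (N-1)/2\}$ and group law $a \circ b = |ab \bmod N|$. The safe primes $p = 47$, $q = 29 \cdot 2 + 1 = 59$ and the modulus $N = 2773$ are constructed for the example so that brute-force checks run instantly; real parameters are thousands of bits. It samples uniformly from $QR_{N}$ (square a random unit), maps that sample to $QR_{N}^{+}$, and shows the practical difference between the two: membership in $QR_{N}^{+}$ is publicly decidable from the Jacobi symbol, whereas membership in $QR_{N}$ can only be brute-forced here because $N$ is tiny.

```python
"""Toy model of QR_N and the signed quadratic residues QR_N^+ for N = p*q,
p, q safe primes. Parameters are deliberately tiny (illustration only)."""
import math
import secrets

# Constructed toy parameters: p = 2p'+1, q = 2q'+1 with p', q' prime.
P_PRIME, Q_PRIME = 23, 29
P, Q = 2 * P_PRIME + 1, 2 * Q_PRIME + 1   # 47 and 59, both safe primes, both 3 mod 4
N = P * Q                                  # 2773
GROUP_ORDER = P_PRIME * Q_PRIME            # |QR_N| = |QR_N^+| = phi(N)/4 = 667


def abs_mod(x: int, n: int = N) -> int:
    """|x|: take the representative of x in {-(n-1)/2, ..., (n-1)/2} and drop its sign."""
    x %= n
    return x if x <= (n - 1) // 2 else n - x


def random_unit(n: int = N) -> int:
    """Uniform element of Z_n^* (rejection sampling on gcd)."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return r


def sample_qr(n: int = N) -> int:
    """Uniform element of QR_N: squaring is 4-to-1 from Z_n^* onto QR_N."""
    r = random_unit(n)
    return r * r % n


def sample_sqr(n: int = N) -> int:
    """Uniform element of QR_N^+. Since -1 is a non-residue mod a Blum integer,
    x and -x are never both residues, so |.| is a bijection QR_N -> QR_N^+."""
    return abs_mod(sample_qr(n), n)


def sqr_mul(a: int, b: int, n: int = N) -> int:
    """Group law on QR_N^+: a o b = |a*b mod n|."""
    return abs_mod(a * b, n)


def sqr_pow(a: int, e: int, n: int = N) -> int:
    """e-fold group operation on QR_N^+, which equals |a^e mod n|."""
    return abs_mod(pow(a, e, n), n)


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, via quadratic reciprocity."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def in_sqr(x: int, n: int = N) -> bool:
    """Efficient public membership test. With p = q = 3 (mod 4), (-1/N) = +1 but
    -1 is a non-residue, so J_N = QR_N u -QR_N and QR_N^+ = J_N n [1, (N-1)/2]."""
    return 1 <= x <= (n - 1) // 2 and jacobi(x, n) == 1


def brute_qr(n: int = N) -> set:
    """QR_N by exhaustion; feasible only because n is a toy modulus."""
    return {x * x % n for x in range(1, n) if math.gcd(x, n) == 1}


def brute_sqr(n: int = N) -> set:
    """QR_N^+ by exhaustion, from its definition as {|x| : x in QR_N}."""
    return {abs_mod(x, n) for x in brute_qr(n)}


def sampling_set_sizes(n: int = N) -> tuple:
    """Sizes of QR_N, QR_N^+ and QR_N u QR_N^+ (the enlarged sampling set)."""
    qr, sqr = brute_qr(n), brute_sqr(n)
    return len(qr), len(sqr), len(qr | sqr)


if __name__ == "__main__":
    g = sample_sqr()
    print("N =", N, "sample from QR_N^+:", g, "member:", in_sqr(g))
    print("|QR_N|, |QR_N^+|, |QR_N u QR_N^+| =", sampling_set_sizes())
```

The membership test is the property that makes $QR_{N}^{+}$ attractive in practice: anyone holding only $N$ can check that a received element lies in the group (Jacobi symbol plus a range check), whereas $QR_{N}$ has no known efficient membership test without the factorisation of $N$. The brute-force helpers exist only to validate the toy instance; at real sizes neither `brute_qr` nor `brute_sqr` is computable, and the union $QR_{N} \cup QR_{N}^{+}$ likewise has no efficient membership test, since it contains all of $QR_{N}$.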

[1] Tatsuaki Okamoto et al., Statistical Zero Knowledge Protocols to Prove Modular Polynomial Relations, CRYPTO 1997.

[2] Birgit Pfitzmann et al., A composable cryptographic library with nested operations, CCS 2003.

[3] Bogdan Warinschi et al., Soundness of Formal Encryption in the Presence of Active Adversaries, TCC 2004.

[4] M. Rabin, Digitalized Signatures and Public-Key Functions as Intractable as Factorization, 1979.

[5] Burton S. Kaliski, Advances in Cryptology - CRYPTO '97, 1997.

[6] Susan Rae Hohenberger et al., The cryptographic impact of groups with infeasible inversion, 2003.

[7] Ronald L. Rivest, On the Notion of Pseudo-Free Groups, TCC 2004.

[8] Hugo Krawczyk et al., Advances in Cryptology - CRYPTO '98, 1998.

[9] Pólya, Über die Verteilung der quadratischen Reste und Nichtreste [On the distribution of quadratic residues and non-residues], 1918.

[10] Walter Fumy et al., Advances in Cryptology - EUROCRYPT '97, Lecture Notes in Computer Science, 2001.

[11] Claus-Peter Schnorr et al., Stronger Security Proofs for RSA and Rabin Bits, Journal of Cryptology, 1997.

[12] Birgit Pfitzmann et al., Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees, EUROCRYPT 1997.

[13] Daniele Micciancio et al., Adaptive Security of Symbolic Encryption, TCC 2005.

[14] John C. Mitchell et al., A probabilistic polynomial-time process calculus for the analysis of cryptographic protocols, Theoretical Computer Science, 2005.

[15] Gregory Neven, A simple transitive signature scheme for directed trees, Theoretical Computer Science, 2008.

[16] D. A. Burgess, On Character Sums and Primitive Roots, 1962.

[17] Ronald Cramer et al., A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack, CRYPTO 1998.

[18] Danny Dolev et al., On the security of public key protocols, 22nd Annual Symposium on Foundations of Computer Science (FOCS), 1981.

[19] Ronald Cramer et al., Signature schemes based on the strong RSA assumption, CCS 1999.

[20] David Pointcheval et al., The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes, Public Key Cryptography, 2001.

[21] Martín Abadi et al., Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption), Journal of Cryptology, 2007.

[22] Daniele Micciancio, The RSA Group is Pseudo-Free, Journal of Cryptology, 2009.

[23] Adi Shamir et al., A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, 1978.

[24] Eike Kiltz et al., The Group of Signed Quadratic Residues and Applications, CRYPTO 2009.

[25] Arto Salomaa et al., Public-Key Cryptography, EATCS Monographs on Theoretical Computer Science, 1991.

[26] Bruce M. Kapron et al., Logics for reasoning about cryptographic constructions, 44th Annual IEEE Symposium on Foundations of Computer Science (FOCS), 2003.

[27] D. A. Burgess, The distribution of quadratic residues and non-residues, 1957.