Rabin signature algorithm

Digital signature scheme

In cryptography, the Rabin signature algorithm is a method of digital signature originally published by Michael O. Rabin in 1979.^[1]^[2]

The Rabin signature algorithm was one of the first digital signature schemes proposed. By using a trapdoor function with a hash of the message rather than with the message itself, in contrast to earlier proposals of one-time hash-based signatures or trapdoor-based signatures without hashing,^[3]^[4] Rabin's was the first published design to meet what is now the modern standard of security for digital signatures for more than one message, existential unforgeability under chosen-message attack.^[5]

Rabin signatures resemble RSA signatures with exponent $e=2$ {\displaystyle e=2}, but this leads to qualitative differences that enable more efficient implementation^[5] and a security guarantee relative to the difficulty of integer factorization,^[1]^[2]^[6] which has not been proven for RSA. However, Rabin signatures have seen relatively little use or standardization outside IEEE P1363 ^[7] in comparison to RSA signature schemes such as RSASSA-PKCS1-v1_5 and RSASSA-PSS.

Definition

[edit ]

The Rabin signature scheme is parametrized by a randomized hash function $H(m,u)$ {\displaystyle H(m,u)} of a message $m$ {\displaystyle m} and $k$ {\displaystyle k}-bit randomization string $u$ {\displaystyle u}.

Public key: A public key is a pair of integers $(n,b)$ {\displaystyle (n,b)} with $0\leq b<n$ {\displaystyle 0\leq b<n} and $n$ {\displaystyle n} odd. $b$ {\displaystyle b} is chosen arbitrarily and may be a fixed constant.
Signature: A signature on a message $m$ {\displaystyle m} is a pair $(u,x)$ {\displaystyle (u,x)} of a $k$ {\displaystyle k}-bit string $u$ {\displaystyle u} and an integer $x$ {\displaystyle x} such that $x(x+b)\equiv H(m,u){\pmod {n}}.$ {\displaystyle x(x+b)\equiv H(m,u){\pmod {n}}.}
Private key: The private key for a public key $(n,b)$ {\displaystyle (n,b)} is the secret odd prime factorization $p\cdot q$ {\displaystyle p\cdot q} of $n$ {\displaystyle n}, chosen uniformly at random from some large space of primes.
Signing a message: To make a signature on a message $m$ {\displaystyle m} using the private key, the signer starts by picking a $k$ {\displaystyle k}-bit string $u$ {\displaystyle u} uniformly at random, and computes $c:=H(m,u)$ {\displaystyle c:=H(m,u)}. Let $d=(b/2){\bmod {n}}$ {\displaystyle d=(b/2){\bmod {n}}}. If $c+d^{2}$ {\displaystyle c+d^{2}} is a quadratic nonresidue modulo $n$ {\displaystyle n}, the signer starts over with an independent random $u$ {\displaystyle u}.^[1]^{: p. 10} Otherwise, the signer computes ${\begin{aligned}x_{p}&:={\Bigl (}-d\pm {\sqrt {c+d^{2}}}{\Bigr )}{\bmod {p}},\\x_{q}&:={\Bigl (}-d\pm {\sqrt {c+d^{2}}}{\Bigr )}{\bmod {q}},\end{aligned}}$ {\displaystyle {\begin{aligned}x_{p}&:={\Bigl (}-d\pm {\sqrt {c+d^{2}}}{\Bigr )}{\bmod {p}},\\x_{q}&:={\Bigl (}-d\pm {\sqrt {c+d^{2}}}{\Bigr )}{\bmod {q}},\end{aligned}}} using a standard algorithm for computing square roots modulo a prime—picking $p\equiv q\equiv 3{\pmod {4}}$ {\displaystyle p\equiv q\equiv 3{\pmod {4}}} makes it easiest. Square roots are not unique, and different variants of the signature scheme make different choices of square root;^[5] in any case, the signer must ensure not to reveal two different roots for the same hash $c$ {\displaystyle c}. $x_{p}$ {\displaystyle x_{p}} and $x_{q}$ {\displaystyle x_{q}} satisfy the equations ${\begin{aligned}x_{p}(x_{p}+b)&\equiv H(m,u){\pmod {p}},\\x_{q}(x_{q}+b)&\equiv H(m,u){\pmod {q}}.\end{aligned}}$ {\displaystyle {\begin{aligned}x_{p}(x_{p}+b)&\equiv H(m,u){\pmod {p}},\\x_{q}(x_{q}+b)&\equiv H(m,u){\pmod {q}}.\end{aligned}}} The signer then uses the Chinese remainder theorem to solve the system ${\begin{aligned}x&\equiv x_{p}{\pmod {p}},\\x&\equiv x_{q}{\pmod {q}},\end{aligned}}$ {\displaystyle {\begin{aligned}x&\equiv x_{p}{\pmod {p}},\\x&\equiv x_{q}{\pmod {q}},\end{aligned}}} for $x$ {\displaystyle x}, so that $x$ {\displaystyle x} satisfies $x(x+b)\equiv H(m,u){\pmod {n}}$ {\displaystyle x(x+b)\equiv H(m,u){\pmod {n}}} as required. The signer reveals $(u,x)$ {\displaystyle (u,x)} as a signature on $m$ {\displaystyle m}.

The number of trials for

u

{\displaystyle u} before

x(x+b)\equiv H(m,u){\pmod {n}}

{\displaystyle x(x+b)\equiv H(m,u){\pmod {n}}} can be solved for

x

{\displaystyle x} is geometrically distributed with an average around 4 trials, because about 1/4 of all integers are quadratic residues modulo

n

{\displaystyle n}.

Security

[edit ]

Security against any adversary defined generically in terms of a hash function $H$ {\displaystyle H} (i.e., security in the random oracle model) follows from the difficulty of factoring $n$ {\displaystyle n}: Any such adversary with high probability of success at forgery can, with nearly as high probability, find two distinct square roots $x_{1}$ {\displaystyle x_{1}} and $x_{2}$ {\displaystyle x_{2}} of a random integer $c$ {\displaystyle c} modulo $n$ {\displaystyle n}. If $x_{1}\pm x_{2}\not \equiv 0{\pmod {n}}$ {\displaystyle x_{1}\pm x_{2}\not \equiv 0{\pmod {n}}} then $\gcd(x_{1}\pm x_{2},n)$ {\displaystyle \gcd(x_{1}\pm x_{2},n)} is a nontrivial factor of $n$ {\displaystyle n}, since ${x_{1}}^{2}\equiv {x_{2}}^{2}\equiv c{\pmod {n}}$ {\displaystyle {x_{1}}^{2}\equiv {x_{2}}^{2}\equiv c{\pmod {n}}} so $n\mid {x_{1}}^{2}-{x_{2}}^{2}=(x_{1}+x_{2})(x_{1}-x_{2})$ {\displaystyle n\mid {x_{1}}^{2}-{x_{2}}^{2}=(x_{1}+x_{2})(x_{1}-x_{2})} but $n\nmid x_{1}\pm x_{2}$ {\displaystyle n\nmid x_{1}\pm x_{2}}.^[2] Formalizing the security in modern terms requires filling in some additional details, such as the codomain of $H$ {\displaystyle H}; if we set a standard size $K$ {\displaystyle K} for the prime factors, $2^{K-1}<p<q<2^{K}$ {\displaystyle 2^{K-1}<p<q<2^{K}}, then we might specify $H\colon \{0,1\}^{*}\times \{0,1\}^{k}\to \{0,1\}^{K}$ {\displaystyle H\colon \{0,1\}^{*}\times \{0,1\}^{k}\to \{0,1\}^{K}}.^[6]

Randomization of the hash function was introduced to allow the signer to find a quadratic residue, but randomized hashing for signatures later became relevant in its own right for tighter security theorems^[2] and resilience to collision attacks on fixed hash functions.^[8]^[9]^[10]

Variants

[edit ]

Removing b

[edit ]

The quantity $b$ {\displaystyle b} in the public key adds no security, since any algorithm to solve congruences $x(x+b)\equiv c{\pmod {n}}$ {\displaystyle x(x+b)\equiv c{\pmod {n}}} for $x$ {\displaystyle x} given $b$ {\displaystyle b} and $c$ {\displaystyle c} can be trivially used as a subroutine in an algorithm to compute square roots modulo $n$ {\displaystyle n} and vice versa, so implementations can safely set $b=0$ {\displaystyle b=0} for simplicity; $b$ {\displaystyle b} was discarded altogether in treatments after the initial proposal.^[11]^[2]^[7]^[5] After removing $b$ {\displaystyle b}, the equations for $x_{p}$ {\displaystyle x_{p}} and $x_{q}$ {\displaystyle x_{q}} in the signing algorithm become: ${\begin{aligned}x_{p}&:=\pm {\sqrt {c}}{\bmod {p}},\\x_{q}&:=\pm {\sqrt {c}}{\bmod {q}}.\end{aligned}}$ {\displaystyle {\begin{aligned}x_{p}&:=\pm {\sqrt {c}}{\bmod {p}},\\x_{q}&:=\pm {\sqrt {c}}{\bmod {q}}.\end{aligned}}}

Rabin-Williams

[edit ]

The Rabin signature scheme was later tweaked by Williams in 1980^[11] to choose $p\equiv 3{\pmod {8}}$ {\displaystyle p\equiv 3{\pmod {8}}} and $q\equiv 7{\pmod {8}}$ {\displaystyle q\equiv 7{\pmod {8}}}, and replace a square root $x$ {\displaystyle x} by a tweaked square root $(e,f,x)$ {\displaystyle (e,f,x)}, with $e=\pm 1$ {\displaystyle e=\pm 1} and $f\in \{1,2\}$ {\displaystyle f\in \{1,2\}}, so that a signature instead satisfies $efx^{2}\equiv H(m,u){\pmod {n}},$ {\displaystyle efx^{2}\equiv H(m,u){\pmod {n}},} which allows the signer to create a signature in a single trial without sacrificing security. This variant is known as Rabin–Williams.^[5]^[7]

Others

[edit ]

Further variants allow tradeoffs between signature size and verification speed, partial message recovery, signature compression (down to one-half size), and public key compression (down to one-third size), still without sacrificing security.^[5]

Variants without the hash function have been published in textbooks,^[12]^[13] crediting Rabin for exponent 2 but not for the use of a hash function. These variants are trivially broken—for example, the signature $x=2$ {\displaystyle x=2} can be forged by anyone as a valid signature on the message $m=4$ {\displaystyle m=4} if the signature verification equation is $x^{2}\equiv m{\pmod {n}}$ {\displaystyle x^{2}\equiv m{\pmod {n}}} instead of $x^{2}\equiv H(m,u){\pmod {n}}$ {\displaystyle x^{2}\equiv H(m,u){\pmod {n}}}.

In the original paper,^[1] the hash function $H(m,u)$ {\displaystyle H(m,u)} was written with the notation $C(MU)$ {\displaystyle C(MU)}, with C for compression, and using juxtaposition to denote concatenation of $M$ {\displaystyle M} and $U$ {\displaystyle U} as bit strings:

By convention, when wishing to sign a given message, $M$ {\displaystyle M}, [the signer] $P$ {\displaystyle P} adds as suffix a word $U$ {\displaystyle U} of an agreed upon length $k$ {\displaystyle k}. The choice of $U$ {\displaystyle U} is randomized each time a message is to be signed. The signer now compresses $M_{1}=MU$ {\displaystyle M_{1}=MU} by a hashing function to a word $C(M_{1})=c$ {\displaystyle C(M_{1})=c}, so that as a binary number $c\leq n$ {\displaystyle c\leq n}...

This notation has led to some confusion among some authors later who ignored the $C$ {\displaystyle C} part and misunderstood $MU$ {\displaystyle MU} to mean multiplication, giving the misapprehension of a trivially broken signature scheme.^[14]