MINISTRY OF EDUCATION AND TRAINING MINISTRY OF NATIONAL DEFENCE ACADEMY OF MILITARY SCIENCE AND TECHNOLOGY HOANG THI MAI DEVELOPING SEVERAL DIGITAL SIGNATURE SCHEMES BASED ON THE RABIN CRYPTOSYSTEM AND THE RSA CRYPTOSYSTEM Speciality: Mathematical Foundation for Informatics Code: 46 01 10 SUMMARY OF PhD THESIS IN MATHEMATICS HA NOI – 2019 This thesis has been completed at: ACADEMY OF MILITARY SCIENCE AND TECHNOLOGY Scientific Supervisors: Dr Nguyen Huu Mong Dr Ngo Trong Mai Reviewer 1: Assos Prof Dr Le My Tu Academy of Cryptography Techniques Reviewer 2: Assos Prof Dr Nguyen Linh Giang Hanoi University of Science and Technology Reviewer 3: Dr Thai Trung Kien Academy of Military Science and Technology The thesis was defended in front of the Doctoral Evaluating Council at Academy level held Academy of Military Science and Technology at on The thesis can be found at: - Library of Academy of Military Science and Technology - Vietnam National library INTRODUCTION The necessity of the topic Recently, the application of digital signature in digital transaction in Vietnam is in development This great progress is the result of improving infrastructure facilitation and legal corridor On infrastructure facilitation, according to the white paper Information Technology and Media of Vietnam 2017, the fixed bandwidth of Internet subscription in Vietnam is the lowest worldwide at 1/139 countries [1] The number of Internet users was 50 million until 2016 On legal corridor, the digital transaction law validated from 2015 legalized digital transaction, just like those conducted with hard document and ordinary signature In the field of digital signature, the system of law document is improving, alongside with the increasing number of Certificate Authority After the establishment of National Electronic Authentication Center in 2008, there were enterprises licensed to provide public signature-verifying service to organizations and individuals Although the developing progress is quick recently, but the practicability is great and digital signature plays an indispensable role in digital trade in Vietnam In such situation, researching and improving the effectiveness of signature scheme and constructing new scheme is necessary and meaningful academically and practically Research target − The target of this thesis is to construct a public key system for application using digital trade, such a profile admission of public administration service These activities include information sent from many to one; therefore, authentication of signature validity in a great deal is required As a result, signature-verifying algorithm consuming little time needs to be applied − The base for developing new signature schemes in this thesis is RSA cryptosystem and Rabin cryptosystem This thesis proves that the suggested scheme have security and time cot that meet the practicability requirement the target of the thesis Object and domain of the research Researching object − The researching object and domain of the thesis is of security system and basic cryptosystem; scheme that have little verifying cost: RSA, Rabin, DSA, ECDSA, Researching domain The thesis focus in problems related to developing signature scheme based on RSA cryptosystem and Rabin cryptosystem Researching content This thesis focus in researching the signature schemes suggested based on RSA cryptosystem, of which actually is based on difficult problems of digital theory Researching results is presented in four publications The main result is: − Studying basic digital signature system based on difficult problems of digital theory: number factorization problem, discrete logarithm problem, elliptic curve discrete logarithm problem − Propose signature schemes on developing the Rabin digital signature − Propose a signature scheme as a combination of RSA and Rabin Researching method The research will be conducted as followed: − Referring to scientific publications, books, documents; scientific report of cryptography, especially of digital signature − Using mathematics tools of digital theory to construct the algorithm for proposed schemes − Using the theory of algorithm complication to rate the security and time cost of the signature schemes proposed Scientific and practical value Scientifically, the thesis proposed some new signature schemes on developing the Rabin cryptosystem, as well as combining the RSA cryptosystem and Rabin cryptosystem The new ones improve the blemishes of the old ones, have security guaranteed by the difficult problems of number theory and low time cost of verifying signature Practically, the new signature schemes proposed the thesis can be applied in transaction of “many-one” type of digital signature applications of digital government and digital trade Structure of the thesis The thesis includes an introduction, 04 chapters, the conclusion and developing strategies, scientific publications and references CHAPTER OVERVIEW OF DIGITAL SIGNATURE AND DEVELOPING STRATEGIES 1.1 Digital signature schemes This part gives some definitions 1.2 Several signatures schemes Among public signature scheme, with each chosen pair of keys, the calculation of secret key from public one is guaranteed by a factorization problem These are: − Factorization Problem, of which difficulty guarantees security for RSA cryptosystem and RSA digital signature − Discrete Logarithm Problem The difficulty of this problem guarantee security for the public key system and digital signature ElGamal as well as other signature system, such as DSA (Digital Signature Algorithm) − Elliptic Curve Discrete Logarithm Problem, of which difficulty guarantee the security of crypto In this chapter, the thesis present four basic signature schemes that directly affect the researching topic of the thesis - RSA scheme, Rabin scheme and Rabin William scheme, DSA scheme and ECDSA scheme 1.3 Time cost of arithmetic operations of Zn In this chapter, the thesis presents the time cost of several algorithms which operate arithmetic calculations 1.4 Evaluating the time cost of verifying several signature schemes This section gives the evaluation of the verifying cost of the RSA scheme, the Rabin scheme and Rabin-William scheme, DSA scheme and ECDSA scheme Finally, the conclusion is given: Clause 1.1 Among the standardized signature schemes with the input parameter given in table 1.3, the Rabin schemes has the lowest signature-verifying cost 1.5 Practicability and researching strategy of the topic In section 1.4, clause 1.1, we conclude: “Among the standardized signature schemes with the input parameter given in table 1.3, the Rabin schemes has the lowest signature-verifying cost.” The target of this thesis is to develop signature schemes that have small time cost for verifying, which are to be used in digital trade with “many-one” type The conclusion of the researching strategy of the thesis focus in developing the Rabin scheme and RSA scheme with small exponent e Studying the Rabin scheme, we may realize that since its birth, this scheme have had countless developing researches: extending the usable modulo, developing the signature algorithm, extending the cases of exponent e (e=3), On extending usable modulo in the Rabin scheme, several publications can be named such as those of L Harn and T Kiesler [14], of Kaoru Kurosawa and Wakaha Ogata [15], of M Ela - M Piva - D Schipani [16], among of which shines the contribution of M Ela, M Piva and D Schipani given in 2013 which construct a Rabin-styled cryptosystem with modulo n as multiplication of two random primes for using Dedekind sum instead of Jacobi symbol On improving the signature algorithm of the Rabin scheme, William has publicized the Rabin-Williams scheme[4] This scheme only requires a single Jacobi symbol operation in signature algorithm while the Rabin scheme requires four In the publication in 1989, L Harn and T Kiesler [14] combined the square root and Jacobi symbol to develop the signature algorithm in Rabin M Ela - M Piva - D Schipani [16] used Dedekin sum instead of Jacobi symbol in signature algorithm On extending exponent e, specifically replacing the exponent with instead of 2, there are publications of Williams [17], J H Loxton, David S P Khoo, Gregory J Bird and Jennifer Seberry in 1992 [18], R Scheidler [19] in 1998,… On researching the relevant scientific publications, the thesis determines two researching strategies: ● The first strategy: improving and developing the Rabin scheme The thesis improve the calculating cost for signing without calculating the value of Jacobi symbol, as well as developing Rabin digital signature with exponent e=3 ● The second strategy: Combining the design principle of Rabin and RSA schemes to propose several schemes with small exponent, e=3 particularly With exponent e, the RSA schemes can be divided into three types: ● Type one: signature scheme with modulo n=p.q and 𝑔𝑐𝑑 𝑔𝑐𝑑 (𝑒, 𝜙(𝑛)) = 1, which means e is coprime with both (p-1) and (q-1) ● Type 2: signature scheme with modulo n=p.q in which (p-1) and (q-1) are both multiplicities of e ● Type 3: signature scheme with modulo n=p.q and (p-1) is multiplicity of e, while (q-1) is coprime with e Clearly, the RSA scheme is he first type as exponent e satisfies 𝑔𝑐𝑑 (𝑒, 𝜙(𝑛)) = The Rabin scheme is the second type as e=2 is the divisor of both (p-1) and (q-1) The thesis proposes new schemes of type and above in case of small exponent e In chapter 2, the thesis propose a type-2 scheme, in which both (p-1) and (q-1) are multiplicities of either e=2 or e=3 In chapter 3, the thesis propose a type-3 scheme, a combination of Rabin and RSA, which means e satisfies (p-1) being the multiplicity of e, while (q-1) is coprime with e=3 particularly 1.6 Conclusion of chapter In this chapter, the thesis presents basic terms and definitions that are directly related to the researching topic An important part of this chapter is the calculation of the time cost of verifying algorithms and proof that among the standardized signature schemes, the Rabin schemes has the lowest verifying cost This is a vital base for the research when proposing signature scheme for digital trade of “manyone” type On analyzing and synthesizing outstanding publications, the first chapter point out the researching strategy of the thesis: developing signature schemes based of RSA and Rabin cryptosystem CHAPTER IMPROVEMENT AND DEVELOPMENT OF RABIN SIGNATURE SCHEME 2.1 Introduction In this chapter, the thesis proposed two signature schemes improved from the Rabin and a scheme developed from the Rabin scheme with e=3 The first improved scheme, denoted as RW0, improves signing algorithm without calculating Jacobi symbol The second improved scheme, denoted as R0, is a brand-new scheme, in which the modulo are used half as much as the Rabin scheme with verifying cost no higher than the original, while signing algorithm is without calculating Jacobi symbol The scheme developed from the Rabin, denoted as PCRS, has exponent e=3 and e is divisor of both p-1 and q-1 This scheme has verifying algorithm which requires a single modulo cubic exponentiation and signing algorithm is without calculating Jacobi symbol 2.2 Mathematic Base In this section, the thesis summarizes and rearranges some of the results in number theory extracted from [11] and some auxiliary results related to the content of chapter two 2.3 RW0 signature scheme In this section, the thesis presents a signature scheme, denoted as RW0 This scheme improves the algorithm of RW signing algorithm without calculating the Jacobi symbol 2.3.1 RW0 signature Scheme a) Systematic parameter: Integer n = p.q with 𝑝, 𝑞 ≡ (𝑚𝑜𝑑 4), 𝑝 ≠ 𝑞 (𝑚𝑜𝑑 8) and 𝑐 = 𝑞 (𝑞 −1 𝑚𝑜𝑑 𝑝) Also need to add parameter d defined by the following formula: d = (c.( 𝑑𝑝 − 𝑑𝑞 ) + 𝑑𝑞 ) mod n (2.22) with 𝑑𝑝 = 𝑝+1 mod p 𝑑𝑞 = 𝑞+1 mod q Secret key is (n, p, q, c, d) and public key is n Hash Function: Hash: {0,1}∞ → {0,1}ℎ (2.23) Function of message format f: {𝟎, 𝟏}𝒌 {𝟎, 𝟏}𝒉 𝒁∗𝒏 : ∀ R ∈ {𝟎, 𝟏}𝒌 and H ∈ {𝟎, 𝟏}𝒉 : 𝑓 (𝑅, 𝐻 ) = 𝐶𝑜𝑑𝑒 (𝐻 ) + 𝐶𝑜𝑑𝑒(𝐻𝑎𝑠ℎ(𝑅||𝐻 )) 2ℎ + 𝐶𝑜𝑑𝑒(𝑅) 22ℎ + 2⌈𝑙𝑜𝑔2𝑛⌉−1 (2.24) with k + 2.h < 𝑙𝑜𝑔2 𝑛 −8 (2.25) and 𝐶𝑜𝑑𝑒(𝑥0 𝑥1 … 𝑥𝑡−1 ) = 𝑥0 2𝑡−1 + 𝑥1 2𝑡−2 + ⋯ + 𝑥𝑡−1 (2.26) b) RW0 signing algorithm: Algorithm 2.3 – Signing Algorithm RW0 INPUT: m, (n, p, q, c, d): m ∈ {0,1}∞is the message to be signed (n, p, q, c, d) is the signer's secret key OUTPUT: (R,s) ∈ {0,1}𝑘 × 𝑍𝑛∗ with ≤ s < n/2 is signature of the holder (n, p, q, c, d) Choosen R randomly in {0,1}𝑘 ; v ← f(R, Hash(m)); 𝑠𝑝 ← 𝑣 𝑠𝑞 ← 𝑣 𝑝+1 mod p; 𝑞+1 mod q; s ← (c.( 𝑠𝑝 − 𝑠𝑞 ) + 𝑠𝑞 ) mod n; u ← 𝑠 mod n; if u ∉ {v, n – v} then s ← d.s mod n; s ← min(s, n – s); return (R,s); c) RW0 verifying algorithm: Algorithm 2.4 – RW0 Verifying Algorithm INPUT: m, (R, s), n 𝑚 ∈ {0,1}∞ is the message to be signed (R,s) is the signature on m n is the signer’s public key OUTPUT: Accept ∈ {0,1} only accept the validity of the signature (R,s) if and only if Accept = 1 if s ∉ [0, 𝑛−1 ] then Accept ← 0; go to 5; v ← f(R, Hash(m)); u ← 𝑠 mod n; if u ∈ {v, n – v, 2v, n – 2v} then Accept ← 1; else Accept ← 0; return Accept 2.3.2 The correctness of the RW0 signature scheme Result 2.1 Integer n = p.q with p, q are two primes (1.a) Then for each value x ∈ 𝑍𝑛∗ is corresponding only to pair (𝑥𝑝 , 𝑥𝑞 ) ∈ 𝑍𝑝∗ × 𝑍𝑞∗ with: 𝑥𝑝 = x mod p and 𝑥𝑞 = x mod q (2.27) Moreover, according to the Garner algorithm [11, p 88] x also can be calculated from (𝑥𝑝 , 𝑥𝑞 ) by the following formula: x = (q.( 𝑞 −1 mod p).( 𝑥𝑝 − 𝑥𝑞 ) + 𝑥𝑞 ) mod n (2.28) So, x = (𝑥𝑝 , 𝑥𝑞 ) (1.b) If x = (𝑥𝑝 , 𝑥𝑞 ) and y = (𝑦𝑝 , 𝑦𝑞 ) then we have the following equation: x.y mod n = (𝑥𝑝 𝑦𝑝 𝑚𝑜𝑑 𝑝, 𝑥𝑞 𝑦𝑞 𝑚𝑜𝑑 𝑞) (2.29) With the above results, we get the following lemma Lemma 2.3 Give the number blum n = pq With v ∈ 𝑍𝑛∗ , denoted as: s = (q.( 𝑞 −1 mod p).( 𝑠𝑝 − 𝑠𝑞 ) + 𝑠𝑞 ) mod n (2.30) with 𝑠𝑝 = 𝑣 𝑝+1 mod p and 𝑠𝑞 = 𝑣 𝑞+1 mod q (2.31) We have 𝑣 𝑠 𝑚𝑜𝑑 𝑛 ∈ {𝑣, 𝑛 – 𝑣} if and only if (𝑛) = Proof: This proof is presented on the thesis Clause 2.1 The RW0 scheme is correct Proof: This proof is presented on the thesis (2.32) 11 2.4.2 The correctness of the R0 signature scheme Clause 2.2 R0 scheme is correct Proof: This proof is presented on the thesis 2.4.3 Security of R0 signature scheme The security of R0 is presented on the thesis 2.4.4 The effectiveness of the R0 scheme The effectiveness of R0 compared to Rabin scheme Compare two signature algorithms: Analysis and comparison of two signature algorithms are presented in detail on the thesis Corollary 2.2 The time cost of the Rabin signature algorithm is 3𝑡𝐽 longer than that of R0 scheme Compare two signature verifying algorithms: Analysis and comparison of two signature verifying algorithms are presented in detail on the thesis Corollary 2.3 The time cost of the signature verifying algorithm of Rabin and R0 scheme is approximately the same The effectiveness of R0 scheme compared to some other schemes In this section, the thesis compares R0 with some general determinations Rabinstyle schemes (with parameters p, q ≡ (mod 4)), which is typically the best of L Harn and T Kiesler [14] 2.5 PCRS Signature Scheme 2.5.1 PCRS signature scheme Similar to the Rabin signature scheme, in the direction of expanding parameter e = 3, the PCRS scheme which is presented in this section has parameters p and q satisfying 𝑝 ≡ 𝑞 ≡ (𝑚𝑜𝑑 3) On improving Rabin scheme, PCRS has a verifying signature algorithm which only needs a power exponent of three modulo n a) Systematic parameters: Systematic parameters for signature schemes includes: − Integer n = p.q with p, q are two primes so that: p = 3.t + with gcd(t,3) = (2.38) 12 and q = 3.k + with gcd(k,3) = − Hash Function: Hash: {0,1}∞ → {0,1}ℎ satisfies security requirements for codes − Secret parameters 𝑑𝑝 , 𝑑𝑞 can be defined as follows: 2p+1 𝑑𝑝 = { p+2 2q+1 𝑑𝑞 = { q+2 𝑖𝑓 𝑝 ≡ (𝑚𝑜𝑑 9) ; 𝑖𝑓 𝑝 ≡ (𝑚𝑜𝑑 9) (2.39) 𝑖𝑓 𝑞 ≡ (𝑚𝑜𝑑 9) ; 𝑖𝑓 𝑞 ≡ (𝑚𝑜𝑑 9) b) PCRS Signing message: Algorithm 2.7 – Signing Algorithm PCRS INPUT: 𝑚 ∈ {0,1}∞ is the message to be signed; parameters p, q, 𝑑𝑝 , 𝑑𝑞 OUTPUT: (R,s) ∈ {0,1}𝑘 ×𝑍𝑛 is the signature onto m Repeat R ← Random({0,1}𝑘 ); h ← Code(Hash(R||m)); t←ℎ 𝑝−1 mod p; u ← ℎ 𝑞−1 mod q; (2.40) until (t=1) and (u=1) hp ←h mod p; hq←h mod q; 𝑠𝑝 ← ℎ𝑝𝑝 𝑚𝑜𝑑 𝑝; 𝑠𝑞 ← ℎ𝑞 𝑞 𝑚𝑜𝑑 𝑞; (2.42) 𝑠 ← 𝐶𝑅𝑇(𝑠𝑝 , 𝑠𝑞 ); (2.43) return (R, s); (2.44) 𝑑 𝑑 (2.41) c) PCRS verifying algorithm: Algorithm 2.8 – PCRS Verifying Algorithm Input: m ∈ {0,1}∞ and (R,s) ∈ {0,1}𝑘 ×𝑍𝑛 is the signature onto m Output: Accept ∈ {0,1} only accept the validity of the signature (R,s) if and only if Accept = 13 h ← Code(Hash(R||m)); t ← 𝑠 mod n; Accept ← (t=h); return Accept; 2.5.2 The correctness of the PCRS signature scheme Clause 2.3 All signatures (R, s) on message M created from algorithm 2.7 have an output value of according to algorithm 2.8 Proof: This proof is presented on the thesis 2.5.3 Security of the signature schemes Clause 2.4 The security of the PCSR scheme is ensured by the difficulty of the factorizing problem Proof: This proof is presented on the thesis 2.5.4 Time cost of PCRS scheme Clause 2.5 The cost of the signature-creation algorithm, denoted as 𝑇2.7 , and the verifying algorithm, denoted as 𝑇2.8 , in the PCRS scheme are given by the following formula 𝑙𝑛3 𝑇2.7 = 16.5 𝑙𝑒𝑛(𝑝)(𝑙𝑛2+1) + 2𝑙𝑛(𝑙𝑒𝑛(𝑝)) + 𝑇2.8 3.𝑙𝑒𝑛(𝑝)2 𝑙𝑛𝑙𝑒𝑛(𝑝) (2.47) 𝑙𝑛3 = 𝑙𝑒𝑛(𝑝)𝑙𝑛2 (2.48) Proof: This proof is presented on the thesis 2.6 Conclusion of chapter In this chapter, the thesis proposes three signature schemes, of which two schemes RW0 and R0 improve the Rabin scheme, while the PCRS scheme develops the Rabin scheme in the direction of expending exponent e = Improved schemes RW0 and R0 not need to calculate the Jacobi symbol in the signature algorithm With the proposed results and on the basis of analyzing some publications in the same direction, it can be affirmed that the technique of avoiding the calculation of Jacobi symbol in the signature algorithm is completely new With the above technique, the proposed schemes are most effective in the 14 modulo same-type schemes The PCRS scheme develops the Rabin scheme with the exponent e = 3, so the parameters p, q satisfy the condition 𝑝 ≡ 𝑞 ≡ (𝑚𝑜𝑑 3) All schemes proposed in this chapter are in the Rabin series with the time cost of the verifying signature algorithm being low and can be applied in transaction of “many-one” type of digital signature applications The signature schemes proposed in this chapter were publicized in [1], [3] and [4] CHAPTER THE SIGNATURE SCHEMES IN COMBINATION WITH RSA AND RABIN 3.1 Mathematical base 3.1.1 Symbol - Integer n = p.q with p, q are two primes so that p = 3.t + with gcd(3, t) = and gcd(3, q – 1) = (3.1) - With all a ∈ Zn corresponding only with (𝑎𝑝 , 𝑎𝑞 ) ∈ 𝑍𝑝 × 𝑍𝑞 with 𝑎𝑝 = a mod p, 𝑎𝑞 = a mod q and reverse mapping, denoted as CRT, is determined by the formula: CRT(u,v) = (𝑞 (𝑞 −1 𝑚𝑜𝑑 𝑝) 𝑢 + 𝑝 (𝑝−1 𝑚𝑜𝑑 𝑝) 𝑣) 𝑚𝑜𝑑 𝑛 (3.2) - Mapping on the preservation of multiplication means: CRT(u.x mod p,v.y mod q) = CRT(u,v) CRT(x,y) mod n (3.3) 3.1.2 Function CR and solving cube root problem on GF(p) with p ≠ (mod 3) as a prime Definition (Function CR, where the letters CR stand for "Cube Root") Given p ≠ (mod 9) as an odd prime, we have: 3−1 𝑚𝑜𝑑 (𝑝 – 1) 𝑛ế𝑢 𝑝 ≠ (𝑚𝑜𝑑 3) 2𝑝+1 d= 𝑝+2 𝑛ế𝑢 𝑝 ≡ (𝑚𝑜𝑑 9) (3.4) 𝑛ế𝑢 𝑝 ≡ (𝑚𝑜𝑑 9) [ Function CR (., p): GF(p) → GF(p) is determined by the following formula: CR(a, 𝑝) = 𝑎𝑑 mod p (3.5) with GF(p), where the letters GF stand for "Galois field", is a finite field that is given by the integers mod p when p is a prime number Then, we have : Lemma With p ≠ (mod 9) as an odd prime, then with a ∈ GF*(p) we have : If p ≠ (mod 3) then 15 𝐶𝑅(𝑎, 𝑝)3 ≡ a (mod p) (3.6) If p ≡ (mod 9) then 𝐶𝑅(𝑎, 𝑝) ≡ a.(𝑎 𝑝−1 ) (mod p) (3.7) (mod p) (3.8) If p ≡ (mod 9) then 𝐶𝑅(𝑎, 𝑝)3 ≡ a.𝑎 𝑝−1 Proof: This proof is presented on the thesis 3.1.3 Sets E(β), B(β) Clause 3.1 Give β ∈ 𝑍𝑛∗ so that: 𝑝−1 ≠ (mod p) (3.9) 𝐸(𝛽) = {𝑒𝑖 = 𝜀 𝑖 𝑚𝑜𝑑 𝑝}𝑖=0,1,2 (3.10) 𝐵(𝛽) = {𝑏𝑖 = 𝛽 𝑖 𝑚𝑜𝑑 𝑛}𝑖=0,1,2 (3.11) 𝜀=𝛽 Denoted as We have: 1) E(β) is the set of square roots of the unit in GF (p) 2) With all a ∈ 𝑍𝑛∗ , if 𝑎 𝑝−1 (3.12) 𝑚𝑜𝑑 𝑝 = 𝑒𝑖 , with j = – i mod (3.13) then the following condition is satisfied: (𝑎 𝑏𝑗 𝑝−1 ) 𝑚𝑜𝑑 𝑝 = (3.14) Proof: This proof is presented on the thesis 3.1.4 Cube Congruent Equation and Factorization Problem Considering the equation below with a ∈ 𝑍𝑛 𝑥 ≡ 𝑎 (mod n) (3.16) We have results as follows Lemma Conditions needed and sufficient for (3.16) to have a solution: 𝑎 𝑝−1 𝑚𝑜𝑑 𝑝 = Then, a solution of (3.16) is given by the following formula: (3.17) 16 x = CRT(CR(a mod p, p), CR(a mod q, q)) (3.18) Proof: This proof is presented on the thesis Corollary 3.1 If n can be analyzed into factors p and q, then equation (3.16) always be solved Clause 3.2 If two different solutions of equation (3.16) are found, then n can be analyzed Proof: This proof is presented on the thesis 3.2 Signature scheme DRSA-RABIN3 3.2.1 Signature scheme DRSA-RABIN3 a) Systematic parameters: Integer n = p.q with p and q are satisfied condition (3.1) 𝑑𝑝 𝑎𝑛𝑑 𝑑𝑞 are calculated as the corresponding d value in the formula (3.4) Find the smallest value β satisfying the condition (3.9) and construct the set E = E (β), B = B (β) according to two formulas (3.10) and (3.11) Secret parameters is the set (n, p, q, E) and publish parameters is the set (n,B) b) DRSA-RABIN3 signing algorithm: Algorithm 3.1 – DRSA-RABIN3 Signing Algorithm INPUT: a ∈ ℤ∗𝑛 is the message to be signed, (n, p, q, E) is secret parameters OUTPUT: (s, j) ∈ 𝑍𝑛 × 𝑍 is the signature onto a r ← 𝑎 𝑝−1 𝑚𝑜𝑑 𝑝 For i=0 to if (r = 𝑒𝑖 ) then j ← – i mod 3; (3.23) (3.24) u ← a 𝑏𝑗 mod n; (3.25) s ←CRT(CR(u mod p, p),CR(u mod q, q)); (3.26) return (s, j) (3.27) c) DRSA-RABIN3 verifying algorithm: Algorithm 3.2 – DRSA-RABIN3 Verifying Algorithm INPUT: (s, j) is the signature onto a, (n, B) is publish parameters OUTPUT: Accept ∈ {0,1} only accept the validity of the signature (s,j) if and only if Accept = 17 u ← a 𝑏𝑗 mod n; if (𝑢 = 𝑠 𝑚𝑜𝑑 𝑛) then Accept ← 1; else Accept ← 0; (3.28) return Accept 3.2.2 The correctness of the DRSA-RABIN3 signature scheme Clause 3.3 All signatures (s,j) on message a created from algorithm 3.1 have an output value of according to algorithm 3.2 Proof: This proof is presented on the thesis 3.2.3 Security of the DRSA-RABIN3 signature scheme Clause 3.4 Security of the DRSA-RABIN3 scheme is ensured by the difficulty of the factorizing problem 3.2.4 Time cost of DRSA-RABIN3 scheme Clause 3.5 The cost of the signature-creation algorithm, denoted as 𝑇3.1 , and the verifying algorithm, denoted as 𝑇3.2 , in the DRSA-RABIN3 scheme are given by the following formula: 𝑇3.1 = 𝑡𝑚 + 𝑡𝑒𝑥𝑝 + 𝑡𝐶𝑅𝑇 𝑇3.2 = 𝑡𝑚 (3.29) (3.30) 3.3 PRSA-RABIN3 Signature Scheme 3.3.1 PRSA-RABIN3 signature Scheme a) Systematic parameters: System parameter for signature schemes includes: − Integer n = p.q with p, q are two primes so that: p = 3.t + with gcd(t,3) = and gcd(3, q – 1) = (3.31) − Hash Function: Hash: {0,1} → {0,1}ℎ satisfies security requirements for codes − Secret parameter 𝑑𝑝 , 𝑑𝑞 can be defined as follows: 2p+1 𝑑𝑝 = { p+2 𝑛ế𝑢 𝑝 ≡ (𝑚𝑜𝑑 9) ; 𝑛ế𝑢 𝑝 ≡ (𝑚𝑜𝑑 9) 𝑑𝑞 = 3−1 𝑚𝑜𝑑 (𝑞 − 1) (3.32) 18 b) PRSA-RABIN3 signing Algorithm: Algorithm 4.3 – PRSA-RABIN3 Signing Algorithm INPUT: m ∈ {0,1}∞is the message to be signed; parameters: p, q, 𝑑𝑝 , 𝑑𝑞 OUTPUT: (R,s) ∈ {0,1}𝑘 ×𝑍𝑛 is the signature onto m Repeat R ← Random({0,1}𝑘 ); h ← Code(Hash(R||m)); t←ℎ 𝑝−1 mod p; until (t=1); (3.33) 𝑠 ← ℎ𝑑𝑝 𝑚𝑜𝑑 𝑝; 𝑠 ← ℎ𝑑𝑞 𝑚𝑜𝑑 𝑞; 𝑝 𝑞 𝑝 𝑞 (3.34) 𝑠 ← 𝐶𝑅𝑇(𝑠𝑝 , 𝑠𝑞 ); (3.35) return (R, s) c) PRSA-RABIN3 verifying algorithm: Algorithm 3.4 – PRSA-RABIN3 Verifying Algorithm INPUT: m ∈ {0,1}∞ and (R,s) ∈ {0,1}𝑘 ×𝑍𝑛 is the signature onto m OUTPUT: Accept ∈ {0,1} only accept the validity of the signature if and only if Accept = 1 h ← Code(Hash(R||m)); t ← 𝑠 mod n; Accept ← (t=h); return Accept; 3.3.2 The correctness of the PRSA-RABIN3 signature scheme Clause 3.6 All signatures (R,s) on message m created from algorithm 3.3 have an output value of according to algorithm 3.4 Proof: This proof is presented on the thesis 3.3.3 Security of the PRSA-RABIN3 signature scheme Clause 3.7 Security of the scheme PRSA-RABIN3 is ensured by the difficulty of the factorizing problem 19 3.3.4 Time cost of PRSA-RABIN3 scheme Clause 3.8 The cost of the signature-creation algorithm, denoted as 𝑇3.3 , and the verifying algorithm, denoted as 𝑇3.4 , in the PRSA-RABIN3 scheme are given by the following formula: 𝑇3.3 = 𝑡𝑒𝑥𝑝 + 𝑡𝐶𝑅𝑇 (3.38) 𝑇3.4 = 𝑡𝑚 (3.39) 3.4 The schemes DRSA-Rabin3 and PRSA-Rabin3 improved The first success of the thesis in increasing the effectiveness of signature algorithms in Rabin scheme was to introduce techniques to avoid the calculation of 𝑎 Jacobi symbols in these algorithms As we known, the Jacobian symbol ( ) is 𝑛 characteristic of the existence of solutions of the equation 𝑥 ≡ 𝑎 (mod n) For the equation 𝑥 ≡ 𝑎 (mod p) with p is prime and p - is a multiple of 3, the characteristic of the existence of this equation is 𝑎(𝑝−1)/3 ≡ (mod p) So, the RSA-Rabin3 and PRSA-Rabin3 schemes presented in the previous two sections always use the above conditions in the signature algorithms In this section, we once again applied the technique to avoid calculating the value of 𝑎(𝑝−1)/3 mod p to obtain two new schemes with much higher efficiency than the corresponding schemes 3.4.1 Mathematical basis of improvement Clause 3.9 Let p be an odd prime with p - being a multiple of and p ≠ (mod 9), b is an integer not a multiple of p such that: 𝑏 (𝑝−1)/3 𝑚𝑜𝑑 𝑝 ≠ (3.40) Denote: 𝜎 = [𝑏 2(𝑝−1)/3 𝑖𝑓 𝑝 ≡ (𝑚𝑜𝑑 9) 𝑏(𝑝−1)/3 𝑖𝑓 𝑝 ≡ (𝑚𝑜𝑑 9) (3.41) When all integers a are not multiples of p, we have the value of a mod p with one of the following three values: CR(a, p)3 mod p, CR(a, p)3.σ mod p, CR(a, p)3.σ2 mod p (3.42) Moreover, we also have: 20 𝐶𝑅(𝑎, 𝑝)3 𝜎 ≡ 𝑎 (𝑚𝑜𝑑 𝑝) ⟺ 𝐶𝑅(𝑎 𝑏, 𝑝)3 ≡ 𝑎 𝑏(𝑚𝑜𝑑 𝑝) (3.43) 𝐶𝑅(𝑎, 𝑝)3 𝜎 ≡ 𝑎 (𝑚𝑜𝑑 𝑝) ⟺ 𝐶𝑅(𝑎 𝑏 , 𝑝)3 ≡ 𝑎 𝑏 (𝑚𝑜𝑑 𝑝) (3.44) Proof: This proof is presented on the thesis 3.4.2 Improved PRSA-Rabin3 scheme a) Systematic parameters: The systematic parameters of the improved signature scheme is the same as ones of PRSA-Rabin3 a) PRSA-RABIN3-1 signing algorithm: Algorithm 3.5 – PRSA-RABIN3-1 Signature Algorithm INPUT: m ∈ {0,1}∞ is the message to be signed; parameters: p, q, 𝑑𝑝 , 𝑑𝑞 OUTPUT: (R,s) ∈ {0,1}𝑘 ×𝑍𝑛 is the signature onto m Repeat R ← Random({0,1}𝑘 ); h ← Code(Hash(R||m)); 𝑠𝑝 ← ℎ𝑑𝑝 mod p; u ← 𝑠𝑝3 mod p; until (u = h mod p); 𝑠𝑞 ← ℎ𝑑𝑞 𝑚𝑜𝑑 𝑞; s ← 𝐶𝑅𝑇(𝑠𝑝 , 𝑠𝑞 ); return (R, s); c) The correctness of the signature scheme: Clause 3.10 All signatures (R,s) on message m created from algorithm 3.5 have an output value of according to algorithm 3.4 Proof: This proof is presented on the thesis d) The effectiveness of the improved PRSA-Rabin3-1 scheme compared to PRSARabin3: Clause 3.11 The average time cost of the signature algorithm, denoted as 𝑇3.5 of PRSA-RABIN3-1 scheme is given by following formula: 21 𝑇3.5 = (𝑡𝑒𝑥𝑝 + 𝑡𝑚 ) + 𝑡𝑒𝑥𝑝 + 𝑡𝐶𝑅𝑇 (3.46 ) Clause 3.12: PRSA-Rabin3-1 has a more efficient signature algorithm than PRSA-Rabin3 scheme Proof: This proof is presented on the thesis 3.4.3 Improved DRSA-Rabin3 scheme The improved DRSA-Rabin3 scheme has two changes, one in the systematic parameters and the other is the signature algorithm a) Systematic parameters: In the improvement scheme, the systematic parameters identifies the following: − 𝑑𝑝 , 𝑑𝑞 are calculated as the corresponding d value in the formula (3.4) − Find the smallest value β satisfying the condition (3.40) − 𝛽𝑝 = 𝑏 𝑑𝑝 𝑚𝑜𝑑 𝑝, 𝛽𝑞 = 𝑏 𝑑𝑞 𝑚𝑜𝑑 𝑞 and σ are calculated in the formula (3.40) − Publish key is the set (n, B) with B = {1, b, 𝑏 mod n) − Secret key is the set (p, q, 𝑑𝑝 , 𝑑𝑞 , 𝛽𝑝 , 𝛽𝑞 , σ) b) DRSA-RABIN3-1 signing algorithm: Algorithm 3.6 – DRSA-RABIN3-1 Signature Algorithm INPUT: a ∈ 𝑍𝑛 is the message to be signed; secret parameters (p, q, 𝑑𝑝 , 𝑑𝑞 , 𝛽𝑝 , 𝛽𝑞 , σ) OUTPUT: (s, j) ∈ 𝑍𝑛 × 𝑍 is the signature onto a 𝑠𝑝 ← 𝑎𝑑𝑝 mod p; 𝑠𝑞 ← 𝑎𝑑𝑞 mod q; u ← 𝑠𝑝3 mod p; if (u = a mod p) then return (𝐶𝑅𝑇(𝑠𝑝 , 𝑠𝑞 ), 0); u ← u.σ mod p; 𝑠𝑝 ← 𝑠𝑝 𝛽𝑝 mod p; 𝑠𝑞 ← 𝑠𝑞 𝛽𝑞 mod q; if (u = a mod p) then return (𝐶𝑅𝑇(𝑠𝑝 , 𝑠𝑞 ), 1); 𝑠𝑝 ← 𝑠𝑝 𝛽𝑝 mod p; 𝑠𝑞 ← 𝑠𝑞 𝛽𝑞 mod q; return (𝐶𝑅𝑇(𝑠𝑝 , 𝑠𝑞 ), 2);■ 22 c) The correctness of the signature scheme: Clause 3.13 All signatures (s,j) on message m created from algorithm 3.6 have an output value of according to algorithm 3.2 Proof: This proof is presented on the thesis d) The effectiveness of the improved DRSA-Rabin3-1 scheme compared to DRSARabin3: Clause 3.14 The time cost of the signature algorithm, denoted as 𝑇3.𝟔 of DRSA-RABIN3-1 scheme is given by following formula: 𝑇3.6 ≤ 𝑡𝑒𝑥𝑝 + 𝑡𝑚 + 𝑡𝐶𝑅𝑇 (3.49) Clause 3.15: DRSA-Rabin3-1 has a more efficient signature algorithm than DRSA-Rabin3 scheme Proof: This proof is presented on the thesis 3.5 Conclusion of chapter In this chapter, the thesis propose two schemes which combine the RSA and Rabin with exponent e=3 and e is the divisor of either p – or q – By not computing the Jacobi symbol in signature algorithms, these algorithms have their effectiveness improved On developing to increase the efficiency for signature algorithm, in this chapter, I avoid calculating 𝑎(𝑝−1)/3 mod p to obtain two improved schemes that have much higher effectiveness The signature schemes proposed in this chapter were publicized in [2], [3] and [4] CONCLUSION Obtained result During the research, I always stick to the target and approach valuable scientific documents nationally and internationally On solving the problem of constructing a signature scheme with low signature-verifying cost for digital transaction that require authentication of signature validity in a great deal, I choose the RSA and Rabin scheme to research and develop The researching content and the obtained result from scientific researches shows that the thesis have reached the set goal 23 The obtained result of the thesis include: − In chapter 1, the thesis proposes clause 1.1 and prove that: the calculation of the time cost of verifying algorithms and proof that among the standardized signature schemes, the Rabin schemes has the lowest verifying cost This is a vital base for the research when proposing signature scheme for digital trade of “many-one” type − In chapter 2, the thesis proposes three signature schemes RW0, R0 and PCRS, among which the RW0 and R0 schemes are improved from the Rabin scheme, while PCRS is developed from Rabin with e=3 − In chapter 3, the thesis proposed four signature schemes, namely DRSARABIN3 and PRSA-RABIN3, DRSA-RABIN3-1 and PRSA-RABIN3-1 These schemes combine the designing principle of Rabin and RSA with exponent e=3 New contributions of the thesis − In addition to the security criteria, the most important criteria for the signature scheme used in many-to-one transactions is "the lower the cost of the verifying algorithm, the better." Therefore, clause 1.1 is a very important new contribution, playing a role in shaping the studies of the thesis − The second new contribution of the thesis is to find the "avoid counting Jacobi notation" technique in Rabin signing algorithm With this technique, the thesis has proposed the RW0 (improved by Rabin-Williams) and R0 (improved by Rabin) Both of these schemes are better (in terms of time spent signing) than similar studies Besides, the thesis has proposed the probabilistic PCRS scheme It is developed from the Rabin with p-1, q-1 are both multiplicities of e (with e=3) − The third new contribution is the cleverly combining the design principles of RSA and Rabin to create new signature schemes, PRSA-Rabin3 and DRSARabin3 with exponents e = 24 − Finally, the thesis has found the clause 3.9 as the basis for avoiding calculation value 𝑎(𝑝−1)/3 𝑚𝑜𝑑 𝑝 for the DRSA-RABIN3 scheme and PRSA-RABIN3 scheme Thanks to this technique, the two improved schemes PRSA-Rabin31 and DRSA-Rabin-1 have cost for signature algorithm much lower than the original algorithm Future researching strategy The thesis shall be developed in the following ways: Academically: researching and developing Rabin-styled signature schemes with random modulo p, q; developing schemes as combination of the Rabin and RSA in cases of exponent e is a random odd prime Practically: researching application model for signature schemes proposed in the thesis, applying the obtained result into several software at work LIST OF PUBLICATIONS Hoang Thị Mai, “An improvement of the Rabin signature scheme”, Journal of Military Science and Technology, 12/2017, ISSN 1859-1043, pp.73-82 Hoang Thị Mai, "The signature scheme in combination with RSA and RABIN", Journal of Military Science and Technology, vol 53, pp 143-148, 02-2018 Hoang Thị Mai, “Developing RSA and Rabin signature schemes in case of exponent e=3”, Proceeding of International Conference “The autonomy of university in scientific and technological activities suitable for the requirement of the 4th industrial revolution”, Publishing House of Hanoi National University, ISBN 978-604-62-4759-3, 1/2019, pp.385-396 Hoang Thi Mai,“Improving signature scheme in combination with RSA and Rabin”, Journal of Military Science and Technology, ISSN 1859-1043, vol 62, 8/2019, pp.188-194 ... from the Rabin scheme, while PCRS is developed from Rabin with e=3 − In chapter 3, the thesis proposed four signature schemes, namely DRSARABIN3 and PRSA -RABIN3 , DRSA -RABIN3 -1 and PRSA -RABIN3 -1... Clause 3.12: PRSA -Rabin3 -1 has a more efficient signature algorithm than PRSA -Rabin3 scheme Proof: This proof is presented on the thesis 3.4.3 Improved DRSA -Rabin3 scheme The improved DRSA -Rabin3 scheme... PRSA -Rabin3 and DRSARabin3 with exponents e = 24 − Finally, the thesis has found the clause 3.9 as the basis for avoiding calculation value