The Squaring Trapdoor Function Candidate by Rabin

Rabin in [164] introduced a candidate trapdoor function which we call the squaring function. The squaring function resemble the RSA function except that Rabin was able to actuallyprovethat inverting the squaring function is as hard as factoring integers. Thus, inverting the squaring function is a computation which is at least as hard as inverting the RSA function and possibly harder.

Definition 2.36 Let I = {n = pq : pandqare distinct odd primes.}. For n ∈ I, the squaring function SQU AREn :Z^∗_n−→Z^∗_n is defined bySQU AREn(x)≡x²modn. The trapdoor information ofn=pq∈I ist_n= (p, q). We will denote the entire collection of Rabin’s functions by RABIN ={SQU ARE_n :Z^∗_n −→

Z^∗_n}n∈I.

Remark 2.37 Observe that while Rabin’s function squares its input, the RSA function uses a varying exponent; namely, e where gcd(e, φ(n)) = 1. The requirement that gcd(e, φ(n)) = 1 guarentees that the RSA function is a permutation. On the other hand, Rabin’s function is 1 to 4 and thus it does not have a uniquely defined inverse. Specifically, let n = pq ∈ I and let a ∈ Z^∗_p. As discussed in section C.4, if a ≡ x²modp then x and −x are the distinct square roots of a modulo p and if a ≡ y²modq then y and −y are the distinct square roots of a modulo q. Then, there are four solutions to the congruence a ≡ z²modn, constructed as follows. Let c, d ∈ Z_n be the Chinese Remainder Theorem coefficients as discussed in Appendix C.4. Then

c=

1 modp 0 modq and

d=

0 modp 1 modq

and the four solutions arecx+dy,cx−dy,−cx+dy, and−cx−dy.

Cryptography: Lecture Notes 31

The main result is that RABIN is a collection of strong one way trapdoor functions and the proof relies on an assumption concerning the difficulty of factoring. We state this assumption now.

Factoring Assumption: LetHk ={pq:pandqare prime and |p|=|q|=k}. Then for every polynomial Qand every PTM A,∃k0 such that∀k > k0

Pr[A(n) =p:p|nandp6= 1, n]< 1 Q(k) (where the probability is taken over alln∈Hk and the coin tosses of A).

Our ultimate goal is to prove the following result.

Theorem 2.38 Under the factoring assumption, RABIN is a collection of one way trapdoor functions.

Before proving this, we consider two auxiliary lemmas. Lemma 2.39 constructs a polynomial-time machine A which computes square roots modulo a prime. Lemma 2.42 constructs another polynomial-time machine, SQRT, that inverts Rabin’s function using the trapdoor information; specifically, it computes a square root modulo composites given the factorization. SQRT makes calls to A.

Lemma 2.39 Letpbe an odd prime and letabe a square modulop. There exists a probabilistic algorithm Arunning in expected polynomial time such thatA(p, a) =xwherex²≡amodp.

Proof: Let pbe an odd prime and let a be a quadratic residue in Z^∗_p. There are two cases to consider;

p≡1 mod 4 andp≡3 mod 4.

Case 1p≡3 mod 4; that is,p= 4m+ 3 for some integerm.

Sinceais a square we have 1 =J_p(a)≡a^p−12 modp=⇒a^2m+1≡1 modp

=⇒a^2m+2≡amodp Therefore,a^m+1 is a square root ofamodulop.

Case 2p≡1 mod 4; that is,p= 4m+ 1 for some integerm.

As in Case 1, we will attempt to find an odd exponentesuch thata^e≡1 modp.

Again,ais a square and thus 1 =Jp(a)≡a^p−12 modp=⇒a^2m≡1 modp.

However, at this point we are not done as in Case 1 because the exponent onain the above congruence is even. But notice thata^2m≡1 modp=⇒a^m≡ ±1 modp. Ifa^m ≡1 modpwith modd, then we proceed as in Case 1.

This suggests that we write 2m = 2^lr where r is an odd integer and computea^2l−irmodpfor i= 1, . . . , l with the intention of reaching the congruence a^r ≡1 modpand then proceeding as in Case 1. However, this is not guarenteed as there may exist an integer l⁰ satisfying 0≤l⁰ < l such that a^2l

0r

≡ −1 modp. If this congruence is encountered, we can recover as follows. Choose a quadratic nonresidue b ∈ Z^∗_p. Then

−1 = Jp(b) ≡ b^p−12 modp and therefore a^2l0r·b^2lr = a^2l0r·b^p−12 ≡ 1 modp. Thus, by multiplying by b^2lr≡ −1 modp, we obtain a new congruence (a^rb^2l−l

0r)

2^l0

≡1 modp. We proceed by taking square roots

in this congruence. Sincel⁰< l, we will, afterl steps, arrive ata^rb^2s≡1 modpwhere sis integral. At this point we havea^r+1b^2s≡amodp=⇒a^r+12 b^s is a square root ofamodp.

From the above discussion (Cases 1 and 2) we obtain a probabilistic algorithm A for taking square roots.

The algorithm A runs as follows on inputa,pwhereJp(a) = 1.

(1) Ifp= 4m+ 3 for some integermthen outputa^m+1 as a square root ofamodp.

(2) If p = 4m+ 1 for some integer m then randomly choose b ∈ Z^∗_p until a value is found satisfying J_p(b) =−1.

(1) Initializei= 2mandj= 0.

(2) Repeat untiliis odd.

i←₂ⁱ andj← ^j₂.

Ifaⁱb^j=−1 thenj←j+ 2m.

Outputaⁱ⁺¹² b^j2 as a square root ofamodp.

This algorithm terminates afterO(l) iterations because in step 2 (ii) the exponent onais divided by 2. Note also, that since exactly half of the elements inZ^∗_p are quadratic nonresidues, it is expected that 2 iterations will be required to find an appropriate value for b at the beginning of step 2. Thus, A runs in expected polynomial time and this completes the proof of Lemma 2.39.

Remark 2.40 There is a deterministic algorithm due to Ren´e Schoof (see [179]) which computes the square root of a quadratic residueamodulo a prime pin time polynomial in|p|and a(specifically, the algorithm requiresO((a¹²⁺logp)⁹) elementary operations for any >0). However, it is unknown whether there exists a deterministic algorithm running in time polynomial in|p|.

Open Problem 2.41 Does there exist a deterministic algorithm that computes square roots modulo a primepin time polynomial in|p|?

The next result requires knowledge of the Chinese Remainder Theorem. The statement of this theorem as well as a constructive proof is given in Appendix C.4. In addition, a more general form of the Chinese Remainder Theorem is presented there.

Lemma 2.42 Letpandqbe primes,n=pqandaa square modulop. There exists a probabilistic algorithm SQRT running in expected polynomial time such thatSQRT(p, q, n, a) =xwhere x²≡amodn.

Proof:The algorithm SQRT will first make calls to A, the algorithm of Lemma 2.39, to obtain square roots ofamodulo each of the primespandq. It then combines these square roots, using the Chinese Remainder Theorem, to obtain the required square root.

The algorithm SQRT runs as follows.

(1) LetA(p, a) =x1 andA(q, a) =x2.

(2) Use the Chinese Remainder Theorem to find (in polynomial time)y∈Zn such thaty≡x1modpand y≡x2modqand outputy.

Algorithm SQRT runs correctly becausey²≡

x²₁≡amodp

x²₂≡amodq =⇒y²≡amodn.

Cryptography: Lecture Notes 33

On the other hand, if the factors of n are unknown then the computation of square roots modulo n is as hard as factoringn. We prove this result next.

Lemma 2.43 Computing square roots modulon∈H_k is as hard as factoring n.

Proof:Suppose that I is an algorithm which on inputn∈H_k andaa square modulonoutputsysuch that a≡y²modnand consider the following algorithm B which on inputnoutputs a nontrivial factor of n.

(1) Randomly choosex∈Z^∗_n. (2) Sety=I(n, x²modn).

(3) Check ifx≡ ±ymodn. If not then gcd(x−y, n) is a nontrivial divisor ofn. Otherwise, repeat from 1.

Algorithm B runs correctly becausex²≡y²modn=⇒(x+y)(x−y)≡0 modnand son|[(x+y)(x−y)].

Butn6 |(x−y) because x6≡ymodnandn6 |(x+y) because x6≡ −ymodn. Therefore, gcd(x−y, n) is a nontrivial divisor ofn. Note also that the congruencea≡x²modnhas either 0 or 4 solutions (a proof of this result is presented in Appendix C.4). Therefore, ifI(n, x²) =y thenx≡ ±ymodnwith probability ¹₂ and hence the above algorithm is expected to terminate in 2 iterations.

We are now in a position to prove the main result, Theorem 2.38.

Proof: For condition 1, defineS₁ to find on input 1^k an integern=pq where pand qare primes of equal length and|n|=k. The trapdoor information is the pair of factors (p, q).

For condition 2 in the definition of a collection of one way trapdoor functions, define S2 to simply output x∈Z_n^∗ at random givenn.

Condition 3 is true since the computation ofx²modncan be performed in polynomial time and condition 4 follows from the factoring assumption and Lemma 2.43.

Condition 5 follows by applying the algorithmSQRT from Lemma 2.42.

Lemma 2.43 can even be made stronger as we can also prove that if the algorithm I in the proof of Lemma 2.43 works only on a small portion of its inputs then we are still able to factor in polynomial time.

Proposition 2.44 Let,δ∈(0,1) and let S⊆H_k. Suppose there is a probabilistic algorithm I such that for alln∈S

Pr[I(n, a) =xsuch thata≡x²modn]>

(where the probability is taken overn∈S,a∈Z^∗_n², and the coin tosses of I). Then there exists a probabilistic algorithm FACTOR running in time polynomial in⁻¹,δ⁻¹, and |n|such that for alln∈S,

Pr[FACTOR(n) =dsuch thatd|nandd6= 1, n]>1−δ (where the probability is taken overnand over the coins tosses of FACTOR).

Proof:Choose the smallest integerN such that _e¹_N < δ.

Consider the algorithm FACTOR running as follows on inputsn∈S.

Repeat 2⁻¹N times.

Randomly choose x∈Z^∗_n. Sety=I(n, x²modn).

Check ifx≡ ±ymodn. If not then gcd(x−y, n) is a nontrivial divisor of n.

Otherwise, continue to the next iteration.

End loop

We can estimate the probability that FACTOR fails. Note that even whenI(n, x²modn) produces a square root ofx²modn, FACTOR(n) will be successful exactly half of the time.

Pr[FACTOR(n) fails to factorn] = Pr[A single iteration of the loop of FACTOR fails]^−1N

<(1−¹₂)²

−1N

<(e^−N)

< δ

Since N =O(log(δ⁻¹)) =O(δ⁻¹), FACTOR is a probabilistic algorithm which runs in time polynomial in ⁻¹,δ⁻¹, and |n|.