Rabin signature algorithm explained

In cryptography, the Rabin signature algorithm is a method of digital signature originally proposed by Michael O. Rabin in 1978.^[1] ^[2] ^[3]

The Rabin signature algorithm was one of the first digital signature schemes proposed. By introducing the use of hashing as an essential step in signing, it was the first design to meet what is now the modern standard of security against forgery, existential unforgeability under chosen-message attack, assuming suitably scaled parameters.

Rabin signatures resemble RSA signatures with 'exponent

e=2

', but this leads to qualitative differences that enable more efficient implementation^[4] and a security guarantee relative to the difficulty of integer factorization,^[2] ^[3] ^[5] which has not been proven for RSA.However, Rabin signatures have seen relatively little use or standardization outside IEEE P1363 in comparison to RSA signature schemes such as RSASSA-PKCS1-v1_5 and RSASSA-PSS.

Definition

H(m,u)

of a message

and

-bit randomization string

Public key

A public key is a pair of integers

(n,b)

with

0\leqb<n

and

odd.

Signature

A signature on a message

is a pair

(u,x)

of a

-bit string

and an integer

such that

x (x + b) \equiv H(m, u) \pmod n.

Private key

The private key for a public key

(n,b)

is the secret odd prime factorization

p ⋅ q

, chosen uniformly at random from some space of large primes. Let

d=(b/2)\bmodn

d_p=(b/2)\bmodp

, and

d_q=(b/2)\bmodq

. To make a signature on a message

, the signer picks a

-bit string

uniformly at random, and computes

c:=H(m,u)

. If

c+d²

is a quadratic nonresidue modulo

, then the signer throws away

and tries again. Otherwise, the signer computes

\begin x_p &:= \Bigl(-d_p \pm \sqrt\Bigr) \bmod p \\ x_q &:= \Bigl(-d_q \pm \sqrt\Bigr) \bmod q, \end

using a standard algorithm for computing square roots modulo a prime - picking

p\equivq\equiv3\pmod4

makes it easiest. Square roots are not unique, and different variants of the signature scheme make different choices of square root;^[4] in any case, the signer must ensure not to reveal two different roots for the same hash

. The signer then uses the Chinese remainder theorem to solve the system

\beginx &\equiv x_q \pmod n \\ x &\equiv x_p \pmod n\end

for

. The signer finally reveals

(u,x)

Correctness of the signing procedure follows by evaluating

x(x+b)-H(m,u)

modulo

and

with

as constructed. For example, in the simple case where

b=0

is simply a square root of

H(m,u)

modulo

. The number of trials for

is geometrically distributed with expectation around 4, because about 1/4 of all integers are quadratic residues modulo

Security

Security against any adversary defined generically in terms of a hash function

(i.e., security in the random oracle model) follows from the difficulty of factoring

:Any such adversary with high probability of success at forgery can, with nearly as high probability, find two distinct square roots

x₁

and

x₂

of a random integer

modulo

.If

x₁\pmx₂\not\equiv0\pmodn

then

\gcd(x₁\pmx_2,n)

is a nontrivial factor of

, since

	2
{x
	1}

\equiv

	2
{x
	2}

\equivc\pmodn

n\mid

	2
{x
	1}

	2
{x
	2}

=(x₁+x₂₎(x₁-x₂₎

but

n\nmidx₁\pmx₂

.^[3] Formalizing the security in modern terms requires filling in some additional details, such as the codomain of

; if we set a standard size

for the prime factors,

2^K<p<q<2^K

, then we might specify

H\colon\{0,1\}^* x \{0,1\}^k\to\{0,1\}^K

.^[5]

Randomization of the hash function was introduced to allow the signer to find a quadratic residue, but randomized hashing for signatures later became relevant in its own right for tighter security theorems^[3] and resilience to collision attacks on fixed hash functions.^[6] ^[7] ^[8]

Variants

The quantity

in the public key adds no security, since any algorithm to solve congruences

x(x+b)\equivc\pmodn

for

given

and

can be trivially used as a subroutine in an algorithm to compute square roots modulo

and vice versa, so implementations can safely set

b=0

for simplicity;

was discarded altogether in treatments after the initial proposal.^[3] ^[4]

The Rabin signature scheme was later tweaked by Williams in 1980^[9] to choose

p\equiv3\pmod8

and

q\equiv7\pmod8

, and replace a square root

by a tweaked square root

(e,f,x)

, with

e=\pm1

and

f\in\{1,2\}

, so that a signature instead satisfies

e f x^2 \equiv H(m, u) \pmod n,

which allows the signer to create a signature in a single trial without sacrificing security.This variant is known as Rabin–Williams.^[4] ^[10] Further variants allow tradeoffs between signature size and verification speed, partial message recovery, signature compression (down to one-half size), and public key compression (down to one-third size), still without sacrificing security.^[4]

Variants without the hash function have been published in textbooks,^[11] ^[12] crediting Rabin for exponent 2 but not for the use of a hash function.These variants are trivially broken - for example, the signature

x=2

can be forged by anyone as a valid signature on the message

m=4

if the signature verification equation is

x²\equivm\pmodn

instead of

x²\equivH(m,u)\pmodn

In the original paper,^[2] the hash function

H(m,u)

was written with the notation

C(MU)

, with C for compression, and using juxtaposition to denote concatenation of

and

as bit strings:

By convention, when wishing to sign a given message,

M

, [the signer]
P

adds as suffix a word
U

of an agreed upon length
k

.The choice of
U

is randomized each time a message is to be signed.The signer now compresses
M₁=MU

by a hashing function to a word
C(M₁₎=c

, so that as a binary number
c\leqn

…

This notation has led to some confusion among some authors later who ignored the

part and misunderstood

to mean multiplication, giving the misapprehension of a trivially broken signature scheme.^[13]

External links

Rabin–Williams signatures at cr.yp.to

Notes and References

Book: Rabin. Michael O.. Michael O. Rabin. DeMillo. Richard A.. Richard DeMillo. Dobkin. David P.. David P. Dobkin. Jones. Anita K.. Anita K. Jones. Lipton. Richard J.. Richard Lipton. Foundations of Secure Computation. 1978. Academic Press. New York. 0-12-210350-5. 155–168. Digitalized Signatures.
Rabin. Michael O.. Michael O. Rabin. Digitalized Signatures and Public Key Functions as Intractable as Factorization. TR-212. MIT Laboratory for Computer Science. January 1979. Cambridge, MA, United States.
Bellare. Mihir. Mihir Bellare. Rogaway. Phillip. Phillip Rogaway. The Exact Security of Digital Signatures—How to Sign with RSA and Rabin. Maurer. Ueli. Ueli Maurer (cryptographer). Advances in Cryptology – EUROCRYPT ’96. May 1996. https://link.springer.com/book/10.1007/3-540-68339-9. 1070. Lecture Notes in Computer Science. Springer. Saragossa, Spain. 978-3-540-61186-8. 399–416. 10.1007/3-540-68339-9_34. free.
Bernstein. Daniel J.. Daniel J. Bernstein. January 31, 2008. RSA signatures and Rabin–Williams signatures: the state of the art. (additional information at https://cr.yp.to/sigs.html)
Bernstein. Daniel J.. Daniel J. Bernstein. Proving tight security for Rabin–Williams signatures. Smart. Nigel. Nigel Smart (cryptographer). Advances in Cryptology – EUROCRYPT 2008. April 2008. https://link.springer.com/book/10.1007/978-3-540-78967-3. 4965. Lecture Notes in Computer Science. Springer. Istanbul, Turkey. 978-3-540-78966-6. 70–87. 10.1007/978-3-540-78967-3_5. free.
Bellare. Mihir. Mihir Bellare. Rogaway. Phillip. Phillip Rogaway. Submission to IEEE P1393—PSS: Provably Secure Encoding Method for Digital Signatures. August 1998. https://web.archive.org/web/20040713140300/http://grouper.ieee.org/groups/1363/P1363a/contributions/pss-submission.pdf. 2004-07-13.
Halevi. Shai. Shai Halevi. Krawczyk. Hugo. Strengthening Digital Signatures via Randomized Hashing. Dwork. Cynthia. Cynthia Dwork. Advances in Cryptology – CRYPTO 2006. https://link.springer.com/book/10.1007%2F11818175. August 2006. 4117. Lecture Notes in Computer Science. Springer. Santa Barbara, CA, United States. 10.1007/11818175_3. free. 41–59.
Dang. Quynh. Randomized Hashing for Digital Signatures. NIST Special Publication. 800-106. United States Department of Commerce, National Institute for Standards and Technology. February 2009. 10.6028/NIST.SP.800-106. free .
Williams. Hugh C.. Hugh C. Williams. A modification of the RSA public-key encryption procedure. IEEE Transactions on Information Theory. 26. 6. 0018-9448. 726–729. 10.1109/TIT.1980.1056264.
Book: August 25, 2000. Institute of Electrical and Electronics Engineers. 0-7381-1956-3. 10.1109/IEEESTD.2000.92292. IEEE Standard Specifications for Public-Key Cryptography. IEEE Std 1363-2000.
Book: Menezes. Alfred J.. Alfred Menezes. van Oorschot. Paul C.. Paul van Oorschot. Vanstone. Scott A.. Scott Vanstone. Handbook of Applied Cryptography. CRC Press. October 1996. 0-8493-8523-7. §11.3.4: The Rabin public-key signature scheme. 438–442.
Book: Galbraith. Steven D.. Mathematics of Public Key Cryptography. Cambridge University Press. 2012. 978-1-10701392-6. §24.2: The textbook Rabin cryptosystem. 491–494.
Elia. Michele. Schipani. David. On the Rabin signature. Workshop on Computational Security. 2011. Centre de Recerca Matemàtica, Barcelona, Spain.