Rabin signature algorithm

The Rabin signature scheme is parametrized by a randomized hash function ${\displaystyle H(m,u)}$  of a message ${\displaystyle m}$  and ${\displaystyle k}$ -bit randomization string ${\displaystyle u}$ .

Public key

A public key is a pair of integers ${\displaystyle (n,b)}$  with ${\displaystyle 0\leq b<n}$  and ${\displaystyle n}$  odd. ${\displaystyle b}$  is chosen arbitrarily and may be a fixed constant.

Signature

A signature on a message ${\displaystyle m}$  is a pair ${\displaystyle (u,x)}$  of a ${\displaystyle k}$ -bit string ${\displaystyle u}$  and an integer ${\displaystyle x}$  such that $${\displaystyle x(x+b)\equiv H(m,u){\pmod {n}}.}$$ 

Private key

The private key for a public key ${\displaystyle (n,b)}$  is the secret odd prime factorization ${\displaystyle p\cdot q}$  of ${\displaystyle n}$ , chosen uniformly at random from some large space of primes.

Signing a message

To make a signature on a message ${\displaystyle m}$  using the private key, the signer starts by picking a ${\displaystyle k}$ -bit string ${\displaystyle u}$  uniformly at random, and computes ${\displaystyle c:=H(m,u)}$ . Let ${\displaystyle d=(b/2){\bmod {n}}}$ . If ${\displaystyle c+d^{2}}$  is a quadratic nonresidue modulo ${\displaystyle n}$ , the signer starts over with an independent random ${\displaystyle u}$ .^{[1]: p. 10} Otherwise, the signer computes $${\displaystyle {\begin{aligned}x_{p}&:={\Bigl (}-d\pm {\sqrt {c+d^{2}}}{\Bigr )}{\bmod {p}},\\x_{q}&:={\Bigl (}-d\pm {\sqrt {c+d^{2}}}{\Bigr )}{\bmod {q}},\end{aligned}}}$$  using a standard algorithm for computing square roots modulo a prime—picking ${\displaystyle p\equiv q\equiv 3{\pmod {4}}}$  makes it easiest. Square roots are not unique, and different variants of the signature scheme make different choices of square root;^[5] in any case, the signer must ensure not to reveal two different roots for the same hash ${\displaystyle c}$ . ${\displaystyle x_{p}}$  and ${\displaystyle x_{q}}$  satisfy the equations $${\displaystyle {\begin{aligned}x_{p}(x_{p}+b)&\equiv H(m,u){\pmod {p}},\\x_{q}(x_{q}+b)&\equiv H(m,u){\pmod {q}}.\end{aligned}}}$$  The signer then uses the Chinese remainder theorem to solve the system $${\displaystyle {\begin{aligned}x&\equiv x_{p}{\pmod {p}},\\x&\equiv x_{q}{\pmod {q}},\end{aligned}}}$$  for ${\displaystyle x}$ , so that ${\displaystyle x}$  satisfies $${\displaystyle x(x+b)\equiv H(m,u){\pmod {n}}}$$  as required. The signer reveals ${\displaystyle (u,x)}$  as a signature on ${\displaystyle m}$ .

The number of trials for ${\displaystyle u}$  before ${\displaystyle x(x+b)\equiv H(m,u){\pmod {n}}}$  can be solved for ${\displaystyle x}$  is geometrically distributed with an average around 4 trials, because about 1/4 of all integers are quadratic residues modulo ${\displaystyle n}$ .

Security against any adversary defined generically in terms of a hash function ${\displaystyle H}$  (i.e., security in the random oracle model) follows from the difficulty of factoring ${\displaystyle n}$ : Any such adversary with high probability of success at forgery can, with nearly as high probability, find two distinct square roots ${\displaystyle x_{1}}$  and ${\displaystyle x_{2}}$  of a random integer ${\displaystyle c}$  modulo ${\displaystyle n}$ . If ${\displaystyle x_{1}\pm x_{2}\not \equiv 0{\pmod {n}}}$  then ${\displaystyle \gcd(x_{1}\pm x_{2},n)}$  is a nontrivial factor of ${\displaystyle n}$ , since ${\displaystyle {x_{1}}^{2}\equiv {x_{2}}^{2}\equiv c{\pmod {n}}}$  so ${\displaystyle n\mid {x_{1}}^{2}-{x_{2}}^{2}=(x_{1}+x_{2})(x_{1}-x_{2})}$  but ${\displaystyle n\nmid x_{1}\pm x_{2}}$ .^[2] Formalizing the security in modern terms requires filling in some additional details, such as the codomain of ${\displaystyle H}$ ; if we set a standard size ${\displaystyle K}$  for the prime factors, ${\displaystyle 2^{K-1}<p<q<2^{K}}$ , then we might specify ${\displaystyle H\colon \{0,1\}^{*}\times \{0,1\}^{k}\to \{0,1\}^{K}}$ .^[6]

Randomization of the hash function was introduced to allow the signer to find a quadratic residue, but randomized hashing for signatures later became relevant in its own right for tighter security theorems^[2] and resilience to collision attacks on fixed hash functions.^[8][9][10]

The quantity ${\displaystyle b}$  in the public key adds no security, since any algorithm to solve congruences ${\displaystyle x(x+b)\equiv c{\pmod {n}}}$  for ${\displaystyle x}$  given ${\displaystyle b}$  and ${\displaystyle c}$  can be trivially used as a subroutine in an algorithm to compute square roots modulo ${\displaystyle n}$  and vice versa, so implementations can safely set ${\displaystyle b=0}$  for simplicity; ${\displaystyle b}$  was discarded altogether in treatments after the initial proposal.^{[11][2][7][5]} After removing ${\displaystyle b}$ , the equations for ${\displaystyle x_{p}}$  and ${\displaystyle x_{q}}$  in the signing algorithm become:$${\displaystyle {\begin{aligned}x_{p}&:=\pm {\sqrt {c}}{\bmod {p}},\\x_{q}&:=\pm {\sqrt {c}}{\bmod {q}}.\end{aligned}}}$$ 

The Rabin signature scheme was later tweaked by Williams in 1980^[11] to choose ${\displaystyle p\equiv 3{\pmod {8}}}$  and ${\displaystyle q\equiv 7{\pmod {8}}}$ , and replace a square root ${\displaystyle x}$  by a tweaked square root ${\displaystyle (e,f,x)}$ , with ${\displaystyle e=\pm 1}$  and ${\displaystyle f\in \{1,2\}}$ , so that a signature instead satisfies $${\displaystyle efx^{2}\equiv H(m,u){\pmod {n}},}$$  which allows the signer to create a signature in a single trial without sacrificing security. This variant is known as Rabin–Williams.^[5][7]

Further variants allow tradeoffs between signature size and verification speed, partial message recovery, signature compression (down to one-half size), and public key compression (down to one-third size), still without sacrificing security.^[5]

Variants without the hash function have been published in textbooks,^[12][13] crediting Rabin for exponent 2 but not for the use of a hash function. These variants are trivially broken—for example, the signature ${\displaystyle x=2}$  can be forged by anyone as a valid signature on the message ${\displaystyle m=4}$  if the signature verification equation is ${\displaystyle x^{2}\equiv m{\pmod {n}}}$  instead of ${\displaystyle x^{2}\equiv H(m,u){\pmod {n}}}$ .

In the original paper,^[1] the hash function ${\displaystyle H(m,u)}$  was written with the notation ${\displaystyle C(MU)}$ , with C for compression, and using juxtaposition to denote concatenation of ${\displaystyle M}$  and ${\displaystyle U}$  as bit strings:

By convention, when wishing to sign a given message, ${\displaystyle M}$ , [the signer] ${\displaystyle P}$  adds as suffix a word ${\displaystyle U}$  of an agreed upon length ${\displaystyle k}$ . The choice of ${\displaystyle U}$  is randomized each time a message is to be signed. The signer now compresses ${\displaystyle M_{1}=MU}$  by a hashing function to a word ${\displaystyle C(M_{1})=c}$ , so that as a binary number ${\displaystyle c\leq n}$ …

This notation has led to some confusion among some authors later who ignored the ${\displaystyle C}$  part and misunderstood ${\displaystyle MU}$  to mean multiplication, giving the misapprehension of a trivially broken signature scheme.^[14]

• Rabin–Williams signatures at cr.yp.to