Rabin signature algorithm

In cryptography, the Rabin signature algorithm is a method of digital signature originally published by Michael O. Rabin in 1979.^[1][2]

The Rabin signature algorithm was one of the first digital signature schemes proposed. By using a trapdoor function with a hash of the message rather than with the message itself, in contrast to earlier proposals of one-time hash-based signatures or trapdoor-based signatures without hashing,^[3][4] Rabin's was the first published design to meet what is now the modern standard of security for digital signatures for more than one message, existential unforgeability under chosen-message attack.^[5]

Rabin signatures resemble RSA signatures with exponent ${\displaystyle e=2}$, but this leads to qualitative differences that enable more efficient implementation^[5] and a security guarantee relative to the difficulty of integer factorization,^[1][2][6] which has not been proven for RSA. However, Rabin signatures have seen relatively little use or standardization outside IEEE P1363^[7] in comparison to RSA signature schemes such as RSASSA-PKCS1-v1_5 and RSASSA-PSS.

The Rabin signature scheme is parametrized by a randomized hash function ${\displaystyle H(m,u)}$ of a message ${\displaystyle m}$ and ${\displaystyle k}$-bit randomization string ${\displaystyle u}$.

Public key

A public key is a pair of integers ${\displaystyle (n,b)}$ with ${\displaystyle 0\le b<n}$ and ${\displaystyle n}$ odd. ${\displaystyle b}$ is chosen arbitrarily and may be a fixed constant.

Signature

A signature on a message ${\displaystyle m}$ is a pair ${\displaystyle (u,x)}$ of a ${\displaystyle k}$-bit string ${\displaystyle u}$ and an integer ${\displaystyle x}$ such that $${\displaystyle x(x+b)\equiv H(m,u)(\mathrm{mod}n).}$$

Private key

The private key for a public key ${\displaystyle (n,b)}$ is the secret odd prime factorization ${\displaystyle p\cdot q}$ of ${\displaystyle n}$, chosen uniformly at random from some large space of primes.

Signing a message

To make a signature on a message ${\displaystyle m}$ using the private key, the signer starts by picking a ${\displaystyle k}$-bit string ${\displaystyle u}$ uniformly at random, and computes ${\displaystyle c:=H(m,u)}$. Let ${\displaystyle d=(b/2)modn}$. If ${\displaystyle c+d^2}$ is a quadratic nonresidue modulo ${\displaystyle n}$, the signer starts over with an independent random ${\displaystyle u}$.^{[1]: p. 10} Otherwise, the signer computes $${\displaystyle \begin{array}{cc}{x}_p& :=(-d\pm \sqrt{c+d^2})modp,\\ x_q& :=(-d\pm \sqrt{c+d^2})modq,\end{array}}$$ using a standard algorithm for computing square roots modulo a prime—picking ${\displaystyle p\equiv q\equiv 3(\mathrm{mod}4)}$ makes it easiest. Square roots are not unique, and different variants of the signature scheme make different choices of square root;^[5] in any case, the signer must ensure not to reveal two different roots for the same hash ${\displaystyle c}$. ${\displaystyle x_p}$ and ${\displaystyle x_q}$ satisfy the equations $${\displaystyle \begin{array}{cc}{x}_p(x_p+b)& \equiv H(m,u)(\mathrm{mod}p),\\ x_q(x_q+b)& \equiv H(m,u)(\mathrm{mod}q).\end{array}}$$ The signer then uses the Chinese remainder theorem to solve the system $${\displaystyle \begin{array}{cc}x& \equiv x_p(\mathrm{mod}p),\\ x& \equiv x_q(\mathrm{mod}q),\end{array}}$$ for ${\displaystyle x}$, so that ${\displaystyle x}$ satisfies $${\displaystyle x(x+b)\equiv H(m,u)(\mathrm{mod}n)}$$ as required. The signer reveals ${\displaystyle (u,x)}$ as a signature on ${\displaystyle m}$.

The number of trials for ${\displaystyle u}$ before ${\displaystyle x(x+b)\equiv H(m,u)(\mathrm{mod}n)}$ can be solved for ${\displaystyle x}$ is geometrically distributed with an average around 4 trials, because about 1/4 of all integers are quadratic residues modulo ${\displaystyle n}$.

Security against any adversary defined generically in terms of a hash function ${\displaystyle H}$ (i.e., security in the random oracle model) follows from the difficulty of factoring ${\displaystyle n}$: Any such adversary with high probability of success at forgery can, with nearly as high probability, find two distinct square roots ${\displaystyle x_1}$ and ${\displaystyle x_2}$ of a random integer ${\displaystyle c}$ modulo ${\displaystyle n}$. If ${\displaystyle x_1\pm x_2\equiv ̸0(\mathrm{mod}n)}$ then ${\displaystyle \gcd (x_1\pm x_2,n)}$ is a nontrivial factor of ${\displaystyle n}$, since ${\displaystyle {x_1}^2\equiv {x_2}^2\equiv c(\mathrm{mod}n)}$ so ${\displaystyle n\mid {x_1}^2-{x_2}^2=(x_1+x_2)(x_1-x_2)}$ but ${\displaystyle n\nmid x_1\pm x_2}$.^[2] Formalizing the security in modern terms requires filling in some additional details, such as the codomain of ${\displaystyle H}$; if we set a standard size ${\displaystyle K}$ for the prime factors, ${\displaystyle 2^{K-1}<p<q<2^K}$, then we might specify ${\displaystyle H:\{0,1{\}}^{*}\times \{0,1{\}}^k\to \{0,1{\}}^K}$.^[6]

Randomization of the hash function was introduced to allow the signer to find a quadratic residue, but randomized hashing for signatures later became relevant in its own right for tighter security theorems^[2] and resilience to collision attacks on fixed hash functions.^[8][9][10]

The quantity ${\displaystyle b}$ in the public key adds no security, since any algorithm to solve congruences ${\displaystyle x(x+b)\equiv c(\mathrm{mod}n)}$ for ${\displaystyle x}$ given ${\displaystyle b}$ and ${\displaystyle c}$ can be trivially used as a subroutine in an algorithm to compute square roots modulo ${\displaystyle n}$ and vice versa, so implementations can safely set ${\displaystyle b=0}$ for simplicity; ${\displaystyle b}$ was discarded altogether in treatments after the initial proposal.^{[11][2][7][5]} After removing ${\displaystyle b}$, the equations for ${\displaystyle x_p}$ and ${\displaystyle x_q}$ in the signing algorithm become:$${\displaystyle \begin{array}{cc}{x}_p& :=\pm \sqrt{c}modp,\\ x_q& :=\pm \sqrt{c}modq.\end{array}}$$

The Rabin signature scheme was later tweaked by Williams in 1980^[11] to choose ${\displaystyle p\equiv 3(\mathrm{mod}8)}$ and ${\displaystyle q\equiv 7(\mathrm{mod}8)}$, and replace a square root ${\displaystyle x}$ by a tweaked square root ${\displaystyle (e,f,x)}$, with ${\displaystyle e=\pm 1}$ and ${\displaystyle f\in \{1,2\}}$, so that a signature instead satisfies $${\displaystyle ef{x}^2\equiv H(m,u)(\mathrm{mod}n),}$$ which allows the signer to create a signature in a single trial without sacrificing security. This variant is known as Rabin–Williams.^[5][7]

Further variants allow tradeoffs between signature size and verification speed, partial message recovery, signature compression (down to one-half size), and public key compression (down to one-third size), still without sacrificing security.^[5]

Variants without the hash function have been published in textbooks,^[12][13] crediting Rabin for exponent 2 but not for the use of a hash function. These variants are trivially broken—for example, the signature ${\displaystyle x=2}$ can be forged by anyone as a valid signature on the message ${\displaystyle m=4}$ if the signature verification equation is ${\displaystyle x^2\equiv m(\mathrm{mod}n)}$ instead of ${\displaystyle x^2\equiv H(m,u)(\mathrm{mod}n)}$.

In the original paper,^[1] the hash function ${\displaystyle H(m,u)}$ was written with the notation ${\displaystyle C(MU)}$, with C for compression, and using juxtaposition to denote concatenation of ${\displaystyle M}$ and ${\displaystyle U}$ as bit strings:

By convention, when wishing to sign a given message, ${\displaystyle M}$, [the signer] ${\displaystyle P}$ adds as suffix a word ${\displaystyle U}$ of an agreed upon length ${\displaystyle k}$. The choice of ${\displaystyle U}$ is randomized each time a message is to be signed. The signer now compresses ${\displaystyle M_1=MU}$ by a hashing function to a word ${\displaystyle C(M_1)=c}$, so that as a binary number ${\displaystyle c\le n}$…

This notation has led to some confusion among some authors later who ignored the ${\displaystyle C}$ part and misunderstood ${\displaystyle MU}$ to mean multiplication, giving the misapprehension of a trivially broken signature scheme.^[14]

• Rabin–Williams signatures at cr.yp.to