Signature Scheme Using the Root Extraction Problem on Quaternions

The root extraction problem over quaternion rings modulo an RSA integer is defined, and the intractability of the problem is examined. A signature scheme is constructed based on the root extraction problem. It is proven that an adversary can forge a signature on a message if and only if he can extract the roots for some quaternion integers. The performance and other security related issues are also discussed.


Introduction
Cryptographic algorithms are important tools to resolve the security issues in open networks, amongst which the public key cryptographic schemes [1] may be the most powerful tool. In a public key cryptosystem, two separate keys are deployed. One key is kept secret and can be used to decrypt ciphertexts or sign messages, and the other key can be published and is used for encrypting plaintexts or verifying signatures. It is required that deriving the secret key from the public key be computationally infeasible. In public key cryptography, three categories of algorithms are widely used in network and information security engineering according to their functionalities, namely, key exchange protocols [2], public key encryption schemes [3], and digital signature schemes [4]. Key exchange protocols are used to establish shared keys between two communicating parties. A public key encryption algorithm allows the encryption key to be published without compromising the security of the decryption key and hence does not require securely initializing a shared key between sender and receiver. A digital signature scheme is used to create a digital signature on a message by using the secret key, so the authenticity of a message or document can be checked by using the public key to verify the validity of the signature.
It is striking to note that most of the widely used unbroken public key cryptosystems are based on number-theoretic intractability assumptions such as the integer factorization problem, the discrete logarithm problem over finite fields, and the elliptic curve discrete logarithm problem [1]. However, there is a strong desire to enrich the public key cryptographic toolkit so as not to put all application-oriented eggs in one cryptographic basket. So tremendous efforts have been made to develop public key cryptosystems from other problems. In particular, it seems a nice idea to introduce noncommutative algebraic structures [5][6][7][8][9][10][11][12][13] in the design of public key ciphers, in order to do away with the commutativity property shared by the widely used public key cryptosystems.
(ii) Some signature schemes [39][40][41] utilized nonstandard intractability assumptions. These newly defined mathematical problems were not fully studied, so if the underlying intractability assumption did not hold, these schemes would be insecure.
(iii) The intractability problems were not tightly used in the construction of the signature schemes [35], which makes it possible for an adversary to forge a signature on a message just by solving an easy problem rather than the underlying intractable problem [42,43].
In this paper, we propose a novel signature scheme from the root extraction problem defined on the quaternion ring modulo an RSA integer. Our proposal overcomes the flaws existing in the known signature schemes.
(i) The security is based on the root extraction problem over quaternions, which can be seen as a generalization of the standard RSA problem and of the quadratic residue problem modulo an RSA modulus. So the intractability assumption of our proposal is well established.
(ii) The security of the proposed signature scheme is tightly dependent on the root extraction problem over quaternion rings. Any adversary must solve the underlying intractability problem in order to successfully recover the secret key or forge a signature.
(iii) The proposal is provably secure. We prove that an adversary can forge a signature for a given message if and only if he can extract the -th root for a given quaternion number.
We also provide a thorough security scrutiny of the proposed signature scheme with respect to key recovery attacks and partial key exposure attacks. Performance analysis demonstrates that the proposal is efficient and practical.
The rest of the paper is organized as follows. In Section 2, we provide some preliminaries about the quaternion algebra, discuss the related root extraction problem, and provide the signature scheme. In Section 3, we analyze the proposal with respect to performance and security. Finally, we conclude the work in Section 4.

Proposal
We first review some definitions about quaternion algebra and then elaborate on the proposed signature scheme.

Notations.
Throughout this paper, we use R to denote the field of real numbers and the symbol Z to denote the ring of integers. For a positive integer  ∈ Z, the modular reduction of an integer  ∈ Z modulo  means the unique nonnegative least remainder  ∈ Z of  divided by  such that  ∈ Z  = {0, 1, . . . ,  − 1}, and we denote  =  (mod ). The greatest common divisor of two integers  and  is denoted by gcd(, ). We use Z*  to denote the set { ∈ Z  : gcd(, ) = 1}. For any integer  ∈ Z*  there exists a unique integer  ∈ Z* , called the modular inverse of  modulo , such that  = 1 (mod ), and we denote  = ^{-1} (mod ).

Arithmetic Operations on Quaternions.
The number system of quaternions is the extension of the number system of complex numbers. Formally, we denote the set of quaternions as
We define three operations on quaternions, namely, addition, scalar multiplication, and quaternion multiplication. For two
The quaternion multiplication is somewhat more complicated to define. We first define i^2 = j^2 = k^2 = ijk = −1 and then we can derive the following relations:
from which we can easily see that quaternion multiplication is noncommutative. So the product of a =  1 +  2 i +  3 j +  4 k and b =  1 +  2 i +  3 j +  4 k can be easily computed via
The norm and conjugate of a =  1 +  2 i +  3 j +  4 k are defined
For a positive integer  ∈ Z and a quaternion a =  1 +  2 i +  3 j +  4 k, we define a modulo  as a (mod ) =  1 (mod ) +  2 (mod ) i
Thus, we can define the set H  = {a (mod ) : a ∈ H}. We call a quaternion a invertible modulo  if and only if there exists a quaternion b such that ab = ba = 1 (mod ), and we denote b = a^{-1} (mod ). We use the symbol H*  to denote the set consisting of all the invertible quaternions in H . It is easy to verify that a quaternion a ∈ H  is invertible if and only if gcd(‖a‖, ) = 1. When gcd(‖a‖, ) = 1, the inverse of a modulo  is easy to compute; namely, a^{-1} = ‖a‖^{-2} a* (mod ), where ‖a‖^{-1} denotes the modular inverse of ‖a‖ modulo .
In this paper, we consider the case of  being an RSA modulus, namely,  =  being the product of two distinct large primes  and . From the above definitions, we can see that when  is relatively prime to () = ( − 1)( − 1), the -th root extraction problem over H  is a generalization of the RSA problem, which asks for the -th root  of a given integer  ∈ Z ; namely,  = ^{} (mod ). The quadratic root extraction problem over H  is a generalization of the quadratic residue problem, which is defined as finding an integer  ∈ Z  such that  = ^2 (mod ) for the given integer  ∈ Z . The quadratic residue problem is proven to be equivalent to the problem of factoring the modulus  in the construction of the Rabin public key cryptosystem [44]. We note that the RSA problem and the quadratic residue problem are widely believed to be intractable and have been widely used in the design of public key cryptographic primitives. So we conjecture that the -th root extraction problem over H  is also intractable.
We develop a new quaternion signature scheme in the sequel. To begin with, we first define three system parameters: the binary length  ∈ Z of the modulus , the binary length  ∈ Z of the hashed value of a message  ∈ {0, 1}*, and 2 ≤  ∈ Z. Typically, we set  = 1024,  = 160, and  = 3. We also define a hash function  which maps a message bit string of arbitrary length into a -bit-long string; namely,  : {0, 1}* → {0, 1}^{}. In this paper, we write a binary number as a string of symbols.

Key Generation.
The key generation algorithm runs as follows. Firstly, the signer randomly chooses two distinct /2-bit-long primes  and  and computes their product  = . Then, the signer randomly and uniformly chooses two quaternions b ∈ H  and r ∈ H*  and computes a = r b^{} r^{-1} (mod ). Finally, the signer publishes the public key as (a, , , ) and keeps the secret key as (b, r^{-1}).

Signature.
To sign a message , the signer firstly computes the hashed value of ; namely, ℎ = (). Then, the signer randomly and uniformly chooses a quaternion s ∈ H*  and computes t = s r^{-1} (mod ) and u = s b^{ℎ} s^{-1} (mod ). Finally, the signer sends (t, u) to the verifier as the signature on the message .

Verification.
Upon receiving the signature (t, u), the verifier firstly computes ℎ = () and k = a^{ℎ} (mod ). Then, the verifier decides whether or not the equation u^{} = t k t^{-1} (mod ) is satisfied. If the equation is satisfied, the verifier accepts (t, u) as a valid signature on the message . Otherwise, the verifier refuses to accept (t, u) as a valid signature on .

Why Verification Works.
We explain why a valid signature (t, u) on the message  can pass the verification equation u^{} = t k t^{-1} (mod ). Note that
So a valid signature (t, u) on the message  can pass the verification process.
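As an added example (not code from the paper), the following toy Python implementation carries out the key generation, signing and verification steps above over H modulo n, using the square-and-multiply exponentiation discussed in the performance section. It assumes toy-size primes, a sum-of-squares norm, and SHA-256 truncated to 160 bits as the hash H; the names qmul, qinv, qpow, rand_q, keygen, sign and verify are our own.

```python
import hashlib
import secrets
from math import gcd

# Quaternion = tuple (a1, a2, a3, a4) for a1 + a2 i + a3 j + a4 k over Z_n.
def qmul(x, y, n):
    """Hamilton product mod n; noncommutative (i*j = k but j*i = -k)."""
    a1, a2, a3, a4 = x
    b1, b2, b3, b4 = y
    return ((a1*b1 - a2*b2 - a3*b3 - a4*b4) % n,
            (a1*b2 + a2*b1 + a3*b4 - a4*b3) % n,
            (a1*b3 - a2*b4 + a3*b1 + a4*b2) % n,
            (a1*b4 + a2*b3 - a3*b2 + a4*b1) % n)
def qnorm(x):
    return sum(c * c for c in x)          # sum of squares (our convention)
def qinv(x, n):
    """x^-1 = N(x)^-1 * conj(x) mod n; exists iff gcd(N(x), n) = 1."""
    ninv = pow(qnorm(x), -1, n)
    return tuple((ninv * c) % n for c in (x[0], -x[1], -x[2], -x[3]))
def qpow(x, k, n):
    """Square-and-multiply (powers of one quaternion commute with each other)."""
    result, base = (1, 0, 0, 0), x
    while k:
        if k & 1:
            result = qmul(result, base, n)
        base = qmul(base, base, n)
        k >>= 1
    return result
def rand_q(n, invertible=False):
    """Uniform element of H_n, or of H_n^* when invertible=True."""
    while True:
        x = tuple(secrets.randbelow(n) for _ in range(4))
        if not invertible or gcd(qnorm(x), n) == 1:
            return x
def hash_msg(m, ell=160):                 # SHA-256 truncated to ell bits stands in for H
    return int.from_bytes(hashlib.sha256(m).digest(), "big") >> (256 - ell)

def keygen(p, q, e=3):
    n = p * q                             # toy primes here; real use needs RSA size
    b, r = rand_q(n), rand_q(n, invertible=True)
    a = qmul(qmul(r, qpow(b, e, n), n), qinv(r, n), n)   # a = r b^e r^-1
    return (a, n, e), (b, r)              # (public key, secret key)

def sign(m, pub, priv):
    (_, n, _), (b, r) = pub, priv
    s = rand_q(n, invertible=True)        # fresh blinding quaternion per signature
    t = qmul(s, qinv(r, n), n)            # t = s r^-1
    u = qmul(qmul(s, qpow(b, hash_msg(m), n), n), qinv(s, n), n)  # u = s b^h s^-1
    return t, u

def verify(m, pub, sig):
    (a, n, e), (t, u) = pub, sig
    k = qpow(a, hash_msg(m), n)           # k = a^h
    return qpow(u, e, n) == qmul(qmul(t, k, n), qinv(t, n), n)  # u^e == t k t^-1
```

Because u^e = s b^{eh} s^-1 and t k t^-1 = s r^-1 (r b^e r^-1)^h r s^-1 collapse to the same quaternion, verification passes for an honest signature and fails once the hashed message changes.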

Security.
We analyze the security of the proposed quaternion signature scheme.

Key Security.
The secret key of the proposed signature scheme consists of b ∈ H  and r ∈ H* . We have the following result with respect to the key security.
Theorem 2. Any adversary can recover the secret key (b, r) from the public key (a, , , ) if and only if he can extract the -th root for a ∈ H .
Proof. We first prove the sufficiency of the theorem. Assume that the adversary can extract the -th root for a ∈ H , and we denote it as c ∈ H ; namely, c^{} = a (mod ). Then, we randomly choose r ∈ H*  and compute b = r^{-1} c r (mod ). Then, (b, r) can serve as the secret key of the proposed signature scheme; namely, b and r satisfy a = r b^{} r^{-1} (mod ). This is because
Then, we prove the necessity of the theorem. We assume that the adversary recovers the secret key (b, r). So b and r satisfy a = r b^{} r^{-1} (mod ); namely, a = r b^{} r^{-1} = (r b r^{-1})^{} (mod ), from which we immediately derive an -th root r b r^{-1} (mod ) ∈ H  for a ∈ H .
Theorem 3. Assume that there exists a polynomial-time algorithm A to break the key security of the proposed quaternion signature scheme. Then for any quaternion a ∈ H  that has an -th root in H , there exists a polynomial-time algorithm B to determine the -th root of a.
Proof. We want to construct a polynomial-time algorithm B such that, given the input (a, , ), the algorithm B outputs the -th root for a ∈ H . To do this, we just need to show that we can derive a public key from (a, , ) and then access the algorithm A to recover the corresponding secret key. We denote the -th root of a ∈ H  as c ∈ H ; namely, c^{} = a (mod ), and  is a hash function. Thus, we randomly choose r ∈ H* , and from the proof of Theorem 2 we know that b = r^{-1} c r (mod ) and r can serve as the secret key of the signature scheme with the corresponding public key (a, , , ). So the algorithm B runs as follows. Firstly, B defines a hash function ; then the algorithm B feeds the public key (a, , , ) into the algorithm A to obtain the output (b, r) from the algorithm A. Finally, the algorithm B computes and outputs r b r^{-1} (mod ) ∈ H . It can be easily verified that r b r^{-1} (mod ) is an -th root of a and that the algorithm B can be carried out in polynomial time.
The above theorems say that if the adversary can break the key security of the proposed signature scheme, the adversary can also solve a random instance of the -th root extraction problem over H , which seems computationally intractable.

Partial Key Exposure Attacks.
We discuss the attacks assuming that the adversary knows the quaternion b or r. If the adversary knows the quaternion r, the adversary can get b^{} = r^{-1} a r (mod ). So the adversary needs to compute the -th root of the quaternion r^{-1} a r ∈ H  to derive b, which seems computationally impossible. We also have the following result.
Proof. Note that the secret keys b and r satisfy a = r b^{} r^{-1} (mod ). So we have gcd(‖r‖, ) = 1. Then, for an integer  ∈ Z* , if we denote r  = r (mod ), we must have gcd(‖r‖, ) = gcd(‖r‖, ). Note that Z*  has () = ( − 1)( − 1) distinct integers, so we conclude that there exist at least () = ( − 1)( − 1) quaternions r ∈ H*  such that a = r b^{} r^{-1} (mod ).
If the adversary knows b, we know that a r = r b^{} (mod ), from which the adversary can obtain four linear congruences modulo  by equating the constant terms and the coefficients of i, j, and k. Thus, the adversary solves the linear congruences by using, for example, Gaussian elimination to obtain the coefficients of the quaternion r, which only costs O(log^3  ^2) bit operations.
The above theorem says that we must keep b secret. Otherwise, the adversary can retrieve the whole secret key in polynomial time.
3.1.3. Signature Forgery Attacks.
Given a message , we discuss the difficulty for the adversary to forge a signature (u, t) on the message  such that the signature (u, t) can pass the verification equation u^{} = t k t^{-1} (mod ).
Theorem 5. An adversary can produce a signature (u, t) on a given message  if and only if he can extract the -th root for k = a^{ℎ} = a^{()} (mod ).
So (u, t) can pass the verification equation u^{} = t k t^{-1} (mod ); namely, a valid signature (u, t) on the message  is forged.
Then, we prove the necessity. If the adversary forges a signature (u, t) on a given message  satisfying u^{} = t k t^{-1} (mod ), then k = t^{-1} u^{} t = (t^{-1} u t)^{} (mod ). Thus, an -th root t^{-1} u t (mod ) is determined for the quaternion k ∈ H .
The above theorem says that there is only one way for the adversary to forge a signature (u, t) for a given message , that is, to extract the -th root for the quaternion k = a^{ℎ} = a^{()} (mod ). However, the -th root extraction problem over H  is assumed to be intractable. So it is computationally infeasible to forge a signature for a given message.

Performance.
We analyze performance-related issues.

Quaternion Modular Exponentiation Operation.
In the proposed signature scheme, quaternion modular exponentiations are often used. For example, in the signature generation algorithm, we need to compute b^{ℎ} (mod ), and in the verification algorithm we also need to compute k = a^{ℎ} (mod ). The quaternion modular exponentiation can be performed via a square-and-multiply approach. To illustrate, we let the binary representation of ℎ be ℎ
This is because
Therefore, to compute b^{ℎ} (mod ) we firstly need to do ( − 1) quaternion modular multiplications to compute b  and then on average /2 quaternion modular multiplications to compute ∏ ℎ  =1 b  (mod ). The quaternion modular exponentiation b^{ℎ} (mod ) needs about 3/2 quaternion modular multiplications.
3.4. Computational Costs.
We consider the computational costs for signing a message and verifying a signature.
In the signature generation phase, we need to do the computations t = s r^{-1} (mod ) and u = s b^{ℎ} s^{-1} (mod ) (here we ignore the computationally inexpensive hash operations), which are equivalent to 3 quaternion modular multiplications and one quaternion modular exponentiation. According to the aforementioned analysis, the total computation is equivalent to about 3 + 3/2 quaternion modular multiplications. Recall the quaternion modular multiplication from Section 2.2: one quaternion modular multiplication costs about 16 modular multiplications. We note that modular multiplication modulo  has quadratic complexity; namely, O(log^2  ^2) = O(^2). So the computational complexity of the signature scheme is O(^2).
In the verification process, we need to compute k = a^{ℎ} (mod ) (a quaternion modular exponentiation), u^{} (mod ) (two quaternion modular multiplications according to the square-and-multiply approach; namely, u_1 = u^2 (mod ) and u^{} = u^3 = u_1 u (mod )), and t k t^{-1} (mod ) (two quaternion modular multiplications). So the computational cost is about 4 + 3/2 quaternion modular multiplications. Therefore, the computational complexity of the verification algorithm is also O(^2).

Conclusion
In this paper, a quaternion signature scheme was proposed based on the root extraction problem defined over quaternion algebraic structures. The signature scheme only performs O(^2) bit operations to sign a message and to verify a signature, and hence the proposal is practical. We showed that the key security is equivalent to a random instance of the -th root extraction problem defined over H , and the signature forgery security is equivalent to extracting the -th root for the quaternion k = a^{ℎ} = a^{()} (mod ). Hence, our proposal satisfies some provable security goals.

Theorem 4.
There exist at least () = ( − 1)( − 1) quaternions r ∈ H*  such that a = r b^{} r^{-1} (mod ). If the adversary knows b ∈ H , there exists an algorithm A to compute such an r at the cost of O(log^3  ^2) bit operations.

we firstly set b_0 = b and compute b  = b_{−1}^{2} = b^{2^{}} (mod ) for  = 1, . . . ,  − 1. Then, we compute b

Problem over H .
We define the -th root extraction problem over H .
Definition 1 (the -th root extraction problem over H ). Given two positive integers  ∈ Z and 2 ≤  ∈ Z and a quaternion a ∈ H , the -th root extraction problem over H  is defined as finding a quaternion b ∈ H , if any, such that b^{} = a (mod ). In particular, when  = 2, the problem is called the quadratic root extraction problem over H .