
MINISTRY OF EDUCATION AND TRAINING

MINISTRY OF NATIONAL DEFENCE

ACADEMY OF MILITARY SCIENCE AND TECHNOLOGY

HOANG THI MAI

DEVELOPING SEVERAL DIGITAL SIGNATURE
SCHEMES BASED ON THE RABIN CRYPTOSYSTEM
AND THE RSA CRYPTOSYSTEM
Speciality: Mathematical Foundation for Informatics
Code: 9 46 01 10

SUMMARY OF PhD THESIS IN MATHEMATICS

HA NOI – 2019


This thesis has been completed at:

ACADEMY OF MILITARY SCIENCE AND TECHNOLOGY

Scientific Supervisors:
1. Dr. Nguyen Huu Mong
2. Dr. Ngo Trong Mai

Reviewer 1: Assoc. Prof. Dr. Le My Tu
Academy of Cryptography Techniques


Reviewer 2: Assoc. Prof. Dr. Nguyen Linh Giang
Hanoi University of Science and Technology

Reviewer 3: Dr. Thai Trung Kien
Academy of Military Science and Technology

The thesis was defended before the Academy-level Doctoral Evaluation Council,
held at the Academy of Military Science and Technology at
............ on......

The thesis can be found at:
- Library of Academy of Military Science and Technology
- Vietnam National library



INTRODUCTION
1. The necessity of the topic
Recently, the application of digital signatures to digital transactions in Vietnam
has been developing. This progress is the result of improved infrastructure
and an improved legal framework. On infrastructure, according to the white
paper Information Technology and Media of Vietnam 2017, the fixed bandwidth of
Internet subscription in Vietnam is the lowest worldwide, at 1/139 countries [1]. The
number of Internet users had reached 50 million by 2016. On the legal framework, the digital
transaction law in force from 2015 legalized digital transactions, placing them on the same
footing as those conducted with paper documents and ordinary signatures.
In the field of digital signatures, the body of legal documents is improving,
alongside an increasing number of Certificate Authorities. After the
establishment of the National Electronic Authentication Center in 2008, there were 9
enterprises licensed to provide public signature-verifying services to organizations
and individuals. Although rapid development is recent, the
practicability is great and digital signatures play an indispensable role in digital trade
in Vietnam.
In such a situation, researching and improving the effectiveness of signature
schemes and constructing new schemes is necessary and meaningful, both academically and
practically.
2. Research target
− The target of this thesis is to construct a public-key system for applications in
digital trade, such as the submission of files to public administration services. These
activities involve information sent from many to one; therefore, authenticating
signature validity in large volume is required. As a result, a signature-verifying
algorithm that consumes little time needs to be applied.
− The basis for developing new signature schemes in this thesis is the RSA
cryptosystem and the Rabin cryptosystem. This thesis proves that the suggested
schemes have security and time cost that meet the practicability requirement
targeted by the thesis.

3. Object and domain of the research
Research object
− The research object of the thesis is security systems and basic
cryptosystems; schemes that have low verifying cost: RSA, Rabin, DSA,
ECDSA,...
Research domain
The thesis focuses on problems related to developing signature schemes based on
the RSA cryptosystem and the Rabin cryptosystem.
4. Research content
This thesis focuses on researching signature schemes based on the RSA
cryptosystem, which is in turn based on hard problems of number theory.
The research results are presented in four publications. The main results are:
− Studying basic digital signature systems based on hard problems of number
theory: the number factorization problem, the discrete logarithm problem, the elliptic curve
discrete logarithm problem.
− Proposing signature schemes that develop the Rabin digital signature.
− Proposing a signature scheme as a combination of RSA and Rabin.
5. Research method
The research is conducted as follows:
− Referring to scientific publications, books, documents and scientific reports on
cryptography, especially on digital signatures.
− Using mathematical tools of number theory to construct the algorithms for the proposed
schemes.
− Using the theory of algorithmic complexity to assess the security and time cost of
the proposed signature schemes.
6. Scientific and practical value
Scientifically, the thesis proposes some new signature schemes that develop
the Rabin cryptosystem, as well as combine the RSA cryptosystem and the Rabin
cryptosystem. The new schemes remedy the shortcomings of the old ones, have security
guaranteed by hard problems of number theory and a low time cost for verifying
signatures.
Practically, the new signature schemes proposed in the thesis can be applied in
transactions of “many-one” type in digital signature applications of digital
government and digital trade.
7. Structure of the thesis

The thesis includes an introduction, 04 chapters, the conclusion and developing
strategies, scientific publications and references.
CHAPTER 1. OVERVIEW OF DIGITAL SIGNATURE AND
DEVELOPING STRATEGIES
1.1. Digital signature schemes
This part gives some definitions.
1.2. Several signature schemes
In public-key signature schemes, for each chosen pair of keys, the difficulty of calculating
the secret key from the public one is guaranteed by a hard problem. These problems are:
− Factorization Problem, whose difficulty guarantees the security of the RSA
cryptosystem and the RSA digital signature.
− Discrete Logarithm Problem. The difficulty of this problem guarantees the security
of the ElGamal public-key system and digital signature, as well as other signature
systems such as DSA (Digital Signature Algorithm).
− Elliptic Curve Discrete Logarithm Problem, whose difficulty guarantees the
security of crypto.
In this chapter, the thesis presents four basic signature schemes that directly affect
the research topic of the thesis - the RSA scheme, the Rabin scheme and Rabin-Williams
scheme, the DSA scheme and the ECDSA scheme.
1.3 Time cost of arithmetic operations on $Z_n$
In this section, the thesis presents the time cost of several algorithms that
perform arithmetic calculations.
1.4 Evaluating the time cost of verifying several signature schemes
This section evaluates the verifying cost of the RSA scheme, the
Rabin scheme and Rabin-Williams scheme, the DSA scheme and the ECDSA scheme.
Finally, the conclusion is given:




Clause 1.1. Among the standardized signature schemes with the input parameters
given in table 1.3, the Rabin scheme has the lowest signature-verifying cost.
1.5. Practicability and research strategy of the topic
In section 1.4, clause 1.1, we conclude: “Among the standardized signature
schemes with the input parameters given in table 1.3, the Rabin scheme has the
lowest signature-verifying cost.”
The target of this thesis is to develop signature schemes that have a small time cost
for verifying, to be used in digital trade of “many-one” type. Accordingly,
the research strategy of the thesis focuses on developing the Rabin
scheme and the RSA scheme with small exponent e.
Studying the Rabin scheme, we find that since its introduction this scheme has
been the subject of countless follow-up studies: extending the usable modulus, developing the
signature algorithm, extending the cases of exponent e (e=3),...
On extending the usable modulus in the Rabin scheme, several publications can be
named, such as those of L. Harn and T. Kiesler [14], of Kaoru Kurosawa and Wakaha
Ogata [15], of M. Elia - M. Piva - D. Schipani [16],... Notable among them is the
contribution of M. Elia, M. Piva and D. Schipani in 2013, which constructs a
Rabin-style cryptosystem with modulus n as the product of two random primes,
using the Dedekind sum instead of the Jacobi symbol.
On improving the signature algorithm of the Rabin scheme, Williams
published the Rabin-Williams scheme [4]. This scheme requires only a single Jacobi
symbol computation in the signature algorithm, while the Rabin scheme requires four. In
their 1989 publication, L. Harn and T. Kiesler [14] combined the square root and
Jacobi symbol to develop the signature algorithm in Rabin. M. Elia - M. Piva - D.
Schipani [16] used the Dedekind sum instead of the Jacobi symbol in the signature algorithm.
On extending exponent e, specifically using the exponent 3 instead of
2, there are publications of Williams [17], J. H. Loxton, David S. P. Khoo, Gregory
J. Bird and Jennifer Seberry in 1992 [18], R. Scheidler [19] in 1998,…
After studying the relevant scientific publications, the thesis settles on two
research strategies:



● The first strategy: improving and developing the Rabin scheme. The thesis
improves the calculating cost for signing by not calculating the value of the
Jacobi symbol, and develops the Rabin digital signature with exponent
e=3.
● The second strategy: combining the design principles of the Rabin and RSA
schemes to propose several schemes with small exponent, e=3 in particular.
According to the exponent e, the RSA-type schemes can be divided into three types:
● Type 1: signature schemes with modulus n=p.q and $\gcd(e, \phi(n)) = 1$,
which means e is coprime with both (p-1) and (q-1).
● Type 2: signature schemes with modulus n=p.q in which (p-1) and (q-1) are
both multiples of e.
● Type 3: signature schemes with modulus n=p.q in which (p-1) is a multiple of e,
while (q-1) is coprime with e.
Clearly, the RSA scheme is of the first type, as exponent e satisfies $\gcd(e, \phi(n)) = 1$.
The Rabin scheme is of the second type, as e=2 is a divisor of both (p-1) and (q-1).
The thesis proposes new schemes of types 2 and 3 above for small exponent
e. In chapter 2, the thesis proposes a type-2 scheme, in which both (p-1) and (q-1) are
multiples of either e=2 or e=3. In chapter 3, the thesis proposes a type-3 scheme,
a combination of Rabin and RSA, in which (p-1) is a
multiple of e while (q-1) is coprime with e, for e=3 in particular.
1.6 Conclusion of chapter 1
In this chapter, the thesis presents basic terms and definitions that are directly
related to the research topic. An important part of this chapter is the calculation
of the time cost of verifying algorithms and the proof that, among the standardized
signature schemes, the Rabin scheme has the lowest verifying cost. This is a vital
basis for the research when proposing signature schemes for digital trade of “many-one”
type. By analyzing and synthesizing outstanding publications, the first chapter
points out the research strategy of the thesis: developing signature schemes based
on the RSA and Rabin cryptosystems.

CHAPTER 2. IMPROVEMENT AND DEVELOPMENT OF RABIN
SIGNATURE SCHEME
2.1 Introduction
In this chapter, the thesis proposes two signature schemes improved from the
Rabin scheme and one scheme developed from the Rabin scheme with e=3. The first improved
scheme, denoted as RW0, improves the signing algorithm by not calculating the Jacobi
symbol. The second improved scheme, denoted as R0, is a brand-new scheme, in
which the moduli are used half as much as in the Rabin scheme, with verifying cost no
higher than the original, while the signing algorithm does not calculate the Jacobi
symbol. The scheme developed from Rabin, denoted as PCRS, has exponent e=3,
and e is a divisor of both p-1 and q-1. This scheme has a verifying algorithm that
requires a single modular cubing, and a signing algorithm that does not
calculate the Jacobi symbol.
2.2 Mathematical base
In this section, the thesis summarizes and rearranges some of the results in
number theory extracted from [11] and some auxiliary results related to the content
of chapter two.
2.3 RW0 signature scheme
In this section, the thesis presents a signature scheme, denoted as RW0. This
scheme improves the RW signing algorithm by not calculating the
Jacobi symbol.
2.3.1 RW0 signature Scheme
a) System parameters:
Integer n = p.q with $p, q \equiv 3 \pmod 4$, $p \not\equiv q \pmod 8$ and $c = q \cdot (q^{-1} \bmod p)$.
A parameter d is also added, defined by the following formula:
$d = (c \cdot (d_p - d_q) + d_q) \bmod n$ (2.22)
with
$d_p = 2^{(p+1)/4} \bmod p$ and $d_q = 2^{(q+1)/4} \bmod q$.
The secret key is (n, p, q, c, d) and the public key is n.
Hash function: $Hash: \{0,1\}^{\infty} \to \{0,1\}^{h}$. (2.23)
Message format function $f: \{0,1\}^{k} \times \{0,1\}^{h} \to Z_n^{*}$: for all $R \in \{0,1\}^{k}$ and $H \in \{0,1\}^{h}$:
$f(R, H) = Code(H) + Code(Hash(R\|H)) \cdot 2^{h} + Code(R) \cdot 2^{2h} + 2^{\lceil \log_2 n \rceil - 1}$ (2.24)
with
$k + 2h < \log_2 n - 8$ (2.25)
and
$Code(x_0 x_1 \ldots x_{t-1}) = x_0 2^{t-1} + x_1 2^{t-2} + \cdots + x_{t-1}$ (2.26)

b) RW0 signing algorithm:
Algorithm 2.3 – RW0 Signing Algorithm
INPUT: m, (n, p, q, c, d):
$m \in \{0,1\}^{\infty}$ is the message to be signed.
(n, p, q, c, d) is the signer's secret key.
OUTPUT: $(R, s) \in \{0,1\}^{k} \times Z_n^{*}$ with 0 ≤ s < n/2 is the signature of the holder of (n, p,
q, c, d).
1. Choose R randomly in $\{0,1\}^{k}$;
2. v ← f(R, Hash(m));
3. $s_p \leftarrow v^{(p+1)/4} \bmod p$;
4. $s_q \leftarrow v^{(q+1)/4} \bmod q$;
5. $s \leftarrow (c \cdot (s_p - s_q) + s_q) \bmod n$;
6. $u \leftarrow s^2 \bmod n$;
7. if u ∉ {v, n – v} then s ← d.s mod n;
8. s ← min(s, n – s);
9. return (R,s);
c) RW0 verifying algorithm:
Algorithm 2.4 – RW0 Verifying Algorithm
INPUT: m, (R, s), n
$m \in \{0,1\}^{\infty}$ is the message to be signed.
(R,s) is the signature on m.
n is the signer’s public key.
OUTPUT: Accept ∈ {0,1}; the signature (R,s) is accepted as valid if
and only if Accept = 1.
1. if $s \notin [0, \frac{n-1}{2}]$ then Accept ← 0; go to 5;
2. v ← f(R, Hash(m));
3. $u \leftarrow s^2 \bmod n$;
4. if u ∈ {v, n – v, 2v, n – 2v} then Accept ← 1;
else Accept ← 0;
5. return Accept.
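Algorithms 2.3 and 2.4 can be exercised end to end with the following Python sketch. It is an added example, not code from the thesis; the sizes k = 64 and h = 256, SHA-256 as Hash, the 320-bit primes and all function names are assumptions made for the illustration.

```python
import hashlib
import secrets

K_BITS, H_BITS = 64, 256   # assumed k and h; (2.25) needs k + 2h < log2(n) - 8
PRIME_BITS = 320           # assumed prime size: n has 640 bits, 64 + 512 < 632


def is_probable_prime(n, rounds=24):
    """Miller-Rabin test with random bases."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    r, d = 0, n - 1
    while d % 2 == 0:
        r, d = r + 1, d // 2
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(residue_mod_8):
    """Random prime in the given class mod 8 with its two top bits set."""
    c = secrets.randbits(PRIME_BITS) | (3 << (PRIME_BITS - 2))
    c += (residue_mod_8 - c) % 8
    while not is_probable_prime(c):
        c += 8
    return c


def keygen():
    p, q = random_prime(3), random_prime(7)   # p, q = 3 (mod 4), p != q (mod 8)
    n = p * q
    c = q * pow(q, -1, p)
    d_p, d_q = pow(2, (p + 1) // 4, p), pow(2, (q + 1) // 4, q)
    d = (c * (d_p - d_q) + d_q) % n           # formula (2.22)
    return (n, p, q, c, d), n


def code(bits):
    return int.from_bytes(bits, "big")        # formula (2.26)


def f(R, H, n):
    """Message format function (2.24); the top bit keeps v in (n/2, n)."""
    inner = hashlib.sha256(R + H).digest()
    return (code(H) + (code(inner) << H_BITS) + (code(R) << (2 * H_BITS))
            + (1 << (n.bit_length() - 1)))


def sign(m, sk, trace=None):
    """Algorithm 2.3. `trace` (hypothetical) records whether step 7 fired."""
    n, p, q, c, d = sk
    R = secrets.token_bytes(K_BITS // 8)
    v = f(R, hashlib.sha256(m).digest(), n)
    s_p = pow(v, (p + 1) // 4, p)
    s_q = pow(v, (q + 1) // 4, q)
    s = (c * (s_p - s_q) + s_q) % n
    used_d = pow(s, 2, n) not in (v, n - v)   # replaces the Jacobi symbol test
    if used_d:
        s = d * s % n                         # now s^2 = +-2v (mod n)
    if trace is not None:
        trace.append(used_d)
    return R, min(s, n - s)


def verify(m, sig, n):
    """Algorithm 2.4, with 2v and n - 2v reduced mod n."""
    R, s = sig
    if not 0 <= s <= (n - 1) // 2:
        return False
    v = f(R, hashlib.sha256(m).digest(), n)
    u = s * s % n
    return u in (v, n - v, 2 * v % n, (n - 2 * v) % n)


if __name__ == "__main__":
    sk, pk = keygen()
    print(verify(b"file-001", sign(b"file-001", sk), pk))
```

Signing costs two modular exponentiations and at most a few multiplications; verification is one squaring and up to four comparisons, which is the property the thesis relies on for many-to-one workloads.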
2.3.2 The correctness of the RW0 signature scheme
Result 2.1. Let n = p.q with p, q two primes.
(1.a) Then each value $x \in Z_n^{*}$ corresponds to exactly one pair $(x_p, x_q) \in Z_p^{*} \times Z_q^{*}$ with:
$x_p = x \bmod p$ and $x_q = x \bmod q$. (2.27)
Moreover, according to the Garner algorithm [11, p. 88], x can also be
calculated from $(x_p, x_q)$ by the following formula:
$x = (q \cdot (q^{-1} \bmod p) \cdot (x_p - x_q) + x_q) \bmod n$. (2.28)
So, $x = (x_p, x_q)$.
(1.b) If $x = (x_p, x_q)$ and $y = (y_p, y_q)$ then we have the following equation:
$x \cdot y \bmod n = (x_p y_p \bmod p,\ x_q y_q \bmod q)$. (2.29)
With the above results, we get the following lemma.
Lemma 2.3. Given a Blum number n = pq. For $v \in Z_n^{*}$, denote:
$s = (q \cdot (q^{-1} \bmod p) \cdot (s_p - s_q) + s_q) \bmod n$ (2.30)
with
$s_p = v^{(p+1)/4} \bmod p$ and $s_q = v^{(q+1)/4} \bmod q$. (2.31)
We have
$s^2 \bmod n \in \{v, n - v\}$ if and only if $\left(\frac{v}{n}\right) = 1$. (2.32)
Proof: This proof is presented in the thesis.
Clause 2.1. The RW0 scheme is correct.
Proof: This proof is presented in the thesis.


2.3.3 The effectiveness of the RW0 scheme
Corollary 2.1. Let the costs of the RW and RW0 signature algorithms be denoted as
$T_{RW}$ and $T_{RW0}$, and let $t_J$ and $t_m$ be the times to perform the calculation of a Jacobi symbol
and a multiplication on $Z_n^{*}$; then:
$T_{RW} - T_{RW0} = t_J - 2 t_m$. (2.33)
The effectiveness of the RW0 scheme compared to some other schemes
Conclusion: "The time cost of the RW0 signature scheme is less than the
improvement scheme of Kaoru Kurosawa and Wakaha Ogata which is 0.16 time of
multiplication on $Z_n^{*}$"
2.4 R0 Signature Scheme
2.4.1 R0 signature scheme
a) Systematic parameters:
Integer n = p.q with p, q ≡ 3 (mod 4) two primes.
b is the smallest integer such that:
$\left(\frac{b}{n}\right) = -1$. (2.34)
c is calculated by the following formula (similar to the RW scheme):
$c = q \cdot (q^{-1} \bmod p)$. (2.35)
Also, there is a parameter d determined by the following formula:
$d = (c \cdot (d_p - d_q) + d_q) \bmod n$ (2.36)
with
$d_p = b^{(p+1)/4} \bmod p$ and $d_q = b^{(q+1)/4} \bmod q$. (2.37)
The secret key kept by the signer is the set (n, p, q, c, d) and the public key for
the signature verifier is (n, b).
The hash function and the message format function f are the same as in RW0.
b) R0 signing algorithm:
Algorithm 2.5 – R0 Signing Algorithm
INPUT: m, (n, p, q, c, d) with:
$m \in \{0,1\}^{\infty}$ is the message to be signed.
(n, p, q, c, d) is the signer's secret key.
OUTPUT: $(R, s) \in \{0,1\}^{k} \times Z_n^{*}$ such that 0 ≤ s < n/2 is the signature of the holder of
(n, p, q, c, d) on m.
1. Choose R randomly in $\{0,1\}^{k}$;
2. v ← f(R, Hash(m));
3. $s_p \leftarrow v^{(p+1)/4} \bmod p$;
4. $s_q \leftarrow v^{(q+1)/4} \bmod q$;
5. $s \leftarrow (c \cdot (s_p - s_q) + s_q) \bmod n$;
6. $u \leftarrow s^2 \bmod n$;
7. if u ∉ {v, n – v} then s ← d.s mod n;
8. s ← min(s, n – s);
9. return (R,s);
c) R0 verifying algorithm:
Algorithm 2.6 – R0 Verifying Algorithm
INPUT: m, (R, s), (n, b) with:
$m \in \{0,1\}^{\infty}$ is the message to be signed.
(R,s) is the signature on m.
(n,b) is the signer’s public key.
OUTPUT: Accept ∈ {0,1}; the signature (R,s) is accepted as valid if
and only if Accept = 1.
1. if $s \notin [0, \frac{n-1}{2}]$ then: Accept ← 0; goto 5;
2. v ← f(R, Hash(m));
3. $u \leftarrow s^2 \bmod n$;
4. if u ∈ {v, n – v } then: Accept ← 1; goto 5;
else: v ← v.b mod n;
if u ∈ {v, n – v } then Accept ← 1;
else Accept ← 0;
5. return Accept;

2.4.2 The correctness of the R0 signature scheme
Clause 2.2. R0 scheme is correct.
Proof: This proof is presented in the thesis.
2.4.3 Security of R0 signature scheme
The security of R0 is presented in the thesis.
2.4.4 The effectiveness of the R0 scheme
The effectiveness of R0 compared to the Rabin scheme
Comparing the two signature algorithms: the analysis and comparison of the two signature
algorithms are presented in detail in the thesis.
Corollary 2.2. The time cost of the Rabin signature algorithm is $3t_J$ longer than
that of the R0 scheme.
Comparing the two signature verifying algorithms: the analysis and comparison of the two
signature verifying algorithms are presented in detail in the thesis.
Corollary 2.3. The time cost of the signature verifying algorithms of the Rabin and
R0 schemes is approximately the same.
The effectiveness of the R0 scheme compared to some other schemes
In this section, the thesis compares R0 with some general determinations Rabin-style
schemes (with parameters p, q ≡ 3 (mod 4)), which is typically the best of L.
Harn and T. Kiesler [14].
2.5 PCRS Signature Scheme
2.5.1 PCRS signature scheme
Similar to the Rabin signature scheme, in the direction of expanding to parameter e
= 3, the PCRS scheme presented in this section has parameters p and q
satisfying $p \equiv q \equiv 1 \pmod 3$. As an improvement on the Rabin scheme, PCRS has a signature
verifying algorithm which only needs one cubing modulo n.
a) System parameters:
The system parameters for the signature scheme include:
− Integer n = p.q with p, q two primes such that:
p = 3.t + 1 with gcd(t,3) = 1
and q = 3.k + 1 with gcd(k,3) = 1 (2.38)
− Hash function: $Hash: \{0,1\}^{\infty} \to \{0,1\}^{h}$ satisfies security requirements for
codes.
− Secret parameters $d_p$, $d_q$ are defined as follows:
$d_p = \begin{cases} \frac{2p+1}{9} & \text{if } p \equiv 4 \pmod 9 \\ \frac{p+2}{9} & \text{if } p \equiv 7 \pmod 9 \end{cases}$; $d_q = \begin{cases} \frac{2q+1}{9} & \text{if } q \equiv 4 \pmod 9 \\ \frac{q+2}{9} & \text{if } q \equiv 7 \pmod 9 \end{cases}$ (2.39)
b) PCRS Signing message:
Algorithm 2.7 – PCRS Signing Algorithm
INPUT: $m \in \{0,1\}^{\infty}$ is the message to be signed; parameters p, q, $d_p$, $d_q$
OUTPUT: $(R, s) \in \{0,1\}^{k} \times Z_n$ is the signature on m.
1. Repeat
R ← Random($\{0,1\}^{k}$);
h ← Code(Hash(R||m));
$t \leftarrow h^{(p-1)/3} \bmod p$; $u \leftarrow h^{(q-1)/3} \bmod q$; (2.40)
until (t=1) and (u=1)
2. $h_p \leftarrow h \bmod p$; $h_q \leftarrow h \bmod q$; (2.41)
4. $s_p \leftarrow h_p^{d_p} \bmod p$; $s_q \leftarrow h_q^{d_q} \bmod q$; (2.42)
5. $s \leftarrow CRT(s_p, s_q)$; (2.43)
6. return (R, s); (2.44)
c) PCRS verifying algorithm:
Algorithm 2.8 – PCRS Verifying Algorithm
INPUT: $m \in \{0,1\}^{\infty}$ and $(R, s) \in \{0,1\}^{k} \times Z_n$ is the signature on m.
OUTPUT: Accept ∈ {0,1}; the signature (R,s) is accepted as valid if and only if
Accept = 1.
1. h ← Code(Hash(R||m));
2. $t \leftarrow s^3 \bmod n$;
3. Accept ← (t=h);
return Accept;

2.5.2 The correctness of the PCRS signature scheme

Clause 2.3. All signatures (R, s) on message M created by algorithm 2.7
have an output value of 1 under algorithm 2.8.
Proof: This proof is presented in the thesis.
2.5.3 Security of the signature schemes
Clause 2.4. The security of the PCRS scheme is ensured by the difficulty of the
factorization problem.
Proof: This proof is presented in the thesis.
2.5.4 Time cost of PCRS scheme
Clause 2.5. The cost of the signature-creation algorithm, denoted as $T_{2.7}$, and
of the verifying algorithm, denoted as $T_{2.8}$, in the PCRS scheme are given by the
following formulas:
$T_{2.7} = 16.5 \cdot len(p)^{\left(\frac{\ln 3}{\ln 2} + 1\right)} + 2\ln(len(p)) + \frac{3 \cdot len(p)^2}{\ln len(p)}$ (2.47)
$T_{2.8} = 2 \cdot len(p)^{\frac{\ln 3}{\ln 2}}$ (2.48)
Proof: This proof is presented in the thesis.
2.6 Conclusion of chapter 2
In this chapter, the thesis proposes three signature schemes, of which the two
schemes RW0 and R0 improve the Rabin scheme, while the PCRS scheme develops
the Rabin scheme in the direction of expanding to exponent e = 3.
The improved schemes RW0 and R0 do not need to calculate the Jacobi symbol in
the signature algorithm. With the proposed results and on the basis of analyzing
some publications in the same direction, it can be affirmed that the technique of
avoiding the calculation of the Jacobi symbol in the signature algorithm is completely
new. With the above technique, the proposed schemes are the most effective among the
schemes with the same type of modulus. The PCRS scheme develops the Rabin scheme with the
exponent e = 3, so the parameters p, q satisfy the condition $p \equiv q \equiv 1 \pmod 3$.
All schemes proposed in this chapter are in the Rabin series, with a low time cost
for the signature verifying algorithm, and can be applied in transactions of
“many-one” type in digital signature applications. The signature schemes proposed
in this chapter were published in [1], [3] and [4].
CHAPTER 3. THE SIGNATURE SCHEMES IN COMBINATION WITH
RSA AND RABIN
3.1 Mathematical base
3.1.1 Symbol
- Integer n = p.q with p, q two primes such that
p = 3.t + 1 with gcd(3, t) = 1 and gcd(3, q – 1) = 1 (3.1)
- Each $a \in Z_n$ corresponds to exactly one pair $(a_p, a_q) \in Z_p \times Z_q$ with $a_p = a \bmod p$,
$a_q = a \bmod q$, and the reverse mapping, denoted as CRT, is determined by the formula:
$CRT(u, v) = (q \cdot (q^{-1} \bmod p) \cdot u + p \cdot (p^{-1} \bmod q) \cdot v) \bmod n$ (3.2)
- The mapping preserves multiplication, which means:
$CRT(u \cdot x \bmod p,\ v \cdot y \bmod q) = CRT(u, v) \cdot CRT(x, y) \bmod n$ (3.3)

3.1.2 Function CR and solving the cube root problem on GF(p) with p ≠ 1 (mod 3)
as a prime
Definition 1 (Function CR, where the letters CR stand for "Cube Root")
Given an odd prime $p \not\equiv 1 \pmod 9$, let:
$d = \begin{cases} 3^{-1} \bmod (p - 1) & \text{if } p \not\equiv 1 \pmod 3 \\ \frac{2p+1}{9} & \text{if } p \equiv 4 \pmod 9 \\ \frac{p+2}{9} & \text{if } p \equiv 7 \pmod 9 \end{cases}$ (3.4)
The function CR(., p): GF(p) → GF(p) is determined by the following formula:
$CR(a, p) = a^{d} \bmod p$. (3.5)
Here GF(p), where the letters GF stand for "Galois field", is the finite field
given by the integers mod p when p is a prime number.
Then, we have:
Lemma 2. Let $p \not\equiv 1 \pmod 9$ be an odd prime; then for $a \in GF^{*}(p)$ we have:
If $p \not\equiv 1 \pmod 3$ then
$CR(a, p)^3 \equiv a \pmod p$. (3.6)
If $p \equiv 4 \pmod 9$ then
$CR(a, p)^3 \equiv a \cdot \left(a^{(p-1)/3}\right)^2 \pmod p$. (3.7)
If $p \equiv 7 \pmod 9$ then
$CR(a, p)^3 \equiv a \cdot a^{(p-1)/3} \pmod p$. (3.8)
Proof: This proof is presented in the thesis.
3.1.3 Sets E(β), B(β)
Clause 3.1. Given $\beta \in Z_n^{*}$ such that:
$\varepsilon = \beta^{(p-1)/3} \not\equiv 1 \pmod p$. (3.9)
Denote
$E(\beta) = \{e_i = \varepsilon^{i} \bmod p\}_{i=0,1,2}$. (3.10)
$B(\beta) = \{b_i = \beta^{i} \bmod n\}_{i=0,1,2}$. (3.11)
We have:
1) E(β) is the set of square roots of the unit in GF (p).
2) For all $a \in Z_n^{*}$, if
$a^{(p-1)/3} \bmod p = e_i$, (3.12)
with
j = – i mod 3 (3.13)
then the following condition is satisfied:
$(a \cdot b_j)^{(p-1)/3} \bmod p = 1$ (3.14)
Proof: This proof is presented in the thesis.
3.1.4 Cube Congruent Equation and Factorization Problem
Consider the equation below with $a \in Z_n$.
$x^3 \equiv a \pmod n$. (3.16)
We have the following results.
Lemma 3. The necessary and sufficient condition for (3.16) to have a solution is:
$a^{(p-1)/3} \bmod p = 1$ (3.17)
Then, a solution of (3.16) is given by the following formula:
x = CRT(CR(a mod p, p), CR(a mod q, q)). (3.18)
Proof: This proof is presented in the thesis.
Corollary 3.1. If n can be factorized into p and q, then equation (3.16)
can always be solved.
Clause 3.2. If two different solutions of equation (3.16) are found, then n can be
factorized.
Proof: This proof is presented in the thesis.
3.2 Signature scheme DRSA-RABIN3
3.2.1 Signature scheme DRSA-RABIN3

a) Systematic parameters:
Integer n = p.q with p and q satisfying condition (3.1).
$d_p$ and $d_q$ are calculated as the corresponding d value in formula (3.4).
Find the smallest value β satisfying condition (3.9) and construct the sets E =
E (β), B = B (β) according to formulas (3.10) and (3.11).
The secret parameters are the set (n, p, q, E) and the public parameters are the set (n,B).
b) DRSA-RABIN3 signing algorithm:
Algorithm 3.1 – DRSA-RABIN3 Signing Algorithm
INPUT: $a \in Z_n^{*}$ is the message to be signed, (n, p, q, E) are the secret parameters
OUTPUT: $(s, j) \in Z_n \times Z$ is the signature on a.
1. $r \leftarrow a^{(p-1)/3} \bmod p$ (3.23)
2. For i=0 to 2
if ($r = e_i$) then j ← – i mod 3; (3.24)
3. $u \leftarrow a \cdot b_j \bmod n$; (3.25)
4. s ← CRT(CR(u mod p, p), CR(u mod q, q)); (3.26)
5. return (s, j). (3.27)
c) DRSA-RABIN3 verifying algorithm:
Algorithm 3.2 – DRSA-RABIN3 Verifying Algorithm
INPUT: (s, j) is the signature on a, (n, B) are the public parameters
OUTPUT: Accept ∈ {0,1}; the signature (s,j) is accepted as valid if and
only if Accept = 1.
1. $u \leftarrow a \cdot b_j \bmod n$;
2. if ($u = s^3 \bmod n$) then Accept ← 1;
else Accept ← 0; (3.28)
3. return Accept.
3.2.2 The correctness of the DRSA-RABIN3 signature scheme.
Clause 3.3. All signatures (s,j) on message a created by algorithm 3.1 have
an output value of 1 under algorithm 3.2.
Proof: This proof is presented in the thesis.
3.2.3 Security of the DRSA-RABIN3 signature scheme
Clause 3.4. Security of the DRSA-RABIN3 scheme is ensured by the difficulty of
the factorization problem.
3.2.4 Time cost of DRSA-RABIN3 scheme
Clause 3.5. The cost of the signature-creation algorithm, denoted as $T_{3.1}$, and
of the verifying algorithm, denoted as $T_{3.2}$, in the DRSA-RABIN3 scheme are given
by the following formulas:
$T_{3.1} = t_m + 3 t_{exp} + t_{CRT}$ (3.29)
$T_{3.2} = 3 t_m$. (3.30)

3.3 PRSA-RABIN3 Signature Scheme
3.3.1 PRSA-RABIN3 signature Scheme
a) Systematic parameters:
The system parameters for the signature scheme include:
− Integer n = p.q with p, q two primes such that:
p = 3.t + 1 with gcd(t,3) = 1
and gcd(3, q – 1) = 1 (3.31)
− Hash function: $Hash: \{0,1\}^{\infty} \to \{0,1\}^{h}$ satisfies security requirements
for codes.
− Secret parameters $d_p$, $d_q$ are defined as follows:
$d_p = \begin{cases} \frac{2p+1}{9} & \text{if } p \equiv 4 \pmod 9 \\ \frac{p+2}{9} & \text{if } p \equiv 7 \pmod 9 \end{cases}$; $d_q = 3^{-1} \bmod (q - 1)$ (3.32)

b) PRSA-RABIN3 signing Algorithm:
Algorithm 3.3 – PRSA-RABIN3 Signing Algorithm
INPUT: $m \in \{0,1\}^{\infty}$ is the message to be signed; parameters: p, q, $d_p$, $d_q$
OUTPUT: $(R, s) \in \{0,1\}^{k} \times Z_n$ is the signature on m.
1. Repeat
R ← Random($\{0,1\}^{k}$);
h ← Code(Hash(R||m));
$t \leftarrow h^{(p-1)/3} \bmod p$;
until (t=1); (3.33)
2. $s_p \leftarrow h^{d_p} \bmod p$; $s_q \leftarrow h^{d_q} \bmod q$; (3.34)
3. $s \leftarrow CRT(s_p, s_q)$; (3.35)
4. return (R, s).
c) PRSA-RABIN3 verifying algorithm:
Algorithm 3.4 – PRSA-RABIN3 Verifying Algorithm
INPUT: $m \in \{0,1\}^{\infty}$ and $(R, s) \in \{0,1\}^{k} \times Z_n$ is the signature on m.
OUTPUT: Accept ∈ {0,1}; the signature is accepted as valid if and only if
Accept = 1.
1. h ← Code(Hash(R||m));
2. $t \leftarrow s^3 \bmod n$;
3. Accept ← (t=h);
return Accept;
3.3.2 The correctness of the PRSA-RABIN3 signature scheme
Clause 3.6. All signatures (R,s) on message m created by algorithm 3.3 have an
output value of 1 under algorithm 3.4.
Proof: This proof is presented in the thesis.
3.3.3 Security of the PRSA-RABIN3 signature scheme
Clause 3.7. Security of the PRSA-RABIN3 scheme is ensured by the difficulty of the
factorization problem.




3.3.4 Time cost of PRSA-RABIN3 scheme.
Clause 3.8. The cost of the signature-creation algorithm, denoted as $T_{3.3}$, and
of the verifying algorithm, denoted as $T_{3.4}$, in the PRSA-RABIN3 scheme are given by
the following formulas:
$T_{3.3} = 5 t_{exp} + t_{CRT}$ (3.38)
$T_{3.4} = 2 t_m$. (3.39)

3.4 The schemes DRSA-Rabin3 and PRSA-Rabin3 improved.
The first success of the thesis in increasing the effectiveness of the signature
algorithms in the Rabin scheme was to introduce techniques that avoid the calculation of
Jacobi symbols in these algorithms. As we know, the Jacobi symbol $\left(\frac{a}{n}\right)$
characterizes the existence of solutions of the equation $x^2 \equiv a \pmod n$. For the
equation $x^3 \equiv a \pmod p$ with p prime and p - 1 a multiple of 3, the existence of
a solution is characterized by $a^{(p-1)/3} \equiv 1 \pmod p$. So, the DRSA-Rabin3 and
PRSA-Rabin3 schemes presented in the previous two sections always use the above
condition in their signature algorithms. In this section, we once again apply the
technique, this time to avoid calculating the value of $a^{(p-1)/3} \bmod p$, and obtain two new
schemes with much higher efficiency than the corresponding schemes.

3.4.1 Mathematical basis of improvement
Clause 3.9. Let p be an odd prime with p - 1 a multiple of 3 and $p \not\equiv 1 \pmod 9$,
and let b be an integer that is not a multiple of p such that:
$b^{(p-1)/3} \bmod p \neq 1$ (3.40)
Denote:
$\sigma = \begin{cases} b^{2(p-1)/3} & \text{if } p \equiv 4 \pmod 9 \\ b^{(p-1)/3} & \text{if } p \equiv 7 \pmod 9 \end{cases}$ (3.41)
Then, for every integer a that is not a multiple of p, the value a mod p is one
of the following three values:
$CR(a, p)^3 \bmod p$, $CR(a, p)^3 \cdot \sigma \bmod p$, $CR(a, p)^3 \cdot \sigma^2 \bmod p$. (3.42)
Moreover, we also have:
$CR(a, p)^3 \cdot \sigma \equiv a \pmod p \iff CR(a \cdot b, p)^3 \equiv a \cdot b \pmod p$ (3.43)
$CR(a, p)^3 \cdot \sigma^2 \equiv a \pmod p \iff CR(a \cdot b^2, p)^3 \equiv a \cdot b^2 \pmod p$ (3.44)
Proof: This proof is presented in the thesis.
3.4.2 Improved PRSA-Rabin3 scheme

a) Systematic parameters:
The system parameters of the improved signature scheme are the same as
those of PRSA-Rabin3.
b) PRSA-RABIN3-1 signing algorithm:
Algorithm 3.5 – PRSA-RABIN3-1 Signature Algorithm
INPUT: $m \in \{0,1\}^{\infty}$ is the message to be signed; parameters: p, q, $d_p$, $d_q$
OUTPUT: $(R, s) \in \{0,1\}^{k} \times Z_n$ is the signature on m.
1. Repeat
R ← Random($\{0,1\}^{k}$);
h ← Code(Hash(R||m));
$s_p \leftarrow h^{d_p} \bmod p$;
$u \leftarrow s_p^3 \bmod p$;
until (u = h mod p);
2. $s_q \leftarrow h^{d_q} \bmod q$;
3. $s \leftarrow CRT(s_p, s_q)$;
4. return (R, s);
c) The correctness of the signature scheme:
Clause 3.10. All signatures (R,s) on message m created by algorithm 3.5
have an output value of 1 under algorithm 3.4.
Proof: This proof is presented in the thesis.
d) The effectiveness of the improved PRSA-Rabin3-1 scheme compared to PRSA-Rabin3:
Clause 3.11. The average time cost of the signature algorithm of the PRSA-RABIN3-1
scheme, denoted as $T_{3.5}$, is given by the following formula:
$T_{3.5} = 3 \cdot (t_{exp} + 2 t_m) + t_{exp} + t_{CRT}$ (3.46)
Clause 3.12: PRSA-Rabin3-1 has a more efficient signature algorithm than the
PRSA-Rabin3 scheme.
Proof: This proof is presented in the thesis.
3.4.3 Improved DRSA-Rabin3 scheme
The improved DRSA-Rabin3 scheme has two changes, one in the system
parameters and the other in the signature algorithm.
a) System parameters:
In the improved scheme, the system parameters are determined as follows:
− $d_p$, $d_q$ are calculated as the corresponding d value in formula (3.4).
− Find the smallest value β satisfying condition (3.40).
− $\beta_p = b^{d_p} \bmod p$, $\beta_q = b^{d_q} \bmod q$ and σ are calculated in the formula (3.40).
− The public key is the set (n, B) with B = {1, b, $b^2 \bmod n$}.
− The secret key is the set (p, q, $d_p$, $d_q$, $\beta_p$, $\beta_q$, σ).

b) DRSA-RABIN3-1 signing algorithm:
Algorithm 3.6 – DRSA-RABIN3-1 Signature Algorithm
INPUT: $a \in Z_n$ is the message to be signed; secret parameters (p, q, $d_p$, $d_q$,
$\beta_p$, $\beta_q$, σ).
OUTPUT: $(s, j) \in Z_n \times Z$ is the signature on a.
1. $s_p \leftarrow a^{d_p} \bmod p$; $s_q \leftarrow a^{d_q} \bmod q$;
2. $u \leftarrow s_p^3 \bmod p$;
3. if (u = a mod p) then return ($CRT(s_p, s_q)$, 0);
4. u ← u.σ mod p;
5. $s_p \leftarrow s_p \cdot \beta_p \bmod p$; $s_q \leftarrow s_q \cdot \beta_q \bmod q$;
6. if (u = a mod p) then return ($CRT(s_p, s_q)$, 1);
7. $s_p \leftarrow s_p \cdot \beta_p \bmod p$; $s_q \leftarrow s_q \cdot \beta_q \bmod q$;
8. return ($CRT(s_p, s_q)$, 2);■
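The deterministic cube-root schemes of sections 3.2 and 3.4.3 can be checked exhaustively on a toy modulus. The Python sketch below is an added example, not code from the thesis: it implements formula (3.4), the CRT map (3.2), Algorithms 3.1, 3.2 and 3.6, and confirms that both signers produce the same accepted signature for every message in $Z_n^{*}$. The toy primes and all function names are assumptions; σ is taken from formula (3.41).

```python
from math import gcd


def cr_exponent(p):
    """Exponent d of formula (3.4) for an odd prime p with p != 1 (mod 9)."""
    if p % 3 != 1:
        return pow(3, -1, p - 1)
    if p % 9 == 4:
        return (2 * p + 1) // 9
    if p % 9 == 7:
        return (p + 2) // 9
    raise ValueError("p = 1 (mod 9) is excluded")


def cr(a, p):
    return pow(a, cr_exponent(p), p)                      # formula (3.5)


def crt(u, v, p, q):
    return (q * pow(q, -1, p) * u + p * pow(p, -1, q) * v) % (p * q)


def keygen(p, q):
    """Keys for Algorithms 3.1/3.2 plus the secret tuple of Algorithm 3.6."""
    if p % 9 not in (4, 7) or (q - 1) % 3 == 0:
        raise ValueError("p, q do not satisfy condition (3.1)")
    n, third = p * q, (p - 1) // 3
    b = next(x for x in range(2, n)
             if gcd(x, n) == 1 and pow(x, third, p) != 1)  # condition (3.9)
    eps = pow(b, third, p)
    E = [pow(eps, i, p) for i in range(3)]                 # (3.10)
    B = [pow(b, i, n) for i in range(3)]                   # (3.11)
    d_p, d_q = cr_exponent(p), cr_exponent(q)
    sigma = pow(b, 2 * third if p % 9 == 4 else third, p)  # (3.41)
    fast = (p, q, d_p, d_q, pow(b, d_p, p), pow(b, d_q, q), sigma)
    return (n, p, q, E), (n, B), fast


def sign_3_1(a, sk, pk):
    """Algorithm 3.1: pick j from a^((p-1)/3), then take one cube root."""
    n, p, q, E = sk
    B = pk[1]
    r = pow(a, (p - 1) // 3, p)
    j = -E.index(r) % 3          # ValueError if a is not coprime to p
    u = a * B[j] % n
    return crt(cr(u % p, p), cr(u % q, q), p, q), j


def sign_3_6(a, fast):
    """Algorithm 3.6: no a^((p-1)/3); test the candidate root instead."""
    p, q, d_p, d_q, beta_p, beta_q, sigma = fast
    s_p, s_q = pow(a, d_p, p), pow(a, d_q, q)
    u = pow(s_p, 3, p)
    for j in range(3):
        if j == 2 or u == a % p:
            return crt(s_p, s_q, p, q), j
        u = u * sigma % p
        s_p, s_q = s_p * beta_p % p, s_q * beta_q % q


def verify(a, sig, pk):
    """Algorithm 3.2, with range checks on (s, j) added."""
    n, B = pk
    s, j = sig
    if j not in (0, 1, 2) or not 0 <= s < n:
        return False
    return a * B[j] % n == pow(s, 3, n)


def exhaustive_check(p, q):
    """Number of a in Z_n^* where both signers agree and verification passes."""
    sk, pk, fast = keygen(p, q)
    return sum(1 for a in range(1, p * q) if gcd(a, p * q) == 1
               and sign_3_1(a, sk, pk) == sign_3_6(a, fast)
               and verify(a, sign_3_6(a, fast), pk))


if __name__ == "__main__":
    print(exhaustive_check(13, 11), "of 120 messages verified for n = 143")
```

Algorithm 3.6 replaces the exponentiation $a^{(p-1)/3} \bmod p$ of Algorithm 3.1 with one cubing and at most a few multiplications, which is the saving stated in Clause 3.14.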



c) The correctness of the signature scheme:
Clause 3.13. All signatures (s,j) on message m created by algorithm 3.6 have
an output value of 1 under algorithm 3.2.
Proof: This proof is presented in the thesis.
d) The effectiveness of the improved DRSA-Rabin3-1 scheme compared to DRSA-Rabin3:
Clause 3.14. The time cost of the signature algorithm of the
DRSA-RABIN3-1 scheme, denoted as $T_{3.6}$, is given by the following formula:
$T_{3.6} \le 2 t_{exp} + 7 t_m + t_{CRT}$ (3.49)
Clause 3.15: DRSA-Rabin3-1 has a more efficient signature algorithm than the
DRSA-Rabin3 scheme.
Proof: This proof is presented in the thesis.
3.5 Conclusion of chapter 3
In this chapter, the thesis proposes two schemes which combine RSA and
Rabin with exponent e=3, where e is a divisor of either p – 1 or q – 1. By not
computing the Jacobi symbol in the signature algorithms, these algorithms have their
effectiveness improved. To further increase the efficiency of the signature
algorithm, in this chapter I avoid calculating $a^{(p-1)/3} \bmod p$ to obtain two
improved schemes that have much higher effectiveness. The signature schemes
proposed in this chapter were published in [2], [3] and [4].

CONCLUSION
1. Obtained result
During the research, I have always kept to the target and consulted valuable scientific
documents, nationally and internationally. To solve the problem of constructing a
signature scheme with low signature-verifying cost for digital transactions that
require authentication of signature validity in large volume, I chose the RSA and
Rabin schemes to research and develop. The research content and the results obtained
show that the thesis has reached the set goal.
The results obtained in the thesis include:
− In chapter 1, the thesis proposes clause 1.1 and proves it: it calculates
the time cost of verifying algorithms and proves that, among the standardized
signature schemes, the Rabin scheme has the lowest verifying cost. This is a
vital basis for the research when proposing signature schemes for digital trade
of “many-one” type.
− In chapter 2, the thesis proposes three signature schemes RW0, R0 and PCRS,
among which the RW0 and R0 schemes are improved from the Rabin scheme,
while PCRS is developed from Rabin with e=3.
− In chapter 3, the thesis proposes four signature schemes, namely DRSA-RABIN3
and PRSA-RABIN3, DRSA-RABIN3-1 and PRSA-RABIN3-1.
These schemes combine the design principles of Rabin and RSA with
exponent e=3.
2. New contributions of the thesis
− In addition to the security criteria, the most important criterion for a signature
scheme used in many-to-one transactions is "the lower the cost of the
verifying algorithm, the better." Therefore, clause 1.1 is a very important new
contribution, playing a role in shaping the studies of the thesis.
− The second new contribution of the thesis is the "avoid counting Jacobi
notation" technique in the Rabin signing algorithm. With this technique, the thesis
has proposed RW0 (improved from Rabin-Williams) and R0 (improved from
Rabin). Both of these schemes are better (in terms of time spent signing) than
similar studies. Besides, the thesis has proposed the probabilistic PCRS
scheme. It is developed from Rabin with p-1, q-1 both multiples
of e (with e=3).
− The third new contribution is the combination of the design principles of
RSA and Rabin to create new signature schemes, PRSA-Rabin3 and DRSA-Rabin3,
with exponent e = 3.