1 Introduction

In 1997, Naccache and Stern (NS, [15]) presented a public-key cryptosystem based on the conjectured hardness of the modular multiplicative knapsack problem. This problem is defined as follows:

Let p be a modulusFootnote 1 and let \(v_0,\cdots ,v_{n-1}\in \mathbb {Z}_p\).

$$\begin{aligned} \text {Given }p,v_0,\cdots ,v_{n-1},\text { and }\prod _{i=0}^{n-1} v_i^{m_i} \bmod p\text {, find the } \{m_i\}. \end{aligned}$$

Given this scheme’s algebraic structure it is interesting to determine if variants and generalizations can add to NS features such as semantic security, re-randomizability or extend it to operate on higher-residues.

This paper addresses these questions and explores several such variants.

1.1 The Original Naccache-Stern Cryptosystem

The NS cryptosystem uses the following sub-algorithms:

  • \(\mathsf {Setup}\): Pick a large prime p and a positive integer n. Let \(\mathfrak {P} = \{p_0 = 2, \cdots , p_{n-1}\}\) be the set of the n first primes, so that

    $$\begin{aligned} \prod _{i = 0}^{n-1} p_i < p \end{aligned}$$

    (We leave aside a one-bit leakage dealt with in [15] — this technique applies mutatis mutandis to the algorithm presented in this paper).

  • \(\mathsf {KeyGen}\): Pick a secret integer \(s < p-1\), such that \(\gcd (p-1,s) = 1\). Set

    $$\begin{aligned} v_i=\root s \of {p_i} \bmod p. \end{aligned}$$

    The public key is \((p,n,v_0,\cdots ,v_{n-1})\). The private key is s.

  • \(\mathsf {Encrypt}\): To encrypt an n-bit message m, compute the ciphertext c:

    $$\begin{aligned} c=\prod _{i=0}^{n-1}v_{i}^{m_{i}}\bmod p \end{aligned}$$

    where \(m_i\) is the i-th bit of m.

  • \(\mathsf {Decrypt}\): To decrypt c, compute

    $$\begin{aligned} m=\sum _{i=0}^{n-1}2^i \mu _i(c,s,p) \end{aligned}$$

    where \(\mu _i(c,s,p)\in \{0,1\}\) is the function defined by:

    $$\begin{aligned} \mu _{i}(c,s,p) = \frac{\gcd (p_i,c^s \bmod p)-1}{p_i-1}. \end{aligned}$$

To this day, NS has neither been proven secure in the usual models, nor has it been attacked. Rather, its security relies on the conjectured hardness of a multiplicative variant of the knapsack problemFootnote 2:

Definition 1 (Multiplicative Knapsack Problem)

Given p, c, and a set \(\{v_i\}\), find a binary vector x such that

$$\begin{aligned} c = \prod _{i=0}^{n-1} v_i^{x_i} \bmod p. \end{aligned}$$

Just as in additive knapsacks, this problem is NP-hard in general but can be solved efficiently in some situations; the secret key enabling precisely to transform the ciphertext into an easily-solvable instance.

Unlike additive knapsacks, this multiplicative knapsack doesn’t lend itself to lattice reduction attacks, which completely break many additive knapsack-based cryptosystems [1, 3, 5, 11,12,13].

Over the past years, several NS variants were published, these notably seek to either increase efficiency [6] or extend NS to polynomial rings [11]; to the best of our knowledge, no efficient attacks against the original NS are known.

1.2 Security Notions

A cryptosystem is semantically secure, or equivalently \(\mathsf {IND}\mathsf {\text {-}CPA}\)-secure [9], if there is no adversary \(\mathcal A\) capable of distinguishing between two ciphertexts of plaintexts of his choosing.

To capture this notion, \(\mathcal A\) starts by creating two messages \(m_0\) and \(m_1\) and sends them to a challenger \(\mathcal C\). \(\mathcal C\) randomly selects one of the \(m_i\) (hereafter \(m_b\)) and encrypts it into a ciphertext c. \(\mathcal A\) is then challenged with c and has to guess b with probability significantly higher than 1/2.

Given a public-key cryptosystem \(\mathsf {PKC}=\{\mathsf {Setup},\mathsf {KeyGen},\mathsf {Encrypt},\mathsf {Decrypt}\}\), this security notion can be formally defined by the following game:

Definition 2

( \(\mathsf {IND}\mathsf {\text {-}CPA}\) -Security). The following game is played:

  • \(\mathcal C\) selects a secret random bit b;

  • \(\mathcal A\) outputs two messages \(m_0\) and \(m_1\);

  • \(\mathcal C\) sends to \(\mathcal A\) the ciphertext \(c\leftarrow \mathsf {Encrypt}(m_b)\);

  • \(\mathcal A\) outputs a guess \(b'\).

\(\mathcal A\) wins the game if \(b' = b\). The advantage of \(\mathcal A\) in this game is defined as:

$$\begin{aligned} \mathsf {Adv}_{\mathsf {PKC}, \mathcal A}^{\mathsf {IND}\mathsf {\text {-}CPA}} := \left| \Pr \left[ b = b' \right] - \frac{1}{2} \right| \end{aligned}$$

A public-key cryptosystem \(\mathsf {PKC}\) is \(\mathsf {IND}\mathsf {\text {-}CPA}\) -secure if \(\mathsf {Adv}_{\mathsf {PKC}, \mathcal A}^{\mathsf {IND}\mathsf {\text {-}CPA}}\) is negligible for all PPT adversaries \(\mathcal A\).

\(\mathsf {IND}\mathsf {\text {-}CPA}\)-security is a very basic requirement, and in some scenarios it is desirable to have stronger security notions, capturing stronger adversaries. The strongest security notion for a public-key cryptosystem is indistinguishability under adaptive chosen ciphertext attacks, or \(\mathsf {IND}\mathsf {\text {-}CCA2}\)-security. \(\mathsf {IND}\mathsf {\text {-}CCA2}\) is also defined in terms of a game, where \(\mathcal A\) is furthermore given access to an encryption oracle and a decryption oracle:

Definition 3

( \(\mathsf {IND}\mathsf {\text {-}CCA2}\) -Security). An adversary \(\mathcal A\) is given access to an encryption oracle \(\mathcal O_E\) and a decryption oracle \(\mathcal O_D\). The following game is played:

  • \(\mathcal C\) selects a secret random bit b;

  • \(\mathcal A\) queries \(\mathcal O_E\) and \(\mathcal O_D\) and outputs two messages \(m_0\) and \(m_1\);

  • \(\mathcal C\) sends to \(\mathcal A\) the ciphertext \(c\leftarrow \mathsf {Encrypt}(m_b)\);

  • \(\mathcal A\) queries \(\mathcal O_E\) and \(\mathcal O_D\) and outputs a guess \(b'\).

\(\mathcal A\) wins the game if \(b' = b\) and if no query to the oracles concerned \(m_0\) nor \(m_1\). The advantage of \(\mathcal A\) in this game is defined as

$$\begin{aligned} \mathsf {Adv}_{\mathsf {PKC}, \mathcal A}^{\mathsf {IND}\mathsf {\text {-}CCA2}} := \left| \Pr \left[ b = b' \right] - \frac{1}{2} \right| \end{aligned}$$

A public-key cryptosystem \(\mathsf {PKC}\) is \(\mathsf {IND}\mathsf {\text {-}CCA2}\) -secure if \(\mathsf {Adv}_{\mathsf {PKC}, \mathcal A}^{\mathsf {IND}\mathsf {\text {-}CCA2}}\) is negligible for all PPT adversaries \(\mathcal A\).

We further remind the syntax of a perfectly re-randomizable encryption scheme [4, 10, 16]. A perfectly re-randomizable encryption scheme consists in four polynomial-time algorithms (polynomial in the implicit security parameter k):

  1. 1.

    \(\mathsf {KeyGen}\): a randomized algorithm which outputs a public key \(\mathsf {pk}\) and a corresponding private key \(\mathsf {sk}\).

  2. 2.

    \(\mathsf {Encrypt}\): a randomized encryption algorithm which takes a plaintext m (from a plaintext space) and a public key \(\mathsf {pk}\), and outputs a ciphertext c.

  3. 3.

    \(\mathsf {ReRand}\): a randomized algorithm which takes a ciphertext c and outputs another ciphertext \(c'\); \(c'\) decrypts to the same message m as the original ciphertext c.

  4. 4.

    \(\mathsf {Decrypt}\): a deterministic decryption algorithm which takes a private key \(\mathsf {sk}\) and a ciphertext c, and outputs either a plaintext m or an error indicator \(\bot \).

In other words:

$$\begin{aligned} \{\mathsf {sk},\mathsf {pk}\}\leftarrow \mathsf {KeyGen}(1^k) \end{aligned}$$
$$\begin{aligned} \mathsf {Decrypt}(\mathsf {ReRand}(\mathsf {Encrypt}(m,\mathsf {pk}),\mathsf {pk}),\mathsf {sk})= \mathsf {Decrypt}(\mathsf {Encrypt}(m,\mathsf {pk}),\mathsf {sk})=m \end{aligned}$$

Note that \(\mathsf {ReRand}\) takes only a ciphertext and a public key as input, and in particular, does not require \(\mathsf {sk}\).

2 Higher-Residues Naccache-Stern

The deterministic nature of NS prevents it from achieving \(\mathsf {IND}\mathsf {\text {-}CPA}\)-security: Indeed, a given message \(m_0\) will always produce the same ciphertext \(c_0\), so \(\mathcal A\) will always win the game of Definition 2.

We now describe an NS variant that is randomized. We then show how this modification guarantees semantic security, and even \(\mathsf {CCA2}\) security in the random oracle model, assuming the hardness of solving the multiplicative knapsack described earlier. In doing so, we must be very careful not to introduce additional structure that an adversary could leverage. To make this very visible, we decomposed the construction into three steps, each step pointing out the flaws avoided in the final construction.

2.1 Construction Step ①

Because the modified cryptosystem uses special prime moduli, algorithms \(\mathsf {Setup}\) and \(\mathsf {KeyGen}\) are merged into one single \(\mathsf {Setup}+\mathsf {KeyGen}\) algorithmFootnote 3.

  • \(\mathsf {Setup}+\mathsf {KeyGen}\): Pick a large prime p such that \((p-1)/2=as\) is a factoring-resistant RSA modulus. Pick a positive integer n. Let \(\mathfrak {P} = \{p_0 = 2, \cdots , p_{n-1}\}\) be the set of the n first primes, so that

    $$\begin{aligned} \prod _{i = 0}^{n-1} p_i < p \end{aligned}$$

    Set

    $$\begin{aligned} v_i=\root s \of {p_i} \bmod p \end{aligned}$$

    Let g be a generator of \(\mathbb F_p\), and \(\ell = g^{2a} \bmod p\). The public key is \((p,n,\ell , v_0,\cdots ,v_{n-1})\). The private key is s.

  • \(\mathsf {Encrypt}\): To encrypt m, pick a random integer \(k\in [1,p-2]\) and compute:

    $$\begin{aligned} c = \ell ^k \prod _{i=0}^{n-1}v_i^{m_{i}} \bmod p \end{aligned}$$

    where \(m_i\) is the i-th bit of the message m.

  • \(\mathsf {Decrypt}\): To decrypt c compute

    $$\begin{aligned} m=\sum _{i=0}^{n-1}2^i \mu _i(c,s,p). \end{aligned}$$

To understand why decryption works we first observe that

$$\begin{aligned} (\ell ^k)^s = ((g^{2a})^k)^s = g^{k(p-1)}=1 \bmod p. \end{aligned}$$

Hence:

And we are brought back to the original NS decryption process.

The Problem: The (attentive) reader could have noted at this step that because s is large and because the \(p_i\) are very few, the odds that a \(p_i\) is an s-th residue modulo p are negligible. Hence, unless p is constructed in a very particular way, key pairs simply... cannot be constructed.Footnote 4

A solution consisting in using a specific p and is detailed in Sect. 4. The alternative consists in proceeding with ② hereafter.

2.2 Construction Step ②

The workaround will be the following: Assume that we pick a \(v_i\) at random, raise it to the power s and get some integer \(\pi \):

$$\begin{aligned} \pi = v_i^s \bmod p \end{aligned}$$

Refresh \(v_i\) until \(\pi = 0 \bmod p_i\) where \(\pi \) is considered as an element of \(\mathbb {Z}\). (In the worst case this takes \(p_i\) trials.) Letting \(y_i=\pi /p_i\), we have:

$$\begin{aligned} p_i \times y_i = v_i^s \bmod p \Rightarrow p_i = y_i^{-1} \times v_i^s = u_i \times v_i^s \bmod p \end{aligned}$$

We will now add the \(u_i\) as auxiliary public keys.

  • \(\mathsf {Setup}+\mathsf {KeyGen}\): Pick a large prime p such that \((p-1)/2=as\) is a factoring-resistant RSA modulus. Pick a positive integer n. Let \(\mathfrak {P} = \{p_0 = 2, \cdots , p_{n-1}\}\) be the set of the n first primes, so that

    $$\begin{aligned} \prod _{i = 0}^{n-1} p_i < p \end{aligned}$$

    Generate the \(u_i,v_i\) pairs as previously described so that:

    $$\begin{aligned} p_i = u_i \times v_i^s \bmod p \end{aligned}$$

    Let g be a generator of \(\mathbb F_p\), and \(\ell = g^{2a} \bmod p\). The public key is \((p,n,\ell , u_0,\cdots ,u_{n-1},v_0,\cdots ,v_{n-1})\). The private key is s.

  • \(\mathsf {Encrypt}\): To encrypt m, pick a random integer \(k\in [1,p-2]\) and compute:

    $$\begin{aligned} c_0 = \ell ^k \prod _{i=0}^{n-1}v_i^{m_{i}} \bmod p \text{ and } c_1 = \prod _{i=0}^{n-1}u_i^{m_{i}} \end{aligned}$$

    where \(m_i\) is the i-th bit of the message m.

  • \(\mathsf {Decrypt}\): To decrypt \(c_0,c_1\) compute

    $$\begin{aligned} m=\sum _{i=0}^{n-1}2^i \eta _i(c_0,c_1,s,p) \end{aligned}$$

Where

$$\begin{aligned} \eta _{i}(c_0,c_1,s,p) = \frac{\gcd (p_i,c_1 \times c_0^s \bmod p)-1}{p_i-1}. \end{aligned}$$

To understand why decryption works remind that \((\ell ^k)^s = 1 \bmod p\) and hence

And we are brought back to the original NS decryption process.

The Problem: The (very attentive) reader could have noted that the resulting cryptosystem does not achieve semantic security because the construction process of \(c_1\) is deterministic.

2.3 Construction Step ③

The workaround is the following: we provide the sender with two extra elements of \(\mathbb {Z}_p\) that will allow him to blind \(c_0,c_1\).

To that end, pick a random \(\alpha \in \mathbb {Z}_p\), let \(\beta \alpha ^{s}=1 \bmod p\) and add \(\alpha ,\beta \) to the public key.

The algorithms \(\mathsf {Setup}+\mathsf {KeyGen}\) and \(\mathsf {Decrypt}\) remain otherwise unchanged but \(\mathsf {Encrypt}\) now becomes:

  • \(\mathsf {Encrypt}\): To encrypt m, pick a random integer \(k\in [1,p-2]\) and compute:

    $$\begin{aligned} c_0 = \alpha ^k\prod _{i=0}^{n-1}v_i^{m_{i}} \bmod p \text{ and } c_1 = \beta ^k\prod _{i=0}^{n-1}u_i^{m_{i}}. \end{aligned}$$

To understand why decryption works we note that (modulo p):

And we are brought back to the original NS decryption process.

3 Security

3.1 Semantic Security

The modified scheme’s security essentially relies on blinding an NS ciphertext using a multiplicative factor \(\ell ^k = g^{2ka} \bmod p\), which belongs to the subgroup of \(\mathbb Z_p\) of order b.

Lemma 1

Under the subgroup hiding assumption in \(\mathbb Z_p\), the scheme described in Sect. 2.1 is \(\mathsf {IND}\mathsf {\text {-}CPA}\)-secure.

Recall that the subgroup-hiding assumption [2] states that the uniform distribution over \(\mathbb Z_p\) is indistinguishable from the uniform distribution over one of its subgroups.

Proof

Assume that \(\mathcal A(\mathsf {pk})\) wins the \(\mathsf {IND}\mathsf {\text {-}CPA}\) game with non-negligible advantage. Then in particular \(\mathcal A(\mathsf {pk})\) has non-negligible advantage in the “real-or-random” game

$$\begin{aligned} \mathsf {Adv}^{\mathsf {R/R}}_{\mathcal A} := \Pr [\mathcal A^{\mathcal E_\mathsf {pk}}(\mathsf {pk}) = 1 ] - \Pr [\mathcal A^{\mathcal O}(\mathsf {pk}) = 1] \end{aligned}$$

where \(\mathcal E_\mathsf {pk}\) is an encryption oracle and \(\mathcal O\) is a random oracle. We define \(\mathcal B(\mathsf {pk}, \gamma )\) as follows:

  • Let \(\mathcal E_\mathcal {B}(m) = \gamma \prod _{i=0}^{n-1} v_i^{m_i} \bmod p\);

  • \(\mathcal B(\mathsf {pk}, \gamma )\) returns the same result as \(\mathcal A^{\mathcal E_\mathcal {B}}(\mathsf {pk})\)

The scenario \(\mathcal B(\mathsf {pk}, \gamma = g^{2au})\) yields \(\mathcal E_\mathcal {B} = \mathcal E_\mathsf {pk}\). The scenario \(\mathcal B(\mathsf {pk}, \gamma = g^u)\) for random u gives a ciphertext that is a uniform value, and therefore behaves as a perfect simulator of a random oracle, i.e. \(\mathcal E_\mathcal {B} = \mathcal O\). Hence if \(\mathcal A\) is an efficient adversary against our scheme, then \(\mathcal B\) is an efficient solver for the subgroup-hiding problem.    \(\square \)

Note that this part of the argument does not fundamentally rely on the original NS being secure — indeed, we may consider an encryption scheme that produces ciphertexts of the form \(c = x^k m\). Decryption for such a cryptosystem would be tricky, as \(c^b = m^b\) and there are b possible roots. That is why using NS is useful, as we do not have decryption ambiguity issues.

As we pointed out, the construction of Sect. 2.2 is not semantically secure: indeed, \(c_1\) is generated deterministically from m. This is addressed in Sect. 2.3 by introducing two numbers \(\alpha \) and \(\beta \). Using a similar argument as in Lemma 1, we have

Lemma 2

Under the DDH assumption in \(\mathbb Z_p\), and assuming that factoring \((p-1)/2\) is infeasible, the scheme described in Sect. 2.3 is \(\mathsf {IND}\mathsf {\text {-}CPA}\)-secure.

Note that these hypotheses can be simultaneously satisfied.

3.2 CCA2 Security

Even more interesting is the case for security against adaptive chosen-ciphertext attacks (\(\mathsf {IND}\mathsf {\text {-}CCA2}\)) [7, 8].

The original NS is naturally not \(\mathsf {IND}\mathsf {\text {-}CCA2}\); nor is in fact the “Step ①” variant discussed above: indeed it is possible to re-randomise a ciphertext, which immediately gives a way to win the \(\mathsf {IND}\mathsf {\text {-}CCA2}\) game.

To remedy this, we leverage the fact that upon successful decryption, we can recover the randomness \(\ell ^k\). The idea is to choose k in some way that depends on \(m_i\). If k is a deterministic function of \(m_i\) only however, randomisation is lost. Therefore we suggest the following variant, at the cost of some bandwidth:

  • Instead of m, we encrypt a message \(m\Vert r\) where r is a random string.

  • Let \(k \leftarrow H(m\Vert r)\) where H is a cryptographic hash function, and use this value of k instead of choosing it randomly in \(\mathsf {Encrypt}\).

  • Modify \(\mathsf {Decrypt}\) to recover \(\ell ^k\) (or \(\alpha ^k\) and \(\beta ^k\)). Upon successfully recovering \((m\Vert r)\), extract r, and check that \(\ell ^k\) (resp. \(\alpha ^k\) and \(\beta ^k\)) correspond to the correct value of k — otherwise it outputs \(\bot \).

This approach guarantees \(\mathsf {IND}\mathsf {\text {-}CCA2}\) in the random oracle model; this can be captured as a series of games:

  • Game 0: This is the \(\mathsf {IND}\mathsf {\text {-}CCA2}\) game against our scheme (① or ③), instantiated with some hash function H.

  • Game 1: This game differs from Game 0 in replacing H by a random oracle \(\mathcal O\). In the random oracle model, this game is computationally indistinguishable from Game 0.

  • Game 2: This game differs from Game 1 by the fact that the ciphertext is replaced by an uniformly-sampled random element of the ciphertext space. The results on \(\mathsf {IND}\mathsf {\text {-}CPA}\) security tell us that this game is computationally indistinguishable from Game 1 (under their respective hypotheses).

4 Generating Strong Pseudo-Primes in Several Bases

We now backtrack and turn our attention to generating specific moduli allowing to implement securely the “①” scheme of Sect. 2.1. This boils down to describing how to efficiently generate strong pseudo-prime numbers. In this section, we denote N the sought-after modulus.

Using quadratic reciprocity, we first introduce an algorithm generating numbers passing Fermat’s test. Then we leverage quartic reciprocity to generate numbers passing Miller-Rabin’s test. The pseudoprimes we need must be strong over several bases, and complexity is polynomial in the size of the product of these bases.

4.1 Primality Tests

A base-A Fermat primality test consists in checking that \(A^B \equiv A \bmod B\). Every prime passes this test for all bases A. There are however composite numbers, known as Carmichael numbers, that also pass this test in all bases. For instance, \(1729 = 7\cdot 13\cdot 19\) is such a number. There are an infinity of Carmichael numbers. The Miller-Rabin primality test also relies on Fermat’s little theorem. Let \(B-1 = 2^em\) with m odd. An integer B passes the Miller-Rabin test if \(A^m \equiv 1 \bmod B\) or if there exists an \(i \le e-1\) such that \(A^{2^im} \equiv -1 \bmod B\).

Definition 4 (Strong pseudo-prime)

A number that passes the Miller-Rabin test is said strongly pseudo-prime in base A.

An interesting theorem [14, Proposition 2][17] states that a composite number can only be strongly pseudo-prime for a quarter of the possible bases.

4.2 Constructing Pseudo-Primes

When p and \(2p-1\) are prime, Fermat’s test amounts to the computing of a Jacobi symbol. Indeed,

Theorem 1

Let p be a prime such that \(q = 2p-1\) is also prime. Let \(A \in \mathrm {QR}_{q}\). Then \(B = pq\) passes Fermat’s test in base A.

Proof

$$\begin{aligned} A^B&\equiv (A^p)^q \equiv A^q \equiv A^{2(p-1)+1} \equiv A \bmod p \\ A^B&\equiv (A^q)^p \equiv A^p \equiv A^{(q-1)/2+1} \equiv A \left( \frac{A}{q}\right) \equiv A \bmod q \end{aligned}$$

By the Chinese remainder theorem, we find that \(A^B \equiv A \bmod B\).   \(\square \)

From Gauss’ quadratic reciprocity theorem, if \(q \equiv 1 \bmod 4\) we can take \(q \equiv 1 \bmod A\) which guarantees that \(A \in \mathrm {QR}_{q}\). To make 2 a quadratic residue modulo q we must have \(q \equiv \pm 1 \bmod 8\). It is therefore easy to construct numbers that pass Fermat’s test in a prescribed list of bases.

4.3 Constructing Strong Pseudo-Primes

In this section we seek to generate numbers that are strongly pseudo-prime in base \(\eta \), where \(\eta \) is prime. Let p denote a prime number such that \(q = 2p-1\) is also prime, and \(N = pq\). We have the following equations:

$$\begin{aligned} N-1&\equiv 0 \bmod p-1 \\ N-1&\equiv \frac{q-1}{2} \bmod q-1 \\ \frac{n-1}{2}&\equiv \frac{p-1}{2} \bmod p-1 \\ \frac{n-1}{2}&\equiv 3\frac{q-1}{4} \bmod q-1 \end{aligned}$$

From there on, we will use the notation \(\big (\frac{\cdot }{\cdot } \big )_4\) to denote the quartic residue symbol.

Theorem 2

Let p be a prime such that \(q = 2p-1 \equiv 1 \bmod 8\) is also prime. Let A be an integer such that

$$\begin{aligned} \left( \frac{A}{p} \right) = -1, \qquad \left( \frac{A}{q}\right) = +1, \quad \text {and} \quad \left( \frac{A}{q}\right) _4 = -1. \end{aligned}$$

Then \(N = pq\) passes the Miller-Rabin test in base A.

Proof

Note that if \(A^{(N-1)/2} \equiv -1 \bmod N\), then n passes the Miller-Rabin test in base a. It then suffices to compute this quantity modulo p and q respectively:

   \(\square \)

Bases \(\varvec{\eta > 5}\) . Let \(\eta \ge 7\) be a prime number. We consider here the case \(p \equiv 5 \bmod 8\), i.e. \(q \equiv 9 \bmod 16\). We will leverage the following classical result:

Theorem 3

Let q be a prime number, \(q = A^2 + B^2 \equiv 1 \bmod 8\) with B even. Let \(\eta \) be a prime number such that \((p/\eta ) = 1\), then

$$\begin{aligned} \left( \frac{\eta }{q} \right) _4 = 1 \Leftrightarrow {\left\{ \begin{array}{ll} \eta \mid B &{} \text {, or}\\ \eta \mid A \text { and } \left( \frac{2}{\eta }\right) = 1 &{} \text {, or} \\ A \equiv \mu B \text { where } \mu ^2 + 1 \equiv \lambda ^2 \bmod \eta \text { and } \left( \frac{\lambda (\lambda +1)}{\eta } \right) = 1 \end{array}\right. } \end{aligned}$$

We will also need the following easy lemmata:

Lemma 3

Let \(\eta \ge 7\) be a prime number, there is at least an integer \(\Lambda \) such that

$$\begin{aligned} \left( \frac{\Lambda }{\eta } \right) = \left( \frac{2 - \Lambda }{\eta } \right) = -1. \end{aligned}$$

Proof

Let

$$\begin{aligned} s_1&= \#\left\{ i \in \mathbb F_\eta , \left( \frac{i}{\eta } \right) = +1, \left( \frac{2-i}{\eta } \right) = +1,\right\} \\ s_2&= \#\left\{ i \in \mathbb F_\eta , \left( \frac{i}{\eta } \right) = +1, \left( \frac{2-i}{\eta } \right) = -1,\right\} \\ s_3&= \#\left\{ i \in \mathbb F_\eta , \left( \frac{i}{\eta } \right) = -1, \left( \frac{2-i}{\eta } \right) = +1,\right\} \\ s_4&= \#\left\{ i \in \mathbb F_\eta , \left( \frac{i}{\eta } \right) = -1, \left( \frac{2-i}{\eta } \right) = -1,\right\} . \end{aligned}$$

Then it is clear that \(s_1 + s_2 + s_3 + s_4 = \eta - 2\). The quantity \(s_1 + s_2\) corresponds to the number of quadratic residues modulo \(\eta \), except maybe 2. Therefore,

$$\begin{aligned} s_1 + s_2 = \frac{\eta - \left( \frac{2}{\eta } \right) }{2} - 1. \end{aligned}$$

By symmetry between i and \(2-i\), we have \(s_2 = s_3\). We also have

$$\begin{aligned} s_2 + s_3&= \#\left\{ i \in \mathbb F_\eta , \left( \frac{i(2-i)}{\eta } \right) = -1 \right\} \\&= \#\left\{ i \in \mathbb F_\eta ^*, \left( \frac{2/i-1}{\eta } \right) = -1 \right\} \\&= \#\left\{ u \in \mathbb F_\eta , u \ne -1, \left( \frac{u}{\eta } \right) = -1 \right\} \\&= \frac{\eta + \left( \frac{-1}{\eta }\right) }{2} - 1. \end{aligned}$$

From that we get the value of \(s_4\):

$$\begin{aligned} s_4 = \frac{\eta + 2 \left( \frac{2}{\eta } \right) - \left( \frac{-1}{\eta }\right) - 2 }{4}. \end{aligned}$$

Therefore, for every \(\eta \ge 7\), \(s_4 > 0\).    \(\square \)

Choosing such an i, we denote \(\lambda \) the integer such that \(i = 1 + 1/\lambda \bmod \eta \). Then,

$$\begin{aligned} \left( \frac{1 + 1/\lambda }{ \eta } \right)&= \left( \frac{1 - 1/\lambda }{ \eta } \right) = -1\\ \left( \frac{(\lambda + 1)\lambda }{ \eta } \right)&= \left( \frac{(\lambda - 1)\lambda }{ \eta } \right) = -1\\ \left( \frac{\lambda ^2 - 1 }{ \eta } \right)&= \left( \frac{(\lambda + 1)\lambda }{ \eta } \right) \left( \frac{(\lambda - 1)\lambda }{ \eta } \right) = 1. \end{aligned}$$

Let \(\mu \) be such that \(\mu ^2 + 1 = \lambda ^2\). We can thus construct \(\lambda \) and \(\mu \) so that the third possibility of Theorem 3 is never satisfied.

Lemma 4

Let \(\eta \ge 7\) be a prime number, there is at least an integer x such that \((x/\eta ) = -1\) and \((2x-1/\eta ) = +1\).

Proof

As for the previous lemma, we show that there are \(\frac{1}{4} \left( \eta + 2\left( \frac{2}{\eta }\right) - \left( \frac{-1}{\eta }\right) - 2 \right) \) such values of x, which strictly positive for \(\eta \ge 7\).    \(\square \)

For such an x, we write \(y = 2x - 1 = z^2 \bmod \eta \), \(A_\eta = z/\lambda \bmod \eta \), and \(B_\eta = A_\eta \mu \). We then have

$$\begin{aligned} A_\eta ^2 + B_\eta ^2 = (1+\mu ^2)A_\eta ^2 = \lambda ^2 A_\eta ^2 = z^2 = y \bmod \eta \end{aligned}$$

If \(q = A^2 + B^2 \equiv 1 \bmod 8\) is prime, with B even, \(A \equiv A_\eta \bmod \eta \), and \(B \equiv B_\eta \bmod \eta \), then we see that the conditions of Theorem 3 are not satisfied, hence \((\eta /q)_4 = -1\). Furthermore, \(q \equiv y \bmod \eta \) so that \((\eta /q) = +1\). If we assume that \(p = (q+1)/2\) is prime, and that \(p \equiv 5 \bmod 8\), then the conditions of Theorem 2 are satisfied. Indeed, \(p \equiv x \bmod \eta \) so that \((\eta /p) = (x/\eta ) = -1\). Thus we generated a pseudo-prime in base \(\eta \).

All in all, the results from this section are captured by the following theorem.

Theorem 4

Let \(\eta \ge 7\) be a prime number. There are integers \(A_\eta , A_\eta \) such that \(N = pq\) is strongly pseudo-prime in base \(\eta \), provided that

$$\begin{aligned} {\left\{ \begin{array}{ll} q &{} = A^2 + B^2 \\ B &{} \text {is even} \\ A &{} \equiv A_\eta \bmod \eta \\ B &{} \equiv B_\eta \bmod \eta \\ q &{} \equiv 9 \bmod 16 \\ p &{} = (q-1)/2 \\ q &{} \text {is prime} \\ p &{} \text {is prime} \end{array}\right. } \end{aligned}$$

4.3.1 Base \(\eta = 2\).

In that case the following theorem applies.

Theorem 5

The integer \(N = pq\) is strongly pseudo-prime in base 2 provided that

$$\begin{aligned} {\left\{ \begin{array}{ll} q &{} = A^2 + B^2 \\ A &{} \equiv 3 \bmod 8\\ B &{} \equiv 4 \bmod 8\\ p &{} = (q-1)/2 \\ q &{} \text {is prime} \\ p &{} \text {is prime} \end{array}\right. } \end{aligned}$$

Proof

From the conditions of theorem 5, \(q \equiv 9 \bmod 16\) and \(q \equiv 5 \bmod 8\), which proves that 2 is a square modulo q and not modulo p, as it is not of the form \(\alpha ^2 + 64\beta ^2\).    \(\square \)

Bases \(\varvec{\eta = 3}\) and \(\varvec{\eta = 5}\) . In both cases, we cannot find p and q such that the base is a square modulo q and not modulo p. As we will see in the next section this is not too much of a problem in practice. We can in any case ensure that the base is a quartic residue modulo q, using for instance the following choices:

$$\begin{aligned} A_3&= 1, \qquad B_3 = 0, \\ A_5&= 1, \qquad B_5 = 0. \end{aligned}$$

4.4 Combining Bases

Consider a set \(\mathfrak P\) of prime numbers, which will be used as bases. For each \(\eta \in \mathfrak P\), we construct \(a_\eta , b_\eta \) as described in the previous section, using either the general construction (for \(\eta \ge 7\)) or the specific constructions (for \(\eta = 2, 3, 5\)). Then we invoke the Chinese remainder theorem, to get three integers \(a_\mathfrak {P}\), \(b_\mathfrak {P}\), and \(m_\mathfrak {P}\) such that \(N = pq\) is strongly pseudo-prime in all bases of \(\mathfrak P\) (except maybe 3 and 5), provided that

$$\begin{aligned} {\left\{ \begin{array}{ll} q &{} = A^2 + B^2 \\ B &{} \text {is even} \\ A &{} \equiv A_\mathfrak {P} \bmod m_\mathfrak {P}\\ B &{} \equiv B_\mathfrak {P} \bmod m_\mathfrak {P}\\ q &{} \equiv 9 \bmod 16 \\ p &{} = (q-1)/2 \\ q &{} \text {is prime} \\ p &{} \text {is prime} \end{array}\right. } \end{aligned}$$

In fact, running the algorithm several times eventually yields an integer N that is also strongly pseudo-prime in bases 3 and 5.

4.5 Numerical Example

Consider \(\mathfrak P = \{p_1 = 2, \cdots , p_{46}\}\) the set of all primes smaller than 200. We get:

$$\begin{aligned} A_\mathfrak {P} =~&{240951046641336683610293989487720938594370} \\&{00429131293941260428482600318651864405011} \\ B_\mathfrak {P} =~&{24500136562064551260427880199750830122812} \\&{89375458232594038192481071092303905088660}\\ m_\mathfrak {P} =~&{311996881667338462129967964253192555067519} \\&{87159614203780372129899474046144658803240}\\ \end{aligned}$$

From these we get the following number N, which is strongly pseudo-prime over all the bases in \(\mathfrak P\):

$$\begin{aligned} p =~&291618506663979836485075552375425341271029 \\&357276194940349058993812844768339307493938 \\&127646594821817009025241290150371642768597 \\&761443318584692039887707501189335237643121 \\&80942186641722156221\\ q =~&583237013327959672970151104750850682542058 \\&714552389880698117987625689536678614987876 \\&255293189643634018050482580300743285537195 \\&522886637169384079775415002378670475286243 \\&61884373283444312441\\ N =~&170082706857859304601346542040880491869964 \\&786138273235148360264007011659927137093809 \\&425108069173579937879773358221849944506646 \\&598887858361358403197265640650982893052328 \\&560315650882284134206966583670388670205884 \\&474179908395136256310311720485402493890312 \\&415845968563781269490092889866038579183791 \\&395019948173994150959921105615078612739999 \\&5262142244846207324478665807217335845461 \end{aligned}$$

This N can hence be used as the missing modulus needed to instantiate a “Step ①” NS variant.

5 Extensions

5.1 Using Composite Moduli

In the ②/④ variants of our scheme, one might be tempted to replace p itself by an RSA modulus n, where \(\phi (n) = 2ab\). Indeed, the original NS construction allows for such a choice.

Doing so, however, would immediately leak information about the factorisation of n: Indeed, \(\gcd (g^{a}-1, n) = p\).

There is a workaround: First we choose p and q so that \((p-1)/2\) and \((q-1)/2\) are RSA moduli, i.e. \(p-1 = 2s_1s_2\) and \(q-1 = 2r_1r_2\), with large \(s_1, s_2, r_1, r_2\). Then we set \(n = pq\), \(a = s_1r_1\), and \(b = 2s_2r_2\). Therefore \(\phi (n) = 2ab\) as before, but the GCD attack mentioned above does not apply, and the modified ②/③ Naccache-Stern cryptosystem works.

5.2 Bandwidth Improvements

The idea described in this paper is fully compatible with the modifications introduced in [6] to improve encryption bandwidth.

But there is even more: An interesting observation is that, upon decryption, it is possible to recover both the message m and the whitening \(x^k\). This is unlike most randomized encryption schemes, where the random nonce is lost. Thus we may contemplate storing some information in k, thereby augmenting somewhat the total information contained in a ciphertext. Alternatively, \(x^k\) may also be used as key material if NS is used (in a hybrid mode) as a key transfer mechanism.

For instance, given a message \(m = m_1 \Vert m_2\), we may encrypt \(m_1\Vert k\) using the blinding \(m_2^k\) with odd k. Upon decryption, one recovers k, and computes the k-th root of the blinding factor \(m_2^k\) — such a root is unique with overwhelming probability — thereby reconstructing the whole message.

One nontrivial research direction is to provide, in the message m, hints that make solving the discrete log modulo p easier and thereby embed directly information in k.