The Jacobi Symbol Problem for Quadratic Congruences and Applications to Cryptography

Abstract

Modern security models for public-key cryptography, such as one-way encryption under chosen plaintext attack (OWE-CPA) or indistinguishability under chosen plaintext attack (IND-CPA), rely on reductions between the security of cryptographic schemes and well-studied hard problems, such as integer factorization, discrete logarithm, quadratic residuosity, or learning with errors. The reduction can go from the hard problem to the security property under study, or vice versa, or in both directions (in which case we say there is an equivalence). Equivalences fundamentally tie the security property to the hard problem, thus offering multiple benefits. But obtaining an equivalence between a security property and a computational hard problem can be challenging, as is the case with the equivalence between the OWE-CPA security of the textbook RSA cryptosystem and the integer factorization problem. In this paper, we introduce a new computational problem, namely, distinguishing the Jacobi symbols of the solutions of a quadratic congruence modulo an RSA modulus (JSP(QC)). We show that this problem is at least as hard as the quadratic residuosity problem. Then, we show that the IND-CPA security of two public-key encryption schemes due to Cocks is equivalent to JSP(QC). We then specialize JSP(QC) to roots of quadratic residues and establish several computational indistinguishability results.

1. Introduction

A problem is hard if there is no polynomial-time probabilistic algorithm that can solve it with non-negligible probability. There is no known proof that a particular problem is hard. Unsuccessful attempts to solve specific problems efficiently, together with the lack of a proof of hardness, have led to the adoption of so-called computational hardness assumptions. Such an assumption states that a particular problem is hard. Notice, however, that a hardness assumption is not a mathematical argument, and so, some believed-to-be-hard problems might become easy in the future. Among the problems currently considered hard are the factorization problem for positive integers, the discrete logarithm problem, the decisional and computational Diffie–Hellman problems, and problems specific to residuosity or lattice theory [1].

Modern cryptographic security relies on computational hardness assumptions via reductions. We will elaborate a bit on this aspect. The security of a cryptographic scheme $\mathcal{S}$ is studied within a security model $SM$ that specifies the security goal $\mathcal{S}$ that needs to be achieved and the attack model against which it is evaluated. Then, $\mathcal{S}$ is $SM$-secure if the problem $SM\left(\mathcal{S}\right)$ of breaking $\mathcal{S}$’s security goal through the attack model specified by $SM$ is hard. This is where the hardness assumptions and the reduction technique come into play. More precisely, to prove that $\mathcal{S}$ is $SM$-secure, we do as follows:

• Choose a problem H for which there is a hardness assumption;
• Reduce H to $SM\left(\mathcal{S}\right)$ in the sense that if breaking the $SM$-security of $\mathcal{S}$ is easy, then H is easy.

The conclusion then is that $\mathcal{S}$ achieves $SM$-security provided that H is hard.

$\mathcal{S}$ can remain $SM$-secure even if the hardness assumption on H is later proven false. However, in such a case, another problem must be found on which to argue for the $SM$-security of the scheme $\mathcal{S}$. If, however, H and $SM\left(\mathcal{S}\right)$ are equivalent in the sense that there is a bidirectional reduction between them, then $\mathcal{S}$ is $SM$-secure if and only if H is hard. In other words, $\mathcal{S}$’s security is fundamentally tied to the hardness of H.

Establishing an equivalence (bidirectional reduction) between the security of a cryptographic scheme and a well-defined hard mathematical problem is critically important for several reasons:

• An equivalence means that breaking the cryptographic scheme is equivalent to solving the underlying hard problem. This provides strong theoretical assurance: if the hard problem is truly difficult, then the scheme is secure. So, it shifts the burden of security analysis from ad hoc approaches to a well-understood computational problem;
• Computational problems are usually formulated more simply, eliminating details that are not of algorithmic importance (which may appear in the description of a cryptographic scheme);
• Specific parameters of the cryptographic scheme, such as the key size, can be chosen based on the best-known algorithms for solving the hard problem underlying the scheme’s security;
• It allows easy correlation with other computational problems and so may facilitate security comparisons between cryptographic schemes;
• It provides a clearer picture of the security level of the cryptographic scheme.

We will briefly discuss a few examples below (the mathematical notations are standard but the reader can find them in the next section). The (textbook) RSA cryptosystem [1] is a public-key encryption system. To set up such a system, an integer $n=pq$ is chosen, where p and q are distinct odd prime integers. The public key (used for encryption) is of the form $(n,e)$, where e is coprime with $\phi \left(n\right)=(p-1)(q-1)$, and the secret key (used for decryption) is of the form $(n,d)$, where d is the inverse of e modulo $\phi \left(n\right)$. The ciphertext associated with a message $x\in {\mathbb{Z}}_n$ is $c=x^{e}modn$, while its decryption is $x=c^{d}modn$.

The OWE-CPA security [1] of the RSA cryptosystem is the following problem: given $(n,e)$ and $y\in {\mathbb{Z}}_n$, determine an integer $x\in {\mathbb{Z}}_n$ such that $y=x^{e}modn$. It is clear that if the factorization of n is easy, then the calculation of the function $\phi \left(n\right)$ is easy, which leads to the easy determination of d (the inverse of e modulo $\phi \left(n\right)$). So, the OWE-CPA security of RSA reduces to factorization or, in other words, the OWE-CPA security of RSA is no harder than factoring. This leaves open the possibility that the OWE-CPA security of RSA is easier than factorization. However, it is an open problem to prove that breaking the OWE-CPA security of RSA efficiently can also factorize the modulus.

In the Rabin cryptosystem [1], which can be viewed as a special case of RSA, the public key is n, while the private key consists of the prime integers $(p,q)$. Encryption is performed by squaring the plaintext message x modulo n, resulting in the ciphertext $c=x^{2}modn$. The decryption of c needs the Chinese Remainder Theorem with the prime integers p and q, leading to four roots of c modulo n. Additional information is then needed to identify the original message. Unlike RSA, the OWE-CPA security of the Rabin cipher is equivalent to factoring [1].

The list of examples can continue with the ElGamal cryptosystem, whose IND-CPA security is equivalent to the decisional Diffie–Hellman problem, or with the Paillier cryptosystem whose IND-CPA security is equivalent to the composite residuosity problem [1].

• Problem formulation and contribution

Problem formulation: The quadratic residuosity problem (QRP) is one of the seemingly hard problems. This problem requires that, given the product n of two distinct prime integers p and q and an integer $a\in {\mathbb{Z}}_n$ with Jacobi symbol +1, one must decide whether or not a is a quadratic residue modulo n. Since all attempts to solve it efficiently failed, the assumption was adopted that no probabilistic algorithm of polynomial time complexity can distinguish with a non-negligible probability between quadratic residues and quadratic non-residues with the Jacobi symbol +1. This assumption, known as the quadratic residuosity assumption (QRA), together with the problem of quadratic residuosity, is of great importance in cryptography [2,3,4,5,6,7,8,9,10,11,12].

Cocks’s public-key encryption (CPKE) and identity-based encryption (CIBE) schemes [6] are two well-known cryptosystems that achieve security by indistinguishability under chosen-ciphertext attack ($IND\text{-}CPA$ security), provided that $QRP$ is hard. That is, $QRP$ reduces to the $IND\text{-}CPA$ security of any of the two schemes (in the sense we have already discussed: if breaking the $IND\text{-}CPA$ security of any of the two schemes is easy, then $QRP$ is easy).

The question now is whether the $IND\text{-}CPA$ security of the two Cocks cryptosystems reduces to $QRP$. In other words, the question is whether the $IND\text{-}CPA$ security of any of these schemes is equivalent to $QRP$.

Contribution: We introduce a new computational problem in this paper, called the Jacobi symbol problem for quadratic congruences ($JSP\left(QC\right)$), and we show that

1.

$QRP$ reduces to $JSP\left(QC\right)$. Therefore, $JSP\left(QC\right)$ is at least as hard as $QRP$.

2.

The $IND\text{-}CPA$ security of any of the two Cocks cryptosystems is equivalent to $JSP\left(QC\right)$.

As a result, the $IND\text{-}CPA$ security of the two Cocks cryptosystems is equivalent to $QRP$ if and only if $QRP$ and $JSP\left(QC\right)$ are equivalent. We conjecture that $JSP\left(QC\right)$ is strictly harder than $QRP$. Regardless of the truth value of this conjecture, we have identified a computational problem, namely $JSP\left(QC\right)$, that is equivalent to the security of the two cryptographic schemes mentioned above.

We then specialize $JSP\left(QC\right)$ to roots of quadratic residues modulo anti-Blum integers. We divide the quadratic residues into two classes according to the Jacobi symbol of their roots, which in turn induces a partition into two classes of the integers with the Jacobi symbol $+1$ but which are not quadratic residues. Then, we establish computational indistinguishability relationships between these distributions. Thus, we refine the problem of distinguishing between quadratic residues and non-residues depending on the Jacobi symbol of the roots.

• Paper structure

Our paper is structured into six sections, the first one being an introduction. The second section establishes the basic notation and terminology for the entire paper. Then, in Section 3, we present some results on quadratic congruences. The fourth section is dedicated to the computational problem we propose, namely the Jacobi symbol problem for quadratic congruences. Connections between this problem, the quadratic residuosity problem, and the security of Cocks’ schemes are established. The fifth section specializes the Jacobi symbol problem for quadratic congruences to roots of quadratic congruences and establishes several computational indistinguishability results. The conclusions of our work are presented in the sixth section.

2. Preliminaries

We recall here the basic notation and terminology used in the paper. For details the reader is referred to [1,13,14,15,16,17].

• Number theory

We use $\mathbb{Z}$ to denote the set of integers and $(a,b)$ for the gcd of the integers a and b (it will be clear from context when $(a,b)$ is the pair of the two integers and not their gcd). When $(a,b)=1$, the integers a and b are called co-prime. ${\mathbb{Z}}_n$ stands for $\{0,\dots ,n-1\}$ and ${\mathbb{Z}}_n^{*}=\{a\in {\mathbb{Z}}_n\mid (a,n)=1\}$, for any positive integer n.

Two integers a and b are congruent modulo an integer n, denoted $a{\equiv }_{n}b$, if n divides $a-b$. When $n\ne 0$, the remainder of the integer division of a by n is expressed $amodn$ or ${\left(a\right)}_n$.

An RSA integer, also called RSA modulus, is a product $n=pq$ of two distinct odd prime integers p and q (as a matter of convention, we always assume $p<q$).

Given a system of congruences in the indeterminate x,

$$x\equiv b_{i}mod{m}_i\mathrm{for} \mathrm{all}1\le i\le n,$$

the Chinese Remainder Theorem (CRT) [14,15] states that the system has a unique solution modulo $m_1\dots m_n$, whenever $m_1,\dots ,m_n$ are pairwise co-prime.

Given two integers a and $n>0$, we say that a is a quadratic residue modulo n if $a\equiv x^{2}modn$, for some integer x; the integer x is called a square root of a modulo n.

Let p be an odd prime integer. The Legendre symbol of an integer a modulo p, denoted $\left({\displaystyle \frac{a}{p}}\right)$, is 1 when a is a quadratic residue modulo p, 0 when p divides a, and $-1$ otherwise. The extension to odd moduli $n>0$ is called the Jacobi symbol, denoted in the same way as the Legendre symbol is. Thus, the Jacobi symbol of a modulo $n>0$ is 1 when $n=1$ and

$$\left({\displaystyle \frac{a}{n}}\right)={\left({\displaystyle \frac{a}{p_1}}\right)}^{e_1}\dots {\left({\displaystyle \frac{a}{p_m}}\right)}^{e_m}$$

if $n=p_1^{e_1}\dots p_m^{e_m}$ is the prime factorization of n ($p_1,\dots ,p_m$ are distinct prime integers and $e_i\ge 1$, for all $1\le i\le m$). For ease of expression, we will use the term “Jacobi symbol” for both prime and composite moduli.

Let $Q{R}_n$ ($QN{R}_n$, $J_n^{+}$, $J_n^{-}$) be the set of quadratic residues (quadratic non-residues, integers with the Jacobi symbol +1, integers with the Jacobi symbol $-1$, respectively) from ${\mathbb{Z}}_n^{*}$. The following facts are well-known [13,14,17]:

1.

$\left|Q{R}_n\right|=|QN{R}_n|$ when n is an odd prime integer;

2.

For any odd integer $n>2$, $a\in {\mathbb{Z}}_n^{*}$ is a quadratic residue modulo n if and only if there is a quadratic residue modulo any prime factor of n;

3.

For any RSA modulus $n=pq$, $\left|J_n^{+}\right|=\left|J_n^{-}\right|$ and $\left|Q{R}_n\right|={\displaystyle \frac{|J_n^{+}|}{2}}$;

4.

For any RSA modulus $n=pq$, if we split $J_n^{-}$ into two subsets

$$\begin{array}{cc}\hfill J_n^{\pm }& =\left\{a\in J_n^{-}|\left({\displaystyle \frac{a}{p}}\right)=1\mathrm{and}\left({\displaystyle \frac{a}{q}}\right)=-1\right\}\hfill \\ \hfill J_n^{\mp }& =\left\{a\in J_n^{-}|\left({\displaystyle \frac{a}{p}}\right)=-1\mathrm{and}\left({\displaystyle \frac{a}{q}}\right)=1\right\},\hfill \end{array}$$

and $Q{R}_n$, $J_n^{+}\setminus Q{R}_n$, $J_n^{\pm }$, and $J_n^{\mp }$ partition ${\mathbb{Z}}_n^{*}$ into four subsets of equal size. These subsets are called the quadrants of ${\mathbb{Z}}_n^{*}$.

• Probabilistic algorithms

Probabilistic polynomial time (PPT) algorithms [16] play an important role in cryptography. For such an algorithm $\mathcal{A}$, $b\leftarrow \mathcal{A}\left(D\right)$ means that b is an output of $\mathcal{A}$ on some input from D, and $P(b\leftarrow \mathcal{A}(D\left)\right)$ stands for the probability with which $\mathcal{A}$ outputs b. An oracle for $\mathcal{A}$ can be viewed as a black box f that can perform a particular computation whenever it is queried by $\mathcal{A}$. We do not care about f’s implementation or how it works. We only assume that f returns the computation result in $\mathcal{O}\left(1\right)$ time complexity. The notation ${\mathcal{A}}^f$ is used to specify that $\mathcal{A}$ may query the oracle f.

A positive function $f\left(\lambda \right)$ is negligible if for any polynomial function $poly\left(\lambda \right)$ there is ${\lambda }_0$ such that $f\left(\lambda \right)<1/poly\left(\lambda \right)$, for any $\lambda \ge {\lambda }_0$. If $1-f\left(\lambda \right)$ is negligible, then $f\left(\lambda \right)$ is called overwhelming.

When a problem cannot be solved by any PPT algorithm, except with negligible probability, we will say that it is hard; otherwise, it will be called easy. The problem Areduces to the problem B, denoted $A⪯B$, if A’s hardness implies B’s hardness (equivalent to saying that A is easy assuming B is easy). If $A⪯B$ and $B⪯A$, then A and B are called equivalent, denoted $A\sim B$.

• Probability distributions and indistinguishability

A (discrete) probability distribution over a discrete sample space D is a real-valued function X with the properties $X\left(d\right)\ge 0$ for any $d\in D$ and ${\sum }_{d\in D}X\left(d\right)=1$. We will omit the sample space D whenever it is clear from the context. When a probabilistic algorithm $\mathcal{A}$ receives inputs from a sample space over which we have defined a probability distribution X, we will say that the algorithm gets inputs from X and write $\mathcal{A}\left(X\right)$.

A distinguisher for a probability distribution X is a PPT algorithm $\mathcal{A}$ whose output lies in $\{0,1\}$ for any input in X. The advantage of a distinguisher $\mathcal{A}$ on two families of probability distributions $X={\left(X_{\lambda }\right)}_{\lambda }$ and $Y={\left(Y_{\lambda }\right)}_{\lambda }$ over the same sample space, denoted $Ad{v}_{\mathcal{A},X,Y}\left(\lambda \right)$, is defined as being the function

$$Ad{v}_{\mathcal{A},X,Y}\left(\lambda \right)=|P(1\leftarrow \mathcal{A}\left(X_{\lambda }\right))-P(1\leftarrow \mathcal{A}\left(Y_{\lambda }\right))|.$$

X and Y are called computationally indistinguishable, denoted $X\stackrel{c}{\approx }Y$, if $Ad{v}_{\mathcal{A},X,Y}$ is negligible, for any distinguisher $\mathcal{A}$.

• Public-key encryption

Let $\mathcal{M}$ and $\mathcal{C}$ be two finite sets of messages and ciphertexts, respectively. A public-key encryption (PKE) scheme over $(\mathcal{M},\mathcal{C})$ is a triple of algorithms $\mathcal{S}=(\mathcal{G},\mathcal{E},\mathcal{D})$, where

• $(pk,sk)\leftarrow \mathcal{G}\left(\lambda \right)$: $\mathcal{G}$ is a PPT algorithm that takes as input a security parameter $\lambda$ and outputs a pair $(pk,sk)$ consisting of a public key $pk$ and a secret key $sk$;
• $c\leftarrow \mathcal{E}(pk,m)$: $\mathcal{E}$ is a PPT algorithm that takes as input a public key $pk$ and a message m and outputs a ciphertext;
• $\mathcal{D}(sk,c)=m/\perp$: $\mathcal{D}$ is a deterministic polynomial-time (DPT) algorithm that takes as input a private key $sk$ and a ciphertext c and outputs a message m or a special symbol ⊥ denoting failure. It is required that $\mathcal{D}(sk,c)=m$, for all outputs $(pk,sk)$ of $\mathcal{G}$, all messages m, and all outputs c of $\mathcal{E}(pk,m)$.

    To define the $IND\text{-}CPA$ security of a PKE scheme $\mathcal{S}$, consider the probabilistic Algorithm 1, where $\mathcal{A}$ is a PPT algorithm and $b\in \{0,1\}$. Thus, we say that $\mathcal{S}$ has indistinguishable encryptions under chosen plaintext attack or that it is $IND\text{-}CPA$ secure if the advantage $Ad{v}_{\mathcal{A},\mathcal{S}}\left(\lambda \right)$ of $\mathcal{A}$ against $\mathcal{S}$ is negligible for any PPT $\mathcal{A}$, where

$$Ad{v}_{\mathcal{A},\mathcal{S}}\left(\lambda \right)=|P(1\leftarrow PK{E}_{\mathcal{A},\mathcal{S}}^{cpa\text{-}0}\left(\lambda \right))-P(1\leftarrow PK{E}_{\mathcal{A},\mathcal{S}}^{cpa\text{-}1}\left(\lambda \right))|.$$

We will denote by $IND\text{-}CPA\left(\mathcal{S}\right)$ the problem of breaking the $IND\text{-}CPA$ security of the PKE scheme $\mathcal{S}$.

Algorithm 1: $IND\text{-}CPA$ security game

$PK{E}_{\mathcal{A},\mathcal{S}}^{cpa\text{-}b}\left(\lambda \right)$     1. $(pk,sk)\leftarrow \mathcal{G}\left(\lambda \right)$;     2. $(m_0,m_1)\leftarrow {\mathcal{A}}^{\mathcal{E}}(\lambda ,pk)$ with $m_0\ne m_1$ and $\left|m_0\right|=\left|m_1\right|$;     3. $c\leftarrow \mathcal{E}(pk,m_b)$;     4. $b^{\prime }\leftarrow {\mathcal{A}}^{\mathcal{E}}(c,\sigma )$;     5. Return $b^{\prime }$.      ($\sigma$ denotes state information).

Identity-based encryption (IBE) is a form of PKE, where the public key can be computed by the sender, while the corresponding private key has to be computed by a dedicated key generator. So, an IBE scheme over $(\mathcal{M},\mathcal{C})$ consists of four PPT algorithms $\mathcal{S}=(Setup,\mathcal{G},\mathcal{E},\mathcal{D})$ as follows:

1.

$(PP,Msk)\leftarrow Setup\left(\lambda \right)$: $Setup$ is a PPT algorithm that takes as input a security parameter $\lambda$ and outputs the system public parameters $PP$ together with a master key $Msk$;

2.

$sk\leftarrow \mathcal{G}(Msk,ID)$: $\mathcal{G}$ is a PPT algorithm that takes as input the master key $Msk$ and an identity $ID$, and outputs a private key $sk$ associated with $ID$;

3.

$c\leftarrow \mathcal{E}(PP,ID,m)$: $\mathcal{E}$ is a PPT algorithm that, starting with the public parameter $PP$, an identity $ID$, and a message m, encrypts m into some ciphertext c (the encryption key is some binary string derived from $ID$);

4.

$\mathcal{D}(sk,c)=m/\perp$: $\mathcal{D}$ is a DPT algorithm that takes as input a secret key associated with some identity $ID$ and a ciphertext c, and outputs a message m or a special symbol ⊥ denoting failure. It is required that $\mathcal{D}(sk,c)=m$, for all outputs $(PP,Msk)$ of $Setup\left(\lambda \right)$, all identities $ID$, all messages m, all outputs c of $\mathcal{E}(PP,ID,m)$, and all outputs $sk$ of $\mathcal{G}(Msk,ID)$.

The concept of $IND\text{-}CPA$ security can be extended to IBE schemes as well by means of Algorithm 2. We say that $\mathcal{S}$ has indistinguishable encryptions under chosen plaintext attack or that it is $IND\text{-}ID\text{-}CPA$-secure if the advantage $Ad{v}_{\mathcal{A},\mathcal{S}}\left(\lambda \right)$ of $\mathcal{A}$ against $\mathcal{S}$ is negligible for any PPT $\mathcal{A}$, where

$$Ad{v}_{\mathcal{A},\mathcal{S}}\left(\lambda \right)=|P(1\leftarrow IB{E}_{\mathcal{A},\mathcal{S}}^{cpa\text{-}0}\left(\lambda \right))-P(1\leftarrow IB{E}_{\mathcal{A},\mathcal{S}}^{cpa\text{-}1}\left(\lambda \right))|.$$

We will denote by $IND\text{-}ID\text{-}CPA\left(\mathcal{S}\right)$ the problem of breaking the $IND\text{-}ID\text{-}CPA$ security of the IBE scheme $\mathcal{S}$.

Algorithm 2: $IND\text{-}ID\text{-}CPA$ security game

$IB{E}_{\mathcal{A},\mathcal{S}}^{cpa\text{-}b}\left(\lambda \right)$     1. $(PP,Msk)\leftarrow Setup\left(\lambda \right)$;     2. $(m_0,m_1,ID)\leftarrow {\mathcal{A}}^{\mathcal{E},\mathcal{G}}(\lambda ,PP)$ with $m_0\ne m_1$ and $\left|m_0\right|=\left|m_1\right|$;     3. $c\leftarrow \mathcal{E}(PP,ID,m_b)$;     4. $b^{\prime }\leftarrow {\mathcal{A}}^{\mathcal{E},\mathcal{G}}(c,\sigma )$;     5. Return $b^{\prime }$. ($\sigma$ denotes state information. It is assumed that the identity $ID$ in step 3 was never queried for private key extraction in steps 2 and 4).

3. Quadratic Congruences

We present in this section some results on solving quadratic congruences modulo a prime integer and an RSA modulus. For the completeness of the presentation, a few known results are recalled in an appropriate form and accompanied by brief proof sketches.

3.1. Quadratic Congruences Modulo a Prime Integer

We will focus on solving quadratic congruences

$$a_2{x}^2+a_{1}x+a_0\equiv 0modp,$$

(1)

where p is an odd prime integer and $a_0,a_1,a_2\in {\mathbb{Z}}_p$. For the congruence not to degenerate into a linear one, we will ask for $(a_2,p)=1$. Under this requirement, we may multiply the quadratic congruence by $a_2^{-1}modp$ without changing its solutions. So, we may consider the quadratic congruence in the equivalent form $x^2+cx+a\equiv 0modp$. For technical reasons, we write the congruence in the form

$$x^2-cx+a\equiv 0modp,$$

(2)

where $a,c\in {\mathbb{Z}}_p$. If $a=0$, the congruence becomes $x(x-c)\equiv 0modp$, which trivially leads to the solutions 0 and c in ${\mathbb{Z}}_p$. As a result, we will avoid this case and, in what follows, we assume $a\in {\mathbb{Z}}_p^{*}$.

Although not presented in this form, the following result is part of any standard textbook on number theory, such as [13,14].

Proposition 1

(Solving quadratic congruences). Let p be an odd prime integer, $a\in {\mathbb{Z}}_p^{*}$, $c\in {\mathbb{Z}}_p$, and $\Delta =(c^2-4a)modp$.

1. 

If $\Delta \in Q{R}_p$, then

(a) 

The congruence (2) has two distinct solutions in ${\mathbb{Z}}_p^{*}$, namely $(c+\sqrt{\Delta })/2modp$ and $(c-\sqrt{\Delta })/2modp$, where $\sqrt{\Delta }$ is an arbitrary root modulo p of Δ;

(b) 

If $t\in {\mathbb{Z}}_p^{*}$ is one of the solutions for (2), then $a{t}^{-1}modp$ is the other solution in ${\mathbb{Z}}_p^{*}$;

(c) 

The two solutions in ${\mathbb{Z}}_p^{*}$ for (2), t and $a{t}^{-1}modp$, satisfy

$$\left({\displaystyle \frac{a{t}^{-1}}{p}}\right)=\left({\displaystyle \frac{a}{p}}\right)\left({\displaystyle \frac{t}{p}}\right).$$

Therefore, they have the same Jacobi symbol modulo p if and only if $a\in Q{R}_p$;

2. 

If $\Delta =0$, then

(a) 

$a\equiv {(c/2)}^{2}modp$, and so $a\in Q{R}_p$ and $c\in {\mathbb{Z}}_p^{*}$;

(b) 

The congruence (2) has a (double) solution in ${\mathbb{Z}}_p^{*}$, namely $t=c/2modp$, which is also one of the two roots in ${\mathbb{Z}}_p^{*}$ of a;

3. 

If none of the above occurs, the congruence (2) has no solution.

Proof. 

According to the hypothesis, the congruence (2) is equivalent to

$$4x^2-4cx+4a\equiv 0modp,$$

(3)

which in turn can be re-written as

$${(2x-c)}^2\equiv \Delta modp.$$

(4)

It is now clear that the congruence (2) has solutions only if $\Delta =0$ or $\Delta \in Q{R}_p$. This answers the last item of Proposition 1.

1. Let us assume that $\Delta$ is a quadratic residue modulo p. Then, (4) leads to

$$p|(2x-c-\sqrt{\Delta })(2x-c+\sqrt{\Delta }),$$

from which follows that $(c+\sqrt{\Delta })/2modp$ and $(c-\sqrt{\Delta })/2modp$ are solutions in ${\mathbb{Z}}_p$ for (2). It is straightforward to check that they are non-congruent modulo p. If we assume that p divides one of them, then p divides their product and so, $p|a$, which is a contradiction. Therefore, both solutions are in ${\mathbb{Z}}_p^{*}$, and thus 1(a) is proved.

Here, 1(b) requires only a simple check, and 1(c) follows from the basic properties of the Jacobi symbol.

2. If $\Delta =0$, then $a\equiv {(c/2)}^{2}modp$, and so $a\in Q{R}_p$ (remark that $a\in {\mathbb{Z}}_p^{*}$ by the hypothesis). Moreover, $c\in {\mathbb{Z}}_p^{*}$. Therefore, 2(a) is proved.

To prove 2(b), remark that (4) becomes ${(2x-c)}^2\equiv 0modp$, which leads to the (double) solution $c/2modp$ in ${\mathbb{Z}}_p^{*}$. □

Each solvable congruence $x^2-cx+a\equiv 0modp$ is precisely defined by

1.

The odd prime integer p;

2.

$a\in {\mathbb{Z}}_p^{*}$, which is the product modulo p of the solutions in ${\mathbb{Z}}_p^{*}$;

3.

$c\in {\mathbb{Z}}_p$, which is the sum modulo p of the solutions in ${\mathbb{Z}}_p$.

Given p and a as above, we can count the solvable quadratic congruences (2) by counting the integers $c\in {\mathbb{Z}}_p$ for which the discriminant $\Delta$ is zero or in $Q{R}_p$. This, however, reduces to counting the pairs of solutions $(t,a{t}^{-1}modp)\in {\left({\mathbb{Z}}_p^{*}\right)}^2$ because $c=t+a{t}^{-1}modp$ (remark that $t\equiv a{t}^{-1}modp$ if and only if $a\in Q{R}_p$ and t is a square root of a modulo p).

Given an odd prime integer p, $a\in Q{R}_p$, and $s\in \{-,+\}$, define the set

$$\begin{array}{cc}\hfill Q{C}_{p,a}^s=\{c\in {\mathbb{Z}}_p& \mid x^2-cx+a\equiv 0modp\mathrm{is}\mathrm{solvable}\mathrm{and}\hfill \\ \hfill & \mathrm{all}\mathrm{its}\mathrm{solutions}\mathrm{have}\mathrm{the}\mathrm{Jacobi}\mathrm{symbol}s\}.\hfill \end{array}$$

We note that the sets $Q{C}_{p,a}^s$ make sense only in the case $a\in Q{R}_p$. If $a\in QN{R}_p$, then the solutions of the congruence (2), when solvable, have different Jacobi symbols.

Proposition 2.

Let p be an odd prime integer and $a\in Q{R}_p$. Then,

$$\left|\right|Q{C}_{p,a}^{+}|-\left|Q{C}_{p,a}^{-}\right||=\left\{\begin{array}{cc}1,\hfill & \mathit{if}p\equiv 1mod4\hfill \\ 0,\hfill & \mathit{otherwise}.\hfill \end{array}\right.$$

Proof. 

Let p and a be as in the statement of the proposition. The following facts are straightforward:

• a has two distinct roots in ${\mathbb{Z}}_p^{*}$.
• If $t\in {\mathbb{Z}}_p^{*}$ is not a root of a, then $a{t}^{-1}modp\in {\mathbb{Z}}_p^{*}\setminus \left\{t\right\}$. If $t\in {\mathbb{Z}}_p^{*}$ is a root of a, then $t\equiv a{t}^{-1}modp$.
• For any $t\in {\mathbb{Z}}_p^{*}$, t and $a{t}^{-1}modp$ have the same Jacobi symbol.
• If $t_1\in {\mathbb{Z}}_p^{*}$ and $t_2\in {\mathbb{Z}}_p^{*}\setminus \{t_1,a{t}_1^{-1}modp\}$, then $\{t_1,a{t}_1^{-1}modp\}$ and $\{t_2,a{t}_2^{-1}modp\}$ are disjoint sets.

Now, we consider the following two cases.

Case 1: $p\equiv 1mod4$. In this case, $(p-1)/2$ is even, and both roots of a are either in $Q{R}_p$ or in $QN{R}_p$.

Each $t\in {\mathbb{Z}}_p^{*}$ that is not a root of a defines, together with $a{t}^{-1}modp$, a unique congruence of type (2) whose roots are distinct and have the same Jacobi symbol. Each root $r\in {\mathbb{Z}}_p^{*}$ of a defines a unique congruence of type (2) whose roots are equal to r and have the same Jacobi symbol. Since both roots of a are either in $Q{R}_p$ or in $QN{R}_p$, one of the sets $Q{C}_{p,a}^{+}$ and $Q{C}_{p,a}^{-}$ will have $(p-1)/4+1$ elements while the other will have $(p-1)/4$ elements.

Case 2: $p\equiv 3mod4$. In this case, $(p-1)/2$ is odd, and the roots of a are one in $Q{R}_p$ and the other in $QN{R}_p$.

The reasoning follows as in Case 1, but with the difference that the roots of a exist as one in $Q{R}_p$ and one in $QN{R}_p$, so the sets $Q{C}_{p,a}^{+}$ and $Q{C}_{p,a}^{-}$ will have the same number of elements, which is $(p-3)/4+1$. □

A brief discussion on the complexity of computing the solutions of a quadratic congruence modulo a prime integer concludes the section.

Remark 1.

The calculation of solutions for the congruence (2) requires first to decide whether the discriminant Δ is a quadratic residue modulo p. This can be decided in polynomial time $\mathcal{O}\left({log}^{2}p\right)$ by computing the Jacobi symbol of Δ modulo p [15]. If $\Delta \in Q{R}_p$, its roots can be computed in polynomial time $\mathcal{O}({log}^{3}p+h(logh)\left({log}^{2}p\right))$, where $p-1=2^{h}m$ for some odd integer m [15]. This gives also the final complexity to compute the solutions.

3.2. Quadratic Congruences Modulo a Composite Integer

Solving quadratic congruences in which the modulus is a composite integer calls on the CRT and Hensel’s lifting lemma [13,14]. However, in what follows, we will only consider quadratic congruences (5) with an RSA modulus $n=pq$ and a free coefficient a co-prime with n.

$$x^2-cx+a\equiv 0modpq$$

(5)

Therefore, to solve these congruences, we will only need CRT. According to it, solving the congruence (5) reduces to combining the solutions of the congruences (6) and (7) using CRT.

$$\begin{array}{c}\hfill x^2-{\left(c\right)}_{p}x+{\left(a\right)}_p\equiv 0modp\end{array}$$

(6)

$$\begin{array}{c}\hfill x^2-{\left(c\right)}_{q}x+{\left(a\right)}_q\equiv 0modq\end{array}$$

(7)

As a result, if (6) and (7) are solvable, they may have each one or two solutions in ${\mathbb{Z}}_p^{*}$ and ${\mathbb{Z}}_q^{*}$, respectively, which implies that (5) may have one, two, or four solutions in ${\mathbb{Z}}_{pq}^{*}$. Thus, if $u\in {\mathbb{Z}}_p^{*}$ is a solution for (6) and $v\in {\mathbb{Z}}_q^{*}$ is a solution for (7), then the unique solution modulo $pq$ of the system

$$\left\{\begin{array}{c}x\equiv umodp\hfill \\ x\equiv vmodq\hfill \end{array}\right.$$

(8)

is a solution for (5). In addition, distinct pairs $(u,v)\in {\mathbb{Z}}_p^{*}\times {\mathbb{Z}}_q^{*}$ as above give rise to distinct solutions modulo $pq$ for (5), and all solutions modulo $pq$ for (5) are obtained in this way [13,14].

The system (8) has exactly one solution modulo $pq$, whose form is shown below.

Lemma 1.

Let p and q be two distinct odd prime integers, $u\in {\mathbb{Z}}_p$, and $v\in {\mathbb{Z}}_q$. Then, the unique solution modulo $pq$ for the system (8) has the form

$$x=(u{e}_1+v{e}_2)modpq,$$

(9)

where $e_1=(q^{-1}modp)q$ and $e_2=(p^{-1}modq)p$. Moreover,

$$\left({\displaystyle \frac{x}{p}}\right)=\left({\displaystyle \frac{u}{p}}\right),\left({\displaystyle \frac{x}{q}}\right)=\left({\displaystyle \frac{v}{q}}\right),\mathit{and}\left({\displaystyle \frac{x}{pq}}\right)=\left({\displaystyle \frac{u}{p}}\right)\left({\displaystyle \frac{v}{q}}\right).$$

(10)

Proof. 

The first part of this lemma simply follows from the CRT [13,14]. For the second part, remark that

$$e_1\equiv \left\{\begin{array}{c}1modp\hfill \\ 0modq\hfill \end{array}\right.$$

(11)

and

$$e_2\equiv \left\{\begin{array}{c}1modq\hfill \\ 0modp\hfill \end{array}\right.$$

(12)

Then, apply basic computation rules for the Jacobi symbol. □

To decide if a quadratic congruence has one, two, or four solutions, modulus factorization is not necessary.

Lemma 2.

Let $n=pq$ be an RSA modulus. If the congruence (5) is solvable, we can efficiently decide whether it has one, two, or four solutions in ${\mathbb{Z}}_n^{*}$ without knowing the factorization of n.

Proof. 

Let $\Delta =(c^2-4a)modn$. One can easily check that

• The congruence (5) has exactly one solution in ${\mathbb{Z}}_n^{*}$ when $\Delta =0$;
• The congruence (5) has exactly two solutions in ${\mathbb{Z}}_n^{*}$ when $\Delta \ne 0$ but $\left({\displaystyle \frac{\Delta }{n}}\right)=0$;
• The congruence (5) has exactly four solutions in ${\mathbb{Z}}_n^{*}$ when the first two cases are not met (remark that our hypothesis stipulates that the congruence is solvable).

The proof ends by observing that we can efficiently compute the Jacobi symbol without knowing the factorization of n. □

The following two propositions make beneficial connections between a’s residuosity and the Jacobi symbol of the solutions for (5).

Proposition 3.

Let $n=pq$ be an RSA modulus. Assume that the quadratic congruence (5) is solvable and $a\in {\mathbb{Z}}_n^{*}$. Then, $a\in Q{R}_n$ if and only if all solutions in ${\mathbb{Z}}_n^{*}$ for (5) have the same Jacobi symbol.

Proof. 

Assume (5) is solvable. Then, both (6) and (7) are solvable (each of them having one or two solutions in ${\mathbb{Z}}_p^{*}$ and ${\mathbb{Z}}_q^{*}$, respectively). So, (5) may have one, two, or four solutions in ${\mathbb{Z}}_n^{*}$.

According to Lemma 2, the solutions for (5) have the same Jacobi symbol if and only if each of the congruences (6) and (7) has solutions with the same Jacobi symbol (independently of each other). But this is equivalent to the fact that ${\left(a\right)}_p\in Q{R}_p$ and ${\left(a\right)}_q\in Q{R}_q$, which in turn is equivalent to $a\in Q{R}_n$. □

Proposition 4.

Let $n=pq$ be an RSA modulus. Assume that the quadratic congruence (5) is solvable and $a\in {\mathbb{Z}}_n^{*}$. Then,

1. 

$a\in QN{R}_n$ if and only if the congruence (5) has two or four non-congruent solutions in ${\mathbb{Z}}_n^{*}$, half of them having the Jacobi symbol $+1$ and the other half, $-1$.

2. 

$a\in J_n^{+}\setminus Q{R}_n$ if and only if the congruence (5) has four non-congruent solutions in ${\mathbb{Z}}_n^{*}$, distributed one by one in the four quadrants of ${\mathbb{Z}}_n^{*}$.

Proof. 

Assume (5) is solvable. Then, both (6) and (7) are solvable.

1. Assume that $a\in QN{R}_n$. Then, ${\left(a\right)}_p\in QN{R}_p$ or ${\left(a\right)}_q\in QN{R}_q$. Therefore, at least one of the two congruences (6) and (7) have two non-congruent solutions (in ${\mathbb{Z}}_p^{*}$ or ${\mathbb{Z}}_q^{*}$) of opposite Jacobi symbols (Proposition 1(1c)). The other congruence may have two solutions of opposite or the same Jacobi symbols, or it may have one solution (Proposition 1(2)). So, (5) has two or four solutions in ${\mathbb{Z}}_n^{*}$, having the distribution of Jacobi symbols as specified in the proposition.

Conversely, the hypothesis shows that at least one of the two congruences (6) and (7) has two non-congruent solutions of opposite Jacobi symbols. Suppose that this is the congruence (6). Then ${\left(a\right)}_p\in QN{R}_p$ (Proposition 1(1c)). As with respect to ${\left(a\right)}_q$, this may be in $Q{R}_q$ or $QN{R}_q$. As a result, $a\in QN{R}_n$.

Here, 2 is a special case of 1. The congruence (5) has four solutions in ${\mathbb{Z}}_n^{*}$ if and only if each of the congruences (6) and (7) has two solutions in ${\mathbb{Z}}_p^{*}$ and ${\mathbb{Z}}_q^{*}$, respectively. In addition, the four solutions are distributed one by one in the four quadrants of ${\mathbb{Z}}_n^{*}$ if and only if each of the congruences (6) and (7) has solutions with different Jacobi symbols (independently of each other). But this last fact is equivalent to ${\left(a\right)}_p\in QN{R}_p$ and ${\left(a\right)}_q\in QN{R}_q$, which in turn is equivalent to $a\in J_n^{+}\setminus Q{R}_n$. □

Let $n=pq$ be an RSA modulus, $a\in Q{R}_n$, and $s\in \{-,+\}$. Extending the notation from the previous section to RSA moduli, denote by $Q{C}_{n,a}^s$ the set

$$\begin{array}{cc}\hfill Q{C}_{n,a}^s=\{c\in {\mathbb{Z}}_n& \mid x^2-cx+a\equiv 0modn\mathrm{is}\mathrm{solvable}\mathrm{and}\hfill \\ \hfill & \mathrm{all}\mathrm{its}\mathrm{solutions}\mathrm{have}\mathrm{the}\mathrm{Jacobi}\mathrm{symbol}s\}.\hfill \end{array}$$

Proposition 5.

Let $n=pq$ be an RSA modulus and $a\in Q{R}_n$. Then,

$$\left|\right|Q{C}_{n,a}^{+}|-\left|Q{C}_{n,a}^{-}\right||\le 1.$$

Proof. 

Each pair of integers

$$(c_1,c_2)\in Q{C}_{p,{\left(a\right)}_p}^{+}\times Q{C}_{q,{\left(a\right)}_q}^{+}\cup Q{C}_{p,{\left(a\right)}_p}^{-}\times Q{C}_{q,{\left(a\right)}_q}^{-}$$

produces a unique integer $c\in Q{C}_{n,a}^{+}$, and each integer $c\in Q{C}_{n,a}^{+}$ comes from a single pair of integers $(c_1,c_2)$ as above (Lemma 1).

Likewise, each pair of integers

$$(c_1,c_2)\in Q{C}_{p,{\left(a\right)}_p}^{+}\times Q{C}_{q,{\left(a\right)}_q}^{-}\cup Q{C}_{p,{\left(a\right)}_p}^{-}\times Q{C}_{q,{\left(a\right)}_q}^{+}$$

produces a unique integer $c\in Q{C}_{n,a}^{-}$, and each integer $c\in Q{C}_{n,a}^{-}$ comes from a single pair of integers $(c_1,c_2)$ as above.

From Proposition 2, by a simple computation, we arrive at the proposition’s conclusion. For illustration, let us consider just one case. Let $|Q{C}_{p,{\left(a\right)}_p}^{+}|=\alpha$, $|Q{C}_{p,{\left(a\right)}_p}^{-}|=\alpha -1$, $|Q{C}_{q,{\left(a\right)}_q}^{+}|=\beta$, and $|Q{C}_{q,{\left(a\right)}_q}^{-}|=\beta -1$. Then,

$$\begin{array}{ccc}|Q{C}_{n,a}^{+}|\hfill & =& \left|Q{C}_{p,{\left(a\right)}_p}^{+}\right|·\left|Q{C}_{q,{\left(a\right)}_q}^{+}\right|+\left|Q{C}_{p,{\left(a\right)}_p}^{-}\right|·\left|Q{C}_{q,{\left(a\right)}_q}^{-}\right|\hfill \\ & =& \alpha \beta +(\alpha -1)(\beta -1)\hfill \\ & =& 2\alpha \beta -\alpha -\beta +1\hfill \end{array}$$

and

$$\begin{array}{ccc}|Q{C}_{n,a}^{-}|\hfill & =& |Q{C}_{p,{\left(a\right)}_p}^{+}|·|Q{C}_{q,{\left(a\right)}_q}^{-}|+|Q{C}_{p,{\left(a\right)}_p}^{-}|·|Q{C}_{q,{\left(a\right)}_q}^{+}|\hfill \\ & =& \alpha (\beta -1)+(\alpha -1)\beta \hfill \\ & =& 2\alpha \beta -\alpha -\beta \hfill \end{array}$$

Therefore, $|Q{C}_{n,a}^{+}|=|Q{C}_{n,a}^{-}|+1$. □

A brief discussion on computing the solutions for a quadratic congruence modulo an RSA integer concludes the section.

Remark 2.

The calculation of solutions for the congruence (5) requires the factorization of $n=pq$. If it can be done in polynomial time, then the solutions can be computed in polynomial time (we compute the solutions for (6) and (7) and then combine them with the CRT). However, factorization of large RSA moduli is a hard problem and no other method that avoids it is known to compute solutions for (5).

4. The Jacobi Symbol Problem for Quadratic Congruences

The Jacobi symbol problem for quadratic congruences, abbreviated $JSP\left(QC\right)$, is the problem to compute the Jacobi symbol of the solutions to a solvable quadratic congruence whose free coefficient is a quadratic residue with respect to an RSA modulus. $JSP\left(QC\right)$ appears to be a hard problem in the sense that no PPT algorithm can solve it with non-negligible probability.

We formalize below $JSP\left(QC\right)$ as a distinguishing problem between two probability distributions. Let $RSA\_Gen$ be an RSA moduli generator, that is, on some input $\lambda$, it outputs $(n,p,q)$, where p and q are two odd distinct primes of the same size $\lambda$ and $n=pq$. In what follows, we will simply write $n\leftarrow RSA\_Gen\left(\lambda \right)$ instead of $(n,p,q)\leftarrow RSA\_Gen\left(\lambda \right)$, whenever it is not necessary to emphasize the factorization of n.

We define now four families of probability distributions ${\mathcal{QC}}^s={\left({\mathcal{QC}}_{\lambda }^s\right)}_{\lambda }$ and ${\mathcal{QNC}}^s={\left({\mathcal{QNC}}_{\lambda }^s\right)}_{\lambda }$, where $s\in \{-,+\}$, as follows:

$$\begin{array}{cc}\hfill {\mathcal{QC}}_{\lambda }^s& =\{(n,a,c)\mid n\leftarrow RSA\_Gen\left(\lambda \right),a\leftarrow Q{R}_n,t\leftarrow J_n^s,c=t+a{t}^{-1}modn\}\hfill \\ \hfill {\mathcal{QNC}}_{\lambda }^s& =\{(n,a,c)\mid n\leftarrow RSA\_Gen\left(\lambda \right),a\leftarrow J_n^{+}\setminus Q{R}_n,t\leftarrow J_n^s,c=t+a{t}^{-1}modn\}\hfill \end{array}$$

We may say that ${\mathcal{QC}}_{\lambda }^s$ is the probability distribution of solvable quadratic congruences (5) whose solutions have the same Jacobi symbol s (see also Proposition 3). So, $JSP\left(QC\right)$ is the problem to distinguish between ${\mathcal{QC}}^{+}$ and ${\mathcal{QC}}^{-}$.

The probability distributions ${\mathcal{QNC}}_{\lambda }^{+}$ and ${\mathcal{QNC}}_{\lambda }^{-}$ will be technically necessary. According to Proposition 4, they are identical.

4.1. $JSP\left(QC\right)$ and $QRP$

We prove here that the quadratic residuosity problem reduces to $JSP\left(QC\right)$.

Let $RSA\_Gen$ be an RSA moduli generator. This generator gives rise to two probability distributions $\mathcal{QR}={\left({\mathcal{QR}}_{\lambda }\right)}_{\lambda }$ and $\mathcal{QNR}={\left({\mathcal{QNR}}_{\lambda }\right)}_{\lambda }$ of quadratic residues and non-residues, as follows:

$$\begin{array}{cc}\hfill {\mathcal{QR}}_{\lambda }& =\{(n,a)\mid n\leftarrow RSA\_Gen\left(\lambda \right),a\leftarrow Q{R}_n\}\hfill \\ \hfill {\mathcal{QNR}}_{\lambda }& =\{(n,a)\mid n\leftarrow RSA\_Gen\left(\lambda \right),a\leftarrow J_n^{+}\setminus Q{R}_n\}\hfill \end{array}$$

The quadratic residuosity problem $\left(QRP\right)$ is the problem to distinguish between $\mathcal{QR}$ and $\mathcal{QNR}$ [18]. This is considered a hard problem. More precisely, the following assumption is adopted.

Definition 1.

We say that the quadratic residuosity assumption ($QRA$) holds for a generator $RSA\_Gen$ if the distributions $\mathcal{QR}$ and $\mathcal{QNR}$, defined by means of $RSA\_Gen$, are computationally indistinguishable.

The following result shows that $JSP\left(QC\right)$ is harder than $QRP$.

Theorem 1.

$QRP⪯JSP\left(QC\right)$.

Proof. 

Assume that $QRA$ holds for a generator $RSA\_Gen$. Then, the following relationships hold:

$$\begin{array}{ccc}{\mathcal{QC}}_{\lambda }^{+}\hfill & =& \{(n,a,c)\mid n\leftarrow RSA\_Gen\left(\lambda \right),a\leftarrow Q{R}_n,t\leftarrow J_n^{+},c=t+a{t}^{-1}modn\}\hfill \\ & \stackrel{c}{\approx }& \{(n,a,c)\mid n\leftarrow RSA\_Gen\left(\lambda \right),a\leftarrow J_n^{+}\setminus Q{R}_n,t\leftarrow J_n^{+},c=t+a{t}^{-1}modn\}\hfill \\ & =& {\mathcal{QNC}}_{\lambda }^{+}\hfill \\ & \equiv & {\mathcal{QNC}}_{\lambda }^{-}\hfill \\ & =& \{(n,a,c)\mid n\leftarrow RSA\_Gen\left(\lambda \right),a\leftarrow J_n^{+}\setminus Q{R}_n,t\leftarrow J_n^{-},c=t+a{t}^{-1}modn\}\hfill \\ & \stackrel{c}{\approx }& \{(n,a,c)\mid n\leftarrow RSA\_Gen\left(\lambda \right),a\leftarrow Q{R}_n,t\leftarrow J_n^{-},c=t+a{t}^{-1}modn\}\hfill \\ & =& {\mathcal{QC}}_{\lambda }^{-}\hfill \end{array}$$

So, ${\mathcal{QC}}^{+}$ and ${\mathcal{QC}}^{-}$ are computationally indistinguishable. □

Whether $JSP\left(QC\right)$ is strictly harder than $QRP$ remains an open question. However, we conjecture that this question has a positive answer.

4.2. $JSP\left(QC\right)$ and Cocks’ PKE Scheme

In the following, we will connect $JSP\left(QC\right)$ and the $IND\text{-}CPA$ security of Cocks’ PKE (CPKE) scheme [6]. The CPKE scheme encrypts bits in $\{-1,+1\}$. It uses quadratic residues as public keys, while their roots are the secret keys. Its correctness follows easily from the congruence $c+2r\equiv t{(1+r{t}^{-1})}^{2}modn$ (please see the scheme for the meaning of the parameters).

Cryptographic scheme 1: Cocks’ PKE scheme

A straightforward analysis of the scheme shows that its $IND\text{-}CPA$ security is equivalent to the indistinguishability of the distributions ${\mathcal{QC}}^{+}$ and ${\mathcal{QC}}^{-}$.

Theorem 2.

$JSP\left(QC\right)\sim IND\text{-}CPA\left(CPKE\right)$.

4.3. $JSP\left(QC\right)$ and Cocks’ IBE Scheme

Cocks’ IBE (CIBE) scheme [6] has a setup phase where an RSA modulus n, a random integer $e\in J_n^{+}\setminus Q{R}_n$, and a hash function h are published. The function h returns elements in $J_n^{+}$, whenever it is applied to identities. As $a=h\left(ID\right)$ is either a quadratic residue or an element in $J_n^{+}\setminus Q{R}_n$, exactly one of a and $ea$ is a quadratic residue. So, the CIBE scheme encrypts as CPKE does, but with both “public keys”, a and $ea$.

Cryptographic scheme 2: Cocks’ IBE scheme

A simple analysis of the CIBE scheme shows that its $IND\text{-}ID\text{-}CPA$ security is equivalent to the indistinguishability of the distributions ${\mathcal{CIBE}}^{+}={\left({\mathcal{CIBE}}_{\lambda }^{+}\right)}_{\lambda }$ and ${\mathcal{CIBE}}^{-}={\left({\mathcal{CIBE}}_{\lambda }^{-}\right)}_{\lambda }$ given by

$$\begin{array}{c}\hfill {\mathcal{CIBE}}_{\lambda }^s=\{(n,e,a,c_1,c_2)\mid n\leftarrow RSA\_Gen(\lambda ,e\leftarrow J_n^{+}\setminus Q{R}_n,a\leftarrow J_n^{+},\\ \hfill t_1,t_2\leftarrow J_n^s,c_1=t_1+a{t}_1^{-1}modn,c_2=t_2+ua{t}_2^{-1}modn\},\end{array}$$

(13)

where $s\in \{-,+\}$, by adversaries that are allowed to query the hash function and the private key generator.

Now, we are ready to prove the following theorem.

Theorem 3.

$IND\text{-}ID\text{-}CPA\left(CIBE\right)⪯JSP\left(QC\right)$. Under the assumption that the hash function in $CIBE$ is implemented as a random oracle, the converse reduction also holds.

Proof. 

First, assume that $JSP\left(QC\right)$ is easy and prove that $IND\text{-}ID\text{-}CPA\left(CIBE\right)$ is easy. As $QRP⪯JSP\left(QC\right)$, the hypothesis shows that QRP is easy. So, there exists an adversary $\mathcal{A}$ that has a non-negligible advantage against $QRP$ and an adversary $\mathcal{B}$ that has a non-negligible advantage against $JSP\left(QC\right)$.

Define a distinguisher $\mathcal{D}$ that on an $IND\text{-}ID\text{-}CPA\left(CIBE\right)$ instance $(n,e,a,c_1,c_2)$, where $n\leftarrow RSA\_Gen\left(\lambda \right)$ for some $\lambda$, does as follows:

1.

Run $\mathcal{A}$ to decide with non-negligible probability whether a or $ea$ is a quadratic residue;

2.

Run $\mathcal{B}$ on $(n,a,c_1)$ if the answer of $\mathcal{A}$ is 1 (that is, a is a quadratic residue), and on $(n,ea,c_2)$, otherwise;

3.

$\mathcal{D}$ outputs what $\mathcal{B}$ outputs.

Remark that $\mathcal{D}$ does not need to query any oracle for h or private key generation. Clearly, $\mathcal{D}$ has a non-negligible advantage to distinguish from which of the two distributions ${\mathcal{CIBE}}_{\lambda }^{+}$ or ${\mathcal{CIBE}}_{\lambda }^{-}$ the instance $(n,e,a,c_1,c_2)$ comes. So, $IND\text{-}ID\text{-}CPA\left(CIBE\right)$ is easy.

Vice versa, assume that $IND\text{-}ID\text{-}CPA\left(CIBE\right)$ is easy and let $\mathcal{A}$ be an adversary that has non-negligible advantage against it. Moreover, assume that the hash function used to compute public keys from identities is a random oracle.

Let $(n,a,c)$ be a $JSP\left(QC\right)$ instance, where $n\leftarrow RSA\_Gen\left(\lambda \right)$ for some $\lambda$. Recall that $a\in Q{R}_n$. Define a distinguisher $\mathcal{B}$ that on $(n,a,c)$ does as follows:

1.

$e\leftarrow J_n^{+}$;

2.

$\overline{t}\leftarrow {\mathbb{Z}}_n^{*}$;

3.

Compute $\overline{c}=\overline{t}+ea{\overline{t}}^{-1}modn$;

4.

Run $\mathcal{A}$ on $(n,e,a,c,\overline{c})$, simulating for it a random oracle for hash function h and an oracle for private key calculation as follows:

• When $\mathcal{A}$ queries h on the identity $ID$ for the first time, $\mathcal{B}$ randomly generates $v\leftarrow J_n^{+}$ and a bit $b\leftarrow \{0,1\}$, returns $h\left(ID\right)=e^b{v}^{2}modn$ to $\mathcal{A}$ and also stores $(ID,v,b)$ in its internal database.
  For any other $ID$ query, $\mathcal{B}$ will return the same value.
• When $\mathcal{A}$ queries a private key for the identity $ID$ and $(ID,v,b)$ is in its database for some v and b, $\mathcal{B}$ will return v, if $b=0$, and $ev$, otherwise.
  If the $ID$ private key query occurs for the first time, $\mathcal{B}$ first computes $h\left(ID\right)$ as above and then answers the private key query.

It is quite clear that h implemented in this way is a random oracle.

5.

$\mathcal{B}$ returns what $\mathcal{A}$ returns.

Two cases are to be analyzed.

Case 1: $e\in J_n^{+}\setminus Q{R}_n$. Then, $\mathcal{B}$ has the same probability $\mathcal{A}$ has to guess the Jacobi symbol of the solutions.

Case 2: $e\in Q{R}_n$. Then, $\mathcal{B}$ has the probability 1/2 to guess the Jacobi symbol of the solutions because each of them is equally probable.

Therefore,

$$\begin{array}{ccc}Ad{v}_{\mathcal{B},{\mathcal{QC}}^{+},{\mathcal{QC}}^{-}}\left(\lambda \right)\hfill & =& 2\left|P(s\leftarrow \mathcal{B}\left({\mathcal{QC}}_{\lambda }^s\right)\mid s\leftarrow \{-,+\})-{\displaystyle \frac{1}{2}}\right|\hfill \\ & =& 2|P(s\leftarrow \mathcal{B}\left({\mathcal{QC}}_{\lambda }^s\right)| s\leftarrow \{-,+\},\mathrm{Case}\text{\_}1)P\left(\mathrm{Case}\text{\_}1\right)\hfill \\ & & +P(s\leftarrow \mathcal{B}\left({\mathcal{QC}}_{\lambda }^s\right)| s\leftarrow \{-,+\},\mathrm{Case}\text{\_}2)P\left(\mathrm{Case}\text{\_}2\right)-{\displaystyle \frac{1}{2}}|\hfill \\ & =& 2\left|{\displaystyle \frac{1}{2}}P(s\leftarrow \mathcal{A}\left({\mathcal{CIBE}}_{\lambda }^s\right)\mid s\leftarrow \{-,+\})+{\displaystyle \frac{1}{2}}·{\displaystyle \frac{1}{2}}-{\displaystyle \frac{1}{2}}\right|\hfill \\ & =& \left|P(s\leftarrow \mathcal{A}\left({\mathcal{CIBE}}_{\lambda }^s\right)\mid s\leftarrow \{-,+\})-{\displaystyle \frac{1}{2}}\right|\hfill \\ & =& {\displaystyle \frac{1}{2}}Ad{v}_{\mathcal{A},{\mathcal{CIBE}}^{+},{\mathcal{CIBE}}^{-}}\left(\lambda \right).\hfill \end{array}$$

So, $\mathcal{B}$ has a non-negligible advantage against $JSP\left(QC\right)$, showing that this problem is easy. □

5. The Jacobi Symbol Problem for Square Roots

We specialize the results from the previous section to square roots of $a\in Q{R}_n$ or, equivalently, solutions to the congruence

$$x^2-a\equiv 0modn$$

(14)

But for that, we need a little discussion on the integer −1.

Remark 3.

It is well-known that, given an odd prime p, $-1\in Q{R}_p$ if and only if $p\equiv 1mod4$ [14]. Based on this, the following equivalences can easily be established:

1. 

For any odd integer $n>2$, $-1\in Q{R}_n$ if and only if $p\equiv 1mod4$, for any prime factor p of n. Therefore, if at least one prime factor of n is congruent to 3 modulo 4, $-1$ is not a quadratic residue modulo n.

2. 

For any RSA modulus $n=pq$, $-1\in J_n^{+}\setminus Q{R}_n$ if and only if $p,q\equiv 3mod4$.

RSA moduli $n=pq$ with the property $p,q\equiv 3mod4$ are called Blum integers [19,20]. To have appropriate terminology for the opposite case, we refer to the RSA moduli $n=pq$ with $p,q\equiv 1mod4$, as anti-Blum integers.

Remark 4.

Let $n=pq$ be an RSA modulus and $a\in Q{R}_n$. Then, from Remark 3 we obtain the following properties:

1. 

$-a\in Q{R}_n$ if and only if n is an anti-Blum integer;

2. 

$-a\in J_n^{+}\setminus Q{R}_n$ if and only if n is a Blum integer.

Now, from Propositions 3 and 4 and Remark 4 we obtain the following result.

Corollary 1.

Let $n=pq$ be an RSA modulus and $a\in Q{R}_n$.

1. 

All four roots of a modulo n have the same Jacobi symbol if and only if n is an anti-Blum integer.

2. 

The four roots of a modulo n are distributed one by one in the four quadrants of ${\mathbb{Z}}_n^{*}$ if and only if n is a Blum integer.

Given n an anti-Blum integer and $s\in \{-,+\}$, define the following set of quadratic residues modulo n:

$$Q{R}_n^s=\{a\in Q{R}_n|(\exists t\in J_n^s)(a\equiv t^{2}modn)\}.$$

As n is an anti-Blum integer, all roots of $a\in Q{R}_n^s$ have the same Jacobi symbol s.

Proposition 6.

Let n be an anti-Blum integer. Then, the following properties hold:

1. 

If $a,b\in Q{R}_n^{+}$ or $a,b\in Q{R}_n^{-}$, then ${\left(ab\right)}_n\in Q{R}_n^{+}$;

2. 

If $a\in Q{R}_n^{+}$ and $b\in Q{R}_n^{-}$, then ${\left(ab\right)}_n\in Q{R}_n^{-}$;

3. 

If $a\in Q{R}_n^s$, then ${\left(a^{-1}\right)}_n\in Q{R}_n^s$, for any $s\in \{-,+\}$;

4. 

$Q{R}_n^{+}$ and $Q{R}_n^{-}$ are disjoint, have the same cardinality, and their union is $Q{R}_n$.

Proof. 

Here, 1 and 2 follow easily from the definition of the sets $Q{R}_n^{+}$ and $Q{R}_n^{-}$.

3. Let $s\in \{-,+\}$ and $a\in Q{R}_n^s$. If $t\in J_n^s$ is a root of a modulo n, ${\left(t^{-1}\right)}_n$ is a root of $a^{-1}$ modulo n. Moreover, $\left({\displaystyle \frac{t^{-1}}{n}}\right)=\left({\displaystyle \frac{t}{n}}\right)=s$. So, ${\left(a^{-1}\right)}_n\in Q{R}_n^s$.

4. Directly from the definition follows that $Q{R}_n^{+}$ and $Q{R}_n^{-}$ are disjoint, and their union is $Q{R}_n$. To prove that they have the same cardinality, remark that $|J_n^{+}|=|J_n^{-}|$ and exactly four integers from $J_n^s$ define a distinguished integer in $Q{R}_n^s$, for any $s\in \{-,+\}$. □

Given $b\in {\mathbb{Z}}_n^{*}$ and $s\in \{-,+\}$, define the set $b·Q{R}_n^s$ by

$$b·Q{R}_n^s=\left\{{\left(ba\right)}_n\right|a\in Q{R}_n^s\}.$$

Proposition 7.

Let n be an anti-Blum integer. Then, the following properties hold:

1. 

The sets $b·Q{R}_n^{+}$ and $b·Q{R}_n^{-}$ are disjoint and have the same cardinality, and their union is $J_n^{+}\setminus Q{R}_n$, for any $b\in J_n^{+}\setminus Q{R}_n$.

2. 

$b_1·Q{R}_n^s=b_2·Q{R}_n^s$, for any $b_1,b_2\in J_n^{+}\setminus Q{R}_n$ with ${\left(b_1{b}_2\right)}_n\in Q{R}_n^{+}$ and any $s\in \{-,+\}$.

3. 

$b_1·Q{R}_n^{+}=b_2·Q{R}_n^{-}$, for any $b_1,b_2\in J_n^{+}\setminus Q{R}_n$ with ${\left(b_1{b}_2\right)}_n\in Q{R}_n^{-}$.

Proof. 

1. It is trivial to check that the two sets are disjoint and their union is $J_n^{+}\setminus Q{R}_n$, for any $b\in J_n^{+}\setminus Q{R}_n$. It is also immediately verified that $|b·Q{R}_n^s|=|Q{R}_n^s|$, for any $s\in \{-,+\}$. As $|Q{R}_n^{+}|=|Q{R}_n^{-}|$ (Proposition 6(4)), it follows that $|b·Q{R}_n^{+}|=|b·Q{R}_n^{-}|$.

2. Let $b_1,b_2\in J_n^{+}\setminus Q{R}_n$ with ${\left(b_1{b}_2\right)}_n\in Q{R}_n^{+}$ and $s\in \{-,+\}$. We show that for any $a_1\in Q{R}_n^s$ there exists $a_2\in Q{R}_n^s$ such that $b_1{a}_1\equiv b_2{a}_{2}modn$. This will prove that $b_1·Q{R}_n^s\subseteq b_2·Q{R}_n^s$, and the converse inclusion would follow a similar proof line.

Indeed, if we take $a_2=b_1{b}_2^{-1}{a}_{1}modn$ we obtain $b_1{a}_1\equiv b_2{a}_{2}modn$. Therefore, we only need to prove that $a_2\in Q{R}_n^s$. But that comes down to showing that ${\left(b_1{b}_2^{-1}\right)}_n\in Q{R}_n^{+}$. The congruence

$$b_1{b}_2^{-1}\equiv b_1{b}_2{\left(b_2^{-1}\right)}^{2}modn$$

shows that $t{b}_2^{-1}modn$ is a root of $b_1{b}_2^{-1}$ modulo n, for any root t of $b_1{b}_2$ modulo n. As

$$\left({\displaystyle \frac{t{b}_2^{-1}}{n}}\right)=\left({\displaystyle \frac{t}{n}}\right)\left({\displaystyle \frac{b_2^{-1}}{n}}\right)=1·1=1,$$

it follows that ${\left(b_1{b}_2^{-1}\right)}_n\in Q{R}_n^{+}$.

3. The proof is similar to that in item 2, except that this time we will prove that ${\left(b_1{b}_2^{-1}\right)}_n\in Q{R}_n^{-}$. □

Example 1.

Let $p=5$ and $q=13$. Then, $n=65$ is an anti-Blum integer. The set $Q{R}_n$ has 12 integers, distributed as follows:

$$\begin{array}{ccc}Q{R}_n^{+}\hfill & =& \{1,4,16,49,61,64\}\hfill \\ Q{R}_n^{-}\hfill & =& \{9,14,29,36,51,56\}\hfill \end{array}$$

If we take $b_1=7\in J_n^{+}\setminus Q{R}_n$, we obtain

$$\begin{array}{ccc}7·Q{R}_n^{+}\hfill & =& \{7,18,28,37,47,58\}\hfill \\ 7·Q{R}_n^{-}\hfill & =& \{2,8,32,33,57,63\}\hfill \end{array}$$

As $b_2=8\in J_n^{+}\setminus Q{R}_n$ and ${\left(b_1{b}_2\right)}_n\in Q{R}_n^{-}$, $8·Q{R}_n^{+}=7·Q{R}_n^{-}$ and $8·Q{R}_n^{-}=7·Q{R}_n^{+}$.

Given n an anti-Blum integer, the set $J_n^{+}$ is partitioned into four equally sized subsets as shown in Figure 1. The subsets $b·Q{R}_n^{+}$ and $b·Q{R}_n^{-}$ can change each other depending on b and the source from where they come ($Q{R}_n^{+}$ or $Q{R}_n^{-}$), but not as content (Proposition 7(3)).

We now introduce the Jacobi symbol problem for square roots, abbreviated $JSP\left(SR\right)$, as the problem to compute the Jacobi symbol of the square roots of a quadratic residue modulo an anti-Blum integer. The problem can be formalized as a distinguishing problem between two probability distributions.

Let $aBlum\_Gen$ be an anti-Blum integer generator. Define two families of probability distributions ${\mathcal{QR}}^s={\left({\mathcal{QR}}_{\lambda }^s\right)}_{\lambda }$, where $s\in \{-,+\}$, as follows:

$$\begin{array}{cc}\hfill {\mathcal{QR}}_{\lambda }^s& =\{(n,a)\mid n\leftarrow aBlum\_Gen\left(\lambda \right),a\leftarrow Q{R}_n^s\}\hfill \end{array}$$

So, $JSP\left(SR\right)$ is the problem to distinguish between ${\mathcal{QR}}^{+}$ and ${\mathcal{QR}}^{-}$.

It is believed that $QRP$ is hard even for Blum integers. There is no argument that $QRP$ would be easy for anti-Blum integers. As a result, we will postulate that this sub-problem of $QRP$, abbreviated $aBQRP$, is also hard. Similar assumptions to $QRA$ (Definition 1) can be formulated for Blum and anti-Blum generators.

The partition $J_n^{+}$ in Figure 1 allows us to refine the problem of distinguishing between quadratic residues and non-residues depending on the Jacobi symbol of the roots.

Let $\mathfrak{b}={\left(b_n\right)}_n$ be a sequence of integers with the property $b_n\in J_n^{+}\setminus Q{R}_n$, whenever n is an anti-Blum integer. Define another two families of probability distributions $\mathfrak{b}·{\mathcal{QR}}^s={(\mathfrak{b}·{\mathcal{QR}}_{\lambda }^s)}_{\lambda }$, where $s\in \{-,+\}$, as follows:

$$\begin{array}{cc}\hfill \mathfrak{b}·{\mathcal{QR}}_{\lambda }^s& =\{(n,{\left(b_{n}a\right)}_n)\mid n\leftarrow aBlum\_Gen\left(\lambda \right),a\leftarrow Q{R}_n^s\}.\hfill \end{array}$$

Then, the following results follow immediately.

Proposition 8.

Let $\mathfrak{b}={\left(b_n\right)}_n$ be a sequence of integers as above and $s,s^{\prime }\in \{-,+\}$. Then, the following properties hold:

1. 

${\mathcal{QR}}^{+}\stackrel{c}{\approx }{\mathcal{QR}}^{-}$ if and only if $\mathfrak{b}·{\mathcal{QR}}^{+}\stackrel{c}{\approx }\mathfrak{b}·{\mathcal{QR}}^{-}$;

2. 

If ${\mathcal{QR}}^s\stackrel{c}{\approx }\mathfrak{b}·{\mathcal{QR}}^{s^{\prime }}$ then $\mathcal{QR}\stackrel{c}{\approx }\mathcal{QNR}$.

We believe that the converse of Proposition 8(2) also holds.

6. Conclusions

Establishing a bidirectional reduction (equivalence) between the security of a cryptographic scheme and a computational problem is crucial. Such a reduction shows that breaking the scheme is equivalent to solving the underlying problem. Therefore, either the cryptographic scheme is secure or a major breakthrough has been achieved in solving a well-studied computational problem with deep implications beyond cryptography.

The quadratic residuosity problem ($QRP$) is considered hard and is crucial in cryptography. It is well known that the $IND\text{-}CPA$ security of Cocks’ public-key and identity-based cryptosystems is as hard as $QRP$. However, it is not known whether $QRP$ is equivalent to the $IND\text{-}CPA$ security of the two cryptosystems.

In this paper, we have introduced the Jacobi symbol problem for quadratic congruences ($JSP\left(QC\right)$) and shown that it is at least as hard as $QRP$. We have also proved that the $IND\text{-}CPA$ security of the two cryptosystems mentioned above is equivalent to $JSP\left(QC\right)$.

If $QRP$ and $JSP\left(QC\right)$ were equivalent, we would have a positive answer to the open problem mentioned above. We conjectured that $JSP\left(QC\right)$ is much harder than $QRP$. Regardless of the truth of this conjecture, we highlighted a computational problem equivalent to the $IND\text{-}CPA$ security of the cryptosystems mentioned above. This equivalence entails the benefits discussed in Section 1 of the paper.

We believe that either answer to the proposed conjecture contributes to the understanding of quadratic residuosity, both from a mathematical point of view and from its cryptographic applications.

Specializing $JSP\left(QC\right)$ to congruences $x^2-a\equiv 0modn$, where n is an anti-Blum integer and a is a quadratic residue, we obtain the Jacobi symbol problem for quadratic residues ($JSP\left(QR\right)$). $Q{R}_n$ is then partitioned into two subsets of quadratic residues whose roots have the Jacobi symbol $+1$ ($Q{R}_n^{+}$) and quadratic residues whose roots have the Jacobi symbol $-1$ ($Q{R}_n^{-}$). This partition induces a corresponding partition on $J_n^{+}\setminus Q{R}_n$. $QRP$ can then be nuanced, taking into account the Jacobi symbol of the roots.