## Almost Uniform Density of Power Residues and the Provable Security of ESIGN (2003)

Citations: 14 (0 self)

### BibTeX

@MISC{Okamoto03almostuniform,

author = {Tatsuaki Okamoto and Jacques Stern},

title = {Almost Uniform Density of Power Residues and the Provable Security of ESIGN},

year = {2003}

}

### Abstract

ESIGN is an efficient signature scheme that has been proposed in the early nineties (see [14]). Recently, an effort was made to lay ESIGN on firm foundations, using the methodology of provable security. A security proof [15] in the random oracle model, along the lines of [2], appeared in support for ESIGN. However, several unexpected difficulties were found. Firstly, it was observed in [20], that the proof from [15] holds in a more restricted model of security than claimed. Even if it is quite easy to restore the usual security level, as suggested in [9], this shows that the methodology of security proofs is more subtle than it at first appears. Secondly, it was found that the proof needs the additional assumption that e is prime to φ(n), thus excluding the case where e is a small power of two, a very attractive parameter choice. The difficulty here lies in the simulation of the random oracle, since it relies on the distribution of e-th powers, which is not completely understood from a mathematical point of view, at least when e is not prime to φ(n). In this paper, we prove that the set of e-th power modulo an RSA modulus n, which is a product of two equal size integers p, q, is almost uniformly distributed on any large enough interval. This property allows to complete the security proof of ESIGN. We actually offer two proofs of our result: one is based on two-dimensional lattice reduction, and the other uses Dirichlet characters. Besides yielding better bounds, the latter is one new example of the use of analytic number theory in cryptography.