
4.5 Additional Properties

4.5.2 Selective Convertibility

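We show here how a signer with an expert group knowledge of $\mathrm{Xgroup}$ with the set $S_1 = \{\mathrm{Xkey}_1, \dots, \mathrm{Xkey}_{\mathrm{Lkey}}\}$ can convert a given MOVA signature into a universally verifiable signature. From a valid message-signature pair $(m, \sigma)$ with $\sigma = (\mathrm{Ysig}_1, \dots, \mathrm{Ysig}_{\mathrm{Lsig}})$, the signer finds some coefficients $r_i \in \mathrm{Xgroup}$ and $a_{i,j} \in \mathbb{Z}_d$ for $i = 1, \dots, \mathrm{Lsig}$, $j = 1, \dots, \mathrm{Lkey}$ such that

$$\mathrm{Xsig}_i = d\,r_i + \sum_{j=1}^{\mathrm{Lkey}} a_{i,j}\,\mathrm{Xkey}_j \quad \text{for } i = 1, \dots, \mathrm{Lsig}. \tag{4.13}$$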

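The converted signature is $\sigma_{\mathrm{conv}} := (\sigma, r_i\text{'s}, a_{i,j}\text{'s})$. The verification of the converted pair $(m, \sigma_{\mathrm{conv}})$ consists in retrieving the $\mathrm{Xsig}_i$'s from $m$ and verifying Equation (4.13) and the following equation

$$\mathrm{Ysig}_i = \sum_{j=1}^{\mathrm{Lkey}} a_{i,j}\,\mathrm{Ykey}_j \quad \text{for } i = 1, \dots, \mathrm{Lsig}.$$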

Note that this holds if and only if σ is a valid MOVA signature. Although the conversion may be useful in some applications, the major drawback is that the converted signature is usually quite large. Moreover, the advantage of this method compared to signing the message m with another universally verifiable signature is not clear at all. In other words, the link between the converted signature and the regular MOVA signature does not seem to be crucial. In general, converting a signature is performed to allow the recipient to verify the authenticity of the message without the help of the signer.

Chapter 5: Characters on $\mathbb{Z}_n^*$ and Applications to MOVA

Group characters on $\mathbb{Z}_n^*$ played a central role in the development of the MOVA scheme since the first variant of the scheme [109] was based on this sole concept. They are typical examples of homomorphisms with a very small range, which makes it possible to produce MOVA signatures of essentially any size depending on a security parameter. Thereby, they perfectly illustrate the full scalability of MOVA signatures. In this chapter, we focus on characters of order 2, 3, 4 which arise naturally from the theory of quadratic, cubic, and biquadratic residuosity, respectively. So, characters of small order defined on $\mathbb{Z}_n^*$ can be seen as a natural generalization of the Legendre symbol and related problems generalize the quadratic residuosity problem.

We also want to mention that characters were already used in public-key cryptography for the design of algorithms as well as a useful tool in security proofs. Namely, the former is illustrated by the design of public-key cryptosystems due to Scheidler and Williams [135, 136]. The latter is a recent result due to Okamoto and Stern [120] who used the theory of characters to complete the security proof of the signature scheme ESIGN [117].

This chapter mainly deals with the theoretical aspects of characters and their implications for the MOVA scheme. After an introduction of the theoretical background, we show how to select characters which are particularly relevant for MOVA instantiations. Related computational problems are presented in the subsequent section as well as a treatment of the reductions (we could exhibit) between one another. Then, as a matter of rather purely theoretical interest, we focus on a special variant which does not make use of prime numbers. Finally, we examine the concept of expert group knowledge in this setting, clarifying how to use Setup Variants 3 and 4 with these MOVA instantiations.


5.1 Characters on $\mathbb{Z}_n^*$

In this section, we introduce the notion of multiplicative characters. Although characters can be defined on any group, we concentrate here on $\mathbb{Z}_n^*$. Namely, characters based on another kind of group will not be considered for MOVA instantiations. In particular, our treatment will focus on the characters of order 2, 3, and 4. Most of the material developed in this section is taken from the book of Ireland and Rosen [79] and that of Nathanson [114].

Definition 5.1.1. Let $G$ be a finite Abelian group. A character $\chi$ on $G$ is a group homomorphism from $G$ to $(\mathbb{C}\setminus\{0\}, \cdot)$, i.e., a map $\chi : G \to \mathbb{C}\setminus\{0\}$ satisfying

$$\chi(a + b) = \chi(a)\chi(b) \quad \text{for any } a, b \in G.$$

From the definition of a character, we can quickly deduce that $\chi(1) = 1$ and that the value $\chi(a)$ is always a $\lambda(G)$th root of unity for all $a \in G$, where $\lambda(G)$ denotes the exponent of the group $G$, i.e., the maximal order an element of $G$ can have. A group structure can be defined on the set of all characters on $G$. In this group, the product (group operation) $\chi_1\chi_2$ of two characters $\chi_1$ and $\chi_2$ is defined by

$$\chi_1\chi_2(a) = \chi_1(a)\chi_2(a)$$

for all $a \in G$. Similarly, the inverse $\chi^{-1}$ of a character $\chi$ is defined by

$$\chi^{-1}(a) = \chi(a)^{-1}$$

for any $a \in G$. The group of the characters defined on $G$ is called the dual group of $G$ and is denoted $\widehat{G}$. The structure of this group is given by the following theorem.

Theorem 5.1.2 ([114], pp. 129). A finite Abelian group $G$ is isomorphic to its dual, i.e.,

$$G \simeq \widehat{G}.$$

In the rest of this section, we restrict to the multiplicative group $G = \mathbb{Z}_n^*$.

Applying the above results to $\mathbb{Z}_n^*$ shows that $\chi(a)$ is a $\lambda(n)$th root of unity for any $a \in \mathbb{Z}_n^*$ and any character $\chi$ defined on $\mathbb{Z}_n^*$. We also note that a character can be naturally extended on the whole ring $\mathbb{Z}_n$ by setting $\chi(a) = 0$ for any non-invertible element $a$. From Theorem 5.1.2, we readily get a characterization of the characters on $\mathbb{Z}_n^*$. This result for a prime $n$ is given here.

Corollary 5.1.3. Let $p$ be a prime and $d$ be an integer such that $d \mid p - 1$.

1. The group of characters defined on $\mathbb{Z}_p^*$ is a cyclic group of order $p - 1$.

2. The characters on $\mathbb{Z}_p^*$ of order dividing $d$ form a cyclic subgroup of order $d$.

A proof of this corollary which does not make use of Theorem 5.1.2 can be found in Chapter 8 of [79].

The second part of this corollary is especially interesting for us, because we will consider characters of small order (e.g., 2, 3, 4). In addition, we deduce that a character on $\mathbb{Z}_p^*$ of order $d$ maps the elements of $\mathbb{Z}_p^*$ to the set

$$\{\zeta_d^j \mid j = 0, \dots, d - 1\},$$

where $\zeta_d$ denotes the unit $e^{2\pi i/d}$ and $i := \sqrt{-1}$.
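A brute-force check of Corollary 5.1.3 for a small prime, added here as an illustration and not taken from the thesis: it enumerates every character on $\mathbb{Z}_p^*$ as a table of exponents of $\zeta_{p-1}$, counts those whose order divides $d$, lists the image of a character of order $d$, and provides the Legendre symbol for comparison with the order-2 character. The prime p = 13 (chosen because 2, 3 and 4 all divide p − 1) and all function names are assumptions of this example.

```python
# Added example (not from the thesis): characters on Z_p^* for a small prime p.
def dlog_table(p):
    """Brute-force a generator g of Z_p^* (small prime p) and its discrete-log table."""
    for g in range(2, p):
        powers = [pow(g, e, p) for e in range(p - 1)]
        if len(set(powers)) == p - 1:          # g generates all of Z_p^*
            return g, {x: e for e, x in enumerate(powers)}
    raise ValueError("no generator found (p must be an odd prime)")

def character(p, t):
    """chi_t(a) = zeta_{p-1}^(t * log_g a), stored as exponents modulo p-1."""
    _, log = dlog_table(p)
    return {a: (t * log[a]) % (p - 1) for a in range(1, p)}

def is_multiplicative(chi, p):
    """Check chi(ab) = chi(a)chi(b); exponents of zeta_{p-1} add modulo p-1."""
    return all(chi[a * b % p] == (chi[a] + chi[b]) % (p - 1)
               for a in range(1, p) for b in range(1, p))

def order(chi, p):
    """Smallest m >= 1 such that chi^m is the trivial character."""
    return next(m for m in range(1, p)
                if all(m * e % (p - 1) == 0 for e in chi.values()))

def characters_of_order_dividing(p, d):
    """All characters on Z_p^* whose order divides d (Corollary 5.1.3, part 2)."""
    chars = [character(p, t) for t in range(p - 1)]
    return [chi for chi in chars if d % order(chi, p) == 0]

def image_exponents(chi, p, d):
    """Exponents j with chi(a) = zeta_d^j; chi must have order dividing d."""
    step = (p - 1) // d                        # zeta_d = zeta_{p-1}^step
    return sorted({e // step for e in chi.values()})

def legendre(a, p):
    """Legendre symbol of an invertible a via Euler's criterion."""
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

if __name__ == "__main__":
    p = 13                                     # constructed example value
    for d in (2, 3, 4):
        sub = characters_of_order_dividing(p, d)
        top = [chi for chi in sub if order(chi, p) == d]
        print(d, len(sub), image_exponents(top[0], p, d))
```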

In the following subsections we present additional material which is specific to the cases d = 2, 3, 4.