RSA Schnorr Signatures

[!note] Note: I wasn't aware when quickly writing this up, but it turns out that this is an application of the Guillou-Quisquater protocol.

Maurer's 2009 paper provides a generalization of schnorr signatures to a large class of situations. Essentially, any time you have a group homomorphism φ:GH\varphi : G \to H, you can provide a zero-knowledge protocol to prove:

Π(X;x):=φ(x)=X\Pi(X ; x) := \varphi(x) = X

(with xx kept secret).

In the case of a cyclic group of prime order qq, with generator GG, and the following homomorphism:

φ:FqGφ(x):=xG\begin{aligned} &\varphi : \mathbb{F}_q \to \mathbb{G}\cr &\varphi(x) := x \cdot G \end{aligned}

We have the usual Schnorr sigma protocol, which leads to Schnorr signatures after a Fiat-Shamir transform.

RSA

We can use the following group homomorphism, inspired by RSA:

φ:Z/(N)Z/(N)φ(m):=me\begin{aligned} &\varphi : \mathbb{Z}/(N)^* \to \mathbb{Z}/(N)^*\cr &\varphi(m) := m^e \end{aligned}

Here, (N,e)(N, e) is an RSA public key.

Now, this is evidently a group homomorphism, since:

(ab)e=aebe(a \cdot b)^e = a^e \cdot b^e

Furthermore, this homomorphism is one way, provided we don't know the factorization of NN, and we think RSA is hard.

The Signature Protocol

For the memes, let's explicitly describe the signature scheme.

Key-Generation

Generate random primes p,qp, q of half the desired modulus size. Let N=pqN = p \cdot q, and pick ee such that gcd(e,(p1)(q1))=1\text{gcd}(e, (p - 1)(q - 1)) = 1.

Pick a random xRZ/(N)x\xleftarrow{R} \mathbb{Z}/(N)^*, and then set XsemodNX \gets s^e \mod N.

xx is the private key.

(N,e,X)(N, e, X) is the public key.

Signing

kRZ/(N)KkemodNcH(N,e,X,K,m)rkxcmodN(K,r)\begin{aligned} k &\xleftarrow{R} \mathbb{Z}/(N)^*\cr K &\gets k^e \mod N\cr c &\gets H(N, e, X, K, m)\cr r &\gets k \cdot x^c \mod N\cr (K&, r) \end{aligned}

[!note] Note: What type should cc have? Well, one approach is to take it such that cc is coprime with ee, so that we'll have extractability. Basically, given xcx^c and xex^e, you can learn xx. We also need ee to be large enough to have our security parameter, i.e. e>2128e > 2^128 or so.

Verification

re?KXH(N,e,X,K,m)modNr^e \stackrel{?}{\equiv} K \cdot X^{H(N, e, X, K, m)}\mod N

Security

Trust me :)