Questions tagged [quadratic-residuosity]

A residue of order 2. A number $a$ for which the congruence $x^2 ≡ a \pmod m$ has a solution is called a quadratic residue modulo $m$; in other words, $a$ is a quadratic residue modulo $m$ if for a certain integer $x$ the number $x^2 − a$ is divisible by $m$; if this congruence has no solution, then $a$ is called a quadratic nonresidue.

54 questions
12 votes, 3 answers

In the Quadratic Sieve, why restrict the factor base?

In the Quadratic Sieve, when factoring a number $N$, many descriptions and most implementations select as the factor base the set of small primes $p_j$ less than some bound $B$ restricted to having Legendre symbol $\left({N\over p_j}\right)=+1$. Why…
fgrieu
9 votes, 4 answers

Algorithm for computing square roots in $GF(2^n)$

Short question: is there an algorithm for efficiently computing square roots in $\mathbb{F}_{2^n}$?
Arthur B
8 votes, 3 answers

Quadratic residuosity problem reduction to integer factorization

How can one show how to reduce the quadratic residuosity problem to an integer factorization?
Faith
7 votes, 1 answer

What makes the quadratic residuosity problem hard?

The quadratic residuosity problem is the problem of determining whether, for given $r$, $m$, $\exists a.a^2\equiv r\mod m$. This problem's believed to be hard to solve in general (e.g. an efficient general solution to finding $a$ would allow you to…
5 votes, 0 answers

What is the restriction on $k$, for the $k$th composite residuosity problem to be hard?

The paper “Residuosity Problem and Its Applications to Cryptography” considers the exponent to be an odd integer. When $k = 2$, it is called the quadratic residuosity problem (mod $n$, where $n$ is composite) which is hard and can be solved if the…
Misty
4 votes, 0 answers

About Cocks IBE

Why doesn't Cocks IBE use the hash function H from ID space to quadratic residue set $\mathbb{QR}_N$ in $\mathbb{Z}/N\mathbb{Z}$ to reduce the ciphertext expansion by half? I think it is also IND-ID-CPA secure in random oracle because we can learn…
4 votes, 2 answers

Exactly two of the four roots must be greater than N/2

Theorem: Let $y$ be a quadratic residue in $\mathbb{Z}_N^*$ where $N=pq$. There are exactly four integers $x_1, x_2, x_3, x_4$ where $0 < x_1 < x_2 < \frac{N}{2} < x_3 < x_4 < N$ such that $y = x_i^2 \pmod{N}$ for $i=1,2,3,4$. The above theorem…
habillqabill
4 votes, 2 answers

What does it mean that $BW_N$ is a permutation over the squares mod N?

Let $BW_N$ be a function such that $BW_N:\mathbb{QR}_{N} \mapsto \mathbb{QR}_{N}$ and let it be defined as follows: $BW_N(x) = x^2 \pmod N$ where $N=pq$ and $p$ and $q$ are primes with $p \equiv q \equiv 3 \pmod 4$. I am reading on a set of lecture notes that, "$BW_N$…
Charlie Parker
3 votes, 1 answer

Quadratic Sieve: Sieving with prime powers

I am trying to understand the Quadratic Sieve algorithm. Currently I am stuck at the sieving part. Let's say the number to be factored is 9788111. I decide to look for 50-smooth factors. My initial factor base (FB) = $p_i$ = {2, 3, 5, 7, 11, 13, 17,…
user93353
3 votes, 2 answers

How does the coin flipping protocol prevent Alice from generating $n$ from many primes?

This is a question from reading the paper 'Coin Flipping by Telephone - a protocol for solving impossible problems'. The fact that the coin is unbiased is based on the fact that if n is a product of two primes, then there should be exactly four…
Andrew Au
3 votes, 1 answer

Elgamal problem on $\mathbb{QR}_p$ with $p$ a safe prime

I need some orientation to solve the following problem: Let $p = 2q+1$ be a safe prime and $s(x)$ the smallest of the two square roots of $x$ modulo $p$. Then: Determine the distribution of $s(g^{ab})$ for $a,b$ chosen uniformly in…
user1868607
3 votes, 1 answer

Is a composition of computational hardness problems still hard?

It is well known that both $g^x$ and $x^2$ are computational hardness problems in certain rings. But I wonder if the composition of them is still hard? Namely, given $(g, g^x, x^2)$ in a ring $Z_n$ where $n$ is a composite number of secret…
3 votes, 1 answer

Why work in a subgroup for Naor and Pinkas oblivious transfer?

In section 4 (protocol 4.1) of the paper by Naor and Pinkas [1], why did the authors decide to operate in a subgroup? When they say "the messages are in the subgroup" does that mean $x, y, z_0, z_1$, $w_0, w_1$ and the encryption keys are in the…
3 votes, 1 answer

Quadratic residue zero knowledge proof - simulator with identical distribution

I am looking at the zero knowledge proof for quadratic residues and am confused when it comes to showing a simulator that can give a transcript of the proof with the same distribution as the proof output itself. In all explanations/proofs I have…
TheFooBarWay
3 votes, 1 answer

How to prove the hardness of Rabin's function?

I am unable to prove the following theorem: If for a $1/(\log(n))$ fraction of the quadratic residues $q\pmod n$ one could find a square root of $q$, then one could factor $n$ in random polynomial time. $n$ is the product of two large distinct…
Aditi Rai