396:
176:
285:
971:
897:
837:
785:
710:
654:
507:
459:
270:
583:
1139:
222:
104:
1236:
1229:
391:{\displaystyle (\mathbb {Z} /n\mathbb {Z} )^{\times }\simeq (\mathbb {Z} /p\mathbb {Z} )^{\times }\times (\mathbb {Z} /q\mathbb {Z} )^{\times }}
1444:
1320:
1284:
1222:
1315:
1189:
Zhang, Yuliang; Tsutomu
Matsumoto; Hideki Imai (1988). "Cryptographic Applications of th-Residuosity Problem with an Odd Integer".
925:
854:
794:
742:
667:
611:
464:
416:
227:
1439:
540:
1245:
1075:
1169:
192:
1392:
1362:
1372:
1279:
1149:
171:{\displaystyle \mathbb {Z} /n\mathbb {Z} \simeq \mathbb {Z} /p\mathbb {Z} \times \mathbb {Z} /q\mathbb {Z} }
1408:
1346:
1310:
1387:
95:
1305:
1203:
1413:
21:
1198:
1274:
1264:
1259:
40:
1382:
1165:
8:
590:
186:
1376:
1366:
182:
71:
64:
1214:
1161:
848:
402:
1341:
276:
1418:
1336:
1067:
1433:
510:
91:
17:
1269:
586:
24:
are founded on problems that are believed to be intractable. The
1188:
526:
60:
851:, it is well-known that exactly one quarter of the elements in
43:, so the assumption that this problem is hard to solve is
47:
than the assumption that integer factorization is hard.
966:{\displaystyle (\mathbb {Z} /n\mathbb {Z} )^{\times }.}
1244:
892:{\displaystyle (\mathbb {Z} /n\mathbb {Z} )^{\times }}
832:{\displaystyle (\mathbb {Z} /n\mathbb {Z} )^{\times }}
780:{\displaystyle (\mathbb {Z} /q\mathbb {Z} )^{\times }}
705:{\displaystyle (\mathbb {Z} /n\mathbb {Z} )^{\times }}
649:{\displaystyle (\mathbb {Z} /q\mathbb {Z} )^{\times }}
502:{\displaystyle (\mathbb {Z} /q\mathbb {Z} )^{\times }}
454:{\displaystyle (\mathbb {Z} /p\mathbb {Z} )^{\times }}
265:{\displaystyle (\mathbb {Z} /n\mathbb {Z} )^{\times }}
1078:
928:
857:
797:
745:
670:
614:
543:
467:
419:
288:
230:
195:
107:
1133:
965:
891:
831:
779:
704:
648:
577:
501:
453:
390:
264:
216:
170:
1431:
578:{\displaystyle (\mathbb {Z} /p\mathbb {Z} )^{*}}
189:under multiplication, and the group of units in
1134:{\displaystyle x^{(p-1)/d}\equiv 1{\pmod {p}}}
903:is the product of two primes, as it is here).
1230:
1172:rests on the intractability of this problem.
906:The important point is that for any divisor
847:= 2, and we are considering the subgroup of
1237:
1223:
1043:are known it is easy to determine whether
217:{\displaystyle \mathbb {Z} /n\mathbb {Z} }
50:
1202:
946:
933:
875:
862:
815:
802:
763:
750:
688:
675:
632:
619:
561:
548:
485:
472:
437:
424:
374:
361:
340:
327:
306:
293:
248:
235:
210:
197:
164:
151:
143:
130:
122:
109:
1182:
1016:, it is infeasible to determine whether
35:) is one such problem. This problem is
1432:
1218:
922: th powers forms a subgroup of
413:were assumed to be prime, the groups
975:
1123:
13:
1445:Computational hardness assumptions
1246:Computational hardness assumptions
843:. This is most commonly seen when
14:
1456:
1285:Decisional composite residuosity
1155:
1116:
660: th power, so the set of
1127:
1117:
1096:
1084:
1024: th power (equivalently
951:
929:
880:
858:
820:
798:
768:
746:
693:
671:
637:
615:
566:
544:
490:
468:
442:
420:
379:
357:
345:
323:
311:
289:
253:
231:
1:
1175:
1150:quadratic residuosity problem
899:are quadratic residues (when
1321:Computational Diffie–Hellman
712:is also a subgroup of index
7:
1440:Computational number theory
1409:Exponential time hypothesis
1170:Naccache–Stern cryptosystem
10:
1461:
1028: th residue) modulo
26:higher residuosity problem
1419:Planted clique conjecture
1401:
1388:Ring learning with errors
1355:
1329:
1316:Decisional Diffie–Hellman
1298:
1252:
1191:Transactions of the IEICE
1063: th residue modulo
1051: th residue modulo
224:is traditionally denoted
96:Chinese remainder theorem
1148:= 2, this is called the
996:are unknown, an integer
22:public key cryptosystems
1414:Unique games conjecture
1363:Shortest vector problem
1337:External Diffie–Hellman
51:Mathematical background
1393:Short integer solution
1373:Closest vector problem
1135:
967:
893:
833:
781:
716:. In general, if gcd(
706:
650:
579:
503:
455:
392:
266:
218:
172:
33:th-residuosity problem
1280:Quadratic residuosity
1260:Integer factorization
1136:
968:
894:
834:
782:
707:
651:
580:
521:−1 respectively. If
504:
456:
403:isomorphism of groups
393:
267:
219:
173:
41:integer factorization
1383:Learning with errors
1166:Benaloh cryptosystem
1076:
926:
855:
795:
791: th powers in
743:
739: th powers in
668:
664: th powers in
612:
541:
537: th powers in
533:−1, then the set of
465:
417:
286:
228:
193:
105:
63:, then the integers
1008:−1, and an integer
185:of any ring form a
1306:Discrete logarithm
1290:Higher residuosity
1131:
963:
889:
849:quadratic residues
829:
777:
728:, then there are (
702:
646:
575:
499:
451:
388:
262:
214:
168:
1427:
1426:
1402:Non-cryptographic
1162:semantic security
980:Given an integer
976:Problem statement
28:(also called the
1452:
1342:Sub-group hiding
1253:Number theoretic
1239:
1232:
1225:
1216:
1215:
1209:
1208:
1206:
1186:
1140:
1138:
1137:
1132:
1130:
1108:
1107:
1103:
972:
970:
969:
964:
959:
958:
949:
941:
936:
898:
896:
895:
890:
888:
887:
878:
870:
865:
838:
836:
835:
830:
828:
827:
818:
810:
805:
787:, so the set of
786:
784:
783:
778:
776:
775:
766:
758:
753:
711:
709:
708:
703:
701:
700:
691:
683:
678:
655:
653:
652:
647:
645:
644:
635:
627:
622:
584:
582:
581:
576:
574:
573:
564:
556:
551:
508:
506:
505:
500:
498:
497:
488:
480:
475:
460:
458:
457:
452:
450:
449:
440:
432:
427:
397:
395:
394:
389:
387:
386:
377:
369:
364:
353:
352:
343:
335:
330:
319:
318:
309:
301:
296:
277:ring isomorphism
271:
269:
268:
263:
261:
260:
251:
243:
238:
223:
221:
220:
215:
213:
205:
200:
177:
175:
174:
169:
167:
159:
154:
146:
138:
133:
125:
117:
112:
1460:
1459:
1455:
1454:
1453:
1451:
1450:
1449:
1430:
1429:
1428:
1423:
1397:
1351:
1347:Decision linear
1325:
1299:Group theoretic
1294:
1248:
1243:
1213:
1212:
1204:10.1.1.137.8511
1187:
1183:
1178:
1158:
1115:
1099:
1083:
1079:
1077:
1074:
1073:
1035:Notice that if
978:
954:
950:
945:
937:
932:
927:
924:
923:
918:−1) the set of
883:
879:
874:
866:
861:
856:
853:
852:
823:
819:
814:
806:
801:
796:
793:
792:
771:
767:
762:
754:
749:
744:
741:
740:
696:
692:
687:
679:
674:
669:
666:
665:
640:
636:
631:
623:
618:
613:
610:
609:
569:
565:
560:
552:
547:
542:
539:
538:
493:
489:
484:
476:
471:
466:
463:
462:
445:
441:
436:
428:
423:
418:
415:
414:
382:
378:
373:
365:
360:
348:
344:
339:
331:
326:
314:
310:
305:
297:
292:
287:
284:
283:
279:above, we have
256:
252:
247:
239:
234:
229:
226:
225:
209:
201:
196:
194:
191:
190:
163:
155:
150:
142:
134:
129:
121:
113:
108:
106:
103:
102:
53:
12:
11:
5:
1458:
1448:
1447:
1442:
1425:
1424:
1422:
1421:
1416:
1411:
1405:
1403:
1399:
1398:
1396:
1395:
1390:
1385:
1380:
1370:
1359:
1357:
1353:
1352:
1350:
1349:
1344:
1339:
1333:
1331:
1327:
1326:
1324:
1323:
1318:
1313:
1311:Diffie-Hellman
1308:
1302:
1300:
1296:
1295:
1293:
1292:
1287:
1282:
1277:
1272:
1267:
1262:
1256:
1254:
1250:
1249:
1242:
1241:
1234:
1227:
1219:
1211:
1210:
1197:(8): 759–767.
1180:
1179:
1177:
1174:
1157:
1154:
1142:
1141:
1129:
1126:
1122:
1119:
1114:
1111:
1106:
1102:
1098:
1095:
1092:
1089:
1086:
1082:
1068:if and only if
977:
974:
962:
957:
953:
948:
944:
940:
935:
931:
886:
882:
877:
873:
869:
864:
860:
826:
822:
817:
813:
809:
804:
800:
774:
770:
765:
761:
757:
752:
748:
699:
695:
690:
686:
682:
677:
673:
643:
639:
634:
630:
626:
621:
617:
604:−1) = 1, then
572:
568:
563:
559:
555:
550:
546:
496:
492:
487:
483:
479:
474:
470:
448:
444:
439:
435:
431:
426:
422:
399:
398:
385:
381:
376:
372:
368:
363:
359:
356:
351:
347:
342:
338:
334:
329:
325:
322:
317:
313:
308:
304:
300:
295:
291:
259:
255:
250:
246:
242:
237:
233:
212:
208:
204:
199:
179:
178:
166:
162:
158:
153:
149:
145:
141:
137:
132:
128:
124:
120:
116:
111:
98:tells us that
52:
49:
39:to solve than
9:
6:
4:
3:
2:
1457:
1446:
1443:
1441:
1438:
1437:
1435:
1420:
1417:
1415:
1412:
1410:
1407:
1406:
1404:
1400:
1394:
1391:
1389:
1386:
1384:
1381:
1378:
1374:
1371:
1368:
1364:
1361:
1360:
1358:
1354:
1348:
1345:
1343:
1340:
1338:
1335:
1334:
1332:
1328:
1322:
1319:
1317:
1314:
1312:
1309:
1307:
1304:
1303:
1301:
1297:
1291:
1288:
1286:
1283:
1281:
1278:
1276:
1273:
1271:
1268:
1266:
1263:
1261:
1258:
1257:
1255:
1251:
1247:
1240:
1235:
1233:
1228:
1226:
1221:
1220:
1217:
1205:
1200:
1196:
1192:
1185:
1181:
1173:
1171:
1167:
1163:
1153:
1151:
1147:
1124:
1120:
1112:
1109:
1104:
1100:
1093:
1090:
1087:
1080:
1072:
1071:
1070:
1069:
1066:
1062:
1058:
1054:
1050:
1046:
1042:
1038:
1033:
1031:
1027:
1023:
1019:
1015:
1011:
1007:
1003:
999:
995:
991:
987:
983:
973:
960:
955:
942:
938:
921:
917:
913:
909:
904:
902:
884:
871:
867:
850:
846:
842:
824:
811:
807:
790:
772:
759:
755:
738:
735:
731:
727:
723:
719:
715:
697:
684:
680:
663:
659:
641:
628:
624:
607:
603:
599:
595:
592:
588:
570:
557:
553:
536:
532:
528:
524:
520:
516:
512:
494:
481:
477:
446:
433:
429:
412:
408:
404:
383:
370:
366:
354:
349:
336:
332:
320:
315:
302:
298:
282:
281:
280:
278:
273:
257:
244:
240:
206:
202:
188:
184:
160:
156:
147:
139:
135:
126:
118:
114:
101:
100:
99:
97:
93:
89:
85:
81:
77:
73:
69:
66:
62:
58:
48:
46:
42:
38:
34:
32:
27:
23:
19:
1289:
1194:
1190:
1184:
1159:
1156:Applications
1145:
1143:
1064:
1060:
1056:
1052:
1048:
1044:
1040:
1036:
1034:
1029:
1025:
1021:
1017:
1013:
1009:
1005:
1001:
997:
993:
989:
985:
981:
979:
919:
915:
911:
907:
905:
900:
844:
840:
788:
736:
733:
729:
725:
721:
717:
713:
661:
657:
605:
601:
597:
593:
534:
530:
522:
518:
514:
410:
406:
400:
274:
180:
87:
83:
79:
75:
67:
56:
54:
44:
36:
30:
29:
25:
18:cryptography
15:
1270:RSA problem
608:element in
94:, then the
1434:Categories
1275:Strong RSA
1265:Phi-hiding
1176:References
1059:will be a
1000:such that
839:has index
596:. If gcd(
513:of orders
1199:CiteSeerX
1110:≡
1091:−
956:×
885:×
825:×
773:×
698:×
642:×
571:∗
495:×
447:×
405:. Since
384:×
355:×
350:×
321:≃
316:×
275:From the
258:×
148:×
127:≃
1356:Lattices
1330:Pairings
1168:and the
1055:because
1004:divides
587:subgroup
45:stronger
1164:of the
914:−1 (or
585:form a
527:divisor
517:−1 and
70:form a
61:integer
20:, most
1201:
988:where
724:−1) =
511:cyclic
401:as an
92:primes
82:where
74:. If
65:modulo
59:is an
37:easier
1144:When
1047:is a
1020:is a
1012:<
656:is a
606:every
591:index
525:is a
187:group
183:units
1160:The
1039:and
992:and
732:−1)/
509:are
461:and
409:and
181:The
90:are
86:and
72:ring
1377:gap
1367:gap
1121:mod
910:of
589:of
529:of
55:If
16:In
1436::
1195:71
1193:.
1152:.
1032:.
986:pq
984:=
841:dg
272:.
80:pq
78:=
1379:)
1375:(
1369:)
1365:(
1238:e
1231:t
1224:v
1207:.
1146:d
1128:)
1125:p
1118:(
1113:1
1105:d
1101:/
1097:)
1094:1
1088:p
1085:(
1081:x
1065:p
1061:d
1057:x
1053:n
1049:d
1045:x
1041:q
1037:p
1030:n
1026:d
1022:d
1018:x
1014:n
1010:x
1006:p
1002:d
998:d
994:q
990:p
982:n
961:.
952:)
947:Z
943:n
939:/
934:Z
930:(
920:d
916:q
912:p
908:d
901:n
881:)
876:Z
872:n
868:/
863:Z
859:(
845:d
821:)
816:Z
812:n
808:/
803:Z
799:(
789:d
769:)
764:Z
760:q
756:/
751:Z
747:(
737:d
734:g
730:q
726:g
722:q
720:,
718:d
714:d
694:)
689:Z
685:n
681:/
676:Z
672:(
662:d
658:d
638:)
633:Z
629:q
625:/
620:Z
616:(
602:q
600:,
598:d
594:d
567:)
562:Z
558:p
554:/
549:Z
545:(
535:d
531:p
523:d
519:q
515:p
491:)
486:Z
482:q
478:/
473:Z
469:(
443:)
438:Z
434:p
430:/
425:Z
421:(
411:q
407:p
380:)
375:Z
371:q
367:/
362:Z
358:(
346:)
341:Z
337:p
333:/
328:Z
324:(
312:)
307:Z
303:n
299:/
294:Z
290:(
254:)
249:Z
245:n
241:/
236:Z
232:(
211:Z
207:n
203:/
198:Z
165:Z
161:q
157:/
152:Z
144:Z
140:p
136:/
131:Z
123:Z
119:n
115:/
110:Z
88:q
84:p
76:n
68:n
57:n
31:n
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.