A Fiat-Shamir Implementation Note

In the Micali-Shamir paper [7] improving the efficiency of the original Fiat-Shamir protocol [5,6,9], the authors state that “(. . .) not all of the vi’s will be quadratic residues mod n. We overcome this technical difficulty with an appropriate perturbation technique (. . .)” This perturbation technique is made more explicit in the associated patent application [8]: “Each entity is allowed to modify the standard vj which are QNRs. A particularly simple way to achieve this is to pick a modulus n = pq where p = 3 mod 8 and q = 7 mod 8, since then exactly one of vj , −vj , 2vj , −2vj is a QR mod n for any vj . The appropriate variant of each vj can be (. . .) deduced by the verifier himself during the verification of given signatures.” In this short note we clarify the way in which the verifier can infer by himself the appropriate variant of each vj during verification.