A Trapdoor Permutation Equivalent to Factoring

In Eurocrypt’98 [1], Okamoto et al. exhibited a new trapdoor function based on the use of a special moduli (pq) allowing easy discrete logarithm computations. The authors proved that the scheme’s resistance to chosen-plaintext attacks is equivalent to factoring n. Unfortunately, the proposed scheme suffers from not being a permutation (the expansion rate is = 3), and hence cannot be used for public-key signatures. In this paper, we show how to refine the function into a trapdoor permutation that can be used for signatures. Interestingly, our variant still remains equivalent to factoring and seems to be the second known trapdoor permutation (Rabin-Williams’ scheme [3] being the first) provably as secure as a primitive problem. 1 The Okamoto-Uchiyama Cryptosystem In Eurocrypt’98, Okamoto and Uchiyama proposed a new public-key cryptosystem based on the ability of computing discrete logarithms in a particular subgroup. Namely, if p is a large prime and γp ⊂ Z ∗ p is γp = {x < p 2 | x = 1 mod p} , then γp has a group structure with respect to the multiplication modulo p 2 and ♯γp = p. The function log(.) : γp −→ Zp which associates (x − 1)/p to x is clearly well-defined on γp and presents interesting homomorphic properties. In particular, ∀x, y ∈ γp log(xy mod p ) = log(x) + log(y) mod p whereby, as a straightforward generalization, ∀g ∈ γp,m ∈ Zp log(g m mod p) = m log(g) mod p .