Sampling from signed quadratic residues: RSA group is pseudofree

Abstract

Rivest (TCC 2004) explored the notion of a pseudo-free group from cryptographic perspective. He made the conjecture that the RSA group ℤ*N is a plausible pseudo-free group. Daniele Micciancio proved that (to appear in Journal of Cryptology), under strong RSA assumption, ℤ*N is pseudo-free. The proof uses the fact that N is the product of two safe primes, and elements are sampled uniformly at random from the subgroup QRN of quadratic residues. He asked whether the proof can be carried over if elements are sampled uniformly at random from the whole of ℤ*N. In this article, we show that one can sample uniformly at random from the subgroup QRN+ of signed quadratic residues to prove that ℤ*N is pseudo-free. Consequently, we believe one can show ℤ*N pseudo-free where elements are sampled from QRN∪QRN+, thus enlarging the set from which elements are sampled. © 2009 Springer-Verlag.