It is known that given a composite integer $N = p_1 p_2$ (such that $p_1 \equiv p_2 \equiv 3 \pmod 4$), and $q$ a quadratic residue modulo $N$, guessing the least significant bit of a square root of $q$ with any non-negligible advantage is as hard as factoring $N$. In this paper we extend the above result to multi-prime numbers $N = p_1 p_2 \cdots p_l$ (such that $p_1 \equiv p_2 \equiv \cdots \equiv p_l \equiv 3 \pmod 4$). We show that given $N$ and $q$, a quadratic residue mod $N$, guessing the least significant bit of a square root of $q$ is as hard as completely factoring $N$. Furthermore, the difficulty of guessing the least significant bit of the square root of $q$ remains unchanged even when all but two of the prime factors of $N$, $p_3, \ldots, p_l$, are known. The result is useful in designing multi-party cryptographic protocols.
CITATION STYLE
Chor, B., Goldreich, O., & Goldwasser, S. (1986). The Bit Security of Modular Squaring given Partial Factorization of the Modulos. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 218 LNCS, pp. 448–457). Springer Verlag. https://doi.org/10.1007/3-540-39799-X_35