Journal of Applied Mathematics

Volume 2014, Article ID 819182, 7 pages

http://dx.doi.org/10.1155/2014/819182

## Signature Scheme Using the Root Extraction Problem on Quaternions

^{1}State Key Laboratory of Integrated Service Networks, Xidian University, Xi'an 710071, China

^{2}Guangxi Key Lab of Wireless Wide Band Communication and Signal Processing, Guilin University of Electronic Technology, Guilin 541004, China

Received 6 February 2014; Accepted 19 May 2014; Published 28 May 2014

Academic Editor: Frank Werner

Copyright © 2014 Baocang Wang and Yupu Hu. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

The root extraction problem over quaternion rings modulo an RSA integer is defined, and the intractability of the problem is examined. A signature scheme is constructed based on the root extraction problem. It is proven that an adversary can forge a signature on a message if and only if he can extract the roots for some quaternion integers. The performance and other security related issues are also discussed.

#### 1. Introduction

Cryptographic algorithms are important tools to resolve the security issues in open networks, amongst which the public key cryptographic schemes [1] may be the most powerful tool. In a public key cryptosystem, two separate keys are deployed. One key is kept secret and can be used to decrypt ciphertexts or sign messages, and the other key can be published and is used for encrypting plaintexts or verifying signatures. It is required that deriving the secret key from the public key be computationally infeasible. In public key cryptography, three categories of algorithms are widely used in network and information security engineering according to their functionalities, namely, key exchange protocols [2], public key encryption schemes [3], and digital signature schemes [4]. The key exchange protocols are used to establish the shared keys between two communication parties. The public key encryption algorithm allows the encryption key to be published without compromising the security of the decryption key and hence does not require securely initializing a shared key between the communication sender and receiver. A digital signature scheme is used to create a digital signature on a message by using the secret key, so a signature scheme allows the authenticity of a message or a document to be checked by using the public key to verify the validity of the signature.

It is striking to note that most of the widely used unbroken public key cryptosystems are based on some number-theoretic intractability assumptions such as the integer factorization problem, the discrete logarithm problem defined over finite fields, and the elliptic curve discrete logarithm problem [1]. However, we have a strong desire to enrich the public key cryptographic toolkits to avoid putting all application-oriented eggs in one cryptographic basket. So tremendous efforts have been made to develop public key cryptosystems from other problems. In particular, it seems a nice idea to introduce some noncommutative algebraic structures [5–13] in the design of public key ciphers to destroy the commutativity property commonly shared in the widely used public key cryptosystems.

In the realm of noncommutative public key cryptography, some key exchange protocols and public key encryption schemes were developed, amongst which are the notable AAG commutator key exchange protocol [14] and its variants [15–17], the MOR encryption algorithm [18], the MST cryptosystems [19, 20], and the braid public key encryption schemes [21] and their instantiations on other generalized noncommutative groups [7, 11–13]. On the one hand, many of the previous proposals were shown vulnerable to some attacks [22–34]. On the other hand, very few secure signature schemes were known in the literature of noncommutative public key cryptography [35–41]. The known signature schemes may have at least one of the flaws listed below.

(i) The security of the signature schemes cannot be mathematically proven [35–38]. Only the three schemes in [39–41] satisfy the provable security goals.

(ii) Some signature schemes [39–41] utilized some nonstandard intractability assumptions. These newly defined mathematical problems were not fully studied, so if the underlying intractability was not true, these schemes would be insecure.

(iii) The intractability problems were not tightly used in the construction of the signature schemes [35], which makes it possible for an adversary to forge a signature on a message just by solving an easy problem but not necessarily the underlying intractable problem [42, 43].

In this paper, we propose a novel signature scheme from the root extraction problem defined on the quaternion ring modulo an RSA integer. Our proposal overcomes the flaws existing in the known signature schemes.

(i) The security is based on the root extraction problem over quaternions, which can be seen as the generalizations of the standard RSA problem and the quadratic residue problem modulo an RSA modulus. So the intractability assumption of our proposal is well established.

(ii) The security of the proposed signature scheme is tightly dependent on the root extraction problem over quaternion rings. Any adversary must solve the underlying intractability problem in order to successfully recover the secret key or forge a signature.

(iii) The proposal is provably secure. We prove that an adversary can forge a signature for a given message if and only if he can extract the -th root for a given quaternion number.

We also provide a thorough security scrutiny on the proposed signature scheme with respect to key recovery attacks and partial key exposure attacks. Performance analysis demonstrates that the proposal is efficient and practical.

The rest of the paper is organized as follows. In Section 2, we provide some preliminaries about the quaternion algebra, discuss the related root extraction problem, and provide the signature scheme. In Section 3, we analyze the proposal with respect to performance and security. Finally, we conclude the work in Section 4.

#### 2. Proposal

We first review some definitions about quaternion algebra and then elaborate on the proposed signature scheme.

##### 2.1. Notations

Throughout this paper, we use to denote the field of real numbers and use the symbol to denote the ring of integers. For a positive integer , the modular reduction of an integer modulo means the unique nonnegative least remainder of divided by such that , and we denote (mod ). The greatest common divisor of two integers and is denoted by . We use to denote the set . For any integer there exists a unique integer called the modular inverse of modulo such that (mod ), and we denote (mod ).

##### 2.2. Arithmetic Operations on Quaternions

The number system of quaternions is the extension of the number system of complex numbers. Formally, we denote the set of quaternions as

We define three operations on quaternions, namely, addition, scalar multiplication, and quaternion multiplication. For two quaternions and in , their sum is defined as with for . We define the scalar multiplication of and as . The quaternion multiplication is somewhat more complicated to define. We first define and then we can derive the following relations: from which we can easily see that quaternion multiplication is noncommutative. So the product of and can be easily computed via

The norm and conjugate of are defined as and , respectively. It is easy to verify that .

For a positive integer and a quaternion , we define modulo as

Thus, we can define the set (mod ). We call a quaternion invertible modulo if and only if there exists a quaternion such that (mod ), and we denote (mod ). We use the symbol to denote the set consisting of all the invertible quaternions in . It is easy to verify that a quaternion is invertible if and only if . When , the inverse of modulo is easy to compute; namely, (mod ), where denotes the modular inverse of modulo .

##### 2.3. Root Extraction Problem over

We define the -th root extraction problem over .

*Definition 1 (the -th root extraction problem over ). *Given two positive integers and and a quaternion , the -th root extraction problem over is defined as finding a quaternion if any such that (mod ). In particular, when , the problem is called the quadratic root extraction problem over .

In this paper, we consider the case of being an RSA modulus, namely, being the product of two distinct large primes and . From the above definitions, we can see that when is relatively prime to , the -th root extraction problem over is a generalization of the RSA problem, which asks for the -th root for a given integer ; namely, (mod ). The quadratic root extraction problem over is a generalization of the quadratic residue problem, which is defined as finding an integer such that (mod ) for the given integer . The quadratic residue problem is proven to be equivalent to the problem of factoring the modulus in the construction of the Rabin public key cryptosystem [44]. We note that the RSA problem and the quadratic residue problem are widely believed to be intractable and have been widely used in the design of public key cryptographic primitives. So we conjecture that the -th root extraction problem over is also intractable.

##### 2.4. Quaternion Signature Scheme

Quaternion algebra has been used to design a signature scheme [35]. However, the signature scheme was soon broken [42, 43] by solving a quadratic congruence (mod ) with the Pollard-Schnorr algorithm [45].

We develop a new quaternion signature scheme in the sequel. To begin with, we first define three system parameters: the binary length of the modulus , the binary length of the hashed value of a message , and . Typically, we set , , and . We also define a hash function which maps a message bit string with an arbitrary length into a -bit-long string; namely, . In this paper, we write a binary number as a string of symbols.

###### 2.4.1. Key Generation

The key generation algorithm runs as follows. Firstly, the signer randomly chooses two distinct -bit-long primes and and computes their product . Then, the signer randomly and uniformly chooses two quaternions and and computes (mod ). Finally, the signer publishes the public key as and keeps the secret key as .

###### 2.4.2. Signature

To sign a message , the signer firstly computes the hashed value of ; namely, . Then, the signer randomly and uniformly chooses a quaternion and computes (mod ) and (mod ). Finally, the signer sends to the verifier as the signature on the message .

###### 2.4.3. Verification

Upon receiving the signature , the verifier firstly computes and (mod ). Then, the verifier decides whether or not the equation (mod ) is satisfied. If the equation is satisfied, the verifier accepts as a valid signature on the message . Otherwise, the verifier refuses to accept as a valid signature on .

###### 2.4.4. Why Verification Works

We explain why a valid signature on the message can pass the verification equation (mod ). Note that

So a valid signature on the message can pass the verification process.

#### 3. Analysis

##### 3.1. Security

We analyze the security of the proposed quaternion signature scheme.

###### 3.1.1. Key Security

The secret key of the proposed signature scheme consists of and . We have the following result with respect to the key security.

Theorem 2. *Any adversary can recover the secret key from the public key if and only if he can extract the -th root for .*

*Proof. *We first prove the sufficiency of the theorem. Assume that the adversary can extract the -th root for , and we denote it as ; namely, (mod ). Then, we randomly choose and compute (mod ). Then, can serve as the secret key of the proposed signature scheme; namely, and satisfy (mod ). This is because

Then, we prove the necessity of the theorem. We assume that the adversary recovers the secret key . So and satisfy (mod ); namely, (mod ), from which we immediately derive an -th root (mod ) for .

Theorem 3. *Assume that there exists a polynomial-time algorithm to break the key security of the proposed quaternion signature scheme. For any quaternion such that has an -th root in , then there exists a polynomial-time algorithm to determine the -root of .*

*Proof. *We want to construct a polynomial-time algorithm such that given the input , the algorithm outputs the -th root for . To do this, we just need to show that we can derive a public key from and then access the algorithm to recover the corresponding secret key.

We denote the -th root of as ; namely, (mod ) and is a hash function. Thus, we randomly choose , and from the proof of Theorem 2 we know that (mod ) and can serve as the secret key of the signature scheme with the corresponding public key . So the algorithm runs as follows. Firstly, defines a hash function ; then the algorithm feeds the public key into the algorithm to obtain the output by the algorithm . Finally, the algorithm computes and outputs (mod ). It can be easily verified that (mod ) is an -root of and that the algorithm can be carried out in polynomial time.

The above theorems say that if the adversary can break the key security of the proposed signature scheme, the adversary can also solve a random instance of the -th root extraction problem over , which seems computationally intractable.

###### 3.1.2. Partial Key Exposure Attacks

We discuss the attacks assuming that the adversary knows the quaternion or . If the adversary knows the quaternion , the adversary can get (mod ). So the adversary needs to compute the -root of the quaternion to derive , which seems computationally impossible. We also have the following result.

Theorem 4. *There exist at least quaternions such that ( ). If the adversary knows , there exists an algorithm to compute such an at the cost of bit operations.*

*Proof. *Note that the secret keys and satisfy (mod ). So we have . Then, for an integer , if we denote (mod ), we must have . So satisfies (mod ). Note that have distinct integers, so we conclude that there exist at least quaternions such that (mod ).

If the adversary knows , we know that , from which the adversary can obtain four linear congruences modulo by associating the constants and the coefficients of , , and . Thus, we solve the linear congruences by using, for example, the Gaussian elimination algorithm to obtain the coefficients of the quaternion , which only costs bit operations.

The above theorem says that we must keep secret. Otherwise, the adversary can retrieve the whole secret key in polynomial time.

###### 3.1.3. Signature Forgery Attacks

Given a message , we discuss the difficulty for the adversary to forge a signature on the message such that the signature can pass the verification equation (mod ).

Theorem 5. *An adversary can produce a signature on a given message if and only if he can extract the -th root for ( ).*

*Proof. *We first prove the sufficiency. We assume that the adversary can extract the -th root denoted as for (mod ); namely, (mod ). The adversary randomly chooses a quaternion and computes (mod ). Note that

So can pass the verification equation (mod ); namely, a valid signature on the message is forged.

Then, we prove the necessity. If the adversary forges a signature on a given message satisfying (mod ), so (mod ). Thus, an -th root (mod ) is determined for the quaternion .

The above theorem says that there is only one way for the adversary to forge a signature for a given message , that is, to extract the -th root for the quaternion (mod ). However, the -th root extraction problem over is assumed to be intractable. So it is computationally infeasible to forge a signature for a given message.

##### 3.2. Performance

We analyze the performance of related issues.

##### 3.3. Quaternion Modular Exponentiation Operation

In the proposed signature scheme, quaternion modular exponentiations are often used. For example, in the signature generation algorithm, we need to compute (mod ), and in the verification algorithm we also need to compute (mod ). The quaternion modular exponentiation can be performed via a square-and-multiply approach. To illustrate, we let the binary representation of be with or 1. Given , we firstly set and compute (mod ) for . Then, we compute

This is because

Therefore, to compute (mod ) we firstly need to do quaternion modular multiplications to compute and then on average quaternion modular multiplications to compute (mod ). The quaternion modular exponentiation (mod ) needs about quaternion modular multiplications.
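The quaternion arithmetic of Section 2.2 and the square-and-multiply procedure described above, as an added Python example (not code from the paper). The tuple representation, the function names, and the toy modulus 3233 = 53 · 61 are assumptions made here for illustration; a real modulus is the product of two large primes.

```python
from math import gcd

# A quaternion a + b*i + c*j + d*k is stored as the tuple (a, b, c, d),
# with every coefficient reduced modulo n.

def qmul(p, q, n):
    """Hamilton product p*q modulo n (16 integer modular multiplications)."""
    a1, b1, c1, d1 = p
    a2, b2, c2, d2 = q
    return (
        (a1 * a2 - b1 * b2 - c1 * c2 - d1 * d2) % n,
        (a1 * b2 + b1 * a2 + c1 * d2 - d1 * c2) % n,
        (a1 * c2 - b1 * d2 + c1 * a2 + d1 * b2) % n,
        (a1 * d2 + b1 * c2 - c1 * b2 + d1 * a2) % n,
    )

def qconj(q, n):
    """Conjugate: negate the three imaginary coefficients."""
    a, b, c, d = q
    return (a % n, -b % n, -c % n, -d % n)

def qnorm(q, n):
    """Norm a^2 + b^2 + c^2 + d^2 modulo n; equals q * conj(q)."""
    return sum(x * x for x in q) % n

def is_invertible(q, n):
    """A quaternion is invertible modulo n iff its norm is coprime to n."""
    return gcd(qnorm(q, n), n) == 1

def qinv(q, n):
    """Inverse modulo n: norm(q)^(-1) * conj(q)."""
    if not is_invertible(q, n):
        raise ValueError("norm shares a factor with n: no inverse exists")
    norm_inv = pow(qnorm(q, n), -1, n)  # modular inverse, Python 3.8+
    return tuple(norm_inv * x % n for x in qconj(q, n))

def qpow(q, e, n):
    """Square-and-multiply: scan the bits of e from least significant,
    squaring the base each step and multiplying it in when the bit is 1."""
    if e < 0:
        raise ValueError("use qinv first for negative exponents")
    result = (1 % n, 0, 0, 0)
    base = tuple(x % n for x in q)
    while e:
        if e & 1:
            result = qmul(result, base, n)
        base = qmul(base, base, n)
        e >>= 1
    return result

# Constructed toy parameters (far too small for real use).
N_TOY = 53 * 61
Q_TOY = (3, 1, 4, 1)
I_UNIT, J_UNIT, K_UNIT = (0, 1, 0, 0), (0, 0, 1, 0), (0, 0, 0, 1)

if __name__ == "__main__":
    # Noncommutativity: i*j = k but j*i = -k.
    print("i*j =", qmul(I_UNIT, J_UNIT, N_TOY))
    print("j*i =", qmul(J_UNIT, I_UNIT, N_TOY))
    # Inverse check: q * q^(-1) = 1.
    print("q * q^-1 =", qmul(Q_TOY, qinv(Q_TOY, N_TOY), N_TOY))
    # A quaternion with zero imaginary part behaves like an integer mod n,
    # which is why root extraction here generalizes the RSA problem.
    print("7^17 =", qpow((7, 0, 0, 0), 17, N_TOY), "vs", pow(7, 17, N_TOY))
    # A norm divisible by a prime factor of n has no inverse.
    print("invertible (53,0,0,0)?", is_invertible((53, 0, 0, 0), N_TOY))
```

A non-invertible quaternion found by chance exposes a factor of the modulus through the gcd of its norm with n, so `qinv` raises rather than returning a value.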

##### 3.4. Computational Costs

We consider the computational costs for signing a message and verifying a signature.

In the signature generation phase, we need to do the computations and (mod ) (here we ignore the computationally inexpensive hash operations), which are equivalent to 3 quaternion modular multiplications and one quaternion modular exponentiation. According to the aforementioned analysis, the total computations are equivalent to about quaternion modular multiplications. We recall the quaternion modular multiplicative operation in Section 2.2. One quaternion modular multiplication costs about 16 modular multiplications. However, we note that modular multiplication modulo achieves a quadratic complexity; namely, . So the computational complexity for the signature scheme is given as .

In the verification process, we need to compute (mod ) (a quaternion modular exponentiation), (mod ) (two quaternion modular multiplications according to the square-and-multiply approach; namely, (mod ) and (mod )), and (mod ) (two quaternion modular multiplications). So the computational costs are about quaternion modular multiplications. Therefore, the computational complexity for the verification algorithm is also .

#### 4. Conclusion

In this paper, a quaternion signature scheme was proposed based on the root extraction problem defined over quaternion algebraic structures. The signature scheme only performs bit operations to sign a message and to verify a signature, and hence the proposal is practical. We showed that the key security is equivalent to a random instance of the -th root extraction problem defined over , and the signature forgery security is equivalent to extracting the -th root for the quaternion (mod ). Hence, our proposal satisfies some provable security goals.

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgments

This work was supported by the National Natural Science Foundation of China (nos. 61173152 and 61173151), the 111 Project (no. B08038), the ISN Foundation (no. ISN1103007), the Fundamental Research Funds for the Central Universities (no. JY10000901009), and the Natural Science Basic Research Plan in Shaanxi Province of China (no. 2012JM8005).

#### References

1. N. Koblitz and A. J. Menezes, “A survey of public-key cryptosystems,” *SIAM Review*, vol. 46, no. 4, pp. 599–634, 2004.
2. Z. Hao, S. Zhong, and N. Yu, “A multihop key agreement scheme for wireless Ad hoc networks based on channel characteristics,” *The Scientific World Journal*, vol. 2013, Article ID 935604, 13 pages, 2013.
3. Q. Zhang, X. Xue, and X. Wei, “A novel image encryption algorithm based on DNA subsequence operation,” *The Scientific World Journal*, vol. 2012, Article ID 286741, 10 pages, 2012.
4. R. Guo, Q. Wen, Z. Jin, and H. Zhang, “An efficient and secure certificateless authentication protocol for healthcare system on wireless medical sensor networks,” *The Scientific World Journal*, vol. 2013, Article ID 761240, 7 pages, 2013.
5. D. N. Moldovyan and N. A. Moldovyan, “A new hard problem over noncommutative finite groups for cryptographic protocols,” in *Proceedings of the 5th International Conference on Mathematical Methods, Models and Architectures for Computer Network Security (MMM-ACNS '10)*, vol. 6258 of *Lecture Notes in Computer Science*, pp. 183–194, Springer, St. Petersburg, Russia, 2010.
6. A. A. Kamal and A. M. Youssef, “Cryptanalysis of Álvarez et al. key exchange scheme,” *Information Sciences*, vol. 223, no. 20, pp. 317–321, 2013.
7. P. Pan, L. Wang, L. Wang, L. Li, and Y. Yang, “CSP-DHIES: a new public-key encryption scheme from matrix conjugation,” *Security and Communication Networks*, vol. 5, no. 7, pp. 809–822, 2012.
8. G. Baumslag, N. Fazio, A. R. Nicolosi, V. Shpilrain, and W. E. Skeith, “Generalized learning problems and applications to non-commutative cryptography,” in *Proceedings of the 5th International Conference on Provable Security (ProvSec '11)*, vol. 6980 of *Lecture Notes in Computer Science*, pp. 324–339, Springer, Xian, China, 2011.
9. P. Vitkus, E. Sakalauskas, N. Listopadskis, and R. Vitkiene, “Microprocessor realization of key agreement protocol based on matrix power function,” *Elektronika ir Elektrotechnika*, no. 1, pp. 33–36, 2012.
10. D. Boucher, P. Gaborit, W. Geiselmann, O. Ruatta, and F. Ulmer, “Key exchange and encryption schemes based on non-commutative skew polynomials,” in *Proceedings of the 3rd International Workshop on Post-Quantum Cryptography (PQCrypto '10)*, vol. 6061 of *Lecture Notes in Computer Science*, pp. 126–141, Springer, Darmstadt, Germany, 2010.
11. J. Climenta, P. R. Navarrob, and L. Tortosab, “Key exchange protocols over noncommutative rings. The case of $\mathrm{End}(\mathbb{Z}_{p}\times \mathbb{Z}_{p^{2}})$,” *International Journal of Computer Mathematics*, vol. 89, no. 13-14, pp. 1753–1763, 2012.
12. L. Gu, L. Wang, K. Ota, M. Dong, Z. Cao, and Y. Yang, “New public key cryptosystems based on non-Abelian factorization problems,” *Security and Communication Networks*, vol. 6, no. 7, pp. 912–922, 2013.
13. L. Gu, Y. Pan, M. Dong, and K. Ota, “Noncommutative lightweight signcryption for wireless sensor networks,” *International Journal of Distributed Sensor Networks*, vol. 2013, Article ID 818917, 10 pages, 2013.
14. I. Anshel, M. Anshel, and D. Goldfeld, “An algebraic method for public key cryptography,” *Mathematical Research Letters*, vol. 6, pp. 287–291, 1999.
15. I. Anshel, M. Anshel, B. Fisher, and D. Goldfeld, “New key agreement protocols in braid group cryptography,” in *Proceedings of the Cryptographers Track at RSA Conference on Topics in Cryptology (CT-RSA '01)*, vol. 2020 of *Lecture Notes in Computer Science*, pp. 13–27, Springer, San Francisco, Calif, USA, 2001.
16. I. Anshel, M. Anshel, and D. Goldfeld, “Non-abelian key agreement protocols,” *Discrete Applied Mathematics*, vol. 130, no. 1, pp. 3–12, 2003.
17. I. Anshel, M. Anshel, and D. Goldfeld, “A linear time matrix key agreement protocol over small finite fields,” *Applicable Algebra in Engineering, Communications and Computing*, vol. 17, no. 3-4, pp. 195–203, 2006.
18. S. H. Paeng, K. C. Ha, J. H. Kim, S. Chee, and C. Park, “New public key cryptosystem using finite non Abelian groups,” in *Proceedings of the Advances in Cryptology (CRYPTO '01)*, vol. 2139 of *Lecture Notes in Computer Science*, pp. 470–485, Springer, Santa Barbara, Calif, USA, 2001.
19. S. S. Magliveras, D. R. Stinson, and T. Van Thing, “New approaches to designing public key cryptosystems using one-way functions and trapdoors in finite groups,” *Journal of Cryptology*, vol. 15, no. 4, pp. 285–297, 2002.
20. W. Lempken, T. Van Tran, S. S. Magliveras, and W. Wei, “A public key cryptosystem based on non-abelian finite groups,” *Journal of Cryptology*, vol. 22, no. 1, pp. 62–74, 2009.
21. K. H. Ko, S. J. Lee, and J. H. Cheon, “New public-key cryptosystem using braid groups,” in *Proceedings of the Advances in Cryptology (CRYPTO '00)*, vol. 1880 of *Lecture Notes in Computer Science*, pp. 166–183, Springer, Santa Barbara, Calif, USA, 2000.
22. J. Hughes, “A linear algebraic attack on the AAFG1 braid group cryptosystem,” in *Proceedings of the 7th Australasian Conference on Information Security and Privacy (ACISP '02)*, vol. 2384 of *Lecture Notes in Computer Science*, pp. 176–189, Springer, Melbourne, Australia, 2002.
23. S. J. Lee and E. Lee, “Potential weaknesses of the commutator key agreement protocol based on braid groups,” in *Proceedings of the Advances in Cryptology (EuroCrypt '02)*, vol. 2332 of *Lecture Notes in Computer Science*, pp. 14–28, Springer, Amsterdam, The Netherlands, 2002.
24. A. D. Myasnikov and A. Ushakov, “Length based attack and braid groups: cryptanalysis of Anshel-Anshel-Goldfeld key exchange protocol,” in *Proceedings of the 10th International Conference on Practice and Theory in Public-Key Cryptography (PKC '07)*, vol. 4450 of *Lecture Notes in Computer Science*, pp. 76–88, Springer, Beijing, China, 2007.
25. A. D. Myasnikov and A. Ushakov, “Cryptanalysis of the Anshel-Anshel-Goldfeld-Lemieux key agreement protocol,” *Groups, Complexity, Cryptology*, vol. 1, no. 1, pp. 63–75, 2009.
26. C. Tobias, “Security analysis of the MOR cryptosystem,” in *Proceedings of the 6th International Conference on Practice and Theory in Public-Key Cryptography (PKC '03)*, vol. 2567 of *Lecture Notes in Computer Science*, pp. 175–186, Springer, Miami, Fla, USA, 2002.
27. I. Lee, W. Kim, D. Kwon, S. Nahm, N. Kwak, and Y. Baek, “On the security of MOR public key cryptosystem,” in *Proceedings of Advances in Cryptology (AsiaCrypt '04)*, vol. 3329 of *Lecture Notes in Computer Science*, pp. 387–400, Springer, Jeju Island, Korea, 2004.
28. A. Korsten, “Cryptanalysis of MOR and discrete logarithms in inner automorphism groups,” in *Proceedings of the 2nd Western European Workshop on Research in Cryptology (WEWoRC '07)*, vol. 4954 of *Lecture Notes in Computer Science*, pp. 78–89, Springer, Bochum, Germany, 2008.
29. J. Bohli, R. Steinwandt, M. I. G. Vasco, and C. Martínez, “Weak keys in MST 1,” *Designs, Codes, and Cryptography*, vol. 37, no. 3, pp. 509–524, 2005.
30. S. R. Blackburn, C. Cid, and C. Mullan, “Cryptanalysis of the MST3 public key cryptosystem,” *Journal of Mathematical Cryptology*, vol. 3, no. 4, pp. 321–338, 2009.
31. M. I. G. Vasco, A. L. P. Del Pozo, and P. T. Duarte, “A note on the security of MST 3,” *Designs, Codes, and Cryptography*, vol. 55, no. 2-3, pp. 189–200, 2010.
32. J. H. Cheon and B. Jun, “A polynomial time algorithm for the braid Diffie-Hellman conjugacy problem,” in *Proceedings of the Advances in Cryptology (CRYPTO '03)*, vol. 2729 of *Lecture Notes in Computer Science*, pp. 212–225, Springer, Santa Barbara, Calif, USA, 2003.
33. E. Lee and J. H. Park, “Cryptanalysis of the public-key encryption based on braid groups,” in *Proceedings of the Advances in Cryptology (EuroCrypt '03)*, vol. 2656 of *Lecture Notes in Computer Science*, pp. 477–490, Springer, Warsaw, Poland, 2003.
34. A. Myasnikov, V. Shpilrain, and A. Ushakov, “A practical attack on a braid group based cryptographic protocol,” in *Proceedings of the Advances in Cryptology (CRYPTO '05)*, vol. 3621 of *Lecture Notes in Computer Science*, pp. 86–96, Springer, Santa Barbara, Calif, USA, 2003.
35. T. Satoh and K. Araki, “On construction of signature scheme over a certain non-commutative ring,” *IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences*, vol. E80-A, no. 1, pp. 40–45, 1997.
36. E. Sakalauskas, “New digital signature scheme in Gaussian monoid,” *Informatica*, vol. 15, no. 2, pp. 251–270, 2004.
37. E. Sakalauskas, “One digital signature scheme in semimodule over semiring,” *Informatica*, vol. 16, no. 3, pp. 383–394, 2005.
38. D. Kahrobaei and C. Kouppari, “Non-commutative digital signatures,” *Groups, Complexity, Cryptology*, vol. 4, no. 2, pp. 377–384, 2012.
39. B.-C. Wang and Y.-P. Hu, “Signature scheme based on the root extraction problem over braid groups,” *IET Information Security*, vol. 3, no. 2, pp. 53–59, 2009.
40. L. Wang, L. Wang, Z. Cao, Y. Yang, and X. Niu, “Conjugate adjoining problem in braid groups and new design of braid-based signatures,” *Science in China F: Information Sciences*, vol. 53, no. 3, pp. 524–536, 2010.
41. L. Wang, Z. Cao, P. Zeng, and X. Li, “One-more matching conjugate problem and security of braid-based signatures,” in *Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security (ASIACCS '07)*, pp. 295–301, ACM, New York, NY, USA, March 2007.
42. D. Coppersmith, “Weakness in quaternion signatures,” in *Proceedings of the Advances in Cryptology (CRYPTO '99)*, vol. 1666 of *Lecture Notes in Computer Science*, pp. 305–314, Springer, Santa Barbara, Calif, USA, 1999.
43. D. Coppersmith, “Weakness in quaternion signatures,” *Journal of Cryptology*, vol. 14, no. 2, pp. 77–85, 2001.
44. M. O. Rabin, “Digitalized signatures and public-key functions as intractable as factorization,” *Technical Report*, Massachusetts Institute of Technology, Cambridge, Mass, USA, 1979.
45. J. M. Pollard and C. P. Schnorr, “An efficient solution of the congruence $x^{2}+ky^{2}\equiv m \pmod{n}$,” *IEEE Transactions on Information Theory*, vol. IT-33, no. 5, pp. 702–709, 1987.