2

Let $x$ be a random element from $QR_n$, the quadratic residue group over Blum integer n (where $n=p*q$ and $p$ and $q$ are safe primes), and $g$ a generator of $QR_n$. Are the following computationally indistinguishable?

$$(x^2 \mod n, g^x) (r^2 \mod n, g^x)$$

The intuition is that it's hard to compute $x$ from $x^2$ and $g^x$. Could this be reduced to some standard assumptions?

Ievgeni
  • 2,585
  • 1
  • 10
  • 32
Sean
  • 99
  • 9
  • Does it miss a $\mod$ ? – Ievgeni Jul 01 '21 at 08:08
  • That is right. I've made the corrections. – Sean Jul 01 '21 at 12:29
  • 2
    How is $x \in QR_n$ is represented? E.g. If it is sampled uniformly from $[0; n\cdot ord(g))$, then these are indistinguishable since $x^2$ and $g^x$ are independent (because $x \mod n$ and $x \mod ord(g)$ are independent). – Fractalice Jul 01 '21 at 12:48
  • Thanks very much for the insights? What about x^2 \mod \totient(n) is given. Then I guess the argument wouldn't apply? – Sean Jul 01 '21 at 19:55

0 Answers0