Journal of Cryptology

, Volume 23, Issue 2, pp 169–186

The RSA Group is Pseudo-Free

Open Access


We prove, under the strong RSA assumption, that the group of invertible integers modulo the product of two safe primes is pseudo-free. More specifically, no polynomial-time algorithm can output (with non negligible probability) an unsatisfiable system of equations over the free Abelian group generated by the symbols g1,…,gn, together with a solution modulo the product of two randomly chosen safe primes when g1,…,gn are instantiated to randomly chosen quadratic residues. Ours is the first provably secure construction of pseudo-free Abelian groups under a standard cryptographic assumption and resolves a conjecture of Rivest (Theory of Cryptography Conference—Proceedings of TCC 2004, LNCS, vol. 2951, pp. 505–521, 2004).


Cryptographic assumptions Pseudo-free Abelian group Strong RSA problem Safe primes 


  1. [1]
    M. Abadi, P. Rogaway, Reconciling two views of cryptography (The computational soundness of formal encryption). J. Cryptol. 15(2), 103–127 (2002) MATHMathSciNetGoogle Scholar
  2. [2]
    E. Bach, Discrete logarithms and factoring. Technical Report CSD-84-186, University of California at Berkeley (1984) Google Scholar
  3. [3]
    M. Backes, B. Pfitzmann, M. Waidner, A composable cryptographic library with nested operations (extended abstract). In: Computer and Communications Security—Proceedings of CCS’03, pp. 220–230 (2003) Google Scholar
  4. [4]
    N. Baric’, B. Pfitzmann, Collision-free accumulators and fail-stop signature schemes without trees. In: Advances in Cryptology—Proceedings of EUROCRYPT’97. LNCS, vol. 1233, pp. 480–494 (1997) Google Scholar
  5. [5]
    E. Biham, D. Boneh, O. Reingold, Breaking generalized Diffie–Hellman modulo a composite is no easier than factoring. Inf. Process. Lett. 70(2), 83–87 (1999) MATHCrossRefMathSciNetGoogle Scholar
  6. [6]
    R. Cramer, V. Shoup, Signature schemes based on the strong RSA assumption. ACM Trans. Inf. Syst. Secur. 3(3), 161–185 (2000). Preliminary version in CCS’99 CrossRefGoogle Scholar
  7. [7]
    D. Dolev, A. Yao, On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983) MATHCrossRefMathSciNetGoogle Scholar
  8. [8]
    E. Fujisaki, T. Okamoto, Statistical zero knowledge protocols to prove modular polynomial relations. In: Proceedings of CRYPTO ’97. LNCS, vol. 1294, pp. 16–30 (1997) Google Scholar
  9. [9]
    R. Gennaro, T. Rabin, H. Krawczyk, RSA-based undeniable signatures. J. Cryptol. 13(4), 397–416 (2000). Preliminary version in CRYPTO’97 MATHCrossRefMathSciNetGoogle Scholar
  10. [10]
    P. Gupta, V. Shmatikiv, Towards computationally sound symbolic analysis of key exchange protocols (extended abstract). In: Formal Methods in Security Engineering—Proceedings of FMSE’05, ed. by V. Atluri, P. Samarati, R. Küsters, J.C. Mitchell. Fairfax, VA, USA, pp. 23–32 (2005) Google Scholar
  11. [11]
    S. Hohenberger, The cryptographic impact of groups with infeasible inversion. Master’s thesis, Massachusetts Institute of Technology, EECS Dept., Cambridge, MA (2003) Google Scholar
  12. [12]
    R. Impagliazzo, M.B. Kapron, Logics for reasoning about cryptographic constructions. J. Comput. Syst. Sci. 72(2), 286–320 (2006). Preliminary version in FOCS’03 MATHMathSciNetGoogle Scholar
  13. [13]
    O. Kharlampovich, A. Myasnikov, Implicit function theorem over free groups. J. Algebra 290(1), 1–203 (2005) MATHCrossRefMathSciNetGoogle Scholar
  14. [14]
    A.I. Mal’cev, On some correspondence between rings and groups. Mat. Sb. 50, 257–266 (1960) MathSciNetGoogle Scholar
  15. [15]
    K.S. McCurley, A key distribution system equivalent to factoring. J. Cryptol. 1(2), 95–105 (1988) MATHCrossRefMathSciNetGoogle Scholar
  16. [16]
    D. Micciancio, S. Goldwasser, Complexity of Lattice Problems: a Cryptographic Perspective, The Kluwer International Series in Engineering and Computer Science, vol. 671. (Kluwer Academic, Boston, 2002) MATHGoogle Scholar
  17. [17]
    D. Micciancio, S. Panjwani, Adaptive security of symbolic encryption. In: Theory of Cryptography Conference—Proceedings of TCC. LNCS, vol. 3378, pp. 169–187 (2005) Google Scholar
  18. [18]
    D. Micciancio, B. Warinschi, Completeness theorems for the Abadi–Rogaway logic of encrypted expressions. J. Comput. Secur. 12(1), 99–129 (2004). Preliminary version in WITS’02 Google Scholar
  19. [19]
    D. Micciancio, B. Warinschi, Soundness of formal encryption in the presence of active adversaries. In: Theory of Cryptography Conference—Proceedings of TCC’04. LNCS, vol. 2951, pp. 133–151 (2004) Google Scholar
  20. [20]
    J.C. Mitchell, A. Ramanathan, A. Scedrov, V. Teague, A probabilistic polynomial-time calculus for the analysis of cryptographic protocols. Theor. Comput. Sci. 353(1–3), 118–164 (2006). Preliminary version in MFPS’01 MATHCrossRefMathSciNetGoogle Scholar
  21. [21]
    G. Neven, A simple transitive signature scheme for directed trees. Theor. Comput. Sci. 396(1–3), 277–282 (2008) MATHCrossRefMathSciNetGoogle Scholar
  22. [22]
    R.L. Rivest, On the notion of pseudo-free groups. In: Theory of Cryptography Conference—Proceedings of TCC’04. LNCS, vol. 2951, pp. 505–521 (2004) Google Scholar
  23. [23]
    R.L. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21, 120–126 (1978) MATHCrossRefMathSciNetGoogle Scholar

Copyright information

© The Author(s) 2009

Authors and Affiliations

  1. 1.Department of Computer Science and EngineeringUniversity of California at San DiegoLa JollaUSA

Personalised recommendations