ASIACRYPT 2002: Advances in Cryptology — ASIACRYPT 2002 pp 125-142

# A Statistically-Hiding Integer Commitment Scheme Based on Groups with Hidden Order

• Ivan Damgård
• Eiichiro Fujisaki
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2501)

## Abstract

We present a statistically-hiding commitment scheme allowing commitment to arbitrary size integers, based on any (Abelian) group with certain properties, most importantly, that it is hard for the committer to compute its order. We also give efficient zero-knowledge protocols for proving knowledge of the contents of commitments and for verifying multiplicative relations over the integers on committed values. The scheme can be seen as a generalization, with a slight modification, of the earlier scheme of Fujisaki and Okamoto [14]. The reasons we revisit the earlier scheme and give some modification to it are as follows:
• - The earlier scheme [14] has some gaps in the proof of soundness of the associated protocols, one of which presents a non-trivial problem which, to the best of our knowledge, has remained open until now. We fill all the gaps here using additional ideas including minor modification of the form of a commitment.

• - Although related works such as |8, 3, 10, 4| do not suffer from the main problem we solve here, the reason for this is that they use “commitments” with a single base (i.e., of form c = g s mod n). Such commitments, however, cannot satisfy the standard hiding property for commitments, and hence protocols using them cannot in general be (honest-verifier) zero-knowledge nor witness indistinguishable.

• - In a computationally convincing proof of knowledge where the prover produces the common input (which is the type of protocol we look at here), one cannot completely exclude the possibility that a prover manages to produce a common input on which he can cheat easily. This means that the standard definition of proofs of knowledge cannot be satisfied. Therefore we introduce a new definition for computationally convincing proofs of knowledge, designed to handle the case where the common input is chosen by the (possibly cheating) prover.

• - Our results apply to any group with suitable properties. In particular, they apply to a much larger class of RSA moduli than the safe prime products proposed in [14] - Potential examples include RSA moduli, class groups and, with a slight modification, even non-Abelian groups.

Our scheme can replace the earlier one in various other constructions, such as the efficient interval proofs of Boudot [4] and the efficient proofs for the product of two safe primes proposed by Camenisch and Michels [9].

## Keywords

Commitment Scheme Common Input Convincing Proof Root Problem Probabilistic Polynomial Time
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

## References

1. 1.
F. Bao: An efficient verifiable encryption scheme for encryption of discrete logarithm, In CARDIS’98, LNCS 1820, pp. 213–220, 2000.Google Scholar
2. 2.
N. Baric and B. Pfitzmann: Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees, In EUROCRYPT’97, LNCS 1233, pp. 480–494, 1997.Google Scholar
3. 3.
F. Boudot and J. Traoré. Efficient publicly verifiable secret sharing schemes with fast or delayed recovery. In 2nd ICICS, LNCS 1726, pp. 87–102. 1999.Google Scholar
4. 4.
F. Boudot: Efficient Proof that a Committed Number Lies in an Interval, In Eurocrypt LNCS 1807, Springer, 2000.Google Scholar
5. 5.
Boudot: presentation at the rump session of Eurocrypt 2000.Google Scholar
6. 6.
M. Bellare and O. Goldreich: Defining proofs of knowledge, In Crypto 92.Google Scholar
7. 7.
R. Cramer and I. Damgård: Zero-Knowledge Proofs for Finite Field Arithmetic or: Can Zero-Knowledge be for Free?, In Crypto 98, LNCS 1462, 1998.Google Scholar
8. 8.
A. Chan, Y. Frankel and Y. Tsiounis: Easy Come-Easy Go Divisible Cash, In EUROCRYPT’98, pp. 561–575 LNCS 1403, 1998.Google Scholar
9. 9.
J. Camenisch and M. Michels: Proving in Zero-Knowledge that a Number Is the Product of Two Safe Primes, In Eurocrypt’99 pp. 107–122 LNCS 1592, 1999.Google Scholar
10. 10.
J. Camenisch and M. Michels: Separability and Efficiency for Generic Group Signature Schemes, In CRYPTO’99 pp. 413–430, LNCS 1666, 1999.Google Scholar
11. 11.
J. Camenisch and M. Michels: Proving in Zero-Knowledge that a Number Is the Product of Two Safe Primes, Tech. Report RS-98-29, BRICS, 1999.Google Scholar
12. 12.
I. Damård: Practical and Provably Secure release of a Secret and Exchange of Signatures, J.Cryptology, vol. 8, pp. 201–222, 1995.Google Scholar
13. 13.
E. Fujisaki: A simple Approach to Secretly Sharing a Factoring Witness in a Publically-Verifiable Manner, IEICE Trans. Fund., E85-A, vol. 5, May 2002.Google Scholar
14. 14.
E. Fujisaki and T. Okamoto: Statistical Zero-Knowledge Protocols to prove Modular Polynomial Relations, In Crypto 97, LNCS 1294, 1997.
15. 15.
E. Fujisaki and T. Okamoto: Statistical Zero-Know ledge Protocols to Prove Modular Polynomial Relations, in IEICE Trans. Fund., E82-A, vol. 1 pp. 81–92, Jan. 1999.Google Scholar
16. 16.
Goldwasser, Micali and Rackoff: The knowledge complexity of interactive proof systems, SIAM J.Computing, vol. 18, pp. 186–208, 1989.
17. 17.
T. Pedersen: Non-Interactive and Information Theoretic Secure Verifiable Secret Sharing, In Crypto 91, LNCS 576, pp. 129–140.Google Scholar
18. 18.
P. Paillier: Public-Key Crypto systems Based on Composite Degree Residuosity Classes, In Eurocrypt’99, LNCS 1592, pp. 223–238, 1999.Google Scholar
19. 19.
T. Okamoto and S. Uchiyama: A New Public-Key Cryptosystem as Secure as Factoring In Eurocrypt 98, LNCS 1403, 1998.Google Scholar