A Statistically-Hiding Integer Commitment Scheme Based on Groups with Hidden Order
- The earlier scheme  has some gaps in the proof of soundness of the associated protocols, one of which presents a non-trivial problem which, to the best of our knowledge, has remained open until now. We fill all the gaps here using additional ideas including minor modification of the form of a commitment.
- Although related works such as |8, 3, 10, 4| do not suffer from the main problem we solve here, the reason for this is that they use “commitments” with a single base (i.e., of form c = g s mod n). Such commitments, however, cannot satisfy the standard hiding property for commitments, and hence protocols using them cannot in general be (honest-verifier) zero-knowledge nor witness indistinguishable.
- In a computationally convincing proof of knowledge where the prover produces the common input (which is the type of protocol we look at here), one cannot completely exclude the possibility that a prover manages to produce a common input on which he can cheat easily. This means that the standard definition of proofs of knowledge cannot be satisfied. Therefore we introduce a new definition for computationally convincing proofs of knowledge, designed to handle the case where the common input is chosen by the (possibly cheating) prover.
- Our results apply to any group with suitable properties. In particular, they apply to a much larger class of RSA moduli than the safe prime products proposed in  - Potential examples include RSA moduli, class groups and, with a slight modification, even non-Abelian groups.
Our scheme can replace the earlier one in various other constructions, such as the efficient interval proofs of Boudot  and the efficient proofs for the product of two safe primes proposed by Camenisch and Michels .
KeywordsCommitment Scheme Common Input Convincing Proof Root Problem Probabilistic Polynomial Time
- 1.F. Bao: An efficient verifiable encryption scheme for encryption of discrete logarithm, In CARDIS’98, LNCS 1820, pp. 213–220, 2000.Google Scholar
- 2.N. Baric and B. Pfitzmann: Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees, In EUROCRYPT’97, LNCS 1233, pp. 480–494, 1997.Google Scholar
- 3.F. Boudot and J. Traoré. Efficient publicly verifiable secret sharing schemes with fast or delayed recovery. In 2nd ICICS, LNCS 1726, pp. 87–102. 1999.Google Scholar
- 4.F. Boudot: Efficient Proof that a Committed Number Lies in an Interval, In Eurocrypt LNCS 1807, Springer, 2000.Google Scholar
- 5.Boudot: presentation at the rump session of Eurocrypt 2000.Google Scholar
- 6.M. Bellare and O. Goldreich: Defining proofs of knowledge, In Crypto 92.Google Scholar
- 7.R. Cramer and I. Damgård: Zero-Knowledge Proofs for Finite Field Arithmetic or: Can Zero-Knowledge be for Free?, In Crypto 98, LNCS 1462, 1998.Google Scholar
- 8.A. Chan, Y. Frankel and Y. Tsiounis: Easy Come-Easy Go Divisible Cash, In EUROCRYPT’98, pp. 561–575 LNCS 1403, 1998.Google Scholar
- 9.J. Camenisch and M. Michels: Proving in Zero-Knowledge that a Number Is the Product of Two Safe Primes, In Eurocrypt’99 pp. 107–122 LNCS 1592, 1999.Google Scholar
- 10.J. Camenisch and M. Michels: Separability and Efficiency for Generic Group Signature Schemes, In CRYPTO’99 pp. 413–430, LNCS 1666, 1999.Google Scholar
- 11.J. Camenisch and M. Michels: Proving in Zero-Knowledge that a Number Is the Product of Two Safe Primes, Tech. Report RS-98-29, BRICS, 1999.Google Scholar
- 12.I. Damård: Practical and Provably Secure release of a Secret and Exchange of Signatures, J.Cryptology, vol. 8, pp. 201–222, 1995.Google Scholar
- 13.E. Fujisaki: A simple Approach to Secretly Sharing a Factoring Witness in a Publically-Verifiable Manner, IEICE Trans. Fund., E85-A, vol. 5, May 2002.Google Scholar
- 15.E. Fujisaki and T. Okamoto: Statistical Zero-Know ledge Protocols to Prove Modular Polynomial Relations, in IEICE Trans. Fund., E82-A, vol. 1 pp. 81–92, Jan. 1999.Google Scholar
- 17.T. Pedersen: Non-Interactive and Information Theoretic Secure Verifiable Secret Sharing, In Crypto 91, LNCS 576, pp. 129–140.Google Scholar
- 18.P. Paillier: Public-Key Crypto systems Based on Composite Degree Residuosity Classes, In Eurocrypt’99, LNCS 1592, pp. 223–238, 1999.Google Scholar
- 19.T. Okamoto and S. Uchiyama: A New Public-Key Cryptosystem as Secure as Factoring In Eurocrypt 98, LNCS 1403, 1998.Google Scholar