A StatisticallyHiding Integer Commitment Scheme Based on Groups with Hidden Order
Abstract

 The earlier scheme [14] has some gaps in the proof of soundness of the associated protocols, one of which presents a nontrivial problem which, to the best of our knowledge, has remained open until now. We fill all the gaps here using additional ideas including minor modification of the form of a commitment.

 Although related works such as 8, 3, 10, 4 do not suffer from the main problem we solve here, the reason for this is that they use “commitments” with a single base (i.e., of form c = g ^{ s } mod n). Such commitments, however, cannot satisfy the standard hiding property for commitments, and hence protocols using them cannot in general be (honestverifier) zeroknowledge nor witness indistinguishable.

 In a computationally convincing proof of knowledge where the prover produces the common input (which is the type of protocol we look at here), one cannot completely exclude the possibility that a prover manages to produce a common input on which he can cheat easily. This means that the standard definition of proofs of knowledge cannot be satisfied. Therefore we introduce a new definition for computationally convincing proofs of knowledge, designed to handle the case where the common input is chosen by the (possibly cheating) prover.

 Our results apply to any group with suitable properties. In particular, they apply to a much larger class of RSA moduli than the safe prime products proposed in [14]  Potential examples include RSA moduli, class groups and, with a slight modification, even nonAbelian groups.
Our scheme can replace the earlier one in various other constructions, such as the efficient interval proofs of Boudot [4] and the efficient proofs for the product of two safe primes proposed by Camenisch and Michels [9].
Keywords
Commitment Scheme Common Input Convincing Proof Root Problem Probabilistic Polynomial TimeReferences
 1.F. Bao: An efficient verifiable encryption scheme for encryption of discrete logarithm, In CARDIS’98, LNCS 1820, pp. 213–220, 2000.Google Scholar
 2.N. Baric and B. Pfitzmann: CollisionFree Accumulators and FailStop Signature Schemes Without Trees, In EUROCRYPT’97, LNCS 1233, pp. 480–494, 1997.Google Scholar
 3.F. Boudot and J. Traoré. Efficient publicly verifiable secret sharing schemes with fast or delayed recovery. In 2nd ICICS, LNCS 1726, pp. 87–102. 1999.Google Scholar
 4.F. Boudot: Efficient Proof that a Committed Number Lies in an Interval, In Eurocrypt LNCS 1807, Springer, 2000.Google Scholar
 5.Boudot: presentation at the rump session of Eurocrypt 2000.Google Scholar
 6.M. Bellare and O. Goldreich: Defining proofs of knowledge, In Crypto 92.Google Scholar
 7.R. Cramer and I. Damgård: ZeroKnowledge Proofs for Finite Field Arithmetic or: Can ZeroKnowledge be for Free?, In Crypto 98, LNCS 1462, 1998.Google Scholar
 8.A. Chan, Y. Frankel and Y. Tsiounis: Easy ComeEasy Go Divisible Cash, In EUROCRYPT’98, pp. 561–575 LNCS 1403, 1998.Google Scholar
 9.J. Camenisch and M. Michels: Proving in ZeroKnowledge that a Number Is the Product of Two Safe Primes, In Eurocrypt’99 pp. 107–122 LNCS 1592, 1999.Google Scholar
 10.J. Camenisch and M. Michels: Separability and Efficiency for Generic Group Signature Schemes, In CRYPTO’99 pp. 413–430, LNCS 1666, 1999.Google Scholar
 11.J. Camenisch and M. Michels: Proving in ZeroKnowledge that a Number Is the Product of Two Safe Primes, Tech. Report RS9829, BRICS, 1999.Google Scholar
 12.I. Damård: Practical and Provably Secure release of a Secret and Exchange of Signatures, J.Cryptology, vol. 8, pp. 201–222, 1995.Google Scholar
 13.E. Fujisaki: A simple Approach to Secretly Sharing a Factoring Witness in a PublicallyVerifiable Manner, IEICE Trans. Fund., E85A, vol. 5, May 2002.Google Scholar
 14.E. Fujisaki and T. Okamoto: Statistical ZeroKnowledge Protocols to prove Modular Polynomial Relations, In Crypto 97, LNCS 1294, 1997.CrossRefGoogle Scholar
 15.E. Fujisaki and T. Okamoto: Statistical ZeroKnow ledge Protocols to Prove Modular Polynomial Relations, in IEICE Trans. Fund., E82A, vol. 1 pp. 81–92, Jan. 1999.Google Scholar
 16.Goldwasser, Micali and Rackoff: The knowledge complexity of interactive proof systems, SIAM J.Computing, vol. 18, pp. 186–208, 1989.MATHCrossRefMathSciNetGoogle Scholar
 17.T. Pedersen: NonInteractive and Information Theoretic Secure Verifiable Secret Sharing, In Crypto 91, LNCS 576, pp. 129–140.Google Scholar
 18.P. Paillier: PublicKey Crypto systems Based on Composite Degree Residuosity Classes, In Eurocrypt’99, LNCS 1592, pp. 223–238, 1999.Google Scholar
 19.T. Okamoto and S. Uchiyama: A New PublicKey Cryptosystem as Secure as Factoring In Eurocrypt 98, LNCS 1403, 1998.Google Scholar