Fair Encryption of RSA Keys

  • Guillaume Poupard
  • Jacques Stern
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1807)


Cryptography is more and more concerned with elaborate protocols involving many participants. In some cases, it is crucial to be sure that players behave fairly especially when they use public key encryption. Accordingly, mechanisms are needed to check the correctness of encrypted data, without compromising secrecy. We consider an optimistic scenario in which users have pairs of public and private keys and give an encryption of their secret key with the public key of a third party. In this setting we wish to provide a publicly verifiable proof that the third party is able to recover the secret key if needed. Our emphasis is on size; we believe that the proof should be of the same length as the original key.

In this paper, we propose such proofs of fair encryption for El Gamal and RSA keys, using the Paillier cryptosystem. Our proofs are really efficient since in practical terms they are only a few hundred bytes long. As an application, we design a very simple and efficient key recovery system.


Discrete Logarithm Security Parameter Choose Ciphertext Attack Random Tape Cheat Strategy 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    N. Asokan, V. Shoup, and M. Waidner. optimistic Fair Exchange of Digital Signatures. In Eurocrypt’ 98, LNCS 1403, pages 591–606. Springer-Verlag, 1998.CrossRefGoogle Scholar
  2. 2.
    F. Bao. An Efficient Verifiable Encryption Scheme for Encryption of Discrete Logarithms. In CARDIS’ 98, 1998.Google Scholar
  3. 3.
    J. Benaloh. Verifiable Secret-Ballot Elections. PhD thesis, Yale University, 1987. Available from
  4. 4.
    D. Boneh and R. Venkatesan. Breaking RSA May Not Be Equivalent to Factoring. In Eurocrypt’ 98, LNCS 1403, pages 59–71. Springer-Verlag, 1998.CrossRefGoogle Scholar
  5. 5.
    F. Boudot. Efficient Proofs that a Committed Number Lies in an Interval. In Eurocrypt 2000, LNCS 1807, pages 431–444. Springer-Verlag, 2000 (this volume).CrossRefGoogle Scholar
  6. 6.
    J. Camenisch and M. Michels. A Group Signature Scheme with Improved Efficiency. In Asiacrypt’ 98, LNCS 1514. Springer-Verlag, 1998.Google Scholar
  7. 7.
    J. Camenisch and M. Michels. Proving in Zero-Knowledge That a Number Is the Product of Two Safe Primes. In Eurocrypt’ 99, LNCS 1592, pages 107–122. Springer-Verlag, 1999.Google Scholar
  8. 8.
    A. Chan, Y. Frankel, and Y. Tsiounis. Easy Come — Easy Go Divisible Cash. In Eurocrypt’ 98, LNCS 1403, pages 561–575. Springer-Verlag, 1998. Available as GTE Tech report.CrossRefGoogle Scholar
  9. 9.
    H. Cohen. A Course in Computational Algebraic Number Theory. Graduate Texts in Mathematics 138. Springer-Verlag, 1993.Google Scholar
  10. 10.
    A. Fiat and A. Shamir. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In Crypto’ 86, LNCS 263, pages 186–194. Springer-Verlag, 1987.Google Scholar
  11. 11.
    PA. Fouque, G. Poupard, and J. Stern. Sharing Decryption in the Context of Voting or Lotteries. In Financial Cryptography 2000, LNCS. Springer-Verlag, 2000.Google Scholar
  12. 12.
    E. Fujisaki and T. Okamoto. A Practical and Provably Secure Scheme for Publicly Verifiable Secret Sharing and Its Applications. In Eurocrypt’ 98, LNCS 1403, pages 32–46. Springer-Verlag, 1998.CrossRefGoogle Scholar
  13. 13.
    M. Girault. Self-certified public keys. In Eurocrypt’ 91, LNCS 547, pages 490–497. Springer-Verlag, 1992.Google Scholar
  14. 14.
    M. Girault and J. Stern. On the Length of Cryptographic Hash-Values used in Identification Schemes. In Crypto’ 94, LNCS 839, pages 202–215. Springer-Verlag, 1994.Google Scholar
  15. 15.
    S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28, 1984.Google Scholar
  16. 16.
    J. Kilian and F.T. Leighton. Fair Cryptosystems Revisited. In Crypto’ 95, LNCS 963, pages 208–221. Springer-Verlag, 1995.Google Scholar
  17. 17.
    D. Naccache and J. Stern. A New Public Key Cryptosystem Based on Higher Residues. In Proc. of the 5th ACM-CCS, pages 59–66. ACM press, 1998.Google Scholar
  18. 18.
    T. Okamoto and S. Uchiyama. A New Public-Key Cryptosystem as Secure as Factoring. In Eurocrypt’ 98, LNCS 1403, pages 308–318. Springer-Verlag, 1998.CrossRefGoogle Scholar
  19. 19.
    P. Paillier. Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. In Eurocrypt’ 99, LNCS 1592, pages 223–238. Springer-Verlag, 1999.Google Scholar
  20. 20.
    D. Pointcheval and J. Stern. Security Proofs for Signature Schemes. In Eurocrypt’ 96, LNCS 1070, pages 387–398. Springer-Verlag, 1996.Google Scholar
  21. 21.
    J. M. Pollard. Monte Carlo Methods for Index Computation (mod p). Mathematics of Computation, 32(143):918–924, July 1978.zbMATHCrossRefMathSciNetGoogle Scholar
  22. 22.
    G. Poupard and J. Stern. Security Analysis of a Practical “on the fly” Authentication and Signature Generation. In Eurocrypt’ 98, LNCS 1403, pages 422–436. Springer-Verlag, 1998.CrossRefGoogle Scholar
  23. 23.
    G. Poupard and J. Stern. Short Proofs of Knowledge for Factoring. In Proceedings of PKC2000, LNCS 1751, pages 147–166. Springer-Verlag, 2000.Google Scholar
  24. 24.
    C. P. Schnorr. Efficient Signature Generation by Smart Cards. Journal of Cryptology, 4(3):161–174, 1991.zbMATHCrossRefMathSciNetGoogle Scholar
  25. 25.
    B. Vallée. Gauss’ Algorithm Revisited. Journal of Algorithms, 12:556–572, 1991.zbMATHCrossRefMathSciNetGoogle Scholar
  26. 26.
    P. C. van Oorschot and M. J. Wiener. On Diffie-Hellman Key Agreement with Short Exponents. In Eurocrypt’ 96, LNCS 1070, pages 332–343. Springer-Verlag, 1996.Google Scholar
  27. 27.
    E. Verheul. Certificates of Recoverability with Scaleable Recovery Agent Security. In Proceedings of PKC2000, LNCS 1751. Springer-Verlag, 2000.Google Scholar
  28. 28.
    E. Verheul and H. van Tilborg. Binding ElGamal: A Fraud-Detectable Alternative to Key-Escrow Proposals. In Eurocrypt’ 97, LNCS 1233, pages 119–133. Springer-Verlag, 1997.Google Scholar
  29. 29.
    A. Young and M. Yung. Auto-Recoverable Auto-Certifiable Cryptosystems. In Eurocrypt’ 98, LNCS 1403, pages 17–31. Springer-Verlag, 1998.CrossRefGoogle Scholar
  30. 30.
    A. Young and M. Yung. RSA-based Auto-Recoverable Cryptosystems. In Proceedings of PKC2000, LNCS 1751. Springer-Verlag, 2000.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Guillaume Poupard
    • 1
  • Jacques Stern
    • 1
  1. 1.Département d’informatiqueÉcole Normale SupérieureParis Cedex 05France

Personalised recommendations