EUROCRYPT 1999: Advances in Cryptology — EUROCRYPT ’99 pp 107-122

# Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes

• Jan Camenisch
• Markus Michels
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1592)

## Abstract

We present the first efficient statistical zero-knowledge protocols to prove statements such as:
• A committed number is a prime.
• A committed (or revealed) number is the product of two safe primes, i.e., primes p and q such that (p - 1)/2 and (q - 1)/2 are prime.
• A given integer has large multiplicative order modulo a composite number that consists of two safe prime factors.

The main building blocks of our protocols are statistical zero-knowledge proofs of knowledge that are of independent interest. We show how to prove the correct computation of a modular addition, a modular multiplication, and a modular exponentiation, where all values including the modulus are committed to but not publicly known. Apart from the validity of the equations, no other information about the modulus (e.g., a generator whose order equals the modulus) or any other operand is exposed. Our techniques can be generalized to prove that any multivariate modular polynomial equation is satisfied, where only commitments to the variables of the polynomial and to the modulus need to be known. This improves previous results, where the modulus is publicly known. We show how these building blocks allow one to prove statements such as those listed earlier.

## Keywords

Discrete Logarithm, Commitment Scheme, Monotone Formula, Modular Exponentiation, Intermediary Result

© Springer-Verlag Berlin Heidelberg 1999

## Authors and Affiliations

• Jan Camenisch (1)
• Markus Michels (2)
1. BRICS, Department of Computer Science, University of Aarhus, Århus C, Denmark
2. Entrust Technologies Europe, Glattzentrum, Switzerland
