Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes

  • Jan Camenisch
  • Markus Michels
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1592)


We present the first efficient statistical zero-knowledge protocols to prove statements such as:
  • A committed number is a prime.
  • A committed (or revealed) number is the product of two safe primes, i.e., primes p and q such that (p - 1)/2 and (q - 1)/2 are prime.
  • A given integer has large multiplicative order modulo a composite number that consists of two safe prime factors.

The main building blocks of our protocols are statistical zero-knowledge proofs of knowledge that are of independent interest. We show how to prove the correct computation of a modular addition, a modular multiplication, and a modular exponentiation, where all values, including the modulus, are committed to but not publicly known. Apart from the validity of the equations, no other information about the modulus (e.g., a generator whose order equals the modulus) or about any other operand is exposed. Our techniques can be generalized to prove that any multivariate modular polynomial equation is satisfied, where only commitments to the variables of the polynomial and to the modulus need to be known. This improves on previous results, in which the modulus is publicly known. We show how these building blocks make it possible to prove statements such as those listed above.
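The three statements above are what the protocols prove without revealing the factors. As an added example (not from the paper), the Python below checks the same predicates with p and q in the clear, i.e. the statement a verifier would test if it held the factorization, not the zero-knowledge proof itself. It uses the fact that for a safe-prime product n = pq the group Z_n^* has order (p-1)(q-1) = 4p'q', so every element's order is either tiny or a multiple of p'q'. The sample values p = 23, q = 47 are constructed.

```python
# Added example (not from Camenisch and Michels): plaintext versions of the
# statements their protocols prove in zero-knowledge, checked with p, q known.
import math

# Deterministic Miller-Rabin for n < 3.3e24 when run with these fixed bases.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int) -> bool:
    if n < 2:
        return False
    if any(n % b == 0 for b in _MR_BASES):
        return n in _MR_BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p: int) -> bool:
    # p is a safe prime when both p and p' = (p - 1) / 2 are prime.
    return p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def is_safe_prime_product(n: int, p: int, q: int) -> bool:
    # Second statement of the abstract, with the factors in the clear.
    return p != q and n == p * q and is_safe_prime(p) and is_safe_prime(q)

def multiplicative_order(g: int, p: int, q: int) -> int:
    # |Z_n^*| = (p-1)(q-1) = 4p'q', so ord(g) is one of the 12 divisors of 4p'q'.
    pp, qq, n = (p - 1) // 2, (q - 1) // 2, p * q
    if math.gcd(g, n) != 1:
        raise ValueError("g is not a unit mod n")
    divisors = sorted(a * b * c for a in (1, 2, 4) for b in (1, pp) for c in (1, qq))
    return next(d for d in divisors if pow(g, d, n) == 1)

def has_large_order(g: int, p: int, q: int) -> bool:
    # Third statement of the abstract: ord(g) is a multiple of p'q' iff
    # g^(4p') != 1 and g^(4q') != 1 mod n (any other order divides 4p' or 4q').
    pp, qq, n = (p - 1) // 2, (q - 1) // 2, p * q
    return pow(g, 4 * pp, n) != 1 and pow(g, 4 * qq, n) != 1
```

With the constructed n = 23 * 47 = 1081 (p' = 11, q' = 23), the element 2 has order p'q' = 253, while n - 1 has order 2 and is rejected by `has_large_order`.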





Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Jan Camenisch (1)
  • Markus Michels (2)
  1. BRICS, Department of Computer Science, University of Aarhus, Århus C, Denmark
  2. Entrust Technologies Europe, Glattzentrum, Switzerland
