Removing the Strong RSA Assumption from Arguments over the Integers
Abstract
Committing integers and proving relations between them is an essential ingredient in many cryptographic protocols. Among them, range proofs have been shown to be fundamental. They consist in proving that a committed integer lies in a public interval, which can be seen as a particular case of the more general Diophantine relations: for the committed vector of integers \(\varvec{x}\), there exists a vector of integers \(\varvec{w}\) such that \(P(\varvec{x},\varvec{w})=0\), where P is a polynomial.
In this paper, we revisit the security strength of the statistically hiding commitment scheme over the integers due to Damgård-Fujisaki, and the zero-knowledge proofs of knowledge of openings. Our first main contribution shows how to remove the Strong RSA assumption and replace it by the standard RSA assumption in the security proofs. This improvement naturally extends to generalized commitments and more complex proofs without modifying the original protocols.
As a second contribution, we design an interactive technique turning a commitment scheme over the integers into a commitment scheme modulo a prime p. Still under the RSA assumption, this results in more efficient proofs of relations between committed values. Our methods thus improve upon existing proof systems for Diophantine relations both in terms of performance and security. We illustrate this with more efficient range proofs under the sole RSA assumption.
Keywords
Public-key cryptography; Commitment schemes; Interactive arguments of knowledge; Zero-knowledge proofs; RSA assumption
1 Introduction
Commitment Schemes. Commitments are one of the most fundamental and widely used tools in cryptography. A commitment scheme allows a committer \(\mathscr {C}\) holding a secret value s to send a commitment c of s to a verifier \(\mathscr {V}\), and later on to open this commitment to reveal the value s. Such a commitment should hide the committed value s from the verifier, but bind the committer to opening only s. A famous example of a commitment scheme that perfectly hides its input is the Pedersen commitment scheme [38], whose binding property relies on the discrete logarithm assumption: let \(\mathbb {G}\) be a group of prime order p with two generators (g, h). To commit to \(m \in \mathbb {Z}_p\), \(\mathscr {C}\) picks at random \(r \in \mathbb {Z}_p \) and sends \(c = g^mh^r\).
Fujisaki and Okamoto introduced the first integer commitment scheme [23], which was later generalized in [20]. Unlike classical commitment schemes, an integer commitment scheme allows \(\mathscr {C}\) to commit to any \(m \in \mathbb {Z}\). Intuitively, this is done by committing to m in a group \(\mathbb {Z}_\tau \) of unknown order \(\tau \), where division by units cannot be performed in general.
Interactive Proofs of Knowledge. An interactive proof of knowledge is a two-party protocol in which a prover \(\mathscr {P}\) wants to convince a verifier \(\mathscr {V}\) of his knowledge of some values satisfying a public statement. It should be knowledge-extractable, which means that an extractor can get values satisfying the statement when interacting with a successful prover, and zero-knowledge, which means that no information about these values leaks to the verifier (except that they satisfy the statement). Such proofs of knowledge are useful in many cryptographic constructions. Commitment schemes are a core component of zero-knowledge proofs of knowledge. In particular, integer commitment schemes have been extensively used in various interactive protocols involving zero-knowledge proofs of knowledge.
Assumptions for Proofs on Integer Commitments. The binding property of the Damgård-Fujisaki commitment scheme relies on the hardness of factoring composite integers. Even though the intractability of factoring is widely considered as a mild computational assumption, the knowledge-extractability of the proofs using these commitments relies on the \(\textsf {Strong\text {-}RSA}\) assumption [3, 23], which is a much stronger assumption than the classical \(\textsf {RSA}\) assumption. This assumption states that, given a composite integer n and a random element \(u \in {\mathbb {Z}_n ^*} \), it is hard to find a pair (v, e) with \(e>1\) such that \(u = v^e \bmod n\). Unlike the \(\textsf {RSA}\) assumption [43], where the exponent \(e>1\) is imposed, there are exponentially many solutions to a given instance of the \(\textsf {Strong\text {-}RSA}\) problem, so the problem is easier to solve. However, these commitments still provide the best solution to prove relations over integers.
Range Proof. The most widespread reason to work over the integers is to prove that a committed value x lies in a public integer range \(\mathopen {[\![}a\mathclose {}\mathpunct {};b\mathclose {]\!]}\). Indeed, working over the integers makes it possible to show that \(x-a\) and \(b-x\) are positive by decomposing them as sums of four squares, following the well-known result of Lagrange. Boudot in his Eurocrypt’00 talk, and Lipmaa [36], were the first to propose such a method relying on a commitment over the integers. As a consequence, the knowledge extractability of this range proof requires the \(\textsf {Strong\text {-}RSA}\) assumption.
1.1 Our Contribution
First, we revisit the Damgård-Fujisaki integer commitment scheme and show that the security of arguments of knowledge of openings can be based on the standard \(\textsf {RSA}\) assumption, instead of the \(\textsf {Strong\text {-}RSA}\) assumption. In the reduction, we use the rewinding technique in a different way than in [20], as well as the splitting lemma [39, 40]. Our result extends to any protocol involving arguments on relations between committed integers which first proves knowledge of the inputs before proving that the relations are satisfied. This implies that the security of numerous protocols, such as two-party computation [18, 32], e-cash [12], e-voting [25], secure generation of RSA keys [21, 33], zero-knowledge primality tests [14], password-protected secret sharing [31], and range proofs [36], among many others, can be proven under the \(\textsf {RSA}\) assumption instead of the \(\textsf {Strong\text {-}RSA}\) assumption at no computational cost. In addition, we believe that the ideas on which our proof relies could be used in several other constructions whose security was proven under the \(\textsf {Strong\text {-}RSA}\) assumption, and might allow replacing the \(\textsf {Strong\text {-}RSA}\) assumption by the standard \(\textsf {RSA}\) assumption there as well.
Second, we revisit a commitment scheme which was formally introduced in [24]: \(c=g^m R^\pi \bmod n\), for a message \(m\in \mathbb {Z}_\pi \) and \(R\in {\mathbb {Z}_n ^*} \). It is perfectly hiding, and the binding property relies on the \(\textsf {RSA}\) assumption (with modulus n, exponent \(\pi \), and challenge g). We prove, as for the Damgård-Fujisaki commitment scheme, that the security of an argument of knowledge of an opening can also be based on the classical \(\textsf {RSA}\) assumption. We then identify an interesting property satisfied by this commitment, which corresponds informally to the possibility of seeing this commitment scheme either as an integer commitment scheme (i.e., \(c = g^m h^r \bmod n\)), or, after some secret has been revealed, as a commitment scheme over \(\mathbb {Z}_\pi \) for some prime \(\pi \) (i.e., \(c = g^m R^\pi \bmod n\)). Without additional assumption, we show how the unpredictability of \(\pi \) allows improving the efficiency of zero-knowledge arguments over the integers, as the knowledge of the order \(\pi \) is delayed in the protocol. This method saves communication and greatly reduces the work of the verifier, compared with a classical zero-knowledge argument for the same statement. We illustrate our method on range proofs [36], a zero-knowledge argument of knowledge of an input to a commitment such that the input belongs to some public interval.
Taken together, our contributions enhance both the security, by removing the \(\textsf {Strong\text {-}RSA}\) assumption, and the efficiency of numerous cryptographic protocols relying on integer commitment schemes.
1.2 Related Works
The Damgård-Fujisaki commitment scheme [20, 23] is the only known homomorphic statistically-hiding commitment scheme over the integers. Arguments of knowledge over the integers were studied in [16, 34, 36].
Another approach to range proofs consists in writing the number in binary notation [10, 27] or u-ary notation [11], committing to its decomposition, and performing a specific proof for each of these commitments. For example, membership to \(\mathopen {[\![}0\mathclose {}\mathpunct {};2^\ell \mathclose {]\!]}\) is proven in communication \(O(\ell /(\log \ell - \log \log \ell ))\) in the protocol of [11], and in communication \(O(\ell ^{1/3})\) in the protocol of [27] (only counting the number of group elements).
Note that protocols such as [17] also make it possible to prove that a committed integer x lies in a given interval \(\mathopen {[\![}0\mathclose {}\mathpunct {};a\mathclose {]\!]}\) up to an accuracy parameter \(\delta \): actually, only membership to \(\mathopen {[\![}0\mathclose {}\mathpunct {};(1+\delta )a\mathclose {]\!]}\) is proved.
Finally, several papers have proposed signatures based on the standard \(\textsf {RSA}\) assumption [7, 29, 30] as alternatives to classical signature schemes based on the \(\textsf {Strong\text {-}RSA}\) assumption. Our work is in the same vein as these papers, replacing the \(\textsf {Strong\text {-}RSA}\) assumption by the \(\textsf {RSA}\) assumption in arguments over the integers. However, note that we do not actually propose a new argument system to get rid of the \(\textsf {Strong\text {-}RSA}\) assumption, but rather show that the security of the classical argument system is implied by the \(\textsf {RSA}\) assumption. As a consequence, the schemes using arguments over the integers do not need to be modified to benefit from our security analysis.
1.3 Organization
Section 2 introduces the necessary background for what follows, in particular some useful facts on RSA groups. Section 3 recalls the Damgård-Fujisaki commitment scheme, its properties, and the argument of knowledge of [20]. A new security proof of the latter, under the standard \(\textsf {RSA}\) assumption, is given in detail in Sect. 4. Section 5 illustrates some extensions of our result. First, we show how one can commit to vectors at once with generalized commitments. Then, we show how one can make range proofs under the standard \(\textsf {RSA}\) assumption. Section 6 revisits the commitment scheme of [24] and shows how, by switching from the previous commitment to this one, we can get a new, more efficient interactive proof system for performing zero-knowledge arguments over the integers. Finally, Sect. 7 illustrates our method on range proofs, with concrete efficiency comparisons.
For the sake of completeness, in the full version [19] we exhibit a flaw in the optimized version of Lipmaa’s range proof [36, Annex B]. We then propose a fix as well as a security proof.
2 Background
Throughout this paper, \(\kappa \) denotes the security parameter. An algorithm is efficient when it runs in polynomial time in the (implicit) security parameter \(\kappa \). A positive function f is negligible if for any polynomial p there exists a bound \(B>0\) such that, for any integer \(k\ge B\), \(f(k)\le 1/\vert p(k) \vert \). An event depending on \(\kappa \) occurs with overwhelming probability when its probability is at least \(1-\varepsilon (\kappa )\) for a negligible function \(\varepsilon \).
2.1 Notations
Given a finite set S, the notation \(x\leftarrow _RS\) means a uniformly random assignment of an element of S to the variable x, so that for any \(s\in S\) we have \(\Pr _S[x=s]=1/\# S\), where \(\# S\) denotes the cardinality of S. When an element s is represented by an integer, \(\vert s \vert _b\) is the bit-length of the integer, and \(\vert s \vert \) denotes its absolute value (or norm). Bold variables denote vectors. For a vector \(\varvec{x} = (x_1, \cdots , x_\ell )\), \(g^{\varvec{x}}\) denotes \((g^{x_1}, \cdots , g^{x_\ell })\) and \(\Vert \varvec{x} \Vert _\infty =\max _{1\le i\le \ell }\vert x_i \vert \).
The integer range \(\mathopen {[\![}a\mathclose {}\mathpunct {};b\mathclose {]\!]}\) stands for \(\{x\in \mathbb {Z}\;\vert \;a\le x\le b\}\). For any integers \({a\le b}\), the statistical distance between the two uniform distributions over \(U_a=\mathopen {[\![}1\mathclose {}\mathpunct {};a\mathclose {]\!]}\) and \(U_b=\mathopen {[\![}1\mathclose {}\mathpunct {};b\mathclose {]\!]}\) respectively is given by \(\sum _{i=1}^{b} \vert \Pr _{U_a}[x=i]-\Pr _{U_b} [x=i] \vert = \sum _{i=1}^{a}(1/a-1/b)+\sum _{i=a+1}^{b} 1/b = 2 (b-a)/b\).
2.2 Commitment Scheme
A commitment scheme is defined by three algorithms:
\(\mathsf {Setup}(1^\kappa )\), generates the public parameters \(\mathsf {pp}\), which also specifies the message space \(\mathscr {M} \), the commitment space \(\mathscr {C} \), the opening space \(\mathscr {D} \), and the random source \(\mathscr {R} \);

\(\mathsf {Commit}(\mathsf {pp},m;r)\), given the message \(m\in \mathscr {M} \) and some random coins \(r\in \mathscr {R} \), outputs a commitment-opening pair (c, d). When there is no ambiguity, we will abuse the notation \((c,d)\leftarrow _R\mathsf {Commit}(m)\), for \(\mathsf {pp} \) and \(r\leftarrow _R\mathscr {R} \);

\(\mathsf {Verify}(\mathsf {pp},c,d,m)\), outputs a bit whose value depends on the validity of the opening (m, d) with respect to the commitment c.
 Correct.

For any public parameters \(\mathsf {pp} \leftarrow _R\mathsf {Setup}(1^\kappa )\), any message \(m\in \mathscr {M} \), and any random coin \(r\in \mathscr {R} \), if \((c,d)\leftarrow \mathsf {Commit}(\mathsf {pp},m;r)\), then we necessarily have \(\mathsf {Verify}(\mathsf {pp},c,d,m)=1\).
 Hiding.

No probabilistic polynomial-time adversary \(\mathscr {A}\), that is first given \(\mathsf {pp} \leftarrow _R\mathsf {Setup}(1^\kappa )\), can distinguish commitments on two messages \((m_0,m_1)\) of its choice. The commitment scheme is said to be statistically hiding if the indistinguishability holds even for unbounded adversaries.
 Binding.

No probabilistic polynomial-time adversary \(\mathscr {A}\) can open a commitment c on two different messages \(m_0\ne m_1\). The commitment scheme is said to be statistically binding if this is infeasible even for unbounded adversaries.
A commitment scheme can also be homomorphic, if for a group law \(\oplus \) on the message space \(\mathscr {M} \), from \(\mathsf {pp} \), \((c_0,d_0)\leftarrow \mathsf {Commit}(\mathsf {pp},m_0;r_0)\) and \((c_1,d_1)\leftarrow \mathsf {Commit}(\mathsf {pp},m_1;r_1)\), one can generate c and d so that \(\mathsf {Verify}(\mathsf {pp},c,d,m_0\oplus m_1)=1\).
2.3 Interactive Proof Systems
We now recall the second tool we will use in this paper, zero-knowledge proofs of knowledge, and their variants.
Zero-Knowledge Proofs and Arguments. Let \(\mathsf {R} \) be an NP-relation over a set \(\mathfrak {X} \) defining an NP-language \(\mathscr {L} = \{x \in \mathfrak {X} \;\vert \;\exists w, \mathsf {R} (x,w) = 1\}\), where a w such that \(\mathsf {R} (x,w) = 1\) is called a witness for the statement \(x\in \mathscr {L} \).
 Correct.

For every \(x\in \mathscr {L} \), if \(\mathscr {P}\) knows a witness w, and both \(\mathscr {P}\) and \(\mathscr {V}\) behave honestly, \(\langle \mathscr {P}(w),\mathscr {V}\rangle (x\in \mathscr {L}) \) is accepted by \(\mathscr {V}\) with overwhelming probability.
 Knowledge Extractable.

For any prover \(\mathscr {P}'\) which succeeds in convincing \(\mathscr {V}\) of \(x\in \mathscr {L} \) with non-negligible probability, there exists a simulator \(\mathscr {S}\!\textit{im}_\mathsf {KE}\), running in expected polynomial time, which extracts a witness w for \(x\in \mathscr {L} \) from \(\mathscr {P}'\).
 Zero-Knowledge.

For any verifier \(\mathscr {V}'\), there exists a simulator \(\mathscr {S}\!\textit{im}_\mathsf {ZK}\) such that for every \(x\in \mathscr {L} \), \(\mathscr {S}\!\textit{im}_\mathsf {ZK}(x)\) and \(\textsc {View} _{\mathscr {V}'}[\langle \mathscr {P}(w),\mathscr {V}'\rangle (x\in \mathscr {L}) ]\), where w is a witness for \(x\in \mathscr {L} \), are indistinguishable.
If the knowledge-extractability holds only for a computationally-bounded \(\mathscr {P}'\), the protocol is a zero-knowledge argument of knowledge (\(\textsf {ZKAoK}\)). If the verifier is restricted to being honest in the zero-knowledge property, the proof is an honest-verifier zero-knowledge proof.
Zero-Knowledge Arguments from Diophantine Relations. A Diophantine set \(S \subseteq \mathbb {Z}^k\) is a set of vectors over \(\mathbb {Z}^k\) defined by a representing polynomial \(P_S(X,W)\) with \(X = (X_1, \cdots , X_k)\) and \(W = (Y_1, \cdots , Y_\ell )\), i.e. a set of the form \(S = \{\varvec{x} \in \mathbb {Z}^k \;\vert \;\exists \varvec{w} \in \mathbb {Z}^\ell , P_S(\varvec{x},\varvec{w}) = 0\}\) for some polynomial \(P_S\). It was shown in [22] that any recursively enumerable set is Diophantine. An interesting class for cryptographic applications is the class \(\mathbf {D}\) of Diophantine sets S such that each \(\varvec{x} \in S\) has at least one witness \(\varvec{w}\) satisfying \(\Vert \varvec{w} \Vert _\infty \le \Vert \varvec{x} \Vert _\infty ^{O(1)}\). It is widely conjectured that \(\mathbf {D} = \mathsf {NP} \), as \(\mathbf {D} \) contains several \(\mathsf {NP}\)-complete problems, and it was shown in [41] that if \(\mathsf {co}\text {-}\mathsf {NLOGTIME} \subseteq \mathbf {D} \), then \(\mathbf {D} = \mathsf {NP} \). The class \(\mathbf {D}\) was introduced in [1] and its cryptographic relevance was pointed out in [36]. For example, the set \(\mathbb {Z}_+\) of positive integers is in \(\mathbf {D}\), as by a well-known result of Lagrange, it can be defined as \(\mathbb {Z}_+ = \{x \in \mathbb {Z}\;\vert \;\exists (w_1,w_2,w_3,w_4)\in \mathbb {Z}^4, x - (w_1^2 + w_2^2 + w_3^2 + w_4^2) = 0\}\). In addition, each \(w_i\) is of bounded size \(\vert w_i \vert \le \vert x \vert \).
Lipmaa [36] has shown that zero-knowledge arguments of membership to a set \(S \in \mathbf {D} \), with representing polynomial P over k-vector inputs and \(\ell \)-vector witnesses, can be constructed using an integer commitment scheme, such as [20]. The size of the argument (the communication between \(\mathscr {P}\) and \(\mathscr {V}\)) depends on k, \(\ell \), and \(\deg (P)\), the degree of P. As noted in [36], intervals, unions of intervals, exponential relations (i.e., the set of tuples (x, y, z) such that \(z = x^y\)) and the \(\gcd \) relation (i.e., the set of tuples (x, y, z) such that \(z = \gcd (x,y)\)) are all in \(\mathbf {D}\), with parameters (k, \(\ell \) and \(\deg (P)\)) small enough for cryptographic applications.
2.4 RSA Group Structure
In this paper we focus on \({\mathbb {Z}_n ^*} \) for a strong RSA modulus \(n=pq\) where p, q are distinct safe primes. That means that \(p=2p'+1\) and \(q=2q'+1\) for two other primes, so that \(p,p',q,q'\) are all distinct, and \(\varphi (n) = 4p'q'\). We write \(a=b \bmod n\) to specify that \(a=b\) in \(\mathbb {Z}_n \), and we write \(a\leftarrow [b \bmod n]\) to assign to a the smallest positive integer such that \(a=b \bmod n\).
By \(\mathsf {GenMod}(1^\kappa )\), we denote a probabilistic efficient algorithm that, given the security parameter \(\kappa \), generates a strong RSA modulus n and secret parameters (p, q) of at least \(\kappa \) bits each with the specification that \(n=pq\). In the following, we write \((n,(p,q))\leftarrow _R\mathsf {GenMod}(1^\kappa )\). We will sometimes abuse the notation \(n\leftarrow _R\mathsf {GenMod}(1^\kappa )\) to say that the modulus n has been generated according to this distribution.
The RSA Assumption. The \(\textsf {RSA}\) assumption states, informally, that given an exponent e prime to \(\varphi (n)\), it is hard for any probabilistic polynomial-time algorithm to find the e-th root modulo n of a random \(y\leftarrow _R{\mathbb {Z}_n ^*} \). More formally, let \(\mathsf {P} _n\) be the subset of \(\mathbb {Z}_n \) of elements prime to \(\varphi (n)\). The \(\textsf {RSA}\) assumption in fact refers to a class of assumptions, depending on the distribution \(\mathscr {D} _n\) over \(\mathsf {P} _n\) from which the exponent e is drawn.
 \(\mathscr {D} _n\)-RSA Assumption

[43]. For \(n\leftarrow _R\mathsf {GenMod}(1^\kappa )\) and \(e \leftarrow _R\mathscr {D} _n\), it is hard for any probabilistic polynomial-time algorithm to find the e-th root modulo n of a random \(y\leftarrow _R{\mathbb {Z}_n ^*} \). The triple (n, e, y) is the \(\textsf {RSA}\) instance.
Various flavours of the \(\textsf {RSA}\) assumption are standard in the literature. In particular, the \(\textsf {RSA}\) assumption with a fixed small exponent (the most common being 65537) is widely used in practical implementations. In theoretical papers, it is common to consider the \(\textsf {RSA}\) assumption for exponents picked from the uniform distribution over \(\mathsf {P} _n\) (see [30] for example). In this paper, we use a flavour of the \(\textsf {RSA}\) assumption which is somewhat intermediate between these two standard variants: we will consider the \(\textsf {RSA}\) assumption for exponents picked from the uniform distribution over \(\mathopen {[\![}3\mathclose {}\mathpunct {};a\mathclose {]\!]} \cap \mathsf {P} _n\) for a value a polynomial in \(\kappa \) (hence, we consider random small exponents). To simplify the notations, we will denote by a-\(\textsf {RSA}\) this variant of the \(\textsf {RSA}\) assumption^{1}.
Other Computational Assumptions. Other famous computational assumptions over RSA groups are the intractability of factorization and the \(\textsf {Strong\text {-}RSA}\) assumption:
 Integer Factorization Assumption.

It states that finding a non-trivial factor of \(n\leftarrow _R\mathsf {GenMod}(1^\kappa )\) is hard for any probabilistic polynomial-time algorithm.
 Strong-RSA Assumption

[3, 23]. It leaves the choice of e to the algorithm: it states that, for \(n\leftarrow _R\mathsf {GenMod}(1^\kappa )\) and a random \(y\leftarrow _R{\mathbb {Z}_n ^*} \), it is hard for any probabilistic polynomial-time algorithm to find an e-th root of y modulo n for an exponent \(e>1\) of its choice.
It is well-known that breaking the integer factorization assumption allows one to break both the \(\textsf {RSA}\) and the \(\textsf {Strong\text {-}RSA}\) assumptions. From the definition, it is clear that the \(\textsf {Strong\text {-}RSA}\) assumption gives more degrees of freedom to the adversary, so it is seemingly much stronger. Indeed, for the \(\textsf {RSA}\) assumption, the exponent is not chosen by the adversary, but can be fixed in any way in advance by the challenger.
Properties of Strong RSA Groups. One can note that in groups modulo n, where \(n=pq\) is a strong RSA modulus, p and q are Blum primes: \(p=q=3 \bmod 4\). If we denote by \(\mathsf {QR}_n \) the subgroup of the squares, \(\mathsf {QR}_n =\{a\in {\mathbb {Z}_n ^*}\ \;\vert \;\exists b\in {\mathbb {Z}_n ^*}, a=b^2\bmod n\}\), it is a cyclic subgroup of \({\mathbb {Z}_n ^*} \) of order \(\varphi (n)/4=p'q'\).
Proposition 1
 1.
\(-1\not \in \mathsf {QR}_n \);
 2.
any square \(h\in \mathsf {QR}_n \) has four square roots, with exactly one in \(\mathsf {QR}_n \);
 3.
for a random element \(h\in \mathsf {QR}_n \), finding a square root of h is equivalent to factoring the modulus n;
 4.
for random elements \(g,h\in \mathsf {QR}_n \), finding non-zero integers a, b such that \(g^a =h^b \bmod n\) is equivalent to factoring the modulus n;
 5.
for an \(\textsf {RSA}\) instance (n, e, y), finding \(x\in {\mathbb {Z}_n ^*} \) and \(e'\) prime to e such that \(x^e =y^{e'} \bmod n\) is equivalent to finding an e-th root of y modulo n.
Proof
Let us briefly explain why these facts hold, using the Jacobi symbol function \(J_n(x) = J_p(x) \times J_q(x)\) in \({\mathbb {Z}_n ^*} \), as the extension of the Legendre symbol on \(\mathbb {Z}_p^* \) for prime p, \(J_p(x) = x^{(p-1)/2}\), which determines whether x is a square or not in \(\mathbb {Z}_p^* \). Since p and q are Blum primes, \(J_p(-1) = J_q(-1) = -1\), and so \(J_n(-1) =1\), but \(-1\) is not in \(\mathsf {QR}_n \), hence Fact 1. The four square roots of 1 in \({\mathbb {Z}_n ^*} \) are 1 and \(-1\), both with Jacobi symbol +1, but respectively \((+1,+1)\) and \((-1,-1)\) for the Legendre symbols in \(\mathbb {Z}_p^* \) and \(\mathbb {Z}_q^* \), and \(\alpha \) and \(-\alpha \), both with Jacobi symbol \(-1\), but respectively \((+1,-1)\) and \((-1,+1)\) for the Legendre symbols in \(\mathbb {Z}_p^* \) and \(\mathbb {Z}_q^* \). As a consequence, given a square \(h\in \mathsf {QR}_n \) and a square root u, the four square roots are \(u,-u\), and \(\alpha u, -\alpha u\), exactly one of which is in \(\mathsf {QR}_n \), since the four kinds of Legendre symbols are represented. This leads to Fact 2.
For Fact 3, if one chooses a random \(u\in {\mathbb {Z}_n ^*} \) and sets \(h=u^2 \bmod n\), \(J_n(u)\) is completely hidden. Another square root v has probability one-half to satisfy \(J_n(v) = - J_n(u)\). This means that \(u^2 = v^2 \bmod n\), but \(u\ne \pm v \bmod n\). Then, \(\gcd (u-v,n)\) gives a non-trivial factor of n.
For Fact 4, if one chooses a random \(u\in {\mathbb {Z}_n ^*} \) and a large random scalar \(\alpha \) and sets \(h=u^2 \bmod n\) and \(g=h^\alpha \bmod n\), h is likely a generator of \(\mathsf {QR}_n \), and then \(g^a =h^b \bmod n\) means that \(m = b - a \alpha \) is a multiple of \(p'q'\), the order of the subgroup of the squares. Let us write \(m = 2^v \cdot t\), for an odd t; then \(p'q'\) divides t. Let us choose a random element \(u\in {\mathbb {Z}_n ^*} \): with probability close to one-half, \(J_n(u)=-1\), and so \(J_n(u^t)=-1\) while \(u^t\) is a square root of 1. As in the proof of the previous Fact 3, we can obtain a non-trivial factor of n.
Finally, for Fact 5, using a Bézout relation \(ue + ve' = 1\), we get \(x^{ve} = y^{v e'} = y^{1 - ue} \bmod n\). So \(y = (x^v y^u)^e \bmod n\). \(\square \)
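The facts above can be checked numerically. The following Python script is an added example and not part of the paper: it builds a constructed toy strong RSA modulus (far too small to be secure, chosen so the arithmetic can be followed by hand) and, using the factorisation as a trusted party would, exhibits Facts 1, 2, 3 and 5: \(-1\) has Legendre symbol \(-1\) modulo both Blum primes and so is not a square; a square has four roots of which exactly one lies in \(\mathsf {QR}_n\); two roots with \(u\ne \pm v\) factor n via \(\gcd (u-v,n)\); and a relation \(x^e = y^{e'}\) with \(\gcd (e,e')=1\) yields an e-th root of y by the Bézout combination \(x^v y^u\). All function names and sample values are the example's own assumptions.

```python
from math import gcd

# Constructed toy strong RSA modulus (assumption of this example): n = p q with
# p = 2*509 + 1 and q = 2*593 + 1 both safe primes.  Far too small to be secure;
# chosen only so every step below can be checked by hand.
P, Q = 1019, 1187
N = P * Q

def is_prime(m):
    """Trial division; adequate for the toy sizes used here."""
    if m < 2:
        return False
    i = 2
    while i * i <= m:
        if m % i == 0:
            return False
        i += 1
    return True

def is_strong_rsa_modulus(p, q):
    """p != q safe primes: p = 2p'+1 and q = 2q'+1 with p', q' prime (Sect. 2.4)."""
    return p != q and all(is_prime(v) for v in (p, q, (p - 1) // 2, (q - 1) // 2))

def legendre(x, p):
    """Legendre symbol J_p(x) = x^((p-1)/2) mod p, returned as +1 or -1 (0 if p | x)."""
    s = pow(x, (p - 1) // 2, p)
    return -1 if s == p - 1 else s

def is_qr(x, p, q):
    """x is in QR_n iff it is a square modulo both prime factors."""
    return legendre(x, p) == 1 and legendre(x, q) == 1

def square_roots(h, p, q):
    """The four square roots of a square h in Z_n^*, computed with the factorisation.
    For Blum primes (p = q = 3 mod 4) a root modulo p is h^((p+1)/4) mod p."""
    n = p * q
    rp, rq = pow(h, (p + 1) // 4, p), pow(h, (q + 1) // 4, q)
    cp, cq = q * pow(q, -1, p), p * pow(p, -1, q)     # CRT idempotents
    return sorted((sp * cp + sq * cq) % n
                  for sp in (rp, p - rp) for sq in (rq, q - rq))

def factor_from_two_roots(u, v, n):
    """Fact 3: if u^2 = v^2 mod n but u != +-v, then gcd(u - v, n) is a proper factor."""
    if (u * u - v * v) % n or (u - v) % n == 0 or (u + v) % n == 0:
        return None
    f = gcd(u - v, n)
    return f if 1 < f < n else None

def ext_gcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        qt, a, b = a // b, b, a % b
        s0, s1, t0, t1 = s1, s0 - qt * s1, t1, t0 - qt * t1
    return a, s0, t0

def rsa_root_from_relation(x, e, y, e_prime, n):
    """Fact 5: given x^e = y^(e') mod n with gcd(e, e') = 1, return an e-th root of y.
    Bezout gives u e + v e' = 1, so (x^v y^u)^e = y^(v e' + u e) = y mod n."""
    g, u, v = ext_gcd(e, e_prime)
    if g != 1 or pow(x, e, n) != pow(y, e_prime, n):
        return None
    return (pow(x, v, n) * pow(y, u, n)) % n        # negative exponents = inverses

def demo():
    """Run the checks on the toy modulus and report the outcomes."""
    h = pow(12345, 2, N)                              # a constructed square
    roots = square_roots(h, P, Q)
    u = roots[0]
    v = next(r for r in roots if r not in (u, N - u))  # a root that is not +-u
    w = 424242                                        # constructed secret
    e, e_prime = 7, 5
    x, y = pow(w, e_prime, N), pow(w, e, N)           # so that x^e = y^(e') mod n
    root = rsa_root_from_relation(x, e, y, e_prime, N)
    return {
        "strong_modulus": is_strong_rsa_modulus(P, Q),
        "minus_one_is_square": is_qr(N - 1, P, Q),          # Fact 1: False
        "num_roots": len(roots),                            # Fact 2: 4 roots ...
        "roots_in_qr": sum(is_qr(r, P, Q) for r in roots),  # ... exactly 1 in QR_n
        "factor": factor_from_two_roots(u, v, N),           # Fact 3: P or Q
        "root_is_valid": pow(root, e, N) == y,              # Fact 5
    }

if __name__ == "__main__":
    print(demo())
```

The square-root routine is only possible because the script holds the factorisation; Fact 3 says that anyone who could produce a second, independent root of a random square without it would be factoring n.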
3 Commitment of Integers Revisited
In [23], Okamoto and Fujisaki proposed a statistically-hiding commitment scheme allowing commitment to arbitrary-size integers. Their commitment was later generalized in [20]. It relies on the fact that when the factorization is unknown, it is infeasible to know the order of the subgroup \(\mathsf {QR}_n \) of the squares in \({\mathbb {Z}_n ^*} \), where n is a strong RSA modulus. Hence, the only way for a computationally-bounded committer to open a commitment is to do it over the integers.
In addition, [23] gave an argument of knowledge of an opening of a commitment and proved that the knowledge extractability of the argument is implied by the \(\textsf {Strong\text {-}RSA}\) assumption. A flaw in the original proof was later identified and corrected in [20]. We will revisit the argument of knowledge of an opening due to Damgård-Fujisaki [20] and provide a new proof for its knowledge extractability, in order to remove the requirement of the \(\textsf {Strong\text {-}RSA}\) assumption. Our proof requires the standard \(\textsf {RSA}\) assumption only, with an exponent randomly chosen in a polynomially-bounded set.
3.1 Commitments over the Integers
The commitment scheme is defined as follows:
\(\mathsf {Setup}(1^\kappa )\) runs \((n,(p,q))\leftarrow _R\mathsf {GenMod}(1^\kappa )\), and picks two random generators g, h of \(\mathsf {QR}_n \). It returns \(\mathsf {pp} =(n,g,h)\);

\(\mathsf {Commit}(\mathsf {pp},m;r)\), for \(\mathsf {pp} =(n,g,h)\), a message \(m\in \mathbb {Z}\), and some random coins \(r\leftarrow _R\mathopen {[\![}0\mathclose {}\mathpunct {};n\mathclose {]\!]}\), computes \(c= g^m h^r\bmod n\), and returns (c, d) with \(d=r\);

\(\mathsf {Verify}(\mathsf {pp},c,d,m)\) parses \(\mathsf {pp}\) as \(\mathsf {pp} =(n,g,h)\) and outputs 1 if \(c= \pm g^{m}h^{d} \bmod n\) and 0 otherwise.
One should note that an honest user will always open such that \(c= g^{m}h^{d} \bmod n\). But the knowledge-extractability of the next \(\textsf {ZKAoK}\) of opening cannot exclude the change of sign. In this description, we provide a trusted setup algorithm. But as we see below, the guarantees for the committer (the hiding property of the commitment) just rely on the existence of \(\alpha \) such that \(g=h^\alpha \bmod n\). For the verifier to be convinced, one can just let him generate the parameters (n, g, h), and prove the existence of such an \(\alpha \) to the committer.
3.2 Zero-Knowledge Argument of Opening
Let us now study the argument of knowledge of a valid opening for such a commitment. The common inputs are the public parameters \(\mathsf {pp} \) and the commitment \(c=g^x h^r \bmod n\), together with the bit-length \(k_x\) of the message x, which is then assumed to be in \(\mathopen {[\![}-2^{k_x}\mathclose {}\mathpunct {};2^{k_x}\mathclose {]\!]}\), while \(r\in \mathopen {[\![}0\mathclose {}\mathpunct {};n\mathclose {]\!]}\) and x are the private inputs, i.e. the witness of the prover. We stress that \(k_x\) is chosen by the prover, since this reveals some information about the integer x, while r is always in the same set, whatever the committed element x is.
 Initialize:

\(\mathscr {P}\) and \(\mathscr {V}\) decide to run the protocol on input \((\mathsf {pp},\kappa ,c,k_x)\);
 Commit:

\(\mathscr {P}\) computes \(d = g^yh^s \bmod n\), for randomly chosen \(y\leftarrow _R\mathopen {[\![}0\mathclose {}\mathpunct {};2^{k_x+2\kappa }\mathclose {]\!]}\) and \(s\leftarrow _R\mathopen {[\![}0\mathclose {}\mathpunct {};2^{\vert n \vert _b+2\kappa }\mathclose {]\!]}\), and sends d to \(\mathscr {V}\);
 Challenge:

\(\mathscr {V}\) outputs \(e\leftarrow _R\mathopen {[\![}0\mathclose {}\mathpunct {};2^\kappa \mathclose {]\!]}\);
 Response:

\(\mathscr {P}\) computes and outputs the integers \(z=ex+y\) and \(t=er+s\);
 Verify:

\(\mathscr {V}\) accepts the proof and outputs 1 if \(c^e d = g^z h^t \bmod n\). Otherwise, \(\mathscr {V}\) rejects the proof and outputs 0.
In the rest of this section, we prove that this protocol is indeed a zero-knowledge argument of knowledge of an opening, which means that it is correct, zero-knowledge, and knowledge-extractable.
Correctness. First, the correctness is quite obvious: if \(c = g^x h^r \bmod n\), with \(z=ex+y\) and \(t=er+s\), we have \(g^z h^t = (g^x h^r)^e \cdot g^y h^s = c^e d \bmod n\).
Zero-Knowledge. The simulator \(\mathscr {S}\!\textit{im}\) produces an accepted transcript without knowing any opening of c, as follows:
 1.
\(\mathscr {S}\!\textit{im}\) chooses a random challenge \(e\leftarrow _R\mathopen {[\![}0\mathclose {}\mathpunct {};2^\kappa \mathclose {]\!]}\);
 2.
\(\mathscr {S}\!\textit{im}\) chooses random responses \(z\leftarrow _R\mathopen {[\![}0\mathclose {}\mathpunct {};2^{k_x+2\kappa }\mathclose {]\!]}\) and \(t\leftarrow _R\mathopen {[\![}0\mathclose {}\mathpunct {};2^{\vert n \vert _b+2\kappa }\mathclose {]\!]}\);
 3.
\(\mathscr {S}\!\textit{im}\) sets \(d = g^z h^t c^{-e} \bmod n\).
Knowledge-Extractability. The last property is the most intricate, and this is the one that required the \(\textsf {Strong\text {-}RSA}\) assumption in the original proof of Damgård and Fujisaki [20]. In the next section, we present a detailed proof of the following theorem:
Theorem 2
Given a prover \(\mathscr {P}'\) able to convince a verifier \(\mathscr {V}\) of its knowledge of an opening of c for random system parameters \(\mathsf {pp} =(n,g,h)\) with probability greater than \(\varepsilon \) within time t, one either breaks the \(4/\varepsilon \)-\(\textsf {RSA}\) assumption with expected time upper-bounded by \(256 t/\varepsilon ^3\), or extracts a valid opening with expected time upper-bounded by \(16 t / \varepsilon ^2\).
4 Proof of Theorem 2
Since this proof is the main technical contribution of the paper, with many practical applications, we provide it in detail. We start with some preliminaries, and then discuss various cases.
4.1 Preliminaries
The proof will make use of the splitting lemma [39, 40], that we recall below:
Lemma 3
In the proof, we will consider an adversary with a random tape R who succeeds with some probability \(\varepsilon \) in any run of the full argument. Our proof will make use of rewinding: we will rewind the adversary several times to get several transcripts of the protocol for the same random tape R, and various challenges. The purpose of the splitting lemma is therefore to get a bound on the probability of getting valid transcripts when we fix R and run the adversary on various challenges.
4.2 Detailed Proof
Let us suppose the extractor \(\mathscr {S}\!\textit{im}\) (that is \(\mathscr {S}\!\textit{im}_\mathsf {KE}\) in this case) is given a \(4/\varepsilon \)-\(\textsf {RSA}\) challenge (n, e, u), which means that the exponent e is randomly chosen coprime to \(\varphi (n)\) and in the set \([1,4/\varepsilon ]\). It sets \(h \leftarrow u^2 \bmod n\) and \(g \leftarrow h^{\alpha } \bmod n\) for a random exponent \(\alpha \leftarrow _R\mathbb {Z}_{n^2} \), and sets \(\mathsf {pp} = (n, g,h)\). Note that as u is random in \({\mathbb {Z}_n ^*} \), (g, h) are distributed as in the real protocol. We consider an adversary \(\mathscr {A} \) that provides a convincing proof of knowledge of an opening of c (an accepted transcript) with probability \(\varepsilon \), with the parameters \((\mathsf {pp} =(n,g,h),\kappa ,c,k_x)\).
Note that the probability distribution of a protocol execution is \(D = (R,e)\), where R is the adversary’s random tape that determines d, and e is the random challenge from the honest verifier. Then, we can assume that on a random pair \((R,e_0)\), its probability to output an accepted transcript \((d,e_0,z_0,t_0)\) is greater than \(\varepsilon \). We apply the splitting lemma with \(\varepsilon ' = \varepsilon /2\) for the distribution \(D = \{R\} \times \{e\}\): after one execution, with probability greater than \(\varepsilon \), we obtain an accepted transcript \((d,e_0, z_0,t_0)\). In such a case, with probability greater than 1 / 2, R is a good random tape, which means that another execution with the same R but a random challenge \(e_1\) will lead to another accepted transcript \((d, e_1, z_1,t_1)\) with probability \(\varepsilon ' = \varepsilon /2\). Note that since R is kept unchanged, d is the same. Globally, with probability greater than \(\varepsilon ^2/4\), after 2 executions of the protocol, one gets two related accepted transcripts: \((d,e_0, z_0,t_0)\) and \((d,e_1, z_1,t_1)\).
Without loss of generality, we may assume \(e_0 \ge e_1\). Writing \(e'_1 \leftarrow e_0 - e_1\), \(z'_1 \leftarrow z_0 - z_1\), and \(t'_1 \leftarrow t_0 - t_1\), the two valid tuples lead to the relation \(c^{e'_1} = {g}^{z'_1}{h}^{t'_1} \bmod n\). Since the pair of transcripts is obtained with probability greater than \(\varepsilon ^2/4\), at least one of the following two statements holds:

Statement 1. one gets two related accepted transcripts \((d,e_0, z_0,t_0)\) and \((d,e_1, z_1,t_1)\), and \(e'_1\) divides both \(z'_1\) and \(t'_1\) (with the above notations) with probability greater than \(\varepsilon ^2/8\);

Statement 2. one gets two related accepted transcripts \((d,e_0, z_0,t_0)\) and \((d,e_1, z_1,t_1)\), and \(e'_1\) does not divide both \(z'_1\) and \(t'_1\) (with the above notations) with probability greater than \(\varepsilon ^2/8\).

either \(c^{-1}g^{x_1}h^{r_1} = \pm 1 \bmod n\), and so \(c=\pm g^{x_1}h^{r_1} \bmod n\) (valid opening);

or we have a non-trivial square root of 1 modulo n, which leads to the factorization of n (see Proposition 1). As the \(\textsf {RSA} \) assumption is stronger than the factorization assumption, once we have factored n, we can compute the solution to the \(\textsf {RSA}\) challenge.
Let Q be a prime factor of \(e'_1\) and j be the integer such that \(Q^j\) divides \(e'_1\) but \(Q^{j+1}\) does not, and such that at least one of \(z'_1\) or \(t'_1\) is non-zero modulo \(Q^j\). Since \(e'_1\) does not divide both \(z'_1\) and \(t'_1\), such a pair (Q, j) necessarily exists. Actually, if \(Q^j\) divided \(z'_1\), as it divides \(e'_1\), it would also divide \(\alpha z'_1 + t'_1\) and therefore \(t'_1\), which was excluded (at least one of \(z'_1\) or \(t'_1\) is non-zero modulo \(Q^j\)). Therefore, \(z'_1 \ne 0 \bmod Q^j\).
One gets two related accepted transcripts and \(e'_1\) does not divide \(\alpha z'_1 + t'_1\) with probability greater than \(\varepsilon ^2/16\).

Statement 2.a. One gets two related accepted transcripts, \(e'_1\) does not divide \(\alpha z'_1 + t'_1\), and \(\varGamma _1 \le 8/\varepsilon \) with probability at least \(\varepsilon ^2/32\);

Statement 2.b. One gets two related accepted transcripts, \(e'_1\) does not divide \(\alpha z'_1 + t'_1\), and \(\varGamma _1 > 8/\varepsilon \) with probability at least \(\varepsilon ^2/32\).

Statement 2.a.1. One gets two related accepted transcripts, \(e'_1\) does not divide \(\alpha z'_1 + t'_1\), \(\varGamma _1 \le 8/\varepsilon \), and \(\varGamma _1 = 2^a\) with \(a\ge 1\), with probability at least \(\varepsilon ^2/64\).
We thus have, with probability \(\varepsilon ^2/64\), an odd \(k_1\) such that \(c^{2^a } = u^{2 F_1} \bmod n\): \(c^{2^{a-1}}\) and \(u^{F_1}\) are two square roots of the same value. Since no information leaks about which of the actual square roots \(\{u,-u\}\) of h is known, nor about those of \(h^{F_1}\bmod n\), we have \(c^{2^{a-1}} \ne \pm u^{F_1} \bmod n\) with probability 1/2, which leads to the factorization of n with probability 1/2 (see Proposition 1). Hence, we solve the \(\textsf {RSA}\) challenge with probability at least \(\varepsilon ^2/128\).

Statement 2.a.2. One gets two related accepted transcripts, \(e'_1\) does not divide \(\alpha z'_1 + t'_1\), \(\varGamma _1 \le 8/\varepsilon \), and \(\varGamma _1=2^a v\) with \(a\ge 0\) and an odd \(v>1\), with probability at least \(\varepsilon ^2/64\).
It thus holds, with probability \(\varepsilon ^2/64\) (unless one finds a non-trivial square root of 1 modulo n, which allows one to solve any \(\textsf {RSA} \) instance modulo n, see above), that \(C^v = u^{2F_1} \bmod n\), for \(C=\pm c^{2^a}\) and \(\gcd (v,2F_1)=1\), since \(v \;\vert \;\varGamma _1\) and v is odd. Using Fact 5 from Proposition 1, one gets the v-th root of u modulo n, for \(v\in \mathopen {[\![}3\mathclose {}\mathpunct {};8/\varepsilon \mathclose {]\!]}\cap \mathsf {P} _n\). Since our simulation that uses the \(\textsf {RSA}\) challenge (n, u, e) does not leak any information about e, \(v=e\) holds with probability greater than \(\varepsilon /4\), if the exponent e is randomly chosen in \(\mathopen {[\![}2\mathclose {}\mathpunct {};8/\varepsilon \mathclose {]\!]}\cap \mathsf {P} _n\) (this set being exactly the set of odd integers smaller than \(8/\varepsilon \), it contains approximately \(4/\varepsilon \) elements). Hence, we solve an \(\textsf {RSA}\) challenge with probability at least \(\varepsilon ^2/64\times \varepsilon /4 = \varepsilon ^3/256\).
As above, for the third transcript \((d,e_2,z_2,t_2)\), we assume \(e_0 \ge e_2\), and define \(e'_2 \leftarrow e_0 - e_2\), \(z'_2 \leftarrow z_0 - z_2\), and \(t'_2 \leftarrow t_0 - t_2\) (otherwise we change the signs). We also define \(\beta _2 = \gcd (e'_2, \alpha z'_2 + t'_2)\). Note that we do not require that \(e'_2\) does not divide \(\alpha z'_2 + t'_2\). We also set \(\varGamma _2 \leftarrow e'_2/\beta _2\) and \(F_2 \leftarrow (\alpha z'_2 + t'_2)/\beta _2\): \(F_2/\varGamma _2\) is the irreducible fraction form of \((\alpha z'_2 + t'_2)/e'_2\). Since \(\varGamma _2\) divides \(e'_2\), it cannot be equal to \(\varGamma _1\).
Overall Success Probability. All in all, if Statement 2 is true, we get a solution to the \(\textsf {RSA} \) challenge with probability at least \(\varepsilon ^3/256\). On the other hand, if Statement 1 holds, there are two complementary situations: either we get a valid opening with probability at least \(\varepsilon ^2/16\), or we get a non-trivial square root of 1 modulo n with probability at least \(\varepsilon ^2/16\). Overall, we either get a valid opening with probability at least \(\varepsilon ^2/16\), or we solve an \(\textsf {RSA} \) challenge modulo n with probability at least \(\varepsilon ^3/256\). \(\square \)
5 Classical Extensions and Applications
We revisit the natural implications of the commitment scheme of Sect. 3 and its argument of knowledge. More precisely, we generalize the results of previous sections while we commit to vectors of integers. Then, we also show the security of Lipmaa’s range proofs [36] under the \(\textsf {RSA}\) assumption to illustrate how the result of Sect. 4 extends to more general arguments over the integers.
5.1 Generalized Commitment of Integers

\(\mathsf {Setup}(1^\kappa ,\ell )\) runs \((n,(p,q))\leftarrow _R\mathsf {GenMod}(1^\kappa )\), and picks \(\ell +1\) random generators \((g_1,\ldots ,g_\ell ,h)\) of \(\mathsf {QR}_n \). It returns \(\mathsf {pp} =(n,g_1,\ldots ,g_\ell ,h)\);

\(\mathsf {Commit}(\mathsf {pp},\varvec{m};r)\), for \(\mathsf {pp} =(n,g_1,\ldots ,g_\ell ,h)\), a vector \(\varvec{m} = (m_1,\ldots ,m_\ell )\in \mathbb {Z}^\ell \), and some random coins \(r\leftarrow _R\mathopen {[\![}0\mathclose {}\mathpunct {};n\mathclose {]\!]}\), computes \(c=g_1^{m_1}\cdots g_\ell ^{m_\ell }h^r \bmod n\), and returns (c, d) with \(d=r\);

\(\mathsf {Verify}(\mathsf {pp},c,d,\varvec{m})\) parses \(\mathsf {pp}\) as \(\mathsf {pp} =(n,g_1,\ldots ,g_\ell ,h)\) and outputs 1 if \(c=\pm g_1^{m_1}\cdots g_\ell ^{m_\ell }h^d \bmod n\) and 0 otherwise.
The binding property relies on the Integer Factorization assumption: indeed, from two different openings \((\varvec{m},d)\) and \((\varvec{m}',d')\) for a commitment c, with \(d'>d\), the validity checks show that \(g_1^{m_1}\cdots g_\ell ^{m_\ell } h^d = g_1^{m'_1}\cdots g_\ell ^{m'_\ell } h^{d'} \bmod n\), and so, if one has chosen \(\beta _i\) such that \(g_i = g^{\beta _i} \bmod n\), for a random square g, then one knows \(g^{\sum \beta _i (m_i-m'_i)} = h^{d'-d} \bmod n\). Fact 4 from Proposition 1 leads to the conclusion.
To avoid a trusted setup, one can note that the guarantees for the prover (the hiding property) only rely on the existence of \(\alpha _i\) such that \(g_i = h^{\alpha _i} \bmod n\) for \(i=1,\ldots ,\ell \). The well-formedness of the RSA modulus is for the security guarantees against the verifier: it is important for him that the prover cannot break the \(\textsf {RSA}\) assumption. So the setup can be run by the verifier, with an additional proof to the prover of the existence of \(\alpha _i\) such that \(g_i = h^{\alpha _i} \bmod n\) for \(i=1,\ldots ,\ell \).
5.2 Zero-Knowledge Argument of Opening
5.3 Efficient Range Proofs from RSA
We show that Lipmaa’s range proof [36] also benefits from our technique, as the \(\textsf {Strong\text {-}RSA}\) assumption can also be avoided in its security analysis.
Range Proof from Integer Commitment Scheme. Let \(c= g^{x}h^r \bmod n\) be a commitment of a value x and \(\mathopen {[\![}a\mathclose {}\mathpunct {};b\mathclose {]\!]}\) be a public interval. As the commitment is homomorphic, one can efficiently compute a commitment \(c_a\) of \(x-a\) and a commitment \(c_b\) of \(b-x\) from c. To prove that \(x \in \mathopen {[\![}a\mathclose {}\mathpunct {};b\mathclose {]\!]}\), it is enough to show that \(c_a\) and \(c_b\) commit to positive values. Let us focus on the proof that \(c_a= g^{x-a}h^r \bmod n\) commits to a positive value, since the same method applies for \(c_b\). To do so, the prover computes \((x_1, x_2, x_3, x_4)\) such that \(x-a = \sum _{i=1}^4 x_i^2\). By a famous result from Lagrange, such a decomposition exists if and only if \(x-a \ge 0\). Moreover, this decomposition can be efficiently computed by the Rabin-Shallit algorithm [42], for which Lipmaa [36] also suggested some optimizations. The prover commits to \((x_1,x_2,x_3,x_4)\) in \((c_1,c_2,c_3,c_4)\), where \(c_i=g^{x_i}h^{r_i}\bmod n\) for each \(i=1\) to 4. Now, the prover proves his knowledge of openings \(x-a\), \(x_1,x_2,x_3,x_4\) (along with random coins \(r,r_1,r_2,r_3,r_4\)) of \(c_a, c_1,c_2,c_3,c_4\) satisfying \(\sum _{i=1}^4 x_i^2 = x-a\) over the integers.
The reason one can rely solely on the \(\textsf {RSA}\) assumption in the range proof is that the first part of the argument reduces to an argument of knowledge of openings \(x_1,x_2,x_3,x_4\) of \(c_1,c_2,c_3,c_4\), while the remaining part simply ensures that the relation \(\sum _{i=1}^4 x_i^2 = x-a\) holds. Indeed, once the witnesses are extracted, this is implied by the representation \(c_a= \prod _{i=1}^4 c_i^{x_i} h^{r - \sum x_ir_i} \bmod n\), which can be seen as a generalized commitment scheme with basis \((c_1,c_2,c_3,c_4,h)\) from which the opening cannot change. Therefore, the argument can be seen as five parallel arguments of knowledge, the fifth one being an argument of knowledge for a generalized commitment, where the opening for the last argument is the vector of the openings for the other arguments. A formal proof of an optimized version of this protocol under the intractability of the \(\textsf {RSA}\) assumption is presented in the full version [19].
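To make the representation \(c_a= \prod c_i^{x_i} h^{r - \sum x_ir_i}\) concrete, here is an added Python example, not from the paper nor from Lipmaa's protocol description: it derives \(c_a\) and \(c_b\) homomorphically from c without opening it, decomposes \(x-a\) and \(b-x\) into four squares (a brute-force search stands in for the Rabin-Shallit algorithm, so it only suits small values), commits to the squares, and checks the representation identity that the fifth parallel argument relies on. The toy safe primes and all sample values are constructed for the example.

```python
import math
import random

# Constructed toy parameters (same shape as the Damgård-Fujisaki setup; not secure).
P, Q = 1439, 2039
N = P * Q


def setup(seed=1):
    """pp = (n, g, h) with h a random square and g = h^alpha."""
    rng = random.Random(seed)
    while True:
        u = rng.randrange(2, N)
        if math.gcd(u, N) == 1:
            break
    h = pow(u, 2, N)
    return (N, pow(h, rng.randrange(N * N), N), h)


def commit(pp, x, r):
    n, g, h = pp
    return (pow(g, x, n) * pow(h, r, n)) % n


def four_squares(m):
    """(x1, x2, x3, x4) with m = x1^2 + ... + x4^2, or None when m < 0 (Lagrange).
    Brute force replaces Rabin-Shallit here, so only use it on small m."""
    if m < 0:
        return None
    for x1 in range(math.isqrt(m), -1, -1):
        m1 = m - x1 * x1
        for x2 in range(math.isqrt(m1), -1, -1):
            m2 = m1 - x2 * x2
            for x3 in range(math.isqrt(m2), -1, -1):
                m3 = m2 - x3 * x3
                x4 = math.isqrt(m3)
                if x4 * x4 == m3:
                    return (x1, x2, x3, x4)
    return None  # never reached for m >= 0 by Lagrange's theorem


def positivity_representation(pp, c_v, v, r_v, rng):
    """Prover side of the positivity argument for c_v = g^v h^{r_v}: commit to the
    four squares as c_i = g^{x_i} h^{r_i} and check the representation
    c_v = prod_i c_i^{x_i} * h^{r_v - sum_i x_i r_i} mod n, i.e. an opening of a
    generalized commitment with basis (c_1, c_2, c_3, c_4, h)."""
    n, g, h = pp
    squares = four_squares(v)
    if squares is None:          # v < 0: no witness exists
        return False
    coins = [rng.randrange(n) for _ in squares]
    rhs = 1
    for x_i, r_i in zip(squares, coins):
        c_i = commit(pp, x_i, r_i)
        rhs = (rhs * pow(c_i, x_i, n)) % n
    mask = r_v - sum(x_i * r_i for x_i, r_i in zip(squares, coins))
    return (rhs * pow(h, mask, n)) % n == c_v


def range_check(pp, x, r, a, b, seed=2):
    """Derive c_a (to x-a) and c_b (to b-x) from c = g^x h^r by the homomorphism,
    then check both positivity representations."""
    rng = random.Random(seed)
    n, g, h = pp
    c = commit(pp, x, r)
    c_a = (c * pow(g, -a, n)) % n             # g^{x-a} h^{r}
    c_b = (pow(g, b, n) * pow(c, -1, n)) % n  # g^{b-x} h^{-r}
    return (positivity_representation(pp, c_a, x - a, r, rng)
            and positivity_representation(pp, c_b, b - x, -r, rng))
```

The exponent \(r - \sum x_i r_i\) may be negative; Python's `pow` with a negative exponent modulo n computes the corresponding inverse, which is exactly what the representation needs.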
Extension. Since most of the arguments of knowledge of a solution to a system of equations over the integers [16] can be split into parallel arguments of knowledge of the values assigned to the variables and a proof of membership (in the language composed of all the solutions of the system), which is expressed as representations corresponding to generalized commitments, our analysis extends to every “discrete-logarithm relation set” (see [34]): the description of the protocol is unchanged but the security only relies on the standard \(\textsf {RSA}\) assumption.
6 Commitment with Knowledge-Delayed Order
Arguments of knowledge of openings for the Damgård-Fujisaki commitment scheme can rely on the \(\textsf {RSA}\) assumption rather than the \(\textsf {Strong\text {-}RSA}\) assumption. In this section, we show that this scheme can be efficiently combined with another \(\textsf {RSA}\)-based commitment scheme which, as far as we know, was proposed by Gennaro [24]: we show how Damgård-Fujisaki commitments (which are homomorphic over the integers) can be converted into Gennaro commitments (which are homomorphic over \(\mathbb {Z}_\pi \) for some prime \(\pi \)). We rely on this feature to design a method that improves the efficiency of zero-knowledge arguments over the integers on several aspects, by allowing the players to perform some of the computations over \(\mathbb {Z}_\pi \) rather than over the integers. We then illustrate our technique on the famous example of range proofs.
6.1 RSA-Based Commitments with Known Order
We recall the homomorphic commitment scheme over \(\mathbb {Z}_\pi \) of [24]. The order of the commitment is a known prime \(\pi > 2^\kappa \).

\(\mathsf {Setup}(1^\kappa )\) runs \((n,(p,q))\leftarrow _R\mathsf {GenMod}(1^\kappa )\), and picks \(\ell \) random generators \(g_1,\ldots ,g_\ell \) of \(\mathsf {QR}_n \). Then, it picks a random prime \(\pi \in \mathopen {[\![}2^{\kappa +1}\mathclose {}\mathpunct {};2^{\kappa +2}\mathclose {]\!]}\), and returns \(\mathsf {pp} =(n,g_1,\ldots ,g_\ell ,\pi )\);

\(\mathsf {Commit}(\mathsf {pp},\varvec{m};r)\), for \(\mathsf {pp} =(n,g_1,\ldots ,g_\ell ,\pi )\), a vector \(\varvec{m} = (m_1,\ldots ,m_\ell )\in \mathbb {Z}_{\pi }^\ell \), and some random coins \(r\leftarrow _R\mathbb {Z}_n \), computes \(c=g_1^{m_1} \cdots g_\ell ^{m_\ell } r^\pi \bmod n\), and returns (c, d) with \(d=r\);

\(\mathsf {Verify}(\mathsf {pp},c,d,\varvec{m})\) parses \(\mathsf {pp} \) as \(\mathsf {pp} =(n,g_1,\ldots ,g_\ell ,\pi )\) and outputs 1 if \(c=g_1^{m_1}\cdots g_\ell ^{m_\ell }d^{\pi } \bmod n\), and 0 otherwise.
Homomorphic Opening. In addition, this commitment scheme is homomorphic in \(\mathbb {Z}_\pi \): given \(c=g_1^{m_1}\cdots g_\ell ^{m_\ell }r^\pi \bmod n\) and \(d=g_1^{m_1'}\cdots g_\ell ^{m_\ell '}s^\pi \bmod n\) with known openings, we can efficiently open the commitment \(c\cdot d \bmod n\) to \(\bar{\varvec{m}} = (\bar{m}_1,\ldots ,\bar{m}_\ell )\), with \(\bar{m}_i = m_i + m'_i \bmod \pi \) for \(1\le i\le \ell \), and the random coin \(rs \prod g_i^{(m_i+m'_i)\div \pi } \bmod n\), where \(a\div b\) is the quotient of the Euclidean division. We emphasize that this property is essential to avoid working with long integers in the arguments of knowledge of an opening: the prover can “reduce” its openings since \(\pi \) is known.
Initialize: \(\mathscr {P}\) and \(\mathscr {V}\) decide to run the protocol on input \((\mathsf {pp},\kappa ,c)\);
Commit: \(\mathscr {P}\) computes \(d=g_1^{y_1}\cdots g_\ell ^{y_\ell }s^\pi \), for \(y_i\leftarrow _R\mathbb {Z}_\pi \), and \(s\leftarrow _R{\mathbb {Z}_n ^*} \), and sends d to \(\mathscr {V}\);
Challenge: \(\mathscr {V}\) outputs \(e\leftarrow _R\mathopen {[\![}0\mathclose {}\mathpunct {};2^\kappa \mathclose {]\!]}\);
Response: \(\mathscr {P}\) computes \(k_i,z_i,t\) such that \(e x_i+y_i=k_i\pi +z_i\), with \(0\le z_i<\pi \), and \(t=g_1^{k_1}\cdots g_\ell ^{k_\ell } \cdot r^{e} s \bmod n\). \(\mathscr {P}\) outputs \((z =(z_i)_i,t)\);
Verify: \(\mathscr {V}\) accepts the proof and outputs 1 if, for each i, \(0\le z_i<\pi \), and \(c^{e} d=g_1^{z_1} \cdots g_\ell ^{z_\ell } t^\pi \bmod n\). Otherwise, \(\mathscr {V}\) rejects the proof and outputs 0.
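As an added Python example, not the paper's own code, here is Gennaro's known-order commitment on a toy modulus, the homomorphic opening with the quotients \((m_i+m'_i)\div \pi \) folded into the random coin, and the argument of knowledge of an opening just described, including the reduction \(e x_i+y_i=k_i\pi +z_i\) that keeps every response \(z_i\) below \(\pi \) while the carries \(k_i\) go into t. The prime \(\pi = 2^{17}-1\) with \(\kappa = 15\), the safe primes and the sample vectors are constructed toy choices.

```python
import math
import random

# Constructed toy parameters: safe primes 1439 = 2*719+1 and 2039 = 2*1019+1 (not secure).
P, Q = 1439, 2039
N = P * Q
KAPPA = 15
PI = 131071   # the prime 2^17 - 1: lies in [[2^(KAPPA+1); 2^(KAPPA+2)]] and is coprime to phi(N)
ELL = 3       # vector length


def random_unit(n, rng):
    while True:
        r = rng.randrange(1, n)
        if math.gcd(r, n) == 1:
            return r


def setup(seed=1):
    """pp = (n, (g_1, .., g_ell), pi) with the g_i random squares."""
    rng = random.Random(seed)
    gens = [pow(random_unit(N, rng), 2, N) for _ in range(ELL)]
    return (N, gens, PI)


def commit(pp, m, r):
    """c = prod_i g_i^{m_i} * r^pi mod n for m_i in Z_pi and a unit r."""
    n, gens, pi = pp
    c = pow(r, pi, n)
    for g_i, m_i in zip(gens, m):
        c = (c * pow(g_i, m_i, n)) % n
    return c


def verify(pp, c, d, m):
    return c == commit(pp, m, d)


def homomorphic_open(pp, m, r, m2, s):
    """Opening of Commit(m; r) * Commit(m2; s): message (m_i + m2_i) mod pi and
    coin r*s*prod_i g_i^{(m_i + m2_i) div pi}, which absorbs the carries."""
    n, gens, pi = pp
    sums = [m_i + m2_i for m_i, m2_i in zip(m, m2)]
    coin = (r * s) % n
    for g_i, v in zip(gens, sums):
        coin = (coin * pow(g_i, v // pi, n)) % n
    return [v % pi for v in sums], coin


def zk_opening(pp, c, m, r, seed, e=None):
    """Sigma protocol of Sect. 6.1 run in one place; returns the verifier's verdict.
    A fixed challenge e may be supplied for testing."""
    rng = random.Random(seed)
    n, gens, pi = pp
    ys = [rng.randrange(pi) for _ in gens]         # Commit: d = prod g_i^{y_i} s^pi
    s = random_unit(n, rng)
    d = commit(pp, ys, s)
    if e is None:                                   # Challenge
        e = rng.randrange(2 ** KAPPA + 1)
    # Response: e*m_i + y_i = k_i*pi + z_i, t = prod g_i^{k_i} * r^e * s
    ks, zs = zip(*(divmod(e * m_i + y_i, pi) for m_i, y_i in zip(m, ys)))
    t = (pow(r, e, n) * s) % n
    for g_i, k_i in zip(gens, ks):
        t = (t * pow(g_i, k_i, n)) % n
    # Verify: 0 <= z_i < pi and c^e d = prod g_i^{z_i} t^pi
    in_range = all(0 <= z_i < pi for z_i in zs)
    return in_range and (pow(c, e, n) * d) % n == commit(pp, zs, t)
```

Note that the verifier's exponentiations by \(z_i\) and \(\pi \) are all by \(\kappa \)-bit-sized values, which is the efficiency point made in Sect. 6.3.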
6.2 Commitment with Knowledge-Delayed Order
The above commitment scheme with known prime order \(\pi \) can temporarily pass itself off as a commitment scheme of Sect. 3 with hidden order.
Description of the Commitment Scheme. The verifier sets up the parameter \(\mathsf {pp} \) of the commitment scheme with hidden order but hides a prime order \(\pi \) in \(\mathsf {pp} \) during this execution. To guarantee the hiding property, in the setup the verifier also adds a proof that \(g = h^\alpha \bmod n\) for some \(\alpha \).

\(\mathsf {Setup}(1^\kappa )\) runs \((n,(p,q))\leftarrow _R\mathsf {GenMod}(1^\kappa )\), and picks \(h_0\leftarrow _R\mathsf {QR}_n \) and a random prime \(\pi \in \mathopen {[\![}2^{\kappa +1}\mathclose {}\mathpunct {};2^{\kappa +2}\mathclose {]\!]}\). Then, it picks \(\rho \leftarrow _R\mathopen {[\![}0\mathclose {}\mathpunct {};n^2\mathclose {]\!]}\), relatively prime to \(\pi \), and sets \(g\leftarrow h_0^\rho \bmod n\) and \(h\leftarrow h_0^{\pi } \bmod n\). Finally, it returns \(\mathsf {pp} =(n,g,h)\) and keeps \(\mathsf {sk} =(\pi ,h_0)\). Actually, we have \(h^\rho = g^\pi \bmod n\). So, if one sets \(\alpha = \rho \cdot \pi ^{-1} \bmod \varphi (n)\), one has \(g = h^\alpha \bmod n\), and proves it;

\(\mathsf {Commit}(\mathsf {pp},m;r)\) parses \(\mathsf {pp}\) as above and commits to \(m\in \mathbb {Z}\) by picking \(r\leftarrow _R\mathbb {Z}_n \) and computing \(c= g^m h^r\bmod n\). It returns (c, r);

\(\mathsf {Verify}(\mathsf {pp},c,m,r)\) parses \(\mathsf {pp} =(n,g,h)\) and outputs 1 if \(c= \pm g^{m}h^{r} \bmod n\) and 0 otherwise;

\(\mathsf {Reveal}(\mathsf {pp},\mathsf {sk})\) returns \(\mathsf {sk} =(\pi ,h_0)\);

\(\mathsf {Adapt}(\mathsf {pp},\mathsf {sk},c,m,r)\) first parses \(\mathsf {sk} =(\pi ,h_0)\) and checks whether \(h=h_0^\pi \bmod n\). Then, it adapts the opening by computing \(m=k\pi +\bar{m}\) for \(0\le \bar{m} <\pi \) and \(t=g^kh_0^r \bmod n\). It outputs \((\bar{m},t)\);

\(\mathsf {Verify}'(\mathsf {pp},\pi ,c,\bar{m},t)\) outputs 1 if \(c=g^{\bar{m}}t^{\pi } \bmod n\), and 0 otherwise.
This construction easily extends to commitments of vectors. Note that from \(g^{\bar{m}} t^{\pi } = c = g^{\bar{m}'} {t'}^{\pi } \bmod n\), with \(\bar{m}\ne \bar{m}'\bmod \pi \), setting \(h_0=y^2\) from an \(\textsf {RSA}\) challenge (n, y) of exponent \(\pi >2^\kappa \), we obtain \(y^{2\rho (\bar{m} - \bar{m}')} = (t'/t)^\pi \bmod n\), with \(2\rho (\bar{m} - \bar{m}')\ne 0 \bmod \pi \), which leads to the \(\pi \)-th root of y modulo n (using Fact 5 from Proposition 1).
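The switch from an opening over the integers to an opening modulo \(\pi \), as an added Python example that is not part of the paper: \(\mathsf {Setup}\) with the hidden \((\pi ,h_0)\), \(\mathsf {Commit}\) and \(\mathsf {Verify}\) while \(\pi \) is unknown to the committer, then \(\mathsf {Adapt}\) and \(\mathsf {Verify}'\) once \(\mathsf {sk}\) is revealed, including the consistency check \(h = h_0^\pi \bmod n\) that the prover performs on the revealed key. The safe primes, \(\pi = 2^{17}-1\) with \(\kappa = 15\), and the sample openings are constructed toy values.

```python
import math
import random

# Constructed toy parameters: safe primes 1439 and 2039; n is far too small to be secure.
P, Q = 1439, 2039
N = P * Q
KAPPA = 15
PI = 131071   # the prime 2^17 - 1, in [[2^(KAPPA+1); 2^(KAPPA+2)]] and coprime to phi(N)


def setup(seed=1):
    """Verifier's setup: g = h0^rho, h = h0^pi with rho coprime to pi; sk = (pi, h0) stays hidden."""
    rng = random.Random(seed)
    while True:
        u = rng.randrange(2, N)
        if math.gcd(u, N) == 1:
            break
    h0 = pow(u, 2, N)
    rho = rng.randrange(N * N + 1)
    while rho % PI == 0:
        rho = rng.randrange(N * N + 1)
    return (N, pow(h0, rho, N), pow(h0, PI, N)), (PI, h0)


def commit(pp, m, r):
    """Hidden-order commitment over the integers: c = g^m h^r mod n."""
    n, g, h = pp
    return (pow(g, m, n) * pow(h, r, n)) % n


def verify(pp, c, m, r):
    """Verify of Sect. 6.2: c = +/- g^m h^r mod n."""
    n, g, h = pp
    v = commit(pp, m, r)
    return c == v or c == (-v) % n


def adapt(pp, sk, c, m, r):
    """Turn the integer opening (m, r) into an opening modulo pi: m = k*pi + mbar,
    t = g^k h0^r, so that c = g^mbar t^pi. Rejects an sk that does not match pp."""
    n, g, h = pp
    pi, h0 = sk
    if pow(h0, pi, n) != h:
        raise ValueError("revealed (pi, h0) does not match pp")
    k, mbar = divmod(m, pi)      # works for negative m too: 0 <= mbar < pi
    return mbar, (pow(g, k, n) * pow(h0, r, n)) % n


def verify_prime(pp, pi, c, mbar, t):
    """Verify' of Sect. 6.2: c = g^mbar t^pi mod n, i.e. a known-order opening."""
    n, g, h = pp
    return c == (pow(g, mbar, n) * pow(t, pi, n)) % n


def switch_demo(m, r, seed=1):
    """Commit while pi is hidden, reveal sk, adapt, and re-verify modulo pi."""
    pp, sk = setup(seed)
    c = commit(pp, m, r)
    mbar, t = adapt(pp, sk, c, m, r)
    return verify(pp, c, m, r), verify_prime(pp, sk[0], c, mbar, t), mbar
```

The identity behind `adapt` is \(g^{\bar{m}} t^{\pi } = g^{\bar{m}} g^{k\pi } h_0^{r\pi } = g^{m} h^{r} = c\); the committer never needed \(\pi \) to produce c, which is what lets the same commitment serve both \(\textsf {ZK} _1\) and \(\textsf {ZK} _2\) in Sect. 6.3.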
6.3 Improving Zero-Knowledge Arguments over the Integers
The commitment with knowledge-delayed order provides a new technique for zero-knowledge arguments for statements over the integers, while working modulo \(\pi \). This technique leads to more efficient membership arguments, with lower communication and a smaller verifier computation (some part of the cost is delegated to the prover). We restrict our attention to statements that can be expressed as membership to a set \(S \in \mathbf {D} \). The protocol we describe is honest-verifier zero-knowledge. At the end of the section we recall standard methods to get full-fledged zero-knowledge.
Membership Argument for D. Given \(S \in \mathbf {D} \), let \(P_S\) be a representing polynomial with k-vector input and \(\ell \)-vector witness (e.g., if S is the set of positive integers, \(P_S:(x,w_1,w_2,w_3,w_4) \mapsto x - (\sum _i w_i^2)\)). We assume \(\mathscr {P}\) and \(\mathscr {V}\) agreed on a bound t such that each \(\varvec{x} \in S\) has a witness \(\varvec{w}\) such that \(\Vert \varvec{w} \Vert _\infty \le \Vert \varvec{x} \Vert _\infty ^{t}\) (since \(S \in \mathbf {D} \), there is always such a t; as shown in [36], \(t < 2\) is sufficient for most cryptographic applications).
Let \(\varvec{x}\) be a secret vector held by \(\mathscr {P}\), and \(\varvec{w}\) be a witness for \(\varvec{x} \in S\), meaning that \(P_S(\varvec{x},\varvec{w}) = 0\). Zero-knowledge arguments for polynomial relations over committed inputs usually demand committing to intermediate values, and proving additive and multiplicative relationships with the inputs, see e.g. [9]. To prove a multiplicative relationship \(z=xy\) between values (x, y, z) committed in \((c_x,c_y,c_z)\), \(\mathscr {P}\) proves knowledge of inputs (x, y, z) and random coins \((r_x,r_y,r_z)\) such that \(c_x = g^xr_x^\pi \bmod n\), \(c_y = g^yr_y^\pi \bmod n\), and \(c_z = c_x^y r_z^\pi \).
We almost follow this principle except that we use the commitment scheme of Sect. 6.2 to switch from \(\textsf {com} \) to \(\textsf {com} _\pi \) once \(\mathscr {P}\) proved knowledge of both \(\varvec{x}\) and \(\varvec{w}\) over the integers. Proving \(P_S(\varvec{x},\varvec{w}) = 0\) over the integers is then replaced by proving \(P_S(\varvec{x},\varvec{w}) = 0\) modulo \(\pi \).
1. \(\mathscr {V}\) runs the setup from Sect. 6.2, which generates \(\mathsf {pp} =(n,g,h)\) and \(\mathsf {sk} =(\pi ,h_0)\): this defines \(\textsf {com}: (x;r) \mapsto g^x h^r \bmod n\). It additionally proves the existence of \(\alpha \) such that \(g = h^\alpha \bmod n\);
2. \(\mathscr {P}\) picks random coins \((\varvec{r_x},\varvec{r_w})\) and commits to \((\varvec{x},\varvec{w})\) with \((\varvec{r_x},\varvec{r_w})\) as \((\varvec{c_x},\varvec{c_w}) \leftarrow (\textsf {com} (\varvec{x};\varvec{r_x}),\textsf {com} (\varvec{w};\varvec{r_w}))\);
3. \(\mathscr {P}\) performs a \(\textsf {ZKAoK} \{(\varvec{x},\varvec{w},\varvec{r_x},\varvec{r_w}) \mid \varvec{c_x} = g^{\varvec{x}}h^{\varvec{r_x}} \wedge \varvec{c_w} = g^{\varvec{w}}h^{\varvec{r_w}}\}\), which we hereafter refer to as \(\textsf {ZK} _1\), with \(\mathscr {V}\). If the argument fails, \(\mathscr {V}\) aborts the protocol.

1. \(\mathscr {V}\) reveals \((\pi ,h_0)\) to \(\mathscr {P}\), who checks whether \(h = h_0^\pi \bmod n\) in order to switch to \(\textsf {com} _\pi \). Let \((\varvec{x}', \varvec{w}') = (\mathfrak {r} _\pi (\varvec{x}),\mathfrak {r} _\pi (\varvec{w})) = (\varvec{x},\varvec{w}) \bmod \pi \).
2. \(\mathscr {P}\) performs a \(\textsf {ZKAoK} \{(\varvec{x}', \varvec{w}',\varvec{R_x}, \varvec{R_w})\}\), which we hereafter refer to as \(\textsf {ZK} _2\), such that \((\varvec{c_x},\varvec{c_w}) = (\textsf {com} _\pi (\varvec{x};\varvec{R_x}), \textsf {com} _\pi (\varvec{w};\varvec{R_w}))\) and \(P_S(\varvec{x},\varvec{w}) = 0 \bmod \pi \). Note that \((\varvec{c_x},\varvec{c_w})\) are now seen as commitments over \(\mathbb {Z}_\pi \), using the fact that \(\textsf {com} (\varvec{x};\varvec{r_x}) = \textsf {com} _\pi (\mathfrak {r} _\pi (\varvec{x}); \varvec{R_x})\) and \(\textsf {com} (\varvec{w};\varvec{r_w}) = \textsf {com} _\pi (\mathfrak {r} _\pi (\varvec{w}); \varvec{R_w})\), with appropriate \((\varvec{R_x},\varvec{R_w})\). If the argument succeeds, \(\mathscr {V}\) returns \(\mathsf {accept}\).
Theorem 4
Under the RSA assumption, the above protocol is a statistical zeroknowledge argument of knowledge of openings of \((\varvec{c_x},\varvec{c_w})\) to vectors of integers \((\varvec{x},\varvec{w})\) such that \(P_S(\varvec{x},\varvec{w})=0\): which proves that \(\varvec{x} \in S\).
Proof
The intuition behind Theorem 4 is that \(\textsf {ZK} _1\) proves that \(\mathscr {P}\) knows \((\varvec{x},\varvec{w})\) in \((\varvec{c_x},\varvec{c_w})\), and \(\textsf {ZK} _2\) proves that \(P_S(\varvec{x},\varvec{w}) = 0 \bmod \pi \) for a \(\kappa \)-bit prime \(\pi \) which was revealed after \((\varvec{x},\varvec{w})\) were committed. Hence, \(\mathscr {P}\) knew vectors of integers \((\varvec{x},\varvec{w})\) such that \(P_S(\varvec{x},\varvec{w}) = 0 \bmod \pi \) for a random \(\kappa \)-bit prime \(\pi \). This has a negligible probability to happen unless \(P_S(\varvec{x},\varvec{w}) = 0\) holds over the integers, since \(P_S\) is a polynomial. The full proof consists of the three properties: correctness, zero-knowledge, and knowledge-extractability.
Correctness. It easily follows from the correctness of \(\textsf {ZK} _1\) and \(\textsf {ZK} _2\): if \(\mathscr {P}\) knows \((\varvec{x},\varvec{w},\varvec{r_x},\varvec{r_w})\) such that \((\varvec{c_x},\varvec{c_w}) = (\textsf {com} (\varvec{x};\varvec{r_x}), \textsf {com} (\varvec{w};\varvec{r_w}))\) and \(P_S(\varvec{x}, \varvec{w})=0\), then the argument of knowledge of \((\varvec{x},\varvec{r_x})\) such that \(\varvec{c_x} = \textsf {com} (\varvec{x};\varvec{r_x})\) will succeed, and it holds that \((\varvec{c_x},\varvec{c_w}) = (\textsf {com} _\pi (\varvec{x}\bmod \pi ;v^{\mathfrak {q} _\pi (\varvec{x})}\tilde{h} ^{\varvec{r_x}}), \textsf {com} _\pi (\varvec{w}\bmod \pi ;v^{\mathfrak {q} _\pi (\varvec{w})}\tilde{h} ^{\varvec{r_w}}))\). Moreover, as \(P_S\) is a polynomial, the modular reduction applies, and leads to \(P_S(\varvec{x} \bmod \pi ,\varvec{w} \bmod \pi ) = P_S(\varvec{x}, \varvec{w}) = 0 \bmod \pi \).
Zero-Knowledge. It also follows from the zero-knowledge of \(\textsf {ZK} _1\) and \(\textsf {ZK} _2\), and the hiding property of the commitments. Let \(\mathscr {S}\!\textit{im}_\mathsf {ZK}\) be the following simulator: one first generates dummy commitments \((\varvec{c_x},\varvec{c_w})\), which does not make any difference under the hiding property, and runs the simulator of \(\textsf {ZK} _1\). Once \((\pi ,h_0)\) is revealed, \(\mathscr {S}\!\textit{im}_\mathsf {ZK}\) runs the simulator of \(\textsf {ZK} _2\).
Since the commitment is statistically hiding, \(\textsf {ZK} _1\) is our statistically zero-knowledge argument of knowledge of an opening from Sect. 3, and \(\textsf {ZK} _2\) is an argument of relations on commitments with known order \(\pi \) (since \(h = h_0^\pi \bmod n\)) that can be made statistically zero-knowledge, the full protocol is statistically zero-knowledge.
Knowledge Extractability. Consider a prover outputting a convincing argument with probability \(\varepsilon \), i.e. succeeding in \(\textsf {ZK} _1\) and \(\textsf {ZK} _2\) with probability greater than \(\varepsilon \).

If \(\varvec{x}' = \varvec{x} \bmod \pi \) and \(\varvec{w}' = \varvec{w} \bmod \pi \), then the value committed over the integers, before \(\pi \) was revealed, satisfy \(P_S(\varvec{x},\varvec{w}) = 0 \bmod \pi \), for a random \(\pi \in \mathopen {[\![}2^{\kappa +1}\mathclose {}\mathpunct {};2^{\kappa +2}\mathclose {]\!]}\). We stress that the view of (n, g, h) does not reveal any information on the prime \(\pi \).
Since there are approximately \(2^{\kappa +1}/\kappa \) primes in this set, and this extraction works with probability greater than \(\varepsilon ^2\), \(P_S(\varvec{x},\varvec{w}) = 0 \bmod Q\), for \(Q \ge 2^{2^\kappa /\varepsilon ^2}\), which is much larger than the values that can be taken in the integers, since the inputs and the witnesses have a size polynomial in \(\kappa \), and the polynomial \(P_S\) has a bounded degree.
If \(\varvec{x}' \ne \varvec{x} \bmod \pi \) or \(\varvec{w}' \ne \varvec{w} \bmod \pi \), w.l.o.g. we can assume that \(\varvec{x}' \ne \varvec{x} \bmod \pi \):

we get \((\varvec{x},\varvec{r_x})\) such that \(\varvec{c_x} = \pm g^{\varvec{x}}h^{\varvec{r_x}} = g^{\mathfrak {r} _\pi (\varvec{x})}(\pm g^{\mathfrak {q} _\pi (\varvec{x})} h_0^{\varvec{r_x}})^\pi \bmod n\);

and \((\varvec{x}', \varvec{R_x})\) such that \(\varvec{c_x} = g^{\varvec{x}'}\varvec{R_x}^\pi \bmod n\).
Hence, \(g^{\mathfrak {r} _\pi (\varvec{x})} (\pm g^{\mathfrak {q} _\pi (\varvec{x})} h_0^{\varvec{r_x}})^\pi = g^{\varvec{x}'}\varvec{R_x}^\pi \bmod n\), and so \(g^{\mathfrak {r} _\pi (\varvec{x}) - \varvec{x}'} = S^\pi \bmod n\), for \(S = \varvec{R_x}/(\pm g^{\mathfrak {q} _\pi (\varvec{x})} h_0^{\varvec{r_x}}) \bmod n\). If one had set \(h_0=y^2\) from an \(\textsf {RSA}\) challenge \((n,y,\pi )\) of exponent \(\pi >2^\kappa \), and thus \(g=y^{2\rho }\), then using Fact 5 from Proposition 1, one gets the \(\pi \)-th root of y modulo n.

This concludes the proof of the knowledgeextractability of the protocol, under the \(\textsf {RSA}\) assumption over \(\mathbb {Z}_n \). \(\square \)
On the Efficiency of the Method. The advantages of this method compared to the classical method are twofold. First, most of the work in the protocol comes from the computation of exponentiations, and our technique transfers most of this work from \(\mathscr {V}\) to \(\mathscr {P}\). This comes from the fact that verifying an equation such as \(\varvec{c} = \textsf {com} (x;r)\) involves exponentiations by integers of size \(O(\log n + \kappa )\), while verifying the equation \(\varvec{c} = \textsf {com} _\pi (x\bmod \pi ;R)\) involves only two exponentiations by \(\kappa \)-bit values, which greatly reduces the verifier’s work. However, to switch from \(\textsf {com} \) to \(\textsf {com} _\pi \), \(\mathscr {P}\) has to adapt the opening as in (1) of Sect. 6.2, which costs exponentiations by integers of size \(O(\log n + \kappa )\) to compute the random coin R. \(\mathscr {V}\) will still need to perform exponentiations by integers during \(\textsf {ZK} _1\), but his work during this step can be made essentially independent of the number N of inputs and witnesses (up to a small \(\log N\) additive term) and completely independent of the degree of the representing polynomial.
Second, our method separates the argument of knowledge of inputs to a Diophantine equation from the argument that they do indeed satisfy the equation. The arguments of knowledge of an opening of a commitment can be very efficiently batched: if \(\mathscr {P}\) commits to \((x_1, \cdots , x_N)\) with random coins \((r_1, \cdots , r_N)\) as \((c_1, \cdots , c_N)\), the verifier can simply send a random seed \(\lambda \leftarrow _R\{0,1\}^\kappa \) from which both players compute \((\lambda _1, \cdots , \lambda _N)\) using a pseudo-random generator. Then, \(\mathscr {P}\) performs a single argument of knowledge of an opening \((\sum _i \lambda _i x_i; \sum _i \lambda _i r_i)\) of the commitment \(\prod _i c_i^{\lambda _i}\) (see [5, 6] for more details). Therefore, when performing multiple membership arguments, \(\mathscr {P}\) and \(\mathscr {V}\) will have to perform a single argument for \(\textsf {ZK} _1\) (of size essentially independent of the number of committed values).
In general, the higher the degree of the representing polynomial is, the lower will be the communication with our method. Still, we show in the next section that even for the case of range proofs, which is a membership proof to a Diophantine set whose representing polynomial is of degree 2, our method provides efficiency improvements.
Further Improvements. \(\mathscr {V}\) can set h to \(h_0^{\prod _i\pi _i}\) for several primes \(\pi _i\) instead of \(h_0^\pi \). For some integer i, let \(p_i \leftarrow \prod _{j\ne i}\pi _j\). Doing so allows \(\mathscr {V}\) to reveal \((h_0^{p_i}, \pi _i)\) instead of \((h_0,\pi )\) in our method. Hence, in addition to allowing arbitrary parallel arguments with a single prime \(\pi \), a single setting is sufficient to perform a polynomial number of sequential arguments (fixed in advance) with different primes \(\pi _i\). In addition, we explained that commitments with knowledge-delayed order allow splitting the arguments of knowledge of the witnesses, denoted \(\textsf {ZK} _1\), and the argument that they indeed belong to a Diophantine set, denoted \(\textsf {ZK} _2\). The arguments \(\textsf {ZK} _1\) can be batched as described above but, for efficiency reasons, we should not generate \((\lambda _1,\lambda _2 \ldots , \lambda _N)\) as \((\lambda ,\lambda ^2,\ldots ,\lambda ^N)\). Indeed, \(\vert \lambda ^j \vert _b\) grows linearly with j over the integers. However, for the argument \(\textsf {ZK} _2\), the order of the commitment has been revealed. Hence, we can now use batching techniques with such \(\lambda _j=\lambda ^j\), since the prover is able to reduce the exponents modulo \(\pi \) at this stage. That means that our technique, consisting of efficiently revealing the order of the commitment between \(\textsf {ZK} _1\) and \(\textsf {ZK} _2\), allows one to use any method that crucially relies on batching coefficients expressed as powers of some \(\lambda \), which were only available for discrete-log based proofs of statements over (pairing-free) known-order groups. For instance, we can get a sublinear-size argument to show that a committed matrix is the Hadamard product over the integers of two other committed matrices.
Indeed, we can commit the rows of the matrices using a generalized commitment and make a batch proof for \(\textsf {ZK} _1\), which remain sublinear in the number of entries, and then we can import the results of [4, 26] to \(\textsf {ZK} _2\), preserving its sublinearity.
Full-Fledged Zero-Knowledge. With an honest verifier, there is no need to prove the existence of \(\alpha \) such that \(g=h^\alpha \). In the malicious setting, this proof guarantees the hiding property of the commitments to the prover, who additionally checks \(h=h_0^\pi \bmod n\) when they are revealed. Then we can use classical techniques to convert the HVZK protocol into a ZK protocol, such as an equivocable commitment of the challenge by the verifier, sent before the commitments from the prover.
7 Application to Range Proofs
7.1 Lipmaa’s Compact Argument for Positivity
As explained before, Lipmaa [36] proposed an efficient argument for positivity, using generalized Damgård-Fujisaki commitments and the fact that an integer is positive if and only if it can be written as the sum of four squares. However, it appears that the explicit construction given in [36, annex B] is flawed — although the high-level description is correct: any prover can provide a convincing argument for positivity, regardless of the sign of the committed integer, and hence without holding valid witnesses. This might raise some concerns, as the protocol of Lipmaa is the “textbook” range proof based on hidden-order groups. Hence the protocol is suggested in several papers, and was implemented in e.g. [2]. In the full version [19], we recall the argument of [36], identify its flaw, and provide a correct optimized version with a full proof of security.
In the following, we describe a range proof in the same vein as the positivity argument of Lipmaa: an integer x belongs to an interval \([\![a;b]\!]\) if and only if \((x-a)(b-x) \ge 0\). In addition, we take into account the following improvement suggested by Groth [25]: x is positive if and only if \(4x+1\) can be written as the sum of three squares, and such a decomposition can be computed in polynomial time by the prover. We view this range proof (which we call the three-square range proof and denote \(\mathsf {3SRP}\)) as an optimized version of the textbook range proof with integer commitments, to which we will compare our new method with knowledge-delayed order commitments (denoted \(\mathsf {3SRP}\text {-}\mathsf {KDO}\)).
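The prover-side computation just described, as an added example that is not the paper's code: for x in [a;b] it forms (x-a)(b-x) and decomposes 4(x-a)(b-x)+1 into three squares with a Rabin-Shallit style randomized search (random even offset x, prime p = n - x², then p as a sum of two squares), the step Section 7.3 identifies as the dominant prover cost for large B. The Miller-Rabin and Hermite-Serret helpers, the exhaustive-search threshold for small inputs and all function names are my own choices.

```python
import math
import random

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test (probabilistic); callers only pass odd n > 3."""
    s = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 = 2^s * d with d odd
    d = (n - 1) >> s
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        # the base witnesses compositeness unless x = +-1 or a squaring hits -1
        if x not in (1, n - 1) and not any(
                (x := x * x % n) == n - 1 for _ in range(s - 1)):
            return False
    return True

def two_squares(p):
    """Write a prime p = 1 (mod 4) as a^2 + b^2 (Hermite-Serret / Cornacchia)."""
    while True:  # c^((p-1)/4) is a square root of -1 mod p for half of all c
        r = pow(random.randrange(2, p), (p - 1) // 4, p)
        if r * r % p == p - 1:
            break
    a, b, lim = p, min(r, p - r), math.isqrt(p)
    while b > lim:  # Euclid on (p, r): the first remainder below sqrt(p) is a
        a, b = b, a % b
    return b, math.isqrt(p - b * b)

def three_squares(n):
    """Rabin-Shallit style decomposition of n = 1 (mod 4) into x^2 + y^2 + z^2."""
    assert n % 4 == 1
    root = math.isqrt(n)
    if root * root == n:  # odd squares may have no prime n - x^2 at all
        return root, 0, 0
    if n < 1 << 16:  # small n (e.g. 85) may also have none: search exhaustively
        for x in range(root + 1):
            for y in range(math.isqrt(n - x * x) + 1):
                z = math.isqrt(n - x * x - y * y)
                if x * x + y * y + z * z == n:
                    return x, y, z
    while True:  # heuristically about ln(n)/2 trials until n - x^2 is prime
        x = 2 * random.randrange(root // 2 + 1)  # even x keeps p = 1 (mod 4)
        if (p := n - x * x) > 3 and is_probable_prime(p):
            y, z = two_squares(p)
            return x, y, z

def range_witness(x, a, b):
    """Prover side of 3SRP: w with w1^2 + w2^2 + w3^2 = 4(x-a)(b-x) + 1."""
    if not a <= x <= b:
        raise ValueError("x outside [a, b]: no witness exists")
    return three_squares(4 * (x - a) * (b - x) + 1)

def relation_holds(x, a, b, w):
    """The Diophantine relation 3SRP proves; a solution forces (x-a)(b-x) >= 0."""
    return sum(v * v for v in w) == 4 * (x - a) * (b - x) + 1
```

Because the left-hand side of the relation is a sum of squares, any solution implies (x-a)(b-x) >= 0, which is why the argument never needs a separate sign check.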
7.2 Three-Square Range Proof
7.3 Results
Table 1. Complexities of \(\mathsf {3SRP}\) and \(\mathsf {3SRP}\text {-}\mathsf {KDO}\)

| | \(\mathsf {3SRP}\) | \(\mathsf {3SRP}\text {-}\mathsf {KDO}\) |
|---|---|---|
| Communication | \(N(8 \log n + 18\kappa + 5B) + 3\kappa \) | \(N(8\log n + 4\kappa ) + 10\kappa + 2\log n + B + \log N\) |
| Prover’s work | \(1.5 N(8\log n + 12B + 26\kappa + \log a)\) | \(1.5(N(13\log n + 13B + 18\kappa + \log a) + \log n + B + 6\kappa + \log N)\) |
| Verifier’s work | \(1.5(N(5\log n + 9B + 30\kappa + \log a + \log b) + \kappa )\) | \(1.5(N(12\kappa + \log a + \log b) + \log n + B + 10\kappa + \log N)\) |
Table 1 sums up the communication complexity and the computational complexity of both the \(\mathsf {3SRP} \) and the \(\mathsf {3SRP}\text {-}\mathsf {KDO} \) arguments for the execution of N parallel range proofs on the same interval \([\![a;b]\!]\), as classical batch techniques [5, 6] allow batching arguments of knowledge. Note that we omit constant terms. The communication is given in bits, while the work is given as a number of multiplications of elements of \(\mathsf {QR}_n \). When comparing the work of the prover, we also omit the cost of the decomposition into a sum of squares, as it is the same in both protocols. Similarly, we omit the cost of the initial proof of \(g=h^\alpha \bmod n\) by the verifier to the prover.
Efficiency Analysis. We now provide a detailed comparison between the \(\mathsf {3SRP}\) and the \(\mathsf {3SRP}\text {-}\mathsf {KDO}\) protocols. We set the size of the modulus n to 2048 bits and the security parameter \(\kappa \) to 128. As the communication of the protocols also depends on the bound \(2^B\) on the size of the interval, we consider various bounds in our estimation. For the sake of simplicity, we assume \(B = \log b\). We evaluate the overhead of \(\mathsf {3SRP}\text {-}\mathsf {KDO}\) with respect to \(\mathsf {3SRP}\), computed as \(100\times (\mathsf {cost} (\mathsf {3SRP}\text {-}\mathsf {KDO})-\mathsf {cost} (\mathsf {3SRP}))/\mathsf {cost} (\mathsf {3SRP})\), \(\mathsf {cost} \) being either a number of bits exchanged or a number of multiplications; a negative overhead is a gain for \(\mathsf {3SRP}\text {-}\mathsf {KDO}\).
Table 2. Comparison between \(\mathsf {3SRP}\) and \(\mathsf {3SRP}\text {-}\mathsf {KDO}\)

| | Communication overhead | Prover’s work overhead | Verifier’s work overhead |
|---|---|---|---|
| \(B = 30, N = 1\) | \(+16\%\) | \(+60.2\%\) | \(-66\%\) |
| \(B = 1024, N = 1\) | \(-3.7\%\) | \(+44\%\) | \(-71.7\%\) |
| \(B = 2048, N = 1\) | \(-17\%\) | \(+36.4\%\) | \(-74.1\%\) |
| \(B = 30, N = 10\) | \(-7.6\%\) | \(+47.5\%\) | \(-86.8\%\) |
| \(B = 1024, N = 10\) | \(-26.5\%\) | \(+33.2\%\) | \(-87.7\%\) |
| \(B = 2048, N = 10\) | \(-39.1\%\) | \(+26.5\%\) | \(-88\%\) |
Comparisons. Table 2 gives a summary of our results. As already noted, the overhead of the work of the prover in \(\mathsf {3SRP}\text {-}\mathsf {KDO}\) is measured by comparing the work without the cost of the Rabin-Shallit algorithm; the latter, however, is by far the dominant cost when B is large (as it runs in expected \(O(B^2\log B\cdot M(\log B))\) time, where \(M(\log B)\) is the time taken to perform a multiplication of \((\log B)\)-bit integers). Therefore, for a large B, the overhead of the work of the prover in \(\mathsf {3SRP}\text {-}\mathsf {KDO}\) is very small, whereas there is a huge gain for the verifier. As expected, the \(\mathsf {3SRP}\text {-}\mathsf {KDO}\) protocol provides interesting performance in settings where the verifier is computationally weak (e.g. in secure Cloud computing), and/or multiple range proofs are likely to be used in parallel, and/or the intervals are large.
Acknowledgments
This work has been partially done while the second author was at ENS. This work was supported in part by the European Research Council under the European Community’s Seventh Framework Programme (FP7/2007-2013 Grant Agreement no. 339563 – CryptoCloud).
References
1. Adleman, L., Manders, K.: Diophantine complexity. In: Proceedings of the 17th Annual Symposium on Foundations of Computer Science, SFCS 1976, pp. 81–88 (1976). http://dx.doi.org/10.1109/SFCS.1976.13
2. Adelsbach, A., Rohe, M., Sadeghi, A.-R.: Non-interactive watermark detection for a correlation-based watermarking scheme. In: Dittmann, J., Katzenbeisser, S., Uhl, A. (eds.) CMS 2005. LNCS, vol. 3677, pp. 129–139. Springer, Heidelberg (2005). doi: 10.1007/11552055_13
3. Barić, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997). doi: 10.1007/3-540-69053-0_33
4. Bayer, S., Groth, J.: Efficient zero-knowledge argument for correctness of a shuffle. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 263–280. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-29011-4_17
5. Bellare, M., Garay, J.A., Rabin, T.: Batch verification with applications to cryptography and checking. In: Lucchesi, C.L., Moura, A.V. (eds.) LATIN 1998. LNCS, vol. 1380, pp. 170–191. Springer, Heidelberg (1998). doi: 10.1007/BFb0054320
6. Bellare, M., Garay, J.A., Rabin, T.: Fast batch verification for modular exponentiation and digital signatures. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 236–250. Springer, Heidelberg (1998). doi: 10.1007/BFb0054130
7. Böhl, F., Hofheinz, D., Jager, T., Koch, J., Seo, J.H., Striecks, C.: Practical signatures from standard assumptions. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 461–485. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-38348-9_28
8. Boudot, F.: Efficient proofs that a committed number lies in an interval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000). doi: 10.1007/3-540-45539-6_31
9. Bresson, E., Stern, J.: Proofs of knowledge for non-monotone discrete-log formulae and applications. In: Chan, A.H., Gligor, V. (eds.) ISC 2002. LNCS, vol. 2433, pp. 272–288. Springer, Heidelberg (2002). doi: 10.1007/3-540-45811-5_21
10. Brickell, E.F., Chaum, D., Damgård, I., van de Graaf, J.: Gradual and verifiable release of a secret. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 156–166. Springer, Heidelberg (1988)
11. Camenisch, J., Chaabouni, R., shelat, A.: Efficient protocols for set membership and range proofs. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 234–252. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-89255-7_15
12. Camenisch, J., Hohenberger, S., Lysyanskaya, A.: Compact e-cash. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 302–321. Springer, Heidelberg (2005). doi: 10.1007/11426639_18
13. Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001). doi: 10.1007/3-540-44987-6_7
14. Camenisch, J., Michels, M.: Proving in zero-knowledge that a number is the product of two safe primes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 107–122. Springer, Heidelberg (1999). doi: 10.1007/3-540-48910-X_8
15. Camenisch, J., Michels, M.: Separability and efficiency for generic group signature schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 413–430. Springer, Heidelberg (1999). doi: 10.1007/3-540-48405-1_27
16. Canard, S., Coisel, I., Traoré, J.: Complex zero-knowledge proofs of knowledge are easy to use. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 122–137. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-75670-5_8
17. Chan, A.H., Frankel, Y., Tsiounis, Y.: Easy come - easy go divisible cash. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 561–575. Springer, Heidelberg (1998)
18. Couteau, G., Peters, T., Pointcheval, D.: Encryption switching protocols. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 308–338. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53018-4_12
19. Couteau, G., Peters, T., Pointcheval, D.: Removing the strong RSA assumption from arguments over the integers. Cryptology ePrint Archive, Report 2016/128 (2016). http://eprint.iacr.org/2016/128
20. Damgård, I., Fujisaki, E.: A statistically-hiding integer commitment scheme based on groups with hidden order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002). doi: 10.1007/3-540-36178-2_8
21. Damgård, I., Mikkelsen, G.L.: Efficient, robust and constant-round distributed RSA key generation. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 183–200. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-11799-2_12
22. Davis, M., Putnam, H., Robinson, J.: The decision problem for exponential Diophantine equations. Ann. Math. 72, 425–436 (1961)
23. Fujisaki, E., Okamoto, T.: Statistical zero knowledge protocols to prove modular polynomial relations. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 16–30. Springer, Heidelberg (1997). doi: 10.1007/BFb0052225
24. Gennaro, R.: Multi-trapdoor commitments and their applications to proofs of knowledge secure under concurrent man-in-the-middle attacks. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 220–236. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-28628-8_14
25. Groth, J.: Non-interactive zero-knowledge arguments for voting. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 467–482. Springer, Heidelberg (2005). doi: 10.1007/11496137_32
26. Groth, J.: Linear algebra with sublinear zero-knowledge arguments. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 192–208. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-03356-8_12
27. Groth, J.: Efficient zero-knowledge arguments from two-tiered homomorphic commitments. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 431–448. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-25385-0_23
28. Guajardo, J., Mennink, B., Schoenmakers, B.: Modulo reduction for Paillier encryptions and application to secure statistical analysis. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 375–382. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-14577-3_32
29. Hofheinz, D., Jager, T., Kiltz, E.: Short signatures from weaker assumptions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 647–666. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-25385-0_35
30. Hohenberger, S., Waters, B.: Short and stateless signatures from the RSA assumption. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 654–670. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-03356-8_38
31. Jarecki, S., Kiayias, A., Krawczyk, H.: Round-optimal password-protected secret sharing and T-PAKE in the password-only model. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 233–253. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-45608-8_13
32. Jarecki, S., Shmatikov, V.: Efficient two-party secure computation on committed inputs. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 97–114. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-72540-4_6
33. Juels, A., Guajardo, J.: RSA key generation with verifiable randomness. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 357–374. Springer, Heidelberg (2002). doi: 10.1007/3-540-45664-3_26
34. Kiayias, A., Tsiounis, Y., Yung, M.: Traceable signatures. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 571–589. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-24676-3_34
35. Kim, M., Lee, H.T., Cheon, J.H.: Mutual private set intersection with linear complexity. In: Jung, S., Yung, M. (eds.) WISA 2011. LNCS, vol. 7115, pp. 219–231. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-27890-7_18
36. Lipmaa, H.: On Diophantine complexity and statistical zero-knowledge arguments. In: Laih, C.S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 398–415. Springer, Heidelberg (2003). doi: 10.1007/978-3-540-40061-5_26
37. Lipmaa, H., Asokan, N., Niemi, V.: Secure Vickrey auctions without threshold trust. Cryptology ePrint Archive, Report 2001/095 (2001). http://eprint.iacr.org/2001/095
38. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). doi: 10.1007/3-540-46766-1_9
39. Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996). doi: 10.1007/3-540-68339-9_33
40. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptology 13(3), 361–396 (2000)
41. Pollett, C.: On the bounded version of Hilbert’s tenth problem. Arch. Math. Log. 42(5), 469–488 (2003). http://dx.doi.org/10.1007/s00153-002-0162-y
42. Rabin, M.O., Shallit, J.O.: Randomized algorithms in number theory. Commun. Pure Appl. Math. 39(S1), S239–S256 (1986). http://dx.doi.org/10.1002/cpa.3160390713
43. Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. Assoc. Comput. Mach. 21(2), 120–126 (1978)