EUROCRYPT 2017: Advances in Cryptology – EUROCRYPT 2017 pp 321-350

# Removing the Strong RSA Assumption from Arguments over the Integers

• Geoffroy Couteau
• Thomas Peters
• David Pointcheval
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10211)

## Abstract

Committing integers and proving relations between them is an essential ingredient in many cryptographic protocols. Among them, range proofs have been shown to be fundamental. They consist in proving that a committed integer lies in a public interval, which can be seen as a particular case of the more general Diophantine relations: for the committed vector of integers $$\varvec{x}$$, there exists a vector of integers $$\varvec{w}$$ such that $$P(\varvec{x},\varvec{w})=0$$, where P is a polynomial.

In this paper, we revisit the security strength of the statistically hiding commitment scheme over the integers due to Damgård-Fujisaki, and the zero-knowledge proofs of knowledge of openings. Our first main contribution shows how to remove the Strong RSA assumption and replace it by the standard RSA assumption in the security proofs. This improvement naturally extends to generalized commitments and more complex proofs without modifying the original protocols.

As a second contribution, we design an interactive technique turning commitment scheme over the integers into commitment scheme modulo a prime p. Still under the RSA assumption, this results in more efficient proofs of relations between committed values. Our methods thus improve upon existing proof systems for Diophantine relations both in terms of performance and security. We illustrate that with more efficient range proofs under the sole RSA assumption.

## Keywords

Public-key cryptography Commitment schemes Interactive arguments of knowledge Zero-knowledge proofs RSA assumption

## 1 Introduction

Commitment Schemes. Commitments are one of the most fundamental and widely used tools in cryptography. A commitment scheme allows a committer $$\mathscr {C}$$ holding a secret value s to send a commitment c of s to a verifier $$\mathscr {V}$$, and later on to open this commitment to reveal the value s. Such a commitment should hide the committed value s to the verifier, but binds the committer in opening only s. A famous example of commitment scheme, that perfectly hides its input, is the Pedersen commitment scheme [38], whose binding property relies on the discrete logarithm assumption: let $$\mathbb {G}$$ be a group of prime order p with two generators (gh). To commit to $$m \in \mathbb {Z}_p$$, $$\mathscr {C}$$ picks at random $$r \in \mathbb {Z}_p$$ and sends $$c = g^mh^r$$.

Fujisaki and Okamoto introduced the first integer commitment scheme [23], which was later generalized in [20]. Unlike classical commitment schemes, an integer commitment scheme allows $$\mathscr {C}$$ to commit to any $$m \in \mathbb {Z}$$. Intuitively, this is done by committing to m in a group $$\mathbb {Z}_\tau$$ of unknown order $$\tau$$, where division by units cannot be performed in general.

Interactive Proofs of Knowledge. An interactive proof of knowledge is a two-party protocol in which a prover $$\mathscr {P}$$ wants to convince a verifier $$\mathscr {V}$$ of his knowledge of some values satisfying a public statement. It should be knowledge-extractable, which means that an extractor can get values satisfying the statement when interacting with a successful prover, and zero-knowledge, which means that no information about these values leaks to the verifier (except that they satisfy the statement). Such proofs of knowledge are useful in many cryptographic constructions. Commitment schemes are a core component of zero-knowledge proofs of knowledge. In particular, integer commitment schemes have been extensively used in various interactive protocols involving zero-knowledge proofs of knowledge.

Assumptions for Proofs on Integer Commitments. The binding property of the Damgård-Fujisaki commitment scheme relies on the hardness of factoring composite integers. Even though the intractability of factoring is widely considered as a mild computational assumption, the knowledge-extractability of the proofs using these commitments relies on the $$\textsf {Strong\text {-}RSA}$$ assumption [3, 23], which is a much stronger assumption than the classical $$\textsf {RSA}$$ assumption. This assumption states that, given a composite integer n and a random element $$u \in {\mathbb {Z}_n ^*}$$, it is hard to find a pair (ve) such that $$u = v^e \bmod n$$. Unlike the $$\textsf {RSA}$$ assumption [43], where the exponent $$e>1$$ is imposed, there are exponentially many solutions to a given instance of the $$\textsf {Strong\text {-}RSA}$$ problem, the problem is thus easier to solve. However, these commitments still provide the best solution to prove relations over integers.

Range Proof. The most widespread reason to work over the integers is to prove that a committed value x lies in a public integer range $$\mathopen {[\![}a\mathclose {}\mathpunct {};b\mathclose {]\!]}$$. Indeed, working over the integers allows to show that $$x-a$$ and $$b-x$$ are positive by decomposing them as sum of four squares, following the well-known Lagrange’s result. Boudot in his Eurocrypy’00 talk, and Lipmaa [36], were the first to propose such a method by relying on a commitment over the integers. As a consequence, the knowledge extractability of this range proof requires the $$\textsf {Strong\text {-}RSA}$$ assumption.

### 1.1 Our Contribution

First, we revisit the Damgård-Fujisaki integer commitment scheme and show that the security of arguments of knowledge of openings can be based on the standard $$\textsf {RSA}$$ assumption, instead of the $$\textsf {Strong\text {-}RSA}$$ assumption. In the reduction, we use the rewinding technique in another way than in [20] as well as the splitting lemma [39, 40]. Our result extends to any protocols involving arguments or relations between committed integers which first prove the knowledge of the inputs before proving that the relations are satisfied. This implies that the security of numerous protocols, such as two-party computation [18, 32], e-cash [12], e-voting [25], secure generation of RSA keys [21, 33], zero-knowledge primality tests [14], password-protected secret sharing [31], and range proofs [36], among many others, can be proven under the $$\textsf {RSA}$$ assumption instead of the $$\textsf {Strong\text {-}RSA}$$ assumption at no computational cost. In addition, we believe that the ideas on which our proof relies could be used in several other constructions whose security was proven under the $$\textsf {Strong\text {-}RSA}$$ assumption, and might allow to replace the $$\textsf {Strong\text {-}RSA}$$ assumption by the standard $$\textsf {RSA}$$ assumption as well.

Second, we revisit a commitment scheme which was formally introduced in [24]: $$c=g^m R^\pi \bmod n$$, for a message $$m\in \mathbb {Z}_\pi$$ and $$R\in {\mathbb {Z}_n ^*}$$. It is perfectly hiding, and the binding property relies on the $$\textsf {RSA}$$ assumption (with modulus n, exponent $$\pi$$, and challenge g). We prove, as for the Damgård-Fujisaki commitment scheme, that the security of an argument of knowledge of an opening can also be based on the classical $$\textsf {RSA}$$ assumption. Therefore, we identify an interesting property that is satisfied by this commitment, which corresponds informally to the possibility to see this commitment scheme either as an integer commitment scheme (i.e., $$c = g^m h^r \bmod n$$), or, after some secret has been revealed, as a commitment scheme over $$\mathbb {Z}_\pi$$ for some prime $$\pi$$ (i.e., $$c = g^m R^\pi \bmod n$$). Without additional assumption, we show how the unpredictability of $$\pi$$ allows improving the efficiency of zero-knowledge arguments over the integers as the knowledge of the order $$\pi$$ is delayed in the protocol. This method allows to save communication and greatly reduces the work of the verifier, compared with a classical zero-knowledge argument for the same statement. We illustrate our method on range proofs [36], a zero-knowledge argument of knowledge of an input to a commitment such that the input belongs to some public interval.

Taken together, our contributions allow us to enhance both the security, by removing the $$\textsf {Strong\text {-}RSA}$$ assumption, and the efficiency of numerous cryptographic protocols relying on integer commitment schemes.

### 1.2 Related Works

The Damgård-Fujisaki commitment scheme [20, 23] is the only known homomorphic statistically-hiding commitment scheme over the integers. Arguments of knowledge over the integers were studied in [16, 34, 36].

Range proofs were introduced in [10]. They are a core component in numerous cryptographic protocols, including e-cash [12], e-voting [25], private auctions [37], group signatures [15], and anonymous credentials [13], among many others. There are two classical methods for performing a range proof:
• Writing the number in binary notation [10, 27] or u-ary notation [11], committing to its decomposition and performing a specific proof for each of these commitments For example, membership to $$\mathopen {[\![}0\mathclose {}\mathpunct {};2^\ell \mathclose {]\!]}$$ is proven in communication $$O(\ell /(\log \ell - \log \log \ell ))$$ in the protocol of [11], and in communication $$O(\ell ^{1/3})$$ in the protocol of [27] (only counting the number of group elements).

• Using an integer commitment scheme [8, 25, 36].

Note that protocols such as [17] do also allow to prove that a committed integer x lies in a given interval $$\mathopen {[\![}0\mathclose {}\mathpunct {};a\mathclose {]\!]}$$ up to an accuracy parameter $$\delta$$: actually only membership to $$\mathopen {[\![}0\mathclose {}\mathpunct {};(1+\delta )a\mathclose {]\!]}$$ is proved.

Eventually, several papers have proposed signatures based on the standard $$\textsf {RSA}$$ assumption [7, 29, 30] as alternatives to classical signature schemes based on the $$\textsf {Strong\text {-}RSA}$$ assumption. Our work is in the same vein as these papers, replacing the $$\textsf {Strong\text {-}RSA}$$ assumption by the $$\textsf {RSA}$$ assumption in arguments over the integers. However, note that we do not actually propose a new argument system to get rid of the $$\textsf {Strong\text {-}RSA}$$ assumption, but rather show that the security of the classical argument system is implied by the $$\textsf {RSA}$$ assumption. As a consequence, the schemes using arguments over the integers do not need to be modified to benefit from our security analysis.

### 1.3 Organization

Section 2 introduces the necessary background for what follows, and namely some useful facts on the RSA groups. Section 3 recalls the Damgård-Fujisaki commitment scheme, its properties, and the argument of knowledge of [20]. A new security proof of the latter, under the standard $$\textsf {RSA}$$ assumption, is given in details in Sect. 4. Section 5 illustrates some extensions of our result. First, we show how one can commit to vectors at once with generalized commitments. And then, we show how one can make range proofs under the standard $$\textsf {RSA}$$ assumption. Section 6 revisits the commitment scheme of [24] and shows how, by switching from the previous commitment to this one, we can get a new interactive proof system for performing zero-knowledge arguments over the integers, that is more efficient. Eventually, Sect. 7 illustrates our method on range proofs, with concrete efficiency comparisons.

For the sake of completeness, in the full version [19] we exhibit a flaw in the optimized version of Lipmaa’s range proof [36, Annex B]. We then propose a fix as well as security proof.

## 2 Backgrounds

Throughout this paper, $$\kappa$$ denotes the security parameter. An algorithm is efficient when it runs in polynomial time in the (implicit) security parameter $$\kappa$$. A positive function f is negligible if for any polynomial p there exists a bound $$B>0$$ such that, for any integer $$k\ge B$$, $$f(k)\le 1/\vert p(k) \vert$$. An event depending on $$\kappa$$ occurs with overwhelming probability when its probability is at least $$1-\varepsilon (\kappa )$$ for a negligible function $$\varepsilon$$.

### 2.1 Notations

Given a finite set S, the notation $$x\leftarrow _RS$$ means a uniformly random assignment of an element of S to the variable x, then for any $$s\in S$$ we have $$\Pr _S[x=s]=1/\# S$$ where $$\# S$$ denotes the cardinality of S. When an element s is represented by an integer, $$\vert s \vert _b$$ is the bit-length of the integer, and $$\vert s \vert$$ denotes its absolute value (or norm). Bold variables denote vectors. For a vector $$\varvec{x} = (x_1, \cdots , x_\ell )$$, $$g^{\varvec{x}}$$ denotes $$(g^{x_1}, \cdots , g^{x_\ell })$$ and $$\Vert \varvec{x} \Vert _\infty =\max _{1\le i\le \ell }\vert x_i \vert$$.

The integer range $$\mathopen {[\![}a\mathclose {}\mathpunct {};b\mathclose {]\!]}$$ stands for $$\{x\in \mathbb {Z}\;\vert \;a\le x\le b\}$$. For any integers $${a\le b}$$, the statistical distance between two uniform distributions, over $$U_a=\mathopen {[\![}1\mathclose {}\mathpunct {};a\mathclose {]\!]}$$ and $$U_b=\mathopen {[\![}1\mathclose {}\mathpunct {};b\mathclose {]\!]}$$ respectively, is given by $$\sum _{i=1}^{b} \vert \Pr _{U_a}[x=i]-\Pr _{U_b} [x=i] \vert = \sum _{i=1}^{a}(1/a-1/b)+\sum _{i=a+1}^{b} 1/b = 2 (b-a)/b$$.

### 2.2 Commitment Scheme

We first recall the basic definition of a commitment scheme on the message space $$\mathscr {M}$$. This is an essential primitive in cryptography, that is used to lock a value in a box, so that the sender cannot change at the opening time (the binding property) but still the receiver has no information about the value before the opening (the hiding property). A non-interactive commitment scheme is defined by three algorithms $$(\mathsf {Setup},\mathsf {Commit},\mathsf {Verify})$$:
• $$\mathsf {Setup}(1^\kappa )$$, generates the public parameters $$\mathsf {pp}$$, which also specifies the message space $$\mathscr {M}$$, the commitment space $$\mathscr {C}$$, the opening space $$\mathscr {D}$$, and the random source $$\mathscr {R}$$;

• $$\mathsf {Commit}(\mathsf {pp},m;r)$$, given the message $$m\in \mathscr {M}$$ and some random coins $$r\in \mathscr {R}$$, outputs a commitment-opening pair (cd). When there is no ambiguity, we will abuse the notation $$(c,d)\leftarrow _R\mathsf {Commit}(m)$$, for $$\mathsf {pp}$$ and $$r\leftarrow _R\mathscr {R}$$;

• $$\mathsf {Verify}(\mathsf {pp},c,d,m)$$, outputs a bit whose value depends on the validity of the opening (md) with respect to the commitment c.

A commitment scheme must be
Correct.

For any public parameters $$\mathsf {pp} \leftarrow _R\mathsf {Setup}(1^\kappa )$$, any message $$m\in \mathscr {M}$$, and any random coin $$r\in \mathscr {R}$$, if $$(c,d)\leftarrow \mathsf {Commit}(\mathsf {pp},m;r)$$, then we necessarily have $$\mathsf {Verify}(\mathsf {pp},c,d,m)=1$$.

Hiding.

No probabilistic polynomial-time adversary $$\mathscr {A}$$, that is first given $$\mathsf {pp} \leftarrow _R\mathsf {Setup}(1^\kappa )$$, can distinguish commitments on two messages $$(m_0,m_1)$$ of its choice. The commitment scheme is said statistically hiding if the indistinguishability holds even for unbounded adversaries.

Binding.

No probabilistic polynomial-time adversary $$\mathscr {A}$$ can open a commitment c on two different messages $$m_0\ne m_1$$. The commitment scheme is said statistically binding if this is infeasible even for unbounded adversaries.

A commitment scheme can also be homomorphic, if for a group law $$\oplus$$ on the message space $$\mathscr {M}$$, from $$\mathsf {pp}$$, $$(c_0,d_0)\leftarrow \mathsf {Commit}(\mathsf {pp},m_0;r_0)$$ and $$(c_1,d_1)\leftarrow \mathsf {Commit}(\mathsf {pp},m_1;r_1)$$, one can generate c and d so that $$\mathsf {Verify}(\mathsf {pp},c,d,m_0\oplus m_1)=1$$.

### 2.3 Interactive Proof Systems

We now recall the second tool we will use in this paper, the zero-knowledge proofs of knowledge, and their variants.

Zero-Knowledge Proofs and Arguments. Let $$\mathsf {R}$$ be an NP-relation over a set $$\mathfrak {X}$$ defining an NP-language $$\mathscr {L} = \{x \in \mathfrak {X} \;\vert \;\exists w, \mathsf {R} (x,w) = 1\}$$, where a w such that $$\mathsf {R} (x,w) = 1$$ is called a witness for the statement $$x\in \mathscr {L}$$.

A zero-knowledge proof of knowledge ($$\textsf {ZKPoK}$$) for a relation $$\mathsf {R}$$ and a word $$x \in \mathfrak {X}$$ is an interactive protocol $$\langle \mathscr {P}(w),\mathscr {V}\rangle (x\in \mathscr {L})$$ between a prover $$\mathscr {P}$$ holding a witness w for the statement $$x \in \mathscr {L}$$, and a verifier $$\mathscr {V}$$, both modeled as interactive probabilistic polynomial-time Turing machines. The purpose of a $$\textsf {ZKPoK}$$ is for $$\mathscr {P}$$ to convince $$\mathscr {V}$$ of its knowledge of some witness w of the statement $$x\in \mathscr {L}$$, without revealing any information about this witness. More formally, let $$\textsc {View} _{\mathscr {V}}[\langle \mathscr {P}(w),\mathscr {V}\rangle (x\in \mathscr {L}) ]$$ be the view of $$\mathscr {V}$$ during the execution of the interactive protocol (i.e., all the messages it received when interacting with $$\mathscr {P}$$). A $$\textsf {ZKPoK}$$ must be:
Correct.

For every $$x\in \mathscr {L}$$, if $$\mathscr {P}$$ knows a witness w, and both $$\mathscr {P}$$ and $$\mathscr {V}$$ behave honestly, $$\langle \mathscr {P}(w),\mathscr {V}\rangle (x\in \mathscr {L})$$ is accepted by $$\mathscr {V}$$ with overwhelming probability.

Knowledge Extractable.

For any prover which succeeds in convincing $$\mathscr {V}$$ of $$x\in \mathscr {L}$$ with non-negligible probability, there exists a simulator $$\mathscr {S}\!\textit{im}_\mathsf {KE}$$, running in expected polynomial time, which extracts a witness w for $$x\in \mathscr {L}$$ from .

Zero-Knowledge.

For any verifier , there exists a simulator $$\mathscr {S}\!\textit{im}_\mathsf {ZK}$$ such that for every $$x\in \mathscr {L}$$, $$\mathscr {S}\!\textit{im}_\mathsf {ZK}(x)$$ and $$\textsc {View} _{\mathscr {V}'}[\langle \mathscr {P}(w),\mathscr {V}'\rangle (x\in \mathscr {L}) ]$$, where w is a witness for $$x\in \mathscr {L}$$, are indistinguishable.

If the knowledge-extractability holds only for a computationally-bounded $$\mathscr {P}'$$, the protocol is a zero-knowledge argument of knowledge ($$\textsf {ZKAoK}$$). If the verifier is restricted to being honest in the zero-knowledge property, the proof is an honest-verifier zero-knowledge proof.

Zero-Knowledge Arguments from Diophantine Relations. A Diophantine set $$S \subseteq \mathbb {Z}^k$$ is a set of vectors over $$\mathbb {Z}^k$$ defined by a representing polynomial $$P_S(X,W)$$ with $$X = (X_1, \cdots , X_k)$$ and $$W = (Y_1, \cdots , Y_\ell )$$, i.e. a set of the form $$S = \{\varvec{x} \in \mathbb {Z}^k \;\vert \;\exists \varvec{w} \in \mathbb {Z}^\ell , P_S(\varvec{x},\varvec{w}) = 0\}$$ for some polynomial $$P_S$$. It was shown in [22] that any recursively enumerable set is Diophantine. An interesting class for cryptographic applications is the class $$\mathbf {D}$$ of Diophantine sets S such that each $$\varvec{x} \in S$$ has at least one witness $$\varvec{w}$$ satisfying $$\Vert \varvec{w} \Vert _\infty \le \Vert \varvec{x} \Vert _\infty ^{O(1)}$$. It is widely conjectured that $$\mathbf {D} = \mathsf {NP}$$, as $$\mathbf {D}$$ contains several $$\mathsf {NP}$$-complete problems, and it was shown in [41] that if $$\mathsf {co}\text {-}\mathsf {NLOGTIME} \subseteq \mathbf {D}$$, then $$\mathbf {D} = \mathsf {NP}$$. The class $$\mathbf {D}$$ was introduced in [1] and its cryptographic relevance was pointed out in [36]. For example, the set $$\mathbb {Z}_+$$ of positive integers is in $$\mathbf {D}$$, as by a well-known result of Lagrange, it can be defined as $$\mathbb {Z}_+ = \{x \in \mathbb {Z}\;\vert \;\exists (w_1,w_2,w_3,w_4)\in \mathbb {Z}^4, x - (w_1^2 + w_2^2 + w_3^2 + w_4^2) = 0\}$$. In addition, each $$w_i$$ is of bounded size $$\vert w_i \vert \le \vert x \vert$$.

Lipmaa [36] has shown that zero-knowledge arguments of membership to a set $$S \in \mathbf {D}$$, with representing polynomial P over k-vector inputs and $$\ell$$-vector witnesses, can be constructed using an integer commitment scheme, such as [20]. The size of the argument (the communication between $$\mathscr {P}$$ and $$\mathscr {V}$$) depends on k, $$\ell$$, and $$\deg (P)$$, the degree of P. As noted in [36], intervals, unions of intervals, exponential relations (i.e., set of tuples (xyz) such that $$z = x^y$$) and $$\gcd$$ relation (i.e., set of tuples (xyz) such that $$z = \gcd (x,y)$$) are all in $$\mathbf {D}$$, with parameters (k, $$\ell$$ and $$\deg (P)$$) small enough for cryptographic applications.

### 2.4 RSA Group Structure

In this paper we focus on $${\mathbb {Z}_n ^*}$$ for a strong RSA modulus $$n=pq$$ where pq are distinct safe primes. That means that $$p=2p'+1$$ and $$q=2q'+1$$ for two other primes so that $$p,p',q,q'$$ are all distinct, and $$\varphi (n) = 4p'q'$$. We write $$a=b \bmod n$$ to specify that $$a=b$$ in $$\mathbb {Z}_n$$ and we write $$a\leftarrow [b \bmod n]$$ to affect the smallest positive integer to a so that $$a=b \bmod n$$.

By $$\mathsf {GenMod}(1^\kappa )$$, we denote a probabilistic efficient algorithm that, given the security parameter $$\kappa$$, generates a strong RSA modulus n and secret parameters (pq) of at least $$\kappa$$ bits each with the specification that $$n=pq$$. In the following, we write $$(n,(p,q))\leftarrow _R\mathsf {GenMod}(1^\kappa )$$. We will sometimes abuse the notation $$n\leftarrow _R\mathsf {GenMod}(1^\kappa )$$ to say that the modulus n has been generated according to this distribution.

The RSA Assumption. The $$\textsf {RSA}$$ assumption states, informally, that given an exponent e prime to $$\varphi (n)$$, it is hard for any probabilistic polynomial-time algorithm to find the e-th root modulo n of a random $$y\leftarrow _R{\mathbb {Z}_n ^*}$$. More formally, let $$\mathsf {P} _n$$ be the subset of $$\mathbb {Z}_n$$ of elements prime to $$\varphi (n)$$. The $$\textsf {RSA}$$ assumption does in fact refer to a class of assumptions, depending of the distribution $$\mathscr {D} _n$$ over $$\mathsf {P} _n$$ from which the exponent e is drawn.

$$\mathscr {D} _n$$ - RSA Assumption

[43]. For $$n\leftarrow _R\mathsf {GenMod}(1^\kappa )$$ and $$e \leftarrow _R\mathscr {D} _n$$, it is hard for any probabilistic polynomial-time algorithm to find the e-th root modulo n of a random $$y\leftarrow _R{\mathbb {Z}_n ^*}$$. The triple (ney) is the $$\textsf {RSA}$$ instance.

Various flavours of the $$\textsf {RSA}$$ assumption are standard in the literature. In particular, the $$\textsf {RSA}$$ assumption with a fixed small exponent (the most common being 65537) is widely used in practical implementations. In theoretical papers, it is common to consider the $$\textsf {RSA}$$ assumption for exponents picked from the uniform distribution over $$\mathsf {P} _n$$ (see [30] for example). In this paper, we use a flavour of the $$\textsf {RSA}$$ assumption which is somewhat intermediate between these two standard variants: we will consider the $$\textsf {RSA}$$ assumption for exponents picked from the uniform distribution over $$\mathopen {[\![}3\mathclose {}\mathpunct {};a\mathclose {]\!]} \cap \mathsf {P} _n$$ for a value a polynomial in $$\kappa$$ (hence, we consider random small exponents). To simplify the notations, we will denote by a-$$\textsf {RSA}$$ this variant of the $$\textsf {RSA}$$ assumption1.

Other Computational Assumptions. Other famous computational assumptions over RSA groups are the intractability of the factorization and the $$\textsf {Strong\text {-}RSA}$$ assumption:

Integer Factorization Assumption.

It states that finding a non-trivial factor of $$n\leftarrow _R\mathsf {GenMod}(1^\kappa )$$ is hard for any probabilistic polynomial-time algorithm.

Strong-RSA Assumption

[3, 23]. It lets the choice of e to the algorithm: It states that, for $$n\leftarrow _R\mathsf {GenMod}(1^\kappa )$$, this is hard to find the e-th root modulo n, for a random $$y\leftarrow _R{\mathbb {Z}_n ^*}$$, for any probabilistic polynomial-time algorithm, for an exponent $$e>1$$ of its choice.

It is well-known that breaking the integer factorization assumptions allows to break both the $$\textsf {RSA}$$ and the $$\textsf {Strong\text {-}RSA}$$ assumption. From the definition, it is clear that the $$\textsf {Strong\text {-}RSA}$$ assumption gives more degree of freedom to the adversary, so it is seemingly much stronger. Indeed, for the $$\textsf {RSA}$$ assumption, the exponent is not chosen by the adversary, but can be fixed in any way in advance by the challenger.

Properties of Strong RSA Groups. One can note that in groups modulo n, where $$n=pq$$ is a strong RSA modulus, p and q are Blum primes: $$p=q=3 \bmod 4$$. If we denote $$\mathsf {QR}_n$$ the subgroup of the squares, $$\mathsf {QR}_n =\{a\in {\mathbb {Z}_n ^*}\ \;\vert \;\exists b\in {\mathbb {Z}_n ^*}, a=b^2\bmod n\}$$, this is a cyclic subgroup of $${\mathbb {Z}_n ^*}$$ of order $$\varphi (n)/4=p'q'$$.

### Proposition 1

The following facts hold:
1. 1.

$$-1\not \in \mathsf {QR}_n$$;

2. 2.

any square $$h\in \mathsf {QR}_n$$ has four square roots, with exactly one in $$\mathsf {QR}_n$$;

3. 3.

for a random element $$h\in \mathsf {QR}_n$$, finding a square root of h is equivalent to factoring the modulus n;

4. 4.

for random elements $$g,h\in \mathsf {QR}_n$$, finding non-zero integers ab such that $$g^a =h^b \bmod n$$ is equivalent to factoring the modulus n;

5. 5.

for an $$\textsf {RSA}$$ instance (ney), finding $$x\in {\mathbb {Z}_n ^*}$$ and $$e'$$ prime to e such that $$x^e =y^{e'} \bmod n$$ is equivalent to finding an e-th root of y modulus n.

### Proof

Let us briefly explain why these facts hold, using the Jacobi symbol function $$J_n(x) = J_p(x) \times J_q(x)$$ in $${\mathbb {Z}_n ^*}$$, as the extension of the Legendre symbol on $$\mathbb {Z}_p^*$$ for prime p, $$J_p(x) = (x)^{(p-1)/2}$$, which determines whether x is a square or not in $$\mathbb {Z}_p^*$$. Since p and q are Blum primes, $$J_p(-1) = J_q(-1) = -1$$, and so $$J_n(-1) =1$$, but $$-1$$ is not in $$\mathsf {QR}_n$$, hence the Fact 1. The four square roots of 1, in $${\mathbb {Z}_n ^*}$$ are 1 and $$-1$$, both with Jacobi symbol +1, but respectively $$(+1,+1)$$ and $$(-1,-1)$$ for the Legendre symbols in $$\mathbb {Z}_p^*$$ and $$\mathbb {Z}_q^*$$, and $$\alpha$$, and $$-\alpha$$, both with Jacobi symbol -1, but respectively $$(+1,-1)$$ and $$(-1,+1)$$ for the Legendre symbols in $$\mathbb {Z}_p^*$$ and $$\mathbb {Z}_q^*$$. As a consequence, given a square $$h\in \mathsf {QR}_n$$, and a square root u, the four square roots are $$u,-u$$, and $$\alpha u, -\alpha u$$, one of which being in $$\mathsf {QR}_n$$, since the four kinds of Legendre symbols are represented. This leads to the Fact 2.

For Fact 3, if one chooses a random $$u\in {\mathbb {Z}_n ^*}$$ and sets $$h=u^2 \bmod n$$, $$J_n(u)$$ is completely hidden. Another square root v has probability one-half to have $$J_n(v) = - J_n(u)$$. This means that $$u^2 = v^2 \bmod n$$, but $$u\ne \pm v \bmod n$$. Then, $$\gcd (u-v,n)$$ gives a non-trivial factor of n.

For Fact 4, if one chooses a random $$u\in {\mathbb {Z}_n ^*}$$ and a large random scalar $$\alpha$$ and sets $$h=u^2 \bmod n$$ and $$g=h^\alpha \bmod n$$, h is likely a generator of $$\mathsf {QR}_n$$, and then $$g^a =h^b \bmod n$$ means that $$m = b - a \alpha$$ is a multiple of $$p'q'$$, the order of the subgroup of the squares. Let us note $$m = 2^v \cdot t$$, for an odd t, then $$p'q'$$ divides t: let us choose a random element $$u\in {\mathbb {Z}_n ^*}$$, with probability close to one-half, $$J_n(u)=-1$$, and so $$J_n(u^t)=-1$$ while $$u^t$$ is a square root of 1. As in the proof of the previous Fact 3, we can obtain a non-trivial factor of n.

Eventually, for Fact 5, using Bézout relation $$ue + ve' = 1$$, then $$x^{ve} = y^{v e'} = y^{1 - ue} \bmod n$$. So $$y = (x^v y^u)^e \bmod n$$.    $$\square$$

## 3 Commitment of Integers Revisited

In [23], Okamoto and Fujisaki proposed a statistically-hiding commitment scheme allowing commitment to arbitrary-size integers. Their commitment was later generalized in [20]. It relies on the fact that when the factorization is unknown, it is infeasible to know the order of the sub-group $$\mathsf {QR}_n$$ of the squares in $${\mathbb {Z}_n ^*}$$, where n is a strong RSA modulus. Hence, the only way for a computationally-bounded committer to open a commitment is to do it over the integers.

In addition, [23] gave an argument of knowledge of an opening of a commitment and proved that the knowledge extractability of the argument is implied by the $$\textsf {Strong\text {-}RSA}$$ assumption. A flaw in the original proof was later identified and corrected in [20]. We will revisit the argument of knowledge of an opening due to Damgård-Fujisaki [20] and provide a new proof for its knowledge extractability, in order to remove the requirement of the $$\textsf {Strong\text {-}RSA}$$ assumption. Our proof requires the standard $$\textsf {RSA}$$ assumption only, with an exponent randomly chosen in a polynomially-bounded set.

### 3.1 Commitments over the Integers

Description. Let us recall the commitment of one integer m:
• $$\mathsf {Setup}(1^\kappa )$$ runs $$(n,(p,q))\leftarrow _R\mathsf {GenMod}(1^\kappa )$$, and picks two random generators gh of $$\mathsf {QR}_n$$. It returns $$\mathsf {pp} =(n,g,h)$$;

• $$\mathsf {Commit}(\mathsf {pp},m;r)$$, for $$\mathsf {pp} =(n,g,h)$$, a message $$m\in \mathbb {Z}$$, and some random coins $$r\leftarrow _R\mathopen {[\![}0\mathclose {}\mathpunct {};n\mathclose {]\!]}$$, computes $$c= g^m h^r\bmod n$$, and returns (cd) with $$d=r$$;

• $$\mathsf {Verify}(\mathsf {pp},c,d,m)$$ parses $$\mathsf {pp}$$ as $$\mathsf {pp} =(n,g,h)$$ and outputs 1 if $$c= \pm g^{m}h^{d} \bmod n$$ and 0 otherwise.

One should note that an honest user will always open such that $$c= g^{m}h^{d} \bmod n$$. But the knowledge-extractability of the next $$\textsf {ZKAoK}$$ of opening cannot exclude the change of sign. In this description, we provide a trusted setup algorithm. But as we see below, the guarantees for the committer (the hiding property of the commitment) just rely on the existence of $$\alpha$$ such that $$g=h^\alpha \bmod n$$. For the verifier to be convinced, one can just let him generate the parameters (ngh), and prove the existence of such an $$\alpha$$ to the committer.

Security Analysis. The above commitment scheme is obviously correct. The hiding property relies on the existence of $$\alpha$$ such that $$g = h^\alpha \bmod n$$ (they are both generators of the same subgroup $$\mathsf {QR}_n$$), and so, for any $$m'\in \mathbb {Z}$$,
\begin{aligned} c&= \mathsf {Commit}(\mathsf {pp},m;r) = g^{m}h^{r} = h^{r+\alpha m} = h^{(r+\alpha (m-m'))+\alpha m'} \\&= g^{m'} h^{r+\alpha (m-m')} = \mathsf {Commit}(\mathsf {pp},m';r'), \end{aligned}
with $$r'\leftarrow [r+\alpha (m-m') \bmod p'q']$$, that is smaller than n and follows a distribution statistically close to the distribution of r. The binding property relies on the Integer Factorization assumption: indeed, from two different openings $$m_0,d_0,m_1,d_1$$ for a commitment c, with $$d_1>d_0$$, the validity checks show that $$g^{m_0} h^{d_0} = \pm g^{m_1} h^{d_1} \bmod n$$, and so $$g^{m_0-m_1} = \pm h^{d_1-d_0} \bmod n$$. Since g and h are squares, and $$-1$$ is not a square, necessarily $$g^{m_0-m_1} = h^{d_1-d_0} \bmod n$$. The Fact 4 from Proposition 1 leads to a non-trivial factor of n.

### 3.2 Zero-Knowledge Argument of Opening

Let us now study the argument of knowledge of a valid opening for such a commitment. The common inputs are the public parameters $$\mathsf {pp}$$ and the commitment $$c=g^x h^r \bmod n$$, together with the bit-length $$k_x$$ of the message x, that is then assumed to be in $$\mathopen {[\![}-2^{k_x}\mathclose {}\mathpunct {};2^{k_x}\mathclose {]\!]}$$, while $$r\in \mathopen {[\![}0\mathclose {}\mathpunct {};n\mathclose {]\!]}$$ and x are the private inputs, i.e. the witness of the prover. We stress that $$k_x$$ is chosen by the prover, since this reveals some information about the integer x, while r is always in the same set, whatever the committed element x is.

Description of the Protocol. The protocol works as follows:
Initialize:

$$\mathscr {P}$$ and $$\mathscr {V}$$ decide to run the protocol on input $$(\mathsf {pp},\kappa ,c,k_x)$$;

Commit:

$$\mathscr {P}$$ computes $$d = g^yh^s \bmod n$$, for randomly chosen $$y\leftarrow _R\mathopen {[\![}0\mathclose {}\mathpunct {};2^{k_x+2\kappa }\mathclose {]\!]}$$ and $$s\leftarrow _R\mathopen {[\![}0\mathclose {}\mathpunct {};2^{\vert n \vert _b+2\kappa }\mathclose {]\!]}$$, and sends d to the $$\mathscr {V}$$;

Challenge:

$$\mathscr {V}$$ outputs $$e\leftarrow _R\mathopen {[\![}0\mathclose {}\mathpunct {};2^\kappa \mathclose {]\!]}$$;

Response:

$$\mathscr {P}$$ computes and outputs the integers $$z=ex+y$$ and $$t=er+s$$;

Verify:

$$\mathscr {V}$$ accepts the proof and outputs 1 if $$c^e d = g^z h^t \bmod n$$. Otherwise, $$\mathscr {V}$$ rejects the proof and outputs 0.

In the rest of this section, we prove this protocol is indeed a zero-knowledge argument of knowledge of an opening. Which means it is correct, zero-knowledge, and knowledge-extractable.

Correctness. First, the correctness is quite obvious: if $$c = g^x h^r \bmod n$$, with $$z=ex+y$$ and $$t=er+s$$, we have $$g^z h^t = (g^x h^r)^e \cdot g^y h^s = c^e d \bmod n$$.

Zero-Knowledge. For the zero-knowledge property, in the honest-verifier setting, the simulator $$\mathscr {S}\!\textit{im}$$ (that is $$\mathscr {S}\!\textit{im}_\mathsf {ZK}$$ in this case) can simply do as follows:
1. 1.

$$\mathscr {S}\!\textit{im}$$ chooses a random challenge $$e\leftarrow _R\mathopen {[\![}0\mathclose {}\mathpunct {};2^\kappa \mathclose {]\!]}$$;

2. 2.

$$\mathscr {S}\!\textit{im}$$ chooses random responses $$z\leftarrow _R\mathopen {[\![}0\mathclose {}\mathpunct {};2^{k_x+2\kappa }\mathclose {]\!]}$$ and $$t\leftarrow _R\mathopen {[\![}0\mathclose {}\mathpunct {};2^{\vert n \vert _b+2\kappa }\mathclose {]\!]}$$;

3. 3.

$$\mathscr {S}\!\textit{im}$$ sets $$d = g^z h^t c^{-e} \bmod n$$.

The simulated transcript is the tuple (de, (zt)), where the elements follow the distribution $$\mathscr {D} _{3}$$ from Fig. 1, while the real transcript follows the distribution $$\mathscr {D} _{0}$$.
However, it is clear that $$\mathscr {D} _0 = \mathscr {D} _1 = \mathscr {D} _2$$, while the distance between $$\mathscr {D} _2$$ and $$\mathscr {D} _3$$ is the sum of the distances between the distributions of z and t, respectively in $$\mathscr {Z} _2 = \mathopen {[\![}xe\mathclose {}\mathpunct {};2^{k_x+2\kappa }+xe\mathclose {]\!]}$$ and $$\mathscr {Z} _3 = \mathopen {[\![}0\mathclose {}\mathpunct {};2^{k_x+2\kappa }\mathclose {]\!]}$$, and $$\mathscr {T} _2 = \mathopen {[\![}re\mathclose {}\mathpunct {};2^{\vert n \vert _b+2\kappa }+re\mathclose {]\!]}$$ and $$\mathscr {T} _3 = \mathopen {[\![}0\mathclose {}\mathpunct {};2^{\vert n \vert _b+2\kappa }\mathclose {]\!]}$$:
\begin{aligned} \varDelta _z&= \sum _{Z=0}^{2^{k_x+2\kappa }+xe} \vert \Pr [z\leftarrow _R\mathscr {Z} _2: z=Z] - \Pr [z\leftarrow _R\mathscr {Z} _3: z=Z] \vert \\&= \sum _{Z=0}^{xe-1} 2^{-k_x-2\kappa } + \sum _{Z=2^{k_x+2\kappa }+1}^{2^{k_x+2\kappa }+xe} 2^{-k_x-2\kappa } = 2 \cdot xe \cdot 2^{-k_x-2\kappa } \le 2 \cdot 2^{k_x+\kappa } \cdot 2^{-k_x-2\kappa } \end{aligned}
that is bounded by $$2\cdot 2^{-\kappa }$$. Similarly, $$\varDelta _t \le 2\cdot 2^{-\kappa }$$. Hence the statistical zero-knowledge property, since the real distribution $$\mathscr {D} _0$$ and the simulated distribution $$\mathscr {D} _3$$ have a negligible distance bounded by $$2^{-\kappa +2}$$.

Knowledge-Extractability. The last property is the most intricate, and this is the one that required the $$\textsf {Strong\text {-}RSA}$$ assumption in the original proof of Damgård and Fujisaki [20]. In the next section, we present a detailed proof of the following theorem:

### Theorem 2

Given a prover able to convince a verifier $$\mathscr {V}$$ of its knowledge of an opening of c for random system parameters $$\mathsf {pp} =(n,g,h)$$ with probability greater than $$\varepsilon$$ within time t, one either breaks the $$4/\varepsilon$$-$$\textsf {RSA}$$ assumption with expected time upper-bounded by $$256 t/\varepsilon ^3$$, or extracts a valid opening with expected time upper-bounded by $$16 t / \varepsilon ^2$$.

## 4 Proof of Theorem 2

Since this proof is the main technical contribution of the paper, with many practical applications, we provide it in details. We start with some preliminaries, and then discuss various cases.

### 4.1 Preliminaries

The proof will make use of the splitting lemma [39, 40], that we recall below:

### Lemma 3

Let $$A \subset X \times Y$$ such that $$\Pr [(x,y) \in A] \ge \varepsilon$$. For any $$\varepsilon ' < \varepsilon$$, if one defines $$B = \left\{ (x,y) \in X \times Y \mid \Pr _{y' \in Y}[(x,y') \in A] \ge \varepsilon -\varepsilon '\right\}$$, then it holds that:
\begin{aligned} (i)&\Pr [B] \ge \varepsilon '&(ii)&~\forall (x,y) \in B, \mathop {\Pr }\limits _{y' \in Y}[(x,y') \in A] \ge \varepsilon - \varepsilon '&(iii)&\Pr [B \mid A] \ge \varepsilon '/\varepsilon . \end{aligned}

In the proof, we will consider an adversary with a random tape R who succeeds with some probability $$\varepsilon$$ in any run of the full argument. Our proof will make use of rewinding: we will rewind the adversary several times to get several transcripts of the protocol for the same random tape R, and various challenges. The purpose of the splitting lemma is therefore to get a bound on the probability of getting valid transcripts when we fix R and run the adversary on various challenges.

### 4.2 Detailed Proof

Let us suppose the extractor $$\mathscr {S}\!\textit{im}$$ (that is $$\mathscr {S}\!\textit{im}_\mathsf {KE}$$ in this case) is given a $$4/\varepsilon$$-$$\textsf {RSA}$$ challenge (neu), which means that the exponents e is randomly chosen prime to $$\varphi (n)$$ but also in the set $$[1,4/\varepsilon ]$$. It sets $$h \leftarrow u^2 \bmod n$$ and $$g \leftarrow h^{\alpha } \bmod n$$ for a random exponent $$\alpha \leftarrow _R\mathbb {Z}_{n^2}$$. It sets $$\mathsf {pp} = (n, g,h)$$. Note that as u is random in $${\mathbb {Z}_n ^*}$$, (gh) are actually distributed as in the real protocol. We consider an adversary $$\mathscr {A}$$ that provides a convincing proof of knowledge of an opening of c (an accepted transcript) with probability $$\varepsilon$$, with the parameters $$(\mathsf {pp} =(n,g,h),\kappa ,c,k_x)$$.

Note that the probability distribution of a protocol execution is $$D = (R,e)$$, where R is the adversary’s random tape that determines d, and e is the random challenge from the honest verifier. Then, we can assume that on a random pair $$(R,e_0)$$, its probability to output an accepted transcript $$(d,e_0,z_0,t_0)$$ is greater than $$\varepsilon$$. We apply the splitting lemma with $$\varepsilon ' = \varepsilon /2$$ for the distribution $$D = \{R\} \times \{e\}$$: after one execution, with probability greater than $$\varepsilon$$, we obtain an accepted transcript $$(d,e_0, z_0,t_0)$$. In such a case, with probability greater than 1 / 2, R is a good random tape, which means that another execution with the same R but a random challenge $$e_1$$ will lead to another accepted transcript $$(d, e_1, z_1,t_1)$$ with probability $$\varepsilon ' = \varepsilon /2$$. Note that since R is kept unchanged, d is the same. Globally, with probability greater than $$\varepsilon ^2/4$$, after 2 executions of the protocol, one gets two related accepted transcripts: $$(d,e_0, z_0,t_0)$$ and $$(d,e_1, z_1,t_1)$$.

Without loss of generality, we may assume $$e_0 \ge e_1$$. Writing $$e'_1 \leftarrow e_0 - e_1$$, $$z'_1 \leftarrow z_0 - z_1$$, and $$t'_1 \leftarrow t_0 - t_1$$, the two valid tuples lead to the relation $$c^{e'_1} = {g}^{z'_1}{h}^{t'_1} \bmod n$$.

Then, with our adversary $$\mathscr {A}$$ and a rewind, with random $$(R,e_0,e_1)$$, we have at least one of the two statements below that is true after a first execution of $$\mathscr {A}$$ with $$(R,e_0)$$ and a rewind with $$(R,e_1)$$:
• Statement 1. one gets two related accepted transcripts $$(d,e_0, z_0,t_0)$$ and $$(d,e_1, z_1,t_1)$$, and $$e'_1$$ divides both $$z'_1$$ and $$t'_1$$ (with above notations) with probability greater than $$\varepsilon ^2/8$$;

• Statement 2. one gets two related accepted transcripts $$(d,e_0, z_0,t_0)$$ and $$(d,e_1, z_1,t_1)$$, and $$e'_1$$ does not divide both $$z'_1$$ and $$t'_1$$ (with above notations) with probability greater than $$\varepsilon ^2/8$$.

Statement 1: One gets two related accepted transcripts and $$e'_1$$ divides both $$z'_1$$ and $$t'_1$$ with probability greater than $$\varepsilon ^2/8$$. $$\mathscr {S}\!\textit{im}$$ simply outputs the pair of integers $$(x_1,r_1) \leftarrow (z'_1/e'_1,t'_1/e'_1)$$. If $$e'_1$$ is odd, and thus prime to $$\varphi (n)$$, we have $$c= g^{x_1}h^{r_1} \bmod n$$. However, if $$e'_1 = 2^v \rho$$ for an odd $$\rho$$ and $$v\ge 1$$, $$(c^{-1}g^{x_1}h^{r_1})^{2^v} = 1 \bmod n$$: from the Fact 2 from Proposition 1, $$(c^{-1}g^{x_1}h^{r_1})^2 = 1 \bmod n$$:
• either $$c^{-1}g^{x_1}h^{r_1} = \pm 1 \bmod n$$, and so $$c=\pm g^{x_1}h^{r_1} \bmod n$$ (valid opening);

• or we have a non-trivial square root of 1 modulo n, which leads to the factorization of n (see Proposition 1). As the $$\textsf {RSA}$$ assumption is stronger than the factorization, when we solve the factorization, we can compute the solution to the $$\textsf {RSA}$$ challenge.

Statement 2: One gets two related accepted transcripts and $$e'_1$$ does not divide both $$z'_1$$ and $$t'_1$$ with probability greater than $$\varepsilon ^2/8$$. We first show that, with reasonable probability, $$e'_1$$ does not divide $$\alpha z'_1 + t'_1$$ either (this is exactly the case 2 from [20]). The intuition behind this argument is that the only information that $$\mathscr {A}$$ can get about $$\alpha$$ is from $$g = h^{\alpha } \bmod n$$. However, this leaks only $$\alpha \bmod p'q'$$, while $$\alpha$$ was taken at random in $$\mathbb {Z}_{n^2}$$: all the information on its most significant bits is perfectly hidden. We recall below the proof given by Damgård and Fujisaki, for completeness.

Let Q be a prime factor of $$e'_1$$ and j be the integer such that $$Q^j$$ divides $$e'_1$$ but $$Q^{j+1}$$ does not divide $$e'_1$$, and at least one of $$z'_1$$ or $$t'_1$$ is non-zero modulo $$Q^j$$. Since $$e'_1$$ does not divide both $$z'_1$$ and $$t'_1$$, such a pair (Qj) does necessarily exist. Actually, if $$Q^j$$ divides $$z'_1$$, as it divides $$e'_1$$, it must also divide $$\alpha z'_1 + t'_1$$ and therefore $$t'_1$$, which was excluded (at least one of $$z'_1$$ or $$t'_1$$ is non-zero modulo $$Q^j$$). Therefore, $$z'_1 \ne 0 \bmod Q^j$$.

We can write $$\alpha = [\alpha \bmod p'q'] + \lambda p'q'$$ for some $$\lambda$$. Let us denote $$\mu = [\alpha \bmod p'q']$$. The tuple (ngh) uniquely determines $$\mu$$, whereas $$\lambda$$ is perfectly unknown to the prover. As $$Q^j$$ divides $$e'_{1}$$, it also divides $$\alpha z'_1 + t'_1$$:
\begin{aligned} \alpha z'_1 + t'_1 = \lambda z'_1 p'q' + \mu z'_1 + t'_1 = 0 \bmod Q^j. \end{aligned}
Note that $$p'q' \ne 0 \bmod Q$$, since $$p'$$ and $$q'$$ are $$\kappa$$-bit primes and the challenges are less than $$2^{\kappa }$$. And from the view of the adversary, $$\lambda$$ is uniformly distributed in $$\mathbb {Z}_n$$, while it should satisfy the above equation. But since this equation has at most $$\gcd (z'_1 p'q',Q^j)$$ solutions, which is a power of Q (and at most $$Q^{j-1}$$), and since n is larger than $$Q^j$$ by a factor (far) bigger than $$2^\kappa$$, the distribution of $$\lambda \bmod Q^j$$ is statistically close to uniform in $$\mathbb {Z}_{Q^j}$$, and the probability that $$\lambda$$ satisfies the above equation is bounded by $$1/Q - 2^{-\kappa } \le 1/2$$, independently of the actions of $$\mathscr {A}$$. Hence, when Statement 2 holds (the global probability is greater than $$\varepsilon ^2/8$$), $$e'_1$$ cannot divide $$\alpha z'_1 + t'_1$$ more than half the time. As a consequence, we necessarily have a stronger statement

One gets two related accepted transcripts and $$e'_1$$ does not divide $$\alpha z'_1 + t'_1$$ with probability greater than $$\varepsilon ^2/16$$.

This allows $$\mathscr {S}\!\textit{im}$$ to solve an RSA instance, which is the difference with the original proof. Let $$\beta _1 = \gcd (e'_1, \alpha z'_1 + t'_1)$$. Since $$e'_1$$ does not divide $$\alpha z'_1 + t'_1$$, we necessarily have $$1 \le \beta _{1}<e'_{1}$$. Let $$\varGamma _1 \leftarrow e'_1/\beta _1$$ and $$F_1 \leftarrow (\alpha z'_1 + t'_1)/\beta _1$$: $$F_1/\varGamma _1$$ is the irreducible fraction form of $$(\alpha z'_1 + t'_1)/e'_1$$ and $$e'_{1}\ge \varGamma _1>1$$. We now consider the following statements, among which at least one holds:
• Statement 2.a. One gets two related accepted transcripts, $$e'_1$$ does not divide $$\alpha z'_1 + t'_1$$, and $$\varGamma _1 \le 8/\varepsilon$$ with probability at least $$\varepsilon ^2/32$$;

• Statement 2.b. One gets two related accepted transcripts, $$e'_1$$ does not divide $$\alpha z'_1 + t'_1$$, and $$\varGamma _1 > 8/\varepsilon$$ with probability at least $$\varepsilon ^2/32$$.

Statement 2.a: One gets two related accepted transcripts, $$e'_1$$ does not divide $$\alpha z'_1 + t'_1$$, and $$\varGamma _1 \le 8/\varepsilon$$ with probability at least $$\varepsilon ^2/32$$. If $$\varGamma _1 \le 8/\varepsilon$$, since $$\beta _1 < e'_1$$, we must have $$\varGamma _1\in \mathopen {[\![}2\mathclose {}\mathpunct {};8/\varepsilon \mathclose {]\!]}$$. Let us recall we have $$(e'_1,z'_1,t'_1)$$ so that $$c^{e'_1} = g^{z'_1} h^{t'_1} \bmod n$$ and $$\beta _1 = \gcd (e'_1,\alpha z'_1+t'_1)$$ with $$1 < \varGamma _1 = e'_1/\beta _1\le 8/\varepsilon$$.
So we have $$e'_1 = \beta _1 \varGamma _1$$ and $${\alpha z'_1+ t'_1} = \beta _1 F_1$$ for relatively prime integers $$\varGamma _1$$ and $$F_1$$. Since $$h = u^2 \bmod n$$, we have $$c^{e'_1} = u^{2(\alpha z'_1+ t'_1)} \bmod n$$, which reduces to $$c^{\varGamma _1} = c^{e'_1/\beta _1}= \pm u^{2(\alpha z'_1+ t'_1)/\beta _1} = \pm u^{2F_1} \bmod n$$, unless one finds a non-trivial square root of 1 modulo n (which allows to solve any $$\textsf {RSA}$$ instance modulo n, see above). We now consider two additional statements, among which at least one holds:
• Statement 2.a.1. One gets two related accepted transcripts, $$e'_1$$ does not divide $$\alpha z'_1 + t'_1$$, $$\varGamma _1 \le 8/\varepsilon$$, and $$\varGamma _1 = 2^a$$ with $$a\ge 1$$, with probability at least $$\varepsilon ^2/64$$.

We thus have, with probability $$\varepsilon ^2/64$$, an odd $$k_1$$ such that $$c^{2^a } = u^{2 F_1} \bmod n$$: $$c^{2^{a-1}}$$ and $$u^{F_1}$$ are two square roots of the same value. Since no information leaks about the actual square roots $$\{u,-u\}$$ known for h, nor for $$h^{F_1}\bmod n$$, so $$c^{2^{a-1}} \ne \pm u^{F_1} \bmod n$$ with probability 1 / 2, which leads to the factorization of n with probability 1 / 2 (see Proposition 1). Hence, we solve the $$\textsf {RSA}$$ challenge with probability at least $$\varepsilon ^2/128$$.

• Statement 2.a.2. One gets two related accepted transcripts, $$e'_1$$ does not divide $$\alpha z'_1 + t'_1$$, $$\varGamma _1 \le 8/\varepsilon$$, and $$\varGamma _1=2^a v$$ with $$a\ge 0$$ and an odd $$v>1$$, with probability at least $$\varepsilon ^2/64$$.

It thus holds, with probability $$\varepsilon ^2/64$$ (unless one finds a non-trivial square root of 1 modulo n, which allows to solve any $$\textsf {RSA}$$ instance modulo n, see above), that $$C^v = u^{2F_1} \bmod n$$, for $$C=\pm c^{2^a}$$ and $$\gcd (v,2F_1)=1$$, since $$v \;\vert \;\varGamma _1$$ and v is odd. Using the Fact 5 from Proposition 1, one gets the v-th root of u modulo n, for $$v\in \mathopen {[\![}3\mathclose {}\mathpunct {};8/\varepsilon \mathclose {]\!]}\cap \mathsf {P} _n$$. Since our simulation that uses the RSA challenge (nue) does not leak any information about e, then $$v=e$$ with probability greater than $$\varepsilon /4$$, if the exponent e is randomly chosen in $$\mathopen {[\![}2\mathclose {}\mathpunct {};8/\varepsilon \mathclose {]\!]}\cap \mathsf {P} _n$$ (this set being exactly the set of odd integers smaller than $$8/\varepsilon$$, it contains approximately $$4/\varepsilon$$ elements). Hence, we solve an $$\textsf {RSA}$$ challenge with probability at least $$\varepsilon ^2/64\times \varepsilon /4 = \varepsilon ^3/256$$.

Statement 2.b: One gets two related accepted transcripts, $$e'_1$$ does not divide $$\alpha z'_1 + t'_1$$, and $$\varGamma _1 > 8/\varepsilon$$ with probability at least $$\varepsilon ^2/32$$. When $$\varGamma _1 > 8/\varepsilon$$, the simulator rewinds the protocol once more, with a third challenge $$e_2$$. Let us consider all the possible challenges $$e_2$$ for this rewinding (independently of any success). Among all the possible challenges $$e_2$$, and so the differences $$e'_2 = \vert e_0 - e_2 \vert$$, the number of differences that $$\varGamma _1$$ divides is at most $$(2^\kappa +1)/\varGamma _1 < 8(2^\kappa +1)/\varepsilon$$. A given $$e'_2$$ appears with probability at most $$2/2^\kappa$$ (since $$0 \le e'_2 \le \max \{e_0,2^\kappa -e_0\}$$). Therefore, the probability that $$\varGamma _1$$ divides $$e'_2$$ for a random $$e_2$$ is less than $$\varepsilon /4$$. Recall that, from the splitting lemma (with a good R), one gets a third related accepted transcript with probability greater than $$\varepsilon /2$$. Hence globally, we get three related accepted transcripts, such that $$e'_1$$ does not divide $$\alpha z'_1 + t'_1$$, $$\varGamma _1 > 8/\varepsilon$$, and $$\varGamma _1$$ does not divide $$e'_2$$, with probability at least $$\varepsilon ^3/128$$.

As above, for the third transcript $$(d,e_2,z_2,t_2)$$, we assume $$e_0 \ge e_2$$, and define $$e'_2 \leftarrow e_0 - e_2$$, $$z'_2 \leftarrow z_0 - z_2$$ (otherwise we change the signs). We also define $$\beta _2 = \gcd (e'_2, \alpha z'_2 + t'_2)$$. Note that we do not require that $$e'_2$$ does not divide $$\alpha z'_2 + t'_2$$. We also set $$\varGamma _2 \leftarrow e'_2/\beta _2$$ and $$F_2 \leftarrow (\alpha z'_2 + t'_2)/\beta _2$$: $$F_2/\varGamma _2$$ is the irreducible fraction form of $$(\alpha z'_2 + t'_2)/e'_2$$. Since $$\varGamma _2$$ divides $$e'_2$$, it cannot be equal to $$\varGamma _1$$.

Since these are all accepted transcripts, so $$c^{e'_1} = {g}^{z'_1} {h}^{t'_1} \bmod n$$ and $$c^{e'_2} = {g}^{z'_2} {h}^{t'_2} \bmod n$$, and then $$c^{e'_1 e'_2} = {g}^{e'_2 z'_1} {h}^{e'_2 t'_1} = {g}^{e'_1 z'_2} {h}^{e'_1 t'_2} \bmod n$$. This leads, for $$\varDelta _z=e_2'z_1'-e_1'z_2'$$ and $$\varDelta _t=e_2't_1'-e_1't_2'$$, to
\begin{aligned} g^{\varDelta _z} = g^{e_2'z_1'-e_1'z_2'}&=h^{e_1't_2'-e_2't_1'} = h^{-\varDelta _t} \bmod n. \end{aligned}
If $$\varDelta _z = \varDelta _t = 0$$, then it holds that $$z'_2/e'_2 = z'_1/e'_1$$ and $$t'_2/e'_2 = t'_1/e'_1$$:
$$\frac{F_2}{\varGamma _2} = \frac{\alpha z'_2 + t'_2}{e'_2} = \alpha \cdot \frac{z'_2}{e'_2} + \frac{t'_2}{e'_2} = \alpha \cdot \frac{z'_1}{e'_1} + \frac{t'_1}{e'_1} = \frac{\alpha z'_1 + t'_1}{e'_1} = \frac{F_1}{\varGamma _1}.$$
Since they are both the irreducible notations of the same fraction, we necessarily have $$\varGamma _1 = \varGamma _2$$ and $$F_1 = F_2$$, which contradicts the above remark that $$\varGamma _2\ne \varGamma _1$$. Hence, the pair $$(\varDelta _z,\varDelta _t)$$ is non-trivial, which leads to the factorization of n with probability 1 / 2, from the Fact 4 from Proposition 1. Overall, we get a solution to the $$\textsf {RSA}$$ challenge with probability at least $$\varepsilon ^3/128 \times 1/2 = \varepsilon ^3/256$$ (after getting the factorization).

Overall Success Probability. All in all, if Statement 2 is true, we get a solution to the $$\textsf {RSA}$$ challenge with probability at least $$\varepsilon ^3/256$$. On the other hand, if Statement 1 holds, there are two complementary situations: either we get a valid opening with probability at least $$\varepsilon ^2/16$$, or we get a non-trivial square root of 1 modulo n with probability at least $$\varepsilon ^2/16$$. Overall, we either get a valid opening with probability at least $$\varepsilon ^2/16$$, or we solve an $$\textsf {RSA}$$ challenge modulo n with probability at least $$\varepsilon ^3/256$$.    $$\square$$

## 5 Classical Extensions and Applications

We revisit the natural implications of the commitment scheme of Sect. 3 and its argument of knowledge. More precisely, we generalize the results of previous sections while we commit to vectors of integers. Then, we also show the security of Lipmaa’s range proofs [36] under the $$\textsf {RSA}$$ assumption to illustrate how the result of Sect. 4 extends to more general arguments over the integers.

### 5.1 Generalized Commitment of Integers

The following commitment scheme allows committing to a vector of integers $$(m_1,\ldots ,m_\ell )$$ with a single element of the form $$c=g_1^{m_1}\cdots g_\ell ^{m_\ell }h^r \bmod n$$:
• $$\mathsf {Setup}(1^\kappa ,\ell )$$ runs $$(n,(p,q))\leftarrow _R\mathsf {GenMod}(1^\kappa )$$, and picks $$\ell +1$$ random generators $$(g_1,\ldots ,g_\ell ,h)$$ of $$\mathsf {QR}_n$$. It returns $$\mathsf {pp} =(n,g_1,\ldots ,g_\ell ,h)$$;

• $$\mathsf {Commit}(\mathsf {pp},\varvec{m};r)$$, for $$\mathsf {pp} =(n,g_1,\ldots ,g_\ell ,h)$$, a vector $$\varvec{m} = (m_1,\ldots ,m_\ell )\in \mathbb {Z}^\ell$$, and some random coins $$r\leftarrow _R\mathopen {[\![}0\mathclose {}\mathpunct {};n\mathclose {]\!]}$$, computes $$c=g_1^{m_1}\cdots g_\ell ^{m_\ell }h^r \bmod n$$, and returns (cd) with $$d=r$$;

• $$\mathsf {Verify}(\mathsf {pp},c,d,\varvec{m})$$ parses $$\mathsf {pp}$$ as $$\mathsf {pp} =(n,g_1,\ldots ,g_\ell ,h)$$ and outputs 1 if $$c=\pm g_1^{m_1}\cdots g_\ell ^{m_\ell }h^d \bmod n$$ and 0 otherwise.

Again, the above commitment scheme is obviously correct. The hiding property relies on the existence of $$\alpha _i$$ such that $$g_i = h^{\alpha _i} \bmod n$$ for $$i=1,\ldots ,\ell$$, and so
\begin{aligned} c&= \mathsf {Commit}(\mathsf {pp},\varvec{m};r) = g_1^{m_1}\cdots g_\ell ^{m_\ell }h^r = h^{r+\sum \alpha _i m_i} \\&= h^{(r+\sum \alpha _i (m_i-m'_i))+\sum \alpha _i m'_i} = g_1^{m'_1}\cdots g_\ell ^{m'_\ell }h^{r+\sum \alpha _i (m_i-m'_i)} \\&= \mathsf {Commit}(\mathsf {pp},\varvec{m}';r'), \end{aligned}
for any $$\varvec{m}' = (m'_1,\ldots ,m'_\ell )\in \mathbb {Z}$$, with $$r'\leftarrow [r+\sum \alpha _i (m_i-m'_i) \bmod p'q']$$, that is smaller than n.

The binding property relies on the Integer Factorization assumption: indeed, from two different openings $$(\varvec{m},d)$$ and $$(\varvec{m}',d')$$ for a commitment c, with $$d'>d$$, the validity checks show that $$g_1^{m_1}\cdots g_\ell ^{m_\ell } h^d = g_1^{m'_1}\cdots g_\ell ^{m'_\ell } h^{d'} \bmod n$$, and so, if one has chosen $$\beta _i$$ such that $$g_i = g^{\beta _i} \bmod n$$, for a random square g, then one knows $$g^{\sum \beta _i (m_i-m'_i)} = h^{d'-d} \bmod n$$. The Fact 4 from Proposition 1 leads to the conclusion.

To avoid a trusted setup, one can note that the guarantees for the prover (the hiding property) just rely on the existence of $$\alpha _i$$ such that $$g_i = h^{\alpha _i} \bmod n$$ for $$i=1,\ldots ,\ell$$. The well-formedness of the RSA modulus is for the security guarantees against the verifier. It is important for him that the prover cannot break the $$\textsf {RSA}$$ assumption. So the setup can be run by the verifier, with an additional proof of existence of $$\alpha _i$$ such that $$g_i = h^{\alpha _i} \bmod n$$ for $$i=1,\ldots ,\ell$$ to the prover.

### 5.2 Zero-Knowledge Argument of Opening

An argument of knowledge of an opening of a commitment $$c = g_1^{x_1} \cdots g_\ell ^{x_\ell } h^r \bmod n$$ in the general case can be easily adapted from the normal case leading to a transcript of the form $$(d,e,(z_1,\ldots ,z_\ell ,t))$$ with $$d = g_1^{y_1}\cdots g_\ell ^{y_\ell }h^s$$, and $$c^e d = g_1^{z_1} \cdots g_\ell ^{z_\ell } h^t \bmod n$$. As above, the knowledge-extractor rewinds the execution for the same d, but two different challenges $$e_0 \ne e_1$$. Doing the quotient of the two relations, d cancels out: $$c^{e'} = g_1^{z'_1} \cdots g_\ell ^{z'_\ell } h^{t'} \bmod n$$. Let us assume that one would have set $$g_i = g^{a_i} h^{b_i} \bmod n$$, we would have
$$c^{e'} = g^{\sum a_i z'_i} h^{\sum b_i z'_i + t'} \bmod n.$$
Under the $$\textsf {RSA}$$ assumption, the above Statement 1 (from the proof, in Sect. 4) holds: $$e'$$ divides both $$\sum a_i z'_1$$ and $$\sum b_i z'_i + t'$$ with non-negligible probability. Since the coefficients $$a_i$$’s and $$b_i$$’s are random, this means that $$e'$$ divides all the $$z'_i$$’s and $$t'$$. Hence, one can set $$\mu _i = z'_i/e'$$, for $$i=1,\ldots ,\ell$$ and $$\tau = t'/e'$$, and $$c = \pm g_1^{\mu _1} \cdots g_\ell ^{\mu _\ell } h^{\tau } \bmod n$$ is a valid opening of c, unless one finds a non-trivial square-root of 1 modulo n.

### 5.3 Efficient Range Proofs from RSA

We show that Lipmaa’s range proof [36] also benefits from our technique as the $$\textsf {Strong\text {-}RSA}$$ assumption can also be avoided in the security analysis.

Range Proof from Integer Commitment Scheme. Let $$c= g^{x}h^r \bmod n$$ be a commitment of a value x and $$\mathopen {[\![}a\mathclose {}\mathpunct {};b\mathclose {]\!]}$$ be a public interval. As the commitment is homomorphic, one can efficiently compute a commitment $$c_a$$ of $$x-a$$ and a commitment $$c_b$$ of $$b-x$$ from c. To prove that $$x \in \mathopen {[\![}a\mathclose {}\mathpunct {};b\mathclose {]\!]}$$, this is enough to show that $$c_a$$ and $$c_b$$ commit to positive values. Let us focus on the proof that $$c_a= g^{x-a}h^r \bmod n$$ commits to a positive value, since the same method applies for $$c_b$$. To do so, the prover computes $$(x_1, x_2, x_3, x_4)$$ such that $$x-a = \sum _{i=1}^4 x_i^2$$. By a famous result from Lagrange, such a decomposition exists if and only if $$x-a \ge 0$$. Moreover, this decomposition can be efficiently computed by the Rabin-Shallit algorithm [42], for which Lipmaa [36] also suggested some optimizations. The prover commits to $$(x_1,x_2,x_3,x_4)$$ in $$(c_1,c_2,c_3,c_4)$$, where $$c_i=g^{x_i}h^{r_i}\bmod n$$ for each $$i=1$$ to 4. Now, the prover proves his knowledge of openings $$x-a$$, $$x_1,x_2,x_3,x_4$$ (along with random coins $$r,r_1,r_2,r_3,r_4$$) of $$c_a, c_1,c_2,c_3,c_4$$ satisfying $$\sum _{i=1}^4 x_i^2 = x-a$$ over the integers.

The reason allowing to solely rely on the $$\textsf {RSA}$$ assumption in the range proof comes from the fact that the first part of the argument reduces to an argument of knowledge of openings $$x_1,x_2,x_3,x_4$$ of $$c_1,c_2,c_3,c_4$$ while the remaining part simply ensures the relation $$\sum _{i=1}^4 x_i^2 = x-a$$ to hold. Indeed, once the witnesses are extracted, this is implied by the representation $$c_a= \prod _{i=1}^4 c_i^{x_i} h^{r - \sum x_ir_i} \bmod n$$ which can be seen as generalized commitment scheme with basis $$(c_1,c_2,c_3,c_4,h)$$ from which the opening cannot change. Therefore, the argument can be seen as five parallel arguments of knowledge, the fifth one being an argument of knowledge for a generalized commitment, where the opening for the last argument is the vector of the openings for the other arguments. A formal proof of an optimized version of this protocol under the intractability of the $$\textsf {RSA}$$ assumption is presented in the full version [19].

Extension. Since most of the arguments of knowledge of a solution to a system of equations over the integers [16] can be split into parallel arguments of knowledge of values assigned to the variables and a proof of membership (in the language composed of all the solutions of the system), which is expressed as representations corresponding to generalized commitments, our analysis extends to all “discrete-logarithm relation set” (see [34]): the description of the protocol is unchanged but the security only relies on the standard $$\textsf {RSA}$$ assumption.

## 6 Commitment with Knowledge-Delayed Order

Arguments of knowledge of openings for the Damgård-Fujisaki commitment scheme can rely on the $$\textsf {RSA}$$ assumption rather than the $$\textsf {Strong\text {-}RSA}$$ assumption. In this section, we show that this scheme can be efficiently combined with another $$\textsf {RSA}$$-based commitment scheme which, as far as we know, was proposed by Gennaro [24]: we show how Damgård-Fujisaki commitments (which are homomorphic over the integers) can be converted into Gennaro commitments (which are homomorphic over $$\mathbb {Z}_\pi$$ for some prime $$\pi$$). We rely on this feature to design a method to improve the efficiency of zero-knowledge arguments over the integers on several aspects, by allowing the players to perform some of the computations over $$\mathbb {Z}_\pi$$ rather than over the integers. We then illustrate our technique on the famous example of range proofs.

### 6.1 RSA-Based Commitments with Known Order

We recall the homomorphic commitment scheme over $$\mathbb {Z}_\pi$$ of [24]. The order of the commitment is a known prime $$\pi > 2^\kappa$$.

Description of the Generalized Commitment Scheme. Let us describe the commitment of vectors of integers $$(m_1,\ldots ,m_\ell )$$:
• $$\mathsf {Setup}(1^\kappa )$$ runs $$(n,(p,q))\leftarrow _R\mathsf {GenMod}(1^\kappa )$$, and picks $$\ell$$ random generators $$g_1,\ldots ,g_\ell$$ of $$\mathsf {QR}_n$$. Then, it picks a random prime $$\pi \in \mathopen {[\![}2^{\kappa +1}\mathclose {}\mathpunct {};2^{\kappa +2}\mathclose {]\!]}$$, and returns $$\mathsf {pp} =(n,g_1,\ldots ,g_\ell ,\pi )$$;

• $$\mathsf {Commit}(\mathsf {pp},\varvec{m};r)$$, for $$\mathsf {pp} =(n,g_1,\ldots ,g_\ell ,\pi )$$, a vector $$\varvec{m} = (m_1,\ldots ,m_\ell )\in \mathbb {Z}_{\pi }^\ell$$, and some random coins $$r\leftarrow _R\mathbb {Z}_n$$, computes $$c=g_1^{m_1} \cdots g_\ell ^{m_\ell } r^\pi \bmod n$$, and returns (cd) with $$d=r$$;

• $$\mathsf {Verify}(\mathsf {pp},c,d,\varvec{m})$$ parses $$\mathsf {pp}$$ as $$\mathsf {pp} =(n,g_1,\ldots ,g_\ell ,\pi )$$ and outputs 1 if $$c=g_1^{m_1}\cdots g_\ell ^{m_\ell }r^{\pi } \bmod n$$, and 0 otherwise.

The above commitment scheme is obviously correct. The hiding property relies on the bijectivity of the $$\pi$$-th power modulo n (as $$\pi$$ is prime): for any message $$\varvec{m}'=(m'_1,\ldots ,m'_\ell )\in \mathbb {Z}_{\pi }^\ell$$, we have $$c=g_1^{m'_1} \cdots g_\ell ^{m'_\ell } \times g_1^{m_1-m'_i} \cdots g_\ell ^{m_\ell -m'_i} \times r^\pi \bmod n$$. By noting s the $$\pi$$-th root of $$g_1^{m_1-m'_i} \cdots g_\ell ^{m_\ell -m'_i}$$, $$c = \mathsf {Commit}(\mathsf {pp},\varvec{m}';rs)$$. The binding property uses an extension of the Fact 5 from Proposition 1: if one has chosen $$\beta _i$$ such that $$g_i = u^{2\beta _i}$$, for a challenge $$\textsf {RSA}$$ $$u\in {\mathbb {Z}_n ^*}$$, two distinct openings $$(\varvec{m},r) \ne (\varvec{m}',s)$$ satisfy $$g_1^{m_1} \cdots g_\ell ^{m_\ell } r^\pi = g_1^{m'_1} \cdots g_\ell ^{m'_\ell } s^\pi \bmod n$$, and so $$(s/r)^\pi = u^{2a} \bmod n$$, where $$a = \sum \beta _i (m_i-m'_i) = a_1 \pi + a_0$$, with $$0\le a_0 < \pi$$. Let us note $$\alpha$$ and $$\beta$$ the integers such that $$\alpha \pi +\beta 2a_0 =\gcd (\pi ,2a_0)=1$$, and output $$u_0:=u^{\alpha -2a_1\beta } \cdot (s/r)^\beta \bmod n$$, then
$$u_0^\pi =u^{\alpha \pi -2 a_1 \beta \pi } \cdot (s/r)^{\beta \pi } = u^{1 - 2(a_0+ a_1\pi ) \beta } \cdot u^{2a\beta } = u \bmod n.$$
This breaks the $$\textsf {RSA}$$ assumption with exponent $$\pi$$.

Homomorphic-Opening. In addition, this commitment scheme is homomorphic in $$\mathbb {Z}_\pi$$: given $$c=g_1^{m_1}\cdots g_\ell ^{m_\ell }r^\pi \bmod n$$ and $$d=g_1^{m_1'}\cdots g_\ell ^{m_\ell '}s^\pi \bmod n$$ with known openings, we can efficiently open the commitment $$c\cdot d \bmod n$$ to $$\bar{\varvec{m}} = (\bar{m}_1,\ldots ,\bar{m}_\ell )$$, with $$\bar{m}_i = m_i + m'_i \bmod \pi$$ for $$1\le i\le \ell$$, and a random coin $$rs \prod g_i^{(m_i+m'_i)\div \pi } \bmod n$$, where $$a\div b$$ is the quotient of the Euclidean division. We emphasize this property to be essential to avoid working with long integers in the arguments of knowledge of an opening: the prover can “reduce” its openings since $$\pi$$ is known.

Argument of Opening. Given $$\mathsf {pp} =(n,g_1,\ldots ,g_\ell ,\pi )$$ and $$c=g_1^{x_1}\cdots g_\ell ^{x_\ell }r^\pi \bmod n$$, with witness $$(x_1,\ldots ,x_\ell ,r)$$, we can describe a standard argument of knowledge of an opening:
Initialize:

$$\mathscr {P}$$ and $$\mathscr {V}$$ decide to run the protocol on input $$(\mathsf {pp},\kappa ,c)$$;

Commit:

$$\mathscr {P}$$ computes $$d=g_1^{y_1}\cdots g_\ell ^{y_\ell }s^\pi$$, for $$y_i\leftarrow _R\mathbb {Z}_\pi$$, and $$s\leftarrow _R{\mathbb {Z}_n ^*}$$, and sends d to $$\mathscr {V}$$;

Challenge:

$$\mathscr {V}$$ outputs $$e\leftarrow _R\mathopen {[\![}0\mathclose {}\mathpunct {};2^\kappa \mathclose {]\!]}$$;

Response:

$$\mathscr {P}$$ computes $$k_i,z_i,t$$ such that $$e x_i+y_i=k_i\pi +z_i$$, with $$0\le z_i<\pi$$, and $$t=g_1^{k_1}\cdots g_\ell ^{k_\ell } \cdot r^{e} s \bmod n$$. $$\mathscr {P}$$ outputs $$(z =(z_i)_i,t)$$;

Verify:

$$\mathscr {V}$$ accepts the proof and outputs 1 if, for each i, $$0\le z_i<\pi$$, and $$c^{e} d=g_1^{z_1} \cdots g_\ell ^{z_\ell } t^\pi \bmod n$$. Otherwise, $$\mathscr {V}$$ rejects the proof and outputs 0.

Completeness and zero-knowledge are straightforward. Then, let us focus on the knowledge-extractability: From two related valid transcripts, for the same d, we get as usual $$c^{e-e'}=g_1^{z_1-z_1'}\cdots g_\ell ^{z_\ell -z_\ell '}\cdot (t/t')^\pi \bmod n$$. Since the prime $$\pi > 2^\kappa \ge \vert e-e' \vert$$, the simulator can compute $$\alpha (e-e') + \beta \pi =1$$ and we have
$$c^{1-\beta \pi }=c^{\alpha (e-e')}=g_1^{\alpha (z_1-z_1')}\cdots g_\ell ^{\alpha (z_\ell -z_\ell ')}\cdot (t/t')^{\alpha \pi }\bmod n.$$
Then, for $$\alpha (z_i-z_i')=l_i\pi +x_i'$$ with $$0\le x_i'<\pi$$, and $$T=c^\beta \cdot g_1^{l_1}\cdots g_\ell ^{l_\ell } \cdot (t/t')^\alpha \bmod n$$, we have a valid opening $$(x_1',\ldots ,x_\ell ',T)$$ of c.

### 6.2 Commitment with Knowledge-Delayed Order

The above commitment scheme with known prime order $$\pi$$ can temporarily pass itself off as a commitment scheme of Sect. 3 with hidden order.

Description of the Commitment Scheme. The verifier sets up the parameter $$\mathsf {pp}$$ of the commitment scheme with hidden order but hides a prime order $$\pi$$ in $$\mathsf {pp}$$ during this execution. To guarantee the hiding property, in the setup the verifier also adds a proof that $$g = h^\alpha \bmod n$$ for some $$\alpha$$.

• $$\mathsf {Setup}(1^\kappa )$$ runs $$(n,(p,q))\leftarrow _R\mathsf {GenMod}(1^\kappa )$$, and picks $$h_0\leftarrow _R\mathsf {QR}_n$$ and a random prime $$\pi \in \mathopen {[\![}2^{\kappa +1}\mathclose {}\mathpunct {};2^{\kappa +2}\mathclose {]\!]}$$. Then, it picks $$\rho \leftarrow _R\mathopen {[\![}0\mathclose {}\mathpunct {};n^2\mathclose {]\!]}$$, relatively prime to $$\pi$$, and sets $$g\leftarrow h_0^\rho \bmod n$$ and $$h\leftarrow h_0^{\pi } \bmod n$$. Finally, it returns $$\mathsf {pp} =(n,g,h)$$ and keeps $$\mathsf {sk} =(\pi ,h_0)$$. Actually, we have $$h^\rho = g^\pi \bmod n$$. So, if one sets $$\alpha = \rho \cdot \pi ^{-1} \bmod \varphi (n)$$, one has $$g = h^\alpha \bmod n$$, and proves it;

• $$\mathsf {Commit}(\mathsf {pp},m;r)$$ parses $$\mathsf {pp}$$ as above and commits to $$m\in \mathbb {Z}$$ by picking $$r\leftarrow _R\mathbb {Z}_n$$ and computing $$c= g^m h^r\bmod n$$. It returns (cr);

• $$\mathsf {Verify}(\mathsf {pp},c,m,r)$$ parses $$\mathsf {pp} =(n,g,h)$$ and outputs 1 if $$c= \pm g^{m}h^{r} \bmod n$$ and 0 otherwise;

• $$\mathsf {Reveal}(\mathsf {pp},\mathsf {sk})$$ returns $$\mathsf {sk} =(\pi ,h_0)$$;

• $$\mathsf {Adapt}(\mathsf {pp},\mathsf {sk},c,m,r)$$ first parses $$\mathsf {sk} =(\pi ,h_0)$$ and checks whether $$h=h_0^\pi \bmod n$$. Then, it adapts the opening by computing $$m=k\pi +\bar{m}$$ for $$0\le \bar{m} <\pi$$ and $$t=g^kh_0^r \bmod n$$. It outputs $$(\bar{m},t)$$;

• $$\mathsf {Verify}'(\mathsf {pp},\pi ,c,\bar{m},t)$$ outputs 1 if $$c=g^{\bar{m}}t^{\pi } \bmod n$$, and 0 otherwise.

This construction easily extends to commitments of vectors. Note that from $$g^{\bar{m}} t^{\pi } = c = g^{\bar{m}'} {t'}^{\pi } \bmod n$$, with $$\bar{m}\ne \bar{m}'\bmod \pi$$, setting $$h_0=y^2$$ from an $$\textsf {RSA}$$ challenge (ny) of exponent $$\pi >2^\kappa$$, we obtain $$y^{2\rho (\bar{m} - \bar{m}')} = (t'/t)^\pi \bmod n$$, with $$2\rho (\bar{m} - \bar{m}')\ne 0 \bmod \pi$$, which leads to the $$\pi$$-th root of y modulo n (using Fact 5 from Proposition 1).

Switching Between Commitments. Let $$\textsf {com}$$ denote the Damgård-Fujisaki integer commitment scheme, such that $$\textsf {com} (m;r)=g^mh^r\bmod n$$, and $$\textsf {com} _\pi$$ denote the Gennaro commitment scheme, such that $$\textsf {com} _\pi (m;R)=g^mR^\pi \bmod n$$. On the one-hand, only $$\textsf {com}$$ leads to proof of relations over the integers. On the other hand, $$\textsf {com} _\pi$$ leads to much more efficient proofs of relation modulo $$\pi$$. The above commitment with knowledge-delayed order allows generating $$\mathsf {pp} =(n,g,h)$$ so that $$c = \textsf {com} (m;r) = g^m h^r \bmod n$$ can be switched into
\begin{aligned} c = \textsf {com} _\pi (\mathfrak {r} _\pi (m); g^{\mathfrak {q} _\pi (m)} h_0^r), \end{aligned}
(1)
where $$\mathfrak {q} _\pi (m)$$ and $$\mathfrak {r} _\pi (m)$$ denote the quotient and remainder of the euclidean division of m by $$\pi$$. This switching allows to keep some good properties over the integers and working modulo $$\pi$$ since $$\mathsf {pp}$$ gives no information about $$\pi$$ until the verifier reveals $$(\pi ,h_0)$$.

### 6.3 Improving Zero-Knowledge Arguments over the Integers

The commitment with knowledge-delayed order provides a new technique to zero-knowledge arguments for statements over the integers, while working modulo $$\pi$$. This technique leads to more efficient membership arguments, with a lower communication and a smaller verifier computation (some part of the cost is delegated to the prover). We restrict our attention to statements that can be expressed as membership to a set $$S \in \mathbf {D}$$. The protocol we describe is honest-verifier zero-knowledge. At the end of the section we recall standard methods to get full-fledged zero-knowledge.

Membership Argument for D. Given $$S \in \mathbf {D}$$, let $$P_S$$ be a representing polynomial with k-vector input and $$\ell$$-vector witness (e.g., if S is the set of positive integers, $$P_S:(x,w_1,w_2,w_3,w_4) = x - (\sum _i w_i^2)$$). We assume $$\mathscr {P}$$ and $$\mathscr {V}$$ agreed on a bound t such that each $$\varvec{x} \in S$$ has a witness $$\varvec{w}$$ such that $$\Vert \varvec{w} \Vert _\infty \le \Vert \varvec{x} \Vert _\infty ^{t}$$ ($$S \in \mathbf {D}$$, so there is always such a t. As shown in [36], $$t < 2$$ is sufficient for most cryptographic applications).

Let $$\varvec{x}$$ be a secret vector held by $$\mathscr {P}$$, and $$\varvec{w}$$ be a witness for $$\varvec{x} \in S$$, meaning that $$P_S(\varvec{x},\varvec{w}) = 0$$. Zero-knowledge argument for polynomial relations over committed inputs usually demands committing to intermediate values, and proving additive and multiplicative relationships with the inputs, see e.g. [9]. To prove a multiplicative relationship $$z=xy$$ between values (xyz) committed in $$(c_x,c_y,c_z)$$, $$\mathscr {P}$$ proves knowledge of inputs (xyz) and random coins $$(r_x,r_y,r_z)$$ such that $$c_x = g^xr_x^\pi \bmod n$$, $$c_y = g^yr_y^\pi \bmod n$$, and $$c_z = c_x^y r_z^\pi$$.

We almost follow this principle except that we use the commitment scheme of Sect. 6.2 to switch from $$\textsf {com}$$ to $$\textsf {com} _\pi$$ once $$\mathscr {P}$$ proved knowledge of both $$\varvec{x}$$ and $$\varvec{w}$$ over the integers. Proving $$P_S(\varvec{x},\varvec{w}) = 0$$ over the integers is then replaced by proving $$P_S(\varvec{x},\varvec{w}) = 0$$ modulo $$\pi$$.

Argument of knowledge of the inputs and witnesses.
1. 1.

$$\mathscr {V}$$ runs the setup from the Sect. 6.2, which generates $$\mathsf {pp} =(n,g,h)$$ and $$\mathsf {sk} =(\pi ,h_0)$$: this defines $$\textsf {com}: (x;r) \mapsto g^x h^r \bmod n$$. It additionally proves the existence of $$\alpha$$ such that $$g = h^\alpha \bmod n$$;

2. 2.

$$\mathscr {P}$$ picks random coins $$(\varvec{r_x},\varvec{r_w})$$ and commits to $$(\varvec{x},\varvec{w})$$ with $$(\varvec{r_x},\varvec{r_w})$$ as $$(\varvec{c_x},\varvec{c_w}) \leftarrow (\textsf {com} (\varvec{x};\varvec{r_x}),\textsf {com} (\varvec{w};\varvec{r_w}))$$;

3. 3.

$$\mathscr {P}$$ performs a $$\textsf {ZKAoK} \{(\varvec{x},\varvec{w},\varvec{r_x},\varvec{r_w}) \mid \varvec{c_x} = g^{\varvec{x}}h^{\varvec{r_x}} \wedge \varvec{c_w} = g^{\varvec{w}}h^{\varvec{r_w}}\}$$, we thereafter refer to $$\textsf {ZK} _1$$, with $$\mathscr {V}$$. If the argument fails, $$\mathscr {V}$$ aborts the protocol.

Argument of knowledge of $$(\varvec{x'},\varvec{w'})$$ such that $$P_S(\varvec{x'},\varvec{w'}) = 0 \bmod \pi$$.
1. 1.

$$\mathscr {V}$$ reveals $$(\pi ,h_0)$$ to $$\mathscr {P}$$ who checks whether $$h = h_0^\pi \bmod n$$ or not, to switch to $$\textsf {com} _\pi$$. Let $$(\varvec{x}', \varvec{w}') = (\mathfrak {r} _\pi (\varvec{x}),\mathfrak {r} _\pi (\varvec{w})) = (\varvec{x},\varvec{w}) \bmod \pi$$.

2. 2.

$$\mathscr {P}$$ performs a $$\textsf {ZKAoK} \{(\varvec{x}', \varvec{w}',\varvec{R_x}, \varvec{R_w})\}$$, we thereafter refer to $$\textsf {ZK} _2$$, such that $$(\varvec{c_x},\varvec{c_w}) = (\textsf {com} _\pi (\varvec{x};\varvec{R_x}), \textsf {com} _\pi (\varvec{w};\varvec{R_w}))$$ and $$P_S(\varvec{x},\varvec{w}) = 0 \bmod \pi$$. Note that $$(\varvec{c_x},\varvec{c_w})$$ are now seen as commitments over $$\mathbb {Z}_\pi$$, using the fact that $$\textsf {com} (\varvec{x};\varvec{r_x}) = \textsf {com} _\pi (\mathfrak {r} _\pi (\varvec{x}); \varvec{R_x})$$ and $$\textsf {com} (\varvec{w};\varvec{r_w}) = \textsf {com} _\pi (\mathfrak {r} _\pi (\varvec{w}); \varvec{R_w})$$, with appropriate $$(\varvec{R_x},\varvec{R_w})$$. If the argument succeeds, $$\mathscr {V}$$ returns $$\mathsf {accept}$$.

### Theorem 4

Under the RSA assumption, the above protocol is a statistical zero-knowledge argument of knowledge of openings of $$(\varvec{c_x},\varvec{c_w})$$ to vectors of integers $$(\varvec{x},\varvec{w})$$ such that $$P_S(\varvec{x},\varvec{w})=0$$: which proves that $$\varvec{x} \in S$$.

### Proof

The intuition behind Theorem 4 is that $$\textsf {ZK} _1$$ proves that $$\mathscr {P}$$ knows $$(\varvec{x},\varvec{w})$$ in $$(\varvec{c_x},\varvec{c_w})$$, and $$\textsf {ZK} _2$$ proves that $$P_S(\varvec{x},\varvec{w}) = 0 \bmod \pi$$ for a $$\kappa$$-bit prime $$\pi$$ which was revealed after $$(\varvec{x},\varvec{w})$$ were committed. Hence, $$\mathscr {P}$$ knew vectors of integer $$(\varvec{x},\varvec{w})$$ such that $$P_S(\varvec{x},\varvec{w}) = 0 \bmod \pi$$ for a random $$\kappa$$-bit prime $$\pi$$. This has a negligible probability to happen unless $$P_S(\varvec{x},\varvec{w}) = 0$$ holds over the integers, since $$P_S$$ is a polynomial. The full proof consists of the three properties: correctness, zero-knowledge, and knowledge-extractability.

Correctness. It easily follows from the correctness of $$\textsf {ZK} _1$$ and $$\textsf {ZK} _2$$: if $$\mathscr {P}$$ knows $$(\varvec{x},\varvec{w},\varvec{r_x},\varvec{r_w})$$ such that $$(\varvec{c_x},\varvec{c_w}) = (\textsf {com} (\varvec{x};\varvec{r_x}), \textsf {com} (\varvec{w};\varvec{r_w}))$$ and $$P_S(\varvec{x}, \varvec{w})=0$$, then the argument of knowledge of $$(\varvec{x},\varvec{r_x})$$ such that $$\varvec{c_x} = \textsf {com} (\varvec{x};\varvec{r_x})$$ will succeed, and it holds that $$(\varvec{c_x},\varvec{c_w}) = (\textsf {com} _\pi (\varvec{x}\bmod \pi ;v^{\mathfrak {q} _\pi (\varvec{x})}\tilde{h} ^{\varvec{r_x}}), \textsf {com} _\pi (\varvec{w}\bmod \pi ;v^{\mathfrak {q} _\pi (\varvec{x})}\tilde{h} ^{\varvec{r_x}}))$$. Moreover, as $$P_S$$ is a polynomial, the modular reduction applies, and leads to $$P_S(\varvec{x} \bmod \pi ,\varvec{w} \bmod \pi ) = P_S(\varvec{x}, \varvec{w}) = 0 \bmod \pi$$.

Zero-Knowledge. It also follows from the zero-knowledge of $$\textsf {ZK} _1$$ and $$\textsf {ZK} _2$$, and the hiding property of the commitments. Let $$\mathscr {S}\!\textit{im}_\mathsf {ZK}$$ be the following simulator: one first generates dummy commitments $$(\varvec{c_x},\varvec{c_w})$$, which does not make any difference under the hiding property, and runs the simulator of $$\textsf {ZK} _1$$. Once $$(\pi ,h_0)$$ is revealed, $$\mathscr {S}\!\textit{im}_\mathsf {ZK}$$ runs the simulator of $$\textsf {ZK} _2$$.

Since the commitment is statistically hiding, $$\textsf {ZK} _1$$ is our statistically zero-knowledge argument of knowledge of opening from Sect. 3 and $$\textsf {ZK} _2$$ is an argument of relations on commitments with known order $$\pi$$ (since $$h = h_0^\pi \bmod n$$) that is possible in statistical zero-knowledge, the full protocol is statistically zero-knowledge.

Knowledge Extractability. Let outputing a convincing argument with probability $$\varepsilon$$, i.e. succeeds in $$\textsf {ZK} _1$$ and $$\textsf {ZK} _2$$ with probability greater than $$\varepsilon$$.

Under the $$\textsf {RSA}$$ assumption, there is an extractor of $$\textsf {ZK} _1$$ which computes $$(\varvec{x},\varvec{w},\varvec{r_x},\varvec{r_w})$$ such that $$\varvec{c_x} = g^{\varvec{x}}h^{\varvec{r_x}}$$ and $$\varvec{c_w} = g^{\varvec{w}}h^{\varvec{r_w}}$$. Then, $$(\pi , h_0)$$ is revealed in the protocol and still under the $$\textsf {RSA}$$ assumption, there is another extractor of $$\textsf {ZK} _2$$ which computes $$(\varvec{x}', \varvec{w}', \varvec{R_x},\varvec{R_w})$$ such that both relations $$(\varvec{c_x},\varvec{c_w}) = (\textsf {com} _{\pi }(\varvec{x}';\varvec{R_x}), \textsf {com} _{\pi }(\varvec{w}';\varvec{R_w}))$$ and $$P_S(\varvec{x}',\varvec{w}') = 0 \bmod \pi$$ are satisfied. Now, let us consider two situations:
• If $$\varvec{x}' = \varvec{x} \bmod \pi$$ and $$\varvec{w}' = \varvec{w} \bmod \pi$$, then the value committed over the integers, before $$\pi$$ was revealed, satisfy $$P_S(\varvec{x},\varvec{w}) = 0 \bmod \pi$$, for a random $$\pi \in \mathopen {[\![}2^{\kappa +1}\mathclose {}\mathpunct {};2^{\kappa +2}\mathclose {]\!]}$$. We stress that the view of (ngh) does not reveal any information on the prime $$\pi$$.

Since there are approximately $$2^{\kappa +1}/\kappa$$ primes in this set, and this extraction works with probability greater than $$\varepsilon ^2$$, $$P_S(\varvec{x},\varvec{w}) = 0 \bmod Q$$, for $$Q \ge 2^{2^\kappa /\varepsilon ^2}$$, which is much larger than the values that can be taken in the integers, since the inputs and the witnesses have a size polynomial in $$\kappa$$, and the polynomial $$P_S$$ has a bounded degree.

• If $$\varvec{x}' \ne \varvec{x} \bmod \pi$$ or $$\varvec{w}' \ne \varvec{w} \bmod \pi$$, wlog, we can assume that $$\varvec{x}' \ne \varvec{x} \bmod \pi$$:
• we get $$(\varvec{x},\varvec{r_x})$$ such that $$\varvec{c_x} = \pm g^{\varvec{x}}h^{\varvec{r_x}} = g^{\mathfrak {r} _\pi (\varvec{x})}(\pm g^{\mathfrak {q} _\pi (\varvec{x})} h_0^{\varvec{r_x}})^\pi \bmod n$$;

• and $$(\varvec{x}', \varvec{R_x})$$ such that $$\varvec{c_x} = g^{\varvec{x}'}\varvec{R_x}^\pi \bmod n$$.

Hence, $$g^{\mathfrak {r} _\pi (\varvec{x})} (\pm g^{\mathfrak {q} _\pi (\varvec{x})} h_0^{\varvec{r_x}})^\pi = g^{\varvec{x}'}\varvec{R_x}^\pi \bmod n$$, and so $$g^{\mathfrak {r} _\pi (\varvec{x}) - \varvec{x}'} = S^\pi \bmod n$$, for $$S = \varvec{R_x}/(\pm g^{\mathfrak {q} _\pi (\varvec{x})} h_0^{\varvec{r_x}}) \bmod n$$. If one would have set $$h_0=y^2$$ from an $$\textsf {RSA}$$ challenge $$(n,y,\pi )$$ of exponent $$\pi >2^\kappa$$, and thus $$g=y^{2\rho }$$, using Fact 5 from Proposition 1, one gets the $$\pi$$-th root of y modulo n.

This concludes the proof of the knowledge-extractability of the protocol, under the $$\textsf {RSA}$$ assumption over $$\mathbb {Z}_n$$.    $$\square$$

On the Efficiency of the Method. The advantages of this method compared to the classical method are twofold. First, most of the work in the protocol comes from the computation of exponentiations; and our technique transfers most of this work from $$\mathscr {V}$$ to $$\mathscr {P}$$. This comes from the fact that verifying an equation such as $$\varvec{c} = \textsf {com} (x;r)$$ involves exponentiations by integers of size $$O(\log n + \kappa )$$ while verifying the equation $$\varvec{c} = \textsf {com} _\pi (x\bmod \pi ;R)$$ involves only two exponentiations by $$\kappa$$-bit values, which greatly reduces ’s work. However, to switch from $$\textsf {com}$$ to $$\textsf {com} _\pi$$ $$\mathscr {P}$$ has to adapt the opening as in (1) of Sect. 6.2, which costs exponentiations by integers of size $$O(\log n + \kappa )$$ to compute the random coin R. $$\mathscr {V}$$ will still need to perform exponentiations by integers during $$\textsf {ZK} _1$$, but his work during this step can be made essentially independent of the number N of inputs and witnesses (up to a small $$\log N$$ additive term) and completely independent of the degree of the representing polynomial.

Second, our method separates the argument of knowledge of inputs to a Diophantine equation from the argument that they do indeed satisfy the equation. The arguments of knowledge of an opening of a commitment can be very efficiently batched: if $$\mathscr {P}$$ commits to $$(x_1, \cdots , x_N)$$ with random coins $$(r_1, \cdots , r_N)$$ as $$(c_1, \cdots , c_N)$$, the verifier can simply send a random seed $$\lambda \leftarrow _R\{0,1\}^\kappa$$ from which both players compute $$(\lambda _1, \cdots , \lambda _N)$$ using a pseudo-random generator2. Then, $$\mathscr {P}$$ performs a single argument of knowledge of an opening $$(\sum _i \lambda _i x_i; \sum _i \lambda _i r_i)$$ of the commitment $$\prod _i c_i^{\lambda _i}$$ (see [5, 6] for more details). Therefore, when performing multiple membership arguments, $$\mathscr {P}$$ and $$\mathscr {V}$$ will have to perform a single argument for $$\textsf {ZK} _1$$ (of size essentially independent of the number of committed values).

In general, the higher the degree of the representing polynomial is, the lower will be the communication with our method. Still, we show in the next section that even for the case of range proofs, which is a membership proof to a Diophantine set whose representing polynomial is of degree 2, our method provides efficiency improvements.

Further Improvements. $$\mathscr {V}$$ can set h to $$h_0^{\prod _i\pi _i}$$ for several primes $$\pi _i$$ instead of $$h_0^\pi$$. For some integer i, let $$p_i \leftarrow \prod _{j\ne i}\pi _j$$. Doing so allows $$\mathscr {V}$$ to reveal $$(h_0^{p_i}, \pi _i)$$ instead of $$(h_0,\pi )$$ in our method. Hence, in addition to allowing arbitrary parallel arguments with a single prime $$\pi$$, a single setting is sufficient to perform a polynomial number of sequential arguments (fixed in advance) with different primes $$\pi _i$$. In addition, we explained that commitments with knowledge-delayed order allow splitting the arguments of knowledge of the witnesses, denoted $$\textsf {ZK} _1$$, and the argument that they indeed belong to a Diophantine set, denoted $$\textsf {ZK} _2$$. The arguments $$\textsf {ZK} _1$$ can be batched as described above but, for efficiency reason, we should not generate $$(\lambda _1,\lambda _2 \ldots , \lambda _N)$$ as $$(\lambda ,\lambda ^2,\ldots ,\lambda ^N)$$. Indeed, $$\vert \lambda ^j \vert _b$$ grows linearly with j over the integers. However, for the argument $$\textsf {ZK} _2$$, the order of the commitment has been revealed. Hence, we can now use batching technique with such $$\lambda _j=\lambda ^j$$ since the prover is able to reduce the exponents modulo $$\pi$$ at this stage. That means that our technique consisting of efficiently revealing the order of the commitment between $$\textsf {ZK} _1$$ and $$\textsf {ZK} _2$$ allows to use any method that crucially relies on batching coefficients expressed as powers of some $$\lambda$$, that were only available for discrete-log based proofs of statement over (pairing-free) known-order groups. For instance, we can get a sub-linear size argument to show that a committed matrix is the Hadamard products over the integers of two other committed matrices. Indeed, we can commit the rows of the matrices using a generalized commitment and make a batch proof for $$\textsf {ZK} _1$$, which remain sub-linear in the number of entries, and then we can import the results of [4, 26] to $$\textsf {ZK} _2$$, preserving its sub-linearity.

Full-Fledged Zero-Knowledge. With an honest verifier, there is no need to prove the existence of $$\alpha$$ such that $$g=h^\alpha$$. In the malicious setting, this proof guarantees the hiding property of the commitments to the prover, who additionally checks $$h=h_0^\pi \bmod n$$ when they are revealed. Then we can use classical techniques to convert the HVZK protocol into a ZK protocol, such as an equivocable commitment of the challenge by the verifier, before the commitments from the prover.

## 7 Application to Range Proofs

### 7.1 Lipmaa’s Compact Argument for Positivity

As explained before, Lipmaa [36] proposed an efficient argument for positivity, using generalized Damgård-Fujisaki commitments, and the proof that an integer is positive if and only if it can be written as the sum of four squares. However, it appears that the explicit construction given in [36, annex B] is flawed — although the high-level description is correct: any prover can provide a convincing argument for positivity, regardless of the sign of the committed integer, and so without holding valid witnesses. This might raise some concerns as the protocol of Lipmaa is the “textbook” range proof based on hidden order groups. Hence the protocol is suggested in several papers, and was implemented in e.g. [2]. In the full version [19], we recall the argument of [36], identify its flaw, and provide a correct optimized version with a full proof of security.

In the following, we describe a range proof in the same vein as the positivity argument of Lipmaa: an integer x belongs to an interval $$\mathopen {[\![}a\mathclose {}\mathpunct {};b\mathclose {]\!]}$$ if and only if $$(x-a)(b-x) \ge 0$$. In addition, we take into account the following improvement suggested by Groth [25]: x is positive if and only if $$4x+1$$ can be written as the sum of three squares, and such a decomposition can be computed in polynomial time by the prover. We view this range proof (we call the three-square range proof, and denote it $$\mathsf {3SRP}$$) as an optimized version of the textbook range proof with integer commitments, to which we will compare our new method with knowledge-delayed order commitments (denoted $$\mathsf {3SRP}\text {-}\mathsf {KDO}$$).

### 7.2 Three-Square Range Proof

To prove that $$x\in \mathopen {[\![}a\mathclose {}\mathpunct {};b\mathclose {]\!]}$$, for x committed with an integer commitment scheme, we prove that $$4(x-a)(b-x) + 1$$ can be written as the sum of three squares. Let (ngh) be the public parameters of the Damgård-Fujisaki commitment scheme, generated by the verifier. The three-square range proof ($$\mathsf {3SRP}$$) is described in full details on Fig. 2. Basically, both $$\mathscr {P}$$ and $$\mathscr {V}$$ know that $$c_a$$ contains $$4(x-a)$$ and $$c_0$$ contains $$(b-x)$$. The latter, with $$c_1, c_2, c_3$$ containing respectively $$x_1,x_2,x_3$$, is proven in a classical way, and the last part of the proof shows that $$c_a^{x_0} g$$, which implicitly contains $$4(x-a)(b-x)+1$$ also contains $$x_1^2+x_2^2+x_3^2$$.
We then illustrate the technique introduced in Sect. 6.3 on this $$\mathsf {3SRP}$$ protocol. The full converted protocol, denoted $$\mathsf {3SRP}\text {-}\mathsf {KDO}$$, is described on Fig. 3.

### 7.3 Results

Let $$B = \log (b-a)$$. Note that for all $$i \in \{0,1,2,3\}$$, $$x_i^2 \le (b-a)^2$$ hence $$\log x_i \le B$$. An exponentiation by a t-bit value takes on average 1.5t multiplications using a square-and-multiply algorithm; we do not take into account possible optimizations from multi-exponentiation algorithms.
Table 1.

Complexities of $$\mathsf {3SRP}$$ and $$\mathsf {3SRP}\text {-}\mathsf {KDO}$$

$$\mathsf {3SRP}$$

$$\mathsf {3SRP}\text {-}\mathsf {KDO}$$

Communication

$$N(8 \log n + 18\kappa + 5B) + 3\kappa$$

$$N(8\log n + 4\kappa ) + 10\kappa + 2\log n + B + \log N$$

Prover’s work

$$1.5 N(8\log n + 12B + 26\kappa + \log a)$$

$$1.5(N(13\log n + 13B + 18\kappa + \log a) + \log n + B + 6\kappa + \log N)$$

Verifier’s work

$$1.5(N(5\log n + 9B + 30\kappa + \log a + \log b) + \kappa )$$

$$1.5(N(12\kappa + \log a + \log b) + \log n + B + 10\kappa + \log N)$$

Table 1 sums up the communication complexity and the computational complexity of both the $$\mathsf {3SRP}$$ and the $$\mathsf {3SRP}\text {-}\mathsf {KDO}$$ arguments for the execution of N parallel range proofs on the same interval $$\mathopen {[\![}a\mathclose {}\mathpunct {};b\mathclose {]\!]}$$, as classical batch techniques [5, 6] allow to batch arguments of knowledge. Note that we omit constant terms. The communication is given in bits, while the work is given as a number of multiplications of elements of $$\mathsf {QR}_n$$. When comparing the work of the prover, we also omit the cost of the decomposition in sum of squares, as it is the same in both protocols. Similarly, we omit the cost of the initial proof of $$g=h^\alpha \bmod n$$ by the verifier to the prover.

Efficiency Analysis. We now provide a detailed comparison between the $$\mathsf {3SRP}$$ and the $$\mathsf {3SRP}\text {-}\mathsf {KDO}$$ protocols. We set the order of the modulus n to 2048 bits and the security parameter $$\kappa$$ to 128. As the communication of the protocols does also depend on the bound $$2^B$$ on the size of the interval, we consider various bounds in our estimation. For the sake of simplicity, we assume $$B = \log b$$. We evaluate the overhead of the $$\mathsf {3SRP}\text {-}\mathsf {KDO}$$ with respect to $$\mathsf {3SRP}$$, computed as $$100\times (\mathsf {cost} (\mathsf {3SRP}\text {-}\mathsf {KDO})-\mathsf {cost} (\mathsf {3SRP}))/\mathsf {cost} (\mathsf {3SRP})$$, $$\mathsf {cost}$$ being either a number of bits exchanged, or a number of exponentiations.

Small Intervals and Large Intervals. As pointed out in [11], several practical applications of range proofs, such as e-voting [25] and e-cash [12], involve quite small intervals (say, of size at most $$2^{30}$$, and so $$B \le 30$$). However, in numerous cryptographic schemes, range proofs on very large intervals are involved. Examples include anonymous credentials [13], mutual private set intersection protocols [35], secure generation of RSA keys [21, 33], zero-knowledge primality tests [14], and some protocols for performing non-arithmetic operations on Paillier ciphertexts [18, 28]. In such protocols, B typically range from 1024 to 8000. We note that such intervals are exactly the ones for which range proofs based on groups of hidden order are likely to be used, since for small intervals, protocols based on some u-ary decomposition of the input [11, 27] will in general have better performances (essentially because they avoid the need of the Rabin-Shallit algorithm, which is computationally involved).
Table 2.

Comparison between the $$\mathsf {3SRP}$$ and the $$\mathsf {3SRP}\text {-}\mathsf {KDO}$$

$$B= 30, N = 1$$

$$+16\%$$

$$+60.2\%$$

$$-66\%$$

$$B= 1024, N = 1$$

$$-3.7\%$$

$$+44\%$$

$$-71.7\%$$

$$B=2048, N = 1$$

$$-17\%$$

$$+36.4\%$$

$$-74.1\%$$

$$B= 30, N = 10$$

$$-7.6\%$$

$$+47.5\%$$

$$-86.8\%$$

$$B= 1024, N = 10$$

$$-26.5\%$$

$$+33.2\%$$

$$-87.7\%$$

$$B=2048, N = 10$$

$$-39.1\%$$

$$+26.5\%$$

$$-88\%$$

This is for various interval sizes ($$2^B)$$ and numbers N of parallel executions

Comparisons. Table 2 gives a summary of our results. As already noted, the overhead of the work of the prover in $$\mathsf {3SRP}\text {-}\mathsf {KDO}$$ is measured by comparing the works without considering the cost of the Rabin-Shallit algorithm; the latter one, however, is by far the dominant cost when B is large (as it runs in expected $$O(B^2\log B\cdot M(\log B))$$ time, where $$M(\log B)$$ is the time taken to perform a multiplication of $$(\log B)$$-bit integers). Therefore, for a large B, the overhead of the work of the prover in $$\mathsf {3SRP}\text {-}\mathsf {KDO}$$ is very small, whereas there is a huge gain for the verifier. As expected, the $$\mathsf {3SRP}\text {-}\mathsf {KDO}$$ protocol provides interesting performances in settings where the verifier is computationally weak (e.g. in secure Cloud computing), and/or multiples range proofs are likely to be used in parallel, and/or the intervals are large.

## Footnotes

1. 1.

It should be noted that in our proof, the bound a will depend on the success probability of the adversary.

2. 2.

The classical trick that consists of using $$\lambda _i = \lambda ^i$$ is not efficient here since we are in the integers, and so no reduction can be applied.

## Notes

### Acknowledgments

This work has been partially done while the second author was at ENS. This work was supported in part by the European Research Council under the European Community’s Seventh Framework Programme (FP7/2007-2013 Grant Agreement no. 339563 – CryptoCloud).

## References

1. 1.
Adleman, L., Manders, K.: Diophantine complexity. In: Proceedings of the 17th Annual Symposium on Foundations of Computer Science, SFCS 1976, pp. 81–88 (1976). http://dx.doi.org/10.1109/SFCS.1976.13
2. 2.
Adelsbach, A., Rohe, M., Sadeghi, A.-R.: Non-interactive watermark detection for a correlation-based watermarking scheme. In: Dittmann, J., Katzenbeisser, S., Uhl, A. (eds.) CMS 2005. LNCS, vol. 3677, pp. 129–139. Springer, Heidelberg (2005). doi:
3. 3.
Barić, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997). doi:
4. 4.
Bayer, S., Groth, J.: Efficient zero-knowledge argument for correctness of a shuffle. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 263–280. Springer, Heidelberg (2012). doi:
5. 5.
Bellare, M., Garay, J.A., Rabin, T.: Batch verification with applications to cryptography and checking. In: Lucchesi, C.L., Moura, A.V. (eds.) LATIN 1998. LNCS, vol. 1380, pp. 170–191. Springer, Heidelberg (1998). doi:
6. 6.
Bellare, M., Garay, J.A., Rabin, T.: Fast batch verification for modular exponentiation and digital signatures. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 236–250. Springer, Heidelberg (1998). doi:
7. 7.
Böhl, F., Hofheinz, D., Jager, T., Koch, J., Seo, J.H., Striecks, C.: Practical signatures from standard assumptions. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 461–485. Springer, Heidelberg (2013). doi:
8. 8.
Boudot, F.: Efficient proofs that a committed number lies in an interval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000). doi:
9. 9.
Bresson, E., Stern, J.: Proofs of knowledge for non-monotone discrete-log formulae and applications. In: Chan, A.H., Gligor, V. (eds.) ISC 2002. LNCS, vol. 2433, pp. 272–288. Springer, Heidelberg (2002). doi:
10. 10.
Brickell, E.F., Chaum, D., Damgård, I., van de Graaf, J.: Gradual and verifiable release of a secret. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 156–166. Springer, Heidelberg (1988)Google Scholar
11. 11.
Camenisch, J., Chaabouni, R., shelat, A.: Efficient protocols for set membership and range proofs. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 234–252. Springer, Heidelberg (2008). doi:
12. 12.
Camenisch, J., Hohenberger, S., Lysyanskaya, A.: Compact e-cash. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 302–321. Springer, Heidelberg (2005). doi:
13. 13.
Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001). doi:
14. 14.
Camenisch, J., Michels, M.: Proving in zero-knowledge that a number is the product of two safe primes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 107–122. Springer, Heidelberg (1999). doi:
15. 15.
Camenisch, J., Michels, M.: Separability and efficiency for generic group signature schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 413–430. Springer, Heidelberg (1999). doi:
16. 16.
Canard, S., Coisel, I., Traoré, J.: Complex zero-knowledge proofs of knowledge are easy to use. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 122–137. Springer, Heidelberg (2007). doi:
17. 17.
Chan, A.H., Frankel, Y., Tsiounis, Y.: Easy come - easy go divisible cash. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 561–575. Springer, Heidelberg (1998)Google Scholar
18. 18.
Couteau, G., Peters, T., Pointcheval, D.: Encryption switching protocols. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 308–338. Springer, Heidelberg (2016). doi:
19. 19.
Couteau, G., Peters, T., Pointcheval, D.: Removing the strong RSA assumption from arguments over the integers. Cryptology ePrint Archive, Report 2016/128 (2016). http://eprint.iacr.org/2016/128
20. 20.
Damgård, I., Fujisaki, E.: A statistically-hiding integer commitment scheme based on groups with hidden order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002). doi:
21. 21.
Damgård, I., Mikkelsen, G.L.: Efficient, robust and constant-round distributed rsa key generation. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 183–200. Springer, Heidelberg (2010). doi:
22. 22.
Davis, M., Putnam, H., Robinson, J.: The decision problem for exponential diophantine equations. Ann. Math. 72, 425–436 (1961)
23. 23.
Fujisaki, E., Okamoto, T.: Statistical zero knowledge protocols to prove modular polynomial relations. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 16–30. Springer, Heidelberg (1997). doi:
24. 24.
Gennaro, R.: Multi-trapdoor commitments and their applications to proofs of knowledge secure under concurrent man-in-the-middle attacks. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 220–236. Springer, Heidelberg (2004). doi:
25. 25.
Groth, J.: Non-interactive zero-knowledge arguments for voting. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 467–482. Springer, Heidelberg (2005). doi:
26. 26.
Groth, J.: Linear algebra with sub-linear zero-knowledge arguments. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 192–208. Springer, Heidelberg (2009). doi:
27. 27.
Groth, J.: Efficient zero-knowledge arguments from two-tiered homomorphic commitments. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 431–448. Springer, Heidelberg (2011). doi:
28. 28.
Guajardo, J., Mennink, B., Schoenmakers, B.: Modulo reduction for paillier encryptions and application to secure statistical analysis. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 375–382. Springer, Heidelberg (2010). doi:
29. 29.
Hofheinz, D., Jager, T., Kiltz, E.: Short signatures from weaker assumptions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 647–666. Springer, Heidelberg (2011). doi:
30. 30.
Hohenberger, S., Waters, B.: Short and stateless signatures from the RSA assumption. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 654–670. Springer, Heidelberg (2009). doi:
31. 31.
Jarecki, S., Kiayias, A., Krawczyk, H.: Round-optimal password-protected secret sharing and T-PAKE in the password-only model. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 233–253. Springer, Heidelberg (2014). doi: Google Scholar
32. 32.
Jarecki, S., Shmatikov, V.: Efficient two-party secure computation on committed inputs. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 97–114. Springer, Heidelberg (2007). doi:
33. 33.
Juels, A., Guajardo, J.: RSA key generation with verifiable randomness. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 357–374. Springer, Heidelberg (2002). doi:
34. 34.
Kiayias, A., Tsiounis, Y., Yung, M.: Traceable signatures. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 571–589. Springer, Heidelberg (2004). doi:
35. 35.
Kim, M., Lee, H.T., Cheon, J.H.: Mutual private set intersection with linear complexity. In: Jung, S., Yung, M. (eds.) WISA 2011. LNCS, vol. 7115, pp. 219–231. Springer, Heidelberg (2012). doi:
36. 36.
Lipmaa, H.: On diophantine complexity and statistical zero-knowledge arguments. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 398–415. Springer, Heidelberg (2003). doi:
37. 37.
Lipmaa, H., Asokan, N., Niemi, V.: Secure vickrey auctions without threshold trust. Cryptology ePrint Archive, Report 2001/095 (2001). http://eprint.iacr.org/2001/095
38. 38.
Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). doi:
39. 39.
Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996). doi:
40. 40.
Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptology 13(3), 361–396 (2000)
41. 41.
Pollett, C.: On the bounded version of hilbert’s tenth problem. Arch. Math. Log. 42(5), 469–488 (2003). http://dx.doi.org/10.1007/s00153-002-0162-y
42. 42.
Rabin, M.O., Shallit, J.O.: Randomized algorithms in number theory. Commun. Pure Appl. Math. 39(S1), S239–S256 (1986). http://dx.doi.org/10.1002/cpa.3160390713
43. 43.
Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signature and public-key cryptosystems. Commun. Assoc. Comput. Mach. 21(2), 120–126 (1978)

© International Association for Cryptologic Research 2017

## Authors and Affiliations

• Geoffroy Couteau
• 1
Email author
• Thomas Peters
• 2
• David Pointcheval
• 1
1. 1.CNRS, INRIA, ENS/PSL Research UniversityParisFrance
2. 2.FNRS and UCLouvainLouvain-la-NeuveBelgium