
Removing the Strong RSA Assumption from Arguments over the Integers

  • Geoffroy Couteau
  • Thomas Peters
  • David Pointcheval
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10211)

Abstract

Committing integers and proving relations between them is an essential ingredient in many cryptographic protocols. Among them, range proofs have been shown to be fundamental. They consist of proving that a committed integer lies in a public interval, which can be seen as a particular case of the more general Diophantine relations: for the committed vector of integers \(\mathbf{x}\), there exists a vector of integers \(\mathbf{w}\) such that \(P(\mathbf{x},\mathbf{w})=0\), where \(P\) is a polynomial.

In this paper, we revisit the security strength of the statistically hiding commitment scheme over the integers due to Damgård-Fujisaki, and the zero-knowledge proofs of knowledge of openings. Our first main contribution shows how to remove the Strong RSA assumption and replace it by the standard RSA assumption in the security proofs. This improvement naturally extends to generalized commitments and more complex proofs without modifying the original protocols.

As a second contribution, we design an interactive technique turning a commitment scheme over the integers into a commitment scheme modulo a prime \(p\). Still under the RSA assumption, this results in more efficient proofs of relations between committed values. Our methods thus improve upon existing proof systems for Diophantine relations both in terms of performance and security. We illustrate this with more efficient range proofs under the sole RSA assumption.
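The abstract describes range proofs as a special case of a Diophantine relation \(P(\mathbf{x},\mathbf{w})=0\) over integers committed with a Damgård-Fujisaki-style commitment. The following added example (not code from the paper) builds a toy commitment \(g^x h^r \bmod n\) and encodes \(a \le x \le b\) with the classical four-square encoding (Lagrange's theorem), which the abstract does not spell out; the modulus, generators and trapdoor exponent are constructed placeholders, not secure parameters.

```python
import math

# Toy Damgard-Fujisaki-style integer commitment in Z_n^*. Parameters are CONSTRUCTED:
# a real setup uses a ~2048-bit n whose factorisation nobody (prover included) knows.
P_TOY, Q_TOY = 1000000007, 998244353     # constructed small primes
N = P_TOY * Q_TOY
H = 9                                    # a quadratic residue mod n
G = pow(H, 123456789, N)                 # g must lie in <h>; exponent is setup's trapdoor

def commit(x: int, r: int) -> int:
    """C = g^x * h^r mod n; x is any integer (negatives allowed), r is random."""
    return (pow(G, x, N) * pow(H, r, N)) % N

def shifted_commitment(c: int, a: int) -> int:
    """Verifier-side: from C = com(x, r) derive com(x - a, r) without knowing x."""
    return c * pow(G, -a, N) % N

def four_squares(m: int) -> tuple:
    """Brute-force Lagrange decomposition m = w1^2 + ... + w4^2 (small m only)."""
    if m < 0:
        raise ValueError("negative integers are not sums of squares")
    lim = math.isqrt(m)
    for w1 in range(lim + 1):
        for w2 in range(w1, lim + 1):
            for w3 in range(w2, lim + 1):
                rest = m - w1 * w1 - w2 * w2 - w3 * w3
                if rest < w3 * w3:       # w4 >= w3 impossible from here on
                    break
                w4 = math.isqrt(rest)
                if w4 * w4 == rest:
                    return (w1, w2, w3, w4)
    raise AssertionError("unreachable: Lagrange's theorem guarantees a solution")

def range_witness(x: int, a: int, b: int) -> tuple:
    """Witness w (8 integers) for a <= x <= b: x - a and b - x as four squares."""
    return four_squares(x - a) + four_squares(b - x)

def P(x: int, w: tuple, a: int, b: int) -> int:
    """Polynomial whose integer zeros (x, w) are exactly the x with a <= x <= b."""
    s_low = sum(v * v for v in w[:4])
    s_high = sum(v * v for v in w[4:])
    return (x - a - s_low) ** 2 + (b - x - s_high) ** 2

def check_range(x: int, a: int, b: int) -> bool:
    """True iff an integer witness exists, i.e. iff a <= x <= b."""
    try:
        return P(x, range_witness(x, a, b), a, b) == 0
    except ValueError:
        return False
```

A zero-knowledge range proof in this framework would prove knowledge of openings of the shifted commitments to \(x-a\) and \(b-x\) as sums of four committed squares, without revealing \(x\) or \(\mathbf{w}\).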

Keywords

  • Public-key cryptography
  • Commitment schemes
  • Interactive arguments of knowledge
  • Zero-knowledge proofs
  • RSA assumption

Notes

Acknowledgments

This work has been partially done while the second author was at ENS. This work was supported in part by the European Research Council under the European Community’s Seventh Framework Programme (FP7/2007-2013 Grant Agreement no. 339563 – CryptoCloud).


Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Geoffroy Couteau (1)
  • Thomas Peters (2)
  • David Pointcheval (1)
  1. CNRS, INRIA, ENS/PSL Research University, Paris, France
  2. FNRS and UCLouvain, Louvain-la-Neuve, Belgium
