Non-interactive Provably Secure Attestations for Arbitrary RSA Prime Generation Algorithms

  • Fabrice Benhamouda
  • Houda Ferradi
  • Rémi Géraud
  • David Naccache
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10492)


RSA public keys are central to many cryptographic applications; hence their validity is of primary concern to the scrupulous cryptographer. The most relevant properties of an RSA public key \((n, e)\) depend on the factors of \(n\): are they properly generated primes? Are they large enough? Is \(e\) co-prime with \(\phi(n)\)? And of course, revealing \(n\)'s factors is out of the question.
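The split the abstract draws, between what a third party can check from \((n, e)\) alone and what depends on the factors of \(n\), as an added Python example (this is not code from the paper; the bit-length thresholds, the two constructed defective keys and the function names are assumptions for illustration):

```python
"""Added example (not from the paper): RSA key-validity checks split by who can run them.

A verifier holding only (n, e) can rule out blatant defects, but cannot check the
properties the abstract lists (factors prime, factors large, e coprime with phi(n))
without the factors. Thresholds and names are assumptions for illustration.
"""
import math
import random
import secrets

# Small odd primes for trial division (constructed here, up to 2000).
SMALL_PRIMES = [p for p in range(3, 2000, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division, then Miller-Rabin with random bases (error <= 4^-rounds)."""
    if n < 2:
        return False
    if n == 2:
        return True
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random prime of exactly `bits` bits (top bit and low bit forced to 1)."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def is_perfect_power(n: int) -> bool:
    """True if n = m^k for some k >= 2; a product of two distinct primes never is."""
    for k in range(2, n.bit_length() + 1):
        lo, hi = 2, 1 << (n.bit_length() // k + 1)
        while lo <= hi:                      # binary search for an integer k-th root
            mid = (lo + hi) // 2
            v = mid ** k
            if v == n:
                return True
            if v < n:
                lo = mid + 1
            else:
                hi = mid - 1
    return False


def public_checks(n: int, e: int, min_modulus_bits: int) -> list:
    """Checks anyone can run on (n, e). An empty list does NOT mean n is well formed."""
    problems = []
    if n.bit_length() < min_modulus_bits:
        problems.append("modulus too short")
    if n % 2 == 0 or any(n % p == 0 for p in SMALL_PRIMES):
        problems.append("modulus has a small prime factor")
    elif is_probable_prime(n):
        problems.append("modulus is prime")
    elif is_perfect_power(n):
        problems.append("modulus is a perfect power")
    if e < 3 or e % 2 == 0:
        problems.append("public exponent must be an odd integer > 1")
    elif math.gcd(e, n) != 1:
        problems.append("gcd(e, n) != 1 (this also reveals a factor of n)")
    return problems


def private_checks(p: int, q: int, e: int, min_prime_bits: int) -> list:
    """Checks only the key generator (who knows p and q) can run: the abstract's properties."""
    problems = []
    for name, x in (("p", p), ("q", q)):
        if not is_probable_prime(x):
            problems.append(f"{name} is not prime")
        if x.bit_length() < min_prime_bits:
            problems.append(f"{name} is too short")
    if p == q:
        problems.append("p == q")
    if math.gcd(e, (p - 1) * (q - 1)) != 1:
        problems.append("e is not coprime with phi(n)")
    return problems


def demo(bits: int = 512, e: int = 65537) -> dict:
    """A sound key plus two constructed defective keys that pass every public check."""
    while True:                              # honest generator: retry until gcd(e, phi) = 1
        p, good_q = gen_prime(bits), gen_prime(bits)
        if math.gcd(e, (p - 1) * (good_q - 1)) == 1:
            break
    # Defect 1: "q" is itself a product of two primes, so n has three prime factors.
    composite_q = gen_prime(bits // 2) * gen_prime(bits // 2)
    # Defect 2: q is prime but q - 1 is a multiple of e, so gcd(e, phi(n)) = e.
    while True:
        m = (secrets.randbits(bits - 16) | (1 << (bits - 17))) & ~1   # even m -> odd q
        bad_q = e * m + 1
        if is_probable_prime(bad_q):
            break
    out = {}
    for label, q in (("good", good_q), ("composite_factor", composite_q), ("bad_exponent", bad_q)):
        # 2*bits - 2 leaves slack for the constructed keys, whose q may be a bit short.
        out[label] = {"public": public_checks(p * q, e, 2 * bits - 2),
                      "private": private_checks(p, q, e, bits)}
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Both defective keys pass every public check and are caught only by the private ones; that is the gap an attestation has to close: the verifier must be convinced of the private-side properties without learning \(p\) and \(q\).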

Generic non-interactive zero-knowledge (NIZK) proofs can be used to prove such properties. However, NIZK proofs are not practical at all. For some very specific properties, specialized proofs exist but such ad hoc proofs are naturally hard to generalize.

This paper proposes a new type of general-purpose compact non-interactive proofs, called attestations, allowing the key generator to convince any third party that \(n\) was properly generated. The proposed construction applies to any prime generation algorithm, and is provably secure in the Random Oracle Model.

As a typical implementation instance, for 138-bit security, verifying or generating an attestation requires \(k=1024\) prime generations. For this instance, each processed message will later need to be signed or encrypted 14 times by the final users of the attested moduli.


Keywords: RSA key generation; Random oracle; Non-interactive proof



The first author was supported by the Defense Advanced Research Projects Agency (DARPA) and Army Research Office (ARO) under Contract No.W911NF-15-C-0236.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Fabrice Benhamouda (1)
  • Houda Ferradi (2)
  • Rémi Géraud (3)
  • David Naccache (3)
  1. IBM Research, Yorktown Heights, USA
  2. NTT Secure Platform Laboratories, Tokyo, Japan
  3. Département d'informatique de l'ENS, École normale supérieure, CNRS, PSL Research University, Paris, France
