The RSA Group is Pseudo-Free

We prove, under the strong RSA assumption, that the group of invertible integers modulo the product of two safe primes is pseudo-free. More specifically, no polynomial-time algorithm can output (with non-negligible probability) an unsatisfiable system of equations over the free Abelian group generated by the symbols g1,…,gn, together with a solution modulo the product of two randomly chosen safe primes when g1,…,gn are instantiated to randomly chosen quadratic residues. Ours is the first provably secure construction of pseudo-free Abelian groups under a standard cryptographic assumption and resolves a conjecture of Rivest (Theory of Cryptography Conference—Proceedings of TCC 2004, LNCS, vol. 2951, pp. 505–521, 2004).
