Proving in Zero-Knowledge that a Number Is the Product of Two Safe Primes

We present the first efficient statistical zero-knowledge protocols to prove statements such as:

- A committed number is a prime.
- A committed (or revealed) number is the product of two safe primes, i.e., primes p and q such that (p - 1)/2 and (q - 1)/2 are prime.
- A given integer has large multiplicative order modulo a composite number that consists of two safe prime factors.

The main building blocks of our protocols are statistical zero-knowledge proofs of knowledge that are of independent interest. We show how to prove the correct computation of a modular addition, a modular multiplication, and a modular exponentiation, where all values, including the modulus, are committed to but not publicly known. Apart from the validity of the equations, no other information about the modulus (e.g., a generator whose order equals the modulus) or any other operand is exposed. Our techniques can be generalized to prove that any multivariate modular polynomial equation is satisfied, where only commitments to the variables of the polynomial and to the modulus need to be known. This improves on previous results, where the modulus had to be publicly known. We show how these building blocks allow one to prove statements such as those listed above.
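The abstract names the relations being proved but not the objects behind them. The following is an added example and not code from the paper: it checks the two headline relations in the clear (a number is the product of two distinct safe primes; an element has large multiplicative order, which this demo takes to mean an order divisible by p'q', where p = 2p'+1 and q = 2q'+1), and it implements an integer commitment C = g^x h^r over a group of unknown order together with a Fiat-Shamir sigma-protocol proof of knowledge of the opening, which is the kind of statistical zero-knowledge proof of knowledge the abstract refers to as a building block. The Fujisaki-Okamoto-style commitment, the 128-bit challenge, the 80-bit statistical slack on the randomizers, the 20-bit toy primes and the seeded RNG are all choices of this example, not parameters taken from the paper.

```python
# Added demo, not from the paper: toy parameters chosen for readability, not security.
import hashlib
import random
from math import gcd

_SYS = random.SystemRandom()

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test, after trial division by small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(_SYS.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p: int) -> bool:
    """p is a safe prime iff p and p' = (p - 1) / 2 are both prime."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def gen_safe_prime(bits: int, rng: random.Random) -> int:
    """Rejection-sample a safe prime p = 2p' + 1 of exactly `bits` bits."""
    while True:
        pp = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1  # odd (bits-1)-bit p'
        if is_probable_prime(pp) and is_probable_prime(2 * pp + 1):
            return 2 * pp + 1

def multiplicative_order(g: int, p: int, q: int) -> int:
    """Order of g mod n = pq for safe primes p = 2p'+1, q = 2q'+1.  Since
    lambda(n) = lcm(p-1, q-1) = 2p'q', only the eight divisors of 2p'q' are candidates."""
    n = p * q
    if gcd(g, n) != 1:
        raise ValueError("g is not a unit modulo n")
    pp, qq = (p - 1) // 2, (q - 1) // 2
    candidates = sorted({a * b * c for a in (1, 2) for b in (1, pp) for c in (1, qq)})
    return next(d for d in candidates if pow(g, d, n) == 1)

def fiat_shamir_challenge(*vals: int, bits: int = 128) -> int:
    # Non-interactive challenge: top `bits` bits of SHA-256 over the transcript.
    digest = hashlib.sha256("|".join(map(str, vals)).encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

class IntegerCommitment:
    """C = g^x h^r mod N in a group of unknown order (Fujisaki-Okamoto style).  Responses
    are integers masked by randomizers ~80 bits longer than c*x: that slack gives statistical ZK."""
    MASK_BITS = 64 + 128 + 80  # |x| + |challenge| + statistical slack

    def __init__(self, N: int, g: int, h: int, rng: random.Random):
        self.N, self.g, self.h, self.rng = N, g, h, rng

    def commit(self, x: int, r: int) -> int:
        return pow(self.g, x, self.N) * pow(self.h, r, self.N) % self.N

    def prove_opening(self, C: int, x: int, r: int) -> tuple:
        # Sigma protocol for knowledge of (x, r) with C = g^x h^r, made non-interactive.
        xp, rp = self.rng.getrandbits(self.MASK_BITS), self.rng.getrandbits(self.MASK_BITS)
        t = self.commit(xp, rp)
        c = fiat_shamir_challenge(self.N, self.g, self.h, C, t)
        return t, xp + c * x, rp + c * r

    def verify_opening(self, C: int, proof: tuple) -> bool:
        t, sx, sr = proof
        c = fiat_shamir_challenge(self.N, self.g, self.h, C, t)
        return self.commit(sx, sr) == t * pow(C, c, self.N) % self.N

def demo(seed: int = 7) -> dict:
    rng = random.Random(seed)  # seeded only for reproducibility; use a CSPRNG for real
    p, q = gen_safe_prime(20, rng), gen_safe_prime(20, rng)
    while q == p:
        q = gen_safe_prime(20, rng)
    N = p * q
    g = pow(rng.randrange(2, N - 1), 2, N)  # quadratic residue; order p'q' with overwhelming probability
    h = pow(g, rng.randrange(2, N), N)      # h in <g>; a real setup must keep log_g(h) secret
    com = IntegerCommitment(N, g, h, rng)
    x, r = 0xC0DE, rng.getrandbits(64)
    C = com.commit(x, r)
    t, sx, sr = com.prove_opening(C, x, r)
    x2, r2 = 17, rng.getrandbits(64)
    return {
        "safe_prime_product": p != q and is_safe_prime(p) and is_safe_prime(q),
        "large_order": multiplicative_order(g, p, q) % (((p - 1) // 2) * ((q - 1) // 2)) == 0,
        "opening_proof_ok": com.verify_opening(C, (t, sx, sr)),
        "forged_proof_ok": com.verify_opening(C, (t, sx + 1, sr)),  # tampered response must fail
        "homomorphic_ok": C * com.commit(x2, r2) % N == com.commit(x + x2, r + r2),
    }
```

The last line of `demo` is the property a linear-relation proof rests on: multiplying commitments adds the committed values, so a verifier can check a sum of committed integers without seeing them. Proving a relation modulo a committed m additionally needs the multiplication proofs the abstract describes, which this example does not implement.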

J. Camenisch et al., Proving in Zero-Knowledge that a Number Is the Product of Two Safe Primes, 1998.