Removing the Strong RSA Assumption from Arguments over the Integers
Geoffroy Couteau, Thomas Peters, and David Pointcheval
École Normale Supérieure, CNRS, INRIA, PSL Research University
May 2, 2017

Commitment Schemes over Groups of Unknown Order

Commit to m: hiding (the commitment reveals nothing about m) and binding (it can be opened to only one m).
Fujisaki-Okamoto (1997): $m \in G$, $|G|$ unknown. Perfectly hiding, binding under Factorization.
Used, through a zero-knowledge argument of knowledge (ZKAoK) of an opening, in: Anonymous Credentials, Group Signatures, MPC, Range Proofs, E-Cash, Auctions, E-Voting, PPSS.
The ZKAoK is proven secure under Strong-RSA. This work: plain RSA.

Preliminaries on RSA Groups

$\mathbb{Z}_n^*$, with $n = pq$, $p = 2p' + 1$, and $q = 2q' + 1$.
$|QR[n]| = (p-1)(q-1)/4 = p'q'$.

Problems over $\mathbb{Z}_n^*$:
- Fact: given n, find (p, q) with $n = p \cdot q$.
- RSA: given (u, x) (e.g. x = 65537), find v with $u = v^x \bmod n$: a single solution.
- Strong-RSA: given u, find (v, x) with $u = v^x \bmod n$: exponentially many solutions.

Zero-Knowledge Argument of Knowledge of an Opening

Setup: $n = p \cdot q$, $\langle g \rangle = QR[n]$, $g = h^\alpha$, $com = g^m h^r$. The prover P knows (m, r).
1. P picks y, s and sends $com' = g^y h^s$.
2. V sends a challenge e.
3. P sends $z \leftarrow em + y$, $t \leftarrow er + s$.
V checks whether $com^e \, com' = g^z h^t$.

Soundness. With rewinding (two accepting transcripts with challenges $e_0 \neq e_1$ for the same $com'$), extract
$(m, r) = \left( \frac{z_0 - z_1}{e_0 - e_1}, \frac{t_0 - t_1}{e_0 - e_1} \right)$.
Requires inversions over the exponents of G!

Soundness Argument

Reduction from RSA: the simulator receives an RSA challenge (h, x) and must output v with $v^x = h$. It sets $g = h^\alpha$ and runs the prover on $com = g^m h^r$.
The prover's answers are $z_i \leftarrow e_i m + y$, $t_i \leftarrow e_i r + s$.
Rewind P with $(e_0, e_1)$; with probability $\varepsilon^2$, $com^{e_0 - e_1} = g^{z_0 - z_1} h^{t_0 - t_1}$.
Write $z = z_0 - z_1$, $e = e_0 - e_1$, $t = t_0 - t_1$: $com^e = g^z h^t$, but we cannot divide by e!

Case 1. $e \mid z$ and $e \mid t$: $com = \pm g^{z/e} h^{t/e}$.

Case 2. $e \nmid z$ or $e \nmid t$. Then $com^e = g^z h^t = h^{\alpha z + t}$.
[DF02]: with probability 1/2, $e \nmid \alpha z + t$.
Shamir's gcd trick: let $\pi = e / \gcd(e, \alpha z + t)$; one can find v such that $v^\pi = \pm h$.
This solves a Strong RSA challenge with exponent π, not the RSA challenge with the given exponent x.
Core observation: π can't be too large.
- Suppose $\pi > 8/\varepsilon$. Rewind P with $(e_0, e_1, e_2)$; with probability $\varepsilon^3$, $com^e = g^z h^t$ and $com^{e'} = g^{z'} h^{t'}$, which yields a relation $g^a = h^b$. Such a relation factors n unless a = b = 0, and a = b = 0 forces $\pi = \pi'$. But π' divides e', and e' is random: $\Pr[\pi = \pi'] \le \Pr[\pi \text{ divides } e'] = O(\varepsilon)$. Hence the simulator factors n with 1/poly probability.
- So $\pi \le 8/\varepsilon$: a random small RSA challenge exponent x is equal to π with $O(\varepsilon)$ probability.
The simulator gets (m, r) or solves RSA with $O(\varepsilon^3)$ probability.

Applications, Other Contributions, and Open Problems

Applications.
- Relations between committed values (e.g. [CM99])
- Range proofs ([Lip03])
Other Contributions.
- Can convert an FO commitment (integers) into a Gennaro commitment (modulo a small prime)
- Allows integer ZK proofs with efficient verification
Open Problems.
- Can we build short algebraic RSA-based signatures?

Thank you for your attention. Questions?