R. Gennaro, D. Micciancio, and T. Rabin. An Efficient Non-Interactive Statistical Zero-Knowledge Proof System for Quasi-Safe Prime Products. In Proc. of the Fifth ACM Conference on Computer and Communications Security '98. ACM, 1998.
....that the group generated by hg 1 ; g k i is all of QN with high probability. Such techniques have already been used by Frankel et al. in [18] and a precise treatment has been given by Poupard and Stern in [31]. Moreover, using a nice trick of Gennaro et al. which first appeared in [22] and the protocol recently proposed by Catalano et al. in [8], the calculation of gcd(p - 1, q - 1) can be performed in a distributed way. These methods allow to keep key generation and signature efficient. In this paper, we show how to jointly construct RSA moduli such that the ....
....To guarantee this property, we use the fact that the product of two cyclic groups which orders are coprime is a cyclic group. The following lemma and the GCD protocol enables to check that p are coprime in a distributed way. First we prove a lemma which has been used in another form in [22]. Lemma 1. Let N = pq an RSA modulus, gcd(p - 1, q - 1) | gcd(N - 1, N) and the square free part of gcd(N - 1, N) divides gcd(p - 1, q - 1). See appendix section 9.2 for a proof of this lemma. Corollary 1. If gcd(N - 1, N) 2, then gcd(p - 1, q ....
R. Gennaro, D. Micciancio, and T. Rabin. An Efficient Non-Interactive Statistical Zero-Knowledge Proof System for Quasi-Safe Prime Products. In Proc. of the Fifth ACM Conference on Computer and Communications Security '98. ACM, 1998.
....[3] allows to prove that a given n is squarefree, i.e. there is no prime p with pjn such that p jn. Hence, if for a given n both properties can be shown, it follows that n is of form n = pq, where p and q are primes and p q 3 (mod 4) This result was recently strengthened by Gennaro et al. [20] who present a proof system for showing that a number n satisfying certain side conditions is the product of quasi safe primes, i.e. primes p and q for which (p 1) 2 and (q 1) 2 is a prime power. However, their protocol can not guarantee that (p 1) 2 and (q 1) 2 are indeed primes which is ....
....for a single (pseudo-)primality proof (cf. Subsection 4.3). 5.2 A Protocol For a Publicly Known RSA Modulus We now consider the case where the modulus n is publicly known. In case n fulfils certain side conditions (see below) it is more efficient to first run the protocol due to Gennaro et al. [20] (which includes the proofs proposed by Peralta van de Graaf [32] and by Boyar et al. [3]). This protocol is a statistical zero knowledge proof system that there exist two integers a; b 1 such that n consists of two primes p = 2 p 1 and q = 2 q 1 with p; q; p; q 6 1 (mod 8) p ....
[Article contains additional citation context not shown here]
R. Gennaro, D. Micciancio, and T. Rabin. An efficient non-interactive statistical zero-knowledge proof system for quasi-safe prime products. In 5th ACM Conference on Computer and Communications Security, 1998.
....prime factor decomposition of (p - 1)/2 and (q - 1)/2. In particular, if (p - 1)/2 and (q - 1)/2 have no small prime factors, then with high probability few randomly chosen elements generate the entire group QN. Moreover, using a nice trick of Gennaro et al. which first appeared in [9] and the protocol recently proposed by Catalano et al. in [4], the calculation of gcd(p - 1, q - 1) can be performed in a distributed way. This method allows to keep key generation efficient. In this paper, we show how to jointly construct RSA moduli such that the subgroup QN is cyclic, ....
....that QN is cyclic, we use the fact that the product of two cyclic groups which orders are coprime is a cyclic group. The following lemma and the GCD protocol enables to check that p' and q' are coprime in a distributed way. First we prove a lemma which has been used in another form in [9]. Lemma 1. Let N = pq an RSA modulus, gcd(p - 1, q - 1) | gcd(N - 1, N) and the square free part of gcd(N - 1, N) divides gcd(p - 1, q - 1). Proof. We can note that (N) N - p - q 1 = N - 1) - (p - 1) - (q - 1). So, N ....
R. Gennaro, D. Micciancio, and T. Rabin. An Efficient Non-Interactive Statistical Zero-Knowledge Proof System for Quasi-Safe Prime Products. In Proc. of the Fifth ACM Conference on Computer and Communications Security '98. ACM, 1998.
....large cyclic subgroups. In fact, a much stronger requirement is imposed due to the secrecy of the group structure: the group in question must have two cyclic subgroups of sizes roughly equal to p n. Such a demand can be met if n has a so called safe prime structure [5] (or pseudo safe prime, see [13]). Checking of such structures for a composite number of secret factorisation is not an easy job at all. Methods which offer high confidence of correctness are zero knowledge protocols in which the prover is the very signer who is suspected of cheating in first place. To date, no satisfiable ....
....are zero knowledge protocols in which the prover is the very signer who is suspected of cheating in first place. To date, no satisfiable zero knowledge protocol (in terms of efficiency and security assumption) is known for checking such structures. The reader interested in that topic is referred to [5, 13]. It is then natural to ask whether efficient RSA based zero knowledge undeniable signatures could be designed for a more general form of composite modulus. This is an open question originally posed by Gennaro et al. [12] which remains open to this day. 1.3 Our Work In our work, an RSA ....
Gennaro, R., Micciancio, D. and Rabin, T. An efficient non-interactive statistical zero-knowledge proof system for quasi-safe prime products, 5th ACM Conference on Computer and Communications Security, October 1998.
....modulo n. Their protocol for the proof of Blum integers used this observation (a prover is challenged to show a square root of a positive Jacobi symbol element or of its negation). A number of other previous protocols for proving two prime product structure also used this idea (e.g. Gennaro et al. [9] and Camenisch Michels [6] though both protocols proved some additional nice properties of n which is outside the scope of this work). If n is not in a two prime product structure then it is certainly not a Blum integer. Omitting details, for any group element of positive Jacobi symbol mod such n ....
....actually evaluate the Legendre symbols i h p j and i h q j (reasoned in the completeness proof in B) Using challenges of the negative Jacobi symbol has the virtue of not disclosing the quadratic residue information of the challenges. In contrast, any square root displaying protocol (e.g. [9, 10]) discloses such information. The protocol allows for the two factors to have size differences satisfying j (p) q)j 2. Larger size differences, if desirable, can be accommodated by adjusting the inequalities in step 5.1. 4 Security Analysis The security analysis consists of the examination ....
R. Gennaro, D. Micciancio and T. Rabin. An efficient non-interactive statistical zero-knowledge proof system for quasi-safe prime products, In 5th ACM Conference on Computer and Communications Security, October 1998.
....public key Y is made available via the usual means (i.e. embedded in some form of a public key certificate signed by a trusted authority). We note that, in practice, components of Y must be verifiable to prevent framing attacks. There are efficient methods providing this kind of proofs (see [18], [19]) and, moreover, they must be done only once. For instance, to verify that a (or b) has large order in ZZ n , it is enough to test whether a ≠ -1, 1 and that gcd(a - 1, n) 1 ([18]). This proves that a has order at least p'q'. The value b should be chosen as b = a^c for a ....
....b = a^c for a secret value c such that gcd(c, φ(n)) 1 (so that a and b have the same order and generate the same group in which we assume the Diffie Hellman problem is hard). GRMGR also needs to provide a proof of n being a product of two primes p, q with p = 2p' 1 and q = 2q' 1. See [19] for an efficient method for this problem. Suppose now that an user wants to join the group. We assume that communication between the user and the group manager is secure, i.e. private and authentic. The selection of per user parameters is done as follows: JOIN: 1. User generates a secret ....
R. Gennaro, D. Micciancio, and T. Rabin. An efficient non-interactive statistical zero-knowledge proof system for quasi-safe prime products. In ACM Conference on Computer and Communication Security, 1998.
....q s . Then Boyar et al. [4] proposed a protocol to prove that an integer is square free. The combination of those two protocols typically allows to prove that an integer is an RSA modulus. Those results have recently been enhanced with protocols which prove that the factors are quasi safe primes [12], have about the same size [16] or are exactly safe primes [5]. All the above protocols are based on the basic observation that, modulo a given integer n, a random number has a square root with probability 2^-j, where j is the number of different prime factors of n, and that such a square ....
R. Gennaro, D. Micciancio, and T. Rabin. An Efficient Non-Interactive Statistical Zero-Knowledge Proof System for Quasi-Safe Prime Products. In Proc. of the 5th CCCS, pages 67--72. ACM press, 1998.
....algorithm. Therefore the fact that moduli are of a restricted form does not guarantee that the resulting RSA key is likely to be secure. Secondly, it is difficult for a user to efficiently prove to the CA in Zero Knowledge that the modulus is a product of two strong primes; see Gennaro et al. [5] and Camenisch and Michels [3] for some protocols which will help in this situation. Alternative methods of key generation that address the issues we are considering in this paper include • Requiring users RSA keys to be generated by a trusted party and not allowing any user to choose their ....
.... i 2 and i ≠ i 1 . C checks that 2^(2n-2) N 2^(2n) . C checks that e and φ(N) are coprime by asking U to sign messages taken from the trusted source of randomness. Finally, U proves to C that N is a product of two primes; see van de Graaf and Peralta [6], Gennaro, Micciancio and Rabin [5] and Camenisch and Michels [3] for example. If all these checks succeed, the pair (N, e) is accepted as the user's RSA key. There are several known efficient protocols which can be used for the bit commitment schemes and zero knowledge proofs. The choice of protocol depends on which security ....
R. Gennaro, D. Micciancio and T. Rabin, `An efficient non-interactive statistical zero-knowledge proof system for quasi-safe prime products', Proc. 5th ACM Conference on Computer and Communications Security, 1998, to appear.
....[15] which are not convincing. We also introduce a new kind of proof of knowledge for factoring [23]. All previous ones were based on a preliminary proof that the number has a prescribed number of prime factors. Such proofs have been known for a long time [17, 26] and have been recently enhanced [18, 14]. However they are all based on the fact that modulo n, a random number has a square root with probability 2^-k, if k is the number of different prime factors of n, and that such a square root can be efficiently computed only when the factorization of the n is known. Consequently, a ....
R. Gennaro, D. Micciancio, and T. Rabin. An Efficient Non-Interactive Statistical Zero-Knowledge Proof System for Quasi-Safe Prime Products. In Proc. of the 5th CCCS, pages 67--72. ACM press, 1998.
....to Boyar et al. [2] allows to prove that a number n is square free, i.e. there is no prime p with p | n such that p^2 | n. Hence, if both properties are proved, it follows that n is the product of two primes p and q, where p ≡ q ≡ 3 (mod 4). This result was recently strengthened by Gennaro et al. [22] who present a proof system for showing that a number n (satisfying certain side conditions) is the product of quasi safe primes, i.e. primes p and q for which (p - 1)/2 and (q - 1)/2 is a prime power. However, their protocol can not guarantee that (p - 1)/2 and (q - 1)/2 are ....
....(cf. Subsection 4.3). 5.2 A Protocol For a Publicly Known RSA Modulus In cases the number n is publicly known and fulfills some side conditions (see below) much less rounds of the Lehmann test will be sufficient if the prover and the verifier first run the protocol due to Gennaro et al. [22] (which includes the protocols proposed by Peralta van de Graaf [37] and by Boyar et al. [2]). This protocol is a statistical zero knowledge proof system that there exist two integers a; b 1 such that n consists of two primes p = 2 p a 1 and q = 2 q b 1 with p; q; p; q ≢ 1 (mod 8) ....
[Article contains additional citation context not shown here]
R. Gennaro, D. Micciancio, and T. Rabin. An efficient non-interactive statistical zero-knowledge proof system for quasi-safe prime products. In 5th ACM Conference on Computer and Communications Security, 1998.
....have that computing a signature will be less than 1.5 times slower than for a standard RSA signature. 3. When a key for our scheme is certified, it is possible for the signer to prove that the modulus n has been chosen correctly (i.e. the product of two quasi safe primes) by using a result from [12]. 4 Security in the Random oracle Model As we have stated, for the security of our scheme we must use the strong RSA conjecture which was introduced recently by Barić and Pfitzmann. The difference between this conjecture and the standard RSA conjecture is that here the adversary is given the ....
R. Gennaro, D. Micciancio, and T. Rabin. An Efficient Non-Interactive Statistical Zero-Knowledge Proof System for Quasi-Safe Prime Products. Proceedings of 1998 ACM Conference on Computers and Communication Security.