## Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes (1998)

### Cached

### Download Links

- [www.brics.dk]
- [www.daimi.au.dk]
- [www.brics.dk]
- [www.brics.dk]
- [www.mathmagic.cn]
- DBLP

### Other Repositories/Bibliography

Citations: | 131 - 13 self |

### BibTeX

@MISC{Camenisch98provingin,

author = {Jan Camenisch and Markus Michels},

title = {Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes},

year = {1998}

}

### Years of Citing Articles

### OpenURL

### Abstract

This paper presents the first efficient statistical zero-knowledge protocols to prove statements such as: A committed number is a pseudo-prime.

### Citations

985 |
A Course in Computational Algebraic Number Theory
- Cohen
- 1995
(Show Context)
Citation Context ... ∧ (1) cd = g γ h δ ∧ −2 ¨ ℓ <γ<2 ¨ ℓ ∧ (2) cn = g ε h ζ ∧ −2 ¨ ℓ <ε<2 ¨ ℓ ∧ (3) � ℓb−1 � i=0 c 2i� /cb = h bi η ∧ (4) 4 In practice a more enhanced exponentiation algorithm might be used (see, e.g., =-=[15]-=-), but one should keep in mind that it must not leak additional information about the exponent.s114 Jan Camenisch and Markus Michels cv1 = g λ1 h µ1 ∧ ... ∧ cvℓ b −1 = gλℓ b −1 h µℓ b −1 ∧ (5) cv1 = c... |

621 |
Efficient signature generation by smart cards
- Schnorr
- 1991
(Show Context)
Citation Context ...nowledge protocols for proving knowledge of and about discrete logarithms and introduce our notation for such protocols. Proving the knowledge of a discrete logarithm x of a group element y toabase g =-=[13,35]-=-. The prover chooses a random r ∈R ZQ and computes t := g r and sends t to the verifier. The verifier picks a random challenge c ∈R {0, 1} k and sends it to the prover. The prover computes s := r − cx... |

409 |
Non-Interactive and Information-Theoretical Secure Verifiable Secret Sharing
- Pedersen
- 1991
(Show Context)
Citation Context ...ed value. It includes RSA-based as well as discrete-logarithm-based schemes of both kinds. For easier description of our protocols, we will use a particular commitment scheme which is due to Pedersen =-=[31]-=-: A value a ∈ ZQ is committed to by ca := g a h r ,wherer is randomly chosen from ZQ. This scheme is unconditionally hiding and computationally binding, i.e., a prover able to compute log g h can chan... |

318 |
Minimum Disclosure Proofs of Knowledge
- Brassard, Chaum, et al.
- 1988
(Show Context)
Citation Context ...1)/2 have a large prime factor that is between 100 and 120 bit [39] 1 . Previously, the only way known to prove such properties was applying inefficient general zero-knowledge proof techniques (e.g., =-=[23,5,16]-=-). In this paper we describe an efficient protocol for proving that a committed integer is in fact the modular addition of two committed integer modulo another committed integer without revealing any ... |

315 |
Wallet databases with observers
- Chaum, Pedersen
- 1993
(Show Context)
Citation Context ...f t = yc �l i=1 gsi i holds. This protocol is denoted by PK {(α1,... ,αl) :y = �l i=1 gαi i }. Proving the equality of the discrete logarithms of elements y1 and y2 to the bases g and h, respectively =-=[14]-=-. Let y1 = gx and y2 = hx . The prover chooses a random r ∈ Z∗ Q , computes t1 := gr ,t2 := hr , and sends t1,t2 to the verifier. The verifier picks a random challenge c ∈{0, 1} k and sends it to the ... |

287 | Efficient group signature schemes for large groups (extended abstract
- Camenisch, Stadler
(Show Context)
Citation Context ... such as those listed earlier. 1 Introduction The problem of proving that a number n is the product of two primes p and q of special form arises in many recently proposed cryptographic schemes (e.g., =-=[7,8,20,21]-=-) whose security is based on both the infeasibility of computing discrete logarithms and of computing roots in groups of unknown order. Such schemes typically involve a designated entity that knows th... |

284 | Proofs of partial knowledge and simplified design of witness hiding protocols
- Cramer, Damgard, et al.
(Show Context)
Citation Context ...nother one (modulo the group order), e.g., PK {(α) :y1 = gα ∧ y2 = yα 1 }. Proving the knowledge of (at least) one out of the discrete logarithms of the elements y1 and y2 to the base g (proof of OR) =-=[17,34]-=-. W.l.o.g., we assume that the prover knows x =loggy1. Thenr1,s2 ∈R Z∗ Q , c2 ∈R {0, 1} k and computes t1 := gr1 ,t2 := gs2 y c2 2 and sends t1 and t2 to the verifier. The verifier picks a random chal... |

233 | Untraceable Off-line Cash in Wallets with Observers
- Brands
- 1993
(Show Context)
Citation Context .... Adopting the notation in [8], we denote this protocol by PK {(α) :y = gα },wherePK stands for “proof of knowledge”. Proving the knowledge of a representation of an element y to the bases g1,... ,gl =-=[3,12]-=-, i.e., proving the knowledge of integers x1,... ,xl such that y = �l i=1 gxi i . This protocol is an extension of the previous one with respect to multiple bases. The prover chooses random integers r... |

225 |
Riemann’s hypothesis and test for primality
- Miller
- 1976
(Show Context)
Citation Context ...nt. Some primality tests reveal information about the structure of the prime and are hence not suited unless one is willing to expose this information. Examples of such tests are the MillerRabin test =-=[30,33]-=- or the one based on Pocklington’s theorem. A test that does not reveal such information is due to Lehmann [27] and described in the next subsection. 4.1 Lehmann’s Primality Test Lehmann’s test is var... |

197 |
Probabilistic algorithm for testing primality
- Rabin
- 1980
(Show Context)
Citation Context ...nt. Some primality tests reveal information about the structure of the prime and are hence not suited unless one is willing to expose this information. Examples of such tests are the MillerRabin test =-=[30,33]-=- or the one based on Pocklington’s theorem. A test that does not reveal such information is due to Lehmann [27] and described in the next subsection. 4.1 Lehmann’s Primality Test Lehmann’s test is var... |

141 |
A Fast Monte-Carlo Test for Primality
- Solovay, Strassen
- 1977
(Show Context)
Citation Context ...n’s theorem. A test that does not reveal such information is due to Lehmann [27] and described in the next subsection. 4.1 Lehmann’s Primality Test Lehmann’s test is variation of the Solovay-Strassen =-=[36]-=- primality test and based on the following theorem [26]: Theorem 3. An odd integer n>1 is prime if and only if ∀a ∈ Z ∗ n : a(n−1)/2 ≡±1 (mod n) and ∃a ∈ Z ∗ n : a(n−1)/2 ≡−1 (mod n) . This theorem su... |

136 |
Okamoto: Statistical Zero-Knowledge Protocols to prove Modular Polynomial Relations, proc. of Crypto 97, Springer Verlag LNCS series 1294
- Fujisaki
(Show Context)
Citation Context ...tion, modular exponentiation, and, more general, for any multivariate polynomial equation. Previously known protocols allow only to prove that algebraic relations modulo a publicly known integer hold =-=[4,9,16,18]-=-. Furthermore, we present an efficient zero-knowledge argument of primality of a committed number and, as a consequence, a zero-knowledge argument that an RSA modulus n consists of two safe primes. Th... |

132 | Efficient generation of shared RSA keys
- Boneh, Franklin
- 1997
(Show Context)
Citation Context ... 1)/2 is a prime power. However, their protocol can not guarantee that (p − 1)/2 and (q − 1)/2 are indeed primes which is what we are aiming for. Let us further mention the work of Boneh and Franklin =-=[2]-=-, who provide a proof that a distributively generated number n indeed consists of two primes (without further showing that these primes are of special form). It should be noted that all these solution... |

83 | Robust and Efficient Sharing of RSA Functions
- Gennaro, Krawczyk, et al.
(Show Context)
Citation Context ... such as those listed earlier. 1 Introduction The problem of proving that a number n is the product of two primes p and q of special form arises in many recently proposed cryptographic schemes (e.g., =-=[7,8,20,21]-=-) whose security is based on both the infeasibility of computing discrete logarithms and of computing roots in groups of unknown order. Such schemes typically involve a designated entity that knows th... |

76 | RSA-based Undeniable Signatures
- Gennaro, Krawczyk, et al.
- 2000
(Show Context)
Citation Context ... such as those listed earlier. 1 Introduction The problem of proving that a number n is the product of two primes p and q of special form arises in many recently proposed cryptographic schemes (e.g., =-=[7,8,20,21]-=-) whose security is based on both the infeasibility of computing discrete logarithms and of computing roots in groups of unknown order. Such schemes typically involve a designated entity that knows th... |

75 |
Theorems on factorization and primality testing
- Pollard
- 1974
(Show Context)
Citation Context ...e probability that (p − 1)/2, (p +1)/2, (q − 1)/2, and (q +1)/2 have a large prime factor is overwhelming. This is sufficient protection against the Pollard p − 1 and Williams p + 1 factoring methods =-=[32,38]-=-. Moreover, an efficient proof that an arbitrarily generated RSA modulus is not weak without revealing its factors seems to be hard to obtain as various conditions have to be checked (e.g., see [1]).s... |

72 | Easy come - easy go divisible cash
- Chan, Frankel, et al.
(Show Context)
Citation Context ...mes 109 q for which (p − 1)/2 and(q − 1)/2 isaprimepower. However, their protocol can not guarantee that (p − 1)/2 and(q − 1)/2 are indeed primes which is what we are aiming for. Finally, Chan et al. =-=[11]-=- and Mao [29] provide protocols for showing that a committed number consists of two large factors, and, recently, Liskov & Silverman describe a proof that a number is a product of two nearly equal pri... |

65 | Proof systems for general statements about discrete logarithms
- Camenisch, Stadler
- 1997
(Show Context)
Citation Context ...tion, modular exponentiation, and, more general, for any multivariate polynomial equation. Previously known protocols allow only to prove that algebraic relations modulo a publicly known integer hold =-=[4,9,16,18]-=-. Furthermore, we present an efficient zero-knowledge argument of primality of a committed number and, as a consequence, a zero-knowledge argument that an RSA modulus n consists of two safe primes. Th... |

61 | Group Signature Schemes and Payment Systems Based on the Discrete Logarithm Problem - Camenisch - 1998 |

57 |
de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations
- Chaum, Evertse, et al.
- 1988
(Show Context)
Citation Context .... Adopting the notation in [8], we denote this protocol by PK {(α) :y = gα },wherePK stands for “proof of knowledge”. Proving the knowledge of a representation of an element y to the bases g1,... ,gl =-=[3,12]-=-, i.e., proving the knowledge of integers x1,... ,xl such that y = �l i=1 gxi i . This protocol is an extension of the previous one with respect to multiple bases. The prover chooses random integers r... |

53 | Zero-Knowledge Proofs for Finite Field Arithmetic; or: Can Zero-Knowledge be for Free
- Cramer, Damg̊ard
- 1998
(Show Context)
Citation Context ...1)/2 have a large prime factor that is between 100 and 120 bit [39] 1 . Previously, the only way known to prove such properties was applying inefficient general zero-knowledge proof techniques (e.g., =-=[23,5,16]-=-). In this paper we describe an efficient protocol for proving that a committed integer is in fact the modular addition of two committed integer modulo another committed integer without revealing any ... |

46 | New public-key schemes based on elliptic curves over the ring zn
- Koyama, Maurer, et al.
(Show Context)
Citation Context ... order (p − 1)(q − 1)/4 or(p − 1)(q − 1)/2 [21]. Another example are elliptic curves over Zn. Inthiscase,n is required to be the product of two primes p and q such that (p +1)/2 and(q +1)/2 are prime =-=[25]-=-. Finally, standards such as X9.31 require the modulus to be the product of two primes p and q, where(p − 1)/2, (p +1)/2, (q − 1)/2, and (q +1)/2 have a large prime factor that is between 100 and 120 ... |

42 | Rapid demonstration of linear relations connected by boolean operators
- Brands
- 1997
(Show Context)
Citation Context ...tion, modular exponentiation, and, more general, for any multivariate polynomial equation. Previously known protocols allow only to prove that algebraic relations modulo a publicly known integer hold =-=[4,9,16,18]-=-. Furthermore, we present an efficient zero-knowledge argument of primality of a committed number and, as a consequence, a zero-knowledge argument that an RSA modulus n consists of two safe primes. Th... |

42 |
H.C.: ‘A p + 1 method of factoring
- WILLIAMS
(Show Context)
Citation Context ...e probability that (p − 1)/2, (p +1)/2, (q − 1)/2, and (q +1)/2 have a large prime factor is overwhelming. This is sufficient protection against the Pollard p − 1 and Williams p + 1 factoring methods =-=[32,38]-=-. Moreover, an efficient proof that an arbitrarily generated RSA modulus is not weak without revealing its factors seems to be hard to obtain as various conditions have to be checked (e.g., see [1]).s... |

40 | A group signature scheme based on an RSA-variants
- Camenisch, Michels
- 1998
(Show Context)
Citation Context |

34 |
A practical and provably secure scheme for publicly verifiable secret sharing and its applications
- Fujisaki, Okamoto
(Show Context)
Citation Context ...on to binary challenges can be dropped if the order of the group is not known to the prover (e.g., if a subgroup of an RSA-ring is used) and when believing in the non-standard strong RSA-assumption 2 =-=[18,19]-=-. Although we describe our protocols in the following in the setting where the group’s order is known to the prover, all protocols can easily be adapted to the case where the prover does not know the ... |

33 |
Demonstrating Possession of a Discrete Logarithm without Revealing It
- Chaum, Evertse, et al.
- 1987
(Show Context)
Citation Context ...nowledge protocols for proving knowledge of and about discrete logarithms and introduce our notation for such protocols. Proving the knowledge of a discrete logarithm x of a group element y toabase g =-=[13,35]-=-. The prover chooses a random r ∈R ZQ and computes t := g r and sends t to the verifier. The verifier picks a random challenge c ∈R {0, 1} k and sends it to the prover. The prover computes s := r − cx... |

32 | Practical Zero-Knowledge Proofs: Giving Hints and Using Deficiencies
- Boyar, Friedl, et al.
- 1990
(Show Context)
Citation Context ... de Graaf and Peralta [37] provide an efficient proof that a given integer n is of the form n = p r q s ,wherer and s are odd, p and q are primes and p ≡ q ≡ 3 (mod 4). A protocol due to Boyar et al. =-=[2]-=- allows to prove that a number n is square-free, i.e., there is no prime p with p|n such that p 2 |n. Hence, if both properties are proved, it follows that n is the product of two primes p and q, wher... |

29 |
A Simple and Secure Way to Show the Validity of Your Public Key
- Graaf, Peralta
- 1988
(Show Context)
Citation Context ...bining our techniques with known results which are described in the next paragraph. A number of protocols for proving properties of composite numbers are found in literature. Van de Graaf and Peralta =-=[37]-=- provide an efficient proof that a given integer n is of the form n = p r q s ,wherer and s are odd, p and q are primes and p ≡ q ≡ 3 (mod 4). A protocol due to Boyar et al. [2] allows to prove that a... |

27 | An E±cient Non-Interactive Statistical Zero-Knowledge Proof System for Quasi-Safe Prime Products
- Gennaro, Micciancio, et al.
- 1998
(Show Context)
Citation Context ...ith p|n such that p 2 |n. Hence, if both properties are proved, it follows that n is the product of two primes p and q, wherep ≡ q ≡ 3 (mod 4). This result was recently strengthened by Gennaro et al. =-=[22]-=- who present a proof system for showing that a number n (satisfying certain side-conditions) is the product of quasi-safe primes, i.e., primes p and 1 However, it is unnecessary to explicitly add this... |

24 | How to Prove All NP Statements in Zero-Knowledge and a Methodology of Cryptographic
- Goldreich, Micali, et al.
- 1987
(Show Context)
Citation Context ...1)/2 have a large prime factor that is between 100 and 120 bit [39] 1 . Previously, the only way known to prove such properties was applying inefficient general zero-knowledge proof techniques (e.g., =-=[23,5,16]-=-). In this paper we describe an efficient protocol for proving that a committed integer is in fact the modular addition of two committed integer modulo another committed integer without revealing any ... |

22 |
Primality and Cryptography
- Kranakis
- 1986
(Show Context)
Citation Context ...on is due to Lehmann [27] and described in the next subsection. 4.1 Lehmann’s Primality Test Lehmann’s test is variation of the Solovay-Strassen [36] primality test and based on the following theorem =-=[26]-=-: Theorem 3. An odd integer n>1 is prime if and only if ∀a ∈ Z ∗ n : a(n−1)/2 ≡±1 (mod n) and ∃a ∈ Z ∗ n : a(n−1)/2 ≡−1 (mod n) . This theorem suggest the following probabilistic primality test [27]: ... |

21 |
Factoring with Cyclotomic Polynomials
- Bach, Shallit
- 1985
(Show Context)
Citation Context ...r hand, a proof that an arbitrarily generated RSA modulus is not weak without revealing the prime factors seems to be hard to obtain, as an infinite number of conditions have to be checked (e.g., see =-=[1]-=-). 2s(mod n) and gcd(a 2 − 1, n) =1holds. From this it follows that a can only be of order (p − 1)(q − 1)/4 or (p − 1)(q − 1)/2. Let us finally summarize related results on proving properties of compo... |

10 |
Strong RSA keys
- Gordon
- 1984
(Show Context)
Citation Context ... described in the previous section and the costs of protocol of Gennaro et al. [22]. It is obvious how to apply our techniques to get a protocol for proving that n is the product of two strong primes =-=[24]-=- (i.e., (p − 1)/2, (q − 1)/2, (p +1)/2 and (q +1)/2 are primes or have a large prime factor) or, more general, two primes p and q such that Φk(p) andΦk(q) are not smooth, where Φk is the k-th cyclotom... |

10 |
Digital Signatures using Reversible Public Key Cryptography for the Financial Services Industry (rDSA
- 31
- 1998
(Show Context)
Citation Context ...nally, standards such as X9.31 require the modulus to be the product of two primes p and q, where(p − 1)/2, (p +1)/2, (q − 1)/2, and (q +1)/2 have a large prime factor that is between 100 and 120 bit =-=[39]-=- 1 . Previously, the only way known to prove such properties was applying inefficient general zero-knowledge proof techniques (e.g., [23,5,16]). In this paper we describe an efficient protocol for pro... |

7 | R.: A Statistical Limited-Knowledge Proof for Secure RSA Keys
- Liskov, Silverman
- 1998
(Show Context)
Citation Context ... Mao [29] provide protocols for showing that a committed number consists of two large factors, and, recently, Liskov & Silverman describe a proof that a number is a product of two nearly equal primes =-=[28]-=-. 2 Tools In the following we assume a group G = 〈g〉 of large known order Q and a second generator h whose discrete logarithm to the base g is not known. We define the discrete logarithm of y to the b... |

5 |
On primality tests
- Lehmann
(Show Context)
Citation Context ...s willing to expose this information. Examples of such tests are the MillerRabin test [30,33] or the one based on Pocklington’s theorem. A test that does not reveal such information is due to Lehmann =-=[27]-=- and described in the next subsection. 4.1 Lehmann’s Primality Test Lehmann’s test is variation of the Solovay-Strassen [36] primality test and based on the following theorem [26]: Theorem 3. An odd i... |

2 | Verifable Partial Sharing of Integer Factors
- Mao
- 1998
(Show Context)
Citation Context ... which (p − 1)/2 and(q − 1)/2 isaprimepower. However, their protocol can not guarantee that (p − 1)/2 and(q − 1)/2 are indeed primes which is what we are aiming for. Finally, Chan et al. [11] and Mao =-=[29]-=- provide protocols for showing that a committed number consists of two large factors, and, recently, Liskov & Silverman describe a proof that a number is a product of two nearly equal primes [28]. 2 T... |

1 | Revised version available as GTE - Verlag - 1998 |