Removing the Strong RSA Assumption from Arguments over the Integers
SLIDE 1

Removing the Strong RSA Assumption from Arguments over the Integers

Geoffroy Couteau, Thomas Peters, and David Pointcheval

École Normale Supérieure, CNRS, INRIA, PSL Research University

May 2, 2017

SLIDES 2-12

Commitment Schemes over Groups of Unknown Order

A commitment to a message m must be hiding (the commitment reveals nothing about m) and binding (it cannot be opened to two different messages m ≠ m′).

Fujisaki-Okamoto (1997): commitment to m in a group G with |G| unknown. Perfectly hiding, binding under Factorization.

Building block for: Anonymous Credentials, MPC, E-Cash, E-Voting, Range Proofs, Auctions, PPSS, Group Signatures.

Each of these needs a ZKAoK (zero-knowledge argument of knowledge) of an opening of the commitment. Until now the ZKAoK was proved sound under Strong-RSA. This work: sound under RSA.

2 / 7

SLIDES 13-17

Preliminaries on RSA Groups

Z_n^*, with n = pq, p = 2p′ + 1, and q = 2q′ + 1 (safe primes). |QR_n| = (p − 1)(q − 1)/4 = p′q′, unknown without the factorisation of n.

Factoring: given n, find (p, q) with n = p · q.

RSA: given (u, x) with x a fixed public exponent (e.g. x = 65537), find v with u = v^x mod n. Single solution.

Strong-RSA: given u, find any (v, x) with x > 1 and u = v^x mod n. Exponentially many solutions.

SLIDES 18-20

Zero-Knowledge Argument of Knowledge of an Opening

Setting: n = p · q, g, h ∈ QR_n with g = h^α for an α not known to the prover, com = g^m h^r; the prover P knows (m, r).

P → V: com′ = g^y h^s
V → P: e
P → V: z ← em + y, t ← er + s
V checks whether com^e · com′ = g^z h^t.

Soundness. With rewinding (same com′, two challenges e0 ≠ e1 answered by (z0, t0) and (z1, t1)), extract

(m, r) = ((z0 − z1)/(e0 − e1), (t0 − t1)/(e0 − e1)).

Requires inversions over the exponents of G, i.e. dividing by e0 − e1 modulo the unknown order of G!

SLIDES 21-31

Soundness Argument

Reduction from RSA: the RSA challenge is (h, x), and we must find v with v^x = h mod n. The reduction picks α, sets g = h^α, and runs the prover on com = g^m h^r.

Run i: P → V: com′ = g^y h^s; V → P: e_i; P → V: z_i ← e_i m + y, t_i ← e_i r + s.

Rewind P with (e0, e1); with probability ε², com^{e0−e1} = g^{z0−z1} h^{t0−t1}.
Write z = z0 − z1, e = e0 − e1, t = t0 − t1: com^e = g^z h^t, but we cannot divide by e!

Case 1. e | z and e | t. Then com = ±g^{z/e} h^{t/e}: an opening of com.

Case 2. e ∤ z or e ∤ t. Since g = h^α, com^e = g^z h^t = h^{αz+t}.
[DF02]: with probability 1/2, e ∤ αz + t.
Shamir's gcd trick: let d = gcd(e, αz + t) and π = e/d > 1. From com^e = h^{αz+t} we get com^π = ±h^{(αz+t)/d}; since gcd(π, (αz+t)/d) = 1 there are integers a, b with aπ + b · (αz+t)/d = 1, so v = h^a com^b satisfies v^π = ±h.
This solves a Strong RSA challenge with exponent π.

Core observation: π can't be too large.

SLIDES 32-36

Soundness Argument (continued)

Suppose π > 8/ε.
Rewind P with (e0, e1, e2); with probability ε³, com^e = g^z h^t and com^{e′} = g^{z′} h^{t′}, where (e′, z′, t′) are the differences for the second pair of transcripts. Combining the two relations gives g^a = h^b for integers a, b computed from (e, z, t, e′, z′, t′).
g^a = h^b factors n unless a = b = 0: with g = h^α it gives h^{αa−b} = 1, a multiple of the (secret) order of h.
If a = b = 0, then π = π′, where π′ = e′/gcd(e′, αz′ + t′) divides e′. As e′ is random, Pr[π = π′] ≤ Pr[π divides e′] = O(ε).
So for π > 8/ε the reduction factors n with 1/poly probability.
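The step "→ g^a = h^b" above, carried through with the slides' symbols as an added derivation (it is not on the slides; labelling the differences of the second transcript pair (e′, z′, t′) is this derivation's choice):

$$
\begin{aligned}
\mathrm{com}^{e} = g^{z} h^{t},\quad \mathrm{com}^{e'} = g^{z'} h^{t'}
&\;\Longrightarrow\; \mathrm{com}^{e e'} = g^{z e'} h^{t e'} = g^{z' e} h^{t' e} \\
&\;\Longrightarrow\; g^{\,z e' - z' e} = h^{\,t' e - t e}, \qquad a := z e' - z' e,\quad b := t' e - t e .
\end{aligned}
$$

With g = h^α this reads h^{αa − b} = 1, so the order of h divides αa − b. Unless αa − b = 0 this is a non-zero multiple of p′q′ (for an h of full order), from which the reduction factors n; the case αa − b = 0 with (a, b) ≠ (0, 0) would require the prover's responses to hit the hidden α, so the slide's "unless a = b = 0" is the case that matters. If a = b = 0 then z e′ = z′ e and t e′ = t′ e, hence

$$
\frac{\alpha z + t}{e} = \frac{\alpha z' + t'}{e'} ,
$$

and the denominators of this rational number in lowest terms are π = e/gcd(e, αz + t) and π′ = e′/gcd(e′, αz′ + t′), so π = π′.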

SLIDES 37-39

Soundness Argument (conclusion)

Hence π ≤ 8/ε. A random small RSA challenge exponent x is equal to π with O(ε) probability, and then v^x = ±h answers the RSA challenge (h, x).

Altogether: the simulator either gets an opening (m, r) of com, or solves RSA with O(ε³) probability.
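A runnable walk-through of the RSA-group setup (SLIDES 13-17), the argument of knowledge (SLIDES 18-20) and the two-transcript extractor with its Case 1 / Case 2 split and Shamir's gcd trick (SLIDES 21-31). It is an added example, not code from the paper or its authors. Parameters are toy-sized (safe primes in the thousands; real deployments use safe primes of about 1024 bits), the names K, SEED, ORDER, honest_prover, order_reducing_prover and extract are this example's own, and the dishonest prover is an assumption of the example: it knows |QR_n| and reduces its answers modulo it, which is more than a real adversary can do but is the simplest way to produce accepting transcripts for which e ∤ z. The honest prover always lands in Case 1 and the extractor recovers (m, r); the order-reducing prover lands in Case 2 and the extractor instead outputs (v, π) with v^π = h, the Strong-RSA solution of the slides (the ± disappears here because com lies in the subgroup generated by h).

```python
"""Added example (not from the slides): Fujisaki-Okamoto commitments over QR_n,
the Sigma-protocol of knowledge of an opening, and the rewinding extractor with
Case 1 (exact division over Z) and Case 2 (Shamir's gcd trick). Toy parameters."""
import random
from math import gcd

K = 10        # challenge length in bits (toy); the argument below needs 2^K < p', q'
SEED = 2017   # fixed seed so the run is reproducible

def is_prime(x):
    """Trial division; fine for the toy sizes used here."""
    if x < 2 or (x % 2 == 0 and x != 2):
        return False
    return all(x % d for d in range(3, int(x ** 0.5) + 1, 2))

def next_safe_prime(start):
    """Smallest p >= start with p and p' = (p - 1)/2 both prime."""
    p = start | 1
    while not (is_prime(p) and is_prime((p - 1) // 2)):
        p += 2
    return p

def egcd(a, b):
    """Extended Euclid for any integers: (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return abs(a), (1 if a >= 0 else -1), 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

# Setup: n = pq with safe primes p = 2p'+1, q = 2q'+1, so |QR_n| = p'q'.
rng = random.Random(SEED)
p, q = next_safe_prime(3000), next_safe_prime(5000)   # constructed toy primes
n = p * q
ORDER = ((p - 1) // 2) * ((q - 1) // 2)                # p'q': secret in a real setup
h = 1
while h == 1 or gcd(h, n) != 1:
    h = pow(rng.randrange(2, n), 2, n)                  # h <- QR_n (the RSA challenge base)
alpha = rng.randrange(1, n)                             # reduction's trapdoor, g = h^alpha
g = pow(h, alpha, n)

def commit(m, r):
    """com = g^m h^r mod n; pow() accepts negative exponents for units mod n."""
    return (pow(g, m, n) * pow(h, r, n)) % n

def verify(com, com1, e, z, t):
    """Verifier: com^e * com' == g^z h^t mod n."""
    return (pow(com, e, n) * com1) % n == commit(z, t)

def honest_prover(m, r):
    """Answers over the integers: z = e*m + y, t = e*r + s."""
    return lambda y, s, e: (e * m + y, e * r + s)

def order_reducing_prover(m, r):
    """Cheating prover (assumed to know |QR_n|) that reduces its answers modulo it:
    transcripts still verify, but z and t are no longer linear in e over Z."""
    return lambda y, s, e: ((e * m + y) % ORDER, (e * r + s) % ORDER)

def extract(com, respond, tries=16):
    """Rewinding extractor: same first message, two challenges e0 != e1.
    Returns ('open', m, r) in Case 1 or ('strong_rsa', v, pi) with v^pi = h in Case 2."""
    for _ in range(tries):
        y, s = rng.randrange(1 << 40), rng.randrange(1 << 40)   # y, s >> e*m, e*r
        com1 = commit(y, s)
        e0, e1 = rng.sample(range(1, 1 << K), 2)
        z0, t0 = respond(y, s, e0)
        z1, t1 = respond(y, s, e1)
        assert verify(com, com1, e0, z0, t0) and verify(com, com1, e1, z1, t1)
        e, z, t = e0 - e1, z0 - z1, t0 - t1
        if e < 0:
            e, z, t = -e, -z, -t
        assert pow(com, e, n) == commit(z, t)      # com^e = g^z h^t, but we cannot divide by e
        if z % e == 0 and t % e == 0:              # Case 1: e | z and e | t
            return "open", z // e, t // e
        w = alpha * z + t                          # Case 2: com^e = h^(alpha z + t)
        d = gcd(e, w)
        pi, w1 = e // d, w // d                    # Shamir: pi = e / gcd(e, alpha z + t)
        if pi == 1:                                # e | alpha z + t: useless pair, rewind again
            continue
        _, a, b = egcd(pi, w1)                     # a*pi + b*w1 = 1 since gcd(pi, w1) = 1
        v = (pow(h, a, n) * pow(com, b, n)) % n    # com^pi = h^w1 (d coprime to |QR_n|), so v^pi = h
        return "strong_rsa", v, pi
    return None

def demo():
    """Honest prover -> its opening; order-reducing prover -> a pi-th root of h."""
    m, r = 42, rng.randrange(1 << 30)
    com = commit(m, r)
    m2, r2 = rng.randrange(ORDER), rng.randrange(ORDER)
    com2 = commit(m2, r2)
    return (com, extract(com, honest_prover(m, r))), (com2, extract(com2, order_reducing_prover(m2, r2)))

if __name__ == "__main__":
    print(demo())
```

The condition 2^K < p′, q′ is what makes Case 1 and Shamir's trick exact here: every e and every d = gcd(e, αz + t) is then coprime to |QR_n|, so an element of the subgroup with u^d = 1 is 1 itself. Shrinking the primes below 2^K breaks that argument, which is the toy-parameter analogue of why the real scheme needs the challenge space to be small relative to p′ and q′.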

SLIDE 40

Applications, Other Contributions, and Open Problems

Applications.

◮ Relations between committed values (e.g. [CM99])
◮ Range proofs ([Lip03])

Other Contributions.

◮ Can convert an FO commitment (integers) into a Gennaro commitment (modulo a small prime)

◮ Allows integer ZK proofs with efficient verification

Open Problems.

◮ Can we build short algebraic RSA-based signatures?


SLIDE 41

Thank you for your attention. Questions?
