Removing the Strong RSA Assumption from Arguments over the Integers - PowerPoint PPT Presentation

Removing the Strong RSA Assumption from Arguments over the Integers Geoffroy Couteau , Thomas Peters, and David Pointcheval École Normale Supérieure, CNRS, INRIA, PSL R E S E A R C H U N I V E R S I T Y May 2, 2017

Commitment Schemes over Groups of Unknown Order m 2 / 7

Commitment Schemes over Groups of Unknown Order m 2 / 7

Commitment Schemes over Groups of Unknown Order m Hiding 2 / 7

Commitment Schemes over Groups of Unknown Order m m Binding 2 / 7

Commitment Schemes over Groups of Unknown Order m Fujisaki-Okamoto (1997): m ∈ G , | G | unknown 2 / 7

Commitment Schemes over Groups of Unknown Order m Fujisaki-Okamoto (1997): m ∈ G , | G | unknown Perfectly hiding, binding under Factorization 2 / 7

Commitment Schemes over Groups of Unknown Order m Fujisaki-Okamoto (1997): m ∈ G , | G | unknown Perfectly hiding, binding under Factorization Anonymous Credentials MPC E-Voting E-Cash Group Sig. Range Proofs Auctions PPSS 2 / 7

Commitment Schemes over Groups of Unknown Order m Fujisaki-Okamoto (1997): m ∈ G , | G | unknown Perfectly hiding, binding under Factorization ZKAoK Anonymous Credentials MPC E-Voting E-Cash Group Sig. Range Proofs Auctions PPSS 2 / 7

Commitment Schemes over Groups of Unknown Order m Fujisaki-Okamoto (1997): m ∈ G , | G | unknown Perfectly hiding, binding under Factorization ZKAoK Strong-RSA Anonymous Credentials MPC E-Voting E-Cash Group Sig. Range Proofs Auctions PPSS 2 / 7

Commitment Schemes over Groups of Unknown Order m Fujisaki-Okamoto (1997): m ∈ G , | G | unknown Perfectly hiding, binding under Factorization ZKAoK Strong-RSA Anonymous Credentials MPC E-Voting E-Cash Group Sig. Range Proofs Auctions PPSS 2 / 7

Commitment Schemes over Groups of Unknown Order m Fujisaki-Okamoto (1997): m ∈ G , | G | unknown Perfectly hiding, binding under Factorization ZKAoK This work: RSA Anonymous Credentials MPC E-Voting E-Cash Group Sig. Range Proofs Auctions PPSS 2 / 7

Preliminaries on RSA Groups Z n , with n = pq , p = 2 p ′ + 1, and q = 2 q ′ + 1. | QR [ n ] | = ( p − 1 )( q − 1 ) = p ′ q ′ 4 Z n : Strong-RSA Fact RSA n ( p , q ) ( u , x ) v u ( v , x ) n ? u ? = v x mod n u ? = v x mod n = p · q single solution exp. many solutions 3 / 7

Preliminaries on RSA Groups Z n , with n = pq , p = 2 p ′ + 1, and q = 2 q ′ + 1. | QR [ n ] | = ( p − 1 )( q − 1 ) = p ′ q ′ 4 x Z n : Strong-RSA Fact RSA n ( p , q ) ( u , x ) v u ( v , x ) n ? u ? = v x mod n u ? = v x mod n = p · q single solution exp. many solutions 3 / 7

Preliminaries on RSA Groups Z n , with n = pq , p = 2 p ′ + 1, and q = 2 q ′ + 1. | QR [ n ] | = ( p − 1 )( q − 1 ) = p ′ q ′ 4 x = 65537 Z n : Strong-RSA Fact RSA n ( p , q ) ( u , x ) v u ( v , x ) n ? u ? = v x mod n u ? = v x mod n = p · q single solution exp. many solutions 3 / 7

Preliminaries on RSA Groups Z n , with n = pq , p = 2 p ′ + 1, and q = 2 q ′ + 1. | QR [ n ] | = ( p − 1 )( q − 1 ) = p ′ q ′ 4 x Z n : Strong-RSA Fact RSA n ( p , q ) ( u , x ) v u ( v , x ) n ? u ? = v x mod n u ? = v x mod n = p · q single solution exp. many solutions 3 / 7

Preliminaries on RSA Groups Z n , with n = pq , p = 2 p ′ + 1, and q = 2 q ′ + 1. | QR [ n ] | = ( p − 1 )( q − 1 ) = p ′ q ′ 4 x Z n : Strong-RSA Fact RSA n ( p , q ) ( u , x ) v u ( v , x ) n ? u ? = v x mod n u ? = v x mod n = p · q single solution exp. many solutions 3 / 7

Zero-Knowledge Argument of Knowledge of an Opening n = p · q , � g � = QR [ n ] , h α = g com = g m h r m , r com ′ = g y h s e t , z z ← em + y t ← er + s V checks whether com e com ′ = g z h t . 4 / 7

Zero-Knowledge Argument of Knowledge of an Opening n = p · q , � g � = QR [ n ] , h α = g com = g m h r m , r com ′ = g y h s e t , z z ← em + y t ← er + s V checks whether com e com ′ = g z h t . � � z 0 − z 1 e 0 − e 1 , t 0 − t 1 Soundness. With rewinding, extract ( m , r ) = e 0 − e 1 4 / 7

Zero-Knowledge Argument of Knowledge of an Opening n = p · q , � g � = QR [ n ] , h α = g com = g m h r m , r com ′ = g y h s e t , z z ← em + y t ← er + s V checks whether com e com ′ = g z h t . � � z 0 − z 1 e 0 − e 1 , t 0 − t 1 Soundness. With rewinding, extract ( m , r ) = e 0 − e 1 Requires inversions over the exponents of G ! 4 / 7

Soundness Argument com = g m h r g = h α m , r com ′ = g y h s e t , z z ← em + y t ← er + s 5 / 7

Soundness Argument RSA com = g m h r g = h α ( h , x ) v m , r com ′ = g y h s e 0 t 0 , z 0 z i ← e i m + y t i ← e i r + s 5 / 7

Soundness Argument RSA com = g m h r Rewind P w/ ( e 0 , e 1 ) ; g = h α with pr. ε 2 , ( h , x ) v com e 0 − e 1 = g z 0 − z 1 h t 0 − t 1 m , r com ′ = g y h s e 1 e 0 t 0 , z 0 t 1 , z 1 z i ← e i m + y t i ← e i r + s 5 / 7

Soundness Argument Rewind P w/ ( e 0 , e 1 ) ; RSA com = g m h r g = h α with pr. ε 2 , com e = g z h t , but we ( h , x ) v cannot divide by e ! m , r com ′ = g y h s e 1 e 0 t 0 , z 0 t 1 , z 1 z i ← e i m + y t i ← e i r + s z = z 0 − z 1 , e = e 0 − e 1 , t = t 0 − t 1 5 / 7

Soundness Argument Rewind P w/ ( e 0 , e 1 ) ; RSA com = g m h r g = h α with pr. ε 2 , com e = g z h t , but we ( h , x ) v cannot divide by e ! m , r com ′ = g y h s Case 1. e 1 e | z and e | t e 0 t 0 , z 0 t 1 , z 1 z i ← e i m + y t i ← e i r + s z = z 0 − z 1 , e = e 0 − e 1 , t = t 0 − t 1 5 / 7

Soundness Argument Rewind P w/ ( e 0 , e 1 ) ; RSA com = g m h r g = h α with pr. ε 2 , com e = g z h t , but we ( h , x ) v cannot divide by e ! m , r com ′ = g y h s Case 1. e 1 e | z and e | t e 0 t 0 , z 0 com = ± g z / e h t / e t 1 , z 1 z i ← e i m + y t i ← e i r + s z = z 0 − z 1 , e = e 0 − e 1 , t = t 0 − t 1 5 / 7

Soundness Argument RSA com = g m h r Rewind P w/ ( e 0 , e 1 ) ; g = h α with pr. ε 2 , ( h , x ) v com e = g z h t = h α z + t m , r com ′ = g y h s Case 2. e 1 e 0 t 0 , e ∤ z or e ∤ t z 0 t 1 , z 1 z i ← e i m + y t i ← e i r + s z = z 0 − z 1 , e = e 0 − e 1 , t = t 0 − t 1 5 / 7

Soundness Argument RSA com = g m h r Rewind P w/ ( e 0 , e 1 ) ; g = h α with pr. ε 2 , ( h , x ) v com e = g z h t = h α z + t m , r com ′ = g y h s Case 2. e 1 e 0 t 0 , e ∤ z or e ∤ t z 0 t 1 , [DF02]: With probabil- z 1 ity 1 / 2, e ∤ α z + t . z i ← e i m + y t i ← e i r + s z = z 0 − z 1 , e = e 0 − e 1 , t = t 0 − t 1 5 / 7

Soundness Argument RSA com = g m h r Rewind P w/ ( e 0 , e 1 ) ; g = h α with pr. ε 2 , ( h , x ) v com e = g z h t = h α z + t m , r com ′ = g y h s Case 2. e 1 e 0 t 0 , Shamir’s gcd trick: z 0 t 1 , e / gcd ( e , α z + t ) = π z 1 can find v such that v π = ± h z i ← e i m + y t i ← e i r + s z = z 0 − z 1 , e = e 0 − e 1 , t = t 0 − t 1 5 / 7

Soundness Argument RSA com = g m h r Rewind P w/ ( e 0 , e 1 ) ; g = h α with pr. ε 2 , ( h , x ) v com e = g z h t = h α z + t m , r com ′ = g y h s Case 2. e 1 e 0 t 0 , z 0 Solves a Strong RSA t 1 , z 1 challenge w/ π z i ← e i m + y t i ← e i r + s z = z 0 − z 1 , e = e 0 − e 1 , t = t 0 − t 1 5 / 7

Soundness Argument RSA com = g m h r Rewind P w/ ( e 0 , e 1 ) ; g = h α with pr. ε 2 , ( h , x ) v com e = g z h t = h α z + t m , r com ′ = g y h s Case 2. e 1 e 0 t 0 , z 0 Core observation: t 1 , z 1 π can’t be too large. z i ← e i m + y t i ← e i r + s z = z 0 − z 1 , e = e 0 − e 1 , t = t 0 − t 1 5 / 7

Soundness Argument Rewind P w/ ( e 0 , e 1 , e 2 ) ; RSA com = g m h r with pr. ε 3 , g = h α com e = g z h t , com e ′ = g z ′ h t ′ ( h , x ) v → g a = h b m , r com ′ = g y h s Case 2. e 2 e 1 t 2 e 0 , z 2 t 0 , z 0 t 1 , Suppose π > 8 /ε z 1 z i ← e i m + y t i ← e i r + s z = z 0 − z 1 , e = e 0 − e 1 , t = t 0 − t 1 5 / 7

Soundness Argument Rewind P w/ ( e 0 , e 1 , e 2 ) ; RSA com = g m h r with pr. ε 3 , g = h α com e = g z h t , com e ′ = g z ′ h t ′ ( h , x ) v → g a = h b m , r com ′ = g y h s Case 2. e 2 e 1 t 2 e 0 , z 2 t 0 , z 0 t 1 , Suppose π > 8 /ε z 1 g a = h b factors n unless z i ← e i m + y a = b = 0 t i ← e i r + s z = z 0 − z 1 , e = e 0 − e 1 , t = t 0 − t 1 5 / 7

Soundness Argument Rewind P w/ ( e 0 , e 1 , e 2 ) ; RSA com = g m h r with pr. ε 3 , g = h α com e = g z h t , com e ′ = g z ′ h t ′ ( h , x ) v → g a = h b m , r com ′ = g y h s Case 2. e 2 e 1 t 2 e 0 , z 2 t 0 , z 0 t 1 , Suppose π > 8 /ε z 1 g a = h b factors n unless z i ← e i m + y a = b = 0 π = π ′ � t i ← e i r + s π ′ divides e ′ , e ′ is random Pr [ π = π ′ ] ≤ Pr [ π divides e ′ ] = O ( ε ) 5 / 7

Soundness Argument Rewind P w/ ( e 0 , e 1 , e 2 ) ; RSA com = g m h r with pr. ε 3 , g = h α com e = g z h t , com e ′ = g z ′ h t ′ ( h , x ) v → g a = h b m , r com ′ = g y h s Case 2. e 2 e 1 t 2 e 0 , z 2 t 0 , z 0 t 1 , Suppose π > 8 /ε z 1 g a = h b factors n unless z i ← e i m + y a = b = 0 π = π ′ � t i ← e i r + s 1 Factors n with poly probability 5 / 7