## Efficient proofs that a committed number lies in an interval (2000)

Citations: 155 (0 self)

### BibTeX

@INPROCEEDINGS{Boudot00efficientproofs,
  author = {Fabrice Boudot},
  title = {Efficient proofs that a committed number lies in an interval},
  booktitle = {},
  year = {2000},
  pages = {431--444},
  publisher = {Springer Verlag}
}

### Abstract

Abstract. Alice wants to prove that she is young enough to borrow money from her bank, without revealing her age. She therefore needs a tool for proving that a committed number lies in a specific interval. Up to now, such tools were either inefficient (too many bits to compute and to transmit) or inexact (i.e. proved membership to a much larger interval). This paper presents a new proof, which is both efficient and exact. Here, “efficient” means that there are less than 20 exponentiations to perform and less than 2 Kbytes to transmit. The potential areas of application of this proof are numerous (electronic cash, group signatures, publicly verifiable secret encryption, etc...).

### Citations

1384 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation Context: ... – soundness: A cheating prover can succeed with probability less than $1 - (1 - 2^{-89})^{512} < 2^{-80}$. – zero-knowledge: Perfectly zero-knowledge in the random-oracle model defined in [3]. – what is proven: $x \in [0, 2^k - 1]$. – expansion rate: $1 \le \delta < 2$ (can be decreased to 1 by proving that both $x$ and $b - x$ are $k$-bit numbers). – length of the proof: 1,612,800 bits = 196.9 kB. 1.2.2 BC...

860 | How to Prove Yourself: Practical Solution to Identification and
- Fiat, Shamir
Citation Context: ...0, b], where r is randomly selected over $\mathbb{Z}_p^*$. For simplicity, we present an interactive version of the protocol which can be easily turned into a non-interactive one using the Fiat-Shamir heuristic [15]. Protocol: $PK_{[BCDG]}(x, r : E = E(x, r) \wedge x \in [-b, 2b])$. Run $t$ times in parallel: 1. Alice picks random $\omega_1 \in_R [0, b]$ and sets $\omega_2 = \omega_1 - b$. She also randomly selects $\eta_1 \in_R [0, q - 1]$ and $\eta_2 \in_R [0, q$ ...

599 | Efficient signature generation by smart cards
- Schnorr
- 1991
Citation Context: ... Results In this subsection, we present three existing proofs of membership to an interval. They are based on zero-knowledge proofs of knowledge of a discrete logarithm either modulo a prime (Schnorr [19]) or a composite number (Girault [16]). 1.2.1 Classical Proof [17] This protocol proves that a committed number $x \in I = [0, b]$ belongs to $I = [0, 2^k - 1]$, where the binary length of $b$ is $k$. Let p be ...

310 | Wallet databases with observers
- Chaum, Pedersen
Citation Context: ...e to Bob that she knows $x, r_1, r_2$ such that $E = E_1(x, r_1)$ and $F = E_2(x, r_2)$, i.e. that $E$ and $F$ hide the same secret $x$. This protocol is derived from proofs of equality of two discrete logarithms from [6, 12, 1], combined with a proof of knowledge of a discrete logarithm modulo n [16]. Protocol: $PK(x, r_1, r_2 : E = E_1(x, r_1) \wedge F = E_2(x, r_2))$. 1...

163 | A new public-key cryptosystem as secure as factoring
- Okamoto, Uchiyama
Citation Context: ...ryption scheme. Alice has sent two encrypted messages to Charlie and Deborah, and wants to prove to Bob that the two ciphertexts encrypt the same message. Charlie and Deborah use the Okamoto-Uchiyama [18] cryptosystem, i.e. Charlie holds a composite number $n_C = p_C^2 q_C$ ($|p_C| = |q_C| = k$), an element $g_C \in \mathbb{Z}_{n_C}^*$ such that the order of $g_C^{p_C - 1} \bmod p_C^2$ is $p_C$, and Deborah holds a composite such that the ord...

132 | Statistical Zero Knowledge Protocols to Prove Modular
- Fujisaki, Okamoto
- 1997
Citation Context: ...ind of proofs are intensively used in several schemes: electronic cash systems [7], group signatures [11], publicly verifiable secret sharing schemes [17, 4], and other zero-knowledge protocols (e.g. [13, 10]). Nowadays, there exist two methods to prove that a committed integer is in a specific interval: – the first one (see e.g. [17]) allows to prove that the bit-length of the committed number is less or...

124 | Proving in zero-knowledge that a number n is the product of two safe primes
- Camenisch, Michels
- 1999
Citation Context: ...ind of proofs are intensively used in several schemes: electronic cash systems [7], group signatures [11], publicly verifiable secret sharing schemes [17, 4], and other zero-knowledge protocols (e.g. [13, 10]). Nowadays, there exist two methods to prove that a committed integer is in a specific interval: – the first one (see e.g. [17]) allows to prove that the bit-length of the committed number is less or...

113 | Self-Certified Public Keys
- Girault
- 1991
Citation Context: ...nt three existing proofs of membership to an interval. They are based on zero-knowledge proofs of knowledge of a discrete logarithm either modulo a prime (Schnorr [19]) or a composite number (Girault [16]). 1.2.1 Classical Proof [17] This protocol proves that a committed number $x \in I = [0, b]$ belongs to $I = [0, 2^k - 1]$, where the binary length of $b$ is $k$. Let p be a large prime number, let q such that...

77 | Separability and efficiency for generic group signature schemes
- Camenisch, Michels
- 1999
Citation Context: ...checking whether a committed integer lies in a specific interval was first developed in [2]. Such kind of proofs are intensively used in several schemes: electronic cash systems [7], group signatures [11], publicly verifiable secret sharing schemes [17, 4], and other zero-knowledge protocols (e.g. [13, 10]). Nowadays, there exist two methods to prove that a committed integer is in a specific interval:...

71 | Easy come - easy go divisible cash
- Chan, Frankel, et al.
- 1998
Citation Context: ...roduction The idea of checking whether a committed integer lies in a specific interval was first developed in [2]. Such kind of proofs are intensively used in several schemes: electronic cash systems [7], group signatures [11], publicly verifiable secret sharing schemes [17, 4], and other zero-knowledge protocols (e.g. [13, 10]). Nowadays, there exist two methods to prove that a committed integer is ...

39 | A group signature scheme based on an RSA-variant
- Camenisch, Michels
- 1998
Citation Context: ...1 $\| W_2$). 3. She computes $D = \omega + cx$, $D_1 = \eta_1 + c r_1$, $D_2 = \eta_2 + c r_2$ (in $\mathbb{Z}$) and sends $(c, D, D_1, D_2)$ to Bob. 4. Bob checks whether $c = H(g_1^{D} h_1^{D_1} E^{-c} \bmod n \,\|\, g_2^{D} h_2^{D_2} F^{-c} \bmod n)$. It is shown in [9] that a successful execution of this protocol convinces Bob that the numbers hidden in E and F are equal provided the Strong RSA problem is infeasible. Characteristics of this proof: For |n| = 1024 bi...

31 | A practical and provably secure scheme for publicly verifiable secret sharing and its applications
- Fujisaki, Okamoto

30 | de Graaf, Gradual and verifiable release of a secret, in
- Brickell, Chaum, et al.
- 1988
Citation Context: ...lectronic cash, group signatures, publicly verifiable secret encryption, etc...). 1 Introduction The idea of checking whether a committed integer lies in a specific interval was first developed in [2]. Such kind of proofs are intensively used in several schemes: electronic cash systems [7], group signatures [11], publicly verifiable secret sharing schemes [17, 4], and other zero-knowledge protocol...

22 | An improved protocol for demonstrating possession of discrete logarithms and some generalizations", Eurocrypt '87, LNCS 304
- Chaum, Evertse, et al.
Citation Context: ...e to Bob that she knows $x, r_1, r_2$ such that $E = E_1(x, r_1)$ and $F = E_2(x, r_2)$, i.e. that $E$ and $F$ hide the same secret $x$. This protocol is derived from proofs of equality of two discrete logarithms from [6, 12, 1], combined with a proof of knowledge of a discrete logarithm modulo n [16]. Protocol: $PK(x, r_1, r_2 : E = E_1(x, r_1) \wedge F = E_2(x, r_2))$. 1...

17 | An efficient verifiable encryption scheme for encryption of discrete logarithms
- Bao
- 1998
Citation Context: ...e to Bob that she knows $x, r_1, r_2$ such that $E = E_1(x, r_1)$ and $F = E_2(x, r_2)$, i.e. that $E$ and $F$ hide the same secret $x$. This protocol is derived from proofs of equality of two discrete logarithms from [6, 12, 1], combined with a proof of knowledge of a discrete logarithm modulo n [16]. Protocol: $PK(x, r_1, r_2 : E = E_1(x, r_1) \wedge F = E_2(x, r_2))$. 1...

16 | Efficient Publicly Verifiable Secret Sharing Schemes with Fast or Delayed Recovery
- Boudot, Traor
- 1999
Citation Context: ...ecific interval was first developed in [2]. Such kind of proofs are intensively used in several schemes: electronic cash systems [7], group signatures [11], publicly verifiable secret sharing schemes [17, 4], and other zero-knowledge protocols (e.g. [13, 10]). Nowadays, there exist two methods to prove that a committed integer is in a specific interval: – the first one (see e.g. [17]) allows to prove tha...

15 | Guaranteed correct sharing of integer factorization with off-line shareholders
- Mao
- 1998
Citation Context: ...ecific interval was first developed in [2]. Such kind of proofs are intensively used in several schemes: electronic cash systems [7], group signatures [11], publicly verifiable secret sharing schemes [17, 4], and other zero-knowledge protocols (e.g. [13, 10]). Nowadays, there exist two methods to prove that a committed integer is in a specific interval: – the first one (see e.g. [17]) allows to prove tha...

7 | Easy come-easy go divisible cash, Updated version with corrections on the Range Bounded Commitment protocol. Available at http://www.ccs.neu.edu/home/yiannis/pubs.html
- CHAN, FRANCHEL, et al.
Citation Context: ... to prove that the bit-length of the committed number is less or equal to a fixed value $k$, and hence belongs to $[0, 2^k - 1]$. Unfortunately, this method is very inefficient. – the second one (see e.g. [2, 8]) is much more efficient, but the price to pay is that only membership to a much larger interval can be proven. In this paper, we give a new method to prove that a committed number belongs to an inter...
