## The composite discrete logarithm and secure authentication (2000)

Venue: In Public Key Cryptography

Citations: 18 - 2 self

### BibTeX

@INPROCEEDINGS{Pointcheval00thecomposite,
    author = {David Pointcheval},
    title = {The composite discrete logarithm and secure authentication},
    booktitle = {In Public Key Cryptography},
    year = {2000},
    pages = {113--128}
}

### Abstract

For the two last decades, electronic authentication has been an important topic. The first applications were digital signatures to mimic handwritten signatures for digital documents. Then, Chaum wanted to create an electronic version of money, with similar properties, namely bank certification and users’ anonymity. Therefore, he proposed the concept of blind signatures. For all those problems, and furthermore for online authentication, zero-knowledge proofs of knowledge became a very powerful tool. Nevertheless, high computational load is often the drawback of a high security level. More recently, witness-indistinguishability has been found to be a better property that can conjugate security together with efficiency. This paper studies the discrete logarithm problem with a composite modulus and namely its witness-indistinguishability. Then we offer new authentications more secure than factorization and furthermore very efficient from the prover point of view. Moreover, we significantly improve the reduction cost in the security proofs of Girault’s variants of the Schnorr schemes which validates practical sizes for security parameters. Finally, thanks to the witness-indistinguishability of the basic protocol, we can derive a blind signature scheme with security related to factorization.

### Citations

2912 | A method for obtaining digital signatures and public-key cryptosystems - Rivest, Shamir, et al. - 1978
Citation Context: ... [26] presented some variants of the Schnorr [44] and Guillou-Quisquater [20] identification schemes, therefore related to the discrete logarithm in subgroups of prime order and to the RSA assumption [41] respectively. The Random Oracle Model. For the last years, the so-called “random oracle model” [1] has boosted researches, providing an interesting tool for the designers since it helps to prove the ...

1334 | Random oracles are practical: A paradigm for designing efficient protocols - Bellare, Rogaway - 1993
Citation Context: ..., therefore related to the discrete logarithm in subgroups of prime order and to the RSA assumption [41] respectively. The Random Oracle Model. For the last years, the so-called “random oracle model” [1] has boosted researches, providing an interesting tool for the designers since it helps to prove the security of very efficient schemes. Indeed, this model, where some concrete cryptographic objects a...

1041 | Knowledge Complexity of Interactive Proof Systems - Goldwasser, Rackoff - 1989
Citation Context: ...iciency and security. The reason is the large use of zero-knowledge protocols. Identification. Concerning identification schemes, the first theoretical paper was the famous paper about zero-knowledge [19] which claimed that it was possible to prove the knowledge of a secret without revealing any information about it. Unfortunately, such a property, which guarantees security even against active attacks...

832 | How to Prove Yourself: Practical Solutions to Identification and Signature Problems - Fiat, Shamir - 1986

583 | Efficient Signature Generation by Smart Cards - Schnorr - 1991
Citation Context: ...t not which one. In the following, we focus on this latter property which provides three-pass identification schemes secure against active attacks. Okamoto [26] presented some variants of the Schnorr [44] and Guillou-Quisquater [20] identification schemes, therefore related to the discrete logarithm in subgroups of prime order and to the RSA assumption [41] respectively. The Random Oracle Model. For t...

424 | Blind signatures for untraceable payments - Chaum - 1983
Citation Context: ... three-pass identification scheme into a signature scheme. Therefore, an efficient solution for identification furthermore solves the problem of efficient signatures. Blind Signatures. In 1982, Chaum [8] wanted to create an electronic version of money, with similar properties, namely anonymity. He claimed that a way to do it was to use the notion of electronic coins together with blind signatures. A ...

329 | The exact security of digital signatures - how to sign with rsa and rabin - Bellare, Rogaway - 1996
Citation Context: ...ely the hash functions which are assumed to be really random ones, helped to provide security proofs for many encryption schemes [1, 2, 48, 27, 15, 32, 16, 29, 33] and digital/blind signature schemes [3, 35, 34, 36, 25, 37], etc. In spite of the recent paper [7] making people to be careful with the random oracle model, this latter is widely considered robust since it is more and more used. For example, the encryption sc...

311 | Efficient identification and signatures for smart cards - Schnorr - 1990
Citation Context: ...urity even against active attacks, often requires many iterations to actually reach a high security level and therefore results into inefficient protocols, either from the computational point of view [14, 12, 20, 21, 43, 28, 6, 17] or from the communication load [45, 49, 50, 31], and even both. Recently, a very efficient scheme has been proposed by Poupard and Stern [38], with security relative to the discrete logarithm problem...

310 | Zero-knowledge Proof of Identity - Feige, Fiat, et al. - 1988
Citation Context: ...urity even against active attacks, often requires many iterations to actually reach a high security level and therefore results into inefficient protocols, either from the computational point of view [14, 12, 20, 21, 43, 28, 6, 17] or from the communication load [45, 49, 50, 31], and even both. Recently, a very efficient scheme has been proposed by Poupard and Stern [38], with security relative to the discrete logarithm problem...

280 | Security arguments for digital signatures and blind signatures - Pointcheval, Stern
Citation Context: ...ely the hash functions which are assumed to be really random ones, helped to provide security proofs for many encryption schemes [1, 2, 48, 27, 15, 32, 16, 29, 33] and digital/blind signature schemes [3, 35, 34, 36, 25, 37], etc. In spite of the recent paper [7] making people to be careful with the random oracle model, this latter is widely considered robust since it is more and more used. For example, the encryption sc...

246 | The Random Oracle Methodology, Revisited - Canetti, Goldreich, et al.
Citation Context: ...m ones, helped to provide security proofs for many encryption schemes [1, 2, 48, 27, 15, 32, 16, 29, 33] and digital/blind signature schemes [3, 35, 34, 36, 25, 37], etc. In spite of the recent paper [7] making people to be careful with the random oracle model, this latter is widely considered robust since it is more and more used. For example, the encryption scheme OAEP [2] which is proven secure in...

226 | Untraceable off-line cash in wallets with observers - Brands
Citation Context: ...he user wants to get a coin signed by the bank in such a way that the bank cannot recognize later either the coin nor the signature. He proposed a variation of the RSA signature [41] and later Brands [5] proposed a variation of the Schnorr’s one. Unfortunately, none of those schemes admits any security proof. Excepted some theoretical propositions [9, 30, 22] which are totally impractical, we had to ...

209 | Security proofs for signature schemes - Pointcheval, Stern - 1996
Citation Context: ...ely the hash functions which are assumed to be really random ones, helped to provide security proofs for many encryption schemes [1, 2, 48, 27, 15, 32, 16, 29, 33] and digital/blind signature schemes [3, 35, 34, 36, 25, 37], etc. In spite of the recent paper [7] making people to be careful with the random oracle model, this latter is widely considered robust since it is more and more used. For example, the encryption sc...

207 | Riemann’s hypothesis and tests for primality - Miller - 1976
Citation Context: ...0, 1}. One has just to check the right value for c. y = βα⁻¹ ²One can remark that in the particular case where g is of maximal order λ(N), a multiple of Ord(g) = λ(N) leads to the factorization of N [24]. ⊓⊔ Theorem 6. This protocol is statistically zero-knowledge. Proof. The reader may refer to the Poupard-Stern’s paper [38] or to the proof of witness-indistinguishability presented below. ⊓⊔ However...

204 | Optimal Asymmetric Encryption - How to Encrypt with RSA - Bellare, Rogaway - 1994
Citation Context: ...his model, where some concrete cryptographic objects are idealized, namely the hash functions which are assumed to be really random ones, helped to provide security proofs for many encryption schemes [1, 2, 48, 27, 15, 32, 16, 29, 33] and digital/blind signature schemes [3, 35, 34, 36, 25, 37], etc. In spite of the recent paper [7] making people to be careful with the random oracle model, this latter is widely considered robust si...

200 | A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing both Transmission and Memory - Guillou, Quisquater - 1988
Citation Context: ...urity even against active attacks, often requires many iterations to actually reach a high security level and therefore results into inefficient protocols, either from the computational point of view [14, 12, 20, 21, 43, 28, 6, 17] or from the communication load [45, 49, 50, 31], and even both. Recently, a very efficient scheme has been proposed by Poupard and Stern [38], with security relative to the discrete logarithm problem...

172 | Secure Integration of Asymmetric and Symmetric Encryption Schemes - Fujisaki, Okamoto - 1999
Citation Context: ...his model, where some concrete cryptographic objects are idealized, namely the hash functions which are assumed to be really random ones, helped to provide security proofs for many encryption schemes [1, 2, 48, 27, 15, 32, 16, 29, 33] and digital/blind signature schemes [3, 35, 34, 36, 25, 37], etc. In spite of the recent paper [7] making people to be careful with the random oracle model, this latter is widely considered robust si...

169 | Witness indistinguishable and witness hiding protocols - Feige, Shamir - 1990
Citation Context: ...ern [38], with security relative to the discrete logarithm problem. However, the cost of the reduction is so high that the proof can not validate realistic parameters. Few years ago, Feige and Shamir [13] defined weaker but sufficient properties for secure identification protocols, the “witness-hiding” and the “witness-indistinguishable” properties. They are indeed weaker than the zero-knowledge ...

147 | Provably secure and practical identification schemes and corresponding signature schemes - Okamoto - 1993

136 | An efficient off-line electronic cash system based on the representation problem - Brands - 1993
Citation Context: ..., Okamoto presented efficient three-pass identification schemes [26] provably secure even against active attacks, thanks to witness-indistinguishability. One of them uses the representation problem [4] and is therefore based on the discrete logarithm problem in subgroups of prime order. The second relies on the RSA assumption [41]. However, all of the above schemes remained less efficient than the ...

110 | Self-certified public keys - Girault - 2001

109 | Securing Threshold Cryptosystems against Chosen Ciphertext Attack - Shoup, Gennaro - 2002
Citation Context: ...his model, where some concrete cryptographic objects are idealized, namely the hash functions which are assumed to be really random ones, helped to provide security proofs for many encryption schemes [1, 2, 48, 27, 15, 32, 16, 29, 33] and digital/blind signature schemes [3, 35, 34, 36, 25, 37], etc. In spite of the recent paper [7] making people to be careful with the random oracle model, this latter is widely considered robust si...

102 | A “paradoxical” identity-based signature scheme resulting from zero-knowledge - Guillou, Quisquater - 1988

79 | How to Enhance the Security of Public-key Encryption at Minimum Cost - Fujisaki, Okamoto - 1999

69 | Provably secure blind signature schemes - Pointcheval, Stern - 1996

63 | A new identification scheme based on syndrome decoding - Stern - 1993
Citation Context: ...ns to actually reach a high security level and therefore results into inefficient protocols, either from the computational point of view [14, 12, 20, 21, 43, 28, 6, 17] or from the communication load [45, 49, 50, 31], and even both. Recently, a very efficient scheme has been proposed by Poupard and Stern [38], with security relative to the discrete logarithm problem. However, the cost of the reduction is so high ...

44 | Payment Systems and Credential Mechanisms with Provable Security Against Abuse by Individuals (Extended Abstract) - Damgard - 1988
Citation Context: ...iation of the RSA signature [41] and later Brands [5] proposed a variation of the Schnorr’s one. Unfortunately, none of those schemes admits any security proof. Excepted some theoretical propositions [9, 30, 22] which are totally impractical, we had to wait 1996 to see blind signature schemes [34] provably secure. They were based on the Okamoto [26] witness-indistinguishable protocols, and used the following...

42 | An Efficient Identification Scheme based on Permuted Kernels. CRYPTO - Shamir - 1989
Citation Context: ...ns to actually reach a high security level and therefore results into inefficient protocols, either from the computational point of view [14, 12, 20, 21, 43, 28, 6, 17] or from the communication load [45, 49, 50, 31], and even both. Recently, a very efficient scheme has been proposed by Poupard and Stern [38], with security relative to the discrete logarithm problem. However, the cost of the reduction is so high ...

40 | On concrete security treatment of signatures derived from identification - Ohta, Okamoto - 1998

40 | Fast Signature Generation with a Fiat-Shamir-Like Scheme. Eurocrypt ’90 - Ong, Schnorr

40 | Chosen-ciphertext security for any one-way cryptosystem - Pointcheval

39 | An Interactive Identification Scheme Based on Discrete Logarithms and Factoring - Brickell, McCurley - 1991

38 | Security of blind digital signatures - Juels, Luby, et al. - 1997
Citation Context: ...iation of the RSA signature [41] and later Brands [5] proposed a variation of the Schnorr’s one. Unfortunately, none of those schemes admits any security proof. Excepted some theoretical propositions [9, 30, 22] which are totally impractical, we had to wait 1996 to see blind signature schemes [34] provably secure. They were based on the Okamoto [26] witness-indistinguishable protocols, and used the following...

28 | Security analysis of a practical “on the fly” authentication and signature generation - Poupard, Stern - 1998
Citation Context: ...mal order λ(N), a multiple of Ord(g) = λ(N) leads to the factorization of N [24]. ⊓⊔ Theorem 6. This protocol is statistically zero-knowledge. Proof. The reader may refer to the Poupard-Stern’s paper [38] or to the proof of witness-indistinguishability presented below. ⊓⊔ However, the zero-knowledge property of an interactive proof of knowledge is a too strong property for identification purpose, and ...

26 | A new identification scheme based on the perceptrons problem - Pointcheval - 1995
Citation Context: ...ns to actually reach a high security level and therefore results into inefficient protocols, either from the computational point of view [14, 12, 20, 21, 43, 28, 6, 17] or from the communication load [45, 49, 50, 31], and even both. Recently, a very efficient scheme has been proposed by Poupard and Stern [38], with security relative to the discrete logarithm problem. However, the cost of the reduction is so high ...

25 | Designing identification schemes with keys of short size - Stern - 1994

24 | New public key cryptosystem based on the dependent RSA problem - Pointcheval

22 | On the Length of Cryptographic Hash-Values used in Identification Schemes - Girault, Stern - 1994
Citation Context: ... hundreds of bits, provided S ≥ 2 · Ord(g) (namely 160 bits to avoid baby steps–giant steps attacks [46]). Furthermore, the communication load can be optimized using the Girault and Stern’s technique [18] as it is presented on Figure 2. Indeed, a hash function that returns 80-bit digests requires 2^64 computations to expect a 5-collision. Then, with a k + 3-bit challenge, the security level remains 2 ...

20 | On the security of a practical identification scheme - Shoup - 1999
Citation Context: ... = (s/s′)^e mod N. For a large enough prime e, Bezout’s equality provides the e-th root of a modulo N. Otherwise, if e is a power of two and N a Blum integer, we can get the factorization of N (cf. [28, 47]). Later, another well-known witness-indistinguishable problem has been used [36], the modular square root: f_N(x) = x^2 mod N for any 0 ≤ x ≤ N/2, where f_N(x) = f_N(y) ⟹ gcd(N, x − y) ∈ {factors of ...

17 | On the fly signatures based on factoring - Poupard, Stern - 1999
Citation Context: ... also requires many iterations for a high level of security, and moreover uses an expansive reduction which can only validate large, and impractical, parameters. They recently improved their reduction [39, 40], making security just relative to factorization. It is also the direction taken in the present work. Concerning signatures, thanks to the Pointcheval–Stern’s [37] and Ohta–Okamoto’s [25] papers, one...

16 | EPOC: Efficient Probabilistic Public-Key Encryption. Submission to - Okamoto, Uchiyama, et al. - 1998

15 | Efficient public key cryptosystems provably secure against active adversaries - Paillier, Pointcheval - 1999

13 | On the Security of the Schnorr Scheme Using Preprocessing - Rooij - 1991
Citation Context: ...urity level against active attacks implies a high communication cost and either large memory for storing precomputations or high computation load, since no secure preprocessing has ever been proposed [10, 11]. Nevertheless, many applications assume its security even with the basic three-pass protocol, using large challenges. Such a security would rely on the unproven assumption that this scheme is “witness...

12 | New blind signatures equivalent to factorization - Pointcheval, Stern - 1997

12 | Short Proofs of Knowledge for Factoring - Poupard, Stern - 2000
Citation Context: ... also requires many iterations for a high level of security, and moreover uses an expansive reduction which can only validate large, and impractical, parameters. They recently improved their reduction [39, 40], making security just relative to factorization. It is also the direction taken in the present work. Concerning signatures, thanks to the Pointcheval–Stern’s [37] and Ohta–Okamoto’s [25] papers, one...

9 | On Schnorr’s preprocessing for digital signature schemes - Rooij - 1997
Citation Context: ...urity level against active attacks implies a high communication cost and either large memory for storing precomputations or high computation load, since no secure preprocessing has ever been proposed [10, 11]. Nevertheless, many applications assume its security even with the basic three-pass protocol, using large challenges. Such a security would rely on the unproven assumption that this scheme is “witness...

8 | How to Break and Repair a 'Provably Secure' Untraceable Payment System - Pfitzmann, Waidner - 1991
Citation Context: ...iation of the RSA signature [41] and later Brands [5] proposed a variation of the Schnorr’s one. Unfortunately, none of those schemes admits any security proof. Excepted some theoretical propositions [9, 30, 22] which are totally impractical, we had to wait 1996 to see blind signature schemes [34] provably secure. They were based on the Okamoto [26] witness-indistinguishable protocols, and used the following...