safe primes
Recently Published Documents


Total documents: 9 (five years: 0)
H-index: 3 (five years: 0)

2020 ◽  
Vol 1 (11) ◽  
pp. 23-31
Author(s):  
Nguyễn Thanh Sơn

Abstract—The generation of “safe” primes p, where all prime divisors of p-1 other than 2 are large prime divisors, is essential to avoid the small subgroup attacks pointed out by the two authors Chae Hoon Lim and Pil Joong Lee. An existing algorithm for generating such primes has also been presented by these two authors. However, the drawback of that method is that the algorithm does not always return a safe prime. Part of the reason for this is that the algorithm has not been (and can hardly be) thoroughly analyzed and evaluated mathematically. Therefore, the main purpose of this paper is to propose a new algorithm for generating safe primes, together with detailed mathematical evaluations.


2017 ◽  
Vol 09 (06) ◽  
pp. 1750080
Author(s):  
Pinkimani Goswami ◽  
Madan Mohan Singh ◽  
Bubu Bhuyan

At Eurocrypt ’99, Paillier showed a cryptographic application of the group [Formula: see text], the multiplicative group modulo [Formula: see text] where [Formula: see text] is some RSA modulus. In this paper, we present a new public key cryptosystem over [Formula: see text] where [Formula: see text] is a product of two safe primes, which is based on two intractable problems, namely integer factorization and the partial discrete logarithm problem over [Formula: see text], the group of quadratic residues modulo [Formula: see text]. This scheme is a combination of the BCP (Bresson–Catalano–Pointcheval) cryptosystem, proposed by Bresson et al. at Asiacrypt ’03, and the Rabin–Paillier scheme proposed by Galindo et al. at PKC 2003. We will show that the one-wayness of this new scheme equally depends on the Computational Diffie–Hellman assumption and the factoring assumption. We will also prove that the proposed scheme is more secure than the BCP cryptosystem and the Rabin–Paillier cryptosystem.


2013 ◽  
Vol 7 (4) ◽  
Author(s):  
Joachim von zur Gathen ◽  
Igor E. Shparlinski

2008 ◽  
Author(s):  
R. Durán Díaz ◽  
J. Muñoz Masqué

2000 ◽  
Vol 7 (30) ◽  
Author(s):  
Ivan B. Damgård ◽  
Maciej Koprowski

We propose a threshold RSA scheme which is as efficient as the fastest previous threshold RSA scheme (by Shoup), but where two assumptions needed in Shoup's and in previous schemes can be dropped, namely that the modulus must be a product of safe primes and that a trusted dealer generates the keys.


1998 ◽  
Vol 5 (29) ◽  
Author(s):  
Jan Camenisch ◽  
Markus Michels

This paper presents the first efficient statistical zero-knowledge protocols to prove statements such as:
A committed number is a pseudo-prime.
A committed (or revealed) number is the product of two safe primes, i.e., primes p and q such that (p - 1)/2 and (q - 1)/2 are primes as well.
A given value is of large order modulo a composite number that consists of two safe prime factors.

So far, no methods other than inefficient circuit-based proofs are known for proving such properties. Proving the second property is for instance necessary in many recent cryptographic schemes that rely on both the hardness of computing discrete logarithms and the difficulty of computing roots modulo a composite.

The main building blocks of our protocols are statistical zero-knowledge proofs that are of independent interest. Mainly, we show how to prove the correct computation of a modular addition, a modular multiplication, or a modular exponentiation, where all values including the modulus are committed but not publicly known. Apart from the validity of the computation, no other information about the modulus (e.g., a generator whose order equals the modulus) or any other operand is given. Our technique can be generalized to prove in zero-knowledge that any multivariate polynomial equation modulo a certain modulus is satisfied, where only commitments to the variables of the polynomial and a commitment to the modulus must be known. This improves previous results, where the modulus is publicly known.

We show how a prover can use these building blocks to convince a verifier that a committed number is prime. This finally leads to efficient protocols for proving that a committed (or revealed) number is the product of two safe primes. As a consequence, it can be shown that a given value is of large order modulo a given number that is a product of two safe primes.

Keywords. RSA-based protocols, zero-knowledge proofs of knowledge, primality tests.

