A Key Recovery System as Secure as Factoring

  • Adam Young
  • Moti Yung
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2964)


There has been a lot of recent work in the area of proving in zero-knowledge that an RSA modulus N is in the correct form. For example, protocols have been given that prove that N is the product of: two safe primes, two primes nearly equal in size, etc. Such proof systems are rather remarkable in what they achieve, but may be regarded as being heavyweight protocols due to the computational and messaging overhead they impose. In this paper an efficient zero-knowledge protocol is given that simultaneously proves that N is a Blum integer and that its factorization is recoverable. The proof system requires that the RSA primes p and q be such that p ≡ q ≡ 3 mod 4 and another sematically secure encryption. The solution is therefore amenable for use with systems based on PKCS #1. A proof is given that shows that our algorithm is secure under the integer factorization problem (and can be turned into a non-interactive roof in the random oracle model).


RSA Rabin Blum integer quadratic residue pseudosquare zero-knowledge public key cryptography PKCS #1 semantic Security chosen ciphertext security standard compatibility key recovery 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Boyar, J., Friedl, K., Lund, C.: Practical Zero-Knowledge Proofs: Giving Hints and Using Deficiencies. Journal of Cryptology (1991)Google Scholar
  2. 2.
    Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: Proc. First Annual Conference on Computer and Communications Security, pp. 62–73. ACM, New York (1993) (on-line version dated October 20, 1995)CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Rogaway, P.: Optimal Asymmetric Encryption- How to Encrypt with RSA. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  4. 4.
    Bach, E., Sorenson, J.: Sive Algorithms for Perfect Power Testing. Algorithmica 9, 313–328 (1993)zbMATHCrossRefMathSciNetGoogle Scholar
  5. 5.
    Camenisch, J., Damgaard, I.: Verifiable encryption, group encryption, and their applications to separable group signatures and signature sharing schemes. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, p. 331. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  6. 6.
    Camenisch, J., Michels, M.: Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, p. 107. Springer, Heidelberg (1999)Google Scholar
  7. 7.
    Camenisch, J., Shoup, V.: Practical Verifiable Encryption and Decryption of Discrete Logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. 8.
    Fujisaki, E., Okamoto, T.: A Practical and Provably Secure Scheme for Publicly Verifiable Secret Sharing and Its Applications. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 32–46. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  9. 9.
    Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: RSA-OAEP is Secure under the RSA Assumption. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 260–274. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  10. 10.
    Goldwasser, S., Micali, S., Rackoff, C.: The Knowledge Complexity of Interactive Proof Systems. SIAM Journal on Computing 18, 186–208 (1989)zbMATHCrossRefMathSciNetGoogle Scholar
  11. 11.
    Gennaro, R., Micciancio, D., Rabin, T.: An Efficient Non-Interactive Statistical Zero-Knowledge Proof System for Quasi-Safe Prime Products. In: The 5th ACM Conference on Computer and Communications Security (1998)Google Scholar
  12. 12.
    Goldreich, O.: Introduction to Complexity Theory: Non-Uniform Polynomial Time - P/poly. Lecture number 8, Goldreich’s web page at
  13. 13.
    Goldreich, O.: Modern Cryptography, Probabilistic Proofs and Pseudo-randomness. Appendix A.2, p. 113. Springer, Heidelberg (1999)Google Scholar
  14. 14.
    Goldreich, O.: Introduction. In: Foundations of Cryptography, ch. 1, February 27 (1998)Google Scholar
  15. 15.
    Goldreich, O.: Fragments of a chapter on Encryption Schemes, ch. 5, sec. 2, February 10 (2002)Google Scholar
  16. 16.
    van de Graaf, J., Peralta, R.: A simple and secure way to show the validity of your public key. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 128–134. Springer, Heidelberg (1988)Google Scholar
  17. 17.
    Liskov, M., Silverman, R.: A Statistical Limited-Knowledge Proof for Secure RSA Keys. Submitted to IEEE P1363 working groupGoogle Scholar
  18. 18.
    Luby, M.: Pseudorandomness and Cryptographic Applications, p. 4. Princeton University Press, Princeton (1996)zbMATHGoogle Scholar
  19. 19.
    Menezes, A., Orschoot, P., Vanstone, S.: Handbook of Applied Cryptography, p. 89. CRC Press, Boca Raton (1997)zbMATHGoogle Scholar
  20. 20.
    Naccache, D., Stern, J.: A new candidate trapdoor function. In: 5th ACM Symposium on Computer and Communications Security (1998)Google Scholar
  21. 21.
    Okamoto, T., Uchiyama, S.: An efficient public-key cryptosystem. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 308–318. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  22. 22.
    PKCS #1-RSA Cryptography Standard, version 2.1, available from
  23. 23.
    Paillier, P.: Public Key Cryptosystems based on Composite Degree Residuosity Classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)Google Scholar
  24. 24.
    Poupard, G., Stern, J.: Fair Encryption of RSA Keys. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, p. 172. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  25. 25.
    Rabin, M.: Digitalized signatures and public-key functions as intractable as factorization, TR-212, MIT Laboratory for Computer Science (January 1979)Google Scholar
  26. 26.
    Ross, S.: A First Course in Probability Theory, 4th edn., p. 126. Prentice-Hall, Englewood Cliffs (1994)Google Scholar
  27. 27.
    Rivest, R., Shamir, A., Adleman, L.: A method for obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM 21(2), 120–126 (1978)zbMATHCrossRefMathSciNetGoogle Scholar
  28. 28.
    Shoup, V.: OAEP Reconsidered. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 239. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  29. 29.
    Young, A., Yung, M.: Auto-Recoverable and Auto-certifiable cryptosystems with RSA or factoring based keys. United States Patent 6,389,136. Filed September 17 (1997) (Issued May 14, 2002)Google Scholar
  30. 30.
    Young, A., Yung, M.: Auto-Recoverable Auto-Certifiable Cryptosystems. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 17–31. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  31. 31.
    Young, A., Yung, M.: Auto-Recoverable Auto-Certifiable Cryptosystems (a survey). In: Baumgart, R. (ed.) CQRE 1999. LNCS, vol. 1740, p. 204. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  32. 32.
    Young, A., Yung, M.: RSA Based Auto-Recoverable Cryptosystems. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 326–341. Springer, Heidelberg (2000)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Adam Young
    • 1
  • Moti Yung
    • 2
  1. 1.Cigital Labs 
  2. 2.Dept. of Computer ScienceColumbia University 

Personalised recommendations