Cryptography in Subgroups of \(\mathbb{Z}_{n}^{*}\)

  • Jens Groth
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3378)


We demonstrate the cryptographic usefulness of a small subgroup of \(\mathbb{Z}_{n}^{*}\) of hidden order. Cryptographic schemes for integer commitment and digital signatures have been suggested over large subgroups of \(\mathbb{Z}_{n}^{*}\); by reducing the order of the groups we obtain quite similar but more efficient schemes. The underlying cryptographic assumption resembles the strong RSA assumption.

We analyze a signature scheme known to be secure against known-message attack and prove that it is secure against adaptive chosen-message attack. This result does not necessarily rely on the use of a small subgroup, but the small subgroup can make the security reduction tighter.

We also investigate the case where \(\mathbb{Z}_{n}^{*}\) has semi-smooth order. Using a new decisional assumption, related to high residuosity assumptions, we suggest a homomorphic public-key cryptosystem.
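The abstract's central object is a subgroup of \(\mathbb{Z}_{n}^{*}\) whose order is small compared to \(\varphi(n)\) but hidden from anyone who does not know the factorisation of \(n\), together with a homomorphic integer commitment computed in that subgroup. The following Python illustration is added here and is not code from the paper: the parameter shape \(p = 2p'r_p + 1\), \(q = 2q'r_q + 1\) with a subgroup of order \(p'q'\), the commitment form \(c = g^m h^r \bmod n\), the function names (`gen_params`, `commit`, `verify_opening`, `combine`, `random_opening`) and the 40-bit statistical slack are all assumptions made for the example, and the bit sizes are toy sizes.

```python
"""Toy hidden-order subgroup of Z_n^* and an integer commitment in it.
Added example, not the paper's code; parameter shape and sizes are assumed."""
import random
from math import gcd


def is_prime(n):
    """Deterministic Miller-Rabin; this base set is exact for n < 3.3e24,
    which covers the toy prime sizes used here."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random odd prime of exactly `bits` bits (toy sizes only)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(cand):
            return cand


def gen_params(sub_bits=20, cofactor_bits=24, seed=1):
    """Toy modulus n = p*q with p = 2*p1*rp + 1, q = 2*q1*rq + 1 (assumed shape)
    and a generator g of the subgroup of order p1*q1.  That order is tiny next
    to phi(n) and stays hidden without the factorisation of n."""
    rng = random.Random(seed)
    p1 = random_prime(sub_bits, rng)
    q1 = random_prime(sub_bits, rng)
    while q1 == p1:
        q1 = random_prime(sub_bits, rng)

    def cofactor_prime(small):
        # Search a cofactor r such that 2*small*r + 1 is prime.
        while True:
            r = rng.getrandbits(cofactor_bits)
            cand = 2 * small * r + 1
            if r > 1 and is_prime(cand):
                return cand, r

    p, rp = cofactor_prime(p1)
    q, rq = cofactor_prime(q1)
    while q == p:
        q, rq = cofactor_prime(q1)
    n = p * q

    # Every element order divides lcm(p-1, q-1), which divides 2*p1*q1*rp*rq,
    # so x^(2*rp*rq) has order dividing p1*q1; the two checks make it exact.
    while True:
        x = rng.randrange(2, n)
        if gcd(x, n) != 1:
            continue
        g = pow(x, 2 * rp * rq, n)
        if pow(g, p1, n) != 1 and pow(g, q1, n) != 1:
            break
    # h = g^a for a secret a: a committer who learns a can open one
    # commitment to two messages, so the setup must keep it private.
    a = rng.randrange(1, p1 * q1)
    h = pow(g, a, n)
    return {"n": n, "g": g, "h": h, "p1": p1, "q1": q1,
            "order": p1 * q1, "phi": (p - 1) * (q - 1)}


def commit(params, m, r):
    """c = g^m * h^r mod n.  Negative m is allowed; pow() takes the inverse."""
    n = params["n"]
    return pow(params["g"], m, n) * pow(params["h"], r, n) % n


def verify_opening(params, c, m, r):
    """Accept the opening (m, r) of c only if it recomputes c exactly."""
    return c == commit(params, m, r)


def combine(params, c1, c2):
    """Homomorphism: commit(m1, r1) * commit(m2, r2) = commit(m1+m2, r1+r2)."""
    return c1 * c2 % params["n"]


def random_opening(params, rng, slack_bits=40):
    """The randomness only has to cover the small subgroup order plus a
    statistical slack (assumed 2^40), not the size of n: this shorter
    exponent is where the efficiency gain of a small subgroup comes from."""
    return rng.randrange(params["order"] << slack_bits)


if __name__ == "__main__":
    P = gen_params()
    rng = random.Random(2)
    r1, r2 = random_opening(P, rng), random_opening(P, rng)
    c1, c2 = commit(P, 5, r1), commit(P, -3, r2)
    print("subgroup order / phi(n):", P["order"] / P["phi"])
    print("homomorphic:", combine(P, c1, c2) == commit(P, 2, r1 + r2))
    print("opens:", verify_opening(P, c1, 5, r1), verify_opening(P, c1, 6, r1))
```

The generator search is the defender-relevant detail: checking `g^p1 != 1` and `g^q1 != 1` guarantees that `g` really generates the full order-\(p'q'\) subgroup rather than a proper subgroup of it, and the opening randomness is sized against that subgroup order, not against \(n\).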


Keywords: RSA modulus; digital signature; homomorphic encryption; integer commitment



Copyright information

© Springer-Verlag Berlin Heidelberg 2005
