Paper 2020/402

A Note on Low Order Assumptions in RSA groups

István András Seres and Péter Burcsi

Abstract

In this short note, we show that substantially weaker Low Order assumptions are sufficient to prove the soundness of Pietrzak's protocol for proof of exponentiation in groups of unknown order. This constitutes the first step to a better understanding of the asymptotic computational complexity of breaking the soundness of the protocol. Furthermore, we prove the equivalence of the (weaker) Low Order assumption(s) and the Factoring assumption in RSA groups for a non-negligible portion of moduli. We argue that in practice our reduction applies to a considerable number of deployed moduli. Our results have cryptographic applications, most importantly in the theory of recently proposed verifiable delay function constructions. Finally, we describe how to certify RSA moduli free of low order elements.

Note: Added a new partial reduction using the generalized cycling attack

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
Preprint. MINOR revision.
Keywords
number theory, RSA, factoring, complexity theory
Contact author(s)
istvanseres @ caesar elte hu
bupe @ inf elte hu
History
2020-08-27: revised
2020-04-09: received
Short URL
https://ia.cr/2020/402
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2020/402,
      author = {István András Seres and Péter Burcsi},
      title = {A Note on Low Order Assumptions in RSA groups},
      howpublished = {Cryptology ePrint Archive, Paper 2020/402},
      year = {2020},
      note = {\url{https://eprint.iacr.org/2020/402}},
      url = {https://eprint.iacr.org/2020/402}
}