Hashing to Prime in Zero-Knowledge

We establish a set of zero-knowledge arguments that allow for the hashing of a committed secret a-bit input x to a committed secret (k + 1)-bit prime number p(x). The zero-knowledge arguments can convince a verifier that a commitment indeed is the correctly generated prime number derived from x with a soundness error probability of at most 2(-k) + 2(-t) dependent on the number of zero-knowledge argument rounds k and the number of primality bases t to establish primality. Our constructions offer a range of contributions including enabling dynamic encodings for prime-based accumulator (Baric and Pfitzmann, 1997; Camenisch and Lysyanskaya, 2002), signature (Gross, 2015) and attribute-based credential schemes (Camenisch and Gross, 2008) allowing to reduce these schemes' public key size and setup requirements considerably and rendering them extensible. While our new primality zero-knowledge arguments are of independent interest, we also show improvements on proving that a secret number is the product of two secret safe primes significantly more efficient than previously known results (Camenisch and Michels, 1999), with applications to setting up secure special RSA moduli.