1

Identification & ZKIPIdentification & ZKIP

Introduction Passwords Challenge-Response ZKIP

2

1. Bank machine withdrawals : 4 ~ 6-digit PIN(Personal Identification Number) at ATM(Automatic Teller Machine)

2. In store credit card purchases3. Prepaid calling card : Asking a service by

telephone card or membership cards4. Remote login: Remote access to host under

Client /Server environment5. Access to restricted areas, etc.

3

Method Examples Reliability

Security Cost

What youRemember

(know)

PasswordTelephone #

Reg. #M/L

M(theft)L(imperso- nation)

Cheap

What you have

Registered SealMagnetic Card

IC CardM L(theft)

M(imperso-nation)

Reason-Able

What you Are

Bio-metric(Fingerprint,

Eye, DNA, face,Voice, etc.)

H H(theft)H(imperso- nation)

Reasonable

Expensive

4

5

Extracted from A. Jail’s presentation in SCIS2006, Japan

Password-based scheme (weak authentication) ◦ crypt passwd under UNIX◦ one-time password

Challenge-Response scheme (strong authentication)◦ Symmetric cryptosystem◦ MAC(keyed-hash) function◦ Asymmetric cryptosystem

Cryptographic Protocols◦ Fiat-Shamir identification protocol◦ Schnorr identification protocol, etc

6

7

passwd,Apasswd table

A h(passwd)

Prover Verifier

passwd h =

A

yaccept

n

reject

Replay fixed pwds◦ Observe pwd as it is typed in◦ Eavesdrop the data in cleartext◦ Not suitable over open communication networks

Exhaustive pwd search◦ Let E(c) be the entropy of 8-char pwds from choices◦ E(26)=37.6, E(36)=41.4, E(62)=47.6, E(95)=52.6

Pwd guessing and dictionary attacks◦ A large dictionary contains 250,000 words◦ Dictionary attack: order lists and compared to entries in the

encrypted dictionary ◦ Combine numerical and alphabetical characters.

8

9

truncate to 8ASCII chars; 0-pad if necessary

userpasswd DES*

Repack 76 bitsinto 11 7-bitcharacters

encrypted passwd

/etc/passwd

user salt

I1= 0…0next input Ii

2 i 25

output, Oi

O25

56

64

64

12

12

salt : 12-bit random from system clock when select passwd.DES* : DES with expansion E modified by 12-bit salt, 212 =4056 DES variations,

Assumption◦Secret Key : known to only P and V◦Random Challenge : P and V have perfect

random number generator as their challenges. Very small probability that same challenges occur by chance in 2 different sessions

◦MAC security : MAC is secure which no (ε, Q)-forger exist. Probability that Attack can correctly compute MAC is at most ε, given Q other MACs. (e.g. Q=10,000 or 100,000)

10

Using Symmetric Cryptosystem

11

P Vrandom challenge,x

x

y=eK(x)y

y’=eK(x)y=y’ ?

K

Vulnerable to parallel session attack (man-in-the-middle). Need to change x to be ID(V)||r

Using Asymmetric Cryptosystem P can prove to have secret information in

either way :(1) P decrypts a challenge encrypted under P’s public

key.(2) P digitally signs a challenge.

12

P Vrandom challenge,x

x

y=e[sK,x]y

y’= d[pk ,x]y = y’ ?

PK

GMR (Goldwasser, Micali, Rackoff) 1. “The knowledge complexity of interactive-proof

systems”, Proc. of 17th ACM Sym. on Theory of Computation, pp.291-304, 1985

2. “The knowledge complexity of interactive-proof systems”, Siam J. on Computation, Vol. 18, pp.186-208, 1989 (revised version)

ZKIP (Zero Knowledge Interactive Proof) : between P and V◦ Completeness : Only true P can prove V.◦ Soundness : False P’ can’t prove V.◦ 0-Knowledge : No knowledge transfer to V.

13

14

15

16

1P/1V

Interactive

Non-interactive

ZK

GMR Model * P:infinite, V: poly

BCC Model Model 1 (P:poly V: infinite) (minimum disclosure) Model 2 (P:poly, V: poly)

0-KMinimum Know.Oracle ZKIP

WH

PerfectComputationalStatistical

MembershipKnowledgeComputational power

Property

Object

Model

MP

MV

*AM-game : GMR model and V has random coin.

17

1P/1V

Interactive

Non-interactive

ZK

GMR Model * P:infinite, V: poly

BCC Model Model 1 (P:poly V: infinite) (minimum disclosure) Model 2 (P:poly, V: poly)

0-KMinimum Know.Oracle ZKIP

WH

PerfectComputationalStatistical

MembershipKnowledgeComputational power

Property

Object

Model

MP

MV

*AM-game : GMR model and V has random coin.

(Preparation)

(TA) Unlike in RSA, a trusted center can generate a universal n, used by everyone as long as none knows the factorization.

(P)

(i) private key: choose random value S, s.t. gcd(S,n)=1. (1 < S < n) (ii) public key : P computes I=S2 mod n, and publishes (I,n)

as public

Goal P has to convince V that he knows his private key S and its

corresponding public key (I,n) (i.e., to prove that he knows a modular square root of I mod n), without revealing S.

18

1. P chooses random value r (1<r<n) and computes x=r2mod n. then sends x to V.2. V requests from P one of the following request at random (a) r or (b) rS mod n3. P sends the requested information to V.4. V verifies that he received the right answer by checking

whether (a) r2 = x mod n or (b) (rS)2 = xI mod n5. If verification fails, V concludes that P does not know S, and

thus he is not the claimed party.6. This protocol is repeated t (usually 20 or 30) times, and if in

all of them the verification succeeds, V concludes that P is the claimed party.

19

20

V Ppublic : I,n n=pq, I=S2 mod n

2.ei={0,1}

x

ei

Repeat t-times 3. If ei=0, send y=r

If ei=1, send y=rS

y

4.If ei=0, check y2=x mod n? If ei=1, check y2=xI mod n?

* commitment-witness-challenge-response-verification and repeat

(1) Assuming that computing S is difficult, the breaking is equivalent to that of factoring n.

(2) Since P doesn’t know (when he chooses r or rS mod n) which question V will ask, he can’t choose the required answer in advance.

(3) P can succeed in guessing V’s question with prob. 1/2 for each question. If the protocol is repeated t times, the prob. that V fails to catch P in all the times is only 2-t, which is exponentially reducing with t. (t=20 or 30)

(4) Convinces V that P knows the square root of I, without revealing any information on S. However, V gets one bit of information : he learns that I is a quadratic residue

21

Based on DLP under Trusted Authority (TA) TA decides public parameters

◦ p : large prime (1024 bit)◦ q : large prime divisor of p-1 (160 bit)◦ α Zp

* has order q

◦ t : security parameter s.t. q > 2t ◦ Public parameters : p, q, α, t

Prover choose ◦ private key : a ( 1 ≤ a ≤ q-1) ◦ public key v = α–a mod p

Honest Verifier (choose r at random by the scheme) ZKIP

22

23

1 1 mod qkpk

tr 21

?(*) mod pvry

private key : a, public key: v

1. Select random k V P

Public par. : p,q,α,t

r

3. y = k + ar mod qy

2. Verify P’s public key generate random challenge

4. Verify

, cert(P)

mod (*) pvv kararkrarkry

(TA) ◦ p=88667, q=1031, t=10, α=70322 has order q in Zp

*

(P) ◦ private key a = 755 ◦ public key v = α-a mod p = 703221031-755 mod 88667 = 13136

P: random k = 543, αk mod p = 70322543 mod 88667 = 84109, commit V: random challenge r =1000 P: y= k + ar mod q = 543 + 755x1000 mod 1031=

851 V: on receiving y, verify that 84109 = 70322851

131361000 mod 88667. If equals, accept

24

Okamoto Identification scheme (p.378) Guillou-Quisquarter Identification scheme (p. 383) ID-based identification Others

25