comparative study on zero-knowledge identification protocols

26th May 2003 1

Comparative Study on Zero-Knowledge Identification

Protocols

Konidala M. Divyan

International Research Center for Information Security

Director: Prof. Kwangjo Kim

Discrete Mathematics-Term Project Final Presentation, Lectured by: Prof. Kwangjo Kim

26th May 2003 Comparative Study on Zero-Knowledge Identification

Protocols

2

Introduction

• Identification– Allows one party (the verifier) to gain assurances,

that the identity of another (the prover) is as declared, thereby preventing impersonation.

• Methods of Identification– Passwords (Weak Authentication)– Challenge-response identification (Strong

Authentication)• Symmetric-Key Techniques• Public-Key Techniques

– Zero-Knowledge Identification Protocols


Protocols

3

Introduction

• Zero-knowledge Identification Protocols– Based on, Interactive Proof Systems and

Zero-Knowledge Proofs

– Use random numbers as challenges and as commitments to prevent cheating

– Do not rely on digital signatures or public-key encryption, block ciphers, sequence numbers, and timestamps.


Protocols

4

Discrete Mathematics Vs My Term Project

• Projects one of the practical uses of Discrete Mathematics in the field of Information Security

• My topic is strongly based on the following Discrete Mathematics concepts– Logic, Sets, and Functions– Algorithms (Their Analysis), the Integers, and

Matrices– Counting, Relations– Graphs


Protocols

5

My Term Project Vs My Major

• My Major– Cryptology and Information Security– Advising Prof: Prof. Kwangjo Kim

• Earlier concentrated only on the “zero-knowledge interactive proofs” based on– Integer Factorization Problem (RSA)

• Fiat-Shamir Identification Protocol• Feige-Fiat-Shamir Identification Protocol• Guillou-Quisquater (GQ) identification Protocol

– Discrete Logarithmic Problem• Schnorr Identification Protocol


Protocols

6


• Through this term project, I could concentrate on the “zero-knowledge interactive proofs” based on– Graph Problems

• Hamiltonian cycles of large graphs

• Graph Isomorphism

• Graph Coloring


Protocols

7


• Study on these zero-knowledge interactive proofs helped me in analyzing their importance in my M.S. degree research topic “Security in Pervasive Computing”– Cause they involve very few computations

when compared to other Symmetric Key and PKI protocols

– Very useful for light weight devices used in pervasive environments


Protocols

8

Goal of Term Project

• Compare the following Zero-Knowledge Identification Protocols based on– Integer Factorization Problem (like RSA)

• Feige-Fiat-Shamir Identification Protocol• Guillou-Quisquater (GQ) identification Protocol

– Discrete Logarithmic Problem• Schnorr Identification Protocol

– Graph Problems• Hamiltonian cycles of large graphs• Graph Isomorphism• Graph Coloring


Protocols

9

Goal of Term Project

• Comparison Criteria– Communications– Computations– Memory– Security Guarantees– Trust required in third party


Protocols

10

Overview of Zero-Knowledge Concepts

• A prover demonstrates knowledge of a secret while revealing no information whatsoever of use to the verifier in conveying this demonstration of knowledge to others.

• ZK Protocols are instances of– interactive proof systems,

• Prover and verifier exchange multiple messages (challenges and responses)

• Proofs are probabilistic rather than absolute; need be correct only with bounded probability,


Protocols

11

Overview of Zero-Knowledge Concepts

– Proofs of knowledge• Interactive proofs used for identification• A possesses some secret s, and attempts to

convince B it has knowledge of s by correctly responding to queries which require knowledge of s to answer.

• Should satisfy “Completeness” and “Soundness” properties

– Zero-knowledge property• there exists an expected polynomial-time

algorithm (simulator) which can produce, upon input of the assertion(s) to be proven but without interacting with the real prover (Simulatable)


Protocols

12

Zero-knowledge vs. other asymmetric protocols

• No degradation with usage– Resist chosen-text attacks

• Encryption avoided• Efficient• Unproven assumptions

– many ZK protocols (“proofs of knowledge”) themselves rely on the same unproven assumptions as PK techniques


Protocols

13

General Structure of ZK Protocols

• A B : witness• A B : challenge• A B : response• Combination of

– cut-and-choose protocols and challenge-response protocols


Protocols

14

Modes of Operations

• Interactive– where prover and verifier interactively go through the protocol,

building up the certainty piece by piece. • Parallel

– where prover creates a number of problems and verifier asks for a number of solutions at a time. This can be used to bring down the number of interactive messages with a slow-response-time connection.

• Off line– where prover creates a number of problems, and then uses a

cryptographically strong one-way hash function on the data and the set of problems to play the role of verifier, to select a random solution wanted for each problem. He then appends these solutions to the message. This mode can be used for digital signatures


Protocols

15

ZK Proof based on Integer Factorization Problem

• Feige-Fiat-Shamir Identification Protocol (1998)

• 1. One-time setup.– (a) Selection of system parameters:

• A trusted center T selects and publishes an RSA-like modulus n = pq but keeps primes p and q secret.

– (b) Selection of pre-entity secrets:• Each prover A selects a secret s1,s2,..sk 1 ≤ sk ≤ n -

1, and k random bits b1,…bk compute vi=(-1)bi (si2)-

1mod n, 1 ≤ i ≤ k and registers (v1 … vk, n) with T as its public key.

ZKP–IFP

•FFS Protocol

•GQ Protocol

ZKP–DLP

•Schnorr Protocol

ZKP–Graph Prob.

•Graph Isomorphism

•Graph Coloring

•Hamiltonian Cycles


Protocols

16

Feige-Fiat-Shamir Identification Protocol

• 2.Protocol Actions– a)A choose integer r, bit b, compute x=(-1)b

r2mod n, sends x (the witness) to B

– b)B sends to A challenge a random k-bit vector (e1,e2,...ek)

– c)A compute y=rkj=1sj

ejmod n and send y to B (the response)

– d)B compute z=y2kj=vj

ejmod n. verifies

z= x and z 0

ZKP–IFP

•FFS Protocol

•GQ Protocol

ZKP–DLP

•Schnorr Protocol

ZKP–Graph Prob.


•Graph Coloring



Protocols

17

Example of Feige-Fiat-Shamir Identification Protocol

• 1. The trusted center T selects the primes p = 683, q = 811, and publishes n = pq = 553913. Integers k = 3 and t = 1 are defined as security parameters.

• 2. Entity A does the following.– (a) Selects 3 random integers s1=157, s2= 43215, s3 = 4646, and 3 bits b1

= 1, b2 = 0, b3 = 1.– (b) Computes v1 = 441845, v2 = 338402, and v3 = 124423.– (c) A’s public key is (441845, 338402, 124423, 553913) and private

key is (157, 43215, 4646).

• 3. Protocol Actions– (a) A chooses r = 1279, b = 1, computes x = 25898, and sends this to B.– (b) B sends to A the 3-bit vector (0, 0, 1).– (c) A computes and sends to B y = r. s3 mod n = 403104.

– (d) B computes z = y2 v3 mod n = 25898 and accepts A’s identity since

z = +x and z 0.

ZKP–IFP

•FFS Protocol

•GQ Protocol

ZKP–DLP

•Schnorr Protocol

ZKP–Graph Prob.


•Graph Coloring



Protocols

18

Guillou-Quisquater (GQ) Identification Protocol (1988)

• System Parameters– Private: p, q, s=v-1 mod (n)– n=pq, v >2

• User Parameters– The secret of A with JA=f(IA) is JA

-s mod n

• Protocol Messages (Repeat t times)– A sends to B(Commit): IA, x=rv mod n for a random r– B sends to A(Challenge): a random e with 1=<e=<v– A sends to B(Response): y=r sA

e mod n

• Verify– B computes z=JA

eyv mod n – Accept A’s proof of identity if z = x and z 0

ZKP–IFP

•FFS Protocol

•GQ Protocol

ZKP–DLP

•Schnorr Protocol

ZKP–Graph Prob.


•Graph Coloring



Protocols

19

ZK Proof based on Discrete Logarithmic Problem

• Schnorr Identification Protocol (1990)

• System Parameters– Primes p and q with q|p-1

– h=g(p-1)/q mod p has order q (g is a generator of GF(p))

– Verification public key for the signature ST(m), a parameter t

• User Parameters– A chooses a private key a and computes the public key

v=h-a

– A transfers v to T and obtains certA=(IA,v,ST(IA,v))

ZKP–IFP

•FFS Protocol

•GQ Protocol

ZKP–DLP

•Schnorr Protocol

ZKP–Graph Prob.


•Graph Coloring



Protocols

20

Schnorr Identification Protocol

• Protocol Messages (Repeat t times)– A sends to B(Commit): certA, x=hr mod p for

a random r

– B authenticates A’s public key and sends to A(Challenge): a random e with 1=<e=<2t <q

– A sends to B(Response): y=ae+r mod q

• Verify– B computes z=hyve mod p

– Accept A’s proof of identity if z=x

ZKP–IFP

•FFS Protocol

•GQ Protocol

ZKP–DLP

•Schnorr Protocol

ZKP–Graph Prob.


•Graph Coloring


ZK Proof based on Graph Problem

• Graph-Isomorphism• A pair of two graphs,

Where• Lets be an isomorphism between the input

graphs, namely is 1-1 and onto mapping of the vertex set V1 to the vertex set V2 so that

21 ))(),((),( EuviffEuv

.|V||V| 21 ).E,(VG),E,(VG 222111

ZKP–IFP

•FFS Protocol

•GQ Protocol

ZKP–DLP

•Schnorr Protocol

ZKP–Graph Prob.


•Graph Coloring


Graph Isomorphism

• Prover’s first step(A1): Select random permutation over V1, construct the set , and send

to the verifier.• Verifier’s first step (B1): B gets H from P.

V select and send it to P. P is supposed to answer with an isomorphism between and

2,1

1v)(u,:(v)(u),:F E

F),(VH 1

H

ZKP–IFP

•FFS Protocol

•GQ Protocol

ZKP–DLP

•Schnorr Protocol

ZKP–Graph Prob.


•Graph Coloring


G

Graph Isomorphism

• (A2): If =1, then send = to B. Otherwise send = -1 to B.

• (B2): If is an isomorphism between G and H then B output 1, otherwise it outputs 0.

ZKP–IFP

•FFS Protocol

•GQ Protocol

ZKP–DLP

•Schnorr Protocol

ZKP–Graph Prob.


•Graph Coloring


Graph Isomorphism (Flow)

Prover Verifier

=Random Permutation

H G1 R{1,2}

If =1, send =

otherwise = -1

Accept iff

H = (G)

H


Protocols

25

Graph Isomorphism example

22

55

11

44

33

GG11

33

11

22

GG2255

44

Common input: two graphs G1 and G2.

Only P knows

.

ZKP–IFP

•FFS Protocol

•GQ Protocol

ZKP–DLP

•Schnorr Protocol

ZKP–Graph Prob.


•Graph Coloring



Protocols

26

Graph Isomorphism example

22

55

11

44

33

GG11

55

33

44

11

22

HH

33

11

22

55

44GG22

= -1

Only P knows .

A sends H to B. B gets

and accepts.

B sends

=2 to A.


Protocols

27

Graph 3 Coloring

ZKP–IFP

•FFS Protocol

•GQ Protocol

ZKP–DLP

•Schnorr Protocol

ZKP–Graph Prob.


•Graph Coloring


• Common Input: A graph 12

3 4

5

12

3 4

5

• P can paint the graph in 3 colors.

• P must keep the coloring a secret.

12

3 4

5

12

3 4

5

12

3 4

5

Graph 3 Coloring

• P chooses a random color

permutation.

• He puts all the nodes inside envelopes.

• And sends them to the verifier.

ZKP–IFP

•FFS Protocol

•GQ Protocol

ZKP–DLP

•Schnorr Protocol

ZKP–Graph Prob.


•Graph Coloring


Graph 3 Coloring

• Verifier receives a 3-colored graph, but colors are hidden. 1

2

3 4

5

12

3 4

5

• He chooses an edge at random.

• And asks the prover to open the 2 envelopes.

ZKP–IFP

•FFS Protocol

•GQ Protocol

ZKP–DLP

•Schnorr Protocol

ZKP–Graph Prob.


•Graph Coloring


Graph 3 Coloring

• Prover opens the envelopes, revealing the colors. 1

2

3 4

5

12

3• Verifier accepts if the colors are different.

ZKP–IFP

•FFS Protocol

•GQ Protocol

ZKP–DLP

•Schnorr Protocol

ZKP–Graph Prob.


•Graph Coloring



Protocols

31

Graph 3 Coloring• G = (V,E) is 3-colorable if there exists a

mapping

for every .

• Let be a 3-coloring of G, and let be a permutation over {1,2,3} chosen randomly.

• Define

a random 3-coloring.

• Put each (v) in a box with v marked on it.

• Send all the boxes to the verifier.

)()(}3,2,1{: vuthatsoV Evu ),(

))(()( vv

ZKP–IFP

•FFS Protocol

•GQ Protocol

ZKP–DLP

•Schnorr Protocol

ZKP–Graph Prob.


•Graph Coloring



Protocols

32

Graph 3 Coloring

• Verifier selects an edge at random asking to inspect the colors.

• Prover sends the keys to boxes u and v.• Verifier uses the keys to open the boxes.• If he finds 2 different colors from {1,2,3}

- Accept.• Otherwise - Reject.

Evue R ),(

ZKP–IFP

•FFS Protocol

•GQ Protocol

ZKP–DLP

•Schnorr Protocol

ZKP–Graph Prob.


•Graph Coloring


Graph 3 Coloring(Flow)

(1) (n)(2)1 2 n

P V

P V

Keyu , keyv

P V

Evue R ),(


Protocols

34

Hamiltonian Cycles

• Similar to Graph Isomorphism ZK Identification Protocol

• The Hamiltonian cycle for a graph is a path through the graph that passes every node exactly once.– For an extremely large graph, this is very

hard (hard enough) to calculate.

• The prover's secret is the Hamiltonian cycle of a graph.

ZKP–IFP

•FFS Protocol

•GQ Protocol

ZKP–DLP

•Schnorr Protocol

ZKP–Graph Prob.


•Graph Coloring



Protocols

35

Hamiltonian Cycles

• The prover gives the verifier a permuted version of the original graph,

• Verifier can ask for either – prove that the graph is a permutation of the original

graph, or– show the Hamiltonian path for the permuted graph.

• one of these can be calculated easily from the original data, but to know both, to be able to respond to both possible requests, requires knowledge of the secret, i.e. the Hamiltonian path of the graph

ZKP–IFP

•FFS Protocol

•GQ Protocol

ZKP–DLP

•Schnorr Protocol

ZKP–Graph Prob.


•Graph Coloring



Protocols

36

Hamiltonian Cycles

• A must use a different permuted graph in each round, as he should never give both solutions to the same problem to B.

• This protocol is theoretical because of the requirement for the graph to be extremely large, and the large memory and message size requirements it has.

ZKP–IFP

•FFS Protocol

•GQ Protocol

ZKP–DLP

•Schnorr Protocol

ZKP–Graph Prob.


•Graph Coloring



Protocols

37

Analysis

ProtocolFamily

MessageSize

ProtocolIterations

Amount ofCalculation

MemoryRequirements

Zero-knowledge large many large large

Public-key large One very large large

Symmetric small One small small

Cryptographic protocol families and their calculation and memory requirements


Protocols

38

Analysis

ZK ID Protocol

Comparison

Criteria

FFS GQ

Probability of forgery

1/2kt

Provably Secure against chosen message attack

1/vt

Security Assumption Required

•Extracting square Roots modulo large composite integers n of unknown factorization.

•Equivalent to that of factoring n

•Extracting vth roots modulo the composite integer n•Equivalent to that of factoring n•Computationally intractable

Zero-Knowledge & Soundness

•K = O(log(log n)): asymptotic upper bound

•T = (log n): asymptotic tight bound

•Verifier: soundness large t

•Prover: zero-knowledge property small t

•Soundness

v-t = O(e-kt) vt = O((log n)c) for a constant c

•zero-knowledge property

tv = O((log n)c) for constant c

Parameter Selection

Choosing k and t such that kt = 20, k=5, t=4, allows a 1 in a million chance of impersonation

Similar as FFS

ZKP–IFP

•FFS Protocol

•GQ Protocol

ZKP–DLP

•Schnorr Protocol

ZKP–Graph Prob.


•Graph Coloring



Protocols

39

Analysis

ZK ID Protocol

Comparison

Criteria

FFS GQ

Computational Efficiency

modulo multiplication(steps) by prover

e.g. kt=20, N: 512bitk=20, t=1 1+20/2 = 11(steps)

k=1, t=20 20+20/2 = 30(steps)

modulo multiplication(steps) by prover

e.g. kt=20, N: 512bit

t=1, m=20=log2(Y) 203=60(steps)

Bandwidth and memory for secrets

Simultaneous reduction is not possible cause it requires k user secrets and t iterations for an estimated security (probability

of cheating) of 1/ 2-kt.

allows the simultaneous reduction of both memory (parameter k) and transmission bandwidth (parameter t) with k = t = 1, by introducing the public exponent v > 2 with the intention that the probability of

successful cheating becomes 1/ v-kt

Others Computationally efficient Memory efficient

ZKP–IFP

•FFS Protocol

•GQ Protocol

ZKP–DLP

•Schnorr Protocol

ZKP–Graph Prob.


•Graph Coloring



Protocols

40

AnalysisComparison

Criteria

Schnorr Identification Protocol

Probability of forgery 1/2t


computing discrete logs modulo a prime p - DLP


protocol reveals “no useful information” about a because x is a random number, and y is perturbed by the random number r.

The protocol is not zero-knowledge for large e

Parameter Selection t must be sufficiently large to make the probability 1/2t of correctly guessing the challenge e negligible.

t = 40, q >= 22t = 280 was originally suggested in the case that a response is required within seconds

Other •The design allows pre-computation, reducing the real-time computation for the claimant to one multiplication modulo a prime q•Suitable for claimants of limited computational ability.•protocol was designed to require only three passes, and a low communications bandwidth•reduces the required number of transmitted bits


Protocols

41

Analysis

ZK ID Protocol

Comparison

Criteria

Graph Isomorphism Graph 3 Coloring

Probability of forgery

1/2k 1/ek

Where e ~ 2.718 is the natural logarithm

base


•Graph Isomorphism •Coloring all the vertices of a graph with 3 colors such that the vertices connected by edges have different colors


•Perfect zero-knowledge interactive proof system

Parameter Selection

Minimum of 24 vertices = 256 edges Similar as Graph Isomorphism


Protocols

42

Future Work

• Study Digital Signatures using Zero-Knowledge Protocols– Fiat-Shamir Digital Signature Protocol– Guillou-Quisquater Digital Signature

Protocol– Schnorr Digital Signature Protocol

• Consider other modes of operations like parallel and offline modes in detail

• Study other Zero-Knowledge protocols– Permuted Kernels Identification Scheme

comparative study on zero-knowledge identification protocols

Documents

knowledge of s

demonstration of knowledge

knowledge interactive

knowledge conceptsa

term projectprojects

discrete mathematics

symmetric key

information securitydirector