Knowledge-Proof Based Versatile Smart Card Verification Protocol

Transcription

1 Kowledge-Proof Based Versatle Smart Card Verfcato Protocol DaeHu Nyag ad JooSeok Sog Departmet of Computer Scece Departmet, Yose Uversty SeodaemuGu ShchoDog 34, Seoul , Korea fyag, ABSTRACT We propose a zero-kowledge teractve proof based detfcato ad sgature scheme. The protocol s based o Euler s totet fucto ad dscrete logarthms over the rg Z=Z, ad ca be appled to smart cards. A prover keeps a sged subgroup geerator provded by a trusted ceter as ts secret formato. Our scheme has symmetrcty the sese that the same computatoal complexty ad the same hardware both for Prover ad for Verfer are requred. Also, t requres mmal amout of computato ad commucatos for secret formato. The protocol s versatle eough to be applcable to dgtal sgature scheme, multple dgtal sgature scheme ad key exchage protocol. We outle those protocols to show the versatlty of our protocol. Categores ad Subject Descrptors F.2.m [Theory of Computato]: Mscellaeous; G.2.3 [Mathematcs of Computg]: Applcatos Geeral Terms Securty Keywords Cryptography, Smart card, Idetfcato, Zero-Kowledge Iteractve Proof, Dgtal Sgature, Multple Sgature, Key Exchage. INTRODUCTION I a computerzed commucato socety, t s ecessary to provde a adequate method by whch commucators ca detfy themselves to each other a uforgeable maer. Sce 984, cosderable atteto has bee pad to ZKIP[, 6, 3], whch s useful detfcato ad dgtal sgature. Idetfcato schemes usg ZKIP are geerally based o the dffculty of computg the dscrete logarthm modulo a large prme umber, quadratc resduosty of umbers, modular square roots, ad the factorzato of a composte umber. May detfcato schemes have bee proposed based o zero-kowledge proof[2, 5, 0, 2]. I ths paper, we propose the cocept of a sged subgroup geerator ad desg a ew teractve proof based detfcato scheme ad dgtal sgature. The scheme uses dscrete logarthm over the rg Z=Z ad Euler s totet fucto to get ts securty, ad s sutable for smart cards because t requres oly oe secret umber ad oe accredtato to complete the teractve proof. Our detfcato scheme s superor to Gullous ad Qusquater s scheme that a verfer s computatoal burde s reduced to about half ad t smplfes the hardware mplemetato. Besdes those, our protocol ca be easly modfed to serve as a key exchage protocol ad as a multple sgature scheme. 2. IDENTIFICATION SCHEME 2. Backgroud Before proceedg, we brefly expla zero-kowledge teractve proof. Iteractve proof s defed by two teractve Turg maches (P; V ). They have a few tapes to do ther operato ad commucate wth each other. Prover(P ) proves a certa kowledge to verfer(v ), ad the proof s called a wtess. ZKIP duces a formal laguage L, ad for a put x a prover proves x 2 L. If x 2 L, the, wth very hgh probablty, the verfer s covced of ths fact, after teractg wth the prover. If x 62 L,theomatter what the prover does, wth very hgh probablty, he fals to fool the verfer(to belevg that x s L). The frst codto s referred to as the completeess, whle the secod codto s referred to as soudess. Iformally, a proof system s calledzero-kowledge whe the prover tells the verfer othg but that x 2 L, eve though the verfer tres to trck the prover to revealg somethg. Our teractve protocol s a proof of kowledge of a predcate P (s; x) =[s x g mod pq] where gcd(x; (pq)) =, ad g s a geerator of a suffcetly large subgroup of Z=Z( s the Carmchael fucto[8]). We propose a ew protocol where a trusted ceter sgs g wth a prvate-key correspodg to the publc-key whch s certfed by a trusted ceter. Thus, each user keeps the sged g as ts secret formato, but does ot kow the prvate-key wth whch g s sged. g s a geerator of a suffcetly large subgroup of Z=Z. 2.2 The Idetfcato Scheme for Smart Cards

2 Lke other detfcato schemes, our protocol s composed of two phases. The frst phase s the smart card ssug step, ad the secod s teractve proof. A trusted ceter radomly chooses two large prmes, p ad q. The two prmes are kept securely by the trusted ceter. We assume that = pq s a 768-bt or 024-bt publc umber, ad the factorzato of s stll feasble. Aother publc value g s also chose by the trusted ceter. g s a geerator of a suffcetly large subgroup of Z=Z. It should be selected by the trusted ceter to satsfy g k mod where k s the order of g mod. k must ot be smooth ad must be large eough(say 60-bts) to be strog agast attacks such as baby-step gat-step ad dex calculus. Grault devsed a smart way to select g [7], but we do ot eed to reveal k, whchsa factor of ()(() s Euler s totet fucto). The trusted ceter publshes ( = pq; g) the publc drectory. The modulus ad the subgroup geerator g wll be shared amog a group of users. Whe a elgble user apples for a smart card, the trusted ceter ssues a strg I whch cotas formato about the user ad the card. Ad ow the trusted ceter performs the followg steps to compute the secret formato s ad a publc-key v for user. Preparatory steps for the ceter :. For a user who requests a trusted ceter of ts secret value, the trusted ceter chooses v,wherev s a prme ad gcd(v ;())=. 2. The ceter computes s g =v mod : s ca be easly obtaed by computg g d mod where vd mod(): 3. The ceter geerates a sgature ad the certfcate S = sgature(i;v ); C(User ) =(I;v ;S): 4. A smart card cotag the user s certfcate s ssued. Here, the certfcate ca be geerated by a trusted ceter usg ay well-kow sgature schemes or the sgature scheme proposed ths paper. Rab-lke dgtal sgature scheme or a low ecrypto expoet RSA ca be used for a faster certfcate verfcato[9]. They requre oly a few multplcatos the verfcato step. After the preparatory steps, a prover has a secret umber s ad ca prove ts detty to a verfer by the followg teractve proof. Iteractve proof betwee a prover ad a verfer :. Prover seds ts certfcate C(Prover) to Verfer. 2. Verfer checks Prover s certfcate C(Prover) =(I;v ;S). 3. Prover pcks a radom umber r 2f2;::: ;,g ad seds x r v mod as a test to Verfer. 4. Verfer seds a radom umber e 2 f;::: ;2 t g as a questo to Prover, where 2 t < v. The sze of 2 t represets a compromse betwee speed ad securty. 5. Prover seds to Verfer as a wtess: y rs e mod 6. Verfer checks that x y v g,e mod ad accepts the proof as vald oly whe the above result s correct. The above teractve proof requres oly oe securty umber ad oe accredtato for the proof of detty, but stll provdes the securty level of 2,t. To reduce the umber of bts commucated, a prover seds oly the frst t bts of a hash fucto h(x) to a verfer step 3, ad compares h(x) wth the frst t bts of y v g,e mod. Thus, the total umber of commucato bts s 2t + log. The protocol requres a verse operato to compute g,e mod, but the computato s already the preprocessg stage. 2.3 Soudess ad Completeess Proofs For the valdty ad securty of the proposed teractve proof, completeess ad soudess of the protocol should be cosdered. I ths secto, we gve formal proofs of the protocol. It s trval that the detfcato procedure succeeds f both a prover ad a verfer follow the protocol as show theorem. THEOREM (COMPLETENESS). If a prover ad a verfer follow the protocol, the verfer always accepts prover s proof of detty. PROOF. By defto y v g,e (rs e ) v g,e r v g e g,e r v x mod The proof that the cheatg probablty of a dshoest prover caot be creased to hgher tha 2,t s smlar to Gullous ad Qusquater s. THEOREM 2 (SOUNDNESS). Assume that a prover does ot kow the s ad caot compute polyomal tme the v -th root. If a verfer follows the protocol, he wll accept the proof as vald wth probablty bouded by 2,t. PROOF. To crease the probablty of cheatg, a prover must choose x such a way that he ca compute v -th roots y 0 ad y 00 of xg e mod for two questos e 0 ad e 00. However, the followg procedure reveals s, ad t cotradcts the assumpto that the v -th root caot be computed polyomal tme wthout kowg s.

3 . For two questos e 0 ad e 00, choose Bezout coeffcets m ad k such that v m +(e 0, e 00 )k = There always exst Bezout coeffcets m ad k, because of gcd(v ;e 0, e 00 )=. 2. Compute the followg ad output: (g m y 0 k y 00 ) (s v m y 0 k y 00 ) (s v m s mod s (e0,e 00 )k ) 2.4 Why s v a Prme Number? We show that the probablty of cheatg may be hgher tha 2,t, uless v s a prme. For ths, we assume that v s ot a prme. Suppose a dshoest prover who has (s ;v ) such that s v g mod ad preteds to be a prover j. Ifgcd(v ;v j) 6= such as v = la, v j = lb ad b<2 t, the he/she ca preted to be prover j wth probablty b, > 2,t by guessg e such that b dvdes e+r, ad sedg x g r mod ad y s (e+r)a=b mod. Ideed, y vj g,e s (e+r)v ja=b g,e s (e+r)lba=b g,e s v (e+r) g r x mod : g,e Thus, a dshoest prover ca cheat a verfer wth probablty hgher tha 2,t.However,fv s a prme, ths caot happe. If the questo e s predcted by a prover, she ca deceve the verfer by guessg e such that v dvdes r + e ad sedg x g r mod ad y g (r+e)=v mod. A verfer wll accept the proof of kowledge, because y v g,e (g (r+e)=v ) v g r+e g,e x mod : However, the probablty of ths evet s 2,t, ad for a suffcetly large t, t s almost mpossble to guess a questo e. There s a tradeoff betwee speed ad securty. If a securty parameter t has a large value, the speed becomes slow. For the detfcato scheme, t = 20 s eough for the most applcatos, t = 45 for atoal securty applcatos. For the dgtal sgature, t =72s eough. I the protocol, (x r v mod ) s a radom umber, ad y s masked by a radom umber r whch caot be computed by a verfer who does ot kow the factorzato. Thus, all the messages from a prover to a verfer do ot reveal ay formato about the prover s secret, s. The protocol wth oe roud, however, s ot a zero-kowledge proof, because the rug tme of the smulator whch produces trascrpts wth a detcal probablty dstrbuto to those produced whe Prover actually takes part the protocol s O(2 t ). Techcally for soudess, t must grow asymptotcally faster tha log, but the codto makes the rug tme of the smulator grow asymptotcally faster tha (log ) c, for a costat c. Thus, our protocol wth oe roud s ot a zerokowledge proof. However, the protocol wth k-rouds (k >) has surely the zero-kowledgeess. If we perform the protocol wth k-rouds, the smulator rus O(2 t ) ad for the soudess, kt (ot t) must grow asymptotcally faster tha log. If we chooses k large eough for kt to grow faster tha log for a t that grows slower tha log, both the soudess ad the zero-kowledgeess are obtaed. The protocol wth k-rouds, however, s ot effcet to lose the practcal meag. If we restrct k =, the protocol loses the zero-kowledgeess theoretcal sese but t gets effcecy stead. Perfect zero-koledge practce s hard to get, ad oly Fat-Shamr s scheme amog the referred oes the paper obtas t. Practcally, we do t eed to sst the zero-kowledgeess the asymptotc sese, sacrfcg the effcecy. Proper selecto of parameters such as k ad t s eough to protect the secret formato. 2.5 Cosderato o Commo Modulus The protocol ths paper uses the same securty assumpto as that of RSA. That s, the v-th root fdg Z=Z s as dffcult as the factorzato. Smmos has show that the protocol usg commo modulus RSA fals as a prvacy chael f a message was ecrypted ad set to two or more recevers[4]. I that case, a outsder (ot a subscrber/user) usg oly the publc-key could decrypt the cphertext wth uacceptably hgh probablty. Also, DeLaurets has show that the commo modulus protocol s eve more vulerable to attack by sders (subscrber/user) who ca break the cryptosystem by usg ether a probablstc or a determstc method[3]. Kowledge of a sgle ecrypto/decrypto par s equvalet to factorg the modulus probablstcally, ad eables a subscrber to fd other users secret key determstcally. Thus, a protocol usg RSA should ot use commo modulus. There are two securty aspects to be cosdered the proposed scheme. Oe s whether a subscrber(a legal prover) ca fd d from g =v g d mod ad v. If he fds d, he ca easly factor by [3]. To fd out d oly from g d mod, he should solve a dscrete logarthm problem. I fact, most sub-expoetal algorthms to solve the dscrete logarthm problem assume a fte feld F p or a Galos feld GF (p m ). The order of g mod p or g mod p m s kow a pror these felds, whereas the order of g mod s ot kow. Thus, those algorthms are ot applcable to fd out d oly from g d Z=Z. Moreover, t s equvalet to breakg the RSA dgtal sgature scheme to fd d from g d mod ad v. The other to be cosdered s whether a subscrber ca compute aother subscrber s secret formato g =v j mod from ts secret g =v mod,wherev;v j are prmes. Uless v = av j(a =; 2;:::), oe caot compute g =v j mod wth g =v wthout the kowledge of the factorzato[4]. 3. DIGITAL SIGNATURES Ths secto treats dgtal sgatures that are costructed from our detfcato scheme. Also, we show that the dgtal sgature scheme s extedble to multple dgtal sgature scheme. 3. Dgtal Sgature Usg a zero-kowledge based detfcato scheme ad a hash fucto, oe ca costruct a secure dgtal sgature scheme[5]. The role of the trusted ceter ths case s the same as that the detfcato scheme. I our detfcato scheme, radom

4 umber e cotas o formato, but ts upredctablty prevets a prover from cheatg. Swtchg the detfcato scheme to a sgature scheme, we replace the verfer s role by the hash fucto h ad obta the followg sgature protocol. To sg a message M, Sger :. Pcks a radom umber, r, ad computes x r v mod Ths computato s the preprocessg stage. 2. Cocateates M ad x, ad hashes the result: 3. Computes e = h(m;x) 2f0;::: ;2 t, g y rs e mod The sgature s e ad y; he/she seds these to Verfer wth M, C(User ). To verfy Sger s sgature o M, Verfer :. Computes z y v g,e mod 2. Verfes whether h(m; z) s e or ot. Verfer accepts the message M as geue f ad oly f e equals to h(m;z). THEOREM 3 (COMPLETENESS). If Sger ad Verfer follow ther protocols, Verfer always accepts the sgature as vald. PROOF. By defto, z y v g,e (rs e ) v g,e r v (s v )e g,e r v g e g,e r v ad thus h(m;z) =h(m;x). x mod The probablty dstrbuto of the hash fucto h(m;x) must be uform wth respect to radom x. Also,h(M; x) should be oeway wth respect to M. The hash fucto whch satsfes both crtera s hghly resstat agast kow platext attacks ad chose platext attacks. 3.2 Multple Sgature A exteso of the sgature scheme to the multple sgature scheme s preseted. Multple sgatures are eeded f may people wat to sg the same documet. A easy way to do ths s to let each of them sg the same documet separately, ad cocateate the result to the sged documet. Wth the scheme, the legth ad the tme to sg a documet s proportoal to the umber of people volved. Usg the sgature scheme desged secto 3., we ca sg a documet wth more effcecy. To sg a message, sgers geerate ther ow radom umbers ad use the product of those umbers as a commtmet umber. The radom questo s geerated from the commtted umber, the message to be sged, ad a hash fucto, so t s detcal amog sgers. Verfcato process s smlar to that of sgle sgature scheme except that the publc-key used the verfcato s the product of v s. To wrte a multple sgature ad verfy a documet, each partcpat does the followg procedure. To sg a message M, Sger :. Pcks a radom umber, r, ad computes x r j= vj mod 2. Seds x to every other sgers. 3. Receves x ;x 2;::: ;x,;x +;x +2;::: ;x ad computes x Y j= x j mod 4. Cocateates M ad x, ad hashes the result: 5. Computes e = h(m;x) 2f0;::: ;2 t, g y rs e mod ad seds y to every other sgers. 6. Receves y ;y 2;::: ;y,;y +;y +2;::: ;y ad computes y Y j= y j mod The sgature s e ad y; he/she seds these to Verfer wth M ad I ;I 2;::: ;I whch are correspod to each sger s publc-key. To verfy Sgers multple sgature o M, Verfer:. Computes the followg from v = f(i );v 2 = f(i 2);::: ;v = f(i ),wherei s a detfcato word for Sger : 2. Computes v = Y = v z y v g,e P j= v=vj mod 3. Verfes whether h(m;z) s e or ot. Verfer accepts the message M as geue f ad oly f e equals to h(m; z). Ife 6= h(m;z), there s at least oe vald sgature. Usg our multple sgature scheme, the legth of a sgature s greatly reduced. Regardless of the umber of people volved sgg procedure, the legth of a sgature s costatly t + log. For example, whe s a 52-bt umber ad the securty parameter t =2 72, total sgature legth of the scheme s bts, whch s the same as that of the sgle sgature. Eve better, the umber of sgers does ot crease the sgature legth. As before, the completeess proof s followed by defto.

5 THEOREM 4 (COMPLETENESS). If Sgers ad Verfer follow ther protocols, Verfer always accepts the sgature as vald. PROOF. Letv be = v. By defto, y = v g,e P j= v=vj (y y 2 y ) = v g,e P j= v=vj (r r 2 r s e s e 2 s e ) = v g,e P j= v=vj (r r 2 r ) = v (s = v s = v 2 s = v ) e g,e P j= v=vj (r r 2 r ) = v (g = v=v g = v=v2 g = v=v ) e g,e P j= Q v=vj r = v r = v 2 r = v x mod Q THEOREM 5 (SOUNDNESS). Assume that a prover theq does ot kow the = s ad caot compute polyomal tme vth root. If a verfer follows the protocol, he/she wll accept the = proof as vald wth probablty bouded by 2,t. PROOF. To crease the probablty of cheatg, Q a prover must choose x such a way that he/she ca compute = v-th roots y 0 ad y 00 of xg e P j= v=vj mod for two Q questos e 0 ad e 00. However, the followg procedure Q reveals s, ad t cotradcts the assumpto that the v- = = th Qroot caot be computed polyomal tme wthout kowg s. =. Choose Bezout coeffcets m, k such that m Y = for =; 2;::: ;: v +(e 0, e 00 )k = ; where v > (e 0, e 00 ) Sce gcd( = v;e0,e 00 )=, there exst k ad m whch satsfy the Q above codto. 2. Compute = s as followg : 00 (g ( = v=v)m g ( = v=v2)m Q g ( = v=v)m y k) 0 y ((s v )( = v=v)m (s v2 2 )( = v=v2)m (s v ) ( = v=v)m s (e0,e 00 )k s (e0,e 00 )k 2 s (e0,e 00 )k ) ((s s 2 s ) ( = v)m+(e 0,e 00 )k ) s s 2 s mod # of mults Prover Verfer Bytes(x; e; y) FS (t(k+2)/2) (t(k+2)/2) Schorr* (.5l +0.25t) GQ (.5t) (3t) OgSchorr* (t(k+2)/2 - ) (t(k+2)/2 + ) Ours* (.5t) (.5t) Table : Comparso wth the other detfcato schemes : * requres a certfcate verfcato phase. # of mults Sg ge Sg verfy Legth(y; e) RSA Fat-Shamr Schorr GQ Og-Schorr Our Scheme Table 2: Comparso wth the other sgature schemes a verfer ca prepare g,e mod advace. Whe the protocol starts, the oly multplcatos a prover should do are s e mod. Smlarly, t s eough for a verfer to compute y v mod ad check the valdty of the proof. Ths pre-computato does half the verfer s computato. Comparsos wth other schemes terms of the umber of multplcatos ad the requred storage amout are show Table ad Table 2. Pre-computatos are cosdered. We assume that detfcato schemes provde a securty level of 2,24 ad sgature schemes 2,72. Table ad Table 2 show the computatoal load of detfcato schemes ad sgature schemes, respectvely. I the case of Schorr s, Og-Shorr s ad our scheme, the umber of multplcatos to verfy the certfcate s ot couted. As stated Secto 2.2, ether Rab-lke dgtal sgature scheme or a low ecrypto expoet RSA adds oly a couple of multplcatos the verfcato step[, 9]. We assume the square ad multply algorthm s used to expoetate a umber. I Table, t meas the securty level ad l meas the umber of bts of q Schorr s scheme. k s the umber of Prover s secrets whch s proportoal to the amout of commucato. Our scheme requres the same computatoal complexty ad almost the same hardware both for Prover ad for Verfer. Ths symmetrcty s useful the evromet where mutual detfcatos are requred. I the sgature geerato process, our scheme requres oly 4% of the umber of multplcatos requred by RSA. I the verfcato phase, 50% of that of Schorr s ad Gullous ad Qusquater s are eough. The amout of computato of Gullous ad Qusquater s durg the verfcato ca be reduced by smultaeous multple expoetato, but t requres more complex hardware tha ours. 4. PERFORMANCE EVALUATION I the detfcato protocol ad the sgature scheme, pre-computatos ca reduce the verfer s burde as well as the prover s. A prover ca pre-compute the value x r v mod ts dle tme, ad 5. CONCLUSION I ths paper, we propose a ew teractve proof based detfcato scheme ad a dgtal sgature. The proposed scheme s very effcet both verfcato ad provg steps owg to the pre-computable protocol structure. Ths property makes our

6 scheme much more approprate for smart cards, ad provdes the computatoal symmetrcty. I addto, our detfcato protocol requres mmal amout of storage for secret formato ad mmal amout of commucatos. Our protocol ca be modfed such that a prover uses x g r mod ad y s e+r mod. I that case, a radom umber r should be chose the rage [;::: ;k],wherek s the order of g mod. Wth ths modfed verso, a verfer ca check the valdty of the proof as the same way as before. y v g,e s (e+r)v g,e (s v )e+r g,e g e+r g,e x mod Soudess proof of the modfed verso s the same as the orgal oe. However, ths modfcato requres a prover to do much more multplcatos, eve though those are the pre-computato phase. Besdes the dgtal sgature, the protocol ca be exteded for the key-exchage whe t s used for mutual detfcato. Istead of prover s sedg x = r v mod, the alterate verso of the protocol s used.. User commts x g r mod,wherer s a radom umber. 2. User j seds a questo ad her commtmet: e j ad x j g r j mod. 3. User seds her aswer ad questo: y s ej +r mod ad e 4. User j checks x g,ej y v mod. ad seds her aswer: y j s e+rj mod 5. User checks x j g,e y v j mod. After dog the mutual detfcato protocol, User ad j ca obta a commo key, K j = K j. K j x r j g r j r g r rj x rj K j mod 6. REFERENCES [] L. Baba. Arthur-merl games: A radomzed proof system, ad a herarchy of complexty classes. Joural of Computer ad System Sceces, 36: , 988. [2] T. Beth. Effcet zero-kowledge detfcato scheme. I Advaces Cryptology : Proceedgs of EuroCrypt 88, Lecture Notes Computer Scece, Sprger-Verlag, pages IACR, 988. [3] J. M. DeLaurets. A further weakess the commo modulus protocol for the rsa cryptoalgorthm. Cryptologa, 8(3): , 984. [4] J.-H. Evertse. Whch ew rsa sgatures ca be computed from some gve rsa sgatures? I Advaces Cryptology : Proceedgs of EuroCrypt 90, Lecture Notes Computer Scece, Sprger-Verlag, pages IACR, 99. [5] A. Fat ad A. Shamr. How to prove yourself: Practcal solutos to detfcato ad sgature problems. I Advaces Cryptology : Proceedgs of Crypto 86, Lecture Notes Computer Scece, Sprger-Verlag, pages IACR, 987. [6] D. C. Glles Brassard ad C. Crépeau. Mmum dsclosure proofs of kowledge. Joural of Computer ad System Sceces, 37:56 89, 988. [7] M. Grault. A detty-based detfcato scheme based o dscrete logarthms modulo a composte umber. I Advaces Cryptology : Proceedgs of EuroCrypt 90, Lecture Notes Computer Scece, Sprger-Verlag, pages IACR, 990. [8] G. L. Mller. Rema s hypothess ad tests for prmalty. Joural of Computer ad System Sceces, 3:300 37, 976. [9] D. H. Nyag ad J. S. Sog. Fast dgtal sgature scheme based o the quadratc resdue problem. Electrocs Letters, 33(3): , 997. [0] J. Qusquater ad L. Gullou. A paradoxcal detty based sgature scheme resultg from zero kowledge. I Advaces Cryptology : Proceedgs of EuroCrypt 88, Lecture Notes Computer Scece, Sprger-Verlag, pages IACR, 988. [] M. O. Rab. Dgtalzed sgatures ad publc key fuctos as tractable as factorzato. I Techcal Report, MIT/LCS/TR22, Cambrdeg, Mass. MIT Lab., 979. [2] C. Schorr. Effcet detfcato ad sgatures for smart cards. I Advaces Cryptology : Proceedgs of Crypto 89, Lecture Notes Computer Scece, Sprger-Verlag, pages IACR, 989. [3] S. M. Shaf Goldwasser ad C. Rackoff. Kowledge complexty of teractve proof systems. SIAM Joural o Computg, 8():86 208, 989. [4] G. J. Smmos. A weak prvacy protocol usg the rsa cryptoalgorthm. Cryptologa, 7:80 82, 983.