All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to SCIS 2006 does not prevent future submissions to any journals or conferences with proceedings. SCIS 2006 The 2006 Symposium on Cryptography and Information Security Hiroshima, Japan, Jan. 17-20, 2006 The Institute of Electronics, Information and Communication Engineers An Identification Scheme Based on KEA1 Assumption Natsumi Kawashima Seigo Arita Abstract There are three well-known identification schemes: Fiat-Shamir, GQ and Schnorr identification schemes. All of them are proven secure against passive or active attacks under number theoretic assumptions. However, the efficiencies of reductions in those proofs are not tight, since they need rewinding. We show an identification scheme IDKEA1. Although it needs four exchanges of messages and slightly more exponentiations, IDKEA1 is proved to be secure under KEA1 assumption with tight reduction to DLA. The idea underlying IDKEA1 is to use extractable commitment for prover s commitment. In the proof of security, the simulator can open the commitment in two different ways: one by the non-black-box extractor of KEA1 assumption and the another through the simulated transcript. So, we don t need to rewind and can prove the security without the loss of efficiency of the reduction. Keywords: identification scheme, rewinding, KEA1 assumption, tight reduction. 1 Introduction 1.1 Zero-Knowledge Identification Scheme The zero-knowledge identification scheme is a triple (K, P, V ) of probabilistic polynomial-time algorithms. Key-generator K generates a pair (pk, sk) of public and private keys on input security parameter k. Prover P with the secret key sk (and the public key pk) proves its identity to verifier V (with the public key pk) through showing its possession of sk in (honest-verifier) zeroknowledge. The major security goal of identification scheme is to prevent an adversary A with no secret key sk from impersonating the prover P. Such an adversary A is called passive if A only eavesdrops message flows between honest P and honest V. If A acts as a cheating prover or verifier beyond eavesdropping, A is called active adversary. In particular, if A can act as a cheating verifier concurrently against several prover clones with the same secret key, the attack is called concurrent attack, in which interest has been growing. There are three well-known identification schemes: Fiat-Shamir [5], GQ [6] and Schnorr [8] identification schemes. Fiat-Shamir scheme is proven to be secure against impersonation of active adversary based on the difficulty of integer factorization problem. However, it needs rather long secret keys. GQ identification scheme is an extension of Fiat-Shamir scheme, which reduces both number of messages exchanged and memory requirements for secret keys. GQ identification scheme is proven to be secure against passive and concurrent attack under RSA assumption and One-moreinversion assumption, respectively [3]. Schnorr identification scheme is an alternative to Fiat-Shamir and GQ schemes. It is also proven to be secure against passive and concurrent attack under DLA (Discrete Log- Institute of Information Security, Graduate School of Information Security, Japan. arithmic Assumption) and One-More-DL assumption, respectively [3]. 1.2 Provable Security of Identification Scheme Let us briefly see how the proof of the security against impersonation does work in the case of Schnorr scheme. Remember that in Schnorr scheme, P has a secret key x and V has a public key q, g, h(= g x ). P randomly chooses k from Z q, computes a commitment t = g k and sends t to V. V, then, randomly chooses a challenge c from Z q and sends c to P. P responses y = k + xc to V, which sees whether y can correctly open h c t or not, that is, the equality of g y = h c t. Suppose there is an adversary A which can impersonate a prover in Schnorr scheme with a non-negligible probability. A simulator S invokes a copy of A, which is given a public key h(= g x ) of security parameter k, and plays a role of a verifier. The simulator S, receiving a cheating commitment t from A, sends a random challenge c to A and gets a cheating response y. Then, we have g y = h c t with the probability equal to success probability of A. Now, we rewind S to the point generating a random challenge to get a new challenge c 1 and the corresponding new response y1. We have g y 1 = h c 1 t also with the probability equal to success probability of A. Then, we can compute the discrete logarithm x = (y y1)(c c 1 ) 1 of h with the probability of square of success probability of A. Thus, we have with some negligible function η Adv imp (k) Adv dl G,E(k) + η(k), where Adv imp and Advdl G,E denotes the advantage of the impersonator A against ID and the advantage of the extractor E of DLP (Discrete Logarithmic Problem) on G = g, respectively. This contradicts to DLA. Note the time-complexity t E of E is about the twice t E (k) 2t A (k) + O(k 3 ).
The above (standard) proof depends on the wellknown technique rewind to extract. As seen above, the technique sacrifices the efficiency of the reduction. The probability to extract the secret is only the square of probability of the successful attack. The similar situation holds also for Fiat-Shamir and GQ schemes. 1.3 Our results We show an identification scheme IDKEA1. Although it needs four messages exchanged and one more and two more exponentiations for a prover and a verifier respectively than Schnorr s scheme, IDKEA1 is proved to be secure under KEA1 assumption [7, 4] with tight reduction to DLA. The idea underlying IDKEA1, which is inspired by Barak s generic non-back-box techniques [1, 2], is to use extractable commitment for prover s commitment. The extractable commitment is actually extractable only by the simulator who can use the nonblack-box extractor of KEA1 assumption. In the proof of security, the simulator can open the commitment in two different ways: one by the non-black-box extractor and the another through the simulated transcript. So, we don t need to use the rewind technique and can prove the security without the loss of efficiency of the reduction. Our first main theorem is as follows. Theorem 1. Under the assumptions DLA and KEA1 is secure under passive attack. More precisely, for all passive adversary A = (A 1, A 2 ) against the scheme, there is DL extractor E and a negligible function η( ) satisfying (k) Advdl G,E(k) + η(k). Furthermore, the time-complexity of E is about the twice t E (k) 2t A (k) + O(k 3 q(k)), where q(k) denotes the number of queries by A 1. Using the variant OMDL+ of OMDL assumption [3], we can prove IDKEA1 is secure even under the concurrent attack also with tight reduction: Theorem 2. Under the assumptions OMDL+ and KEA1 is secure under the concurrent attack. More precisely, for all adversary A = (A 1, A 2 ) under the concurrent attack against the scheme, there is OMDL+ solver I and a negligible function η( ) satisfying (k) Advomdl+ (k) + η(k). Furthermore, the time-complexity of I is about the twice t I (k) 2t A (k) + O(n(k) k 3 ), where n(k) denotes the number of prover clones in the concurrent attack. 1.4 Related works [4] shows 3-Round Zero-Knowledge protocol in which KEA3 assumption (a variant of KEA1) is used to prove its soundness. However the role played by KEA3 assumption is different from ours. The proof of the soundness in [4] needs the rewinding to extract the secret of the cheating prover. [9] shows a proof of knowledge system of DL knowledge, which establishes the tight reduction to DLA in the random oracle model. Our protocol doesn t rely on the random oracle. 2 Definitions and Assumptions In this section, we clarify the security of identification scheme under passive and concurrent attacks and introduce two assumptions KEA1 [7, 4] and OMDL+. 2.1 Definition of security of id scheme Let a triple ID = (K, P, V ) of probabilistic polynomialtime algorithms be an identification scheme. Key-generator K generates a pair (pk, sk) of public and private keys on input security parameter k. Prover P with the secret key sk (and the public key pk) proves its identity to verifier V (with the public key pk) through showing its possession of sk. The security of identification scheme ID under passive attack is defined as follows. In the following A 1 acts as an eavesdropper of conversations between an honest prover and an honest verifier. After halting A 1 with output some string St, A 2 with St tries to impersonate the prover. Definition 1 (Security under passive attack). Let a triple ID = (K, P, V ) of probabilistic polynomialtime algorithms be an identification scheme. Let A = (A 1, A 2 ) be any probabilistic polynomial-time adversary. For ID and A, an experiment Exp imp pa is defined as follows (ɛ denotes the empty string). Exp imp pa : (pk, sk) K(k); Invoke A 1 (pk); When A 1 makes query ɛ, reply with the simulated transcript between P (sk, pk) and V (pk); Let St be an output of A 1 ; Invoke A 2 (St); Simulate responses of verifier V (pk) to A 2 (St); Output 1 if the simulated V accepts; else output 0. Then, the advantage of adversary A against ID under passive attack is defined by (k) = Pr[Expimp pa(k) = 1]. ID is called secure under passive attack if for any probabilistic polynomial-time adversary A the advantage ( ) is upper bounded by a negligible function. The security of identification scheme ID under concurrent attack is defined as follows. In the following A 1 acts as a cheating verifier that can take place in concurrent conversations with several prover clones P i (sk)
with the same secret key. Those conversations can be interleaved in any ways. After halting A 1 with output some string St, A 2 with St tries to impersonate the prover P (sk). Definition 2 (Security under concurrent attack). Let a triple ID = (K, P, V ) of probabilistic polynomialtime algorithms be an identification scheme. Let A = (A 1, A 2 ) be any probabilistic polynomial-time adversary. For ID and A = (A 1, A 2 ), an experiment Exp imp ca is defined as follows. Exp imp ca : (pk, sk) K(k); Invoke A 1 (pk); Simulate responses of prover clones P i (sk) concurrently to A 1 ; Let St be an output of A 1 ; Invoke A 2 (St); Simulate responses of verifier V (pk) to A 2 ; Output 1 if the simulated V accepts; else output 0. Then, the advantage of adversary A against ID under concurrent attack is defined by (k) = Pr[Expimp ca(k) = 1]. ID is called secure under concurrent attack if for any probabilistic polynomial-time adversary A its advantage ( ) is upper bounded by a negligible function. 2.2 KEA1 assumption KEA1 assumption [7, 4] for group G = g means that it is possible only when one knows b to generate a DH-pair (g b, g ab ) for a randomly selected g a. Definition 3 (KEA1 Assumption [4]). Let G be a probabilistic polynomial-time algorithm which on input a security parameter k, outputs a prime number q of k bits and a generator g of a group of order q. Let H be any probabilistic polynomial-time algorithm which on input q, g, A( g ) and an auxiliary input w, outputs a pair (B,W) of elements in G. Let H be an extractor for H, that is, any probabilistic polynomial-time algorithm which on input q, g, A and an auxiliary input w, outputs b. For any string w and such G, H, H, an experiment Exp w G,H,H is defined as follows. Exp w G,H,H : (q, g) G(1 k ); a $ Z q ; A = g a ; (B, W ) H(q, g, A, w); b H (q, g, A, w); If W = B a, B g b then return 1; Else return 0. Then, the advantage of adversary H in G for extractor H is defined by Adv w G,H,H (k) = Pr[Expw G,H,H (k) = 1]. G is called to satisfy KEA1 assumption if for any w and any adversary H with time-complexity t H (k), there exists an extractor H with the negligible Adv w G,H,H (k) and with time-complexity t H (k) not larger than time complexity t H (k) of H. KEA1 assumption in [4] is stated without such an auxiliary input w or the condition on the time-complexity. Providing the auxiliary input w for both H and H seems not to affect the validness of the assumption. The condition t H (k) t H (k) on the time-complexity is seemed valid, since H is being assumed to need b to construct (B, W ). 2.3 OMDL+ assumption OMDL+ assumption is a stronger version of OMDL assumption used in [3]. OMDL assumption means it is difficult to solve one more DLP (Discrete Logarithmic Problem) instance even if one is provided with several randomly selected DLP instances with their answers, all sharing the same base element. OMDL+ assumption is stronger in the sense that the challenge problems are given with some hints. Definition 4 (OMDL+ Assumption). Let G be a probabilistic polynomial-time algorithm which on input a security parameter k, outputs a prime number q of k bits and a generator g of a group of order q. Let I be any probabilistic polynomial-time algorithm which on input q, g outputs x 1,..., x n using the challenge oracle CO and the DL oracle DL. The challenge oracle CO g given query h answers with a pair of g x and h x, where x is randomly chosen from Z q independently by every query. The DL oracle DL g, given query h, answers with x satisfying h = g x. For such G and I, an experiment Exp omdl+ is defined as follows. Exp omdl+ : (q, g) G(1 k ); Invoke I CO g,dl g (q, g); When I makes a query to CO g, let CO g reply with such (g i, h i ); When I makes query h to DL g, let DL g reply with log g (h); Let (x 1,..., x n ) be an output of I; Let (g 1, h 1 ),..., (g n, h n ) be the overall challenges by CO g ; Let m be the number of the overall replies by DL g ; If g i = g x i for all i = 1,..., n and m < n then return 1; Else return 0. Then, the advantage of adversary I against G is defined by Adv omdl+ (k) = Pr[Exp omdl+ (k) = 1]. G is called to satisfy OMDL+ assumption if for any probabilistic polynomial-time algorithm adversary I its advantage Adv omdl+ ( ) is upper bounded by a negligible function. It is easily seen that OMDL+ assumption means OMDL assumption and that OMDL assumption means CDH assumption or OMDL+ assumption. 3 The Identification Scheme IDKEA1 We describe our identification scheme IDKEA1= {K, P, V }.
Let G be a probabilistic polynomial-time algorithm which given security parameter k outputs a prime number q of k bits and a generator g of a group of order q. Key-generation algorithm K of IDKEA1 on input k runs G(k) to get q, g 1, chooses x randomly from Z q, computes h 1 = g x 1 and outputs x and q, g 1, h 1 as a secret key and a public key, respectively. In IDKEA1, prover P (with a secret key x) proves its identity to verifier V (with a public key q, g 1, h 1 ) as follows. 1 V randomly selects a from Z q and computes g 2 = g a 1. V sends g 2 to P. 2 P randomly selects m 0 from Z q and computes c 1 = g m 0 1, c 2 = g m 0 2. P sends c 1, c 2 to V. 3 V sees whether c 2 = c a 1 or not. If not V aborts, else V randomly selects r from Z q and sends r to P. 4 P computes m = m 0 rx and sends m to V. 5 V sees whether c 1 = g m 1 h r 1 dose hold or not. If it does, V accepts. Otherwise V rejects. As seen above, IDKEA1 needs two exponentiations for a prover and three exponentiations for a verifier, and it needs four message exchanged. Thus, IDKEA1 is not so efficient as Schnorr identification scheme in computations and communications. However, IDKEA1 has security proof with tight reduction without the loss of security. 4 Security of IDKEA1 We prove the security of IDKEA1. In the proof, the simulator can open the cheating prover s commitment in two different ways: one by the non-black-box extractor of KEA1 assumption and the another through the simulated transcript. So, we don t need to rewind. 4.1 Security under passive attack Security of IDKEA1 under passive attack is proven under the assumptions DLA and KEA1 with tight reduction. Theorem 1. Under the assumptions DLA and KEA1 is secure under passive attack. More precisely, for all passive adversary A = (A 1, A 2 ) against the scheme, there is DL extractor E and a negligible function η( ) satisfying (k) Advdl G,E(k) + η(k). Furthermore, the time-complexity of E is about the twice t E (k) 2t A (k) + O(k 3 q(k)), where q(k) denotes the number of queries by A 1. Proof. Let A = (A 1, A 2 ) be any passive adversary against ID = {K, P, V }. We construct a DL extractor E by using A. Let q, g 1, h 1 be generated as in K(k): q, g 1 G(k); x $ Z q ; h 1 = g x 1. On inputs q, g 1, h 1, DL extractor E proceeds as follows. 1 E starts the adversary A 1 with inputs q, g 1, h 1. When A 1 makes a query ɛ, E computes a $ Zq ; g 2 = g a $ Zq m, r c 1 = g1 m h r 1 ; c 2 = c a 1 and answer A 1 with transcript (g 2, (c 1, c 2), r, m ). Note the simulated transcripts are distributed just as real ones between honest P and V. Suppose A 1 halts and outputs string St. 2 E starts the adversary A 2 with input St and with random coins R. E randomly selects a from Z q, computes g 2 = g1, a and gives g 2 to A 2. Suppose A 2 replies with message c 1, c 2. If c 1 a c 2, then E aborts. Else E randomly selects r from Z q and sends r to A 2. Then, A 2 is supposed to output m and halt. If c 1 g1 m h r 1, E aborts. Note informations given to A 2 are distributed just as real ones given by real V. 3 Consider the following KEA1 adversary H on inputs (of the above) g 1, g 2 and w = St, R: KEA1 adversary H(g 1, g 2, (St, R)): Invoke A 2 (St; R); Give g 2 to A 2 ; Get c 1, c 2 from A 2 ; Output c 1, c 2. E invokes the corresponding extractor H to H on the same inputs: m 0 H (g 1, g 2, (St, R)); 4 E outputs ˆx = (m 0 m )r 1. Now we evaluate the success probability Pr[ˆx = x] of the DL extractor E. Let Imp be an event that A 2 successfully impersonates P in the above simulation by E and Ext be an event the equation c 1 = g m 0 1 does hold. Note that if Imp holds, we have If Ext holds, we have 1 c 2 = c a 1, c 1 = g1 m h r 1. (1) c 1 = g m 0 1. (2) By the second equation of Equation (1) and Equation (2), we see x = (m 0 m )r 1 = ˆx.
Thus, So, Pr[ˆx = x] Pr[Imp Ext] Pr[Imp] Pr[ Ext Imp] Pr[Imp] Pr[ˆx = x] + Pr[ Ext Imp]. By the definition of Ext and Imp, Pr[ Ext Imp] Pr[c 2 = c a 1 c 1 g m 0 1 ]. However, by KEA1 assumption w.r.t. H and H, the right-hand side of the above inequality is upper bounded by a negligible function η( ). So, we have Pr[Imp] Pr[ˆx = x] + η. This means the claimed inequality for the advantages. Since KEA1 assumes that t H t H, the inequality for the time-complexity is easily seen. 4.2 Security under concurrent attack Under OMDL+ and KEA1 assumptions, IDKEA1 is proven to be secure even under the concurrent attack also with tight reduction. Theorem 2. Under the assumptions OMDL+ and KEA1 is secure under the concurrent attack. More precisely, for all adversary A = (A 1, A 2 ) under the concurrent attack against the scheme, there is OMDL+ solver I and a negligible function η( ) satisfying (k) Advomdl+ (k) + η(k). Furthermore, the time-complexity of I is about the twice t I (k) 2t A (k) + O(n(k) k 3 ), where n(k) denotes the number of prover clones in the concurrent attack. Proof. Let A = (A 1, A 2 ) be any adversary in concurrent attack against ID = {K, P, V }. We construct an OMDL+ solver I by using A. Let q, g 1 be generated by q, g 1 G(k). On inputs q, g 1, OMDL+ solver I proceeds as follows. 1 I randomly chooses a from Z q and computes g 2 = g1 a. I sends g 2 to the challenge oracle CO g1 to get the response h 1 (= g x0 1 ), h 2(= g 2x 0 ). I starts the adversary A 1 with inputs q, g 1, h 1. 2 When A 1 sends the message g2 (i) to some prover clone (in the i-th session), I forwards the message g2 (i) to the challenge oracle CO g1 and get the response c (i) 1 (= gxi 1 ), c(i) 2 (= g 2 (i)x i ). I hands c (i) 1, c(i) 2 to A 1. When A 1 sends the response message r (i) to the prover clone, I makes a query c (i) 1 h r (i) 1 to the DL oracle DL g1 and gets the response m (i), which is transferred to A 1 by I. Suppose A 1 halts and outputs string St after performing concurrently such n sessions(i = 1,..., n). It is easy to see that the above simulation of prover clones for A 1 is perfect. 3 I starts the adversary A 2 with input St and with random coins R. I randomly selects a from Z q, computes g 2 = g1, a and gives g 2 to A 2. Suppose A 2 replies with message c 1, c 2. If c 1 a c 2, then I aborts. Else I randomly selects r from Z q and sends r to A 2. Then, A 2 is supposed to output m and halt. If c 1 g1 m h r 1, I aborts. Note the simulation of verifier V is perfect for A 2. 4 Consider the following KEA1 adversary H on inputs (of the above) g 1, g 2 and w = St, R: KEA1 adversary H(g 1, g 2, (St, R)): Invoke A 2 (St; R); Give g 2 to A 2 ; Get c 1, c 2 from A 2 ; Output c 1, c 2. I invokes the corresponding extractor H to H on the same inputs: m 0 H (g 1, g 2, (St, R)); 5 I outputs ˆx 0 = (m 0 m )r 1 and ˆx i = m (i) + ˆx 0 r (i) for i = 1,..., n. Now we evaluate the success probability Pr[ ˆx i = x i (i = 0, 1,..., n)] of the OMDL+ solver I. Let Imp be an event that A 2 successfully impersonates P in the above simulation by I and Ext be an event the equation c 1 = g m 0 1 does hold. Note that if Imp holds, we have If Ext holds, we have c 2 = c a 1, c 1 = g1 m h r 1. (3) c 1 = g m 0 1. (4) By the second equation of Equation (3) and Equation (4), we see and since g m(i) Thus, x 0 = (m 0 m )r 1 = ˆx 0, = c (i) 1 h r (i) 1, we have x i = DL g1 (c (i) 1 ) = m(i) + x 0 r (i) = ˆx i. Pr[ ˆx i = x i (i = 0, 1,..., n)] Pr[Imp Ext] So, Pr[Imp] Pr[ Ext Imp] Pr[Imp] Pr[ ˆx i = x i (i = 0, 1,..., n)]+pr[ Ext Imp].
By the definition of Ext and Imp, Pr[ Ext Imp] Pr[c 2 = c a 1 c 1 g m 0 1 ]. However, by KEA1 assumption w.r.t. H and H, the right-hand side of the above inequality is upper bounded by a negligible function η( ). So, we have Pr[Imp] Pr[ ˆx i = x i (i = 0, 1,..., n)] + η. This means the claimed inequality for the advantages. Since KEA1 assumes that t H t H, the inequality for the time-complexity is easily seen. References [1] B. Barak, How to go beyond the black-box simulation barrier, Proc. 42nd FOCS, pp. 106-115, IEEE, 2001. [2] B. Barak, and Y. Lindell, Strict Polynomial-time in Simulation and Extraction, In Proceedings of the 34th Annual Symposium on Theory of Computing. ACM, [3] M. Bellare and A. Palacio, GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks, pp. 162-177, Proc. of Crypto 2002, LNCS 2442. [4] M. Bellare and A. Palacio, The Knowledgeof-Exponent Assumptions and 3-Round Zero- Knowledge Protocols, pp. 273-289, Proc. of Crypto 2004, LNCS 3152. [5] A. Fiat and A. Shamir, How to prove yourself: Practical solutions to identification and signature problems, Proc. of Crypto 86, LNCS 263. [6] L. Guillou and J.J. Quisquater, A paradoxical identity-based signature scheme resulting from zero-knowledge, Proc. of Crypto 88, LNCS 403. [7] S. Hada and T. Tanaka, On the existence of 3-round zero-knowledge protocols, pp. 408-423, Proc. of Crypto 98, LNCS 1462. [8] C. P. Schnorr, Efficient signature generation by smart cards, Journal of Cryptology, 4(3), pp. 161-174, 1991. [9] I. Teranishi, Computationally efficient signature scheme with tight security reduction to Discrete Logarithm Problem, SCIS 05, 3E3-4, 2005.