An Identification Scheme Based on KEA1 Assumption

Similar documents
PAPER An Identification Scheme with Tight Reduction

GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL

Identification Schemes of Proofs of Ability Secure against Concurrent Man-in-the-Middle Attacks

A Note on the Cramer-Damgård Identification Scheme

Homework 3 Solutions

Katz, Lindell Introduction to Modern Cryptrography

The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols

PAIRING-BASED IDENTIFICATION SCHEMES

Entity Authentication

Impossibility and Feasibility Results for Zero Knowledge with Public Keys

Session 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols

Notes on Zero Knowledge

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

Pairing-Based Identification Schemes

Identity-Based Identification Schemes

On The (In)security Of Fischlin s Paradigm

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Interactive Zero-Knowledge with Restricted Random Oracles

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

A Fair and Efficient Solution to the Socialist Millionaires Problem

Lecture 10: Zero-Knowledge Proofs

Statistically Secure Sigma Protocols with Abort

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

Interactive protocols & zero-knowledge

Cryptographical Security in the Quantum Random Oracle Model

On The (In)security Of Fischlin s Paradigm

Digital Signatures from Challenge-Divided Σ-Protocols

Foundations of Cryptography

Constant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model

Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes

Short Exponent Diffie-Hellman Problems

How many rounds can Random Selection handle?

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Efficient Password-based Authenticated Key Exchange without Public Information

The Round-Complexity of Black-Box Zero-Knowledge: A Combinatorial Characterization

III. Authentication - identification protocols

Tightly-Secure Signatures From Lossy Identification Schemes

March 19: Zero-Knowledge (cont.) and Signatures

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Practical Verifiable Encryption and Decryption of Discrete Logarithms

Concurrent Non-malleable Commitments from any One-way Function

Lecture 15 - Zero Knowledge Proofs

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Transitive Signatures Based on Non-adaptive Standard Signatures

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

The odd couple: MQV and HMQV

Constructing Provably-Secure Identity-Based Signature Schemes

Extracting Witnesses from Proofs of Knowledge in the Random Oracle Model

Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95

Proofs of Storage from Homomorphic Identification Protocols

Lecture 3: Interactive Proofs and Zero-Knowledge

Public Key Authentication with One (Online) Single Addition

Improved ID-based Authenticated Group Key Agreement Secure Against Impersonation Attack by Insider

Communication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

How to Go Beyond the Black-Box Simulation Barrier

Constant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model

Interactive protocols & zero-knowledge

Resettable Zero-Knowledge in the Weak Public-Key Model

Schnorr Signature. Schnorr Signature. October 31, 2012

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols

Decentralized Identity Management Scheme and its Realization by RSA and Discrete-Log-Based Encryption

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Probabilistically Checkable Arguments

CMSC 858K Introduction to Secure Computation October 18, Lecture 19

1 Number Theory Basics

Notes for Lecture 17

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Non-Conversation-Based Zero Knowledge

Fast Signature Generation with a. Fiat Shamir { Like Scheme. Fachbereich Mathematik / Informatik. Abstract

From Secure MPC to Efficient Zero-Knowledge

On the Security of Classic Protocols for Unique Witness Relations

Lecture 3,4: Universal Composability

On the (In)security of the Fiat-Shamir Paradigm

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

VI. The Fiat-Shamir Heuristic

An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle

Cryptographic Protocols Notes 2

Zero-Knowledge Proofs and Protocols

Lecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Zero-knowledge proofs of knowledge for group homomorphisms

Secure and Practical Identity-Based Encryption

18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Simple SK-ID-KEM 1. 1 Introduction

3-Move Undeniable Signature Scheme

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Limits of Security Reductions From Standard Assumptions

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Lecture 13: Seed-Dependent Key Derivation

Zero Knowledge in the Random Oracle Model, Revisited

George Danezis Microsoft Research, Cambridge, UK

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

An Epistemic Characterization of Zero Knowledge

A Strong Identity Based Key-Insulated Cryptosystem

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Transcription:

All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to SCIS 2006 does not prevent future submissions to any journals or conferences with proceedings. SCIS 2006 The 2006 Symposium on Cryptography and Information Security Hiroshima, Japan, Jan. 17-20, 2006 The Institute of Electronics, Information and Communication Engineers An Identification Scheme Based on KEA1 Assumption Natsumi Kawashima Seigo Arita Abstract There are three well-known identification schemes: Fiat-Shamir, GQ and Schnorr identification schemes. All of them are proven secure against passive or active attacks under number theoretic assumptions. However, the efficiencies of reductions in those proofs are not tight, since they need rewinding. We show an identification scheme IDKEA1. Although it needs four exchanges of messages and slightly more exponentiations, IDKEA1 is proved to be secure under KEA1 assumption with tight reduction to DLA. The idea underlying IDKEA1 is to use extractable commitment for prover s commitment. In the proof of security, the simulator can open the commitment in two different ways: one by the non-black-box extractor of KEA1 assumption and the another through the simulated transcript. So, we don t need to rewind and can prove the security without the loss of efficiency of the reduction. Keywords: identification scheme, rewinding, KEA1 assumption, tight reduction. 1 Introduction 1.1 Zero-Knowledge Identification Scheme The zero-knowledge identification scheme is a triple (K, P, V ) of probabilistic polynomial-time algorithms. Key-generator K generates a pair (pk, sk) of public and private keys on input security parameter k. Prover P with the secret key sk (and the public key pk) proves its identity to verifier V (with the public key pk) through showing its possession of sk in (honest-verifier) zeroknowledge. The major security goal of identification scheme is to prevent an adversary A with no secret key sk from impersonating the prover P. Such an adversary A is called passive if A only eavesdrops message flows between honest P and honest V. If A acts as a cheating prover or verifier beyond eavesdropping, A is called active adversary. In particular, if A can act as a cheating verifier concurrently against several prover clones with the same secret key, the attack is called concurrent attack, in which interest has been growing. There are three well-known identification schemes: Fiat-Shamir [5], GQ [6] and Schnorr [8] identification schemes. Fiat-Shamir scheme is proven to be secure against impersonation of active adversary based on the difficulty of integer factorization problem. However, it needs rather long secret keys. GQ identification scheme is an extension of Fiat-Shamir scheme, which reduces both number of messages exchanged and memory requirements for secret keys. GQ identification scheme is proven to be secure against passive and concurrent attack under RSA assumption and One-moreinversion assumption, respectively [3]. Schnorr identification scheme is an alternative to Fiat-Shamir and GQ schemes. It is also proven to be secure against passive and concurrent attack under DLA (Discrete Log- Institute of Information Security, Graduate School of Information Security, Japan. arithmic Assumption) and One-More-DL assumption, respectively [3]. 1.2 Provable Security of Identification Scheme Let us briefly see how the proof of the security against impersonation does work in the case of Schnorr scheme. Remember that in Schnorr scheme, P has a secret key x and V has a public key q, g, h(= g x ). P randomly chooses k from Z q, computes a commitment t = g k and sends t to V. V, then, randomly chooses a challenge c from Z q and sends c to P. P responses y = k + xc to V, which sees whether y can correctly open h c t or not, that is, the equality of g y = h c t. Suppose there is an adversary A which can impersonate a prover in Schnorr scheme with a non-negligible probability. A simulator S invokes a copy of A, which is given a public key h(= g x ) of security parameter k, and plays a role of a verifier. The simulator S, receiving a cheating commitment t from A, sends a random challenge c to A and gets a cheating response y. Then, we have g y = h c t with the probability equal to success probability of A. Now, we rewind S to the point generating a random challenge to get a new challenge c 1 and the corresponding new response y1. We have g y 1 = h c 1 t also with the probability equal to success probability of A. Then, we can compute the discrete logarithm x = (y y1)(c c 1 ) 1 of h with the probability of square of success probability of A. Thus, we have with some negligible function η Adv imp (k) Adv dl G,E(k) + η(k), where Adv imp and Advdl G,E denotes the advantage of the impersonator A against ID and the advantage of the extractor E of DLP (Discrete Logarithmic Problem) on G = g, respectively. This contradicts to DLA. Note the time-complexity t E of E is about the twice t E (k) 2t A (k) + O(k 3 ).

The above (standard) proof depends on the wellknown technique rewind to extract. As seen above, the technique sacrifices the efficiency of the reduction. The probability to extract the secret is only the square of probability of the successful attack. The similar situation holds also for Fiat-Shamir and GQ schemes. 1.3 Our results We show an identification scheme IDKEA1. Although it needs four messages exchanged and one more and two more exponentiations for a prover and a verifier respectively than Schnorr s scheme, IDKEA1 is proved to be secure under KEA1 assumption [7, 4] with tight reduction to DLA. The idea underlying IDKEA1, which is inspired by Barak s generic non-back-box techniques [1, 2], is to use extractable commitment for prover s commitment. The extractable commitment is actually extractable only by the simulator who can use the nonblack-box extractor of KEA1 assumption. In the proof of security, the simulator can open the commitment in two different ways: one by the non-black-box extractor and the another through the simulated transcript. So, we don t need to use the rewind technique and can prove the security without the loss of efficiency of the reduction. Our first main theorem is as follows. Theorem 1. Under the assumptions DLA and KEA1 is secure under passive attack. More precisely, for all passive adversary A = (A 1, A 2 ) against the scheme, there is DL extractor E and a negligible function η( ) satisfying (k) Advdl G,E(k) + η(k). Furthermore, the time-complexity of E is about the twice t E (k) 2t A (k) + O(k 3 q(k)), where q(k) denotes the number of queries by A 1. Using the variant OMDL+ of OMDL assumption [3], we can prove IDKEA1 is secure even under the concurrent attack also with tight reduction: Theorem 2. Under the assumptions OMDL+ and KEA1 is secure under the concurrent attack. More precisely, for all adversary A = (A 1, A 2 ) under the concurrent attack against the scheme, there is OMDL+ solver I and a negligible function η( ) satisfying (k) Advomdl+ (k) + η(k). Furthermore, the time-complexity of I is about the twice t I (k) 2t A (k) + O(n(k) k 3 ), where n(k) denotes the number of prover clones in the concurrent attack. 1.4 Related works [4] shows 3-Round Zero-Knowledge protocol in which KEA3 assumption (a variant of KEA1) is used to prove its soundness. However the role played by KEA3 assumption is different from ours. The proof of the soundness in [4] needs the rewinding to extract the secret of the cheating prover. [9] shows a proof of knowledge system of DL knowledge, which establishes the tight reduction to DLA in the random oracle model. Our protocol doesn t rely on the random oracle. 2 Definitions and Assumptions In this section, we clarify the security of identification scheme under passive and concurrent attacks and introduce two assumptions KEA1 [7, 4] and OMDL+. 2.1 Definition of security of id scheme Let a triple ID = (K, P, V ) of probabilistic polynomialtime algorithms be an identification scheme. Key-generator K generates a pair (pk, sk) of public and private keys on input security parameter k. Prover P with the secret key sk (and the public key pk) proves its identity to verifier V (with the public key pk) through showing its possession of sk. The security of identification scheme ID under passive attack is defined as follows. In the following A 1 acts as an eavesdropper of conversations between an honest prover and an honest verifier. After halting A 1 with output some string St, A 2 with St tries to impersonate the prover. Definition 1 (Security under passive attack). Let a triple ID = (K, P, V ) of probabilistic polynomialtime algorithms be an identification scheme. Let A = (A 1, A 2 ) be any probabilistic polynomial-time adversary. For ID and A, an experiment Exp imp pa is defined as follows (ɛ denotes the empty string). Exp imp pa : (pk, sk) K(k); Invoke A 1 (pk); When A 1 makes query ɛ, reply with the simulated transcript between P (sk, pk) and V (pk); Let St be an output of A 1 ; Invoke A 2 (St); Simulate responses of verifier V (pk) to A 2 (St); Output 1 if the simulated V accepts; else output 0. Then, the advantage of adversary A against ID under passive attack is defined by (k) = Pr[Expimp pa(k) = 1]. ID is called secure under passive attack if for any probabilistic polynomial-time adversary A the advantage ( ) is upper bounded by a negligible function. The security of identification scheme ID under concurrent attack is defined as follows. In the following A 1 acts as a cheating verifier that can take place in concurrent conversations with several prover clones P i (sk)

with the same secret key. Those conversations can be interleaved in any ways. After halting A 1 with output some string St, A 2 with St tries to impersonate the prover P (sk). Definition 2 (Security under concurrent attack). Let a triple ID = (K, P, V ) of probabilistic polynomialtime algorithms be an identification scheme. Let A = (A 1, A 2 ) be any probabilistic polynomial-time adversary. For ID and A = (A 1, A 2 ), an experiment Exp imp ca is defined as follows. Exp imp ca : (pk, sk) K(k); Invoke A 1 (pk); Simulate responses of prover clones P i (sk) concurrently to A 1 ; Let St be an output of A 1 ; Invoke A 2 (St); Simulate responses of verifier V (pk) to A 2 ; Output 1 if the simulated V accepts; else output 0. Then, the advantage of adversary A against ID under concurrent attack is defined by (k) = Pr[Expimp ca(k) = 1]. ID is called secure under concurrent attack if for any probabilistic polynomial-time adversary A its advantage ( ) is upper bounded by a negligible function. 2.2 KEA1 assumption KEA1 assumption [7, 4] for group G = g means that it is possible only when one knows b to generate a DH-pair (g b, g ab ) for a randomly selected g a. Definition 3 (KEA1 Assumption [4]). Let G be a probabilistic polynomial-time algorithm which on input a security parameter k, outputs a prime number q of k bits and a generator g of a group of order q. Let H be any probabilistic polynomial-time algorithm which on input q, g, A( g ) and an auxiliary input w, outputs a pair (B,W) of elements in G. Let H be an extractor for H, that is, any probabilistic polynomial-time algorithm which on input q, g, A and an auxiliary input w, outputs b. For any string w and such G, H, H, an experiment Exp w G,H,H is defined as follows. Exp w G,H,H : (q, g) G(1 k ); a $ Z q ; A = g a ; (B, W ) H(q, g, A, w); b H (q, g, A, w); If W = B a, B g b then return 1; Else return 0. Then, the advantage of adversary H in G for extractor H is defined by Adv w G,H,H (k) = Pr[Expw G,H,H (k) = 1]. G is called to satisfy KEA1 assumption if for any w and any adversary H with time-complexity t H (k), there exists an extractor H with the negligible Adv w G,H,H (k) and with time-complexity t H (k) not larger than time complexity t H (k) of H. KEA1 assumption in [4] is stated without such an auxiliary input w or the condition on the time-complexity. Providing the auxiliary input w for both H and H seems not to affect the validness of the assumption. The condition t H (k) t H (k) on the time-complexity is seemed valid, since H is being assumed to need b to construct (B, W ). 2.3 OMDL+ assumption OMDL+ assumption is a stronger version of OMDL assumption used in [3]. OMDL assumption means it is difficult to solve one more DLP (Discrete Logarithmic Problem) instance even if one is provided with several randomly selected DLP instances with their answers, all sharing the same base element. OMDL+ assumption is stronger in the sense that the challenge problems are given with some hints. Definition 4 (OMDL+ Assumption). Let G be a probabilistic polynomial-time algorithm which on input a security parameter k, outputs a prime number q of k bits and a generator g of a group of order q. Let I be any probabilistic polynomial-time algorithm which on input q, g outputs x 1,..., x n using the challenge oracle CO and the DL oracle DL. The challenge oracle CO g given query h answers with a pair of g x and h x, where x is randomly chosen from Z q independently by every query. The DL oracle DL g, given query h, answers with x satisfying h = g x. For such G and I, an experiment Exp omdl+ is defined as follows. Exp omdl+ : (q, g) G(1 k ); Invoke I CO g,dl g (q, g); When I makes a query to CO g, let CO g reply with such (g i, h i ); When I makes query h to DL g, let DL g reply with log g (h); Let (x 1,..., x n ) be an output of I; Let (g 1, h 1 ),..., (g n, h n ) be the overall challenges by CO g ; Let m be the number of the overall replies by DL g ; If g i = g x i for all i = 1,..., n and m < n then return 1; Else return 0. Then, the advantage of adversary I against G is defined by Adv omdl+ (k) = Pr[Exp omdl+ (k) = 1]. G is called to satisfy OMDL+ assumption if for any probabilistic polynomial-time algorithm adversary I its advantage Adv omdl+ ( ) is upper bounded by a negligible function. It is easily seen that OMDL+ assumption means OMDL assumption and that OMDL assumption means CDH assumption or OMDL+ assumption. 3 The Identification Scheme IDKEA1 We describe our identification scheme IDKEA1= {K, P, V }.

Let G be a probabilistic polynomial-time algorithm which given security parameter k outputs a prime number q of k bits and a generator g of a group of order q. Key-generation algorithm K of IDKEA1 on input k runs G(k) to get q, g 1, chooses x randomly from Z q, computes h 1 = g x 1 and outputs x and q, g 1, h 1 as a secret key and a public key, respectively. In IDKEA1, prover P (with a secret key x) proves its identity to verifier V (with a public key q, g 1, h 1 ) as follows. 1 V randomly selects a from Z q and computes g 2 = g a 1. V sends g 2 to P. 2 P randomly selects m 0 from Z q and computes c 1 = g m 0 1, c 2 = g m 0 2. P sends c 1, c 2 to V. 3 V sees whether c 2 = c a 1 or not. If not V aborts, else V randomly selects r from Z q and sends r to P. 4 P computes m = m 0 rx and sends m to V. 5 V sees whether c 1 = g m 1 h r 1 dose hold or not. If it does, V accepts. Otherwise V rejects. As seen above, IDKEA1 needs two exponentiations for a prover and three exponentiations for a verifier, and it needs four message exchanged. Thus, IDKEA1 is not so efficient as Schnorr identification scheme in computations and communications. However, IDKEA1 has security proof with tight reduction without the loss of security. 4 Security of IDKEA1 We prove the security of IDKEA1. In the proof, the simulator can open the cheating prover s commitment in two different ways: one by the non-black-box extractor of KEA1 assumption and the another through the simulated transcript. So, we don t need to rewind. 4.1 Security under passive attack Security of IDKEA1 under passive attack is proven under the assumptions DLA and KEA1 with tight reduction. Theorem 1. Under the assumptions DLA and KEA1 is secure under passive attack. More precisely, for all passive adversary A = (A 1, A 2 ) against the scheme, there is DL extractor E and a negligible function η( ) satisfying (k) Advdl G,E(k) + η(k). Furthermore, the time-complexity of E is about the twice t E (k) 2t A (k) + O(k 3 q(k)), where q(k) denotes the number of queries by A 1. Proof. Let A = (A 1, A 2 ) be any passive adversary against ID = {K, P, V }. We construct a DL extractor E by using A. Let q, g 1, h 1 be generated as in K(k): q, g 1 G(k); x $ Z q ; h 1 = g x 1. On inputs q, g 1, h 1, DL extractor E proceeds as follows. 1 E starts the adversary A 1 with inputs q, g 1, h 1. When A 1 makes a query ɛ, E computes a $ Zq ; g 2 = g a $ Zq m, r c 1 = g1 m h r 1 ; c 2 = c a 1 and answer A 1 with transcript (g 2, (c 1, c 2), r, m ). Note the simulated transcripts are distributed just as real ones between honest P and V. Suppose A 1 halts and outputs string St. 2 E starts the adversary A 2 with input St and with random coins R. E randomly selects a from Z q, computes g 2 = g1, a and gives g 2 to A 2. Suppose A 2 replies with message c 1, c 2. If c 1 a c 2, then E aborts. Else E randomly selects r from Z q and sends r to A 2. Then, A 2 is supposed to output m and halt. If c 1 g1 m h r 1, E aborts. Note informations given to A 2 are distributed just as real ones given by real V. 3 Consider the following KEA1 adversary H on inputs (of the above) g 1, g 2 and w = St, R: KEA1 adversary H(g 1, g 2, (St, R)): Invoke A 2 (St; R); Give g 2 to A 2 ; Get c 1, c 2 from A 2 ; Output c 1, c 2. E invokes the corresponding extractor H to H on the same inputs: m 0 H (g 1, g 2, (St, R)); 4 E outputs ˆx = (m 0 m )r 1. Now we evaluate the success probability Pr[ˆx = x] of the DL extractor E. Let Imp be an event that A 2 successfully impersonates P in the above simulation by E and Ext be an event the equation c 1 = g m 0 1 does hold. Note that if Imp holds, we have If Ext holds, we have 1 c 2 = c a 1, c 1 = g1 m h r 1. (1) c 1 = g m 0 1. (2) By the second equation of Equation (1) and Equation (2), we see x = (m 0 m )r 1 = ˆx.

Thus, So, Pr[ˆx = x] Pr[Imp Ext] Pr[Imp] Pr[ Ext Imp] Pr[Imp] Pr[ˆx = x] + Pr[ Ext Imp]. By the definition of Ext and Imp, Pr[ Ext Imp] Pr[c 2 = c a 1 c 1 g m 0 1 ]. However, by KEA1 assumption w.r.t. H and H, the right-hand side of the above inequality is upper bounded by a negligible function η( ). So, we have Pr[Imp] Pr[ˆx = x] + η. This means the claimed inequality for the advantages. Since KEA1 assumes that t H t H, the inequality for the time-complexity is easily seen. 4.2 Security under concurrent attack Under OMDL+ and KEA1 assumptions, IDKEA1 is proven to be secure even under the concurrent attack also with tight reduction. Theorem 2. Under the assumptions OMDL+ and KEA1 is secure under the concurrent attack. More precisely, for all adversary A = (A 1, A 2 ) under the concurrent attack against the scheme, there is OMDL+ solver I and a negligible function η( ) satisfying (k) Advomdl+ (k) + η(k). Furthermore, the time-complexity of I is about the twice t I (k) 2t A (k) + O(n(k) k 3 ), where n(k) denotes the number of prover clones in the concurrent attack. Proof. Let A = (A 1, A 2 ) be any adversary in concurrent attack against ID = {K, P, V }. We construct an OMDL+ solver I by using A. Let q, g 1 be generated by q, g 1 G(k). On inputs q, g 1, OMDL+ solver I proceeds as follows. 1 I randomly chooses a from Z q and computes g 2 = g1 a. I sends g 2 to the challenge oracle CO g1 to get the response h 1 (= g x0 1 ), h 2(= g 2x 0 ). I starts the adversary A 1 with inputs q, g 1, h 1. 2 When A 1 sends the message g2 (i) to some prover clone (in the i-th session), I forwards the message g2 (i) to the challenge oracle CO g1 and get the response c (i) 1 (= gxi 1 ), c(i) 2 (= g 2 (i)x i ). I hands c (i) 1, c(i) 2 to A 1. When A 1 sends the response message r (i) to the prover clone, I makes a query c (i) 1 h r (i) 1 to the DL oracle DL g1 and gets the response m (i), which is transferred to A 1 by I. Suppose A 1 halts and outputs string St after performing concurrently such n sessions(i = 1,..., n). It is easy to see that the above simulation of prover clones for A 1 is perfect. 3 I starts the adversary A 2 with input St and with random coins R. I randomly selects a from Z q, computes g 2 = g1, a and gives g 2 to A 2. Suppose A 2 replies with message c 1, c 2. If c 1 a c 2, then I aborts. Else I randomly selects r from Z q and sends r to A 2. Then, A 2 is supposed to output m and halt. If c 1 g1 m h r 1, I aborts. Note the simulation of verifier V is perfect for A 2. 4 Consider the following KEA1 adversary H on inputs (of the above) g 1, g 2 and w = St, R: KEA1 adversary H(g 1, g 2, (St, R)): Invoke A 2 (St; R); Give g 2 to A 2 ; Get c 1, c 2 from A 2 ; Output c 1, c 2. I invokes the corresponding extractor H to H on the same inputs: m 0 H (g 1, g 2, (St, R)); 5 I outputs ˆx 0 = (m 0 m )r 1 and ˆx i = m (i) + ˆx 0 r (i) for i = 1,..., n. Now we evaluate the success probability Pr[ ˆx i = x i (i = 0, 1,..., n)] of the OMDL+ solver I. Let Imp be an event that A 2 successfully impersonates P in the above simulation by I and Ext be an event the equation c 1 = g m 0 1 does hold. Note that if Imp holds, we have If Ext holds, we have c 2 = c a 1, c 1 = g1 m h r 1. (3) c 1 = g m 0 1. (4) By the second equation of Equation (3) and Equation (4), we see and since g m(i) Thus, x 0 = (m 0 m )r 1 = ˆx 0, = c (i) 1 h r (i) 1, we have x i = DL g1 (c (i) 1 ) = m(i) + x 0 r (i) = ˆx i. Pr[ ˆx i = x i (i = 0, 1,..., n)] Pr[Imp Ext] So, Pr[Imp] Pr[ Ext Imp] Pr[Imp] Pr[ ˆx i = x i (i = 0, 1,..., n)]+pr[ Ext Imp].

By the definition of Ext and Imp, Pr[ Ext Imp] Pr[c 2 = c a 1 c 1 g m 0 1 ]. However, by KEA1 assumption w.r.t. H and H, the right-hand side of the above inequality is upper bounded by a negligible function η( ). So, we have Pr[Imp] Pr[ ˆx i = x i (i = 0, 1,..., n)] + η. This means the claimed inequality for the advantages. Since KEA1 assumes that t H t H, the inequality for the time-complexity is easily seen. References [1] B. Barak, How to go beyond the black-box simulation barrier, Proc. 42nd FOCS, pp. 106-115, IEEE, 2001. [2] B. Barak, and Y. Lindell, Strict Polynomial-time in Simulation and Extraction, In Proceedings of the 34th Annual Symposium on Theory of Computing. ACM, [3] M. Bellare and A. Palacio, GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks, pp. 162-177, Proc. of Crypto 2002, LNCS 2442. [4] M. Bellare and A. Palacio, The Knowledgeof-Exponent Assumptions and 3-Round Zero- Knowledge Protocols, pp. 273-289, Proc. of Crypto 2004, LNCS 3152. [5] A. Fiat and A. Shamir, How to prove yourself: Practical solutions to identification and signature problems, Proc. of Crypto 86, LNCS 263. [6] L. Guillou and J.J. Quisquater, A paradoxical identity-based signature scheme resulting from zero-knowledge, Proc. of Crypto 88, LNCS 403. [7] S. Hada and T. Tanaka, On the existence of 3-round zero-knowledge protocols, pp. 408-423, Proc. of Crypto 98, LNCS 1462. [8] C. P. Schnorr, Efficient signature generation by smart cards, Journal of Cryptology, 4(3), pp. 161-174, 1991. [9] I. Teranishi, Computationally efficient signature scheme with tight security reduction to Discrete Logarithm Problem, SCIS 05, 3E3-4, 2005.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback