
Identification Protocols

An identification protocol allows a prover Peggy to convince a verifier Vic of her identity. A goal of an identification scheme is that someone listening in as Peggy identifies herself to Vic should not subsequently be able to misrepresent herself as Peggy. Furthermore, it is desirable to guard against the possibility that Vic himself tries to impersonate Peggy after Peggy has identified herself. We will see that efficient implementations of such schemes exist.

Zero-knowledge identification protocols provide a mechanism to achieve the desirable properties. In general, Peggy has a secret key known only to her and a public key known to Vic. Thus, if some person can prove to Bob that he knows Peggy's secret key corresponding to Peggy's public key, then Bob can conclude that this person must be Peggy.

Informally, an identification protocol consists of a key generation algorithm gen and an interactive protocol (P, V ) for a prover Peggy and a verifier Vic.

• Key generation algorithm gen: This is a probabilistic polynomial-time algorithm $\mathrm{gen}(1^k) = (sk, pk)$. It takes as input a security parameter $1^k$ and outputs a pair $(sk, pk)$ of secret and public keys for the prover, each of size $O(k^a)$ for a constant $a \in \mathbb{N}$.

• Interactive protocol $(P, V)$: The protocol $(P, V)$ is an interactive proof of knowledge for $sk$ corresponding to $pk$. We require that it be complete, valid, and zero-knowledge (or witness-indistinguishable).

3.3.1 The Schnorr Identification Protocol

The Schnorr identification protocol [203] is one of the most attractive practical identification schemes. It is a typical three-round (commit-challenge-response) interactive proof of knowledge. $P$ first commits to a value. $V$ then challenges one of two things: either that the commitment is of the right form or that $P$ knows the witness. $P$ then responds to the challenge, but reveals no information about the witness. Finally, $V$ verifies whether the response is correct. We now describe the Schnorr identification protocol.

Assume that Peggy wants to convince Vic of her identity.

• Key generation: $\mathrm{gen}(1^k) = (\alpha, (g, p, q, \beta))$.

Peggy picks large primes $p, q$ such that $q \mid (p - 1)$ and a number $g \in \mathbb{Z}_p$ of order $q$. She also chooses a random exponent $\alpha \in \{0, \ldots, q - 1\}$ and computes $\beta = g^{\alpha} \bmod p$. Peggy's secret key is $\alpha$ and her public key is $(g, p, q, \beta)$.

• Interactive protocol: $\langle P(\alpha), V \rangle (g, p, q, \beta) = \text{accept}/\text{reject}$.

1. Peggy chooses a random number $r \in \{1, 2, \ldots, q - 1\}$. She computes $t = g^{r} \bmod p$ and sends $t$ to Vic.

2. Vic chooses a random number $c \in \{0, 1\}^k$, where $1 \le c \le 2^k < q$. He sends $c$ to Peggy.

3. Peggy checks $1 \le c \le 2^k$ and sends $s = r - c\alpha \bmod q$ to Vic.

4. Vic accepts Peggy's identity if $t = g^{s}\beta^{c} \bmod p$.
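The four steps above, as an added Python example (not code from the original text). The group parameters are constructed toy values ($p = 2q + 1$ with $q = 1019$, $g = 4$ of order $q$) so the arithmetic can be followed by hand; a deployment would use $p$ of roughly 2048 bits and $q$ of roughly 256 bits. The class and function names are assumptions for this illustration. The `check_params` function is the sanity check a verifier should run on published parameters, and `Prover.respond` enforces the range check of Step 3 and discards $r$ after a single use.

```python
import secrets

# Toy parameters, constructed for this example only: p = 2q + 1 with q = 1019
# prime, and g = 4 is a quadratic residue mod p, hence of order q in Z_p^*.
# A real deployment uses p of ~2048 bits and q of ~256 bits.
P, Q, G = 2039, 1019, 4
K = 8  # challenge bit length; the protocol requires 2^K < q


def check_params(p, q, g, k):
    """Checks Vic should run on published parameters before trusting them:
    q divides p-1, g generates a subgroup of order exactly q, and 2^k < q."""
    return (p - 1) % q == 0 and g % p != 1 and pow(g, q, p) == 1 and 2 ** k < q


def keygen(p=P, q=Q, g=G):
    """gen(1^k): secret exponent alpha and public key (g, p, q, beta)."""
    alpha = secrets.randbelow(q)          # alpha in {0, ..., q-1}
    beta = pow(g, alpha, p)               # beta = g^alpha mod p
    return alpha, (g, p, q, beta)


class Prover:
    """Peggy: holds alpha and runs the commit / respond steps."""

    def __init__(self, alpha, pk, k=K):
        self.alpha, self.k = alpha, k
        self.g, self.p, self.q, _ = pk
        self.r = None

    def commit(self):
        self.r = 1 + secrets.randbelow(self.q - 1)   # fresh r in {1, ..., q-1}
        return pow(self.g, self.r, self.p)            # t = g^r mod p

    def respond(self, c):
        if not 1 <= c <= 2 ** self.k:                 # step 3: range check on c
            raise ValueError("challenge out of range")
        s = (self.r - c * self.alpha) % self.q        # s = r - c*alpha mod q
        self.r = None                                 # r is single-use
        return s


class Verifier:
    """Vic: issues the challenge and checks t == g^s * beta^c mod p."""

    def __init__(self, pk, k=K):
        self.pk, self.k = pk, k
        self.t = self.c = None

    def challenge(self, t):
        self.t = t
        self.c = 1 + secrets.randbelow(2 ** self.k)   # c in {1, ..., 2^k}
        return self.c

    def check(self, s):
        g, p, q, beta = self.pk
        return self.t == (pow(g, s, p) * pow(beta, self.c, p)) % p


def run_protocol(prover, verifier):
    """One commit-challenge-response round; returns Vic's accept/reject."""
    t = prover.commit()
    c = verifier.challenge(t)
    s = prover.respond(c)
    return verifier.check(s)


if __name__ == "__main__":
    alpha, pk = keygen()
    print("honest run accepted:", run_protocol(Prover(alpha, pk), Verifier(pk)))
    print("wrong-key run accepted:", run_protocol(Prover(alpha + 1, pk), Verifier(pk)))
```

A prover holding the wrong exponent is rejected on every run here, because $g^{s}\beta^{c}$ then differs from $t$ by a factor $g^{-c}$ with $1 \le c < q$. The verifier's check costs two modular exponentiations, which is the $O(\ell^3)$ cost referred to in the analysis below.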

The Schnorr protocol allows Peggy to prove that she knows the discrete logarithm of her public key. The security of the protocol is based on the assumed intractability of the discrete logarithm problem. It can be shown that the protocol is an honest-verifier zero-knowledge proof of knowledge. We discuss the protocol's properties in detail in the next subsection.

3.3.2 Analysis of the Schnorr Identification Protocol

The Schnorr protocol is based on an initial idea of Chaum et al. [43]. Chaum et al. have shown that the variant with $k = 1$ and $q = p - 1$ is a zero-knowledge proof of knowledge when sequentially repeated $\log_2(p)$ times. Nevertheless, in [203] it is shown that the Schnorr identification scheme is a proof of knowledge, but not zero-knowledge. We will analyze the Schnorr identification protocol with respect to several properties, including proof of knowledge, zero knowledge, witness-indistinguishability, and witness-hiding.

Let $\mathcal{G}$ be a family of groups in which computing discrete logarithms is infeasible. The binary relation $R$ underlying the protocol is the set

$$R = \{((p, g, q, \beta), \alpha) \mid p, q \text{ primes},\ q \mid (p - 1),\ g \in \mathbb{Z}_p \text{ of order } q,\ \beta = g^{\alpha} \bmod p \text{ with } 0 \le \alpha < q,\ \langle g \rangle \in \mathcal{G}\}.$$

Lemma 3.3.1. The Schnorr identification protocol is a proof of knowledge for $k = \Theta(\mathrm{poly}(\ell))$, where $\ell$ denotes the length of the input ($\approx 4\log_2(p)$).

Proof. Completeness. It can easily be seen that $P$ can always convince $V$. Validity. We construct a knowledge extractor $K$. Let

$$\delta = \Pr[\langle P(\alpha), V \rangle (p, g, q, \beta) = \text{accept}].$$

Consider the following algorithm for a knowledge extractor $K$ that has oracle access to the (dishonest) prover $P$.

1. Run $P$ to obtain $t$ and $s$ using a randomly chosen $c \in \{0, 1\}^k$. Proceed if the triple $(t, c, s)$ is accepting, otherwise output $\bot$ and stop.

2. Reset and run $P$ repeatedly with a randomly chosen $\tilde{c} \in \{0, 1\}^k$ until an accepting triple $(t, \tilde{c}, \tilde{s})$ is found. If $\tilde{c} \ne c$, proceed to Step 3; otherwise output $\bot$ and stop.

3. Output $\alpha = \dfrac{s - \tilde{s}}{\tilde{c} - c} \bmod q$.
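The three extractor steps, as an added Python example (not code from the original text), using the same constructed toy parameters as above ($p = 2039$, $q = 1019$, $g = 4$) and assumed function names. Resetting the prover is modelled by a `RewindableProver` whose internal randomness $r$ is fixed, so every rewind reproduces the same commitment $t$; this is a model of oracle access for the proof, not a prover anyone should deploy. The same algebra is the reason an implementation must never answer two different challenges with the same $r$: two such transcripts hand the secret exponent to whoever observes them.

```python
import random

# Toy parameters, constructed for this example only (p = 2q + 1, g of order q).
P, Q, G = 2039, 1019, 4
K = 8  # challenge bit length, 2^K < q


def accepting(t, c, s, pk):
    """Vic's check: (t, c, s) is accepting iff t = g^s * beta^c mod p."""
    g, p, q, beta = pk
    return t == (pow(g, s, p) * pow(beta, c, p)) % p


def extract(t, c, s, c_tilde, s_tilde, pk):
    """Step 3: from two accepting triples with the same commitment t and
    c != c_tilde, recover alpha = (s - s_tilde) / (c_tilde - c) mod q, since
    s = r - c*alpha and s_tilde = r - c_tilde*alpha give s - s_tilde = (c_tilde - c)*alpha."""
    g, p, q, beta = pk
    if c == c_tilde:
        return None  # the special symbol "bottom": nothing can be extracted
    if not (accepting(t, c, s, pk) and accepting(t, c_tilde, s_tilde, pk)):
        return None
    return ((s - s_tilde) * pow(c_tilde - c, -1, q)) % q


class RewindableProver:
    """Oracle model of a prover that K can reset: a reset replays the same
    internal randomness r, so the same commitment t is produced again.
    (Constructed stand-in for the proof; a real prover draws a fresh r each run.)"""

    def __init__(self, alpha, pk, r):
        self.alpha, self.r = alpha, r
        self.g, self.p, self.q, _ = pk

    def commit(self):
        return pow(self.g, self.r, self.p)

    def respond(self, c):
        return (self.r - c * self.alpha) % self.q


def knowledge_extractor(prover, pk, k=K, seed=None, max_rewinds=10_000):
    """Steps 1-3 of K with oracle access to a resettable prover."""
    rng = random.Random(seed)
    t = prover.commit()
    c = 1 + rng.randrange(2 ** k)
    s = prover.respond(c)
    if not accepting(t, c, s, pk):          # step 1: first run must be accepting
        return None
    for _ in range(max_rewinds):            # step 2: rewind until another accepting triple
        c_tilde = 1 + rng.randrange(2 ** k)
        s_tilde = prover.respond(c_tilde)   # after a reset: same r, hence same t
        if accepting(t, c_tilde, s_tilde, pk):
            return extract(t, c, s, c_tilde, s_tilde, pk)  # None if c_tilde == c
    return None


if __name__ == "__main__":
    alpha = 123
    pk = (G, P, Q, pow(G, alpha, P))
    prover = RewindableProver(alpha, pk, r=77)
    print("extracted alpha:", knowledge_extractor(prover, pk, seed=1))
```

Against an honest prover the first run is always accepting, so the only way the extractor outputs $\bot$ is the collision $\tilde{c} = c$, which happens with probability $2^{-k}$; this is exactly the $1/2^k$ loss that appears in the success probability below.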

Let $p_t$ denote the probability that $P$ outputs a commitment $t$, and let $\delta_t$ denote the probability that then, on input of a random $c \in_R \{0, 1\}^k$, $P$ outputs an $s$ such that $(t, c, s)$ is an accepting triple. Then we have $\delta = \sum_t p_t \delta_t$.

First we show that the expected running time of $K$ is polynomial in the length of the input. Recall that verifying whether a triple is accepting requires $O(\ell^3)$ steps (modular exponentiations). Consider a particular $t$. The probability that $K$ stops in the first step is $1 - \delta_t$ and the running time is $O(\ell^3)$ (note that a call to the oracle $P$ counts as one step). In Steps 2 and 3, we have an expected running time of $(1/\delta_t)\,O(\ell^3)$. Because Step 2 is only entered with probability $\delta_t$, the total expected running time given a particular $t$ is

$$(1 - \delta_t)\,O(\ell^3) + \delta_t \cdot \frac{1}{\delta_t}\,O(\ell^3) = (2 - \delta_t)\,O(\ell^3).$$

Because a particular $t$ gets chosen with probability $p_t$, the expected running time of the knowledge extractor $K$ is

$$\sum_t p_t (2 - \delta_t)\,O(\ell^3) = (2 - \delta)\,O(\ell^3),$$

which is polynomial in the length of the input as required.

What remains to show is that for every positive polynomial $Q$ and all sufficiently large $\ell$,

$$\Pr[((p, g, q, \beta), K^{P}(p, g, q, \beta)) \in R] \ge \Pr[\langle P(\alpha), V \rangle (p, g, q, \beta) = \text{accept}] - \frac{1}{Q(\ell)},$$

where $\Pr[((p, g, q, \beta), K^{P}(p, g, q, \beta)) \in R]$ is the probability that the extractor $K$ outputs a witness and not the special symbol $\bot$, and $\Pr[\langle P(\alpha), V \rangle (p, g, q, \beta) = \text{accept}] = \delta$.

The probability that in the second step a triple with $\tilde{c} \ne c$ is found is

$$\frac{2^k \delta_t - 1}{2^k \delta_t} = 1 - \frac{1}{2^k \delta_t},$$

because there are $\delta_t 2^k > 1$ accepting triples in Step 2, one of which we cannot use. Again, the probability that Step 2 is entered is $\delta_t$, and thus the total success probability is

$$\Pr[((p, g, q, \beta), K^{P}(p, g, q, \beta)) \in R] = \sum_t p_t \delta_t \left(1 - \frac{1}{2^k \delta_t}\right) = \delta - \frac{1}{2^k}.$$

For every positive polynomial $Q$ and all sufficiently large $\ell$, this probability is at least $\delta - 1/Q(\ell)$ if $k = \Theta(\mathrm{poly}(\ell))$ holds. Hence we have constructed a knowledge extractor.

As stated in [203], the protocol is not zero-knowledge when $k$ is selected as in Lemma 3.3.1. This is because $k$ is so large that the success probability of the simulator is negligible. If a smaller $k$ is chosen, namely $k = O(\log_2(\ell))$, it is zero-knowledge. The following algorithm is a simulator for the output of any verifier $V$.

1. Choose $\tilde{c} \in_R \{0, 1\}^k$.

2. Choose $\tilde{s} \in_R \mathbb{Z}_q$.

3. Compute $\tilde{t} = g^{\tilde{s}} \beta^{\tilde{c}} \bmod p$.

4. Run $V$ using the computed $\tilde{t}$ and receive a $c$.

5. If $c$ equals $\tilde{c}$, send $\tilde{s}$ to $V$, output $V$'s output and stop. Otherwise, continue with Step 1.
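The five simulator steps, as an added Python example (not code from the original text), again on the constructed toy parameters ($p = 2039$, $q = 1019$, $g = 4$) and with assumed function names. The verifier is any callable from the commitment to a challenge, so the same simulator covers both an honest verifier and a deterministic one whose challenge depends on $\tilde{t}$; the `average_rewinds` function measures the expected number of restarts, which is what forces $k = O(\log \ell)$ in the argument that follows.

```python
import random

# Toy parameters, constructed for this example only (p = 2q + 1, g of order q).
P, Q, G = 2039, 1019, 4


def accepting(t, c, s, pk):
    """Vic's check: (t, c, s) is accepting iff t = g^s * beta^c mod p."""
    g, p, q, beta = pk
    return t == (pow(g, s, p) * pow(beta, c, p)) % p


def simulate(verifier, pk, k, seed=None):
    """Simulator for an arbitrary verifier: `verifier(t)` returns a challenge c.
    Returns the accepting transcript (t, c, s) and the number of attempts made.
    No secret exponent is used anywhere: the transcript is built backwards."""
    g, p, q, beta = pk
    rng = random.Random(seed)
    trials = 0
    while True:
        trials += 1
        c_tilde = 1 + rng.randrange(2 ** k)                          # step 1: guess the challenge
        s_tilde = rng.randrange(q)                                   # step 2: random response
        t_tilde = (pow(g, s_tilde, p) * pow(beta, c_tilde, p)) % p   # step 3: t fits by construction
        c = verifier(t_tilde)                                        # step 4: run V on t_tilde
        if not 1 <= c <= 2 ** k:
            raise ValueError("verifier challenge out of range")      # would loop forever otherwise
        if c == c_tilde:                                             # step 5: the guess was right
            return (t_tilde, c, s_tilde), trials
        # otherwise rewind V and restart with a fresh guess


def make_honest_verifier(k, seed=None):
    """Honest V: a uniformly random challenge in {1, ..., 2^k}, independent of t."""
    rng = random.Random(seed)
    return lambda t: 1 + rng.randrange(2 ** k)


def make_biased_verifier(k, seed=None):
    """A deterministic (possibly dishonest) V whose challenge is a function of t."""
    return lambda t: 1 + (t % (2 ** k))


def average_rewinds(verifier_factory, pk, k, runs=2000, seed=0):
    """Empirical expected running time of the simulator: about 2^k attempts,
    because t_tilde is uniform in <g> whatever c_tilde was, so V's choice
    cannot correlate with the guess."""
    total = 0
    for i in range(runs):
        _, trials = simulate(verifier_factory(seed + i), pk, k, seed=seed + runs + i)
        total += trials
    return total / runs


if __name__ == "__main__":
    alpha = 321                                   # only used to publish beta
    pk = (G, P, Q, pow(G, alpha, P))
    for k in (3, 8):
        avg = average_rewinds(lambda sd: make_honest_verifier(k, sd), pk, k, runs=300)
        print(f"k={k}: about {avg:.1f} attempts per simulated transcript (2^k = {2 ** k})")
```

The simulated transcripts pass the verifier's check without the simulator ever touching $\alpha$, which is the zero-knowledge argument in miniature; the price is the geometric number of rewinds, growing as $2^k$.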

By construction, the output of the simulator is identically distributed to the output of the verifier. To conclude that the protocol is zero-knowledge, we must show that the expected running time is polynomial in $\ell$. Because for the simulator all possible choices of $\tilde{c}$ are equally likely, the probability that in Step 5 the variable $c$ will equal $\tilde{c}$ (and thus the simulator will stop) is $2^{-k}$. Hence the expected running time of the simulator is $O(2^k)$. Therefore, we have to choose $k = O(\log(\ell))$ so that the simulator's expected running time is polynomial in $\ell$. However, for such a choice the Schnorr identification scheme is no longer a proof of knowledge, because this would require $k = \Theta(\mathrm{poly}(\ell))$.

The following lemma says that we can obtain both properties (proof of knowledge and zero knowledge) at the same time by repeating the protocol in a sequential manner.

Lemma 3.3.2. The Schnorr identification protocol is a proof of knowledge and is perfect zero-knowledge for $k = O(\log_2(\ell))$ when sequentially repeated $\Theta(\mathrm{poly}(\ell))$ times.

The Schnorr identification protocol is not known to be witness-hiding, but it is trivially witness-indistinguishable because there exists only one witness for each instance.

In [174], Okamoto presents a variant which uses two different bases, and thus two secret exponents, for a public key. Then there exist $q$ different witnesses for each instance. This variant is witness-indistinguishable and witness-hiding.