Lecture 15 Zero-Knowledge Techniques
Peggy: “I know the password to the Federal Reserve System computer, the ingredients in McDonald’s secret sauce, and the contents of Volume 4 of Knuth.”
Victor: “No, you don’t.”
Peggy: “Yes, I do.”
Victor: “Do not!”
Peggy: “Do too!”
Victor: “Prove it!”
Peggy: “All right. I’ll tell you.” She whispers in Victor’s ear.
Victor: “That’s interesting. Now I know it, too. I’m going to tell The Washington Post.”
A few years ago, it was reported that some thieves set up a fake automatic teller machine at a shopping mall. When a person inserted a bank card and typed in an identification number, the machine recorded the information but responded with the message that it could not accept the card. The thieves then made counterfeit bank cards and went to legitimate teller machines and withdrew cash, using the identification numbers they had obtained.
How can this be avoided? There are several situations where someone reveals a secret identification number or password in order to complete a transaction. Anyone who obtains this secret number, plus some (almost public) identification information (for example, the information on a bank card), can masquerade as this person. What is needed is a way to use the secret number without giving any information that can be reused by an eavesdropper. This is where zero-knowledge techniques come in.
Outline Overview of Zero-Knowledge Concepts Fiat-Shamir Identification Protocol Feige-Fiat-Shamir Identification Protocol GQ Identification Protocol Schnorr Identification Protocol
1 Overview of Zero-Knowledge Concepts
1.1 Idea
Peggy knows the secret of the cave. She wants to prove her knowledge to Victor, but she doesn’t want to reveal the magic words. Here’s how she convinces him:
(1) Victor stands at point A.
(2) Peggy walks all the way into the cave, either to point C or point D.
(3) After Peggy has disappeared into the cave, Victor walks to point B.
1.1 Idea (Continued)
(4) Victor shouts to Peggy, asking her either to:
(4.1) come out of the left passage or
(4.2) come out of the right passage.
(5) Peggy complies, using the magic words to open the secret door if she has to.
(6) Peggy and Victor repeat steps (1) through (5) n times.
1.1 Idea (Continued)
Comment.
The technique used in this protocol is called cut and choose, because of its similarity to the classic protocol for dividing anything fairly:
(1) Peggy cuts the thing in half.
(2) Victor chooses one of the halves for himself.
(3) Peggy takes the remaining half.
It is in Peggy’s best interest to divide fairly in step (1), because Victor will choose whichever half he wants in step (2).
1.2 Interactive Proof Systems and Zero-Knowledge Protocols
The ZK protocols to be discussed are instances of interactive proof systems, wherein a prover and verifier exchange multiple messages. The prover’s objective is to convince the verifier of the truth of an assertion, e.g., claimed knowledge of a secret. The verifier either accepts or rejects the proof. The traditional mathematical notion of a proof, however, is altered to an interactive game wherein proofs are probabilistic rather than absolute; a proof in this context need be correct only with bounded probability. For this reason, an interactive proof is sometimes called a proof by protocol.
1.2 Interactive Proof Systems and Zero-Knowledge Protocols (Continued)
Interactive proofs used for identification may be formulated as proofs of knowledge. A possesses some secret s, and attempts to convince B it has knowledge of s by correctly responding to queries (involving publicly known inputs and agreed upon functions) which require knowledge of s to answer. Note that proving knowledge of s differs from proving that such s exists. An interactive proof is said to be a proof of knowledge if it has both the properties of completeness and soundness.
1.2 Interactive Proof Systems and Zero-Knowledge Protocols (Continued)
Definition 1 (completeness property) An interactive proof (protocol) is complete if, given an honest prover and an honest verifier, the protocol succeeds with overwhelming probability (i.e., the verifier accepts the prover’s claim).
Comment. Completeness is viewed as the customary requirement that a protocol functions properly given honest participants. The definition of overwhelming depends on the application, but generally implies that the probability of failure is not of practical significance.
1.2 Interactive Proof Systems and Zero-Knowledge Protocols (Continued)
Definition 2 (soundness property) An interactive proof (protocol) is sound if there exists an expected polynomial-time algorithm M with the following property: if a dishonest prover (impersonating A) can with non-negligible probability successfully execute the protocol with B, then M can be used to extract from this prover knowledge (essentially equivalent to A’s secret) which with overwhelming probability allows successful subsequent protocol executions.
1.2 Interactive Proof Systems and Zero-Knowledge Protocols (Continued)
Since any party capable of impersonating A must know the equivalent of A’s secret knowledge (M can be used to extract it from this party in polynomial time), soundness guarantees that the protocol does indeed provide a proof of knowledge – knowledge equivalent to that being queried is required to succeed. Soundness thus prevents a dishonest prover from convincing an honest verifier.
1.2 Interactive Proof Systems and Zero-Knowledge Protocols (Continued)
Definition 3 (zero-knowledge property) A protocol which is a proof of knowledge has the zero-knowledge property if it is simulatable in the following sense: there exists an expected polynomial-time algorithm (simulator) which can produce, upon input of the assertion(s) to be proven but without interacting with the real prover, transcripts indistinguishable from those resulting from interaction with the real prover.
1.2 Interactive Proof Systems and Zero-Knowledge Protocols (Continued)
Comment. (1) The zero-knowledge property implies that a prover executing the protocol (even when interacting with a malicious verifier) does not release any information (about its secret knowledge, other than that the particular assertion itself is true) not otherwise computable in polynomial time from public information alone. Thus, participation does not increase the chances of subsequent impersonation.
1.2 Interactive Proof Systems and Zero-Knowledge Protocols (Continued)
(2) Consider an observer C who witnesses a zero-knowledge interactive proof (ZKIP) involving a prover A convincing a verifier B (B ≠ C) of some knowledge A has. The “proof” to B does not provide any guarantees to C. (Indeed, A and B might have a prior agreement, conspiring against C, on the challenges to be issued.) Similarly, a recorded ZKIP conveys no guarantees upon playback. This is fundamental to the idea of the zero-knowledge property and the condition that proofs be simulatable by a verifier alone.
1.2 Interactive Proof Systems and Zero-Knowledge Protocols (Continued)
(3) The zero-knowledge property (Definition 3) does not guarantee that a protocol is secure (i.e., that the probability of it being easily defeated is negligible). Similarly, the soundness property (Definition 2) does not guarantee that a protocol is secure. Neither property has much value unless the underlying problem faced by an adversary is computationally hard.
1.3 General Structure of Zero-Knowledge Protocols
The three-move exchange
A → B: witness
A ← B: challenge
A → B: response
illustrates the general structure of a large class of three-move zero-knowledge protocols. The prover claiming to be A selects a random element from a pre-defined set as its secret commitment, and from this computes an associated (public) witness.
1.3 General Structure of Zero-Knowledge Protocols (Continued)
This provides initial randomness for variation from other protocol runs, and essentially defines a set of questions all of which the prover claims to be able to answer, thereby a priori constraining her forthcoming response. By protocol design, only the legitimate party A, with knowledge of A’s secret, is truly capable of answering all the questions, and the answer to any one of these provides no information about A’s long-term secret. B’s subsequent challenge selects one of these questions. A provides its response, which B checks for correctness. The protocol is iterated, if necessary, to improve the bound limiting the probability of successful cheating.
1.4 Zero-Knowledge VS. Asymmetric Protocols
(1) No degradation with usage: protocols proven to have the ZK property do not suffer degradation of security with repeated use, and resist chosen-text attacks. This is perhaps the most appealing practical feature of ZK techniques.
(2) Encryption avoided: many ZK techniques avoid use of explicit encryption algorithms.
(3) Efficiency: while some ZK-based techniques are extremely efficient, protocols which formally have the zero-knowledge property typically have higher communications and/or computational overheads than PK protocols which do not. The computational efficiency of the more practical ZK-based schemes arises from their nature as interactive proofs, rather than their zero-knowledge aspect.
1.4 Zero-Knowledge VS. Asymmetric Protocols (Continued)
(4) Unproven assumptions: many ZK protocols ("proofs of knowledge") themselves rely on the same unproven assumptions as PK techniques (e.g., the intractability of factoring).
(5) ZK-based vs. ZK: although supported by prudent underlying principles, many techniques based on zero-knowledge concepts fall short of formally being zero-knowledge and/or formally sound in practice, due to parameter selection for reasons of efficiency, or for other technical reasons. In fact, many such concepts are asymptotic, and do not apply directly to practical protocols.
2 Fiat-Shamir Identification Protocol
Protocol 1 Fiat-Shamir identification protocol
SUMMARY: A proves knowledge of $s$ to B in $t$ executions of a 3-pass protocol.
(1) One-time setup.
(1.1) A trusted center T selects and publishes an RSA-like modulus $n = pq$ but keeps primes $p$ and $q$ secret.
(1.2) Each claimant A selects a secret $s$ coprime to $n$, $1 \le s \le n-1$, computes $v = s^2 \bmod n$, and registers $v$ with T as its public key.
(2) Protocol actions. The following steps are iterated $t$ times (sequentially and independently). B accepts the proof if all $t$ rounds succeed.
2 Fiat-Shamir Identification Protocol (Continued)
(2.1) A chooses a random (commitment) $r$, $1 \le r \le n-1$, and sends (the witness) $x = r^2 \bmod n$ to B.
(2.2) B randomly selects a (challenge) bit $e = 0$ or $e = 1$, and sends $e$ to A.
(2.3) A computes and sends to B (the response) $y$, either $y = r$ (if $e = 0$) or $y = rs \bmod n$ (if $e = 1$).
(2.4) B rejects the proof if $y = 0$, and otherwise accepts upon verifying $y^2 \equiv x \cdot v^e \pmod{n}$. (Depending on $e$, $y^2 \equiv x$ or $y^2 \equiv xv \pmod{n}$, since $v \equiv s^2 \pmod{n}$. Note that checking for $y = 0$ precludes the case $r = 0$.)
Protocol messages:
A → B: $x = r^2 \bmod n$
A ← B: $e \in \{0, 1\}$
A → B: $y = r \cdot s^e \bmod n$
B: if $y \ne 0$ and $y^2 \equiv x \cdot v^e \pmod{n}$, then B accepts the proof; otherwise, B rejects the proof.
2 Fiat-Shamir Identification Protocol (Continued)
Comment on Protocol 1.
(1) The challenge (or exam) $e$ requires that A be capable of answering two questions, one of which demonstrates her knowledge of the secret $s$, and the other an easy question (for honest provers) to prevent cheating. A prover knowing $s$ can answer both questions, but otherwise can at best answer one of the two questions, and so has probability only 1/2 of escaping detection. To decrease the probability of cheating arbitrarily to an acceptably small value $2^{-t}$ (e.g., $t = 20$ or $t = 40$), the protocol is iterated $t$ times, with B accepting A’s identity only if all $t$ questions (over $t$ rounds) are successfully answered.
2 Fiat-Shamir Identification Protocol (Continued)
(2) The response $y = r$ is independent of A’s secret $s$, while the response $y = rs \bmod n$ also provides no information about $s$ because the random $r$ is unknown to B. Information pairs $(x, y)$ extracted from A could equally well be simulated by a verifier B alone by choosing $y$ randomly, then defining $x = y^2$ or $x = y^2 / v \bmod n$. While this is not the method by which A would construct such pairs, such pairs $(x, y)$ have a probability distribution which is indistinguishable from those A would produce; this establishes the zero-knowledge property. Despite the ability to simulate proofs, B is unable to impersonate A because B cannot predict the real-time challenges.
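The following is an added example, not code from the lecture, that runs Protocol 1 end to end: an honest prover over $t$ rounds, the cheating prover of Comment (1) who commits to a guessed challenge and is caught with probability 1/2 per round, and the verifier-only simulator of Comment (2) that produces accepting transcripts without the secret. The modulus $n = 683 \cdot 811$ is the artificially small one from Example 1 of the Feige-Fiat-Shamir section; the secret $s = 157$ and all seeds are constructed here.

```python
"""Fiat-Shamir identification (Protocol 1): honest prover, challenge-guessing
cheater (Comment 1) and verifier-only simulator (Comment 2).
Added example; n is the page's small FFS modulus, s = 157 is constructed."""
import random
from math import gcd

N = 553913          # 683 * 811, far too small for real use
S = 157             # constructed secret, gcd(S, N) == 1
V = pow(S, 2, N)    # public key v = s^2 mod n = 24649


def commit(n, r):
    """(2.1) witness x = r^2 mod n."""
    return pow(r, 2, n)


def respond(n, s, r, e):
    """(2.3) y = r if e = 0, y = r*s mod n if e = 1, i.e. y = r * s^e."""
    return (r * pow(s, e, n)) % n


def verify(n, v, x, e, y):
    """(2.4) reject y = 0 (which would let r = 0 pass), else y^2 == x * v^e."""
    return y != 0 and pow(y, 2, n) == (x * pow(v, e, n)) % n


def honest_accepts(n, s, v, t, seed):
    """t sequential rounds between an honest A and B (completeness)."""
    assert gcd(s, n) == 1 and pow(s, 2, n) == v
    rng = random.Random(seed)
    for _ in range(t):
        r = rng.randrange(1, n)
        x = commit(n, r)
        e = rng.randrange(2)                  # B's challenge bit
        if not verify(n, v, x, e, respond(n, s, r, e)):
            return False
    return True


def cheater_accepts(n, v, t, seed):
    """Prover without s guesses each challenge before committing (Comment 1).
    Guess 0: send x = y^2 and answer y, so only y^2 == x holds.
    Guess 1: pick y first and send x = y^2 / v, so only y^2 == x*v holds.
    A round is passed exactly when the guess equals B's bit."""
    rng = random.Random(seed)
    v_inv = pow(v, -1, n)
    for _ in range(t):
        guess = rng.randrange(2)
        y = rng.randrange(1, n)
        x = pow(y, 2, n) if guess == 0 else (pow(y, 2, n) * v_inv) % n
        e = rng.randrange(2)
        if not verify(n, v, x, e, y):
            return False
    return True


def cheat_success_rate(n, v, t, trials, seed):
    """Empirical impersonation rate over independent seeds; expected 2^-t."""
    wins = sum(cheater_accepts(n, v, t, seed + i) for i in range(trials))
    return wins / trials


def simulate_transcript(n, v, seed):
    """Comment (2): B alone picks e and y, then sets x = y^2 / v^e mod n.
    The triple verifies and is distributed like a real (x, e, y)."""
    rng = random.Random(seed)
    e = rng.randrange(2)
    y = rng.randrange(1, n)
    x = (pow(y, 2, n) * pow(pow(v, e, n), -1, n)) % n
    return x, e, y
```

The simulator never touches $s$, which is exactly why a recorded or simulated transcript convinces nobody, while the cheater's per-round success of 1/2 is what the $t$-fold iteration drives down to $2^{-t}$.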
3 Feige-Fiat-Shamir Identification Protocol
Protocol 2 Feige-Fiat-Shamir identification protocol
SUMMARY: A proves its identity to B in $t$ executions of a 3-pass protocol.
(1) Selection of system parameters. A trusted center T publishes the common modulus $n = pq$ for all users, such that $n$ is computationally infeasible to factor. Integers $k$ and $t$ are defined as security parameters.
(2) Selection of per-entity secrets. Each entity A does the following.
(2.1) Select $k$ random integers $s_1, \ldots, s_k$ in the range $1 \le s_i \le n-1$. (For technical reasons, $\gcd(s_i, n) = 1$ is required, but is almost surely guaranteed as its failure allows factorization of $n$.)
(2.2) Compute $v_i = (s_i^2)^{-1} \bmod n$ for $1 \le i \le k$.
3 Feige-Fiat-Shamir Identification Protocol (Continued)
(2.3) A identifies itself by non-cryptographic means (e.g., photo id) to T, which thereafter registers A’s public key $(v_1, \ldots, v_k;\ n)$, while only A knows its private key $(s_1, \ldots, s_k)$ and $n$. This completes the one-time set-up phase.
(3) Protocol actions. The following steps are executed $t$ times; B accepts A’s identity if all $t$ rounds succeed. Assume B has A’s authentic public key $(v_1, \ldots, v_k;\ n)$.
(3.1) A chooses a random integer $r$, $1 \le r \le n-1$, computes $x = r^2 \bmod n$, and sends $x$ (the witness) to B.
(3.2) B sends to A (the challenge) a random $k$-bit vector $(e_1, \ldots, e_k)$.
(3.3) A computes and sends to B (the response) $y = r \cdot \prod_{j=1}^{k} s_j^{e_j} \bmod n$ (the product of $r$ and those $s_j$ specified by the challenge).
(3.4) B computes $z = y^2 \cdot \prod_{j=1}^{k} v_j^{e_j} \bmod n$, and verifies that $z = x$ and $z \ne 0$. (The latter precludes an adversary succeeding by choosing $r = 0$.)
3 Feige-Fiat-Shamir Identification Protocol (Continued)
Protocol messages:
A → B: $x = r^2 \bmod n$
A ← B: $(e_1, \ldots, e_k)$, $e_i \in \{0, 1\}$
A → B: $y = r \cdot \prod_{j=1}^{k} s_j^{e_j} \bmod n$
B: if $z = y^2 \cdot \prod_{j=1}^{k} v_j^{e_j} \not\equiv 0 \pmod{n}$ and $z = x$, then B accepts the proof; otherwise, B rejects the proof.
3 Feige-Fiat-Shamir Identification Protocol (Continued)
Example 1 (with artificially small parameters)
(1) The trusted center T selects the primes $p = 683$, $q = 811$, and publishes $n = pq = 553913$. Integers $k = 3$ and $t = 1$ are defined as security parameters.
(2) Entity A does the following.
(2.1) Selects 3 random integers $s_1 = 157$, $s_2 = 43215$, $s_3 = 4646$.
(2.2) Computes $v_1 = 112068$, $v_2 = 338402$, $v_3 = 429490$.
(2.3) A’s public key is $(112068, 338402, 429490;\ 553913)$ and private key is $(157, 43215, 4646)$.
(3) (3.1) A chooses $r = 1279$, computes $x = 528015$, and sends this to B.
(3.2) B sends to A the 3-bit vector $(0, 0, 1)$.
(3.3) A computes and sends to B $y = r \cdot s_3 \bmod n = 403104$.
(3.4) B computes $z = y^2 \cdot v_3 \bmod n = 528015$ and accepts A’s identity since $z = x$ and $z \ne 0$.
3 Feige-Fiat-Shamir Identification Protocol (Continued)
Comment on Protocol 2.
(1) Probability of forgery. Protocol 2 is provably secure against chosen message attack in the following sense: provided that factoring $n$ is difficult, the best attack has a probability $2^{-kt}$ of successful impersonation.
(2) Security assumption required. The security relies on the difficulty of extracting square roots modulo large composite integers $n$ of unknown factorization. This is equivalent to that of factoring $n$.
(3) Zero-knowledge and soundness. The protocol is, relative to a trusted server, a (sound) zero-knowledge proof of knowledge provided $k = O(\log \log n)$ and $t = O(\log n)$.
3 Feige-Fiat-Shamir Identification Protocol (Continued)
(4) Parameter selection. Choosing $k$ and $t$ such that $kt = 20$ allows a 1 in a million chance of impersonation, which suffices in the case that an identification attempt requires a personal appearance by a would-be impersonator. Computation, memory, and communication can be traded off; $1 \le k \le 18$ was originally suggested as appropriate. Specific parameter choices might be, for security $2^{-20}$: $k = 5$, $t = 4$; for $2^{-30}$: $k = 6$, $t = 5$.
(5) Security trade-off. Both computation and communication may be reduced by trading off security parameters to yield a single iteration ($t = 1$), holding the product $kt$ constant and increasing $k$ while decreasing $t$; in this case, however, the protocol is no longer a zero-knowledge proof of knowledge.
3 Feige-Fiat-Shamir Identification Protocol (Continued)
(6) Modification concerns.
(6.1) As an alternative to (1) of Protocol 2, each user may pick its own such modulus $n$. T is still needed to associate each user with its modulus.
(6.2) The communication complexity can be reduced if A sends B (e.g., 128 bits of) a hash value $h(x)$ instead of $x$, with B’s verification modified accordingly.
(6.3) The parallel version of the protocol, in which each of three messages contains the respective data for all $t$ rounds simultaneously, can be shown to be secure. Such parallel execution (as opposed to sequential iteration) in interactive proofs allows the probability of error (forgery) to be decreased without increasing the number of rounds.
3 Feige-Fiat-Shamir Identification Protocol (Continued)
(6.4) The scheme can be made identity-based as follows. T assigns a distinguished identifying string $I_A$ to each party A (e.g., A’s name, address, or other information which a verifier may wish to corroborate). A’s public values $v_i$, $1 \le i \le k$, are then derived by both T and other parties B as $v_i = f(I_A, i)$ using an appropriate function $f$. Then the trusted center, knowing the factorization of $n$, computes a square root $s_i$ of each $v_i$ and gives these to A.
3 Feige-Fiat-Shamir Identification Protocol (Continued)
(6.5) The following general technique may be used to convert an identification scheme involving a witness-challenge-response sequence to a signature scheme: replace the random challenge $e$ of the verifier by the one-way hash $e = h(x \,\|\, m)$ of the concatenation of the witness $x$ and the message $m$ to be signed ($h$ essentially plays the role of verifier). As this converts an interactive identification scheme to a non-interactive signature scheme, the bitsize of the challenge $e$ must typically be increased to preclude off-line attacks on the hash function.
4 GQ Identification Protocol
Protocol 3 GQ identification protocol
SUMMARY: A proves its identity (via knowledge of $s_A$) to B in a 3-pass protocol.
(1) Selection of system parameters.
(1.1) An authority T, trusted by all parties with respect to binding identities to public keys, selects secret random RSA-like primes $p$ and $q$ yielding a modulus $n = pq$. (As for RSA, it must be computationally infeasible to factor $n$.)
(1.2) T defines a public exponent $v \ge 3$ with $\gcd(v, \phi) = 1$ where $\phi = (p-1)(q-1)$, and computes its private exponent $s = v^{-1} \bmod \phi$.
(1.3) System parameters $(v, n)$ are made available (with guaranteed authenticity) for all users.
4 GQ Identification Protocol (Continued)
(2) Selection of per-user parameters.
(2.1) Each entity A is given a unique identity $I_A$, from which (the redundant identity) $J_A = f(I_A)$, satisfying $1 < J_A < n$, is derived using a known redundancy function $f$. (Assuming that factoring $n$ is difficult implies $\gcd(J_A, n) = 1$.)
(2.2) T gives to A the secret (accreditation data) $s_A = (J_A)^{-s} \bmod n$.
(3) Protocol actions. A proves its identity to B by $t$ executions of the following; B accepts the identity only if all $t$ executions are successful.
4 GQ Identification Protocol (Continued)
(3.1) A selects a random secret integer $r$ (the commitment), $1 \le r \le n-1$, and computes (the witness) $x = r^v \bmod n$.
(3.2) A sends to B the pair of integers $(I_A, x)$.
(3.3) B selects and sends to A a random integer $e$ (the challenge), $1 \le e \le v$.
(3.4) A computes and sends to B (the response) $y = r \cdot s_A^{\,e} \bmod n$.
(3.5) B receives $y$, constructs $J_A$ from $I_A$ using $f$ (see above), computes $z = J_A^{\,e} \cdot y^v \bmod n$, and accepts A’s proof of identity if both $z = x$ and $z \ne 0$. (The latter precludes an adversary succeeding by choosing $r = 0$.)
4 GQ Identification Protocol (Continued)
Protocol messages:
A → B: $I_A$, $x = r^v \bmod n$
A ← B: $e$, where $1 \le e \le v$
A → B: $y = r \cdot s_A^{\,e} \bmod n$
B: if $z = J_A^{\,e} \cdot y^v \not\equiv 0 \pmod{n}$ and $z = x$, then B accepts the proof; otherwise, B rejects the proof.
4 GQ Identification Protocol (Continued)
Example 2 (with artificially small parameters and $t = 1$)
(1) (1.1) The authority T selects primes $p = 569$, $q = 739$, and computes $n = pq = 420491$.
(1.2) T computes $\phi = (p-1)(q-1) = 419184$, selects $v = 54955$, and computes $s = v^{-1} \bmod \phi = 233875$.
(1.3) System parameters $(54955, 420491)$ are made available for all users.
(2) (2.1) Suppose that A’s redundant identity is $J_A = 34579$.
(2.2) T gives to A the accreditation data $s_A = (J_A)^{-s} \bmod n = 403154$.
(3) (3.1) A selects $r = 65446$ and computes $x = r^v \bmod n = 89525$.
(3.2) A sends to B the pair $(I_A, 89525)$.
(3.3) B sends to A the random challenge $e = 38980$.
(3.4) A sends $y = r \cdot s_A^{\,e} \bmod n = 83551$ to B.
(3.5) B computes $z = J_A^{\,e} \cdot y^v \bmod n = 89525$ and accepts A’s identity since $z = x$ and $z \ne 0$.
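The following is an added example, not code from the lecture, that reproduces Example 2 of Protocol 3 on the page’s numbers, including T’s derivation of the private exponent $s$ and of A’s accreditation data $s_A$, and then runs the guess-the-challenge impersonation described in Comment (1) below: an impostor who fixes $e$ in advance can build an $x$ that passes (3.5) only for that one $e$. The redundancy function $f$ is left abstract, as in the example, so $J_A = 34579$ is taken as given; the seed is constructed.

```python
"""GQ identification (Protocol 3) on the numbers of Example 2, plus the
1-in-v guessing impersonation of Comment (1). Added example; parameters
are the page's artificially small ones (p = 569, q = 739, v = 54955, t = 1)."""
import random
from math import gcd

P, Q = 569, 739
N = P * Q          # 420491
V = 54955          # public exponent v
J_A = 34579        # A's redundant identity J_A = f(I_A), taken as given


def authority_setup(p, q, v):
    """(1.2) phi = (p-1)(q-1) and private exponent s = v^-1 mod phi."""
    phi = (p - 1) * (q - 1)
    assert v >= 3 and gcd(v, phi) == 1
    return phi, pow(v, -1, phi)


def accreditation(n, s, j):
    """(2.2) s_A = J_A^{-s} mod n; only T, knowing s, can compute it."""
    assert 1 < j < n and gcd(j, n) == 1
    return pow(pow(j, -1, n), s, n)


def witness(n, v, r):
    """(3.1) x = r^v mod n for commitment 1 <= r <= n-1."""
    assert 1 <= r < n
    return pow(r, v, n)


def response(n, s_a, r, e):
    """(3.4) y = r * s_A^e mod n."""
    return (r * pow(s_a, e, n)) % n


def verify(n, v, j, x, e, y):
    """(3.5) z = J_A^e * y^v mod n; accept iff z == x and z != 0."""
    assert 1 <= e <= v
    z = (pow(j, e, n) * pow(y, v, n)) % n
    return z != 0 and z == x


def run_round(n, v, s_a, j, r, e):
    """One execution with fixed commitment r and challenge e."""
    x = witness(n, v, r)
    y = response(n, s_a, r, e)
    return x, y, verify(n, v, j, x, e, y)


def impersonate(n, v, j, guessed_e, actual_e, seed):
    """Comment (1): without s_A, guess e, pick y, and send x = J_A^guess * y^v
    so that (3.5) holds exactly when guess == e: a 1-in-v chance per run."""
    rng = random.Random(seed)
    y = rng.randrange(1, n)
    while gcd(y, n) != 1:              # keep y invertible so the miss is certain
        y = rng.randrange(1, n)
    x = (pow(j, guessed_e, n) * pow(y, v, n)) % n
    return verify(n, v, j, x, actual_e, y)
```

Correctness follows from $sv \equiv 1 \pmod{\phi}$: $z = J_A^{\,e} (r s_A^{\,e})^v = J_A^{\,e} r^v J_A^{-sve} = r^v = x$, while the impostor’s $x$ satisfies the check for one value of $e$ only, which is why the bitlength of $v$ alone sets the per-execution forgery probability.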
4 GQ Identification Protocol (Continued)
Comment on Protocol 3.
(1) Probability of forgery. In Protocol 3, $v$ determines the security level (cf. Fiat-Shamir where $v = 2$ but there are many rounds); some values such as $v = 2^{16} + 1$ may offer computational advantages. A fraudulent claimant can defeat the protocol with a 1 in $v$ chance by guessing $e$ correctly a priori (and then forming $x = J_A^{\,e} \cdot y^v$ as the verifier would). The recommended bitlength of $v$ thus depends on the environment under which attacks could be mounted.
(2) Security assumption required. Extracting $v$-th roots modulo the composite integer $n$ (i.e., solving the RSA problem) appears necessary to defeat the protocol; this is no harder than factoring $n$, and appears computationally intractable without knowing the factors of $n$.
4 GQ Identification Protocol (Continued)
(3) Soundness. In practice, GQ with $t = 1$ and a $k$-bit prime $v$ is often suggested. For generalized parameters $(n, v, t)$, the probability of forgery is $v^{-t}$. If $v$ is constant, then technically for soundness, $t$ must grow asymptotically faster than $\log \log n$.
(4) Zero-knowledge property. In opposition to the soundness requirement, for GQ to be zero-knowledge apparently requires $tv = O((\log n)^c)$ for constant $c$, imposing an upper bound on $t$ asymptotically: for $v$ constant, $t$ must be no larger than polynomial in $\log n$.
(5) The purpose of the redundancy function $f$ is to preclude an adversary computing false accreditation data corresponding to a plausible identity.
5 Schnorr Identification Protocol
The security of the Schnorr identification protocol is based on the intractability of the discrete logarithm problem. The design allows pre-computation, reducing the real-time computation for the claimant; it is thus particularly suitable for claimants of limited computational ability. A further important computational efficiency results from the use of a subgroup of order $q$ of the multiplicative group of integers modulo $p$, where $q \mid (p-1)$; this also reduces the required number of transmitted bits. The basic idea is that A proves knowledge of a secret $a$ (without revealing it) in a time-variant manner (depending on a challenge $e$), identifying A through the association of $a$ with the public key $v$ via A’s authenticated certificate.
5 Schnorr Identification Protocol (Continued)
Protocol 4 Schnorr identification protocol
SUMMARY: A proves its identity to B in a 3-pass protocol.
(1) Selection of system parameters.
(1.1) A suitable prime $p$ is selected such that $p - 1$ is divisible by another prime $q$. (Discrete logarithms modulo $p$ must be computationally infeasible.)
(1.2) An element $\beta$ is chosen, $1 \le \beta \le p-1$, having multiplicative order $q$.
(1.3) Each party obtains an authentic copy of the system parameters $(p, q, \beta)$ and the verification function (public key) of the trusted party T, allowing verification of T’s signatures $S_T(m)$ on messages $m$. ($S_T$ involves a suitable known hash function prior to signing, and may be any signature mechanism.)
5 Schnorr Identification Protocol (Continued)
(1.4) A parameter $t$ (e.g., $t \ge 40$), $2^t < q$, is chosen (defining a security level $2^t$).
(2) Selection of per-user parameters.
(2.1) Each claimant A is given a unique identity $I_A$.
(2.2) A chooses a private key $a$, $0 \le a \le q-1$, and computes $v = \beta^{-a} \bmod p$.
(2.3) A identifies itself by conventional means (e.g., passport) to T, transfers $v$ to T with integrity, and obtains a certificate $cert_A = (I_A, v, S_T(I_A, v))$ from T binding $I_A$ with $v$.
5 Schnorr Identification Protocol (Continued)
(3) Protocol actions. A identifies itself to verifier B as follows.
(3.1) A chooses a random $r$ (the commitment), $1 \le r \le q-1$, computes (the witness) $x = \beta^r \bmod p$, and sends $(cert_A, x)$ to B.
(3.2) B authenticates A’s public key $v$ by verifying T’s signature on $cert_A$, then sends to A a (never previously used) random $e$ (the challenge), $1 \le e \le 2^t$.
(3.3) A checks $1 \le e \le 2^t$ and sends B (the response) $y = ae + r \bmod q$.
(3.4) B computes $z = \beta^y \cdot v^e \bmod p$, and accepts A’s identity provided $z = x$.
5 Schnorr Identification Protocol (Continued)
Protocol messages:
A → B: $cert_A$, $x = \beta^r \bmod p$
A ← B: $e$, where $1 \le e \le 2^t < q$
A → B: $y = ae + r \bmod q$
B: if $z = \beta^y \cdot v^e \equiv x \pmod{p}$, then B accepts the proof; otherwise, B rejects the proof.
5 Schnorr Identification Protocol (Continued)
Example 3 (with artificially small parameters)
(1) (1.1) The prime $p = 48731$ is selected, where $p - 1$ is divisible by the prime $q = 443$.
(1.2) A generator modulo 48731 is $\alpha = 6$; $\beta$ is computed as $\alpha^{(p-1)/q} \bmod p = 11444$.
(1.3) The system parameters are $(48731, 443, 11444)$.
(1.4) The parameter $t = 8$ is chosen.
(2) (2.1) A chooses a private key $a = 357$ and computes $v = \beta^{-a} \bmod p = 7355$.
(3) (3.1) A chooses $r = 274$ and sends $x = \beta^r \bmod p = 37123$ to B.
(3.2) B sends to A the random challenge $e = 129$.
(3.3) A sends B the number $y = (ae + r) \bmod q = 255$.
(3.4) B computes $z = \beta^y \cdot v^e \bmod p = 37123$ and accepts A’s identity since $z = x$.
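The following is an added example, not code from the lecture, that reproduces Example 3 of Protocol 4 on the page’s numbers (the subgroup element $\beta$, the public key $v$, and $x$, $y$, $z$), enforces the claimant’s range check on $e$ from step (3.3), and shows the off-line precomputation of $\beta^r$ that leaves only $ae + r \bmod q$ for the real-time step, as the introduction to this section describes. The certificate $cert_A$ and T’s signature are omitted: B is assumed to already hold A’s authentic $v$. The seed is constructed.

```python
"""Schnorr identification (Protocol 4) on the numbers of Example 3, with the
claimant's off-line precomputation. Added example; parameters are the page's
artificially small ones (p = 48731, q = 443, alpha = 6, t = 8); cert_A is
omitted and B is assumed to hold A's authentic public key v."""
import random

P, Q, ALPHA, T = 48731, 443, 6, 8


def subgroup_generator(p, q, alpha):
    """(1.2) beta = alpha^((p-1)/q) mod p has multiplicative order q."""
    assert (p - 1) % q == 0
    beta = pow(alpha, (p - 1) // q, p)
    assert beta != 1 and pow(beta, q, p) == 1
    return beta


def public_key(p, q, beta, a):
    """(2.2) v = beta^-a mod p for private key 0 <= a <= q-1."""
    assert 0 <= a <= q - 1
    return pow(pow(beta, a, p), -1, p)


def witness(p, q, beta, r):
    """(3.1) x = beta^r mod p for commitment 1 <= r <= q-1."""
    assert 1 <= r <= q - 1
    return pow(beta, r, p)


def challenge_ok(t, e):
    """(3.3) A must check 1 <= e <= 2^t before answering."""
    return 1 <= e <= 2 ** t


def response(q, t, a, r, e):
    """(3.3) y = a*e + r mod q: the only on-line modular operation for A."""
    assert challenge_ok(t, e)
    return (a * e + r) % q


def verify(p, beta, v, x, e, y):
    """(3.4) z = beta^y * v^e mod p; accept iff z == x."""
    return (pow(beta, y, p) * pow(v, e, p)) % p == x


def run(p, q, beta, t, a, v, r, e):
    """One protocol execution with fixed r and e; returns (x, y, accepted)."""
    x = witness(p, q, beta, r)
    y = response(q, t, a, r, e)
    return x, y, verify(p, beta, v, x, e, y)


def precompute(p, q, beta, count, seed):
    """The exponentiations beta^r are done ahead of time, off-line."""
    rng = random.Random(seed)
    pairs = []
    for _ in range(count):
        r = rng.randrange(1, q)
        pairs.append((r, witness(p, q, beta, r)))
    return pairs


def online_round(p, q, beta, t, a, v, pairs, e):
    """Consume one precomputed (r, x) pair; a commitment is never reused."""
    r, x = pairs.pop()
    y = response(q, t, a, r, e)
    return verify(p, beta, v, x, e, y)
```

Correctness is $z = \beta^{y} v^{e} = \beta^{ae + r} \beta^{-ae} = \beta^{r} = x$, using that $\beta$ has order $q$ so the reduction of $y$ modulo $q$ is harmless; reusing a precomputed $r$ for two different challenges would hand the verifier two equations in $a$ and $r$, so the pair is discarded after one use.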
5 Schnorr Identification Protocol (Continued)
Comment on Protocol 4.
(1) Probability of forgery. In Protocol 4, $t$ must be sufficiently large to make the probability $2^{-t}$ of correctly guessing the challenge $e$ negligible; larger $q$ may be necessary to preclude time-memory trade-offs, and $q \ge 2^{160}$ is recommended to preclude other off-line discrete log attacks.
(2) Soundness. It can be shown that the protocol is a proof of knowledge of $a$, i.e., any party completing the protocol as A must be capable of computing $a$. Informally, the protocol reveals no useful information about $a$ because $x$ is a random number, and $y$ is perturbed by the random number $r$.
5 Schnorr Identification Protocol (Continued)
(3) Zero-knowledge property. The protocol is not zero-knowledge for large $e$, because through interaction, B obtains the solution $(x, y, e)$ to the equation $x = \beta^y v^e \pmod{p}$, which B itself might not be able to compute (e.g., if $e$ were chosen to depend on $x$).
(4) Reducing transmission bandwidth. The number of bits transmitted in the protocol can be reduced by replacing $x$ in the first message by $t$ pre-specified bits of $x$ (e.g., the least significant $t$ bits), and having B compare this to the $t$ corresponding bits of $z$.
(5) Off-line computations. Schnorr identification has the advantage of requiring only a single on-line modular multiplication by the claimant, provided exponentiation may be done as a precomputation.
Thank You!