26th May 2003
Comparative Study on Zero-Knowledge Identification Protocols
Konidala M. Divyan
International Research Center for Information Security
Director: Prof. Kwangjo Kim
Discrete Mathematics-Term Project Final Presentation, Lectured by: Prof. Kwangjo Kim
Introduction
• Identification
  – Allows one party (the verifier) to gain assurance that the identity of another party (the prover) is as declared, thereby preventing impersonation.
• Methods of identification
  – Passwords (weak authentication)
  – Challenge-response identification (strong authentication)
    • Symmetric-key techniques
    • Public-key techniques
  – Zero-knowledge identification protocols
Introduction
• Zero-knowledge identification protocols
  – Based on interactive proof systems and zero-knowledge proofs
  – Use random numbers as challenges and as commitments to prevent cheating
  – Do not rely on digital signatures or public-key encryption, and avoid block ciphers, sequence numbers and timestamps
Discrete Mathematics Vs My Term Project
• Presents one of the practical uses of discrete mathematics in the field of information security
• My topic is strongly based on the following discrete mathematics concepts
  – Logic, sets and functions
  – Algorithms (and their analysis), the integers and matrices
  – Counting, relations
  – Graphs
My Term Project Vs My Major
• My major
  – Cryptology and information security
  – Advising professor: Prof. Kwangjo Kim
• Earlier I concentrated only on zero-knowledge interactive proofs based on
  – the Integer Factorization Problem (RSA)
    • Fiat-Shamir identification protocol
    • Feige-Fiat-Shamir identification protocol
    • Guillou-Quisquater (GQ) identification protocol
  – the Discrete Logarithm Problem
    • Schnorr identification protocol
My Term Project Vs My Major
• Through this term project I could concentrate on zero-knowledge interactive proofs based on graph problems
  • Hamiltonian cycles of large graphs
  • Graph isomorphism
  • Graph coloring
My Term Project Vs My Major
• Studying these zero-knowledge interactive proofs helped me analyze their importance for my M.S. research topic, “Security in Pervasive Computing”
  – Because they involve very few computations compared with other symmetric-key and PKI protocols
  – Very useful for lightweight devices used in pervasive environments
Goal of Term Project
• Compare the following zero-knowledge identification protocols, based on
  – the Integer Factorization Problem (as in RSA)
    • Feige-Fiat-Shamir identification protocol
    • Guillou-Quisquater (GQ) identification protocol
  – the Discrete Logarithm Problem
    • Schnorr identification protocol
  – Graph problems
    • Hamiltonian cycles of large graphs
    • Graph isomorphism
    • Graph coloring
Goal of Term Project
• Comparison criteria
  – Communications
  – Computations
  – Memory
  – Security guarantees
  – Trust required in a third party
Overview of Zero-Knowledge Concepts
• A prover demonstrates knowledge of a secret while revealing no information whatsoever that would be of use to the verifier in conveying this demonstration of knowledge to others.
• ZK protocols are instances of interactive proof systems
  • Prover and verifier exchange multiple messages (challenges and responses)
  • Proofs are probabilistic rather than absolute; they need be correct only with bounded probability
Overview of Zero-Knowledge Concepts
– Proofs of knowledge
  • Interactive proofs used for identification
  • A possesses some secret s and attempts to convince B that it knows s by correctly responding to queries that require knowledge of s to answer
  • Should satisfy the completeness and soundness properties
– Zero-knowledge property
  • There exists an expected polynomial-time algorithm (simulator) which, given only the assertion(s) to be proven and without interacting with the real prover, produces transcripts indistinguishable from those of a real run (the protocol is simulatable)
Zero-knowledge vs. other asymmetric protocols
• No degradation with usage
  – Resist chosen-text attacks
• Encryption avoided
• Efficient
• Unproven assumptions
  – Many ZK protocols (“proofs of knowledge”) themselves rely on the same unproven assumptions as public-key techniques
General Structure of ZK Protocols
• A → B: witness
• B → A: challenge
• A → B: response
• Combination of cut-and-choose protocols and challenge-response protocols
Modes of Operations
• Interactive
  – Prover and verifier go through the protocol interactively, building up the certainty piece by piece.
• Parallel
  – The prover creates a number of problems and the verifier asks for a number of solutions at a time. This brings down the number of interactive messages over a slow-response-time connection.
• Offline
  – The prover creates a number of problems, then applies a cryptographically strong one-way hash function to the data and the set of problems; the hash plays the role of the verifier by selecting the solution wanted for each problem. The prover then appends these solutions to the message. This mode can be used for digital signatures.
ZK Proof based on Integer Factorization Problem
• Feige-Fiat-Shamir identification protocol (1988)
• 1. One-time setup
  – (a) Selection of system parameters:
    • A trusted center T selects and publishes an RSA-like modulus n = pq but keeps the primes p and q secret.
  – (b) Selection of per-entity secrets:
    • Each prover A selects k random integers s_1, ..., s_k with 1 ≤ s_i ≤ n − 1 (each coprime to n) and k random bits b_1, ..., b_k, computes v_i = (−1)^{b_i} · (s_i^2)^{−1} mod n for 1 ≤ i ≤ k, and registers (v_1, ..., v_k; n) with T as its public key.
(Outline sidebar: ZKP–IFP: FFS protocol, GQ protocol; ZKP–DLP: Schnorr protocol; ZKP–Graph problems: Graph Isomorphism, Graph Coloring, Hamiltonian Cycles)
Feige-Fiat-Shamir Identification Protocol
• 2. Protocol actions (each of t rounds)
  – (a) A chooses a random integer r (1 ≤ r ≤ n − 1) and a random bit b, computes x = (−1)^b · r^2 mod n, and sends x (the witness) to B
  – (b) B sends to A a random k-bit challenge vector (e_1, e_2, ..., e_k)
  – (c) A computes y = r · ∏_{j=1}^{k} s_j^{e_j} mod n and sends y (the response) to B
  – (d) B computes z = y^2 · ∏_{j=1}^{k} v_j^{e_j} mod n and verifies that z = ±x and z ≠ 0
Example of Feige-Fiat-Shamir Identification Protocol
• 1. The trusted center T selects the primes p = 683, q = 811 and publishes n = pq = 553913. The integers k = 3 and t = 1 are defined as security parameters.
• 2. Entity A does the following.
  – (a) Selects 3 random integers s_1 = 157, s_2 = 43215, s_3 = 4646, and 3 bits b_1 = 1, b_2 = 0, b_3 = 1.
  – (b) Computes v_1 = 441845, v_2 = 338402 and v_3 = 124423.
  – (c) A’s public key is (441845, 338402, 124423; 553913) and private key is (157, 43215, 4646).
• 3. Protocol actions
  – (a) A chooses r = 1279, b = 1, computes x = 25898 and sends this to B.
  – (b) B sends to A the 3-bit vector (0, 0, 1).
  – (c) A computes and sends to B y = r · s_3 mod n = 403104.
  – (d) B computes z = y^2 · v_3 mod n = 25898 and accepts A’s identity since z = +x and z ≠ 0.
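The FFS setup and one protocol round, reproduced in code with the numbers of the example above. This is an added example, not code from the slides: the `ffs_*` function names are mine, and the toy modulus n = 683 · 811 is only for reproducing the example (a real deployment needs an RSA-size n). The block also shows the cheating strategy behind the 2^{−kt} soundness bound: an impostor who guesses the challenge, picks y first and works backwards to a fake witness x.

```python
# Feige-Fiat-Shamir identification: key generation, one honest round with fixed coins
# (so the slide's numbers come out), t random rounds, and the guess-the-challenge impostor.
# Added example; the numbers are the textbook-size ones from the worked example.
from math import gcd
import secrets as rng

def ffs_keygen(n, s_list, bits):
    """Public key v_i = (-1)^{b_i} * (s_i^2)^{-1} mod n for each secret s_i and bit b_i."""
    v = []
    for s, b in zip(s_list, bits):
        assert 1 <= s <= n - 1 and gcd(s, n) == 1, "s_i must be invertible mod n"
        inv_sq = pow(s, -2, n)                    # (s_i^2)^{-1} mod n
        v.append((-inv_sq) % n if b else inv_sq)
    return v

def ffs_witness(n, r, b):
    """Step (a): x = (-1)^b * r^2 mod n."""
    return ((-1) ** b * r * r) % n

def ffs_response(n, s_list, r, e):
    """Step (c): y = r * prod_{j : e_j = 1} s_j mod n."""
    y = r
    for s, ej in zip(s_list, e):
        if ej:
            y = (y * s) % n
    return y

def ffs_combine(n, v, e, y):
    """z = y^2 * prod_{j : e_j = 1} v_j mod n, the quantity the verifier recomputes."""
    z = (y * y) % n
    for vj, ej in zip(v, e):
        if ej:
            z = (z * vj) % n
    return z

def ffs_verify(n, v, x, e, y):
    """Step (d): accept iff z = +-x and z != 0 (z = 0 would let r = 0 pass trivially)."""
    z = ffs_combine(n, v, e, y)
    return z, (z != 0 and z in (x, (-x) % n))

def ffs_round(n, s_list, v, r, b, e):
    """One honest round with the coins r, b, e supplied by the caller."""
    x = ffs_witness(n, r, b)
    y = ffs_response(n, s_list, r, e)
    z, ok = ffs_verify(n, v, x, e, y)
    return x, y, z, ok

def ffs_identify(n, s_list, v, t):
    """t honest rounds with fresh random coins; an impostor survives with probability 2^-(k*t)."""
    k = len(v)
    for _ in range(t):
        r, b = rng.randbelow(n - 1) + 1, rng.randbelow(2)
        e = [rng.randbelow(2) for _ in range(k)]
        if not ffs_round(n, s_list, v, r, b, e)[3]:
            return False
    return True

def ffs_impostor_witness(n, v, guess, y):
    """An impostor without the s_i guesses the challenge, picks y first and sends
    x = y^2 * prod v_j^{guess_j}. B accepts exactly when its challenge equals the guess,
    i.e. with probability 2^-k per round."""
    return ffs_combine(n, v, guess, y)
```

Note that the verifier never learns r or the s_j: y is r masked by the secrets, and x is a random square (up to sign), which is why the round transcripts can be simulated without the secrets.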
Guillou-Quisquater (GQ) Identification Protocol (1988)
• System parameters
  – Private: p, q, and s = v^{−1} mod φ(n)
  – Public: n = pq and an exponent v > 2 with gcd(v, φ(n)) = 1
• User parameters
  – A has identity I_A and redundant identity J_A = f(I_A); the secret of A is s_A = J_A^{−s} mod n
• Protocol messages (repeat t times)
  – A sends to B (commit): I_A and x = r^v mod n for a random r
  – B sends to A (challenge): a random e with 1 ≤ e ≤ v
  – A sends to B (response): y = r · s_A^e mod n
• Verify
  – B computes z = J_A^e · y^v mod n
  – Accept A’s proof of identity if z = x and z ≠ 0
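The GQ exchange above in code, with both sides' computations and the 1/v-per-round impostor. This is an added example, not code from the slides. It reuses the toy modulus n = 683 · 811 from the FFS example with public exponent v = 7 (chosen because gcd(7, φ(n)) = 1); the redundancy function f(I_A) is a hash-based stand-in of my own (the real scheme specifies its own redundancy rule), and the `gq_*` names are mine.

```python
# Guillou-Quisquater identification: trusted-centre setup, user secret s_A = J_A^{-s},
# commit / challenge / response / verify, and the impostor who bets on the challenge.
# Added example; toy parameters only.
from hashlib import sha256
from math import gcd
import secrets as rng

def gq_setup(p, q, v):
    """T: n = pq is public, s = v^{-1} mod phi(n) is private. Requires gcd(v, phi(n)) = 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert v > 2 and gcd(v, phi) == 1, "v must be invertible mod phi(n)"
    return n, pow(v, -1, phi)

def redundancy(identity, n):
    """Stand-in for J_A = f(I_A) (assumption): hash the identity into Z_n^*, retrying if needed."""
    counter = 0
    while True:
        J = int.from_bytes(sha256(f"{identity}|{counter}".encode()).digest(), "big") % n
        if J > 1 and gcd(J, n) == 1:
            return J
        counter += 1

def gq_user_secret(n, s, J):
    """T hands A the secret s_A = J_A^{-s} mod n, a v-th root of J_A^{-1}."""
    return pow(J, -s, n)

def gq_commit(n, v, r):
    return pow(r, v, n)                          # x = r^v mod n

def gq_respond(n, sA, r, e):
    return (r * pow(sA, e, n)) % n               # y = r * s_A^e mod n

def gq_verify(n, v, J, x, e, y):
    """B: z = J_A^e * y^v mod n; since s*v = 1 mod phi(n), y^v = r^v * J_A^{-e}, so z = x."""
    z = (pow(J, e, n) * pow(y, v, n)) % n
    return z != 0 and z == x

def gq_identify(n, v, J, sA, t):
    """t rounds; guessing e succeeds with probability 1/v per round, v^-t overall."""
    for _ in range(t):
        r = rng.randbelow(n - 1) + 1
        x = gq_commit(n, v, r)                   # A -> B: I_A, x
        e = rng.randbelow(v) + 1                 # B -> A: 1 <= e <= v
        y = gq_respond(n, sA, r, e)              # A -> B: y
        if not gq_verify(n, v, J, x, e, y):
            return False
    return True

def gq_impostor_commit(n, v, J, guess, y):
    """Without s_A: choose y, guess e, send x = J_A^guess * y^v; accepted iff e == guess."""
    return (pow(J, guess, n) * pow(y, v, n)) % n
```

With k = t = 1 the whole identification is one three-message exchange and one stored secret, which is the memory and bandwidth advantage over FFS discussed in the analysis slides; the price is the larger exponentiations by v and e.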
ZK Proof based on Discrete Logarithm Problem
• Schnorr identification protocol (1990)
• System parameters
  – Primes p and q with q | p − 1
  – h = g^{(p−1)/q} mod p has order q (g is a generator of GF(p)*)
  – T’s verification public key for the signature S_T(m), and a security parameter t
• User parameters
  – A chooses a private key a (0 ≤ a ≤ q − 1) and computes the public key v = h^{−a} mod p
  – A transfers v to T and obtains cert_A = (I_A, v, S_T(I_A, v))
Schnorr Identification Protocol
• Protocol messages (a single three-pass run; t is the bit length of the challenge)
  – A sends to B (commit): cert_A and x = h^r mod p for a random r, 0 ≤ r ≤ q − 1
  – B authenticates A’s public key v from cert_A and sends to A (challenge): a random e with 1 ≤ e ≤ 2^t < q
  – A sends to B (response): y = (a·e + r) mod q
• Verify
  – B computes z = h^y · v^e mod p
  – Accept A’s proof of identity if z = x
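The Schnorr exchange in code, split into the pre-computable part (r, x = h^r) and the real-time part (one multiplication mod q), and, as the offline mode described on the Modes of Operation slide, the same exchange with the challenge derived from a hash of x and a message, which turns it into a signature. This is an added example, not code from the slides; the toy group p = 48731, q = 443 is far too small for real use and only allows t ≤ 8, the certificate cert_A is omitted (B is assumed to already hold an authentic v), and the function names are mine.

```python
# Schnorr identification over a toy order-q subgroup of Z_p^*, with pre-computation,
# plus the offline ("hash as verifier") mode. Added example; toy parameters only.
from hashlib import sha256
import secrets as rng

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def schnorr_params(p, q):
    """h = g^((p-1)/q) mod p has order exactly q for any g whose power is not 1."""
    assert is_prime(p) and is_prime(q) and (p - 1) % q == 0
    for g in range(2, p):
        h = pow(g, (p - 1) // q, p)
        if h != 1:
            return h
    raise ValueError("no element of order q")

def schnorr_keygen(p, q, h):
    a = rng.randbelow(q - 1) + 1                  # private key a
    v = pow(h, (-a) % q, p)                       # public key v = h^-a mod p
    return a, v

def schnorr_precompute(p, q, h):
    """Offline work for the claimant: pick r and compute x = h^r mod p ahead of time."""
    r = rng.randbelow(q)
    return r, pow(h, r, p)

def schnorr_respond(q, a, r, e):
    """Real-time work: y = a*e + r mod q, a single multiplication modulo q."""
    return (a * e + r) % q

def schnorr_verify(p, h, v, x, e, y):
    """z = h^y v^e = h^(ae + r) h^(-ae) = h^r = x."""
    return (pow(h, y, p) * pow(v, e, p)) % p == x

def schnorr_identify(p, q, h, a, v, t):
    """Interactive mode: three passes, challenge 1 <= e <= 2^t < q."""
    assert 2 ** t < q
    r, x = schnorr_precompute(p, q, h)           # A -> B: x
    e = rng.randbelow(2 ** t) + 1                # B -> A: e
    y = schnorr_respond(q, a, r, e)              # A -> B: y
    return schnorr_verify(p, h, v, x, e, y)

def hash_challenge(x, message, t):
    """Offline mode: the hash plays the verifier, e = H(x, m) reduced to t bits, 1 <= e <= 2^t."""
    digest = sha256(f"{x}|{message}".encode()).digest()
    return int.from_bytes(digest, "big") % (2 ** t) + 1

def schnorr_sign(p, q, h, a, message, t):
    r, x = schnorr_precompute(p, q, h)
    return x, schnorr_respond(q, a, r, hash_challenge(x, message, t))

def schnorr_check_signature(p, h, v, message, sig, t):
    x, y = sig
    return schnorr_verify(p, h, v, x, hash_challenge(x, message, t), y)
```

In the offline mode the challenge space is the t-bit output of the hash, so t has to be large enough that a forger cannot try 2^t candidates; with the real parameters of the analysis slides (t = 40 and later far more) that is the case, with this toy q it is not.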
ZK Proof based on Graph Problem
• Graph isomorphism
  • A pair of graphs G_1 = (V_1, E_1), G_2 = (V_2, E_2) with |V_1| = |V_2|
  • Let π be an isomorphism between the input graphs, namely a 1-1 and onto mapping of the vertex set V_1 to the vertex set V_2 such that (u, v) ∈ E_1 iff (π(u), π(v)) ∈ E_2
Graph Isomorphism
• Prover’s first step (A1): Select a random permutation ψ over V_1, construct the edge set F = {(ψ(u), ψ(v)) : (u, v) ∈ E_1} and the graph H = (V_1, F), and send H to the verifier.
• Verifier’s first step (B1): B gets H from P, selects σ ∈_R {1, 2} and sends it to P. P is supposed to answer with an isomorphism between G_σ and H.
Graph Isomorphism
• (A2): If σ = 1, then send φ = ψ to B. Otherwise send φ = ψ ∘ π^{−1} to B.
• (B2): If φ is an isomorphism between G_σ and H, then B outputs 1; otherwise it outputs 0.
Graph Isomorphism (Flow)
Prover                                        Verifier
ψ = random permutation over V_1
H = ψ(G_1)                  ── H ──────▶
                            ◀── σ ──────   σ ∈_R {1, 2}
If σ = 1, send φ = ψ;
otherwise φ = ψ ∘ π^{−1}    ── φ ──────▶
                                              Accept iff H = φ(G_σ)
Graph Isomorphism example
[Figure: two graphs G_1 and G_2 on the vertices 1 to 5]
• Common input: two graphs G_1 and G_2.
• Only P knows π.
Graph Isomorphism example
[Figure: G_1, H = ψ(G_1) and G_2 on the vertices 1 to 5]
• φ = ψ ∘ π^{−1}
• Only P knows π.
• A sends H to B.
• B sends σ = 2 to A.
• B gets φ and accepts.
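The graph isomorphism proof (steps A1, B1, A2, B2 and the flow above) in code, together with the two things the analysis slides say about it: the cheating prover who does not know π and survives a round only by guessing σ, and the simulator that produces accepting transcripts without π, which is the sense in which the protocol is zero-knowledge. This is an added example, not code from the slides; the 5-vertex graphs used in the test are constructed here and are not the ones in the slide's figure, and the function names are mine.

```python
# Zero-knowledge proof of graph isomorphism (Goldreich-Micali-Wigderson): honest rounds,
# the guess-sigma cheater behind the 1/2^k bound, and the simulator behind zero-knowledge.
# Added example; the graphs are constructed in the test.
import random

SYS = random.SystemRandom()           # OS entropy: the prover's permutation must be unpredictable

def graph(edges):
    """Undirected simple graph as a frozenset of 2-element frozensets."""
    return frozenset(frozenset(e) for e in edges)

def apply_perm(G, perm):
    """perm(G): relabel every vertex u by perm[u]."""
    return frozenset(frozenset(perm[u] for u in e) for e in G)

def random_perm(vertices):
    vs = list(vertices)
    images = list(vs)
    SYS.shuffle(images)
    return dict(zip(vs, images))

def invert(perm):
    return {w: u for u, w in perm.items()}

def compose(outer, inner):
    """(outer o inner)(u) = outer[inner[u]]"""
    return {u: outer[inner[u]] for u in inner}

def prover_a1(G1, vertices):
    """A1: random psi over V1, H = psi(G1)."""
    psi = random_perm(vertices)
    return psi, apply_perm(G1, psi)

def prover_a2(psi, pi, sigma):
    """A2: sigma = 1 -> phi = psi (maps G1 to H); sigma = 2 -> phi = psi o pi^-1 (maps G2 to H)."""
    return psi if sigma == 1 else compose(psi, invert(pi))

def verifier_b2(G_sigma, H, phi):
    """B2: output 1 iff phi is an isomorphism from G_sigma onto H."""
    return apply_perm(G_sigma, phi) == H

def gi_protocol(G1, G2, pi, vertices, k):
    """k honest rounds; the prover's secret pi satisfies G2 = pi(G1)."""
    for _ in range(k):
        psi, H = prover_a1(G1, vertices)                 # A -> B: H
        sigma = SYS.randrange(1, 3)                       # B -> A: sigma in {1, 2}
        phi = prover_a2(psi, pi, sigma)                  # A -> B: phi
        if not verifier_b2(G1 if sigma == 1 else G2, H, phi):
            return False
    return True

def cheating_round(G1, G2, vertices, guess, sigma):
    """A prover without pi bets on sigma: H = psi(G_guess) and phi = psi.
    Accepted iff sigma == guess, so k rounds are survived with probability 2^-k."""
    psi, H = prover_a1(G1 if guess == 1 else G2, vertices)
    return verifier_b2(G1 if sigma == 1 else G2, H, psi)

def simulate_transcript(G1, G2, vertices):
    """Simulator: pick sigma first, then H = psi(G_sigma) and phi = psi. The triple
    (H, sigma, phi) has exactly the distribution of a real round, yet pi was never used."""
    sigma = SYS.randrange(1, 3)
    psi, H = prover_a1(G1 if sigma == 1 else G2, vertices)
    return H, sigma, psi
```

The simulator is the whole zero-knowledge argument in miniature: anything B could compute from the real transcripts it could compute from simulated ones, and those were made without π.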
Graph 3 Coloring
• Common input: a graph (figure: a 5-vertex graph, shown uncolored and with P’s 3-coloring)
• P can paint the graph in 3 colors.
• P must keep the coloring a secret.
Graph 3 Coloring
• P chooses a random color permutation.
• He puts all the colored nodes inside envelopes.
• And sends them to the verifier.
Graph 3 Coloring
• Verifier receives a 3-colored graph, but the colors are hidden (figure: the graph with sealed envelopes on the nodes).
• He chooses an edge at random.
• And asks the prover to open the 2 envelopes at its ends.
Graph 3 Coloring
• Prover opens the envelopes, revealing the two colors (figure: the graph with the two opened nodes).
• Verifier accepts if the colors are different.
Graph 3 Coloring
• G = (V, E) is 3-colorable if there exists a mapping φ: V → {1, 2, 3} so that φ(u) ≠ φ(v) for every (u, v) ∈ E.
• Let φ be a 3-coloring of G, and let π be a permutation over {1, 2, 3} chosen randomly.
• Define ψ(v) = π(φ(v)), a random 3-coloring.
• Put each ψ(v) in a box with v marked on it.
• Send all the boxes to the verifier.
Graph 3 Coloring
• Verifier selects an edge e = (u, v) ∈_R E at random, asking to inspect its colors.
• Prover sends the keys to boxes u and v.
• Verifier uses the keys to open the boxes.
• If he finds 2 different colors from {1, 2, 3}: Accept. Otherwise: Reject.
Graph 3 Coloring (Flow)
P ──▶ V : boxes ψ(1), ψ(2), ..., ψ(n), labelled 1, 2, ..., n
P ◀── V : e = (u, v) ∈_R E
P ──▶ V : key_u, key_v
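The 3-coloring proof (commit, edge challenge, open two boxes, check) in code, with SHA-256 commitments playing the role of the boxes: a box is the hash of the vertex label, the color and a random nonce, so it can be opened by releasing color and nonce but cannot be repainted afterwards. This is an added example, not code from the slides; the hash commitment is my stand-in for the physical boxes, the 5-vertex graph and its coloring in the test are constructed here, and the function names are mine.

```python
# Zero-knowledge proof of 3-colorability (Goldreich-Micali-Wigderson) with hash commitments
# as the boxes of the slides. Added example; graph and coloring are constructed in the test.
from hashlib import sha256
import random
import secrets

SYS = random.SystemRandom()

def commit(vertex, color, nonce):
    """Sealed box: binding (cannot change color after sending) and hiding (nonce masks color)."""
    return sha256(f"{vertex}|{color}|{nonce.hex()}".encode()).hexdigest()

def is_3_coloring(edges, phi):
    """phi : V -> {1,2,3} with phi(u) != phi(v) for every edge (u, v)."""
    return all(phi[u] in (1, 2, 3) and phi[v] in (1, 2, 3) and phi[u] != phi[v] for u, v in edges)

def prover_commit(phi):
    """Fresh random color permutation pi, psi(v) = pi(phi(v)), one sealed box per vertex."""
    images = [1, 2, 3]
    SYS.shuffle(images)
    pi = dict(zip((1, 2, 3), images))
    psi = {v: pi[c] for v, c in phi.items()}
    nonces = {v: secrets.token_bytes(16) for v in phi}
    boxes = {v: commit(v, psi[v], nonces[v]) for v in phi}
    return boxes, (psi, nonces)                  # boxes go to V; the state stays with P

def prover_open(state, u, v):
    """The 'keys' for boxes u and v: the committed colors and their nonces."""
    psi, nonces = state
    return (psi[u], nonces[u]), (psi[v], nonces[v])

def verifier_check(boxes, u, v, key_u, key_v):
    """Re-seal each opened box and compare, then demand two different colors from {1,2,3}."""
    (cu, nu), (cv, nv) = key_u, key_v
    if boxes[u] != commit(u, cu, nu) or boxes[v] != commit(v, cv, nv):
        return False                              # opened content does not match the seal
    return cu in (1, 2, 3) and cv in (1, 2, 3) and cu != cv

def three_coloring_protocol(edges, phi, rounds):
    """Each round: P commits, V names a random edge, P opens its two boxes. A coloring with a
    monochromatic edge is caught with probability only 1/|E| per round, so about |E| rounds
    are needed for every factor of e in the cheating probability."""
    edge_list = list(edges)
    for _ in range(rounds):
        boxes, state = prover_commit(phi)                  # P -> V: boxes
        u, v = SYS.choice(edge_list)                        # V -> P: edge (u, v)
        key_u, key_v = prover_open(state, u, v)             # P -> V: keys
        if not verifier_check(boxes, u, v, key_u, key_v):
            return False
    return True
```

Because the color permutation π is fresh in every round, the verifier only ever sees two different random colors, which is the same view it could generate itself; the zero-knowledge here is relative to the hiding property of the commitment, not perfect as in the graph isomorphism proof.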
Hamiltonian Cycles
• Similar to the graph isomorphism ZK identification protocol
• A Hamiltonian cycle of a graph is a closed path through the graph that visits every node exactly once and returns to its start.
  – For an extremely large graph, finding one is very hard (hard enough).
• The prover's secret is a Hamiltonian cycle of the graph.
Hamiltonian Cycles
• The prover gives the verifier a permuted version of the original graph (in Blum’s protocol the permuted graph is sent in committed form, so that only the parts needed to answer the chosen question are ever opened).
• The verifier can ask for either
  – a proof that the graph is a permutation of the original graph, or
  – the Hamiltonian cycle of the permuted graph.
• Either one of these can be produced easily from the original data, but being able to answer both possible requests for the same permuted graph requires knowledge of the secret, i.e. a Hamiltonian cycle of the original graph.
Hamiltonian Cycles
• A must use a different permuted graph in each round, as he should never give both answers for the same permuted graph to B.
• This protocol is theoretical because of the requirement for the graph to be extremely large, and the large memory and message size requirements it has.
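The Hamiltonian cycle proof in code, in Blum's committed form: the prover commits to every entry of the adjacency matrix of the permuted graph H = ψ(G), then either reveals ψ and opens all entries, or reveals the cycle of H and opens only its n edges. This is an added example, not code from the slides; SHA-256 commitments stand in for the sealed boxes, the 6-vertex graph and cycle in the test are constructed here, and the function names are mine.

```python
# Zero-knowledge proof of knowledge of a Hamiltonian cycle (Blum). Added example.
from hashlib import sha256
from itertools import combinations
import random
import secrets

SYS = random.SystemRandom()

def commit(i, j, bit, nonce):
    return sha256(f"{i}|{j}|{bit}|{nonce.hex()}".encode()).hexdigest()

def relabel(edges, perm):
    return {frozenset(perm[u] for u in e) for e in edges}

def is_hamiltonian_cycle(vertices, edges, cycle):
    """cycle lists every vertex exactly once; consecutive pairs (wrapping around) are edges."""
    if sorted(cycle) != sorted(vertices):
        return False
    n = len(cycle)
    return all(frozenset((cycle[i], cycle[(i + 1) % n])) in edges for i in range(n))

def prover_commit(vertices, edges, cycle):
    """Permute G, commit bit by bit to the upper triangle of H's adjacency matrix, keep the keys."""
    images = list(vertices)
    SYS.shuffle(images)
    psi = dict(zip(vertices, images))
    H = relabel(edges, psi)
    pairs = list(combinations(sorted(vertices), 2))
    bits = {p: int(frozenset(p) in H) for p in pairs}
    nonces = {p: secrets.token_bytes(16) for p in pairs}
    boxes = {p: commit(p[0], p[1], bits[p], nonces[p]) for p in pairs}
    return boxes, (psi, [psi[v] for v in cycle], bits, nonces)   # the cycle mapped into H

def prover_answer(state, challenge):
    psi, cycle_H, bits, nonces = state
    if challenge == 0:        # "show H is a permutation of G": reveal psi and open every box
        return psi, {p: (bits[p], nonces[p]) for p in bits}
    opened = {}               # "show the cycle of H": open only its n edges, nothing else
    n = len(cycle_H)
    for k in range(n):
        p = tuple(sorted((cycle_H[k], cycle_H[(k + 1) % n])))
        opened[p] = (bits[p], nonces[p])
    return cycle_H, opened

def verifier_check(vertices, edges, boxes, challenge, answer):
    revealed, opened = answer
    if any(boxes[p] != commit(p[0], p[1], b, nonce) for p, (b, nonce) in opened.items()):
        return False                                  # an opened box does not match its seal
    if challenge == 0:
        if set(opened) != set(boxes) or sorted(revealed) != sorted(vertices) \
                or sorted(revealed.values()) != sorted(vertices):
            return False
        H = {frozenset(p) for p, (b, _) in opened.items() if b == 1}
        return relabel(edges, revealed) == H
    return (len(opened) == len(vertices) and all(b == 1 for b, _ in opened.values())
            and is_hamiltonian_cycle(vertices, {frozenset(p) for p in opened}, revealed))

def hamiltonian_protocol(vertices, edges, cycle, rounds):
    """Fresh psi every round, so both answers are never given for the same committed H."""
    for _ in range(rounds):
        boxes, state = prover_commit(vertices, edges, cycle)     # P -> V: boxes
        challenge = SYS.randrange(2)                             # V -> P: 0 or 1
        answer = prover_answer(state, challenge)                 # P -> V: one answer only
        if not verifier_check(vertices, edges, boxes, challenge, answer):
            return False
    return True
```

A prover who knows no cycle of G can still pass challenge 0 in every round (any honest permutation does), but fails challenge 1 whenever the claimed cycle uses a non-edge, so each round halves a cheater's chances, as with graph isomorphism. The message size is one commitment per vertex pair, which is the quadratic cost the slide above calls theoretical.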
Analysis
Cryptographic protocol families and their calculation and memory requirements

Protocol family | Message size | Protocol iterations | Amount of calculation | Memory requirements
Zero-knowledge  | large        | many                | large                 | large
Public-key      | large        | one                 | very large            | large
Symmetric       | small        | one                 | small                 | small
Analysis: ZK identification protocols, FFS vs GQ

Probability of forgery
  – FFS: 1/2^{kt}; provably secure against chosen-message attack
  – GQ: 1/v^t
Security assumption required
  – FFS: extracting square roots modulo a large composite integer n of unknown factorization; equivalent to factoring n
  – GQ: extracting v-th roots modulo the composite integer n; computationally intractable and believed to be as hard as factoring n (no equivalence proof is known)
Zero-knowledge and soundness
  – FFS: k = O(log log n) (asymptotic upper bound) and t = Θ(log n) (asymptotic tight bound); the verifier wants large t for soundness, the prover wants small t for the zero-knowledge property
  – GQ: soundness: cheating probability v^{−t} (= O(e^{−kt})); the zero-knowledge property holds when v^t = O((log n)^c) for a constant c
Parameter selection
  – FFS: choosing k and t such that kt = 20, e.g. k = 5, t = 4, allows a 1 in a million chance of impersonation
  – GQ: similar to FFS
Analysis: ZK identification protocols, FFS vs GQ (continued)

Computational efficiency (modular multiplications by the prover, e.g. kt = 20, 512-bit n)
  – FFS: k = 20, t = 1: 1 + 20/2 = 11 steps; k = 1, t = 20: 20 + 20/2 = 30 steps
  – GQ: t = 1, m = 20 = log_2(v): 20 · 3 = 60 steps
Bandwidth and memory for secrets
  – FFS: simultaneous reduction is not possible, because it requires k user secrets and t iterations for an estimated security (probability of cheating) of 2^{−kt}
  – GQ: allows the simultaneous reduction of both memory (parameter k) and transmission bandwidth (parameter t) with k = t = 1, by introducing the public exponent v > 2, so that the probability of successful cheating becomes v^{−kt}
Others
  – FFS: computationally efficient
  – GQ: memory efficient
Analysis: Schnorr identification protocol

Probability of forgery: 1/2^t
Security assumption required: computing discrete logarithms modulo a prime p (DLP)
Zero-knowledge and soundness
  – The protocol reveals “no useful information” about a, because x is a random number and y is perturbed by the random number r.
  – The protocol is not zero-knowledge for large e, because through the interaction B obtains a solution (x, y, e) of x = h^y · v^e mod p that B might not be able to compute on its own.
Parameter selection
  – t must be sufficiently large to make the probability 1/2^t of correctly guessing the challenge e negligible.
  – t = 40 and q ≥ 2^{2t} = 2^{80} were originally suggested for the case that a response is required within seconds.
Other
  – The design allows pre-computation, reducing the real-time computation for the claimant to one multiplication modulo the prime q.
  – Suitable for claimants of limited computational ability.
  – The protocol was designed to require only three passes and a low communications bandwidth.
  – Reduces the required number of transmitted bits.
Analysis: ZK identification protocols, Graph Isomorphism vs Graph 3 Coloring

Probability of forgery
  – Graph isomorphism: 1/2^k after k rounds
  – Graph 3 coloring: 1/e^k, where e ≈ 2.718 is the base of the natural logarithm (a single round catches a bad coloring only with probability 1/|E|, so this bound refers to k·|E| rounds)
Security assumption required
  – Graph isomorphism: deciding whether two graphs are isomorphic
  – Graph 3 coloring: coloring all the vertices of a graph with 3 colors such that vertices connected by an edge have different colors
Zero-knowledge and soundness
  – Graph isomorphism: perfect zero-knowledge interactive proof system
  – Graph 3 coloring: zero-knowledge relative to the hiding of the boxes (commitments)
Parameter selection
  – Graph isomorphism: minimum of 2^4 = 16 vertices (2^8 = 256 vertex pairs, i.e. adjacency-matrix entries)
  – Graph 3 coloring: similar to graph isomorphism
Future Work
• Study digital signatures derived from zero-knowledge protocols
  – Fiat-Shamir digital signature protocol
  – Guillou-Quisquater digital signature protocol
  – Schnorr digital signature protocol
• Consider the other modes of operation (parallel and offline) in detail
• Study other zero-knowledge protocols
  – Permuted Kernels identification scheme