Cryptographic protocols
Lecture 3: Zero-knowledge protocols for identification
6/16/03 (c) Jussipekka Leiwo www.ialan.com

Overview of ZK
- Asymmetric identification techniques that do not rely on digital signatures or PK encryption; they avoid block ciphers, sequence numbers and timestamps
- Similar to challenge-response protocols, but based on interactive proofs and zero-knowledge proofs, and employ random numbers as commitments to prevent cheating, not only as challenges
ZK concepts
- ZK allows the prover (claimant) to demonstrate knowledge of a secret without revealing any information of use to the verifier
- Only a single bit of information need be conveyed: that the prover knows the secret (related to trusted oracles)
- Interactive proofs: multiple messages are exchanged; typically dependent on random numbers; probabilistic rather than absolute; also called proof by protocol

Proof of knowledge
An interactive proof is said to be a proof of knowledge if it has two properties:
- Completeness: given an honest prover and an honest verifier, the protocol succeeds with overwhelming probability
- Soundness: there exists a polynomial-time algorithm M with the following property: if a dishonest prover (impersonating A) can with non-negligible probability successfully execute the protocol with B, then M can be used to extract from this prover knowledge which with overwhelming probability allows a successful subsequent protocol run
Note on soundness
- Any party impersonating A must know the equivalent of A's secret
- Soundness guarantees that an impersonator must know the equivalent of A's secret (it can be extracted in polynomial time)
- Soundness is required for cryptographic use: it prevents a dishonest prover from convincing an honest verifier
- It does not guarantee that acquiring the prover's secret is difficult; the zero-knowledge property is equally important

ZK-property
- Transcript: a collection of messages resulting from a protocol execution
- ZK-property: a protocol that is a proof of knowledge has the ZK-property if it is simulatable in the following sense: there exists an expected polynomial-time algorithm (simulator) which can produce, upon input of the assertions to be proven but without interacting with the real prover, transcripts indistinguishable from those resulting from interaction with the real prover.
Computational vs. perfect ZK
- Computational ZK: an observer restricted to probabilistic polynomial-time tests cannot distinguish real from simulated transcripts. Real and simulated transcripts are said to be polynomially indistinguishable: any information extracted by a verifier through interaction with a prover provides no advantage to the verifier within polynomial time
- Perfect ZK: the probability distributions of the transcripts must be identical

ZK vs. other asymmetric protocols
- No degradation with usage: resists chosen-text attacks
- Encryption avoided: political advantages?
- Efficiency: reasonable computation and communication overhead; the efficiency arises from the nature of interactive proofs, not from the ZK aspect
- Unproven assumptions: rely on the same unproven PK assumptions (factoring, quadratic residuosity)
- ZK-based vs. ZK: many real-world implementations are not ZK, only based on ZK
Fiat-Shamir identification protocol
A proves knowledge of s to B in t executions of a 3-pass protocol:
1. One-time setup
2. Protocol messages
3. Protocol actions

Fiat-Shamir setup
a. Trust centre T
   1. selects and publishes an RSA-like modulus n = pq
   2. keeps p and q secret
b. Each claimant A
   1. selects a secret s coprime to n, 1 ≤ s ≤ n-1
   2. computes v = s^2 mod n
   3. registers v with T as its public key
Fiat-Shamir protocol messages
Each of the t rounds has three messages of the following form:
1. A → B: x = r^2 mod n
2. A ← B: e ∈ {0,1}
3. A → B: y = r·s^e mod n

Fiat-Shamir protocol actions
The following steps are iterated t times; B accepts the proof if all t rounds succeed:
a. A chooses a random r (commitment), 1 ≤ r ≤ n-1, and sends x = r^2 mod n to B
b. B randomly selects a bit e (challenge) and sends it to A
c. A computes and sends to B the response y: either y = r (if e = 0) or y = rs mod n (if e = 1)
d. B rejects the proof if y = 0, otherwise accepts upon verifying y^2 ≡ x·v^e (mod n)
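The Fiat-Shamir rounds above run end to end, as an added example that is not part of the lecture: an honest prover passing t rounds, the impersonator strategy of committing to x = r^2/v (which answers only e = 1) from the security argument, and the simulator from the ZK-property definition producing accepting transcripts without s. The small primes p, q are constructed toy values, not a usable modulus.

```python
import random
from math import gcd

# Constructed toy parameters (illustration only): a real trust centre T
# publishes an RSA-sized n = p*q and keeps p, q secret.
P, Q = 1000003, 1000033
N = P * Q

def keygen(n):
    """Claimant A: secret s coprime to n, public key v = s^2 mod n."""
    while True:
        s = random.randrange(2, n)
        if gcd(s, n) == 1:
            return s, pow(s, 2, n)

def verify(x, e, y, v, n):
    """B: reject y = 0, otherwise accept iff y^2 == x * v^e (mod n)."""
    return y != 0 and pow(y, 2, n) == (x * pow(v, e, n)) % n

def honest_round(s, v, n, e=None):
    """One 3-pass round with the real prover; returns (x, e, y, accepted)."""
    r = random.randrange(1, n)               # commitment
    x = pow(r, 2, n)                         # witness
    if e is None:
        e = random.randint(0, 1)             # B's challenge bit
    y = r if e == 0 else (r * s) % n         # response
    return x, e, y, verify(x, e, y, v, n)

def cheater_round(v, n, e):
    """Impersonator without s commits to x = r^2 / v, which answers e = 1
    with y = r; for e = 0 it would need a square root of x mod n, so it
    can only send a guess (here: r again) and fails."""
    r = random.randrange(1, n)
    x = (pow(r, 2, n) * pow(v, -1, n)) % n
    return verify(x, e, r, v, n)

def simulate_transcript(v, n):
    """ZK simulator: choose e and y first, then x = y^2 / v^e. The triple
    verifies and has the same distribution as a real transcript, yet s
    is never used."""
    e = random.randint(0, 1)
    y = random.randrange(1, n)
    x = (pow(y, 2, n) * pow(v, -e, n)) % n
    return x, e, y

def identify(s, v, n, t=20):
    """Full protocol: B accepts only if all t rounds succeed."""
    return all(honest_round(s, v, n)[3] for _ in range(t))
```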
Why is it secure?
- A must answer two questions: one that demonstrates knowledge of the secret s, and another (easy) one to prevent cheating
- An adversary impersonating A might try to cheat by selecting any r and setting x = r^2/v: it can answer challenge e = 1 with the correct y = r, but cannot answer challenge e = 0, which requires knowledge of a square root of x mod n
- Has probability 2^-t of guessing right t times
- The prover A can answer both questions

Schnorr identification protocol
- Security based on the intractability of the discrete logarithm problem
- Allows pre-computation, reducing the real-time computation of the claimant to a single multiplication modulo a prime q; suitable for low-end devices
- Further efficiency through the use of a subgroup of order q of the multiplicative group of integers modulo p, where q | (p-1)
- Lower communication bandwidth than Fiat-Shamir
Schnorr protocol overview
A proves knowledge of a secret a (without revealing it) in a time-variant manner (depending on the challenge e), identifying A through the association of a with the public key v via A's authenticated certificate.
A proves its identity to B in a 3-pass protocol:
- Selection of system parameters
- Selection of per-user parameters
- Protocol messages
- Protocol actions

Schnorr system parameters
1. A prime p is selected such that p-1 is divisible by another prime q. Discrete logarithms modulo p must be computationally infeasible (e.g. p ≈ 2^1024, q ≈ 2^160)
2. An element β is chosen, 1 ≤ β ≤ p-1, having multiplicative order q. E.g. for α a generator mod p, β = α^((p-1)/q) mod p
3. Each party obtains an authentic copy of the system parameters (p, q, β) and the public key of the trusted party T, allowing verification of T's signatures S_T(m)
4. A parameter t, 2^t < q, is chosen; it defines the security level 2^t
Schnorr per-user parameters
1. Each claimant A is given a unique identity I_A
2. A chooses a private key a, 0 ≤ a ≤ q-1, and computes v = β^(-a) mod p
3. A identifies itself by conventional means (e.g. passport) to T, transfers v to T with integrity, and obtains a certificate cert_A from T binding I_A with v

Schnorr protocol messages
Involves three messages:
1. A → B: cert_A, x = β^r mod p (where r is A's random commitment)
2. A ← B: e, 1 ≤ e ≤ 2^t
3. A → B: y = ae + r mod q
Schnorr protocol actions
1. A chooses a random r (commitment), 1 ≤ r ≤ q-1, computes the witness x = β^r mod p and sends it to B
2. B verifies cert_A and sends A a (never previously used) random challenge e, 1 ≤ e ≤ 2^t
3. A checks 1 ≤ e ≤ 2^t and sends B the response y = ae + r mod q
4. B computes z = β^y·v^e mod p and accepts A's identity provided z = x

Notes on Schnorr security
- Probability of forgery: t must be sufficiently large to make the probability 2^-t of correctly guessing the challenge e negligible. t = 40, q ≥ 2^(2t) = 2^80 was originally recommended. A larger q may be needed due to time-memory trade-offs; q ≥ 2^160 is recommended to preclude other off-line discrete log attacks. Guessing e allows an adversary to impersonate A.
- Soundness: any party completing the protocol as A must be capable of computing a (i.e. the protocol is a proof of knowledge)
- ZK-property: not ZK for large e, because through interaction B obtains a solution (x, y, e) to x = β^y·v^e mod p which B itself might not be able to compute
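The Schnorr actions above in Python, as an added example that is not part of the lecture. The system parameters p = 10091, q = 1009 (p-1 = 10q), β = 2^((p-1)/q) mod p and t = 9 are constructed toy values far below the recommended sizes; the final function is the knowledge extractor behind the soundness note, which assumes two accepting transcripts with the same witness x, and shows why the commitment r must be fresh in every run.

```python
import random

# Constructed toy system parameters (illustration only; the lecture recommends
# p ~ 2^1024 and q ~ 2^160): prime p with q | p-1 and beta of order q.
P, Q = 10091, 1009                # p - 1 = 10 * q
T = 9                             # security parameter t with 2^t < q
BETA = pow(2, (P - 1) // Q, P)    # beta = alpha^((p-1)/q) mod p, alpha = 2
assert BETA != 1 and pow(BETA, Q, P) == 1   # multiplicative order is q

def keygen():
    """Per-user: private a in [0, q-1], public v = beta^(-a) mod p."""
    a = random.randrange(0, Q)
    return a, pow(BETA, (Q - a) % Q, P)   # beta^(-a) == beta^(q-a)

def commit():
    """A: random r in [1, q-1] and witness x = beta^r mod p (precomputable)."""
    r = random.randrange(1, Q)
    return r, pow(BETA, r, P)

def challenge():
    """B: fresh, never-reused random e with 1 <= e <= 2^t."""
    return random.randint(1, 2 ** T)

def respond(a, r, e):
    """A: check the challenge range, then y = a*e + r mod q."""
    if not 1 <= e <= 2 ** T:
        raise ValueError("challenge out of range")
    return (a * e + r) % Q

def verify(x, e, y, v):
    """B: z = beta^y * v^e mod p; accept iff z == x."""
    return (pow(BETA, y, P) * pow(v, e, P)) % P == x

def identify(a, v):
    """One complete run of the 3-pass protocol."""
    r, x = commit()
    e = challenge()
    return verify(x, e, respond(a, r, e), v)

def extract_secret(e1, y1, e2, y2):
    """Knowledge extractor behind the soundness claim: two accepting
    transcripts sharing the same witness x but with different challenges
    give a = (y1 - y2) / (e1 - e2) mod q. Reusing r therefore leaks a,
    which is why each run needs a fresh commitment."""
    return ((y1 - y2) * pow(e1 - e2, -1, Q)) % Q
```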
Avoiding attacks on identification
Type of attack and its avoidance:
- Replay: use of challenge-response, use of nonces, embed target identity in response
- Interleaving: link together all messages from a protocol run (e.g. using chained nonces)
- Reflection: embed identifier of target party in responses to challenges, construct protocols with each message having a different format (avoid symmetries), use unidirectional keys
- Chosen-text: use of ZK, embed in each response to a challenge a self-chosen random number (confounder)
- Forced delay: combine use of random numbers with short response time-outs, timestamps

Thank you!
Jussipekka Leiwo, Ph.D.