Identification & ZKIP.


Contents
  - Introduction
  - Passwords
  - Challenge-Response
  - ZKIP

Why do we need identification?
1. Bank machine withdrawals: 4- to 6-digit PIN (Personal Identification Number) at an ATM (Automatic Teller Machine)
2. In-store credit card purchases
3. Prepaid calling card: requesting a service with a telephone card or membership card
4. Remote login: remote access to a host in a client/server environment
5. Access to restricted areas, etc.

Identification by personal information
(Columns: Method; Examples; Reliability; Security; Cost. L = low, M = medium, H = high.)
  - What you remember (know). Examples: password, telephone #, reg. #. Reliability: M/L. Security: M (theft), L (impersonation). Cost: Cheap.
  - What you have. Examples: registered seal, magnetic card, IC card. Reliability: M. Security: L (theft), M (impersonation). Cost: Reasonable.
  - What you are. Examples: biometric (fingerprint, eye, DNA, face, voice, etc.). Reliability: H. Security: H (theft), H (impersonation). Cost: Reasonable Expensive.

Biometric Information Extracted from A. Jail’s presentation in SCIS2006, Japan

Way of Identification
  - Password-based scheme (weak authentication)
      - crypt passwd under UNIX
      - one-time password
  - Challenge-Response scheme (strong authentication)
      - Symmetric cryptosystem
      - MAC (keyed-hash) function
      - Asymmetric cryptosystem
  - Cryptographic Protocols
      - Fiat-Shamir identification protocol
      - Schnorr identification protocol, etc.

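Identification by Password
[Diagram: Prover A and Verifier with a passwd table]
  - Prover A sends (passwd, A) to the Verifier.
  - The Verifier looks up A's entry h(passwd) in the passwd table and applies h to the received passwd.
  - If the two values are equal (y), accept; if not (n), reject.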

Attack against Fixed PWDs
  - Replay of fixed pwds
      - Observe the pwd as it is typed in
      - Eavesdrop on the data in cleartext
      - Not suitable over open communication networks
  - Exhaustive pwd search
      - Let E(c) be the entropy (in bits) of 8-char pwds drawn from c choices per character
      - E(26)=37.6, E(36)=41.4, E(62)=47.6, E(95)=52.6
  - Pwd guessing and dictionary attacks
      - A large dictionary contains 250,000 words
      - Dictionary attack: ordered lists are compared to entries in the encrypted dictionary
      - Combine numerical and alphabetical characters.

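crypt passwd in UNIX
[Figure: UNIX crypt password mapping]
  - user passwd: truncate to 8 ASCII chars; 0-pad if necessary; used as the 56-bit key of DES*
  - user salt: 12 bits, fed into DES*
  - I1 = 0…0 (64 bits); next input Ii, 2 ≤ i ≤ 25, is the previous output
  - output Oi; after 25 iterations, O25 (64 bits) and the salt (12 bits) are repacked: 76 bits into 11 7-bit characters
  - the result is the encrypted passwd, stored in /etc/passwd
salt: 12-bit random value taken from the system clock when the passwd is selected.
DES*: DES with expansion E modified by the 12-bit salt, giving 2^12 = 4096 DES variations.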

Challenge-Response Protocol
Assumptions
  - Secret key: known only to P and V.
  - Random challenge: P and V have perfect random number generators for their challenges, so the probability that the same challenge occurs by chance in 2 different sessions is very small.
  - MAC security: the MAC is secure, i.e., no (ε, Q)-forger exists. The probability that an attacker can correctly compute a MAC is at most ε, given Q other MACs (e.g. Q=10,000 or 100,000).

Challenge-Response Scheme (I)
Using Symmetric Cryptosystem (P and V share the key K)
1. V → P: random challenge x
2. P → V: y = e_K(x)
3. V computes y' = e_K(x) and checks y = y' ?
Vulnerable to parallel session attack (man-in-the-middle). Need to change x to be ID(V)||r.
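
The fix named on this slide (x = ID(V)||r), as an added example that is not part of the original slides. It assumes HMAC-SHA256 as the keyed function in place of e_K, a "|" delimiter that never occurs in party names, and hypothetical names (Party, honest_run, reflected_run). It compares a run where a party's own challenge is handed back to it in a second session, with and without the identity binding.

```python
import hashlib
import hmac
import secrets

class Party:
    """One endpoint that can act as verifier V and as prover P under shared key K."""

    def __init__(self, name: bytes, key: bytes, bind_identity: bool):
        self.name, self.key, self.bind = name, key, bind_identity
        self.pending = None  # challenge this party issued as verifier

    def issue_challenge(self) -> bytes:
        r = secrets.token_bytes(16)
        # Hardened form from the slide: x = ID(V) || r
        self.pending = self.name + b"|" + r if self.bind else r
        return self.pending

    def respond(self, x: bytes, peer: bytes):
        """Prover side: y = MAC_K(x). With binding, x must name the peer as verifier."""
        if self.bind and not x.startswith(peer + b"|"):
            return None  # challenge was not issued by the party we are talking to
        return hmac.new(self.key, x, hashlib.sha256).digest()

    def verify(self, y) -> bool:
        x, self.pending = self.pending, None  # each challenge is single use
        if x is None or y is None:
            return False
        expected = hmac.new(self.key, x, hashlib.sha256).digest()
        return hmac.compare_digest(y, expected)

def honest_run(bind: bool) -> bool:
    """Normal exchange: bob is V, alice is P."""
    key = secrets.token_bytes(32)
    alice, bob = Party(b"alice", key, bind), Party(b"bob", key, bind)
    x = bob.issue_challenge()
    return bob.verify(alice.respond(x, peer=b"bob"))

def reflected_run(bind: bool) -> bool:
    """Bob's own challenge comes back to him in a second session opened as 'alice'."""
    key = secrets.token_bytes(32)
    bob = Party(b"bob", key, bind)
    x = bob.issue_challenge()            # session 1: bob is verifier
    y = bob.respond(x, peer=b"alice")    # session 2: bob is asked to act as prover
    return bob.verify(y)                 # session 1 accepts only without binding
```

Without the binding, session 1 accepts a response that bob computed himself; with it, bob refuses to answer a challenge that carries his own identity as verifier.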

Challenge-Response Scheme (II)
Using Asymmetric Cryptosystem (V knows P's public key)
P can prove to have secret information in either way:
(1) P decrypts a challenge encrypted under P's public key.
(2) P digitally signs a challenge.
1. V → P: random challenge x
2. P → V: y = e[sK, x]
3. V computes y' = d[pk, x] and checks y = y' ?

Zero-Knowledge Interactive Proof
GMR (Goldwasser, Micali, Rackoff)
  - "The knowledge complexity of interactive-proof systems", Proc. of 17th ACM Sym. on Theory of Computation, pp.291-304, 1985
  - "The knowledge complexity of interactive-proof systems", SIAM J. on Computation, Vol. 18, pp.186-208, 1989 (revised version)
ZKIP (Zero Knowledge Interactive Proof): between P and V
  - Completeness: only the true P can prove to V.
  - Soundness: a false P' can't prove to V.
  - 0-Knowledge: no knowledge is transferred to V.

Concept of ZKIP (by Quisquater and Guillou)
P knows the secret, but doesn't want to reveal his secret.
1. V stands at point A.
2. P walks all the way into the cave, either C or D.
3. After P has disappeared into the cave, V walks to point B.
4. V shouts to P, asking him either to: (a) come out of the left passage or (b) come out of the right passage.
5. P complies, using the magic words to open the secret door if he has to.
6. P and V repeat steps (1)-(5) t times.
P knows the magic words (secret) to open the door between C and D.
Fig. 0-knowledge cave (points A, B, C, D)

Classification of ZKIPs
[Figure: classification of ZKIPs. Labels recovered from the diagram:]
  - ZKIP: Interactive, Non-interactive
  - Property: Perfect, Computational, Statistical ZK
  - Object: Membership, Knowledge
  - Computational power:
      - GMR Model* (P: infinite, V: poly)
      - BCC Model: Model 1 (P: poly, V: infinite) (minimum disclosure); Model 2 (P: poly, V: poly)
  - Other labels: 1P/1V, MP, MV, WH Model, 0-K, Minimum Know., Oracle
* AM-game: GMR model and V has random coin.

F-S Identification (I)
(Preparation)
(TA) Unlike in RSA, a trusted center can generate a universal n, used by everyone as long as no one knows the factorization.
(P)
(1) private key: choose a random value S s.t. gcd(S,n)=1 (1 < S < n)
(2) public key: P computes I = S^2 mod n and publishes (I,n) as the public key
Goal
P has to convince V that he knows his private key S corresponding to the public key (I,n) (i.e., to prove that he knows a modular square root of I mod n), without revealing S.

F-S Identification (III)
public: I, n (n = pq, I = S^2 mod n)
1. P: generate unique random r, x = r^2 mod n. P → V: x
2. V → P: e_i ∈ {0,1}
3. P → V: y. If e_i = 0, send y = r; if e_i = 1, send y = rS
4. V: if e_i = 0, check y^2 = x mod n? If e_i = 1, check y^2 = xI mod n?
Repeat t times.
* commitment-witness-challenge-response-verification and repeat

F-S Identification (II)
1. P chooses a random value r (1 < r < n), computes x = r^2 mod n, then sends x to V.
2. V requests from P one of the following at random: (a) r or (b) rS mod n.
3. P sends the requested information to V.
4. V verifies that he received the right answer by checking whether (a) r^2 = x mod n or (b) (rS)^2 = xI mod n.
5. If verification fails, V concludes that P does not know S, and thus he is not the claimed party.
6. This protocol is repeated t (usually 20 or 30) times, and if verification succeeds in all of them, V concludes that P is the claimed party.

Security of F-S scheme
(1) Assuming that computing S is difficult, breaking the scheme is equivalent to factoring n.
(2) Since P doesn't know (when he chooses r or rS mod n) which question V will ask, he can't choose the required answer in advance.
(3) P can succeed in guessing V's question with prob. 1/2 for each question. If the protocol is repeated t times, the prob. that V fails to catch P every time is only 2^(-t), which decreases exponentially with t (t = 20 or 30).
(4) The protocol convinces V that P knows the square root of I, without revealing any information on S. However, V gets one bit of information: he learns that I is a quadratic residue.
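
The F-S rounds and the 1/2-per-round bound from point (3), as an added example that is not part of the original slides. N_TOY and S_TOY are constructed toy values and all function names are hypothetical; a real n is the product of two large secret primes. The second prover does not know S and can only prepare x for one guessed request.

```python
import math
import secrets

def public_key(S: int, n: int) -> int:
    """I = S^2 mod n, for a private S with 1 < S < n and gcd(S, n) = 1."""
    if not (1 < S < n) or math.gcd(S, n) != 1:
        raise ValueError("S must satisfy 1 < S < n and gcd(S, n) = 1")
    return pow(S, 2, n)

def verify_round(x: int, e: int, y: int, I: int, n: int) -> bool:
    """Step 4: y^2 = x mod n if e = 0, y^2 = x*I mod n if e = 1."""
    return pow(y, 2, n) == (x * pow(I, e, n)) % n

def honest_session(S: int, I: int, n: int, t: int) -> bool:
    """Prover knows S: every one of the t rounds verifies."""
    for _ in range(t):
        r = secrets.randbelow(n - 2) + 2        # 1 < r < n
        x = pow(r, 2, n)                        # step 1: commitment
        e = secrets.randbelow(2)                # step 2: V's random request
        y = (r * pow(S, e, n)) % n              # step 3: r or rS mod n
        if not verify_round(x, e, y, I, n):
            return False
    return True

def guessing_session(I: int, n: int, t: int) -> bool:
    """Prover without S: fixes x for a guessed request, so a round passes
    only when V's request equals the guess (probability 1/2)."""
    for _ in range(t):
        r = secrets.randbelow(n - 2) + 2
        guess = secrets.randbelow(2)
        x = (pow(r, 2, n) * pow(I, -guess, n)) % n   # r^2 or r^2 / I
        e = secrets.randbelow(2)
        if not verify_round(x, e, r, I, n):          # only y = r is available
            return False
    return True

def pass_rate(I: int, n: int, t: int, trials: int) -> float:
    """Fraction of t-round sessions a guessing prover survives (about 2^-t)."""
    return sum(guessing_session(I, n, t) for _ in range(trials)) / trials

N_TOY = 101 * 103   # constructed toy modulus, far too small for real use
S_TOY = 1234        # constructed private key
```

pass_rate(I, N_TOY, 1, 4000) comes out near 0.5 and falls by about half for each added round, which is the 2^(-t) bound on the slide.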

Other Identification schemes
  - Schnorr Identification scheme (p.371)
  - Okamoto Identification scheme (p.378)
  - Guillou-Quisquater Identification scheme (p.383)
  - ID-based identification
  - Others

Schnorr Identification (I)
Based on DLP under a Trusted Authority (TA)
TA decides the public parameters:
  - p: large prime (1024 bit)
  - q: large prime divisor of p-1 (160 bit)
  - α ∈ Zp* has order q
  - t: security parameter s.t. q > 2^t
Public parameters: p, q, α, t
Prover chooses:
  - private key: a (1 ≤ a ≤ q-1)
  - public key: v = α^(-a) mod p
Honest Verifier (choose r at random by the scheme) ZKIP

Schnorr Identification (II)
Public par.: p, q, α, t; private key: a; public key: v
1. P: select random k. P → V: commitment α^k mod p, cert(P)
2. V: verify P's public key, generate random challenge r. V → P: r
3. P: y = k + ar mod q. P → V: y
4. V: verify y

Schnorr Identification (III)
(TA) p = 88667, q = 1031, t = 10; α = 70322 has order q in Zp*
(P) private key a = 755; public key v = α^(-a) mod p = 70322^(1031-755) mod 88667 = 13136
P: random k = 543; α^k mod p = 70322^543 mod 88667 = 84109 (commit)
V: random challenge r = 1000
P: y = k + ar mod q = 543 + 755 x 1000 mod 1031 = 851
V: on receiving y, verify that 84109 = 70322^851 · 13136^1000 mod 88667. If equal, accept.
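
The worked Schnorr example above, recomputed step by step as an added example that is not part of the original slides. Function names are hypothetical; the parameters are the slide's toy values, and the challenge range 1..2^t used in random_session is an assumption (the slide only states q > 2^t).

```python
import secrets

# Public parameters from the slide's worked example (toy sizes, not secure).
P, Q, ALPHA, T = 88667, 1031, 70322, 10

def check_params(p: int, q: int, alpha: int, t: int) -> bool:
    """q divides p-1, alpha has order q in Zp* (q prime), and q > 2^t."""
    return ((p - 1) % q == 0 and alpha % p != 1
            and pow(alpha, q, p) == 1 and q > 2 ** t)

def public_key(a: int) -> int:
    """v = alpha^(-a) mod p, computed as alpha^(q-a) because alpha has order q."""
    return pow(ALPHA, Q - a, P)

def commit(k: int) -> int:
    """Prover's commitment alpha^k mod p."""
    return pow(ALPHA, k, P)

def respond(k: int, a: int, r: int) -> int:
    """Prover's response y = k + a*r mod q."""
    return (k + a * r) % Q

def verify(commitment: int, r: int, y: int, v: int) -> bool:
    """Verifier accepts iff commitment = alpha^y * v^r mod p."""
    return commitment == (pow(ALPHA, y, P) * pow(v, r, P)) % P

def random_session(a: int) -> bool:
    """One honest run with fresh k and r; accepts for any valid private key a."""
    v = public_key(a)
    k = secrets.randbelow(Q)               # 0 <= k <= q-1
    r = secrets.randbelow(2 ** T) + 1      # assumed challenge range 1..2^t
    return verify(commit(k), r, respond(k, a, r), v)

def slide_example():
    """Reproduce the slide's numbers: a = 755, k = 543, r = 1000."""
    a, k, r = 755, 543, 1000
    v, c = public_key(a), commit(k)
    y = respond(k, a, r)
    return v, c, y, verify(c, r, y, v)
```

A response computed with any other private key, or a y altered in transit, fails the same check because α^y · v^r no longer equals the commitment.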