A Zero-Knowledge Identification Scheme in Gap Diffie-Hellman Groups

Emeline Hufschmitt, David Lefranc and Hervé Sibert
France Telecom, 42 rue des Coutures, F-14066 Caen, France
{emeline.hufschmitt, david.lefranc, herve.sibert}@francetelecom.com

1 Introduction

The Weil [10] and Tate pairings are bilinear maps defined on elliptic curves. They became popular for the design of new schemes after Joux's tripartite key exchange [8]. When used with specific classes of curves (supersingular and MNT [11]), they can be computed very efficiently. The existence of pairings gives rise to a new class of problems on these curves, such as the Bilinear Diffie-Hellman problem, which was first used in [8]. Moreover, the decisional version of the Diffie-Hellman problem is easy when pairings exist, so the computational Diffie-Hellman problem reduces to the Gap Diffie-Hellman problem (G-DH), introduced by Okamoto and Pointcheval in [13]. The goal of this paper is to introduce a new identification scheme, which we prove to be a zero-knowledge proof of knowledge based on the G-DH problem. The scheme is derived from Schnorr's identification scheme [16]. In addition to being zero-knowledge, it is efficient compared with other pairing-based authentication schemes, and its on-line execution time can be reduced by off-line precomputation, as in the GPS authentication scheme of Girault [6] and Poupard and Stern [15], where this technique is particularly effective.

2 Preliminary notions

2.1 The G-DH problem

Okamoto and Pointcheval formalized the gap between an inverting problem and its decisional version in [13]. In particular, they applied it to the Diffie-Hellman problems [3]. Let $G$ be a group of prime order $q$ with generator $g$:
- The Inverting Diffie-Hellman Problem (C-DH) (a.k.a. the Computational Diffie-Hellman Problem): given a triple of $G$ elements $(g, g^a, g^b)$, find the element $C = g^{ab}$.
- The Decision Diffie-Hellman Problem (D-DH): given a quadruple of $G$ elements $(g, g^a, g^b, g^c)$, decide whether $c = ab \bmod q$ or not.
- The Gap Diffie-Hellman Problem (G-DH): given a triple $(g, g^a, g^b)$, find the element $C = g^{ab}$ with the help of a Decision Diffie-Hellman oracle (which answers whether a given quadruple is a Diffie-Hellman quadruple or not).

Finally, Proposition 2 of [13] states that, when the D-DH problem is strongly tractable (which is the case when a pairing is available), the inverting problem of $f$ is reducible to the R-gap problem of $f$. We will use this fact to show that our scheme is based on the G-DH problem.

2.2 Bilinear maps and pairings

The bilinear maps used in cryptography are the Weil and Tate pairings on some elliptic curves. Both satisfy the following definition, stated in [2]:

Definition 1. Let $G$ and $G_1$ be two groups of the same large prime order $q$, written multiplicatively. An admissible bilinear map is a map $e : G \times G \to G_1$ that is:
- bilinear: $e(g^a, h^b) = e(g, h)^{ab}$ for all $g, h \in G$ and all $a, b \in \mathbb{Z}$,
- non-degenerate: for $g$ and $h$ two generators of $G$, we have $e(g, h) \neq 1$,
- computable: there exists an efficient algorithm to compute $e(g, h)$ for any $g, h \in G$.

In the case of the Weil and Tate pairings, $G$ is a subgroup of the (additive) group of points of an elliptic curve $E/\mathbb{F}_p$, and $G_1$ is the order-$q$ subgroup of the multiplicative group of the extension field $\mathbb{F}_{p^2}$. However, in order to remain close to Schnorr's identification scheme, we keep the multiplicative notation for both $G$ and $G_1$.

3 Our pairing-based identification scheme

From now on, $G$ is a group in which the Gap Diffie-Hellman problem is intractable. We assume the existence of an admissible bilinear map $e : G \times G \to G_1$, where $G$ and $G_1$ are of prime order $q$, and we denote by $g$ a generator of $G$.

The prover holds the public parameters $g$, $g^a$, $g^b$, $e(g, g)$, $v = e(g, g)^{ab}$ and the private key $S = g^{ab}$. The public key is the pair $I = (g^a, g^b)$; the value $v$ is included in the public parameters so that the verifier does not have to compute it. Since $v = e(g^a, g^b)$, anyone can recompute it from $I$, and a verifier who does not compute $v$ itself should check this equality once, because the protocol below proves knowledge of the element $S$ satisfying $e(g, S) = v$. The scheme we propose is a zero-knowledge proof of knowledge of the value $g^{ab}$, obtained by iterating $\ell$ times the three-pass protocol described in Figure 1.

Prover                                          Verifier

choose r ∈ [[0, q[[
compute W = e(g, g)^r        ---- W ---->
                                                choose c ∈ [[0, 2^k[[
check c ∈ [[0, 2^k[[         <---- c ----
compute Y = g^r · S^c        ---- Y ---->       verify e(g, Y) = W · v^c

Fig. 1. One round of the identification scheme


4 Security of the scheme

To prove the security of the scheme under the G-DH problem, we follow the outline of zero-knowledge proofs of identity as formally introduced in [4]: we prove the completeness and the soundness of the scheme, and finally that the protocol is zero-knowledge. In the proofs, the prover and the verifier are modeled by probabilistic polynomial-time Turing machines (PPTM). Running times and probabilities are functions of $|I|$, the size of the public key.

4.1 The completeness property

If the legitimate prover and the verifier both follow the scheme, then it always succeeds. Indeed, at each iteration the probability of success is equal to 1, since
$$e(g, Y) = e\big(g, g^r (g^{ab})^c\big) = e(g, g)^{r + abc} = e(g, g)^r \times \big(e(g, g)^{ab}\big)^c = W \times v^c.$$

4.2 The soundness property

By the classical argument, a cheater (a prover who does not know $S$) has a non-zero probability of success. Indeed, for each round he can guess the value $c$ that will be sent to him, pick a random element $Y$ of $G$ and compute $W = e(g, Y)\, v^{-c}$; the verification then succeeds exactly when the verifier's challenge equals his guess. His overall probability of success over the $\ell$ rounds is thus at least $1/2^{\ell k}$.

If the probability of success of a cheater is substantially greater than $1/2^{\ell k}$, then the private key can be computed. Indeed, one can construct a polynomial-time algorithm which, by interacting with the cheater and rewinding him, obtains with non-negligible probability two accepting pairs $(c_1, Y_1)$ and $(c_2, Y_2)$ for the same commitment $W$, with $c_1 \neq c_2$, so that $e(g, Y_1)\, v^{c_2} = e(g, Y_2)\, v^{c_1}$, i.e. $e(g, Y_1 Y_2^{-1}) = v^{c_1 - c_2} = e(g, g^{ab})^{c_1 - c_2}$. Setting $\alpha = (c_1 - c_2)^{-1} \bmod q$ (which exists since $c_1 \neq c_2$ and $2^k < q$), the non-degeneracy of $e$ gives $(Y_1 Y_2^{-1})^{\alpha} = g^{ab}$, i.e. the private key. The algorithm used to obtain the two pairs is the classical one used in the proof of the Schnorr scheme; its running time is polynomial if $\ell$ is polynomial in $|I|$. Its probability of success is analyzed with the well-known splitting lemma (stated for example in [14]). This analysis allows one to choose $\ell = 1$, as is done in practice. Finally, the probability of success of a cheater must be negligible, which holds if $\log |I| = o(\ell k)$.

4.3 The zero-knowledge property

The identification scheme satisfies the zero-knowledge property. To simulate in polynomial time (in $|I|$) the communications between a real prover and a (not necessarily honest) verifier, we use the following algorithm $M$. For the simulation of one round, $M$ randomly picks $c$ in $[[0, 2^k[[$, randomly picks $Y$ in $G$ and computes $W = e(g, Y) \times v^{-c}$, so that $e(g, Y) = W \times v^c$ holds by construction. $M$ then sends $W$ to the verifier, which answers $\tilde{c}$. If $c = \tilde{c}$ then the triple $(W, c, Y)$ is kept; otherwise $M$ rewinds the verifier and computes a new triple. To simulate the $\ell$ rounds, $M$ constructs $\ell$ triples with this method. On average, the equality $c = \tilde{c}$ holds after $2^k$ trials, so $M$ constructs about $\ell \times 2^k$ candidate triples to obtain $\ell$ valid ones. If $\ell \times 2^k$ is polynomial in $|I|$ (i.e. $k = O(\log |I|)$, the same restriction as for the Schnorr scheme), then we obtain a polynomial-time simulator. The distribution of the simulated transcripts is exactly the distribution of the real communications: in both cases $W$ is uniformly distributed in $G_1$, $c$ is the verifier's answer to $W$, and $Y$ is the unique element of $G$ with $e(g, Y) = W \times v^c$.

5 Efficiency of the scheme

We compare our scheme with three other identification schemes based on bilinear maps. The first one, described in Figure 2, was proposed by Shao, Lu and Cao [17]; its security is based on the Strong Diffie-Hellman problem introduced by Boneh and Boyen [1]. The two remaining schemes were proposed by Kim and Kim [9] and by Yao, Wang and Wang [18].

Public parameters: g, e(g, g)      Private key: s ∈ [[0, q[[      Public key: v = g^s

Prover                                          Verifier

choose r ∈_R [[0, q[[
compute W = g^r              ---- W ---->
                                                choose β ∈_R [[0, q[[
compute Y = g^{1/(r + sβ)}   <---- β ----
                             ---- Y ---->       verify e(Y, v^β · W) = e(g, g)

Fig. 2. Three existing identification schemes using bilinear maps (Shao-Lu-Cao shown; the Kim-Kim and Yao-Wang-Wang panels are not reproduced)

To evaluate the efficiency of our new scheme, we first count the operations of each scheme, focusing on the number of group exponentiations and bilinear map (pairing) evaluations, which are by far the costliest operations. The results are summed up in Figure 3. Our scheme has about the same computation cost as the Shao-Lu-Cao scheme, being slightly more efficient on the verifier's side and about as efficient on the prover's side. Moreover, it is clearly more efficient than the Kim-Kim scheme and the Yao-Wang-Wang scheme.

We now analyze these schemes with respect to the possible use of coupons [12], i.e. of precomputations on the prover's side. In our scheme, with $W$ and $g^r$ precomputed, only one on-line group exponentiation by a $k$-bit number (the computation of $S^c$) is required on the prover's side. For the three other schemes, one on-line group exponentiation by a $\log q$-bit number is required, with $\log q$ significantly greater than $k$ (for instance, $\log q = 160$ and $k = 32$). Thus, both the prover's and the verifier's side become more efficient in our scheme than in the other schemes when precomputations are used.

                                                    Our scheme   Shao-Lu-Cao   Kim-Kim   Yao-Wang-Wang
Number of group exponentiations for the prover        2 + ε*          2           4            6
Number of evaluations of e(., .) for the prover         0             0           0            0
Number of group exponentiations for the verifier        ε             1           2            2
Number of evaluations of e(., .) for the verifier       1             1           2            1

* ε denotes an exponentiation by the exponent c, a k-bit number significantly less than q

Fig. 3. Comparison of efficiency

6 Applications

6.1 Using the identification scheme for anonymity

Consider Alice with keys $(a, g^a)$ and Bob with keys $(b, g^b)$. Each of them can compute $S = g^{ab}$ from his own private key and the other's public key (Alice computes $(g^b)^a$, Bob computes $(g^a)^b$), and the pair $(g^a, g^b)$ is essentially the public key of the prover in our scheme; the remaining public parameters (in particular $v = e(g^a, g^b)$) can be computed by anyone using the bilinear map $e$. Thus, the scheme provides a zero-knowledge identification of a prover $P$ belonging to the set $\{\text{Alice}, \text{Bob}\}$, without revealing which one. Moreover, only the prover can revoke the anonymity after the execution of the protocol, by giving the value $y = r + sc \bmod q$, where $s$ is $a$ if the prover is Alice and $b$ if he is Bob, and $c$ is the challenge sent by the verifier during the execution of the scheme. The verifier then checks $e(g, g)^y = W \times v'^{\,c}$, with $v' = e(g, g^s)$, as $g^s$ is public (it is either $g^a$ or $g^b$, depending on who the prover claims to be). Note that this opening also discloses the shared private key to the verifier: from $y$ he computes $g^r = g^y (g^s)^{-c}$, then $S^c = Y g^{-r}$ and, for $c \neq 0$, $S = (S^c)^{c^{-1} \bmod q}$, after which he could himself identify as a member of the set.

6.2 An identity-based identification scheme

An authority $A$ broadcasts its public key $g^s$ and keeps its private key $s$ secret. For an entity $P$ with identity $\mathrm{Id}_P$, the private key is $h(\mathrm{Id}_P)^s$, computed by the authority, where $h$ is a hash function mapping identities into $G$. We are now exactly in the framework of our identification scheme: let $a$ be such that $h(\mathrm{Id}_P) = g^a$. The element $a$ is unknown, because $h$ is a hash function; however, $g^a = h(\mathrm{Id}_P)$ and $g^s$ are public, so the public key of $P$ is $\big(g,\ g^a = h(\mathrm{Id}_P),\ g^s,\ e(g, g),\ v = e(g, g)^{as} = e(h(\mathrm{Id}_P), g^s)\big)$, and the private key $S = g^{as} = h(\mathrm{Id}_P)^s$ plays the role of $g^{ab}$. This public key can be computed by anyone knowing the authority's public key $g^s$ and the identity $\mathrm{Id}_P$. Finally, the Fiat-Shamir paradigm [5] can also be applied to our identity-based identification scheme. This gives a very efficient identity-based signature scheme, which was already proposed by Hess in [7].
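As an added worked example (not code from the paper), the following Python script runs one round of Figure 1, the key extractor of Section 4.2, the rewinding simulator of Section 4.3, the anonymity revocation of Section 6.1 and the identity-based key derivation of Section 6.2. The pairing group is a stand-in in which group elements are kept as their discrete logarithms modulo a toy prime $q$ and $e(g^x, g^y)$ is computed as $e(g, g)^{xy}$; it is bilinear and non-degenerate but offers no security, since the Diffie-Hellman problems are trivial in it. The names (ToyPairingGroup, keygen, honest_round, extract_key, simulate_round, revoke_anonymity, key_from_revocation, ibi_keys), the toy modulus Q = 2^127 - 1 and the SHA-256-based hash_to_group are all assumptions of this example.

```python
"""Toy run of the round of Fig. 1, the extractor (4.2), the simulator (4.3), the
anonymity revocation (6.1) and the identity-based keys (6.2).
Assumption of this example, not of the paper: ToyPairingGroup is NOT a secure
pairing group. Elements of G and G1 are stored as discrete logs modulo q
(g <-> 1, g^x <-> x, e(g,g)^t <-> t) and e(g^x, g^y) = e(g,g)^(xy) is x*y mod q.
This is bilinear, non-degenerate and computable, but Diffie-Hellman is trivial,
so only the protocol algebra is exercised; with a real pairing library only the
four group operations of ToyPairingGroup would change."""
import hashlib
import random

Q = 2**127 - 1  # toy prime order q (assumption); the paper's example has log q = 160
K = 32          # challenge length k, as in the paper's example

class ToyPairingGroup:
    def __init__(self, q):
        self.q, self.g, self.egg = q, 1, 1    # g <-> 1 in G, e(g, g) <-> 1 in G1
    def exp(self, base, x):                   # base^x (logs multiply)
        return base * x % self.q
    def mul(self, a, b):                      # a * b (logs add)
        return (a + b) % self.q
    def inv(self, a):                         # a^{-1}
        return -a % self.q
    def pair(self, a, b):                     # e(g^x, g^y) = e(g, g)^{xy}
        return a * b % self.q
    def hash_to_group(self, ident):           # h(Id) in G; toy choice: SHA-256 mod q
        return int.from_bytes(hashlib.sha256(ident.encode()).digest(), "big") % self.q

def make_rng(seed=None):
    return random.Random(seed)                # seedable for reproducible runs

def keygen(grp, a, b):
    """I = (g^a, g^b), published v = e(g,g)^{ab} = e(g^a, g^b), private key S = g^{ab}."""
    ga, gb = grp.exp(grp.g, a), grp.exp(grp.g, b)
    return {"ga": ga, "gb": gb, "v": grp.pair(ga, gb)}, grp.exp(gb, a)

def prover_commit(grp, rng):
    r = rng.randrange(grp.q)                  # r in [[0, q[[
    return r, grp.exp(grp.egg, r)             # W = e(g, g)^r

def prover_respond(grp, S, r, c, k=K):
    if not 0 <= c < 2**k:                     # the prover's range check on c
        raise ValueError("challenge out of range")
    return grp.mul(grp.exp(grp.g, r), grp.exp(S, c))   # Y = g^r S^c

def verify(grp, pk, W, c, Y):                 # e(g, Y) = W v^c
    return grp.pair(grp.g, Y) == grp.mul(W, grp.exp(pk["v"], c))

def honest_round(grp, pk, S, rng, k=K):
    r, W = prover_commit(grp, rng)
    c = rng.randrange(2**k)                   # honest verifier: c in [[0, 2^k[[
    return r, (W, c, prover_respond(grp, S, r, c, k))

def extract_key(grp, c1, Y1, c2, Y2):
    """Two accepting transcripts with the same W and c1 != c2 give e(g, Y1/Y2) = v^{c1-c2},
    hence S = (Y1 Y2^{-1})^alpha with alpha = (c1 - c2)^{-1} mod q."""
    alpha = pow((c1 - c2) % grp.q, -1, grp.q) # raises ValueError if c1 == c2
    return grp.exp(grp.mul(Y1, grp.inv(Y2)), alpha)

def simulate_round(grp, pk, verifier, rng, k=K):
    """Simulator M (one attempt is also the cheating prover's strategy): guess c, pick Y,
    set W = e(g,Y) v^{-c}, rewind the verifier (a function W -> c) until it answers c.
    Expected 2^k attempts, hence k must be O(log |I|) for polynomial time."""
    attempts = 0
    while True:
        attempts += 1
        c, Y = rng.randrange(2**k), rng.randrange(grp.q)
        W = grp.mul(grp.pair(grp.g, Y), grp.inv(grp.exp(pk["v"], c)))
        if verifier(W) == c:
            return (W, c, Y), attempts

def revoke_anonymity(grp, s_pub, y, W, c):
    """Sec. 6.1: the prover discloses y = r + s c and the verifier checks
    e(g,g)^y = W e(g, g^s)^c, with g^s the claimed member's key g^a or g^b."""
    return grp.exp(grp.egg, y) == grp.mul(W, grp.exp(grp.pair(grp.g, s_pub), c))

def key_from_revocation(grp, s_pub, y, c, Y):
    """Side effect of revocation: the verifier computes g^r = g^y (g^s)^{-c}, then
    S^c = Y g^{-r} and S = (S^c)^{c^{-1} mod q}: the shared private key is disclosed."""
    gr = grp.mul(grp.exp(grp.g, y), grp.inv(grp.exp(s_pub, c)))
    return grp.exp(grp.mul(Y, grp.inv(gr)), pow(c, -1, grp.q))

def ibi_keys(grp, master_s, ident):
    """Sec. 6.2: the authority publishes g^s; P's private key is h(Id)^s and its
    public key (h(Id), g^s, v = e(h(Id), g^s)) follows from Id and g^s alone."""
    h, gs = grp.hash_to_group(ident), grp.exp(grp.g, master_s)
    return {"ga": h, "gb": gs, "v": grp.pair(h, gs)}, grp.exp(h, master_s)

if __name__ == "__main__":
    grp, rng = ToyPairingGroup(Q), make_rng(2024)
    a, b = rng.randrange(1, Q), rng.randrange(1, Q)
    pk, S = keygen(grp, a, b)                # Alice (a) and Bob (b) share S = g^{ab}
    r, (W, c, Y) = honest_round(grp, pk, S, rng)
    y = (r + a * c) % Q                      # Alice opens the round
    print("accepted:", verify(grp, pk, W, c, Y), "opened:", revoke_anonymity(grp, pk["ga"], y, W, c),
          "S disclosed:", key_from_revocation(grp, pk["ga"], y, c, Y) == S)
```

The group is passed explicitly so that a real pairing library can replace ToyPairingGroup without touching the protocol functions (with an asymmetric pairing one would keep two generators and verify $e(Y, g_2) = W v^c$, a variation not discussed in the paper). key_from_revocation exists only to make the Section 6.1 caveat concrete: whoever receives $y$ together with the transcript also obtains $S$.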

7 Conclusion

In this paper, we present a new identification scheme based on the Gap Diffie-Hellman problem and prove that it is a zero-knowledge proof of knowledge. It appears that our scheme is among the most efficient schemes based on bilinear maps. Moreover, we show that a trapdoor in the private key generation gives rise to several applications, including very efficient identity-based identification. We believe that pairing-based cryptography can still bring efficiency to many well-known applications, and we intend our future work to be driven by this idea.

8 Acknowledgements

The authors wish to thank Marc Girault and Fabien Laguillaumie for valuable and helpful discussions and comments.


References

1. D. Boneh and X. Boyen. Short Signatures without Random Oracles. In C. Cachin and J. Camenisch, editors, Advances in Cryptology - Eurocrypt '04, volume 3027 of Lecture Notes in Computer Science. Springer-Verlag, 2004.
2. D. Boneh and M. Franklin. Identity-based Encryption from the Weil Pairing. In J. Kilian, editor, Advances in Cryptology - Crypto '01, volume 2139 of Lecture Notes in Computer Science, pages 213–229. Springer-Verlag, 2001.
3. W. Diffie and M. E. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, 22(6):644–654, November 1976.
4. U. Feige, A. Fiat, and A. Shamir. Zero Knowledge Proofs of Identity. Journal of Cryptology, 1(2):77–94, 1988.
5. A. Fiat and A. Shamir. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In A. M. Odlyzko, editor, Advances in Cryptology - Crypto '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987.
6. M. Girault. An Identity-based Identification Scheme Based on Discrete Logarithms Modulo a Composite Number. In I. Damgård, editor, Advances in Cryptology - Eurocrypt '90, volume 473 of Lecture Notes in Computer Science, pages 481–486. Springer-Verlag, 1991.
7. F. Hess. Efficient Identity Based Signature Schemes Based on Pairings. In K. Nyberg and H. M. Heys, editors, Selected Areas in Cryptography, volume 2595 of Lecture Notes in Computer Science, pages 310–324. Springer-Verlag, 2003.
8. A. Joux. A One-Round Protocol for Tripartite Diffie-Hellman. In Algorithmic Number Theory Symposium - ANTS-IV, volume 1838 of Lecture Notes in Computer Science, pages 385–394. Springer-Verlag, 2000.
9. M. Kim and K. Kim. A New Identification Scheme Based on the Bilinear Diffie-Hellman Problem. In The 7th Australian Conference on Information Security and Privacy, ACISP '02, pages 362–378. Springer-Verlag, 2002.
10. A. Menezes, T. Okamoto, and S. Vanstone. Reducing Elliptic Curve Logarithms to Logarithms in Finite Fields. In The 22nd Annual ACM Symposium on the Theory of Computing, pages 80–89, 1991.
11. A. Miyaji, M. Nakabayashi, and S. Takano. New Explicit Conditions of Elliptic Curve Traces for FR-reduction. IEICE Trans. Fundamentals, E84-A(5), 2001.
12. D. M'Raihi and D. Naccache. Couponing Scheme Reduces Computational Power Requirements for DSS Signatures. In CardTech, pages 99–104, 1994.
13. T. Okamoto and D. Pointcheval. The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes. In K. Kim, editor, Public Key Cryptography, volume 1992 of Lecture Notes in Computer Science, pages 104–118. Springer-Verlag, 2001.
14. D. Pointcheval and J. Stern. Security Proofs for Signature Schemes. In U. M. Maurer, editor, Advances in Cryptology - Eurocrypt '96, volume 1070 of Lecture Notes in Computer Science, pages 387–398. Springer-Verlag, 1996.
15. G. Poupard and J. Stern. Security Analysis of a Practical "on the fly" Authentication and Signature Generation. In K. Nyberg, editor, Advances in Cryptology - Eurocrypt '98, volume 1403 of Lecture Notes in Computer Science, pages 422–436. Springer-Verlag, 1998.
16. C. P. Schnorr. Efficient Identification and Signatures for Smart Cards. In G. Brassard, editor, Advances in Cryptology - Crypto '89, volume 435 of Lecture Notes in Computer Science, pages 239–252. Springer-Verlag, 1990.
17. J. Shao, R. Lu, and Z. Cao. A New Efficient Identification Scheme Based on the Strong Diffie-Hellman Assumption. In International Symposium on Future Software Technology, 2004.
18. G. Yao, G. Wang, and Y. Wang. An Improved Identification Scheme. In Progress in Computer Science and Applied Logic. Birkhäuser-Verlag, November 2003.