IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
Online ISSN : 1745-1337
Print ISSN : 0916-8508
Special Section on Cryptography and Information Security
A New ‘On the Fly’ Identification Scheme: An Asymptoticity Trade-Off between ZK and Correctness
Bagus SANTOSOKazuo OHTA
Author information
Keywords: identification scheme, zero-knowledge, impersonation under serial active attack
JOURNAL RESTRICTED ACCESS

2009 Volume E92.A Issue 1 Pages 122-136

Details
Download PDF (335K)
Download citation RIS

(compatible with EndNote, Reference Manager, ProCite, RefWorks)

BIB TEX

(compatible with BibDesk, LaTeX)

Text
How to download citation
Contact us
Abstract
GPS is an efficient identification (ID) scheme based on Schnorr ID scheme designed for applications where low cost devices with limited resources are used and a very-short authentication time is required. Let P and V be a prover and a verifier in GPS and <g> be a multiplicative group. P holds a secret key s ∈ [0, S) and publishes I = g-s. In each elementary round: (1) P sends to V x = gr where r is chosen randomly from [0, A), (2) V sends to P a random c ∈ [0, B), and (3) P sends y = r + cs (no modulus computation). Since there is no modular reduction on y, a key issue is whether GPS leaks information about s. It has been proved that GPS is statistical zero-knowledge, if in asymptotic sense, $\\ell$BS/A is negligible, where $\\ell$ is the number of elementary rounds in one complete identification trial. In this paper, first we will show the followings. (1) We can construct a concrete attack procedure which reveals one bit of secret key s from the specified value range of y unless BS/A is negligible. We reconfirm that we must set A extremely large compared to BS. (2) This drawback can be avoided by modifying GPS into a new scheme, GPS+., in which P does not send the value of y in the specified range where y reveals some information about s. GPS+ ensures perfect ZK only by requiring both A > BS and A being a multiple of the order of g, while it allows an honest P to be rejected with probability at most BS/(2A) in one elementary round. Under the standard recommended parameters for 80-bit security where $\\ell$ = 1, |S| = 160, and |B| = 35, |A| = 275 is recommended for GPS in GPS' paper. On the other hand, GPS+ can guarantee 80-bit security and less than one false rejection on average in 100 identifications with only |A| = 210 with the same parameters as above. In practice, this implies 275-210 = 65 bits (≈ 24%) reductions on storage requirement. We have confirmed that the reduce of A also reduces approximately 4% of running time for online response using a certain implementation technique for GPS+ by machine experiment.
Content from these authors
© 2009 The Institute of Electronics, Information and Communication Engineers
Previous article Next article
Favorites & Alerts

Recently viewed articles
Announcements from publisher
Share this page
feedback
 Top