Chapter 4. Public Key Cryptography - PowerPoint PPT Presentation

About This Presentation
Title:

Chapter 4. Public Key Cryptography

Description:

Identification & ZKIP

Slides: 26
Provided by: ackr

1
Identification & ZKIP
2
Contents
  • Introduction
  • Passwords
  • Challenge-Response
  • ZKIP

3
Why do we need identification?
  • 1. Bank machine withdrawals: 4 to 6 digit
    PIN (Personal Identification Number) at an
    ATM (Automatic Teller Machine)
  • 2. In-store credit card purchases
  • 3. Prepaid calling card: asking for a service by
    telephone card or membership card
  • 4. Remote login: remote access to a host in a
    client/server environment
  • 5. Access to restricted areas, etc.

4
Identification by personal info.
Method | Examples | Reliability | Security | Cost
What you remember (know) | Password, Telephone Reg. | M/L | M (theft), L (impersonation) | Cheap
What you have | Registered seal, magnetic card, IC card | M | L (theft), M (impersonation) | Reasonable
What you are | Biometric (fingerprint, eye, DNA, face, voice, etc.) | H | H (theft), H (impersonation) | Reasonable / Expensive
5
Biometric Information
Extracted from A. Jain's presentation at
SCIS2006, Japan
6
Way of Identification
  • Password-based scheme (weak authentication)
    • crypt passwd under UNIX
    • one-time password
  • Challenge-Response scheme (strong
    authentication)
    • Symmetric cryptosystem
    • MAC (keyed-hash) function
    • Asymmetric cryptosystem
  • Cryptographic protocols
    • Fiat-Shamir identification protocol
    • Schnorr identification protocol, etc.

7
Identification by Password
8
Attack against Fixed PWDs
  • Replay of fixed pwds
    • Observe the pwd as it is typed in
    • Eavesdrop on the data in cleartext
    • Not suitable over open communication networks
  • Exhaustive pwd search
    • Let E(c) be the entropy of 8-char pwds from
      c choices
    • E(26) = 37.6, E(36) = 41.4, E(62) = 47.6, E(95) = 52.6
  • Pwd guessing and dictionary attacks
    • A large dictionary contains 250,000 words
    • Dictionary attack: ordered word lists are compared to
      entries in the encrypted dictionary
    • Combine numerical and alphabetical characters.

9
crypt passwd in UNIX
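[Figure: UNIX crypt password mapping]
  • Key: user passwd, truncated to 8 ASCII chars (0-padded if
    necessary), 56 bits
  • user salt: 12 bits
  • Input: I1 = 0...0 (64 bits); next input Ii, 2 ≤ i ≤ 25
  • DES*: output Oi; O25 is 64 bits
  • Repack 76 bits (O25 plus the 12-bit salt) into 11 7-bit
    characters: the encrypted passwd, stored in /etc/passwd
  • salt: 12-bit random value from the system clock when the
    passwd is selected
  • DES*: DES with expansion E modified by the 12-bit salt,
    2^12 = 4096 DES variations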
10
Challenge-Response Protocol
  • Assumptions
    • Secret key: known only to P and V
    • Random challenge: P and V have perfect random
      number generators for their challenges. There is a very
      small probability that the same challenge occurs by
      chance in 2 different sessions
    • MAC security: the MAC is secure, i.e. no (ε,
      Q)-forger exists. The probability that an attacker can
      correctly compute a MAC is at most ε, given Q
      other MACs (e.g. Q = 10,000 or 100,000)

11
Challenge-Response Scheme(I)
  • Using Symmetric Cryptosystem

K: secret key shared by V and P
V: random challenge x
V → P: x
P: $y = e_K(x)$
P → V: y
V: $y' = e_K(x)$, $y' = y$ ?
  • Vulnerable to parallel session attack
    (man-in-the-middle).
  • Need to change x to be $ID(V) \,\|\, r$
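
The effect of binding the identity into the response, as an added example that is not part of the original slides. It assumes HMAC-SHA256 as the keyed function in place of e_K, and the party names "P" and "V", the key and the helper names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

KEY = secrets.token_bytes(32)  # constructed shared secret K, known only to P and V


def mac(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


def respond_plain(key: bytes, x: bytes) -> bytes:
    """Scheme (I) as drawn: the response depends on the challenge x only."""
    return mac(key, x)


def respond_bound(key: bytes, challenger_id: bytes, r: bytes) -> bytes:
    """Fixed scheme: the response covers ID(challenger) || r."""
    return mac(key, challenger_id, r)


def honest_run() -> bool:
    """V challenges P; P answers with V's identity bound in; V recomputes and compares."""
    r = secrets.token_bytes(16)
    y = respond_bound(KEY, b"V", r)                             # computed by P
    return hmac.compare_digest(y, respond_bound(KEY, b"V", r))  # checked by V


def reflected_response_accepted(bound: bool) -> bool:
    """Session 1: V issues challenge x. Session 2 (parallel): the same x comes back
    to V as a challenge that claims to be from P, and V answers it as a prover.
    Returns True if that answer would satisfy V's own check in session 1."""
    x = secrets.token_bytes(16)
    if bound:
        answer_from_v = respond_bound(KEY, b"P", x)  # V believes P is challenging
        expected_by_v = respond_bound(KEY, b"V", x)  # V expects its own ID bound in
    else:
        answer_from_v = respond_plain(KEY, x)
        expected_by_v = respond_plain(KEY, x)
    return hmac.compare_digest(answer_from_v, expected_by_v)
```

With the plain response, a value computed in one session verifies in the other; with the identity bound in, the two sessions compute MACs over different inputs and the reflected value is rejected.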

12
Challenge-Response Scheme(II)
  • Using Asymmetric Cryptosystem
  • P can prove to have secret information in
    either way
    • (1) P decrypts a challenge encrypted under P's
      public key.
    • (2) P digitally signs a challenge.

PK: P's public key
V: random challenge x
V → P: x
P: $y = e_{SK}(x)$
P → V: y
V: checks $d_{PK}(y) = x$ ?
13
Zero-Knowledge Interactive Proof(I)
  • GMR (Goldwasser, Micali, Rackoff)
    • "The knowledge complexity of interactive-proof
      systems", Proc. of 17th ACM Symp. on Theory of
      Computing, pp. 291-304, 1985
    • "The knowledge complexity of interactive-proof
      systems", SIAM J. on Computing, Vol. 18,
      pp. 186-208, 1989 (revised version)
  • ZKIP (Zero-Knowledge Interactive Proof) between
    P and V
    • Completeness: the true P can convince V.
    • Soundness: a false P can't convince V.
    • Zero-knowledge: no knowledge is transferred to V.

14
Zero Knowledge Interactive Proof(II)
15
Concept of ZKIP
16
Classification of ZKIPs
17
Classification of ZKIPs
18
F-S Identification (I)
  • (Preparation)
    • (TA) Unlike in RSA, a trusted center can
      generate a universal n, used by everyone as long
      as no one knows the factorization.
    • (P)
      • (i) private key: choose a random value S
        s.t. $\gcd(S, n) = 1$ ($1 < S < n$)
      • (ii) public key: P computes $I = S^2 \bmod n$ and
        publishes (I, n) as public
  • Goal
    • P has to convince V that he knows his private
      key S and its corresponding public key (I, n)
      (i.e., to prove that he knows a modular square
      root of I mod n), without revealing S.

19
F-S Identification (II)
  • 1. P chooses a random value r ($1 < r < n$), computes
    $x = r^2 \bmod n$, then sends x to V.
  • 2. V requests from P one of the following
    at random:
    • (a) r or (b) rS mod n
  • 3. P sends the requested information to V.
  • 4. V verifies that he received the right answer
    by checking whether
    • (a) $r^2 \equiv x \pmod n$ or (b) $(rS)^2 \equiv xI \pmod n$
  • 5. If verification fails, V concludes that P does
    not know S, and thus he is not the claimed party.
  • 6. This protocol is repeated t (usually 20 or 30)
    times, and if in all of them the verification
    succeeds, V concludes that P is the claimed
    party.

20
F-S Identification (III)
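public: I, n ($n = pq$, $I = S^2 \bmod n$)
P → V: x
2. V → P: $e_i \in \{0, 1\}$
3. P → V: y. If $e_i = 0$, send $y = r$; if $e_i = 1$, send $y = rS$
4. V: if $e_i = 0$, check $y^2 \equiv x \pmod n$ ?; if $e_i = 1$, check
$y^2 \equiv xI \pmod n$ ?
Repeat t times
commitment-witness-challenge-response-verification
and repeat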
21
Security of F-S scheme
  • (1) Assuming that computing S is difficult,
    breaking the scheme is equivalent to factoring n.
  • (2) Since P doesn't know (when he chooses r or
    rS mod n) which question V will ask, he can't
    choose the required answer in advance.
  • (3) P can succeed in guessing V's question with
    prob. 1/2 for each question. If the protocol is
    repeated t times, the prob. that V fails to catch
    P in all the times is only $2^{-t}$, which decreases
    exponentially with t (t = 20 or 30).
  • (4) Convinces V that P knows the square root of
    I, without revealing any information on S.
    However, V gets one bit of information: he
    learns that I is a quadratic residue.
22
Schnorr Identification (I)
  • Based on DLP under a Trusted Authority (TA)
  • TA decides public parameters
    • p: large prime (1024 bit)
    • q: large prime divisor of p-1 (160 bit)
    • $\alpha \in Z_p^*$ has order q
    • t: security parameter s.t. $q > 2^t$
  • Public parameters: p, q, $\alpha$, t
  • Prover chooses
    • private key a ($1 \le a \le q-1$)
    • public key $v = \alpha^{-a} \bmod p$
  • Honest-verifier ZKIP (the verifier chooses r at
    random, as the scheme prescribes)

23
Schnorr Identification (II)
Public par.: p, q, $\alpha$, t
P: private key a, public key v
1. P: select random k
P → V: commitment, cert(P)
2. V: verify P's public key, generate random
challenge r
V → P: r
3. P: $y = k + ar \bmod q$
P → V: y
4. V: verify
24
Schnorr Identification (III)
  • (TA)
    • $p = 88667$, $q = 1031$, $t = 10$; $\alpha = 70322$ has order q in $Z_p^*$
  • (P)
    • private key $a = 755$
    • public key $v = \alpha^{-a} \bmod p = 70322^{1031-755} \bmod 88667 = 13136$
  • P: random $k = 543$
    • $\alpha^k \bmod p = 70322^{543} \bmod 88667 = 84109$
      (commit)
  • V: random challenge $r = 1000$
  • P: $y = k + ar \bmod q = 543 + 755 \times 1000 \bmod 1031 = 851$
  • V: on receiving y, verify that $84109 \equiv 70322^{851} \cdot 13136^{1000} \pmod{88667}$.
    If equal, accept.
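
The worked example above run end to end with the parameter and range checks each side would perform, as an added example that is not part of the original slides. The numbers are the slide's; the function names, the name gamma for the commitment and the challenge range 1 ≤ r ≤ 2^t are assumptions made for illustration.

```python
import secrets

# Public parameters and private key from the slide's worked example.
P, Q, T, ALPHA = 88667, 1031, 10, 70322
A_PRIV = 755


def check_params(p, q, t, alpha) -> bool:
    """TA-side sanity checks: q | p-1, alpha != 1 with alpha^q = 1 (order q), q > 2^t."""
    return (p - 1) % q == 0 and alpha % p != 1 and pow(alpha, q, p) == 1 and q > 2 ** t


def public_key(p, q, alpha, a) -> int:
    return pow(alpha, q - a, p)            # v = alpha^(-a) mod p


def commit(p, q, alpha, k=None):
    """Prover step 1: fresh random k per session; returns (k, alpha^k mod p)."""
    if k is None:
        k = secrets.randbelow(q)
    return k, pow(alpha, k, p)


def respond(q, a, k, r) -> int:
    return (k + a * r) % q                 # step 3: y = k + a*r mod q


def verify(p, q, t, alpha, v, gamma, r, y) -> bool:
    """Verifier step 4, with range checks on the values it handles.
    The bound 1 <= r <= 2^t is an assumed convention, not stated on the slide."""
    if not (1 <= r <= 2 ** t and 0 <= y < q and 0 < gamma < p):
        return False
    return gamma == (pow(alpha, y, p) * pow(v, r, p)) % p


def run_slide_example():
    """Reproduce the slide: k = 543, r = 1000; returns (v, gamma, y, accepted)."""
    v = public_key(P, Q, ALPHA, A_PRIV)
    k, gamma = commit(P, Q, ALPHA, k=543)
    r = 1000
    y = respond(Q, A_PRIV, k, r)
    return v, gamma, y, verify(P, Q, T, ALPHA, v, gamma, r, y)
```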

25
Other Identification schemes
  • Okamoto Identification scheme (p.378)
  • Guillou-Quisquater Identification scheme (p.
    383)
  • ID-based identification
  • Others