Efficient Zero-Knowledge Identification Schemes for Smart
Cards
M. BURMESTER*1, Y. DESMEDT*2 AND T. BETH3
1 Department of Mathematics, University of London-RHBNC, Egham, Surrey TW20 0EX
2 Department of EE & CS, University of Wisconsin - Milwaukee, P.O. Box 784, WI 53201, USA
3 European Institute for System Security, Universität Karlsruhe, Fakultät für Informatik, D-7500 Karlsruhe, Germany
Secure identification is an important security issue to avoid computer fraud due to masquerading. This can be achieved
with zero-knowledge based smart cards. We present very efficient new zero-knowledge schemes in a general algebraic
setting. Particular cases of our scheme improve the performance of the Guillou-Quisquater and the Chaum-Evertsevan de Graaf schemes. Our scheme is formally proven and, overall, is more efficient than currently available schemes
including the Fiat-Shamir scheme. As an application we discuss how our scheme can be used for identification, in
particular as an electronic passport scheme.
Received May 1991, revised September 1991
* Research partly done while visiting the EISS, University of
Karlsruhe, West Germany.
THE COMPUTER JOURNAL, VOL. 35, NO. 1, 1992

1. INTRODUCTION

To guarantee computer security one needs a secure login. Login methods used nowadays are insecure. When typing in a password on a terminal, bystanders can easily look over one's shoulder and see what is being entered. Worse, often one is logging in at a remote machine, thousands of miles away. The password travels electronically from a terminal or a personal computer to the remote machine, and meanwhile it is easy to eavesdrop. Due to the use of workstations and the progress in networking, Ethernet-based Local Area Networks (LANs) have become common. On such networks the password of each user passes through all local workstations, making the task of eavesdropping much easier. In many cases of computer break-in the attacker does not even have to eavesdrop to get the password, but just consults a dictionary of frequently used passwords. So there is no doubt that more secure login procedures must be developed. In this paper we discuss techniques to achieve this.

Before addressing this problem we remark that entering a PIN at an Automatic Teller Machine (ATM), or at a Point of Sale (POS) terminal, is a special case of login. The same applies to phone cards. Although the amount involved in such transactions is usually small, criminal organisations sometimes target ATMs and POS terminals. Indeed, due to the very large number of customers, the total amount involved in such transactions could be enormous. To reduce such criminal activities some credit card companies use cards which are harder to forge, for example by displaying a hologram. In some countries, such as France,27 smart cards are already in use today to further reduce the risk.

The problem of secure login is a special case of the problem of secure identification. Identification is the process in which an individual (the prover) identifies himself to another individual or a machine; the latter party is called the verifier. Tokens for identification purposes, such as drivers' licences, identification cards, passports and visas, are often used in our society. Furthermore, to an increasing degree credit cards are accepted for identification purposes (although without pictures). Fake passports and fake drivers' licences are handy tools for criminals and terrorists.

A brief survey of identification schemes

Let us briefly review the history of identification mechanisms. One of the oldest methods of identification is the password. This mechanism is based on secret knowledge. As already mentioned, this solution is insecure because the prover reveals his secret. Indeed, the prover does not know whether he is identifying himself to an adversary who could later use the password fraudulently.

Other techniques rely on the assumption that it is hard (expensive) to produce certain types of cards. However, old-fashioned cards 'can be manufactured, without excessive difficulty, to resemble true cards sufficiently well as to deceive most people having to deal with them'.15

Recently, systems relying on the physical description of the individual have been proposed. Such systems have questionable security, and in many circumstances this approach is either too expensive, too impractical or unacceptable to the users. Davies and Price have stressed this last aspect,14 giving examples such as measuring lips for identification purposes, which would be rejected on hygienic grounds. The idea of measuring fingerprints creates the fear that some machines could cut off an individual's finger.

Today, a major research topic in data security is the design of secure identification mechanisms.35-41,21 Recently great attention has been directed to identification based on zero-knowledge.22 The prover does not have to reveal his secret password. Instead, he proves (using interactive challenges) to a verifier that he knows a secret, without revealing it. Since this proof requires a computation, a chip card which contains the secret of the prover is used. At first glance it appears that the verifier cannot masquerade as the prover, because the secret is not revealed. However, it has been pointed out3,18 that the verifier could perform an on-line fraud by forwarding the bits which are being exchanged. Techniques to avoid this and similar frauds have been proposed3,5 and make zero-knowledge identification attractive when implemented carefully. One of these is that a trusted centre keeps a black list of stolen or lost tokens. Another is that the prover's secret is hidden from him, to prevent the prover from helping others to impersonate him. This can be achieved by having the trusted centre encapsulate the secret in a tamper-proof device. All so far known problems with zero-knowledge based identification methods can be easily overcome, except the rental of smart cards. If no physical description is used then it is hard to detect this fraud, because the card is identified and not the individual. However, one could argue that it is unlikely that one will rent out one's own credit card!

This paper is organised as follows. In the remainder of this section we give some definitions. In Section 2 we discuss a particular case of our protocol and introduce zero-knowledge informally. In Section 3 we describe the general protocol, and in Section 4 we discuss its efficiency. In Sections 5 and 6 we prove that our protocol is a zero-knowledge proof. Many informally presented zero-knowledge schemes have collapsed, or require radical modifications.10 For this reason we have opted for a formal approach. At a first reading the proofs could be omitted. In Section 7 we consider an application of our scheme to electronic passports, and we conclude in Section 8.

Definitions

In this paper we focus on the development of new and faster zero-knowledge protocols. A characteristic property of our protocols is that the number of messages exchanged, or rounds, is 'almost-constant'. This property to a large extent accounts for their efficiency. A function $t = t(n)$ of the natural numbers is almost-constant if it is an unbounded function which grows very slowly, for example significantly slower than $\log n$. For our purpose it is not necessary to specify such functions any further, but if it helps to have a particular function in mind then we could take $t(n) = \log^* n$ (so $t(n)$ grows slower than any iterated logarithm).7

We note that if $f, g$ are functions of the natural numbers then $f(n) = O(g(n))$ if there is a constant $c$ such that $f(n) \le c\,g(n)$ for (almost) all $n$, and $f(n) = \Theta(g(n))$ if there are positive constants $c, d$ such that $c\,g(n) \le f(n) \le d\,g(n)$ for (almost) all $n$.

Finally, a set $L$ belongs to the class BPP if it can be recognised by a polynomially bounded probabilistic Turing machine with bounded error probability.23

2. AN ALMOST-CONSTANT ROUND PROTOCOL

In this Section we discuss intuitively the concept of zero-knowledge schemes, by considering a concrete new example. We use this to make a practical identification scheme for passports and remote login (see Section 7). This scheme will be utilised as the building block for a zero-knowledge proof (of membership) for the discrete logarithm problem, which is the most efficient so far presented (see Corollary 2 of Section 5).

The discrete logarithm is an important one-way function which is often used in modern cryptography. Many key exchange protocols19,33,34 and the El Gamal signature scheme20 have been based on the discrete logarithm. As an illustrative example, when we perform our calculations mod 7, the discrete logarithm of 2 to the base 5 is 4, because $5^4 \equiv 2 \pmod 7$. When 7 is replaced by a very large prime number then finding the discrete logarithm, or even deciding whether it exists, is considered to be difficult.37

Let $p$ be a prime number and $\mathbb{Z}_p$ the ring of integers modulo $p$. Define $k_p$ to be the largest divisor of $p-1$ whose prime factors are all at least as large as $v = \lceil \log_2 p \rceil$. We note that it is easy to compute $k_p$ (by removing from $p-1$ every prime factor below $v$ by trial division).

We shall consider a language (set) $L$ whose elements are the strings $x = (I; \beta, p)$, where $\beta$ is an element of $\mathbb{Z}_p^* = \mathbb{Z}_p \setminus \{0\}$ for which $\beta^{k_p} \equiv 1 \pmod p$ and $I \in \mathbb{Z}_p^*$ is such that $\beta^s \cdot I \equiv 1 \pmod p$ for some $s \in \mathbb{Z}_{p-1}$. That is,

$L = \{(I; \beta, p) \mid p \text{ is a prime}; \ \beta, I \in \mathbb{Z}_p^*; \ \beta^{k_p} \equiv 1 \pmod p; \ \exists s \in \mathbb{Z}_{p-1}: I \cdot \beta^s \equiv 1 \pmod p\}.$

We call $I$ the 'public' number and $s$ the 'secret' number. Let $H$ be the subgroup of $\mathbb{Z}_p^*(\cdot)$ which has order $k_p$. Then the public numbers are elements of $H$. Observe that any $\beta \in H$, $\beta \ne 1$, has order at least $v = \lceil \log_2 p \rceil$.

In the following protocol, $|p|$ is the binary length of $p$ and $a \in_R A$ indicates that the element $a$ is selected randomly with uniform distribution from the set $A$.

Protocol (P, V): Input $x = (I; \beta, p)$.
V checks that $p$ is a prime,42 then computes $k_p$ and checks that $I \in H$ and that $\beta^{k_p} \equiv 1 \pmod p$. If any one of these conditions fails then V halts and rejects. Otherwise the following Steps are repeated $t$ times independently, where $t = t(|p|)$ is almost-constant.
Step 1. P sends to V: $z = \beta^r \pmod p$, where $r \in_R \mathbb{Z}_{p-1}$.
Step 2. V sends to P: $q$, where $q \in_R \mathbb{Z}_v$.
Step 3. P verifies that $q \in \mathbb{Z}_v$, and if so sends to V: $y = r + qs \pmod{p-1}$, where the $s$ is such that $\beta^s I \equiv 1 \pmod p$.
Step 4. V verifies that $y \in \mathbb{Z}_{p-1}$ and that $z \equiv \beta^y I^q \pmod p$. If this check fails then the protocol is halted.
After $t$ complete rounds V accepts (V is convinced).

This protocol is a proof of membership in the language $L$. That is, when $x \in L$ the verifier will (almost) always accept, whereas when $x \notin L$ the verifier will (almost) always reject. Indeed, when $x \in L$ then $\beta^y I^q = \beta^r \beta^{qs} I^q = z(\beta^s I)^q \equiv z \pmod p$, so that the verification in Step 4 succeeds and V always accepts. Next let $x \notin L$. When $I \notin H$ or $\beta^{k_p} \not\equiv 1 \pmod p$, V always rejects. When $I \in H$ and $\beta^{k_p} \equiv 1 \pmod p$ and there is no $s$ such that $\beta^s I \equiv 1 \pmod p$, then it can be shown (Lemma 1 of Section 5) that it is not possible, even for an infinitely powerful dishonest prover, to answer more than one of the queries $q$ in Step 3 of any particular round. So the probability that V will accept after $t$ consecutive rounds when there is no $s$ such that $\beta^s I \equiv 1 \pmod p$ is negligible (at most $|p|^{-t}$).

The protocol is also a zero-knowledge proof (a formal definition and proof are given in Section 5). Intuitively, the prover does not reveal any new knowledge to the verifier because the verifier can simulate by himself the communications of the protocol. The verifier can guess his own question $q$ and obtain by himself the $z$ and $y$ which the prover would send him. That is, he can produce strings $(z, q, y)$ which satisfy the conditions in Step 4, with the same distribution as in the actual protocol. A crucial aspect of this simulation is that given any $q$ and any $y$ it is easy to obtain an appropriate $z$. Of course a simulated proof will not convince the verifier that $x \in L$.

This protocol, with suitable preprocessing, can be used to recognise the elements of any subgroup $\langle \beta \rangle$ of $\mathbb{Z}_p^*$ generated by $\beta$, with no restriction on the order of $\beta$ or $I$ (Corollary 2 of Section 5).

If the factors of $(p-1)$ are not known then it is generally believed that checking membership in $L$ is a hard problem.1 So a prover P who has unlimited computational power can use this protocol to prove that $x \in L$ to a verifier with limited resources.

Next suppose that the verifier V is given the factors of $(p-1)$, say as an additional part of the common input $x$. Then V can easily check by himself membership in $L$. Indeed, from the factors of $(p-1)$ the verifier can obtain the order of $\beta$, say $d$. Then, when the initial test is satisfied, $x \in L$ if and only if $I^d \equiv 1 \pmod p$, since $\mathbb{Z}_p^*$ is a cyclic group (from elementary group theory). However, even though V can confirm the existence of an $s$ such that $\beta^s \cdot I \equiv 1 \pmod p$, it is generally believed1 that it is hard to find such an $s$. This is called the discrete logarithm problem. In this case the protocol can be used as a proof of knowledge. The prover convinces the verifier that he 'knows' a secret $s$ such that $\beta^s \cdot I \equiv 1 \pmod p$, and not merely that there exists such an $s$ (as in the case of proofs of membership).

3. A GENERAL PROTOCOL

The protocol above can be generalised. One obvious generalisation is to replace $\mathbb{Z}_p$ by any finite field $GF(q)$. There are many other possible settings. One such setting is based on elliptic curves, whose $q$-rational points form an Abelian group. Discrete logarithms on elliptic curves have recently been extensively studied because, in our present state of knowledge, they admit much faster implementations36,32,8 (for a given level of security). To allow for such settings, and for others which cannot be foreseen, we shall consider a general protocol.

The protocol in Section 2 is based on the homomorphism $\mathbb{Z}_{p-1}(+) \to \mathbb{Z}_p^*(\cdot): r \mapsto \beta^r$. We can generalise this by taking a group homomorphism $f: G \to H$. However, to make a complexity-theoretic treatment possible we have to consider families $f_n: G_n \to H_n$ of such homomorphisms. Here $G_n, H_n$ are groups, and $f_n(ab) = f_n(a) f_n(b)$ for all $a, b \in G_n$. These families are indexed by a string $n \in J$, where $J$ is an infinite subset of $\{0,1\}^*$. To have cryptographic value the functions $f_n$ must be one-way. A number of things are specified by $n$. In particular, the triple $(f_n, G_n, H_n)$ is described in some uniform way. Also $n$ specifies a number $v = v(n)$ which will be used in our protocol. For convenience, and when there is no ambiguity, we will omit the subscript $n$ from $G_n$ and $H_n$ (but not from $f_n$).

The input $x$ of our protocol consists of the 'public number' $I \in H_n$ and the string $n$. We use the abbreviation $x = (I; n)$.

General Protocol (P, V): Input $x = (I; n)$.
V checks that $n \in J$ and $I \in H$, calculates $v = v(n)$, and then executes a probabilistic polynomial time test $T$ to be specified later ($T$ is always true when unspecified). If any of these conditions fails then V halts the protocol and rejects (the proof of P). Otherwise the following steps are repeated $t$ times independently, where $t = t(|n|)$ is almost-constant.
Step 1. P sends to V: $z = f_n(r)$, where $r \in_R G$.
Step 2. V sends to P: $q$, where $q \in_R \mathbb{Z}_v$.
Step 3. P verifies that $q \in \mathbb{Z}_v$ and if so sends to V: $y = r \cdot s^q \in G$, where the $s$ is such that $I \cdot f_n(s) = 1$.
Step 4. V verifies that $y \in G$ and that $z = f_n(y) \cdot I^q$. If this check fails then the protocol is halted.
After $t$ successful rounds V accepts (the proof of P).

In order that the verifier can execute his part of the protocol efficiently we have to restrict the setting as follows:
• the mappings $f_n$ and the operation of $H_n$ can be executed in polynomial time (in $|n|$),
• $L_G = \bigcup_{n \in J} G_n$ and $L_H = \bigcup_{n \in J} H_n$ are in BPP,
• $I$ can be efficiently represented, that is $|I|$ is $O(|n|)$,
• it is easy to recognise the strings $n$ of $J$ (that is, $J$ belongs to BPP).
From now on we shall assume that these conditions are always satisfied.

In Section 5 we will prove that this protocol is a proof of membership for the language $L = \{(I; n) \mid n \in J; I \in f_n(G_n)\}$, if appropriate conditions are satisfied. In Section 6 we consider the case when the protocol is a proof of knowledge.

4. EFFICIENCY

In this section we discuss the performance of our protocol and compare it with existing schemes. We shall assume that $v$ (the number of 'queries' in Step 2) is polynomially bounded in $|n|$, and hence that $|v| = O(\log|n|)$. For the communication and computation complexity we only consider the case when the elements of the groups $G, H$ are modular numbers and when the group operations can be expressed in terms of modular operations. For convenience we assume that $H = \mathbb{Z}_m^*$ (the set of numbers modulo $m$ which are relatively prime to $m$) and that the length of the input is $\Theta(|m|)$. The performance of our protocol will be measured in terms of $|m|$.

The number of iterations

An interactive protocol is of Arthur-Merlin (A-M) type if the strings sent by the honest verifier consist of random bits.2 It has been shown24 that a constant round A-M proof for a language $L$ cannot be proven zero-knowledge (using black-box simulation) unless $L$ belongs to BPP. This result has been extended to proofs of knowledge.30 Our protocol is A-M (for us $v$ is not necessarily a power of 2; however this makes little difference). Consequently, in the cases when our protocol is a zero-knowledge proof, our choice of almost-constant rounds is optimal (provided that the corresponding problem is hard).

To achieve almost-constant rounds we have had to use a relatively large $v$. The idea of using such $v$s is related to 'deep coin tosses'.28 However, in earlier work no bounds were set on $v$, resulting in informal systems which are not zero-knowledge (provided that the corresponding problem is hard).
The number of bits communicated

With each round of the protocol $|m|$ bits are communicated in Step 1 and in Step 3, and $|v|$ bits in Step 2. For $t$ iterations we have $t(2|m| + |v|)$ bits. Since $|v| = O(\log|m|)$, when $t \approx \log^\varepsilon|m|$ the number of bits communicated is approximately $|m|\log^\varepsilon|m|$.

Comparison with other schemes

In Table 1 we compare the performance of several schemes.

For the Fiat-Shamir scheme,22 $G = H = \mathbb{Z}_m^*(\cdot)$, where $m = pq$, $p, q$ distinct primes, and $f: r \mapsto r^2$. The input $x = (I_1, \ldots, I_k; m)$ has $k$ public numbers, $k = O(\log|m|)$. We can take the number of rounds to be $t \approx \log^{1+\varepsilon}|m|$, so that the number of bits communicated is $t(2|m| + k) \approx |m|\log^{1+\varepsilon}|m|$. The (average) number of multiplications is $t(k+2) \approx k\log^{1+\varepsilon}|m|$. For the Guillou-Quisquater28 and Ohta-Okamoto38 schemes we have $G = H = \mathbb{Z}_m^*(\cdot)$ and $f: r \mapsto r^v$, and we get the same bounds. However, if our conditions for Corollary 1 of Section 5 apply, then we can take $t \approx \log^\varepsilon|m|$ and the communication complexity reduces to $|m|\log^\varepsilon|m|$ bits. For the Chaum-Evertse-van de Graaf scheme11 and the Beth scheme4 we have $G = \mathbb{Z}_{p-1}(+)$, $p$ a prime, $H = \mathbb{Z}_p^*(\cdot)$ and $f: r \mapsto \beta^r$, $\beta \in \mathbb{Z}_p^*$, and we can take $t \approx \log^{1+\varepsilon}|p|$. The number of bits communicated is $t(2|p| + k) \approx |p|\log^{1+\varepsilon}|p|$, where $k = O(\log|p|)$ is the number of secrets, and the number of multiplications is $k|p|\log^{1+\varepsilon}|p|$. If we use our protocol in Section 2 then we can reduce the communication complexity to $|p|\log^\varepsilon|p|$ (see Section 5, Corollary 2, and Section 6, Corollary 3). The Schnorr identification scheme40 uses a one round protocol and therefore is not zero-knowledge24 (unless the discrete logarithm problem is easy). This scheme is not necessarily sound.9 However, if the Schnorr protocol is modified so that Corollary 3 of Section 6 applies, then we get an almost-constant round zero-knowledge proof. We note that it is not necessary for the order of $\beta$ to be a prime number (as in Ref. 40).

Reducing the computational complexity

We consider the protocol in Section 2 when $G = \mathbb{Z}_{p-1}(+)$ and $f_n: G \to H; r \mapsto \beta^r$, $\beta \in H$. In this case the computational complexity can be as much as $|p|\log^\varepsilon|p|$ multiplications. We can reduce this to $\log^{1+\varepsilon}|p|$ by modifying the language in such a way that $H$ is replaced by $H'$, a subgroup of $H$ with superpolynomial order, $G$ by $G' = \mathbb{Z}_{\mathrm{ord}(H')}(+) \subset \mathbb{Z}_{p-1}(+)$, and $f_n$ by $f'_n: G' \to H'$; $r \mapsto \beta^r$, $\beta \in H'$.
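The protocol of Section 2 worked through in code, as an added example that is not part of the paper: a Python implementation of the prover (the card), the honest verifier with its initial test and $t$ rounds, a cheating prover that guesses the query in advance (accepted with probability about $v^{-t}$, the soundness error of Theorem 1 below), and the honest-verifier simulator from the zero-knowledge discussion of Section 2, which picks $q$ and $y$ first and then solves for $z$. It uses a constructed toy prime $p = 1019$ (so $k_p = 509$, $v = 10$, and $H$ is the subgroup of order 509 generated by $\beta = 4$) instead of a cryptographic-size prime, a Miller-Rabin test in place of the primality test of Ref. 42, and Python's random module for the coin tosses; every name in it (`Prover`, `CheatingProver`, `compute_k_p`, ...) is chosen here and is not the paper's notation.

```python
import random

def demo_rng(seed=None):
    return random.Random(seed) if seed is not None else random.SystemRandom()

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin: the verifier's check that the public modulus p is prime."""
    if n < 2 or any(n % sp == 0 for sp in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def compute_k_p(p):
    """k_p = largest divisor of p-1 whose prime factors are all >= v = ceil(log2 p);
    strip every prime below v out of p-1 by trial division. Returns (k_p, v)."""
    v = p.bit_length()                              # ceil(log2 p) for an odd prime p
    k = p - 1
    for d in range(2, v):
        while k % d == 0:
            k //= d
    return k, v

def verifier_initial_check(I, beta, p, rng):
    """V's preliminary test: p prime, beta^{k_p} = 1 and I in H (the subgroup of order k_p)."""
    if not (1 <= beta < p and 1 <= I < p and is_probable_prime(p, rng)):
        return False
    k, _ = compute_k_p(p)
    return pow(beta, k, p) == 1 and pow(I, k, p) == 1

def keygen(beta, p, rng):
    """Secret s in_R Z_{p-1} and public number I with beta^s * I = 1 (mod p)."""
    s = rng.randrange(p - 1)
    return s, pow(pow(beta, s, p), -1, p)

class Prover:
    """Honest prover (the smart card) holding the secret s."""
    def __init__(self, s, beta, p):
        self.s, self.beta, self.p = s, beta, p
    def step1(self, rng):
        self.r = rng.randrange(self.p - 1)             # r in_R Z_{p-1}
        return pow(self.beta, self.r, self.p)          # z = beta^r (mod p)
    def step3(self, q, v):
        if not 0 <= q < v:                             # P checks that q is in Z_v
            raise ValueError("query out of range")
        return (self.r + q * self.s) % (self.p - 1)    # y = r + q s (mod p-1)

class CheatingProver:
    """Knows no s: guesses V's query q* and builds z so that only q = q* verifies."""
    def __init__(self, I, beta, p):
        self.I, self.beta, self.p = I, beta, p
    def step1(self, rng):
        self.guess = rng.randrange(compute_k_p(self.p)[1])
        self.y = rng.randrange(self.p - 1)
        return pow(self.beta, self.y, self.p) * pow(self.I, self.guess, self.p) % self.p
    def step3(self, q, v):
        return self.y                                  # passes Step 4 only if q == q*

def verify_round(z, q, y, I, beta, p):
    """Step 4: y in Z_{p-1} and z = beta^y * I^q (mod p)."""
    return 0 <= y < p - 1 and z == pow(beta, y, p) * pow(I, q, p) % p

def run_protocol(prover, I, beta, p, t, rng):
    """Honest verifier V: the initial test, then t independent rounds of Steps 1-4."""
    if not verifier_initial_check(I, beta, p, rng):
        return False
    _, v = compute_k_p(p)
    for _ in range(t):
        z = prover.step1(rng)
        q = rng.randrange(v)                           # q in_R Z_v
        y = prover.step3(q, v)
        if not verify_round(z, q, y, I, beta, p):
            return False
    return True

def simulate_transcript(I, beta, p, rng):
    """Simulator for the honest verifier: choose q and y first, then solve for z.
    (z, q, y) is distributed exactly like a real round, yet no secret was used."""
    _, v = compute_k_p(p)
    q, y = rng.randrange(v), rng.randrange(p - 1)
    return pow(beta, y, p) * pow(I, q, p) % p, q, y

def cheat_acceptances(I, beta, p, t, trials, rng):
    """Trials in which a cheating prover is accepted; expect about trials * v^{-t}."""
    return sum(run_protocol(CheatingProver(I, beta, p), I, beta, p, t, rng)
               for _ in range(trials))

if __name__ == "__main__":
    rng = demo_rng()
    p, beta = 1019, 4        # constructed toy prime: p-1 = 2*509, so k_p = 509, v = 10
    s, I = keygen(beta, p, rng)
    print(compute_k_p(p), run_protocol(Prover(s, beta, p), I, beta, p, 4, rng),
          cheat_acceptances(I, beta, p, 3, 300, rng), "cheating acceptances in 300 runs")
```

With $v = 10$ the per-round error is $1/10$, which is why a real deployment needs $v = \Theta(|p|)$ and almost-constant $t$; the simulator's output satisfies the Step 4 equation for every $(q, y)$ precisely because $z$ is computed last, which is the point the zero-knowledge argument rests on.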
The number of operations

We shall assume, for convenience, that the cost of a multiplication in $G$ is no more than in $H$, and that the cost of the exponentiation $r^q$ in $H$ is (on average) $\tfrac{3}{2}\log q$ multiplications. Suppose that the cost of computing $f_n(r) \in H$, $r \in G$, is equivalent to $l(r)$ multiplications in $H$. Then we have $l(r)$ multiplications in Step 1, $1 + \tfrac{3}{2}\log q$ multiplications in Step 3, and $1 + l(y) + \tfrac{3}{2}\log q$ multiplications in the verification step. For $t \approx \log^\varepsilon|m|$ iterations we get approximately $(l(r) + l(y) + O(\log|m|))\log^\varepsilon|m|$ multiplications, since $q < v$ and $|v| = O(\log|m|)$. If we assume that $l(r) = \Theta(|v|)$, for example when $f_n(r) = r^v$ (as in many schemes28,38,8), then the computational complexity is approximately $\log^{1+\varepsilon}|m|$ multiplications. When $l(r) = \Theta(|r|)$, for example when $f_n(r) = \beta^r$ (as in many schemes),11,4,40 the computational complexity is approximately $|m|\log^\varepsilon|m|$ multiplications (in the general case).

Table 1. The complexity of some zero-knowledge identification schemes. $|x|$ is the length of the input.

Fiat-Shamir22: rounds $\log^{1+\varepsilon}|x|$; bits communicated $|x|\log^{1+\varepsilon}|x|$; multiplications $k\log^{1+\varepsilon}|x|$, $k = O(\log|x|)$.
Guillou-Quisquater,28 Ohta-Okamoto38: rounds $\log^{1+\varepsilon}|x|$; bits communicated $|x|\log^{1+\varepsilon}|x|$; multiplications $\log^{1+\varepsilon}|x|$.
Chaum-Evertse-van de Graaf,11 Beth4: rounds $\log^{1+\varepsilon}|x|$; bits communicated $|x|\log^{1+\varepsilon}|x|$; multiplications $k|x|\log^{1+\varepsilon}|x|$, $k = O(\log|x|)$.
Schnorr40 (not zero-knowledge): rounds one; bits communicated $O(|x|)$; multiplications $O(|x|)$ (without preprocessing).
Our scheme (particular cases): rounds $\log^{\varepsilon}|x|$; bits communicated $|x|\log^{\varepsilon}|x|$; multiplications $\log^{1+\varepsilon}|x|$.

5. A PROOF OF MEMBERSHIP

Definitions

We present an overview of the concept of zero-knowledge interactive proofs.25 Informally, a proof should convince a reader, i.e. a verifier, that a theorem is true. It should not be possible for the verifier to be convinced of an untruth. With interactive proofs25 the verifier is allowed to ask questions. For us both the prover and the verifier will use randomness (toss coins). The randomness is obtained from private random tapes (that is, bit strings with uniform distribution). As a consequence the verifier is only convinced with a certain probability.

Formally, the prover P and the verifier V are probabilistic interactive Turing machines. P and V have a common input tape, and each has private work tapes and a private random tape. The interaction is done by using communication tapes.

Definition 1. Let $L \subseteq \{0,1\}^*$ be a language and let (P, V) be a pair of interactive probabilistic Turing machines. (P, V) is an interactive proof for $L$ if for common input $x$,
• Completeness: when $x \in L$ then (P, V) accepts with overwhelming probability ($> 1 - 1/|x|^a$, any $a$),
• Soundness: when $x \notin L$, for any prover P', (P', V) accepts only with negligible probability ($< 1/|x|^a$, any $a$).
P' is a prover who may deviate from the protocol (for example, in an attempt to prove to V an untruth). In this setting it is customary to assume that P has unlimited
computational resources (and can therefore 'recognise' the elements of $L$), whereas V is polynomially bounded (and cannot check membership by himself, if this is a 'hard' problem). P and V are the 'honest' parties.

We shall now consider the impact of a possibly dishonest verifier V' on a proof (P, V). V' may deviate from the protocol in an attempt to gain some additional knowledge, for example about the input $x$. Informally, a proof is zero-knowledge25 if it guarantees that the prover reveals no more knowledge than that $x \in L$ (one bit), to any verifier V'. V' may wish to use previously obtained knowledge. To allow for this we shall assume that the verifier has an additional tape, called the history tape, on which such knowledge can be written. During the execution of a proof, P and V' exchange messages. We define the view of V' to be everything that V' sees. That is, the messages exchanged and the portion of the random tape that V' uses. Clearly V' will gain no further knowledge if this view can be simulated without any help from the prover. We define $\mathrm{View}_{(P,V')}(x, h)$ to be the random variable whose value is the view of V'. Here $h$ is the contents of the history tape of V'. Formally we have,

Definition 2. An interactive proof (P, V) for $L$ is perfect zero-knowledge25 if, for every V' there is an expected polynomial time Turing machine $M_{V'}$, the simulator, which given $x \in L$ and $h$ will generate a distribution which is identical to that generated by $\mathrm{View}_{(P,V')}(x, h)$.

We also have25 statistical and computational zero-knowledge. These, however, will not concern us here.

Our zero-knowledge proof of membership

Theorem 1. Suppose that the following condition is satisfied:
C1 $\forall n \in J$, $v = \lceil \log n \rceil$, $\forall I \in H_n$, $\forall q \in \mathbb{Z}_v^0$ (the nonzero elements of $\mathbb{Z}_v$): $I^q \in f_n(G_n) \Rightarrow I \in f_n(G_n)$.
Then protocol (P, V) is a perfect zero-knowledge proof for the language $L = \{(I; n) \mid n \in J; I \in f_n(G_n)\}$.

To prove this theorem we use the following.

Lemma 1. Suppose that condition C1 is satisfied. If there is a $z \in H_n$ for which there is more than one $q \in \mathbb{Z}_v$ such that $z = f_n(y) \cdot I^q$ for some $y \in G_n$, then $I \in f_n(G_n)$.

Proof. If $z = f_n(y') \cdot I^{q'} = f_n(y'') \cdot I^{q''}$ for $y', y'' \in G$ and $q', q'' \in \mathbb{Z}_v$, $q' > q''$, then $f_n(y) I^q = 1$ with $y = (y'')^{-1} y'$, $q = q' - q''$. So $I^q = f_n(y^{-1}) \in f_n(G)$, and by condition C1 we have $I \in f_n(G)$. ∎

Proof of Theorem. Completeness follows directly from the fact that $f_n$ is a homomorphism. For soundness we have to show that if $x \notin L$ then the probability with which the verifier will accept is negligible. From the Lemma, when $x \notin L$ there cannot be more than one query $q$ for which some $y$ satisfies $z = f_n(y) I^q$. Since the verifier V chooses $q \in \mathbb{Z}_v$ randomly with a uniform probability distribution, the probability that the verification in Step 4 is successful when $x \notin L$ is bounded by $1/v$. This is the probability of error per iteration. So the probability that V will accept after $t$ independent iterations is bounded by $v^{-t}$. This is negligible. Indeed, we are assuming that $v = \Theta(|n|)$ and that $|n| = \Theta(|x|)$. So $v^{-t} = 1/\Theta(|x|)^t$, which is negligible when $t$ is unbounded.

For perfect zero-knowledge we have to show that when $x \in L$ the view of any verifier V' can be simulated by a probabilistic expected polynomial time Turing machine $M_{V'}$, with an identical distribution. We use the technique of 'probing and resetting' the verifier.25 In our case $M_{V'}$ first prepares 'transcripts' of the form $(z = f_n(r) \cdot I^q,\ q,\ y = r)$, where $r \in_R G$ and $q \in_R \mathbb{Z}_v$, and then obtains the appropriate distribution by probing and resetting V'. The simulator can do this because the expected number of probings is $O(tv)$, which is polynomial in $|x|$. ∎

We remark that if $t$ is linear in $|n|$ then we can do without condition C1 in Theorem 1.

Corollary 1. Suppose that $v$ is as in Theorem 1, and that there exists an integer $k = k(n)$ such that
C2 $H^k \subseteq f_n(G)$: that is, for any $I \in H$ there exists a $w \in G$ such that $I^k = f_n(w)$,
C3 The smallest prime factor of $k$ is at least $v$.
Then protocol (P, V) is a perfect zero-knowledge interactive proof for $L$ provided that test $T$ checks these conditions.

Proof. We only need to show that conditions C2 and C3 imply C1 of Theorem 1. Suppose that $I^q = f_n(u)$, $I \in H$, $q \in \mathbb{Z}_v^0$, $u \in G$. Then since $0 < q < v$ and since the smallest prime factor of $k$ is at least $v$, we must have $\gcd(q, k) = 1$. So there exist integers $a, d$ with $aq + dk = 1$. Consequently $I = I^{aq + dk} = I^{aq} \cdot I^{dk} = f_n(u)^a \cdot f_n(w)^d = f_n(u^a w^d) \in f_n(G)$, since $I^k = f_n(w)$ for some $w \in G$ by condition C2. So $I \in f_n(G)$ and we get condition C1. ∎

Examples. We consider two particular cases for which condition C2 is trivially satisfied. In the first case, $G_n = H_n = \mathbb{Z}_m^*$ and $f_n: r \mapsto r^k$, with $m = m(n)$, $k = k(n)$. Then $H_n^k = (\mathbb{Z}_m^*)^k = f_n(G_n)$. This case has been discussed elsewhere.8 The second case is the one considered in Section 2. For this protocol we have $H^{k_p} = \{1\}$.

Corollary 2. The discrete logarithm decision problem is polynomial-time reducible (efficiently) to the language in Section 2. This result can be generalised to the (relaxed) discrete logarithm over any Abelian group with known order. This implies that after suitable preprocessing16 the zero-knowledge proof of Section 2 recognises the elements of any subgroup of $\mathbb{Z}_p^*$.

Proof. Our argument is based on smooth numbers12 and the Pohlig-Hellman algorithm.39 Let the input be $(I; \beta, p)$. The verifier first checks that $I^{k_p} \in \langle \beta^{k_p} \rangle$; this is a membership question in a subgroup whose order is $v$-smooth, which the Pohlig-Hellman algorithm decides efficiently. If this is successful, the prover and verifier use the protocol of Section 2 with input $(I^{(p-1)/k_p}; \beta^{(p-1)/k_p}, p)$. ∎

6. PROOFS OF KNOWLEDGE

Definitions

We refer the reader to the discussion at the end of Section 2 for an example of a proof of knowledge. The only difference from a proof of membership is that with proofs of knowledge a dishonest prover who does not know the secret (or an equivalent) should fail to convince the verifier. The problem is to define the meaning of 'knowledge', allowing for knowledge one is not aware of. The solution43,21 is to employ an 'outsider', the extractor, who succeeds in extracting from the prover (a
The zero-knowledge proof of knowledge

For proofs of knowledge the prover P is polynomially bounded. So we have to assume, additionally, that
• the operation in $G_n$ can be executed in polynomial time (otherwise P cannot compute $y$ in Step 3),
• for all $y \in G_n$, $y^{-1}$ can be computed in polynomial time.
With such proofs, P proves that it knows an $s$ such that $I \cdot f_n(s) = 1$ (and not merely that such an $s$ exists). So condition C1 of Theorem 1 must be strengthened.

Theorem 2. Suppose that $x = (I; n)$, that $v$ is as in Theorem 1 and that
C4 There exists a probabilistic polynomial time algorithm which for any $n \in J$, when given as input $n$, $I \in H_n$, $q \in \mathbb{Z}_v^0$, $u \in G_n$ with $I^q = f_n(u)$, will output a $w \in G_n$ such that $I = f_n(w)$.
Then the protocol (P, V) is a perfect zero-knowledge proof of knowledge of the relation
$R = \{(x, s) \mid n \in J;\ s \in G_n;\ I \cdot f_n(s) = 1\}.$
Furthermore (P, V) is unrestricted input zero-knowledge if test $T$ checks that $I \in f_n(G_n)$.

Proof. The proofs of completeness and zero-knowledge are the same as for Theorem 1. The proof of soundness is similar to that in Feige-Fiat-Shamir when one defines vertices of degree 2, or more, as 'heavy'.21 We assume that (a portion of) the random tape of a (possibly cheating) prover P' is such that the verifier V accepts with non-negligible probability when the input is $x$, and show that there is a probabilistic polynomial time machine M which will obtain a witness $s \in G$ such that $I \cdot f_n(s) = 1$. As in Feige-Fiat-Shamir,21 by probing and resetting the prover P', it is possible for M to find in expected polynomial time a 'heavy' vertex (of degree 2 or more), and hence to obtain a $z \in H$, $y', y'' \in G$, and numbers $q', q'' \in \mathbb{Z}_v$, $q' > q''$, such that $z = f_n(y') I^{q'} = f_n(y'') I^{q''}$. So M can obtain $q = q' - q''$ and $u = (y')^{-1} y''$ such that $I^q = f_n(u)$. Then by using condition C4, M can compute a $w \in G$ such that $I = f_n(w)$, and thus an $s = w^{-1}$ such that $I \cdot f_n(s) = 1$. ∎
26
When Gn and Hn are cyclic groups then condition C4 can
be simplified.
Corollary 3. Suppose that Gn and Hn are cyclic groups,
that fn:Gn^-Hn;r^-pr,
that /? is given, and that
C5 The order offn(Gn), say m, is known, and test T
checks that Im = 1.
Then condition C4 is satisfied.
Proof. Test $T$ is equivalent to that in Theorem 2. Observe31 that for any divisor $d$ of the order of a cyclic group there is only one subgroup of order $d$. So for any $I \in H$: $I \in f_n(G)$, if and only if, $I^m = 1$. We shall now show that condition C5 implies condition C4 of Theorem 2. Suppose that $I^q = f_n(u) = \beta^u$, $I \in H$, $q \in Z_v^0$, $u \in G$. Since $I^m = 1$, we must have $I = f_n(w) = \beta^w$ for some $w \in G$. So $\beta^{qw} = \beta^u$. Let $m_0 = \gcd(q, m)$ with $m = m' m_0$, $q = q' m_0$, $u = u' m_0$. Then there exists29 an integer $a$ such that
$$w = a u' \bmod m' + c\, m', \quad \text{for some } c \in Z_{m_0}. \qquad (1)$$
Now $m_0 \le q < v$, so $c$ is polynomially bounded in $|x|$. Consequently it is possible to compute in polynomial time all the values of $w$ in (1) and thus obtain the appropriate $w$. So we get condition C4. ∎
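The extractor of Theorem 2 and the enumeration of equation (1) in Corollary 3, worked through for the discrete-logarithm instance $G = Z_{p-1}$, $H = Z_p^*$, $f_n(r) = \beta^r$. This is an added example, not code from the paper: the three-move shape of the protocol (commitment $z = \beta^r$, challenge $q \in Z_v$, response $y$ accepted when $z = \beta^y I^q$) is assumed from the form of the 'heavy vertex' relation in the proof, and $p = 1009$, $\beta = 11$, $s = 700$ are constructed toy values.

```python
# Added example (not from the paper): witness extraction for the cyclic case
# of Theorem 2 / Corollary 3 with G = Z_{p-1}, H = Z_p^*, f(r) = beta^r mod p.
# Assumed protocol shape: commitment z = beta^r, challenge q in Z_v, response y
# accepted when z = beta^y * I^q.  p, beta, s below are constructed toy values.
from math import gcd
import random


def multiplicative_order(beta, p):
    """Order m of beta in Z_p^*; brute force is fine for a toy prime."""
    x, m = beta % p, 1
    while x != 1:
        x = x * beta % p
        m += 1
    return m


def honest_transcript(beta, p, I, s, q, r):
    """Honest prover with I = beta^(-s): commitment z = beta^r and response
    y = r + q*s (mod p-1), so that beta^y * I^q = beta^r = z."""
    z = pow(beta, r, p)
    y = (r + q * s) % (p - 1)
    assert pow(beta, y, p) * pow(I, q, p) % p == z   # the verifier's check
    return z, q, y


def solve_corollary3(beta, p, m, I, q, u):
    """Given I^q = beta^u and I^m = 1 (test T), return w with beta^w = I.
    Equation (1): w = a*u' mod m' + c*m' with c in Z_{m0}, m0 = gcd(q, m)."""
    if pow(I, m, p) != 1:
        raise ValueError("test T fails: I is not in f(G)")
    u %= m
    m0 = gcd(q, m)
    m_, q_ = m // m0, q // m0
    if u % m0:
        raise ValueError("I^q = beta^u cannot hold for these values")
    u_ = u // m0
    a = pow(q_, -1, m_) if m_ > 1 else 0        # q' is invertible mod m'
    base = a * u_ % m_
    for c in range(m0):                           # at most q < v candidates
        w = base + c * m_
        if pow(beta, w, p) == I:
            return w
    raise ValueError("unreachable: I^m = 1 means I lies in <beta>")


def extract_secret(beta, p, m, I, t1, t2):
    """Theorem 2's extractor M: two accepting transcripts with the same z and
    different challenges give q = q' - q'' and u = y'' - y' with I^q = beta^u;
    Corollary 3 then yields w with beta^w = I, and s = -w satisfies I*beta^s = 1."""
    (z1, q1, y1), (z2, q2, y2) = t1, t2
    if z1 != z2 or q1 == q2:
        raise ValueError("need a 'heavy' vertex: same z, distinct challenges")
    if q1 < q2:                                   # make q = q' - q'' positive
        (q1, y1), (q2, y2) = (q2, y2), (q1, y1)
    q, u = q1 - q2, (y2 - y1) % m
    w = solve_corollary3(beta, p, m, I, q, u)
    return (-w) % m


def demo_extractor(p=1009, beta=11, s=700, seed=1):
    rng = random.Random(seed)
    m = multiplicative_order(beta, p)
    I = pow(beta, -s, p)                          # public I with I * beta^s = 1
    r = rng.randrange(p - 1)                      # prover randomness, reused below
    t1 = honest_transcript(beta, p, I, s, 6, r)
    t2 = honest_transcript(beta, p, I, s, 3, r)   # same r: the secret leaks
    return extract_secret(beta, p, m, I, t1, t2), s % m, pow(I, m, p)
```

The demo deliberately reuses the prover's $r$ for two challenges, which is exactly the situation the extractor exploits: a prover implementation must draw a fresh $r$ on every run, and a transcript pair with a repeated commitment is a strong sign that a card's randomness has failed.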
Examples. Consider the case when $G_n = H_n = Z_N^*$ and $f_n(r) : r \mapsto r^k$, with $N = N(n)$, $k = k(n)$, and $\gcd(k, \phi(N)) = 1$ (a trusted centre which may know the factorisation of $N$ must guarantee this). Then we only need condition C3 to get C4 of Theorem 2. So we have a zero-knowledge proof of knowledge if the smallest prime factor of $k$ is at least $v$. Indeed suppose that we are given $I \in H$, $q \in Z_v^0$, $u \in G$ with $I^q = u^k \pmod N$. Then by C3, $\gcd(q, k) = 1$, so that $aq + bk = 1$ for suitable $a, b$. So
$$I = I^{aq + bk} = u^{ak} \cdot I^{bk} = (u^a I^b)^k \pmod N.$$
Thus $I = w^k \pmod N$ for $w = u^a I^b \pmod N$, and we have condition C4.
For the second example we take $G_n = Z_{p-1}$, $H_n = Z_p^*$ and $f_n : r \mapsto \beta^r$, $\beta \in Z_p^*$. The input is $(I; p, \gamma, \beta)$, where $\gamma$ is the list of all prime factors of $(p - 1)$. Note that it is easy to compute the order $m$ of $\beta$, given $\gamma$. So we apply Corollary 3 to get a zero-knowledge proof of knowledge.
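The Bezout step of the first example, as added code that is not from the paper: given $I^q = u^k \pmod N$ with $\gcd(q, k) = 1$, the $k$-th root is $w = u^a I^b$. The block also shows the failure mode that condition C3 rules out, namely a challenge $q$ sharing a factor with $k$, in which case no such $a, b$ exist. $N = 3233$, $k = 17$ and the sample values are constructed toy parameters.

```python
# Added example (not from the paper): condition C4 for the first example,
# G = H = Z_N^*, f(r) = r^k mod N.  From I^q = u^k (mod N) and gcd(q, k) = 1
# a k-th root of I is w = u^a * I^b where a*q + b*k = 1 (Bezout).
# N, k and the sample values are constructed toy parameters.
from math import gcd


def egcd(x, y):
    """Extended Euclid: returns (g, a, b) with a*x + b*y = g = gcd(x, y)."""
    a0, a1, b0, b1 = 1, 0, 0, 1
    while y:
        t, x, y = x // y, y, x % y
        a0, a1 = a1, a0 - t * a1
        b0, b1 = b1, b0 - t * b1
    return x, a0, b0


def kth_root_from_relation(N, k, I, q, u):
    """Condition C4 in the RSA-type setting: given I^q = u^k (mod N) with
    0 < q < v and gcd(q, k) = 1, return w with w^k = I (mod N)."""
    if pow(I, q, N) != pow(u, k, N):
        raise ValueError("relation I^q = u^k does not hold")
    g, a, b = egcd(q, k)
    if g != 1:
        # Exactly what C3 (smallest prime factor of k >= v) prevents:
        # with gcd(q, k) > 1 there is no Bezout pair and extraction fails.
        raise ValueError("gcd(q, k) != 1: cannot extract a k-th root")
    return pow(u, a, N) * pow(I, b, N) % N      # negative exponent: modular inverse


def check_c3(k, v):
    """Condition C3: every prime factor of k is at least v, so every possible
    challenge q in {1, ..., v-1} is coprime to k."""
    return all(gcd(q, k) == 1 for q in range(1, v))


def demo_rsa_root(N=3233, k=17, w_true=1234, q=5):
    v = N.bit_length()                            # v = ceil(log2 N) = 12 here
    I = pow(w_true, k, N)                         # public I = w^k (mod N)
    u = pow(w_true, q, N)                         # then u^k = w^(kq) = I^q
    w = kth_root_from_relation(N, k, I, q, u)
    return w, pow(w, k, N) == I, check_c3(k, v)
```

With $\gcd(k, \phi(N)) = 1$ the $k$-th root is unique, so `demo_rsa_root` recovers `w_true` itself; the point for an implementer is that the challenge range $Z_v$ and the exponent $k$ must be chosen together, since a single challenge with $\gcd(q, k) > 1$ is one the extractor cannot use.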
Remark. Let us compare Corollary 1 to Corollary 3. When $H$ is cyclic, condition C2 of Corollary 1 is satisfied for $k = h/m$ (the index of $f_n(G)$ in $H$). Indeed in this case $H^k = f_n(G)$. However, in Corollary 3 we make no assumption on the size or the factors of $k$.
Corollary 3 can be extended to Abelian groups, with minor adjustments. We recall that finite Abelian groups have an independent set of generators31 with invariant properties.
Corollary 4. Suppose that $H_n$ is an Abelian group, that a set of independent generators $\beta_i$, $i = 1, \ldots, b$, of $f_n(G_n)$ is given, that the orders $m_i$ of $\beta_i$ are given, that $G_n = Z_{m_1}(+) \times \cdots \times Z_{m_b}(+)$ (direct product), and that $v$ is as in Theorem 1. Let $f_n : (u_1, \ldots, u_b) \mapsto \prod_{i=1}^{b} \beta_i^{u_i}$. Suppose that the order of $H_n$, say $h$, is given and that $m = \prod_{i=1}^{b} m_i$ is relatively prime to $k = h/m$. Then protocol $(A, B)$ is a perfect unrestricted input zero-knowledge proof of knowledge of the relation
$$R = \{((I; n), (s_1, \ldots, s_b)) \mid n \in J;\ (s_1, \ldots, s_b) \in G_n;\ I \cdot f_n(s_1, \ldots, s_b) = 1\},$$
provided that test $T$ checks that $I^m = 1$.
THE COMPUTER JOURNAL, VOL. 35, NO. 1, 1992
Downloaded from http://comjnl.oxfordjournals.org/ by guest on July 20, 2016
machine) the secret. The extractor will fail if the prover does not know the secret.
The formal setting for proofs of knowledge21 requires that both the prover $P$ and the verifier $V$ are polynomially bounded Turing machines, and the prover has access to a restricted oracle (from which he obtains the secret).
Definition 3. $(P, V)$ is an interactive proof of knowledge21 of the relation $R$ if for common input $x$,
• Completeness: $(P, V)$ will accept $x = (I; n)$ with overwhelming probability when $(x, s) \in R$.
• Soundness: there is a probabilistic polynomial time Turing machine $M$ (the extractor) which is such that, given any $P'$ and any string $h$: if $(P', V)$ accepts $x$ with non-negligible probability then $M$ will output an $s' = M(P', h, x)$ which is such that $(x, s') \in R$ with overwhelming probability.
Definition 4. Zero-knowledge is as for proofs of languages. We have unrestricted input zero-knowledge21 if the simulator can simulate the view of $V$ even when $x \notin L$, where $L = \{x \mid \exists s : (x, s) \in R\}$.
Proof. We show that $f_n(G) \in \mathrm{BPP}$ and that condition C4 of Theorem 2 applies. Observe31 that $H$ has only one subgroup which has order $m$ since $\gcd(m, k) = 1$. Thus $I \in f_n(G)$, if and only if, $I^m = 1$. The rest is similar to Corollary 3. ∎
This result holds for any set of independent generators $\beta_i$ of $f_n(G_n)$. Corollary 4 can be modified to allow for the case when $\gcd(m, k) \neq 1$, provided that we impose a condition on the index $k$. We have
Corollary 5. We get the same conclusion as in Corollary 4 if we replace the condition $k = h/m$ by the assumption that $k$ satisfies conditions C2 and C3 of Corollary 1.
Proof. We show that condition C4 is valid. If $I \in H$, $u = (u_1, \ldots, u_b) \in G$ and $q \in Z_v^0$ are such that
$$I^q = f_n(u) = \beta_1^{u_1} \cdots \beta_b^{u_b}, \qquad (2)$$
and if condition C2 holds, then it is possible to compute in polynomial time a $w = (w_1, \ldots, w_b) \in G$ such that $I = f_n(w) = \beta_1^{w_1} \cdots \beta_b^{w_b}$. Indeed by C2 there is a $(w_1, \ldots, w_b) \in G$ such that $I^k = \beta_1^{w_1} \cdots \beta_b^{w_b}$. Then by (2), $I^{qk} = \beta_1^{k u_1} \cdots \beta_b^{k u_b} = \beta_1^{q w_1} \cdots \beta_b^{q w_b}$. Since the $\beta_i$ are independent, we must have $q w_i \equiv k u_i \pmod{m_i}$, $i = 1, \ldots, b$. As in Corollary 3, we can compute in polynomial time the $w_i$. We now proceed as in Corollary 1. In this case we have $I^q = \beta_1^{u_1} \cdots \beta_b^{u_b}$, and hence $I = I^{aq + dk} = \beta_1^{a u_1 + d w_1} \cdots \beta_b^{a u_b + d w_b}$, where $a, d$ are such that $aq + dk = 1$. ∎
7. APPLICATIONS
Passports are an important means of identification. Compared with other identification tokens (or tools) such as credit cards, there are many centres, each one distrusting the other, that issue tokens.
An electronic passport scheme
An international body, say the U.N. (or I.S.O.), organises a setting in which various countries can issue unforgeable electronic passports.13 It is assumed that the countries will not trust the U.N., or each other. Furthermore it should not be possible for citizens to make passports, or for one country to issue passports for another country.
Initiation. The U.N. chooses a large prime number $p$ and a primitive element $\alpha \in Z_p^*$ (it is not necessary for $\alpha$ to be primitive, but its order must be superpolynomial in $|p|$). The U.N. guarantees that $p, \alpha$ are correct and makes these numbers public.
Registration of a country. Each participating country chooses a random $u \in Z_{p-1}$ and computes $\psi = \alpha^u$. The public number of the country is $\psi$, and the secret number is $u$.
Making a passport. For each citizen who applies for a passport, the country chooses a random $k \in Z_{p-1}^*$ such that the smallest prime factor of $k$ is at least $v$, $v = \lceil \log p \rceil$. Then it computes $\beta = \alpha^k \bmod p$, and the secret number $s$ by solving the congruence20
$$u\beta + ks = J \pmod{p - 1}, \qquad (3)$$
where $J$ is the value of a string which identifies the citizen (name, etc.). The numbers $J$, $\beta = \alpha^k \bmod p$ and $I = \beta^{-s} \bmod p$ are the public numbers of the passport. These can be read using bar codes or may be given by the electronic passport. The country encapsulates $k$ and $s$ in a tamper-proof electronic passport (modern smart cards are not very tamper-proof). $k, s$ are the secret numbers of the passport.
Verification of a passport. To verify a passport $x = (I; J; \beta; \psi; \alpha; p)$, a verifier must first check that $\psi, \alpha$ and $p$ are as published, that $J$ is not on the black list, and that
$$\alpha^J \cdot I = \psi^{\beta} \pmod p. \qquad (4)$$
Then he must check that the secret numbers of the passport are $k, s$. For this purpose our protocol is used twice as a proof of existence (or knowledge) of a $k$ and an $s$ such that $\beta = \alpha^k \pmod p$ and $I = \beta^{-s} \pmod p$. Then $\psi^{\beta} = \alpha^{J - ks} \pmod p$ and $I = \alpha^{-ks} \pmod p$, so that from (4) we see that $k, s$ must satisfy (3).
A secure remote login scheme
In our introduction we mentioned that login was a special case of identification. The aspect of remoteness of login makes it possible for an active eavesdropper to divert the zero-knowledge proof to another verifier (remote machine). The scheme above can be extended to cover this case. To solve17 this problem the prover signs20 the name of the remote machine $J$, and keeps the resulting signature $k, s$ secret. This time, $u$ is the secret key of the prover and $\psi$ is his public key. To login he proves knowledge of $k, s$ to the remote machine.
8. CONCLUSION
Modern cryptography is being used to securely authenticate and sign messages. Many schemes rely on the difficulty of factoring or on the discrete logarithm. The use of cryptography has led to the design of more secure identification tokens. Zero-knowledge identification schemes have the advantage that the secret used to identify is guaranteed not to leak. A lot of research has concentrated on finding more efficient zero-knowledge schemes. In this paper we present new schemes for which the efficiency is far better than that of existing schemes. Although our examples have focused on schemes which are based on the discrete logarithm and on factoring, our setting is more general.
We have presented two practical identification schemes: a cryptographic passport scheme and a secure remote login scheme. These can be further enhanced by using smart cards.
Generalisations
In this paper we have assumed that $v = \lceil \log n \rceil$. We can extend all our results to the case when $|n|^a \le v \le |n|^b$, where $a, b$ are constants, $0 < a < b$.
The input for our protocol $x = (I; n)$ has only one $I$. We can easily extend all our results to the case when there are $l$ inputs $I_1, \ldots, I_l$, where $l$ is a constant. The proof is then a proof of existence (or knowledge) of secrets $s_j$ for the $I_j$, $j = 1, \ldots, l$.
Acknowledgement
The authors wish to thank an anonymous referee for helpful suggestions.
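The electronic passport numbers of Section 7 (registration of a country, making a passport with congruence (3), and the verifier's check (4)), as an added example that is not code from the paper. $p = 1019$, $\alpha = 2$, the country's $u$, the identity value $J$ and the random seed are constructed toy values; a deployment needs a $p$ large enough that the order of $\alpha$ is superpolynomial in $|p|$, as the Initiation step requires. The two zero-knowledge proofs of $k$ and $s$ that follow check (4) are not repeated here.

```python
# Added example (not from the paper): the public and secret numbers of the
# electronic passport scheme of Section 7 with constructed toy parameters.
# Congruence (3) is the ElGamal signature equation cited there as ref. 20.
from math import gcd
import random


def smallest_prime_factor(n):
    d = 2
    while d * d <= n:
        if n % d == 0:
            return d
        d += 1
    return n


def register_country(p, alpha, u):
    """Country key pair: secret u, public psi = alpha^u mod p."""
    return pow(alpha, u, p)


def make_passport(p, alpha, u, J, rng):
    """Pick k in Z_{p-1}^* whose smallest prime factor is >= v = ceil(log2 p),
    set beta = alpha^k, and solve u*beta + k*s = J (mod p-1) for s, eq. (3).
    Returns the public numbers (J, beta, I) and the secret numbers (k, s)."""
    v = p.bit_length()
    while True:
        k = rng.randrange(2, p - 1)
        if gcd(k, p - 1) == 1 and smallest_prime_factor(k) >= v:
            break
    beta = pow(alpha, k, p)
    s = (J - u * beta) * pow(k, -1, p - 1) % (p - 1)
    I = pow(beta, -s, p)                          # I = beta^(-s) mod p
    return (J, beta, I), (k, s)


def verify_passport_numbers(p, alpha, psi, public, blacklist=()):
    """Verifier's first step: black-list check and equation (4),
    alpha^J * I = psi^beta (mod p). The proofs of knowledge of k, s follow."""
    J, beta, I = public
    if J in blacklist:
        return False
    return pow(alpha, J, p) * I % p == pow(psi, beta, p)


def demo_passport(p=1019, alpha=2, u=345, J=777, seed=7):
    rng = random.Random(seed)
    psi = register_country(p, alpha, u)
    public, (k, s) = make_passport(p, alpha, u, J, rng)
    ok = verify_passport_numbers(p, alpha, psi, public)
    # A passport whose identity string was altered but which keeps the same
    # beta and I fails (4): the equation ties J to the country's secret u.
    forged = (J + 1, public[1], public[2])
    forged_ok = verify_passport_numbers(p, alpha, psi, forged)
    listed_ok = verify_passport_numbers(p, alpha, psi, public, blacklist={J})
    return ok, forged_ok, listed_ok, k, s
```

Equation (4) is what lets a verifier who trusts only the U.N.'s $p, \alpha$ and the country's published $\psi$ reject a passport whose $J$ was altered or that was not issued under that country's $u$; the selection of $k$ in `make_passport` is the same condition C3 that the proofs of knowledge of $k$ and $s$ rely on.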
REFERENCES
1. L. M. Adleman and K. S. McCurley, Open problems in number theoretic complexity. Discrete Algorithms and Complexity, Proceedings of the Japan-US Joint Seminar (Perspectives in Computing series, Vol. 15), edited by D. Johnson, T. Nishizeki, A. Nozaki and H. Wilf, pp. 263-286. Academic Press, Orlando, Florida (1986).
2. L. Babai, Trading group theory for randomness. Proceedings of the seventeenth annual ACM Symp. Theory of Computing, STOC, pp. 421-429 (1985).
3. S. Bengio, G. Brassard, Y. Desmedt, C. Goutier and J.-J. Quisquater, Secure implementations of identification systems. Accepted for publication in the Journal of Cryptology.
4. T. Beth, A Fiat-Shamir-like authentication protocol for the El-Gamal-scheme. Advances in Cryptology - Eurocrypt 88, Lecture Notes in Computer Science 330, edited by C. G. Günther, pp. 77-84. Springer-Verlag, Berlin (1988).
5. T. Beth and Y. Desmedt, Identification tokens - or: Solving the chess grandmaster problem. Presented at Crypto 90, August 12-15, 1990, Santa Barbara, California, U.S.A. To appear in: Proc. of Crypto 90, Lecture Notes in Computer Science, Springer-Verlag.
6. T. Beth and F. Schaefer, Non-Supersingular Elliptic Curves for Public Key Cryptosystems. Presented at Eurocrypt 91, April 8-11, 1991, Brighton, England. To appear in: Proc. of Eurocrypt 91, Lecture Notes in Computer Science, Springer-Verlag.
7. G. Brassard and P. Bratley, Algorithmics - Theory & Practice. Prentice Hall (1988).
8. M. V. D. Burmester, An optimal class of interactive zero-knowledge proofs. Submitted to Information Processing Letters, under revision.
9. M. V. D. Burmester, A remark on the efficiency of identification schemes. Advances in Cryptology - Eurocrypt 90, Lecture Notes in Computer Science 473, edited by I. B. Damgård, pp. 493-495. Springer-Verlag, Berlin (1991).
10. M. V. D. Burmester and Y. G. Desmedt, Remarks on the soundness of proofs. Electronics Letters, 25 (22), pp. 1509-1511 (1989).
11. D. Chaum, J.-H. Evertse and J. van de Graaf, An improved protocol for demonstrating possession of discrete logarithms and some generalizations. Advances in Cryptology - Eurocrypt 87, Lecture Notes in Computer Science 304, edited by D. Chaum and W. L. Price, pp. 127-141. Springer-Verlag, Berlin (1988).
12. D. Coppersmith, A. Odlyzko and R. Schroeppel, Discrete logarithms in GF(p). Algorithmica, pp. 1-15 (1986).
13. G. Davida and Y. Desmedt, Passports and visas versus IDs. Advances in Cryptology - Eurocrypt 88, Lecture Notes in Computer Science 330, edited by C. G. Günther, pp. 183-188. Springer-Verlag, Berlin (1988).
14. D. W. Davies and W. L. Price, Security for Computer Networks. John Wiley and Sons, New York (1984).
15. D. W. Davies and W. L. Price, Security for Computer Networks. John Wiley and Sons, New York, second edition (1989).
16. Y. Desmedt and M. Burmester, An efficient zero-knowledge scheme for the discrete logarithm based on smooth numbers. To be presented at Asiacrypt 91, November 11-14, Fujiyoshida, Yamanashi, Japan. To appear in: Proc. of Asiacrypt 91, Lecture Notes in Computer Science, Springer-Verlag.
17. Y. Desmedt, Major security problems with the "unforgeable" (Feige-)Fiat-Shamir proofs of identity and how to overcome them. Securicom 88, 6th worldwide congress on computer and communications security and protection, SEDEP Paris, France, pp. 147-159 (1988).
18. Y. Desmedt, C. Goutier and S. Bengio, Special uses and abuses of the Fiat-Shamir passport protocol. Advances in Cryptology - Crypto 87, Lecture Notes in Computer Science 293, edited by C. Pomerance, Springer-Verlag, Berlin, pp. 21-39 (1988).
19. W. Diffie and M. E. Hellman, New directions in cryptography. IEEE Trans. Inform. Theory IT-22 (6), 644-654 (1976).
20. T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inform. Theory 31, 469-472 (1985).
21. U. Feige, A. Fiat and A. Shamir, Zero knowledge proofs of identity. Journal of Cryptology, 1 (2), 77-94 (1988).
22. A. Fiat and A. Shamir, How to prove yourself: Practical solutions to identification and signature problems. Advances in Cryptology - Crypto 86, Lecture Notes in Computer Science 263, edited by A. Odlyzko, Springer-Verlag, Berlin, pp. 186-194 (1987).
23. J. Gill, Computational complexity of probabilistic Turing machines. SIAM J. Comput., 6 (4), 675-695 (1977).
24. O. Goldreich and H. Krawczyk, On the composition of zero-knowledge proof systems. Proceedings of 17th International Colloquium on Automata, Languages and Programming (ICALP), Lecture Notes in Computer Science 443, Springer-Verlag, Berlin, pp. 268-282 (1990).
25. S. Goldwasser, S. Micali and C. Rackoff, The knowledge complexity of interactive proof systems. SIAM J. Comput., 18 (1), 186-208 (1989).
26. R. Graham, D. E. Knuth and O. Patashnik, Concrete Mathematics - A foundation for computer science. Addison-Wesley, Reading, MA (1989).
27. L. Guillou, Data encipherment: Techniques, standards and applications. Proc. la Carte à Mémoire, pp. 17-23. Paris, France (1983).
28. L. C. Guillou and J.-J. Quisquater, A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. Advances in Cryptology - Eurocrypt 88, Lecture Notes in Computer Science 330, edited by C. G. Günther, pp. 123-128. Springer-Verlag, Berlin (1988).
29. Hua, Introduction to Number Theory. Springer, New York (1982).
30. T. Itoh and K. Sakurai, On the complexity of constant round zkip of possession of information. Manuscript (1990).
31. N. Jacobson, Basic Algebra I. W. H. Freeman and Company, New York (1985).
32. N. Koblitz, Elliptic curve cryptosystems. Mathematics of Computation, 48, 203-209 (1987).
33. A. Konheim, Cryptography: A Primer. John Wiley, Toronto (1981).
34. J. L. Massey and J. K. Omura, A New Multiplicative Algorithm over Finite Fields and its Applicability in Public-Key Cryptography. Presented at Eurocrypt 83, Udine, Italy.
35. P. D. Merillat, Secure stand-alone positive personnel identity verification system (ssa-ppiv). Technical Report SAND79-0070, Sandia National Laboratories (1979).
36. V. Miller, Use of elliptic curves in cryptography. Advances in Cryptology - Crypto 85, Lecture Notes in Computer Science 218, edited by Hugh C. Williams, pp. 417-426. Springer-Verlag (1986).
37. A. M. Odlyzko, Discrete logs in a finite field and their cryptographic significance. Advances in Cryptology - Eurocrypt 84, Lecture Notes in Computer Science 209, edited by T. Beth, N. Cot and I. Ingemarsson, pp. 224-314. Springer-Verlag, Berlin (1984).
38. K. Ohta and T. Okamoto, A modification of the Fiat-Shamir scheme. Advances in Cryptology - Crypto 88, Lecture Notes in Computer Science 403, edited by S. Goldwasser, pp. 232-243. Springer-Verlag (1990).
39. S. C. Pohlig and M. E. Hellman, An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Trans. Inform. Theory, IT-24 (1), 106-110 (1978).
40. C. P. Schnorr, Efficient identification and signatures for smart cards. Advances in Cryptology - Crypto 89, Lecture Notes in Computer Science 435, edited by G. Brassard, pp. 239-252. Springer-Verlag (1990).
41. G. J. Simmons, A system for verifying user identity and authorization at the point-of-sale or access. Cryptologia, 8 (1), 1-21 (1984).
42. R. Solovay and V. Strassen, A fast Monte-Carlo test for primality. SIAM Journal on Computing, 6 (1), 84-85 (1977); erratum, ibid., 7, 118 (1978).
43. M. Tompa and H. Woll, Random self-reducibility and zero-knowledge interactive proofs of possession of information. The Computer Society of IEEE, 28th Annual Symp. on Foundations of Computer Science (FOCS), pp. 472-482, IEEE Computer Society Press (1987).
Book Review
BRIAN SHACKEL and SIMON RICHARDSON (eds), Human Factors for Informatics Usability, Cambridge University Press, 1991. £35, ISBN 0-521-36570-8.
This book is the outcome of an Advanced Study Course held in December 1986. It is divided into five parts: Informatics Usability - introduction, scope and importance; System Design - orientation and approaches; Special topics in depth; Organisational aspects and design in large systems; and Design and Evaluation - some specific methods. In the preface Shackel explains the main objectives: to review the knowledge and methods available from the field of human factors to help improve the usability of informatics systems; to present recent theoretical and methodological developments in this field; to stimulate increased application of this knowledge and these methods.
In the first part Brian Shackel and Simon Richardson give a background to human factors and usability, and in the following chapters Shackel goes into more detail about usability, its design and evaluation. In chapter 3, Alphonse Chapanis reviews many studies of human factors issues in real world situations and attempts to evaluate the cost savings involved in good human factors designs.
Part 1 commences with Ken Eason and Susan Harker discussing the needs of a broad range of users and how human factors can help if they are incorporated in the design process. Tom Stewart's chapter again looks at these issues but from a consultant's perspective, and William Newman's lends yet another voice from the perspective of the system designer. Arthur Gardner describes an attempt to classify different sources of existing advice from the literature on human factors into an overall framework, and locate them within the system life cycle.
Phil Barnard starts the section on special topics with a discussion of the contribution of cognitive psychology. This is another attempt to establish a much-needed framework within which to place aspects of usability. Formal models are discussed by Jürgen Ziegler and Hans-Jörg Bullinger; they finish with a table showing where each method has been used, and conclude that no one method is universally applicable to all situations. The following chapter by Brian Gaines applies familiar human-computer interface design principles to expert systems which generate new modes of interaction between people and computers.
Part 4, with chapters by Greif, Mumford and Damodaran, emphasises organisational aspects of design. In particular Siegfried Greif discusses the dimensions which must be considered: size, centralisation versus decentralisation, the reward and feedback system, and division of labour or specialisation. Enid Mumford looks at participation in design and describes the ETHICS methodology which deals with organisational factors in design; and the human factors strategy, a holistic approach to IT from the user organisation's perspective, is elaborated in the chapter by Leela Damodaran.
The last part discusses some of the more basic interface issues. Ben Shneiderman shows the various styles of interface dialogues and Patricia Wright explains the reasons for the prevalence of poor documentation, and methods by which it can be improved. In the final chapter, Chapanis argues that lack of evaluation is why some computers, computer programs and manuals are hard to use. He gives guidelines for evaluation and cites numerous relevant examples.
Overall, the book brings together an interesting, well-written and worthwhile collection of papers, and an extensive collection of references; my only criticism is the length of time taken to achieve this status. As Shackel points out, much of the material is as timely now as it was five years ago when the papers were written. However, it is clear, especially from the screens in some chapters, that the material is somewhat dated. Indeed, much has happened on the human factors front in the last few years, as is evident from CHI and similar conferences.
This is a solid and useful book for anyone interested in interface design issues including undergraduate and postgraduate students. Although more recent material is missing, what is in this book is valuable, and inevitably something had to be omitted.
MILDRED L. G. SHAW
University of Calgary