You are on page 1of 4




A Modified Zero Knowledge Identification Scheme using ECC
Kanika Garg1, Dr. R. Radhakrishan2, Vikas Chaudhary3, Ankit Panwar4

Department of MCA, Krishna Engineering College, Mohan Nagar, Ghaziabad-201007, India

Abstract In this paper we present a Fiat-Shamir-like Zero-Knowledge identification scheme based on the elliptic curve Cryptography. As we know in an open network-computing environment, a workstation cannot be trusted to identify its users correctly to network services. Zero-knowledge (ZK) protocols are designed to address these concerns, by allowing a prover to demonstrate knowledge of a secret while revealing no information to be used by the verifier to convey the demonstration of knowledge to others. The reason that ECC has been chosen is that it provides methodology for obtaining higher speed implementations of authentication protocols and encryption/decryption techniques while using fewer bits for the keys. This means that ECC systems require smaller chip size and less power consumption. Key Words – Identification, Security, Zero-Knowledge, Elliptic Curve.

impersonation attacks [1]. Zero-knowledge proofs techniques are powerful tools in such critical applications for providing both security and privacy at the same time.

Communication between the computer and a remote user is currently one of the most vulnerable aspects of a computer system. In order to secure this, cryptographic system must be built into the user terminal, and suitable protocols developed to allow the computer and the user to recognize each other upon initial contact and maintain continued security assurance of secret messages. In particular, zero-knowledge proofs (ZKP) can be used whenever there is a need to prove the possession of critical data without a real need to exchange the data itself. Examples of such applications include: credit card verification, digital cash system, digital watermarking, and authentication. Most of the messaging systems used, rely on secret sharing to provide identification. Unfortunately, once you tell a secret it is no longer a secret. This is how identity theft and credit card fraud happen. Authentication and key exchange protocols have been purposed and implemented to limit the amount of information shared in order to provide positive identification. Several of these techniques have some weaknesses and are particularly susceptible to man-in-the-middle, off-line and

A zero knowledge interactive proof system allows one person to convince another person of some fact without revealing the information about the proof. In particular, it does not enable the verifier to later convince anyone else that the prover has a proof of the theorem or even merely that the theorem is true [2]. A zero-knowledge proof is a two-party protocol between a prover and a verifier, which allows the prover to convince the verifier that he knows a secret value that satisfies a given relation (zero-knowledge property). Zero-knowledge protocols are instances of an interactive proof system, where prover and verifier exchange messages (typically depending on random events). 1. Security: An impostor can comply with the protocol only with overwhelmingly small probability. 2. Completeness: An interactive proof is complete if the protocol succeeds (for a honest proofer and a honest verifier) with overwhelming probability p > 1/2. (Typically, p ~ 1). 3. Soundness: An interactive proof is sound if there is an algorithm M with the following properties: i M is polynomial time. ii If a dishonest prover can with non-negligible probability successfully execute the protocol with the verifier, then M can be used to extract knowledge from this prover which with overwhelming probability allows successful subsequent protocol executions. (In effect, if someone can fake the scheme, then so can everyone observing the protocol e.g. by computing the secret of the true prover). 4. Zero-Knowledge (ZK) Property: There exists a simulator (an algorithm) that can simulate (upon input of



the assertion to be proven, but without interacting with the real prover) an execution of the protocol that for an outside observer cannot be distinguished from an execution of the protocol with the real prover. The concept of zero-knowledge, first introduced by Goldwasser, Micali [4] and Rackoff is one approach to the design of such protocols. Particularly, in Feige, Fiat, and Shamir show an elegant method for using an interactive Zero-Knowledge proof to prove identity in [2] a cryptographic protocol. Fiat-Shamir Zero-Knowledge identification scheme is based on discrete logarithmic. In this paper, we modify Fiat-Shamir Zero-Knowledge identification scheme using Elliptic Curve Cryptography.

The Fiat Shamir protocol is based on the difficulty of calculating a square-root. The claimant proves knowledge of a square root modulo a large modulus n. Verification can be done in 4 steps as shown in figure 1.

Each potential claimant (prover) calculates v = s2 mod n as its public key and publish it.  Verifying Process: The following steps are performed to identify the authenticated user. i The prover choose a random number r and sends x= r2 mod n (the witness x) to the verifier. ii The verifier randomly selects a single bit c= 0 or c = 1, and sends c to the prover. iii The prover computes the response y = r · sc mod n and sends it to the verifier. iv The verifier rejects the proof if y = 0 and accepts if y2 = xvc mod n . Informally, the challenge (or exam) c selects between two answers (0 or 1): the secret r (to keep the claimant honest) or one that can only be known from s. If a false claimant were to know that the challenge is c = 1, then he could provide an arbitrary number a, then sends witness a2/v. Upon receiving c = 1, he sends y = a. Then y2 = a2/v · v. If the false claimant were to know that the challenge is c = 0, then he could select an arbitrary number a and send witness a2. This property allows us to simulate runs of the protocol that an outside observer cannot distinguish from real runs (where the challenges c is true random challenges).


Fig. 1 Fiat –Shamir User Identification Process Fiat –Shamir User Identification Process: The Process of user identification can be understood as.  Key Generation Process: i Trusted centre choose two large prime numbers p & q. ii Then trusted center calculate n = p*q and publishes n as modulus. iii Each potential claimant (prover) selects a secret prime number s which should be coprime to n

Elliptic Curve Cryptography (ECC) is a public key cryptography. In public key cryptography each user or the device taking part in the communication generally have a pair of keys, a public key and a private key, and a set of operations associated with the keys to do the cryptographic operations. Only the particular user knows the private key whereas the public key is distributed to all users taking part in the communication. Some public key algorithm may require a set of predefined constants to be known by all the devices taking part in the communication. ‘Domain parameters’ in ECC is an example of such constants. Public key cryptography, unlike private key cryptography, does not require any shared secret between the communicating parties but it is much slower than the private key cryptography. The mathematical operations of ECC is defined over the elliptic curve y2 = x3 + ax + b, where 4a3 + 27b2 mod p ≠ 0. Each value of the ‘a’ and ‘b’ gives a different elliptic curve. All points (x, y) which satisfies the above equation plus a point at infinity lies on the elliptic curve. The public key is a point in the curve and the private key is a random number. The public key is obtained by multiplying the private key with the generator point G in the curve. The generator point G, the curve parameters ‘a’ and ‘b’, together with few more constants constitutes the domain parameter of ECC. One main advantage of ECC is its small key size. A 160-bit key in ECC is considered to be as secured as 1024-bit key in RSA. The elliptic curve addition operation differs from general addition. Assuming that P and Q are two points on the elliptic curve, P = (x1, y1) and Q = (x2, y2); if P = Q,



then the elliptic curve addition operation P + Q = (x3, y3) can be obtained through the following rules. x3 = (λ2− x1 − x2) mod p ---[1] y3 = {λ(x1 − x3) − y1} mod p --- [2] Where λ= y2 - y1 x2 - x1 λ= 3x12 + a 2y1 The dominant operation in ECC cryptographic schemes is point multiplication. Point multiplication is simply calculating kP as shown in figure 2, where k is an integer and P is a point on the elliptic curve defined in the prime field. for P=Q for P ≠ Q

iv) The claimant chooses a secret point s on curve and calculates v=2s mod p. Claimant keeps s as its private key and registers v as public key with the third party. Verifying Process: The following steps are performed to identify the authenticated user. i) Alice the claimant, chooses a random point r (r is the point on the curve). She then calculate the value of x= (2r) mod p; is called the witness and send x to the Bob as the witness. ii) Bob, the verifier, sends the challenge C to Alice. The value of C is a prime number lies between 1 to p-1.

Fig. 2 Point Multiplication All reported methods for computing kP parse the scalar k and depending on the bit value, they perform either an ECC-ADD or a ECC-Double operation. In fact, ECC is no longer new, and has withstood in the last years a great deal of cryptanalysis and a long series of attacks, which makes it appear as a mature and robust cryptosystem at present. ECC has a number of advantages over other public-key cryptosystems, such as RSA, which make it an attractive alternative. In particular, for a given level of security, the size of the cryptographic keys and operands involved in the computation of EC cryptosystems are normally much shorter than other cryptosystems and, as the computational power available for cryptanalysis grows up, this difference gets more and more noticeable.

Fig. 3 Fiat –Shamir Scheme using ECC iii) Alice calculate the response y= r +c.s mod p. Note that r is the random point selected by the Alice in the first step, s is secret number and c is the challenge send by Bob and sends the response (y) to Bob. iv) Bob calculates x+(c v) mod n and 2y mod n. If these two values are congruent, then Alice knows the value of s and she is authenticated person.( she is honest ) . If not congruent that means she is not authenticated person and verifier can reject her request.

Fiat-Shamir Zero-Knowledge identification scheme is based on discrete logarithmic. We modify Fiat-Shamir Zero-Knowledge identification scheme using Elliptic Curve Cryptography as shown in figure 3. Modified Fiat –Shamir User Identification Process: The Process of user identification can be understood as.  Key Generation Process: i) Third party choose the value of a and p for the elliptic curve Ep (a,b). ii) The value of b is selected by claimant so the equation satisfied the condition 4a3 + 27b2 mod p ≠ 0. iii) The value of a and p are announced to be public where as b remains secret to the claimant.


105  [4] [5] [6] S. Goldwasser, S. Micali, and C. Rackoff, "The knowledge complexity of interactive proof systems.", Siam J. Comput., 18(1), pp. 186- 208, February 1989. U. Feige, A. Fiat, and A. Shamir, "Zero knowledge proofs of identity.", Journal of Cryptology, 1(2), pp. 77-94, 1988. Chengming Qi , Beijing Union university,” A Zero-Knowledge Proof of Digital Signature Scheme Based on the Elliptic Curve Cryptosystem” 2009 Third International Symposium on Intelligent Information Technology Application. L. Guillou, and J. Quisquater, "A Paradoxical" Identity-Based Signature Scheme Resulting from Zero-Knowledge.",Proc. CRYPTO '88. W. Stallings. “Cryptography and network security", 3rd edition, Prentice Hall, 2003. Behrouz A. Forouzan. ” Cryptography and network security”. TMH

The security of the system is directly tied to the relative hardness of the underlying mathematical equation. We can easily prove that 2y is the same as x+ (cv) in modulo n arithmetic as shown below. 2Y=2(r+cs) =2r+2cs= (x+cv) --- [3] The challenge (or exam) c selects between the value of 1 and p-1, the secret r (to keep the claimant honest) or one that can only be known the value of s. If a false claimant were to know that the challenge c, then he could provide an arbitrary number m and send witness , Since b is chosen by claimant and generate the points on the equation of Elliptic curve Ep(a,b). No other person can guess on which equation points are generated and which point is randomly selected by claimant. If false claimant sends m to witness then definitely it will not match the final verification, as only claimant knows the value of r ad s and public key is depend on the value of s. The absence of a sub-exponential time algorithm for the scheme means that significantly smaller parameters can be used in ECC than with DSA or RSA. This will have a significant impact on a communication system as the relative computational performance advantage of ECC versus RSA is not indicated by the key sizes but by the cube of the key sizes. The difference becomes even more dramatic as the greater increase in RSA key sizes leads to an even greater increase in computational cost

[7] [8] [9]

A unique feature of the new identification scheme is that it is based on Elliptic Curve Cryptography (ECC). In [8], they conclude that the Elliptic Curve Discrete Logarithm Problem is significantly more difficult than Integer Factorization Problem. For instance, it was found in that to achieve reasonable security, RSA should employ 1024-bit modulo, while a 160-bit modulus should be sufficient for ECC. Also our identification scheme is faster than FiatShamir scheme [5] and Guillou-Quisquater [7], because our Scheme depends on addition operation while those schemes depend on exponential operation. In future few dominant proof techniques have emerged in security proofs. Among which are, probabilistic polynomial time reducibility’s between problems, simulation proofs, the hybrid method, and random self reducibility can be introduced and comparative performance study can be carried out.
REFERENCES Ali M. Allam, Ibrahim I., Ihab A. Ali, Abd ELrahman H. Elsawy” Efficient Zero-knowledge Identification Scheme with Secret Key Exchange” IEEE,2004 [2] Ali M. Allam ,Ibrahim I. Ibrahim ,Ihab A. Ali, Abdel Rahman H. Elsawy” The Performance Of An Efficient Zero-Knowledge Identification Scheme” IEEE,2004 [3] Sultan Almuhammadi, Nien T. Sui, and Dennis McLeod” Better Privacy and Security in E-Commerce: Using Elliptic Curve-Based Zero-Knowledge Proofs” IEEE,2004 [1]