Comparison of Zero Knowledge Authentication Protocols

A Zero knowledge Authentication is a protocol which takes place between two parties called the Claimant and the Verifier. In the Zero Knowledge Authentication, anything which may increase the danger of confidentiality of the secret is not revealed by one party, which is called the claimant. The claimant simply has to prove the other part called the verifier that it knows a secret, without telling it. The interactions are designed not to give or reveal any secret. After interchanging messages, the verifier can only know that the claimant does or doesn’t have the secret. The result which is found out is simply a yes/no situation that has only single bit of information. Here the three important protocols of Zero knowledge Authentication have been implemented, which are Fiat-Shamir protocol, Fiege-Fiat Shamir protocol and Guillou- Quisquater protocol and their performances are compared

Identification Protocols in Cryptography

In this paper we examine the role of Identification Protocols in the field of Cryptography. Firstly, the rationale behind the need for Identification Protocols is discussed. Secondly, we examine, in detail, challenge-response protocols, based upon zero-knowledge proofs, that form a subset of Identification Protocols in general. Thirdly, the mathematical tools necessary for the understanding of how these protocols work is given. Finally, we discuss four main Identification Protocols: Fiat-Shamir, Feige-Fiat-Shamir, Schnorr and Guillou- Quisquater. This discussion includes the theory, practical examples and the security aspects of each protocol

Fiat-Shamir for highly sound protocols is instantiable

The Fiat–Shamir (FS) transformation (Fiat and Shamir, Crypto '86) is a popular paradigm for constructing very efficient non-interactive zero-knowledge (NIZK) arguments and signature schemes from a hash function and any three-move interactive protocol satisfying certain properties. Despite its wide-spread applicability both in theory and in practice, the known positive results for proving security of the FS paradigm are in the random oracle model only, i.e., they assume that the hash function is modeled as an external random function accessible to all parties. On the other hand, a sequence of negative results shows that for certain classes of interactive protocols, the FS transform cannot be instantiated in the standard model. We initiate the study of complementary positive results, namely, studying classes of interactive protocols where the FS transform does have standard-model instantiations. In particular, we show that for a class of “highly sound” protocols that we define, instantiating the FS transform via a q-wise independent hash function yields NIZK arguments and secure signature schemes. In the case of NIZK, we obtain a weaker “q-bounded” zero-knowledge flavor where the simulator works for all adversaries asking an a-priori bounded number of queries q; in the case of signatures, we obtain the weaker notion of random-message unforgeability against q-bounded random message attacks. Our main idea is that when the protocol is highly sound, then instead of using random-oracle programming, one can use complexity leveraging. The question is whether such highly sound protocols exist and if so, which protocols lie in this class. We answer this question in the affirmative in the common reference string (CRS) model and under strong assumptions. Namely, assuming indistinguishability obfuscation and puncturable pseudorandom functions we construct a compiler that transforms any 3-move interactive protocol with instance-independent commitments and simulators (a property satisfied by the Lapidot–Shamir protocol, Crypto '90) into a compiled protocol in the CRS model that is highly sound. We also present a second compiler, in order to be able to start from a larger class of protocols, which only requires instance-independent commitments (a property for example satisfied by the classical protocol for quadratic residuosity due to Blum, Crypto '81). For the second compiler we require dual-mode commitments. We hope that our work inspires more research on classes of (efficient) 3-move protocols where Fiat–Shamir is (efficiently) instantiable

On Adaptive Security of Delayed-Input Sigma Protocols and Fiat-Shamir NIZKs

We study adaptive security of delayed-input Sigma protocols and non-interactive zero-knowledge (NIZK) proof systems in the common reference string (CRS) model. Our contributions are threefold: - We exhibit a generic compiler taking any delayed-input Sigma protocol and returning a delayed-input Sigma protocol satisfying adaptive-input special honest-verifier zero-knowledge (SHVZK). In case the initial Sigma protocol also satisfies adaptive-input special soundness, our compiler preserves this property. - We revisit the recent paradigm by Canetti et al. (STOC 2019) for obtaining NIZK proof systems in the CRS model via the Fiat-Shamir transform applied to so-called trapdoor Sigma protocols, in the context of adaptive security. In particular, assuming correlation-intractable hash functions for all sparse relations, we prove that Fiat- Shamir NIZKs satisfy either: (i) Adaptive soundness (and non-adaptive zero-knowledge), so long as the challenge is obtained by hashing both the prover’s first round and the instance being proven; (ii) Adaptive zero-knowledge (and non-adaptive soundness), so long as the challenge is obtained by hashing only the prover’s first round, and further assuming that the initial trapdoor Sigma protocol satisfies adaptive-input SHVZK. - We exhibit a generic compiler taking any Sigma protocol and returning a trapdoor Sigma protocol. Unfortunately, this transform does not preserve the delayed-input property of the initial Sigma protocol (if any). To complement this result, we also give yet another compiler taking any delayed-input trapdoor Sigma protocol and returning a delayed-input trapdoor Sigma protocol with adaptive-input SHVZK. An attractive feature of our first two compilers is that they allow obtaining efficient delayed-input Sigma protocols with adaptive security, and efficient Fiat-Shamir NIZKs with adaptive soundness (and non-adaptive zero-knowledge) in the CRS model. Prior to our work, the latter was only possible using generic NP reductions

A Generic View on the Unified Zero-Knowledge Protocol and its Applications

We present a generalization of Maurer\u27s unified zero-knowledge (UZK) protocol, namely a unified generic zero-knowledge (UGZK) construction. We prove the security of our UGZK protocol and discuss special cases. Compared to UZK, the new protocol allows to prove knowledge of a vector of secrets instead of only one secret. We also provide the reader with a hash variant of UGZK and the corresponding security analysis. Last but not least, we extend Cogliani \emph{et al.}\u27s lightweight authentication protocol by describing a new distributed unified authentication scheme suitable for wireless sensor networks and, more generally, the Internet of Things

A Fiat-Shamir Implementation Note

In the Micali-Shamir paper improving the efficiency of the original Fiat-Shamir protocol, the authors state that (...) not all of the $v_i$\u27s will be quadratic residues mod $n$. We overcome this technical difficulty with an appropriate perturbation technique (...) This perturbation technique is made more explicit in the associated patent application: Each entity is allowed to modify the standard $v_j$ which are QNRs. A particularly simple way to achieve this is to pick a modulus $n=pq$ where $p=3 \bmod 8$ and $q=7 \bmod 8$, since then exactly one of $v_j,-v_j,2v_j,-2v_j$ is a QR mod $n$ for any $v_j$. The appropriate variant of each $v_j$ can be (...) deduced by the verifier himself during the verification of given signatures. In this short note we clarify the way in which the verifier can infer by himself the appropriate variant of each $v_j$ during verification

Authentication from matrix conjugation

We propose an authentication scheme where forgery (a.k.a. impersonation) seems infeasible without finding the prover's long-term private key. The latter would follow from solving the conjugacy search problem in the platform (noncommutative) semigroup, i.e., to recovering X from X^{-1}AX and A. The platform semigroup that we suggest here is the semigroup of nxn matrices over truncated multivariable polynomials over a ring.Comment: 6 page