# Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes

## Abstract

This paper presents a three-move interactive identification scheme and proves it to be as secure as the discrete logarithm problem. This provably secure scheme is almost as efficient as the Schnorr identification scheme, while the Schnorr scheme is not provably secure. This paper also presents another practical identification scheme which is proven to be as secure as the factoring problem and is almost as efficient as the Guillou-Quisquater identification scheme: the Guillou-Quisquater scheme is not provably secure. We also propose practical digital signature schemes based on these identification schemes. The signature schemes are almost as efficient as the Schnorr and Guillou-Quisquater signature schemes, while the security assumptions of our signature schemes are weaker than those of the Schnorr and Guillou-Quisquater. signature schemes. This paper also gives a theoretically generalized result: a three-move identification scheme can be constructed which is as secure as the random-self-reducible problem. Moreover, this paper proposes a variant which is proven to be as secure as the difficulty of solving both the discrete logarithm problem and the specific factoring problem simultaneously. Some other variants such as an identity-based variant and an elliptic curve variant are also proposed.

## Keywords

Identification Scheme Signature Scheme Discrete Logarithm Blind Signature Discrete Logarithm Problem## References

- [Bet]T. Beth, “Efficient Zero-Knowledge Identification Scheme for Smart Cards,” Proceedings of Eurocrypt’ 88, LNCS 330, Springer-Verlag, pp.77–86 (1988).Google Scholar
- [BGMW]E.F. Brickell, D.M. Gordon, K.S. McCurley, and D. Wilson, “Fast Exponentiation with Precomputation”, to appear in the Proceedings of Eurocrypt’ 92.Google Scholar
- [BM1]E.F. Brickell, and K.S. McCurley, “An Interactive Identification Scheme Based on Discrete Logarithms and Factoring,” Journal of Cryptology, Vol. 5, No. 1, pp.29–39 (1992).zbMATHGoogle Scholar
- [BM2]E.F. Brickell, and K.S. McCurley, “Interactive Identification and Digital Signatures,” AT&T Technical Journal, pp.73–86, November/December (1991).Google Scholar
- [BMO1]M. Bellare, S. Micali and R. Ostrovsky, “Perfect Zero-Knowledge in Constant Rounds,” Proceedings of STOC, pp.482–493 (1990).Google Scholar
- [BMO2]M. Bellare, S. Micali and R. Ostrovsky, “The (True) Complexity of Statistical Zero-Knowledge.” Proceedings of STOC, pp.494–502 (1990).Google Scholar
- [Cha]D. Chaum, “Security without Identification: Transaction Systems to Make Big Brother Obsolete,” Comm. of the ACM, 28,10, pp.1030–1044 (1985).CrossRefGoogle Scholar
- [CD]L. Chen, I. Damgård, “Security Bounds for Parallel Versions of Identification Protocols,” Manuscript (1992).Google Scholar
- [FeS1]U. Feige and A. Shamir, “Witness Indistinguishable and Witness Hiding Protocols,” Proceedings of STOC, pp.416–426 (1990).Google Scholar
- [FeS2]U. Feige and A. Shamir, “Zero Knowledge Proofs of Knowledge in Two Rounds,” Proceedings of Crypto’ 89, LNCS 435, Springer-Verlag, pp.526–544 (1990).CrossRefGoogle Scholar
- [FFS]U. Feige, A. Fiat and A. Shamir, “Zero Knowledge Proofs of Identity,” Proceedings of STOC, pp.210–217 (1987).Google Scholar
- [FiS]A. Fiat and A. Shamir, “How to Prove Yourself: Practical Solutions to Identification and Signature Problems”, Proceedings of CRYPTO’ 86, LNCS 263, Springer-Verlag, pp.186–194 (1987).Google Scholar
- [GGM]O. Goldreich, S. Goldwasser, and S. Micali, “How to Construct Random Functions,” Journal of the ACM, Vol. 33, No. 4 (1986).Google Scholar
- [GK]O. Goldreich and H. Krawczyk “On the Composition of Zero-Knowledge Proof Systems,” Proceedings of ICALP, LNCS 443, Springer-Verlag, pp.268–282 (1990).Google Scholar
- [GMRa]S. Goldwasser, S. Micali and C. Rackoff, “The Knowledge Complexity of Interactive Proofs,” SIAM J. Comput., 18,1, pp.186–208 (1989).CrossRefzbMATHMathSciNetGoogle Scholar
- [GMRi]S. Goldwasser, S. Micali and R. Rivest, “A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks,” SIAM J. Comput., 17,2, pp.281–308 (1988).CrossRefzbMATHMathSciNetGoogle Scholar
- [GQ]L.S. Guillou, and J.J. Quisquater, “A Practical Zero-Knowledge Protocol Fitted to Security Microprocessors Minimizing both Transmission and Memory,” Proceedings of Eurocrypt’ 88, LNCS 330, Springer-Verlag, pp.123–128 (1988).Google Scholar
- [HMV]G. Harper, A.J. Menezes, S.A. Vanstone, “Public-Key Cryptosystems with Very Small Key Length”, to appear in the Proceedings of Eurocrypt’ 92.Google Scholar
- [Kob1]N. Koblitz,
*A Course in Number Theory and Cryptography*, Berlin: Springer-Verlag, (1987).zbMATHGoogle Scholar - [Kob2]N. Koblitz, “CM-Curves with Good Cryptographic Properties,” Proceedings of Crypto’ 91 (1992).Google Scholar
- [Kun]D.E. Knuth,
*The Art of Computer Programming*, Vol. 2, 2nd Ed. Addison-Wesley (1981).Google Scholar - [Mil]V. Miller, “Uses of Elliptic Curves in Cryptography,” Proceedings of Crypto’ 85, LNCS 218, Springer-Verlag, pp.417–426 (1986).Google Scholar
- [Miy]A. Miyaji, “On Ordinary Elliptic Curve Cryptosystems,” to appear in the Proceedings of Asiacrypt’ 91, LNCS, Springer-Verlag.Google Scholar
- [Mon]P.L. Montgomery, “Modular Multiplication without Trial Division,” Math. of Computation, Vol. 44, pp.519–521 (1985).CrossRefzbMATHGoogle Scholar
- [MOV]A.J. Menezes, T. Okamoto, S.A. Vanstone, “Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field”, Proceedings of STOC, pp.80–89 (1991).Google Scholar
- [OhO1]K. Ohta, and T. Okamoto, “A Modification of the Fiat-Shamir Scheme,” Proceedings of Crypto’ 88, LNCS 403, Springer-Verlag, pp.232–243 (1990).Google Scholar
- [OhO2]K. Ohta, and T. Okamoto, “A Digital Multisignature Scheme Based on the Fiat-Shamir Scheme,” to appear in the Proceedings of Asiacrypt’ 91.Google Scholar
- [Oka]T. Okamoto, “A Single Public-Key Authentication Scheme for Multiple Users,”
*Systems and Computers in Japan*,*18,10*, pp.14–24 (1987), Previous version, Technical Report of IECE Japan, IN83–92 (1984).CrossRefMathSciNetGoogle Scholar - [OkO]T. Okamoto, and K. Ohta, “Divertible Zero-Knowledge Interactive Proofs and Commutative Random Self-Reducible.” Proceedings of Eurocrypt’ 89, LNCS 434, Springer-Verlag, pp.134–149 (1990).Google Scholar
- [PH]S.C. Pohlig, and M.E. Hellman, “An Improved Algorithm for Computing Logarithmsover GF (
*p*) and Its Cryptographic Significance,” IEEE Trans. Inform. Theory, 24, pp.106–110 (1978)CrossRefzbMATHMathSciNetGoogle Scholar - [RSA]R. Rivest, A. Shamir and L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”, Communications of the ACM, Vol. 21, No. 2, pp.120–126 (1978).CrossRefzbMATHMathSciNetGoogle Scholar
- [Sch]C.P. Schnorr, “Efficient Signature Generation by Smart Cards,” Journal of Cryptology, Vol. 4, No. 3, pp.161–174 (1991).CrossRefzbMATHMathSciNetGoogle Scholar
- [Sha]A. Shamir, “Identity-Based Cryptosystems and Signature Scheme,” Proceedings of Crypto’ 84, LNCS 196. Springer-Verlag, pp.47–53 (1986).Google Scholar
- [SI]K. Sakurai, and T. Itoh, “On the Discrepancy between Serial and Parallel of Zero-Knowledge Protocols,” These proceedings.Google Scholar
- [TW]M. Tompa and H. Woll, “Random Self-Reducibility and Zero Knowledge Interactive Proofs of Possession of Information,” Proceedings of FOCS, pp.472–482 (1987).Google Scholar