## On the Security of a Practical Identification Scheme (1996)

Venue: J. Cryptology

Citations: 21 - 0 self

### BibTeX

@ARTICLE{Shoup96onthe,
  author = {Victor Shoup},
  title = {On the Security of a Practical Identification Scheme},
  journal = {J. Cryptology},
  year = {1996},
  volume = {12},
  pages = {344--353}
}

### Abstract

We analyze the security of an interactive identification scheme. The scheme is the obvious extension of the original square root scheme of Goldwasser, Micali and Rackoff to 2^m-th roots. This scheme is quite practical, especially in terms of storage and communication complexity. Although this scheme is certainly not new, its security was apparently not fully understood. We prove that this scheme is secure if factoring integers is hard, even against active attacks where the adversary is first allowed to pose as a verifier before attempting impersonation.

### Citations

1417 | Random oracles are practical: a paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation Context ...mes. These schemes, however, are somewhat more complicated and less efficient than the original schemes. Identification Schemes vs. Signatures We note that there are well-known techniques (see, e.g., [1]) using cryptographic hash functions for converting identification schemes into digital signature schemes, in which proofs of security are based on an "ideal" hash function model (the hash function is...

1079 | The Knowledge Complexity of Interactive Proof Systems
- Goldwasser, Micali, et al.
- 1989
Citation Context ...inst only passive attacks. In this paper, we analyze the security of an identification scheme. The scheme is the obvious extension of the original square root scheme of Goldwasser, Micali and Rackoff [5] to 2^m-th roots. This scheme is quite practical, especially in terms of storage and communication complexity. Although this scheme is certainly not new, its security was apparently not fully understo...

862 | A digital signature scheme secure against adaptive chosen-message attacks
- Goldwasser, Micali, et al.
- 1988
Citation Context ... 2 Definition of Security In this section, we formally state our definition of a secure identification scheme, which is essentially that of [3]. For conciseness and clarity, we adopt the notation of [6] for expressing the probability of various events. If S is a probability space, then [S] denotes the set of elements in this space that occur with nonzero probability. For probability spaces S_1, S_2...

618 | Efficient Signature Generation for Smart Cards
- Schnorr
Citation Context ...[11] has shown that this scheme is secure against passive attacks if factoring is hard. Other identification schemes are based on the hardness of the discrete logarithm problem. The scheme of Schnorr [16] is only known to be secure against passive attacks, provided the discrete logarithm problem in (a subgroup of) Z_p, where p is prime, is hard. Brickell and McCurley [2] give a variant of Schnorr's s...

324 | Zero knowledge proofs of identity
- Feige, Fiat, et al.
- 1987
Citation Context ...k There are several other variants of the square root scheme, but the only other one in the literature that is secure against active attacks if factoring is hard is the Feige/Fiat/Shamir (FFS) scheme [3]. The FFS scheme is actually a parameterized family of schemes, one of which is the parallel version of the square root scheme. Compared to the FFS scheme, the 2^m-th root scheme has much smaller spac...

204 | A Practical Zero-Knowledge Protocol Fitted to Security Microprocessors Minimizing both Transmission and
- Guillou, Quisquater
- 1988
Citation Context ...2^m-th root scheme much more attractive in many practical situations, such as smart card implementations. Ohta and Okamoto [13] discuss variants of the FFS scheme. The Guillou/Quisquater (GQ) scheme [8, 9] is the same as the 2^m-th root scheme, except that 2^m is replaced by an m-bit prime number. It is only known to be secure against passive attacks, provided that RSA-inversion is hard (a possibly str...

195 | On the composition of zero-knowledge proof systems
- Goldreich, Krawczyk
- 1996
Citation Context ...licable to proving the security of the 2^m-th scheme. Our proof of security does not show that the 2^m-th scheme is zero-knowledge (in the sense of [5]). Indeed, the results of Goldreich and Krawczyk [4] and Itoh and Sakurai [10], together with the result of Jakobsson, imply that there is no "black box" zero-knowledge simulator, assuming factoring is hard. Perhaps even more interestingly, this scheme...

155 | Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes
- Okamoto
- 1992
Citation Context ...re p is prime, is hard. Brickell and McCurley [2] give a variant of Schnorr's scheme, and give a security analysis against active attacks; however, the hardness assumption is quite unnatural. Okamoto [14] gives modifications of the GQ and Schnorr schemes which are proved secure, even against active attacks, under the same intractability assumptions of the corresponding original schemes. These schemes,...

109 | A "paradoxical" identity-based signature scheme resulting from zero-knowledge
- Quisquater, Guillou
- 1990
Citation Context ...2^m-th root scheme much more attractive in many practical situations, such as smart card implementations. Ohta and Okamoto [13] discuss variants of the FFS scheme. The Guillou/Quisquater (GQ) scheme [8, 9] is the same as the 2^m-th root scheme, except that 2^m is replaced by an m-bit prime number. It is only known to be secure against passive attacks, provided that RSA-inversion is hard (a possibly str...

41 | An Interactive Identification Scheme Based on Discrete Logarithms and Factoring
- Brickell, McCurley
- 1991
Citation Context ...oblem. The scheme of Schnorr [16] is only known to be secure against passive attacks, provided the discrete logarithm problem in (a subgroup of) Z_p, where p is prime, is hard. Brickell and McCurley [2] give a variant of Schnorr's scheme, and give a security analysis against active attacks; however, the hardness assumption is quite unnatural. Okamoto [14] gives modifications of the GQ and Schnorr sc...

41 | Fast signature generation with a Fiat Shamir-like scheme, EUROCRYPT '90
- Ong, Schnorr
- 1990
Citation Context ...public key is always b = 4. Guillou shows that this scheme is secure against passive attacks if factoring is hard. The same ideas have been discussed by Micali [12]. 2 The Ong and Schnorr (OS) scheme [15] is also a parameterized family of schemes, one of which is the 2^m-th root scheme. Ong and Schnorr give a security analysis against passive attacks only; moreover, the hardness assumption is somewhat...

36 | A modification of the Fiat-Shamir scheme
- Ohta, Okamoto
- 1990
Citation Context ...cheme has much smaller space and communication complexities, which makes the 2^m-th root scheme much more attractive in many practical situations, such as smart card implementations. Ohta and Okamoto [13] discuss variants of the FFS scheme. The Guillou/Quisquater (GQ) scheme [8, 9] is the same as the 2^m-th root scheme, except that 2^m is replaced by an m-bit prime number. It is only known to be secu...

6 | On the complexity of constant round zkip of possession of knowledge
- Itoh, Sakurai
- 1991
Citation Context ...curity of the 2^m-th scheme. Our proof of security does not show that the 2^m-th scheme is zero-knowledge (in the sense of [5]). Indeed, the results of Goldreich and Krawczyk [4] and Itoh and Sakurai [10], together with the result of Jakobsson, imply that there is no "black box" zero-knowledge simulator, assuming factoring is hard. Perhaps even more interestingly, this scheme is provably not a proof o...

2 | Reducing costs in identification protocols. Manuscript available at http://www-cse.ucsd.edu/users/markus
- Jakobsson
- 1992
Citation Context ...ed family of schemes, one of which is the 2^m-th root scheme. Ong and Schnorr give a security analysis against passive attacks only; moreover, the hardness assumption is somewhat contrived. Jakobsson [11] has shown that this scheme is secure against passive attacks if factoring is hard. Other identification schemes are based on the hardness of the discrete logarithm problem. The scheme of Schnorr [16]...

1 | Collision-resistance and zero-knowledge techniques
- Guillou
- 1990
Citation Context ... replaced by an m-bit prime number. It is only known to be secure against passive attacks, provided that RSA-inversion is hard (a possibly stronger assumption than the hardness of factoring). Guillou [7] analyzes a variant of the 2^m-th roots scheme where n is the product of two primes, one congruent to 3 mod 8 and the other congruent to 7 mod 8; the public key is always b = 4. Guillou shows that thi...

1 | An efficient digital signature algorithm provably secure as integer factorization
- Micali
- 1995
Citation Context ...and the other congruent to 7 mod 8; the public key is always b = 4. Guillou shows that this scheme is secure against passive attacks if factoring is hard. The same ideas have been discussed by Micali [12]. 2 The Ong and Schnorr (OS) scheme [15] is also a parameterized family of schemes, one of which is the 2^m-th root scheme. Ong and Schnorr give a security analysis against passive attacks only; moreo...