Table of Contents Author Guidelines Submit a Manuscript
The Scientific World Journal
Volume 2015, Article ID 237514, 9 pages
Research Article

Twin-Schnorr: A Security Upgrade for the Schnorr Identity-Based Identification Scheme

1Faculty of Engineering, Multimedia University, 63000 Cyberjaya, Selangor, Malaysia
2Faculty of Information Science and Technology, Multimedia University, 75450 Melaka, Malaysia

Received 30 April 2014; Revised 9 September 2014; Accepted 10 September 2014

Academic Editor: Jong-Hyuk Park

Copyright © 2015 Ji-Jian Chin et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


Most identity-based identification (IBI) schemes proposed in recent literature are built using pairing operations. This decreases efficiency due to the high operation costs of pairings. Furthermore, most of these IBI schemes are proven to be secure against impersonation under active and concurrent attacks using interactive assumptions such as the one-more RSA inversion assumption or the one-more discrete logarithm assumption, translating to weaker security guarantees due to the interactive nature of these assumptions. The Schnorr-IBI scheme was first proposed through the Kurosawa-Heng transformation from the Schnorr signature. It remains one of the fastest yet most secure IBI schemes under impersonation against passive attacks due to its pairing-free design. However, when required to be secure against impersonators under active and concurrent attacks, it deteriorates greatly in terms of efficiency due to the protocol having to be repeated multiple times. In this paper, we upgrade the Schnorr-IBI scheme to be secure against impersonation under active and concurrent attacks using only the classical discrete logarithm assumption. This translates to a higher degree of security guarantee with only some minor increments in operational costs. Furthermore, because the scheme operates without pairings, it still retains its efficiency and superiority when compared to other pairing-based IBI schemes.

1. Introduction

Identification schemes, first proposed by Fiat and Shamir [1], are a cryptographic primitive that allows one party, called the prover, to verify himself to another party, the verifier, with the verifier learning nothing else other than the fact that the prover knows the prover’s secret key as claimed. This primitive is a challenge-response one-way authentication mechanism that is frequently used in access control and is able to provide high security guarantees due to the zero-knowledge property of the protocol.

Traditional identification schemes, however, rely on a certificate issued by a certificate authority to explicitly certify that a user’s public key rightfully belongs to him. To mitigate the problem of cryptosystems growing large and where certificate management becomes a major and costly issue, Shamir proposed the notion of identity-based cryptography, where certificates are no longer necessary and users can implicitly certify their public keys using their own identity-string [2].

However, identity-based cryptography only began to gain interest in 2001 when Boneh and Franklin proposed the first identity-based encryption scheme [3]. Three years later in 2004, IBI schemes were then formalized independently by Bellare et al. [4] and Kurosawa and Heng [5].

1.1. Related Work

Reference [4] presented a framework to construct IBI schemes from traditional public key identification schemes using a family of trapdoor sampleable relations. The authors also showed the relationship between security notions of standard identification schemes, public key signature schemes, IBI schemes, and identity-based signature schemes.

On the other hand, [5] showed that any digital signature with a zero-knowledge proof-of-knowledge protocol can be converted into an IBI scheme that is secure against impersonation under passive attacks. Reference [6], which is an extension of [5], showed several instantiations of the Kurosawa-Heng transformation, among which was the Schnorr-IBI scheme which is based on the transformation from the Schnorr digital signature scheme [7].

This passive-secure original scheme was fast and efficient and based on the weak discrete logarithm assumption similar to the signature scheme it was derived from. However, to improve the scheme to be secure against impersonation under active and concurrent attacks, a modified strong witness hiding protocol was required. This yielded an inefficient scheme where the protocol had to be repeated times, where is the size of the discrete logarithm group.

Tan et al. improved on this result in 2011, modifying the Schnorr-IBI scheme to provide active and concurrent security using only one iteration of the protocol [8]. However, since it was basing its security on the decisional Diffie-Hellman assumption, which is a stronger assumption than the discrete logarithm assumption, it thus resulted in a degradation of security guarantee.

1.2. Motivations and Contributions

While pairing-based IBI schemes continue to flourish, it would be of interest to continue to improve existing pairing-free IBI schemes in terms of both efficiency and security. It is well known that pairing operations are costly compared to other operations like exponentiations, as shown by implementation results such as those by [9]. Therefore, pairing-free IBI schemes run faster than their pairing-based counterparts in general.

In this paper, we show that the Schnorr-IBI scheme is able to be proven secure against impersonation under active and concurrent attacks using only the classical discrete logarithm assumption, which is an improvement in terms of security guarantee over the results of [8] of using the decisional Diffie-Hellman assumption. This comes at a small cost to storage and operation.

Specifically, we extend the number of secret key components to two components and thus name the modified Schnorr scheme the Twin-Schnorr-IBI scheme. The increased security guarantee comes at a small price in terms of increase in user secret key size as well as a few additional exponentiation operations. However, when compared to the majority of IBI schemes that utilize bilinear pairings, it is still considered more efficient since it is pairing-free.

One of the desirable properties of identification schemes is in their fast operation sequence. Generally speaking, three-move identification schemes are one of the faster cryptographic primitives in the asymmetric cryptography setting. This can be seen via the Fiat-Shamir transform, where digital signatures are constructed from identification schemes. This fast operation, coupled with the security feature where no information can be obtained by observing the running of the identification protocol, makes the identification scheme an excellent candidate for implementation on low-power, light-processing platforms. Moreover, for pairing-free identity-based identification schemes, one is able to authenticate himself securely with minimal computing required because certificate management issues are a thing of the past, and no pairing operations means less power is required in computing the intermediate steps during the identification protocol.

With strong security guarantees, high efficiency without pairing operations, and in the identity-based setting, the Twin-Schnorr-IBI scheme fits the description of the lightweight cryptographic scheme that is an excellent cryptographic primitive that can be implemented to provide fast access control mechanisms for entity authentication without having to use certificates. Implementation instances of the scheme can be applied to smart cards, mobile devices, and online systems to facilitate entity authentication before granting these entities access to available resources such as the larger reservoirs of computing power on cloud servers to handle the subsequent more taxing computations.

The rest of the paper is organized as follows. In Section 2, we begin with some preliminaries, including assumptions and security definitions for IBI schemes. In Section 3 we propose the Twin-Schnorr-IBI scheme. In Section 4 we provide a corresponding proof of security against impersonation under active and concurrent attacks. In Section 5 we provide a comparison of our proposed scheme against other discrete logarithm-based IBI schemes provable secure in the random oracle model. In Section 6, we provide implementation results to demonstrate the speed of the Twin-Schnorr-IBI scheme. We provide some areas of potential application for the Twin-Schnorr-IBI scheme in Section 6 and conclude in Section 7.

2. Preliminaries

2.1. Notations

Let be the set of individual bits and let be the set of all bit strings. Let denote the set of natural numbers, and if then is the bit string of ones. Denote by the set of bit strings of length . If is a binary string, we denote by its length and denote by the concatenation of strings and .

If is a set then by we denote the action of sampling uniformly from . If is an algorithm then denotes that outputs when run with input and random coins . By we denote the distribution of over the uniform choice of . For algorithms and , denote by an output produced as the result of an interaction between and on arbitrary inputs.

Also, define a negligible function such that, for every positive exponent , there exists an integer such that for all .

2.2. Discrete Logarithm Assumption

Let be a cyclic group with prime order and let be a generator of . The discrete logarithm problem is defined as follows: given a number in group , output .

The discrete logarithm assumption states that there exists no polynomial time algorithm that is able to -solve the discrete logarithm problem with nonnegligible probability such that .

2.3. Formal Definition of IBI Schemes

An IBI scheme is defined by four polynomial time algorithms SETUP, EXTRACT, PROVE, and VERIFY.(1)SETUP takes in the security parameter and outputs the master public key and master secret key .(2)EXTRACT takes in , , and the user identity-string to produce the user secret key .(3)IDENTIFICATION PROTOCOL: PROVE and VERIFY interact with each other according to a three-step canonical proof-of-knowledge protocol. Each algorithm takes in and , with PROVE receiving the additional as auxiliary input.(a)PROVE initiates and sends a commitment to VERIFY. Usually this takes the form of the prover’s identity-string mixed with some salt for the identification instance.(b)VERIFY picks a random challenge from a set of predefined challenges to send to PROVE. These challenges are uniformly distributed within the predefined set of challenges.(c)PROVE responds with an answer to the challenge and VERIFY chooses whether to accept or reject based on PROVE’s response that is calculated based on the identification instance’s commitment, challenge, and the user secret key and identity-string .The definition of an IBI scheme is presented in Algorithm 1.

Algorithm 1: Definition of an IBI scheme.

2.4. Security Model for IBI Schemes

An adversary attacking an IBI scheme is defined as an impersonator. The goal of the impersonator is to successfully impersonate an honest user. Impersonators are further broken down into two categories.(i)Passive impersonator: this type of impersonator only eavesdrops on conversations between honest users and verifiers before attempting impersonation.(ii)Active and concurrent impersonators: these impersonators are able to actively participate in conversations with honest verifiers to learn as much information as they can before attempting impersonation. The difference between active and concurrent impersonators is that active impersonators are only able to interact with one verifier at a time, while the concurrent impersonator is able to run several conversations with several verifiers concurrently.

We model the security of an IBI scheme as a game played by an impersonator and a challenger as follows.(1) creates and and runs as a subroutine. passes to but keeps to itself.(2)In phase 1, can issue extract and identification queries. If is a passive impersonator, will respond with transcripts of valid conversations between honest provers and honest verifiers for an identification query. If is an active and concurrent impersonator, will play the cheating verifier to answer ’s identification queries while plays the role of the prover.(3)In phase 2, outputs an identity that it wishes to be challenged on. is able to continue issuing extract and identification queries, but once it converses with as a cheating prover and manages to convince that he is the challenge identity, he wins the game.We provide the description of the experiment in Algorithm 2.

Algorithm 2: Description of the security model for IBI schemes.

Let who runs in time with and security parameter ; the advantage of to impersonate is where can make at most extract queries. An IBI scheme is secure if is negligible for every polynomial time .

3. The Twin-Schnorr-IBI Scheme

Before the description of the scheme, we briefly note that while the key generation process of Schnorr-IBI from [5] looks similar to that of BNN-IBI from [4], the two schemes have different identification protocols and are therefore considered as two distinct IBI schemes. Similarly, one might note the similarity in the key generation process for OKDL-IBI from [4] with Twin-Schnorr-IBI, but because the two schemes have separate and distinct identification protocols, we consider them as two distinct IBI schemes.

The construction of the Twin-Schnorr-IBI scheme is as follows.(1)SETUP takes in the security parameter and generates the group of order . It picks random generators and two random integers . It sets and lastly chooses a hash function . It publishes while keeping securely stored away.(2)EXTRACT takes in , , and the user identity-string . It first picks two random integers and calculates and sets . With those values, EXTRACT then calculates and and sets .(3)IDENTIFICATION PROTOCOL: PROVE takes in , , and while VERIFY takes in and . They run the identification protocol as follows.(a)PROVE begins by picking two random integers and sets . PROVE additionally sets and sends , to VERIFY.(b)VERIFY picks a random challenge and sends it to PROVE.(c)PROVE responds by setting and and then sends , to VERIFY as its response.

VERIFY calculates and VERIFY accepts if the following equation holds:

VERIFY can calculate by itself since

Correctness of the identification protocol can be proven as such:

The detailed description of the scheme is provided in Algorithm 3.

Algorithm 3: Definition of the Twin-Schnorr-IBI scheme.

4. Security Analysis

To outline the strategy for the proof, the general strategy is to prove that a challenger to the discrete logarithm problem can use the impersonator for the Twin-Schnorr-IBI scheme to solve an instance of the discrete logarithm problem.

The challenge takes in the discrete logarithm problem instance and simulates the environment for the Twin-Schnorr-IBI for the learning phase of phase 1.

In phase 2, it then uses the impersonation attempt of the Twin-Schnorr-IBI to solve the instance of the discrete logarithm problem. However, it is well known that no probabilistic polynomial time algorithm can solve the discrete logarithm problem.

Hence we arrive at the conclusion that no such impersonator for the Twin-Schnorr-IBI exists.

Theorem 1. The Twin-Schnorr-IBI scheme is secure against impersonation under active and concurrent attacks if the discrete logarithm problem is hard in group , where

Proof. Suppose an impersonator exists. We can then show an algorithm that is able to break the discrete logarithm problem. begins by taking in the discrete logarithm instance and runs as a subroutine to calculate .
simulates the challenge environment for by first setting and . Then it runs the rest of SETUP as usual, choosing two random integers and setting , publishing while keeping to itself.
In phase 1, plays the cheating verifier in training, trying to learn what it can from . As defined in the security model, is able to issue both extract and identification queries.
Throughout the simulation, instantiates a user with credentials via the oracle and adds to the set of generated identities and their corresponding . Also define the set to be the set of all corrupted users on which has issued an extract query (and therefore corrupted). When queries for via the corrupt oracle , will generate using the original EXTRACT algorithm since has access to , removes from , and then adds to the set . Therefore, represents the maximum number of corrupt queries that can issue.
Similarly, when issues identification queries on , will create (if not yet queried before as an extract query) to participate in the identification protocol oracle as a prover and adds to the set . Without loss of generality we can assume that will not issue an identification query on a user which it has corrupted already. It is evident that can query as many identification queries as it likes as long as the number of generated does not exceed .
In phase 2, takes on the role of the cheating prover trying to convince that it knows of the challenge identity . outputs and then runs the identification protocol oracle with , but this time as a cheating verifier. If does not have generated yet prior to this, it runs to create it now.
Using the Reset Lemma [10], is able to extract 2 valid transcripts and from where . From here, extracts and . If and then aborts. The attack on the discrete logarithm problem has failed. Otherwise, if the values are different, can calculate as
A detailed description of the Simulator that solves the discrete logarithm problem using impersonator as subroutine is given in Algorithm 4.
It remains to calculate the probability of winning the game to solve the discrete logarithm problem. By the Reset Lemma, will successfully extract 2 valid conversations to derive and calculate with probability .
Let the advantage of solving the discrete logarithm problem be defined as , which comprises the events computes , defined as event , and that does not abort, defined as event . The probability that wins is given by
The probability of aborting, event , is exactly since the only event that aborts is if and .
Hence the probability of winning is

Algorithm 4: Description of the Simulator solving an instance of the discrete logarithm problem with the help of impersonator as subroutine.

5. Efficiency Analysis

In this section, we provide the efficiency cost of the Twin-Schnorr-IBI scheme in Table 1. We measure the operation costs in terms of exponentiations, multiplications in group , multiplications in , and additions in .

Table 1: Efficiency of the Twin-Schnorr-IBI Scheme without precomputation.

Next a comparison is made with other IBI schemes that are constructed based on discrete logarithms in Table 2. We take into consideration only the identification protocol operation cost, since that is the most-run algorithm in the whole scheme.

Table 2: Comparison of the identification protocol with other discrete logarithm IBI schemes.

From the comparisons above in Table 2, one can see that the closest competitor for Twin-Schnorr is the OKDL-IBI scheme since both offer almost similar efficiency cost using the classical discrete logarithm assumption. In fact, for the schemes as they are, OKDL-IBI is slightly more efficient with one less exponentiation and one less multiplication in in its identification protocol.

However, it is possible to increase the efficiency of both Twin-Schnorr-IBI and OKDL-IBI through precomputation of some of the fixed values in the identification protocol. For example, for Twin-Schnorr-IBI, can be computed beforehand and stored in the PROVE party’s device for future use since the value does not change. For OKDL-IBI, one can first precompute and store for similar reasons, resulting in less exponentiations. Results of the improved efficiency of the Twin-Schnorr-IBI and OKDL-IBI after precomputation are presented in Table 3.

Table 3: Comparison of the identification protocol of Twin-Schnorr-IBI and OKDL-IBI after precomputation.

If precomputation is done, then it is shown that the two schemes have similar operation costs. However, Twin-Schnorr requires less communication bandwidth of 1 group element in (generally 2048 bits for 128-bit security) compared to OKDL-IBI for each run of the identification protocol.

Secondly, Twin-Schnorr-IBI does not require the semistrong unforgeability property, as defined by [4], since no component of the user secret key is transmitted in the open. This is in contrast to the OKDL-IBI scheme, where one component of the user secret key is transmitted from PROVE to VERIFY during each interaction. Thus, there is security degradation with the requirement of semistrong unforgeability for the OKDL-IBI.

Therefore, with precomputation, the Twin-Schnorr-IBI is slightly superior in terms of efficiency and security compared to the OKDL-IBI.

6. Implementation Results

In this section, we run an instantiation of the Twin-Schnorr-IBI written in Java utilizing the Java Cryptography Architecture and Java Cryptography Extension libraries to showcase the actual running time results. The simulation was conducted on an i7-4702 MQ workstation with 8 GB RAM running on 64-bit Windows 8 operating system. Each algorithm of the Twin-Schnorr-IBI scheme is run for 100 times using various security-level settings and the average running time is taken. The results are displayed in Table 4.

Table 4: Average running time of Twin-Schnorr-IBI algorithms on different security levels.

7. Potential Applications of Twin-Schnorr-IBI

As mentioned in the introduction, the Twin-Schnorr-IBI scheme is ideal in terms of providing a lightweight secure-authentication mechanism to facilitate access control to further resources. One desirable area of facilitating access control would be in multimedia systems, where the Twin-Schnorr-IBI can be used to determine which user is allowed access to certain multimedia content. This is implementable on multimedia services mentioned in [11], IPTV service platforms [12], and even learning management systems [13]. Another area where secure identification is required is to determine user access to confidential data. Access to job information systems [14], credit-card payment systems [15], and ID credit scoring systems [16] would be suitable for the Twin-Schnorr-IBI to be implemented as a gateway before allowing users access to the confidential information found within the systems. The Twin-Schnorr-IBI scheme can also be used for peer-to-peer validation before allowing users into a hosted e-meeting such as ones conducted using the shared presentation board [17]. Another application for the Twin-Schnorr-IBI is to serve as an initial identification before allowing users further access to cloud-based computing resources such as cloud-based personal tutoring systems [18] and personal mobile albums and diaries [19]. As one can see, the use of the IBI scheme can be versatile for use in multiple settings, and the Twin-Schnorr is a good instantiation to serve these purposes because of its fast running time.

8. Conclusion

In this paper, we showed that, with a slight additional cost to the original Schnorr-IBI scheme, we can obtain security against active and concurrent impersonation attacks using the weak discrete logarithm assumption and thus provide a high security guarantee compared to the single key counterpart that rely on the stronger decisional Diffie-Hellman assumption. The modified scheme is efficient in that it remains pairing-free and is comparable (and slightly more secure and efficient) to the most-secure pairing-free IBI scheme in literature to date in terms of efficiency under the classical discrete logarithm assumption.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.


The authors are grateful to the Ministry of Education of the Government of Malaysia for partially funding this research under The Fundamental Research Project Scheme (no. FRGS/2/2013/ICT07/MMU/03/5).


  1. A. Fiat and A. Shamir, “How to prove yourself: practical solutions to identification and signature problems,” in Proceedings of the Advances in Cryptology (CRYPTO '86), pp. 186–194, 1986.
  2. C.-P. Schnorr, “Efficient signature generation by smart cards,” Journal of Cryptology, vol. 4, no. 3, pp. 161–174, 1991. View at Publisher · View at Google Scholar · View at Scopus
  3. D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” in Advances in Cryptology—CRYPTO 2001, vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, 2001. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus
  4. M. Bellare, C. Namprempre, and G. Neven, “Security proofs for identity-based identification and signature schemes,” in Advances in Cryptology—EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 268–286, Springer, Berlin, Germany, 2004. View at Google Scholar
  5. K. Kurosawa and S.-H. Heng, “From digital signature to ID-based identification/signature,” in Public Key Cryptography—PKC 2004, pp. 248–261, Springer, Berlin, Germany, 2004. View at Publisher · View at Google Scholar
  6. S.-H. Heng, Design and analysis of some cryptographic primitives [Ph.D. thesis], Graduate School of Science and Engineering, Tokyo Institute of Technology, 2004.
  7. A. Shamir, “Identity-based cryptosystems and signature schemes,” in Advances in Cryptology, vol. 196 of Lecture Notes in Computer Science, pp. 47–53, 1985. View at Google Scholar
  8. S.-Y. Tan, S.-H. Heng, C.-W. Raphael, and B.-M. Goi, “A variant of Schnorr identity-based identification scheme with tight reduction,” in Future Generation Information Technology, pp. 361–370, Springer, Berlin, Germany, 2011. View at Publisher · View at Google Scholar
  9. S.-Y. Tan, S.-H. Heng, and B.-M. Goi, “Java implementation for pairing-based cryptosystems,” in Proceedings of the International Conference on Computational Science and Its Applications (ICCSA '10), vol. 6019 of Lecture Notes in Computer Science, pp. 188–198, Springer, Berlin, Germany. View at Publisher · View at Google Scholar
  10. M. Bellare and A. Palacio, “Adriana palacio: GQ and Schnorr identification schemes,” in Proceedings of the 22nd Annual International Cryptology Conference, pp. 162–177, Santa Barbara, Calif, USA, 2002.
  11. H. Luo and M.-L. Shyu, “Quality of service provision in mobile multimedia—a survey,” Human-Centric Computing and Information Sciences, vol. 1, article 5, 2011. View at Google Scholar
  12. P. S. Kim, “An architecture for home-oriented IPTV service platform on residential gateway,” Journal of Information Processing Systems, vol. 9, no. 3, pp. 425–434, 2013. View at Publisher · View at Google Scholar · View at Scopus
  13. R. M. Ijtihadie, B. C. Hidayanto, A. Affandi, Y. Chisaki, and T. Usagawa, “Dynamic content synchronization between learning management systems over limited bandwidth network,” Human-Centric Computing and Information Sciences, vol. 2, no. 1, article 17, 2013. View at Publisher · View at Google Scholar
  14. D. Lee and P. Brusilovsky, “Proactive: comprehensive access to job information,” Journal of Information Processing Systems, vol. 8, no. 4, pp. 721–738, 2012. View at Publisher · View at Google Scholar · View at Scopus
  15. C.-P. Cheong, S. Fong, P. Lei, C. Chatwin, and R. Young, “Designing an efficient and secure credit card-based payment system with web services based on the ANSI X9.59-2006,” Journal of Information Processing Systems, vol. 8, no. 3, pp. 495–520, 2012. View at Publisher · View at Google Scholar · View at Scopus
  16. H.-J. Seo and Y.-C. Choy, “ID credit scoring system based on application scoring system: conceptual online ID credit for ID integrated environment,” Journal of Convergence, vol. 5, no. 1, pp. 38–42, 2014. View at Google Scholar
  17. A. J. Berena, S. Chunwijitra, H. Okada, and H. Ueno, “Shared virtual presentation board for e-meeting in higher education on the WebELS platform,” Human-Centric Computing and Information Sciences, vol. 3, no. 1, article 6, 2013. View at Publisher · View at Google Scholar
  18. M. W. Martin, T. K. Shih, and J. C. Hung, “A personal tutoring mechanism based on the cloud environment,” Journal of Convergence, vol. 4, no. 3, pp. 37–44, 2013. View at Google Scholar
  19. H. Cho and M. Choi, “Personal mobile album/diary application development,” Journal of Convergence, vol. 5, no. 1, pp. 32–37, 2014. View at Google Scholar