Ubiquitous Systems towards Green, Sustainable, and Secured Smart Environment
Twin-Schnorr: A Security Upgrade for the Schnorr Identity-Based Identification Scheme
Most identity-based identification (IBI) schemes proposed in recent literature are built using pairing operations. This decreases efficiency due to the high operation costs of pairings. Furthermore, most of these IBI schemes are proven to be secure against impersonation under active and concurrent attacks using interactive assumptions such as the one-more RSA inversion assumption or the one-more discrete logarithm assumption, translating to weaker security guarantees due to the interactive nature of these assumptions. The Schnorr-IBI scheme was first proposed through the Kurosawa-Heng transformation from the Schnorr signature. It remains one of the fastest yet most secure IBI schemes under impersonation against passive attacks due to its pairing-free design. However, when required to be secure against impersonators under active and concurrent attacks, it deteriorates greatly in terms of efficiency due to the protocol having to be repeated multiple times. In this paper, we upgrade the Schnorr-IBI scheme to be secure against impersonation under active and concurrent attacks using only the classical discrete logarithm assumption. This translates to a higher degree of security guarantee with only some minor increments in operational costs. Furthermore, because the scheme operates without pairings, it still retains its efficiency and superiority when compared to other pairing-based IBI schemes.
Identification schemes, first proposed by Fiat and Shamir , are a cryptographic primitive that allows one party, called the prover, to verify himself to another party, the verifier, with the verifier learning nothing else other than the fact that the prover knows the prover’s secret key as claimed. This primitive is a challenge-response one-way authentication mechanism that is frequently used in access control and is able to provide high security guarantees due to the zero-knowledge property of the protocol.
Traditional identification schemes, however, rely on a certificate issued by a certificate authority to explicitly certify that a user’s public key rightfully belongs to him. To mitigate the problem of cryptosystems growing large and where certificate management becomes a major and costly issue, Shamir proposed the notion of identity-based cryptography, where certificates are no longer necessary and users can implicitly certify their public keys using their own identity-string .
However, identity-based cryptography only began to gain interest in 2001 when Boneh and Franklin proposed the first identity-based encryption scheme . Three years later in 2004, IBI schemes were then formalized independently by Bellare et al.  and Kurosawa and Heng .
1.1. Related Work
Reference  presented a framework to construct IBI schemes from traditional public key identification schemes using a family of trapdoor sampleable relations. The authors also showed the relationship between security notions of standard identification schemes, public key signature schemes, IBI schemes, and identity-based signature schemes.
On the other hand,  showed that any digital signature with a zero-knowledge proof-of-knowledge protocol can be converted into an IBI scheme that is secure against impersonation under passive attacks. Reference , which is an extension of , showed several instantiations of the Kurosawa-Heng transformation, among which was the Schnorr-IBI scheme which is based on the transformation from the Schnorr digital signature scheme .
This passive-secure original scheme was fast and efficient and based on the weak discrete logarithm assumption similar to the signature scheme it was derived from. However, to improve the scheme to be secure against impersonation under active and concurrent attacks, a modified strong witness hiding protocol was required. This yielded an inefficient scheme where the protocol had to be repeated times, where is the size of the discrete logarithm group.
Tan et al. improved on this result in 2011, modifying the Schnorr-IBI scheme to provide active and concurrent security using only one iteration of the protocol . However, since it was basing its security on the decisional Diffie-Hellman assumption, which is a stronger assumption than the discrete logarithm assumption, it thus resulted in a degradation of security guarantee.
1.2. Motivations and Contributions
While pairing-based IBI schemes continue to flourish, it would be of interest to continue to improve existing pairing-free IBI schemes in terms of both efficiency and security. It is well known that pairing operations are costly compared to other operations like exponentiations, as shown by implementation results such as those by . Therefore, pairing-free IBI schemes run faster than their pairing-based counterparts in general.
In this paper, we show that the Schnorr-IBI scheme is able to be proven secure against impersonation under active and concurrent attacks using only the classical discrete logarithm assumption, which is an improvement in terms of security guarantee over the results of  of using the decisional Diffie-Hellman assumption. This comes at a small cost to storage and operation.
Specifically, we extend the number of secret key components to two components and thus name the modified Schnorr scheme the Twin-Schnorr-IBI scheme. The increased security guarantee comes at a small price in terms of increase in user secret key size as well as a few additional exponentiation operations. However, when compared to the majority of IBI schemes that utilize bilinear pairings, it is still considered more efficient since it is pairing-free.
One of the desirable properties of identification schemes is in their fast operation sequence. Generally speaking, three-move identification schemes are one of the faster cryptographic primitives in the asymmetric cryptography setting. This can be seen via the Fiat-Shamir transform, where digital signatures are constructed from identification schemes. This fast operation, coupled with the security feature where no information can be obtained by observing the running of the identification protocol, makes the identification scheme an excellent candidate for implementation on low-power, light-processing platforms. Moreover, for pairing-free identity-based identification schemes, one is able to authenticate himself securely with minimal computing required because certificate management issues are a thing of the past, and no pairing operations means less power is required in computing the intermediate steps during the identification protocol.
With strong security guarantees, high efficiency without pairing operations, and an identity-based setting, the Twin-Schnorr-IBI scheme fits the description of a lightweight cryptographic scheme: an excellent primitive for fast, certificate-free access control mechanisms for entity authentication. Implementation instances of the scheme can be applied to smart cards, mobile devices, and online systems to authenticate entities before granting them access to available resources, such as the larger reservoirs of computing power on cloud servers that handle the subsequent, more taxing computations.
The rest of the paper is organized as follows. In Section 2, we begin with some preliminaries, including assumptions and security definitions for IBI schemes. In Section 3 we propose the Twin-Schnorr-IBI scheme. In Section 4 we provide a corresponding proof of security against impersonation under active and concurrent attacks. In Section 5 we provide a comparison of our proposed scheme against other discrete logarithm-based IBI schemes provable secure in the random oracle model. In Section 6, we provide implementation results to demonstrate the speed of the Twin-Schnorr-IBI scheme. We provide some areas of potential application for the Twin-Schnorr-IBI scheme in Section 6 and conclude in Section 7.
Let be the set of individual bits and let be the set of all bit strings. Let denote the set of natural numbers, and if then is the bit string of ones. Denote by the set of bit strings of length . If is a binary string, we denote by its length and denote by the concatenation of strings and .
If is a set then by we denote the action of sampling uniformly from . If is an algorithm then denotes that outputs when run with input and random coins . By we denote the distribution of over the uniform choice of . For algorithms and , denote by an output produced as the result of an interaction between and on arbitrary inputs.
Also, define a negligible function such that, for every positive exponent , there exists an integer such that for all .
2.2. Discrete Logarithm Assumption
Let be a cyclic group with prime order and let be a generator of . The discrete logarithm problem is defined as follows: given a number in group , output .
The discrete logarithm assumption states that there exists no polynomial time algorithm that is able to -solve the discrete logarithm problem with nonnegligible probability such that .
2.3. Formal Definition of IBI Schemes
An IBI scheme is defined by four polynomial time algorithms SETUP, EXTRACT, PROVE, and VERIFY.
(1) SETUP takes in the security parameter and outputs the master public key and master secret key .
(2) EXTRACT takes in , , and the user identity-string to produce the user secret key .
(3) IDENTIFICATION PROTOCOL: PROVE and VERIFY interact with each other according to a three-step canonical proof-of-knowledge protocol. Each algorithm takes in and , with PROVE receiving the additional as auxiliary input.
(a) PROVE initiates and sends a commitment to VERIFY. Usually this takes the form of the prover’s identity-string mixed with some salt for the identification instance.
(b) VERIFY picks a random challenge from a set of predefined challenges to send to PROVE. These challenges are uniformly distributed within the predefined set of challenges.
(c) PROVE responds with an answer to the challenge and VERIFY chooses whether to accept or reject based on PROVE’s response, which is calculated from the identification instance’s commitment, the challenge, the user secret key , and the identity-string .
The definition of an IBI scheme is presented in Algorithm 1.
2.4. Security Model for IBI Schemes
An adversary attacking an IBI scheme is defined as an impersonator. The goal of the impersonator is to successfully impersonate an honest user. Impersonators are further broken down into two categories.
(i) Passive impersonator: this type of impersonator only eavesdrops on conversations between honest users and verifiers before attempting impersonation.
(ii) Active and concurrent impersonators: these impersonators are able to actively participate in conversations with honest verifiers to learn as much information as they can before attempting impersonation. The difference between active and concurrent impersonators is that active impersonators are only able to interact with one verifier at a time, while the concurrent impersonator is able to run several conversations with several verifiers concurrently.
We model the security of an IBI scheme as a game played by an impersonator and a challenger as follows.
(1) creates and and runs as a subroutine. passes to but keeps to itself.
(2) In phase 1, can issue extract and identification queries. If is a passive impersonator, will respond with transcripts of valid conversations between honest provers and honest verifiers for an identification query. If is an active and concurrent impersonator, will play the cheating verifier to answer ’s identification queries while plays the role of the prover.
(3) In phase 2, outputs an identity that it wishes to be challenged on. is able to continue issuing extract and identification queries, but once it converses with as a cheating prover and manages to convince that he is the challenge identity, he wins the game.
We provide the description of the experiment in Algorithm 2.
Let who runs in time with and security parameter ; the advantage of to impersonate is where can make at most extract queries. An IBI scheme is secure if is negligible for every polynomial time .
3. The Twin-Schnorr-IBI Scheme
Before the description of the scheme, we briefly note that while the key generation process of Schnorr-IBI from  looks similar to that of BNN-IBI from , the two schemes have different identification protocols and are therefore considered as two distinct IBI schemes. Similarly, one might note the similarity in the key generation process for OKDL-IBI from  with Twin-Schnorr-IBI, but because the two schemes have separate and distinct identification protocols, we consider them as two distinct IBI schemes.
The construction of the Twin-Schnorr-IBI scheme is as follows.
(1) SETUP takes in the security parameter and generates the group of order . It picks random generators and two random integers . It sets and lastly chooses a hash function . It publishes while keeping securely stored away.
(2) EXTRACT takes in , , and the user identity-string . It first picks two random integers and calculates and sets . With those values, EXTRACT then calculates and and sets .
(3) IDENTIFICATION PROTOCOL: PROVE takes in , , and while VERIFY takes in and . They run the identification protocol as follows.
(a) PROVE begins by picking two random integers and sets . PROVE additionally sets and sends , to VERIFY.
(b) VERIFY picks a random challenge and sends it to PROVE.
(c) PROVE responds by setting and and then sends , to VERIFY as its response.
VERIFY calculates and VERIFY accepts if the following equation holds:
VERIFY can calculate by itself since
Correctness of the identification protocol can be proven as such:
The detailed description of the scheme is provided in Algorithm 3.
4. Security Analysis
The proof strategy is to show that a challenger for the discrete logarithm problem can use an impersonator against the Twin-Schnorr-IBI scheme to solve an instance of the discrete logarithm problem.
The challenger takes in the discrete logarithm problem instance and simulates the Twin-Schnorr-IBI environment for the impersonator during the learning phase, phase 1.
In phase 2, it uses the impersonation attempt against the Twin-Schnorr-IBI scheme to solve the discrete logarithm instance. Under the discrete logarithm assumption, however, no probabilistic polynomial time algorithm can solve the discrete logarithm problem.
Hence no such impersonator for the Twin-Schnorr-IBI scheme can exist.
Theorem 1. The Twin-Schnorr-IBI scheme is secure against impersonation under active and concurrent attacks if the discrete logarithm problem is hard in group , where
Proof. Suppose an impersonator exists. We can then show an algorithm that is able to break the discrete logarithm problem. begins by taking in the discrete logarithm instance and runs as a subroutine to calculate .
simulates the challenge environment for by first setting and . Then it runs the rest of SETUP as usual, choosing two random integers and setting , publishing while keeping to itself.
In phase 1, plays the cheating verifier in training, trying to learn what it can from . As defined in the security model, is able to issue both extract and identification queries.
Throughout the simulation, instantiates a user with credentials via the oracle and adds to the set of generated identities and their corresponding . Also define the set to be the set of all corrupted users on which has issued an extract query (and therefore corrupted). When queries for via the corrupt oracle , will generate using the original EXTRACT algorithm since has access to , removes from , and then adds to the set . Therefore, represents the maximum number of corrupt queries that can issue.
Similarly, when issues identification queries on , will create (if not yet queried before as an extract query) to participate in the identification protocol oracle as a prover and adds to the set . Without loss of generality we can assume that will not issue an identification query on a user which it has corrupted already. It is evident that can query as many identification queries as it likes as long as the number of generated does not exceed .
In phase 2, takes on the role of the cheating prover trying to convince that it knows of the challenge identity . outputs and then runs the identification protocol oracle with , but this time as a cheating verifier. If does not have generated yet prior to this, it runs to create it now.
Using the Reset Lemma , is able to extract two valid transcripts and from where . From here, extracts and . If and then aborts. The attack on the discrete logarithm problem has failed. Otherwise, if the values are different, can calculate as
A detailed description of the Simulator that solves the discrete logarithm problem using impersonator as subroutine is given in Algorithm 4.
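The formulas of Section 3 and of the reduction above did not survive extraction on this page, so the following added example (not the paper's own code or Algorithms 3 and 4) reconstructs them from the textual description: two generators g1, g2, a master secret (x1, x2) with X = g1^x1 g2^x2, a user secret key (s1, s2, alpha) with g1^s1 g2^s2 = R X^alpha, a Schnorr-style three-move protocol on the pair, and the two proof steps the reduction relies on, namely extracting (s1', s2') from two transcripts that share a first message (the Reset Lemma step) and computing log_g1(g2) from two distinct representations of the same group element (the step at which the challenger solves its discrete logarithm instance or aborts). The exact equations, the choice of SHA-256 reduced mod q as H, the message layout and the toy 1019-element Schnorr group are all assumptions made for the example; the group is tiny only so that the logarithm can be brute-forced to check the reduction's answer.

```python
import hashlib
import secrets

# Constructed toy Schnorr group: P = 2*Q + 1 with both prime. It is far too
# small for real use and exists only to keep the arithmetic checkable by hand.
P = 2039
Q = 1019
G1 = pow(2, 2, P)  # squares of elements other than +-1 have prime order Q
G2 = pow(3, 2, P)

def H(ident: str, R: int) -> int:
    """Hash H: {0,1}* -> Z_Q, modelled as SHA-256 reduced mod Q (an assumption)."""
    digest = hashlib.sha256(f"{ident}|{R}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def commit(a: int, b: int) -> int:
    """Two-generator commitment g1^a * g2^b mod P."""
    return pow(G1, a, P) * pow(G2, b, P) % P

def setup():
    """SETUP: msk = (x1, x2); mpk publishes X = g1^x1 * g2^x2."""
    x1, x2 = secrets.randbelow(Q), secrets.randbelow(Q)
    return {"X": commit(x1, x2)}, (x1, x2)

def extract(mpk, msk, ident):
    """EXTRACT: usk = (s1, s2, alpha) satisfying g1^s1 * g2^s2 = R * X^alpha."""
    x1, x2 = msk
    r1, r2 = secrets.randbelow(Q), secrets.randbelow(Q)
    R = commit(r1, r2)
    alpha = H(ident, R)
    return ((r1 + alpha * x1) % Q, (r2 + alpha * x2) % Q, alpha)

def prove_commit(mpk, usk):
    """PROVE, move 1: rebuild R from usk, pick (y1, y2), send (R, Y)."""
    s1, s2, alpha = usk
    y1, y2 = secrets.randbelow(Q), secrets.randbelow(Q)
    R = commit(s1, s2) * pow(mpk["X"], Q - alpha, P) % P  # X^(-alpha); X has order Q
    return (R, commit(y1, y2)), (y1, y2)

def prove_respond(usk, state, c):
    """PROVE, move 3: z_i = y_i + c * s_i mod Q."""
    s1, s2, _ = usk
    y1, y2 = state
    return ((y1 + c * s1) % Q, (y2 + c * s2) % Q)

def verify(mpk, ident, msg1, c, msg3):
    """VERIFY: alpha = H(ID, R); accept iff g1^z1 * g2^z2 == Y * (R * X^alpha)^c."""
    R, Y = msg1
    z1, z2 = msg3
    base = R * pow(mpk["X"], H(ident, R), P) % P  # equals g1^s1 * g2^s2
    return commit(z1, z2) == Y * pow(base, c, P) % P

def run_protocol(mpk, ident, usk):
    """One honest three-move run with a random challenge; returns VERIFY's decision."""
    msg1, state = prove_commit(mpk, usk)
    c = secrets.randbelow(Q)
    return verify(mpk, ident, msg1, c, prove_respond(usk, state, c))

def extract_witness(t1, t2):
    """Reset Lemma step: two accepting transcripts sharing (R, Y) with c != c'
    yield (s1', s2') = ((z1 - z1') / (c - c'), (z2 - z2') / (c - c')) mod Q."""
    (c, (z1, z2)), (cp, (z1p, z2p)) = t1, t2
    inv = pow((c - cp) % Q, -1, Q)
    return ((z1 - z1p) * inv % Q, (z2 - z2p) * inv % Q)

def dlog_from_representations(known, extracted):
    """Reduction step: if (s1, s2) != (s1', s2') both satisfy
    g1^s1 * g2^s2 == g1^s1' * g2^s2', then log_g1(g2) = (s1 - s1') / (s2' - s2) mod Q.
    Returns None for the abort case, which occurs with probability 1/Q."""
    (s1, s2), (s1p, s2p) = known, extracted
    if s1 == s1p and s2 == s2p:
        return None
    return (s1 - s1p) * pow((s2p - s2) % Q, -1, Q) % Q

def toy_dlog(g, h):
    """Brute-force log_g(h); feasible only because the toy group has 1019 elements."""
    return next(i for i in range(Q) if pow(g, i, P) == h)

if __name__ == "__main__":
    mpk, msk = setup()
    ident = "alice@example.test"  # constructed identity string
    usk = extract(mpk, msk, ident)
    print("honest run accepted:", run_protocol(mpk, ident, usk))
    # Rewind the prover: same first message, two challenges -> its (s1, s2).
    msg1, state = prove_commit(mpk, usk)
    t1, t2 = [(c, prove_respond(usk, state, c)) for c in (17, 42)]
    print("rewound witness matches usk:", extract_witness(t1, t2) == usk[:2])
    # A second representation of the same element reveals log_g1(g2).
    a = toy_dlog(G1, G2)
    alt = ((usk[0] + 5 * a) % Q, (usk[1] - 5) % Q)
    print("reduction recovers a:", dlog_from_representations(usk[:2], alt) == a)
```

Rewinding an honest prover returns exactly the (s1, s2) it holds, which is the abort case of the reduction; the challenger only wins when the impersonator's extracted representation differs from the one the challenger issued, and the alternative representation built in the demo (shifted along the known logarithm) shows how two distinct representations of one element give that logarithm directly.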
It remains to calculate the probability of winning the game to solve the discrete logarithm problem. By the Reset Lemma, will successfully extract two valid conversations to derive and calculate with probability .
Let the advantage of solving the discrete logarithm problem be defined as , which comprises the events computes , defined as event , and that does not abort, defined as event . The probability that wins is given by
The probability of aborting, event , is exactly since the only event that aborts is if and .
Hence the probability of winning is