The Scientific World Journal

Volume 2015, Article ID 237514, 9 pages

http://dx.doi.org/10.1155/2015/237514

## Twin-Schnorr: A Security Upgrade for the Schnorr Identity-Based Identification Scheme

^{1}Faculty of Engineering, Multimedia University, 63000 Cyberjaya, Selangor, Malaysia

^{2}Faculty of Information Science and Technology, Multimedia University, 75450 Melaka, Malaysia

Received 30 April 2014; Revised 9 September 2014; Accepted 10 September 2014

Academic Editor: Jong-Hyuk Park

Copyright © 2015 Ji-Jian Chin et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Most identity-based identification (IBI) schemes proposed in recent literature are built using pairing operations. This decreases efficiency due to the high operation costs of pairings. Furthermore, most of these IBI schemes are proven to be secure against impersonation under active and concurrent attacks using interactive assumptions such as the one-more RSA inversion assumption or the one-more discrete logarithm assumption, translating to weaker security guarantees due to the interactive nature of these assumptions. The Schnorr-IBI scheme was first proposed through the Kurosawa-Heng transformation from the Schnorr signature. It remains one of the fastest yet most secure IBI schemes under impersonation against passive attacks due to its pairing-free design. However, when required to be secure against impersonators under active and concurrent attacks, it deteriorates greatly in terms of efficiency due to the protocol having to be repeated multiple times. In this paper, we upgrade the Schnorr-IBI scheme to be secure against impersonation under active and concurrent attacks using only the classical discrete logarithm assumption. This translates to a higher degree of security guarantee with only some minor increments in operational costs. Furthermore, because the scheme operates without pairings, it still retains its efficiency and superiority when compared to other pairing-based IBI schemes.

#### 1. Introduction

Identification schemes, first proposed by Fiat and Shamir [1], are a cryptographic primitive that allows one party, called the prover, to authenticate himself to another party, the verifier, with the verifier learning nothing other than the fact that the prover knows the prover's secret key as claimed. This primitive is a challenge-response one-way authentication mechanism that is frequently used in access control and is able to provide high security guarantees due to the zero-knowledge property of the protocol.

Traditional identification schemes, however, rely on a certificate issued by a certificate authority to explicitly certify that a user’s public key rightfully belongs to him. To mitigate the problem of cryptosystems growing large and where certificate management becomes a major and costly issue, Shamir proposed the notion of identity-based cryptography, where certificates are no longer necessary and users can implicitly certify their public keys using their own identity-string [2].

However, identity-based cryptography only began to gain interest in 2001 when Boneh and Franklin proposed the first identity-based encryption scheme [3]. Three years later in 2004, IBI schemes were then formalized independently by Bellare et al. [4] and Kurosawa and Heng [5].

##### 1.1. Related Work

Reference [4] presented a framework to construct IBI schemes from traditional public key identification schemes using a family of trapdoor sampleable relations. The authors also showed the relationship between security notions of standard identification schemes, public key signature schemes, IBI schemes, and identity-based signature schemes.

On the other hand, [5] showed that any digital signature with a zero-knowledge proof-of-knowledge protocol can be converted into an IBI scheme that is secure against impersonation under passive attacks. Reference [6], which is an extension of [5], showed several instantiations of the Kurosawa-Heng transformation, among which was the Schnorr-IBI scheme which is based on the transformation from the Schnorr digital signature scheme [7].

This passive-secure original scheme was fast and efficient and based on the weak discrete logarithm assumption similar to the signature scheme it was derived from. However, to improve the scheme to be secure against impersonation under active and concurrent attacks, a modified strong witness hiding protocol was required. This yielded an inefficient scheme where the protocol had to be repeated times, where is the size of the discrete logarithm group.

Tan et al. improved on this result in 2011, modifying the Schnorr-IBI scheme to provide active and concurrent security using only one iteration of the protocol [8]. However, since it was basing its security on the decisional Diffie-Hellman assumption, which is a stronger assumption than the discrete logarithm assumption, it thus resulted in a degradation of security guarantee.

##### 1.2. Motivations and Contributions

While pairing-based IBI schemes continue to flourish, it would be of interest to continue to improve existing pairing-free IBI schemes in terms of both efficiency and security. It is well known that pairing operations are costly compared to other operations like exponentiations, as shown by implementation results such as those by [9]. Therefore, pairing-free IBI schemes run faster than their pairing-based counterparts in general.

In this paper, we show that the Schnorr-IBI scheme is able to be proven secure against impersonation under active and concurrent attacks using only the classical discrete logarithm assumption, which is an improvement in terms of security guarantee over the results of [8] of using the decisional Diffie-Hellman assumption. This comes at a small cost to storage and operation.

Specifically, we extend the number of secret key components to two components and thus name the modified Schnorr scheme the Twin-Schnorr-IBI scheme. The increased security guarantee comes at a small price in terms of increase in user secret key size as well as a few additional exponentiation operations. However, when compared to the majority of IBI schemes that utilize bilinear pairings, it is still considered more efficient since it is pairing-free.

One of the desirable properties of identification schemes is in their fast operation sequence. Generally speaking, three-move identification schemes are one of the faster cryptographic primitives in the asymmetric cryptography setting. This can be seen via the Fiat-Shamir transform, where digital signatures are constructed from identification schemes. This fast operation, coupled with the security feature where no information can be obtained by observing the running of the identification protocol, makes the identification scheme an excellent candidate for implementation on low-power, light-processing platforms. Moreover, for pairing-free identity-based identification schemes, one is able to authenticate himself securely with minimal computing required because certificate management issues are a thing of the past, and no pairing operations means less power is required in computing the intermediate steps during the identification protocol.

With strong security guarantees, high efficiency without pairing operations, and an identity-based setting, the Twin-Schnorr-IBI scheme is a lightweight cryptographic primitive well suited to providing fast access control for entity authentication without certificates. Implementations of the scheme can be applied to smart cards, mobile devices, and online systems to authenticate entities before granting them access to available resources, such as the larger reservoirs of computing power on cloud servers that handle the subsequent, more taxing computations.

The rest of the paper is organized as follows. In Section 2, we begin with some preliminaries, including assumptions and security definitions for IBI schemes. In Section 3 we propose the Twin-Schnorr-IBI scheme. In Section 4 we provide a corresponding proof of security against impersonation under active and concurrent attacks. In Section 5 we provide a comparison of our proposed scheme against other discrete logarithm-based IBI schemes provably secure in the random oracle model. In Section 6, we provide implementation results to demonstrate the speed of the Twin-Schnorr-IBI scheme. We provide some areas of potential application for the Twin-Schnorr-IBI scheme in Section 6 and conclude in Section 7.

#### 2. Preliminaries

##### 2.1. Notations

Let be the set of individual bits and let be the set of all bit strings. Let denote the set of natural numbers, and if then is the bit string of ones. Denote by the set of bit strings of length . If is a binary string, we denote by its length and denote by the concatenation of strings and .

If is a set then by we denote the action of sampling uniformly from . If is an algorithm then denotes that outputs when run with input and random coins . By we denote the distribution of over the uniform choice of . For algorithms and , denote by an output produced as the result of an interaction between and on arbitrary inputs.

Also, define a negligible function such that, for every positive exponent , there exists an integer such that for all .

##### 2.2. Discrete Logarithm Assumption

Let be a cyclic group with prime order and let be a generator of . The discrete logarithm problem is defined as follows: given a number in group , output .

The discrete logarithm assumption states that there exists no polynomial time algorithm that is able to -solve the discrete logarithm problem with nonnegligible probability such that .

##### 2.3. Formal Definition of IBI Schemes

An IBI scheme is defined by four polynomial time algorithms SETUP, EXTRACT, PROVE, and VERIFY.

(1) SETUP takes in the security parameter and outputs the master public key and master secret key .

(2) EXTRACT takes in , , and the user identity-string to produce the user secret key .

(3) IDENTIFICATION PROTOCOL: PROVE and VERIFY interact with each other according to a three-step canonical proof-of-knowledge protocol. Each algorithm takes in and , with PROVE receiving the additional as auxiliary input.

(a) PROVE initiates and sends a commitment to VERIFY. Usually this takes the form of the prover’s identity-string mixed with some salt for the identification instance.

(b) VERIFY picks a random challenge from a set of predefined challenges to send to PROVE. These challenges are uniformly distributed within the predefined set of challenges.

(c) PROVE responds with an answer to the challenge and VERIFY chooses whether to accept or reject based on PROVE’s response that is calculated based on the identification instance’s commitment, challenge, and the user secret key and identity-string .

The definition of an IBI scheme is presented in Algorithm 1.
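The four-algorithm interface and the three-move protocol described above, instantiated as a Schnorr-style IBI in which the user secret key is a Schnorr signature on the identity-string. This is an added example, not the paper's Algorithm 1 and not its Twin-Schnorr construction; the toy group (P = 2039, Q = 1019, G = 4), the hash encoding, and the key layout (A, s) are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Constructed toy group for illustration only: P = 2Q + 1, G generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4

def H(identity, a):
    """Hash (ID, A) into Z_Q (encoding is an assumption of this example)."""
    return int.from_bytes(hashlib.sha256(f"{identity}|{a}".encode()).digest(), "big") % Q

def setup():
    x = secrets.randbelow(Q - 1) + 1      # master secret key
    return pow(G, x, P), x                # (mpk, msk)

def extract(msk, identity):
    t = secrets.randbelow(Q - 1) + 1
    a = pow(G, t, P)
    s = (t + msk * H(identity, a)) % Q    # Schnorr signature on the identity
    return a, s                           # usk: A is sent in the clear, s stays secret

class Prover:
    def __init__(self, usk):
        self.a, self.s = usk
    def commit(self):
        self.r = secrets.randbelow(Q - 1) + 1   # fresh per session, never reused
        return self.a, pow(G, self.r, P)        # move 1: (A, X = g^r)
    def respond(self, c):
        return (self.r + c * self.s) % Q        # move 3: z = r + c*s mod Q

class Verifier:
    def __init__(self, mpk, identity):
        self.mpk, self.identity = mpk, identity
    def challenge(self, commitment):
        self.a, self.x = commitment
        self.c = secrets.randbelow(Q)           # move 2: uniform challenge in Z_Q
        return self.c
    def verify(self, z):
        # Public image of s, recomputed from the claimed identity: g^s = A * mpk^H(ID, A)
        v = self.a * pow(self.mpk, H(self.identity, self.a), P) % P
        return pow(G, z, P) == self.x * pow(v, self.c, P) % P

def run(mpk, identity, usk):
    """One protocol run; True if the verifier accepts."""
    prover, verifier = Prover(usk), Verifier(mpk, identity)
    c = verifier.challenge(prover.commit())
    return verifier.verify(prover.respond(c))
```

With a 10-bit Q, a prover without the right key is still accepted with probability on the order of 1/Q per run, which is why the group order must be cryptographically large in any deployment.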