4

Let's say there is a public key $v$. Peggy has to prove to Victor that she has the corresponding private key $a$. Of course she doesn't want to disclose $a$ to Victor, but just to prove that she has the key.

Question: What is the benefit of "Solution 2" described below (a.k.a. Fiat-Shamir), which seems more complex and using zero knowledge proofs, when there is an easy solution (see Solution 1)?

Solution 1 (easy):

  • Victor generates a random number $r$, encrypts it with the public key $v$, and sends the encrypted message $r_E$ to Peggy
  • If Peggy has the private key $a$, she can decrypt $r_E$ into $r$, and send $r$ back to Victor and claim: "Hey Victor, here is $r$, this is the proof I can decrypt your message $r_E$, so this proves I have $a$"
  • If Peggy doesn't have the private key $a$, she cannot decrypt $r_E$, so she cannot prove anything.

I don't know the name of this simple scheme, but I think this can be done with nearly any public/private key encryption algorithm, and it seems safe.

Solution 2 (Fiat-Shamir, interactive zero knowledge proof):

  1. $a$ is the private key, $v = a^2 \pmod n$ is the public key

  2. Peggy generates a random number $r$ and sends $x=r^2 \pmod n$ to Victor

  3. Victor sends 0 or 1 (randomly) to Peggy

  4. If Peggy receives 0, she has to send $r$ to Victor (he can then check if $r^2$ is $x$ modulo $n$)

    If Peggy receives 1, she has to send $y = r \times a \pmod n$ to Victor (he can then check if $y^2 \times v^{-1}$ is $x$ modulo $n$)

  5. Repeat from step 2 at least $k$ times: the higher $k$ the smaller the probability ($2^{-k}$) of passing the test successfully without actually knowing $a$

What is the benefit of complex Solution 2 when you can just do Solution 1?

Basj

3 Answers

2

Solution 1 has some weakness when the verifier is malicious. If the prover's private key $a$ is used for decryption, Solution 1 provides the verifier with a decryption oracle, i.e., a malicious verifier can decrypt any ciphertext encrypted with the public key $v$. On the other hand, Solution 2 reveals nothing about the private key $a$ because the random number $r$ (which masks the private key $a$ when the verifier sends a bit 1) is chosen by the prover rather than the verifier.

Shan Chen
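The decryption-oracle point in the answer above, next to one round of Solution 2 from the question, as an added example that is not part of the original posts. It assumes textbook RSA for Solution 1 and constructed toy parameters; every function name is hypothetical.

```python
import secrets

# Constructed toy parameters (assumptions for illustration; far too small for real use).
P, Q = 1009, 1013
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # Peggy's private exponent (textbook RSA)

def solution1_respond(challenge_ct):
    """Peggy in Solution 1: she decrypts whatever 'challenge' Victor sends."""
    return pow(challenge_ct, D, N)

def oracle_leak(secret_msg):
    """A ciphertext someone else encrypted to Peggy, replayed as the challenge."""
    ct = pow(secret_msg, E, N)
    return solution1_respond(ct)  # Peggy's reply is the plaintext itself

def fs_commit(n):
    """Solution 2, step 2: Peggy picks the mask r herself and sends x = r^2."""
    r = secrets.randbelow(n - 2) + 2
    return r, pow(r, 2, n)

def fs_respond(a, n, r, bit):
    """Step 4: r for bit 0, y = r*a for bit 1; a is always hidden behind r."""
    return r if bit == 0 else (r * a) % n

def fs_verify(v, n, x, bit, resp):
    """Victor's check: r^2 == x, or y^2 == x*v (same as y^2 * v^-1 == x)."""
    rhs = x if bit == 0 else (x * v) % n
    return pow(resp, 2, n) == rhs

def run_fiat_shamir(a, n, k=20):
    """k honest rounds; a prover who knows a passes every one."""
    v = pow(a, 2, n)
    for _ in range(k):
        r, x = fs_commit(n)
        bit = secrets.randbelow(2)
        if not fs_verify(v, n, x, bit, fs_respond(a, n, r, bit)):
            return False
    return True

def guessing_round(v, n, r, guess, bit):
    """Prover without a commits for a guessed bit; passes only if guess == bit."""
    x = pow(r, 2, n) if guess == 0 else (pow(r, 2, n) * pow(v, -1, n)) % n
    return fs_verify(v, n, x, bit, r)

if __name__ == "__main__":
    print(oracle_leak(424242), run_fiat_shamir(123456, N))
```

`guessing_round` passes only when the guessed bit matches Victor's bit, which is where the $2^{-k}$ bound over $k$ rounds comes from.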
1

Digital signatures and authentication/identification schemes are very close concepts. A major difference is that a digital signature is a proof that can be verified by everyone who gets it. The proofs in authentication/identification schemes are generally addressed to a target verifier.

One point is that in many applications when Peggy wants to prove herself, or do a proof of identity, she can require that an adversary Eve not be able to copy their interaction and so gain some advantage from it. In the challenge-response in Solution 1, a malicious Eve can impersonate Victor, i.e., how can Peggy be sure of Victor's identity? If Eve captures an answer by cheating this way, she can pose as Peggy hereafter.

Solution 2 brought some advances: $2^{k}$ is the number of ways Victor can challenge Peggy. So, if Eve copied a previous protocol transcript, $2^{-k}$ is the probability that Victor repeats the same challenge set, making the chance of Eve impersonating Peggy harder.

Crypto Learner
0

So yes, your Solution 1 would work provided a one-way encryption scheme is used. However, this is also a zero-knowledge proof since it obeys completeness, soundness and honest verifier zero knowledge (transcript can be simulated by anyone).

What Solution 2 has going for it is that it can be made into a non-interactive proof and it also obeys special soundness. So yeah, it is more complicated but it gives better guarantees.

logi-kal
Jackoson