HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 102
the assertion to be proven, but without interacting with the iv Each potential claimant (prover) calculates v =
real prover) an execution of the protocol that for an s2 mod n as its public key and publish it.
outside observer cannot be distinguished from an Verifying Process: The following steps are
execution of the protocol with the real prover. performed to identify the authenticated user.
The concept of zero-knowledge, first introduced by i The prover choose a random number r and
Goldwasser, Micali [4] and Rackoff is one approach to the sends x= r2 mod n (the witness x) to the
design of such protocols. Particularly, in Feige, Fiat, and verifier.
Shamir show an elegant method for using an interactive ii The verifier randomly selects a single bit c=
Zero-Knowledge proof to prove identity in [2] a 0 or c = 1, and sends c to the prover.
cryptographic protocol. iii The prover computes the response y = r · sc
Fiat-Shamir Zero-Knowledge identification scheme is mod n and sends it to the verifier.
based on discrete logarithmic. In this paper, we modify iv The verifier rejects the proof if y = 0 and
Fiat-Shamir Zero-Knowledge identification scheme using accepts if y2 = xvc mod n .
Elliptic Curve Cryptography. Informally, the challenge (or exam) c selects between
two answers (0 or 1): the secret r (to keep the claimant
III. FIAT-SHAMIR PROTOCOL honest) or one that can only be known from s. If a false
The Fiat Shamir protocol is based on the difficulty of claimant were to know that the challenge is c = 1, then he
calculating a square-root. The claimant proves knowledge could provide an arbitrary number a, then sends witness
of a square root modulo a large modulus n. Verification a2/v. Upon receiving c = 1, he sends y = a. Then y2 = a2/v ·
can be done in 4 steps as shown in figure 1. v. If the false claimant were to know that the challenge is c
= 0, then he could select an arbitrary number a and send
witness a2. This property allows us to simulate runs of the
protocol that an outside observer cannot distinguish from
real runs (where the challenges c is true random
challenges).
then the elliptic curve addition operation P + Q = (x3, y3) iv) The claimant chooses a secret point s on curve
can be obtained through the following rules. and calculates v=2s mod p. Claimant keeps s as its
x3 = (λ2− x1 − x2) mod p ---[1] private key and registers v as public key with the
y3 = {λ(x1 − x3) − y1} mod p --- [2] third party.
Verifying Process: The following steps are
performed to identify the authenticated user.
Where i) Alice the claimant, chooses a random point r (r is
y2 - y1 the point on the curve). She then calculate the
λ= for P ≠ Q value of x= (2r) mod p; is called the witness and
x2 - x1 send x to the Bob as the witness.
ii) Bob, the verifier, sends the challenge C to Alice.
3x12 + a The value of C is a prime number lies between 1 to
λ= for P=Q p-1.
2y1
The dominant operation in ECC cryptographic schemes is
point multiplication. Point multiplication is simply
calculating kP as shown in figure 2, where k is an integer
and P is a point on the elliptic curve defined in the prime
field.
The security of the system is directly tied to the relative [4] S. Goldwasser, S. Micali, and C. Rackoff, "The knowledge
complexity of interactive proof systems.", Siam J. Comput., 18(1),
hardness of the underlying mathematical equation. We can pp. 186- 208, February 1989.
easily prove that 2y is the same as x+ (cv) in modulo n [5] U. Feige, A. Fiat, and A. Shamir, "Zero knowledge proofs of
arithmetic as shown below. identity.", Journal of Cryptology, 1(2), pp. 77-94, 1988.
2Y=2(r+cs) =2r+2cs= (x+cv) --- [3] [6] Chengming Qi , Beijing Union university,” A Zero-Knowledge
Proof of Digital Signature Scheme Based on the Elliptic Curve
The challenge (or exam) c selects between the value of 1 Cryptosystem” 2009 Third International Symposium on Intelligent
and p-1, the secret r (to keep the claimant honest) or one Information Technology Application.
that can only be known the value of s. If a false claimant [7] L. Guillou, and J. Quisquater, "A Paradoxical" Identity-Based
were to know that the challenge c, then he could provide Signature Scheme Resulting from Zero-Knowledge.",Proc.
CRYPTO '88.
an arbitrary number m and send witness , Since b is [8] W. Stallings. “Cryptography and network security", 3rd edition,
chosen by claimant and generate the points on the Prentice Hall, 2003.
equation of Elliptic curve Ep(a,b). No other person can [9] Behrouz A. Forouzan. ” Cryptography and network security”. TMH
guess on which equation points are generated and which
point is randomly selected by claimant. If false claimant
sends m to witness then definitely it will not match the
final verification, as only claimant knows the value of r ad
s and public key is depend on the value of s.
The absence of a sub-exponential time algorithm for the
scheme means that significantly smaller parameters can be
used in ECC than with DSA or RSA.
This will have a significant impact on a communication
system as the relative computational performance
advantage of ECC versus RSA is not indicated by the key
sizes but by the cube of the key sizes. The difference
becomes even more dramatic as the greater increase in
RSA key sizes leads to an even greater increase in
computational cost
REFERENCES
[1] Ali M. Allam, Ibrahim I., Ihab A. Ali, Abd ELrahman H. Elsawy”
Efficient Zero-knowledge Identification Scheme with Secret Key
Exchange” IEEE,2004
[2] Ali M. Allam ,Ibrahim I. Ibrahim ,Ihab A. Ali, Abdel Rahman H.
Elsawy” The Performance Of An Efficient Zero-Knowledge
Identification Scheme” IEEE,2004
[3] Sultan Almuhammadi, Nien T. Sui, and Dennis McLeod” Better
Privacy and Security in E-Commerce: Using Elliptic Curve-Based
Zero-Knowledge Proofs” IEEE,2004