JOURNAL OF COMPUTING, VOLUME 3, ISSUE 5, MAY 2011, ISSN 2151‐9617 
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/  
WWW.JOURNALOFCOMPUTING.ORG     102
A Modified Zero Knowledge Identification Scheme
using ECC
Kanika Garg1, Dr. R. Radhakrishan2, Vikas Chaudhary3, Ankit Panwar4
1,2,3,4
Department of MCA, Krishna Engineering College, Mohan Nagar, Ghaziabad-201007, India
Abstract
In this paper we present a Fiat-Shamir-like Zero-Knowledge
identification scheme based on the elliptic curve
Cryptography. As we know in an open network-computing
environment, a workstation cannot be trusted to identify its
users correctly to network services. Zero-knowledge (ZK)
protocols are designed to address these concerns, by allowing
a prover to demonstrate knowledge of a secret while
revealing no information to be used by the verifier to convey
the demonstration of knowledge to others. The reason that
ECC has been chosen is that it provides methodology for
obtaining higher speed implementations of authentication
protocols and encryption/decryption techniques while using
fewer bits for the keys. This means that ECC systems require
smaller chip size and less power consumption.
Key Words – Identification, Security, Zero-Knowledge,
Elliptic Curve.
I. INTRODUCTION
Communication between the computer and a remote
user is currently one of the most vulnerable aspects of a
computer system. In order to secure this, cryptographic
system must be built into the user terminal, and suitable
protocols developed to allow the computer and the user to
recognize each other upon initial contact and maintain
continued security assurance of secret messages. In
particular, zero-knowledge proofs (ZKP) can be used
whenever there is a need to prove the possession of critical
data without a real need to exchange the data itself.
Examples of such applications include: credit card
verification, digital cash system, digital watermarking, and
authentication. Most of the messaging systems used, rely
on secret sharing to provide identification. Unfortunately,
once you tell a secret it is no longer a secret. This is how
identity theft and credit card fraud happen. Authentication
and key exchange protocols have been purposed and
implemented to limit the amount of information shared in
order to provide positive identification. Several of these
techniques have some weaknesses and are particularly
susceptible to man-in-the-middle, off-line and
 
impersonation attacks [1]. Zero-knowledge proofs
techniques are powerful tools in such critical applications
for providing both security and privacy at the same time.
II. ZERO KNOWLEDGE SCHEME
A zero knowledge interactive proof system allows one
person to convince another person of some fact without
revealing the information about the proof. In particular, it
does not enable the verifier to later convince anyone else
that the prover has a proof of the theorem or even merely
that the theorem is true [2].
A zero-knowledge proof is a two-party protocol
between a prover and a verifier, which allows the prover
to convince the verifier that he knows a secret value that
satisfies a given relation (zero-knowledge property).
Zero-knowledge protocols are instances of an
interactive proof system, where prover and verifier
exchange messages (typically depending on random
events).
1. Security: An impostor can comply with the protocol
only with overwhelmingly small probability.
2. Completeness: An interactive proof is complete if the
protocol succeeds (for a honest proofer and a honest
verifier) with overwhelming probability p > 1/2.
(Typically, p ~ 1).
3. Soundness: An interactive proof is sound if there is an
algorithm M with the following properties:
i M is polynomial time.
ii If a dishonest prover can with non-negligible
probability successfully execute the protocol
with the verifier, then M can be used to extract
knowledge from this prover which with
overwhelming probability allows successful
subsequent protocol executions. (In effect, if
someone can fake the scheme, then so can
everyone observing the protocol e.g. by
computing the secret of the true prover).
4. Zero-Knowledge (ZK) Property: There exists a
simulator (an algorithm) that can simulate (upon input of
JOURNAL OF COMPUTING, VOLUME 3, ISSUE 5, MAY 2011, ISSN 2151‐9617 
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/  
WWW.JOURNALOFCOMPUTING.ORG     103
the assertion to be proven, but without interacting with the
real prover) an execution of the protocol that for an
outside observer cannot be distinguished from an
execution of the protocol with the real prover.
The concept of zero-knowledge, first introduced by
Goldwasser, Micali [4] and Rackoff is one approach to the
design of such protocols. Particularly, in Feige, Fiat, and
Shamir show an elegant method for using an interactive
Zero-Knowledge proof to prove identity in [2] a
cryptographic protocol.
Fiat-Shamir Zero-Knowledge identification scheme is
based on discrete logarithmic. In this paper, we modify
Fiat-Shamir Zero-Knowledge identification scheme using
Elliptic Curve Cryptography.
III. FIAT-SHAMIR PROTOCOL
The Fiat Shamir protocol is based on the difficulty of
calculating a square-root. The claimant proves knowledge
of a square root modulo a large modulus n. Verification
can be done in 4 steps as shown in figure 1.
Fig. 1 Fiat –Shamir User Identification Process
Fiat –Shamir User Identification Process: The Process of
user identification can be understood as.
 Key Generation Process:
i Trusted centre choose two large prime
numbers p & q.
ii Then trusted center calculate n = p*q and
publishes n as modulus.
iii Each potential claimant (prover) selects a
secret prime number s which should be
coprime to n
 
iv Each potential claimant (prover) calculates v =
s2 mod n as its public key and publish it.
 Verifying Process: The following steps are
performed to identify the authenticated user.
i The prover choose a random number r and
sends x= r2 mod n (the witness x) to the
verifier.
ii The verifier randomly selects a single bit c=
0 or c = 1, and sends c to the prover.
iii The prover computes the response y = r · sc
mod n and sends it to the verifier.
iv The verifier rejects the proof if y = 0 and
accepts if y2 = xvc mod n .
Informally, the challenge (or exam) c selects between
two answers (0 or 1): the secret r (to keep the claimant
honest) or one that can only be known from s. If a false
claimant were to know that the challenge is c = 1, then he
could provide an arbitrary number a, then sends witness
a2/v. Upon receiving c = 1, he sends y = a. Then y2 = a2/v ·
v. If the false claimant were to know that the challenge is c
= 0, then he could select an arbitrary number a and send
witness a2. This property allows us to simulate runs of the
protocol that an outside observer cannot distinguish from
real runs (where the challenges c is true random
challenges).
IV. ELLIPTIC CURVE CRYPTOGRAPHY (ECC)
Elliptic Curve Cryptography (ECC) is a public key
cryptography. In public key cryptography each user or the
device taking part in the communication generally have a
pair of keys, a public key and a private key, and a set of
operations associated with the keys to do the
cryptographic operations. Only the particular user knows
the private key whereas the public key is distributed to all
users taking part in the communication. Some public key
algorithm may require a set of predefined constants to be
known by all the devices taking part in the
communication. ‘Domain parameters’ in ECC is an
example of such constants. Public key cryptography,
unlike private key cryptography, does not require any
shared secret between the communicating parties but it is
much slower than the private key cryptography. The
mathematical operations of ECC is defined over the
elliptic curve y2 = x3 + ax + b, where 4a3 + 27b2 mod p ≠
0. Each value of the ‘a’ and ‘b’ gives a different elliptic
curve. All points (x, y) which satisfies the above equation
plus a point at infinity lies on the elliptic curve. The public
key is a point in the curve and the private key is a random
number. The public key is obtained by multiplying the
private key with the generator point G in the curve. The
generator point G, the curve parameters ‘a’ and ‘b’,
together with few more constants constitutes the domain
parameter of ECC. One main advantage of ECC is its
small key size. A 160-bit key in ECC is considered to be
as secured as 1024-bit key in RSA.
The elliptic curve addition operation differs from
general addition. Assuming that P and Q are two points on
the elliptic curve, P = (x1, y1) and Q = (x2, y2); if P = Q,
JOURNAL OF COMPUTING, VOLUME 3, ISSUE 5, MAY 2011, ISSN 2151‐9617 
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/  
WWW.JOURNALOFCOMPUTING.ORG     104 

then the elliptic curve addition operation P + Q = (x3, y3) iv) The claimant chooses a secret point s on curve
can be obtained through the following rules. and calculates v=2s mod p. Claimant keeps s as its
x3 = (λ2− x1 − x2) mod p ---[1] private key and registers v as public key with the
y3 = {λ(x1 − x3) − y1} mod p --- [2] third party.
 Verifying Process: The following steps are
performed to identify the authenticated user.
Where i) Alice the claimant, chooses a random point r (r is
y2 - y1 the point on the curve). She then calculate the
λ= for P ≠ Q value of x= (2r) mod p; is called the witness and
x2 - x1 send x to the Bob as the witness.
ii) Bob, the verifier, sends the challenge C to Alice.
3x12 + a The value of C is a prime number lies between 1 to
λ= for P=Q p-1.
2y1
The dominant operation in ECC cryptographic schemes is
point multiplication. Point multiplication is simply
calculating kP as shown in figure 2, where k is an integer
and P is a point on the elliptic curve defined in the prime
field.

Fig. 2 Point Multiplication

All reported methods for computing kP parse the scalar

k and depending on the bit value, they perform either an
ECC-ADD or a ECC-Double operation. In fact, ECC is no
longer new, and has withstood in the last years a great deal
of cryptanalysis and a long series of attacks, which makes
it appear as a mature and robust cryptosystem at present.
ECC has a number of advantages over other public-key
cryptosystems, such as RSA, which make it an attractive
alternative. In particular, for a given level of security, the
size of the cryptographic keys and operands involved in
the computation of EC cryptosystems are normally much
shorter than other cryptosystems and, as the computational
power available for cryptanalysis grows up, this difference
gets more and more noticeable. Fig. 3 Fiat –Shamir Scheme using ECC
V. MODIFIED FIAT-SHAMIR PROTOCOL
iii) Alice calculate the response y= r +c.s mod p.
Fiat-Shamir Zero-Knowledge identification scheme is
based on discrete logarithmic. We modify Fiat-Shamir Note that r is the random point selected by the
Zero-Knowledge identification scheme using Elliptic Alice in the first step, s is secret number and c is
Curve Cryptography as shown in figure 3. the challenge send by Bob and sends the
Modified Fiat –Shamir User Identification Process: response (y) to Bob.
The Process of user identification can be understood as. iv) Bob calculates x+(c v) mod n and 2y mod n. If
 Key Generation Process: these two values are congruent, then Alice knows
i) Third party choose the value of a and p for the
the value of s and she is authenticated person.(
elliptic curve Ep (a,b).
ii) The value of b is selected by claimant so the she is honest ) . If not congruent that means she is
equation satisfied the condition 4a3 + 27b2 mod p ≠ not authenticated person and verifier can reject
0. her request.
iii) The value of a and p are announced to be public
where as b remains secret to the claimant. VI. RESULT
JOURNAL OF COMPUTING, VOLUME 3, ISSUE 5, MAY 2011, ISSN 2151‐9617 
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/  
WWW.JOURNALOFCOMPUTING.ORG     105 

The security of the system is directly tied to the relative [4] S. Goldwasser, S. Micali, and C. Rackoff, "The knowledge
complexity of interactive proof systems.", Siam J. Comput., 18(1),
hardness of the underlying mathematical equation. We can pp. 186- 208, February 1989.
easily prove that 2y is the same as x+ (cv) in modulo n [5] U. Feige, A. Fiat, and A. Shamir, "Zero knowledge proofs of
arithmetic as shown below. identity.", Journal of Cryptology, 1(2), pp. 77-94, 1988.
2Y=2(r+cs) =2r+2cs= (x+cv) --- [3] [6] Chengming Qi , Beijing Union university,” A Zero-Knowledge
Proof of Digital Signature Scheme Based on the Elliptic Curve
The challenge (or exam) c selects between the value of 1 Cryptosystem” 2009 Third International Symposium on Intelligent
and p-1, the secret r (to keep the claimant honest) or one Information Technology Application.
that can only be known the value of s. If a false claimant [7] L. Guillou, and J. Quisquater, "A Paradoxical" Identity-Based
were to know that the challenge c, then he could provide Signature Scheme Resulting from Zero-Knowledge.",Proc.
CRYPTO '88.
an arbitrary number m and send witness , Since b is [8] W. Stallings. “Cryptography and network security", 3rd edition,
chosen by claimant and generate the points on the Prentice Hall, 2003.
equation of Elliptic curve Ep(a,b). No other person can [9] Behrouz A. Forouzan. ” Cryptography and network security”. TMH
guess on which equation points are generated and which
point is randomly selected by claimant. If false claimant
sends m to witness then definitely it will not match the
final verification, as only claimant knows the value of r ad
s and public key is depend on the value of s.
The absence of a sub-exponential time algorithm for the
scheme means that significantly smaller parameters can be
used in ECC than with DSA or RSA.
This will have a significant impact on a communication
system as the relative computational performance
advantage of ECC versus RSA is not indicated by the key
sizes but by the cube of the key sizes. The difference
becomes even more dramatic as the greater increase in
RSA key sizes leads to an even greater increase in
computational cost

VII. CONCLUSIONS AND FUTURE WORK

A unique feature of the new identification scheme is that
it is based on Elliptic Curve Cryptography (ECC). In [8],
they conclude that the Elliptic Curve Discrete Logarithm
Problem is significantly more difficult than Integer
Factorization Problem. For instance, it was found in that to
achieve reasonable security, RSA should employ 1024-bit
modulo, while a 160-bit modulus should be sufficient for
ECC. Also our identification scheme is faster than Fiat-
Shamir scheme [5] and Guillou-Quisquater [7], because
our Scheme depends on addition operation while those
schemes depend on exponential operation. In future few
dominant proof techniques have emerged in security
proofs. Among which are, probabilistic polynomial time
reducibility’s between problems, simulation proofs, the
hybrid method, and random self reducibility can be
introduced and comparative performance study can be
carried out.

REFERENCES
[1] Ali M. Allam, Ibrahim I., Ihab A. Ali, Abd ELrahman H. Elsawy”
Efficient Zero-knowledge Identification Scheme with Secret Key
Exchange” IEEE,2004
[2] Ali M. Allam ,Ibrahim I. Ibrahim ,Ihab A. Ali, Abdel Rahman H.
Elsawy” The Performance Of An Efficient Zero-Knowledge
Identification Scheme” IEEE,2004
[3] Sultan Almuhammadi, Nien T. Sui, and Dennis McLeod” Better
Privacy and Security in E-Commerce: Using Elliptic Curve-Based
Zero-Knowledge Proofs” IEEE,2004