Add to collection(s) Add to saved
  1. No category
Uploaded by Sarthak Singh

Network Security Presentation - Schnorr Identification Protocol & Okamoto Protocol

advertisement 
NETWORK SECURITY
01
SCHNORR
IDENTIFICATION
PROTOCOL
Niharika Kabra (LIT2019053)
Sarthak Singh (LIT2019068)
NETWORK SECURITY
02
Table of
Contents
- What are generators?
- Discrete Logarithm Problem
- Schnorr Protocol Description
- Security of Schnorr Protocol
- Comparison with different schemes
- Types of Delays
- Code Explanation
- Okamoto Protocol - Extension of Schnorr Protocol
- Code Explanation
NETWORK SECURITY
A number 'g' is said to be a generator modulo n if every
number co-prime to n is congruent to
a power of 'g' modulo n.
03
What are
Generators?
More easily..
'g' is a generator of prime number 'p', if
g 1 mod p, g 2 mod p, g 3 mod p,....., g p-1 mod p are distinct.
For example, 2 is a generator of 5.
Generators and Cyclic Groups
A cyclic group can be generated by a generator 'g', such
that every other element of the group can be written as a
power of the generator 'g'.
NETWORK SECURITY
Taking an example:
5 is a generator of 17 which means 1
04
Discrete
Logarithm
Problem
2
16
5 mod 17, 5 mod 17,...., 5 mod 17
are all distinct and the results are uniformly distributed.
≡
x
5 mod 17
|||||||||||||||||
generator
Equally distributed
x
Computing 5 mod 17 is easy but consider the reverse:
x
≡
5 mod 17
12
Now finding this x can be difficult as it can take many values x can be 9, 25, 41, 57, 73 and so on...
This is the Discrete Logarithm Problem.
NETWORK SECURITY
Schnorr Protocol Description
Basic Idea:
05
Prover authenticates itself by proving that it knows the DLog g y of a publicly known value y, in a ZK fashion
Verifier challenges the prover by demanding a random linear combination of DLog gy
Verification Key: vk = (G, g, q, y) where G is a cyclic group of order q and generator g; y=g x
Secret Key: s = x ; x Zq
k
∈
k
I = gk
Zq
r
Zq
s = ( k + r*x ) mod q
X
Prover
-r
s
Verifier verifies by calculating: g . y ≟ I
Verifier verifies by calculating: g s. y -r ≟ I
Verifier
NETWORK SECURITY
How will the expression be correct?
g s . y-r = I
06
g
k+x.r
-x.r
.g =I
k
g . g x.r. g -x.r=I
g k= I
In the implementation, the program has to calculate two values:
value1 : g s
value2 : I. y
r
value1 will be equal to value2 by the above proof.
NETWORK SECURITY
Security of Schnorr Protocol
Security against eavesdropping:
07
k
I = gk
Zq
r
Zq
s = ( k + r*x ) mod q
X
Prover
Verifier
Consider an eavesdropper who has monitored polynomial number of executions of Schnorr's Identification
Scheme.
An eavesdropper learns nothing about the secret key x, from the transcript (I,r,s) because Distribution of I is independent of x
Distribution of r is independent of x
Distribution of s is independent of x (k is uniformly random and unknown to the adversary)
NETWORK SECURITY
Let's consoder a simultaion strategy by an eavesdropper
Randomly select r', s' ← Zq and then,
08
Set I' = g s'. y-r'
Comparing the probability distribution of real and simulated transcripts{(I,r,s)} ≈ {I',r',s')}
Question - Does the above claim imply that an eavesdropper can forge accepting
transcripts on behalf of the prover, without knowing sk?
This is not true. Because in the simulation strategy, the adversary is fixing the r value and s value to
begin with. Thus, the probability that he is able to come up with an accepting transcript is the same as
the probability of r=r'.
pr(r=r') = 1/q
Eavesdropping on honest executions is not going to help an adversary attack the
Schnorr Identification Scheme.
NETWORK SECURITY
Hence to attack Schnorr IS, an adversary has to interact with a verifier:
k
Zq
r
09
k
I=g
Zq
s = ( k + r*x ) mod q
X
Prover
Verifier
If adversary is able to interact with verifier and successfully produce an accepting transcript (I, r, s), then
with a high probability, it should be able to produce accepting transcripts of the form (I, r1, s1 ) and
(I, r 2 , s 2 ).
s 1 -r1
s2 -r 2
g .y =I=g .y
this means that adversary knows how to compute-1
DLog g y =[(s 1 - s 2 ) (r1 - r2 ) mod q]
Theorem: If Discrete Logarithm assumption holds in (G,o) then the Schnorr IS
is secure.
NETWORK SECURITY
Comparison with different schemes
10
Computational Efficiency
Off-line computations
The Schnorr scheme is designed to be very fast and efficient, both
from a computational viewpoint and the amount of information that
needs to be exchanged in the protocol. Fiat-Shamir requires between
one and two orders of magnitude fewer full modular multiplications
by the prover.
Schnorr identification has the advantage of requiring only a
single on-line modular multiplication by the claimant,
provided exponentiation may be done as a precomputation.
However,significant computation isrequired by the verifier
compared to Fiat-Shamir and GQ.
Bandwidth and memory for secrets
GQ allows the simultaneous reduction of both memory and
transmission bandwidth ;this simultaneous reduction is not
possible in Fiat-Shamir.
Security assumptions
The protocols require the assumptions that the following
underlying problems are intractable, for a composite
integer n: Fiat-Shamir – extracting square roots mod n;
GQ – extracting vth roots mod n; Schnorr identification –
computing discrete logs modulo a prime p.
NETWORK SECURITY
Types of Delays
Propagation Delay
11
Transmission Delay
The time it takes to transmit a data
packet onto the outgoing link.
The delay is determined by the size of the
packet and the capacity of the outgoing
link.
Transmission delay for will be
comparatively less in Schnorr protocol.
Time taken for one bit to reach one
end of a link to another.
Given by:
D/S
where D is the distance and S is the
speed of wave signal.
Total propagation delay for all bits will
be comparatively less in Schnorr
protocol.
Queuing delay
Time that a packet waits to be
processed in the buffer of a switch.
The delay is dependent on the arrival
rate of the incoming packets, the
transmission capacity of the outgoing
link, and the nature of the network’s​
traffic.
Schnorr Protocol Code
12
Output
13
NETWORK SECURITY
Delay Table
14
Time Complexity - O(log(k) + log(s))
NETWORK SECURITY
Okamoto Protocol - extension of Schnorr Protocol
15
Verification Key: vk = (G, g, q, g1, g2, y) where G is a cyclic group of order q and generator g; g1, g2
and logg1g2 is not known; y= g1 x1. g2 x2
Secret Key: sk= (x1, x2) ; x1, x2
k1 , k2
r
X
Prover
∈ Zq
k1
Zq
∈G
I = g1 . g2
k2
Zq
s1 = ( k1 + r*x1 ) mod q
s2 = (k2 + r*x2) mod q
Verifier
s1
Verifier verifies by g1 . g2
s
s2
≟ I. y
-r
Verifier verifies by calculating: g . y ≟ I
r
Okamoto Protocol Code
16
Output
17
NETWORK SECURITY
Delay Table
18
Time Complexity - O(log(k1)*log(k2) + log(s1)*log(s2))
NETWORK SECURITY
Verification Key
19
Difference
between Schnorr
Identification
Protocol &
Okamoto Protocol
The verification key is changed by adding two new elements g1
and g2, which are random elements from G. The random number
y is also changed.
The number of Secret Keys
Okamoto protocol has 2 secret keys which makes it more secure
as Schnorr had only 1.
Number of Responses
In Okamoto Protocol, the number of responses is also changed to
2 thus making it difficult for the eavesdropper to forge the
2
transcript and the probability decreases to 1/q .
NETWORK SECURITY
20
Thank you!
Niharika Kabra (LIT2019053)
Sarthak Singh (LIT2019068)
Related documents
Applied Algebra
Applied Algebra
MA342J: Introduction to Modular Forms Homework 5, due on March 28
MA342J: Introduction to Modular Forms Homework 5, due on March 28
MATH 3360 Exam I July 25, 1994
MATH 3360 Exam I July 25, 1994
Math 345/645 - Weekly homework 7
Math 345/645 - Weekly homework 7
MATH 433 April 24, 2015 Quiz 11: Solutions
MATH 433 April 24, 2015 Quiz 11: Solutions
CMPSYSENG 1&2 PC PRO LESSON PLAN 6TH PER WEEK OF
CMPSYSENG 1&2 PC PRO LESSON PLAN 6TH PER WEEK OF
Document10389957 10389957
Document10389957 10389957
Download
advertisement