1. The Schnorr Identification Protocol
Student: Aurimas Aurimaitis IF-3.3
Supervisor: Prof. dr. E. Sakalauskas

2. Outline The need for electronic identification
The Schnorr Identification Protocol and its security

3. Scenarios Requiring Electronic Identification
To withdraw money from an ATM – a card plus a four-digit personal identification number (PIN);
To charge purchases over the telephone to a credit card – credit card number plus expiry date;
To charge long-distance telephone calls (using a calling card) – telephone number plus a four-digit PIN;
To do a remote login to a computer over a network – user name plus password;

4. What is an Identification Scheme?
Definition: An identification scheme is a protocol for one to prove his/her identity electronically without “giving away” his/her identifying information. Scenario: Alice wants to prove her identity electronically to Bob. If Bob could learn Alice’s identifying information, Bob could impersonate Alice.

5. The Schnorr Identification Protocol
Parties involved: A trusted authority, plus other participants.
System parameters chosen by the TA (1):
𝑝 is a large prime (i.e., 𝑝 ≥ ) such that the discrete logarithm problem in 𝒁 𝑝 is intractable.
𝑞 is a large prime divisor of 𝑝−1 (i.e., 𝑞 ≥ ).
𝛼= 𝛽 (𝑝−1) 𝑞 𝑚𝑜𝑑 𝑝 where 𝛽 is a primitive root of 𝑝.
(Note that 𝛼 𝑞 𝑚𝑜𝑑 𝑝=1 by Fermat’s Theorem.)

6. The Schnorr Identification Protocol
System parameters chosen by the TA (2):
A security parameter 𝑡 such that 𝑞> 2 𝑡 . For most practical applications, 𝑡=40 will provide adequate security. For serious security, 𝑡=100.
The TA also establishes a secure signature scheme with secret signing algorithm 𝑠𝑖𝑔 𝑇𝐴 (only known to TA) and public verification algorithm 𝑣𝑒𝑟 𝑇𝐴 , which is in the public domain.
A secure hash function ℎ is specified and published. As usual, all information is to be hashed before signed.

7. The Schnorr Identification Protocol
Public parameters:
𝑝,𝑞, 𝛼,
hash algorithm ℎ, and
the public verification algorithm 𝑣𝑒𝑟 𝑇𝐴 .

8. Schnorr Protocol: Issuing a certificate to Alice
The TA establishes Alice’s identity by means of conventional forms of identification, such as birth certificate, passport, etc. Then the TA forms string 𝐼𝐷(𝐴𝑙𝑖𝑐𝑒) which contains her identity information.
Alice secretly chooses a random exponent 𝑎, where 0≤𝑎≤𝑞−1. Alice computes 𝑣= 𝛼 −𝑎 𝑚𝑜𝑑 𝑝 and gives 𝑣 to the TA.
The TA generates a signature
𝑠= 𝑠𝑖𝑔 𝑇𝐴 (ℎ[𝐼𝐷(𝐴𝑙𝑖𝑐𝑒)| 𝑣 ),
And gives Alice the certificate
𝐶 𝐴𝑙𝑖𝑐𝑒 =(𝐼𝐷 𝐴𝑙𝑖𝑐𝑒 ,𝑣,𝑠).

9. Schnorr Protocol: Identification & Verification
Alice chooses a random number 0≤𝑘≤𝑞−1 and computes
𝛾= 𝛼 𝑘 𝑚𝑜𝑑 𝑝.
Alice sends her certificate 𝐶 𝐴𝑙𝑖𝑐𝑒 =(𝐼𝐷(𝐴𝑙𝑖𝑐𝑒,𝑣,𝑠) and 𝛾 to Bob.
Bob verifies the signature of the TA by checking that
𝑣𝑒𝑟 𝑇𝐴 𝐼𝐷 𝐴𝑙𝑖𝑐𝑒 ,𝑣,𝑠 =𝑡𝑟𝑢𝑒
Bob chooses a random number 𝑟, 1≤𝑟≤ 2 𝑡 , and gives it to Alice.
Alice computes 𝑦=𝑘+𝑎𝑟 𝑚𝑜𝑑 𝑞 and gives 𝑦 to Bob.
Bob verifies that 𝛾 ≡ 𝛼 𝑦 𝑣 𝑟 (𝑚𝑜𝑑 𝑝).

10. The Schnorr Protocol: Correctness of Verification
Proof: Note that 𝛼 𝑞 𝑚𝑜𝑑 𝑝=1. By definition there is a 𝑤 such that 𝑦= 𝑘+𝑟𝑎 −𝑤𝑞. Hence 𝛼 𝑦 ≡ 𝛼 𝑞 −𝑤 𝛼 𝑘+𝑎𝑟 𝑚𝑜𝑑 𝑝 ≡ 𝛼 𝑘+𝑎𝑟 (𝑚𝑜𝑑 𝑝) Hence 𝛼 𝑦 𝑣 𝑟 ≡ 𝛼 𝑘+𝑎𝑟 𝑣 𝑟 𝑚𝑜𝑑 𝑝 ≡ 𝛼 𝑘+𝑎𝑟 𝛼 −𝑎𝑟 𝑚𝑜𝑑 𝑝 ≡𝛼 𝑘 𝑚𝑜𝑑 𝑝 ≡ 𝛾 𝑚𝑜𝑑 𝑝

11. The Schnorr Protocol: Security Issues
The role of the security parameter 𝑡:
To prevent an imposter posing as Alice, say Eve, from guessing Bob’s challenge 𝑟, before sending certificate and 𝛾 to Bob.
Probability of success 2 −𝑡 .
Impersonation attack:
If Eve guessed 𝑟 correctly, she could choose any value for 𝑦 and compute
𝛾= 𝛼 𝑦 𝑣 𝑟 𝑚𝑜𝑑 𝑝
She would give Bob 𝛾 at the beginning of Identification & Verification process, and then she receives the challenge 𝑟, she would supply the value 𝑦 she has already chosen. The 𝛾 would be verified at the end of process

12. The Schnorr Protocol: Security Issues
1st impersonation attack by forging the certificate:
An imposter, Eve, tries to impersonate Alice by forging a certificate
𝐶 ′ 𝐴𝑙𝑖𝑐𝑒 = 𝐼𝐷 𝐴𝑙𝑖𝑐𝑒 , 𝑣 ′ , 𝑠 ′ ,, where 𝑣 ′ ≠𝑣
But 𝑠′ is a signature of (𝐼𝐷 𝐴𝑙𝑖𝑐𝑒 , 𝑣 ′ ),and this is verified by Bob in the public domain of TA. So if the signature of the TA is secure, Eve will not be able to forge signature 𝑠′ which will subsequently be verified by Bob.
Problem:
If Eve picks up 𝑎 0≤ 𝑎 ′ ≤𝑞−1, and computes
𝑣 ′ = 𝛼 −𝑎′ 𝑚𝑜𝑑 𝑝
Assume that she picks up randomly an 𝑠′ and it happens that
𝑠 ′ = 𝑠𝑖𝑔 𝑇𝐴 (ℎ[𝐼𝐷(𝐴𝑙𝑖𝑐𝑒)| 𝑣 ′ )
Then Eve is successful in forging 𝐶′(𝐴𝑙𝑖𝑐𝑒), and able to impersonate Alice.

13. The Schnorr Protocol: Security Issues
2nd impersonation attack by forging certificate:
Eve uses Alice’s correct certificate (not secret):
𝐶 𝐴𝑙𝑖𝑐𝑒 =(𝐼𝐷 𝐴𝑙𝑖𝑐𝑒 ,𝑣,𝑠)
But Eve will not be able to impersonate Alice, unless she also knows the value of 𝑎 which is needed when computing value of 𝑦
How does Eve find 𝑎 from 𝑣?
Solve the discrete logarithm problem, which is hard.
The role of 𝑎:
It functions like Alice’s PIN. But Alice is able to identify herself to bob without revealing her PIN number 𝑎 to Bob. So in this sense, it is different from a PIN

14. Security of Schnorr Protocol
Theorem:
Suppose that Eva knows a value 𝑟 for which she has probability ∈ ≥ 𝑡−1 of successfully impersonating Alice in the verification protocol. Then Eve can compute 𝑎 in polynomial time.
Meaning of the theorem:
If the discrete logarithm is intractable, then the probability of successful attack based on a value of 𝑟 is less than 𝑡−1

15. Conclusion
We have considered some security issues of the Schnorr identification scheme. But no one can rove that it is secure!
The scheme was designed to be very fast and efficient, both from computational point of view and the amount of information that needs to be exchanged in the protocol.
It is also designed to minimize the amount of computation performed by Alice (Alice’s computation will be done by a smart card, while that of Bob by a more powerful computer.)