|
Abstract:
An identification (ID) scheme enables a party holding a secret key to
identify itself to another party without revealing the secret key.
The former party is called the prover, and the latter is called the
verifier. The main notion of security for ID schemes is security
against impersonation under active attack. In such an attack, the
adversary's goal is impersonation: playing the role of the prover, but
denied the secret key, it attempts to make the verifier accept. Before
the impersonation attempt, the adversary can play the role of cheating
verifier, interacting with the prover numerous times to try to obtain
information about the secret key.
The Guillou-Quisquater (GQ) and Schnorr ID schemes are among the most
efficient and best known such schemes. However, the question of
whether they are secure against impersonation under active attack had
remained open for more than 10 years. In this talk I will discuss our
results about the security properties of these schemes. We show that
GQ is provably secure based on an assumption about the RSA function
called RSA security under one more inversion. We also provide such a
proof for the Schnorr scheme based on a corresponding
discrete-logarithm-related assumption.
|