An Identification Scheme with Tight Reduction(Information Security)
スポンサーリンク
概要
- 論文の詳細を見る
There are three well-known identification schemes: the Fiat-Shamir, GQ and Schnorr identification schemes. All of them are proven secure against the passive or active attacks under some number-theoretic assumptions. However, efficiencies of the reductions in those proofs of security are not tight, because they require "rewinding" a cheating prover. We show an identification scheme IDKEA1, which is an enhanced version of the Schnorr scheme. Although it needs the four exchanges of messages and slightly more exponentiations, the IDKEA1 is proved to be secure under the KEA1 and DLA assumptions with tight reduction. The idea underlying the IDKEA1 is to use an extractable commitment for prover's commitment. In the proof of security, the simulator can open the commitment in two different ways: one by the non-black-box extractor of the KEA1 assumption and the other through the simulated transcript. This means that we don't need to rewind a cheating prover and can prove the security without loss of the efficiency of reduction.
- 一般社団法人電子情報通信学会の論文
- 2007-09-01
著者
関連論文
- A Straight-Line Extractable Non-malleable Commitment Scheme(Information Security)
- An Efficient Adaptive-Deniable-Concurrent Non-malleable Commitment Scheme
- Identification Schemes from Key Encapsulation Mechanisms
- An Identification Scheme with Tight Reduction(Information Security)