# A “Paradoxical” Identity-Based Signature Scheme Resulting from Zero-Knowledge

## Abstract

At EUROCRYPT’88, we introduced an interactive zero-knowledge protocol (Guillou and Quisquater [13]) fitted to the authentication of tamper-resistant devices (e.g. smart cards, Guillou and Ugon [14]).

Each security device stores its secret *authentication* number, an RSA-like signature computed by an authority from the device identity. Any transaction between a tamper-resistant security device and a verifier is limited to a unique interaction: the device sends its *identity* and a random *test* number; then the verifier tells a random large *question*; and finally the device answers by a witness number. The transaction is successful when the test number is reconstructed from the witness number, the question and the identity according to numbers published by the authority and rules of redundancy possibly standardized.

This protocol allows a cooperation between users in such a way that a group of cooperative users looks like a new entity whose shadowed identity is the product of the individual shadowed identities, while each member reveals nothing about its secret.

In another scenario, the secret is partitioned between distinct devices sharing the same identity. A group of cooperative users looks like a unique user having a larger public exponent which is the greater common multiple of each individual exponent.

In this paper, additional features are introduced in order to provide: firstly, a mutual interactive authentication of both communicating entities and of previously exchanged messages, and, secondly, a digital signature of messages, with a non-interactive zero-knowledge protocol. The problem of multiple signatures is solved here in a very elegant way, thanks to the possibilities of cooperation between users.

The only secret key consists of the factors of the composite number chosen by the authority, which delivers one authentication number to each smart card. This key is not known by the user. At the user level, such a scheme may be considered as a keyless identity-based integrity scheme. This integrity has a new and important property: it cannot be misused, i.e. derived into a confidentiality scheme.
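The transaction described above (identity and test number, then question, then witness, with the verifier reconstructing the test number), the cooperation of several devices into one entity with the product of their shadowed identities, and the non-interactive signature variant are illustrated below in an added Python example that is not part of the paper. Everything about it is an assumption: the toy modulus, the public exponent `V`, the SHA-256 derivation of the shadowed identity in place of the paper's redundancy rules, and the use of a hash of message and test number as the signature's question. Parameters are deliberately small so the arithmetic can be followed by hand; they offer no security.

```python
import hashlib
import secrets
from math import gcd

# CONSTRUCTED toy authority parameters (real deployments use large primes).
P, Q = 10007, 10009            # only the authority knows these
N = P * Q                      # published composite modulus
PHI = (P - 1) * (Q - 1)
V = 65537                      # published public exponent, coprime to PHI
assert gcd(V, PHI) == 1


def shadowed_identity(identity: bytes) -> int:
    """Public shadowed identity J derived from the identity string.
    Hypothetical replacement for the paper's redundancy rules: hash, then
    retry with a counter until the value is invertible modulo N."""
    counter = 0
    while True:
        h = hashlib.sha256(identity + counter.to_bytes(4, "big")).digest()
        j = int.from_bytes(h, "big") % N
        if j > 1 and gcd(j, N) == 1:
            return j
        counter += 1


def authority_issue(identity: bytes):
    """Authority computes the secret authentication number B with
    B^V * J == 1 (mod N); this needs the factorization of N."""
    j = shadowed_identity(identity)
    d = pow(V, -1, PHI)                 # V-th root exponent
    b = pow(pow(j, -1, N), d, N)
    assert (pow(b, V, N) * j) % N == 1
    return j, b


# ---- interactive identification: one round of the transaction ----
def prover_commit():
    """Device picks a random r and sends the test number T = r^V mod N."""
    r = secrets.randbelow(N - 2) + 2
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return r, pow(r, V, N)


def verifier_question() -> int:
    """Verifier's random large question in [0, V)."""
    return secrets.randbelow(V)


def prover_answer(r: int, b: int, question: int) -> int:
    """Witness number D = r * B^question mod N."""
    return (r * pow(b, question, N)) % N


def verifier_check(j: int, test: int, question: int, witness: int) -> bool:
    """Reconstruct the test number from witness, question and identity:
    D^V * J^question == r^V * (B^V * J)^question == T (mod N)."""
    return (pow(witness, V, N) * pow(j, question, N)) % N == test


def run_identification(identity: bytes, b: int) -> bool:
    j = shadowed_identity(identity)
    r, test = prover_commit()
    question = verifier_question()
    witness = prover_answer(r, b, question)
    return verifier_check(j, test, question, witness)


# ---- non-interactive signature: the question is derived from the message ----
def _question_for(message: bytes, test: int) -> int:
    return int.from_bytes(hashlib.sha256(message + test.to_bytes(8, "big")).digest(), "big") % V


def sign(message: bytes, b: int):
    r, test = prover_commit()
    return test, prover_answer(r, b, _question_for(message, test))


def verify(message: bytes, identity: bytes, signature) -> bool:
    test, witness = signature
    return verifier_check(shadowed_identity(identity), test, question := _question_for(message, test), witness)


# ---- cooperation: several devices look like one entity with J = J1*J2*... ----
def cooperative_identification(identities, secrets_b) -> bool:
    """Each member commits and answers with its own r and B; only the
    products of test numbers, witnesses and shadowed identities are combined."""
    commits = [prover_commit() for _ in identities]
    question = verifier_question()
    test = witness = j = 1
    for (r, t), b, ident in zip(commits, secrets_b, identities):
        test = test * t % N
        witness = witness * prover_answer(r, b, question) % N
        j = j * shadowed_identity(ident) % N
    return verifier_check(j, test, question, witness)


if __name__ == "__main__":
    j1, b1 = authority_issue(b"card-0001")
    j2, b2 = authority_issue(b"card-0002")
    print("identification:", run_identification(b"card-0001", b1))
    print("cooperation:   ", cooperative_identification([b"card-0001", b"card-0002"], [b1, b2]))
    print("signature:     ", verify(b"hello", b"card-0001", sign(b"hello", b1)))
```

The verifier never needs more than `N`, `V` and the identity: the secret `B` stays inside the device, and a device holding a wrong `B` fails the reconstruction check deterministically for any non-zero question, because the `V`-th root of `J^-1` modulo `N` is unique when `V` is coprime to the order of the group.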

### Keywords

cryptology, factoring, complexity, randomization, zero-knowledge, interactive proofs, identity-based system, public key system, integrity, identification, authentication, digital signature

### References

- [1] Gilles Brassard, David Chaum and Claude Crépeau, *Minimum disclosure proofs of knowledge*, July 1987.
- [2] David Chaum, *Security without identification: transaction systems to make Big Brother obsolete*, Comm. of ACM, **28**, Oct. 1985, pp. 1030–1044.
- [3] Ivan Bjerre Damgård, *Collision-free hash functions and public-key signature schemes*, EUROCRYPT’87, to appear.
- [4] Yvo Desmedt and Jean-Jacques Quisquater, *Public-key systems based on the difficulty of tampering*, Advances in cryptology, Proceedings of CRYPTO’86, Lecture notes in computer science, No. 263, Springer-Verlag, pp. 186–194.
- [5] Amos Fiat and Adi Shamir, *How to prove yourself: practical solutions to identification and signature problems*, Springer-Verlag, Lecture notes in computer science, No. 263, Advances in cryptology, Proceedings of CRYPTO’86, pp. 186–194, 1987.
- [6] Amos Fiat and Adi Shamir, *Unforgeable proofs of identity*, 5th SECURICOM, Paris, 1987, pp. 147–153.
- [7] Oded Goldreich, Shafi Goldwasser and Silvio Micali, *How to construct random functions*, 25th IEEE symposium on foundations of computer science, 1984, pp. 464–479.
- [8] Shafi Goldwasser, Silvio Micali and Charles Rackoff, *The knowledge complexity of interactive proof systems*, 17th ACM symposium on theory of computing, 1985, pp. 291–304.
- [9] Shafi Goldwasser, Silvio Micali and Ronald Rivest, *A paradoxical signature scheme*, 25th IEEE symposium on foundations of computer science, 1984, pp. 441–448.
- [10] Oded Goldreich, Silvio Micali and Avi Wigderson, *Proofs that yield nothing but the validity of the proof*, Workshop on probabilistic algorithms, Marseille, March 1986.
- [11] Louis C. Guillou and Jean-Jacques Quisquater, *Efficient digital public-key signatures with shadow*, Springer-Verlag, Lecture notes in computer science, Advances in cryptology, Proceedings of CRYPTO’87, p. 223.
- [12] Louis C. Guillou, Marc Davio and Jean-Jacques Quisquater, *Public-key techniques*, Cryptologia, to appear.
- [13] Louis C. Guillou and Jean-Jacques Quisquater, *A practical zero-knowledge protocol fitted to security microprocessors minimizing both transmission and memory*, EUROCRYPT’88, to appear.
- [14] Louis C. Guillou and Michel Ugon, *Smart card: a highly reliable and portable security device*, CRYPTO’86, Lecture notes in computer science, No. 263, Springer-Verlag, pp. 464–479.
- [15] Jean-Jacques Quisquater, *Secret distribution of keys for public-key system*, Springer-Verlag, Lecture notes in computer science, No. 293, Advances in cryptology, Proceedings of CRYPTO’87, pp. 203–208, 1987.
- [16] Ronald Rivest, Adi Shamir and Leonard Adleman, *A method for obtaining digital signatures and public-key cryptosystems*, Comm. of ACM, **21**, Feb. 1978, pp. 120–126.
- [17] Adi Shamir, *Identity-based cryptosystems and signature schemes*, Springer-Verlag, Lecture notes in computer science, No. 196, Advances in cryptology, Proceedings of CRYPTO’84, pp. 47–53, 1985.
- [18] H. C. Williams, *A modification of the RSA public-key cryptosystem*, IEEE Trans. on Information Theory, **IT-26**, Nov. 1980, pp. 726–729.