Are Crypto-Accelerators Really Inevitable?
This paper describes in detail a recent smart-card prototype that performs a 20-bit zero-knowledge identification in less than one second on a simple 8-bit microcontroller without any dedicated crypto-engine aboard.
A curious property of our implementation is its inherent linear complexity: unlike every other protocol known to us, the overall performance of our prover (computation and transmission) is simply proportional to the size of the modulus, not to its square.
Therefore (as paradoxical as this may seem...) there will always exist a modulus size ℓ above which our software-coded prover will be faster than any general-purpose hardware accelerator.
The choice of a very unusual number representation technique (particularly adapted to Fischer-Micali-Rackoff's protocol), combined with a recent modulo delegation scheme, makes it possible to complete a 20-bit zero-knowledge interaction in 964 ms (with a 4 MHz clock). The microcontroller (ST16623, the prover), which communicates with a PC via an ISO 7816-3 (115,200 baud) interface, uses only 400 EEPROM bytes for storing its 64-byte keys.
An overhead video-projected demonstration will be done at the end of our talk.
Keywords: Modular Multiplication, Oblivious Transfer, Modular Reduction, European Patent Application, Curious Property
- 1. O. Brugia, A. di Porto & P. Filiponi, Un metodo per migliorare l'efficienza degli algoritmi di generazione delle chiavi crittografiche basati sull'impiego di grandi numeri primi, Note Recensioni e Notizie, Ministero Poste e Telecomunicazioni, vol. 33, no. 1–2, 1984, pp. 15–22.
- 2. U. Feige, A. Fiat & A. Shamir, Zero-knowledge proofs of identity, Proc. 19th ACM Symp. Theory of Computing, 210–217 (1987), and J. Cryptology, 1 (1988), 77–95.
- 3. A. Fiat & A. Shamir, How to prove yourself: Practical solutions to identification and signature problems, Proc. of Crypto'86, Lecture Notes in Computer Science 263, 181–187.
- 4. M. Fischer, S. Micali & C. Rackoff, A secure protocol for oblivious transfer, presented at Eurocrypt'84 but missing in the proceedings.
- 6. D. Naccache, Method, sender apparatus and receiver apparatus for modulo operation, European patent application no. 91402958.2, November 5, 1991.
- 7. D. Naccache, D. M'raïhi, S. Vaudenay & D. Raphaeli, Can DSA be Improved?, Proceedings of Eurocrypt'94, to appear.
- 8. A. Shamir, How to implement public-key schemes with 16,000 bit moduli on a smart-card with 36 bytes of RAM, presented at the rump session of Eurocrypt'94 (05-10-1994 at 20h11).