Are Crypto-Accelerators Really Inevitable?

20 bit zero-knowledge in less than a second on simple 8-bit microcontrollers
  • David Naccache
  • David M’raïhi
  • William Wolfowicz
  • Adina di Porto
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 921)


This paper describes in detail a recent smart-card prototype that performs a 20-bit zero-knowledge identification in less than one second on a simple 8-bit microcontroller without any dedicated crypto-engine aboard.

A curious property of our implementation is its inherent linear complexity: unlike all the other protocols known to us, the overall performance of our prover (computation and transmission) is simply proportional to the size of the modulus (and not to its square).

Therefore (as paradoxical as this may seem...) there will always exist a modulus size ℓ above which our software-coded prover will be faster than any general-purpose hardware accelerator.

The choice of a very unusual number representation technique (particularly adapted to Fischer-Micali-Rackoff’s protocol), combined with a recent modulo delegation scheme, makes it possible to achieve a complete 20-bit zero-knowledge interaction in 964 ms (with a 4 MHz clock). The microcontroller (ST16623, the prover), which communicates with a PC via an ISO 7816-3 (115,200 baud) interface, uses only 400 EEPROM bytes for storing its 64-byte keys.

An overhead video-projected demonstration will be given at the end of our talk.





Copyright information

© Springer-Verlag Berlin Heidelberg 1995

Authors and Affiliations

  • David Naccache (1)
  • David M’raïhi (1)
  • William Wolfowicz (2)
  • Adina di Porto (2)

  1. Gemplus Card International, Sarcelles, France
  2. Fondazione Ugo Bordoni, Rome, Italy
