Security analysis of a practical “on the fly” authentication and signature generation

  • Guillaume Poupard
  • Jacques Stern
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1403)


In response to the current need for fast, secure and cheap public-key cryptography, we study an interactive zero-knowledge identification scheme and a derived signature scheme that combine provable security based on the general problem of computing discrete logarithms modulo any number, short identity-based keys, very short transmission and minimal on-line computation. This leads to applications that are both efficient and secure and well suited to implementation on low-cost smart cards. We develop complete proofs of the completeness, soundness and statistical zero-knowledge property of the identification scheme. The security analysis of the signature scheme leads us to present a novel number-theoretic lemma of independent interest and an original use of the “forking lemma” technique. From a practical point of view, the possible choices of parameters are discussed and we report the performance of an actual implementation on a cheap smart card. As an example, a complete and secure authentication can be performed in less than 20 ms with low-cost equipment.

Key words

  • Identification scheme
  • Digital signature
  • Security analysis
  • General discrete logarithm problem
  • Minimal on-line computation
  • Low cost smart cards



Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • Guillaume Poupard (1)
  • Jacques Stern (1)

  1. Laboratoire d'informatique, École Normale Supérieure, Paris Cedex 05, France
