Twin-Schnorr: A Security Upgrade for the Schnorr Identity-Based Identification Scheme

Most identity-based identification (IBI) schemes proposed in recent literature are built using pairing operations. This decreases efficiency due to the high operation costs of pairings. Furthermore, most of these IBI schemes are proven to be secure against impersonation under active and concurrent attacks using interactive assumptions such as the one-more RSA inversion assumption or the one-more discrete logarithm assumption, translating to weaker security guarantees due to the interactive nature of these assumptions. The Schnorr-IBI scheme was first proposed through the Kurosawa-Heng transformation from the Schnorr signature. It remains one of the fastest yet most secure IBI schemes under impersonation against passive attacks due to its pairing-free design. However, when required to be secure against impersonators under active and concurrent attacks, it deteriorates greatly in terms of efficiency due to the protocol having to be repeated multiple times. In this paper, we upgrade the Schnorr-IBI scheme to be secure against impersonation under active and concurrent attacks using only the classical discrete logarithm assumption. This translates to a higher degree of security guarantee with only some minor increments in operational costs. Furthermore, because the scheme operates without pairings, it still retains its efficiency and superiority when compared to other pairing-based IBI schemes.


Introduction
Identification schemes, first proposed by Fiat and Shamir [1], are a cryptographic primitive that allows one party, called the prover, to verify himself to another party, the verifier, with the verifier learning nothing else other than the fact that the prover knows the prover's secret key as claimed. This primitive is a challenge-response one-way authentication mechanism that is frequently used in access control and is able to provide high security guarantees due to the zeroknowledge property of the protocol.
Traditional identification schemes, however, rely on a certificate issued by a certificate authority to explicitly certify that a user's public key rightfully belongs to him. To mitigate the problem of cryptosystems growing large and where certificate management becomes a major and costly issue, Shamir proposed the notion of identity-based cryptography, where certificates are no longer necessary and users can implicitly certify their public keys using their own identitystring [2].
However, identity-based cryptography only began to gain interest in 2001 when Boneh and Franklin proposed the first identity-based encryption scheme [3]. Three years later in 2004, IBI schemes were then formalized independently by Bellare et al. [4] and Kurosawa and Heng [5].

Related Work.
Reference [4] presented a framework to construct IBI schemes from traditional public key identification schemes using a family of trapdoor sampleable relations. The authors also showed the relationship between security notions of standard identification schemes, public key signature schemes, IBI schemes, and identity-based signature schemes.
On the other hand, [5] showed that any digital signature with a zero-knowledge proof-of-knowledge protocol can be converted into an IBI scheme that is secure against impersonation under passive attacks. Reference [6], which is an extension of [5], showed several instantiations of the Kurosawa-Heng transformation, among which was the 2 The Scientific World Journal Schnorr-IBI scheme which is based on the transformation from the Schnorr digital signature scheme [7].
This passive-secure original scheme was fast and efficient and based on the weak discrete logarithm assumption similar to the signature scheme it was derived from. However, to improve the scheme to be secure against impersonation under active and concurrent attacks, a modified strong witness hiding protocol was required. This yielded an inefficient scheme where the protocol had to be repeated = log 2 times, where is the size of the discrete logarithm group.
Tan et al. improved on this result in 2011, modifying the Schnorr-IBI scheme to provide active and concurrent security using only one iteration of the protocol [8]. However, since it was basing its security on the decisional Diffie-Hellman assumption, which is a stronger assumption than the discrete logarithm assumption, it thus resulted in a degradation of security guarantee.

Motivations and Contributions.
While pairing-based IBI schemes continue to flourish, it would be of interest to continue to improve existing pairing-free IBI schemes in terms of both efficiency and security. It is well known that pairing operations are costly compared to other operations like exponentiations, as shown by implementation results such as those by [9]. Therefore, pairing-free IBI schemes run faster than their pairing-based counterparts in general.
In this paper, we show that the Schnorr-IBI scheme is able to be proven secure against impersonation under active and concurrent attacks using only the classical discrete logarithm assumption, which is an improvement in terms of security guarantee over the results of [8] of using the decisional Diffie-Hellman assumption. This comes at a small cost to storage and operation.
Specifically, we extend the number of secret key components to two components and thus name the modified Schnorr scheme the Twin-Schnorr-IBI scheme. The increased security guarantee comes at a small price in terms of increase in user secret key size as well as a few additional exponentiation operations. However, when compared to the majority of IBI schemes that utilize bilinear pairings, it is still considered more efficient since it is pairing-free.
One of the desirable properties of identification schemes is in their fast operation sequence. Generally speaking, threemove identification schemes are one of the faster cryptographic primitives in the asymmetric cryptography setting. This can be seen via the Fiat-Shamir transform, where digital signatures are constructed from identification schemes. This fast operation, coupled with the security feature where no information can be obtained by observing the running of the identification protocol, makes the identification scheme an excellent candidate for implementation on low-power, lightprocessing platforms. Moreover, for pairing-free identitybased identification schemes, one is able to authenticate himself securely with minimal computing required because certificate management issues are a thing of the past, and no pairing operations means less power is required in computing the intermediate steps during the identification protocol.
With strong security guarantees, high efficiency without pairing operations, and in the identity-based setting, the Twin-Schnorr-IBI scheme fits the description of the lightweight cryptographic scheme that is an excellent cryptographic primitive that can be implemented to provide fast access control mechanisms for entity authentication without having to use certificates. Implementation instances of the scheme can be applied to smart cards, mobile devices, and online systems to facilitate entity authentication before granting these entities access to available resources such as the larger reservoirs of computing power on cloud servers to handle the subsequent more taxing computations.
The rest of the paper is organized as follows. In Section 2, we begin with some preliminaries, including assumptions and security definitions for IBI schemes. In Section 3 we propose the Twin-Schnorr-IBI scheme. In Section 4 we provide a corresponding proof of security against impersonation under active and concurrent attacks. In Section 5 we provide a comparison of our proposed scheme against other discrete logarithm-based IBI schemes provable secure in the random oracle model. In Section 6, we provide implementation results to demonstrate the speed of the Twin-Schnorr-IBI scheme. We provide some areas of potential application for the Twin-Schnorr-IBI scheme in Section 6 and conclude in Section 7. If is a binary string, we denote by | | its length and denote by | the concatenation of strings and .

Preliminaries
If is a set then by $ ← we denote the action of sampling uniformly from . If is an algorithm then ← ( : ) denotes that outputs when run with input and random coins . By ( ) we denote the distribution of ← ( : ) over the uniform choice of . For algorithms and , denote by ← (⋅) ↔ (⋅) an output produced as the result of an interaction between and on arbitrary inputs.
Also, define a negligible function : N → [0, 1] such that, for every positive exponent ∈ N, there exists an integer ∈ N such that ( ) ≤ − for all > .

Discrete Logarithm Assumption.
Let be a cyclic group with prime order and let be a generator of . The discrete logarithm problem is defined as follows: given a number = in group , output . The discrete logarithm assumption states that there exists no polynomial time algorithm that is able to ( , )solve the discrete logarithm problem with nonnegligible probability such that Pr[ ( , , , )] ≥ .

Formal Definition of IBI Schemes.
An IBI scheme is defined by four polynomial time algorithms SETUP, EXTRACT, PROVE, and VERIFY.
The Scientific World Journal Algorithm 1: Definition of an IBI scheme.
(1) SETUP takes in the security parameter (1 ) and outputs the master public key and master secret key .
(2) EXTRACT takes in , , and the user identitystring to produce the user secret key . (3) IDENTIFICATION PROTOCOL: PROVE and VER-IFY interact with each other according to a three-step canonical proof-of-knowledge protocol. Each algorithm takes in and , with PROVE receiving the additional as auxiliary input.
(a) PROVE initiates and sends a commitment to VERIFY. Usually this takes the form of the prover's identity-string mixed with some salt for the identification instance. (b) VERIFY picks a random challenge from a set of predefined challenges to send to PROVE. These challenges are uniformly distributed within the predefined set of challenges. (c) PROVE responds with an answer to the challenge and VERIFY chooses whether to accept or reject based on PROVE's response that is calculated based on the identification instance's commitment, challenge, and the user secret key and identity-string .
The definition of an IBI scheme is presented in Algorithm 1.

Security Model for IBI
Schemes. An adversary attacking an IBI scheme is defined as an impersonator. The goal of the impersonator is to successfully impersonate an honest user. Impersonators are further broken down into two categories.
(i) Passive impersonator: this type of impersonator only eavesdrops on conversations between honest users and verifiers before attempting impersonation. (ii) Active and concurrent impersonators: these impersonators are able to actively participate in conversations with honest verifiers to learn as much information as they can before attempting impersonation. The difference between active and concurrent impersonators is that active impersonators are only able to interact with one verifier at a time, while the concurrent impersonator is able to run several conversations with several verifiers concurrently.
We model the security of an IBI scheme as a game played by an impersonator and a challenger as follows.
(1) creates and and runs as a subroutine. passes to but keeps to itself.
(2) In phase 1, can issue extract and identification queries. If is a passive impersonator, will respond with transcripts of valid conversations between honest provers and honest verifiers for an identification query. If is an active and concurrent impersonator, will play the cheating verifier to answer 's identification queries while plays the role of the prover.
(3) In phase 2, outputs an identity that it wishes to be challenged on. is able to continue issuing extract and identification queries, but once it converses with as a cheating prover and manages to convince that he is the challenge identity, he wins the game.
We provide the description of the experiment in Algorithm 2.
Let = ( , ) who runs in time with ∈ { , , } and security parameter ; the advantage of to impersonate is where can make at most extract queries. An IBI scheme is (⋅) is negligible for every polynomial time .

The Twin-Schnorr-IBI Scheme
Before the description of the scheme, we briefly note that while the key generation process of Schnorr-IBI from [5] looks similar to that of BNN-IBI from [4], the two schemes have different identification protocols and are therefore considered as two distinct IBI schemes. Similarly, one might note the similarity in the key generation process for OKDL-IBI from [4] with Twin-Schnorr-IBI, but because the two schemes have separate and distinct identification protocols, we consider them as two distinct IBI schemes.
The construction of the Twin-Schnorr-IBI scheme is as follows.
(1) SETUP takes in the security parameter 1 and generates the group of order . It picks random generators ; and indicates the transcript session.
VERIFY can calculate = ( , , ) by itself since ( Correctness of the identification protocol can be proven as such: The detailed description of the scheme is provided in Algorithm 3.
The Scientific World Journal Accept iff

Security Analysis
To outline the strategy for the proof, the general strategy is to prove that a challenger to the discrete logarithm problem can use the impersonator for the Twin-Schnorr-IBI scheme to solve an instance of the discrete logarithm problem. The challenge takes in the discrete logarithm problem instance and simulates the environment for the Twin-Schnorr-IBI for the learning phase of phase 1.
In phase 2, it then uses the impersonation attempt of the Twin-Schnorr-IBI to solve the instance of the discrete logarithm problem. However, it is well known that no probabilistic polynomial time algorithm can solve the discrete logarithm problem.
Hence we arrive at the conclusion that no such impersonator for the Twin-Schnorr-IBI exists.

Theorem 1. The Twin-Schnorr-IBI scheme is secure against impersonation under active and concurrent attacks if the discrete logarithm problem is hard in group , where
Proof. Suppose an impersonator exists. We can then show an algorithm that is able to break the discrete logarithm problem.
begins by taking in the discrete logarithm instance ( , = ) and runs as a subroutine to calculate . simulates the challenge environment for by first setting 1 = and 2 = . Then it runs the rest of SETUP as usual, choosing two random integers 1 , 2 $ ← Z and setting = − 1 1 − 2 2 , publishing = ⟨ , , 1 , 2 , ⟩ while keeping = ⟨ 1 , 2 ⟩ to itself. In phase 1, plays the cheating verifier in training, trying to learn what it can from . As defined in the security model, is able to issue both extract and identification queries. Throughout the simulation, instantiates a user with credentials via the ( ) oracle and adds to the set of generated identities and their corresponding . Also define the set to be the set of all corrupted users on which has issued an extract query (and therefore corrupted). When queries for via the corrupt oracle ( ), will generate using the original EXTRACT algorithm since has access to , removes from , and then adds to the set . Therefore, = | | represents the maximum number of corrupt queries that can issue. Similarly, when issues identification queries on , will create (if not yet queried before as an extract query) to participate in the identification protocol oracle ( ) as a prover and adds ⟨ , ⟩ to the set . Without loss of generality we can assume that will not    issue an identification query on a user which it has corrupted already. It is evident that can query as many identification queries as it likes as long as the number of generated does not exceed .
It remains to calculate the probability of winning the game to solve the discrete logarithm problem. By the Reset Lemma, will successfully extract 2 valid conversations to derive ( 1 , 2 ) and calculate with probability Let the advantage of solving the discrete logarithm problem be defined as V log , ( ), which comprises the events computes , defined as event , and that does not abort, defined as event . The probability that wins is given by The probability of aborting, event , is exactly 1/2 since the only event that aborts is if 1 =1 and 2 =2.
Hence the probability of winning is

Efficiency Analysis
In this section, we provide the efficiency cost of the Twin-Schnorr-IBI scheme in Table 1. We measure the operation costs in terms of exponentiations, multiplications in group , multiplications in Z , and additions in Z . Next a comparison is made with other IBI schemes that are constructed based on discrete logarithms in Table 2. We take into consideration only the identification protocol  operation cost, since that is the most-run algorithm in the whole scheme. From the comparisons above in Table 2, one can see that the closest competitor for Twin-Schnorr is the OKDL-IBI scheme since both offer almost similar efficiency cost using the classical discrete logarithm assumption. In fact, for the schemes as they are, OKDL-IBI is slightly more efficient with one less exponentiation and one less multiplication in in its identification protocol.
However, it is possible to increase the efficiency of both Twin-Schnorr-IBI and OKDL-IBI through precomputation of some of the fixed values in the identification protocol. For example, for Twin-Schnorr-IBI, can be computed beforehand and stored in the PROVE party's device for future use since the value does not change. For OKDL-IBI, one can first precompute and store = for similar reasons, resulting in less exponentiations. Results of the improved efficiency of the Twin-Schnorr-IBI and OKDL-IBI after precomputation are presented in Table 3.
If precomputation is done, then it is shown that the two schemes have similar operation costs. However, Twin-Schnorr requires less communication bandwidth of 1 group element in (generally 2048 bits for 128-bit security) compared to OKDL-IBI for each run of the identification protocol.

8
The Scientific World Journal  Secondly, Twin-Schnorr-IBI does not require the semistrong unforgeability property, as defined by [4], since no component of the user secret key is transmitted in the open. This is in contrast to the OKDL-IBI scheme, where one component of the user secret key is transmitted from PROVE to VERIFY during each interaction. Thus, there is security degradation with the requirement of semistrong unforgeability for the OKDL-IBI. Therefore, with precomputation, the Twin-Schnorr-IBI is slightly superior in terms of efficiency and security compared to the OKDL-IBI.

Implementation Results
In this section, we run an instantiation of the Twin-Schnorr-IBI written in Java utilizing the Java Cryptography Architecture and Java Cryptography Extension libraries to showcase the actual running time results. The simulation was conducted on an i7-4702 MQ workstation with 8 GB RAM running on 64-bit Windows 8 operating system. Each algorithm of the Twin-Schnorr-IBI scheme is run for 100 times using various security-level settings and the average running time is taken. The results are displayed in Table 4.

Potential Applications of Twin-Schnorr-IBI
As mentioned in the introduction, the Twin-Schnorr-IBI scheme is ideal in terms of providing a lightweight secureauthentication mechanism to facilitate access control to further resources. One desirable area of facilitating access control would be in multimedia systems, where the Twin-Schnorr-IBI can be used to determine which user is allowed access to certain multimedia content. This is implementable on multimedia services mentioned in [11], IPTV service platforms [12], and even learning management systems [13]. Another area where secure identification is required is to determine user access to confidential data. Access to job information systems [14], credit-card payment systems [15], and ID credit scoring systems [16] would be suitable for the Twin-Schnorr-IBI to be implemented as a gateway before allowing users access to the confidential information found within the systems. The Twin-Schnorr-IBI scheme can also be used for peer-to-peer validation before allowing users into a hosted e-meeting such as ones conducted using the shared presentation board [17]. Another application for the Twin-Schnorr-IBI is to serve as an initial identification before allowing users further access to cloud-based computing resources such as cloud-based personal tutoring systems [18] and personal mobile albums and diaries [19]. As one can see, the use of the IBI scheme can be versatile for use in multiple settings, and the Twin-Schnorr is a good instantiation to serve these purposes because of its fast running time.

Conclusion
In this paper, we showed that, with a slight additional cost to the original Schnorr-IBI scheme, we can obtain security against active and concurrent impersonation attacks using the weak discrete logarithm assumption and thus provide a high security guarantee compared to the single key counterpart that rely on the stronger decisional Diffie-Hellman assumption. The modified scheme is efficient in that it remains pairing-free and is comparable (and slightly more secure and efficient) to the most-secure pairing-free IBI scheme in literature to date in terms of efficiency under the classical discrete logarithm assumption.