密码算法与协议4_密钥的认证协议案例分析.ppt

* * Analysis to Schnorr’s Scheme (cont.) The point is that the prover cannot prepare for answering both cases c = 0 and c = 1, without knowing the private key x. This follows from the following observation. Suppose that after committing to value a, a prover is able to answer both c = 0 and c = 1 correctly. This means that the prover is able to produce two responses r0 and r1, which are correct for challenges c = 0 and c = 1, respectively. This implies that the values a, r0 and r1 satisfy gr0 = a, gr1 = ah, which in turn implies that h = gr1-r0 . However, this means that the prover actually knows x, since x = r1 –r0 mod n holds. * * Analysis to Schnorr’s Scheme (cont.) Intuitively, this means that at each iteration of Schnorr’s protocol a cheating prover “survives” with probability at most 50%. Therefore, a cheating prover survives after k iterations with probability at most 2-k. Next, we consider why Schnorr’s protocol is zero-knowledge. A cheating verifier may engage many times in the identification protocol, obtaining a conversation (a, c, r) for each iteration of the protocol. Here, “many times” means at most p(k) times for a polynomial p (polynomially bounded in the security parameter k). The cheating verifier thus obtains many conversations (a, c, r). However, it turns out that the verifier may generate these conversations completely on its own, without interacting with the prover at all. * * Analysis to Schnorr’s Scheme (cont.) More generally, we show that the verifier may generate simulated conversations (a, c, r) that follow an identical distribution as the conversations (a, c, r) that occur in executions of the identification protocol, with a real prover. We first consider the zero-knowledge property for the case that the verifier is honest, that is, the verifier picks c uniformly at random in {0, 1} as prescribed by the protocol. Below, we list two algorithms, one for generating real conversations (following the protocol), and one for gen