The Search for Provably Secure Identification Schemes

1. Introduction. An identification scheme is a protocol which enables party A to prove his identity to party B in the presence of imposters G. This is one of the fundamental problems in cryptography, and it has numerous practical applications. In fact, whenever we present a driver's license, use a passport, pay with a credit card, enter a computer password, or punch a secret code into an automatic teller machine, we execute an identification protocol. The basic problem with these practical protocols is that A proves his identity by revealing to B a constant (in the form of a printed card or a memorized value). A sophisticated adversary C who cooperates with a dishonest B can use a xerox copy of the card or a recording of the secret value to misrepresent himself successfully as A at a later stage. Our goal in this paper is to survey some of the mathematical techniques developed to solve this problem, and to propose a new identification scheme which is provably secure if factoring is difficult, and orders of magnitude faster than previous schemes of this type. The mathematical version of the identification problem assumes that A is distinguished by knowing some secret information s which no one else knows. A's goal is to prove to B that he knows s, and 5's goal is to verify the correctness of A's proof. B is assisted by the public information v revealed in advance by A. Since v is also available to G, there should be no efficient algorithm for computing s from v, even though the two values are obviously related. The authenticity of v is guaranteed by publishing it in a public key directory or by attaching to it the digital signature of a trusted center, and thus we do not consider attacks in which G replaces J4'S real v by a modified v f .