Are Crypto-Accelerators Really Inevitable? 20Bit Zero-Knowledge in Less than a Second on Simple 8-bit Microcontrollers

This paper describes in detail a recent smart-card prototype that performs a 20-bit zero-knowledge identification in less than one second on a simple 8-bit microcontroller without any dedicated cryptoengine aboard. A curious property of our implementation is its inherent linear complexity: unlike all the other protocols brought to our knowledge, the overall performance of our prover (computation and transmission) is simply proportional to the size of the modulus (and not to its square). Therefore (as paradoxical as this may seem...) there will always exist a modulus size l above which our software-coded prover will be faster than any general-purpose hardware accelerator. The choice of a very unusual number representation technique (particularly adapted to Fischer-Micali-Rackoff’s protocol) combined with a recent modulo delegation scheme, allows to achieve a complete 20-bit zero-knowledge interaction in 964 ms (with a 4 MHz clock). The microcontroller (ST16623, the prover), which communicates with a PC via an ISO 7816-3 (115,200 baud) interface, uses only 400 EEPROM bytes for storing its 64-byte keys. An overhead video-projected demonstration will be done at the end of our talk.