A Generic View on the Unified Zero-Knowledge Protocol and its Applications

Abstract. We present a generalization of Maurer's unified zero-knowledge (UZK) protocol, namely a unified generic zero-knowledge (UGZK) construction. We prove the security of our UGZK protocol and discuss special cases. Compared to UZK, the new protocol allows proving knowledge of a vector of secrets instead of only one secret. We also provide the reader with a hash variant of UGZK and the corresponding security analysis. Last but not least, we extend Cogliani et al.'s lightweight authentication protocol by describing a new distributed unified authentication scheme suitable for wireless sensor networks and, more generally, the Internet of Things.


Introduction
Zero-knowledge proofs (ZKPs) are closely related to one of the main cryptographic goals, entity authentication. Applying ZKPs, researchers are able to propose clever solutions to a variety of practical problems, mainly in the fields of digital cash, auctioning, Internet of Things (IoT), password authentication and so on.
A standard zero-knowledge protocol involves a prover Peggy, possessing a piece of secret information x associated with her identity, and a verifier Victor, who has to check that Peggy indeed owns x. Two classical examples of such constructions are the Schnorr [18] and the Guillou-Quisquater [11] protocols. Raising the level of abstraction, Maurer shows in [13] that the previously mentioned protocols are actually instantiations of the same one.
Building on Maurer's result, we consider it of great interest to provide the reader with a generalized perspective of the Unified Zero-Knowledge (UZK) protocol as well as a hash variant of it. An important consequence of our generic approach is the unification of Maurer's [13], Feige-Fiat-Shamir's [3] and Chaum-Evertse-Van de Graaf's [1] protocols. Moreover, a special case of our protocol's hash version is the h-variant of the Fiat-Shamir scheme [7,9].
Practical implications which motivated our research. As the IoT paradigm arose, lightweight devices became more and more popular. Due to the open and distributed nature of the IoT, proper security is needed for the entire network to operate accordingly. Now let us consider the case of online wireless sensor networks (WSNs). The lightweight nature of sensor nodes heavily restricts cryptographic operations. Thus, the need for specific cryptographic solutions becomes obvious. The Fiat-Shamir-like distributed authentication protocol presented in [2] represents such an example. Based on this previous construction we propose a unified generic zero-knowledge protocol. Just as the result described in [2], our protocol can be applied for securing WSNs and, more generally, IoT-related solutions. Nonetheless, our construction offers flexibility when choosing the assumptions on which its security relies. A secondary feature of our scheme is the possibility of reusing existing certificates when implementing the distributed authentication protocol.
Structure of the paper. We establish notations and recall zero-knowledge concepts in Section 2. Inspired by Maurer's UZK construction, in Section 3 we present our main result, a Unified Generic Zero-Knowledge (UGZK) protocol, and prove it secure. We provide the reader with various special cases of UGZK in Section 4. A hash variant of our core protocol is tackled in Section 5 together with its security analysis. Following Cogliani et al.'s lightweight authentication protocol ideas, in Section 6 we describe a distributed unified Fiat-Shamir-based protocol, discuss security and complexity aspects and present implementation trade-offs which arise from small variations of the proposed result. We conclude in Section 7 and underline future work proposals.

Preliminaries
Notations. Throughout the paper, the notation |S| denotes the cardinality of a set S. The subset {0, ..., s} ⊂ N is denoted by [0, s]. The action of selecting a random element x from a sample space X is represented by x ←$ X, while x ← y indicates the assignment of value y to variable x.

Groups
Let (G, ) and (H, ⊗) be two groups. We assume that the group operations  and ⊗ are efficiently computable.
Let f : G → H be a function (not necessarily one-to-one). We say that f is a homomorphism if f(x  y) = f(x) ⊗ f(y). Throughout the paper we consider f to be a one-way function, i.e. it is infeasible to compute x from f(x). To be consistent with [13], we denote by [x] the value f(x). Note that given [x] and [y] we can efficiently compute [x  y] = [x] ⊗ [y], due to the fact that f is a homomorphism.

Zero-Knowledge Protocols
Let Q : {0, 1}* × {0, 1}* → {true, false} be a predicate. Given a value z, Peggy will try to convince Victor that she knows a value x such that Q(z, x) = true.
We further base our reasoning on both a definition from [3,13] and a definition from [10,13] which we recall next.

Definition 1 (Proof of Knowledge Protocol). An interactive protocol (P, V) is a proof of knowledge protocol for predicate Q if the following properties hold:
- Completeness: V accepts the proof when P has as input a value x with Q(z, x) = true;
- Soundness: there exists an efficient program K (called knowledge extractor) such that for any P (possibly dishonest) with non-negligible probability of making V accept the proof, K can interact with P and output (with overwhelming probability) an x such that Q(z, x) = true.

Definition 2 (Zero Knowledge Protocol). A protocol (P, V) is zero-knowledge if for every efficient program V there exists an efficient program S, the simulator, such that the output of S is indistinguishable from a transcript of the protocol execution between P and V. If the indistinguishability is perfect, then the protocol is called perfect zero-knowledge. According to [13], the UZK protocol presented in Figure 1 is a zero-knowledge protocol if the conditions mentioned in Theorem 1 are satisfied.

Theorem 1. Let C be the challenge space. If values ∈ Z and u ∈ G are known such that
then by running the protocol described in Figure 1 for m rounds we obtain a proof of knowledge protocol if 1/|C|^m is negligible, and a zero-knowledge protocol if |C| is polynomially bounded.

Remark 1. If C is small, then several 3-move rounds are needed to make the soundness error negligible.

Hash Functions
In the following, we consider the definitions from [9]. These concepts are further applied in Section 5 within the security proof of our proposed generalization of the h-variant protocol [7].

Definition 3. Let λ ≥ 2 be an integer. A λ-collision for a hash function h is a λ-tuple {m_i}_{i∈[1,λ]} such that h(m_1) = h(m_2) = ... = h(m_λ).

Definition 4. Let λ ≥ 2 be an integer. A hash function is λ-collision resistant if it is computationally infeasible to find a λ-collision.

The Main Protocol
Inspired by Maurer's UZK protocol [13], we describe a UGZK protocol (Figure 2). Note that the UZK scheme is a special case of the UGZK construction. We also prove the security of our proposed construction in a Feige-Fiat-Shamir manner [3].

Description
Let n be a positive integer. The protocol in Figure 2 is a proof of knowledge of a vector {x_i}_{i∈[1,n]} such that z_i = [x_i] for all i ∈ [1, n], where the vector {z_i}_{i∈[1,n]} is given, provided that the conditions of Theorem 2 are satisfied. The challenge spaces C_i for the elements c_i are chosen as arbitrary subsets of N, for all i ∈ [1, n].
For the sake of uniformity, we assume that all the challenge spaces C_i are equal and we denote them by C. If |C| is chosen to be small, then several rounds are needed in order to reduce the soundness error to the point of being negligible.
When n = 1 we obtain the UZK protocol introduced in [13]. Note that in this case G and H need not be commutative.

Security Analysis
Theorem 2. Let H be a commutative group. If for all j values j ∈ Z and u_j ∈ G are known such that gcd(c_j − c_j', j) = 1 for all c_j, c_j' ∈ C with c_j ≠ c_j', then by running the protocol described in Figure 2 for m rounds we obtain a proof of knowledge protocol if 1/|C|^{nm} is negligible, and a zero-knowledge protocol if |C|^n is polynomially bounded.
Proof. Let s = |C|. To prove that P's proof always convinces V, we evaluate the verification condition:
Note that a corrupt P can cheat V with a negligible probability s^{−nm} per iteration by guessing the challenges c_i in the first step, and providing r_i = k_i in the last step. Next, we show that whenever V accepts P's proof with non-negligible probability, there exists a knowledge extractor K that can output all the x_i's with overwhelming probability. Let T be the truncated execution tree of (P, V) for input I and random tape RA. As in [3, Theorem 3], the algorithm we construct explores this tree by repeatedly resetting P to the root, providing the necessary steering requests and verifying which one of the s sons of each explored vertex corresponds to a correct answer. V may ask s^n possible questions at each stage and, thus, the vertices in T may have polynomially many sons in terms of |I|. A vertex is called heavy if its degree is larger than s^{n−1} (i.e. if more than s^{n−1} executions of (P, V) at this state are successful). Our goal in this part of the proof is to show that all the x_i's can be computed from the sons of a heavy vertex and that a PPT K can find a heavy vertex in T with overwhelming probability.
Let H be any heavy vertex in T and let Q be the set of queries in the form of vectors {c_i}_{i∈[1,n]} which are properly answered by P. It is easy to show that for any 1 ≤ j ≤ n a set Q of more than s^{n−1} vectors (having length n) must contain two vectors {c_i}_{i∈[1,n]} and {c_i'}_{i∈[1,n]} in which c_j ≠ c_j' and c_i = c_i' for all i ≠ j. Since both queries were properly answered, the two verification conditions imply
However, P must choose t before he obtains V's query and, thus, t_j = t_j'. From r_j and r_j' we can obtain x_j such that [x_j] = z_j, as
where a_j and b_j are computed using Euclid's extended gcd algorithm such that j a_j + (c_j − c_j') b_j = 1.
By rewriting the equations we get
, where for obtaining the last equality we used the commutative property of H. Thus,
Now we show that at least half the vertices in at least one of the levels in T must be heavy. Let α_i be the ratio between the number of vertices at level i + 1 and the number of vertices at level i in T. If α_i ≤ (1/2s)s^n for all 1 ≤ i ≤ m, then the total number of leaves in T (which is the product of all these α_i) is bounded by (1/2s)^m s^{nm}, which is a negligible fraction of the s^{nm} possible leaves. Since we assume that this fraction is polynomial, α_i > (1/2s)s^n for at least one i, and thus at least half the vertices at this level must contain more than s^n/s sons.
To find a heavy vertex in T, K chooses polynomially many random vertices at each level, and determines their degrees by repeated resets and executions of P. To ensure a uniform probability distribution in spite of the uneven degrees of the vertices, K should explore random paths in the untruncated tree, and restart from the root whenever the path encounters an improperly answered query. Since a non-negligible fraction of the leaves is assumed to survive the truncation, this blind exploration of T can be carried out in polynomial time.
The last part of the proof deals with the zero-knowledge aspect of the protocol. By using resettable simulation in the sense of [10], the simulator S described in Algorithm 1 can mimic the communication in (P, V) with an indistinguishable probability distribution in O(ms^n) expected time, which is polynomial by our assumptions on s^n.

Special Cases of the UGZK protocol
In this section we describe a number of protocols as instantiations of our main UGZK construction. Note that when n = 1 we obtain the UZK protocol from [13]. Thus, some schemes described in [13] are further reconsidered, while some examples are specific to our UGZK protocol. Although in the original paper [13] Maurer shows how to use UZK to prove the knowledge of a vector of secrets, our protocol UGZK is better in terms of transcript size.

Algorithm 1: The simulator S.
Input: the public key {z_i}_{i∈[1,n]}.
Output:
Call V with input t and obtain a challenge c

Proofs of Knowledge of a Multiple Discrete Logarithm
Let p = 2q + 1 be a prime number such that q is also prime. Select an element h ∈ H_p of order q in some multiplicative group of order p. The multiple discrete logarithm of a vector
We further describe a protocol for proving the knowledge of a multiple discrete logarithm.
A protocol for proving knowledge of a multiple discrete logarithm can be obtained as a special case of UGZK where (G, ) = (Z_q, +) and H = ⟨h⟩. The one-way group homomorphism is defined by [x] = h^x, while the challenge space C can be any arbitrary subset of [0, q − 1]. The conditions of Theorem 2 are satisfied for j = q and u_j = 0, where j ∈ [1, n]. When n = 1 we obtain the Schnorr protocol [18]. In the case n ≥ 1 and C = {0, 1} we obtain the multiple logarithm protocol described in [1].
Next we discuss a variation of the previously presented protocol. Let p = 2fp' + 1 and q = 2fq' + 1 be prime numbers such that f, p' and q' are distinct primes. Select an element h ∈ Z_N^* of order f, where N = pq. Note that p and q are secret.
Using the UGZK notations we have (G, ) = (Z_f, +) and H = ⟨h⟩. The one-way group homomorphism is defined by [x] = h^x and the challenge space C can be any arbitrary subset of [0, f − 1]. We can observe that the conditions of Theorem 2 are satisfied for j = f and u_j = 0, where j ∈ [1, n]. When n = 1 we obtain the Girault protocol [8].

Proofs of Knowledge of a Multiple e-th Root
Let p and q be two large prime numbers. Compute N = pq and choose a prime e such that gcd(e, ϕ(N)) = 1.
A multiple e-th root of a vector {z_i}_{i∈[1,n]} ∈ (Z_N^*)^n is a base vector {x_i}_{i∈[1,n]} such that z_i = x_i^e. Note that the multiple e-th root is not unique. We further describe a protocol for proving the knowledge of a multiple e-th root.
Such a protocol can be obtained from UGZK with (G, ) = (H, ⊗) = (Z_N^*, ·). The one-way group homomorphism is defined by [x] = x^e and the challenge space C can be any arbitrary subset of [0, e − 1]. The conditions of Theorem 2 are satisfied for j = e and u_j = z_j, where j ∈ [1, n]. We stress that when e = 2 we obtain the protocol introduced by Feige, Fiat and Shamir [3]. In the case n = 1 we obtain the Guillou-Quisquater protocol [11].

Proofs of Knowledge of a Multiple Discrete Logarithm Representation
Let p = 2q + 1 be a prime number such that q is also prime. Select α elements {h_j}_{j∈[1,α]} ∈ H_p^α of order q in some multiplicative group of order p. A multiple discrete logarithm representation of a vector {z_i}_{i∈[1,n]} ∈ ⟨h_1, ..., h_α⟩^n is a vector of exponent vectors ({x_{1,j}}_{j∈[1,α]}, ..., {x_{n,j}}_{j∈[1,α]}) such that
Note that multiple discrete logarithm representations are not unique. We further describe a protocol for proving the knowledge of a multiple discrete logarithm representation.
A protocol for proving the knowledge of a multiple representation can be instantiated from UGZK by setting G = Z_q^α with  defined as component-wise addition and H = ⟨h_1, ..., h_α⟩. The one-way group homomorphism is defined by [(x_1, ..., x_α)] = h_1^{x_1} ··· h_α^{x_α} and the challenge space C can be any arbitrary subset of [0, q − 1]. The conditions of Theorem 2 are satisfied for j = q and u_j = (0, ..., 0), where j ∈ [1, n].
When n = 1 we obtain a protocol proposed by Maurer in [13] which is a generalization of the protocols presented by Okamoto in [15] and Chaum et al. in [1].
Chaum et al. [1] also provide a protocol variant for a composite modulus n. Thus, by adapting the protocol presented in Section 4.1 and tweaking the previously described one, we can obtain a similar version for composite numbers. Using the notations from the protocol in Section 4.1, we set G = Z_f^α and H = ⟨h_1, ..., h_α⟩, where h_1, ..., h_α ∈ Z_n^* are elements of order f. The one-way group homomorphism is defined by [(x_1, ..., x_α)] = h_1^{x_1} ··· h_α^{x_α} and the challenge space C can be any arbitrary subset of Z_f. It is easy to see that j = f and u_j = (0, ..., 0), where j ∈ [1, n].

Proofs of Knowledge of a Multiple e-th Root Representation
Let p and q be two large prime numbers. Compute N = pq and choose primes e_1, ..., e_α such that gcd(e_i, ϕ(N)) = 1, for i ∈ [1, α]. A multiple e-th root representation of a vector {z_i}_{i∈[1,n]} ∈ (Z_N^*)^n is a vector of base vectors ({x_{1,j}}_{j∈[1,α]}, ..., {x_{n,j}}_{j∈[1,α]}) such that
Note that multiple e-th root representations are not unique. We further describe a protocol for proving the knowledge of a multiple e-th root representation.
A protocol for proving the knowledge of a multiple e-th root representation can be obtained from UGZK if we set G = (Z_N^*)^α with  defined as component-wise multiplication and (H, ⊗) = (Z_N^*, ·). The one-way group homomorphism is defined by [(x_1, ..., x_α)] = x_1^{e_1} ··· x_α^{e_α} and the challenge space C can be any arbitrary subset of [0, e − 1], where e is a prime such that gcd(e, ϕ(N)) = 1. It is easy to see that j = e and u_j = (x_1^e, ..., x_α^e), where j ∈ [1, n]. When n = 1 we obtain a protocol introduced in [19].

Hash Protocol Variant
In order to decrease the number of communication bits, Peggy can hash t and send Victor the result. This method was proposed by Fiat and Shamir [7] and later analyzed in [9]. We employ the same technique for the protocol presented in Figure 2 and analyze its security.

Description
Let H be a hash function that maps elements from H into bit streams. The hash variant of the protocol works as follows: in the first step Peggy sends H(t) to Victor (instead of t) and the last step becomes
Else return false.

Security Analysis
Theorem 3. Let s = |C|. If there exists a PPT algorithm P such that the probability that P is accepted by an honest verifier is greater than (λ − 1)|C|^{−n} + ε, where ε > 0, then there exists a PPT algorithm P' which, with overwhelming probability, either inverts [·] or finds a λ-collision for H.
Proof. Let Ω be the set of p elements in which P picks its random values and E be the set C^n, both of them characterized by the uniform distribution. For each value (ω, e) ∈ Ω × E, P passes the protocol (and we say it is a success) or not. Let S be the subset of Ω × E composed of all possible successes. Our assumption is that
Thus,
Let P' be the PPT algorithm obtained by resetting P ε^{−1} times. With constant probability, P picks ω in Ω_r and the probability can be made close to 1 by repeating the execution of P. At the end, λ values {r_i}_{i∈[1,λ]} are found such that, for distinct challenges
. Now, we have two possibilities. In the first case, two of the values, say
, are equal before hashing. Let
This contradicts the intractability of [·]. In the second case, all these values are pairwise distinct and a λ-collision for H has been found. This contradicts our assumption regarding H.
Remark 2. This result suggests the use of hash functions which are only resistant to λ-collisions (with λ > 2), such that the hash values computed in the first pass can be made much shorter. Indeed, the decrease of the security level can be balanced by sending a slightly larger value of c in the second pass. More precisely, if λ = s^{n'}, we choose c ∈ C^{n+n'} instead of c ∈ C^n.

A Distributed Unified Protocol
A Fiat-Shamir-like distributed authentication protocol was proposed in [2]. Given our UGZK construction, we describe a generic collective authentication protocol which can be seen as a natural follow-up of the main result in [2].

Description
Let us consider an n-node network consisting of N_1, ..., N_n. The nodes N_i can be seen as users and the base station T as a trusted center. To achieve the authentication of the entire network, we propose a unified Fiat-Shamir-like construction which we detail next.
1. Let x_i be a secret piece of information given to node N_i. First, the network topology has to converge and a spanning tree needs to be constructed (e.g. with an algorithm similar to the one presented in [14]). Then, T sends an authentication request message to all the N_i directly connected to it, a message which contains a commitment to c (see 3.) to ensure the protocol's zero-knowledge property even against dishonest verifiers.
2. After receiving an authentication request message:
- Each N_i generates a private k_i and computes t_i ← [k_i];
- The N_i's send authentication messages to all their (existing) children;
- After the children respond, nodes N_i compute t_i ← t_i ⊗ (⊗_j t_j) and send the result up to their parents. Note that the t_j's are sent by the nodes' children.
Such a construction permits the network to compute the ⊗ operation of all the t_i's and send the result t_c to the top of the tree in d steps, where d represents the degree of the spanning tree. We refer the reader to Figure 3 for a toy example of this step.
3. T sends a random c ∈ C^n as an authentication challenge to the N_i directly connected to it.
4. After receiving an authentication challenge c:
- Each N_i computes r_i ← k_i  x_i^{c_i};
- The N_i's then send the authentication challenge to all their (existing) children;
- After the children respond, the N_i's compute r_i ← r_i  ( j r_j) and send the result to their parents. Note that the r_j's are sent by the nodes' children.
The network therefore collectively computes the  operation of all the r_i's and transmits the result r_c to T. Again, we refer the reader to Figure 3 for a toy example of this step.
5. After receiving r_c, T checks that
, where z_1, ..., z_n are the public keys corresponding to x_1, ..., x_n respectively.

Fig. 3. The proposed algorithm running on a network consisting of 4 nodes: computation of t_c (left) and of r_c (right).

Remark 3. The protocol we have just described may be interrupted at any step and such an action results in a failed authentication.
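As an added example (my code, not the paper's), the multiple discrete logarithm instantiation of UGZK from Section 4.1 ((G, +) = (Z_q, +), [x] = h^x) is run both per coordinate and in the collective form of Section 6.1, with the knowledge extractor of Theorem 2 for this instantiation. The toy modulus, the 4-node tree layout, the function names and the aggregated check [r_c] = t_c ⊗ z_1^{c_1} ⊗ ... ⊗ z_n^{c_n} (derived from the homomorphism, since the paper's displayed formula is not reproduced here) are all my assumptions.

```python
"""UGZK as multi-secret Schnorr (Section 4.1) plus the collective
authentication of Section 6.1. Constructed toy parameters; not the paper's code."""
import secrets

# Constructed toy parameters: p = 2q + 1 with p and q prime; h = 2^2 mod p has order q.
P = 2039
Q = 1019
H = pow(2, 2, P)
assert pow(H, Q, P) == 1 and H != 1

def hom(x):
    """The one-way group homomorphism [x] = h^x from (Z_q, +) into <h> in Z_p^*."""
    return pow(H, x, P)

def keygen(n):
    """Per-node secrets x_i and public keys z_i = [x_i]."""
    xs = [secrets.randbelow(Q) for _ in range(n)]
    return xs, [hom(x) for x in xs]

def commit(n):
    """Step 1 of UGZK: fresh k_i and commitments t_i = [k_i]."""
    ks = [secrets.randbelow(Q) for _ in range(n)]
    return ks, [hom(k) for k in ks]

def challenge(n, size):
    """Step 2: a vector c in C^n with C = [0, size - 1], size <= q."""
    return [secrets.randbelow(size) for _ in range(n)]

def respond(ks, xs, cs):
    """Step 3: r_i = k_i + c_i * x_i, the group operation of G being addition mod q."""
    return [(k + c * x) % Q for k, x, c in zip(ks, xs, cs)]

def verify(zs, ts, cs, rs):
    """Verifier check [r_i] == t_i (x) z_i^{c_i} for every coordinate i."""
    return all(hom(r) == (t * pow(z, c, P)) % P
               for z, t, c, r in zip(zs, ts, cs, rs))

def extract(c, c_prime, r, r_prime):
    """Knowledge extractor of Theorem 2 for one coordinate j: two accepting
    transcripts with the same t_j but c_j != c_j' give x_j = (r_j - r_j')/(c_j - c_j')
    mod q (Section 4.1 parameters: modulus q, u_j = 0)."""
    if c == c_prime:
        raise ValueError("challenges must differ")
    return ((r - r_prime) * pow(c - c_prime, -1, Q)) % Q

def aggregate_up(tree, root, per_node, op):
    """Fold per-node values up a spanning tree (children -> parent), as in steps
    2 and 4 of Section 6.1; tree maps a node to the list of its children."""
    acc = per_node[root]
    for child in tree.get(root, []):
        acc = op(acc, aggregate_up(tree, child, per_node, op))
    return acc

def collective_verify(zs, t_c, cs, r_c):
    """Base-station check [r_c] == t_c (x) z_1^{c_1} (x) ... (x) z_n^{c_n}.
    Assumption: this is the check implied by the homomorphism; the paper's own
    displayed formula is not reproduced here."""
    rhs = t_c
    for z, c in zip(zs, cs):
        rhs = (rhs * pow(z, c, P)) % P
    return hom(r_c) == rhs

def collective_round(n=4, size=Q, tree=None):
    """One full run of the Section 6.1 protocol over a constructed 4-node tree
    (node 0 is attached to T; the layout is mine, not the paper's Fig. 3)."""
    tree = tree if tree is not None else {0: [1, 2], 2: [3]}
    xs, zs = keygen(n)
    ks, ts = commit(n)
    cs = challenge(n, size)
    rs = respond(ks, xs, cs)
    t_c = aggregate_up(tree, 0, ts, lambda a, b: a * b % P)   # the (x) operation
    r_c = aggregate_up(tree, 0, rs, lambda a, b: (a + b) % Q)  # the G operation
    return collective_verify(zs, t_c, cs, r_c)
```

The extractor also shows why a node must never reuse k_i across rounds: two responses under the same t_i and different challenges hand over x_i.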

Security Analysis
Theorem 4. Let H be a commutative group. If an adversary corrupts n' < n nodes and if for all j values j ∈ Z and u_j ∈ G are known such that gcd(c_j − c_j', j) = 1 for all c_j, c_j' ∈ C with c_j ≠ c_j', then by running the protocol described in Section 6.1 for m rounds we obtain a proof of knowledge protocol if 1/|C|^{(n−n')m} is negligible, and a zero-knowledge protocol if |C|^{(n−n')} is polynomially bounded.
Proof. If an adversary corrupts n' nodes, then n' secret keys x_i are known to him. Thus, the protocol is equivalent to a UGZK protocol with n − n' secrets. Hence, using Theorem 2 we obtain our statement.

Complexity Analysis
The number of operations necessary for authenticating the whole network depends on the topology. Precise complexity evaluations are given in Table 1. Note that each node performs on average only a few operations (a constant number).
Let d be the degree of the minimum spanning tree of the network. Then, only O(d) messages are sent and, if we do not consider atypical cases, d = O(log n). Put differently, throughout the authentication process only a logarithmic number of messages is sent.

Variations
When implementing the distributed zero-knowledge protocol several trade-offs are possible. Note that when doing so any combination of the trade-offs described below may be used.

Hash-based variant. A distributed version of the UGZK protocol's hash variant (presented in Section 5) can be constructed. Using this "short commitment" version somewhat reduces the number of communicated bits, at the expense of reduced security.

Short challenges variant. In our protocol, the challenge c is sent throughout the network to all nodes. Assuming the use of an ideal hash function h, we may use shorter challenges without affecting security.
- A short c is sent to the nodes N_i;
- Each N_i computes c_i ← h(c i), and uses c_i as a challenge;
- The base station T computes c_i and uses it to check authentication.
Multiple-secret variant. Each node N_i could use a set of secret values {x_{i,j}}_{j∈[1, ]} instead of only one x_i. For the algorithm to be as efficient as possible, the supplementary secrets can be expanded from a concealed seed. For clarity purposes we describe the multiple-secret variant for a single node.
When receiving a challenge c_i, each node computes a response
.
This result can be checked by the verifier by applying the next formula:
.
In the case of multiple nodes, the modified protocol we obtain is a proof of knowledge if 1/|C|^{(n−n') m} is negligible and a zero-knowledge protocol if |C|^{(n−n')} is polynomially bounded.
Practical aspects. Applying the multiple-secret variant, the trade-off between memory and communication can be adjusted, as the security level is  m (single-node compromise). Let µ be an integer. Therefore, if  = µ it suffices to authenticate once to get the same security as t = µ authentications with  = 1. It is obvious that such an approach significantly reduces bandwidth usage, a clearly desirable fact in the IoT context.

Conclusions and Further Development
We proposed a UGZK protocol and analyzed its security. We provided various special cases of our core protocol, described a hash variant of UGZK and discussed security details. We also presented a distributed unified Fiat-Shamir-based protocol, tackled security and complexity aspects and presented implementation trade-offs.
Future work. In order to take advantage of our main protocol's characteristics, we suggest applying it for obtaining generic versions of digital signature schemes [12,16,17] and legally fair contract signing protocols [4,12]. More generally, our proposal could be useful for future works on cryptographic protocol design. In the case of failed network authentication an interesting research direction would be to devise new batch verification algorithms or adapt the ones constructed for digital signatures [5,6] for finding compromised nodes.
