An Identification Scheme with Tight Reduction

There are three well-known identification schemes: the Fiat-Shamir, GQ and Schnorr identification schemes. All of them are proven secure against the passive or active attacks under some numbertheoretic assumptions. However, efficiencies of the reductions in those proofs of security are not tight, because they require “rewinding” a cheating prover. We show an identification scheme IDKEA1, which is an enhanced version of the Schnorr scheme. Although it needs the four exchanges of messages and slightly more exponentiations, the IDKEA1 is proved to be secure under the KEA1 and DLA assumptions with tight reduction. The idea underlying the IDKEA1 is to use an extractable commitment for prover’s commitment. In the proof of security, the simulator can open the commitment in two different ways: one by the non-black-box extractor of the KEA1 assumption and the other through the simulated transcript. This means that we don’t need to rewind a cheating prover and can prove the security without loss of the efficiency of reduction. key words: identification scheme, rewinding, KEA1 assumption, tight reduction