Modification of Diffie-Hellman Key Exchange Algorithm for Zero Knowledge Proof

There are networks and entity groupings that require entity authentication while preserving the privacy of the entity being authenticated. Zero-knowledge proof (ZKP) plays an important role in authentication without revealing secret information. The Diffie-Hellman (D-H) key exchange algorithm was developed to exchange secret keys through unprotected channels. In this paper the D-H algorithm is modified into an interactive zero-knowledge proof protocol. The proposed protocol is designed to satisfy the zero-knowledge proof properties and to resist the known attacks.


I. INTRODUCTION
In simple password protocols, a claimant A gives his password to a verifier B. If certain precautions are not taken, an eavesdropper can obtain the password that was transferred, and from then on he can impersonate A to his own benefit. Other protocols try to improve on this, as in the case of challenge-response systems [14].
A zero-knowledge proof is an interactive method for one party to prove to another that a (usually mathematical) statement is true, without revealing anything other than the truth of the statement. It is common practice to label the two parties in a zero-knowledge proof as the prover of the statement and the verifier of the statement; sometimes they are simply called P (Prover) and V (Verifier) [16]. A common use of a zero-knowledge proof is in authentication systems, where an entity proves its identity to the verifier without revealing its secret [12].
The Diffie-Hellman (D-H) key exchange algorithm is a specific method of exchanging secret keys. It is one of the earliest practical examples of key exchange implemented within the field of cryptography. The D-H key exchange algorithm allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communication channel. This key can then be used to encrypt subsequent communications using a symmetric-key cipher. It is designed specifically to exchange a secret key over insecure communication channels [2,5].
In this paper zero-knowledge proof, the Fiat-Shamir ZKP protocol and the D-H key exchange algorithm are presented and critiqued. A new ZKP is proposed, based on modifying the D-H key exchange algorithm into a zero-knowledge protocol. Two versions of the proposed protocol are presented; the first one is built around the basic D-H key exchange algorithm, which is vulnerable to the man-in-the-middle attack. The second proposed version solves the problem of the mentioned attack.

II. ZERO-KNOWLEDGE PROOF
A zero-knowledge proof (ZKP) is a proof of some statement which reveals nothing other than the veracity of the statement. The word "proof" here is not used in the traditional mathematical sense. Rather, a "proof", or equivalently a "proof system", is an interactive protocol by which one party (called the prover) wishes to convince another party (called the verifier) that a given statement is true. In ZKP, the prover proves that he/she knows a secret without revealing it [4].
Research in zero-knowledge proofs has been motivated by authentication systems where one party wants to prove its identity to a second party via some secret information (such as a password) but doesn't want the second party to learn anything about this secret. This is called a "zero-knowledge proof of knowledge". However, a password is typically too small or insufficiently random to be used in many schemes for zero-knowledge proofs of knowledge. A zero-knowledge password proof is a special kind of zero-knowledge proof of knowledge that addresses the limited size of passwords [12].
One of the most fascinating uses of zero-knowledge proofs within cryptographic protocols is to enforce honest behavior while maintaining privacy. Roughly, the idea is to force a user to prove, using a zero-knowledge proof, that its behavior is correct according to the protocol. Because of soundness, we know that the user must really act honestly in order to be able to provide a valid proof. Because of zero knowledge, we know that the user does not compromise the privacy of its secrets in the process of providing the proof [10,9].

A. Definition Of Zero Knowledge Proof
The ZKP model of computation is defined as an interactive proof system (P,V), where P is a prover and V is a verifier. The protocol (P,V) is for proving a language membership statement for a language over $\{0,1\}^*$.
Let L be a language over $\{0,1\}^*$. For a membership instance $x \in L$, P and V must share the common input x; the proof instance is denoted $(P,V)(x)$.
P and V are linked by a communication channel over which they exchange a sequence, called the proof transcript, $a_1, b_1, a_2, b_2, \dots, a_n, b_n$. The proof transcript interleaves the prover's transcript and the verifier's transcript. Each element $a_i, b_i$ exchanged is bounded by polynomial time in $|x|$, and the proof instance $(P,V)(x)$ must terminate in polynomial time in $|x|$. Upon completing the interaction, the output of the protocol is of the form $(P,V)(x) \in \{\text{Accept}, \text{Reject}\}$, representing V's acceptance or rejection of P's claim that $x \in L$ [5].
Three properties are expected from a zero-knowledge proof [11,3]:
1) Completeness: an interactive proof (protocol) is complete if, given an honest prover and an honest verifier (that is, ones following the protocol properly), the protocol succeeds with overwhelming probability (i.e., the verifier accepts the prover's claim).
2) Soundness: an interactive proof (protocol) is sound if there exists an expected polynomial-time algorithm M with the following property: if a dishonest prover (impersonating P) can with non-negligible probability successfully execute the protocol with V, then M can be used to extract from this prover knowledge (essentially equivalent to P's secret) which with overwhelming probability allows successful subsequent protocol executions.
3) Zero-knowledge: a protocol has the zero-knowledge property if it is simulatable in the following sense: there exists an expected polynomial-time algorithm (simulator) which can produce, upon input of the assertion(s) to be proven but without interacting with the real prover, transcripts indistinguishable from those resulting from interaction with the real prover.
Zero-knowledge proofs are not proofs in the mathematical sense of the term, because there is some small probability (called the soundness error) that a cheating prover will be able to convince the verifier of a false statement. However, there are standard techniques to decrease the soundness error to any arbitrarily small value [4,6].

B. Fiat-Shamir ZKP Protocol
In cryptography, the Fiat-Shamir identification scheme is a type of interactive zero-knowledge proof. Like all zero-knowledge proofs, the Fiat-Shamir scheme allows one party (the prover) to prove to another party (the verifier) that he possesses secret information without revealing to him what that secret information is [8].
In the Fiat-Shamir protocol, a trusted third party selects two large prime numbers p and q and calculates $n = p \cdot q$. The value of n is announced to the public; the values p and q are kept secret. Alice, the prover, chooses a secret number s with $1 \le s \le n-1$ and calculates $v = s^2 \bmod n$. She keeps s as her private key and registers v as her public key with the third party. Figure-1 illustrates the steps of the protocol. Alice (the prover) and Bob (the verifier) perform the following procedure [6]:
1) Alice, the prover, chooses a random number r (the commitment) such that $1 \le r \le n-1$, and calculates $x = r^2 \bmod n$; x is called the witness.
2) Alice sends x to Bob as the witness.
3) Bob, the verifier, sends the challenge c to Alice, where $c \in \{0, 1\}$.
4) Alice calculates the response $y = r \cdot s^c \bmod n$, where s is Alice's private key.
5) Alice sends the response y to Bob to prove that she knows her private key (i.e., that she is who she claims to be).
6) Bob calculates $y^2 \bmod n$ and $x \cdot v^c \bmod n$. If these two values are congruent, then Alice either knows the value of s (honest) or she calculated y in some other way (dishonest):
$y^2 \bmod n = (r s^c)^2 \bmod n = r^2 s^{2c} \bmod n = r^2 (s^2)^c \bmod n = x v^c \bmod n$.
7) Steps 1-6 are repeated several times, with c equal to 0 or 1 in each round. The prover must pass the test in every round to be verified.
Another protocol, the Feige-Fiat-Shamir protocol, is similar to the Fiat-Shamir protocol except that it uses a vector of private keys $[s_1, s_2, \dots, s_k]$, a vector of public keys $[v_1, v_2, \dots, v_k]$ and a vector of challenges $[c_1, c_2, \dots, c_k]$. The keys are chosen randomly but they must be relatively prime to n. The Feige-Fiat-Shamir identification scheme uses modular arithmetic and a parallel verification process that limits the number of communications between the prover and verifier [6,8].

C. Zero Knowledge Proof Analysis
A zero-knowledge protocol can be fooled by a third party (Eve) pretending to Bob that she is Alice and thereby gaining access. Eve just has to guess the challenge (as mentioned above, c can only be 0 or 1) and send a response y that is set to a random number, without using the secret key at all (y = r). Two situations can happen [6,8]:
1) Eve guesses that c = 1. Eve calculates $x = r^2 \cdot v^{-1} \bmod n$ and sends x as the witness. If her guess is correct she sends y = r as the response and passes the test, because $y^2 = r^2$ and $x v^c = r^2 v^{-1} v^1 = r^2 \pmod n$.
2) Eve guesses that c = 0. Eve calculates $x = r^2 \bmod n$ and sends x as the witness. If her guess is correct she sends y = r as the response and passes the test, because $y^2 = r^2$ and $x v^c = r^2 v^0 = r^2 \pmod n$.
This attack works against a single round of the Fiat-Shamir scheme, where the chance of guessing correctly is 50%. However, if the process is repeated 20 times, the probability of Eve guessing every one of Alice's challenges correctly decreases to $(1/2)^{20} \approx 9.54 \times 10^{-7}$. In other words, it is highly improbable that Eve can guess correctly 20 times [8]. Recall the definition of ZKP: $(P,V)(x)$ is a probabilistic system such that, for each x in L, the verifier V accepts x with probability $\le 1$ [5,6].
Of course, the challenge is changed every time the protocol is used; therefore, an eavesdropper can, in time, gather enough partial information about the shared secret to try an impersonation attack like the one described above [8].
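The Fiat-Shamir rounds of section II.B and the challenge-guessing impostor described above, as an added Python example (not code from the paper). It assumes a constructed toy modulus n = 1009 · 1013 and models each prover as a commit/respond object so that the witness x is fixed before the challenge c arrives, which is what forces Eve to guess; her success rate is measured empirically and compared with the $(1/2)^k$ bound.

```python
"""Fiat-Shamir identification (section II.B) with an honest prover, the
challenge-guessing impostor of section II.C, and the per-round soundness
error of 1/2 that repetition drives down."""
import math
import random

# Constructed toy modulus: p and q are tiny so the values stay readable.
# A real scheme uses primes of hundreds of digits so that factoring n,
# and hence taking square roots mod n, is infeasible.
P, Q = 1009, 1013
N = P * Q


def keygen(rng):
    """Prover picks a secret s coprime to n and registers v = s^2 mod n."""
    while True:
        s = rng.randrange(1, N)
        if math.gcd(s, N) == 1:
            return s, pow(s, 2, N)


class HonestProver:
    """Alice, who really holds the private key s."""

    def __init__(self, s, rng):
        self.s, self.rng, self.r = s, rng, None

    def commit(self):
        """Steps 1-2: choose r and send the witness x = r^2 mod n."""
        self.r = self.rng.randrange(1, N)
        return pow(self.r, 2, N)

    def respond(self, c):
        """Steps 4-5: send y = r * s^c mod n."""
        return (self.r * pow(self.s, c, N)) % N


class CheatingProver:
    """Eve, who knows only the public v and guesses c before committing."""

    def __init__(self, v, rng):
        self.v, self.rng, self.r = v, rng, None

    def commit(self):
        self.r = self.rng.randrange(1, N)
        x = pow(self.r, 2, N)
        if self.rng.randrange(2) == 1:
            # Guessing c = 1: x = r^2 * v^-1 mod n (v is invertible as gcd(s, n) = 1)
            x = (x * pow(self.v, -1, N)) % N
        return x

    def respond(self, c):
        """Always y = r; passes exactly when the committed guess equals c."""
        return self.r


def verify(v, x, c, y):
    """Step 6: Bob accepts the round iff y^2 == x * v^c (mod n)."""
    return pow(y, 2, N) == (x * pow(v, c, N)) % N


def run_protocol(v, prover, rounds, rng):
    """Step 7: repeat the round; accept only if every round passes."""
    for _ in range(rounds):
        x = prover.commit()        # witness committed before the challenge
        c = rng.randrange(2)       # Bob's challenge c in {0, 1}
        y = prover.respond(c)
        if not verify(v, x, c, y):
            return False
    return True


def honest_accepted(rounds=20, seed=1):
    rng = random.Random(seed)
    s, v = keygen(rng)
    return run_protocol(v, HonestProver(s, rng), rounds, rng)


def cheater_success_rate(rounds, trials=2000, seed=2):
    """Empirical fraction of runs Eve survives; expected about (1/2)^rounds."""
    rng = random.Random(seed)
    _, v = keygen(rng)
    wins = sum(run_protocol(v, CheatingProver(v, rng), rounds, rng)
               for _ in range(trials))
    return wins / trials


def soundness_error(rounds):
    """Probability that a guessing prover passes all rounds."""
    return 0.5 ** rounds


if __name__ == "__main__":
    print("honest prover accepted:", honest_accepted())
    for k in (1, 5, 20):
        print(f"{k:2d} rounds: cheater rate {cheater_success_rate(k):.4f}, "
              f"bound {soundness_error(k):.2e}")
```

Running the block prints the honest prover's acceptance and, for 1, 5 and 20 rounds, Eve's measured success rate next to the bound $(1/2)^k$; with 2000 trials the 20-round rate is 0 in practice. The modulus is small only for readability: the scheme also assumes that factoring n is infeasible, which a 7-digit n obviously does not provide.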

III. DIFFIE-HELLMAN KEY EXCHANGE ALGORITHM
The Diffie-Hellman key exchange algorithm was invented in 1976 during a collaboration between Whitfield Diffie and Martin Hellman and was the first practical method for establishing a shared secret between two parties (Alice and Bob) over an unprotected communications channel. The protocol uses the multiplicative group of integers modulo p, $\langle Z_p^*, \times \rangle$, where p is a prime number. That simply means that the integers between 1 and p−1 are used with normal multiplication, exponentiation and division, except that after each operation the result keeps only the remainder after dividing by p. The two parties (Alice and Bob) need to choose two numbers p and g, where p (the modulus) is a prime number and the second number g is a primitive root of order (p−1) in the group $\langle Z_p^*, \times \rangle$, called the generator. The two numbers are public and can be sent through the Internet. Figure-2 shows the procedure of the protocol; the steps are as follows [6,7,13]:
1. Alice chooses a large random number x, such that $0 < x < p$, and calculates $R_1 = g^x \bmod p$.
2. Bob chooses another large random number y, such that $0 < y < p$, and calculates $R_2 = g^y \bmod p$.
3. Alice sends $R_1$ to Bob and Bob sends $R_2$ to Alice.
4. Both Alice and Bob arrive at the same key value:
$K_{Alice} = (R_2)^x \bmod p = (g^y \bmod p)^x \bmod p = g^{xy} \bmod p$,
$K_{Bob} = (R_1)^y \bmod p = (g^x \bmod p)^y \bmod p = g^{xy} \bmod p$.

IV. SECURITY OF DIFFIE-HELLMAN KEY EXCHANGE ALGORITHM
The Diffie-Hellman algorithm is susceptible to two attacks; the discrete logarithm attack and the man-in-the-middle attack [6].

A. Discrete Logarithm attack
An interceptor (Eve) can intercept $R_1$ and $R_2$ and [6,15]: find x from $R_1 = g^x \bmod p$; find y from $R_2 = g^y \bmod p$; then she can calculate $K = g^{xy} \bmod p$ (either exponent alone already suffices, since $K = R_2^x \bmod p = R_1^y \bmod p$). The secret key is not secret anymore.
To make Diffie-Hellman safe from the discrete logarithm attack, the following are recommended:
1) The prime number p must be very large (more than 300 digits).
2) The generator g must be chosen from the group $\langle Z_p^*, \times \rangle$.
3) The numbers x and y must be large random numbers of at least 100 digits, used only once (destroyed after being used).
Still, no algorithm for the discrete logarithm problem is known with computational complexity $O(x^r)$ for any constant r, i.e. no polynomial-time algorithm; all known algorithms are infeasible for parameters of this size [15,1].
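The exchange of section III and the discrete-logarithm attack of section IV.A, carried out in Python on a constructed toy group (p = 1019, g = 2) as an added example, not code from the paper. Eve's brute_force_log is the naive exhaustive search; it recovers x from $R_1$ in at most p steps here, which is exactly what recommendation 1 above rules out for a p of more than 300 digits.

```python
"""Diffie-Hellman key agreement (section III) followed by Eve's discrete-
logarithm attack (section IV.A) on deliberately tiny parameters."""
import random

# Constructed toy parameters: 1019 is a safe prime (1019 = 2*509 + 1) and
# 2 is a primitive root mod 1019, so g = 2 generates <Z_1019*, x>.
# Real deployments use a p of hundreds of digits, which is exactly what
# makes brute_force_log below infeasible.
P = 1019
G = 2


def dh_public(secret):
    """R = g^secret mod p, the value sent over the insecure channel."""
    return pow(G, secret, P)


def dh_shared(peer_public, secret):
    """K = R_peer^secret mod p."""
    return pow(peer_public, secret, P)


def dh_exchange(x, y):
    """Steps 1-4 with Alice's exponent x and Bob's exponent y.
    Returns (R_1, R_2, K_Alice, K_Bob)."""
    r1 = dh_public(x)            # 1) Alice computes R_1 = g^x and sends it
    r2 = dh_public(y)            # 2) Bob computes R_2 = g^y and sends it
    k_alice = dh_shared(r2, x)   # (g^y)^x mod p
    k_bob = dh_shared(r1, y)     # (g^x)^y mod p
    return r1, r2, k_alice, k_bob


def brute_force_log(target):
    """Eve's discrete-logarithm attack: the x with g^x == target (mod p),
    found by exhaustive search. Cost O(p), feasible only because p is tiny."""
    acc = 1                       # g^0
    for x in range(P - 1):
        if acc == target:
            return x
        acc = (acc * G) % P
    raise ValueError("target is not a power of g modulo p")


def eve_recovers_key(r1, r2):
    """Eve sees only R_1 and R_2 on the wire, recovers x from R_1 and
    computes K = R_2^x mod p, the same key Alice and Bob now share."""
    x = brute_force_log(r1)
    return dh_shared(r2, x)


def demo(seed=7):
    """Random exponents, as the parties would choose them; returns
    (K_Alice, K_Bob, K_Eve)."""
    rng = random.Random(seed)
    x = rng.randrange(1, P - 1)
    y = rng.randrange(1, P - 1)
    r1, r2, k_alice, k_bob = dh_exchange(x, y)
    return k_alice, k_bob, eve_recovers_key(r1, r2)


if __name__ == "__main__":
    k_alice, k_bob, k_eve = demo()
    print(f"K_Alice={k_alice} K_Bob={k_bob} K_Eve={k_eve}")
```

Replacing P with a 300-digit prime leaves dh_exchange instantaneous (modular exponentiation is polynomial in the bit length) while brute_force_log would need on the order of $10^{300}$ multiplications, which is the asymmetry the recommendations above rely on.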

B. Man-in-the-middle attack
The Diffie-Hellman algorithm is vulnerable to the man-in-the-middle attack, in which the attacker is able to read and modify all messages between Alice and Bob. As g is not secret, the attacker can easily create his own power of g and send that to Bob. When Bob replies, the attacker intercepts the message and thus shares a key with Bob. Eve, the interceptor, can create two keys: one between herself and Alice, and another between herself and Bob. Figure-3 shows the man-in-the-middle attack. The attack can be performed as follows [6,15]:
1) Alice chooses x, calculates $R_1 = g^x \bmod p$ and sends $R_1$ to Bob.
2) Eve, the intruder, intercepts $R_1$, chooses z, calculates $R_2 = g^z \bmod p$ and sends $R_2$ to both Alice and Bob.
3) Bob chooses y, calculates $R_3 = g^y \bmod p$ and sends $R_3$ to Alice. $R_3$ is intercepted by Eve and never reaches Alice.
4) Alice and Eve calculate $K_1 = g^{xz} \bmod p$, which becomes the shared key between them.
5) Eve and Bob calculate $K_2 = g^{zy} \bmod p$, which becomes the shared key between them.
However, the man-in-the-middle attack can be prevented by the station-to-station key agreement protocol, which uses digital signatures with public-key certificates to establish a session key between Alice and Bob [6,1].
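Steps 1-5 of the attack above as an added Python example (not code from the paper), on a constructed toy group (p = 1019, g = 2). The Party class keeps each exponent private and derives its key from whatever value arrives on the wire, which is what makes Eve's substitution invisible to Alice and Bob; attack_succeeded checks the three facts the text states: Eve holds $K_1$ with Alice, $K_2$ with Bob, and the two victims hold different keys.

```python
"""Man-in-the-middle attack on unauthenticated Diffie-Hellman (section IV.B):
Eve substitutes her own R_2 = g^z mod p and ends up holding one key with
Alice and another with Bob, while neither notices."""
import random

# Constructed toy parameters: 2 is a primitive root mod the prime 1019.
# The attack needs no discrete logarithm, so parameter size does not matter.
P = 1019
G = 2


class Party:
    """One endpoint; the exponent never leaves the object."""

    def __init__(self, name, secret):
        self.name = name
        self._secret = secret
        self.public = pow(G, secret, P)    # R = g^secret mod p
        self.key = None

    def key_with(self, peer_public):
        """K = R_peer^secret mod p for whatever value arrived on the wire."""
        return pow(peer_public, self._secret, P)

    def receive(self, peer_public):
        """Accept the received value as the peer's R and fix the session key."""
        self.key = self.key_with(peer_public)
        return self.key


def honest_run(x, y):
    """No attacker: Alice and Bob agree on g^xy."""
    alice, bob = Party("Alice", x), Party("Bob", y)
    bob.receive(alice.public)      # R_1 reaches Bob unchanged
    alice.receive(bob.public)      # Bob's reply reaches Alice unchanged
    return alice.key, bob.key


def mitm_run(x, y, z):
    """Steps 1-5 of section IV.B with Eve's exponent z.
    Returns (K_Alice, K_Bob, K_1, K_2): K_1 is Eve's key with Alice,
    K_2 is Eve's key with Bob."""
    alice, bob, eve = Party("Alice", x), Party("Bob", y), Party("Eve", z)
    # 1) Alice sends R_1 = g^x. 2) Eve intercepts it, computes K_1, and sends
    #    R_2 = g^z to both Alice and Bob in its place.
    k1 = eve.key_with(alice.public)
    bob.receive(eve.public)        # Bob takes R_2 for Alice's value
    # 3) Bob sends R_3 = g^y; Eve intercepts it and it never reaches Alice.
    k2 = eve.key_with(bob.public)
    alice.receive(eve.public)      # Alice takes R_2 for Bob's value
    # 4) Alice and Eve share K_1 = g^xz; 5) Eve and Bob share K_2 = g^zy.
    return alice.key, bob.key, k1, k2


def attack_succeeded(x, y, z):
    """True when Eve can decrypt and re-encrypt everything: she holds both
    session keys and the two victims hold different keys."""
    k_alice, k_bob, k1, k2 = mitm_run(x, y, z)
    return k_alice == k1 and k_bob == k2 and k_alice != k_bob


if __name__ == "__main__":
    rng = random.Random(11)
    x, y, z = (rng.randrange(1, P - 1) for _ in range(3))
    print("honest keys:", honest_run(x, y))
    print("under attack (K_Alice, K_Bob, K_1, K_2):", mitm_run(x, y, z))
```

Nothing in the exchange lets Alice or Bob tell $g^z$ from the genuine value, which is why the station-to-station fix mentioned above has to add a signed, certificate-bound message rather than change the arithmetic.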

V. PROPOSED ZKP
The proposed ZKP is based on the D-H key exchange algorithm in the sense that both parties (the prover and the verifier) exchange non-secret information, without revealing their secrets, to arrive at one identical secret key. This means that the prover can prove to the verifier that he knows the secret. The proposed algorithm was developed in two stages: in the first stage a first version was developed based on the basic D-H key exchange algorithm, which is vulnerable to the man-in-the-middle attack; the second version was developed to resist the man-in-the-middle attack. The two versions are described below.

A. Proposed ZKP Version-1
A trusted third party selects two numbers p and g and announces them as public numbers, where p (the modulus) is a large prime number and g is a primitive root of order (p−1) in the group $\langle Z_p^*, \times \rangle$.
The prover (Alice) proves to the verifier (Bob) that she knows a secret by calculating the key $K_{Alice}$ and resending Bob's reply $R_2$ to the verifier (Bob) encrypted with the generated secret key $K_{Alice}$. Bob encrypts his own reply $R_2$ with the generated secret key $K_{Bob}$ and matches the two encrypted values; if they match then Alice is verified, otherwise she is rejected. Figure-4 shows the procedure of the proposed protocol. The protocol is performed as follows:
1) Alice (the prover) chooses a large random number x, such that $0 < x < p$, and calculates $R_1 = g^x \bmod p$.

B. Analysis Of The Proposed Protocol
G is the group $\langle Z_p^*, \times \rangle$. $R_1$, $R_2$, $C_1$ and $C_2$ are membership instances in G and form the proof transcript. P and V exchange a finite sequence of proof transcript elements, and upon completion of the interaction the output of the protocol is {Accept, Reject}. The proposed protocol satisfies the ZKP properties and resists the known attacks as follows:
1) Completeness: if Alice (the prover) and Bob (the verifier) are honest, then on performing the protocol steps it must end with an {accept, reject} decision. That is because the final decision depends on the computed value of the secret key K, which is equal to $K = g^{xy} \bmod p$ on both sides, and which can be either identical [accept] or different [reject].
2) Soundness: if the prover fails to compute the correct value of the secret key K, the encrypted reply $C_2' = E(K_{Alice}, R_2)$ will differ from the value computed by the verifier, $C_2 = E(K_{Bob}, R_2)$. The values of $C_1$ and $C_2$ cannot be guessed; there are two possibilities, either $C_2 = C_2'$ or $C_2 \ne C_2'$. The proposed algorithm is not a probabilistic protocol; hence it has no soundness error, where
3) Zero-Knowledge: on completion, both parties, the prover and the verifier, have no further information other than their own secret numbers and the calculated secret key. The secret numbers x, y and K are not revealed.
4) The proposed protocol version-2 resists the man-in-the-middle attack, since Eve cannot calculate the two secret keys $K_1 = R_1^z \bmod p$ and $K_2 = R_2^z \bmod p$ to be shared with Alice and Bob.
5) The proposed protocol can be protected against the discrete logarithm attack by applying the recommendations in section IV.A.

VI. CONCLUSIONS
A. Zero-knowledge proofs are probabilistic proofs because there is some small probability (the soundness error) that allows a cheating prover to convince the verifier of a false statement. Standard techniques are used to decrease the soundness error to any arbitrarily small value, but at additional computational cost.
B. The proposed protocol is a deterministic algorithm with bounded values (not probabilistic); hence it has no soundness error and no additional computational cost.
C. The proposed protocol fulfills the ZKP properties and is protected against the discrete logarithm attack and the man-in-the-middle attack.
D. The proposed algorithm serves as a key exchange algorithm with the addition of authentication services.
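Version-1 of the proposed protocol (section V.A) and the analysis of it, as an added Python example, not the authors' code. The page does not specify the cipher E, so E(K, R) is instantiated here as HMAC-SHA256 over the encoded integers (an assumption; only the property that equal keys and inputs give equal outputs is used), and the group is the constructed toy group p = 1019, g = 2. honest_run shows completeness; impostor_run shows that an impostor replaying Alice's $R_1$ is accepted exactly when she has found x, i.e. when she has carried out the discrete-logarithm attack of section IV.A; mitm_run reproduces the man-in-the-middle weakness of version-1 stated in section V.

```python
"""Proposed ZKP version-1 (section V.A): Alice proves knowledge of the
Diffie-Hellman key K by returning C_2' = E(K_Alice, R_2); Bob accepts iff
it equals his own C_2 = E(K_Bob, R_2). Also reproduces the man-in-the-middle
weakness that the text attributes to version-1."""
import hashlib
import hmac

# Constructed toy group: 2 is a primitive root mod the prime 1019.
P = 1019
G = 2


def E(key, value):
    """Keyed transform standing in for the paper's unspecified E(K, R).
    Assumed here: HMAC-SHA256 over the big-endian bytes of the integers.
    Only the property 'same key and input give the same output' is used."""
    return hmac.new(key.to_bytes(4, "big"), value.to_bytes(4, "big"),
                    hashlib.sha256).digest()


class Prover:
    """Alice: keeps x, publishes R_1 = g^x, proves she can derive K from R_2."""

    def __init__(self, x):
        self._x = x
        self.R1 = pow(G, x, P)

    def prove(self, R2):
        k_alice = pow(R2, self._x, P)      # K_Alice = R_2^x mod p
        return E(k_alice, R2)              # C_2' = E(K_Alice, R_2)


class Verifier:
    """Bob: keeps y, publishes R_2 = g^y, compares C_2' with E(K_Bob, R_2)."""

    def __init__(self, y):
        self._y = y
        self.R2 = pow(G, y, P)

    def verify(self, R1, C2_prime):
        k_bob = pow(R1, self._y, P)        # K_Bob = R_1^y mod p
        C2 = E(k_bob, self.R2)             # C_2 = E(K_Bob, R_2)
        return hmac.compare_digest(C2, C2_prime)   # accept iff C_2 == C_2'


def honest_run(x, y):
    """Completeness: an honest Alice is accepted."""
    alice, bob = Prover(x), Verifier(y)
    return bob.verify(alice.R1, alice.prove(bob.R2))


def impostor_run(x, y, x_guess):
    """Soundness: Eve replays Alice's R_1 but must supply x herself.
    She is accepted exactly when x_guess == x, i.e. when she has solved
    the discrete logarithm of R_1 (section IV.A)."""
    alice, bob = Prover(x), Verifier(y)
    k_guess = pow(bob.R2, x_guess, P)
    return bob.verify(alice.R1, E(k_guess, bob.R2))


def mitm_run(x, y, z):
    """Eve with exponent z sits between Alice and Bob (section IV.B).
    Returns (eve_verifies_alice, bob_accepts): both True, although Alice
    and Bob never shared a key, because nothing binds R_1 to Alice."""
    alice, bob = Prover(x), Verifier(y)
    eve_pub = pow(G, z, P)
    # Towards Alice, Eve plays Bob: she hands over g^z instead of R_2 and
    # checks Alice's proof with K_1 = R_1^z mod p.
    c_from_alice = alice.prove(eve_pub)
    eve_verifies_alice = hmac.compare_digest(
        c_from_alice, E(pow(alice.R1, z, P), eve_pub))
    # Towards Bob, Eve plays Alice: she sends g^z as "R_1" and proves with
    # K_2 = R_2^z mod p, which she knows.
    k2 = pow(bob.R2, z, P)
    bob_accepts = bob.verify(eve_pub, E(k2, bob.R2))
    return eve_verifies_alice, bob_accepts


if __name__ == "__main__":
    print("honest Alice accepted:", honest_run(5, 7))
    print("impostor with wrong x accepted:", impostor_run(5, 7, 6))
    print("MITM (Eve verifies Alice, Bob accepts Eve):", mitm_run(5, 7, 11))
```

With a toy p the impostor can obtain x by the exhaustive search of section IV.A, so in practice the soundness of version-1 rests entirely on the parameter-size recommendations of that section; and since Bob accepts any $R_1$ whose exponent the sender knows, version-1 authenticates possession of the Diffie-Hellman key but not Alice's identity, which is the gap version-2 is stated to close.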