Zero-Knowledge Authentication

Zero-Knowledge proofs (ZKPs) enable proving of mathematical statements, revealing nothing but their validity. We design an authentication sys-tem with a ZKP as a password veriﬁcation mechanism within the Extensible Authentication Protocol (EAP) framework. Designing a secure pass-word authentication system requires us to adopt security practices for protecting ourselves against the vulnerabilities of passwords. Integrating said practices is not trivial because of the tight coupling with the password verification method.


Introduction
Today privacy is a necessary sacrifice we have to make in order to take part in the digital world, imperative to our modern life. Every day, more digital systems gain access to our personal information. While this practice is often a necessary evil, many companies seek to exploit this position. Zero-knowledge proofs (ZKPs) are an intriguing cryptographic phenomenon for proving mathematical statements without revealing why they are true, and have the potential to change how our data exists in the digital space.
Our focus will be to define a simple use for zero-knowledge proofs. We will design an authentication system using a zero-knowledge proof as a password verification method, as an authentication method in the extensible authentication protocol (EAP). When designing the system, we need to protect ourselves from vulnerabilities of passwords. However, integrating security methods presents a challenge because of the zero-knowledge proof system.

Extensible Authentication Protocol
Extensible authentication protocol [10] (EAP) is a general purpose authentication framework designed for network access authentication. EAP defines a set of messages that support negotiation and execution of a variety of authentication protocols. EAP is a two-party protocol between a peer and an authenticator at each end of a link.
Messages. The peer and the authenticator communicate by exchanging EAP messages. The protocol starts with the authenticator sending a message to the peer. They keep exchanging messages until the authenticator can either authenticate the peer or not. Messages are exchanged in a lock-step manner, where an authenticator sends a message and the peer responds to it. The authenticator dictates the order of messages, meaning it can send a message at any point of communication, as opposed to the peer, which can only respond to messages from the authenticator.
Messages are composed of fields, each field length is multiple of an octet of bits (Table 1). We will store our authentication method data within the Type-Data field.
Our EAP method is identified by the Type 84.

Zero-Knowledge Proofs
Zero-Knowledge Proofs [5,6,7] (ZKPs) are a concept in cryptography for proving the validity of mathematical statements. What makes them particularly interesting is that ZKPs can prove a statement revealing no information about why a statement is true, hence the term zeroknowledge. In mathematics, theorem proofs are logical arguments that establish truth through inference rules of a deductive system based on axioms and other proven theorems. ZKPs are probabilistic, meaning they convince the verifier of the validity. We use the term convince, because ZKPs are not absolute truth, but the probability of someone being convinced by a false statement is arbitrarily small.

Definition 3.1 (Quadratic Residuosity Problem)
Given an integer x, a semiprime modulus n = pq, where p and q are unknown different primes, and a Jacobi symbol value x n = 1. Determine if x is a quadratic residue modulo n or not.
The law of quadratic reciprocity enables efficient computation of the Jacobi symbol value x n . However, when x n = 1, it does not tell if x is a quadratic residue modulo n or not. x is only a quadratic residue if it's a quadratic residue of both modulo p and q ( x p = x q = 1). To compute this, we would have to know the factorization of n. However, since n is a product of two primes pq = n, this is computationally hard [2]. The only efficient way  to prove x is a quadratic residue modulo n, is with the root w. The problem acts as a trapdoor function, where it's hard to prove if x is a quadratic residue modulo n solely from x and n, while it is easy to prove when you know its root w.

Authors [7] described a ZKP system for the quadratic residuosity problem.
To prove x is a quadratic residue modulo n in zero-knowledge we need to prove the existence of the root w, where w 2 ≡ x (mod n), without revealing w to the verifier.  Table 2 of the ZKP authentication process, the middle spaces represent the EAP message Type-Data field.
The prover begins by picking a random integer u from the field Z n , computing y = u 2 (mod n), and sending y to the verifier. The verifier picks a random bit b and sends it to the prover. The prover computes the value z with b and sends it back. The verifier checks the proof by asserting z 2 ≡ yx b (mod n), this is possible since For each round a cheating prover has a 1 2 probability of succeeding by correctly guessing the value of the random bit b. To improve the strength of the proof, we repeat this process m times for a confidence of 1 − 2 −m .
To use this protocol as a password verification method, we can treat the root w as the password p = w known by the peer. The ZKP protocol proves that x is a quadratic residue modulo n, by proving the knowledge of the root w, where w 2 ≡ x (mod n). The peer will prove that x is a quadratic residue modulo n, to do this however, the peer needs to prove the knowledge of the password p = w. With this, the authenticator can assert that the password is valid.

Password Protection
Password cracking [1] is an offline attack [8], where an attacker extracts passwords from data used by the authentication system for password verification. Protecting passwords on the data layer is of critical importance. Key-stretching, [9,1] also called password hashing, is the industry standard method for improving security of low entropy secrets like passwords.
The quadratic residue x is derived from root w = p and persistently stored with the authenticator. This introduces a vulnerability, as an attacker with access to x could crack the password w in an offline attack. To provide adequate security, we need to use key-stretching in our authentication method. A common application of a key-stretching method is to transform the vulnerable data stored in the authentication system. However, this approach doesn't work in our case. Let us revisit how the authenticator verifies the proof, and why key-stretching the password verification data (x) data is an issue. We'll begin by assuming the system can verify the proof and key-stretching the password verification data (x) data. As we define our process, we will see why it is not possible.
Key-Stretching x. On the last step of the protocol the authenticator verifies that This is possible assuming a polynomial algorithm H −1 exists, however, since key-stretching methods are based on hashing functions (one-way functions), we know that the probability of a polynomial algorithm H −1 to successfully compute a pseudo-inverse is negligibly small. For all positive integers c [4] Even if given unbounded time and resources, the pseudoinverse x = H −1 (H(x)) might not be equal to x = x.
The set x, x ∈ I x are all values that map into H(x) = H(x ), and since H is not injective we know that |I x | ≥ 1.
Meaning that the probability that x = x is Key-stretching x prevents us from verifying the ZKP. However, by increasing the entropy of the root w, we can eliminate the vulnerability and ensure adequate security.
Our new approach won't treat the password p = w as the root w. However, we will use the password p to derive the root w = H(p, s), using a key-stretching function H and salt s. This way we've ensured the same level of protection against offline attacks as if we stretched the data stored in the system. And because we didn't transform x, we can verify the proof without being affected by issues mentioned in the previous paragraph. A similar approach is used in the PPP EAP SRP-SHA1 protocol [3]. Earlier we argued the ZKP works as a password verification method because p = w, this argument isn't true anymore. However, even though w = p, the peer can only derive w knowing the password p, so when the peer proves the knowledge of w, it can only be so because they know p as well.

Secure Authentication
The authentication process now begins with the peer sending his identifier to the authenticator and the authenticator responding with the peer's unique salt s and modulo n. The peer can now derive the root w from the password p and salt s. This part of the process (Steps 1. and 2. in the Table 3) happens only once.
The peer can then authenticate by following the process as described in §3.1. This part (Steps 3., 4. and 5.) of the process is repeated m times for a confidence of 1 − 2 −m .
The middle space in the Table 3 represents the Type-Data field of the EAP messages.
Peer Authenticator  Figure 1) of the authentication process described in Table 3. The mapping between EAP messages and the steps in Table 3 is not one-to-one. We merged some steps to reduce the number of message exchanges required for the process to complete.
Identity This message is used to query the identity of the peer. In a system with multiple peers, this is required to identify the peer authenticating, and to find the correct salt s and quadratic residue x. (Table 3, Step 1.) Setup The peer needs both the salt s and the modulus n to compute the proof, however, he only knows the password p. Once the peer identifies himself, the authenticator needs to send him the salt s and modulus n in the setup request message. (Table 3, Step 2. and 3.) Verification With this message pair the peer and the authenticator exchange data to compute and verify The peer also sends the y i+1 for the next verification round i + 1, this is done as an optimisation to improve the speed of the process. (Table 3, Step 4., 5. and 3.) Success/Failure After each verification message, the authenticator verifies the proof, and once it's done successfully for m rounds, the authenticator sends the success message. However, if the proof isn't valid, the authenticator must send a failure message.

Conclusions and Future Work
The aim of this work was to study the utility of zeroknowledge proofs as an EAP authentication method. We've presented an EAP method using a ZKP system for password verification. Additionally, we ensured adequate password protection by using a key-stretching method.
We have been successful in our goal of studying and using the ZKP protocol. While theoretically interesting the system's performance may not appropriate for real-world applications. The iterative nature of the underlying ZKP protocol accumulates communication latencies, slowing down the system.

Future work.
• The EAP method presented in this work can be implemented and tested in a real-world environment.
• The ZKP protocol used in this work is a first generation protocol. Today there are many newer protocols that have solved many shortcomings of the older generation ZKPs. Using a newer generation ZKP protocol can improve the performance of the authentication system. • The ZKP protocol we've examined is iterative, which can cause worse performance. A parallel ZKP construction is assumed to have a weaker strength of zero-knowledge. However, in a real-world application, the performance improvements might justify the theoretical shortcomings.