Feige-Fiat-Shamir Identification Scheme

Feige-Fiat-Shamir Identification Scheme

In cryptography, the Feige-Fiat-Shamir Identification Scheme is a type of parallel zero-knowledge proof developed by Uriel Feige, Amos Fiat, and Adi Shamir in 1988. Like all zero-knowledge proofs, the Feige-Fiat-Shamir Identification Scheme allows one party, Peggy, to prove to another party, Victor, that she possesses secret information without revealing to Victor what that secret information is. The Feige-Fiat-Shamir Identification Scheme, however, uses modular arithmetic and a parallel verification process that limits the number of communications between Peggy and Victor.

Setup

Choose two large prime integers "p" and "q" and compute the product "n = pq". Create secret numbers s_1, cdots, s_k with gcd(s_i,n) = 1. Compute v_i equiv s_i^{2} pmod{n}. Peggy and Victor both receive n while p and q are kept secret. Peggy is then sent the numbers s_i. These are her secret login numbers. Victor is sent the numbers v_i. Victor is unable to recover Peggy's s_i numbers from his v_i numbers due to the difficulty in determining a modular square root when the modulus' factorization is unknown.

Procedure

# Peggy chooses a random integer r, a random sign sin{-1,1} and computes x equiv scdot r^2 pmod{n}. Peggy sends this number to Victor.
# Victor chooses numbers a_1, cdots, a_k where a_i equals 0 or 1. Victor sends these numbers to Peggy.
# Peggy computes y equiv rs_1^{a_1}s_2^{a_2} cdots s_k^{a_k}pmod{n}. Peggy sends this number to Victor.
# Victor checks that y^2 equiv pm, x v_1^{a_1}v_2^{a_2} cdots v_k^{a_k}pmod{n}.

This procedure is repeated with different r and a_i values until Victor is satisfied that Peggy does indeed possess the modular square roots (s_i) of his v_i numbers.

Security

In the procedure, Peggy does not give any useful information to Victor. She merely proves to Victor that she has the secret numbers without revealing what those numbers are. Anyone who intercepts the communication between each Peggy and Victor would only learn the same information. The eavesdropper would not learn anything useful about Peggy's secret numbers.

In an early version, the Fiat-Shamir-Scheme (on which the Feige-Fiat-Shamir-Scheme was based), one bit of information was leaked. By the introduction of the sign s even this bit was concealed resulting in a zero-knowledge-protocol.

Suppose Eve has intercepted Victor's v_i numbers but does not know what Peggy's s_i numbers are. If Eve wants to try to convince Victor that she is Peggy, she would have to correctly guess what Victor's a_i numbers will be. She then picks a random y , calculates x equiv y^2 v_1^{-a_1}v_2^{-a_2} cdots v_k^{-a_k}pmod{n} and sends x to Victor. When Victor sends a_i, Eve simply returns her y. Victor is satisfied and concludes that Eve has the secret numbers. However, the probablity of Eve correctly guessing what Victor's a_i will be is 1 in 2^k. By repeating the procedure t times, the probability drops to 1 in 2^{k t} . For k = 5 and t = 4 the probability of successfully posing as Peggy is less than 1 in 1 million.

References

*Wade Trappe, Lawrence C. Washington, "Introduction to Cryptography with Coding Theory" (Prentice-Hall, Inc., 2003), pp. 231–233.


Wikimedia Foundation. 2010.

Игры ⚽ Нужно сделать НИР?

Look at other dictionaries:

  • Adi Shamir — Infobox Scientist name = Adi Shamir image width = 200px caption = At the CRYPTO 2003 conference birth date = 1952 birth place = Tel Aviv, Israel death date = death place = residence = Israel citizenship = nationality = ethnicity = field =… …   Wikipedia

  • Schema d'identification — Schéma d identification Dans les métadonnées, un schéma d identification est utilisé pour identifier des enregistrements uniques dans un segment. Si un élément est utilisé pour identifier un enregistrement dans un segment de donnée, l élement… …   Wikipédia en Français

  • Schéma d'identification — Dans les métadonnées, un schéma d identification est utilisé pour identifier des enregistrements uniques dans un segment. Si un élément est utilisé pour identifier un enregistrement dans un segment de donnée, l élement utilise le terme de… …   Wikipédia en Français

  • Zero-knowledge proof — In cryptography, a zero knowledge proof or zero knowledge protocol is an interactive method for one party to prove to another that a (usually mathematical) statement is true, without revealing anything other than the veracity of the statement.A… …   Wikipedia

  • FFS — can stand for: General * , a Stuff Pack for The Sims 2. * For Fucks Sake (book), a novel by Robert Lasner * For fuck s sake in Internet slang. * Friendly fire shots gaming term. * Fee for service, a general industry term * For Further Study , a… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”