|
|
Line 1: |
Line 1: |
| {{no footnotes|date=January 2014}}
| | Nice to satisfy you, my name is Ling and I totally dig that name. The thing she adores most is to play handball but she can't make it her occupation. Years in the past we moved to Kansas. Managing individuals is how I make money and it's some thing I really enjoy.<br><br>my website; extended car warranty ([http://www.strawberrystudio.co.uk/UserProfile/tabid/43/userId/64649/Default.aspx funny post]) |
| In [[cryptography]], the '''Feige–Fiat–Shamir identification scheme''' is a type of parallel [[zero-knowledge proof]] developed by [[Uriel Feige]], [[Amos Fiat]], and [[Adi Shamir]] in 1988. Like all zero-knowledge proofs, the Feige-Fiat-Shamir Identification Scheme allows one party, Peggy, to prove to another party, Victor, that she possesses secret information without revealing to Victor what that secret information is. The Feige-Fiat-Shamir Identification Scheme, however, uses [[modular arithmetic]] and a parallel verification process that limits the number of communications between Peggy and Victor.
| |
| | |
| == Setup ==
| |
| Choose two large prime integers ''p'' and ''q'' and compute the product ''n = pq''. Create secret numbers <math>s_1, \cdots, s_k</math> with gcd(<math>s_i</math>,<math>n</math>) = 1. Compute <math>v_i \equiv s_i^{2} \pmod{n}</math>. Peggy and Victor both receive <math>n</math> while <math>p</math> and <math>q</math> are kept secret. Peggy is then sent the numbers <math>s_i</math>. These are her secret login numbers. Victor is sent the numbers <math>v_i</math>. Victor is unable to recover Peggy's <math>s_i</math> numbers from his <math>v_i</math> numbers due to the difficulty in determining a [[modular square root]] when the modulus' factorization is unknown.
| |
| | |
| == Procedure ==
| |
| # Peggy chooses a random integer <math>r</math>, a random sign <math>s\in\{-1,1\}</math> and computes <math>x \equiv s\cdot r^2 \pmod{n}</math>. Peggy sends <math>x</math> to Victor.
| |
| # Victor chooses numbers <math>a_1, \cdots, a_k</math> where <math>a_i</math> equals 0 or 1. Victor sends these numbers to Peggy.
| |
| # Peggy computes <math>y \equiv rs_1^{a_1}s_2^{a_2} \cdots s_k^{a_k}\pmod{n}</math>. Peggy sends this number to Victor.
| |
| # Victor checks that <math>y^2 \equiv \pm\, x v_1^{a_1}v_2^{a_2} \cdots v_k^{a_k}\pmod{n}.</math>
| |
| | |
| This procedure is repeated with different <math>r</math> and <math>a_i</math> values until Victor is satisfied that Peggy does indeed possess the modular square roots (<math>s_i</math>) of his <math>v_i</math> numbers.
| |
| | |
| == Security ==
| |
| In the procedure, Peggy does not give any useful information to Victor. She merely proves to Victor that she has the secret numbers without revealing what those numbers are. Anyone who intercepts the communication between each Peggy and Victor would only learn the same information. The eavesdropper would not learn anything useful about Peggy's secret numbers.
| |
| | |
| In an early version, the '''Fiat-Shamir-Scheme''' (on which the Feige-Fiat-Shamir-Scheme was based), one bit of information was leaked. By the introduction of the sign <math>s</math> even this bit was concealed resulting in a zero-knowledge-protocol.
| |
| | |
| Suppose Eve has intercepted Victor's <math>v_i</math> numbers but does not know what Peggy's <math>s_i</math> numbers are. If Eve wants to try to convince Victor that she is Peggy, she would have to correctly guess what Victor's <math>a_i</math> numbers will be. She then picks a random <math>y</math> , calculates <math>x \equiv y^2 v_1^{-a_1}v_2^{-a_2} \cdots v_k^{-a_k}\pmod{n}</math> and sends <math>x</math> to Victor. When Victor sends <math>a_i</math>, Eve simply returns her <math>y</math>. Victor is satisfied and concludes that Eve has the secret numbers. However, the probability of Eve correctly guessing what Victor's <math>a_i</math> will be is 1 in <math>2^k</math>. By repeating the procedure <math>t</math> times, the probability drops to 1 in <math>2^{k t}</math> . For <math>k = 5</math> and <math>t = 4</math> the probability of successfully posing as Peggy is less than 1 in 1 million.
| |
| | |
| == References ==
| |
| *{{cite journal |last1=Feige |first1=Uriel |last2=Fiat |first2=Amos| last3=Shamir |first3=Adi |year=1988 |title=Zero-knowledge proofs of identity |journal=Journal of Cryptology |volume=1 |issue=2 |pages=77–94 |doi=10.1007/BF02351717 |url= https://springerlink3.metapress.com/content/9gl5112723626462}}
| |
| *{{cite book |first=Wade |last=Trappe |first2=Lawrence C. |last2=Washington |title=Introduction to Cryptography with Coding Theory |location=Upper Saddle River |publisher=Prentice-Hall |year=2003 |pages=231–233 |isbn=0-13-061814-4 }}
| |
| | |
| {{DEFAULTSORT:Feige-Fiat-Shamir identification scheme}}
| |
| [[Category:Zero-knowledge protocols]]
| |
Nice to satisfy you, my name is Ling and I totally dig that name. The thing she adores most is to play handball but she can't make it her occupation. Years in the past we moved to Kansas. Managing individuals is how I make money and it's some thing I really enjoy.
my website; extended car warranty (funny post)