Further details of this bizarre story are in [936].

Simplified Feige-Fiat-Shamir Identification Scheme

Before issuing any private keys, the arbitrator chooses a random modulus, n, which is the product of two large primes. In real life, n should be at least 512 bits long and probably closer to 1024 bits. This n can be shared among a group of provers. (Choosing a Blum integer makes computation easier, but it is not required for security.)

To generate Peggy's public and private keys, a trusted arbitrator chooses a number, v, where v is a quadratic residue mod n. In other words, choose v such that $x^2 \equiv v \pmod n$ has a solution and $v^{-1} \bmod n$ exists. This v is Peggy's public key. Then calculate the smallest s for which $s \equiv \sqrt{v^{-1}} \pmod n$. This is Peggy's private key.

The identification protocol can now proceed.

(1) Peggy picks a random r, where r is less than n. She then computes $x = r^2 \bmod n$, and sends x to Victor.

(2) Victor sends Peggy a random bit, b.

(3) If b = 0, then Peggy sends Victor r. If b = 1, then Peggy sends Victor $y = r \cdot s \bmod n$.

(4) If b = 0, Victor verifies that $x = r^2 \bmod n$, proving that Peggy knows $\sqrt{x}$. If b = 1, Victor verifies that $x = y^2 \cdot v \bmod n$, proving that Peggy knows $\sqrt{v^{-1}}$.

This is a single round, called an accreditation, of the protocol. Peggy and Victor repeat this protocol t times, until Victor is convinced that Peggy knows s.

It's a cut-and-choose protocol. If Peggy doesn't know s, she can pick r such that she can fool Victor if he sends her a 0, or she can pick r such that she can fool Victor if he sends her a 1. She can't do both. The odds of her fooling Victor once are 50 percent. The odds of her fooling him t times are 1 in $2^t$.

Another way for Victor to attack the protocol would be trying to impersonate Peggy. He could initiate the protocol with another verifier, Valerie. In step (1), instead of choosing a random r, he would just reuse an old r that he saw Peggy use. However, the odds of Valerie choosing the same value for b in ste...
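
The accreditation rounds in steps (1) to (4) and the 50 percent cheating bound, as a runnable sketch. This is an added example, not code from the original text; the toy modulus, the function names, and the shortcut of drawing s first and deriving v (rather than choosing v and taking the smallest root) are assumptions made for illustration.

```python
import secrets
from math import gcd

N = 10007 * 10039  # constructed toy modulus (assumption); the text calls for 512 to 1024 bits

def rand_unit(n):
    """Random value in [2, n) that is invertible mod n."""
    while True:
        a = secrets.randbelow(n - 2) + 2
        if gcd(a, n) == 1:
            return a

def keygen(n=N):
    """Arbitrator shortcut (assumption): draw s, then v = (s^2)^-1 mod n; retry if v == 1."""
    while True:
        s = rand_unit(n)
        v = pow(pow(s, 2, n), -1, n)
        if v != 1:
            return v, s                      # (public key, private key)

def commit(n=N):
    """Step 1: Peggy picks r < n and sends x = r^2 mod n."""
    r = secrets.randbelow(n - 1) + 1
    return r, pow(r, 2, n)

def respond(r, s, b, n=N):
    """Step 3: reveal r for b = 0, or y = r*s mod n for b = 1."""
    return r if b == 0 else (r * s) % n

def verify(x, b, resp, v, n=N):
    """Step 4: x == r^2 for b = 0, or x == y^2 * v for b = 1 (mod n)."""
    lhs = pow(resp, 2, n)
    return x == (lhs if b == 0 else (lhs * v) % n)

def honest_run(v, s, t=20, n=N):
    """t accreditations with a prover who knows s; True if all pass."""
    for _ in range(t):
        r, x = commit(n)
        b = secrets.randbelow(2)
        if not verify(x, b, respond(r, s, b, n), v, n):
            return False
    return True

def cheat_round(v, guess, b, n=N):
    """Prover without s builds x for one guessed bit; True if Victor accepts."""
    z = rand_unit(n)
    x = pow(z, 2, n) * (v if guess else 1) % n
    return verify(x, b, z, v, n)
```

A prover without s passes a round only when the guessed bit matches Victor's challenge, which is why t rounds leave a 1 in $2^t$ chance of success.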
 Fall '10
 ALIULGER
 Cryptography
