applied cryptography - protocols, algorithms, and source code in c

As with the identification scheme the security of

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: urther details of this bizarre story are in [936]. Simplified Feige-Fiat-Shamir Identification Scheme Before issuing any private keys, the arbitrator chooses a random modulus, n, which is the product of two large primes. In real life, n should be at least 512 bits long and probably closer to 1024 bits. This n can be shared among a group of provers. (Choosing a Blum integer makes computation easier, but it is not required for security.) To generate Peggy’s public and private keys, a trusted arbitrator chooses a number, v, where v is a quadratic residue mod n. In other words, choose v such that x2 a v (mod n) has a solution and v-1 mod n exists. This v is Peggy’s public key. Then calculate the smallest s for which s a sqrt (v-1) (mod n). This is Peggy’s private key. The identification protocol can now proceed. (1) Peggy picks a random r, where r is less then n. She then computes x = r2 mod n, and sends x to Victor. (2) Victor sends Peggy a random bit, b. (3) If b = 0, then Peggy sends Victor r. If b = 1, then Peggy sends Victor y = r * s mod n. (4) If b = 0, Victor verifies that x = r2 mod n, proving that Peggy knows sqrt (x). If b = 1, Victor verifies that x = y2 * v mod n, proving that Peggy knows sqrt (v-1). This is a single round—called an accreditation—of the protocol. Peggy and Victor repeat this protocol t times, until Victor is convinced that Peggy knows s. It’s a cut-and-choose protocol. If Peggy doesn’t know s, she can pick r such that she can fool Victor if he sends her a 0, or she can pick r such that she can fool Victor if he sends her a 1. She can’t do both. The odds of her fooling Victor once are 50 percent. The odds of her fooling him t times are 1 in 2t. Another way for Victor to attack the protocol would be trying to impersonate Peggy. He could initiate the protocol with another verifier, Valerie. In step (1), instead of choosing a random r, he would just reuse an old r that he saw Peggy use. However, the odds of Valerie choosing the same value for b in ste...
View Full Document

Ask a homework question - tutors are online