applied cryptography - protocols, algorithms, and source code in c

Exchanges with the outside world are time consuming

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: p (2) that Victor did in the protocol with Peggy are 1 in 2. So, the odds of his fooling Valerie are 50 percent. The odds of his fooling her t times are 1 in 2t. For this to work, Peggy must not reuse an r, ever. If she did, and Victor sent Peggy the other random bit in step (2), then he would have both of Peggy’s responses. Then, from even one of these, he can calculate s and it’s all over for Peggy. Feige-Fiat-Shamir Identification Scheme In their papers [544,545], Feige, Fiat and Shamir show how parallel construction can increase the number of accreditations per round and reduce Peggy and Victor’s interactions. First generate n as in the previous example, the product of two large primes. To generate Peggy’s public and private keys, first choose k different numbers: v1, v2,..., vk, where each vi is a quadratic residue mod n. In other words, choose vi such that x2 = vi mod n has a solution and vi-1 mod n exists. This string, v1, v2,..., vk, is the public key. Then calculate the smallest si such that si = sqrt (vi-1) mod n. This string, s1, s2,..., sk, is the private key. And the protocol is: (1) Peggy picks a random r, when r is less than n. She then computes x = r2 mod n, and sends x to Victor. (2) Victor sends Peggy a random binary string k-bits long: b1, b2,..., bk. (3) Peggy computes y = r * (s1b1 * s2b2 *...* skbk) mod n. (She multiplies together whichever values of si that correspond to bi = 1. If Victor’s first bit is a 1, then s1 is part of the product; if Victor’s first bit is a 0, then s1 is not part of the product, and so on.) She sends y to Victor. (4) Victor verifies that x = y2 * (v1b1 * v2b2 *...* vkbk) mod n. (He multiplies together the values of vi based on the random binary string. If his first bit is a 1, then v1 is part of the product; if his first bit is a 0, then v1 is not part of the product, and so on.) Peggy and Victor repeat this protocol t times, until Victor is convinced that Peggy knows s1, s2,..., sk. The chance that Peggy can fool Victor is 1 in 2kt. The authors recommend a 1 in 220 chance of a cheater fooling Victor and suggest that k = 5 and t = 4. If you are more paranoid, increase these numbers. Previous Table of Contents Next Products | Contact Us | About Us | Privacy | Ad Info | Home Use of this site is subject to...
View Full Document

This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.

Ask a homework question - tutors are online