Unformatted text preview: p (2) that Victor did in the protocol with Peggy are 1 in 2. So, the odds of his fooling Valerie are 50 percent. The odds of his fooling her t times are 1 in 2t. For this to work, Peggy must not reuse an r, ever. If she did, and Victor sent Peggy the other random bit in step (2), then he would have both of Peggy’s responses. Then, from even one of these, he can calculate s and it’s all over for Peggy. FeigeFiatShamir Identification Scheme
In their papers [544,545], Feige, Fiat and Shamir show how parallel construction can increase the number of accreditations per round and reduce Peggy and Victor’s interactions. First generate n as in the previous example, the product of two large primes. To generate Peggy’s public and private keys, first choose k different numbers: v1, v2,..., vk, where each vi is a quadratic residue mod n. In other words, choose vi such that x2 = vi mod n has a solution and vi1 mod n exists. This string, v1, v2,..., vk, is the public key. Then calculate the smallest si such that si = sqrt (vi1) mod n. This string, s1, s2,..., sk, is the private key. And the protocol is: (1) Peggy picks a random r, when r is less than n. She then computes x = r2 mod n, and sends x to Victor. (2) Victor sends Peggy a random binary string kbits long: b1, b2,..., bk. (3) Peggy computes y = r * (s1b1 * s2b2 *...* skbk) mod n. (She multiplies together whichever values of si that correspond to bi = 1. If Victor’s first bit is a 1, then s1 is part of the product; if Victor’s first bit is a 0, then s1 is not part of the product, and so on.) She sends y to Victor. (4) Victor verifies that x = y2 * (v1b1 * v2b2 *...* vkbk) mod n. (He multiplies together the values of vi based on the random binary string. If his first bit is a 1, then v1 is part of the product; if his first bit is a 0, then v1 is not part of the product, and so on.) Peggy and Victor repeat this protocol t times, until Victor is convinced that Peggy knows s1, s2,..., sk. The chance that Peggy can fool Victor is 1 in 2kt. The authors recommend a 1 in 220 chance of a cheater fooling Victor and suggest that k = 5 and t = 4. If you are more paranoid, increase these numbers. Previous Table of Contents Next Products  Contact Us  About Us  Privacy  Ad Info  Home Use of this site is subject to...
View
Full Document
 Fall '10
 ALIULGER
 Cryptography, Bruce Schneier, Applied Cryptography, EarthWeb, Search Search Tips

Click to edit the document details