Applied Cryptography - Protocols, Algorithms, and Source Code in C

she multiplies together the values of the $s_j$ based on the random $b_{i,j}$ values. If $b_{i,1}$ is a 1, then $s_1$ is multiplied; if $b_{i,1}$ is a 0, then $s_1$ is not multiplied.)

(4) Alice sends Bob $m$, all the bit values of $b_{i,j}$, and all the values of $y_i$. He already has Alice's public key: $v_1, v_2, \ldots, v_k$.

(5) Bob computes $z_1, z_2, \ldots, z_t$, where

$$z_i = y_i^2 \cdot \left(v_1^{b_{i,1}} \cdot v_2^{b_{i,2}} \cdots v_k^{b_{i,k}}\right) \bmod n$$

(Again, Bob multiplies based on the $b_{i,j}$ values.) Also note that $z_i$ should be equal to $x_i$.

(6) Bob verifies that the first $k \cdot t$ bits of $H(m, z_1, z_2, \ldots, z_t)$ are the $b_{i,j}$ values that Alice sent him.

As with the identification scheme, the security of this signature scheme is proportional to $1/2^{kt}$. It also depends on the difficulty of factoring $n$. Fiat and Shamir pointed out that forging a signature is easier when the complexity of factoring $n$ is considerably lower than $2^{kt}$. And, because of birthday-type attacks (see Section 18.1), they recommend that $k \cdot t$ be increased from 20 to at least 72. They suggest $k = 9$ and $t = 8$.

Improved Fiat-Shamir Signature Scheme

Silvio Micali and Adi Shamir improved the Fiat-Shamir protocol in [1088]. They chose $v_1, v_2, \ldots, v_k$ to be the first $k$ prime numbers. So $v_1 = 2$, $v_2 = 3$, $v_3 = 5$, and so on. This is the public key. The private key, $s_1, s_2, \ldots, s_k$, is a random square root, determined by

$$s_i = \sqrt{v_i^{-1}} \bmod n$$

In this version, every person must have a different $n$. The modification makes it easier to verify signatures. The time required to generate signatures, and the security of those signatures, is unaffected.

Other Enhancements

There is also an N-party identification scheme, based on the Fiat-Shamir algorithm [264]. Two other improvements to the Fiat-Shamir scheme are proposed in [1218]. Another variant is [1368].

Ohta-Okamoto Identification Scheme

This protocol is a modification of the Feige-Fiat-Shamir identification scheme and gets its security from the difficulty of factoring [1198,1199].
The same authors also wrote a multisignature scheme (see Section 23.1), by wh...
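
The Fiat-Shamir signature check in steps (4) to (6) above, as an added Python example that is not code from the book. It assumes SHA-256 for H, a constructed toy modulus, hypothetical helper names, and the signing steps (random r_i, x_i = r_i^2 mod n, y_i = r_i times the selected s_j) from the standard description of the scheme, since they are not on this page.

```python
import hashlib
import secrets
from math import gcd

K, T = 9, 8  # k * t = 72 challenge bits, the parameters suggested above

def challenge_bits(m, xs, n):
    """First K*T bits of H(m, x_1..x_t) as a T x K matrix b[i][j] (H = SHA-256, assumed)."""
    size = (n.bit_length() + 7) // 8
    h = hashlib.sha256(m + b"".join(x.to_bytes(size, "big") for x in xs)).digest()
    bits = [(h[p // 8] >> (7 - p % 8)) & 1 for p in range(K * T)]
    return [bits[i * K:(i + 1) * K] for i in range(T)]

def keygen(n):
    """Private s_j: random units mod n. Public v_j = (s_j^2)^-1 mod n."""
    s = []
    while len(s) < K:
        c = secrets.randbelow(n - 2) + 2
        if gcd(c, n) == 1:
            s.append(c)
    return s, [pow(c * c % n, -1, n) for c in s]

def masked_product(vals, row, n):
    """Multiply in vals[j] only where the challenge bit row[j] is 1."""
    out = 1
    for val, bit in zip(vals, row):
        if bit:
            out = out * val % n
    return out

def sign(m, s, n):
    r = [secrets.randbelow(n - 2) + 2 for _ in range(T)]
    b = challenge_bits(m, [ri * ri % n for ri in r], n)  # hash over the x_i
    y = [r[i] * masked_product(s, b[i], n) % n for i in range(T)]
    return b, y

def verify(m, b, y, v, n):
    # Step (5): z_i = y_i^2 * prod(v_j^b_ij) mod n, which equals x_i if honest.
    z = [y[i] * y[i] % n * masked_product(v, b[i], n) % n for i in range(T)]
    # Step (6): the recomputed hash bits must match the bits Alice sent.
    return challenge_bits(m, z, n) == b

# Constructed toy modulus from two Mersenne primes; far too small for real use.
N = (2**31 - 1) * (2**61 - 1)
```

Verification succeeds because each factor s_j^2 * v_j is 1 mod n, so the selected s_j and v_j cancel and z_i collapses to r_i^2 = x_i.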
