applied cryptography - protocols, algorithms, and source code in c

Patents schnorr is patented in the united states 1398

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: she multiplies together the values of the sj based on the random bi,j values. If bi,1 is a 1, then s1 is multiplied; if bi,1 is a 0, then s1 is not multiplied.) (4) Alice sends Bob m, all the bit values of bi,j, and all the values of yi. He already has Alice’s public key: v1, v2,..., vk. (5) Bob computes z1, z2,..., zt, where zi = yi2 * (v1bi1 * v2bi2 *...* vkbik) mod n (Again, Bob multiplies based on the bi, j values.) Also note that zi should be equal to xi. (6) Bob verifies that the first k * t bits of H(m, z1, z2,..., zt) are the bi, j values that Alice sent him. As with the identification scheme, the security of this signature scheme is proportional to 1/2kt. It also depends on the difficulty of factoring n. Fiat and Shamir pointed out that forging a signature is easier when the complexity of factoring n is considerably lower than 2kt. And, because of birthday-type attacks (see Section 18.1), they recommend that k * t be increased from 20 to at least 72. They suggest k = 9 and t = 8. Improved Fiat-Shamir Signature Scheme Silvio Micali and Adi Shamir improved the Fiat-Shamir protocol in [1088]. They chose v1, v2,..., vk to be the first k prime numbers. So v1 = 2, v2 = 3, v3 = 5, and so on. This is the public key. The private key, s1, s2,..., sk is a random square root, determined by si = sqrt (vi-1) mod n In this version, every person must have a different n. The modification makes it easier to verify signatures. The time required to generate signatures, and the security of those signatures, is unaffected. Other Enhancements There is also an N-party identification scheme, based on the Fiat-Shamir algorithm [264]. Two other improvements to the Fiat-Shamir scheme are proposed in [1218]. Another variant is [1368]. Ohta-Okamoto Identification Scheme This protocol is a modification of the Feige-Fiat-Shamir identification scheme and gets its security from the difficulty of factoring [1198,1199]. The same authors also wrote a multisignature scheme (see Section 23.1), by wh...
View Full Document

Ask a homework question - tutors are online