This preview shows page 1. Sign up to view the full content.
Unformatted text preview: she multiplies together the values of the sj based on the random bi,j values. If bi,1 is a 1, then s1 is multiplied; if bi,1 is a 0, then s1 is not multiplied.) (4) Alice sends Bob m, all the bit values of bi,j, and all the values of yi. He already has Alice’s public key: v1, v2,..., vk. (5) Bob computes z1, z2,..., zt, where zi = yi2 * (v1bi1 * v2bi2 *...* vkbik) mod n (Again, Bob multiplies based on the bi, j values.) Also note that zi should be equal to xi. (6) Bob verifies that the first k * t bits of H(m, z1, z2,..., zt) are the bi, j values that Alice sent him. As with the identification scheme, the security of this signature scheme is proportional to 1/2kt. It also depends on the difficulty of factoring n. Fiat and Shamir pointed out that forging a signature is easier when the complexity of factoring n is considerably lower than 2kt. And, because of birthdaytype attacks (see Section 18.1), they recommend that k * t be increased from 20 to at least 72. They suggest k = 9 and t = 8. Improved FiatShamir Signature Scheme
Silvio Micali and Adi Shamir improved the FiatShamir protocol in [1088]. They chose v1, v2,..., vk to be the first k prime numbers. So v1 = 2, v2 = 3, v3 = 5, and so on. This is the public key. The private key, s1, s2,..., sk is a random square root, determined by si = sqrt (vi1) mod n In this version, every person must have a different n. The modification makes it easier to verify signatures. The time required to generate signatures, and the security of those signatures, is unaffected. Other Enhancements
There is also an Nparty identification scheme, based on the FiatShamir algorithm [264]. Two other improvements to the FiatShamir scheme are proposed in [1218]. Another variant is [1368]. OhtaOkamoto Identification Scheme
This protocol is a modification of the FeigeFiatShamir identification scheme and gets its security from the difficulty of factoring [1198,1199]. The same authors also wrote a multisignature scheme (see Section 23.1), by wh...
View
Full
Document
 Fall '10
 ALIULGER
 Cryptography

Click to edit the document details