Author(s): Bruce Schneier

ISBN: 0471128457

Publication Date: 01/01/96

Previous | Table of Contents | Next |

The setup is the same as the identification scheme. Choose *n* to be the product of two large primes. Generate the public key, *v*_{1,} *v*_{2,...,} *v*_{k}, and the private key, *s*_{1,} *s*_{2,...,} *s*_{k}, such that *s*_{i} = sqrt (*v*i^{-1}) mod *n.*

**(1)**Alice picks*t*random integers between 1 and*n: r*_{1,}*r*_{2,...,}*r*_{t}, and computes*x*_{1,}*x*_{2,...,}*x*_{t}such that*x*_{i}=*r*_{i}^{2}mod*n.***(2)**Alice hashes the concatenation of the message and the string of*x*is to generate a bit stream:*H*(*m, x*_{1,}*x*_{2,...,}*x*_{t}). She uses the first*k***t*bits of this string as values of*b*_{ij}, where*i*goes from 1 to*t,*and*j*goes from 1 to*k.***(3)**Alice computes*y*_{1,}*y*_{2,...,}*y*_{t}, where*y*_{i}=*r*_{i}* (*s*_{1}^{b}^{i1}**s*_{2}^{b}^{i2}*...**s*_{k}^{b}^{ik}) mod*n*

(For each*i,*she multiplies together the values of the*s*_{j}based on the random*b*_{i,j}values. If*b*_{i,1}is a 1, then*s*_{1}is multiplied; if*b*_{i,1}is a 0, then*s*_{1}is not multiplied.)**(4)**Alice sends Bob*m,*all the bit values of*b*_{i,j,}and all the values of*y*_{i}. He already has Alice’s public key:*v*_{1,}*v*_{2,...,}*v*_{k}.**(5)**Bob computes*z*_{1,}*z*_{2,...,}*z*_{t}, where*z*_{i}=*y*_{i}^{2}* (*v*_{1}^{b}^{i1}**v*_{2}^{b}^{i2}*...**v*_{k}^{b}^{ik}) mod*n*

(Again, Bob multiplies based on the*b*_{i, j}values.) Also note that*z*_{i}should be equal to*x*_{i}.**(6)**Bob verifies that the first*k***t*bits of*H*(*m, z*_{1,}*z*_{2,...,}*z*_{t}) are the*b*_{i, j}values that Alice sent him.

As with the identification scheme, the security of this signature scheme is proportional to 1/2^{kt}. It also depends on the difficulty of factoring *n.* Fiat and Shamir pointed out that forging a signature is easier when the complexity of factoring *n* is considerably lower than 2^{kt}. And, because of birthday-type attacks (see Section 18.1), they recommend that *k* * *t* be increased from 20 to at least 72. They suggest *k* = 9 and *t* = 8.

*Improved Fiat-Shamir Signature Scheme*

Silvio Micali and Adi Shamir improved the Fiat-Shamir protocol in [1088]. They chose *v*_{1,} *v*_{2,...,} *v*_{k} to be the first *k* prime numbers. So

*v*_{1}= 2,*v*_{2}= 3,*v*_{3}= 5, and so on.

This is the public key.

The private key, *s*_{1,} *s*_{2,...,} *s*_{k} is a random square root, determined by

*s*_{i}= sqrt (*v*_{i}^{-1}) mod*n*

In this version, every person must have a different *n.* The modification makes it easier to verify signatures. The time required to generate signatures, and the security of those signatures, is unaffected.

*Other Enhancements*

There is also an *N-*party identification scheme, based on the Fiat-Shamir algorithm [264]. Two other improvements to the Fiat-Shamir scheme are proposed in [1218]. Another variant is [1368].

*Ohta-Okamoto Identification Scheme*

This protocol is a modification of the Feige-Fiat-Shamir identification scheme and gets its security from the difficulty of factoring [1198,1199]. The same authors also wrote a multisignature scheme (see Section 23.1), by which a number of different people can sequentially sign a message [1200]. This scheme has been proposed for smart-card implementation [850].

*Patents*

Fiat-Shamir is patented [1427]. Anyone interested in licensing the algorithm should contact Yeda Research and Development, The Weizmann Institute of Science, Rehovot 76100, Israel.

Feige-Fiat-Shamir was the first practical identity-based protocol. It minimized computation by increasing the number of iterations and accreditations per iteration. For some implementations, like smart cards, this is less than ideal. Exchanges with the outside world are time-consuming, and the storage required for each accreditation can strain the limited resources of the card.

Louis Guillou and Jean-Jacques Quisquater developed a zero-knowledge identification algorithm more suited to applications like these [670,1280]. The exchanges between Peggy and Victor and the parallel accreditations in each exchange are both kept to an absolute minimum: There is only one exchange of one accreditation for each proof. For the same level of security, the computation required by Guillou-Quisquater is greater than by Feige-Fiat-Shamir by a factor of three. And like Feige-Fiat-Shamir, this identification algorithm can be converted to a digital signature algorithm.

*Guillou-Quisquater Identification Scheme*

Peggy is a smart card who wants to prove her identity to Victor. Peggy’s identity consists of a set of credentials: a data string consisting of the card’s name, validity period, a bank account number, and whatever else the application warrants. This bit string is called *J.* (Actually, the credentials can be a longer string and hashed to a *J* value. This complexity does not modify the protocol in any way.) This is analogous to the public key. Other public information, shared by all “Peggys” who could use this application, is an exponent *v* and a modulus *n,* where *n* is the product of two secret primes. The private key is *B,* calculated such that *JB*^{v} ≡ 1 (mod *n*).

Peggy sends Victor her credentials, *J.* Now, she wants to prove to Victor that those credentials are hers. To do this, she has to convince Victor that she knows *B.* Here’s the protocol:

**(1)**Peggy picks a random integer*r,*such that*r*is between 1 and*n*- 1. She computes*T*=*r*^{v}mod*n*and sends it to Victor.**(2)**Victor picks a random integer,*d,*such that*d*is between zero and*v*- 1. He sends*d*to Peggy.**(3)**Peggy computes*D*=*rB*^{d}mod*n,*and sends it to Victor.**(4)**Victor computes*T*^{´}=*D*^{v}*J*^{d}mod*n.*If*T*≡*T*^{´}(mod*n*), then the authentication succeeds.

The math isn’t that complex:

*T*^{´}=*D*^{v}*J*^{d}= (*rB*^{d})^{v}*J*^{d}=*r*^{v}B^{dv}*J*^{d}=*r*^{v}(*JB*^{v})^{d}=*r*^{v}≡*T*(mod*n*)

since *B* was constructed to satisfy

*JB*^{v}≡ 1 (mod*n*)

Previous | Table of Contents | Next |