Feige–Fiat–Shamir identification scheme

In cryptography, the Feige–Fiat–Shamir identification scheme is a type of parallel zero-knowledge proof developed by Uriel Feige, Amos Fiat, and Adi Shamir in 1988. Like all zero-knowledge proofs, it allows one party, the Prover, to prove to another party, the Verifier, that they possess secret information without revealing to Verifier what that secret information is. The Feige–Fiat–Shamir identification scheme, however, uses modular arithmetic and a parallel verification process that limits the number of communications between Prover and Verifier.

Setup

Following a common convention, call the prover Peggy and the verifier Victor.

Choose two large prime integers p and q and compute the product n = pq. Create secret numbers s 1 , , s k {\displaystyle s_{1},\cdots ,s_{k}} coprime to n. Compute v i s i 2 ( mod n ) {\displaystyle v_{i}\equiv s_{i}^{2}{\pmod {n}}} . Peggy and Victor both receive n {\displaystyle n} while p {\displaystyle p} and q {\displaystyle q} are kept secret. Peggy is then sent the numbers s i {\displaystyle s_{i}} . These are her secret login numbers. Victor is sent the numbers v i {\displaystyle v_{i}} by Peggy when she wishes to identify herself to Victor. Victor is unable to recover Peggy's s i {\displaystyle s_{i}} numbers from his v i {\displaystyle v_{i}} numbers due to the difficulty in determining a modular square root when the modulus' factorization is unknown.

Procedure

  1. Peggy chooses a random integer r {\displaystyle r} , a random sign s { 1 , 1 } {\displaystyle s\in \{-1,1\}} and computes s x r 2 ( mod n ) {\displaystyle s\cdot x\equiv r^{2}{\pmod {n}}} . Peggy sends x {\displaystyle x} to Victor.
  2. Victor chooses numbers a 1 , , a k {\displaystyle a_{1},\cdots ,a_{k}} where a i {\displaystyle a_{i}} equals 0 or 1. Victor sends these numbers to Peggy.
  3. Peggy computes y r s 1 a 1 s 2 a 2 s k a k ( mod n ) {\displaystyle y\equiv rs_{1}^{a_{1}}s_{2}^{a_{2}}\cdots s_{k}^{a_{k}}{\pmod {n}}} . Peggy sends this number to Victor.
  4. Victor checks that y 2 ( mod n ) ± x v 1 a 1 v 2 a 2 v k a k ( mod n ) {\displaystyle y^{2}{\pmod {n}}\equiv \pm \,xv_{1}^{a_{1}}v_{2}^{a_{2}}\cdots v_{k}^{a_{k}}{\pmod {n}}} and that x 0. {\displaystyle x\neq 0.}

This procedure is repeated with different r {\displaystyle r} and a i {\displaystyle a_{i}} values until Victor is satisfied that Peggy does indeed possess the modular square roots ( s i {\displaystyle s_{i}} ) of his v i {\displaystyle v_{i}} numbers.

Security

In the procedure, Peggy does not give any useful information to Victor. She merely proves to Victor that she has the secret numbers without revealing what those numbers are. Anyone who intercepts the communication between each Peggy and Victor would only learn the same information. The eavesdropper would not learn anything useful about Peggy's secret numbers.[citation needed]

Suppose Eve has intercepted Victor's v i {\displaystyle v_{i}} numbers but does not know what Peggy's s i {\displaystyle s_{i}} numbers are. If Eve wants to try to convince Victor that she is Peggy, she would have to correctly guess what Victor's a i {\displaystyle a_{i}} numbers will be. She then picks a random y {\displaystyle y} , calculates x y 2 v 1 a 1 v 2 a 2 v k a k ( mod n ) {\displaystyle x\equiv y^{2}v_{1}^{-a_{1}}v_{2}^{-a_{2}}\cdots v_{k}^{-a_{k}}{\pmod {n}}} and sends x {\displaystyle x} to Victor. When Victor sends a i {\displaystyle a_{i}} , Eve simply returns her y {\displaystyle y} . Victor is satisfied and concludes that Eve has the secret numbers. However, the probability of Eve correctly guessing what Victor's a i {\displaystyle a_{i}} will be is 1 in 2 k {\displaystyle 2^{k}} . By repeating the procedure t {\displaystyle t} times, the probability drops to 1 in 2 k t {\displaystyle 2^{kt}} . For k = 5 {\displaystyle k=5} and t = 4 {\displaystyle t=4} the probability of successfully posing as Peggy is less than 1 in 1 million.

References

  • Feige, Uriel; Fiat, Amos; Shamir, Adi (1988). "Zero-knowledge proofs of identity". Journal of Cryptology. 1 (2): 77–94. doi:10.1007/BF02351717. S2CID 2950602.
  • Trappe, Wade; Washington, Lawrence C. (2003). Introduction to Cryptography with Coding Theory. Upper Saddle River: Prentice-Hall. pp. 231–233. ISBN 0-13-061814-4.
  • Wong, Chung Kei; Lam, Simon S (August 1999). "Digital Signatures for Flows and Multicasts" (PDF). IEEE/ACM Transactions on Networking. 7 (4). (eFFS, extended Feige–Fiat–Shamir scheme)