U. Feige, A. Fiat and A. Shamir : Zero-knowledge proofs of identity. J. Cryptology, 1 , pp. 77--94, 1988.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....she knows this solution, while giving Vic absolutely no clue as to what the solution is. A little more formally: suppose a relation R on sets U and V, and an element y 6 V are given. Then Peggy is t rying to convince Vic that she knows how to compute z 6 U such that (z, St) 6 R holds. Following [FiFiSh] and [ToWo] we will let both the prover and the verifier be probabilistic pol.vaomial time Turing machines. In this model, it was proved in [BrChCr] that the existence of a bit commitment scheme implies the existence of a zero knowledge proof of information possession (as defined in [ToWo] for ....

....help of P ) tries to compute z X such that (x, y) 6 R. We require that there is a constant e 1 such that rob( V) accepts AND Mp. fails) for all sufficiently large m. This is the definition proposed in [ToWo] A very similar but technically slightly different definition appeared in [FiFiSh]. If these 3 conditions are satisfied, P, V) is called a weakly zero knowledge proof system of information possession. e is called the error probability of (P, V) We can now state the main result: Suppose there ex sts a binary relation R with the following properties: It is easy to select ....

Fiat, Fiege, Shamir: Zero-Knowledge Proof of Identity", Proc. of STOC 87.

....that, since the last answer is accepted, both (U Gamma U ) oe and (V Gamma V ) have all coordinates in X. Also M: U Gamma U ) V Gamma V ) as observed above. It follows that the underlying system of constrained linear equations has been solved. Following the techniques in [5], it is possible to prove a more foundational result, which shows that repetition of either protol is a proof of knowledge of a solution of the constrained system We state such a result for our first protocol. We let N denote the size of the public data. Theorem2. Assume that some ....

U. Feige, A. Fiat and A. Shamir: Zero-knowledge proofs of identity. In: Proc. 19th ACM Symp. Theory of Computing,

....in the strongest sense of Goldwasser, Micali and Rivest (see [9] not existentially forgeable under adaptively chosen message attacks. There are numerous examples of primitives that satisfy our conditions, e.g. Feige Fiat Shamir, Schnorr, Guillou Quisquater, Okamoto and Brickell Mc.Curley ([7], 15] 10] 13] 3] In fact, the existence of one way group homomorphisms is a sufficient assumption to support our construction. As we also demonstrate that our construction can be based on claw free pairs of trapdoor oneway permutations, our results can be viewed as a generalization ....

....be. Before investigating under which general assumptions signature protocols can be shown to exist, we mention some examples of proofs of knowledge that can be viewed as signature protocols. ffl Guillou Quisquater [10] ffl Okamoto [13] both the factoring and the RSA versions. ffl Fiat Shamir [7] (if the number of secret roots is chosen sufficiently large) Schnorr s discrete log protocol [15] does not directly satisfy the conditions, but can be modified to do so since it is based on a one way group homomorphism (see below) 3 Sufficient Assumptions The most general computational ....

[Article contains additional citation context not shown here]

U. Feige, A. Fiat and A. Shamir: Zero-Knowledge Proofs of Identity, Journal of Cryptology 1 (1988) 77--94.

....identi cation scheme using the factoring representation problem. We show that for suitable parameters the protocol becomes provably secure under the factoring assumption. Among other identi cation schemes provably secure as factoring, the presumably most popular are the Feige Fiat Shamir protocol [FFS88] and its variation due to Ong Schnorr [OS90,S96] as well as Shoup s system [Sh99] For these schemes there is a trade o between the key size and security against parallel attacks. While the Feige Fiat Shamir protocol provides security against such parallel attacks, and therefore forms a fundament ....

U. Feige,A. Fiat and A. Shamir: Zero-Knowledge Proofs of Identity, Journal of Cryptology, vol. 1(2), pp. 77-94, 1988.

....proof where the prover P convinces the veri er V that P knows some secret. Typically, the secret is the preimage under some one way function of a publicly known piece of information. Thus the secret could be for example a discrete log or an RSA root. Such a proof is called a proof of knowledge [5], and can be used in practice to design identi cation schemes or signature systems. We assume in the following that the proof of knowledge has a special form in that the veri er only sends uniformly chosen bits. This is also known as a public coin protocol. For simplicity, we restrict ourselves ....

....of w s, such that (x; w) 2 R. In the following, we assume that we are given a protocol P , which is a proof of knowledge for R, i.e. there is a common input x (of length k bits) to prover P and veri er V and a private input w to P . The prover tries to convince the veri er that w 2 w(x) Refer to [5] or [4] for a formal de nition. In order for the constructions in the following to work, P needs to satisfy a few special properties. First, we will assume that P is a three round public coin protocol (although the three round restriction can be removed) Conversations in the protocol will be ....

[Article contains additional citation context not shown here]

U. Feige, A. Fiat and A. Shamir: Zero-Knowledge Proofs of Identity, Journal of Cryptology 1 (1988) 77-94.

....di#erent from his previous choice b # 1 ) and hands it to S. Again, we open A with a 2 such that c = a 2 b # 2 mod q. The adversary finishes his commitment with a # 2 , u # 2 as opening for A # and the missing values for the proof of knowledge. The fundamental proof of knowledge paradigm [FFS88] says that we can extract the message m # if we learn two valid executions between A and R with the same commitment M # , S # , A # but di#erent challenges. Hence, if the adversary s decommitments satisfy a # 1 = a # 2 and we have b 1 #= b 2 (which happens with probability 1 1 q) then ....

U. Feige, A. Fiat and A. Shamir: Zero-Knowledge Proofs of Identity, Journal of Cryptology, vol. 1(2), pp. 77--94, Springer-Verlag, 1988.

....implies security against passive attacks. Security against adaptive attacks means that even though the attacker is allowed to query a prover on any challenge of his choice and in an adaptive fashion, it can still not later pose as that prover. This is basically the notion of security from [11]. The adaptive man in the middle attacker, is one which has adaptive access to a prover X as well. Additionally however, the attacker is allowed to pose as any verifier Y out of a given set V of verifiers, and have X identify itself to this verifier. The attacker s goal is to make an honest ....

....X , possibly running executions of X s identification to any Y 2 V online. If this is infeasible for any PPT attacker, we say that the identification scheme is secure against adaptive man in the middle impersonation. Note that our definition combines the notions of security from Feige et al. [11] and Bengio et al. 4] Our purpose is to transform identification schemes that are only secure against random challenge attacks into ones that withstand even adaptive man in themiddle impersonation, which seems to be the most desirable security level for public key identification schemes. 3 ....

U. Feige, A. Fiat and A. Shamir: Zero-Knowledge Proofs of Identity, Journal of Cryptology 1 (1988) 77--94.

....proof where the prover P convinces the verifier V that P knows some secret. Typically, the secret is the preimage under some one way function of a publicly known piece of information. Thus the secret could be for example a discrete log or an RSA root. Such a proof is called a proof of knowledge [5], and can be used in practice to design identification schemes or signature systems. We assume in the following that the proof of knowledge has a special form in that the verifier only sends uniformly chosen bits. This is also known as a public coin protocol. For simplicity, we restrict ourselves ....

....w s, such that (x; w) 2 R. In the following, we assume that we are given a protocol P, which is a proof of knowledge for R, i.e. there is a common input x (of length k bits) to prover P and verifier V and a private input w to P . The prover tries to convince the verifier that w 2 w(x) Refer to [5] or [4] for a formal definition. In order for the constructions in the following to work, P needs to satisfy a few special properties. First, we will assume that P is a three round public coin protocol (although the three round restriction can be removed) Conversations in the protocol will be ....

[Article contains additional citation context not shown here]

U. Feige, A. Fiat and A. Shamir: Zero-Knowledge Proofs of Identity, Journal of Cryptology 1 (1988) 77--94.

....proof where the prover P convinces the verifier V that P knows some secret. Typically, the secret is the preimage under some one way function of a publicly known piece of information. Thus the secret could be for example a discrete log or an RSA root. Such a proof is called a proof of knowledge [5], and can be used in practice to design identification schemes or signature systems. We assume in the following that the proof of knowledge has a special form in that the verifier only sends uniformly chosen bits. This is also known as a public coin protocol. For simplicity, we restrict ourselves ....

....since by using a hash function, any three round proof of knowledge as the one produced by Theorem 1 can be turned into a signature scheme by computing the challenge as a hash value of the message to be signed 6. Open Problems 17 and the prover s first message (this technique was introduced in [5]) By this method, a signature can be computed which will show that a qualified subset was present, without revealing which subset was involved. This may be seen as a generalization of the group signature concept, introduced by Chaum and Van Heyst [2] One aspect of group signatures which is ....

U. Feige, A. Fiat, and A. Shamir: Zero-Knowledge Proofs of Identity, Journal of Cryptology 1 (1988) 77--94.

No context found.

U. Feige, A. Fiat and A. Shamir : Zero-knowledge proofs of identity. J. Cryptology, 1 , pp. 77--94, 1988.

No context found.

U.Feige, A.Fiat, A.Shamir: Zero-Knowledge Proofs of Identity, Journal of Cryptology, Vol. 1, No. 2, pp. 77-94, Springer-Verlag, 1988.

No context found.

U. Feige, A. Fiat and A. Shamir : Zero-knowledge proofs of identity. Journal of Cryptology, 1 , pp. 77-94, 1988.

No context found.

U. Feige and A. Fiat, "Shamir : Zero-knowledge proofs of identity," Journal of Cryptology, vol. 1, pp. pp. 77--94, 1988.

No context found.

U. Feige, A. Fiat and A. Shamir : Zero-knowledge proofs of identity. Journal of Cryptology, 1 , pp. 77-94, 1988.

No context found.

U. Feige, A. Fiat and A. Shamir : Zero-knowledge proofs of identity. J. Cryptology, 1 , pp. 77--94, 1988.

No context found.

U. Feige, A. Fiat and A. Shamir: Zero-Knowledge Proofs of Identity, Journal of Cryptology 1 (1988) 77-- 94.

No context found.

U. Feige, A. Fiat and A. Shamir : Zero-knowledge proofs of identity. J. Cryptology, 1 , pp. 77-94, 1988.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC