Open main menu

Talk:Feige–Fiat–Shamir identification scheme

WikiProject Cryptography / Computer science  (Rated Start-class, High-importance)
This article is within the scope of WikiProject Cryptography, a collaborative effort to improve the coverage of Cryptography on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
Start-Class article Start  This article has been rated as Start-Class on the quality scale.
 High  This article has been rated as High-importance on the importance scale.
Taskforce icon
This article is supported by WikiProject Computer science (marked as High-importance).


algorithm accuracyEdit

The algorith given under the "procedure" heading describes the Fiat-Shamit identification scheme, which is not zero-knowledge. See the German wikipedia for the differences of Feige-Fiat_shamir and Fiat-Shamir.

ZK simulatorEdit

In the security section, a ZK simulator is proposed. This simulator is not sufficient: the x it outputs is always a square (a member of QR(N)), while this is not the case for honest commitments.

participant namesEdit

In ZKPs, it's traditional to use Peggy/Victor (prover/verifier) instead of Alice and Bob. --Johnruble 15:07, 10 July 2007 (UTC)

Section "Setup": Wrong equation?Edit

Could it be that v_i ≡ s_i^2 ( mod n ) is wrong? According to Trappe, Wade; Washington, Lawrence C. (2003). Introduction to Cryptography with Coding Theory it is v_i ≡ s_i^(-2) ( mod n ) which is equal to v_i*s_i^2 ≡ (1 mod n) (talk) 08:51, 27 July 2016 (UTC) ANSWER: To me, v_i ≡ s_i^2 ( mod n ) looks good! You propose v_i ≡ s_i^(-2) which means v_i^2 = s_i, i.e. squaring the public value yields the secret value. Squaring is easy mod N, so what you propose is not secure. (I didn't check Trappe et al). — Preceding unsigned comment added by (talk) 15:38, 25 September 2016 (UTC)

Return to "Feige–Fiat–Shamir identification scheme" page.