Talk:Feige–Fiat–Shamir identification scheme
|WikiProject Cryptography / Computer science||(Rated Start-class, High-importance)|
The algorith given under the "procedure" heading describes the Fiat-Shamit identification scheme, which is not zero-knowledge. See the German wikipedia for the differences of Feige-Fiat_shamir and Fiat-Shamir.
In the security section, a ZK simulator is proposed. This simulator is not sufficient: the x it outputs is always a square (a member of QR(N)), while this is not the case for honest commitments.
In ZKPs, it's traditional to use Peggy/Victor (prover/verifier) instead of Alice and Bob. --Johnruble 15:07, 10 July 2007 (UTC)
Section "Setup": Wrong equation?Edit
Could it be that v_i ≡ s_i^2 ( mod n ) is wrong? According to Trappe, Wade; Washington, Lawrence C. (2003). Introduction to Cryptography with Coding Theory it is v_i ≡ s_i^(-2) ( mod n ) which is equal to v_i*s_i^2 ≡ (1 mod n) 22.214.171.124 (talk) 08:51, 27 July 2016 (UTC) ANSWER: To me, v_i ≡ s_i^2 ( mod n ) looks good! You propose v_i ≡ s_i^(-2) which means v_i^2 = s_i, i.e. squaring the public value yields the secret value. Squaring is easy mod N, so what you propose is not secure. (I didn't check Trappe et al). — Preceding unsigned comment added by 126.96.36.199 (talk) 15:38, 25 September 2016 (UTC)