Talk:Feige–Fiat–Shamir identification scheme

This article is rated Start-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:

Cryptography: Computer science High‑importance This article is within the scope of WikiProject Cryptography, a collaborative effort to improve the coverage of Cryptography on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks. High This article has been rated as High-importance on the importance scale. This article is supported by WikiProject Computer science (assessed as High-importance).

Algorithm accuracy

Latest comment: 17 years ago1 comment1 person in discussion

The algorith given under the "procedure" heading describes the Fiat-Shamit identification scheme, which is not zero-knowledge. See the German wikipedia for the differences of Feige-Fiat_shamir and Fiat-Shamir.— Preceding unsigned comment added by 194.231.192.194 (talk) 16:58, 2 January 2007 (UTC)Reply

participant names

Latest comment: 16 years ago1 comment1 person in discussion

In ZKPs, it's traditional to use Peggy/Victor (prover/verifier) instead of Alice and Bob. --Johnruble 15:07, 10 July 2007 (UTC)Reply

Section "Setup": Wrong equation?

Latest comment: 3 years ago3 comments3 people in discussion

Could it be that v_i ≡ s_i^2 ( mod n ) is wrong? According to Trappe, Wade; Washington, Lawrence C. (2003). Introduction to Cryptography with Coding Theory it is v_i ≡ s_i^(-2) ( mod n ) which is equal to v_i*s_i^2 ≡ (1 mod n) 138.246.2.114 (talk) 08:51, 27 July 2016 (UTC)Reply

ANSWER: To me, v_i ≡ s_i^2 ( mod n ) looks good! You propose v_i ≡ s_i^(-2) which means v_i^2 = s_i, i.e. squaring the public value yields the secret value. Squaring is easy mod N, so what you propose is not secure. (I didn't check Trappe et al). — Preceding unsigned comment added by 78.48.105.117 (talk) 15:38, 25 September 2016 (UTC)Reply

Wait, if v_i ≡ s_i^(-2), then v_i^2 = s_i^(-4). The anonimous proposed that v_i ≡ s_i^2 is wrong is right! Schneier's "Applied cryptography" writes that the equation here is s_i = sqrt (v_i^-1), so if you square it, you'll get v_i^-1 = s_i^2, namely what the anonimous proposed. — Preceding unsigned comment added by 5.227.192.150 (talk) 17:26, 7 November 2020 (UTC)Reply

ZK simulator

Latest comment: 1 year ago2 comments2 people in discussion

In the security section, a ZK simulator is proposed. This simulator is not sufficient: the x it outputs is always a square (a member of QR(N)), while this is not the case for honest commitments.— Preceding unsigned comment added by 78.48.105.117 (talk) 15:41, 25 September 2016 (UTC)Reply

https://web.archive.org/web/20220120034507/https://link.springer.com/content/pdf/10.1007/BF02351717.pdf https://web.archive.org/web/20200211022012/https://academiccommons.columbia.edu/doi/10.7916/D8PZ5HRV/download — Preceding unsigned comment added by 2600:1700:95E0:59F0:1133:B0CC:62CF:823F (talk) 13:54, 27 June 2022 (UTC)Reply