In cryptography, the Feige–Fiat–Shamir identification scheme is a type of parallel zero-knowledge proof developed by Uriel Feige, Amos Fiat, and Adi Shamir in 1988. Like all zero-knowledge proofs, it allows one party, Peggy, to prove to another party, Victor, that she possesses secret information without revealing to Victor what that secret information is. The Feige–Fiat–Shamir identification scheme, however, uses modular arithmetic and a parallel verification process that limits the number of communications between Peggy and Victor.
Contents
Setup
Choose two large prime integers p and q and compute the product n = pq. Create secret numbers
Procedure
- Peggy chooses a random integer
r , a random signs ∈ { − 1 , 1 } and computesx ≡ s ⋅ r 2 ( mod n ) . Peggy sendsx to Victor. - Victor chooses numbers
a 1 , ⋯ , a k a i - Peggy computes
y ≡ r s 1 a 1 s 2 a 2 ⋯ s k a k ( mod n ) . Peggy sends this number to Victor. - Victor checks that
y 2 ≡ ± x v 1 a 1 v 2 a 2 ⋯ v k a k ( mod n ) and thatx ≠ 0.
This procedure is repeated with different
Security
In the procedure, Peggy does not give any useful information to Victor. She merely proves to Victor that she has the secret numbers without revealing what those numbers are. Anyone who intercepts the communication between each Peggy and Victor would only learn the same information. The eavesdropper would not learn anything useful about Peggy's secret numbers.
Suppose Eve has intercepted Victor's