Fiat-Shamir Heuristic
Fiat, Amos, and Adi Shamir. “How to prove yourself: Practical solutions to identification and signature problems.” Conference on the theory and application of cryptographic techniques. Berlin, Heidelberg: Springer Berlin Heidelberg, 1986.
Trust Setup
f: A pseudo random function
I: Information
- Compute the values v j = f ( I , j ) v_j = f(I,j) vj=f(I,j) for small values of j j j.
- Pick k k k distinct values of j j j for which v j v_j vj is a quadratic residue (mod n) and compute the smallest square root s j s_j sj, of v j − 1 v_j^{-1} vj−1 (mod n).
- Issue I I I , the k s j s_j sj values, and their indices.
Interactive Protocol
- A sends I I I to B.
- B generates v j = f ( I , j ) v_j = f(I, j) vj=f(I,j) for j = 1 , . . . , k j = 1,...,k j=1,...,k.
Repeat steps 3 to 6 for i = 1 , . . . , t i = 1,...,t i=1,...,t:
- A picks a random r i ∈ [ 0 , n ) r_i \in [0,n) ri∈[0,n) and sends x i = r i 2 ( m o d n ) x_i = r_i^2 (\mod n) xi=ri2(modn) to B.
- B sends a random binary vector ( e i 1 , . . . , e i k ) (e_{i1},...,e_{ik}) (ei1,...,eik) to A.
- A sends to B :
y i = r i ∏ e i j = 1 s j m o d n y_i = r_i \prod_{e_ij=1}s_j\mod n yi=rieij=1∏sjmodn - B checks that
x i = y i ∏ e i j = 1 v j m o d n x_i = y_i \prod_{e_ij=1}v_j\mod n xi=yieij=1∏vjmodn
Non-interactive Protocol (Signature)
To sign a message m m m:
- A picks random r 1 , . . . , r t ∈ [ O , n ) r_1, ...,r_t \in [O,n) r1,...,rt∈[O,n) and computes x i = r i 2 m o d n x_i = r_i^2\mod n xi=ri2modn.
- A computes f ( m , x 1 , . . . , x t ) f(m, x_1,...,x_t) f(m,x1,...,xt)and uses its first kt bits as e i j e_{ij} eij values.
- A computes
y i = r i ∏ e i j = 1 s j m o d n y_i = r_i \prod_{e_ij=1}s_j\mod n yi=rieij=1∏sjmodn
and sends I I I, m m m, the e i j e_{ij} eij matrix and all the y i y_i yi to B.
To verify A’s signature on m m m:
- B computes v j = f ( I , j ) v_j = f(I, j) vj=f(I,j) for j = 1 , . . . , k j = 1,...,k j=1,...,k.
- B computes
x i = y i ∏ e i j = 1 v j m o d n x_i = y_i \prod_{e_ij=1}v_j\mod n xi=yieij=1∏vjmodn - B verifies that the first kt bits of f ( m , x 1 , . . . , x t ) f(m, x_1,...,x_t) f(m,x1,...,xt) are e i j e_{ij} eij matrix.
1542
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
