Cryptology ePrint Archive: Report 2016/1039

A Fiat-Shamir Implementation Note

Simon Cogliani and Rémi Géraud and David Naccache

Abstract: In the Micali-Shamir paper improving the efficiency of the original Fiat-Shamir protocol, the authors state that

"(...) not all of the $v_i$'s will be quadratic residues mod $n$. We overcome this technical difficulty with an appropriate perturbation technique (...)"

This perturbation technique is made more explicit in the associated patent application: "Each entity is allowed to modify the standard $v_j$ which are QNRs. A particularly simple way to achieve this is to pick a modulus $n=pq$ where $p=3 \bmod 8$ and $q=7 \bmod 8$, since then exactly one of $v_j,-v_j,2v_j,-2v_j$ is a QR mod $n$ for any $v_j$. The appropriate variant of each $v_j$ can be (...) deduced by the verifier himself during the verification of given signatures."

In this short note we clarify the way in which the verifier can infer by himself the appropriate variant of each $v_j$ during verification.

Category / Keywords: implementation / fiat-shamir, arithmetics

Date: received 3 Nov 2016, last revised 3 Nov 2016

Contact author: remi geraud at ens fr

Available format(s): PDF | BibTeX Citation

Version: 20161103:232238 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]