Special Uses and Abuses of the Fiat-Shamir Passport Protocol (extended abstract)

  • Yvo Desmedt
  • Claude Goutier
  • Samy Bengio
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 293)


If the physical description of a person would be unique and adequately used and tested, then the security of the Fiat-Shamir scheme is not based on zero-knowledge. Otherwise some new frauds exist. The Feige-Fiat-Shamir scheme always suffers from these frauds. Using an extended notion of subliminal channels, several other undetectable abuses of the Fiat-Shamir protocol, which are not possible with ordinary passports, are discussed. This technique can be used by a terrorist-sponsoring country to communicate 500 new words of secret information each time a tourist passport is verified. A non-trivial solution to avoid these subliminal channel problems is presented. The notion of relative zero-knowledge is introduced.


Keywords: Physical Description; Random Source; Encrypt Message; Jacobi Symbol; Subliminal Channel



Copyright information

© Springer-Verlag Berlin Heidelberg 1988

Authors and Affiliations

  • Yvo Desmedt (1)
  • Claude Goutier (2)
  • Samy Bengio (1)
  1. Dépt. I.R.O., Université de Montréal, Montréal, Canada
  2. Centre de calcul, Université de Montréal, Montréal, Canada
