Security of 2^t-Root Identification and Signatures

  • C. P. Schnorr
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1109)


Ong-Schnorr identification and signatures are variants of the Fiat-Shamir scheme with short and fast communication and signatures. This scheme uses secret keys that are 2^t-roots modulo N of the public keys, whereas Fiat-Shamir uses square roots modulo N. Security for particular cases has recently been proved by Micali [M94] and Shoup [Sh96].

We prove that identification and signatures are secure for arbitrary moduli N = pq unless N can easily be factored. The proven security of identification against active impersonation attacks depends on the maximal 2-power 2^m that divides either p − 1 or q − 1. We show that signatures are secure against adaptive chosen-message attacks. This proves the security of a very efficient signature scheme.
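The key relation described above (the secret is a 2^t-root of the public key modulo N), shown as one identification round. This is an added example, not code from the paper: the single-key commit/challenge/response flow is the textbook form and is an assumption here, since the abstract does not spell out the protocol, and the primes, T and all function names are constructed for illustration.

```python
import secrets
from math import gcd

# Constructed toy parameters, far too small for real use.
P, Q = 1009, 1013
N = P * Q
T = 8                       # keys are 2^T-th roots; challenges lie in [0, 2^T)

def two_adic(n):
    """Largest m such that 2^m divides n."""
    m = 0
    while n % 2 == 0:
        n, m = n // 2, m + 1
    return m

# The exponent m from the abstract: maximal 2-power dividing p-1 or q-1.
M = max(two_adic(P - 1), two_adic(Q - 1))

def rand_unit():
    """Uniform element of Z_N^* by rejection sampling."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            return r

def public_key(s):
    """Public key v = s^(2^T) mod N, so the secret s is a 2^T-th root of v."""
    return pow(s, 2 ** T, N)

def commit(r):
    """Prover -> verifier: x = r^(2^T) mod N for a fresh random r."""
    return pow(r, 2 ** T, N)

def respond(r, s, e):
    """Prover -> verifier: y = r * s^e mod N for the verifier's challenge e."""
    return (r * pow(s, e, N)) % N

def verify(v, x, e, y):
    """Verifier accepts iff y^(2^T) == x * v^e (mod N)."""
    return pow(y, 2 ** T, N) == (x * pow(v, e, N)) % N

def run_round():
    """One honest round with fresh randomness; returns the verifier's verdict."""
    s, r = rand_unit(), rand_unit()
    e = secrets.randbelow(2 ** T)
    return verify(public_key(s), commit(r), e, respond(r, s, e))
```

The whole exchange is one commitment, one T-bit challenge and one response, which is where the short communication comes from.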


Keywords: identification, signature, Fiat-Shamir scheme, active/passive impersonation attacks, adaptive chosen-message attack, random oracle model, factoring of integers


  1. [BR93]
    M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. Proceedings of the 1st ACM Conference on Computer Communication Security, pages 62–73, 1993.
  2. [DGB87]
    Y. Desmedt, C. Goutier, and S. Bengio. Special uses and abuses of the Fiat-Shamir passport protocol. Proceedings CRYPTO’87, Springer LNCS 293: pages 21–39, 1988.
  3. [FS86]
    A. Fiat and A. Shamir. How to prove yourself: Practical Solution to Identification and Signature Problems. Proceedings of CRYPTO’86, Springer LNCS 263: pages 186–194, 1986.
  4. [FFS88]
    U. Feige, A. Fiat, and A. Shamir. Zero-knowledge proofs of identity. J. Cryptology, 1: pages 77–94, 1988.
  5. [FS90]
    U. Feige and A. Shamir. Witness indistinguishable and witness hiding protocols. Proceedings 22nd STOC, pages 416–426, 1990.
  6. [GS94]
    M. Girault and J. Stern. On the length of cryptographic hash-values used in identification schemes. Proceedings of CRYPTO’94, Springer LNCS 839: pages 202–215.
  7. [GMR89]
    S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof systems. SIAM J. Comput., 18: pages 186–208, 1989.
  8. [GMR88]
    S. Goldwasser, S. Micali, and R. Rivest. A digital signature secure against adaptive chosen-message attacks. SIAM J. Computing, 17: pages 281–308, 1988.
  9. [GQ88]
    L. Guillou and J. Quisquater. A practical zero-knowledge protocol fitted to security microprocessors minimizing both transmission and memory. Proceedings of Eurocrypt’88, Springer LNCS 330: pages 123–128, 1988.
  10. [M94]
    S. Micali. A secure and efficient digital signature algorithm. Technical Report, MIT/LCS/TM-501, 1994.
  11. [MS88]
    S. Micali and A. Shamir. An improvement of the Fiat-Shamir Identification Scheme. Proceedings CRYPTO’88, Springer LNCS 403: pages 244–247, 1990.
  12. [O92]
    T. Okamoto. Provably secure and practical identification schemes and corresponding signature schemes. Proceedings of CRYPTO’92, Springer LNCS 740: pages 31–53, 1992.
  13. [OS90]
    H. Ong and C.P. Schnorr. Fast signature generation with a Fiat Shamir-like scheme. Proceedings of Eurocrypt’90, Springer LNCS 473: pages 432–440, 1990.
  14. [PS96]
    D. Pointcheval and J. Stern. Security proofs for signatures. Proceedings Eurocrypt’96, Springer LNCS 1070: pages 387–398, 1996.
  15. [Sch91]
    C.P. Schnorr. Efficient signature generation by smart cards. J. Cryptology, 4: pages 161–174, 1991.
  16. [Sh96]
    V. Shoup. On the security of a practical identification scheme. Proceedings of Eurocrypt’96, Springer LNCS 1070: pages 340–353, 1996.

Copyright information

© Springer-Verlag Berlin Heidelberg 1996

Authors and Affiliations

  • C. P. Schnorr, Fachbereich Mathematik/Informatik, Universität Frankfurt, Frankfurt/Main, Germany
