# Girault’s identification protocol ## Definition - This scheme is a zero-knowledge proof for a discrete logarithm, like [Schnorr’s protocol](https://hackmd.io/VtTLrLEoQPavPPoK_gz8VQ), but over a composite modulus instead of a prime modulus. - **Goal:** $\textbf{Prover}$ convinces $\textbf{Verifier}$ that they know $x$ such that $h = g^{-x} \bmod N$ ## Key Components: - **Public input :** $h, N$ and a high order generator $g \in Z^{*}_{N}$ - **Private input :** $\textbf{Prover}$ knows the secret $x \in [S]$ - **Security parameters :** The parameters $k, k', S$ and $R = 2^{k+k'+|S|}$ ## Interactive Protocol  - **Security note :** The interactive identification protocol assumes an honest verifier and should not be used in the context of malicious verifiers. A malicious verifier can send $e = R$ and recover the secret $x$ by dividing $z$ by $e$ ([Too Honest challenge](https://cryptohack.org/challenges/zkp/)) ## Non-Interactive Protocol:  ## Choice of parameter values - $|N| = 2048$ - $S = 2^{256}$ - $k, k' = 128$ ## References - https://www.zkdocs.com/docs/zkdocs/zero-knowledge-protocols/girault-identification/