Zero Knowledge Identity Proofs

Dimitrios.Petropoulos at Dimitrios.Petropoulos at
Mon Jun 25 05:33:30 EDT 2001

I think this is a case for additional protective mechanisms to extend the protocol semantics (there is nothing in the protocol prohibiting the verifier from performing a verification on behalf of a third party, which is the vulnerability exploited in the Mafia Fraud attack). This 'challenge-relay' can easily be defeated if the verifier (in the Mafia Fraud case that's Bob and Dave) is required to digitally sign their challenges. If challenges are signed then Alice will only proceed with the rest of the protocol run if the challenge indeed comes from Bob; Carol can still pass Dave's challenges to Bob but Alice will refuse to perform the protocol run having noticed that the challenges do not come from Bob. The optimised versions of the Feige-Fiat-Shamir and Guillou-Quisquater protocols make signing easier since they employ a vector of challenges to perform multiple accreditations, in order to avoid multiple messages.

Dimitrios Petropoulos

> I'm reading about zero knowledge identity proofs and 'The Mafia Fraud' in
> Applied Cryptography. Has no one found a way to perform an identity proof
> such that you can prove who you are to a specific person? In the example in
> the book Alice proves who she is to Bob who transmits to Carol, and Carol
> proves that she is Alice to Dave. I'm curious what the problem is with
> creating a proof that Alice is Alice such that only Bob can be assured that
> she is Alice so that Carol can't use the proof to identify who she is to
> Dave.
> --
> Groove On Dude
> Michael Conlen
> Obfuscated Networking
> meconlen at
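
The signed-challenge check described in the reply above, as an added example that is not part of the original message: one Feige-Fiat-Shamir round in which Alice answers a challenge vector only if it verifies under Bob's public key. The toy RSA signature, the Mersenne-prime keys and all function names are assumptions made here for illustration, and the sketch assumes Bob does not himself sign challenges that were relayed to him.

```python
import hashlib, secrets

E = 65537  # public exponent of the toy textbook-RSA signature (assumed scheme)

def rsa_keypair(p, q):
    return p * q, pow(E, -1, (p - 1) * (q - 1))   # (public n, private d)

def digest(challenge, n):
    data = ",".join(map(str, challenge)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(challenge, n, d):
    return pow(digest(challenge, n), d, n)

def sig_ok(challenge, sig, n):
    return pow(sig, E, n) == digest(challenge, n)

# Constructed toy keys built from Mersenne primes; far too small for real use.
BOB_N, BOB_D = rsa_keypair(2**89 - 1, 2**107 - 1)
DAVE_N, DAVE_D = rsa_keypair(2**61 - 1, 2**127 - 1)

# Alice's Feige-Fiat-Shamir identity: K secrets s_i, public v_i = s_i^2 mod N.
N, K = (2**61 - 1) * (2**89 - 1), 8
SECRETS = [secrets.randbelow(N - 2) + 2 for _ in range(K)]
PUBLIC = [pow(s, 2, N) for s in SECRETS]

def alice_respond(r, challenge, sig, expected_verifier_n):
    """Answer only if the whole challenge vector is signed by the expected verifier."""
    if len(challenge) != K or not sig_ok(challenge, sig, expected_verifier_n):
        return None  # challenge did not come from the expected verifier: abort
    y = r
    for s, e in zip(SECRETS, challenge):
        y = y * (s if e else 1) % N
    return y

def verifier_accepts(x, challenge, y):
    rhs = x
    for v, e in zip(PUBLIC, challenge):
        rhs = rhs * (v if e else 1) % N
    return y is not None and pow(y, 2, N) == rhs

def run(signer_n, signer_d):
    """One round in which Alice believes she is proving herself to Bob."""
    r = secrets.randbelow(N - 2) + 2
    x = pow(r, 2, N)                                   # Alice's commitment
    challenge = [secrets.randbelow(2) for _ in range(K)]
    y = alice_respond(r, challenge, sign(challenge, signer_n, signer_d), BOB_N)
    return verifier_accepts(x, challenge, y)
```

`run(BOB_N, BOB_D)` models a direct run with Bob; `run(DAVE_N, DAVE_D)` models Dave's signed challenge reaching Alice through the relay.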


The Cryptography Mailing List