[Cryptography] Are zero knowledge authentication systems safe?

Benjamin Kreuter brk7bx at virginia.edu
Sun Nov 1 13:01:06 EST 2015


On Sat, 2015-10-31 at 22:04 -0400, Phillip Hallam-Baker wrote:

> Am I just missing the point or is this particular zero knowledge proof
> rather brittle in practice?

Actually this problem likely applies to any protocol whose security
definition calls for a knowledge extractor.  You see extractors in a lot
of security definitions; ZK proofs-of-knowledge are a well-studied
example.

The reason for this weakness is that extractors must use a combination
of rewinding and interaction to "trick" a party into revealing its
secret.  The rewinding process is equivalent to repeating a protocol
execution with a party that has no source of entropy; so the security
argument *depends* on the protocol being sensitive to poor entropy!

On the other hand there are cases where it is not clear how to
define security without extractors.  In other words, sometimes security
depends on high-quality sources of randomness (but we already knew that,
right?).

-- Ben
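
The rewinding argument above, as an added example that is not part of the original message: Schnorr identification stands in as an assumed representative proof of knowledge (the thread does not name a protocol), with a constructed toy group and hypothetical function names. A prover whose nonce source repeats hands an ordinary verifier the same pair of transcripts an extractor obtains by rewinding.

```python
import secrets

# Constructed toy group, far too small for real use: P = 2*Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4


class Prover:
    """Schnorr prover for secret x; rng supplies the per-session nonce."""

    def __init__(self, x, rng=lambda: secrets.randbelow(Q - 1) + 1):
        self.x, self.rng = x, rng

    def commit(self):
        self.k = self.rng()
        return pow(G, self.k, P)

    def respond(self, c):
        return (self.k + c * self.x) % Q


def transcript(prover, c):
    """Run one session with verifier challenge c; return (t, c, s)."""
    t = prover.commit()
    return t, c, prover.respond(c)


def verify(y, t, c, s):
    """Accept iff g^s == t * y^c (mod P)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def extract(a, b):
    """Extractor step: same commitment, different challenges => secret x."""
    (t1, c1, s1), (t2, c2, s2) = a, b
    if t1 != t2 or (c1 - c2) % Q == 0:
        return None  # nothing to learn from independent sessions
    return (s1 - s2) * pow((c1 - c2) % Q, -1, Q) % Q


if __name__ == "__main__":
    x = secrets.randbelow(Q - 1) + 1          # prover's secret
    y = pow(G, x, P)                          # public key
    stuck = Prover(x, rng=lambda: 777)        # constructed: RNG that repeats
    a, b = transcript(stuck, 5), transcript(stuck, 9)
    print("both accepted:", verify(y, *a) and verify(y, *b))
    print("secret recovered:", extract(a, b) == x)
    healthy = Prover(x)
    print("fresh nonces:", extract(transcript(healthy, 5), transcript(healthy, 9)))
```

Both sessions with the repeating nonce verify correctly, so nothing looks wrong to the verifier; the repeated commitment value is the only visible sign.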