[Cryptography] Are zero knowledge authentication systems safe?

Jerry Leichter leichter at lrw.com
Sun Nov 1 19:09:44 EST 2015


>> 3.  One can find examples where algorithms were almost certainly made
>> *weaker* in order to enable a "proof of security".
> 
> It is kind of hard to know what this statement means.  If there is no
> reason to think an algorithm is secure, how can we say it was weakened?
> What appears to be a weakness may actually be key to security.
You'll have to refer to the papers for the example.  If your *definition* of security is "provable security", then of course the kind of thing I describe makes no sense.  But if you agree with Koblitz and Menezes that given the current state of the art, proofs of security aren't worth much and we're stuck with heuristic/engineering arguments - as is the case for all symmetric algorithms, for example; at best, we have proofs that certain classes of attacks can't work - then the story is different.  The example they give - I read this a couple of years back so this is only an approximation - was of a protocol that had been subject to all kinds of attacks and looked solid.  Someone modified it to make it "provably secure".  The modifications added all kinds of complexity - and arguably made the whole thing much more brittle, in that minor mistakes not only lost you the proof of security, but you were now left with a complicated protocol about which you could no longer make any believable informal arguments.

                                                        -- Jerry
