[Cryptography] Is Non-interactive Zero Knowledge Proof an oxymoron?

Phillip Hallam-Baker phill at hallambaker.com
Sat Mar 12 11:29:58 EST 2016


I am not sure I have a good answer to Charlie's question. What we have
here is a situation where a series of operations which are
individually zero knowledge are composed in a system that is not.

This type of problem is one example of a broader problem I am seeing
with formal approaches to cryptography. What you can prove to be
secure is frequently very much less secure than robust but
non-provable crypto systems. The difficulty is that to make a system
tractable in a system of formal logic, we have to simplify it and
strip it back to the simplest possible scheme that lacks robustness.

The prime example of this is 'one time pads' which are at the same
time the only provably secure encryption scheme and the most certain
indicator of cryptographic snakeoil.

There is currently a kickstarter for a 'provably perfectly secure'
encryption scheme using one time pads. So I asked them how they were
exchanging the cipher stream and of course they encrypt that when they
exchange it. They have this idea that if I can't attack the exchange
of cipherstream and I can't attack the messages, their system is
secure. Of course, what I would do is attack both at once. So what
they have managed to do is to reduce AES to a stream cipher - yuk!

I see the same problem in a lot of other academic systems.


More information about the cryptography mailing list