
Re: [freehaven-dev] POKs for mix accountability transcript


dmolnar wrote:
> On Mon, 1 Jan 2001, David Hopwood wrote:
> >   except with sub-polynomial probability. ...
> >
> > The paper has been withdrawn from the ePrint archive though; I don't
> > know why.
> I contacted the author about this idea last year - IIRC, what happened is
> that he found a fatal flaw in his proof that the resulting protocol was
> zero-knowledge. The protocol is in fact just a speedup of Rabin's
> "Deniable Authentication" (presented at CRYPTO '98, slides online in the
> www.iacr.org archives - my copy of the paper is at school, so I won't try
> to give a summary of it here.)

On closer examination I don't think this really helps. We would like to
be able to prove to any observer that:
  1) N_j received C (this part is easy)
  2) E_pk_j(N_{j+1}, M) = C
  3) M was not sent to N_{j+1}

without giving away M or N_{j+1}. I'm not sure this is even possible.
In any case, a proof-of-plaintext-knowledge as defined in Rabin's paper
would only prove 2) to N_j; it wouldn't allow proving 3), and wouldn't
convince anyone else of 2). I.e. it doesn't achieve anything more than
using a plaintext-aware encryption scheme.

-- 
David Hopwood <hopwood@zetnet.co.uk>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip
