[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [freehaven-dev] POKs for mix accountability transcript

To: freehaven-dev@freehaven.net
Subject: Re: [freehaven-dev] POKs for mix accountability transcript
From: David Hopwood <hopwood@zetnet.co.uk>
Date: Wed, 03 Jan 2001 22:14:23 +0000
Delivery-Date: Wed, 03 Jan 2001 17:21:13 -0500
References: <Pine.OSF.4.05.10101020037510.25079-100000@hcs.harvard.edu>
Reply-To: freehaven-dev@freehaven.net
Sender: owner-freehaven-dev@freehaven.net

-----BEGIN PGP SIGNED MESSAGE-----

dmolnar wrote:
> On Mon, 1 Jan 2001, David Hopwood wrote:
> >   except with sub-polynomial probability. ...
> >
> > The paper has been withdrawn from the ePrint archive though; I don't
> > know why.
> 
> I contacted the author about this idea last year - IIRC, what happened is
> that he found a fatal flaw in his proof that the resulting protocol was
> zero-knowledge. The protocol is in fact just a speedup of Rabin's
> "Deniable Authentication" (presented at CRYPTO '98, slides online in the
> www.iacr.org archives

http://www.iacr.org/publications/dl/rabin98/rabin98html/index.html

> - my copy of the paper is at school, so I won't try
> to give a summary of it here.)

On closer examination I don't think this really helps. We would like to
be able to prove to any observer that:
  1) N_j received C (this part is easy)
  2) E_pk_j(N_{j+1}, M) = C
  3) M was not sent to N_{j+1}

without giving away M or N_{j+1}. I'm not sure this is even possible.
In any case, a proof-of-plaintext-knowledge as defined in Rabin's paper
would only prove 2) to N_j; it wouldn't allow proving 3), and wouldn't
convince anyone else of 2). I.e. it doesn't achieve anything more than
using a plaintext-aware encryption scheme.

- -- 
David Hopwood <hopwood@zetnet.co.uk>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBOlK0XzkCAxeYt5gVAQFfKggAtne25jXlL/RQIUf3yl3GxZBIH+7WQykX
kbfZkFKsHNegLAsiyB0mMShe/p+fFRk+JDX8mxjre8FyqdJmHRMHUt5ZygX7VEUJ
pIvdWTHQrWrxejVE7nAWIUTiZm988M2S6f0lKAGIu4H8TpM4szoXhnzBsxaEMXyp
LRnCpcjpca26MvLa3BTQlsRjxJ1KLJHSQP4pOwPSEWDDt4zv0kvplNXJjX/6OlTI
UU0e17k2k4azF5LrSXEna8bXjBAKzzh46lmTQVuwucfqyxvwM+lZmjxM9bGHaOwy
gLPBq13WSUiV6lb7EYebBDDLptxxqlGwgUlOOa2Dl8jK87Uwj2xsKg==
=cpEU
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: [freehaven-dev] POKs for mix accountability transcript
  - From: dmolnar@belegost.mit.edu

References:
- Re: [freehaven-dev] POKs for mix accountability transcript
  - From: dmolnar <dmolnar@hcs.harvard.edu>

Prev by Date: Re: [freehaven-dev] POKs for mix accountability transcript
Next by Date: Re: [freehaven-dev] POKs for mix accountability transcript
Prev by thread: Re: [freehaven-dev] POKs for mix accountability transcript
Next by thread: Re: [freehaven-dev] POKs for mix accountability transcript
Index(es):
- Date
- Thread