Anonymous (nobody@replay.com)
Wed, 6 Jan 1999 23:51:31 +0100
You were too kind to say it "may not be appropriate to the current problem."
What rdl wanted was something really efficient and zero-knowledge, and that was
neither. It didn't fit into the "otherwise, I wouldn't mind..." category,
either.
The whole approach I took is flawed -- B is supposed to generate a set of
values from those stored which will always be "right" or always be "wrong" when
checked by A, regardless of which secret A uses. But I don't know how A could
check the "always" part (i.e., catch a corrupt B) -- even probabilistically --
without requiring a really big leak composed of some of B's secrets. And
although I can think of a few optimizations, I have no clue whatsoever as to
how I'd go about making something efficient.
Frankly, I shouldn't have posted the thing in the first place; at this time, I
don't know zero-knowledge, period.
>
> (Greg Rose's proposal for a Bloom mask had A send her mask to B. This is
> presumably extremely sparse and so can be sent efficiently.)
But that's basically a fancy password-based authentication scheme; even if A
and B are perfect model citizens in executing the protocol, B can discover
which secret was used.
...
> We probably need to assume that both parties can be trusted to follow the
> protocol.
They can't be trusted, though. Say the protocol was being used in an anonymous
authentication scheme avoiding use of blind signatures. The service would, in a
paranoid user's opinion, want to know which user was which, and hackers would
want to use the service without being authorized.
...