[2119] in cryptography@c2.net mail archive


Re: Something really new???

daemon@ATHENA.MIT.EDU (David P Jablon)
Fri Feb 6 15:50:39 1998

Date: Fri, 6 Feb 1998 15:39:02 -0500
From: dpj@world.std.com (David P Jablon)
To: cryptography@c2.net

Regarding ...
> http://www.economist.com/editorial/freeforall/current/index_st4443.html
>
> HOW do you find out if you share a secret with someone without
> giving that secret away? Moni Naor, of the Weizmann Institute,
> in Israel, thinks he knows. [...]

It is not clear to me how their method can work in an electronic system.
The security of the scheme depends on each party returning half of
the envelopes, unopened.  If all the contents were revealed,
the method is trivially broken.

> Obviously this clumsy manual method would not often be used in practice,
> and the services of a computer programmer would generally be required to
> automate it.  But the program involved is not a complex one, and is thus
> available for easy verification that no shenanigans (such as storing the
> contents of the electronic “envelopes”, rather than deleting them) are
> going on.

Show me that program! 
 
What makes the problem interesting is that the secret
is a small number, which can be enumerated on a modest computer.

Given access to all possible sums, and recognizing that one
party must reveal knowledge of the combined result first,
the other party can determine the secret by brute force,
if all envelopes are opened, or held up to a strong light ...

As a zero-knowledge proof of low-entropy knowledge, their
manual method is indeed clumsy, and I'm quite skeptical about 
how it can be implemented electronically.

The simplest method that I know of is a password-authenticated
Diffie-Hellman exchange, such as SPEKE or DH-EKE.  I would
be surprised to hear about an alternative that completely avoided 
using big number arithmetic.  I anxiously await their next 
big press release.

> Dr Naor thinks that computerised versions of his method could have
> widespread applications in areas such as banking, where the secure
> exchange of information requires the comparison of passwords. The
> researchers therefore  hope that their discovery will now be
> commercialised. 

I too hope to see wider commercial use of proofs of
low-entropy knowledge, even if it's just methods that are 
well-known and easily implementable.

------------------------------------------------------
David P. Jablon
Integrity Sciences, Inc.
dpj@world.std.com
<http://world.std.com/~dpj/>
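
Added example, not part of the original message and not code from its author: a minimal Python sketch contrasting a bare hash comparison of a low-entropy secret, which can be enumerated offline as the message describes, with a SPEKE-style password-authenticated Diffie-Hellman exchange. The RFC 2409 768-bit group, the SHA-256 encoding, all function and class names, and the four-digit sample secrets are assumptions chosen for illustration.

```python
import hashlib
import secrets

# RFC 2409 Oakley Group 1 prime (768-bit safe prime, p = 2q + 1).
# Assumption for this sketch; too small for production use.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
        "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)


def h(*parts):
    """SHA-256 over length-prefixed byte strings."""
    d = hashlib.sha256()
    for part in parts:
        d.update(len(part).to_bytes(4, "big") + part)
    return d.digest()


def naive_tag(secret):
    """Weak design: send a bare hash of the secret for comparison."""
    return h(b"naive", secret.encode())


def brute_force_naive(tag, candidates):
    """Why the weak design fails: every guess can be checked offline."""
    return next((c for c in candidates if naive_tag(c) == tag), None)


class SpekeParty:
    def __init__(self, secret):
        # Base derived from the secret; squaring lands in the order-q subgroup.
        g = pow(int.from_bytes(h(b"base", secret.encode()), "big"), 2, P)
        self._x = secrets.randbelow(P - 3) + 2       # ephemeral exponent
        self.public = pow(g, self._x, P)             # the only value sent

    def key(self, peer_public):
        if not 2 <= peer_public <= P - 2:            # reject 0, 1, p-1
            raise ValueError("degenerate public value")
        k = pow(peer_public, self._x, P)
        return h(b"key", k.to_bytes(96, "big"))


def secrets_match(secret_a, secret_b):
    """Run one exchange; keys agree only if both sides hold the same secret."""
    a, b = SpekeParty(secret_a), SpekeParty(secret_b)
    # A real protocol would exchange key-confirmation MACs, not raw keys.
    return secrets.compare_digest(a.key(b.public), b.key(a.public))
```

In the SPEKE-style exchange an eavesdropper sees only the two public values, which by design give nothing to test a guessed secret against without one of the ephemeral exponents; an active participant can test one guess per run.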

