s a 1, she opens the solution she committed to in step (2) and proves that it is a solution to the new problem.

(5) Peggy publishes all the commitments from step (2) as well as the solutions in step (4).

(6) Victor or Carol or whoever else is interested verifies that steps (1) through (5) were executed properly.

This is amazing: Peggy can publish some data that contains no information about her secret, but can be used to convince anyone of the secret’s existence.

The protocol can also be used for digital signature schemes, if the challenge is set as a one-way hash of both the initial messages and the message to be signed.

This works because the one-way hash function acts as an unbiased random-bit generator. For Peggy to cheat, she has to be able to predict the output of the one-way hash function. (Remember, if she doesn’t know the solution to the hard problem, she can do either (a) or (b) of step (4), but not both.) If she somehow knew what the one-way hash function would ask her to do, then she could cheat. However, there is no way for Peggy to force the one-way function to produce certain bits or to guess which bits it will produce. The one-way function is, in effect, Victor’s surrogate in the protocol—randomly choosing one of two proofs in step (4).

In a noninteractive protocol, there must be many more iterations of the challenge/reply sequence. Peggy, not Victor, picks the hard problems using random numbers. She can pick different problems, hence different commitment vectors, till the hash function produces something she likes. In an interactive protocol, 10 iterations—a probability of 1 in 2^10 (1 in 1024) that Peggy can cheat—may be fine. However, that’s not enough for noninteractive zero-knowledge proofs. Remember that Mallory can always do either (a) or (b) of step (4). He can try to guess which he will be asked to do, go through steps (1) through (3), and see if he guessed right. If he didn’t, he can try again—repeatedly.

Making 1024 guesses is easy on a computer. To prevent this brute-force attack, noninteractive protocols need 64 iterations, or e...
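The round-count argument above, as an added example that is not part of the original text: it shows why a verifier must insist on a large, fixed number of iterations once the challenge comes from a hash. It assumes the square-root-modulo-N identification protocol as a concrete stand-in for the unnamed hard problem; the toy modulus, the secret and all function names are constructed for the demonstration.

```python
import hashlib
import secrets

# Toy parameters (constructed for this demo): product of two Mersenne primes.
N = (2**31 - 1) * (2**61 - 1)
S = 123456789        # Peggy's secret (constructed)
V = pow(S, 2, N)     # public value: Peggy proves she knows a square root of V

def challenge_bits(xs, message, rounds):
    """Victor's surrogate: one-way hash of the commitments and the message."""
    h = hashlib.sha256(repr(xs).encode() + message).digest()
    return [(h[i // 8] >> (i % 8)) & 1 for i in range(rounds)]

def prove(s, message, rounds):
    """Honest Peggy: commit, hash to get the challenges, answer every one."""
    rs = [secrets.randbelow(N - 2) + 2 for _ in range(rounds)]
    xs = [pow(r, 2, N) for r in rs]
    bits = challenge_bits(xs, message, rounds)
    return xs, [r * pow(s, b, N) % N for r, b in zip(rs, bits)]

def verify(v, message, proof, rounds):
    """The verifier fixes the round count; it never accepts the prover's choice."""
    xs, ys = proof
    if len(xs) != rounds or len(ys) != rounds:
        return False
    bits = challenge_bits(xs, message, rounds)
    return all(x % N != 0 and pow(y, 2, N) == x * pow(v, b, N) % N
               for x, y, b in zip(xs, ys, bits))

def forge(v, message, rounds):
    """Mallory, without the secret: guess the challenges, build commitments that
    fit the guess, and re-roll until the hash agrees (about 2**rounds tries)."""
    v_inv = pow(v, -1, N)
    tries = 0
    while True:
        tries += 1
        guess = [secrets.randbits(1) for _ in range(rounds)]
        ys = [secrets.randbelow(N - 2) + 2 for _ in range(rounds)]
        xs = [pow(y, 2, N) * pow(v_inv, g, N) % N for y, g in zip(ys, guess)]
        if challenge_bits(xs, message, rounds) == guess:
            return (xs, ys), tries

if __name__ == "__main__":
    msg = b"constructed message"
    print("honest, 64 rounds:", verify(V, msg, prove(S, msg, 64), 64))
    proof, tries = forge(V, msg, 10)
    print(f"forged, 10 rounds: {verify(V, msg, proof, 10)} after {tries} tries")
    print(f"same search at 64 rounds: ~{2**64:.2e} expected tries")
```

The forged 10-round proof passes only a verifier configured for 10 rounds; a verifier that requires 64 rounds rejects it outright, and grinding a 64-round forgery would take on the order of 2^64 hash evaluations.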
 Fall '10
 ALIULGER
 Cryptography